=head1 AnoNet2 - Anonymity & Pseudonymity

Back to homepage - L<http://www.anonet2.org/>

=head2 Introduction

This page is intended to explain a bit of the theory behind anonymity and
pseudonymity. If your goal in joining AnoNet is to protect your anonymity,
this page may help you avoid some "leaks."

=head2 Definition

Anonymity translates literally into "having no name," and means having no
useful identification "marks" ("useful" being defined as "usable for future
find operations"). While it's technically possible to be truly anonymous on
AnoNet, true anonymity is not really necessary (nor desirable) in order to
achieve the goals that most guys here expect. Pseudonymity ("having no real
name") is what most of us are here to achieve. (Most of us don't care if you
can find us again on AnoNet, and in fact we normally I<want> you to. We only
care if you can find us I<outside> AnoNet.) However, the theory behind both
is quite similar, since the potential attacks against both are quite
similar. Therefore, this page primarily concerns itself with true anonymity,
on the assumption that a certain amount of correlation between your actions
is already feasible for an attacker.

=head2 Introduction to Triangulation

The fundamental method that people use for identification is triangulation,
where we look at something from a bunch of different angles and then narrow
down our guesses to items that match that combination of observations. For
example, a duck is something that looks like a duck, quacks like a duck,
etc. It should go without saying, then, that our goal here is to avoid
others being able to apply triangulation "against" us. That is, our goal is
to prevent triangulation "attacks."

=head2 Simple Triangulation

If you see someone in a chatroom around 1800 GMT, and he tells you that his
mother just bought him some colourful pants when he got back from school,
it'd be a pretty safe bet to say that he probably:

=over

=item 1

is a kid (his mother buys him simple clothing items, after school)

=item 2

is in England (colourful == British spelling; pants == underpants)

=item 3

is actually a she (boys with colourful pants?)

=back

Now, obviously, if you found more details concerning the makeup of his
class, you may be able to narrow down the possibilities for his school.
Combine that with his IP address, and you can focus on your candidates
within range of his geographical location. Perhaps he (she) talks about
his older brother walking him (her) to school in the morning, before going
to his own school. Well, in that case, you can be reasonably sure that his
older brother graduated from the same school "back in the day." Given the
fact that England's birth rate is relatively low, you can therefore
speculate that this bit of information is likely to narrow down the
possibilities (especially if he tells you how much older his brother is).
Another reasonably safe guess is that he's probably located in a rather
urban area. Now, you can add a bit of active triangulation to the mix, by
telling his ISP that his IP address has been sharing your intellectual
property. If the owners of that IP address really do have a girl in
primary school and your intellectual property sounds like something
oriented towards kids, the parents' first defense is likely to be that
they don't fileshare, so it was probably their kid (or maybe some guy who
drove by with wifi, who happens to like kid stuff).

(Obviously, if you're a civilian, your country is likely to have laws
against you committing fraud like that, but intelligence agencies
routinely do this type of thing, so it's worthwhile understanding some of
the options physically available to an attacker, even if they're not
"legally" available to him. You certainly don't want your anonymity
dependent on an adversary "playing by the rules," do you?)

As L<the world's current trend towards totalitarianism continues to
develop|http://www.theregister.co.uk/2011/03/11/us_tpp_proposal_leaked/>,
it will only become easier for others to invade your privacy on IcannNet.
It's really just a matter of time in our accounting-centered world before
your legal right to anonymity converges to zero. This is why it becomes
even more important to learn how to protect your anonymity.

=head2 A Bit More Formality

A very powerful science for dealing with these types of problems is
Mathematics, so we gain an advantage if we can translate our problems into
Mathematics (and our solutions out of it, of course). Our Mathematical
model for triangulation is similar to that of geolocating a cellular phone
that dials for emergency assistance. Initially, we can only say that the
cellular phone is likely to be someplace on (or near) planet Earth. Since
we know that the cellular signal deteriorates over distance and we know
(based on the phone's specifications) the original signal strength at the
source, each tower can gauge its distance from the phone by translating
backwards from its observed signal strength to meters. Most towers are
well out of range, and won't observe any measurable signal at all (meaning
an effectively infinite distance), while the nearby towers will observe
measurable signals. Now, each tower has a circle around it made up of all
the points at a particular distance from it. (Actually, it's a
three-dimensional sphere, but in our case, we're assuming the phone isn't
in flight or underground, for a bit of simplification. Real systems will
add an additional tower in order to triangulate in all three dimensions.)
Two intersecting circles will normally intersect (touch or cross over each
other) at two points. Three intersecting circles will rarely intersect at
more than a single point. Therefore, as long as the towers can safely
assume that the phone is broadcasting a uniform signal in all directions,
they can safely claim to have triangulated its position.

Now, let's see if we can apply triangulation to our own problem space. We
know that there are approximately 6 billion people on our planet, so we're
starting out with a population of 6 billion candidates. (Obviously, we're
assuming that aliens don't have anything interesting to do on our
ICANN-dominated Internet, and so for all intents and purposes don't
count.) Now, there are many "dimensions" in which these people are
organized. (A dimension is simply a metric where each individual has a
potentially measurable coordinate.) For example, everybody has a gender.
Everybody lives in some country. Everybody has some level of computer
expertise, some level of Mathematical education, some set of familiar
authors, some set of favourite bands, some color skin and some length
hair, etc. Now, as you're able to intersect coordinates in different
dimensions, you can start eliminating unlikely candidates and focusing on
the likely ones. For example, the number of males is quite high (on the
order of 3 billion or so), the number of people in Portugal is quite high,
the number of 15-year-olds is quite high, the number of stay-at-home
parents is quite high, the number of people who are still married to
their first wife is quite high, and the number of parents with two kids is
quite high, but the number of Portuguese males around age 15 who stay at
home to care for their two kids while their first wife is out working is
very low (probably well under 1000 - low enough for you to be able to go
door-to-door looking for him, if you'd recognize him by face). Clearly, by
triangulating coordinates between a variety of dimensions, we're able to
take the intersection of a variety of sets, which is quite small when the
sets have little in common (which is normally true when there's no causal
relationship between the sets in question). Therefore, if you're that guy
and you don't want others to find you, you probably shouldn't give away
too many facts about yourself.

=head2 Countermeasures

Remember when we talked about the cellular phone geolocation problem,
where we noted that the towers need to assume the phone is broadcasting
the same value (in this case, the same starting signal strength) in all
directions? Obviously, a phone without an omnidirectional antenna could
point a different directional antenna at each nearby (or even far away)
tower, and transmit a highly focused signal at an arbitrary power level to
each tower, and thereby confuse the towers. Alternatively, it could even
work backwards through the triangulation algorithm in order to figure out
a set of inputs that would cause the towers to geolocate the phone
"accurately" as being kilometers away from its true location. It should
come as no surprise, then, that similar techniques work in our own problem
space. For example, how do you know that the guy is really male? Given the
other dimensions, wouldn't you say he's more likely to be a female?

=head2 Verification

Going back to our cellular phone geolocation problem, we left off with our
phone fooling the towers into thinking it's someplace else. However, we
didn't take into account that the towers themselves may have directional
antennas scanning around on a regular basis in order to detect precisely
this type of fraud. If the phone is supposed to be southwest of one of our
towers, why is its signal coming in from the east? Not surprisingly,
certain verification techniques may be applicable in our own problem
space. For example, suppose you somehow got a list of all candidates, and
then combed all of Portugal door-to-door looking for the guy, and didn't
find him? What if he told you that he was a licensed pilot, but you
couldn't find any pilot matching his description? The goal of a
verification algorithm is to assess the probability of our data sources
being correct; that is, to tell us how likely it is that we've been
fooled, not to find the right answer. (Obviously, a verification algorithm
may itself reveal additional information that we can then triangulate
with. For example, the towers employing directional antennas can geolocate
our phone with the directional antennas (using the law of intersecting
lines), without even relying on the omnidirectional antennas. Therefore,
the verification algorithm in this particular case not only verifies the
likelihood of the triangulation, but actually provides its own
alternative triangulation dataset.)

=head2 AnoNet

On AnoNet, the single most important factor in securing your anonymity is
precluding verification.
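Before going on, here is an added worked example (it is not code from the AnoNet2 page or project) of the set-intersection view of triangulation from "A Bit More Formality" and the consistency check from "Verification". It builds a constructed population whose attribute values and weights are made up for illustration, counts how many candidates remain after each disclosed fact, compares the real intersection with the independence estimate N * p1 * p2 * ..., and flags a claimed combination that cannot exist in the data (the "licensed pilot" check). Read from your own side of the table, the "candidates left" column is the size of the crowd you are still hiding in after each fact you give away.

```python
"""Triangulation as set intersection, plus a verification check.

Added example, not part of the AnoNet2 page: the page's "dimensions" become
attributes of a constructed population. Every value and weight below is made
up for illustration; nothing here is census data.
"""
import random

# Constructed marginal distributions (relative weights, not real statistics).
SEX = {"male": 50, "female": 50}
COUNTRY = {"PT": 10, "ES": 45, "UK": 65}
AGE = {"<15": 15, "15-19": 6, "20-39": 30, "40-64": 34, "65+": 15}
# Occupation is deliberately tied to age band, so intersections are NOT just
# products of marginals: this is the page's "causal relationship" caveat.
OCCUPATION_BY_AGE = {
    "<15":   {"student": 100},
    "15-19": {"student": 95, "stay-at-home parent": 2, "office": 3},
    "20-39": {"student": 15, "stay-at-home parent": 15, "pilot": 1, "office": 69},
    "40-64": {"stay-at-home parent": 10, "pilot": 1, "office": 84, "retired": 5},
    "65+":   {"office": 5, "retired": 95},
}


def _pick(rng, table):
    """Draw one key from a weight table."""
    return rng.choices(list(table), weights=list(table.values()))[0]


def make_population(n, seed=7):
    """Build n constructed people, each with a coordinate in every dimension."""
    rng = random.Random(seed)
    people = []
    for _ in range(n):
        age = _pick(rng, AGE)
        people.append({
            "sex": _pick(rng, SEX),
            "country": _pick(rng, COUNTRY),
            "age": age,
            "occupation": _pick(rng, OCCUPATION_BY_AGE[age]),
        })
    return people


def triangulate(population, facts):
    """Intersect the candidate set with one disclosed fact at a time.

    Returns the shrinking candidate counts (starting with the whole
    population) and the final list of people matching every fact.
    """
    candidates = list(population)
    counts = [len(candidates)]
    for dimension, value in facts:
        candidates = [p for p in candidates if p[dimension] == value]
        counts.append(len(candidates))
    return counts, candidates


def independence_estimate(population, facts):
    """Expected intersection size if the dimensions were independent: N * prod(p_i).

    Comparing this with the real count shows how a correlated dimension
    (occupation vs. age here) can be more or less informative than its
    marginal frequency alone suggests.
    """
    n = len(population)
    estimate = float(n)
    for dimension, value in facts:
        estimate *= sum(1 for p in population if p[dimension] == value) / n
    return estimate


def likely_fooled(population, facts):
    """Verification step: can the claimed combination exist at all?

    An empty intersection means at least one claim (or the reference data)
    is wrong, which is exactly what a verification algorithm is for.
    """
    _, candidates = triangulate(population, facts)
    return len(candidates) == 0


if __name__ == "__main__":
    pop = make_population(20000)
    claims = [("sex", "male"), ("country", "PT"), ("age", "15-19"),
              ("occupation", "stay-at-home parent")]
    counts, _ = triangulate(pop, claims)
    for (dim, val), remaining in zip([("start", "-")] + claims, counts):
        print(f"{dim}={val:<22} candidates left: {remaining}")
    print(f"independence estimate: {independence_estimate(pop, claims):.1f}")
    # No one under 15 is a pilot in this data, so that claim fails verification.
    print("fooled?", likely_fooled(pop, [("age", "<15"), ("occupation", "pilot")]))
```

The interesting comparison is the last two numbers for the four-fact claim: the independence estimate treats "stay-at-home parent" as a weak fact, while the real intersection is far smaller because that occupation is rare in the 15-19 band. That is the sense in which a fact's danger depends on which other facts it is combined with, not on its frequency alone.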
If an adversary can't verify his data about you, then he's trivially
vulnerable to countermeasures, making it difficult for him to trust the
results of his triangulation (and making it difficult, therefore, for him
to even justify the cost of triangulating in the first place).

For example, you probably don't want to recycle a nickname you use
elsewhere, since a simple Google search may give adversaries a
verification tool to use against anything they learn about you on AnoNet.
You also want to make sure that the public IP address you use for peering
doesn't geolocate your exact location (try MaxMind's online tool, for
example). A good way of getting around this one is to get a VPS (Virtual
Private Server) before peering with too many other guys. There are plenty
of cheap ones (well under 10EUR or 10USD each month), and you can easily
get a VPS in a different country. An even better way of getting around
this is to peer over i2p, if you don't mind installing Java on your
routers. If you're lucky, your ISP may SNAT outgoing traffic from its
users, giving you a certain amount of "built-in" protection. If you're not
comfortable giving a peer your IP address and none of the above is an
option, you may consider peering using TCP over tor or something. In
addition, it's also possible to exchange data using DNS, so if each of you
has access to a DNS server and some method to automatically load TXT
records into it, you can tunnel a VPN over it without either of you giving
away his IP address. (This particular method can also get around
restrictive firewalls, which may be independently useful.) Other things
you probably don't want to advertise are your name (especially not your
full name), location, age, marital status, occupation, school, and hobbies.
Under normal circumstances, it's safest to assume that anything you tell
anybody on AnoNet may be used by anybody else on AnoNet for triangulation
or verification attacks, and so the only reliable method of preventing
these types of attacks is to avoid leaking any verifiable information to
anyone on AnoNet. When that's not feasible, try to avoid giving multiple
pieces of information to the same individual. For example, if you're
coming in through UFO's CP (client port), it's probably unwise to use his
IRC server.

It's also smart not to come onto IRC as soon as you connect, since then
UFO can guess that the guy who just joined IRC is probably the same guy
who just connected to his CP. To protect your anonymity from the
organizers of a darknet, it's imperative that you peer with someone
(preferably not an organizer) ASAP after joining. The more often you come
in through the CP, the higher the probability that an organizer will find
you. If you've come in over the CP more than a few times before getting
peered, you'll probably want to at least change your IRC nickname before
rejoining IRC after peering, so the darknet organizers at least can't
trivially connect your IcannNet IP address with your AnoNet nickname. If a
darknet's organizers try to put you through a "hazing" period before
they'll allow anybody to peer with you, that's a strong indication that
they don't care much for I<your> anonymity. They may tell you that "nobody
here trusts you enough yet to give you his IP address," but that's (at
best) just a thinly veiled way of saying that "nobody here cares enough
about your anonymity to have bothered to get himself a VPS for peering."
By making it difficult for new users to join, they're effectively dooming
their darknet into forever being a small and incestuous club, a fraternity
if you will, where everybody gradually gets to know everybody else quite
well (since static analysis works quite well against rigid structures). An
anonymity-preserving darknet makes it easy for users to enter and exit at
will, with the organizers keeping minimal (or no) tabs, in order to resist
static analysis.

=head2 AnoNet2 vs. The Competition

AnoNet2 aims to provide the best anonymity feasible with TCP/IP, through a
variety of techniques:

=over

=item minimizing required direct information disclosure

Most TCP/IP-based darknets require new users to submit a fair amount of
information up-front. Non-anonymizing darknets like dn42, for example,
expect users to sign up for a wiki account to register resources, to join
a mailing list for operational discussions, etc. (dn42, incidentally,
deserves special mention, as the resource database has recently been
migrated over to a decentralized resdb-like registry. In addition, there's
now an NNTP gateway to the mailing list reachable from inside dn42, making
it feasible to avoid giving away much information.) So-called
"anonymizing" darknets, by comparison, tend to turn these types of
expectations into policy requirements. A case in point is AnoNet1, where
new users are expected to go through a "hazing" process for 2-4 weeks
before anybody is supposed to peer with them. During the "hazing" process,
the new user is expected to answer questions like "what brings you here?"
from an informal panel of existing members, and is expected to
"participate in the discussion" for a couple of weeks to prove that he's
serious about joining AnoNet1. (The official excuses range from avoiding
"drive-by peerings" to preventing infiltration by law enforcement
officials. The former commands a high price relative to the nuisance
factor of a temporary peering, while the latter is just plain laughable.)
AnoNet1 also requires members to maintain their resource registrations on
a centralized wiki, making certain information available to crzydmnd.
There is only one official client port (run by Kaos), and users are
discouraged from setting up additional ones. AnoNet2 gets this part right
by making it very easy for new users to join, and to peer as early as
technically possible.

=item avoiding centralization of critical infrastructure

Most TCP/IP-based darknets have a fair amount of centralized
infrastructure. Centralized infrastructure is problematic, since it
creates a single point of control (or eavesdropping), making it easy for
the operator to learn information that's not intended for him, and/or
alter transmissions that aren't intended for him. Typical examples are
things like resource databases, chatrooms, DNS, routing infrastructure,
documentation stores, forums, mailing lists, and public Web pages. AnoNet1
is a model of centralized infrastructure, with centralized mechanisms in
place for pretty much all of the above minus routing (and even routing is
quite centralized on AnoNet1, due to their peering policies). Even dn42
(whose primary claim to fame is decentralization) retains centralized
mechanisms for IRC, wiki, mailing list, and public Web pages. AnoNet2 has
only a single point of centralization, in the public Web pages here, and
even they are easy for anybody on AnoNet2 to modify (although there's
still a centralized point of control over what ends up getting published
here and what doesn't, a point which has never been used so far (a fact
that's very easy to prove in a decentralized way), and which will
hopefully never be used). In addition, users are encouraged to set up
their own public Web pages and to put links to them here, in order to
further reduce centralization of AnoNet2's Web presence.

In addition to protecting your anonymity, this level of decentralization
makes it far more likely for AnoNet2 to survive a splitbrain condition
(where some bad guys take a number of central users out of the picture,
leaving a few disconnected fragments with critical services missing),
something that an anonymity-preserving darknet always has to plan for. If
AnoNet1 were to become split, the "non-central" side would most likely
wither away and die (a statistical fact that AnoNet1 used to try and
destroy AnoNet2 before it ever got off the ground), whereas if AnoNet2
splits, the individual fragments should have no problem carrying on
indefinitely as independent darknets, and little difficulty merging back
together again if their paths cross at some point in the future. What git
and monotone do for software development, AnoNet2 does for darknet
development.

=item not requiring resource registration

AnoNet1 had a very powerful idea, of allowing people to mark a resource
"reserved" without specifying who has reserved it, but like most good
ideas in AnoNet1, this one also turned out incompatible with what AnoNet1
has become. AnoNet2 takes this idea one step further: not only can you
easily leave out the "owner" field in a resource registration, but you can
even leave out the registration completely, and let someone who happens to
notice the resource in use (presumably, someone who's scanning to make
sure a resource is available before using it himself) add it himself as
"apparently in use."

=item not requiring resource exclusivity

In fact, AnoNet2 takes it a step further, by having no conflict resolution
policy for resources. This means two users can use the same IP address,
for example, and leave it up to routing to decide who "wins." (Under
normal circumstances that's not likely to happen, since at least one of
the users will almost certainly prefer to renumber rather than fighting it
out with the other guy. If they both want to fight it out, though, there's
no AnoNet2 rule that either of them is violating by refusing to "talk it
out," even if it's trivial to prove which guy's claim came first.) This is
intended to be useful during darknet merges, but it can also aid in
anonymity protection for cooperating users who agree among themselves on
some algorithm to determine who gets the resource when, or perhaps they
use the split routing to their advantage, SNATting (or proxying) through
each other for locations they can't reach directly (or even for locations
they I<can> reach directly, if they really want to confuse an attacker -
and themselves, if they're not careful). The same thing goes for ASNs,
domains, nicknames, etc. Static analysis against any of these resource
types is not guaranteed to yield useful information (i.e., excessive
triangulation may yield strange results), and with only a little bit of
coordination, a group of users can achieve true anonymity, if that's
really what they want.

=item avoiding bandwidth requirements for peering

Not everybody can afford a VPS, but everybody should be able to enjoy his
anonymity, not just as a leaf, but also as a transit. Conversely, many
users will want more path diversity, even if it means using slower links.
Therefore, AnoNet2 defines no rules about minimum bandwidth for peering.
Individual users can obviously do whatever they want, but there's no
official policy for them to use as an excuse. There's nothing wrong with a
transit node being on dial-up. If you prefer speed over path diversity,
just tell your router to avoid any path going through that ASN. By the
same token, if you have both VPSes and dial-up links and you want to make
it easy for people to implement different policies for routes passing
through each of them, it's probably wise to use different ASNs.

=item avoiding I<all> censorship

AnoNet1 officially sanctions some censorship, and unofficially practices
much more. The problem is that once you start complicating the definition
of censorship, where do you draw the line? AnoNet2 has a very simple
definition of censorship: interfering with communications of which you are
not the (I<the>, not I<an>) intended recipient. AnoNet2 doesn't impose
anybody's morals (nor anybody's legal system) on you, so feel free to
communicate anything you want. If we don't like what you say, we can
always just ignore you.

=item avoiding arbitrary restrictions on freedom

Working around restrictions wastes resources, so those who are determined
to achieve their goals will still achieve them, while the rest of us
suffer the consequences of a legal framework. To avoid wasting your
resources working around AnoNet2 rules, AnoNet2 simply avoids defining any
rules. Anything goes. If you manage to annoy enough people (and you'll
probably have to put in a serious effort, if you really want to annoy
enough of us), you'll most likely wind up forking AnoNet2, which is
probably what you'd want in that case, anyway.

=back