NAT Traversal & Bootstrapping

Indeed.

This is very unlikely once the network has reached critical mass. Even before then, it would be extremely unlikely. Churn would hurt timing analysis and the chunks in question would likely not be on the target’s machine when the knock comes. Even if they were to find the chunk on the target’s computer, given the fact that anyone at any time could have that same chunk on their computer and the inherent inaccuracy of timing analysis, it would be very difficult to prove with certainty that the target is indeed the one whose computer served the chunk.

If they went on to analyze the hard drive and find other illegal chunks, it could be argued that the file wasn’t served to anyone. It’s just passing through the target’s machine as a result of the designed flow of the network.

In response to:

The general population, knowing the guarantee of permanence of their files, would after the affair likely do quick inquiries on the internet, as they often do for even the most mundane topics, and discover that SAFE is fine to use. Look at the Silk Road bust. It was all over the place. Still we have roughly 3 million Tor users and that’s without the benefits of permanent storage and super simple cheap maintenance free website hosting SAFE offers. The odds are good my friend. :relaxed:

Anything below 100% accuracy can be argued against. SAFE, unlike other systems, doesn’t keep data on your system permanently, with the exception of archive nodes whose data is not being accessed by anyone (when touched, the data is on the move again). The transient nature of the files on the network makes plausible deniability a strong defense.

In response to:

Again latency due to natural artificial churn decreases the accuracy of analysis. It would be hard to prove the true source. On top of that, bundling of chunks could be introduced to further hamper analysis.

So what? Firstly, your data will be moving in many different directions away from you. Secondly, even if you could watch where it goes, it wouldn’t be there for long. :wink:

At the moment the only issue I could see is the shitty UK precedent of holding relays responsible for data transferred. Then again, if the investigator requested the chunks, there might be an entrapment defense as they cannot prove that the relay has passed the chunk to anyone else before then. It could also be argued that the chunk would have never passed through the relay to a general requester if it had never been requested by the investigators. So I think there are grounds for dismissal here.

Agreed. There are many unknowns but, like Firefox or any other self updating application, the hurdle is low. I believe most users like to keep their software updated and jump at the chance to see shiny new features. Knowing they are using software that prioritizes security would motivate them to update. You don’t have to be a geek to appreciate the benefits of security, in the same way a driver doesn’t have to be a mechanic to take their vehicle in for maintenance in the hopes of safeguarding their lives and improving the lifespan of their vehicle. :slightly_smiling:

Read back my comment which you quoted before saying this. I said you will have LOTS of connections - you’re not telling me anything I don’t know. I’m not sure what it is but people either aren’t understanding what I’m saying or they’re not listening.

You’ve just contradicted yourself and are now saying that they will see more than this. They will see that you are transferring data between all other connected nodes…not just 2 streams of data (up and down)!!!

Taking the Torrent example. If your client decides to download chunks of 1MB from each connected peer then I can tell how long you’ve been connected to this other client. If I was an ISP with details of the other peer then I could also tell what connections they had open during that time…so if I was streaming data where the other client was acting as a relay I would have a reasonably good idea what inbound connection to them was feeding through to the outbound connection to me, because they would likely live for pretty much the same amount of time. This is the most basic way of gauging this. As I’ve said there will likely be other patterns that could be used too.

You’ve already proved it. The part of Breaking Bad didn’t magically appear on your computer and you can demonstrate through logs that the data that came from them, which was then decrypted, became a part of Breaking Bad. What you are saying is similar to a thief thinking that they can steal a sandwich from a shop, get recorded on CCTV in the process but they’ll be OK because they ate the sandwich. I’m not saying the person who’s running the node is a thief, what I’m saying is that there’s a recording of what happened so the data doesn’t need to exist on their system any more.

There’s nothing magical about it. When you connect to the Maidsafe servers you are not connecting directly to them. When you connect to ANYTHING over the Internet you are first going to go through your ISP. They are in complete control of where you’re routed - I don’t know what ISP you’re with but it’s not uncommon for them to block access to certain websites…I don’t understand why people aren’t getting this.

Forgive me for not acknowledging more of your points Tonda but I think I’d be close to repeating what I’ve already said in this post.

I’m not so sure about this comment. You are obviously security conscious however I’d say you are in the minority. If SAFE starts attracting Mr Average I’d bet money that most won’t update frequently (unless forced). I’ve been on plenty of servers owned by massive businesses and found them running outdated versions of nearly everything.

The security issues involved with running outdated software are obviously not new. Microsoft are taking a slightly different approach these days but not that long ago they were letting (encouraging) people they KNEW were running pirate copies of Windows to keep Windows update running. It was recognised that hookie unpatched copies were a security risk to their legitimate customers.


Yeah, on BitTorrent you can. On SAFE you can’t. I won’t connect to an IP to get a certain chunk or file. I will have multiple connections to different IPs and get part of the network. No matter if I download 1 episode of Breaking Bad or not. I become part of the network. I’m not setting up a new IP to IP connection for every file like BT.

I’ll need you to prove this to me. If you’re saying what I think you are then the only way this could happen is if all close nodes maintained long standing connections with each other (i.e. even when the line is quiet). This just isn’t possible with UDP which is what SAFE was designed to use.

It seems to have recently got some form of TCP support but I don’t know why. At the minute the only thing I know is that NAT hole punching isn’t going to work as well with TCP as it will with UDP. I think David’s figure was ~63% of routers can be punched for TCP so I’m going to guess that means roughly half of non-techy users are going to be using UDP.

I don’t know if it actually matters too much anyway. Even if the same TCP connection were being used to send parts of different chunks I’d be reasonably sure there’ll be a way to tell where one chunk starts and the next ends - especially if they are mostly 1MB. I don’t think anyone has claimed there will be interleaving of chunks on the same connection at the same time - if this is a claim please point me to some evidence.

DoS attacks are fine but they don’t compromise security in any way. They’re a waste of time and subject to petition/complaints if the ISP is caught. Most are paying customers after all. With node finding implemented, ISPs would have to block all HTTPS to be effective. This would be disastrous. Too many p2p protocols use encryption to just start blocking anything that even remotely looks suspicious.

No forcing necessary. Just a small pop up that says an update is available. It could be designed to annoy the user or even scare them into submission. Simple. “Click here to update your SAFE software. This update will be applied upon restart of the client unless you select this check box that forces it to happen now” or “Alert if you do not update now your software could be in trouble. Hurry!” or better yet, have auto update be the default. “An update has been downloaded. For best security, apply it now? Otherwise it will be applied upon restart”. Just some ideas.

I think what @polpolrene meant is that everyone on the network will always be routing something. Never a moment of silence. It will be hard to discern when a connection is opened and closed specific to the investigation. So an attacker can create all the traffic they want, but it’ll be difficult if not impossible to follow with so much noise.

To a very low degree of accuracy. Not enough to ensure guilt.

There will be an iterative roll out that will of course include anything that improves both security and anonymity. If these ideas are useful and feasible, expect them to be implemented.

So Mr. anonymous, all this boils down to is extreme cases that are likely not going to happen any time soon. In such a world very few liberties would be left intact. We’re not yet there. Until then we’re SAFE. :sunglasses:


Spot on!

This is how I understand the network. And I’m quite sure it’s the way the network works. You are connected over IP to maybe 3 or 4 or 5 IP-addresses. These are relay-nodes. They’ll connect you to a max of 31 nodes in XOR. If you want any data (GET) you request the others in XOR to get it. So you connect to max 31 XOR nodes by using just 3 or 4 IP-connections. This means indeed that there’s always some chatter going on, because all 31 other nodes will talk to you and you back to them as well. And they request chunks from you as well when you are the closest one in the group to a chunk. I laid it out here, and David said it was the way things work indeed. So for this little part (so much I still don’t understand about the technology, it’s so much!) you can ask me to “prove it”. But I ask you to disprove me if I’m wrong :yum:. Now do you really keep saying that an ISP will see chunks come by from outside looking in? Even while all communication between you and max 31 other nodes goes over 3 or 4 IP-pipes? Here’s another read about how your safe-client goes from IP-level to XOR. Quite some chatter back and forth before that happens. And the different HOPS that are mentioned, before you get a chunk, are in XOR. Nobody, and especially not someone from the outside, can make any sense of it. Remember that this is the big trick: your relay-node knows your IP-address but it doesn’t know what you communicate with your 31 friends in XOR. And your 31 friends in XOR know your relay-node’s address in XOR (and some on IP-level) but they don’t have a clue about your IP-address and ports.

I don’t know about the TCP and UDP and all these details. David talks about it in this video. And in some others as well.


One thing is blocking access to certain websites and another is creating a worldwide ISP plot to trick new users of the SAFE network, which is what you are proposing. The first is possible, the second extremely improbable.
If it happened, which would be discovered very easily because old users can detect it, we could create lists, web sites or even BitTorrent, with thousands of new bootstrapping nodes. Each user can choose randomly the nodes to connect to.


Could this thread be renamed to “NAT traversal, Bootstrapping, and Possible Attacks”? I think it would help others perusing the forum looking for these details. I know there is info on the wiki but I strongly believe debates like these help to elaborate and exhaust questions people might have. I’m sure there are many people like Mr anonymous that have the same concerns and little insight. This thread could help I think. :slightly_smiling:

I promise I’m in the process of bowing out of this :smiley:

It’s not a DoS and nothing to do with HTTPS or anything. The hardcoded bootstrapping nodes are easily discoverable. ISPs can redirect requests to these IPs somewhere else. This other place you’re directed to can stick you onto the SAFE network just as the intended bootstrapping node would have. It’s most likely that you wouldn’t notice.

Neither of us can answer either of these points with any certainty at this point.

I don’t doubt this. As I’ve argued before though each improvement in relation to privacy will almost certainly have a negative impact in relation to performance.

These are two more points neither of us can answer with certainty.

I’ve just watched the video you posted on Crust and then another one on Routing. Both very interesting but didn’t go into enough detail to really help answer any questions. I didn’t get the impression though that a node only communicates with 3-5 other IP addresses. If you held a gun to my head I’d say the number is more like 64 or 32 (but I think 64 - just as this was getting interesting in the video the topic changed)

If someone can prove me wrong great, but my thinking at the minute is there’s confusion around what XOR routing is. The XOR stuff is just used to organise a routing table. In order to travel between nodes on this route IP is going to be used…it feels like people are thinking that XOR routing is some magical thing that allows nodes to communicate with each other outside of the Internet. If any node wants to speak to another one IP is going to be used - and this means packets will be routed through ISPs.

I will admit that I’ve never used RUDP before and made some assumptions about it - I’d assumed that it was a slightly more connected layer on top of UDP (i.e. send request, wait for response) however it appears it’s actually been implemented as a fully connected protocol so it is possible to keep connections open between clients. Seems UDT is actually being used now anyway (same idea as RUDP it seems, but if you asked me this morning I would have said UDT was network cable - Unshielded Twisted Pair - so every day’s a school day :slightly_smiling:). In any case I don’t think this revelation is a major change to anything discussed.

How do old users detect it? Why would they be even looking? All these things that you would create are also easily discoverable. How would a new user randomly select a new node? It doesn’t matter if you had one node in the US, another in Europe, one in Atlantis and another on the moon. If my ISP wants to send me to Y rather than X there’s nothing I can do about it.

Please don’t take the fact that I’m trying to wrap this up to mean that my concerns have been resolved. I’m just trying to conserve energy after realising this is going nowhere (there isn’t enough information for any of us to claim victory).

I would also be careful before jumping to conclusions and claiming it’s me that’s lacking insight. The funny thing about insight is that you don’t know when you lack it - so it’s wise to keep that in mind ;). You are surrounded by people shouting “SAFE is great” and believe that yourself. You do not know most of the technical details yourself and therefore cannot claim to have perfect insight.

How? The place you speak of would have to be able to decrypt the bootstrap request and return the expected value. The client would detect this failure to produce and reject the connection.

100% accuracy is hard enough to get to with the current obfuscation and encryption schemes currently in play. There might not be certainty but my confidence is grounded in extensive real world data.

Some of it might be negligible with great benefit. It’s to be seen. Also consider that network speeds are improving all over the planet. These negative impacts you claim will likely be offset by this fact.

Of course there is no certainty. Only likelihood. Slow changes are inherent to politics. This is clearly evident. I know of no one global policy change that happened over night. This falls in favor of SAFE.

I’ve never once implied this so I’ll assume I’m not included in this broad statement.

I love this about life. I wouldn’t have it any other way.

Victory!?!? I don’t care about something so juvenile in this regard. We’re just brains interfacing and exchanging data. Filling each others informational void. I love to know there are things I don’t know. Like a hungry fat kid. More please!!!

Well there were some things you didn’t seem to be aware of, things like the transience of vault data and the privacy afforded by asymmetric encryption. You’ve clearly expressed concern for users of public data and various attacks. Forgive me if I have offended you. I just want others to benefit from our exchange.

I know that I lack insight to many things especially space and time. So it is indeed possible to know. :relaxed:

Not because they shout it. I look at the available data conclude what I do then attach sentiment to it. In this case I agree with the prevailing opinion on this forum as a result of my analysis.

Never claimed to nor would I. That would be true even if I were a part of the core development team. Things change so rapidly I would hesitate to claim such. Only David is closest to understanding everything perfectly. He of course doesn’t program everything himself. This I’m sure leaves small holes in his understanding of the entire code base. Otherwise there would be no bugs ever.

Perfection is overrated. It leaves no room for growth. :yum:

Completely impossible like @Tonda already showed you. I made the point a zillion times already, it just can’t be done. Your node will use the public key from the bootstrapping node which is in your binaries. So when someone redirects you to another IP-address the folks at that address have no clue what they’re getting. They can’t decrypt it.

The place I speak of is a clone of the SAFE network (with the minimum viable number of nodes). I’ve already covered this near the start (I talked about this as a 1st network) and even David admitted this part was possible…the part where he said “with caveats” relates to a part of the plan I dropped (a 2nd network)…

You’ve made a claim like this already. There is no real world data yet. The fact that feature X works in system X is not proof that feature X works in system Y.

Good, then I didn’t mean you :slightly_smiling:

Another thing is the claim (possibly not by you) that everything is encrypted from bit 1 is obviously false. From the minute this was said it was clear it was impossible but I’m having to do a lot of work to convince people of anything and didn’t have the energy to follow it up. The Maidsafe technical video on Crust explains this for you - headers of TCP and UDP packets are not encrypted (things obviously couldn’t work if they were).

Hmmm, maybe I got something wrong… How would you achieve this without altering the binaries? The client expects a specific value to be returned as a result of the communication exchange.

What does the false bootstrap node do? Say sorry buddy I can’t give what you’re looking for but here’s this instead? Your client just rewrites itself and acquiesces?

Seriously, maybe I’m missing something. Please point me to it. I’m not kidding. Help a brutha out. :open_mouth: !

There was no real world exacting data to prove many physics theories in the past. Yet many, including Einstein, used the available data and predictionary mathematics to confidently claim a whole slew of things including the recently proven existence of gravitational waves. Albeit he fell short in some areas, much progress was made from previously existing data.

So I remain confident. Many current systems use broken technology (slow buggy languages, sloppy code, minimal packet padding and little uniformity) to function and still remain relatively difficult to analyze remotely. SAFE on the other hand is built from the ground up to make analysis very difficult. This doesn’t mean that it’s impossible to analyze by a global adversary. It just means that they will have to go to that extreme just to get tiny peeks into the network from the outside. Anything else just won’t cut it once critical mass has been reached.

Please don’t reiterate the whole “what if before critical mass” bit. We’ve already acknowledged the road ahead. AND yes, the option of hacking and flooding the network with massive amounts of new nodes (sybil) exists. Acknowledged. Still, these are extreme and potentially illegal measures that will have to be taken to get useful results. Few if any other systems can make that claim.

You’re still going on theory and unsubstantiated claims. Nothing is out for us to study and confirm; is what you would likely have repeated had I not written this. Now you will probably just highlight this to add content to your next post. Maybe not now that this has been expressed. :expressionless: :confused: :frowning: :astonished: :weary: :disappointed:

Definitely not me. IIRC I wrote that the initial key exchange is done over the clear before subsequently establishing a secure channel.

I don’t know friend… It’s you who seems to be exhibiting the quality you’re suggesting. We’ve given you official documentation and a link to mathematical proof of an encryption scheme. The same cannot be said of you. :expressionless:

Since you clearly see this discussion as a challenge/debate, you will likely nit pick and ensure you have the last word.

So go on and please, pretty please be done with it. Go out with a bang!!! :grinning:

It was fun while it lasted. Now I’m getting :weary: :sob: :pensive: :neutral_face: :no_mouth:

I’m going to tackle both these points together. Show me the official documentation that shows the bootstrapping process - you haven’t so far. We also are not talking about how solid a particular encryption algorithm is - it’s irrelevant to this discussion because I’m not claiming anything can be decrypted.

Other than the odd mention of bootstrapping in whitepapers and such the most “official” documentation I could find is this forum post which is “liked” by David and Fraser - so I have to assume accurate:

Here is an extract from that post:

In this case we see that Client (A) connects to an IP-address (B) and provides its public key. If Client (A) is new to B then B will add Client A to its Client map. It will also provide its own public key to A.

I don’t know how to interpret this any other way than: A and B may be encountering each other for the first time and have no prior knowledge (somehow A knows B’s IP address though). They then EXCHANGE keys.

What am I to think? This is the closest thing to proof I have on the matter - plus David’s acknowledgement early on that this process could work.

You did this for me. Thanks!

Look at it again.

What!? Of course it is relevant. Without it we couldn’t secure the bootstrap connection and mitigate a man in the middle attack which you essentially claim is possible.

It is. Which is why I’m still here trying to convince you to accept the facts.

That’s only true of new bootstrap nodes that are found some other way. If the client uses its own list (which it will by default), it will expect to receive something very specific. I don’t know how to simplify this further. New users should not, from my understanding, be at risk.

See: https://safenetwork.wiki/en/FAQ#Can_an_ISP_thwart_the_network.3F
This is the second time I’ve given you this. Please read the first two paragraphs once more.

Tor has been hosting its own bootstrap servers for years and there are yet to be any reports of people being redirected to a false onion network. I’m sure Maidsafe too can handle this well. In time, with enough notoriety, people will set up secure and easy ways to bootstrap without depending on the Maidsafe organization. In addition, the download page could strongly warn the user about all of the risks of using unknown bootstrap servers and ways to mitigate them. For the lazy, a nice colorful video could be presented with all relevant details.

You know what, you’re right. :smirk:

Problem solved.

I mean I never mentioned that the public key of the bootstrap node is HARD CODED INTO THE CLIENT. Nope never did. Sorry about that. Please forgive and let it end. :weary:

P.S. If the hard coded nodes fail to deliver. There are other ways to get valid benign nodes as David has previously stated. Any valid issues you’ve stated are relatively easy to solve. Most of the hard ones are done.

Your initial argument of doom and gloom was inflated. I’m trying to dispel that.

I’ve noticed that you tried little to help solve any SAFE related issue during this entire exchange. You’ve been so focused on proving yourself right that you have forgotten about the greater good.

Jeez brother help out…:confused:

It’s convenient that the most detailed documentation on the matter left this “minor” aspect out! Not to worry, I accept PKs will be hardcoded into the client along with bootstrap IP addresses.

I don’t think this actually makes a huge amount of difference and I told you this when you mused about having additional validation keys for bootstrapping nodes - feels like months ago now!

I am an ISP and I have configured my router to route requests to bootstrapping node at IP X to my own bootstrapping node that is running within a minimally viable FAKE-SAFE network. Your client encrypts something (likely a bit of random data) with the public key for the bootstrapping node and sends it to me. Of course I’m going to have a hard time decrypting this (and I’ve never once said I would want to decrypt anything!). What can I do? Ummm, why don’t I just forward the request as it is through to the legitimate bootstrapping node and when I receive the response relay this back to the client?

Now, what if the data that was encrypted with the bootstrapping node’s PK was the client’s IP address. How about the legitimate bootstrapping node just makes a new connection back to the client? One problem, any data going to or from the client has to go through their ISP…and this is the same ISP that’s intercepting traffic going to the legitimate bootstrapping node.

Routing packets around is the whole purpose of an ISP and I don’t think there is anything you can do to stop them from doing this type of thing. They are in control of the IP addresses that they own. They can manipulate packets. They own the wires and you are playing by their rules.

I know nobody wants to hear about potential issues. Like it or not this will help more than posting “everything’s great, no issues here”.

I do NOT want to see the network fail. As I’ve said numerous times I see masses of potential but I think the anonymity side of things (which seems to be the main marketing point) is going to attract a hell of a lot of attention from lots of very powerful groups.

It is going to be impossible to guarantee your anonymity on this network, even if the only point of weakness was that the nodes connected directly to you can tell your IP address it proves this point. Even with this tiny weakness there’s enough risk of me being identified that I wouldn’t dare use it if I lived in a place like North Korea - and they’re the people that need it!

This network could be used to solve heaps of problems, and could become super successful. However because I think the product that’s currently being sold is going to fail to deliver it’ll mean the network will fail. Market it in a different way and it’s not going to get all of the negative attention that it’s bound to get. It won’t matter so much WHEN people find holes in the security because it’s not so critical, people aren’t getting killed in North Korea because they think they are guaranteed anonymity, kids who are raped and filmed aren’t going to know that the tape is floating around forever and it can’t possibly be taken down…everyone’s happy.

Now tell me again I’m only interested in proving myself right.
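The pinned-key exchange argued over in the last few posts, modelled as an added Go example (not code from this thread or from MaidSafe). The Ed25519 challenge-response, the key pairs and the four peer types are assumptions for illustration (the thread describes encryption with the node’s public key rather than signatures); the program shows that a pinned key rejects an impostor and any peer that alters the reply, while a relay that faithfully forwards to the real node passes, because pinning authenticates the endpoint’s identity, not the path, and the relay learns only opaque bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Responder is whatever the client's packets to the bootstrap address actually
// reach once the ISP has routed them (assumed interface for this example).
type Responder interface {
	Respond(challenge []byte) []byte
}

// BootstrapNode is the legitimate node; only it holds the private half of the
// key pinned in the client.
type BootstrapNode struct{ priv ed25519.PrivateKey }

func (n *BootstrapNode) Respond(challenge []byte) []byte {
	return ed25519.Sign(n.priv, challenge)
}

// Impostor answers with its own key pair, which does not match the pinned key.
type Impostor struct{ priv ed25519.PrivateKey }

func (i *Impostor) Respond(challenge []byte) []byte {
	return ed25519.Sign(i.priv, challenge)
}

// Relay forwards the challenge unchanged to the legitimate node and hands the
// answer back. It keeps what passed through it: random bytes and a signature,
// nothing that identifies the session content.
type Relay struct {
	upstream Responder
	Seen     [][]byte
}

func (r *Relay) Respond(challenge []byte) []byte {
	r.Seen = append(r.Seen, challenge)
	return r.upstream.Respond(challenge)
}

// Tamperer forwards too, but flips one bit of the reply in transit.
type Tamperer struct{ upstream Responder }

func (t *Tamperer) Respond(challenge []byte) []byte {
	sig := t.upstream.Respond(challenge)
	sig[0] ^= 0x01
	return sig
}

// Client carries the bootstrap public key shipped in its binary.
type Client struct{ pinned ed25519.PublicKey }

// Bootstrap sends a fresh random challenge and accepts the peer only if the
// reply verifies under the pinned key.
func (c *Client) Bootstrap(peer Responder) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	return ed25519.Verify(c.pinned, challenge, peer.Respond(challenge))
}

// Scenarios runs the four cases discussed in the thread and reports whether
// the client accepted each peer. Keys are generated fresh (constructed input).
func Scenarios() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, fakePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	legit := &BootstrapNode{priv: priv}
	client := &Client{pinned: pub}
	return map[string]bool{
		"legitimate node":  client.Bootstrap(legit),
		"impostor node":    client.Bootstrap(&Impostor{priv: fakePriv}),
		"forwarding relay": client.Bootstrap(&Relay{upstream: legit}),
		"tampering relay":  client.Bootstrap(&Tamperer{upstream: legit}),
	}
}

func main() {
	for name, accepted := range Scenarios() {
		fmt.Printf("%-17s accepted=%v\n", name, accepted)
	}
}
```

The forwarding relay being accepted is the point raised above: the client still ends up talking to the real node, and the relay is left holding ciphertext it cannot read.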

I thought I heard or read a response from David Irvine that stated plainly that there is a way to trace uploaded material to its originator but that it would be an extremely costly process that only a nation state with extensive resources might be able to undertake. YO’s concern for North Korean Dissenters and Documentarian Rapists is not unfounded if that is true. That said the reach of the well funded hacker is likely not enough to penetrate the levels of security built into the safenetwork but the reach of the Nation State is likely a completely different ballgame.


Friend, I never argued against this. What I did is merely inform you that routing and being in the middle is not an attack per se, just an observational capability that would yield very little return. Since they can’t see shit, they remain uninformed as to the details of the activity. Let them swallow all the metadata they want and let them enjoy the server costs however negligible.

Nobody is just carelessly saying everything is fine here like some mindless morons. We give technical details and account for most mitigation techniques. Please don’t attempt to paint us as airhead fanatics, it makes you seem bitter. A childish quality IMO.

The network is called SAFE, which is an acronym for secure access for everyone. Security is not the same as anonymity. So I don’t know where you got the idea that this is the main marketing hook. Just look at the video on the main website. Yes, SAFE is designed to grant a user as much anonymity as possible but it cannot prevent local tyranny. Crazy dictators is what we hope to over time eliminate by allowing the freedom to disseminate information and prevent the erasure of critical politically damning evidence. Technology cannot solve all problems but it can facilitate change.

SAFE aims to make one’s activities on the network impossible to connect with the user. Unfortunately there are governments that have no humanitarian boundaries. It’s sad.

Though this alone isn’t enough to claim the network will fail or experience little usage. The vast majority of the world still has their relevant liberties intact. With mesh, low orbit satellites, and long range narrow beam technologies maturing, this becomes less of a problem as time progresses.

Of course, that’s why you’re still here. Need I mention that you have yet to really start brainstorming solutions. Over and over you keep reiterating the message of doom and failure. Your behavior is so one sided it makes me suspicious. Others might label this as fear mongering and an initial attempt to misinform. I’m still undecided.

I don’t know how this would be possible as once the data is on the network it is untethered. Even public data is uploaded in encrypted form and is only detectable once it has been completely uploaded. Would be nice if David could shed some light on this.

With extreme passive surveillance it might be possible to record all activity on the network then rewind and attempt to find a pattern as Mr. anonymous has previously stated. This would of course be very difficult yielding below perfect accuracy.

That might be okay for targeting terrorists but unacceptable for prosecution as it leaves the plausible deniability defense available and quite strong.

The continued growth of the network means that this kind of surveillance will begin providing diminishing returns over time. Then again they could always have an ace up their sleeve. If they do, they’re reserving it for something very high profile. Otherwise Tor, I2P, Freenet and friends would have been obliterated long ago. There is a lot to hang them for after all. :wink:

Never said it was unfounded. We were discussing the mechanics of the bootstrapping process among other things. I already acknowledged the implications for those living in oppressive regimes.


The post before that:

:confused:

I’ve wasted more than enough time on this. If you can’t even hold onto your own thoughts there’s no chance you’re going to grasp what I’m telling you.

Wait what!? Are you suggesting that man in the middle is possible?

What I DID NOT argue against is the fact that an ISP is responsible for routing packets. Everything I said was valid.

Lol. Nice try though. I didn’t expect this (well kinda) from you. Oh well such is reality. :relieved:

EDIT: Wait for it. Wait for it. Here it comes!!! Time for a meaningless and fruitless jab…