
Design of a simple truly anonymous email system for all


Mok-Kong Shen

Apr 8, 2012, 3:35:12 PM

In view of the tendency of certain governments to put the electronic
communication of common people under increasingly intensified
surveillance [1], it may be worthwhile IMHO to consider the possibility
of a relatively simple to be realized email system that provides truly
anonymous communication of (albeit fairly) limited capacity to
everybody. (The result of a recent discussion elsewhere was that e.g.
Yahoo's free email accounts and internet cafes in combination couldn't
achieve that goal, since certain genuine personal data are known to the
provider.) Lacking knowledge, I am sketching below a proposed
preliminary rough design, in the hope of eventually obtaining
improvements from critiques and comments of the experts.

Assumptions:

(A) Someone (hereafter designated provider) in a democratic country with
comparatively liberal policy with respect to IT surveillance has the
resources and the right to run a server.

(B) Ordinary mails by post from the users to the provider are not
intercepted.

Mode of operation:

(a) Anyone can via an anonymous ordinary mail inform the provider of a
pseudonym and a corresponding password.

(b) The provider publishes on his webpage a list of the pseudonyms and
the allotted serial numbers of the accounts.

(c) The user can have at any time a limited number (say 10) of posts of
limited length (say 25 lines of 80 bytes) sent via an input
window in the webpage of the provider and stored in his account in
a FIFO manner.

(d) Anyone is free to view the content of any account via the account
serial number or the pseudonym of the sender.

Some discussions of my own:

(1) Concerning (B): A user from a highly non-democratic country may be
able to let a friend living somewhere else register for him.

(2) If the posts are well encrypted and with authentication (containing
date and message serial number), even the provider couldn't do
anything evil. For the worst case would be bogus posts, from which
the communication partners would very soon learn of the defect. It
is of course assumed that the password system is ok such that no
outsider can post into a foreign account.

(3) Possible financial problems could be solved via free donations from
sponsors or users (including banknotes sent via ordinary mail) or
allowing some commercial stuffs in the webpage of the provider.

(4) An attack through large amounts of bogus registrations is unlikely,
for that is not done electronically but via ordinary mails, which
costs something. I am not sure that server capacity exhaustion
absolutely couldn't occur eventually but surmise that's in any case
sufficiently satisfactorily solvable, e.g. through an expiration
date of the accounts, raising a small amount of registration fees
or yearly fees (with banknotes sent via ordinary mail), etc.

(5) Of course a provider with goodwill is assumed. Hopefully there would
also be more than one such provider for any user to choose from.

(6) Mirror sites at different geographical locations may be considered
in order to somewhat enhance the availability of the service in
unexpected adverse situations. Surely the system would fail to
function under the attack of an opponent who is mighty enough to
break even certain fundamental security components of the internet
communication, in particular the digital signatures. (Nevertheless
no secret will be lost, as long as the encryption done by the user
is strong enough.)

(7) The user should change his password at the first trial so as to
ease the security measures to be taken by the provider.

(8) Of course all posts into an account should be done exclusively
from an anonymous location, e.g. an internet cafe or a call shop.
Reading of posts should also be done from an anonymous location
so that no correlations could be done.

M. K. Shen

-----------------------------------------------------------------------

[1]
http://www.washingtonpost.com/world/europe/britain-weighs-proposal-to-allow-greatly-increased-internet-snooping/2012/04/02/gIQAOerQrS_story_1.html


Landmark

Apr 10, 2012, 6:56:43 AM
Mok-Kong Shen <mok-ko...@t-online.de> wrote:

>In view of the tendency of certain governments to put the electronic
>communication of common people under increasingly intensified
>surveillance [1], it may be worthwhile IMHO to consider the possibility
>of a relatively simple to be realized email system that provides truly
>anonymous communication of (albeit fairly) limited capacity to
>everybody.

Do you mean anonymous communications or private communications? I'd
think anonymous means someone can speak to me and I can reply to them
without me being able to find out who they are. There have been
anonymising proxies in the past, but these days it's fairly easy for
someone to set up a throwaway hotmail address or similar and use it
for one conversation before discarding it again.

I think there are two elements you have to consider when thinking
about private communications

1) Stopping people knowing what is being said
2) Stopping people knowing who you are talking to

The first isn't that difficult. There is plenty of technology around
to securely encrypt messages, public key/private key solves the key
exchange problem, and https stops eavesdropping on the message in
transit. Online disk space isn't really an issue these days so I don't
think you'd need to worry about limiting message size or storage
periods.

However, the technology itself isn't really the issue. Most people
fail because they choose poor passwords, or choose a really
complicated one that they have to keep written down somewhere, or they
have decrypted copies of messages on their computer, etc.

Even if you do all the technical stuff really well, that might not be
enough. In the UK, for instance, whilst it's legal to encrypt files,
you can also be required to decrypt files if the police have a search
warrant. Failure to decrypt files carries a two year prison sentence,
and claiming you have forgotten the password is not an allowable
excuse. Other countries don't have such laws, but being beaten with a
rubber hose by the security services until you hand over your password
can be just as effective as a search warrant.

The second requirement, stopping people knowing who you are talking
to, is more difficult to do without leaving traces. If you communicate
via a trusted third party system, you still have the problem that
somehow you have to agree in the first place to use that system and
exchange addresses. Unless you are meeting face to face to do that,
you run the risk of leaving a trace or flagging up an association.

You also hit the problem that usage of the third party system can
itself be monitored and usage of it might automatically be regarded as
suspicious. Given plenty of data, patterns could be detected. For
instance, if you were monitoring subject A and subject B, and both
were using the service to exchange plans, you might find clues such as
A sends a really big message and ten minutes later, B reads a really
big message, then sends a short message, and ten minutes after that, A
reads a short message and sends another message out.

>(8) Of course all posts into an account should be done exclusively
> from an anonymous location, e.g. an internet cafe or a call shop.
> Reading of posts should also be done from an anonymous location
> so that no correlations could be done.

That too can be behaviour which alerts someone to persons of interest.
If you have an internet connection at home but then go out to an
Internet cafe once a day to do something, it's obviously going to
arouse suspicion. What's more, it would be a lot easier to slip
hardware key loggers into the computers at your favourite internet
cafe than it would to do that in your home. It would also be easier
for someone to shoulder surf you and read your screen in a public
location or better still, position a camera to record your whole
session.

As a general rule, good encryption systems need to be designed by
people with a lot of experience of cracking encryption. You see a lot
of people with no experience of cracking codes who dream up algorithms
and think it's going to be secure. I expect the same is true of secure
email. To design a secure messaging system, you first have to be
really experienced at knowing how to crack open the existing ones.

Hans-Georg Michna

Apr 10, 2012, 12:32:26 PM
On Tue, 10 Apr 2012 11:56:43 +0100, Landmark wrote:

>Even if you do all the technical stuff really well, that might not be
>enough. In the UK, for instance, whilst it's legal to encrypt files,
>you can also be required to decrypt files if the police have a search
>warrant. Failure to decrypt files carries a two year prison sentence,
>and claiming you have forgotten the password is not an allowable
>excuse. Other countries don't have such laws, but being beaten with a
>rubber hose by the security services until you hand over your password
>can be just as effective as a search warrant.

This can easily be overcome with undetectable, deniable
encryption. Steganography is one example.

Hans-Georg

Hans-Georg Michna

Apr 10, 2012, 12:34:16 PM
On Sun, 08 Apr 2012 21:35:12 +0200, Mok-Kong Shen wrote:

>In view of the tendency of certain governments to put the electronic
>communication of common people under increasingly intensified
>surveillance [1], it may be worthwhile IMHO to consider the possibility
>of a relatively simple to be realized email system that provides truly
>anonymous communication of (albeit fairly) limited capacity to
>everybody. (The result of a recent discussion elsewhere was that e.g.
>Yahoo's free email accounts and internet cafes in combination couldn't
>achieve that goal, since certain genuine personal data are known to the
>provider.) Lacking knowledge, I am sketching below a proposed
>preliminary rough design, in the hope of eventually obtaining
>improvements from critiques and comments of the experts.
>
>Assumptions:
>
>(A) Someone (hereafter designated provider) in a democratic country with
> comparatively liberal policy with respect to IT surveillance has the
> resources and the right to run a server.

Here is the weak spot. The institution wanting to do the
surveillance can buy or create such a server.

You need trust, but trust is not easy to establish anonymously.

Hans-Georg

Mok-Kong Shen

Apr 10, 2012, 7:08:31 PM
On 10.04.2012 12:56, Landmark wrote:
> Mok-Kong Shen <mok-ko...@t-online.de> wrote:
>
> Do you mean anonymous communications or private communications? I'd
> think anonymous means someone can speak to me and I can reply to them
> without me being able to find out who they are. There have been
> anonymising proxies in the past, but these days it's fairly easy for
> someone to set up a throwaway hotmail address or similar and use it
> for one conversation before discarding it again.

I have never had a throwaway address. Hence a question: Does one
on registration have to provide some personal data that are genuine,
or the provider doesn't check or even require such data at all?

> I think there are two elements you have to consider when thinking
> about private communications
>
> 1) Stopping people knowing what is being said
> 2) Stopping people knowing who you are talking to
>
> The first isn't that difficult. There is plenty of technology around
> to securely encrypt messages, public key/private key solves the key
> exchange problem, and https stops eavesdropping on the message in
> transit. Online disk space isn't really an issue these days so I don't
> think you'd need to worry about limiting message size or storage
> periods.
>
> However, the technology itself isn't really the issue. Most people
> fail because they choose poor passwords, or choose a really
> complicated one that they have to keep written down somewhere, or they
> have decrypted copies of messages on their computer, etc.
>
> Even if you do all the technical stuff really well, that might not be
> enough. In the UK, for instance, whilst it's legal to encrypt files,
> you can also be required to decrypt files if the police have a search
> warrant. Failure to decrypt files carries a two year prison sentence,
> and claiming you have forgotten the password is not an allowable
> excuse. Other countries don't have such laws, but being beaten with a
> rubber hose by the security services until you hand over your password
> can be just as effective as a search warrant.

Yes, one has to avoid that the authority knows that one sends posts
to the provider. I suppose that could be achieved in practice, excepting
the case where one is particularly under surveillance, e.g. being
suspected to be a drug dealer.

> The second requirement, stopping people knowing who you are talking
> to, is more difficult to do without leaving traces. If you communicate
> via a trusted third party system, you still have the problem that
> somehow you have to agree in the first place to use that system and
> exchange addresses. Unless you are meeting face to face to do that,
> you run the risk of leaving a trace or flagging up an association.

The partners that communicate have somehow (i.e. directly or indirectly
through their trusted friends) to know the pseudonyms of each other.
The provider and other persons don't know their true names.

> You also hit the problem that usage of the third party system can
> itself be monitored and usage of it might automatically be regarded as
> suspicious. Given plenty of data, patterns could be detected. For
> instance, if you were monitoring subject A and subject B, and both
> were using the service to exchange plans, you might find clues such as
> A sends a really big message and ten minutes later, B reads a really
> big message, then sends a short message, and ten minutes after that, A
> reads a short message and sends another message out.

Even if it is observed that the messages of A and B (both in pseudonyms)
are correlated (in time) to some extent, IMHO that doesn't matter much.
For the observer doesn't have any idea of who they are in reality and
what is being talked about.

>> (8) Of course all posts into an account should be done exclusively
>> from an anonymous location, e.g. an internet cafe or a call shop.
>> Reading of posts should also be done from an anonymous location
>> so that no correlations could be done.
>
> That too can be behaviour which alerts someone to persons of interest.
> If you have an internet connection at home but then go out to an
> Internet cafe once a day to do something, it's obviously going to
> arouse suspicion. What's more, it would be a lot easier to slip
> hardware key loggers into the computers at your favourite internet
> cafe than it would to do that in your home. It would also be easier
> for someone to shoulder surf you and read your screen in a public
> location or better still, position a camera to record your whole
> session.

If one is severely under observation, e.g. being suspected to be
a drug dealer, then that could easily be the case. On the other hand,
I don't believe any government has the resources to do that for the
common people in general. In the city where I live, for example, there
are quite a number of people who don't have internet connections at
home and they use to go to the call shops to send emails and do surfing.

> As a general rule, good encryption systems need to be designed by
> people with a lot of experience of cracking encryption. You see a lot
> of people with no experience of cracking codes who dream up algorithms
> and think it's going to be secure. I expect the same is true of secure
> email. To design a secure messaging system, you first have to be
> really experienced at knowing how to crack open the existing ones.

The block encryption AES is standardized and is commonly considered
to be sufficiently secure. A good message authentication is IMHO needed.
(I unfortunately don't have much knowledge in that issue, but as far as
I know that isn't a big practical problem.)

Many thanks for the comments.

M. K. Shen

Mok-Kong Shen

Apr 10, 2012, 7:08:34 PM
You are certainly right. The institution could well secretly pose
as a provider itself. Since it doesn't know who is talking to whom and
what is being talked about, the worst that could happen is only that the
communication through that provider fails to function for those pairs
of partners having one of their accounts rendered inoperable by the
provider. On the other hand, if it were to block the posts of all its
users, then it would be out of business.

One would thus have to hope that there exist some providers in the
world that are honest and willing to render service to other people.

Landmark

Apr 10, 2012, 9:23:45 PM
Mok-Kong Shen <mok-ko...@t-online.de> wrote:

>I have never had a throwaway address. Hence a question: Does one
>on registration have to provide some personal data that are genuine,
>or the provider doesn't check or even require such data at all?

Hi M-K, last time I set up a Hotmail address, I'm pretty sure I didn't
need to provide anything to authenticate myself. It requested an email
address so it could send password reminders if you needed it, but I'm
pretty sure it was and still is optional. For the purposes of research
you should try it and see just what is required. Hotmail isn't the
only choice of course. There are quite a few free webmail providers
out there, like mail.com, fastmail.fm, alternativefuse.com and so on
and you can have a completely made up user ident as the front half of
your webmail address, like DT139678_44GJJ_X if you wanted to.

Since they are free, you don't have to leave a credit card trail and
if they support HTTPS and you are mailing another user who is also
using the same service via HTTP then it's going to be pretty difficult
for anyone to spy on your net traffic and find out which anonymous
ident is mailing which other anonymous ident.

You should look particularly at Hushmail which is set up as a secure
webmail system which only stores data in encrypted form etc.

>Yes, one has to avoid that the authority knows that one sends posts
>to the provider. I suppose that could be achieved in practice, excepting
>the case where one is particularly under surveillance, e.g. being
>suspected to be a drug dealer.

and later on you said

>If one is severely under observation, e.g. being suspected to be
>a drug dealer, then that could easily be the case. On the other hand,
>I don't believe any government has the resources to do that for the
>common people in general.

I think this touches on why you want a secure and concealed email.
Your original post mentioned government monitoring such as is being
conceived in the UK and probably already happens routinely in some
countries. Obviously I don't particularly want to make life easier for
drug dealers, terrorists, etc, but I do accept that there are other
groups such as political dissidents who would like mail which the
government cannot monitor and which cannot be retrieved at a later
date. But whatever the reason, you need to accept that if you become a
person of interest to the watchers then they do have the resources to
do things like correlation checks of when you and other persons of
interest are sending possibly matching messages, install key loggers
on computers, sniff data off WiFi connections, and so on.

I think you also should be aware that no matter how good a system you
build, most people won't use it because they perceive the ordinary
POP3 email they get from their service provider to be all they need,
so using some sort of anonymising service can automatically make you a
person of interest to the people who want to monitor us. In some ways
you are better off using something like hotmail which is already used
by millions of people for mundane comms so that you can be lost in the
crowd, and exchange sensitive data in encrypted attachments, or
disguised using steganography etc as Hans-Georg suggested.

>Even if it is observed that the messages of A and B (both in pseudonyms)
>are correlated (in time) to some extent, IMHO that doesn't matter much.
>For the observer doesn't have any idea of who they are in reality and
>what is being talked about.

Actually, that is really what the UK bill is about. The plan isn't to
monitor the content of emails but to keep records of who talked to who
and when which can divulge an enormous amount about relationships
between people. Phone call records are already used extensively for
this purpose.

>The block encryption AES is standardized and is commonly considered
>to be sufficiently secure. A good message authentication is IMHO needed.
>(I unfortunately don't have much knowledge in that issue, but as far as
>I know that isn't a big practical problem.)

You might find this article interesting.

http://g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html

It describes how the Brazilian police and then the FBI were unable to
decrypt files where AES and Truecrypt had been used to protect them,
even though the FBI spent a year running them through its cracking
software.

The crucial thing here is that the banker who was under investigation
had been incredibly disciplined in choosing a password which wasn't
susceptible to a dictionary attack, which was too long for a brute
force attack, and he'd never written down his password or used
something corny like his name spelt backwards, (it's amazing how many
people do that and think no one will ever guess it). So the technology
to make secure files is there. It's people that are the weak spot.



Spam Guy

Apr 11, 2012, 9:28:37 AM
Mok-Kong Shen wrote:

> I have never had a throwaway address. Hence a question: Does one
> on registration have to provide some personal data

hushmail.com.

No personal data, no verification e-mail sent to another e-mail address.

Just answer a captcha to prove you're not a bot.

Gordon Levi

Apr 11, 2012, 9:29:15 AM
Mok-Kong Shen <mok-ko...@t-online.de> wrote:

>I have never had a throwaway address. Hence a question: Does one
>on registration have to provide some personal data that are genuine,
>or the provider doesn't check or even require such data at all?

A Gmail address only requires a user name and password. You can use
Gmail as a POP or IMAP server or ask it to forward the mail so you can
easily manage any number of throwaway addresses.

Landmark

Apr 11, 2012, 9:57:30 PM
Gordon Levi <gor...@address.invalid> wrote:

>A Gmail address only requires a user name and password. You can use
>Gmail as a POP or IMAP server or ask it to forward the mail so you can
>easily manage any number of throwaway addresses.

I'd have big reservations about recommending Gmail for someone who is
concerned about privacy. Google's business is built around profiling
people and tying together all the info they can about you, via your
search history etc.

Ivan Shmakov

Apr 11, 2012, 11:44:40 PM
>>>>> Landmark <dontm...@no.junkmail.here> writes:
>>>>> Gordon Levi <gor...@address.invalid> wrote:

[Cross-posting to news:alt.privacy, just for the case.]
For this reason, I usually keep Google Mail sessions in a
separate browser instance.

Also note that Tor (https://www.torproject.org/) may help
conceal your identity from the e-mail provider itself.

--
FSF associate member #7257

Ivan Shmakov

Apr 11, 2012, 11:47:09 PM
>>>>> Gordon Levi <gor...@address.invalid> writes:
>>>>> Mok-Kong Shen <mok-ko...@t-online.de> wrote:

[Cross-posting to news:alt.privacy, just for the case.]

>> I have never had a throwaway address. Hence a question: Does one on
>> registration have to provide some personal data that are genuine, or
>> the provider doesn't check or even require such data at all?

> A Gmail address only requires a user name and password.

Also to consider are http://noemail.in/ (requires a name, which
is the "local part", and a captcha; mail boxes expire after some
time) and Tor Mail (http://jhiwjjlqpyawmpjx.onion/, accessible
only via Tor, https://www.torproject.org/.)

> You can use Gmail as a POP or IMAP server or ask it to forward the mail
> so you can easily manage any number of throwaway addresses.

... However, this may allow the e-mail provider to deduce that
the accounts are related.

Gordon Levi

Apr 12, 2012, 8:22:25 AM
Good point, but the mail service including spam filtering is hard to
beat. As for privacy, I have a plan. It's a little program that does
random Google searches to ensure that the profile they have is not of
me.

Landmark

Apr 12, 2012, 11:52:47 AM
Gordon Levi <gor...@address.invalid> wrote:

>Good point, but the mail service including spam filtering is hard to
>beat. As for privacy, I have a plan. It's a little program that does
>random Google searches to ensure that the profile they have is not of
>me.

Yes, although in the context of the original question, I didn't think
spam would be an issue. The OP never came back to us to tell us why he
wanted anonymity but let's suppose he's a political activist or
dissident (which can be either a freedom fighter or a terrorist
depending on who owns the news station) and needs to set up a way of
communicating with his colleagues without his messages being scanned
by a state-run email monitoring system looking for keywords. So in
that scenario I'd be guessing the two correspondents would have picked
unlikely email addresses and never publicised them anywhere since they
want to stay off the radar as much as possible, don't want to
accidentally get it linked via cookie to their facebook page or
anything like that. They'd also be looking for webmail services in
other countries to their own so that, should their email addresses
fall into the hands of the watchers, the watchers cannot so easily go
to the webmail provider with a court order demanding identity info.

However, if you decide to use Hushmail, for example, then it might be
that this is itself of interest to the watchers who will undoubtedly
take the attitude "If they have nothing to hide then why are they
using hushmail?" flawed as that argument is, so it may be better for
correspondents to use a very popular service like Gmail which will not
arouse suspicion, offers moderate anonymity, and which allows them to
hide their sensitive messages in pictures etc.


Landmark

Apr 13, 2012, 5:42:27 AM
Tim Streater <timst...@greenbee.net> wrote:

> Not sure I want someone else deciding on my behalf
> what constitutes spam.

Well if you want to go through all your mails by hand and do your own
spam filtering manually then fine, you can do, no-one is forcing you
to use spam filtering tools, but for many people their email accounts
would be unusable if they didn't employ some sort of spam defences. If
people want a webmail account with spam filtering then Gmail gets a
lot of positive recommendations in this regard.


Thor Kottelin

Apr 13, 2012, 6:05:24 AM
"Landmark" <dontm...@no.junkmail.here> wrote in message
news:hvsfo7p9600i1pd9f...@4ax.com...
I have tried using Gmail for throwaway accounts (e.g. when buying stuff
online), and I am quite underwhelmed. Gmail places spam in a spam folder.
This is not very useful, as the user still needs to check for false
positives. The right way to handle spam is to reject it during the SMTP
dialog.

In addition, Gmail delivered a lot of spam right into my inbox folder, so
I see little reason for 'positive recommendations'. Of course, Gmail is
free, and one gets what one pays for. Gmail also unleashes endless amount
of outgoing spam on the Internet community.

--
Thor Kottelin
http://www.anta.net/


Mok-Kong Shen

Apr 13, 2012, 3:36:33 PM
The main reason I suggested that there be means of truly anonymous
communications available to everybody was given in the first sentence
of my OP. I myself don't have currently, and also don't hope to have
in any near future, any need of anonymous communications. But I am
as a principle opposed to the governments' limiting the freedom of
common people on the questionable grounds that the communication of
(the comparatively negligible small number of) certain criminals of
the common type or some non-conformists of the ruling parties of the
governments are done using phones or the Internet just in the 'same'
way like the common people. (Should drinking of water be under
control/limitation as well just because some bad guys also drink
water??) That's why my proposal to (if it's successful in practice)
demonstrate the fundamental nonsense of limiting the freedom of common
people in such manners.

Once again I like to say that I am happy to learn the information
given in the diverse follow-ups. BTW, I learnt elsewhere that there
is a usenet group alt.anonymous.messages and found that there exist
evidently already some communications there via encrypted messages.
I think that one problem there could be that any third party could
post under the same pseudonym that one is using. While with proper
message authentication codes the bogus messages could be identified,
there could however under circumstances IMHO be a non-trivial issue
of how to adequately/conveniently filter in order to read the proper
messages. With a webpage of the kind I proposed, where a password
is needed to post, this deficiency could hardly ever arise (assuming
that the password system is intact and that the provider is a good guy).

M. K. Shen

Nomen Nescio

Apr 15, 2012, 4:50:10 AM
Hello,

actually this system already exists. In fact it's been around for a while.
Have a look at http://en.wikipedia.org/wiki/Mixmaster_anonymous_remailer

It is similar to Tor, if you know what I mean. mixmaster can be set up for
mail and news - in fact I'm sending this article through the mixmaster
network.

Regards
anon

Mok-Kong Shen

Apr 15, 2012, 11:59:02 AM
I learnt elsewhere that there is the usenet group alt.anonymous.messages
and found that there are encrypted messages posted with pseudonyms.
Lacking knowledge, I don't yet see what additional security benefits
the remailers could offer (and surmise that there could even be
disadvantages). One problem IMHO with the said usenet group is that
any third party could post bogus mails under one's pseudonym and these
under circumstances need to be appropriately filtered out. With my
proposal no such bogus mails could ever occur, since a login password
is needed to post (assuming that the provider is not a bad guy).

M. K. Shen


Mok-Kong Shen

Apr 15, 2012, 2:55:35 PM
On 15.04.2012 18:47, Andreas Mattheiss wrote:
> there seems to be some misunderstanding here.
>
>> Lacking knowledge, I don't yet see what additional security benefits the
>> remailers could offer (and surmise that there could even be
>> disadvantages). One problem IMHO with the said usenet group is that any
>
> The big thing about remailers is that they totally obfuscate from which IP
> a message comes from. The design is rather clever and can be attacked only
> under some rather esoteric circumstances. Look at "Nomen Nescio"
> article's headers - they are most certainly not the original ones.

A couple of questions of ignorance: Could authorities (or bad guys)
somehow monitor the input to the remailers and hence know the IPs from
which some encrypted stuffs have been sent? If yes, one has to use
e.g. the IP of an internet cafe. If the recipient gets the encrypted
mails at home, one knows his IP. So he also has to get the mails
from a neutral place. But then I don't yet see why both partners
couldn't simply post to alt.anonymous.messages.

M. K. Shen

Thor Kottelin

Apr 15, 2012, 3:43:50 PM
"Andreas Mattheiss" <pleas...@publicly.invalid> wrote in message
news:pan.2012.04.15....@publicly.invalid...

> Am Sun, 15 Apr 2012 20:55:35 +0200 schrieb Mok-Kong Shen:
>
>> A couple of questions of ignorance: Could authorities (or bad guys)
>> somehow monitor the input to the remailers and hence know the IPs from
>> which some encrypted stuff has been sent?

> no, it can't be monitored, by design. This is what it's all about.

If I understand correctly, the IP addresses from which encrypted messages
have been sent can indeed be known. However, encryption would make it
difficult for an eavesdropper to find out the contents of the messages. By
chaining remailers, the sender can also make it difficult for an
eavesdropper to ascertain for which recipients the messages are intended.
Traffic analysis can be made even more difficult by sending dummy messages
or by running a remailer that is also used by others.

Mok-Kong Shen

Apr 15, 2012, 4:09:59 PM
I am a layman, but I believe that any email sent anywhere must first go
through an internet service provider (unless one is one such oneself)
who assigns the IPs to the clients and hence the IPs are known to the
internet service provider and can't be completely secret.

I should explicitly add to my OP that all the messages are meant to
be encrypted and with MACs, so that it could be detected by the
communication partners whether there are bogus posts (inserted by a
provider who turns out not to be a good guy).

M. K. Shen
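
The MAC check described in the post above, as an added example that is not part of the original post: recipients filter a publicly readable account using HMAC-SHA256 over pseudonym, sequence number and ciphertext. The sequence number, the pre-shared MAC key and all function names are assumptions of this example; the ciphertext is treated as opaque bytes and the sample posts are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def _tag(mac_key, pseudonym, header, body):
    # Binding the pseudonym stops a genuine post being copied to another account.
    msg = pseudonym.encode() + b"\x00" + header + body
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(mac_key, pseudonym, seq, ciphertext):
    """Sender side: 8-byte sequence number || ciphertext || tag."""
    header = struct.pack(">Q", seq)
    return header + ciphertext + _tag(mac_key, pseudonym, header, ciphertext)

def filter_posts(mac_key, pseudonym, posts, last_seq):
    """Recipient side: return (accepted, rejected, missing).

    accepted: (seq, ciphertext) pairs in sequence order
    rejected: (index, reason) for forged or replayed posts
    missing:  sequence numbers skipped since last_seq (possible suppression)
    """
    accepted, rejected, seen = [], [], set()
    for i, post in enumerate(posts):
        if len(post) < 8 + TAG_LEN:
            rejected.append((i, "too short"))
            continue
        header, body, tag = post[:8], post[8:-TAG_LEN], post[-TAG_LEN:]
        # Constant-time comparison avoids leaking how much of the tag matched.
        if not hmac.compare_digest(tag, _tag(mac_key, pseudonym, header, body)):
            rejected.append((i, "bad MAC"))
            continue
        seq = struct.unpack(">Q", header)[0]
        if seq <= last_seq or seq in seen:
            rejected.append((i, "replayed"))  # genuine post shown again
            continue
        seen.add(seq)
        accepted.append((seq, body))
    accepted.sort()
    newest = accepted[-1][0] if accepted else last_seq
    missing = sorted(set(range(last_seq + 1, newest + 1)) - seen)
    return accepted, rejected, missing

def demo():
    key = b"constructed-shared-mac-key-32byt"  # constructed sample key
    genuine = [seal(key, "alice", n, b"ct-%d" % n) for n in (5, 6, 8)]
    forged = struct.pack(">Q", 7) + b"ct-7" + b"\x00" * TAG_LEN  # no valid tag
    account = [genuine[0], forged, genuine[1], genuine[1], genuine[2]]
    return filter_posts(key, "alice", account, last_seq=4)
```

A MAC alone only catches inserted posts; the sequence number is what lets the partners also notice a repeated or withheld post.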

Mok-Kong Shen

Apr 15, 2012, 4:28:37 PM
Am 15.04.2012 22:17, schrieb Tim Streater:

> If I'm running my own mail host, and so are you, then AFAIK we can
> exchange mail without leaving too much of a trace. Certainly with no
> copy of the email sitting on a server belonging to an ISP, unless they
> take steps to intercept it.

Again I don't have exact knowledge. But I believe that on one level
higher an ISP is just like us with respect to the ISPs. An ISP has
to communicate with some machines on the internet that relay the
messages to the destinations and hence must have a unique identity
itself, i.e. can't be anonymous.

M. K. Shen

Thor Kottelin

Apr 15, 2012, 4:39:03 PM
"Tim Streater" <timst...@greenbee.net> wrote in message
news:timstreater-66CC...@news.individual.net...
> In article <jmf9uo$ifu$1...@news.albasani.net>,
> Mok-Kong Shen <mok-ko...@t-online.de> wrote:
>
>> Am 15.04.2012 21:43, schrieb Thor Kottelin:

>> > If I understand correctly, the IP addresses from which encrypted
>> > messages have been sent can indeed be known. However, encryption
>> > would make it difficult for an eavesdropper to find out the contents
>> > of the messages.

>> I am a layman, but I believe that any email sent anywhere must first go
>> through an internet service provider (unless one is one such oneself)
>> who assigns the IPs to the clients and hence the IPs are known to the
>> internet service provider and can't be completely secret.
>
> If I'm running my own mail host, and so are you, then AFAIK we can
> exchange mail without leaving too much of a trace. Certainly with no
> copy of the email sitting on a server belonging to an ISP, unless they
> take steps to intercept it.

For the purposes of this discussion, it would probably be useful to assume
that the eavesdropper has physical access to the network and thus is not
dependent on evidence left on endpoint devices.

Mok-Kong Shen

Apr 15, 2012, 5:56:55 PM
Am 15.04.2012 22:39, schrieb Thor Kottelin:

> For the purposes of this discussion, it would probably be useful to
> assume that the eavesdropper has physical access to the network and thus
> is not dependent on evidence left on endpoint devices.

I assume that the surveillance is done by a mighty agency that can
tap anywhere it wants on the communication network. In regions served
by an ISP it could for convenience let the work be done indirectly
through the ISP.

M. K. Shen

Luigi

Oct 30, 2012, 8:16:34 PM
Your problems are already solved. Read about anonymous remailers and
nym servers (http://en.wikipedia.org/wiki/Anonymous_remailer).

What you need is a nym server account, and for you as a Windows user
the most efficient way to interact with nym servers is a local proxy
server called OmniMix (http://www.danner-net.de/om.htm), which also
processed this message sent by my standard mail & news client.

Luigi
