[116616] in Cypherpunks

FW: Is Privada Snake Oil?

daemon@ATHENA.MIT.EDU (Support Mailbox)
Mon Aug 16 13:57:46 1999

Message-ID: <99921504273ED211969D00104B6AB2F55F3B44@fileserver.zks.net>
From: Support Mailbox <support@zeroknowledge.com>
To: cypherpunks@toad.com, coderpunks@toad.com, dang@cnet.com,
        support@privada.net
Date: Mon, 16 Aug 1999 13:33:40 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Reply-To: Support Mailbox <support@zeroknowledge.com>

Oops, 

Didn't mean to send that from my test account.   That should have gone out
from this account. (Just trying to be clear that I do work for a
competitor). (And BTW - I'm not speaking for my employer, the facts are just
plain wrong and I had to throw in my two cents.   The NYTimes article at
http://www.nytimes.com/library/tech/99/08/biztech/articles/16data.html talks
specifically about how they do escrow identities for tracking purposes, yet
this article talks about how good the system is because it isn't vulnerable
to subpoena.  Dan even talks about how this information can be abused in his
article on Scientology at http://www.news.com/News/Item/0,4,37383,00.html )


-Jordan
jordan@zeroknowledge.com

-----Original Message-----
From: Hot Pop [mailto:testme@hotpop.com] 
Sent: August 16, 1999 3:06 PM
To: cypherpunks@toad.com; coderpunks@toad.com; dang@cnet.com;
support@privada.net
Subject: Is Privada Snake Oil?


Dear Dan,

With regards to your article about Privada's impending privacy service,

http://www.news.com/News/Item/0,4,40503,00.html?st.ne.fd.gif.j

> Until now, people who wanted to prevent Web sites from collecting private
> information had to use so-called proxy sites such as Anonymizer.com. Used
> as a jumping-off point, proxy sites block other Web sites from gaining
> access to user information.

> But proxy sites come with drawbacks. First, if presented with a subpoena,
> the sites would likely be required to turn over any information they may
> have about a user. In addition, proxy sites are typically unable to accept
> cookies, which can be useful for eliminating the hassle of repeatedly
> entering passwords.

> Web Incognito uses software that resides on the user's PC to encrypt
> identifying information before it makes its way onto the Internet. Web
> sites that collect information about visitors see only a Privada Internet
> protocol address to which the software connects, the company said.

> The Privada server also acts as a buffer between the visitor and the Web
> site, storing any cookies the user may want to accept. This allows people
> to access personalized Web pages from many different computers because
> cookies are no longer stored on a single machine.

I don't see how this is different from the Pipeline service from
Anonymizer. Privada hasn't published any technical documents,
specifications or opened up their system architecture for peer review. If
client software encrypts my data and then my IP address comes from Privada,
then the system sounds exactly like Pipeline from Anonymizer, which relies
on the Trust of a 3rd party like Anonymizer or Privada. (And if I'm going
to have to trust someone I'd rather trust Anonymizer who has published
details about what the system does and doesn't do)

Privada has gotten criticized by the cryptography community before for
making false claims about being the first to invent bi-directional private
e-mail. I would be cautious and make sure to talk to your security
experts, or people such as Bruce Schneier of Counterpane before reporting
a company's claims about cryptography. Generally a lot of security and
cryptography vendors are referred to as 'Snake Oil Vendors' because the
claims they make are simply not true.

If you are looking for systems that provide true private, encrypted
networking look at systems such as,

http://www.onionrouter.net Onion Routing from NRL

http://www.research.att.com/~crowds/  Crowds from AT&T

http://www.freedom.net Freedom from zeroknowledge

All of these systems have reputable cryptographers and scientists who have
published whitepapers and the systems are based on known security models and
being peer reviewed. (Although a true security system should also have
published source code like PGP).

Please make sure you educate your readers, since the only thing worse than no
security is people believing they have it, when they don't.

Thank you,

Privacy Guy

