On Fri, 23 Feb 2024, Stainless Steel Rat wrote:

> Policies can be changed, modified or revoked at any time. I wouldn't accept
> a Kindle as a gift, given this history. All it would take is for Amazon to
> back-track on their policy, and they could do the same all over again.

Oh yes. I think we have all learned by now that you cannot trust
companies and you cannot trust your government. The only one you can
trust is your self and your family.

> When I /pirate/ something, it's mine, forever.

I sometimes to wonder about how much suffering my pirating causes. I
console myself with the fact that I actually pay for books. It is my
greatest passion. When it comes to the movies and music I pirate, I
think I could honestly live without them, since I am not a huge movie or
music fan. I do occasionally pay for a movie theater visit, but that
happens about 1 or 2 times per year. I probably go to a classical
concert or some small jazz concert about 2-3 times per year and that's
about it.

> It's like privacy-by-policy versus privacy-by-design -- I would always want
> the latter as opposed to the former. That is why I use a nymserver instead
> of Protonmail. Protonmail is built on privacy by policy, whereas the nym-
> server is based on privacy by *design*.

I do not understand how it can be so difficult for even hardened privacy
enthusiasts to understand that if you rely on someone elses service, it
can in theory very easily be broken. For instance, signal. All it takes
is an update and you're smoked.

What is a nymserver? Is it just a storage space where you upload client
encrypted information?

Best regards,
Daniel

On Fri, 23 Feb 2024 22:56:32 +0100, D <nospam@example.net> said:

> On Fri, 23 Feb 2024, Stainless Steel Rat wrote:
>
>> Policies can be changed, modified or revoked at any time. I wouldn't accept
>> a Kindle as a gift, given this history. All it would take is for Amazon to
>> back-track on their policy, and they could do the same all over again.
>
> Oh yes. I think we have all learned by now that you cannot trust
> companies and you cannot trust your government. The only one you can
> trust is your self and your family.
>
>> When I /pirate/ something, it's mine, forever.
>
> I sometimes to wonder about how much suffering my pirating causes. I
> console myself with the fact that I actually pay for books. It is my
> greatest passion. When it comes to the movies and music I pirate, I
> think I could honestly live without them, since I am not a huge movie or
> music fan. I do occasionally pay for a movie theater visit, but that
> happens about 1 or 2 times per year. I probably go to a classical
> concert or some small jazz concert about 2-3 times per year and that's
> about it.

I don't worry about it, let me tell you why. Copyright did not exist prior
to the English Statute of Queen Anne, in 1710. That was the world's first
copyright legislation. Think about it for a moment... Shakespeare's works
were written before copyright, as were the works of Homer, Tacitus, Cato,
Aeschylus, Euripides, Julius Caesar, and countless other classical authors.

Copyright has existed for just over 3 centuries. In the beginning of the
20th Century, the copyright term in the United States was set at, if memory
serves, 28 years, and could be renewed once, for a total of 56 years.

That was quite reasonable. Copyright terms were extended time and again in
the 20th Century, to the point now that copyright terms extend for the life
of the author plus anywhere from 50-100 years, depending on the jurisdiction.

So, for example, you can have a film, say "The Big Broadcast of 1938" made
86 years ago -- not a single individual in that film is alive anymore. Yet,
as far as I can determine, the film is still in copyright. The only entities
who benefit from such bloated copyright terms are corporations.

Speaking of copyright, and artists getting screwed, consider Toni Braxton.
She was locked into contracts that were absolutely outrageous -- the only
way she got out of them was by declaring bankruptcy.

Despite $170 million in worldwide sales, from hits like
"Breathe Again" and "Another Sad Love Song," Braxton said
she got a measly $1,972 royalty check from her first
recording contract.

Pirates did not screw-over Toni Braxton, the recording industry did. To make
matters worse, after Braxton declared bankruptcy and escaped her exploitative
contracts, the recording industry lobbyists pushed to have the law changed
so no one else could do the same as she did (i.e. get out of exploitative
contracts by declaring bankruptcy.)

Consider TV series: e.g. Star Trek. None of the actors get residuals, so if
you watch a pirate copy versus a 'legit' copy, they don't lose any money.

My attitude can be summed-up like this: "FUCK copyright!"

>> It's like privacy-by-policy versus privacy-by-design -- I would always want
>> the latter as opposed to the former. That is why I use a nymserver instead
>> of Protonmail. Protonmail is built on privacy by policy, whereas the nym-
>> server is based on privacy by *design*.
>
> I do not understand how it can be so difficult for even hardened privacy
> enthusiasts to understand that if you rely on someone elses service, it
> can in theory very easily be broken. For instance, signal. All it takes
> is an update and you're smoked.

Yep.
> What is a nymserver? Is it just a storage space where you upload client
> encrypted information?

No. You can think of a nymserver as a specialized type of mailserver. They
have the following properties:

* The nymservers do NOT store any email -- all email is forwarded to a
destination listed in the nym account's reply-block.

* Email, when received, is PGP-encrypted with the public key associated with
the nym account; the encrypted email contains all the original headers that
were in the original email.

* Encrypted emails, before being sent on to their final destination, are
sent through a back-end remailer, which removes all metadata.

* When an email arrives at its' target destination, all that is visible
is the sender (Mixmin nymserver). The subject line readsL (No Subject).

There is NO indication as to who sent the original email, what the actual
Subject: line is, or what the email content is.

If the nymserver were ever to be raided, all the operator could hand over is:

1) The PGP public key associated with that account; and

2) The reply-block telling where the email was forwarded-on to.

The operator doesn't have any other information. Accounts can be setup via
specially-formatted email messages, which can be sent from Tor-based email
accounts, or sent through one or more anonymous remailers. Either way, the
operator does not know, and indeed /cannot/ know, who the sender/account
holder is.

Another way to think about it is: protonmail done right.
> Best regards,
> Daniel

Stainless Steel Rat

On Sat, 24 Feb 2024, Stainless Steel Rat wrote:

>> I sometimes to wonder about how much suffering my pirating causes. I
>> console myself with the fact that I actually pay for books. It is my
>> greatest passion. When it comes to the movies and music I pirate, I
>> think I could honestly live without them, since I am not a huge movie or
>> music fan. I do occasionally pay for a movie theater visit, but that
>> happens about 1 or 2 times per year. I probably go to a classical
>> concert or some small jazz concert about 2-3 times per year and that's
>> about it.
>
> I don't worry about it, let me tell you why. Copyright did not exist prior
....
> My attitude can be summed-up like this: "FUCK copyright!"

I had no idea! Thank you for a very thorough and enlightening post. I
still think there is hope for usenet! ;)

>> What is a nymserver? Is it just a storage space where you upload client
>> encrypted information?
>
> No. You can think of a nymserver as a specialized type of mailserver. They
> have the following properties:
....
> * Encrypted emails, before being sent on to their final destination, are
> sent through a back-end remailer, which removes all metadata.

Can you chain remailers? Kind of like tor, but for emails? If I'm
understanding you correctly I see the chain
mail->nymserver->remailer->remailer->destination.

And do I understand you correctly if I think it is impossible to reply,
except, through a newsgroup or other common "posting area"? Due to the
chaining, and making sure no information is stored in case of server
capture, I would imagine people using this anonymously by sendind
encrypted messages to a news group (for instance) and then decrypting
the content there on their client.

> The operator doesn't have any other information. Accounts can be setup via
> specially-formatted email messages, which can be sent from Tor-based email
> accounts, or sent through one or more anonymous remailers. Either way, the
> operator does not know, and indeed /cannot/ know, who the sender/account
> holder is.

To me, this sounds like the only potential way to find you. If you
somehow capture the nymserver, and you (the sender) do not use tor to
access it, but do it through your regular connection.

If the remailers also habe built in random delays to make timing more
difficult, I think that would be an additional benefit.

I don't have a need (at the moment) for such strict privacy and secrecy,
but I always like to learn more and experiment. Where can I find such a
nymserver and learn more and try it out?

> Another way to think about it is: protonmail done right.

Got it!

Best regards,
Daniel

On Sat, 24 Feb 2024 12:00:06 +0100, D <nospam@example.net> wrote:

> On Sat, 24 Feb 2024, Stainless Steel Rat wrote:
>
>>> I sometimes to wonder about how much suffering my pirating causes. I
>>> console myself with the fact that I actually pay for books. It is my
>>> greatest passion. When it comes to the movies and music I pirate, I
>>> think I could honestly live without them, since I am not a huge movie or
>>> music fan. I do occasionally pay for a movie theater visit, but that
>>> happens about 1 or 2 times per year. I probably go to a classical
>>> concert or some small jazz concert about 2-3 times per year and that's
>>> about it.
>>
>> I don't worry about it, let me tell you why. Copyright did not exist prior
> ...
> > My attitude can be summed-up like this: "FUCK copyright!"
>
> I had no idea! Thank you for a very thorough and enlightening post.

You're welcome. Most people just unthinkingly buy into the copyright cartel's
nonsense about creativity requiring copyright -- they don't bother to learn
the truth. The Canadian copyright cartel even went so far as to publish and
distribute a comic featuring Captain Copyright in Canadian elementary schools.

The stupid bastards at Access Copyright Canada mis-stated the law (very
likely deliberately) in that comic book; someone who knew better, got hold
of it, and blew the whistle on them -- the comic ended-up having to be
withdrawn, and the entire program scrapped.

I think the idea was to brainwash kids while they were still young enough to
unquestioningly accept what they were told by their teachers and authorities.
(The same way kids are brainwashed into accepting religion as true, and
drugs are bad...)

https://web.archive.org/web/20060602091441/http://www.boingboing.net/2006/06/01/canadian_copyright_a.html

> I still think there is hope for usenet!

I agree... Usenet's demise has been predicted for decades!

>>> What is a nymserver? Is it just a storage space where you upload client
>>> encrypted information?
>>
>> No. You can think of a nymserver as a specialized type of mailserver. They
>> have the following properties:
> ...
>> * Encrypted emails, before being sent on to their final destination, are
>> sent through a back-end remailer, which removes all metadata.
>
> Can you chain remailers? Kind of like tor, but for emails? If I'm
> understanding you correctly I see the chain
> mail->nymserver->remailer->remailer->destination.

This is already long-since implemented, although not quite the way as you
describe.

The two software suites that accomplish this are:

* Mixmaster and

Mixmaster was written in the 1990s, using then state-of-the-art ciphers,
hash algorithms, and key-derivation functions. (3DES, RSAES-PKCS1-v1_5 and
MD5). All of these are now showing their age... TripleDES is vulnerable
to a meet-in-the-middle attack that reduces its' effective strength from
168-bits to 112-bits. MD5 has been broken for some considerable time.

* YAMN (Yet Another Mix Net)

Yet Another Mix Net - A Mixmaster derivative

YAMN tries to look like Mixmaster in order to maintain compatibility
with the various GUI's and peripheral applications that serve to make
it a complete solution. Under the covers there will be some significant
differences:-

* Revised crypto functions. Instead of Mixmaster's Triple-DES,
RSAES-PKCS1-v1_5 and MD5, YAMN will use AES, NaCl Box and Blake2.

* Deterministic header padding to protect against tagging attacks

> And do I understand you correctly if I think it is impossible to reply,
> except, through a newsgroup or other common "posting area"? Due to the
> chaining, and making sure no information is stored in case of server
> capture, I would imagine people using this anonymously by sending
> encrypted messages to a news group (for instance) and then decrypting
> the content there on their client.

One can use a nymserver account to reply directly to a regular email account.

Similarly, one can configure their nymserver reply block to send directly to
an email account.

That said, if you want to, you can also have messages sent to an anonymous
message pool (i.e. alt.anonymous.messages, or AAM for short.) As an aside,
AAM was newgrouped in 1994, making 2024 it's 30th year in operation.

AAM is still being used today, but the volume of traffic in that group is
very much reduced from what it was back in the day. AAM used to receive /in/
/excess/ of 1000 postings per day. I'm not sure what the message volume is
like today, but it is very much reduced from what it was at its' peak.

Insofar as nymserver capture goes, I'm not too worried about it. The system
was designed to avoid capturing IP addresses; in any case, if you're really
worried about it, just use a Tor-based email to send messages to the nym-
server, or send your email through a YAMN or Mixmaster chain. That way,
there /is/ no useful information that can be captured in the first place.

>> The operator doesn't have any other information. Accounts can be setup via
>> specially-formatted email messages, which can be sent from Tor-based email
>> accounts, or sent through one or more anonymous remailers. Either way, the
>> operator does not know, and indeed /cannot/ know, who the sender/account
>> holder is.
>
> To me, this sounds like the only potential way to find you. If you
> somehow capture the nymserver, and you (the sender) do not use tor to
> access it, but do it through your regular connection.

As I said, use a Tor-based email service, or send your email through a YAMN
chain.

What you might find interesting is that about a dozen years ago, the FBI
seized a Mixmaster remailer (for the second time) and they got /absolutely/
/nothing/ out of it:

WiReD
Kim Zetter
Security
Apr 20, 2012 1:41 PM

FBI Uses 'Sledgehammer' to Seize E-Mail Server in Search for Bomb Threat
Evidence

In an effort to uncover the source of bomb threats sent to the University
of Pittsburgh, agents with the Federal Bureau of Investigation seized an
entire server on Wednesday that is used by anonymous remailing service
Mixmaster as well several progressive rights groups.
https://www.wired.com/2012/04/fbi-seizes-server/

UPDATE: With May First/Riseup Server Seizure, FBI Overreaches Yet Again
By Hanni Fakhoury
May 3, 2012

UPDATE: Late last week, the FBI returned the seized server to the
colocation facility that May First/People Link and Riseup shared.
Yesterday, May First released video footage of the server's return.
As we learn more details about the situation, we'll keep you posted.

The FBI is at it again -- executing broad search warrants, disrupting
legitimate Internet traffic, and getting nothing in return.

Since the end of March, a number of anonymous bomb threats have been
emailed to the University of Pittsburgh. Through its investigation,
the FBI discovered the threats were being relayed through a server
hosted by the progressive cooperative Internet Service Provider (ISP)
May First/People Link (May First). The server was used by the European
Counter Network (ECN), an Italian based activist group, and stored in
a colocation facility in New York shared by May First and Riseup, an
organization that provides secure communication tools for activists
around the world. When the FBI paid May First a visit at their offices
in New York, May First reached out to EFF, and we agreed to help. The
next day the FBI returned to May First's offices, this time with a
subpoena, requesting information about the server. We helped them
respond to the subpoena and May First turned over what minimal
information it had; namely that the server was running the anonymous
remailer program Mixmaster, which removes header information and,
similar to Tor, reroutes email in order to maintain a sender's
anonymity.

The fact that the FBI's investigation led them to an anonymous remailer
should have been the end of the story. It should have been obvious that
digging deeper wouldn't lead to helpful information because anonymous
remailers don't always leave paper trails. They're specifically designed
with the capability to turn logging off in order to maintain anonymity.1
And if logging was turned off -- as it was here -- there would be nothing
useful to be gained by examining the servers.

Nonetheless, on April 18, the FBI seized the server from the colocation
facility shared by May First and Riseup with a search warrant (PDF). The
actual investigative effect of the seizure was zero. Even after the
server was seized, the bomb threats continued. No arrests have been made.
And while one group came forward and claimed responsibility, so far
nothing suggests any connection to the seized server.

https://www.eff.org/deeplinks/2012/04/may-firstriseup-server-seizure-fbi-overreaches-yet-again

Click here to read the complete article

On Sat, 24 Feb 2024 12:00:06 +0100, D <nospam@example.net> said:

> I don't have a need (at the moment) for such strict privacy and secrecy,
> but I always like to learn more and experiment. Where can I find such a
> nymserver and learn more and try it out?

One of the best documents (that I have found, so far) describing the history
and workings of the Cypherpunk nymservers can be found in the following
academic paper:

The Design, Implementation and Operation of an Email Pseudonym Server
David Mazières and M. Frans Kaashoeke
MIT Laboratory for Computer Science
545 Technology Square, Cambridge MA 02139

http://pdos.csail.mit.edu/papers/nymserver:ccs5.pdf or

http://freehaven.net/anonbib/cache/nym-alias-net.pdf

This paper was originally published in the Proceedings of the 5th ACM
Conference on Computer and Communications Security, 1998.

The Association for Computing Machinery (ACM) was founded in 1947, and is
one of the oldest and most-respected computing associations still in
existence.

Abstract

Attacks on servers that provide anonymity generally fall into two
categories: attempts to expose anonymous users and attempts to
silence them. Much existing work concentrates on withstanding the
former, but the threat of the latter is equally real. One
particularly effective attack against anonymous servers is to
abuse them and stir up enough trouble that they must shut down.

This paper describes the design, implementation, and operation of
nym.alias.net, a server providing untraceable email aliases. We
enumerate many kinds of abuse the system has weathered during two
years of operation, and explain the measures we enacted in response.
From our experiences, we distill several principles by which one
can protect anonymous servers from similar attacks.

Stainless Steel Rat

On Sun, 25 Feb 2024, Stainless Steel Rat wrote:

>> I had no idea! Thank you for a very thorough and enlightening post.
>
> You're welcome. Most people just unthinkingly buy into the copyright cartel's
> nonsense about creativity requiring copyright -- they don't bother to learn
> the truth. The Canadian copyright cartel even went so far as to publish and
> distribute a comic featuring Captain Copyright in Canadian elementary schools.

Captain Copyright?! Jesus Christ on a pogo stick, that's absurd!!

> The stupid bastards at Access Copyright Canada mis-stated the law (very
> likely deliberately) in that comic book; someone who knew better, got hold
> of it, and blew the whistle on them -- the comic ended-up having to be
> withdrawn, and the entire program scrapped.

Thank goodness!

> I think the idea was to brainwash kids while they were still young enough to
> unquestioningly accept what they were told by their teachers and authorities.
> (The same way kids are brainwashed into accepting religion as true, and
> drugs are bad...)

Oh well, I guess one shouldn't be surprised. Plenty of stories like that
where I am based. You can have any opinion you like about Trump, but I
find it absurd when kinder garten teachers read the book "The evil
orange man" to children who are 2-3 years old. (True story!)

>> I still think there is hope for usenet!
>
> I agree... Usenet's demise has been predicted for decades!

I found an effective technique to clean up my news! I go to alt.atheism,
and then I just add every user who doesn't make sense or who cannot
write more than one sentence replies to a killfille, and all of a
sudden, my daily messages went from 70 down to 20 or so. ;) And out of
the 20, I think some at least are potentially interesting.

>> Can you chain remailers? Kind of like tor, but for emails? If I'm
>> understanding you correctly I see the chain
>> mail->nymserver->remailer->remailer->destination.
>
> This is already long-since implemented, although not quite the way as you
> describe.

What I find fascinating is that hosters of "edge"-nymservers aren't
hounded by the FBI or CIA. I mean, take the silkroad market and
eventually the police caught him. I imagine a lot of evil stuff passing
through nym servers, or is it that nym servers are so forgotten and old,
that only privacy enthusiasts use them any longer and there, they
haven't really attracted the attention of the FBI?

>> And do I understand you correctly if I think it is impossible to reply,
>> except, through a newsgroup or other common "posting area"? Due to the
>> chaining, and making sure no information is stored in case of server
>> capture, I would imagine people using this anonymously by sending
>> encrypted messages to a news group (for instance) and then decrypting
>> the content there on their client.
>
> One can use a nymserver account to reply directly to a regular email account.
>
> Similarly, one can configure their nymserver reply block to send directly to
> an email account.

Hmm, to me it seems as if you insist on replies it weakens security a
bit, but I'll have a look at the software you mentioned and I am certain
there are more in depth documents available there, so that you don't
have to spell everything out for me here.

> That said, if you want to, you can also have messages sent to an anonymous
> message pool (i.e. alt.anonymous.messages, or AAM for short.) As an aside,
> AAM was newgrouped in 1994, making 2024 it's 30th year in operation.
>
> AAM is still being used today, but the volume of traffic in that group is
> very much reduced from what it was back in the day. AAM used to receive /in/
> /excess/ of 1000 postings per day. I'm not sure what the message volume is
> like today, but it is very much reduced from what it was at its' peak.

That seems like the "gold standard" to me for making sure it is as safe
and anonymous as possible. Actually, come to think of it, it reminds me
a bit of bitmessage. All messages sent to everyone (well, to federated
repository accessible by everyone) and only the one with the correct key
can decrypt.

>> To me, this sounds like the only potential way to find you. If you
>> somehow capture the nymserver, and you (the sender) do not use tor to
>> access it, but do it through your regular connection.
>
> As I said, use a Tor-based email service, or send your email through a YAMN
> chain.

You just wait until email gets regulated. No more tor-email allowed for
the safty of the children! ;)

> What you might find interesting is that about a dozen years ago, the FBI
> seized a Mixmaster remailer (for the second time) and they got /absolutely/
> /nothing/ out of it:
>
> WiReD
....
> See also: https://edri.org/our-work/edrigramnumber10-8fbi-seizure-server-remailer/
>

Thank you very much! This message is saved for later deep reading! =)

>> If the remailers also have built in random delays to make timing more
>> difficult, I think that would be an additional benefit.
>
> My understanding is that they do this already, to one degree or another.

Great!

>> I don't have a need (at the moment) for such strict privacy and secrecy,
>> but I always like to learn more and experiment. Where can I find such a
>> nymserver and learn more and try it out?
>
> Send an email to: help@nymph.paranoici.org -- it'll reply with the nymserver
> help file, that was originally written for nym.alias.net in the mid-1990s.
>
> This file will give you an overview of the remailer features and operations.
>
> [...]

Thank you very much! =)

Best regards,
Daniel

Thank you very much! This also, is saved for later deep reading. =)

Best regards,
Daniel

On Mon, 26 Feb 2024, Stainless Steel Rat wrote:

> On Sat, 24 Feb 2024 12:00:06 +0100, D <nospam@example.net> said:
>
>> I don't have a need (at the moment) for such strict privacy and secrecy,
>> but I always like to learn more and experiment. Where can I find such a
>> nymserver and learn more and try it out?
>
> One of the best documents (that I have found, so far) describing the history
> and workings of the Cypherpunk nymservers can be found in the following
> academic paper:
>
> The Design, Implementation and Operation of an Email Pseudonym Server
> David Mazi??res and M. Frans Kaashoeke
> MIT Laboratory for Computer Science
> 545 Technology Square, Cambridge MA 02139
>
> http://pdos.csail.mit.edu/papers/nymserver:ccs5.pdf or
>
> http://freehaven.net/anonbib/cache/nym-alias-net.pdf
>
> This paper was originally published in the Proceedings of the 5th ACM
> Conference on Computer and Communications Security, 1998.
>
> The Association for Computing Machinery (ACM) was founded in 1947, and is
> one of the oldest and most-respected computing associations still in
> existence.
>
>
> Abstract
>
> Attacks on servers that provide anonymity generally fall into two
> categories: attempts to expose anonymous users and attempts to
> silence them. Much existing work concentrates on withstanding the
> former, but the threat of the latter is equally real. One
> particularly effective attack against anonymous servers is to
> abuse them and stir up enough trouble that they must shut down.
>
> This paper describes the design, implementation, and operation of
> nym.alias.net, a server providing untraceable email aliases. We
> enumerate many kinds of abuse the system has weathered during two
> years of operation, and explain the measures we enacted in response.
> From our experiences, we distill several principles by which one
> can protect anonymous servers from similar attacks.
>
>
> Stainless Steel Rat
>
>