Gemini server logging formats and practices

Dave Huseby dwh at vi.rs

Wed May 13 17:07:00 BST 2020

I love your enthusiasm Sean. I'm going to reply in kind and call out when I'm trolling you. Just remember that I appreciate your position and thank you for sharing your perspective. I'm sincere as Fred Rogers when I say that. Now...let the trolling begin! Let's see who can flame each other better. ; )

On Tue, May 12, 2020, at 8:06 PM, Sean Conner wrote:
>   Back in 1989, the Internet as we know it was still five years away. 
> Commercial activity was against the rules and the only people who were on
> the Internet back then were largely academics (students, instructors,
> professors) at universities and a few researchers at some select companies
> (like IBM, Sun or Symbolics).  I would think that had you seriously
> presented this argument at the time, people might have looked at you
> strangely.  While people were still largely trustful of other users, the
> Morris Worm of Nov 1988 was still quite recent and if not for logging, it
> would have taken much longer to stop.

You're not wrong. I was. It was 1991, not 1989: 

=> http://ksi.cpsc.ucalgary.ca/archives/WWW-TALK/www-talk-1991.messages/1.html

Dismissive troll: The rest of what you said above is irrelevant, missing the point, and distracting.

>   So a not-so-hypothetical situation here---if I were to put on my Gemini
> server "I LOG ALL THE IPS!", honestly, how could I get your consent (or
> non-consent)?  I can't get it from you prior to your connection, because I
> don't know you will connect.  I can't get your consent afterwards because I
> already have your IP.  And would such a disclaimer have to be added to every
> page?  How can you know prior to requesting a Gemini page that the server
> will log your IP address?

You're not wrong. IP is what we have. You seemed to have completely missed that I'm making philosophical arguments.

>   I'm not under the delusion that security is possible on the Internet, nor
> privacy.  I've always operated under the assumption that anything I put on a
> public server, *even with access controls,* is public [1].

Humble swagger troll: Write better software. I'd be happy to teach you how you can have strong enough security without logging. You wrote your server in Lua. You put a lot of trust in the underlying C code. I personally wouldn't be comfortable with that situation. I'd also be willing to help you learn a real programming language like Rust. ; )

>   Yes, I'm a bit antagonistic towards such goals because I don't believe
> that one can have a truly anonymous exchange of data over *any* medium, but
> unfortunately, I don't have such a proof, other than---you need two
> endpoints who know of each other such that data can be exchanged, and how do
> you prove your identities (or repudiate an identity, such as "I am NOT a FBI
> agent")?  I think you can exchange data anonymously but you won't know who
> is actually on the other end, or you can know, but so will an observer.  I
> don't think you can get both.

You're not wrong with what you think is the state of the world, so I understand why you're black pilled. However, it is theoretically possible to achieve both uncorrelatable and correlatable pseudonymity using stochastic mixnets as the routing mechanism on top of IP. I'll also soon publish my paper on what I call "Anon's Triangle" where I show that cryptographically provable contributions to open source projects can serve as a human-scale proof-of-work system for bootstrapping actual trust in a pseudonymous identity. If you throw in there, zero-knowledge proofs for verifiable claims, it's possible to shift authorization to be focused on *what* I am and not *who* I am. A good friend of mine likes to say: "I only care that the pilot is properly trained and fit to fly the plane. I don't care what their name is or anything else for that matter."

The problem has always been the lack of a global, trustworthy PKI. Just look at why GPG never took off or why Mobile IP isn't pervasive; it's the PKI problem. However, we now have standardized and ubiquitous PKI.

See:

=> https://w3c.github.io/did-core/
=> https://w3c-ccg.github.io/did-method-registry/
=> https://www.w3.org/TR/vc-data-model/
=> https://www.techrepublic.com/article/linux-foundation-will-host-the-trust-over-ip-foundation/

Time for you to catch up with the rest of us Sean. It's only a matter of time now. People--including me--are already working on a mixnet that leverages this. Once we unlock that achievement, Gemini will be able to stop relying on IP entirely.

Concern troll: I'm worried about you. Hopefully post-mixnet you'll have a better attitude about the state of the world. Stress kills y'know ; )

> > Right now the only thing we can do is willfully
> > blind our servers. Eventually though, if all goes according to plan,
> > Gemini servers will be running on a mixnet of some kind
>
>   Really?  I don't recall seeing such a plan myself.  Solderpunk, are you
> holding out on me?

You're not wrong. I made a mistake implying that Gemini had *anything* to do with my efforts to fix the Internet status quo. I gave three, one-hour presentations last week at the Internet Identity Workshop and decided I was going to walk the walk and *not* publish my papers on the web. I grep'd the internet and discovered Gemini. I always disliked Gopher because of the ugly hack used to get text in Gopher index. Gemini fixed that elegantly and I'm a fan.

> > and they won't be
> > able to track IP addresses because the source isn't mapped to anything in
> > the real world.
>
>   I know a lot of people use TOR for anonymity, but I feel that it's still
> not 100% secure and that a state actor (like, oh, I don't know, China or the
> United States) can, with enough resources, do a correlation attack on both
> ingress and egress TOR points.  I mean, the authorities *say* they caught
> the Dread Pirate Roberts on one mistake he made a few years earlier, but I
> feel that the mistake was found *after* they knew who he really was, because
> the US threw enough resources (legal and otherwise) into finding him.

You're not wrong. It's well known that MIT researchers working for intelligence agencies mounted a pretty widespread attack against the Tor network and proved that statistical de-anonymization was possible.

=> https://www.extremetech.com/extreme/211169-mit-researchers-figure-out-how-to-break-tor-anonymity-without-cracking-encryption

My support for pseudonymity is a philosophical line in the sand. The only way for users to maintain leverage against surveillance capitalism is to do all they can to maintain pseudonymity and privacy. My contributions to the Gemini community are mostly philosophical. There's no reason we have to do things the same way just because that's how it's always been done. Gemini is about being better than the web and gopher. Why should the Gemini protocol *settle* for the same bad/limited solutions that contributed to the dumpster fire that is the surveillance/propaganda system we call "the web."

> > Accessing permissioned resources (i.e. 6X response codes) doesn't
> > necessarily imply correlation of the user. Certainly the user can present
> > the same cryptographic credentials on subsequent requests but a better
> > design is to allow for pair-wise credentials that are ephemeral to each
> > session and potentially ephemeral to each request. Currently TLS doesn’t
> > allow for this mode of operation. Something like CurveCP with
> > decentralized verifiable credentials is a superior solution for
> > uncorrelatable confidentiality.
>
>   So go ahead and implement it if you think it's possible.

It is. I am.

> > Anyway, back to logging. I don't think it is our place as server operators
> > to collect IP addresses without consent since it isn't our data.
>
>   Technically, the IP address you use to access a server isn't yours either.
> It's the provider's.  They are just letting you use it.

You're not wrong.

Troll: Again, you're answering a philosophical argument with a technical one. I'm starting to think you're uncomfortable discussing philosophy and always run to the comfort of black and white, right angles and straight jackets....I mean straight walls. ; )

When I send you a packet, my computer fills in the source IP address. That source IP address is personally identifiable information the vast majority of the time. It's the same as me filling in my address on an envelope. I may rent, and not own, the house--and therefore the address--that I live in but legally, my address is considered personally identifiable information (PII) and protected under the GDPR and CCPA. I'm suggesting that to gain a consistent and coherent philosophy about user sovereignty to make the internet better with truly decentralized systems, we should all start thinking of IP addresses as PII and build/configure systems accordingly.

I'll repeat myself: 

> > It is an
> > unfortunate legacy of the existing IP network layer that will hopefully be
> > overcome soon.
>
>   TOR?  Content addressable stuff with names like
> 9a793f67-3df1-45e2-a3f5-4b3166800102?
> Yeah, I'm not sold on that stuff.

Troll: You're not a lost cause then. ; )

> > I think the hashing of IP addresses for correlation is fine
> > but I think it is fair to expect all server operators to notify their
> > users that they are doing so.
>
>   Again, how?

You're not wrong, with the world as it is now. Digest functions are one way. If I intentionally blind myself by using salted hashes of IPs first, it is theoretically impossible for me to take those hashes and get the pre-image IP address that could de-anonymize the client. As we work to make the internet better we have to be conscious of every possible way our design decisions affect user sovereignty.

Thanks for your reply Sean. It was fun replying to you. I understand what you're saying and you're not wrong with all of your technical details. But I was speaking in philosophical terms as guiding principles for making decisions going forward. I reject the current status quo. I only look back to remind myself of what went wrong but all of my energy is focused ahead of me. I think Aaron's quote is apropos here:

"What is the most important thing you could be working on in the world right now? ... And if you're not working on that, why aren't you?"

Troll: maybe you should work on learning Rust and meditating ; )

Cheers!
Dave
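
The salted-hash blinding of IP addresses discussed in this message, as an added example that is not part of the original email: it uses HMAC-SHA256 with an in-memory salt (a swapped-in construction; the message only says "salted hashes"), and `BlindedLogger`, `recover_ip` and the sample addresses are constructed for illustration. It also shows the operational caveat that whoever still holds the salt can enumerate the address space, so the blinding holds only once the salt has been discarded.

```python
import hashlib
import hmac
import ipaddress
import secrets


class BlindedLogger:
    """Logs a keyed digest of the client IP instead of the IP itself."""

    def __init__(self):
        # Assumption: the salt lives in memory only and is never written to disk.
        self._salt = secrets.token_bytes(32)

    def rotate(self):
        # Dropping the old salt makes earlier tokens unlinkable to later ones
        # and removes the only means of testing candidate addresses.
        self._salt = secrets.token_bytes(32)

    def token(self, ip: str) -> str:
        # Hash the packed form so equivalent spellings of one address agree.
        packed = ipaddress.ip_address(ip).packed
        return hmac.new(self._salt, packed, hashlib.sha256).hexdigest()[:16]

    def log_line(self, ip: str, status: int, path: str) -> str:
        return f"{self.token(ip)} {status} {path}"


def recover_ip(token: str, salt: bytes, network: str):
    """Audit check: with the salt in hand, a token is matched by enumeration.

    IPv4 has only 2**32 addresses, so a retained or leaked salt undoes the
    blinding; a /24 is searched here to keep the demonstration fast.
    """
    for addr in ipaddress.ip_network(network):
        digest = hmac.new(salt, addr.packed, hashlib.sha256).hexdigest()[:16]
        if digest == token:
            return str(addr)
    return None


if __name__ == "__main__":
    log = BlindedLogger()
    print(log.log_line("203.0.113.7", 20, "/index.gmi"))  # constructed request
    tok = log.token("203.0.113.7")
    print("salt retained :", recover_ip(tok, log._salt, "203.0.113.0/24"))
    log.rotate()
    print("salt discarded:", recover_ip(tok, log._salt, "203.0.113.0/24"))
```

Rotating the salt on a fixed schedule (for example daily) bounds how long any two requests can be correlated and how long the logged tokens remain reversible by the operator.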