

System for generic, decentralized, unstoppable Internet anonymity - tete
http://code.google.com/p/phantom/
Time for a new, (even more) decentralized, anonymous internet compatible with what we have now, yet independent of it? Phantom aims to build something like this.
======
joe_the_user
There is already Freenet which had/has similar ambitions.

The problem with this stuff is that immediately tossing all the possible
anonymity features onto your app makes it so utterly separate from the net
that you can't get a critical mass of interest (and your speed really bogs
down but that is secondary/solvable).

What I'd like to see instead is something like an escalating series of
counter-measures that each user can trigger at the point they're cut-off from
"ordinary" communication - alternative dns _when_ regular dns is messed-with,
alternative pipes _when_ they start filtering ordinary sockets, etc.

But make it one app that initially does simple for the user so it gets
widespread but with the proviso that the apps would do enough discovery that
you could "go stealth" when the time came - and have the apps be doing
discovery in the meantime.

Attaching MAFIA-Fire to a "social sharing" app like "tribler"
<http://www.tribler.org/trac> seems like a start.

~~~
chopsueyar
So you could have tiered networks of increasing anonymity?

All levels of stealth would be able to be active, but what levels you decide
to enable determines which secure network you are on.

~~~
joe_the_user
Yes, tiered networking could have a network-effect that jumping suddenly to
maximum security couldn't.

Plus you could deploy an app like this in a place like China to immediately
get interest/users...

If Google's serious about opposing the DNS crocking, _they_ could do something like
this now.

------
pshc
The whitepaper is an interesting read. The "large data throughput" bullet
point is justified by the claim that no intermediary forwarding node has any
idea whether it's talking to another intermediary node or one of the
actual endpoints. So once you have a buzzing network of anonymized nodes with
large volumes of anonymous traffic, you can open up a direct connection to
your buddy and transfer at high speed. Later, you can claim with "reasonable
doubt" that you couldn't have possibly known whether or not they were a
forwarding node or an endpoint in that conversation. (You can also claim that
you didn't know whether or not YOU were a forwarding node!) This seems
reasonable to me so long as you're transferring at a rate comparable to the
average throughput, though I'm not sure how you could determine that.

Well, I'm not really familiar with this sort of distributed scheme, so that
might be old hat, insanely insecure, or what have you.

~~~
Groxx
The reasonable doubt would be easily almost-certainly disproved by an ISP
watching both nodes, though - the high-throughput is partially achieved by not
delaying data / sending junk data, so it's reasonably certain that a high
degree of data transfer between two nodes without any high transfer _out_ of
either to unknown nodes represents a direct connection.

If they're both actively sending data out to other nodes, you're _more_
protected, but odds are you won't be giving the network as much bandwidth as
your buddy, much less significantly enough to hide your communication in the
noise.

If your messages are small, yeah, you're lost in the noise and completely
deniable. Which is an interesting advantage.

~~~
chopsueyar
I think it would work to saturate your allocated upload bandwidth and any data
sent would be a combination of sources to constantly have a bunch of anonymous
random source data.

Anytime you are not actively sending something yourself, it would still
saturate the uploads with other people's data.

Then the question remains, "What did you send to that guy?"

I do not think it would ever allow a direct full transfer. But hopping between
a dozen or so users with each serving as dual node types would be enough,
particularly if all are within the same ISP network.

------
nikcub
Skip the wiki page, here is the DEFCON presentation in quickview:

[http://docs.google.com/viewer?a=v&q=cache:mQa724u3AvoJ:w...](http://docs.google.com/viewer?a=v&q=cache:mQa724u3AvoJ:www.magnusbrading.com/phantom/phantom-pres.ppt+http://www.magnusbrading.com/phantom/phantom-pres.ppt&hl=en&pid=bl&srcid=ADGEESjt9G32WUnrBL6vS3UZaAPjY5msc8c9glTJJh9XK-fExuQ66q9GdTsvFJCnILVtogQLEgcoDnRuH4N75KKHQiuB8RUruEUhTmC_HMayqJwicERFQTUmDHmjVkEgXUOILPOYDXS4&sig=AHIEtbTwsWIRK2lnMiS-8SZW0VlWj8l-jg)

and the whitepaper:

[http://docs.google.com/viewer?a=v&q=cache:uWb7WlywH9gJ:w...](http://docs.google.com/viewer?a=v&q=cache:uWb7WlywH9gJ:www.magnusbrading.com/phantom/phantom-design-paper.pdf+http://www.magnusbrading.com/phantom/phantom-design-paper.pdf&hl=en&pid=bl&srcid=ADGEEShTZta27bvicinF74-FB-FvwHZp0ZMYzTVe4QGTXvBHkMObo-uoxYiFhnlDyCQnuanLZ0avF8ubNpzQGQlb3aYCZVOLuufQwrMD-bwsP66tFkcUjt5hr3o_8dKwmmEi9wbuaOKS&sig=AHIEtbQVwy6TpDhdKxvCzCW8aU5PmpMKWw)

------
hedgehog
Might work for piracy but unfortunately it looks like they punted on issues
that would help use by activists. Design assumption #1 (white paper section
3.1): "The traffic of every node in the network is assumed to be eavesdropped
on (individually, but not globally in a fully correlated fashion) by an
external party."

A state-level adversary can instrument their major ISPs, put a bunch of nodes
on the network, push traffic through the network and analyze the resulting
traffic. Once they figure out who they want to question it's pretty simple:
the mere presence of the software on your computer would be incriminating.

I think right now social networking sites are the best game in town because
they have legitimate non-activist uses so they won't automatically get you in
trouble. To improve on them, resistance to traffic analysis and on-client
footprint both need to be dealt with or the tool needs to be really popular
for some innocuous application.

It is a really interesting set of problems though.

~~~
kragen
The reason they punted on defeating the global-traffic-analysis adversary is
that that's, well, really hard. The projects that are requiring themselves to
solve that problem before releasing their first version are still in stealth
mode.

------
ezyang
One important difference of Phantom from systems like Tor is that it doesn't
seek primarily to be an anonymous way to access the Internet, but to be an
anonymized network separate from the Internet. You can do this with Tor as
well, but that was never really the emphasis.

------
nextparadigms
I think he should change the name before it gets any kind of mainstream
adoption...or maybe way before that. It's bad enough that such properties
imply usage by the "evil-doers". You shouldn't give it a name that _sounds_
like it's something used by evil-doers, too, which might actually be the worst
part. Politicians never bother to learn about something in-depth anyway. All
that matters is if it sounds bad or good, then they'll vote for it or against
it.

~~~
keane
This is an important concept. If such a system did gain widespread adoption,
the government would certainly take steps against it.

In the 60s the Diggers/Yippie type group <http://en.wikipedia.org/wiki/UAW/MF>
chose their name very aware that it would not be able to be written in print.
They knew that they would not be controlling the message in the coverage of
their group in the traditional media and so they attempted to embed a message
in their name itself.

Likewise, rather than call this scheme Phantom, it might be wiser to name it
after a member of the old
<http://en.wikipedia.org/wiki/Committee_of_correspondence> for embedded
patriotism and appeal to authority type connotation. Perhaps "Jefferson". In
this way, if the government were to target the protocol, they would have to
take questions from the press as to why they were targeting JeffersonNet, etc.

~~~
nextparadigms
You have a good point about giving it a positive connotation like that, but a
name like Jefferson would be cumbersome, too. Perhaps something like SafeNet.
Just think about it, even when someone would hear something like that they'd
be intrigued.

"Oh? Safenet? Is it like a safer Internet? Interesting. Where do I find it?"

Plus, you could almost see what the news headlines would be like: "Government
tries to take down the Safenet". "Government wants to make Safenet illegal",
"Why the Government doesn't want you to be Safe online", "What's so wrong
about wanting to be safe online?" etc

Pretty much any way you'd spin it, it would make the Government the bad guy.
Why do you think RIAA names bills like "Protect IP", which is about censoring
the Internet, or Homeland security wanted to make the SHIELD law, which is
about catching whistleblowers and such. They named them so anyone who "dares"
to go against them would be looked at as the bad guy. "How could you want to
stop something like SHIELD as its name??"

Naming is not everything, but it can definitely have a big impact on
perception of the general population, which is all that matters in the end.

------
cookiecaper
The link is pretty scarce on details, basically just a bulleted list of
abstract nice-to-haves for a theoretical anonymous network. More detail would
be greatly appreciated; users shouldn't have to go into the code to find out
how something like this works.

For instance, how is this an improvement over I2P? Phantom should really take
a note from I2P's website on what constitutes an adequate amount of exposition
to get people to learn about and try your anonymous network.

~~~
DrCatbox
There is a nice white paper and other pdfs in the wiki.

~~~
cookiecaper
I glanced around and didn't see it, even though I loaded the wiki's MainPage.
Nonetheless, I don't really have much motivation to download a PDF in the
first place, but having done so, I don't have enough motivation to try to read
this 58-page white paper just to find out the basics of how this works. They
need to write an executive summary and a basic overview of its mechanisms,
totaling <= 5 pages tops. It's totally unrealistic to expect people to 1) find
your obscure links, 2) download a PDF or other external resource to learn
anything about your product, and 3) sit down and read a 58-page white paper as
an introduction. If someone is really interested in technical details because
they're considering development on the project, or something like that, then
this is reasonable, but not for people that you expect to be users.

~~~
SeoxyS
Maybe, just maybe, they don't have an obligation to cater to your expectations
of how they must describe their network. Maybe the people they're trying to
reach are happy with a white paper. Maybe they're not great writers, designers
or marketers and would rather spend their time working on their product.

~~~
cookiecaper
Maybe, and that's fine. I'm just trying to help set expectations and comment
generally on why this kind of thing is a bad idea if you want to attract
users. Most people are not going to read 58 pages to learn about how this
works; that should be obvious even to bad marketers. If they don't care and
only want users that cared enough to read the white paper (or were careless
enough to use the network with almost no technical detail), that's their
prerogative and they're welcome to it. :)

~~~
SoftwareMaven
The problem is the five-page people tend to be the bike shedders. They don't
understand the system well enough to provide good feedback, so start pointing
out inconsequential things, causing diversion from getting stuff done.

~~~
_tef
Alternatively, the people who wax lyrical for 60 or so pages don't understand
much either, and are compelled to pad out their document.

I remember seeing this a while ago, but I didn't pay much attention to it
then, because punishing those who understand the problems with a lengthy
verbose soliloquy isn't a good strategy for disseminating information.

:-)

The other problem is that something 60 pages long without any references or
citations beyond an occasional casual link to Wikipedia, smacks of reinventing
the wheel. This would be why he can go for 60 pages without mentioning known
terms like "Sybil Attack", or "Onion Routing".

This white paper smells more of bikeshedding - there was no code and right at
the bottom of the document, you can see the caveat & apology "This white paper
is in no way a complete protocol specification, far from it actually. Its main
goal is rather to provide suggestions for solutions for several typical
problems [...] which could hopefully work as some kind of reference point for
any discussions that may be inspired by it."

I think my favourite part of the paper is where he handwaves PKI & Voting atop
of a DHT to 'solve' lots of problems, without realising those are the
genuinely hard problems people are still working on.

A close runner-up is in the slides he talks about "no central point of
failure" and then explains his "Manual Override Command Support", which is a
central point of abuse.

It is nice to see that someone is finally writing code for it, and I wish them
luck working out all of the details left out in the paper, especially the
organisation and management of addresses.

------
plainOldText
This seems like an interesting idea/solution to one of Internet's issues. The
challenge however is how do you persuade enough people to start using it? And
then the more people use it the more important it becomes and people just
won't stop using it.

Facebook is a typical example of how important it is to have people adopt a
technology. Prior to Facebook was MySpace, yet the former managed to impose
and finally replaced the latter because more and more people started using
Facebook. With Twitter it's pretty much the same adoption process. Because
most people into micro-blogging use it, it is now virtually impossible to come
up with another micro-blogging platform that can replace Twitter. And the
conversation could go on forever with countless examples.

I'm sure there are so many great ideas out there that get wasted just because
people won't start adopting them.

------
meow
Can someone explain how this protocol compensates for DNS level blocking?

~~~
robertskmiles
It uses a DHT-based distributed system as DNS, so there are no root DNS
servers that can be got at by attackers. The DNS database is contained in the
nodes themselves.

------
hallowtech
I was actually thinking about this a couple hours before I saw this. Crazy.
Just not about the anonymity part. One thing I came up with was that instead
of a trusted website bootstrapper to show a new node to the swarm, one of the
nodes could update a DNS record to point to itself. If that node fails,
another node is chosen to update the record.

------
sixwing
I wonder how this would compare to TeleHash - <http://TeleHash.org>

~~~
tete
There are very fundamental differences, but this stuff is interesting for very
different things, so thanks for sharing the link! :)

------
shii
As submitted here more than 2 months ago when he (Magnus) released the
protocol and paper originally: <http://apps.ycombinator.com/item?id=2336429>

------
nextparadigms
Could this be combined with a P2P mesh network like <http://www.mondonet.org>
and also work from mobile phones? They seem to have similar goals.

------
eschulte
white-paper describing the protocol (from the wiki)

[http://www.magnusbrading.com/phantom/phantom-design-paper.pd...](http://www.magnusbrading.com/phantom/phantom-design-paper.pdf)

~~~
plainOldText
A lot more easy to follow IMO is the powerpoint presentation

------
sneak
Not a technical point, but—

Anonymity/privacy software written by a bunch of people with gmail addresses?
Does that strike anyone else as weird?

~~~
kmfrk
Not when it comes to security abroad. Some Google people were deeply involved
in aiding the Egyptian revolution.

Can't speak for their domestic philosophy, though.

------
berntb
Off topic:

What did happen to the torrent anonymity proxies that were in the media a year
or two ago? Are they used, but not discussed in the media?

~~~
Devilboy
They are still doing good business all over the world. American proxies are
popular for access to Hulu and Pandora by foreigners and Swedish proxies are
popular for bittorrent.

------
AndrewMoffat
I like the idea, but I won't use it, because I don't think "enough" people
will use it.

