XPost: alt.privacy.anon-server, sci.crypt   
   From: noreply@mixmin.net   
      
   Stefan Claas  wrote:   
   >Anonymous User wrote:   
   >> Stefan Claas  wrote:   
   >   
   >> > With YAMN's security flaws you can be easily de-anonymized.   
   >>   
   >> Which security flaws?  You don't think of Internet I/O which anyhow has   
   >> to be handled by specialized communication software like OmniMix?   
   >   
   >First of all, Zax should IMHO seperate the client form the remailer   
   >code, so that users can focus on one program.   
      
   Doesn't look like a problem for OmniMix.   
      
   >   
   >I do not use OmniMix, so I can't speak for it.   
      
   So you stir up hatred against it though you're not competent   
   talking about it.  That paints a queer character.   
      
   >   
   >YAMN has the following security flaws:   
   >   
   >a) It does not want onion addresses to been used in the MX code   
   >and Zax should really tell us why!   
      
   With its advanced delivery strategy OmniMix does a much better   
   job in forwarding remailer packets than any remailer packet   
   encoder could ever do.   
      
   >   
   >b) Users new to remailing with YAMN, see only at his repository   
   >minimal configuration files, which are of not much help, IMHO.   
      
   Users new to remailing should use a GUI like OmniMix or QS/L.   
   There's so much that can go wrong.  And all that copying &   
   pasting is boring and prone to errors.  Fortunately there's no   
   reason to reinvent the wheel and learn command line commands.   
      
   >   
   >But the problem is, if you do not look close at his source code   
   >IIRC in config.go, the YAMN client, when set-up not properly,   
   >with socat, can and does bypass your Tor settings in socat and   
   >sends via clearnet to mixmin, filling up his log files and then   
   >crashing his server. Remops know that when analyzing MTA logs   
   >that they include the IP address from the originating client, if   
   >Tor is bypassed, and to whom the email goes. *That is definetily   
   >an absolute no-go* and Zax should explain to us why he coded it   
   >that way for client usage, if users are unaware of this! I am   
   >talking of the internal MXRelay = true setting, which should   
   >be by default set to false in his source code. Mixmaster IIRC   
   >does not do this.   
   >   
   >c) Zax should better use Go's proxy package for a seperate   
   >YAMN client, so that stats and pub keys can be fetched via   
   >Tor and also remailing is done via Tor.   
      
   OmniMix does all this on its own.   
      
   But with YAMN Steve did a great job in packet creation fixing   
   known Mixmaster flaws and moving to more stylish crypto   
   algorithms.  The rest is of minor importance.   
      
   You as a Linux guy should be accustomed to task separation with   
   a GUI integrating all of those components?  OmniMix is just   
   that.   
      
   >   
   >He should really tell us all, what has driven him to not   
   >like onions, which can be seen IIRC in mail.go.   
   >   
   >YAMN in it's current form tells me unfortunately that you   
   >must rely on the old a.p.a-s saying "trust nobody" :-(   
   >   
   >Hence the reasone I released yamn-proxy. :-)   
      
   But a properly configured MTA would do it as well.   
      
   >   
   >https://github.com/Ch1ffr3punk/yamn-proxy   
   >   
   >Regards   
   >Stefan   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)