XPost: alt.privacy.anon-server, sci.crypt   
   From: nobody@yamn.paranoici.org   
      
   Stefan Claas wrote:   
   >Yamn2 Remailer wrote:   
   >> Stefan Claas  wrote:   
   >> > Anonymous User wrote:   
   >> > > Stefan Claas  wrote:   
   >> >   
   >> > > > With YAMN's security flaws you can be easily de-anonymized.   
   >> > >   
   >> > > Which security flaws?  You don't think of Internet I/O which anyhow has   
   >> > > to be handled by specialized communication software like OmniMix?   
   >> >   
   >> > First of all, Zax should IMHO seperate the client form the remailer   
   >> > code, so that users can focus on one program.   
   >>   
   >> Doesn't look like a problem for OmniMix.   
   >   
   >But who uss OmniMix? Only a handful of a.p.a-s users which   
   >is not the global majority of remailer users.   
      
   You have user statistics?  Interesting.   
      
   >>   
   >> >   
   >> > I do not use OmniMix, so I can't speak for it.   
   >>   
   >> So you stir up hatred against it though you're not competent   
   >> talking about it.  That paints a queer character.   
   >   
   >With using I mean regularly, soory. I have tested a couple of times   
   >of course too.   
      
   Liar!  Those who "test" it must see that OM doesn't use MM or YAMN for   
   any internet task.   
      
   >   
   >> > YAMN has the following security flaws:   
   >> >   
   >> > a) It does not want onion addresses to been used in the MX code   
   >> > and Zax should really tell us why!   
   >>   
   >> With its advanced delivery strategy OmniMix does a much better   
   >> job in forwarding remailer packets than any remailer packet   
   >> encoder could ever do.   
   >   
   >See above.   
      
   Means you have no idea.   
      
   >   
   >> > b) Users new to remailing with YAMN, see only at his repository   
   >> > minimal configuration files, which are of not much help, IMHO.   
   >>   
   >> Users new to remailing should use a GUI like OmniMix or QS/L.   
   >> There's so much that can go wrong.  And all that copying &   
   >> pasting is boring and prone to errors.  Fortunately there's no   
   >> reason to reinvent the wheel and learn command line commands.   
   >   
   >No, they use what they see at GitHub and elsewhere.   
      
   Sure, newbies look at GitHub/-Lab, then install the respective IDE on   
   their own to finally compile the program from the source code.   
      
   >   
   >> > But the problem is, if you do not look close at his source code   
   >> > IIRC in config.go, the YAMN client, when set-up not properly,   
   >> > with socat, can and does bypass your Tor settings in socat and   
   >> > sends via clearnet to mixmin, filling up his log files and then   
   >> > crashing his server. Remops know that when analyzing MTA logs   
   >> > that they include the IP address from the originating client, if   
   >> > Tor is bypassed, and to whom the email goes. *That is definetily   
   >> > an absolute no-go* and Zax should explain to us why he coded it   
   >> > that way for client usage, if users are unaware of this! I am   
   >> > talking of the internal MXRelay = true setting, which should   
   >> > be by default set to false in his source code. Mixmaster IIRC   
   >> > does not do this.   
   >> >   
   >> > c) Zax should better use Go's proxy package for a seperate   
   >> > YAMN client, so that stats and pub keys can be fetched via   
   >> > Tor and also remailing is done via Tor.   
   >>   
   >> OmniMix does all this on its own.   
   >   
   >See above.   
      
   Means you have no idea.   
      
   >>   
   >> But with YAMN Steve did a great job in packet creation fixing   
   >> known Mixmaster flaws and moving to more stylish crypto   
   >> algorithms.  The rest is of minor importance.   
   >   
   >You mean this theorethic Ritter's tagging attack?   
      
   Right.  More hadn't to be done.   
      
   >   
   >> You as a Linux guy should be accustomed to task separation with   
   >> a GUI integrating all of those components?  OmniMix is just   
   >> that.   
   >   
   >Please don't repeat the OmniMix usage.   
      
   Its perfection hurts, I know.   
      
   >   
   >> > He should really tell us all, what has driven him to not   
   >> > like onions, which can be seen IIRC in mail.go.   
   >> >   
   >> > YAMN in it's current form tells me unfortunately that you   
   >> > must rely on the old a.p.a-s saying "trust nobody" :-(   
   >> >   
   >> > Hence the reasone I released yamn-proxy. :-)   
   >>   
   >> But a properly configured MTA would do it as well.   
   >   
   >An MTA has nothing to do with what I have described and Zax   
   >owes us an explanation.   
      
   You don't need any mumbo jumbo to forward remailer packets sitting in a   
   data folder.  That's what MTAs are for.   
      
   But a profile-hungry amateur who repeatedly tries to reinvent something   
   and in the end makes it worse than ever before surely knows better.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)