Threat Model
Hushlist is a tool for communicating privately in spite of a hostile network, in a censorship-resistant and metadata-minimizing way, using multiple privacy coin blockchains. For the different kinds of Hushlist users to know when they can and cannot safely use this tool, it is necessary to describe precisely the threat model in which Hushlist operates. This document lists the Hushlist user assets at issue and identifies threat sources that might compromise the user's privacy by exposing various types of metadata, or that might even steal the user's cryptocurrency. The focus of this document is the analysis of metadata, so "data exfiltration" and "data correlation" are some of the main topics.
- private key of a single taddr/zaddr
- wallet.dat - entire wallet, with entire balance and keys of all taddrs/zaddrs and transaction history
- seed phrase
- knowledge that zaddr Z has X ZEC in it
- knowledge that zaddr Z1 sent zaddr Z2 X coinz in a (z,z) transaction
- knowledge that taddr T sent zaddr Z X coinz in a (t,z) transaction
- knowledge that zaddr Z had X coinz in it just before a (z,t) transaction
- the list of taddrs/zaddrs under control by Hushlist on a certain machine
- IP addresses known to have been source/target of a zaddr transaction
Never use Hushlist on the same physical computer or virtual machine as another user you do not trust. If that user can leverage a single CVE to escalate privileges, a full loss of privacy could result. It is best never to let this easy-to-prevent situation occur. Use Hushlist on a private desktop or laptop computer, or a server that you have root on. Practice the art of compartmentalization and isolation at every level.
Bad actors on your local physical network pose an elevated risk to you. If you think your local physical network is not secure, use caution and probably choose another place to use Hushlist, such as public wifi at a library, a university or some other place with many users.
- ARP poisoning
- DDoSing, because there is no firewall/router/NAT in between
If you can't trust your local network admin, using Hushlist is probably not a good idea. They can do everything listed above and, in addition:
- DNS poisoning
- Deep Packet Inspection
- ...
We can assume that many worldwide ISPs are Threat Actors, and can be rented out by Bad People. It happens more than you think.
- Drop your packets
- Reroute your packets
- Slow down your packets so they always fail, get lost or waste resources in some way
- Modify cleartext packets, e.g. inject malware JS snippets into HTTP packets
- ....
This is a unique category because LEOs must follow many laws that ISPs/etc do not have to, but also can/must usually outsource things to other organizations that make software to analyze all the data.
Usually they do not have any power to change data on the wire, but can use bureaucracy to get things like telephone/SMS/MMS/GPS/email/IP address/Facebook records.
Hushlist provides LEOs with almost nothing to work with, since there is no centralized entity or company to ask for data. This is an emergent feature of the application which is built on Zero Knowledge atoms.
LEOs also work closely with people at the next level, which is evident from the headline "Former U.S. Secret Service Agent Shaun Bridges Admits to Stealing 1600 Bitcoins Seized by the Federal Authorities" from https://news.bitcoin.com/rogue-silk-road-agent-admits-to-stealing-bitcoins-seized-by-u-s-marshals/ . Multiple federal agencies and LEOs had bad actors that did not understand blockchain privacy, anonymity and security!!! Who could have imagined.
These nice folks keep us all safe and like to read your encrypted packets, if they can.
Hushlist needs some kind of layer such as Tor/i2p to provide full protection from these nice people, since they can correlate your TCP/IP traffic by asking the nice people at the next level for their data. Sometimes they do get the data, so you can assume that they always can as a worst case.
Hushlist should not be considered to provide protection from these actors, unless it is used as one small part of a large operational security procedure. The goal is to not have these people on your 6, but sometimes that cannot be helped. TLDR: Don't assume you can hide from these people.
These actors have the power to massively disrupt blockchains and the Internet itself, although that power lessens each day as newer protocols for censorship-resistance are added to Bitcoin Core as well as many privacy coins.
Powers:
- can obtain the full ciphertext of all network traffic, via direct methods or the various agreements that security agencies have to access each other's resources
- can poison BGP routes
- can inject/poison any unencrypted/unauthenticated network traffic such as HTTP
- have backdoor access to Internet infrastructure such as routers, switches, fiber lines
- have access to large piles of 0-days
- send drones to your physical location
This is the most dangerous "technical" Threat Actor and the most likely place for Hushlist to be compromised!
Powers:
- Upload backdoored open source software that is trusted
Hushlist depends on an immense amount of free and open source software being compiled correctly. Reproducible/deterministic builds allow people to verify that exactly the same code is being compiled by various independent sources, providing evidence that there are no hidden backdoors. If one open source project that Hushlist depended on injected malware into, for instance, a Perl CPAN module and actually released that malware to CPAN, our users would download that code from CPAN and execute it locally. Even more likely is that a "good citizen" open source project has some kind of bug/CVE/malware planted in it by an innocuous-looking patch that fixes something else. Hushlist tries very hard to verify that the dependencies it downloads are trusted.
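The check this paragraph describes, as an added example (not Hushlist's own code): a downloaded dependency is accepted only when several independent builders report the same SHA-256 digest and the local file matches it. The builder names, the `quorum` parameter and the sample tarball are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file so large tarballs are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def reproducible_digest(builder_reports, quorum):
    """Return the agreed digest, or None if builders disagree or are too few."""
    digests = set(builder_reports.values())
    if len(digests) != 1 or len(builder_reports) < quorum:
        return None
    return digests.pop()

def verify_download(path, builder_reports, quorum=2):
    """Fail closed: 'ok' only when builders agree AND the local file matches."""
    expected = reproducible_digest(builder_reports, quorum)
    if expected is None:
        return "no-consensus"
    if not path.is_file():
        return "missing"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    # Constructed sample data: a fake tarball and hypothetical builder names.
    with tempfile.TemporaryDirectory() as tmp:
        tarball = Path(tmp) / "Example-Module-1.0.tar.gz"
        tarball.write_bytes(b"constructed release bytes")
        good = sha256_file(tarball)
        agree = {"builder-a": good, "builder-b": good, "builder-c": good}
        split = {"builder-a": good, "builder-b": "0" * 64}
        results = {"clean": verify_download(tarball, agree),
                   "split": verify_download(tarball, split),
                   "single": verify_download(tarball, {"builder-a": good})}
        tarball.write_bytes(b"constructed release bytes + planted change")
        results["tampered"] = verify_download(tarball, agree)
        return results

if __name__ == "__main__":
    print(demo())
```

A single builder's digest is treated as no consensus, since one source vouching for itself is exactly the case reproducible builds are meant to rule out.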
code=speech + money=code => money=speech