digital8 Second Lieutenant
Joined: 29 Sep 2005
Posts: 1002
Posted: Sat Oct 01, 2005 2:17 pm Post subject: JAP
JAP is an open source Java 'anonymous web surfing' application which the client uses in conjunction with mix servers mostly located in Germany. Interestingly, at least one mix is now located in New York, USA.
Here is what the JAP 'anon proxy' service site represents to would-be users:
http://anon.inf.tu-dresden.de/index_en.html
"JAP makes it possible to surf the internet anonymously and unobservably."
"All mix providers for the JAP internet service declare in the following official declaration, that they do not save connection log files or exchange with other mix providers data which could be used to uncover JAP users".
As reported in the link below, the reality appears to be quite different from the unqualified assertions of anonymity made above:
http://www.news2web.com/cgi-bin/dnewsweb.e...roup=alt.privacy.anon-server&item=274814&utag=
Excerpts from the news link above:
"Looking at the source code, there's no ambiguity at all: the system has been fatally compromised, intentionally and by design. There is a back-channel from the last mix (at which point all the data is unencrypted, but the source IP it arrived from is unknown) to the first mix (at which point the data is encrypted, but the incoming IP address is known).
The entire security of mix-systems, whether remailers or JAP, rests on an attacker being unable to link the encrypted activity at the entry point with the unencrypted activity at the exit point. If a mechanism is built into the system which breaches that condition, there is no real security in the system."
The news post link above states that the source code reveals the back-channel code now in the JAP software. For detail of the back-channel source code and how it works, see the news2web link above.
You can download the mix source code yourself and see that several files (such as CACmdLnOptions.cpp) do contain the 'Crime Detection' routines described in the first news2web link above. Get source code at:
http://anon.inf.tu-dresden.de/develop/mix_V00.01.74.src.tgz
It appears that the JAP team have now admitted that the tracking code exists and confess as follows below. It is remarkable that the information they purportedly now reveal is NOT set forth on the JAP www site. It is also remarkable that the purported JAP team statements were not proactive and only made after someone troubled themselves to examine the JAP source code and post their findings.
Here is the JAP team's statement; it is presumed that the post below has not been forged:
http://www.news2web.com/cgi-bin/dnewsweb.e...roup=alt.privacy.anon-server&item=275406&utag=
"Subject: Re: JAP compromised, privacy community panics
Date: 14 Aug 2003 06:46:05 -0700
From: jap-at-inf.tu-dresden.de (JAP Team)
Newsgroups: alt.test,alt.privacy,alt.privacy.anon-server,alt.fan.unabomber,sci.crypt
Hello,
it is good to know there are people who read the source code. Yes, your analysis of the backchannel is correct... ... but the most important thing: JAP still allows anonymous surfing, still on the probably highest level world-wide. So there is no reason to exaggerate a single case and read too much into things.
What has actually happened? The project operators of AN.ON received a judicial instruction that said that the access to a particular IP address had to be recorded for a limited time period. The background is preliminary proceedings by the German Federal Bureau of Criminal Investigation. Such a judicial instruction cannot be rejected without risking severe sanctions. This applies even if you consider this judicial instruction to be not correct. It's the same thing here: The operators of AN.ON have taken measures against this instruction but they have to adhere to it until a higher instance has made a decision.
What was the alternative? Shutting down the service? The security apparatchiks would have appreciated that -- anonymity in the Internet and especially AN.ON are a thorn in their side anyway. No, in contrast: AN.ON must be continued and made even more unassailable by use of further mixes. If we chickened out just because of one single, quite limited judicial decision that is still to be verified in the next instance we obviously would not have much to contribute to the struggle for anonymity in the Internet.
The JAP update of July did not have to do anything with this process; it is rather a product of the suggestions for improvement by thousands of JAP users.
However, since the judicial instruction landed on the desk at this time, a server update (but not one of JAP) was necessary. As already mentioned it is good to know that people actually read our source code, but this time, it led to the misunderstanding that the JAP was generally opened for the sake of criminal prosecution.
Why the operators of AN.ON have not been addressing the public by themselves, yet? In Germany, there are holidays, too, and a judicial instruction of this kind was something perfectly new for all involved, particularly the holiday crew.
Therefore: keep cool. AN.ON is and will remain *the* service when it comes to anonymity. Only because one single judge has decided (provisionally) that all access to a particular IP address is to be recorded for a limited time period, there is no reason to throw the baby out with the bathwater.
MfG
The JAP Team"
Apparently, you can use JAP to appear 'anonymous' in respect of your ISP and web sites you visit, as long as you don't mind the operators having the capability to track all of your surfing habits. There is no guarantee however that they won't reveal all you do to your ISP, law enforcement world-wide and/or anyone else at any time.
There are several obvious lessons to be drawn from this story; others may decide to elaborate on them and the issues of so-called anonymity via proxy use in general.