
3.2.2.3 Post-payment

An alternative scheme is based on requiring payment after using the grace period (with or without a restoration). Here the central computer keeps track of each computer's partners. Each computer is supposed to honor the grace period and, once it has been restored after $d$ days of downtime, pay ``$d+1$ days'' to its partners. If it does not, its partners complain to the central server, which severs those partnerships and imposes a fine of ``3 weeks'' on all of the parties.

The fine must be imposed on everyone because, in general, there is no way for the central server to know who is truly at fault. This is unfortunate because it introduces a new free-rider attack: don't bother to complain, letting others shoulder the burden of deterring attackers alone. We believe that this last attack will not be serious because it is only really tempting when there are a lot of attackers exploiting the grace period, which should not happen if most computers act to deter them by complaining.

The central server must impose the fine (e.g., it supplies the data and does the challenging) because an attacker's partners (new or old) may be accomplices that will not fine it. Should a computer refuse or try to cheat the fine, it is exiled by the central server from the system: the central server tells the machine's partners to abandon it and refuses to authorize any new partnerships for it ever again.

In order for the threat of exile to be an effective deterrent, rejoining the system under a new name must cost more than ``3 weeks'' times the maximum number of partners. A possible way to do this in a decentralized manner is by requiring joining computers to possess a class 2 personal digital certificate that has never been seen by the server before. Such certificates can currently be purchased from companies like GlobalSign (www.globalsign.net) for 16 Euros.
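The enforcement rules above (partner registry, complaint severs and fines every party, a refused fine means exile, joining requires a never-seen certificate, and the deterrence condition on the cost of a new identity) are modeled below in Python as an added illustration; this is not code from the paper or its implementation. The `Member` and `CentralServer` classes, the member names, `MAX_PARTNERS`, and the choice to measure both the fine and the rejoin cost in days of service are assumptions made here; the page fixes only the ``3 weeks'' fine and the rules themselves.

```python
"""Toy model of the post-payment enforcement rules run by the central server.

Added illustration, not code from the paper. Member names, the Member and
CentralServer classes, MAX_PARTNERS and the day-based cost unit are
assumptions; the page fixes only the ``3 weeks'' fine, the rule that a
complaint severs the partnership and fines everyone, exile for a refused
fine, and the never-seen-certificate rule for joining.
"""
from dataclasses import dataclass, field

FINE_DAYS = 21      # the paper's ``3 weeks'' fine, expressed in days of service
MAX_PARTNERS = 4    # assumed cap on partners per member (the page does not fix one)


@dataclass
class Member:
    name: str
    partners: set = field(default_factory=set)
    owed_fine_days: int = 0
    exiled: bool = False


class CentralServer:
    """Keeps the partner registry and applies complaints, fines and exile."""

    def __init__(self, fine_days=FINE_DAYS, max_partners=MAX_PARTNERS):
        self.fine_days = fine_days
        self.max_partners = max_partners
        self.members = {}
        self.seen_certs = set()   # certificate ids ever presented, exiles included

    def join(self, name, cert_id):
        """Admit a new member only for a certificate never seen before."""
        if cert_id in self.seen_certs or name in self.members:
            return False
        self.seen_certs.add(cert_id)
        self.members[name] = Member(name)
        return True

    def authorize_partnership(self, a, b):
        """Refuse exiles and full members; otherwise record the partnership."""
        ma, mb = self.members[a], self.members[b]
        if a == b or ma.exiled or mb.exiled:
            return False
        if len(ma.partners) >= self.max_partners or len(mb.partners) >= self.max_partners:
            return False
        ma.partners.add(b)
        mb.partners.add(a)
        return True

    def complain(self, complainant, accused):
        """A partner reports that the other did not pay ``d+1 days'' after restoring.

        The server cannot tell who is at fault, so it severs the partnership
        and fines *both* parties the same amount.
        """
        c, acc = self.members[complainant], self.members[accused]
        if accused not in c.partners:
            return False
        c.partners.discard(accused)
        acc.partners.discard(complainant)
        c.owed_fine_days += self.fine_days
        acc.owed_fine_days += self.fine_days
        return True

    def settle_fine(self, name, days_served):
        """The server itself challenges the member for the fined service.

        Serving at least what is owed clears the fine; serving less counts as
        refusing or cheating, and the member is exiled.
        """
        m = self.members[name]
        if days_served >= m.owed_fine_days:
            m.owed_fine_days = 0
            return True
        self.exile(name)
        return False

    def exile(self, name):
        """Tell all partners to abandon the member and block future partnerships."""
        m = self.members[name]
        m.exiled = True
        for p in list(m.partners):
            self.members[p].partners.discard(name)
        m.partners.clear()


def rejoin_cost_deters(rejoin_cost_days, fine_days=FINE_DAYS, max_partners=MAX_PARTNERS):
    """Exile deters only if a fresh identity costs more than the worst-case fine.

    Both sides are in the unit chosen by the caller (here, days of service);
    converting a certificate price into that unit is the caller's job.
    """
    return rejoin_cost_days > fine_days * max_partners
```

Note that `seen_certs` is never cleared, so an exiled member that presents its old certificate under a new name is still refused; `rejoin_cost_deters` is the inequality the paragraph above states, with the worst case being an attacker that had the maximum number of partners when it was fined.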

When disk-space wasting is used, this scheme provides better backup service availability than the prepayment one because it limits backup service only immediately after a restoration. It may, however, require the user to pay for membership somehow and requires much more effort from the central server per system member.


Mark Lillibridge 2003-04-07