I'm intrigued, though slightly sceptical. As each packet passes through the router buffers, then any inter-packet delays would be erased. However, I suppose it's possible that he either inserts additional "silence" packets between legit packets in the flow, or else remaps the packet payloads and so inserts said delays. One "good" thing here is that this will probably be very difficult to do en masse...they'll have to target a specific individual, I suspect. Also, I would think it's useless with mere email, etc... But of course, if they already have you on their radar screen and you are trying to hide the identities of people you are communicating with, then they MIGHT be able to figure out who you are communicating to. Another good thing is that I suspect it's possible to develop a counter to this (or at least detect it), but it may overburden some TOR nodes.

-TD
From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks@jfet.org
Subject: [anogeorgeo@yahoo.com: ATTN: MiTH attack against SkyPE, defeates "Findnot.com"]
Date: Tue, 16 May 2006 18:07:15 +0200
----- Forwarded message from Anothony Georgeo <anogeorgeo@yahoo.com> -----
From: Anothony Georgeo <anogeorgeo@yahoo.com>
Date: Tue, 16 May 2006 07:42:58 -0700 (PDT)
To: or-talk@freehaven.net
Subject: ATTN: MiTH attack against SkyPE, defeates "Findnot.com"
Reply-To: or-talk@freehaven.net
Hello,
Here is a quoted section from an article about the US FBI and the next generation of "Carnivore" which will focus on VoIP.
The quoted section deals with a MiTH attack (I think) that has been discussed here before. The attacker adds a packet timing delay and invisible 'tag' to packets of the P2P VoIP software "SkyPE".
This MiTH attack defeated the anonymity offered by http://www.findnot.com and as such everyone should consider all other web-based, single-hop and weak [e.g. non-Tor ;-) ] anonymizing services to be broken.
I don't think this MiTH attack can affect the Tor network but I'm not sure. I think Tor's DH key authentication of nodes and TLS tunnels precludes this attack but I'm not positive.
Can an Onion Route II/Tor expert offer assurance this MiTH attack does not affect Tor?
-Quoted section- http://news.com.com/Feds+fund+VoIP+tapping+research/2100-7348_3-5825932.html... part=rss&tag=5825932&subj=news
The FBI or any other government agency that's eavesdropping on both ends of the link would see that each person was connected to the anonymizing server--but couldn't know for sure who was talking to whom. The more customers who use the service at once, the more difficult it would be for investigators to connect the dots.
Wang discovered he could embed a unique, undetectable signature in Skype packets and then identify that signature when they reached their destination. The technique works in much the same way as a radioactive marker that a patient swallows, permitting doctors to monitor its progress through the digestive system.
"It's based on the flow itself," Wang said. "I embed a watermark into the flow itself, the timing of the packets. By adjusting the timing of select packets slightly, it's transparent. There's no overhead in the bandwidth, and it's very subtle. It's mingled with the background noise." (The anonymizing service tested was Findnot.com, which did not immediately respond to a request for comment on Tuesday.)
A paper co-authored by Wang and fellow George Mason researchers Shiping Chen and Sushil Jajodia describing their results is scheduled to be presented at a computer security conference in November. An early draft concludes that "tracking anonymous, peer-to-peer VoIP calls on the Internet is feasible" with only 3-millisecond timing alterations as long as the calls are at least 90 seconds long.
-End quoted section-
Options, comments?
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
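The two open questions in this thread (does ordinary buffering erase the timing mark, and would a counter work) can be checked on synthetic timestamps. This simulation is an added example, not part of the thread or the cited paper. Only the 3 ms and 90 s figures come from the quoted article; the keyed packet-pair marking model, 20 ms spacing, jitter values and the constant-rate relay are assumptions.

```python
import random

PERIOD = 0.020   # assumed 20 ms voice-packet spacing (constructed)
DELTA = 0.003    # 3 ms timing alteration, the figure quoted above
N = 4500         # 90 s of packets at that spacing

def pairs_for(key, nbits):
    """Keyed assignment of non-overlapping packet pairs (i, i+1) to bits."""
    starts = list(range(0, N - 1, 2))
    random.Random(key).shuffle(starts)
    per = len(starts) // nbits
    return [starts[b * per:(b + 1) * per] for b in range(nbits)]

def mark(times, bits, key):
    """Simplified marking model: stretch (bit 1) or shrink (bit 0) chosen gaps."""
    out = list(times)
    for bit, starts in zip(bits, pairs_for(key, len(bits))):
        for i in starts:
            out[i + (1 if bit else 0)] += DELTA
    return out

def jitter(times, rng, sigma=0.002):
    """Per-packet path delay: 30 ms mean with sigma seconds of random jitter."""
    return [t + rng.gauss(0.030, sigma) for t in times]

def constant_rate_relay(times, buffer=0.050):
    """Countermeasure model: buffer packets, then re-emit them on a fixed clock."""
    return [times[0] + buffer + k * PERIOD for k in range(len(times))]

def score(times, bits, key):
    """Mean signed gap offset: about DELTA if the mark survived, about 0 if not."""
    total = 0.0
    for bit, starts in zip(bits, pairs_for(key, len(bits))):
        gap = sum(times[i + 1] - times[i] for i in starts) / len(starts)
        total += (gap - PERIOD) * (1 if bit else -1)
    return total / len(bits)

def run(seed=1):
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(32)]
    sent = mark([k * PERIOD for k in range(N)], bits, key=42)
    plain = jitter(jitter(sent, rng), rng)            # two ordinary noisy hops
    defended = jitter(constant_rate_relay(jitter(sent, rng)), rng)
    return score(plain, bits, 42), score(defended, bits, 42)
```

In this model, independent per-packet jitter averages out over the 90-second flow and the score stays near 3 ms, while re-timing at a relay drives it to roughly zero at the cost of added latency and buffering on that node.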