distributed traffic patterns (for personal traffic)
Virtual Private Servers are getting fairly cheap, and Amazon EC2 instances even cheaper. A hundred or so dollars per month could put together a fairly large set (say, five ?) of general purpose unix nodes on at least 3 continents ... EC2 in Asia and Ireland, and then some bullshit VPS provider(s) here and there in the US.

So let's say you assemble a little quiver of these root shells, and your intention is to completely obfuscate your own personal traffic ... to just disappear completely (as an atomic, individual net user).

The technical foundation is pretty basic - just set up your own system, or perhaps a firewall at your home/office to block all traffic except for SSH or HTTPS and to take all outbound traffic and tunnel it over one of those to a random one of your systems. Easy.

-----

So at this point, what do you have ? First, your own ISP no longer sees anything but encrypted traffic. I suppose they also see time patterns, but you've pretty much excluded your own ISP from all information regarding your net usage. Further, you've upped the ante considerably - an actor has to have a global eye view of the entire global Internet to collect a true portfolio of your net usage. Maybe a few US nodes are easy, and maybe if you go EC2 Ireland, that's easy too ... but some VPS provider in Hong Kong ? Seoul ? Sao Paulo ?

-----

So where does this start to fall apart ? First, if you hit any kind of personal/vanity/small sites on a daily or hourly basis, an attacker just has to camp out upstream from there and collect all the source IPs that come in. So if you run your own mailserver (or whatever), this falls apart almost immediately. You either need to start hosting a lot more traffic on your own server (giving away accounts or something like that) or you need some kind of jumphost that isn't connected to you, and an out of band link between the jumphost and your own site(s). This isn't rocket science, though ... just set up a big ubuntu/freebsd/whatever mirror next to your own vanity host, and cross connect with an ethernet cable over non routable IP space.

Second, unencrypted login sessions ... between web forums and chat rooms and any number of other things, somewhere you're entering a user/pass over plain old HTTP... and if an attacker can guess one or more sites that they know you visit, they can, just like above, camp out upstream and just collect all of your proxy IPs. This is easy to fix with a firewall rule, but may be impractical to deal with that way ... a certain discipline with nyms and aliases, etc., needs to be adopted, and unlike typical "nym leakage" you need to be thinking of nym leakage on an infrastructure level. Not impossible, though...

Where else does this fall apart ? I don't think there is a weakness with DNS resolution, since the DNS resolution will come from your proxy, which will move around... presumably your local connection has everything but 22 (or 443) blocked.

Remember, this isn't Tor ... the idea here is not to create mathematically provable security. The idea is to make one's own traffic disappear to a degree that one needs to be a nation state to put it back together. The local ISP can't see it, the servers you visit can't see it, and the intermediate ISPs (and even a conglomeration of several of them) can't see it. And it looks like this is a fairly cheap thing to put together in 2010...
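The upstream-camping attack described above, quantified from the defender's side as an added example (not code from the thread): if each visit to a camped vanity site exits through one of n nodes picked uniformly at random, enumerating the whole pool is the coupon-collector problem, and the block goes beyond the post by comparing pool sizes of 3, 5 and 20. The uniform-random selection and the hourly-visit reading of the results are assumptions; the post only says "a random one of your systems".

```python
"""Coupon-collector model of the "camp upstream of a vanity site" attack.

Constructed model, not from the thread: each visit to the site exits via
one of n nodes chosen uniformly at random, and the observer logs the
source IP of every visit. How many logged visits until all n are seen?
"""
from math import comb
import random

def expected_visits(n: int) -> float:
    """Expected visits before every one of n nodes has appeared: n * H_n."""
    return n * sum(1.0 / k for k in range(1, n + 1))

def prob_all_seen(n: int, visits: int) -> float:
    """Exact probability that `visits` uniform draws cover all n nodes
    (inclusion-exclusion over the set of nodes never drawn)."""
    return sum((-1) ** j * comb(n, j) * ((n - j) / n) ** visits
               for j in range(n + 1))

def visits_for_confidence(n: int, confidence: float) -> int:
    """Smallest number of visits after which the observer has seen every
    node with at least the given probability (must be strictly below 1)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be in (0, 1)")
    visits = n  # fewer than n visits can never cover n nodes
    while prob_all_seen(n, visits) < confidence:
        visits += 1
    return visits

def simulate_mean_visits(n: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo cross-check of expected_visits with a seeded RNG."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen, visits = set(), 0
        while len(seen) < n:
            seen.add(rng.randrange(n))
            visits += 1
        total += visits
    return total / trials

if __name__ == "__main__":
    # A five-node quiver hit hourly is fully exposed in about half a day
    # on average, and within a day with 95% confidence.
    for n in (3, 5, 20):
        print(f"n={n:2d}: expected {expected_visits(n):6.1f} visits, "
              f"95% confidence after {visits_for_confidence(n, 0.95)}")
```

Expected visits grow as n·H_n, so a bigger quiver only buys proportionally more observer work; the mirror-host dilution proposed in the post attacks the model's other assumption, that every logged visitor is you.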
On Mon, 2010-11-08 at 05:15 +0000, John Case wrote:
Virtual Private Servers are getting fairly cheap, and Amazon EC2 instances even cheaper. A hundred or so dollars per month could put together a fairly large set (say, five ?) of general purpose unix nodes on at least 3 continents ... EC2 in Asia and Ireland, and then some bullshit VPS provider(s) here and there in the US.
So let's say you assemble a little quiver of these root shells, and your intention is to completely obfuscate your own personal traffic ... to just disappear completely (as an atomic, individual net user).
The technical foundation is pretty basic - just set up your own system, or perhaps a firewall at your home/office to block all traffic except for SSH or HTTPS and to take all outbound traffic and tunnel it over one of those to a random one of your systems. Easy.
So where does this start to fall apart ?
First, if you hit any kind of personal/vanity/small sites on a daily or hourly basis, **an attacker just has to camp out upstream from there and collect all the source IPs that come in.** So if you run your own mailserver (or whatever), this falls apart almost immediately.
Second, unencrypted login sessions ... between web forums and chat rooms and any number of other things, somewhere you're entering a user/pass over plain old HTTP... and if an attacker can guess one or more sites that they know you visit, they can, just like above, camp out upstream and just collect all of your proxy IPs. ... And it looks like this is a fairly cheap thing to put together in 2010...
It seems to me like Tor would do everything this solution would do, and even would avoid the two attacks you present. The attacker can do the same thing (camp the destination), but they'll just get Tor exits. It's also simple to transparently proxy all traffic on your system through Tor.

If you really wanted to limit your anonymity set, you could run those nodes and set a few of them up as bridge nodes and a few of them up as exits, and cycle through that. An upcoming feature of Tor is matching circuits to destination ports, so you could use your (trusted) exits for cleartext traffic (the few sites when you're forced onto HTTP) and use the wider Tor network for the rest.

Maybe I'm not seeing what you're trying to get at, but it seems like this would do everything you need.

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Subject: Re: distributed traffic patterns (for personal traffic)
From: teddks@gmail.com
To: cypherpunks@al-qaeda.net
Date: Mon, 8 Nov 2010 09:07:47 -0500
Some people don't wish to use Tor for a variety of reasons, whether a lack of trust, or simply because they don't want anyone to see Tor traffic on their connection. I see what you're saying, mind you. Perhaps even better would be to combine the two, and run Tor from some Asian/off-shore server you own which you tunnel into.

Either or, Tor is better simply because it eliminates the upstream camping, which would probably be the main problem; eventually, your proxy servers would be enumerated, and then, you'd be vulnerable.

There's the cost, too. 100 dollars a month, which would need to be reasonably anonymously transferred, otherwise someone already has a list of your shells. This kind of method would work against someone who has limited resources, but then, so does vanilla Tor, or simple proxy chaining.
On Mon, 8 Nov 2010, Alastair O'Neill wrote:
The threat model is not a current one. If you are actively breaking the law _right now_, then all of this (including Tor, IMO) is out the window - you move to the realm of throwaway mobile phones and prepaid Visa cards and open wifi networks.

No, the threat model I am concerned with is future correlation attacks and data mining. I am concerned with a set of digital footprints that can be stored indefinitely and can be used to frame all possible motives.

So yes, Tor would work, but Tor is slow, and even with a large number of additional nodes and much more bandwidth, Tor will still have _very_ high latency. If you read back in the Tor mailing list, you can see the devs state that while the bandwidth will get better over time, the latency issues are here to stay. This is in contrast to a hop from CONUS over to Amsterdam and back to check nfl.com ... that's pretty snappy, I am happy to report.

So that's the threat model, and that's why I have declined to use Tor (I'm well versed in Tor usage and admin).

Payment is prepaid Visa or postal money order, etc. Most Asian ISPs I have dealt with don't accept credit cards for service anyway.

As to cost, if $80 or $100 per month is too much, I guess you use Tor. I'm of the mind that this is extremely cheap for 3-5 nodes spread across the world, especially considering that this barely got you a single colo'd server 8 years ago.

Comments ? Where does this break down, given the modest requirements described ?
Date: Mon, 8 Nov 2010 17:55:16 +0000
From: case@sdf.lonestar.org
To: lisheo@hotmail.com
CC: cypherpunks@al-qaeda.net
Subject: RE: distributed traffic patterns (for personal traffic)
If all you're looking to do is avoid data-mining and digital footprints being stored by non-state actors, I think it would suffice, as long as you were careful with the shell/VPS providers. Mix it up, and connect to a free shell provider (if you aren't doing anything that requires stronger anonymity) or server that has other accounts, as mentioned, to use as an "exit node" in order to hide your exit traffic from upstream camping, and of course use a browser that's resistant to browser-fingerprinting, and all of that standard jazz.
participants (4)
- Alastair O'Neill
- John Case
- Noah Crocell
- Ted Smith