Tor (and other nets) probably screwed by Traffic Analysis by now
https://motherboard.vice.com/read/the-uk-is-using-bulk-interception-to-catch...
https://conspicuouschatter.wordpress.com/2016/02/03/a-technical-reading-of-t...
https://www.documentcloud.org/documents/2702948-Problem-Book-Redacted.html

Researchers have speculated that GCHQ may have the capability to deanonymise Tor users by examining the timing of connections going in and out of the Tor network.

... there is clear evidence that timing information is both recognized as being key to correlating events and streams; and it is being recorded and stored at an increasing granularity. There is no smoking gun as of 2011 to say they casually de-anonymize Tor circuits, but the writing is on the wall for the onion routing system. GCHQ at 2011 had all ingredients needed to trace Tor circuits. It would take extraordinary incompetence to not have refined their traffic analysis techniques in the past 5 years. The Tor project should do well to not underestimate GCHQ’s capabilities to this point.

... one should wonder why we have been waiting for 3 years until such clear documents are finally being published from the Snowden revelations. If those had been the first published, instead of the obscure, misleading and very non-informative slides, it would have saved a lot of time — and may even have engaged the public a bit more than bad powerpoint.

http://motherboard.vice.com/read/the-uk-will-police-the-dark-web-with-a-new-...
https://blog.torproject.org/blog/traffic-correlation-using-netflows

Prediction market (place your bids): "First networks utilizing fill traffic as TA countermeasure to emerge and reach early deployment by year end 2017..."
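As an added illustration (not code from this thread, the linked papers, or the Tor project) of why the message ends on fill traffic as the countermeasure: with constructed ingress and egress timings, the binned packet counts of a bursty client flow correlate almost perfectly with that client's own delayed egress and not with another client's, while constant-rate padding flattens the egress timing so both scores collapse to zero. The burst times, latency, jitter and padding rate are all made-up parameters.

```python
import random
def bin_counts(timestamps, bin_width, n_bins):
    """Histogram packet times into fixed bins, roughly what a flow record keeps."""
    counts = [0] * n_bins
    for t in timestamps:
        idx = int(t // bin_width)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx, vy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5  # 0.0 if a side is flat

def bursty_flow(rng, burst_starts, burst_size):
    """Constructed client traffic: short packet bursts at the given start times."""
    return sorted(s + rng.uniform(0, 0.2) for s in burst_starts for _ in range(burst_size))

def egress_view(rng, flow, latency):
    """The same packets seen on the far side of the network: delayed and jittered."""
    return sorted(t + latency + rng.gauss(0, 0.01) for t in flow)

def pad_to_constant_rate(flow, duration, rate):
    """Fill traffic: one cell per slot (real if queued, dummy otherwise), so wire
    timing is independent of demand as long as demand fits within the rate."""
    slots = int(duration * rate)
    assert len(flow) <= slots, "demand exceeds the fixed rate; padding would leak"
    return [(i + 0.5) / rate for i in range(slots)]  # slot centres, off bin edges

def correlation_score(ingress, egress, latency, duration, bin_width=0.5):
    """Align egress to ingress by the known latency, then correlate bin counts."""
    n_bins = int(duration // bin_width)
    a = bin_counts(ingress, bin_width, n_bins)
    b = bin_counts([t - latency for t in egress], bin_width, n_bins)
    return pearson(a, b)

def linkability_demo(seed=1, duration=60.0, latency=0.8, rate=10.0):
    """Two constructed clients A and B: can A's ingress be matched to its egress?"""
    rng = random.Random(seed)
    a_in = bursty_flow(rng, [3.1, 17.1, 31.1, 44.1], 20)
    b_in = bursty_flow(rng, [9.1, 25.1, 38.1, 52.1], 20)
    a_out, b_out = egress_view(rng, a_in, latency), egress_view(rng, b_in, latency)
    a_pad = egress_view(rng, pad_to_constant_rate(a_in, duration, rate), latency)
    b_pad = egress_view(rng, pad_to_constant_rate(b_in, duration, rate), latency)
    def score(egress):
        return correlation_score(a_in, egress, latency, duration)
    return {"raw_same": score(a_out), "raw_cross": score(b_out),
            "padded_same": score(a_pad), "padded_cross": score(b_pad)}
```

The padding only hides timing while real demand stays under the fixed rate; the assert in `pad_to_constant_rate` marks the case where it would not.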
On 6/2/16, Georgi Guninski <guninski@guninski.com> wrote:
On Thu, Jun 02, 2016 at 12:13:10AM -0400, grarpamp wrote:
deanonymise Tor users by examining the timing of connections going in and out of the Tor network. ...
isn't this well known, especially if they inject delays in suspects (or say districts)?
On global backbones... Inject / drop / delays require a complete fiber cut and insertion of active hardware capable of selecting traffic. A carrier that cares about such things must not ignore their line diagnostics. If you had insane alien tap tech capable of precise timing, invading wavelengths, and faster-than-subject-fiber processing and transmission... dropping could be done without cut by laser corrupting CRC / addresses with gain hits or losses, whiteout, etc... injection is similar, delay is drop and injection.

Adversaries couldn't do sneaky blackbag shit to the fiber if carriers would encrypt all their links, like Google now says it does internally.

All bets are off if the carrier is partner with, or under threat of, adversary... regarding global telecoms (remember Qwest), this paragraph seems the most likely of all the above. Continental, regional, district... more or less the same thing. On the last hop mile RJ-45 of a suspect end user... child's play, and they're fucked at that point anyways.
On 06/03/2016 01:07 AM, grarpamp wrote:
On 6/2/16, Georgi Guninski <guninski@guninski.com> wrote:
On Thu, Jun 02, 2016 at 12:13:10AM -0400, grarpamp wrote:
deanonymise Tor users by examining the timing of connections going in and out of the Tor network. ...
isn't this well known, especially if they inject delays in suspects (or say districts)?
...
All bets are off if the carrier is partner with, or under threat of, adversary... regarding global telecoms (remember Qwest), this paragraph seems the most likely of all the above.
Continental, regional, district... more or less the same thing.
On the last hop mile RJ-45 of a suspect end user... child's play, and they're fucked at that point anyways.
Anonymized routing protocols are designed to defeat passive observation and limited traffic manipulation by hostile actors. But what if an effectively unlimited number of compromised routers, subject to realtime observation and internal manipulation, were available to hostile actors? Game over, I think.

About 15 years ago I used online traceroute utilities and whois lookups to determine (roughly) where all the high performing Mixmaster remailers were physically located. Over half of them, including most with "exotic sounding" TLDs, were apparently in the state of Texas. Then I used my data to construct "hard to compromise" chains, routing Mixmaster messages through national jurisdictions not likely to have comprehensive data sharing between their security services, and started sending test messages. None of these test messages ever made it back to me. So I concluded that, despite its major technical superiority to other anonymized networking protocols, the Mixmaster network was most likely compromised by passive observation (one owner for a majority of reliable remailers) and active intervention (traffic between uncontrolled remailers interrupted in transit).

Owning enough of the routers in an anonymizing network to negate its security is largely a question of money: How much budget do you have, how certain do you want to be that nobody is really anonymous?

If I had to neutralize an anonymous routing network, my approach would be to set up a cloud server running thousands of instances of the router software in question, customized to facilitate monitoring by a hypervisor. Each of these routers would be connected via VPN to a unique remote host, which would function as a transparent proxy. The proxy hosts could be machines owned by "friendly" actors, rooted consumer grade routers, purpose built appliances, conventional Windows botnets or some combination of these.
I have not seen this method of attack described and named; I call it a "hydra" attack, because one body, many heads. I think this mode of attack deserves competent attention (i.e., not by me) because realtime observation and manipulation of any desired quantity of routers would provide solutions to any distributed anonymous routing protocol. The only defence I can think of is to assure that message traffic passes back and forth between mutually hostile national jurisdictions before delivery. This would be a bit of a hairball to implement, lots of slippery variables and potential counter-actions by hostiles would have to be taken into account. But this approach could increase the cost and reduce the reliability of Hydra attacks against anonymizing protocols.

Long story short: If you want to be /really/ anonymous in the presence of hostile State sponsored actors, do not rely on a software-only approach: Use physical security measures to conceal your identity from the physical router that connects you to the Internet, because most or all of the anonymizing routers your traffic passes through may be owned and controlled by the very people you are hiding from. :o/