[anogeorgeo at yahoo.com: ATTN: MiTH attack against SkyPE, defeates "Findnot.com"]

Tyler Durden camera_lumina at hotmail.com
Tue May 16 11:04:09 PDT 2006


I'm intrigued, though slightly sceptical. As each packet passes through the 
router buffers, then any inter-packet delays would be erased. However, I 
suppose it's possible that he either inserts additional "silence" packets 
between legit packets in the flow, or else remaps the packet payloads and so 
inserts said delays.

One "good" thing here is that this will probably be very difficult to do en 
masse...they'll have to target a specific individual I suspect. Also, I 
would think it's useless with mere email, etc...

But of course, if they already have you on their radar screen and you are 
trying to hide the identities of people you are communicating with, then 
they MIGHT be able to figure out who you are communicating to.

Another good thing is that I suspect it's possible to develop a counter to 
this (or at least detect it), but it may overburden some TOR nodes.

-TD


>From: Eugen Leitl <eugen at leitl.org>
>To: cypherpunks at jfet.org
>Subject: [anogeorgeo at yahoo.com: ATTN: MiTH attack against SkyPE,  defeates 
>"Findnot.com"]
>Date: Tue, 16 May 2006 18:07:15 +0200
>
>----- Forwarded message from Anothony Georgeo <anogeorgeo at yahoo.com> -----
>
>From: Anothony Georgeo <anogeorgeo at yahoo.com>
>Date: Tue, 16 May 2006 07:42:58 -0700 (PDT)
>To: or-talk at freehaven.net
>Subject: ATTN: MiTH attack against SkyPE, defeates "Findnot.com"
>Reply-To: or-talk at freehaven.net
>
>Hello,
>
>Here is a quoted section from an article about the US
>FBI and the next generation of "Carnivore" which will
>focus on VoIP.
>
>The quoted section deals with a MiTH attack (I think)
>that has been discussed here before.  The attacker
>adds a packet timing delay and invisible 'tag' to
>packets of the P2P VoIP software "Skype".
>
>This MiTH attack defeated the anonymity offered by
>http://www.findnot.com and as such everyone should
>consider all other web-based, single-hop and weak [eg.
>non-Tor ;-) ] anonymizing services to be broken.
>
>I don't think this MiTH attack can affect the Tor
>network but I'm not sure.  I think Tor's DH key
>authentication of nodes and TLS tunnels precludes this
>attack but I'm not positive.
>
>Can an Onion Route II/Tor expert offer assurance this
>MiTH attack does not affect Tor?
>
>-Quoted section-
>http://news.com.com/Feds+fund+VoIP+tapping+research/2100-7348_3-5825932.html?
>part=rss&tag=5825932&subj=news
>
>The FBI or any other government agency that's
>eavesdropping on both ends of the link would see that
>each person was connected to the anonymizing
>server--but couldn't know for sure who was talking to
>whom. The more customers who use the service at once,
>the more difficult it would be for investigators to
>connect the dots.
>
>Wang discovered he could embed a unique, undetectable
>signature in Skype packets and then identify that
>signature when they reached their destination. The
>technique works in much the same way as a radioactive
>marker that a patient swallows, permitting doctors to
>monitor its progress through the digestive system.
>
>"It's based on the flow itself," Wang said. "I embed a
>watermark into the flow itself, the timing of the
>packets. By adjusting the timing of select packets
>slightly, it's transparent. There's no overhead in the
>bandwidth, and it's very subtle. It's mingled with the
>background noise." (The anonymizing service tested was
>Findnot.com, which did not immediately respond to a
>request for comment on Tuesday.)
>
>A paper co-authored by Wang and fellow George Mason
>researchers Shiping Chen and Sushil Jajodia describing
>their results is scheduled to be presented at a
>computer security conference in November. An early
>draft concludes that "tracking anonymous, peer-to-peer
>VoIP calls on the Internet is feasible" with only
>3-millisecond timing alterations as long as the calls
>are at least 90 seconds long.
>
>-End quoted section-
>
>Options, comments?
>
>
>----- End forwarded message -----
>--
>Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
>______________________________________________________________
>ICBM: 48.07100, 11.36820            http://www.ativel.com
>8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>




