[tor-talk] End-to-end correlation for fun and profit

Maxim Kammerer mk at dee.su
Tue Aug 21 23:48:19 PDT 2012


On Wed, Aug 22, 2012 at 8:51 AM, Andreas Krey <a.krey at gmx.de> wrote:
> Buying software for a) will probably show up in public records, and b)
> may be hindered by the paranoia of the participating LEAs. Even the
> software needed to get all the intercepted data in one place could be
> nightmarish.

I don't think that buying the software would be that difficult. For a
big project, LE could outsource it to one of those shady companies
selling exploits, or (more likely) to a government contractor with
security clearance. For something smaller, a hungry grad student
should do, after making them sign an NDA, or, in case of a really
arrogant LE, some national secrecy act. Writing the service as
something innocent in accounting is probably par for the course.

Closer to the topic, I think that traffic correlation can be performed
in a distributed fashion, if you know the target IPs to watch for
(which can be gathered beforehand locally on exit nodes, and
aggregated and analyzed afterwards). Exit nodes that see packets
to/from target hosts aggregate their exact timestamps for a few
seconds, and then send the chunks to all other nodes (so yes, you
can't correlate too much traffic). All other (guard) nodes then try to
locally correlate the received packets with their own traffic, and
aggregate successes for later reports. In this fashion, each node
needs to keep perhaps a minute of timestamped traffic. It is also
possible to play with traffic / disk space / success probability
tradeoffs: send chunks to rotating sets of nodes, increase recorded
traffic window (to be able to send old chunks to nodes that didn't see
traffic to a given IP yet), etc.

--
Maxim Kammerer
Liberti Linux: http://dee.su/liberte
_______________________________________________
tor-talk mailing list
tor-talk at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE