Imagine a Situation:

Undiscussed Horrific Abuse, One Victim of Many gmkarl at gmail.com
Wed Apr 20 13:18:54 PDT 2022


On Wed, Apr 20, 2022, 3:06 PM zeynepaydogan <zeynepaydogan at proton.me> wrote:

> Imagine a situation: you are an intelligence officer, and your task is to
> identify a particularly dangerous blackmailing criminal who appears on the
> network periodically and only for data transmission. For criminal
> activities, he or she started a separate laptop, from which he or she “cut
> out” a microphone, speakers and a camera. A smart decision, given that the
> speakers also know how to listen.
>
> He or She uses Tails as an operating system, although Whonix would be
> worth taking for maximum anonymity. One way or another, all traffic goes
> through Tor, he does not trust the VPN, or only trusts his VPN, and he
> still needs Tor to work on the Darknet.
>
> He or She uses PGP-encrypted Jabber to communicate, he or she could also
> install Telegram, but this is the representative of the old school of
> criminals. Even if you have access to the Jabber server, you can only get
> encrypted data and Tor IP addresses. This is useless information.
>
> The criminal works on the principle of "silence is gold", he will not say
> too much, he or she will not open links or files. It is only known that he
> must be in the same country with you. It would seem that there is no chance
> to establish his identity, but this is an illusion, it is possible to
> establish his identity despite all the measures he or she takes.
>

This is not how criminals behave. It is how cypherpunks behave.


> The described case is ideal for applying a timing attack on a messenger or
> a thematic forum. The first thing you need is a program that will track and
> record all user logins and logouts. He appeared on the network - the system
> immediately notes the time, left - the system recorded the exit time.
> Now you have a log of his activity in your hands for several days, it's
> time to use the ORM (operational-search measures) system. Similar systems
> are at the disposal of the special services of most countries, in Russia it
> is SORM. You need to find out who connected to the Tor
>

I think this used to be called digital forensics.

> network during these +/- 5 minutes in your country.
> We know that the target that needs to be deanonymized connected on
> 04/11/2022 at 11:07 and disconnected at 12:30. At the same time points (+/-
> 5 minutes), 3,000 people connected to the Tor network and disconnected from
> it throughout the country. We take these 3000 and see which of them
> reconnected at 14:17 and disconnected at 16:54, how many people do you
> think will remain?
>
> So, step by step, the circle narrows, and in the end you will be able to
> calculate the place where your victim or criminal enters the network. The
> more often he enters the network and the fewer other users at this time,
> the faster the timing attack will work.
>

I have observed deanonymisation results that are much swifter and more
accurate than this. For example, most of these people are probably within
some other surveillance pool, where information can be automatically
cross-referenced.


> Example:
>
> metrics.torproject.org - checks if the IP address was used as a host to
> send traffic to Tor.
>
> check.torproject.org (
> https://check.torproject.org/cgi-bin/TorBulkExitList.py)
> github.com/SpiderLabs - will find a list of all Tor exit nodes in the
> last 16 hours that could contact the IP;
>
> ipqualityscore.com/user/proxy-detection-api/lookup - Find out if a person
> is using a proxy, VPN or TOR.
>
>
> The constant change of access points to the network makes such an attack
> meaningless. If the target periodically changes the exit points, this may
> complicate the search, but is a pre-admissible option and is not capable of
> confusing the system.
>

Pretty cool post. We do try not to conflate safety and privacy with
criminality.

There are few people remaining now who behave as you describe. The
criminals have likely stopped. The people who remain will be those who are
obsessive about it from personal principles.

But if you have data showing I am wrong, then I am. Of course it could also
be some other agency.

I have never worked for or with a government, a corporation, a crime ring,
or a cypherpunk group. So my expressions are all casual, from personal
interest and experience.


More information about the cypherpunks mailing list
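
The narrowing described in the quoted post, as an added example that is not part of either message: it intersects a connection log with the observed messenger sessions and reports how many subscribers remain consistent after each one, which is the anonymity-set size that a user's session habits leave them with. The log, the subscriber labels and the third session are constructed; the +/- 5 minute window, the first two session times and the 3,000 figure come from the post.

```python
from datetime import datetime, timedelta

TOLERANCE = timedelta(minutes=5)  # the +/- 5 minute window from the post


def ts(text):
    return datetime.strptime(text, "%m/%d/%Y %H:%M")


# Messenger login/logout times: the first two are from the post,
# the third is constructed for this example.
TARGET_SESSIONS = [
    (ts("04/11/2022 11:07"), ts("04/11/2022 12:30")),
    (ts("04/11/2022 14:17"), ts("04/11/2022 16:54")),
    (ts("04/12/2022 09:40"), ts("04/12/2022 10:15")),
]


def build_constructed_log(population=3000):
    """Constructed connection log: every subscriber repeats the observed
    sessions, shifted by a per-subscriber number of minutes."""
    log = {}
    for i in range(population):
        k = i % 300 - 150
        shifts = (i % 11 - 5, k, (i // 300 - 5) * 100 + 6 * k)
        log[f"subscriber-{i:04d}"] = [
            (start + timedelta(minutes=m), end + timedelta(minutes=m))
            for (start, end), m in zip(TARGET_SESSIONS, shifts)
        ]
    return log


def matches(session, observed, tol=TOLERANCE):
    """True when connect and disconnect both fall within tol of the observation."""
    return (abs(session[0] - observed[0]) <= tol
            and abs(session[1] - observed[1]) <= tol)


def anonymity_set_sizes(target_sessions, network_log, tol=TOLERANCE):
    """Intersect candidates session by session; return (sizes, survivors)."""
    remaining = set(network_log)
    sizes = []
    for observed in target_sessions:
        remaining = {s for s in remaining
                     if any(matches(x, observed, tol) for x in network_log[s])}
        sizes.append(len(remaining))
    return sizes, remaining


if __name__ == "__main__":
    print(anonymity_set_sizes(TARGET_SESSIONS, build_constructed_log()))
```

On this constructed log the set goes from 3,000 to 110 to a single subscriber in three sessions, which illustrates the post's remark that more frequent sessions and fewer concurrent users speed up the narrowing.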