[tor-talk] Exit snooping 'research'

grarpamp grarpamp at gmail.com
Thu Feb 24 07:45:34 UTC 2011


> Of course, until you factor in the information we received later which
> is that a researcher has apparently been using a technique to discover
> "passively" eavesdropping nodes, and the node in question here came
> up. Sort of mooting the whole discussion until the research is
> published.

The above has been mentioned twice now as some sort of
pending serious, paper worthy, research.
Some corrective Network Engineering 101 is obviously needed here
before some poor soul ends up mis-educated.
There is NO way to detect passive monitoring unless you have access
to the monitor. Real world passive monitoring involves mirrored
upstream switch ports or optical splitters. No contact, separate devices,
that's why it's called passive. Don't try to mention optical dB loss, spectral
anomalies, bump insertion events, TEMPEST, heat and power consumption...
because, as a user, you don't have access to those. Nor try to claim
anything about running BPF on the same machine as the node thus
overloading the box and perturbing flows or exploiting the listener process...
because that's not proper passive snooping and thus you're doing it wrong.

Now you could properly rename that 'detection' word to 'entrapment'
where you watch for the use of your unique seed. But that's a different
thing, obviously.

Now if you'll excuse me, I have another 100GiB of quietly recorded traffic
to sift through before Friday ;-)
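The 'entrapment' approach the post contrasts with detection (watch for use of your unique seed), as an added example that is not from the original thread: bait passwords are HMAC-bound to the exit they were sent through under an operator-only secret, and a check over constructed honeypot login lines flags an exit only when its bait turns up again after the operator's own probe. The token format, the log line format and the honeypot itself are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Assumed token format: bait-<exit fingerprint>-<nonce>-<mac>. Binding the exit
# into the token via HMAC means a bait seen in the log names its exit with no
# lookup table, and a guessed or altered token cannot frame a different exit.
BAIT_RE = re.compile(r"^bait-([0-9a-f]{40})-([0-9a-f]{8})-([0-9a-f]{16})$")
LOG_RE = re.compile(r"^(?P<ts>\S+) login src=(?P<src>\S+) user=\S+ pass=(?P<pw>\S+)")

def _mac(secret: bytes, exit_fp: str, nonce: str) -> str:
    return hmac.new(secret, f"{exit_fp}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]

def mint_bait(secret: bytes, exit_fp: str) -> str:
    """One unique bait password for one cleartext probe sent through exit `exit_fp`."""
    exit_fp = exit_fp.lower()
    nonce = secrets.token_hex(4)  # 8 hex chars; fresh per probe
    return f"bait-{exit_fp}-{nonce}-{_mac(secret, exit_fp, nonce)}"

def parse_bait(secret: bytes, password: str):
    """Exit fingerprint encoded in a genuine bait password, or None for anything else."""
    m = BAIT_RE.match(password)
    if not m:
        return None
    exit_fp, nonce, tag = m.groups()
    return exit_fp if hmac.compare_digest(tag, _mac(secret, exit_fp, nonce)) else None

def replayed_baits(secret: bytes, log_lines):
    """Map exit fingerprint -> [(ts, src), ...] for every reuse of its bait.

    The first login carrying a bait is the operator's own probe and is expected;
    any later login with the same bait means someone who saw the cleartext probe
    replayed it. Assumes the probe itself reached the honeypot (constructed logs).
    """
    seen = set()
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        exit_fp = parse_bait(secret, m["pw"])
        if exit_fp is None:
            continue  # ordinary password or forged token: not attributable
        if m["pw"] in seen:
            hits[exit_fp].append((m["ts"], m["src"]))
        seen.add(m["pw"])
    return dict(hits)
```

Such a hit shows only that the cleartext probe was observed somewhere on the path from that exit to the honeypot, so it attributes the reuse to a specific probe, not to a specific device.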