[tor-talk] End-to-end correlation for fun and profit

Maxim Kammerer mk at dee.su
Wed Aug 22 03:51:06 UTC 2012


On Wed, Aug 22, 2012 at 2:11 AM, Roger Dingledine <arma at mit.edu> wrote:
> I think your numbers may not be right (there are a lot of other subtleties
> to the calculation), but your point is still generally correct.

There are some subtleties, mainly the restriction on distinct families
in a circuit — you can account for them in a spreadsheet, or by
writing a proper analysis program, but I doubt that it will result in
more than a few percent difference (just speculating, maybe it's
more). Doing some heuristic search for intercepted nodes selection (a
few high-bandwidth Exit-only or Guard-only nodes) will probably push
the estimates in the other direction.

> For more details calculating diversity, see
> https://blog.torproject.org/blog/research-problem-measuring-safety-tor-network

This quote: “They only use relays with the Guard flag for their first
hop. They read weighting parameters from the consensus and use them to
avoid Guard-flagged nodes for positions other than the first hop and
avoid Exit-flagged nodes for positions other than the last hop, in
proportion to how much capacity is available in each category.” — is
this actually true? Are Guard+Exit nodes never used as guard nodes? Or
even only used as middle nodes (depending on how one reads the first
sentence)? I didn't see something like that in the code.

> Really? Across jurisdictions? And for 'all traffic of those relays'?
> I don't want to downplay the risk too far, but I think you overestimate
> "unsophisticated law enforcement operations".

Ok, maybe I overestimate LE — different countries have different
standards. Let's consider extra-legal attacks. You mentioned [1],
which looks at intercepting IX traffic. IX links are probably
considered a part of vital national infrastructure wherever they are
located (similarly to telecoms), so it would be extremely hard for a
non-LE adversary to install their (extremely expensive) equipment or
software in the relevant facilities. However, consider what would be
needed to intercept all traffic from the /28 networks mentioned here,
managed by ~20 VPS hosting providers (I don't think I noticed anything
residential, but intercepting that would be much easier). Let's say
you have a million dollars to spare. Allocate $50k for each of the
hosters, and budget another $50k for some smooth salesperson type who
will fly to each hosting facility / office, befriend an infrastructure
admin with beer / hookers / coke, and offer him $50k for shadowing
traffic from VPSes of interest to your own VPS (which might be
possible to do purely in software in most cases, probably). I think
it's doable, whether you are just curious and want your own
international surveillance operation, or treat it as a data mining
investment (there is probably a lot of interesting traffic going
through Tor, if you know what to look for). It is also quite cheap for
the effect.

[1] http://freehaven.net/anonbib/#murdoch-pet2007

> Well, do you have an alternative design that scales adequately to 6 or
> 7 figures of users, provides roughly-real-time browsing and other TCP
> connections, works on the Internet that we have, and has better traffic
> confirmation resistance?

For one, everyone should contribute as a relay. This also has the
potential to improve the users community, and advance hidden service
resources as a result. “Internet that we have” is also problematic,
because Internet is too hierarchical. I think that EFF should promote
large-scale ISP-independent mesh networks, instead of caring so much
about the ability of some CIA-funded NGO activists to get on Facebook.

> Or said another way, how well do other usable low-latency anonymity
> systems hold up to ongoing wiretaps at 25 arbitrary network locations? I
> believe the answer is 'mostly less well than Tor'.

Other anonymity systems don't care much about accessing clearnet. I am
not even sure whether I2P, for instance, has any active outproxies at
the moment, and they do fine, since they provide what the users need —
community, ability to religiously tweak the console panel, integrated
file sharing, etc.

> It would be interesting to see your stats on as AS level rather than
> a /24 netblock level.

I don't think it would change the top-25 list much, since, for
instance, all /28 networks there belong to different /16 classes.
Maybe something like Amazon EC2 could creep in, but I doubt that. But
it's difficult to say definitely, e.g.:

$ cut -d' ' -f1 nodes | sort -u | wc -l
1595 (IPs)
$ cut -d' ' -f1 nodes | cut -d. -f1-3 | sort -u | wc -l
1461 (/24 networks)
$ cut -d' ' -f1 nodes | cut -d. -f1-2 | sort -u | wc -l
984 (/16 networks)

> I think we still do a pretty good job explaining the risks and limitations
> of using a system like Tor, e.g. in each Tor talk.

I don't think it matters much. Technical people are skeptical to begin
with. Non-technical people are irrational (e.g., judging from
experience with activists described on liberationtech mailing list) —
they will keep everything in plaintext and use unencrypted connections
even when told explicitly that it's dangerous. From my experience,
warnings only work when you show people something that will cause a
cognitive dissonance. I.e.: “don't email exams” doesn't work, whereas
“here is the exam you wrote for tomorrow, and here is the student who
stole it from your mailbox” works well. It seems that Tor is not yet
at the point where one can show such examples, although someone with a
few million $ to spare or to invest might do just that (see above).

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
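The `cut | sort -u | wc -l` pipeline above can only count networks on octet boundaries (/8, /16, /24), while the thread talks about /28 blocks. Here is an added example, not code from the thread, that counts distinct networks at any prefix length with proper CIDR arithmetic; the `nodes` file format (IPv4 address in the first whitespace-separated field) and the sample lines are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in the format the thread's `nodes` file appears to use:
# one relay per line, IPv4 address in the first whitespace-separated field.
# (Assumed format; addresses are documentation ranges, not real relays.)
SAMPLE_NODES = """\
198.51.100.17 relayA
198.51.100.20 relayB
198.51.100.40 relayC
198.51.100.200 relayD
203.0.113.5 relayE
203.0.113.250 relayF
192.0.2.1 relayG
192.0.2.1 relayG-duplicate-line
"""

def distinct_networks(nodes_text, prefix_len):
    """Map each /prefix_len network to the number of distinct relay IPs in it.
    Equivalent to `cut -d. -f1-N | sort -u | wc -l` for N*8-bit prefixes, but
    works for any length (e.g. /28), where octet truncation cannot be used."""
    ips = set()
    for line in nodes_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            ips.add(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip malformed first fields, e.g. a header line
    nets = Counter()
    for ip in ips:
        if ip.version != 4:
            continue  # the shell pipeline above only handles dotted IPv4
        nets[ipaddress.ip_network((ip, prefix_len), strict=False)] += 1
    return nets

def diversity_summary(nodes_text, prefix_lens=(32, 28, 24, 16)):
    """Number of distinct networks at each prefix length (32 = distinct IPs)."""
    return {p: len(distinct_networks(nodes_text, p)) for p in prefix_lens}

if __name__ == "__main__":
    for p, n in diversity_summary(SAMPLE_NODES).items():
        print(f"/{p}: {n}")
    # Which /28 blocks host the most relays, i.e. where one shadowed link
    # would expose the largest share of this sample's nodes.
    for net, count in distinct_networks(SAMPLE_NODES, 28).most_common(3):
        print(net, count)
```

Run it against a real `nodes` dump by replacing `SAMPLE_NODES` with the file's contents; `most_common()` at /28 gives the concentration list the thread is discussing.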