Re: Anonymity easily thwarted by flooding network with relays?
On Fri, 19 Nov 2010, Theodore Bagwell wrote:

On Fri, 19 Nov 2010 08:11 -0500, Paul Syverson syver...@itd.nrl.navy.mil wrote:

Your reactions are good. It's just that many people have had the same reactions so we've explored this, and nobody in all of the research done has yet produced a viable version of what you suggest.

The nature of the attack outlined in the paper is expensive. The paper suggests rapid deployment, collection of data, and undeployment. The longer the interloping system runs, the more it costs.

I don't think it sounds expensive at all - I suspect a private individual could ramp this up for $10k per month or less. It's not chump change, but it's not exactly at the nation-state level either... (I am thinking of Amazon EC instances, etc.)

Perhaps, at a network level, we can detect a sudden massive deployment of ORs and mark them as suspicious? Or, as mentioned earlier, we can assign an OR a level of trust commensurate with its age? (Admittedly, this may increase security at the expense of delayed benefit of new ORs)

Isn't this problem an obvious web of trust application? Can't this be solved by a pgp-style web of trust?

I don't like the idea of solving it this way because I rather like running my tor node(s) in complete anonymity, so it's not something I necessarily want to be involved in ... but theoretically, that would solve it, no?

***
To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talk in the body.
http://archives.seul.org/or/talk/
Re: Anonymity easily thwarted by flooding network with relays?
On 11/18/2010 11:03 PM, Roger Dingledine wrote:

attack, which doesn't care how many hops your path has (as long as it's at least two). You can read more about it from the various freehaven.net/anonbib/ links in this blog post about a related topic:
https://blog.torproject.org/blog/one-cell-enough

--Roger

Roger,

I'm not sure as a career sys admin that I am qualified to really comment on this. But in order for this attack to work, you have to correlate the input data to the entry node to the output data to the exit node (as you have said). That can be done by measuring timing and size of the data.

Getting around this seems to me to be easy. All that has to happen is the addition of garbage data from the client which is then stripped out on the exit node. That way the data going into the network has a false size, always larger than what is actually being transported, this happens in the first layer of the onion. So the data in, never equals the data out and vice versa.

At that point *timing* is the only correlating factor. And with the latency of the tor network, that would be very hard to track, with the perceived security going up on busier guard and exit nodes. Also, some slight random latency could be introduced (smallish factor, 1 to 10 ms) for all middle nodes, muddying the waters even more.

Like I mentioned before, I'm not really qualified to comment on this. I use tor as an IT tool for security and offsite testing.

--
Michael Cozzi
co...@cozziconsulting.com
Re: Anonymity easily thwarted by flooding network with relays?
On Fri, Nov 19, 2010 at 10:49:32AM -0500, Jonathan D. Proulx wrote:

On Fri, Nov 19, 2010 at 10:33:38AM -0500, Paul Syverson wrote:

:Better go have another espresso ;)

further through the coffee now and wishing if I had to have said thought out loud I'd at least not sent from my MIT address :)

"Dare to be stupid." is a motto I've lived by for decades. (Just ask anyone who knows me.) But I'm not kidding. I try to put in appropriate effort learning background so as not to waste people's time, but I also try to resist the fear of asking or suggesting something off the cuff because it might be stupid. I'm smarter than smart people in this respect because I know to surround myself with smarter people than me to draw from when I make such suggestions, while they obviously are dumber since they are relying on me.

This is hardly the worst already-settled-that question raised on or-talk. And don't worry about the MIT affiliation. I've known too many to be impressed. (Shades of Westley talking to Inigo Montoya.)

OK, clearly distracting myself from pressing matters. Back to it.

-Paul
Re: Anonymity easily thwarted by flooding network with relays?
On Thu, Nov 18, 2010 at 06:19:03PM -0800, Theodore Bagwell wrote:

Some of you may be aware of the paper, Cyber Crime Scene Investigations (C2SI) through Cloud Computing (http://www.cs.uml.edu/~xinwenfu/paper/SPCC10_Fu.pdf) which illustrates a feasible method of invalidating the anonymity afforded by Tor.

I just took a brief look through it. I wish they'd included analysis of guard nodes in their equations -- because relays take several days or more to get the Guard flag, and clients only rotate their guards monthly, the equations in this paper are misleading and their conclusions like 99% if the user connects three times and the network forensics section may last for a few hours [and still be effective] are also misleading.

That isn't to say that the general point is wrong -- I think with the current size of the Tor network, a well-funded adversary could run enough relays that he will have a high probability of deanonymizing users. We sure do need to get a larger network if we want to raise the cost of these attacks. But at some point somebody should run the numbers to find out how much it would cost in practice. (These numbers might also convince us to change the parameters like 3 guards and 30 days.)

We should also take the next step in our bandwidth measurement authorities at some point -- right now the directory authorities put in a better estimate for your bandwidth _once we have a better estimate_, and use the self-advertised bandwidth until that point. I think that's a security flaw. We could cap the believed self-advertised bandwidth at something like 100KB. It would mean that newly volunteering relays would take even longer before they're usefully contributing. The step after that would be to accelerate the initial measurements on new relays, to narrow the window where we don't have an opinion on bandwidth weight.

There's also an open research question on how to combine Mike Perry's measurements (which are more accurate at high bandwidths) with Robin Snyder's measurements (which are more accurate at low bandwidths). I know Mike would love to have some help there.

I nominate this paper as a founding reason why Tor should permit users to increase the number of relay nodes used in each circuit above the current value of 3...

No, that won't work. The key vulnerability is the first-last correlation attack, which doesn't care how many hops your path has (as long as it's at least two). You can read more about it from the various freehaven.net/anonbib/ links in this blog post about a related topic:
https://blog.torproject.org/blog/one-cell-enough

--Roger
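
Two points from the message above (exposure to first-last correlation does not depend on path length, and a fixed guard set changes the numbers) worked through in a toy probability model. This is an added example, not part of the original thread and not Tor's path-selection code; the 10% adversary share, the function names, and the assumption that entries and exits are picked independently in proportion to that share are all constructed for illustration.

```python
from math import comb

def circuit_compromise(f_entry, f_exit, hops=3):
    """P(adversary holds both the first and last hop of one circuit).

    Middle hops never enter the product, so the result is the same for
    any path length of at least two.
    """
    if hops < 2:
        raise ValueError("first-last correlation needs at least two hops")
    return f_entry * f_exit

def exposure_without_guards(f_entry, f_exit, circuits):
    """P(at least one compromised circuit) when every circuit picks a fresh entry."""
    return 1 - (1 - circuit_compromise(f_entry, f_exit)) ** circuits

def exposure_with_guards(f_entry, f_exit, circuits, guards=3):
    """Same probability when the entry always comes from a fixed guard set.

    k of the guards are hostile with binomial probability (assumed
    independent picks); each circuit then uses a hostile entry with
    probability k / guards.
    """
    total = 0.0
    for k in range(guards + 1):
        p_k = comb(guards, k) * f_entry**k * (1 - f_entry) ** (guards - k)
        per_circuit = (k / guards) * f_exit
        total += p_k * (1 - (1 - per_circuit) ** circuits)
    return total

if __name__ == "__main__":
    f = 0.10  # constructed value: adversary share of entry and of exit selection
    for n in (1, 10, 100, 1000):
        print(n, round(exposure_without_guards(f, f, n), 4),
              round(exposure_with_guards(f, f, n), 4))
```

Within one guard period the guarded figure can never exceed the chance that at least one of the three guards is hostile, however many circuits the client builds, while the unguarded figure climbs toward certainty.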
Re: Anonymity easily thwarted by flooding network with relays?
-Original Message-
From: Theodore Bagwell torus...@imap.cc
To: or-t...@seul.org
Sent: Fri, Nov 19, 2010 9:19 am
Subject: Anonymity easily thwarted by flooding network with relays?

Some of you may be aware of the paper, Cyber Crime Scene Investigations (C2SI) through Cloud Computing (http://www.cs.uml.edu/~xinwenfu/paper/SPCC10_Fu.pdf) which illustrates a feasible method of invalidating the anonymity afforded by Tor.

For those who are not, the approach is this: Someone with a lot of money, such as a government, uses cloud computing to release a veritable army of Tor relays into the Tor network. The number of legitimate Tor relay nodes in the network is dwarfed by those under the government's control. The chances of your Tor client choosing a government-controlled (evil) Tor node when building a circuit increase to 99/100. Since one entity (the government) controls the evil relay nodes, and 2 or 3 of the three relay nodes in your circuit are evil; chances are you have no anonymity left to speak of.

Does anyone have any comments on this paper? Any reassurance? Frankly, this is scary.

I nominate this paper as a founding reason why Tor should permit users to increase the number of relay nodes used in each circuit above the current value of 3...

Thoughts?

--
Theodore Bagwell
torus...@imap.cc
--
http://www.fastmail.fm - The professional email service

Hello. I cannot speak to the technical side of your comments and the paper you use but I agree with you on being able to increase the number of hops. It seems we should never underestimate their knowledge, intelligence, lack of compassion and the backing of the entire welfare system that they have used to build such weapons to be used against the citizens. I've read some of their oaths and nowhere do they mention protecting their bosses.