On Mon, Sep 29, 2008 at 1:02 PM, Sven Anderson <[EMAIL PROTECTED]> wrote:
> Dear Raccoon,
>
> On 28.09.2008 at 14:27, The23rd Raccoon wrote:
>>
>> [2]. http://www.stinkymeat.net/
>
> thanks for that reference. Great!
>
> As for your article: as far as I can tell the calculations seem to be valid,
> but I wonder, why others didn't address this in their timing attack work
> before.

I think mainly because there is a heavy incentive to publish, which tends to cause academics to try to show their results in the best light. This doesn't lend itself well to showing a detrimental property of detection, especially when nobody else does.

That said, it is important to publish potential attacks, even if they are not terribly effective in their research implementation forms, because it is likely that auxiliary factors, better correlation mechanisms, and combination with other attacks may make them more effective in the future, or in more limited cases. After all, IDSs suffer from this same problem, and those devices seem to still be used.

All is not lost as well: as long as detailed measurements of false positive and false negative rates are published that are derived from large enough sample sizes on a realistic model of the network, it is possible to derive the actual Bayesian detection rate with an estimation of the base event rate, as I have done here.

For future work, it would be interesting to run calculations on how many visits you can expect to survive with a correlation detector of some specified accuracy, and what your anonymity set is effectively reduced to after each successive visit.

> One question: You assume 250,000 users and 5000 concurrent connections, so
> one connection per 50 users? Is this realistic? I know, that most of the
> time a user is idle, but still this seems too low to me, since once the user
> becomes active he will open several concurrent connections (like for opening
> a website). And why do you assume the number of users at all, I don't see a
> reference to it in your calculations.

I mentioned it just for reference, so that this sort of observation can be made. I believe the current estimate for the number of Tor users is on the order of 250k, but it's possible this has changed. To my knowledge, a detailed study on the number of Tor users has not been published, though.

To arrive at the 5000 streams number, I basically took the total exit bandwidth on the network (about 121MB/sec) and divided it by what I typically observed for transfer capacities (25KB/sec). Of course this has several simplifying assumptions built in, but as a back of the envelope number, it's probably not too far off just to drive home the point, especially since it is likely an underestimation as you pointed out.
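
Added example, not part of the original message or of the article it discusses: the back-of-the-envelope stream count above, fed into Bayes' rule to show how a base rate of roughly 1 in 5000 concurrent streams drags down the confidence of a correlation match. The detector accuracy figures (99% true positive, 1% false positive) and all function names are assumptions constructed for illustration.

```python
# Added illustration: base-rate effect on a traffic-correlation detector.
# Bandwidth figures come from the message; detector rates are constructed.

def concurrent_streams(exit_kb_per_s, per_stream_kb_per_s):
    """Rough number of simultaneous streams the exit capacity can carry."""
    return exit_kb_per_s / per_stream_kb_per_s

def bayesian_detection_rate(tpr, fpr, base_rate):
    """P(streams really belong together | detector reports a match)."""
    hit = tpr * base_rate
    false_alarm = fpr * (1.0 - base_rate)
    return hit / (hit + false_alarm)

def max_fpr_for_confidence(tpr, base_rate, target):
    """Largest false positive rate that still yields P(real | match) >= target.

    Obtained by solving Bayes' rule for fpr.
    """
    return tpr * base_rate * (1.0 - target) / (target * (1.0 - base_rate))

def expected_false_matches(fpr, n_streams):
    """Unrelated streams expected to be flagged alongside the real one."""
    return fpr * (n_streams - 1)

if __name__ == "__main__":
    # 121 MB/sec total exit bandwidth, 25 KB/sec per stream (from the message).
    n = concurrent_streams(121 * 1024, 25)
    print(f"estimated concurrent streams: {n:.0f} (rounded to 5000 in the text)")

    base_rate = 1 / 5000          # one correct pairing among ~5000 streams
    tpr, fpr = 0.99, 0.01         # constructed detector accuracy
    p = bayesian_detection_rate(tpr, fpr, base_rate)
    print(f"P(real | match) at tpr={tpr}, fpr={fpr}: {p:.4f}")
    print(f"expected false matches per target: "
          f"{expected_false_matches(fpr, 5000):.1f}")

    # How small the false positive rate must be for a match to mean something.
    for target in (0.5, 0.9, 0.99):
        need = max_fpr_for_confidence(tpr, base_rate, target)
        print(f"fpr needed for {target:.0%} confidence: {need:.2e}")
```

With these constructed rates a reported match is correct only about 2% of the time, which is why published false positive and false negative rates need a base-rate estimate beside them before they say anything about real-world detection.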

