Free Republic

Boffins follow TOR breadcrumbs to identify users
The Register ^ | 1 September 2013 | Richard Chirgwin

Posted on 09/02/2013 2:05:27 PM PDT by ShadowAce

It's easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL).

Their paper, Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries, is to be presented in November at the Conference on Computer and Communications Security (CCS) in Berlin. While it's been published at the personal page of lead author Aaron Johnson of the NRL, it remained under the radar until someone posted a copy to Cryptome.

The paper states simply that “Tor users are far more susceptible to compromise than indicated by prior work”. That prior work provided the framework for what Johnson's group has accomplished: using traffic correlation in the live TOR network to compromise users' anonymity.

“To quantify the anonymity offered by Tor, we examine path compromise rates and how quickly extended use of the anonymity network results in compromised paths”, they write. In some cases, they found that for the patient attacker, some users can be identified with 95 percent certainty.

The compromise isn't something available to the trivial attacker. The models that Johnson developed assume that an adversary has access either to Internet exchange ports, or controls a number of Autonomous Systems (for example an ISP). However, it's probably reasonable to assume that the instruments of the state could deploy sufficient resources to replicate Johnson's work.

At the core of Johnson's work is a Tor path simulator that he's published at GitHub. The TorPS simulator helps provide accurate AS path inference from TOR traffic.

“An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability. We observe that use of BitTorrent is particularly unsafe, and we show that long-lived ports bear a large security cost for their performance needs. We also observe that the Congestion-Aware Tor proposal exacerbates these vulnerabilities,” the paper states.

If the adversary controls an AS or has access to Internet exchange point (IXP) traffic, things are even worse. While the results of their tests depended on factors such as AS or IXP location, “some users experience over 95 percent chance of compromise within three months against a single AS or IXP.”

The researchers also note that different user behaviours change the risk of compromise. Sorry, BitTorrent fans, your traffic is extremely vulnerable over time. ®


TOPICS: Computers/Internet
KEYWORDS: privacy

1 posted on 09/02/2013 2:05:27 PM PDT by ShadowAce

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

2 posted on 09/02/2013 2:05:42 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

So no more anonymity? What do we have to do to get some real privacy? Launch and use some microsats as relays?


3 posted on 09/02/2013 2:13:47 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: ShadowAce

For best security you should run a TOR node.

You have to put up with annoying emails from various copyright holders as they all seem to think the TOR traffic is yours. Once informed that the IP is a TOR node they cease their pestering ways.


4 posted on 09/02/2013 2:14:36 PM PDT by Bobalu (Bobo the Wonder Marxist leads Operation Rodeo Clown against Syria)

To: ShadowAce
Paging Mr. Johnson...


5 posted on 09/02/2013 2:14:56 PM PDT by Kip Russell (Be wary of strong drink. It can make you shoot at tax collectors -- and miss. ---Robert A. Heinlein)

To: ShadowAce

Yup, there’s no such thing as privacy on the internet. And that’s just regular attackers, when the government (you know the guys that constructed ARPA that is the backbone of the internet) gets involved it’s even easier.


6 posted on 09/02/2013 2:16:07 PM PDT by discostu (This is why we have ants!)

To: Utilizer

Don’t use the internet.


7 posted on 09/02/2013 2:16:28 PM PDT by discostu (This is why we have ants!)

To: ShadowAce
With each passing day, the 'net loses a bit more of its appeal.

Given the volume of prying being done by such fascist maggots as referenced above, at the behest of their Stasi overlords, the day will come when the 'little guy' may just decide it's not worth it.

8 posted on 09/02/2013 2:19:52 PM PDT by tomkat

To: ShadowAce

The paranoid Soviet government required the registration of typewriters.
The new paranoid state overlords are doing the same with the Internet.

You will have to wardrive.


9 posted on 09/02/2013 2:23:12 PM PDT by Bon mots

To: COUNTrecount; Nowhere Man; FightThePower!; C. Edmund Wright; jacob allen; Travis McGee; opentalk; ..

Nut-job Conspiracy Theory Ping!

To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don’t add you to the list...

10 posted on 09/02/2013 2:29:02 PM PDT by null and void (I'm betting on an Obama Trifecta: A Nobel Peace Prize, an Impeachment, AND a War Crimes Trial...)

To: ShadowAce

Carrier pigeons, anyone?


11 posted on 09/02/2013 2:34:59 PM PDT by OldNewYork (Biden '13. Impeach now.)

To: null and void

You have to add me to your ping list or I’ll report you to the mods.


12 posted on 09/02/2013 2:35:34 PM PDT by expat_panama

To: null and void

would anyone like a solution to this problem?

how to monetize an anonymous communications system?


13 posted on 09/02/2013 2:36:44 PM PDT by sten (fighting tyranny never goes out of style)

To: Utilizer

The bottom line is that nothing electronic can be trusted. About the only communication that can be relied on for privacy are hand written notes, hand delivered.

The sad thing is how many government and private organizations are obsessed with such minutiae. Truly, it accomplishes nothing, and comes across as a mental illness.


14 posted on 09/02/2013 2:47:12 PM PDT by yefragetuwrabrumuy (The best War on Terror News is at rantburg.com)

To: ShadowAce

For all of us dinosaurs (like me!) on FR who are clueless as to what TOR is:

http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

“Tor (originally short for The Onion Router) is free software for enabling online anonymity.

Tor directs Internet traffic through a free, worldwide volunteer network consisting of more than three thousand relays to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.

Using Tor makes it more difficult to trace Internet activity, including “visits to Web sites, online posts, instant messages and other communication forms”, back to the user and is intended to protect users’ personal privacy, freedom, and ability to conduct confidential business by keeping their internet activities from being monitored.”


15 posted on 09/02/2013 3:03:32 PM PDT by BwanaNdege ("Life is short. It's even shorter if you suggest going out for pizza on your anniversary" Peter Egan)

To: yefragetuwrabrumuy
I dunno about that. Over the years I have seen several methods of encryption using methods that I guarantee you are not going to break unless you know the exact key and method used. I even know of a method, quite simple actually, to shrink down any dual-layer movie-DVD-sized data to about half its size and sometimes quite a bit more, using an algorithm that you have probably used many times before unknowingly, and that is before using more readily available methods like the zip and 7z formats. Just make absolutely sure you never lose the encryption key or even the person or computer system used will never recover it.

Encryption, however, is not the same as anonymity. I guarantee using that level of encryption you can send the data over the net with little chance of anyone deciphering it. No, what I am concerned with is the ability for unwanted others to track us over the internet.

16 posted on 09/02/2013 3:07:28 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)

To: expat_panama

Perfect! Welcome aboard!


17 posted on 09/02/2013 3:09:13 PM PDT by null and void (I'm betting on an Obama Trifecta: A Nobel Peace Prize, an Impeachment, AND a War Crimes Trial...)

To: ShadowAce

Back to carrier pigeons? Since the Libs hate guns and won’t have them around (so they say), we don’t have to worry about them shooting the pigeons down. /S


18 posted on 09/02/2013 3:21:52 PM PDT by MissMagnolia (You see, truth always resides wherever brave men still have ammunition. I pick truth. (John Ransom))

To: OldNewYork

Daggone ... should have read all the comments before I posted. :-)


19 posted on 09/02/2013 3:24:11 PM PDT by MissMagnolia (You see, truth always resides wherever brave men still have ammunition. I pick truth. (John Ransom))

To: ShadowAce

So do you use a TOR with a VPN? Or is a VPN all you need to provide anonymity? If so do you have any recommendations on VPNs?


20 posted on 09/02/2013 3:44:58 PM PDT by bigheadfred (INFIDEL)

To: ShadowAce

Wonder if the tormail user who was sending pedoporn to conservative pundits can be traced, and who it traces to?


21 posted on 09/02/2013 3:49:18 PM PDT by Darksheare (Try my coffee, first one's free..... Even robots will kill for it!)

To: Bobalu
Once informed that the ip is a TOR node they cease their pestering ways.

Or, perhaps, they don't - and you end up arrested. There is no way to separate your activities from activities of Tor users that you facilitate. So if someone connects to port 22 of some server at the Pentagon, the FBI has the legal right to come after you.

Running a Tor exit node is just as smart as standing in the street and doing everything that some stranger tells you to do over a cell phone. Like "Find a nearest cracker and hit him in the mouth."

22 posted on 09/02/2013 3:59:14 PM PDT by Greysard

To: ShadowAce
Looks like no one read the entire article.

“An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability.”

23 posted on 09/02/2013 4:03:52 PM PDT by SunTzuWu

To: Utilizer
What do we have to do to get some real privacy?

ENCRYPTION! ENCRYPTION! ENCRYPTION! THE NSA CANNOT HACK ENCRYPTED TRAFFIC (Yet)!

Go to StartSSL.com and get yourself a free Class 1 cert to start. Learn about encryption, and encrypt what you can: email, instant messaging. Get an SSL-sniffing add-on for your browser like HTTPS Finder for Firefox that ports you to an HTTPS address if it's available.

Until quantum computers are a reality, the NSA is not going to waste data processing cycles on your traffic unless you're a known, imminent threat. Even then, they won't decrypt everything in any meaningful amount of time.

Encrypt your traffic, buy your own domain and learn how to set up an email server on Ubuntu for yourself utilizing the keys available out there. Privacy is available if you make yourself knowledgeable.

And worst-case scenario, learn HAM radio!

24 posted on 09/02/2013 4:31:14 PM PDT by rarestia (It's time to water the Tree of Liberty.)

To: hiredhand

Ping.


25 posted on 09/02/2013 5:00:43 PM PDT by DuncanWaring (The Lord uses the good ones; the bad ones use the Lord.)

To: Utilizer

Code breaking is now so far in advance of encryption that it is hardly worth the effort to try anymore. The use of factoring no longer presents a serious obstacle, and with quantum computing it will just be brushed aside.

The best advice to keep privacy is not to use electronics.


26 posted on 09/02/2013 7:25:57 PM PDT by yefragetuwrabrumuy (The best War on Terror News is at rantburg.com)

To: ShadowAce

LOL. I read part of that and understood not one word of it. The world is leaving me behind....WAHHHHHH.


27 posted on 09/02/2013 10:30:04 PM PDT by WVNan

To: yefragetuwrabrumuy
>>>>>The bottom line is that nothing electronic can be trusted. About the only communication that can be relied on for privacy are hand written notes, hand delivered.<<<<<

The face belonging to hand delivery can be easily recognized due to billions of photos available online and the software capable of facial recognition.

Even worse, when hand delivery carries an Android device, their whereabouts are traceable. If they leave the device at home and it is a deviation from routine, it is easily flagged.

Software using a social diagram can predict the whereabouts of each social diagram member at any time.

One can be smart, but it's the sum of stupid contacts that counts.

28 posted on 09/03/2013 7:04:21 AM PDT by DTA (Hands off Syria !)

To: DTA

Facial photo recognition has never been successful in application. They want it to be, they crave it to be, but it just never pans out.

And it’s not just an Android device, but all cellphones now have GPS location detection, but that is moot, because if you carry a cellphone, why are you hand delivering a written message to avoid electronic interception? The government even wants to integrate GPS into all automobiles, but has not yet pulled that one off.

And then, on your person there are probably several RFID tags, and when you pass near an RFID reader, you give off a unique signature for that vicinity with even a single tag. Who else in the area is wearing your brand of shoes, and your brand of pants, etc.?

But your last reference was to data mining. A brilliant idea used by both law enforcement and intelligence, it is still dependent on a lack of GIGO, garbage in, garbage out. Even if it established some contacts, it still has no clue as to message content.


29 posted on 09/03/2013 7:45:34 AM PDT by yefragetuwrabrumuy (The best War on Terror News is at rantburg.com)