Boffins follow TOR breadcrumbs to identify users
Posted on 09/02/2013 2:05:27 PM PDT by ShadowAce
It's easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL).
Their paper, "Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries", is to be presented at November's Conference on Computer and Communications Security (CCS) in Berlin. While it's been published at the personal page of lead author Aaron Johnson of the NRL, it remained under the radar until someone posted a copy to Cryptome.
The paper states simply that Tor users are far more susceptible to compromise than indicated by prior work. That prior work provided the framework for what Johnson's group has accomplished: using traffic correlation in the live TOR network to compromise users' anonymity.
"To quantify the anonymity offered by Tor, we examine path compromise rates and how quickly extended use of the anonymity network results in compromised paths," they write. In some cases, they found that for the patient attacker, some users can be identified with 95 percent certainty.
The compromise isn't something available to the trivial attacker. The models that Johnson developed assume that an adversary has access either to Internet exchange ports, or controls a number of Autonomous Systems (for example an ISP). However, it's probably reasonable to assume that the instruments of the state could deploy sufficient resources to replicate Johnson's work.
At the core of Johnson's work is a Tor path simulator that he's published at GitHub. The TorPS simulator helps provide accurate AS path inference from TOR traffic.
"An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability. We observe that use of BitTorrent is particularly unsafe, and we show that long-lived ports bear a large security cost for their performance needs. We also observe that the Congestion-Aware Tor proposal exacerbates these vulnerabilities," the paper states.
If the adversary controls an AS or has access to Internet exchange point (IXP) traffic, things are even worse. While the results of their tests depended on factors such as AS or IXP location, some users experience over 95 percent chance of compromise within three months against a single AS or IXP.
The researchers also note that different user behaviours change the risk of compromise. Sorry, BitTorrent fans, your traffic is extremely vulnerable over time. ®
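To make the "extended use" argument in the article concrete, here is a toy model of how the chance of at least one fully observed circuit grows with time. It is an added example, not TorPS and not the paper's model or results; the function names and every parameter value (adversary guard and exit fractions, three guards, 30-day rotation, 20 circuits a day) are assumptions chosen for illustration.

```python
from math import comb


def survival_one_period(days, guard_frac, exit_frac, num_guards, circuits_per_day):
    """P(no circuit uses an adversary guard AND an adversary exit) for one guard set."""
    circuits = days * circuits_per_day
    total = 0.0
    for bad in range(num_guards + 1):
        # Chance that exactly `bad` of the client's guards belong to the adversary.
        p_bad = (comb(num_guards, bad) * guard_frac ** bad
                 * (1 - guard_frac) ** (num_guards - bad))
        # Per circuit: one guard chosen uniformly from the set, exit chosen by weight.
        p_circuit = (bad / num_guards) * exit_frac
        total += p_bad * (1 - p_circuit) ** circuits
    return total


def compromise_probability(days, guard_frac, exit_frac, num_guards=3,
                           rotation_days=30, circuits_per_day=20):
    """P(at least one end-to-end observed circuit within `days` of regular use)."""
    survive = 1.0
    remaining = days
    while remaining > 0:
        # Each rotation draws a fresh, independent guard set (assumption).
        span = min(rotation_days, remaining)
        survive *= survival_one_period(span, guard_frac, exit_frac,
                                       num_guards, circuits_per_day)
        remaining -= span
    return 1 - survive


if __name__ == "__main__":
    # Constructed adversary: 5% of guard weight and 5% of exit weight.
    for days in (30, 90, 180):
        p = compromise_probability(days, guard_frac=0.05, exit_frac=0.05)
        print(f"{days:3d} days: {p:.2f}")
    # Same adversary, but guards kept for 90 days instead of 30.
    print(f"180 days, 90-day rotation: "
          f"{compromise_probability(180, 0.05, 0.05, rotation_days=90):.2f}")
```

With many circuits per day the exit term saturates, so the result is driven almost entirely by how often a new guard set is drawn; in this model, longer guard lifetimes lower the long-run exposure.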
So no more anonymity? What do we have to do to get some real privacy? Launch and use some microsats as relays?
For best security you should run a TOR node.
You have to put up with annoying emails from various copyright holders as they all seem to think the TOR traffic is yours. Once informed that the IP is a TOR node they cease their pestering ways.
Yup, there’s no such thing as privacy on the internet. And that’s just regular attackers, when the government (you know the guys that constructed ARPA that is the backbone of the internet) gets involved it’s even easier.
Don’t use the internet.
Given the volume of prying being done by such fascist maggots as referenced above, at the behest of their Stasi overlords, the day will come when the 'little guy' may just decide it's not worth it.
The paranoid Soviet government required the registration of typewriters.
The new paranoid state overlords are doing the same with the Internet.
You will have to wardrive.
Nut-job Conspiracy Theory Ping!
To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...
Carrier pigeons, anyone?
You have to add me to your ping list or I’ll report you to the mods.
Would anyone like a solution to this problem?
How to monetize an anonymous communications system?
The bottom line is that nothing electronic can be trusted. About the only communication that can be relied on for privacy are hand written notes, hand delivered.
The sad thing is how many government and private organizations are obsessed with such minutiae. Truly, it accomplishes nothing, and comes across as a mental illness.
For all of us dinosaurs (like me!) on FR who are clueless as to what TOR is:
“Tor (originally short for The Onion Router) is free software for enabling online anonymity.
Tor directs Internet traffic through a free, worldwide volunteer network consisting of more than three thousand relays to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.
Using Tor makes it more difficult to trace Internet activity, including “visits to Web sites, online posts, instant messages and other communication forms”, back to the user and is intended to protect users’ personal privacy, freedom, and ability to conduct confidential business by keeping their internet activities from being monitored.”
Encryption, however, is not the same as anonymity. I guarantee using that level of encryption you can send the data over the net with little chance of anyone deciphering it. No, what I am concerned with is the ability for unwanted others to track us over the internet.
Perfect! Welcome aboard!
Back to carrier pigeons? Since the Libs hate guns and won’t have them around (so they say), we don’t have to worry about them shooting the pigeons down. /S
Daggone ... should have read all the comments before I posted. :-)
So do you use a TOR with a VPN? Or is a VPN all you need to provide anonymity? If so do you have any recommendations on VPNs?
Wonder if the tormail user who was sending pedoporn to conservative pundits can be traced, and who it traces to?
Or, perhaps, they don't - and you end up arrested. There is no way to separate your activities from activities of Tor users that you facilitate. So if someone connects to port 22 of some server at the Pentagon, the FBI has the legal right to come after you.
Running a Tor exit node is just as smart as standing in the street and doing everything that some stranger tells you to do over a cell phone. Like "Find the nearest cracker and hit him in the mouth."
An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability.
ENCRYPTION! ENCRYPTION! ENCRYPTION! THE NSA CANNOT HACK ENCRYPTED TRAFFIC (Yet)!
Go to StartSSL.com and get yourself a free Class 1 cert to start. Learn about encryption, and encrypt what you can: email, instant messaging. Get an SSL-sniffing add-on for your browser like HTTPS Finder for Firefox that ports you to an HTTPS address if it's available.
Until quantum computers are a reality, the NSA is not going to waste data processing cycles on your traffic unless you're a known, imminent threat. Even then, they won't decrypt everything in any meaningful amount of time.
Encrypt your traffic, buy your own domain and learn how to set up an email server on Ubuntu for yourself utilizing the keys available out there. Privacy is available if you make yourself knowledgeable.
And worst-case scenario, learn HAM radio!
Code breaking is now so far in advance of encryption that it is hardly worth the effort to try anymore. The use of factoring no longer presents a serious obstacle, and with quantum computing it will just be brushed aside.
The best advice to keep privacy is not to use electronics.
LOL. I read part of that and understood not one word of it. The world is leaving me behind....WAHHHHHH.
The face belonging to hand delivery can be easily recognized due to billions of photos available online and the software capable of facial recognition.
Even worse, when hand delivery carries an Android device, their whereabouts are traceable. If they leave the device at home and it is a deviation from routine, it is easily flagged.
Software using a social diagram can predict the whereabouts of each social diagram member at any time.
One can be smart, but it's the sum of stupid contacts that counts.
Facial photo recognition has never been successful in application. They want it to be, they crave it to be, but it just never pans out.
And it’s not just an Android device, but all cellphones now have GPS location detection, but that is moot, because if you carry a cellphone, why are you hand delivering a written message to avoid electronic interception? The government even wants to integrate GPS into all automobiles, but has not yet pulled that one off.
And then, on your person there are probably several RFID tags, and when you pass near an RFID reader, you give off a unique signature for that vicinity with even a single tag. Who else in the area is wearing your brand of shoes, and your brand of pants, etc.?
But your last reference was to data mining. A brilliant idea used by both law enforcement and intelligence, it is still dependent on a lack of GIGO, garbage in, garbage out. Even if it established some contacts, it still has no clue as to message content.