back to article Boffins follow TOR breadcrumbs to identify users

It's easier to identify TOR users than they believe, according to research published by a group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL). Their paper, Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries, is to be presented in November at November's Conference on …

COMMENTS

This topic is closed for new posts.
  1. Don Jefe
    Black Helicopters

    Kind of makes you wonder if this is really an initial discovery, or if it has been known about for a while and simply not published. I'm generally not the tinfoil hat sort, but with the Snowden leaks I find myself kind of distrusting all the security options out there.

    No matter I guess. The government already knows what I do. They're responsible for almost a third of my business. I keep all my plans for global domination in a series of spiral bound single rule notebooks hidden in an extinct volcano I lease in Indonesia. As long as they don't know about my plans or volcano everything will be just fine.

    1. James O'Shea Silver badge

      are your notebooks guarded by a white cat, Persian or otherwise? If not, perhaps this white cat might be of assistance http://www.123rf.com/photo_18425302_white-tiger.html?

    2. LarsG
      Meh

      Anonymity

      Did anyone really think that anonymity Tor could be guaranteed?

      With the resources Governments have it is a given that they can see what you are upto on any day of the week.

      As Tor is based and originated in America don't you think they would have allowed it if they couldn't crack it?

      They just want you to have a false sense of security because it makes it easier for them to get you.

      1. Anonymous Coward
        Anonymous Coward

        Re: Anonymity

        >Did anyone really think that anonymity Tor could be guaranteed?

        For most cases as good as guarenteed yes, for messing about with governments no. If you've been bad enough governments will throw as many resources as necessary to get you.The same can't be said for companies who have their websites defaced, and that's just an example I don't suggest tor should be used for that or any other illegal activity.

        1. Paul Crawford Silver badge

          Re: Anonymity

          >Did anyone really think that anonymity Tor could be guaranteed?

          I suspect even for gov-level snooping (maybe less so for pan-gov like USA/UK/CAN/NZ sort of thing) and for its intended job of the occasional spy/oppressed activist message it is good enough. But not for users who route a lot of traffic through it, which is the key to this discovery.

          And WTF routing bittorrent through it? Not only is that going to give your game away much more, it is a serious abuse of the network and going to be real slow. Really, such folk should be using a VPN for that sort of thing.

      2. Ted Treen
        Big Brother

        Re: Anonymity

        I'm somewhat less concerned regarding anonymity than I am regarding TPTB seeing where I've been.

        I don't use TOR to access porn or torrents:- if anything I use it with the primary aim of confounding those who insist on following my web movements when as far as I'm concerned they have absolutely no f***ing right to or need to.

        Anything to throw a spaniard in the worms or even just piss 'em off is, in my book, an exercise worth following...

        1. Pascal Monett Silver badge
          Coat

          Re: "Anything to throw a spaniard in the worms"

          Goodness me, what have Spanish people done to you to warrant such ire ?

          1. John Bailey
            Boffin

            Re: "Anything to throw a spaniard in the worms"

            Google Spoonerism.

            1. vanrouge
              FAIL

              Re: "Anything to throw a spaniard in the worms"

              google malapropism

              1. Graham Dawson

                Re: "Anything to throw a spaniard in the worms"

                Google "writing comments on a touchscreen"

                (writing came off as spring and wording first couple of tries. ..)

              2. John Bailey

                Re: "Anything to throw a spaniard in the worms"

                I just did.

                "A malapropism (also called a Dogberryism) is the use of an incorrect word in place of a word with a similar sound, resulting in a nonsensical, often humorous utterance. An example is Yogi Berra's statement: "Texas has a lot of electrical votes,"[1] rather than "electoral votes"."

                "A spoonerism is an error in speech or deliberate play on words in which corresponding consonants, vowels, or morphemes are switched (see metathesis) between two words in a phrase,[1] for example saying "The Lord is a shoving leopard." instead of "The Lord is a loving shepherd." While spoonerisms are commonly heard as slips of the tongue resulting from unintentionally getting one's words in a tangle, they can also be used intentionally as a play on words."

                Both are essentially the same thing.

                Now report the icon administrator's office for a lesson on incorrect use of the fail icon.

            2. Anonymous Coward
              Anonymous Coward

              Re: "Anything to throw a spaniard in the worms"

              I think you mean Spoogle Goonerism

          2. Anonymous Coward
            Anonymous Coward

            Re: "Anything to throw a spaniard in the worms"

            "I'm sorry, I've met too many Spaniels."

      3. Ian McNee
        Go

        Re: Anonymity

        What this research demonstrates (and it's fairly readable and not too long - go for it) is that an avdersary with ISP-level network resources can deanonymise users in a statistically predictable time period - some shorter and some longer but a lot shorter and more predictable than previous analyses have shown.

        But, and it's quite a big but, it seems obvious from the paper that they are analyzing the bulk or Tor use (i.e. for which Tor is probably the only anonymity tool in use) rather than Tor plus anonymous proxies, encryption and the like. That work is yet to be done but it is likely that someone more technically competent than your average BitTorrent freetard attempting to avoid the RIAssA would take a lot longer to identify even with state-level resources.

        That said Tor is clearly of interest right now to some big player or other as recently reported by Ars Technica. This will be interesting to follow in the coming months in light of the ongoing Snowden NSA/GCHQ revelations.

      4. h4rm0ny

        Re: Anonymity

        "Did anyone really think that anonymity Tor could be guaranteed?"

        I think one of the main things it does is that even if it can ultimately be compromised, it shifts the scenario from a few quick commands on a keyboard to considerable effort and resource. The more people who use TOR or GPG, etc., the less that casual and speculative searching can take place.

        It changes the scenario from 'scan all the people who visited X' or 'search all emails for references to Y', to 'we suspect this specific person - start the machinery up and get back to me'.

        That's a big win for privacy.

        My own view of TOR, though, is that however much I approve of securing privacy and building measure to resist abuse of power by the state, the moment I contribute by setting up a TOR node, I've no idea whether what I'm actually helping is the distribution of child porn and people pirating movies. So I don't.

        1. M Gale

          Re: Anonymity

          I've no idea whether what I'm actually helping is the distribution of child porn and people pirating movies. So I don't.

          Don't ever run an ISP. You'll never be able to sleep at night.

  2. Anonymous Coward
    Anonymous Coward

    Force all users to act as relays?

    I mean there are only 4000 or so active tor relays at the moment, it stands to reason that many of these would be operated by parties that have interests other than keeping data anonymous.

    Can't they just force all tor users to act as relays? Sure it wouldn't make the system immune to the same problem, but it'd greatly increase either the cost to those doing the spying, or the time it takes them to discover anything.

    1. Daniel B.
      Boffin

      Re: Force all users to act as relays?

      The problem with that is you're assuming everyone running/using TOR is doing so under the same conditions you get in the "free" world. Actually, a lot of users will end up being

      - Behind CG-NAT, which some cheapskate ISPs have implemented in some countries (all CableCos in Mexico!) which makes the relay unreachable

      - Behind an oppressive regime that has probably made TOR illegal. Running in relay mode might land said user in jail. Or behind a firing squad.

      1. Crisp Silver badge
        Coat

        Re: Or behind a firing squad.

        Or worse, in front of a firing squad!

      2. Anonymous Coward
        Anonymous Coward

        Re: Force all users to act as relays?

        Make it on by default and have an opt-out setting n the options.

        I assume anyone intelligent enough to be using tor in the first place would be intelligent enough to untick the "send me to jail" option. It's gotta increase the number of relays somewhat even if some do opt-out.

      3. ChrisG13
        Happy

        Re: Force all users to act as relays?

        "Or behind a firing squad."

        It's quite safe behind a firing squad. It's in front of it where the danger lies.

        1. Muscleguy Silver badge
          FAIL

          Re: Force all users to act as relays?

          Squad! About, Turn!

        2. Muscleguy Silver badge
          Pirate

          Re: Force all users to act as relays?

          Note I have my Boys Brigade Drill badge which requires you to command a squad so I have issued that command in my time. A long time ago, but still. For the record you About Turn to the Right.

      4. Anonymous Coward
        Anonymous Coward

        CG-NAT, which some cheapskate ISPs have implemented

        Like BT Retail

        http://www.ispreview.co.uk/index.php/2013/05/uk-isp-bt-quietly-forces-cgnat-ipv4-internet-address-sharing-pilot.html

        Previously I'd been assigned static, now dynamic, (shared).

  3. Andy Tunnah

    so a guy who uses a lot of traffic in a pattern thats not too hard to figure out can be found out on a secret network....well done

    Now find the people who go into it to browse, changing IDs often and only there just to read a few bytes, then my pickle can be classed as tickled, AND NOT A AY BEFORE! :)

  4. dssf

    Was just a matter of time

    I wonder how many millions or how many hundreds of thousands are burned now.

    Probably what happened to help the statistical analyses thingies was coercing known and likely/suspected TOR users under some ruse or legit warrant to hand over their password. Then, after seizing their equipment, they probably impersonated said person for weeks on the user's own network and an agency shadow network while they had the subject in quarantine. Then, they compare paths, hops, latencies, fingerprints of the files, the embedded attachments and other content, then map the possible paths against replies and reply fingerprints.

    Somewhere in all this probably are tens of thousands of AT&T, Cox, Comcast, Sprint, etc., others' hardware that secretly are NOT stripping off the headers in the routers (in 95, network classes taught that routers stripped out what wasn't for them, and did handshaking and such to enhance the quality of service and so on, but, hey, what if a backdoor since then came into existence to dump checksums of traffic, even embedded, hidden messages?), and forwarding checksums.

    OK, I'm pulling all this out of my ass as fast as I can type, and I am not a SysAdmin of any merit. I just wing/ponder stuff as if fitting into a hopper for possible use in a movie script. Of course, before making such a suggestion in dialogue, real analysts might have to ponder it -- then worry about the risks of doing so under pre-delivered NSLs, hmmmmm...

  5. A Non e-mouse Silver badge

    Never anonymous

    Yet another study to show that anonymising data is very difficult...

    http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/

  6. asdf Silver badge

    >Sorry, BitTorrent fans, your traffic is extremely vulnerable over time

    Good because if you are running bittorrent over Tor you are officially an ass nine muppet. Tor has many good uses but lame piracy using volunteer resources means your the kind of guy that shits all over a public restroom for teh lulz.

  7. Anonymous Coward
    Anonymous Coward

    BYOS

    The only way to be even partially secure is to write your own encryption and run it your own Operrating System on a computer you built yourself where all the firmware on all the chips including the network was written by yourself to avoid backdoors.

    Hell, you'd even have to write your own compiler from assembler upwards.

    1. Miek
      Coat

      Re: BYOS

      "Hell, you'd even have to write your own compiler from assembler upwards." -- Sounds like something from the matrix ... "The reader software works for the matrix so we have to view the raw code. I don't see the code any more, I just see Blonde, Redhead, Brunette ..."

    2. breakfast
      Trollface

      Re: BYOS

      And lets face it- anyone who would dedicate the time and effort to do that would have no time for subverting the state and, dare I say it, possibly even be a tiny bit boring so the only secure system in the world would be in the possession of someone nobody would ever want to listen in on.

      1. M Gale

        Re: BYOS

        so the only secure system in the world would be in the possession of someone nobody would ever want to listen in on.

        Sounds like the perfect plan!

      2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: BYOS

      But the guys at the Help Desk told me my laptop is perfectly secure. All I have to do is shake it and the memory is cleared.

  8. Phil O'Sophical Silver badge

    News?

    So people who regularly use the same networks wiith the same patterns aren't as anonymous as they think? Well, what a surprise. Isn't this why the professionals in the physical spying trade randomise their routes when they travel, use dummies and cut-outs, never stick to a schedule or the same roads, etc?

    Let's face it, most of the people who want to be anonymous on the internet are amateurs who just don't want to be caught downloading pirate moves or extreme porn. They don't understand how the network actually works, and have no clue what being anonymous really means, so they just rely on third parties with a "tick this box and you're hidden" approach. Is anyone surprised that it doesn't work very well?

    1. Pascal Monett Silver badge
      Coat

      If you have to go to the same place with any regularity, it will be most difficult to "randomize their routes".

      Fiction is all it is meant to be, but in the real world I think that spies rely more on acting like normal people with daily routines. Someone who actually does randomize his travel routes every time is going to be easy to suspect of being a spy.

      And having a (plastic) dummy drive the car is rather dangerous, not to mention terribly conspicuous.

    2. Anonymous Coward
      Anonymous Coward

      Re: News?

      "Let's face it, most of the people who want to be anonymous on the internet are amateurs who just don't want to be caught downloading pirate moves or extreme porn."

      Well, for some people Tor just makes it's easier to buy weed. I mean, so I've heard. Allegedly.

      What were we talking about again?

  9. bazza Silver badge

    The Irony

    TOR started off as a NRL project which they later open sourced. It's ironic that another NRL study has found it to be not wholly effective...

    1. Anonymous Coward
      Anonymous Coward

      Re: The Irony

      Not really; testing things is one of the many ways people improve things.

      I'm not entirely sure I want people with a 'ahh, it's probably fine' attitude working on something that deals with anonymity.

      1. Don Jefe
        Happy

        Re: The Irony

        Ideally people with the 'its probably fine' attitude wouldn't be allowed to work on anything. There's always room for improvement and even something as simple as the guy making hamburgers can ruin your day with a dropped patty and that attitude.

        1. Anonymous Coward
          Anonymous Coward

          Re: The Irony

          Really? Ability on the job is separable from caring.

          I know plenty of people who are good at what they do, but ultimately don't really care. I also know people who care tremendously but are ultimately, quite useless.

    2. Suricou Raven

      Re: The Irony

      I'm sure whoever authorised that project got a solid telling-off from the NSA later for making their job harder.

  10. Anonymous Coward
    Anonymous Coward

    If you're really paranoid

    Use Torbrowser together with a real VPN and proxy. Then you can say "try to find me bitch!".

    1. Anonymous Coward
      Anonymous Coward

      Re: If you're really paranoid

      ...and only ever use all of them from your raspberry pi. Lob it out of the window when the time comes.

    2. Anonymous Coward
      Anonymous Coward

      Re: If you're really paranoid

      Mark, is that you?

  11. corestore

    Clarity would be good.

    Do you mean a 100% chance of identifying a user with 95% probability?

    Or a 95% chance of identifying a user with 100% probability?

    The latter stands up in court, for instance - nailed.

    The former is a statistic and doesn't.

  12. ZanzibarRastapopulous

    Compromising tor...

    If you have enough relays tor isn't really secure, you could even map hidden services by recording relay to relay traffic and thereby mapping hot spots which would be most likely services.

    I suspect the entire network is actually law enforcement. The cost of 4000 relays would be peanuts for that kind of intelligence.

  13. CommanderGalaxian
    Facepalm

    >>Kind of makes you wonder if this is really an initial discovery...

    If you read the fine TOR manual, they have always warned that this type of attack is possible, right down to noting the (many) problems with routing bittorrent through TOR nodes.

    I guess this is the first paper to put some actual numbers on things though.

  14. The last doughnut
    Unhappy

    OK I am now officially old

    Someone please explain WTF is TOR?

    1. ZanzibarRastapopulous

      Re: OK I am now officially old

      It's kind of like tcpip for paedos.

      1. RobHib

        @ZanzibarRastapopulous - Re: OK I am now officially old

        Who think they'll never be caught.

        Exactly.

    2. Sureo

      Re: OK I am now officially old

      http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

  15. envmod

    TORettes

    TOR: does exactly the opposite of what it says on the tin.

  16. AntonCrow

    German Govt R&D

    Have been looking into this a few years ago and I remember public papers on the subject. They all state that NSA/GCHQ-class actors could indeed do quite a few passive and active things to correlate traffic back from the exit node towards the concealed endpoint.

    TOR is by no means perfect, but certainly it is a powerful tool to defeat all the commercial data collectors (from Amazon to Google) and it will make it quite difficult even for governments. The more people use it, the less chance they stand to perform traffic correlation.

    Plus, you can use elite hacker tools like wget (recursively) to create "chaff" traffic over your DSL line, which will make it much more difficult to correlate traffic. Or just make it a habit to stream a radio station in the background.

  17. AntonCrow

    Plus

    We C developers can patch the TOR sw to make it use up to 7 hops instead of three. Not actually difficult - just change a macro and recompile. Of course it will be very slow then.

  18. AntonCrow

    More Countermeasures

    First, TOR policies (Guard, Exit,...) could be randomly mutated by a script upon each TOR startup.

    Secondly, as already mentioned, bury your confidential traffic under a mountain of irrelevant chaff like music, video or download traffic.

    Thirdly, FOSS developers should create a kind of Super-TOR, which continously transmits crypto traffic between nodes. At a constant rate. Don't increase or slow traffic rate based on the real payload traffic. At least not as a short-term reaction. Sounds like waste ? Well, good security does not come for free.

    The last approach was how governments stopped traffic-analysis attacks against their diplomatic traffic. They simply transmitted around the clock at constant rates.

    1. Anonymous Coward
      Anonymous Coward

      Re: More Countermeasures

      "They simply transmitted around the clock at constant rates."

      Presumably the data is generated by a PRBS which then explains why their policies are indistinguishable from those created by a finite number of monkeys typing on a finite number of keyboards.

  19. rcorrect
    Boffin

    knowledge is power

    Like anything else, a tool is only useful if it is used properly.

    If I really had to transmit classified data then I would jump on a wifi hotspot for a couple, do something for 5 minutes, then disconnect. When reconnecting I would be sure to obtain a new IP from TOR. Along the way I would use a browser extension to fake all information about my computer including browser and operating system.

    Warning: Someone who actually knows what they are talking about will probably rip what I just said apart.

    1. AntonCrow
      Go

      Re: knowledge is power

      No, your post makes sense to me. I add that you can use a Cantenna to extend you range to the WLAN access point to about 1000 meters.

  20. Snar

    Fuck off!

    I'm of a mind to post a turd; a nice steamer to Obama. The cunt seems to want to know all about me, so why not bathe in my shite. Fucker!

  21. Anonymous Coward
    Anonymous Coward

    I wonder how many TOR users

    Are going to have an Xbox One with Kinect in their living room spying on them?

  22. HippyFreetard
    Trollface

    Whaaat???

    Even if I'm behind seven proxies?

    1. Anonymous Brave Guy
      Trollface

      Re: Whaaat???

      I'm behind 35 proxies, latency is a real bitch though. :(

  23. Anonymous Coward
    Anonymous Coward

    I hate to be the one who everyone thinks is encouraging Tor usage among the BitTorrent crowd - I don't.

    However, what they say about tracing a BitTorrent user wouldn't happen anytime soon, not unless copyright suddenly became a national security offence equal to, or greater than Terrorism.

  24. Lerianis

    So, is this only a problem if you use Bittorrent over TOR

    Or is this a problem when someone is using Bittorrent or another p2p program over TOR? Or is this a problem when someone is downloading a file over TOR that might take a long time to download because of the speed limitations of TOR via FTP?

    If the latter, yes, there is a hell of a reason to be exceptionally concerned here. Not just for people doing illegal things via TOR but for regular TOR users like myself as well.

  25. pewpie

    Funny how all these stories set to hit Tor users confidence surface as it's popularity blooms..

  26. Anonymous Coward
    Anonymous Coward

    no, its safe!

    no, this is a lie!

    you can identify the user according to his behaviour everywhere so you need to behave differently in the TOR network and use a different, clean browser (delete cookies etc)

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019