Of course, they can work on preventing nodes from forwarding hidden header information, but an entity with global network insight will always be able to correlate users by the timing of their transmissions alone.
The introduction of malicious nodes is a workable option for lesser players. But hidden in the realtime nature of the Tor network is always the possibility of deanonymizing users if you're a powerful agency that can afford to inspect a sufficiently large part of all network traffic - they don't even have to run any nodes themselves.
Onion routing with something like Mixminion[1] works much like Tor, but instead of establishing connections it passes messages between routers. Messages are arbitrarily delayed, preventing even traffic analysis from finding you.
However, using an anonymous remailer like Mixminion would require completely rethinking browsers and our protocols for web browsing. They simply aren't designed for a world where packets might take minutes to get to you.
For what it's worth, this type of adversary is explicitly excluded in Tor's threat model[0].
[0] https://svn.torproject.org/svn/projects/design-paper/tor-des...
I think it is, though it may never be practical. In theory, you could have every node everywhere constantly streaming encrypted noise to every other node, and when you actually want to communicate something, you just switch out the noise for something you actually care about. You'd never know who is actually talking and who is just sending noise.
As you can imagine, that would take a lot of bandwidth and probably a lot of computing power, but it would have very high latency.
EDIT: To clarify, I mean nodes on the network, not relay nodes. Potentially you could use a relay system, but that wouldn't be necessary if everything on the network was constantly in connection with everything else on the network.
I guess his job does not involve participating in projects that have git repositories or public mailing lists.
What was the benefit to having no electronic record? Was he a lawyer for the mob?
Don't ever do this, at least not for a bug that matters. It would be better not to disclose at all than to do this.
Responsible disclosure is best: get it patched, then release the details of the vulnerability.
Of course, if you do that, you probably need to remain constantly connected and moving data through Tor 24/7 to prevent any kind of analysis since you can't hide the fact you:
A) Control the relay you connect to.
B) Are connected to Tor.
You almost have it. The problem is that just moving data through isn't enough. Given enough sample data, you can eventually figure out enough information about the traffic to correlate with another host moving the same traffic.
The most effective way to mask the effects of passive statistical analysis is to employ either a masking effect or a countermeasure. Either make all the traffic look identical (and have its rate be identical and constant), or make all the traffic look random, insofar as garbage is injected or frames are truncated at every hop.
Also, you don't have to control both ends. You just have to observe a given percentage of the traffic along its path(s), and you can determine a probability of which hosts lead to/from what traffic. If you're just trying to trace an unknown adversary, it may be able to [at the very least] identify the network they're on.
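A sketch of the first option in the comment above (identical-looking traffic at a constant rate), added here as an example and not taken from the thread or from Tor's code. The cell size, tick interval and function names are assumptions, and link encryption is not modeled: the observer is assumed to see only send times and sizes.

```python
import os
from collections import deque

CELL = 512   # fixed on-wire cell size in bytes (assumed value)
HDR = 2      # length prefix inside the cell; 0 marks a pure dummy cell
TICK = 0.05  # seconds between cells (assumed value)

def shape(messages, duration):
    """Turn (arrival_time, payload) pairs into one fixed-size cell per tick.

    A cell is emitted on every tick whether or not data is waiting, so the
    send schedule carries no information about when the user was active.
    Payload still queued when `duration` ends is not sent: the price of a
    constant rate is a hard throughput cap and added latency.
    """
    pending = deque(sorted(messages, key=lambda m: m[0]))
    queue = bytearray()
    trace = []
    for i in range(int(round(duration / TICK))):
        now = i * TICK
        while pending and pending[0][0] <= now:
            queue += pending.popleft()[1]
        chunk = bytes(queue[:CELL - HDR])
        del queue[:len(chunk)]
        body = len(chunk).to_bytes(HDR, "big") + chunk
        # Random fill; a real link would encrypt the whole cell, so dummy
        # and data cells would be indistinguishable on the wire.
        trace.append((round(now, 6), body + os.urandom(CELL - len(body))))
    return trace

def observer_view(trace):
    """What a passive observer of the (encrypted) link learns: time and size."""
    return [(t, len(cell)) for t, cell in trace]

def unshape(trace):
    """Receiver side: strip padding and dummy cells, reassemble the payload."""
    data = bytearray()
    for _, cell in trace:
        n = int.from_bytes(cell[:HDR], "big")
        data += cell[HDR:HDR + n]
    return bytes(data)

# Constructed sample inputs: a bursty sender and a completely idle one.
BURSTY = [(0.0, b"A" * 1500), (0.4, b"B" * 100)]
IDLE = []
```

Over the same interval, `observer_view(shape(BURSTY, 1.0))` and `observer_view(shape(IDLE, 1.0))` are identical, while `unshape` still recovers the bursty sender's payload.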
Really? I figured the number of hops involved meant as long as they couldn't control both Entry Guard & Exit Node you were relatively safe.
> The most effective way to mask the effects of passive statistical analysis is to employ either a masking effect or a countermeasure. Either make all the traffic look identical (and have its rate be identical and constant), or make all the traffic look random, insofar as garbage is injected or frames are truncated at every hop.
So, set up a webcrawler whenever you aren't using it that randomly crawls pages I suppose. Random garbage would make you easier to find, I suspect, since it doesn't fit with a "normal" pattern of any kind.
I mostly look at Tor out of curiosity. :)
I guess this is why they recommend running a (non-exit) relay – at the very least it increases the cost of figuring out when you're using Tor yourself.
But yes, the title doesn't quite reflect that.
It's a truly bad title; it editorializes, it's contradicted by the article ("maybe" is not "affirmatively"), and it confuses its subjects with the venue they happen to present at (think about how nonsensical "ACM researchers do X" or "USENIX researchers do Y" sounds).