[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: "Practical onion hacking: finding the real address of Tor clients"

On 11/1/06, Fabian Keil <freebsd-listen@xxxxxxxxxxxxx> wrote:
For Tor users this shouldn't be a big deal. I also don't see anything
exciting about Narus

the narus advantage is hardware/programmable classifiers, ala snort on fpga, which allows deep inspection across numerous (linearly scalable) OC12/OC48 peering points. rules also scale linearly, with anywhere from 500 to thousands per classifier proc.

Of course a patient person can already do the same thing with
less comfortable tools like tcpdump anyway.

this is all about scale, and since we are discussing taps on the backbones, scale is paramount. but for small ISP's, corp it staff you're right...

> That barely begins to describe what the
> Narus tools can do. If you care about privacy, this is really creepy.

Maybe if you care about privacy and don't use tools like Tor
to protect it.

the problem with narus run by $TLA is that it functions as global adversary, which is explicitly outside Tor's threat model. this may or may not mean they are watching. (and there are certainly some $TLA's who are using packet latency fingerprinting with active manipulation of packet timing up stream to link clients to particular exit traffic)

zero knowledge mixes defend against this threat, but you lose the
(relatively) low latency of onion like routing in Tor.  [exercise for
the researchers: would traffic padding with a DTLS Tor ala reliable
multicast at fixed bandwidth limits keep the low latency but provide
the anonymity of a stronger mix?]

best regards,