by devconsole 4444 days ago
It's worth noting that Tails doesn't make you impervious. Tails uses Tor, and Tor is vulnerable to NSA and GCHQ attacks. Specifically, they have the capability of deanonymizing individual targets. I hypothesize that this capability works by monitoring Tor traffic worldwide, then performing a timing correlation between an origin and an endpoint.

Here's an example: Let's say (for the sake of example please) that the NSA can passively monitor Google searches in realtime. Let's say you search for a phrase that sets off their monitor: something like "a Tor user has Googled for Snowden." They'd like to know who you are. How would they do that?

One way is to record the fact that from your home computer originated some Tor traffic at almost the same time the Google search took place.

It's unclear exactly how they deanonymize Tor users, but one piece of info that may corroborate my hypothesis is that in a Snowden screenshot, you can see the NSA has a tab called "Tor Events" in one of their tools.

The need for websites to load quickly is Tor's Achilles heel, because it enables timing correlation. The fact that few people use Tor exacerbates the problem.

5 comments

I think you mean to say that users of Tor are potentially vulnerable to NSA and GCHQ attacks. Specifically, they lack the capability to deanonymize individual targets upon request and according to the slides leaked by Snowden they are only able to deanonymize a very small fraction of the traffic and usually have to rely on attacking surrounding software, such as the Firefox browser bundled with Tor.

http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack...

https://tails.boum.org/doc/about/warning/index.en.html#index...

"Tor doesn't protect you from a global adversary

A global passive adversary would be a person or an entity able to monitor at the same time the traffic between all the computers in a network. By studying, for example, the timing and volume patterns of the different communications across the network, it would be statistically possible to identify Tor circuits and thus matching Tor users and destination servers.

It is part of Tor's initial trade-off not to address such a threat in order to create a low-latency communication service usable for web browsing, Internet chat or SSH connections.

For more expert information see Tor Project: The Second-Generation Onion Router, part 3. Design goals and assumptions. [https://svn.torproject.org/svn/projects/design-paper/tor-des...

> One way is to record the fact that from your home computer originated some Tor traffic at almost the same time the Google search took place.

This either implies someone already suspects you and is monitoring you, or that you are the only person searching on Google using Tor at that particular moment. I find the latter hard to believe. Even if it is true, it can be mitigated by more people using Tor at the same time.
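As an added illustration that is not from the thread, a toy model of the timing correlation the original post hypothesizes and the reply above argues against: a global passive observer holds burst timestamps for every Tor client plus the event timestamps of one monitored endpoint, scores each client by how many endpoint events a burst of theirs precedes, and takes the top scorers as its candidate set. The `WINDOW`, `simulate` and `suspects` names and all timing values are my own assumptions; it shows the origin standing out when other users are quiet, and the candidate set growing when other clients carry steady traffic all hour.

```python
import bisect
import random

WINDOW = 2.0  # seconds: how closely a client burst must precede an endpoint event to count


def burst_precedes(client_times, t, window=WINDOW):
    """True if this client sent a burst within `window` seconds before time t."""
    i = bisect.bisect_right(client_times, t)      # first burst strictly after t
    return i > 0 and t - client_times[i - 1] <= window


def correlation_score(client_times, endpoint_times):
    """Number of endpoint events preceded by a burst from this client."""
    return sum(burst_precedes(client_times, t) for t in endpoint_times)


def simulate(n_quiet, n_steady, n_events=20, duration=3600.0, seed=7):
    """Constructed scenario (assumed values): one hour of traffic, one origin,
    n_quiet unrelated light users and n_steady clients with constant traffic.
    Returns (scores sorted high-to-low as (score, client_index), target_index)."""
    rng = random.Random(seed)
    endpoint = sorted(rng.uniform(0, duration) for _ in range(n_events))
    # The real origin: one burst a few hundred ms before each endpoint event.
    target = sorted(t - rng.uniform(0.1, 1.0) for t in endpoint)
    clients = [target]
    # Quiet users: a handful of unrelated bursts spread over the same hour.
    for _ in range(n_quiet):
        clients.append(sorted(rng.uniform(0, duration) for _ in range(n_events)))
    # Steady users (e.g. relaying traffic): a burst every 0.5 s, all hour long.
    steady = [k * 0.5 for k in range(int(duration / 0.5))]
    clients.extend([steady] * n_steady)
    # Shuffle the origin to a random position so its index carries no hint.
    target_idx = rng.randrange(len(clients))
    clients[0], clients[target_idx] = clients[target_idx], clients[0]
    scores = [(correlation_score(c, endpoint), i) for i, c in enumerate(clients)]
    scores.sort(reverse=True)
    return scores, target_idx


def suspects(n_quiet, n_steady, **kw):
    """Indices of clients tied at the best score: the observer's candidate set."""
    scores, target_idx = simulate(n_quiet, n_steady, **kw)
    best = scores[0][0]
    return {i for s, i in scores if s == best}, target_idx


if __name__ == "__main__":
    for quiet, steady in ((9, 0), (9, 3)):
        cands, tgt = suspects(quiet, steady)
        print(f"{quiet} quiet, {steady} steady: candidates={sorted(cands)} origin={tgt}")
```

With only quiet users the origin is the sole top scorer; with steady-traffic clients present, every one of them ties the origin, which is why the thread's "more Tor traffic" argument cuts both ways: it enlarges the candidate set but does not hide which candidates were active.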

You might want to run a non-exit node at your home. That way you have a lot of Tor traffic all the time, and the one time you really do need anonymity, it doesn't show up as anything unusual.

I don't quite know how this works, so forgive me if this is a stupid question, but couldn't someone just take the difference between your inbound and outbound Tor traffic to find how much traffic originates from your computer?

If the in/out rate of your bridge were both constant and lower than the max in/out rate of your connection, but it seems a bit of a stretch.

(And of course they wouldn't know that it was your traffic to whatever site they're surveilling, they'd just have evidence that was not inconsistent with you actively using Tor to do Something Or Other at that time.)

They might know how much, but they wouldn't know which traffic was yours.

The same is still true even if you do not run a Tor node.

They can see all of the packets in both directions. Which means they could tell when more was coming out than being relayed in.

Yes, because nothing will make you less interesting to law enforcement than running a Tor node.
Google searching no, but an IRC room or being logged into something would be good for metadata. Especially a forum or chat room where you reveal timezone or other geolocation info. "It's snowing here"

Would not take long to grep ISP logs and find the known Tor bridges, Obfsproxy bridges, relays and who might have used them.

If you tunneled Tor traffic through a VPN exiting Russia then your local ISP has no Tor timing metadata to give, unless you're Snowden and your adversary is global. Running an internal relay would help obfuscate your own traffic too; if you can connect to it on a local network, it would be a lot harder to prove you logged into IRC channel #blowuptheembassy on the Al Qaeda IRC freenode server.

> Tails doesn't make you impervious

For all X, X does not make you impervious. All it can do is increase the cost to an attacker.

Has anyone looked into thwarting timing attacks by using Selenium to run web tasks at random times?