Media coverage of "Covert channel vulnerabilities in anonymity systems"

Over the past few days there has been some coverage of my PhD thesis, and its relationship to Tor, on blogs and online news sites. It seems like this wave started with a column by Russ Cooper, which triggered articles in PC World and Dark Reading. The media attention came as a bit of a surprise to me, since nobody asked to interview me over this. I'd encourage other journalists writing about Tor to contact someone from the project as we're happy to help give some context.

My thesis is a fairly diverse collection of work, but the articles emphasize the impact of the attacks I discuss on users of anonymity networks like Tor. Actually, my thesis doesn't aim to show that Tor is insecure; the reason I selected Tor as a test case was that it's one of the few (and by far the largest) low-latency systems that aim to stand up to observation. Other, simpler, systems have comparatively well understood weaknesses, and so there is less value in researching them.

Quantifying the security of anonymity systems is a difficult question and still being actively worked on. Comparing different systems is even harder since they make different assumptions on the capabilities of attackers (the “threat model”). The mere chance of attacks doesn't indicate that a system is insecure, since they might make assumptions about the environment that are not met, or are insufficiently reliable for the scenario being considered.

The actual goal of my thesis was to try to better understand the strengths and weaknesses of systems like Tor, but more importantly also to suggest a more general methodology for discovering and resolving flaws. I proposed that the work from the well-established field of covert channels could be usefully applied, and used examples, including Tor, to justify this.

There remains much work to be done before it's possible to be sure how secure anonymity systems are, but hopefully this framework will be a useful one in moving forward. Since I joined the Tor project in September 2007, I hope I'll help in other ways too.

Tor meetup in San Francisco, 7pm this Thursday


Hi, folks! I'm in the San Francisco area for the week, so I thought it would be good to have an impromptu meetup for Tor users, operators, and enthusiasts. So if that's you, and if you're in town, and you'd like to chat, hang out, or whatever, stop on by. I'll try to hang around for a couple of hours at least.
When: 7pm, Thursday.
Where: the Sugarlump Coffee Lounge, at 2862 24th St, at Bryant.
I hope you can make it!

Vidalia bundle, OSX and Qt bugs

It appears Qt-4.3.3 has a bug that is causing Vidalia to crash when the list of Tor nodes refreshes and is sorted. The current and bundles for OSX are built against Qt-4.3.3.

I've downgraded the build hosts to Qt-4.3.2. The rebuilt OSX vidalia-bundle packages for both and are available as:

These bundles contain Vidalia compiled with Qt-4.3.2. This makes Vidalia happy again.

24C3 talk

I'm back from the 24C3 congress in Berlin. My talk went well (video, slides).

Basically I gave an overview of some of the big technical things we did in 2007, some of the policy/legal issues that we're tackling, and some of the technical things that need to come next. The focus was on Germany, so it included some discussion of the upcoming data retention problems, and of the general issue with police in Germany seizing servers.


Welcome to the official Tor Project blog. We post a few times a month to discuss topics such as Tor development, recent press, and other related memes.
