this post was submitted on 26 Nov 2023

32 points (92.1% liked)

Privacy

31182 readers

1812 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago

MODERATORS

[email protected]

What is the point in using tails memory amnesic feature when ISP can simply look at logs and correlate the times you used tor? (lemmy.world)

submitted 9 months ago by [email protected] to c/[email protected]

13 comments fedilink hide all child comments

top 13 comments

sorted by: hot top controversial new old

[–] [email protected] 36 points 9 months ago* (last edited 9 months ago)

If you're worried about time correlation attacks, to deanonymize traffic, they are things you can do:

Leave the connection on all the time, so there's no time to correlate.
Comingle different streams of traffic over the link, to make it harder to to traffic pattern analysis. Stream a video game, run an exit note, watch a movie, proxy variety of low intensity sporadic traffic.
Leave the connection up for a random amount of time before and after whatever activity you're considering sensitive. That way there's not very clean brackets on time logs.
Just like in military radio operations, keep your sensitive activity short, low density, and very fast. ( Identifying the origin of two IP packets it's much harder than identifying who is watching a video stream).
Depending on how technical you want to get you can use reverse traffic shaping. You can generate false traffic to always ensure that your traffic over your first link looks uniform.
Use a multi hop onion network, so different data streams take different paths, making it much harder to identify a single stream through the entire network. I.e. different Tor circuits or safing, or multihop Mullvad with different routes for different streams.
Don't use a static connection to connect to the internet. Use open wi-fi, use coffee table wi-fi, use library wi-fi, use a burner phone with an esim loaded on it. Use a shotgun Pringles can Wi-Fi adapter to connect to a distant access point. You can do many things to change the origin of your traffic.
If your threat model seriously considers time correlation attacks, don't have a repeatable set pattern. Break up your schedule. Don't be predictable. Make it harder to gather more intelligence from your activity. Don't do the same thing at the same time

All of this being said, don't let perfect be the enemy of good. Do whatever you can to mitigate, don't make things easy for your adversary. There's no reason to give up just because you're not perfect

[–] [email protected] 18 points 9 months ago (1 children)

Your ISP can see that you used tor but not what for

[–] [email protected] 0 points 9 months ago* (last edited 9 months ago) (5 children)

That's not what I'm saying. The point I'm making is tails feature where it wipes memory when turned off is pointless because ISP can look at the times of tor usage and see what times you were likely using tails, which us why I ask if there is any point in using it?

[–] [email protected] 23 points 9 months ago

Memory stores more data than just when you used tor, like websites visited (like resources downloaded on page load through GETs). Your ISP should only be able to tell what the first node you are using is, and if you use an unlisted bridge it should be much harder to even try to correlate, which if your smart should be near impossible anyways.

[–] [email protected] 10 points 9 months ago

What are you worried about the ISP finding out? Simply the fact you were using Tor?

If that's the case, I suppose you could use an always-on VPN, and run the Tor browser on that, for example.

[–] [email protected] 9 points 9 months ago

If you leave it on as much as you can, and make it generate random traffic, then you're effectively obfuscating the pattern.

[–] [email protected] 7 points 9 months ago (1 children)

I think the first responder @grant did understand and answered in a relevant way. I'll answer your question with a question. What is the point of using VPN if your ISP can correlate times from logs? I think you should get on the Tails site and educate yourself further to better understand use case for Tails.

[+] [email protected] -14 points 9 months ago (1 children)

I think this comment is very arrogant and unhelpful. "I think you should get on the Tails site and educate yourself further to better understand use cases for tails" - instead of telling me what the use cases for tails actually are.... Maybe you yourself don't even know and hence referring me to their website...

Anyhow, I did as you said and researched on tails website what the point of their memory erasure is and was actually hard pressed to find specific detail on what the memory erasure feature is actually intended to do and on their own website https://tails.net/contribute/design/memory_erasure/

"In order to protect against memory recovery such as cold boot attack, most of the system RAM is overwritten when Tails is being shutdown or when the boot medium is physically removed. "

So, the memory erasure is purely to prevent any kind of memory recovery... Granted this doesn't really go into any specifics. But the point I was making in this post was Law enforcement are able to pull logs from ISP and see your for usage and so hence they can correlate that and have a decent idea of the times that you were likely using tails.

However, I do believe another user in this thread has cleared up why they do this memory erasure and its to more specifically stop attackers from extracting things like websites visited.

I looked online to figure out what data can be obtained using a cold boot attack and wasnt't really able to find anything specific enough and so I asked chatgpt and it came back with the below:

"Login Credentials: Usernames, passwords, or other authentication tokens that were in use before the reboot.

Open Files and Documents: Content of files and documents that were open and active in RAM.

Cryptographic Certificates: Digital certificates and keys used for secure communication.

Browser Session Data: Active browser sessions may contain login information, session tokens, or browsing history.

Decryption Keys: Keys used for decrypting encrypted data stored on the computer.

System and Application Data: Configuration settings, temporary data, and other information related to the operating system and running applications."

[–] [email protected] 15 points 9 months ago* (last edited 9 months ago)

See, you educated yourself! I only wanted to point you to official documentation with the hope you get in the habit of starting there (with any tech). Ask a hundred people and probably get a hundred differing answers. Look at Stack Overflow and sites like that where there's always multiple answers. Thankfully there's usually one with a green tick that is likely the best answer. Anyway, you now have it in a nutshell - No data to recover = The point of using Tails (without persistence). There's no such thing as permanent total online anonymity.

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago)

Don't let perfect be the enemy of good. Just because it's physically possible, doesn't mean you have to make it easy for somebody

[–] [email protected] 10 points 9 months ago

Some of possible solutions include:

always use Tor 24/7, Tails or not, when possible, even when browsing normal websites, or using IRC etc.
use bridges

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago)

What is the point in using a car if it has GPS, but no internal cameras or microphones? Metadata is dangerous, but far from the only kind of data.

[–] [email protected] 1 points 9 months ago

So are you saying the "hide that you are using tails from your isp" option doesn't work? Does it still show you are using TOR?