
/tech/ - Technology


 No.806056>>806093

If you control the source of the data (or at least a router on the path of the data.....) you can add patterns to the data by throttling it to certain speeds at certain times... Then if you have a system like PRISM that watches packets everywhere for metadata like time, speed and size, you have a good chance of finding where those packets are ending up regardless of encryption or tunneling... Say if you slow down a download by 50kbps, then speed it up 25kbps, slow it down again, let it run free, and so on.... find a VPN user whose bandwidth consumption went down 50kbps, up 25kbps, down 25 kbps, up 50 kbps and so on, all within a few ms of when you introduced those speedbumps, and you've got a pretty good idea of who is downloading that data......

 No.806059>>806070

That works if the attacker knows the path your packets are taking before they hit the VPN. Of course the NSA could easily do that, but then a VPN is really best for getting around geoblocks and preventing your IP being exposed in a torrent.


 No.806070

>>806059

Which is why you use Tor. You can redirect your packets while making them look like HTTPS packets. Sure, it's still possible to decrypt and track the packets. But then the effort went from a snooper with a hard drive to a multi-trillion dollar cracking machine.


 No.806093

>>806056 (OP)

why bother when every router and gateway on ISP side has logs to hell and back again?


 No.806112

*randomly increases and decreases all traffic patterns on client side to distract prismniggers*

heh, nuffin personnel nsss-ayy-kun


 No.806138

It's easier to do time correlation than doing that.

Simply by looking at when a packet enters the first node you are watching and when it exits the last node you are watching (example: the Tor network), and seeing that the time difference between these two packets entering and exiting your observed space is the same, you can deduce it is the same person.
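An added simulation (not posted by anyone in this thread) of the idea in >>806056 and >>806138: a throttle pattern imposed at the source survives encryption and tunnelling as a byte-rate shape, so a passive observer can correlate it against candidate flows; it also shows why constant-rate padding (dummy traffic filling every slot) flattens the shape and kills the correlation. All rates, the throttle schedule and the noise levels are constructed for the demo.

```python
import random

rng = random.Random(7)  # fixed seed so the demo is reproducible

# Constructed throttle schedule in kbps relative to a 500 kbps base rate,
# in the spirit of the OP's "down 50, up 25, down 25, let it run free".
THROTTLE_PATTERN = [-50, -25, -50, 0, -50, -25, -50, 0]

def shaped_source(pattern, steps=10, base=500.0):
    """Throughput per time slot at the data source while the pattern is applied."""
    return [base + d + rng.gauss(0, 3) for d in pattern for _ in range(steps)]

def tunnel_observation(source_rates, overhead=1.08):
    """What a passive observer sees on the encrypted tunnel: encryption hides
    the payload bytes but not the byte rate, so the shape survives (plus a
    constructed 8% tunnel overhead and some jitter)."""
    return [r * overhead + rng.gauss(0, 4) for r in source_rates]

def unrelated_user(n, base=500.0):
    """A user whose download has nothing to do with the shaped flow."""
    return [base + rng.gauss(0, 30) for _ in range(n)]

def constant_rate_padding(observed, cap=700.0):
    """Mitigation: a padded link always carries `cap` kbps (dummy traffic
    fills idle slots), so the observer sees a flat line whatever the source does."""
    return [cap for _ in observed]

def pearson(a, b):
    """Pearson correlation; 0.0 when either series is flat (no shape to match)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = sum((x - ma) ** 2 for x in a) ** 0.5
    sb = sum((y - mb) ** 2 for y in b) ** 0.5
    if sa == 0 or sb == 0:
        return 0.0
    return cov / (sa * sb)

def correlation_report():
    """Correlate the shaped source against three candidate flows."""
    src = shaped_source(THROTTLE_PATTERN)
    return {
        "same_flow": pearson(src, tunnel_observation(src)),        # high
        "other_user": pearson(src, unrelated_user(len(src))),      # near 0
        "padded_flow": pearson(src, constant_rate_padding(tunnel_observation(src))),  # 0
    }
```

Time-based correlation (>>806138) works the same way on a series of packet arrival times instead of per-slot byte rates; padding that also sends dummy packets on a fixed schedule is the analogous defence.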


 No.806391

The BBC already does this with packet length steganography to catch pirate streaming via wifi wardriving. No amount of naive encryption will save you.


 No.806400>>806489

/tech/ will never believe me, I certainly wouldn't, but I worked on the data capture side of PRISM (the fiber splitters they found in AT&T's room literally used to live in my desk drawer) and we did implement flow time correlation. This was way before tor and our results were being published publicly as part of an internet mapping project. I left before it was scaled up into a global spying apparatus so I have no idea what they did with that code but I know they had it as I wrote part of it. It was being used to estimate global VPN/IPSEC usage where we needed to know that a machine was relaying a flow rather than creating a flow despite all the headers having been munged.

Fun fact / story time / LARP corner: the hardest part of the project was a different type of time correlation - the fiber connections at the time were unidirectional and we didn't have machines fast enough to capture both directions at once so we had to splice the bidirectional stream together after capturing it, and clock drift at OC3/OC12 speeds would make a session gibberish within a few seconds. We solved this with two GPS units, one per tap, to get (mostly) driftless timing and we had to run wires at each site to the roof for the antennas (this was before having stuff on the roof was normal).

But today there are all sorts of easier ways to leak data. Anything that is "random", for example. How do you know if those TCP sequence numbers or Diffie-Hellman keys chosen by a hardware RNG aren't actually part of a payload being exfiltrated and could be reassembled by someone listening to your traffic? You don't.

But then again, today there are only a few ethernet chipset vendors and they could have been required to listen for and execute magic packets. You'd never know as they'd not be delivered to the kernel, and they could travel through your network even with your computers turned off thanks to those chips being powered to support wake-on-LAN magic packets (look into it if you don't realize how active those chips really are when 'off'). The code's already there for wake-on-LAN, it would take next to no effort.


 No.806489

>>806400

I don't believe you but it was interesting.



