Privacy Enhancing Technologies Symposium 2014: Neue Forschung zu Privatsphäre und Anonymität

Auch im Zeitalter der digitalen Vollüberwachung gibt es Technologien, die Privatsphäre und Anonymität schützen können. Auf dem jährlichen Privacy Enhancing Technologies Symposium wurden einige davon diskutiert und weiterentwickelt. Die Forschung reagiert auf die konkreten Inhalte der Snowden-Enthüllungen.

CC BY 2.0 via flickr/hyku

Diese Woche fand die 14. jährliche Ausgabe des Privacy Enhancing Technologies Symposium (PETS) in Amsterdam statt. Das PETS „befasst sich mit der Konzeption und Umsetzung von Datenschutz-Diensten für das Internet und andere Datensysteme und Kommunikationsnetze“. Wie immer gab es viele spannende Veranstaltungen über Privatsphäre und Anonymität mit Forscher/innen aus der ganzen Welt. In diesem Jahr natürlich mit Fokus auf die Enthüllungen zur digitalen Vollüberwachung – und der Suche nach Konsequenzen.

In diesem Jahr gab es drei Keynote-Veranstaltungen:

Dazu wurden viele Forschungsergebnisse vorgestellt und diskutiert, von denen jede einzelne eigentlich einen eigenen Blogpost wert wäre. Wir haben hier wenigstens mal alle Abstratcs aus den Papers kopiert und die Hauptergebnisse hervorgehoben:

Privacy in a Mobile World

Exploiting Delay Patterns for User IPs Identification in Cellular Networks

Vasile Claudiu Perta, Marco Valerio Barbera, Alessandro Mei

A surprisingly high number of mobile carriers worldwide do not block unsolicited traffic from reaching their mobile devices from the open Internet or from within the cellular network. This exposes mobile users to a class of low-resource attacks that could compromise their privacy and security. In this work we describe a methodology that allows an adversary to identify a victim device in the cellular network by just sending messages to its user through one or more messaging apps available today on the mobile market. By leveraging network delays produced by mobile devices in different radio states and the timeliness of push notifications, we experimentally show how our methodology is able to quickly identify the target device within 20 messages in the worst case through measurements on a large mobile network.

Quantifying the Effect of Co-Location Information on Location Privacy

Alexandra-Mihaela Olteanu, Kévin Huguenin, Reza Shokri, Jean-Pierre Hubaux

Mobile users increasingly report their co-locations with other users, in addition to revealing their locations to online services. For instance, they tag the names of the friends they are with, in the messages and in the pictures they post on social networking websites. Combined with (possibly obfuscated) location information, such co-locations can be used to improve the inference of the users‘ locations, thus further threatening their location privacy: as co-location information is taken into account, not only a user’s reported locations and mobility patterns can be used to localize her, but also those of her friends (and the friends of their friends and so on). In this paper, we study this problem by quantifying the effect of co-location information on location privacy, with respect to an adversary such as a social network operator that has access to such information. We formalize the problem and derive an optimal inference algorithm that incorporates such co-location information, yet at the cost of high complexity. We propose two polynomial-time approximate inference algorithms and we extensively evaluate their performance on a real dataset. Our experimental results show that, even in the case where the adversary considers co-locations with only a single friend of the targeted user, the location privacy of the user is decreased by up to 75% in a typical setting. Even in the case where a user does not disclose any location information, her privacy can decrease by up to 16% due to the information reported by other users.

Crypto & Differential Privacy

Forward-Secure Distributed Encryption

Wouter Lueks, Jaap-Henk Hoepman, Klaus Kursawe

Distributed encryption is a cryptographic primitive that implements revocable privacy. The primitive allows a recipient of a message to decrypt it only if enough senders encrypted that same message. We present a new distributed encryption scheme that is simpler than the previous solution by Hoepman and Galindo — in particular it does not rely on pairings — and that satisfies stronger security requirements. Moreover, we show how to achieve key evolution, which is necessary to ensure scalability in many practical applications, and prove that the resulting scheme is forward secure. Finally, we present a provably secure batched distributed encryption scheme that is much more efficient for small plaintext domains, but that requires more storage.

The Best of Both Worlds: Combining Information-Theoretic and Computational PIR for Communication Efficiency

Casey Devet, Ian Goldberg

The goal of Private Information Retrieval (PIR) is the ability to query a database successfully without the operator of the database server discovering which record(s) of the database the querier is interested in. There are two main classes of PIR protocols: those that provide privacy guarantees based on the computational limitations of servers (CPIR) and those that rely on multiple servers not colluding for privacy (IT-PIR). These two classes have different advantages and disadvantages that make them more or less attractive to designers of PIR-enabled privacy enhancing technologies.

We present a hybrid PIR protocol that combines two PIR protocols, one from each of these classes. Our protocol inherits many positive aspects of both classes and mitigates some of the negative aspects. For example, our hybrid protocol maintains partial privacy when the security assumptions of one of the component protocols is broken, mitigating the privacy loss in such an event. We have implemented our protocol as an extension of the Percy++ library so that it combines a PIR protocol by Aguilar Melchor and Gaborit with one by Goldberg. We show that our hybrid protocol uses less communication than either of these component protocols and that our scheme is particularly beneficial when the number of records in a database is large compared to the size of the records. This situation arises in applications such as TLS certificate verification, anonymous communications systems, private LDAP lookups, and others.

A Predictive Differentially-Private Mechanism for Mobility Traces

Konstantinos Chatzikokolakis, Catuscia Palamidessi, Marco Stronati

With the increasing popularity of GPS-enabled handheld devices, location based applications and services have access to accurate and real-time location information, raising serious privacy concerns for their millions of users. Trying to address these issues, the notion of geo-indistinguishability was recently introduced, adapting the well-known concept of Differential Privacy to the area of location-based systems. A Laplace-based obfuscation mechanism satisfying this privacy notion works well in the case of a sporadic use; Under repeated use, however, independently applying noise leads to a quick loss of privacy due to the correlation between the location in the trace.

In this paper we show that correlations in the trace can be in fact exploited in terms of a prediction function that tries to guess the new location based on the previously reported locations. The proposed mechanism tests the quality of the predicted location using a private test; in case of success the prediction is reported otherwise the location is sanitized with new noise. If there is considerable correlation in the input trace, the extra cost of the test is small compared to the savings in budget, leading to a more efficient mechanism.

We evaluate the mechanism in the case of a user accessing a location-based service while moving around in a city. Using a simple prediction function and two budget spending strategies, optimizing either the utility or the budget consumption rate, we show that the predictive mechanism can offer substantial improvements over the independently applied noise.

Users and Privacy

Social Status and the Demand for Security and Privacy

Jens Grossklags, Nigel Barradale

High-status decision makers are often in a position to make choices with security and privacy relevance not only for themselves but also for groups, or even society at-large. For example, decisions about security technology investments, anti-terrorism activities, and domestic security, broadly shape the balance between security and privacy. However, it is unclear to what extent the mass of individuals share the same concerns as high-status individuals. In particular, it is unexplored in the academic literature whether an individual’s status position shapes one’s security and privacy concerns.

The method of investigation used is experimental, with 146 subjects interacting in high- or low-status assignments and the subsequent change in the demand for security and privacy being related to status assignment with a signifcant t-statistic up to 2.9, depending on the specification. We find that a high-status assignment significantly increases security concerns. This effect is observable for two predefined sub-dimensions of security (i.e., personal and societal concerns) as well as for the composite measure. We find only weak support for an increase in the demand for privacy with a low-status manipulation.

We complement these results with a second experiment on individuals‘ time preferences with 120 participants. We show that the high-status manipulation is correlated with increased patience, i.e., those individuals exhibit more robust long-term appreciation of decisions. Given that many security and privacy decisions have long-term implications and delayed consequences, our results suggest that high-status decision makers are less likely to procrastinate on important security investments, and are more likely to account for future risks appropriately. The opposite applies to privacy and low-status roles.

Why Doesn’t Jane Protect Her Privacy?

Karen Renaud, Melanie Volkamer, Arne Renkema-Padmos

End-to-end encryption has been heralded by privacy and security researchers as an effective defence against dragnet surveillance, but there is no evidence of widespread end-user uptake. We argue that the non-adoption of end-to-end encryption might not be entirely due to usability issues identified by Whitten and Tygar in their seminal paper “Why Johnny Can’t Encrypt”. Our investigation revealed a number of fundamental issues such as incomplete threat models, misaligned incentives, and a general absence of understanding of the email architecture. From our data and related research literature we found evidence of a number of potential explanations for the low uptake of end-to-end encryption. This suggests that merely increasing the availability and usability of encryption functionality in email clients will not automatically encourage increased deployment by email users. We shall have to focus, first, on building comprehensive end-user mental models related to email, and email security. We conclude by suggesting directions for future research.

Attacks to Privacy

I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis

Brad Miller, Ling Huang, A. D. Joseph, J. D. Tygar

Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 90% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. We examine evaluation methodology and reveal accuracy variations as large as 17% caused by assumptions acting caching and cookies. We present a novel defense reducing attack accuracy to 25% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching, user-specific cookies and pages within the same website.

I Know What You’re Buying: Privacy Breaches on eBay

Tehila Minkus, Keith W. Ross

eBay is an online marketplace which allows people to easily engage in commerce with one another. Since the market’s online nature precludes many physical cues of trust, eBay has instituted a reputation system through which users accumulate ratings based on their transactions. However, the eBay Feedback System as currently implemented has serious privacy flaws. When sellers leave feedback, buyers‘ purchase histories are exposed through no action of their own. In this paper, we describe and execute a series of attacks, leveraging the feedback system to reveal users‘ potentially sensitive purchases. As a demonstration, we collect and identify users who have bought gun-related items and sensitive medical tests. We contrast this information leakage with eBay users‘ privacy expectations as measured by an online survey. Finally, we make recommendations towards better privacy in the eBay feedback system.

Misc (Chair: Sharon Goldberg)

C3P: Context-Aware Crowdsourced Cloud Privacy

Hamza Harkous, Rameez Rahman, Karl Aberer

Due to the abundance of attractive services available on the cloud, people are placing an increasing amount of their data online on different cloud platforms. However, given the recent large-scale attacks on users data, privacy has become an important issue. Ordinary users cannot be expected to manually specify which of their data is sensitive, or to take appropriate measures to protect such data. Furthermore, usually most people are not aware of the privacy risk that different shared data items can pose. In this paper, we present a novel conceptual framework in which privacy risk is automatically calculated using the sharing context of data items. To overcome ignorance of privacy risk on the part of most users, we use a crowdsourcing based approach. We use Item Response Theory (IRT) on top of this crowdsourced data to determine the sensitivity of items and diverse attitudes of users towards privacy. First, we determine the feasibility of IRT for the cloud scenario by asking workers feedback on Amazon mTurk on various sharing scenarios. We obtain a good fit of the responses with the theory, and thus show that IRT, a well-known psychometric model for educational purposes, can be applied to the cloud scenario. Then, we present a lightweight mechanism such that users can crowdsource their sharing contexts with the server and determine the risk of sharing particular data item(s) privately. Finally, we use the Enron dataset to simulate our conceptual framework and also provide experimental results using synthetic data. We show that our scheme converges quickly and provides accurate privacy risk scores under varying conditions.

Do dummies pay off? Limits of dummy traffic protection in anonymous communications

Simon Oya, Carmela Troncoso, Fernando Pérez-González

Anonymous communication systems ensure that correspondence between senders and receivers cannot be inferred with certainty. However, when patterns are persistent, observations from anonymous communication systems enable the reconstruction of user behavioral profiles. Protection against profiling can be enhanced by adding dummy messages, generated by users or by the anonymity provider, to the communication. In this paper we study the limits of the protection provided by this countermeasure. We propose an analysis methodology based on solving a least squares problem that permits to characterize the adversary’s profiling error with respect to the user behavior, the anonymity provider behavior, and the dummy strategy. Focusing on the particular case of a timed pool mix we show how, given a privacy target, the performance analysis can be used to design optimal dummy strategies to protect this objective.

On the Effectiveness of Obfuscation Techniques in Online Social Networks

Terence Chen, Roksana Boreli, Mohamed Ali Kaafar, Arik Friedman

Data obfuscation is a well-known technique for protecting user privacy against inference attacks, and it was studied in diverse settings, including search queries, recommender systems, location-based services and Online Social Networks (OSNs). However, these studies typically take the point of view of a single user who applies obfuscation, and focus on protection of a single target attribute. Unfortunately, while narrowing the scope simplifies the problem, it overlooks some significant challenges that effective obfuscation would need to address in a more realistic setting. First, correlations between attributes imply that obfuscation conducted to protect a certain attribute, may in influence inference attacks targeted at other attributes. In addition, when multiple users conduct obfuscation simultaneously, the combined effect of their obfuscations may be significant enough to act the inference mechanism to their detriment. In this work we focus on the OSN setting and use a dataset of 1.9 million Facebook profiles to demonstrate the severity of these problems and explore possible solutions. For example, we show that an obfuscation policy that would limit the accuracy of inference to 45% when applied by a single user, would result in an inference accuracy of 75% when applied by 10% of the users. We show that a dynamic policy, which is continuously adjusted to the most recent data in the OSN, may mitigate this problem. Finally, we report the results of a user study, which indicates that users are more willing to obfuscate their profiles using popular and high quality items. Accordingly, we propose and evaluate an obfuscation strategy that satisfies both user needs and privacy protection.


Dovetail: Stronger Anonymity in Next-Generation Internet Routing

Jody Sankey, Matthew Wright

Given current research initiatives advocating „clean slate“ Internet designs, researchers have the opportunity to design an internet-work layer routing protocol that provides efficient anonymity by decoupling identity from network location. Prior work in anonymity for the next-generation Internet fully trusts the user’s ISP. We propose Dovetail, which provides anonymity against an active attacker located at any single point within the network, including the user’s ISP. A major design challenge is to provide this protection without including an application-layer proxy in data transmission. We address this in path construction by using a matchmaker node (an end host) to overlap two path segments at a dovetail node (a router). The dovetail then trims away part of the path so that data transmission bypasses the matchmaker. We develop a systematic mechanism to measure the topological anonymity of our designs, and we demonstrate their privacy and efficienciency by Internet-scale simulations at the AS-level.

Spoiled Onions: Exposing Malicious Tor Exit Relays

Philipp Winter, Richard Köwer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, Edgar Weippl

Tor exit relays are operated by volunteers and together push more than 1 GiB/s of network traffic. By design, these volunteers are able to inspect and modify the anonymized network traffic. In this paper, we seek to expose such malicious exit relays and document their actions. First, we monitored the Tor network after developing two fast and modular exit relay scanners—one for credential sniffing and one for active MitM attacks. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of several months. We discovered numerous malicious exit relays engaging in a multitude of different attacks. To reduce the attack surface users are exposed to, we patched Torbutton, an existing browser extension and part of the Tor Browser Bundle, to fetch and compare suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously and systematically monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks, thereby making the network safer for its users. All our source code is available under a free license.

Censorship Resistance

Measuring Freenet in the Wild: Censorship-resilience under Observation

Stefanie Roos, Benjamin Schiller, Stefan Hacker, Thorsten Strufe

Freenet, a fully decentralized publication system designed for censorship-resistant communication, exhibits long delays and low success rates for finding and retrieving content. In order to improve its performance, an in-depth understanding of the deployed system is required. Therefore, we performed an extensive measurement study accompanied by a code analysis to identify bottlenecks of the existing algorithms and obtained a realistic user model for the improvement and evaluation of new algorithms.

Our results show that 1) the current topology control mechanisms are suboptimal for routing and 2) Freenet is used by several tens of thousands of users who exhibit uncharacteristically long online times in comparison to other P2P systems.

CloudTransport: Using Cloud Storage for Censorship-Resistant Networking

Chad Brubaker, Amir Houmansadr, Vitaly Shmatikov

Censorship circumvention systems such as Tor are highly vulnerable to network-level filtering. Because the traffic generated by these systems is disjoint from normal network traffic, it is easy to recognize and block, and once the censors identify network servers (e.g., Tor bridges) assisting in circumvention, they can locate all of their users.

CloudTransport is a new censorship-resistant communication system that hides users’ network traffic by tunneling it through a cloud storage service such as Amazon S3. The goal of CloudTransport is to increase the censors’ economic and social costs by forcing them to use more expensive forms of network filtering, such as large-scale traffic an alysis, or else risk disrupting normal cloud-based services and thus causing collateral damage even to the users who are not engaging in circumvention. Cloud-Transport’s novel passive-rendezvous protocol ensures that there are no direct connections between a CloudTransport client and a CloudTransport bridge. Therefore, even if the censors identify a Cloud Transport connection or the IP address of a CloudTransport bridge, this does not help them block the bridge or identify other connections.

CloudTransport can be used as a standalone service, a gateway to an anonymity network like Tor, or a pluggable transport for Tor. It does not require any modifications to the existing cloud storage, is compatible with multiple cloud providers, and hides the user’s Internet destinations even if the provider is compromised.

Anonymous Communications

One Fast Guard for Life (or 9 months)

Roger Dingledine, Nicholas Hopper, George Kadianakis, Nick Mathewson

„Entry Guards“ in the Tor anonymity network mitigate against several traffic analysis attacks including the „predecessor“ attack, statistical profiling, and passive AS-level correlation attacks. Several recent works have shown that the current design does not provide sufficient mitigation against these attacks and may also introduce new vulnerabilities. We propose a simple response to these results: Tor clients should move from using three entry guards to a single, fast entry guard, and rotate entry guards after 9 months rather than after 45 days. We measure the likely effect on anonymity and performance of these changes, and discuss some of the remaining problems with entry guards not addressed by this proposal.

From Onions to Shallots: Rewarding Tor Relays with TEARS

Rob Jansen, Andrew Miller, Paul Syverson, Bryan Ford

The Tor anonymity network depends on volunteers to operate relays, and might offer higher bandwidth with lower response latencies if more users could be incentivized to contribute relay bandwidth. We introduce TEARS, a system rewarding useful service with traffic priority. TEARS audits relays and rewards them with anonymous coins called Shallots, proportionally to bandwidth contributed. Shallots may be redeemed anonymously for PriorityPasses, which in turn may be presented to relays to request traffic priority. The PriorityPass construction enables relays to prevent double spending locally without leaking information. Unlike previous incentive proposals, TEARS incorporates transparent and distributed banking using protocols from distributed digital cryptocurrency systems like Bitcoin. Shallots are publicly-verifiable, minimizing reliance on and trust in banking authorities, making them auditable while naturally distributing bank functionality and associated overhead. Further, these distributed banking protocols resist denial-of-service attacks and can recover from catastrophic failures. TEARS may either be deployed in the existing Tor network or operate alongside it.

A TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating Relays

Mainak Ghosh, Miles Richardson, Bryan Ford, Rob Jansen

The Tor network relies on volunteer relay operators for relay bandwidth, which may limit its growth and scaling potential. We propose an incentive scheme for Tor relying on two novel concepts. We introduce TorCoin, an „altcoin“ that uses the Bitcoin protocol to reward relays for contributing bandwidth. Relays „mine“ TorCoins, then sell them for cash on any existing altcoin exchange. To verify that a given TorCoin represents actual bandwidth transferred, we introduce TorPath, a decentralized protocol for forming Tor circuits such that each circuit is privately-addressable but publicly verifiable. Each circuit’s participants may then collectively mine a limited number of TorCoins, in proportion to the end-to-end transmission goodput they measure on that circuit.

Representing Network Trust and Using It to Improve Anonymous Communication

Aaron D. Jaggard, Aaron Johnson, Paul Syverson, Joan Feigenbaum

Motivated by the effectiveness of correlation attacks against Tor, the censorship arms race, and observations of malicious relays in Tor, we propose that Tor users capture their trust in network elements using probability distributions over the sets of elements observed by network adversaries. We present a modular system that allows users to efficiently and conveniently create such distributions and use them to improve their security. The major components of this system are (i) an ontology of network-element types that represents the main threats to and vulnerabilities of anonymous communication over Tor, (ii) a formal language that allows users to naturally express trust beliefs about network elements, and (iii) a conversion procedure that takes the ontology, public information about the network, and user beliefs written in the trust language and produce a Bayesian Belief Network that represents the probability distribution in a way that is concise and easily sampleable. We also present preliminary experimental results that show the distribution produced by our system can improve security when employed by users; further improvement is seen when the system is employed by both users and services.

Law and Policy

The ABCs of ABCs – An Analysis of Attribute-Based Credentials in the Light of Data Protection, Privacy and Identity

Merel Koning, Gergely Alpar, Paulan Korenhof, Jaap-Henk Hoepman

Our networked society increasingly needs secure identity systems. The Attribute-based credential (ABC) technology is designed to be privacy-friendlier than contemporary authentication methods, which often suffer from information leakage. So far, however, some of the wider implications of ABC have not been appropriately discussed, mainly because they lie outside of the research scope of most cryptographers and computer engineers. This paper explores a range of such implications, shows that there are potential risks associated with the wider introduction of ABC in society, and makes the case that legal and societal aspects of ABC be subjected to extended interdisciplinary research.

Loopholes for Circumventing the Constitution: Warrantless Surveillance on U.S. Persons by Collecting Network Traffic Abroad

Axel M. Arnbak, Sharon Goldberg

In this multi-disciplinary paper, we reveal interdependent legal and technical loopholes that intelligence agencies of the U.S. government could use to circumvent constitutional and statutory safeguards for U.S. persons. We outline known and new circumvention techniques that can leave the Internet traffic of Americans as vulnerable to surveillance, and as unprotected by U.S. law, as the Internet traffic of foreigners.

Building Effective Internet Freedom Tools: Needfinding with the Tibetan Exile Community

Michael Brennan, Katey Metzroth, Roxann Stafford

Over the past several months a team of computer scientists and ethnographic researchers created and applied to apply a human-centered design approach to understanding the needs of the Tibetan exile community related to safe and secure communication practices, particularly on the Internet. This process included a two week visit to Dharamsala, India in March 2014. What our process allowed us to discover are not only the top-level needs that will directly act development of privacy enhancing technologies, but a deep understanding of reasons behind the needs which we hope will support greater impact of these findings. We learned about the communication norms, security and privacy related behaviors, perceptions of surveillance, software usability considerations, and more. This paper reviews our process, our research questions, and our learnings. It will also outline elements of a research framework that can be used by developers and researchers to further serve the Tibetan community and other communities that face threats to free and safe access to communication on the Internet. This work is in progress, and this paper re reflects that. We note throughout this paper where research findings are preliminary and incomplete. We aim to have a full draft of our framework and our findings complete in time for HotPETS. abstract environment.

Privacy Measurement

Crying Wolf? On the Price Discrimination of Online Airline Tickets

Thomas Vissers, Nick Nikiforakis, Nataliia Bielova, Wouter Joosen

Price discrimination refers to the practice of dynamically varying the prices of goods based on a customer’s purchasing power and willingness to pay. In this paper, motivated by several anecdotal accounts, we report on a three-week experiment, conducted in search of price discrimination in airline tickets. Despite presenting the companies with multiple opportunities for discriminating us, and contrary to our expectations, we do not find any evidence for systematic price discrimination. At the same time, we witness the highly volatile prices of certain airlines which make it hard to establish cause and effect. Finally, we provide alternative explanations for the observed price differences.

Analysis of OpenX-Publishers Cooperation

Lukasz Olejnik, Claude Castelluccia

Real-Time Bidding is a protocol enabling the serving of advertisements. It involves Ad Exchanges, bidders and publishers. In this note, we report the findings of cooperation between OpenX Ad Exchange and selected publishers. The setting has potentially important implications for Web users privacy and security. For example, Web browser mechanisms responsible for blocking third-party cookies are rendered inective.

Measuring the Leakage of Onion at the Root, A measurement of Tor’s .onion pseudo-top-level domain in the global domain name system

Matthew Thomas, Aziz Mohaisen

The Tor project provides individuals with a mechanism of communicating anonymously on the Internet. Furthermore, Tor is capable of providing anonymity to servers, which are configured to receive inbound connections only through Tor—more commonly called hidden services. In order to route requests to these hidden services, a namespace is used to identify the resolution requests to such services. A namespace under a non-delegated (pseudo) top-level-domain (TLD) of .onion was elected. Although the Tor system was designed to prevent .onion requests from leaking into the global DNS resolution process, numerous requests are still observed in the global DNS. In this paper we will present the state of .onion requests received at the global public DNS A and J root nodes, potential explanations of the leakage, and highlights of trends associated with global censorship events. By sharing this preliminary work, we wish to trigger further discussions on the matter in the community.


Blogs and Twitter Feeds: A Stylometric Environmental Impact Study

Rebekah Overdorf, Travis Dutko, Rachel Greenstadt

Stylometry is the study of determining the author of a document based on the linguistic features contained in the document. Previous work in this area has yielded impressive results, but assumes that the training and testing documents are similar key attributes, namely the domain and setting in which they are written. This paper focuses on the scenario where this assumption cannot be made. We determine that standard methods in stylometry do not perform well when the training and suspect documents differ in this way. For example, when working exclusively with blogs we obtain an average accuracy of 93.30% and with Twitter feeds we obtain an average accuracy of over 98.99%. However, when we apply the same method to try to identify a twitter feed via a blog’s writing, accuracy falls drastically. We provide a method to improve this cross-domain accuracy to 88.89%. Being able to identify authors across domains facilitates linking identities across the Internet, making this a key privacy concern.

CoinShuffle: Practical Decentralized Coin Mixing for Bitcoin

Tim Ruffing, Pedro Moreno-Sanchez, Aniket Kate

The decentralized currency network Bitcoin is emerging as a potential new way of performing financial transactions across the globe. Its use of pseudonyms towards protecting users’ privacy has been an attractive feature to many of its adopters. Nevertheless, due to the inherent public nature of the Bitcoin transaction ledger, users’ privacy is severely restricted to linkable anonymity, and a few Bitcoin transaction deanonymization attacks have been reported thus far.

In this paper we propose CoinShuffle, a completely decentralized Bitcoin mixing protocol that allows users to utilize Bitcoin in a truly anonymous manner. CoinShuffle is inspired by the accountable anonymous group communication protocol Dissent and enjoys several advantages over its predecessor Bitcoin mixing protocols. It does not require any (trusted, accountable or untrusted) third party and it is perfectly compatible with the current Bitcoin system. CoinShuffle introduces only a small communication overhead for its users, while completely avoiding additional anonymization fees and minimizing the computation and communication overhead for the rest of the Bitcoin system.

Forensic analysis of home automation systems

Thomas Mundt, Andreas Dahn, Hans-Walter Glock

Modern buildings are often equipped with universal bus systems. The purpose of these bus systems is to control functions of houses such as lighting, climate control, and heating. In this paper we present a case study on investigating such a system under a forensic focus without direct physical contact (over the air). The purpose of this paper is to demonstrate the entire forensic process of gathering digital evidence, reconstructing data, analyzing digital evidence, and drawing conclusions from the data. We show in detail which data are available in a typical installation of the widely adopted bus system KNX. This paper demonstrates the impossibility of securing a KNX installation in a building with publicly accessible parts.

Eine Ergänzung

Wir freuen uns auf Deine Anmerkungen, Fragen, Korrekturen und inhaltlichen Ergänzungen zum Artikel. Bitte keine reinen Meinungsbeiträge! Unsere Regeln zur Veröffentlichung von Ergänzungen findest Du unter Deine E-Mail-Adresse wird nicht veröffentlicht.