, Emergent Chaos 2008-08-05
Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how you believe attackers will behave. This is somewhat unusual in two ways: first, it implies the need for a dynamic analysis, and second, that analysis will only function if we have data.
We often apply a very static analysis to attackers: they have these capabilities and motivations, and they will stick with their actions. This paper shows a real world example of a place where as attackers get more resources, they will behave differently, rather than doing more of what they did before. So actually operating a secure Tor system requires an understanding of how certain attackers are behaving, and how they choose to attack the system at any given time.
There's a sense in which this is not surprising, but these dynamic models rarely show up in analysis.
Bonus snark to the Colorado team: why don't you buy a botnet and see what you can break? (The Colorado team is the people Chris blogged about in "Ethics, Information Security Research, and Institutional Review Boards.")
