Also Mike Perry is right the resolution of the intercept is important in determining how much damage can be done, but given the capabilities of Narusinsight supercomputers I think it is not a good idea to assume that intelligence agencies are merely sampling Tor traffic. In 2005 A single Narusinsight box could continuously analyze 10 gigabits per second of traffic in real time. The NSA has several of these things hooked up to split fiber optic cables at many major internet exchange points in the USA. They can target traffic based on all kinds of characteristics, and it would be trivial for the NSA to decide to start gathering all traffic to and from Tor nodes. Also I will need to read through those papers, but I am currently under the impression that observation of a single 512 byte packet at entry and exit is enough to carry out a timing correlation attack. Resolution is still important, if the NSA only intercepts one out of a thousand Tor packets then a lot of traffic they could have otherwise deanonymized will get by. But as far as a single users traffic goes, if they can observe a packet at entry and exit I am under the impression that the user is very likely fucked. I don't believe that it takes megabytes of traffic to carry out a timing attack. I will need to read those .pdfs that MP linked to (again probably) when I have some more time.