Mike Perry may argue that, but Nick Mathewson and Roger Dingledine will both tell you that observation of a single packet at two points on a Tor circuit is likely enough for linkability. None of the big-name academic anonymity researchers actually think that Tor can even stand a chance of resisting an attacker who watches both ends of a circuit.
Let's consider an active attacker who watermarks streams. Now, active attacking isn't required, and observation of multiple packets isn't required, but I can understand and explain the probability of a false positive for a watermarked stream much better than I can explain the probability of a false positive from the arrival time of a single packet. Imagine that the stream carries 128 packets; since Tor packets are 512 bytes, this means the stream of packets is 64 kilobytes. The attacker can delay individual packets such that an identifiable interpacket arrival time signature is inserted in the stream. Imagine that the attacker delays 64 kilobytes of traffic from the user, and then releases the packets one after the other with 50 milliseconds of artificial delay between each of them. This will add a few seconds of delay to the stream, but it will create packets that have a very unique arrival time pattern. The attacker could first run several Tor exit nodes and observe how many streams of packets come with a delay of 50 +/- 10 milliseconds between each of them (to take into account any potential minor jitter at the middle node). They are likely to find that absolutely no streams have this characteristic. When they modify the targeted stream, they force it to have this characteristic, and because the middle node does not artificially delay traffic, the watermark will permanently be embedded in the stream from the time it is inserted all the way up to the destination website.
I highly doubt that there is any base rate fallacy that will cause false positives in such a scenario, especially if the attacker delays the individual packets for 0-50 milliseconds prior to forwarding them on, and then looks for that signature of interpacket arrival timings. In fact, it can even be done more smoothly than that. The attacker could insert a specific timing delay between the first two packets, and then if they detect two packets at another surveillance point that arrive with this timing characteristic, they release two more with a different delay, and then release more and more and more. If they observe their inserted watermark for 64 rounds, it seems like it is very conclusive that they are observing the same stream at two different locations. Especially considering that there will be a correlation in the total stream size as well, and especially considering that they can do this bidirectionally (although considering that a single packet in one direction is enough, using unidirectional tunnels like I2P does is not a protection but rather doubles the risk of falling victim to an internal attack)!
I don't think that NarusInsight computers are capable of active attacks, but they can passively record and analyze the natural interpacket arrival timing characteristics of a stream in real time. Real-time analysis by itself would not be as useful for a passive attack; in an active attack they could monitor for streams with their predetermined watermarks inserted into them, but for passive analysis they will need to compare fingerprints collected from all of their different collection points. But if they find a correlation between interpacket timing characteristics between a stream collected at one internet backbone and a stream collected at another, it is not at all likely to be a false positive.
I actually am considering making a simple graphical program that can observe a Tor stream and visually represent the packets (perhaps as tiny squares, with space between them representing the difference between their arrival time). It will be fun to send traffic through two nodes running this program, and then to visually compare the stream as it was recorded passing through the entry and the exit node, to see how closely they map together. Then I can add some delays as well, as well as visually compare the delayed stream at an entry node to an exit node. Of course there is no need to create a visual representation, but it just seems like a fun project to me, and it will perhaps help people to understand this attack better, especially if they notice that the watermarked stream looks strikingly different from all of the normal streams. Then maybe I will make a program that simply carries out passive interpacket timing correlation, and see the success rate it has with linking my own streams together out of the noise of regular traffic running over my nodes. It is not even as hard as comparing all streams through node 1 with all streams through node 2; it is at worst a matter of comparing all streams through node 1 and node 2 that are the same size, and this can further be reduced by only comparing streams of the same size that share a middle node. If there are ten simultaneous streams through node 1 and 2 that are 100 kb and that share a middle node, something tells me it will not be hard to tell which of the streams is which simply by looking at the spatially represented interpacket arrival timing characteristics of the first several dozen packets of each stream.
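
Added example, not part of the original post: a Python simulation on constructed data that puts numbers on the false-positive argument above, using the post's 128 packets and 50 +/- 10 ms window. The exponential model for unmarked traffic, the independent uniform jitter, the 50 ms mean and all function names are assumptions made for this illustration; nothing here is measured Tor traffic.

```python
import math
import random

PACKETS = 128        # cells in the stream, as in the post (128 x 512 bytes)
MARK_MS = 50.0       # artificial inter-packet gap described in the post
TOLERANCE_MS = 10.0  # the post's +/- 10 ms allowance for jitter
GAPS = PACKETS - 1

def matches_signature(gaps_ms):
    """True only if every inter-packet gap lies within MARK_MS +/- TOLERANCE_MS."""
    return all(abs(g - MARK_MS) <= TOLERANCE_MS for g in gaps_ms)

def natural_gaps(rng, mean_gap_ms):
    # Assumption: unmarked traffic has exponentially distributed gaps.
    # This is a constructed model, not measured Tor traffic.
    return [rng.expovariate(1.0 / mean_gap_ms) for _ in range(GAPS)]

def marked_gaps(rng, jitter_ms):
    # Assumption: each forced 50 ms gap is perturbed independently by
    # uniform jitter of at most jitter_ms before the second observation point.
    return [MARK_MS + rng.uniform(-jitter_ms, jitter_ms) for _ in range(GAPS)]

def per_gap_match_probability(mean_gap_ms):
    """P(40 <= gap <= 60) for one exponential gap with the given mean."""
    lo, hi = MARK_MS - TOLERANCE_MS, MARK_MS + TOLERANCE_MS
    return math.exp(-lo / mean_gap_ms) - math.exp(-hi / mean_gap_ms)

def stream_false_positive_probability(mean_gap_ms):
    """Chance that all 127 gaps of one unmarked stream match by accident."""
    return per_gap_match_probability(mean_gap_ms) ** GAPS

def count_false_positives(n_streams, mean_gap_ms, seed=1):
    rng = random.Random(seed)
    return sum(matches_signature(natural_gaps(rng, mean_gap_ms))
               for _ in range(n_streams))

def marked_stream_detected(jitter_ms, seed=2):
    return matches_signature(marked_gaps(random.Random(seed), jitter_ms))

if __name__ == "__main__":
    # A 50 ms mean puts the model's unmarked gaps near the watermark value.
    print("per-gap match probability:", per_gap_match_probability(50.0))
    print("whole-stream false positive:", stream_false_positive_probability(50.0))
    print("false positives in 10000 unmarked streams:",
          count_false_positives(10_000, 50.0))
    print("marked stream, 8 ms jitter, matches:", marked_stream_detected(8.0))
    print("marked stream, 30 ms jitter, matches:", marked_stream_detected(30.0))
```

In this model the match only fails once per-gap jitter exceeds the tolerance, which is the condition the post says the middle node does not create.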