Attacks via a Representative Sample : Myths and Reality

Imagine the situation: you are an employee of a secret service, and your task is to calculate a particularly dangerous criminal, engaged in blackmail and appearing in the network periodically and only for the transfer of data. For his criminal activity he has a separate laptop from which he "cut out" the microphone, speakers and camera. A sensible decision, given that the speakers can also listen.

| Disclaimer ❗️ This is the translation of originally written article written originally by, edited by and translated, edited by

He uses Tails as his operating system, although he should have used Whonix for maximum anonymity. Anyway, all the traffic goes via Tor, he doesn't trust VPN or only trusts his VPN and he needs Tor for the DarkWeb "work" anyway.

He uses Jabber with PGP (tip: PGP may be a fake, cause anyone can change a date on PC and generate a fake PGP key. Use key fingerprints, always use only them, they cannot be changed (you may find it in your Adium.Im or Psi+) encryption to communicate, he could also put Telegram, but he is an old-school criminal. Even if you have access to the Jabber server, you can only get Tor's encrypted data and IP addresses. This is a useless information.

The criminal works on the principle of "silence-gold"; he won't say anything unnecessary, he won't open a link or file. It is only known that he has to be in the same country as you. It would seem that there is no chance to identify him, but it's an illusion, you can identify him despite all the measures he takes.

The case described above is ideal for a timing attack on a messenger or a thematic forum. The first thing you need is a program that will track and record all of the user's entries and exits. He appeared on the network - the system immediately marks the time, left - the system recorded the time of exit.

Now you have a log of his activity for a few days, it is time to use the system ORM (operational and investigative measures). Intelligence services of most countries have such systems at their disposal. We need to find out who in your country during these time intervals +/- 5 minutes connected to the Tor network.

We know that the target to be de-anonymized connected on 11.04.2022 at 11:07 and disconnected at 12:30. At the same time points (+/- 5 minutes), 3,000 people across the country connected to and disconnected from the Tor network. We take those 3,000 and see which of them reconnected at 2:17 p.m. and disconnected at 4:54 p.m., how many people do you think are left?

So, step by step, it narrows it down and eventually you will be able to figure out where your victim or perpetrator goes online. The more often he goes online and the fewer other users there are, the faster the timing attack will work.


What can prevent a timing attack from taking place.

Constantly changing network access points makes such an attack pointless. If, on the other hand, the target periodically changes the exit points, it may make it difficult to find, but it is a preliminarily acceptable option and is not capable of confusing the system.

| Tip: It is possible to track you down by comparing unique punctuation marks, language, specifics commas and dots (as an example, one guy will write down 25mg like that, the other one will write 25 mg), read about a forensic linguistics more:

I hope that our reader is not a wanted criminal and does not have to roam from one cafe with public Wi-Fi hotspot to another. However, the second tip against timing attacks is worthwhile for everyone. It's about disabling messenger-level transmission of status information or establishing a permanent "offline" status. Most messengers provide one of these options. As for thematic forums, the logic is the same.

If it's possible to hide your status information in your messenger, hide this information.

An additional tool for defending against a timing attack may be to stop turning on the messenger along with connecting to the network. As you can understand from the attack description, the time of login/logout to the network and appearing online/offline in the messenger are checked. With forums, you have made an advance login/logout, thereby avoiding a timing attack.

The % of false positive results is allowed, but it must not be very large. If the target of the attack connects to Tor and only an hour later launches a messenger, it will be very difficult to associate login and status in the messenger, as well as the forum.

Any analysis, collection of information via OSINT techniques is a pure logic do not ever forget it!

| It all depends on how much heritage, who pooped, in what amount the damage was done, the interest of state agencies or rarely - private offices and many other factors. I think I understand, at least a little bit.

| Check out:

You have already understood that this is one of the attack vectors, aimed at doxxing of someone, related to weak IS control of time synchronization policy (leakage of present time, login/logout in messenger, forum), during which the information about the time on user's device is obtained (namely the present time, not that which is spoofed/changed in the system settings). But or the method of monitoring the entry/exit to the messenger, thematic forum, you have already understood.

But here are all possible attack vectors:

  • ⚒ Application-level Traffic

  • ⚒ Denial of Service

  • ⚒ Locating Onion Services

  • ⚒ Remote Code Execution

  • ⚒ Remote Device Fingerprinting

  • ⚒ Replay Attacks

There are also Clock Leak Attack vectors:

  • ⚒ ICMP Timestamps

  • ⚒ NTP Clients

  • ⚒ TCP Initial Sequence Numbers (ISNs)

  • ⚒ TCP Timestamps

You can find detailed information about time synchronization mechanisms from whonix (

The most interesting is that there is a protection against it.

Most of them use sdwdate.

You can read more about it here: in conjunction with software that moves the clock a few seconds or nanoseconds into the past or future at boot time randomly (often pseudo-random) or called Boot Clock Randomization, although sdwdate has a similar function (to some extent). This way you can confidently protect yourself from time-base fingerprinting and just from setting the connection time, about which I wrote above. The main thing is to use sdwdate (which sort of randomizes the system clock too), by the way, it will be much safer than using programs to synchronize and set the system time:

! Sdwdate has been proven to randomize the clock wrongly, so it is better to use it in conjunction with the above mentioned bootclockrandomization (

As a counter-measure to the attack on getting TCP ISN CPU information, tirdad ( was developed.

Also better still:

  • ⚒ disable TCP timestamps(TCP timestamp) with kernel sysctl

  • ⚒ do not forget to work with iptables to limit (block) incoming ICMP messages and traffic.

  • ⚒ remove timer output function from linux TCP ISN code (tirdad above, but you can do it manually).

So, it is possible to protect against a Time Attack, and do it successfully, but much will depend on your vigilance, willingness to dig into the technical documentation tools above. And of course, in the aspect of your IS, the choice of operating system is important, of course if you are on windows or macOS, that's too bad.

All these tools and add-ons, are already available in whonix ( and QubeOs cube ( But I recommend to stop with whonix!

| Tip: Press New Identity in Tor more often, suggest doing it once in a hour.

You and I have figured out both the attack vectors and the possibility of protection, and, most importantly, you have understood the logic of this attack vector.

I would like to wish everyone to become more educated, smarter and richer. Stay safe!

| Disclaimer ❗️ This is the translation of originally written article written originally by, edited by and translated, edited by

Support is very important to me, with it I can spend less time at work and do what I love - educating DeFi & Crypto users!

If you want to support my work, you can send me a donation to the address:

Thank you! ❤️

Subscribe to Officer's Blog
Receive the latest updates directly to your inbox.
This entry has been permanently stored onchain and signed by its creator.