
If someone would do the thing-to-be-detected (e.g. accessing CSAM) every day, then that 0.14% probability of detection turns out to be 40% for a single year (0.9986^365) or 64% over two years, so even that would deanonymize the majority of such people over time.


That assumes you could run thousands of malicious tor nodes for several years without being detected. Unless you have vast resources and time, this is unlikely.


My point is that it doesn't require "vast resources". A VPS is $5 a month. A thousand of them would be in the disposable income budget of a single FAANG engineer never mind a nation state.

Pay people on Fiverr to set them up for you at different ISPs so that all the setup information is different. You can use crypto to pay if you want anonymity (this is actually the main reason I used to use bitcoin - I'd pay ISPs in Iceland to run TOR exit nodes for me without linking them to my identity).

This isn't a difficult problem. A single individual with a good job could do it.

And sure, each connection only has a very small chance of being found, but aggregate it over a year or two and you could catch half of the users of a site if they connected with a new circuit one time per day.

I honestly can't see why a nation state or two hasn't already done this.


> A VPS is $5 a month.

With insignificant data caps. To get the data needed I believe you're looking at a couple hundred a month, to start.


Running exit nodes is also likely to result in getting booted from most VPS or even bare metal providers, maybe unless you BYOIP.


And if you BYOIP, and run a large node, Tor volunteers will try to contact you and verify...


But it doesn't seem unfeasible for a state actor that wants to track their population then?


The comment that spawned this chain starts with:

> Let's say I as a private individual


Yes, that's why I said 'but'. It still seems relevant to the discussion and I wasn't aware that such an attack was possible.


But given the attack is just logging the cleartext at the ends how are you going to detect that the servers are malicious?


What detection? A malicious node is only different from a non-malicious node because all the traffic is being logged. If that's our definition of a malicious node in this case then there is no way to detect one.


> What detection?

Not speaking to the effectiveness of the detection (it's hard!), but there's information available, for example:

https://blog.torproject.org/malicious-relays-health-tor-netw...

https://gitlab.torproject.org/tpo/network-health/team/-/wiki...

https://gitlab.torproject.org/tpo/network-health/team/-/wiki...


I can't think of anyone with vast resources and time that would want to deanonymize cybercriminals


Outside of 3 letter agencies which is obvious, I have known people who would do this for fun or whatever other personal motivation.

A lot of "hacker" mentality projects involve putting a tremendous amount of effort into something with questionable utility.

People climb mountains because they're there.


Top commenter specifically asked about himself.


That is why in tor it picks a specific guard node and sticks with it. To prevent this kind of attack where you change nodes until you hit a bad one.


The attack Germany is thought to have actually used was to flood the network with middle nodes and wait until the victim connects to their middle node. Then, it knows the guard node's IP. Then, it went to an ISP and got logs for everyone who connected to that IP.


Technically this is the only comment in this chain that is relevant to the featured article, but it's technically so incomplete that it's almost wrong, I can tell from having read the thread and knowing next to nothing else about how TOR works.

They don't have plausible evidence to subpoena the guard node if a middle node only sees encrypted traffic. They would also need to control the exit nodes which communicate with the target's host or they simply control the host as a honeypot.


Because the victim was an onion server, they could make it generate new connections at will. They used timing correlation to determine their node was the middle node for their connection.


Assuming the guard node connects to the host when the host communicates with the client, this makes a little more sense. If I understand correctly you are saying that they did not seize a boat load of unrelated nodes and have rather fluxcompensated it with "timing correlation" and infinite funds.

Ad hominem: your username spells out MIB, Men in Black, surely you are joking.


The server connects to the guard node and tells it to connect to the middle node and tells the middle node to connect to the final node and tells the final node to connect to the rendezvous point, which already has a connection in the other direction from the client and splices them together at this point.

All Tor hosts use a small set of "guard" nodes as their first hops, because it's considered that directly connecting to a compromised node immediately reveals your IP address, in most cases. Using a small set of first hops reduces the probability that at least one of them is compromised. In older versions of Tor, the middle node is completely random, which means sometimes it is compromised. The German government is thought to have used statistical methods to identify when their compromised node was the middle node, and log the address of the node before it - the guard node. Then, they used legal methods to sniff the traffic on the guard node to find the server's IP address.

In newer versions of Tor, this is more difficult because onion servers use two layers of guard nodes - they use a small infrequently-rotated set of entry guard nodes, and a larger more-frequently-rotated set of middle guard nodes, and the third is still random.
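The two threads of argument above, the "0.14% per circuit compounds to 40% a year" calculation and the explanation of why Tor pins a small set of guard nodes, can be put side by side in a small risk model. The following is an added example, not code from the thread or from the Tor Project. It assumes (my simplification, not Tor's actual path-selection algorithm) that a circuit can be correlated only when the same adversary controls both its entry and its exit relay, that the adversary's share of guard capacity `g` and exit capacity `e` are equal, so that an unpinned circuit is compromised with probability `p = g * e = 0.0014`, and that relay selection is independent across circuits. The guard-rotation function generalises the two extremes (a fresh entry every circuit versus one guard forever) to a guard that is replaced every `guard_lifetime_days` days, which is the knob the last comment refers to when it contrasts infrequently and frequently rotated guard sets.

```python
"""Cumulative deanonymisation risk with and without persistent guards.

Added example for the Hacker News discussion above; not Tor Project code.
Model assumptions (constructed for illustration):
  * a circuit is correlatable only if BOTH its entry and exit relay belong
    to the adversary;
  * the adversary holds fraction g of guard capacity and e of exit capacity;
  * relay choices are independent across circuits.
Under these assumptions an unpinned circuit is compromised with p = g * e.
"""
import math

P_PER_CIRCUIT = 0.0014            # the thread's 0.14% per-connection figure
# Constructed split: assume equal malicious shares of guards and exits.
G_MALICIOUS = E_MALICIOUS = math.sqrt(P_PER_CIRCUIT)


def risk_no_guard(p: float, n: int) -> float:
    """Fresh random entry relay for every circuit: the probability that at
    least one of n independent circuits is compromised, 1 - (1 - p)^n.
    This is the 0.9986^365 calculation from the thread."""
    return 1.0 - (1.0 - p) ** n


def risk_with_guard(g: float, e: float, n: int) -> float:
    """One guard chosen once and kept forever. A compromise is possible only
    if that single guard is malicious (probability g); given a bad guard,
    each of the n circuits is caught when its exit is also malicious
    (probability e). The result is bounded above by g no matter how large
    n grows, which is the point of pinning guards."""
    return g * (1.0 - (1.0 - e) ** n)


def guard_rotation_risk(g: float, e: float, n_days: int,
                        guard_lifetime_days: int) -> float:
    """Guard replaced every guard_lifetime_days. Each guard period is an
    independent trial with compromise probability
        q = g * (1 - (1 - e)^L),
    and the user lives through k = ceil(n_days / L) such periods (the last
    period is counted in full, a slight overestimate). lifetime=1 reduces to
    risk_no_guard; lifetime>=n_days reduces to risk_with_guard."""
    L = guard_lifetime_days
    k = math.ceil(n_days / L)
    q = g * (1.0 - (1.0 - e) ** L)
    return 1.0 - (1.0 - q) ** k


def risk_table(horizons_days, p=P_PER_CIRCUIT,
               g=G_MALICIOUS, e=E_MALICIOUS):
    """(no-guard risk, pinned-guard risk) for each horizon in days."""
    return {n: (risk_no_guard(p, n), risk_with_guard(g, e, n))
            for n in horizons_days}


if __name__ == "__main__":
    print(f"per-circuit p={P_PER_CIRCUIT:.4f}  g=e={G_MALICIOUS:.4f}")
    print(f"{'days':>6} {'new entry each circuit':>24} {'pinned guard':>14}")
    for days, (no_guard, pinned) in risk_table([30, 365, 730, 1825]).items():
        print(f"{days:>6} {no_guard:>24.1%} {pinned:>14.1%}")
    print("\nguard rotated every L days, one-year horizon:")
    for L in (1, 7, 30, 90, 365):
        r = guard_rotation_risk(G_MALICIOUS, E_MALICIOUS, 365, L)
        print(f"  L={L:>3}: {r:.1%}")
```

Running it reproduces the 40% (one year) and 64% (two years) figures for the unpinned case and shows the pinned-guard case flattening at roughly 3.7%, the assumed malicious guard share: a user who picked an honest guard on day one stays safe however many circuits they build, and the users the adversary does catch are exactly those who drew a bad guard at selection time. The rotation table is the reason the last comment distinguishes a slowly rotated entry set from a faster-rotated middle layer: every extra guard draw is another chance to land on an adversary relay.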



