Anonymity systems designed to allow users to carry out actions on the Internet without identifying themselves can often be cracked with a bit of unorthodox thinking, according to a Cambridge researcher.

Stephen Murdoch, a researcher in the University of Cambridge's Security Group, outlined a number of different anonymity-cracking techniques in a recently published PhD thesis.

The techniques aim at removing the cloak provided by anonymity systems such as Tor, which can be used by legitimate users looking to protect their identities, as well as by criminals covering their tracks.

Murdoch has tested his techniques whenever possible, and his results show that even supposedly infallible techniques can often be defeated by exploiting real-world weaknesses in the systems.

One technique explored in the paper, called indirect traffic analysis, relies on examining the actions of an anonymous user, through which the user's intent and often their identity can be inferred, according to Murdoch.

For example, if an attacker is able to modify certain characteristics of an anonymised data stream coming through an anonymisation network such as Tor, the attacker can often discover the first Tor node connected to by the client, Murdoch said.

"This reduces the anonymity provided to that of a single-hop proxy, and then mundane legal mechanisms might be used to discover the initiator," Murdoch wrote.

In experimenting with such techniques on Tor, Murdoch said he was able to de-anonymise 11 out of the 13 Tor nodes tested.

One of the more outré techniques examined in the paper explores the link between processor load and the behaviour of the system's clock crystal - its "clock skew." This is because when the processor is undergoing a greater load, it is emitting more heat, which in turn affects the temperature of the clock crystal.

The link has been examined since the early 1990s in the security community, but Murdoch's innovation is to deliberately induce a pattern of processor load in an anonymous service, and use the resulting clock skew data to determine the identity of the service.

"Such an attack could be deployed in practice by an attacker using one machine to access the hidden service, varying traffic over time to cause the server to heat up or cool down," Murdoch wrote.

"Simultaneously, he probes all candidate machines for timestamps. From these the attacker infers clock skew estimates and when a correlation between the skew and the induced load pattern is found, the hidden service is de-anonymised," he wrote.

Such an attack is unlikely to be the fastest way to de-anonymise users of anonymity networks, Murdoch conceded, but he expects interest in and use of such techniques to grow.

"As systems become hardened against more conventional attacks, this attack could become a plausible threat," he wrote.