
How many people live in a 250 mile circle around New York?


I think the more important question is how many people in the world don't live within a 250 mile circle around New York? An investigator could potentially cut their geographical search down by 95%+.


Also the attack can be performed multiple times and if a person travels it could narrow down the possibilities quite a lot.


They had an example of the attack getting two locations back, Las Vegas and San Francisco.

So the target is somewhere in the many thousand square miles in the circle that encompasses almost half the US!


Let's say they travel between NY and LA, how many sources of data will you need to know who was in NY on a specific date and LA on a second date? Feels like only the government can reasonably locate that.


The government is a plausible adversary for Signal


FWIW if it's the government, wouldn't they be able to just get direct access to Cloudflare logs - in real-time even - and thus observe and track the specific incoming connection to fetch the cached image?


How many people live in a 250 mile circle around their Cloudflare POP?

Which Cloudflare POP I hit depends on which RSP I use. In the country I live in, our biggest RSP peers with Cloudflare in a neighboring country (as it is much cheaper for Cloudflare to send traffic via that RSP's peering exchange there). So something like 40% of traffic will seem to be from an entirely different country than reality.

My RSP is a small RSP which until fairly recently only had two POPs in the entire country. So regardless of where you lived, customers of my RSP would have traffic exiting onto the internet via only one of two exit points. Rural users would seem to be coming from one of the two largest cities in my country even if they are easily >250 miles away from their particular POP. They do peer with Cloudflare but obviously only at the locations where they and Cloudflare are in the same city (and I'm not sure this is the case -- it is possible all national traffic to Cloudflare actually goes via the one POP in our biggest city).

The only reason this attack identifies the city I happen to be in is because I live in the same city as my little RSP's biggest POP and Cloudflare happens to peer with that RSP at that POP. Where I am is a large city so doesn't narrow things down very much -- but even worse is that whoever is looking for me would actually need to look anywhere in my country.

I don't think I am a unique case as internet routing is rarely the most direct path for various technical, financial, political, etc. reasons.

De-anonymization is definitely stretching the reality of what this 'attack' is capable of IMHO.



