Actually the MAC address is a key point. Having worked for a very large ISP, I can assure you MAC addresses are frequently recorded along with the DHCP request and time. How long those logs are kept depends on the provider.
There were more than a few instances where we assisted (after a warrant) in investigations involving stolen laptops where the owners had recorded the MAC and we were able to tie them back to user accounts based on checks through our DHCP logs.
Get the mac, tie it to an IP. Check which modem that IP was assigned to on the date in question, tie the serial of that modem to a customer account...
Tor would actually be a poor choice for use on any machine not under your own direct control courtesy of appliances like Bluecoat.
Copied from a reply I made on focus-ids on SecurityFocus:
"you prevent this generating a warning to the user is by creating a CA for your domain and ensuring all machines have this set as a trusted CA. If you are using something like Bluecoat, you then intercept and re-sign the certs with that CA or a subsidiary of the CA. The users machine automatically trusts that re-signed certificate because of these previous steps, and allows you to inspect the SSL traffic"
So if the machine you are on is administered by anyone but yourself (and you aren't in the habit of checking every individual cert) your ssl traffic can be inspected.
Fair, but how hard is it really to obtain the mac address of a system if the person is already under some measure of scrutiny by the state?
Given that it's a relatively easy step to take, why not a script that changes the mac randomly at boot?
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.