Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users — Perhaps Because It Broke Wiretapping Laws
from the questionable-legality dept
There’s some buzz in security circles today after it came out that a session at the upcoming Black Hat Conference entitled “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” by Michael McCord and Alexander Volynkin (both of whom work for Carnegie-Mellon University and CERT) had been pulled from the conference at the request of CMU.
A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment.
There’s been plenty of speculation about what’s going on, but Chris Soghoian has a pretty good thesis that the researchers likely didn’t have institutional approval or consent of the users they were identifying, meaning that they were potentially violating wiretapping statutes. As he notes, running a Tor server to try to spy on Tor traffic without talking to lawyers is a very bad idea. While it hasn’t yet been confirmed that this is what happened, it certainly is a pretty sensible theory.
Of course, none of that changes the fact that it’s possible to identify some Tor users. But… that’s also not particularly new. In fact, we’ve discussed in the past how the feds can identify Tor users. Tor adds an important layer of protection, but there are plenty of ways that you can still be identified while using Tor. Just ask Ross Ulbricht. The problem isn’t so much Tor itself but how people use it — and the simple fact is that most people use it in a way that will eventually reveal who they are. While it’s not definite, it seems likely that this is what the talk would have revealed. Shutting it down wasn’t any sort of big attempt to cover up this fact, but perhaps it was to protect the researchers and CMU (potentially) from a lawsuit for violating wiretapping laws.
Comments on “Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users — Perhaps Because It Broke Wiretapping Laws”
Well, if you show how to find people on TOR on the cheap, people will learn to hide themselves better and the NSA can’t do it any more.
Security isn't in the tools
This. And it’s not just Tor, it’s true for all security tools including (maybe especially) encryption. People seem to believe that there exists some tool, some fire-and-forget software that will make them secure. The trouble is that it doesn’t exist, and never has.
Security comes through behaviors, not tools. While tools are essential to maintaining high security, they don’t provide it themselves. They only enable it.
If you have installed and are using security software without adopting secure habits, you are deceiving yourself.
Re: Security isn't in the tools
Dear Mr. Fenderson,
STFU
– The NSA
Re: Security isn't in the tools
This way of thinking is part of the environment that consumers are exposed to every day.
It’s even more prevalent in the technology sphere (including computers and personal electronics) than elsewhere (e.g., Microsoft’s “Start” button, or the entire Apple product line). From cooking to personal finance, it’s presented as something that the vendor can offer, and that the consumer can and should expect. (I leave the application of this perspective to the world view provided by sit-coms as an exercise for the reader).
One office-supply and electronics retail chain in my part of the world even has, as its marketing motif, something semi-facetiously called The ‘Easy’ Button.
I fully agree with John Fenderson!
You are right bro. I keep saying this in the French hacktivist scene because it is the fucking truth.
Crypto Tools without corresponding security procedures / measures / methods are almost useless, and indeed counter productive because people think they are protected while they are NOT.
I tried to teach that deeper in France to some people like RSF (Reporter Sans Frontières) working with Free Press Journalists to remind them that “Tools” are just a mandatory but not sufficient part of the solution to keep journalists safe.
Things are evolving now, and “risky people” like journalists or NGOs are more and more conscious of the problem. But it was really hard work to spread the word.
Kind regards dear brother.
Stman.
@Stmanfr
Here’s one of the Tor developers commenting on how the Black Hatters probably exploited Tor.
“Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world. And of course these things are never as simple as ‘close that one bug and you’re 100% safe’.”
https://lists.torproject.org/pipermail/tor-talk/2014-July/033956.html
The problem isn’t so much Tor itself but how people use it. To some extent. Tor itself has had shortcomings from time to time that users would have had no way of protecting from.
http://blog.malwarebytes.org/intelligence/2013/08/firefox-zero-day-used-to-reveal-identities-does-the-end-justify-the-means/
http://ha.ckers.org/blog/20070926/de-anonymizing-tor-and-detecting-proxies/
http://www.internetsociety.org/doc/sniper-attack-anonymously-deanonymizing-and-disabling-tor-network
Some were very simple, some fairly cheap, and some no one could have known about without auditing Firefox. But the fact remains that Tor is not and will never be 100% anonymous. 99.999% sure, but blaming the users refusing to acknowledge this fact is the reason people get caught.
The attempt by CMU experts to unmask Tor Project software was appalling
There was a letter to editor in local Pittsburgh Post-Gazette criticizing the usually-lauded CMU re. Tor: “The attempt by CMU experts to unmask Tor Project software was appalling”
http://www.post-gazette.com/opinion/letters/2014/08/05/The-attempt-by-CMU-experts-to-unmask-Tor-Project-software-was-appalling/stories/201408050074
I tried leaving a few comments there and cited this article but didn’t find much support and wonder if anyone else would check it out and see if something more forceful is warranted?