Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users — Perhaps Because It Broke Wiretapping Laws

from the questionable-legality dept

There’s some buzz in security circles today after it came out that a session at the upcoming Black Hat Conference entitled “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” by Michael McCord and Alexander Volynkin (both of whom work for Carnegie-Mellon University and CERT) had been pulled from the conference at the request of CMU.

A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment.

There’s been plenty of speculation about what’s going on, but Chris Soghoian has a pretty good thesis that the researchers likely didn’t have institutional approval or consent of the users they were identifying, meaning that they were potentially violating wiretapping statutes. As he notes, running a Tor server to try to spy on Tor traffic without talking to lawyers is a very bad idea. While it hasn’t yet been confirmed that this is what happened, it certainly is a pretty sensible theory.

Of course, none of that changes the fact that it’s possible to identify some Tor users. But… that’s also not particularly new. In fact, we’ve discussed in the past how the feds can identify Tor users. Tor adds an important layer of protection, but there are plenty of ways that you can still be identified while using Tor. Just ask Russ Ulbricht. The problem isn’t so much Tor itself but how people use it — and the simple fact is that most people use it in a way that will eventually reveal who they are. While it’s not definite, it seems likely that this is what the talk would have revealed. Shutting it down wasn’t any sort of big attempt to cover up this fact, but perhaps it was to protect the researchers and CMU (potentially) from a lawsuit for violating wiretapping laws.

Filed Under: , , , , , , ,
Companies: carnegie mellon, cert

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users — Perhaps Because It Broke Wiretapping Laws”

Subscribe: RSS Leave a comment
John Fenderson (profile) says:

Security isn't in the tools

The problem isn’t so much Tor itself but how people use it

This. And it’s not just Tor, it’s true for all security tools including (maybe especially) encryption. People seem to believe that there exists some tool, some fire-and-forget software that will make them secure. The trouble is that it doesn’t exist, and never has.

Security comes through behaviors, not tools. While tools are essential to maintaining high security, they don’t provide it themselves. They only enable it.

If you have installed and are using security software without adopting secure habits, you are deceiving yourself.

BernardoVerda says:

Re: Security isn't in the tools

This way of thinking is part of the environment that consumers are exposed to every day.

It’s even more prevalent in the technology sphere (including computers and personal electronics) than elsewhere (eg, Microsoft’s “Start” button, or the entire Apple product line). From cooking to personal finance, it’s presented as something that the vendor can offer, and that the consumer can should expect. (I leave the application of this perspective to the world view provided by sit-coms as an exercise for the reader).

One office-supply and electronics retail chain in my part of the world even has, as its marketing motif, something semi-facetiously called The ‘Easy’ Button.

stman says:

A fully agree with John Fenderson !

You are right bro. I keep saying this in the french hacktivist scene because it is the fucking truth.

Crypto Tools without corresponding security procedures / measures / methods are almost useless, and indeed counter productive because people think they are protected while they are NOT.

I tryed to teach that deeper in France to some people like RSF (Reporter Sans Frontières) working with Free Press Journalist to remind them that “Tools” are just a mandatory but not sufficient part of the solution to keep journalists safe.

Thing are evolving now, and “risky people” like journalist or NGO’s are more and more conscious of the problem. But it was really a hard work to spread the word.

Kind regards dear brother.


Anonymous Coward says:

Here’s one of the Tor developers commenting on how the Black Hatters probably exploited Tor.

“Based on our current plans, we’ll be putting out a fix that relays can
apply that should close the particular bug they found. The bug is a nice
bug, but it isn’t the end of the world. And of course these things are
never as simple as “close that one bug and you’re 100% safe”.

Anonymous Coward says:

The problem isn’t so much Tor itself but how people use it. To some extent. Tor itself has had shortcomings from time to time that users would have had no way of protecting from.

Some were very simple, some fairly cheap, and some no one could have known about without auditing Firefox. But the fact remains that Tor is not and will never be 100% anonymous. 99.999% sure, but blaming the users refusing to acknowledge this fact is the reason people get caught.

JD007 (user link) says:

The attempt by CMU experts to unmask Tor Project software was appalling

There was a letter to editor in local Pittsburgh Post-Gazette criticizing the usually-lauded CMU re. Tor: “The attempt by CMU experts to unmask Tor Project software was appalling” |

I tried leaving a few comments there and cited this article but didn’t find much support and wonder if anyone else would check it out and see if something more forceful is warranted?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...