Techdirt is on holiday this Thursday and Friday. We'll be back with our regular posts on the weekend!Hide

Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps Because It Broke Wiretapping Laws

from the questionable-legality dept

There's some buzz in security circles today after it came out that a session at the upcoming Black Hat Conference entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" by Michael McCord and Alexander Volynkin (both of whom work for Carnegie-Mellon University and CERT) had been pulled from the conference at the request of CMU.
A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment.
There's been plenty of speculation about what's going on, but Chris Soghoian has a pretty good thesis that the researchers likely didn't have institutional approval or consent of the users they were identifying, meaning that they were potentially violating wiretapping statutes. As he notes, running a Tor server to try to spy on Tor traffic without talking to lawyers is a very bad idea. While it hasn't yet been confirmed that this is what happened, it certainly is a pretty sensible theory.

Of course, none of that changes the fact that it's possible to identify some Tor users. But... that's also not particularly new. In fact, we've discussed in the past how the feds can identify Tor users. Tor adds an important layer of protection, but there are plenty of ways that you can still be identified while using Tor. Just ask Russ Ulbricht. The problem isn't so much Tor itself but how people use it -- and the simple fact is that most people use it in a way that will eventually reveal who they are. While it's not definite, it seems likely that this is what the talk would have revealed. Shutting it down wasn't any sort of big attempt to cover up this fact, but perhaps it was to protect the researchers and CMU (potentially) from a lawsuit for violating wiretapping laws.

Reader Comments (rss)

(Flattened / Threaded)

  • icon
    Chronno S. Trigger (profile), Jul 21st, 2014 @ 5:26pm

    Well, if you show how to find people on TOR on the cheap, people will learn to hid themselves better and the NSA can't do it any more.

    reply to this | link to this | view in chronology ]

  • icon
    John Fenderson (profile), Jul 21st, 2014 @ 8:10pm

    Security isn't in the tools

    The problem isn't so much Tor itself but how people use it

    This. And it's not just Tor, it's true for all security tools including (maybe especially) encryption. People seem to believe that there exists some tool, some fire-and-forget software that will make them secure. The trouble is that it doesn't exist, and never has.

    Security comes through behaviors, not tools. While tools are essential to maintaining high security, they don't provide it themselves. They only enable it.

    If you have installed and are using security software without adopting secure habits, you are deceiving yourself.

    reply to this | link to this | view in chronology ]

    • identicon
      Michael, Jul 22nd, 2014 @ 6:01am

      Re: Security isn't in the tools

      Dear Mr. Fenderson,


      - The NSA

      reply to this | link to this | view in chronology ]

    • icon
      BernardoVerda (profile), Jul 23rd, 2014 @ 1:58am

      Re: Security isn't in the tools

      This way of thinking is part of the environment that consumers are exposed to every day.

      It's even more prevalent in the technology sphere (including computers and personal electronics) than elsewhere (eg, Microsoft's "Start" button, or the entire Apple product line). From cooking to personal finance, it's presented as something that the vendor can offer, and that the consumer can should expect. (I leave the application of this perspective to the world view provided by sit-coms as an exercise for the reader).

      One office-supply and electronics retail chain in my part of the world even has, as its marketing motif, something semi-facetiously called The 'Easy' Button.

      reply to this | link to this | view in chronology ]

  • identicon
    stman, Jul 22nd, 2014 @ 2:39am

    A fully agree with John Fenderson !

    You are right bro. I keep saying this in the french hacktivist scene because it is the fucking truth.

    Crypto Tools without corresponding security procedures / measures / methods are almost useless, and indeed counter productive because people think they are protected while they are NOT.

    I tryed to teach that deeper in France to some people like RSF (Reporter Sans Frontières) working with Free Press Journalist to remind them that "Tools" are just a mandatory but not sufficient part of the solution to keep journalists safe.

    Thing are evolving now, and "risky people" like journalist or NGO's are more and more conscious of the problem. But it was really a hard work to spread the word.

    Kind regards dear brother.


    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, Jul 22nd, 2014 @ 11:02am

    Here's one of the Tor developers commenting on how the Black Hatters probably exploited Tor.

    "Based on our current plans, we'll be putting out a fix that relays can
    apply that should close the particular bug they found. The bug is a nice
    bug, but it isn't the end of the world. And of course these things are
    never as simple as "close that one bug and you're 100% safe".

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, Jul 22nd, 2014 @ 1:06pm

    The problem isn't so much Tor itself but how people use it. To some extent. Tor itself has had shortcomings from time to time that users would have had no way of protecting from. es-the-end-justify-the-means/ ies/ work

    Some were very simple, some fairly cheap, and some no one could have known about without auditing Firefox. But the fact remains that Tor is not and will never be 100% anonymous. 99.999% sure, but blaming the users refusing to acknowledge this fact is the reason people get caught.

    reply to this | link to this | view in chronology ]

  • identicon
    JD007, Aug 5th, 2014 @ 9:22pm

    The attempt by CMU experts to unmask Tor Project software was appalling

    There was a letter to editor in local Pittsburgh Post-Gazette criticizing the usually-lauded CMU re. Tor: "The attempt by CMU experts to unmask Tor Project software was appalling" | ect-software-was-appalling/stories/201408050074

    I tried leaving a few comments there and cited this article but didn't find much support and wonder if anyone else would check it out and see if something more forceful is warranted?

    reply to this | link to this | view in chronology ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Insider Shop - Show Your Support!

Hide this ad »
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Techdirt Reading List
Hide this ad »
Recent Stories
Hide this ad »


Email This

This feature is only available to registered users. Register or sign in to use it.