Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps Because It Broke Wiretapping Laws

from the questionable-legality dept

There's some buzz in security circles today after it came out that a session at the upcoming Black Hat Conference entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" by Michael McCord and Alexander Volynkin (both of whom work for Carnegie-Mellon University and CERT) had been pulled from the conference at the request of CMU.
A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment.
There's been plenty of speculation about what's going on, but Chris Soghoian has a pretty good thesis that the researchers likely didn't have institutional approval or consent of the users they were identifying, meaning that they were potentially violating wiretapping statutes. As he notes, running a Tor server to try to spy on Tor traffic without talking to lawyers is a very bad idea. While it hasn't yet been confirmed that this is what happened, it certainly is a pretty sensible theory.

Of course, none of that changes the fact that it's possible to identify some Tor users. But... that's also not particularly new. In fact, we've discussed in the past how the feds can identify Tor users. Tor adds an important layer of protection, but there are plenty of ways that you can still be identified while using Tor. Just ask Russ Ulbricht. The problem isn't so much Tor itself but how people use it -- and the simple fact is that most people use it in a way that will eventually reveal who they are. While it's not definite, it seems likely that this is what the talk would have revealed. Shutting it down wasn't any sort of big attempt to cover up this fact, but perhaps it was to protect the researchers and CMU (potentially) from a lawsuit for violating wiretapping laws.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: alexander volynkin, anonymity, blackhat, michael mccord, privacy, tor, wiretapping laws, wiretaps
Companies: carnegie mellon, cert


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Chronno S. Trigger (profile), 21 Jul 2014 @ 5:26pm

    Well, if you show how to find people on TOR on the cheap, people will learn to hid themselves better and the NSA can't do it any more.

    link to this | view in chronology ]

  • icon
    John Fenderson (profile), 21 Jul 2014 @ 8:10pm

    Security isn't in the tools

    The problem isn't so much Tor itself but how people use it


    This. And it's not just Tor, it's true for all security tools including (maybe especially) encryption. People seem to believe that there exists some tool, some fire-and-forget software that will make them secure. The trouble is that it doesn't exist, and never has.

    Security comes through behaviors, not tools. While tools are essential to maintaining high security, they don't provide it themselves. They only enable it.

    If you have installed and are using security software without adopting secure habits, you are deceiving yourself.

    link to this | view in chronology ]

    • identicon
      Michael, 22 Jul 2014 @ 6:01am

      Re: Security isn't in the tools

      Dear Mr. Fenderson,

      STFU

      - The NSA

      link to this | view in chronology ]

    • icon
      BernardoVerda (profile), 23 Jul 2014 @ 1:58am

      Re: Security isn't in the tools

      This way of thinking is part of the environment that consumers are exposed to every day.

      It's even more prevalent in the technology sphere (including computers and personal electronics) than elsewhere (eg, Microsoft's "Start" button, or the entire Apple product line). From cooking to personal finance, it's presented as something that the vendor can offer, and that the consumer can should expect. (I leave the application of this perspective to the world view provided by sit-coms as an exercise for the reader).

      One office-supply and electronics retail chain in my part of the world even has, as its marketing motif, something semi-facetiously called The 'Easy' Button.

      link to this | view in chronology ]

  • identicon
    stman, 22 Jul 2014 @ 2:39am

    A fully agree with John Fenderson !

    You are right bro. I keep saying this in the french hacktivist scene because it is the fucking truth.

    Crypto Tools without corresponding security procedures / measures / methods are almost useless, and indeed counter productive because people think they are protected while they are NOT.

    I tryed to teach that deeper in France to some people like RSF (Reporter Sans Frontières) working with Free Press Journalist to remind them that "Tools" are just a mandatory but not sufficient part of the solution to keep journalists safe.

    Thing are evolving now, and "risky people" like journalist or NGO's are more and more conscious of the problem. But it was really a hard work to spread the word.

    Kind regards dear brother.

    Stman.
    @Stmanfr

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jul 2014 @ 11:02am

    Here's one of the Tor developers commenting on how the Black Hatters probably exploited Tor.

    "Based on our current plans, we'll be putting out a fix that relays can
    apply that should close the particular bug they found. The bug is a nice
    bug, but it isn't the end of the world. And of course these things are
    never as simple as "close that one bug and you're 100% safe".

    https://lists.torproject.org/pipermail/tor-talk/2014-July/033956.html

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Jul 2014 @ 1:06pm

    The problem isn't so much Tor itself but how people use it. To some extent. Tor itself has had shortcomings from time to time that users would have had no way of protecting from.

    http://blog.malwarebytes.org/intelligence/2013/08/firefox-zero-day-used-to-reveal-identities-do es-the-end-justify-the-means/
    http://ha.ckers.org/blog/20070926/de-anonymizing-tor-and-detecting-prox ies/
    http://www.internetsociety.org/doc/sniper-attack-anonymously-deanonymizing-and-disabling-tor-net work

    Some were very simple, some fairly cheap, and some no one could have known about without auditing Firefox. But the fact remains that Tor is not and will never be 100% anonymous. 99.999% sure, but blaming the users refusing to acknowledge this fact is the reason people get caught.

    link to this | view in chronology ]

  • identicon
    JD007, 5 Aug 2014 @ 9:22pm

    The attempt by CMU experts to unmask Tor Project software was appalling

    There was a letter to editor in local Pittsburgh Post-Gazette criticizing the usually-lauded CMU re. Tor: "The attempt by CMU experts to unmask Tor Project software was appalling" |

    http://www.post-gazette.com/opinion/letters/2014/08/05/The-attempt-by-CMU-experts-to-unmask-Tor-Proj ect-software-was-appalling/stories/201408050074

    I tried leaving a few comments there and cited this article but didn't find much support and wonder if anyone else would check it out and see if something more forceful is warranted?

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.