Carnegie Mellon Kills Black Hat Talk About Identifying Tor Users -- Perhaps Because It Broke Wiretapping Laws

from the questionable-legality dept

Mon, Jul 21st 2014 12:20pm — Mike Masnick

There's some buzz in security circles today after it came out that a session at the upcoming Black Hat Conference entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" by Michael McCord and Alexander Volynkin (both of whom work for Carnegie-Mellon University and CERT) had been pulled from the conference at the request of CMU.

A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment.

There's been plenty of speculation about what's going on, but Chris Soghoian has a pretty good thesis that the researchers likely didn't have institutional approval or consent of the users they were identifying, meaning that they were potentially violating wiretapping statutes. As he notes, running a Tor server to try to spy on Tor traffic without talking to lawyers is a very bad idea. While it hasn't yet been confirmed that this is what happened, it certainly is a pretty sensible theory.

Of course, none of that changes the fact that it's possible to identify some Tor users. But... that's also not particularly new. In fact, we've discussed in the past how the feds can identify Tor users. Tor adds an important layer of protection, but there are plenty of ways that you can still be identified while using Tor. Just ask Russ Ulbricht. The problem isn't so much Tor itself but how people use it -- and the simple fact is that most people use it in a way that will eventually reveal who they are. While it's not definite, it seems likely that this is what the talk would have revealed. Shutting it down wasn't any sort of big attempt to cover up this fact, but perhaps it was to protect the researchers and CMU (potentially) from a lawsuit for violating wiretapping laws.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: alexander volynkin, anonymity, blackhat, michael mccord, privacy, tor, wiretapping laws, wiretaps
Companies: carnegie mellon, cert

8 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Chronno S. Trigger (profile), 21 Jul 2014 @ 5:26pm

Well, if you show how to find people on TOR on the cheap, people will learn to hid themselves better and the NSA can't do it any more.
[ link to this | view in chronology ]
John Fenderson (profile), 21 Jul 2014 @ 8:10pm

Security isn't in the tools
The problem isn't so much Tor itself but how people use it

This. And it's not just Tor, it's true for all security tools including (maybe especially) encryption. People seem to believe that there exists some tool, some fire-and-forget software that will make them secure. The trouble is that it doesn't exist, and never has.

Security comes through behaviors, not tools. While tools are essential to maintaining high security, they don't provide it themselves. They only enable it.

If you have installed and are using security software without adopting secure habits, you are deceiving yourself.
[ link to this | view in chronology ]
- Michael, 22 Jul 2014 @ 6:01am
  
  Re: Security isn't in the tools
  Dear Mr. Fenderson,
  
  STFU
  
  - The NSA
  [ link to this | view in chronology ]
- BernardoVerda (profile), 23 Jul 2014 @ 1:58am
  
  Re: Security isn't in the tools
  This way of thinking is part of the environment that consumers are exposed to every day.
  
  It's even more prevalent in the technology sphere (including computers and personal electronics) than elsewhere (eg, Microsoft's "Start" button, or the entire Apple product line). From cooking to personal finance, it's presented as something that the vendor can offer, and that the consumer can should expect. (I leave the application of this perspective to the world view provided by sit-coms as an exercise for the reader).
  
  One office-supply and electronics retail chain in my part of the world even has, as its marketing motif, something semi-facetiously called The 'Easy' Button.
  [ link to this | view in chronology ]
stman, 22 Jul 2014 @ 2:39am

A fully agree with John Fenderson !
You are right bro. I keep saying this in the french hacktivist scene because it is the fucking truth.

Crypto Tools without corresponding security procedures / measures / methods are almost useless, and indeed counter productive because people think they are protected while they are NOT.

I tryed to teach that deeper in France to some people like RSF (Reporter Sans Frontières) working with Free Press Journalist to remind them that "Tools" are just a mandatory but not sufficient part of the solution to keep journalists safe.

Thing are evolving now, and "risky people" like journalist or NGO's are more and more conscious of the problem. But it was really a hard work to spread the word.

Kind regards dear brother.

Stman.
@Stmanfr
[ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 11:02am

Here's one of the Tor developers commenting on how the Black Hatters probably exploited Tor.

"Based on our current plans, we'll be putting out a fix that relays can
apply that should close the particular bug they found. The bug is a nice
bug, but it isn't the end of the world. And of course these things are
never as simple as "close that one bug and you're 100% safe".

https://lists.torproject.org/pipermail/tor-talk/2014-July/033956.html
[ link to this | view in chronology ]
Anonymous Coward, 22 Jul 2014 @ 1:06pm

The problem isn't so much Tor itself but how people use it. To some extent. Tor itself has had shortcomings from time to time that users would have had no way of protecting from.

http://blog.malwarebytes.org/intelligence/2013/08/firefox-zero-day-used-to-reveal-identities-do es-the-end-justify-the-means/
http://ha.ckers.org/blog/20070926/de-anonymizing-tor-and-detecting-prox ies/
http://www.internetsociety.org/doc/sniper-attack-anonymously-deanonymizing-and-disabling-tor-net work

Some were very simple, some fairly cheap, and some no one could have known about without auditing Firefox. But the fact remains that Tor is not and will never be 100% anonymous. 99.999% sure, but blaming the users refusing to acknowledge this fact is the reason people get caught.
[ link to this | view in chronology ]
JD007, 5 Aug 2014 @ 9:22pm

The attempt by CMU experts to unmask Tor Project software was appalling
There was a letter to editor in local Pittsburgh Post-Gazette criticizing the usually-lauded CMU re. Tor: "The attempt by CMU experts to unmask Tor Project software was appalling" |

http://www.post-gazette.com/opinion/letters/2014/08/05/The-attempt-by-CMU-experts-to-unmask-Tor-Proj ect-software-was-appalling/stories/201408050074

I tried leaving a few comments there and cited this article but didn't find much support and wonder if anyone else would check it out and see if something more forceful is warranted?
[ link to this | view in chronology ]