Two security researchers at Carnegie Mellon University wanted to demonstrate a proof of concept on the Black Hat 2014 conference in Las Vegas,
The highly anticipated talk on how to identify users of the Internet privacy service Tor was withdrawn from the upcoming Black Hat 2014 security conference.
The talk was canceled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers, the spokeswoman, Meredith Corley, told Reuters.
The committee of the university did not give permission
Corley said a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the materials he would discuss have not been approved for public release by the university or the Software Engineering Institute (SEI).
It was unclear what aspects of the research concerned the university. The institute, based at the university, is funded by the Defense Department. SEI also runs CERT, historically known as the Computer Emergency Response Team, which works with the Department of Homeland Security on major cybersecurity issues.
This is the announcement deleted from the blackhat website.
You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget The Tor network has been providing a reasonable degree of anonymity to individuals and organizations worldwide. It has also been used for distribution of child pornography, illegal drugs, and malware. Anyone with minimal skills and resources can participate on the Tor network. Anyone can become a part of the network. As a participant of the Tor network, you can choose to use it to communicate anonymously or contribute your resources for others to use. There is very little to limit your actions on the Tor network. There is nothing that prevents you from using your resources tode-anonymize the network’s users instead by exploiting fundamental flaws in Tor design and implementation. And you don’t need the NSA budget to do so. Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild…In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity. In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months. The total investment cost? Just under $3,000. During this talk, we will quickly cover the nature, feasibility, and limitations of possible attacks, and then dive into dozens of successful real-world de-anonymization case studies, ranging from attribution of botnet command and control servers, to drug-trading sites, to users of kiddie porn places. The presentation will conclude with lessons learned and our thoughts on the future of security of distributed anonymity networks.
Spokesmen for Carnegie Mellon and the Defense Department did not comment on the cancellation. One official said DHS had played no role in pulling the talk.
The question remains why the talk was cancelled. Some suggest the ties with various US government security agencies others suspect ethical reasons. For example many people who live in countries where the regime is suppressing the freedom of speech and they use tor to stay save.
But the second motive is highly questionable. Presenting the proof of concept would only strengthen the Tor project but in that case various US government security agencies will lose an important spy-ing tool.
The volunteer-run Tor network allows users to surf anonymously on the internet. For this purpose, various forms of encryption is used. Among other things, the NSA has a lot of interest in users of the Tor network and tries to identify them, for example by exploiting browser bugs.
Continue reading →
