Presentation contains details not approved for public release

Jul 22, 2014 12:02 GMT

A presentation scheduled for this year's Black Hat USA security conference by researchers working at Carnegie Mellon University in Pittsburgh, which was supposed to describe a low-cost method to reveal the identity of users relying on the TOR network for anonymity, was cancelled late last week.

The decision was sent to the organizers of the conference by the legal counsel for the Software Engineering Institute (SEI) and Carnegie Mellon University, and was motivated by the fact that the details of the talk had not been approved by SEI and the University.

TOR (The Onion Router) is an open-source service designed to provide anonymous browsing and fight censorship. However, for this reason, it is also used by various actors to conduct illegal activities.

It is a network of nodes that relay encrypted communication between the sender and the receiver, through multiple, random proxy servers. Lately, techniques have been developed to de-anonymize the users, mostly by law enforcement agencies seeking to capture criminals.

The presentation was supposed to be given by Alexander Volynkin, a research scientist with the University’s Computer Emergency Response Team (CERT), and was titled “You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget.”

“Unfortunately, Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet been approved by CMU/SEI for public release,” the conference organizers inform in a note on the event’s website.

The reasons behind this turn of events are unclear, but the one thing that is certain is that the request did not come from the people involved directly in the TOR project.

Roger Dingledine, the TOR project leader, said that they’re working with CERT in order to disclose the details, which could happen this week.

“We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made,” says Dingledine.

He also mentions that he was offered some details about the now cancelled presentation, but nothing in-depth. The team behind the anonymity network is interested in any research touching their project and agrees with the responsible disclosure of new forms of attack.

Although removing the talk from the schedule of the conference is shrouded in mystery at the moment, some may speculate that the nature of the details supposed to be revealed would have violated federal wiretapping laws.

In the now-deleted description of the presentation, researchers Alexander Volynkin and Michael McCord said that nothing stops someone from using their resources to de-anonymize the network’s users “by exploiting fundamental flaws in Tor by design and implementation.”

They also said that the operation required a little less than $3,000 / €2,224 and could lead to finding the identity of “hundreds of thousands of TOR clients and thousands of hidden services within a couple of months.”