Tor Security Talk Cancelled at Black Hat Conference

A presentation on cracking the anonymity of the TOR network scheduled to be held at the upcoming Black Hat USA conference in Las Vegas has been cancelled.

The presentation, titled ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’, has been pulled from the schedule – a relatively rare but not unheard of occurrence at the security conference. The research was performed by CERT/Carnegie Mellon researchers Alexander Volynkin and Michael McCord.

According to a posting on the Black Hat Website, the conference organizers were informed late last week by the legal counsel of the Software Engineering Institute (SEI) and Carnegie Mellon University (CMU) that Volynkin would not be able to speak at the conference because the content of the talk had not yet been approved by CMU or SEI for public release.

Short for ‘The Onion Router’, Tor works by directing Internet traffic through a network of thousands of relays in order to conceal a user’s location and activity. Though it was originally sponsored by the U.S. Naval Research Laboratory, it is now under the province of the Tor Project.

In the now deleted description of the talk, Volynkin and McCord wrote that they discovered that a persistent adversary with a handful of powerful servers and a few gigabit links can deanonymize hundreds of thousands of Tor clients and thousands of hidden services in a couple months – all with a budget of just $3,000.

In a post on the ‘Tor-Talk’ mailing list, Tor Project Leader Roger Dingledine stated that the Tor Project did not ask Black Hat or CERT (Computer Emergency Response Team) to cancel the talk, though the project did have questions for the presenter about aspects of the research. The Tor Project had been informally shown some materials in response to its questions, he added, but never received slides or any description of what would be in the talk itself beyond what was available on the Black Hat webpage.  

“We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks,” he wrote Monday. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with.”

He also added that the organization was working with CERT to do a coordinated disclosure of the details of the talk. In another posting to the list, he explained that he believes he has a “handle” on what the researchers did and how to fix it, but feels it would have been smoother if they had opted to tell the project everything.

“The main reason for trying to be delicate is that I don’t want to discourage future researchers from telling us about neat things that they find,” he wrote. “I’m currently waiting for them to answer their mail so I can proceed.”

“Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found,” he wrote. “The bug is a nice bug, but it isn’t the end of the world. And of course these things are never as simple as ‘close that one bug and you’re 100% safe’.”

The Black Hat conference will run from Aug. 2 to Aug. 7 at Mandalay Bay Hotel and Casino, with the briefings occurring on the 6th and 7th.

*This story was updated with additional commentary and information.