
Black Hat Cancels Presentation on Cracking Tor

Tor said it did not ask Black Hat, CERT, or Carnegie Mellon to pull the presentation from the conference lineup.

By Chloe Albanesius
July 22, 2014

A presentation at the Black Hat conference about weaknesses within the Tor network has been canceled.

Alexander Volynkin, a researcher with CERT/Carnegie Mellon, was scheduled to give a talk titled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" at the hacker conference, which kicks off Aug. 2.

But conference organizers this week announced that the presentation has been pulled from the lineup after the Software Engineering Institute (SEI) and Carnegie Mellon University informed them that "the materials that [Volynkin] would be speaking about have not yet [been] approved by CMU/SEI for public release."

Tor is a free network of tunnels for routing Web requests and page downloads. It's supposed to make it impossible for the site you access to figure out who you are, and was once an acronym for "The Onion Router," the implication being there are many layers of security offered.

Last year, documents leaked by Edward Snowden suggested that federal agencies were working on cracking Tor to identify those using it. It appeared, however, that only those with vulnerable bugs were susceptible to interception.

There are legitimate reasons why law enforcement might want to crack Tor. The online black market Silk Road obscured its activities using Tor, after all. However, Web users who want a little Internet anonymity for non-nefarious purposes might also find themselves in the NSA's clutches. A report released earlier this month from German site Tagesschau found that the NSA flags anyone using the Tor network for long-term surveillance and retention.

In a blog post, Roger Dingledine, an original developer of Tor and current project leader, director, and researcher at The Tor Project, said Tor did not ask Black Hat or CERT to cancel Volynkin's talk.

"We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made," Dingledine wrote.

CERT "informally" showed Tor some of its materials in response to Tor's questions, but "we never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat Webpage," Dingledine said.

In a follow-up post on the Tor Project forums, Dingledine said he believes he has a handle on the exploit that Volynkin identified and how to fix it. But it "would have been smoother if [CERT had] opted to tell us everything."

Still, Tor is trying to be "delicate" so as not to discourage researchers from reporting bugs in the future.

"We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks," he said. "Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with."

For now, Tor plans to roll "out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world. And of course these things are never as simple as 'close that one bug and you're 100 percent safe.'"
