Researchers from Carnegie Mellon University have been told to keep quiet
Organisers of the Black Hat security conference have cancelled a keynote which was apparently due to reveal how to identify users of the Tor network, after receiving a complaint from Carnegie Mellon University.
The abstract for the keynote entitled “You don’t have to be the NSA to break Tor: de-anonymizing users on a budget,” has been removed from the Black Hat website.
A spokeswoman for the University told Reuters that the researchers did not receive permission to publish the materials developed at the government-funded Software Engineering Institute (SEI).
There’s no further information on the exact methods used to compromise Tor’s encryption and traffic routing protocols.
Anonymity is dead?
The Tor Project is a free encrypted network that is believed to conceal a user’s location or Internet use from anyone conducting network surveillance or traffic analysis.
Originally sponsored by the US Naval Research Laboratory, today the project hosts a variety of content, from news and secure communication services to drugs bazaars and things like The Hidden Wiki, a collection of illegal instructions and manuals.
The project simultaneously helps activists, dissidents and journalists to evade oppressive governments, while also enabling cyber criminals to conduct their dealings in secret.
Carnegie Mellon researchers Alexander Volynkin and Michael McCord were due to reveal how to track Tor users “on a budget” at a conference in Las Vegas in August. They have claimed it is possible to “de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months,” using equipment worth just $3,000. However, the talk will not be going ahead.
The topic was always going to divide the audience at Black Hat, which traditionally includes representatives of the US intelligence community.
The secret documents released by Edward Snowden last year detailed repeated efforts by the US National Security Agency (NSA) to crack Tor, and similar work has been conducted by the UK’s National Cyber Crime Unit (NCCU). However, the security of the network was thought to have remained intact. Indeed, Snowden himself used Tor as a preferred method of communication with journalists.
Even though notorious Tor users are sometimes apprehended by authorities, like in the cases of Ross William Ulbricht AKA ‘Dread Pirate Roberts’ and Eric Eoin Marques, the alleged head of Freedom Hosting, the suspects are usually tracked through software used alongside Tor, rather than through the anonymisation network itself.
SEI at Carnegie Mellon University, where both researchers are based, is funded by the US Department of Defence. It also runs the Computer Emergency Response Team (CERT), which develops exercises, courses, and systems for the US Department of Homeland Security (DHS).
The organisation clearly has enough clout to make anonymity advocates nervous, and the Tor community will certainly keep an eye on SEI in the coming weeks.
An unnamed official told Reuters that the DHS had no part in cancelling the talk. The Tor Project has also denied it had anything to do with the cancellation.