Attendees of the Black Hat security conference were looking forward to finding out next month how the average person can identify people using Tor, a browser that masks the identity of users so people can do things like buy and sell drugs online and communicate privately without fear of people intercepting their chats and emails.
But lawyers from Carnegie Mellon University, where the researchers work, requested that Black Hat pull the talk, Reuters reported.
The talk was titled “You Don’t Have To Be the NSA to Break Tor: De-Anonymizing Users on a Budget.”
Tor has frustrated the FBI, NSA, and other intelligence agencies seeking to tap into online communications. When the FBI busted the illicit Tor website Silk Road, it relied on other clues, like postings on non-encrypted websites, that helped it identify the man behind the operation, Ross Ulbricht.
The researchers from Carnegie Mellon were planning to explain techniques that let them find out the identity of Tor users, as well as talk about cases in which criminals had been found.
There has been much speculation about why the popular talk was pulled from the conference. The Software Engineering Institute, a research arm of the university, is funded by the Defense Department and the Computer Emergency Response Team, which also works with the U.S. government. According to Reuters, one of the researchers worked there and hadn’t sought permission from his employers for the talk:
[Black Hat spokeswoman Meredith] Corley said a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the materials he would discuss have not been approved for public release by the university or the Software Engineering Institute (SEI).
The Tor Project, a nonprofit that helps distribute and develop Tor software, was not involved in the removal of the presentation from the conference. In a statement released Monday night, the group said that it supports research on bugs and other security vulnerabilities:
We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.
Tor officials have promised a fix for the bug that allowed researchers to find the identity of users. In an email to users, Tor project leader Roger Dingledine said:
Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world. And of course these things are never as simple as “close that one bug and you’re 100% safe”.