
Black Hat Presentation On Tor Cancelled, Developers Working on Bug Fix

Posted by Soulskill
from the you-can't-say-that-on-television dept.
alphadogg writes: A presentation on a low-budget method to unmask users of Tor, a popular online privacy tool, will no longer go ahead at the Black Hat security conference early next month. The talk was nixed by the legal counsel of Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website. Tor project leader Roger Dingledine said, "I think I have a handle on what they did, and how to fix it. ... Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world." Tor's developers were "informally" shown materials about the bug, but never saw any details about what would be presented in the talk.
  • by SeaFox (739806)

    A black hat presentation was cancelled for legal considerations? Am I reading that right?

    • by Anonymous Coward

      It's got to be an NSL. It's the only thing that makes sense. It's not like Tor is a privately owned product. Who's going to sue for revealing information? Can anyone from academia present an example where they couldn't publish/lecture because they were exposed to information they did not sign a confidentiality agreement to see? If it's not an NSL, if I were Alexander Volynkin, I'd be eager to leave the institution that was sabotaging my career over their misplaced sense of what is "proper" at a "bla

      • Re:What? (Score:5, Informative)

        by dunkindave (1801608) on Tuesday July 22, 2014 @08:44PM (#47512097)
        Put your tin foil away. People at institutions like Carnegie Mellon's Software Engineering Institute typically work on grants and funding that come with conditions, such as the funder owns the material or can dictate its dissemination. It sounds like the researchers discovered something they thought interesting, looked around and decided BlackHat would be a good place to present, then the lawyers pointed out that they hadn't yet received the required permissions per the funding agreement/grant so they have backed off for now.

        An NSL is a directive to disclose info that may include the requirement not to reveal the disclosure occurred. An NSL is not a way to simply order someone to be quiet.
    • NSA and FBI don't want you to know they've broken TOR.

      There are several ways you can break TOR. It's been talked about here for some time. They want computer criminals to think they're safe so long as they stay in Tor and use bitcoins etc. They're not. It's trickier to track people down through Tor but far from impossible.

      • by thejynxed (831517)

        I remember reading about flaws, exploits, etc. that broke Tor anonymous browsing/data transfer as far back as 2005 or so. Some of these issues are still there because they honestly can't be fixed without a complete overhaul of how the entire thing is coded and works. Instead they have fixed what they could, and coded in mitigations for the rest.

        It goes without saying though, that Tor, like many other things online, is, was, and always will be vulnerable to MITM attacks.

  • by Taco Cowboy (5327) on Tuesday July 22, 2014 @08:17PM (#47511943) Journal

    Many of you think that TOR is a godsend, that TOR provides you with absolute privacy

    But you guys must understand that TOR itself is actually from a project sponsored by Uncle Sam - and its initial usage was to thaw the cyber iron-curtains (something like the Great Firewall of China)

    I do use TOR, but I do reckon that there might be a certain "permissible flaw" in it since it is, after all, an Uncle Sam project

    Call me paranoid if you want, but I will never trust Uncle Sam 100%, neither will I trust TOR 100%

    • by bug1 (96678) on Tuesday July 22, 2014 @08:22PM (#47511975)

      You don't have to trust Uncle Sam, you have to (trust/don't trust) the source code.

      • by Anonymous Coward

        You also have to be competent enough to evaluate the security vulnerabilities of said source code.

      • Given what the actual authors of TOR have said about their system over the years, the likelihood that the talk was cancelled because they've suddenly become evil (or have suddenly revealed that they've been evil all along!) vs. the likelihood that it was cancelled because the lawyers at CMU were being overly conservative and paranoid, I'll go for the latter explanation. There are projects for which that wouldn't be the case.

        TOR has its limitations and weaknesses, and the developers have always tried to b

      • OpenSSL (Score:5, Insightful)

        by ArchieBunker (132337) on Tuesday July 22, 2014 @09:27PM (#47512305) Homepage

        How many people trusted the OpenSSL source code? How many people actually read it?

        • How many people think the openssl bug was maliciously inserted?

        • by bug1 (96678)

          The value of open source is that end users can choose to take responsibility for the software themselves, or get someone else to do it for them.

          A lot of money people expected volunteers to do all the work and were not willing to accept any responsibility themselves. You would think they would learn from their mistake, wouldn't you.

    • Many of you think that TOR is a godsend, that TOR provides you with absolute privacy

      Who are these people that think TOR provides absolute privacy?

    • by bmo (77928)

      It's dumb to trust any technology 100 percent.

      This was discussed here earlier after a poll showing that people with low knowledge of the Internet don't trust it, implying by omission that those that have more trust the Internet more, which is far from the case. The people with the most knowledge know what the flaws are.

      Blind trust in any kind of technology is dumb.

      Blind distrust of anything is also just as dumb.

      Distrust of TOR because it was a US Navy project is practicing a type of ad-hominem. I'd rather

    • by AHuxley (892839) on Tuesday July 22, 2014 @09:02PM (#47512185) Homepage Journal
      Follow the funding back in the day (Office of Naval Research and DARPA), understand the funding for the huge, costly, fast exit nodes in the US early on.
      The origins were open source intelligence gathering by the US mil and the US gov support of "freedom fighters" spreading democracy.
      The main issue early on was that any user of the tech would be seen as a tool of the US gov. Not good if emerging human intelligence stands out on any telco system.
      How was this setback to be fixed? By flooding the network with diverse users globally and offering free bandwidth, better speed and pushing an open source grassroots technology front.
      The press, dissidents and whistleblowers, all kinds of sites started to spread news about wanting to help people in repressive countries.
      i.e. a large group of users had to be created to allow gov users to hide and help with the node/relay.
      Carefully crafted news dropped the military and intelligence origins and pushed the press, First Amendment, dissidents, protected speech side.
      Follow the early grants back, i.e. "Pass-Through" funding.
      Terms like "Basic and Applied Research and Development in Areas Relating to the Navy Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance." seem to be floating around.
      Finally we got to Snowden and the Stinks page. "Critical mass" - the users are all on the same network, and we are back to the fast exit relays question.
      Follow the few law enforcement stories, if you have all data moving out of a network, around the world a few times and then back into the same network?
      It's simple to find the in IP, back from the message sent. We also now know that the "internet" in some countries is a known network: Tempora https://en.wikipedia.org/wiki/... [wikipedia.org] and XKeyscore http://daserste.ndr.de/panoram... [daserste.ndr.de]
    • by Anonymous Coward

      PROTIP: You can usually spot someone who doesn't really know much about the Tor project and hasn't even read the website - they spell it TOR.

      Tor's funding is from several sources currently and historically, but there definitely aren't any intentional backdoors in either Tor, or the concept of onion routing (or garlic routing), and it was never asked to put one in. It's been the subject of many such talks like this, and at the forefront of practical anonymity system research as it's overwhelmingly the one pe

    • This is true of most circumvention tools, and something that the authors of these tools are all well aware of. We could really use a global money laundering system, so those that benefit most from these tools can contribute to their funding.
    • ..is here to tell you not to use Tor. Meanwhile, the NSA attempts to monitor its userbase. Good thing taco has a bunch of other paid trolls to upvote his garbage, else he'd just get ignored.
  • Since when is Tor popular?
    Since when is Tor a privacy tool?
