TMCnet News

Cracking Tor talk cancelled [ITWeb]
[July 22, 2014]

(ITWeb Via Acquire Media NewsEdge) A highly anticipated talk on how to identify users of the Internet privacy service Tor was withdrawn from the upcoming Black Hat security conference, a spokeswoman for the event said yesterday.

The talk was cancelled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers, the spokeswoman, Meredith Corley, told Reuters.

Tor is a double-edged sword that has given dissidents living under repressive regimes a way of communicating safely. But it also has enabled criminals to take advantage of its cloak of anonymity.

The Black Hat conference, one of the longest-running and best-attended security trade shows in the world, is scheduled for Las Vegas on 6 and 7 August.

Corley said a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the materials he would discuss have not been approved for public release by the university or the Software Engineering Institute (SEI).



It was unclear what aspects of the research concerned the university.

The institute, based at the university, is funded by the Defence Department. SEI also runs CERT, historically known as the Computer Emergency Response Team, which works with the Department of Homeland Security (DHS) on major cyber security issues.


Spokesmen for Carnegie Mellon and the Defence Department did not comment on the cancellation. One official said DHS had played no role in pulling the talk.

Its abstract, titled "You don't have to be the NSA to Break Tor: De-Anonymising Users on a Budget", had attracted attention within the security and privacy communities. The abstract had been published on Black Hat's Web site but has since been removed.

The US government funded the creation and much of the operation of Tor as a communications tool for dissidents in repressive countries. But Tor has frustrated the US National Security Agency for years, according to documents released by former agency contractor Edward Snowden.

That revelation has helped increase adoption by those seeking privacy for political reasons, as well as criminals, researchers say.

Some criminal suspects on Tor have been unmasked by the US Federal Bureau of Investigation and other law enforcement or intelligence agencies using a variety of techniques, including tampering with software often used alongside Tor.

Disappearing act

In their now-vanished Black Hat abstract, researchers Alexander Volynkin and Michael McCord said "a determined adversary" could "de-anonymise hundreds of thousands Tor clients and thousands of hidden services within a couple of months", all for less than $3 000. Neither man responded to a request for comment.

Their summary said they had tested their techniques and that they would discuss dozens of successes, including cases where suspected child pornographers and drug dealers had been found.

In the best-known Tor case, US authorities in October shut down online drug bazaar Silk Road, a so-called hidden service reachable only via Tor.

Tor project president Roger Dingledine, lead developer of the software, told an online mailing list that the project had not requested the talk be cancelled.

Dingledine said the non-profit group was working with CERT to co-ordinate disclosure of details on the researchers' attack on the network.

He also said he had questions "about some aspects of the research". In years past, other researchers studying Tor traffic have been criticised for intruding on users' privacy.

Hacking experts disclose vulnerabilities at conferences to alert the public about security flaws, both to pressure developers to fix them and to warn users about products that may not be completely safe.

Yet concerns are sometimes raised as to whether such disclosures are helpful, or harmful, to the public interest.

Missing in action

This would not be the first time a talk has been cancelled at Black Hat. Presentations have been pulled from it and other conferences under pressure from software makers or for other reasons.

Here are some examples of other hacking talks that have been pulled from conferences over the past decade:

2013: Three European computer scientists cancelled a talk on hacking the locks of luxury cars at a prestigious US academic conference known as USENIX, after Volkswagen AG obtained a restraining order from a British court. Their paper identified ways to hack into the lock systems of luxury cars, including Porsches, Audis, Bentleys and Lamborghinis.

2008: Three MIT undergrads cancelled a Def Con talk in Las Vegas on hacking the "Charlie Card" payment cards for Boston's subway system after a federal court issued an injunction. A judge later rescinded the order, allowing the students to go public.

2007: Security firm IOActive pulled a talk at Black Hat DC on bugs in radio-frequency identification, or RFID, technology, saying it was pressured to do so by RFID technology firm HID Global.

2005: Cisco Systems persuaded security firm Internet Security Systems to pull a discussion on hacking routers by researcher Michael Lynn at the Black Hat hacking conference in Las Vegas. On the eve of the conference, Black Hat organisers had workers tear Lynn's presentation materials out of a printed handbook that was to be distributed to thousands of attendees. Lynn gave the talk anyway. Cisco obtained an injunction blocking further public discussion.

(c) 2014 ITWeb Limited. All rights reserved. Provided by SyndiGate Media Inc. (Syndigate.info).
