Black Hat Presentation On Tor Cancelled, Developers Working on Bug Fix

alphadogg writes A presentation on a low-budget method to unmask users of a popular online privacy tool Tor will no longer go ahead at the Black Hat security conference early next month. The talk was nixed by the legal counsel with Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website. Tor project leader Roger Dingledine said, "I think I have a handle on what they did, and how to fix it. ... Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world." Tor's developers were "informally" shown materials about the bug, but never saw any details about what would be presented in the talk.

What?

[SeaFox]

A black hat presentation was cancelled for legal considerations? Am I reading that right?

Re:What?

Its got to be an NSL. Its the only thing that makes sense. Its not like Tor is a privately owned product. Who's going to sue for revealing information? Can anyone from academia present an example where they couldn't publish/lecture because they were exposed to information they did [b]not[/b] sign a confidentiality agreement to see? If its not an NSL, if I were Alexander Volynkin, I'd be eager to leave the institution that was sabotaging my career over their misplaced sense of what is "proper" at a "black hat" conference.

Re:What?

[Karmashock]

NSA and FBI don't want you to know they've broken TOR.

There are several ways you can break TOR. It's been talked about here for some time. They want computer criminals to think they're safe so long as they stay in tor and use bitcoins etc. They're not. Its trickier to track people down through tor but far from impossible.

Re:What?

[dunkindave]

Put your tin foil away. People at institutions like Carnegie Mellon's Software Engineering Institute typically work on grants and funding that come with conditions, such as the funder owns the material or can dictate its dissemination. It sounds like the researchers discovered something they thought interesting, looked around and decided BlackHat would be a good place to present, then the lawyers pointed out that they hadn't yet received the required permissions per the funding agreement/grant so they have backed off for now.

An NSL is a directive to disclose info that may include the requirement not to reveal the disclosure occurred. An NSL is not a way to simply order someone to be quiet.

Re:What?

At this point everybody pretty much knows that 'they' have broken tor

Up to this point you were not paying attention if you assumed that 'they' had NOT broken tor

IMO it would be really bad form to NOT allow the patch to be widely disseminated before publishing because it would allow a million other actors to exploit it and leave all users vulnerable, because three letter agencies are less of a threat to me than a planet full of d-bags trying to get my goodies

And, there's the whole 'approval for release', which seems to me as actions of SEI and CMU to delay the release of the information

Re:What?

[Charliemopps]

You've got that backward. One group can, at worst, buy porn with your CC number... the other, at worst, will fly you to a random country, torture you for months and then dump your lifeless corpse in the Ocean. I'm more concerned about the 3 letter agencies thank you.

Re:What?

wow and people call me paranoid

Re:What?

[dunkindave]

The conference didn't stop the presentation, the presenters withdrew it on advice of their own council since they believe they didn't have the legal authority to present the results of the research.

Re:What?

[dunkindave]

Er, I mean on advice of COUNSEL. Damn spell checker.

Re:What?

Have you read the NDAA that passed 93-7 in the Senate and keeps getting renewed without amendments?
No courts, no judges, no lawyers, no appeals, not even any charges, and a US citizen can be taken and even shipped to a foreign prison, then held indefinitely.
That is what Ryan brought up last year when asking when Americans would get their rights restored and was scoffed at by McCain and Graham.
But, Obama said he wouldn't use those powers. Last year's renewal added new funding for domestic propaganda campaigns, so believe what you want, it's probably whatever "they" want you to think.

Re:What?

[thejynxed]

I remember reading about flaws, exploits, etc that broke Tor anonymous browsing/data transfer as far back as 2005 or so. Some of these issues are still there because they honestly can't be fixed without a complete overhaul of how the entire thing is coded and works. Instead they have fixed what they could, and coded in mitigations for the rest.

It goes without saying though, that Tor, like many other things online, is, was, and always will be vulnerable to MITM attacks.

Re: What?

[dunkindave]

An NSL is quite frankly whatever the author of the NSL wants it to be. Typically, you're right, it's a request for information or access, but it also prevents you from telling ANYONE about it. So, who knows. You don't most likely. Unless you're party to it.

No, an NSL is specifically only for requesting of information.

From Wikipedia: A national security letter (NSL) is an administrative subpoena ...

A subpoena is a writ issued to compel testimony by a witness or production of evidence.

What makes the NSL special, and the reason people believe it is unconstitutional, is 1) it is not directly authorized by a judge, and 2) it can come with the requirement that the recipient not disclose that it happened or that the disclosure occurred.

An NSL is NOT a blank check for the government to order people to do whatever they say. It is very specific in its abilities, and that is only to request information, and possibly (though while the norm, this is not required) to require its existence to be kept confidential. So you see, I do know, as does anyone else who does a cursory lookup about what an NSL is.

Re:What?

[Charliemopps]

wow and people call me paranoid

No, you're just naive.
http://en.wikipedia.org/wiki/K...

Only reason he's not at the bottom of the Ocean right now is Condoleezza Rice had some scruples while the rest of the federal government did not.

TOR is actually sponsored by Uncle Sam

[Taco+Cowboy]

Many of you thinks that TOR is a godsend, that TOR provides you with absolute privacy

But you guys must understand that TOR itself is actually from a project sponsored by Uncle Sam - and its initial usage was to thaw the cyber iron-curtains (something like the Great Firewall of China)

I do use TOR, but I do reckon that there might be a certain "permissible flaw" in it since it is, after all, an Uncle Sam project

Call me a paranoid if you want, but I will never trust Uncle Sam 100%, neither will I trust TOR 100%

Re:TOR is actually sponsored by Uncle Sam

[bug1]

You dont have to trust Uncle Sam, you have to (trust/dont trust) the source code.

Re:TOR is actually sponsored by Uncle Sam

[jeIIomizer]

Many of you thinks that TOR is a godsend, that TOR provides you with absolute privacy

Who are these people that think TOR provides absolute privacy?

Re:TOR is actually sponsored by Uncle Sam

You also have to be competent enough to evaluate the security vulnerabilities of said source code.

Re:TOR is actually sponsored by Uncle Sam

[bmo]

It's dumb to trust any technology 100 percent.

This was discussed here earlier after a poll showing that people with low knowledge of the Internet don't trust it, implying by omission that those that have more trust the Internet more, which is far from the case. The people with the most knowledge know what the flaws are.

Blind trust in any kind of technology is dumb.

Blind distrust of anything is also just as dumb.

Distrust of TOR because it was a US Navy project is practicing a type of ad-hominem. I'd rather distrust it based on either reading the code or the opinions and arguments of people better able than me at reading its code.

I've said it before about other things - there are plenty of reasons to dislike something without having to invent them. I use this when discussing GMO, because the "frankenfood" argument is specious - the real problem is the IP angle, for example.

--
BMO

Re:TOR is actually sponsored by Uncle Sam

[AHuxley]

Follow the funding back in the day (Office of Naval Research and DARPA), understand the funding for the huge costly, fast exit nodes in the US early on.
The origins where for open source intelligence gathering by the US mil and the US gov support of "freedom fighters" spreading democracy.
The main issue early on was any user of the tech would be seen as a tool of the US gov. Not good if emerging human intelligence stands out on any telco system.
How was this set back to be fixed? By flooding the network with diverse users globally and offering free bandwidth, better speed and pushing the an open source grassroots technology front.
The press, dissidents and whistleblowers, all kinds of sites started to spread news about wanting to help people the in repressive countries.
ie a large group of users had to be created allow gov users to hide and help with the node/relay.
Carefully crafted news dropped the military and intelligence origins and pushed the press, First Amendment, dissidents, protected speech side.
Follow the early grants back ie "Pass-Through" funding.
Terms like '“Basic and Applied Research and Development in Areas Relating to the Navy Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance.”" seems to be floating around.
Finally we got to Snowden and the Stinks page. "Critical mass" - the users are all on the same network, and we are back to the fast exit relays question.
Follow the few law enforcement stories, if you have all data moving out of a network, around the world a few times and then back into the same network?
Its simple to find the in ip, back from the message sent. We also now know that the "internet" in some countries is a known network Tempora https://en.wikipedia.org/wiki/... and XKeyscore http://daserste.ndr.de/panoram...

Re:TOR is actually sponsored by Uncle Sam

[bigfinger76]

Pardon?

Re:TOR is actually sponsored by Uncle Sam

> Who are these people that think TOR provides absolute privacy?

The men who hail from the land of Straw.

Re:TOR is actually sponsored by Uncle Sam

I used to work at a huge defense contractor, definitely one of the top 5 largest in the US. I had to look up stuff on the net that if aggregated together would have revealed too much about the project I was working on and the fact that my outgoing IP was theirs didn't help either. But their corporate IT policy completely forbade the use of TOR. No exceptions.

Re:TOR is actually sponsored by Uncle Sam

PROTIP: You can usually spot someone who doesn't really know much about the Tor project and hasn't even read the website - they spell it TOR.

Tor's funding is from several sources currently and historically, but there definitely aren't any intentional backdoors in either Tor, or the concept of onion routing (or garlic routing), and it was never asked to put one in. It's been the subject of many such talks like this, and at the forefront of practical anonymity system research as it's overwhelmingly the one people actually USE (which, itself, makes it the most effective, hiding among bigger crowds) - an intentional flaw WOULD have been noticed in the design.

You are however correct not to trust any tool, including Tor, 100%. If you need 100%, layer your security mechanisms carefully, use the best opsec and tradecraft you can, and prepare for the worst anyway. Nothing can be relied upon 100%, including the processor you're running it on, the embedded processors in your keyboard and mouse and network card and your Southbridge and your NIC and your storage devices and did you ever read your BIOS chips with hardware, etcetera. That rabbit hole goes down all the way to needing to check the poles of individual transistors to check someone hasn't nobbled your RNG.

At present, we have no platform we can trust 100%. We could maybe build one, and we probably need to for high-assurance cryptographic services, but it's a hard road to travel.

Re:TOR is actually sponsored by Uncle Sam

[complete+loony]

This is true of most circumvention tools, and something that the authors of these tools are all well aware of. We could really use a global money laundering system, so those that benefit most from these tools can contribute to their funding.

Re:TOR is actually sponsored by Uncle Sam

[alexo]

You also have to be competent enough to evaluate the security vulnerabilities of said source code.

Case in point.

popular online privacy tool Tor

[Mister+Liberty]

Since when is Tor popular?
Since when is Tor a privacy tool?

Re:popular online privacy tool Tor

I don't know what defines "popular" in your eyes, but Tor's user base has certainly been growing for years. According to metrics.tor.org, they currently estimate that there are about 2 million users connected to the Tor network at any given time.

Tor has always been a privacy tool, in that it allows you to browse the web without allowing your ISP, or anyone else snooping on your network, to tell what sites you are connecting to.

Re:popular online privacy tool Tor

From https://www.torproject.org/

"
What is Tor?

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
"

Re:popular online privacy tool Tor

[AHuxley]

Re Since when is Tor popular?
Think back to the mid/late 1990's as the start point for some onion routing topics.
Naval Research Labs Review had the 1997 paper "Private Web Browsing".
Would early/mid 2000 be another interesting time? The funding, grants, press where in place by 2005. More grants over 2007-2010+

Re:popular online privacy tool Tor

And how are you so sure it isn't all collected and dissected?
Pointless as a privacy tool if it is
In fact, it may even be worse if it draws all the attention you are trying to avoid.
Then all you have is a false sense of security.

Re:popular online privacy tool Tor

I did not say anything about the effectiveness. but it is a "privacy tool" or at the least claims to be.

Re:popular online privacy tool Tor

Tor is very popular in the Arabic world, to get through country filters, something it is very good at. As a privacy tool, it is much better than nothing.

Re:popular online privacy tool Tor

[IamTheRealMike]

Depends how you define "very popular" I guess. The most popular way to bypass state-level censorship in the Arab world and elsewhere is a product called HotSpot Shield. When Turkey blocked Twitter some time ago, HSS experienced 1000% growth and reached 1.1 million installs in the iOS App Store alone within only four days, with 800,000 regular users.

In contrast Tor went from 30,000 to 40,000 "direct connects" from Turkey.

HSS doesn't get much press in the geek world as it's just a plain old VPN run by a company in California that inserts ads into people's web pages to pay for the bandwidth costs. But usage wise it utterly dominates Tor.

Re:popular online privacy tool Tor

Since when is Tor popular?
"I like it!" - Benny Hill

Evil TOR Conspiracy or OverConservative Lawyers?

[billstewart]

Given what the actual authors of TOR have said about their system over the years, the likelihood that the talk was cancelled because they've suddenly become evil (or have suddenly revealed that they've been evil all along!) vs. the likelihood that it was cancelled because the lawyers at CMU were being overly conservative and paranoid, I'll go for the latter explanation. There are projects for which that wouldn't be the case.

TOR has its limitations and weaknesses, and the developers have always tried to be upfront and public about them, both for the threat model / design and for the code itself.

OpenSSL

[ArchieBunker]

How many people trusted the OpenSSL source code? How many people actually read it?

Re:OpenSSL

[ThatsMyNick]

How many people think the openssl bug was maliciously inserted?

Re:OpenSSL

[bug1]

The value of open source is that end users can choose to take repsonsibility of the software for themselves, or get someone else to do it for them.

A lot of moneypeople expected volunteers to do all the work and were not willing to accept any responsibility themselves. You would think they would learn from their mistake wouldnt you.

Re:OpenSSL

> How many people trusted the OpenSSL source code? How many people actually read it?

Well, we know at least two teams of people read it since heartbleed was discovered almost simultaneously by two groups.
All it takes is one guy to find a bug.

But what's the alternative? Closed source? That doesn't guarantee any better results. Closed source even has its own perverse incentives not to do bug hunts because some people will believe that since the source isn't widely available there is less chance of someone discovering and using an exploit.

Re:OpenSSL

The OpenSSL "bug" was there for a long time. Even if you are right the GP's point still stands.

Roger Dingledine?

Fuck off, that's completely made up.

Okey, but what exactly is the attack vector?

Is there any way to actually track target through TOR network itself? That would be something. If its something on the order of target being an unique snowflake and sending data about its own identity, or using connections other than tor then that's nothing that hasn't been seen. If you have a squeaky clean virtual machine, communication through tor and only tor it should in principle be untraceable.

Re:Okey, but what exactly is the attack vector?

With enough resources is very simple to track from an exit node back to the tor connection point (ie. IP address). In other words you might as well not be using tor at all.

Re:Okey, but what exactly is the attack vector?

All it takes is the metadata, who you sent a packet to, who they sent a packet to, who they sent a packet to, and so on.

The NSA knows every single person on Tor and what websites they went to, .onion or not.

Re:Okey, but what exactly is the attack vector?

How would they get that metadata(provided you don't give that information out yourself)? Each node in tor network only knows who they get a packet from and who they send it to. But not where it has been before that or where its going after that. Also only exit nodes know what the packet contains or where its headed to in normal web. Amount of resources is irrelevant, what you gonna do, break crypto on all tor traffic? Yeah good luck with that. Having lots of tor exit nodes under your command might be useful, but you probably cant have a useful amount of them without half the world noticing that somehow half the tor exit nodes are situated next door from NSA server farm.

Establishment troll Taco Cowboy

[Rujiel]

..is here to tell you not to use Tor. Meanwhile, the NSA attempts to monitor its userbase. Good thing taco has a bunch of other paid trolls to upvote his garbage, else he'd just get ignored.

TOR vulnerable to timing analysis

Because TOR is designed as a low latency network, it is vulnerable to a timing analysis attack. If you control the entry and exit node, you can reveal the user. If you browse the web through TOR, you make lots of requests, so the attacker doesn't need to be almighty, its enough to catch just some network traffic. NSA is capable to do that.
And now... there is even a low-budget method? Man, TOR has some big issues it seems...

Re:TOR vulnerable to timing analysis

[Tiger4]

Because TOR is designed as a low latency network, it is vulnerable to a timing analysis attack... Man, TOR has some big issues it seems..

So you're saying that because a theoretical attack method MIGHT be plausible, then a real world compromise MUST be in progress right now. Damn, too bad all those people on the Tor Project never thought to consider a Crypto 101 attack (I even saw it in a Hollywood movie). They could have saved themselves decades of work. Brilliant analysis!