Slashdot Mirror

← Back to Stories (view on slashdot.org)

Black Hat Presentation On Tor Cancelled, Developers Working on Bug Fix

Posted by Soulskill on from the you-can't-say-that-on-television dept.

alphadogg writes A presentation on a low-budget method to unmask users of a popular online privacy tool Tor will no longer go ahead at the Black Hat security conference early next month. The talk was nixed by the legal counsel with Carnegie Mellon's Software Engineering Institute after a finding that materials from researcher Alexander Volynkin were not approved for public release, according to a notice on the conference's website. Tor project leader Roger Dingledine said, "I think I have a handle on what they did, and how to fix it. ... Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn't the end of the world." Tor's developers were "informally" shown materials about the bug, but never saw any details about what would be presented in the talk.

11 of 52 comments (clear)

  1. TOR is actually sponsored by Uncle Sam by Taco+Cowboy · · Score: 4, Interesting

    Many of you thinks that TOR is a godsend, that TOR provides you with absolute privacy

    But you guys must understand that TOR itself is actually from a project sponsored by Uncle Sam - and its initial usage was to thaw the cyber iron-curtains (something like the Great Firewall of China)

    I do use TOR, but I do reckon that there might be a certain "permissible flaw" in it since it is, after all, an Uncle Sam project

    Call me a paranoid if you want, but I will never trust Uncle Sam 100%, neither will I trust TOR 100%

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:TOR is actually sponsored by Uncle Sam by bug1 · · Score: 4, Insightful

      You dont have to trust Uncle Sam, you have to (trust/dont trust) the source code.

    2. Re:TOR is actually sponsored by Uncle Sam by Anonymous Coward · · Score: 2

      You also have to be competent enough to evaluate the security vulnerabilities of said source code.

    3. Re:TOR is actually sponsored by Uncle Sam by bmo · · Score: 2

      It's dumb to trust any technology 100 percent.

      This was discussed here earlier after a poll showing that people with low knowledge of the Internet don't trust it, implying by omission that those that have more trust the Internet more, which is far from the case. The people with the most knowledge know what the flaws are.

      Blind trust in any kind of technology is dumb.

      Blind distrust of anything is also just as dumb.

      Distrust of TOR because it was a US Navy project is practicing a type of ad-hominem. I'd rather distrust it based on either reading the code or the opinions and arguments of people better able than me at reading its code.

      I've said it before about other things - there are plenty of reasons to dislike something without having to invent them. I use this when discussing GMO, because the "frankenfood" argument is specious - the real problem is the IP angle, for example.

      --
      BMO

    4. Re:TOR is actually sponsored by Uncle Sam by AHuxley · · Score: 5, Informative

      Follow the funding back in the day (Office of Naval Research and DARPA), understand the funding for the huge costly, fast exit nodes in the US early on.
      The origins where for open source intelligence gathering by the US mil and the US gov support of "freedom fighters" spreading democracy.
      The main issue early on was any user of the tech would be seen as a tool of the US gov. Not good if emerging human intelligence stands out on any telco system.
      How was this set back to be fixed? By flooding the network with diverse users globally and offering free bandwidth, better speed and pushing the an open source grassroots technology front.
      The press, dissidents and whistleblowers, all kinds of sites started to spread news about wanting to help people the in repressive countries.
      ie a large group of users had to be created allow gov users to hide and help with the node/relay.
      Carefully crafted news dropped the military and intelligence origins and pushed the press, First Amendment, dissidents, protected speech side.
      Follow the early grants back ie "Pass-Through" funding.
      Terms like '“Basic and Applied Research and Development in Areas Relating to the Navy Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance.”" seems to be floating around.
      Finally we got to Snowden and the Stinks page. "Critical mass" - the users are all on the same network, and we are back to the fast exit relays question.
      Follow the few law enforcement stories, if you have all data moving out of a network, around the world a few times and then back into the same network?
      Its simple to find the in ip, back from the message sent. We also now know that the "internet" in some countries is a known network Tempora https://en.wikipedia.org/wiki/... and XKeyscore http://daserste.ndr.de/panoram...

      --
      Domestic spying is now "Benign Information Gathering"
  2. Re:What? by Karmashock · · Score: 2

    NSA and FBI don't want you to know they've broken TOR.

    There are several ways you can break TOR. It's been talked about here for some time. They want computer criminals to think they're safe so long as they stay in tor and use bitcoins etc. They're not. Its trickier to track people down through tor but far from impossible.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  3. Re:What? by dunkindave · · Score: 4, Informative

    Put your tin foil away. People at institutions like Carnegie Mellon's Software Engineering Institute typically work on grants and funding that come with conditions, such as the funder owns the material or can dictate its dissemination. It sounds like the researchers discovered something they thought interesting, looked around and decided BlackHat would be a good place to present, then the lawyers pointed out that they hadn't yet received the required permissions per the funding agreement/grant so they have backed off for now.

    An NSL is a directive to disclose info that may include the requirement not to reveal the disclosure occurred. An NSL is not a way to simply order someone to be quiet.

  4. Evil TOR Conspiracy or OverConservative Lawyers? by billstewart · · Score: 2

    Given what the actual authors of TOR have said about their system over the years, the likelihood that the talk was cancelled because they've suddenly become evil (or have suddenly revealed that they've been evil all along!) vs. the likelihood that it was cancelled because the lawyers at CMU were being overly conservative and paranoid, I'll go for the latter explanation. There are projects for which that wouldn't be the case.

    TOR has its limitations and weaknesses, and the developers have always tried to be upfront and public about them, both for the threat model / design and for the code itself.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  5. Re:popular online privacy tool Tor by AHuxley · · Score: 2

    Re Since when is Tor popular?
    Think back to the mid/late 1990's as the start point for some onion routing topics.
    Naval Research Labs Review had the 1997 paper "Private Web Browsing".
    Would early/mid 2000 be another interesting time? The funding, grants, press where in place by 2005. More grants over 2007-2010+

    --
    Domestic spying is now "Benign Information Gathering"
  6. OpenSSL by ArchieBunker · · Score: 5, Insightful

    How many people trusted the OpenSSL source code? How many people actually read it?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  7. Re:What? by Charliemopps · · Score: 2

    You've got that backward. One group can, at worst, buy porn with your CC number... the other, at worst, will fly you to a random country, torture you for months and then dump your lifeless corpse in the Ocean. I'm more concerned about the 3 letter agencies thank you.