back to article Black Hat anti-Tor talk smashed by lawyers' wrecking ball

Boring Carnegie-Mellon University lawyers have scuppered one of the most hotly anticipated talks at the Black Hat conference – which would have explained how $3,000 of kit could unmask Tor hidden services and user IP addresses. The university did not say why it torpedoed the accepted talk, triggering speculation that it feared …

  1. Number6

    With a subject like that, I was expecting the article to talk about how the lawyers went t'werk on the presentation.

    1. Anonymous Coward
      Anonymous Coward

      She's out of the wiggly-arse "newscycle" now, get over it.

  2. Destroy All Monsters Silver badge
    Childcatcher

    "Further details had not been discussed but Tor Project in a now deleted synopsis they wrote they planned to cover the feasibility and limitations of attacks before detailing how botnet command and control servers, child pornography forums and hidden drug marketplaces like Silk Road have been revealed."

    In the best Fred Flintstone voice: "EDITOOORRRRRRR!!!!"

  3. Mark 85 Silver badge

    Makes me wonder who the lawyers were protecting, the researchers? The university? And why they needed protection. Too much speculation in the article and not enough facts but that's the way it goes sometimes. If I were paranoid, I'd assume NSA got to them since perhaps theyre presence on Tor would be revealed.

    1. Anonymous Coward
      Anonymous Coward

      You mean you are naive enough to believe that they might not have a presence on Tor?

      Every major police force and spook agency in the world will have some kind of presence and will be trying to find some method of identifying users and services. They would be foolish not to.

      1. Indolent Wretch

        They would be negligent not to.

        1. Destroy All Monsters Silver badge
          Facepalm

          Because Not looking into everyone's nether regions == Negligence

          Yes, this is 2014.

          1. monkeyfish

            To be fair, Tors nether regions are often quite a bit more netherly than most.

          2. Anonymous Coward
            Anonymous Coward

            > Because Not looking into everyone's nether regions == Negligence

            Because not looking into an area where criminal activity is known to take place == Negligence

  4. Anonymous Coward
    Anonymous Coward

    Talk about conspiracy fuel.

  5. Valeyard

    Black hat conferences

    Hosted at universities with pre-approved talks?

    and there was I thinking it'd be in some underground club with milk and countdown and cyberpunk music and the cast of the matrix and highly illegal new exploits being sold by Ukranians with scars down their eyes

    The reality's really rather disappointing

    1. Anonymous Coward
      Anonymous Coward

      Re: Black hat conferences

      Black hat conferences are rarely these days as such...it's a bit like holding an armed robber convention at the Hilton....

      1. Suricou Raven

        Re: Black hat conferences

        Doesn't stop the Bilderberg meetings. You just need enough money.

        1. Destroy All Monsters Silver badge

          Re: Black hat conferences

          I raise you a Trilateral Commission!

    2. oddie

      Re: Black hat conferences

      Oi! You there with all the consonants! I am challenging you to street countdown! :)

      Bring a jacket, it can get very cold you know :)

  6. John Smith 19 Gold badge
    FAIL

    So not just insecure to the Chinese..

    But also just about anyone else...

    Remind me what the the idea behind The Onion Router was again?

    Note. It's not the implementation.

    It's the design.

    1. ElReg!comments!Pierre

      Re: So not just insecure to the Chinese..

      To be fair my installs still state that TOR is experimental, not fully tested and DO NOT RELY ON IT FOR STRONG ANONYMITY. At each startup.

      So, nothing to complain about really. Both the implementation and the design benefit from disclosure of this kind of vulnerabilities.

      Of course there's the unavoidable fact that anyone with fat enough pipes and enough servers*, given enough time, will eventually be able to home in on you. That's true for anything that relies on wired, machine-to-machine networks; TOR only makes it much harder than on a centralized network. The only way to get around that would be a broadcast model, with machines listening to the whole of the traffic but only being able to read what they have the decryption key for (a bit like how crypto mail works on Usenet). Really doing it by radio broadcast would be safer than Usenet though. And usable for synchronous activity such as web browsing.

      * they can be virtual ones, hence the "handful of powerful servers" cited here: probably used to host thousands of virtual ones.

      1. channel extended
        Happy

        Re: So not just insecure to the Chinese..

        The alternative to a broadcast system is a mesh. The would require a node to transfer traffic not meant for it, but would help decenteralize the network.

        1. ElReg!comments!Pierre

          Re: So not just insecure to the Chinese..

          "The alternative to a broadcast system is a mesh. The would require a node to transfer traffic not meant for it, but would help decenteralize the network."

          No, I'm not the one who downvoted you but a mesh won't work. As long as you piggyback on the TCP/IP protocol there has to be a machine somewhere that knows the destination machine's IP. Tor is pretty good at hiding this from an outside observer but an inside attacker with enough ressources will eventually find out. Litterally the only way to avoid that is to remove the concept of "target" machine entirely. In a broadcast model the target being an encryption key makes it almost impossible to pinpoint it ot a physical machine (unless you go out of your way to do stupid things). Tor already largely operates as a mesh (same as for freenet for example) and it is well known that it is only a mitigation measure; it's not bulletproof.

          The "only tiny little problem" with a broadcast model is the frigging mess that would ensue. Imagine the tube at rush hour, and then imagine everyone in there shouting at the top of their lungs.

  7. splatt

    tinfoil'd....

    So does this mean we can comfortably assume Tor is compromised?

    I mean, it was a DARPA project initially anyway - if there is an easily 'sploitable flaw (as opposed to a horrifically-expensively-sploitable flaw that only the gov. knows about) then I imagine the US Gov will want to keep a lid on it so that they can continue to gather information on people using it, thinking themselves anonymous.

    1. ElReg!comments!Pierre

      Re: tinfoil'd....

      > if there is an easily 'sploitable flaw

      My understanding is that it's no easily exploitable flaw but a long-known design weakness which originates from the fact it uses TCP-IP, and hence each node knows the IP adress of its "adjacent" nodes in the chain. With enough time and control over enough nodes, you can slowly home in on anyone who is continuously on the network (that would be most hidden services) "just" by recouping hops. The counter-measures such as forced latency etc are only partially effective. I think there may be a way to force the traffic through other nodes under your control which would speed up things considerably (there is for sure a way to _avoid_ routing the same packets through several nodes that you control).

  8. Sanctimonious Prick
    Trollface

    For Crying Out Loud

    Damnit! Hate to mention Wikipedia here, but if you look at their page on ToR, and read about the weaknesses of ToR, you'd be a fool for trusting it believing it, or thinking it is in any way secure! Crikey!!

  9. Peter 26

    This a real shame. I don't use Tor myself as I have no need, but from a technologist perspective I'd love to know what methods the security services have been using to circumvent the system.

    There has been so many cases in the news where criminals using Tor have been caught. Usually there is something saying "we found them as they accidentally used their email address..." I don't believe that for a minute, they obviously have cracked Tor and then look for some other reason to say how they found them. Just like how we did with U boats when we cracked their code and sent out spotter planes to make it look like we got lucky.

  10. Peshman

    Do you really think you can hide?

    If you step out of your front door somebody knows what you look like. Get online and someone knows what you've been looking at and browsing for. I don't lose sleep at night worrying about who knows what about me. If my bank cards are stolen, I call the bank and they put the money back in my account. The credit ref agencies make sure that I can still get a loan and life goes on. FWIW, I don't use TOR because I don't download illegal content and don't need to look at "CP" Isn't that the basic assumption behind the reason for anyone using it? Sure, the stuff within the network is encrypted but as soon as you convert that picture/mp3/data back into some form of recognisable file format to view it once it's left the exit node then it becomes fair game doesn't it?

    1. ElReg!comments!Pierre

      Re: Do you really think you can hide?

      "I don't use TOR because I don't download illegal content and don't need to look at "CP" Isn't that the basic assumption behind the reason for anyone using it?"

      Daily Mail logic spotted. You have curtains on your windows and a lock on the bog's door, hence you have a meth lab in your bedroom and you rape kids in the john everyday.

      "Sure, the stuff within the network is encrypted"

      That doesn't prevent tracking, which is the issue discussed here. The content is not a concern.

      "as soon as you convert that picture/mp3/data back into some form of recognisable file format to view it once it's left the exit node then it becomes fair game doesn't it?"

      That's wrong on soooo many levels!

      -The exit node is the one far away from you, not the one sending you the content directly. That would be the entry node.

      -The entry node has your IP but doesn't send you the content in clear form, the final decryption step is performed on the target machine (i.e. your machine).

      -In the context of hidden services (which is what is discussed here), there is no exit node. Everything originates from, and stays on the TOR network. As a corollary, everything is ecrypted at all times. Which is not the concern here anyway, we're talking tracking not content.

      1. Peshman

        Re: Do you really think you can hide?

        So the reason for tracking isn't the content? The whole premise of the argument is that there are enough ways to transmit data from A - B. What do YOU have to move that YOU don't want anyone else to know about that couldn't be sent by any other method? Prove that a snapshot of all the content being transmitted through TOR right now isn't mainly comprised of compromising material and I'll fight your corner with you. You won't do that though will you. Even if you were the only one with the ability to open it up and shut it again so that it's secure.

        That's the problem. Innocent until proven guilty only works if you can't be proved guilty. Right now you don't have an alibi for anything that might be found to be incriminating. It's a fair cop. Accusations have been made but you're not throwing up any arguments to discredit them are you?

        1. ElReg!comments!Pierre

          Re: Do you really think you can hide?

          So the reason for tracking isn't the content?

          Not necessarily. These days anyone using encryption in a way or another goes on the NSA's "interest" list, regardless of the content they receive or send. Some people use TOR just to avoid being tracked while browsing for legal but perhaps embarrassing content; others use is just for the heck of it. Others use it because they think it is important to keep such networks alive just in case something goes horribly wrong with the 'tarwebs regulation (à la Great Firewall of China). And probably many many more reasons.

          In any case there are plenty of ways to get to the content and monitor it. There are also ways to compromise TOR users' anonymity, via persistent tracking coockies, malicious javascript and various spyware. That's not the issue here. The issue here is a working method to game the network in order to "unmask" specific TOR nodes; something that everyone knew was a potential issue but no-one had publicly demonstrated (there has been suspicions that various law enforcement agencies were using similar tactics for years, but no publicly-demonstrated working method).

          Prove that a snapshot of all the content being transmitted through TOR right now isn't mainly comprised of compromising material and I'll fight your corner with you. You won't do that though will you.

          No I won't, because I don't have the technical ability to take a snapshot of all the content transmitted through TOR, because even if I could take the snapshot I would not have the technical ability to decrypt it, and also because I could not possibly care less.

          That's the problem. Innocent until proven guilty only works if you can't be proved guilty. Right now you don't have an alibi for anything that might be found to be incriminating. It's a fair cop. Accusations have been made but you're not throwing up any arguments to discredit them are you?

          What The Almighty Fucking Fuck are your talking about? What am I accused of that I don't have an alibi for?

          1. Cynic_999 Silver badge

            Re: Do you really think you can hide?

            Another variation of the, "If you have nothing to hide you have nothing to fear," argument - this one is the associated claim, "Only criminals have any need for anonymity." It is a completely false argument, because whilst it may be true that the bad guys often want to remain anonymous from the good guys, the good guys quite often also need to remain anonymous from the bad guys. But bad guys don't all wear black hats and good guys don't always wear white hats, so its best to remain anonymous from everyone. And of course, sometimes (quite frequently) the bad guys are your own government.

    2. Destroy All Monsters Silver badge
      Thumb Down

      Re: Do you really think you can hide?

      If you step out of your front door somebody knows what you look like. Get online and someone knows what you've been looking at and browsing for.

      Brain meets floor at first sentence.

      NEXT!

  11. Peshman

    What you're accused of...

    is the same as what others have been prosecuted of.

    Clear enough for you? The problem with there being a few bad apples is that the assumption is that the rest of the apples in the apple-cart are also rotten. You may not be into "CP" but the pictures were found in your house. To the rest of the world that doesn't use TOR they only get to hear about its nefarious uses. Conspiracy theorists can try to claim that the pictures were planted there by the powers that be. However, Jack Bauer scenarios are fictional and actual people have been banged up for using TOR to try to hide what they've been doing.

    1. ElReg!comments!Pierre

      Re: What you're accused of...

      What you're accused of... is the same as what others have been prosecuted of.

      You seem to be very confused about how TOR works. You are probably referring to the case of the Autrian exit node operator from a few weeks ago; it is not even distantly related to what is discussed here.

      As a primer, what happend in Austria was that someone accessed child pornography material on the web (possibly a police honeypot) through TOR; in a nutshell they sent an encrypted request to a nearby node, which forwarded it to another node with an added layer of encryption, and another, and another, and finally to the Autrian exit node which forwarded the request -in clear- to the honeypot, making it look like the request originated from the Austrian exit node. There was no tracking involved, someone just wrote down the IP adress on a post-it and sent a request to the corresponding ISP.

      Here we are talking about "hidden services" in TOR parlance, which are servers accessible only through the TOR network, no "regular" unencrypted internet involved. The methods discussed are not aimed at examining content but at associating a "real-world" IP with a TOR node ID; possibly because it is serving illegal content, possibly to bring as many nodes as possible offline to disrupt the network, possibly in a bid to compromise or otherwise take over as many nodes as possible for whatever reason ("circle" infiltration, plain regular fishing trip, ...), possibly just to map the network and add TOR node operators to the watchlist.

    2. ElReg!comments!Pierre

      PS: Re: What you're accused of...

      "What you're accused of... is the same as what others have been prosecuted of. Clear enough for you?"

      As a sidenote and just to be clear, you're not accusing me of distributing child porn are you?

  12. Old Handle

    Risky Business

    Just speculating here, but it seems like the biggest concern for the university lawyers would be the claim that the presenters had actually unmasked illegal hidden services (if I understood the claims correctly). They would open themselves up to libel lawsuits if they reveal that information, and open themselves up to subpoenas if they don't. Publicly claiming that you know who runs Silk Road or <insert popular CP site> is just asking for trouble.

    Assuming this is true and all, you can't blame them for setting their sights high, but there are other hidden services hosting things like political rants, legal porn Tor directories, and privacy guides. They could have proved the concept on one of these without risking anyone (guilty or innocent) getting hurt.

    1. ElReg!comments!Pierre

      Re: Risky Business

      I was playing with the thought myself and I came to the conclusion that the actual services being unmasked did not matter (after all you could just set up your own hidden service and unmask that; which is most probably what they did).

      My opinion (and I'm wrong at least as often as every other guy on the net) is that it's either

      -a technical liability (whoever you unmask, you're still "bypassing technical measures yadda yadda yadda", HACKER YOU, thanks RIAA/MPAA/DOD/whoever)

      -or gov. agencies using the same techniques who don't want them publicly demonstrated as it would make it easier to implement a workaround

      (-or both of the above of course)

  13. channel extended
    Black Helicopters

    Who am I?

    The question of tracking is simple, "I want to ID you." the methods I've seen reported all are using the same method, trying to hide. The other medthod, one I like to use, is to lie to them. Who cares if they track if you are different each time your computer boots up.

    OH WAIT....By posting this it looks I just unzipped.......

  14. Thorne
    Black Helicopters

    The real reason it was cancelled was that the researchers were to busy working for the NSA to attend......

  15. JCitizen
    Pirate

    Use the botnet...

    All you have to do is crack one command and control server, and you've got it! Don't even bother to encrypt anything, just communicate in the open! The bot herders might get mad, but so what?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022