Boring Carnegie-Mellon University lawyers have scuppered one of the most hotly anticipated talks at the Black Hat conference – which would have explained how $3,000 of kit could unmask Tor hidden services and user IP addresses. The university did not say why it torpedoed the accepted talk, triggering speculation that it feared breaking federal wiretapping laws – or that it had simply not gained pre-approval and the scuppering was a part of internal bureaucracy.
Tor Project leader Roger Dingledine said it was provided with informal access to some research materials but “never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat webpage. We did not ask Black Hat or CERT (the university’s computer emergency response team) to cancel the talk. We did — and still do — have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.” That announcement was planned to be made later this week and would have included details on the attack.
University researchers Alexander Volynkin and Michael McCord planned to demonstrate how hundreds of thousands of Tor clients, along with thousands of hidden services, could be de-anonymised within a couple of months. It would do this using unspecified recently disclosed vulnerabilities within the design and implementation of Tor user anonymity and about $3000 worth of tools including a “handful of powerful servers and a couple gigabit links”. Volynkin and McCord said they had successfully tested the attacks in the wild.