
The talk about de-anonymizing Tor at the BlackHat conference has been removed - lanbird
http://tux.so/journal:2014:07:21:the_talk_about_de-anonymizing_tor_at_the_blackhat_conference_has_been_removed
======
wfn
Roger's response here is probably relevant:

[https://lists.torproject.org/pipermail/tor-talk/2014-July/03...](https://lists.torproject.org/pipermail/tor-talk/2014-July/033954.html)

      Hi folks,
    
      Journalists are asking us about the Black Hat talk on attacking Tor
      that got cancelled. We're still working with CERT to do a coordinated
      disclosure of the details (hopefully this week), but I figured I should
      share a few details with you earlier than that.
    
      1) We did not ask Black Hat or CERT to cancel the talk. We did (and still
      do) have questions for the presenter and for CERT about some aspects
      of the research, but we had no idea the talk would be pulled before the
      announcement was made.
    
      2) In response to our questions, we were informally shown some
      materials. We never received slides or any description of what would
      be presented in the talk itself beyond what was available on the Black
      Hat Webpage.
    
      3) We encourage research on the Tor network along with responsible
      disclosure of all new and interesting attacks. Researchers who have told
      us about bugs in the past have found us pretty helpful in fixing issues,
      and generally positive to work with.
    

(imho _2)_ and _3)_ are a polite way of saying that this particular talk did
not feature much in terms of responsible disclosure. But these are not related
to _1)_.)

~~~
lawnchair_larry
Coordinated disclosure is the proper term.

------
packetlss
A Black Hat spokeswoman told Reuters that the talk had been canceled at the
request of lawyers for Carnegie-Mellon University, where the speakers work as
researchers. A CMU spokesman had no immediate comment.

Source: [http://www.reuters.com/article/2014/07/21/cybercrime-confere...](http://www.reuters.com/article/2014/07/21/cybercrime-conference-talk-idUSL2N0PW14320140721)

~~~
x1798DE
I have to imagine that this is for some sort of internal bureaucratic reason.
I don't see who is in a position to even _want_ to stop this talk - almost
certainly not the Tor project itself.

The mundane (and thus most likely) answer is that the CMU lawyers wanted to
pull it either because they want to sort out some sort of intellectual
property first, or they're worried about some sort of liability.

~~~
andor
_I don't see who is in a position to even want to stop this talk_

A government agency that wants to stay a step ahead of the competition or of
its targets?

~~~
toyg
Or a University who doesn't want to get sued / get bad publicity for screwing
with a tool used by government agencies...

~~~
MacsHeadroom
Legality aside, I'm surprised this wasn't pulled on ethical grounds. Does
Black Hat not require "researchers" to follow responsible/coordinated
disclosure?

What about the political dissidents who use Tor? They could be at risk of
certain death if caught by the authoritarian regimes they live under. Without
coordinated disclosure, the "researchers" might as well have been signing
death warrants.

~~~
tptacek
Black Hat is a venue for presenting research. They don't influence the
procedures used by researchers at all. And the Black Hat review board is not
stuffed full of people who buy into "responsible disclosure".

In fact: I'm not aware of a vulnerability research conference that _does_ get
nosy about this stuff. I even reviewed for Usenix WOOT one year, and we didn't
vet research for "coordinated disclosure". Not even Usenix works the way you
want BH to.

------
yalue
I doubt this removal is anything sinister. Attacks on Tor have been a
relatively common theme at many large security conferences. For example, there
was a presentation at IEEE S&P 2013 on de-anonymizing Tor hidden services
([http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf](http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf)). The Tor people are typically
pretty open to this stuff. It was most likely removed due to something
mundane, like the presenters having issues getting through their
organization's bureaucracy.

------
dpeck
Mid summer tends to be pullout season for Blackhat and Defcon speakers. A
handful happen every year; that's why they have alternates.

Sometimes the speakers screwed up and didn't get their material together and
they weren't important enough to ignore that. Other times they're threatened
by their employer or some external forces.

Subway hacking, Padget's RFID (and GSM a few years later IIRC), etc. There's
quite a history of great presentations that have never happened for one reason
or another.

------
bitexploder
Wild conjecture. Most of the guys on CERT have a security clearance. This talk
may have been viewed as crossing streams that he could not cross. He likely
had to get the talk approved by whoever manages his clearance to ensure his
talk is not leaking secret information. Someone further up the chain may have
caught wind and pulled it.

------
pekk
Speakers drop out all the time.

Or maybe someone didn't want to compromise Tor in public until the Tor project
had a chance to address the issues.

~~~
at-fates-hands
>>> Or maybe someone didn't want to compromise Tor in public until the Tor
project had a chance to address the issues.

To some degree, isn't this what the Black Hat conference is all about?

~~~
MacsHeadroom
No, to some degree BH is about compromising X in public after X has been
repeatedly contacted with the necessary details AND given ample time to
address the issues.

What these "researchers" were doing was just reckless. When it comes to Tor,
lives are on the line. This kind of irresponsible disclosure is abhorrent, at
best.

~~~
tptacek
I don't know what BH you've been attending for the last 10 years, but it's not
the one I've been going to.

------
ripb
A lot of "I don't like your post so I'm downvoting it", Reddit-esque behaviour
in this thread.

------
orbifold
At this point it is not really a good idea to use Tor anyways, given that you
are then automatically targeted by the NSA and at the same time potentially
provide cover for covert operations of several countries. What is really
needed is political action to limit the capabilities of security agencies to
indiscriminately monitor web traffic.

~~~
cortesoft
I disagree. The only way to prevent security agencies from indiscriminately
monitoring web traffic is to make it technically impossible. No political action
is going to stop all such entities in the world from monitoring web traffic,
let alone prevent non-government entities from doing so. I am not saying Tor
is the answer, but whatever the answer is, it will have to be technical.

~~~
DanBC
> The only way to prevent security agencies from indiscriminately monitoring web
> traffic is to make it technically impossible.

The vast majority of people do not want that Internet. See, for example, the
popularity of Facebook. (About 1.2bn users per month).

You need technical measures, and law, and effective oversight.

~~~
Zigurd
Privacy or "oversight," pick one. With strong crypto and deniability privacy is
absolute, unless you want torture to be a law enforcement tactic. If you can't
handle that, you might as well communicate in the clear.

~~~
DanBC
What?

Oversight is a legal measure applied to police and security agencies to ensure
that they are obeying the law, not something you do to the general public.

~~~
Zigurd
Ideally, but in these times...

