Silence and denials surround new research that may reveal Tor's vulnerabilities
Tor has been heralded as a foil to the National Security Agency's widespread surveillance programs since last year, when the Guardian reported that the anonymous browsing tool hadn't yet been compromised despite the NSA's best efforts. That isn't strictly true, as the Guardian revealed in a follow-up report on the tools and strategies used to attack it, but Tor's reputation as a panacea for society's surveillance woes has mostly remained intact.
That was supposed to change at the Black Hat Conference in August, where researchers were scheduled to reveal how anyone could "de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months" with just $3,000 in equipment, but that talk has since been cancelled because one of the researchers didn't have permission from his university, Carnegie Mellon -- or from the relevant department within the university -- to reveal his findings.
In a statement on its website, Tor says that it had nothing to do with having the presentation removed from the Black Hat Conference's schedule, and that it was looking forward to getting more details about the techniques used to exploit its vulnerabilities and learn the identities of its users. Carnegie Mellon hasn't commented on the issue, and an official from the Department of Homeland Security told Reuters only that the department had "no role in pulling the talk."
The problem with all of the silence and hard-to-believe denials about the talk's removal is that it's hard to know who to blame. If this is an example of a university clamping down on its employees to the detriment of others, it's upsetting but not tinfoil-hat-worthy. If the government had some role in shutting down the talk, it's worth wondering why it wouldn't want techniques used to compromise Tor revealed to the public -- or at least it would be, if Pando's Yasha Levine hadn't already explored Tor's government ties:
Let’s start with the basics: Tor was developed, built and financed by the US military-surveillance complex. Tor’s original — and current — purpose is to cloak the online identity of government agents and informants while they are in the field: gathering intelligence, setting up sting operations, giving human intelligence assets a way to report back to their handlers — that kind of thing. This information is out there, but it’s not very well known, and it’s certainly not emphasized by those who promote it.
Peek under Tor’s hood, and you quickly realize that just about everybody involved in developing Tor technology has been and/or still is funded by the Pentagon or related arm of the US empire. That includes Roger Dingledine, who brought the technology to life under a series of military and federal government contracts. Dingledine even spent a summer working at the NSA.
Yasha's post, which is worth reading in its entirety even if you were already aware of Tor's beginnings as a project of the Naval Research Laboratory, also makes it clear that Tor isn't anywhere near as secure as its advocates have made it seem. The talk scheduled for the Black Hat Conference wouldn't have been a shocking revelation of Tor's insecurity so much as it would have been a blinking neon sign meant to point out just how insecure the tool really is.
Considering the revelation that using Tor and other security tools can make people a prime target for the NSA's surveillance programs, that sign might have helped bring attention to a real issue that many might not have considered because of repeated claims about Tor's magic ability to protect anyone from governments and hackers and anyone else. At least the removal of the presentation from the Black Hat Conference has attracted some attention on its own.
[illustration by Brad Jonas]