[tor-talk] Tor developers vow to fix bug that can uncloak users

Eugen Leitl eugen at leitl.org
Wed Jul 23 12:22:36 UTC 2014


Tor developers vow to fix bug that can uncloak users

Weakness was topic of talk abruptly pulled from security conference.

by Dan Goodin - July 22 2014, 8:15pm CEST

Developers of the Tor privacy service say they're close to fixing a weakness
that researchers for an abruptly canceled conference presentation said
provides a low-cost way for adversaries to deanonymize hundreds of thousands
of users.

The talk previously scheduled for next month's Black Hat security conference
in Las Vegas was titled "You Don't Have to be the NSA to Break Tor:
Deanonymizing Users on a Budget." The abstract said that the hack cost less
than $3,000 and could uncloak hundreds of thousands of users. On Monday,
Black Hat organizers said the presentation was canceled at the request of
attorneys from Carnegie Mellon University (CMU), where the researchers were
employed, as well as the Software Engineering Institute (SEI). The attorneys
said only that the materials to be presented "have not yet been approved by
CMU/SEI for public release." Researchers Alexander Volynkin and Michael
McCord have yet to explain why their talk was pulled.

Tor officials responded by saying that they're working on an update for
individual Tor relay nodes that will close the unspecified security hole.

"Based on our current plans, we'll be putting out a fix that relays can apply
that should close the particular bug they found," Tor project leader Roger
Dingledine wrote in an e-mail to Tor users. "The bug is a nice bug, but it
isn't the end of the world. And of course these things are never as simple as
'close that one bug and you're 100% safe.'"

He said the fix was complicated because the researchers didn't provide all
the technical details when privately informing Tor officials of the

"We've been trying to find delicate ways to explain that we think we know
what they did, but also it sure would have been smoother if they'd opted to
tell us everything," he wrote. "The main reason for trying to be delicate is
that I don't want to discourage future researchers from telling us about neat
things that they find. I'm currently waiting for them to answer their mail so
I can proceed."

In a previous e-mail, Dingledine said Tor developers "informally" received
some materials related to the vulnerability. He went on to say Tor officials
played no role in the cancellation of the Black Hat talk.

"We did not ask Black Hat or CERT to cancel the talk. We did (and still do)
have questions for the presenter and for CERT about some aspects of the
research, but we had no idea the talk would be pulled before the announcement
was made," he wrote.

CMU is affiliated with CERT, which coordinates security disclosures between
researchers and affected parties. A CMU spokesman contacted Monday didn't
elaborate on the reasons for pulling the talk.

More information about the tor-talk mailing list