(Adds comment from Tor leader)
By Joseph Menn
SAN FRANCISCO, July 21 A highly anticipated talk
on how to identify users of the Internet privacy service Tor was
withdrawn from the upcoming Black Hat security conference, a
spokeswoman for the event said on Monday.
The talk was canceled at the request of attorneys for
Carnegie Mellon University in Pittsburgh, where the speakers
work as researchers, the spokeswoman, Meredith Corley, told
Tor is a double-edged sword that has given dissidents living
under repressive regimes a way of communicating safely. But it
also has enabled criminals to take advantage of its cloak of
The Black Hat conference, one of the longest-running and
best-attended security trade shows in the world, is scheduled
for Las Vegas August 6-7.
Corley said a Carnegie Mellon attorney informed Black Hat
that one of the speakers could not give the Tor talk because the
materials he would discuss have not been approved for public
release by the university or the Software Engineering Institute
It was unclear what aspects of the research concerned the
The institute, based at the university, is funded by the
Defense Department. SEI also runs CERT, historically known as
the Computer Emergency Response Team, which works with the
Department of Homeland Security on major cybersecurity issues.
Spokesmen for Carnegie Mellon and the Defense Department did
not comment on the cancellation. One official said DHS had
played no role in pulling the talk.
Its abstract, titled "You don't have to be the NSA to Break
Tor: De-Anonymizing Users on a Budget," had attracted attention
within the security and privacy communities. The abstract had
been published on Black Hat's website but has since been
The U.S. government funded the creation and much of the
operation of Tor as a communications tool for dissidents in
repressive countries. But Tor has frustrated the U.S. National
Security Agency for years, according to documents released by
former agency contractor Edward Snowden.
That revelation has helped increase adoption by those
seeking privacy for political reasons, as well as criminals,
Some criminal suspects on Tor have been unmasked by the U.S.
Federal Bureau of Investigation and other law enforcement or
intelligence agencies using a variety of techniques, including
tampering with software often used alongside Tor.
In their now-vanished Black Hat abstract, researchers
Alexander Volynkin and Michael McCord, said "a determined
adversary" could "de-anonymize hundreds of thousands Tor clients
and thousands of hidden services within a couple of months," all
for less than $3,000. Neither man responded to a request for
Their summary said they had tested their techniques and that
they would discuss dozens of successes, including cases where
suspected child pornographers and drug dealers had been found.
In the best-known Tor case, U.S. authorities in October shut
down online drug bazaar Silk Road, a so-called hidden service
reachable only via Tor.
Tor Project President Roger Dingledine, lead developer of
the software, told an online mailing list that the project had
not requested the talk be canceled.
Dingledine said the nonprofit group was working with CERT to
coordinate disclosure of details on the researchers' attack on
He also said he had questions "about some aspects of the
research." In years past, other researchers studying Tor traffic
have been criticized for intruding on users' privacy.
This would not be the first time a talk has been canceled at
Black Hat. Presentations have been pulled from it and other
conferences under pressure from software makers or for other
(Reporting by Joseph Menn; Additional reporting by Jim Finkle;
Editing by Chris Reese, Jonathan Oatis and Dan Grebler)