[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] BlackHat2014: Deanonymize Tor for $3000



Can anyone from the Tor Project jump in to say whether these guys have
reached out or not?

We should be concerned about another CCC-style "0-day" presentation where
they find a legitimate vulnerability that could have been patched prior,
but are using it as a PR stunt to boost book sales as opposed to
responsible disclosure. Alexander Volynkin [1] and the grad student Michael
McCord, [2] both stand to benefit professionally/financially from
disclosing a vulnerability in as dramatic form as possible.. and of course
picked up and misinterpreted by the media.

I'm raising this concern based solely on the negative phrasing in the
description.
> ...It has also been used for distribution of child pornography, illegal
drugs, and malware. Anyone
> with minimal skills and resources can participate on the Tor network.
Anyone can become a
> part of the network. As a participant of the Tor network, you can choose
to use it to
> communicate anonymously or contribute your resources for others to use.
There is very little to
> limit your actions on the Tor network. There is nothing that prevents you
from using your
> resources to de-anonymize the network's users instead by exploiting
fundamental flaws in Tor
> design and implementation. And you don't need the NSA budget to do so.
Looking for the IP
> address of a Tor user? Not a problem. Trying to uncover the location of a
Hidden Service? Done.
> We know because we tested it, in the wild...

Worst case stated, I don't want to hate on researchers -- the two should be
praised for their research if they have something new and they've already
been working with the Tor Project team to get it resolved.

If I were a betting person, a beer says that they will be summarizing the
current issues with hidden services, and as Adrian said, doing a client
side disbanding attack (e.g. Java + DNS)

[1] https://www.blackhat.com/us-14/speakers/Alexander-Volynkin.html
[2] https://www.blackhat.com/us-14/speakers/Michael-McCord.html


On Thu, Jul 3, 2014 at 7:58 PM, Seth David Schoen <schoen@xxxxxxx> wrote:

> Adrian Crenshaw writes:
>
> > Best guess, many client side and web app attacks Tor can't do much about.
> > (My talk at Defcon will cover a bunch of folks that got Deanonymized, but
> > in every case it was not Tor that was really broke)
>
> The description on the Black Hat site refers "a handful of powerful
> servers and a couple gigabit links" that are operated for "a couple
> of months", which sounds like this involves actually running nodes and
> getting the attack targets to build circuits through them.
>
> --
> Seth Schoen  <schoen@xxxxxxx>
> Senior Staff Technologist                       https://www.eff.org/
> Electronic Frontier Foundation                  https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk