[x1798DE]

I have to imagine that this is for some sort of internal bureaucratic reason. I don't see who is in a position to even want to stop this talk - almost certainly not the Tor project itself.

The mundane (and thus most likely) answer is that the CMU lawyers wanted to pull it either because they want to sort out some sort of intellectual property first, or they're worried about some sort of liability.

[tedks]

I would imagine the researchers broke quite a few laws verifying this attack on the public Tor network, if they indeed did so. And since Tor is incredibly hard to simulate at that level, it's likely that they did. Even if they developed the attack on a simulated network they may have run the tool for verification against the live network. Maybe they did it to de-anonymize a drug marketplace or something else they thought they could get "ethical hacker points" for. Maybe they sent the information to the feds and thought they were doing the right thing.

This is something that has always been legally murky, enough so that I feel like some technical people could decide that they didn't care and just go with it. More people under them might have as well, pulled along by sheer groupthink if not genuine agreement.

This attack was unique not in that it made strong claims, but that it had unusually specific strong claims that indicated some amount of empiricism. I feel like you could only reasonably claim that number if you actually tested it against a very strong network simulation (which doesn't exist for Tor) or the real network.

It's not like other researchers haven't done similar things to get results about Tor. There are a few workshop and academic conference papers that talk about results obtained by analyzing Tor traffic; this is technically wiretapping according to the Tor project, but previously it's always been mundane enough that nobody has gotten involved. This experiment might have compromised some people's very personal information, and it's incredibly public.

This is all really just an expansion of "they're worried about some sort of liability." In any case that's by far the likelier of the two; I can't imagine you could sell IP related to this.

[x1798DE]

>This is all really just an expansion of "they're worried about some sort of liability." In any case that's by far the likelier of the two; I can't imagine you could sell IP related to this.

I more or less agree that liability seems more likely, but I have no idea what the nature of the attack is, so it's always possible it's an offshoot of some other research they are doing which can be patentable. Alternatively, it could be that CMU procedure is to require approval for all talks for brand and IP protection reasons and he just hasn't gone through the proper procedure, so in the meantime they pulled it (rather than pulling it in response to an actual analysis of the talk). This last one seems unlikely, though, as you'd imagine there was no rush to pull the abstract (which contained no details).

[tedks]

At a school like CMU it's hard for me to believe they'd cancel a researcher's talk because it wasn't properly disclosed. It'd create a headache for the IP team, but they wouldn't cancel the talk. That just makes them look awful.

[andor]

I don't see who is in a position to even want to stop this talk

A government agency that wants to stay a step ahead of the competition or of its targets?

[x1798DE]

It's possible, but I think that's the paranoid / Hollywood spy version of this. Not saying that this sort of thing doesn't happen - the spy agencies take themselves very seriously but aren't big on effective policies anyway, but unless there's a specific operation that is relying on this specific exploit, and someone in the government got advance details of the nature of the exploit, it doesn't seem to have a particularly high prior probability. Anyone with a significant budget can probably pay for any number of zero days so they don't have a single weak point like "if anyone fixes this bug in the software our operation / malware will stop working".

Generally when you see some outside force trying to suppress security research and the presentation thereof, it comes from the companies who will actually have to fix the problems and deal with support calls (or companies who feel that security through obscurity is sufficient and are hoping to somehow suppress the information from ever getting out). In this case, that would be maybe the Tor Project, but they generally are very receptive to this kind of thing.

[toyg]

Or a University who doesn't want to get sued / get bad publicity for screwing with a tool used by government agencies...

[MacsHeadroom]

Legality aside, I'm surprised this wasn't pulled on ethical grounds. Does Black Hat not require "researchers" to follow responsible/coordinated disclosure?

What about the political dissidents who use Tor? They could be at risk of certain death if caught by the authoritarian regimes they live under. Without coordinated disclosure, the "researchers" might as well have been signing death warrants.

[tptacek]

Black Hat is a venue for presenting research. They don't influence the procedures used by researchers at all. And the Black Hat review board is not stuffed full of people who buy into "responsible disclosure".

In fact: I'm not aware of a vulnerability research conference that does get nosy about this stuff. I even reviewed for Usenix WOOT one year, and we didn't vet research for "coordinated disclosure". Not even Usenix works the way you want BH to.

[dllthomas]

"at risk of certain death"

That's an odd construction...