On the recent Black Hat 2014 Talk Cancellation

As posted by Roger on the Tor-Talk mailing list:

Hi folks,

Journalists are asking us about the Black Hat talk on attacking Tor that got cancelled. We're still working with CERT to do a coordinated disclosure of the details (hopefully this week), but I figured I should share a few details with you earlier than that.

1) We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.

2) In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat Webpage.

3) We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks. Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with.

[Edit 30 July 2014: here is the security advisory we posted.]

Or maybe because SOMEONE with big money doesn't want the public disclosure, and wants to keep secret about this generic bug

Or maybe because SOMEONE who earns big money from the government for his work at the Tor project used his connections doesn't want the public disclosure, and wants to keep secret about this generic bug

Conspiracy or not, time will tell...

I'm just wondering about the fact that 'coincidentally' your colleagues* disallowed the publication. I never claimed it was you personally who intervened. But there are a bit too many coincidences in this whole story in my humble opinion.

I call the CMU lawyers "your colleagues" because 'coincidentally' the CMU is sponsored by the Department of Homeland Security, which is -oh wonder- a part of the government that remunerates you and your Tor Project not quite bad.


July 22, 2014


Hi, looking forward to hearing about the paper.
Before you stopped Vidalia I used to have 2 browsers, the TBB without modifying it, and another one which I edited the proxy settings so it uses the normal connection. So I called this the secure browser, it worked great and it felt safe. Until you replaced TBB with TorBrowser and I no longer have the secure browser because each time I edited the proxy settings like above it stopped working completely. My question is where can I find the torBROWSER standalone? without the proxy settings? If it doesn't exist may I request you make it happen please? it would mean a lot to me and to everyone else, since we'd have the opportunity to use a secure browser with settings we trust.


July 22, 2014


Could you please clarify your blog post?

"..we were informally shown some materials" seems to directly contradict "...beyond what was available on the Black Hat Webpage."

Regardless of what happened here, this generally laudable attempt at transparency is not helped by overly dense and unclear writing.

So how screwed is everyone when the guy turns in his data to the FBI and the NSA?

Trust me, they knew before these researchers did.

That would also explain the deanonymization techniques they allude to in their "Tor Stinks" presentation - they've been able to deanonymize a particular target who's actively using the network.

Looks like someone bought this Tor deanonymization technique. Otherwise there would be no reason for not giving the Tor team full disclosure.

Well, if that's the conspiracy, it isn't working very well:

Also, why would they cancel the talk in that case, rather than proceed and just not mention the sekrit part?

"I think I have a handle on what they did"
Or maybe your assumption is wrong?

I don't think this technique is so complex that they can leave out the magic ingredient without voiding the whole talk.

Cool heads and tireless work on behalf of the community as always. A big thank you to arma et al.!

I don't like their wording there. It makes it sound so much more dramatic and accusatory. But then again, "Bug found in Tor, developers going to fix it" doesn't sound as dramatic.


And when you're done checking it out, then check out

Lots of good reading material there.

ooh, scary

TOR uses a number of servers. Why not go down to MESH (as defined by how to run a mobile-phone network without towers) i.e. every member is a TINY server. Not enough to noticeably but to increase paths by orders of magnitude. If the system deals with out of order packets - make sure some ARE.

Pity PGP is too slow (ATM) so data is different every time and harder to follow...

I really liked the presentation at last year's FOCI by the Berkeley folks on how mesh networks have some fundamental scaling problems.

I'm curious about the real-life implications of this, speculation aside. What do you recommend those of us who may have been targeted by either the BlackHat researchers or governments do now? Shut down my hidden service and talk to a lawyer or sit tight and do damage assessment? Basically, how likely is it that I'm screwed?



July 24, 2014



Elaborate please.

Maybe they collaborated with law enforcement to use their experiments to catch drug dealers and stuff, and they aren't allowed to talk about it yet because the investigation is still happening.

I doubt it. They were able to tell enough to Tor devs which they would not be allowed to do if they collaborated with law enforcement. Also that doesn't seem like them, it's out of character for someone who's trying to break and tell the devs how to fix tor to also tell law enforcement how. They could not do the vigilante thing and only give over IP addresses of people they deem worthy of deanonymization because law enforcement could not legally do anything with that list of IPs unless they collected it themselves, which would require being told the bug.

Now hotmail keeps bugging users to input a mobile number when using tor to sign in!
Yahoo also, but hotmail is worst.

Well since an ex NSA person got appointed what do you expect. They are such idiots they assume everyone in the world has a mobile phone. I do but screw giving them my number, better to dump the yahoo and hotmail accounts, groups, etc.

I have never abused Tor or used it for anything illegal in my western country, but to put it into perspective, how worried should I be if I were a terrorist using Tor, plotting to kill 10,000 people?

No terrorist in history has ever managed to kill 10000 people. Hence you must either be an incompetent (and harmless) or a state actor (and then deanonymizing you does not help).

Russian government offers 3.9 million rubles or $111k for the hack, if it really works:


Seems, the hack is really good?


One could be tempted to say "Come on, that's not enough, it's only half of what arma gets annually from the government to hush up possible exploits like this..."

And it's way less than the public research funding that goes to university research groups around the world to study and analyze Tor:

I agree. Russia is surely behind this. They offered $ 111.000 for cracking Tor network.

Sorry, but this doesn't make any sense to me. Is the theory that the CERT researchers noticed the Russian announcement, so they got the CMU lawyers to cancel the talk so they could secretly sell the topic of their talk to the Russians instead?

Remember that CERT's primary funder is the US Department of Defense.

Also, why cancel it and draw all this attention to themselves?

Also also, the Russian thing apparently can only be bid on by qualified people inside the Russian defense department equivalent.

It's hot to write about Tor these days, but that doesn't mean that every thing people find to write about is related.

Sorry, but I can't leave that uncommented:

"Remember that CERT's primary funder is the US Department of Defense"

arma, Remember that YOUR (primary?) funder is the US Department of Defense as well.

Yes, and this is a great reason for you to conclude that we're probably not being instructed by our funders to secretly sell our results to the Russians. :)

Learn about VPN and TOR right here


Why is it that when I exclude the major western countries from being used to build circuits via "ExcludeNodes" and "StrictNodes" I am not able to access hidden services?

Is this so that one cannot try to avoid NSA owned exit and entry nodes?

Each hidden service picks a set of relays at random to perform various components of the hidden service rendezvous (in particular, hidden service directory points and introduction points). Most Tor relays are in these major western countries (heck, most of the Internet is too). So when you tell your Tor never to interact with any of those relays, but it needs to talk to one in order to do the hidden service rendezvous steps, it's stuck.


As for NSA owned exit and entry nodes -- assuming they exist, how do you know what countries they're in? Seems like a tough gamble to win, especially when the cost is building circuits that look wildly different from the ones that normal Tor users build.

Thank you for your reply Arma.

So are you saying that regardless, the hidden service you are attempting to connect to controls the specifics of the circuit to be built without regard to one's local torrc config and that that will almost certainly include western countries owing to those being the most prevalent place that tor nodes are located?

I think no sensible argument can be made that USA based agencies like the NSA etc face certain inherent difficulties in establishing, administering and maintaining the integrity of tor exit and entry nodes in those countries that are not sympathetic to US plans to enslave their citizens in terms of many legal difficulties in doing so and so on.

Therefore, why not change the tor source to allow users to use torrc config entries to not use western countries and have the hidden services (and all tor nodes) respect that criteria when building a circuit?

For otherwise why even offer the excludenodes switch anyway if it is of no consequence?

The hidden service you're connecting to controls the specifics of the circuits it builds, including the introduction points it uses. Your client controls the specifics of the circuits on your side. During the hidden service rendezvous, you connect to relays that the hidden service has chosen, and ultimately the two circuits get glued together.

Really, you should go look at the URL I gave describing the protocol. Hidden services don't work the way you seem to think they do.

As for why excludenodes exists in the first place,
A) Hidden services are a tiny fraction of Tor use, and they haven't gotten much development attention, well, ever:
and B) You're right; that's why the FAQ entry recommends against using those torrc options for normal users:

Thank you Arma for your time to respond with further details, I shall look at the pages that you suggest to gain a better understanding.

Hi, I have found the Tor bug, it is some kind of obscure bug, but there it is: First, in your web server select with a click the IP of the tor exit node which is connected to your server, and press in your keyboard the keys: Up,Up,Down,Down,Left,Left,Right,Right,A,B and enter, this will show you the real IP of the client connected to your server.


I hear Black Hat has an extra slot open.

tor has its good points it stops people from being beaten unrecognisable. But the postings on here are from mentally defectives who have nothing of any interest to anybody they are transparent mentally defectives with their lizard people and flying saucers. Tor can stop somebody from being shot in the head or hacked to pieces with a machete. Or tortured and locked up in prison indefinitely in the U.S. without trial. It has its life-saving side but it's such a pity about these postings on here.