The Scandal Brewing at the Biggest Hacking Event of the Year

Jul 22, 2014 at 2:49 PM ET

The annual Black Hat conference in Las Vegas is the world’s premiere hacking showcase. Researchers stunned the attendees last year by intercepting audience members’ cellphone traffic using a simple hack on signal booster. And a hacker “jackpotted” an ATM onstage in 2010 by breaking into its network with a USB drive. 

One of the most anticipated conference talks this year in Las Vegas was to be from a pair of research scientists named Alexander Volynkin and Michael McCord on Aug. 6. They claimed they’d figured out how to hack Tor, the so-called “dark net” where users’ identities are completely anonymous.

Tor scrambles your IP address, which theoretically makes it impossible for government agents to track you online. It’s where sites like Silk Road, the online drug bazaar, famously operated for two years before the FBI shut it down.

As you can imagine, the talk was getting quite a bit of buzz in privacy and security circles leading up to the conference. After all, the duo, who work for both the Computer Emergency Response Team (CERT) and Carnegie Mellon University, seemed to insinuate that they’d figured out how to de-anonymize the anonymous web. That’s something even the NSA can’t seem to do.

But Black Hat conference organizers canceled the speech yesterday and scrubbed details about the demonstration from its website. “Unfortunately, Mr. Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet approved by CMU/SEI for public release,” conference organizers wrote on the site. “As a result, we have removed the briefing from our schedule.”

Volynkin’s talk, which was titled “You Don’t Have to Be the NSA to Break Tor: De-Anonymizing Users on a Budget,” claimed the pair would present a paper on how to “de-anonymize hundreds of thousands Tor clients” within a couple of months and for under $3,000. In their briefing, Volynkin and McCord wrote that “newly discovered shortcomings” in the design and implementation of Tor “can be abused to break Tor anonymity.” You can read a full cached version of the speech summary here, thanks to the Wayback Machine.

Reuters reported last night that the talk was canceled “at the request of attorneys for Carnegie Mellon University,” but didn’t provide further clarification.

At this point, there’s no smoking gun conspiracy theory, but it does raise some eyebrows about what Volynkin and McCord have discovered. If they have indeed developed a method for de-anonymizing the dark net, it would be a huge development in crypto and cybersecurity circles.

Tor, for its part, maintains that it had nothing to do with the canceled speech.

I’ve reached out to Volynkin and McCord and will update if I hear back.

In the meantime, the online hacking community has been speculating about the last-minute scratch. “This talk may have been viewed as crossing streams that he could not cross,” writes one commenter on Hacker News. “He likely had to get the talk approved by whoever manages his clearance to ensure his talk is not leaking secret information. Someone further up the chain may have caught wind and pulled it.”