Carnegie Mellon engineers aim to unmask anonymous surfing software



Two Carnegie Mellon University researchers may have removed the veil of secrecy from the Tor Project, a free software program that allows users to anonymously surf the Internet.

Tor was the preferred mode of covert communication used by Edward Snowden, a former National Security Agency contractor. Mr. Snowden leaked a trove of confidential documents that revealed secret snooping of personal communications conducted by the NSA.

Governments in the United States, Russia and Britain have worked for years to unmask users of Tor, which, according to the British Broadcasting Corp., has been linked to illegal activity including drug deals and the sale of child-abuse images.

It seems that the CMU researchers may have cracked it.

Alexander Volynkin and Michael McCord work at the university’s Software Engineering Institute, whose efforts in Oakland are financed by the Defense Department.

Mr. Volynkin was slated to give a talk titled “You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget” at the Black Hat USA hacker conference in Las Vegas beginning Saturday.

The talk was canceled after CMU said neither the university nor SEI had approved of the talk, according to a post by Black Hat organizers.

Messages left Wednesday night for Mr. Volynkin and Mr. McCord were not returned.

According to the university’s website, Mr. Volynkin is a research scientist and Mr. McCord is a software vulnerability analyst, both with SEI’s cybersecurity solutions department.

“Right now, I’m told we’re not commenting,” CMU spokesman Ken Walters said when asked Wednesday night about the scientists’ work.

SEI spokesman Richard Lynch said he could offer no elaboration beyond a schedule update added to the Black Hat conference website.

According to the Black Hat website, Mr. Volynkin has research interests that include network security, malware behavior analysis, advanced reverse engineering techniques and cryptanalysis. He wrote various scientific publications and a book on malware behavior analysis, and has a patent related to full disk encryption technologies, the site said.

One of Tor’s creators, Roger Dingledine, announced on his blog Wednesday that an attack on the site was discovered July 4.

He wrote that he believes the attack, initiated in January, was led by the CMU researchers, who were trying to “deanonymize users.”

“We spent several months trying to extract information from the researchers who were going to give the Black Hat talk,” Mr. Dingledine wrote. “They haven’t answered our emails lately, so we don’t know for sure, but it seems likely that” they were the hackers.

SEI is a federally funded research and development center with a mission to “research software and cybersecurity problems of considerable complexity,” according to its website.

In 2010, the Defense Department extended its contract with SEI through June 2015. The contract was worth $584 million, or a little over $110 million a year.

In what may have been a coincidence, the director of the FBI, James B. Comey, and the assistant U.S. attorney general for national security, John Carlin, came to Pittsburgh on Wednesday to laud the city's contributions to efforts to fight cybercrime.

Mr. Carlin spoke to a crowd of about 100 at the SEI in Oakland but didn't mention Tor.

Later, he stood beside Mr. Comey at a news conference at the FBI's Pittsburgh office.

Mr. Comey, who did not mention Tor either, said his plan to boost FBI staffing across the nation by 1,500 later this year will include sending more agents to the FBI's Pittsburgh office to focus on cybercrime.

Briefly touching on the first-of-their kind indictments of Chinese officials for stealing trade secrets from Pittsburgh-based companies, Mr. Comey said, “It is no coincidence the work that has come out of Pittsburgh is the product of something that I was just about to describe as magical. I hope it's not magical because that will be harder to replicate.”


Matt Nussbaum: mnusbaum@post-gazette.com or 412-263-1504; Bill Schackner: bschackner@post-gazette.com or 412-263-1977; Liz Navratil: lnavratil@post-gazette.com or 412-263-1510.

Join the conversation:

Commenting policy | How to report abuse
To report inappropriate comments, abuse and/or repeat offenders, please send an email to socialmedia@post-gazette.com and include a link to the article and a copy of the comment. Your report will be reviewed in a timely manner. Thank you.
Commenting policy | How to report abuse

Advertisement
Advertisement
Advertisement

You have 2 remaining free articles this month

Try unlimited digital access

If you are an existing subscriber,
link your account for free access. Start here

You’ve reached the limit of free articles this month.

To continue unlimited reading

If you are an existing subscriber,
link your account for free access. Start here