Weakness was topic of talk abruptly pulled from security conference.

Developers of the Tor privacy service say they're close to fixing a weakness that researchers for an abruptly canceled conference presentation said provides a low-cost way for adversaries to deanonymize hundreds of thousands of users.

The talk previously scheduled for next month's Black Hat security conference in Las Vegas was titled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget." The abstract said that the hack cost less than $3,000 and could uncloak hundreds of thousands of users. On Monday, Black Hat organizers said the presentation was canceled at the request of attorneys from Carnegie Mellon University (CMU), where the researchers were employed, as well as the Software Engineering Institute (SEI). The attorneys said only that the materials to be presented "have not yet been approved by CMU/SEI for public release." Researchers Alexander Volynkin and Michael McCord have yet to explain why their talk was pulled.

Tor officials responded by saying that they're working on an update for individual Tor relay nodes that will close the unspecified security hole.

"Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found," Tor project leader Roger Dingledine wrote in an e-mail to Tor users. "The bug is a nice bug, but it isn't the end of the world. And of course these things are never as simple as 'close that one bug and you're 100% safe.'"

He said the fix was complicated because the researchers didn't provide all the technical details when privately informing Tor officials of the vulnerability.

"We've been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they'd opted to tell us everything," he wrote. "The main reason for trying to be delicate is that I don't want to discourage future researchers from telling us about neat things that they find. I'm currently waiting for them to answer their mail so I can proceed."

In a previous e-mail, Dingledine said Tor developers "informally" received some materials related to the vulnerability. He went on to say Tor officials played no role in the cancellation of the Black Hat talk.

"We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made," he wrote.

CMU is affiliated with CERT, which coordinates security disclosures between researchers and affected parties. A CMU spokesman contacted Monday didn't elaborate on the reasons for pulling the talk.