FBI paid Carnegie Mellon $1M to break Tor

[Guest]

In one of the more startling blogs to come out of the Tor Project, the team responsible for maintaining the Tor anonymizing network has claimed the FBI paid researchers at Carnegie Mellon University $1 million to disclose techniques they’d discovered that could help uncover the identities of users.

 

The story goes all the way back to early last year, when an unknown entity started attacking the Tor network, which uses a range of nodes to direct users’ encrypted traffic through, including exit relays, which act as the last hop between the Tor network and the so-called “clear web”. The Tor Project only noticed in July that a group of malicious relays were trying to pick out people who were looking for Hidden Services – sites hosted on Tor that are supposed to offer more privacy. They used a mix of nodes and exit relays, along with some vulnerabilities in the network protocol that allowed for users’ real IP addresses to be discovered.

 

Those relays were subsequently removed and that appeared to provide some closure. But when a Carnegie Mellon talk from researchers Alexander Volynkin and Michael McCord on de-anonmyizing Tor users was cancelled at Black Hat 2014 with no explanation, suspicions were aroused that their techniques were used in the attacks described by the Tor Project. The talk promised it was possible to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” and they could prove it with examples of their own work identifying “suspected child pornographers and drug dealers”.

 

Some claimed this was all but confirmed this week, as Motherboard reviewed court filings that proved the FBI had indeed recruited a research institute that was running systems on the Tor network to uncover the identity of a user of Silk Road 2, the drug marketplace that replaced the first version run by Ross Ulbricht. That user – Brian Richard Farrell – was arrested in January 2014.

 

But so far the FBI and Carnegie Mellon have neither confirmed nor denied any deal took place.

 

The Tor Project, however, is being more garrulous, as Roger Dingledine, the organisation’s leader, issued a brief diatribe against unethical use of research, claiming innocent users of the Tor network were likely unmasked. “Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” he wrote.

 

“We have been told that the payment to CMU was at least $1 million. There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon’s Institutional Review Board.

 

“We think it’s unlikely they could have gotten a valid warrant for CMU’s attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.”

 

Dingledine had not returned a request for comment on where he came by that figure. In his blog, he said the researchers had crossed the line from doing research that helps identify vulnerabilities in the Tor network to endangering innocent people.

 

But making a claim of a $1 million payment without substantiating evidence might also be a step too far.

 

Source: http://www.forbes.com/sites/thomasbrewster/2015/11/11/tor-fbi-cmu-controversy/

 

The head of the Tor Project has accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.

Neither Carnegie Mellon officials nor the FBI immediately responded to Ars' request for comment. If true, it would represent a highly unusual collaboration between computer security researchers and federal authorities.

 

Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, did not deny the accusations directly but told Wired: “I’d like to see the substantiation for their claim,” adding, “I’m not aware of any payment.”

 

One of the IP addresses revealed belongs to Brian Farrell, an alleged Silk Road 2 lieutenant who is due to stand trial in federal court in Seattle later this month. A new filing in Farrell's case, which was first reported Wednesday by Vice Motherboard, says that a "university-based research institute" aided government efforts to unmask Farrell.

 

Source: http://arstechnica.com/tech-policy/2015/11/tor-director-fbi-paid-carnegie-mellon-1m-to-break-tor-hand-over-ips/

 

It's believed that the information pulled during the five months the attack was running was used in Operation Onymous, a joint mission against dark web marketplaces and sellers, carried out by Europol, Eurojust, the FBI, the US Department of Homeland Security, and other governmental agencies. The operation was responsible for the arrest of 17 sellers and site administrators, the shuttering of around 410 hidden services only accessible through Tor, and the seizure of $1 million in Bitcoin.

 

The Tor Project questioned the legality and ethical basis for the attack, and the collusion between a research institute and the FBI. "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board," the group wrote in a statement. "We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once."

 

Source 1: http://www.theverge.com/2015/11/11/9719098/fbi-reportedly-paid-1-million-carnegie-mellon-tor

Source 2: http://www.wired.com/2015/11/tor-says-feds-paid-carnegie-mellon-1m-to-help-unmask-users/?mbid=social_twitter

 

I personally never liked the platform tor laid out when they released it

I knew something was bound to happen considering the skill of the people utilizing it

It looks like the government is now involved in the already spiraling situation tor has been over for a few years

 

[Syntaxvgm]

Is....is this legal?

Or is it eventually gonna be retroactively legal? 

[KemoKa]

Is....is this legal?

Or is it eventually gonna be retroactively legal? 

Pretty much ^This. if it's not legal now, the government will retroactively make it legal and disavow all knowledge of it ever being illegal. And without our consent.

[FelixMemoria]

On what level is this legal? The, we are the government and therefore don't give a shit level?

[patrickjp93]

Is....is this legal?

Or is it eventually gonna be retroactively legal? 

It's completely legal. The FBI has broad authority to go after drug traffickers, so any attempt to get at the Silk Road is covered by warrants. Whether or not they catch other people's identities in the process is a foregone conclusion and is unavoidable. You expect police to be able to do their job and then not actually have the power to do it?

[AresKrieger]

Is....is this legal?

Or is it eventually gonna be retroactively legal? 

Technically the government made tor, so more so legal than other crap they did, this is actually pretty tame for the FBI, considering they were founded with the intention to poison Americans.

[patrickjp93]

Technically the government made tor, so more so legal than other crap they did, this is actually pretty tame for the FBI, considering they were founded with the intention to poison Americans.

citation?

[AresKrieger]

citation?

Prohibition one of the stupidest things the US did http://www.slate.com/articles/health_and_science/medical_examiner/2010/02/the_chemists_war.html

[Biased Opinion]

citation?

does not need a citation, its common knowledge is the same way we all know that jet fuel cant melt steel beams.

[patrickjp93]

does not need a citation, its common knowledge is the same way we all know that jet fuel cant melt steel beams.

 

Except that claim's BS in a closed room with insulation locking heat in (building it up way beyond the ignition point of jet fuel).

[AresKrieger]

citation?

Apparently they were formed slightly earlier than I remembered (1918 is when I thought not 1908), they were given more power to poison americans, regardless they killed about 10,000 people

[Trik'Stari]

Is....is this legal?

Or is it eventually gonna be retroactively legal? 

Nothing the government does is illegal. Why? Because they're the government. They can just change the rules on a whim to say "this is, and was legal"

 

Doesn't make it right or wrong, just makes it legal. Because they''re the government.

[CommandMan7]

Humans and their devices can always be compromised - the fundamental laws of nature, however, cannot. Until quantum encryption is made available, absolutely nothing short of a hard drive disconnected and locked away is safe from unwanted access (actually the gov has stuff that hides in storage device firmware. Let's say the DoD puts this on their computers - if a hard drive containing secrets ever escapes, just make the firmware erase the drive when it's connected to another PC) is safe from unwanted access.

[Arty]

Except that claim's BS in a closed room with insulation locking heat in (building it up way beyond the ignition point of jet fuel).

The governemnt is hiding the truth, of 9/11 so until they tell us the turth, it remains that busch did it.

[qwertywarrior]

a bit of wrong info in this article