Carnegie Mellon: We Didn’t Get $1M to Hack Tor

19 Nov 2015

An attack on Tor was launched early last year, lasted six months, and involved the use of malicious nodes on the network.

“There have been a number of inaccurate media reports in recent days regarding [our] Software Engineering Institute work in cybersecurity,” the university said in a statement. “In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,” it continued. “The university abides by the rule of law, complies with lawfully issued subpoenas, and receives no funding for its compliance.” At issue is a blog post from The Tor Project, which accused Carnegie Mellon researchers of accepting “at least $1 million” to attack Tor and uncover details about those trafficking in illegal goods on Silk Road 2.0. “Such action is a violation of our trust and basic guidelines for ethical research,” the Tor Project wrote. “We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.” Largely funded by the U.S.

A senior director at Tor – a service people can use to gain a higher level of privacy online – claimed that Carnegie Mellon University had accepted a seven-figure sum from the FBI. A federally funded technology research institute, criticised for its role in unmasking users of an Internet anonymity service, said it has complied with FBI subpoenas but has not accepted payment for identifying several suspects in a drug investigation. Since Carnegie Mellon’s researchers pulled their talk on cracking the protections of the anonymity software Tor from the schedule of the Black Hat security conference in 2014, the university has been nearly silent about rumors that their technique ended up in the FBI’s hands. Tor’s director Roger Dingledine wrote in a post last week that university “researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes”. In the statement, the university highlights that its Computer Emergency Response Team is part of a larger federally funded research and development center.

The university’s wording suggests it’s only dismissing The Tor Project’s claims that it accepted $1 million from the FBI — not that it disclosed research that led to the unmasking of possible criminal users. In its original post from this past week, Tor said it doubted the FBI would have received a valid warrant because the research and vulnerability exploitation was not “narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.” It also said, if proven true, this attack and fruitful law enforcement / university relationship would set a “troubling precedent.” “We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people’s privacy, and certainly cannot give it the color of ‘legitimate research,’” the blog post says. One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected. Even now—despite its flat denial that the FBI paid for its research—Carnegie Mellon’s statement doesn’t contradict Tor’s claims that its research was used to unmask criminals by or on behalf of the FBI. There are, of course, numerous university-based research institutes in the U.S., but Motherboard says Carnegie Mellon is at the top of that list in part because of a presentation it was scheduled to give at Black Hat 2014 about weaknesses within the Tor network.

Many in the security research community speculated then that government officials may have pressured the researchers to keep quiet about their de-anonymising technology. It resulted in the takedown of dozens of the Tor-protected servers known as “hidden services”—among them several of the most popular dark web black markets for drugs and other contraband including the Silk Road 2—and the arrest of 17 suspects. In response to WIRED’s request for comment, Tor Project spokesperson Kate Krauss writes that it still has “many questions about CMU’s new statement.” Those questions, Krauss writes, include how the FBI might have known what to subpoena from Carnegie Mellon, and whether Carnegie Mellon’s Institutional Review Board approved of its Tor research. In the meantime, however, the story of how the feds identified Tor users last year seems to be coming into focus—albeit through a process as messy as that anonymity-stripping technique itself.
