Tor hacked via FBI fund: CMU “researchers” got $1M, it’s alleged

Here's the plan: We hold the world ransom for... ONE MILLION DOLLARS!

Capella/Eric’s Boy/Juno/KC Medien/Moving Pictures/New Line Cinema

The Tor Project is up in arms, alleging that the FBI paid Carnegie Mellon University “at least” a million dollars to unmask Tor users.

Tor is an anonymizing network overlay, partially funded by the U.S. Navy’s ONR. The allegation is that CMU researchers hacked Tor’s hidden services feature. The vulnerability exploited has since been fixed.

What price due process? It doesn’t appear that this was done under a search warrant. It’s alleged that the FBI allowed CMU to pretend that this was mere academic research. However, it walks and quacks like a fishing expedition.

If true, extremely worrying. In IT Blogwatch, bloggers worry about the constitutionality of fighting crime in this way.

Not to mention: What was wrong with Robin Williams? It's not what you think...

Your humble blogwatcher curated these bloggy bits for your entertainment.
[Developing story: Updated Saturday 2:54 am PST with an FBI sort-of-denial and more comment]

Tor Project co-founder Roger “arma” Dingledine rants, raves, and gets generally unhappy:

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers. ... Apparently [they] were paid by the FBI to attack...users in a broad sweep, and...find people whom they could accuse of crimes.

We have been told that the payment to CMU was at least $1 million.

We think it's unlikely they could have gotten a valid warrant...since it was not narrowly tailored...but instead appears to have indiscriminately targeted many users. ... We strongly support independent research on our software and network, but this attack crosses the...line [and] sets a troubling precedent.

The mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy.  MORE

Iain Thomson registers the complaint:

The Tor Project is claiming that [CMU] researchers...were paid a hefty bounty by the unmask the operators of...hidden servers [in] 2014.

[They’re] fuming that the FBI used the university to circumvent federal hacking laws.

For Tor to go on the record with such a claim indicates pretty strong evidence.  MORE

But wait. There’s more. Joseph Cox joins the dots to Silk Road 2.0:

An academic institution has been providing information to the FBI that led to the identification of criminal suspects...includ[ing] a staff member of the...Silk Road 2.0 drug marketplace.

It raises questions about the role that academics are playing in the continued crackdown on dark-web crime [and] the fairness of the trials:..Crucial discovery evidence has allegedly been withheld from both defendants.

The timeline lines up perfectly with [the] attack on the Tor network last year. ... This suggests that the FBI's Source of Information was whoever was behind this attack; an attack that may have swept up perfectly innocent users.

There is no hard evidence at this time that CMU was the source [but] circumstantial evidence points to it.  MORE

And Andy Greenberg pulls no punches:

Ever since a Carnegie Mellon talk on cracking...Tor was abruptly pulled from the schedule of...Black Hat...last year, the security community has been left to wonder whether the research was silently handed over to law enforcement.

[CMU] didn’t deny the Tor Project’s accusations, but pointed to a lack of evidence. “I’d like to see the substantiation for their claim,” said Ed Desautels, a [CMU PR person]. “I’m not aware of any payment.”

Tor’s Dingledine responded to that [by saying] it identified Carnegie pinpointing servers running on Tor’s network that were used in the de-anonymization technique. When it asked Carnegie Mellon if the servers were being run by its researchers...the anomalous servers disappeared...and the university offered no response. The $1 million payment...was revealed to Tor by “friends in the security community.”  MORE

Xeni Jardin writes with la plume de sa tante: [You're fired -Ed.]

It sounds like a serious ethical breach.

No official word yet from the FBI on any of this.  MORE

So what’s the biggie? The ACLU’s Christopher Soghoian cuts to the chase in three tweets:

CMU team used US gov funds to identify Tor users/hidden servers, turned over data to the FBI. At what point are they working for the gov?

The likely absence of IRB approval of CMU Tor research is even more problematic now that it looks like they turned user data over to the FBI.

Research ethics...aside, the most troubling thing [is] the FBI got Tor IPs without a warrant.  MORE

Update: A throwaway-account-Reddittor points the finger elsewhere:

This wasn't done by CMU, but (allegedly) by the CERT division of the SEI.

This isn't academia, it's a DoD funded research lab.  MORE

The FBI denies involvement, says Cyrus Farivar:

The FBI is denying that it paid $1 million to Carnegie Mellon .

"The allegation that we paid [CMU] $1 million to hack into Tor is inaccurate," an FBI spokeswoman [said, but] declined to respond to further questions.

It's not clear from the FBI's statement which part is inaccurate: the specific payment amount or its involvement.  MORE

And Finally...
What was wrong with Robin Williams?
[It wasn't Parkinsons]

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2015 IDG Communications, Inc.

Shop Tech Products at Amazon