Did the FBI Pay a University to Attack Tor Users?

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/

Here is the link to their (since withdrawn) submission to the Black Hat conference:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
along with Ed Felten's analysis at the time:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/

We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks. If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

When we learned of this vulnerability last year, we patched it and published the information we had on our blog:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/

We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research".

Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent.


http://motherboard.vice.com/read/court-docs-show-a-university-helped-fbi-bust-silk-road-2-child-porn-suspects

article link

It is TOR's failure to protect the hidden services, not the FBI's failure in choosing to take advantage of a disclosure issue. If your code is spilling everyone's information everywhere, don't go crying about how you're the real victim.

Tor is getting a bad reputation for its criminal infestation. Many people's first introduction to Tor hidden services is so they can pay a bitcoin ransom, or they hear you can get drugs or child porn on there. The FBI is totally justified in doing everything they can to find and shut down the sites. Every prosecution was against pedophiles and drug sites, and it's clear that they aren't going after innocent people for visiting innocent websites.

Oh, let's not forget some FBI undercovers have also been caught with their fingers in the bitcoin tills and running rackets too, not just the criminals. And the crime fighters also need TOR as much as the criminals and oppressed people too.

I believe the folks at the TOR project are doing a public service by making these open source tools available to the public. It would be naive to think that these sorts of networks don't exist outside of TOR... I think the important question here is whether such networks should be accessible by any individual who wants to access them for the sake of anonymity and privacy. This isn't a "good guys versus bad guys" scenario, it is a privacy issue. Darknets and obfuscated digital networks are always going to be available to law enforcement and militaries. So, why shouldn't you be allowed to have access to something similar for the sake of your privacy? Clearly, there is a criminal element to TOR but the significance of the project extends well beyond criminal activity and restricting the public's access on the basis of that criminality would be a genuine disservice, in my opinion.

I also believe that any alternative to TOR would face the same challenges if it came under such scrutiny.

http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden

>It is TOR's failure to protect the hidden services, not the FBI's failure in choosing to take advantage of a disclosure issue. If your code is spilling everyone's information everywhere, don't go crying about how you're the real victim.

Classic victim blaming. Tor never made any claims to being perfectly secure. If I stumble across a poorly secured website, do I have the right to break into it, because someone might be doing something bad on it?

>Every prosecution was against pedophiles and drug sites, and it's clear that they aren't going after innocent people for visiting innocent websites.

The attacks performed didn't make a distinction between those targeted for investigation and everyone else. You don't get to wiretap my phone because someone down the street is a drug dealer, even if you don't prosecute me for anything. Or more analogous, you don't get to pay the phone company to wiretap me and hand over the recordings as a way of avoiding the legal process entirely, all for a crime I didn't commit or was ever even accused of committing.

"The FBI is totally justified in doing everything they can to find and shut down the sites."

Actually that's where I would disagree. Sure, the FBI should go against people doing illegal things, but that doesn't equal justification of every form of prevention/investigation they can think of. For example if you're trying to get information out of someone, that doesn't justify torture even if the information is important. Or in this example, it doesn't justify invading the privacy of many innocent people. The same way you don't get a search warrant for all houses of a city just because you're quite sure there are some people doing bad things living in this particular city. (Even if that'd prove quite effective.)

"Tor is getting a bad reputation for its criminal infestation."

I won't deny this. Even though I don't understand why people don't do proper research themselves and then notice that Tor itself is not at fault. I'm just not sure how this relates to your other arguments. Just because something has a bad reputation that automatically leads to fewer rights?

Except their actions didn't only affect the anonymity of "pedophiles and drug sites". It affected everyone that made use of those compromised relays. Not cool.

Maybe every prosecution where we *know* they gained information from this was against pedos and drug sites, but we know the US government uses illegally obtained information to create investigations and cover up their sources.

http://mobile.reuters.com/article/idUSBRE97409R20130805

Bypassing the fourth amendment undermines public trust, and they're spending extravagant amounts of tax money to orchestrate a cyber attack to do that. The FBI is perfectly able to investigate crimes within the scope of the law, and they've been doing that successfully for a very long time. Behaving in this way is harmful to their own mission.

Also, Tor is a tool, and can be used for many purposes. If someone commits a murder with a hammer, would you blame the tool manufacturer for making weapons?

This is garbage. If I put a lock on my door that is breakable and then the FBI come and break into my house without a warrant, the FBI are in the wrong, not the lock maker. You sound like an idiot when you make such blatantly dumb arguments.

You have to be dumber than a bag of nails to have just said what you said. Try reading next time.

You say Tor is getting a bad reputation for its criminal infestation. You fail to realize that the problem is not technology. That criminal infestation you are talking about such as the ones you mention are social problems not technological ones.

I wish some CMU students, faculty, or alumni would start a petition demanding that the university return this dirty money, or at least donate the same amount to The Tor Project.

The board's heads should roll on this, disgusting people. I'm sure the FBI could have social engineered the child abusers and caught them anyway.

There is a difference between reparations and repentance. You shouldn't ask them to support TOR, but rather just admit activity and refuse to participate in the future.

All fair points, but this post equates CERT/SEI, which is where this work was allegedly done, with Carnegie Mellon and that is a bit misleading. CERT/SEI are not academic departments, but a semi-autonomous FFRDC within CMU. This is somewhat similar to the relationship between JHU APL and Johns Hopkins, MIT Lincoln Lab with MIT, GTRC with Georgia Tech...

Whether universities should host and support such centers is a matter of debate (e.g., in 1970, SRI became completely independent from Stanford), but equating directly these centers with traditional academic research departments is quite a shortcut.

> I wish some CMU students, faculty, or alumni would...

...contribute back to Tor, improving any weakness they found. great security research there.

It was probably not CMU per se, but CMU's Software Engineering Institute (https://www.sei.cmu.edu/), which specifically works with defense agencies, government organizations, and the intelligence community (with the private sector as something of an afterthought). The SEI seems to be exempt from the usual research ethics review process due to the nature of their connections (an org that has and uses a SCIF tends to be able to get some exceptions to the usual processes). If anything, it was probably a "We need this, we'll pay you to do it, get to work" kind of deal.

Like most FFRDCs, CERT/SEI will basically take as much money as they can regardless of ethics or ability to deliver on contracts.

Dear 'anonymous' authors of the comments above, your names, addresses and social security numbers have been forwarded to the CMU principal for immediate academic suspension.

- FBI

Well, I used Tor Browser for commenting ;)

Can CERT/SEI be sued for illegal wiretapping?

Seems like Institutional Review Boards would be a good way to have recourse for these kinds of things. If the Institutional Review Board makes an error they are liable. Pretty straight-forward. Maybe have a list-of-suggested-guidelines for IRBs.
