SoylentNews is people

posted by takyon on Thursday November 12 2015, @11:30PM
from the white-hat dept.

Wired and others are reporting on a Tor blog post claiming that Carnegie Mellon University researchers were paid by the Federal Bureau of Investigation to help attack Tor hidden services:

"Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes," Dingledine writes. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."

Tor's statement all but confirms that Carnegie Mellon's attack was used in the late 2014 law enforcement operation known as Operation Onymous, carried out by the FBI and Europol. That dark web purge took down dozens of Tor hidden services, including several of the most popular Tor-based black markets for drugs including the Silk Road 2, and led to at least 17 arrests. Tor, for its part, has made efforts to subsequently block the attack, which it says it first detected in July of 2014.

When WIRED contacted Carnegie Mellon, it didn't deny the Tor Project's accusations, but pointed to a lack of evidence. "I'd like to see the substantiation for their claim," said Ed Desautels, a staffer in the public relations department of the university's Software Engineering Institute. "I'm not aware of any payment," he added, declining to comment further.

Tor's Dingledine responded to that call for evidence by telling WIRED that it identified Carnegie Mellon as the origin of the attack by pinpointing servers running on Tor's network that were used in the de-anonymization technique. When it asked Carnegie Mellon if the servers were being run by its researchers—a suspicion based on the canceled Black Hat conference presentation—the anomalous servers disappeared from the network and the university offered no response. The $1 million payment, Dingledine says, was revealed to Tor by "friends in the security community."

Previously:

July 26, 2014: Russia Offers $111,000 to Break TOR Anonymity Network
September 30, 2014: Tor Executive Hints at Firefox Integration
November 8, 2014: Huge Raid to Shut Down 400-plus DarkNet Sites
November 10, 2014: Tor Project Mulls How Feds Took Down Hidden Websites
November 17, 2014: Is Tor a Honeypot?
December 22, 2014: Servers Seized After Tor Developers Warn of Potential Government Attempt To Take Down Network


  • (Score: 0) by Anonymous Coward on Friday November 13 2015, @08:35AM (#262559)

    On one hand I want the freedom to talk to people securely and *privately* if I so choose. On the other, I want to know that the tech I'm using for said secure communication is being tested. While the intent behind this does smack of the nanny state, their actions will undoubtedly result in a more secure TOR. So I don't know... Fuck it? Meh, fuck it...

  • (Score: 4, Interesting) by takyon (881) on Friday November 13 2015, @11:42AM (#262596)

    From the blog:

    Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

    This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 0) by Anonymous Coward on Saturday November 14 2015, @11:02AM (#263170)

      Common criminals or government abuse, same result. Regardless of the ethics/legality, a vulnerability or weakness was found and now the TOR devs will respond and future versions will be more secure. The TFA doesn't change that fact. While I agree that this is unethical, that is a separate issue.