Carnegie Mellon Denies FBI Paid For Tor-Breaking Research (wired.com) 79
New submitter webdesignerdudes writes with news that Carnegie Mellon University now implies it may have been subpoenaed to give up its anonymity-stripping technique, and that it was not paid $1 million by the FBI for doing so. Wired reports: "In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder. But it instead implied that the research may have been accessed by law enforcement through the use of a subpoena. 'In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,' the statement reads. 'The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.'"
So... (Score:2)
Re: (Score:3)
I'm thinking Astroglide. You can figure out the rest.
Re: (Score:3, Insightful)
...what was the $1 million for? What did the taxpayers get out this?
I bet it would have cost them a lot less than $1 million to hire a lawyer and at least make even the most feeble effort to resist this subpoena.
Re: (Score:2)
I bet it would have cost them a lot less than $1 million to hire a lawyer
You're talking at least one meeting with the client, research, a letter, a follow-up, an expense account, and preparation fees for itemized billing. Yeah, this shouldn't have cost more than half a million going through a reputable lawyer. Or a unicorn-riding leprechaun.
Re: (Score:3)
So, when gathering the info, they technically provided free labor to the FBI in doing so, right? Even if it's just pointing them to the correct paperwork.
They probably compared the cost of said free labor, against the cost of being penalized for failure to comply with a subpoena, and decided that the former was much cheaper than the latter.
In the "land of the free" of course.
Re: (Score:3)
In the "land of the free" of course.
Don't forget "home of the brave". The brave thing to do is of course to say "yes, sir, how high, sir?"
What's the current definitions of "free" and "brave" again?
It might be better if we just went back to the original lyrics. "to entwine the myrtle of Venus with Bacchus' vine" seems like a much more achievable sentiment.
Weasel Words (Score:5, Insightful)
"Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder."
Now if that word "direct" had not been there I would have a little more faith.
As well know , there are hundreds of ways to indirectly pay for stuff...... "Hey here's some money for your sports team", "hey here's some money for your building funds", etc etc etc etc etc
Re:Weasel Words (Score:5, Insightful)
The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC), similar to places like Los Alamos, Sandia, or Lincoln Labs. So yes, they certainly receive funding from the government, and that probably includes funding from the FBI.
It sounds like what they are saying is that they were doing general research on Tor as part of their normal research activities. Funding for this, like all other research they do as an FFRDC, comes from the federal government in some form. So yes, indirectly I'm sure the government paid for the research, but that does not seem shocking.
All in all, it's hard to understand what all the fuss is about for this, it seems pretty much in line with the goals of an FFRDC to do this type of research.
Police State Lapdog (Score:5, Insightful)
Yes, all they did was merely destroy the trustfulness of the CERT process to warn EVERYONE of vulnerabilities in software, instead of delightedly handing it over to the descendants of J Edgar Hoover and not bothering to tell the software maintainers anything. This is the main point; the million pieces of silver were just added insult.
Re: (Score:3)
"Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder."
Now if that word "direct" had not been there I would have a little more faith.
As well know , there are hundreds of ways to indirectly pay for stuff...... "Hey here's some money for your sports team", "hey here's some money for your building funds", etc etc etc etc etc
You forgot government grants. As the government gets more corporatized (even the good "public servants" are just less corrupt), you sure as hell can bet that the grant proposal/acceptance process can become part of the corruption (oh, look CMU - such nice grants proposals you have there ... )
Re: (Score:3)
Mr. Burns: I see. Well, I- ...Oh, that reminds me, it is time for your annual contribution. How much should I give?
Male Admissions Officer: Well frankly, test scores like Larry's would merit a very generous donation. A score of 400 would require new football uniforms. 300 would require a new dormitory. And in Larry's case? We'd need an international airport.
Female Admissions Officer: Yale could use an international airport, Mr. Burns.
Re: (Score:1)
"Here's $1MM of additional grant money to extend your work on breaking onion routing."
Re: (Score:2)
Here's $1MM
Did you fail in science class? Or is that supposed to stand for $1 mega million?
Re: (Score:2)
Re: (Score:1)
There, you can tell your classmates you learned something today [accountingcoach.com]. Now go back to class.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
In recent years people started using k to denote 1000? What kind of drivel is that? Only if 1799 is recent...
http://physics.nist.gov/cuu/Un... [nist.gov]
M for Mega or Million has been used for a very long time. MM only makes sense in Roman times, who the hell uses M to denote 1000 besides the Romans? Do you often mix Roman Numerals and Latin Numerals in the same sentence? Also, since when is MM equal to M multiplied by M instead of M plus M as Roman numerals work? MM is 2000, not 1,000,000.
Re: (Score:1)
Re: (Score:2)
Yes, we all think you really are that fucking stupid. You can't read the 10 or so comments just above yours where they detail that the Software Engineering Institute is federally funded, and so quite literally, the research was indirectly funded because it was federally funded.. Heck, that response was like 45 minutes before yours.
Re: (Score:1)
Re: (Score:1)
Most likely the person writing the report is annoyed at having to lie. And this is their way of making it obvious.
Re: (Score:2)
Re: (Score:3)
It says: "'The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.'"
Right, no funding for compliance to the subpoena. If they got paid for doing any work isn't even a part of the sentence.
Re: (Score:1)
"Hey here's some money for your sports team"
Your main point has merit, but this particular one cracks me up.
I think I've had one discussion ever regarding our sports teams, and it was from someone who was a member of a rival div iii football team.
Liars (Score:5, Insightful)
"hadn’t received any direct payment for its Tor research from the FBI or any other government funder"...
So they have received indirect payments or have received direct payments from non-government funders.
That's like when the Bush administration found "dozens of weapons of mass destruction related program activities" in Iraq, but no actual WMDs.
Re:Liars (Score:5, Informative)
"hadn’t received any direct payment for its Tor research from the FBI or any other government funder"...
So they have received indirect payments or have received direct payments from non-government funders.
Yes, that is exactly true. I'm assuming you didn't read the actual statement by the school.
It begins: "Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues."
So there you go, a blatant admission to an indirect payment. The government did not say "We will pay you to develop this specific technology" which would have been direct. The government told that lab, and many more, "Here is money to research this type of technology generally", and the lab happened to fund that project among many others, yielding an indirect payment. What most people probably didn't expect, the lab included, was that they would get a subpoena demanding the research.
While the tin-foil hat may be necessary elsewhere, no need for it here. The lab has always openly admitted to the indirect funding from federal grants. In their research papers, and in fact in the vast majority of university research papers, there is a line about the grants funding the lab. That is a non-secret.
Re: (Score:2, Insightful)
Yes, I saw the wired statement first, which is more weasely, but the point stands--it is not an effective denial because it's not a statement as to what exactly happened. It is a non-statement that has gone through a communications office and/or legal counsel so that it ends up not saying anything. No sane reader would believe it as a denial, because it's not one. Of course that *could* be incompetence and stupidity, but why assume incompetence and stupidity when you're dealing with a high-quality engine
Re: (Score:2)
Re: (Score:1)
Besides, everybody knows that it's the NSA that pays for this type of research, not the FBI.
Most likely, the NSA didn't want to share the core technology, so the FBI just ripped off the NSA by going after its minions.
Wording is quite telling. (Score:2, Troll)
Wouldn't fool a 1st-year philosophy student (Score:1)
Inexpensive aquisition of intellectual property (Score:2)
Re: (Score:2)
Well, subpoena's don't change intellectual property rights, so I'm not 100% sure how that would be relevant.
Re: (Score:2)
Carnegie Mellon = fucking punks (Score:1)
I guess they couldn't be bothered to say "no" to the FBI. A "subpoena" does not over-ride intellectual property rights. With all the money Carnegie Mellon has, they might have at least put up a little fight.
But the fact is that this is not the first time that Carnegie Mellon has done work for the government against the public interest.
Re: (Score:3)
Carnegie Mellon is one of the biggest academic military contractors in the US. They've been developing surveillance tools for the NSA for decades, as well as developing weapons for the purpose of "crowd control" and other aspects of domestic policing..
Look at this article, and when you read the word "cybersecurity" be aware that it's being used as a synonym for "surveillance".
https://thetartan.org/2015/8/3... [thetartan.org]
https://books.google.com/books... [google.com]
Re: (Score:2)
I still agree with you that they should have fought it more, and it's definitely against the public interest, but I don't know if an IP tactic would have worked.
"DIRECT" payment (Score:2)
Watch for weasel words...
Anonymous accusation (Score:2)
Re: (Score:2)
This smells to me... (Score:2)
$1M or not $1M here is the important bit (Score:3)
OK lets accept for not that CMU did not receive payment for their data and that they only gave up their data upon subpoena, it really was just icing to the real issue. That of the un-ethical disclosure of peoples private data resulting in an indirect FBI evidential fishing exercise, which is allowed in discovery unless the evidential collection is prompted (hence the $1) which would render it 'fruit of the poisoned three' and why there is perhaps so much emphasis being placed upon payment.
Remember this, any entity involved in security research or even just a business can be subpoenaed for their data and required by law to not disclose the fact of the request. Further, resisting such requests can lead to extended legal difficulties; just ask Ladar Levison ( https://en.wikipedia.org/wiki/... [wikipedia.org] ).
So what CMU did wrong here (if current evidence is correct) was to collect and keep significant personal information as a result of their 'Research', which is incompatible with what security research is about. If there had been an Ethical Review Board of the ongoing CMU research this should have been noticed and changes made.
Thus, what could CMU have done.
* They could have set up an internal Review Board to review the ethical, legal and other issues of such research {they admit they did not}
*They could have designed the data collection part of their exploit to anonymize data such that connection inferences can be made without disclosing actual IP addresses ( simply make a salted hash of each IP address ) {they did not}.
* They could have limited collection to just what was needed to prove the exploit and then shut it down {they did not}, instead they ran it for over 3 months.
* Upon proving the method they could have immediately followed responsible disclosure and briefed TOR group {they did not}
* If the research was launched initially by an FBI request or similar, they should have taken legal advice and realised that they could not do this ethically or follow the above and thus NOT agreed to do it {Clearly if so, they failed}
So in closing take note, in the current legal and criminal climate DON'T collect and store unnecessary information unless you can prove that you can protect it from disclosure in untargeted extralegal ways, lest you and your establishment end up be in hot water ( see Sony, Ashley Madison, CMU, NSA etc etc)
Indirect Payment (Score:2)
Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder.
Ok. So I guess they received indirect payments for doing this?