Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Encryption Government Privacy The Courts United States

Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users 108

An anonymous reader writes: Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web? Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service. From the article: "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," noted Dingledine. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," he pointed out.
This discussion has been archived. No new comments can be posted.

Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users

Comments Filter:
  • Hmmm... (Score:5, Informative)

    by Shoten ( 260439 ) on Thursday November 12, 2015 @09:08AM (#50914581)

    Operation Onymous (which is what this is all about) wasn't all that and a bag of chips. Most of the sites they took down weren't the actual intended targets...they were replicas, meant to scam people who were trying to go to the authentic sites they were mimicking. Silk Road 2.0 was pretty much the only significant site that got brought down.

    The challenge with dark web sites is that there's no central authority to anything. So, as easy as it is to set up a fake site on the normal web to capture logins or other information, it's even easier on the dark web. There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy. If you don't know for a fact that the .onion address you're going to is valid, it could well be that you're at a copycat that's going to harvest your login, take your bitcoins and give you nothing in return, or whatever else.

    It's kind of amusing to think that some academics might have been paid so much and yet accomplish so little, for want of basic understanding of that fact. Carnegie Mellon's people are no slouch (as the academic crowd goes, at least), but that makes this all the more poignant.

    • Re:Hmmm... (Score:4, Informative)

      by Anonymous Coward on Thursday November 12, 2015 @09:28AM (#50914685)

      There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy.

      As of 25 Oct. 2015 [torproject.org], this is no longer true.

      "Our internet standard reflects on considerations for handling .onion names on the internet as well as officially reserving .onion as a Special-Use-Domain-Name with the Internet Assigned Numbers Authority (IANA). With this registration, it is should also be possible to buy Extended Validation (EV) SSL/TLS certificates for .onion services thanks to a recent decision by the Certification Authority Browser Forum."

      Your statement however was correct when Operation Onymous [wikipedia.org] was active last year.

      • Yup, and even before that, Facebook [facebookcorewwwi.onion] and Cyph [cyphdbyhiddenbhs.onion] were the second and first (within hours of each other) to roll out EVSSL certs for their onion domains, both provided by DigiCert.
  • by Anonymous Coward on Thursday November 12, 2015 @09:08AM (#50914585)

    Does it really matter who does the "uncovering"? Security through not-being-paid-by-the-FBI is not security.

    • That part doesn't matter, but if it's true, the perps should never work in academia again. They can probably get cushy jobs in NoVA though. CMU's reputation is also on the line. If they do a thorough investigation and out any wrongdoers, only their review process ought be found needing of improvement.

  • So what? (Score:5, Insightful)

    by Anonymous Coward on Thursday November 12, 2015 @09:25AM (#50914671)

    So, the FBI paid someone to unmask TOR users, just like anyone could have paid anyone else to unmask TOR users. So what?

    There are two issues here and neither of them are really with the FBI.

    1. It is possible to unmask TOR users. This means that TOR is not fit for purpose. No further use or discussion of TOR is necessary. It is not capable of delivering what it promises on the tin.

    2. CMU "researchers" are willing to be bad actors for a price. If you want to take issue with them, you would be justified.

    The FBI paying someone to do what the FBI does, is not the fucking point. Don't allow yourself to be misdirected away form the fact that TOR is not fit for purpose.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The FBI paying someone to do what the FBI does, is not the fucking point.

      Actually, it is the point since the legality of law enforcement agencies like the FBI and the DEA breaking into systems using malware and hacking tools provided by contract firms like the Hacking Team and Carnegie Mellon, has never actually been discussed in public or by Congress. I'm not even sure the DOJ has issued any position briefs on it, or if their legality has been tested in court yet. It also should be noted btw that the FBI

    • Re:So what? (Score:4, Funny)

      by Type44Q ( 1233630 ) on Thursday November 12, 2015 @10:32AM (#50915081)

      So, the FBI paid someone to unmask TOR users

      Only until they discovered that those users were actually DEA agents...

    • by AmiMoJo ( 196126 )

      TOR is fine, the discovery of real IP addresses relies on side channel attacks. Often it is things like using exploits to make the server provide its real IP address, in much the same way as individual users can be identified by using exploits to make their browser give up its real IP address.

      Another option is to fingerprint the server/browser somehow, and then look for the same fingerprint in other places. Quite often the server will be hosting non-TOR content as well, so you might narrow it down by lookin

      • And yes, the CMU researchers are persona non gratis now, and we won't be sharing any details of zero day vulnerabilities or other interesting research with them again.

        While those researchers are still at CMU, that should be "we won't be sharing any details of zero day vulnerabilities or other interesting research with anyone at CMU"

    • by Anonymous Coward

      > The FBI paying someone to do what the FBI does, is not the fucking point.

      The FBI is not supposed to conduct drag-net surveillance. Use of Tor is not probable cause.

      • So you're saying they're not allowed to run Tor relays?

        They probably run thousands of them. So would the NSA, and probably many other governments as well.

  • by gstoddart ( 321705 ) on Thursday November 12, 2015 @09:29AM (#50914691) Homepage

    Such action is a violation of our trust and basic guidelines for ethical research.

    I can't speak for the researchers, but essentially agencies like the FBI are long past trust and ethics.

    They don't give a crap what the law says, they just do what they want. From illegal and overly broad surveillance to formalized perjury in the form of "Parallel Construction" -- modern police forces have decided they don't give a fuck what we think is legal, and think whatever they do is legal because they say so.

    They don't give a damn about pesky little things like warrants.

    • Oh, they do care what it says - they just don't let it stop them. They don't ask "Am I allowed to do what I want to do?", they ask "How can I do what I want to do despite what this says?"

      They've let the ends justify the means. They've convinced themselves that this is right, that it's justifiable, and that it's absolutely necessary, otherwise the Terrorists/Drug Kingpins/Pedophiles/etc win. It's not just about warrants and espionage either. It's about things like due process, torture, and any number of re
      • by gweihir ( 88907 )

        The problem is that this completely invalidates the concept of "checks and balances". Law enforcement must never have unchecked powers, because that is the only way to avoid a police state.

        In fact, they do now have and use some unchecked powers. The only way to fix this would be to dismantle these organizations, put everybody that lied under oat, ordered others to do so or participated in circumventing constitutional provisions in jail and re-build from scratch. That is obviously not going to happen, hence

  • Innocent? (Score:3, Interesting)

    by plover ( 150551 ) on Thursday November 12, 2015 @09:32AM (#50914711) Homepage Journal

    "this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?

    If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.

    Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.

    The circumstances all seem pretty similar to me.

    • by Anonymous Coward

      > Since many of the 'endangered users' were then charged with various crimes, are they innocent?

      Yes. Being charged with a crime is not the same as being convicted by a jury of your peers for the crime.

    • by Anonymous Coward

      Since many of the 'endangered users' were then charged with various crimes, are they innocent?

      Were all "endangered users" charged with any crime? Were most "endangered users" charged with any crime? No? Then, I'm not sure how much of a point you really have...

      If I illegally enter 10000 random houses, for sure I'll find evidence of at least a handful of crimes. Would that justify the invasion of privacy of 10000 households? According to the spirit of the law, no (which is why there is such a thing as a "warrant" in the first place).

    • by Qzukk ( 229616 )

      Since many of the 'endangered users' were then charged with various crimes, are they innocent?

      Based on what? The say-so of someone paid $50 million to finger people as experimental "research"?

      If the FBI paid a psychic $50 million to finger drug users, would you still open your argument with that line?

      • by ADRA ( 37398 )

        The parent's post was poorly worded / judged since charges don't mean convictions, but realistically a few things may happen:
        1. Police won't find any extra evidence to charge the individuals with and the court dismisses the case due to lack of evidence
        2. The case goes forward with just the TOR logs, and the court will have a public record of exactly how that data was acquired / processed
        3. The case goes forward with other corroborating eviden

    • by AmiMoJo ( 196126 )

      The FBI is considered a bad actor by many, one which subverts the law whenever it suits it. Parallel construction, for example, or the use of fake cell towers. So helping them is morally dubious. To take up your example, a doctor might feel morally obliged not to tell the police if she believed that the police were likely to misuse the information, e.g. by taking the opportunity to frame a black man for a crime (as often happened in South Africa, once upon a time).

      Okay, let's say that in this case the CMU r

    • "this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?

      If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.

      Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.

      The circumstances all seem pretty similar to me.

      These are really in the larger context of disallowing government the tools of tyrrany. Government is forbidden from warrantless searching to prevent them from rooting around looking for things to charge political challengers with. Yes, even legitimate criminal charges. Putin, Chavez, there are contemporary examples where this is occuring. And political science has for centuries been aware that the more defined crimes, the easier it is for government to have a hook on which to hang pulling you over, thus

  • by klingens ( 147173 ) on Thursday November 12, 2015 @09:48AM (#50914805)

    for the FBI and the university to take:
    If they are allowed to decrypt messages which are passing through "their" property, then:
    a) Pay TV hackers must be allowed to decrypt the Pay TV signals ending at the cable box or coming from a satellite
    b) Any ISP or whoever owns a router which transmits encrypted traffic is allowed to decrypt and read it.

    Either the FBI and the university have to be punished like cable signal hackers and other bad guys, or the law covering those offenses is not worth the paper.

  • $1m? A tenth of cent? That is not much. $1M would have been more worrying.

One good suit is worth a thousand resumes.

Working...