Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Communications Encryption Government Privacy Security The Almighty Buck

Carnegie Mellon Denies FBI Paid For Tor-Breaking Research (wired.com) 79

New submitter webdesignerdudes writes with news that Carnegie Mellon University now implies it may have been subpoenaed to give up its anonymity-stripping technique, and that it was not paid $1 million by the FBI for doing so. Wired reports: "In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder. But it instead implied that the research may have been accessed by law enforcement through the use of a subpoena. 'In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,' the statement reads. 'The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.'"
This discussion has been archived. No new comments can be posted.

Carnegie Mellon Denies FBI Paid For Tor-Breaking Research

Comments Filter:
  • ...what was the $1 million for? What did the taxpayers get out this?
    • by msauve ( 701917 )
      "what was the $1 million for? What did the taxpayers get out this?"

      I'm thinking Astroglide. You can figure out the rest.
    • Re: (Score:3, Insightful)

      ...what was the $1 million for? What did the taxpayers get out this?

      I bet it would have cost them a lot less than $1 million to hire a lawyer and at least make even the most feeble effort to resist this subpoena.

      • by arth1 ( 260657 )

        I bet it would have cost them a lot less than $1 million to hire a lawyer

        You're talking at least one meeting with the client, research, a letter, a follow-up, an expense account, and preparation fees for itemized billing. Yeah, this shouldn't have cost more than half a million going through a reputable lawyer. Or a unicorn-riding leprechaun.

  • Weasel Words (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 18, 2015 @08:58PM (#50959759)

    "Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder."

    Now if that word "direct" had not been there I would have a little more faith.

    As well know , there are hundreds of ways to indirectly pay for stuff...... "Hey here's some money for your sports team", "hey here's some money for your building funds", etc etc etc etc etc

    • Re:Weasel Words (Score:5, Insightful)

      by tylerni7 ( 944579 ) on Wednesday November 18, 2015 @09:35PM (#50959929) Homepage

      The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC), similar to places like Los Alamos, Sandia, or Lincoln Labs. So yes, they certainly receive funding from the government, and that probably includes funding from the FBI.

      It sounds like what they are saying is that they were doing general research on Tor as part of their normal research activities. Funding for this, like all other research they do as an FFRDC, comes from the federal government in some form. So yes, indirectly I'm sure the government paid for the research, but that does not seem shocking.

      All in all, it's hard to understand what all the fuss is about for this, it seems pretty much in line with the goals of an FFRDC to do this type of research.

      • by ThatsNotPudding ( 1045640 ) on Thursday November 19, 2015 @07:38AM (#50961245)

        All in all, it's hard to understand what all the fuss is about for this, it seems pretty much in line with the goals of an FFRDC to do this type of research.

        Yes, all they did was merely destroy the trustfulness of the CERT process to warn EVERYONE of vulnerabilities in software, instead of delightedly handing it over to the descendants of J Edgar Hoover and not bothering to tell the software maintainers anything. This is the main point; the million pieces of silver were just added insult.

    • by rsborg ( 111459 )

      "Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder."

      Now if that word "direct" had not been there I would have a little more faith.

      As well know , there are hundreds of ways to indirectly pay for stuff...... "Hey here's some money for your sports team", "hey here's some money for your building funds", etc etc etc etc etc

      You forgot government grants. As the government gets more corporatized (even the good "public servants" are just less corrupt), you sure as hell can bet that the grant proposal/acceptance process can become part of the corruption (oh, look CMU - such nice grants proposals you have there ... )

    • Mr. Burns: I see. Well, I- ...Oh, that reminds me, it is time for your annual contribution. How much should I give?
      Male Admissions Officer: Well frankly, test scores like Larry's would merit a very generous donation. A score of 400 would require new football uniforms. 300 would require a new dormitory. And in Larry's case? We'd need an international airport.
      Female Admissions Officer: Yale could use an international airport, Mr. Burns.

    • by msauve ( 701917 )

      As well know , there are hundreds of ways to indirectly pay for stuff...... "Hey here's some money for your sports team", "hey here's some money for your building funds", etc etc etc etc etc

      "Here's $1MM of additional grant money to extend your work on breaking onion routing."

      • Here's $1MM

        Did you fail in science class? Or is that supposed to stand for $1 mega million?

        • I think it means one dollar's worth of m&m's....
        • by msauve ( 701917 )
          No, "M" is ambiguous with regard to currency. It could stand for Million, or Mega, or the traditional accounting measure of 1000, from the roman numeral. MM is unambiguous, in addition to being a common abbreviation for million (thousand-thousand) in accounting.

          There, you can tell your classmates you learned something today [accountingcoach.com]. Now go back to class.
          • Why in the world would anyone use Roman Numerals in this day and age? Do you know what year this is? It's MMXV for God's sake!
            • by msauve ( 701917 )
              They're not Roman numerals, but come from them. The Roman numeral MM would be 2000, and $1MM isn't a Roman numeral at all. Additionally, SI prefixes are always properly separated from the number with a space (1 km), while in accounting no space is used ($1MM).
          • In recent years people started using k to denote 1000? What kind of drivel is that? Only if 1799 is recent...
            http://physics.nist.gov/cuu/Un... [nist.gov]

            M for Mega or Million has been used for a very long time. MM only makes sense in Roman times, who the hell uses M to denote 1000 besides the Romans? Do you often mix Roman Numerals and Latin Numerals in the same sentence? Also, since when is MM equal to M multiplied by M instead of M plus M as Roman numerals work? MM is 2000, not 1,000,000.

            • by msauve ( 701917 )
              Do you understand that there's a difference between accounting and science? Were you aware that the USD ($) is not an SI unit?
    • We've already seen that companies 'doing business' with the NSA have been prohibited from talking about it. In other words, they may have been threatened by the government (even with jail time) if they reveal their connections to the NSA.
    • It says: "'The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.'"
      Right, no funding for compliance to the subpoena. If they got paid for doing any work isn't even a part of the sentence.

    • by mshieh ( 222547 )

      "Hey here's some money for your sports team"

      Your main point has merit, but this particular one cracks me up.

      I think I've had one discussion ever regarding our sports teams, and it was from someone who was a member of a rival div iii football team.

  • Liars (Score:5, Insightful)

    by Etherwalk ( 681268 ) on Wednesday November 18, 2015 @09:12PM (#50959823)

    "hadn’t received any direct payment for its Tor research from the FBI or any other government funder"...

    So they have received indirect payments or have received direct payments from non-government funders.

    That's like when the Bush administration found "dozens of weapons of mass destruction related program activities" in Iraq, but no actual WMDs.

    • Re:Liars (Score:5, Informative)

      by Frobnicator ( 565869 ) on Wednesday November 18, 2015 @11:01PM (#50960215) Journal

      "hadn’t received any direct payment for its Tor research from the FBI or any other government funder"...

      So they have received indirect payments or have received direct payments from non-government funders.

      Yes, that is exactly true. I'm assuming you didn't read the actual statement by the school.

      It begins: "Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues."

      So there you go, a blatant admission to an indirect payment. The government did not say "We will pay you to develop this specific technology" which would have been direct. The government told that lab, and many more, "Here is money to research this type of technology generally", and the lab happened to fund that project among many others, yielding an indirect payment. What most people probably didn't expect, the lab included, was that they would get a subpoena demanding the research.

      While the tin-foil hat may be necessary elsewhere, no need for it here. The lab has always openly admitted to the indirect funding from federal grants. In their research papers, and in fact in the vast majority of university research papers, there is a line about the grants funding the lab. That is a non-secret.

      • Re: (Score:2, Insightful)

        by Etherwalk ( 681268 )

        Yes, I saw the wired statement first, which is more weasely, but the point stands--it is not an effective denial because it's not a statement as to what exactly happened. It is a non-statement that has gone through a communications office and/or legal counsel so that it ends up not saying anything. No sane reader would believe it as a denial, because it's not one. Of course that *could* be incompetence and stupidity, but why assume incompetence and stupidity when you're dealing with a high-quality engine

        • It is a very effective "denial" if its intent was to state that CMU received indirect funding. In other words, it was not a denial, but a clarification of how they received the funding, to wit, indirectly.
      • Besides, everybody knows that it's the NSA that pays for this type of research, not the FBI.

        Most likely, the NSA didn't want to share the core technology, so the FBI just ripped off the NSA by going after its minions.

  • No direct payment.
  • CMU's statement is so full of non-denials and red herrings that a first-year philosophy student wouldn't be fooled.
  • I wonder what other research the government also subpoenas - perhaps that of the aircraft manufacturer who had a nifty idea but whose bid didn't get the job?
    • Well, subpoena's don't change intellectual property rights, so I'm not 100% sure how that would be relevant.

      • So, if the FBI subpoena's Carnegie-Mellon's research, Carnegie-Mellon gets to set the price they charge for the use of their software? That could be a sweet deal, since the university knows in advance that they have a captive audience.
  • Carnegie Mellon University now implies it may have been subpoenaed to give up its anonymity-stripping technique

    I guess they couldn't be bothered to say "no" to the FBI. A "subpoena" does not over-ride intellectual property rights. With all the money Carnegie Mellon has, they might have at least put up a little fight.

    But the fact is that this is not the first time that Carnegie Mellon has done work for the government against the public interest.

    • What are the software IP rights with regards to a federally-funded academic institution? The Software Engineering Institute at Carnegie Mellon is a Federally Funded Research and Development Center (FFRDC), which means grant money, which means conditions on what they can do with their research results.

      I still agree with you that they should have fought it more, and it's definitely against the public interest, but I don't know if an IP tactic would have worked.
  • Watch for weasel words...

  • The whole $1 million payment accusation comes from "sources in the information security community". That's a hell of accusation to put out there, damaging a school's reputation, without anyone willing to stand up behind it.
    • That may well be, but it has been confirmed by a representative of the CMU SEI that the accusation was essentially true, and that CMU received funding for the purpose. That funding was paid indirectly, rather than directly.
  • ...like a carefully worded statement designed to be strictly factually correct to remove the stink from CMU, but that there is probably mostly truth in the original story. Just the wording of their statement seems so carefully selected that you just know the reality is that they did do it, but not exactly the way they are defending their selves. So they can sound innocent when they probably are not.
  • by ramriot ( 1354111 ) on Thursday November 19, 2015 @09:14AM (#50961809)

    OK lets accept for not that CMU did not receive payment for their data and that they only gave up their data upon subpoena, it really was just icing to the real issue. That of the un-ethical disclosure of peoples private data resulting in an indirect FBI evidential fishing exercise, which is allowed in discovery unless the evidential collection is prompted (hence the $1) which would render it 'fruit of the poisoned three' and why there is perhaps so much emphasis being placed upon payment.

    Remember this, any entity involved in security research or even just a business can be subpoenaed for their data and required by law to not disclose the fact of the request. Further, resisting such requests can lead to extended legal difficulties; just ask Ladar Levison ( https://en.wikipedia.org/wiki/... [wikipedia.org] ).

    So what CMU did wrong here (if current evidence is correct) was to collect and keep significant personal information as a result of their 'Research', which is incompatible with what security research is about. If there had been an Ethical Review Board of the ongoing CMU research this should have been noticed and changes made.

    Thus, what could CMU have done.

    * They could have set up an internal Review Board to review the ethical, legal and other issues of such research {they admit they did not}
    *They could have designed the data collection part of their exploit to anonymize data such that connection inferences can be made without disclosing actual IP addresses ( simply make a salted hash of each IP address ) {they did not}.
    * They could have limited collection to just what was needed to prove the exploit and then shut it down {they did not}, instead they ran it for over 3 months.
    * Upon proving the method they could have immediately followed responsible disclosure and briefed TOR group {they did not}
    * If the research was launched initially by an FBI request or similar, they should have taken legal advice and realised that they could not do this ethically or follow the above and thus NOT agreed to do it {Clearly if so, they failed}

    So in closing take note, in the current legal and criminal climate DON'T collect and store unnecessary information unless you can prove that you can protect it from disclosure in untargeted extralegal ways, lest you and your establishment end up be in hot water ( see Sony, Ashley Madison, CMU, NSA etc etc)

  • Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder.

    Ok. So I guess they received indirect payments for doing this?

Never test for an error condition you don't know how to handle. -- Steinbach

Working...