Carnegie Mellon University Attacked Tor, Was Subpoenaed By Feds (vice.com) 56
AmiMoJo writes: Back in November 2015 it was speculated that Carnegie Mellon University (CMU) helped the FBI attack the TOR network. Now, both the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases: "The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU") [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense ("DOD")," an order filed on Tuesday in the case of Brian Farrell reads. Between January and July 2014, a large number of malicious nodes operated on the Tor network, with the purpose, according to the Tor Project, of deanonymising dark web sites and their users. The attack relied on a set of vulnerabilities in the Tor software—which have since been patched—and according to one source, the technique could unmask new hidden services within two weeks.
confused (Score:1, Troll)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re:confused (Score:5, Interesting)
CMU was carrying out department of defense (DoD) funded study on TOR. FBI got wind of what data CMU may have gathered (not sure how) and issued subpoena for the data. Pursuant to the subpoena CMU handed over the data which contained among other things the IP address of a drug dealing suspect the FBI was interested in.
Re: (Score:1)
A subpoena is not a warrant. That's not a difference without distinction. From a subpoena they may get a warrant.
I do not know the facts in this case. However, they are two very different legal concepts. I offer no other opinion at this time.
The Future (Score:2)
In the future, all universities will be compelled to write TOR (or Twitter, or whatever) attacking software and then give it to the FBI.
Re: (Score:3)
In the future, anything any academic institution or corporation does which is remotely of interest to the FBI and the rest of law enforcement must be surrendered to the FBI.
Those wishing to join the inquisitorial squad for extra credit report to the headmistress' office. Those not wishing to join the inquisitorial squad will be required to submit to questioning.
Congratulations, America, you almost have your own Stasi. You should be proud. Keep defending those freedoms kids, your government needs you.
Only
Re: (Score:2)
Researching Tor is a legitimate course of study. Since the goal of the system is security, breaking that security is a good idea, if only to understand how it can be done and patched. This sort of research is not automatic collaboration with the FBI.
Obviously, a subpoena for this information seems to be more of an issue of opportunity; it would be rather haphazard unless the FBI was following that research. I imagine that researchers could find an ethical way to destroy this data before publishing or som
Re: (Score:2)
You can not do research by attacking a public legal network without their permission, that is a crime under the bulk of countries computer abuses act and is subject to an extended custodial sentence. Quite simple those involved should be charged under the computer abuses act, be fined and given the appropriate custodial sentence, that is the law.
Re: (Score:1)
Not positive but I believe the legal term is "Royally Fucked and Fucked Hard" if you destroy data after it has been subpoenaed. You can fight a subpoena. Destroying that data, or refusing to submit it after a "fair hearing,"* you are going to pound-me-in-the-ass prison. You are in SERIOUS trouble for not submitting all data if the subpoena is challenged and the challenge is overturned.
I'm not sure there's an "ethical" way to destroy the data.* I really don't have an answer.
* That's assuming a fair hearing a
Of course... (Score:2)
But it looks like they denied the FBI paid them.. of course since DOD paid them it all a-okay.
Re: (Score:3)
They also denied that they were paid any money from the government for Tor research, which was just a lie:
In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder.
meh (Score:5, Funny)
its not like the universities helped nuke a country or something....
The university could also do it just because (Score:1)
Re: (Score:1)
There is no "breaking into" TOR. They ran enough fake exit nodes to deduce the path of traffic. But I do suppose that really putting TOR to the test is a good thing.
Re: (Score:3)
Yes, testing TOR to its limit is like trying to break encryption and finding a better method using that information. If you get to the point that you are unable to break it, it becomes much more valuable.
The problem is, until you find the fully secure solution, they are effectively working on a method that will break your crypto or find your hidden service. That will cause immediate security concerns.
Re: (Score:2)
This is true, but I think this case clearly brings up that there was sever ethical oversight.
The end result of de-anonymized traffic is, by its very nature, a danger to the person de-anonymized.
It is one thing for researchers to prove that they can de-anonymize users, but, in doing so, they take on the responsibility of protecting that information. It is highly irresponsible for them to have stored any of those results in a form which could be correlated to specific sites.
In the future, I hope all such rese
Re: (Score:1)
I'm not a lawyer and I'm not very familiar with the CFAA, but this seems like exactly the sort of thing that would be, and should be, illegal under that act.
Unfortunately, the only victims we know about are people who are facing criminal charges themselves, and even if there were a way to know how many other victims there were, those people are (almost by definition) unlikely to want to stand up and draw attention to themselves.
Fearmongering (Score:1)
"attacked"
Do people not understand the concept of security research? What would you prefer they do, wait for someone else to discover vulnerabilities and not notify tor?
Re: (Score:3)
So the DOD is having Carnegie attack TOR to improve its security?
And the community will be notified of found vulnerabilities, right?
Re: (Score:1)
So the DOD is having Carnegie attack TOR to improve its security?
And the community will be notified of found vulnerabilities, right?
The DOD is the Tor community. [pando.com]
The felon usage of Tor is a recent event, incidental beneficiaries of the technology. This does put Tor at odds with FBI and local police some of the time, but the existence of a useful Tor network is generally seen as more important than catching every single druggy who uses it.
Re: (Score:1)
You seem to know what you're talking about. Let me pick your brain?
If I understand this, they didn't really attack it. What they did was simply add more exit nodes and then observe the traffic. Is that correct?
If that is correct, why are we calling it attacking instead of spying, monitoring, or otherwise? Then, as it was their equipment, their exit nodes, their physical property - is the monitoring (in and of itself) illegal?
I'd argue that it is immoral but even my web sites have logs. If you're accessing m
The old saying (Score:5, Insightful)
I used to think that in the coming decade, the most precious commodity would be potable water.
Now I realize it will instead be true privacy, afforded to only the rich and powerful on our planet, that is soon to become the ultimate Panopticon.
Re: (Score:1)
What? If you want to live in an anarchy move to Somalia (some parts of it), if not then why is following the law of the country a problem? ...
Re: (Score:1)
Following the law is a problem when doing so makes you extremely vulnerable to criminals, as well as to the whims of corrupt politicians.
Also, though it takes more intellectual effort to see, following the law winds up keeping the poor class poor, and ensuring that the lions share of all wealth continues to flow upwards into the pockets of an ever-smaller group of elites.
The typical thoughtless answer is "change the law...we are a democracy, right?" No, at least not America. Though ostensibly a constituti
Re: (Score:1)
While I tend to agree, within reason, there's a problem with that. There unjust laws but that's too deep for you and I to get into today.
So, here's the important part and it's the simple part. We can go deeper than this if you want...
You do not know the laws. Chances are, you're breaking at least one law right now. You might not think so but you are. You are a criminal, you're just not convicted yet. Nobody knows all the laws. Some of them are even felonies. (The bullshit about a felony a day is just that,
No More Secrets (Score:2)
I think it's plain, now.. no one should have any secrets. Not you, not me, not your lover, not my friend, not the government nor industry nor banking nor religion.
We should be able to know every thought each and every one of us have, as soon as we have it. Something like a mandatory cleartext Facetwat for the massess. Something as communistic as a Borg collective. Ooh wouldn't that rankle the US Government!
Heh.
There's no way in hell a secret-less society could even begin to function.
Re: (Score:1)
None, I hear all the voices, all the time as I twitch merrily down the road! Whhhoooeeeee!