TheTor Project last week claimed theFBI paidCarnegie Mellon University $1 million to crack the anonymity of Tor users.
Tor’s claim appears to have been triggered by areport last week in Motherboard that said the FBI’s arrest of an alleged member of the Silk Road 2.0 drug ring was based on “information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”
That network was Tor, and the research institute was Carnegie Mellon, Tor said.
“Apparently these [Carnegie Mellon] researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” Tor Project Director Roger Dingledine wrote in a statement posted on the Tor website.
“We have been told that the payment to CMU was at least $1 million,” he added.
Dingledine did not respond to our request for comment for this story. The million-dollar figure came from “friends in the security community,” he told Wired.
The university declined to comment for this story.
Kicked Off Network
Tor discovered the attack on its network in July 2014.
“If a person controls a large fraction of the computers that operate the Tor network, there are attacks that they can run that correlate where a user’s traffic is being bounced around the network,” explained Matthew Green, a professor in the computer science department atJohns Hopkins University.
“By doing that, you can de-anonymize users, actually track them back to their real address,” he told TechNewsWorld.
After identifying the computers, which had been on the network since January, Tor took action.
“They kicked the computers off the network. There was also a bug in the Tor software that was making it easier to correlate the hops, so they fixed that bug,” Green said.
“That seems to have fixed the problem,” he added, “but there’s always a worry that someone will come up with a new way to de-anonymize users.”
However, Tor’s trust model could lead to future problems with the network, suggested Lance Cottrell, chief scientist with Ntrepid.
“They’ve worked hard with the technology to prevent this, but the reality is there’s effectively no vetting of new Tor nodes,” he told TechNewsWorld.
“You sort of know a fraction of the network is absolutely untrustworthy to begin with, and you’re hoping that it’s a low enough fraction to keep you safe,” added Cottrell. “That’s the assumption that seems to be breaking down.”
Although Tor uncovered the attack, it still didn’t know who was behind it — until August 2014.
Then, at the Black Hat conference held in Las Vegas, two CMU researchers, Alexander Volynkin and Michael McCord, were scheduled to present a session titled “You Don’t Have to Be the NSA to Break Tor: De-anonymizing Users on a Budget.”
“In our analysis, we’ve discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” the pair noted in a description of their presentation.
The talk was canceled, which led Tor to believe that the researchers were behind the attack on the network earler in the year.
Neither Volynkin nor McCord responded to a request for comment for this story.
“We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users,” Tor’s Dingledine wrote.
“The research that these researchers did does not seem to have been that careful,” Johns Hopkins’ Green said.
“They certainly went after some criminals, but along the way they could de-anonymize people whose governments would torture them if they found out who they were,” he said.
“As computer science researchers, when we do this kind of work, we have these incredibly strong requirements to meet ethical standards and have our work reviewed by university research review boards. It does not sound like that happened with this work,” Green added.
“It crosses an ethical line, because you’re vacuuming up the data of lots of innocent people,” added Jeremy Gillula, a staff technologist with the Electronic Frontier Foundation.
“For a long time, computer science researchers haven’t thought about the ethical aspects of their research, because their research has just been about computers,” he told TechNewsWorld, “but when it starts to affect people, researchers have to start thinking about the ethical implications.”
Sidestepping Civil Liberties
The FBI’s action threatens more than research ethics — civil liberties are at stake, Dingledine maintained.
“Legitimate privacy researchers study many online systems, including social networks,” he added. “If this kind of FBI attack by university proxy is accepted, no one will have meaningful Fourth Amendment protections online and everyone is at risk.”
An FBI spokesperson was not immediately available for comment.
Although Tor is touted as a way to protect political dissidents in repressive regimes and whistleblowers, criminals also have used it to hide their illegal activity.
“You have to take the good with the bad when it comes to these kinds of anonymous communications networks,” Green said.