Did the FBI Pay Carnegie-Mellon to Hack Tor?
The November 13 terrorist attacks in Paris have sparked renewed debate about government surveillance, encryption, and anonymous Web services such as the Tor Project. Coincidentally, just two days before the Paris tragedy, the Tor Project accused the FBI of paying “at least $1 million” to Carnegie-Mellon University researchers for the identities and activity logs of Tor users. Here's the bigger story...
Who Hacked Tor?
Tor’s director Roger Dingledine (I assume that's an encrypted version of his actual name) accused researchers at Carnegie-Mellon of infiltrating the Tor network with multiple relay nodes that tracked traffic between Tor users and “hidden services” - servers within the Tor network that cannot be detected through the normal Domain Name Service. Hidden servers are used for a variety of reasons, from connecting dissidents in repressive regimes to drug trafficking and, probably, terrorist plots.
The researchers, according to Dingledine, tracked the identities of Tor users and the descriptions of the hidden services they accessed. They may have also logged all communications between the users and hidden services, although that data would be encrypted. Then the researchers turned over everything to the FBI. The feds, presumably, are sifting through all the data looking for potential drug dealers, sex traffickers, terrorists, and other criminals.
The problem is, they would also be sifting through the private communications of innocent parties without a search warrant. But that would be OK, the feds might argue, because they didn’t do any searching and seizing; they just bought data collected by researchers who had Tor’s permission to study traffic on the anonymous network. It’s as if the FBI bought data sets about citizens’ Web surfing habits from a commercial data broker, something law enforcement and national security agencies do all the time.
The FBI issued a carefully worded response to Tor’s accusations: “The allegation that we paid Carnegie Mellon University $1 million to hack into Tor is inaccurate.” There’s a lot of wiggle room in that sentence. The amount of money might be “inaccurate.” The money might have been paid for data already collected, and not for an act of “hacking.” But it’s definitely true that if anything nefarious was done, it wasn’t done by Carnegie-Mellon University.
The research/spying in question was carried out by the CERT (Computer Emergency Response Team) division of SEI (Software Engineering Institute). SEI is a federally-funded research and development center (FFRDC) that is located on Carnegie-Mellon’s campus and works closely with the school’s academic researchers. But SEI/CERT is not subject to Carnegie-Mellon University’s oversight or rules. While the feds may have ordered and funded this Tor-hacking project, the money would not have been paid to CMU, nor would the university have benefited or had any say in the matter.
Tor’s outrage over the flouting of its “researchers’ guidelines” is misdirected at CMU. It’s as if you blamed the landlord of your cheating spouse/lover for not keeping closer tabs on him or her.
Spy Versus Spy
This Tor hack is not news; Tor revealed it in July, 2014. What’s new today is the accusation that the FBI paid something on the order of a million dollars for the data (or the hack, or both). Unfortunately, the rather fuzzy dollar figure comes from equally fuzzy “sources within the security community,” according to Tor. I guess that’s what you can expect from an organization dedicated to protecting privacy, but it does not make compelling evidence. However, other evidence does support the theory that CERT/SEI was behind the Tor hack:
A CERT/SEI researcher named Alexander Volynkin was scheduled to make a presentation at the 2014 Black Hat security conference entitled, "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget," but it was canceled abruptly at the behest of SEI attorneys.
Court documents filed in the federal prosecution of Brian Richard Farrell, an alleged ringleader in The Silk Road “dark web” marketplace, revealed that Farrell “was identified based on information obtained by a university-based research institute that operated its own computers on the anonymous network (Tor) used by Silk Road…”
When Tor leaders asked CERT/SEI if the spying relay nodes belonged to the latter, the nodes vanished from Tor overnight. ("These are not the nodes you're looking for...")
Who hacked Tor is uncertain, as is exactly what data they got and what they may be able to do with it. Remember, the web pages, messages, and other application-level data are encrypted.
Nobody really knows if the FBI, NSA, paid hackers or skilled researchers have the tools to decode encrypted messages. The fact that governments are asking for "back door" capabilities in popular encryption tools tells me the answer is no, at least for now. But clearly this is an arms race that will continue to escalate on both sides.
The major lesson to be learned by users of Tor and other so-called “anonymizing” networks is that they are not 100% safe from prying eyes. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 18 Nov 2015
Article information: AskBobRankin -- Did the FBI Pay Carnegie-Mellon to Hack Tor? (Posted: 18 Nov 2015)
Source: https://askbobrankin.com/did_the_fbi_pay_carnegiemellon_to_hack_tor.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Did the FBI Pay Carnegie-Mellon to Hack Tor?"
Posted by:
Rhonda Lea Kirk Fries
18 Nov 2015
Roger Dingledine (Americanization of the German Dingeldein) is his real name. He's not a hacker--he's a computer scientist:
Master of Engineering in Electrical Engineering and Computer Science, MIT, June 2000.
Bachelor of Science in Computer Science and Engineering, MIT, June 2000.
Bachelor of Science in Mathematics, MIT, June 2000.
Posted by:
John Orvis
18 Nov 2015
Don't forget that for a long time Bobbies were unarmed.
Posted by:
Allen Wright
18 Nov 2015
I would guess that any encrypted communication will eventually be decrypted if anyone is willing to spend enough resources to complete the task. It's just a matter of time.
Posted by:
Clare Smith-Larson
18 Nov 2015
I don't usually read these posts in detail, but this one definitely caught my eye. I got a notification from my computer security provider recently identifying an attempted breach of my e-mail by an entity closely affiliated with or using physical space VERY close to Carnegie Mellon University.
Now I know I am on someone's watch list (Lol), since I tend to be quite vocal on Facebook regarding the inept and wrong-headed actions of my representatives in Congress, but I certainly wasn't expecting to learn that this "delightful" group would be interested in me.
I don't think I'm into the "dark web", but ...
Posted by:
jim saber
18 Nov 2015
It is all in the digits. Anything is eventually breakable or hackable. Might as well opt for safety.
Posted by:
Robert
18 Nov 2015
The government are forward thinking and looking for the real bad guys who are threatening our Western society, this is for real, they are not tracking the muppet fiddling the meter.
When the bombs go off in New York and London as they did in Boston and Paris, people will ask why are we not safe? and the reason will be spy paranoia
Posted by:
Andrew Duncan-Jones
18 Nov 2015
Dear Bob
A very interesting post.
Two little problems, in the phrase:
'the flaunting of its “researchers’ guidelines” '
a) I am fairly sure you mean 'flouting' - 'ignoring, disregarding, disdaining' or 'holding in contempt', rather than 'showing off in a proud or gaudy manner' which is what is meant by 'flaunt'
b) I at first thought 'its "researchers guidelines" ' meant that TOR had actually asked CERT/SEI to study its procedures, which left me confused about who had initiated this hack. I had to read through the references you give to grasp that TOR welcomed academic research as long as it did not injure TOR's users but had in no way invited CERT/SEI to conduct the study they did.
I write this just to help - I know personally how hard it is to make one's meaning clear - at which you generally excel; and I am not asking for this to be posted.
EDITOR'S NOTE: You are quite right, thanks. I've changed my "flaunt" to a "flout." It reminds me of a favorite poem that uses the word.
"They drew a circle to keep me out.
Heretic, rebel, a thing to flout.
But Love and I had the wit to win.
We drew a circle that took them in."
Posted by:
Ed Mekolites
18 Nov 2015
I think the SEI is operated by Carnegie Mellon based on this from the FAQ page at CERT:
"How is the CERT Division related to Carnegie Mellon University? the Software Engineering Institute?
Carnegie Mellon operates the Software Engineering Institute."
I don't really care about TOR's outrage. While private and secure communications between law abiding citizens which remain free of government scrutiny could be of importance at a societal level on occasion, criminals and terrorists do not deserve such protection. TOR does no screening or vetting of participants in their open network and as such is allowing their systems to be used as a conduit for extreme antisocial behaviors which have potential for great public harm. Until TOR comes up with a method of preventing their networks from harming innocent parties, let them be hacked by the government or a third party. In addition, TORS' network admins already know they are constantly subject to surreptitious analysis and attack on their networks, so beware TOR.
Posted by:
Duane
18 Nov 2015
Anonymous meet TOR. TOR meet Anonymous.
Posted by:
Sherman
19 Nov 2015
Re Robert's comment about spy paranoia: just because you have nothing to hide today doesn't mean you won't be on the wrong side of an oppressive government next year.
Would you have supported McCarthyism (the witch hunt for communists in the '50s)?
Those who are willing to trade freedom for security wind up with neither.
Posted by:
Robert
19 Nov 2015
Yes Sherman I remember McCarthyism and I take your point, it's a valid one, but personally feel safer knowing that our governments are actually doing something because I have nothing to hide.
Posted by:
rocketride
19 Nov 2015
@ Sherman
The fact that leftists still try to obfuscate about 'McCarthyism' is that, if anything, Senator McCarthy was understating the degree of soviet penetration of US (and other western) governmental and cultural institutions. After the USSR fell apart, the KGB's archives were opened up to historians and the full extent of spying and interference with policy decisions became known. Look up the 'Venona' transcripts.
Posted by:
Marcus
20 Nov 2015
I would like to respond to Robert and others who dismiss opposition to domestic spying by the NSA, FBI, and other agencies as "spy paranoia". A lot of information about someone can be obtained through scanning just the meta data of someone's activity such as the person's political beliefs, religious beliefs, etc. This surveillance program hasn't been able to prevent attacks and violates the rights of innocent everyday US Citizens who are doing nothing wrong. Just look at the Boston marathon bombers who seemed to not raise a single eyebrow within the NSA or other US agencies even though intelligence sources from Russia and other countries warned the United States to watch one of the brothers since he seemed to have Anti-American views and intentions of attacking the US in some way. Add to this, the phone calls that this person made to his mother back in Russia talking about starting a holy war in the United States should have raised eyebrows by the US intelligence community. Right after the Boston Marathon bombings a family was terrorized by fully armed Department of Homeland Security agents who raided their house after noticing one family member looking at pressure cookers online, another family member was reading news coverage of the Boston Marathon online, and another family member was looking up backpacks online in what was described as a "perfect storm" of information gathering. Looking up information on pressure cookers online, looking up information on backpacks online, and reading news coverage of the Boston Marathon online are perfectly legal for this family to do but because the attackers used a pressure cooker style bomb in a backpack and decided to attack during the Boston Marathon this family was visited by DHS and treated as potential terrorists when they did nothing wrong. Even before the Patriot Act and other mass surveillance activities the US Government had plenty of tools to find potential terrorists planning an attack on the United States of America. For example, prior to the September 11, 2001 attacks federal agents received tips from concerned flight instructors who told them that there were middle eastern students taking flight lessons who seemed interested in flying airliners but didn't seem interested in taking all the classes and seemed to be taking flight lessons for smaller aircraft to learn the basics of flying hoping they can use this information to fly much larger airliners. US and foreign intelligence obtained information that Al Qaeda had plans on carrying out some kind of attack in the United States involving hijacked airliners months before September 11, 2001. Al Qaeda also was believed to be the mastermind behind a previous attack on the World Trade Towers in the 1990s involving truck bombs. For some reason they never acted on this information. If you are doing nothing wrong you can still find yourself the target of law enforcement for doing things perfectly legal. For example you may go to a bar to enjoy drinks but not get intoxicated and try to drive home, you could be a designated driver for a group of friends who plan to drink, or you could be going to a bar to pick up a friend who called you for a ride home. The police can set up a license plate reading camera in bar parking lots and decide that since you were at a bar that you must be a drunk driver. Like going to a bar, using TOR itself isn't illegal but the government could decide that a TOR user is doing something illegal because they are using TOR when they may be someone trying to contact the press to report corruption by the government to the press, speaking to a lawyer regarding a confidential case that the US government is a party involved in, speaking to a physician about confidential personal health information, etc. This information can easily be abused or used against someone who is doing nothing wrong.
Posted by:
Bob Greene
26 Nov 2015
Bob Rankin said, "Nobody really knows if the FBI, NSA, paid hackers or skilled researchers have the tools to decode encrypted messages. The fact that governments are asking for "back door" capabilities in popular encryption tools tells me the answer is no, at least for now..."
Whether the self-labeled "security community" actually owns the tools is almost beside the point-- clearly enough, the agencies already have technical means to secure access. What the NSA and others want now is legal authority to use those tools with impunity, in the name of "national security".
In 2014, when Sen. Feinstein and others on the US senate intelligence oversight committee made critical remarks about abusive US agency activity, the CIA, itself, spied on privileged communications between committee staff members-- apparently to determine what the committee had discovered, and from whom and how they had discovered it.
Conclusion-- Despite assurances from McCarthyite forum posters a "national security" rationale keeps us safe, there is little or no evidence for their claim. In contrast, violation of constitutional protections is, itself, the very erosion of a government of laws our constitution is designed to protect. After cynically trading "security" for legality, we are left with a surveillance state equal to Russia or China.