Did the FBI Pay Carnegie-Mellon to Hack Tor?
The November 13 terrorist attacks in Paris have sparked renewed debate about government surveillance, encryption, and anonymous Web services such as the Tor Project. Coincidentally, just two days before the Paris tragedy, the Tor Project accused the FBI of paying “at least $1 million” to Carnegie-Mellon University researchers for the identities and activity logs of Tor users. Here's the bigger story...
Who Hacked Tor?
Tor’s director Roger Dingledine (I assume that's an encrypted version of his actual name) accused researchers at Carnegie-Mellon of infiltrating the Tor network with multiple relay nodes that tracked traffic between Tor users and “hidden services” - servers within the Tor network that cannot be detected through the normal Domain Name Service. Hidden servers are used for a variety of reasons, from connecting dissidents in repressive regimes to drug trafficking and, probably, terrorist plots.
The researchers, according to Dingledine, tracked the identities of Tor users and the descriptions of the hidden services they accessed. They may have also logged all communications between the users and hidden services, although that data would be encrypted. Then the researchers turned over everything to the FBI. The feds, presumably, are sifting through all the data looking for potential drug dealers, sex traffickers, terrorists, and other criminals.
The problem is, they would also be sifting through the private communications of innocent parties without a search warrant. But that would be OK, the feds might argue, because they didn’t do any searching and seizing; they just bought data collected by researchers who had Tor’s permission to study traffic on the anonymous network. It’s as if the FBI bought data sets about citizens’ Web surfing habits from a commercial data broker, something law enforcement and national security agencies do all the time.
The FBI issued a carefully worded response to Tor’s accusations: “The allegation that we paid Carnegie Mellon University $1 million to hack into Tor is inaccurate.” There’s a lot of wiggle room in that sentence. The amount of money might be “inaccurate.” The money might have been paid for data already collected, and not for an act of “hacking.” But it’s definitely true that if anything nefarious was done, it wasn’t done by Carnegie-Mellon University.
The research/spying in question was carried out by the CERT (Computer Emergency Response Team) division of SEI (Software Engineering Institute). SEI is a federally-funded research and development center (FFRDC) that is located on Carnegie-Mellon’s campus and works closely with the school’s academic researchers. But SEI/CERT is not subject to Carnegie-Mellon University’s oversight or rules. While the feds may have ordered and funded this Tor-hacking project, the money would not have been paid to CMU, nor would the university have benefited or had any say in the matter.
Tor’s outrage over the flouting of its “researchers’ guidelines” is misdirected at CMU. It’s as if you blamed the landlord of your cheating spouse/lover for not keeping closer tabs on him or her.
Spy Versus Spy
This Tor hack is not news; Tor revealed it in July, 2014. What’s new today is the accusation that the FBI paid something on the order of a million dollars for the data (or the hack, or both). Unfortunately, the rather fuzzy dollar figure comes from equally fuzzy “sources within the security community,” according to Tor. I guess that’s what you can expect from an organization dedicated to protecting privacy, but it does not make compelling evidence. However, other evidence does support the theory that CERT/SEI was behind the Tor hack:
A CERT/SEI researcher named Alexander Volynkin was scheduled to make a presentation at the 2014 Black Hat security conference entitled, "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget," but it was canceled abruptly at the behest of SEI attorneys.
Court documents filed in the federal prosecution of Brian Richard Farrell, an alleged ringleader in The Silk Road “dark web” marketplace, revealed that Farrell “was identified based on information obtained by a university-based research institute that operated its own computers on the anonymous network (Tor) used by Silk Road…”
When Tor leaders asked CERT/SEI if the spying relay nodes belonged to the latter, the nodes vanished from Tor overnight. ("These are not the nodes you're looking for...") Who hacked Tor is uncertain, as is exactly what data they got and what they may be able do with it. Remember, the web pages, messages, and other application-level data are encrypted.
Nobody really knows if the FBI, NSA, paid hackers or skilled researchers have the tools to decode encrypted messages. The fact that governments are asking for "back door" capabilities in popular encryption tools tells me the answer is no, at least for now. But clearly this is an arms race that will continue to escalate on both sides.
The major lesson to be learned by users of Tor and other so-called “anonymizing” networks is that they are not 100% safe from prying eyes. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 18 Nov 2015
|For Fun: Buy Bob a Snickers.
The Best Black Friday Deals
The Top Twenty
Windows 10: Ready for Primetime?
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Did the FBI Pay Carnegie-Mellon to Hack Tor? (Posted: 18 Nov 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved