Hacked reported last week that Tor director Roger Dingledine made the bold claim that the FBI had directly paid Carnegie Mellon University researchers at their Software Engineering Institute to help uncloak Tor nodes and aid law enforcement in prosecuting Dark Web criminals. Carnegie Mellon was not consulted in most of the media coverage, and declined to comment to those who did inquire. The story had more to do with Dingledine’s allegations and their potential validity than anything else.
Now Carnegie Mellon has come out to take issue with one particular part of the narrative: the part that says the government compensated the university for its efforts. The university's very short statement is interesting in that it does not deny that the government could be using its research to further its aims.
In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.
The statement also notes that the Software Engineering Institute does receive federal funding. Such budgetary dispensations are usually public knowledge, but one must know where to begin to look. In any case, at no point in the statement does Carnegie Mellon deny that the FBI used its research. The specific mention of occasional subpoenas is also interesting: the university appears to be implying that if it had helped the government, it would have been under what amounts to coercion, since it is subject to the long arm of the law as are any of us.
They seem to be saying: what did you expect us to do? The resounding answer would likely be: disclose the vulnerabilities to the Tor project first, no matter the consequences, so as not to compromise the lives of political dissidents both in and out of the United States. But we digress.
In the wake of all this, a lesser-spoken-about principle of security software engineering has proven true yet again: paranoia is a great motivator. The Tor project has mentioned that it is now overhauling the software in several key ways, hoping to close holes they still don’t necessarily know enough about. At the end of the day, the law can still get to you if you’re behind Tor. Using data from nodes, they can potentially compel unwitting accomplices to turn someone over.
One such effort of improvement is a change to the way that guard nodes are dispatched. The guard node is the first node to anonymize data. The more guard nodes an onion request connects to, the less secure it is. Developers want to change that so that, by default, a minimum of guard nodes is selected, with just one guard node being the ideal number.
The next upgrade will come in the form of helping to thwart deep web crawlers. Yes, they exist; the dark wiki isn’t all there is anymore. Hacked covered Memex’s efforts earlier this year. Indexing and the ability to search are not features on the dark web – they’re liabilities, vulnerabilities. The purpose of the service is to hide you, after all. For the longest time, getting somewhere required a link or prior knowledge.
Fighting the ability of bad people to cloak their online activities inevitably fights the ability of good people to do the same. Tor was originally funded with government funds, after all, and now the project is a monster they’re trying to re-tame. What the world needs is a wider variety of options similar to Tor, to slow down the encroaching grip of thought police and Machiavellian political agendas.
Images from Wikimedia.