FBI and Carnegie Mellon Possibly Colluded in Tor Uncloaking Scheme
Reports have come out recently that paint an interesting picture of the Federal Bureau of Investigation and Carnegie Mellon University. For starters, a court document acquired by Vice showed that the FBI was crediting an unnamed academic institution with helping it in locating a child pornography suspect as well as the people behind Silk Road 2.
Researchers from the school canceled a talk they were scheduled to give at July’s Black Hat conference on exactly the subject of unmasking a Tor IP address. The talk promised to show the conference of hackers how this could be done with a mere $3,000 equipment investment cost. The attack that was successful last year cost around $50,000, sources say. Considering the time and money put into the Tor project over the years, the relative low cost and low research debt which Carnegie Mellon researchers appear to have leveraged should be, well, scary.
But things get more interesting as the reporting goes deeper. While there remains no current evidence that CMU is in fact working in league with the FBI on a regular and active basis, the Tor project itself claims to have received word that CMU received $1 million for its help in breaking Tor.
The Tor Project has learned more about last year’s attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. […] We have been told that the payment to CMU was at least $1 million.
When contacted about the co-operation with the government, Motherboard received a telling boilerplate from Richard Lynch, public relations at Carnegie’s Software Engineering Institute:
Thanks for your inquiry, but it is our practice not to comment on law enforcement investigations or court proceedings.
This is telling in that the inquiry was more related to the claims made by the researchers regarding what they were able to do in their attacks on Tor. After all, the group had claimed to be able to do something that was very similar to what the Tor project had previously described.
Also read: Tor Network May Face Disabling Attack
At present, there is no overwhelming evidence that a payment was ever exchanged. There is no evidence that the academic institution wasn’t some other institution. But we have here more building blocks than a typical conspiracy theorist would need to construct a story here: Carnegie Mellon outsourced some of its research to the FBI, was helpful, and the FBI compensated Carnegie Mellon. The civil libertarian element of the research is what is troubling. For while they may have uncloaked some bad guys, they also certainly uncloaked a lot of innocent traffic – people in repressed countries trying to communicate with loved ones in the West, for instance.
Tor is compromised, and these aren’t the kinds of things you can easily trust again later. The government occasionally makes grandiose claims regarding its computer science capabilities, that’s for sure, but believing that you can browse anywhere anymore without being tracked may be a more grandiose thought indeed.
Featured image from Shutterstock.