Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users
An anonymous reader writes: Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web? Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service.
From the article:
"There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," noted Dingledine.
"Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," he pointed out.
Operation Onymous (which is what this is all about) wasn't all that and a bag of chips. Most of the sites they took down weren't the actual intended targets...they were replicas, meant to scam people who were trying to go to the authentic sites they were mimicking. Silk Road 2.0 was pretty much the only significant site that got brought down.
The challenge with dark web sites is that there's no central authority to anything. So, as easy as it is to set up a fake site on the normal web to capture logins or other information, it's even easier on the dark web. There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy. If you don't know for a fact that the .onion address you're going to is valid, it could well be that you're at a copycat that's going to harvest your login, take your bitcoins and give you nothing in return, or whatever else.
It's kind of amusing to think that some academics might have been paid so much and yet accomplished so little, for want of basic understanding of that fact. Carnegie Mellon's people are no slouches (as the academic crowd goes, at least), but that makes this all the more poignant.
For your security, this post has been encrypted with ROT-13, twice.
I can't speak for the researchers, but essentially agencies like the FBI are long past trust and ethics.
They don't give a crap what the law says, they just do what they want. From illegal and overly broad surveillance to formalized perjury in the form of "Parallel Construction" -- modern police forces have decided they don't give a fuck what we think is legal, and think whatever they do is legal because they say so.
They don't give a damn about pesky little things like warrants.
Lost at C:>. Found at C.
The FBI paying someone to do what the FBI does, is not the fucking point.
Actually, it is the point since the legality of law enforcement agencies like the FBI and the DEA breaking into systems using malware and hacking tools provided by contract firms like the Hacking Team and Carnegie Mellon, has never actually been discussed in public or by Congress. I'm not even sure the DOJ has issued any position briefs on it, or if their legality has been tested in court yet. It also should be noted btw that the FBI, DEA and DoD have since cancelled their contracts with the Hacking Team once they were exposed. That doesn't seem like the posture of government agencies certain of the legality of their actions in regard to using hacking tools.