Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users

Posted by timothy on from the beats-a-wrench-to-the-knee dept.

An anonymous reader writes: Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web? Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service. From the article: "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," noted Dingledine. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," he pointed out.

2 of 108 comments (clear)

  1. Hmmm... by Shoten · · Score: 4, Informative

    Operation Onymous (which is what this is all about) wasn't all that and a bag of chips. Most of the sites they took down weren't the actual intended targets...they were replicas, meant to scam people who were trying to go to the authentic sites they were mimicking. Silk Road 2.0 was pretty much the only significant site that got brought down.

    The challenge with dark web sites is that there's no central authority to anything. So, as easy as it is to set up a fake site on the normal web to capture logins or other information, it's even easier on the dark web. There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy. If you don't know for a fact that the .onion address you're going to is valid, it could well be that you're at a copycat that's going to harvest your login, take your bitcoins and give you nothing in return, or whatever else.

    It's kind of amusing to think that some academics might have been paid so much and yet accomplish so little, for want of basic understanding of that fact. Carnegie Mellon's people are no slouch (as the academic crowd goes, at least), but that makes this all the more poignant.

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Hmmm... by Anonymous Coward · · Score: 4, Informative

      There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy.

      As of 25 Oct. 2015, this is no longer true.

      "Our internet standard reflects on considerations for handling .onion names on the internet as well as officially reserving .onion as a Special-Use-Domain-Name with the Internet Assigned Numbers Authority (IANA). With this registration, it is should also be possible to buy Extended Validation (EV) SSL/TLS certificates for .onion services thanks to a recent decision by the Certification Authority Browser Forum."

      Your statement however was correct when Operation Onymous was active last year.