Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users

An anonymous reader writes: Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web? Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service. From the article: "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," noted Dingledine. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," he pointed out.

I paid the FBI

I paid the FBI $1 million to make me a sandwich. Still waiting though.

Re:I paid the FBI

I paid the FBI $1 million to make me a sandwich. Still waiting though.

FBI, or IBM?

Re: I paid the FBI

Should have used Sudo.

Re:I paid the FBI

[mitcheli]

"but this attack crosses the crucial line between research and endangering innocent users" ... There is a fine line between protecting the anonymity of Internet users from political oppression and aiding and abetting in a crime. Comments like this don't do well to keep that line clear.

Re: I paid the FBI

[KGIII]

kgiii@kgiii-desktop-8:~$ sudo make girl
[sudo] password for kgiii:
make: *** No rule to make target 'girl'. Stop.

Re:I paid the FBI

[Coren22]

Frankly, is there anyone who could be considered an innocent user of silk road 2.0?

Re:I paid the FBI

[oldmac31310]

Yes.

Re:I paid the FBI

[Coren22]

Oh? Please enlighten me on the legal uses for Silk Road 2.0. It is after all an illegal marketplace, so how could there be a possible legal use for an illegal marketplace?

Re:I paid the FBI

Sure. Most of them have not been convinced by a jury of their peers and therefore are innocent at this time under US law (to which the FBI must adhere).

Re:I paid the FBI

[MobSwatter]

Yes! The FBI now knows that judges are using TOR to watch PR0N on gubbermint puters!

Re:I paid the FBI

[oldmac31310]

You are conflating legality with innocence. I don't think drug use should be illegal therefore I consider these people innocent. It is the law that deems them legally guilty, but who is to judge them morally guilty? Not me anyway.

Re:I paid the FBI

[Coren22]

If they are breaking the law, they are guilty of a crime. Therefore, the FBI's job to investigate crime should fall on those breaking the law in Silk Road just as much as on the street corner.

News At Eleven

Law Enforcement Pays Consultants to Help Unmask Criminals.

News at Eleven.

Re:News At Eleven

[fuzzyfuzzyfungus]

'Consultants' perform wide-scale, warrantless, attack against large number of individuals not even suspected of wrongdoing on behalf of FBI under the guise of 'research'(probably not IRB approved); FBI thanks them for their assistance and introduces the fruits of an operation that would have been dubiously legal in scope even with a warrant; much less without one.

News at 11:30.

Re:News At Eleven

[LateArthurDent]

'Consultants' perform wide-scale, warrantless, attack against large number of individuals not even suspected of wrongdoing on behalf of FBI under the guise of 'research'(probably not IRB approved); FBI thanks them for their assistance and introduces the fruits of an operation that would have been dubiously legal in scope even with a warrant; much less without one.

I'm the first to complaint about warrantless search of Americans, but I don't think this qualifies. If you're going to install software on computers you don't own in order to capture information, you need a warrant. If you're going to ask a private company to hand over data on their users, you need a warrant. If you're going to capture information that passes through your own hardware, even if it's encrypted, that's fair game. If you find a way to break the anonymizing network by creating your own fake relays to do it, as far as my judgement goes, the data was yours to play with, because it passed through your relays, and the research was legitimate, because you did find a flaw on the network.

The only thing I see wrong with this entire operation is that we have laws against what people can or can't take. It's their life, their bodies, their decision, and the FBI is wasting resources going after people who pose no danger to society (at least as far as Silk Road 2.0. The first Silk Road had the guy in charge trying to hire a hit man. Definitely not just a drugs thing. The investigation was legit, the research was legit, and it gives the Tor Project something to think about as far as improving their network.

Re:News At Eleven

'Consultants' perform wide-scale, warrantless, attack against large number of individuals not even suspected of wrongdoing [...]

And likely not even in the FBI's jurisdiction.

Also, kind of a dick move to pay academics to do things that your charter won't allow you to do yourself.

Re:News At Eleven

[TheCarp]

So how is paying someone else to do something different from doing it yourself anyway?

They are acting... on your request. You are using them, as a tool, to perform the action, and using department funds to compensate them. Acting via a proxy is still acting.

In fact, its involving them in a criminal conspiracy, as conspiracy to commit a criminal act is, itself, a crime. Everyone involved should be facing felony charges.

Re:News At Eleven

[fuzzyfuzzyfungus]

It's another poxed tactic from the unpleasant world of 'distinction without difference to get around pesky regulations' wing of government. There isn't any meaningful difference; but if you have a contractor do it you can just refer to them as a 'Source of Information', without further elaboration; much the same way that local PDs will conjure up a 'confidential informant' whenever they'd prefer not to admit to using a Stingray; or the DEA employs 'parallel construction' to provide a legal backstory for legally inadmissible evidence.

It is very popular, and has all kinds of uses. For pretty much any restriction that either forbids a specific practice, or requires obtaining a specific sort of permission; you can probably find either a euphemism that is equivalent to that practice; but different for regulatory purposes; or something that sounds like that specific sort of permission; but is way easier to get(eg. an 'administrative subpoena' vs. a 'subpoena').

Re:News At Eleven

[fuzzyfuzzyfungus]

Even better given the likely association with CERT. Unless you still live in the fantasy world where your tech-heavy society is safer when it is full of holes because at least you get to catch a few of the bad guys; pissing the reputation of a major security-research institution down the drain in order to catch a few drug dealers seems like a really terrible plan. There will be more drug dealers tomorrow; but repairing an environment for people to get vulnerabilities fixed without the fear that they'll be stuck in limbo until the feds have finished weaponizing them, then released for fix, will take a lot longer; and leave a lot of important things vulnerable so that the feds can go hunt a few minor threats.

Re:News At Eleven

[shaitand]

It's pretty serious news if "consultants" are allowed to violate rights of citizens that law enforcement themselves are not.

The restrictions on law enforcement should carry over to anyone working with them and the admissibility of anything found that way in court should be the same as if the FBI had carried out those actions themselves..

Re:News At Eleven

[shaitand]

" If you're going to install software on computers you don't own in order to capture information, you need a warrant."

Like seizing Tormail and using it to install malware in Tor users browsers? I agree, the FBI should be putting some of their own in federal prison for these crimes the same as anyone else would be. If anything police should be punished more severely for breaking the law than anyone else. Anyone they hire should have the same limitations imposed and any information gathered from third parties should be restricted in the same manner with respect to violations of civil and constitutional rights as if the police had gathered in the manner those third parties did.

In the case of data traversing the network it comes down to whether or not the network was functioning as private or public infrastructure. There is a very simple way to figure that out. Sue them for copyright infringement and if they claim they fall under the safe harbor provision they were acting as public infrastructure and a warrant is required for admissibility. You can't both claim to be legally blameless for the data I sent over your network and claim you own it and therefore I have no expectation of privacy with regard to it at the same time.

Re:News At Eleven

[ADRA]

Pardon me, but is there a law in the US that the government can't break people's encryption (for any reason)? I'd say the more pertinent question was if the data being decrypted was acquired legally (AKA from nodes owned by a willing third party) or if that traffic was intercepted.

More importantly, is there any assumption of anonymity using a tool running through specifically anonymous peers over public/private pipes ever considered private? If I ran exit nodes to tor and I offered the service of reposting all that data to a web site, is there a crime being committed?

Re:News At Eleven

[david_thornley]

As I understand it, what you want is true. If I break into your house and discover evidence that you've been transporting underage ferrets across state lines for immoral purposes, that's admissible evidence. If anyone in the police hints to me that I should break into your house, the evidence is inadmissible. The only way for the police to cause a legal search is to get a warrant.

That's how it's supposed to work, anyway. We need more judges who crack down on "parallel construction".

Re:News At Eleven

[viperidaenz]

Felony charges from breaking what law, exactly?
What did anyone at the FBI or the university do that was illegal? Tracked a bunch of packets going through their own Tor relays and figured out where it was going and where it came from?

Just like finding a random packet on the internet and looking at the IP header data? It's the same concept.

Re:News At Eleven

[sjames]

What are your thoughts on warrantless use of stingray?

Re:News At Eleven

[sjames]

Funny how if I hire someone to do something, they are legally treated as my proxy and so I can only hire them to do something I can legally do and if they cross the line, accountability can come back to me.

Re:News At Eleven

[Agripa]

If you find a way to break the anonymizing network by creating your own fake relays to do it, as far as my judgement goes, the data was yours to play with, because it passed through your relays, and the research was legitimate, because you did find a flaw on the network.

So using Stingrays to capture data and voice content is fair game?

Re:News At Eleven

[Agripa]

Pardon me, but is there a law in the US that the government can't break people's encryption (for any reason)?

If the data was lawfully seized, then there is nothing to prevent attempting decryption. Further, encryption does *not* create an expectation of privacy under US law.

http://papers.ssrn.com/sol3/pa...

Re:News At Eleven

[LateArthurDent]

What are your thoughts on warrantless use of stingray?

That's a very good analogy, and I had to go read about how it works in order to answer your question.

I think I'm ok with the use of stingray to intercept communications as it happens today, but think it should be treated as a security flaw and the method shouldn't work in the future. It works by forcing nearby cell phones to connect to it, but in order for the call to be completed it must also connect to a legitimate cell phone tower in a man-in-the-middle attack.

Ideally, the cell phone companies should fix the protocol with stronger authentication between phone and towers, to prevent such attacks. Then, in order to operate a stingray in this mode, a warrant would be required that would compel the mobile company to provide the police with a valid key for use by the stingray device for a particular tower, for a given period of time.

Re:News At Eleven

[LateArthurDent]

Like seizing Tormail and using it to install malware in Tor users browsers? I agree, the FBI should be putting some of their own in federal prison for these crimes the same as anyone else would be. If anything police should be punished more severely for breaking the law than anyone else.

I'm not familiar with that case, but if they did so without a warrant, then yes, absolutely. I agree entirely with your sentiment, I do think law enforcement should be held even more strictly to the laws than everyone else.

Re:News At Eleven

[shaitand]

" If I break into your house and discover evidence that you've been transporting underage ferrets across state lines for immoral purposes, that's admissible evidence."

It shouldn't be. In a world where I can work at Company X and discovering they are putting carcinogens to the water supply a midwestern town and the documents I smuggle out are inadmissable on the grounds they are "stolen company documents" the police shouldn't be able to use evidence that wasn't obtained in a way they couldn't have obtained it themselves legally, even if it wasn't at their request.

Which isn't to say I don't think the burglers testimony wouldn't be valid grounds to then get a warrant to search for evidence of said ferret trade that could be admitted. If he was asked by police to break in, then what he sees shouldn't even be considered for the purpose of getting a warrant.

Re:News At Eleven

[sjames]

I wonder how the cops would feel about it if I merely took advantage of a protocol weakness to listen in on their radios... Or how the DOJ would feel if I merely took advantage of a protocol weakness to listen in on their phone calls. If their reaction would be anything but "carry on, fair's fair", then they need a warrant.

More generally, there are a great many exploitable security flaws in our society that police require a warrant to exploit. For example, there are very few locks that are really even pick resistant and nearly none that are pick proof (if any). That "protocol" can be exploited in seconds to minutes. But a detective picking your lock is in it deep if he doesn't have a warrant. But it goes beyond that. Even if you forget to lock your door at all, it is illegal to enter your home without permission.

Hmmm...

[Shoten]

Operation Onymous (which is what this is all about) wasn't all that and a bag of chips. Most of the sites they took down weren't the actual intended targets...they were replicas, meant to scam people who were trying to go to the authentic sites they were mimicking. Silk Road 2.0 was pretty much the only significant site that got brought down.

The challenge with dark web sites is that there's no central authority to anything. So, as easy as it is to set up a fake site on the normal web to capture logins or other information, it's even easier on the dark web. There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy. If you don't know for a fact that the .onion address you're going to is valid, it could well be that you're at a copycat that's going to harvest your login, take your bitcoins and give you nothing in return, or whatever else.

It's kind of amusing to think that some academics might have been paid so much and yet accomplish so little, for want of basic understanding of that fact. Carnegie Mellon's people are no slouch (as the academic crowd goes, at least), but that makes this all the more poignant.

Re:Hmmm...

There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy.

As of 25 Oct. 2015, this is no longer true.

"Our internet standard reflects on considerations for handling .onion names on the internet as well as officially reserving .onion as a Special-Use-Domain-Name with the Internet Assigned Numbers Authority (IANA). With this registration, it is should also be possible to buy Extended Validation (EV) SSL/TLS certificates for .onion services thanks to a recent decision by the Certification Authority Browser Forum."

Your statement however was correct when Operation Onymous was active last year.

Re:Hmmm...

[gcnaddict]

Yup, and even before that, Facebook and Cyph were the second and first (within hours of each other) to roll out EVSSL certs for their onion domains, both provided by DigiCert.

Either it's secure or it isn't

Does it really matter who does the "uncovering"? Security through not-being-paid-by-the-FBI is not security.

Re:Either it's secure or it isn't

Or if you are a hiring manager remember that grads from CMU might be fed moles.

Re:Either it's secure or it isn't

That depends on what you're doing. If you're an end node, but really a govt snoop, the network may be secure, but you have enough data of other notes to be able to point fingers. You've heard of honey pots?

Re: Either it's secure or it isn't

[bill_mcgonigle]

That part doesn't matter, but if it's true, the perps should never work in academia again. They can probably get cushy jobs in NoVA though. CMU's reputation is also on the line. If they do a thorough investigation and out any wrongdoers, only their review process ought be found needing of improvement.

Re:Either it's secure or it isn't

Yes, and moles taste disgusting.

We need to address this kind of thing

Since the Citizen's United decision businesses (and Universities are businesses) claim to be "persons" and have free speech which translates to spending money on political campaigns. Well, if they're persons, they should also serve jail time if convicted of a crime. It should probably be in the form of complete loss of profit during a given time. After all, if I were to do this sort of thing on my own, the government wouldn't let me continue working my job and earning money from prison so why should a corporation be able to to the same thing? They could still pay their rent and employees (more than an individual can do), but no more.

Re:We need to address this kind of thing

[KGIII]

Err... If you ran an exit node, on your own hardware and using your own bandwidth, and then decrypted the content or monitored the traffic then you'd not only be legally in the clear but you'd be getting accolades from academia or, at least, the FBI. It's not like they went out and hacked anything that didn't belong to them or that they didn't have rights to act on. They were well within their legal rights according to what has been disclosed. Immoral? That's subject to debate (and I'd agree). Illegal? Unlikely.

So what?

So, the FBI paid someone to unmask TOR users, just like anyone could have paid anyone else to unmask TOR users. So what?

There are two issues here and neither of them are really with the FBI.

1. It is possible to unmask TOR users. This means that TOR is not fit for purpose. No further use or discussion of TOR is necessary. It is not capable of delivering what it promises on the tin.

2. CMU "researchers" are willing to be bad actors for a price. If you want to take issue with them, you would be justified.

The FBI paying someone to do what the FBI does, is not the fucking point. Don't allow yourself to be misdirected away form the fact that TOR is not fit for purpose.

Re:So what?

It's my money and I disagree with the use of it. Go catch your own victimless criminals and use your own money for it, dick!

Re:So what?

Oh, you didn't know? The government owns everything. Sometimes they allow you to keep some of their money that they allow companies to pay you, but if they want more of it, they'll take it back. After all, they know when you've made enough, and they know better than you how to spend it.

And if they want to spend their money on investigating and prosecuting the folks that fall for scams and attempt to buy illegal but harmless drugs, well, who's going to stop them? The president has shows he doesn't need to obey the law, and the courts can't stop him. And you can't stop him, because you aren't allowed to have any real weapons, beyond small arms, because the government wants to make sure you can't fight back.

Re:So what?

The FBI can not conduct a wide-spread warrantless wiretap which is what this amounted to. So it is not entirely clear if they are allowed to pay someone to do it for them.

For example, the FBI can not pay you to kill for them. That would be illegal.

The FBI does use paid informants all the time, but those are typically targeted situations covering a few individuals, not a large population of potentially innocent people.

Then there's the issue of where the million dollars came from. If it was on the budget, there will be a internal paper trail of authorizations that journalists can request via a FOIA request. If it was money recovered from say a previous drug bust, then there may be some issues with that as well.

Re:So what?

The FBI paying someone to do what the FBI does, is not the fucking point.

Actually, it is the point since the legality of law enforcement agencies like the FBI and the DEA breaking into systems using malware and hacking tools provided by contract firms like the Hacking Team and Carnegie Mellon, has never actually been discussed in public or by Congress. I'm not even sure the DOJ has issued any position briefs on it, or if their legality has been tested in court yet. It also should be noted btw that the FBI, DEA and DoD have since cancelled their contracts with the Hacking Team once they were exposed. That doesn't seem like the posture of government agencies certain of the legality of their actions in regard to using hacking tools.

Re:So what?

[Type44Q]

So, the FBI paid someone to unmask TOR users

Only until they discovered that those users were actually DEA agents...

Re:So what?

"It is possible to unmask TOR users." Is it?

Re:So what?

How is this rate insightful? You take one sentence from the summary and conclude that TOR is not useful or worth talking about anymore. It doesn't say how the person was identified. TOR users can be identified if they slip up and post information that can be used to identify them, there is writing analysis, they could have set up their hidden service incorrectly, etc.

To come to such a conclusion without knowing the particulars you are either a zealot or the FBI just trying to convince people TOR isn't secure (or both).

Re: So what?

since the days of SPARTA, freedom has been under attack. it is an eternal battle and the left right dichotomy describes it in a very limited way.

banksters like the nsa quite much, for example. they know which kind of stuff is ignored...

Re: So what?

in general, government contractors need a warrant as much as the government itself does. otherwise it is a funny show and not lawful.

but we all know how they interpret the law when it comes to sigint.

having said that, by all accounts they could have got a warrant against silk road easily. selling dope is still illegal. so is conspiracy to murder.

Re: So what?

it should be not so difficult. just apply the spirit of police wiretapping regulations. do collection in a limited fashion. respect magna charta. dont play the absolute king.

the side effect is a sharp focus on the really bad guys like those who bombed boston.

Re: So what?

only with massive effort at the network level. what tor fails to do is to generate decoy traffic. that enables simple traffic bandwidth modulation attacks.

Re:So what?

[AmiMoJo]

TOR is fine, the discovery of real IP addresses relies on side channel attacks. Often it is things like using exploits to make the server provide its real IP address, in much the same way as individual users can be identified by using exploits to make their browser give up its real IP address.

Another option is to fingerprint the server/browser somehow, and then look for the same fingerprint in other places. Quite often the server will be hosting non-TOR content as well, so you might narrow it down by looking at the exact versions of software it is running (e.g. the web server), what timezone its clock is set to, how much the clock has drifted at any given moment etc.

So TOR is fine, but you have to understand that you can't just turn it on and forget everything else. It's best to use Tails if you are just browsing, but for servers there isn't anything really like that and you have to very carefully configure it on your own. Ideally you need a dedicated box, not a VPS.

And yes, the CMU researchers are persona non gratis now, and we won't be sharing any details of zero day vulnerabilities or other interesting research with them again.

Re:So what?

[whoever57]

And yes, the CMU researchers are persona non gratis now, and we won't be sharing any details of zero day vulnerabilities or other interesting research with them again.

While those researchers are still at CMU, that should be "we won't be sharing any details of zero day vulnerabilities or other interesting research with anyone at CMU"

Re: So what?

having said that, by all accounts they could have got a warrant against silk road easily. selling dope is still illegal. so is conspiracy to murder.

Just to be clear, Operation Onymous targeted Silk Road 2.0, not the original Silk Road.

Re: So what?

[Impy+the+Impiuos+Imp]

Someone noticed government had first dibs on your income and could tax it. And therefore you should think of it as government's money, and that it lets you keep some.

This was not a cynical libertarian view, but rather a socialist's rah rah rah! attitude.

This survives today in the meme that government reducing taxes for a particular industry is "subsidizing" them, taking away The People's money and "giving" it to a company.

While the wisdom of any particular tax break is up for debate, and political, and, let's face it, the exact reason people go into power, so they can hand these out, it is important to keep in mind refusing to take someone's money does not mean it is your money

Re: So what?

[Impy+the+Impiuos+Imp]

Nelson, refusing on Tuesdays to take Bart's lunch, does not mean on Tuesdays Bart eats Nelson's lunch by grace of a gift from Nelson.

Re: So what?

[Impy+the+Impiuos+Imp]

A tool that breaks into things is not unconstitutional. Using it without a warrant is.

While the contents of unencrypted networks might properly be considered something The People cannot reasonably expect privacy in, encrypted networks The People definitely expect to be secure in, especially without a warrant. This would include not just the latest stuff, but older stuff like basic HTTPS and password transfers.

Re:So what?

> The FBI paying someone to do what the FBI does, is not the fucking point.

The FBI is not supposed to conduct drag-net surveillance. Use of Tor is not probable cause.

Re: So what?

Yep. And CMU IP blocks are blacklisted. Anyone care to look them up?

Re: So what?

[bmo]

5 seconds of googling:

Carnegie Mellon's primary IP address range (128.2.#.#).

https://www.cmu.edu/iso/govern...

--
BMO

Re:So what?

[viperidaenz]

So you're saying they're not allowed to run Tor relays?

They probably run thousands of them. So would the NSA, and probably many other governments as well.

LOL ... good luck ...

[gstoddart]

Such action is a violation of our trust and basic guidelines for ethical research.

I can't speak for the researchers, but essentially agencies like the FBI are long past trust and ethics.

They don't give a crap what the law says, they just do what they want. From illegal and overly broad surveillance to formalized perjury in the form of "Parallel Construction" -- modern police forces have decided they don't give a fuck what we think is legal, and think whatever they do is legal because they say so.

They don't give a damn about pesky little things like warrants.

Re:LOL ... good luck ...

[Fire_Wraith]

Oh, they do care what it says - they just don't let it stop them. They don't ask "Am I allowed to do what I want to do?", they ask "How can I do what I want to do despite what this says?"

They've let the ends justify the means. They've convinced themselves that this is right, that it's justifiable, and that it's absolutely necessary, otherwise the Terrorists/Drug Kingpins/Pedophiles/etc win. It's not just about warrants and espionage either. It's about things like due process, torture, and any number of related things.

Re:LOL ... good luck ...

[gweihir]

The problem is that this completely invalidates the concept of "checks and balances". Law enforcement must never have unchecked powers, because that is the only way to avoid a police state.

In fact, they do now have and use some unchecked powers. The only way to fix this would be to dismantle these organizations, put everybody that lied under oat, ordered others to do so or participated in circumventing constitutional provisions in jail and re-build from scratch. That is obviously not going to happen, hence the police state is already partially there and will be fully established in the next few years. After that, the path inevitably leads to full fascism.

The fundamental mistake the FBI and others are making is that they think being able to identify and prosecute every crime is good. It is not. Crime needs to be limited to some acceptable level in order for society to function, but trying to eliminate it mostly or completely creates so much extreme evil that it must never be attempted. By the same measure, nothing must be made criminal, except things that really, really matter and where criminalizing them actually helps. The US legal system is going into the opposite direction and has done so for some time.

Re: LOL ... good luck ...

Put yourself in their shoes. They see criminals do criminal shit all the time. After a while, it's easier to justify abusing criminal's rights and the rights of innocent citizens who are unaware of violations of their rights. (sound of tree in forest argument).

Not justifying it, just realize these are people making decisions.

Dingledine!

I can't say it or think it without laughing my ass off.

Innocent?

[plover]

"this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?

If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.

Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.

The circumstances all seem pretty similar to me.

Re:Innocent?

If Cop, who knows they cannot, tells a Law Enforcement Student they will pay them $1,000,000.00 to go arrest a bunch of peaceful protesters and throw them into a bus, then yeah that should raise a red flag.

Re:Innocent?

They are presumed innocent until proven guilty in a court of law. But then the question is, if the government then convicts them using unconstitutional means, should we still presume their guilt at that point?

Re:Innocent?

> Since many of the 'endangered users' were then charged with various crimes, are they innocent?

Yes. Being charged with a crime is not the same as being convicted by a jury of your peers for the crime.

Re:Innocent?

Since many of the 'endangered users' were then charged with various crimes, are they innocent?

Were all "endangered users" charged with any crime? Were most "endangered users" charged with any crime? No? Then, I'm not sure how much of a point you really have...

If I illegally enter 10000 random houses, for sure I'll find evidence of at least a handful of crimes. Would that justify the invasion of privacy of 10000 households? According to the spirit of the law, no (which is why there is such a thing as a "warrant" in the first place).

Re:Innocent?

[Qzukk]

Since many of the 'endangered users' were then charged with various crimes, are they innocent?

Based on what? The say-so of someone paid $50 million to finger people as experimental "research"?

If the FBI paid a psychic $50 million to finger drug users, would you still open your argument with that line?

Re:Innocent?

[AmiMoJo]

The FBI is considered a bad actor by many, one which subverts the law whenever it suits it. Parallel construction, for example, or the use of fake cell towers. So helping them is morally dubious. To take up your example, a doctor might feel morally obliged not to tell the police if she believed that the police were likely to misuse the information, e.g. by taking the opportunity to frame a black man for a crime (as often happened in South Africa, once upon a time).

Okay, let's say that in this case the CMU researchers were convinced that the FBI was acting within the law and for good reasons. Is attacking users of the TOR network and keeping the research out of public view responsible? Many people rely on TOR to protect them from oppression and violence. Just because this time the FBI wants to go after some bad guys, does that justify hiding security issues you discover that may be being exploited by other people to find and murder/torture/imprison their political opponents? Especially when you are benefiting from other researchers privately revealing zero day vulnerabilities to you (and software vendors) and then using them to attack.

Re:Innocent?

[ADRA]

The parent's post was poorly worded / judged since charges don't mean convictions, but realistically a few things may happen:
      1. Police won't find any extra evidence to charge the individuals with and the court dismisses the case due to lack of evidence
      2. The case goes forward with just the TOR logs, and the court will have a public record of exactly how that data was acquired / processed
      3. The case goes forward with other corroborating evidence and they don't end up using the TOR logs at all

Of course step 3 could still be introduced in trial by the defence for proving malicious prosecution, but I'm not sure of that defences' strength in this scenario.

Re:Innocent?

[Impy+the+Impiuos+Imp]

"this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?

If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.

Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.

The circumstances all seem pretty similar to me.

These are really in the larger context of disallowing government the tools of tyrrany. Government is forbidden from warrantless searching to prevent them from rooting around looking for things to charge political challengers with. Yes, even legitimate criminal charges. Putin, Chavez, there are contemporary examples where this is occuring. And political science has for centuries been aware that the more defined crimes, the easier it is for government to have a hook on which to hang pulling you over, thus having several ready reasons to hamper anybody who irritates those in power.

And don't say it doesn't happen here. When SJP announced a downgrade to government bonds, the government announced an inquiry into them to see if they were violating anything. Hemming and hawwing ensued.

Re:Innocent?

[viperidaenz]

It's more like cop paying Spy School student to get the names of people who buy drugs from street dealers, after they give the student the location of all the dealers.

Goes to show lack of ethics at liberal institution

They should have all the federal money pulled for lack of ethics.
But since it is the Feds that benefitted, that won't happen.
More liberals that argued for taking morals out of the classroom, that wonder why they don't follow the constitution.

If the feds are asking us to do it, it MUST be legal.

Tormail sodomized

I knew it could be a honey-pot for any number of reasons/sources but dammit I liked it. I could use it via Tor through a hidden service without javascript. Just sign up for free and you're off on an adventure. But in the end, it was too good to be true.

I don't trust any .onion sites. I've seen people modify web forums to crash Tor clients. That was enough for me.

The last free site to work with Tor without javascript required was safe-mail - but now they're restricting new accounts when they fix whatever bullshit their site says they're in.

At least 2 reasons why this is not a good stance

[klingens]

for the FBI and the university to take:
If they are allowed to decrypt messages which are passing through "their" property, then:
a) Pay TV hackers must be allowed to decrypt the Pay TV signals ending at the cable box or coming from a satellite
b) Any ISP or whoever owns a router which transmits encrypted traffic is allowed to decrypt and read it.

Either the FBI and the university have to be punished like cable signal hackers and other bad guys, or the law covering those offenses is not worth the paper.

Re:Burning Witches at 12

Assuming the whole 'Tor' project isn't just a 'trap', I think it's funny when TLA manage to pull shit like this off. This is how progress in projects like this mature, by getting hit from any direction and reacting by tightening the code/process.

FBI violated the DMCA?

I thought it was illegal to circumvent encryption. Why's it ok for them to do it?

Re:FBI violated the DMCA?

[EmagGeek]

There is a law enforcement exception written into almost every criminal statute, from running red lights to the DMCA.

Re:FBI violated the DMCA?

[viperidaenz]

Only if the encryption is designed to limit access to copyrighted material.
Perhaps you should actually read the DMCA before you bleat on about it.

Re: At least 2 reasons why this is not a good stan

How naive can you be? There has always been and always will be one set of rules for kings, their knights and their faithful lords and one different set for us peons.

peace on earth and goodwill toward men

[each member of the team makes a request in return for the decryption chip]

Whistler: I want peace on earth and goodwill toward man.
Bernard Abbott: Oh, this is ridiculous.
Martin Bishop: He's serious.
Whistler: I want peace on earth and goodwill toward men.
Bernard Abbott: We are the United States Government! We don't do that sort of thing.
Martin Bishop: You're just gonna have to try.
Bernard Abbott: All right, I'll see what I can do.
Whistler: Thank you very much. That's all I ask.

- http://www.imdb.com/title/tt01...

Re:At least 2 reasons why this is not a good stanc

Either the FBI and the university have to be punished like cable signal hackers and other bad guys, or the law covering those offenses is not worth the paper.

You do understand that government agencies are allowed to do things that individual citizens are not permitted to do? This isn't even high-school civics class level, it's basic common sense. Duh.

Fucking imbicel

Working as agents of the govt == fruit of the poison tree just as if you were the policeman himself.

Bet you're an SJW fuck who's opposed to men marrying young girls too.

Pedantic nitpick

[Cigaes]

$1m? A tenth of cent? That is not much. $1M would have been more worrying.

Re:Pedantic nitpick

[Zero__Kelvin]

Stop being a pedant. You suck at it.

Re:Burning Witches at 12

[shaitand]

Sure but this isn't just about making the FBI play nice and stop cheating. This is about a bunch of defendants at risk of being convicted on evidence that should not be admissible without a warrant or that was only subsequently obtainable because of the information illegally obtained without a warrant and therefore also should not be admissible.

Re:At least 2 reasons why this is not a good stanc

[klingens]

A university is not a government agency with special powers against other citizens.
Law enforcement ist allowed to do these things only with the approval of the judiciary too. Which they apparently didn't get. 4th amendment, computer security laws and all thoes pesky things.

LOL

"between research and endangering innocent users"

Like the ones buying hits against other people, right?

Re: LOL

That was Silk Road, not Silk Road 2.0. SR2.0 didn't have hitmen for hire.

Get your fucking facts right before you flame.

A bunch of defendants...

[Etherwalk]

Sure but this isn't just about making the FBI play nice and stop cheating. This is about a bunch of defendants at risk of being convicted on evidence that should not be admissible without a warrant or that was only subsequently obtainable because of the information illegally obtained without a warrant and therefore also should not be admissible.

No, it's not about the defendants. The defendants did something illegal. That's about drug policy.

This is about everyone *other* than the defendants, who might be the victim of an illegal search by the state tomorrow.

Courts don't exclude evidence obtained from an illegal search in order to protect defendants. They do it to protect everyone else. They don't have the physical power to make police act legally on the street (cops have to consent to do that), but they do have the power to let defendants go when the cops violate the Constitution. That makes cops mad, so the cops want to follow the Constitution to avoid letting criminals go.

Re:A bunch of defendants...

[shaitand]

The defendants are innocent until proven guilty. The defendants have rights. Those rights have been violated. Whether or not they happened to have actually committed a crime is another matter. Whether or not the alleged crimes should be crimes is also another matter.

The reality is that everyone breaks the law every day. You probably broke half a dozen laws you don't even know exist today. It is actually more important that law enforcement fail to enforce the law 99.999% of the time due to limitations placed on them than it is to catch "the bad guys." Those limitations are the only way our society can function to some degree while the legal system is broken with courts illegally lying to juries about their right to judge the law. Until jurors are properly informed of their right to nullify unjust laws or to nullify laws on a case by case basis where their application would not result in justice, limiting law enforcement is the best we have. At least then people who can at least operate in society without disrupting it to the extent it becomes viable and worthwhile for law enforcement with their limitations to arrest them are not arrested and that is the only reason almost everyone reading this is not in jail.

It's already so bad that if you ever do get arrested for any of the dozens of things we all do on a daily basis without even realizing they are illegal or could be illegal at officer discretion you are effectively unemployable for the rest of your life. Or at least your education is now worthless and your professional career over, relegating you to work in the lowest paid stratum of society.

People who break the law are everywhere. People who break drug laws are at least 30% of the people you interact with on a daily basis. People who actually need to be taken off the streets are uncommon and there are more of them in suits and uniforms than peddling drugs.

"Courts don't exclude evidence obtained from an illegal search in order to protect defendants. They do it to protect everyone else."

The defendants are part of everyone else until they are convicted and even then being convicted doesn't mean you are actually guilty and even then being guilty of a crime doesn't mean you've actually done anything wrong. Do not equate defendants with bad guys who don't need protected, they are those of who are currently under fire and in need of our immediate protection. And if you are on a jury remember that courts never determined the people didn't reserve the right to nullify the law in the Constitution, they only determined they don't have to tell you about it and later that they can legally lie to jurors about it and aren't blocked from excusing jurors or declaring a mistrial if they find out the jurors know about it. As a juror "not guilty" doesn't mean (s)he didn't do it. Not guilty means I don't believe this defendant, my neighbor, needs to be locked in a cage, raped, and denied meaningful pursuit of employment for life based on what the prosecution has proven beyond the slightest reasonable doubt.

How Is It Fine?

How is TOR fine? The TOR project themselves are whining about CMU researchers unmasking TOR users.

If you can unmask TOR users, then TOR is not fine and is not fit for purpose.

Re:How Is It Fine?

[viperidaenz]

Maybe the US Navy designed TOR to be vulnerable in the first place

Re:How Is It Fine?

[Jeremi]

Maybe the US Navy designed TOR to be vulnerable in the first place

Yes, it could have all just been an elaborate ruse... but given the fact that any software of non-trivial complexity has vulnerabilities in it somewhere, it's more likely that the designers of TOR didn't foresee every possible attack vector. This would make them neither more nor less nefarious than any other designers of (allegedly) secure software.

The term "warrant" has lost all meaning

Have you ever heard of a case where a judicial authority declined to authorize a warrant? The circumstances required for a judge to approve a warrant seem to be "a law enforcement agency is requesting one".

You could make the argument that issuing a warrant creates a paper trail, so that watchdog and oversight groups can audit these things and possibly apply some kind of corrective action if there was overreach. Would this ever happen? I can't find a single instance where a judge faced any sort of consequences for authorizing a 'bad' warrant. Similarly, law enforcement agencies don't face any consequences for requesting 'bad' warrants.

Why even play this game? Law enforcement is going to continue to break laws and do whatever they can get away with (which seems to be anything and everything).

Re: At least 2 reasons why this is not a good stan

You do also understand that government agencies are also permitted to contract out things that they are allowed to do to third-parties? Those tanks and planes didn't make themselves you know. Double-duh.

Coren22's "greatest hits" fails #1/5... apk

"Apk doesn't think DNS servers are worth running & believes Microsoft Active Directory can run w/out DNS." - by Coren22 (1625475) on Tuesday October 27, 2015

Where'd I say it? I say AD needs internal DNS far back as 2007 http://forums.tweaktown.com/wi...

See "To warn users who have ActiveDirectory/AD LAN-WAN setups to NOT use external DNS servers" there on OpenDNS free (I use it) + AD in my security guide.

+ Migrate hosts across a LAN (admin/scripts not GPO)-> http://slashdot.org/comments.p...

---

I'm RIGHT on admin priv + hosts update (WFP/SFP)!

"figured out why privilege escalation's a bad thing?" - by Coren22 on Tuesday September 22, 2015

How else can I programmatically update it?

---

"it requires elevation to write hosts" - by Coren22 (1625475) on Wednesday September 23, 2015

Hypocrite later admits it!

Even MalwareBytes AntiMalware (best one) DEMANDS it or it can't do its job fully like many security tools!

Guess what?

Don't NEED to run my program as ADMIN - I do it here manually vs. auto.

---

"Needing admin privileges every time a program updates is poor design" - by Coren22 (1625475) on Tuesday November 10, 2015

Users set it, not programmatic impersonation for autoupdate. You design zero & say what's what here?

---

"90's technology to fight modern war" - by Coren22 (1625475) on Tuesday November 10, 2015

Ozymandias/Watchmen per a namesake:

"I resolved to use antiquities teachings" (hosts) "to our world today & began my path to conquest - Conquest not of men but of the evils that beset them: Fossil Fuels (antispyware), Oil (antivir), Nuclear Power (addons) are like a drug & you gentlemen along w/ foreign interests are the pushers"

It works Aryeh Goretsky NOD32/ESET said hosts = good security-> http://it.slashdot.org/comment...

Oliver Day (Symantec) too-> http://www.securityfocus.com/c...

MalwareBytes' hpHosts' Admin hosts+recommends APK Hosts File Engine 9.0++ SR-2 32/64-bit-> http://hosts-file.net/?s=Downl...

APK

P.S.=> Continued in #2/5... apk

Coren22's "greatest hits" fails #2/5... apk

"Virus scanners/Adblock software don't need admin priv to update" - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

AV does to remove threats - Adblock addons = VASTLY INFERIOR in abilities + efficiency vs. hosts as I've proven w/ noone proved me wrong to date!

---

"your software does" - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

No, hosts do due to WFP/SFP!

---

"won't reveal your source code" - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

I don't owe you it. I don't give away work to be stolen by others so it's misused like GOOGLE CHROME http://it.slashdot.org/story/1...

---

"What's stopping you from pointing my bank's web site at your private server?" - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

I don't keep a server. You're a security guru (not - you create no ware for security & your forensics skills = non-existent): Put it in a VM, trace it using process monitor + wireshark to prove it (don't need code) & I only put in hardcodes of fav sites @ top of hosts for speed & reliabilty - you'd spot it easily & bulk of the file is sorted blocked known bad threat origins.

---

"the possibility of being caught, which would be pretty hard to catch w/ such a large hosts file, as no one can go through it manually." - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

See just above!

---

"What are you going to do when Windows gets rid of the hosts file completely?" - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

Hasn't happened!

---

"They have already taken steps to make it useless in Windows 10." - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

It still works there!

APK

P.S.=> To be continued in part #3/5... apk

Coren22's "greatest hits" fails #3/5... apk

"I guess we should avoid your crap, it looks like it is marked as malware. Good luck getting that removed." - by Coren22 (1625475) on Monday November 02, 2015 @03:52PM (#50850445)

62 sources of good repute show + /. users say otherwise:

Proven safe by 57 antivirus programs in its 64-bit model https://www.virustotal.com/en/...

+

Same for the 32-bit model https://www.virustotal.com/en/...

&

Per VirScan its installer too -> http://f.virscan.org/APKHostsF...

---

MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news... /.'ers say my work is good too:

"his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)

"I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)

"APK is kinda right... I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works." - by bmo (77928) on Thursday October 15, 2015 @11:30AM (#50736071)

"his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources" by alexgieg (948359) on Friday September 25, 2015 @09:57AM (#50596461)

---

You tried using Computer Associates another antivirus I turned over on false positives (1/8 over time) & they were caught in ACCOUNTING SCANDALS FRAUD http://www.bing.com/search?q=c...

Reputable source (not): They had to sell off their PC security suite too (crap fraud also) LOWERING the 'threat level' on THAT program (not my hosts file engine) TO ZERO!

* YOU ARE WRONG ON EVERY ACCOUNT NOTED!

APK

P.S.=> To be continued in part #4/5... apk

Coren22's "greatest hits" fails #4/5... apk

"nowhere in there did you actually say what you are using that isn't a proxy/VPN" - by Coren22 (1625475) on Thursday November 12, 2015 @02:25PM (#50916751)

I don't use proxies/VPN (or anonymous relays).

"APK ... uses anonymous relays to get around the limits of posting anonymous" - by Coren22 (1625475) on Wednesday November 04, 2015 @10:06AM (#50863109)

I'm not stupid enough to do what YOU want (make me as stupid as an easily tracked for retrolling sheep like you).

There's 3-4 ways to do what I do & those? Aren't them in your mistake accusations.

What I do, like all I do = FAST + EFFICIENT, NO extra "moving parts" - less IS more = GOOD engineering, using what you have natively vs. "Bolting on 'MoAr'" stupidly & illogically.

You're MCSE, networking admin 'god', & security guru (not) - figure it out, I gave clues - I'm NOT going to tell you!

All you know is I do it WHEN combatting little scumbags like you that hide behind fake names online trolling me.

It works, like all I do does with testimonials to that effect no less.

"it's funny how little you know of security APK" - by Coren22 (1625475) on Thursday November 12, 2015 @02:25PM (#50916751)

Funny how little you know in computing (no code, especially for security - I have it. You don't)

(& you're stumped on an anti-troll technique I use too!)

I've long ago done far more than you will or have in the art & science of computing! For security?

CIS Tool took fixes from me http://slashdot.org/comments.p... which you doubted & my layered security guides got me paid http://pcpitstop.com/news/winn... & MILLIONS use it.

APK

P.S.=> To be continued in part #5/5... apk

Coren22's "greatest hits" fails #5/5... apk

"but rather than take my advise on various things, he feels that he is allowed to defame me by saying things he knows are not true - by Coren22 (1625475) on Wednesday November 04, 2015 @10:06AM (#50863109)

Hypocrite, I show you're projecting in my posts. What "advice" can you, an INFERIOR to me, like yourself give?

"I have offered him advise on ways to improve what he does to reduce the feeling of icky his software - by Coren22 (1625475) on Wednesday November 04, 2015 @10:06AM (#50863109)

I've shown /.'er saying differently - Show us you've done better: YOU can't - & you're "advising"? Talking out your ass on things you haven't done is what you're doing.

"posting them so often that maybe, just maybe, someone will think they are true - by Coren22 (1625475) on Wednesday November 04, 2015 @10:06AM (#50863109)

Quotes of you are true! You can't keep your word as you're replying to me yet again + projecting what I prove YOU do (AD/DNS lie).

"I don't have time for the Troll APK, and refuse to respond anymore to a post signed APK" - by Coren22 (1625475) on Tuesday November 03, 2015 @04:27PM (#50858983)

No troll. I protect users for free w/ a program that speeds them up, helps reliability, & even anonymity online w/ more abilities & efficiency than ANY other 1 solution doing more w/ less - do you? No.

"Maybe I should change my signature again just to rile him up some more." - by Coren22 (1625475) on Tuesday November 03, 2015 @10:07AM (#50855451) FROM http://slashdot.org/comments.p...

"Rile" me? Childish sig bs is all you've got!

"I have repeatedly refuted his assertions - by Coren22 (1625475) on Wednesday November 04, 2015 @10:06AM (#50863109)

BS - See my last 4 posts here!

APK

P.S.=>

"I never admitted you were right" - by Coren22 (1625475) on Tuesday November 10, 2015 @04:14PM (#50904323)

You PROVE I AM FOR ME part #1-#5 of your "Greatest Hits Fails"... apk