Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users
An anonymous reader writes: Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web? Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service.
From the article:
"There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," noted Dingledine.
"Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," he pointed out.
'Consultants' perform wide-scale, warrantless, attack against large number of individuals not even suspected of wrongdoing on behalf of FBI under the guise of 'research' (probably not IRB approved); FBI thanks them for their assistance and introduces the fruits of an operation that would have been dubiously legal in scope even with a warrant; much less without one.
News at 11:30.
Operation Onymous (which is what this is all about) wasn't all that and a bag of chips. Most of the sites they took down weren't the actual intended targets...they were replicas, meant to scam people who were trying to go to the authentic sites they were mimicking. Silk Road 2.0 was pretty much the only significant site that got brought down.
The challenge with dark web sites is that there's no central authority to anything. So, as easy as it is to set up a fake site on the normal web to capture logins or other information, it's even easier on the dark web. There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy. If you don't know for a fact that the .onion address you're going to is valid, it could well be that you're at a copycat that's going to harvest your login, take your bitcoins and give you nothing in return, or whatever else.
It's kind of amusing to think that some academics might have been paid so much and yet accomplish so little, for want of basic understanding of that fact. Carnegie Mellon's people are no slouch (as the academic crowd goes, at least), but that makes this all the more poignant.
For your security, this post has been encrypted with ROT-13, twice.
Does it really matter who does the "uncovering"? Security through not-being-paid-by-the-FBI is not security.
So, the FBI paid someone to unmask TOR users, just like anyone could have paid anyone else to unmask TOR users. So what?
There are two issues here and neither of them are really with the FBI.
1. It is possible to unmask TOR users. This means that TOR is not fit for purpose. No further use or discussion of TOR is necessary. It is not capable of delivering what it promises on the tin.
2. CMU "researchers" are willing to be bad actors for a price. If you want to take issue with them, you would be justified.
The FBI paying someone to do what the FBI does, is not the fucking point. Don't allow yourself to be misdirected away from the fact that TOR is not fit for purpose.
I can't speak for the researchers, but essentially agencies like the FBI are long past trust and ethics.
They don't give a crap what the law says, they just do what they want. From illegal and overly broad surveillance to formalized perjury in the form of "Parallel Construction" -- modern police forces have decided they don't give a fuck what we think is legal, and think whatever they do is legal because they say so.
They don't give a damn about pesky little things like warrants.
Lost at C:>. Found at C.
"this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?
If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.
Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.
The circumstances all seem pretty similar to me.
John
'Consultants' perform wide-scale, warrantless, attack against large number of individuals not even suspected of wrongdoing on behalf of FBI under the guise of 'research' (probably not IRB approved); FBI thanks them for their assistance and introduces the fruits of an operation that would have been dubiously legal in scope even with a warrant; much less without one.
I'm the first to complain about warrantless search of Americans, but I don't think this qualifies. If you're going to install software on computers you don't own in order to capture information, you need a warrant. If you're going to ask a private company to hand over data on their users, you need a warrant. If you're going to capture information that passes through your own hardware, even if it's encrypted, that's fair game. If you find a way to break the anonymizing network by creating your own fake relays to do it, as far as my judgement goes, the data was yours to play with, because it passed through your relays, and the research was legitimate, because you did find a flaw on the network.
The only thing I see wrong with this entire operation is that we have laws against what people can or can't take. It's their life, their bodies, their decision, and the FBI is wasting resources going after people who pose no danger to society (at least as far as Silk Road 2.0. The first Silk Road had the guy in charge trying to hire a hit man. Definitely not just a drugs thing. The investigation was legit, the research was legit, and it gives the Tor Project something to think about as far as improving their network.
for the FBI and the university to take:
If they are allowed to decrypt messages which are passing through "their" property, then:
a) Pay TV hackers must be allowed to decrypt the Pay TV signals ending at the cable box or coming from a satellite
b) Any ISP or whoever owns a router which transmits encrypted traffic is allowed to decrypt and read it.
Either the FBI and the university have to be punished like cable signal hackers and other bad guys, or the law covering those offenses is not worth the paper.
Should have used Sudo.
There is a law enforcement exception written into almost every criminal statute, from running red lights to the DMCA.
So how is paying someone else to do something different from doing it yourself anyway?
They are acting... on your request. You are using them, as a tool, to perform the action, and using department funds to compensate them. Acting via a proxy is still acting.
In fact, it's involving them in a criminal conspiracy, as conspiracy to commit a criminal act is, itself, a crime. Everyone involved should be facing felony charges.
"I opened my eyes, and everything went dark again"
It's another poxed tactic from the unpleasant world of 'distinction without difference to get around pesky regulations' wing of government. There isn't any meaningful difference; but if you have a contractor do it you can just refer to them as a 'Source of Information', without further elaboration; much the same way that local PDs will conjure up a 'confidential informant' whenever they'd prefer not to admit to using a Stingray; or the DEA employs 'parallel construction' to provide a legal backstory for legally inadmissible evidence.
It is very popular, and has all kinds of uses. For pretty much any restriction that either forbids a specific practice, or requires obtaining a specific sort of permission; you can probably find either a euphemism that is equivalent to that practice; but different for regulatory purposes; or something that sounds like that specific sort of permission; but is way easier to get (e.g. an 'administrative subpoena' vs. a 'subpoena').
Even better given the likely association with CERT. Unless you still live in the fantasy world where your tech-heavy society is safer when it is full of holes because at least you get to catch a few of the bad guys; pissing the reputation of a major security-research institution down the drain in order to catch a few drug dealers seems like a really terrible plan. There will be more drug dealers tomorrow; but repairing an environment for people to get vulnerabilities fixed without the fear that they'll be stuck in limbo until the feds have finished weaponizing them, then released for fix, will take a lot longer; and leave a lot of important things vulnerable so that the feds can go hunt a few minor threats.
It's pretty serious news if "consultants" are allowed to violate rights of citizens that law enforcement themselves are not.
The restrictions on law enforcement should carry over to anyone working with them and the admissibility of anything found that way in court should be the same as if the FBI had carried out those actions themselves.
$1m? A tenth of a cent? That is not much. $1M would have been more worrying.
"If you're going to install software on computers you don't own in order to capture information, you need a warrant."
Like seizing Tormail and using it to install malware in Tor users' browsers? I agree, the FBI should be putting some of their own in federal prison for these crimes the same as anyone else would be. If anything police should be punished more severely for breaking the law than anyone else. Anyone they hire should have the same limitations imposed and any information gathered from third parties should be restricted in the same manner with respect to violations of civil and constitutional rights as if the police had gathered in the manner those third parties did.
In the case of data traversing the network it comes down to whether or not the network was functioning as private or public infrastructure. There is a very simple way to figure that out. Sue them for copyright infringement and if they claim they fall under the safe harbor provision they were acting as public infrastructure and a warrant is required for admissibility. You can't both claim to be legally blameless for the data I sent over your network and claim you own it and therefore I have no expectation of privacy with regard to it at the same time.
Sure but this isn't just about making the FBI play nice and stop cheating. This is about a bunch of defendants at risk of being convicted on evidence that should not be admissible without a warrant or that was only subsequently obtainable because of the information illegally obtained without a warrant and therefore also should not be admissible.
A university is not a government agency with special powers against other citizens.
Law enforcement is allowed to do these things only with the approval of the judiciary too. Which they apparently didn't get. 4th amendment, computer security laws and all those pesky things.
Pardon me, but is there a law in the US that the government can't break people's encryption (for any reason)? I'd say the more pertinent question was if the data being decrypted was acquired legally (AKA from nodes owned by a willing third party) or if that traffic was intercepted.
More importantly, is there any assumption of anonymity using a tool running through specifically anonymous peers over public/private pipes ever considered private? If I ran exit nodes to tor and I offered the service of reposting all that data to a web site, is there a crime being committed?
Bye!
"but this attack crosses the crucial line between research and endangering innocent users" ... There is a fine line between protecting the anonymity of Internet users from political oppression and aiding and abetting in a crime. Comments like this don't do well to keep that line clear.
Select from tblFriends where interesting >= 4;
Yes.
http://www.acetonestudio.com
Sure but this isn't just about making the FBI play nice and stop cheating. This is about a bunch of defendants at risk of being convicted on evidence that should not be admissible without a warrant or that was only subsequently obtainable because of the information illegally obtained without a warrant and therefore also should not be admissible.
No, it's not about the defendants. The defendants did something illegal. That's about drug policy.
This is about everyone *other* than the defendants, who might be the victim of an illegal search by the state tomorrow.
Courts don't exclude evidence obtained from an illegal search in order to protect defendants. They do it to protect everyone else. They don't have the physical power to make police act legally on the street (cops have to consent to do that), but they do have the power to let defendants go when the cops violate the Constitution. That makes cops mad, so the cops want to follow the Constitution to avoid letting criminals go.
Err... If you ran an exit node, on your own hardware and using your own bandwidth, and then decrypted the content or monitored the traffic then you'd not only be legally in the clear but you'd be getting accolades from academia or, at least, the FBI. It's not like they went out and hacked anything that didn't belong to them or that they didn't have rights to act on. They were well within their legal rights according to what has been disclosed. Immoral? That's subject to debate (and I'd agree). Illegal? Unlikely.
"So long and thanks for all the fish."
As I understand it, what you want is true. If I break into your house and discover evidence that you've been transporting underage ferrets across state lines for immoral purposes, that's admissible evidence. If anyone in the police hints to me that I should break into your house, the evidence is inadmissible. The only way for the police to cause a legal search is to get a warrant.
That's how it's supposed to work, anyway. We need more judges who crack down on "parallel construction".
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Felony charges from breaking what law, exactly?
What did anyone at the FBI or the university do that was illegal? Tracked a bunch of packets going through their own Tor relays and figured out where it was going and where it came from?
Just like finding a random packet on the internet and looking at the IP header data? It's the same concept.
Oh? Please enlighten me on the legal uses for Silk Road 2.0. It is after all an illegal marketplace, so how could there be a possible legal use for an illegal marketplace?
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Maybe the US Navy designed TOR to be vulnerable in the first place
Only if the encryption is designed to limit access to copyrighted material.
Perhaps you should actually read the DMCA before you bleat on about it.
What are your thoughts on warrantless use of stingray?
Yes! The FBI now knows that judges are using TOR to watch PR0N on gubbermint puters!
Funny how if I hire someone to do something, they are legally treated as my proxy and so I can only hire them to do something I can legally do and if they cross the line, accountability can come back to me.
So using Stingrays to capture data and voice content is fair game?
If the data was lawfully seized, then there is nothing to prevent attempting decryption. Further, encryption does *not* create an expectation of privacy under US law.
http://papers.ssrn.com/sol3/pa...
If they are breaking the law, they are guilty of a crime. Therefore, the FBI's job to investigate crime should fall on those breaking the law in Silk Road just as much as on the street corner.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
What are your thoughts on warrantless use of stingray?
That's a very good analogy, and I had to go read about how it works in order to answer your question.
I think I'm ok with the use of stingray to intercept communications as it happens today, but think it should be treated as a security flaw and the method shouldn't work in the future. It works by forcing nearby cell phones to connect to it, but in order for the call to be completed it must also connect to a legitimate cell phone tower in a man-in-the-middle attack.
Ideally, the cell phone companies should fix the protocol with stronger authentication between phone and towers, to prevent such attacks. Then, in order to operate a stingray in this mode, a warrant would be required that would compel the mobile company to provide the police with a valid key for use by the stingray device for a particular tower, for a given period of time.
Like seizing Tormail and using it to install malware in Tor users' browsers? I agree, the FBI should be putting some of their own in federal prison for these crimes the same as anyone else would be. If anything police should be punished more severely for breaking the law than anyone else.
I'm not familiar with that case, but if they did so without a warrant, then yes, absolutely. I agree entirely with your sentiment, I do think law enforcement should be held even more strictly to the laws than everyone else.
"If I break into your house and discover evidence that you've been transporting underage ferrets across state lines for immoral purposes, that's admissible evidence."
It shouldn't be. In a world where I can work at Company X and discover they are putting carcinogens into the water supply of a midwestern town and the documents I smuggle out are inadmissible on the grounds they are "stolen company documents" the police shouldn't be able to use evidence that wasn't obtained in a way they couldn't have obtained it themselves legally, even if it wasn't at their request.
Which isn't to say I don't think the burglar's testimony wouldn't be valid grounds to then get a warrant to search for evidence of said ferret trade that could be admitted. If he was asked by police to break in, then what he sees shouldn't even be considered for the purpose of getting a warrant.
I wonder how the cops would feel about it if I merely took advantage of a protocol weakness to listen in on their radios... Or how the DOJ would feel if I merely took advantage of a protocol weakness to listen in on their phone calls. If their reaction would be anything but "carry on, fair's fair", then they need a warrant.
More generally, there are a great many exploitable security flaws in our society that police require a warrant to exploit. For example, there are very few locks that are really even pick resistant and nearly none that are pick proof (if any). That "protocol" can be exploited in seconds to minutes. But a detective picking your lock is in it deep if he doesn't have a warrant. But it goes beyond that. Even if you forget to lock your door at all, it is illegal to enter your home without permission.
Maybe the US Navy designed TOR to be vulnerable in the first place
Yes, it could have all just been an elaborate ruse... but given the fact that any software of non-trivial complexity has vulnerabilities in it somewhere, it's more likely that the designers of TOR didn't foresee every possible attack vector. This would make them neither more nor less nefarious than any other designers of (allegedly) secure software.
I don't care if it's 90,000 hectares. That lake was not my doing.