Slashdot Mirror


Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users

An anonymous reader writes: Have Carnegie Mellon University researchers been paid by the FBI to unmask a subset of Tor users so that the agents could discover who operated Silk Road 2.0 and other criminal suspects on the dark web? Tor Project Director Roger Dingledine believes so, and says that they were told by sources in the information security community that the FBI paid at least $1 million for the service. From the article: "There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once," noted Dingledine. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," he pointed out.


  1. Re:News At Eleven by fuzzyfuzzyfungus · · Score: 5, Insightful

    'Consultants' perform wide-scale, warrantless, attack against large number of individuals not even suspected of wrongdoing on behalf of FBI under the guise of 'research' (probably not IRB approved); FBI thanks them for their assistance and introduces the fruits of an operation that would have been dubiously legal in scope even with a warrant; much less without one.

    News at 11:30.

  2. Hmmm... by Shoten · · Score: 4, Informative

    Operation Onymous (which is what this is all about) wasn't all that and a bag of chips. Most of the sites they took down weren't the actual intended targets...they were replicas, meant to scam people who were trying to go to the authentic sites they were mimicking. Silk Road 2.0 was pretty much the only significant site that got brought down.

    The challenge with dark web sites is that there's no central authority to anything. So, as easy as it is to set up a fake site on the normal web to capture logins or other information, it's even easier on the dark web. There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy. If you don't know for a fact that the .onion address you're going to is valid, it could well be that you're at a copycat that's going to harvest your login, take your bitcoins and give you nothing in return, or whatever else.

    It's kind of amusing to think that some academics might have been paid so much and yet accomplish so little, for want of basic understanding of that fact. Carnegie Mellon's people are no slouch (as the academic crowd goes, at least), but that makes this all the more poignant.

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Hmmm... by Anonymous Coward · · Score: 4, Informative

      There's no warning that a certificate doesn't match a domain, no "verified domains" concept to make your browser turn green up in the address bar and make you all happy.

      As of 25 Oct. 2015, this is no longer true.

      "Our internet standard reflects on considerations for handling .onion names on the internet as well as officially reserving .onion as a Special-Use-Domain-Name with the Internet Assigned Numbers Authority (IANA). With this registration, it should also be possible to buy Extended Validation (EV) SSL/TLS certificates for .onion services thanks to a recent decision by the Certification Authority Browser Forum."

      Your statement however was correct when Operation Onymous was active last year.

    2. Re:Hmmm... by gcnaddict · · Score: 2

      Yup, and even before that, Facebook and Cyph were the second and first (within hours of each other) to roll out EVSSL certs for their onion domains, both provided by DigiCert.

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  3. Either it's secure or it isn't by Anonymous Coward · · Score: 4, Insightful

    Does it really matter who does the "uncovering"? Security through not-being-paid-by-the-FBI is not security.

  4. So what? by Anonymous Coward · · Score: 5, Insightful

    So, the FBI paid someone to unmask TOR users, just like anyone could have paid anyone else to unmask TOR users. So what?

    There are two issues here and neither of them are really with the FBI.

    1. It is possible to unmask TOR users. This means that TOR is not fit for purpose. No further use or discussion of TOR is necessary. It is not capable of delivering what it promises on the tin.

    2. CMU "researchers" are willing to be bad actors for a price. If you want to take issue with them, you would be justified.

    The FBI paying someone to do what the FBI does, is not the fucking point. Don't allow yourself to be misdirected away from the fact that TOR is not fit for purpose.

    1. Re:So what? by Anonymous Coward · · Score: 2, Informative

      The FBI paying someone to do what the FBI does, is not the fucking point.

      Actually, it is the point since the legality of law enforcement agencies like the FBI and the DEA breaking into systems using malware and hacking tools provided by contract firms like the Hacking Team and Carnegie Mellon, has never actually been discussed in public or by Congress. I'm not even sure the DOJ has issued any position briefs on it, or if their legality has been tested in court yet. It also should be noted btw that the FBI, DEA and DoD have since cancelled their contracts with the Hacking Team once they were exposed. That doesn't seem like the posture of government agencies certain of the legality of their actions in regard to using hacking tools.

    2. Re:So what? by Type44Q · · Score: 3, Funny

      So, the FBI paid someone to unmask TOR users

      Only until they discovered that those users were actually DEA agents...

  5. LOL ... good luck ... by gstoddart · · Score: 3, Informative

    Such action is a violation of our trust and basic guidelines for ethical research.

    I can't speak for the researchers, but essentially agencies like the FBI are long past trust and ethics.

    They don't give a crap what the law says, they just do what they want. From illegal and overly broad surveillance to formalized perjury in the form of "Parallel Construction" -- modern police forces have decided they don't give a fuck what we think is legal, and think whatever they do is legal because they say so.

    They don't give a damn about pesky little things like warrants.

    --
    Lost at C:>. Found at C.
    1. Re:LOL ... good luck ... by gweihir · · Score: 2

      The problem is that this completely invalidates the concept of "checks and balances". Law enforcement must never have unchecked powers, because that is the only way to avoid a police state.

      In fact, they do now have and use some unchecked powers. The only way to fix this would be to dismantle these organizations, put everybody that lied under oath, ordered others to do so or participated in circumventing constitutional provisions in jail and re-build from scratch. That is obviously not going to happen, hence the police state is already partially there and will be fully established in the next few years. After that, the path inevitably leads to full fascism.

      The fundamental mistake the FBI and others are making is that they think being able to identify and prosecute every crime is good. It is not. Crime needs to be limited to some acceptable level in order for society to function, but trying to eliminate it mostly or completely creates so much extreme evil that it must never be attempted. By the same measure, nothing must be made criminal, except things that really, really matter and where criminalizing them actually helps. The US legal system is going into the opposite direction and has done so for some time.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Innocent? by plover · · Score: 2, Interesting

    "this attack crosses the crucial line between research and endangering innocent users." Since many of the 'endangered users' were then charged with various crimes, are they innocent?

    If a student doctor treats a patient with a gunshot wound, they are still obligated to report the wound to the police. Is the student not learning, and if so, is that materially any different than what the Tor researchers were doing? The gunshot victim may be innocent, or may have been taking part in a crime, but that doesn't change the doctor's obligation.

    Or if a Law Enforcement student is participating in a community event and witnesses a crime, we don't raise a red flag if they apprehend the suspect.

    The circumstances all seem pretty similar to me.

    --
    John
    1. Re:Innocent? by Qzukk · · Score: 2

      Since many of the 'endangered users' were then charged with various crimes, are they innocent?

      Based on what? The say-so of someone paid $50 million to finger people as experimental "research"?

      If the FBI paid a psychic $50 million to finger drug users, would you still open your argument with that line?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. Re:News At Eleven by LateArthurDent · · Score: 4, Insightful

    'Consultants' perform wide-scale, warrantless, attack against large number of individuals not even suspected of wrongdoing on behalf of FBI under the guise of 'research' (probably not IRB approved); FBI thanks them for their assistance and introduces the fruits of an operation that would have been dubiously legal in scope even with a warrant; much less without one.

    I'm the first to complain about warrantless search of Americans, but I don't think this qualifies. If you're going to install software on computers you don't own in order to capture information, you need a warrant. If you're going to ask a private company to hand over data on their users, you need a warrant. If you're going to capture information that passes through your own hardware, even if it's encrypted, that's fair game. If you find a way to break the anonymizing network by creating your own fake relays to do it, as far as my judgement goes, the data was yours to play with, because it passed through your relays, and the research was legitimate, because you did find a flaw on the network.

    The only thing I see wrong with this entire operation is that we have laws against what people can or can't take. It's their life, their bodies, their decision, and the FBI is wasting resources going after people who pose no danger to society (at least as far as Silk Road 2.0. The first Silk Road had the guy in charge trying to hire a hit man. Definitely not just a drugs thing.) The investigation was legit, the research was legit, and it gives the Tor Project something to think about as far as improving their network.

  8. At least 2 reasons why this is not a good stance by klingens · · Score: 4, Interesting

    for the FBI and the university to take:
    If they are allowed to decrypt messages which are passing through "their" property, then:
    a) Pay TV hackers must be allowed to decrypt the Pay TV signals ending at the cable box or coming from a satellite
    b) Any ISP or whoever owns a router which transmits encrypted traffic is allowed to decrypt and read it.

    Either the FBI and the university have to be punished like cable signal hackers and other bad guys, or the law covering those offenses is not worth the paper.

  9. Re: I paid the FBI by Anonymous Coward · · Score: 3, Funny

    Should have used Sudo.

  10. Re:News At Eleven by shaitand · · Score: 2

    It's pretty serious news if "consultants" are allowed to violate rights of citizens that law enforcement themselves are not.

    The restrictions on law enforcement should carry over to anyone working with them and the admissibility of anything found that way in court should be the same as if the FBI had carried out those actions themselves.

  11. Re:At least 2 reasons why this is not a good stanc by klingens · · Score: 3, Insightful

    A university is not a government agency with special powers against other citizens.
    Law enforcement is allowed to do these things only with the approval of the judiciary too. Which they apparently didn't get. 4th amendment, computer security laws and all those pesky things.

  12. A bunch of defendants... by Etherwalk · · Score: 3, Insightful

    Sure but this isn't just about making the FBI play nice and stop cheating. This is about a bunch of defendants at risk of being convicted on evidence that should not be admissible without a warrant or that was only subsequently obtainable because of the information illegally obtained without a warrant and therefore also should not be admissible.

    No, it's not about the defendants. The defendants did something illegal. That's about drug policy.

    This is about everyone *other* than the defendants, who might be the victim of an illegal search by the state tomorrow.

    Courts don't exclude evidence obtained from an illegal search in order to protect defendants. They do it to protect everyone else. They don't have the physical power to make police act legally on the street (cops have to consent to do that), but they do have the power to let defendants go when the cops violate the Constitution. That makes cops mad, so the cops want to follow the Constitution to avoid letting criminals go.

  13. Re:News At Eleven by Agripa · · Score: 2

    If you find a way to break the anonymizing network by creating your own fake relays to do it, as far as my judgement goes, the data was yours to play with, because it passed through your relays, and the research was legitimate, because you did find a flaw on the network.

    So using Stingrays to capture data and voice content is fair game?