Carnegie Mellon Denies FBI Paid For Tor-Breaking Research (wired.com)
New submitter webdesignerdudes writes with news that Carnegie Mellon University now implies it may have been subpoenaed to give up its anonymity-stripping technique, and that it was not paid $1 million by the FBI for doing so. Wired reports: "In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder. But it instead implied that the research may have been accessed by law enforcement through the use of a subpoena. 'In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,' the statement reads. 'The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.'"
...what was the $1 million for? What did the taxpayers get out of this?
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
"Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder."
Now if that word "direct" had not been there I would have a little more faith.
As we all know, there are hundreds of ways to indirectly pay for stuff... "Hey here's some money for your sports team", "hey here's some money for your building funds", etc etc etc etc etc
So, when gathering the info, they technically provided free labor to the FBI in doing so, right? Even if it's just pointing them to the correct paperwork.
They probably compared the cost of said free labor, against the cost of being penalized for failure to comply with a subpoena, and decided that the former was much cheaper than the latter.
In the "land of the free" of course.
"hadn’t received any direct payment for its Tor research from the FBI or any other government funder"...
So they have received indirect payments or have received direct payments from non-government funders.
That's like when the Bush administration found "dozens of weapons of mass destruction related program activities" in Iraq, but no actual WMDs.
No direct payment.
I wonder what other research the government also subpoenas - perhaps that of the aircraft manufacturer who had a nifty idea but whose bid didn't get the job?
Watch for weasel words...
The whole $1 million payment accusation comes from "sources in the information security community". That's a hell of an accusation to put out there, damaging a school's reputation, without anyone willing to stand up behind it.
...like a carefully worded statement designed to be strictly factually correct to remove the stink from CMU, but there is probably mostly truth in the original story. Just the wording of their statement seems so carefully selected that you just know the reality is that they did do it, but not exactly the way they are defending themselves. So they can sound innocent when they probably are not.
Carnegie Mellon is one of the biggest academic military contractors in the US. They've been developing surveillance tools for the NSA for decades, as well as developing weapons for the purpose of "crowd control" and other aspects of domestic policing.
Look at this article, and when you read the word "cybersecurity" be aware that it's being used as a synonym for "surveillance".
https://thetartan.org/2015/8/3...
https://books.google.com/books...
You are welcome on my lawn.
Yes, all they did was merely destroy the trustfulness of the CERT process to warn EVERYONE of vulnerabilities in software, instead of delightedly handing it over to the descendants of J Edgar Hoover and not bothering to tell the software maintainers anything. This is the main point; the million pieces of silver were just added insult.
In the "land of the free" of course.
Don't forget "home of the brave". The brave thing to do is of course to say "yes, sir, how high, sir?"
What's the current definitions of "free" and "brave" again?
It might be better if we just went back to the original lyrics. "to entwine the myrtle of Venus with Bacchus' vine" seems like a much more achievable sentiment.
OK, let's accept for now that CMU did not receive payment for their data and that they only gave up their data upon subpoena; it really was just icing on the real issue. That of the unethical disclosure of people's private data resulting in an indirect FBI evidential fishing exercise, which is allowed in discovery unless the evidential collection is prompted (hence the $1) which would render it 'fruit of the poisoned tree' and why there is perhaps so much emphasis being placed upon payment.
Remember this, any entity involved in security research or even just a business can be subpoenaed for their data and required by law to not disclose the fact of the request. Further, resisting such requests can lead to extended legal difficulties; just ask Ladar Levison ( https://en.wikipedia.org/wiki/... ).
So what CMU did wrong here (if current evidence is correct) was to collect and keep significant personal information as a result of their 'Research', which is incompatible with what security research is about. If there had been an Ethical Review Board of the ongoing CMU research this should have been noticed and changes made.
Thus, what could CMU have done?
* They could have set up an internal Review Board to review the ethical, legal and other issues of such research {they admit they did not}
* They could have designed the data collection part of their exploit to anonymize data such that connection inferences can be made without disclosing actual IP addresses (simply make a salted hash of each IP address) {they did not}.
* They could have limited collection to just what was needed to prove the exploit and then shut it down {they did not}; instead they ran it for over 3 months.
* Upon proving the method they could have immediately followed responsible disclosure and briefed the TOR group {they did not}
* If the research was launched initially by an FBI request or similar, they should have taken legal advice and realised that they could not do this ethically or follow the above and thus NOT agreed to do it {Clearly if so, they failed}
So in closing take note: in the current legal and criminal climate DON'T collect and store unnecessary information unless you can prove that you can protect it from disclosure in untargeted extralegal ways, lest you and your establishment end up in hot water (see Sony, Ashley Madison, CMU, NSA etc etc)
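The "salted hash of each IP address" point in the list above, worked through as an added Python example (this is not CMU's, SEI's or the commenter's code). It goes one step beyond the comment: instead of sha256(salt + ip) it uses a keyed HMAC, because IPv4 has only 2^32 addresses and a salt that sits next to the dataset lets anyone who obtains both enumerate every pseudonym back to an address. The per-study key is the only re-identification capability, so it is held apart from the data and destroyed when the study ends. The records, addresses (RFC 5737 / RFC 3849 documentation ranges) and field names are constructed for the example.

```python
"""Keyed pseudonymization of IP addresses in research telemetry.

Added example, not CMU/SEI code.  Shows that connection inference (same
source -> same token) still works when the stored dataset never contains a
raw address, and that the secret key, not the dataset, is what must be
protected or destroyed at the end of the study.
"""
import hashlib
import hmac
import ipaddress
import secrets
from collections import Counter

PSEUDONYM_BYTES = 16  # a 128-bit tag keeps distinct sources distinct


def new_study_key() -> bytes:
    """Per-study secret.  Keep it off the dataset; destroy it when the study ends."""
    return secrets.token_bytes(32)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Stable keyed pseudonym (HMAC-SHA256, truncated) for one IPv4/IPv6 address.

    HMAC rather than sha256(salt + ip): with a leaked salt the whole IPv4 space
    (2^32 addresses) can be enumerated and every pseudonym reversed.
    """
    addr = ipaddress.ip_address(ip)  # rejects malformed input, canonicalises
    tag = hmac.new(key, addr.packed, hashlib.sha256).digest()
    return tag[:PSEUDONYM_BYTES].hex()


def pseudonymize_records(records, key):
    """Copy records with 'src' and 'dst' replaced; raw IPs never reach storage."""
    return [
        {**rec,
         "src": pseudonymize_ip(rec["src"], key),
         "dst": pseudonymize_ip(rec["dst"], key)}
        for rec in records
    ]


def records_per_source(pseudo_records):
    """The analysis still works: count records per pseudonymous source."""
    return Counter(rec["src"] for rec in pseudo_records)


def can_reidentify(candidate_ip: str, pseudonym: str, key: bytes) -> bool:
    """Holding the key lets a candidate address be checked against a pseudonym.
    That is exactly why the key is the thing to keep separate and then destroy."""
    return hmac.compare_digest(pseudonymize_ip(candidate_ip, key), pseudonym)


# Constructed sample records (not real traffic; documentation address ranges)
SAMPLE_RECORDS = [
    {"ts": "2014-02-01T00:00:01Z", "src": "198.51.100.7", "dst": "203.0.113.9"},
    {"ts": "2014-02-01T00:00:02Z", "src": "198.51.100.7", "dst": "203.0.113.10"},
    {"ts": "2014-02-01T00:00:03Z", "src": "2001:db8::1", "dst": "203.0.113.9"},
]

if __name__ == "__main__":
    key = new_study_key()
    stored = pseudonymize_records(SAMPLE_RECORDS, key)
    for rec in stored:
        print(rec)
    print(records_per_source(stored))
    del key  # end of study: without the key the stored data cannot be mapped back
```

Running the block prints three records whose `src`/`dst` fields are 32-character hex tokens, with the first two sharing a source token; the raw addresses appear nowhere in the stored copy. A subpoena for "the research data" then yields pseudonyms, and what a court can compel beyond that depends on whether the key still exists, which is the retention decision the commenter is pointing at.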
What are the software IP rights with regards to a federally-funded academic institution? The Software Engineering Institute at Carnegie Mellon is a Federally Funded Research and Development Center (FFRDC), which means grant money, which means conditions on what they can do with their research results.
I still agree with you that they should have fought it more, and it's definitely against the public interest, but I don't know if an IP tactic would have worked.
Examine even your most deeply held beliefs. Nobody is always right.
Yes, we all think you really are that fucking stupid. You can't read the 10 or so comments just above yours where they detail that the Software Engineering Institute is federally funded, and so quite literally, the research was indirectly funded because it was federally funded. Heck, that response was like 45 minutes before yours.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder.
Ok. So I guess they received indirect payments for doing this?