Carnegie Mellon Denies FBI Paid For Tor-Breaking Research (wired.com)
New submitter webdesignerdudes writes with news that Carnegie Mellon University now implies it may have been subpoenaed to give up its anonymity-stripping technique, and that it was not paid $1 million by the FBI for doing so. Wired reports: "In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder. But it instead implied that the research may have been accessed by law enforcement through the use of a subpoena. 'In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,' the statement reads. 'The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.'"
"what was the $1 million for? What did the taxpayers get out of this?"
I'm thinking Astroglide. You can figure out the rest.
"National Security is the chief cause of national insecurity." - Celine's First Law
...what was the $1 million for? What did the taxpayers get out of this?
I bet it would have cost them a lot less than $1 million to hire a lawyer and at least make even the most feeble effort to resist this subpoena.
"Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder."
Now if that word "direct" had not been there I would have a little more faith.
As we all know, there are hundreds of ways to indirectly pay for stuff...... "Hey here's some money for your sports team", "hey here's some money for your building funds", etc etc etc etc etc
So, when gathering the info, they technically provided free labor to the FBI in doing so, right? Even if it's just pointing them to the correct paperwork.
They probably compared the cost of said free labor, against the cost of being penalized for failure to comply with a subpoena, and decided that the former was much cheaper than the latter.
In the "land of the free" of course.
"hadn’t received any direct payment for its Tor research from the FBI or any other government funder"...
So they have received indirect payments or have received direct payments from non-government funders.
That's like when the Bush administration found "dozens of weapons of mass destruction related program activities" in Iraq, but no actual WMDs.
Carnegie Mellon is one of the biggest academic military contractors in the US. They've been developing surveillance tools for the NSA for decades, as well as developing weapons for the purpose of "crowd control" and other aspects of domestic policing.
Look at this article, and when you read the word "cybersecurity" be aware that it's being used as a synonym for "surveillance".
https://thetartan.org/2015/8/3...
https://books.google.com/books...
You are welcome on my lawn.
Yes, all they did was merely destroy the trustworthiness of the CERT process to warn EVERYONE of vulnerabilities in software, instead of delightedly handing it over to the descendants of J Edgar Hoover and not bothering to tell the software maintainers anything. This is the main point; the million pieces of silver were just added insult.
In the "land of the free" of course.
Don't forget "home of the brave". The brave thing to do is of course to say "yes, sir, how high, sir?"
What's the current definitions of "free" and "brave" again?
It might be better if we just went back to the original lyrics. "to entwine the myrtle of Venus with Bacchus' vine" seems like a much more achievable sentiment.
OK, let's accept for now that CMU did not receive payment for their data and that they only gave up their data upon subpoena; it really was just icing on the real issue. That of the unethical disclosure of people's private data resulting in an indirect FBI evidential fishing exercise, which is allowed in discovery unless the evidential collection is prompted (hence the $1) which would render it 'fruit of the poisoned tree' and why there is perhaps so much emphasis being placed upon payment.
Remember this, any entity involved in security research or even just a business can be subpoenaed for their data and required by law to not disclose the fact of the request. Further, resisting such requests can lead to extended legal difficulties; just ask Ladar Levison ( https://en.wikipedia.org/wiki/... ).
So what CMU did wrong here (if current evidence is correct) was to collect and keep significant personal information as a result of their 'Research', which is incompatible with what security research is about. If there had been an Ethical Review Board of the ongoing CMU research this should have been noticed and changes made.
Thus, what could CMU have done?
* They could have set up an internal Review Board to review the ethical, legal and other issues of such research {they admit they did not}
* They could have designed the data collection part of their exploit to anonymize data such that connection inferences can be made without disclosing actual IP addresses ( simply make a salted hash of each IP address ) {they did not}.
* They could have limited collection to just what was needed to prove the exploit and then shut it down {they did not}, instead they ran it for over 3 months.
* Upon proving the method they could have immediately followed responsible disclosure and briefed the Tor group {they did not}
* If the research was launched initially by an FBI request or similar, they should have taken legal advice and realised that they could not do this ethically or follow the above and thus NOT agreed to do it {Clearly if so, they failed}
So in closing take note, in the current legal and criminal climate DON'T collect and store unnecessary information unless you can prove that you can protect it from disclosure in untargeted extralegal ways, lest you and your establishment end up in hot water ( see Sony, Ashley Madison, CMU, NSA etc etc)
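The "salted hash of each IP address" suggestion in the comment above, worked through as an added example (this is not code from the original post, from CMU, or from the Tor project). It assumes Python 3 and a constructed sample of connection records using RFC 5737 / RFC 3849 documentation addresses. One caveat the comment glosses over: a public salt is not enough, because the whole IPv4 space is only 2**32 values and can be hashed exhaustively, so the "salt" here is a secret key used with HMAC-SHA256, kept out of the dataset and destroyed when the study ends. The block shows that keyed tokens still support the connection inferences a researcher wants (same address, same token), and that an unkeyed hash of an address is recovered by brute force in seconds while the keyed token is not.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample of the kind of record a traffic-correlation study
# might log. Documentation ranges only, not real observations.
SAMPLE_RECORDS = [
    {"ts": 1, "src": "203.0.113.42", "dst": "198.51.100.7"},
    {"ts": 2, "src": "203.0.113.42", "dst": "198.51.100.9"},
    {"ts": 3, "src": "192.0.2.200",  "dst": "198.51.100.7"},
    {"ts": 4, "src": "2001:db8::1",  "dst": "198.51.100.7"},
]

TOKEN_HEX_LEN = 32  # 128-bit tokens are plenty for collision-free linkage


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym for an address: HMAC-SHA256 over its packed form.

    The same (ip, key) pair always yields the same token, so connection
    inferences (which sources talk to which destinations, how often)
    survive. Without the key the token cannot be mapped back to the address.
    """
    packed = ipaddress.ip_address(ip).packed  # canonical bytes, v4 and v6
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def pseudonymize_records(records, key: bytes):
    """Replace src/dst with tokens; nothing else about the record changes."""
    return [
        {"ts": r["ts"],
         "src": pseudonymize_ip(r["src"], key),
         "dst": pseudonymize_ip(r["dst"], key)}
        for r in records
    ]


def sources_per_destination(records):
    """Correlation still works on tokens: distinct sources per destination."""
    seen = {}
    for r in records:
        seen.setdefault(r["dst"], set()).add(r["src"])
    return {dst: len(srcs) for dst, srcs in seen.items()}


def unkeyed_hash(ip: str) -> str:
    """What 'just hash it' gives you: no secret, so it is only an encoding."""
    packed = ipaddress.ip_address(ip).packed
    return hashlib.sha256(packed).hexdigest()[:TOKEN_HEX_LEN]


def brute_force_unkeyed(token: str, network: str):
    """Dictionary attack: hash every address in `network`, look for `token`.

    A /24 is 256 hashes; the full IPv4 space is 2**32, still cheap. A keyed
    token never matches because the attacker cannot compute the HMAC.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(unkeyed_hash(str(addr)), token):
            return str(addr)
    return None


if __name__ == "__main__":
    # The key lives only in the collector's memory, never in the dataset,
    # and is discarded when collection stops.
    key = secrets.token_bytes(32)
    tokens = pseudonymize_records(SAMPLE_RECORDS, key)
    print("distinct sources per destination:", sources_per_destination(tokens))
    weak = unkeyed_hash("203.0.113.42")
    print("unkeyed hash recovered as:", brute_force_unkeyed(weak, "203.0.113.0/24"))
    strong = pseudonymize_ip("203.0.113.42", key)
    print("keyed token recovered as:", brute_force_unkeyed(strong, "203.0.113.0/24"))
```

Two design points worth stating: tokens are derived from the packed address rather than its text so that "2001:db8::1" and "2001:0db8::0001" collapse to one identity, and the key is generated per study so that tokens from one dataset cannot be joined against another, which is also what makes the stored data useless to a later subpoena once the key is gone.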