Drug Case In Ireland Has Fingerprints of Carnegie Mellon's Attack On Tor
blottsie writes: Newly released evidence shows that Irish detectives who worked the case of two convicted drug dealers may have also used data obtained through CMU's Software Engineering Institute's methods. Mannion and O'Connor were arrested on Nov. 5, 2014, according to a database of Dark Net arrests created by independent researcher Gwern Branwen. That's the same day that the owner of Silk Road 2.0, the replacement for the infamous drug marketplace Silk Road, was arrested. The IP addresses of Silk Road 2.0 were provided to the FBI by a "source of information," according to a search warrant in another case impacted by the attack on Tor, which court documents later confirmed was a university-based research institute.
Good read, thanks.
It's a shame we have to hire interns to do the important stuff..
and then capitalize on it, as if it was their own..
lame
I hope some privacy concerns come up strong enough to topple this crap
What did you expect that research to be used for? It is not like a company was paying them so they could deliver relevant ads via tor. (mmmm, donuts)
https://youtu.be/dGOVbXF7Iog?t=1m4s
"Speaking as a roofer: I can tell you a roofer's personal politics comes in to play heavily when choosing jobs."
What university promotes libertarian thought in any way shape or form? Seriously, I'd love to know.
Kids need to be taught that spying on each other is normal and good long before university.
(cough)
Seriously, hook us up OP.
Spying on the enemy *is* normal, and has been since, oh... the beginning of humanity.
"I don't know, therefore Aliens" Wafflebox1
You seem off topic.
First, I agree with you about Ulbricht, DPR.
Second, this seems to be about silk road 2.
Third, this isn't even about jackasses acting with jackassery- this is about attacks on TOR.
By the way, in Washington (where I live), Colorado, and very soon Oregon, you can buy weed in regulated stores in shopping malls and downtown hipster hangouts, take it home and toke to your heart's content, and answer the door to a cop who will tell you to turn your music down and then go away.
If you want news from today, you have to come back tomorrow.
Right, so because everyone who buys or sells drugs is an enemy, and every citizen has the potential to buy/sell drugs, then we should spy on all citizens. It's basic logic, citizen, the NSA, FBI, DEA, and ATF are all spying on you, because that's what a responsible government does to protect itself from its enemies. You do like having a government, don't you, citizen? Citizen...?
You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.
Remember kids - your so-called "friends" may be your enemy! They may be secretly communists/capitalists/muslims/jews/infidels (underline where necessary), therefore you need to secretly check their phones etc and report any unauthorized content to local authorities.
being left-wing and libertarian
Next time, pull the pants off your head before you post.
The problem is that nowadays the tools needed to spy on other countries end up being used against us, either by those other countries or by our own traitors.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
OP pls
An Irish narcotics trafficking site will presumably involve some jail time for those involved; but at least the tax burden will be among the lightest in the EU!
Unfortunately, what they were doing before was arguably much more useful: CERT/CC, a program heavily intertwined with CMU's software engineering side, has a relatively noble history of doing security research with the intent to make software more secure; rather than weaponize exploits for somebody's petty temporary advantage at the expense of every other user.
There is absolutely no way that catching a few druggies could possibly be worth tainting the reputation of a respected security research institution with the suspicion of being just another malware vendor for the feds. Are there scary bad people who use software? Sure. Do all the rest of us use mostly the same software, almost all of it terrifyingly full of holes and in dire need of any and all assistance available? Also yes.
It's true. Secular institutions like universities don't generally promote faith-based philosophies like libertarianism.
You are welcome on my lawn.
It's an OS, and /. has covered releases even of stuff like OpenBSD which must have a smaller user base than TAILS does.
I know you're trolling, but I can't resist:
How does a libertarian philosophy require faith? What must be believed without evidence?
Maybe it played out for CMU like this:
That people, left to their own devices, will simultaneously act for both their own good and for the good of the commons?
Yeah but it is much funnier to spy on friends.
Everything I write is lies, read between the lines.
CMU is a high-profile institution, their reputation won't be negatively impacted in any way.
To believe their reputation would suffer you should believe that the general public would view their activities negatively. It shouldn't matter at all what your own personal opinion of their actions are. If you dislike what they do, that doesn't mean the public does, or that they should be concerned the impression would be negative.
I think most people would view this as them doing one of the tasks that security research is for, even if there are others with different color hats in the niche who might disagree. Don't expect an educational institution to take stands against the government on your behalf; they never agreed with your position, and whatever the government is lawfully doing is going to be seen as "white hat" work by, let's see, almost all of society.
That people who disagree have an echo chamber should not alter their analysis about what the standard, default public position will be.
TOR was created and supported by the US government to encourage free speech in oppressive locations. From the view of many academics, using it for criminal activity subverts its purpose and is harmful to free speech. If the drug war is absurd, that does not change that calculation for most people. TOR is absolutely not viewed by most people as being intended as an anti-government tool of anarchy; arresting users for non-speech-related crimes in no way tarnishes TOR, or the researchers involved. That criminals have made such extensive use of it is the blemish on the reputations of all the researchers whose work involves TOR. Turnabout is exactly what might improve the reputations of these people.
Don't confuse disagreement with being in a silent majority, and don't let an echo chamber convince you of it either. CMU researchers got paid by the government to do legal stuff. That will enhance their reputation. There is no way to avoid it.
"Attacks on TOR" or the unmasking of criminals abusing a free speech platform by building a black market inside it?
I don't approve of the drug war, but I'm not convinced that black is white whenever a drug dealer gets arrested. How is it an attack on the tool they were abusing? If they were using TOR to engage in anonymous speech about how awful drug prohibition is and discussing their efforts to get the law changed, and they were arrested for the content of their speech, then that would clearly be an attack on TOR. Or if the researchers had used some sort of exploit to gain control of somebody else's computers, and used that control to get the information, that would clearly be an attack. But tipping off the police with information about the identity of a criminal? Even if you dislike the law, it seems obvious that isn't an "attack" at all, especially not when the context is computer security research.
All Philosophy requires faith, otherwise it would be called Science.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Consumers will have perfect access to market information and will therefore pick good products and punish companies by not buying bad products.
Yes, how great that we have a university fighting moral bankruptcy with.... moral bankruptcy.
What isn't normal is the little twist you are trying to slip in under the radar. It isn't normal to consider each other to be the enemy. That is something encouraged by the government, but shunned by intelligent and educated people, as well as plenty who don't have those opportunities.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Spare the moralizing. "Attacks" aren't bad from the perspective of the attacker, and the attacker could well be doing something like busting up bad guys. That doesn't make the technical discussion less valid, or warrant some new fucking word to avoid offending someone. More importantly, the TOR project isn't there to give back doors to good guys but not to bad guys.
What university promotes libertarian thought in any way shape or form? Seriously, I'd love to know.
Seriously, hook us up OP.
OP pls
You just have to love the AC that posts three separate times to appear as if he is three different people. Heads up: everyone can tell.
The mods can tell that at least "Seriously, hook us up OP" didn't come from the same place as the other two, cause I typed that one and I'm not the other guy(s).
Are you willing to stop being meta and deliver for OP tho? Definitely want to find the university pushing libertarianism.
Libertarianism doesn't require faith in that. The mix of people actually enjoying acting out of altruism and the situations where people acting for their own good inherently results in the good of the commons (competition, efficiency improvements) is enough for a lot of things and is quite demonstrable without any faith needed.
Their reputation with the general public is largely irrelevant, nor do I think that it will be affected (if the general public could even identify 'CERT/CC' at all).
The problem is their reputation with people who don't directly work for them; but have historically worked with them: if they are respected as a group that coordinates security improvements, that is one thing. If they are seen as feeding exploits to the feds rather than fixing things; why work with them when you could sell to one of the outfits that already makes a business of selling exploits to the feds?
Libertarianism always starts with "if only". As in, "If only people were different, people would be different."
The part that's demonstrable is that those that act only for their own good will inevitably take advantage of those who work in the good of the commons, and eventually will poison the well. There is a reason greed has been considered a human failing, at least until the relatively recent development of libertarianism. Let's be honest: libertarianism only exists to provide a moral/social/political framework to give cover to sociopaths. Not that all libertarians are sociopaths. I don't believe that at all. But all libertarians are useful to the sociopaths.
You are welcome on my lawn.
Looks like this genie is out of the bottle, and the temptation will simply be too great for law enforcement to let it back in. Tor is compromised. What can we do now? Can Tor be improved to mitigate such attacks, or to warn users in real time that an attack is happening? Are there alternative systems that are not known to have been compromised yet?
Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
Federal law applies on federal property in DC. So no toking in the park, since they're almost all National Park Service property. Pity.
No, mods can't tell who ACs are. I would assume you are the same person as it is a common thing being done by ACs.
If you want to differentiate yourself, make an account, otherwise you are the amorphous blob called AC.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
I think your tin foil hat might be a little tight.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Secular institutions like universities don't generally promote faith-based philosophies like libertarianism.
I know you're trolling, but I can't resist: How does a libertarian philosophy require faith? What must be believed without evidence?
Libertarianism doesn't require faith in that. The mix of people actually enjoying acting out of altruism and the situations where people acting for their own good inherently results ...
There you go. That word "inherently" is the faith part.
There is absolutely no way that catching a few druggies could possibly be worth tainting the reputation of a respected security research institution with the suspicion of being just another malware vendor for the feds.
CMU is a high-profile institution, their reputation won't be negatively impacted in any way.
Their reputation may be harmed in some segment of the tech population, but do keep in mind that it will be enhanced in other segments. You may not believe it, but the response "Good! At least one institution is actively working to unmask terrorists, pedophiles, and drug pushers" is going to be exactly the way some people will view it.
You may not like it, but not everybody thinks the same.
And human history is a grim testament to the bloody results. Perhaps it's time to just admit this "enemy" thing isn't working and try something else?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Why do you think this toy is so popular this year? Get the kids used to the idea of someone always there, quiet and observing everything.
If you can monitor just the packet headers passing in and out of Tor you can identify the dark web host. It takes a little while, but sending traffic to the server at randomly chosen times will eventually give it up.
This is true even if random delays are added to the forwarding. User response time severely limits how much of a delay can be added. Once you know the mean and variance of the added delays, you just need to control a packet stream going to the host and run it for a long enough period of time. It need not even be a single session. It can be multiple sessions. It's slow, but traffic analysis like this cannot be bypassed.
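A toy model of the claim in the comment above, that bounded random forwarding delays only slow timing analysis down, added here as an illustration and not part of the original thread. Host counts, traffic rates, and durations are constructed, and the added delay is assumed uniform with a known upper bound; the model is useful for judging how much delay or cover traffic a design would need.

```python
import bisect
import random
import statistics

DURATION = 40000.0     # seconds of observation (constructed)
BACKGROUND_RATE = 0.5  # unrelated packets per second at every host (constructed)
N_DECOYS = 20          # hosts that never receive the marked stream (constructed)


def poisson_arrivals(rng, rate, duration):
    """Timestamps of unrelated traffic, modelled as a Poisson process."""
    out, t = [], rng.expovariate(rate)
    while t < duration:
        out.append(t)
        t += rng.expovariate(rate)
    return out


def observe_host(rng, probes=(), max_delay=0.0):
    """Header-only view of one host: packet arrival times and nothing else."""
    arrivals = poisson_arrivals(rng, BACKGROUND_RATE, DURATION)
    # Each marked packet is forwarded after a random delay bounded by max_delay.
    arrivals += [p + rng.uniform(0.0, max_delay) for p in probes]
    arrivals.sort()
    return arrivals


def window_count(arrivals, probes, window):
    """Total arrivals that land within `window` seconds after each send time."""
    total = 0
    for p in probes:
        lo = bisect.bisect_left(arrivals, p)
        hi = bisect.bisect_right(arrivals, p + window)
        total += hi - lo
    return total


def run_trial(n_probes, max_delay, seed=1):
    """Return (z-score of the real destination, index of best-scoring host).

    Host 0 is the real destination; hosts 1..N_DECOYS see background only.
    The z-score is how far host 0 stands above the decoy population.
    """
    rng = random.Random(seed)
    probes = sorted(rng.uniform(0.0, DURATION - max_delay)
                    for _ in range(n_probes))
    hosts = [observe_host(rng, probes, max_delay)]
    hosts += [observe_host(rng) for _ in range(N_DECOYS)]
    # The window equals the known delay bound, so no marked packet is missed.
    counts = [window_count(h, probes, max_delay) for h in hosts]
    decoys = counts[1:]
    z = (counts[0] - statistics.mean(decoys)) / statistics.stdev(decoys)
    return z, counts.index(max(counts))


if __name__ == "__main__":
    for n, delay in [(25, 10.0), (800, 10.0), (800, 2.0)]:
        z, best = run_trial(n, delay)
        print(f"packets={n:4d} max_delay={delay:4.1f}s "
              f"z={z:5.1f} best_host={best}")
```

In this model the background noise inside the windows grows with the square root of the number of marked packets while the signal grows linearly, so a larger delay bound raises the packet count needed rather than removing the signal.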
Not really, no. Those assumptions don't really bear close examination. If not for your faith, you'd see that.
You don't actually know any Libertarians, do you? *sighs* I am not typing this out again Pope. You know better. At least read the Wikipedia article (even just the first four paragraphs) before I have to type all this shit out all over again. I seriously need to start cutting and pasting.
*I* am a Libertarian and have been for some 40 years or so. I am further to the left of any elected official (probably even Bernie) and the difference is that I used logic and reason to come to my conclusions. Randians aren't Libertarians - they're idiots. Ashamed Republicans who self-identify as Libertarians don't even understand the platform. Anarcho-capitalists are not Libertarians, they're just stupid.
Of course, you might call me a Classic Libertarian or even a Socialist Libertarian but you'd fucking KNOW that if you actually knew anything about Libertarianism. Sheesh. I gotta repeat this at least once a week. By the time I type it all out people are like, "Oh, well that's cool. I had no idea." Well, maybe if I'd stop writing novellas and try to fit it on bumper sticker you'd finally understand!
Ah well... I swear to Christ, I'm not typing it out again already this week. You can wait until the weekend for a Political Science lesson. Yes, me... The guy who admits he pays too little in taxes, donates, loves drugs and guns, supports single payer health care, supports a strong social safety net, and even supports reasonable regulation and governance - is a Libertarian. Now, I do admit, we've got some straight up idiots in our party but they're no more or less idiotic than the ones you have in other parties. They just make the news more often because they bleat the loudest and say the stupidest things which means they get the ratings. Rand Paul is not a Libertarian. He's an idiot. His dad was a lunatic, I kind of liked him.
We need image macros. Grumpy Cat is appropriate here.
"So long and thanks for all the fish."
And what of a Philosopher of Mathematics then, hmm? The highest order of science, indeed. ;-)
"So long and thanks for all the fish."
I see the confusion. There is a world of difference between big "L" libertarians and small "l" libertarians.
One is a political faction (or party). The other is a socio-economic fantasy. My earlier comment was in reference to the latter.
You are welcome on my lawn.
LOL It's okay. I was just feeling like ranting for a while. I generally assume you're joking when you're posting wiseass remarks. I even found it funny but I wanted a good excuse to rant and there it was. ;-)
I think it only fair that I point out that it is nearly 70 outside here in PCB. The downside is, of course, I'm in Florida. Err... So take that!
But yeah, we do have a bunch of idiots in our party. It would be a bit antithetical to silence them or kick them out. I think the vast majority of people who self-identify as a Libertarian (note capitalization) don't actually understand the platform but are convinced it either means that they can be anarchists and greedy without remorse or limit. Also, they probably noticed some of us have a pro-choice drug use opinion.
I can't help it. Anyone can identify as a Libertarian if they want. It's not like we have a purity test (GOP) or insist on conformity by shaming (DNC). It's also not like I don't understand why some people are confused. I gotta be honest here, some Libertarians are straight up fruitcakes. We've got our share of zealots, idiots, and insane. It's not like we've been very forthcoming about telling people that they're idiots - we kind of wanted the attention and party memberships. "Give us your tired, your poor..." Yeah, we said, "Give us your crazy, degenerates, and imbeciles." In our defense, we were probably quite drunk at the time.
"So long and thanks for all the fish."
Under the spreading chestnut tree
I sold you and you sold me.
Glad they got these two terrible shits. I can't stand it that drug addicts are ruining Tor for everybody though.
There is absolutely no way that catching a few druggies could possibly be worth tainting the reputation of a respected security research institution with the suspicion of being just another malware vendor for the feds.
No, but like many things it probably started with the feds saying 'you have to help us catch those evil child abusers hiding on Tor and posting their sick images'. Because who can oppose that? There's also 'Without these powers, the terrorists will attack again!' Because nobody wants to stop the government from getting terrorists. But pretty soon it's 'well, we've got power, why shouldn't we also use it against those evil drug traffickers?' and suddenly, much like PATRIOT act powers, drug cases become the predominant use of new abilities. Back in the day getting the druggies was enough of an excuse on its own to trample the constitution, but now they need to justify their powers with OMG PEDOS! or OMG TERRISTS! and bust 1-2 of them, THEN they can go after the hundreds of drug arrests just dripping with forfeitable assets and pocket-filling cash and dope on the table.
And it's such an effective skeleton key because whatever arguments you possibly make are drowned out by people screaming that you're supporting child abusers and terrorists.
Libertarianism doesn't require faith in that. The mix of people actually enjoying acting out of altruism and the situations where people acting for their own good inherently results in the good of the commons (competition, efficiency improvements) is enough for a lot of things and is quite demonstrable without any faith needed.
Uh, OK, if you say so.
By the way, if you are looking for an investment there is some land in Chile you may be interested in:
http://gawker.com/ayn-rands-capitalist-paradise-is-now-a-greedy-land-grab-1627574870
A man who wants nothing is invincible
So, are you proposing that security researchers who won't take money from the government for white-hat work are the majority, or even a significant faction?
I would propose instead that even the ones who don't really like this will very carefully limit any complaints to hair-splitting details. They certainly won't refer to the government as The Feds, or call service work of identifying online parties based on existing (unrelated) research to be an "exploit." For one thing, calling it an exploit would cause them to lose a lot of professional reputation. For another, selling exploits to the government is a large part of what white-hat security researchers (that's the ones that work in academia, to be sure) do. I mean, that is the top-shelf stuff of what they do that involves having a "career" in the industry instead of just being teachers and summertime contractors. To the extent that their peers look over the fence because of this, it is probably fond gazes, maybe a few extra resumes get mailed or something.
As far as coordinating security improvements goes, the industry is used to working with even black-hats, to the extent that many of the black-hats are good-intentioned security activists who are breaking into stuff to piss people off into securing it. Even when it comes to commercially interested black hats, there is a willingness in the industry to pay them for information, for example. Extremists who view working with the government as being worse than working with criminals... I hate to break it to you, but people in that category are not exactly lining up to participate in coordinated security improvements.
And ultimately, people who care the most about security improvements are sysadmin types who do not care who did what or who coordinated what. CMU's reputation as an institution is what they'll look at to decide if they can trust them to still be around in the future. That's the part they care about; will the improvement be in long-term stable use, or is it an imperfect improvement with a lot of feature thrash or potential abandonment in the future? And it turns out to be "above their pay grade" anyways.
Attacks are attacks from the perspective of the attacker, or else they really suck at it. And you might find causing of harm to be part of the meaning of attack.
You're so busy moralizing and accusing others of it so that you can be on the other side than them that you failed to consider that somebody might simply find value in the correct meaning of words and in communicating honestly from an objective basis instead of just spewing subjectivity from opinion.
And yes, the TOR project is there to give "back doors" to "good guys," assuming you agree that the local oppressive government being unable to locate them to punish them for speech is a "back door." I think that is rather specious, personally. I think it is generally agreed that people engaging in political free speech and trying not to get in trouble for it are "good guys." Even if you think they're bad, you'd have to acknowledge that in general language they will be talked about as being good.
Wishing that the purpose of TOR was privacy, instead of free (political) speech is just technical ignorance. It is historical fact, it is not opinion. Nobody cares if it offends you, certainly not me. But when people are whining about how their fake privacy isn't being respected by people using the tool as it was intended (a tool to expand certain western political values), they're just being loud and lame.
Also, when they talk about this thing being "like" (or falsely using the word "fingerprint of" when they really mean "the technique used by") what CMU did, let's remember that CMU helped bust some pedos. That is who the actual "bad guys" in question are when discussing CMU. And somebody, maybe them or more likely somebody else, then also used the same technique to catch other criminals.