Slashdot Mirror


Carnegie Mellon University Attacked Tor, Was Subpoenaed By Feds (vice.com)

AmiMoJo writes: Back in November 2015 it was speculated that Carnegie Mellon University (CMU) helped the FBI attack the TOR network. Now, both the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases: "The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU") [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense ("DOD")," an order filed on Tuesday in the case of Brian Farrell reads. Between January and July 2014, a large number of malicious nodes operated on the Tor network, with the purpose, according to the Tor Project, of deanonymising dark web sites and their users. The attack relied on a set of vulnerabilities in the Tor software—which have since been patched—and according to one source, the technique could unmask new hidden services within two weeks.

56 comments

  1. confused by micahraleigh · · Score: 1, Troll

    Too lazy to read article ... if Carnegie Mellon helped the feds, why are the feds suing them?

    1. Re:confused by Drethon · · Score: 1

      A subpoena is not a lawsuit. "subpoena duces tecum orders a person or organization to bring physical evidence before the ordering authority or face punishment. This is often used for requests to mail copies of documents to the requesting party or directly to court." https://en.wikipedia.org/wiki/...

    2. Re:confused by OffTheLip · · Score: 1

      State supported, or is it state sponsored, institutions I suppose is the leverage the feds have.

    3. Re:confused by pesho · · Score: 4, Interesting

      Feds are not suing CMU. Here is the TLDR summary:

      CMU was carrying out a Department of Defense (DoD) funded study on TOR. FBI got wind of what data CMU may have gathered (not sure how) and issued a subpoena for the data. Pursuant to the subpoena CMU handed over the data which contained among other things the IP address of a drug dealing suspect the FBI was interested in.

    4. Re:confused by Anonymous Coward · · Score: 0

      CMU is a private university. It's the SEI that took DoD money.

    5. Re:confused by Bugler412 · · Score: 2

      SEI is a federal research facility, much like Livermore and others, operated under contract by CMU. It isn't "owned" by CMU.

    6. Re:confused by Anonymous Coward · · Score: 0

      > (not sure how)

      Oh, you're so cute.

    7. Re: confused by Anonymous Coward · · Score: 0

      Right. If it had been the university, they would have attacked Thor.

    8. Re:confused by Anonymous Coward · · Score: 0

      Really? So they got the judge to issue a subpoena based on "getting wind of" something? I didn't realize "getting wind" of something is sufficient to establish probable cause for a search warrant.

      This is equivalent to the FBI searching houses without the owner's permission and, when they find something illegal, they subpoena the courts to find out who lives in the house. The homeowner complains and the response is: Why would you have any expectation of privacy in your own home when the street address is clearly printed on the curb?

      The issue isn't that they were able to get a warrant for the IP. The issue is they had already gathered evidence unlawfully before the warrant was issued. The FBI is going to have to drop this case because they'll never be able to satisfy discovery without embarrassing themselves.

    9. Re:confused by KGIII · · Score: 1

      A subpoena is not a warrant. That's not a difference without distinction. From a subpoena they may get a warrant.

      I do not know the facts in this case. However, they are two very different legal concepts. I offer no other opinion at this time.

      --
      "So long and thanks for all the fish."
  2. The Future by SuperKendall · · Score: 1

    In the future, all universities will be compelled to write TOR (or Twitter, or whatever) attacking software and then give it to the FBI.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The Future by gstoddart · · Score: 2

      In the future, anything any academic institution or corporation does which is remotely of interest to the FBI and the rest of law enforcement must be surrendered to the FBI.

      Those wishing to join the inquisitorial squad for extra credit report to the headmistress' office. Those not wishing to join the inquisitorial squad will be required to submit to questioning.

      Congratulations, America, you almost have your own Stasi. You should be proud. Keep defending those freedoms kids, your government needs you.

      Only a few years, and children will be turning in their parents for sedition.

      --
      Lost at C:>. Found at C.
    2. Re:The Future by Anonymous Coward · · Score: 0

      > In the future, anything any academic institution or corporation does which is remotely of interest to the FBI and the rest of law enforcement must be surrendered to the FBI.
      >
      > Those wishing to join the inquisitorial squad for extra credit report to the headmistress' office. Those not wishing to join the inquisitorial squad will be required to submit to questioning.
      >
      > Congratulations, America, you almost have your own Stasi. You should be proud. Keep defending those freedoms kids, your government needs you.
      >
      > Only a few years, and children will be turning in their parents for sedition.

      We're gonna party like it's 1984! Oh, wait...

    3. Re:The Future by Anonymous Coward · · Score: 0

      > Those wishing to join the inquisitorial squad for extra credit report to the headmistress' office. Those not wishing to join the inquisitorial squad will be required to submit to questioning.

      I'm required to submit to much more than questioning when I report to MY headmistress' office. CBT anyone?

    4. Re:The Future by tnk1 · · Score: 1

      Researching Tor is a legitimate course of study. Since the goal of the system is security, breaking that security is a good idea, if only to understand how it can be done and patched. This sort of research is not automatic collaboration with the FBI.

      Obviously, a subpoena for this information seems to be more of an issue of opportunity; it would be rather haphazard unless the FBI was following that research. I imagine that researchers could find an ethical way to destroy this data before publishing or something, I can't imagine they would have any legal requirement to hold on to it, unlike corporations with contracts and specific legal regulation.

      This should be a minor irritant unless someone writes a law requiring security researchers to cooperate with law enforcement by storing data for their review. And I don't see that happening. But if it did, that would be a concrete step towards the security state.

    5. Re:The Future by Anonymous Coward · · Score: 0

      > Obviously, a subpoena for this information seems to be more of an issue of opportunity; it would be rather haphazard unless the FBI was following that research.

      Quite an opportunity indeed. How did the FBI know this research was available to subpoena in the first place? Was it announced in public prior to the subpoena?

    6. Re:The Future by rtb61 · · Score: 1

      You cannot do research by attacking a public legal network without their permission, that is a crime under the bulk of countries' computer abuses act and is subject to an extended custodial sentence. Quite simply, those involved should be charged under the computer abuses act, be fined and given the appropriate custodial sentence, that is the law.

      --
      Chaos - everything, everywhere, everywhen
    7. Re:The Future by KGIII · · Score: 1

      Not positive but I believe the legal term is "Royally Fucked and Fucked Hard" if you destroy data after it has been subpoenaed. You can fight a subpoena. Destroying that data, or refusing to submit it after a "fair hearing,"* you are going to pound-me-in-the-ass prison. You are in SERIOUS trouble for not submitting all data if the subpoena is challenged and the challenge is overturned.

      I'm not sure there's an "ethical" way to destroy the data.* I really don't have an answer.

      * That's assuming a fair hearing and adherence to the law.

      --
      "So long and thanks for all the fish."
    8. Re:The Future by Anonymous Coward · · Score: 0

      > In the future, anything any academic institution [...] must be surrendered to the FBI.

      Yah, but not before Monsanto and the RIAA had their grubby fingers in it.

  3. Of course... by wbr1 · · Score: 1

    They denied it before: http://yro.slashdot.org/story/...

    But it looks like they denied the FBI paid them... of course since DOD paid them it's all a-okay.

    --
    Silence is a state of mime.
    1. Re:Of course... by GameboyRMH · · Score: 2

      They also denied that they were paid any money from the government for Tor research, which was just a lie:

      In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  4. meh by zlives · · Score: 5, Funny

    It's not like the universities helped nuke a country or something....

    1. Re:meh by Anonymous Coward · · Score: 0

      Replying to undo accidental downmod.

    2. Re:meh by Anonymous Coward · · Score: 0

      > Replying to undo accidental downmod.

      That only works if you're logged in for the comment as well.

  5. The university could also do it just because by jfdavis668 · · Score: 0

    If a university wants to break into TOR, it's perfectly legal. There are probably lots of people doing the same thing today for whatever reason they want to.

    1. Re:The university could also do it just because by ArchieBunker · · Score: 0

      There is no "breaking into" TOR. They ran enough fake exit nodes to deduce the path of traffic. But I do suppose that really putting TOR to the test is a good thing.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:The university could also do it just because by tnk1 · · Score: 2

      Yes, testing TOR to its limit is like trying to break encryption and finding a better method using that information. If you get to the point that you are unable to break it, it becomes much more valuable.

      The problem is, until you find the fully secure solution, they are effectively working on a method that will break your crypto or find your hidden service. That will cause immediate security concerns.

    3. Re:The university could also do it just because by TheCarp · · Score: 1

      This is true, but I think this case clearly brings up that there was severe ethical oversight.

      The end result of de-anonymized traffic is, by its very nature, a danger to the person de-anonymized.

      It is one thing for researchers to prove that they can de-anonymize users, but, in doing so, they take on the responsibility of protecting that information. It is highly irresponsible for them to have stored any of those results in a form which could be correlated to specific sites.

      In the future, I hope all such research will be more strictly aimed at proving concepts and will take steps to protect the data which they do de-anonymize.

      --
      "I opened my eyes, and everything went dark again"
    4. Re:The university could also do it just because by Anonymous Coward · · Score: 1

      I'm not a lawyer and I'm not very familiar with the CFAA, but this seems like exactly the sort of thing that would be, and should be, illegal under that act.

      Unfortunately, the only victims we know about are people who are facing criminal charges themselves, and even if there were a way to know how many other victims there were, those people are (almost by definition) unlikely to want to stand up and draw attention to themselves.

  6. Maybe Tor is just a giant honeypot. by Anonymous Coward · · Score: 0

    Seems like it's working fairly well.

  7. Fearmongering by mshieh · · Score: 1

    "attacked"

    Do people not understand the concept of security research? What would you prefer they do, wait for someone else to discover vulnerabilities and not notify tor?

    1. Re:Fearmongering by buck-yar · · Score: 2

      So the DOD is having Carnegie attack TOR to improve its security?

      And the community will be notified of found vulnerabilities, right?

    2. Re:Fearmongering by Anonymous Coward · · Score: 1

      > So the DOD is having Carnegie attack TOR to improve its security?
      >
      > And the community will be notified of found vulnerabilities, right?

      The DOD is the Tor community.

      The felon usage of Tor is a recent event, incidental beneficiaries of the technology. This does put Tor at odds with FBI and local police some of the time, but the existence of a useful Tor network is generally seen as more important than catching every single druggy who uses it.

    3. Re:Fearmongering by Anonymous Coward · · Score: 0

      Do you even know if CMU did or did not publish what they found, which could then be used to improve TOR?

    4. Re:Fearmongering by Anonymous Coward · · Score: 0

      Security Research? I didn't realize it was ethical to do security research by hacking real people in the wild in exchange for money. If they were getting paid by anyone other than the US government this would be a crime.

    5. Re:Fearmongering by Anonymous Coward · · Score: 0

      > Do people not understand the concept of security research? What would you prefer they do, wait for someone else to discover vulnerabilities and not notify tor?

      Not sure what you're trying to say here. The people at CMU who performed this attack

      (a) attacked the live Tor network, i.e. performed their so-called "research" on real human beings without their consent, without appropriate minimization procedures, and consequently caused some very real harm to some of those people;

      (b) did not at the time, and have not since, informed the Tor developers of the vulnerability.

      The "concept of security research", as you put it, is that you do it in an ethical way - you *avoid* collecting data from human subjects if you can; if you can't do that, you either get *informed consent* from those subjects, or *anonymize* the collected data, or both; and you *disclose* the results of your research in a way that allows the developers to fix the issue while minimizing the potential harm to users. The people responsible for this attack did none of those things.

    6. Re:Fearmongering by Anonymous Coward · · Score: 0

      They have not. The bug was independently discovered by the Tor developers observing the abnormal behavior of the attacking nodes.

    7. Re:Fearmongering by KGIII · · Score: 1

      You seem to know what you're talking about. Let me pick your brain?

      If I understand this, they didn't really attack it. What they did was simply add more exit nodes and then observe the traffic. Is that correct?

      If that is correct, why are we calling it attacking instead of spying, monitoring, or otherwise? Then, as it was their equipment, their exit nodes, their physical property - is the monitoring (in and of itself) illegal?

      I'd argue that it is immoral but even my web sites have logs. If you're accessing my hardware, I have every right to monitor, observe, or whatever. Is that also correct? It might be immoral to take it to a certain level, is this a level too far?

      I would argue on your side that I agree, the data should have been anonymized from the very beginning. If they're going to be collecting this data, the data should have been anonymized from the start. If you collect it or store it in a non-anonymous form then it can be subject to a subpoena which we're seeing here.

      Given the nature of Tor, I'd have liked them to take greater precautions with this. It's disappointing that they did not. However, I'm not sure that they really attacked anything and I'm not sure that they did anything illegal. (You're not claiming illegality but others are.)

      What am I missing?

      --
      "So long and thanks for all the fish."
  8. The old saying by ThatsNotPudding · · Score: 4, Insightful

    All it takes for evil to flourish, is for good men to do nothing - or in the case of Carnegie Mellon - meekly follow orders.

    I used to think that in the coming decade, the most precious commodity would be potable water.

    Now I realize it will instead be true privacy, afforded to only the rich and powerful on our planet, that is soon to become the ultimate Panopticon.

    1. Re:The old saying by Megol · · Score: 0

      What? If you want to live in an anarchy move to Somalia (some parts of it), if not then why is following the law of the country a problem? ...

    2. Re:The old saying by Anonymous Coward · · Score: 1

      Following the law is a problem when doing so makes you extremely vulnerable to criminals, as well as to the whims of corrupt politicians.

      Also, though it takes more intellectual effort to see, following the law winds up keeping the poor class poor, and ensuring that the lion's share of all wealth continues to flow upwards into the pockets of an ever-smaller group of elites.

      The typical thoughtless answer is "change the law...we are a democracy, right?" No, at least not America. Though ostensibly a constitutional republic (not a democracy even technically), we function as an oligarchy. It makes the changing of the law in such a way to ensure justice for the lower classes an extremely difficult (and sometimes impossible) uphill battle.

    3. Re:The old saying by Anonymous Coward · · Score: 0

      "The typical thoughtless answer is "change the law...we are a democracy, right?" No, at least not America. Though ostensibly a constitutional republic (not a democracy even technically), we function as an oligarchy. It makes the changing of the law in such a way to ensure justice for the lower classes an extremely difficult (and sometimes impossible) uphill battle."

      Holy hyperbole Batman!

    4. Re:The old saying by Anonymous Coward · · Score: 0

      Nice strawman. Geez.

      Since you're clearly not that bright: First, he/she/it said nothing about anarchy. Second, is any law passed by any sort of government anywhere, automatically legitimate? Is there no law you would consider so unjust that you would break it rather than follow it? Better give it some thought, 'cause we're in for an interesting few years ahead.

    5. Re:The old saying by KGIII · · Score: 1

      While I tend to agree, within reason, there's a problem with that. There are unjust laws but that's too deep for you and I to get into today.

      So, here's the important part and it's the simple part. We can go deeper than this if you want...

      You do not know the laws. Chances are, you're breaking at least one law right now. You might not think so but you are. You are a criminal, you're just not convicted yet. Nobody knows all the laws. Some of them are even felonies. (The bullshit about a felony a day is just that, bullshit. No need for hyperbole here.)

      Right now, you're guilty of some offense and with selective enforcement you need only offend someone enough for them to prosecute you. That this has not happened to you does not mean it will not happen to you and once you get their attention they will have their hooks in you for the rest of your life. This is not a slippery slope argument, this is a legitimate concern.

      Specifically, with Tor, you can compound this with things like "parallel construction." I encourage you, if you're unfamiliar, to Google these terms. This *is* a real risk and there may come a time when you are the target and the target is not some drug dealing terrorist. You might be okay with the current administration, I encourage you to take a closer look at the current candidates. Keep in mind that they'll be setting policy and have access to these same tools starting next January.

      I implore you to think carefully about this subject. If you've thought this through and reasoned your way to that sort of flippant response then I'm not going to be able to reason with you. I'm not the spittle flecked zealot, I'm the rational guy and I take a ration of shit for it sometimes. If you need help understanding why this is a problem, I'll help you with that. Someone will...

      The ability to be monitored in all that you do has no good end. There is no way, no way at all, that it can end up well. Literally... There is no conceivable benefit, in the long-term, to being unable to communicate without being monitored. That path leads to oppression and it always has.

      I really want to engage in some hyperbole but I'm afraid that would ruin my chance to help you understand why this is a problem. Do some reading of history, do some reasoning, and start to think about what unchecked power does. And, yes... Information is power. Being unable to communicate without interception and monitoring is a very basic requirement for a healthy society - even if it goes unused or even if it is used for bad things. Freedom means that bad things happen to otherwise good people. This is an acceptable risk.

      There's a huge swath between this and a lawless society with zero governance. The excluded middle has many shades of gray.

      --
      "So long and thanks for all the fish."
  9. No More Secrets by TigerPlish · · Score: 1

    I think it's plain, now.. no one should have any secrets. Not you, not me, not your lover, not my friend, not the government nor industry nor banking nor religion.

    We should be able to know every thought each and every one of us has, as soon as we have it. Something like a mandatory cleartext Facetwat for the masses. Something as communistic as a Borg collective. Ooh wouldn't that rankle the US Government!

    Heh.

    There's no way in hell a secret-less society could even begin to function.

    --
    The "Civilized World" jumped the shark ca. 1973.
    1. Re:No More Secrets by Anonymous Coward · · Score: 0

      I wonder how many of your neurons keep secrets from the other neurons.

    2. Re:No More Secrets by TigerPlish · · Score: 0

      None, I hear all the voices, all the time as I twitch merrily down the road! Whhhoooeeeee!

      --
      The "Civilized World" jumped the shark ca. 1973.
  10. Lazlo Hollyfeld: Did you wanna borrow my pajamas? by Anonymous Coward · · Score: 0

    nt

  11. This is why by Anonymous Coward · · Score: 0

    In my country the university has immunity. Police are not allowed to enter it without approval.

    1. Re:This is why by Anonymous Coward · · Score: 0

      This will change, however. Just wait and see.

  12. So... by Anonymous Coward · · Score: 0

    Carnegie Mellon U are scum. Gotcha.

  13. Think of the Children! by Anonymous Coward · · Score: 0

    They just need to demand Samsung send them their Smart TV data and they'll be able to catch thousands of cases of domestic abuse, child neglect, and conspiracies to avoid speed traps.

    Samsung has the data and is doing nothing to help the children!

  14. Ignore it by Anonymous Coward · · Score: 0

    What are they going to do, force you?

    Tell them if they value their life, good luck.

    -- internet tough guy

  15. Judge's rulings are scary as hell for privacy by Anonymous Coward · · Score: 0

    Essentially the judge said that the case can proceed because of the fact that you can't get 100% secure bug free software and are trusting random people. There is 'no expectation of privacy' were the words the prosecution/judge(s) have used. This is nonsense. While you do need to be wary of such things the prosecutor's wording is in excess stating that users are "taking a significant gamble". All because the project warns users of the risk and possibility of exposure in a worst-case scenario. Of course they conveniently leave out worst-case scenario and I'm not even entirely sure that the Tor project isn't to blame here for failing to include alongside these warnings a statement indicating that the solution is still as private as is possible by the state of the art in anonymity technology. However for someone who has thoroughly examined the Tor site like a prosecutor it is quite clear that this is the case as the Tor project does clearly state it's as good as it can get currently for a low latency network. That leads me to wonder if adding a party that received payment somewhere in the chain would result in added legal protection. Because that seems to be what they're suggesting. You can only have an expectation of privacy if you're not relying on volunteers and dependent on a party that is paid to be or legally required to protect your privacy. It might also be sufficient to have added a terms of use to the Tor network (?) which prohibited exploitation to thwart these types of arguments.