Carnegie Mellon University Attacked Tor, Was Subpoenaed By Feds (vice.com)

← Back to Stories (view on slashdot.org)

Carnegie Mellon University Attacked Tor, Was Subpoenaed By Feds (vice.com)

Posted by timothy on Thursday February 25, 2016 @05:38AM from the is-the-state-your-friend? dept.

AmiMoJo writes: Back in November 2015 it was speculated that Carnegie Mellon University (CMU) helped the FBI attack the TOR network. Now, both the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases: "The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU") [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense ("DOD")," an order filed on Tuesday in the case of Brian Farrell reads. Between January and July 2014, a large number of malicious nodes operated on the Tor network, with the purpose, according to the Tor Project, of deanonymising dark web sites and their users. The attack relied on a set of vulnerabilities in the Tor software—which have since been patched—and according to one source, the technique could unmask new hidden services within two weeks.

25 of 56 comments (clear)

Min score:

Reason:

Sort:

confused by micahraleigh · 2016-02-25 05:50 · Score: 1, Troll

Too lazy to read article ... if Carnegie Melon helped the feds, why are the feds suing them?
1. Re:confused by Drethon · 2016-02-25 05:55 · Score: 1
  
  A Subpoena is not a law suit. "subpoena duces tecum orders a person or organization to bring physical evidence before the ordering authority or face punishment. This is often used for requests to mail copies of documents to the requesting party or directly to court." https://en.wikipedia.org/wiki/...
2. Re:confused by OffTheLip · 2016-02-25 05:56 · Score: 1
  
  State supported, or is it state sponsored, institutions I suppose is the leverage the feds have.
3. Re:confused by pesho · 2016-02-25 06:04 · Score: 4, Interesting
  
  Feds are not suing CMU. Here is the TLDR summary:
  CMU was carrying out department of defense (DoD) funded study on TOR. FBI got wind of what data CMU may have gathered (not sure how) and issued subpoena for the data. Pursuant to the subpoena CMU handed over the data which contained among other things the IP address of a drug dealing suspect the FBI was interested in.
4. Re:confused by Bugler412 · 2016-02-25 07:10 · Score: 2
  
  SEI is a federal research facility, much like Livermore and others, operated under contract by CMU. It isn't "owned" by CMU.
5. Re:confused by KGIII · 2016-02-25 16:48 · Score: 1
  
  A subpoena is not a warrant. That's not a difference without distinction. From a subpoena they may get a warrant.
  I do not know the facts in this case. However, they are two very different legal concepts. I offer no other opinion at this time.
  
  --
  "So long and thanks for all the fish."
The Future by SuperKendall · 2016-02-25 05:51 · Score: 1

In the future, all universities will be compelled to write TOR (or Twitter, or whatever) attacking software and then give it to the FBI.

--
"There is more worth loving than we have strength to love." - Brian Jay Stanley
1. Re:The Future by gstoddart · 2016-02-25 06:04 · Score: 2
  
  In the future, anything any academic institution or corporation does which is remotely of interest to the FBI and the rest of law enforcement must be surrendered to the FBI.
  Those wishing to join the inquisitorial squad for extra credit report to the headmistress' office. Those not wishing to join the inquisitorial squad will be required to submit to questioning.
  Congratulations, America, you almost have your own Stasi. You should be proud. Keep defending those freedoms kids, your government needs you.
  Only a few years, and children will be turning in their parents for sedition.
  
  --
  Lost at C:>. Found at C.
2. Re:The Future by tnk1 · 2016-02-25 07:23 · Score: 1
  
  Researching Tor is a legitimate course of study. Since the goal of the system is security, breaking that security is a good idea, if only to understand how it can be done and patched. This sort of research is not automatic collaboration with the FBI.
  Obviously, a subpoena for this information seems to be more of an issue of opportunity; it would be rather haphazard unless the FBI was following that research. I imagine that researchers could find an ethical way to destroy this data before publishing or something, I can't imagine they would have any legal requirement to hold on to it, unlike corporations with contracts and specific legal regulation.
  This should be a minor irritant unless someone writes a law requiring security researchers to cooperate with law enforcement by storing data for their review. And I don't see that happening. But if it did, that would be a concrete step towards the security state.
3. Re:The Future by rtb61 · 2016-02-25 12:01 · Score: 1
  
  You can not do research by attacking a public legal network without their permission, that is a crime under the bulk of countries computer abuses act and is subject to an extended custodial sentence. Quite simple those involved should be charged under the computer abuses act, be fined and given the appropriate custodial sentence, that is the law.
  
  --
  Chaos - everything, everywhere, everywhen
4. Re:The Future by KGIII · 2016-02-25 16:58 · Score: 1
  
  Not positive but I believe the legal term is "Royally Fucked and Fucked Hard" if you destroy data after it has been subpoenaed. You can fight a subpoena. Destroying that data, or refusing to submit it after a "fair hearing,"* you are going to pound-me-in-the-ass prison. You are in SERIOUS trouble for not submitting all data if the subpoena is challenged and the challenge is overturned.
  I'm not sure there's an "ethical" way to destroy the data.* I really don't have an answer.
  * That's assuming a fair hearing and adherence to the law.
  
  --
  "So long and thanks for all the fish."
Of course... by wbr1 · 2016-02-25 05:58 · Score: 1

They denied it before: http://yro.slashdot.org/story/...
But it looks like they denied the FBI paid them.. of course since DOD paid them it all a-okay.

--
Silence is a state of mime.
1. Re:Of course... by GameboyRMH · 2016-02-25 06:57 · Score: 2
  
  They also denied that they were paid any money from the government for Tor research, which was just a lie:
  
  In a terse statement Wednesday, Carnegie Mellon wrote that its Software Engineering Institute hadn’t received any direct payment for its Tor research from the FBI or any other government funder.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
meh by zlives · 2016-02-25 05:59 · Score: 5, Funny

its not like the universities helped nuke a country or something....
Fearmongering by mshieh · 2016-02-25 06:22 · Score: 1

"attacked"
Do people not understand the concept of security research? What would you prefer they do, wait for someone else to discover vulnerabilities and not notify tor?
1. Re:Fearmongering by buck-yar · 2016-02-25 06:46 · Score: 2
  
  So the DOD is having Carnegie attack TOR to improve its security?
  And the community will be notified of found vulnerabilities, right?
2. Re:Fearmongering by Anonymous Coward · 2016-02-25 07:01 · Score: 1
  
  So the DOD is having Carnegie attack TOR to improve its security?
  And the community will be notified of found vulnerabilities, right?
  The DOD is the Tor community.
  The felon usage of Tor is a recent event, incidental beneficiaries of the technology. This does put Tor at odds with FBI and local police some of the time, but the existence of a useful Tor network is generally seen as more important than catching every single druggy who uses it.
3. Re:Fearmongering by KGIII · 2016-02-25 17:46 · Score: 1
  
  You seem to know what you're talking about. Let me pick your brain?
  If I understand this, they didn't really attack it. What they did was simply add more exit nodes and then observe the traffic. Is that correct?
  If that is correct, why are we calling it attacking instead of spying, monitoring, or otherwise? Then, as it was their equipment, their exit nodes, their physical property - is the monitoring (in and of itself) illegal?
  I'd argue that it is immoral but even my web sites have logs. If you're accessing my hardware, I have every right to monitor, observe, or whatever. Is that also correct? It might be immoral to take it to a certain level, is this a level too far?
  I would argue on your side that I agree, the data should have been anonymized from the very beginning. If they're going to be collecting this data, the data should have been anonymized from the start. If you collect it or store it in a non-anonymous form then it can be subject to a subpoena which we're seeing here.
  Given the nature of Tor, I'd have liked them to take greater precautions with this. It's disappointing that they did not. However, I'm not sure that they really attacked anything and I'm not sure that they did anything illegal. (You're not claiming illegality but others are.)
  What am I missing?
  
  --
  "So long and thanks for all the fish."
The old saying by ThatsNotPudding · 2016-02-25 06:27 · Score: 4, Insightful

All it takes for evil to flourish, is for good men to do nothing - or in the case Carnegie Mellon - meekly follow orders.

I used to think that in the coming decade, the most precious commodity would be potable water.

Now I realize it will instead be true privacy, afforded to only the rich and powerful on our planet, that is soon to become the ultimate Panopticon.
1. Re:The old saying by Anonymous Coward · 2016-02-25 07:07 · Score: 1
  
  Following the law is a problem when doing so makes you extremely vulnerable to criminals, as well as to the whims of corrupt politicians.
  Also, though it takes more intellectual effort to see, following the law winds up keeping the poor class poor, and ensuring that the lions share of all wealth continues to flow upwards into the pockets of an ever-smaller group of elites.
  The typical thoughtless answer is "change the law...we are a democracy, right?" No, at least not America. Though ostensibly a constitutional republic (not a democracy even technically), we function as an oligarchy. It makes the changing of the law in such a way to ensure justice for the lower classes an extremely difficult (and sometimes impossible) uphill battle.
2. Re:The old saying by KGIII · 2016-02-25 18:08 · Score: 1
  
  While I tend to agree, within reason, there's a problem with that. There unjust laws but that's too deep for you and I to get into today.
  So, here's the important part and it's the simple part. We can go deeper than this if you want...
  You do not know the laws. Chances are, you're breaking at least one law right now. You might not think so but you are. You are a criminal, you're just not convicted yet. Nobody knows all the laws. Some of them are even felonies. (The bullshit about a felony a day is just that, bullshit. No need for hyperbole here.)
  Right now, you're guilt of some offense and with selective enforcement you need only offend someone enough for them to prosecute you. That this has not happened to you does not mean it will not happen to you and once you get their attention they will have their hooks in you for the rest of your life. This is not a slippery slope argument, this is a legitimate concern.
  Specifically, with Tor, you can compound this with things like "parallel construction." I encourage you, if you're unfamiliar, to Google these terms. This *is* a real risk and there may come a time when you are the target and the target is not some drug dealing terrorist. You might be okay with the current administration, I encourage you to take a closer look at the current candidates. Keep in mind that they'll be setting policy and have access to these same tools starting next January.
  I implore you to think carefully about this subject. If you've thought this through and reasoned your way to that sort of flippant response then I'm not going to be able to reason with you. I'm not the spittle flecked zealot, I'm the rational guy and I take a ration of shit for it sometimes. If you need help understanding why this is a problem, I'll help you with that. Someone will...
  The ability to be monitored in all that you do has no good end. There is no way, no way at all, that it can end up well. Literally... There is no conceivable benefit, in the long-term, to being unable to communicate without being monitored. That path leads to oppression and it always has.
  I really want to engage in some hyperbole but I'm afraid that would ruin my chance to help you understand why this is a problem. Do some reading of history, do some reasoning, and start to think about what unchecked power does. And, yes... Information is power. Being unable to communicate without interception and monitoring is a very basic requirement for a healthy society - even if it goes unused or even if it is used for bad things. Freedom means that bad things happen to otherwise good people. This is an acceptable risk.
  There's a huge swath between this and a lawless society with zero governance. The excluded middle has many shades of gray.
  
  --
  "So long and thanks for all the fish."
No More Secrets by TigerPlish · 2016-02-25 06:39 · Score: 1

I think it's plain, now.. no one should have any secrets. Not you, not me, not your lover, not my friend, not the government nor industry nor banking nor religion.
We should be able to know every thought each and every one of us have, as soon as we have it. Something like a mandatory cleartext Facetwat for the massess. Something as communistic as a Borg collective. Ooh wouldn't that rankle the US Government!
Heh.
There's no way in hell a secret-less society could even begin to function.

--
The "Civilized World" jumped the shark ca. 1973.
Re:The university could also do it just because by tnk1 · 2016-02-25 07:29 · Score: 2

Yes, testing TOR to its limit is like trying to break encryption and finding a better method using that information. If you get to the point that you are unable to break it, it becomes much more valuable.
The problem is, until you find the fully secure solution, they are effectively working on a method that will break your crypto or find your hidden service. That will cause immediate security concerns.
Re:The university could also do it just because by TheCarp · 2016-02-25 11:19 · Score: 1

This is true, but I think this case clearly brings up that there was sever ethical oversight.
The end result of de-anonymized traffic is, by its very nature, a danger to the person de-anonymized.
It is one thing for researchers to prove that they can de-anonymize users, but, in doing so, they take on the responsibility of protecting that information. It is highly irresponsible for them to have stored any of those results in a form which could be correlated to specific sites.
In the future, I hope all such research will be more strictly aimed at proving concepts and will take steps to protect the data which they do de-anonymize.

--
"I opened my eyes, and everything went dark again"
Re:The university could also do it just because by Anonymous Coward · 2016-02-25 15:34 · Score: 1

I'm not a lawyer and I'm not very familiar with the CFAA, but this seems like exactly the sort of thing that would be, and should be, illegal under that act.
Unfortunately, the only victims we know about are people who are facing criminal charges themselves, and even if there were a way to know how many other victims there were, those people are (almost by definition) unlikely to want to stand up and draw attention to themselves.