Carnegie Mellon Weakly Denies That It Got Paid To Help FBI Crack Anonymity Tool

Layers of intrigue in The Onion Router

It is easy to forget, in our social age of public profiles and constantly tracked online presence, but there are parts of the internet that still offer obscurity. Tor, an identity-cloaking tool initially funded in part by DARPA and still funded to this day in part by the United States State Department, offers a form of protection for anyone online who wants to stay anonymous, like political dissidents abroad or law-avoiding drug sellers in the United States.

But activity conducted through Tor isn’t entirely untraceable, and there’s increasing evidence that, in exchange for cash, a security research team at Carnegie Mellon turned over information to legal authorities that led to several arrests.

Tor lets people use the internet anonymously by routing data through some of the many nodes in a complex network, obscuring the start point and end point. Built from an idea in the mid-1990s to let government officials securely communicate on civilian internet networks without revealing their location, Tor was one of many tools used by activists during the Arab Spring protests of 2011 to communicate while avoiding government scrutiny. Existing Tor nodes include such innocuous sites as public libraries in New Hampshire and research universities, and the network is supported by many digital rights activists as a tool to protect personal freedoms online.

No system is without flaws, and it’s through one of these that a Brian Richard Farrell was arrested in Seattle and “charged with conspiracy to distribute heroin, methamphetamine and cocaine,” on the online darkweb marketplace known as Silk Road 2.0 How was he found? His legal case is ongoing, and Farrell’s defense pointed to a breach in Tor for the information that revealed his identity. Motherboard reports:

The maintainers of the Tor project knew their network was attacked last year. In a statement published in response to the recent revelations, the Tor project claims such an attack threatens the very civil liberties of the web:

The Tor Project also claims that friends in the security community informed them that the FBI paid Carnegie Mellon $1 million for the attack.

Carnegie Mellon houses CERT, the Computer Emergency Response Team. Decades old, CERT’s stated mission is “improving the security and resilience of computer systems and networks,” and in that work they partner with “government, industry, law enforcement, and academia.” In 2014, CERT reportedly carried an attack on the Tor network that lasted from January 30th to July 4th. (The following sequence of events come from Princeton Director of Princeton’s Center for Information Technology Policy Ed Felten’s timeline of the attack, published on July 31, 2014) The attack strategy including adding 115 new nodes to the network, which likely enabled the owners of those nodes to monitor Tor traffic in an unprecedented way. CERT researchers submitted an abstract on this style of attack and were scheduled to speak at the Black Hat hacker conference that year, before the presentation was canceled on account of the material not being cleared for release by Carnegie Mellon.

At the time, Felten wrote:

On Monday, security researcher Bruce Schneier said the attacks undermine CERT’s role as responsible steward of the internet. He wrote:

Yesterday, Carnegie Mellon released a brief statement on the accusations:

At best, that’s a very tepid denial, focused more on the accusations of payment than on the actions taken by the university itself. At worst, it means the people using Tor to protect their identity, no matter the nature of their activity online, might be putting their faith in a compromised system, and one that reveals more information to law enforcement than it obscures.