
Carnegie Mellon may have ratted out Tor users to the FBI


In a story that may become an acid test for internet privacy, the operators of the Tor network have accused Carnegie Mellon University (CMU) of taking at least $1 million from the FBI to help it bust illegal sites. If the allegations are true, the defendants in question certainly had it coming: they include the drug market Silk Road 2.0 and a child pornographer. However, Tor director Roger Dingledine questions the ethics of the attack itself. "We think it's unlikely they could have gotten a valid warrant ... [since it] appears to have indiscriminately targeted many users at once," he said.

Carnegie Mellon researchers reportedly planned to present the attack at the Black Hat conference last year. The since-deleted talk abstract said that "a persistent adversary ... can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months [for] just under $3,000." The talk was cancelled at the last minute, and the team never shared details of the bugs with the Tor Project so they could be patched, a departure from the coordinated-disclosure norm in the security community.

Researchers were puzzled by the withdrawal at the time, but Dingledine believes law enforcement convinced the university to keep the details private. "We have been told that the [FBI's] payment to CMU was at least $1 million," he said. Several months after the cancellation, federal agents made high-profile busts of Silk Road 2.0 and other large drug markets, saying those were just the tip of the iceberg. (The Tor Project has since patched the vulnerability and promised further hardening in the near term.)

When contacted by Wired, a CMU spokesman said he was "not aware of any payment," and added, "I'd like to see the substantiation for their claim." The university did not issue an outright denial, however. To back up its claims, Tor said it identified Carnegie Mellon servers participating in the attack, and that those servers went offline promptly after it questioned the school.

Dingledine emphasized that he is not against law enforcement going after illegal Tor sites, but rather the manner in which the FBI did it. "The mere veneer of law enforcement investigation cannot justify wholesale invasion of people's privacy," he said. If that sounds familiar, it echoes complaints about the NSA sifting through the private data of millions of people in order to catch a few criminals or terrorists. In this case, though, the fallout could spill over onto legitimate researchers. "If academia uses 'research' as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute," wrote Dingledine.

[Image credit: Bloomberg via Getty Images]
