Carnegie researchers reportedly planned to present the exploit at a Blackhat conference last year. In a deleted synopsis, it said "a persistent adversary ... can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months [for] just under $3,000." However, the talk was cancelled at the last minute, and the team never gave Tor itself details about the bugs to help it patch them -- normally a no-no in the security community.
Researchers were puzzled by the pullout at the time, but Dingledine thinks law enforcement convinced it to keep the details private. "We have been told that the [FBI's] payment to CMU was at least $1 million," he said. Several months after the cancellation, the feds made several high profile busts on the Silk Road 2.0 and other big drug sites, saying those were just the tip of the iceberg. (The Tor group has since patched the security hole, and promised to further toughen security in the near term.)
When contacted by Wired, a CMU PR spokesman said he's "not aware of any payment," and added "I'd like to see the substantiation for their claim." The university didn't issue an outright denial, however. To back up its claims, Tor said it identified Carnegie Mellon servers during the attack, which promptly disappeared when it questioned the school.
Dingledine emphasized that he's not against law enforcement going after illegal Tor sites, but rather the manner in which the FBI did it. "The mere veneer of law enforcement investigation cannot justify wholesale invasion of people's privacy," he said. If that tune sounds familiar, it's similar to complaints about the NSA sifting through the private data of millions of people in order to catch a few criminals or terrorists. In this case, though, the negative effects could wash off on legitimate researchers. "If academia uses 'research' as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute," wrote Dingledine.
[Image credit: Bloomberg via Getty Images]