When the Tor team went public with its accusation, it revealed that Carnegie Mellon had been scheduled to present an exploit that could de-anonymize Tor clients en masse at a Black Hat conference. However, the university withdrew its submission and abruptly canceled the presentation. "Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep," the announcement claimed, "and then sift through their data to find people whom they could accuse of crimes." On the same day that statement went out, Motherboard also reported finding a court document, which said a "university-based research institute" helped identify the case's defendant. Whatever the truth is, that security hole can't be exploited anymore, as Tor already patched it after detecting the attack that de-anonymized its users.
Here is the university's full statement:
There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity.
Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.
In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.