In November 2014, a far-flung, multi-nation bust, dubbed Operation Onymous, snared 410+ supposedly hidden services running 27 markets, including Silk Road 2.0, stripping away the concealing layers of the Tor anonymizing service to lay identities bare.
Ever since, the keepers of Tor – the Tor Project – have been trying to puzzle out how the FBI pulled aside the curtain on the Tor network, which is designed to mask users’ identity by means of software that routes encrypted browsing traffic through a network of worldwide servers.
Now, the non-profit Tor Project says that the FBI did it by using a technique discovered by Carnegie Mellon University (CMU) researchers, and that the university earned a serious amount of coin in the deal.
In a blog post published Wednesday, Tor Project Director Roger Dingledine said that Tor has been told that CMU received a payment of “at least $1 million.”
He didn’t identify the informant. Nor did he offer further evidence.
But as it is, there’s already a wealth of circumstantial evidence.
In the months before the attack, research from CMU described a way to de-anonymize Bitcoin users that allows for the linkage of user pseudonyms to the IP addresses from which the transactions are generated, even when used on Tor.
In fact, two CMU researchers canceled a Black Hat 2014 talk about how easy they found it to break Tor.
The researchers claimed that it was possible to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” and promised to discuss examples of their own work identifying “suspected child pornographers and drug dealers.”
From the original description, before the university’s lawyers had the talk yanked from the lineup:
There is nothing to prevent you from using your resources to de-anonymize the network's users ... by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so.
Looking for the IP address of a Tor user? No problem. Trying to uncover the location of a hidden service? Done. We know because we tested it, in the wild...
Dingledine thinks that the FBI got to those researchers:
Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes.
The Tor Project managed to discover and shut down the sustained attack in July 2014, subsequently concluding that the attack resembled the technique described by the CMU team.
Last week, another piece of the puzzle slid into place.
It came in a new court filing in the case of Brian Farrell, an alleged Silk Road 2.0 deputy who went by the handle “DoctorClu” and who’s due to stand trial in Seattle later this month.
The filing, first spotted by Motherboard, shows that a university helped the FBI to bust Silk Road 2.0.
From the filing, courtesy of Ars Technica:
On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0.
Dingledine said that there’s been “no indication yet” that the CMU researchers had either a warrant or “any institutional oversight” by Carnegie Mellon’s Institutional Review Board.
In fact, Dingledine said, the Tor Project thinks it unlikely that a valid warrant would have been issued for the attack, given that it wasn’t targeted at criminals or criminal activity.
Rather, the attackers “indiscriminately targeted many users at once,” he said.
As such, the attack not only violated the Tor Project’s trust and its guidelines for ethical research, he said.
It also put innocent users at risk:
We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.
The “outsourcing” of police investigatory work is also a troubling precedent, Dingledine said:
Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social network - If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.
Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, didn’t directly deny the accusations, but he pointed to a lack of evidence when Wired got in touch:
I'd like to see the substantiation for their claim. I'm not aware of any payment.
Image of key courtesy of Shutterstock.com.
Anonymous
So the first question is: Do the ends justify the means? In this case, they probably did, although in other cases there’s no guarantee that they would again. Does it depend who gets caught in the crossfire?
And the second question is: Does this mean that Tor’s anonymity is so fundamentally flawed that it’s simply no longer worth the hassle? After all, if the CMU can do it, there’s no question that the Chinese can do it too, and then what are all the Chinese internet users evading Chinese control going to do?
justiceISfake
how does it even justify it in this case?
Laurence Marks
The article above includes this paragraph “The Tor Project managed to discover and shut down the sustained attack in July 2014, subsequently concluding that the attack resembled the technique described by the CMU team.”
Apparently Tor’s anonymity is not fundamentally flawed as you suggest.
Mark Stockley
I think there’s a tendency for us all to discuss Tor in absolute terms that gets in our way.
We talk about password hashes and encryption in terms of the effort and cost of trying to break them and I think that’s the approach we need to take when considering Tor rather than asking if it’s flawed or not.
It’s not perfect — the design includes compromises and the implementation will include bugs so there will probably always be a way to attack it.
A better assessment would be ‘what does it cost in time and money to expose the flaws?’. In this case it cost in excess of $1m USD to produce a technique that had to run for a number of months to be effective and which is no longer available.
Spryte
Just goes to show the Three Letter Acronyms do not have the talent/expertise to catch “criminals” on their own.
Anonymous
They’ll use a VPN service instead. :)
Disgusted of Cheltenham
Trouble with saying that the ends probably justify the means is that we don’t necessarily know all the ends. We don’t know what journalists are being tortured or what Chinese dissidents are being chained up in a lunatic asylum all because the FBI paid £1million to supposed academics to expose drug dealers and child pornographers.
This is the entire trouble with criminality continually being used as the excuse for indiscriminate mass surveillance and ever more sophisticated means to carry it out, even to the extent of attempting to destroy the last few remaining privacy-enhancing tools people in danger have. And who knows who is in danger, those relatively safe today may become less so in the future.
Bill Sailer
If you want a specialist to investigate a criminal activity, Psychic, CMU or a hacker it does not matter, after you get through the encryption, if you find a crime happening, you find court acceptable evidence of the crime, and the criminal goes away.