
Court Papers Confirm US Government Paid Carnegie Mellon To Hack Tor

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe


US university credibility questioned after court documents show it was paid to hack Tor network

Court documents have confirmed that the US government funded research by Carnegie Mellon University (CMU) in order to hack Tor.

The row began last November when Tor alleged that the FBI had paid “at least $1m (£675,000)” to researchers at Carnegie Mellon University in Pittsburgh. Tor made reference to an attack by the FBI in late 2014 which took down dozens of Tor sites, including the drug-selling website Silk Road 2.

Tor attack

But CMU denied the Tor allegation that the FBI had outsourced a cyber attack in return for cash payment, and pointed to “a number of inaccurate media reports”.

It did admit at the time that its Software Engineering Institute was federally funded in order to research and identify vulnerabilities in software and computing networks.

And now court documents have proved that CMU was actually funded by the US Department of Defence, to try and identify users of the service.

The court documents confirm that two researchers at CMU’s Software Engineering Institute (SEI) were able to hack into Tor to unmask its users. The FBI then subpoenaed some of the resulting information, including the home IP address of a user (Brian Farrell), alleged to be on the staff of Silk Road 2.

Farrell is denying helping run Silk Road 2, which sold drugs via Tor. His trial begins in April.

The court documents actually came to light in the Silk Road 2 court case, and confirmed that Carnegie Mellon was behind the attack, and that the resulting information gained in the attack was accessed by the FBI via subpoena.

But it is unclear at this time exactly how the FBI knew that CMU had successfully hacked into Tor in the first place. For its part Carnegie Mellon is standing behind its statement made in late November, according to the Guardian newspaper.

The university certainly seems to have trodden a fine line as its statement is technically right, but there is little doubt that CMU researchers were paid by the US government to unmask Tor users.

Tor Condemnation

The Tor Project meanwhile has condemned the decision by the US judge in the Silk Road 2 case, and also the role of Carnegie Mellon University in the matter.

“We read with dismay the Western Washington District Court’s Order on Defendant’s Motion to Compel issued on February 23, 2016, in U.S. v. Farrell,” blogged the Tor Project. “The Court held “Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network.” It is clear that the court does not understand how the Tor network works.”

“The entire purpose of the network is to enable users to communicate privately and securely,” said Tor. “The Tor network is secure and has only rarely been compromised. The Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it.”

The Tor network, whilst offering web users anonymity, is also widely used for criminal purposes, such as operating contraband websites. And it is increasingly being used by attackers to hide their identities as they scan for vulnerabilities or carry out attacks.

Last August IBM recommended that system administrators ban access to the network, as it was increasingly used as the point of origin of attacks on public- and private-sector organisations.
