Did the FBI pay Carnegie Mellon $1 million to identify and attack Tor users?


Documents published by Vice News: Motherboard and further reporting by Wired News suggest that a team of researchers from Carnegie Mellon University who canceled their scheduled 2015 BlackHat talk identified Tor hidden servers and visitors, and turned that data over to the FBI.

No matter who the researchers and which institution, it sounds like a serious ethical breach.

First, from VICE, a report which didn't name CMU but revealed that a U.S. University helped the FBI bust Silk Road 2, and suspects in child pornography cases:

An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

Here's a screenshot of the relevant portion of one of the court Documents that Motherboard/Vice News published:

Later today, a followup from Wired about discussion that points the finger directly at CMU:

The Tor Project on Wednesday afternoon sent WIRED a statement from its director Roger Dingledine directly accusing Carnegie Mellon of providing its Tor-breaking research in secret to the FBI in exchange for a payment of “at least $1 million.” And while Carnegie Mellon’s attack had been rumored to have been used in takedowns of dark web drug markets that used Tor’s “hidden service” features to obscure their servers and administrators, Dingledine writes that the researchers’ dragnet was larger, affecting innocent users, too.

Read the rest

Library offers Tor nodes; DHS tells them to stop

John writes, "After a library created a Tor node on its network, the DHS and local police contacted them to ask them to stop. For now they have; their Board of Trustees will vote soon on whether to renew the service." Read the rest

What happened when we got subpoenaed over our Tor exit node

We've run a Tor exit-node for years. In June, we got the nightmare Tor operator scenario: a federal subpoena (don't worry, it ended surprisingly well!)

NZ's anti-troll law: gift to trolls, bad for free speech

If you set out to create the platonic ideal of a badly considered anti-trolling bill that made a bunch of ineffectual gestures at ending harassment without regard to the collateral damage on everything else on the Internet, well, you'd be New Zealand's Parliament, apparently. Read the rest

Crypto-Santa: use onion routing to anonymize gifts at your Xmas party

Dmytri writes, "Add a crypto wrinkle to your Kris Kringle! Make your Secret Santa even more secret with the magic of Onion Wrapping!" Read the rest

Tor Project declares solidarity with harassed colleague

Roger Dingledine from the Tor Project writes, "One of our colleagues has been the target of a sustained campaign of harassment for the past several months. We have decided to publish this statement to publicly declare our support for her, for every member of our organization, and for every member of our community who experiences this harassment. Read the rest

Serial offenders plague Twitter

Glenn Fleishman reports on how the platform could fix its harassment problem.

Comcast blocks Tor (updated)

"Users who try to use anonymity, or cover themselves up on the internet, are usually doing things that aren’t so-to-speak legal; we have the right to terminate, fine, or suspend your account at anytime due to you violating the rules -- Do you have any other questions? Thank you for contacting Comcast." Read the rest

Honorable spies anonymously leak NSA/GHCQ-discovered flaws in Tor

Andrew Lewman, head of operations for The Onion Router (TOR), an anonymity and privacy tool that is particularly loathed by the spy agencies' capos, credits Tor's anonymous bug-reporting system for giving spies a safe way to report bugs in Tor that would otherwise be weaponized to attack Tor's users. Read the rest

Seven things you should know about Tor

Tor (The Onion Router) is a military-grade, secure tool for increasing the privacy and anonymity of your communications; but it's been the subject of plenty of fear, uncertainty and doubt.

The Electronic Frontier Foundation's 7 Things You Should Know About Tor debunks some of the most common myths about the service (which even the NSA can't break) and raises some important points about Tor's limitations.

7 Things You Should Know About Tor [Cooper Quintin/EFF] Read the rest

Open Wireless Movement's router OS will let you securely share your Internet with the world

Open Wireless Movement, a joint project of the Electronic Frontier Foundation, Fight for the Future, Mozilla, Free Press and others, will reveal its sharing-friendly wifi router firmware at the HOPE X conference in NYC next month. The openwireless operating system allows you to portion out some of your bandwidth to share freely with your neighbors and passersby, while providing a high degree of security and privacy for your own communications.

The Open Wireless Movement's goals are to both encourage the neighborliness that you get from sharing in your community, and undermining the idea that an IP address can be used to identify a person, establishing a global system of anonymous Internet connectivity. The project includes an excellent FAQ on the myths and facts about your legal liability for things that other people do with your network. Read the rest

Piratebox 1.0: anonymous, go-anywhere wireless file-sharing

Piratebox, a great project for making standalone wireless fileservers, has gone 1.0. The 1.0 has a slick 4chan-style message board, a responsive UI, and does UPnP discovery for your file-sharing needs. Combined with cheap wireless gear and a little battery, it's a perfect file-sharing boxlet that you can take anywhere in order to share anything -- for example, buskers could use it to distribute copies of their music to watchers. Piratebox is the technology that underlies Librarybox, a fork that is specialized for use by libraries and archives. Read the rest

Tor: network security for domestic abuse survivors

Michael from Beta Boston writes, "The privacy protections offered by tools like Tor aren't just for journalists and spies; they're important for everyone. Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that, and we took a long look at the work cut out for them."

This is an important point: when you make it so that no one can keep secrets from the state and its enforcement arm, you also make it so that no one can keep secrets from crooks, thugs, stalkers, and every other kind of bad guy. Read the rest

TAILS: Snowden's favorite anonymous, secure OS goes 1.0

TAILS -- The Amnesiac Incognito Live System -- is a highly secure operating system intended to be booted from an external USB stick without leaving behind any trace of your activity on either your computer or the drive. It comes with a full suite multimedia creation, communications, and utility software, all configured to be as secure as possible out of the box.

It was Edward Snowden's tradecraft tool of choice for harvesting and exfiltrating NSA documents. Yesterday, it went 1.0. If you need to turn a computer whose operating system you don't trust into one that you can use with confidence, download the free disk image. (Note: TAILS won't help you defend against hardware keyloggers, hidden CCTVs inside the computer, or some deep malware hidden in the BIOS). It's free as in speech and free as in beer, and anyone can (and should) audit it.

Effectively, this is the ParanoidLinux I fictionalized in my novel Little Brother. Read the rest

Vi Hart: cramming G+ into YouTube has made comments even worse, I'm leaving

Google has changed the commenting system on YouTube so that you need to be a Google Plus user to post; the new system uses algorithms to promote some comments above others, and has the perverse effect of making trolls more visible. Vi Hart, the incomparable math-vlogger (and a regular favorite around here) describes how Google's decision to double down on its flagging Facebook-alike G+ service by ramming YouTube users into it has made her lose faith in the service: now her regular, good commenters comments hover at the bottom of the pile, while hateful trolls whose messages generate a lot of replies are judged "good" by G+ and promoted to the top.

The promise of G+ in the beginning was that making people use their real names would incentivize them to behave themselves. It's abundantly clear now that there are more than enough people who are willing to be jerks under their real names. In the meantime, people who have good reason not to post under their own names -- vulnerable people, whistleblowers, others -- are now fully on display to those sociopaths who are only too happy to press the attack with or without anonymity. Read the rest

Anti-Tor malware reported back to the NSA

More information on the malicious software that infected Tor Browser through Freedom Hosting's servers, which were then seized by law-enforcement: it turns out that infected browsers called home to the NSA. Or, at least, to an IP block permanently assigned to the NSA. Read the rest

Anonymous Web-host shut down, owner arrested; Tor users compromised by Javascript exploit

FreedomWeb, an Irish company known for providing hosting for Tor "hidden services" -- services reached over the Tor anonymized/encrypted network -- has shut down after its owner, Eric Eoin Marques, was arrested over allegations that he had facilitated the spread of child pornography. Users of Tor hidden services report that their copies of "Tor Browser" (a modified, locked-down version of Firefox that uses Tor by default) were infected with malicious Javascript that de-anonymized them, and speculate that this may have originated with with FBI. Tor Browser formerly came with Javascript disabled by default, but it was switched back on again recently to make the browser more generally useful. Some are predicting an imminent Bitcoin crash precipitated by the shutdown. Read the rest

More posts