The million-dollar hole in the FBI 'paying CMU to crack Tor' story

It's something every journalist learns: if you hit on an important story, make sure every part of it is accurate. One small error is all that is needed to undermine the entire piece. Roger Dingledine is not a journalist, but as interim chief executive of the Tor project, he should have known to be more careful when he wrote in …

  1. Palpy
    Joke

    Sources which I cannot reveal --

    -- have informed me that El Reg has been given two quid and a kippered herring to cast doubt on the story of Carnegie-Mellon being a total vassal of the FBI. Buscando la verdad!

    1. Anonymous Coward
      Holmes

      Re: Sources which I cannot reveal --

      I was going to suggest something similar. Buy a case of scotch and a plane ticket to Pittsburgh and see what you can find out. The first thing you want to get is every email sent from the chancellor's office since the week before this story broke. Then you'll know what they've been told they can't talk about.

  2. Anonymous Coward
    Facepalm

    I am shocked; Shocked!

    Carnegie Mellon won a DoD contract to establish the Software Engineering Institute. CERT (which they insist is not an acronym) is a subsidiary established with funding from DoD's DARPA. It is (and I quote from their FAQ): "funded primarily by the U.S. Department of Defense and the Department of Homeland Security". It's a government think tank. With over 150 professionals you're probably talking a half billion budget, and a $1m contract or grant would be chump change. Did the FBI contract with them to research TOR? It sounds plausible, but I suspect the FBI didn't expect them to identify individuals (because of the problems of evidence). No big story in any case.

    Besides, if you want to hate on Carnegie Mellon, do it because they invented and maintain CMMI - a profitable business for them and a roadblocking level of busywork for big business and government IT.

  3. Anonymous Coward
    Anonymous Coward

    Good story

    I know they are paid to hack TOR. Wake me up when CMU/CERT is paid for information they discover while hacking TOR.

  4. Anonymous Coward
    Anonymous Coward

    > "I'm not aware of any payment," the university's press person told WiReD.

    Obviously the comptroller would have apprised the PR flak of any payments received from the feds under NDA. So that's that.

    1. James Micallef Silver badge

      Or rather, the PR flak is kept in the dark so that he can genuinely and truthfully say "I'm not aware of any payment".

      How about that same question is asked to the financial controller rather than the PR hack?

  5. Mark 85

    The Trust Factor...

    Given that we (commentards and then there's the percentage of the general population) see broken trust on what we're told, this could go either way. The parties involved either didn't exchange money for info, or they did. Denying is simple. Proving that they didn't is hard. This is where the trust comes in. Which tale do we believe?

    1. Anonymous Coward
      Anonymous Coward

      Re: The Trust Factor...

      How about this: for me, it does not matter 'who done it'. The major point of this entire tale is:

      "There are still serious questions to be asked – but probably not of the FBI. For one, why did CERT not inform the Tor Project about a critical security flaw in its software?"

      EXACTLY.

      CERT quite essentially hacked a foreign (as in "not theirs") operational network and failed to notify the operator of the discovered flaws. That removes any and all (later) statements / defense / clauses / copouts that they were doing a "white hat" research project; after that point, trying to claim that the FBI simply 'globbed on' to their discovery refutes reality. CERT, as well as the FBI, can now try to deny anything and everything it wants, in an attempt to save face, but the undeniable fact - the one fact that neither party is even TRYING to deny - is the fact that [they] hacked a system and didn't tell Tor...until after the hacking activity was discovered.

      That makes CERT, operationally, a BLACK HAT hacking group and I fully agree with link to Bruce Schneier post: that CERT can no longer be trusted, period, in regards to future "research" when it comes to IT security. They have now proven that their "research" easily, and wantonly, can cross over from "theory" to "production", into the field without a care or concern for those upon whom they targeted their "research" against...if the right person, group or monied interest is involved. That makes them the equivalent of the Tuskegee Experiment: too easy to collapse their objectivity and morals when it benefits their [own] goals.

      They compromised their independent operational researcher integrity to the ultimate and are now trying to backtrack and whitewash the situation. As one commentator on the Schneier post well said,

      "The CMU researchers are reprehensible because they violated one of the most basic ethical rules of scientific research: No research on human subjects without the subjects' informed consent."

      Go to hell, CERT. Go to hell.

      1. Mark 85

        Re: The Trust Factor...

        You expressed the broken trust quite well. They didn't deny that they did it. They denied the money aspect. Damn little in this world that we can trust anymore.

        1. P. Lee

          Re: The Trust Factor...

          No, they didn't deny the money aspect. One PR flack denied being aware of it. If they were denying the money they could have said, "No payment was made in money or in kind to the researchers and no pressure was placed on them or incentive given to them to keep their research secret."

          If the govt funds CERT and CERT funds the uni's researchers, then the govt is funding the uni. They are also paying for the results if they are benefiting from the uni's researchers' output.

          There would be nothing wrong with them doing the research, but for the govt's hypocritical stance on "defeating security measures" being illegal.

      2. Michael Wojcik Silver badge

        Re: The Trust Factor...

        No research on human subjects without the subjects' informed consent

        And in addition to being a serious ethical lapse, if Volynkin and McCord did any of this research under the auspices of CMU (and whether CERT, in this case, counts as "under the auspices" is a question for the lawyers), then they either performed human subjects research without approval from the CMU Institutional Review Board, or in violation of their approved project, or the IRB approved something they shouldn't have.

        The first two are very serious professional violations, and the last would be a very serious institutional one. We're talking about the sort of violation that can get professors fired regardless of tenure.

        Personally, I don't give a rat's ass about the payment issue. There appear to be much more serious violations in this case.

    2. werdsmith Silver badge

      Re: The Trust Factor...

      So we are left with what Occam's Razor cuts out for us.

      It was supposed to be done quietly and without the world knowing.

    3. I. Aproveofitspendingonspecificprojects

      Which tale do we believe?

      You believe neither, without evidence.

  6. websey

    0day black market

    I disagree about how the researchers came across their findings, much like every other commentard.

    But what if it wasn't CERT? Now bare with me.

    There is a profitable black market for 0-days etc. What if the researchers found it and were going to do a talk, but the FBI jumped in and went "that's a nice zero day, guys, let us buy it from you"?

    Researchers agree, sell it to the FBI and pull the talk.

    In this situation Carnegie Mellon would not be lying when they said "we got no money for this", as they didn't; the researchers did.

    Just a thought, and one I could see as happening, if nothing else to give the university / CERT deniable plausibility.

    1. Sir Runcible Spoon
      Headmaster

      Re: 0day black market

      "They're not responsible for their actions over there."

      Just sayin'. :)

    2. Andy00ff00

      Re: 0day black market

      > now bare with me

      I always giggle when I see this. I think it unlikely that I'd want to.

    3. I. Aproveofitspendingonspecificprojects

      Re: 0day black market

      I'm pretty sure that universities have contracts that tie research to them if they were the home base. The profit from research is thus all theirs.

  7. Anonymous Coward
    Anonymous Coward

    An apology

    On the previous article I commented that CMU were Black Hats. If, as this article lays out, CMU were unaware of what was going on, then I withdraw that accusation. Clearly, Volynkin and McCord are the Black Hats - and maybe CERT as well, if CERT had anything to do with authorising their original work and their non-disclosure to TOR.

  8. Anonymous Coward
    Anonymous Coward

    "this story is wholly inaccurate"

    Probable translation: "we were paid one million dollars and 2 cents"

    1. Preston Munchensonton
      Coat

      Re: "this story is wholly inaccurate"

      Surely a better translation would be: "we were paid nine hundred ninety-nine thousand nine hundred ninety-nine dollars and ninety-nine cents". The conjecture insisted at least one million.

  9. TeeCee Gold badge
    Facepalm

    Bloody typical!

    Septics. Bunch of arseholes.

    Given the choice of (a) logical and realistic explanation or (b) convoluted conspiracy theory involving space gnomes and dirty tricks by the government, it's "b" every time.

    You can't trust any story originating in the U S of A, especially since the term "journalist" got heavily downgraded to mean "any tosser with an axe to grind and his own computer".

    1. I. Aproveofitspendingonspecificprojects

      Re: Bloody typical!

      Never trust a country where Rupert Murdoch makes money, and never trust a journalist with a hole in its arse.

  10. Wyrdness

    It has been pointed out by a number of people elsewhere that this payment story is a nice misdirection to divert people's attention away from the real issue, which is that TOR isn't secure.

    1. BenR

      TOR *WASN'T* secure... the article states that the exploit they utilised has since been patched and the relays removed.

      The fact is that TOR is only as secure as the relay nodes. It's long been known that the injection of a compromised relay node into TOR could be used to break the security - which seems to me to have been shown true in this case.

      Now the question is, what *other* exploits are there in TOR, and who might be using them?

  11. John Smith 19 Gold badge
    Meh

    I can comment on the Lincoln Lab

    IIRC its charter is something around "problems of national defense".

    You look at their projects over the years.

    Heavily into speech coding and transmission at low data rates

    Speech recognition. Microwave (then millimetric) radar with lots of phased array stuff.

    I'd be surprised if you didn't have to be vetted to be taken on a "research" project there.

    1. Anonymous Coward
      Anonymous Coward

      Re: I can comment on the Lincoln Lab

      Definitely. Pretty sure my grandfather worked on radar there in the 30s-40s. All top secret until WW2 was over. He didn't really talk about it. Back then, at least one could feel good about that sort of research - it was all about shooting down Luftwaffe bombers and then Russian ICBMs.

      Toward the end of his career, it sounds like the whole industry devolved into "Milking The Taxpayers Is My Business (And Business Is Good)". Probably just a lot of highly classified paper word doc-shuffling and ass-kissing these days.

  12. Graham Marsden
    Devil

    " It's something every journalist learns:

    "... if you hit on an important story, make sure every part of it is accurate."

    Unless you work for the Tabloid Media, in which case, just blame Immigrants, Dole Scroungers, Paedophiles or Drug Dealers and your readers' knees will be jerking so much that they won't know, let alone care, about any inaccuracies...

  13. NozeDive

    I'm posting this blindly without reading all of the other comments first, but...

    ...just so no one else makes the same confusing mistake I did when reading this, please note that there is a difference between cert.org and us-cert.gov.

    Two different groups using the Computer Emergency Response Team moniker. One is a part of the federal government, and the other is a part of a university (that I believe receives federal funding, so... tomato/tomato).

  14. imanidiot Silver badge

    My biggest concern

    Is not even really with the whole payment business, but that 2 researchers serve two VERY different interests. On the one hand the independent and public CMU, and on the other hand the DOD and government funded research institute CERT. This is just asking for trouble, because how can they truly perform independent research for CMU without taking their CERT connections into account?

  15. Anonymous Coward
    Boffin

    Are there codes of ethics/conduct in place for CERT and its relationship with CMU?

    Sounds bad, that CERT employees are IDing security vulnerabilities in the wild, and not contacting the network owner or publicizing the findings. This makes it sound as if they are shilling for the NSA or others who would rather have the vulnerability to exploit than secure IT to protect IT users in general.

    1. asdf

      Re: Are there codes of ethics/conduct in place for CERT and its relationship with CMU?

      Yep, the US government in general is beginning to reap, big time, what it has sown in not putting protection of its citizens (and, more importantly to them, corporations) first. Did they really think any adversary would ever be more vulnerable to cyber warfare (stupid name, but you know what I am saying) than the US? Stooges.

  16. Catfitz

    Thank God for El Reg or I wouldn't ever know half of the evil that goes on in the software cults of Silicon Valley.

    First of all, there's a principle of academic freedom, and even any kind of freedom of speech in the US, which enables any researcher or member of the public to criticize software, you know? Especially software paid for by the Department of Defense. Yes, this is a fact you can find on the Tor website -- the overwhelming majority of their funds come from DoD; the rest come from DRL (State Department on Democracy, Human Rights and Labor) and other private donors, all listed. It was developed by the Navy. It is paid for by the DoD. Yet it is run by crypto anarchists, including Snowden's chief helper Jacob Appelbaum, WikiLeaks rep in North America, who fled to Germany one step ahead of the WikiLeaks grand jury.

    So please, let's not be children here. This is a faction fight in the military industrial complex where long-haired hippies like that man named Julian who once got a grant from the NSA (yes, that Julian Assange, and yes that NSA) to work on his "Rubber Hose" program and when he was classified out of his own software later, rebelled like the Free Software nerd and has waged jihad on his former paymasters ever since.

    The Navy *itself* has posted scholarly research showing that the chief developer *himself*, who is also on the board of Tor, found that most users could be de-anonymized given a month or so, and many faster. Not to mention that the mere fact of usage of Tor stands out like a sore thumb, not only for authoritarians like Russia, who then use the real rubber hoses, but for Harvard, which easily found an idiot who emailed a bomb scare using Tor.

    Dingledine is not a journalist and not merely some non-profit do-gooder with government funding. He's the leader of a crypto-anarchist cell that openly calls on their colleagues to "go in and get the ball and bring it out," as Jacob Appelbaum put it at the aptly named Chaos Computer Club, egging Snowden *whom they had already met in 2012* and others to savage the NSA. You may be fine with that, but this isn't democracy, isn't liberal, and isn't desirable as a form of government. It leads to terrorism such as we had in Paris.

  17. Michael Wojcik Silver badge

    Good police work?

    Shut the talk down to preserve the evidence for a trial, and then force the researchers to hand over the information so they can find and arrest people. That's good police work.

    Oh, it's great police work if you're a fan of the burgeoning police state. Otherwise it's pretty fucking suspect.

    "Force the researchers to hand over the information"? With a proper (and that means, among other things, not secret) warrant, perhaps that's excusable. It's a debatable point.

    "Shut the talk down to preserve the evidence for a trial"? Lovely. Exactly what evidence might have been destroyed by the BlackHat talk? And since when is this a good justification for a restraint on freedom of expression anyway?

  18. Anonymous Coward
    Anonymous Coward

    Contractual obligation

    The truth may be very simple. The researchers are quite likely obligated to report findings of criminal activity uncovered during their work. This obligation is probably linked to procedural stuff that ensures the preservation of evidence and integrity of investigation with embargo on communication of same finding to anyone but law enforcement.

    Not too hard.
