back to article Tor wars: CMU says FBI came not with cash, but a subpoena

Carnegie-Mellon University has fired back in the TOR war, saying that it wasn't paid by the FBI to reveal its de-anonymisation research outputs. The university's statement on the matter is here and includes the following: There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University …

  1. Richard Boyce

    The thoughtless leading the learned

    So the researchers acknowledge doing government-funded reseach. Nothing wrong with that on its own. However, the concern is that the US government may have employed people to engage in a fishing expedition that unreasonably threatened the innocent as well as the guilty, without probable cause. Issuing a subpoena to get the results of the research you've paid for could be a cover-your-ass legality.

    I wish there were as much concern about this here in the UK, as our non-computer literate leaders plan to legislate how things must work. I wonder if our government will one day be as much of a laughing stock as the US politicians who once legislated that the value if Pi is exactly 3....

    1. Mark 85

      Re: The thoughtless leading the learned

      On other topics we've been chewing this one over as to who has the biggest idiots running things.

      This is really getting murky... such as is there a secret court order not to release the findings to the TOR Project? There's still hints of money in the way the denials are worded... I realize TOR was setup by various government departments but what influence did they have on design and architecture? I'm of the belief that TOR has never been as secure as we would like to believe.

      1. Anonymous Coward
        Anonymous Coward

        Re: The thoughtless leading the learned

        > I'm of the belief that TOR has never been as secure as we would like to believe.

        I've long suspected as much. Never bothered to dig into the code; the weaknesses are semi-obvious, and they've been confirmed several times in the last few years. I have a non-conspiracy theory: TOR was designed 20 years ago when compsci people thought they had a handle on security, and it was just a proof of concept, not meant to withstand every attack imaginable. Apparently TOR is still largely government-funded, but it's possible that the developers and the bureaucrats holding the pursestrings are true patriots hellbent on undermining the surveillance-state traitors in their midst. Or maybe it is just a honeypot full of backdoors. Regardless, any hardware/firmware/OS that TOR will run on is hopelessly insecure.

        Very interesting to watch as it all finally hits the fan... with thanks to our blackhat brethren of all stripes, who risk so much to point out the fatal flaws in our houses of cards.

      2. NoneSuch Silver badge

        Re: The thoughtless leading the learned

        Nothing is as secure as the governments would like you to believe.

        1. Anonymous Coward
          Anonymous Coward

          Re: The thoughtless leading the learned

          Nuff said.

    2. scrubber
      WTF?

      Re: The thoughtless leading the learned

      "unreasonably threatened the innocent as well as the guilty"

      I think you'll find 'the guilty' are actually innocent until proven guilty by a jury in their peers in a court of law. Undertaking a fishing expedition to uncover evidence of wrongdoing should have that evidence thrown out of court, fruit of the poisoned tree and all that, and the wrongdoers will actually be not guilty.

      1. g e

        Re: The thoughtless leading the learned

        In an ideal world. Yes.

      2. Anonymous Coward
        Anonymous Coward

        Re: The thoughtless leading the learned

        "innocent until proven guilty" presupposes that they are (or may be) guilty, but is hasn't been proven YET. I.e. it is only a matter of time ("until").

        The correct statement is "innocent UNLESS proven guilty".

        1. Michael Wojcik Silver badge

          Re: The thoughtless leading the learned

          "innocent until proven guilty" presupposes that they are (or may be) guilty, but is hasn't been proven YET. I.e. it is only a matter of time ("until").

          "Until" is not guaranteed to terminate. Your objection is ill-founded, even if "innocent until proven guilty" weren't a term of art in US jurisprudence (and even if "the correct statement" didn't obviously fall foul of the prescriptive fallacy).

    3. WalterAlter
      Holmes

      Kinda Zany

      Witnessing 19th century minds trying to cope with the 21st century.

  2. Anonymous Coward
    Anonymous Coward

    The way I read it is that SEI and CERT are government sponsored think tanks funded, primarily, by DoD and DHS. Cracking TOR fell within their general, government paid, research. Exposing TOR participants was unexpected and unrequested (not government directed). When the FBI (a DOJ branch) caught wind of the paper they subpoenaed it so they could prosecute because if it had been presented at the conference the evidence would be inadmissible in court (which is why I don't think it was government requested).

    That said, there is a high likelihood that government funded SEI/CERT researchers are trying to crack TOR and other dark web sites today and for the foreseeable future. It has likely been made clear to them that hacks which could lead to names be turned over to the FBI for deanonomizing and prosecution.

  3. Gene Cash Silver badge

    Translation

    Yup, we took money and we worked on cracking TOR, but we're either under a National Security Letter, the whole thing is highly classified, or the NSA is leaning on our lawyers some other way.

  4. Schultz
    Boffin

    Some disconnect in the statement:

    If I cut some of the fat, I see two completely unrelated statements:

    <1> One mission of CERT is to research vulnerabilities so that they may be corrected.

    <2> The University complies with subpoenas without payment.

    Some statements are suspiciously absent:

    - What did CERT do in in the TOR project? (Who cares about their mission, esp. if there may be more unmentioned missions.)

    - Who financed the TOR project, and did anybody receive money from the FBI or related agencies? (I don't think anybody claimed that they received money for complying with a subpoena.)

    - Did the CERT receive a subpoena, maybe related to the TOR project? (Who cares about the University as a whole, it's a big organization and you can make many completely irrelevant statements about it.)

    1. Yet Another Anonymous coward Silver badge

      Re: Some disconnect in the statement:

      The statement says they received a warrant for some data and didn't charge for that - it doesn't deny that they were separately being paid to develop cracks against TOR.

  5. Archivist

    Smacks of incredulity

    Why engage a university - that is bound to be leaky - to do a dirty deed, when they already employ some of the brightest minds who work in secret.

  6. Gordon 10

    Err maybe because the feebs <> the nsa . the FBI has less of a budget and lesser hackers than the NSA.

    Cluestick different branches of the US govt dont necessarily play nicely with each other.

  7. Bob H

    I'm confused CMU/CERT did research into TOR vulnerabilities and found them, but didn't let TOR know? Irrespective of the FBI warrant, surely it is standard practice for CERT to notify interested parties of vulnerabilities so that they can mitigate and alert users if they see fit?

    1. Matt Bryant Silver badge
      Facepalm

      Re: Bob H

      "....but didn't let TOR know?...." As stated in the article, not only did they let TOR org know but they were also going to report all their investigation results to the community at a conference, hardly the behaviour of a "secret squirrel" operation.... Some people that post here need to actually read the articles before jumping to pre-formed conclusions.

  8. chivo243 Silver badge

    CMU claims no cash was paid to them

    but someone at CMU was paid, maybe not in their main account. It could be in a mattress or a bunch of coffee cans in the quad? Just to be clear.

    1. Matt Bryant Silver badge
      Happy

      Re: sheepo243 Re: CMU claims no cash was paid to them

      "but I want to baaaaaahlieve someone at CMU was paid, maybe not in their main account. It could be in a mattress or a bunch of coffee cans in the quad , because that plays to my tinfoil-wrapped socio-politiocal outlook? Just to be clear and in the hope reinforcement of that view from the other sheeple will somehow lend legitimacy to that baaaaaaahlief."

      TFTFY

      1. Old Handle
        Big Brother

        Re: sheepo243 CMU claims no cash was paid to them

        Oh goody the statist shepherd as arrived to round up all the poor confused sheep. But where is he taking them? Don't question, I'm sure he knows best for us.

        1. Matt Bryant Silver badge
          Facepalm

          Re: Old Handle Re: sheepo243 CMU claims no cash was paid to them

          "....the statist shepherd as arrived to round up all the poor confused sheep...." Apologies for letting you hope that someone was going to help you - I mean, you lot obviously do need help! - but I'm only here to laugh at you as you stagger round in your little herds of popular self-delusion. Big hint - no-one gives a shit about what you do online, you're just not that interesting, mmmkay?

      2. chivo243 Silver badge

        Re: sheepo243 CMU claims no cash was paid to them

        John Belushi's lawyer called... stop using his bit.

  9. NonSSL-Login

    Funding

    They are claiming that no payment directly for the Tor info was made but it still leaves the possibility that the uni received or will be receiving some indirect funding as a result. For example the FBI tells them that government will make a donation under the banner of x or y so as not to connect the payment with the Tor information.

    The whole situation is fishy and the carefully worded statements just add more weight to the uni and fbi being stingy with the truth.

  10. Old Handle

    An interesting combination of suspiciously specific and suspiciously vague denial. Clearly it's intended to create the impression that they explained what "really happened", but it doesn't actually do so. This leads me to believe that either it's not actually true, and they didn't want to lie outright, or they're under a gag order. Neither option is good news.

    And even it's a exactly as they imply, it's fairly disturbing. If they're they are the target of subpoenas "from time to time", how could they think advertising possession of a list of who visits illegal websites would end any other way?

  11. Mike 16

    I, for one,

    don't see a problem with funding two groups: One to make a security product and One to try to break it. That's how you get robust products. So I am curious about the hooraw over the government even funding CMU/CERT research into TOR. Of course I question the (possible) misuse of this research, and the (probable) gagging and tap-dancing involved, but just doing the research is a good thing (_IF_ the TOR Project was in fact warned. I get a whiff of "not me, no, I didn't know anything about it" in the original statement).

    1. Michael Wojcik Silver badge

      Re: I, for one,

      The issue of notifying the Tor project is one possible ethical lapse. Payment for possible bad acts is a secondary, though still serious, possible ethical lapse.

      Failure to follow protocols for human-subjects research is another, and to my mind more important, ethical issue here - and one that neither CMU nor US-CERT has addressed, to my knowledge. Did this project have IRB approval? Did they exceed their approved methodology, or was their methodology not compliant with standard practices in the first place? Based on what's been disclosed so far, it's hard for me to see how this could have complied with HSR guidelines. And that is a serious lapse indeed.

  12. Anonymous Coward
    Anonymous Coward

    Typical media gets it all wrong

    This place like much of mainstream media frequently gets it all wrong often yet they rarely admit to just regurgitating the false news ripped from another source. A perfect example is the VW Diesel emissions scandal where VW was cleared of any wrong doing on the 3.0L V6 Diesel engines by the German motor authority KBA, yet The Register and others failed to report this significant event in regards to the scandal even though The Register was provided with links to the KBA's investigation in to the VW 3.0L V6 Diesel engines that were cleared of any defeat device or illegal ECU software code. Selective reporting and slanting of the news is more important to some than the actual facts as the Tor story illustrates.

    1. Michael Wojcik Silver badge

      Re: Typical media gets it all wrong

      Good thing we have anonymous, uncredited sources posting in obscure forums to put us straight, then. Keep up the good work!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like