CMU responds to alleged Tor hacks

The week before last, the Tor Group, the non-profit organization behind Tor, a network of servers that provides internet anonymity, accused Carnegie Mellon's Software Engineering Institute (SEI) of selling research to the government that allowed the FBI to unmask — and in some cases, indict — Tor users.

In an interview with Wired two weeks ago, a member of the SEI’s public relations team Ed Desautels said, “I’m not aware of any payment,” declining to comment further.

The FBI similarly denied the claims in response to Ars Technica, telling Ars, “The allegation that we paid [Carnegie Mellon University] $1 million to hack into Tor is inaccurate.”
Last week, the university responded formally to the allegations with a media statement, which reads: “One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.

In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.”

Although the statement denies receiving payment from the FBI for the research that allowed them to break through Tor’s guarantee of anonymity, it implies that the university gave up the research under subpoena. The original $1 million figure quoted by Tor Group President Roger Dingledine came, he said, from “friends in the security community.”

The university first fell under suspicion when it pulled a presentation of the research in question from the Black Hat Conference, a conference for information security professionals. Soon afterwards, the FBI and Interpol launched Operation Onymous, designed to unmask users of Tor on the “dark web,” a part of the internet frequented by drug, weapon, and other illicit trafficking. Recently, court documents in the trial of drug dealer Brian Farrell made reference to “a university-based research institution” that caused many to draw a connection to Carnegie Mellon.

Dingledine criticizes Carnegie Mellon for its alleged involvement with the FBI; he wrote on Tor’s blog, “This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute.”

The Tor Project responded to the university’s statement with more questions. Tor Project spokesperson Kate Krauss wrote to Wired that it still has “many questions about [Carnegie Mellon’s] new statement,” including how the FBI knew what to subpoena from the Carnegie Mellon and whether the research on Tor was approved by the university’s Institutional Review Board.