Did the FBI Pay a University to Attack Tor Users?

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/

Here is the link to their (since withdrawn) submission to the Black Hat conference:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
along with Ed Felten's analysis at the time:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/

We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

When we learned of this vulnerability last year, we patched it and published the information we had on our blog:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/

We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research".

Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent.

But of course! Child pornographers "get caught" every time the FBI executes an operation of questionable legality. If it wasn't for those child pornographers conveniently waiting to get caught every time, congress and judiciaries might do something about those illegal ops, but they can't because... think of the children!

Anonymous

November 11, 2015

Permalink

It is TOR's failure to protect the hidden services, not the FBI's failure in choosing to take advantage of a disclosure issue. If your code is spilling everyone's information everywhere, don't go crying about how you're the real victim.

Tor is getting a bad reputation for its criminal infestation. Many people's first introduction to Tor hidden services is so they can pay a bitcoin ransom, or they hear you can get drugs or child porn on there. The FBI is totally justified in doing everything they can to find and shut down the sites. Every prosecution was against pedophiles and drug sites, and it's clear that they aren't going after innocent people for visiting innocent websites.

Few terms to look up first:
Net neutrality
Right to anonymity online
Freedom of speech
Right to privacy

Then you can also check the values and principles behind the Tor foundation.

Moreover, I am not sure if you would want to see all your info, search details, online habits revealed to the world without your consent.

oh let not forget some FBI undercovers also been caught with their fingers in the bitcoin tills and running rackets too not just the criminals. And the crime fighters also need TOR as much as the criminals and oppressed people too.

> It is TOR's failure to protect the hidden services, not the FBI's failure in choosing to take advantage of a disclosure issue. If your code is spilling everyone's information everywhere, don't go crying about how you're the real victim.

The expectation that "Tor" is responsible for failure is illogical. Tor is a project worked on by numerous individuals and cannot be attributed to a single individual or company. The very fact you, an individual, is attempting to treat "Tor" as a responsible party ('your code') is laughable. It's also a fallacy, which you probably already knew.

> Tor is getting a bad reputation for its criminal infestation.
I used Tor occasionally and do so for non-criminal purposes. While there may be users on Tor who are breaking laws, justifying widespread rights violations that include my rights is not a sustainable solution to catching criminals. A better question for all involved would be, "Why does the FBI think they can minimize crime (to zero, AFAICT) while violating our rights as free citizens and opening the door to abuse from corruption in their ranks?" If the cost of taking crime to zero is giving up my rights as a citizen and making me venerable to other types of criminals (corruption) then I choose another method, even one that allows some criminals to "get away with their crimes".

Assigning suffering to all of us collectively by violating our rights (collecting my private data) to eliminate perceived future suffering (drug sales to minors tomorrow) is an asinine approach, just like your FUD induced comment.

It is BOTH's failure.
A failure from the Tor Project, who failed its promises, but also a BIGGER failure of the democratic system in your country which is now endemic. And no, the FBI is NOT justified, they can't do whatever they want violating the laws and rights of their own citizens. These criminals (FBI and the researchers who are their accomplices) need to be prosecuted, and sent to jail. In democracy there are rules, if you don't like them then go to north corea or china.

I do not wish trolling or flaming but 1 m$ could change a life. I forgive the fbi and these researchers because so am i, i should accept it.
By the way, usa, eu, turkey promote a product that they do not have ; rules, democracy etc.

> I do not wish trolling or flaming but 1 m$ could change a life. I forgive the fbi and these researchers because so am i, i should accept it.

I do not understand.

> By the way, usa, eu, turkey promote a product that they do not have ; rules, democracy etc.

If you mean that US, EU, Turkey all falsely claim to be "democracies which obey the rule of law" [sic], then I agree. It's increasingly dangerous to be a dissident, but nonethless we all need to continue to try to resist the trend towards fascism, to the extent we feel we can. Tor can help.

I believe the folks at the TOR project are doing a public service by making these open source tools available to the public. It would be naive to think that these sorts of networks don't exist outside of TOR... I think the important question here is whether such networks should be accessible by any individual who wants to access them for the sake of anonymity and privacy. This isn't a "good guys versus bad guys" scenario, it is a privacy issue. Darknets and obfuscated digital networks are always going to be available to law enforcement and militaries. So, why shouldn't you be allowed to have access to something similar for the sake of your privacy? Clearly, there is a criminal element to TOR but the significance of the project extends well beyond criminal activity and restricting the public's access on the basis of that criminality would be a genuine disservice, in my opinion.

I also believe that any alternative to TOR would face the same challenges if it came under such scrutiny.

http://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tamper…

How much does it makes sense for militaries.and law enforcement to have their own anonymizing networks that only them can access, remember Tor started as a project of US navy and they realised it to the general public when they realised that if they were the only people using it it would be trivial to find out who their operatives were.

tor is for every one and open for new projects.
At the beginning, very wise persons decide to protect some persons ; it was in 1900 , these persons were useful for the world , the peace, the industry, the states (all around the world). So, they must not be involved or exposed in any criminal case , tor was like internet, a free (protected vip community ) network for these persons and only them.
' Militaries and law enforcement ' were considered as a piece of the world peace in the usa. It has changed , some of them had and will have big problem.
tor started as project of us navy because the budget was given to them and nothing more. It was open for every one because the cryptography science brought another universal dimension.
@remember ( i wonder what you could remember ! ).

Whenever I see "TOR" in comments on the net, it looks like paid disinfo to me. It's almost as if all caps TOR is a signal to other paid disinfo agents.

I know what you mean, but--- assuming you were serious--- I think it makes more sense to flag possible FVEY trolling by content than by an isolated stylistic feature.

It is true that USG employees (not just people in intelligence) often become accustomed to using all-caps acronyms, but as you can see from my own usage (USG, FVEY) not everyone who falls into such habits is a JTRIG operative!

In my view, content which raises suspicion of JTRIG style trolling includes such obviously false claims as these:

o Tor is "broken" [sic]

o Tor is "only used by criminals, terrorists, and pron purveyors" [sic]

o Tor is "already backdoored by the US government" [sic]

o Tor/Tails are "utterly useless if you are individually targeted by FVEY" [sic]

Despite all their Ph.D. psychologist consultants eager to advise JTRIG/TAO how to "disrupt" our community, I have not yet seen evidence suggesting that their trolling is more sophisticated than troll campaigns such as "Gamergate" which we have survived.

> content which raises suspicion of JTRIG style trolling includes such obviously false claims as these:

Another criterion is consistency with known principles of the deception units operated by FVEY (and Russia, and other nations), such as what is known in CIA as Magruder's Principle:

> It is generally easier to induce an opponent to maintain a preexisting belief than to present notional evidence to change that belief. Thus, it may be more fruitful to examine how an opponent's existing beliefs can be turned to advantage than to attempt to alter these views.

All of the above can be seen as attempts to cynically exploit pre-existing paranoia to cause anyone thinking of protesting to freeze in terror.

>It is TOR's failure to protect the hidden services, not the FBI's failure in choosing to take advantage of a disclosure issue. If your code is spilling everyone's information everywhere, don't go crying about how you're the real victim.

Classic victim blaming. Tor never made any claims to being perfectly secure. If I stumble across a poorly secured website, do I have the right to break into it, because someone might be doing something bad on it?

>Every prosecution was against pedophiles and drug sites, and it's clear that they aren't going after innocent people for visiting innocent websites.

The attacks performed didn't make a distinction between those targeted for investigation and everyone else. You don't get to wiretap my phone because someone down the street is a drug dealer, even if you don't prosecute me for anything. Or more analogous, you don't get to pay the phone company to wiretap me and hand over the recordings as a way of avoiding the legal process entirely, all for a crime I didn't commit or was ever even accused of committing.

Wiretaps require a special level of access. The attacks that happened could have been executed by you or me. The problem is that the Tor software is flawed and people thought something was private but it was right out there in the open. Their stupidity doesn't need special accommodation.

>Classic victim blaming. Tor never made any claims to being perfectly secure. If I stumble across a poorly secured website, do I have the right to break into it, because someone might be doing something bad on it?

Someone breaks open source software and uses it to get attention in the media, and it gets called security research, and anyone trying to stop it is an evil oppressor. (Look at weev)

Someone breaks open source software and uses it to catch pedos, and it gets called oppression and victimization.

This sort of attitude in the privacy community fucking disgusts me. It seems like people are more interested in protecting the ability of pedos and extortionists to operate, and use that as the gold standard for privacy. If the FBI can't catch pedos, we must be secure.

I'll either throw up or be compelled to throw-up. But I respect your comment regardless, this is a free world.

Tor is not a 100% secure, so as everything else man has ever made, get over it. We use Tor because it protects us way more than any other software out there. Rather than advocating what Tor cannot do, could you perhaps come up with a better solution? Tor has saved lives globally, thanks to a dedicated team. People giving themselves to a course rather than seeking pleasures and eating their bellies out.

"Tor is a failure" - Your idiot.

"Tor never made any claims to being perfectly secure."

well....I will stop using tor, then as it looks like it's a piece of junk.

"The FBI is totally justified in doing everything they can to find and shut down the sites."

Actually that's where I would disagree. Sure, the FBI should go against people doing illegal things, but that doesn't equal justification of every form of prevention/investigation they can think of. For example if you're trying to get information out of someone, that doesn't justify torture even if the information is important. Or in this example, it doesn't justify invading the privacy of many innocent people. The same way you don't get a search warrant for all houses of a city just because you're quite sure there are some people doing bad things living in this particular city. (Even if that'd prove quite effective.)

"Tor is getting a bad reputation for its criminal infestation."

I won't deny this. Even though I don't understand why people don't do proper research themselves and then notice that Tor itself is not at fault. I'm just not sure how this relates to your other arguments. Just because something has a bad reputation that automatically leads to fewer rights?

I'm right behind you on that!
The FBI is NOT justified in doing EVERYTHING possible! By doing what they did here; THEY have become criminals themselves and nobody seems to care. What would happen to anyone outside of law enforcement doing the same thing they did? It's amazing to me that just because they consider themselves law enforcement; it's acceptable to society for them to commit a crime and go unnoticed!

Except their actions didn't only affect the anonymity of "pedophiles and drug sites". It affected everyone that made use of those compromised relays. Not cool.

Maybe every prosecution where we *know* they gained information from this was against pedos and drug sites, but we know the US government uses illegally obtained information to create investigations and cover up their sources.

http://mobile.reuters.com/article/idUSBRE97409R20130805

Bypassing the fourth amendment undermines public trust, and they're spending extravagant amounts of tax money to orchestrate a cyber attack to do that. The FBI is perfectly able to investigate crimes within the scope of the law, and they've been doing that successfully for a very long time. Behaving in this way is harmful to their own mission.

Also, Tor is a tool, and can be used for many purposes. If someone commits a murder with a hammer, would you blame the tool manufacturer for making weapons?

The 4th amendment does not apply to things that are public.

When people think something is private, but it's actually out there in the open, that doesn't mean the government needs to pander to that misconception.

The attack against hidden services could have probably been done with anyone that has an internet connection.

> The 4th amendment does not apply to things that are public.

I think you need to recognize that one of the problems with current cyberlaws in all nations is the failure to reconcile the contradiction between a computer operated by someone from their own home (so Fourth Amendment would apply, no brainer) and an anonymous comment replying to a blog or bulletin board post appearing on some blog or bb hosted as a HS somewhere. For example.

Some legal scholars have argued that another portion of the Bill of Rights renders keyloggers unconstitutional:

https://en.wikipedia.org/wiki/Third_Amendment_to_the_United_States_Cons…

The fact is that "the scope of the law" is a very shifting thing right now because all the crime is moving to the Internet and the police can't do anything about it. And when they actually do, people bitch and moan because I guess they don't want cops arresting people for crimes.

The fact is that if the police are going to be in any way effective in the Internet age, they need the ability to investigate crimes. The Tor community might be up in arms about this but there are also victims every day getting doxed, getting their sexual abuse shared, getting their money stolen, and this sort of thing is sometimes the only way to get justice for the victims.

Right now if you are the victim of a cybercrime, the odds of getting justice are about nil. Is that the world you really want to live in?

Fuck yes, it exactly is. You don't get it, do you? You don't get to force everybody else do your bidding just because you're too fucking stupid, in the same way you don't get to announce you're driving to the cliff edge today and everyone else had better fucking pay up to fund the construction of a gentle slope, made of robots, at the cliff edge to save you, and they had better shut up about how this is terrible, pointless, and stupid and "get with the program".

"victims every day getting doxed, getting their sexual abuse shared, getting their money stolen, and this sort of thing is sometimes the only way to get justice for the victims."

Because knowing that someone got fined or incarcerated over it would totally make it go away if something like that happened to me. Wrong. Just so you know, the police can't take that information back from the Internet for you.

Restitution is one thing, although I don't exactly see a lot of that going on, especially when we're talking about over-seas ransomware extorting people for money, or Bitcoins disappearing left and right. But what you mean by "justice" is a little unclear to me.

Sorry, but I'll take prevention before prosecution.

This is garbage. If I put a lock on my door that is breakable and then the FBI come and break into my house with out a warrant, the FBI are in the wrong, not the lock maker. You sound like an idiot when you make such blatantly dumb arguments.

It's not the "Ferguson Effect" that's causing social unrest in this country, it's pigs like you.

I was using Tor during the time they were de-anonymizing users. I was simply doing security research and at times looking at legal porn from well established, clear-web websites like Porn Hub. I use Tor because, frankly, I don't want the government, my ISP, or my DNS provider to know certain private details about my life and/or interests (which, to be quite honest, aren't that racy). What's followed has since been a many-year nightmare of stalking, harassment, spying, and character assassination orchestrated by the government in what seems like some Orwellian attempt to justify their gross constitutional abuses.

I was using VPN with Tor, so when they did their trace it pointed them to the VPN IP instead of my home IP. As a result, they needed to get creative.

Some of the tactics they used, in addition to typical surveillance, were:

- Cloning friends' social media accounts (without their permission).
- Masquerading as friends' accounts on certain messaging applications.
- Hacking and/or DDOS'ing routers offline.
- They used Windows Update to drop malware into the computer.

If you've payed attention to the security news recently, you might know that the government has sworn off using Windows Update, but I assure you they very much are and have been using it for some time (just covertly) and I'm almost certain Microsoft knows about it and may have signed the malware.

Another thing you guys might want to be aware of: I'm not certain, but it seems like they might still have the capacity to de-anonymize users.

You say Tor is getting a bad reputation for its criminal infestation. You fail to realize that the problem is not technology. That criminal infestation you are talking about such as the ones you mention are social problems not technological ones.

The problem is the technology. Before the technology, the cops had some success rate. Now their success rate is horrible, and we see massive communities of abuse with real victims(not just drugs), and no recourse for those victims.

When you say success rate, do you mean number of criminals caught over number of criminals, or number of criminals caught over number of criminals known about?

I'm interested to know how you calculate the former ratio using the number of criminals we don't know about. In the latter case, are you sure that wouldn't have anything to do with the fact that most of the general population knows more about all of the things going on in the world now versus before, simply because there are more ways to publish and read about it?

Or maybe it's just because the population is higher now, there is more data, and "Photos found on man's computer depicting children wearing clothes" or "Woman found with a toaster purchased on an underground auction site" still doesn't make a good headline.

Come back when you've added some control variables and have had your little study peer reviewed.

When the technology enables the criminal faction, yes, it is the technology at fault, not the social aspect.

Read what Albert Einstein said about the atomic bomb.

It is TOR's failure to protect the hidden services, but that does not make what CM and the FBI did any more legal or constitutional.

Age of consent laws are crimianl nonsense and so are any laws against the free use and trade of drugs. The real criminal here is the american. The same government that also happens to fund tor.

> The same government that also happens to fund tor.

USG does currently provide most of Tor Project's funding, and while this does not imply that Tor is some kind of "USG sting" (it isn't, quite the opposite in fact), this issue has been a concern for a long time. Recently the Project has taken steps to address the problem, and I encourage you to donate to the current funding drive!

It's not necessary that Tor accept no funding from any government or corporation, but we all now agree, I think, that Tor cannot continue to accept too great a percentage of funding from any "block", such as FVEY governments.

Wow....SJW was the first to comment and also completely miss the point (as these idiots usually do).

I'm sure other SJW types will take this criticism as my endorsing CP trafficking. NO.

The point is, dimwit, that the goddamned Federal government circumvented due process by outsourcing this "investigation" to this university, because the university was able to play innocent and say "We were just doing research".

The FBI is NOT "totally justified" in engaging in this kind of rogue law enforcement. Just because some good things may have come out of it, the end in no way justifies the means.

And don't give me that "well, if you've got nothing to hide" bullshit. Everyone has something to hide, and we have a right to do so. It's outlined pretty clearly in the fourth amendment. I've got nothing to hide, but do I want anyone - much less law enforcement - rifling through my underwear drawer, or looking at my computer just to make sure I'm not a criminal of some kind? HELL NO. I like legal porn, but I would be really uncomfortable if some pig or anyone else could just decide to go through my history and make a list of the kind of weird stuff I wank to. It's NONE OF THEIR BUSINESS, and certainly none of yours. Fuck off with your stupidity, and go study some history. While you're at it, familiarize yourself with the constitution before you do something stupid like cast a vote in an election being as ignorant as you are. FUCK.

LOL

Why sign as Anonymous and not as the FBI?

How many bad guys have you caught today?

The world is a better place?

Fuck off.

So if the bank teller gets sick and runs to the rest room, it's OK for me to take the money from her cash drawer? By your logic, it would be her fault and not mine, so I guess I'll start looking for opportunities to get money in ways I used to think were illegal, or at least immoral. Understanding that everything is the victim's fault is useful, so thanks.

Saying, "The FBI is totally justified in doing everything they can to find and shut down the sites." shows such an incomprehensible and complete failure to understand the purpose of the 4th Amendment. While, they're at it, they should wiretap your home just to make sure that you are not breaking any laws.

It's sheeple like you who are the source of the U.S. political problems, and you will be the cause to the beginning the 2nd American Revolution.

the FBI and USA lock up more of it's citizens for non violent and victimless crimes than any other country in the world.

people buying drugs for personal use and people looking at porn anonymously are victims of hate crimes when they are locked up for doing something that hurts no one.

What people need to understand ist that almost every state in the world operates under the color of commercial law. Every "crime" these days is a commercial crime. If a person gets accused of a crime, the prosecutor floats a bond and attempts to make the accused person a surety on the bond by means of a trial. The accused person is always presumed guilty in a commercial court (Federal and State Courts). The trial itself is an opportunity for the accused to settle the commercial liability attached to his person. If he does not recognise this (and most people dont), he must either pay cash or go to the bonded warehouse (called prison) for a certain amount of time, so that the government can claim it has secured collateral on the bond. Maturity of the bond is accelerated if the collateral behaves well in the warehouse. On the maturity date of the bond, the government gets paid and the collateral is released from the warehouse.
The FBI does not look for "criminals" in the traditional sense. It looks for persons who violate US Codes and regulations because this generates credit for the state. It has nothing to do with the amendments. They are not applicable to people who are US citizens (generally people who have a social security number). The amendments are for non-corporate people. If one is a US citizen, one has waived such rights.

As far as Tor is concerned. It is a tool, nothing more and nothing less. A knife and a hammer are also tools. One can use a tool for honerable purposes or for dishonorable ones. It is up to the user. According to the arguments put forward by some here, one must be consequent and also ban all hammers, knifes, cars, well, literally everything that has the potential of being abused which is, well, really,..... everything. This is a stupid argument and is really made by people who have no capacity to think and act properly.

With the number of laws on the books now it is just a case of pick a person and find a crime. Al Capone was busted for income tax and Hillary Clinton is being busted for E-Mail. If they want to bust you they can find a crime to fit. ;(