Tor Project: US government paid university $1m bounty to hack our networks

The Tor Project is claiming that researchers at Carnegie Mellon University (CMU) were paid a hefty bounty by the FBI to stage an attack last year aiming to unmask the operators of the network's hidden servers. "We have been told that the payment to CMU was at least $1 million," the group said in a blog post. In July 2014 the …

  1. Nate Amsden

    tor should be happy

    That it was mainly white hats doing this. They exposed flaws which tor fixed (maybe not all, I don't know).

    Never used tor myself but doesn't seem like much to get upset over. Could of been far far worse.

    1. Mark 85

      Re: tor should be happy

      Let's take this a bit further.... at least in this case, they know who did what. What about other players than those mentioned? Yes, it could have been worse and maybe it is. If this is their response, then any vulns will a) never be known by the general users and b) never be fixed. It's also possible that now the white hats will walk away and not bother to test TOR and push for patches. Between black hats and state actors, it's a bloody mean world we have nowadays.

    2. P. Lee

      Re: tor should be happy

      Perhaps the government will be happy when Silk Road 3.0 / the Chinese / bogeyman-of-the-day returns the favour of putting a bounty on analysing government networks.

      No?

      If they were doing it ethically and by the book, they should have set up their own tor network and done their research there.

      I would have thought breaking intended protection mechanisms breaks the DMCA, but perhaps not.

      I'm not sure that "I'm trying to break your network security but don't worry I'm an academic (working for the US gov)" is congruent with the government's stance on security.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: tor should be happy

        "I'm not sure that "I'm trying to break your network security but don't worry I'm an academic (working for the US gov)" is congruent with the government's stance on security."

        Actually, it's quite congruent with the US government's stance on security. They remain secure, nobody else may do so.

      3. Someone Else

        @P. Lee -- Re: tor should be happy

        P. Lee:

        I would have thought breaking intended protection mechanisms breaks the DMCA, but perhaps not.

        Tricky Dick Nixon:

        Well, when the president does it that means that it is not illegal.

    3. Anonymous Coward

      Re: tor should be happy

      That it was mainly white hats doing this.

      I would suggest that CMU's actions against legitimate users of tor means that they are by definition Black Hats.

    4. SolidSquid

      Re: tor should be happy

      Given that this was a third party asking another third party to try and compromise the network without ever running it by the target and putting a fair bit of money into doing so, I don't know if this really counts as "white hat" at this point. Grey hat at most, but doing it without the target's knowledge/consent and having a sufficient impact on their infrastructure that they caught it and had to release a patch might be enough that it slides into black hat.

      It depends a lot on what the university was to do with the research afterwards. If it was to be shared with Tor then fair enough, that's probably enough to push it back to grey hat, but if they were only going to share it with the FBI department that paid for it, that's basically no different to selling exploits on the darknet, except you know who's buying.

    5. NoneSuch

      Re: tor should be happy

      "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," said the group.

      Try to take away people's guns and they go nuts in support of the second amendment.

      Take away free speech and nothing happens. We need an NRA for the first amendment.

      1. Anonymous Coward

        Re: tor should be happy

        Isn't the ACLU an NRA for the first amendment?

    6. Philip Lewis

      Re: tor should be happy

      "Could of been far far ..."

      Could HAVE been!

    7. Anonymous Coward

      Re: tor should be happy

      could have....

  2. Anonymous Coward

    TOR would do better to embrace all publication of its vulnerabilities

    To do otherwise is to pursue security through obscurity.

    If CMU doesn't do the research, DARPA or someone else, or some other government, will, and they and we would not know of the vulnerability. A million bucks is a drop in the ocean.

    No one owes anything to the TOR leadership. (Support it if you think that is a good idea, by all means. That's a donation, not a debt.) If it is broken, they can fix it or fade away. No tears need be shed over a project that fails to deliver what it promises, no matter how lofty its goals or rhetoric.

    1. This post has been deleted by its author

      1. Anonymous Coward

        Re: "but this attack crosses the crucial line between research and endangering innocent users".

        re: brianjones

        That's because you're being polite and don't have an air force.

    2. Gordon 10

      Re: TOR would do better to embrace all publication of its vulnerabilities

      @AC - err it ceased being "research" the moment they gave the Feds the research instead of publicising or contacting Tor.

  3. Anonymous Coward

    Milking the feds

    So the CMU guys bragged that they could do for $3000 what the FBI gave them a million to do?

    Oh I see... 3k to buy compute time, 1M to sell out.

    1. dan1980

      Re: Milking the feds

      @AC

      Wha . . .?

      No. $3000 is what they estimate that it will cost to implement the attack method that they have developed. $1m is what it cost them to develop and test that attack.

      Well, maybe not what it actually cost them but that was what the payment was for - developing a 'product' (so to speak), which tends to cost more than actually producing that product.

      1. werdsmith

        Re: Milking the feds

        $1M is what the US federal government paid CMU to perform a pen test on TOR.

        TOR can say thank you very much for that useful information, patch the vulnerabilities that CMU found and US gov is no further forward.

        They have to do it themselves, quietly through DARPA or they get nowhere.

    2. Wzrd1

      Re: Milking the feds

      I see that AC is a stranger to capitalism, as well as research and development.

  4. chivo243

    time to go old school?

    You know, pigeons, crossword puzzles, personal ads, pig latin. Anybody remember the US TV show from the 70's called Zoom? hibi, fribends... Ibe ambe herbe tobe telbe yoube toobe runbe forbe thebe hilbes...

    1. Wzrd1

      Re: time to go old school?

      Bleh, OTP works well every time and it is unbreakable.

      But, do stick with ROT13 and pig latin, it's essentially plain text.

    2. Uncle Slacky

      Re: time to go old school?

      The language on Zoom was called "Ubbi Dubbi", as I recall, ubor, ubas ubi rubecuball...

  5. Anonymous Coward

    Quite ironic really, as the US Government sponsored the groundwork for Tor in the first place.

    1. Paul Crawford

      You mean like arming the Taliban as an anti-Russian move?

    2. phuzz

      There's a good graphic showing some of the sources of funding for the tor project here.

      1. Richard Taylor 2

        Fascinating. While I can see the reasons for developing TOR to further publicly declared US interests in free speech (overseas at least), I assume that the NSA were keeping a careful eye out and that it would not be allowed to come back and bite them on the buttocks? Although I suppose that has worked well in similar 'well meaning' interventions, such as support for a nascent Taliban in Afghanistan and Pakistan?

  6. Cincinnataroo

    Time will tell whether CMU gets hacked to oblivion. Wonder what this will do for the job prospects of graduates. NSA increase. Others decrease?

  7. Ole Juul

    Could happen

    The Anti Hacker Alliance fights against 128.2.42.10

  8. Your alien overlord - fear me

    Well, at least we know about this pen test. How many times did the Feds try beforehand and get nowhere? Time to bring in the experts !!!!

  9. Anonymous Coward

    Legality

    Isn't there a point here that the agency couldn't legally do this, so it just paid someone else? That doesn't make it less illegal.

    Courts don't accept that paying someone to commit a crime gets you off the hook.

    1. Matt Bryant

      Re: Anon Cluetard Re: Legality

      "....paying someone to commit a crime...." Before you declare that, maybe you should first show a criminal act has occurred? They didn't ask CMU to gain unauthorised access to anyone else's server, they added their own servers to the TOR network and ran modified TOR software to add tracking packets to the network. The TOR software is FOSS and there was no law broken by CMU in modifying it, no subsequent illegal access of anyone else's servers, no decryption of messages, just information on where their own packets issued by the CMU's trick servers ended up. All in all, absolutely and completely legal. If you wish to insist otherwise then quit whining and post an actual factual argument.

  10. Cynic_999

    Governments are not homogeneous. The many different arms of a government (e.g. military, law enforcement, espionage, "public relations" (i.e. propaganda), tax & revenue) have many needs that are mutually incompatible, thus one department may well be actively implementing or encouraging an activity that another department is trying to prevent or circumvent.

    1. Francis Vaughan

      Exactly. Somehow it is forgotten who invented Tor, and for what purpose. It is hardly the first time that the spooks and the FBI are on opposite sides. Neither are exactly working with clean hands, but that is more a reflection on the nature of life than much else.

  11. f-bone

    That is IF you believe their story.

    It may very well be the case of backdoors instead of vulns and all of this is an act created by Tor and the feds. Easily done, and Tor gets off the hook because anyone can be hacked - Feds get the blame.

    But remember that Tor is also gov-funded. Never forget that. They will probably let some crooks operate there to seed trust to higher ranked criminals and/or terrorists who will feel confident to use Tor. Then the Feds will "hack" Tor and arrest the criminals. Then Tor, after some period of time, will gain once more its credibility and the cycle begins again.

    Arresting criminals of course is something everybody wants but we all want privacy, too. So the question is what we want MORE.

    Final thought, if white-hats hacked Tor then black-hats should be able to do that, too. But didn't. Which to me translates that Tor "let them in".

    my 2p.
