The DoD funded the Carnegie Mellon University’s research on Tor Hacking

A judge has confirmed that US Departement of Defense funded the Carnegie Mellon University to conduct research on the Tor hacking.

In November 2015, the researchers at the Tor Project publicly accused the FBI of paying the experts at the Carnegie Mellon University to deanonymize Tor users.

The experts at the Tor Project collected information about the attack technique elaborated in 2014 by Carnegie Mellon researchers on the popular anonymizing system.

In January 2014, the attackers used more than 100 Tor relays in an attempt to deanonymize suspects. Fortunately the researchers at the Tor Project removed from the network in July 2014.

The Director of the Tor Project Roger Dingledine accused the FBI of commissioning to the Carnegie Mellon boffins a study on methods to de-anonymize Tor users. The FBI has paid at least $1 million track Tor users and to reveal their IP addresses as part of a large criminal investigation.

“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/

Here is the link to their (since withdrawn) submission to the Black Hat conference:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
along with Ed Felten’s analysis at the time:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/

We have been told that the payment to CMU was at least $1 million.” reads a blog post published by the Tor Project.

The FBI has paid at least $1 million to the researchers to find a way to de-anonymize users under investigations of law enforcement.

The research was funded by the Department of Defense (DoD) and the FBI obtained the information on alleged criminals after serving a subpoena to Carnegie Mellon’s Software Engineering Institute (SEI).

This means that the SEI research was funded by the DoD and not by the FBI.

Court documents confirmed that the experts at the Carnegie Mellon university had helped the law enforcement to de-anonymize suspects.

The evidence of the collaborations between the FBI and the Carnegie Mellon University has emerged also in a stand trial in federal court in Seattle in November 2015. The court was discussing the case of Brian Farrell, an alleged Silk Road 2 lieutenant, under investigation of the law enforcement that discovered his IP addresses belong to the suspect. A new filing in Farrell’s case states that a “university-based research institute” supported the investigation and helped the feds to de-anonymize Farrell.

According to a Homeland Security search warrant, between January 2014 and July 2014 a “source of information” provided law enforcement “with particular IP addresses” that had accessed the vendor side of Silk Road 2.

The Farrell’s advocates filed a motion asking the prosecution to provide further information on the involvement of the Carnegie Mellon researchers in the investigation and the hacking technique used to de-anonymize suspects.

The response of a federal judge was negative, the magistrate denied the motion this week explaining that authorities had not violated the Fourth Amendment rights identifying the suspects via their IP addresses.

“SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny. “

The judge confirmed that the identity of the suspects was identified by exploiting security vulnerabilities in the Tor network.

The Carnegie Mellon University always denied having received money for their research.

Pierluigi Paganini

Security Affairs –  (Tor Network, Tor hacking)