Did Carnegie Mellon Attack Tor for the FBI?
There’s pretty strong evidence that the team of researchers from Carnegie Mellon University who cancelled their scheduled 2015 Black Hat talk deanonymized Tor users for the FBI.
Details are in this Vice story and this Wired story (and these two follow-on Vice stories). And here’s the reaction from the Tor Project.
Nicholas Weaver guessed this back in January.
The behavior of the researchers is reprehensible, but the real issue is that CERT Coordination Center (CERT/CC) has lost its credibility as an honest broker. The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project. Instead, the researchers apparently used this vulnerability to deanonymize a large number of hidden service visitors and provide the information to the FBI.
Does anyone still trust CERT to behave in the Internet’s best interests?
EDITED TO ADD (12/14): I was wrong. CERT did disclose to Tor.
Ferris • November 16, 2015 7:49 AM
I usually agree with you 100%, but not in this case. The researchers’ behavior was not “reprehensible”. Academics work in concert with the government all the time. I begrudgingly support an encrypted internet even though it provides safe harbor for criminals, but if that encrypted internet turns out to be flawed, I have no sympathy for the criminals that are found there, nor do I particularly care how those flaws were discovered.