The non-profit Tor Project has accused the FBI of paying the security researchers of Carnegie Mellon University (CMU) at least $1 Million to disclose the technique they had discovered that could help them…
…Unmask Tor users as well as Reveal their IP addresses as part of a criminal investigation.
As evidence, the Tor Project points to the cyber attack that it discovered last year in July.
The team discovered more than hundred new Tor relays that modified Tor protocol headers to track people who were looking for Hidden Services – web servers hosted on Tor that offers more privacy.
The unknown attackers used a combination of nodes and exit relays, along with some vulnerabilities in the Tor network protocol that let them uncovered users' real IP addresses.
The attack reportedly began in February 2014 and ran until July 2014, when the Tor Project discovered the vulnerability. Within few days, the team updated its software and rolled out new versions of code to block similar attacks in the future.
But who was behind this serious ethical breach was a mystery until the talk from Carnegie Mellon University's Michael McCord and Alexander Volynkin on de-anonymizing Tor users was cancelled at last year’s Black Hat hacking conference with no explanation.
The Carnegie Mellon talk detailed a new way to _"de-anonymize hundreds of thousands of Tor [users] and thousands of Hidden Services [underground sites] within a couple of months" _using just $3,000 of hardware.
The researchers were going to prove their technique with examples of their own workaround identifying "suspected child pornographers and drug dealers."
However, after the ongoing attack on Tor network was discovered in July last year, the talk was abruptly canceled and suspicions were aroused that their techniques were used in the attacks discovered by the Tor Project.
The Tor Project also says the researchers stopped answering their emails, which made them more convinced of who was behind the attack – Carnegie Mellon's Computer Emergency Response Team (CERT).
> "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users," The Tor Project Director Roger Dingledine wrote in a blog post published Wednesday.
However, the team is more confident that the Federal Bureau of Investigation (FBI) used the researchers of Carnegie Mellon University to circumvent federal hacking laws.
This week, Motherboard reviewed a court filing in the case of Brian Richard Farrell, an alleged Silk Road 2 lieutenant who was arrested in January 2014, that proved the FBI had indeed recruited a "university-based research institute" that was running systems on the Tor network to uncover the identity of Farrell.
> "Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes," Dingledine wrote. "We have been told that the payment to CMU was at least $1 million."
Neither the FBI nor the Carnegie Mellon officials immediately responded to the Tor Project’s claims. If true, this incident would really make us think that…
Are these research by computer security researchers meant to help "identify vulnerabilities in the software" Or "endanger innocent people?"
What do you think? Let us know by hitting the comments below.