Did the FBI Pay a University to Attack Tor Users?

Discussion in 'privacy problems' started by Nebulus, Nov 11, 2015.

  1. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users

     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Anyone paying attention has been pretty sure of that all along. We know that CMU works for the NSA etc. The timing was a total giveaway. They pulled the Black Hat talk, and not long thereafter, SR2 etc went down. Nothing new here.

    Although the Tor Project did speak up, finally, I'm not impressed. The SR2 etc connection came up in a comment. And there's no mea culpa for ignoring the CMU attack for five months. Maybe they got blindsided by CMU's attack. Maybe it was a zero day vulnerability. Maybe they just weren't paying enough attention. But it's stuff like this that fuels conspiracy theories about Tor and the US military.
     
    Last edited: Nov 11, 2015
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    One thing to point out for folks considering TOR. We all know a chain is only as strong as its weakest link. Once again (and not surprising at all) Windows made the exploit possible. The same SR2 users on linux and/or operating in compartmentalized VMs would have been untouched. The TOR dev team had noticed the exploit and patched it, but the LAZY Windows users that just kept operating on the now obsolete bundle got caught with their pants down!
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Is that the one where they injected something into the browser *if* it was out of date and *if* Noscript was set to allow all scripts?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    No. That was the Freedom Hosting takedown. There, the FBI first compromised the server. Then they configured hosted onion sites to push malware, exploiting a Firefox Javascript vulnerability (which had just been patched in Tor browser). The malware installed a Windows executable that phoned home with IP, MAC, etc. So only Windows users who hadn't updated Tor browser got pwned.

    In this attack, CMU "researchers" exploited a bug in the onion service protocol. They directly deanonymized users by compromising the Tor network. So this is far more serious than the Freedom Hosting takedown. In that operation, the Tor network was not compromised in any way.
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,749
    Location:
    Texas
  8. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,423
    CMU did it for money. How low can you go. Ethics? What are ethics when you get a million bucks for your trouble.

    No matter what you think of the targets this is not good. These attacks are getting better with time.

    I imagine the NSA has better de-anonymizing attacks against TOR they are using.

    Sorry but this is unforgivable. TOR devs should have been on top of this, not 5 months behind.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I see from the CMU/SEI/CERT website that it works with both DHS and DoD.[0] I'm guessing that it's funded in part by both. Although I don't see anything specific about the FBI, it's not too much of a stretch that they also fund CERT. So maybe the Tor Project is pointing to a deliverable about supporting FBI investigations, rather than a specific quid pro quo payment. But in any case, it's not illegal for the FBI to lie.

    [0] https://www.cert.org/about/
     
    Last edited: Nov 14, 2015
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Oh wow that is pretty serious. I hadn't heard about it. I've been out of the loop too long.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, it's good insurance to hit Tor through a VPN. Or a nested chain of three VPNs ;)
     
  12. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects.

    -- Tom
     
  14. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-breaking-research/
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Courts sometimes authorize reasonable fees for complying with subpoenas. Perhaps the FBI subpoenaed CMU/SEI/CERT before they had focused on SR2 etc, and then agreed to cover server rental, staff time and overhead. Even if that were so, I find it hard to imagine getting to $1 million :eek:
     
  16. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I doubt this was done by subpoena. The cost doesn't surprise me at all. When I was in academia my boss was contracted to provide evidence in a trial. His fee was $7,500 a day. A prof from a high end university could easily go up to $20k a day. $1 million doesn't go that far when you charge that rate.
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    One of the corrosions of trust that we have had to come to terms with, is to read all these public pronouncements through the lenses of shyster-lawyers and public officials who will fib to Congress and in other testimony.

    Two glaring signatures are:

    "direct payment"

    and

    "the FBI or any other government funder"

    Which rather obviously leaves the expected under-the-counter skulduggery that's appropriate for work which they probably well knew was unethical. Indirect payments from some hyper-rich military contractor, given the nod by government, is completely compatible with their denial.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
  19. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    That outcome was almost a "fact" that could be taken for granted.

    Bear in mind that 78 IPs and other small numbers mentioned are virtually nothing compared to the many thousands of members. Once, and if ever, we learn the exact steps of the compromise, it will likely become apparent that those discovered had poorly configured and insecure setups.

    We don't know yet but my questions would gravitate towards something like this:

    Would workspace in a linux VM have isolated this attack from getting to a linux host?

    Would the TOR bundle running inside a linux VM have prevented this even further than a straight TOR install to the VM? Remember the bundle is pretty amazing at keeping the TBB workspace apart from the VM supporting it!

    Would one or more VPNs nested prior to joining TOR have isolated the VM workspace from this IP attack, all the way back to the host? i.e. never getting to the actual IP due to bridging, NAT, isolation etc......


    Without answers to the above we are left with a degree of conjecture. However, repeating from above, the small capture rate of the original IPs seems to confirm that most users there are fine. Would be nice to know wouldn't it?


    ps - the current attack seems to be almost exclusively Windows so the questions I asked are valid because we need to know if the attack vectors can be easily modified to leave even "heavy" users exposed.
     
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I hate the way these public-private partnerships work to suppress transparency and rule of law; and it's a trend that's happening in many areas.

    I find it hard to see how the methods used can stand up to forensic evidential standards, which have hopefully improved and be scrutinised very carefully (hence presumably the defence discovery process).

    It's even worse when the techniques like mass-surveillance data mining and algorithmic rankings, ratings, and machine-decisions - without any scrutiny that you'd hopefully get in a court case - secretly have innocent people end up on various databases with no recourse.

    Incidentally, it seems the legal case rests at least in part on the "fact" that you have to give your real IP to the entry node:

    "This line of argument echoes that made in a recent case of FBI mass hacking, where a judge wrote that Tor doesn't give its users complete anonymity because users do have to provide their real IP address to a node of the network at some point. Indeed, in his order, Jones pointed explicitly to this ruling."

    which would make the mirimir VPN dressing before Tor both useful and give the lie to the statement.
     
    Last edited: Feb 25, 2016
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    @Palancar and @deBoetie -- Yes, people hitting Tor through VPN(s) would have been protected. Or at least, the FBI would have needed logs from VPN providers to get targets' ISP-assigned IP addresses. Using honest private bridges would also have helped, because targets would not have used entry guards run by CMU "researchers".

    Over the past few months, I've seen more and more warnings (and ads) on onion sites and onion-focused forums about the importance of using VPNs before Tor. I've been saying that for years, and have taken flak from Tor Project folk about it. But still, it is possible that other Tor "researchers" could run honeypot VPNs, the better to pwn Tor users. It's a jungle out there :eek:
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    It's a jungle, and likely the only protection is to rely on hostility between jurisdictions, no? Doesn't matter if they log the 7 bells out of you, if they are hostile to another party asking for that information.

    I loathe that it has come to this.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, that's the only option left. Sadly enough. Enemy of my enemy, and all that.
     
  24. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    With the introduction of significant inconvenience you can always start the connectivity journey via a coffee shop. Using a high end/high dbi antenna you could be quite a distance away and connect remotely. Then start your two vpns, followed by TOR, etc.....

    Before doing anything else I suggest any and all readers of this thread determine to abandon Windows. Especially if your internet activities involve the use of TOR or site attendance that would be injurious if it became public. Consider it please.
     