Tor is looking at the efforts of a group of researchers at Carnegie Mellon as an “attack.” I think that Tor is taking the wrong tack with this. Rather than thinking of the efforts of the Carnegie Mellon people as an attack, they should consider it cleanup. Look, if the Tor network becomes the go-to place for ransomware criminals and other people wanting to hide the consequences of their actions, then Tor’s utility as a communication network for people wanting to remain hidden from illegitimate abuse becomes muddied.
In November, Motherboard reported that a “university-based research institute” provided information to the Federal Bureau of Investigation that led to the identification of criminal suspects on the so-called dark web. Circumstantial evidence pointed to that body being the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU). After a media-storm, CMU published a very carefully worded press release, implying that it had been subpoenaed for the IP addresses it obtained during its research.
Now, both the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.
“The record demonstrates that the defendant’s IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.
“Farrell’s IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.
Screenshot of filing.
Between January and July 2014, a large number of malicious nodes operated on the Tor network, with the purpose, according to the Tor Project, of deanonymising dark web sites and their users. The attack relied on a set of vulnerabilities in the Tor software—which have since been patched—and according to one source, the technique could unmask new hidden services within two weeks.
Evidence has pointed to SEI being behind that attack: SEI researchers Alexander Volynkin and Michael McCord were due to present research at the Black Hat hacking conference in August 2014 on how to unmask the IP addresses of Tor hidden services and their users, before the talk was suddenly canceled without explanation. SEI also submitted a research paper to the 21st ACM Conference on Computer and Communications Security (CCS) in 2014 on unmasking dark web users and sites, although that paper was apparently based on simulations, rather than in-the-wild attacks. That research was funded by Department of Defense contract number FA8721-05-C-0003. (The Tor Project has made an unsubstantiated claim that CMU was paid by the FBI to the tune of at least $1 million to carry out the attack. The Tor Project did not respond to questions about this claim in light of the subpoena.)
This new court document shows that, as many suspected, SEI was indeed behind the attack on Tor, and that information obtained from that move was accessed by law enforcement via a subpoena, facts that Farrell’s defense has been aware of for some time, judging by the latest filing.
When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”
The fact is that the people at Carnegie Mellon were tracking stuff that was clearly way off the reservation. Not just drugs, but child porn and even assassinations. The various black markets were clearly bad news.
Of course Tor’s entire attitude seems to be that they are not responsible for the stuff that the users may be doing. For mutual communication that’s pretty much the case. But what if the communication is not voluntary, as in the case of ransomware? In that case the victim doesn’t want to communicate anonymously with the other party. But because the other party is hiding behind the Tor network, the victim has no recourse. From the following, Tor’s attitude seems to be hear no evil, see no evil, speak no evil. When you are the front for the evil, what does that make you?
Criminals can already do bad things. Since they’re willing to break laws, they already have lots of options available that provide better privacy than Tor provides. They can steal cell phones, use them, and throw them in a ditch; they can crack into computers in Korea or Brazil and use them to launch abusive activities; they can use spyware, viruses, and other techniques to take control of literally millions of Windows machines around the world.
Tor aims to provide protection for ordinary people who want to follow the law. Only criminals have privacy right now, and we need to fix that.
Some advocates of anonymity explain that it’s just a tradeoff — accepting the bad uses for the good ones — but there’s more to it than that. Criminals and other bad people have the motivation to learn how to get good anonymity, and many have the motivation to pay well to achieve it. Being able to steal and reuse the identities of innocent victims (identity theft) makes it even easier. Normal people, on the other hand, don’t have the time or money to spend figuring out how to get privacy online. This is the worst of all possible worlds.
So yes, criminals can use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing their bad things. At the same time, Tor and other privacy measures can fight identity theft, physical crimes like stalking, and so on.
The fact is that Tor is bound by its funding legislation and by the laws under which common carriers operate, since Tor has identified itself as such. They also have to know about the sort of stuff that’s populating the Tor network. The attitude of the Tor people, as far as I’ve been able to see from the documents that they post online, is “we are not responsible for anything that happens on our network.” I’m sorry, but just because criminals might be using another network for their activities doesn’t absolve you of the responsibility for making sure that your nose is clean.
For necessary expenses to enable the Broadcasting Board of Governors (BBG), as authorized, to carry out international communication activities, and to make and supervise grants for radio, Internet, and television broadcasting to the Middle East, $734,087,000: Provided, That in addition to amounts otherwise available for such purposes, up to $31,135,000 of the amount appropriated under this heading may remain available until expended for satellite transmissions and Internet freedom programs, of which not less than $15,000,000 shall be for Internet freedom programs: Provided further, That of the total amount appropriated under this heading, not to exceed $35,000 may be used for representation expenses, of which $10,000 may be used for such expenses within the United States as authorized, and not to exceed $30,000 may be used for representation expenses of Radio Free Europe/Radio Liberty: Provided further, That the authority provided by section 504(c) of the Foreign Relations Authorization Act, Fiscal Year 2003 (Public Law 107-228; 22 U.S.C. 6206 note) shall remain in effect through September 30, 2016: Provided further, That the BBG shall notify the Committees on Appropriations within 15 days of any determination by the Board that any of its broadcast entities, including its grantee organizations, provides an open platform for international terrorists or those who support international terrorism, or is in violation of the principles and standards set forth in subsections (a) and (b) of section 303 of the United States International Broadcasting Act of 1994 (22 U.S.C. 6202) or the entity’s journalistic code of ethics: Provided further, That significant modifications to BBG broadcast hours previously justified to Congress, including changes to transmission platforms (shortwave, medium wave, satellite, Internet, and television), for all BBG language services shall be subject to the regular notification procedures of the Committees on Appropriations: Provided further, That in addition to funds made available under this heading, and notwithstanding any other provision of law, up to $5,000,000 in receipts from advertising and revenue from business ventures, up to $500,000 in receipts from cooperating international organizations, and up to $1,000,000 in receipts from privatization efforts of the Voice of America and the International Broadcasting Bureau, shall remain available until expended for carrying out authorized purposes.
It galls me that the network that’s enabling the raid on people all over the world is maintained with funds from my government. Maybe it’s time to reconsider that funding. At the very least, there needs to be a greater degree of willingness on Tor’s part to clean up the mess that they are enabling and that’s threatening to spin out of control.