Carnegie Mellon Tor Attack Confirmed

Despite repeated denials by the US government, a federal judge has now confirmed that Carnegie Mellon University (CMU) was commissioned by the government to break the encryption of the ultra-secure Tor network.

Tor, the so-called “onion router,” is a privacy network that hitches a ride over the regular internet. Like an onion, each layer is opaque to the other. Connect to an entry node to the network, and the darknet is laid out before you. There, a range of users roam, from privacy-aware law-abiding citizens, to the seedy underbelly of society. The drugs marketplace Silk Road found its home there until it was shut down, and child pornography is spread through sordid sites on the network.

But journalists and activists under oppressive regimes find an unmonitored means of communication through the network, and even the US International Broadcasting Bureau (think Voice of America and Radio Free Europe) supports the development of the network.

Details of the operation are murky, but a few things are clear. It was not the FBI that approached CMU, as was long suspected, but an agency under the Department of Defense umbrella. This points, in all likelihood, to either the National Security Agency (NSA) or the whacky kooks at the Defense Advanced Research Projects Agency (DARPA).

CMU’s Software Engineering Institute (SEI) operated a large number of entrance and exit nodes on the network in order to unmask and deanonymise the network and its users. The attack relied on a number of vulnerabilities in the software, and could potentially unmask new servers within a fortnight. This led to the arrest of Brian Farrell, the operator behind Silk Road 2.0. It is through his case that details of the cooperation have emerged. Most details of the case are still under wraps, and it is unclear if they will be released.

The Tor Project told Motherboard that “The Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it. The Tor network remains the best way for users to protect their privacy and security when communicating online.”