Carnegie Mellon Hits Back at $1m FBI Payment Allegations

Carnegie Mellon University has hit back at claims it was paid $1 million by the FBI to research ways to de-anonymize users of the Tor network to help the Feds investigate alleged crimes.

In a statement posted to the famed university’s site, it slammed what it described as “inaccurate media reports.”

It continued:

“Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.

In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.”

The statement seems to suggest the FBI didn’t pay the university to carry out the alleged Tor research but instead issued it with a subpoena.

However, some will argue that the researchers should have told Tor of their work, which was carried out over a six-month period.

They apparently found a flaw in the network which they exploited by adding new relays and then modifying Tor protocol headers to carry out traffic confirmation attacks.

This gave them the IP addresses and ultimately the identities of some of its users. The FBI is said to have used the information it obtained via the research to arrest one person on suspicion of involvement in the notorious Silk Road drugs marketplace and another in connection with possession of child sex abuse images.

The university certainly recognized it was doing something pretty controversial because its lawyers apparently pulled a presentation on the research—Deanonymizing Users on a Budget—planned for Black Hat last year.

The Tor Project has yet to respond to this latest statement.

It must be said that its blog post last week accusing the university didn’t have much proof for the FBI bribe claim—merely stating “We have been told that the payment to CMU was at least $1 million.”
