Professionalism/Tor, CMU, and the FBI

Tor

Tor stands for The Onion Router. It is software and an open network that helps improve individuals' privacy and security by enabling anonymous communication. Tor also helps users defend against traffic analysis, which is a form of network surveillance.[1] Traffic analysis is the process of intercepting and examining messages to deduce information from patterns in communication.[2] Tor defends users from traffic analysis through onion routing, which allows users to be anonymous. Tor prevents anyone watching a Tor user's internet connection from tracking the sites they visit, and prevents the sites that Tor users visit from learning their physical location.

History

The concept of onion routing was first proposed in 1995, when it was first funded by the Office of Naval Research. The Defense Advanced Research Projects Agency (DARPA) later helped out in 1997.[3] The Tor network was deployed in 2003, and its code was released under the free and open MIT license. Since then, funding for the Tor Project has been provided by a number of different sponsors, primarily users.[4]

Operations

 
Tor Onion Network.

The idea of onion routing is simply to wrap traffic in encrypted layers, like an onion, in order to protect the contents of the data as well as the anonymous identity of the sender and receiver. On a high level, Tor encrypts and then randomly bounces communication from your computer to destinations through a network of relays, or a series of intermediate computers run by volunteers around the globe.[5]
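
Added example (not from the original page or the Tor Project): the layering described above, with each relay peeling one layer and learning only its next hop. A toy SHA-256 keystream stands in for real encryption and per-relay keys are assumed to be already shared; the relay names, `example.org` and the message are constructed.

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Stand-in only, not real Tor crypto."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def wrap(path, destination: str, message: bytes) -> bytes:
    """Client side: build the onion from the innermost layer outwards.

    path is a list of (relay_name, key) in the order the traffic travels.
    Each layer holds "next hop\\n" followed by the still-encrypted inner layers.
    """
    next_hops = [name for name, _ in path[1:]] + [destination]
    onion = message
    for (_, key), hop in reversed(list(zip(path, next_hops))):
        onion = keystream_xor(key, hop.encode() + b"\n" + onion)
    return onion

def peel(key: bytes, onion: bytes):
    """Relay side: remove one layer and learn only the next hop."""
    hop, _, inner = keystream_xor(key, onion).partition(b"\n")
    return hop.decode(), inner

def route(path, onion: bytes):
    """Pass the onion along the path, recording what each relay can see."""
    seen = []
    for name, key in path:
        hop, onion = peel(key, onion)
        seen.append((name, hop, onion))
    return seen

# Constructed sample circuit: relay names, keys and destination are made up.
PATH = [(n, os.urandom(16)) for n in ("guard", "middle", "exit")]
MESSAGE = b"GET /index.html"

if __name__ == "__main__":
    for name, hop, visible in route(PATH, wrap(PATH, "example.org", MESSAGE)):
        print(f"{name:6} forwards to {hop:11} sees {visible[:16]!r}")
```

Only the last relay in the path sees the plaintext and the destination; the first relay sees the sender's connection but neither of those.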

Users

People use Tor to communicate socially sensitive information, maintain their civil liberties, access services blocked by internet providers, publish websites and other services anonymously, and prevent identity theft. Tor enables freedom of speech, especially for those living under oppressive regimes, and protects human rights activists working overseas from prosecution. Many news organizations use it to protect the privacy of whistleblowers. It is also being increasingly used by domestic violence victims and the social workers and agencies that assist them.[6]

Ethical Dilemmas

Tor hides the destination and source address of its users and can be used for both legitimate and malicious purposes. Tor can promote criminal activity since it gives users the impression that they can avoid getting caught by authorities.[7] Most individuals who use the internet tend to access only the visible layer of the internet. This, however, only accounts for approximately 1% of the internet. The other 99% of the internet is referred to as the Deepnet. The Deepnet is the layer of the web that is not easily accessed: its websites are not indexed by search engines and can only be accessed by a handful of people. These websites belong to the dark web.[8] Tor facilitates use of the Deepnet by providing links to these hard-to-find links. These links are difficult to access since they do not use friendly links. The Deepnet contains websites that allow for criminal activity, such as hiring a killer or contracting a hacker. And this is just scratching the surface: the deeper you dive into the Deepnet, the darker the content gets. In addition, tracking nefarious Tor users, even when possible, demands an infeasible amount of time and effort from law enforcement agents.

Attack on Tor by CMU

Sequence of Events

In the summer of 2014, researchers at CMU's security research institute published the abstract of a paper they intended to present at "Blackhat 2014", a computer security research conference. The abstract suggested that CMU had discovered a covert way to de-anonymize and identify TOR users mathematically at minimal cost (around $3000, presumably for server space) [9]. Days before the conference, the presentation was cancelled [10].

Initially, the TOR community did not react to this news. A few months passed without incident. Then, later in the year, several high-profile users of the TOR network were arrested, and their sites were seized by the FBI as part of "Operation Onymous" [11]. The Silk Road 2.0, a massive online drug dealing portal run by the infamous Dread Pirate Roberts (DPR), was among these targeted sites. Investigators with the FBI had previously claimed that DPR was, in fact, a man by the name of Ross Ulbricht. Several accomplices of his, running the site in his absence, were also captured. Ulbricht and his accomplices were sent to prison, with Ulbricht serving for life in New York Metropolitan [12].

Active members of the TOR community were suddenly frenzied. Somehow, the FBI had overcome the TOR network's anonymity. Seeing this panic, Roger Dingledine, a director of the Tor project, accused the FBI of paying CMU $1 million under the table for the technology they had supposedly developed earlier[13].

Technology

By design, TOR puts a lot of trust into the "exit nodes" of the system. These are the nodes at the last layer of the network which talk directly to end users. If you control the exit nodes, you control the system. Smaller scale attacks may have taken place in the past using this mechanism [14]. It is, however, very hard to take advantage of this at scale. TOR has checks and balances in place to ensure that no untrusted nodes are periodically switched out. The TOR community is structured such that mass analysis of TOR traffic can't realistically be executed by exit nodes unless you control all of them, and this requires the trust of all members of the network.

For this reason, it is believed that CMU discovered an alternate means of overcoming TOR's anonymity. Even though they couldn't effectively use exit nodes, they knew that the middle "relay" nodes were essentially unregulated. By creating thousands of these relay nodes and analyzing the traffic that went through them, CMU researchers began to see patterns. With statistical analysis and some clever traffic interception techniques, it is believed that this is how they were able to de-anonymize those using TOR to mask their identity [15]. Between the release of their abstract and the arrest of Ross Ulbricht, CMU and the FBI would have had several months to collect data and work out who was who in the network, all with no access to the exit nodes [16].

Professionalism

Tor's Stand Point

After the FBI investigation into the Silk Road 2.0 became public, Tor believed that researchers at the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU) were paid by the FBI in exchange for their research, which can compromise Tor's hidden service network. The Tor Project posted a blog article mentioning that they were told that CMU had received one million dollars for this exchange.[17]

Roger Dingledine, a co-founder and a director of the Tor Project, accused SEI of providing this Tor-breaking research information to the FBI in exchange for money. According to the letter sent by Roger Dingledine to WIRED, the FBI, using SEI's technique, first collected massive amounts of data by sweeping the Tor network, then searched it to find the people who committed crimes on the network. Although the FBI's investigation was meant to serve justice, Dingledine found that in most cases it invaded the privacy of innocent users and was therefore a violation of the basic guidelines of ethical research.[18] It was verified that the FBI did use SEI's exploitation of the Tor network to shut down Silk Road 2.0, arresting the administrator and staff of the dark web site.

The foundation of Dingledine's accusation against CMU was that CMU received payment from the FBI for their research. When people wanted to verify the reliability of this information, Roger Dingledine told WIRED that his primary source was a friend in the security community.[19]

It can be confirmed that criminals are using Tor for malicious purposes. However, Tor doesn't believe that their network significantly enables criminals to commit crimes. According to Tor, criminals are already doing bad things and breaking the law, regardless of whether Tor exists or not. They believe that there are many better options available to criminals to protect their identity. One of the given examples was that criminals can steal a phone, use it for malicious purposes, and throw it away, and therefore not be traced. Their main standpoint on the ethical dilemmas surrounding Tor is that criminals have other, better options than Tor; therefore, terminating Tor's service will not stop the criminals from committing crimes online.[20]

CMU's Stand Point

On November 18th, 2015, CMU made a statement related to the Tor attack. According to CMU, this statement was made to prevent inaccurate information from leaking out. The statement was short and did not mention anything about Tor, payment, or the FBI; however, it stated that the SEI of CMU is a federally funded research and development center (FFRDC) with the purpose of researching and identifying software and computing network vulnerabilities so that they can be corrected. It also mentions that the university is served with subpoenas from time to time when information is requested on the research that they have performed.[21]

CMU claimed that they have not received any payments from the FBI to attack the Tor network. However, they are not denying that they have provided data on Tor to the FBI. CMU did so to serve and comply with legally issued subpoenas, not because they were paid. CMU also stated that they did not receive any funding for its compliance.[22] In Motherboard's follow-up article, when the FBI was asked how they knew about CMU's project on attacking the Tor network, FBI spokesperson Jillian Stickels stated that Motherboard should ask CMU to get an answer, since the release will probably come from CMU, if this information will be released at all. However, CMU has not responded to this particular question yet.[23]

Professionalism

One may ask whether CMU was being unprofessional by receiving funds from the FBI. The SEI of CMU is a research center funded by the federal government; thus, there is nothing wrong with receiving funds from another federal agency, the FBI. The factor that determines whether CMU was professional or unprofessional will be whether they crossed a line to get the job done. Likewise, the FBI funding SEI to conduct research on Tor itself is considered unprofessional, unless they asked SEI to cross the line in exchange for funds.

References

  1. https://www.torproject.org/
  2. http://smallbusiness.chron.com/computer-surveillance-techniques-50593.html
  3. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.728.3577&rep=rep1&type=pdf
  4. https://www.torproject.org/about/sponsors.html.en
  5. https://www.torproject.org/about/overview.html.en#whyweneedtor
  6. https://www.torproject.org/about/torusers.html.en
  7. http://io-tech.net/the-onion-router-ethical-dilemma-in-tors-network/
  8. http://money.cnn.com/2014/03/10/technology/deep-web/index.html
  9. http://securityaffairs.co/wordpress/26395/hacking/tor-network-broken.html
  10. http://www.securityweek.com/tor-security-talk-cancelled-black-hat-conference
  11. https://www.wired.com/2014/11/operation-onymous-dark-web-arrests/
  12. http://www.nysd.uscourts.gov/cases/show.php?db=special&id=416
  13. https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users
  14. https://hackertarget.com/tor-exit-node-visualization/
  15. https://blog.torproject.org/category/tags/cmu
  16. http://fusion.kinja.com/the-attack-that-broke-the-dark-web-and-how-tor-plans-to-1793853221
  17. https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users
  18. https://www.wired.com/2015/11/tor-says-feds-paid-carnegie-mellon-1m-to-help-unmask-users/
  19. https://www.theregister.co.uk/2015/11/17/milliondollar_hole_in_fbi_tor_story/
  20. https://www.torproject.org/docs/faq-abuse.html.en
  21. https://www.cmu.edu/news/stories/archives/2015/november/media-statement.html
  22. https://motherboard.vice.com/en_us/article/cmu-implies-it-gave-up-silk-road-2-data-under-subpoena
  23. https://motherboard.vice.com/en_us/article/carnegie-mellon-university-attacked-tor-was-subpoenaed-by-feds