When we learned of this vulnerability last year, we patched it and published the information we had on our blog: Legitimate privacy researchers study many online systems, including social networks - If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users. Such action is a violation of our trust and basic guidelines for ethical research. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.
There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We have been told that the payment to CMU was at least $1 million.
Here is the link to their (since withdrawn) submission to the Black Hat conference:Īlong with Ed Felten's analysis at the time: We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future: Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes.
The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem.
0 kommentar(er)
