Ruling keeps lid on Carnegie Mellon hack of 'anonymous' Tor network
Computer users on the shadowy Tor network have put themselves at risk of being identified ever since researchers at Carnegie Mellon University figured out how to unmask them, a federal judge ruled this week.
Working for the Defense Department, scientists at CMU's Software Engineering Institute identified the Internet protocol address for Brian Farrell, who has been accused of helping run a massive online drug marketplace called Silk Road 2.0 on Tor, U.S. District Judge Richard A. Jones of Washington state's Western District wrote.
The ruling rejects Farrell's attempts to learn more about how the CMU institute identified him and about its military contracts.
“... Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network,” Jones said. “In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.”
The Tor network was originally developed by scientists at the Naval Research Laboratory with the goal of providing Internet anonymity for computer users. The network provides security for the military and pro-democracy dissidents around the world, but it also has served as a haven for illicit trading in drugs, weapons and child pornography, and for other criminal activities.
“The Tor network is secure and has only rarely been compromised,” officials at the Tor Project, a nonprofit in Cambridge, Mass., that supports the network, wrote in a blog post.
The network strips away identifying information about users as their messages pass through Tor, meaning communications should remain secret, they wrote in the blog post. The attackers in this case appear to have tampered with the user's traffic in the network, where it should not have been linked to a particular user.
“The Software Engineering Institute of Carnegie Mellon University compromised the network in early 2014 by operating relays and tampering with user traffic,” Tor officials wrote. “That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it.”
CMU Software Engineering Institute researchers identified Farrell's Internet address while operating the institute's computers on the Tor network, Jones wrote in his legal ruling. Federal investigators obtained the information from Carnegie Mellon under subpoena.
Richard Lynch, spokesman for CMU's Software Engineering Institute, declined to comment but referred to an earlier statement provided on the matter.
“One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected,” the statement reads. “In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas, and receives no funding for its compliance.”
Alexander Volynkin, a researcher at the CMU institute, and his colleague, Michael McCord, had planned to make a presentation at the 2014 Black Hat cyber security conference in Las Vegas demonstrating how the anonymity of Tor users could be defeated for $3,000, until university lawyers stopped them.
Long before that, Volynkin had warned in an interview with the Trib that the network, which transfers Internet traffic among volunteer-run nodes around the world, had flaws.
To use the Tor network, users must disclose their Internet address to other people running the nodes through which messages are routed, Jones wrote.
Tor's operators also have warned that their network has vulnerabilities, he said.
Taken together, that means users should know they could be identified, Jones ruled.
Officials at the Tor Project wrote that the judge does not fully understand how the network operates and affords users anonymity.
Andrew Conte is a member of the Tribune-Review investigations team.