ShareThis Page

Ruling keeps lid on Carnegie Mellon hack of 'anonymous' Tor network

| Thursday, Feb. 25, 2016, 11:00 p.m.
Tor, free software downloadable from the Internet, allows users to send and receive encyrpted messages, and makes it difficult for authorities to track illicit transactions.
Andrew Russell | Tribune-Review
Tor, free software downloadable from the Internet, allows users to send and receive encyrpted messages, and makes it difficult for authorities to track illicit transactions.

Computer users on the shadowy Tor network put themselves at risk of being identified ever since researchers at Carnegie Mellon University figured out how to unmask them, a federal judge ruled this week.

Working for the Defense Department, scientists at CMU's Software Engineering Institute identified the Internet protocol address for Brian Farrell, who has been accused of helping run a massive online drug marketplace called Silk Road 2.0 on Tor, U.S. District Judge Richard A. Jones of Washington state's Western District wrote.

The ruling rejects Farrell's attempts to learn more about how the CMU institute identified him and about its military contracts.

“... Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network,” Jones said. “In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.”

The Tor network was originally developed by scientists at the Naval Research Laboratory with the goal of providing Internet anonymity for computer users. The network provides security for the military and pro-democracy dissidents around the world — but it also has served as a haven for illicit trading in drugs, weapons and child pornography and other criminal activities.

“The Tor network is secure and has only rarely been compromised,” officials at the Tor Project, a nonprofit in Cambridge, Mass., that supports the network, wrote in a blog post.

The network strips away identifying information about users as their messages pass through Tor, meaning communications should remain secret, they wrote in a blog. The attackers in this case appear to have tampered with the user's traffic in the network, where it should not have been linked to a particular user.

“The Software Engineering Institute of Carnegie Mellon University compromised the network in early 2014 by operating relays and tampering with user traffic,” Tor officials wrote. “That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it.”

CMU Software Engineering Institute researchers identified Farrell's Internet address while operating its computers on the Tor network, Jones wrote in his legal ruling. Federal investigators obtained the information from Carnegie Mellon under subpoena.

Richard Lynch, spokesman for CMU's Software Engineering Institute, declined to comment but referred to an earlier statement provided on the matter.

“One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected,” the statement reads. “In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas, and receives no funding for its compliance.”

Alexander Volynkin, a researcher at the CMU institute, and his colleague, Michael McCord, had planned to make a presentation at the 2014 Black Hat cyber security conference in Las Vegas demonstrating how the anonymity of Tor users could be defeated for $3,000 until university lawyers stopped them.

Long before that, Volynkin had warned in an interview with the Trib that the network, which transfers Internet traffic among volunteer-run nodes around the world, had flaws.

To use the Tor network, users must disclose their Internet address to other people running the nodes through which messages are routed, Jones wrote.

Tor's operators also have warned that their network has vulnerabilities, he said.

Taken together, that means users should know they could be identified, Jones ruled.

Officials at the Tor Project wrote that the judge does not fully understand how the network operates and affords users anonymity.

Andrew Conte is a member of the Tribune-Review investigations team. Reach him at 412-320-7835 or

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.