Silk Road

FBI Beat Tor Anonymity Via Academic Research, According to Revelations from "Silk Road 2.0" Prosecution

Tor Project insists those vulnerabilities are not longer exploitable by law enforcement.


Some grim news snuck out from the "Silk Road 2.0" prosecution last week. Andy Greenberg of Wired gets right to the terrible point:

the FBI was able to bypass the anonymity software Tor—the central tool used by the Silk Road 2 and its buyers and sellers to evade the cops—with information they obtained from a subpoena to Tor-focused security researchers at Carnegie Mellon University's Software Engineering Institute.

In a ruling, judge Richard Jones of the Western District of Seattle wrote that Farrell's IP address was obtained through a subpoena to Carnegie Mellon while the university researchers were running an experiment on the Tor network designed to show how its anonymous users and servers could be identified.

Greenberg uses this as an object lesson in the dangers of doing that sort of info-hacking academic research; that it leaves you open to having the Feds swoop in and take what you've learned to use in criminal investigations.

What exactly is at stake is still somewhat ambiguous:

The FBI's subpoena could feasibly have even gone beyond private data to include the Carnegie Mellon's actual Tor-cracking technique…[but] exactly what the Carnegie Mellon researchers handed over to the FBI remains far from clear. But in an abstract on the website of the Black Hat hacker conference, where they planned to present their Tor-focused research in August of 2014, they described it as a serious vulnerability that would allow them to identify both Tor users and web servers that use Tor to hide their location, known as Tor hidden services. "Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know, because we tested it, in the wild…" the abstract reads….

Weirdly, that talk was never actually given, abruptly pulled from the Black Hat conference schedule, and a couple of months later, Greenberg notes without asserting a certain connection:

the FBI and Europol together launched Operation Onymous, a purge of the dark web that took down dozens of Tor hidden services including the Silk Road and several other top drug markets.

Europol told Wired at the time it didn't want to reveal exactly how it cracked the sites.

If in fact the government subpoenaed info from Carnegie Mellon that actually revealed enough that the feds could have replicated their Tor-cracking technique, this would be analogous, Greenberg notes, to what the feds want from Apple now in the San Bernardino terrorist phone case, getting a technique "just once" that could be reused in other cases.

The Carnegie Mellon crew might not have been that apt to fight such an subpoena, Greenberg also notes, as Apple is trying to do, as they receive a ton of Department of Defense funding.

The ruling in the prosecution of Brian Farrell, one of the accused operators of "Silk Road II," with the revelation.

Carnegie-Mellon does at least insist that, despite some reports, it lawfully obeys subpoenas, but isn't paid off specifically for doing so.

Vice Motherboard in reporting on the revelation reports the encouraging news that the particular vulnerabilities that Carnegie-Mellon found have been patched, according to this comment from The Tor Project:

"the Tor network is secure and has only rarely been compromised. The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it. The Tor network remains the best way for users to protect their privacy and security when communicating online."

Previous blogging on the "Silk Road 2.0" case as it broke.

NEXT: 9 Times Ben Carson Compared Modern America to Nazi Germany

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Greenberg notes that the Carnegie Mellon crew might not have been that apt to fight such an subpoena, as Apple is trying to do, as they receive a ton of Department of Defense funding.

    Maybe Apple is holding out for a lucrative defense contract. They could easily then be drafted into further future federal service like the eggheads at CMU.

  2. The FBI can suck it. They’ll never beat this Tor!

  3. Carnegie Mellon is as quick to snitch as Reason!

    1. I have nothing to contribute to this conversation.

      1. See the guy who just contributed mightily.

        1. Who you callin’ Guy?

          1. Oops Paul – I read that as “Says the guy….”

            Please disregard.

      2. I forgot you were one of the parties. So casual.

        Everything OK? Lemme know if you need help.

        1. It’s a trap!

          1. It’s a cookbook!

      3. Oh, I think you do.

        1. Oh, you want the Canadian FBI knocking on your door? All polite and dressed in red and on horseback? Is that what you want? IS IT????

          1. You think I live in an igloo, do you. Admit it.

  4. The ruling in the prosecution of Brian Farrell, one of the accused operators of “Silk Road II,” with the revelation.


    1. I now grasp what that non-sentence was trying to say.

      I blame matt welch.

  5. Tor is safe, until it isn’t.

    1. Nature of the beast

    2. So how did they beat the vulnerability, which is built into the way Layer 3 routing works on the Internet?

  6. Did I miss a thread on this?

    “FBI admits it wants access to even more smartphones”
    “FBI Director James Comey told Congress on Tuesday that if the government succeeds in forcing Apple Inc. to unlock an iPhone owned by one of the San Bernardino shooters, the case would establish a precedent that could be used to gain access to data in many more iPhones, an acknowledgement that runs counter to the agency’s earlier contention that the case is limited to a single device….”…..864178.php

    “[R]uns counter to” ~ ‘miss-spoke’ = lie.

  7. One of the problems Tor has that’s still a potential problem is the government’s use of end-to-end correlation. And with it presumed the government controls end points, this is always a concern.

    1. How can you say that about a DOD project???

  8. Trump’s new health care plan. Don’t get sick losers…..index.html

    1. “price transparency” to allow patients to “shop and find the best prices” for their medical care

      Of course, one suspects Trump will not cover procedures done in Malaysia.

    2. Don’t get sick

      Always a good idea.

      1. “Dammit, I paid *into* this system ….!”

    3. “and making individuals’ health insurance premium payments fully tax deductible.”

      If they’re not already deductible, uhhhh

    4. . . . repealing Obamacare, breaking down state barriers that prevent the sale of health insurance across state lines and making individuals’ health insurance premium payments fully tax deductible.

      God damnit Trump. Why you have to go starting to make sense?

    5. Fuck off, let me read Hayek in peace,

    6. This plan is actually decent, compared to everyone else’s plan. It is mostly deregulation and cutting taxes through deductions and HSAs. There is now exactly one thing to like about the short-fingered vulgarian.

  9. OT: who knew Rocky Dennis was a jurist.

    1. When asked to comment, the judge said “batlh qel supreme bo’DIj” in her native tongue.

      1. Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn?

          1. And yes, its sad that I can recognize it.

    2. Read that, but this story caught my eye while there.…..lbany.html

      For students and activists in Albany and elsewhere, the stakes were greater. Many feared that the hard-won dialogue over racism on campus, the fragile moment of unity, would disappear under a wave of finger-pointing.

      It sucks that the story was bs because it hurt the cause. FFS, if even 50% of the stories weren’t fake, they might have something.

      1. Sorry Sloop, for piggy backing your link 😉

        1. Don’t apologize. You classed it up.

          By the way, the DOJ has given immunity to the guy that set up clinton’s email server.

          Maybe that will actually get mentioned by reason. Unless, you know, Trump says something that can be taken out of context and/or blown out of proportion by tomorrow morning.

          1. “By the way, the DOJ has given immunity to the guy that set up clinton’s email server.”

            From your link:
            “He [HRC campaign mouthpiece] also said the campaign is “pleased” that Pagliano, who invoked his Fifth Amendment rights before a congressional panel in September, is now cooperating with prosecutors. The campaign had encouraged Pagliano to testify before Congress.”

            I’m sure they ‘encouraged’ him. With a carefully scripted set of ‘answers’ and instructions to plead A5 when it got sticky.
            ‘Way back when Nixon was getting the death of a thousand cuts, I remember wondering why immunity was granted to so-and-so. And then I read a bit and realized there was no way Nixon could now toss that guy to the wolves.
            Who knows?

      2. Any time the person in an Eagles jersey is the most civilized one in the video, there are no winners.

  10. I am a bit confused about why the government has the skills and resources to crack TOR but they cannot unlock the iPhone owned by the City of San Bernardino and used by a pair of Islamist kooks to facilitate a mass murder.

    1. They probably can. This is about setting a legal precedent.

    2. Paul,

      I’m generally negative about conspiracy theories and deep-state plots, but in this case I think probably the you are correct is close to 1.

  11. If Trump becomes POTUS what’s to stop the Senate from impeaching him? They’ll need a reason, but given who he is that won’t be long in coming.

    There will be enough folks in both parties that despise him that getting 66 votes to impeach should not be a problem.

    Who(m)ever his VP is might be acceptable enough to escape impeachment but if he isn’t and goes down at the same time as Trump, Paul Ryan could walk right into the Oval Office.

    1. Uh, impeaching a prez isn’t something that happens ’cause a lot of folks don’t like him; too many others are subject to that standard to make it fly in the cesspool of the Fed gummint.
      Not going to happen.

      1. This is why the incoming president – no matter party affiliation – never goes after the previous occupant or his associated circus of clowns; indict one and you’d have to indict every other one.

        Ugly as it is, a devil’s advocate could make a good argument for that behavior’s social utility; the lack of such unspoken decorum is a primary reason other presidents of other countries try so hard to be president-for-life – such an arrangement is the only way to avoid prison and/or execution. Maduro of Venezuela’s decisions increasingly will be motivated by that calculus, for example.

      2. My thought are similar.

        Though given things like the back and forth on the filibuster and election year SC nominations – both parties have shown an amazing amount of short-sightedness when it comes to pulling the trigger on these sorts ofthings.

    2. If Trump becomes POTUS what’s to stop the Senate from impeaching him?

      What’s to stop President Trump from letting the FBI and DOJ loose to charge HRC with security crimes. And while he’s at it, why not charge Eric Holder and Loretta Lynch with civil rights crimes. I have many reservations about Trump, but he not going to take a sucker punch.

  12. A?f?ter be????in??g fir??ed from my old job 6 months ago, i’ve had luck to learn about this great company online that was a lifesaver for me… They offer online home-based w0rk. My last month payment after working with them for 6months was 9000 bucks…ZW Great thi?ng ab?out it wa?s th?at only requirement for the job is basic typing and reliable int?ernet…If you th?ink this co?uld b?e for you th?en find o?ut more he?re?….


Please to post comments

Comments are closed.