Early last year, Tor suffered a massive attack that compromised the anonymity of its users over a period of at least six months. Soon after, the FBI launched Operation Onymous, which dismantled
yet another round of darknet markets and left Tor developers and supporters desperately wondering what went wrong
. Last month, Tor then dropped
a bit of a bombshell: it claimed the FBI paid researchers at Carnegie Mellon $1 million to conduct a Sybil attack on the network. Running from January to July of 2014
, CERT used just $3,000 in hardware to flood the Tor network with additional new relays that then modified Tor protocol headers to do traffic confirmation attacks.
As it turns out, a new report from Kashmir Hill at Fusion notes that Tor developers had ample forewarning that something was going wrong
. In fact, a Tor supporter sent a message to the Tor mailing list
early in 2014 highlighting the odd behavior of these computers, but it was effectively brushed aside by Tor developers
as nothing to worry about. That has of course raised concerns among the 2 million people that use Tor every day -- activists, human rights workers, journalists, and security-minded computer users among them. The revelation has obviously also devastated the reputation of Carnegie Mellon and the CERT Coordination Center
Both the FBI and the university continue to deny the claims, for whatever that's worth:
“The allegation that we paid CMU $1 million is inaccurate,” said a FBI spokesperson.
Meaning, if you're familiar with semantic FBI parlance, that it probably paid a few specific researchers (not the University itself) $999,999.
Regardless, Hill's new report provides a lot more insight into the attack by Tor chief architect Nick Mathewson, who admits it wasn't the developers' finest hour, noting that he originally overlooked the threat because he believed it was too ham-fisted to actually be performed in the wild:
"I don’t think this is the best response we’ve ever done to an attack situation,” said Mathewson by phone... "It didn’t occur to me that they would run the attack in the wild on random users," said Mathewson. “The way the attack was structured, it was a bad attack for anyone to get away with it. Once detected, it was very easy to block. It didn’t seem to me like a deep threat."
Of course, the end result of this oversight was not only the arrests and darknet site closures from Operation Onymous, but Operation Shrouded Horizon -- which targeted the Darkode black marketplace. And the markets are still reeling. Though it's always hard to differentiate an exit scam (where the site just runs away with the money held in escrow) from security concerns, numerous markets (like Middle Earth Marketplace) recently went offline claiming they're trying to implement upgrades that will make their drug bazaars more secure.
But Mathewson is quick to make the obvious point that while these arrests primarily targeted child pornographers and drug dealers, the attacks targeted everybody
. And the use of supposed objective academics as attackers, the lack of warrants, and the lack of institutional oversight by Carnegie Mellon's Institutional Review Board sets a disgusting precedent for the security community:
"There’s an argument that this attack hurts all of the bad users of Tor so it’s a good thing,” said Mathewson. “But this was not a targeted attack going after criminals. This was broad. They were injecting their signals into as much hidden services traffic as they could without determining whether it was legal or illegal." "Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities,” wrote Dingledine in a Tor blog post, which also questioned whether Carnegie Mellon had gotten approval from an institutional review board, a process that exists to ensure that academics don’t harm human research subjects."
For what it's worth, Mathewson says the Tor team has made numerous code changes to better scan the Tor network for potential threats, and are working on an as-yet unfinished revamp of the hidden services design over the last year. Tor is also working on what Mathewson calls a "new cryptographic trick" that will allow a hidden services directory to send Tor users to a hidden site -- without the directory knowing where it's sending them. The developers have also apparently learned a thing or two about trust, Mathewson stating they're no longer "extending security researchers the benefit of the doubt on anything." Good idea.
The central question of course is whether Tor has the manpower needed to keep such an integral technology operational and secure. Eighty percent of Tor's $2.5 million budget still comes from the government, so Tor is operating a crowdfunding campaign
to expand the funding base for obvious reasons. But Tor only has 22 full- and part-time employees, and 10 volunteers and academics who consistently contribute code, which directly contributed to the attack not being taken seriously earlier. As such we're left wondering if Tor can be trusted moving forward and, if not, what comes next for the millions of users that depend on Tor for perfectly-legal anonymous communications?