The million-dollar hole in the FBI 'paying CMU to crack Tor' story

Researchers and writers blur lines, cause problems

The dangerous flaw in the tale

But the $1m turns that story on its head. If true, suddenly we have the federal authorities paying a university to carry out investigative work on their behalf.

That is a very much more serious situation but it is one predicated on a single line in a single blog post: "We have been told that the payment to CMU was at least $1 million."

The evidence for this claim is weak at best. It's no wonder the FBI and Carnegie Mellon are unhappy about it, and they have every right to be – far be it from us to run to the defense of a moneybags university and powerful federal agency. The problem is that making an unsubstantiated claim that is much more serious than the original issue is liable to detract from the real issues.

There are still serious questions to be asked – but probably not of the FBI. For one, why did CERT not inform the Tor Project about a critical security flaw in its software? Is it because the Tor network is a high-priority target for law enforcement? Or does CERT itself have a flawed disclosure policy that needs reviewing?

Just how cozy is the relationship between CERT and the US government? We know, thanks to Edward Snowden, that the NSA uses security flaws in software as a way to carry out covert surveillance. But where does it find those flaws? Is CERT feeding the US establishment with at least some of the valuable software holes it uses?

At least one respected security researcher has since pondered aloud whether CERT's credibility is now under question.

Another question: how does Carnegie Mellon separate research carried out under its name from research carried out by associated entities paid for by the US government? And how does it resolve conflicts and crossovers between the two? Whom are researchers representing – CERT or Carnegie Mellon?

And finally: what about the other 45 federally funded research and development centers (FFRDCs)?

Do similar policies – or lack of adequate policies – exist at the Princeton Plasma Physics Laboratory? What about at the Lincoln Laboratory at MIT? Or the Johns Hopkins University Applied Physics Laboratory?

We count eight FFRDCs at universities across the United States. And they add to the 15 "university-affiliated research centers" (UARCs) across the country. All are funded by the federal government and closely associated with researchers at independent universities.

There are very good reasons why academic study is kept separate from the often very different goals of the federal government – particularly law enforcement. In this case, the suggestion that the FBI paid a university to acquire specific actionable information appears far-fetched.

But the case of Carnegie Mellon, CERT, and Tor should serve as a warning to everyone that the line is too easily crossed. ®
