Tor wars: CMU says FBI came not with cash, but a subpoena
University has broken its silence, but will that quell the critics?
Carnegie Mellon University has fired back in the TOR war, saying that it wasn't paid by the FBI to reveal its de-anonymisation research outputs.
The university's statement on the matter includes the following:
There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity.
Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI’s CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected.
In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.
The statement almost says, but not quite, that the university was complying with a subpoena in relation to its 2014 discovery that TOR could be attacked in a way that revealed user IP addresses.
TOR's interim CEO Roger Dingledine set the hounds running last week when he accused the university of taking the FBI's cash to crack TOR.
At the time, the university denied receiving payment, but didn't deny handing over data.
That has opened an ethical can of worms: the researchers spent some time on their de-anonymisation work without telling the TOR Project what was going on.
The IP addresses the researchers collected have been implicated in helping the FBI make arrests associated with Silk Road 2 and a child exploitation images case.