On February 24, Vice's Motherboard tech blog announced that it had discovered the FBI hacking the Tor online privacy network with a generous amount of assistance from Carnegie Mellon University (CMU). Motherboard's research into this attack and the resultant court cases spans six thorough articles on this topic going back to November 2015. Despite their respectable efforts, there are stones yet unturned, as the case is a metaphorical rock garden of discovery. A few more stones will be flipped below and turned into dots that connect.
The case concerns prosecutions arising from the FBI's investigation into and infiltration of the Silk Road 2.0 website. The site could only be accessed through the Tor anonymous browser and was an online black market hub. Tor is open-source software and was produced to give users anonymity and bypass government censorship.
The FBI made a handful of arrests and there were resultant prosecutions. During the pre-trial motions, it became clear that the FBI had compromised the identity of at least 80 Tor users, most of whom had committed no crime. Rather than obtaining a warrant through the FISA courts, the FBI simply used “security research” by CMU. The FBI was tight-lipped, and when CMU was further investigated it produced a subpoena from the FBI.
This attack from CMU was not the first time the Tor network had been compromised at the behest of the FBI. In August 2013, Wired Magazine's Threat Level blog reported that Science Applications International Corporation (SAIC) had previously inserted malware into Tor-accessible sites and was collecting user data on its server in Herndon, VA. SAIC is a key defense contractor. Research shows that SAIC had no specific unclassified contract to produce the software.
This is mirrored by CMU having no specific contract to produce software or research for the FBI. The division of CMU that provided the “research” to the FBI is called the Software Engineering Institute (SEI).
SEI was initially funded in 2005 by a 411 million dollar contract from the federal government. According to Motherboard this was Defense Department contract number FA8721-05-C-0003. The contract was renewed in July 2015 for an additional 1.73 billion dollars. Motherboard's reporting was correct but imprecise. The contracting agency is actually the Air Force Materiel Command, through its sub-agency the Electronic Systems Center Plans and Programs Directorate.
In 2012 the Air Force subsumed this command into the Air Force Life Cycle Management Center, which still answers to the Air Force Materiel Command and has the same assets. This is the part of the Air Force that handles equipment for Command, Control, Communications, Computers, Intelligence and Reconnaissance, or C4IR, and works with the FAA and NASA as well as foreign partners in NATO. On paper, it has no direct working relationship with the FBI.
The contract is for the actual establishment, from the ground up, of SEI as a defense-associated research organization. Through the contract, other resident partners (corporations) are brought in, on a small scale, to conduct research and improve their own products. Apple and Google have both participated and are tenants in the center. A less famous and less trumpeted tenant is SAIC.
Although SAIC's recorded participation in contract FA8721-05-C-0003 does not include any software as a deliverable, it does engage in joint software projects with SEI. These include a “smart grid” electric utility management and security system and prototype unmanned semi-autonomous land vehicles for the Army. SAIC's relationship with CMU predates the contract and goes back at least to 2003.
It appears that SAIC secretly deployed Tor de-anonymizing software for the FBI sometime prior to 2013. The FBI was rumored to have some capability in this area as far back as 2007. The Tor Project, which maintains the free and open software, always patches known security flaws within days of their discovery. They claimed to have patched this hole within 48 hours.
The exploit of this security hole may have existed as far back as 2013. SEI researchers were slated to give a presentation at the July 2014 Black Hat conference. They deleted their synopsis and withdrew the presentation through CMU's lawyers. A paper on the topic was to be presented at the 2014 ACM Conference on Computer and Communications Security. It was accepted and then withdrawn.
The research, which is funded through an unclassified contract with a non-profit, should be in the public domain. Officials at the Tor Project claim that the FBI paid SEI 1 million dollars to hack the Tor network. The FBI denies this claim. CMU-SEI's comments on the issue seem to have the same availability as their research.
The path of money leads from the Air Force, through a non-profit associated with a major private university, to a defense contractor and then to the FBI. Thus, so-called private academic research is being used by the military to create military-grade information warfare tools, which are then deployed in secret by domestic law enforcement without a warrant, violating the privacy of dozens if not hundreds of people in no way involved with illegality other than having a desire for privacy that the FBI does not support.