
The response by Patio11 regarding how this was acceptable penetration testing was beyond stupid.

Just because you are a university researcher does not mean you can take money and then attack some random company and say LOL JK just doing "Research". Universities have enormous computing power / resources available via various means to do research. Just because I have access to a thousand node cluster does not mean I can randomly launch a DDoS attack against some company and then claim "Research". This is equivalent to those YouTube videos where at the end they justify assault and other egregious behaviour claiming "Social experiment" or "Prank".




This is perhaps the most unnecessarily rude comment to be at the top of a hacker news thread in some time. Let's all remember that disagreeing with someone doesn't mean being glib or mean.


[flagged]


Anonymous random new account, I don't know how intimidated you think I'm going to be by whatever your academic credentials will turn out to be when you reveal them, but nobody I know in security research is talking about this Tor work the way you are, or would take umbrage at what Patrick said. Patrick knows what he's talking about.


Dude, the fact that nobody you know is worried should be the first clue that something is really wrong or you are hanging out with the wrong people. Security, Privacy & Data Mining research are ripe for bureaucratic takedown. Incidents like these will only lead to harsher requirements and stifle future research. It's essential for the security community to police itself. As far as Patrick knowing what he's talking about, I do not take anyone who has never published a research article, let alone an abstract, seriously.

We have access to hundreds of millions of medical records; if we were to throw integrity, ethics and morality out of the window, the results would be spectacular enough to warrant front-page news in all major newspapers. And it would completely destroy any future medical research in this field, since we would have betrayed public trust.

Oh, and guess what: we are exempt from IRB. The true reality is that research to a large extent cannot be completely controlled / monitored. It is thus extremely essential for a research community to hold itself to some ethical standards.


I'm not sure what the last part of your first paragraph was supposed to mean, but if I wanted to compare my own computer security cite record with yours, would I search scholar.google.com for "AMEDICALRe"?

You've misread Patrick's messages to spectacular effect, leaving me with the impression that you were simply champing at the bit to jump at him and his silly bingo card site.

Tor chose world governments as their adversary, and if $1MM was all it took to buy unmasking of users, they failed. That's important information, and regardless of CMU's ethics (and I think this was an ethical lapse), the revelation that there is or was a flaw of that scale is a service to the Internet.


To his credit, I'd guess he's not sharing his bona fides because doing so would jeopardize the program he alleges to be involved in, and there isn't a particular reason to doubt the veracity of his claim by virtue of his creating an anonymous account to protect said program.

While his passion for the issue has made his message more aggressive than you'd like, don't dismiss his claim because you believe he's just full of piss and vinegar. Looking past the totally unrelated arguments about his identity, I don't have any difficulty believing what he's said. I know several folks in American academia who have stated unequivocally that the amount of computing power and data analysis ability available to them would make Dr. Evil blush.

Let's be honest and set emotional responses and character assault aside here. If you take the emotion out of what he said, can you honestly say the rest of it is bullshit? It rings true to me, and he's right: if academia, which is generally held by the public to be above the sort of cloak and dagger stuff that happened with Tor, lost its way and tossed their ethics out the window ... Well, that's a Bad Thing in ways we can only begin to understand. Who's left for us to trust?


It is totally fine if they disagree with me. What's not fine is the way they chose to express their disagreement: by taking umbrage at the idea that anyone, let alone the author of a Bingo Card site, would have an opinion contrary to theirs.

I don't even think I disagree with the second part of 'AMEDICALRe's root comment. But of course, that comment has very little to do with what Patrick actually said. Patrick is responding to the fact that an anti-surveillance tool that chose as its adversaries all the world's governments was broken for a sum of money any angel investor in SFBA could have coughed up.


Fair enough. But I would argue that qualifying Tor as a group targeting world governments is a bit dramatic. That may be propagandist commentary on their part - they're entitled to make it, and people still use Tor in spite of it - but isn't the primary intention of Tor to preserve free speech and anonymity, and to offer protection from persecution (or prosecution) by nation-states that seek to quell dissent? And if all the world's governments are truly the stated target of Tor, why on earth should an American academic institution insinuate itself into that battlefield? For that matter, given the stated powers of our government's network and data analysis engines, why were they even needed?


They provided information "on that battlefield" that shows that Tor is wholly inadequate to "offer protection from persecution by nation-states". If you're in a place where your life is on the line and you think Tor will help you, this shows clearly that is incorrect. That is useful, even critical information, since lives depend on it. Maybe you don't know the source or the method but the output is very valuable.


That's only somewhat true, though. Russia tried to break Tor's anonymity and failed.

http://www.bloomberg.com/news/articles/2015-09-22/russia-s-p...


> I would argue that qualifying Tor as a group targeting world governments is a bit dramatic. That may be propagandist commentary on their part - they're entitled to make it, and people still use Tor in spite of it - but isn't the primary intention of Tor to preserve free speech and anonymity, and to offer protection from persecution (or prosecution) by nation-states that seek to quell dissent?

I don't understand what you're trying to say. Surely, if the primary intention of Tor is to protect users from persecution by nation-states, then their adversaries are world governments?


> was broken for a sum of money any angel investor in SFBA could have coughed up.

Perhaps nitpicking, and a bit tangential to this debate, but I can't imagine the $1m on its own would be enough to break it.

I imagine they have some fairly beefy research budget with existing infrastructure, substantial computing power and prior research experience to begin with. So quite a tall giant to stand on. If I had to guess, the $1m was only there to cover time spent on this very specific task at hand, and for allocating researchers' time away from other tasks...


I find it weird that such a seasoned academic researcher would completely gloss over the distinction between academia and an FFRDC.


the revelation that there is or was a flaw of that scale is a service to the Internet

Right on all points regarding Tor's failures, except this above is the crux of the problem. Specifically, that the researchers did NOT disclose this to either the Tor project or the broader security community. They disclosed it to the Feds, pulled their presentation, and sat on it presumably forever until third parties smelled something fishy.

Patrick and you are correct in your criticism of the criticism, but the fact that academic security researchers have become obsequious functionaries to state power is a MUCH larger issue here, so much so that you are arguing at completely orthogonal purposes to many of us.

My guess is that this orthogonality is lost on AMEDICALRe, and theirs on you.


Where do you think Tor came from in the first place? The US Naval Research Lab. Why do you think the USG went to CMU for this research? Because CMU has been a bastion of state-funded computer security research since the 1990s.

No, the big story here is that Tor was broken for a pittance. But that story is a lot less fun than demanding scalps from CMU, because it suggests that you might not in fact be able to thwart national SIGINT agencies with volunteer open source projects, and we nerds demand a monopoly on technological skill.


Do you think it was broken for $1M without using an already existing computing infrastructure that cost much more? I'm more interested in knowing how much the real total cost involved here is. Maybe it's not a pittance that any VC in SV could cough up.


"No, the big story here is that Tor was broken for a pittance."

That was my prediction and take-away from this. I've constantly warned against relying on Tor to stop nation-states. Its requirements, especially synchronous and performance, make the anonymity goal ridiculously difficult.

That the attacks are still so inexpensive is more disturbing. Opens up doors to non-nation-state attackers that have money and connections to smart people.


> We have access to hundred of millions of medical records

They're not anonymized?

When I'm asked to provide data to medical researchers it also has to be anonymized.


Is HIPAA not a factor here?


The problem is that people are outraged that they attacked Tor when they should be outraged that they attacked Tor users.

Given what the Tor project thinks to be, it needs smart people to poke it.


Right; the ethical experiment here would be to set up one's own private Tor network and then attack that. (Think that requires a lot of effort? Well, yeah; that's why you do it as part of a university with grant funding!) This would also have the bonus effect of being able to instrument all the nodes, so you could see the effects of your attack flowing through the system in a white-box manner.


Some of us are more outraged by the fact that they kowtowed to authority on the BlackHat presentation, and had a disclosure policy that favored the Feds over both the Tor project and the entire security community.

The CMU researchers are basically Sabu. Subhuman traitors to the hacker ethos.


I doubt they ever particularly cared about the mantle of 'hacker' and whatever ethos is supposed to go with it. That makes it hard for them to betray it.


If you had cut the ridiculous and mean first sentence out of this comment it would have been fine, but then, as you know, nobody would have cared about it, because you'd have been saying nothing everyone else hadn't already been saying.


Why do you copyright your comments?


flippant answer—tptacek doesn't "copyright" anything. in territories that recognize the Berne Convention of 1989, everything created that meets the standards for copyright is protected by copyright. you can't "copyright" something—something either is, or isn't, protected by copyright. IANAL, but as tptacek's comments are tangible forms of creative works, they are trivially protected by copyright

less flippant answer—because he's probably had problems with people stealing his answers and posting them on other forums or similar issues.


A minor nit, from his profile at https://news.ycombinator.com/user?id=tptacek

All comments Copyright © 2009, 2010, 2011, 2012, 2013, 2015, 2018, 2023 Thomas H. Ptacek, All Rights Reserved.


His actual statement:

> Tor is having a fit of institutional pique that researchers are compromising the network's privacy guarantees by, well, looking at it.

> If you write security software, and you're not praying that loyal opposition hits you with everything they've got, you're not doing security

> Tor is intended to be, and is marketed as, robust against nation state adversaries. It cannot possibly be so if it worries about academics.

Two interpretations:

1. It's OK to go after Tor. This is dead wrong - attacking a network without permission is very bad form. Maybe it's OK to do the equivalent of checking to see if someone's front door is locked (this is a grey area), but only if you intend to warn them that their door's unlocked. Going through their stuff is obviously unethical (and probably illegal).

2. Tor should be more permissive, encouraging more attacks from researchers.

Obviously, the researchers crossed the line when they started gathering user data. But Tor should only be upset that the attack went too far, not that the attack succeeded.

I'm not sure of the context - was the Tor community pissed off that researchers found a weakness, or pissed off that the weakness was exploited?

Twitter is a pretty poor platform if you want nuance, so it's probably best to be charitable in your interpretations of what people say there.


> The response by Patio11 regarding how this was acceptable penetration testing was beyond stupid.

Actually, from a security perspective, it's quite understandable. If you provide a tool that claims to be safe from state actors, they can use that kind of power to attack it.

That said, if it didn't pass the usual protocols at the university for ethical standards they can and should be fired regardless of the client or reason.


What was the patio11 comment? It seems to have been deleted, making this thread a bit harder to follow.


I believe it was a tweet https://twitter.com/patio11/status/664551822120476672 which was interpreted as chiding the victims for being thin-skinned in the attack upon them. (Secure systems thrive and survive only if they can take on all stressors and remain robust.)

While Patrick seemed to be focusing on the abstract notion of security mechanisms needing to welcome malicious scrutiny, the strong reaction against his tweet was based on the observation that Patrick failed to take into account the real, human cost of such an attack. This was further compounded by the fact that often, research requires IRB approval to determine whether the research is ethical, and the evidence is that CMU's actions weren't ethical. Yet Patrick felt it necessary to opine without understanding the ethical component of such an attack.



