The Tor network, an anonymising service used by privacy-conscious internet users from law enforcement to criminals, admitted yesterday that its users may have been identified by government-funded researchers.
In a 'security advisory' blog post the team responsible for maintaining Tor warned that anyone who used the network between 30 January 2014 and 4 July “should assume they were affected”, adding that it was “likely” the attack was connected to work conducted by two security researchers at Carnegie Mellon University.
The pair of researchers had been scheduled to present a paper showing how to identify Tor users at the Black Hat security conference next month, but the talk was cancelled by lawyers working for the university. The Carnegie Mellon researchers were based in the university’s Software Engineering Institute, which is mostly funded by the US Department of Defense.
The title of the cancelled talk was “You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget,” and promised to explain how to crack Tor’s anonymity systems on a budget of $3,000 or less.
The creation of Tor was funded by the US Navy in the early 2000s and although leaked documents from Edward Snowden suggest that both the NSA and GCHQ have attempted to crack it, figures published last year show that the US government remains Tor’s primary source of funding.
The network operates by bouncing internet traffic around a network of volunteer-operated nodes. Anyone logging on to the Tor network has their signal sent around this mesh, with the information encrypted at each step. This makes it incredibly difficult to track an individual’s activity or to uncover their identity, meaning the software has been used by diverse groups including law enforcement, privacy lawyers, human rights activists - and criminals.
Roger Dingledine, one of the network's co-creators, wrote on the Tor Project blog that his team had been trying to contact the Carnegie Mellon University researchers to find out the exact nature of their attack and to see if it tallies with the breach they have discovered this week, but reported that the researchers have not responded to any recent attempts at contact.
"They haven't answered our emails lately, so we don't know for sure, but it seems likely that [they were responsible]," wrote Dingledine. "In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was."