Did Carnegie Mellon Attack Tor for the FBI?

There’s pretty strong evidence that the team of researchers from Carnegie Mellon University who cancelled their scheduled 2015 Black Hat talk deanonymized Tor users for the FBI.

Details are in this Vice story and this Wired story (and these two follow-on Vice stories). And here’s the reaction from the Tor Project.

Nicholas Weaver guessed this back in January.

The behavior of the researchers is reprehensible, but the real issue is that CERT Coordination Center (CERT/CC) has lost its credibility as an honest broker. The researchers discovered this vulnerability and submitted it to CERT. Neither the researchers nor CERT disclosed this vulnerability to the Tor Project. Instead, the researchers apparently used this vulnerability to deanonymize a large number of hidden service visitors and provide the information to the FBI.

Does anyone still trust CERT to behave in the Internet’s best interests?

EDITED TO ADD (12/14): I was wrong. CERT did disclose to Tor.

Posted on November 16, 2015 at 6:19 AM • 128 Comments