IE 11 is not supported. For an optimal experience visit our site on another browser.

Carnegie Mellon Denies It Was Paid $1M by FBI to Hack Tor Anonymizing Service

Carnegie Mellon University issued a statement Wednesday describing as "inaccurate" reports that it had taken a $1 million payment from the FBI to hack
Get more newsLiveon

Carnegie Mellon University issued a statement Wednesday describing as "inaccurate" reports that it received a $1 million payment from the FBI to hack Internet anonymity service Tor.

The accusation arose from the Tor Project itself; Tor obfuscates its users' Internet traffic by passing it along a network of carefully protected computers, and last year it was announced that a number of these "relays" were attempting to decrypt the data they were supposed to merely pass on.

Related: Manhattan DA Pushes for Lawful Backdoor Into Encrypted Phones

A paper describing a hack like this, by security researchers at CMU's Software Engineering Institute, was then submitted for presentation at the Black Hat hacking conference but later pulled. Such research is valuable for keeping secure networks on their toes, and sometimes must be carried out without the knowledge of the system to be evaluated — but this attack in particular put actual users' data at risk of being exposed.

Last week, with new information in hand, Tor accused CMU of carrying out the hack attack as part of a million-dollar contract with the FBI, possibly as part of its investigation of the Silk Road black market on the "Dark Web." "Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities," read the Tor Project's blog post making the accusation.

Shortly afterward, the FBI told Ars Technica and other news outlets that "The allegation that we paid Carnegie Mellon University $1 million to hack into Tor is inaccurate."

Related: Internet Anonymizer Tor Working On Chat App

Now CMU has issued its own carefully worded statement, not specifically denying carrying out the attack but definitely denying payment.

"One of the missions of the SEI's [Computer Emergency Response Team] division is to research and identify vulnerabilities in software and computing networks so that they may be corrected," the CMU statement said.

"In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."