The FBI has denied an accusation that it paid at least $1 million
to Carnegie Mellon University (CMU) researchers to infiltrate Tor, a free
software implementation of second-generation onion routing that enables its
users to communicate anonymously on the internet.
The intelligence agency told Ars Technica that the
accusation of paying the university's security researchers to unmask
Tor users and reveal their IP addresses as part of a criminal
investigation was 'inaccurate'.
"The allegation that we paid (Carnegie Mellon
University) $1 million to hack into Tor is inaccurate," the FBI said.
However, the Tor Project team discovered in July last year
that more than a hundred new Tor relays were modifying Tor protocol headers
to track people who were looking for Hidden Services, web servers hosted on Tor
that offer more privacy.
The attackers used a combination of nodes and exit relays
along with some vulnerabilities in the Tor network protocol that let them
uncover users' real IP addresses.
After discovering the flaws, the team updated its software
and rolled out new versions of code to block similar attacks in the future.
At that time, however, the team could not identify the hackers behind the flaws.
"We teach law enforcement agents that they can use Tor to do
their investigations ethically, and we support such use of Tor -- but the mere
veneer of a law enforcement investigation cannot justify wholesale invasion of
people's privacy, and certainly cannot give it the color of 'legitimate
research'," the Tor team said in a blog post.
"Whatever academic security research should be in the
21st century, it certainly does not include 'experiments' for pay
that indiscriminately endanger strangers without their knowledge or consent,"
the post added.
Now, the Tor Project claims to have patched the vulnerabilities, but
this doesn't solve the core problem.