
Detailing the CMU Tor Hidden Services Attack and Tor's Response - zmanian
http://fusion.net/story/238742/tor-carnegie-mellon-attack/
======
zmanian
Support Tor's first donation campaign.

Become a crowdfunder.

[https://blog.torproject.org/blog/our-first-real-donations-campaign](https://blog.torproject.org/blog/our-first-real-donations-campaign)

~~~
tacojuan
I can't believe they're using PayPal of all things...

~~~
EthanHeilman
You can pay via bitcoins if that is your thing:

[https://www.torproject.org/donate/donate-options.html.en](https://www.torproject.org/donate/donate-options.html.en)

------
zaroth
So who is going to get the billing record for all those hosts they spun up?
Hard proof should not be that hard to come by, so I'm just waiting to see
that. I am more likely to believe Tor than CMU because of the way the research
was pulled, and it would be nice to pin them to it.

------
anonymous4
Useless web site. Can anybody please post the text of the article so that it
is readable??

~~~
j_s
[http://pastebin.com/6938UxS0](http://pastebin.com/6938UxS0)

TL;DR (2014):

Feb: Understaffed Tor minimized security warning. _"Activity in the past has
looked suspicious at the time, but ultimately did stuff that helped advance
our art."_

May: CMU researchers announce breaking Tor, ignoring potential ethical
violations. Blackhat talk cancelled; CMU & FBI begin 'not the droids you're
looking for' responses.

Jul: Emergency fix to Tor to block CMU vulnerability. CMU researchers stop
corresponding with Tor project.

Nov: FBI crackdown

------
rasz_pl
TLDR: CIA funded people angry at FBI funded people for breaking their toys.
CIA funded people react only after being deanonymized __personally__.

~~~
iamsohungry
Do you have a source on Tor being funded by the CIA?

It's disingenuous to say that Tor reacted only after being deanonymized
personally:

1. It was well known that Nick Mathewson worked for Tor long before this
attack.

2. Tor added code that allowed them to detect the attack before they knew
their IPs were deanonymized: that's the only way they found out their IPs were
deanonymized.

