The FBI, Carnegie-Mellon University, CERT/CC, and Tor

Rayzer Rayzer@riseup.net
Tue Dec 15 15:23:38 PST 2015


> The news of CMU’s possible assistance in compromising Tor’s most
> critical feature, anonymity, presents an opportunity for many to
> attack the integrity of CERT/CC and the researchers at the Software
> Engineering Institute. Bruce Schneier and others have been quick to
> point out that this incident has erased (or at least greatly
> diminished) CERT/CC’s hard-earned reputation as an honest broker. It
> is certain to be a warning to other CSIRTs around the world that they
> should transparently define their relationships with law enforcement
> agencies.

From Just Security (legal):

https://www.justsecurity.org/28343/fbi-stop-undermining-norms-root/

Reports surfaced last month suggesting that Carnegie Mellon University
(CMU) has been helping
<https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html>
the FBI crack Tor, the secure browsing application used by
privacy-conscious Internet users for both legal and illegal activities.
Normally, an academic institution assisting law enforcement in fighting
crime wouldn’t raise any eyebrows, particularly if that assistance came
in the form of responding to subpoenas. But this isn’t your average
case. Beyond the complicated (and unclear) set of facts involved, CMU
houses the Computer Emergency Response Team Coordination Center
(CERT/CC), one of the world’s most important hubs for coordinating
information about various cybersecurity vulnerabilities and attacks.

More than a month after the news first broke, the details are murky at
best. Tor has alleged
<https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users>
that the FBI paid CMU to crack the system’s anonymity feature in
exchange for payment. CMU’s own statement
<https://www.cmu.edu/news/stories/archives/2015/november/media-statement.html>
about the incident says that many of the media reports have been
inaccurate, but acknowledges that the university — and by extension
CERT/CC — complies with valid subpoenas that it receives (as it must).
It also said that it receives “no funding for compliance.” The FBI has
said
<http://www.forbes.com/sites/thomasbrewster/2015/11/18/fbi-cmu-tor-million-dollar-payment-innacurate/>
that reports on the payment are inaccurate, but stopped short of saying
no payment was made. And Tor has responded
<http://www.wired.com/2015/11/carnegie-mellon-denies-fbi-paid-for-tor-breaking-research/>
by saying that these vague responses raise a whole host of questions on
their own.

The public saga leading up to the recent accusations began in July 2014,
when Ed Felten, the then-director of Princeton’s Center for Information
Technology Policy, noted
<https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/>
that CERT/CC researchers at CMU had submitted a presentation abstract to
organizers of the Black Hat security conference discussing a new
vulnerability they had found in Tor. The timing of CERT/CC’s pitch to
Black Hat aligned with a large-scale attack on Tor that lasted from
January to July 2014, during which CERT/CC researchers shared only
“hints” about the vulnerability they had discovered. As for the
abstract, it was abruptly withdrawn in July when CMU failed to approve
the content of the talk for public release.

Eyebrows were again raised in January 2015, after the arrest
<http://arstechnica.com/tech-policy/2015/01/did-feds-mount-a-sustained-attack-on-tor-to-decloak-crime-suspects/>
of a man who allegedly helped run Silk Road 2.0, a large online trading
post on the dark web whose visitors often use Tor to access the site. At
the time, some speculated that his arrest was tied to the attack against
Tor in the first half of 2014.

Most recently, in mid-November, Tor accused CMU of accepting payment and
assisting the FBI — in ways that indicate a warrant was not involved —
to “attack hidden services users in a broad sweep, and then sift through
their data to find people.” These allegations are hugely problematic for
CERT/CC. As an entity that espouses <http://www.cert.org/about/> to be
“a trusted, authoritative organization dedicated to improving the
security of computer systems and networks,” finding and not disclosing
vulnerabilities is a good way to undermine that trust. Exploiting those
vulnerabilities is even worse.

But let’s take a step back for a moment. Why, beyond the obvious privacy
concerns raised by Tor, is this such a big deal?

CERT/CC, and indeed the Computer Security Incident Response Team (CSIRT)
community as a whole
<https://www.newamerica.org/cybersecurity-initiative/csirt-basics-for-policy-makers/>,
is a pillar of global cybersecurity. (CSIRT is another term often used
to describe the type of organization CERT/CC is.) Generally, CSIRTs are
responsible for receiving, reviewing, and responding to computer
security incident reports from a set of clients, which can include
government agencies, private companies, security researchers, and
ordinary Internet users.

Since the late 1980s, CERT/CC, as the name suggests, has been a major
coordination center for global CSIRT activities. As a result, it has
access to a wide array of incident information and vulnerabilities,
which could, hypothetically, be used to help crack Tor’s anonymity
feature. In addition, the organization — initially funded as a DARPA
project and still funded <http://www.cert.org/faq/> with federal money —
is largely transnational in nature and serves as the secretariat for
national CSIRTs, more than 100 of which are distributed across the globe.

CSIRTs are increasingly referenced in international discussions as a key
component in efforts to build global capacity to combat cybersecurity
threats and develop norms of behavior among nations in the cyber realm.
For example, the United Nations Group of Governmental Experts on
cybersecurity suggested
<http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174> this summer
that special teams authorized to respond to cybersecurity incidents,
such as CSIRTs, should not be used to “engage in malicious international
activity” and should not be the target of attacks. If CSIRTs are to be
held out as off limits, they need to be impartial (like, say, the Red
Cross <http://time.com/3713226/red-cross-cyberspace/>) and cannot be
political actors, lest they become legitimate targets.

CERT/CC, and many other CSIRTs around the world, collect information
that can be very useful for both identifying and capturing criminals.
They rely heavily
<https://www.newamerica.org/cybersecurity-initiative/csirt-basics-for-policy-makers/>
on the trust incident reporters and vulnerability researchers have in
the CSIRTs, trust that is garnered after developing close ties with the
constituencies they serve. When a CSIRT is discovered, or even rumored,
to be acting in a way that is negligent or undermines network security
of perfectly legal services, this bond of trust is fractured. Less trust
means less information for CSIRTs.

To pour salt on the wound, the controversy around the latest story
undermines the effectiveness of CERT/CC both to carry out its own duties
and to assist the FBI in the future. Though it is often not explicit in
documentation, a relationship between CSIRTs and law enforcement
agencies is often assumed. Indeed, such cooperation can be helpful for
both law enforcement and CSIRTs. Law enforcement can obtain important
technical information about incidents from CSIRTs, which in turn helps
law enforcement identify and pursue cyber-criminals. On the flipside,
some industries (particularly in the US) have close relationships with
law enforcement that result in law enforcement becoming an important
reporter of incidents to the CSIRT. But if these two types of bodies are
to have close working relationships, they should follow explicit and
transparent guidelines in accordance with due process. If the FBI is
engaging with CSIRTs to essentially break a feature of Internet security
en masse, it is making its own life more difficult down the line by
removing the legitimacy of a key ally in cyber criminal investigations.

To be clear: This is not an indictment of CSIRTs working with law
enforcement. As I explain in detail with my colleagues Isabel Skierka,
Mirko Hohmann, and Tim Maurer in our recent report
<https://static.newamerica.org/attachments/11916-national-csirts-and-their-role-in-computer-security-incident-response/CSIRTs-incident-response_11-2015.d66cfc29c2d642258110859b27a649b1.pdf>,
cooperation between CSIRTs and law enforcement is not necessarily a bad
thing. A comprehensive approach to addressing cybercrime would ideally
meld the technical expertise and access CSIRTs have painstakingly
developed with traditional law enforcement expertise found in agencies
like the FBI. In fact, many national-level CSIRTs actually sit within
law enforcement, intelligence, or national security organizations or
have formal liaisons with those agencies.

Indeed, most in the CSIRT community seem ready to accept that CSIRTs
have reached a point in their maturity where a formal, transparent
relationship with law enforcement is practicable. This is because the
quandary facing CSIRTs is one that has pervaded the American
intelligence community for decades: Some activities simply do not pass
the front-page test, meaning that some actions, when they come to light,
will hurt the reputation of the organization. As New America
Cybersecurity Fellow and Georgia Tech professor Peter Swire wrote
earlier this year
<https://www.newamerica.org/new-america/the-declining-half-life-of-secrets/>,
the half-life of secrets is diminishing, and interactions like CERT/CC’s
with the FBI are likely to become known much sooner than they would in
the past. For the CSIRT community, which relies so heavily on trust for
effectiveness, keeping their relationships with the government secret
will be both extremely difficult and may undermine their reputations
once they come to light.

The news of CMU’s possible assistance in compromising Tor’s most
critical feature, anonymity, presents an opportunity for many to attack
the integrity of CERT/CC and the researchers at the Software Engineering
Institute. Bruce Schneier
<https://www.schneier.com/blog/archives/2015/11/did_carnegie-me.html>
and others
<http://blog.cryptographyengineering.com/2015/11/why-tor-attack-matters.html>
have been quick to point out that this incident has erased (or at least
greatly diminished) CERT/CC’s hard-earned reputation as an honest
broker. It is certain to be a warning to other CSIRTs around the world
that they should transparently define their relationships with law
enforcement agencies.

Regardless of how fault should be apportioned in this particular
instance, the news comes as part of a larger trend in the CSIRT
community. Once relatively apolitical, these technical teams are
undergoing a process of politicization. National level CSIRTs, many of
which once resided outside of government in academic institutions and
non-governmental organizations, are being pulled into government
structures. At the same time, their relationships with law enforcement
agencies are becoming closer and (to those outside of the agencies) more
opaque.

What can be done to protect the credibility and neutrality of these
important pillars in the network security ecosystem? The recommendations
we outline in our report provide a roadmap:

  * The first step to protect trust in these teams is to reverse the
    recent trend and /not/ place them under the control of law
    enforcement and intelligence agencies. Such agencies are
    incentivized to use the tools at their disposal to investigate
    crime, collect intelligence, and pursue threat groups, and thus will
    often disregard the apolitical information coordination role CSIRTs
    play.

  * Second, CSIRTs and law enforcement must more transparently define
    the terms of their cooperation, including how and under what
    circumstances they interact. They should also clearly define what
    kinds of information and expertise are exchanged and what
    direction(s) shared information flows.

  * Third, for CSIRTs to remain trusted brokers, they must clarify their
    mandates and missions. Traditionally, a CSIRT has placed remediating
    damage from incidents and returning systems to operation as top
    priorities. Is this still the case, or is CSIRT expertise being
    poured into combating cybercrime and assisting law enforcement
    agencies in developing tools and methods to discover criminals?

Finally, though not included in our recommendations in the report, to
recover the trust it has recently lost, CERT/CC’s mission and role needs
to be clearly defined by the organization itself, its funders, its
partners, and its constituency. Is it essentially a second US national
CSIRT alongside the Department of Homeland Security’s US-CERT
<https://www.us-cert.gov/>, or is it something closer to a private CSIRT
that plays a role in maintaining global cybersecurity? If it is a
global, non-government CSIRT, transparently defining its relationship
with law enforcement, intelligence, and other political actors — both
inside and outside the US — is all the more important.

In the end, the actions of the computer security professionals at
CERT/CC who allegedly aided the FBI are somewhat understandable. Their
overarching goal is to secure computer systems. The traditional CSIRT
approach focuses on technical identification and remediation of
incidents, in addition to promoting technical measures to protect
systems from attacks in the first place. The goal of law enforcement
bodies in cybersecurity is to lend a helping hand in preventing attacks
from taking place by rounding up the likely and past perpetrators. That
aligns with the CSIRT community’s goal. But the allegations of the
researchers’ work (the cybersecurity applicability of which is dubious
at best) to crack Tor demonstrate the damage that can be done when
a CSIRT’s interaction with law enforcement is not openly and strictly
governed.

The controversy surrounding this story represents something much larger
than the alleged incident. CSIRTs are meant to be apolitical actors
concentrating on computer and network security. The ramifications of
politicization and muddied mandates could permeate up to states’ efforts
to develop international norms of behavior in cyberspace, like those
outlined
<https://ccdcoe.org/2015-un-gge-report-major-players-recommending-norms-behaviour-highlighting-aspects-international-l-0.html>
by the UN Group of Governmental Experts, that rely on the integrity and
independence of global CSIRTs. By undermining these norms before they
take root, the FBI, and by extension the US government, undermine their
own efforts to promote an open and secure cyberspace through norms for
responsible state behavior.

About the Author

Robert Morgus is a Policy Analyst with New America’s Cybersecurity
Initiative and International Security Program. You can follow him on
Twitter (@robmorgus).

-- 
RR

"You might want to ask an expert about that - I just fiddled around
with mine until it worked..."
