The university that broke the Dark Web is still running Tor nodes—but it's not what it appears

There is a massive, Empire-sized army of people dedicated to making us trackable online and very tiny rebel ships trying to prevent it.

Last year, a couple of security researchers attacked one of the rebel ships. Michael McCord and Alexander Volynkin of Carnegie Mellon University broke the Dark Web by launching an attack on Tor, software that makes it possible to browse the Web anonymously and host sites “hidden” from the public Web. Their attack unmasked many Tor users and may have led to some of their arrests. After I wrote an in-depth account of the attack that explained what Tor is doing to make sure it never happens again, a security researcher contacted me, alarmed. Tor had said it shut down the malicious nodes controlled by the attackers, yet he saw that Tor users’ activity was still being routed through nodes hosted by Carnegie Mellon, home of the attack.

Alex Heid, chief research officer at SecurityScorecard, has a tool that monitors every Tor node as it goes online and offline; nodes are the computers through which Internet requests are passed, along with a layer of encryption, to keep Tor users anonymous. The tool found that relay and exit nodes affiliated with Carnegie Mellon are still active on the network. While this might seem at first problematic, that the same university that unmasked Tor users by taking over a sizeable portion of the network was still taking part in the network, it’s not what it first appears.

Carnegie Mellon’s official public relations channels did not do a good job of dispelling the alarm. When I reached out to the university to ask about its continuing activity on Tor, spokesperson Ken Walters simply replied, “Carnegie Mellon has no comment.”

So instead, I tracked down who was actually running the nodes: Carnegie Mellon’s CYLab, a cybersecurity research lab distinct from Carnegie Mellon’s Software Engineering Institute (SEI), from which the Tor attack was launched. The attackers from SEI used subterfuge. When they flooded Tor with over 100 new nodes, they used a cloud service provider, so the IP addresses looked generic and weren’t obviously tied to Carnegie Mellon. The nodes being run by CYLab, on the other hand, don’t try to hide the fact that they’re using Carnegie Mellon IP addresses.

“There are two relays running at CMU right now,” said Tor founder Roger Dingledine through a spokesperson. “One of them is tiny, and the other is run by a friend that we’ve known in person for many years.”

Nicolas Christin, the faculty member at CMU in charge of the Tor exit node, explained by email that his is “an entirely separate group, not affiliated with CERT/SEI.”

“Our Tor exit node (“cmutornode“) has been around since November 2012, and it has never been under CERT/SEI control,” said Christin. “It is not, and has never been used for any deanonymization activities.”

Cristin says his group decided to start running a node because they frequently use Tor for research and wanted to “contribute back to the community.” Tor, a decentralized, peer-to-peer network, relies on volunteers to create nodes so the network can function—and has asked universities in particular to consider running nodes on their campuses. The more non-malicious nodes Tor can get, the stronger its privacy-protective network is. And it’s not always easy; a library in New Hampshire that wanted to run a node got a stern letter from a Department of Homeland Security agent warning it against doing so because the agent was concerned that Tor is used by criminals.

Funnily enough, DHS is a funder of Tor. It’s an oddity at the center of the controversy around this non-profit project. It’s funded in large part by governments, including DHS and the State Department in the US, because of its privacy-protective features, while at the same time, it’s decried by law enforcement, such as the Department of Justice and even DHS, as an anonymity tool that makes the Web “go dark” and hides criminal activity. We’re seeing that drama play out in miniature form at Carnegie Mellon, where computer scientists in one building are running computers to support the network while computer scientists in another building across campus were plotting to disrupt it.

Cristin didn’t respond when I asked him what he thought about the attack on Tor performed by his colleagues at SEI.

“If Carnegie Mellon were still running a bunch of relays, it would be a problem [because with a bunch of nodes, an attacker can potentially follow a user’s movement through the network]. If it’s a single relay it’s not a problem,” said Matthew Green, an encryption expert at Johns Hopkins University. “I don’t think CMU should be banned from running a relay. It seems unfair to hurt the cause of privacy because some people at CMU did something bad.”

Tor isn’t that large a network after all. It needs as many nodes as it can get so it can randomize the paths of those who use it so that attacks like the one launched by SEI researchers can be prevented.

“Tor is an essential part of the Internet freedom infrastructure,” wrote its new executive director Shari Steele, who previously headed the Electronic Frontier Foundation. “Activists around the world depend on Tor, as do whistleblowers, victims of domestic violence, and regular citizens who care about their privacy.”

Tor’s network is still relatively small, with fewer than 7,000 relays, despite being used by 2 million people per day.

“It’s a small network,” said Green. “It’s amazing to me that it works.”