This story is over 5 years old.

Why the CMU Tech Lab That Hacked Tor Is Government-Funded

Federally Funded Research and Development Centers (FFRDC) should come as no shock; they're everywhere.
February 26, 2016, 4:29pm

On Wednesday, Motherboard confirmed that Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) was the university-based research body that carried out an in-the-wild attack on the Tor anonymity network in 2014, the results of which were used in the FBI crackdown on Silk Road 2.0.

A court document also confirmed that the SEI was subpoenaed for the IP addresses of Tor hidden services and users, which led to the arrest of a number of dark web crime suspects.


What some might not know is that SEI is not a normal university department, however. SEI is a Federally Funded Research and Development Center (FFRDC), an interesting public-private partnership that carries out work for the US government. With FFRDCs in the spotlight with this latest case, it's worth going back over exactly what they are and how they work.

"We serve the nation as a Federally Funded Research and Development Center (FFRDC) sponsored by the U.S. Department of Defense (DoD) and are based at Carnegie Mellon University, a global research university annually rated among the best for its programs in computer science and engineering," the SEI's website reads.

Dozens of FFRDCs exist. The RAND Corporation, an established American think tank, runs three of them. The Massachusetts Institute of Technology's (MIT) Lincoln Laboratory, which focuses on issues of national security, is also an FFRDC.

"To ensure objectivity and technical excellence, FFRDCs are organized as independent, not-for-profit entities, prohibited from manufacturing products, competing with industry, or working for commercial companies. They combine the expertise and outlook of government, industry, and academia," the Lincoln Laboratory website reads.

The SEI as a whole is transparently funded by the Department of Defense (DoD), and has been since its inception over 20 years ago.

It's worth bearing in mind that there isn't necessarily anything malicious about being funded by government sources

That relationship goes way back to 1984, when SEI was established by the DoD, with a focus, naturally, on software-related security and engineering issues, according to the SEI's website.

A few years later, SEI, apparently at the urging of the Defense Advanced Research Projects Agency (DARPA), created the Computer Emergency Response Team Coordination Center, or CERT-CC. CERTs are now commonplace all over the world, with governments making their own to warn of impending digital security threats, such as CERT-UK for the United Kingdom, and Q-CERT in Qatar.


Because SEI is financed by the DoD, naturally the Tor-related research was as well.

"This particular project was focused on identifying vulnerabilities in Tor, not to collect data that would reveal personal identities of users," Defense Department spokesperson Lieutenant Colonel Valerie Henderson told Reuters back in August 2014, after SEI's planned talk was pulled from the Black Hat hacking conference.

Motherboard previously reported that SEI researchers also submitted an (ultimately declined) research paper on the technique to the 21st ACM Conference on Computer and Communications Security (CCS) that same year. That work was funded by a Department of Defense contract, number FA8721-05-C-0003. (This is a general contract used to finance SEI, rather than specific projects.)

It's worth bearing in mind that there isn't necessarily anything malicious about being funded by government sources. In 2014, 75 percent of the Tor Project's $2.5 million income was from US government grants, although the non-profit is trying to diversify its financing. Whether those funds are spent wisely, or whether research is responsible, is another matter.

Kenneth Walters, a spokesperson for CMU, did not provide comment, and instead pointed to the SEI website. Nicolas Christin, an assistant research professor at CMU did not respond to a request for comment, but Christin previously told Motherboard that the Tor attack researchers "are with CERT/SEI a semi autonomous entity at CMU. It is an FFRDC, not a traditional academic department. There is a big difference," he said.