Carnegie Mellon University (CMU), in response to claims that it was paid at least $1 million by the FBI to perform an attack on Tor, has finally issued a statement about the situation.
The university does not deny providing the FBI with the IP addresses of Tor hidden services and their users, however it does make veiled references to the media storm that has gathered around the work of the Software Engineering Institute, a part of CMU, which is believed by many to have been a source of information for the FBI.
"There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity," the statement reads. When asked what specifically about recent media reports was inaccurate, Kenneth Walters, a CMU spokesperson, told Motherboard that "We have nothing to add beyond the statement."
"The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance"
Last week, Motherboard revealed that a university had provided information to the FBI that ultimately led to the arrests of dark web crime suspects. After the publication of that piece, Tor Project, the non-profit that maintains the Tor anonymity network, made an unsubstantiated claim that CMU had been paid at least $1 million by the FBI to carry out the attack. An FBI spokesperson said that claim was inaccurate.
"Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues," CMU's statement continues.
"One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected."
Previously, a source with knowledge of CMU's work told Motherboard that the university's research could unmask a new Tor hidden service in less than two weeks.
But no mention of Tor or any specific research is mentioned in the statement. Previously when asked for more details on this case, a CMU spokesperson told Motherboard "We cannot comment on Tor," and today the university declined to answer any follow up questions.
The statement continues, "In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance."
This particular section has led some in the information security community to speculate that CMU was served with a subpoena in order to turn over the IP addresses the FBI was after. The FBI did not respond to requests to clarify this point.