Ed Felten writes:
Yesterday the Tor Project issued an advisory describing a large-scale identification attack on Tor hidden services. The attack started on January 30 and ended when Tor ejected the attackers on July 4. It appears that this attack was the subject of a Black Hat talk that was canceled abruptly.
These attacks raise serious questions about research ethics and institutional responsibilities.
I’m hard pressed to think of previous examples where legitimate researchers carried out a large scale attack lasting for months that aimed to undermine the security of real users. That in itself is ethically problematic at least. The waters get even darker when we consider the data that the researchers might have gathered—data that would undermine the security of Tor users. Did the researchers gather and keep this data? With whom have they shared it? If they still have it, what are they doing to protect it? CERT, SEI, and CMU are not talking.
Read more on Freedom to Tinker.