Seven things you should know about Tor

Tor (The Onion Router) is a military-grade, secure tool for increasing the privacy and anonymity of your communications; but it's been the subject of plenty of fear, uncertainty and doubt.

The Electronic Frontier Foundation's 7 Things You Should Know About Tor debunks some of the most common myths about the service (which even the NSA can't break) and raises some important points about Tor's limitations.

7 Things You Should Know About Tor [Cooper Quintin/EFF]

Open Wireless Movement's router OS will let you securely share your Internet with the world

Open Wireless Movement, a joint project of the Electronic Frontier Foundation, Fight for the Future, Mozilla, Free Press and others, will reveal its sharing-friendly wifi router firmware at the HOPE X conference in NYC next month. The openwireless operating system allows you to portion out some of your bandwidth to share freely with your neighbors and passersby, while providing a high degree of security and privacy for your own communications.


The Open Wireless Movement's goals are to both encourage the neighborliness that you get from sharing in your community, and undermining the idea that an IP address can be used to identify a person, establishing a global system of anonymous Internet connectivity. The project includes an excellent FAQ on the myths and facts about your legal liability for things that other people do with your network.

Read the rest

Piratebox 1.0: anonymous, go-anywhere wireless file-sharing

Piratebox, a great project for making standalone wireless fileservers, has gone 1.0. The 1.0 has a slick 4chan-style message board, a responsive UI, and does UPnP discovery for your file-sharing needs. Combined with cheap wireless gear and a little battery, it's a perfect file-sharing boxlet that you can take anywhere in order to share anything -- for example, buskers could use it to distribute copies of their music to watchers. Piratebox is the technology that underlies Librarybox, a fork that is specialized for use by libraries and archives.

Read the rest

Tor: network security for domestic abuse survivors


Michael from Beta Boston writes, "The privacy protections offered by tools like Tor aren't just for journalists and spies; they're important for everyone. Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that, and we took a long look at the work cut out for them."

This is an important point: when you make it so that no one can keep secrets from the state and its enforcement arm, you also make it so that no one can keep secrets from crooks, thugs, stalkers, and every other kind of bad guy.

Read the rest

TAILS: Snowden's favorite anonymous, secure OS goes 1.0


TAILS -- The Amnesiac Incognito Live System -- is a highly secure operating system intended to be booted from an external USB stick without leaving behind any trace of your activity on either your computer or the drive. It comes with a full suite multimedia creation, communications, and utility software, all configured to be as secure as possible out of the box.

It was Edward Snowden's tradecraft tool of choice for harvesting and exfiltrating NSA documents. Yesterday, it went 1.0. If you need to turn a computer whose operating system you don't trust into one that you can use with confidence, download the free disk image. (Note: TAILS won't help you defend against hardware keyloggers, hidden CCTVs inside the computer, or some deep malware hidden in the BIOS). It's free as in speech and free as in beer, and anyone can (and should) audit it.

Effectively, this is the ParanoidLinux I fictionalized in my novel Little Brother.

Read the rest

Vi Hart: cramming G+ into YouTube has made comments even worse, I'm leaving

Google has changed the commenting system on YouTube so that you need to be a Google Plus user to post; the new system uses algorithms to promote some comments above others, and has the perverse effect of making trolls more visible. Vi Hart, the incomparable math-vlogger (and a regular favorite around here) describes how Google's decision to double down on its flagging Facebook-alike G+ service by ramming YouTube users into it has made her lose faith in the service: now her regular, good commenters comments hover at the bottom of the pile, while hateful trolls whose messages generate a lot of replies are judged "good" by G+ and promoted to the top.

The promise of G+ in the beginning was that making people use their real names would incentivize them to behave themselves. It's abundantly clear now that there are more than enough people who are willing to be jerks under their real names. In the meantime, people who have good reason not to post under their own names -- vulnerable people, whistleblowers, others -- are now fully on display to those sociopaths who are only too happy to press the attack with or without anonymity.

Read the rest

Anti-Tor malware reported back to the NSA


More information on the malicious software that infected Tor Browser through Freedom Hosting's servers, which were then seized by law-enforcement: it turns out that infected browsers called home to the NSA. Or, at least, to an IP block permanently assigned to the NSA.

Read the rest

Anonymous Web-host shut down, owner arrested; Tor users compromised by Javascript exploit

FreedomWeb, an Irish company known for providing hosting for Tor "hidden services" -- services reached over the Tor anonymized/encrypted network -- has shut down after its owner, Eric Eoin Marques, was arrested over allegations that he had facilitated the spread of child pornography. Users of Tor hidden services report that their copies of "Tor Browser" (a modified, locked-down version of Firefox that uses Tor by default) were infected with malicious Javascript that de-anonymized them, and speculate that this may have originated with with FBI. Tor Browser formerly came with Javascript disabled by default, but it was switched back on again recently to make the browser more generally useful. Some are predicting an imminent Bitcoin crash precipitated by the shutdown.

Read the rest

Anonymizing is really hard really, so why is the EU acting like it's easy?

My latest Guardian column is "Data protection in the EU: the certainty of uncertainty," a look at the absurdity of having privacy rules that describes some data-sets as "anonymous" and others as "pseudonymous," while computer scientists in the real world are happily re-identifying "anonymous" data-sets with techniques that grow more sophisticated every day. The EU is being lobbied as never before on its new data protection rules, mostly by US IT giants, and the new rules have huge loopholes for "anonymous" and "pseudonymous" data that are violently disconnected from the best modern computer science theories. Either the people proposing these categories don't really care about privacy, or they don't know enough about it to be making up the rules -- either way, it's a bad scene.

Since the mid-noughties, de-anonymising has become a kind of full-contact sport for computer scientists, who keep blowing anonymisation schemes out of the water with clever re-identifying tricks. A recent paper in Nature Scientific Reports showed how the "anonymised" data from a European phone company (likely one in Belgium) could be re-identified with 95% accuracy, given only four points of data about each person (with only two data-points, more than half the users in the set could be re-identified).

Some will say this doesn't matter. They'll say that privacy is dead, or irrelevant, or unimportant. If you agree, remember this: the reason anonymisation and pseudonymisation are being contemplated in the General Data Protection Regulation is because its authors say that privacy is important, and worth preserving. They are talking about anonymising data-sets because they believe that anonymisation will protect privacy – and that means that they're saying, implicitly, privacy is worth preserving. If that's policy's goal, then the policy should pursue it in ways that conform to reality as we understand it.

Indeed, the whole premise of "Big Data" is at odds with the idea that data can be anonymised. After all, Big Data promises that with very large data-sets, subtle relationships can be teased out. In the world of re-identifying, they talk about "sparse data" approaches to de-anonymisation. Though most of your personal traits are shared with many others, there are some things about you that are less commonly represented in the set – maybe the confluence of your reading habits and your address; maybe your city of birth in combination with your choice of cars.

Data protection in the EU: the certainty of uncertainty

My books on a Tor hidden service

Part of the plot in Homeland revolves around "hidden services" on the Tor network. Now, a fan of mine in Norway called Tor Inge Røttum has set up a hidden service and stashed copies of all my books there. He writes:

A hidden service in Tor is a server, it can be any server, a web server, chat server, etc. A hidden service can only be accessed through Tor. When accessing a hidden service you don't need an exit node, which means that they are more secure than accessing the "clearnet" or the normal Internet (if you want). Because then the exit nodes can't snoop up what you are browsing. Hidden services are hard to locate as most of them aren't even connected to the clearnet.

I don't have any servers or computers that I can run 24/7 to host a hidden service, but fortunately there is a free webhost that is hosting websites on Tor: http://torhostg5s7pa2sn.onion.to

After creating the domain I wrote a dirty bash script to download most of Cory's books and create a HTML file linking to them. It's available on pastebin: http://pastebin.com/3YR6j8zJ

How cool is that?

Using Silk Road: game theory, economics, dope and anonymity


Gwern's "Using Silk Road" is a riveting, fantastically detailed account of the theory and practice of Silk Road, a Tor-anonymized drugs-and-other-stuff marketplace where transactions are generally conducted with BitCoins. Gwern explains in clear language how the service solves many of the collective action problems inherent to running illicit marketplaces without exposing the buyers and sellers to legal repercussions and simultaneously minimizing ripoffs from either side. It's a tale of remix-servers, escrows, economics, and rational risk calculus -- and dope.

But as any kidnapper knows, you can communicate your demands easily enough, but how do you drop off the victim and grab the suitcase of cash without being nabbed? This has been a severe security problem forever. And bitcoins go a long way towards resolving it. So the additional security from use of Bitcoin is nontrivial. As it happened, I already had some bitcoins. (Typically, one buys bitcoins on an exchange like Mt.Gox; the era of easy profitable "mining" passed long ago.) Tor was a little more tricky, but on my Debian system, it required simply following the official install guide: apt-get install the Tor and Polipo programs, stick in the proper config file, and then install the Torbutton. Alternately, one could use the Tor browser bundle which packages up the Tor daemon, proxy, and a web browser all configured to work together; I’ve never used it but I have heard it is convenient. (I also usually set my Tor installation to be a Tor server as well - this gives me both more anonymity, speeds up my connections since the first hop/connection is unnecessary, and helps the Tor network & community by donating bandwidth.)

Using Silk Road (via O'Reilly Radar)

EFF Pioneer Award winners announced

Rebecca from EFF sez, "EFF is proud to announce the winners of this year's Pioneer Awards: hardware hacker Andrew (bunnie) Huang, anti-ACTA activist Jérémie Zimmermann, and the Tor Project -- the organization behind the groundbreaking anonymity tool Tor. These winners have all done truly important work to protect our digital rights. Join us at the award ceremony on September 20 in San Francisco. Cory

The Dictator's Practical Guide to Internet Power Retention, Global Edition

The Dictator's Practical Guide to Internet Power Retention, Global Edition is a wry little 45-page booklet that is, superfically, a book of practical advice for totalitarian, autocratic and theocratic dictators who are looking for advice on how to shape their countries' Internet policy to ensure that the network doesn't loosen their grip on power.

Really, though, this is Laurier Rochon's very good critique of the state of Internet liberation technologies -- a critical analysis of what works, what needs work, and what doesn't work in the world of networked technologies that hope to serve as a force for democratization and self-determination.

It's also a literal playbook for using technology, policy, economics and propaganda to diffuse political dissent, neutralize opposition movements, and distract and de-politicize national populations. Rochon's device is an admirably compact and efficient means of setting out the similarities (and dissimilarities) in the Internet control programs used by Singapore, Iran, China, Azerbaijan, and other non-democratic states -- and the programs set in place by America and other "democratic" states in the name of fighting Wikileaks and piracy. Building on the work of such fierce and smart critics as Rebecca McKinnon (see my review of her book Consent of the Networked), The Dictator's Guide is a short, sharp look at the present and future of networked liberation.

Firstly, the country you rule must be somewhat "stable" politically. Understandably "stable" can be defined differently in different contexts. It is essential that the last few years (at least) have not seen too many demonstrations, protests questioning your legitimacy, unrest, political dissidence, etc. If it is the case, trying to exploit the internet to your advantage can quickly backfire, especially if you can't fully trust your fellow party officials (this is linked to condition #3). Many examples of relatively stable single-leader states exist if in need of inspiration, Fidel Castro's Cuba for example. Castro successfully reigned over the country for decades, effectively protecting his people from counter-revolutionary individuals. He appointed his brother as the commander in chief of Cuba's army and managed his regime using elaborate surveillance and strict dissuasive mechanisms against enemies of the state.[49] As is always the case, political incidents will occur and test your regime's resilience (the Bay of Pigs invasion or the missile crisis, for example), but even massive states have managed to uphold a single-party model and have adapted beautifully to the digital age - in China's case, despite close to 87 000 protests in 2005.[2] Follow these states' example and seek stability, no matter what your regime type is. Without it, you are jeopardizing the two next prerequisites and annihilating your chances to rule with the internet at your side. If you are in the midst of an important political transformation, busy chasing counter-revolutionary dissidents or sending your military to the streets in order to educate protesters, you will need to tame these fires first and come back to this guide afterwards.

The Dictator's Practical Guide to Internet Power Retention, Global Edition

Google execs: our technology can be used to fight narcoviolence in Mexico

In a Washington Post op-ed, Google's executive chairman (and former CEO) Eric Schmidt and Google Ideas director Jared Cohen argue the case for technology as a tool to aid citizen activists in places like Juarez, Mexico. Schmidt and Cohen recently visited the drug-war-wracked border town, and describe the climate of violence there as "surreal."

In Juarez, we saw fearful human beings — sources — who need to get their information into the right hands. With our packet-switching mind-set, we realized that there may be a technological workaround to the fear: Sources don’t need to physically turn to corrupt authorities, distant journalists or diffuse nonprofits, and rely on their hope that the possible benefit is worth the risk of exposing themselves.

Technology can help intermediate this exchange, like servers passing packets on the Internet. Sources don’t need to pierce their anonymity. They don’t need to trust a single person or institution. Why can’t they simply throw encrypted packets into the network and let the tools move information to the right destinations?

In a sense, we are talking about dual crowdsourcing: Citizens crowdsource incident awareness up, and responders crowdsource justice down, nearly in real time. The trick is that anonymity is provided to everyone, although such a system would know a unique ID for every user to maintain records and provide rewards. This bare-bones model could take many forms: official and nonprofit first responders, investigative journalists, whistleblowers, neighborhood watches.

I'll be interested to hear what people in Juarez, and throughout Mexico, think of the editorial. The notion that crypto, Tor, or other anonymity-aiding online tools might help peaceful observers is not a new one, and not one that activists in Mexico need outsiders to teach them about. There are plenty of smart geeks in Mexico who are well aware of the need for, and usefulness of, such tools. But Google execs speaking directly to the conflict, and how widely-available free tools might help, is a new and notable thing. Red the rest here. (thanks, @martinxhodgson)

Tor anonymity developers tell all

Runa from the Tor anonymity project sez, "Karen and I will be answering questions on Reddit today. Feel free to ask us anything you'd like relating to Tor and the Tor Project!" Cory