Boing Boing 

Onion Pi - Convert a Raspberry Pi into an Anonymizing Tor Proxy, for easy anonymous internet browsing

About this nifty "Onion Pi" HOWTO just published at Adafruit, Phil Torrone says, "Limor and I cooked up this project for folks. We are donating a portion of any sales for the pack we sell that helps do this to the EFF and Tor."

Browse anonymously anywhere you go with the Onion Pi Tor proxy. This is a fun weekend project that uses a Raspberry Pi, a USB WiFi adapter and Ethernet cable to create a small, low-power and portable privacy Pi. Using it is easy-as-pie. First, plug the Ethernet cable into any Internet provider in your home, work, hotel or conference/event. Next, power up the Pi with the micro USB cable to your laptop or to the wall adapter. The Pi will boot up and create a new secure wireless access point called Onion Pi. Connecting to that access point will automatically route any web browsing from your computer through the anonymizing Tor network.

My books on a Tor hidden service

Part of the plot in Homeland revolves around "hidden services" on the Tor network. Now, a fan of mine in Norway called Tor Inge Røttum has set up a hidden service and stashed copies of all my books there. He writes:

A hidden service in Tor is a server, it can be any server, a web server, chat server, etc. A hidden service can only be accessed through Tor. When accessing a hidden service you don't need an exit node, which means that they are more secure than accessing the "clearnet" or the normal Internet (if you want). Because then the exit nodes can't snoop up what you are browsing. Hidden services are hard to locate as most of them aren't even connected to the clearnet.

I don't have any servers or computers that I can run 24/7 to host a hidden service, but fortunately there is a free webhost that is hosting websites on Tor:

After creating the domain I wrote a dirty bash script to download most of Cory's books and create a HTML file linking to them. It's available on pastebin:

How cool is that?

Using Silk Road: game theory, economics, dope and anonymity

Gwern's "Using Silk Road" is a riveting, fantastically detailed account of the theory and practice of Silk Road, a Tor-anonymized drugs-and-other-stuff marketplace where transactions are generally conducted with BitCoins. Gwern explains in clear language how the service solves many of the collective action problems inherent to running illicit marketplaces without exposing the buyers and sellers to legal repercussions and simultaneously minimizing ripoffs from either side. It's a tale of remix-servers, escrows, economics, and rational risk calculus -- and dope.

But as any kidnapper knows, you can communicate your demands easily enough, but how do you drop off the victim and grab the suitcase of cash without being nabbed? This has been a severe security problem forever. And bitcoins go a long way towards resolving it. So the additional security from use of Bitcoin is nontrivial. As it happened, I already had some bitcoins. (Typically, one buys bitcoins on an exchange like Mt.Gox; the era of easy profitable "mining" passed long ago.) Tor was a little more tricky, but on my Debian system, it required simply following the official install guide: apt-get install the Tor and Polipo programs, stick in the proper config file, and then install the Torbutton. Alternately, one could use the Tor browser bundle which packages up the Tor daemon, proxy, and a web browser all configured to work together; I’ve never used it but I have heard it is convenient. (I also usually set my Tor installation to be a Tor server as well - this gives me both more anonymity, speeds up my connections since the first hop/connection is unnecessary, and helps the Tor network & community by donating bandwidth.)

Using Silk Road (via O'Reilly Radar)

Jacob Appelbaum's 29C3 keynote on the out-of-control surveillance state

Jacob Appelbaum's keynote from 29C3 -- last December's Chaos Communications Congress in Hamburg -- is a riveting hour on surveillance, freedom, and the wild, criminal lawlessness of the NSA and other spy agencies. Jacob's factual, methodical laying out of the growth of American surveillance is brilliant, terrifying and enraging, and it left me wanting to rush to a barricade. Jacob's insights into how we are coping with the surveillance state and why that needs to change are terrific. Someone make a transcript of this, please.

Jacob Appelbaum 29C3 Keynote: Not My Department (via Schneier)

Tor Project is hiring support assistants and translators

Runa from the TOR project sez, "We are hiring support assistants and translators who can help us handle support requests via our ticketing system and our new Q&A website, as well as make sure translations for software and documentation are up to date. We are looking for candidates who are fluent in one of Arabic, French, Mandarin, Burmese, Vietnamese, Spanish, and English. All must be fluent in English."

Ubiquitous surveillance rap

The latest edition of Juice Rap News, "Big Brother is WWWatching You," is a catchy little rap ditty about how the Internet is being remade as a total information awareness panopticon:

September 2012 rocks around with some crucial developments in the ongoing struggle over the future of the internet. Will it remain the one open frequency where humanity can bypass filters and barriers; or become the greatest spying machine ever imagined? The future is being decided as we type. Across Oceania, States have been erecting and installing measures to legalise the watching, tracking and storage of data of party-members and proles alike. If such plans materialize, will this place ever be the same? And what will be the evolutionary consequences for our human journey? Join our plucky host Robert Foster as he conducts an incisive analysis of the situation at hand. Joining him are newly appointed Thought Police General at the Pentopticon, Darth O'Brien Baxter, and a surprisingly lucid Terence Winston Moonseed. Once again, in the midst of this Grand Human Experiment, we are forced to ask tough questions about our future. Will it involve a free internet which will continue to revolutionise the way the world communicates with itself? Or is our picture of the future a Boot stamping on this Human InterFace forever?

I like the guest appearance from George TORwell.

RAP NEWS 15: Big Brother is WWWatching You

Experience the Iranian Internet in central London

Runa from the Tor Project sez, "What is the Iranian Internet? How does it feel to be censored? Filtered? Under constant surveillance? Unsure? Restricted? Oppressed? On Wednesday September 26, Small Media will transform their office in central London into a space where you can really get a feel of how it feels to be oppressed by censorship." (Thanks, Runa!)

The Dictator's Practical Guide to Internet Power Retention, Global Edition

The Dictator's Practical Guide to Internet Power Retention, Global Edition is a wry little 45-page booklet that is, superficially, a book of practical advice for totalitarian, autocratic and theocratic dictators who are looking for advice on how to shape their countries' Internet policy to ensure that the network doesn't loosen their grip on power.

Really, though, this is Laurier Rochon's very good critique of the state of Internet liberation technologies -- a critical analysis of what works, what needs work, and what doesn't work in the world of networked technologies that hope to serve as a force for democratization and self-determination.

It's also a literal playbook for using technology, policy, economics and propaganda to diffuse political dissent, neutralize opposition movements, and distract and de-politicize national populations. Rochon's device is an admirably compact and efficient means of setting out the similarities (and dissimilarities) in the Internet control programs used by Singapore, Iran, China, Azerbaijan, and other non-democratic states -- and the programs set in place by America and other "democratic" states in the name of fighting Wikileaks and piracy. Building on the work of such fierce and smart critics as Rebecca MacKinnon (see my review of her book Consent of the Networked), The Dictator's Guide is a short, sharp look at the present and future of networked liberation.

Firstly, the country you rule must be somewhat "stable" politically. Understandably "stable" can be defined differently in different contexts. It is essential that the last few years (at least) have not seen too many demonstrations, protests questioning your legitimacy, unrest, political dissidence, etc. If it is the case, trying to exploit the internet to your advantage can quickly backfire, especially if you can't fully trust your fellow party officials (this is linked to condition #3). Many examples of relatively stable single-leader states exist if in need of inspiration, Fidel Castro's Cuba for example. Castro successfully reigned over the country for decades, effectively protecting his people from counter-revolutionary individuals. He appointed his brother as the commander in chief of Cuba's army and managed his regime using elaborate surveillance and strict dissuasive mechanisms against enemies of the state.[49] As is always the case, political incidents will occur and test your regime's resilience (the Bay of Pigs invasion or the missile crisis, for example), but even massive states have managed to uphold a single-party model and have adapted beautifully to the digital age - in China's case, despite close to 87 000 protests in 2005.[2] Follow these states' example and seek stability, no matter what your regime type is. Without it, you are jeopardizing the two next prerequisites and annihilating your chances to rule with the internet at your side. If you are in the midst of an important political transformation, busy chasing counter-revolutionary dissidents or sending your military to the streets in order to educate protesters, you will need to tame these fires first and come back to this guide afterwards.

The Dictator's Practical Guide to Internet Power Retention, Global Edition

Tor project considers covering costs for exit nodes

The maintainers of the Tor Project -- which provides more anonymous and private Internet use by bouncing traffic around many volunteers' computers -- are considering paying $100/month to people who maintain high-speed "exit nodes." "Exit nodes" are the last hop in the Tor chain, and they sometimes attract legal threats and police attention, which makes some people reluctant to run them. As a result, there aren't enough exit nodes to provide really robust anonymity for Tor users. Tor hopes that by covering costs for organizations and individuals who are willing to provide exit nodes, they'll get more diversity in the population of exits. Darren Pauli has more in SC magazine:

"We've lined up our first funder BBG, and they're excited to have us start as soon as we can," Dingledine wrote on the Tor mailing list.

The backflip came about because exit node diversity was low: most Tor users choose one of just five of the fastest exit relays about a third of the time, from a pool of about 50 relays.

"Since extra capacity is clearly good for performance, and since we're not doing particularly well at diversity with the current approach, we're going to try [the] experiment," he said.

Tor Project mulls $100 cheque for exit relay hosts

(Image: Counterfeit $100 Bill, a Creative Commons Attribution (2.0) image from travisgoodspeed's photostream)

TOR project uncovers flaw in mass-surveillance appliance

The TOR team have discovered a fake certificate in the wild. The certificate, issued by a US company called Cyberoam, was used in an attempt to trick a user in Jordan into believing that her/his connection to the TOR website was private and secure, though in fact it was being spied upon by a Cyberoam device. Cyberoam makes "deep packet inspection" software, used in mass surveillance of Internet traffic, and as TOR's Runa Sandvik and OpenSSL's Ben Laurie investigated the matter, they discovered that all Cyberoam devices share a common vulnerability related to their handling of certificates. The company was notified of this on June 30, and told that the vulnerability would be made public today.

Last week, a user in Jordan reported seeing a fake certificate for The user did not report any errors when browsing to sites such as Gmail, Facebook, and Twitter, which suggests that this was a targeted attack. The certificate was issued by a US company called Cyberoam. We first believed that this incident was similar to that of Comodo and DigiNotar, and that Cyberoam had been tricked to issue a fake certificate for our website.

After a bit of research, we learned that Cyberoam make a range of devices used for Deep Packet Inspection (DPI). The user was not just seeing a fake certificate for, his connection was actually being intercepted by one of their devices. While investigating this further, Ben Laurie and I found a security vulnerability affecting all Cyberoam DPI devices.

Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key. It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception.

Security vulnerability found in Cyberoam DPI devices (CVE-2012-3372) (Thanks, Runa!)

Tor anonymity developers tell all

Runa from the Tor anonymity project sez, "Karen and I will be answering questions on Reddit today. Feel free to ask us anything you'd like relating to Tor and the Tor Project!"

Tor Project on The Alyona Show

On The Alyona Show, Jacob Appelbaum talks about the Tor Project and internet anonymity.

TOR is hiring

Runa from The Onion Router -- a privacy and anti-censorship tool used around the world -- writes, "We are looking for another dedicated core developer to join our team. Your job would be to work on all aspects of the main Tor network daemon and other open-source software. This would be a contractor position for 2012 (starting as soon as you're ready and with plenty of work to keep you busy), with the possibility of 2013 and beyond. Please see the website for details and information on how to apply."

FBI tells net cafe owners that TOR users might be terrorists

Icecube sez, "Are you concerned about your online privacy? Do you shield your laptop from view of others? Do you use various means of hiding your IP address? Do you use any encryption at all like PGP? That means you are probably a terrorist according to the FBI. These are just some of the activities that are suggested indicators of terrorism according to a flyer being distributed entitled 'Communities Against Terrorism.' You can find a PDF version here entitled 'Internet Cafes.'"

State of the arms race between repressive governments and anti-censorship/surveillance Tor technology (and why American companies are on the repressive governments' side)

Last night's Chaos Computer Congress (28C3) presentation from Jacob Appelbaum and Roger Dingledine on the state of the arms race between the Tor anti-censorship/surveillance technology and the world's repressive governments was by turns depressing and inspiring. Dingledine and Appelbaum have unique insights into the workings of the technocrats in Iranian, Chinese, Tunisian, Syrian and other repressive states, and the relationship between censorship and other human rights abuses (for example, when other privacy technologies failed, governments sometimes discovered who was discussing revolution and used that as the basis for torture and murder).

Two thirds of the way through the talk, they broaden the context to talk about the role of American companies in the war waged against privacy and free speech -- SmartFilter (now an Intel subsidiary, and a company that has a long history of censoring Boing Boing) is providing support for Iran's censorship efforts, for example. They talked about how Blue Coat and Cisco produce tools that aren't just used to censor, but to spy (all censorware also acts as surveillance technology) and how the spying directly leads to murder and rape and torture.

Then, they talked about the relationship between corporate networks and human rights abuses. Iran, China, and Syria, they say, lack the resources to run their own censorship and surveillance R&D projects, and on their own, they don't present enough of a market to prompt Cisco to spend millions to develop such a thing. But when a big company like Boeing decides to pay Cisco millions and millions of dollars to develop censorware to help it spy on its employees, the world's repressive governments get their R&D subsidized, and Cisco gets a product it can sell to them.

They concluded by talking about how Western governments' insistence on "lawful interception" back-doors in network equipment means that all the off-the-shelf network gear is readymade for spying, so, again, the Syrian secret police and the Iranian telcoms spies don't need to order custom technology that lets them spy on their people, because an American law, CALEA, made it mandatory that this technology be included in all the gear sold in the USA.

If you care at all about the future of free speech, democracy, and privacy, this is an absolute must-see presentation.

Iran blocked Tor handshakes using Deep Packet Inspection (DPI) in January 2011 and September 2011. Bluecoat tested out a Tor handshake filter in Syria in June 2011. China has been harvesting and blocking IP addresses for both public Tor relays and private Tor bridges for years.

Roger Dingledine and Jacob Appelbaum will talk about how exactly these governments are doing the blocking, both in terms of what signatures they filter in Tor (and how we've gotten around the blocking in each case), and what technologies they use to deploy the filters -- including the use of Western technology to operate the surveillance and censorship infrastructure in Tunisia (Smartfilter), Syria (Bluecoat), and other countries. We'll cover what we've learned about the mindset of the censor operators (who in many cases don't want to block Tor because they use it!), and how we can measure and track the wide-scale censorship in these countries. Last, we'll explain Tor's development plans to get ahead of the address harvesting and handshake DPI arms races.

How governments have tried to block Tor

SOPA bans Tor, the US Navy's censorship-busting technology

Tor, the censorship-busting technology developed by the US Navy and promoted by the State Department as part of the solution to allowing for free communications in repressive regimes, is likely illegal technology under the Stop Online Piracy Act. SOPA makes provision for punishing Americans who contribute expertise to projects that can be used to defeat its censorship regime, and Tor fits the bill.

"I worry that it is vague enough, and the intention to prevent tunneling around court-ordered restrictions clear enough, that courts will bend over backwards to find a violation," says Mark Lemley, a professor at Stanford Law School who specializes in intellectual property law.

Smith's anti-circumvention language appears designed to target software such as MAFIAAFire, the Firefox add-on that bypassed domain seizures, and ThePirateBay Dancing and Tamer Rizk's DeSOPA add-ons, which take a similar approach. (As CNET reported in May, the U.S. Department of Homeland Security has tried, unsuccessfully so far, to remove MAFIAAFire from the Web.)

But Smith worded SOPA broadly enough that the anti-circumvention language isn't limited to Firefox add-ons. In an echo of the 1998 Digital Millennium Copyright Act's anti-circumvention section, SOPA targets anyone who "knowingly and willfully provides or offers to provide a product or service designed or marketed by such entity...for the circumvention or bypassing" of a Justice Department-erected blockade.

How SOPA's 'circumvention' ban could put a target on Tor (Thanks, James!)

Tor project asks supporters to set up virtual Tor bridges in Amazon's cloud

The Tor project, whose network tool helps people avoid online censorship, works by bouncing traffic around several different computers before it reaches its destination. The more computers there are in the Tor network, the better it works. Now, Tor's developers want its supporters to set up Tor "bridges" on Amazon's cloud computing platform, EC2. EC2 has a free introductory offer and there's an easy Tor image that is configured and ready to go -- but if you don't qualify for the free offer, you can donate a powerful Tor bridge for as little as $30 a month, and help people all over the world who want to be more anonymous and more private.

Setting up a Tor bridge on Amazon EC2 is simple and will only take you a couple of minutes. The images have been configured with automatic package updates and port forwarding, so you do not have to worry about Tor not working or the server not getting security updates.

You should not have to do anything once the instance is up and running. Tor will start up as a bridge, confirm that it is reachable from the outside, and then tell the bridge authority that it exists. After that, the address for your bridge will be given out to users.

Run Tor as a bridge in the Amazon Cloud

Hacker Prom tonight at San Francisco's Noisebridge hackerspace

Noisebridge, the celebrated hackerspace in San Francisco's Mission district, is celebrating its third anniversary tonight with a Hacker Prom. There's a makeout room (featuring Makerbots), pre-spiked punch, and awkward prom photos. You're encouraged to bring a robot date. Oh, this does look fun!

The whole event is a fundraiser for NoiseTor, a part of the TOR anonymizing proxy system, which creates and manages Tor nodes for those without the time to set one up themselves.

(Thanks, Danny!)