Slashdot Mirror


Peek-a-Boo (ty)

Anemophilous Coward writes "Tom's Hardware has a story detailing cDc's new anonymity app, just demonstrated Sunday. Peek-A-Booty is designed to let surfers access sites blocked by government restrictions, and is, essentially, a distributed proxy network. It uses a peer-to-peer model, masking the identity of each node. This means the user can route around censorship that blocks citizens' access to specific IP addresses, because the censor doesn't know they're going there. There is also a website dedicated to the project."

19 of 218 comments

  1. Good for some, nightmare for others by Dark+Paladin · · Score: 5, Interesting

    I can see both the good and bad of this application.

    On the good side: China. Folks over there who have to deal with the gigantic "Firewall O' Death" (also known as the "Damn it, Communism works so stop reading about how it doesn't" Firewall) can possibly use this tool to get to the outside information they need to keep spreadin' the news that "Information good."

    On the other side, as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job.

    So I've got mixed feelings on this utility.

    1. Re:Good for some, nightmare for others by Rupert · · Score: 3, Insightful

      Where I work they have the drones' boxen locked down so they can't change their proxy settings. Thus PeekaBooty is not a problem.

      The more inspired drones have installed Opera, which doesn't require administrator access to install in Windows. They could presumably use PB. They're a small minority, though.

      --
      E_NOSIG
    2. Re:Good for some, nightmare for others by mosch · · Score: 3, Insightful
      As a security manager, you should learn how to lock down the computers that the users are using, thus preventing the installation and deployment of this utility.

      Additionally, your security policy should have language forbidding the use of non-authorized software, thus making the use of said software a fireable offense.

    3. Re:Good for some, nightmare for others by shut_up_man · · Score: 5, Funny

      Dude, you're such a tease... nakedhairyeyebrowedcheerleaders.com doesn't even exist!

      And here I was getting all excited...

    4. Re:Good for some, nightmare for others by Rogerborg · · Score: 3, Insightful
      • On the good side: China [...] to keep spreadin' the news that "Information good."

      Er, good side: USA. To find DeCSS or similar tools without fear of prosecution, for example, or to keep spreadin' the news that "Censorship bad, even when it's done by a (heh) democratically (heh heh) elected (heh heh heh) administration."

      • as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job

      Depends on what your job is. If your job is to protect the bank from liability, anonymised browsing allows you to state with certainty "Nobody can link us or our employees with porn surfing. Not us, not nobody."

      If you've been tasked with catching a known baddie in the act (perhaps at preteenlolitas.com), then you've got keyloggers, machine caches (they don't have admin access, right?) or just drop VNC on their machine and catch them with their pants down, so to speak.

      I appreciate your concerns, but really, wouldn't it actually make your job easier if users showed a little courtesy and consideration, and stopped waving their dodgy surfing habits in your face (so to speak)?

      --
      If you were blocking sigs, you wouldn't have to read this.
    5. Re:Good for some, nightmare for others by smallpaul · · Score: 4, Insightful

      So what you're saying is: "On the good side, fundamental human rights. On the bad side, makes life harder for pointy haired bosses who feel that lunch breaks spent playing cards are fine but lunch breaks surfing porn are an abomination."

      And this gives you mixed feelings???

    6. Re:Good for some, nightmare for others by Rupert · · Score: 3, Funny

      I don't administer any kind of network (apart from the 4 Linux & 1 Win98 at home). However, you don't have to be a sysadmin to be patronising and arrogant. And my uid is not particularly low. It's about two orders of magnitude too high to get a proposal of marriage from CmdrTaco.

      They are not drones because they are Windows users. The reverse would be more accurate.

      --
      E_NOSIG
    7. Re:Good for some, nightmare for others by YU+Nicks+NE+Way · · Score: 5, Insightful

      I agree that jpegs of naked cheerleaders with hairy eyebrows are not security issues in and of themselves.

      That doesn't really matter, though. The most vulnerable part of any corporate network is its users, now. A user who's violating the acceptable use policies for his or her employer's network is an automatic security risk. First, such an employee becomes a possible blackmail target. In the case of porn, a network admin must bar porn on a professional network because of the possibility of a sexual harassment suit being filed against the company. That means that the AUP must make accessing such materials through the corporate site a disciplinable offense...hey, presto, instant blackmail. Second, though, any user who is actively subverting procedures put in place to prevent such abuse must believe that he or she "knows better than you do". Although the user's right in the vast bulk of cases, the cost in those rare cases where they're wrong is disastrous. What if the site is malicious? If they can get around your barriers, then what else are they downloading? Do they necessarily even know? How tight are the barriers around their machines?

      Would you be willing to bet the company on their care?

    8. Re:Good for some, nightmare for others by sharkey · · Score: 4, Funny

      I don't care how low your uid is, I still find your referring to employees as drones to be patronising and arrogant.

      That's right. Please refer to them more accurately. Call them "lusers".

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    9. Re:Good for some, nightmare for others by trog · · Score: 4, Insightful

      No, this makes it a security issue. Remember, all web browsers have remote exploits in them from time to time. Pr0n sites tend to be the first ones to exploit these holes (to get email addresses, install software, pop up ad pushing, etc.) Surfing pr0n sites at work is an almost for sure way to compromise the office network.

  2. Easily blocked too... by Nijika · · Score: 3, Interesting

    The problem is restrictive governments have people on staff to look for stuff like this. This app (while I haven't tested it) pulls from multiple sources. I like the idea a lot. Sorta moving towards a P2P web network where you can browse content like you do now but peer to peer rather than client / server.

    --
    Luck favors the prepared, darling.
  3. This still won't work! by SMN · · Score: 5, Insightful
    Peacefire has been following Peek-A-Booty for a while, and we keep coming to the conclusion that a peer-to-peer anti-censorship system is impossible. There's a very basic problem that Peek-A-Booty still hasn't solved.

    The problem: Say I'm a user who wants to connect to a Peek-A-Booty network. I need to get the address of a node to connect to. How do I get this? The obvious solution, and the one used for Gnutella and other peer-to-peer apps, is to publish a list of nodes (or at least one). But that won't work here -- because then the censors can use the same list to track down the nodes and block and/or disable them. This is especially problematic if you're using Peek-A-Booty as it claims it is meant to be: if you're in a country that filters access (say, China) and the government can track down the users trying to circumvent the filters, they can and will punish/torture/kill those people.

    Peek-A-Booty has not solved this problem. Read what Tom's article has to say about it:

    "For security, there's no attempt at initial discovery - you'll get sent details of a node by word of mouth, or from some other secure source. Baronowski and de Villa expect that citizens groups (NGOs) will become trusted servers."

    That's right -- the only way to connect to a Peek-A-Booty network is word-of-mouth, which is horribly ineffective. Finding a node will be extremely difficult unless you know the right people, and then it's very easy for the censor to ruin it. Trust the wrong person, and your whole network is exposed. Government spies could give out addresses that they claim are Peek-A-Booty networks, then catch anyone who tries to connect to those. Worst of all, they could just offer some huge incentive to people for turning in their friends.

    I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.

    --
    -- Imagine how much more advanced our technology would be if we had eight fingers per hand.
    1. Re:This still won't work! by lysurgon · · Score: 4, Insightful

      I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.

      And they never will. Why? Because the problem they are attempting to solve is not a purely technical one. Censorship is a political issue (e.g. involves people, not just machines) and as such demands a political component to its resolution.

      The merit of the program sits on the notion that repressive countries cannot afford to blockade the internet wholesale in order to control access to the proxy network. Ergo the success of the project is based on enough people in non-firewalled countries participating. And this doesn't just mean a lot of p2p proxy nodes, it also means a lot of people publishing a list of gateways.

      Much like in the world of warez, the massive proliferation of information would make it difficult if not impossible for the censoring agent not only to keep up with the number of IPs that serve as proxy nodes, but also to keep up with the number of websites that point to potential gateways.

      Look, this is a software project designed to break the laws of repressive countries. As such, it will never be a "technical solution" to the problem. At best (and this is what I think they're going for) it is a technical aid in the struggle for freedom. I say cheers to them.

  4. Spooky prediction by Rogerborg · · Score: 5, Interesting

    The Great Rogerborgio will make a spooky prediction. When Peek-a-Booty 1.0 reaches 100,000 downloads, a story will break that the client contains a hostile trojan that lets "evil hackers" take control of your machine, impersonate you, steal your credit card details, and screw your shrieking girlfriend in the ass while you watch helplessly, tears of frustration streaming down your shocked, betrayed face.

    The story will be submitted by a "credible group of anonymous white hat hackers" and run - unquestioned - by BBC Online and - slightly questioned, at best - by Reuters, and every other online news source will pick it up from there and spread it as gospel truth.

    It will not be true. It will be Fear, Uncertainty and Doubt, pure and simple. Many interested parties will want Peek-a-Booty to fail. In fact, there are so many - governmental and industrial - that even the Great Rogerborgio cannot peer through the mists of time sharply enough to determine the culprit.

    But it will happen. And remember, you read it here first.

    --
    If you were blocking sigs, you wouldn't have to read this.
  5. Another Diamond Age prediction true? by wickidpisa · · Score: 3, Interesting

    Doesn't this system remind anyone of the media network in Neal Stephenson's The Diamond Age? Information gets passed from one place to another by different people, so that no one can tell where the person on the other end is. Looks like another one of Stephenson's ideas has become a reality.

  6. Look for the worst and you'll always find it. by Perianwyr+Stormcrow · · Score: 4, Insightful

    Information-type limiting works against the very idea of the system.

    I don't mind helping everyone equally. Even sexual predators- there are other ways to catch them.

    Sorry, kiddie porn is not a trump card with me.

    --

    What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey

  7. Employee surfing - hard learned lessons by nomadicGeek · · Score: 5, Interesting

    I see a lot of posts which seem to imply that employee surfing should be ignored. Why is it a big deal if an employee does some personal surfing? Why not measure an employee's productivity and leave it at that?

    I used to work at a company that had a very liberal internet use policy. We were pretty early adopters as far as the corporate world goes. We wanted people to use the Internet as a tool and didn't want to micromanage or scrutinize its usage.

    Over the years we had to tighten our policy as abuses started to mount. The final straw was an idiot who was collecting kiddie porn and saving it on our network server! We immediately notified the police and he was arrested and prosecuted. The guy literally had hundreds of pictures carefully organized into directories to categorize them. It was obvious (1) that he had been doing it for a while, (2) he had invested a great deal of thought and time in these activities.

    The company was dragged into the employee's defense trial. We spent a lot of time and money on attorneys, depositions, etc. It was a nightmare. We were forced to implement a system to control and monitor access to the Internet to ensure that this type of thing did not happen again. It is one thing to get caught in that type of situation once but it can't happen again.

    So we spent a lot of time and money watching and controlling Internet access. It sucks but it only takes one idiot to mess things up for everyone and there are a lot of idiots out there.

    I still think that ideally Internet usage should be the employees' responsibility but in the real world things often get much more complicated.

  8. This works now by StrawberryFrog · · Score: 4, Insightful
    the only way to connect ... is word-of-mouth, which is horribly ineffective. Finding ... will be extremely difficult unless you know the right people, and then it's very easy for the censor to ruin it. Trust the wrong person, and your whole network is exposed.


    Millions of drug users use this model quite happily.

    --

    My Karma: ran over your Dogma
    StrawberryFrog

  9. Peek-A-Booty is no longer affiliated with CDC by Anonymous Coward · · Score: 5, Informative

    http://cultdeadcow.com/details.php3?listing_id=426

    PEEKABOOTY UPDATE
    FOR IMMEDIATE RELEASE

    LUBBOCK, TX, February 7 -- The CULT OF THE DEAD COW (cDc) would like to clarify a few matters in relation to Peekabooty, an anti-censorship software application currently under development.

    Peekabooty was originally the brainchild of the Hacktivismo group, an international cadre of hackers founded by the cDc's Oxblood Ruffin. Hacktivismo's mandate was and is to develop technology in the service of human rights. Peekabooty was its first project; others are in various stages of planning and development.

    The CULT OF THE DEAD COW has supported this work from its conception, because we view censorship of the Internet as a cancer that must be excised. However, it should be noted that the cDc membership have not been contributing code or driving the development schedule for Peekabooty. This project was entirely the concern of Hacktivismo group.

    Two years ago, Bronc Buster and Mr. Pink wrote the proto-code for the current iteration of Peekabooty. Paul Baranowski (who until recently used the handle "Drunken Master") later became its chief architect and took charge of the Peekabooty programming effort. Some months ago, Paul chose to dedicate himself full-time to refactoring the codebase and finish implementing the remaining functionality.

    Paul has recently decided to sever ties with the Hacktivismo group but he will continue to develop the Peekabooty app. Occasionally developers can't find the environment they need to do their best work and now is one such time.

    Paul will be leaving Hacktivismo and taking on full responsibility for his work and all future development of his software. So from now on, Paul is directing all aspects of the Peekabooty project. It is no longer a Hacktivismo production. The Hacktivismo group will shift its main focus back to other projects in the pipeline.

    We continue to wish Paul the best of luck. We believe that Peekabooty will prove itself to be a liberating force on the Net. Although Hacktivismo has severed formal ties with the project, some members intend to informally contribute their testing skills, etc. to the ongoing effort.

    Paul will be presenting a recent snapshot at CodeCon, February 15 - 17, in San Francisco. Go check it out. But please be aware that this is not a launch; Peekabooty is still a work in progress.