Dissidents Seeking Anonymous Web Solutions?

DocMurphy asks: "I'm working with some dissidents who are looking for ways to use the Internet from within repressive regimes. Many have in-home Internet access, but think it too risky to participate in pro-freedom activities on home PCs. Internet cafés are also available, but although fairly anonymous, every machine may be infected with keystroke loggers that give governments access to and knowledge of 'banned' sites. Dissidents not only want to remain anonymous themselves, but also wish to not compromise the sites they access. Any suggestions for products/procedures/systems out there making anonymous access & publishing a reality under repressive regime run Internet access?"

write in advance, encrypt and email it

[maharg]

write it in advance, take it to the cybercafe on a floppy, pgp it, email it to someone you trust (or an automated publisher)

Re:write in advance, encrypt and email it

[FreezerJam]

Just beefing that up a bit...

In general keep needed software and materials off the machine, on usb key only. Ideally, use an OS with no swapping. Keep the USB key in a shielded housing when not in use to prevent locating it due to active components.

Regularly use the machine for innocuous activities, so that there is a record of something. Regularly use an identical usb key with the system, to provide cover in the event you are seen with the device (see below), and to provide a reason for any needed drivers on the machine.

To send...

1) write it in advance
2) PGP it
3) steganographically hide it
4) take it to the cybercafe on a floppy/usb key
5) upload it to a public place where everyone can see, so it is hard to track receipt
6) Afterwards, out-of-band relay to a contact where to find it. If you relay ahead of time, a compromised contact could leak where to look for you. THIS IS THE HARDEST PART. It is effectively your key-exchange process.

For receipt...

1) Beforehand, find out where to look for what. THIS IS THE OTHER HARDEST PART. It is effectively your key-exchange process.
2) at cybercafe, download uninteresting materials
3) at home, de-steg and de-crypt
4) store only if needed on key

Regularly upload and download un-steg (no payload) and random steg (random payload) materials to defeat traffic analysis.

If you have any time left over after all this, you can use it to be a dissident. However, you should regularly do other things such as get a job or have a family to provide a plausible reason for your existence.

Re:write in advance, encrypt and email it

[Simonetta]

write it in advance, take it to the cybercafe on a floppy, pgp it, email it to someone you trust (or an automated publisher)

This wouldn't work in the People's Republics where sending and receiving encrypted messages is illegal.
In this case, perhaps encrypting the message and putting the message inside a photograph using a stegnography program would work for a while.
Eventually the police will learn about stegnographic programs and test all photos leaving the country on the web for any messages. There aren't that many commercial steg programs around.
In brutal repressive regimes, the primary means of gathering information on the resistance is through informers. Eventually the police arrest everyone and offer them the deal of either spy on your neighbors and friends or rot in prison forever. The former East Germans were the masters of this. Almost everyone was forced to spy for the secret police. When the government fell the people first burned down the internal security headquarters and the files. The Israelis also use this technique to control Palestine. But they are far too heavy-handed to be effective.
Assume that the best scientists and engineers will be working to spy on people. The police can easily arrest these people for imaginary crimes and then offer them special treatment in exchange for their willing co-operation. An excellent novel on how this works is The First Circle by Aleksandr Solzhenitsyn, writing about the slave labor camps for scientists in the Stalinist USSR.

Re:write in advance, encrypt and email it

[Krunch]

Maybe Tinfoil Hat Linux could be useful to someone after all.

Onion Routing

http://tor.eff.org/

Use the Circumventor.

[Silverlancer]

PeaceFire distributes a free program called the Circumventor which can be used (by running it on a server in a free country) to safely and securely proxy out of a firewalled nation like China.

Tor

[Tack]

Look at Tor. It works well.

Jason.

Re:Tor

[geminidomino]

If it works at all.

Wholesale blocking of Tor nodes as they are identified has become popular because, like anything remotely useful, it's been abused by spammers, stalkers, and other general asshats.

There is no anonymity on the internet

[HighOrbit]

Between IP-Addresses, MAC addresses, and dial-in-numbers, there is no anonymity on the internet. Any feeling of anonymity is an illusion. Best not to risk your life if a regime is that oppressive. Not even encryption is safe, because as you mentioned, keyloggers and silent listeners can capture passcodes and keys. If you must pass information, try it the old fashioned way - person to person or with a trusted intermediary.

https steganographic, encrypted proxies

[js7a]

From http://doc.asf.ru/Tools%20&%20Utilities.htm

Corkscrew (Unix, Windows) : Tunnel SSH connections through an HTTP proxy.

Curl (Unix, Windows) : Utility who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP, ... Also supports proxies, cookies, authentification, resumes, ...

DesProxy (Unix, Windows) : Tunnel TCP connections through an HTTP proxy, eventually by converting SOCKS requests.

FizzBounce (Unix) : TCP redirector through HTTP proxies.

HTTPort (Windows) [Closed source]: Tunnel TCP connections through the HTTP protocol, by simulating a SOCKS server, and by eventually using an intermediate server.

HTTPTunnel (Unix, Windows) : Bidirectionnal tunnel through HTTP requests, eventually through an HTTP proxy.

LibCurl (Unix, Windows) : Library who permits to easily download and upload files by using different protocols: FTP, HTTP, HTTPS, Telnet, LDAP, ... Also supports proxies, cookies, authentification, resumes, and lots of languages: C, C++, Perl, ...

MultiProxy (Windows) [Closed source]: HTTP proxies tester. MultiProxy can be used as a proxy server who use a different proxy for each request.

Numby (Unix) : Scanner for HTTP vulnerables proxies.

Proxomitron (Windows) [Closed source]: Scanner and redirector through HTTP proxies, who can also delete or modify informations contained in HTML transferred pages. For example, this permits to easily filter automatic popups, DHTML or JavaScript.

ProxyTools (Unix, Windows) : Set of Perl utilities, who permits to use, sort, test and search for HTTP proxies.

TransConnect (Unix) : Transparently tunnel TCP connections through an HTTP proxy.

Zylyx (Unix) : permits to access to files through HTTP proxy caches.

Re:https steganographic, encrypted proxies

[DrEldarion]

Proxomitron [proxomitron.org] (Windows) [Closed source]: Scanner and redirector through HTTP proxies, who can also delete or modify informations contained in HTML transferred pages. For example, this permits to easily filter automatic popups, DHTML or JavaScript.

I'd just like to say that this is one of the most wonderful programs of all time. Quite powerful.

Re:Freenet... not all that anonymous

[Sanity]

The Reg has an article that points out a soft spot in the supposed anonymity provided by Freenet.

Yes, and the Freenet website has a response:

A recent story in The Register claims to have exclusively discovered an "easy forensic attack" that would allow an attacker to determine what you had downloaded from Freenet. Whether raiding somone's home and gaining access to their computer can really be considered an "easy" attack is debatable, but either way this issue is not news to us, we have publicly discussed it as early as October 2003, when it was raised on our mailing list.

The article doesn't point out that while the attack as described requires someone to have direct access to your computer, Freenet is not designed to thwart forensic analysis of your hard disk, but there are numerous tools which do that have been widely available for years. These tools can be used in conjunction with Freenet if you consider it likely that your home will be raided and your computer forensically analysed.

Of course, even the theoretical possibility of this kind of attack is undesirable, and as the article points out, it will be addressed in the next major release of Freenet which we are working on at present.

Re:And the entire internet is public..

[WhiplashII]

Even better:

1. Have a PC with a CDROM drive.
2. Rent or borrow an SSH account outside the country.
3. Boot PC using KNOPPIX (do not load hard drive)
4. Open a connection through SSH that forwards a local to an anonymous proxy at the far end.
5. Use 127.0.0.1 as your proxy address.
6. Surf away!

When done (or if the government busts in!), reboot your computer - no traces left. (Knoppix stores everything in RAM).

Keyloggers do not work against you, because you are booting from known media. (On the other hand, if the NSA REALLY wants you, they will hack your bios - but no one else is probably that anal).

Re:Q:

[mad.frog]

No, not quite.

A dissident (my definition, anyway) expresses dissent by speaking, writing, or other nonviolent activity.

A terrorist expresses dissent by violence, mayhem, murder, or destruction of property.

Re:And the entire internet is public..

All you need to do is tunnel a local port over the ssh connection to a remote proxy.

For example, you could forward local port 8888 to a remote SOCKS server (port 1080 is SOCKS) like so:

ssh -L 8888:some-anon-proxy.com:1080 ssh-user@ssh-host

That forwards port 8888 on your machine to some-anon-proxy.com port 1080 via the ssh tunnel.

Then set your browser to use localhost port 8888 as the SOCKS proxy.

Note that most SOCKS connections still do DNS from your local machine so you need to protect that by some method. To do that you either need to use SOCKS 4a (I think), use a non-SOCKS proxy (like HTTP proxy), or use a local proxy like privoxy that itself fowards to another proxy via the SSH tunnel.

And there is always Tor.

Re:And the entire internet is public..

[WhiplashII]

The command is:

ssh -L proxyport:proxyIP:proxyport sshServerIP

for example:
ssh -L 8000:lvsweb.lasvegasstock.com:8000 shell.frogstar.com

Note that this is not untraceable - especially by the NSA. But other governments will have a difficult time with it.

Re:American dissidents persecuted by Secret Police

[jmorris42]

> There are many posters on fark.com who tell of farkers getting
> intimidation visits from teh Secret Police

Yo, cornholio. This IS Fark, right? And you believe anything written there? Yea, right. All the zaniness of the Moveon.org crowd without the maturity. And that is saying something. Hint: don't lieten to what the tinfoil hat crowd says, they ain't sane. Not saying that the Secret Service doesn't at least keep an eye on even low threat sites like Fark, but I seriously doubt they would waste their limited manpower harassing a random leftist posting "death to Bush" threats there unless they had their profile linked with accounts on more seriously dangerous sites.

And besides, death threats against a President should be taken seriously, and shouldn't be protected by the 1st Amendment. It isn't like the odds of surviving being elected President of the US isn't already worse than being shot into space, lets not make em worse by inventing a constituitional right to make death threats against the poor bastards.

Lets review recent history, shall we? (Warning, flamebait)

Bush II: The Deaniacs are this >< close to launching suicide bombers against him. I'd be shocked if he makes it to the end of his term without somebody taking a shot. And depending on where that last airliner was bound and whether they knew he wasn't home at the time you could say Osama already give it a go.

Clinton: Somebody crashed a fscking airplane INTO THE WHITE HOUSE. Of course he left a trail of blood in his own minions. (Ron Brown, et al.)

Bush I: Ok, so nobody tried to kill him until he left office.

Reagan: Blamo. But they just don't make crazed gunmen like they used and he didn't succeed. For which the world should give thanks, otherise half the world would still be under the darkness of Soviet Communism.

Carter: I seem to recall a nutjob taking a run at him. Or was it Ford.

Ford: See above.

Nixon: Nobody tried to shoot him. Nobody even really wanted to, except some of John Kerry's more extreme friends. Which says volumes about how far public civility has sunk in the interveening time.

Johnson: Well he probably assumed by office by assination, but that doesn't count, does it?

Kennedy: Blamo. See above.

Re:And the entire internet is public..

[Jack+Taylor]

Knoppix stores everything in RAM

Not entirely true. Knoppix searches for and uses existing unix swap partitions. To stop it doing this you should pass the 'noswap' option at boot. Look at the Knoppix Cheat Codes page for evidence, and for other boot options.