Slashdot Mirror
Anonym.OS a Boon for Privacy Geeks?
The Hosting Guy writes "Wired is running an article about a live CD that makes anonymous browsing easy enough for everyone. 'So easy to use you can hand it to your grandmother and send her off on her own to the local Starbucks.' Anonym.OS makes extensive use of Tor, the onion routing network that relies on an array of servers passing encrypted traffic to permit untraceable surfing."
With enough confederate nodes, tor can certainly be tracked. It isn't likely to happen, but it is possible.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
You might think from the daemon logo that it is a FreeBSD-based thing.
It isn't -- it is OpenBSD-based. So you'd figure the encryption would be top-notch. Also the OS is already very secure. That's what they focus on, to the exclusion of other things.
OpenBSD is quite reliable. If it includes drivers for hardware, they work.
Also, they only use code that they can look at. No blogs of code (like Linux or FreeBSD) are allowed. That's because if you can't inspect them, the NSA or an attacker might have put some bad code in there. It is because of things like this that Theo De Raadt won a prize from Stallman for his contributions to free software.
http://www.thebricktestament.com/the_law/when_to_
Yes.
In Minnesota, just having PGP on your computer is evidence of criminal intent.
Welcome to the land of the free...
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
1. What are the theories behind simple anonymous sharing of data?
It depends on what you mean by the terms "simple", "anonymous", and "sharing." Seriously. There is a lot of crypto research out there that touches upon the various possibilities, but it all boils down to this: the more anonymity you have in the network the higher the cost of using that network for everyone involved (where cost == increased bandwidth & CPU consumption and increased message passing latency.) In terms of what is possible there is basically a big dial, labelled "apply various crypto protocols and message-hiding techniques", that you can turn to decide how much inconvenience you are willing to put up with in return for better privacy.
2. Is it possible to completely diversify the Internet away from IP-based hosting to a new swarm-network of anonymous users all hosting little pieces of various forms of information? 2b. Is anyone working on this swarm idea?
Possible, but difficult. The difficulty increases significantly if you want to ensure reliability & availability of the data provided by the swarm or provide the nifty "web 2.0" trappings that most people have come to expect from web sites. Various projects are working on components of this mythical system, ranging from the Tor networking system mentioned in the original post to the Invisible Internet Project and GNUNet. Nailing the whole package in a single effort is a non-starter for anyone who has even casually glanced at the relevant research necessary to begin such a project, so each effort focuses on one specific aspect and eventually it might be possible to combine these efforts into a single coherent sytem.
In other words, don't hold your breath waiting for this one to actually come about.
3. As information becomes more accessible, will the need for information privacy be important? 3b. Is it more important to create a totally anonymous information sharing network than it is to work on harder to break encryption schemes?
I won't bother trying to answer the first part of the question because it is a matter of personal preference. As far as the second half of the question goes, having good end-to-end security does not help you if either of the endpoints is compromised; a malicious server can reveal that you are surfing for child porn while a malicious user can reveal that your site is distributing bomb-making recipes with no need for the points in between the two ends to break the communications encryption.
Of course, (s)he also isn't posting anonymously.
Need a Python, C++, Unix, Linux develop
Untraceable Hardly. Pehaps a little quote from the Tor Project home page is in order to put things in perspective:
And remember that this is development code--it's not a good idea to rely on the current Tor network if you really need strong anonymity.
I would equate untraceable with some damn strong anonymity, which Tor clearly does not yet offer. Non-buyer beware! ;-P
How about the Fourth Amendment? While it denies the government the ability to do "unreasonable" searches and seizures, it allows them to do all the REASONABLE searchin' and seizin' they want. That pretty much limits your privacy to whatever the administration in charge deems to be "reasonable." For instance there is no limit on how intrusive an inspector from Child Protective Services can be. None.
I stopped using TOR when I discovered the name of one of the common exit nodes. I forget exactly what it was, but I kid you not, it was something like "datapirates.org".
When it becomes illegal to criticize the government...
That's exactly what Australian citizens now face as part of the sedition laws brought in because of the "war on Terror".
If we decide that the Australian government is doing the wrong thing in Iraq or Afganistan and we mention this publicly we can be arrested and held without trial or warrant for 14 days. Once the case gets to court it's 7 years jail if proven.
Be afraid, it *can* happen in America too. One day they could tack the same bill on an appropriation request.
The scary thing is if you are arrested for sedition in Australia it is illegal for the press to report that fact, reporting someone is being held for sedition is also a seven year jail term.
I now use TOR so I can email my MP and the Prime Minister without the threat of jail being held over me. Australia *is* now a police state and we need TOR to attempt to balance the evil.
Orationem pulchram non habens, scribo ista linea in lingua Latina
I couldn't find a torrent link in the comments, so here is one:= anonymos-shmoo.iso.torrent
http://linuxtracker.org/download.php?id=1249&name
175seeds to 700peers as of 6:53PM MST
You're MAC address isn't used outside of your subnet.
Both the concept of privacy and the right to it go back much farther than you believe. As a simple example, do you think the inhabitants of a Roman insula (Equivalent to a modern apartment house.) had a communal lifestyle? No, of course they didn't, any more than renters in a modern apartment complex do today, and for the same reason. Each family has their own private space, and what they do there is nobody else's business. I suggest you study at least a little history before you start sounding off about it again, lest you put your other foot into your mouth.
Good, inexpensive web hosting
Steve Jackson Games
EFF's SJG Archive
SJG's Opinion of the whole thing
In short, the Secret Service knocks over a game publisher (micro-TSR-style games, such as Illuminati) and attempts to prove that D&D'ers taught David Lightman how to use a Shlitz pulltab to hack into the 911 system. Courts decide Secret Service was completely unjustified, award court fees to SJG. The legal team/computer activists that coalesced around the issue became the EFF.
Don't blame me, I voted for Baltar.
boo hoo, somebody might listen in on your messages informing others how '31337' you are, because you installed a Windows service pack.
r FAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1
Seriously, though, RTFM. This is answered in the Tor FAQ: http://wiki.noreply.org/noreply/TheOnionRouter/To
I got a copy of this at Shmoocon. It seems to be a good, stable OS. However, it still misses the mark with respect to ease of use. Hardly anyone's grandmother or even their mother would feel comfortable in using this OS. For example, your e-mail settings need to be re-entered everytime you use it. There are a few other areas of concern as well. However, I must say that this was an excellent first try, and I look forward for the enhancements that are supposed to come shortly.
Jim McCoy wrote:
>
> having good end-to-end security does not help you if either of the endpoints
> is compromised;
This is false.
> a malicious server can reveal that you are surfing for
> child porn
Not if it doesn't know who you are. All the server would know is the nearest node in the anonymous network the request came from. It would not know the where the user is coming from.
Here's an illustration, with "S" denoting the (compromised) server, "H" denoting a regular (non-anonymous) host/hop in between the server and the anonymous network, "A" denoting a host/hop in the anonymous network, and "U" denoting the user.
This diagram below illustrates a connection from the server to the user (or vice-versa).
S-H-H-H-A-A-A-A-U
Here is how the connection would look to the server:
S-H-H-H-A
It's clear that the server can only see the first link in the chain that constitutes the anonymous network. It does not know where the user is, execept that he's somewhere beyond that first "A".
> while a malicious user can reveal that your site is distributing
> bomb-making recipes with no need for the points in between the two ends to
> break the communications encryption.
This is also false for similar reasons to the ones described above. Below is another illustration, this time of a server hiding behind an anonymous network. (It's really the reverse of the above diagram.)
U-H-H-H-A-A-A-A-S
That is a diagram of a (compromised) user connecting to the server hiding behind a chain of hosts/hops in an anonymous network. But here is what the user would see:
U-H-H-H-A
Once again it's clear that the user can not see past the first link in that chain.
So it's clear that such a network is useful for preserving anonymity (at least in the ideal case). And even in the less than ideal case where either the server or the user's machine has been compromised it still preserves anonymity. In fact, if implemented right, it even preserves anonymity if more than one host/hop in the chain of the anonymous network is compromised. For more details on how this is accomplished I recommend reading up on the design and implementation of the mixmaster remailers.
All of the above assumes, of course, that the user/server itself doesn't do something stupid like provide identifying information about itself (ie. signing their emails with their real name/email address, and the like).
I think that either you or the users you have in mind are missing the point of an anonymous Internet proxy. The idea is that when you go through a proxy network, the website you're viewing/posting can't (easily) identify you by your IP. Sure, the site admins can see what you posted, but they can't be sure where it originated.
If you're worried about man-in-the-middle attacks, then the website you're visiting is probably the party you trust most in the transaction, and every step that your info takes along the way is another set of eyes that might be snooping on it. In this situation, you are correct that an anonymizing proxy will probably result in subjectively poorer security.
Then again, any website that has private data that you'd like to keep that way most likely has SSL enabled anyway. If you're using an end-to-end SSL-enabled webmail service like Gmail (httpS://gmail.com), and you trust 128-bit SSL, then you've probably got nothing to fear*. If you don't trust SSL, then you're probably worried about Big Brother and No Such Agency and the like. In this case, you're probably better off just hiding under your bed.
*Note that Yahoo! mail SSL-enables only their login page. Anybody in the middle running a packet sniffer or checking their web proxy logs can see your mail when you read it. They just can't see your Yahoo! password.
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
Anonym.OS provides the ability to automatically randomize MAC addresses at bootup. This is not done automatically, as doing so in certain environments (VMware, VirtualPC, MAC-restricted switch ports) may interfere with proper connectivity. Nonetheless, it's a Y/N question at boot time, and if Y it will be difficult -- if not impossible -- to effectively track a user across reboots, even from the same physical node.
The WTO protests was one of the biggest events of the late 20th century
Sure. I am sure that in fifty years it will be right up there with two world wars, a cold war, various civil rights movements, the rise and fall of communism, and various middle-east conflicts. Anarchists of the early 20th century were more significant than you or or compatriots will ever be.
[...] it was part of a snowballing effect against corporate globalization which stretched from all points on the globe, and culminated in events such as the uprisings in Argentina and the Zapatista march on Mexico City.
Yeah, and how did that zapatista march turn out in the long run? I hear the subcommandante is out touring again now that he realized his fifteen minutes were up and that the turnout is rather pathetic so far...
I've just updated the kaos.theory blog with some further information about Anonym.OS and some responses to blog, article, and comment criticism:
http://theory.kaos.to/blog/archives/2006/01/17/kao stheory-responds/
First of all, I'd like to take a moment to express, on behalf of kaos.theory, how excited and flattered we are by all of the attention that we and Anonym.OS have received. We always thought we were working on a cool project, but we really underestimated the overwhelming response that we've had. Scores of terabyte upon terrabytes of data have flowed and the hit counters keep on ticking. It appears that privacy is as big of a concern for a large segment of the population as it is for us.
That being said, there have been a few comments made and viewpoints published that we would like to address while we have the bully pulpit provided by the good folks at digg, Slashdot, Reddit, Wired News, and Ars Technica, among others.
USB
In the article written and posted at Wired News, Ethan Zuckerman makes the excellent point that rebooting really isn't an option for many living in oppressive, hostile regimes. Additionally, Mr. Zuckerman suggests the use of a bootable / emulated Anonym.OS environment available from a removable, USB key chain device. This is a feature that we have already incorporated into our road map and that we hope to release very soon.
For now, we need as many people as can reboot or run a session in VMWare / Virtual PC / QEMU to please please please test our release. We're not at 1.0 yet, contrary to some postings and articles. Our hope with this release is to solicit feedback from the community concerning features, bugs, and suggestions for everything from desktop wallpaper to file system optimization. Immediately after the Shmoocon talk, all of the members of the group happily fielded questions and comments from audience members that included many suggestions that we intend to incorporate quickly. This type of candid environment is one of the many traits that make Open Source a success and it's what we need in order to keep Anonym.OS growing and on a positive track.
The "China Problem"
Some have asked how we intend to deal with the "China Problem," which could be rephrased as, "What can Anonym.OS do to protect a user against a monitoring party who owns the entire network that the user is using?" Ultimately, this comes down to the ability of the user to utilize covert channels for escaping the network and reaching tor servers. If the party controlling the network is serious enough about its desires and goals in censoring its users, nothing can stop them from implementing a white-list only policy, effectively blocking all tor traffic as well as access to proxies and other tools used for evading filtering.
With those concerns in mind, kaos.theory will be working towards and automated egress filtering evasion script for use in conjunction with Anonym.OS. In terms of the "China Problem," this may not offer much as it will most likely require a "trusted friend" on the outside of the hostile network. In terms of a restrictive corporate network, this could be a viable solution. Again, however, these "covert channels" will likely lead to a ridiculous number of anomalous packets coming from a system (who really makes 25,000 DNS requests in an hour, anyway?) and thus are not a bullet-proof solution.
This is a staggering issue, and it's not one that's answerable entirely by technology. If a country or company chooses to restrict access for its users, and the entity is really serious in terms of throwing resources at the problem, there's not a lot we can do from the client-side.
The Naysayers
There have been two strains of objection to the project, one classical and the other uninformed. The former line of argument goes that we're simply enabling criminals to hide their illegal activities and, as suc
You mac can be changed at will. The physical address is burned into the card, but the OS (windows or linux) can be bluffed into using a different one.
There are some people that if they don't know, you can't tell 'em.
This is easy under Linux:
# ifconfig eth0 hw ether [new MAC address]
However, I've no idea of what the userspace program under Windows is to do this.
Incidently, this breaks a (rather silly) 802.11 security proposal I've heard that relies on people not being able to modify their MAC address.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
While you are correct that "the Internet" (by which I take that you mean TCP/IP) is an end-to-end protocol, email is not. It's a store-and-forward protocol, which means that you are potentially leaving a copy of your message at every intermediate point along the network, and assuming that the servers will purge that message later without allowing anyone to read it.
In fact I wouldn't liken email to regular 'snail mail' at all. It's much more like the old Western Union telegram service. You prepare your message and give it to someone who transmits it to someone else, who copies it down, and then passes it off for delivery to the recipient at some later time. People trust email because the machinery isn't very visible, and the whole thing seems very direct; the telegraph system in contrast is rather obviously not private even to someone unfamiliar with the technology because of the human interaction involved.
People have to divorce the idea of "no human interaction" from "privacy." Just because a system is automated doesn't mean that you should have or make any assumption of privacy. You have no way of knowing whether the recipient's mailserver is retaining copies of all their messages, or forwarding them to a third party, or many third parties. In fact in many corporate environments it's safe to assume that all email is being saved (although it's probably not being looked over immediately by a person) for a number of years -- yet because there's no obvious and constant reminder of the openness of the system (i.e. the telegraph clerk) people forget that it's not private.
As much as I despise the law in its current incarnation, I think the DMCA is an interesting model for the future of privacy in the digital age. If you send unencrpyted conversations over the wire, using any communication model where the messages do not flow directly from one client to the other over TCP/IP (or other network fabric which is commonly known to be end to end, or where the message is not stored and forwarded as a whole, e.g. only as packets), then there should not be any assumption of privacy. The exception is if the owners/operators of all the intermediate servers used in the communication (email servers, IM relays) have explicitly agreed not to retain copies or otherwise retain traffic. (In which case if they do retain copies, it becomes a breach-of-contract case.) If you desire any privacy, either use an end-to-end communication model, which could be as easy as clicking on the other person in AIM and choosing Direct Connect, or use some form of encrpytion on your messages. I don't care if your "encrpytion" is ROT-13, just something so that the person doing the interception has to expend some amount of directed effort to read your message, and that they know the contents were sent with the assumption of privacy.
By encrypting the message you as the communicator are attempting to create a more private channel of communication, and it means that to read your message, someone has to purposely decrypt the message and therefore cannot defend themselves by saying that the message was not sent as a private one. In the same way that the DMCA makes it illegal to circumvent a device meant to protect copyrighted data, a new privacy law could make it illegal for anyone to decrypt a communication that they are not the sender or intended recipient of, without due process and authority (e.g. warrant, or existing agreement with one party).
The point is that nobody with a basic understanding of the technology makes the assumption that email or instant messaging is private; although I understand the feelings of people who don't want privacy to be an "opt in" deal, it's also fair that people should have to take a certain amount of responsibility and consideration of how they communicate. If they desire privacy, it's easy enough to do. What we need to do is make sure that we have a legal framework for protecting people, once they make the decision to attempt to secure their channels of communication, so that there is not an open 'arms race' that will leave all but the most technically adept behind.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The Iridium system is for mobile voice and data usage, not fixed data service like the GP was speaking about.
You're correct that it's two-way, however it's a very different style of system. Iridium uses a constellation of 66 low-earth-orbit satellites (similar to how GPS works) and small handheld transcievers; satellite internet is much more like satellite television: "pizza box" dishes aimed at geosyncronous satellites (much higher orbits than the LEO Iridiums) that just bounce a signal from the remote earth station to a gateway somewhere else. The Iridium system by contrast features satellites that actually talk to each other, and relay a signal down to the ground station.
Iridium allows for very compact devices, typically battery powered, and worldwide availability, but low bandwidth. Satellite internet requires more hardware and requires a directional antenna (i.e. dish) but provides much more transfer.
Trust me: you wouldn't want to try and bittorrent the latest "24" episode via your Iridium phone. Neat as the system is -- and I think Iridium is cool as hell -- it's not high-speed internet.
Two-way, high speed internet via satellite is the stock in trade of Starband, you can read a very vague "how it works" article here:
http://www.starband.com/whatis/howdoesitwork.asp
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
How exactly do you think the mail gets from your GMail account to someone else's Yahoo mail account?