Slashdot Mirror
Anonym.OS a Boon for Privacy Geeks?
The Hosting Guy writes "Wired is running an article about a live CD that makes anonymous browsing easy enough for everyone. 'So easy to use you can hand it to your grandmother and send her off on her own to the local Starbucks.' Anonym.OS makes extensive use of Tor, the onion routing network that relies on an array of servers passing encrypted traffic to permit untraceable surfing."
Has the will to un-molestation finally passed out of mainstream?
Since Slashdot bans most Tor proxies from making comments. Perfect for geeks, eh?
With enough confederate nodes, tor can certainly be tracked. It isn't likely to happen, but it is possible.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
This is why co-workers and I have been working on Fappix - The Pornnoisseur Distro. Not only can you browse anonymously but you have several thousand pre-bookmarked pages to choose from in categories ranging from Amateur Nudes to Bukkake Hentai to Puke porn. You have a hankering for some DP? We got it. Maybe a little fisting for those slow lonely nights at home. Nothing but the best for our users!
Never worry about having the correct video codec or player again as they will all be pre-installed! No more waiting another 20 minutes to download and install some obscure viewer just so you can rub on off to Kismet the Albino Sheep Goes to the Circus!
With our patented "Live (Hand) CD" technology you simply boot from the disk and off you go into fantastic realms of spanktacular fun without the worry of spyware, malware, trojans, or incriminating cache files again. You'll never have to blame that spandex scat video on "some spam or something" ever again!
Fappix. The sound of one hand clapping.
Do not taunt Happy-Fun Ball
'So easy to use you can hand it to your grandmother and send her off on her own to the local Starbucks.'
Am I the only one who finds the juxtaposition of these two quotes alarming? I don't want gamgams to end up in the pokey (pun intended) for inappropriate behavior at Starbucks. That would be weird.
Do not taunt Happy-Fun Ball
Anonymizing yourself isn't a crime or probable cause for any kind of search warrant.
I've been very interested in the world of anonymous information sharing -- possibly as a replacement for the normal IP-based Internet. Maybe someone out there can answer a few questions:
1. What are the theories behind simple anonymous sharing of data? (I know there are newer versions of P2P beyond Torrent that allow for a third party mediator between two anonymous parties. This seems like a start to making a truly free-speech undernet.)
2. Is it possible to completely diversify the Internet away from IP-based hosting to a new swarm-network of anonymous users all hosting little pieces of various forms of information? 2b. Is anyone working on this swarm idea?
3. As information becomes more accessible, will the need for information privacy be important? 3b. Is it more important to create a totally anonymous information sharing network than it is to work on harder to break encryption schemes?
So easy to use you can hand it to your grandmother and send her off on her own to the local Starbucks.
... (pause)...
Fantastic! I've always thought copious amounts of caffeine and an anonymous method of browsing for porn were meant for ubergeeks like myself, but now that my *grandma* can do it as well, that's just fantastic!
OH GOD, MY EYES!!!
Anonymizing yourself isn't a crime or probable cause for any kind of search warrant.
In police states, someone who wants to be anonymous deviates from the norm and automatically becomes suspicious, as The Man considers that if you're not guilty, you have nothing to hide.
In US-PATRIOT USA, I'm not sure I'd want to participate in the Tor network. I'm definitely not the only one. Perhaps I'm a coward, but that should tell you something of what this country is slowly turning into...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
You might think from the daemon logo that it is a FreeBSD-based thing.
It isn't -- it is OpenBSD-based. So you'd figure the encryption would be top-notch. Also the OS is already very secure. That's what they focus on, to the exclusion of other things.
OpenBSD is quite reliable. If it includes drivers for hardware, they work.
Also, they only use code that they can look at. No blogs of code (like Linux or FreeBSD) are allowed. That's because if you can't inspect them, the NSA or an attacker might have put some bad code in there. It is because of things like this that Theo De Raadt won a prize from Stallman for his contributions to free software.
http://www.thebricktestament.com/the_law/when_to_
I'd check on these projects every few years, until finally, I sorta gave up on following them. They seemed to stagnate, never getting beyond the fringe.
A year or so ago, I wanted to the utilize mixmaster remailers, and I *still* wasn't able to find an up-to-date, lucid HOWTO or a client that didn't require a *lot* of work to use.
I haven't actively sought these tools in a while, so maybe they've caught up. But I keep my ear to the wall, and I have yet to hear any murmers of good anonymizing technologies, nor do I ever see any passing references to people using them.
I have assumed that the movement is either dead (nobody cares anymore) or ubiquitous (it's common knowledge and no big deal). Somehow, I kinda doubt it's the latter.
I've been toying with an idea for a site/system in the spirit of the Mixmaster remailers, but I want to be able to evaluate the current technologies before I totally re-invent the proverbial wheel. (Plus, I wish to be as anonymous in the registration and publication of the site as possible). I'd *love* some pointers.
Method of processing duck feet
Yes, I suppose they have that kind of porn, too.
The world's burning. Moped Jesus spotted on I50. Details at 11.
I nominate this for the most concisely inept retelling of the history of the Internet ever!
The world's burning. Moped Jesus spotted on I50. Details at 11.
You have the right to pamphlet anonymously. You have the right to use the internet to do it. You should be able to criticize the government without worrying about anyone getting revenge on you. I totally agree that the Patriot act goes way too far. By removing our basic freedoms, George W. has given the victory to the terrorists. We should be fighting to preserve our freedoms, not giving up our freedoms to fight the terrorists.
The fact that a bunch of sickos use this technology to be perverted does not mean that the rest of us should not use it. If you care about your freedom and you don't like what is going on then you can use it to safely make your complaints heard.
If the certificate validates, then probably yes.
If it doesn't validate, it means that someone could have setup a web server pretending to be the one asking for your credit card. It's a common man-in-the-middle attack, and is very easy to do with automated tools (like ettercap). You are protected, though, since the certificate (shouldn't be) valid in this case... the trusted CAs are trusted because they won't give a valid certificate to someone that's doing MITM attacks in Starbucks. (However, the CAs have been known to lapse. A certificate was granted a while back to something like paypa1.com and was used to phish paypal details. Users thought it was OK because the cert was valid, but it was valid for the wrong site.)
Either way, be careful.
My other car is first.
The idea that one might live one's life in private and without fear of molestation is a *very* recent phenomenon. It's not passing out of the mainstream, it never quite arrived there.
The right to privacy is a post-war interpolation from the set of Constitutional rights. It was hardly a consideration before single-family households became common beyond the elite classes consequent to industrialisation. The very idea of private life took meaning from the distinction to be drawn between the public and private duties of the landed gentry, whether he was acting as public judge or administrator of his chattel. The idea that citizens required more privacy than that demanded by Christian modesty simply did not occur. It is only in the last generation that anyone became actually interested in the details of your private life. Before the information age, such trivia had no value beyond the prurient, of interest only to busibodies and the beat cop; again, unless you were a name.
illegitimii non ingravare
I'll believe it wen I see it.
Like, have they downloaded/posted credit card numbers, kiddy porn, terrost plots, maybe post a promise to kill the president, and customized ones for several western and radical countries? Maybe send death threats to the head of the CIA, FBI, and NSA? Maybe the russian mafia? Maybe the israli secret police?
If people start getting away with those kind of things, then I'll conisider it.
The cypherpunk movement is dead. Just scanning the slashdot comments and reading all the "If you don't have anything to hide, why are you concerned?" posts makes that obvious.
At one point in Internet history, we (the libertarian/anarchists/cypherpunks) thought it might bring a new era of freedom. BBSs had given us a taste, and many people expected the Internet to be like a huge BBS, with everything you could imagine on it.
And it was, for a while.
Then some copyright lawyers started jumping on board, and harassing lyrics sites.
The Scientologists started suing people left and right.
Spam started snowballing.
MP3s cause the record companies to start wishing people were only trading lyrics.
Late 1998 though 1999 was the high point I think. Geeks were Gods. Stories of geek millionaires were all over the place. The US finally watered down the stupid crypto regulations. Things were looking up.
Then the Columbine shootings happened.
The 2000 elections brough all kinds of leftists out of the woodwork. Remember Nader? He sure got enough astroturfing here on Slashdot.
The so called "anarchists" get all over the news acting like total fuckwads at WTO "protests".
The WTC attack caused all the people with comfortable lives that liked to think they were cypherpunks to turn. Pull up some stories from Slashdot on 9/11 and 9/12 and see how many people were so willing to offer up the liberty for a slice of security. PATRIOT act flies through with little hassle.
News media reduced to saying things like "Some civil libertarians have concerns" instead of "What the fuck are they thinking?"
Scam artists hiding behind patent law started really milking it.
So you have left what you have today. An environment where you can't really do anything without the risk of lawsuit or arrest. I see things slowly shifting back toward the side of freedom, but it's been a slow recovery.
If Steve Jackson Games Raid happened today, would people be outraged enough to form something like the EFF? I doubt it.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
And thank God..... instead of trying to win a losing battle against privacy loss it would be better if we put our energies into making a completely transparent world. Information wants to be free, deal with it.
Hey, can I have your Social Security and bank account numbers?
What do you mean, "no"? INFORMATION WANTS TO BE FREEEEE!!!
So true. In fact, I would suggest that you stop using envelopes when mailing letters and just use postcards instead, that way everybody along the way can read them much more easily. You don't have anything to hide, do you?
No real reason for secret ballots either, now that I think about it. After all, you're not attemting to make an illegal vote.
The police ought to be able to search your house at will, too. If you're not doing anything wrong you have nothing to fear, right?
Oh, remember that sooner or later if you stop defending your freedoms you lose them. When it becomes illegal to criticize the government and you say "but that wasn't what I meant" it's just a tad too late.
http://www.rootstrikers.org/
Another thing wrong with the story is that they didn't post a link to the CD: Anonym.OS LiveCD.
That's the first time I've ever known a Slashdot editor to be sloppy.
I stopped using TOR when I discovered the name of one of the common exit nodes. I forget exactly what it was, but I kid you not, it was something like "datapirates.org".
I couldn't find a torrent link in the comments, so here is one:= anonymos-shmoo.iso.torrent
http://linuxtracker.org/download.php?id=1249&name
175seeds to 700peers as of 6:53PM MST
Just by running a tor node, you get the oppertunity to collect login+password information for any non-ssl site tor users log into. You also get to see cookie information to boot. Hey, at some point, the traffic has to exit the tor obfuscation network, and if you run a node, you're going to get a bunch of that traffic. It's only a matter of time.
That's why I refuse to use "anonymizer" networks like tor. You can't even login to your damn webmail, without giving away your account information.
Please help metamoderate.
Steve Jackson Games
EFF's SJG Archive
SJG's Opinion of the whole thing
In short, the Secret Service knocks over a game publisher (micro-TSR-style games, such as Illuminati) and attempts to prove that D&D'ers taught David Lightman how to use a Shlitz pulltab to hack into the 911 system. Courts decide Secret Service was completely unjustified, award court fees to SJG. The legal team/computer activists that coalesced around the issue became the EFF.
Don't blame me, I voted for Baltar.
The fact that this score has an Insightful Moderation is scary...I've got Karma to burn, so let me speak my mind.
We should have a reasonable expectation of privacy in our everyday lives, even if the constitution doesn't have a "de facto" privacy clause in it. Remember that crazy court Case Roe v. Wade? The court didn't say that "abortion was legal," the Court declared that laws prohibiting abortion represented a violation of a women's right to privacy. While the right to privacy does to exist as such in the Constitution it has long been interpreted to exist as an umbrella created by the first 5 amendments in the Bill of Rights.
To be quite honest with you, I know cops who have problems with the way that today's society is going. They don't want to have to worry about carrying an ID when they're walking down the street to buy a gallon of milk. (HIIBEL V. SIXTH JUDICIAL DIST. COURT OF NEV.,HUMBOLDT CTY. (03-5554) 542 U.S. 177 (2004) 118 Nev. 868, 59 P.2d 1201, affirmed.)
It really bothers me in a multitude of ways that our civil liberties are being torn down under the guise of terrorism. It really bothers me that many people are letting their guards down and just allowing these rights to just be walked on like nothing matters. Is it just me or am I the only one who sees a problem here?
I disable sigs...do you?
[Grandma] Where's the blue E?
[me] There's no blue E grandma, click on the orange and blue ball.
[Grandma] What does "Server not found" mean?
[me, muttering...] fsck'ing TOR timeouts
[Grandma] What was that again, I couldn't hear you.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
What are you saying? Is this like... better than the "Post Anonymously" check box and stuff?
Does this rag smell like chloroform to you?
I've just updated the kaos.theory blog with some further information about Anonym.OS and some responses to blog, article, and comment criticism:
http://theory.kaos.to/blog/archives/2006/01/17/kao stheory-responds/
First of all, I'd like to take a moment to express, on behalf of kaos.theory, how excited and flattered we are by all of the attention that we and Anonym.OS have received. We always thought we were working on a cool project, but we really underestimated the overwhelming response that we've had. Scores of terabyte upon terrabytes of data have flowed and the hit counters keep on ticking. It appears that privacy is as big of a concern for a large segment of the population as it is for us.
That being said, there have been a few comments made and viewpoints published that we would like to address while we have the bully pulpit provided by the good folks at digg, Slashdot, Reddit, Wired News, and Ars Technica, among others.
USB
In the article written and posted at Wired News, Ethan Zuckerman makes the excellent point that rebooting really isn't an option for many living in oppressive, hostile regimes. Additionally, Mr. Zuckerman suggests the use of a bootable / emulated Anonym.OS environment available from a removable, USB key chain device. This is a feature that we have already incorporated into our road map and that we hope to release very soon.
For now, we need as many people as can reboot or run a session in VMWare / Virtual PC / QEMU to please please please test our release. We're not at 1.0 yet, contrary to some postings and articles. Our hope with this release is to solicit feedback from the community concerning features, bugs, and suggestions for everything from desktop wallpaper to file system optimization. Immediately after the Shmoocon talk, all of the members of the group happily fielded questions and comments from audience members that included many suggestions that we intend to incorporate quickly. This type of candid environment is one of the many traits that make Open Source a success and it's what we need in order to keep Anonym.OS growing and on a positive track.
The "China Problem"
Some have asked how we intend to deal with the "China Problem," which could be rephrased as, "What can Anonym.OS do to protect a user against a monitoring party who owns the entire network that the user is using?" Ultimately, this comes down to the ability of the user to utilize covert channels for escaping the network and reaching tor servers. If the party controlling the network is serious enough about its desires and goals in censoring its users, nothing can stop them from implementing a white-list only policy, effectively blocking all tor traffic as well as access to proxies and other tools used for evading filtering.
With those concerns in mind, kaos.theory will be working towards and automated egress filtering evasion script for use in conjunction with Anonym.OS. In terms of the "China Problem," this may not offer much as it will most likely require a "trusted friend" on the outside of the hostile network. In terms of a restrictive corporate network, this could be a viable solution. Again, however, these "covert channels" will likely lead to a ridiculous number of anomalous packets coming from a system (who really makes 25,000 DNS requests in an hour, anyway?) and thus are not a bullet-proof solution.
This is a staggering issue, and it's not one that's answerable entirely by technology. If a country or company chooses to restrict access for its users, and the entity is really serious in terms of throwing resources at the problem, there's not a lot we can do from the client-side.
The Naysayers
There have been two strains of objection to the project, one classical and the other uninformed. The former line of argument goes that we're simply enabling criminals to hide their illegal activities and, as suc
I love the IDEA of Tor. I also love the idea of FreeNet. Neither one seems to work at all well (or quickly) in their current iterations however. Until these things are solved, for most people the trade-offs are just not worth it. Especially when so much is achievable under the mere guise of the millions of people involved. Until the RIAA hires MILLIONS of lawyers to sue MILLIONS of customers per year, people won't mind thumbing their nose at them and playing the numbers game. The same is CERTAINLY true for surfing and IM.
rhY
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
While the intent of this project is very good, and I hate to pick holes ....here's one for the ultra-paranoid:
..[whoops, maybe too late], but this is a significant problem that I've come across personally when considering a "privacy" geared livecd. You place a lot of trust in the person(s) packaging the distro unless you pretty much compile the whole thing yourself.
Do you trust the precompiled binaries on the livecd ?
Sure, the OpenBSD source is available for you to comb over for backdoors & sniffers etc, but how do you know that Anonym.OS was compiled using that exact same source code ?
Maybe comparing hashes of the binaries to the offical OpenBSD versions would be a good start, but there are various reasons why this will only get you half way to validating that the build is kosher
I'm not even beginning to suggest this work is trojaned or anything - the last thing I want to do is spread FUD about something this cool and useful
One solution (which is very time consuming, and already dated), is the Trusted Build Live CD (TB) by the Hacktivismo group. It is basically a cookbook for rolling your own Gentoo livecd, with some tailoring for anonymity related applications like Tor (AFAIK, it doesn't do the nice packet filtering that Anonym.OS does, however).
While you are correct that "the Internet" (by which I take that you mean TCP/IP) is an end-to-end protocol, email is not. It's a store-and-forward protocol, which means that you are potentially leaving a copy of your message at every intermediate point along the network, and assuming that the servers will purge that message later without allowing anyone to read it.
In fact I wouldn't liken email to regular 'snail mail' at all. It's much more like the old Western Union telegram service. You prepare your message and give it to someone who transmits it to someone else, who copies it down, and then passes it off for delivery to the recipient at some later time. People trust email because the machinery isn't very visible, and the whole thing seems very direct; the telegraph system in contrast is rather obviously not private even to someone unfamiliar with the technology because of the human interaction involved.
People have to divorce the idea of "no human interaction" from "privacy." Just because a system is automated doesn't mean that you should have or make any assumption of privacy. You have no way of knowing whether the recipient's mailserver is retaining copies of all their messages, or forwarding them to a third party, or many third parties. In fact in many corporate environments it's safe to assume that all email is being saved (although it's probably not being looked over immediately by a person) for a number of years -- yet because there's no obvious and constant reminder of the openness of the system (i.e. the telegraph clerk) people forget that it's not private.
As much as I despise the law in its current incarnation, I think the DMCA is an interesting model for the future of privacy in the digital age. If you send unencrpyted conversations over the wire, using any communication model where the messages do not flow directly from one client to the other over TCP/IP (or other network fabric which is commonly known to be end to end, or where the message is not stored and forwarded as a whole, e.g. only as packets), then there should not be any assumption of privacy. The exception is if the owners/operators of all the intermediate servers used in the communication (email servers, IM relays) have explicitly agreed not to retain copies or otherwise retain traffic. (In which case if they do retain copies, it becomes a breach-of-contract case.) If you desire any privacy, either use an end-to-end communication model, which could be as easy as clicking on the other person in AIM and choosing Direct Connect, or use some form of encrpytion on your messages. I don't care if your "encrpytion" is ROT-13, just something so that the person doing the interception has to expend some amount of directed effort to read your message, and that they know the contents were sent with the assumption of privacy.
By encrypting the message you as the communicator are attempting to create a more private channel of communication, and it means that to read your message, someone has to purposely decrypt the message and therefore cannot defend themselves by saying that the message was not sent as a private one. In the same way that the DMCA makes it illegal to circumvent a device meant to protect copyrighted data, a new privacy law could make it illegal for anyone to decrypt a communication that they are not the sender or intended recipient of, without due process and authority (e.g. warrant, or existing agreement with one party).
The point is that nobody with a basic understanding of the technology makes the assumption that email or instant messaging is private; although I understand the feelings of people who don't want privacy to be an "opt in" deal, it's also fair that people should have to take a certain amount of responsibility and consideration of how they communicate. If they desire privacy, it's easy enough to do. What we need to do is make sure that we have a legal framework for protecting people, once they make the decision to attempt to secure their channels of communication, so that there is not an open 'arms race' that will leave all but the most technically adept behind.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Taking it to Starbucks, (at least where I live) means using Wifi. It really isn't possible they've implemented usable Wifi support in their LiveCD is it? Usually getting wireless to work on linux means finding windows drivers, utilizing NDISWrapper, etc.
That being said, what would be required for the linux community to make Wifi drivers more accessible? Is this something that is reliant entirely on the manufacturers providing drivers or is there some other solution? It would surely aid linux adoption if it was easier to get your Laptop Wifi working.
For the linux-savvy, NDISWrapper is of course very slick, and I was able to get my HP Notebook Wifi card working in about 20 minutes, but the less techy people such as the Grandmother mentioned in the posting are not going to be able to sort their way through ndiswrapper and iwconfig, much less figure out newer encryption methods.
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...