Researchers Build a Browser-Based Darknet
ancientribe writes "At Black Hat USA next month, researchers will demonstrate a way to use modern browsers to more easily build darknets — underground private Internet communities where users can share content and ideas securely and anonymously. HP's Billy Hoffman and Matt Wood have created Veiled, a proof-of-concept darknet that only requires participants have an HTML 5-based browser to join. No special software or configuration is necessary, unlike with darknets such as Tor. Veiled is basically a 'zero footprint' network, in which groups can rapidly form and disappear without a trace. The researchers admit darknets are attractive to bad guys, too, but they say they think these more easily set-up and dismantled nets will be more popular for mainstream (and legit) users." In somewhat related news, reader cheesethegreat informs us that version 0.7.5 of FreeNet has hit the tubes.
The researchers admit darknets are attractive to bad guys, too.
Yeah, I would be worried about all those sock hat wearing pedophiles out there.
Of course maybe Craigslist could use it to advertise their wares.
Beer is proof that God loves us and wants us to be happy.
So legitimate users in Iran or China might be able to hook into a darknet that has a portal to the real world outside? Kinda like good old packet HAM radio used to.
meh
Which browsers (please include note if it's beta) support HTML 5?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Is this a late April Fools' joke? How does this supposed system work? It seems there must be a hosted PHP file somewhere - that server needs to have logs, at least if it's inside the EU, and however you slice that, you're toast.
Basically it seems to work sort of like a BitTorrent tracker that directs your client to other clients. So by what mechanism do you choose who to include in the "net"? If I understand correctly you sort of create channels for different purposes or groups. By using an introductory key? And how do you communicate that key? By encrypted e-mail? So any agencies that listen in on you very easily can see who you communicated with prior to your request for so and so domain holding the darknet PHP file? And how tough is that encryption? Ordinary SSL?
It connects the user's HTML 5-based browser to a single PHP file, which downloads some JavaScript code into the browser. Pieces of the file are spread among the members of the Veiled darknet. It's not peer-to-peer, but rather a chain of "repeaters" of the PHP file, the researchers say.
Spreads the file onto multiple peers? Is it possible for this file to run out of entropy in any way??
Fight for your digital freedom, join the EFF *now*: http://www.eff.org/support/
In case you didn't notice, the latest trend is that there are Corporations and Consumers. You are probably part of the Consumer segment and so a product of Society and can be sold to the Corporations.
That's where we're headed people!
Currently to do shared chat/video chat/audio/documents... most systems are dependent on servers of one sort or another. Making something that could work on a more peer-to-peer level would be very useful indeed as it would help alleviate (though probably not entirely eliminate) the reliance on servers that are often under someone else's control. If you doubt the usefulness of this, just look at what is happening in Iran right now.
This is my worry about things like Tor - as I understand it, the anonymity is provided by bouncing encrypted packets between nodes, and is predicated on the nodes not collaborating. As soon as you have one entity running N nodes, any request for any bounce length less than N becomes a simple client-server transaction and the server (probably Government-run) has a good chance to know what the client is downloading. Can anyone more qualified comment on this?
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
I don't think you have thought that through enough. What is your basis for your claim of it being impractical? Remember, we went to the Moon. I would think that was the definition of impractical at the time. However, if you can disregard the conspiracy theories, we actually did step foot on a soundstage, I mean the Moon.
Storage capacity? There are plenty of examples of extremely large storage arrays at universities and data centers that did not cost anywhere near "trillions" of dollars to build and construct. 500 million dollars would be enough to construct a data center with a few Exabytes of storage at today's prices. Let's say $100 per Terabyte. $200M worth of hard drives would get you 2 Exabytes of non-redundant storage capacity. Using an appropriate RAID setup you could even gain redundancy and lose less than 10% of that storage space. You got $300M left to build the rest of the data center. It's possible. Just Google for news about Exabyte data centers being constructed.
Take a phone conversation for example. Let's say 2.5 kB/s is the data rate. If a person talked 16 hours a day, that would put them at a 144 MB storage capacity per person per day. Let's just assume 250 million people a day are talking. That would put it at 36,000 Terabytes of storage. I know that sounds big, but that's only a few percent of a *single* Exabyte. A data center with multiple Exabytes could store weeks' worth before filling up.
Now of course why would you even want to keep RAW data? You wouldn't. Let's convert it to text instead. You could assume about 130 words per minute spoken on average, which should be pretty conservative. Assuming Unicode text, with no compression, an average word length of 10 characters (twice the real amount?), that would take you from 144 MB per person per day, to......... 2.5 MB per person per day. That's quite a reduction right there. Now we only need ~625 Terabytes to store the text of every single voice conversation every day.
Hmmmmm. It's starting to seem like that $500M data center is capable of storing quite a few years' worth of transcripts. About 9 years' worth to be exact. So let's say...
60 MILLION DOLLARS PER YEAR.
That's it. Just for voice transcripts. Even if I am off by a whole order, that is only 600 million dollars per year. A far cry from your "trillions" of dollars estimate is it not?
I don't even think you would need the transcripts either. Not all of them. Analyze them for keywords, context, blah blah blah and you can start to keep databases of relationships between people and categorize them based on the content of their speech. The information just became more valuable, and a lot more CONDENSED.
Now let's say it costs ten times that to analyze SMS, purchase records, blogs, etc. We are still a far cry away from your impractical threshold.
Put simply, Google, Yahoo, MS, are already in the business of working with that much data and processing it.
BUT, BUT, BUT WHY?
That's the real question. Would the government, the big bad government, even be interested in a database that had relationships, political and religious views, spending patterns, movement patterns (grocery store, then the bank, etc.)?
I think the answer is yes. Either in the guise of security, protecting the children, defeating the terrorists, defeating the communists, defeating some sort of 'ism, there is a continual pressure to provide these "tools" to government. I don't think "tin foil hat" arguments are going to cut it much longer.
Clearly it's possible on a technical basis to store and process this much information, and at least in other governments, there is clearly the desire and motivation to use such abilities.
Do you know that for a fact? Everywhere? DNS records from local ISPs are VALUABLE. Targeted advertising is a big thing right now. Don't forget commercial motivations.
That certainly is a problem. A brute force solution to that problem is to make sure the network has enough "non-government" nodes to drive down the probability figures in such analyses. I guess if the probability of identifying an end node is low enough, that also makes it less likely for the government to seek warrants. (Unless they are just trying to bring down all nodes of the network.)
The I2P website has a list of different threat models and links to related papers. I guess this one falls under partitioning attacks.