Researchers Build a Browser-Based Darknet

ancientribe writes "At Black Hat USA next month, researchers will demonstrate a way to use modern browsers to more easily build darknets — underground private Internet communities where users can share content and ideas securely and anonymously. HP's Billy Hoffman and Matt Wood have created Veiled, a proof-of-concept darknet that only requires participants have an HTML 5-based browser to join. No special software or configuration is necessary, unlike with darknets such as Tor. Veiled is basically a 'zero footprint' network, in which groups can rapidly form and disappear without a trace. The researchers admit darknets are attractive to bad guys, too, but they say they think these more easily set-up and dismantled nets will be more popular for mainstream (and legit) users." In somewhat related news, reader cheesethegreat informs us that version 0.7.5 of FreeNet has hit the tubes.

Worried, maybe.

[arizwebfoot]

The researchers admit darknets are attractive to bad guys, too.

Yeah, I would be worried about all those sock hat wearing pedophiles out there.

Of course maybe Craigslist could use it to advertise their wares.

Re:Worried, maybe.

[arizwebfoot]

You mean, like, our own government?

Have you no shame?

Re:Worried, maybe.

[hansraj]

Yes, darknet is attractive to bad guys but so is expectation of privacy in general.

Re:Worried, maybe.

[Opportunist]

Have you no shame?

Is that still a requirement for a public office?

Re:Worried, maybe.

[Opportunist]

And that's exactly the reason why this will be outlawed immediately as soon as a sizable portion of the population (in the western world, folks, I'm not talking about Iran, China and Burma here) uses it to circumvent the governmental snooping that's running rampart.

Can't outlaw it, you say? Because we're in a free world and thus they can't just simply outlaw encryption?

Ok, they won't. What we'll get is a law that makes you liable if you "faciliate the spread of pedophilia". After all, if you help a pedo you're in the wrong as well, ain't you? Since you can't really determine what kind of data you roll around in a darknet (it would kinda defeat the purpose if you could), darknet proponents would get their IP sniffed and law enforcement would download any kind of kiddy porn they could find in the darknet. As soon as the IP of a proponent can be linked to the porn (say, a chunk came from him because it was stored at his part of the cloud), the trap closes, the law enforcement can "prove" that darknet proponents are "only" in for the kiddy porn and thus darknet is an evil tool of child exploitation.

Gimme a single reason to believe this won't happen, I beg you.

Re:Worried, maybe.

[Gotenosente]

I think you are probably right and this type of thing will be attempted. However, in that situation, I would think that one could argue they had no knowledge that that's what they were partaking in. After all, that's the design of the system, right? Hell, if I help out a guy with a flat tire who happens to proceed to rape a child, am I guilty of aiding a pedophile? No, because there are plenty of legit reasons why a guy would be driving around in a car. Just as there are plenty of legit reasons why someone would want to surf entirely anonymously.

Re:Worried, maybe.

[Opportunist]

That would make sense. But do you think a judge will be able to tell the difference, more so when he is told that he should better NOT tell the difference? It will be made a tool that faciliates child porn, and no "honest citizen" needs it... do you think this argumentation wouldn't be used? And all too readily believed by those that don't really care too much as long as they got YouTube and Twitter?

The idea that something should be legal because it is usually used for legal means and only in exceptions for illegal ones is one of the past. The same analogy could be used for guns, cars, almost anything human made can be used for good and ill. The problem here is that darknets are by their very definition something governments cannot regulate or control, and thus they will bring all the firepower they have into the field to destroy them if they see wide public use. The only reason we haven't seen them cracking down hard on them is simply that the amount of people using (or even knowing about) them is minimal. If darknets become a tool usable (and used) by the average computer user, they will become a target of governments which are all too eager to control and monitor what their citizens do.

I.e. pretty much all governments on this planet.

Re:Worried, maybe.

[Gotenosente]

I share your fear. Here's what I think the key is: tie this type of tech up with something that almost all "good" citizens would be against from the start. Ie debut this as a vehicle for freedom of information in oppressive, countries. I think we have enough people in the US who believe that there is some sort of Axis of Evil out there that needs to be defeated by Freedom. Iran would be ideal, China would probably work. We need to give John Q Public a good first impression. Maybe an author writing a nice novel would be helpful too.

Re:Worried, maybe.

I think you are probably right and this type of thing will be attempted.
However, in that situation, I would think that one could argue they had no knowledge that that's what they were partaking in. After all, that's the design of the system, right?
Hell, if I help out a guy with a flat tire who happens to proceed to rape a child, am I guilty of aiding a pedophile? No, because there are plenty of legit reasons why a guy would be driving around in a car. Just as there are plenty of legit reasons why someone would want to surf entirely anonymously.

That might be enough to convince a jury, especially if the FBI doesn't find anything else incriminating on your systems.

But it is more than enough to get a warrant, your front door kicked off the hinges, and all your equipment confiscated for literally years. And you'll be lucky to get any of it back, ever, guilty or not.

As for your example above, they will approach it in the same fashion as P2P is treated. They will simply claim that it's "common knowledge" that most users of that service are involved in some type of shady business. It really pisses me off, but it seems that these days if you show that you are trying to hide anything, you are pretty much presumed guilty of something.

Re:Worried, maybe.

[Gotenosente]

"almost all "good" citizens would not be against"

Re:Worried, maybe.

[cayenne8]

"it's all in how you bypass the legally approved process of governing."

Kinda like how Obama fired that Inspector General, without following the law Obama himself voted in, where you have to give congress 30 days notice AND a written reason why the IG was being fired?

Nah...the govt. doesn't need a darknet or anything to bypass the legally approved processes...

They just count on the general public/press not caring, and so far, it seems to work.

Re:Worried, maybe.

[Trahloc]

I use to spend vacations with my family and sleep in the back of the truck while driving across country. In the back of this truck there was bundles of rope (never know when you'll need it), shovels (ditto), and an unconscious kid (driving thousands of miles made me sleepy when I was 8). I don't see anything wrong with that.

Re:Worried, maybe.

[Opportunist]

Here's your counter argument: In repressive governments like the Chinese, those darknets serve a very sensible purpose because they allow them the right to free speech and discussion of politics. Here, there is no reason for those as you may already speak your mind, and thus the only reason to use them in the "free world" is to do something illegal.

Bet nobody realizes that they're used for exactly the same thing in "repressive" states: To do something illegal. Like, say, enjoy freedom of speech.

Isn't it strange that we're all for handing people the ability to circumvent their laws if we consider those laws "wrong", but we dread the same at home?

Re:Worried, maybe.

[aurispector]

Agreed. Privacy in communications is the basis of free society. Placing anything and everything on the internet vastly expands a governments' ability to keep tabs on people.

Back in the day, gentlemen did not read each other's mail. With the advent of various technologies that barrier has been progressively lowered. Wiretapping POTS lines used to require special judicial approval, but it *was* given for a variety of reasons. These days the NSA (and equivalent agencies in other countries) routinely scan internet traffic to the point where the smart assumption is that you have NO privacy.

Freedom is dangerous in that people can abuse their freedoms to commit crimes. We continue to trade those freedoms for perceived security while the definition of crime becomes broader. The logical end is that all freedoms will eventually be lost in order to control ever-expanding categories of "crime".

A darknet is nothing more than the digital equivalent of a public house where people gather for discussion safe from government interference - a combination of the rights to free speech and to peaceably assemble.

Iran? China?

[davidwr]

Is anyone in Iran reading this right now? OK, don't respond but do pass it on to your friends.

Ditto China.

Re:Iran? China?

[MrMista_B]

How about Germany? Britian?

Good

[timpdx]

Now get it out to the protesters in Iran and spread it in China for that matter.

You mean?

[bigattichouse]

So legitimate users in Iran or China might be able to hook into a darknet that has a portal to the real world outside? Kinda like good old packet HAM radio used to.

Re:You mean?

[grassy_knoll]

If I'm reading TFA correctly, wouldn't that require access from inside Iran/China to a HTML 5 based browser outside of Iran/China?

I like the concept, but similar to Iran shutting down SMS service it seems possible at least this could be disrupted.

Re:You mean?

[jefu]

Short of shutting down the network a nicely distributed service could be very tough to disrupt. And while communications to the rest of the world are undoubtedly important, for the Iranians right now, internal communications are likely to be much more important.

Bad Guys

[aaandre]

Of course secrecy is attractive to bad guys. Problem is according to current legislation we are all bad guys, always crossing some obscure irrelevant law we don't know about.

So one man's secrecy is another man's privacy and protection from overreaching criminalization.

Oh, and anything you write or view on the internet, say over the phone, purchase, sms about, dial on your phone, etc. is saved and archived forever, by default, unless you make a special effort to enforce your right of privacy. Even that special effort does not guarantee protection and furthermore, that effort is not difficult to notice, and boom, you are someone with something to hide, i.e. one of the bad guys.

War is peace. Doublegood peace.

Re:Bad Guys

[plover]

And don't forget that just because you think it's safe doesn't mean that it actually IS safe. Check out the BlueCoat proxy, which is a corporate web proxy/filter that also works on SSL connections (via man-in-the-middle attack.) All your company has to do is drop their own root certificate on your machine, and unless you're in the habit of checking the sites providing your signature, you may never spot it. (Fortunately Firefox displays the certificate's site name next to the padlock icon.) There's also nothing stopping a corporation from installing a key sniffer or remote observation software on their equipment, which includes your desktop.

Just in case you were thinking that you were "safe" blowing whistles on a darknet at work.

I guess the "Post Anonymously" box isn't going to help me now anyway.

Re:Bad Guys

[Opportunist]

I have something to hide. It's called my private life and it's nobody's business. Not yours, not some company's and most certainly not my government's.

I think it was Franklin who said, if the people fear the government, it's a tyranny, if the government fears its people, it's liberty. I think the US (and a good portion of the rest of the planet) would need a few leaders like the founding fathers of the US. If they could see what came to their dream, what they fought for, died for and had others die for, I think they'd get fed up enough to start over.

Re:Bad Guys

[OpenGLFan]

I guess the "Post Anonymously" box isn't going to help me now anyway.

I know it's an offhand comment, but it already doesn't help you. /. still stores who you are; you can't moderate and post in the same story, even if you checked "post anonymously."

Re:Bad Guys

[EdIII]

I don't think you have thought that through enough. What is your basis for your claim of it being impractical? Remember, we went to the Moon. I would think that was the definition of impractical at the time. However, if you can disregard the conspiracy theories, we actually did step foot on a soundstage, I mean the Moon.

Storage capacity? There are plenty of examples of extremely large storage arrays at universities and data centers that did not cost anywhere near "trillions" of dollars to build and construct. 500 million dollars would be enough to construct a data center with a few Exabytes of storage at today's prices. Let's say $100 per Terabyte. $200M worth of hard drives would get you 2 Exabytes of non redundant storage capacity. Using an appropriate RAID setup you could even gain redundancy and lose less than 10% of that storage space. You got $300M left to build the rest of the data center. It's possible. Just Google for news about Exabyte data centers being constructed.

Take a phone conversation for example. Let's say 2.5 kB/s is the data rate. If a person talked 16 hours a day, that would put them at a 144 MB storage capacity per person per day. Let's just assume 250 million people a day are talking. That would put it at 36,000 Terabytes of storage. I know that sounds big, but that's only a few percent of a *single* Exabyte. A data center with multiple Exabytes could store weeks worth before filling up.

Now of course why would you even want to keep RAW data? You wouldn't. Let's convert it to text instead. You could assume about 130 words per minute spoken on average, which should be pretty conservative. Assuming Unicode text, with no compression, an average word length of 10 characters (twice the real amount?), that would take you from 144 MB per person per day, to......... 2.5 MB per person per day. That's quite a reduction right there. Now we only need ~625 Terabytes to store the text of every single voice conversation every day.

Hmmmmm. It's starting to seem like that $500M data center is capable of storing quite a few years worth of transcripts. About 9 years worth to be exact. So let's say...

60 MILLION DOLLARS PER YEAR.

That's it. Just for voice transcripts. Even if I am off by a whole order, that is only 600 million dollars per year. A far cry from your "trillions" of dollars estimate is it not?

I don't even think you would need the transcripts either. Not all of them. Analyze them for keywords, context, blah blah blah and you can start to keep databases of relationships between people and categorize them based on the content of their speech. The information just became more valuable, and a lot more CONDENSED.

Now let's say it costs ten times that to analyze SMS, purchase records, blogs, etc. We are still a far cry away from your impractical threshold.

Put simply, Google, Yahoo, MS, are already in the business of working with that much data and processing it.

BUT, BUT, BUT WHY?

That's the real question. Would the government, the big bad government, even be interested in a database that had relationships, political and religious views, spending patterns, movement patterns (grocery store, then the bank, etc.)?

I think the answer is yes. Either in the guise of security, protecting the children, defeating the terrorists, defeating the communists, defeating some sort of 'ism, there is a continual pressure to provide these "tools" to government. I don't think "tin foil hat" arguments are going to cut it much longer.

Clearly it's possible on a technical basis to store and process this much information, and at least in other governments, there is clearly the desire and motivation to use such abilities.

but logs and cache gets flushed unless there is a reason to keep it.

Do you know that for a fact? Everywhere? DNS records from local ISP's are VALUABLE. Targeted advertising is a big thing right now. Don't forget commercial motivations

HTML5

[Amazing+Quantum+Man]

Which browsers (please include note if it's beta) support HTML 5?

Re:HTML5

[Jugalator]

None that I know of, but Firefox, Safari, Chrome, (and Opera?) should have rudimentary support for parts of it, like the video tag, and the canvas tag.

Not that I know if that's what they're referring to though.

All major browers today have very poor HTML 5 support though. It's still not even a finalized standard.

Re:HTML5

[tholomyes]

Here's the details on which browsers support what parts of the new features of HTML5 thus far: http://www.quirksmode.org/dom/html5.html.

According to quirksmode, it appears that Safari 4.0 has the most complete support, followed by FF 3.5b and IE8. Chrome and Opera do not appear to, at least as far as supporting the new features is concerned.

Re:HTML5

[tholomyes]

Also note quirksmode's caveat:

"The compatibility information above is only for the HTML5 features I tested; they do not necessarily say anything about the browsers' overall HTML5 support. The number of tests will slowly expand."

Talking in secret

[CarpetShark]

I'm not sure how much use it is for people to talk in secret. They probably do that now, with family etc. As we can see in Iran right now, it takes people to have the guts and will to take to the streets and make their feelings known before things change.

Re:Talking in secret

[pjt33]

Talking in secret in advance helps them to take to the streets at the same time and in the same place.

Easier is better

[tnk1]

If its easier to use, you will definitely see more people using it who are legitimate. Tor and other darknets are a pain in the ass to use, and they clearly have a larger proportion of people using it for more nefarious purposes. The reason is simple: they *need* to use it because they are bad guys. Good guys, unless they fully comprehend the threats against them, are less likely to go to the effort. Hopefully this works out and is secure. It would be a big plus for people who don't want to deal with the hassle, not to mention, they don't want instantly incriminating software on their machine. My guess is that the Chinese and Iranian government minders don't like you if they see you getting your hands on anything like a Tor/Freenet software package.

Re:Easier is better

[Opportunist]

Defining "good" and "bad" in this day and age ain't so simple anymore. A lot of "good" guys break the law.

Someone blogging about human rights in China? A bad guy, according to the Chinese government. Someone writing instructions how to use your hardware in the way you want it and not in the way its manufacturer wants? A bad guy, according to pretty much any western government. Someone telling people how to circumvent internet filters? A bad guy, in pretty much any government's eyes.

Any of those guys "bad" by your definition?

Late April Fools' joke?

[castrox]

Is this a late April Fools' joke? How does this supposed system work? It seems there must be a hosted PHP file somewhere - that server needs to have logs, at least if it's inside the EU and however you slice that you're toast.

Basically it seems to work sort of like a BitTorrent tracker that directs your client to other clients. So by what mechanism do you choose who to include in the "net"? If I understand correctly you sort of create channels for different purposes or groups. By using a introductory key? And how do you communicate that key? By encrypted e-mail? So any agencies that listen in on you very easily can see who you communicated with prior to your request for so and so domain holding the darknet PHP file? And how tough is that encryption? Ordinary SSL?

It connects the user's HTML 5-based browser to a single PHP file, which downloads some JavaScript code into the browser. Pieces of the file are spread among the members of the Veiled darknet. It's not peer-to-peer, but rather a chain of "repeaters" of the PHP file, the researchers say.

Spreads the file onto multiple peers? Is it possible for this file to run out of entropy in any way??

Re:Not surprising -- browsers are basically OSes

[morgan_greywolf]

Microsoft realized that early on, which is why Explorer was integrated into Windows in the first place. And it's also why they're fighting to try to keep IE on top.

No, Netscape and Sun realized that early on, which is where the concept of browser plugins, JavaScript, and ultimately, Java come from. Then they started wagging their tongues about it rather than sit there and quietly implement stuff (ala Google), so Microsoft.moved to "cut off their air supply" (direct quote from a Microsoft memo used as evidence in their antitrust case) by integrating Internet Explorer into Windows.

Attractive to bad guys?

[The+Archon+V2.0]

The researchers admit darknets are attractive to bad guys, too

So is encryption. So is privacy. So are knives. So is food. So is living another day. It's not wrong just because it can be used to ill ends.

Or, to be all profound and Latin and stuff: abusus non tollit usum.

Re:Attractive to bad guys?

[hansraj]

I was going to fiercely argue against all that you wrote, but your punchline was in Latin so now I have to agree to every word you say!

Corporations and Consumers

[castrox]

In case you didn't notice, the latest trend is that there are Corporations and Consumers. You are probably part of the Consumer segment and so a product of Society and can be sold to the Corporations.

That's where we're headed people!

Very Useful

[jefu]

Currently to do shared chat/video chat/audio/documents... most systems are dependent on servers of one sort or another. Making something that could work on a more peer-to-peer level would be very useful indeed as it would help alleviate (though probably not entirely eliminate) the reliance on servers that are often under someone else's control. If you doubt the usefulness of this, just look at what is happening in Iran right now.

Tomatoes are way more dangerous than darknets

[Rick+Bentley]

Ninety-two point four per cent of juvenile delinquents have eaten tomatoes.

Eighty-seven point one per cent of the adult criminals in penitentiaries throughout the United States have eaten tomatoes.

Informers reliably inform that of all known American Communists ninety-two point three percent have eaten tomatoes.

Eighty-four per cent of all people killed in automobile accidents during the year 2004 had eaten tomatoes.

Those who object to singling out specific groups for statistical proofs require measurements within in the total. Of those people born before the year 1850, regardless of race, color, creed or caste, and known to have eaten tomatoes, there has been one hundred per cent mortality!

In spite of their dread addiction, a few tomato eaters born between 1850 and 1900 still manage to survive, but the clinical picture is poor-their bones are brittle, their movements feeble, their skin seamed and wrinkled, their eyesight failing, hair falling, and frequently they have lost all their teeth.

Those born between 1900 and 1950 number somewhat more survivors, but the overt signs of the addiction's dread effects differ not in kind but only in degree of deterioration. Prognostication is not hopeful.

Exhaustive experiment shows that when tomatoes are withheld from an addict, invariably his cravings will cause him to turn to substitutes-such as oranges, or steak and potatoes. If both tomatoes and all substitutes are persistently withheld-death invariably results within a short time!

The skeptic of apocryphal statistics, or the stubborn nonconformist who will not accept the clearly proved conclusions of others may conduct his own experiment.

Obtain two dozen tomatoes-they may actually be purchased within a block of some high schools, or discovered growing in a respected neighbor's back yard! - crush them to a pulp in exactly the state they would have if introduced into the stomach, pour the vile juice into a bowl, and place a goldfish therein. Within minutes the goldfish will be dead!

Those who argue that what affects a goldfish might not apply to a human being may, at their own choice, wish to conduct a direct experiment by fully immersing a live human head* into the mixture for a full five minutes.

* It is suggested that best results will be obtained by using an experimental subject who is thoroughly familiar with and frequently uses the logical methods demonstrated herein, such as:

(a) The average politician. Extremely unavailable to the average citizen except during the short open season before election.

(b) The advertising copywriter. Extremely wary and hard to catch due to his experience with many lawsuits for fraudulent claims.

(c) The dedicated moralist. Extremely plentiful in supply, and the experimenter might even obtain a bounty on each from a grateful community.





THE DREAD TOMATO ADDICTION Mark Clifton This essay originally appeared in the February 1958 edition of Astounding. The dates in this version have been modified (all dates plus 50 years).

HOW?

[rosvall]

Since there are zero details in TFA, i'm just going to speculate that one of three things is going on, in order of increasing probability:
1. HTML 5 creates all sorts of fantastic new ways to communicate anonymously through a central server. In that case, please fill me in. In genuinely interested.
2. The researchers have implemented something like the dining cryptographers protocol in js and php.
3. TFA is utter bullshit

Re:If I give a killer a ride...

[shentino]

Perhaps he saw that the terrorists have already won by getting our governments to take all our freedoms away.

Yes I said it.

The terrorists have won.

Re:But what about the quality?

[fractoid]

This is my worry about things like Tor - as I understand it, the anonymity is provided by bouncing encrypted packets between nodes, and is predicated on the nodes not collaborating. As soon as you have one entity running N nodes, any request for any bounce length less than N becomes a simple client-server transaction and the server (probably Government-run) has a good chance to know what the client is downloading. Can anyone more qualified comment on this?

Re:But what about the quality?

[marol]

That certainly is a problem. A brute force solution to that problem is to make sure the network has enough "non-government" nodes to drive down the probability figures in such analyses. I guess if the probability of identifying an end node is low enough, that also makes it less likely for the government to seek warrants. (Unless they are just trying to bring down all nodes of the network.)
The I2P website has a list of different threat models and links to related papers. I guess this one falls under partitioning attacks.

Re:A Seriously Important Requirement

[L4t3r4lu5]

Much like Tor.

• The client software pseudo-randomly assigns you an identifier which is used for connections on that network.
• Your first connection to the next node in the chain may be identifiable as you, but your destination is not known. It goes "Well, I'm connected to these three guys, and I'll send this packet that way. I'll remember that response packets need to go back to the same identifier on the return."
• The next node does not know your originating IP address, only the identifier the software assigned to you and that you want to be routed to another location.
• The second to last node in the chain knows where you want to go, but only that this identifier wants to get there; Not what the IP address of that identifier is.
• The whole process is repeated back, with the two ends of the chain only knowing one half of where you want to go, and the places in between don't know jack apart from your identifier (which is only of any use if both ends of the connection are compromised)

.
The added bonus with darknets is you also host the information you retrieve, increasing availability.

Re:If I give a killer a ride...

[stonewallred]

It is too early on Wednesday morning for truth here on /. Please wait until I am not drunk in the future if you don't mind. The terrorists won when we started gutting the Constitution, the Bill of Rights and the accumulated body of laws that had established our freedoms in this country. When little hick towns like the one I live in started x-raying all people entering the courthouse, and making them remove their belts, a sign of loss. When arriving two hours early at the airport, having to remove your shoes, the lists of forbidden items, another sign of loss. When the NSA and other alphabet soup agencies coerced the phone companies in letting them tap the lines of almost the entire nation, another loss. When we stopped protecting American interests with the full force of the military and started doing the limited war bullshit, another loss. When the perception of other countries became more important than our country's safety and well-being, we were pretty much done at that point.