Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tiny Wireless Device Offers Tor Anonymity

Posted by Soulskill on from the fits-discreetly-in-left-nostril dept.

Lucas123 writes: The Anonabox router project, currently being funded through a Kickstarter campaign, has surpassed its original $7,000 crowdfunding goal by more than 10 times in just one day. The open source router device connects via Wi-Fi or an Ethernet cable making it harder for your IP address to be seen. While there have been other Tor-enabled routers in the past, they aren't small enough to fit in a shirt pocket like the Anonabox and they haven't offered data encryption on top of the routing network. The device, which is being pitched as a way for consumers to securely surf the web and share content (or allow businesses to do the same), is also being directed at journalists who may want to share stories in places where they might otherwise be censored.

41 of 68 comments (clear)

  1. I wonder how much we can trust it by PhrostyMcByte · · Score: 5, Insightful

    Making Tor dead simple to use is great, but this is such a nice device for three-letter agencies to target inserting a backdoor into.

    1. Re:I wonder how much we can trust it by Anonymous Coward · · Score: 3, Insightful

      Its open source and open hardware. All the good.

    2. Re:I wonder how much we can trust it by Anonymous Coward · · Score: 2, Interesting

      "Open" is rather misleading because it would be easy for "them" to compromise a few individual shipped units and poison the pool.

      Do you plan to audit the code and make sure it's as-advertised, none of the code does anything shady, and the binaries are compiled from the code you saw?

      Didn't think so.

    3. Re:I wonder how much we can trust it by Anonymous Coward · · Score: 1, Insightful

      "Open" is rather misleading because it would be easy for "them" to compromise a few individual shipped units and poison the pool.

      It's going to be pretty easy to confirm whether your device is running the same binaries as everybody else and to recompile and replace them if it isn't.

      Do you plan to audit the code and make sure it's as-advertised, none of the code does anything shady

      Yes. You can never be 100% sure but you can be pretty certain.

      and the binaries are compiled from the code you saw?

      I can compile the binaries.

    4. Re:I wonder how much we can trust it by ArmoredDragon · · Score: 4, Informative

      A sha256sum of the entire firmware image should suffice for verification.

    5. Re:I wonder how much we can trust it by Anonymous Coward · · Score: 1

      And how do you know the hardware itself wasn't modified? You gonna examine the BGA components with an electron microscope.

    6. Re:I wonder how much we can trust it by DaHat · · Score: 4, Insightful

      How do you determine that the checksum hasn't been modified in transit?

      You could always audit the code yourself and compile it as well... but are you sure your compiler doesn't have any backdoors which might inject evil code just for something like this?

      The bugger about paranoia... is you never know if you are sufficiently paranoid.

      --
      Help Brendan pay off his student loans
    7. Re:I wonder how much we can trust it by Sqr(twg) · · Score: 5, Insightful

      The three-letter agencies don't need to insert a backdoor. All they need to do is operate a bunch of Tor exit nodes.

      As soon as you use Tor for everyday activities you are effectively not anonymous anymore.

      Example: You set up the WiFi router and start doing your secret stuff. The bad guys have no idea who's behind the connection.
      Then the jogging app on your iPhone connects over the same Tor tunnel. It opens an unencrypted connection to a "share my run" server, and now the bad guys know your email address, weight, and the GPS coordinates of the route you ran this morning. They don't even have to tap your or the server's connection. They get the information directly from their own exit node. (I.e. easier than if you had not been running Tor. Anyone can do this. Not just the three-letter agencies.)

      Want anonymity? Install the Tor Browser. Then only use it for the anonymous stuff. Never visit any of the sites you ordinarily frequent.

    8. Re:I wonder how much we can trust it by Anonymous Coward · · Score: 2, Insightful

      Ahem! Everyone already *is* attacked by mass-surveillance. Tor gives protection.

    9. Re:I wonder how much we can trust it by oneandoneis2 · · Score: 4, Interesting

      Don't over-dramatise. This is a way of making it easy & convenient for non-techies to use Tor. Anyone with anything to hide - criminals, terrorists, activisits, whatever - will have long-since spent the 30 seconds it takes to find out how to use tools like Tor without buying a gadget for it.

      --
      So.. it has come to this
    10. Re:I wonder how much we can trust it by fuzzyfuzzyfungus · · Score: 5, Informative

      Making Tor dead simple to use is great, but this is such a nice device for three-letter agencies to target inserting a backdoor into.

      While that is a possibility(albeit one that could theoretically be ameliorated, barring hardware-level backdoors, by 'here's how to build Tor from mainline and replace our firmware' documentation), I'd be more worried about the fact that Tor isn't dead simple.

      The project itself has a list of handy warnings concerning What Not To Do on Tor and expect the anonymity to keep working, even assuming there are no unknown attacks and vulnerabilities at play. Tor has no magical ability to scrub dangerously identifying information from the assorted dumb, lazy, or just plain user-hostile chatter generated by various programs on your computer. It also, as a necessary side effect of its design, exposes some traffic to the exit node, which requires that you be careful about SSL/TLS for anything that the exit node shouldn't see.

      That's what makes me nervous about the projects(hardware or software, boxes like this or Android VPN plugins, or whatever) that make it dead easy to route all traffic through Tor. Unless you know exactly what you are doing, that probably isn't what you want. Your day-to-day OS is very likely to be far too dangerously chatty(which means that you really shouldn't use it at all, unless booted to a liveCD; with the Tor browser bundle, that passes only traffic from the Tor browser as a distant second best); but you definitely shouldn't just plug it into the magic Tor box. Some applications you just don't want going through Tor at all. If the traffic is intrinsically personally identifying the best case is that you'll gain nothing and the worst case is that you'll be less secure than you were.

      Things that keep people from running the browser bundle on their poxed XP machines and expecting anonymity are good; but Tor simply isn't easy to use, even if it is made easy to set up, and that can bite you in the ass.

    11. Re:I wonder how much we can trust it by fuzzyfuzzyfungus · · Score: 3, Informative

      The Tor Browser is better than 'just route all traffic through Tor'; but unless you trust that your machine isn't carrying 12 strains of cyber-syphilis, you probably want a non-persistent liveCD OS if you are doing something sensitive.

    12. Re:I wonder how much we can trust it by mrchaotica · · Score: 3

      The very reason Truecrypt died was because they couldn't trust future compilers for Windows.

      [citation needed]

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    13. Re:I wonder how much we can trust it by Anonymous Coward · · Score: 1, Insightful

      but are you sure your compiler doesn't have any backdoors which might inject evil code just for something like this?

      There are known ways to check that too.

      The bugger about paranoia... is you never know if you are sufficiently paranoid.

      The bugger is that people get too stupid about it and stop trying to recognize how likely something is.

    14. Re:I wonder how much we can trust it by Anonymous Coward · · Score: 1

      Not 100% true. a) your traffic won't alway go through their exit nodes and b) you are sharing the exit node with 1000s of other users and no way to know who is making which request. If 5 people access their email then someone accesses a webpage you don't even know if it's one of those 5 people let alone which one.

      You can't be anonymous alone. You can be anonymous in a crowd.

    15. Re:I wonder how much we can trust it by The+Ickle+Jones · · Score: 3, Informative

      As the other person said, everyone is already subject to mass surveillance.

      But even if what you said were true, the more people that use this, the more targets they have to selectively harass. We need more and more people to use this sort of thing in order to better thwart their mass surveillance efforts.

    16. Re:I wonder how much we can trust it by torkus · · Score: 1

      Indeed...visiting somewhere and don't want your traffic tracked? few moments with this and back to what you were up to.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    17. Re:I wonder how much we can trust it by macromorgan · · Score: 1

      I would argue that thanks to Edward Snowden, we now know a lot of things we thought were unlikely aren't.

    18. Re:I wonder how much we can trust it by mspohr · · Score: 1

      This box only solves the Tor part of the problem. If you continue to use the same browser, you can be tracked.
      Best to use a solution like Tails which live boots (from CD or USB) and has Tor and an anonymous browser (plus a bunch of other security stuff).
      https://tails.boum.org/

      --
      I don't read your sig. Why are you reading mine?
  2. Not secure by BitcoinBenny · · Score: 5, Interesting

    Its a cool idea. There are things that are problematic about it though, like the fact that the browser itself hasn't been properly anonymized. The Tor browser package tries to disable plugins and third party software that might inadvertently reveal your identity or cause other information leakage. There is no such guarantee in this instance, which is a bit of a false sense of security. Tor isn't a panacea for all anonymity issues, and you wouldn't want to route most of your traffic over it.

    I'm personally more interested in the hardware, any specifics on that? I think it would be a nice platform for a lot of interesting projects, hardware based firewalling etc.

    1. Re:Not secure by tlhIngan · · Score: 5, Insightful

      Its a cool idea. There are things that are problematic about it though, like the fact that the browser itself hasn't been properly anonymized. The Tor browser package tries to disable plugins and third party software that might inadvertently reveal your identity or cause other information leakage. There is no such guarantee in this instance, which is a bit of a false sense of security. Tor isn't a panacea for all anonymity issues, and you wouldn't want to route most of your traffic over it.

      And therein lies the problem Well, one of several.

      First, the users have to actually want to be anonymous. There's no magic "make me anonymous" magic pixie dust that can be applied - I mean, what's the point of using Tor if you're going to log into your Google, Facebook, Amazon, Twitter, or whatever else account? You've not only gave your anonymity up a long time ago, you've just defeated all the anonymity you're going to get because all those ad networks now will be able to re-link your Tor usage to you.

      Additionally, Tor is not magic. Using it doesn't make you invisible. Especially if you're going on about "black helicopters" and such because the likes of the NSA have revealed to be running the largest number of high-speed exit nodes, and those who control exit nodes on Tor control it all. Either keep your traffic within the Tor network on Tor-specific sites, or realize that where ever your traffic exits, the exit node may be screwing with you.

      Sure you may get certificate errors and such, but I'm sure most users will click through them anyways.

      Hell, it almost seems all the spies want users using Tor because by making it magic box, they'll do the same old stupid shit over it and not only be really easy to track and monitor, but the users will think all is well, at that.

    2. Re:Not secure by TrollstonButterbeans · · Score: 1, Funny

      The casual user will set this up and then log into Facebook and check their gmail. Totally secure!!! Absolutely anonymous!

      Oh, and don't forget the cross-domain 'Flash cookies'!

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    3. Re:Not secure by Anonymous Coward · · Score: 1

      > what's the point of using Tor if you're going to log into your Google, Facebook, Amazon, Twitter, or whatever else account?

      Depends on your threat model, really. If you're going for total anonymity, chances are, you're not using any of those services anyway.

      But if you're a normal person, using Tor accessing those services does increase your privacy! Why should Google et al know (and save for perpetuity), where I am coming from/where I am located at time of login? A regular VPN does also have its purposes here...

  3. I wonder how much we can trust it by Anonymous Coward · · Score: 1

    Making Tor dead simple to use is great, but this is such a nice device for three-letter agencies to target inserting a backdoor into.

    Why would they bother? This thing is likely just going to route all the data over one Tor curcit. If anyone behind it sends one identifiable thing (say an application checking for updates of a license server, getting your email, logging into something etc) it will blow the whole thing to an observer on the backbone, exit node or server side. Unless you are really careful (and then its not dead simple to use) It basically offers all the security of a VPN run by an unknown potentially hostile party: it hides your traffic from your ISP, and makes your traffic slightly harder to associate with you.

    If you don't like your ISP, this is a good way to piss them off, add latency, and hide your data from them. It won't do much else. I should note that this is a valid and useful thing to do if your ISP and related nation are more oppressive that those who do large scale spying. Ex: if you don't want to hide from the NSA, just Iran or something this might work (and get you killed, but Iran does that to lots of people)

  4. Of course its not idiot-proof by penguinoid · · Score: 4, Insightful

    The weak link in Tor security has always been its users.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Of course its not idiot-proof by TrollstonButterbeans · · Score: 2

      You did an unintentional double entendre there. You know, like, the weak link is the "users" as in user failing to understand how to safely browser anonymously and inadvertently compromise their security using Tor. Or the weak link is the "users" as in 'although the idea of anonymity is great' and some casual users will be attracted, it will be a magnet for underground malfeasance and Silk Road wannabees and drug traffickers.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  5. uniqueness by Nauglamir · · Score: 1

    Great, it'll help all the 3 letters to reduce the userspace with another metadata field where usesThingieToConnectToHoneypotNode=true. As if the systems weren't unique enough with the info the browser will spew.

    --
    i *had* a low uid, but lost it in my lawn
  6. Re:FBI reaction on sharing by FatdogHaiku · · Score: 2

    Freeze! Is that a crew membership badge of pirate Tor's ship in your pocket, or are you just happy to see me?

    Aye, 'tis hard to arrrgue...

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  7. way more than 10x now.... by SethJohnson · · Score: 2

    According to the kickstarter page, the campaign is over $170,000.

    A $51 pledge gets you one shipped to your house in the USA.

    --
    $5 / month hosted VPS on linux = awesome!
    1. Re:way more than 10x now.... by SethJohnson · · Score: 2

      I just checked less than 24 hours later. It's up to $247,000. Something tells me there is strong consumer interest in this type of a product.

      --
      $5 / month hosted VPS on linux = awesome!
  8. CDNs will render the device useless by Anonymous Coward · · Score: 2, Interesting

    Using tor to acces a website that is served via cloudfront will get you a captcha to solve.
    The capchas are sometime way too hard for humans to solve.

    Most of the anonbox users will be annoyed by the constant capthca onslaught and decide that the device is broken and stop using it.

  9. It should really be called a... by Anonymous Coward · · Score: 2, Interesting

    Internet restriction circumvention device. But *NOT* an anonymity device. Tor is great for avoiding deep packet inspection monitoring/blocking at the ISP level, but without a chain of anonymous accounts proxies outside the tor network, etc it's useless as an anonymity device. Sure you might be able to troll slashdot, or reddit, or digg, or whatever your favorite website is, but if even one of those is done with an account you made via the 'normal' net, it has the potential of being identified and tied back to you.

    Given the comments about Comcast and Tor mentioned in an article here a few weeks back, I expect we'll see more of the social engineering angle coming at us from hostile incumbent ISPs. The FBI/NSA/USAFCC will mostly not care since they can probably use Tor as probable cause to hack your system (when you finish laughing over 'probable cause', like that would stop them from hacking you either way!)

    Overall I think these devices, assuming the hardware is secure and the software is suitably hardened (and lacking either a heartbleed-esque memory leak, or remote exploitable hole offering root level system access), and firmware upgrades are not trojan'd en-route, should see a net increase in tor usage and perhaps wider adoption of anonymity enhancing technology. After all, it's a net gain for all of us if more people use tor, and if this device takes off, hopefully dozens more will spring up. Assuming consolidation is avoided, 10 different types of Tor routers with no more than 20-30 percent compromisation should ensure sufficient route anonymity for the average user.

    That said, Windows, your CPU ID, your ethernet hardware address, and now Nvidia's GPU UUID, all seem like much larger and more immediate anonymity holes than tor network compromise. Can anyone verify for me if AMD's GPUs have a similiar UUID feature as Nvidia's cards, and if either or both have a method of disabling the return of said ID's to non-root/administrator applications (The latter obviously won't help with videogames however, since most have administrator level access through their DRM.)

  10. Bad idea! by thegarbz · · Score: 4, Informative

    No it's not great, and no it's not a back door you need to worry about.

    The fundamental problem is that anonymity is hard, very hard. There have been several people identified via Tor, seemingly smart people who thought they were covering their tracks. In many ways making Tor easy to use, and making a Tor proxy style router is the single worst way of using Tor.

    We leave tracks everywhere we go. Our browser configuration, plugins, OS, etc all leave fingerprints for people to follow and using Tor doesn't stop that. Tor should be hard to use. It should require reading a manual. It should require understanding everything about anonymity. It should be used like Tails, a burner Linux distribution which should leave no trace on the system on which it was used.

    The TLAs don't need to backdoor this device. It's quite likely that they welcome its use.

    1. Re:Bad idea! by hodet · · Score: 1

      This right here. It is worse to access the internet under the illusion of anonymity than anything else. If you need anonymity then take responsibility for your requirements. Do not farm it out to others. I think the intent is noble with this device, but I just don't see how this improves on Tor Browser, or even better on Tails.

  11. yes, keep adding leechers! by Anonymous Coward · · Score: 2, Insightful

    The problem with Tor is that there are hundreds of leechers, even the agencies are using it to cover their tracks and it wouldn't be surprising if they controlled most of the exit nodes too!

    What we need is to have every internet user to be an exit node, otherwise Tor will just collapse.

    This device should at least be a client and relay device, being just a client is being a leecher.

    1. Re:yes, keep adding leechers! by Anonymous Coward · · Score: 1

      > What we need is to have every internet user to be an exit node, otherwise Tor will just collapse.

      Agree. In fact, that will make Tor far more secure, in addition to resilient, than it is now.

      Ditto for remailers. Once every MUA can act as a remailer for your friends and family (really a quite simple thing to implement), the entire 'metadata' debate and collection goes out the window!

  12. Designed to keep you anonymous and yet... by 0x537461746943 · · Score: 4, Funny

    One of the kickstarter rewards for buy the device is...

    "Get your name on the sponsors page of our website"

    I got a little chuckle at the irony in that.

  13. Alternate solution. by Anonymous Coward · · Score: 3, Informative

    This is a different flavor of the TP-Link TL-WR703N wireless router I ordered from the SLBoat store on ebay.com. It comes preloaded with OpenWRT and I can then flash it with the PORTAL bin file from github.com. PORTAL uses TOR for all access to the Internet.

    https://github.com/grugq/portal

  14. TOR's purpose abused. by kualla · · Score: 1

    "A promotional video suggests several uses for the device, including using it to securely share Internet access with family and friends, or to stream live audio from sports games that are blocked in a specific region. "

    First off, this is great project, but their promotional video makes me a bit upset with this company... Encouraging people to use this to get around blocks to allow streaming of their favorite sports game is just wrong, the service does not currently have bandwidth to realistically do that, especially not for a massive amount of people to go out purchasing this device for that reason!

    They are basically saying we are going to sell our devices by abusing a free network so we can make profits while carelessly screwing over the reporters that need their anonymity, people who's governments put such tight restrictions on their internet use, allowing the NSA to continue on abusing their spying technologies, and on and on!!!

    Now if they sold these devices and claimed they were going to donate a sizable amount of bandwidth based on sales, or better yet make an easy to integrate feature that allows users to share their own bandwidth with the TOR network, then I would not feel so negative towards their promotional video's advertising high-bandwidth consumption such as a sports game!

  15. Be considerate for TOR use please. by kualla · · Score: 1

    "A promotional video suggests several uses for the device, including using it to securely share Internet access with family and friends, or to stream live audio from sports games that are blocked in a specific region. "

    First off, this is great project, but their promotional video makes me a bit upset with this company... Encouraging people to use this to get around blocks to allow streaming of their favorite sports game is just wrong, the service does not currently have bandwidth to even realistically do that, especially not for a massive amount of people to go out purchasing this device for that reason!

    They are basically saying we are going to sell our devices by abusing a free network so we can make profits while carelessly screwing over the reporters that need their anonymity, people who's governments put such tight restrictions on their internet use, allowing the NSA to continue on their rapid spying technologies, and on and on!!!

    Now if they sold these devices and claimed they were going to donate a sizable amount of bandwidth based on sales, or better yet make an easy to integrate feature that allows users to share their own bandwidth with the TOR network, then I would not feel so negative towards their promotional video's advertising high-bandwidth consumption such as a sports game!

  16. No Kickstarter needed by mnt · · Score: 1

    The device is (as reddit already proofed) an clone of a tp-link router. And someone has already done the work to put TOR on the device. That leaves us only with hot air on this Kickstarter.