Kickstarter Cancels Anonabox Funding Campaign

An anonymous reader writes: On Friday, the controversy surrounding Anonabox reached its zenith with Kickstarter officially canceling the project's funding campaign. Anonabox began with a modest goal of $7,500, but quickly reached its goal 82 times over. Then funders and interested parties began to scrutinize the project's claims, and that's when the project ran into trouble. From hardware that wasn't actually custom-made to software that didn't actually fulfill promises of privacy-focused routing on the internet, the facts regarding Anonabox proved that it was in blatant violation of Kickstarter's rules against false advertising. This project clearly failed, but if the support it initially garnered is any indication, the public is hungry for easy-to-use technology that encrypts and anonymizes all personal internet traffic.

Really?

[Ralph+Wiggam]

The guys who said they could create custom hardware for 7,500 bucks were full of shit? I am shocked.

Re:Really?

[saloomy]

Why is custom hardware needed? Im just curious. There seem to be plenty of cheap ($100) SOC boards out there with ethernet ports. You only need one to route. Not sure what sort of hardware performance requirements the encryption and tunneling software would require, but surely one can be built for much less than $7500. Even a desktop with a bunch of 4x1GB port PCIe cards wouldn't cost a grand... its a desktop I know, but still....

Re:Really?

[r1348]

Hardware backdoors. See Huawei.

Re:Really?

[Ralph+Wiggam]

I believe that among this target market there is a belief that any off-the-shelf hardware is going to have NSA back doors in it.

And you can certainly hand make one unit for less than $7500. But setting up mass production of any consumer electronics product, even one based on stock boards, requires one or two orders of magnitude more money than that.

Re:Really?

>> surely one can be built for much less than $7500. Even a desktop with a bunch of 4x1GB port PCIe cards wouldn't cost a grand

Do you not understand the concept of prototyping? (apparently neither did the Anonabox founders)

The $7500 goal they set was (supposedly) to DESIGN and create MULTIPLE prototype revisions of a custom board. Building one circuit board yourself doesn't cost $7500, but paying an actual EE and fab to design and build a small production run of boards to test your software, the reliability and work out flaws costs a LOT more than $7500.

The question really is: were the Anonabox people just incompetent and not *know* the real costs for custom fab work, or were they maliciously trying to scam to public? The Reddit AMA seems to indicate the latter given the volume of faked and/or stolen product shots which they mysteriously 'didn't know' why they were exactly the same as commercial providers.

Re:Really?

[TechyImmigrant]

Designing and building a 6 layer board, 3 iterations to get right, using your own time is 10-30 grand, depending on the components and manufacturer fees. Any board of takes 6 months. It just does. String together all the things to do for a manufacturable board and it takes 6 months.

Doing a one off, for your own amusement, or a PoC, I managed that in 2 very long days once.

Re:Really?

[NoMaster]

Why is custom hardware needed?

It's not. The off-the-shelf hardware they chose, combined with off-the-shelf software they chose, was quite capable of doing what he said it would.

The problem was he lied when he said it was custom hardware developed through a series of different iterations. It wasn't - it was as off-the-shelf as you can get, with only a "would you like fries with that?" ROM upgrade from 8meg to 16meg, and a lack of USB port - to differentiate it from the Alibaba $20 special. Right down to the case, which he also claimed was custom-designed by him...

(Hell, after people showed him pictures of an identical board in an identical case being sold there, he popped up saying the USB port was a 'fantastic idea' and that he'd now decided to include one too...)

The images of the hardware and development process used on the Kickstarter page? Again, deceptive - the picture of his 'custom-made' case was lifted from Alibaba and the original logo (badly) photoshopped out; images labelled as showing how ongoing development had shrunk the size of the hardware showed exactly the same photo (copied from elsewhere too) of exactly the same board simply resized to make it appear as though it was smaller , etc, etc.

Software? Very similar story. His 'custom-made code' consisted simply of a bunch of rules; the

The issue was never that he was taking a $20 box, installing Linux, and asking $50 for it. That's just capitalism. The issue was that he misrepresented what he was doing as original hardware and software development, lied blatently about it, and then when caught out doubling-down on the lies .

His Reddit AMA is a good overview of the whole thing.

Re:Really?

[wierd_w]

openwrt + debian chroot + tor linux package == wireless router that simply puts everything through tor, transparently.

one could dispense with the debian chroot altogether if they did a well maintained fork of openwrt with well updated packages.

Routers are getting quite powerful these days. while they often lack hardware fpu, that can be somewhat alleviated with softfloat solutions.

keep your traffic under control, and such a box can easily handle the load. (naturally, you need to keep the number of connected devices under control, and keep packet count sane within limits of the weaksauce router's hardware.)

just saying that such an appliance can be made at home right now with old network gear and free software.

enjoy.

Re:Really?

[wierd_w]

The internet was not designed to prevent eavesdropping either.

Hell, ETHERNET was not designed to prevent it!

If you want a technology to prevent eavesdropping, you need to go ground up quantum crypto over optical fiber or something.

Tor is basically security through obscurity anyway. However, it is still more difficult to intercept and piece together than naked, unfiltered traffic, which is what a normal router offers.

Basically, what I am pointing out is that your argument is absurd. TOR was attacked by governments, not from within the TOR network, but by observing the traffic going into and out of its exit nodes. That is because the traffic going in and out was unencumbered at that point, because it has to talk with the regular internet. Coupled with other forensic techniques, the powers that be were able to deduce a great deal about who sent what packets through TOR.

ANY APPLIANCE WOULD SUFFER THIS ISSUE.
THE INTERNET ITSELF DOES NOT PREVENT EAVESDROPPING.

Instead, the best you can do is make the message meaningless to the one who is eavesdropping. That is encryption. Even better if you use encrypted packets with a randomized route. This means that eavesdroppers will only get a few of the packets, and will not have enough data to attack the message contents.

Encryption that is worth a shit requires a beefy FPU. That's why I pointed out that current COTS routers aren't a good fit exactly-- normal packet routing does not require FPU function. However, as data security on the internet becomes more and more a requirement, and less and less of a simple paranoia thing-- (and as cost of manufacture for SoC systems comes down and economies of scale interject into the market for SoCs) then home routers with real hardfloat will emerge. At that time, it really would be possible to have a consumer device in your house that does the data fiddling for you.

Again, your objection is bullshit. Followed to its conclusion, the internet itself shouldnt be used at all.

Re:Really?

Tor provides anonymity. Tor hides your location. ANYONE can setup a Tor exit node and monitor / log packets. The exit node is a stranger to you. There is no reason to trust whoever sets up an exit node, this is not security. Tor was not designed to secure data but hide its origin. Funneling general web browsing, banking etc by default through a tor device seems like an absolutely stupid idea. Hence, relying on tor this way is makes no sense. This does not mean one must give up on the internet, but it's obvious you like to hear yourself - even when I read it I learn nothing new.

Re:Really?

[wierd_w]

Love the ad hominem. I guess you wouldn't be a slashdot AC without using one. I especially loved how you believe that I dont understand what TOR does (and that the only purpose of other peoples posts are to increase your own, personal knowledge base), or what its limitations are. Next up, you will complain about my spelling and grammar. You neednt bother though; I will spare you the expense, and admit openly that both are poor. I dont care. :P (See how I flagrantly fail to use apostrophes! Oh the humanity! Clearly I dont have a fucking clue because I cant use an apostrophe, even though I clearly do by pointing this out! OH NO!)

However, your scope of use-case is not very broad. You are assuming a person wants an easy tor node to hide all that home traffic (bank account logins, et-al), rather than for other purposes that one would want a tor node for. Say for instance, political speech, anonymizing a server that is black boxed (you can't change the software on), etc. I never said that this box needed to be the gatekeeper to the ISP. It just needs to be the gatekeeper for a TORed subnet.

Granted, there would be some added utility to the tor community at large to have so much benign traffic passing through their obfuscation network, because it would add hay to the haystack (making finding the needles harder) but it would also make the already poorly performing TOR network even more burdened, and it would in general destroy network performance, in addition to exposing lots of people to a very huge Man in the Middle.

Tor can basically be used like a vpn without a specific endpoint. This means it would be useful for people in oppressive regimes that want to send real information, free from the censors. Having a single device to configure in one's kit would be handy; especially something easily transportable, like a portable hotspot, or a router. (Just use it like a bridge instead; openwrt will let you do this. Show up at the hotel/library/Burgerking/$hotspot, use the 'free' wifi, send fully tor'd up political speech all you want.) A PORTABLE tor node that can latch onto public open networks would be quite handy, and I can definitely see a use for it.

The implication that this was for "All the interwebz!" was entirely your own fabrication, and I am hereby officially calling you out on that strawman.

Re:Really?

[davester666]

"The issue was that he misrepresented what he was doing as original hardware and software development, lied blatently about it, and then when caught out doubling-down on the lies ."

That's just being a capitalist salesman.

Re:Really?

[rvw]

Why is custom hardware needed? Im just curious. There seem to be plenty of cheap ($100) SOC boards out there with ethernet ports. You only need one to route. Not sure what sort of hardware performance requirements the encryption and tunneling software would require, but surely one can be built for much less than $7500. Even a desktop with a bunch of 4x1GB port PCIe cards wouldn't cost a grand... its a desktop I know, but still....

How about the Alix APU1D4 combined with Pfsense and encrypted harddisk.

Are people still going to buy this thing?

[krkhan]

Sure, the Kickstarter is canceled but the makers have continued their marketing campaign. From the official website:

Looks like the Kickstarter is over. The device will be for sale soon directly through this website though, so check back soon. Sign up for our mailing list to be notified as soon as its [sic] available.

It'll be interesting to see how the general public's trust pans out over this thing. Do they take Kickstarter's cancellation as a red flag or are they so desperate for a easily-configurable Tor router that they'll pay whoever they can for it. Even if that means trusting these assholes vs. their ISPs.

Re:Are people still going to buy this thing?

[sexconker]

It'll be interesting to see how the general public's trust pans out over this thing. Do they take Kickstarter's cancellation as a red flag or are they so desperate for a easily-configurable Tor router that they'll pay whoever they can for it. Even if that means trusting these assholes vs. their ISPs.

Neither - their interest was enough to get them click on the button on the Kickstarter they were linked to, but their interest is not enough to get them to go to some other site, fill out payment info, and hope for the best.

Kickstarter works because:
There's a single site with tons of people on it who would otherwise never visit yourrandomproject.com or thatotherproject.org .
It's a single click to pledge your cash for a specific reward.
Backers know that they have the option to cancel their pledge at the 11th hour. This safety encourage people to pledge when they're only slightly interested, and limited rewards encourages them to do it early, generating hype.

There's a reason the vast majority of Kickstarters are extremely front-loaded - people don't want to be left out of the next big thing. I would see more value in the Kickstarter model, and trust it more, if projects were posted before funding opened. This would allow for comments, questions, and updates before the bandwagon gets rolling. Then a limited funding period (7-10 days?) would commence where people could fund the thing. Right now everything is driven by hype and impulse. This is, of course, what project creators and Kickstarter itself want, so it's not going to change.

Re:Are people still going to buy this thing?

[BarbaraHudson]

Anyone searching for them by the term "anonabox" is going to come across a LOT of negative stories on the first page of results.

Anyone searching for "tor router" is going to see competing products + negative stories about anonabox.

In short, "It's dead, Jim!"

Hungry in Italics, Fuck Kickstarter

[sexconker]

I'm not hungry for "easy-to-use technology that encrypts and anonymizes all personal internet traffic", nor am I hungry for it.

If you want to encrypt traffic then set up secure keys (OFFLINE) with the hosts you wish to communicate with. Use whatever you want for keys - certificates (NOT FROM THE ESTABLISHED CERTIFICATE AUTHORITIES), passwords, RSA clocks, OTPs, or scans of your genitals.

If you want to anonymize your traffic, then use someone else's connection, changing your MAC every time you do so. Try to use multiple different connections in different locations. Try to use locations away from your house. Do not travel to said locations in a way that can easily be tracked (your cell phone, your car, etc.).

Tor, proxies, certs from the established authorities, etc. are nothing but annoying obfuscation to the NSA and similar entities. There is no easy way to be secure and there never will be. Unless you have physical control over the entire pipe, you cannot trust the connection. End of story.

Beyond that, fuck Kickstarter. I haven't seen a useful one yet.

Re:Hungry in Italics, Fuck Kickstarter

[houstonbofh]

If you want to anonymize your traffic, then use someone else's connection, changing your MAC every time you do so. Try to use multiple different connections in different locations. Try to use locations away from your house. Do not travel to said locations in a way that can easily be tracked (your cell phone, your car, etc.).

You solution is difficult, and not always needed. Sometimes you do not need perfect security, just enough to stop casual eavesdropping. TOR does this. And does it better that the current baseline, the laughably insecure SSL.

Re:Hungry in Italics, Fuck Kickstarter

[houstonbofh]

Tor does not and was not designed to prevent ease dropping.

But it sure prevents finding the person to eavesdrop... So, again, good enough.

Re:Hungry in Italics, Fuck Kickstarter

[CountBrass]

Not if the content of the traffic gives that away anyway.

And Tor concentrates all your traffic which makes some types of attack easier.

SlashDot Is Watching You

[Evan+Langlois]

16 Companies Tracking This Page

How bad are people tracking you? Everytime you see a facebook, twitter, or other social media button, a like button, or whatever, that image is tracking you. I'm showing 16 different companies tracking slashdot from google analytics to facebook and twitter to places like taboola and others - some running scripts, some setting cookies. Don't know if any are using web bugs as I haven't checked to see what methods they all use, but this is what keeps slashdot running.

The problem is that every site is doing this. People are no longer customers, but you are now a PRODUCT. People are selling YOU. This isn't what the Internet was designed to be, its not the outpost of freedom we wanted. I am trully disappointed.

Re:SlashDot Is Watching You

[Ralph+Wiggam]

This isn't what the Internet was designed to be, its not the outpost of freedom we wanted. I am trully disappointed.

The internet was designed to be a way for DARPA contractors to share data without having to mail giant tape spools to each other. "We" didn't get involved until a couple decades later.

Re:SlashDot Is Watching You

[SeaFox]

Are you sure that's sixteen separate companies?

Disconnect is showing 16 counters for me too.
  - 12 content-related requests from Google
  - 3 Google social-related requests
  - One analytics request from ComScore

Looks like two companies to me.

Re:SlashDot Is Watching You

[SeaFox]

I believe you're thinking of Ghostery, actually.
And that's if you have the Ghostrank feature turned on, which helps the makers financially, but it is disabled by default.

Re:SlashDot Is Watching You

[SeaFox]

I have Adblock Plus set to block social stuff, too. Maybe it's filtering some stuff before Disconnect gets it.

Re:SlashDot Is Watching You

[rocket+rancher]

16 Companies Tracking This Page

This isn't what the Internet was designed to be, its not the outpost of freedom we wanted. I am trully disappointed.

wtf...? Dude, the internet was designed to allow American nuclear weapons research facilities (both private and governmental) to distribute their data so that they could survive a Soviet first-strike and continue to develop weapons. This was back in the early 1970's, and it was called DARPANet, after the US government think tank that funded its development, the Defense Advanced Research Project Agency. Seriously, it wasn't until the late 1980's and early 1990's that "the outpost of freedom" you are talking about began to take shape. Ironically, it wasn't on DARPANet that the whole subversive aspect of anonymous information exchange got governments noticing computer networks. It was the crude dial-up serial connections between PC hobbyists and their bulletin board networks. But it didn't take long for US government-funded researchers to scale up the hobbyists' point-to-point protocols with a couple of powerful tools that made distributed applications way easier to write -- network news transport protocol and unix-to-unix encoding - culminating in a store-and-forward distributed database nicknamed USENET which hitched a ride on the government-funded DARPANet. Thanks to USENET, developed after the dial-up BBS days but sharing the same spirit of information freedom, did the real power of network anonymity begin to manifest. This power was suddenly available to anybody who actually paid attention in their undergraduate CS courses. By the end of the 1990's HTML pretty much took over for NNTP and UUencoding, and the power of anonymity was available to anybody, not just engineers, scientists, and geek hobbyists. Look up Endless September for what happens when millions of middle-class American morons obtain cheap and easy access to a planetary information network -- that is what happened to your outpost of freedom -- people noticed it and turned it into a cesspool.

Re:SlashDot Is Watching You

[Evan+Langlois]

Funny - you start by saying that the government designed the internet, and then turn around an contradict yourself and say that the Internet that we know started taking shape from Usenet and hobbyist BBS users. I know. I was there. Long live my 300bps modem and 110bps acoustic coupler!

Yes, the networks merged, hence the name Internet. The .coms watching what you do so they can sell to you more efficiently is all brand new.

A-Oh-Hell users flooding the system is just re-inforcing my point. AOL is one of the problems. Hell, people freak out when you use standard reply syntax instead of putting your whole message at the top and 20 layers of quoting at the bottom.

But, banning all AOL IP Addresses was pretty back then. I don't have a problem with it. I have tons of IPs blocked on my firewall (real firewall, not some stupid Windows program) to prevent web-bugs and other listening devices. And I have a plethora of plugins that prevent such things from escaping the browser in the first place.

frosty

[Hognoxious]

Anonabox began with a modest goal of $7,500, but quickly reached its goal 82 times over. Then funders and interested parties began to scrutinize the project's claims

Way hod. I think I've spotted the problem.

Use the Filter...

[pubwvj]

You still have a filter in your brain that lets you not buy stuff. Use it, lukite.

THIS THING NOT EVEN NEEDED

There was no reason for the Anonabox anyway, it already exists. Why did they get so much on kickstarter?
https://pogoplug.com/safeplug
and it was even featured on slashdot last year
http://yro-beta.slashdot.org/story/13/11/22/1929234/tor-now-comes-in-a-box

No shortage of scam products....

[Kazoo+the+Clown]

Since a Kickstarter project doesn't usually have the benefit of a reputation, they're ripe for scam artists and huckster/hype factories. Then again, that HAS actually established a reputation. For Kickstarter/Indiegogo/etc. projects in general. Even ones that do what they say they're going to do can boil down to overhyped junk. Take the Om One, Leap Motion, or Midi PUC for example. They do what they say they can do. But it's like, so what, what they say they can do turns out to be pretty lame, it's just their marketing made it seem like something really hot.

Not sure what the fuss is about.

Not sure why people were mad about the hardware in this whole ordeal. Who gives a shit if it looks like something else or he used stock photos?

This device was never ever going to be anything but the cheapest and most practical router SoC they could get their hands on. The things are made in china by the millions and cost less than a buck. Add a little flash and two ethernet jacks and some supporting hardware and you're done. Fuck, there are literally dozens of two port micro routers that are literally this I can go buy on amazon right now. AND they have wifi. Some are even USB powered.

Realistically, they were just going to take an existing micro router reference deisgn and load custom firmware on it. Your typical router SoC has more than enough power to run a tor node.

What would make this project special would be the software stack. Making a tor node that easy to use and still be truly secure would be something of a challenge. Would it really be possible to make an idiot proof automagic tor node that intercepts and redirects traffic?

Re:Not sure what the fuss is about.

[vadim_t]

The problems are:

1. He said it was 100% open source ("The anonabox is an open source embedded networking device designed specifically to run Tor. It's 100% Open Source." on the project's page), and that he was designing the hardware (see the generation 1, 2, etc pics), clearly implying he was developing the hardware.

He clearly lied about that. Is there a problem with a customized small Linux distro running on an existing chinese router? No, there isn't, if you don't lie about it.

2. A quick review proved the software to contain significant security flaws, which makes this guy unsuitable for developing something where security is critical.

I see no problem with buying an off the shelf router with custom firmware from somebody who isn't balantly lying about what I'm paying for, and who actually understands security. This guy isn't either of those things.

'Freedom in the Cloud'

[Wootery]

Reminds me of something Eben Moglen says in one of his Freedom in the Cloud talks:

So what do we need? We need a really good web server that you can put in your pocket and plug in any place. It shouldn't be any larger than the charger for your cellphone. You should be able to plug it into any power jack in the world or sync it up with any wi-fi router that happens to be in this neighborhood ... It should have a couple of USB ports that attach it to things. It should know how to bring itself up; how to start its web server; how to go and collect your stuff from all the social networking places you've got it.

It should know how to send an encrypted backup of everything to your friends' servers. It should know how to micro-blog, It should now how to make some noise that's like tweet but doesn't infringe on anyone's trademark. It should know how to ... be your avatar in a free net that works for you and keeps the logs. You can always tell what's happening in your server and if anybody else wants to know they can get a search warrant.

Re:'Freedom in the Cloud'

[g4sy]

This is doable. There are clearly many people who are willing to shell out $50 for much less. The market is there. We need to get an A-team of open project leaders (Andrew "Bunnie" Huang, the guys at Apertus, probably others I can't think of off the top of my head) and get a community around them to crowd-fund and build such a device. It needs a tipping point of network effect as well.

Sure they do

[Kjella]

People would like a magic box that make them anonymous and secure on the internet while they log into Facebook, just like they want a magic diet pill while they continue to stuff their faces with sugar and fat. Or for a more relevant tech example they'd like a magic oracle to tell them if a website belongs to who they think it belongs to which is why we have CAs as the best approximation. It's never going to work that way, but there's a lot of money in selling snake oil...

hum

Don't get it, whatever happened to the old fashion way where the owners of the company or of the project would either invest their own money or borrow from the bank. Look at Mark Shuttleworth, he has about $500 Million and yet he did not invest $32 Million of his own money into the Ubuntu Phone project but instead went with crowdfunding which failed. Canonical makes about $30+ Million a year and has 500 employees for some reason, they have to be making $30k a year salary.

Google's tax avoidance shells

[tepples]

Perhaps it's counting Google Inc. and almost a dozen of its wholly owned tax avoidance shells as separate companies.

Pay less for a better product.

https://pogoplug.com/safeplug $49.

From a company with some history of delivery (makers of the Pogoplug).

Fuck Kickstarter

[Lord+Kano]

I'm never giving money to anything that is funded via that method.

LK

Not surprised

[eneville]

What do you expect when the Washington Redskins come after you.

A better option

[mraiser]

Want actual, real, not-made-up security and privacy? Head over to IndieGoGo and help support my company's Newbound Network product. It's real. It exists. It was made in America by real live Americans. And you can try it out for a buck. http://igg.me/at/newbound