Privacy Router Anonabox Gets $600K in Crowdfunding and Huge Backlash (wired.com)
152 points by ghosh on Oct 17, 2014 | 88 comments



It's inspiring to see so much financial commitment to an idea like this, but disheartening to see it go to the wrong place -- a Kickstarter, not the Tor Project.

Maybe we, as the FOSS community, need to start utilizing crowd sourcing more. Maybe we can use the marketing from Heartbleed etc. to launch a Kickstarter to audit OpenSSL, and use the NSA revelations to launch a Kickstarter to run more exit nodes (which are desperately needed -- about 1k nodes for 2M users). The project to audit Truecrypt seemed to reap the benefits of this quite effectively.

I'm not familiar with the TOS for Kickstarter so maybe this isn't possible, but clearly the general public clearly has more interest than we (I) thought. They just don't know how to channel their support effectively.


The problem with traditional fundraisers is that the rewards don't align well at all with FOSS projects. I ran a fundraiser for a FOSS project and part of the reason I feel it was successful was because I put a lot of work into coming up with rewards that were a good fit with the community.

The big thing is that most FOSS fundraisers adopt the same perks used by proprietary software. These are typically vanity rewards or early-access. Early access is straight up anti-social when it comes to FOSS. Giving people the ability to steer the project makes a lot more sense.

Of course no one has software for that, so I had to make my own.

Successful fundraiser: http://igg.me/at/rtlsdr

Backend: https://github.com/keenerd/featuritis

Old-ish progress report: http://kmkeen.com/igg-report/


> run more exit nodes (which are desperately needed -- about 1k nodes for 2M users)

What is the ideal ratio of exit nodes to users? It seems that too close to 1:1 is going to be almost as bad as too few nodes, at least to my (not particularly well versed in Tor infrastructure) thinking.


That's a difficult question I'm not qualified to answer, and in hindsight that statistic was confusing. The real issue with the tiny amount of exit nodes in operation is a fundamental weakness in Tor; if an attacker can run a large enough percentage of Tor nodes (not necessarily just exit nodes), they can use traffic confirmation attacks to deanonymize users.


There already is a $5.4 million initiative by the Linux Foundation that will audit OpenSSL as one of its goals[0].

[0] - http://arstechnica.com/information-technology/2014/05/openss...


Is there a Kickstarter alternative solely for raising funding for OSS with little or no fees?

If not, someone should build one.


https://www.bountysource.com/ wants 10% on cashout, which sounds like a reasonable fee of operation. I have no problem with people making a living off that. OSS is no charity.


Well, there's Gratipay (formerly Gittip), which is a great platform since it allows you to support an open-source project through regular payments. Unfortunately, the project has not yet received broad adoption, which I hope will change in the future, though.

Here's the link:

http://www.gratipay.com

In fact, there is a page for the Tor community, so if you want to support them, go there and give them some money ;)

https://gratipay.com/for/tor


I know it's common here to let the past be past, but it should be said that depending on your world view, gittip is not a good option.

http://geekfeminism.wikia.com/wiki/Gittip_crisis


It's all well and good to build one, but this project didn't get 600K because it's a good idea - it got it because it hit the right buttons on the largest by far crowdfunding website around.

If it's not permitted on Kickstarter, we would probably do better to convince them to allow it, with certain restrictions of course. A purpose-built site simply wouldn't have the traffic to produce that kind of funding for smaller projects.



I don't know about Kickstarter's TOS but I'm fairly certain you can do this with Tilt Open. https://open.tilt.com/


Agreed. The money would be much better if given to The Guardian Project. I wish those guys would get involved in building a hardware project like this - as the demand is definitely there.


The current state-of-the-art in Anonabox skepticism: https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_to...


I've been working through the technical elements of the anonabox setup. I'll leave the moral outrage to others, personally I think $50 for anonymity with tor is great but impossible. Currently I'm (somewhat hilariously) trying to reverse engineer the firmware in an open source operating system to a product described as 100% open source, but here's what I have so far:

The source shipped so far is a bunch of config files that appear to be hand-loaded onto devices running an existing image according to a forum post[1]. You would expect to see a firmware image built using the OpenWRT imagebuilder or complete toolchain with some degree of code audit if you want to promise no backdoors.

The firewall configuration uses both OpenWRT's UCI and a separate unintegrated iptables script. The configuration means that the device will leak protocols other than TCP and UDP with specific destination ports out through the wan interface onto the other network or the Internet.

There's a hard coded root password in the build. OpenWRT doesn't have one and asks you to set your own.

The lan side wifi is completely open and unencrypted. If you were to use this device thinking you're safe, anyone can sniff what you're doing if they're within wireless range before it goes through Tor. Because Tor provides transport encryption, almost all .onion sites use HTTP.

The device exposes port 9040 on all interfaces, this is the tor socks port. I don't yet know whether this could be used to get to the lan side network (e.g. 127.0.0.1 HTTP interface) from tor as I haven't looked into it yet by chaining proxies as I haven't had time, but I don't think it's needed.

There's hard-coded host key material, the startup entropy state is unknown - basically lots of potential crypto problems that to be honest can be saved until we see the actual thing and its code.

From the config files it looks like the hardware uses kernel modules that load firmware in binary blob form from the device's flash memory. This is common in routers and makes kernel upgrades difficult because the blobs are designed for specific kernel versions.

The source code for the device's OS is not available. There's an upgrade firmware available but looking at the firmware using various extraction and carving tools yielded nothing. Some initial analysis shows that there's a prologue and a higher entropy possibly compressed or encrypted component. This is not an open hardware platform.

Without some serious modifications the device will almost certainly suffer from a transparent proxy leak problem[2].

In conclusion the technical claims don't match what has been provided at this stage. I'd be quite happy to discuss things with the developers, but fundamentally this project is not going to deliver the anonymity customers have been told they will even if the security problems are fixed and the source for everything is opened up. I'm a bit disheartened that they're taking the money and going to ship, but I accept that it's hard to turn down half a million dollars.

[1] - http://www.torouter.com/developer/showthread.php?tid=4

[2] - https://trac.torproject.org/projects/tor/wiki/doc/Transparen...
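The checks this comment describes can be run statically against a config dump before trusting a device. The following is an added example, not part of the original comment or of the Anonabox source: it assumes the firewall is available as `iptables-save` output, and every function name and sample input is constructed for illustration.

```python
"""Static audit of OpenWrt-style config text (all sample inputs are constructed)."""
import re

WILDCARDS = {"0.0.0.0", "[::]", "*"}
TOR_LISTENERS = ("SocksPort", "TransPort", "DNSPort")


def audit_wireless(uci_text):
    """Flag UCI wifi-iface sections in AP mode that have no encryption."""
    findings, section = [], None
    # The sentinel line flushes the last real section through the same path.
    for raw in uci_text.splitlines() + ["config end-sentinel"]:
        line = raw.strip()
        new_section = re.match(r"config\s+(\S+)", line)
        option = re.match(r"option\s+(\S+)\s+(.*)", line)
        if new_section:
            if section and section["type"] == "wifi-iface":
                opts = section["opts"]
                # A missing 'encryption' option is treated as an open network.
                if opts.get("mode", "ap") == "ap" and opts.get("encryption", "none") == "none":
                    findings.append("open-wifi:" + opts.get("ssid", "?"))
            section = {"type": new_section.group(1), "opts": {}}
        elif option and section:
            section["opts"][option.group(1)] = option.group(2).strip("'\"")
    return findings


def audit_torrc(torrc_text):
    """Flag Tor listener ports bound to every interface instead of one address."""
    findings = []
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in TOR_LISTENERS:
            continue
        host, sep, _port = parts[1].rpartition(":")
        if not sep:
            host = "127.0.0.1"  # a bare port number listens on localhost only
        if host in WILDCARDS:
            findings.append(f"wildcard-listener:{parts[0]} {parts[1]}")
    return findings


def audit_shadow(shadow_text):
    """Flag a root password hash baked into the image's /etc/shadow."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1 and fields[1].startswith("$"):
            return ["preset-root-password"]
    return []


def audit_forward_chain(iptables_save_text):
    """Coarse check: FORWARD defaults to ACCEPT and has no catch-all DROP/REJECT,
    so anything the NAT redirect rules do not match is routed out unmodified."""
    in_filter, policy, terminal = False, None, False
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":FORWARD"):
            policy = line.split()[1]
        elif in_filter and re.fullmatch(r"-A FORWARD -j (DROP|REJECT)( .*)?", line):
            terminal = True
    return ["forward-default-accept"] if policy == "ACCEPT" and not terminal else []


def audit_all(wireless, torrc, shadow, iptables_save):
    return (audit_wireless(wireless) + audit_torrc(torrc)
            + audit_shadow(shadow) + audit_forward_chain(iptables_save))


# Constructed inputs that reproduce the four findings in the comment above.
SAMPLE_WIRELESS = """\
config wifi-iface
    option mode 'ap'
    option ssid 'example-lan'
    option encryption 'none'
"""
SAMPLE_TORRC = "TransPort 0.0.0.0:9040\nDNSPort 127.0.0.1:9053\n"
SAMPLE_SHADOW = "root:$1$CONSTRUCTED$not.a.real.hash:16000:0:99999:7:::\n"
SAMPLE_IPTABLES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p tcp --syn -j REDIRECT --to-ports 9040
-A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-ports 9053
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE_WIRELESS, SAMPLE_TORRC, SAMPLE_SHADOW, SAMPLE_IPTABLES)))
```

The forward-chain check only looks at the chain policy and a catch-all rule; a real ruleset with earlier ACCEPT rules needs a per-rule review as well.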


I don't know what the point of lying about the source of the boards was. That was just stupid. This user htilonom is just milking it for all it's worth though.

I've seen those devices retail for as much as $30. $50 isn't unreasonable. That price should ensure they can deliver.

After it's done with Germar, the reddit mob should take its pitchforks over to Starbucks. What a scam that place is. Slapping their logo on coffee from some third world country, claiming they made it. Outrageous!


If the price was the only issue, $50 wouldn't be unreasonable at all. People underestimate the cost of distribution, offering support and warranties, vat/sales taxes etc. $50 just for reselling the unmodified Chinese devices would be reasonable many places.

So I agree that making a fuss over the price is silly. Especially since their initial goal was low. A $7500 kickstarter to fund a bit of developer time to put together something nice is not unreasonable. Everything beyond that should pretty much be considered pre-orders.

But the lies and deception, false claims and apparent total lack of understanding of how to make the device secure on the other hand, goes far beyond stupid.


Either you're a shill or you haven't actually read the post.


Do you want to buy a tor router with default open wifi and admin password set to 'developer!'?


...?

You understand that your router came with the username 'admin' and the password 'password' when you bought it right?

(don't get me wrong, there's some weird stuff going on with that kickstarter, but the password/username thing is such a strawman it hurts me to see people talking about it)


It's not really a strawman. By default OpenWRT doesn't have a root password, and asks you to set one in order to be able to log into the interface or over SSH.

A lot of devices running OpenWRT that are shipped these days (e.g. mainly routers of some sort) come with a WPA-PSK encrypted wireless network, not an open wireless network. It's common to see the password put on a sticker on the device or supplied with it, and it's usually algorithmically or randomly generated.

Because the default wifi is open anyone in the local area will be able to connect to the device, passively sniff wireless traffic going through the bridge etc. before it hits tor, including any usernames and passwords used to log into the router other than through SSH.


Here in Europe, standalone routers are not very popular, since ISPs provide CPEs (customer premises equipment) that are a combination of a modem and router with multiple Ethernet ports and Wi-Fi. The norm is for the ISP to configure them with unique web-interface passwords, WiFi SSIDs as well as WPA keys, printed on the back of the device [1].

[1] http://imgur.com/i8W4aQb


Here in Scotland my broadband router has a unique wifi password, but the admin password for configuring the router is always 'sky'.


Outstanding. Sounds like any banner ad you happen across could own your network with a variant of <img src="hxxp://192.168.0.1/admin.cgi?op=login&password=sky">.


To protect against these kinds of attacks (and DNS rebinding attacks), most (?) modern browsers won't allow a webpage to make requests to non-routable IP addresses unless the page itself came from a non-routable IP address. Not that that's a fix, but it definitely helps mitigate the issue.


I just tested Firefox and Chrome, both made an HTTP request successfully to my laptop's rfc1918 address referenced from a web page on the internet. Maybe you are thinking of IE's "zones" feature?


At least my router did not. It came with a sticker with a random password. My other routers all have ethernet ports and came with wifi disabled.


What router is it?

I've literally never encountered a router that didn't have a default password on it.

Sometimes service providers will set a random (or user) password before shipping the device, but they all reset to the default one when you factory reset it.

I thought it was just universal.

I'm actually quite interested to know which manufacturers ship a custom rom per device with a unique password.


Fritz Boxes have a unique password, it's printed on the sticker on the back. My consumer grade Telekom router does the same, same for the Vodafone router my brother owns. It's the de facto standard for all consumer grade adsl/cable modems/routers that German telcos hand off to their customers.


Um. You might be confusing the password that is configured by the service provider and the password that is set by the manufacturer.

The fritz box default password is 'password'.

http://www.routeripaddress.com/routers/10609/avm-fritz-box-f...


Maybe confusing the WiFi password and the admin password? I just got a new modem/router today and the WiFi is WPA2 secured by default with a random passcode printed on a sticker on the base of the unit... but once connected, the login for configuring the unit itself is your standard default admin/password deal.


ADSL/Cable modems are usually set up to download firmware from the ISP, at least in cable modems throttling is usually done on the device as well, so it sort of resets every time you turn it off and on.


My router at least uses the same password for wifi and admin access by default. I'll have to check on the fritz box though.


.. from the manufacturer? No it didn't. Your ISP set a random password when they configured it for you.


Regular routers don't advertise as security products.


There are ethical questions about the person ripping off multiple different products and not crediting them. He is taking a bunch of things and putting them in a nice shiny box with almost zero end user configuration required. Now, that's a moral question and I'll let you all decide if it's right or wrong.

Coming to the technical aspects of the box, the product is fine in the sense that it does exactly what it says technically - routing your connection via Tor. Using verified credentials over Tor is a bad idea for that specific identity. If you're the kind of person who's going to buy this, I can take a guess that a large percent of the population wouldn't really know how it works and will think "I'm anonymous and private now, thanks to this little box" and use the Internet exactly as they were using it before - bad idea. The concept is flawed simply because a layman will use email and facebook over Tor and then bam! you can identify him instantly.

TL;DR - Operation successful, patient is dead.


> He is taking a bunch of things and putting them in a nice shiny box with almost zero end user configuration required

This is a stronger value proposition than most social media startups.


Reminds me of debates in the movie en.wikipedia.org/wiki/Flash_of_Genius_(film)

About what is to invent or not.


A low bar indeed.


> He is taking a bunch of things and putting them in a nice shiny box with almost zero end user configuration required.

In the product world this is generally known as every product ever.

iPod : a bunch of things and putting them in a nice shiny box with almost zero end user configuration required

Chocolate Bar: a bunch of things and putting them in a nice shiny box with almost zero end user configuration required

Tide: a bunch of things and putting them in a nice shiny box with almost zero end user configuration required

Bulk bins at a supermarket: a bunch of things and putting them in a nice shiny box with almost zero end user configuration required

hackernews: a bunch of things and putting them in a nice shiny box with almost zero end user configuration required


> The concept is flawed simply because a layman will use email and facebook over Tor and then bam! you can identify him instantly.

This doesn't match my understanding of how Tor works, and I'm happy to be wrong on this. Do you mean that their actions when logged-in/authorized will be identifiable as them, or if while using a Tor service, if you make any identifiable internet calls, the whole of the rest of your session is identifiable?


Because of the way Facebook and other sites can track your movements across websites (due to Like button embedding and other third party scripts that we all use on our sites), they'll be able to identify you across your session, defeating the purpose of Tor. At least that's how I've understood it.


True, most people, ourselves included since we are posting here, cannot maintain true anonymity online. It's not that they do not want to, it's that they do not know how nor do they realize that Fb is not anonymous.

Still, it is an educating experience and the success of the kickstart is a great indicator of an itch that wants to be scratched. I think the way to view this is that people want to have privacy but are unaware of how to go about it or what it takes. We should view this as an opportunity to educate people about TOR and its benefits and costs to each of us personally and as a society. Having people log into TOR to use Fb is dumb, yes, but at least they are using TOR at all!


Forgetting the fact that it very well may be a crappy product, I am not sure I see the issue that has caused the pitchforks to come out on this one. The controversy seems to be over this statement:

"Little did we know, it would take over four years, and a lot more tacos and beer, to create a device with the security, speed, functionality and easy-of-use that is the anonabox."

It certainly could have taken them four years, even if that only means they were tinkering with it for four years before they stumbled across a $20 board from China that finally made it feasible given their apparent lack of skills necessary to create a custom device. While I certainly won't be buying one of these, the description on the site seems fairly accurate. It's an OpenWRT-based router that they pre-configure to work with TOR. It seems like it probably does what it says.

I just don't see pitchfork-worthy issues here.


A bit further down the product description:

> By our fourth round of prototypes we had created a model with 64mb memory and a 580mhz CPU. This not only runs the software well, it flies! At last happy with the board, we designed a simple, minimalist case in plain white to house it. The end result is our current model. We decided to name it the anonabox.

They did not create the board nor did they design the case.


And nowhere in what you quoted did they say that they created the board.


>we had created a model with 64mb memory and a 580mhz CPU.

I'm not sure about you but saying "we had created" is a pretty clear indication of where they thought they stood in the creation process here.


It just says they created the complete box, it says nothing about the components. For anybody that has any experience with assembling hardware, it is completely common case to use components from other manufacturers. Apple says "we created iPhone" but they use Samsung chips inside, should they say "Samsung created iPhone" instead? No, because they added their own work to the components, things that the components didn't do before. So the question is - did the source components do what Anonabox is doing? If not, they created something new and have valid claim to that. They don't have to make the silicon and extract the metal from ore to have right to claim that.


It definitely implies they designed the board. Apple certainly designed their own board.

If Apple was buying fully-functional iPhone hardware that only lacked a case then it would be ridiculous for them to claim they had created the iPhone.

For you to say 'complete box' is misleading, because the plastic shell doesn't actually do anything, the bare board is functionally already complete.

The board is not a mere component, it is 95% of the end result.

And especially the wording of creating a model, then evaluating the performance of the board, then designing a case... creation can only apply to the uncased board in that paragraph. If they didn't make the board it's a pack of lies.


It says about technical specs of the product, and it says about how they looked for the hardware that would work for them, but it never says they soldered the board themselves. At least I don't see any of such language on the Kickstarter page, maybe they claimed this in AMA, I didn't read that. The product is what is sold, and if 95% was already there, I personally see no problem in that - a lot of great things were done as adding the final 5% to what already existed but was not as practical. I'm also not sure why anybody would care where the board comes from - as long as it works as a consumer product that didn't exist before, what's the problem?


I'm fine with anything that isn't deceptive.


Right, so I'm not sure yet if there was intent for deception. Sure, the product needs work - like default password, etc. - it should be fixed before it can be reasonably considered a security product, and that's all valid points, but that is not a fraud - it's just a product needing some work, not an uncommon thing on kickstarter. Now if they did claim they built it from scratch then it would be outright deception, and that changes the picture completely.


They're abusing words, here talking about hardware, IIUC their only valuable addition is the software setup. Putting a board in an already appropriate case isn't creation.


It says "we had created a model with 64mb memory and a 580mhz CPU". That says literally nothing about the source of anything. All that says is "we stuffed various parts in a box".


According to a user in the Reddit IAMA thread with the Anonabox creator, the idea (and some of the wording) is plagiarized from a Hackaday semi-finalist:

http://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_augus...

> By the way, here is the original project, Hackaday Prize (not yet finished) semi-finalist, and based on the Adafruit onionPi : http://hackaday.com/2014/09/06/secure-your-internets-with-we...

> There are many obvious similarities and anonabox are even using almost the same sentences I'm using for my HaD project, same arguments.

> The anonabox campaign started one day before the contest judging, and his website has been registered on 18 of september, (after I released the project details). This is a very aggressive move and everyone should be careful about this campaign.


A router preconfigured to use Tor and other services is not that original.


This is a common Kickstarter scam. Take a Chinese product off alibaba, maybe tweak the software, brand it, and sell it on kickstarter. It has happened time and time again for things like Android watches, Bluetooth low energy devices, almost anything currently being made.


There's an interesting email thread on the tor-relay mailing list with people from the torproject itself commenting and sharing their thoughts on that project:

https://lists.torproject.org/pipermail/tor-relays/2014-Octob...



Can someone enlighten me on this? Does this mean the creators will not receive the funding, or not that no further funding will be accepted?


I'm assuming both, at least until it's resolved.


Hey @kickstarter It's time to kill the @anonabox - @torproject needs to make a statement disowning this project too.

I've got a pile of money and an idea... let's make a mint by stealing people's ideas.....

"Well, we have enough capital to do anything we want. We could have a new board made in the US with a new layout if we wanted. Its ultimately up to all of you, the backers"

https://www.kickstarter.com/projects/augustgermar/anonabox-a...

It's more than time to boycott this thing.


There are no @ tags on HN.


>I've got a pile of money and an idea... let's make a mint by stealing people's ideas.....

Rocket seems to have made it their business and it seems to work for them ;)


the bigger problem is they failed to execute, not that they "stole" an idea. if every not-totally-original idea were not allowed to be executed, then we could be still in the bronze age or something.


According to filesharing rules and many people here on HN, you can't "steal" an idea. After all, it's not like a car. The idea is still there to be used by the original owner.

Oh, and I can't forget the other motto in business: "ideas are worthless...execution is everything"


You jest, but it's the truth. Your idea is worthless until it's in production.


don't start this again over here please


Let's count the ways this could have been done better. For starters, let's not spend most of the time lying to people (apart from the straight up amateurish parts of their project), second, start the project by including the costs of security based milestones in the price of admission.

This results in higher costs because people are being altruistic... so let's make the cost $80 starters... $40 for Hardware (There are better mini routers out there for the price). $10 for Shipping. $10 for Software. $10 for Security Audit. $10 for TOR donation, because you're exploiting them for profit (higher pledges to TOR = TOR merch).

The more you sell, the better bulk hardware (increases in RAM/decreases in cost) order you can manage... but for 10,000~ units you'll need somebody with feet on the ground in China to deal with the local team. plus QA and taxes and lawyers and.. ARGGHHHHH

plus, should have an open and detailed platform with a threat model and design documentation before you even start.

Which OS/distro?, which packages/why these packages?, GCsecurity? firewall? administration UX? Update path? Stretch goals?! Feature set? Less is more in this kind of thing...


I think a big part of the backlash was that the hardware is not open source. Sticking existing things together is fine but he can't guarantee the safety which is unfair to those who purchase one and trust it.

Btw you can achieve the same thing with open hardware: http://www.pcengines.ch/apu.htm + pfSense + tor


I think a lot of the anger is also related to the consistent and blatant lies given by August Germar. The AMA on reddit[1] was a disaster - August was repeatedly called out on various statements, and repeatedly made obviously debunked replies.

It was embarrassing to read, but it also leaves a bad taste in the mouth with regards to the integrity of the project.

[1] https://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_augu...


does Anonabox have anything that sets it apart from Onion Pi (https://learn.adafruit.com/onion-pi/overview)?


As it doesn't have a source of hardware entropy, and the Raspberry Pi actually does (bcm2708-rng/bcm2835-rng), I'd say it's clearly worse from one perspective.

From another perspective, the network on the Pi's connected via USB so it's not particularly great but it ought to be just fine for Tor. (Never actually tried an Onion Pi setup myself, but I have a few lying around, so I might do.)


I cancelled my pledge on kickstarter for the Anonabox. Surely looks like the project owner has been "a bit too clever".


I would like him to spend $150k on a full time developer to verify the security on the box.


https://mobile.twitter.com/kpoulsen/status/52246310994522931...

All they did was smear away the logo in photochop, though their OEM might have provided this image. Anybody can make their own Anonabox with a Cubieboard or similar Allwinner A1x/A20 box for under $60. Or use thegrugq's PORTAL on a chipped TP-Link router you can find plenty on amazon/ebay for $40 https://github.com/grugq/portal/blob/master/README.md


ha, I think the real take away from this is that there's a great opportunity for someone who knows what they're doing to create a very similar product without any of the controversial baggage, and make a killing.


I wouldn't give my money to someone who thought "The default password is developer! because developers are the only ones who would be looking at the code." [1]

[1] https://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_augu...


This is an interesting phenomenon to watch. A startup I was involved with years ago considered the use of the TOR network as an added service - mostly using the technology but with a managed set of nodes - to provide something like VPN services. This was very early in the reddit/social media days. I'm curious if it had seen the light of day what sort of press it would have received.


Looking at the amount of pledges they collected, that start-up likely had not, because on Reddit people like Tor. Issue here seems to be about general dishonesty - consequences of which I really think more companies could use to think about.


Sorry, how is this different from, say, Barracuda Networks packaging commodity hardware with open source software in nice boxes and selling them for a mint? Where is the outrage coming from on this if he's making this stuff easier to buy and deploy, even if the hardware wasn't developed in-house?


The issue is lying about it, and making other false claims. Such as claiming it's "open hardware" when they are relying on closed off the shelf devices.

It also doesn't help that it appears that their default setup is hideously insecure.


During a bout of insomnia I came across the project and funded it. Seemed like an easy way to get something I would use.

I just pulled my funding. This is way too sketchy. If the Tor project can put something together I'd be happy to put my money into that instead.


It's ironic that the outrage came from Reddit because that site was built on lying to people (in the beginning)

http://motherboard.vice.com/read/how-reddit-got-huge-tons-of...

Now that they have solved the chicken-and-the-egg problem, they're legit.

Point being, lots of startups over-promise (and exaggerate) in the beginning. It takes time to fix bugs and find things. If you waited for a perfect product and were 110% honest you would likely not get any traction.

That's not to say that this guy shouldn't be penalized for lying about where he sourced his products though!


I certainly agree that startups over-promise in the beginning, but they need to be very explicit and very clear as far as human safety is concerned. I work (up until the end of the day today) for a medical startup. We speak highly of our own product, but we make it unambiguously, blatantly clear that our product is NOT an emergency feedback system. If we lie and say we're a system like that, people could get killed. In this case, the publishers lied critically about the source of the parts and the system that was running on top. While perhaps not as immediately and spectacularly fatal as a medical device malfunction, if journalists or revolutionaries are using the product and there's a backdoor, there will be lives lost. They were NOT clear that the hardware they were using was actually a Chinese manufactured product from a Chinese design company. When it comes to surveillance, the Chinese government doesn't have a great reputation. There's plenty of reason to believe the device may have a hardware backdoor, as has happened before. Second, the software installed on the device is itself highly insecure. The original Reddit post pointed out that the device had a web-exposed remote administration panel open with the default username and password.

The only thing worse than no security is the illusion of security. This product, as sold, provided just that -- a minimal but ultimately illusory security.


I think you make a good point. It's a security product that can harm people's lives. So in that way, it's different than lots of other startups.


Exaggeration is a very different thing from pretending you designed an off-the-shelf product.

Exaggeration is normal. Nobody expects an entrepreneur to be objective and unbiased.

It's Kickstarter. They don't even need to pretend to be finished.

But if they are only providing software glue, why pretend at custom hardware?

It makes them look like less of a middleman, which is a confidence trick, and leaves a bad taste in people's mouths, much more than exaggeration does.

So reddit employees having multiple accounts? Closer to exaggeration, and something that had a legitimate purpose to it: helping conversations happen. This has only illegitimate purpose.


This is a great idea and I think the future home router should provide a switch button to switch between normal mode and TOR mode.



