Anonym.OS a Boon for Privacy Geeks?

The Hosting Guy writes "Wired is running an article about a live CD that makes anonymous browsing easy enough for everyone. 'So easy to use you can hand it to your grandmother and send her off on her own to the local Starbucks.' Anonym.OS makes extensive use of Tor, the onion routing network that relies on an array of servers passing encrypted traffic to permit untraceable surfing."

Privacy Geek

[(1+-sqrt(5))*(2**-1)]

I'm decidedly uncomfortable with the neologism "privacy geek [google.com]": it implies that wanting to be left the hell alone is now fringe.

Has the will to un-molestation finally passed out of mainstream?

Anonymous developments?

[dada21]

I've been very interested in the world of anonymous information sharing -- possibly as a replacement for the normal IP-based Internet. Maybe someone out there can answer a few questions:

1. What are the theories behind simple anonymous sharing of data? (I know there are newer versions of P2P beyond Torrent that allow for a third party mediator between two anonymous parties. This seems like a start to making a truly free-speech undernet.)

2. Is it possible to completely diversify the Internet away from IP-based hosting to a new swarm-network of anonymous users all hosting little pieces of various forms of information? 2b. Is anyone working on this swarm idea?

3. As information becomes more accessible, will the need for information privacy be important? 3b. Is it more important to create a totally anonymous information sharing network than it is to work on harder to break encryption schemes?

Re:Too bad no one using it can comment

[grub]

testing through tor...

The whole privacy movement seems to have fizzled.

[Deagol]

Back in the early 90's, when I was new to the 'net, I remember uncovering all these programs and concepts that gave me hope that people would be able to wander the internet truly anonymously. I discovered PGP, anon.penet.fi, the whole cypherpunk movement (crypto, remailers, etc.), anonymoizer.com, Chaum's eCash. Things were rough around the edges, and tough to use for a internet newbie, but progressing along fast enough that I thought we'd actually see Joe Sixpack able to easily utilize these tools. Someday.

I'd check on these projects every few years, until finally, I sorta gave up on following them. They seemed to stagnate, never getting beyond the fringe.

A year or so ago, I wanted to the utilize mixmaster remailers, and I *still* wasn't able to find an up-to-date, lucid HOWTO or a client that didn't require a *lot* of work to use.

I haven't actively sought these tools in a while, so maybe they've caught up. But I keep my ear to the wall, and I have yet to hear any murmers of good anonymizing technologies, nor do I ever see any passing references to people using them.

I have assumed that the movement is either dead (nobody cares anymore) or ubiquitous (it's common knowledge and no big deal). Somehow, I kinda doubt it's the latter.

I've been toying with an idea for a site/system in the spirit of the Mixmaster remailers, but I want to be able to evaluate the current technologies before I totally re-invent the proverbial wheel. (Plus, I wish to be as anonymous in the registration and publication of the site as possible). I'd *love* some pointers.

Re:Too bad no one using it can comment

[Anonymous Coward]

I said most. They use one of the Tor blacklists, so you may be on an as yet un-blacklisted node. (Other services like some IRC servers also use them.)

Re:Maybe it's a newbie question

[jrockway]

If the certificate validates, then probably yes.

If it doesn't validate, it means that someone could have setup a web server pretending to be the one asking for your credit card. It's a common man-in-the-middle attack, and is very easy to do with automated tools (like ettercap). You are protected, though, since the certificate (shouldn't be) valid in this case... the trusted CAs are trusted because they won't give a valid certificate to someone that's doing MITM attacks in Starbucks. (However, the CAs have been known to lapse. A certificate was granted a while back to something like paypa1.com and was used to phish paypal details. Users thought it was OK because the cert was valid, but it was valid for the wrong site.)

Either way, be careful.

Re:The whole privacy movement seems to have fizzle

[GigsVT]

The cypherpunk movement is dead. Just scanning the slashdot comments and reading all the "If you don't have anything to hide, why are you concerned?" posts makes that obvious.

At one point in Internet history, we (the libertarian/anarchists/cypherpunks) thought it might bring a new era of freedom. BBSs had given us a taste, and many people expected the Internet to be like a huge BBS, with everything you could imagine on it.

And it was, for a while.

Then some copyright lawyers started jumping on board, and harassing lyrics sites.

The Scientologists started suing people left and right.

Spam started snowballing.

MP3s cause the record companies to start wishing people were only trading lyrics.

Late 1998 though 1999 was the high point I think. Geeks were Gods. Stories of geek millionaires were all over the place. The US finally watered down the stupid crypto regulations. Things were looking up.

Then the Columbine shootings happened.

The 2000 elections brough all kinds of leftists out of the woodwork. Remember Nader? He sure got enough astroturfing here on Slashdot.

The so called "anarchists" get all over the news acting like total fuckwads at WTO "protests".

The WTC attack caused all the people with comfortable lives that liked to think they were cypherpunks to turn. Pull up some stories from Slashdot on 9/11 and 9/12 and see how many people were so willing to offer up the liberty for a slice of security. PATRIOT act flies through with little hassle.

News media reduced to saying things like "Some civil libertarians have concerns" instead of "What the fuck are they thinking?"

Scam artists hiding behind patent law started really milking it.

So you have left what you have today. An environment where you can't really do anything without the risk of lawsuit or arrest. I see things slowly shifting back toward the side of freedom, but it's been a slow recovery.

If Steve Jackson Games Raid happened today, would people be outraged enough to form something like the EFF? I doubt it.

Re:The whole privacy movement seems to have fizzle

[r_naked]

It hasn't completely fizzled and it hasn't become 100% user friendly. But we at anoNet [brinkster.net] are trying to make it as newbie friendly as possible.

Re:un-molestation

[Anonymous Coward]

You make some valid points, but on the whole, I disagree.

People have an inherent concept of public vs. private space, just like they have an inherent concept of property. Neither of these things were magically created by feudalism, still less by industrialization. Even animals like dogs understand the concept of territory, and they will fight when another animal intrudes on that territory.

It's true that in the course of history, some people got a lot of private space, and some people got the shaft. And yes, there was always the concept of owning someone else's territory, or even owning another person. None of that is new.

What is new, is the pervasive way that surveillance is being integrated into our lives. The same person who would hate the thought of some busybody leaning over their monitor, and watching their web browsing, can bring himself to accept the much more invasive forms of surveillance practiced by cookies, "phone home" web widget like doubleclick's, and email snooping. That is what we are trying to change-- hopefully not in vain.

Re:Anonymous and suspicious

[DrSkwid]

In my days as a hunt saboteur I have seen high ranking policemen defend the right of sabs to wear balaclavas (ski masks) and other identity obscuring clothing.

Contrary to popular belief you run in to quite a few sympathetic coppers in that line of protest. Especially after they'ved been ordered about by a few Audrey Hamilton's.

OT : I know a lot of Americans like their hunting and those of you who don't care one way or the other about hunting, I just want to make the point that in England hunting is not just a sport, it's a heritage. A heritage of murder, execution, force land clearance and other negative behaviour that resonates through our society and legal structure to this day. Reformation of society should be a constant and land ownership is central to this.

http://www.guardian.co.uk/freedom/Story/0,2763,144 3881,00.html [guardian.co.uk]

Re:The whole privacy movement seems to have fizzle

[roman_mir]

Try my FireFox extension [mozilla.org]. It has DES encryption that can be used for email clients, forums, etc. Any text or binary actually. It is true that the other party has to know what password you used for encryption, but that can be agreed upon.

Re:Privacy Geek

[(1+-sqrt(5))*(2**-1)]

Who the fuck uses the word neologism?

Students of Greek; neologism is actually a bit of a misnomer, though, since we're talking about the novel combination of predicate and noun. "Neo-epithet" would do the trick, but then I'm guilty of neologism.

"Privacy Geek" might also refer to someone who is an objective intellect simply studying the technical details of privacy laws as they pertain to todays digital culture.

It might; but the article touts making "anonymous browsing easy enough for everyone:" so they're clearly talking about the demos, or trough.

Beware of Geeks Bearing Grifts

[fm6]

First off, "privacy geek" isn't a neologism. To get one of those, you have to invent a completely new word or at least use an old word or phrase in a completely new way. There's nothing new about "privacy" or "geek" and there's nothing particular special about using the two words together.

(One reason I stopped contributing to Wikipedia: members of that community love to use the word "neologism" but obviously have no idea what it actually means.)

Anyway, geekhood is hardly fringe. A geek is just somebody who has an unusual interest in technology. Geeks constitute a special community with their own interests, priorities and jargon, but the same can be said for Freemasons, Realtors, and NASCAR enthusiasts — none of whom count as "fringe".

Besides, a "privacy geek" isn't just somebody who cares about privacy, any more than anybody who uses a computer is a "computer geek".

sniffing outbound connections from a tor node

[SuperBanana]

With enough confederate nodes, tor can certainly be tracked. It isn't likely to happen, but it is possible.

Just by running a tor node, you get the oppertunity to collect login+password information for any non-ssl site tor users log into. You also get to see cookie information to boot. Hey, at some point, the traffic has to exit the tor obfuscation network, and if you run a node, you're going to get a bunch of that traffic. It's only a matter of time.

That's why I refuse to use "anonymizer" networks like tor. You can't even login to your damn webmail, without giving away your account information.

Re:Anonymous developments?

[ZB Mowrey]

1. What are the theories behind simple anonymous sharing of data?

For starters, turn as many people as possible into open proxies. Then encrypt traffic between those proxies. Get brave volunteers to allow their machines to be end-nodes (places where traffic is allowed to exit and enter the network) instead of just routing nodes. Ideally, the end-nodes should be located in countries with a) negligible computer-crime budgets, or b) negligible computer crime laws. This has a detrimental effect on network latency (and possibly throughput), but it's hard for a country to prosecute someone for something that isn't illegal where the someone lives.

2. Is it possible to completely diversify the Internet away from IP-based hosting to a new swarm-network of anonymous users all hosting little pieces of various forms of information? 2b. Is anyone working on this swarm idea?

The concept of a swarm is incompatible with anonymity. See, in a Bittorrent situation, there must be some entity that handles the "who gets connected to whom". Also, it's always possible to see the IP address of anyone who sends you data. So if you're in a swarm, you can tell (by sniffing your own traffic) who is sending and receiving data. If you're only receiving illegal files, you can logically assume that anyone sending you bits is providing said illegal data.

One notable exception to this would be if an entire area (say, a neighborhood, town, or nation) were to have a free-access mesh network that offers dynamic addressing. Then someone could, in theory, write software that would periodically establish a new IP address within the mesh (disconnect, change MAC address, reconnect). Add bonus points if all traffic between the clients and the access point is encrypted.

3. As information becomes more accessible, will the need for information privacy be important? 3b. Is it more important to create a totally anonymous information sharing network than it is to work on harder to break encryption schemes?

The need for information privacy is as important now as it has ever been, or will ever be. It's all based on the user's perception. If you maintain good security practices and don't wind up with trojans on your system, *and* you don't do anything illegal, you only have to worry about commercial exploitation. If you get hacked, the acts of another could be pinned on you.

More important than the need for information privacy is the need for a consensus that the mere encryption of data does not constitute a reason for the authorities to break it and/or question you. Ideally, they'd require real-world probable cause before even being able to capture your traffic. All too often, that is not the case.

Re:Privacy Geek

[Anonymous Coward]

"Anything I do outside of my home, whether I travel via foot or via wire, is public and there's a possibility that I may be seen or even recognized."

Being "seen" or "recognized" as in the pre-computer-age sense isn't the issue. The issue is having the minutiae of your online and offline behavior recorded, wherever you go and whatever you do.

How do you think the police would react if you, a private citizen, set up cameras recording all of their officers as they left and returned to their station. You would deploy robotic cameras to follow them on the public roadways. You'd correlate this video with officer names and pictures and store it in a database, which you'd sell to anyone who would pay your price. I don't think they would permit you to do it for long.

This is essentially what they want to do to us. Why should we permit it, when they won't permit us the same privilege? Are police some sort of superbeings who won't use this imbalance to their own advantage? Are they the world's most perfect database administrators and programmers, who will never leave any flaws or bugs that would let someone steal this information? Are they free of bureaucracy and able to establish truly secure protocols for the management of this information?

It's a power grab, plain and simple, happening online and offline. Technology isn't the problem; the problem is that the current authorities are seizing the initiative to establish every new technological application in their own favor, further empowering the powerful and weakening everyone else.

Re:Privacy Geek

[Anonymous Coward]

You know, there's people that have cookies set on, and start all their internet activity from the same page: Google.

This one company knows everything they do online. And if they have any other G services, with names and emails.

Thinking about that, here's something (Anonym.OS) I want to see.

Virtual Machine available?

[hagn]

A preconfigured VM for this [slashdot.org] player would be nice. Then you could use the secure enviroment if you are e.g. at Starbucks and go the normal way, when you are in a secure enviroment. Does anybody know if this already exists?

Re:un-molestation

[mrchaotica]

I hate to break it to you, but Roman insulae are a pretty bad example to use in this case, since they were more similar to college dorm rooms than modern apartments. For example, they tended to consist of only one or two small rooms -- a bedroom and (maybe) a sitting room. Residents used communal toilets and baths, and bought food from vendors rather than cooking for themselves (especially since cooking in their room was likely to burn down the whole building!). Also, since windows were just opened or curtained (since they didn't have glass), the neighbors could hear everything said.

Really, in an insula there was no privacy at all.

(Sources: 1 [cuny.edu], 2 [hadrians.com])

Now, who was it that put their foot in their mouth, again?

Re:Too bad no one using it can comment

[bugg]

You misunderstand, and it's probably my fault.

People need to anonymize their browsing when they are not surfing casually, but rather doing surfing that they don't want anyone to know they've done (duh). So most people don't bother or care to surf, say, slashdot anonymously.

When you are doing things that a government doesn't approve of (and COINTELPRO has taught us that the US government spends lots of time and resources going after people who exercise their rights) then using tor is a good idea.

To put it another way, people who need to anonymize their traffic are probably only visiting a very small subset of websites: sites where they can post information but fear law enforcement seizing server logs, sites where they want to obtain information but they don't want law enforcement to know that they have it, so on and so forth.

Therefore, it is fundamentally flawed to think "not many people who visit my site need to do so anonymously, therefore not many people need to visit any site anonymously."