The Datagram Onion Router

After having a quite depressing discussion about how Tor will evolve in Germany considering the data retention laws, I met a guy on IRC who told me about his new really cool project.

Camilo Viecco, who’s just doing his PhD in CS at the Indiana University, developed a naive UDP-implementation of the anonymisation-principle known as onion-routing from scratch. It’s far from perfect and it wouldn’t meld with the Tor-code easily, but it’s a first approach to improve latency for anon-services.

Tdor is an anonymisation-software to be installed on your local PC. It enables you to use the internet anonymously by configuring tdor as a proxy in your webbrowser. By using this software, no one can find out your IP-address, effectively resulting in an obfuscation of your identity.

The software is available on his homepage and is currently compiling on unixish systems.

What’s different about this project compared to regular anonymisation-systems is that tdor is using UDP instead of TCP, dramatically improving the well-known latency you suffer off when you’re using regular TCP-based anon-systems.

The project didn’t even release it’s first alpha-version, but the version I tested was usable and quite fast. I couldn’t make a difference of regular internet-connections and Internet over tdor.

Though where’s light, there’re shadows: The whole tdor-network only uses six nodes at the moment. It’s not meant to be used for real productive use, it’s only for testing – though it works cool!

At the moment the whole project consists of just a handful of people, but I bet Camilo appreciates any help he can get.

So. If you wanna participate in a really cool fancy brand-new cutting-edge anonymisation technology, grab the sources, compile it, run it and report bugs and issues!

A formal description about tdor is available here: http://petsymposium.org/2008/hotpets/udp-tor.pdf

Privacy in Germany: What’s going on?

This is a meta-posting describing what’s going on in Germany.

Organisations:

German Privacy Foundation (GPF)

The German Privacy Foundation was finally officially established. The GPF thinks everyone has the right for privacy and anonymous communication. Anonymity is one of the fundamental basics to privacy and support human- and citizen’s rights.

It’s goals are to inform and educate about safe communication on the internet, supporting and organising tutorialsfor citizen about those topics.

The GPF is supporting and endorsing the development and deployment of anonymous infrastructure.

The GPF is a non-profit organisation according to the German law.

Contact: Use the Contact-Form.

Privacy Legal Fund (Germany) [PLF]

The Privacy Legal Fund (Germany) is a yet-to-be-founded organisation which will help voluntary operators of anonymisation-services like JAP, Tor, Mixmaster, Entropy, Freenet et al. with their problems with the Feds.

Much like the GPF, they want to promote the useage of privacy-enhancing internet-tools, but puts it’s emphasis on direct action instead of education. In that sense, the GPF and the PLC will be complementary.

The PLF doesn’t have fixed rules yet, they’re still to be defined. The PLF will be a non-profit organisation.

Contact: Contact me using the contact-form in this blog. You may encrypt the message using the PGP-key 0×90DEE171.

Events:

Both, the GPF and the PLF, will meet on the Chaos Communication Congress 24 in Berlin at the 27th-30th of December 2007 in Berlin.

On the 27th the PLF will meet for it’s founding-ceremony.
On the 28th the PLF and the GPF will meet to discuss the cooperation of both organisations.

Roger Dingledine, head of the Tor-project, will attend 24C3 for some talks as well.

Other Events:

There should be a “10 Years GnuPG“-party in Düsseldorf featuring Werner Koch this Thursday; however, no official annoucement was made yet. Still waiting.

nemo tenetur seipsum accusare^2

It didn’t even take a month.

The Registers reports about an animal rights activist who’s now asked to hand over her crypto-keys.

El Reg sums up the details:

An animal rights activist has been ordered to hand over her encryption keys to the authorities.

Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force at the start in October 2007, seven years after the original legislation passed through parliament. Intended primarily to deal with terror suspects, it allows police to demand encryption keys or provide a clear text transcript of encrypted text.
[...] she has been given 12 days to hand over a pass-phrase to unlock encrypted data held on the drive – or face the consequences. [Failure to comply can result in up to two years imprisonment for cases not involving national security, or five years for terrorism offences and the like.]

So what do we have here?

A dodgy law which is meant for serious crimes and terrorists.
A women engaged in animals rights.

I can see the plot!

Evil trrrsts meetin animal-rights activists to blow up Downing Street.

Oh, you’ve got nothing to hide? Sure mate.

Some people pointed out that this silly law could be circumvented by technology based on plausible deniability and hard crypto – but still I say, it’s the law that’s flawed!

nemo tenetur seipsum accusare

Well, not in the UK anymore.

Nowadays you got to hand over your encryption keys to the authorities if they ask you. Non-compliancy can be punished with up to two years for ordinary “crimes” and up to five for trrrsts.

Schily, Schily, oy oy oy

My “favourite” politician, Mr. Wolfgang Schäuble, Home Secretary of Germany, was interviewed by the newspaper TAZ.

I almost spilled my coffee over my keyboard while reading the interview. I knew that he’s absolutely for Law and Order but I couldn’t imagine that he’s that ignorant about what the citizen think about his plans to introduce a governmental trojan horse, which should infiltrate terrorist’s computers. It’s about security, isn’t it? (And the children. And world peace. Are you against the children or what? Either your’re with us or the terrorist.)

Some examples:

TAZ: Mr. Schäuble, are you Germany’s highest ranked hacker?
Schäuble: No, I don’t get into any computer, and frankly I don’t really know how the police is doing that. I barely know what a trojan horse is.

TAZ: Are you afraid of those so called trojans, means e-spionage software?
Schäuble: No, in general I never open attachments in email, where I’m not sure about it’s origin. And also I’m a decent guy, the BKA [German Federal Police] doesn’t need to send trojans to me.

TAZ: 10,000 citizen are planning to file a constitutional complaint against the mandatory data retention. Don’t you get contemplative about that?
Schäuble: That doesn’t bother me any more.

Once again I’m totally convinced that the politicians don’t give a damn about the citizen’s opinion. They try to justify every surveillance measurement with the terrorism/child-porn/internet pirate argument.

To quote Kurfürst Friedrich Wilhelm v. Brandenburg:

“Es ist dem Untertanen untersagt, den Maßstab seiner beschränkten Einsicht an die Handlungen der Obrigkeit anzulegen.”
(Flaky translation: “It’s forbidden to the subject to apply the standard of his limited views to the acts of the authorities”)

Happy hacking.

Tech Tags: law privacy rants

Skype, oh Skype

Via /., via pagetable:

To quote a fellow blogger: “As a Web Worker, you have undoubtedly used, tried, or at least heard of Skype, that wonderful peer-to-peer IM/voice tool that end users love, but security administrators detest.“

Wee. I had my own experience with Skype (see the first posting, Bloglines still isn’t able to recover all the postings correctly); they just kill your account-balance if you don’t use your account for a while. They claim that the administrative hassle is too much, so I can’t be with them anymore. Whatever, probably I wasn’t made for loving them.

Also there was quite a discussion what kind of encryption Skype uses, their motto is security through obscurity. They’re using a propriatary encryption which was never disclosed and is therefore of doubtful security.

Now i just read this posting at /.; The Skype-software is now accused of reading the BIOS.

For what? There is no apparent reason why Skype should be reading the BIOS. Except maybe reading some serial number.

Skype. What’s your bloody problem. Eh? Tell us. This is crazy. Not that you only take the piss with your customers accouting-wise, now you’re collecting data about your customers which you aren’t supposed to collect. And, I make this statement clear: This action is absolutely illegal in Germany. The german privacy-laws clearly say that you’re only allowed to collect data about users if they AGREE and that you’re only allowed to collect data necessary for billing. Nothing bloody else.

What the hell is wrong with those people? Isn’t there an organization in the EU which could sue their ass off? Well, there’s the newly founded EFF Europe, but I doubt that they’re already fully operational.

Tech Tags: privacy

Verfassungsbeschwerde gegen Vorratsdatenspeicherung

Note to my readers: This posting is about a constitutional complaint against the upcoming EU data retention laws.

Heute einmal ein Posting auf Deutsch: Rechtsanwalt Meinhard Starostik strebt eine Verfassungsbeschwerde gegen die Vorratsdatenspeicherung an, sobald diese verabschiedet worden ist. Kleine Zusammenfassung: Die EU verlangt von seinen Mitgliedsstaaten, dass zum Jahreswechsel 2007/2008 ein nationales Gesetz ratifiziert wird, welches die EU Richtlinie 2006/24/EG umsetzt.

Wikipedia hat eine einfache Zusammenfassung:

“Die Richtlinie über die Vorratsdatenspeicherung ist eine Richtlinie der Europäischen Union, durch die die unterschiedlichen nationalen Vorschriften der EU-Mitgliedsstaaten zur Speicherung von Telekommunikationsdaten auf Vorrat vereinheitlicht werden sollen. Durch die Harmonisierung soll sichergestellt werden, dass die Daten für einen bestimmten Zeitraum zum Zweck der Ermittlung und Verfolgung von schweren Straftaten aufbewahrt werden.”

Im Prinzip bedeutet das: Jeder ist verdächtig. Es wird verdachtsunabhängig gespeichert, ohne dass konkrete Hinweise auf eine Straftat vorliegen. Es werden riesige Sammlungen an personenbezogenen Daten erzeugt, auf die die Strafverfolgungsbehörden Zugriff bekommen. Um sich einen Überblick zu verschaffen, welche Daten alles gespeichert werden sollen, ist der Wikipedia-Artikel ein guter Anfang.

Ich als unbescholtener Bürger wehre mich gegen diese pauschale Verdächtigung und gegen den Bruch meiner informellen Selbstbestimmung. Deshalb habe ich Herrn Starostik eine gerichtliche Vollmacht erteilt, dass er in meinem Namen eine Beschwerde einreichen kann.

Macht mit. Der Satz “Wer nichts zu verbergen hat, hat nichts zu befürchten” ist absoluter Hohn. Zeigt denen, dass Politik für den normalen Bürger nicht nur heisst, alle paar Jahre ein Kreuz zu machen um dann bis zur nächsten Wahl die Schnauze zu halten. Wehrt Euch!

Mehr Informationen zu diesem Thema:
Stoppt die Vorratsdatenspeicherung
Verein zur Förderung des öffentlichen bewegten und unbewegten Datenverkehrs e.V.
Originaltext Richtlinie 2006/24/EG

Gruss, Alex.

Tech Tags: Privacy politics

Analyzing TOR-exitnodes for anomalies – results

As my regular readers clearly remember, a couple of days ago i accused the Linux Magazine of bigotry. Later I learned that it’s not only the Linux Magazine, but lot’s of other sites which show a strange behaviour when accessed through the Tor-system.

To check what’s really going on i started an investigation and tested more than a thousand Tor-nodes for strange behaviour. I submitted my results to the or-talk List yesterday:

Date: Thu, 5 Oct 2006 17:56:51 +0200
From: “Alexander W. Janssen” <yalla@ynfonatic.de>
To: or-talk@freehaven.net
Subject: First results of analysis

Hi all,

i checked 1161 nodes in total.

269 of them where responsive exit-nodes, all behaving correctly.

9 exitnodes where responsive, but their had some proxy installed which didn’t behave quite correct when you accessed a webpage with the notation original.url.$nodename.exit; the error-messages varied from “could not resolve” (looks like a DNS-leak to me) over “502 Bad Gateway” through “502 Proxy Error”.

However, in my list of exit-nodes i couldn’t find any host which showed the described behaviour. My test-URL was http://www.linux-magazine.com/.

So there is still some space left for discussion: Did i miss the “bad” or “banned” exitnode?

I tend to agree with Claude; at the moment it doesn’t seem likely that we have some sort of bad exitnodes in place.

However we probably should think if we should install some kind of early warning system. I could imagine something like this: Every client checks once per day some random website on the internet via, let’s say, 10 random exit-nodes and compares the results. If something is wrong the exitnode could be signalled to a real human which could verify the claim.

How do you think about that?

Cheers, Alex.

I stopped my efforts at the moment; I tend to blame Linux Magazine’s webhoster, but no-one knows exactly what’s going on. It’ll just be a matter of time until somehow set’s up rogue Tor-nodes.

Therefore: Dear editor and people from the Linux Magazine, I was in rage. You clearly didn’t deserve to be called “bigot”. I honestly apologize. I don’t know what’s really going on, but maybe you start an investigation on your own.

Alexander “Yalla” Janssen.

Tech Tags: TOR Security Analysis Privacy

Analyzing TOR-exitnodes for anomalies

A few days ago I had a strange encounter with Linux New Media’s “Linux Magazine” website; depending on whether I used TOR to access their website i got different results. Accessing their site with TOR resulted in getting redirected to some kind of link-farm which made me totally suspicious. I assumed that they’re looking on the source IP-address and deciding for the correct webpage – however, that phenomenon vanished a couple of hours after blogging about it so i assumed that they fixed it.

Later i found a posting on the or-talk mailinglist about someone who was suspecting that certain TOR-nodes might alter webpages and include advertising of some sort. This would’ve been an interesting attack.

I take my own work and my own assumptions very serious. I don’t want to blame the Linux Magazine if they didn’t do it and denouncing their actions as “bigotry“, as I did, is not to be taken ligthly.

For that reason, out of curiosity, interest and for everyone else I started an investigation about if there are any bogus TOR-exitnodes which might alter the content of webpages and if they do, what else they might do.

Theory of operation is simple:

1. Get a list of known nodes which allow outbound tcp/80 traffic (http://localhost:9030/tor/running-routers is a good start)
2. Loop over all exitnodes i and get a website A via exitnode i using TOR: “wget http://A.${i}.exit/ -O $i.html“
3. Compare all stored websites (or, let’s say, distinctive parts) with an original

I already checked about 20% of all known exitnodes which were known to one of machines as of today and I certainly will conduct the same experiment a couple of times until publishing a result.

Stay tuned for updates. If there are bogus exitpoints we’ll find; what actions we might take is up to the TOR-operators. I’d suggest putting them on your TOR-nodes blacklist.

Tech Tags: TOR Security Analysis Privacy

The Linux Magazine, TOR and bigotry

Update: Just hours later i can access the website via TOR. Nice that they reacted that fast. Or maybe not all TOR exit-nodes suffer from this message?

Update 2 (Wednesday): Something doesn’t seem to be so right, more people are complaining about the same problem on various websites so that i started an analysis if there’s something wrong with the Tor-system itself.

Update 3 (Friday): I finished my analysis and I’m not so sure anymore what’s really going on: A formal excuse to the people of the Linux Magazine, ideas about how to proceed.

This morning a friend of mine sent me a link to an article at the Linux Magazine; i pasted the link into my Firefox’s URL-field, pressed on go… and i got redirected to a very strange URL, “http://www.linux-magazine.com/frame.aspx?\
u=http%3a%2f%2flanding.domainsponsor.com\
%3fa_id%3d1637%26domainname%3dlinux-magazine.com\
%26adultfilter%3doff%26popunder%3doff&r=\
SUSPECTED+UNDESIRABLE+BOT“. (backspaces mine)

(click to see full picture, stupid theme clips pictures at 480px)

That made me suspicious, maybe there’s a typo in the URL? Checked, asked my friend, she said “no, the URL is correct” – other people also said that they don’t have any problems. Then I remembered that i was using the TOR-network. I told Firefox not to use TOR, called up the same site, and…

(clicky-click)

I’d like to point out their article named “TOR and Privoxy: Protect your Privacy by covering your IP-address”. Obviously there seems to be a disagreement between the editor of the Linux Magazine and the webmaster of Linux New Media about what’s appropriate content and who’s considered to be a good client and who’s not. Good clients do not need to hide themselves! People who try to protect their privacy can only be evildoers! Obey!
The URL gives a hint: “SUSPECTED+UNDESIRABLE+BOT“. “Suspected” comes from “suspicious”. “Undesirable”. “Bot”? Not me.

Disappointing. Maybe someone just tried out a new blacklist-feature and didn’t really bother about the implications. Considering that TOR is one of the very few alternatives for certain people living in oppressive countries to access the interweb freely, the Linux Magazines gives a very bad example for the rest of the web.

Filed under rants. I’m disappointed.

Tech Tags: TOR Privacy rants