Mesh network volunteers

I'm looking for a small number of volunteers to help build a secure mesh network using OpenVPN and DNSCrypt along with some other possible security functions and software, something similar to PORTAL. I'm pretty new to information security, so setting up an encrypted mesh network would take a considerable amount of time. I may be willing to ship Raspberry Pis to function as node hardware; however, you would have to supply the SD card and peripherals. Nothing is concrete, and I made this post just to see if anyone was actually interested. I honestly don't trust any VPN service within the US and would like data to be more decentralized in case of a security breach. Anyone interested can contact me at [email protected] or just reply to this post.


Can you provide some more information about a "PORTAL" configuration?

Otherwise I'm assuming the configuration will be similar to a chain of VPNs leaking onto the internet, or a closed network (darknet) that holds data in a decentralized manner. The first is called Tor, the second is called Freenet, and we are better off helping to implement those systems by setting up Tor relays and random Freenet nodes (that can totally run inside VMs) than homebrewing anything.

http://arstechnica.com/information-technology/2014/08/a-portable-router-that-conceals-your-internet-traffic/

PORTAL helps obfuscate encryption and gives a defence against this (below), and some of the software, if not all, can be used with OpenVPN.

http://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor

Tor is almost completely broken because of the exit nodes, among other things. Freenet is OK but not perfect; it will most likely be running the back end for the network.

Okay, so PORTAL is the idea of using the onion router on a cheap router for ease of use/setup time. PORTAL /is/ Tor, but on a router instead of being client specific. That seems like it would be a nice DD-WRT plugin, actually. There's an OpenVPN client on DD-WRT already, why not a Tor one?

Tor has a lot of development and governmental attention going into it and has the key benefits of being truly decentralized/internet accessible. While it is true that exit nodes tend to be watched a lot, this isn't an issue to be solved by switching technologies but rather by making it fully legal to run exit nodes (need to talk to the legislature) and by spreading Tor everywhere.

The Defcon presentation for PORTAL (Tor on a stock/modded router, especially GL-iNet's clone of the TP-Link 703N) lists Onion Pi (https://learn.adafruit.com/onion-pi/overview; Tor running on a Raspberry Pi) and Safeplug (https://pogoplug.com/safeplug; Tor on a purchasable console for home networks) as alternatives and goes to great lengths to show how much development is currently going into Tor and the many concerns using it solves.

The key issue here is that you were talking about possibly shipping hardware and setting up a privacy-centric ad-hoc network, but I'd rather contribute to an already functional anonymity project than try to set up a competing one. Why not crowd-fund a purchase of those GL-iNet clones ($220/10 or $22 each), flash them with PORTAL and ship them to people who want the awesomeness that is their router on Tor?

Making the configuration of these services easier is why Safeplug can exist commercially, so it's not like there isn't demand.

I'll take it into consideration, but Tor nodes can be compromised if the average Joe figures he wants to use his MacBook on an unsecured network to operate as a node. A solution where nodes can be shut down in case of a security breach, or at least send out a warning to the rest of the network, seems preferable, plus added security can help protect data. There are definite problems with Tor, as stated in this article; it is dated and possibly defunct, but it raises concerns for an otherwise "completely secure" service. It's just a matter of time before the entire team at the NSA trying to break Tor succeeds, and it would never be made public.

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

I'm not trying to argue for security through obscurity, but Tor gathers a lot of attention, and homebrew solutions could possibly be more resilient.

Sorry about the grammatical errors, I'm pretty tired.

I'm quite skeptical of the possibility that a homebrew system could be more resilient than Tor has been to attack. Replace the noun "Tor" with "AES" and hopefully you will get where I'm coming from.

Tor was made for you, and the more you type the more that's clear. The average Joe would likely prefer that a secure-by-design system fail open and be performance centric, but you would prefer to have it fail closed and be security focused. That's okay, and it's probably possible to configure the GL-iNet TP-Link 703N clones to go both ways.

It's important to keep in mind that the NSA represents a dedicated attacker with unlimited funding, governmental backing and perfect knowledge of the system (Tor is open source and the NSA monitors vast swaths of the internet). Tor will defeat anything short of that and is currently trading blows with the NSA for supremacy. That itself is quite an accomplishment. People need only boot into Tails for Tor to effectively anonymize them, and law enforcement/NSA need to go to enormous lengths to de-anonymize them, with likely poor success rates.

One way of looking at security is to create a barrier that costs more to breach than the assets it's protecting are worth. Look at Schneier's article, all the effort involved in de-anonymization, how fragile their detection schemes are, and compare that to the user cost of booting into Tails to post on tech syndicate.

From the articles you have listed, Tor profiling is currently performed by identifying Tor traffic (crucial to de-anonymization), and, as it so happens, how to deploy countermeasures for that took up a few slides at this year's Defcon 22 (09Aug14). Traffic shapers, known internally as "pluggable transports for obfuscated bridges", go a long way towards mitigating the detection of Tor, and there's a how-to vid over at torproject.org/docs/bridges. Tails also supports using obfuscated bridges.

There are a lot of conceptual flaws with how you're thinking about software and network-level design decisions. Tired maybe? There's no such thing as a perfectly secure system, there never will be, and Tor can't solve all anonymity problems, but it goes a long way short of overly creating a darknet (Tor hidden services!). "It's just a matter of time before the entire team at the NSA trying to break [AES] succeeds, and it would never be made public." -> Trust the math, dude. The reason there is so much government-level attention given to breaking Tor is exactly because they can't, and that scares them. "They" can just break down a door or pressure a company when it comes to anything else; that's all the more reason to spread Tor everywhere.

It would be a dream to hack into consumer routers and make them all Tor exit nodes/relays. Doing so would move our society towards accepting that an IP != a person (albeit painfully) and do wonders for the health of the Tor network overall. Expanding Tor relays/exits is the real promise of the PORTAL project as far as I'm concerned.

I think you understand me well enough; you definitely seem to have some experience with this sort of thing. The goal is a small network of 5-10 people with at least 1024-bit RSA, so it's certainly not going to be fast. The small size and nature of the homebrew operation allows fast modification if we need to change encryption types or vulnerabilities are detected. I've heard horror stories about corporations that are slow to upgrade when it's a serious issue. Also, I prefer Twofish over AES although it's slightly slower. Thanks for the tips though.

I'd be down, if I could get some more details on what exactly I'd need to do. Been looking for a solution like this for some time now.

I think Raspberry Pis are probably best to use as nodes, since an SD card image can be made and then distributed to upgrade anything. If you already have a Raspberry Pi or can purchase one, that helps; if not, I can mail one to you (without any peripherals, just the RPi and power supply). My email address is [email protected]; you can use a P.O. box if you don't want to give away your address. Otherwise, if you have a computer that can run 24/7, preferably low power to save electricity, then install OpenVPN, OSSEC, AIDE, and DNSCrypt (you need to allow it to bind ports, assuming you're running Linux, with setcap 'cap_net_bind_service=+ep' /usr/local/sbin/dnscrypt-proxy ). Stay in contact, and when there are at least five people I will contact you and we can start setting everything up, if we don't do that beforehand and then just connect them together.
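The setcap line in the post above is a least-privilege move: dnscrypt-proxy gets only CAP_NET_BIND_SERVICE so it can bind port 53 without running as root. The script below is an added example, not code from the thread or from the DNSCrypt project. It decodes the CapEff mask that the kernel prints in /proc/<pid>/status and reports anything beyond the one capability the daemon should hold, which is the check a node operator would run after setcap to confirm the process is really confined (a process that is still uid 0 has every capability regardless of the file capability). The capability bit table follows linux/capability.h; the two status snippets are constructed samples, not captures from a real node.

```python
"""Audit a daemon's effective Linux capabilities from /proc/<pid>/status.

Added example for this thread (not the original poster's code). Usage:
    python cap_audit.py <pid>
"""
import sys

# Capability names indexed by bit number, as in linux/capability.h (bits 0..40).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_caps(mask_hex):
    """Turn a hex capability mask (the CapXxx fields in /proc/<pid>/status) into names."""
    mask = int(mask_hex, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    # Bits newer than this table: report them by number rather than dropping them.
    names |= {f"cap_{bit}" for bit in range(len(CAP_NAMES), 64) if mask >> bit & 1}
    return names


def parse_status(text):
    """Return (effective uid, {CapInh/CapPrm/CapEff/CapBnd: set of names})."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    # Uid line holds real, effective, saved and filesystem uid in that order.
    uid = int(fields["Uid"].split()[1])
    caps = {k: decode_caps(fields[k]) for k in ("CapInh", "CapPrm", "CapEff", "CapBnd")}
    return uid, caps


def audit(status_text, allowed=frozenset({"cap_net_bind_service"})):
    """List findings for a daemon that should hold only the `allowed` capabilities."""
    uid, caps = parse_status(status_text)
    findings = []
    if uid == 0:
        findings.append("running as uid 0 (root): setcap on the binary does not confine it")
    for name in sorted(caps["CapEff"] - allowed):
        findings.append(f"unexpected effective capability: {name}")
    return findings


# Constructed sample: dnscrypt-proxy started as an unprivileged user after
# `setcap 'cap_net_bind_service=+ep'` on the binary (only bit 10 is set).
GOOD_STATUS = """Name:   dnscrypt-proxy
Uid:    108     108     108     108
Gid:    108     108     108     108
CapInh: 0000000000000000
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 000001ffffffffff
"""

# Constructed sample: the same daemon simply launched as root (full capability set).
BAD_STATUS = """Name:   dnscrypt-proxy
Uid:    0       0       0       0
Gid:    0       0       0       0
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
"""


def audit_pid(pid):
    """Audit a live process on a Linux host by reading its /proc status file."""
    with open(f"/proc/{int(pid)}/status") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    sample = audit_pid(sys.argv[1]) if len(sys.argv) > 1 else audit(BAD_STATUS)
    print("\n".join(sample) or "ok: only the expected capability is effective")
```

Run it against the daemon's pid (`pidof dnscrypt-proxy`) on each node. An empty report means the process is confined to port binding; a report that starts with the uid 0 finding means the service was started as root, and the file capability is doing nothing because root already has everything.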

You send me the Pi, and I'll hook it up. 

I've seen some of your posts before; you're pretty cool. Send me an email with your P.O. box or address and I'll mail you one.

Sent

Sounds doable, I'll look into getting myself a Pi.

Cool, just email me when you're done and you can be a part of this if you want.

I have a Pi I could spare for this project; I think it's a 512MB model. I'll keep an eye on this.

I have a pi, it's being used at the moment, but I have no problem giving it up for this.

I'll absolutely run Tor if you ship me a Pi. I'm an infosec student, and a Crypto Anarchist, so I'm very interested in things like this.

It's not exactly Tor, but it's similar. It's more of a VPN network. If you're interested, I can ship you a Raspberry Pi (just the Pi and a power supply); just email me your address or P.O. box. The only thing I ask is that you cover shipping costs.

Sounds good, PM sent.


PORTAL uses the Tor network, yes?