[Noisebridge-discuss] Tor/Cypherpunk hack day at Noisebridge?

zaki at manian.org zaki at manian.org
Tue Aug 16 21:34:20 UTC 2016


Hi Mike,

I'm super enthusiastic about these items. But my time is pretty limited
until October. I'd be super happy if there was a Gitlab for working on
these projects somewhere.
- CFC/No More 404s/Resurrect Pages

- Better Tor Browser support for SSH exits/private Tor exits

- OpenWRT-based Tor Firewall

On Tue, Aug 16, 2016 at 1:42 PM Mike Perry <mikeperry at torproject.org> wrote:

> Hey Noisebridgers,
>
> I've been out of orbit for a looong time, but I've been observing your
> earth, and I would like to make a contact with you[1].
>
> I've been talking to Patrick O'Doherty and he suggested it would be good
> to try to set up some kind of regular Tor and/or general cypherpunk
> meetings or hack days at Noisebridge. I have a pile of projects I'm
> working on that may be interesting to folks, and I can also help get
> people up to speed with Tor development and build processes, how to
> write patches, and familiarize people with Tor codebases and Tor
> functionality for use in their own projects.
>
> This is a long email. The TL;DR is that I'm looking for people to tell
> me what sort of stuff they would be interested in working on or learning
> about at these meetings, so I can try to serve that audience better and
> keep things focused.
>
> I'm giving a ton of detailed examples based on stuff I've been hacking
> on on the side. Let me know either on or off-list if you find any of
> these projects interesting and would like to work on any of them. Please
> also suggest your own projects/ideas on-list, and please also +1 others'
> topics as well.
>
> I'm hoping that the projects we work on can be featured on Tor Labs,
> which is a website we're launching that is meant to showcase prototypes
> and external projects that make interesting use of Tor, or that may
> otherwise be of interest to Tor hobbyists. Tor has a lot of eyes on it,
> and I think we should make use of that attention to get more people
> excited about the great work that folks do outside of the official Tor
> organization.
>
>
> Here's some of the stuff I've been working on:
>
> # A Tor Phone prototype based on CopperHeadOS
>
> Since I wrote my writeup of a prototype Tor/Cypherpunk/Wingnut Phone[2],
> a lot of cool stuff has been done by volunteers and the wider Android
> community. Cédric Jeanneret adapted my pile of half-insane Droidwall
> hacks into the rather slick OrWall[3], Patrick Connolly transformed the
> manual install process into an update.zip[4], and some Toronto hackers
> created CopperHeadOS[5] - a hardened Android rebuild using grsec and
> several hardening additions, including verified boot[6].
>
> Unfortunately, CopperHeadOS does not support Google Apps, MicroG[7] (the
> FLOSS replacement for Google Services), or SuperUser. You can hack this
> stuff in via sideloading, but then you lose verified boot. So I'm
> working on a pile of scripts to try to shove this stuff into the
> official CopperHead release images, and re-sign them with new keys. That
> way, you don't have to give up security to be able to use apps with Tor,
> or to use apps that require Google Play Services (such as Signal).
>
> Ideally, long-term we'd either restrict root access to just OrWall, or
> diagnose why the VPN APIs in Android/Orbot leak traffic like crazy (see
> below for a fun related router project to help with this).
>
> To work on this project, you'll need a Nexus 9, 5X, or 6P device.
>
>
> # A udev-based USB firewall
>
> I wrote a crappy pile of shell scripts that act as a USB device ID
> (model + serial number) whitelist, to provide vulnerability surface
> reduction against USB device driver exploits and attacks like BadUSB.
>
> The scripts work for me, but maybe we should try to make this into a
> Debian package with easier configuration or something.
>
>
> # CFC/No More 404s/Resurrect Pages
>
> Cloudflare captchas and Tor bans are annoying, especially if all you
> want to do is read something.
>
> Yawning Angel at the Tor Project has been working on a Tor Browser addon
> to automatically fetch pages that are blocked by CloudFlare/other
> captchas from archive.is/archive.org. It needs a UI and some general
> usability improvements:
> https://git.schwanenlied.me/yawning/cfc
>
> We could also adapt the official Firefox addons No More 404s or
> Resurrect Pages, depending on how they work.
>
>
> # Better Tor Browser support for SSH exits/private Tor exits
>
> Related to the Captcha and ban problem, I hacked up some prefs and env
> vars to make it possible to chain an SSH SOCKS -D proxy after Tor, so
> that it is possible to access sites that completely ban Tor with strong
> pseudonymity: https://trac.torproject.org/projects/tor/ticket/16917
>
> We could give this thing a UI. As a more involved project, we could
> patch Tor to support "Tor Exit Bridges": ie Tor "bridges" that have an
> exit policy and can be used instead of public exits.
>
>
> # OpenWRT-based Tor Firewall
>
> I have a prototype Tor Router based on OpenWRT that only lets Tor
> traffic through, and acts as a wifi firewall. It is based on
> https://wiki.openwrt.org/toh/tp-link/tl-mr3040, and uses the LEDs to
> tell you if anything on your computer has tried to bypass Tor, if
> anything on the local network has tried to make a TCP connection to you,
> or if anything has sent a ping/UDP packet at you. I've arranged these
> LEDs as a sort of "hitpoint" bar, so that the UDP LED is the farthest
> out, then the TCP connect-back LED, and then the Tor bypass LED is
> closest in. It is rather amusing to use this thing at hacker events to
> watch how fast stuff happens to you. Since the MR3040 also has an
> ethernet jack, you can use it to prevent exposing your laptop's wifi
> firmware to hostile networks, by putting the router into client mode and
> routing through ethernet. The router firmware supports concurrent client
> and host wifi operation, so that you can have the device still provide
> firewalling to devices that only support wifi by creating your own
> personal access point on one side of the firewall, and acting as a wifi
> client on the other.
>
> It is also very useful for helping to debug proper behavior of Tor
> applications (especially mobile/embedded apps), so that leaks are
> quickly apparent to you.
>
> This device is different than other Tor-enabled routers (such as NetAid
> and Anonabox, etc) because it is primarily meant to function as an
> additional security layer, not just something that blindly shoves all
> your traffic through Tor.
>
> The device has switches on it, so it can be easily switched between
> different modes.
>
> Areas of improvement for this project:
>
>  i). It would be cool to make some kind of REST negotiation API with Tor
>       Browser, so that this device could pick bridges or guard nodes for
>       Tor Browser, tell Tor Browser about them, and ensure that only
>       these bridges or guard nodes were used (as a security layer).
>
>  ii). Various UI work to make it easier to configure through a web UI.
>       Maybe borrowing ideas or sharing code with https://netaidkit.net/,
>       or maybe just sticking to the OpenWRT UI.
>
>  iii). It might be nice to also have a VPN on here as an option via one of
>        the switches, so that traffic that was not destined to Tor was
>        VPN'ed instead of dropped. This will require some hacking with
>        OpenWRT image creator, since there is not enough space for a VPN in
>        the default images for the device.
>
> To work on this project, you will need an OpenWRT compatible router. It
> doesn't have to be the MR3040, I just like that one because it has a
> battery and LEDs :). If there is enough interest, I can also bring a
> pile of old routers I have lying around, as well.
>
>
> # Reproducible build help with your Tor/Cypherpunk Project
>
> If you're making security tools, build security is very important. I can
> help people work towards ensuring their projects can be built
> reproducibly. We can also discuss various opsec considerations for
> signing key material, and build security for projects that are a long
> way away from being able to build reproducibly.
>
>
> # Your idea here!
>
> Please, suggest stuff you want to work on. Maybe I can help. Or if not,
> maybe someone else can!
>
>
>
> 1. https://www.youtube.com/watch?v=teBV0EoJJY8
> 2. https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
> 3. https://github.com/EthACKdotOrg/orWall
> 4. https://github.com/patcon/mission-impossible-android
> 5. https://copperhead.co/android/
> 6. https://source.android.com/security/verifiedboot/verified-boot.html
> 7. https://microg.org/
>
> --
> Mike Perry
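The USB device ID (model + serial number) whitelist described in the quoted message, sketched as an added example; this is not Mike Perry's scripts or anything posted to the list. The allowlist file format, the function names and the sample IDs are assumptions; `idVendor`, `idProduct`, `serial` and `authorized` are the per-device sysfs attribute names.

```shell
#!/bin/sh
# Added example: allowlist decision for USB devices (constructed, not the
# scripts from the thread). Assumed allowlist format: one
# "idVendor:idProduct:serial" per line, '#' starts a comment.

# usb_decide LIST VENDOR PRODUCT SERIAL -> prints "allow" or "deny"
usb_decide() {
    list=$1; key="$2:$3:$4"
    # Fail closed: unreadable list, or a device that reports no serial
    # (it cannot be told apart from any other unit of the same model).
    [ -r "$list" ] && [ -n "$4" ] || { echo deny; return 0; }
    # Strip comments and trailing blanks, then do a fixed-string whole-line
    # match so a device-supplied serial is never treated as a pattern.
    if sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$list" |
        grep -Fxq -- "$key"; then
        echo allow
    else
        echo deny
    fi
}

# usb_enforce LIST DEVDIR: read the descriptors from a sysfs-style device
# directory and write 1 or 0 to its "authorized" attribute. DEVDIR is a
# parameter so the logic can be exercised on a scratch copy first.
usb_enforce() {
    dir=$2
    vendor=$(cat "$dir/idVendor" 2>/dev/null) || vendor=
    product=$(cat "$dir/idProduct" 2>/dev/null) || product=
    serial=$(cat "$dir/serial" 2>/dev/null) || serial=
    decision=$(usb_decide "$1" "$vendor" "$product" "$serial")
    if [ "$decision" = allow ]; then
        echo 1 > "$dir/authorized"
    else
        echo 0 > "$dir/authorized"
    fi
    echo "$decision"
}
```

The vendor, product and serial values are reported by the device itself, so a list like this narrows which drivers get exercised by unexpected hardware rather than authenticating a device.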