Hi there,
I recently read about the anonbox project [1], a small hardware-router, which allows end-users to connect their whole LAN to the Tor network. The project is on kickstarter at the moment [2].
Has there already been a discussion on how this might affect the performance of the Tor network?
Regards, Sven.
[1] http://anonabox.com [2] https://www.kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-ro...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Well the topic has come up several times in the last day or two on IRC and generally the feeling is that it may be quite bad for the users of the product, not necessarily the Tor network however.
One thing that AnonBox does do is increase Tor network traffic - you can see this as both good and bad since it adds load to exit operators like myself which are already in short supply and diversity, but at the same time adding traffic to the network makes it safer to use for everyone.
The real concern is the mismarketing and borderline fraud occuring by assuming the simple use of a protocol or open source software (which I note, the hardware is not actually open source at all). In addition, the users of such a system are going to be leaving an enormous browser fingerprint and their activities will be correlated so expectation of reasonable privacy from this project is a misguided hope at best; at worst very dangerous to life and limb of anyone who relies on Tor for their life.
I am personally hoping somebody high up in the Tor Project management will openly condemn this atrocity and hopefully Kickstarter and the funders will withdraw their funds before a whole load of people buy into this "security as a tool" idea.
- -T
On 15/10/2014 12:15, Sven Reissmann wrote:
Hi there,
I recently read about the anonbox project [1], a small hardware-router, which allows end-users to connect their whole LAN to the Tor network. The project is on kickstarter at the moment [2].
Has there already been a discussion on how this might affect the performance of the Tor network?
Regards, Sven.
[1] http://anonabox.com [2] https://www.kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-ro...
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 10/15/2014 08:00 AM, Thomas White wrote:
I am personally hoping somebody high up in the Tor Project management will openly condemn this atrocity and hopefully Kickstarter and the funders will withdraw their funds before a whole load of people buy into this "security as a tool" idea.
I'm more inclined to support him. He appears to be taking our designs and thoughts verbatim from Jake's initial thoughts on a torouter[1]. Access Now did some work on the OpenWRT version of the torouter[2]. Now is our chance to help shape this into a product we like. Others have tried to take their own approach without such attention to technical details.
I look forward to having some smart people analyze the final product and figure out where the strengths and weaknesses lie. Anonabox's response to this analysis will tell us far more than anything else.
[1] https://trac.torproject.org/projects/tor/wiki/doc/Torouter
[2] https://trac.torproject.org/projects/tor/wiki/doc/OpenWRT
I'm far from being knowledgeable about this project, but since no one else has, I'll point out some controversy around it: https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_tor_router_box_is_...
-tom
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On 10/15/2014 07:57 AM, Tom Ritter wrote:
https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_tor_router_box_is_...
This
is what lead me to pull my financial support for this:
https://twitter.com/justinsteven/status/522165101390876672
When considered in the context of the shadiness that's been discovered around the Kickstarter, there is little reason to think that the glaring vulnerabilities @justinsteven discovered are going to be fixed prior to shipment.
- -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/
Broadband?! I'm using a tarot deck and an egg whisk!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I understand the approach of this, but it again reverts back to the problem of people believing a product will provide them reasonable protection without the responsibility of having to take measures themselves. There are stories everyday in the newspapers who think using a fake name on Facebook is enough to stop police tracking the actions of that account to them.
As in the other reply to this message, the hardware isn't open source and there has been a critique posted below:
https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_tor_router_box_is_...
Well intentioned, but as many before me have highlighted; good intentions is not enough if the product does not provide true security. Tor is a technology like many things, but I feel this product is out to make a buck from open source software while under-delivering on it's promises by providing an inferior product. How many more times do we need people to be put off Tor because somebody makes a crap implementation and a headline follows with the usual "TOR IS BROKEN"?
The money in that kickstarter is proof there is cash to fund such things, but it is now in the hands of people riding the wave following the NSA fallout in hope for profit and not actual innovation.
- -T
On 15/10/2014 15:51, Andrew Lewman wrote:
On 10/15/2014 08:00 AM, Thomas White wrote:
I am personally hoping somebody high up in the Tor Project management will openly condemn this atrocity and hopefully Kickstarter and the funders will withdraw their funds before a whole load of people buy into this "security as a tool" idea.
I'm more inclined to support him. He appears to be taking our designs and thoughts verbatim from Jake's initial thoughts on a torouter[1]. Access Now did some work on the OpenWRT version of the torouter[2]. Now is our chance to help shape this into a product we like. Others have tried to take their own approach without such attention to technical details.
I look forward to having some smart people analyze the final product and figure out where the strengths and weaknesses lie. Anonabox's response to this analysis will tell us far more than anything else.
[1] https://trac.torproject.org/projects/tor/wiki/doc/Torouter
[2] https://trac.torproject.org/projects/tor/wiki/doc/OpenWRT
On Wed, Oct 15, 2014 at 01:33:43PM -0800, I wrote:
and if they were really into TOR why aren't they discussing it on this list?
because they're like two guys who threw up a under-$10k kickstarter and had it completely explode under their feet, I suspect.
Succeeding far beyond your dreams at crowdfunding is one of the worst things that can happen to a project. Just ask ZPM Espresso, KREYOS, or any of a dozen other "success" stories. Othermill is a sobering example of how to actually succeed at this, but it's a success I'm not sure I'd wish on my worst enemy. (Mike from othermill is a good friend of mine and I have seen just how hard it can be to succeed.)
-andy
Sven Reissmann transcribed 2.4K bytes:
Hi there,
I recently read about the anonbox project [1], a small hardware-router, which allows end-users to connect their whole LAN to the Tor network. The project is on kickstarter at the moment [2].
Has there already been a discussion on how this might affect the performance of the Tor network?
Yes and no.
One of the Anonabox developers, August Germar, posted to their kickstarter page that the distributed Anonaboxes would have a checkout option to be relays/bridges by default. [0] Colin Mahns responded to this, [1] pointing out some of my recent discussions with Mike Perry and others on the tor-dev list on scaling the Tor network. [2] [3] (And August Germar responded in their Reddit AMA. [4])
I agree with Colin that the Anonabox folks seem to be well-intentioned. However, the network effects, were these routers to be distributed, and were a majority of them to be configured as relays by default, would likely be harmful due to the low bandwidth of most residential connections.
That said, I think that everyone here would welcome the chance for a pocket-sized FLOSS router which enforces safe Tor usage. If that is their goal, and they are able to communicate honestly with users, I'd like to help them succeed. Particularly if it means someone else does hardware development, since that's not really my jam. :)
[0]: https://www.kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-ro... [1]: https://www.kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-ro... [2]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007558.html [3]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007560.html [4]: https://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_august_germar_a_deve...
I was excited about this project and signed up as a backer. Then I read http://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_august_germar_a_devel... and have reduced my contribution amount. Yes, I really like the idea of it this small device and what it does but at the same time I can see that it really *appears* that someone's allegedly selling on cheap hardware and applying a large markup. What an incredible testimony to the name of Tor though; the amount pledged with 27 days to go is approaching $500k ?!
What concerns me more is that a lot of less-knowledgeable folk might sign up to be an exit node using what is really a low-power, low bandwidth device. Not good.
I've since changed my pledge to $1 in recognition of the publicity, but I'll be setting up an Onion Pi and making a donation to Tor instead.
--- Peter T Garner, MBCS On the Road (iPad)
On 15 Oct 2014, at 14:47, isis isis@torproject.org wrote:
Sven Reissmann transcribed 2.4K bytes:
Hi there,
I recently read about the anonbox project [1], a small hardware-router, which allows end-users to connect their whole LAN to the Tor network. The project is on kickstarter at the moment [2].
Has there already been a discussion on how this might affect the performance of the Tor network?
Yes and no.
One of the Anonabox developers, August Germar, posted to their kickstarter page that the distributed Anonaboxes would have a checkout option to be relays/bridges by default. [0] Colin Mahns responded to this, [1] pointing out some of my recent discussions with Mike Perry and others on the tor-dev list on scaling the Tor network. [2] [3] (And August Germar responded in their Reddit AMA. [4])
I agree with Colin that the Anonabox folks seem to be well-intentioned. However, the network effects, were these routers to be distributed, and were a majority of them to be configured as relays by default, would likely be harmful due to the low bandwidth of most residential connections.
That said, I think that everyone here would welcome the chance for a pocket-sized FLOSS router which enforces safe Tor usage. If that is their goal, and they are able to communicate honestly with users, I'd like to help them succeed. Particularly if it means someone else does hardware development, since that's not really my jam. :)
-- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
It looks like Kickstarter has suspended the project.
http://www.wired.com/2014/10/kickstarter-suspends-anonabox
Colin
On October 15, 2014 9:47:09 AM EDT, isis isis@torproject.org wrote:
Sven Reissmann transcribed 2.4K bytes:
Hi there,
I recently read about the anonbox project [1], a small
hardware-router,
which allows end-users to connect their whole LAN to the Tor network. The project is on kickstarter at the moment [2].
Has there already been a discussion on how this might affect the performance of the Tor network?
Yes and no.
One of the Anonabox developers, August Germar, posted to their kickstarter page that the distributed Anonaboxes would have a checkout option to be relays/bridges by default. [0] Colin Mahns responded to this, [1] pointing out some of my recent discussions with Mike Perry and others on the tor-dev list on scaling the Tor network. [2] [3] (And August Germar responded in their Reddit AMA. [4])
I agree with Colin that the Anonabox folks seem to be well-intentioned. However, the network effects, were these routers to be distributed, and were a majority of them to be configured as relays by default, would likely be harmful due to the low bandwidth of most residential connections.
That said, I think that everyone here would welcome the chance for a pocket-sized FLOSS router which enforces safe Tor usage. If that is their goal, and they are able to communicate honestly with users, I'd like to help them succeed. Particularly if it means someone else does hardware development, since that's not really my jam. :)
-- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Fri, Oct 17, 2014 at 3:36 PM, Colin Mahns colinmahns@riseup.net wrote:
It looks like Kickstarter has suspended the project.
Some of this thread seems a bit silly. Tor does one thing, it anonymizes your IP address. These boxes push everything through that, which is generally exactly what you want... no leaks. So great, go sell a million of them.
But some of this thread bashes the boxes for doing simply that. I say NO. If you want a teacher to handhold and teach you anything safe beyond how to be an anon IP address (which Tor and boxen already provide) ... such as system administration, session management, how to actually be contextually, network, and datawise anon... go kickstart a companion book on that. Don't just bash the boxen about not including such a book if you are not also willing to write the book... as the boxen exist to sell 'IP address anonymizers', not books.
Chinese lookalikes, and best interaction with Tor network, are also separate subjects. To the latter which is relavent, Tor is becoming very popular, its fundamental design and ops need planned to be able to scale to many millions of clients, like yesterday perhaps.
Perhaps a more constructive approach is to help define what the golden standard for a true tor router should be at https://trac.torproject.org/projects/tor/wiki/doc/Torouter. There are a bunch of open tickets and design questions which need thought, research, and solutions.
If someone wants to take this golden standard and turn it into a shipping product, great. Best of luck. There is clearly a demand for it and more people willing to pay for something than to build their own.
Perhaps a more constructive approach is to help define what the golden standard for a true tor router should be at https://trac.torproject.org/projects/tor/wiki/doc/Torouter. There are a bunch of open tickets and design questions which need thought, research, and solutions.
If someone wants to take this golden standard and turn it into a shipping product, great. Best of luck. There is clearly a demand for it and more people willing to pay for something than to build their own.
Out of curiosity, has anyone reached out to the guys running the Kickstarter?
"Hey, I'm from the Tor Project and we noticed a few issues with your design, would you mind hopping on the mailing list so that we can help you work these out and provide a safer and more secure product to your customers?"
It's entirely possible that they are unaware of the lists or the issues with their design. I imagine if they care about their product and not just the possibly literal boat loads of money they are about to make, they'd be open to the idea.
Thank you, Derric Atzrott
On 10/16/2014 11:31 AM, Derric Atzrott wrote:
Out of curiosity, has anyone reached out to the guys running the Kickstarter?
Yes. I and others have been talking to August since last week, before the article was published and kickstarter was launched.
On Thu, 16 Oct 2014 11:31:44 -0400 "Derric Atzrott" datzrott@alizeepathology.com wrote:
It's entirely possible that they are unaware of the lists or the issues with their design.
How is it possible for anyone planning to make a Tor router without being unaware of tor mailing lists? It looks like they were able to find PORTAL from grugq, compiled, and run it. I'm sure they know tor project mailing lists, but they do not bother to subscribe to exchange ideas.
Of course, it would be possible that they are unaware, but I'm really suspicious about it. And if they are, I'm sorry to say this but it's a shame.
Regards, Grace H.
Out of curiosity, has anyone reached out to the guys running the Kickstarter?
Yes. I and others have been talking to August since last week, before the article was published and kickstarter was launched.
I see. That's unfortunate then. I'm glad someone did reach out to them though. It seemed like throughout this entire thread we were missing the obvious potential solution, but it appears that was not the case.
It's entirely possible that they are unaware of the lists or the issues with their design.
How is it possible for anyone planning to make a Tor router without being unaware of tor mailing lists? It looks like they were able to find PORTAL from grugq, compiled, and run it. I'm sure they know tor project mailing lists, but they do not bother to subscribe to exchange ideas.
Of course, it would be possible that they are unaware, but I'm really suspicious about it. And if they are, I'm sorry to say this but it's a shame.
Not everywhere does this, but coming from a Wikimedia background, I tend to Assume Good Faith [1] wherever possible. It appears that they were aware, so in this case it wasn't warranted, but I've found that assuming good faith tends to lead to significantly fewer disputes.
I think then our best bet at this point is probably to keep complaining, do some outreach and education, and prepare for the wave of Tor users and relays that don't know what they are doing. :(
Thank you, Derric Atzrott
Not everywhere does this, but coming from a Wikimedia background, I tend to Assume Good Faith [1] wherever possible. It appears that they were aware, so in this case it wasn't warranted, but I've found that assuming good faith tends to lead to significantly fewer disputes.
Forgot the link.
Andrew Lewman:
Perhaps a more constructive approach is to help define what the golden standard for a true tor router should be at https://trac.torproject.org/projects/tor/wiki/doc/Torouter. There are a bunch of open tickets and design questions which need thought, research, and solutions.
FWIW, I spoke with someone named 'torrouter' in #tor-dev IRC a couple months back. I'm not sure if they were related to this project, but I pointed out that the biggest problem with a simple "torify everything" Tor router is that there are tons and tons of apps on your computer that love to make network connections and broadcast information about your computer to remote servers. This problem was first analyzed in 2008 at PETS: http://www.chiark.greenend.org.uk/~mroe/research/pets2008.pdf.
Since then, we've seen the advent of app stores, account-based autoupdates, Dropbox, iCloud, things like Ubuntu's "Spotlight" search, and many many more chatty things. Not to mention the web browser tracking problem, of course.
The problem with naively shoving all of this stuff over Tor is that Tor Exit nodes (and services watching for long-term Exit IP usage correlation) can see that user "AnonymousDissident1" really is the same as "Frank.Grimes.SF.CA.USA@gmail.com" who has a Dropbox account that he paid with his credit card.
This may not be a problem for many people, but statements like "The anonabox uses Tor to allow anyone to access the Internet anonymously without having to install any software" and "The result is strong, secure anonymity. Using the anonabox hides your location, as well as all the other personal data that leaks through ordinary Internet use" are really not something you can claim if you are operating in this way. Location in particular will probably still leak all over the place due to chatty apps you have installed that broadcast it happily.
All of that said, I immediately followed this bad news up with an offer to the 'torrouter' IRC nick that I would be happy to work with them to design a secure pairing system between Tor Browser and a Tor router, such that if you were using Tor Browser, it could get configuration information from your Tor router so that it used it as an upstream proxy, or such that Tor router would then install a firewall that only allowed certain Tor Guard/bridge IPs through.
In this mode, the Tor router could actually act as a defense-in-depth mechanism that would block all non-proxied traffic, providing additional protection against browser or other remote exploits, by only allowing properly Tor-configured application traffic to exit onto the Tor network.
I imagine the same sort of mechanism could also be used to provide defense-in-depth for OrBot+OrWall+Android and Tails users.
Unfortunately, the 'torrouter' nick stopped talking to me at this point. I'm not sure if they just didn't want to put in this extra work, or were intimidated by how much work this, or what. Granted this would not be trivial to implement, but the offer to help come up with a design for it still stands, though. We can figure out the implementation and development cost sharing details after we have a good design.
I'm not sure such a thing could be designed and implemented by their January 2015 rollout date goal, but I suspect they're going to struggle to meet that anyway with this much interest. I wished they'd actually talked to us about this earlier, instead of ignoring my offer then.
As a result of their claims not matching up to reality, I've been debating writing a blog post warning about the various issues with Anonabox, but that seemed premature at this point, too. I suppose it still may come to that, though, if they keep ignoring us and making extreme, unsubstantiated, and inaccurate claims, especially with our trademark and logo plastered on the thing, as if it were an endorsement, or even our product.
On Thu, Oct 16, 2014 at 11:56:57AM -0700, Mike Perry wrote:
As a result of their claims not matching up to reality, I've been debating writing a blog post warning about the various issues with Anonabox
I think a blog post teaching people about the issues is a fine plan.
I was thinking something like:
- Many people keep wanting to build a magic anonymity box. And it's really appealing to not have to change your behavior or your application settings, and just magically get anonymity, so I can understand why the idea keeps popping up.
- Unfortunately, if you just route all your traffic through Tor, you're only solving half the problem: all the application-level issues remain. First this is a problem when you use your Chrome over Tor and then wonder how websites are able to recognize you anyway (remember all the protections that Tor Browser adds over vanilla Firefox). And second, as you say in your post here, it's a problem because of all the chatter that comes from background applications, update attempts, printer notifications, and so on that most systems do by default these days.
- To be fair, some expert users may still get a benefit from Torifying their traffic. For example, if they've already set up a firewall to block everything they don't want talking, and now they want to use an application that's hard to configure a proxy for. Or if they have thought deeply about their threat model and they don't want a lot of the anonymity properties that Tor aims to offer. But that user is very far from the target audience for these magic anonymity boxes.
- The best design we've been able to come up with is one that forces you to be using Tor on your side, and only allows your traffic through if it's coming from Tor. Making it use a proxy, or maybe even better a Tor bridge, that's running on the router seems a fine way to do this limiting. And we could also imagine running a captive portal website on the router that intercepts outgoing port 80 requests and teaches you what you need to do to use this network connection safely. Perhaps it has a local copy of Tor Browser for you (but how does the user know it's the real Tor Browser?), or perhaps it lets you reach https://www.torproject.org/ so you can fetch it yourself.
- This approach sure isn't as usable as the magic anonymity box. What a great research area! But be aware that people have been thinking about this issue for several years now, and don't get fooled by solutions that brush all the above details under the rug.
This may also be a good opportunity to point people at https://www.usenix.org/conference/foci14/workshop-program/presentation/edmun...
--Roger
[immured to dopey snipes]
http://www.wired.com/2014/10/tiny-box-can-anonymize-everything-online/
tor-relays@lists.torproject.org