[Noisebridge-discuss] Tor/Cypherpunk hack day at Noisebridge?

Patrick O'Doherty p at trickod.com
Sat Aug 20 00:02:00 UTC 2016


Hey Mike!

Thanks for writing up these projects. I'd be very interested in working
with you to get the udev stuff cleaned up and packaged for debian. Are
these scripts in a shareable form at the moment?

I also have a spare openwrt suitable device (Netgear WNDR3800) which I
could donate to the openwrt-based project's cause, though I've not done
any mucking around w/ the openwrt internals before.

Outside of specific projects like the ones you've listed, any guidance
you could provide to folks who might be interested in contributing a
patch to either little-t tor or the related software projects on
git.torproject.org would be great! Sometimes the trac can be a little
daunting with the collection of tags and old tickets making it hard to
find an "easy" first patch.

p

Mike Perry:
> Hey Noisebridgers,
> 
> I've been out of orbit for a looong time, but I've been observing your
> earth, and I would like to make a contact with you[1].
> 
> I've been talking to Patrick O'Doherty and he suggested it would be good
> to try to set up some kind of regular Tor and/or general cypherpunk
> meetings or hack days at Noisebridge. I have a pile of projects I'm
> working on that may be interesting to folks, and I can also help get
> people up to speed with Tor development and build processes, how to
> write patches, and familiarize people with Tor codebases and Tor
> functionality for use in their own projects.
> 
> This is a long email. The TL;DR is that I'm looking for people to tell
> me what sort of stuff they would be interested in working on or learning
> about at these meetings, so I can try to serve that audience better and
> keep things focused.
> 
> I'm giving a ton of detailed examples based on stuff I've been hacking
> on on the side. Let me know either on or off-list if you find any of
> these projects interesting and would like to work on any of them. Please
> also suggest your own projects/ideas on-list, and please also +1 other's
> topics as well.
> 
> I'm hoping that the projects we work on can be featured on Tor Labs,
> which is a website we're launching that is meant to showcase prototypes
> and external projects that make interesting use of Tor, or that may
> otherwise be of interest to Tor hobbyists. Tor has a lot of eyes on it,
> and I think we should make use of that attention to get more people
> excited about the great work that folks do outside of the official Tor
> organization.
> 
> 
> Here's some of the stuff I've been working on:
> 
> # A Tor Phone prototype based on CopperHeadOS
> 
> Since I wrote my writeup of a prototype Tor/Cypherpunk/Wingnut Phone[2],
> a lot of cool stuff has been done by volunteers and the wider Android
> community. Cédric Jeanneret adapted my pile of half-insane Droidwall
> hacks into the rather slick OrWall[3], Patrick Connolly transformed the
> manual install process into an update.zip[4], and some Toronto hackers
> created CopperHeadOS[5] - a hardened Android rebuild using grsec and
> several hardening additions, including verified boot[6].
> 
> Unfortunately, CopperHeadOS does not support Google Apps, MicroG[7] (the
> FLOSS replacement for Google Services), or SuperUser. You can hack this
> stuff in via sideloading, but then you lose verified boot. So I'm
> working on a pile of scripts to try to shove this stuff in to the
> official CopperHead release images, and re-sign them with new keys. That
> way, you don't have to give up security to be able to use apps with Tor,
> or to use apps that require Google Play Services (such as Signal).
> 
> Ideally, long-term we'd either restrict root access to just OrWall, or
> diagnose why the VPN APIs in Android/Orbot leak traffic like crazy (see
> below for a fun related router project to help with this).
> 
> To work on this project, you'll need a Nexus 9, 5X, or 6P device.
> 
> 
> # A udev-based USB firewall
> 
> I wrote a crappy pile of shell scripts that act as a USB device ID
> (model + serial number) whitelist, to provide vulnerability surface
> reduction against USB device driver exploits and attacks like BadUSB.
> 
> The scripts work for me, but maybe we should try to make this into a
> debian package with easier configuration or something.
> 
> 
> # CFC/No More 404s/Resurrect Pages
> 
> Cloudflare captchas and Tor bans are annoying, especially if all you
> want to do is read something.
> 
> Yawning Angel at the Tor Project has been working on a Tor Browser addon
> to automatically fetch pages that are blocked by CloudFlare/other
> captchas from archive.is/archive.org. It needs a UI and some general
> usability improvements:
> https://git.schwanenlied.me/yawning/cfc
> 
> We could also adapt the official Firefox addons No More 404s or
> Resurrect Pages, depending on how they work.
> 
> 
> # Better Tor Browser support for SSH exits/private Tor exits
> 
> Related to the Captcha and ban problem, I hacked up some prefs and env
> vars to make it possible to chain an SSH SOCKS -D proxy after Tor, so
> that it is possible to access sites that completely ban Tor with strong
> pseudonymity: https://trac.torproject.org/projects/tor/ticket/16917
> 
> We could give this thing a UI. As a more involved project, we could
> patch Tor to support "Tor Exit Bridges": ie Tor "bridges" that have an
> exit policy and can be used instead of public exits.
> 
> 
> # OpenWRT-based Tor Firewall
> 
> I have a prototype Tor Router based on OpenWRT that only lets Tor
> traffic through, and acts as a wifi firewall. It is based on
> https://wiki.openwrt.org/toh/tp-link/tl-mr3040, and uses the LEDs to
> tell you if anything on your computer has tried to bypass Tor, if
> anything on the local network has tried to make a TCP connection to you,
> or if anything has sent a ping/UDP packet at you. I've arranged these
> LEDs as a sort of "hitpoint" bar, so that the UDP LED is the farthest
> out, then the TCP connect-back LED, and then the Tor bypass led is
> closest in. It is rather amusing to use this thing at hacker events to
> watch how fast stuff happens to you. Since the MR3040 also has an
> ethernet jack, you can use it to prevent exposing your laptop's wifi
> firmware to hostile networks, by putting the router into client mode and
> routing through ethernet. The router firmware supports concurrent client
> and host wifi operation, so that you can have the device still provide
> firewalling to devices that only support wifi by creating your own
> personal access point on one side of the firewall, and acting as a wifi
> client on the other.
> 
> It is also very useful for helping to debug proper behavior of Tor
> applications (especially mobile/embedded apps), so that leaks are
> quickly apparent to you.
> 
> This device is different than other Tor-enabled routers (such as NetAid
> and Anonabox, etc) because it is primarily meant to function as an
> additional security layer, not just something that blindly shoves all
> your traffic through Tor.
> 
> The device has switches on it, so it can be easily switched between
> different modes.
> 
> Areas of improvement for this project:
> 
>  ii). It would be cool to make some kind of REST negotiation API with Tor
>       Browser, so that this device could pick bridges or guard nodes for
>       Tor Browser, tell Tor Browser about them, and ensure that only
>       these bridges or guard nodes were used (as a security layer).
> 
>  ii). Various UI work to make it easier to configure through a web UI.
>       Maybe borrowing ideas or sharing code with https://netaidkit.net/,
>       or maybe just sticking to the OpenWRT UI.
> 
>  iii). It might be nice to also have a VPN on here as an option via one of
>        the switches, so that traffic that was not destined to Tor was
>        VPN'ed instead of dropped. This will require some hacking with
>        OpenWRT image creator, since there is not enough space for a VPN in
>        the default images for the device.
> 
> To work on this project, you will need an OpenWRT compatible router. It
> doesn't have to be the MR3040, I just like that one because it has a
> battery and LEDs :). If there is enough interest, I can also bring a
> pile of old routers I have lying around, as well.
> 
> 
> # Reproducible build help with your Tor/Cypherpunk Project
> 
> If you're making security tools, build security is very important. I can
> help people work towards ensuring their projects can be build
> reproducibly. We can also discuss various opsec considerations for
> signing key material, and build security for projects that are a long
> way away from being able to build reproducibly.
> 
> 
> # Your idea here!
> 
> Please, suggest stuff you want to work on. Maybe I can help. Or if not,
> maybe someone else can!
> 
> 
> 
> 1. https://www.youtube.com/watch?v=teBV0EoJJY8
> 2. https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
> 3. https://github.com/EthACKdotOrg/orWall
> 4. https://github.com/patcon/mission-impossible-android
> 5. https://copperhead.co/android/
> 6. https://source.android.com/security/verifiedboot/verified-boot.html
> 7. https://microg.org/
> 
> 
> 
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20160820/3df0e8f6/attachment.pgp>


More information about the Noisebridge-discuss mailing list