InfoCamp Seattle: The privacy web application called Tor

The Tor Project

https://www.torproject.org/


How to: Use Tor for Windows

by Electronic Frontier Foundation
https://ssd.eff.org/en/module/how-use-tor-windows

How to: Use Tor on Mac OS X

by Electronic Frontier Foundation
https://ssd.eff.org/en/module/how-use-tor-mac-os-x



Spread the word about Tor

by The Tor Project
https://blog.torproject.org/blog/spread-word-about-tor



Everything about Tor

by Tom Ritter
https://ritter.vg/p/tor-vlatest.pdf



NSA and GCHQ target Tor network that protects anonymity of web users

by The Guardian
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption


Tor exit relays in libraries: a new LFP project

by Alison Macrina
https://libraryfreedomproject.org/torexitpilotphase1/


Configuring a Tor relay on Debian/Ubuntu

https://www.torproject.org/docs/tor-relay-debian.html.en

Configuring Hidden Services for Tor

https://www.torproject.org/docs/tor-hidden-service.html.en

Tor: Bridges

https://www.torproject.org/docs/bridges.html.en


Building Enterprise Tor Onions: Tips and Notes

by Alec Muffett
https://storify.com/AlecMuffett/tor-tips

How to Get a Company or Organisation to implement an Onion Site, i.e. a Tor Hidden Service

by Alec Muffett
https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962


Tor Hidden (Onion) Services Best Practices

by Rise Up
https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices


SecureDrop

https://securedrop.org/


The Official SecureDrop Directory

by Freedom of the Press Foundation
https://freedom.press/securedrop/directory


Organizations Supporting Tor: Help Us Help You!

by ACLU of Washington
https://aclu-wa.org/blog/organizations-supporting-tor-help-us-help-you


City of Seattle could lead privacy and transparency efforts with SecureDrop and Tor

by ACLU of Washington
https://yawnbox.com/?p=3742


Tor outreach materials

by The Tor Project
https://people.torproject.org/~lunar/outreach-material/


Tails Linux

https://tails.boum.org/


Orfox: Tor Browser for Android

by The Tor Project
https://play.google.com/store/apps/details?id=info.guardianproject.orfox

Orbot: Proxy with Tor

by The Tor Project
https://play.google.com/store/apps/details?id=org.torproject.android


Anonabox

https://www.anonabox.com/

InvizBox

https://www.invizbox.io/

A resolution for Seattle: encryption and anonymity as moral imperatives

Published: 2015-Sep-19
Updated: 2015-Sep-19, revision 17


CITY OF SEATTLE
RESOLUTION _________________

title

A RESOLUTION affirming the human right to encryption and anonymity as consistent with the findings of the United Nations report on encryption, anonymity, and the human rights framework, advancing previously adopted human rights resolutions.

body

WHEREAS, in December 2012, the Seattle City Council adopted Resolution 31420 proclaiming Seattle to be a Human Rights City, endorsing the human rights set forth in the Universal Declaration of Human Rights, recognizing the importance of using the international human rights framework for cities to work on their commitment to protecting, respecting, and fulfilling the full range of universal human rights; and

WHEREAS, in July 2015, the Seattle City Council adopted Resolution 31598 affirming privacy as a human right and aligning the work of the City’s privacy initiative with the right to privacy as described in the Universal Declaration of Human Rights; and

WHEREAS, in May 2015, the United Nations report on encryption, anonymity, and the human rights framework was published and finds that encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age; and

WHEREAS, with respect to encryption and anonymity, the City of Seattle should adopt policies of non-restriction or comprehensive protection: (1) only adopt restrictions on a case-specific basis and that meet the requirements of legality, necessity, proportionality and legitimacy in objective, (2) require court orders for any specific limitation, and (3) promote security and privacy online through public education; and

WHEREAS, potential criminality and emergency situations do not relieve the City of its obligation to ensure respect for international human rights law; and

WHEREAS, legislative proposals for the revision or adoption of restrictions on individual security or privacy online should be subject to public debate and adopted according to regular, public, informed and transparent legislative process; and

WHEREAS, the City must promote effective participation of a wide variety of civil society actors and minority groups in such debate and processes and avoid adopting such legislation under accelerated legislative procedures; and

WHEREAS, all Seattle organizations should not block or limit the transmission of encrypted communications and should permit anonymous communication; and

WHEREAS, all Seattle organizations should support secure technologies for websites and software applications, develop widespread end-to-end encryption, and employ anonymity-preserving software to support privacy-sensitive populations; and

WHEREAS, the City’s laws must recognize that individuals are free to protect the privacy of their communications by using encryption technology and tools that allow anonymity online; and

WHEREAS, the City’s legislation and regulations protecting human rights defenders and journalists must include provisions enabling access and providing support to use the technologies to secure their communications; and

WHEREAS, the City must avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows; and

WHEREAS, the City must refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users; and

WHEREAS, all Seattle organizations should consider their own policies that restrict encryption and anonymity (including through the use of pseudonyms); and

WHEREAS, all Seattle organizations should follow internationally and regionally accepted principles for conducting business in accordance with human rights law; and

WHEREAS, court-ordered decryption, subject to domestic and international law, may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (i.e., not to a mass of people) and subject to judicial warrant and the protection of due process rights of individuals; and

WHEREAS, all Seattle organizations will not conduct any manner of intentional or unintentional mass tracking, monitoring, or surveillance of person-linkable information or metadata without strict anonymization processes during collection, transfer, and storage processes; and

WHEREAS, if strict anonymization processes during person-linkable information or metadata collection, transfer, and storage cannot be performed, then those tracking, monitoring, or surveillance technologies will not be used; and

WHEREAS, given the relevance of new communication technologies in the promotion of human rights and development, all those involved should systematically promote access to encryption and anonymity without discrimination; and

WHEREAS, given the threats to freedom of expression online, corporate actors should review the adequacy of their practices with regard to human right norms; and

WHEREAS, Seattle companies should adhere to principles such as those laid out in the Guiding Principles on Business and Human Rights (PDF), the Global Network Initiative’s Principles on Freedom of Expression and Privacy (PDF), the European Commission’s ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, and the Telecommunications Industry Dialogue Guiding Principles; NOW, THEREFORE,

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF SEATTLE, THE MAYOR CONCURRING, THAT:

Section 1. In accordance with the findings of the UN Report on encryption, anonymity, and the human rights framework, the City Council affirms the human right to encryption and anonymity are foundational to human dignity, intellectual freedom, and democratic governance in the digital age.

Section 2. The City Council implores that all City of Seattle past, present, and future technology projects maximize person anonymity during the collection, transference, and storage of person-linkable data and information.

Section 3.

Exploring Cuban Internet surveillance and censorship

This research is ongoing.

After December 17, Cubans don’t have more food, more money, or more liberty. But we have more hope.

— Cuban journalist Yoani Sanchez said in May 2015

Larry Press, Professor of Information Systems at California State University, Dominguez Hills, recently asked some important questions on his blog:

  • Is the Cuban government surveilling the users?
  • Which IP addresses are blocked?
  • Are the Chinese supplying equipment, software or expertise for surveillance and content filtering?

Cuban infrastructure

Cuba’s Ministry of Communications (MIC) is responsible for approving Cuban communications infrastructure. Historically, according to TeleGeography, “Internet access in Cuba is largely restricted to legally recognized individuals and institutions considered most significant to the island’s culture and development, such as state officials and academics.”

According to Wikileaks, “Cuba worked around the US embargo in order to deploy an undersea cable to Venezuela.” For more history, Wikileaks has available a document titled: “Radio and Television Broadcasting to Cuba: Background and Issues Through 1994.”

According to the United States Congressional Research Service in 2006, “On December 12, 2006, independent Cuban journalist Guillermo Fariñas Hernández received the 2006 Cyber Dissident award from the Paris-based Reporters Without Borders. Fariñas went on a seven-month hunger strike in 2006, demanding broader Internet access for Cubans.” Reporters Without Borders “voices its support to the members of various dissident groups who have themselves been on a rotating hunger strike since 4 June [2006] in a show of solidarity with Fariñas and to draw international attention to his condition.”

In 2007, state-owned “Telecom Venezuela” and Cuban telco “Transbit” formed a new company called “Telecomunicaciones Gran Caribe”. The company eventually completed ALBA-1 in 2011, the only submarine cable that connects Cuba to the Internet and allows for the transmission of data, video and voice (VoIP). The cable has termination points in La Guaira, Venezuela, Ocho Rios, Jamaica, Santiago de Cuba, Cuba, and Siboney, Cuba. Until 2012, most Internet users in Cuba had limited access via satellite.

According to the U.S. Department of State Bureau of Democracy, Human Rights, and Labor on Internet Freedom in 2007:

“The [Cuban] government controlled nearly all Internet access. Authorities reviewed and censored e‑mail and forbade any attachments. Authorities also blocked access to Web sites they considered objectionable. Citizens could access the Internet only through government‑approved institutions, except at Internet facilities provided by a few diplomatic offices. In August authorities shut down Internet access in four government-run Internet cafes, including one located in the Ministry of Communications. The only citizens granted direct Internet access were some government officials and certain government‑approved doctors, professors, and journalists. The government also further restricted Internet use in government offices, confining most officials to Web pages related to their work. Foreigners, but not citizens, were allowed to buy Internet access cards from the national telecommunications provider and to use hotel business centers where Internet access cost $10 (240 pesos) an hour. The government stated that 8 percent of the population had Internet access, but independent studies concluded that only 2 percent of the population had access to the Internet.

A 2004 law stipulates that all public Internet centers must register with the government, and that all such centers may be the object of control and supervision, without prior warning, by the Agency of Ministry for Information Technology and Communications. While the law does not provide for any specific punishments for Internet use, it is illegal to own a satellite dish that would provide uncensored Internet access.”

According to the United States Congressional Research Service in 2009, “On May 21, 2008, the Senate passed S.Res. 573 (Martinez) by unanimous consent, which recognized Cuba Solidarity Day and the struggle of the Cuban people. On the same day, President Bush called for the Cuban government to take steps to improve life for the Cuban people, including opening up access to the Internet. He also announced that the United States would change U.S. regulations to allow Americans to send mobile phones to family members in Cuba.”

Prior to June 2013, Internet was only available at select state institutions and 200 hotels. The Cuban government then began offering access to the Internet at 118 outlets including a small number of cybercafés. According to Agencia EFE, “On June 14, 118 new Internet establishments were opened in the country where, through the national portal Nauta, permanent or temporary accounts were made available for e-mail access, online navigating and other services.”

As of April 2015, three million Cubans use mobile phones, a figure expected to grow by 800,000 a year. The state-owned monopoly Empresa de Telecomunicaciones de Cuba (ETECSA) has over 600 base stations across the island, up from 350 in 2010.

ETECSA will host the Internet Addresses Registry for Latin America and the Caribbean (LACNIC) meeting from May 2 to 6, 2016. ETECSA, and thus the Cuban government, clearly has ultimate authority over this region.

Desoft is the largest software developer in Cuba and based in La Habana, Cuba. Desoft’s CEO, since November 2014, is Luis Guillermo Fernandez Perez. Desoft’s website describes a product called “RCTel” that is a “Solution for recording and monitoring of telephone calls and their associated costs.” ETECSA is listed as one of their primary customers.

Prior to Desoft, Perez was the CEO of Cuba’s Softel from January 2004 through October 2014. Softel, according to LinkedIn, “Provides software solutions, analytics and consultancy for the telecommunication business.” Softel is “currently developing Softel Monitoring and Management Framework,” and their best selling product is “CMTS Monitoring System,” “capable of large scale (up to few millions easy scalable) docsis 2&3 cable modem customers monitoring. Some analytics and prediction algorithms in the area.”

According to Dyn Research, “Almost all of Cuba’s international Internet traffic has been passing through the United States for as long the Internet has existed in Cuba. For example, the satellite ground stations for the satellite service they currently use are on the East Coast of the United States.” “The Telefonica and Tata service across the ALBA-1 cable eventually makes its way to Miami to reach the global Internet. For technical reasons and not necessarily political, it is very hard to avoid the gravitational pull of the United States when routing international Internet traffic in the western hemisphere.”

United States infrastructure

IDT Corporation, based out of New Jersey, U.S. and in cooperation with ETECSA, is the “only U.S. carrier to have a direct interconnection into Cuba.”

SMS Cuba, a telecom startup in Florida, U.S., is a two-way provider of SMS to those wishing to send mobile texts to and from Cubans. The service is not in direct communication with Cuba and must pass through multiple other nation states meaning there are even more connection points subject to carrier surveillance. SMS Cuba advertises directly to Cubans about how cost effective it is. Further, SMS Cuba’s registration web site does not employ transport security (HTTPS), meaning the US government (at minimum) gets to record the personal information of who signs up for the service.

While writing this article, I sent an email to the founder of SMS Cuba with some questions about their infrastructure. They declined to answer any of my questions, which were mostly technical in nature.

Sprint, a known NSA partner, provides voice and SMS service to Cuba, even though it is the only major carrier to push back in court.

Products

According to Gigaom, “U.S. companies banned from selling or exporting everything from smartphones, servers and networking gear will be free to bring their hardware and software into the country.” Similarly, from the White House, “The commercial export of certain items that will contribute to the ability of the Cuban people to communicate with people in the United States and the rest of the world will be authorized. This will include the commercial sale of certain consumer communications devices, related software, applications, hardware, and services, and items for the establishment and update of communications-related systems.” “Telecommunications providers will be allowed to establish the necessary mechanisms, including infrastructure, in Cuba to provide commercial telecommunications and internet services, which will improve telecommunications between the United States and Cuba.”

Intro to Tor exit relay deployment and operation

This post is under construction.

Also read: Tips for Running an Exit Node with Minimal Harassment

Running an Exit takes a special kind of person. One who understands its value while also realizing that <2% of Tor traffic can be malicious in nature. Sometimes you and/or your service provider will be required to respond to complaints. There are generally two kinds of exit relays. One is the kind that accepts and routes any and all ports (1-65k). The other uses a reduced exit policy that limits accepted traffic to specific ports (22, 443, etc).

I have always used a reduced exit policy or a modified version of it. Running a reduced exit policy is common for people who want to minimize abuse complaints. For instance, I’ve received the most complaints when adding and allowing port 80 (clear-text web traffic) because people use Tor to perform cross-site scripting attacks on websites, and secondly port 22 (SSH) traffic which people use to attempt to brute force other people’s web servers. This should not discourage you.

There are specific rules in place in the Tor specification which give relays specific “flags” that help identify your relay’s capabilities. While you could only permit port 443 traffic out of your “exit”, you would not be given an exit flag. I’m not sure where that documentation is right now, but I know that the official reduced exit policy gives a relay an exit flag. You’ll get a “stable” flag after the relay has been online for several days without interruption, and there’s a “fast” flag if you donate enough bandwidth. People tend not to see much use of their relays until after they’re given a stable flag.

Relay configuration (be it an exit, bridge, or regular relay) is done via the TORRC file — on Debian systems in /etc/tor/torrc. Debian systems are relatively easy to harden to prevent passive attacks.

Most people run reduced exit policies — you should notice that it does not permit port 80.
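The first-match evaluation behind an exit policy, as an added example that is not part of the original post: the torrc below is constructed (ports 22 and 443 are the ones named above, everything else is illustrative), and the script reports which destination ports that policy would let exit. It assumes only `accept`/`reject` rules with `*` or IPv4 addresses.

```python
"""Audit torrc ExitPolicy lines: which destination ports would this relay exit to?"""
import ipaddress

# Constructed sample torrc (not from the original post). Ports 22 and 443 are
# the ones the post names; 993-995 and the other values are illustrative.
SAMPLE_TORRC = """\
Nickname examplerelay
ORPort 9001
ExitRelay 1
ExitPolicy accept *:22          # SSH
ExitPolicy accept *:443, accept *:993-995
ExitPolicy reject *:*           # catch-all: nothing else exits
"""


def parse_exit_policy(torrc_text):
    """Return the ExitPolicy rules in file order as (action, network, lo, hi)."""
    rules = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop torrc comments
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0].lower() != "exitpolicy":
            continue
        for entry in fields[1].split(","):           # one line may carry several rules
            action, pattern = entry.split()
            if action not in ("accept", "reject"):
                raise ValueError(f"unsupported policy action: {action!r}")
            addr, sep, port = pattern.rpartition(":")
            if not sep:                              # no port given means every port
                addr, port = pattern, "*"
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if port == "*":
                lo, hi = 1, 65535
            else:
                first, _, last = port.partition("-")
                lo, hi = int(first), int(last or first)
            rules.append((action, net, lo, hi))
    return rules


def decide(rules, dest_ip, dest_port):
    """First matching rule wins. None means no rule matched."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action
    return None


def ends_with_catch_all(rules):
    """True if the last rule is accept/reject *:*. Without one, tor treats the
    listed rules as a prefix to its default exit policy, so the list alone
    does not describe everything the relay permits."""
    return bool(rules) and rules[-1][1:] == (None, 1, 65535)


def audit(torrc_text, ports, probe_ip="203.0.113.10"):
    """Map each port to the policy decision for a probe address (TEST-NET-3)."""
    rules = parse_exit_policy(torrc_text)
    return {port: decide(rules, probe_ip, port) for port in ports}


if __name__ == "__main__":
    for port, verdict in audit(SAMPLE_TORRC, [22, 80, 443, 994, 6667]).items():
        print(f"port {port:>5}: {verdict}")
    print("ends with catch-all:", ends_with_catch_all(parse_exit_policy(SAMPLE_TORRC)))
```

Running the same audit against the live `/etc/tor/torrc` before reloading tor shows whether a port such as 80 is open on purpose or by oversight.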

You do not need to deploy a relay on dedicated hardware, unless:

1. you’re going to tune a relay to push as many bits as possible from one or many Tor instances.

2. you want to minimize the impact of a law enforcement seizure, in the rare event that LE/IC think that a Tor relay would be valuable to them.

I’ve run a 1 Gbps reduced exit policy relay from my personal residence for over two years with minimal issues, although my ISP was very understanding and accommodating. The risk of a seizure is very low, especially in the United States. Since then I moved to a VPS in the Netherlands because an unmetered 1 Gbps VPS is only ~$40 /mo there.

The value of Tor increases as more people use it, and as there are more relays–particularly exits–set up in more geographically diverse locations. The Tor Project website has a community-generated list of hosting providers that are either good or bad about Tor hosting. It would be good to read through to understand some of the problems that people face with them. If you already have rackspace and unused bandwidth in a datacenter, that’s the best place to put it.

Please email the tor-relays mailing list with questions, or me directly if you have feedback.

Operational security training for Seattle activists and journalists

UPDATE! The date *may* change! An announcement to our first activist training will be posted on SeattlePrivacy.org within the first week of January 2015.

Starting on MLK day, to cover January 19th TA3M, I will be hosting a 3 to 5 hour event specific to digital security for on-the-ground activism. In February, I am going to host a related event specifically for journalists. This style of training is going to happen every month with activist and journalist training happening on alternating months. This program will happen in addition to TA3M, I’m just going to jump start off of TA3M in January.

Curriculum is going to be facilitated by the SaferJourno guide (https://saferjourno.internews.org/ — “digital safety and online security”). Technical material can be adopted from many sources, but I will be asking for specialists to facilitate various trainings. A new website will be created that will be breaking this content down in wiki format. The content will be duplicated and modified for activists. The goals include enhancing and contributing back to the SaferJourno project.

The distinction between activists and journalists is critical. Risk analysis and legalities are totally different for the two groups, even though they sometimes share the same threats. In addition, SaferJourno has many hands-on training and conversation-oriented coursework. Sharing similar experiences with one another is important, and also making the attendees feel as comfortable and secure as possible is important. The registration process will be constructed to be as anonymous as possible, and participation will remain as private as possible. Registration is interesting because there are pre-surveys that have to be filled out for the trainers.

As for journalists, I will be working with various volunteers to create curriculum specific to SecureDrop; part for its use, and part for its technical implementation. Also concerning journalists, I plan to make available tailored training for Seattle news organizations who wish to incorporate their working environments into the training.

Meeting space is TBD. Sadly, the Seattle Public Library closes too early.

A name for this new program has not been created. At this time, I have people interested in starting the same program in other cities, but it will probably not happen as soon as MLK day.

Aside from me, I plan on keeping the identities of volunteers related to this new program private unless they wish to provide public support. My preferred methods of communication are TextSecure, PGP email, XMPP/OTR, and Ricochet — most details kept up to date on my website, https://yawnbox.com/.

I expect that trainers will write reports based on their experiences as educators and contribute (anonymously, if desirable) to the program in the form of SaferJourno (or SaferActivist) wiki edits. I’ll try to get trainers repeatable structure for said reports. Those not familiar with SaferJourno should know that it’s CC-BY-NC-SA. We can freely copy, remix, and redistribute the content with reference to the original, plus maintaining the same license or more-open, like CC-BY-SA or CC0.

What I currently need:

Does anyone know the activists who organized the WTO protests? I’d like to get them involved.

I need assistance breaking down the various needs of activist topics to cover. This will help copy the SaferJourno guide and modify it for activists. For January, time should not exceed 5 hours total, including breaks. Following January, events will likely be on weekends that could span an entire weekend.

I need technical specialists for iPhone and Android security. I could instruct Android, but there are many people who know more than I do. If we can’t rely on one person, we can break down various aspects of phone security to accommodate training. I also need someone to manage the topic of social media and video distribution.

Please be critical in thought and response. I look forward to pushing this forward in light of increased worldwide surveillance with as much help as I can get. I prefer to simply be an organizer, but I will facilitate/educate when/where needed. Please be aware that any involvement with this program will likely garner increased surveillance of yourself and connections, if TA3M wasn’t enough.

Ideas to support the Tor Project: Wikipedia IdeaLab proposal

Special thanks to my open-access comrade-in-arms Lane Rasberry.

Lane emailed me this morning asking for my input on a current proposal that’s on Jimmy Wales’s very own Wikipedia talk page.

After CC’ing Runa Sandvik from the Tor Project to verify the factuality of my feedback for the Wikipedia community, I posted my comments.

The ongoing issue, that Jacob Appelbaum repeatedly vocalizes, is that Tor users, Jacob included, are not able to protect their identity and contribute to the knowledge base that exists on Wikipedia.

Political activists and dissidents create a critical feedback loop into the controversial dialogue that is only made possible through the Internet and social media. Not only are these people self-empowering, they are the ones most likely to seek out the truth.

From Lane:

If you would be willing to write a brief set of proposals about what Wikipedia should do with Tor, then [Lane] would format those with you in the IdeaLab. This is a space where ideas are stored on Wikipedia so that they would always be found if anyone ever wanted them. I think it would be a good idea just to establish the conversation.

https://meta.wikimedia.org/wiki/Grants:IdeaLab

[If] it is of interest to you, I would help you start a proposal, format it properly, publicize it, and if you know anyone in the Tor community that might want to make a grant proposal for funding to establish and document the relationship between Tor and Wikipedia, then I might be able to advise on how to do that also.

This conversation is happening now live and it does have Jimbo Wales’ attention. It would be awesome to get input from established Tor supporters.

If you would like to create a proposal and have the support of a Wikipedia veteran, please contact Lane directly, and ask for other people’s input! I’m also extremely interested in supporting, I just don’t know what an ideal proposal would look like, and I don’t want to speak on behalf of Tor Project.

Thank you!