New Democracy Now! Onion site

g6klvb3bfx3zuivo.onion

Updated onion address: 2017-March-12

Previous work here. The rest of this post is for technical individuals.

I recently moved to a new DN! host, mainly because my first one ran out of storage. I apologize to those who have not been able to access the last few episodes while the old host was full. This post details how I set up the new Onion site, then how I transferred all ~30GB of existing DN! files from the old host to the new one exclusively over the Onion service, using rsync.

Some major improvements: Democracy Now’s third-party media hosts all support TLS now, so I’m finally pulling the media over an authenticated and confidential (excluding metadata) transport. My updated shell script is below, too.

Please note that not all traffic on the new host is torified: the DN! files are still pulled directly over port 443, outbound DNS goes over port 53, and outbound NTP over port 123.

New Ubuntu 16.04 Xenial host setup

Enable the firewall; UFW’s default policy denies all inbound traffic, which is all an Onion service needs since Tor only ever makes outbound connections:

sudo ufw enable

Edit the sources list to replace the default HTTP repositories with Wikimedia’s HTTPS mirror, for transport authentication and confidentiality, and add the Tor Project’s HTTP repository. If apt reports that the https method driver is missing, install apt-transport-https first:

sudo vim /etc/apt/sources.list

deb https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb http://deb.torproject.org/torproject.org xenial main

Add the Tor Project’s signing key. Fetch it by its full fingerprint rather than the 32-bit short ID (short IDs are trivially collidable), and compare the fingerprint gpg prints against the one published by the Tor Project before handing the key to apt:

gpg --keyserver keys.gnupg.net --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --fingerprint A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Update, upgrade, then install Tor, apt’s Tor transport, and the Tor Project keyring package (which keeps the signing key current through normal updates):

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install tor apt-transport-tor deb.torproject.org-keyring -y

Edit torrc to create the new Onion site address:

sudo vim /etc/tor/torrc

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:80

Restart the Tor service:

sudo service tor restart

View the new Onion site address:

sudo cat /var/lib/tor/hidden_service/hostname

gnt3qwmxads3yytg.onion

Edit the sources list again so that apt fetches everything through Tor. apt-transport-tor sends each request over the local SOCKS proxy on port 9050; the mirrors are still reached via exit relays rather than onion addresses:

sudo vim /etc/apt/sources.list

deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb tor+http://deb.torproject.org/torproject.org xenial main

Update and upgrade again, and install the OpenSSH server, all through Tor:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install openssh-server

Configure the SSH server to accept connections only via the Onion service, and tighten the algorithm lists. Two caveats: RSAAuthentication, KeyRegenerationInterval and ServerKeyBits are SSH protocol 1 options, which the OpenSSH 7.2 in Xenial ignores with a warning, so they add nothing. And password authentication is left at its default (enabled) here; since only key-based access by one account is intended, add PasswordAuthentication no as well:

sudo vim /etc/ssh/sshd_config

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
AllowUsers user
Port 22
ListenAddress 127.0.0.1:22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 30
ServerKeyBits 4096
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes

Install Apache through Tor, disable mod_status, and enable mod_headers:

sudo apt-get install apache2 -y && sudo a2dismod status && sudo a2enmod headers

Configure the index view of the Apache landing page:

sudo vim /etc/apache2/mods-available/autoindex.conf

IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 SuppressDescription SuppressIcon SuppressLastModified SuppressRules
IndexOrderDefault Descending Name

Harden Apache’s security configuration:

sudo vim /etc/apache2/conf-available/security.conf

<Directory />
AllowOverride None
Require all denied
</Directory>

Header always set X-XSS-Protection: "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies: "master-only"
Header always set Cache-Control: "private, no-cache, no-store, must-revalidate"
Header always set Pragma: "no-cache"
Header always set Expires: "-1"
Header always set X-Content-Type-Options: "nosniff"
Header always set X-Frame-Options: "sameorigin"
Header always set Content-Security-Policy: "default-src 'self'"
ServerTokens Prod
ServerSignature Off
TraceEnable Off

Configure Apache to work only via the Onion service, binding to 127.0.0.1 so nothing is reachable from the network directly:

sudo vim /etc/apache2/sites-available/000-default.conf

<VirtualHost 127.0.0.1:80>
ServerName gnt3qwmxads3yytg.onion
ServerAdmin gnt3qwmxads3yytg@yawnbox.com
DocumentRoot /var/www/html/dn/
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Restart Apache:

sudo service apache2 restart
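Whether the headers above are actually delivered is worth confirming from the client side rather than trusting the config file. The following is an added example, not part of the original post or of the Apache project: a small shell function that reads an HTTP response head (for instance from curl -sI run through the local Tor SOCKS port with --socks5-hostname 127.0.0.1:9050, both assumed to be available) and reports any of the hardening headers that are missing, a Server header that leaks a version, or an over-broad CSP. The two sample responses in the block are constructed for illustration, not captured from the site.

```sh
#!/bin/sh
# Added example (not from the original post): check, from the client side, that
# the security.conf header hardening actually reaches a Tor Browser user.
# Reads an HTTP response head on stdin (e.g. from curl -I), prints one line per
# problem found, then prints the number of problems as the last line.
# Assumption: ServerTokens Prod makes the Server header exactly "Apache".

REQUIRED_HEADERS='content-security-policy x-content-type-options x-frame-options x-xss-protection cache-control'

check_onion_headers() {
  problems=0
  present=' '
  cr=$(printf '\r')
  while IFS= read -r line; do
    line=${line%"$cr"}                      # curl -I keeps CRLF line endings
    case "$line" in
      HTTP/*|'') continue ;;                # status line, blank line ending the head
    esac
    name=${line%%:*}
    value=${line#*:}; value=${value# }
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    present="$present$lower "
    case "$lower" in
      server)
        # ServerTokens Prod yields exactly "Apache"; a version or OS string is a leak
        [ "$value" = "Apache" ] || { echo "Server header leaks detail: $value"; problems=$((problems + 1)); } ;;
      x-powered-by)
        echo "X-Powered-By present: $value"; problems=$((problems + 1)) ;;
      content-security-policy)
        case "$value" in
          *unsafe-inline*|*unsafe-eval*|*"*"*)
            echo "CSP is permissive: $value"; problems=$((problems + 1)) ;;
        esac ;;
    esac
  done
  for want in $REQUIRED_HEADERS; do
    case "$present" in
      *" $want "*) ;;
      *) echo "missing header: $want"; problems=$((problems + 1)) ;;
    esac
  done
  echo "$problems"
}

# Constructed sample: what the security.conf above should produce.
sample_hardened_response() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Server: Apache\r\n'
  printf "Content-Security-Policy: default-src 'self'\r\n"
  printf 'X-Content-Type-Options: nosniff\r\n'
  printf 'X-Frame-Options: sameorigin\r\n'
  printf 'X-XSS-Protection: 1; mode=block\r\n'
  printf 'Cache-Control: private, no-cache, no-store, must-revalidate\r\n'
  printf '\r\n'
}

# Constructed sample: a stock Apache install with mod_headers unconfigured.
sample_default_response() {
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Server: Apache/2.4.18 (Ubuntu)\r\n'
  printf 'Content-Type: text/html;charset=UTF-8\r\n'
  printf '\r\n'
}
```

Against the live site: curl --socks5-hostname 127.0.0.1:9050 -sI http://gnt3qwmxads3yytg.onion/ | check_onion_headers. A trailing 0 means every check passed; anything else lists what to fix in security.conf before restarting Apache again.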

Make the DN! directory:

sudo mkdir /var/www/html/dn/

Create the shell script to download the various DN! files:

sudo vim dn-now.sh

#!/bin/bash
# Runs from root's crontab every 15 minutes (see below).
cd /var/www/html/dn/ || exit 1
# DN! names its files dn2017-0312.mp4, i.e. %Y-%m%d with no dash between month and day.
daystamp=$(date +%Y-%m%d)
# -m implies -N (timestamping), so re-runs only fetch a file if the remote copy is newer;
# on days without an episode each wget simply fails, which is fine.
wget -m -p -E -k -K -np -nd -e robots=off -H -r "https://publish.dvlabs.com/democracynow/360/dn$daystamp.mp4"
wget -m -p -E -k -K -np -nd -e robots=off -H -r "https://traffic.libsyn.com/democracynow/dn$daystamp-1.mp3"
wget -m -p -E -k -K -np -nd -e robots=off -H -r "https://ewheel.democracynow.org/dn$daystamp.mp4.torrent"
# Make whatever arrived readable by Apache.
chown -R www-data:www-data /var/www/html/dn/*

Edit root’s crontab to check for new files every 15 minutes. Because this job runs as root, the script should not live somewhere the unprivileged account can replace it; /home/user is tolerable on a single-admin box, but a root-owned location such as /usr/local/sbin is the safer choice:

sudo crontab -e

*/15 * * * * bash /home/user/dn-now.sh
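The script above trusts whatever the CDN returns and re-runs the same wget flags every 15 minutes. As an added example (not the post’s dn-now.sh), here is the same job written with two checks a practitioner would want: it skips files already on disk, and it keeps a download only if its first bytes match the media type the filename claims, so an HTML error page or captive-portal interstitial never ends up served as an episode. The three URL patterns come from the post; the DN_DIR variable, the .part staging name, wget’s --https-only flag and the magic-byte checks are this example’s own choices.

```sh
#!/usr/bin/env bash
# Added example (not the post's dn-now.sh): the same three downloads, but a file
# is fetched only if it is not already present, and kept only if its header
# matches the media type its name claims. Needs GNU date (for -d) and wget.

DN_DIR="${DN_DIR:-/var/www/html/dn}"

# DN! names files dn2017-0312.mp4, i.e. %Y-%m%d with no dash between month and day.
# Accepts a specific day for testing/backfill; defaults to today (UTC).
dn_daystamp() {
  date -u -d "${1:-now}" +%Y-%m%d
}

# Print the three URLs for a daystamp, one per line.
dn_urls() {
  d=$1
  printf '%s\n' \
    "https://publish.dvlabs.com/democracynow/360/dn${d}.mp4" \
    "https://traffic.libsyn.com/democracynow/dn${d}-1.mp3" \
    "https://ewheel.democracynow.org/dn${d}.mp4.torrent"
}

# looks_like_media FILE [NAME]: succeed if FILE's header matches the extension of
# NAME (defaults to FILE). MP4 carries "ftyp" at offset 4, MP3 starts with an ID3
# tag or an 0xFFEx/0xFFFx frame sync, and a .torrent is a bencoded dictionary that
# begins with "d8:announce". Anything else (HTML, empty file) fails.
looks_like_media() {
  f=$1; n=${2:-$1}
  [ -s "$f" ] || return 1
  case "$n" in
    *.mp4)
      [ "$(dd if="$f" bs=1 skip=4 count=4 2>/dev/null)" = "ftyp" ] ;;
    *.mp3)
      [ "$(dd if="$f" bs=1 count=3 2>/dev/null)" = "ID3" ] && return 0
      sync=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
      case "$sync" in ff[ef]?) return 0 ;; esac
      return 1 ;;
    *.torrent)
      [ "$(dd if="$f" bs=1 count=11 2>/dev/null)" = "d8:announce" ] ;;
    *) return 1 ;;
  esac
}

# Download whatever is missing for a daystamp into DN_DIR. Each file lands in a
# dot-prefixed .part name first and is renamed into place only after it passes
# looks_like_media; on days with no episode wget simply fails and nothing is kept.
fetch_missing() {
  mkdir -p "$DN_DIR"
  dn_urls "$1" | while IFS= read -r url; do
    name=${url##*/}
    [ -e "$DN_DIR/$name" ] && continue
    tmp="$DN_DIR/.$name.part"
    # --https-only refuses to follow any redirect back to plain HTTP
    if wget -q --https-only -O "$tmp" "$url" && looks_like_media "$tmp" "$name"; then
      mv "$tmp" "$DN_DIR/$name"
      chown www-data:www-data "$DN_DIR/$name"
    else
      rm -f "$tmp"
    fi
  done
}
```

Put it in a root-owned location and call fetch_missing "$(dn_daystamp)" from the cron entry; dn_daystamp 2017-03-12 gives 2017-0312, the form DN! uses in its filenames. looks_like_media can also be run by hand over the existing archive to find anything the old script saved that is not really media.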

Old Host

Configure the SSH client to go through Tor. Under Host *, every ssh connection from this machine is sent through the SOCKS proxy; narrow it to Host *.onion if only onion destinations should be torified. CheckHostIP no keeps ssh from trying to resolve the onion name through DNS, which would leak it:

sudo vim /etc/ssh/ssh_config

Host *
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
CheckHostIP no

Rsync all files from the old host (ssh client) to the new host (ssh server). A ~30GB transfer over Tor circuits will almost certainly be interrupted at some point; adding -a (preserve attributes) and -P (--partial --progress) lets a rerun pick up where it stopped instead of starting over:

sudo rsync -v /var/www/html/dn/* user@gnt3qwmxads3yytg.onion:/var/www/html/dn/

Cheers!

Watch Democracy Now! via Tor Onion

Similar to ProPublica’s Onionsite for reading the news with integrity and privacy, I’ve created a repository of recent DN! episodes. I am tired of waiting for DN! to deploy HTTPS and I have doubts they’ll ever go further with an Onion.

If I could obtain a copy of DN! archives, I would explore hosting all of them. My current Onion host is limited in space but I could expand it. I also welcome feedback on ways that I could improve this setup. You can safely access this Onionsite with Tor Browser‘s ‘High’ Privacy and Security Setting.

http://at25itpf2cbg3asm.onion/

Below is the simple shell script that I use to grab the daily files, if they exist. It checks every 15 minutes via root’s crontab -e.

#!/bin/bash

cd /var/www/html/

daystamp=$(date +%Y-%m%d)

wget -m -p -E -k -K -np -nd -e robots=off -H -r http://publish.dvlabs.com/democracynow/360/dn$daystamp.mp4

wget -m -p -E -k -K -np -nd -e robots=off -H -r https://traffic.libsyn.com/democracynow/dn$daystamp-1.mp3

wget -m -p -E -k -K -np -nd -e robots=off -H -r http://ewheel.democracynow.org/dn$daystamp.mp4.torrent

chown -R www-data:www-data /var/www/html/

GlobaLeaks and SecureDrop: which is right for you?

GlobaLeaks and SecureDrop are both secure and anonymous document submission systems. However, there are important differences between the two that must be understood before choosing either.

TL;DR

Use SecureDrop to best defend legally privileged work, or when utmost security is needed.

Use GlobaLeaks if:

  • You or your organization needs an internal auditing and/or whistleblowing platform, a survey/questionnaire platform, or a file submission platform.
  • You or your organization does not have dedicated technical support to properly manage SecureDrop.
  • You or your organization wants to trial-run a secure and anonymous document submission system to understand the policy and procedural impacts before investing in SecureDrop.
  • You or your organization cannot monetarily afford the SecureDrop infrastructure.

Similarities

  • Both systems are free software.
  • Both are regularly audited by independent software security firms, and the audit results are published.
  • Both use the Tor network to support user anonymity.
  • Both require consistent administration and updates to maintain software security.
  • Both require careful thought about the system’s physical security.
  • Both require careful thought about organizational policy changes and the organizational procedural changes.

Differences

There are many important consequences of their usability decisions. Always perform a careful threat assessment before deploying, and periodically after deployment.

GlobaLeaks

Docs: https://github.com/globaleaks/globaleaks/wiki

GlobaLeaks aims for ease-of-use for both the administrator and users. GlobaLeaks only requires one small Ubuntu 14.04 x86-64 system with root or sudo privileges for installation and system updates. Anyone with basic Linux systems administration skills can install GlobaLeaks onto, for example, a $200 laptop. The Freedom of the Press Foundation recommends the Intel NUC for SecureDrop, and that is a good system choice for GlobaLeaks, too.

The administrator needs to be able to install GlobaLeaks onto an Ubuntu system, either a Virtual Machine (VM) or a computer. After Ubuntu is installed, the GlobaLeaks install script is super simple. Once the install script has completed, it reports the Onion site addresses for submissions and administration.

GlobaLeaks is incredibly flexible. An administrator could choose to install their GlobaLeaks instance in “the cloud” (someone else’s computer). But there are many security and legal consequences if you have someone else manage the service. The security consequences include the risks of hosting sensitive material in a virtual machine that shares hardware with an unknown number of unknown people or organizations. Shared virtual hosting environments are notorious, especially if you are trying to keep the location of your Onion service hidden. Additionally, if your work is threatening to any adversary, having services shut down or losing access to materials is a higher risk when a third party manages them.

My first encounter with GlobaLeaks was in 2012 when I met one of the core developers at a Tor hackathon. I was so inspired by the project that I wrote the first GlobaLeaks Wikipedia article to help bring attention to the project. Since I’m not a developer, information activism is one of the best things that I can do to support free software and the amazing people that choose to work on free software.

I’ve deployed GlobaLeaks for several small projects. One of the projects needed a secure and anonymous document submission system (non-privileged, professional work), and another needed a secure and anonymous questionnaire to support a privacy-technology workshop.

SecureDrop

Docs: https://securedrop.readthedocs.org/en/latest/

SecureDrop aims to be as secure as possible for both the administrator and users. Administration requires intermediate Linux systems administration expertise. Once SecureDrop has been deployed, administration can only be performed locally and is command line only. Further, it is ideal for there to be an administration team, but not everyone needs to have technical skills. It is very important to understand the different systems needed and the roles they play.

SecureDrop requires, at a minimum, four independent but low-power x86-64 computer systems. The four computer systems are necessary to properly compartmentalize specific SecureDrop properties for ideal security via defense-in-depth.

One of these computer systems is connected to the Internet, the SecureDrop web server. Contrary to the default option in GlobaLeaks, the SecureDrop web server is only accessible via Onion services. A second computer system connects to the web server for the sole purpose of event reporting. This is necessary so that if the web server experiences any issues, a dedicated, compartmentalized system will be alerted of trouble. The other two computer systems needed for SecureDrop should never be networked and are called “air-gapped”. One of the air-gapped computer systems is needed to perform administrative functions; namely, the creation of Tails Linux USB drives. The second air-gapped computer system is solely used for reviewing SecureDrop submissions. Both of the air-gapped computer systems run Tails linux.

My first and only SecureDrop deployment was for the ACLU of Washington, which is really incredible. ACLU-WA was many firsts:

– The first non-journalist organization in the world.
– The first ACLU organization.
– The first legal organization.
– The first organization in the Pacific Northwest.

At ACLU-WA, there was a desire to begin experimenting with secure submission systems as an alternative to existing, common forms of communication like e-mail and HTTPS forms that come with inherent vulnerabilities. This decision was made without a fully developed sense of what the myriad internal policy implications would be. We knew ahead of deployment that a system like SecureDrop would pose certain organizational policy and procedural consequences, but waited until after receiving our first submission to finalize all our administrative practices. Most importantly, we know that existing legal intake methods used by legal organizations pose concrete risks because they all depend on communication systems that are not designed to withstand certain passive surveillance systems.

I was not part of ACLU-WA staff or part of the technical team that installed SecureDrop. My voluntary role at ACLU-WA was to design the landing page, to create our advanced threat modeling page, to advise on website and SecureDrop hardening, and to advise on organizational policy changes.

Create an anonymous document drop with any Android

Honestly I have no idea why I didn’t think about this before. I’m sorry it’s taken so long. This guide will show you how to use any Android to host a Tor hidden service and send it files from anywhere in the world with SSH or SCP. I tested this with a Nexus 6 (shamu) running Android 6 but I will test this on Android 4.4.4 soon. Root is not needed; you could perform these steps on any Android. Play around with this. I do not currently have a lot of confidence (stability) in an Android (Wifi), SSHelper (app), Orbot (app), and Tor (circuit) hidden-service combination. But I’ll try this out on an extra Android and see if I can still access it after a week or so and update the post.

Much wow.

There are several amazing things about this setup:

1. Easy. It’s so easy, omg. Even securing the Android is super easy with this narrow of use case.

2. Cheap. Like, as little as $10 cheap, or, “can I have your old Android for free, please” cheap.

3. You could drop a burner Android, using any Wifi you can connect to, in so many places. And if you don’t have a wall outlet where it could sit and charge forever, you could have several days or weeks worth of uptime before it dies.

Guide

0. Buy a cheap Android in person with cash; you may prefer one with an SD card slot for additional storage. Go to a coffee shop you’ve never been to that has free Wifi. Turn on your Android and connect to the public Wifi. Create a new Google account with an unattributable username and password. Put the phone into airplane mode, then reactivate the Wifi. Disable any apps and services not needed (dependent on the device), then install any Android OS or app updates that are necessary. Ensure the Android’s storage is encrypted, and ensure that device access requires a long passphrase both for boot and for unlocking.

Note on “buy any Android” — some burners that I’ve purchased before, like a $30 one from Verizon, force you to activate the device as soon as you turn it on, making it extremely difficult to control any aspect of Android until it has phoned home to Verizon and been activated with a phone number. If you want to be sure you don’t have to deal with carrier crap, spend a little more and go with an unlocked Moto E for $120. The 1st Gen and 2nd Gen Moto E’s conveniently support a 32GB microSD.

1. Download “Orbot: Proxy with Tor” (by: The Tor Project) from the Play Store. Open “Orbot”. Go into settings and scroll down to “Hidden Service Hosting” and enable “Hidden Service Hosting”. Tap “Hidden Service Ports” and enter “2222”. Back out of settings and long-press the power button to connect to the Tor network. Go back into settings then scroll down and tap “.Onion Hostname” to view your hidden service address. Document that address on your laptop with Tails or Torified SSH ready to go.

2. Download “SSHelper” (by: Paul Lutus) from the Play Store. Open the “SSHelper” app. That’s it. The default user is “admin”, default password is “admin”; change that password in SSHelper’s settings before Orbot publishes the service, because admin/admin on a port reachable from the whole Tor network is not an acceptable state. The default ssh, scp, and rsync directory is your normal user’s home directory, which is one below the virtualized (or real) “SDCard”. I was able to connect with an ECDSA key pair.

3. Download “NetGuard – no-root firewall” (by: Marcel Bokhorst) from the Play Store. Open “NetGuard”. In the top right corner are three vertically aligned dots. Tap that button to enter the Settings menu. Activate “Block Wi-Fi by default”, “Block mobile by default”, and “Manage system applications”. Tap back to save the settings changes. Now scroll down and find “Orbot” and tap the orange Wifi icon (it will turn from a struck-through orange icon to a green icon), which allows it to access the network over Wifi only. Scroll down a little more to “SSHelper” and tap the orange Wifi icon to give it Wifi access too. Now at the very top, to the right of “NetGuard”, tap the switch icon to activate your firewall rules. Accept (OK) the two prompts that follow.

Your Android is now ready to go.

4. From your Linux or OS X command line interface (CLI), you should now be able to send it any files. It only took 22 seconds for me to transfer an 8 MB PDF:

scp -P 2222 bulletproof-ssl-and-tls.pdf admin@c3dznupj493fgtd5j.onion:.

Torify SSH (Ubuntu) for connecting to hidden service addresses

Install tor, openssh-client and ncat (in Ubuntu’s nmap package). Then:

sudo vim /etc/ssh/ssh_config

Add (under “Host *”)

proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

No restart is needed: ssh reads ssh_config on every invocation, and the ssh service is the server, which this change does not touch.

A hardened Tor hidden service for less than $200

About this article

You will not understand this article if you do not have an understanding and appreciation for Tor hidden services. If you don’t even have an appreciation for Tor, you might like my article Comparing HTTP, HTTPS, VPN, and Tor with “snail mail” metaphors that looks at basic Tor operations.

Following my blog post A guide for journalists that need to defend their work from governments, I purchased a new, inexpensive Acer laptop and have reviewed it by configuring and hardening it to be a secure Tor hidden service with the intent of thwarting well-funded adversaries that may search for and discover its physical location. But first and foremost, journalists and other human rights defenders need safe spaces for their information and data, especially when moving around and crossing borders.

If I were a journalist and needed to defend my work from a wide range of threats, I would deploy several of these laptops in various geographical locations and configure them to automatically sync with each other. People need to be able to document wrongdoing and safely transport their work to private systems; quite plainly, it is often not safe for people to carry valuable information with them due to government and corporate abuses.

Please note that I am not a subject matter expert at any of the systems that I discuss in this guide. There is always someone else that knows more than I do on specific topics, but I do my best to bring together many different knowledge areas to create a holistic, usable solution. What is “best” or “more secure” is relative to so many things. If you do not understand why you do or do not perform any of these actions, you should consider not doing any of them until you do. Operational security is hard and easy to mess up, so you need to be able to think carefully, independently, and rethink about your problems, often, as circumstances change.

Brief SecureDrop vs GlobaLeaks vs plain hidden service discussion

I believe that news and law professionals have an ethical obligation to implement SecureDrop when interfacing with the public. That being said, this guide is absolutely not intended for receiving submissions from the public. It is exclusively for news media professionals, human rights investigators, or documentary film makers who need private storage accessible over the net.

SecureDrop has outstanding security features but it is a complex system that requires several physically-disparate systems to work together. SecureDrop doesn’t scale well due to time (education, installation, maintenance) and financial (hardware) costs. SecureDrop is not an option for the problem that this guide aims to help solve.

GlobaLeaks, on the other hand, is so easy to install it puts WordPress to shame. As long as you are comfortable with the Linux command line (yeah, I know), all you do is download the script, make the script executable, and then run the script. The GlobaLeaks script takes care of installation and prudent configuration. This guide, however, is more complex simply because hardware and software systems are not designed to withstand well-funded adversaries.

GlobaLeaks, once it’s installed, is completely configurable through a web interface. This guide will not look at GlobaLeaks configuration, you will need to research that separately. I will say that GlobaLeaks is a hardened web interface that makes it easy to upload whole files, including automatically encrypting any file uploaded to your GlobaLeaks server with a PGP public key of your choosing. It is at this point that we need to explore using a regular Tor hidden service.

A Tor hidden service, simply configured in the torrc file, is easily the most secure option if you are only operating via the command line (ssh, scp, rsync, etc). If an adversary (accidental or purposeful) were to discover your private onion address(es), a CLI-only server has far less attack surface, though it still exposes OpenSSH and its dependencies. In practice an adversary is unlikely to discover your Onion site(s) before finding the hardware, but do not treat the address itself as a secret: relays acting as hidden service directories can harvest the addresses of the descriptors they hold. For a service only you will use, Tor’s HiddenServiceAuthorizeClient option adds a per-client credential that is required even to reach the service. In my opinion it is more important at this stage of defense-in-depth thinking that you choose a solution that makes your job easier. This guide is written to support GlobaLeaks with an added hidden service for CLI operations.

Rsync is probably the ideal transfer tool given the use of Tor hidden services: a large single-shot transfer is fragile if your Tor circuits aren’t stable, whereas rsync resumes and only moves what changed. Incremental backups are a great fit for the same reason, even for an entire encrypted volume, since you don’t have to transfer the whole volume each time.

If you are a journalist or human rights defender and need a technical resource, I make myself available using the contact methods listed on my blog.

The new Acer Aspire One Cloudbook

The Acer Aspire One Cloudbook, also reviewed on Mashable, is a budget laptop that is, in my opinion, a good option for a Tor relay or Tor hidden service computer. The Acer with 32GB of disk storage was $189 (retail) at my local Microsoft Store. After asking about, smiling, and receiving a 10% student discount, the total was $186.43 after tax. There are also 16GB and 64GB models of this laptop.

Tested

Acer AO1-131-C1G9
Mfg date: 2015/07/30
Series: AO1-131
Model: N15V1

Important hardware specifications and security thoughts

The Intel Celeron N3050 is one of two reasons why this laptop is so valuable. This Celeron has the AES-NI instruction set, which means Tor’s encryption processing overhead is greatly reduced. AES-NI is traditionally used to speed up Tor relays, but it has the same effect on Tor hidden services if there are large file transfers taking place.

Low-hanging fruit problem number one: RAM. The second reason this Acer is so good for Tor hidden services specifically is that the DDR3L SDRAM is soldered to the system board. If an adversary finds the physical location of your hidden service, the RAM cannot be pulled and read in another machine, which defeats the transplant form of the cold boot attack; rebooting the same machine into a memory-dumping OS is what the BIOS boot restrictions below are for. Combined with LUKS disk encryption, this Acer would have strong defenses against physical attack.

A nice perk is that this Acer has a TPM chip. Sadly, neither the eMMC drive nor the BIOS offers hardware-level (self-encrypting or firmware-managed) full disk encryption, so encryption is done in software with LUKS below.

Last but not least, laptops, by design, have two great things going for them: internal batteries to withstand brief power loss, and power adapters with built-in surge protection. This one is also quite slim and passively cooled (it makes no noise), so it is very discreet. You can put it in a friend’s closet (thanks to its wireless connection) and it would be easily forgotten. Keep in mind that if and when these systems (with BIOS and partition encryption passwords) power down, they cannot be started back up until you are physically present to enter the passwords. Fortunately, I have personally seen Linux server systems with uptime of 600+ days. Tor will accommodate the poor connections common with residential Internet.

Most regrettably, this Acer does not have a 1 GbE port. Fortunately the Wifi card is quite good and is recognized by Tails 1.7. For Ubuntu 15.10 server, there is some minor configuration editing needed to get the Wifi to work, but nothing crazy like driver installation. If you will not or cannot accept relying on Tor hidden services using Wifi, do not use this laptop.

If you need more storage space you will need to find a different laptop simply because of the security implications. The security implications are simple — we need to shut down all USB access, which is discussed below. From a management point of view, it is easier to manage a Linux client if there is only one storage volume — the one the OS is installed on. Never treat a solution like this as any manner of backup or archive, only as a transitional solution that is part of a broader information assurance plan. There are “desktop replacement” laptops that can support 2+ drives, and in those configurations it is possible to leverage hardware or software RAID (like RAID-1, mirroring) for storage-at-rest redundancy. Desktop replacement laptops, however, have RAM that is easily removable, and the threat model will have to be re-assessed.

Open question: I do not believe this Acer can have its eMMC drive upgraded. As far as I can tell, it is also integrated into the system board.

Low-hanging fruit problem number two: USB. If an adversary were to find the physical server, said adversary might perform a USB attack to extract important information from the system to support additional attacks, or they might modify the system in a malicious way to gain entry. There are three things to be done to mitigate USB attacks:

1. Verify that the first boot device in BIOS is the internal drive, and verify there is a high-entropy BIOS administrator password and a high-entropy BIOS boot password.

2. Configure the Linux kernel not to support USB (detailed below).

3. Optionally, close the USB ports with heat-resistant epoxy resin, and make sure the epoxy has fully cured before turning the system back on. For obvious reasons, only perform this step after you have a stable system configuration and are comfortable with the fact that it will not be possible to install another OS.

BIOS configuration for bootable USB drives

Enter into BIOS by pressing the F2 key during boot.

Main > Touchpad > select: Basic
Main > Network Boot > select: Disabled
Main > F12 Boot Menu > select: Disabled
Main > Lid Open Resume > select: Disabled
Main > D2D Recovery > select: Disabled

Security > select: Set Supervisor Password (max is 12 characters)
Security > select: Set User Password (max is 12 characters)

Assure that you use high-entropy passwords. Sadly, 12 characters is not a lot, but we can use complex passwords, so be sure to document them on a separately encrypted device. After some testing I determined which alphanumeric and special characters this BIOS accepts, so here is a Linux command to generate good 12-character passwords (15 will print, so you can easily choose two of them; with 69 possible characters per position they carry about 73 bits each):

cat /dev/urandom | tr -dc 'a-zA-Z0-9-=[];,.' | fold -w 12 | head -n 15

Security > Password on Boot > select: Enabled

Boot > Boot Mode > UEFI > select: Legacy

Legacy mode disables UEFI Secure Boot, so the BIOS passwords above and the boot-device and USB lock-down below are what stand between an attacker and booting their own media.

Verify USB HDD is first when preparing to install the OS. After the OS is installed, make sure the “EMMC : HBG4e 32GB” boot device is first.

Exit > select: Exit Saving Changes

Tails 1.7 test (just for fun)

I made a Tails 1.7 USB-bootable drive from a Ubuntu 15.10 system (verify the ISO’s OpenPGP signature, which Tails publishes alongside each release, before writing it):

dd if='tails-i386-1.7.iso' of=/dev/sdb bs=16M && sync

Tails booted without issue. The trackpad on the Acer does not work with Tails, but this does not affect a Server OS. I used a USB mouse to navigate. The Wifi works great and Tor connected with no problem.

Ubuntu Server 15.10 x64 w/ GlobaLeaks

GlobaLeaks advises using the LTS versions of Ubuntu (12.04, 14.04), but unfortunately the eMMC SSD (storage) is not recognized by 14.04. Ubuntu 15.10 has no problem seeing and using the eMMC SSD; bear in mind that 15.10 is a non-LTS release with only nine months of security updates, so plan to move to 16.04 LTS once it ships. With the 32GB SSD, after Ubuntu Server is installed, 24GB is usable. I started by making my USB-bootable drive from a Ubuntu 15.10 system:

Disks (utility) > (select USB drive) > menu > Format Disk > (defaults) Format > Format
dd if='ubuntu-15.10-server-amd64.iso' of=/dev/sdb bs=16M && sync

Ubuntu setup configuration

  • I acknowledged that there are no network interfaces.
  • I changed the hostname to “Windows”.
  • I set an unattributable user name and long (64+ characters), unique password.
  • I selected my time zone.
  • I did not encrypt the home directory.
  • I selected: Guided – use entire disk and set up encrypted LVM (with a long (64+ characters), unique password)
  • I confirmed no automatic updates.
  • I did not install any additional services.
  • I confirmed installation of GRUB.

Find the on-board Wifi device name (the one after “lo”):

ifconfig -a

Mine is called “wlp2s0”. Make sure your Wifi network uses standard DHCP with WPA2 security (like a normal home network should). Add all of this information to the interfaces configuration file. The PSK sits there in clear text and the file is world-readable by default, so also chmod 600 it:

sudo vim /etc/network/interfaces

Add these four lines:

auto wlp2s0
iface wlp2s0 inet dhcp
wpa-ssid 'SSID'
wpa-psk 'password'

Enable the iptables firewall with UFW. Its default policy blocks all incoming connections; the hidden service is unaffected because Tor builds its circuits outbound and rendezvous traffic arrives over them, so no inbound port is ever opened.

sudo ufw enable

Start up the wireless interface and connect:

sudo ifup -a

Install GlobaLeaks

sudo apt-get update
sudo apt-get dist-upgrade -y
sudo shutdown -r now

sudo su
mkdir /etc/systemd/system/tor.service.d
vim /etc/systemd/system/tor.service.d/directory.conf

Add these two lines:

[Service]
ReadWriteDirectories=-/var/globaleaks/torhs/

Then fetch the installer. It runs as root, so read it before executing it:

wget https://deb.globaleaks.org/install-globaleaks.sh
chmod +x install-globaleaks.sh
./install-globaleaks.sh

Yes, accept that you are using an unsupported system.

Once GlobaLeaks is installed, it will have printed out the onion address for the GlobaLeaks site. Now you can go there to perform your desired configuration: https://github.com/globaleaks/GlobaLeaks/wiki/Configuration-guide

Another hidden service for command line interface access

sudo vim /etc/tor/torrc

Uncomment the two lines that read as follows (lines 74 and 76 in the stock torrc; check yours) to activate a second service:

HiddenServiceDir /var/lib/tor/other_hidden_service/
HiddenServicePort 22 127.0.0.1:22

Install openssh-server:

sudo apt-get install openssh-server -y

Configure SSHd (at a minimum):

sudo vim /etc/ssh/sshd_config

Comment out these lines:

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Edit these lines:

ServerKeyBits 4096
PermitRootLogin no

Uncomment and edit this line:

ListenAddress 127.0.0.1:22

Restart tor and ssh:

sudo service ssh restart
sudo service tor restart

View the address of your new (second) hidden service, which exposes only the command-line interface:

sudo cat /var/lib/tor/other_hidden_service/hostname
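The ListenAddress change above is only worth anything if nothing else on the host listens outside loopback either. As an added example (not from the original post), the following function reads the output of iproute2's ss -ltn and flags every listening TCP socket that is not bound to 127.0.0.0/8 or ::1; the sample output used in the test is constructed.

```shell
# Added example, not from the original post: confirm that nothing on the host
# listens outside loopback. Assumes iproute2's ss(8) is installed.

# Reads "ss -ltn" output on stdin, prints every listener that is not bound to
# 127.0.0.0/8 or ::1, and returns 1 if it found any (0 otherwise).
check_listeners() {
    awk '
        NR == 1 { next }                        # skip the column header
        {
            addr = $4                           # "Local Address:Port" column
            sub(/:[^:]*$/, "", addr)            # drop the port
            gsub(/\[|\]/, "", addr)             # drop IPv6 brackets
            if (addr !~ /^127\./ && addr != "::1") {
                print "exposed: " $4
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Run it against the live system, e.g. right after restarting ssh and tor.
check_live_listeners() {
    ss -ltn | check_listeners
}
```

A wildcard bind shows up in ss as `*:22`, `0.0.0.0:22` or `[::]:22`; all three are reported as exposed, which is exactly the case an SSH daemon left on its default ListenAddress produces.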

Disable all USB

sudo vim /boot/grub/grub.cfg

There should be five different instances of the following line:

linux   /vmlinuz-'KERNEL' root=/dev/mapper/'NAME' ro

Each one of them needs to be modified with “nousb” at the end, like the following:

linux   /vmlinuz-'KERNEL' root=/dev/mapper/'NAME' ro nousb

Here are the five line numbers that I found (in vim, type “:” followed by the number, e.g. “:143”, then press Enter to jump directly to that line):

143
161
178
196
213

Then reboot:

sudo shutdown -r now

You can verify that USB devices are not initialized by your system by viewing the kernel log in real time and inserting USB devices (if no logs are created, then no new devices are being initialized):

sudo tail -f /var/log/kern.log
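Editing the five lines by hand and then eyeballing them is easy to get wrong, so here is an added example (not from the original post) that appends nousb to every kernel command line in a grub.cfg and verifies that none were missed. It assumes GNU sed (as on Ubuntu) and the `linux   /vmlinuz-… root=… ro` line form shown above; the file path is a parameter so it can be tried on a copy first.

```shell
# Added example, not from the original post: apply the "nousb" edit to every
# kernel command line in a grub.cfg and verify it. Assumes GNU sed.

# Append " nousb" to each "linux /vmlinuz-..." line that does not already
# carry it. Safe to run repeatedly. $1 is the grub.cfg path (try a copy first).
add_nousb() {
    sed -i -E '/^[[:space:]]*linux[[:space:]]+\/vmlinuz-/{ /(^| )nousb( |$)/! s/$/ nousb/; }' "$1"
}

# Number of kernel command lines in the file.
count_kernel_lines() {
    grep -cE '^[[:space:]]*linux[[:space:]]+/vmlinuz-' "$1" || true
}

# Number of kernel command lines that already carry nousb.
count_nousb_lines() {
    grep -cE '^[[:space:]]*linux[[:space:]]+/vmlinuz-.* nousb( |$)' "$1" || true
}

# Succeeds only when the file has kernel lines and every one of them carries nousb.
verify_nousb() {
    kernels=$(count_kernel_lines "$1")
    [ "$kernels" -gt 0 ] && [ "$kernels" -eq "$(count_nousb_lines "$1")" ]
}

# Usage on the real file (as root), then reboot:
#   add_nousb /boot/grub/grub.cfg && verify_nousb /boot/grub/grub.cfg && echo ok
```

Note that update-grub regenerates /boot/grub/grub.cfg (a kernel package upgrade triggers it), so the edit has to be re-applied and re-verified afterwards; verify_nousb makes that check a one-liner.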

A guide for journalists that need to defend their work from governments

This is a brain dump guide that may be expanded depending on feedback. The goal is for a journalist to be able to keep all of their work “in the cloud” (on a personally controlled Tor hidden service) and not keep any sensitive data with them when they travel.

Most journalists are not able to commit to the requirements (high technical competency) of this guide. Dedicated journalists should consult with a technical expert that they trust.

Skeleton guide

1. Find some secure and stable places to host a few Tor hidden service web hosts. Choose different places that small actors (non-targeted malice, etc.) and big actors (targeting by private companies, local law enforcement searches, intelligence agencies, etc.) would have trouble finding. Inexpensive “netbooks” are great options because they are portable and inconspicuous, and have built-in batteries, surge protectors, and RAM that is integrated into the system board (so it cannot be removed for evil maid attacks). Always presume adversaries will find them, so always use layered security.

1.1. The web hosts must at least be behind a basic firewall, even a residential Internet connection using NAT. The host itself must not have any externally-accessible ports, must employ LUKS disk encryption, and must be running the most current version of Tor. OwnCloud Community edition or WordPress are ideal platforms that allow remote uploading of files or note taking. Access to the web resource must be hardened and password protected in case a random adversary is able to uncover the hidden service address.

1.2. Physical access to the host, and remote access to the host, must require high-entropy passwords. You must remember them, or you must have a secure way of documenting and retrieving them like disposable SpiderOak accounts. Never carry passwords or your hidden service addresses with you. Two-factor authentication options cannot be used because you must presume said authentication devices will be taken from you.

1.3. Multiple Tor hidden service web servers, hosted for redundancy, can be configured to sync with each other automatically via Tor.

2. Carry the following:

2.1. An inexpensive laptop that has an unencrypted hard drive and operating system that has some “use” (don’t ever use it). Some passive-search actors will force you to turn on the device to demonstrate its legitimacy. Turning it on and opening apps keeps the friction low between you and your adversary. Always presume that adversaries will take it all from you. If any device is taken from you and removed from your sight, dispose of the device immediately.

2.2. Several USB drives with Tails Linux, and in different locations (on-person necklace, pockets, bags). If you’re able to maintain ownership of at least one, and you trust it was not tampered with, you won’t need to create a new one after passing through security check points.

2.2.1. Presume that the drives will be confiscated, so you must know how to recreate a Tails drive from any operating system. Don’t use pre-created drives if you think leaving them behind in “secure” places will help you. And don’t mail pre-created drives to yourself, they are trivially intercepted. Plan ahead to determine where you can create a new Tails drive, such as a retail electronics store or a local library. If you can’t assure that your Tails drive is clean, and your computer is free from any hardware or firmware compromise, do not access your Tor hidden service resources.
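Section 1.3 above says redundant hosts can sync with each other over Tor. As an added example (not the post's own script), here is a wrapper that does that with rsync over SSH through torsocks, using the SSH hidden service set up earlier. It assumes torsocks from the Tor package, a running local Tor, and that the destination host's SSH host key has already been verified and saved in known_hosts; the onion address, user and paths are placeholders supplied as arguments.

```shell
# Added example, not from the original post: mirror a directory to a second
# hidden-service host over Tor. Assumes torsocks(1) and a local Tor instance.

# Accepts the v2 (16 base32 chars) and v3 (56 base32 chars) onion hostname
# formats; anything else is rejected before it reaches the network.
is_onion_hostname() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z2-7]{16}\.onion$|^[a-z2-7]{56}\.onion$'
}

# Sync SRC to USER@ONION:DEST through Tor. --delete keeps the mirror exact.
# Returns 2 without connecting when ONION is not a plausible onion hostname.
sync_to_onion() {
    src=$1; user=$2; onion=$3; dest=$4
    is_onion_hostname "$onion" || { echo "not an onion hostname: $onion" >&2; return 2; }
    # torsocks routes ssh's connection through Tor's SOCKS port and resolves
    # the .onion name inside Tor, so no DNS request leaves the host.
    torsocks rsync -az --delete -e 'ssh -p 22' "$src/" "$user@$onion:$dest/"
}

# Usage (placeholders): sync_to_onion /var/www user xxxxxxxxxxxxxxxx.onion /var/www
```

Because the first host only ever initiates outbound connections and the second only accepts them through its hidden service, neither side needs an inbound port open, which keeps the firewall rule from section 1.1 intact on both.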

Supporting SecureDrop with Creative Commons

Dear SecureDrop supporters,

As of writing, there are 17 organizations actively using SecureDrop [1] in order to support secure and anonymous document submission. This number needs to increase for redundancy and diversity purposes. In this post I will describe one important way to enhance SecureDrop adoption.

Administrators of SecureDrop are responsible for creating an HTTPS landing page with the goal of educating its visitors about the technology including the ideal ways to use their SecureDrop server. Organizations employing SecureDrop must write thoughtful and clear instructions for their landing page based on their unique organizational requirements and goals. Freedom of the Press Foundation has written a sample privacy policy [2] that provides a solid foundation for some of this landing page content.

Exceptional SecureDrop landing pages already exist, and The Intercept’s SecureDrop landing page [3] is one example. I believe there is always room for improvement, which I have detailed in a related post, The limitations of SecureDrop and Tor for whistleblowers [4].

Proposal

To best support the use of high-quality information:

  1. Freedom of the Press Foundation should encourage SecureDrop adopters to license the semantic and/or graphics content of their respective landing page as Creative Commons Public Domain (CC0) [5] or Creative Commons Attribution-ShareAlike (CC-BY-SA) [6].
  2. Existing organizations employing SecureDrop should apply a CC0 or CC-BY-SA license to their SecureDrop landing page.

Tor Project already licenses their website’s content as CC-BY-SA [7] which is an important contribution in addition to their existing open source software.

SecureDrop is a complex security environment that depends on Tor. Tor Browser is also a complex security tool, despite Tor Project’s usability achievements. Additionally, high quality SecureDrop landing pages explain that Tails Linux should be used instead of Tor Browser when submitting documents, in order to mitigate specific security concerns. These are three independently complicated security tools that require clear and thoughtful information about their use. Of all possible users of Tor and SecureDrop, whistleblowers are the most security-sensitive population, and supporting them demands high quality information.

An unrestrictive Creative Commons license such as CC0 or CC-BY-SA applied to a SecureDrop landing page allows other organizations to easily adopt high quality information. Applying an open license would help foster a stronger community of organizations working hard to best support potential whistleblowers. Having to reword complex security precautions because of copyright restrictions is a dangerous proposition given the limited number of open source privacy technologies available.

Thank you!

References

[1] https://freedom.press/securedrop/directory

[2] https://securedrop.org/sample-privacy-policy

[3] https://theintercept.com/securedrop/

[4] https://yawnbox.com/?p=3655

[5] https://creativecommons.org/publicdomain/zero/1.0/

[6] https://creativecommons.org/licenses/by-sa/3.0/us/

[7] https://www.torproject.org/docs/trademark-faq.html.en

License

CC0

To the extent possible under law, the person who associated CC0 with Supporting SecureDrop with Creative Commons has waived all copyright and related or neighboring rights to Supporting SecureDrop with Creative Commons. This work is published from the United States.

A resolution for Seattle: encryption and anonymity as moral imperatives

Published: 2015-Sep-19
Updated: 2015-Sep-19, revision 17

CITY OF SEATTLE
RESOLUTION _________________

title

A RESOLUTION affirming the human right to encryption and anonymity as consistent with the findings of the United Nations report on encryption, anonymity, and the human rights framework, advancing previously adopted human rights resolutions.

body

WHEREAS, in December 2012, the Seattle City Council adopted Resolution 31420 proclaiming Seattle to be a Human Rights City, endorsing the human rights set forth in the Universal Declaration of Human Rights, recognizing the importance of using the international human rights framework for cities to work on their commitment to protecting, respecting, and fulfilling the full range of universal human rights; and

WHEREAS, in July 2015, the Seattle City Council adopted Resolution 31598 affirming privacy as a human right and aligning the work of the City’s privacy initiative with the right to privacy as described in the Universal Declaration of Human Rights; and

WHEREAS, in May 2015, the United Nations report on encryption, anonymity, and the human rights framework was published and finds that encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age; and

WHEREAS, with respect to encryption and anonymity, the City of Seattle should adopt policies of non-restriction or comprehensive protection: (1) only adopt restrictions on a case-specific basis and that meet the requirements of legality, necessity, proportionality and legitimacy in objective, (2) require court orders for any specific limitation, and (3) promote security and privacy online through public education; and

WHEREAS, potential criminality and emergency situations do not relieve the City of its obligation to ensure respect for international human rights law; and

WHEREAS, legislative proposals for the revision or adoption of restrictions on individual security or privacy online should be subject to public debate and adopted according to regular, public, informed and transparent legislative process; and

WHEREAS, the City must promote effective participation of a wide variety of civil society actors and minority groups in such debate and processes and avoid adopting such legislation under accelerated legislative procedures; and

WHEREAS, all Seattle organizations should not block or limit the transmission of encrypted communications and should permit anonymous communication; and

WHEREAS, all Seattle organizations should support secure technologies for websites and software applications, develop widespread end-to-end encryption, and employ anonymity-preserving software to support privacy-sensitive populations; and

WHEREAS, the City’s laws must recognize that individuals are free to protect the privacy of their communications by using encryption technology and tools that allow anonymity online; and

WHEREAS, the City’s legislation and regulations protecting human rights defenders and journalists must include provisions enabling access and providing support to use the technologies to secure their communications; and

WHEREAS, the City must avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows; and

WHEREAS, the City must refrain from making the identification of users a condition for access to digital communications and online services and requiring SIM card registration for mobile users; and

WHEREAS, all Seattle organizations should consider their own policies that restrict encryption and anonymity (including through the use of pseudonyms); and

WHEREAS, all Seattle organizations should follow internationally and regionally accepted principles for conducting business in accordance with human rights law; and

WHEREAS, court-ordered decryption, subject to domestic and international law, may only be permissible when it results from transparent and publicly accessible laws applied solely on a targeted, case-by-case basis to individuals (i.e., not to a mass of people) and subject to judicial warrant and the protection of due process rights of individuals; and

WHEREAS, all Seattle organizations will not conduct any manner of intentional or unintentional mass tracking, monitoring, or surveillance of person-linkable information or metadata without strict anonymization processes during collection, transfer, and storage processes; and

WHEREAS, if strict anonymization processes during person-linkable information or metadata collection, transfer, and storage cannot be performed, then those tracking, monitoring, or surveillance technologies will not be used; and

WHEREAS, given the relevance of new communication technologies in the promotion of human rights and development, all those involved should systematically promote access to encryption and anonymity without discrimination; and

WHEREAS, given the threats to freedom of expression online, corporate actors should review the adequacy of their practices with regard to human right norms; and

WHEREAS, Seattle companies should adhere to principles such as those laid out in the Guiding Principles on Business and Human Rights (PDF), the Global Network Initiative’s Principles on Freedom of Expression and Privacy (PDF), the European Commission’s ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, and the Telecommunications Industry Dialogue Guiding Principles; NOW, THEREFORE,

BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF SEATTLE, THE MAYOR CONCURRING, THAT:

Section 1. In accordance with the findings of the UN Report on encryption, anonymity, and the human rights framework, the City Council affirms that the human right to encryption and anonymity is foundational to human dignity, intellectual freedom, and democratic governance in the digital age.

Section 2. The City Council implores that all City of Seattle past, present, and future technology projects maximize person anonymity during the collection, transference, and storage of person-linkable data and information.

Section 3.

ACLU-WA encryption evangelism internship proposal

Goal

Further the use of FOSS encryption technologies within Washington legal and journalism circles.

Tor

Organizations, rather than individuals, are well placed to adopt Tor relays and Tor exit relays because they have the resources and stability. EFF’s “Tor Challenge” is unsuccessful at gaining long-term relays because it focuses on individuals, who are largely not committed or lack stable resources. ACLU-WA support could happen in three ways: write to local organizations who are likely to deploy a Tor relay, provide written education or in-person training, and create public reports on successes and failures. Supporting Tor supports human rights work 24/7/365, globally.

HTTPS and StartTLS

Many organizations that require privacy lack transport security for their websites and services. Focusing on specific types of organizations, such as law firms and news agencies, would benefit the public and overall Internet health. HTTPS is critical for keeping confidential which specific pages and forms are visited, in addition to any transmitted information. StartTLS is critical for keeping entire emails confidential. In light of recent developments in Texas [1], it would be timely to push Washington state legal policy organizations to adopt similar rules. The “Let’s Encrypt” launch has been pushed out to November 16th, 2015 [2]; it would be great to have 2 months to start a parallel ACLU-WA initiative (focused on law firms and news agencies, for example) so that it is ready when Let’s Encrypt launches, in order to benefit from and enhance the initial press.

TextSecure, RedPhone, & Signal

While HTTPS and StartTLS are important for public and private communication, mobile apps can greatly strengthen inter-org privacy. Classic telephony and SMS communications are insecure. The Open Whisper Systems ecosystem uses state of the art encryption, is scalable, and is free and open source software. Purchasing 5th gen iPod Touch devices is a small cost for law firms and allows lawyers to register their work phone number with Signal. Doing so would let anyone who has their regular work phone number use end-to-end encryption instead. No wiretaps, no SS7 tracking, no IMSI catcher tracking, and no baseband or SIM card vulnerabilities that are inherent with any cellular device.

SecureDrop

Whistleblowing is a critical part of a democracy, keeping the public informed and organizations accountable. SecureDrop, by Freedom Press Foundation, is a powerful tool that allows anyone to leak information to targeted organizations. SecureDrop has been around for 2 years and is largely used by news agencies. That being said, a very small fraction of news agencies support SecureDrop, which creates two problems: overall diversity and market diversity. Overall, there are too few trusted organizations for whistleblowers to choose from. If a specific person who has access to specific information is only comfortable providing it to a specific organization or person, but that organization has no secure whistleblowing platform, nothing will get leaked. Similarly, if only news agencies support secure whistleblowing platforms, other NGOs who might be better equipped to handle the response will not get leaks. ACLU-WA could work with Freedom Press Foundation to focus on evangelizing SecureDrop to NGOs.

Conclusion

Apathy about ethics and education is what prevents people from adopting FOSS security systems that provide privacy. It is one thing to be apathetic in our personal lives, but it is not acceptable in professions that demand privacy in order to keep people safe.

[1] http://ridethelightning.senseient.com/2015/07/when-must-lawyers-ethically-encrypt-data-texas-answers.html

[2] https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html

Infosec masters capstone ideas: supporting the closeted whistleblower

I’m a long way from having to choose a capstone but I want it to be meaningful. Focusing on an end goal is ideal so I can actively apply the concepts of my coursework to my capstone. Since learning about global surveillance systems (thank you Edward Snowden), I’ve been impassioned about learning about these systems and teaching people about them. Abused populations like journalists and whistleblowers are the groups that I identify with the most because of their importance for a democratic society.

Tor and Tor hidden services, in general, are intriguing, and there is a lot of existing academic work on them. However, there are four equally interesting software projects that are dependent on Tor’s success. We have Ricochet, an instant messaging client and soon to be file sharing client. There’s OnionShare, a file sharing client. There’s Pond, an email-like messaging client. And there’s SecureDrop, a file sharing and email-like messaging system.

Simply put, anonymity tools are required for information and metadata control; be it maximal deniability or maximal influence, whistleblowers need to control what is and is not exposed. Journalists are a tool of whistleblowers, not the other way around.

I am not a software developer or a cryptographer. I never want to be because my brain is not developed for those types of information manipulation. However, educators (technology trainers), which I have been valued for since I started using and understanding general purpose computers, are an important part of the information security ecosystem. As a surveillance self defense instructor for Seattle Privacy Coalition, it is clear that educators are a required part of trusted crypto tool adoption.

There is a societal need for people that understand information infrastructures, the operations of journalists, the threats of surveillance, crypto and software specialists, and how to boil all of that down into consumable information for the lay person. Not to mention be a valuable feedback loop for crypto and software developers.

Problems

Nothing in information security can ever be perfect because information security tools are always targeted at specific problems. Problems will always shift. Crypto and software developers need to solve many unique problems, and sources and journalists need to solve many unique problems. How do they work together?

As it stands, the problem that I want to tackle is helping bridge the gap between sources and journalists. Edward Snowden was largely successful as a whistleblower because his skill set is technical in nature. Knowledge of various systems allowed him to reap maximal control, although he was not alone. Snowden had a native advantage in the process of whistleblowing. Most people that are exposed to information presumed to have public interest are not technical and therefore do not have a native advantage. To leak something to a reporter they respect requires comfort with their own crypto tool knowledge, if any, and they have to commit to a journalist they think they can trust. Closeted whistleblowers are not going to pick a journalist just because they publish a PGP key or because their organization hosts a SecureDrop site.

The “closeted” whistleblower

‘Closeted’ and ‘in the closet’ are adjectives for lesbian, gay, bisexual, transgender etc. (LGBT) people who have not disclosed their sexual orientation or gender identity and aspects thereof, including sexual identity and sexual behavior.

This is applicable to a person who is conscious of organized wrong-doing, has information or access to information that is presumed to be in the public interest, and needs to leak said material to a publication organization.

The solution then must be education and awareness. Something structured yet easily adaptive. Should we develop source curriculum?

Semantic information–be it verbal or written, without hands-on workshops–probably transitions best into tacit knowledge if it is formed into scenarios. Source curriculum must avoid explicit information (regurgitation) wherever possible.

Questions

Can whistleblower threat modeling training be accomplished without in-person education?

SecureDrop landing pages are very specific. They do not offer hypotheticals, they focus purely on the “best” way to use a specific system. Is that enough to help turn a closeted whistleblower into a whistleblower?

Does SecureDrop support all forms of direct-to-journalist whistleblowing? If not, what’s missing?

Can web-based curriculum be designed well enough to turn computer users into secure whistleblowers?

Trust is always a required foundation in security. How do we teach “how to trust”?

I’ll think of more and better questions.