Category Archives: Activism

Emerald Onion has launched

The Tor network and the dot-Onion infrastructure were built with security and privacy in mind. This is unlike legacy clear-net infrastructure, which over the years has needed routine and dramatic security changes just to solve evolving security challenges. Even worse, modern security for legacy clear-net infrastructure does very little for privacy.

Vulnerable populations were the first to recognize the importance of a technology like “the onion router”. The United States Navy was among the first. The United States Navy realized very quickly that an anonymity network that only the Navy would use means that any of its users is from the United States Navy. To this day, the United States Navy researches and develops Tor.

Once Tor became a public, free, and open source project, journalists and other vulnerable populations with life-and-death threat models started using Tor. These survivors and human-rights defenders were a red flag. By the time Tor became a public project, other departments from the United States Government, such as the United States National Security Agency, had already started conducting global mass surveillance.

The United States Navy knew and continues to know that Tor is a necessity in a world dominated by global mass surveillance and by governments that strive for power and control.

Emerald Onion envisions a world where access and privacy are the defaults. This is necessary to ensure human rights including access to information and freedom of speech. If we do not have human rights online, we will not have them offline, either. We launched, officially, on July 2nd. We are looking at 10 year+ development and sustainability. Please reach out to me if you can think of ways to support our work.


House Bill 1909: Automatic License Plate Reader Systems

My testimony to the State of Washington House Transportation Committee:

Chair Clibborn and members of the committee, my name is Christopher Sheats, Chair of the Privacy Committee for Seattle’s Community Technology Advisory Board, and Chair of the Seattle Privacy Coalition. I want to make clear that any form of Automatic License Plate Reader (ALPR), regardless of its security or policy controls, is fundamentally a mass-surveillance system for the simple fact that it indiscriminately collects data about everyone.

ALPR mass-surveillance systems collect an incredible amount of personal information.

Where are you and where are you not?
Where are you heading?
What time were you there and not anywhere else?
Who else was traveling or not traveling around that time?

All of these personal facts can facilitate identifying our interests, affiliations, activities, and beliefs. Data collection, and any amount of data retention, allows for the copying and sharing of said data. According to the U.S. Department of Transportation Bureau of Transportation Statistics, an “overwhelming majority of person trips—for all purposes—are taken in personal vehicles.” When mass-surveillance data of our vehicles is collected, granularly surveilling a state, a city, a community, or an individual becomes trivial.

Where do they live?
Who lives around them?
Where do they go to church?
Who else goes to their church?
Where do they work?
When do they visit their friends and family?
When do they drop their children off at school or childcare?
When do they leave the house to go grocery shopping?
When do they visit their doctor and how often?

Answering these questions goes above and beyond “personal information,” yet these questions become answerable when data collected by an ALPR mass-surveillance system is gathered by an abusive government or hacker, domestic or foreign.

If the State is to condone ALPR mass-surveillance systems, whereby we have precluded we will not protect human rights by not collecting personal data in the first place, the only other rational alternative is to not retain collected data for any period longer than absolutely needed.

Thank you for your time.

Concerns of mine that I did not include in my testimony because of the delicate nature of politics:

Regarding House Bill 1909, I have several concerns:

1. How is House Bill 1909 going to impact RCW 40.24 — Address Confidentiality for Victims of Domestic Violence, Sexual Assault, and Stalking? Particularly, how is House Bill 1909 going to protect vulnerable people from law enforcement abuses?

2. Is any part of the ALPR mass-surveillance system, including data retention, managed or operated by unregulated third party providers?

3. Why are third parties not explicitly barred from owning and operating ALPR mass-surveillance systems?

4. What specific controls and audit safeguards will be put in place to prevent system operators from performing unapproved searches of people or vehicles?

5. Once data is collected by mass-surveillance systems, it can be copied, used, copied again, and re-used for unimaginable purposes. What specific controls and audit safeguards will be put in place to prevent data copying by federal agency data systems such as regional Fusion Centers?

6. The “Second War Powers Act of 1942” removed Census privacy protections of Japanese-Americans, allowing federal agents to know exactly where to go and whom to arrest. How is Washington State going to defend us from unconstitutional policy changes brought on by an illegitimate U.S. President?

Surprise props from the City

From January CTAB Minutes:

One last thing, because I’m trying to keep within my five minutes, I really want to say thank you to Christopher Sheats for the ongoing support as chair of CTAB Privacy Committee. I find it very invigorating to go to the CTAB Privacy Committee meetings, and look forward to their continued work and the guidance of that committee. I’m very thankful for the initial feedback. We have a little more baking to do on our side, and then we’ll be back in front of this group and Privacy to think about controls and how we consider deployment of that technology. I imagine that Christopher will have more to share about how the ACLU has been working with Councilmember Gonzalez on a rewrite of the City’s surveillance ordinance, which we agree that the current ordinance is not very effective, just in the way that it’s structured. It lacks accountability. It lacks clear definition. As a result, I don’t think the community or the City is getting the value of that legislation. One thing I’ve encouraged this group to think about is what role you would like to have in providing input to the rewrite of the surveillance ordinance. Be thinking about how you might want to engage the councilmember in making that desire to [unintelligible]. Christopher, I hope I’m not impeding on your update. But I put that out there to make sure that it’s on your wavelength. If there’s anything I or we can do in the way of support, please let us know.

Draft proposal for Debian

Draft:

Please criticize and contribute to the following:

Objectives:

1. The Debian community must immediately deploy Onion Service repositories for Debian downloads and Debian updates.

2. The Debian community must immediately deploy TLS-only repositories for Debian downloads and Debian updates as a backup to Onion Services.

3. The Debian community must assure anonymity-by-default with the employment of apt-transport-tor by changing existing update mechanics.

4. The Debian community must deploy a critical security update to patch existing update mechanics to use Onion Services.

Summary:

Current and future network adversaries can view and retain which repositories Debian servers connect to (metadata), when (metadata), the updates schedule (information), which updates are being applied (information), and into which operating system (information). This is incredibly valuable information for any adversary wanting to perform minimal attacks against Debian servers. Further, with cheapening data retention, mass-hacking and nation-state dominance are supported by the Debian community’s short-sighted update mechanics.

Edward Snowden has given the world factual evidence describing the capabilities and objectives of global powers and the Debian community has willfully neglected these problems.

Arguments:

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye — Presented to the Human Rights Council in May 2015:

(2)(A)(9) “Notably, encryption protects the content of communications but not identifying factors such as the Internet Protocol (IP) address, known as metadata. Third parties may gather significant information concerning an individual’s identity through metadata analysis if the user does not employ anonymity tools. Anonymity is the condition of avoiding identification. A common human desire to protect one’s identity from the crowd, anonymity may liberate a user to explore and impart ideas and opinions more than she would using her actual identity. […] Users seeking to ensure full anonymity or mask their identity (such as hiding the original IP address) against State or criminal intrusion may use tools such as virtual private networks (VPNs), proxy services, anonymizing networks and software, and peer-to-peer networks. One well-known anonymity tool, the Tor network, deploys more than 6,000 decentralized computer servers around the world to receive and relay data multiple times so as to hide identifying information about the end points, creating strong anonymity for its users.”

Debian powers more than one-third of the Internet. The default behavior of Debian is to obtain updates via clear-text HTTP which discloses the following to any network adversary:

1. Server location via IP address
2. Update server via IP address and DNS resolution
3. Server update schedule
4. Server version
5. Application version

This information, via network analysis, would allow any passive or active adversary to plan effective attacks against any Debian server.
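To make the five disclosures concrete, the following added example (not part of the original post) parses a constructed sample of clear-text APT requests and groups what each request reveals per client. The log format, the sample lines and the `profile` function are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: clear-text APT requests as an on-path observer or a
# proxy would log them. Assumed format: timestamp client_ip host method path.
# 203.0.113.7 is a documentation address (RFC 5737).
CAPTURE = """\
2016-03-01T06:25:03 203.0.113.7 httpredir.debian.org GET /debian/dists/jessie/InRelease
2016-03-01T06:25:09 203.0.113.7 security.debian.org GET /dists/jessie/updates/InRelease
2016-03-01T06:25:41 203.0.113.7 security.debian.org GET /pool/updates/main/o/openssl/libssl1.0.0_1.0.1k-3+deb8u4_amd64.deb
2016-03-02T06:25:02 203.0.113.7 httpredir.debian.org GET /debian/dists/jessie/InRelease
2016-03-02T06:25:30 203.0.113.7 httpredir.debian.org GET /debian/pool/main/s/sudo/sudo_1.8.10p3-1+deb8u3_amd64.deb
"""

DIST_RE = re.compile(r"/dists/([^/]+)/")                   # release codename
DEB_RE = re.compile(r"/([^/_]+)_([^/_]+)_([^/_]+)\.deb$")  # name_version_arch


def profile(capture):
    """Group requests by client IP into the five disclosures listed above."""
    hosts = defaultdict(lambda: {"mirrors": set(), "schedule": set(),
                                 "releases": set(), "packages": []})
    for line in capture.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # ignore malformed lines
        ts, client, mirror, _method, path = fields
        entry = hosts[client]                      # 1. server location (IP)
        entry["mirrors"].add(mirror)               # 2. update server
        entry["schedule"].add(ts[11:16])           # 3. update schedule (HH:MM)
        match = DIST_RE.search(path)
        if match:
            entry["releases"].add(match.group(1))  # 4. server (release) version
        match = DEB_RE.search(path)
        if match:
            entry["packages"].append(match.groups())  # 5. application versions
    return dict(hosts)


if __name__ == "__main__":
    for client, seen in profile(CAPTURE).items():
        print(client, sorted(seen["mirrors"]), sorted(seen["schedule"]),
              sorted(seen["releases"]))
        for name, version, arch in seen["packages"]:
            print("   ", name, version, arch)
```

Running the same parser over your own proxy or mirror logs shows what your hosts currently expose over HTTP.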

Not all adversaries are the same because not all servers have the same risk. Like people, data mining and data retention capabilities pose grave risks for infrastructure. HTTPS may resolve some of the above information leakage depending on an adversary’s capabilities, but Tor resolves them to a greater degree. Anonymity provides the strongest security and is the only acceptably secure option given the facts.

XKEYSCORE, a FVEY technology, is one example of a modern threat to Internet infrastructure. Via Wikipedia:

On January 26, 2014, the German broadcaster Norddeutscher Rundfunk asked Edward Snowden in its TV interview: “What could you do if you would [sic] use XKeyscore?” and he answered:

“You could read anyone’s email in the world, anybody you’ve got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you’re tracking: you can follow it as it moves from place to place throughout the world. It’s a one-stop-shop for access to the NSA’s information.

You can tag individuals… Let’s say you work at a major German corporation and I want access to that network, I can track your username on a website on a form somewhere, I can track your real name, I can track associations with your friends and I can build what’s called a fingerprint, which is network activity unique to you, which means anywhere you go in the world, anywhere you try to sort of hide your online presence, your identity.”

The question posed to Edward Snowden was rightly focused on people. However, an XKEYSCORE-like system can trivially threaten any node on the Internet. If XKEYSCORE-like systems can be programmed to track nations, servers, or application installations, the Debian community must act.

Scenarios:

1. Debian server > https://update-server.onion

In scenario 1, operating system and application updates are obtained exclusively within the Tor network with an added layer of Certificate Authority validation ability. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.

2. Debian server > http://update-server.onion

In scenario 2, operating system and application updates are obtained exclusively within the Tor network. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.

3. Debian server > tor+https://update-server.org

In scenario 3, operating system and application updates are obtained via Tor but must leave the Tor network to reach its HTTPS destination. All HTTP-based Certificate Authority, Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist once the traffic traverses Tor exit relays onto the normal Internet. Debian servers retain anonymity but security risk is increased.

4. Debian server > tor+http://update-server.org

In scenario 4, operating system and application updates are obtained via Tor but must leave the Tor network to reach its HTTP destination. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist once the traffic traverses Tor exit relays onto the normal Internet. Debian servers retain anonymity but security risk is increased.

5. Debian server > https://update-server.org

In scenario 5, operating system and application updates are obtained via normal Internet with minimal transport security. Server location information, update server information, and server update schedule information are easily obtainable, and sophisticated attackers can obtain server version information and package version information. All HTTP-based Certificate Authority, Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist.

6. Debian server > http://update-server.org

In scenario 6, the current Debian default, operating system and application updates are obtained via normal Internet with zero transport security. Server location information, update server information, server update schedule information, server version information, and package version information are trivially obtainable. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist.

Watch Democracy Now! via Tor Onion

Similar to ProPublica’s Onionsite for reading the news with integrity and privacy, I’ve created a repository of recent DN! episodes. I am tired of waiting for DN! to deploy HTTPS and I have doubts they’ll ever go further with an Onion.

If I could obtain a copy of DN! archives, I would explore hosting all of them. My current Onion host is limited in space but I could expand it. I also welcome feedback on ways that I could improve this setup. You can safely access this Onionsite with Tor Browser‘s ‘High’ Privacy and Security Setting.

http://at25itpf2cbg3asm.onion/

Below is the simple shell script that I use to grab the daily files, if they exist. It checks every 15 minutes via root’s crontab -e.

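#!/bin/bash
# Fetch today's Democracy Now! video, audio and torrent into the web root.

# Stop if the web root is missing so nothing is written elsewhere.
cd /var/www/html/ || exit 1

# File names embed the date as YYYY-MMDD.
daystamp=$(date +%Y-%m%d)

wget -m -p -E -k -K -np -nd -e robots=off -H -r "http://publish.dvlabs.com/democracynow/360/dn${daystamp}.mp4"

wget -m -p -E -k -K -np -nd -e robots=off -H -r "https://traffic.libsyn.com/democracynow/dn${daystamp}-1.mp3"

wget -m -p -E -k -K -np -nd -e robots=off -H -r "http://ewheel.democracynow.org/dn${daystamp}.mp4.torrent"

# The job runs as root; hand the downloaded files to the web server user.
chown -R www-data:www-data /var/www/html/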

Debian update repos: transport security and privacy

Some friends and I have started thinking about ways to bring attention to this important issue.

In short, network adversaries can view not only which repositories your server operating system connects to (metadata) and when (metadata), but precisely which updates are being applied. This allows a network adversary to know not only which vulnerabilities your operating system and applications are exposed to, but also which applications are installed and likely running.

This critical issue is aside from the fact that most repository signing keys are using 1024-bit keys, some of which were created in 2004 and do not expire. This is also aside from the fact that there are many man-in-the-middle attacks that HTTP is vulnerable to that high-grade HTTPS is not.

Further, no different than standard HTTP / HTTPS web browsing, non-Torified traffic is vulnerable to all types of Certificate Authority, Domain Name System, and Border Gateway Protocol attacks. It is equally critical to discuss apt-transport-tor.

Debian claims that HTTPS is not for privacy. In August 2014, B_Meson filed a bug on this issue, and it was closed.

Debian claims that apt-secure is good enough for security. This boils down to: “By adding a key to apt’s keyring, you’re telling apt to trust everything signed by the key.” Debian cannot assure that these keys have not been compromised. In Ubuntu, there is still a 1024-bit master signing key from 2004 in the apt-key keychain that does not expire!

I’ve purchased “apt-transport-https.org” (not active) presuming that this will be the homepage for this initiative. The initiative includes documenting popular repos, grading their SSL/TLS, and shaming organizations that are neglecting our security and privacy. Default security and privacy is a requirement.

Below is my initial list of popular repositories. Most fail. I am looking for feedback and advice on how we should document these problems and how we can best influence repository maintainers to care about modern security concerns.

Basically…

  • http is bad.
  • https is better for security.
  • tor+http is better for privacy.
  • tor+https is better for security and privacy.
  • http .onion is best for security and privacy.

Questions

  • Does apt-transport-https support configurations such as PFS, HSTS, HSTS Preload, or HPKP?
  • Can installing apt-transport-tor be configured to automatically replace known repos with an Onion replacement in sources.list?
  • Post-Snowden, why isn’t apt-transport-tor the default for all OS distributions?

Defaults

Debian OS:
http://httpredir.debian.org/
http://security.debian.org/

Ubuntu OS:
http://us.archive.ubuntu.com/
http://security.ubuntu.com/

Tails OS (using apt-transport-tor by default):
tor+http://deb.tails.boum.org/
tor+http://deb.torproject.org/
tor+http://ftp.us.debian.org/
tor+http://security.debian.org/

Subgraph OS (using apt-transport-tor by default):
tor+https://devrepo.subgraph.com/
tor+http://security.debian.org/
tor+http://httpredir.debian.org/

Kali OS:
http://http.kali.org/
http://security.kali.org/

Optional

Neither Debian nor Ubuntu distinguishes HTTPS mirrors:

Debian OS mirrors (ideal):
http://m4dcywym6p6poxdm.onion/debian/ (Info: http://onionmirors63y7c.onion/)

Ubuntu PPAs:
http://ppa.launchpad.net/

Tor Project, Inc apps:
https://deb.torproject.org/

Notes

An excellent discussion concerning Tails. Tails is a Debian based client and has different threat models than Debian based servers.

I’ve started a Google Doc list grading mirrors.

Configurations

Here’s what an improved Ubuntu configuration might look like:

sudo apt-get install apt-transport-tor
sudo vim /etc/apt/sources.list
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily main restricted
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily-updates main restricted
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily universe
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily-updates universe
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily-updates multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily-backports main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily-security main restricted
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily-security universe
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily-security multiverse

Debian example:

sudo apt-get install apt-transport-tor
sudo vim /etc/apt/sources.list
deb tor+http://m4dcywym6p6poxdm.onion/debian/ jessie main
deb tor+http://m4dcywym6p6poxdm.onion/debian/ jessie-updates main
deb tor+http://security.debian.org/ jessie/updates main
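To check a host against the transport ranking above and the six scenarios in the draft proposal, the following added example (not the author's code) parses one-line-style `sources.list` entries and assigns each the matching scenario number. The function names and the sample file are assumptions; the sample is constructed from repository URLs quoted on this page, and deb822 `.sources` files are not handled.

```python
from urllib.parse import urlsplit

# Scenario numbers follow the draft proposal: 1 is strongest, 6 is weakest.
SCENARIOS = {
    1: "https .onion",
    2: "http .onion",
    3: "tor+https, leaves Tor through an exit relay",
    4: "tor+http, leaves Tor through an exit relay",
    5: "https over the normal Internet",
    6: "http over the normal Internet",
}

# Constructed sample built from repository URLs quoted on this page.
SAMPLE = """\
# /etc/apt/sources.list (constructed sample)
deb http://httpredir.debian.org/debian jessie main
deb [arch=amd64] https://deb.torproject.org/torproject.org jessie main
deb tor+https://ubuntu.wikimedia.org/ubuntu/ wily main restricted
deb tor+http://security.debian.org/ jessie/updates main
deb tor+http://m4dcywym6p6poxdm.onion/debian/ jessie main
deb-src file:/srv/local-repo ./
"""


def classify_uri(uri):
    """Return the scenario number (1-6), or None for non-HTTP(S) sources."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    via_tor = scheme.startswith("tor+")
    base = scheme[4:] if via_tor else scheme
    if base not in ("http", "https") or not parts.hostname:
        return None  # file:, cdrom:, etc. are outside the six scenarios
    tls = base == "https"
    if parts.hostname.endswith(".onion"):
        return 1 if tls else 2
    if via_tor:
        return 3 if tls else 4
    return 5 if tls else 6


def parse_sources(text):
    """Yield (line_no, uri, suite) for each deb/deb-src entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue
        rest = fields[1:]
        if rest and rest[0].startswith("["):
            # Skip the optional "[ option=value ... ]" block.
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if len(rest) >= 2:
            yield line_no, rest[0], rest[1]


def audit(text):
    """Return (line_no, uri, scenario) for every entry in the file."""
    return [(n, uri, classify_uri(uri)) for n, uri, _suite in parse_sources(text)]


def failing(text, worst_allowed=4):
    """Entries weaker than worst_allowed (default: anything not using Tor)."""
    return [row for row in audit(text)
            if row[2] is not None and row[2] > worst_allowed]


if __name__ == "__main__":
    for line_no, uri, scenario in audit(SAMPLE):
        label = SCENARIOS.get(scenario, "not an HTTP(S) source")
        print(f"line {line_no}: scenario {scenario} ({label}) {uri}")
```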

Why Tor Matters

As far back as I can remember, I have been introspectively concerned and cautious about my physical safety and well being.

I believe this consciousness started when I was 4 years old. To this day I have vivid memories of being terribly frightened by the thought and act of jumping off of a 1-meter diving board into the deep end of a swimming pool. This was a routine occurrence for me as a child because swimming was the first sport I ever took part in.

Following swimming, at the age of 5, and following the footsteps of my older brother, I began training in martial arts. Karate, for me, taught me about physical awareness and control.

Attack

Around my 8th year of life, my mother and brothers became victim to an individual who ultimately forced us to make a decision for our need to do something about the domestic violence we were all wrapped up in. My family could continue to endure the abuse of said individual, or buy a gun and in an act of self-defense potentially commit an act of violence so severe that none of us would ever again be the same, or we could physically move ourselves to a safer location.

The only reason why buying a gun was an option to my mother was because having consulted with the state police, their recommendation was to “shoot the bastard.” We were told there were no laws to help us defend ourselves. This wasn’t an acceptable way of life to my family.

I don’t know if it was because of my mother’s martial arts training, her genuine regard for human life, or a combination of the two, but we fit everything into our car that we could and moved to Washington state. In order to best protect everyone involved, we physically relocated our entire family’s life, leaving behind my mother’s house and all of our friends. It was not easy, but from our point of view, necessary.

Defense

When my family and I moved to Washington state, my mother took part in domestic violence survival education and we quickly became participants in the Address Confidentiality Program (ACP). The benefits of the ACP included requiring government institutions to use our Secretary of State-provided P.O. Box address as our physical location address. This is a critical feature because our (United States of America) way of life is built around the documentation of our physical residence, including but not limited to the public information made available via mandatory State identification licensing, school registration, vehicle licensing, and common utilities such as water, trash, and power.

For a determined adversary, it is trivial to research or social engineer physical location information from public and private databases. Sadly, since the age of 8, I have been forced to understand the values of privacy as it concerns physical location safety.

Intellectual development

The Internet became a critical facet of my life, almost as much as Pokemon, during my late elementary and middle school years. In the late nineties, my mother saw so much value in a general-purpose computer for me and my brothers that she saved up and purchased a 500MHz Compaq. Life was never the same for me because of my new ability to read, download, and share so much, and without the restrictions imposed at school libraries.

It wasn’t until my second or third year at university that I became exposed to Tor from material I had read on Global Voices. However, at the time, because I was learning about computer networking and Virtual Private Networks, I remember being skeptical of the emergence of a technology dependent on volunteers. I did not understand the value of Tor until several years later.

My routine Tor use started sometime in 2010, around the time that I moved to the Seattle area. Prior to 2010, I had spent several years moving around between a total of roughly 25 different dormitories, apartments, and houses because of my prolonged undergraduate university studentship. Moving to the Seattle area had been my goal for many years. I moved into my first, independently financed, one-bedroom apartment. I finally started understanding the burden that is adulthood and the wonders and consequences of independence.

My use of Tor became routine for two reasons: one, to enhance my autonomy and independence, which was flourishing for me. The second reason, and probably the catalyst, was my childhood and family’s paranoia concerning our prior experiences of physical and mental violence. I became increasingly conscious of physical location information left behind on the Internet, a place I visited more often than I did my own kitchen.

In 2012, after 6 years of minor Wikipedia editing, I contacted Wikipedia’s administration asking for the ability to edit from the Tor network. Shockingly, they did not support my wishes.

Rights

Tor matters because of several human and United States’ rights.

The right to read is a fundamental requirement because of humanity’s need for the consumption, understanding, construction, and dissemination of information over time. Writing things down is an extension of our ability, as a species, to learn and to teach for our collective betterment. Independently, I cannot contribute to society without an unbounded right to access information.

The right to speak, or to contribute, is a fundamental requirement as an individual needing to sustain autonomy and connection. Without the unfettered ability to communicate with those around me, especially on the Internet, I cannot be a part of any system, small or large. Be it a need to warn others about problems, or a need to educate others about myself or our shared world, the right to freely express myself overwhelmingly supports the human condition.

The right to privacy is a fundamental human right that reinforces the development of the prior two rights above, something that cannot be understated. The right to intellectually develop in an autonomous way is the only power I have that not only dictates my individuality, but it supports responsibility in social contexts. I cannot hold myself accountable without the cognitive ability to process information in a way that distinguishes myself from my environments.

The right to read, the right to speak, and the right to privacy are things that the Internet and Tor empower me to exercise in a truly incredible way. If we are to survive as a culture and as a species, Tor has to be understood as a defining technology that embodies the values that we claim to have and want.