Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to run your code on the dark web (full version)

Ec25d046746de3be33779256f6957d8f?s=47 luke crouch
November 03, 2017

How to run your code on the dark web (full version)

Tor is an open anonymized network and web browser. Millions of users connect with Tor every day. Is your code ready for them? This talk introduces Tor, provides an overview of how it works and the adversaries and attacks its designed to stop, and shows that optimizing your code for Tor is quite practical, and improves your code for everyone.


luke crouch

November 03, 2017


  1. How to run your code on the dark web (and

    why you should)
  2. How to run your code on the dark web and

    why you should
  3. How to write your code for the dark web and

    why you should
  4. How to write your code for and why you should

  5. is a browser

  6. is a browser mostly

  7. is a browser patched

  8. is a browser patched with The Onion Router

  9. patched with The Onion Router Why is ?

  10. https://www.eff.org/pages/tor-and-https

  11. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

    on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address
  12. https://www.eff.org/pages/tor-and-https

  13. Note: IP = location https://www.geoiptool.com

  14. https://www.eff.org/pages/tor-and-https

  15. None
  16. None
  17. None
  18. None
  19. protects the user/pw & data from the intermediaries

  20. None
  21. None
  22. None
  23. None
  24. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

    on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address
  25. How do we protect
 location + destination from intermediaries?

  26. http://www.indiatimes.com/technology/how-to/an-idiot-s-guide-to-vpn-what-it-is-and-why-it-s-important-for-you-256154.html

  27. Some are bad

  28. Good ones cost $ https://www.privacytools.io/#vpn

  29. –Christopher Soghoian, “Your smartphone is a civic rights issue” TED

    Summit “… there is now increasingly a gap between the privacy and security of the rich, who can afford devices that secure their data by default, and of the poor, whose devices do very little to protect them by default.” https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
  30. How else can we protect
 location + destination from intermediaries?

  31. is a browser patched with The Onion Router

  32. The Onion Router?

  33. https://www.torproject.org/about/overview.html.en

  34. None
  35. https://www.torproject.org/about/overview.html.en

  36. None
  37. None
  38. None
  39. None
  40. None
  41. None
  42. None
  43. Tor protection from DNS + HTTP internet threats • Hackers-in-the-middle

    • ISPs snooping on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address
  44. Since Tor routes thru 3 networks …

  45. Optimize for latency (You should do this anyway)

  46. https://hpbn.co/primer-on-web-performance/#latency-as-a-performance-bottleneck

  47. None
  48. Latency Bandwidth

  49. on Cached: 0.56s Un-Cached: 1.44s

  50. on Cached: 4.38s Un-Cached: 11.99s

  51. None
  52. on Cached: 4.53s Un-Cached: 5.12s

  53. on Cached: 82.87s Un-Cached: 92.49s

  54. 21 requests 70 requests

  55. Minimize number of requests (You should do this anyway)

  56. Make fewer, larger asset bundles https://medium.com/@asyncmax/the-right-way-to-bundle-your-assets-for-faster-sites-over-http-2-437c37efe3ff

  57. Make CSS Sprites for images https://css-tricks.com/css-sprites/

  58. https://css-tricks.com/css-sprites/

  59. Use Data URIs for small images https://css-tricks.com/data-uris/

  60. https://css-tricks.com/data-uris/

  61. Icon Fonts* for icons https://css-tricks.com/examples/IconFont/

  62. https://css-tricks.com/examples/IconFont/

  63. Help the browser with Resource hints (You should do this

    anyway) https://w3c.github.io/resource-hints
  64. Use rel=“preload” when you know sprite images will be included

  65. Use rel=“prefetch” when a resource is likely to be included

    in a future navigation page1.html page2.html https://w3c.github.io/resource-hints/#dfn-prefetch
  66. Use rel=“preconnect” when you know a domain may be contacted

  67. (Note: Wait until Q1’18 to do this for Tor)

  68. Make CDN work with exit nodes

  69. https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-

  70. https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-

  71. Yay! Your site is faster for users

  72. Oh noes! Your users are hacked!

  73. Remember these?

  74. https://www.torproject.org/about/overview.html.en

  75. None
  76. https://www.khanacademy.org/computing/computer-science/cryptography/modern-crypt/v/diffie-hellman-key-exchange-part-1

  77. Tor Encryption https://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/

  78. Tor Encryption https://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/ Note: exit nodes can see the Original

  79. hacked

  80. hacked hacked hacked hacked

  81. exit node threats = Man-in-the-Middle threats • exit node snooping

    on unencrypted data:
 user/password, PII, etc. • Hook browsers with BeEF • Backdoor binaries
  82. None
  83. protects the location, destination, user/pw, & data from the intermediaries

  84. Use HTTPS (OMG you should do this anyway!)

  85. +

  86. brew install certbot sudo certbot certonly --manual —preferred-challenges dns

  87. None
  88. Please deploy a DNS TXT record under the name _acme-challenge.www.codesy.io

    with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue
  89. None
  90. None
  91. observatory.mozilla.org

  92. None
  93. None
  94. None
  95. Yay! Your code is faster and more secure for users

  96. Oh noes! Your code is broken in

  97. is a browser patched

  98. is a browser patched ESR

  99. None
  100. Firefox ESR

  101. Make your code work in Firefox ESR (You should do

    this anyway)
  102. Make your code work in all browsers! (You should do

    this anyway)
  103. Download ESR

  104. Firefox Dev Tools!

  105. caniuse.com

  106. None
  107. None
  108. None
  109. MDN Browser Compat

  110. kangax.com

  111. Coding tools • Autoprefixer • CSSNext • Oldie • PostCSS

    plugins • Modernizr • @supports
  112. Browser CI Platforms • Saucelabs • Browserstack

    include Firefox ESR
  113. Yay! Your code works for users ESR

  114. Oh noes! Some of your code is still broken in

  115. Why is patched ESR

  116. https://www.torproject.org/projects/torbrowser/design/

  117. Adversary Model • Goals • Capabilities - Positioning • Capabilities

    - Attacks
  118. Adversary Models guide Implementations

  119. For example …

  120. Someone Confiscates Computer

  121. Tor Implementation: Disk Avoidance Confiscate

  122. https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.2.0esr-7.5-1&id=dda0385cc49240f8bd115476c870d61863741f4c

  123. So … Tor users will have to sign in every

  124. Another example …

  125. None
  126. Fingerprint

  127. None
  128. E.g., WebGL Fingerprinting http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf

  129. Tor Implementation: Cross-Origin Fingerprinting Unlinkability

  130. https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.2.0esr-7.5-1&id=dda0385cc49240f8bd115476c870d61863741f4c Minimal WebGL No Gamepads Popups open into new tabs

    UTC timezone No device sensors No WebAudio Windows 7
  131. To really debug everything …

  132. Download Tor !

  133. Tor Dev Tools!

  134. Oh noes! Some of your code is STILL broken in

  135. None
  136. * * Icon Fonts

  137. No JavaScript Slow JavaScript No MathML No SVG No Web

  138. No JavaScript?!

  139. None
  140. hacked

  141. https://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

  142. https://web.archive.org/web/20130806020101/https://pastebin.mozilla.org/2777139 ESR/Tor

  143. Summary • Optimize for latency • Make it work in

    Firefox (ESR) • (Optional) WITHOUT:
 JavaScript, MathML, SVG, Web Fonts
  144. Yay! Your code works* fast* and secure* for users *

    for some definition of “works|fast|secure”
  145. Oh noes! YOU are pwned

  146. Oh noes! YOU are pwned if YOU were trying to

    stay anonymous
  147. Now we’re (finally) to the dark web

  148. https://www.bibliotecapleyades.net/sociopolitica/sociopol_internet214.htm

  149. https://www.quora.com/What-is-the-deep-dark-web-and-how-do-you-access-it

  150. https://www.eff.org/pages/tor-and-https

  151. https://www.eff.org/pages/tor-and-https

  152. None
  153. How do you set up ? Site.com

  154. https://domain.me/how-domain-names-work/

  155. https://domain.me/how-domain-names-work/

  156. https://whois.icann.org/en/domain-name-registration-process

  157. Not Anonymous

  158. Not Anonymous

  159. How do you set up anonymously? Site.com

  160. You set up Site.onion

  161. is a Tor Hidden Service Site.onion

  162. a Tor Hidden Service uses a “rendezvous protocol” instead of

  163. https://www.torproject.org/docs/hidden-services.html.en

  164. https://www.torproject.org/docs/hidden-services.html.en

  165. https://www.torproject.org/docs/hidden-services.html.en

  166. reddit.com/r/onions

  167. https://www.torproject.org/docs/hidden-services.html.en

  168. https://www.torproject.org/docs/hidden-services.html.en

  169. https://www.torproject.org/docs/hidden-services.html.en

  170. Rendezvous Point

  171. is easy to set up! Site.onion

  172. 1. Run a web server 2. Edit your torrc file

    3. Run tor Site.onion
  173. None
  174. torrc

  175. None
  176. None
  177. None
  178. None
  179. Yay! Your .onion is working!

  180. But since
 Tor hidden services hop thru 6 nodes …

  181. … really, optimize for latency (You should do this anyway)

  182. Optimize for latency • Minimize Requests • Prefer fewer, larger

    asset bundles • Use CSS Sprites for images • Use Data URIs for small images • Use Icon Fonts • Use Resource Hints • Allow CDN access from Tor nodes
  183. … wait … Can you use a CDN with hidden

  184. Clear-web CDN requests can reveal site owner

  185. 200ok.us

  186. Not Anonymous Not Anonymous DERP!

  187. Not Anonym ous

  188. https://trac.torproject.org/projects/tor/ticket/9623

  189. No Referer

  190. Only use public CDN with hidden service?

  191. Optimize for latency • Minimize Requests • Use Resource Hints

    • Only use public CDNs • Probably just don’t use a CDN
  192. Oh noes! You are still hacked identified!

  193. OnionScan

  194. Not Anonymous

  195. Get an anonymous email address

  196. Encrypted Email privacytools.io

  197. None
  198. None
  199. None
  200. Yay! You have anonymous email You should have this anyway

  201. Note: Use PGP between email providers

  202. Oh noes! You are still hacked identified!

  203. May not be Anonymous

  204. None
  205. See?

  206. None
  207. None
  208. Strip EXIF data from images You should do this anyway

  209. Yay! You have location-free images You should probably have this

  210. Oh noes! You (and your users) are still hacked identified!

  211. May not be Anonymous

  212. Obfuscate uploaded file-names You should do this anyway

  213. More Checks Apache mod_status leak Open directories Server fingerprints Analytics

    IDs PGP IDs SSH fingerprints FTP & SMTP banners Cryptocurrency clients IRC, XMPP, VNC, Ricochet
  214. Oh noes! Some hacks against your users are “easier” on

    the dark web.
  215. Phishing on the dark web https://pirate.london/intercepting-drug-deals-charity-and-onionland-a2f9bb306b04

  216. Brute-force .onion keys + Run MITM Proxy

  217. http://www.reuters.com/article/us-virginia-protests-daily-stormer-idUSKCN1AV1HY?il=0

  218. BTC address of neo-nazi @$$-holes

  219. Use GPU instead of CPU: 115M Hashes/sec 701,505,730,000,000 hashes 1h

    41m 9s dstormer65alxsqn.onion
  220. proxychains4 \ mitmproxy \ -p 20081 \ -R http://dstormer6em3i4km.onion \

    —anticache \ -s “replace_btc.py 19m9yEChBSPuzCzEMmg1dNbPvdLdWA59rS 1CU5YgjquupDw6UeXEyA9VEBH34R7fZ19b” --replace ":~hq .:dstormer65alxsqn.onion:dstormer6em3i4 km.onion" /etc/tor/torrc
 HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 /etc/proxychains.conf
 [ProxyList] socks4 9050
  221. BTC address of tunapanda.org: teaching tech skills to low-income people

    in east Africa
  222. Yay! Nazis are hacked! (Because screw Nazis)

  223. Writing code for the dark web is fun

  224. Writing code for the dark web makes your code better

  225. Writing code for the dark web makes your code better

    faster more secure more compatible
  226. Writing code for the dark web makes you think

  227. Writing code for the dark web makes you think about

    your privacy
  228. Writing code for the dark web makes you think about

    others’ privacy
  229. … but wait, isn’t the dark web just for criminals?

  230. Yes, there are criminals on the the dark web

  231. None
  232. None
  233. traderouteilbgzt.onion

  234. … but most of the sites on
 the dark web

    are not illegal
  235. “In February a presentation by INTELLIAGG and DARKSUM reported that

    they had classified 29,532 onion services and reported that 52% of these sites contained illegal content. … taking into account a 29% duplication rate and at least 10% of traffic being SSH (not to mention the various other protocols) - then we have to conclude that the amount of crime is far lower than the reported 52% figure.” https://mascherari.press/onionscan-report-april-2016-the-tor-network-security-and-crime/
  236. the dark web is not illegal tech

  237. the dark web is neutral tech

  238. the dark web is anonymity tech

  239. Clear web sites use
 the dark web

  240. None
  241. None
  242. None
  243. None
  244. None
  245. None
  246. http://33y6fjyhs3phzfjj.onion/

  247. http://33y6fjyhs3phzfjj.onion/generate

  248. None
  249. https://docs.securedrop.org/en/latest/overview.html#infrastructure

  250. Hardware • Run your own physical machines to prevent in-memory

    access by adversaries with physical access • 2 computers for SecureDrop application • 1 computer each for Admin, Journalist, and Secure Viewing Station • 2FA devices (smartphone or yubikey) • Network firewall & 3 ethernet cables • Plenty of USB sticks • Writeable DVD/CD-R discs
  251. Create Tails USB sticks • Create Tails USB sticks •

    Secure Viewing Station • Admin Workstation • Label them immediately
  252. None
  253. Set up secure viewing station

  254. Set up secure viewing station • Insert & run Secure

    Viewing Station Tails USB • air-gapped from internet • physically remove other storage & networking • fill ports with epoxy • remove speakers to prevent
 exfiltration of data via ultrasonic audio
 (yes, it’s a thing)
  255. Set up transfer device

  256. Set up transfer device • encrypt the drive • plug

    into secure viewing station and journalist station; • check box to remember passphrase
  257. Use CD-R/DVD, because BadUSB • “Very widely spread USB controller

    chips, including those in thumb drives, have no protection from … being reprogrammed” to … • emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer. • detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot • Once infected, computers and their USB peripherals can never be trusted again.
  258. Generate Submission Key (For/from secure viewing station) • Correct system

    time (to prevent some brute-force shortcuts based on time) • Create the RSA 4096 key (gpg —full-generate-key) • Export public key to transfer device
  259. Set up admin workstation

  260. Set up admin workstation • Insert & run Admin Workstation

    Tails USB • Connected to internet via Tor • Download SecureDrop
 git clone https://github.com/freedomofpress/securedrop.git • Download & verify SecureDrop Release Signing Key
 gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" • Verify release tag
 git tag -v 0.4.3
 Good signature from "SecureDrop Release Signing Key" • Create Admin Passphrase Database (KeePassX)
  261. Set up (pfSense) firewalls • Admin subnet • Application subnet

    • Monitor subnet • No DHCP • Static IP for Admin workstation
  262. Set up servers

  263. Install SecureDrop

  264. Set up Authenticated Tor Hidden Services auth-cookie values in torrc

  265. Okay, You’re probably not building SecureDrop

  266. But you can respect your users’ privacy

  267. “Privacy by Design” https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/

  268. Privacy Guidelines for Designing Personalization https://www.smashingmagazine.com/2016/03/privacy-for-personalization/

  269. Clumsy transition to preachy privacy part …

  270. http://www.slate.com/articles/technology/future_tense/2017/07/women_young_people_experience_the_chilling_effects_of_surveillance_at_higher.html

  271. –Trisha Salas @ Thunder Plains 2016 “I want to try

    Tor … but I heard it puts you on some kind of list … and I plan to travel soon.”
  272. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 “There are

    dozens of psychological studies that prove that when somebody knows that they might be watched, the behavior they engage in is vastly more conformist and compliant.” https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
  273. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “This

    realization was exploited most powerfully for pragmatic ends by the 18th-century philosopher Jeremy Bentham, who set out to resolve an important problem ushered in by the industrial age. Where, for the first time, institutions had become so large and centralized that they were no longer able to monitor and therefore control each one of their individual members. And the solution that he devised was an architectural design - originally intended to be implemented in prisons - that he called the panopticon.”
  274. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “The

    primary attribute of which was the construction of an enormous tower in the center of the institution where whoever controlled the institution could, at any moment, watch any of the inmates, although they couldn’t watch all of them at all times. And crucial to this design was that the inmates could not see into the panopticon, into the tower, and so they never knew if they were being watched.”
  275. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “And

    what made him so excited about this discovery was that would mean the prisoners would have to assume that they were being watched at any given moment, which would be the ultimate enforcer for obedience and compliance.”
  276. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “The

    20th-century French philosopher Michel Foucault realized that model could be used not just for prisons but for every institution that seeks to control human behavior - schools, hospitals, factories, workplaces.”
  277. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “And

    what he said was that this mindset, this framework discovered by Bentham, was the key means of societal control for modern western societies which no longer need the overt weapons of tyranny - punishing or imprisoning or killing dissidents; or legally compelling loyalty to a particular party … because mass surveillance creates a prison in the mind that is a much more subtle but much more effective means of fostering compliance … much more effective than brute force could ever be.”
  278. “There’s a strong physiological basis for privacy. Biologist Peter Watts

    makes the point that a desire for privacy is innate: mammals in particular don’t respond well to surveillance. We consider it a physical threat, because animals in the natural world are surveilled by predators. –Data and Goliath, by Bruce Schneier
  279. “Surveillance makes us feel like prey, just as it makes

    surveyors act like predators.” –Data and Goliath, by Bruce Schneier
  280. None
  281. “… information collection takes place in asymmetrical power relationships: we

    rarely have a choice as to whether or not we are monitored, what is done with any information that is gathered, or what is done to us on the basis of conclusions drawn from that information.”
  282. “One of the benefits of running a Tor relay is

    the additional layer of confusion it creates: is this traffic starting with you, or are you just passing it along for someone else?”
  283. TrackMeNot randomly searches

  284. AdNauseam randomly clicks ads

  285. None
  286. –me “I have done many weird things with/on Tor and

    I’ve had no problems traveling.
 In fact, using Tor is quite empowering.”
  287. Questions? • Optimize for latency • Use HTTPS • Make

    it work in Firefox ESR • Set up your .onion • OnionScan • Privacy • torproject.org • eff.org • onionscan.org • mascherari.press • speakerdeck.com/ groovecoder