How to run your code on the dark web (full version)

Transcript

1. How to run your code on the dark web (and

   why you should)

2. How to run your code on the dark web and

   why you should

3. How to write your code for the dark web and

   why you should

4. How to write your code for and why you should

5. is a browser

6. is a browser mostly

7. is a browser patched

8. is a browser patched with The Onion Router

9. patched with The Onion Router Why is ?

10. https://www.eff.org/pages/tor-and-https

11. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

    on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

12. https://www.eff.org/pages/tor-and-https

13. Note: IP = location https://www.geoiptool.com

14. https://www.eff.org/pages/tor-and-https

15. None
16. None
17. None
18. None

19. protects the user/pw & data from the intermediaries

20. None
21. None
22. None
23. None

24. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

    on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

25. How do we protect
 location + destination from intermediaries?

26. http://www.indiatimes.com/technology/how-to/an-idiot-s-guide-to-vpn-what-it-is-and-why-it-s-important-for-you-256154.html

27. Some are bad

28. Good ones cost $ https://www.privacytools.io/#vpn

29. –Christopher Soghoian, “Your smartphone is a civic rights issue” TED

    Summit “… there is now increasingly a gap between the privacy and security of the rich, who can afford devices that secure their data by default, and of the poor, whose devices do very little to protect them by default.” https://www.ted.com/talks/glenn_greenwald_why_privacy_matters

30. How else can we protect
 location + destination from intermediaries?

31. is a browser patched with The Onion Router

32. The Onion Router?

33. https://www.torproject.org/about/overview.html.en

34. None

35. https://www.torproject.org/about/overview.html.en

36. None
37. None
38. None
39. None
40. None
41. None
42. None

43. Tor protection from DNS + HTTP internet threats • Hackers-in-the-middle

    • ISPs snooping on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

44. Since Tor routes thru 3 networks …

45. Optimize for latency (You should do this anyway)

46. https://hpbn.co/primer-on-web-performance/#latency-as-a-performance-bottleneck

47. None

48. Latency Bandwidth

49. on Cached: 0.56s Un-Cached: 1.44s

50. on Cached: 4.38s Un-Cached: 11.99s

51. None

52. on Cached: 4.53s Un-Cached: 5.12s

53. on Cached: 82.87s Un-Cached: 92.49s

54. 21 requests 70 requests

55. Minimize number of requests (You should do this anyway)

56. Make fewer, larger asset bundles https://medium.com/@asyncmax/the-right-way-to-bundle-your-assets-for-faster-sites-over-http-2-437c37efe3ff

57. Make CSS Sprites for images https://css-tricks.com/css-sprites/

58. https://css-tricks.com/css-sprites/

59. Use Data URIs for small images https://css-tricks.com/data-uris/

60. https://css-tricks.com/data-uris/

61. Icon Fonts* for icons https://css-tricks.com/examples/IconFont/

62. https://css-tricks.com/examples/IconFont/

63. Help the browser with Resource hints (You should do this

    anyway) https://w3c.github.io/resource-hints

64. Use rel=“preload” when you know sprite images will be included

    https://developer.mozilla.org/docs/Web/HTML/Preloading_content

65. Use rel=“prefetch” when a resource is likely to be included

    in a future navigation page1.html page2.html https://w3c.github.io/resource-hints/#dfn-prefetch

66. Use rel=“preconnect” when you know a domain may be contacted

    https://w3c.github.io/resource-hints/#dfn-preconnect

67. (Note: Wait until Q1’18 to do this for Tor)

68. Make CDN work with exit nodes

69. https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-

70. https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-

71. Yay! Your site is faster for users

72. Oh noes! Your users are hacked!

73. Remember these?

74. https://www.torproject.org/about/overview.html.en

75. None

76. https://www.khanacademy.org/computing/computer-science/cryptography/modern-crypt/v/diffie-hellman-key-exchange-part-1

77. Tor Encryption https://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/

78. Tor Encryption https://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/ Note: exit nodes can see the Original

    Data

79. hacked

80. hacked hacked hacked hacked

81. exit node threats = Man-in-the-Middle threats • exit node snooping

    on unencrypted data:
 user/password, PII, etc. • Hook browsers with BeEF • Backdoor binaries
82. None

83. protects the location, destination, user/pw, & data from the intermediaries

    +

84. Use HTTPS (OMG you should do this anyway!)

85. +

86. brew install certbot sudo certbot certonly --manual —preferred-challenges dns

87. None

88. Please deploy a DNS TXT record under the name _acme-challenge.www.codesy.io

    with the following value: CxYdvM…5WvXR0 Once this is deployed, Press ENTER to continue
89. None
90. None

91. observatory.mozilla.org

92. None
93. None
94. None

95. Yay! Your code is faster and more secure for users

96. Oh noes! Your code is broken in

97. is a browser patched

98. is a browser patched ESR

99. None

100. Firefox ESR

101. Make your code work in Firefox ESR (You should do

     this anyway)

102. Make your code work in all browsers! (You should do

     this anyway)

103. Download ESR

104. Firefox Dev Tools!

105. caniuse.com

106. None
107. None
108. None

109. MDN Browser Compat

110. kangax.com

111. Coding tools • Autoprefixer • CSSNext • Oldie • PostCSS

     plugins • Modernizr • @supports

112. Browser CI Platforms • Saucelabs • Browserstack
 
 
 Both

     include Firefox ESR

113. Yay! Your code works for users ESR

114. Oh noes! Some of your code is still broken in

115. Why is patched ESR

116. https://www.torproject.org/projects/torbrowser/design/

117. Adversary Model • Goals • Capabilities - Positioning • Capabilities

     - Attacks

118. Adversary Models guide Implementations

119. For example …

120. Someone Confiscates Computer

121. Tor Implementation: Disk Avoidance Confiscate

122. https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.2.0esr-7.5-1&id=dda0385cc49240f8bd115476c870d61863741f4c

123. So … Tor users will have to sign in every

     time

124. Another example …

125. None

126. Fingerprint

127. None

128. E.g., WebGL Fingerprinting http://cseweb.ucsd.edu/~hovav/dist/canvas.pdf

129. Tor Implementation: Cross-Origin Fingerprinting Unlinkability

130. https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.2.0esr-7.5-1&id=dda0385cc49240f8bd115476c870d61863741f4c Minimal WebGL No Gamepads Popups open into new tabs

     UTC timezone No device sensors No WebAudio Windows 7

131. To really debug everything …

132. Download Tor !

133. Tor Dev Tools!

134. Oh noes! Some of your code is STILL broken in

135. None

136. * * Icon Fonts

137. No JavaScript Slow JavaScript No MathML No SVG No Web

     Fonts

138. No JavaScript?!

139. None

140. hacked

141. https://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/

142. https://web.archive.org/web/20130806020101/https://pastebin.mozilla.org/2777139 ESR/Tor

143. Summary • Optimize for latency • Make it work in

     Firefox (ESR) • (Optional) WITHOUT:
 JavaScript, MathML, SVG, Web Fonts

144. Yay! Your code works* fast* and secure* for users *

     for some definition of “works|fast|secure”

145. Oh noes! YOU are pwned

146. Oh noes! YOU are pwned if YOU were trying to

     stay anonymous

147. Now we’re (finally) to the dark web

148. https://www.bibliotecapleyades.net/sociopolitica/sociopol_internet214.htm

149. https://www.quora.com/What-is-the-deep-dark-web-and-how-do-you-access-it

150. https://www.eff.org/pages/tor-and-https

151. https://www.eff.org/pages/tor-and-https

152. None

153. How do you set up ? Site.com

154. https://domain.me/how-domain-names-work/

155. https://domain.me/how-domain-names-work/

156. https://whois.icann.org/en/domain-name-registration-process

157. Not Anonymous

158. Not Anonymous

159. How do you set up anonymously? Site.com

160. You set up Site.onion

161. is a Tor Hidden Service Site.onion

162. a Tor Hidden Service uses a “rendezvous protocol” instead of

     DNS

163. https://www.torproject.org/docs/hidden-services.html.en

164. https://www.torproject.org/docs/hidden-services.html.en

165. https://www.torproject.org/docs/hidden-services.html.en

166. reddit.com/r/onions

167. https://www.torproject.org/docs/hidden-services.html.en

168. https://www.torproject.org/docs/hidden-services.html.en

169. https://www.torproject.org/docs/hidden-services.html.en

170. Rendezvous Point

171. is easy to set up! Site.onion

172. 1. Run a web server 2. Edit your torrc file

     3. Run tor Site.onion
173. None

174. torrc

175. None
176. None
177. None
178. None

179. Yay! Your .onion is working!

180. But since
 Tor hidden services hop thru 6 nodes …

181. … really, optimize for latency (You should do this anyway)

182. Optimize for latency • Minimize Requests • Prefer fewer, larger

     asset bundles • Use CSS Sprites for images • Use Data URIs for small images • Use Icon Fonts • Use Resource Hints • Allow CDN access from Tor nodes

183. … wait … Can you use a CDN with hidden

     service?

184. Clear-web CDN requests can reveal site owner

185. 200ok.us

186. Not Anonymous Not Anonymous DERP!

187. Not Anonym ous

188. https://trac.torproject.org/projects/tor/ticket/9623

189. No Referer

190. Only use public CDN with hidden service?

191. Optimize for latency • Minimize Requests • Use Resource Hints

     • Only use public CDNs • Probably just don’t use a CDN

192. Oh noes! You are still hacked identified!

193. OnionScan

194. Not Anonymous

195. Get an anonymous email address

196. Encrypted Email privacytools.io

197. None
198. None
199. None

200. Yay! You have anonymous email You should have this anyway

201. Note: Use PGP between email providers

202. Oh noes! You are still hacked identified!

203. May not be Anonymous

204. None

205. See?

206. None
207. None

208. Strip EXIF data from images You should do this anyway

209. Yay! You have location-free images You should probably have this

     anyway

210. Oh noes! You (and your users) are still hacked identified!

211. May not be Anonymous

212. Obfuscate uploaded file-names You should do this anyway

213. More Checks Apache mod_status leak Open directories Server fingerprints Analytics

     IDs PGP IDs SSH fingerprints FTP & SMTP banners Cryptocurrency clients IRC, XMPP, VNC, Ricochet

214. Oh noes! Some hacks against your users are “easier” on

     the dark web.

215. Phishing on the dark web https://pirate.london/intercepting-drug-deals-charity-and-onionland-a2f9bb306b04

216. Brute-force .onion keys + Run MITM Proxy

217. http://www.reuters.com/article/us-virginia-protests-daily-stormer-idUSKCN1AV1HY?il=0

218. BTC address of neo-nazi @$$-holes

219. Use GPU instead of CPU: 115M Hashes/sec 701,505,730,000,000 hashes 1h

     41m 9s dstormer65alxsqn.onion

220. proxychains4 \ mitmproxy \ -p 20081 \ -R http://dstormer6em3i4km.onion \

     —anticache \ -s “replace_btc.py 19m9yEChBSPuzCzEMmg1dNbPvdLdWA59rS 1CU5YgjquupDw6UeXEyA9VEBH34R7fZ19b” --replace ":~hq .:dstormer65alxsqn.onion:dstormer6em3i4 km.onion" /etc/tor/torrc
 HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:20081 /etc/proxychains.conf
 [ProxyList] socks4 127.0.0.1 9050

221. BTC address of tunapanda.org: teaching tech skills to low-income people

     in east Africa

222. Yay! Nazis are hacked! (Because screw Nazis)

223. Writing code for the dark web is fun

224. Writing code for the dark web makes your code better

225. Writing code for the dark web makes your code better

     faster more secure more compatible

226. Writing code for the dark web makes you think

227. Writing code for the dark web makes you think about

     your privacy

228. Writing code for the dark web makes you think about

     others’ privacy

229. … but wait, isn’t the dark web just for criminals?

230. Yes, there are criminals on the the dark web

231. None
232. None

233. traderouteilbgzt.onion

234. … but most of the sites on
 the dark web

     are not illegal

235. “In February a presentation by INTELLIAGG and DARKSUM reported that

     they had classified 29,532 onion services and reported that 52% of these sites contained illegal content. … taking into account a 29% duplication rate and at least 10% of traffic being SSH (not to mention the various other protocols) - then we have to conclude that the amount of crime is far lower than the reported 52% figure.” https://mascherari.press/onionscan-report-april-2016-the-tor-network-security-and-crime/

236. the dark web is not illegal tech

237. the dark web is neutral tech

238. the dark web is anonymity tech

239. Clear web sites use
 the dark web

240. None
241. None
242. None
243. None
244. None
245. None

246. http://33y6fjyhs3phzfjj.onion/

247. http://33y6fjyhs3phzfjj.onion/generate

248. None

249. https://docs.securedrop.org/en/latest/overview.html#infrastructure

250. Hardware • Run your own physical machines to prevent in-memory

     access by adversaries with physical access • 2 computers for SecureDrop application • 1 computer each for Admin, Journalist, and Secure Viewing Station • 2FA devices (smartphone or yubikey) • Network firewall & 3 ethernet cables • Plenty of USB sticks • Writeable DVD/CD-R discs

251. Create Tails USB sticks • Create Tails USB sticks •

     Secure Viewing Station • Admin Workstation • Label them immediately
252. None

253. Set up secure viewing station

254. Set up secure viewing station • Insert & run Secure

     Viewing Station Tails USB • air-gapped from internet • physically remove other storage & networking • fill ports with epoxy • remove speakers to prevent
 exfiltration of data via ultrasonic audio
 (yes, it’s a thing)

255. Set up transfer device

256. Set up transfer device • encrypt the drive • plug

     into secure viewing station and journalist station; • check box to remember passphrase

257. Use CD-R/DVD, because BadUSB • “Very widely spread USB controller

     chips, including those in thumb drives, have no protection from … being reprogrammed” to … • emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer. • detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot • Once infected, computers and their USB peripherals can never be trusted again.

258. Generate Submission Key (For/from secure viewing station) • Correct system

     time (to prevent some brute-force shortcuts based on time) • Create the RSA 4096 key (gpg —full-generate-key) • Export public key to transfer device

259. Set up admin workstation

260. Set up admin workstation • Insert & run Admin Workstation

     Tails USB • Connected to internet via Tor • Download SecureDrop
 git clone https://github.com/freedomofpress/securedrop.git • Download & verify SecureDrop Release Signing Key
 gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" • Verify release tag
 git tag -v 0.4.3
 Good signature from "SecureDrop Release Signing Key" • Create Admin Passphrase Database (KeePassX)

261. Set up (pfSense) firewalls • Admin subnet • Application subnet

     • Monitor subnet • No DHCP • Static IP for Admin workstation

262. Set up servers

263. Install SecureDrop

264. Set up Authenticated Tor Hidden Services auth-cookie values in torrc

265. …

266. Okay, You’re probably not building SecureDrop

267. But you can respect your users’ privacy

268. “Privacy by Design” https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/

269. Privacy Guidelines for Designing Personalization https://www.smashingmagazine.com/2016/03/privacy-for-personalization/

270. Clumsy transition to preachy privacy part …

271. http://www.slate.com/articles/technology/future_tense/2017/07/women_young_people_experience_the_chilling_effects_of_surveillance_at_higher.html

272. –Trisha Salas @ Thunder Plains 2016 “I want to try

     Tor … but I heard it puts you on some kind of list … and I plan to travel soon.”

273. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 “There are

     dozens of psychological studies that prove that when somebody knows that they might be watched, the behavior they engage in is vastly more conformist and compliant.” https://www.ted.com/talks/glenn_greenwald_why_privacy_matters

274. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “This

     realization was exploited most powerfully for pragmatic ends by the 18th-century philosopher Jeremy Bentham, who set out to resolve an important problem ushered in by the industrial age. Where, for the first time, institutions had become so large and centralized that they were no longer able to monitor and therefore control each one of their individual members. And the solution that he devised was an architectural design - originally intended to be implemented in prisons - that he called the panopticon.”

275. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “The

     primary attribute of which was the construction of an enormous tower in the center of the institution where whoever controlled the institution could, at any moment, watch any of the inmates, although they couldn’t watch all of them at all times. And crucial to this design was that the inmates could not see into the panopticon, into the tower, and so they never knew if they were being watched.”

276. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “And

     what made him so excited about this discovery was that would mean the prisoners would have to assume that they were being watched at any given moment, which would be the ultimate enforcer for obedience and compliance.”

277. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “The

     20th-century French philosopher Michel Foucault realized that model could be used not just for prisons but for every institution that seeks to control human behavior - schools, hospitals, factories, workplaces.”

278. –Glenn Greenwald, “Why Privacy Matters” @ TED 2014 https://www.ted.com/talks/glenn_greenwald_why_privacy_matters “And

     what he said was that this mindset, this framework discovered by Bentham, was the key means of societal control for modern western societies which no longer need the overt weapons of tyranny - punishing or imprisoning or killing dissidents; or legally compelling loyalty to a particular party … because mass surveillance creates a prison in the mind that is a much more subtle but much more effective means of fostering compliance … much more effective than brute force could ever be.”

279. “There’s a strong physiological basis for privacy. Biologist Peter Watts

     makes the point that a desire for privacy is innate: mammals in particular don’t respond well to surveillance. We consider it a physical threat, because animals in the natural world are surveilled by predators. –Data and Goliath, by Bruce Schneier

280. “Surveillance makes us feel like prey, just as it makes

     surveyors act like predators.” –Data and Goliath, by Bruce Schneier
281. None

282. “… information collection takes place in asymmetrical power relationships: we

     rarely have a choice as to whether or not we are monitored, what is done with any information that is gathered, or what is done to us on the basis of conclusions drawn from that information.”

283. “One of the benefits of running a Tor relay is

     the additional layer of confusion it creates: is this traffic starting with you, or are you just passing it along for someone else?”

284. TrackMeNot randomly searches

285. AdNauseam randomly clicks ads

286. None

287. –me “I have done many weird things with/on Tor and

     I’ve had no problems traveling.
 
 In fact, using Tor is quite empowering.”

288. Questions? • Optimize for latency • Use HTTPS • Make

     it work in Firefox ESR • Set up your .onion • OnionScan • Privacy • torproject.org • eff.org • onionscan.org • mascherari.press • speakerdeck.com/ groovecoder