When I wrote my Anonabox Analysis yesterday evening, I expected perhaps a few comments from a few nerds. I mostly wrote the analysis because I was curious. I have spent a huge amount of time on the Cloak firmware, and I am always looking for inspiration and ideas to make it a better product.
What I did not expect was nearly 12,000 page views in less than 18 hours and an avalanche of tweets. Hell, we actually got mentioned on a Twitter Trending site and _that_ is the first time in my life I have been accused of being trendy.
What this does show however is that there is still a huge need for a product like Cloak and the importance of such a product being Open Source, so that the security aspects can be scrutinized by the community.
So far, Cloak is the only product that has actually posted public source code that can be used to build a firmware image from scratch – absolutely NO binaries that could hide potential back doors. We are also the only ones that have actually ported Tor to OpenWrt and are not relying on an old Tor version from the OpenWrt project that is now dead and unsupported.
Please do comment on our forum if you have any questions regarding Cloak and/or my Anonabox Analysis.
Lars Boegild Thomsen has dissected Anonabox – it gave up without a fight. The more technical among you can skip straight to the gory details here. The short version is, it doesn’t have any security at all – not even an access password.
It does connect to Tor. Not having any Wi-Fi encryption and leaving the root access password set to ‘admin’ is about as private as taking a piss in a glass bathroom with your microphone still on.
Dig the chutzpah
Scamming the public for 80 thousand dollars under cover of a “no guarantees” Indiegogo crowdfunding project and then selling the company has a bit of derring-do about it. I like August Germar – he wrote to me personally and offered to buy me a beer if I’m ever in Chico – so I’m going to defend him.
We think he’s just honestly and utterly incompetent.
4,000 site hits in 6 hours
This is getting a lot of attention – at Reclaim Your Privacy we’re considering a Cloak resurrection for Easter.
We’ll be happy to answer any questions in our forum.
Yesterday, Steve Lord (@stevelord on Twitter) did a screencast where he was essentially dissecting the Cloak firmware. I was fully aware of his intentions and had in fact provided him with a firmware copy myself. I thoroughly enjoy being examined in this way, as I do not believe in security by obscurity.
Overall I think we came out quite nicely. Steve did however point out one issue related to Cloak allowing access to .onion addresses even when clients are connected to the Open network. Originally I implemented this (which consisted of one network forward and one DNS forward) just because it was a damn cool thing. However, Steve Lord is of course absolutely right, from an anonymity perspective it was a really stupid “feature”. What can happen is that a web page on a hidden service can reference an image or a script on an open net server and your anonymity is shot to pieces.
I have of course immediately updated the source on Github and removed this issue.
Thanks to Steve for pointing this out.
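To make the issue above concrete from the defender's side, here is an added example (not Cloak's firmware code) that audits an OpenWrt-style UCI firewall config for exactly the two things the post mentions: a network forward and a DNS forward that give clients on the non-anonymised network a path into Tor. The zone names `open` and `tor`, the Tor TransPort/DNSPort values 9040/9053, the onion fake-address range 10.192.0.0/10 and both sample configs are constructed assumptions for this demo, not values taken from the Cloak source.

```python
"""Audit an OpenWrt-style UCI firewall config for rules that let clients on the
non-Tor ('open') zone reach Tor's transparent proxy or DNS port, which is the
.onion-from-the-open-network leak described in the post.

Added example, not Cloak's own code. Zone names, Tor ports and the onion
address range below are assumptions chosen for the demo.
"""
import shlex

OPEN_ZONE = "open"            # assumed name of the non-anonymised client zone
TOR_ZONE = "tor"              # assumed name of the zone whose clients go via Tor
TOR_PORTS = {"9040", "9053"}  # assumed Tor TransPort and DNSPort


def parse_uci(text):
    """Parse UCI text into a list of sections: {'type', 'name', 'options'}.

    'option k v' becomes options[k] = v; 'list k v' appends to options[k].
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles the 'quoted' UCI values
        if parts[0] == "config":
            current = {"type": parts[1],
                       "name": parts[2] if len(parts) > 2 else None,
                       "options": {}}
            sections.append(current)
        elif current is None:
            continue                       # stray line before any section
        elif parts[0] == "option":
            current["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            current["options"].setdefault(parts[1], []).append(
                parts[2] if len(parts) > 2 else "")
    return sections


def find_onion_leaks(text):
    """Return a description of every rule that routes OPEN_ZONE traffic into Tor."""
    findings = []
    for s in parse_uci(text):
        o = s["options"]
        if s["type"] == "forwarding" and o.get("src") == OPEN_ZONE \
                and o.get("dest") == TOR_ZONE:
            findings.append(f"forwarding {OPEN_ZONE} -> {TOR_ZONE}")
        if s["type"] == "redirect" and o.get("src") == OPEN_ZONE \
                and o.get("dest_port") in TOR_PORTS:
            findings.append(f"redirect {o.get('name', 'unnamed')}: "
                            f"{OPEN_ZONE} -> Tor port {o['dest_port']}")
    return findings


# Constructed 'before' config: the two forwards the post describes, both with
# the open zone as source.
LEAKY_FIREWALL = """
config zone
	option name 'open'
	option forward 'REJECT'
	list network 'open'

config zone
	option name 'tor'
	option forward 'REJECT'
	list network 'tor'

config forwarding
	option src 'open'
	option dest 'wan'

# network forward: onion fake addresses from the open zone into TransPort
config redirect
	option name 'open-onion-trans'
	option src 'open'
	option src_dip '10.192.0.0/10'
	option proto 'tcp'
	option dest_port '9040'
	option target 'DNAT'

# DNS forward: lookups from the open zone into Tor's DNSPort
config redirect
	option name 'open-onion-dns'
	option src 'open'
	option src_dport '53'
	option proto 'udp'
	option dest_port '9053'
	option target 'DNAT'
"""

# Constructed 'after' config: the same redirects exist only for the tor zone,
# so open-network clients have no path to .onion at all.
FIXED_FIREWALL = LEAKY_FIREWALL.replace("option src 'open'\n\toption src_dip",
                                        "option src 'tor'\n\toption src_dip") \
                               .replace("option src 'open'\n\toption src_dport",
                                        "option src 'tor'\n\toption src_dport")

if __name__ == "__main__":
    for label, cfg in (("leaky", LEAKY_FIREWALL), ("fixed", FIXED_FIREWALL)):
        print(label, find_onion_leaks(cfg) or "no open-zone path into Tor")
```

Run as a script, the leaky config reports both redirects and the fixed one reports none; the plain `open -> wan` forwarding is untouched, since normal clearnet access from the open network is not the problem, only the path into Tor is.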
I read about your plans to make Internet Service Providers record user IP addresses http://www.bbc.co.uk/news/uk-politics-30166477
It’s easy to collect the data you want, but expensive to store and keep secure. It’s very powerful because it provides geolocated identification – it’s worth a fortune to an advertiser and it’s really hard to catch clever crooks who – as they inevitably will – figure out a way to copy and sell it.
Internet Service Providers face a cost with no (honest) benefit and the prospect of public censure for loss or misuse of sensitive data. Criminals will see a new resource they want to exploit, and advertisers will try to make it legal to do so.
It will make everybody more vulnerable to all manner of sinister deviance. Modern data correlation techniques offer frightening power to scientifically select vulnerable targets.
From an engineer’s viewpoint, what you are doing considerably increases the risk of personal security breaches. You are vague about the benefits on the grounds of national security. That doesn’t relieve you of your responsibility to the public interest. You need to canvass the opinion of data security experts and encourage public debate to inform estimates of the potential cost of unintended consequences.
The cost for an ordinary non-technical internet user to prevent their ISP logging them will be about 35 pounds. https://www.kickstarter.com/projects/1227374637/cloak
It’s so cheap and easy to defeat the tactic you propose that it really is of very questionable crime fighting value.
Cloak was discussed on BFM 89.9 in Malaysia today. For those that missed the original broadcast, BFM have made a podcast available.
This survey by Pew shows how Americans view the state of privacy in their country – “not positively” is a fair summary. According to the survey, the majority of Americans would like to do more to protect themselves, but don’t think it’s easy. The good news for them is, Cloak makes it much easier.
Business Insider reports that travelling business executives are being actively targeted by criminals in their hotel rooms.
More evidence that you need to protect your own business – public networks simply can’t be trusted with confidential information. Cloak is a practical way for IT professionals to protect executive communications. Providing .onion access to corporate web services gives strong resistance to even sophisticated exit-node sniffing attacks.
Steve Lord, security pro and co-founder of 44Con, reports on the apparent scam called Anonabox. It’s been booted from Kickstarter but is now back up on Indiegogo and taking people’s money. Steve wrote, “Adrian Wade of the Cloak project offered to ‘stump up the $51 he’s asking for and publicly offer him a debate’.”
I can confirm that we have done this. Here’s a screen dump, just in case he tries to kick the gauntlet under the rug instead of picking it up.
Steve’s full article is here