BwheKLxCQAAdzAP.jpg large

PacketFlagon – The HydraProxy

Today marks 1 year since the Immunicity arrest that saw someone get arrested for allowing people to send their HTTP(s) traffic where they wanted to without interference.

In that time it’d seem that the City of London Police haven’t really done much;

However the guys and gals over at Brass Horn Communications have been doing quite a bit culminating in todays “launch party” of HydraProxy.Party

Whilst not a real launch party* it is the official unveiling of the open sourced software derived from the original RoutingPacketsIsNotACrime.uk platform.

What is a ProxyShard / HydraProxy

The PacketFlagon platform is essentially one central server that feeds and receives information from lots of other servers around the Internet.

Anyone is free to download the BSD licensed software from GitHub, upload it to their webserver and then 30 seconds later are capable of creating, editing and serving the PAC files that help your browser circumnavigate Internet censorship.

The HydraProxy element comes in several parts, the first is that not only are there now tens of the PacketFlagon frontends available but the PAC files are also available on S3 and most impressively of all the platform maintains a number of what it terms “deadhand” nodes that constantly monitor the central server and the various frontends.

If the deadhand nodes reach consensus that a frontend has been blocked another domain is automatically registered, a new virtual machine is created and then bootstrapped to be a frontend node, all without human intervention!

Android App

There is also an Android app available on the Google Play store or by compiling the sourcecode yourself from GitHub.

The App provides an easy way to manage existing PAC files or to create new ones, we’re told that later versions will also include some intelligent circumnavigation methods in case the ISPs start to block the PacketFlagon API itself.

Is It Safe To Use?

Yes. Keep an eye on the Brass Horn Communications warrant canary just in case but we trust the team.

With that said it’s always a better bet to take your security and censorship circumnavigation into your own hands and look at how to properly use Tor or create SSH tunnels / your own SOCKS proxies.

* It’s understood that if you’re at DefCon in Las Vegas and can track down the @PacketFlagon team they might buy you a beer!

Devils_Bridge

Introducing Brass Horn Communications

Brass Horn Communications is a non-profit entity registered in the UK whose sole purpose is to provide Internet based services and education to help people evade censorship and avoid surveillance.

Their first Tor Exit node went live on March 2nd 2015 joining 8 other multi-purpose Tor relays, additionally Brass Horn Communications has adopted the infrastructure of RoutingPacketsIsNotACrime.uk / PacketFlagon.is and in doing so has published the Tor entry bridges used by the Squid proxies into the public directory for general use.

The name came from a Welsh legend;

Britain was plagued by the Coraniaid who could not be injured because their hearing was so sharp that they could hear any sound that the wind carried. It was by using a Brass Horn that Llefelys was able to securely communicate to his brother Lludd how to defeat the Coraniaid.

One of the stated goals of the organisation is to provide UK centric Tor relays and bridges (especially obfuscated bridges) to enable those in the UK to browse an uncensored Internet at relative speed to their native connection.

At the moment the team is working on a new version of the PacketFlagon.is software to release under the BSD license.

safe

Introducing ASafe.Space

David Cameron recently said in a speech that he would deny potential Terrorists a safe space on the Internet to communicate;

The obvious problem here is that everyone is a potential Terrorist so what David Cameron is actually promising that he intends to legislate against anyone having a means of communication that is secure from Government interference.

We’ve seen that GCHQ and the Police have abused (or just plain broken) laws in order to spy on Journalists, Lawyers and other innocents, the Government can not be trusted with these powers.

In response ASafe.Space has been registered and will contain a few short guides on how to have a safe space to browse the Internet, communicate over Instant Messaging, Email or even Pen and Paper.

Evading censorship and surveillance are one and the same, if the censor doesn’t know what you are saying or what you are reading they can’t stop you nor can they hold it against you.

blogimg-opendns

Defeating DNS Based Filtering (Sky, BT etc) with DNSCrypt

Several of the “Big Five” ISPs utilise a form of filtering that intercepts DNS requests and spoof replies for sites that are on the block list, in certain cases if you are able to resolve the IP address out-of-band (e.g. a hosts file) then you can browse uninterrupted.

We already know that most ISP implementations of filtering cannot intercept and block SSL protected HTTP traffic and in the same way DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between people and our OpenDNS’ servers.

The DNSCrypt code base is open source and it’s available on GitHub.

Download for Mac
Download for Windows
Linux can be installed via your favourite package manager

Once installed just set your DNS server to be 127.0.0.2 and you should be set to go.

If you have any issues or need more help with installation check out; http://dnscrypt.org/

thankyou_img

Building a PIPCU Resistant Immunicity Style Proxy Using Tor

A Little History

In June 2004 BT took the step of putting technical measures in place that allowed them to censor the Internet.

At the time there was muffled dissent at the idea of creating and deploying such technology but those voices were silenced by accusations that opposition to CleanFeed was to support the abuse of children.

We warned that this was the start of a slippery slope.

In 2011 the MPA took BT to court in an attempt to block Newzbin, when the Honourable Justice Arnold understood that BT already had an Internet censorship system in place he ordered it to be used to block Newzbin

In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise, [BT] shall within 14 days adopt the following technical means to block or attempt to block access by its customers to the website known as Newzbin2 currently accessible at www.newzbin.com, its domains and sub-domains and including payments.newzbin.com and any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 websiteHon Justice Arnold

On the back of the Newzbin success various other private entities took to the High Court to chase more ISPs and in February 2012 the Honourable Justice Arnold ruled

… that both users and the operators of TPB infringe the copyrights of the Claimants (and those they represent) in the UK.Hon Justice Arnold

The result of this ruling was that BT, TalkTalk, Sky and others were required to take measures to block or at least impede access by their customers to a peer-to-peer (“P2P”) file-sharing website called The Pirate Bay (“TPB”).

At the time the OpenRightsGroup issued the following statement;

Blocking the Pirate Bay is pointless and dangerous. It will fuel calls for further, wider and even more drastic calls for internet censorship of many kinds, from pornography to extremism.Jim Killock, Executive Director of the Open Rights Group

So here we are in 2014, a decade after we originally predicted the slippery slope of Internet censorship and we have Court ordered censorship at the behest of foreign private entities, secret URL blocklists courtesy of the IWF, varying levels of Internet Filtering in homes, Internet filtering in coffee shops etc and now the City of London Police appear to be using organised Crime Legislation to intimidate and shut down proxies.

How a PAC Proxy Works

The PAC (Proxy auto-config) file format was originally designed by Netscape in 1996 for the Netscape Navigator 2.0 and is a text file that defines which URLs are to be routed over a proxy and optionally which proxy to use on a per URL basis.

A very basic PAC file could look like this;

function FindProxyForURL(url, host) 
{    
    var list = new Array("wtfismyip.com","www.ipchicken.com");
    for(var i=0; i < list .length; i++)
    {
        if (shExpMatch(host, list[i]))
        {
           return "SOCKS socks.survivetheclaireperryinter.net:9050";
        }
    }
    return "DIRECT";
}

This PAC file defines two URLs (wtfismyip.com and www.ipchicken.com) and tells the browser that these URLs should be routed via the SOCKS proxy socks.survivetheclaireperryinter.net using port 9050. Any other URLs are routed directly (as in not using a proxy).

The Tor Project is one of the most powerful tools we have against Internet censorship and one of the features of a Tor relay is the ability to be used as a SOCKS proxy.

There are lots of Tor relays on the Internet that are configured not only as Bridges, pluggable transports, Exits & relays but also as SOCKS servers. We will create a Tor relay to be coupled with a PAC file to selectively route certain URLs over The Onion Routing network to bypass censorship.

Using the Tor PAC Proxy

To test a Tor powered PAC proxy simply set your Browser Proxy settings to; https://RoutingPacketsIsNotACrime.uk/pac.config?id=piratebay this will allow you to browse to thepiratebay.se via a Tor proxy in Russia.

To create your own list of URLs to route via your Tor proxy start by navigating to https://RoutingPacketsIsNotACrime.uk and identify which URLs you would like to route.

Note that the only URL selected by default is wtfismyip.com. To re-iterate, this is a technical demonstration of Censorship evasion and bypassing censorship is NOT illegal.

Add all of your URLs separated by a comma e.g. “google.com, yahoo.com, bing.com” then click “Save PAC File”.

Make note of your unique PAC file URL e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890

Configure your browser to use your unique PAC file


Configure Internet Explorer

  1. Go to Start then Control Panel. (Windows 8 users hover your mouse to the bottom right, click Settings, then click Control Panel)
  2. Find Internet Options (sometimes under Network and Internet), then go to the Connections tab.
  3. At the bottom, click the LAN settings button.
  4. A new dialog will appear. Tick the box that says Use automatic configuration script.
  5. In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
  6. Press OK, then OK on the Internet Options dialog.

Configure Mozilla Firefox

  1. In Mozilla Firefox, go to Options. In Windows, click the Firefox button then choose Options, or go to Tools, then Options. In Mac OS X, go to Firefox, then Preferences. In Linux, go to Tools, Options.
  2. Go to the Advanced tab, then go to the Network tab.
  3. Click Settings next to Configure how Firefox connects to the Internet.
  4. Select Automatic proxy configuration URL.
  5. In the text field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
  6. Press OK, then OK on the Options dialog.

Configure Google Chrome

  1. In Google Chrome, click the menu button to the right of the URL bar, and choose Settings.
  2. At the bottom, click the Show advanced settings
  3. Under Network, click Change proxy settings.
    1. On Windows, at the bottom click the LAN settings button. A new dialog will appear. Tick the box that says Use automatic configuration script.
    2. On Mac OS X, tick Automatic Proxy Configuration.
    3. On Linux, click Network proxy, select Automatic from the Method drop down menu.
  4. In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
  5. Close the dialogs to save the settings. On Mac OS X, press Apply first.

You’ll note that the PAC file specifies the proxy as localhost:9050, trying to visit the URLs in question won’t work until we setup the local Tor relay.

Creating Your Local Tor Proxy

If you want to help the Tor network grow and create your own proxy to use with the RoutingPacketsIsNotACrime PAC files then these instructions should get you started.

If you don’t already have a dedicated server consider visiting DigitalOcean, Amazon EC2 or for some really good deals check LowEndBox.com.

For various reasons I would suggest hosting the server outside of the UK but that is a choice for you to make.

CentOS 6

Install EPEL

wget http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install epel-release-6-8.noarch.rpm

Edit iptables

vim /etc/sysconfig/iptables

Allow the ORPort and the proxy port (in this case 9001 and 9150)

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9150 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Save and quit

/etc/init.d/iptables restart

If your server has IPv6 then make similar changes to ip6tables

Editing torrc

vim /etc/tor/torrc

A minimal torrc for use with a PAC file style proxy would look similar to the below (although you should read all the options to understand what you are doing);

SocksPort xx.xx.xx.xx:9150
ORPort 9001
Nickname TheNameOfYourRelay
ContactInfo YourContactDetails
ExitPolicy reject *:*

xx.xx.xx.xx should be a routeable IP (e.g. not 127.0.0.1) of your server, if you want to keep your relay server partially private you might want to add PublishServerDescriptor 0 to your config too.

There is no security here, if someone port scanned your server then they would see that it is an open proxy and could use it to do nasty things that people will blame you for!
If your Tor relay is on a public IP (e.g. not 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) then you may want to restrict the IPTables allow rule to only allow your source IP addresses

Start Tor & Confirm it is working

/etc/init.d/tor start
tail -f /var/log/messages

You should see something along the lines of;

socks Tor[31452]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
socks Tor[31452]: Bootstrapped 85%: Finishing handshake with first hop.
socks Tor[31452]: Bootstrapped 90%: Establishing a Tor circuit.
socks Tor[31452]: Tor has successfully opened a circuit. Looks like client functionality is working.
socks Tor[31452]: Bootstrapped 100%: Done.
socks Tor[31452]: Performing bandwidth self-test...done.

Done!

Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.

Windows

Follow our tutorial on Securely Installing Tor on Windows to get the full Tor Browser bundle up and running.

Once installed and started Tor will be running on localhost:9150 (do not close the Tor Browser as this will also close the relay)

Done!

Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.

Some Final Thoughts (and quotes)

Internet Censorship is abhorrent, we shouldn’t stand by and let the Government, Police or lawyers dictate what we can read. The slippery slope is getting steeper every day so we all need to help stop it.

When bad men combine, the good must associate; else they will fall, one by one, an unpitied sacrifice in a contemptible struggle.Edmund Burke

I always wondered why somebody doesn’t do something about that. Then I realized I was somebody.Lily Tomlin

Withholding information is the essence of tyranny. Control of the flow of information is the tool of the dictatorship.Bruce Coville

Who is more to be pitied, a writer bound and gagged by policemen or one living in perfect freedom who has nothing more to say?Kurt Vonnegut

Once a government is committed to the principle of silencing the voice of opposition, it has only one way to go, and that is down the path of increasingly repressive measures, until it becomes a source of terror to all its citizens and creates a country where everyone lives in fear.Harry S. Truman

Free societies…are societies in motion, and with motion comes tension, dissent, friction. Free people strike sparks, and those sparks are the best evidence of freedom’s existence.Salman Rushdie

All men dream: but not equally. Those who dream by night in the dusty recesses of their minds wake in the day to find that it was vanity: but the dreamers of the day are dangerous men, for they may act their dreams with open eyes, to make it possible.T.E. Lawrence

tor-browser-anonymity-online

Installing TOR on Windows Securely

As mentioned on our Top Ways to Avoid Filters page the Onion Router Project (better known as TOR) excels at bypassing censorship technologies such as the Sky Broadband Shield, the TalkTalk filters, BT Parental Controls and even the Great Firewall of Cameron China whilst at the same time offering almost perfect anonymity.

TOR is an excellent choice for any would-be whistle blower, political journalist, privacy advocate, vulnerable adult or any other person who wants/needs unrestricted Internet access.

TOR is no more a tool for criminals than a kitchen knife or a car, much like encryption the more it is used by normal people for normal day-to-day tasks the better the protection for everyone by making it more expensive for nation states to perform blanket surveillance and Internet filtering.

This post will show you how to download and install the TOR client (which is easy) whilst also ensuring it’s the real deal and hasn’t been interfered with by your ISP or other malicious actors.

Downloading

The best place to download TOR is from the projects own website here: https://www.torproject.org/download/download-easy.html.en (note the https). You should also do whatever is necessary to acquire the signature file which can be found by following the link labelled sig (underlined in red below) on the download page.

sig

 

The download is also available on this website by clicking here and the signature for this download is reproduced below.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABCAAGBQJTaXIZAAoJEEFvBhBj/uZZEJsIAKD2Ny/oXZheHd3xkgk9t906
a3Xayel0Mxp7Yj6dEvoDKTvvkyvmN1PC4K7oFjovaFP29SekDSRvMYnRlLnDaEHD
QZoPs7bFpf1qoRukZgMr9Q9B4rsy4Q9hr8iNcV1OeVawiGf8aQ/9XIp3TDErb80w
0tKnK4JI0a8FDKumc5GFTNQNZo9G2r46puSu4hLkckbz8zZa4FqVIjOpiyG65ri4
VdujXmpObLYEL/lAfg6xoCIF8VzM9eb1jBj+ISCxt0r2bpD8/iBizEvNRjzWIQUe
krqEuPpzYNiGLzXvczMTULs4lo7s6jGDR44ztijnwm87JdJCtFIrrh/+8QKe82Q=
=h2XC
-----END PGP SIGNATURE-----

At this point you could just install TOR and trust that everything is OK but in this day and age you should really make sure.

Verifying the Download

At this point you should go off and read about GnuPG on Wikipedia and consider reading the GnuPG manual so you fully understand why we’re about to do what we are going to do.

As we’re on Windows (you should consider trying Linux even if it’s only on a live boot CD/USB) we need to install GPG4WIN which can be downloaded here: http://gpg4win.org/download.html. Pay close attention to the SHA1 checksum you will need that shortly.

Secondarily download and install the Microsoft File Checksum Integrity Verifier from, here: https://www.microsoft.com/en-gb/download/details.aspx?id=11533

Luckily the Microsoft download will be signed and certified by a certificate already embedded in the OS so go ahead and install it, you should see that the publisher is “Microsoft Corporation” and if you click the blue text you should see a confirmation that the Digital Signature is OK;

file_integrity_certificate

 

Once extracted to a useful location (preferably the same place you downloaded the GPG4WIN installer to) execute the following command;

fciv.exe -sha1 gpg4win-2.2.1.exe

This will generate the SHA1 hash you noted earlier in a manner similar to that below, if the two hashes do not match exactly then something is wrong.

//
// File Checksum Integrity Verifier version 2.05.
//
6fe64e06950561f2183caace409f42be0a45abdf gpg4win-2.2.1.exe

Now (assuming that the hashes match) we need to install GPG4Win, for added security you can ensure that the certificate is also genuine for the installer by clicking More Details then Show information about this publishers certificate. The default GPG4Win installs options should suffice;

gpg4win

 

Once installed load up the GNU Privacy Assistant or GPA from the All Programs > Gpg4Win section of the start menu. GPA allows you to import the public keys of the TOR developers who signed the TOR installer to guarantee that it is genuine and hasn’t been tampered with.

All the signing keys can be found on this page; https://www.torproject.org/docs/signing-keys.html.en if you are unable to reach that page then the key we want is from a developer named Erinn Clark whose key can be identified as 0x63FEE659.

To install her key select Server then Retrieve Keys from the GPA menu

key_import

In the popup box that appears type or paste 0x63FEE659 then click OK.

retreive_keyYou should then be told that one 1 public key has been read and imported!

imported

Select Erinn’s key from the list and look at the details, ensure that the fingerprint matches the one on https://www.torproject.org/docs/signing-keys.html.en or if you can’t reach that page this;

8738 A680 B84B 3031 A630  F2DB 416F 0610 63FE E659

If it does right click on her key and select Sign Key, this indicates that you trust this key for encryption and importantly for our purposes any signatures made.

You’re now ready to confirm if the TOR download is safe to install. Navigate to the location where you saved the TOR executable and the signature file, right click on the installer and navigate to More GpgEx Options then click Verify.

verify

 

In the window that pops up click Decrypt / Verify, if all has been succesful you will see a green notice confirming that the signature passes.

signature_success

You can now install TOR safe in the knowledge that the download has not been tampered with by malicious criminals or the surveillance state. Once installed you will now be able to evade any form of Government or ISP filtering.

Remember if you are using TOR to protect yourself as part of a whistle blowing exercise there are several warnings to take heed of to ensure that you do not jeopardise the work you’ve put in so far.

 

 

 

 

 

 

440px-XDSL_Connectivity_Diagram_en.svg

Further Proof Claire Perry Doesn’t Understand What She Has Created

Not content with accusing bloggers of sponsoring the hack of her website Claire Perry has further demonstrated her lack of understanding of how the Internet and indeed her own filters are going to work.

Whether she is confused, isn’t concerned about the details or just hasn’t understood what it is she has done the fact remains that ISPs are interfering with your traffic after it has left your modem and entered into their transit network.

They are mis-routing packets, spoofing DNS and who knows what else all in the name of filtering.