Author: John Durret

  • HotSpotShield alternative, free VPN SpotFlux


    Spotflux is a free VPN for Mac and Windows computers. It can help you get around censorship in countries where ISPs block websites. Theoretically it can bypass computer Internet filters, but it is not portable and you need administrator rights to install it, so you won’t be able to use Spotflux in your college or workplace unless you have your own laptop.

    I tested their speed from Europe a few times and it gave me a consistent 1MB/1.5MB, enough to stream online video. Hovering your mouse over the Windows tray will show your given IP. Spotflux provides a US computer IP allowing you to access CWTV, ABC, Pandora radio and other websites restricted to US residents only. I tried to watch Hulu and it worked fine, the same with Pandora Radio.

    During installation the software will ask you to install a device driver and also to run Java. This is one part that I did not like: I have used multiple VPNs in the past and I have never been asked to run a Java app. Java runs locally on your computer, it has been exploited in the past, and it could endanger your security unless you are really sure that the place you downloaded it from is trustworthy.

    Free VPN SpotFlux

    Spotflux settings are very simple, consisting of automatic updates, proxy configuration and language interface. What makes this VPN different from others is that they scan and filter all pages you request for malware and viruses; tracking cookies are filtered out too. Nearly all advertisements are blocked. As a blogger I find this VPN unethical; the reason why I don’t update hacker10 more often is because the scarce income I make here does not justify my posting time. Browser addons blocking adverts give people configuration options to target only websites that abuse privacy or are overdone with adverts, whereas Spotflux blocks adverts on all sites. If you use them to visit your favourite sites you will deprive them of advert income and eventually kill the site.

    Spotflux’s privacy policy doesn’t mention what logs they keep and how long for, but they say that they will use deep packet inspection of user traffic to cooperate with law enforcement if necessary. This is definitely not a VPN to be used for privacy even if they claim so. I don’t know how they make money with it; I will speculate that Spotflux might start charging for extra services in the future. HotSpotShield’s privacy policy is equally bad but they don’t have any system in place filtering the sites you visit for “privacy reasons”. I would say that both VPNs, SpotFlux and HotSpotShield, are ok to watch US online TV and that is it. Never use a free VPN like them to check your email if you care about your online privacy.

    UPDATE December 2012: After using Spotflux again I noticed that the installer comes with sponsored software; you can refuse to install it by unchecking a tickbox. SpotFlux is also blocked on Abc.com, where I get a message saying that I have to disable ad blocking programs before I can watch their videos.

    Visit SpotFlux homepage

  • GPGAuth logs into a website using GPG/PGP keys


    GPGAuth is an authentication mechanism that allows you to use public/private encryption keys (GnuPG, PGP) to log in to a website. There is no need to remember any password or username: GPG keys act as the username, and password verification is carried out in your browser. The trust level for each website can be specified in GPGAuth options, like making sure that the User ID matching the domain has been signed by one of your trusted keys.

    Keyloggers are easily defeated as you don’t have to type in anything, and the server’s owner is given the public encryption key beforehand, making man in the middle attacks extremely difficult. With GPGAuth you won’t need to remember multiple passwords for every different site, so it can be used as a single sign-on system. It is possible to create multiple User IDs from a single GPG keypair, which allows for various online identities if needed.

    Chrome GPG addon GPGAuth

    The downside is that the website you are using must offer the possibility of using GPGAuth and it hasn’t exactly caught on. The browser addon is only available for the Chrome browser at the moment. The project uses the framework FireBreath to be cross compatible with Windows, Linux and Mac computers and all major browsers, so there is no technical reason stopping it from being ported to other browsers’ addons in the future. If Chrome is your main browser you could use it in conjunction with WebPG, a GPG key management addon from the same author; otherwise you will need to have some kind of OpenPGP compatible software installed on your computer.

    Visit GPGAuth homepage

  • FBI seizes anonymous remailer from Rise Up Network facilities


    A server physically located in a collocation facility in New York shared by left leaning organizations Rise Up Networks & May First/People Link was seized two days ago, 18th April, by the FBI turning up with a search warrant. The server belonged to the “European Counter Network”, an Italian group defining itself as “antifascist”. It provided email accounts, mailing lists and website hosting for activists, and remailing to the public. It appears that an anonymous person sent more than 100 bomb threats over a period of months through the Mixmaster remailer network to the University of Pittsburgh, leading to numerous building evacuations while the police cleared all false alarms. No arrests have been made so far but the investigation remains open.

    Riseup’s press release calls the server seizure an attack on free speech that has left artists, historians, gay rights groups, feminists and others without mailing lists and email accounts; various websites have also been taken offline as a consequence of the seizure. Riseup claims that while sympathizing with the University of Pittsburgh community they do not understand why the FBI has taken the server when “authorities knew that the server contained no useful information that would help in their investigation”.

    Anonymous remailer

    Mixmaster remailers resemble the Tor proxy network in that they do not log anything and work in chain mode. Normally three servers in different jurisdictions are involved in routing an email before it is finally delivered to an inbox, though more servers could be involved if the sender specifies it in the settings. Mail servers running the open source Mixmaster software remove header information to make it impossible to find out the sender. Messages are deliberately held for some time to avoid time based attacks, and it can take days or hours before an anonymous email is finally delivered.

    A Mixmaster remailing server has been designed to make it impossible to trace emails back to the original source. For the system to fail it would be necessary to seize all of the servers involved in sending a message and to recover erased logs, assuming they ever existed. A new protocol called Mixminion is in development and intended to replace Mixmaster in the future.

    More information: EFF article about remailer seizure

  • Hyperboria, censorship resistant darknet based on CJDNS


    CJDNS is an open source project building a censorship-resistant decentralized network. The routing engine has been designed for security, scalability, speed and ease of use. CJDNS runs on top of your ISP network and provides you with an internal IPv6 address generated from a public encryption key.

    A virtual network card (TUN device) is used to send data to anyone connected to the network. What makes CJDNS different from other decentralized P2P projects like PirateBox is that it is routable over the current Internet, so nodes can be reached anywhere in the world. In the future, as the number of nodes increases, data packets can be sent wirelessly in ad-hoc mode. No DNS is required to access a node; if DNS is ever implemented it will be made decentralized and secure. At the moment the user only needs to know the IPv6 address and paste it in the browser.

    Project MeshNet CJDNS flowchart

    Man in the middle attacks are not possible because public key encryption is used to send packets. CJDNS provides privacy too: other users can’t locate people by simply looking up their internal IPv6 address, and node operators could track a user down but only if the community helps them out. Unlike the Tor network, the node operator that gave someone access to the mesh can deal with abuse and ban people. A CJDNS network abuse policy will have been democratically decided by those who are part of the network, stopping Government interference and frivolous multinational lawsuits. CJDNS is not trying to replace Tor, it wants to replace the Internet. The idea is that with all hardware working in P2P mode a single person can’t be intimidated into shutting down the network, as there isn’t any central infrastructure that can be attacked.

    Like with darknets, to join CJDNS you will first need a friend inside giving you access; once in the network you can connect to everyone else. Hyperboria is the main CJDNS network, composed of dozens of nodes. To connect to the IPv6 addresses of Hyperboria sites you will need to be running CJDNS. It doesn’t matter if your computer is using IPv4, as CJDNS encapsulates IPv6 into IPv4 packets for routing.

    The network is resistant to Distributed Denial of Service (DDoS) because it has too many nodes to bring down. This makes CJDNS resilient to natural disasters too, as there isn’t a single point of failure. CJDNS can be installed on OpenWRT routers, Mac and Linux computers, and Windows support is being tested. Hardware requirements are low, and if you run a node you can host anything that doesn’t go against the community values.

    Visit Hyperboria homepage
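
The Hyperboria post above says a CJDNS node's internal IPv6 address is generated from its public encryption key. The following is an added example, not code from the post or from the CJDNS project, of the check a node can make that a peer's key really hashes to the address it claims. It assumes the derivation is the first 16 bytes of SHA-512 applied twice to the 32-byte public key, with only addresses starting `fc` accepted (a detail the post does not give), and it uses constructed 32-byte stand-ins rather than real Curve25519 keys.

```python
# Added example: the derivation scheme and all key material are assumptions /
# constructed values, not taken from the page.
import hashlib
import hmac
import ipaddress


def cjdns_address(public_key: bytes) -> ipaddress.IPv6Address:
    """Derive the internal IPv6 address: first 16 bytes of SHA-512(SHA-512(key))."""
    if len(public_key) != 32:
        raise ValueError("expected a 32-byte public key")
    digest = hashlib.sha512(hashlib.sha512(public_key).digest()).digest()
    return ipaddress.IPv6Address(digest[:16])


def is_node_address(addr: ipaddress.IPv6Address) -> bool:
    """Only addresses whose first byte is 0xfc are accepted as node addresses."""
    return addr.packed[0] == 0xFC


def find_usable_key(seed: bytes, limit: int = 100_000):
    """Stand-in for key generation: try constructed 32-byte keys until one
    hashes into fc00::/8 (about 1 in 256 does). Not real Curve25519 keys."""
    for counter in range(limit):
        candidate = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        addr = cjdns_address(candidate)
        if is_node_address(addr):
            return candidate, addr, counter + 1
    raise RuntimeError("no usable key found within limit")


def peer_matches_address(claimed: str, presented_key: bytes) -> bool:
    """Accept a peer only if the key it presents hashes to the address it claims."""
    try:
        claimed_addr = ipaddress.IPv6Address(claimed)
        derived = cjdns_address(presented_key)
    except ValueError:
        return False
    if not is_node_address(claimed_addr):
        return False
    return hmac.compare_digest(derived.packed, claimed_addr.packed)


if __name__ == "__main__":
    key_a, addr_a, tries = find_usable_key(b"constructed-node-A")
    key_b, addr_b, _ = find_usable_key(b"constructed-node-B")
    print(f"node A address {addr_a} found after {tries} candidate keys")
    print("A's key for A's address:", peer_matches_address(str(addr_a), key_a))
    print("B's key for A's address:", peer_matches_address(str(addr_a), key_b))
```

Because the address is a hash of the key, a node that cannot present the matching key cannot claim someone else's address without finding a hash collision.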

  • Code Talker Tunnel disguises tor traffic as Skype video calls


    Countries like Iran and China routinely block public Tor IP addresses. To get around this problem, relays called Tor bridges are not made public and are only given on request to users living in repressive countries. According to recent research from Internet security firm Team Cymru, China’s Great Firewall can distinguish between normal traffic and Tor traffic using SSL deep packet inspection; one factor used by the Great Firewall of China to detect Tor traffic is the Tor proxy SSL cipher list, among others. Communications can not be read because they are encrypted, but a bot attempts to connect to the suspected Tor server IP, passing itself off as a user. When it confirms it is a Tor bridge via a successful connection, the Tor server IP is added to the list of blocked IPs in the firewall.

    Iran has also been reported in the past as having an Internet censorship system able to identify the beginning of a Tor proxy SSL handshake and interrupt the handshake.

    SkypeMorph disguises tor proxy traffic
    Code Talker Tunnel disguises tor proxy traffic

    SkypeMorph, renamed Code Talker Tunnel, uses traffic shaping to convert Tor packets into UDP (User Datagram Protocol) traffic, preventing deep packet inspection from recognizing Tor data as such. Code Talker Tunnel traffic shaping mimics the sizes and packet timings of a normal Skype video call. The developers of this tool at the University of Waterloo in Canada chose a VoIP client to hide Tor traffic because the flow of data packets, sending a request and waiting for a response with a long pause during transmission, resembles how a Tor proxy server works.

    SkypeMorph Code Talker Tunnel is a pluggable transport that will work with obfsproxy, a program developed by the Tor project itself for Mac, Windows and Linux users that masks Tor traffic as a different protocol specified using pluggable transports.

    Visit Code Talker Tunnel homepage

  • ArmorText Android app to encrypt SMS & MMS messages


    ArmorText is a free Android app to secure text messages. It uses RSA1024 and AES256bit to encrypt your SMS & MMS messages, and the receiver will need to have the same app installed to be able to decrypt the messages. ArmorText will connect to the Internet after launching it for the first time to retrieve your friends’ public encryption keys. Security can easily be enabled by tapping an ON/OFF lock button. A Smart Predict option will detect when the app believes you need to encrypt your text messages (based on the last texts sent) and automatically turn security on unless you decide otherwise. The app can stop message forwarding by the recipient too.

    ArmorText is a pure text messaging solution, not a chat client, it only encrypts SMS and MMS messages with photos.

    ArmorText Android SMS encryption

    With smart phones increasingly used for mobile payments, email and online banking, they have become a prized asset for thieves. ArmorText will protect your data even when it is not stored in your phone but in that of the person you are communicating with. Messages are encrypted before sending, stopping man in the middle eavesdroppers, like your network provider. Planned features for the future include controlling how many times a text message can be viewed, how long the message is available for, and non-repudiation.

    Update 2014: This app is no longer available in Google Play

    Visit ArmorText homepage

  • Share encrypted messages on social networks with Privly


    Priv.ly is an open source project that allows you to communicate with others using the site of your choice while denying that site access to your data. Everything is encrypted and shared through a link, so the site can not be forced to reveal data it doesn’t hold and data retention won’t matter. By posting your messages through a link, Google+, Twitter or Facebook will never have access to your private data. The messages will be automatically decrypted by people using the Privly browser addon, making the process easy and automatic for everyone. Only users whose public encryption key has been used to encrypt data will be able to read the message. It is possible to revoke access to a single user by not using his key, and the content on the server can quickly be destroyed or changed.

    At the moment Privly servers host the encryption keys to automate decryption, and the extension pulls the encryption key and content off the server after your friend clicks on a Privly URL link. This makes the central server vulnerable to attack. There are future plans to change it by creating a P2P decentralized storage system, making it impossible even for Privly staff to read your messages. Another vulnerability that the developers are working on is preventing the browser from caching encrypted messages.

    Social network encrypted messages Priv.ly

    Privly is an asymmetric public/private encryption key system. You could do this yourself by encrypting your messages with PGP/GPG before posting them to a social network; Privly’s advantage over manual encryption is that it saves people time and makes the process easy by only needing a browser addon, and their central delivery server also makes it possible to change or destroy a message after posting. You could try to achieve the same result using a self destructing messaging system, but few of those services, if any, are open source. Privly is a good initiative to stop abusive social network data retention policies and to stop censorship from software scanning the Internet for keywords.

    The key for Privly to work is adopting a standard that everyone will understand as soon as they see it, in this case a URL. Having too many ways of doing the same thing does not help in spreading a technology; it all comes down to everyone agreeing on a system. You still have to solve the anonymity side of your messages, as your computer IP is visible when you post a Privly link to a website.

    Visit Privly homepage

    Note: The project is still in development and might not be stable.