Author: John Durret

  • OnionMail an anonymous mail server running on Tor

    OnionMail is an open source mail server developed by hacktivists fighting mass surveillance. It runs on the Tor network and is able to communicate with the Internet as well as Tor hidden nodes.

    Running an OnionMail server and joining the federated network is open to everybody. Connections between servers are always encrypted with SSL, and transition servers do not store any data; only the final destination OnionMail server saves messages, and it automatically erases them after reading or if they have not been picked up by the user in a period of days, using the wipe command (Linux) to make forensic recovery impossible.

    An OnionMail email inbox is encrypted with RSA/AES asymmetric encryption keys and user passwords. Data is then hashed and scattered around multiple OnionMail servers in the network, so if a server is seized no meaningful information or metadata can be obtained. Another security feature is the ability to remotely nuke a server’s digital certificate, which is useful if an administrator loses physical access to the server. OnionMail checks the legitimacy of digital certificates in the network, and servers not using a valid one will be disconnected.

    In Tor you don’t have to worry about revealing your computer IP, but a local email system clock can give away your approximate geographical location. To stop this, OnionMail spoofs your time zone. It will also spoof the PGP version you are using, which is helpful in case a vulnerability is discovered in a specific PGP release: an attacker would be unable to find out who is using it without testing everybody.

    For internal email communications inside the Tor network you are assigned a cryptic .onion address. This is automatically transformed into a comprehensible clearnet address using the Virtual Mail Address Translation protocol, which appends the .com/.net/.info of your Tor exit node so that people on Yahoo or Gmail can reach you.

    For example, if you are using the onionmail.info exit node, your .onion email address will be transformed into test.serveraddress.onion@onionmail.info when you send an email message to the Internet. Spam is eliminated using custom blacklists that mail server operators can tweak.

    You can find a few Tor email providers but they are not chained and their addresses can’t be used to contact people outside Tor. OnionMail stands out from the crowd uniting all email servers in a single network and allowing users to send and receive email to the Internet from within Tor.

    More than a dozen OnionMail servers are listed on the homepage. To open an account you only need to select one of them with Tor installed on your computer, or download a Python script that can be used in Tails to configure your email client. Windows users can download a beta version of OnionMail, and more technically advanced people can install OnionMail on a rooted Android device with Orbot, a free proxy app that runs Tor, the K9 Mail client, and APG, a PGP key manager.

    OnionMail does not hide that it has been specifically developed to stop the NSA and similar espionage agencies from following you. The developers know what they are up against and they make sure that their zero knowledge design will withstand rogue operators and mail server seizure, which leaves a trojan horse or spear phishing attack as the only way to get into your email account.

    A very well designed, thought out email system with good documentation and help screenshots that has all a security paranoid person can wish for: anonymity, encryption, free and running on Tor.

    Visit OnionMail homepage

  • StegoTorus a camouflage tool to hide Tor traffic

    StegoTorus is an open source tool that disguises Tor traffic by making it look like an innocuous protocol. This foils packet analysis, making Tor harder to monitor and block. A client and server are both available for download. The software is available for Linux, Mac and Windows, but it is command line operated and it has to be compiled from source, so you will have to be knowledgeable in computers to benefit from it. The StegoTorus website has clear instructions on how to do this; it is not exceptionally challenging.

    Any Tor operator can run StegoTorus in their own bridge. Tor bridges are relays not listed in the main directory; they are intended for people living in countries where public Tor nodes are blocked. Bridges can be acquired by sending an email to bridges@torproject.org from Yahoo or Gmail accounts only.

    When you run StegoTorus with Tor, an intermediate connection is created to a StegoTorus server acting as the first node to the network. The software running on that server will camouflage all traffic as PDF, JPEG or HTTP: a payload is introduced in the downstream data before passing it on to you, with the real requested file or website visited hidden using steganography techniques. A StegoTorus proxy will make anybody watching network traffic believe that no Tor connection is taking place. Your Internet browsing should not slow down noticeably, as the payload injection is done within milliseconds.

    If you are worried about Deep Packet Inspection by your ISP, used by China and Iran among others, your only choice to avoid blockage is what the Tor project calls Pluggable Transports. These are used together with secret Tor relays, aka bridges, and they transform traffic to hide that you are using Tor. A few supported transport types for Tor bridges are Obfsproxy, ScrambleSuit and Format-Transforming Encryption. Other schemes like SkypeMorph and StegoTorus can be deployed but they are not officially supported; although both projects are listed on the Tor project Bridges website, bridges of this type cannot be requested by email.

    If you know of a bridge that is running StegoTorus, you can connect to that node going to the Tor browser network settings and entering the custom bridge address that leads to it.

    Visit StegoTorus homepage

  • Review free anonymous surfing proxy Browsec

    Browsec is an anonymous Internet surfing addon for your browser. This is not a real VPN: applications you have installed, like FTP, Bittorrent and the like, will not be tunnelled. Browsec only hides your computer IP for Internet browsing and nothing else. I am always very cautious when something is provided for free; my logic is that if I am not paying for it, the company must be covering expenses some other way.

    Browsec’s privacy policy discloses that they collect information about your surfing habits when the proxy is switched on, and that the data can be used for monitoring and research. It is also disclosed that, after anonymising the data, it can be shared with business partners. This is a standard way of funding for most unlimited VPN providers: you normally get hassled to upgrade the service to a paid package or, like in this case, the company makes money selling your data to outsiders.

    It was alarming to me that there is no physical office and no information about the company behind Browsec; all they have is a support email address. Obviously this is not a privacy friendly company, but I was willing to give them a go to be able to read the news and play online games behind a firewall, evading visits to banking or email accounts to ward off opportunities of passwords being captured.

    There are two ways to get Browsec. You can install a Chrome browser extension from the official Chrome store, which gave me some reassurance knowing that Google monitors extensions for viruses. The other way is to download a portable Firefox browser with Browsec embedded, or you can find it on the official Mozilla Firefox addons website.

    I decided to download the portable Firefox browser. The first thing I did before launching the browser was to scan it for viruses with Bitdefender; nothing dangerous was found. I ran the package and extracted the files inside a folder on my hard drive, initialising the Firefox portable browser by clicking on FirefoxPortable.exe. The first thing I noticed was that, surprisingly, the addon was not enabled by default; I had to access the Firefox menu and start Browsec manually. When this is done a shield button appears on the browser toolbar, and clicking on it activates or deactivates the proxy.

    Only a single location in the Netherlands is provided; you can’t choose between countries or servers. Speed was decent: I am on a 10Mbps home connection and I was getting 9Mbps, perfectly acceptable. But a single location is not going to help you stream online content from USA or UK online TV. You can’t even use this proxy to stream online content from the Netherlands where the proxy is located: when you visit Google services like YouTube, Google believes that you are in Russia, so you can only watch online content available in Russia.

    After a minute of browsing the Internet with Browsec, Bitdefender warns me that it has found a potentially malicious application and it has deleted a file named brwsc.exe from my drive, alleging that “the application’s behaviour can harm your computer”. This is when it comes to my mind that Bitdefender detected the virus after I activated the addon; when it first scanned Firefox Portable it gave me the all clear, but Browsec ships disabled.

    Bitdefender didn’t name a specific trojan horse or virus; the detection was based on the addon behaviour, probably because Browsec collects data about my browsing habits. It would be unfair to claim that Browsec contains a trojan horse. This would not be the first time that my antivirus wrongly claims a VPN service behaviour can be harmful, and it inspires a little trust in me that the Browsec addon can be downloaded from the official Chrome and Firefox websites, but the red flag from my antivirus put me off.

    The number of days that it would take me to do a clean reinstall if my computer is infected, and the economic damage that I would incur if a trojan horse captures my passwords, persuaded me that it works out cheaper paying $5/month for a trusted VPN that does not sell my data than living with the uncertainty of not knowing what is going on with the proxy when I surf the Internet.

    My conclusion is that the addon works and speed is fantastic, but you are selling your data to Browsec and the file is flagged as harmful by some antivirus. Do you really want to take that risk? Your call.

    Visit Browsec homepage

  • Decentralised group communications with matrix

    Matrix is a new open source standard for secure real time communications using end to end encryption. It can be used for video calls, voice, text, file transfers and anything that developers want to build on top of it. Matrix server infrastructure is made up of multiple nodes talking to each other, which puts an end to the current fragmentation of messaging apps that forces people to have the same software installed to be able to talk with each other.

    Unlike WhatsApp/Viber/LINE/Kik and similar apps needing sovereign installation, matrix is identity agnostic; the ecosystem runs an open federation model where anybody can run their own matrix server and join the network.

    Identity servers track which emails and messages belong to which matrix ID. Chat rooms do not exist on any single server; they are shared across multiple participating servers, and each participating server can choose to publish its own alias. Several different aliases can lead to the same room depending on what server you are using.

    I joined a matrix test server. It was only necessary to pick a username and a password; there is no obligation to provide any email address, although specifying one lets other users find you on Matrix more easily and gives you a way to reset your password in the future. If you opt for email registration a verification code is sent to your address. The registration process took me less than a minute.

    After logging in you can see multiple public chat rooms. This is nothing like IRC: matrix is more multimedia centric and it lets you call and post inline photos to the whole chatroom. You can have an avatar, set notifications that are triggered when somebody types a keyword in the chatroom, and send SMS messages to a phone number using the web gateway, currently free during beta testing, but a Paypal account must be linked for security to stop abuse.

    The interface was fairly easy to use and it certainly looks better than the old IRC, but I am just happy using a jabber instant messenger to communicate; I don’t see a special need for a matrix network. I favour the idea of not having to adopt multiple providers to communicate with other people and not relying on a single cloud server for communications, but as a user I don’t care if it is a matrix or XMPP server. I couldn’t see that many differences between them; most of the things that matrix can do can also be achieved with a jabber client.

    Visit matrix homepage

  • Android encrypted video recording app Strongbox

    Strongbox is a free open source app for human rights and privacy activists to be able to record video with their phones without having to worry about the device being lost or seized, although in some countries you can be charged for not revealing your password to law enforcement.

    The app is really simple to use. When you launch it for the first time you will be prompted to compose a passphrase to locally encrypt the videos; if you forget the passphrase, all data will be unrecoverable and lost.

    Straight away after login you enter the video mode, with two big buttons at the bottom of the screen. The one represented by a camera logo starts the recording when tapped; the other button, represented by a memory card logo, gives you access to the video library.

    Stored videos have timestamps next to them; you can view the video on your phone, delete it or upload it to a server. Strongbox gives an internal IP address where the video should be uploaded. I found it confusing: being an internal IP, many people will not realise it is their own computer IP. Another thing is that when you erase a video no confirmation is asked for, and files can be deleted by mistake.

    Footage is encrypted on the fly as you film; files never touch the memory card, and videos are stored inside the encrypted container in Strongbox. The encryption algorithm used is AES 256-bit in GCM mode, which provides confidentiality and integrity. A lock allows you to instantly close down the app, preventing access to the videos with one tap.

    I would use this app to keep my own videos private and not much more. I found the sharing options lacking; that is a problem if your phone is seized. An oppressive law enforcement agency will not be able to view the recordings, but you will have lost access to what could be indispensable footage of abuse. I wish there was an easy way to quickly get the videos out of the phone.

    This is a basic app with basic functions using standard encryption that can be checked for bugs and backdoors, probably useful to keep video clips of your girlfriend intended for personal viewing encrypted.

    Visit Strongbox in Google Play

  • Top anonymous digital currencies for untraceable payments

    The aim of the currencies below is to make it impossible for an investigator to analyze a public ledger, known as block chain in Bitcoin, and to hide the identities of those making and receiving payments. Other advantages are that the money can not be seized and transaction fees are very low or non existent.

    WARNING! The world of cryptocurrencies contains elaborate scams, pump and dump and pyramid schemes. I am not endorsing any of the currencies below; it is your duty to double check claims about anonymity and trust.

    Dash (DASH): One of the most popular, Digital Cash is a Bitcoin based electronic currency focused on privacy. The wallet contains a coin mixer, and you have the choice to make your financial operations public or anonymous, using a decentralized network of servers called masternodes that anonymize the transaction. The level of anonymity can be configured to between 2 and 8 node hops. Digital Cash coins can be earned if you help the network by running a masternode, but this is not necessary.

    CloakCoin (CLOAK): Every CloakCoin user becomes part of the network, which increases anonymity. In exchange for keeping your wallet open and helping others be anonymous, you earn interest on the CloakCoins you hold. A built in decentralized market called OneMarket can be used to spend your currency anonymously; anybody can advertise and buy services or goods in OneMarket, or you can exchange your coins in CloakTrade.

    ShadowCash (SDC): Decentralised cryptocurrency with the choice of making public or private anonymous payments. When you open your wallet it will help run the peer to peer network and you will be compensated with electronic cash. ShadowCash comes with an embedded private messenger that encrypts communications and allows you to talk with other users on the network.

    LEOCoin (LEO): The Learning Enterprise Organisation coin has a focus on being user friendly. It has a decentralized peer to peer payment system with proof of work and proof of stake validation. The public ledger is encrypted. An article in Coindesk has scam accusations against the developers of this currency. I would be very careful with it; the accusations are somehow substantiated with real facts.

    AnonCoin (ANC): Anonymous cryptocurrency with native support for the I2P network; it can also be used over Tor. AnonCoin not only decentralizes operations but also anonymizes computer IPs when you connect to a client. This currency has been around for two years and development is very active, with good documentation, a Wiki and discussion forum. It can be traded in various exchanges.

    Monero (XMR): Open source untraceable currency using peer to peer transactions and a distributed public ledger, receipts and money transfers remain private by default. Ring signatures add a degree of ambiguity to make it harder to link a transaction with an individual computer. This currency can be integrated in the I2P anonymous network and you can run a full node if you want to, another choice is to use a web based Monero account.

    BitcoinDark (BTCD): It has a very novel unproven approach to currency anonymity, BitcoinDark uses what they call Teleport to clone and exchange currency denominations out of the block chain. A hard to understand technology, first generation cryptocurrency. BitcoinDark is part of SuperNET, a decentralized currency exchange that makes it very difficult to steal digital currency by storing it in multiple nodes.

  • Zendo a One Time Pad encryption messaging app

    Zendo is a free iPhone and Android app for encrypted chat. Users communicate directly with each other using One Time Pad encryption keys that they will have previously exchanged in person.

    After installing the app you will see two options on the screen, one displaying a QR code and a second button to scan other people’s codes. Pointing your phone camera at the QR code seen on the screen of your friend’s phone authenticates both devices via Wi-Fi Direct and encrypts the connection with AES256; it then exchanges multiple One Time Pad encryption keys (0.5MB). If anybody listened nearby and captured the exchange you would not have to worry, as the connection was initially encrypted.

    The strength of One Time Pad encryption is that a new key is used for each one of your messages. This is why you need multiple keys, and why if anybody managed to crack one of the keys they would only be able to read a single message; to be able to decipher a whole conversation, your adversary would have to crack hundreds or thousands of encryption keys.

    Another security feature is that the messages and photos you send are encrypted before they leave your phone. To extend the longevity of One Time Pad encryption keys, photos are encrypted with AES 256-bit.

    In advanced settings an “Out-of-Band Messaging” option enables you to send encrypted Zendo messages via email or SMS; you are not required to use Zendo servers to deliver messages to other users you have exchanged keys with. Another option deletes all messages on close: ticking the box will automatically erase all messages and photos when you close the app, while keeping your contacts and the encryption keys you have exchanged. A third option steps up security to paranoid level, allowing you to exchange large encryption keys; this choice will reduce phone performance on low end devices.

    For privacy, Zendo servers do not log any IP, they are quickly erased, and you never give the company any email address or phone number; contact list, messages and photos remain on your phone and not on Zendo servers. The company can’t spy or help anybody spy on you with the information and capabilities they have.

    When you run out of One Time Pad encryption keys you will have to meet again in person and top up, this will seem annoying to many people but it is a good excuse to have a face to face meeting with somebody, there is a certain social element in Zendo. This is an app to communicate with people you know in real life and are close to you. The biggest downside of high security is usability as Zendo proves, you can’t use this app to chat with people you just met, keys can not be sent over the Internet.
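
    The pad bookkeeping described above (a fresh stretch of key for every message, and a top-up in person once the pad runs out), as an added Python example that is not Zendo's code. The OneTimePad class, its offset-based framing and the 32-byte sample pad are assumptions made for illustration.

```python
import secrets


class PadExhausted(Exception):
    """Not enough unused pad left; the two users must exchange a new pad."""


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, key))


class OneTimePad:
    """One device's copy of a pad exchanged in person (hypothetical class)."""

    def __init__(self, material: bytes):
        self._pad = bytearray(material)
        self._offset = 0  # index of the first pad byte that has never been used

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _consume(self, start: int, length: int) -> bytes:
        if start < self._offset:
            raise ValueError("pad bytes already used: refusing to reuse key material")
        if start + length > len(self._pad):
            raise PadExhausted(f"need {length} bytes, only {len(self._pad) - start} left")
        key = bytes(self._pad[start:start + length])
        # Zero everything up to the end of this message so used (or skipped)
        # key bytes cannot be recovered from the device later.
        self._pad[self._offset:start + length] = bytes(start + length - self._offset)
        self._offset = start + length
        return key

    def encrypt(self, plaintext: bytes):
        """Return (pad offset, ciphertext); the offset travels with the message."""
        start = self._offset
        return start, xor(plaintext, self._consume(start, len(plaintext)))

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        return xor(ciphertext, self._consume(start, len(ciphertext)))


def demo() -> dict:
    material = secrets.token_bytes(32)  # constructed sample, far smaller than a real pad
    alice, bob = OneTimePad(material), OneTimePad(material)
    start, ct = alice.encrypt(b"meet at noon")
    result = {"plaintext": bob.decrypt(start, ct), "left": alice.remaining}
    try:
        bob.decrypt(start, ct)        # a replay would reuse pad bytes
    except ValueError:
        result["replay_rejected"] = True
    try:
        alice.encrypt(b"x" * 64)      # longer than the 20 bytes still unused
    except PadExhausted:
        result["exhausted"] = True
    # Why reuse is refused: two messages under the same key bytes cancel the key
    # out, leaving the XOR of the two plaintexts with no key needed.
    p1, p2, key = b"monday", b"friday", material[:6]
    result["reuse_leaks"] = xor(xor(p1, key), xor(p2, key)) == xor(p1, p2)
    return result


if __name__ == "__main__":
    print(demo())
```

    Plain XOR with a pad gives confidentiality only; a ciphertext can still be altered in transit without detection unless a separate integrity check is added.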

    Zendo is a niche app where the person you are chatting with will be as overtly suspicious about privacy and security as you are, I see next to zero options to convince my friends to use it otherwise. The app is not open source but the code was opened for an independent audit. The developers say that Zendo will always be free, monetization will be made in the form of premium features to be added in the future.

    Before using this app remember that, no matter how secure your messaging app is, if somebody manages to introduce a virus in your smartphone, they will be able to read everything, security has to be implemented all over the device.

    Visit Zendo in the Apple Store or Visit Zendo in Google play