Category: Anonymity

Internet anonymity

  • Lelantos, a secure, anonymous email provider through Tor


    Lelantos is a privacy-focused email provider that is only accessible through Tor but can exchange messages with any Internet-wide email service such as Gmail or Yahoo. The owners, a small unidentified group of people, claim that all data on the server is encrypted, with data backups located in different countries.

    When you open a Lelantos email account you initially get a @lelantos.org address. That domain name is currently registered to someone called Ryan Harris living in Canada, and the DNS servers are set to Domains4Bitcoins. The little one can gather from this is that Lelantos is paying for the domain registration with Bitcoins; the registration details in Canada might or might not be fake.

    To stop other people from knowing that you are using a Tor email service, Lelantos gives you a choice of multiple private, clean domain names that are not listed anywhere and not linked to the Tor network. Lelantos obviously doesn’t have access to your computer IP, since the only way for you to read and send messages is through Tor.

    Anonymous Tor email provider Lelantos

    Lelantos webmail has two interfaces: a SquirrelMail layout that does not need Javascript enabled to log in and a RoundCube interface that needs Javascript. I have used both interfaces and there isn’t too much difference between them; RoundCube looks more modern and has drag and drop, but the main functions work the same. If you are serious about privacy, go for the SquirrelMail interface with no Javascript.

    Another way to protect yourself against browser exploits is to use Lelantos’ IMAP and SMTP .onion servers with TLS. For this you have to set up your email program with a SOCKS proxy and run Tor on your computer. Unfortunately few email programs support SOCKS proxies; I suggest the free open source Thunderbird email client from the Mozilla Foundation.

    Lelantos’ terms and conditions forbid using their email service to transmit child pornography, spam or violent threats. If you breach their Acceptable Use Policy your account could be terminated.

    This is not a free email provider; you have to pay some Bitcoins to fund service maintenance. I think that it is not unreasonable, since they also provide support, with a public PGP encryption key available to communicate with Lelantos staff. For extra security it is best to anonymize your bitcoins with a laundering service like Bitlaundry, but as long as bitcoin payments cannot be linked to a specific email account it should be fine.

    Lelantos Tor address: http://lelantoss7bcnwbv.onion

  • Tor service operator arrested, malware inserted in Tor sites


    The Freedom Host administrator has been arrested in Ireland and is currently awaiting extradition to the US, being described by an FBI special agent as “the largest facilitator of child porn on the planet.” Freedom Host was a service inside the Tor network hosting anonymous content that could consist of anything, ranging from leaked documents to hacking tools and illegal images.

    Tor Project’s Executive Director has confirmed in his blog that Freedom Host servers were breached before going offline, and it is claimed that hidden Tor sites in Freedom Host had been injecting a javascript exploit in an attempt to identify its users. The vulnerability only worked in Firefox 17, on which Tor Browser Bundle is based, so the bundle is vulnerable; the developers had recently turned on javascript by default in an attempt to make it more user friendly. People using the NoScript addon or the Tails live DVD to access Freedom Host hidden sites should have been protected from the exploit.

    Freedom Host Tor operator arrested

    OnionNews posters also link the FreedomHost administrator with Tormail and a Bitcoin escrow service called OnionBank; those services should be considered compromised by law enforcement as well.

    It is important to remember that what has been seized are servers belonging to an individual running various Tor services. This is not a Tor network vulnerability; as long as you did not run the Tor Browser Bundle you should be safe. Hidden sites running on different servers should also be safe, but this sends a strong message that what has happened to one operator might happen to others. The lesson learnt here is that you should always disable javascript in your browser.

    More info: Tor Project official blog 

  • Anonymously submit documents to the press with StrongBox


    Strongbox is a tool from The New Yorker magazine to anonymously submit files and messages to journalists using the Tor network. The project was put together by political activist Aaron Swartz, who died a few months ago, and Kevin Poulsen. StrongBox’s code is called DeadDrop and will eventually be released as open source for news agencies and individuals to implement as they wish. DeadDrop runs on a hardened Ubuntu environment and includes setup instructions and scripts. The code is written in Python; it accepts document submissions and encrypts them with GPG for storage, then creates a random codename so that the submitter can be contacted anonymously without using email. Three servers are used to anonymize the submission process: one is public and contains the interface, another stores the encrypted messages, and the third monitors the other two for security breaches.

    StrongBox anonymous document leak DeadDrop

    The New Yorker public server also uses a plugged-in USB dongle to strengthen encryption entropy, helping create a pool of random numbers. Their journalists use a VPN to download the encrypted data onto a USB thumbdrive. The information is decrypted on a laptop that has no Internet access, to avoid malware infection, running a live CD to keep temporary files off the computer hard drive and make data recovery impossible. The GPG private decryption keys are kept on a different USB thumbdrive, also plugged into the same laptop prior to viewing the documents. It is a smart setup that makes it impossible for a New Yorker journalist to learn the submitter’s computer IP, so they cannot be compelled to reveal something they don’t know. The only missing thing is a metadata scrubber: if the documents you are passing on contain metadata, and most government and company files do, the original leak source could be found out. You should use BatchPurifier first to get rid of hidden data before submitting any file.
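    To show what such hidden data looks like, the following added example (not part of the original post, and not BatchPurifier or DeadDrop code) lists and blanks identifying document properties in an Office Open XML file such as a .docx, and resets the ZIP container timestamps. The function names and the sample package with its property values are constructed for illustration.

```python
import io
import re
import zipfile

# Package parts of an Office Open XML file (.docx/.xlsx/.pptx) that hold document properties.
PROPERTY_PARTS = {"docProps/core.xml", "docProps/app.xml"}
# Opening tag of an identifying property (group 1), its name (group 2), its value (group 3).
FIELD = re.compile(
    r"(<(?:\w+:)?(creator|lastModifiedBy|created|modified|Company|Manager)(?:\s[^>]*)?>)([^<]*)"
)
EPOCH = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the ZIP format can store


def list_metadata(data):
    """Return {property: value} for identifying properties found in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in PROPERTY_PARTS:
                text = zf.read(name).decode("utf-8", "replace")
                found.update({k: v for _tag, k, v in FIELD.findall(text) if v})
    return found


def scrub(data):
    """Copy the package, blanking property values and resetting entry timestamps."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            body = src.read(info.filename)
            if info.filename in PROPERTY_PARTS:
                body = FIELD.sub(r"\1", body.decode("utf-8", "replace")).encode("utf-8")
            clean = zipfile.ZipInfo(info.filename, date_time=EPOCH)
            dst.writestr(clean, body, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()


def make_sample():
    """Constructed sample: a minimal package with made-up property values."""
    core = ('<cp:coreProperties xmlns:cp="urn:x" xmlns:dc="urn:y">'
            "<dc:creator>j.doe</dc:creator>"
            "<cp:lastModifiedBy>WORKSTATION-12</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app = '<Properties xmlns="urn:z"><Company>Example Corp</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<w:document>body text</w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample()
    print("before:", list_metadata(sample))
    print("after: ", list_metadata(scrub(sample)))
```

    This only covers the document-properties parts and the container timestamps; tracked changes, comments and metadata inside embedded images are not touched and still need a dedicated scrubber.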

    Visit StrongBox homepage

  • Anonymous P2P encrypted messages with Bitmessage


    Bitmessage is an open source P2P program utilizing a Bitcoin-like protocol that, instead of sending money, sends anonymous encrypted messages to one or multiple people at once. The application has a portable mode that does not need installation; it uses 2048-bit RSA encryption keys stored inside a keys.dat file, which can be opened with any text editor, and OpenSSL for cryptographic functions. Bitmessage’s cryptic addresses closely resemble a Bitcoin address. The best part is that both keys are compatible: Bitmessage uses the other party’s public key to print their Bitcoin address in the console, which can be used to send them money.

    Bitmessage sends data over its own P2P network. The nodes store messages for two days before erasing them, and new nodes joining the network will download and broadcast the pool messages from the last two days. To stop spam, the sender is required to spend computational processing power for each message he sends, modelled on the Hashcash antispam scheme and the Bitcoin mining system; the protocol has been designed to be scalable as needed. I sent a small text message to a friend and it only took a few seconds of waiting for it to be processed; a “Doing work necessary to send message” warning will be displayed while you wait and your computer CPU works. I also subscribed to an open Bitmessage mailing list using the subscription tab by simply adding the address “BM-BbkPSZbzPwpVcYZpU4yHwf9ZPEapN5Zx
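    The per-message work described above can be illustrated with a Hashcash-style sketch. This is an added example, not code from the original post or from the Bitmessage project; the double SHA-512 construction, the parameter names and the deliberately low difficulty values are assumptions chosen for illustration.

```python
import hashlib
import struct

# Demo difficulty (assumed values, set low so the example finishes quickly).
TRIALS_PER_BYTE = 20
EXTRA_BYTES = 100


def pow_target(payload_len):
    """Smaller target means more work; it shrinks as the message gets longer."""
    return 2**64 // (TRIALS_PER_BYTE * (payload_len + EXTRA_BYTES))


def trial_value(nonce, initial_hash):
    """First 8 bytes of SHA-512(SHA-512(nonce || initial_hash)) as an integer."""
    inner = hashlib.sha512(struct.pack(">Q", nonce) + initial_hash).digest()
    return struct.unpack(">Q", hashlib.sha512(inner).digest()[:8])[0]


def do_work(payload):
    """Sender side: try nonces until the trial value falls under the target."""
    target = pow_target(len(payload))
    initial_hash = hashlib.sha512(payload).digest()
    nonce = 0
    while trial_value(nonce, initial_hash) > target:
        nonce += 1
    return nonce


def check_work(payload, nonce):
    """Receiving node: one double hash is enough to verify the sender's work."""
    initial_hash = hashlib.sha512(payload).digest()
    return trial_value(nonce, initial_hash) <= pow_target(len(payload))


if __name__ == "__main__":
    message = b"constructed sample message"
    nonce = do_work(message)
    print("nonce found after", nonce + 1, "trials; valid:", check_work(message, nonce))
    # The nonce is bound to the message content, so it cannot be reused for spam.
    print("same nonce on an altered message:", check_work(message + b"!", nonce))
```

    The asymmetry is the point: the sender pays thousands of hash trials per message, while every node that relays it verifies the work with a single check.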

    Bitmessage anonymous encrypted messages

    Other tabs in the program allow you to blacklist and whitelist addresses and to add contacts to your address book, broadcasting to everyone listed there or selecting just one contact. The tabbed system makes Bitmessage easy to use. You can also change the default listening port “8444” and the network settings, entering a SOCKS proxy. Only the key management was very primitive: it opened up Bitmessage keys using Notepad.

    You can create as many Bitmessage addresses as you like; creating and abandoning them is encouraged. There is an “Identity” tab from where you manage your addresses, and they can be labelled. Addresses can be generated using random numbers or a passphrase, the latter called a “deterministic address”. You can recreate this address on any computer from memory, without having to back up your keys.dat file, as long as you remember your passphrase, but you will need to know the passphrase to recreate the keys if you lose them, and you will also need to remember the address version and stream number. Choosing a weak passphrase could result in a brute force attack and your identity being stolen. Deterministic addresses can be made one or two characters shorter by spending a few extra minutes of computational processing power. These addresses are optional; I believe the random cryptic addresses to be more secure for those who are paranoid.

    Bitmessage encrypted mailing list

    Bitmessages are first encrypted and then sent to a common message pool shared by all users to hide sender and receiver; only those listed in the receiving address will be able to decrypt and read them. The program has been designed to only send text without any attachments. I did not test it, but theoretically it should be possible to send a jpeg photograph. After erasing a message there is no trash can to retrieve it from, but it will still be present on your hard drive and can be viewed manually with a bit of work.

    I used Bitmessage with a VPN and I did not experience any problem besides a coloured network status code that turned yellow, indicating that my firewall or router couldn’t forward TCP connections. This is not a big problem; it only meant that my node was not relaying messages to other nodes for other people, but I could still receive and send them. As long as someone in the network has the green network status, messages can be passed on between peers.

    Note: The software is currently a beta release in testing.

    Visit Bitmessage homepage

  • KProxy Agent, a portable Internet browser with proxy


    KProxy Agent is a Chrome-based portable browser that comes preconfigured to handle HTTP requests through one of the free KProxy network of IPs to bypass Internet filtering. People using public computers at work and college will find it useful to access Facebook, YouTube and other typically blocked entertainment sites. The browser runs in Incognito mode by default (known as Private Browsing in Firefox). Chrome Incognito mode executes in RAM and does not store browsing history, cookies or cache on the hard drive, so browsing traces will be gone and non-recoverable after you close KProxy Agent. The developers claim that the proxies encrypt data between the browser and the sites you visit, so that any passwords or email you send cannot be intercepted by anyone listening in, which makes this tool suitable for security on public Wi-Fi access points.

    The speed tests I carried out on the free proxies gave me around 2MB-4MB, which is enough to watch online TV. Taking advantage of this, I managed to bypass geoblocking filtering and I was able to watch Hulu from outside the US without problems. Unfortunately the ping rate wasn’t so impressive and browsing Internet sites felt slow at times; I solved it by choosing a different proxy server closer to home.

    KProxy Agent portable proxy browser

    KProxy Agent has been developed in Java and will not work if Java is not installed. Java has had numerous security problems in the past but it benefits from being multi-platform: this portable browser will run on Windows, Mac and Linux or any other OS that has Java installed. Switching between proxies can be done in a matter of seconds with a couple of mouse clicks, but only US and German proxies could be found in the proxy list. KProxy Agent could benefit from more detailed proxy information: instead of having ten different public proxies with the American flag next to them, they could point out where exactly in the US each proxy is located, East or West coast, and list the server load for each one of the proxies so that the user can choose the best one.

    It seems that KProxy Agent’s developers intend to make money with this program by getting people to upgrade to their faster premium proxy service. You will find KProxy Pro mentioned around, but in a non-obstructive way. If you only use an Internet censorship bypass tool occasionally, the free version is just fine; you only need to trust KProxy’s owners with your data, just as happens with all other proxy or VPN services.

    Visit KProxy Agent homepage

  • Post anonymous encrypted Twitter messages with AnonTwi


    AnonTwi is an open source project to encrypt Twitter and Identi.ca public and private messages while hiding the poster’s computer IP. The program interacts with the Twitter API using SSL, which stops ISP eavesdropping for certain keywords. The connection to Twitter servers can be anonymised with a SOCKS or Tor proxy and by sending random HTTP header values. Long messages that do not fit in a single Tweet will be split, and decryption of URLs and raw data is automatic for anyone using the AnonTwi client. Messages can be stored on your hard drive, so even if Twitter deletes the account you would still be able to read the messages.

    Encryption is performed with AES and SHA1, which are meant to be uncrackable if implemented correctly. Since AnonTwi’s source code is available for download, it can be checked for hidden backdoors and coding quality.

    AnonTwi anonymous encrypted Twitter messages

    Other privacy options include the possibility of sending a fake GPS geolocation to make it appear that you are tweeting from a different country; the client can be instructed to insert a random GPS value with each tweet. Another choice called “suicide” will attempt to delete all of your tweets and private messages and close your account. AnonTwi supports UTF-8 and Unicode characters to write in Arabic or Chinese and post symbols with detailed colourful outputs, and it works on Windows, Mac OS and Linux. Originally released as a command line only tool, it now has an interface that goes with it. You will need to get Twitter API tokens before you can use AnonTwi. This is not difficult; anyone can open a Twitter developers account and retrieve the API tokens with Tor.

    Normally you would want as many people as possible to read your Twitter messages, so it is probably best to use this tool simply to hide your computer IP when posting public Tweets and keep the encrypted option for private messages only. The other party will need to know a previously agreed password before he can read encrypted communication.

    Visit AnonTwi homepage

  • Review of VPN provider Kepard


    Kepard is a newcomer to the crowded VPN arena. They have not been around for long but show some commitment to their business, having invested in an easy to navigate website, various VPN locations across continents and a user friendly VPN client that works on Windows, Linux, Mac, Android and iOS, supporting the PPTP, L2TP and OpenVPN protocols in UDP or TCP (to bypass firewalls) mode.

    Kepard has server locations in the USA, Canada, Netherlands, UK and Germany. I tested their speed a few times and I got an average of 5Mbps, which is plenty to stream high definition video; I had no problem watching US TV websites like ABC and Hulu from abroad. The Netherlands server can be used for filesharing and there are no bandwidth restrictions. You can connect up to two devices at the same time with a single account.

    I really loved their lightweight VPN software. You should be able to appreciate in the screenshot below that it is very easy to configure and set up, and it has a very clear layout that allows you to see at all times what country you are connected to and change your computer IP with a single click. I was disconnected a couple of times while using L2TP and my computer IP did not leak; when this happened I would get a page not found message while trying to surf the Internet. If you can’t make the VPN client work on your computer, the support team will use Teamviewer to help you out if necessary; support tickets are logged and replied to in around 24 hours or less.

    Kepard OpenVPN software

    Kepard can be used for 30 minutes every day for free, allowing you to test their services at no risk. The websites you visit aren’t logged, and connection IP logs are kept for 3 days to deal with spammers and abuse; after this they are gone for ever. The VPN headquarters are located in the Republic of Moldova, a non-EU country, making it difficult for US authorities to abuse their power and issue a malicious international subpoena before the logs have been erased.

    All I could find against Kepard is that pseudo-anonymous payment systems like Bitcoin are not available (they only accept Paypal and credit card) and that they do not have as many server locations as some of the big VPN companies, but how many people really use all of those locations? I have previously been with a VPN service that had over two dozen servers spread worldwide and I found myself always using the same three countries, unable to use any of their Asian servers because the ping rate to my home country in Europe was too high and it slowed down my internet browsing.

    This can be a good VPN for those who value privacy, thanks to the clear low-retention log policy found in their FAQ and their high speed servers with unlimited bandwidth. Support is not outsourced, so the team is able to give you a personal reply to your problems instead of a copy and paste answer, and they also have a refer-a-friend program rewarding customers with 1 month of free VPN service for each friend who signs up with them.

    Visit Kepard homepage