Kushal Das

FOSS and life. Kushal Das talks here.

kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion

Fedora 28 template is available on QubesOS

In case you missed the news, Fedora 28 is now available as a template in Qubes OS 4.0. Fedora 26 will reach end of life on 2018-06-01, which means this is a good time for everyone to upgrade. Use the following command in your dom0 to install the template. The template is more than 1GB in size, so it will take some time to download.

$ sudo qubes-dom0-update qubes-template-fedora-28

After installation, remember to start the template, update it, and install all the required applications there. The next step is to use this template everywhere.

Btw, we do have the latest Python 3.6.5 in Fedora 28 :)

$ python3
Python 3.6.5 (default, Mar 29 2018, 18:20:46)
[GCC 8.0.1 20180317 (Red Hat 8.0.1-0.19)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

dgplug summer training 2018

dgplug summer training 2018 will start at 13:30 UTC, 17th June. This will be the 11th edition. Like every year, we have modified the training based on the feedback and, of course, there will be more experiments to try and make it better.

What happened differently in 2017?

We did not manage to get all the guest sessions mentioned, but we moved the guest sessions to the later stage of the training. This ensured that only the really interested people were attending, so there was a better chance of having an actual conversation during the sessions. As we received mostly positive feedback on that, we are going to do the same this year.

We had many more discussions among the participants in general than in previous years. Anwesha and I wrote an article about the history of Free Software, and we had a lot of discussion about political motivation and freedom in general during the training.

We also had an amazing detailed session on Aadhaar and how it is affecting (read destroying) India, by Kiran Jonnalagadda.

Besides, we started writing a new book to introduce the participants to the Linux command line. We tried to cover the basics of the Linux command line and the tools we use on a day-to-day basis.

Shakthi Kannan started Operation Blue Moon where he is helping individuals to get things done by managing their own sprints. All information on this project can be found in the aforementioned Github link.

What are the new plans in 2018?

We are living in an era of surveillance and the people in power are trying to hide facts from the people who are being governed. There are a number of Free Software projects which are helping the citizens of cyberspace to resist and bypass the blockades. This year we will focus on these applications and how one can start contributing to the same projects in upstream. A special focus will be given to The Tor project, both from users’ and developers’ points of view.

In 2017, a lot of people asked for help to start learning Go. So, this year we will do a basic introduction to Go in the training. Python will remain the primary choice for teaching, though.

How to join the training?

First, join our mailing list, and then join the IRC channel #dgplug on Freenode.

Remembering John Perry Barlow

I dream of a day, and it is not a crazy dream, when everybody on this planet who wants to know all about that is presently known about something, will be able to do so regardless of where he or she is. And I dream of a day where the right to know is understood as a natural human right, that extends to every being on the planet who is governed by anything. The right to know what its government is doing and how and why. -- John Perry Barlow

I met John Perry Barlow only once in my life, during his PyCon US 2014 keynote. I remember trying my best to stay calm as I walked towards him to start a conversation. After some time, he went up on the stage and started speaking. Even though I spoke with him very briefly, I still felt like I knew him for a long time.

This Saturday, April 7th, Electronic Frontier Foundation and Freedom of the Press Foundation organized the John Perry Barlow Symposium at the Internet Archive to celebrate the life and leadership of John Perry Barlow, or JPB as he was known to many of his friends and followers.

The event started around 2:30AM IST, and Anwesha and /me woke up at the right time to attend the whole event. Farhaan and Saptak also took part in watching the event live.

Cory Doctorow was set to open the event but was late due to closing down of SFO runways (he later mentioned that he was stuck for more than 5 hours). In his stead, Cindy Cohn, Executive Director of the Electronic Frontier Foundation, started the event. There were two main panel sessions, with 4 speakers in each, and everyone spoke about how Barlow inspired them, or about Internet freedom, and took questions after. But, before those sessions began, Ana Barlow spoke about her dad, and about how many people from different geographies were connected to JPB, and how he touched so many people’s lives.

The first panel had Mitch Kapor, Pam Samuelson, and Trevor Timm on the stage. Mitch started by talking about JPB’s writing from the 1990s and how he saw the future of the Internet. He also reminded us that most of the stories JPB told us were literally true :D. He reminded us that even though EFF started as a civil liberties organization, the Wall Street Journal characterized it as a hacker defense fund. Pam Samuelson spoke next, starting with a quote from JPB. Pam mentioned The Economy of Ideas, published in 1994 in Wired magazine, as Barlow’s best contribution to copyright.

Cory Doctorow came up on stage to introduce the next speaker, Trevor Timm, the executive director of Freedom of the Press Foundation (FPF). He particularly mentioned the SecureDrop project and its importance. I want to emphasize one quote from him.

It’s been observed that many people around the world, billions of people struggle under bad code written by callow silicon valley dude bros, those who hack up a few lines of code and then subject billions of people to its outcomes without any consideration of ethics.

Trevor talked about the initial days of Freedom of the Press Foundation, and how JPB was the organizational powerhouse behind the organization. On the day FPF was launched, JPB and Daniel Ellsberg wrote an article for the Huffington Post, named Crowd Funding the Right to Know.

When a government becomes invisible, it becomes unaccountable. To expose its lies, errors, and illegal acts is not treason, it is a moral responsibility. Leaks become the lifeblood of the Republic.

A few months after the above-mentioned article was published, one government employee was moved by the words, and contacted FPF board members (through Micah Lee). Later, when his name became public, Barlow posted the following tweet.

Next, Edward Snowden himself came in as the 4th speaker in the panel. He told a story which is not publicized much. He went back to his days at the NSA where, even though he was a high school dropout, he had a high salary and a very comfortable life. As he gained access to highly classified information, he realized that something was not right.

I realized what was legal, was not necessarily what was moral. I realized what is being made public, was not the same of what was true. -- Edward Snowden.

He talked about how EFF and JPB’s work gave direction to many decisions in his life. Snowden read Barlow’s A Declaration of the Independence of Cyberspace and perhaps that was the first seed of radicalization in his life. How Barlow chose people over living a very happy and easy life shows his alliance with us, the common people of the world.

After the first panel of speakers, Cory again took the stage to talk about privacy and the Internet. He spoke about why building technology that is safe for the world is important at this time in history.

After a break of a few minutes, the next panel of speakers came up on the stage: Shari Steele, John Gilmore, Steven Levy, and Joi Ito.

Shari was the first speaker in this group. While talking about her initial days after joining EFF, she mentioned how, even without knowing about JPB before, only one meeting converted her into a groupie. She described the first big legal fight of EFF, and how JPB wrote A Declaration of the Independence of Cyberspace during that time. She chose a quote from the same:

We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.

Later, John Gilmore pointed out a few quotes from JPB on LSD and how the American society tries to control everything. John explained why he thinks Barlow’s ideas were correct when it comes to psychedelic drugs and the effects on human brains. He mentioned how JPB cautioned us about distinguishing the data, information and the experience, in ways that are often forgotten today.

Next, Steven Levy kept skipping many different stories, choosing to focus on how amazingly Barlow decided to express his ideas. The many articles JPB wrote, helped to transform the view of web in our minds. Steven chose a quote from JPB’s biography (which will be published in June) to share with us:

If people code out for eight minutes like I did and then come back, they usually do so as a different person than the one who left. But I guess my brain doesn’t use all that much oxygen because I appeared to be the same guy, at least from the inside. For eight minutes, however, I had not just been gratefully dead, I had been plain, flat out, ordinary dead. It was then I decided the time had finally come for me to begin working on my book. Looking for a ghost writer was not really the issue. At the time, my main concern was to not be a ghost before the book itself was done.

I think Steven Levy chose the right words to describe Barlow in the last sentence of his talk:

Reading that book, makes me think that how much we are going to miss Barlow’s voice in this scary time for tech when our consensual hallucination is looking more and more like a bad trip.

When you talk to Dalai Lama, just like when you talk to John Perry Barlow, there is a deep sense of humor that comes from knowing how f***** up the world is, how unjust the world is, how terrible it is, but still being so connected to true nature, that it is so funny. -- Joi Ito

Joi mentioned that Barlow not only gave us a direction by writing the declaration of the independence of cyberspace, but also created different organizations to make sure that we start moving in that direction.

Amelia Barlow was the last speaker of the day. She went through the 25 Principles of Adult Behavior.

The day ended with a marching order from Cory Doctorow. He asked everyone to talk more about the Internet and technologies and how they are affecting our lives. If we think that everyone can understand the problems, that will be a very false hope. Most people still don’t think much about freedom and how the people in power control our lives using the same technologies we think are amazing. Talking to more people and helping them to understand the problem is a good start to the path of having a better future. And John Perry Barlow showed us how to walk on that path with his extraordinary life and willfulness of creating special bonds with everyone around him.

I want to specially thank the Internet Archive for hosting the event and allowing people like us who are in cyberspace to actually get the feeling of being in the room with everyone else.

Recording of the event Header image copyright: EFF

Using ZNC on Tor Network for Freenode and OFTC

The Tor network provides a safer way to access the Internet, without local ISP and government recording your every step on the Internet. We can use the same network to chat over IRC. For many FOSS contributors and activists across the world, IRC is a very common medium for a chat. In this blog post, we will learn about how to use ZNC with Tor for IRC.

Introducing ZNC

ZNC is an IRC bouncer program, which will allow your IRC client to stay detached from the server, but still receive and log the messages, so that when you connect a client later on, you will receive all the messages.

In this tutorial, we will use znc-1.6.6 (packaged in Fedora and EPEL). I am also going to guess that you already figured out the basic usage of ZNC.

Installing the required tools

$ sudo dnf install znc tor torsocks

Tor provides a SOCKS proxy at port 9050 (default value), but ZNC cannot use a SOCKS proxy easily. We will use the torify command from the torsocks package to use the SOCKS proxy.

ZNC service over Tor network

As a first step, we will make sure that we have the listener at the ZNC service listening as an Onion service. First, we will edit our /etc/tor/torrc file and add the following.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 8001 127.0.0.1:8001
HiddenServiceAuthorizeClient stealth hidden_service

After this, when we start the tor service, we will be able to find the .onion address and the HidServAuth value from the /var/lib/tor/hidden_service/hostname file.

# cat /var/lib/tor/hidden_service/hostname 
34aaaiwlmrandom8.onion SomeO/+yOOPjvaluetext # client: hidden_service

Now, I will be using a user account ftor on the server to run ZNC. The configuration files for ZNC are in the /home/ftor/.znc directory.

I have the following values in the ~/.znc/configs/znc.conf file for the listener.

<Listener listener0>
        AllowIRC = true
        AllowWeb = true
        Host = 127.0.0.1
        IPv4 = true
        IPv6 = false
        Port = 8001
        SSL = false
        URIPrefix = /
</Listener>

Here, I am making sure that the listener only listens to the localhost. We already mapped the port 8001 of localhost to our Onion service. This way the web frontend of ZNC is only available over Tor.

Now you can start the service. I will keep it running in the foreground along with debugging messages to make sure that things are working.

$ torify znc --debug

Connecting from web client

I am using xchat as the IRC client. I also have Tor installed on my local computer and added the following line to the /etc/tor/torrc file so that my system can find and connect to the Onion service.

HidServAuth 34aaaiwlmrandom8.onion SomeO/+yOOPjvaluetext

If you just want to connect to the ZNC web frontend using the Tor Browser, then you will have to add the same line to the Browser/TorBrowser/Data/Tor/torrc file inside the Tor Browser directory.

Connecting to OFTC network

Now we will connect to the OFTC IRC network. The Tor Project itself has all the IRC channels on this network. Make sure that you have a registered IRC nickname on this network.

Add the following configuration in the ZNC configuration file.

        <Network oftc>
                Encoding = ^UTF-8
                FloodBurst = 4
                FloodRate = 1.00
                IRCConnectEnabled = true
                JoinDelay = 0
                Nick = yournickname
                Server = irc4.oftc.net +6697

                <Chan #tor>
                        Buffer = 500
                </Chan>
        </Network>

Now let us start xchat with torify so that it can find our onion service.

$ torify xchat

Next, we will add our new ZNC service address as a new server, remember to have the password as zncusername/networkname:password. In the above case, the network name is oftc.

After adding the new server as mentioned above, you should be able to connect to it using xchat.

Connecting to Freenode network

Freenode provides an Onion service to its IRC network. This means your connection from the client (ZNC in this case) to the server is end-to-end encrypted and stays inside the Onion network itself. But, using this will require some extra work.

Creating SSL certificate for Freenode

On the server, we will have to create an SSL certificate.

$ openssl req -x509 -sha256 -nodes -days 1200 -newkey rsa:4096 -out user.pem -keyout user.pem

Remember to keep the name of the output file as user.pem, I had to spend a few hours debugging thanks to a wrong filename.

We will have to find the fingerprint of the certificate by using the following command.

$ openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'
eeeee345b4d9d123456789fa365f4b4b684b6666

Now connect to Freenode normally using your regular client (xchat in my case), and add this fingerprint to your nickname.

/msg NickServ CERT ADD eeeee345b4d9d123456789fa365f4b4b684b6666

You should be able to see the details using whois.

/whois yournick

Enable SASL and Cert module in ZNC

Next, we will move the certificate file to the right location so that ZNC can use it.

$ cp user.pem ~/.znc/users/<yourzncuser>/moddata/cert/user.pem

Remember to put the right ZNC username in the above command.

Add the following configuration for freenode network in the ZNC configuration file and restart ZNC.

        <Network freenode>
                FloodBurst = 4
                FloodRate = 1.00
                IRCConnectEnabled = true
                JoinDelay = 0
                LoadModule = simple_away
                LoadModule = cert
                LoadModule = sasl
                Nick = yourusername
                Server = freenodeok2gncmy.onion +6697
                TrustedServerFingerprint = 57:2d:6f:dc:90:27:0e:17:b6:89:46:4f:6a:a4:37:6e:e9:20:e1:cd:ee:f5:42:cd:3c:5a:a8:6d:17:16:f8:71


                <Chan #znc>
                </Chan>
        </Network>

Remember to update the nickname. At the end of the blog post, I will explain more about the server fingerprint.

Next, go to the *status tab in your client, and give the following commands to load the cert and sasl modules.

/query *status
loadmod cert
loadmod sasl
/msg *sasl Mechanism EXTERNAL
/query *status
Jump

The Jump command will try to reconnect to the Freenode IRC server. You should be able to see the debug output in the server for any error.

The story of the server fingerprint for Freenode

Because Freenode’s SSL certificate is not an EV certificate for the .onion address, ZNC will fail to connect normally. We will have to add the server fingerprint to the configuration so that we can connect. But, this step was failing for a long time, and the excellent folks in #znc helped me to debug the issue step by step. It seems the fingerprint given on the Freenode site is an old one, and we need the current fingerprint. We also have an issue filed on a related note.
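The two fingerprints in this post have different shapes: NickServ takes the SHA-1 of the client certificate as plain lowercase hex, while TrustedServerFingerprint is a colon-separated 32-byte value. The Python below is an added example (not part of the original post or of ZNC) that derives both forms from a PEM file and checks a pinned value against a certificate. It assumes the ZNC pin is the SHA-256 of the DER certificate, and the sample certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def cert_der_from_pem(pem_text):
    """Return the DER bytes of the first CERTIFICATE block.

    user.pem as created above holds the private key and the certificate
    in one file; only the certificate block is hashed, never the key.
    """
    match = CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def nickserv_fingerprint(der):
    """SHA-1, lowercase hex, no colons (same shape as the openssl | sed output)."""
    return hashlib.sha1(der).hexdigest()


def znc_fingerprint(der):
    """SHA-256, lowercase hex, colon separated (assumed TrustedServerFingerprint form)."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(pinned, der):
    """Compare a pinned fingerprint, in either notation, with a certificate."""
    pinned_hex = pinned.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", pinned_hex):
        raise ValueError("fingerprint is not hexadecimal")
    algo = {40: hashlib.sha1, 64: hashlib.sha256}.get(len(pinned_hex))
    if algo is None:
        raise ValueError("unsupported fingerprint length")
    return hmac.compare_digest(pinned_hex, algo(der).hexdigest())


# Constructed sample: placeholder bytes standing in for a DER certificate,
# wrapped in a file laid out like user.pem (key block first, then certificate).
SAMPLE_DER = bytes(range(64))
SAMPLE_USER_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# The pin from the ZNC configuration above; it will not match the sample.
PAGE_PIN = ("57:2d:6f:dc:90:27:0e:17:b6:89:46:4f:6a:a4:37:6e:"
            "e9:20:e1:cd:ee:f5:42:cd:3c:5a:a8:6d:17:16:f8:71")

if __name__ == "__main__":
    der = cert_der_from_pem(SAMPLE_USER_PEM)
    print("NickServ CERT ADD", nickserv_fingerprint(der))
    print("TrustedServerFingerprint =", znc_fingerprint(der))
    print("stale pin still valid?", pin_matches(PAGE_PIN, der))
```

A pin that stops matching, as happened with the value published on the Freenode site, shows up here as a False result rather than as a connection failure to debug.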

Finally, you may want to run the ZNC as a background process on the server.

$ torify znc

Tools versions

  • ZNC 1.6.6
  • tor 0.3.2.10
  • torsocks 2.2.0

If you have queries, feel free to join #znc on Freenode and #tor on OFTC network and ask for help.

Updated post

I have updated the post to use the torify command. This will make running znc much simpler than the tool mentioned previously.

Using Python to access Onion network over SOCKS proxy

Tor provides a SOCKS proxy so that any application can use it to connect to the Onion network. The default port is 9050. The Tor Browser also provides the same service on port 9150. In this post, we will see how we can use the same SOCKS proxy to access the Internet.

Using Python requests module

I used pipenv to install the dependencies.

$ pipenv install
$ pipenv shell
$ pipenv install requests[socks]
Installing requests[socks]…
Collecting requests[socks]
  Using cached requests-2.18.4-py2.py3-none-any.whl
Collecting chardet<3.1.0,>=3.0.2 (from requests[socks])
  Using cached chardet-3.0.4-py2.py3-none-any.whl
Collecting urllib3<1.23,>=1.21.1 (from requests[socks])
  Using cached urllib3-1.22-py2.py3-none-any.whl
Collecting idna<2.7,>=2.5 (from requests[socks])
  Using cached idna-2.6-py2.py3-none-any.whl
Collecting certifi>=2017.4.17 (from requests[socks])
  Using cached certifi-2018.1.18-py2.py3-none-any.whl
Collecting PySocks!=1.5.7,>=1.5.6; extra == "socks" (from requests[socks])
  Using cached PySocks-1.6.8.tar.gz
Building wheels for collected packages: PySocks
  Running setup.py bdist_wheel for PySocks: started
  Running setup.py bdist_wheel for PySocks: finished with status 'done'
  Stored in directory: /home/kdas/.cache/pip/wheels/77/f0/00/52f304b7dddcca8fca05ad1226382134ad50ba6c1662d7539e
Successfully built PySocks
Installing collected packages: chardet, urllib3, idna, certifi, PySocks, requests
Successfully installed PySocks-1.6.8 certifi-2018.1.18 chardet-3.0.4 idna-2.6 requests-2.18.4 urllib3-1.22

Adding requests[socks] to Pipfile's [packages]…
Pipfile.lock (711973) out of date, updating to (dcbf91)…
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Updated Pipfile.lock (dcbf91)!
Installing dependencies from Pipfile.lock (dcbf91)…
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 6/6 — 00:00:01

After this, writing the actual code is very simple, we will be doing a GET request to https://httpbin.org to find out our IP address.

import requests

def main():
    proxies = {
            'http': 'socks5h://127.0.0.1:9050',
            'https': 'socks5h://127.0.0.1:9050'
    }
    r = requests.get('https://httpbin.org/get', proxies=proxies)
    print(r.text)


if __name__ == '__main__':
    main()

If you look closely, you will find that I am using socks5h as the protocol, instead of socks5. The requests documentation mentions that using socks5h will make sure that DNS resolution happens over the proxy instead of on the client side.

The output of the code looks like below:

$ python usesocks.py 
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Accept-Encoding": "gzip, deflate", 
    "Connection": "close", 
    "Host": "httpbin.org", 
    "User-Agent": "python-requests/2.18.4"
  }, 
  "origin": "137.74.169.241", 
  "url": "https://httpbin.org/get"
}

$ python usesocks.py 
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Accept-Encoding": "gzip, deflate", 
    "Connection": "close", 
    "Host": "httpbin.org", 
    "User-Agent": "python-requests/2.18.4"
  }, 
  "origin": "77.247.181.162", 
  "url": "https://httpbin.org/get"
}

Now, you can use the same code to access any standard webservice or access any Onion address.
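To see what the socks5h choice changes on the wire, the added example below (not from the original post, and not PySocks' own code) builds the SOCKS5 CONNECT request defined in RFC 1928 for both modes and parses it back. The function names, the injected resolver and the 192.0.2.10 address are assumptions made for the illustration.

```python
import ipaddress
import struct

VER, CMD_CONNECT, RSV = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host, port, remote_dns, resolver=None):
    """Build the CONNECT request a client sends to the SOCKS port.

    remote_dns=True models socks5h://: the hostname travels to the proxy.
    remote_dns=False models socks5://: the client resolves the name itself
    (a lookup the local network can observe) and sends only the IP.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None and not remote_dns:
        if host.lower().rstrip(".").endswith(".onion"):
            raise ValueError(".onion names do not exist in DNS; use socks5h")
        if resolver is None:
            raise ValueError("local resolution requested but no resolver given")
        ip = ipaddress.ip_address(resolver(host))
    if ip is not None:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    else:
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, RSV, atyp]) + addr + struct.pack("!H", port)


def parse_connect(data):
    """Return (kind, host, port) from a captured CONNECT request."""
    if len(data) < 7 or data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_DOMAIN:
        length = body[0]
        kind, host, rest = "domain", body[1:1 + length].decode("ascii"), body[1 + length:]
    elif atyp == ATYP_IPV4:
        kind, host, rest = "ipv4", str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == ATYP_IPV6:
        kind, host, rest = "ipv6", str(ipaddress.IPv6Address(body[:16])), body[16:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated request or trailing bytes")
    return kind, host, struct.unpack("!H", rest)[0]


if __name__ == "__main__":
    lookups = []

    def fake_resolver(name):
        # Constructed resolver: records the lookup, returns a TEST-NET address.
        lookups.append(name)
        return "192.0.2.10"

    for remote in (True, False):
        req = build_connect("httpbin.org", 443, remote, fake_resolver)
        print("socks5h" if remote else "socks5 ", req.hex(), parse_connect(req))
    print("names resolved outside the proxy:", lookups)
```

A request whose address type is "domain" means the name was never looked up locally; seeing "ipv4" for a site you addressed by name is the DNS leak that socks5h avoids.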

How to delete your Facebook account?

I was planning to delete my Facebook account for some time, but never took the actual steps to do it. The recent news on how the companies are using data from Facebook made me take that next step. And I know Snowden has been talking about these issues for a long time (feel free to read a recent interview); I should have done that before. I was just lazy.

First download all the current information for archive

Log in to Facebook and go to your settings page. There you can see a link saying Download a copy of your Facebook data. Click on that. It will ask for your password, and then take some time to generate an archive. You can download it after some time.

Let us ask Facebook to delete the account

Warning: Once you have deleted your account, you cannot get your data back. So, do the next steps only after thinking clearly (personally, I can say it is a good first step to slowly gain back privacy).

Go to this link to see the following screen.

If you click on the blue Delete my account, it will open the next screen, where it will ask you to confirm your password, and also fill in the captcha text.

After this, you will see the final screen. It will take around 90 days to delete all of your information.

Remember to use long passphrases everywhere

Now, you have deleted your account. But, remember that it is just one single step towards privacy. There are various other things you can do. I think the next step should be about all of your passwords. Read this blog post about how to generate long passphrases, and use those instead of short passwords. You should also use a proper password manager to save all of these passwords.

Next, read SURVEILLANCE SELF-DEFENSE from EFF.

Running Tor relay inside a docker container

The latest Tor project release is 0.3.2.10. But, that is not available on all the different versions of different Linux distributions. For example, CentOS 7 has tor-0.2.9.14-1.el7, and only Fedora 28 has the latest Tor.

This is where a container can help. The official builds from Tor Project are for Debian, which means we can build and use a Debian based container.

The Dockerfile

FROM debian:stretch
LABEL MAINTAINER Kushal Das <mail@kushaldas.in>

RUN apt-get update
RUN apt install vim gpg -y


RUN echo "deb http://deb.torproject.org/torproject.org stretch main\ndeb-src http://deb.torproject.org/torproject.org stretch main" > /etc/apt/sources.list.d/tor.list

# Let us get the key for Tor
RUN gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
RUN gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 > tor.gpg
RUN apt-key add tor.gpg

# Finally install Tor
RUN apt update
RUN apt install tor deb.torproject.org-keyring -y
ADD ./torrc /etc/tor/torrc

# Add the tor user
RUN groupadd -g 1000 tor && useradd -m -d /home/tor -g 1000 tor


# Now drop to the actual user
USER tor
RUN mkdir -p /home/tor/.tor/keys

VOLUME ["/home/tor/.tor"]

EXPOSE 9001 9051

ENTRYPOINT ["tor"]

I have a configuration file named torrc, you can copy the sample configuration and edit as required. I have the following entries there.

SOCKSPort 0

ORPort 9001

Nickname NICKNAME_FOR_THE_RELAY

ContactInfo  <YOUR_EMAIL_ADDRESS>

ExitRelay 0

Next, we will create a directory in the host system to keep the keys, and other files. We want to restart the container and still have the same details, mounting a directory from the host system into the container will help us in that.

mkdir /mnt/tor
chcon -R -t svirt_sandbox_file_t /mnt/tor

Please also make sure that you have correct ownership of that directory.

Running the container

docker run -d -v /etc/localtime:/etc/localtime -v /mnt/tor:/home/tor/.tor --restart always -p 9001:9001 --name relay kushaldas/tor:0.3.2.10

After starting the container, you can check the logs for any error. If you can see the following message in the log, then it means that you configured the relay properly.

# docker logs -f relay

Self-testing indicates your ORPort is reachable from the outside.

The official relay guide

Tor project recently published an updated relay guide for anyone new to running a relay. Please go through that document first. If you need help, there is a mailing list of Tor relay operators, and #tor channel on OFTC IRC server is also very welcoming.

Tor Mumbai meetup

On 20th January, we had a Tor meetup in Mumbai. Hasgeek organized the event, with OML providing the meeting space. I noticed the announcement over Twitter, and made sure that I registered for the event. Two contributors from the core team, Sukhbir Singh and Antonela Debiasi, were present at the event.

Getting there

Bhavin joined me on the trip. We started early in the morning to make sure that we skip all the traffic, and reach Mumbai with enough time on hand. The venue was surrounded by many excellent food places, which was really helpful.

The meetup

There were around 15 participants. Folks came from different cities. We started a small round of introductions, and both of the core contributors explained how they contribute to different parts of the project. Mentioning names (of the participants) was voluntary, and it was a no photograph event. Harish Pillai also joined us in the meetup.

Antonela described the work the Tor UX team is doing. Only 2-3 days ago, I’d heard about their work in a discussion with Simply Secure. Antonela explained how they are doing user testing, and later, many participated in the same. We should also do a similar kind of user testing in every conference/meetup.

We also tested the Tor network speed. Feel free to run the same test in your system using this link.

Next, Sukhbir gave a detailed talk on the Tor project. This was filled with many interesting facts and how-to(s). Discussions ranged from the Tor Browser itself to other parts of the Tor ecosystem. He also mentioned a lot of dos/don’ts while using Tor. While talking about Tor Exit relays in India, Sukhbir mentioned that he never met any of the Exit relay operators in India before.

In the later half of the meetup, I demoed the SecureDrop project. We discussed how the Freedom of the Press Foundation is helping journalists and whistleblowers worldwide. How to leak securely? was the next topic of discussion. Sukhbir had already mentioned most of the points. I made sure to repeat and refer back to those. I have a separate blog post on the topic. The discussion then moved to the Indian press and why we don’t have any SecureDrop instances running in India. People talked about their concerns and the current situation related to privacy in India.

In the end, we all moved to the microbrewery next door, and discussions continued.

While coming back, we were stuck in Mumbai traffic for a few hours, and reached home late.

Antonela has also shared her views about the meetup in the Tor Blog.

The Onion service to access my blog

I am happy to announce the availability of my website as an Onion hidden service at http://kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion/. This is a completely different instance than the regular https://kushaldas.in.

The .onion hidden service addresses are generated based on the hash of the public key. It means the Tor browser will take you to the right service which has access to the private key. The Onion services are always inside the Tor network, which means you are not exiting the circuit/network. It is also end-to-end encrypted. These features together help to provide confidentiality and integrity. If you want to read more about how the Tor hidden services work, read this document.
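For version 3 services such as the one above, the 56-character address is the base32 encoding of the service's 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, as laid out in Tor's version 3 rendezvous specification. The added Python below (not code from this site or from Tor) encodes and validates such addresses so that a mistyped or altered address is rejected before use; the function names and the sample key are constructed for the example.

```python
import base64
import binascii
import hashlib

ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey, version=ONION_VERSION):
    """First two bytes of SHA3-256(".onion checksum" | pubkey | version)."""
    data = CHECKSUM_PREFIX + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def encode_v3_onion(pubkey):
    """Build the hostname for a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    blob = pubkey + onion_checksum(pubkey) + bytes([ONION_VERSION])
    return base64.b32encode(blob).decode("ascii").lower() + ".onion"


def decode_v3_onion(hostname):
    """Return the public key bytes, or raise ValueError for a bad address.

    Only the address structure is checked here, not whether the key is a
    valid ed25519 point.
    """
    host = hostname.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not a .onion name")
    label = host[:-len(".onion")].rsplit(".", 1)[-1]  # ignore any subdomain
    if len(label) != 56:
        raise ValueError("not a version 3 address (expected 56 characters)")
    try:
        blob = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError("invalid base32 in address") from exc
    pubkey, checksum, version = blob[:32], blob[32:34], blob[34]
    if version != ONION_VERSION:
        raise ValueError("unsupported version byte")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch (mistyped or altered address)")
    return pubkey


# Constructed sample key: 32 counting bytes, not a real service key.
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    address = encode_v3_onion(SAMPLE_KEY)
    print(address, decode_v3_onion(address) == SAMPLE_KEY)
    blog = "kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion"
    try:
        print(blog, "->", decode_v3_onion(blog).hex())
    except ValueError as err:
        print(blog, "rejected:", err)
```

Because the version byte is 3, every valid version 3 address ends in the letter d, which is a quick visual check as well.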

Things different on this site

  • This website has all the resources local to the server. Saptak helped to identify the external resources. Anwesha and I both wrote two different versions of the Python scripts to make things available locally. It was a fun programming problem.
  • No user-tracking JavaScript in the site.
  • No Disqus comments either, as that would require loading external JavaScript, which in turn can be used to identify users.

Visiting the site using Tor Browser

Just in case you never encountered any .onion address before, you can visit these addresses using the Tor Browser. Download the latest version from the site. Remember to download Tor Browser only from the official website. Because my service is using version 3 of hidden service, you will need at least Tor Browser 7.5 to visit it.

Here are a few quick tips for using Tor Browser:

  • Do not install any plugin on the browser. They can be used to find your IP address.
  • Do not change the default browser window size. Browser window size can be used as metadata to identify the users.
  • Use https versions of the websites you want to visit. The Tor Browser uses the HTTPS Everywhere plugin to help you with that. As I mentioned earlier, the onion hidden services are already end-to-end encrypted and you don’t get out of the Tor network, so you can use them without SSL certificates.

You can find more tips on the Tor project website.

Btw, DuckDuckGo also provides the search engine over a hidden service which you can use all the time.

How to configure Tor onion service on Fedora

You can set up a Tor onion service in a VM on your home desktop, or on a Raspberry Pi attached to your home network. You can serve any website, or ssh service using the same. For example, in India most of the time if an engineering student has to demo a web application, she has to demo on her laptop or on a college lab machine. If you set up your web application project as an onion service, you can actually make it available to all of your friends. You don’t need an external IP or special kind of Internet connection or pay for a domain name. Of course, it may be slower than all the fancy website you have, but you don’t have to spend any extra money for this.

In this post, I am going to talk about how you can set up your own service using a Fedora 26 VM. Similar steps can be followed on a Raspberry Pi or any other Linux distribution.

Install the required packages

I will be using Nginx as my web server. The first step is to get the required packages installed.

$ sudo dnf install nginx tor
Fedora 26 - x86_64 - Updates                     10 MB/s |  20 MB     00:01
google-chrome                                    17 kB/s | 3.7 kB     00:00
Qubes OS Repository for VM (updates)             98 kB/s |  48 kB     00:00
Last metadata expiration check: 0:00:00 ago on Wed Jan 17 08:30:23 2018.
Dependencies resolved.
================================================================================
 Package                Arch         Version                Repository     Size
================================================================================
Installing:
 nginx                  x86_64       1:1.12.1-1.fc26        updates       535 k
 tor                    x86_64       0.3.1.9-1.fc26         updates       2.6 M
Installing dependencies:
 gperftools-libs        x86_64       2.6.1-5.fc26           updates       281 k
 nginx-filesystem       noarch       1:1.12.1-1.fc26        updates        20 k
 nginx-mimetypes        noarch       2.1.48-1.fc26          fedora         26 k
 torsocks               x86_64       2.1.0-4.fc26           fedora         64 k

Transaction Summary
================================================================================
Install  6 Packages

Total download size: 3.6 M
Installed size: 15 M
Is this ok [y/N]:

Configuring Nginx

After installing the packages, the next step is to set up the web server. For a quick example, we will just show the default Nginx index page over this web service. We will have to change the web server port to a different one in the /etc/nginx/nginx.conf file. Please read about Nginx to know more about how to configure Nginx with your web application.

listen 8090 default_server;

Here we have the web server running on port 8090.

Configuring Tor

Next, we will set up the Tor onion service. The configuration file is located at /etc/tor/torrc. We will add the following two lines.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8090

We are redirecting port 80 of the onion service to port 8090 on the same system.
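A check for the two settings above, added here as an illustration and not part of the original post: a `listen 8090` line with no address makes Nginx bind on every interface, so the backend can also be reached without Tor, while the torrc target shown is already loopback. The sample inputs and all function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample inputs that mirror the two snippets in the post.
NGINX_CONF = "server {\n    listen 8090 default_server;\n}\n"
TORRC = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.1:8090\n"

def parse_endpoint(text, default_host, default_port):
    """Split 'port', 'host' or 'host:port' (IPv6 in brackets) into (host, port)."""
    if text.isdigit():
        return default_host, int(text)
    if text.endswith("]") or ":" not in text:
        return text, default_port
    host, _, port = text.rpartition(":")
    return host, int(port)

def is_loopback(host):
    """True only for 'localhost' or a loopback IP literal; '*' and 0.0.0.0 are not."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host == "localhost"

def nginx_listeners(conf):
    """(host, port) per TCP listen directive; a bare port means every interface."""
    found = re.findall(r"^\s*listen\s+([^\s;]+)", conf, re.MULTILINE)
    return [parse_endpoint(a, "*", 80) for a in found if not a.startswith("unix:")]

def tor_targets(torrc):
    """(host, port) per HiddenServicePort; Tor defaults the target to 127.0.0.1."""
    pat = r"(?im)^\s*HiddenServicePort\s+(\d+)(?:[ \t]+([^\s#]+))?"
    return [parse_endpoint(t or v, "127.0.0.1", int(v))
            for v, t in re.findall(pat, torrc) if not t.startswith("unix:")]

def audit(nginx_conf, torrc):
    """List settings that let the backend be reached without going through Tor."""
    findings = []
    for host, port in tor_targets(torrc):
        if not is_loopback(host):
            findings.append(f"torrc: target {host}:{port} is not a loopback address")
        for lhost, lport in nginx_listeners(nginx_conf):
            if lport == port and not is_loopback(lhost):
                findings.append(f"nginx: port {port} is bound to {lhost}")
    return findings

if __name__ == "__main__":
    print(audit(NGINX_CONF, TORRC))  # as written in the post
    print(audit(NGINX_CONF.replace("listen 8090", "listen 127.0.0.1:8090"), TORRC))
```

Changing the directive to `listen 127.0.0.1:8090 default_server;` clears the finding, because only the local Tor daemon can then connect to the web server.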

Starting the services

Remember to open up port 80 in the firewall before starting the services. I am going to leave it as an exercise for the reader to find out how :)

We will start the nginx and tor services as the next step. You can also watch the system logs to find out the status of Tor.

$ sudo systemctl start nginx
$ sudo systemctl start tor
$ sudo journalctl -f -u tor
-- Logs begin at Thu 2017-12-07 07:13:58 IST. --
Jan 17 08:33:43 tortest Tor[2734]: Bootstrapped 0%: Starting
Jan 17 08:33:43 tortest Tor[2734]: Signaled readiness to systemd
Jan 17 08:33:43 tortest systemd[1]: Started Anonymizing overlay network for TCP.
Jan 17 08:33:43 tortest Tor[2734]: Starting with guard context "default"
Jan 17 08:33:43 tortest Tor[2734]: Opening Control listener on /run/tor/control
Jan 17 08:33:43 tortest Tor[2734]: Bootstrapped 5%: Connecting to directory server
Jan 17 08:33:44 tortest Tor[2734]: Bootstrapped 10%: Finishing handshake with directory server
Jan 17 08:33:44 tortest Tor[2734]: Bootstrapped 15%: Establishing an encrypted directory connection
Jan 17 08:33:45 tortest Tor[2734]: Bootstrapped 20%: Asking for networkstatus consensus
Jan 17 08:33:45 tortest Tor[2734]: Bootstrapped 25%: Loading networkstatus consensus
Jan 17 08:33:55 tortest Tor[2734]: I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Jan 17 08:33:55 tortest Tor[2734]: Bootstrapped 40%: Loading authority key certs
Jan 17 08:33:55 tortest Tor[2734]: Bootstrapped 45%: Asking for relay descriptors
Jan 17 08:33:55 tortest Tor[2734]: I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6009, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
Jan 17 08:33:56 tortest Tor[2734]: Bootstrapped 50%: Loading relay descriptors
Jan 17 08:33:57 tortest Tor[2734]: Bootstrapped 56%: Loading relay descriptors
Jan 17 08:33:59 tortest Tor[2734]: Bootstrapped 65%: Loading relay descriptors
Jan 17 08:34:06 tortest Tor[2734]: Bootstrapped 72%: Loading relay descriptors
Jan 17 08:34:06 tortest Tor[2734]: Bootstrapped 80%: Connecting to the Tor network
Jan 17 08:34:07 tortest Tor[2734]: Bootstrapped 85%: Finishing handshake with first hop
Jan 17 08:34:07 tortest Tor[2734]: Bootstrapped 90%: Establishing a Tor circuit
Jan 17 08:34:08 tortest Tor[2734]: Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 17 08:34:08 tortest Tor[2734]: Bootstrapped 100%: Done

There will be a private key file and a hostname file for the onion service in the /var/lib/tor/hidden_service/ directory. Open up Tor Browser, and visit the onion address. You should see the default Nginx index page.

Remember to back up the private key file if you want to keep using the same onion address for a longer time.

What all things can we do with this onion service?

That actually depends on your imagination. Feel free to research what different services can be provided over Tor. You can start by writing a small Python Flask web application and creating an onion service for it. Share the address with your friends.

Ask your friends to use Tor Browser for daily web browsing. The more Tor traffic we can generate, the more difficult it will become for nation-state actors to monitor traffic, which in turn will help the whole community.

WARNING on security and anonymous service

Remember that this tutorial is only for quick demo purposes. This will not hide your web server details, IP address or operating system details. You will have to make sure to follow proper operational security practices along with system administration skills. Riseup has a page describing best practices. But please make sure that you do enough study and research before you start providing long-term services over Tor.

Also please remember that Tor is developed and run by people all over the world and the project needs donations. Every little bit of help counts.