Kushal Das

FOSS and life. Kushal Das talks here.

kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion

Tor rpm package repository for Fedora and CentOS/RHEL

Now we have official Tor RPM repositories for Fedora and CentOS/RHEL. The support documentation is already in place.

Using this repository, you can get the latest Tor build for your distribution from the upstream project itself. Tor already provides similar packages for Debian/Ubuntu systems.

How to enable the repository in your Fedora box?

Add the following to /etc/yum.repos.d/tor.repo.

[tor]
name=Tor for Fedora $releasever - $basearch
baseurl=https://rpm.torproject.org/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/fedora/public_gpg.key
cost=100

Then you can install the package via the regular dnf command.

$ sudo dnf install tor

You will have to import the new key used to sign these packages; check that the fingerprint matches the one shown below before accepting.

Importing GPG key 0x3621CD35:
Userid : "Kushal Das (RPM Signing key) <kushal@torproject.org>"
Fingerprint: 999E C8E3 14BC 8D46 022D 6C7D E217 C30C 3621 CD35
From : https://rpm.torproject.org/fedora/public_gpg.key
Is this ok [y/N]: y

If you run a Tor relay (which you all should; it is one of the easiest ways to contribute to the project and help people worldwide) on CentOS/RHEL, you can use a similar repository configuration.

Python function to generate Tor v3 onion service authentication keys

Here is a small Python function using the amazing Python Cryptography module to generate the Tor v3 onion service authentication keys.

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import x25519
import base64

def generate_tor_v3_keys():
    """Generates a (public, private) X25519 keypair, base32 encoded without padding."""
    private_key = x25519.X25519PrivateKey.generate()
    # Raw 32-byte private scalar, stored unencrypted
    private_bytes = private_key.private_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PrivateFormat.Raw,
        encryption_algorithm=serialization.NoEncryption())
    public_key = private_key.public_key()
    # Raw 32-byte public point
    public_bytes = public_key.public_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PublicFormat.Raw)
    # Tor expects unpadded base32, so strip the trailing '=' characters
    public = base64.b32encode(public_bytes).replace(b'=', b'') \
                   .decode("utf-8")
    private = base64.b32encode(private_bytes).replace(b'=', b'') \
                    .decode("utf-8")
    return public, private

You can follow my previous blog post to set up an authenticated Onion service.
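As an added example (not part of the original post), here is how the two base32 strings are used on each side of an authenticated v3 onion service: the service stores the public key in an authorized_clients/<name>.auth file and the client stores the private key in a file under ClientOnionAuthDir. The line formats follow the Tor manual; the keys_match check and the file names are my own additions.

```python
"""Produce Tor v3 client-authorization lines from an X25519 keypair.

Assumed formats (from the Tor manual):
  service side, <HiddenServiceDir>/authorized_clients/<client>.auth:
      descriptor:x25519:<base32 public key>
  client side, a file in ClientOnionAuthDir:
      <56-char onion address>:descriptor:x25519:<base32 private key>
"""
import base64
import re

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import x25519

# 32 raw bytes encode to exactly 52 unpadded base32 characters
B32_KEY = re.compile(r"^[A-Z2-7]{52}$")


def b32_nopad(raw):
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def generate_keypair():
    """Return (public, private) as unpadded base32, the encoding Tor expects."""
    priv = x25519.X25519PrivateKey.generate()
    priv_raw = priv.private_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PrivateFormat.Raw,
        encryption_algorithm=serialization.NoEncryption(),
    )
    pub_raw = priv.public_key().public_bytes(
        encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw
    )
    return b32_nopad(pub_raw), b32_nopad(priv_raw)


def service_auth_line(public_b32):
    """Content of authorized_clients/<client>.auth on the onion service host."""
    if not B32_KEY.match(public_b32):
        raise ValueError("public key must be 52 unpadded base32 characters")
    return "descriptor:x25519:" + public_b32


def client_auth_line(onion_address, private_b32):
    """Content of the client's ClientOnionAuthDir file for this service."""
    if not B32_KEY.match(private_b32):
        raise ValueError("private key must be 52 unpadded base32 characters")
    host = onion_address.lower()
    if host.endswith(".onion"):
        host = host[:-6]
    if len(host) != 56:
        raise ValueError("expected a 56-character v3 onion address")
    return host + ":descriptor:x25519:" + private_b32


def keys_match(public_b32, private_b32):
    """Re-derive the public key from the private one before deploying a pair."""
    priv_raw = base64.b32decode(private_b32 + "====")  # restore base32 padding
    pub_raw = (
        x25519.X25519PrivateKey.from_private_bytes(priv_raw)
        .public_key()
        .public_bytes(encoding=serialization.Encoding.Raw,
                      format=serialization.PublicFormat.Raw)
    )
    return b32_nopad(pub_raw) == public_b32


if __name__ == "__main__":
    pub, priv = generate_keypair()
    print(service_auth_line(pub))
    print(client_auth_line(
        "kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion", priv))
```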

Started a newsletter

I started a newsletter focusing on different stories I read about privacy, security, and programming in general. Following the advice of Martijn Grooten, I have been storing all the interesting links I read (for many months). I used to share these only over Twitter, but, as I retweet many things, it was not easy to share a selected few.

I also did not want to push them into my regular blog. I wanted a proper newsletter over an email service. But keeping readers’ privacy was a significant factor in choosing the service. I finally decided to go with the Write.as Letters service. I am already using their open source project WriteFreely. This is an excellent excuse to use their tool more and also pay them for the fantastic tools + service.

Feel free to subscribe to the newsletter and share the link with your friends.

When governments attack: malware campaigns against activists and journalists

Eva

This year at Nullcon Eva gave her talk on When governments attack: malware campaigns against activists and journalists. After introducing EFF, she explained Dark Caracal, a possibly state-sponsored malware campaign. If we leave aside all technical aspects, this talk has a few other big points to remember.

  • No work is done by a single rock star; this project was a collaboration between people from Lookout and EFF.
  • We should take an ethics class before writing a "Hello World" program in computer science classes.
  • People have the choice of not working for any group that will use their technical skills to abuse human rights.

Please watch this talk and tell me over Twitter what you think.

Aadhaar, the mass surveillance system

If you are following me on Twitter, you have already seen a lot of (re)tweets related to Aadhaar. For people hearing this term for the first time, it is a 12 digit unique identification number provided by the Unique Identification Authority of India (UIDAI). It is also the world’s largest biometric ID system. It is supposed to be a voluntary service.

From the very beginning, this project tried to hide the details from the Indian citizens. Whether privacy advocates, security researchers or human rights activists, everyone predicted that this would become a monster, a mass surveillance system, a tool of choice for power-hungry dictators.

Like any other complex system, the majority of the people only see the advertisements from the government and completely miss all the problems and horror stories this project is creating. Here are a few links below for interested people to read.

Neither my wife nor our daughter has an Aadhaar (I also don’t have one), which means Py (our daughter) did not get admission to any school last year.

Whenever security researchers or journalists tried to report on the project, the UIDAI tried to hide behind denials and police complaints against the journalists or researchers. There are various reports on how one can get access (both read/write) to the actual production database with as little as $10-30. We now have examples of terrorist organizations having access to the same database. The UIDAI kept saying that this is unhackable technology and that, for security, they have a 13 feet wall outside the data center which will keep all hackers away.

They have already built 360-degree databases on top of Aadhaar, and now they are trying to link DNA to the same system.

The current government of India tried its level best to argue in the Supreme Court of India that Indians don’t have any right to privacy. But, thankfully, they failed in this effort, and the Supreme Court ruled privacy a fundamental right. We are now waiting for the judgment on Aadhaar (which will hopefully come out in the next few weeks).

Meanwhile, the evil nexus is pushing Aadhaar down the throats of Indian citizens, Pakistani spies and gods.

A few days ago, in an event in Jaipur, they asked Edward Snowden the following question.

How big of an issue is privacy?

The answer started with where that argument comes from.

The answer is Nazi Germany. The Nazi minister of propaganda Joseph Goebbels did this. Because he was trying to change the conversation away from “What are your rights?” and “What evidence must the government show?” to violate them, to intrude into your private life, and instead said “Why do you need your rights?”, “How can you justify your rights?”, “Isn’t it strange that you are invoking your rights? Isn’t that unusual?”. But, in a free society this is the opposite of the way it is supposed to work. We don’t need to explain why you have a right. You don’t need to explain why it is valuable, why you need it. It is for the government to explain why you don’t deserve it. They go to a court, they show that you are a criminal. This is increasingly falling out of favor, because the governments and companies think that it is inefficient. It is too much work. Life would be easier, life would be more convenient for them, life would be more profitable for them if we didn’t have any rights at all.

But, privacy isn’t about something to hide, privacy is about something to protect. And that is the very concept of liberty. It is the idea that there can be some part of you, of your life, of your ideas that belong to you, not to society. And you get to make the decision about who you share that with. -- Edward Snowden

Why are we reading this in your blog?

This might be a question for many of you. Why are you reading this in a blog post or on a planet? Because we, the people with the knowledge of technology, are also part of these evil plans. We now know about many private companies partnering with their local governments to build 360-degree profiles, to track the citizens and to run the mass surveillance systems. For example, related to Aadhaar, for the last 4 years Google silently pushed the Aadhaar support phone number (which UIDAI is now trying to stay away from) to every Google Android phone in India. When they got caught red-handed, they claimed that they did it inadvertently. Finacle software by Infosys denies creation of bank accounts without Aadhaar. Microsoft is working to link Skype with Aadhaar. Bill Gates is trying to push the idea that Aadhaar is all good and does not have any issues.

What can you do?

You can start by educating yourself first. Read more about the technologies which control our lives. Be skeptical of things and try to understand how they actually work. Write about them, ask questions of the people in power. Talk about the issues with your friends and family.

This is not going to be an easy task, but we all should keep fighting back to make sure of a better future for our next generation.

Job alert: Associate Site Reliability Engineer at FPF

We (at Freedom of the Press Foundation) are looking for an Associate Site Reliability Engineer.

This position is open to junior and entry-level applicants, and we recognize the need to provide on-the-job mentoring and support to help you familiarize yourself with the technology stack we use. In addition to the possibility of working in our New York or San Francisco offices, this position is open to remote work within American time zones.

Skills and Experience

  • Familiarity with remote systems administration of bare-metal or virtualized Linux servers.
  • Comfortable with shell and programming languages commonly used in an SRE context (e.g., Python, Go, Bash, Ruby).
  • Strong interest in honing skills required to empower a distributed software development and operations team through automation and systems maintenance.

For more details, please visit the job posting.

Are you thinking if you should apply or not?

YES, APPLY! You are ready to apply for this position. You don’t have to ask anyone to confirm if you are ready or not. Unless you apply, you don’t have a chance to get the job.

So, the first step is to apply for the position, and then you can think about impostor syndrome. We all have it. Some people will admit that in public, some people will not.

dgplug summer training 2018

dgplug summer training 2018 will start at 13:30 UTC, 17th June. This will be the 11th edition. Like every year, we have modified the training based on the feedback and, of course, there will be more experiments to try and make it better.

What happened differently in 2017?

We did not manage to get all the guest sessions mentioned, but we moved the guest sessions to a later stage of the training. This ensured that only the really interested people were attending, so there was a better chance of having an actual conversation during the sessions. As we received mostly positive feedback on that, we are going to do the same this year.

We had many more discussions among the participants in general than in previous years. Anwesha and I wrote an article about the history of Free Software, and we had a lot of discussion about political motivation and freedom in general during the training.

We also had an amazing detailed session on Aadhaar and how it is affecting (read destroying) India, by Kiran Jonnalagadda.

Besides, we started writing a new book to introduce the participants to the Linux command line. We tried to cover the basics of the Linux command line and the tools we use on a day-to-day basis.

Shakthi Kannan started Operation Blue Moon, where he is helping individuals to get things done by managing their own sprints. All information on this project can be found in the aforementioned GitHub link.

What are the new plans in 2018?

We are living in an era of surveillance, and the people in power are trying to hide facts from the people who are being governed. There are a number of Free Software projects which are helping the citizens of cyberspace to resist and bypass the blockades. This year we will focus on these applications and how one can start contributing to the same projects upstream. A special focus will be given to the Tor project, from both the users' and the developers' point of view.

In 2017, a lot of people asked for help to start learning Go. So, this year we will do a basic introduction to Go in the training, though Python will remain the primary choice for teaching.

How to join the training?

First, join our mailing list, and then join the IRC channel #dgplug on Freenode.

Remembering John Perry Barlow

I dream of a day, and it is not a crazy dream, when everybody on this planet who wants to know all that is presently known about something, will be able to do so regardless of where he or she is. And I dream of a day where the right to know is understood as a natural human right, that extends to every being on the planet who is governed by anything. The right to know what its government is doing and how and why. -- John Perry Barlow

I met John Perry Barlow only once in my life, during his PyCon US 2014 keynote. I remember trying my best to stay calm as I walked towards him to start a conversation. After some time, he went up on the stage and started speaking. Even though I spoke with him very briefly, I still felt like I knew him for a long time.

This Saturday, April 7th, Electronic Frontier Foundation and Freedom of the Press Foundation organized the John Perry Barlow Symposium at the Internet Archive to celebrate the life and leadership of John Perry Barlow, or JPB as he was known to many of his friends and followers.

The event started around 2:30AM IST, and Anwesha and I woke up at the right time to attend the whole event. Farhaan and Saptak also took part in watching the event live.

Cory Doctorow was set to open the event but was late due to the closure of SFO runways (he later mentioned that he was stuck for more than 5 hours). In his stead, Cindy Cohn, Executive Director of the Electronic Frontier Foundation, started the event. There were two main panel sessions, with 4 speakers in each, and everyone spoke about how Barlow inspired them, or about Internet freedom, and took questions afterwards. But before those sessions began, Ana Barlow spoke about her dad, about how many people from different geographies were connected to JPB, and how he touched so many people’s lives.

The first panel had Mitch Kapor, Pam Samuelson and Trevor Timm on the stage. Mitch started with JPB’s writings from the 1990s and how he saw the future of the Internet. He also reminded us that most of the stories JPB told us were literally true :D. He reminded us that even though EFF started as a civil liberties organization, the Wall Street Journal characterized EFF as a hacker defense fund. Pam Samuelson spoke next, starting with a quote from JPB. Pam mentioned The Economy of Ideas, published in 1994 in Wired magazine, as Barlow’s best contribution on copyright.

Cory Doctorow came up on stage to introduce the next speaker, Trevor Timm, the executive director of Freedom of the Press Foundation (FPF). He particularly mentioned the SecureDrop project and its importance. I want to emphasize one quote from him.

It’s been observed that many people around the world, billions of people, struggle under bad code written by callow silicon valley dude bros, those who hack up a few lines of code and then subject billions of people to its outcomes without any consideration of ethics.

Trevor talked about the initial days of Freedom of the Press Foundation, and how JPB was the organizational powerhouse behind the organization. On the day FPF was launched, JPB and Daniel Ellsberg wrote an article for the Huffington Post, named Crowd Funding the Right to Know.

When a government becomes invisible, it becomes unaccountable. To expose its lies, errors, and illegal acts is not treason, it is a moral responsibility. Leaks become the lifeblood of the Republic.

A few months after the above-mentioned article was published, one government employee was moved by the words and contacted FPF board members (through Micah Lee). Later, when his name became public, Barlow posted the following tweet.

Next, Edward Snowden himself came in as the 4th speaker on the panel. He told a story which is not publicized much. He went back to his days in the NSA where, even though he was a high school dropout, he had a high salary and a very comfortable life. As he gained access to highly classified information, he realized that something was not right.

I realized what was legal was not necessarily what was moral. I realized what was being made public was not the same as what was true. -- Edward Snowden

He talked about how EFF and JPB’s work gave direction to many decisions in his life. Snowden read Barlow’s A Declaration of the Independence of Cyberspace, and perhaps that was the first seed of radicalization in his life. How Barlow chose people over living a very happy and easy life shows his alliance with us, the common people of the world.

After the first panel of speakers, Cory again took the stage to talk about privacy and the Internet. He spoke about why building technology which is safe for the world is important at this point in history.

After a break of a few minutes, the next panel of speakers came up on the stage; the panel had Shari Steele, John Gilmore, Steven Levy and Joi Ito.

Shari was the first speaker in this group. While talking about the initial days of joining EFF, she mentioned how, even without knowing about JPB before, only one meeting converted her into a groupie. She described the first big legal fight of EFF, and how JPB wrote A Declaration of the Independence of Cyberspace during that time. She chose a quote from the same:

We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.

Later, John Gilmore pointed out a few quotes from JPB on LSD and how American society tries to control everything. John explained why he thinks Barlow’s ideas were correct when it comes to psychedelic drugs and their effects on the human brain. He mentioned how JPB cautioned us about distinguishing data, information and experience, in ways that are often forgotten today.

Next, Steven Levy kept skipping many different stories, choosing to focus on how amazingly Barlow decided to express his ideas. The many articles JPB wrote helped to transform the view of the web in our minds. Steven chose a quote from JPB’s biography (which will be published in June) to share with us:

If people code out for eight minutes like I did and then come back, they usually do so as a different person than the one who left. But I guess my brain doesn’t use all that much oxygen because I appeared to be the same guy, at least from the inside. For eight minutes, however, I had not just been gratefully dead, I had been plain, flat out, ordinary dead. It was then I decided the time had finally come for me to begin working on my book. Looking for a ghost writer was not really the issue. At the time, my main concern was to not be a ghost before the book itself was done.

I think Steven Levy chose the right words to describe Barlow in the last sentence of his talk:

Reading that book makes me think about how much we are going to miss Barlow’s voice in this scary time for tech, when our consensual hallucination is looking more and more like a bad trip.

When you talk to Dalai Lama, just like when you talk to John Perry Barlow, there is a deep sense of humor that comes from knowing how f***** up the world is, how unjust the world is, how terrible it is, but still being so connected to true nature, that it is so funny. -- Joi Ito

Joi mentioned that Barlow not only gave us a direction by writing the declaration of the independence of cyberspace, but also created different organizations to make sure that we start moving in that direction.

Amelia Barlow was the last speaker of the day. She went through the 25 Principles of Adult Behavior.

The day ended with a marching order from Cory Doctorow. He asked everyone to talk more about the Internet and technologies and how they are affecting our lives. If we think that everyone can understand the problems, that is a very false hope. Most people still don’t think much about freedom and how the people in power control our lives using the same technologies we think are amazing. Talking to more people and helping them to understand the problem is a good start on the path to a better future. And John Perry Barlow showed us how to walk that path with his extraordinary life and his willingness to create special bonds with everyone around him.

I want to specially thank the Internet Archive for hosting the event and allowing people like us who are in cyberspace to actually get the feeling of being in the room with everyone else.

Recording of the event

Header image copyright: EFF

The Onion service to access my blog

I am happy to announce the availability of my website as an Onion hidden service at http://kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion/. This is a completely different instance from the regular https://kushaldas.in.

The .onion hidden service addresses are generated from the hash of the service's public key. This means the Tor Browser will take you to the right service, the one holding the corresponding private key. Onion services are always inside the Tor network, meaning you never exit the circuit/network. The connection is also end-to-end encrypted. Together these features provide confidentiality and integrity. If you want to read more about how the Tor hidden services work, read this document.
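The address derivation mentioned above, as an added example that is not from the original post: it implements the v3 address encoding from the Tor rendezvous specification (base32 of the 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 0x03) together with a parser that rejects malformed, wrong-version or checksum-failing addresses. The 32-byte key used in the demo is a constructed stand-in, not a real service key.

```python
"""Derive and validate Tor v3 onion addresses.

Per the v3 rendezvous spec:
  onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
  CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
  VERSION       = 0x03
35 raw bytes encode to exactly 56 base32 characters, so no padding is needed.
"""
import base64
import hashlib

VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _checksum(pubkey, version):
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def onion_address(pubkey, version=VERSION):
    """Encode a 32-byte ed25519 public key as a v3 .onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey, version) + version
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address):
    """Return the embedded public key, or None if the address is malformed,
    carries an unexpected version byte, or fails its checksum."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[:-6]
    if len(host) != 56:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:  # binascii.Error (bad base32) is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != VERSION or checksum != _checksum(pubkey, version):
        return None
    return pubkey


def is_valid_onion_address(address):
    return parse_onion_address(address) is not None


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed stand-in, not a real key
    addr = onion_address(demo_key)
    print(addr, is_valid_onion_address(addr))
    # The blog's own address from the post above, checked the same way
    print(is_valid_onion_address(
        "kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion"))
```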

Things different on this site

  • This website has all its resources local to the server. Saptak helped to identify the external resources. Anwesha and I both wrote two different versions of the Python scripts to make things available locally. It was a fun programming problem.
  • No user-tracking JavaScript on the site.
  • No Disqus comments either, as they would require loading external JavaScript, which in turn can be used to identify users.

Visiting the site using Tor Browser

Just in case you have never encountered a .onion address before, you can visit these addresses using the Tor Browser. Download the latest version from the Tor Project site, and remember to download Tor Browser only from the official website. Because my service uses version 3 of the hidden service protocol, you will need at least Tor Browser 7.5 to visit it.

Here are a few quick tips for using Tor Browser:

  • Do not install any plugin in the browser. Plugins can be used to find your IP address.
  • Do not change the default browser window size. The window size can be used as metadata to identify users.
  • Use the https versions of the websites you want to visit. The Tor Browser ships the HTTPS Everywhere plugin to help you with that. As I mentioned earlier, onion hidden services are already end-to-end encrypted and you never leave the Tor network, so you can use them without SSL certificates.

You can find more tips on the Tor project website.

Btw, DuckDuckGo also provides its search engine over a hidden service, which you can use all the time.

Share files securely using OnionShare

Sharing files securely is always an open discussion topic. Somehow security/privacy and usability tend to stand on opposite sides. But OnionShare managed to build a bridge between them. It is a tool written by Micah Lee which helps to share files of any size securely and anonymously using Tor.

In the rest of the post I will talk about how you can use this tool in your daily life.

How to install OnionShare?

OnionShare is a Python application and is already packaged for most Linux distributions. If you are using Windows or Mac OS X, visit the homepage of the application, where you can find the download links.

On Fedora, you can just install it using the dnf command.

sudo dnf install onionshare -y

For Ubuntu, use the PPA repository from Micah.

sudo add-apt-repository ppa:micahflee/ppa
sudo apt-get update
sudo apt-get install onionshare

How to use the tool?

When you start the tool, it will first try to connect to the Tor network. After a successful connection, a window opens where you can select a number of files and then click the Start Sharing button. The tool will take some time to create a random onion URL, which you can then pass to the person who is going to download the files using the Tor Browser.

You can mark any share to stop after the first download (using the settings menu). Because the tool uses Tor, it can punch through standard NAT, meaning you can share files directly from your laptop or home desktop, and the other side can still access the files using the Tor Browser.

Because of the nature of Tor, the whole connection is end-to-end encrypted. This also makes the sharer and the downloader anonymous, but you have to make sure that you share the download URL in a secure way (for example, you can share it using Signal). OnionShare also rate-limits requests so that an attacker cannot make many attempts to guess the full download URL.