Schneier on Security
A blog covering security and security technology.
January 20, 2006
This seems like a really important development: an anonymous operating system:
Titled Anonym.OS, the system is a type of disc called a "live CD" -- meaning it's a complete solution for using a computer without touching the hard drive. Developers say Anonym.OS is likely the first live CD based on the security-heavy OpenBSD operating system.
OpenBSD running in secure mode is relatively rare among desktop users. So to keep from standing out, Anonym.OS leaves a deceptive network fingerprint. In everything from the way it actively reports itself to other computers, to matters of technical minutiae such as TCP packet length, the system is designed to look like Windows XP SP1. "We considered part of what makes a system anonymous is looking like what is most popular, so you blend in with the crowd," explains project developer Adam Bregenzer of Super Light Industry.
Booting the CD, you are presented with a text based wizard-style list of questions to answer, one at a time, with defaults that will work for most users. Within a few moments, a fairly naive user can be up and running and connected to an open Wi-Fi point, if one is available.
Once you're running, you have a broad range of anonymity-protecting applications at your disposal.
Get yours here.
See also this Slashdot thread.
Posted on January 20, 2006 at 7:39 AM
• 40 Comments
Combine features of this, with a facility like the VMWare Player, and you might have a real "safe surfing" platform for those businesses which allow employees to surf the web.
I think, the whole point of the "anonymous" system is the built-in Tor integration that encrypts outgoing traffic.
First, users are not usually anonymous, because they do not want to be or they unintentionally do things to not be anonymous even over the Tor net.
Second, if I am the Chinese government, I would make a law to ban any encrypted communication. Then I can simply arrest anybody who tries to use the secret form.
And third, if I am the Chinese government, I would insert a spy into the Tor (or any other) net which must be pretty simple with the number of Tor servers around the world.
Banning encrypted communication is hard now "the cat is out of the bag". Too many Internet services that rely on encryption are in use; not to mention DRM. BTW, how do you distinguish between encryption, encoding and random binary data?
Inserting "Spy nodes" in TOR is a possibility, but that won't help you too much, unless you control a significant number of nodes. Read up at tor.eff.org how TOR really works.
I can't be certain without testing, but I imagine running Anonym.OS in VMWare player may compromise some of its features due to the unique fingerprint the host OS may leave behind.
Of course, it didn't take long for some fruitnob to start whining in Wired's Rants & Raves that Anonym.OS would have benefits for "child pornographers, terrorists, drug smugglers, scam artists and other low-lifes."
It never ceases to amaze me that people honestly think that dedicated, experienced criminals are incapable of taking steps to protect their activities from scrutiny without help from presumably naive product inventors. You'd think that Kaos.Theory somehow invented Internet anonymity, and that the continued presence of online criminals and other annoyances was simply a side-effect of lazy or overworked law-enforcement.
But beyond that, the idea that something should be "abuse-proof" before it should be allowed into the public sphere is dangerously stupid, and needs to be quashed.
I don't think it's valid to say that your average member of an organized crime organization would easily be able to take the kind of precautions this CD would afford. You could put this into any computer you're capable of rebooting, allowing for it to be used by those traveling about and those lacking extensive knowledge about security and configuring operating systems.
That's not to say it should be banned or its existence doesn't have all kind of good aspects, but the argument that criminals would be able to do this just as easily anyway is fundamentally flawed.
You need to learn more about organized crime.
Hmmm.... great stuff. Only one hitch. If one were to try this software for real and suppose it does not deliver what it promises, then ..... too bad. I'll see you guys in jail!
> your average member
Not that I know anything about organized crime, but I imagine guys who have been trained since Prohibition not to put stuff down on paper probably don't rely overmuch on their computers, either.
The "grunts" probably still do things the real-old fashioned way, by word of mouth. Kinda hard to bust someone's kneecaps over email, anyway.
The guys handling the money and the records undoubtedly already have tools like this...
"I don't think it's valid to say that your average member of an organized crime organization would easily be able to take the kind of precautions this CD would afford."
That may very well be true. But I do believe that your "average cyber criminal" knows enough about hiding their tracks that Anonym.OS, while it might be useful, wouldn't be this sudden windfall, granting them capabilities that they wouldn't already have.
I agree that the "upper level" of criminals wouldn't have much use for this. However, in the same way virus scripting created a lot of "script kiddies", this type of OS could bring additional capabilities for hiding to the "dumb" criminals, or the criminal wannabes.
Very possible. But the $64,000.00 question is whether or not these potential additional capabilities warrant suppressing the technology, or even being harshly critical of Kaos.Theory for making it available to the public. My personal (and not particularly humble) opinion is that uninformed and/or fearful critics tend to make too much of the possible risks and avenues of abuse, and to downplay the benefits.
"Hmmm.... great stuff. Only one hitch. If one were to try this software for real and suppose it does not deliver what it promises, then ..... too bad. I'll see you guys in jail!"
Only if we use it for illegal purposes, which we shouldn't be doing anyway - or if we live in a country where unpopular political speech can make one disappear. Far more likely, you'd see us embarrassed, or we're using it because we realize that, like anyone, we may have something to say/hide eventually and want the option available.
And how can I use my Password Safe database in Anonym.OS?
Seriously, I don't remember any of my passwords used for Internet services (e-mail, IMs, etc.)
If you are lucky, he included the OpenBSD Linux emulation stuff which lets you run some Linux programs.
Then you may be able to use Password Gorilla located at:
Source is also available, so maybe you can just compile it, though dunno how that would work on a livecd. Probably have to set up a chroot env on a pen drive.
Finally, I can't recall where, but there is/was a Java Password Safe equivalent.
The Java one and Gorilla use the same database format.
I tried it and it works well, at least from a user standpoint. It booted up fine and appears to work as advertised. A few simple checks for anonymity returned bogus (and changing) results. But I don't know of any really good sites to check anonymity against. Anyone know of some?
The one I see mentioned a lot is:
You could also do some Google searches for Porn, bombs, etc and when Google is forced to turn over their logs, see if the feds show up. If they do, then the Anon.OS didn't work.
Maybe do it from a disliked coworker's computer :)
I set up my own page to show IP address, proxy server use (if known), IP behind the proxy (if known) and HTTP headers, partly to test such "anonymous" systems. I put it on the network at http://www.ioerror.us/ip/ . Enjoy!
It seems to me that this pretty much ignores traffic analysis. I mean all of a sudden somebody starts producing encrypted Tor traffic from a cyber cafe. That's gonna stand out like a sore thumb and is going to be easy as all hell to track down. Also, and I need to dig further into their code to see if they do this, but it would need to deal with the fact that Tor, by default, sends DNS traffic in the clear. I'm thinking this would be pretty hard to deal with on a livecd.
Tor can be useful but it is *only* useful if the LAN that you are starting from is trusted. And I don't see this being used in those environments.
I'm also not seeing how this would deal with hardware keyloggers.
I'm having a hard time seeing the point in a world where WiFi is pretty much everywhere and a basic laptop that can run an opensource (I happen to run OpenBSD on the desktop) OS is very cheap.
> It seems to me that this pretty much ignores traffic analysis.
Not really. Or, to be precise, somewhat. Yeah, obviously the tor traffic is going to stick out to anyone monitoring any network between the client machine and the tor network, but all they're going to see is someone running an anonymized machine. They only get part of the traffic analysis (someone's doing something maybe sneaky). Depending on how well the network is set up, it might just look like a VPN connection.
> Tor, by default, sends DNS traffic in the clear
This would be a pretty big thing to miss, but it's easy enough to test. I'm going to play around with this thing myself, so I'll let you know how well it works out.
> I'm also not seeing how this would deal with hardware keyloggers.
Not well at all, I'd imagine. But I can think of at least one legitimate use -> if you're travelling, rather than carry around your own computer, that may have critical information on it, you can carry a boot cd, stick it in a public terminal, check the keyboard cable for a hardware logger, and ssh to wherever to read your mail. It's pretty easy to check for hardware keyboard loggers (they're pretty uncommon, in any event), but it's virtually impossible to check the integrity of a public terminal's operating system.
Boot from this, and you don't have that problem. You can use a bot-netted machine perfectly safely.
You can also boot public terminals in your own enterprise with this for guests to use. You don't have to give them a login to your enterprise systems, just boot from this, hand them the keyboard, and let them do their thing.
> Tor, by default, sends DNS traffic in the clear
According to their documentation, that's actually not the case:
Although the application you're running on a Tor-ed machine may be sending the DNS request in the clear.
I imagine this is cleared up in Anonym.os, since they have very few applications and they're bundled, but I've emailed the dev team to ask.
Just install a separate minimal installation of linux with iptables and without any of the unnecessary network services installed. That should do the trick.
Just to add, I think this perfectly describes the sorry state of software and operating systems in general. It generally means going back to the old amiga times and having physical write protection on disks whenever you're not going to write to them.
This OS does indeed affect the resident hard drive. I've been testing it on a laptop that had SUSE Linux installed and working. The hard drive activity light is on nearly constantly and after several lockups/reboots of Anonym.OS, the SUSE install is toast and won't boot. I'm thinking Anonym.OS may use the resident hard drive as a swap file and does not clean up well when it locks up and you're forced to do a hard reboot.
Regarding tor and DNS request leaks: the Anonym.OS image also includes "privoxy" (http://www.privoxy.org), which when used in conjunction with tor will strip out the DNS information.
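The DNS-leak question raised in the comments above can be checked from a packet capture. The following is an added example, not part of the original post or any comment: it parses DNS query names from UDP payloads and flags any query sent to a non-loopback resolver. The packet records are constructed, and the ports shown (Privoxy 8118, Tor SOCKS 9050, relay 9001) are the tools' usual defaults, assumed here.

```python
import ipaddress
import struct

def build_query(name, txid=0x1234):
    """Encode a minimal DNS A/IN query (used only to construct the sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(payload):
    """Return the queried name from a DNS query payload, or None if malformed."""
    if len(payload) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1:      # a response, or not a single question
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:                          # root label terminates the name
            break
        if n > 63 or pos + 1 + n > len(payload):
            return None                     # compression pointer or truncated label
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    else:
        return None                         # ran off the end without a terminator
    return ".".join(labels) or None

def find_dns_leaks(packets):
    """List (resolver, name) for every cleartext UDP/53 query leaving the host."""
    leaks = []
    for p in packets:
        off_host = not ipaddress.ip_address(p["dst"]).is_loopback
        if p["proto"] == "udp" and p["dport"] == 53 and off_host:
            name = parse_qname(p["payload"])
            if name:
                leaks.append((p["dst"], name))
    return leaks

# Constructed sample: addresses are documentation ranges, not real hosts.
SAMPLE = [
    {"proto": "tcp", "dst": "127.0.0.1", "dport": 8118, "payload": b""},   # browser -> Privoxy
    {"proto": "tcp", "dst": "127.0.0.1", "dport": 9050, "payload": b""},   # Privoxy -> Tor SOCKS
    {"proto": "tcp", "dst": "198.51.100.7", "dport": 9001, "payload": b""},  # Tor -> relay
    {"proto": "udp", "dst": "192.0.2.53", "dport": 53, "payload": build_query("example.org")},
]

if __name__ == "__main__":
    for resolver, name in find_dns_leaks(SAMPLE):
        print(f"cleartext DNS query for {name} sent to {resolver}")
```

Only UDP port 53 is covered; DNS over TCP carries a two-byte length prefix and would need a separate branch.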
@all "the SUSE install is toast and won't boot".
Has anyone else tried this and had the same, or similar, problems as Mark J.?
I cannot find any reports on the Internet to suggest this is a common problem.
I cannot say definitively that Anonym.OS and the total meltdown of my hard drive were at all related, except in time. But the hard drive is now completely useless. I couldn't even run a low level format. It was, however, an older hard drive. I have also not read of even one other incidence of file or hard drive corruption related to the use of Anonym.OS, so I'll give Anonym.OS the benefit of the doubt. Just bad timing, it seems.
Just as an aside, even with the useless hard drive installed, Anonym.OS still runs fine. So at least the laptop has some use while I await delivery of a new hard drive. :-)
Thanks for the clarification Mark. I will let the group know if I have problems.
I can't find the netstat binary anywhere on the live-cd. Is it the ISO I downloaded, or has everyone else experienced the same thing ? The man-page for netstat is there, but the binary is nowhere to be found.
Regarding the guy that said about wireless being so 'secure'... Wireless is in fact exceptionally easy to trace, the signal is analog, and it degrades in magnitude as you progress further from its centre.. Anyone who thinks that wireless is the future for anonymity can think again...
This blog posting was of great use in learning new information and also in exchanging our views. Thank you.
hmm, apparently the first time I timed out so it wasn't displayed :s.
Take two :D
Let me first introduce myself; I am a Dutch LLM student writing a paper on TOR servers (anonymity and privacy in conjunction with Data retention in the EU).
After having read A LOT about TOR (I won't bore you with all the academic publications, suffice it to say it is a lot), I (still) have the following question(s);
What degree of anonymity can be reached when using TOR servers? (I think complete anonymity would be a stretch)
And what parts can be found out if a government does have access to all traffic data?
I can understand that if indeed you are the only one using TOR in a certain area you would be easily traced.
But considering the vast amount of people using TOR, and hosting TOR servers, in European countries would it not be virtually impossible to retrieve a single identity?
Or am I missing a technological aspect of TOR which DOES make it possible for a malevolent government (e.g. China) to ascertain the identity of a TOR user?
Thank you all in advance,
Puppy linux is WAAAAAAAY faster...
Legal issue with any non-Microsoft software mimicking Win (although I'm not a lawyer): You may be legally required to buy a copy of Win (in this case, Win XP SP1), keep it, and not install it. Sounds like this program (and perhaps, probably, its planned likely successor, S.A.M.A.E.L.) uses this version of Win's look and feel, which is protected by copyright, and I think Microsoft's position would be that if you want their look and feel you have to buy the program that supplies it, one copy per installation occurring at a time, per their license. (Whether this would apply where the Win look and feel would be invisible because installed where there is no exposure to visitors, I don't know.) (I've sent a like message to .)
My post above said at the end that I had sent a like message to kaos.to (Anonym.OS website) (I guess the less-than and greater-than symbols as URL delimiters are rejected in comments, probably a security measure to prevent HTML tagging, which tagging wasn't my intent).
Anonym.OS's developer says essentially that it doesn't infringe on Microsoft's look and feel. Maybe that's right. In that case, there's no need to buy Win.
OK, I'm a real novice...How do I boot from the Anonym.OS iso file? I mounted the iso file on a virtual CD (http://www.daemon-tools.cc)
How do you install anonymous os onto hard drive booting from live cd?