ProxyHam Canceled

The ProxyHam project (and associated Def Con talk) has been canceled under mysterious circumstances. No one seems to know anything, and conspiracy theories abound.

EDITED TO ADD (8/14): How to build your own ProxyHam.

Posted on July 16, 2015 at 11:00 AM • 45 Comments

Comments

d33t • July 16, 2015 11:29 AM

ProxyHam may have gotten gagged, but 900 MHz radios are really plentiful and work really well. Thankfully the concept will now live on the Internet of *nearly* "Foreverland" ('til the lights go out someday .. Lib of Alexandria anyone?) We used to build wireless video scopes with them in 1998 ... 900 MHz has been opened up for all kinds of license free use I guess. This kind of thing has happened repeatedly at hacker conferences. Maybe Dark Tangent will kick / ban the Feds again in protest? Can't really kick / ban the contractors, there are so many who are paying customers / speakers. I think I'm going to Toorcon this year. Haven't been since 2004.

Haven't looked yet, but someone should do a talk somewhere on moving away from RC4 sooner:
http://www.rc4nomore.com/vanhoef-usenix2015.pdf
https://youtu.be/d8MtmKrXlKQ

Sergiy • July 16, 2015 11:46 AM

I have really been taken aback by people in authority, how they will make up stuff when they don't know, and downright lie. My theory is that this stems from contempt for the public - i.e.: "we're the good guys" ( because we say so ) and "you're the bad guys" ( because you're not us ), so it's OK to lie.

And that's why I think if you press authorities to tell how many times investigations of terrorist plots were thwarted by encryption, they will just lie. You will never know exactly why TrueCrypt left town in a hurry and you will probably never find out what happened to ProxyHam. And if you demand an answer they will lie. Maybe someone paid them enough cash to walk away. Suppose you ran a private email service and men in black offered you $100k to walk away, would you?

Arclight • July 16, 2015 12:03 PM

This sounds a lot like "Employer got cold feet" for some unspecified reason. It could have been marketing saying "This isn't the type of fame we want," or it could have been pressure from a major government customer or potential client. Who knows. The circumstances sound more like the researcher is under threat from job loss or violation of an NDA than any sort of criminal sanction.

We might want to reflect for a moment on how other researchers can prevent this:

1. Publish as you go. You can't seal/black patent/NDA something that is published widely from day one. If things get weird domestically, someone in Iceland can fork your design and carry on. I know everyone likes building up to the "grand reveal," but this strategy is not without the risk of losing all of the invested work.

2. Maintain a healthy "work/personal" boundary. Don't sign contracts that permanently assign all personal creative work to someone offering a temporary paycheck.

The risk of getting fired is bad enough - you don't need some finicky third party having legal leverage over you. And remember, all contracts can be "redlined" by you prior to signing. Many large employers are not flexible on this; many smaller ones are. It's also worth paying for a legal consultation - many of these provisions are unenforceable in a lot of jurisdictions.

2a. Do not use company resources on research that is personally important to you and has a high likelihood of being controversial. Boundaries work both ways - avoid the temptation to do something that pulls your employer into the mix if at all possible.


Arclight

d33t • July 16, 2015 12:04 PM

@Sergiy

I guess there is just not enough money (or power) for many in selling the truth? Thinking of "money" being a lie itself and the shackles on the feet (mind) maybe it makes sense for the truth to be worth very little if any money at all? Truth, if it does set a person free, works against the concept of money, centralized power and authority.

CallMeLateForSupper • July 16, 2015 12:11 PM

But then there is this from Ars Technica:

"ProxyHam's early demise gives way to new and improved privacy devices"
(As usual, remove extra "h" in the link)

Jesse • July 16, 2015 12:29 PM

Given how boring the original project was and then how much hype it got, my guess is on publicity stunt. "I bought some stuff on Amazon and made up a long-shot privacy application and then the government silenced me" gets a lot more pageviews than "I bought some stuff on Amazon and made up a long-shot privacy application."

I've never even really understood what the thing is for. People realize that physical location of the hookup is not the only way you can be identified, right? I mean, you need to have physical access to the premises to install the head end. So even ignoring the possibility of tracking your payments to the ISP (which can be mitigated), police can proceed by figuring out who would have access to the premises where the head-end is located. Or are we saying that online privacy requires trespassing now? The bottom line is that I can't come up with a real person and real situation where the ProxyHam would be more than marginally effective. It seems to always be a privacy loss vs. existing public WiFi hotspots (and good opsec in using these).

Curious • July 16, 2015 12:43 PM

Not knowing much about such technology, I have no idea what to think of this concept, beside thinking that it might be very useful for less risky, or even accomplishing having a very private communication with someone.

Instead of me trying to describe some wild idea (all too easy) about how a project like ProxyHAM might be some kind of ploy to try to get people to use it based on bad intentions, I thought perhaps that the whole concept was bought up for some sum of money, but I don't know if that makes good sense or not (presumably, the whole concept isn't overly technical, so why pay one or a few people, if there is a risk of it being reproduced?).

Would patent law be some kind of obstruction for showing off or promoting such ideas as ProxyHAM?

I can also imagine that a government agency intimidated the people to have presented this concept.

I sort of get the feeling that the whole concept isn't overly technical, given what has apparently been written about it so far.

Ultimately, I guess I would have wanted to see some kind of eh evaluation about the presumed 'opsec' for how something like ProxyHAM would work. Presumably, any flaw in the perceived security of this concept by using radio waves would be fairly obvious to a lot of people.

I would also like to have known if there might have been additional features that otherwise wouldn't be obvious with this concept.

Maybe the whole concept is similar to some other technology (as in, different purpose, different usage) that are used by three letter agencies? Maybe, some kind of internet relay tech, that for some reason could be used to bridge a connection where a wifi connection otherwise wouldn't be useful? (This last thought doesn't make good sense to me though, because of how I perceive radio and wifi to be similar in nature so to speak.)

SALUBRIOUSBUBBLE • July 16, 2015 12:55 PM

If TLAs have been stupid enough to ban this talk (I'm not convinced they actually have), they would have done themselves a major disservice.

1. There's an obvious Streisand effect
2. The concept is brutally simple. There is no actual "secret" to be kept hidden away. Anyone can replicate it! Basically, it's a raspberry pi connected to a local wifi, beaming the signal through the other end via RF (like a wifi bridge on steroids).

I wonder whether it would be even easier to use an off-the-shelf wifi bridge and add the RF element, instead of tinkering with a raspberry pi from scratch. In fact, that's Saturday morning accounted for. I'm off to the hardware store!

Jacob • July 16, 2015 1:35 PM

I don't understand the usefulness of ProxyHam.
Assume you want to run some illegal bits over the internet by using the device. Where will you stick the far end box? It requires mains connection for power so it must be in a place that possibly knows you and lets you do such things. And remember that it appears to be a one-way system due to the transmitted power and antenna directionality requirements.

So you send your illegal bits, and the police come to the remote box and confiscate it. Therefore, it must be used for burst, not long term, activities. How is that different from using your cheap second hand phablet (or notebook with a USB wifi stick) at the library and leaving the premises after you are done and, if you are in a high-stakes game, possibly dumping the phablet/stick afterward?

Curious • July 16, 2015 1:42 PM

Any chance such a system could so to speak "piggy back" on some other communication system?

molin • July 16, 2015 1:44 PM

@Jacob: anonymity is not about sending illegal bits. raspberries can be hooked to batteries (like the ones you use to charge cellphones on the move).

CK • July 16, 2015 1:45 PM

@curious.

The OPSEC potential here is pretty good, install the "head unit" as it was referred to earlier in a bathroom AC vent or above a drop ceiling in a public space. Do all of your nefarious online activities via that link.

that's my top of the head idea.

MrC • July 16, 2015 2:06 PM

@ Jesse, Jacob:

Be a little more creative:

Scenario 1: Weatherproof case, solar panel, 3AM drone drop onto the roof of Starbucks.

Scenario 2: Visit random business in a large Manhattan office building (attorneys are a good choice because blind disclosure of client list is an ethics violation for them), excuse oneself to the bathroom, exploit shoddy construction to deposit unit into wall, ceiling, or other interstitial space, wire directly to mains.

And I'm sure some of the more technically knowledgeable regular posters can come up with something much better.

Wael • July 16, 2015 2:42 PM

Reinforces my "theory" that this ProxyHam was mainly about "anonymity"!

Suppose this device is developed and some TLA cannot decipher texts going through the network. Do you think they’ll leave it alone? Of course not!?

Implementation isn't the "barrier"; coming up with the idea is the real barrier! Advertising a title like that at a conference is equivalent to guaranteeing a product will be developed -- gag order or not!

I have a feeling it's a false alarm, there are no real conspiracies, and the presenters couldn't get the "product" to work well enough for presentation. A "gag order" sounds cooler than: "We don't know why it's not working" :) Then again, they may be in violation of some regulation, FCC or other...

At any rate, the idea isn't new, and highlights some weaknesses in "Geofencing"

Anura • July 16, 2015 2:57 PM

My guess is that the frequency they were using was being used by extraterrestrials, and upon discovering their nefarious plot to convince humans that global warming was real in order to get us to cut back on fossil fuels, the researchers were killed and replaced with shapeshifters who are now trying to act like the government suppressed them so no one else risks building another of these devices.

Nick P • July 16, 2015 3:39 PM

@ Jacob

Most locations with Wifi are businesses or residential. The businesses often have cameras or are seen by others' cameras. Having logs + footage gives people a good start. Using residential WiFi avoids that albeit with risk of sticking out. Using a long-range antenna from woods becomes best option.

Yet, that does implicate a residence in what you do vs a company that's decided to take on some risk. So, combining best of the two is hiding a box onsite with two wireless connections: one to wifi; one to your box or relays leading to it. Now, you can work from a spot off camera and with concealment enough to spot those that might track you.

Many of us built tech like this in 90's and such. I think some used amateur radios. A COTS, cheap solution is an improvement in theory. However, I'd bet money the spooks were watching credit card details and shipping addresses of such things. The traceability of this vs cash at RadioShack is why it's a step backward in practice.

albert • July 16, 2015 3:39 PM

@Jacob,
No, no, no. The FEEBS come in and use RDF to track the signal right back to your house:)
Better yet, they tap it and sit on it for a while. It's loads of fun for the whole Family.
.
@Anura,
Yeah, that makes a lot more sense...(:)
.
@Curious,
"...Would patent law be some kind of obstruction for showing off or promoting such ideas as ProxyHAM?..."
. No. Patents, when granted, are published. (Some patent applications can be classified. I don't know exactly how this works, but it amounts to a gov't-controlled black hole) Patents don't 'protect' anything. They only provide a legal monopoly for the holder. Even gov't lawyers wouldn't approve a NATSEC classification order on a lame idea like ProxyHam.
.
...

rgaff • July 16, 2015 4:08 PM

Look at the updates to the first link Bruce posted, on page two:
http://www.csoonline.com/article/2947377/network-security/privacy-talk-at-def-con-canceled-under-questionable-circumstances.html?page=2

Apparently they got comments from the guy, and he verbosely answered, "no, it has nothing to do with that" to everything they questioned him about (FCC rules, patents, etc)... except for one thing: an NSL... to which he answered "no comment" instead....

Could he have been much clearer than that without going to prison?

Anura • July 16, 2015 4:44 PM

@rgaff

I don't buy the NSL theory. What can this do that is not already available in the first place? It's somewhat interesting, but not exactly groundbreaking.

Figureitout • July 16, 2015 5:02 PM

As has been said, cool project but can be and has been replicated (samy.pl and erratasec have posts on it, samy has a PoC all built up of course). I was going to document one here (just the actual connecting a 2.4 GHz yagi to another router, it's nice just having a clean antenna rather than some of the builds online w/ pringle cans and paper clips lol..) but blew up a pc w/ a pci card that I really liked (I've never f-d up a pc so bad before, no beep codes even..) and I have to share a connection so I only had a little while to get this dumb router working and it failed so getting rid of stock firmware, so I'm still licking my wounds. BUT that really looks sketch unless in an apartment/hotel in urban area. Plus opsec concerns. And this doesn't have to be for illegal means, it can actually be a way to order a pc or router when you're under attack and need to retreat and recover (downloading new images or other software too), do it from your owned router and attackers simply follow to next one.

Also digital radio people, like ditty bopper said, I can hook up a radio from 1980's to a computer w/ soundcard, and the connections are all over audio ports (mic is tx and speaker is rx). Just have to look up the connections in manual for a 4-pin mic. I'd airgap the pc too.

Clive Robinson • July 16, 2015 6:12 PM

@ Wael,

At any rate, the idea isn't new, and highlights some weaknesses in "Geofencing"

Indeed it does...

If you go back in time around ten years to the border between The Republic of Ireland and Northern Ireland, you would have seen 2.5GHz ISM equipment such as television "set top box" extenders and WiFi kit being used by Pirate Radio stations in the North "linking" to their transmitter sites in the Republic.

The reason for this was that the UK OfCom agency had become the prosecuting authority for such dubious legislation as "The Marine Offences Act" and more recent even more draconian legislation.

OfCom however did not find the work glamorous in any way for two reasons, firstly because it was financially a hole in the ground and secondly because it was entirely politically motivated, with various people in power getting a take of the radio business controlled by the "big three" dumping on OfCom's seniors on behalf of the paymaster three. Thus OfCom did not spend sufficient on detection equipment or training of their staff, and at that time could not DF in the ISM band.

Over in the republic however their radio regulatory authority really did not care about Pirates broadcasting into "the north" so made no effort to close down the very well known transmitter sites.

More interestingly was the tie up to Rupert "the bare faced liar" Murdoch, and the Pirates... It's well known that Rupert hates the BBC with a loathing that can not be believed of a rational person. Further Rupert owned News International which controlled Sky, and it can easily be shown that people working at Sky were facilitated by Sky to aid their "engineering" work for the Pirates. Several companies that sold equipment to "Sky engineers" that was also delivered to them at Sky premises, were somewhat surprised to have "their collars felt" by OfCom, because equipment they thought had been sold to Sky ended up on Pirate sites...

As people might know News International changed its name and various other aspects of the operation over the Met Police "phone hacking" enquiries. Apparently the changes were done in order to protect "papa murdoch" and certain people were prepared to do many things, that were not just questionable. Thus if you dig a little you will learn of the outrageous behaviour of senior News International members such as Will "thirsty" and Rebecca "ride my police horse". Thirsty decided the best way to protect "papa" was to get him out of the UK then throw journalists and their confidential sources at the Met Police as a diversionary tactic. In return papa Murdoch got thirsty out of the UK because he had become a "dead man walking" with people making public his home address and other details about his family etc. Unfortunately thirsty has got home sick and wants to come back to a "rewarding position" in the UK. It will be interesting to see how long it will take for him to be stabbed in the back both figuratively and literally. Unlike "Lady Macbeth" it's not a case of "out damned spot" levels of "bad blood" it's much more biblical and "rivers of blood" just doesn't do it descriptive justice either. I suspect several people are currently plotting his early demise within the company if not a dark alley as well.

Meanwhile Murdoch with his controlling hand firmly up the nether regions of his puppet UK Prime Minister David Cameron, is now getting an early Xmas with regards the BBC, the fix is in, and the BBC has been critically wounded in the current "charter changes" a view effectively espoused by two old Thatcherites....

rgaff • July 16, 2015 9:03 PM

@ Anura

You're right about it not being ground breaking. But, as implausible as the NSL theory may sound, the government is not known for always being reasonable nor logical and the guy is feeding that particular conspiracy by freely answering every question but that one!

Wael • July 16, 2015 11:05 PM

@Clive Robinson,

It's well known that Rupert hates the BBC with a loathing that can not be believed of a rational person.

That's just jealousy :) Rupert says: Say that one more time, and I'll stick those fingers in your eyes :)

Just passin' thru • July 16, 2015 11:10 PM

I've always wondered about the legal basis for classifying Hedy Lamarr's patent on frequency hopping technology top secret during WWII. The patent paperwork was deep-sixed, and Lamarr & partner were told (IIRC) that public discussion would lead to prosecution. While this situation is not exactly analogous, what prevents the govt from doing the same here (and/or using contrived legal justifications despite prior publication)?

Jonathan Wilson • July 16, 2015 11:23 PM

My guess is the simple explanation, namely that the FCC got wind of this talk and sent the guy an official letter saying "your product is illegal under part xyz of FCC regulations, if you build it, sell it, tell other people how to build it etc, you will get in trouble under xyz law" and he decided that canceling the talk was better than whatever penalty the FCC was threatening him with.

And quite frankly if his device did things on the 900MHz band that are not permitted on that band, he deserves to get in trouble for it.

As for the "his employers forced him to cancel the talk" argument, someone over on hackaday.com pointed out that he is his own boss so that argument isn't valid.

Mr bellicheck • July 16, 2015 11:33 PM

@ Jacob

Interesting. This is what I think of it.
It's stuff like this that was created or dreamed up as possible counters to mass surveillance watch. Rest assured these devices if discovered will be handed over to authorities possibly with DNA all over them for IDs. Theoretically these throwaways would work if you got a friend to favor it at the private hotspot.

Curious • July 17, 2015 4:05 AM

I guess something like the ProxyHAM could perchance be disguised to look like something else, or even be hidden entirely within some other shape. I have ofc, no idea to what degree that might impact the quality of radio reception and radio emission.

Curious • July 17, 2015 4:20 AM

Maybe this concept could be useful for having some clever early warning system, or just a warning system.

Curious • July 17, 2015 4:22 AM

How about using this concept for a perimeter warning system? As if thinking of it as some kind of potential movement detection system for a large area or a large room.

Jacob • July 17, 2015 5:03 AM

This ProxyHam does not provide any meaningful level of anonymity:

1. Define user-side (i.e. protected) box as Box A, remote box as Box B
2. Box A transmits data via radio link to Box B. Box B is connected to the internet via WiFi.
3. On the internet, Adversary (mostly authorities) detects interesting activity, traces it to the WiFi AP, taps the AP, optionally shuts down known nearby clients and fairly quickly finds Box B.
4. Tapping Box B, Adversary can sync Box B WiFi data activity with RF activity, and with the help of RF direction-finding antenna can vector in on Box A.

Curious • July 17, 2015 8:06 AM

If you had a bazillion ProxyHAM like boxes, maybe you could transmit data/datagram UDP style (sry, I don't know much about UDP standard) and perhaps not worry about people knowing where the radio transmitters are? A message would be thought of as being spread like a virus that multiplies, making it difficult if not impossible to locate the start of a message being sent, and difficult if not impossible to locate where the message is picked up. A message would be picked up at the receiving end before a message stopped propagating around and outwards and inwards again.

Curious • July 17, 2015 8:09 AM

How about having a delayed transmission/re-transmission in intermediary boxes, as a kind of security feature, for burst transmission only.

G • July 17, 2015 8:16 AM

@jacob

4. Tapping Box B, Adversary can sync Box B WiFi data activity with RF activity, and with the help of RF direction-finding antenna can vector in on Box A.

So unless they have onsite access with a direction finding antenna they are out of luck. NSL is the obvious reason he was taken down. What tech they are so scared of is the only question left. What I want to know is why is encrypted 900 MHz still illegal?

cryptololkitten • July 17, 2015 9:19 AM

RE: encryption over 900 MHz

Is it legal to transmit noise over 900 MHz?
If yes then indistinguishable crypto over 900 MHz is legal as well.
Or what about steganography? Nobody cares about the photos of your baby, or your food anyway.

Clive Robinson • July 17, 2015 10:33 AM

@ blob,

The problem with the method you point to with the link you give, is that it does not provide any real security, in that the locom devices are designed to be "transparent" in use.

Really you need a firewall-router at either end between the WiFi unit and the locom.

As I've pointed out several times over the years on this blog, any comms link that has sufficient bandwidth has utility in this respect. I've used X or Ku band microwave setups that the bits for cost less than $100 (or you can steal off of traffic light systems and peoples satellite TV dishes which is what happened in Northern Ireland). Also "laser pointers" with binoculars and off the shelf Ham / Amateur Radio kits / equipment.

The reason to use Raspberry Pis is to do the firewall and encryption for the comms link very flexibly and cheaply, you could use almost any suitable SoC based board, but as far as CPU power, electrical power and ease of use, for the price the Pi is difficult to beat.

@ cryptololkitten,

Is it legal to transmit noise over 900 MHz? If yes then indistinguishable crypto over 900 MHz is legal as well.

Sorry No and No.

You are supposed to use a "recognised mode of modulation", none of which allow "encryption" to be used. The reasons for this are many and some very historical (ie WWI). The legal requirement is that the licencing authorities can demodulate the signal and ensure that the device is being used in an approved application.

This was all "hunky dory" until WiFi came along, and the legislation has not been suitably amended, so encryption is still technically a punishable violation, though the use of SSL etc is standard at the application level and --originally-- RC4 for WEP.

I've seen argument that the "meta-data" at the respective levels act as "call signs" which "makes it all OK" etc...

Each country has its own historic legislation, that was often used not for valid legal reasons but as a method to "close the market from foreign competition" which failed spectacularly and had the exact opposite effect. Which is one of the reasons why we have Far Eastern mobile phones etc, as they are the only people that get the margins required to leap through the regulatory hoops. Thus to try to reverse the situation a lot of rules got bent or ignored, but by then it was way too little, way too late.

@ Curious,

How about having a delayed transmission/re-transmission in intermediary boxes, as a kind of security feature

Nothing "kind of" about it, if TOR used "store and forward" nodes then it would be much more immune to traffic analysis.

Have a dig back on this blog and you will find that store and forward plus continuous fixed rate transmission is a cure for most traffic analysis issues. But to do this effectively TOR should not have "gateways", that is all clients form part of the mixing network with the data coming in and data going out being the same... Thus "no hooks to hang a hat on".
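Clive's store-and-forward, constant-rate point, and Jacob's step 4 earlier in the thread (lining up Box B's WiFi activity against the RF activity), as an added simulation that is not from any commenter or from the ProxyHam project. The traffic trace, cell size and link rate are constructed; it shows how far the emission timeline of each link design can be correlated with the user's real traffic, and what the padded design costs in delay and overhead.

```python
"""Why a transparent radio bridge leaks the user's traffic rhythm, and how a
store-and-forward link sending at a constant rate hides it.

Added illustration for the thread above; not code from ProxyHam or from any
commenter. The traffic trace, cell size and link rate are constructed."""
from math import sqrt

# Constructed trace: bytes the hidden user really sends per one-second tick.
# Bursty, like interactive web use; zeros are idle ticks.
REAL_TRAFFIC = [0, 0, 1400, 2800, 0, 0, 0, 700, 0, 0, 4200, 4200, 0, 0, 0, 0]


def transparent_link(real):
    """Transparent bridge: the radio emits exactly what the user sends, so
    what an observer at the WiFi end (Box B) records is the user's own rhythm."""
    return list(real)


def fixed_rate_link(real, cell_bytes, cells_per_tick):
    """Store-and-forward link at a constant rate: every tick emits exactly
    cells_per_tick cells of cell_bytes, filled from a queue of real data and
    topped up with dummy cells when the queue runs short.

    Returns (bytes emitted per tick, worst queueing delay in ticks, bytes
    still queued at the end)."""
    queue = []          # [arrival_tick, bytes_remaining] in arrival order
    emitted = []
    max_delay = 0
    for tick, nbytes in enumerate(real):
        if nbytes:
            queue.append([tick, nbytes])
        budget = cell_bytes * cells_per_tick
        while budget > 0 and queue:
            arrival, remaining = queue[0]
            take = min(remaining, budget)
            queue[0][1] -= take
            budget -= take
            if queue[0][1] == 0:
                max_delay = max(max_delay, tick - arrival)
                queue.pop(0)
        # Whatever the queue held, the air interface carried the full rate;
        # any unused budget went out as padding cells.
        emitted.append(cell_bytes * cells_per_tick)
    return emitted, max_delay, sum(rem for _, rem in queue)


def pearson(xs, ys):
    """Pearson correlation between two per-tick series. Returns 0.0 when
    either series is constant: a flat emission timeline gives the observer
    nothing to line up against the WiFi-side activity."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def padding_overhead(real, emitted):
    """Fraction of emitted bytes that were padding rather than user data."""
    return 1 - sum(real) / sum(emitted)


def compare(real=REAL_TRAFFIC, cell_bytes=1400, cells_per_tick=2):
    """Timing correlation and cost for both link designs on the same trace."""
    plain = transparent_link(real)
    padded, delay, leftover = fixed_rate_link(real, cell_bytes, cells_per_tick)
    return {
        "transparent_corr": pearson(real, plain),
        "fixed_rate_corr": pearson(real, padded),
        "fixed_rate_max_delay_ticks": delay,
        "fixed_rate_leftover_bytes": leftover,
        "fixed_rate_padding_overhead": padding_overhead(real, padded),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The transparent bridge correlates perfectly with the user's traffic, while the constant-rate link correlates with nothing; the price is queueing delay on bursts and a large share of padding on the air.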

J on the river lethe • July 17, 2015 11:07 AM

Proxyham didn't particularly impress me for purposes. A yagi pointed at a high rise hotel might be better. Fairly easy to guess passwords for most. I seem to remember some worked on web access on shortwave radio. Slow. And almost certainly goes against WW1 laws. Some nasty penalties there for encryption over airwaves. And absolutely no way to track simple reception. Transmit, yes.

The problem is in man's heart so to speak. The idea that the power for destruction is rising in relation to what just one individual can do with knowledge and mental illness (what I would call it). Realistically, society must "control" the individual, but government is just as broken. It is an interesting pickle we find ourselves in. The catch 22 and perhaps the Great Filter. Maybe we need to colonize planets and separate groups? They would probably still wipe themselves out. Ugg.

paul • July 17, 2015 11:45 AM

What sprang to mind for me (and what I think some of the comments implicitly bear out) is that doing this kind of bridge is easy, but doing it with a maximum (or even optimum) of safety is hard. So cancelling a talk by someone who has spent a fair amount of time thinking about the details of this kind of setup does buy security services something. Imagine how insecure TOR-like services would be if you had everybody implementing their own from first principles, with a few nods to interoperation but a sense that any large gathering of developers might be treated as a criminal conspiracy.

Tony H. • July 17, 2015 12:59 PM

"I don't buy the NSL theory. What can this do that is not already available in the first place? It's somewhat interesting, but not exactly groundbreaking."

So what if this guy did come up with something that does pose a serious threat to some aspect of the Powers That Be? And he gave his talk a title and summary that would attract the right audience, even though the actual talk was going to have a quite different slant maybe only loosely related to encrypted comms over 900MHz? And the PTB got wind of it, and that is why he got the NSL?

Well that would be just another wild conspiracy theory, of course...

TomTrottier • July 18, 2015 9:52 PM

If talks are so easily cancelled at DEFCON by the Three Letter Agencies, perhaps DEFCON should be moved to Germany or Switzerland. Some place near a beach.

TomTrottier • July 18, 2015 10:34 PM

If enough Proxy ATs were installed near free wifi sources with mesh networking, you could have a local darknet.

@g @jacob Radio Direction Finding is not trivial with spread spectrum signals, especially if there are many, many signals. At higher GHz there are also lots of reflections.
