privacy

Guest Post: The Library Freedom Project: Bringing privacy and anonymity to libraries

Hi, Tor community! My name is Alison, and I'm the founder of the Library Freedom Project, an initiative that aims to make real the promise of intellectual freedom in libraries. It's a partnership among librarians, technologists, attorneys, and privacy advocates to teach librarians about surveillance threats, privacy rights, and privacy-protecting technology tools. So far, we've been all over Massachusetts and parts of New England, and we have been awarded a generous grant from the Knight Foundation to bring privacy training to libraries across the United States.

We teach librarians three things. Kade Crockford of the ACLU of Massachusetts teaches the current state of digital surveillance. Jessie Rossman, an attorney and surveillance law expert also from the ACLU of Massachusetts, offers a privacy-focused “know your rights” training. I teach technology tools – like Tor and Tails.

Libraries have historically been staunch defenders of privacy, taking public stands against surveillance initiatives like the USA PATRIOT Act. Libraries offer public internet terminals, and librarians like me teach free computer classes to the public. Our patrons come from all walks of life, but we tend to serve communities particularly vulnerable to surveillance (including immigrants, Muslim Americans, people of color, people who are homeless, and those who have been incarcerated) in higher numbers than in the general population. For all of these reasons, libraries are an obvious place to promote and protect online privacy and anonymity and fight against digital censorship and surveillance – that's why I started the Library Freedom Project.

While we focus on US libraries, we are eager to speak to our colleagues in other countries, since privacy is a right for everyone in every country (and privacy is threatened everywhere).

In the tech part of my trainings, I teach tools like the Tor Browser, Tails, HTTPS Everywhere, and DuckDuckGo. I show librarians how to install these on public PCs, and provide curricula for librarians who want to teach privacy-focused computer classes. I help library staff configure Tor relays and set their library websites to run on HTTPS by default. They are thrilled to learn about these tools – as I said, librarians as a profession have always valued privacy, but the development of mass surveillance technologies has outpaced their technical ability. They want to protect their patrons, but they don't know where to start. Thanks to the tools developed by folks in the Tor community, I've been able to teach librarians the skills they need to take anti-surveillance tools to the public. Librarians whom I've trained have started teaching their own classes to library patrons, and the public response has been overwhelmingly positive and moving – these classes make a real difference in the lives of everyday people who are desperate to learn practical ways to take back their digital privacy. The work of the Tor community makes it possible for me and other librarians to help them do this.

So please allow me to express my heartfelt thanks for all that you do. Without tools developed by the Tor community, my work would not be possible. On a personal level, I'm awed by how welcoming and helpful this community has been to me. Tor community folks have offered me feedback, encouragement, and assistance at every turn. Tor Project core member Nima Fatemi even helped build my website (thanks again Nima, I owe you big time!). Now that I run the Library Freedom Project full time, I look forward to working even more closely with folks from the Tor community, and I'd love to give back to your community the way you've given to mine. One specific way that librarians can help the Tor Project is with usability issues – we have lots of experience helping ordinary users with common usability problems. I'd like to introduce developers to librarians who've installed anonymity tools and other free software in their libraries. Librarians can also run dev sprints, help update documentation, and generally advocate for tools that help safeguard privacy and anonymity.

With Knight funding, our goal is to conduct 100 librarian trainings in two years, and build a website of resources for librarians who want to teach their communities how to protect themselves against online surveillance. I'll be traveling all over the US to do this, so please get in touch with me to see if I'm coming to your city! I'd love to bring Tor community members with me to my trainings and help develop a partnership between our two communities.

For more information about the Library Freedom Project, to get involved in the fight for digital civil liberties in libraries, or to offer your own ideas for how this project can move forward, visit our website or contact me.

Transparency, Openness, and our 2013 Financials

2013 was a great year for Tor. The increasing awareness of the lack of privacy online, increasing Internet censorship around the world, and general interest in encryption have helped keep us in the public mind. As a result, our supporters have increased our funding to keep us on the leading edge of our field; this, of course, means you. We're happy to have more developers, advocates, and support volunteers. We're encouraged as the general public talks about Tor to their friends and neighbors. Join us as we continue to fight for your privacy and freedom on the Internet!

After completing the standard audit, our 2013 state and federal tax filings are available. We publish all of our related tax documents because we believe in transparency. All US non-profit organizations are required by law to make their tax filings available to the public on request by US citizens. We want to make them available for all.

Part of our transparency is simply publishing the tax documents for your review. The other part is publishing what we're working on in detail. We hope you'll join us in furthering our mission (a) to develop, improve and distribute free, publicly available tools and programs that promote free speech, free expression, civic engagement and privacy rights online; (b) to conduct scientific research regarding, and to promote the use of and knowledge about, such tools, programs and related issues around the world; (c) to educate the general public around the world about privacy rights and anonymity issues connected to Internet use.

All of this means you can look through our source code, including our design documents, and all open tasks, enhancements, and bugs available on our tracking system. Our research reports are available as well. From a technical perspective, all of this free software, documentation, and code allows you and others to assess the safety and trustworthiness of our research and development. On another level, we have a 10 year track record of doing high quality work, saying what we're going to do, and doing what we said.

Internet privacy and anonymity is more important and rare than ever. Please help keep us going through getting involved, donations, or advocating for a free Internet with privacy, anonymity, and keeping control of your identity.

Transparency, openness, and our 2012 financial docs

After completing the standard audit, our 2012 state and federal tax filings are available. Our 2012 Annual Report is also available. We publish all of our related tax documents because we believe in transparency. All US non-profit organizations are required by law to make their tax filings available to the public on request by US citizens. We want to make them available for all.

Part of our transparency is simply publishing the tax documents for your review. The other part is publishing what we're working on in detail. We hope you'll join us in furthering our mission (a) to develop, improve and distribute free, publicly available tools and programs that promote free speech, free expression, civic engagement and privacy rights online; (b) to conduct scientific research regarding, and to promote the use of and knowledge about, such tools, programs and related issues around the world; (c) to educate the general public around the world about privacy rights and anonymity issues connected to Internet use.

All of this means you can look through our source code, including our design documents, and all open tasks, enhancements, and bugs available on our tracking system. Our research reports are available as well. From a technical perspective, all of this free software, documentation, and code allows you and others to assess the safety and trustworthiness of our research and development. On another level, we have a 10 year track record of doing high quality work, saying what we're going to do, and doing what we said.

Internet privacy and anonymity is more important and rare than ever. Please help keep us going through getting involved, donations, or advocating for a free Internet with privacy, anonymity, and keeping control of your identity.

Transparency, openness, and our 2011 financial docs

After our standard audit, our 2011 state and federal tax filings are available. We publish all of our related tax documents because we believe in transparency. All US non-profit organizations are required by law to make their tax filings available to the public on request by US citizens. We want to make them available for all.

Part of our transparency is simply publishing the tax documents for your review. The other part is publishing what we're working on in detail. We hope you'll join us in furthering our mission (a) to develop, improve and distribute free, publicly available tools and programs that promote free speech, free expression, civic engagement and privacy rights online; (b) to conduct scientific research regarding, and to promote the use of and knowledge about, such tools, programs and related issues around the world; (c) to educate the general public around the world about privacy rights and anonymity issues connected to Internet use.

All of this means you can look through all of our source code, including our design documents, and all open tasks, enhancements, and bugs available on our tracking system. Our research reports are available as well. From a technical perspective, all of this free software, documentation, and code allows you and others to assess the safety and trustworthiness of our research and development. On another level, we have a 10 year track record of doing high quality work, saying what we're going to do, and doing what we said.

The world is moving towards new norms for reduced personal privacy and control. This makes anonymity all that more rare and valuable. Please help keep us going through getting involved, donations, or advocating for a free Internet with privacy, anonymity, and keeping control of your identity.

Activists in Iran and Syria targeted with malicious computer software

In February 2012 we learned that activists in Iran and Syria were targeted with two different types of malicious computer software. We received a copy of each malware, and Jonathan Tomek from ThreatGRID helped with the analysis.

How you get infected

The malicious software is spread as email attachments, and as files sent via Instant Messaging and Skype. The software looks like two completely harmless files: a Microsoft PowerPoint slide show and an image file. The malicious software will silently install itself on your computer when you open one of the files.

Malicious software, such as the two copies we analyzed, is normally designed to gather sensitive information and gain unauthorized access to a computer system. The seemingly harmless PowerPoint slide show turned out to be a keylogger, while the image file was really a backdoor, providing the attacker with full access to the system.

Both the keylogger and the backdoor will transfer data to www(dot)meroo(dot)no-ip(dot)org, on port 778. This domain name used to point to a server at a government-owned telecommunications company in Syria, but was later updated to point to a Linode server in London, UK. No-IP have since pointed the domain name to an invalid IP address (0.0.0.0).

Most anti-virus software will be able to detect and remove both the keylogger and the backdoor. You may try updating your anti-virus software, running it, and using it to remove the malware if anything pops up. However, the safest course of action is to re-install the operating system on your computer.

The EFF wrote a blog post called "How to Find and Protect Yourself Against the Pro-Syrian-Government Malware on Your Computer". In the post, they recommend "that you take steps to protect yourself from being infected by not running any software received through e-mail, not installing software at all except over HTTPS, and not installing software from unfamiliar sources even if recommended by a pop-up ad or a casual recommendation from a friend."

PowerPoint slide show: keylogger

When you first try to open the PowerPoint slide show, you will get a security warning asking if you really want to allow this file to run. The Name field points to the following executable file: C:\Program Files\Common Files\VMConvert32\wmccds.exe

If you ignore the warning and click Run, a self-extracting rar file will install the malware (the wmccds executable) onto your computer. The PowerPoint slide show will then open and you will see a series of images and some text in Farsi. The malware will not activate until you reboot your computer.

The first time you reboot, the malware will activate and start logging your keystrokes. If you are running Windows 7, you will see the same warning as mentioned above, and you have to click Run before the malware is actually activated. Older versions of Windows will not display this warning when you reboot.

The malware will modify the Windows startup script to ensure that the keylogger is always running when you are using the computer. The keylogger will affect your whole system, and it will even send the contents of your clipboard to the attacker. The Tor Browser Bundle does not protect you if you have a keylogger on your system.

Windows screen saver: backdoor

The Windows screen saver contains a type of malware that is a bit more complex than the one described above. When you run the Windows screen saver, it will start an image program and show you a picture (we saw a picture of a rifle, but that is not always the case). Meanwhile, the malicious software installs a backdoor onto your computer and opens a connection to www(dot)meroo(dot)no-ip(dot)org, using port 778.

The backdoor (1122333.exe in the Documents and Settings folder), which is similar to the DarkComet Remote Administration Tool, allows the attacker to connect to your computer and do anything that he or she wants, including logging keystrokes and acting as the system administrator. The malware will modify the Windows startup script to ensure that the connection is always open.
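The indicators named in this post can be checked against a file inventory and a list of remote endpoints. The following is an added example, not code from the original post or from the analysts; it assumes the paths and `host:port` strings have already been collected by other tooling, and that `1122333.exe` may sit at any depth below `Documents and Settings` (the post does not give the full path).

```python
import ntpath
import re

# Indicators as given in the post; the domain stays defanged in source.
C2_HOST_DEFANGED = "www(dot)meroo(dot)no-ip(dot)org"
C2_PORT = 778
KEYLOGGER_PATH = r"C:\Program Files\Common Files\VMConvert32\wmccds.exe"
BACKDOOR_NAME = "1122333.exe"
BACKDOOR_DIR = "documents and settings"  # assumption: any depth below it

def refang(indicator):
    """Turn a defanged name such as a(dot)b or a[.]b back into a.b."""
    return re.sub(r"\(dot\)|\[\.\]", ".", indicator, flags=re.IGNORECASE)

def normalize_host(host):
    """Lower-case and drop a trailing root dot so 'Host.ORG.' still matches."""
    return host.strip().lower().rstrip(".")

def match_path(path):
    """Return 'keylogger', 'backdoor' or None for one Windows file path."""
    norm = ntpath.normcase(ntpath.normpath(path.strip().strip('"')))
    if norm == ntpath.normcase(KEYLOGGER_PATH):
        return "keylogger"
    parts = norm.split("\\")
    if parts[-1] == BACKDOOR_NAME and BACKDOOR_DIR in parts[:-1]:
        return "backdoor"
    return None

def match_connection(endpoint):
    """Classify a 'host:port' remote endpoint against the post's C2 host."""
    host, sep, port = endpoint.strip().rpartition(":")
    if not sep or not port.isdigit():
        return None
    if normalize_host(host) != normalize_host(refang(C2_HOST_DEFANGED)):
        return None
    return "c2-host-and-port" if int(port) == C2_PORT else "c2-host-other-port"

def scan(paths, endpoints):
    """Collect (kind, evidence) findings from file paths and endpoints."""
    hits = [(match_path(p), p) for p in paths]
    hits += [(match_connection(e), e) for e in endpoints]
    return [(kind, item) for kind, item in hits if kind]

# Constructed sample inventory (not real telemetry).
SAMPLE_PATHS = [
    r'"c:\PROGRAM FILES\Common Files\vmconvert32\WMCCDS.EXE"',
    r"C:\Documents and Settings\user\1122333.exe",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_ENDPOINTS = [refang(C2_HOST_DEFANGED).upper() + ".:778", "example.org:778"]

if __name__ == "__main__":
    for kind, item in scan(SAMPLE_PATHS, SAMPLE_ENDPOINTS):
        print(kind, item)
```

A file-path hit is the stronger signal here, since the post notes the domain was later pointed at 0.0.0.0 and lookups for it will no longer lead to a live server.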

GSoC 2011: Metadata Anonymisation Toolkit

This is a guest blog from one of our 2011 Google Summer of Code students, jvoisin.

It's the end of the GSoC. It was a really nice experience, I learned a lot, met a lot of nice people on IRC, and earned some money.

My project was to create a Metadata Anonymisation Toolkit (MAT), to improve privacy of online file publications. First, I heavily based my code on hachoir (a nice but slightly complex library), but now, most of the formats that the MAT supports do not use hachoir.
Despite several code restructurings and re-factorizations, silly ideas, re-implementations, and re-writing/... the MAT is living!

I made two big mistakes. The first being using python2.7, and pygobject. Neither of these were in Debian stable/tails, so I had to rewrite those parts.

MAT consists of a modular API (feel free to add support for other formats!), a command line interface, and a graphical user interface (powered by pygtk).

It was my first "serious" project in python, and I was the first to be surprised by the ~3000 lines of code I produced. I'm pretty proud of the "pdf processing part", and I'm sad about the setup.py/packaging part (that are the most ugly/dirty/painful things that I ever touched/coded).

I'm still unhappy with my code/piece of software, so I'll continue to improve it, so expect great work in the future, such as an exiftool binding, watermark counter-measures, ...

Thank you mikeperry for being my mentor, thank you Google for the amazing GSoC project, thanks to every user that gave me feedback (and even more stuff to fix!), and special thanks to haypo, Mc2`, Kiri, intrigeri, bertagaz, Lunar^ and all #tails/#tor-dev!

Hope to see you next year.

Reading links, 15 April

Google Chrome Incognito Mode, Tor, and Fingerprinting

A few months back, I posted that we have been in discussion with Mozilla about improving their Private Browsing mode to resist fingerprinting and the network adversary. As I mentioned there, we have also been doing the same thing with Google for Google Chrome. Google has taken the same approach as Firefox for their Incognito mode, which means that it provides little to no protections against a network adversary.

This means that Chrome Incognito mode is not safe to use with Tor.

Firefox Private Browsing Mode, Torbutton, and Fingerprinting

Last week, Peter Eckersley and I met with the Mozilla team in Mountain View to discuss web fingerprinting, privacy and Torbutton. I gave an updated version of my Torbutton Design talk, and Peter discussed Panopticlick. Mozilla was primarily interested in hearing about these projects in the context of their Private Browsing Mode, which they unveiled in Firefox 3.5.

HTTPS Everywhere Firefox addon helps you encrypt web traffic

Today the EFF and the Tor Project are launching a public beta of a new Firefox extension called HTTPS Everywhere.

This Firefox extension was inspired by the launch of Google's encrypted search option. We wanted a way to ensure that every search our browsers sent was encrypted, including the search box and URL bar features. At the same time, we were also able to encrypt most or all of the browser's communications with other popular sites that support SSL, but don't provide it by default.

Our approach is based on the NoScript STS implementation, but is more expressive in the manner in which HTTPS-enforcing rules are written.