Can you clarify what this does? Even after reading the readme it's not clear to me what it does or what the use case is. And the phrase "silence censorship, automate the effect" is confusing since censorship is an attempt to silence others. I am familiar with the Streisand effect, where an attempt to hide information serves to publicize it. Does this library propagate secure, encrypted servers? So if you feel in danger of being censored you can quickly spread your message to other servers? Something more than that?
It sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, or fellow activists that will help them connect to the new server.
The use case is to make it easier for people to set up servers that allow individuals who live in countries where the Internet is being blocked to circumvent these restrictions.
"Silence censorship" is meant to be sort of funny, but the idea is that censors have had it too easy for too long, and an automated and repeatable method of setting up an anti-censorship server can help change that.
"Automate the effect" is meant to reflect the fact that you can start as many of these servers as you want. If a country starts censoring the Internet, more servers will spring up in response.
I hope these explanations make sense. I will try to figure out a way to make the README more clear.
I like the concept, but I am troubled by the idea of people running cookie-cutter scripts to set up systems which are then left in charge of real-world anonymity.
Could the suite of things installed by this software package be used as a profiling vector in the future? How could that be avoided if so? I know that your userbase is slim now and mass profiling probably doesn't apply yet, but it's something to consider.
Are the installed defaults known to be sane and secure? That's another huge worry when the configuration is taken out of my hands initially.
Sorry for the worrisome comments. I like the idea,
I intentionally made it really easy to override the default values that I chose for port numbers. It wouldn't be difficult to mix those up in the future, if necessary.
I did my very best to make sure that I was configuring things in a secure way. My approach to installing OpenVPN involves several additional steps that harden its security, like setting up an HMAC firewall and changing the default cipher from Blowfish to AES, for example. I take this seriously and I want to do it right. I'm looking forward to getting contributions from the community too.
I think that automation has the potential to significantly increase security because painful tasks that might be tempting to skip when someone is setting things up by hand can become painless. In an ideal world every task can be performed correctly and repeatedly.
I also did my best to fully document every single action that is taken. You can see what is happening at all times throughout the process. Ansible's syntax is also very readable, so you can examine the steps before you run anything too. I am optimistic that things will only get better :)
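As an added example (not Streisand's own code and not posted by anyone in this thread), the following Python lint checks an OpenVPN server config for the two hardening steps mentioned above: a cipher other than Blowfish, and a `tls-auth` HMAC firewall. The two config texts are constructed for the demo; the directive names are real OpenVPN directives, and the "absent `cipher` means BF-CBC" rule reflects OpenVPN's built-in default before 2.4.

```python
"""Lint an OpenVPN server config for the hardening steps discussed above.

Added example, not part of Streisand. Both configs below are constructed.
"""
from __future__ import annotations

# Constructed: a minimal server.conf that relies on OpenVPN's old defaults.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
# no 'cipher' line: OpenVPN before 2.4 silently falls back to BF-CBC (Blowfish)
# no 'tls-auth' line: any host on the Internet can start a TLS handshake
"""

# Constructed: the same config with the hardening described in the thread.
HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
# key direction 0 on the server, 1 on every client
tls-auth ta.key 0
"""

# Ciphers OpenVPN still accepts but that should never be a default for this use.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_directives(text: str) -> dict[str, list[str]]:
    """Map each directive name to the list of argument strings it was given."""
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(" ".join(args))
    return directives


def lint_openvpn(text: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    d = parse_directives(text)
    findings: list[str] = []
    # An absent 'cipher' directive means the pre-2.4 built-in default, BF-CBC.
    cipher = d.get("cipher", ["BF-CBC"])[-1].upper()
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak-cipher:{cipher}")
    # The 'HMAC firewall': tls-auth (or tls-crypt, added later in OpenVPN 2.4)
    # makes the server discard unsigned control-channel packets before any TLS work.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no-hmac-firewall")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_openvpn(conf) or "ok")
```

Run it against a real `/etc/openvpn/server.conf` by passing the file's contents to `lint_openvpn`; the last `cipher` line wins, matching how OpenVPN itself resolves repeated directives.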
Awesome! Thanks! Might be great to kick off the readme with some anticipated use-cases, just so people can understand right away who the target audience is without reading through all the features. I mean, if I'm from a place being censored, all the bullet points will probably scream at me, but if I'm not, it takes a bit to determine that this product isn't particularly meant for me :)
Thanks for the feedback! I'm excited to see how people use this and what new features might be helpful for them. I will be sure to incorporate that information into the README.
I get this on DO
TASK: [genesis-digitalocean | Add the SSH key to DigitalOcean if it doesn't already exist] *
failed: [127.0.0.1] => {"failed": true}
msg: Access Denied
I can't figure out if the client id is supposed to be the token name when you create that in the control panel? I can't get it to work either way.
Just a thought: in order to make these servers more undercover, you can bundle in a port-knocking daemon (knockd) and have all ports initially closed. This setting should be easily changeable, but it will also tremendously help impair a third party's possibilities of profiling and figuring out valuable info about the server.
I haven't ever done anything with port knocking before, but it's a neat idea that could also be entertaining.
It's worth pointing out that most of the services Streisand sets up have already been configured with countermeasures against passive scans. For example, Shadowsocks doesn't respond with any identifying information at all unless you have the proper symmetric key, and OpenVPN will drop all traffic immediately if the connecting client can't sign its requests properly for the HMAC firewall.
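To make the "drops all traffic unless the client can sign its requests" behaviour concrete, here is an added example (not Streisand or OpenVPN code, and not from the thread) that models what a tls-auth style HMAC firewall does to a scanner: a probe without a valid HMAC tag, a tampered packet, or a replayed capture all get silence rather than a reply. The key, packet layout and probe bytes are constructed for the demo; real tls-auth uses OpenVPN's own packet format and a 2048-bit static key.

```python
"""Simulate the 'reply only to signed packets' behaviour described above.

Added example, not Streisand or OpenVPN code. Models what tls-auth does to a
scanner: a probe that lacks a valid HMAC (or replays an old one) gets no
response at all, so there is nothing for a fingerprinting tool to match on.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed demo key. A real tls-auth key is the static key produced by
# 'openvpn --genkey --secret ta.key' and is shared out-of-band with clients.
TA_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32
ID_LEN = 4


def seal(packet_id: int, payload: bytes, key: bytes = TA_KEY) -> bytes:
    """Client side: tag || packet_id || payload, tag = HMAC-SHA256(key, packet_id || payload)."""
    body = packet_id.to_bytes(ID_LEN, "big") + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


class HmacGate:
    """Server side: authenticate, then parse. Anything unverifiable is dropped silently."""

    def __init__(self, key: bytes = TA_KEY) -> None:
        self.key = key
        self.seen_ids: set[int] = set()  # replay protection (tls-auth tracks packet ids too)
        self.dropped = 0

    def accept(self, datagram: bytes) -> bytes | None:
        """Return the payload of a valid, fresh packet, or None (no reply is sent)."""
        if len(datagram) < TAG_LEN + ID_LEN:
            return self._drop()
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return self._drop()
        packet_id = int.from_bytes(body[:ID_LEN], "big")
        if packet_id in self.seen_ids:
            return self._drop()  # replayed capture of a legitimate packet
        self.seen_ids.add(packet_id)
        return body[ID_LEN:]

    def _drop(self) -> None:
        self.dropped += 1
        return None


def scanner_view(gate: HmacGate, probes: list[bytes]) -> list[str]:
    """What an unauthenticated scanner observes per probe: 'silence' or 'reply'."""
    return ["reply" if gate.accept(p) is not None else "silence" for p in probes]


if __name__ == "__main__":
    gate = HmacGate()
    legit = seal(1, b"P_CONTROL_HARD_RESET_CLIENT_V2")
    # Constructed probes: an HTTP banner grab, random junk, a real packet, and its replay.
    probes = [b"GET / HTTP/1.0\r\n\r\n", b"\x00" * 40, legit, legit]
    print(scanner_view(gate, probes))
```

The design point is ordering: the HMAC check happens before any parsing or TLS state is created, so an unauthenticated sender cannot make the server do work, reveal a banner, or even confirm that a listener exists on the port. Port knocking, as suggested above, would sit one layer below this at the firewall.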
This is similar to a project I worked on a while ago, Lahana[1] but on steroids.
I like the approach, although it requires a little more knowhow to set up. What would be really cool (if not already in) would be to ask the user which services they want to run on setup. Not everyone will want/need to run all the services, running extra services may make it easier to compromise an instance.
Jlund - if you feel like it, take a look at the lahana code[2] and if you feel like implementing a VPN-Tor routing bridge feel free to use what you like. Drop me a message if you get stuck. I don't have a lot of free time but will help where I can.
Awesome. I'm actually building a company right now around an almost identical product. We aren't open sourcing it yet but we will eventually. Would love to talk about this with you (email in profile).
Any plans to integrate AAA with radius or similar? Any plans for squidproxy?
Also, I'm planning on working on a tool to easily deploy Tor hidden services as soon as I get some time. I think there's value in that aspect of your project alone -- maybe consider breaking it off on its own.
I honestly hadn't even heard of AAA in the context of RADIUS before reading about it on Wikipedia just now. I only tangentially know about RADIUS from seeing it in various WiFi control panels over the years.
I considered using Squid somewhere in Streisand, thinking that it might be a nice feature for mobile users in particular. However, one of my main goals with this project was to set up servers that didn't log any information under any circumstances about the sites that clients were visiting or their IP addresses. A caching proxy by definition is going to have to store some of the assets that users are requesting, so I abandoned the idea. Perhaps you are using it differently though?
I appreciate the feedback! By the way, your email does not appear to be in your profile.
Probably worth pointing out that this wont anonymize your traffic — instead of coming from your home IP address, it will come from the IP address of a server registered against your name and payment details.
That's not to detract from the functionality it does offer; just making sure people don't get the wrong idea.
So, one has to just find a host that would respect their privacy and serve their country with a big warm fuck-you response when asked about owner details without a proper warrant, or - even better - that would only cooperate with local law enforcement and won't give a damn about other jurisdiction demands.
Or get a host with some form of anonymous payment, like Bitcoin.
One thought, you ask for AWS credentials. Mine are already stored in ~/.aws/config for use in the official aws cli which I think I recall wraps boto. It would be nice if the streisand setup could figure that out for me.
Thank you. I'm using Ansible's vars_prompt functionality to ask for these values. I'm not sure if there is a way to skip a prompt if the information is already available. I don't think there is right now, but Ansible is adding new features fast and I will keep this in mind.
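As an added example (not Streisand code and not something either commenter posted), this Python function resolves AWS credentials in the order the aws CLI and boto use, so a wrapper could skip the prompt when the keys are already on disk: environment variables first, then `~/.aws/credentials`, then `~/.aws/config`. The sample file contents are constructed; the section-naming quirk it handles is real: `~/.aws/config` names non-default profiles `[profile NAME]`, while `~/.aws/credentials` uses plain `[NAME]`.

```python
"""Resolve AWS credentials before falling back to an interactive prompt.

Added example, not Streisand code. Order: environment variables, then
~/.aws/credentials, then ~/.aws/config. The sample file contents are constructed.
"""
from __future__ import annotations

import configparser
import os
from typing import Mapping, Optional

# Constructed sample of ~/.aws/credentials (plain [name] sections).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIACONSTRUCTED0000
aws_secret_access_key = constructed/secret/for/the/demo
"""

# Constructed sample of ~/.aws/config: non-default sections are named [profile NAME].
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile streisand]
aws_access_key_id = AKIACONSTRUCTED1111
aws_secret_access_key = another/constructed/secret
region = eu-west-1
"""


def _section(cfg: configparser.ConfigParser, profile: str,
             config_style: bool) -> Optional[configparser.SectionProxy]:
    """Look up a profile, applying the [profile NAME] convention for ~/.aws/config."""
    name = profile if (profile == "default" or not config_style) else f"profile {profile}"
    return cfg[name] if cfg.has_section(name) else None


def resolve_credentials(profile: str = "default",
                        env: Mapping[str, str] = os.environ,
                        credentials_text: str = "",
                        config_text: str = "") -> Optional[tuple[str, str]]:
    """Return (access_key_id, secret_access_key), or None if the caller must prompt."""
    # 1. Environment variables win, as in boto and the aws CLI.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"]
    # 2. Shared credentials file, then 3. config file.
    for text, config_style in ((credentials_text, False), (config_text, True)):
        cfg = configparser.ConfigParser()
        cfg.read_string(text)
        sec = _section(cfg, profile, config_style)
        if sec and sec.get("aws_access_key_id") and sec.get("aws_secret_access_key"):
            return sec["aws_access_key_id"], sec["aws_secret_access_key"]
    return None  # nothing found: fall back to an interactive prompt


def read_dotfile(name: str) -> str:
    """Read ~/.aws/<name>, returning '' if it does not exist or is unreadable."""
    path = os.path.join(os.path.expanduser("~"), ".aws", name)
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    found = resolve_credentials(credentials_text=read_dotfile("credentials"),
                                config_text=read_dotfile("config"))
    print("prompt needed" if found is None else f"using key {found[0]}")
```

The function only returns the key pair; a caller that logs or echoes it would defeat the point of keeping the secret in a mode-0600 dotfile, so the demo prints the access key id alone.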
I just walked through the live demo eof provided (thanks). It looks very promising and well thought out. How many users could the smallest Amazon box handle in a real world scenario?
Thanks! Bandwidth usage would probably become a limiting factor before CPU. It also depends on which mix of services was being used. The services are all lightweight enough that I don't think you'd have any issue with lots and lots of concurrent users, even on a Micro.
I made a long comment on the history of the right to be forgotten on another thread that just fell off the frontpage. Definitely relevant to this thread too!
https://news.ycombinator.com/item?id=8083211
Yes. OpenVPN (wrapped in stunnel), OpenSSH, Shadowsocks, and Tor (with the obfs3 and ScrambleSuit pluggable transports) are all effective against the Great Firewall. Streisand sets up and configures all of them.
When it's a distribution, we can all contribute bug fixes.
Security vs obscurity is bad!
See:
http://lowendspirit.com/
https://definedcodehosting.com/
[1] - http://lahana.dreamcats.org/
[2] - https://github.com/stevelord/lahana
so you can just do