Silk Road forums
Discussion => Security => Topic started by: jameslink2 on October 07, 2012, 12:33 am
-
For those that do not know, the raspberry pi is a small single board open source computer costing $35. It is about the size of a credit card!
Full info can be found here -->http://elinux.org/R-Pi_Hub#About
I have had mine for a while and have been playing with it and ideas of how it could be used. I finally have something that works and works well.
I started with Raspbian which is a version of Debian Wheezy for the Raspberry pi. All the software repos are there and most of the software is available.
Let's start with a screenshot. This is the raspberry pi with Tor, Browser with tor button installed, GPA for gpg/pgp via the gui, and Electrum bitcoin wallet.
http://xfq5l5p4g3eyrct7.onion/view.php?image=e35859ec2a0279c1c5a8269288379918.jpg
So, here is what you have to do to get one working for yourself.
I started by making the bootable sd card of raspbian; you can find instructions on that at the raspberry pi site.
I only plugged mine into the network and did not hook up a keyboard or a monitor. So I checked my dhcp host (router) and got the ip that was assigned to the unit. Then connected to it via ssh.
I started by updating the repo lists using the following command.
sudo apt-get update
Next I installed tightvncserver to get a graphical connection via vnc
sudo apt-get install tightvncserver
Once it is installed you have to run the "tightvncserver" command to set it up and configure the password. It only asks for the password and if you want it to be readonly. Make sure to run this as your user, in my case it was the default user pi.
Now we need to set it so that the vncserver starts at boot.
I created a start up file by first doing the command
sudo nano /etc/init.d/vncboot
You can paste the following code into the window to create the start up file
#!/bin/sh
### BEGIN INIT INFO
# Provides: vncboot
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start VNC Server at boot time
# Description: Start VNC Server at boot time.
### END INIT INFO
# Set the VNCUSER variable to the name of the user to start tightvncserver under
VNCUSER='pi'
case "$1" in
  start)
    # Run the server as the unprivileged user on display :1 (TCP port 5901)
    su "$VNCUSER" -c '/usr/bin/tightvncserver :1'
    echo "Starting TightVNC server for $VNCUSER"
    ;;
  stop)
    # Kill the X server process that tightvncserver started
    pkill Xtightvnc
    echo "Tightvncserver stopped"
    ;;
  *)
    echo "Usage: /etc/init.d/vncboot {start|stop}"
    exit 1
    ;;
esac
exit 0
Once you save the file and exit the editor you need to set permissions and start the vnc server
sudo chmod 755 /etc/init.d/vncboot
sudo update-rc.d vncboot defaults
sudo /etc/init.d/vncboot start
Now you can connect with any vnc client over to the raspberry pi. It will prompt you for your password but once connected you should see the following screen.
http://xfq5l5p4g3eyrct7.onion/view.php?image=b1d9830f0527fd5306f9be944041ce0c.jpg
From here you can either continue in the ssh window or open a terminal via the gui by going to accessories-->LXTerminal
For the rest of the setup you will need to install the packages in this order.
sudo apt-get install vidalia
sudo apt-get install xul-ext-torbutton
These two will install tor, vidalia, the browser and tor-button. After it is installed and before you can use it you will need to reboot the unit but you can wait and do the rest of the install before you reboot.
Now we start installing the packages needed for electrum bitcoin wallet. I chose this wallet because it is a thin client and does not require you download the bitcoin chain. However, it also does not support proxy so it will come from your IP. I would suggest using an online wallet if you can or transferring the btc to bitfog before sending it to SR.
sudo apt-get install python-pip python-qt4 pyqt4-dev-tools
sudo pip install ecdsa slowaes
sudo pip install http://electrum-desktop.com/files/Electrum-1.0.tar.gz?\#md5\=1796e04ba458e23b587a2d08535c9cbd
Once that is done there are a few items we can clean up. Stuff that is not needed because we are using it for tor and with tor button. This stuff is extra browsers that come installed but do not support proxying via SOCKS so they cannot be used with Tor.
sudo apt-get remove midori
sudo apt-get remove dillo
sudo apt-get remove netsurf-gtk
sudo apt-get autoremove
Now that we have cleaned up a bit, we install gpa the gpg/pgp client
sudo apt-get install gpa
Once you have gotten here, you can reboot the raspberry pi with the following command
sudo reboot
Once it comes back up (less than 1 min) and you can connect with the vnc viewer, you are ready to roll on SR!
http://xfq5l5p4g3eyrct7.onion/view.php?image=e35859ec2a0279c1c5a8269288379918.jpg
-
I love my raspberry pi
Personally I don't run any gui stuff on it, it's a little too slow for me atm, but that will improve with later revisions.
atm I use it as a file server and proxy.
anyway,
I just wanted to say that tightvnc is unencrypted, so I wouldn't connect it to a wifi or switch, I guess a cat5 cable laptop to rpi would be fine though.
thanks for writing it up. nice work.
-
[2cents]
You should call this project/idea "Burnt Pie" (Dark Pi)
[/2cents]
-
I love my raspberry pi
Personally I don't run any gui stuff on it, it's a little too slow for me atm, but that will improve with later revisions.
atm I use it as a file server and proxy.
anyway,
I just wanted to say that tightvnc is unencrypted, so I wouldn't connect it to a wifi or switch, I guess a cat5 cable laptop to rpi would be fine though.
thanks for writing it up. nice work.
I had not even realized that tightvnc did not use the stock ssl connection. crap.... Guess I'll have to firewall the 590x port then use ssh to forward the local machine port to the remote machine port and pump the vnc traffic through the ssh encrypted pipe. Wonder if I can get that to work across tor and give a reasonable response time?
I overclocked the pi just a bit during install and to be honest, it is handling the gui and setup quite well. The load average is low and it is responsive.
You should call this project/idea "Burnt Pie" (Dark Pi)
That is a great idea!
-
ssh would work, turning off compression would help with interactivity, and blowfish encryption is quicker but weaker.
the other option is openvpn or ipsec, but openvpn is easier to set up.
what I also do is firewall outgoing traffic on port 80 and 53 (udp and tcp)
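
The hardening discussed in the posts above (keeping the 590x VNC port off the network and carrying the session over ssh), as an added example that is not part of the thread. It assumes `ss` from iproute2 is available and that tightvncserver passes the `-localhost` option through to Xtightvnc; the two `ss` listings are constructed samples and `<pi-address>` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread.
# exposed_vnc reads `ss -ltn` output on stdin and prints every listener on
# ports 5900-5909 that is bound to something other than loopback.
exposed_vnc() {
    awk '
    $1 != "LISTEN" { next }                 # skip the header line
    {
        addr = $4                           # Local Address:Port column
        n = split(addr, parts, ":")
        port = parts[n] + 0
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (port < 5900 || port > 5909) next
        if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
        print addr
    }'
}

# Constructed sample: display :1 started as in the init script (all interfaces).
SAMPLE_OPEN='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: same display started with "tightvncserver -localhost :1".
SAMPLE_LOCAL='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

echo "before: $(printf '%s\n' "$SAMPLE_OPEN" | exposed_vnc)"
echo "after:  $(printf '%s\n' "$SAMPLE_LOCAL" | exposed_vnc)"

# On the Pi, check the live state with:
#   ss -ltn | exposed_vnc
# Belt and braces, drop VNC from any interface except loopback:
#   iptables -A INPUT -p tcp --dport 5900:5909 ! -i lo -j DROP
# On the client, forward a local port through ssh and point the viewer at it:
#   ssh -N -L 5901:127.0.0.1:5901 pi@<pi-address>
#   vncviewer 127.0.0.1:1
```

An empty result from `exposed_vnc` means the only way to reach the VNC session is through the ssh forward.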
-
WOHOOO ! THANKS OP!
-
Great idea James! In a way I guess "disposable computing thin client" projects like this are the future. Here are some ideas.
Imagine something like the Raspberry Pi, only smaller, more powerful and equipped with a powerful wi-fi router capability. Pi 2 or something. Then you obtain a pay as you go PAYG access in cash for net access to some city broadband provider (or you could scape some broadband some open providers I guess). Then you equip your Pi with the access instructions and drop it half way across the city or however far you can get it. (the geo caching people may have some badass ideas here)
Then back at the bat cave (you don't have a bat cave?) you have a holographic display widget combined with a laser keyboard + a super network card to connect to your proxy Pi. Pretty sure all this exists, must check out how expensive holographic displays are! Probably not strictly necessary I guess, but they and the keyboard look cool.
Result: When the LE agents come to visit, they have literally nothing to go on... There is no physical evidence you even have a machine, let alone the data you have on it. The actual computer is inside a canister magnetically attached on the outside of a building 4km away or something like that. Great reception and total anonymity unless our LE agents turn into spidermen and crawl up the walls of every building in the city. No messing around with various portable media anymore. That would mean you need to trust literally no 3rd party on any level I can think of (the helper software is open source and the binary of it would be cryptographically hashed etc).
--
I know you can do this "thin client solution" today in a way by using virtual machines on server farms and sshing into them (big advantage being this can be in a different country), but it requires some technical expertise that frankly 9/10 of the population don't have. The solution above could be used by literally anybody (they need to obtain Pi + PAYG card, there might be helper software for config), it could all be set up in such a way to be completely seamless. You have complete control and you don't need to trust anybody. You can't subpoena the virtual machine server farm provider or anything. Only trouble is obtaining the equipment to do this anonymously. I guess we could use the virtual office idea to dispose of that problem.
Maybe we can come up with a bunch of workshops like this at some point, come up with a couple of "packages" to provide physical operational anonymity of this kind depending on your budget. I bet there's a mini-router widget with a powerful signal we can attach to the Pi right now in fact. And you could do this a dozen times because it'd be so cheap! Lots of installations everywhere. More research! SR should have a R&D division, let's promote James to Chief Scientist of SRRD's directorate :)
-
Nice tutorial james. I just have one quibble:
For the rest of the setup you will need to install the packages in this order.
sudo apt-get install vidalia
sudo apt-get install xul-ext-torbutton
These two will install tor, vidalia, the browser and tor-button. After it is installed and before you can use it you will need to reboot the unit but you can wait and do the rest of the install before you reboot.
The TorBrowser included in the browser bundle is more than just a portable version of Firefox with Torbutton. It's actually a fork of Firefox with lots of patches to plug potential leaks. It's supposed to be much safer than running vanilla Firefox with Torbutton. The Tor Project highly recommends running only the TBB and not a stock version of Firefox.
I agree but it is not bundled for the pi (arm based processor) and I was unable to find a port with the tor browser available. The tor button on IceWeasel was about as close as I could get.
-
Great idea James! In a way I guess "disposable computing thin client" projects like this are the future. Here are some ideas.
Imagine something like the Raspberry Pi, only smaller, more powerful and equipped with a powerful wi-fi router capability. Pi 2 or something. Then you obtain a pay as you go PAYG access in cash for net access to some city broadband provider (or you could scape some broadband some open providers I guess). Then you equip your Pi with the access instructions and drop it half way across the city or however far you can get it. (the geo caching people may have some badass ideas here)
Try this, stock Raspberry Pi set up as a tor proxy with a Pay as you go 3g internet dongle. All you would need is a 5v USB to plug it into. The physical system could be anywhere and you could do the whole thing for less than $100. You could even mount it in one of the commercial rat traps. The black weather resistant ones that they put around businesses and simply stake it to the ground and plug it in on an outside plug at some business. You could hide one at grandma's house, or a friend's place, I bet you could double face tape it to the underside of a bar at a pub and plug it in and no one would notice it for weeks. If you really want to have fun with it, get a sticker printed that says something like "Property of the Phone company, Tampering prohibited by law." Then find a way to mount it in some utility closet somewhere. I would bet it would go years without being touched.
Then back at the bat cave (you don't have a bat cave?) you have a holographic display widget combined with a laser keyboard + a super network card to connect to your proxy Pi. Pretty sure all this exists, must check out how expensive holographic displays are! Probably not strictly necessary I guess, but they and the keyboard look cool.
True Holographic displays are still a ways off, however you can get video glasses that take the pi's output as well as a projection keyboard. I have been looking at this for a wearable computer.
Result: When the LE agents come to visit, they have literally nothing to go on... There is no physical evidence you even have a machine, let alone the data you have on it. The actual computer is inside a canister magnetically attached on the outside of a building 4km away or something like that. Great reception and total anonymity unless our LE agents turn into spidermen and crawl up the walls of every building in the city. No messing around with various portable media anymore. That would mean you need to trust literally no 3rd party on any level I can think of (the helper software is open source and the binary of it would be cryptographically hashed etc).
--
I know you can do this "thin client solution" today in a way by using virtual machines on server farms and sshing into them (big advantage being this can be in a different country), but it requires some technical expertise that frankly 9/10 of the population don't have. The solution above could be used by literally anybody (they need to obtain Pi + PAYG card, there might be helper software for config), it could all be set up in such a way to be completely seamless. You have complete control and you don't need to trust anybody. You can't subpoena the virtual machine server farm provider or anything. Only trouble is obtaining the equipment to do this anonymously. I guess we could use the virtual office idea to dispose of that problem.
Maybe we can come up with a bunch of workshops like this at some point, come up with a couple of "packages" to provide physical operational anonymity of this kind depending on your budget. I bet there's a mini-router widget with a powerful signal we can attach to the Pi right now in fact. And you could do this a dozen times because it'd be so cheap! Lots of installations everywhere. More research! SR should have a R&D division, let's promote James to Chief Scientist of SRRD's directorate :)
I bet a simple web interface could be done to provide ease of setup as well as a .onion address to communicate with it. It is not that far off or hard to set one up as a tor proxy. Many years ago we used to build small switches that would detect an incoming call and connect two phone lines. Then clip them on at a phone box. The upshot of which was you could call the first number and get the dial-tone of the second then use it to make calls. But that was a different time and you could still find x-bar switches back then. lol
Heck the Asterisk VOIP PBX will run on a raspberry pi so there is a lot of fun stuff you can do with one of these little things.
I bought a bunch of SD cards so I can play with setups and test some of the ideas I have!
-
thanks for this!
-
FOR PINE & JAMES
-
FOR PINE & JAMES
Sorry Bungee, it isn't encrypted to my public key. (PGPClubRevolution)
-
FOR PINE & JAMES
Sorry Bungee, it isn't encrypted to my public key. (PGPClubRevolution)
It is encrypted to pine (at) sr.
Yeah, that was an old public key I used, but it's deleted now :)
This is my new public key:
-
Damn :)
You sent us that one some time ago :)
No we cannot remember what we exactly wrote lol
James ..can you be so kind and forward the message to Pine?
and then we can clean up our posts to stay on topic :)
-
Damn :)
You sent us that one some time ago :)
No we cannot remember what we exactly wrote lol
James ..can you be so kind and forward the message to Pine?
and then we can clean up our posts to stay on topic :)
Hi Bungee,
There is a solution for this kind of problem!
Find your gpg.conf file and append this to it:
hidden-encrypt-to KEYID
where KEYID is your SR PGP key's key ID.
Advantages:
1. Every message you encrypt is also encrypted to yourself automatically. Makes life easier with troubleshooting of this kind.
2. Even though (1) is true, if the enemy intercepts your messages, they won't be able to figure out that your public key was used to encrypt the message; that information will be hidden. (You can also hide the other public key used to encrypt (person receiving the message), so no information is available for traffic analysis. This makes sense in certain situations.)
-
VERY NICE! thx a bunch!
-
Ok I messaged it over to her
-
Ok I messaged it over to her
Thank you Sir !