What I did for the Tor Project in May

Top 5 things I did this month

Top 5 things I would like to do next month

  • Write a final forensic analysis report with limitations, findings, mitigation plans, and so on (#7032, #7033).

  • Document the new support workflow (#8518), create per language article classes (for answer templates) associated with the support help queues (#8831).

  • Look at Stack Exchange as an alternative to AskBot for ask.torproject.org and figure out how to get the site up and running.

  • Add more Tails resources to Transifex (#8953, #8955).

  • Give a talk about Tor, online anonymity, privacy, and security at the Computers, Freedom & Privacy conference in Washington, DC.

Nontraditional Use of Social Media

A few weeks ago, I attended an event at NATO HQ in Brussels to speak about nontraditional use of social media. I was on a panel with Dr. Maura Conway from the University of Dublin and John Manley from the International Security Assistance Force (ISAF). The panel was moderated by Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges at NATO. The event was held under the Chatham House Rule. Below is a list of key topics discussed and questions asked:

  • Whether social media levels the playing field in giving protest groups, insurgents, and terrorist organizations as much power to shape events and mobilize people as governments and large organizations. In short, who has the advantage: governments or protestors, at the present time?

  • A number of articles have been written about how the Arab Spring was helped by social media (think crowd sourcing and rapid mobilization across frontiers), but we also saw traditional politics and political groups take over and the younger generation seemed to fade from the scene. When it comes to political rallying or social transformation, does social media really have a major impact?

  • Is it possible to censor social media or are there ways around such censorship? Should governments supporting democratic forces help them to better exploit social media and find ways around censorship? There was an article a few weeks ago suggesting that the United States should assist the opposition forces in Syria in precisely this way.

  • How do you see social media evolving in the years ahead? Does it represent the vox populi or a representative expression of democratic opinion, or is it really a tool being manipulated mainly by special interest groups? Will it remain largely the same or do you anticipate major new innovations which will also have an impact on the role of social media in our daily lives, as well as in politics?

Thanks to NATO for inviting me and for organizing a great event with a lot of interesting discussion.

Forensic Analysis of Tor on OS X

As part of a deliverable for two Tor Project sponsors (Sponsor J, Sponsor L), I have been working on a forensic analysis of the Tor Browser Bundle. In this three part series, I will summarize the most interesting or significant traces left behind after using the bundle, deleting it, and then shutting down the computer. Part one covered Debian Linux (#8166) and part two covered Windows 7 (#6845). This third, and final, part will cover OS X 10.8 (#6846).

Process

I set up a virtual machine with a fresh install of OS X 10.8, created a normal, non-admin user account, installed available updates, and shut it down cleanly. I connected the virtual drive to another virtual machine, used hashdeep to compute hashes for every file on the drive, and then rsync to copy all the files over to an external drive.

After having secured a copy of the clean virtual machine, I rebooted the system, connected an external drive, and copied the Tor Browser Bundle (version 2.3.25-6, 64-bit) from the external drive to the Desktop. I extracted the package archive by clicking on the archive, then started the Tor Browser Bundle by clicking on the TorBrowser_en-US app.

Once the Tor Browser was up and running, I browsed to a few pages, read a few paragraphs here and there, clicked on a few links, and then shut it down by closing the Tor Browser and clicking on the Exit-button in Vidalia. The Tor Browser did not crash and I did not see any error messages. I deleted the Tor Browser folder and the package archive by moving the folder and the archive into the Trash, clicking on it and choosing Empty Trash. I repeated the steps with hashdeep and rsync to create a copy of the tainted virtual machine.

Results

Using hashdeep, I compared the hashes from the tainted virtual machine against the hashes from the clean virtual machine: 131 files had a hash that did not match any of the hashes in the clean set. I have sorted the most interesting findings into different groups, depending on the location, how they were created, and so on.

Apple System Log (ASL)

The following Apple System Log (ASL) files contain traces of the attached external drive and the Tor Browser Bundle:

  • /var/log/asl/2013.05.22.U0.G80.asl
  • /var/log/asl/2013.05.22.U501.asl

I have created #8982 for this issue. I have not been able to open the following two files, but they may contain traces of the attached drive and the bundle as well:

  • /var/log/asl/StoreData
  • /var/log/asl/SweepStore

Crash Reporter and Diagnostic Messages

The Tor Browser Bundle did not crash or hang, but I still found traces of the Tor Browser Bundle in the following files:

  • /Library/Application Support/CrashReporter/Intervals_00000000-0000-1000-8000-000C2976590B.plist
  • /var/log/DiagnosticMessages/2013.05.22.asl

I have not been able to open the file StoreData, which can be found in the same DiagnosticMessages directory, but it may also contain traces of the bundle. I have created #8983 for this issue.

FSEvents API

The FSEvents API allows applications to register for notifications of changes to a given directory tree. Whenever the filesystem is changed, the kernel passes notifications to a process called fseventsd. The following file contains the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:

  • /.fseventsd/0000000000172019

Other files in the .fseventsd directory may also contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8984 for this issue.

HFS+

HFS+ is the default filesystem on OS X; it supports journaling, quotas, Finder information in metadata, hard and symbolic links, aliases, etc. HFS+ also supports hot file clustering, which tracks read-only files that are frequently requested and then moves them into a “hot zone”. The hot file clustering scheme uses an on-disk B-Tree file for tracking.

I have not been able to open /.hotfiles.btree and /.journal, but they might contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8985 for this issue.

Preferences

OS X applications store preference settings in plist files, and the files below are related to system fonts, the file manager, recent items, and the Tor Browser Bundle. These files contain traces of the Tor Browser Bundle and the attached external drive. I have created #8986 for this issue.

  • /Users/runa/Library/Preferences/com.apple.ATS.plist
  • /Users/runa/Library/Preferences/com.apple.finder.plist
  • /Users/runa/Library/Preferences/com.apple.recentitems.plist
  • /Users/runa/Library/Preferences/org.mozilla.torbrowser.plist

Saved Application State

Resume is one of the new features in OS X 10.7 and 10.8. The feature allows applications to save their last known state when they are closed, and then return to this state when they are later reopened.

While the Tor Browser does not use this feature, it does leak information in the files which are written to the /Users/runa/Library/Saved Application State/ directory:

  • /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/data.data
  • /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/window_3.data
  • /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/windows.plist

The windows.plist file contains the HTML title tag of the last active tab in the Tor Browser (or currently active tab, if the browser is still open). If the last active tab was torproject.org, then the following string will be present in the file:

Tor Project: Anonymity Online

I have created #8987 for this issue.
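The preference and saved-state files listed above are property lists, and on OS X 10.8 most of them are stored in the binary plist format rather than XML. The added example below is not from the original post; it is a small indicator scan that parses either plist format with Python's standard plistlib, walks every key, and reports the key paths whose string or binary values contain a known trace (the bundle identifier, the app name, the window title string quoted above, or a /Volumes/ mount path). The sample plist it scans is constructed in memory with made-up key names; it does not reproduce Apple's real com.apple.recentitems or windows.plist schema.

```python
"""Scan a binary or XML plist for Tor Browser Bundle / external-drive traces.

Added example, not code from the original post. The key names in the sample
plist below are constructed and do not mirror Apple's real file layouts.
"""
import plistlib

# Substrings the post reports finding in preference / saved-state files.
# Order matters only for which indicator a value is reported under.
INDICATORS = [
    "/Volumes/",                      # mount point of an attached external drive
    "org.mozilla.torbrowser",         # bundle identifier seen in the plists
    "TorBrowser_en-US",               # app name on the Desktop / in the Trash
    "Tor Project: Anonymity Online",  # HTML title captured in windows.plist
]


def walk(node, path=""):
    """Yield (key_path, value) for every scalar inside a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def scan_plist_bytes(data, indicators=INDICATORS):
    """Parse a plist (binary or XML is auto-detected) and return
    {key_path: indicator} for every str/bytes value containing an indicator.
    Binary blobs (e.g. bookmark/alias data) are decoded leniently so that
    embedded paths inside them are still matched."""
    tree = plistlib.loads(data)
    hits = {}
    for key_path, value in walk(tree):
        if isinstance(value, bytes):
            text = value.decode("utf-8", errors="ignore")
        elif isinstance(value, str):
            text = value
        else:
            continue  # ints, bools, dates, floats carry no path strings
        for indicator in indicators:
            if indicator in text:
                hits[key_path] = indicator
                break
    return hits


def demo_plist_scan():
    """Build a constructed binary plist and scan it. Returns the hit map."""
    sample = {
        # Constructed structure: a recent-items style list with a human-readable
        # name and an opaque blob that happens to embed the mount path.
        "RecentDocuments": {
            "CustomListItems": [
                {"Name": "TorBrowser_en-US",
                 "Bookmark": b"\x00\x10/Volumes/THA/TorBrowser_en-US.app\x00"},
                {"Name": "Report.pdf",
                 "Bookmark": b"/Users/runa/Documents/Report.pdf"},
            ]
        },
        # Constructed saved-state style title entry.
        "NSTitle": "Tor Project: Anonymity Online",
        "NSWindowCount": 1,
    }
    data = plistlib.dumps(sample, fmt=plistlib.FMT_BINARY)  # bplist00 bytes
    return scan_plist_bytes(data)


if __name__ == "__main__":
    for key_path, indicator in demo_plist_scan().items():
        print(f"{key_path}: matched {indicator!r}")
```

Point scan_plist_bytes at the raw bytes of any of the files in the lists above (open(path, "rb").read()); because plistlib.loads sniffs the format, the same call works for XML and binary plists. Values that are themselves serialized blobs (bookmark data, NSKeyedArchiver payloads such as data.data) are only matched by substring here, which is enough to confirm a trace exists but not to decode the structure around it.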

Spotlight

Spotlight, and the Metadata Server (mds), indexes all items and files on a system and allows the user to perform system-wide searches for all sorts of items: documents, pictures, applications, system preferences, etc.

I have not been able to open the files in /.Spotlight-V100 and /var/db/mds/messages/, but I would say it is likely that Spotlight and mds picked up the Tor Browser Bundle and the attached external drive at some point. I have created #8988 for this issue.

Swap

OS X relies on swap files and paging for memory and cache management. I have not been able to open the swap file, but I would say it is likely that /var/vm/swapfile0 contains traces of the Tor Browser Bundle and/or the attached external drive. I have created #8989 for this issue.

System Log

The system log file, /var/log/system.log, contains traces of the attached drive.

Temporary data

OS X stores per-user temporary files and caches in /var/folders/. The following files contain the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:

  • /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.LaunchServices-036501.csstore
  • /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/index.sqlite
  • /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/com.apple.LaunchServices-0360.csstore
  • /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/thumbnails.data

These files also contain strings such as org.torproject.torbrowserbundle, org.mozilla.torbrowser, torbrowser_en-us.app, torbrowser.app, net.vidalia-project.vidalia, and vidalia.app. I have not been able to open the last file, thumbnails.data, but it might contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8990 for this issue.

Forensic Analysis of Tor on Windows

As part of a deliverable for two Tor Project sponsors (Sponsor J, Sponsor L), I have been working on a forensic analysis of the Tor Browser Bundle. In this three part series, I will summarize the most interesting or significant traces left behind after using the bundle, deleting it, and then shutting down the computer. Part one covered Debian Linux (#8166), this part will cover Windows 7 (#6845), and part three will cover OS X 10.8 (#6846).

Process

I set up a virtual machine with a fresh install of Windows 7, logged in with the default admin account, installed available updates, and shut it down cleanly. I connected the virtual drive to another virtual machine, used hashdeep to compute hashes for every file on the drive, and then rsync to copy all the files over to an external drive.

After having secured a copy of the clean virtual machine, I rebooted the system, connected an external drive, and copied the Tor Browser Bundle (version 2.3.25-6, 64-bit) from the external drive to the Desktop. I extracted the package archive by clicking on the file, then started the Tor Browser Bundle by going into the Tor Browser folder and clicking on Start Tor Browser.exe.

Once the Tor Browser was up and running, I browsed to a few pages, read a few paragraphs here and there, clicked on a few links, and then shut it down by closing the Tor Browser and clicking on the Exit-button in Vidalia. The Tor Browser did not crash and I did not see any error messages. I deleted the Tor Browser folder and the package archive by moving the folder and the archive into the Recycle Bin, right-clicking on it and choosing Empty Recycle Bin.

I repeated the steps with hashdeep and rsync to create a copy of the tainted virtual machine. I also used Noriben, written by Brian Baskin, to create a report of everything the Tor Browser Bundle did while it was running.

Results

Using hashdeep, I compared the hashes from the tainted virtual machine against the hashes from the clean virtual machine: 256 files have hashes that do not match any of the hashes in the clean set. Additionally, the Noriben output shows the Tor Browser Bundle create, edit, and remove a bunch of files.

I have sorted the most interesting findings into different groups, depending on the location, how they were created, and so on. Windows 7 has built-in symbolic links designed for backward compatibility, which is why Noriben and hashdeep list the same files in different locations.

Prefetch

Windows keeps track of the way the system starts and which programs the user commonly opens. This information is saved as a number of small files in the prefetch folder:

  • C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
  • C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
  • C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf
  • C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
  • C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf

The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:

  • C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
  • C:\Windows\AppCompat\Programs\RecentFileCache.bcf

I have created #8916 for this issue.
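Each prefetch file name above is the executable name followed by a hash of its path, and the same two values are stored inside the file: the Windows 7 prefetch (format version 23) begins with the version number, the "SCCA" signature, the executable name as UTF-16LE at offset 16, the path hash at offset 76, and a file-information block that holds the last run time (a FILETIME at offset 128) and the run count (offset 152). The following parser is an added example, not part of the original post or of any Tor Project tool; it assumes that documented version-23 layout, constructs a minimal sample file for START TOR BROWSER.EXE-F5557FAC.pf in memory (the timestamp and run count are made up), and checks that the on-disk name agrees with the header, which is a useful sanity check when a .pf file has been renamed or carved from unallocated space.

```python
"""Parse the header of a Windows 7 (version 23) prefetch file.

Added example, not code from the original post. Offsets follow the published
version-23 layout; the sample file built here is constructed, not captured.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WIN7_VERSION = 23


def filetime_to_datetime(filetime):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_prefetch(data):
    """Return the identifying fields of a version-23 prefetch header.
    Windows 10 files are MAM-compressed and use a different version number,
    so they are rejected here rather than mis-parsed."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file: bad signature")
    if version != WIN7_VERSION:
        raise ValueError(f"unsupported prefetch version {version}; this parser handles version 23 only")
    file_size, = struct.unpack_from("<I", data, 12)
    # 60-byte UTF-16LE, NUL-terminated executable name
    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 76)
    last_run_filetime, = struct.unpack_from("<Q", data, 128)
    run_count, = struct.unpack_from("<I", data, 152)
    return {
        "version": version,
        "file_size": file_size,
        "executable": executable,
        "path_hash": path_hash,
        # The on-disk name Windows would have given this file.
        "expected_filename": f"{executable}-{path_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run_filetime),
        "run_count": run_count,
    }


def build_sample_prefetch(executable, path_hash, last_run, run_count):
    """Constructed minimal version-23 file: 84-byte header + 156-byte
    file-information block, with only the fields the parser reads filled in."""
    buf = bytearray(240)
    struct.pack_into("<I4s", buf, 0, WIN7_VERSION, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    name = executable.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, path_hash)
    delta = last_run - FILETIME_EPOCH  # integer arithmetic keeps FILETIME exact
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", buf, 128, filetime)
    struct.pack_into("<I", buf, 152, run_count)
    return bytes(buf)


def demo_prefetch():
    """Build and parse a constructed file matching the first name in the list."""
    sample = build_sample_prefetch(
        "START TOR BROWSER.EXE", 0xF5557FAC,
        datetime(2013, 5, 22, 10, 0, 0, tzinfo=timezone.utc), 1)  # made-up values
    info = parse_prefetch(sample)
    info["name_matches_header"] = info["expected_filename"] == "START TOR BROWSER.EXE-F5557FAC.pf"
    return info


if __name__ == "__main__":
    for key, value in demo_prefetch().items():
        print(f"{key}: {value}")
```

Because the path hash in the header is derived from the executable's full path, a copy of the bundle started from a different drive letter or folder produces a different .pf name; listing the prefetch directory therefore shows not only that the bundle ran but also how many distinct locations it was run from.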

SetupAPI

SetupAPI and the Plug and Play (PnP) manager write entries to SetupAPI.dev.log and SetupAPI.app.log about operations that install devices and drivers. The following files contain information about the attached external drive:

  • C:\Windows\inf\setupapi.dev.log
  • C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_0725c2806a159a9d\usbstor.PNF

Thumbnail Cache

Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle:

  • C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
  • C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
  • C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon. I have created #8921 for this issue.

Windows Defender

Windows Defender is the default anti-virus software on Windows 7. Windows Defender will write log files to the following location:

  • C:\ProgramData\Microsoft\Windows Defender\Support\

The log files will contain traces of the Tor Browser Bundle if Windows Defender ever decides to flag it as malware. This is true for any anti-virus software.

Windows Error Reporting (WER)

Windows Error Reporting (WER) captures and logs information about software crashes and other issues. I found information about the attached external drive in the following file:

  • C:\Users\runa\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_84cd279a5e83221bfa7edcb36665592c1974e4_cab_0b21673a\DMI671B.tmp.log.xml

The logs will probably contain traces of the Tor Browser Bundle if any part of the bundle, such as the Tor Browser or Vidalia, ever hangs or crashes.

Windows Event Log

The following two event logs contain information about the attached external drive:

  • C:\Windows\System32\winevt\Logs\Application.evtx
  • C:\Windows\System32\winevt\Logs\System.evtx

Windows Paging File

Microsoft Windows uses a paging file, called pagefile.sys, to store frames of memory that do not currently fit into physical memory. The file C:\pagefile.sys contains information about the attached external drive, as well as the filename for the Tor Browser Bundle executable. I have created #8918 for this issue.

Windows Registry

The Windows Registry is a database that stores various configuration settings and options for the operating system. HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user’s settings are stored in files called NTUSER.DAT and UsrClass.dat.

The path to the Tor Browser Bundle executable is listed in the following two files:

  • C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat
  • C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1

I did not find traces of the Tor Browser Bundle in any of the NTUSER.DAT files. I have created #8919 for this issue.

Additionally, the output from Noriben indicates that the Tor Browser Bundle touches the registry by creating keys and setting values. The following value points to the Tor Browser Bundle executable on the attached external drive:

  • [Set Value] Explorer.EXE:1196 > HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\E:\tor-browser-2.3.25-6_en-US.exe = 7z SFX

The output also makes it look like the Tor Browser Bundle adds the following keys and values:

  • [Set Value] tbb-firefox.exe:1124 > HKCU\Software\Classes\Local Settings\MuiCache\11\52C64B7E\LanguageList = en-US, en
  • [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
  • [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
  • [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
  • [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

I found that these keys and values are present on a clean Windows 7 system where the Tor Browser Bundle has never been used. I also downloaded and tested the German version of the Tor Browser Bundle to make sure that the LanguageList value does not represent the language of the Tor Browser Bundle.

Windows Search

Windows Search, which is enabled by default, builds a full-text index of files on the computer. One component of Windows Search is the Indexer, which crawls the file system on initial setup, and then listens for file system notifications to index changed files. Windows Search writes a number of files to the following location:

  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\

I have not found a way to read the Windows Search database files, but I would say it is likely that Windows Search picked up the Tor Browser Bundle at some point. I have created #8920 for this issue.

What I Did for the Tor Project in April

Top 5 things I did this month

  • Completed a forensic analysis of the Tor Browser Bundle on Linux (#8166).

  • Started on a forensic analysis of the Tor Browser Bundle on Windows (#6845).

  • Updated the Tor Cloud images with new options for BandwidthRate and BandwidthBurst (#7849, #8193), updated the step-by-step instructions on the Tor Cloud website (#8392), and documented the contents of the images (#7848).

  • Tried to configure, test, and update ask.torproject.org, our new Q&A site (#8603). AskBot has a few bugs here and there, and I’m not sure if it can do everything that we need and/or want it to do (#5995). I will continue this work as soon as ask.torproject.org is fully set up.

  • Visited New York to be interviewed by PBS for their Off Book series, attended the International Engagement on Cyber conference in DC, visited San Francisco, and attended the OpenITP Circumvention Tech Summit in Hong Kong.

Top 5 things I would like to do next month

  • Configure, test, and update ask.torproject.org (#8603).

  • Document the new support workflow (#8518), look at setting up translation teams on Transifex (#8717), and create per language article classes (for answer templates) associated with the support help queues (#8831).

  • Finish the forensic analysis of the Tor Browser Bundle on Windows (#6845) and document my findings.

  • Start on a forensic analysis of the Tor Browser Bundle on OS X (#6846).

  • Visit Brussels and speak at NATO’s Social Media Lessons Learned for International Organizations discussion forum.

Forensic analysis of Tor on Linux

As part of a deliverable for two of our sponsors (Sponsor J, Sponsor L), I have been working on a forensic analysis of the Tor Browser Bundle. In this three part series, I will summarize the most interesting or significant traces left behind after using the bundle. This post will cover Debian Linux (#8166), part two will cover Windows 7, and part three will cover OS X 10.8.

Process

I set up a virtual machine with a fresh install of Debian 6.0 Squeeze, logged in once and shut it down cleanly. I then connected the virtual drive to another virtual machine and used dd to create an image of the drive. I also used hashdeep to compute hashes for every file on the drive, and rsync to copy all the files over to an external drive.

After having secured a copy of the clean virtual machine, I rebooted the system, connected an external drive, and copied the Tor Browser Bundle (version 2.3.25-6, 64-bit) from the external drive to my Debian home directory. I extracted the package archive and started the Tor Browser Bundle by running ./start-tor-browser inside the Tor Browser directory.

Once the Tor Browser was up and running, I browsed to a few pages, read a few paragraphs here and there, clicked on a few links, and then shut it down by closing the Tor Browser and clicking on the Exit-button in Vidalia. The Tor Browser did not crash and I did not see any error messages. I deleted the Tor Browser directory and the tarball using rm -rf.

I repeated the steps with dd, hashdeep, and rsync to create a copy of the tainted virtual machine.
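The comparison step that all three Process sections (Linux here, and the Windows 7 and OS X posts above) rely on is the same: hash every file in the clean image, hash every file in the tainted image, and report the files whose hash appears nowhere in the clean set. The script below is an added example and not the author's tooling (the posts use hashdeep and rsync); it reimplements that matching in Python over two constructed directory trees so the semantics are visible. One caveat it makes explicit: because matching is by hash rather than by path, a file that was merely moved or renamed is not reported, while a file whose content changed is reported as "modified" and a file with no counterpart at all as "new".

```python
"""Hash-set comparison of a clean vs. a tainted file tree.

Added example, not the post's own tooling. The two trees are constructed in
a temporary directory; the log lines and file names in them are made up.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.
    Symlinks are skipped so a link and its target are not double-counted."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def files_not_in_clean_set(clean, tainted):
    """Files in the tainted tree whose hash matches nothing in the clean set.
    Matching is by content, not by path: a renamed-but-unchanged file is not
    reported. Result maps path -> 'modified' (path existed, content changed)
    or 'new' (no file at that path in the clean tree)."""
    clean_hashes = set(clean.values())
    findings = {}
    for rel_path, digest in tainted.items():
        if digest in clean_hashes:
            continue
        findings[rel_path] = "modified" if rel_path in clean else "new"
    return findings


def demo_hash_compare():
    """Build a clean tree and a tainted copy with constructed traces."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean")
        tainted = Path(tmp, "tainted")
        for base in (clean, tainted):
            (base / "var/log").mkdir(parents=True)
            (base / "home/user").mkdir(parents=True)
            (base / "etc/hostname").parent.mkdir(parents=True)
            (base / "etc/hostname").write_text("forensics-vm\n")
            (base / "var/log/syslog").write_text("May 22 10:00:00 vm kernel: boot\n")  # constructed
        # Constructed traces: an appended log line and a new history file.
        (tainted / "var/log/syslog").write_text(
            "May 22 10:00:00 vm kernel: boot\n"
            "May 22 10:05:12 vm kernel: usb 1-1: new high-speed USB device\n")
        (tainted / "home/user/.bash_history").write_text("./start-tor-browser\n")
        # Moved but unchanged: same content under a new path (not reported).
        (tainted / "etc/hostname").rename(tainted / "etc/hostname.bak")
        return files_not_in_clean_set(hash_tree(clean), hash_tree(tainted))


if __name__ == "__main__":
    for rel_path, kind in sorted(demo_hash_compare().items()):
        print(f"{kind:9} {rel_path}")
```

On a real image, run hash_tree over the mounted clean and tainted drives and feed the two dictionaries to files_not_in_clean_set; because hashing is by content, deleted files (such as the removed Tor Browser directory) do not appear in the result at all, which is why the posts look for their traces in logs, caches and metadata rather than in this listing.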

Results

Using hashdeep, I compared the hashes from the tainted virtual machine against the hashes from the clean virtual machine: 68 files had a hash that did not match any of the hashes in the clean set. The most interesting files are:

~/.local/share/gvfs-metadata/home: contains the filename of the Tor Browser Bundle tarball: tor-browser-gnu-linux-x86_64-2.3.25-5-dev-en-US.tar.gz. GVFS is the virtual filesystem for the GNOME desktop, so this result will probably vary depending on the window manager used. I have created #8695 for this issue.

~/.xsession-errors: contains the following string: “Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x3800089 (Tor Browse)”. It is worth noting that a file named .xsession-errors.old could also exist. I have created #8696 for this issue.

~/.bash_history: contains a record of commands typed into the terminal. I started the Tor Browser Bundle from the command line, so this file contains lines such as ./start-tor-browser. I have created #8697 for this issue.

/var/log/daemon.log, /var/log/syslog, /var/log/kern.log, /var/log/messages: contain information about attached devices. I had an external drive attached to the virtual machine, so these files contain lines such as “Mounted /dev/sdb1 (Read-Write, label “THA”, NTFS 3.1)” and “Initializing USB Mass Storage driver…”.

What I Did for the Tor Project in March

Top 5 things I did this month

  • Started on a forensic analysis of the Tor Browser Bundle on Linux (#8166).

  • Talked to a few people about organizing Tor talks/trainings in Prague, London, Johannesburg, Cape Town, Tel Aviv, and Jerusalem. I’m hoping to have dates and details all figured out by the end of April.

  • Sent out a welcome email to our new support assistants, created RT accounts for everyone, set up help-ar@rt.tpo, help-es@rt.tpo, help-fr@rt.tpo, and help-zh@rt.tpo, updated the documentation which explains how to work with our support system, and created help.torproject.org (#8517).

  • Attended the Rethinking censorship conference in Copenhagen, the Tor developer meeting in Boston, and a digital security event in London.

  • Resolved 31 tickets in the Tor help desk system. I will send out a full summary to the tor-reports mailing list in a few days.

Top 4 things I would like to do next month

  • Configure, test, and update ask.torproject.org, our new Q&A site (#8603), and document the new support workflow (#8518).

  • Finish the forensic analysis of the Tor Browser Bundle on Linux, document my findings, and start on either OS X or Windows.

  • Update the Tor Cloud images with new options for BandwidthRate and BandwidthBurst (#7849, #8193), update the step-by-step section on the Tor Cloud website with new screenshots (#8392), and document the contents of the images (#7848).

  • Visit New York and San Francisco, and attend the OpenITP Circumvention Tech Summit in Hong Kong.

Intro to digital security with the CIJ

On Monday the 25th of March, the Centre for Investigative Journalism in London organized a free event where journalists could learn more about digital security. I was invited to speak about Tor, other speakers covered OTR, TrueCrypt, GPG, and mobile security.

The attendees were divided into five groups, and each speaker had 20-25 minutes with each group. I gave out USB sticks with the Tor Browser Bundle, the Pluggable Transports Bundle, the short user manual, and the 2012 annual report.

I talked a bit about the history of Tor and the Tor Project, discussed a few different threats, mentioned hidden services, listed a few examples of real world use, and helped everyone get the Tor Browser Bundle up and running. I did not have access to a projector or whiteboard, so I did my best to illustrate how Tor works by drawing boxes, arrows, blobs, and stick figures on a piece of paper.

A number of people asked if we had some sort of document or manual explaining all the topics covered at this event. I mentioned Security in a box and the FLOSS Manuals, but also pointed out that there is currently no single document available, that I am aware of, which explains all of these topics.

I have previously discussed creating such a document with the Rory Peck Trust, which is a London based organization that specializes in safety, security and professional development for freelance journalists. I mentioned this again when I met with them the day after the CIJ event, and I’m looking forward to seeing the end result in a few months.

Thanks to the Centre for Investigative Journalism for hosting the event and inviting me.

Social Media and Online Anonymity during the Arab Spring

NATO first published this post on the WE-NATO blog in July 2012. The blog appears to be gone now, which is why I am re-publishing the post here.

It has been more than a year and a half since demonstrations broke out in central Tunisia at the funeral for Mohamed Bouazizi. Bouazizi, a fruit vendor, set himself on fire in protest of police corruption and ill treatment. The protests sparked by his death spread rapidly throughout Tunisia, and the Arab world soon erupted in revolution. Protests followed in Egypt, Libya, Iran, and Syria, as well as a number of other countries, with strikes, demonstrations, marches and rallies. Social media was also used to organize protests, communicate with other activists, and uncover state attempts at repression and Internet censorship.

In the months that followed the first protests in December 2010, videos, pictures, and stories from activists spread quickly via the Internet. Social media played a central role in the shaping of political debates and has proven a powerful tool for mobilizing support quickly. Social networking sites - such as Facebook and Twitter - allowed the world to stay updated and facilitated ongoing protests. Meanwhile, activists continued using social media as a way to organize protests and spread awareness. That changed, however, when authorities started to censor more and more websites.

Egypt blocked both Facebook and Twitter on January 26, 2011, and other countries in the region followed suit. A day or two later, Egypt completely shut down the Internet, along with the cellphone services in the country.

Activists looked for ways to circumvent this censorship in order to tell the world about the recent developments. Many users reached out for free proxy servers, VPN services in other countries, and anonymity tools - such as Tor - as means to bypass the blocks.

Tor is software that allows users all over the world to connect to the Internet anonymously and securely. It is free, open source, and developed and maintained by the Tor Project. Tor prevents anyone watching an Internet connection from learning what sites the users are visiting, and it prevents the sites being visited from learning the users’ real IP address and physical location. The software was originally developed by the U.S. Naval Research Laboratory for the purpose of protecting government communications. Today, it is used by a wide variety of people for different purposes.

An estimated 500,000 people use Tor on a daily basis, which makes it more than just a tool for activists. Some use Tor to keep websites from tracking them and their family members, some use Tor to research sensitive topics, and some use Tor to connect to news sites when these are blocked by their local Internet providers. Tor enables citizen journalists to write about local events to encourage social change, helps human rights activists safely and anonymously report abuses from danger zones, gives abuse victims basic privacy when browsing online, and is recommended for anonymous blogging.

The number of people who use Tor daily has skyrocketed since the beginning of the Arab Spring. Tor has seen an increase in users from around 200,000 in the beginning of 2010 to around 500,000 in the middle of 2012. Users in Iran have increased from 7,000 to 40,000; in Tunisia from 800 to 1,000; in Egypt from 600 to 1,500; in Syria from 600 to 15,000. These numbers suggest that more and more people are concerned about - and aware of - censorship, surveillance, and lack of privacy on the Internet.

In addition, research shows that the use of surveillance technology to watch Internet users, censor websites, and block Tor is increasing; new cases have been exposed so far in 2012, with deep packet inspection being deployed and used in China, Iran, Kazakhstan, and Ethiopia. The Tor Project continues to work on making the Tor software both easier to use for people around the world, and harder for authorities to censor and block completely.

Little Printer Auth Bypass

The Little Printer, created by BERG, holds a compact, inkless, thermal printer and prints messages filled with things like your schedule, tweets, news headlines and friends’ birthdays.

The website remote.bergcloud.com is used to communicate with the Little Printer; set up print subscriptions, send messages to the printer, give friends permission to send messages, and so on. I discovered an authentication/authorization bypass issue on this site which allows an owner of a Little Printer, as well as any user who has been authorized to print messages to at least one Little Printer, to print messages to any of the Little Printers out there — without prior authorization from the owners.

The HTTP POST which is sent when you message the Little Printer contains the following payload:

utf8=%E2%9C%93&authenticity_token=TOKEN& \
message%5Bbot_id%5D=ID&message%5Bstyle%5D=1& \
message%5Bmessage%5D=Hello!

The field message[bot_id] contains the ID of the Little Printer, which is a sequential numeric identifier. Changing the ID allows a user to send a message to another Little Printer without being authorized by the owner. The user is also able to print messages without authenticity_token present in the payload.

After printing a message, the site will normally display a box saying Message sent. When printing to another Little Printer, without really having permission to do so, the site displays an error and it seems like printing was not successful. However, that’s not the case.
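The two defects described above are independent: the server trusted the message[bot_id] value from the form without checking the caller's relationship to that printer, and it accepted the request without the authenticity_token. The following added example (not BERG's code, whose internals the post does not show) models the endpoint in Python with constructed printer and permission tables: one handler reproduces the behaviour as described, and a hardened handler next to it enforces both a constant-time token comparison and an explicit owner-or-granted check, returning the same response for "no permission" and "no such printer" so that the sequential ids cannot be enumerated through the error.

```python
"""Vulnerable vs. hardened model of the Little Printer message endpoint.

Added example, not BERG's implementation. Printer ownership, grants, user ids
and the request body built here are all constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import parse_qs, quote

PRINTERS = {101: "alice", 102: "bob"}   # constructed: bot_id -> owner
GRANTS = {101: {"carol"}}               # constructed: bot_id -> users allowed to print


class Session:
    """Logged-in user plus the per-session CSRF token the form should echo back."""
    def __init__(self, user_id):
        self.user_id = user_id
        self.csrf_token = secrets.token_urlsafe(32)


def parse_payload(body):
    """Decode the form body; %5B/%5D become [ ] so keys read message[bot_id]."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def send_message_vulnerable(session, body):
    """As described in the post: login is the only check, the token is
    optional, and bot_id from the form selects any printer."""
    if session is None:
        return 401, "login required"
    fields = parse_payload(body)
    bot_id = int(fields["message[bot_id]"])
    if bot_id not in PRINTERS:
        return 404, "no such printer"
    return 200, f"printed on {bot_id}: {fields['message[message]']}"


def can_print(user_id, bot_id):
    """Authorization: owner of the printer, or explicitly granted by the owner."""
    return PRINTERS.get(bot_id) == user_id or user_id in GRANTS.get(bot_id, set())


def send_message_hardened(session, body):
    if session is None:
        return 401, "login required"
    fields = parse_payload(body)
    # CSRF: the token must be present and equal to this session's token.
    token = fields.get("authenticity_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "invalid authenticity token"
    try:
        bot_id = int(fields.get("message[bot_id]", ""))
    except ValueError:
        return 400, "bad bot_id"
    # The object id is attacker-controlled input: check the caller's
    # relationship to that specific printer, and do not reveal through the
    # status code whether an unauthorized id exists.
    if not can_print(session.user_id, bot_id):
        return 404, "no such printer"
    return 200, f"printed on {bot_id}: {fields['message[message]']}"


def make_body(token, bot_id, message):
    """Build the same form encoding shown in the post."""
    return (f"utf8=%E2%9C%93&authenticity_token={token}"
            f"&message%5Bbot_id%5D={bot_id}&message%5Bstyle%5D=1"
            f"&message%5Bmessage%5D={quote(message)}")


def demo_little_printer():
    """carol is granted printer 101 only; returns status codes per scenario."""
    carol = Session("carol")
    other = make_body(carol.csrf_token, 102, "Hello!")      # bob's printer
    return {
        "vuln_cross_printer": send_message_vulnerable(carol, other)[0],
        "vuln_no_token": send_message_vulnerable(carol, make_body("", 102, "Hello!"))[0],
        "hard_cross_printer": send_message_hardened(carol, other)[0],
        "hard_no_token": send_message_hardened(carol, make_body("", 101, "Hello!"))[0],
        "hard_granted": send_message_hardened(carol, make_body(carol.csrf_token, 101, "Hello!"))[0],
    }


if __name__ == "__main__":
    for scenario, status in demo_little_printer().items():
        print(f"{scenario}: {status}")
```

The order of the checks in the hardened handler matters: the token is validated before the id is parsed so that a forged cross-site request is rejected without touching the printer table, and the authorization check is keyed on the specific bot_id rather than on "has any grant", which is exactly the distinction the original site missed.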

I reported this issue directly to Nick Ludlam, the CTO at BERG, yesterday. He replied an hour later saying that the issue had been patched on the live system. More information about this can be found in BERG’s security announcement.
