OpenITP partnered up with FreedomBox Foundation, Information Security Coalition and the Internet Society of New York to host a hackfest in early July. We timed this event to pull in coders and human rights folks in town for the Hackers On Planet Earth conference.
The hackfest was well attended and hugely productive. We had a great group of attendees who worked on Guardian, Access, Tor, CryptoCat, Commotion Wireless, EFF, TrackMeNot and other projects. We also had a few people stop by from the human rights field, including Ali Mousavi from the International Campaign for Human Rights in Iran, Sarah McGregor from the Columbia Journalism School, and others, to get advice on internet security, anti-censorship and anti-surveillance tools to help their operations.
There was a lot of cross-pollination between projects. While many people brought tasks with them, a lot of folks showed up to help wherever they could, and a lot of people moved fluidly between their own project and others throughout the event. People jumped into projects and filled gaps in each other's knowledge and experience. Several projects made significant progress as access to new skills boosted them past milestones and bottlenecks. Many people pulled together collaborators for further work.
After a week of such intense collaboration, there are a lot of people to thank. Ray Short jumped in and brought InformSec with him. Dragana Kaurin and Willie Theaker kept the wheels turning during the event. Elizabeth Boylan was our interface to Columbia Law School and we could not have pulled this off without her. Ian Sullivan pitched in pre-event logistics from the FreedomBox Foundation. David Solomonoff and Joly MacFie documented many projects and participants on video. Without this team, we could not have had a hackfest at all.
Most importantly, we owe a big thank you to all the participants, hackers, volunteers and human rights activists that stopped by to share their projects and help with others. We'll do it again soon!
Pics and more details below! See something you want to work on? Email kaurin AT openitp.org and she'll put you in touch with people at any of these projects.
A lot of great work came out of the Guardian Project this week. Abel Luck worked on a secure cam Android app that stores media for citizen journalists. With audio and photo recording for radio reporters, the app also has a news-oriented video production tool with privacy-enhancing features such as secure upload to an SFTP server or YouTube over Tor, and face obscuring/redaction.
Hans-Christoph Steiner worked on a fork of the Barnacle Wifi Tether Android app that sets up ad hoc OLSR mesh networks. The aim of the application is to make mesh networking as easy to use as wifi. He selected the OLSR protocol because it runs on the IP layer and might be more portable across device architectures than protocols that run on the hardware level. As ad hoc networking is not built into Android, Barnacle disables the Android Wifi Manager and instead shares the 3G connection as a wifi point. However, if 3G is not available and the Wifi Manager is disabled, Android applications are unable to access networks. Hans is developing workarounds that allow applications such as the Android browser to access the internet through connected nodes. Hans decided to deploy a preliminary trial of the app at HOPE, and in the near future it will be usable enough for everyday use.
Harlo Holmes worked on an Android camera app that preserves complex metadata, such as yaw and pitch, to establish a chain of custody for digital evidence created on smartphones. This application is being developed in collaboration with the International Bar Association and will be released to the general public after a pilot study.
Nathan launched AweSoMe (Always Secure Messaging), a coalition between ChatSecure, the Guardian Project, and Cryptocat, which was officially announced at HOPE. Miron, the primary developer for Gibberbot, worked with Nadim and Abel on chat interoperability. Patrick Baxter re-flashed phones with Android 4.0 and the latest builds of Guardian Project apps for a group of Chinese dissidents. He also used a small x86 computer to spoof SSL traffic to see which Android applications correctly identify invalid and spoofed certificates. This research will reveal information about the possibility of man-in-the-middle and transparent bridge attacks on Android platforms.
FreedomBox and FreedomBuddy
Nick Daly considered, but ultimately rejected, including CryptoCat on the default FreedomBox image because of its reliance on PHP. The UI for FreedomBuddy, which offers and shares services, was quickly internationalized and features rudimentary support for Spanish and Farsi. In the coming weeks, work will be completed to support Python's standard approach to internationalization, gettext.
FreedomBuddy also gained a command-line interface to query other FreedomBuddy hosts and will soon be able to add, edit, and remove data from hosted services. The interface's current reliance on the HTTP(S) interface will also be removed. Finally, and most importantly, Nick is in the finishing stages of implementing a self-configuring OpenVPN system using FreedomBuddy's command-line interface. Nick also made sure that FreedomBuddy was in compliance with the AGPLv3.
Simo worked with Nick to test his installation instructions for the FreedomBox in a virtual machine. They also tested setting up an ad hoc virtual private network to relay traffic between 2 FreedomBoxes using OpenVPN. Daniel Howe focused on developing and bug-testing http->https mappings in freedombox-privoxy. He also collaborated with Boruch on multi-threaded and content-based verification for Privoxy https rewrite rules.
Boruch Baum and finished a Bash script that combs through a list of 10,000 URLs from the HTTPS Everywhere project to check for errors and down sites. The updated list will be used by Privoxy.
Brian Newbold planned and implemented a configuration backend for FreedomBox that can be called by Plinth. This crucial component will allow owners to set up and customize their FreedomBox as easily as possible.
Ariel Jatib worked up a plan for user experience during first boot of a FreedomBox. Ariel created graphical documentation to walk a developer through the experience.
The Commotion Wireless team continued to iron out the bugs in their OLSR network implementation in preparation for a demonstration at HOPE. By Thursday the Commotion Wireless demo was up and running without a hitch. Users can now run Cryptocat and tidepools on an OLSR network. Any client can connect to the mesh and any server can broadcast services. Jordan McCarthy worked with Seamus Touhy and Brian Duggan to monitor network output of smartphone applications to check for data leakage and the deliberate sending of data. When completed, the strategies developed by Jordan and Brian should allow users to run audits of mobile apps quickly and efficiently. Will Hawkins ported OTI reporting tools to Amazon EC2. George Rosamond was working on a grant for Tor, to ensure Tor continues to become more usable and accessible. He had several discussions with Tor developers to gain insight regarding Tor's UI and Orbot.
Daniel Bryg patched OpenWRT to support the latest version of Tor, overcoming a serious obstacle during compilation. The new build has improved stability and memory management for bridges and relays, and uptime for routers running Tor can now be measured in weeks rather than hours. Full hardware testing is still needed. Gustaf Björksten continued work on a program for the Chokepoint project to import and process data from five disparate sources. This information will be used to develop maps of internet censorship to monitor and identify interference in near real time. This tool will allow users to identify people who have control of infrastructure, censorship, throttling, and whether parts of the network have been switched off.
Internet Democracy Support for West Africa
Oluwakemi Hambolu (Kemi) came to the Hackfest with an interesting project in the planning stage. She recognized a need for ensuring secure communications on untrusted hosts and was considering her options. The quick-fix solution of using a secure GNU/Linux distribution on a live CD isn't an option for a large population in West Africa, where internet cafes and libraries often control internet access using Windows-only tools. Kemi consulted with several developers and decided that virtualizing Tails, a privacy-focused GNU/Linux distribution, on a live USB drive was the best approach. VirtualBox was ruled out as it requires administrator access, so Kemi worked on setting up QEMU with a Tails image.
QEMU proved to be too slow and Kemi discussed alternatives with Abel, who suggested the Android SDK emulator. After some difficulty with the speed of the Android SDK ARM emulator, Kemi switched to an x86 image which seemed to run fast enough. As the latest version of Android supports full disk encryption, Kemi attempted to enable dm-crypt using telnet, but was unable to do so. With some possible solutions in hand, her next step is working on reinstalling Eclipse to see if the Android SDK emulator can be run without administrator privileges.
At some point, it might be clear that secure computing on an untrusted PC is impossible without administrator access. Solutions to that problem were explored and Kemi will continue to investigate that route.
Blogging and Documentarians
We had some bloggers and writers record the progress made at Hackfest, like Becky Kazansky, who got some great interviews for the Berkman Center podcast and spoke to a lot of participants to get a sense of the problem sets that everyone is working with at the moment. Joly MacFie and David Solomonoff recorded interviews with a lot of projects to put them in context. Video from those interviews will be available from the ISOC-NY site soon.
Matt Hollingsworth talked to OpenITP about how he and others want to share a common location where we can link to the sites of all the projects. He also distributed code review guidance, including links and methodology used for code review and auditing within Microsoft.
Morgan Marquis-Boire and Eva Galperin collaborated on a few blog posts on the Hackathon and pro-Syrian government malware. Morgan is working with August Huber to identify and take down backdoored copies of circumvention software on public hosting sites such as Megaupload and Uploading.com. This project is in the initial phases of development and is currently comparing the MD5 checksums of Tor binaries hosted by various unofficial mirrors.
James Vasile, August Huber, Ella Saitta, Ray Short and Matt Hollingsworth all talked about assembling a peer review board to help the community do code review. Some of them will meet soon to move that forward as best they can.