In wake of Anonabox, more crowdsourced Tor router projects make their pitch

Indiegogo's Invizbox and Kickstarter's TorFi want to deliver privacy for 30 bucks.

The Invizbox Tor router hardware—the same as Anonabox, but with truth in advertising.
Invizbox

Last week, Ars reported on the story of Anonabox, an effort by a California developer to create an affordable privacy-protecting device based on the open source OpenWRT wireless router software and the Tor Project’s eponymous Internet traffic encryption and anonymization software. Anonabox was pulled from Kickstarter after accusations that the project misrepresented its product and failed to address some basic security concerns—though its developers still plan to release their project for sale through their own website.

But Anonabox’s brief campaign on Kickstarter has demonstrated demand for a simple, inexpensive way to hide Internet traffic from prying eyes. And there are a number of other projects attempting to do what Anonabox promised. On Kickstarter competitor Indiegogo there’s a project called Invizbox that looks almost identical to Anonabox—except for the approach its team is taking to building and marketing the device.

Based on the Chinese-built WT 3020A—a small wireless router that appears identical to the box that was the basis for the Anonabox—the Invizbox will have similar specs to the cancelled Kickstarter: 64 megabytes of RAM, 16 megabytes of Flash storage, and the Linux-based OpenWRT embedded OS. The main difference, according to the Dublin, Ireland-based team behind Invizbox (Elizabeth Canavan, Paul Canavan, and Chris Monks) is that their Tor router will be locked down better—and they won’t pretend that they’re using custom-built hardware.

Even before Anonabox was pulled by Kickstarter, Elizabeth Canavan had the idea of doing what Anonabox was attempting in a more transparent and secure way. On October 17, her husband Paul posted about the project on Boards.ie, spelling out the strategy for the project—fixing what Anonabox project leader August Germar had allegedly gotten wrong:

Criticism: They lied about a heap of stuff.

Solution: No lying.

Criticism: They weren't open about the hardware being off the shelf.

Solution: Be open. Provide people with specs and ROM. If they want to make their own with a box off aliexpress then they can go for it.

Criticism: The firmware created by the anonabox people was a joke.

Solution: This was amateur hour and pointed to a serious lack of expertise on their side. It would be locked down properly.

Criticism: Claims of anonymity.

Solution: Make it clear to people that some end user behaviour will effectively remove anonymity and that they shouldn't trust their lives or freedom to a box like this.

The Invizbox team expanded on this on their Indiegogo page in a section called “I’m worried after being burned by a similar project.” They cited their qualifications: “Two of the project founders have security specific qualifications and all of us have many years of software industry experience and extensive Linux knowledge.” They promised that the build of the OpenWRT operating system on their router will be “properly locked down…No unnecessary daemons will be running on the box.”

They were also clear about things that they can’t promise. One is a guarantee against backdoors being put into the hardware or firmware by a third party—either in manufacturing or in transit. “We are not manufacturing directly,” they wrote. “We have been assured that there are no back doors and we will test for them, but…you should not trust your life to this box and we will provide clear documentation covering that.” To counter possible interception and modification of the firmware to introduce backdoors, the Invizbox team will offer downloads of the firmware to re-flash devices on delivery and use tamper-proof packaging.

The Invizbox team honestly laid out the potential pitfalls of its project—and of any privacy solution based on commercial hardware and Tor and OpenWRT software. Invizbox, they added, can’t stop “browser fingerprinting”—the use of device and browser configuration data that could be used to de-anonymize users as they visit various websites—but they’ll provide tips on how to avoid it. “We will provide documentation clearly outlining what the box is good for,” they wrote, “and especially what it's not good for (i.e. not to trust your life to it or assume that you're anonymous).”

Even if you don’t back Invizbox directly, you’ll be able to build your own—the team will provide the hardware specs and sourcing information, and you can flash your own hardware. That’s similar to what’s promised by the PORTAL project, an open source effort by security researcher “thegrugq,” Ryan Lackey of CloudFlare, and Marc Rogers of Lookout, though it’s based on different hardware. PORTAL also may have more Tor “pluggable transports” to help conceal Tor’s own network fingerprint.

Back on Kickstarter, there’s another Tor-based router project underway. Called TorFi, the project is based on the TP-Link TL-WR841N home wireless router—at least for its initial production run. Also based on OpenWRT, the TorFi project will include the option of using the Tor network or an OpenVPN-based virtual private network account.

The Berkeley, California-based team behind TorFi is not your usual set of developers: Jesse Enjaian is a recent law school graduate who is preparing for the Patent and Trademark Office bar exam, and David Xu is a material science engineer. The pair hopes to sell the TorFi for as little as $30 and to negotiate a reduced price for hardware if they get enough demand. But for right now they’re dependent entirely on the availability of TP-Link’s hardware.

Of course, if you’re looking for a fix right now that isn’t dependent on the success of a crowdsourcing campaign or flashing the ROM of a no-name Chinese pocket router purchased off a Russian website, there are existing (though more expensive) options. For instance, you could buy a Raspberry Pi-based Onion Router for $135—or build your own Onion Pi instead. Or, if you're feeling adventurous, you could probably reflash your existing router—Tor has been part of OpenWRT and other alternative router firmware for some time.
