Private Tor Network: Chutney

Apr 15 2014

Chutney is a tool designed to let you build your own private Tor network instance in minutes. It does so by using configuration templates of directory authorities, bridges, relays, clients, and a variety of combinations in between. It comes with a few examples to get you started. Executing this command, for example

will build a ten client network made up of three directory authorities, five relays, and two clients. Each of which have their own TORRC file, their own logs, and in the case of the relays and authorities, their own private keys. Starting them all up is as easy as


So bam! You’ve created a Tor network in less than a few minutes. One item to note, the configuration options in the latest version of Chutney use initiatives like “TestingV3AuthInitialVotingInterval” which require you to have a current version of Tor. In my case, I compiled Tor from source to make sure it included these options.

Building custom torrc files

It’s first job during configuration is to build a bunch of torrc files to your specification. If you tell it you’d like to have a bridge as one of your nodes, it will use the bridge template on file, to create a custom instance of a bridge. It will automatically name it with a four digit hexadecimal value, set the custom configuration options you’ve dictated, and place it into its own directory under net/nodes/.

The very useful part here is that it builds an environment that is already designed to connect between one-another. When you create a client, that client is configured to use the directory authorities that you’ve already built and that directory authority is configured to serve information about the relays you’ve built. The real value here is that if you were to do this manually, you’d be left to the time consuming process of manually configuring each of these configuration files on your own. Do-able, but prone to human errors.

Running multiples instances of Tor

Chutney builds a private Tor network instance by executing separate Tor processes on the same box. Each node is configured to specifically be hosted on a certain port, so for a ten node network, you can expect 20 more more ports being used by the processes.

CaptureUse case

Chutney is perfect for quickly spinning up a private Tor network to test the latest exploit, learn how the Tor software works, or just muck around with various configurations. Compared to Shadow which focuses more on simulating network events at a large scale, Chutney is more of a real-world emulator. One weakness is that it is not a one-to-one relationship between The Tor Network’s threat model and a Chutney configured one. For example, the entire network is running on a single box so exploiting one instance of Tor would most likely result in the entire network being compromised. That being said, depending on your needs, it offers a great way of  building a test environment at home with limited processing power. It’s still a rough-cut tool and it sounds like NickM is looking for contributors.


BSidesROC 2015: Behind the Scenes

Apr 06 2014

BSidesROC is over. I thought it might be interesting to give a behind-the-scenes look at some of the stuff that makes BSidesROC run.


We have “Ops”. A few years ago we decided to try to organize BSides like an IRC network where each channel has an Op and an Op controls what happens in that channel. So for us Ops are trusted volunteers, and the channels are facets of BSidesROC such as the website, Hacker Battleship, or T-shirts. This is a cheeky way of letting people manage stuff they want to manage. So when someone says “Man the website is great!” We can say – well you should thank the Website Op. But that also means, “Hey can you put this on the website,” it’s expected that the Website Op handles this.

So this is why Ops are an important part of BSidesROC. For the most part they need to manage their respective channel (with the support of the rest of the group). They’re also under a lot of pressure because if something goes terribly, they go down with their ship. :)

Our Venue

Some of you know that we needed to switch venues this year. That’s because our last spot at the Auditorium Center turned into a full blown church. I’m happy with the results at the German House. It required some extra money and logistics but the end result was what I would describe as more “adult.” It’s a legitimate venue as opposed to the ad-hoc setup that we did at the Auditorium. I was very nervous about traffic flow at The German House but attendees seemed to manage it alright.

One interesting issue was that at 4pm, what we labelled Track 1 needed to turn instantly back into a restaurant. So while the rest of the conference finished up, Zeppa was opening up shop downstairs. That made it a little stressful but everyone was awesome enough to make it work.

Tor and Privacy

I’ll be honest, I did not know how well a Tor talk was going to be received at BSidesROC. That is until I showed up to give my presentation to a packed room. The backgrounds were pretty wide. Some people I spoke with before the talk honestly admitted that they knew that Tor was a tool for anonymity, but not sure how it worked. Others said they have been using Tor for a long time and had even given presentations on the topic before. If I could do it again, I would probably spit it up into an Introduction to Tor and an Advanced Tor talk. I’d really love to hear from people that are working on Tor related things in the Rochester area. Get in touch if you are.


I haven’t really been asked about money, but I do think it’s important to be transparent about where it goes. Primarily to show that we’re not lying when we say that we are a 100% volunteer organization. I’d rather not give itemized details about venue and food, just in case Zeppa doesn’t want that information public but I’m happy to share other data.

  • 100% of cash goes into the organization. No one is paid a dollar.
  • At the beginning of the year, we try to budget a small portion for “infrastructure” such as new projectors, better screens, etc. This year, this was radios that ended up being a life saver.
  • The biggest line item this year was food costs. The second biggest item was venue costs.
  • None of the speakers were paid. :( If we had more money, we would have.
  • At the end of the conference every year, we have little more than a few hundred dollars left in the bank.
  • We aren’t lying when we say sponsors are important to us

Food and Tickets

When people purchased a Breakfast, Lunch, or All The Things! ticket, BSidesROC paid for most of your meal. That meant that whenever someone bought a meal ticket, we had to pay more money. The problem with this is that it didn’t scale to the 250-300 attendees that we had. If everyone bought a food ticket with those numbers, we would have lost at least $5000 when the event was over. So that’s the main reason we had to stop selling tickets.

2 Weeks prior to the event, we had sold 115 tickets. When we saw that in the last 2 weeks, we sold over 150 more tickets, we got very scared about food. We didn’t want people to have to wander around the city not knowing where to go and we didn’t want people to have to go to a restaurant and sit for an hour to get fed. So one of the volunteers, Pee, said “We should get food trucks next year.” To which I replied, “Why not this year?” It turned out to be a great idea because Hello Arepa and Marty’s Meats did a great job at feeding the flood of people that poured out in the afternoon. I think we’ll modify our food options next year to play better into what attendees are willing to pay and still find a way of predicting how many people will be arriving the day of the conference.


Parking has always sucked at BSidesROC let’s be honest. Last year we had a case where people parked in the wrong place and got towed. This year we had an angry church lady yelling at our people. Just to share some info, Zeppa had let us know that there were 3 spots to park. The main parking lot, the one on South Ave, and then the church. But once again, a church got in our way. :) I don’t know why, but the church decided it didn’t want to allow any attendees to park there. When I spoke to Zeppa they freaked out and ran over there to fix it. Unfortunately it was too late. Most of the people had to find other parking.

Hiring and Sponsoring

One of my goals last year was to do a hiring station. Somehow figure out how to tie employers that are hiring, to people looking to get hired. It turns out this is a really difficult problem to coordinate. Between figuring out an appropriate style of the event and talking with companies, the logistics are overwhelming. We’re still trying to stick this for next year but if someone has an idea, please email me.

Hacker Battleship

I really like the idea of hacker battleship (but I’m biased of course) and I think a lot of people do  too. Especially college students. It’s a fun game. The problem was this year they re-used some of the challenges from last year and the game didn’t work for a variety of reasons, etc . It needs some help. Our hacker battleship op (who is also in charge of a dozen other things) could use some help if someone wanted to join in for next year.

Shirts and Doge

The shirts this year were Doge Meme based. This meme is still funny to me so I worked with local designer, Brian Boucheron to put them together. We didn’t plan on the insane draw of Dogecoin especially for my Doge Dancers that entertained us at the end of the day. If you missed it, I’m sorry. :)

BSidesROC 2014 and whatever a privacy workshop is

Mar 25 2014

Rochester’s version of a Security B-Sides is coming up next week. There’s a rush to finalize everything and there might be a question about this new event I’ve referenced as “Privacy Workshop”, “OPSEC Training”, or just AntiTree talks for 3 hours. The Privacy Workshop Track is something that came out of an ad-hoc event that @CJP has been doing for the last couple of BSidesROC’s. He would walk in and say “I want to do a key signing party” and we’d go “Awesome!” and set him up with a table. This workshop/lecture series is an expansion on this idea where we said we’d like to do more than just key signing, we wanted to teach you what you’re doing get you started. As GPG is a pretty good answer to some of the surveillance out there, I thought I would expand it into a series of presentations focusing on other tools with a similar goal. I’ve broken it down into three parts; Connectivity, Communication, and Operations. The tools I’ll be focusing on will be Tor, TAILS, and GPG. Operational security with TAILS, anonymous connectivity with Tor, and secure communications with GPG.

With Tor, my main goal is to address the most common questions like “But I bet the NSA has a backdoor in Tor, right?” So I’ve turned it into a discussion about how Tor works, and ways it can be broken. I’d be happy to discuss real threats to Tor, but I’m pretty bored with the “Tor is funded by the government” tin-hat talk. I find it actually really interesting the challenges that Tor has so in other words, I’m just looking for people to have conversations with. :)

GPG and TAILS are both hands on workshops aimed at getting your hands dirty with both of the tools. GPG is pretty straight forward for the most part and I’ll go into a few extra tips that I think are interesting and then to go through if there’s time.

With TAILS, I’ve even built some USB sticks with TAILS prebuilt on them. I thought it might be interesting for the workshop to provide a hands on experience as quickly as possible.

Of course all of this is still up in the air, so I reserve the right to change everything. :) I’m just hoping that with all the time I’m putting into putting this together, there are people actually interested. :)

Older »