
PhantomJS is a headless browser that, when you use it with Selenium, turns into a powerful, scriptable tool for scraping or automated web testing, even in JavaScript-heavy applications. We’ve known for a long time that browsers are being fingerprinted and used to identify individual visits to a website. This technology is a common feature of your web analytics tools. They want to know as much as possible about their users, so why not collect identifying information?
I’ve updated the Raspberry Bridge build to 1.5.1Beta to update a few things and address a couple of issues. The main changes are: updated Tor to the latest stable release; updated obfsproxy; updated OS, including some security patches. Download Torrent: http://rbb.antitree.com/torrents/RBBlatest.torrent. More info: http://rbb.antitree.com/
The Meek Protocol has recently been getting a lot of attention since the Tor project made a few blog posts about it. Meek is a censorship evasion protocol that uses a tactic called “domain fronting” to evade DPI-based censorship tactics. The idea is that using a CDN such as Google, Akamai, or Cloudflare, you can proxy connections (using the TLS SNI extension) so that if an adversary wanted to block or drop your connection, they would need to block connections to the CDN, like Google; mutually assured destruction. The goal is a way of connecting to the Tor network that is unblockable even by nation-state adversaries.
Over at rbb.antitree.com, you’ll see the details of a new project of mine: to build a Raspberry Pi environment that makes it easy for anyone to run a Tor Bridge node. The goal here has been to release an RBP image that is minimalist (in terms of storage consumption as well as resource consumption) and provides the necessary tools to run and maintain a Tor Bridge Node on a Raspberry Pi.
If you’re like me, you’re probably getting inundated with posts about how the latest revelations show that NSA specifically tracks Tor users and the privacy conscious. I wanted to provide some perspective of how XKeyscore fits into an overall surveillance system before jumping out of our collective pants. As I’ve written about before, the Intelligence Lifecycle (something that the NSA and other Five Eyes know all too well) consists more-or-less of these key phases: Identify, Collect, Process, Analyze, and Disseminate. Some of us are a bit up in arms about Tor users specifically being targeted by the NSA, and while that’s a pretty safe conclusion, I don’t think it takes into account what the full system is really doing.
Chutney is a tool designed to let you build your own private Tor network instance in minutes. It does so by using configuration templates of directory authorities, bridges, relays, clients, and a variety of combinations in between. It comes with a few examples to get you started. Executing this command, for example, ./chutney configure networks/basic will build a ten client network made up of three directory authorities, five relays, and two clients, each of which has its own TORRC file, its own logs, and, in the case of the relays and authorities, its own private keys. Starting them all up is as easy as
BSidesROC is over. I thought it might be interesting to give a behind-the-scenes look at some of the stuff that makes BSidesROC run. OPs: We have “Ops”. A few years ago we decided to try to organize BSides like an IRC network where each channel has an Op and an Op controls what happens in that channel. So for us Ops are trusted volunteers, and the channels are facets of BSidesROC such as the website, Hacker Battleship, or T-shirts. This is a cheeky way of letting people manage stuff they want to manage. So when someone says “Man the website is great!” We can say – well you should thank the Website Op. But that also means that when someone says, “Hey can you put this on the website,” it’s expected that the Website Op handles this.
Rochester’s version of a Security B-Sides is coming up next week. There’s a rush to finalize everything and there might be a question about this new event I’ve referenced as “Privacy Workshop”, “OPSEC Training”, or just AntiTree talks for 3 hours. The Privacy Workshop Track is something that came out of an ad-hoc event that @CJP has been doing for the last couple of BSidesROCs. He would walk in and say “I want to do a key signing party” and we’d go “Awesome!” and set him up with a table. This workshop/lecture series is an expansion on this idea where we said we’d like to do more than just key signing, we wanted to teach you what you’re doing and get you started. As GPG is a pretty good answer to some of the surveillance out there, I thought I would expand it into a series of presentations focusing on other tools with a similar goal. I’ve broken it down into three parts: Connectivity, Communication, and Operations. The tools I’ll be focusing on will be Tor, TAILS, and GPG. Operational security with TAILS, anonymous connectivity with Tor, and secure communications with GPG.
Last year, I was bitten by the idea of intel as a research project. I presented at BSidesDetroit on the topic of corporate espionage and the contrast between HUMINT and TECHINT. My Defcon Skytalk was titled “Bringin Intelligence Back To The Hacker Community” and I did a GRRCon talk on the capabilities and structure of a normal private intelligence campaign. The research had a side effect of replacing a generally apathetic outlook on the topic with a more specific abhorrence toward the intelligence community as a whole — specifically private intelligence groups working under the auspices of the U.S. government and other nation states.
For a few years now, I’ve been stating my plans for the rest of the year, and reviewing how the previous year went. Here’s the review: Last Year Major Con Presentation One of my goals was to be accepted into a “Major Con” for some definition of that word. This year I presented at Derbycon, GRRCon, Defcon Skytalks, BSides Detroit, and the Rochester Security Summit. I will say that my moon shot was to be accepted into 30C3 but I was aptly turned down.