
Alternative Internet - selvan
https://github.com/rossjones/alternative-internet
======
rmrfrmrf
Since I know the skill gap on HN is pretty wide, I just wanted to chime in to
say that if this is some kind of counter-intelligence measure, it's not really
going to work considering that the US government is collecting information at
layer 1 (i.e. directly gathering information from the wire).

A true "alternative internet" would, at this point, require its own
infrastructure due to the routers and switches of the Internet using the
TCP/IP stack. (assuming that an alternative internet would be a variation on
the IP protocol).

The entire issue with the government surveillance of today is that they're
(allegedly) storing _all_ data, even the encrypted data, and holding it to
either brute-force crack, waiting until whichever cipher/protocol gets broken,
or waiting until computing power is abundant enough to crack the encryption-
du-jour in a reasonable amount of time.

This is why ideas like Raspberry Pis on balloons have been proposed as true
"alternative" internets. Not to get all tin-foily, but I would assume that any
undertaking that ambitious would have government agents working from the
inside.

If you're transmitting any data that could be illegal, your safest bet is to
use some kind of encryption that would take longer than the statute of
limitations for whichever crime you're committing to break (you'd probably
also have to factor Moore's law into your calculation and pray that quantum
computing doesn't become viable in the next x years).

~~~
Jd
Additionally, it is worth noting that the weakest target is very often the
human element. Although this was noted by Mitnick in his "hacking" (which
generally was just clever social engineering), it is equally true when
governments are targeting you. The Stasi (or other pernicious organizations
organized to carry out state censorship) could easily have someone smeared in
the press, dismissed from their job, or many other means short of official
imprisonment.

To the point of encryption, as noted by the NSA (inclusive of present
revelations), it actually makes you a target for state surveillance. This is a
bizarre catch-22. If you are using Facebook and "rah rah-ing" about Obama or
the latest political fever you probably are at very little current risk of
long term data retention. The government doesn't care about you. If you slip
into politically suspect views and/or start encrypting your messages simply
because you don't want the government to read them, you attract government
attention, including the likely possibility that your communications will be
retained.

Moreover (and this is where it gets scary, even if it wasn't already), the
likelihood is that the many people that are part of your social graph (even if
you aren't involved in social networks, some friends likely are and have
probably shared their email contacts at the very least), governments can very
easily figure out your social circles, and how suspect they may be from any
standpoint that the government cares about.

Today this may be "terrorism" (itself a vague term, but one that at least
nominally includes the threat of violent acts), tomorrow it may simply be
having politically incorrect opinions of some variety. As noted by many, even
the nominal but legally actionable protections for American citizens have been
eroded to the point that the executive branch can hold anyone in infinite
detention without trial. A world without borders has become the panopticon, a
jail where we are bound by ever-peering eyes of our peers.

"What you say, can and will be used against you in a court of law" -- even if
you said it 10 years ago when you were drunk in a private message on Facebook.

Welcome to the Brave New World.

~~~
gnosis
_" encryption.. actually makes you a target for state surveillance"_

[https://en.wikipedia.org/wiki/Steganography](https://en.wikipedia.org/wiki/Steganography)

~~~
Jd
Fascinating. My preferred choice for transmitting arcane knowledge is poetry
(in fact, there is a long tradition of exchanging alchemical poetry in
cipher).

------
jpalomaki
I think one problem with these initiatives is that money is usually not
involved. When things like bandwidth are free, the demand tends to be higher
than supply. Limited bandwidth then limits the possibilities.

I'm not proposing a system where you would pay to "TOR Ltd" for their
services. Instead the "economy" should be network based, with no single entity
controlling it. If I wanted to send stuff through the network I could say that
I'm willing to pay x coins for this. The network would figure out cost
efficient route and the participating nodes would get the payment. If I wanted
to earn money (or credits), I could do so by putting my machine as part of the
network and offering my network capacity to others.

If things would work out well, there would be people earning some money by
running nodes on the network. Just like there are people investing in Bitcoin
mining rigs.

~~~
nhaehnle
At least right now, the problem is that the payments themselves might
undermine what the system is set up to do, because the payments might be
traceable.

There are proposals for truly anonymous and decentralized digital currencies
(ZeroCoin comes to mind). However, they are not exactly practical because
their overhead is quite high.

------
jpdoctor
Something that seems to be missing from the current world: A P2P noise
network.

A sufficient amount of encrypted noise emitting from many nodes makes the task
of capturing and decoding _everything_ quite a bit more challenging for an
intrusive regime. Effectively, this is steganography: Everything should be
encoded in cat pictures with an accompanying text of hot keywords.

~~~
antocv
I've been thinking about this and how to implement it, my conclusion was that
NSA has the resources to filter out noise, especially seemingly random
communication, as they already possess the social graph and have pretty good
idea of who talks to whom and when. If suddenly a browser extension or app
started sending "noise", to whom will it send it? A network? Where to get the
list of IPs to spam? Just randomly? Just randomly is detectable! That's easily
filtered out - just exclude the network from the important data they tap. What
if you randomly send a bunch of cat pictures and random noise to people of
your contact list? This is called spam and receiving such, is not nice, as we
can filter it on the receiving end, so can NSA filter it from their important
calculations. But then you might think, let's send noise randomly and in the
random noise let us communicate... meh, basically what a "P2P noise network"
would do is increase the hassle and usability of computing systems for
everyone involved but wouldn't really offer privacy for us.

When you kind of begin to make it less random, then you basically introduce
plausible deniability and onions and begin solving problems that people are
already working on and who need your help there more than "p2p noise network",
then you're back to "let's make a good usable p2p anonymous/deniable
communication system that can withstand NSA as adversary".

Still, it is an interesting idea, how to flood NSA's/FRA/GCHQ's systems? Can we
make a browser extension that's easy to use that would randomly GET pages from
your history while you are actually away from computer - generating false
content and increasing bandwidth usage, or a configurable spider to follow
links/pages or even friends streams of choice? Would you use spammers'
techniques of markov chains to post random crap on open systems? Meh, that's
still just an inconvenience for NSA.

What seems to be really important is who talks to who then how do you get in
contact with strangers on the internet without NSA knowing? How would you know
the stranger you're talking to isn't a cover agent?

~~~
jpdoctor
> _Just randomly is detectable!_

Only after analysis, and only after some confidence level has been exceeded.
And that is the point: Such analysis takes time and resource.

~~~
antocv
I believe the time and resources required for us to develop such a tool and
the time invested of users to run it is much more than the total inconvenience
it would cause to surveillance systems.

But please prove me wrong, I'd love to run such a tool quite easily, even if it
doesn't work, just for shits and giggles and just perhaps for that extra cent
of cost and resources wasted of powerful organizations. (still kind of our
taxpayer cents but...)

Would you run a simple browser extension that would GET pages while you are
away, pages that your browser has seen in your history, and an advanced mode,
pages on pastebin and a selection of forums/sources? Meh, could be done with a
simple bash script and curl I guess for the advanced users. Would be nice if
it could also crawl most news sources.

Stepping the idea up a bit, random but seemingly valid User-Agents, exchange
of tracking cookies with other users of the extension, and click on all the
ads! Would you use such a tool?

------
znowi
Most (if not all) of the "Currency Clones" listed are scams. Be careful.
Generally, the only coins you want to pay attention to are BTC and LTC.

Here you can watch the steady stream of altcoins and their scam practices.

[https://bitcointalk.org/index.php?board=67.0](https://bitcointalk.org/index.php?board=67.0)

~~~
rossj
I'd like to keep them for completeness sake, but will try and make it more
obvious that they should be avoided.

~~~
tlrobinson
If you want a "complete" list you're missing a lot of other scams:
[https://bitcointalk.org/index.php?topic=134179.0](https://bitcointalk.org/index.php?topic=134179.0)

I'd suggest only including the "major" ones listed on that page. The rest are
trivial knockoffs.

~~~
rossj
Okay. At least fourth person who's told me now. Will remove the non-major
ones.

------
cpfohl
Suggested Pull:

@user: NSA

---

+++

In order to comply with NSA Directive [REDACTED] and FISA Court Order
[Classified], anyone using these technologies will be required to install
LiterallySpyingOnYou.exe or an equivalent binary for your OS of choice.

Failure to comply will result in <strikeout>your immediate offshore
imprisonment</strikeout> a fair and impartial trial by your peers.

+++

------
Afforess
I've always been curious about I2P. I2P is more decentralized than TOR, as TOR
has the weakness of needing exit nodes, and today it is very hard to set one
up yourself (and not be arrested/shutdown). However, I don't know enough about
network/protocol security to even be able to tell if I2P is legitimately
secure, and I haven't seen any scientific analysis of it. Anyone else aware of
such an analysis?

~~~
gw
Well the reliance on exit nodes isn't really what separates Tor from I2P; the
latter requires exit nodes for accessing publicly-facing servers as well.
Neither requires them for accessing servers that are internal to their
network. This is sometimes confused because Tor puts more emphasis on
outproxying, and I2P on inproxying, but both networks are capable of both
activities.

------
wfn
Haven't heard of Drogulus before, sounds interesting.

Anything that implements a Kademlia-like decentralized key-value datastore
(basically, a DHT) gets my curiosity. Kademlia is a system/protocol how to
implement a DHT and how to perform searches on it. The idea is that all
network nodes are identified by a (traditionally, 160bit I think) hash. If you
want to implement a P2P filesharing network based on Kademlia (like Gnutella),
you hash each file to a bitstring of the same hash length.

Now, when you want to reach a particular node (and you have its hash but not
its IP), you can do an efficient search by traversing the nodes in the
_direction_ of the target nodes. For direction, a distance metric is needed in
this case. The distance between two given hashes is simply the result of
[hash1] xor [hash2]. This is rather simple and ingenious: you get a value
representing the amount of bits by which the two hashes differ. Hence you have
a way to measure distances in the hashspace.

Therefore, when trying to locate a node, you don't need to do an exhaustive
exponential "ping all my neighbours and get all _their_ neighbours" search;
one could say that you are able to follow a vector in the hashspace. _edit:_
by which I simply mean, the most simplistic way to achieve this would be -
pick a node from pool/neighbourhood with id/hash _closest_ to target; get
id/hash from its pool closest to target; continue until reaching a critical
distance within which nodes will be responsible for holding the desired
key->value pair. (I'm sure the actual algo will need to be somewhat more
complex, as it's very easy to run into dead-ends this way, and so on.)

When there are files involved, nodes whose hashes are close enough to a given
key (which is a hash of a file, more or less) are responsible for storing
those key->value pairs ('value' differs on implementation, but basically it's
another hash pointing to the node which actually has the file in question, if
I'm not mixing things up; the whole thing is more complex, with a way to
search using (hashed) keywords, etc.) Hence one can implement an efficient
distributed search algorithm, where you focus on the hash-neighbourhood of a
particular file hash, and get key->value responses from the nodes responsible.

This kind of a system has its disadvantages and possible points of attack. See
the wiki article on Kademlia. [1] Probably the most well known type of attack
is Sybil attack: [2]

    In a Sybil attack the attacker subverts the reputation system of a peer-to-peer network by creating a large number of pseudonymous identities, using them to gain a disproportionately large influence. A reputation system's vulnerability to a Sybil attack depends on how cheaply identities can be generated, the degree to which the reputation system accepts inputs from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.

Now, Drogulus seems to propose at least a partial way around this, though I
suppose it'd still be possible to actually flood/populate the hashspace with
garbage(?): [3]

    The drogulus has three core components:
    * A distributed hash table (DHT) that provides the data store and replaces DNS.
    * Trust and identity enforced via cryptographic signing of digital assets.
    * Logos [...] (say "log-oss"), a simple implementation of a Lisp like programming language for asynchronously working with data stored in the DHT.

    The drogulus implements a version of the Kademlia distributed hash table. The innovation the drogulus brings is that keys and values (items) are signed in such a way that their provenance can be proven and content shown to be intact. Furthermore, users cannot interfere with each other's items stored within the distributed hash table unless they have access to the same private key. Items are self contained and any that do not pass the cryptographic checks are ignored and nodes on the network that attempt to propagate such values are punished by being blocked by their peers.

I don't have time to actually delve into this now, but the next paragraph
piqued my curiosity even more - if anyone is into this, would be interesting
to hear some comment :)

 _Logos programs are themselves values stored within the DHT, run in
asynchronous "ensembles" that arrive at a consensus and process other items of
data stored within the DHT. They are sandboxed and intentionally limited in
terms of time (how long a computation may last) and space (how much memory may
be used). Since Logos programs are also data there is a mind-bending side
effect that Logos programs can rewrite other Logos programs in order to extend
the Logos programming language itself. This is an important property: users
have the autonomy to grow the Logos programming language to suit their own
needs._

So, something something - Kademlia-like crypto-signed homoiconic datastore -
something. Hmm.

[1]:
[http://en.wikipedia.org/wiki/Kademlia](http://en.wikipedia.org/wiki/Kademlia)

[2]:
[http://en.wikipedia.org/wiki/Sybil_attack](http://en.wikipedia.org/wiki/Sybil_attack)

[3]: [http://drogul.us/how.html](http://drogul.us/how.html)
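
An added example (not part of the thread and not Drogulus code) of the lookup outlined in the comment above: ids are compared by the XOR read as an unsigned integer, and the searcher keeps a shortlist of the K closest contacts instead of following a single node, which is how it gets past the dead-ends a purely greedy walk runs into. The names `Node`, `lookup`, `build_network`, the bucket size `K = 3` and the `node-N` labels are assumptions made for the illustration.

```python
import hashlib

K = 3  # contacts kept per bucket and returned per query (assumed; real networks use more)

def make_id(label: str) -> int:
    """160-bit id from SHA-1 of a label (labels here are constructed sample data)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    """Kademlia metric: the XOR of two ids, compared as an unsigned integer."""
    return a ^ b

class Node:
    def __init__(self, label: str):
        self.label, self.id = label, make_id(label)
        self.buckets = {}  # bucket index -> up to K known Nodes

    def learn(self, other: "Node") -> None:
        if other.id == self.id:
            return
        # Bucket i holds contacts whose distance from us lies in [2**i, 2**(i+1)).
        idx = xor_distance(self.id, other.id).bit_length() - 1
        bucket = self.buckets.setdefault(idx, [])
        if other not in bucket and len(bucket) < K:
            bucket.append(other)

    def find_node(self, target: int) -> list:
        """What this node answers when asked for contacts near `target`."""
        known = [n for bucket in self.buckets.values() for n in bucket]
        return sorted(known, key=lambda n: xor_distance(n.id, target))[:K]

def lookup(start: Node, target: int):
    """Iterative lookup: keep a shortlist, query its K best until none are new."""
    shortlist = {n.id: n for n in start.find_node(target)}
    shortlist[start.id] = start
    queried, rpcs = {start.id}, 0
    while True:
        best = sorted(shortlist.values(),
                      key=lambda n: xor_distance(n.id, target))[:K]
        pending = [n for n in best if n.id not in queried]
        if not pending:
            return best, rpcs
        for node in pending:
            queried.add(node.id)
            rpcs += 1
            for contact in node.find_node(target):
                shortlist.setdefault(contact.id, contact)

def build_network(size: int) -> list:
    """Constructed test network: each node fills its buckets from the full node list."""
    nodes = [Node(f"node-{i}") for i in range(size)]
    for a in nodes:
        for b in nodes:
            a.learn(b)
    return nodes

if __name__ == "__main__":
    net = build_network(200)
    key = make_id("some-file-contents")
    found, rpcs = lookup(net[0], key)
    print(found[0].label, "after", rpcs, "queries out of", len(net), "nodes")
```

Ids in this sketch are hashes of freely chosen labels, so creating an identity costs nothing, which is the condition the quoted Sybil passage ties the risk to.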

~~~
ntoll
Hi,

I'm the originator of the drogulus.

First things first: it's an unfinished work in progress and an _experiment_ on
which I've been hacking during my 40 minute train journey in to work. So, yes,
"something something - Kademlia-like crypto-signed homoiconic datastore -
something" just about sums it up.

I can't spend a lot of time answering right now, but I gave a short
presentation about the drogulus at this year's Opentech in London which
resulted in the following blog post (giving a high-level overview of my
motivations and intentions):
[http://ntoll.org/article/ppdd](http://ntoll.org/article/ppdd) I followed up
with some clarifications in this post:
[http://ntoll.org/article/drogulus-questions-and-clarificatio...](http://ntoll.org/article/drogulus-questions-and-clarifications)

I have several more blog posts in draft form about other aspects of the
system.

It's very early days and I'm pretty sure there are lots of problems with what
I'm doing. But, as I mentioned in the first post referenced above, I'm having
too much fun to stop. ;-)

Happy to answer questions and constructive feedback, comment and critique is
most welcome.

N.

~~~
Rhapso
I've been working on a similar project for about a year now. Interested in
exchanging notes? We are basing ours on a Chord DHT for better robustness.
benshoof@cs.gsu.edu

~~~
ntoll
Hey, I get user unknown from cs.gsu.edu.

~~~
Rhapso
And that is my fault. I left out a letter. Now that you have displayed
interest and I feel less awkward about directly approaching you I just went
ahead and emailed you.

Thanks!

------
batgaijin
There's also Hyperboria, which is based on cjdns nodes.

[https://github.com/dansup/Hyperboria](https://github.com/dansup/Hyperboria)

------
praguebakerr
Makes sense to have good decentralized tools but what about endpoint
security? We have to suppose that average OS does have many 0day
vulnerabilities so it's easy to get all important data from your computer.

To have good firewall & IDS, automatic analysis, secured kernel - that's what
should concern you people.

And that's not all - we cannot be sure if hardware itself does not send any
unique IDs to vendors... or network card can mark some packet by unique
signature and agency can capture those packet as they pass through internet. I
remember I read that few years ago:
[http://www.slideshare.net/the_netlocksmith/defcon-2012-hardw...](http://www.slideshare.net/the_netlocksmith/defcon-2012-hardware-backdooring-slides)
I would bet there are many backdoors hidden in hardware.

------
synctext
Some time ago I wrote a requirements document for the "Alternative Internet",
published by Internet Society Journal:

[http://www.internetsociety.org/articles/moving-toward-censor...](http://www.internetsociety.org/articles/moving-toward-censorship-free-internet)

This was discussed within the IETF and slowly moving forward. Key point is:
too many fragmented single-person projects exist. No structured approach with
documentation, unit testing and related work tracking.

------
Interception
Why is Project Byzantium not on the list when FNF is.

These guys work on a very advanced mesh network, and would love community
collaboration & support.

project-byzantium.org

~~~
rossj
Because nobody sent a pull request? Have added it.

------
abdullahkhalids
Why is Tor not on the list?

~~~
rossj
Because it was so obvious I missed it. I'll add it now.

~~~
stevenleeg
Also cjdns[0] is a good one to add!

[0] [http://cjdns.info/](http://cjdns.info/)

------
icarus127
Does anyone know anything about Project Meshnet?
[http://projectmeshnet.org/](http://projectmeshnet.org/)

I discovered it a few days ago and it sounds promising but some of the cjdns
whitepaper was over my head. Apparently there are a few hundred people
participating in their alternative internet on a daily basis already.

------
everyone
Oooohh!! Hey I will have a look at some of these myself. But what would some
of ye with experience recommend for... irc/sharing some files with a network
of friends only? I'd like to be able to have private chats with only one or
multiple people as well. cheers!

------
cmpctyd
I2PBote[0]: distributed, p2p, encrypted, anonymous (internal) email. It uses
I2P's DHT.

[0] [http://i2pbote.i2p.us/](http://i2pbote.i2p.us/) (or
[http://i2pbote.i2p](http://i2pbote.i2p) from inside I2P)

------
GigabyteCoin
Anybody who hasn't taken a look at Namecoin in the last month or so should
take another peek.

A GUI client with name registration platform came out recently and it's quite
the change from the command-line-only options we have had available for the
last few years.

------
apgwoz
It's things like these that are illegal in a SOPA[0] nation

[0]:
[https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act#Autocra...](https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act#Autocratic_countries)

------
mtgx
What about the Phantom Protocol? Is it abandoned? Not feasible? I haven't
heard much about it in the past few years:

[https://code.google.com/p/phantom/](https://code.google.com/p/phantom/)

~~~
rossj
I've added it because the homepage has links to some interesting papers.

~~~
mtgx
I know, that's why I've been such a fan of it. In theory it sounds almost
perfect, but I haven't seen anyone put it into practice yet.

------
nkoren
Firecloud is an architecture currently being explored within Mozilla that
should be added to this list:

[http://literaci.es/firecloud](http://literaci.es/firecloud)

~~~
rossj
Yeah, I'm just waiting on Vinay to give me a full list of what's involved.

------
mrcactu5
for the uninitiated, what does he mean decentralization?

