
Privacy Router Anonabox Gets $600K in Crowdfunding and Huge Backlash - ghosh
http://www.wired.com/2014/10/anonabox-backlash/
======
fabulist
It's inspiring to see so much financial commitment to an idea like this, but
disheartening to see it go to the wrong place -- a Kickstarter, not the Tor
Project.

Maybe we, as the FOSS community, need to start utilizing crowd sourcing more.
Maybe we can use the marketing from Heartbleed etc. to launch a Kickstarter to
audit OpenSSL, and use the NSA revelations to launch a Kickstarter to run more
exit nodes (which are desperately needed -- about 1k nodes for 2M users). The
project to audit Truecrypt seemed to reap the benefits of this quite
effectively.

I'm not familiar with the TOS for Kickstarter so maybe this isn't possible,
but the general public clearly has more interest than we (I) thought.
They just don't know how to channel their support effectively.

~~~
hackerboos
Is there a Kickstarter alternative solely for raising funding for OSS with
little or no fees?

If not, someone should build one.

~~~
ThePhysicist
Well, there's Gratipay (formerly Gittip), which is a great platform since it
allows you to support an open-source project through regular payments.
Unfortunately, the project has not yet received broad adoption, which I hope
will change in the future, though.

Here's the link:

[http://www.gratipay.com](http://www.gratipay.com)

In fact, there is a page for the Tor community, so if you want to support
them, go there and give them some money ;)

[https://gratipay.com/for/tor](https://gratipay.com/for/tor)

~~~
Argorak
I know it's common here to let the past be past, but it should be said that
depending on your world view, gittip is not a good option.

[http://geekfeminism.wikia.com/wiki/Gittip_crisis](http://geekfeminism.wikia.com/wiki/Gittip_crisis)

------
dogecoinbase
The current state-of-the-art in Anonabox skepticism:
[https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_to...](https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_tor_router_box_is_false_representation/)

~~~
Canada
I don't know what the point of lying about the source of the boards was. That was
just stupid. This user htilonom is just milking it for all it's worth though.

I've seen those devices retail for as much as $30. $50 isn't unreasonable.
That price should ensure they can deliver.

After it's done with Germar, the reddit mob should take its pitchforks over to
Starbucks. What a scam that place is. Slapping their logo on coffee from some
third world country, claiming they made it. Outrageous!

~~~
redthrowaway
Do you want to buy a tor router with default open wifi and admin password set
to 'developer!'?

~~~
shadowmint
...?

You understand that your router came with the username 'admin' and the
password 'password' when you bought it right?

(don't get me wrong, there's some weird stuff going on with that kickstarter,
but the password/username thing is such a strawman it hurts me to see people
talking about it)

~~~
vidarh
At least my router did not. It came with a sticker with a random password. My
other routers all have ethernet ports and came with wifi disabled.

~~~
shadowmint
What router is it?

I've literally never encountered a router that didn't have a default password
on it.

Sometimes service providers will set a random (or user) password before
shipping the device, but they all reset to the default one when you factory
reset it.

I thought it was just universal.

I'm actually quite interested to know which manufacturers ship a custom rom
per device with a unique password.

~~~
Xylakant
Fritz Boxes have a unique password, it's printed on the sticker on the back.
My consumer grade Telekom router does the same, same for the Vodafone router
my brother owns. It's de-facto standard for all consumer grade adsl/cable
modems/routers that German telcos hand off to their customers.

~~~
shadowmint
Um. You might be confusing the password that is configured by the service
provider and the password that is set by the manufacturer.

The fritz box default password is 'password'.

[http://www.routeripaddress.com/routers/10609/avm-fritz-box-f...](http://www.routeripaddress.com/routers/10609/avm-fritz-box-fon-wlan-7390_default_settings.html)

~~~
SyneRyder
Maybe confusing the WiFi password and the admin password? I just got a new
modem/router today and the WiFi is WPA2 secured by default with a random
passcode printed on a sticker on the base of the unit... but once connected,
the login for configuring the unit itself is your standard default
admin/password deal.

~~~
concerned_user
ADSL/Cable modems are usually set up to download firmware from the ISP, at
least in cable modems throttling is usually done on the device as well, so it
sort of resets every time you turn it off and on.

------
sigkill
There are ethical questions about the person ripping off multiple different
products and not crediting them. He is taking a bunch of things and putting
them in a nice shiny box with almost zero end user configuration required.
Now, that's a moral question and I'll let you all decide if it's right or
wrong.

Coming to the technical aspects of the box, the product is fine in the sense
that it does exactly what it says technically - routing your connection via
Tor. Using verified credentials over Tor is a bad idea for that specific
identity. If you're the kind of person who's going to buy this, I can take a
guess that a large percent of the population wouldn't really know how it works
and will think "I'm anonymous and private now, thanks to this little box" and
use the Internet exactly as they were using it before - bad idea. The concept
is flawed simply because a layman will use email and facebook over Tor and
then bam! you can identify him instantly.

TL;DR - Operation successful, patient is dead.

~~~
peteretep

> He is taking a bunch of things and putting them in a
> nice shiny box with almost zero end user configuration
> required
    

This is a stronger value proposition than most social media startups.

~~~
agumonkey
Reminds me of debates in the movie
en.wikipedia.org/wiki/Flash_of_Genius_(film)

About what is to invent or not.

------
downandout
Forgetting the fact that it very well may be a crappy product, I am not sure I
see the issue that has caused the pitchforks to come out on this one. The
controversy seems to be over this statement:

_"Little did we know, it would take over four years, and a lot more tacos
and beer, to create a device with the security, speed, functionality and
easy-of-use that is the anonabox."_

It certainly could have taken them four years, even if that only means they
were tinkering with it for four years before they stumbled across a $20 board
from China that finally made it feasible given their apparent lack of skills
necessary to create a custom device. While I certainly won't be buying one of
these, the description on the site seems fairly accurate. It's an
OpenWRT-based router that they pre-configure to work with TOR. It seems like it
probably does what it says.

I just don't see pitchfork-worthy issues here.

~~~
noyesno
A bit further down the product description:

    
    
      By our fourth round of prototypes we had created a model 
      with 64mb memory and a 580mhz CPU. This not only runs the 
      software well, it flies! At last happy with the board, we 
      designed a simple, minimalist case in plain white to house 
      it. The end result is our current model. We decided to name 
      it the anonabox.
    

They did not create the board nor did they design the case.

~~~
dagw
And nowhere in what you quoted did they say that they created the board.

~~~
number_six
>we had created a model with 64mb memory and a 580mhz CPU.

I'm not sure about you but saying "we had created" is a pretty clear
indication of where they thought they stood in the creation process here.

~~~
smsm42
It just says they created the complete box, it says nothing about the
components. For anybody that has any experience with assembling hardware, it
is a completely common case to use components from other manufacturers. Apple
says "we created iPhone" but they use Samsung chips inside, should they say
"Samsung created iPhone" instead? No, because they added their own work to the
components, things that the components didn't do before. So the question is -
did the source components do what Anonabox is doing? If not, they created
something new and have valid claim to that. They don't have to make the
silicon and extract the metal from ore to have right to claim that.

~~~
Dylan16807
It definitely implies they designed the board. Apple certainly designed their
own board.

If Apple was buying fully-functional iPhone hardware that only lacked a case
then it would be ridiculous for them to claim they had created the iPhone.

For you to say 'complete box' is misleading, because the plastic shell doesn't
actually do anything, the bare board is functionally already complete.

The board is not a mere component, it is 95% of the end result.

And especially the wording of creating a model, then evaluating the
performance of the board, then designing a case... creation can _only_ apply
to the uncased board in that paragraph. If they didn't make the board it's a
pack of lies.

~~~
smsm42
It says about technical specs of the product, and it says about how they
looked for the hardware that would work for them, but it never says they
soldered the board themselves. At least I don't see any of such language on
the Kickstarter page, maybe they claimed this in AMA, I didn't read that. The
product is what is sold, and if 95% was already there, I personally see no
problem in that - a lot of great things were done as adding the final 5% to
what already existed but was not as practical. I'm also not sure why anybody
would care where the board comes from - as long as it works as a consumer
product that didn't exist before, what's the problem?

~~~
Dylan16807
I'm fine with anything that isn't deceptive.

~~~
smsm42
Right, so I'm not sure yet if there was intent for deception. Sure, the
product needs work - like default password, etc. - it should be fixed before
it can be reasonably considered a security product, and that's all valid
points, but that is not a fraud - it's just a product needing some work, not
an uncommon thing on kickstarter. Now if they did claim they built it from
scratch then it would be outright deception, and that changes the picture
completely.

------
danso
According to a user in the Reddit IAMA thread with the Anonabox creator, the
idea (and some of the wording) is plagiarized from a Hackaday semi-finalist:

[http://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_augus...](http://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_august_germar_a_developer_for_the_anonabox/cla3ydz)

> By the way, here is the original project, Hackaday Prize (not yet finished)
> semi-finalist, and based on the Adafruit onionPi :
> [http://hackaday.com/2014/09/06/secure-your-internets-with-we...](http://hackaday.com/2014/09/06/secure-your-internets-with-web-security-everywhere/)

> There are many obvious similarities and anonabox are even using almost the
> same sentences I'm using for my HaD project, same arguments.

> The anonabox campaign started one day before the contest judging, and his
> website has been registered on 18 of september, (after I released the
> project details). This is a very aggressive move and everyone should be
> careful about this campaign.

~~~
unethical_ban
A router preconfigured to use Tor and other services is not that original.

------
lnanek2
This is a common Kickstarter scam. Take a Chinese product off alibaba, maybe
tweak the software, brand it, and sell it on kickstarter. It has happened time
and time again for things like Android watches, Bluetooth low energy devices,
almost anything currently being made.

------
dewey
There's an interesting email thread on the tor-relay mailing list with people
from the torproject itself commenting and sharing their thoughts on that
project:

[https://lists.torproject.org/pipermail/tor-relays/2014-Octob...](https://lists.torproject.org/pipermail/tor-relays/2014-October/005511.html)

------
timdorr
And funding is now suspended:
[https://www.kickstarter.com/projects/augustgermar/anonabox-a...](https://www.kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-router)

~~~
justtheguy
Can someone enlighten me on this? Does this mean the creators will not receive
the funding, or that no further funding will be accepted?

~~~
baddox
I'm assuming both, at least until it's resolved.

------
Cybershambles
Hey @kickstarter It's time to kill the @anonabox - @torproject needs to make a
statement disowning this project too.

I've got a pile of money and an idea... let's make a mint by stealing people's
ideas.....

"Well, we have enough capital to do anything we want. We could have a new
board made in the US with a new layout if we wanted. It's ultimately up to all
of you, the backers"

[https://www.kickstarter.com/projects/augustgermar/anonabox-a...](https://www.kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-router/comments?cursor=8135947#comment-8135946)

It's more than time to boycott this thing.

~~~
paulhauggis
According to filesharing rules and many people here on HN, you can't "steal"
an idea. After all, it's not like a car. The idea is still there to be used by
the original owner.

Oh, and I can't forget the other motto in business: "ideas are
worthless...execution is everything"

~~~
toomuchtodo
You jest, but it's the truth. Your idea is worthless until it's in production.

------
Cybershambles
Let's count the ways this could have been done better. For starters, Let's not
spend most of the time lying to people (apart from the straight up amateurish
parts of their project), second, start the project by including the costs of
security based milestones in the price of admission.

This results in higher costs because people are being altruistic... so let's
make the cost $80 starters... $40 for Hardware (There are better mini routers
out there for the price). $10 for Shipping. $10 for Software. $10 for Security
Audit. $10 for TOR donation, because you're exploiting them for profit (higher
pledges to TOR = TOR merch).

The more you sell, the better bulk hardware (increases in RAM/decreases in
cost) order you can manage... but for 10,000~ units you'll need somebody with
feet on the ground in China to deal with the local team. plus QA and taxes and
lawyers and.. ARGGHHHHH

plus, should have an open and detailed platform with a threat model and design
documentation before you even start.

Which OS/distro?, which packages/why these packages?, GCsecurity? firewall?
administration UX? Update path? Stretch goals?! Feature set? Less is more in
this kind of thing...

------
sschueller
I think a big part of the backlash was that the hardware is not open source.
Sticking existing things together is fine but he can't guarantee the safety
which is unfair to those who purchase one and trust it.

Btw you can achieve the same thing with open hardware:
[http://www.pcengines.ch/apu.htm](http://www.pcengines.ch/apu.htm) + pfSense
+ tor

~~~
pgl
I think a lot of the anger is also related to the consistent and blatant lies
given by August Germar. The AMA on reddit[1] was a disaster - August was
repeatedly called out on various statements, and repeatedly made obviously
debunked replies.

It was embarrassing to read, but it also leaves a bad taste in the mouth with
regards to the integrity of the project.

[1]
[https://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_augu...](https://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_august_germar_a_developer_for_the_anonabox/)

------
tdurden
Does Anonabox have anything that sets it apart from Onion Pi
([https://learn.adafruit.com/onion-pi/overview](https://learn.adafruit.com/onion-pi/overview))?

~~~
AlyssaRowan
As it doesn't have a source of hardware entropy, and the Raspberry Pi actually
_does_ (bcm2708-rng/bcm2835-rng), I'd say it's clearly worse from one
perspective.

From another perspective, the network on the Pi's connected via USB so it's
not particularly great but it ought to be just fine for Tor. (Never actually
tried an Onion Pi setup myself, but I have a few lying around, so I might do.)

------
edgecrafter
I cancelled my pledge on kickstarter for the Anonabox. Surely looks like the
project owner has been "a bit too clever"

------
frozenport
I would like him to spend $150k on a full time developer to verify the
security on the box.

------
dobbsbob
[https://mobile.twitter.com/kpoulsen/status/52246310994522931...](https://mobile.twitter.com/kpoulsen/status/522463109945229313)

All they did was smear away the logo in photochop, though their OEM might have
provided this image. Anybody can make their own Anonabox with a Cubieboard or
similar Allwinner A1x/A20 box for under $60. Or use thegrugq's PORTAL on a
chipped TP-Link router you can find plenty on amazon/ebay for $40
[https://github.com/grugq/portal/blob/master/README.md](https://github.com/grugq/portal/blob/master/README.md)

------
shadowmint
ha, I think the real take away from this is that there's a great opportunity
for someone who knows what they're doing to create a very similar product
without any of the controversial baggage, and make a killing.

------
zetx
I wouldn't give my money to someone who thought "The default password is
developer! because developers are the only ones who would be looking at the
code." [1]

[1]
[https://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_augu...](https://www.reddit.com/r/anonabox/comments/2ja22g/hi_im_august_germar_a_developer_for_the_anonabox/cl9wphy?context=3#cl9w58p)

------
jmspring
This is an interesting phenomenon to watch. A startup I was involved with years
ago considered the use of the TOR network as an added service - mostly using
the technology but with a managed set of nodes - to provide something like VPN
services. This was very early in the reddit/social media days. I'm curious if
it had seen the light of day what sort of press it would have received.

~~~
TeMPOraL
Looking at the amount of pledges they collected, that start-up likely had not,
because on Reddit people _like_ Tor. Issue here seems to be about general
dishonesty - consequences of which I really think more companies could use to
think about.

------
ericd
Sorry, how is this different from, say, Barracuda Networks packaging commodity
hardware with open source software in nice boxes and selling them for a mint?
Where is the outrage coming from on this if he's making this stuff easier to
buy and deploy, even if the hardware wasn't developed in-house?

~~~
vidarh
The issue is lying about it, and making other false claims. Such as claiming
it's "open hardware" when they are relying on closed off the shelf devices.

It also doesn't help that it appears that their default setup is hideously
insecure.

------
brohoolio
During a bout of insomnia I came across the project and funded it. Seemed like
an easy way to get something I would use.

I just pulled my funding. This is way too sketchy. If the Tor project can put
something together I'd be happy to put my money into that instead.

------
rlvesco7
It's ironic that the outrage came from Reddit because that site was built on
lying to people (in the beginning)

[http://motherboard.vice.com/read/how-reddit-got-huge-tons-of...](http://motherboard.vice.com/read/how-reddit-got-huge-tons-of-fake-accounts--2)

Now that they have solved the chicken-and-the-egg problem, they're legit.

Point being, lots of startups over-promise (and exaggerate) in the beginning.
It takes time to fix bugs and find things. If you waited for a perfect product
and were 110% honest you would likely not get any traction.

That's not to say that this guy shouldn't be penalized for lying about where
he sourced his products though!

~~~
jo_
I certainly agree that startups over-promise in the beginning, but they need
to be very explicit and very clear as far as human safety is concerned. I work
(up until the end of the day today) for a medical startup. We speak highly of
our own product, but we make it unambiguously, blatantly clear that our
product is NOT an emergency feedback system. If we lie and say we're a system
like that, people could get killed. In this case, the publishers lied
critically about the source of the parts and the system that was running on
top. While perhaps not as immediately and spectacularly fatal as a medical
device malfunction, if journalists or revolutionaries are using the product
and there's a backdoor, there will be lives lost. They were NOT clear that the
hardware they were using was actually a Chinese manufactured product from a
Chinese design company. When it comes to surveillance, the Chinese government
doesn't have a great reputation. There's plenty of reason to believe the
device may have a hardware backdoor, as has happened before. Second, the
software installed on the device is itself highly insecure. The original
Reddit post pointed out that the device had a web-exposed remote
administration panel open with the default username and password.

The only thing worse than no security is the illusion of security. This
product, as sold, provided just that -- a minimal but ultimately illusory
security.

~~~
rlvesco7
I think you make a good point. It's a security product that can harm people's
lives. So in that way, it's different than lots of other startups.

------
apkjet
This is a great idea and I think the future home router should provide a
switch button to switch between normal mode and TOR mode.

