Show HN: Streisand – Silence censorship, automate the effect (github.com/jlund)
234 points by jlund on July 24, 2014 | 52 comments

Can you clarify what this does? Even after reading the readme it's not clear to me what it does or what the use case is. And the phrase "silence censorship, automate the effect" is confusing since censorship is an attempt to silence others. I am familiar with the Streisand effect, where an attempt to hide information serves to publicize it. Does this library propagate secure, encrypted servers? So if you feel in danger of being censored you can quickly spread your message to other servers? Something more than that?

It sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, or fellow activists that will help them connect to the new server.

The use case is to make it easier for people to set up servers that allow individuals who live in countries where the Internet is being blocked to circumvent these restrictions.

"Silence censorship" is meant to be sort of funny, but the idea is that censors have had it too easy for too long, and an automated and repeatable method of setting up an anti-censorship server can help change that.

"Automate the effect" is meant to reflect the fact that you can start as many of these servers as you want. If a country starts censoring the Internet, more servers will spring up in response.

I hope these explanations make sense. I will try to figure out a way to make the README more clear.

Cool, so this allows me to set up a server that can't easily be censored and send instructions to non-technical people in order to grant them access.

I found what you wrote in the above comment way clearer than the README :)

When you say "If a country starts censoring the Internet, more servers will spring up in response." can you confirm that you (or I, as the person running the servers/service) would have to initiate the spin up?

I want to read "more servers spring up in response" to mean that the program automatically detects censorship using proxies in each country (or some other magic?) and creates new servers if it detects blockages, but I have a sense that that would be too good to be true...

That would be extremely cool. Maybe someday!

I meant that people can easily start more servers when a censorship event happens.

...but how would people know when it happens if the information is censored before it can get out?!

Thanks for clarifying. That does make sense. I didn't mean to be too critical of your "Silence censorship" tagline, it is clever. But it is frustrating when something feels cleverly pitched without providing a clear explanation of what it actually does and why it's valuable.

I like the concept, but I am troubled by the idea of people running cookie-cutter scripts to set up systems which are then left in charge of real-world anonymity.

Could the suite of things installed by this software package be used as a profiling vector in the future? How could that be avoided if so? I know that your userbase is slim now and mass profiling probably doesn't apply yet, but it's something to consider.

Are the installed defaults known to be sane and secure? That's another huge worry when the configuration is taken out of my hands initially.

Sorry for the worrisome comments. I like the idea,

No problem. I totally understand.

I intentionally made it really easy to override the default values that I chose for port numbers. It wouldn't be difficult to mix those up in the future, if necessary.

I did my very best to make sure that I was configuring things in a secure way. My approach to installing OpenVPN involves several additional steps that harden its security, like setting up an HMAC firewall and changing the default cipher from Blowfish to AES, for example. I take this seriously and I want to do it right. I'm looking forward to getting contributions from the community too.

I think that automation has the potential to significantly increase security because painful tasks that might be tempting to skip when someone is setting things up by hand can become painless. In an ideal world every task can be performed correctly and repeatedly.

I also did my best to fully document every single action that is taken. You can see what is happening at at all times throughout the process. Ansible's syntax is also very readable, so you can examine the steps before you run anything too. I am optimistic that things will only get better :)
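The two OpenVPN hardening steps mentioned above (the tls-auth "HMAC firewall" and replacing the Blowfish default cipher with AES) can be checked mechanically. The audit script below is an added example, not code from the Streisand repository; the two sample server configs are constructed, and the file names and cipher choices in them are assumptions.

```python
"""Audit an OpenVPN server config for the two hardening steps discussed above."""
import re

# Constructed sample configs (not from the Streisand repository).
WEAK_CONF = """\
port 1194
proto udp
dev tun
# cipher left at OpenVPN's historical default (Blowfish)
cipher BF-CBC
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
# HMAC firewall: control-channel packets without a valid HMAC are dropped
tls-auth ta.key 0
cipher AES-256-CBC
"""


def parse_openvpn(text):
    """Return {directive: [args]} for each directive, ignoring blank and comment lines.

    A directive that appears more than once keeps its last value, as OpenVPN does.
    """
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # strip comments ('#' or ';')
        if not line:
            continue
        parts = line.split()
        opts[parts[0].lower()] = parts[1:]
    return opts


def audit_openvpn(text):
    """Return a list of findings; an empty list means both hardening steps are present."""
    opts = parse_openvpn(text)
    findings = []
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    # When 'cipher' is omitted, OpenVPN 2.3-era releases fall back to BF-CBC.
    cipher = (opts.get("cipher") or ["BF-CBC"])[0].upper()
    if cipher.startswith("BF-"):
        findings.append(f"weak cipher {cipher}: Blowfish has a 64-bit block size, use AES")
    return findings
```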

On the other hand, when everyone does it by hand every time, it's easy to make mistakes and bad design decisions.

When it's a distribution, we can all contribute bug fixes.

Security vs obscurity is bad!

Given the server starts were anonymous, your issues around profiling disappear: https://github.com/StackMonkey/utter-va#welcome-to-utterio-a...

Awesome! Thanks! Might be great to kick off the readme with some anticipated use-cases, just so people can understand right away who the target audience is without reading through all the features. I mean, if I'm from a place being censored, all the bullet points will probably scream at me, but if I'm not, it takes a bit to determine that this product isn't particularly meant for me :)

Thanks for the feedback! I'm excited to see how people use this and what new features might be helpful for them. I will be sure to incorporate that information into the README.
You are very welcome! Please let me know if you have any feedback or suggestions after you give it a shot. It sounds like you might be in a country where deep packet inspection is happening, and you are exactly the type of person I am hoping to help.

I am happy to answer questions about this, if anyone has any. Or if anyone finds any bugs or has other feedback, that would also be great.

I get this on DO:

    TASK: [genesis-digitalocean | Add the SSH key to DigitalOcean if it doesn't already exist] *
    failed: [] => {"failed": true} msg: Access Denied

I can't figure out if the client id is supposed to be the token name when you create that in the control panel? I can't get it to work either way.

I had to:

    sudo pip install markupsafe

in a fresh Ubuntu to get it going for DO

I will add this to the README. Thanks!

I am now getting this, still on DO:

    TASK: [genesis-digitalocean | Get the latest 'Debian 7.0 x64' image ID from the DigitalOcean API] *** 
    fatal: [] => a duplicate parameter was found in the argument string ()

    FATAL: all hosts have already failed -- aborting

    PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/root/digitalocean.retry                  : ok=4    changed=3    unreachable=1    failed=0

I just pushed a fix for this. If you pull, you should be good to go. The bug was introduced in the new version of Ansible that came out two days ago. I didn't catch it because I hadn't updated quite yet. Sorry about that!

Edit: I'm still working through a few other Ansible 1.6.8 issues as well.

Edit 2: I think that I got them all.

Ansible 1.6.9 should already handle any quote issues you may have (other than duplicate arg detection, which is intentionally there). Parsers! How do they work? :)

Ha. And many thanks to Tim G who's had a hectic couple of support days.

A configuration for cheap VPS providers who provide a limited range of ports on one IPv4 address (plus one or more IPv6 addresses) would be great.
That's a great idea. Ansible doesn't natively support those providers through an official API yet, but I don't think it would be difficult to do. I will look into it!

For now, Streisand can execute on any standard Debian 7 server and configure it appropriately. It only needs an open SSH port and an account on the system with root permissions. AWS, DigitalOcean, Linode, and Rackspace are the options it supports for creating a brand new server from scratch as well.

Just a thought: in order to make these servers more undercover, you can bundle in a port-knocking daemon (knockd) and have all ports initially closed. This setting should be easily changeable, but it will also tremendously help impair a third party's possibilities of profiling and figuring out valuable info about the server.

I haven't ever done anything with port knocking before, but it's a neat idea that could also be entertaining.

It's worth pointing out that most of the services Streisand sets up have already been configured with countermeasures against passive scans. For example, Shadowsocks doesn't respond with any identifying information at all unless you have the proper symmetric key, and OpenVPN will drop all traffic immediately if the connecting client can't sign its requests properly for the HMAC firewall.

Maybe you should look into the more secure fwknop as an option instead of knockd.

This is similar to a project I worked on a while ago, Lahana[1] but on steroids.

I like the approach, although it requires a little more knowhow to set up. What would be really cool (if not already in) would be to ask the user which services they want to run on setup. Not everyone will want/need to run all the services, running extra services may make it easier to compromise an instance.

Jlund - if you feel like it, take a look at the lahana code[2] and if you feel like implementing a VPN-Tor routing bridge feel free to use what you like. Drop me a message if you get stuck. I don't have a lot of free time but will help where I can.

[1] - http://lahana.dreamcats.org/

[2] - https://github.com/stevelord/lahana

Dockerized "pre-reqs" for Streisand: https://github.com/gdoteof/docker-streisand

so you can just do

    docker run -i -t streisand

Very cool! I'll try to find some time to test the other providers, and assuming everything looks good then I can add a link to this in the README.

Awesome. I'm actually building a company right now around an almost identical product. We aren't open sourcing it yet but we will eventually. Would love to talk about this with you (email in profile).

Any plans to integrate AAA with RADIUS or similar? Any plans for a Squid proxy?

Also, I'm planning on working on a tool to easily deploy Tor hidden services as soon as I get some time. I think there's value in that aspect of your project alone -- maybe consider breaking it off on its own.

I honestly hadn't even heard of AAA in the context of RADIUS before reading about it on Wikipedia just now. I only tangentially know about RADIUS from seeing it in various WiFi control panels over the years.

I considered using Squid somewhere in Streisand, thinking that it might be a nice feature for mobile users in particular. However, one of my main goals with this project was to set up servers that didn't log any information under any circumstances about the sites that clients were visiting or their IP addresses. A caching proxy by definition is going to have to store some of the assets that users are requesting, so I abandoned the idea. Perhaps you are using it differently though?

I appreciate the feedback! By the way, your email does not appear to be in your profile.

Whoops -- it's there now.

(currently live) instruction example: http://jsbin.com/wutonaka/1/

Probably worth pointing out that this won't anonymize your traffic — instead of coming from your home IP address, it will come from the IP address of a server registered against your name and payment details.

That's not to detract from the functionality it does offer; just making sure people don't get the wrong idea.

So, one has to just find a host that would respect their privacy and serve their country with a big warm fuck-you response when asked about owner details without a proper warrant, or - even better - that would only cooperate with local law enforcement and won't give a damn about other jurisdiction demands.

Or get a host with some form of anonymous payment, like Bitcoin.

Nice work. Love that Streisand leverages Ansible.

One thought, you ask for AWS credentials. Mine are already stored in ~/.aws/config for use in the official aws cli which I think I recall wraps boto. It would be nice if the streisand setup could figure that out for me.

Thank you. I'm using Ansible's vars_prompt functionality to ask for these values. I'm not sure if there is a way to skip a prompt if the information is already available. I don't think there is right now, but Ansible is adding new features fast and I will keep this in mind.

I hope that, besides Starcadian, you also listened to this: https://www.youtube.com/watch?v=9VQdVA2hjsA

Ha! This is going to be stuck in my head all day now.

I just walked through the live demo eof provided (thanks). It looks very promising and well thought out. How many users could the smallest Amazon box handle in a real world scenario?

Thanks! Bandwidth usage would probably become a limiting factor before CPU. It also depends on which mix of services was being used. The services are all lightweight enough that I don't think you'd have any issue with lots and lots of concurrent users, even on a Micro.

Has anyone run this on an amazon micro instance? I'm wondering how much is needed for this to run, I'm guessing not much, hence the question :)

It works great on micro instances. That's actually the default option for new EC2 instances that it creates.

Sweet thanks, great project!

I'm kinda concerned that if I star this project I'll get flagged in some NSA database.

Don't worry, you probably already are, as "person that worries too much about his privacy, most probably has something to hide" ;)

This kind of work is so important to offset the threat of complete top-down control. Thank you!

I made a long comment on the history of the right to be forgotten on another thread that just fell off the frontpage. Definitely relevant to this thread too! https://news.ycombinator.com/item?id=8083211

Question is, will this circumvent the Great Firewall of China?

Yes. OpenVPN (wrapped in stunnel), OpenSSH, Shadowsocks, and Tor (with the obfs3 and ScrambleSuit pluggable transports) are all effective against the Great Firewall. Streisand sets up and configures all of them.
