The past few weeks has seen plenty of conversation about a $45 router that was barely half the size of your hand.
Named Anonabox, it achieved early success due to an appearance in Wired and the promise of up to $600,000 in crowd-sourced funding via Kickstarter, 82 times its original $7,500 goal. However the wheels soon fell off the hype, as flaws were discovered in the box and its promise of anonymity and security that led to Kickstarter freezing those pledges.
I caught up with Steve Lord, technical director of Mandalorian and co-founder of 44CON, to understand how a project that seemingly offered so much and was initially embraced, completely failed to deliver.
Lord said that the concept, born over a Mexican meal and conversation about the Arab Spring, was between the developers believing that all you need for a secure and anonymous communication was an embedded device and Tor (the Onion Router). They expected to sell 150-1,000 and after it received coverage for the “magical anonymity device” that you plug in at one end and plug out the other, it became notoriously popular overnight.
“The problem is it doesn’t exist,” Lord said. “The first thing that looked wrong was that there were four protocols and two of them were off the shelf motherboards that they designed themselves, and they said it would all be open source and they designed the pictures of the device and of the motherboard, and people realised that it was the same as something that sold on Ali Express, high speed technology on the cheap.”
He said that there are fundamental problems with trying to build a device that magically promises anonymity, and it is the difference between anonymity and privacy as with privacy, you are trying to protect your transport and your communications from someone trying to intercept it, while anonymity is about not being identified on the internet at all. “The problem is that if you have one of these magical devices and you have a device that is desperately trying to tell the world and your social networks and OS vendors who, what and where you are, then those two are going to be in conflict,” he said.
“At the end of the day, it is the operating system and applications that win as you can go through through Tor all you like, but if it comes out the other end and goes to an Apple server, then that is your anonymity blown.”
He also detailed the transparency proxy leak problem, that can only be fixed with two pieces of kit, and specifically with Anonabox’s designers not being familiar with the platform to a level that they were using that they could provide the level of security that was needed. “The side that goes on to Tor, went through an open, unencrypted wireless LAN, so you would go through that to Tor and do what you want, while police van watches you from down the road,” he said.
Lord said that the problem wasn’t in the size of it, but it was in the kit, especially if you try and shoehorn something that doesn’t work into it and you consider that whistle blower’s lives were at risk, it needs to work correctly.
He also said that another reason that Kickstarter pulled this is because the rule is “you have to have built it yourself”, and this is leading to clones appearing because of the amount of money that was pledged. “None of them really offer anonymity, and none of them really solve the problem of a device that has been produced by The Grugq called PORTAL,” he said.
“Anonabox does everything that Portal did and what is worse is that they took stuff from Portal to implementing on their box, and it existed in a different form factor. Portal will provide you with some degree of anonymity and it is the best thing out there in terms of widget, but it is not a substitute to what you can and cannot do.”
Lord also questioned the hardware, which Anonabox said was open source, but instead was an archive of configuration files. “The files I reviewed were pretty terrible and leaking stuff and didn’t route through Tor,” he said.
I concluded by asking Steve if he felt that this was jumping on the bandwagon of the privacy and anti-surveillance movement, he said 99 per cent of it was, as one project called Cloak were looking at it properly with schematics and tools posted. “You can see it is legitimate with all of the CAD drawings and that is the sort of transparency you need for that sort of device, and we know that the NSA take devices and add extra kit to it,” he said.
Steve Lord, technical director of Mandalorian, was talking to Dan Raywood
