Late last week, Anonabox hit Kickstarter, glomming on to concerns over security, privacy, and censorship. The project was picked up on the usual tech blogs, lauding this project as the pinnacle of the Open Source, Open Hardware movement and a great investment for the privacy-minded technocrat in a post-Snowden world.
Then, the creator of Anonabox did an AMA on reddit. It was quickly discovered that the entire project was an off the shelf router found on AliExpress with reflashed firmware. The router sells for $20 in quantity one, and the Anonabox Kickstarter is giving them away with a minimum $51 pledge. The new firmware is basically a standard OpenWrt installation with a few changes to the config files. The project claims to solve the problem of hardware backdoors, but ships with a backdoor root password (the password is ‘developer!’), open WiFi, and ssh open by default. The Anonabox also claims to be a plug and play solution to security and privacy on the Internet, meaning if this project ever ships, there will be a lot of people who won’t change the default configuration. That’s rather hilarious in its implications.
According to the Kickstarter campaign, the Anonabox has gone through four years of development and four generations of hardware. [August] even has a great graphic demonstrating that each successive generation has reduced the size in half and doubled the system resources:
Anyone with the slightest eye for detail will quickly realize that components, like Ethernet jacks, SD cards, and CF cards are always the same size. I wonder what this graphic would look like if all the boards were scaled so they were in proportion to each other?
Oh. That’s not fishy at all.
As with most Kickstarters that have seen this much negative attention, the project was suspended just a few hours ago, but not before gathering more than $600,000 in pledges at its peak.
Although the Anonabox failed, there is a market for a Tor-enabled router, and luckily we have one on hackaday.io. It’s so great that some of the copy for the Kickstarter campaign was lifted directly from this project. With a wealth of market research available, we can only hope that [CaptainStouf] runs his own campaign for the UnJailPi.
The positive thing about this project is that we found out about the existence of those cheap, miniaturised and quite powerful routers :)
The router which Anonabox intended to use (their “version 4”) is an MT7620. Here’s the datasheet they released: http://anonabox.com/sauce/MT7620_Datasheet.pdf The MT7620 is used in the WRTNode: http://wrtnode.com/#4 which claims that:
“WRTnode is a totally OpenSourced hardware now. PS: The Schematic of WRTnode is: http://cn.wrtnode.com/w/wp-content/uploads/2014/05/WRTnode_sch_v01.pdf, the PCB layout and BOMlist will open soon later.” http://wrtnode.com/w/?p=223
Which is to say: “OMGWTFBBQ TOTALLY FLOSS. PS: JK BRO NOT REALLY FLOSS.”
One of the problems with the MT7620 is that it requires a proprietary piece of Ralink Tech firmware for the WiFi driver. The driver it needs it based on rt2860 and the fact that it is not included in OpenWRT can be seen in this ticket on OpenWRT’s bug tracker: https://dev.openwrt.org/ticket/14625 which points to the binary blobs for the firmware: https://code.google.com/p/rt-n56u/source/browse/#git%2Ftrunk%2Fvendors%2FRalink%2FMT7620%253Fstate%253Dclosed
All of that said, with all of the funds August’s Kickstarter, this would have been an excellent opportunity to find or create better hardware (like Bunnie’s Novena board) and securely deploy a real Tor Router ― with perhaps some help from kernel, hardware, and Tor Project developers would would love to see a secure Tor Router like this come into existence.
The Tor Project has some idea what R&D needs to be done to create a real Tor Router that we’re happy with. Some ideas are on our mailing lists (https://lists.torproject.org/pipermail/tor-relays/2014-October/005514.html and https://lists.torproject.org/pipermail/tor-relays/2014-October/005541.html) and Jake (@ioerror) has put a significant effort towards pushing for us to do a Tor Router project, but we definitely need more helping hands and brains (ahem… and wallets) contributing!
♥Ⓐ isis
THIS -> https://lists.torproject.org/pipermail/tor-relays/2014-October/005541.html
Everybody who thought about buying a anonbox should read this mail. Everybody who thought about creating their own anonbox should read this mail. Everybody who has even the smallest interest in tor should read this email.
And all technical articles which handles the likes of anonbox should must definitely read this email!
Its just too bad that anyone who uses Tor or linux in general is considered a possible domestic terrorist by the department of defence.
so amazon and google are terrorists?
I don’t think businesses are included in that. I think that leaked document was focusing mostly on the general public.
More like “how to fail horribly at techno-grifting.”
Yea, they should have done a DAMAFT (Don’t ask me a ****ing thing) on Reddit.
But with “rounded corners” we can imagine what people will do next…
rounded corners? if you are talking about the sparkfun meters verses fluke meters sparkfun finally got their own design
https://www.sparkfun.com/products/12966
He’s almost certainly referring to the “rounded corners” patent that Apple filed a few years ago. Rectangles with rounded corners are obviously a key and unique innovation that deserve protection from those evil Koreans and Japanese cell phone makers.
it was part of the description of a design patent (equivalent to a registered design over here in Europe), and pretty much all of the description needs to match in order for infringement to be found. You can spot Apple haters easily by their repeated quoting of that one point and ignoring the other things that went with it.
The diagram from the design patent used solid lines to indicate claimed shapes, and dashed lines to indicate illustrative shapes. The only solid line was a rounded rectangle.
And there’s another one. Factors like radius and proportion play a factor in design patents, as does the category of device. Many companies found it perfectly possible to create tablet designs that didn’t infringe on Apple’s following the iPad, and anything not a tablet PC wasn’t covered, but still the cry of “patented rounded corners”.
A dead give away if you have 2 generation of the product. Even if it *were* real, a company won’t have much future if it doesn’t know what it is trying to sell. Constantly up rev’ing shows that you have no clue. What happened to the 2 older generations? Did it even sell? Is the company more interested in making prototypes than selling them? That kind of burnt rates kills a company.
Two, I can understand if you are a startup and it takes a while to develop a working proto for proof of concept, and by then you want to catch up to the bleeding edge. (need NDA with vendors to get their preproduction parts etc.)
there were no generations, there was no product, those are generic devboards, KS fraudster NEVER even had them in hand, he probably doesnt own the final router either so he had to photoshop Alibaba picture instead
why did they get suspended? If people at kickstarter are stupid enough to let him start this then why close it? I tried a few times to do LEGIT kickstarters but was denied. And that was for trying to raise about $500…
Kickstarter sux and id never be cought buying from there.
Or spelling sucks and caught correctly.
He got suspended for basically false advertisement, claiming that he had designed the hardware and that it was open-source when in reality he hadn’t.
Kickstarter is – in my opinion – good for legitimate startups who have a finished design that’s at least mostly production-ready and just need the money to bootstrap their production, but finding such projects and figuring out if they’re legit can be more trouble than it’s worth.
I hear ya. They denied me when I tried to make a $500 Kickstarter for a USBHID board that’d let people turn any switches hooked up to GPIO into HID/Gamepad ‘buttons’… They gave me some cock and bull story about how Kickstarter was primarily for ‘creative arts projects’ (wtf?!) and that my project didn’t fit.
Sorry to hear that but flad im not alone.
Take it over to Tindie…
This story is why I both love and hate the internet. Kudos to those who uncovered the fraud before naive folks got swindled. EABOD to the scumbags who tried to pull this scam and game Kickstarter.
Is it a scam though? All across America you have people selling China-made crap for 100s of times what they paid for it. If it’s sold as described, it’s not a scam.
It’s called capitalism, people.
False advertisement makes it a scam.
Here’s the link to the device in English. It looks like he got a Chinese company to make a slightly modified version of their existing product. Perhaps he had them change to a larger program flash chip (as he hints about in the kickstarter) and removed the USB port for external USB flash/disk (the off-the-shelf device seems to be able to support external storage).
http://www.aliexpress.com/item/New-2014-300Mbps-WT3020A-Multiprotocol-Portable-Mini-WIFI-Router-with-USB-data-line-Wireless-Router-wi/1691403728.html
Perhaps this is the same silicon as the wrtnode people are using (rt2860v2).
http://www.wrtnode.com
I think wrtnode has higher specs (and more hackable) than the AliExpress router. Not too bad for $25.
600MHz
SPI FLASH is 128Mb = 16MB
DDR2 is 512Mb, so 64MB
Note: They are using small letter b (bits) not B (byte)
AliExpress is russian witch is even worse since remember the soviet union?
the soviet union is spies so the router could be a honeypot.
if you are going reflash off the shelf hardware then say so dont say it is proprietary or custom hardware.
AliExpress is not Russian, it is Chinese! It is an AliBaba sister website:
http://news.alibaba.com/article/detail/help/100888800-1-what%2527s-diffrence-between-alibaba-aliexpress%253F.html
The Chinese may be doing something that the USA’s NSA has AREADY been caught doing.
Economic cost is around 54% of CISCO sales this year.
Why not focus on building better systems…. rather than stealing other peoples’ worthless crap in the first place…
The Soviet Union hasn’t existed in over 20 years. What rock have you been living under?
Maybe Soviet Union doesn’t. Remember black hole exploit hit!
The one where Putin is the new Hitler.
time to lay off the weed, bro. you’re drifting…
These sorts of scams are good forus as a society. People need to learn to take a deeper look at things and not just jump on hype trains. One day they might even realize that Apple puts out expensive products with weak specs.
+1
Those people who wait in line for the next iPhone aren’t buying specs but a brand they use to climb the social ladder among idiots.
…or it could just be a sleek device with excellent usability and a friendly learning curve.
Products are more than just their raw specs, nerd.
That doesn’t justify standing in line to get one 23 minutes before your friend.
The only time I have waited in line unnecessarily was for Lord of the Rings Return of the King. My iPhone 5 was easily bought instore a month or so after release.
If by exellent usability you mean a lackluster feature set and clauatrophobic user interface? All apple products are overpriced trash. Their OpenGL and graphics drivers are even behind the times. And lets not even mention Apple has no f-ing idea what a Retina even is (hint: it’s a sensor not an output). Coby makes products on par with Apple.
Also when you “buy” an Apple phone you are really renting it, they control everything on it. They can access anything on it, and police can too, without a warrant. It’s not your phone or device, it’s apple’s. And sadly microsoft is heading down that road. At least android can be forked and run on custom hardware.
Thanks, but i couldnt get past the first sentence because my brain kept going
“WTF is an AMA????????????????????”
“Ask Me Anything”, ever heard of Google? Kinda of a lazy mf
Ever heard of using the full name for the first time and putting the acronym in brackets to show people what you will use the next time, like this:
“Anonabox did an ‘ask me anything’ (AMA) on reddit”
That is what i remember from school. Where did you learn practical language you illiterate fool?
“Google is hard! Learning the terminology of a community is hard! I expect everything handed to me on a silver platter!”
I expect everyone who has gone to school to produce the same minimal quality of writing, especially once they start writing for news sites.
Terminology and acronyms are not the same thing, people can use whatever terminology they want, but there are rules for using acronyms for English, Go learn them.
Yeah, fries, okay, granddad. Back to the nursing home with you.
I sincerely doubt you’d have as much of a problem if the article had referenced RAM, or ROM, or CD-ROM, or any number of other terms despite AMA being as well-established on the Internet as any of the former ones are. Don’t blame the HaD writers for your own pathological inability to get with the times. Just go back to sipping mint juleps and screaming at kids to get off your lawn while the rest of us actually keep up with the world.
+1 @fries
@fries: +11 for making it rhyme.
I did use google, and this is what i got:
American Medical Association
American Medical Association
American Medical Association
Academic & Science » Psychology
American Medical Association
American Marketing Association
American Music Awards
American Management Association
American Motorcyclist Association
Against Medical Advice
Automatic Message Accounting
Academy of Model Aeronautics
Anti-Mitochondrial Antibody
Advanced Maternal Age
American Motorcyclist Association
Ask Me Anything
Argentinean Manitoban Association
American Music Abroad
Anti Mitochondrial Antibodies
Adaptive Management Area
Agencia del Medio Ambiente
Alleenstaande Minderjarige Asielzoeker
Amateur Martial Arts
Amarillo International Airport, Amarillo, Texas USA
Airplane Modelers Association
Automotive Manufacturers Association
So now what? I just start guessing? You’re a moron.
“Hmm, none of those seem to be what I’m after, I probably need to be more specific. The article mentioned reddit, let’s add that. Google “AMA reddit” and oh hey it’s the very first result!”
google fu is a art not known by all. :)
ooooh, beat me to it. Yes, try Googling in context next time. It’s how I skipped yellow and went straight from white to orange belt in Google-fu.
You could, I dunno, click the link right next to it? Just a suggestion…
Classic how pissed you got instantly, trying to slam me as a person and my intelligence left and right, you might be fluent in English, but your far more fluent in asshole. Even with the ability to regulate your speech with text, you still couldn’t control your anger and hatred. With 10% of a person’s language expressed as words, I can’t imagine how much of a loser you must have acted like, huffing and puffing while you write.
He’s probably one of those 50-something assholes who rants about “them Twitters” and “those Facebooks” while polishing his gun and screaming at kids to get off his damn lawn, lamenting internally about how much better life was back when everything was based around the transistor rather than when those Jap-uh-NEEZ-made integrated circuits took over. No need to worry about him – old age, Alzheimer’s, or a combination of the two will take him soon enough, while the rest of us who can actually be fucked to keep up with the world will continue to make progress.
Instead of spending time being angry at someone for something you yourself could have prevented, perhaps you should fix your writing style to fit to everyone instead of your closet group of boys that live on the internet?
Being old is not a crime, and now knowing what a term is on a site that no one in the real world actually cares about is nothing new. Unless you all of the sudden think a Fortune 500 is going to start listening to Reddit-ers for investing advice now.
OMG! LMFAO! (NTTAWWT)
i’ll just leave this here:
http://www.google.com/insidesearch/landing/powersearching.html
It is the responsibility of the writer to inform his readers.
DAGS (Do/Did A Google Search) that is what I did when someone commented with EABOD earlier. That is also how I found out about FOMO, ESAD, and ACRONYMs
(Abbreviated Coded Rendition Of Name Yielding Meaning) B^) DAMHIKT
PMFJI but my SO says “FWIW IMNSHO ‘KUTGW’ is rare; OTOH it may be useful.”
wait wait wait… Acronym. Acronym is an acronym? Mind blown.
No, it’s only been retconned to be so.
acronym (n.): word formed from the first letters of a series of words, 1943, American English coinage from acro- + -onym “name” (abstracted from homonym; see name (n.)).
Notice “name” comes from “nym,” that’s the clue.
Acronym is no more an acronym than MARZIPAN.
Actually, it’s a bacronym.
“Kinda of a lazy mf” LOL what a retard
Lol! Frakkin’ hilarious!
On a more serious note though, there’s a lot to be said for “reading comprehension”, and simply being smart enough to determine something’s meaning by the context in which its used.
D00d is a lazy MF, and I’d be more than happy to cure him of that… if I thought he could make it one day on my job site, which I don’t.
If we’re worried about embedded backdoors…. Why isn’t there an open source effort that uses an FPGA? Kinda hard to sneak a hardware backdoor into that right?
Technically, “yes” it would be easier to check for backdoors in the circuit logic language, remember the FPGA isn’t magical, it still runs on actual hardware. Besides the fact that a lot of manufacturers purposefully place backdoors in software, cough “Microsoft/Apple” to name a two, but with 64-bit CPUs, opcodes are getting so long, no one will know what backdoors are in CPUs. Always remember the only unhackable computer is one that doesn’t accept input, or isn’t on. If your interested and have about a hour, watch http://www.youtube.com/watch?v=bCVT1BtlZn0, and watch the successive parts and you’ll learn, understand, and realize, a computer does nothing but what its told to do, it has no brain or thought, so just change the input and blam, hacked.
I don’t know if my point really came across correctly but let me illustrate the point by a story from Defcon 2014. This one guy was hired by a corporation to try to infiltrate their facilities. The main floor and all major doors were monitored, guarded, IDs checked etc. But in the back was an exit for the main execs on the top floor, where there was an elevator that only went from the top to the bottom. So this guy picked the lock to the door, got in the elevator, used a set of service operator keys, then manually controlled the floor of the elevator, took it up, then got off a few floors up. Because the company had such strict restrictions and procedures to prevent unauthorized access, once he got there he had full freedom. When he told the execs how he got in, they replied with, “I was told that doesn’t go up.” Ding, ding, ding. there in lies the problem with all hardware, software, etc. So long as it accepts input (therefore changeable), its hackable. Try to always think back on that story, when you ask, “Is it hackable?” If the hardware already does it, then any statement saying it doesn’t is flawed logic. The computer can’t tell between good software and bad software, it doesn’t have a soul, it just runs anything possible.
There is a difference between ‘input from user’ and ‘input from programmer’. One is (or at least should) be handled as data only or given limited capability, the other is what fundamentally tells the computer what to do. Any programmer can write a program that accepts input and whatever anyone enters into that input the computer won’t come under their complete control (provided whatever libraries the programmer uses to accept input and the computer hardware are secure). Problems are only caused when programmers make errors in handling input (bugs) or intentionally have the program ‘listen’ for certain inputs (backdoors). Your elevator example is a case of the former: the executives failed to account for all possibilities and when an unexpected possibility arose the ‘program’ (the security system and the elevator, which contained the bug) was exploited. Hardware design is similar.
You are correct however in noting that the design in an FPGA could potentially be given a backdoor via the FPGA’s silicon (its real hardware).
You don’t get it, and you are wrong, to put it bluntly. You clearly don’t design hardware, so try to learn rather than teach. All hardware is hackable. There is no universal law that says the way someone intended for it to be used, is exactly or possible to enforce. So long as hardware isn’t self aware, then the person that determines the route in which the hardware takes, is in COMPLETE control. That’s why input is all that is necessary. Software isn’t some magical language that runs on nothing, its just 1s and 0s, so just change the 1s and 0s at the right point, a vwah lah, hacked. YOU CANNOT CONTROL INPUT, EVER. That type of mentality is why hackers can hack so easily, because the assumption is, “If I design it like this, its the only way it can work” yet you fail to realize the logic and reality, just like the elevator principle, it still it identical to 1s and 0s everywhere, every time, in everything else, NO DIFFERENCE, you just reordered the sequence, that’s it. The ONLY computer not hackable, is one with no input, or off, period.
Two problems:
FPGA on a performance/price point of view isn’t that great especially when you are trying to implement things like a processor. You would be lucky to get 200MHz off a core when priced at the target price for the BOM of the final product. SO you are looking at ~$10-ish for that magical FPGA. You’ll also need a much larger and more expensive part if you want to implement the data path of a router and use a simpler uC for control path. Not quite what you can sell at $50 for a final product either.
You would still need to reflash it with something you trust (better). So basic trust issue not solved.
So obviously you are not familiar with the SPARAC designs for Xilinx with cross switched logic
Also ASIC or FPGA IS the way to go on this, there is no high speed routing fabric inside many of these SOC’s used in ‘cheap’ routers, after all , you take a packet from one port and shove it to another one, that is not a job for a CPU ( in fact MANY of these shitty CPU’s string the ethernet ports off I2C or USB… way to bury ANY throughput)
In the case of switches and routers it is about parallel processing not MHz rating in some second rate pipelined CPU
I dream of this, but opensource and FPGA are two words that do not go together. Pretty much all FPGAs on the market are tied up in expensive propriatary software with confusing liscencing agreements. A few open source projects are happening but most of them are just IDEs that just call xilinx/altera’s synthesizer binaries.
sure
http://www.h-online.com/security/news/item/Backdoor-found-in-popular-FPGA-chip-1585579.html
This backdoor is via the jtag port, so as long as it’s limited to that, one would need physical access to the inside of the hardware.
Turtles all the way down.
Why would that be?
No…. it is remarkably easy…. there are multiple papers written about this subject
Kickstarter – keeping “a fool and his money is soon parted” firmly alive in the 21st century.
They suspended the campaign. So they’re actually doing their best to protect fools.
Preventing the scammer from taking their money, just so they can pledge it to the next scammer in line is not what I would call “protecting fools”. Protecting themselves, yes, but not the fools.
How many of these people are actually going to learn from this experience and do actual research next time? Most will probably just shrug, go back to the KS homepage, and start searching for another too-good-to-be-true, vaporware scam to “invest in”.
It sucks that douche bags like this guy (and the Scribble Pen guys) put projects like this on Kickstarter which could potenitally weaken or even kill crowd funding in the future, ruining it for the rest of us.
Guys, was just wondering something.
What’s the point of a TOR enabled router? I’d see that more of a danger than an anonymizer for normal users, since they’d still use it like their everyday router, for all of their critical data to be sent to TOR nodes for easy listening.
You could use it as an “anonymiser 101” for whenever you need some anonymity and you’re too lazy to do it yourself, and then turn it off when you’re done, but then again, the people really needing this should already have done their homework and created the proper tools.
If there’s a real interest out there for that, it must be for a reason, but i don’t see it, so it’d be grateful if someone could tell me
Scumbags like this August guy really piss me off, That funding could’ve gone to a legitimate privacy project such as PriveDrive – https://www.indiegogo.com/projects/prive-drive-a-secure-browsing-environment/x/8887254
There is this STUPID myth, that if you have a computer and pass the traffic through TOR either as a service or as a ‘magic box’ , that you will be protected on all your internet traffic.
It is bollox , it is that simple,
It is akin to taking a picture of yourself with a unique signboard, then sticking a Mc Donald’s bag over your head, taking another picture, posting both on the internet and challenging people to identify you.
TOR only works as a very carefully controlled service and is only capable of protecting specific traffic, moving the ‘gateway’ further out from your computer only has the potential to weaken any protection the service may give you…….
Are you saying facebooking through tor isn’t anonym?,??, WTF man?
That is pointless, I want a anonimizer box, so I can freely troll on facebook!:)
Yep… that is the problem, the number of complete cretins that use TOR, but then log into a known account, even torrents are not secure.
It is as if someone read a little about TOR, then saw the warnings about links that are triggered outside of the Tor secured browser, and though “Hay I know how to fix that…. I can secure ALL the traffic with a black box” so now we have these idiots logging into their secured bank accounts via TOR, better still routing emails to/from their email server without TLS now means that you have UNSECURED textual traffic going via an unknown route possibly via a sniffing gateway…. and all because some tosser thought it was a ‘good idea’ to make a TOR router….
It’s not really a scam, it’s just misleading. The product exists and does what they say.
They just lied about creating the hardware and have made some very poor security decisions.
This isn’t unusual, most of the projects I see on Kickstarter are already available on Ali or eBay in a slightly different format. For example on Kickstarter you might see a wireless bathroom speaker shaped like a whale. The same thing is being sold on eBay from China for a fraction of the price but instead of a whale, it’s a Dolphin. Same electronics, same plastic, same everything.
GOML == Get Off My Lawn
( ItsThatIdiotAgain Goes back to polishing his thermionic valve powered Troll eliminator).
Hah they are here also i think:
https://www.indiegogo.com/projects/invizbox-privacy-made-easy