Tunnels and Proxies

Summary

After working with tunnels and proxies in Variable we moved to La Poissonnerie where Wendy Van Wynsberghe, one of the hosts of this session, relates the major events of this workshop. We are sitting in the fridge of the former fish shop. She is on a small stage with a webcam, plates, fluorescent green cardboard cutouts of words. People are sitting around the stage and by the fireplace. There is a bar serving organic local beers and wines.

A beetle walks onto a dinner plate with a paper cutout of the word Jitsi. Jitsi[1] (or Жици in Bulgarian, which means “cables”) is a voice over IP[2] application. We carry our voice over the Internet Protocol. “We’re numbers.”


From Wendy Van Wynsberghe’s performance following her “Tunnels…” and “Boxes…” workshops, live translation by An Mertens.


The beetle slides off the plate when Wendy removes the cutouts. Dramatic twist of events. But the tragic hero finds its way back to the plate, together with a cutout of the words XMPP protocol. We talked to each other, we found out the IP address[2] of our machines and spoke to each other via the machines, encrypted! Wendy shakes a cutout with an encryption key on it. We wanted to create a VPN (Virtual Private Network)[3], a tunnel back to the IP address[2] where information floats through a tunnel allowing us to communicate with another machine in a secure way.

Why did we want to do that? Sometimes a government does not allow for certain kinds of communication. Of course it has to be encrypted.

We got lost in configuration, Wendy concludes.


Notes

Read the live notes at: <http://vj14.constantvzw.org/r/notes::friday>


Aim of the workshop: from IRC[4] chat to Jitsi[1] and from IPsec[5] to OpenVpn[6] or TincVpn[7]; come dig a communication tunnel with us. Will we reach the other side? Or will we get lost in configuration?


We’ll talk about communication but also about hiding. Talking to each other through encrypted channels. Configuring VPN[3]. “We’ll go under.” What started all this hiding? Verification. Verifying you’re really dealing with the person you want to communicate with. The first step is a message of authentication using Jitsi <https://jitsi.org>. Jitsi[1] runs a little server which constantly listens on the ports. You need someone’s IP address[2] to make phone or video calls. If you know the IP address and you’re in the same network, it listens and you can phone each other. All IP addresses have to be in the same range. Local network addresses are not routable, so you cannot be reached by someone outside of the local network.

full house,
Guillaume is cooking,
smell of soup arriving through glitch under door,
small sounds are coming from the kitchen tools while Wendy is reading

Wendy explains how Jitsi[1] works and what it can do… An example: Wendy wants to talk to Femke, who is at a location where all communications go through Pieter, who wants to block, or spy on, their exchanges. How is this communication blocked? Through the blocking of IPs[2]. A proxy is a server which functions as a relay station, passing communication through so that blocked IPs[2] are not visible. When you inspect a packet, you can see that the second part is read by the router to see where to send the packet; the rest it just sends on. Jitsi puts for instance XMPP/Jabber inside this wrapper/envelope. Our situation has a router communicating between the public and private network. The Jitsi[1] application sets up a service to do session initiation. Here Jitsi[1] can find us all because we are all on the same network.

Jitsi uses lots of protocols, XMPP
[we go offline, the network does not do the job, we lose info —sad, because it is nice to write together]
Workshop Tunnels, dig into communication


Audience
What is a tunnel?

Wendy
A tunnel is a point-to-point connection through the use of dedicated connections, encryption or a combination of the two.

Audience
What is a port?

Wendy
On a computer there are different processes. The Operating System (OS) needs to know to which process it should send the data. Through assigning port numbers, the OS will be able to tell by which process the data needs to be processed.

Wendy and Denis give an example of a port block work-around. Denis’ Etherpad uses port 8000 but this was blocked at Namur University. If you want to use Etherpad when you’re on a network that blocks a certain port, you need to change or add a port on the webserver that is running Etherpad, so that packets from, for instance, port 80 are also processed by Etherpad.

e.g. SMTP uses port 25; webserver listens to port 80
point-to-point: be precise on how to communicate

doorbell! Two people come in
Who wants to be the webserver?
Pieter is a proxy!
proxy: relay station of web, not for chat...
“we’ll go under”
proxy = http
tunnel = speaking into Pieter’s mouth ~ ssh

In the case of Virtual Private Networks (VPN)[3], the tunnel is a wrapper with packages inside. Tunnels might look suspect, but ISPs cannot decrypt the communication. Using a VPN[3], all envelopes are stamped with Pieter’s name and a specific port number they agreed on. Pieter will open the package; on the inside envelope Wendy will have put Femke’s name. Encryption protects who can open which layer. Pieter sees all traffic that is going on: he sees when it is locked and thinks it may be suspicious.
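The envelope-inside-an-envelope idea above, as an added Python example that is not part of the workshop notes: an outer envelope stamped with the relay’s name and the agreed port, a sealed inner envelope carrying the real destination, and a function showing what an ISP on the path sees without the key. The cipher is a standard-library teaching construction (HMAC-SHA256 keystream plus an HMAC tag), not what a real VPN uses; the names, port and message are constructed.

```python
import hashlib, hmac, os, struct

# Constructed teaching cipher: HMAC-SHA256 in counter mode as a keystream,
# plus an HMAC tag (encrypt-then-MAC). Runs on the standard library only;
# a real VPN (IPsec, OpenVPN, tinc) would use AES-GCM or ChaCha20-Poly1305.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: inner envelope altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def wrap(inner_dst: str, payload: bytes, tunnel_key: bytes, relay: str, port: int) -> bytes:
    """Wendy's side: outer envelope stamped with the relay's name and the agreed
    port; the inner envelope (real destination + payload) is sealed."""
    inner = inner_dst.encode() + b"\x00" + payload
    return relay.encode() + b"\x00" + struct.pack(">H", port) + seal(tunnel_key, inner)

def isp_view(packet: bytes):
    """What anyone on the path sees without the key: relay name, port, and the
    size of the locked inner envelope. Femke's name is not visible."""
    relay, rest = packet.split(b"\x00", 1)
    return relay.decode(), struct.unpack(">H", rest[:2])[0], len(rest[2:])

def unwrap(packet: bytes, tunnel_key: bytes):
    """Pieter's side: open the outer envelope and read the inner destination."""
    _, rest = packet.split(b"\x00", 1)
    dst, payload = open_sealed(tunnel_key, rest[2:]).split(b"\x00", 1)
    return dst.decode(), payload
```

The ISP still learns the relay’s name, the port and the size and timing of every envelope, which is why the locked traffic “looks suspicious” even though its contents and real destination stay hidden.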

Audience
Is Tor a darknet or a tunnel?

Pieter
Tor is being monitored, so they keep rewriting, relaying etc. Tor originated 6 or 7 years ago from a USA military lab. It is still being sponsored by them to initially conceal heavy diplomatic traffic… Using Tor means there are many different signals from proxies linking before the transfer is linked to the final destination. It is always changing random links throughout the network so nobody would know anymore where the packages come from and where they go to.

Audience
Is TOR secure and anonymous?

Denis
Yes and No.

Audience
It is not really anonymous? Is it still traceable?

Denis
My project <http://domainepublic.net> became a Tor exit node[8] for a month but received legal notice that it was under investigation because the address that was used was usually attributed to pedophile pornography images. I wanted to be a final node to be able to provide anonymous and secure access to the Internet. We replied with a very polite letter explaining what Tor is and why we had decided to do what we did and they never bothered us again. We could have been fined or even taken into custody or put in jail for not logging our IP addresses, for instance. We would have needed a whole team of lawyers to get us out of there. If the servers that host the Tor nodes would have less constraining legislation, it could be alright.
Still you can never know who was the originator of any channel. Tor numbers show that banned sites receive a lot of visits. Tor uses tunnels to reach the other nodes so it’s the same mechanism as Jitsi[1].

Wendy launches Tor.
We decided not to have tor in the workshop,
it’s off-topic
[hey people! Tor was not on the program, on purpose]

Audience
Last question on Tor! What extra services do you need to be an exit node for Tor?

Denis
You need money for a lawyers team to protect your rights, resistance capacity, etc.

$ ifconfig
$ ping 192.168.42.107

It will be a one-on-one communication where each person gives their IP[2] to another and sets up Jitsi[1] to start a chat. People start wearing their IP on paper tape stuck to their shirt. IP addresses[2] have to be in the same range —with us all connected to the same router, it’s the case. Inside a router you have one leg in the local network and one leg at the provider. After installing Jitsi from <http://jitsi.org> people try to connect to each other. Get your IP address with command-line tools: ifconfig. After starting Jitsi[1] you need to add a SIP account; you simply create a username and password. Then you sit with someone and add them as a contact by adding their username. SIP figures out their IP. It is only working for a few.

INTRANET created in many countries for censorship.
TUNNELS against censorship.
PROXY is http and tunnel is a relay station.
VPN[3] virtual private network becomes a “tunnel”
A VPN[3] extends a private network across a public network, such as the Internet.
PORT which processes to get a parcel where it needs to go.
PORT NUMBERS.
PORTS are like docks for info, parcels they pass by them.

Calling Istanbul…

We’re going to connect to someone, to Baris Fidaner, who is in Istanbul, through Freenode <http://webchat.freenode.net>. People who use these techniques are situated in countries where there is censorship.


Contribution of Baris in #vj14 @ webchat.freenode.net:

1. An announcement with three quotes from the tragedy _Antigone_ by Sophocles (-441);
2. A brief statement on its significance;
3. An image with an explanatory phrase to register this significance.

http://fidaner.wordpress.com/2013/12/13/right-to-encryption/


But to reach Istanbul, it is different: Fidaner has no public IP address[2], only a local one with the router in between. So Jitsi[1] sets up this service relaying Jabber messages. Fidaner has an account there, and so does Wendy. In the middle is this machine relaying messages, so the problem is bypassed. Bulgarian servers are doing the relaying. So you are relying on Jitsi for this and there is still a third party in the middle, but the data is encrypted so communication is safe in that sense.

When the call gets initiated, Wendy receives a code she has to verify with Fidaner. She is not receiving sound/video (using ZRTP, encrypted audio/video with a “secret key” which both need to accept by a one-on-one captcha (point-to-point), no man in the middle). The packets are sent directly to the public IP of the person we’re talking to (not through Jitsi servers in Bulgaria). For some reason, he is only receiving video, so they cannot verify.

This verification code is part of the encryption, you should both have the same key in your display and read the key to each other to know you’ve established a connection (with the right person).
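Why reading the code aloud works, as an added Python example that is not part of the notes: both sides derive a short authentication string (SAS) from the key they agreed on, the way ZRTP does, and a man in the middle who relays the call has to run a separate key agreement with each side, so the two strings stop matching. The Diffie-Hellman group is a deliberately tiny constructed toy, not ZRTP’s real parameters, and the participants’ names are taken from the notes.

```python
import base64, hashlib, secrets

# Constructed toy Diffie-Hellman group, small enough to run instantly.
# Real ZRTP uses 2048/3072-bit MODP groups or elliptic curves; never use this.
P = 2**61 - 1
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)

def sas(shared: int) -> str:
    """Short Authentication String: 4 base32 characters (20 bits) derived from
    the agreed secret, the form ZRTP shows in the call window."""
    digest = hashlib.sha256(shared.to_bytes(8, "big")).digest()
    return base64.b32encode(digest[:5]).decode()[:4]

def honest_call():
    """Wendy and Fidaner exchange public values directly: both see one SAS."""
    w_priv, w_pub = dh_keypair()
    f_priv, f_pub = dh_keypair()
    return sas(dh_shared(w_priv, f_pub)), sas(dh_shared(f_priv, w_pub))

def intercepted_call():
    """Pieter sits in the middle and agrees a different key with each side.
    He can now decrypt both legs, but the SAS Wendy reads out will not match
    the one on Fidaner's screen, which is what the spoken check catches."""
    w_priv, w_pub = dh_keypair()
    f_priv, f_pub = dh_keypair()
    p_to_w_priv, p_to_w_pub = dh_keypair()   # Pieter's key towards Wendy
    p_to_f_priv, p_to_f_pub = dh_keypair()   # Pieter's key towards Fidaner
    wendy_secret = dh_shared(w_priv, p_to_w_pub)     # Wendy got Pieter's value
    fidaner_secret = dh_shared(f_priv, p_to_f_pub)   # so did Fidaner
    pieter_legs = (dh_shared(p_to_w_priv, w_pub), dh_shared(p_to_f_priv, f_pub))
    return sas(wendy_secret), sas(fidaner_secret), (wendy_secret, fidaner_secret), pieter_legs
```

Because the SAS is only 20 bits, ZRTP also caches a shared secret from earlier calls so that a relay cannot simply hope the two strings collide by chance.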

Trying out another time with 2 local machines and it’s working perfectly. Sound and video and feedback. Lasse is connected with a Jabber account in Austria. Luisa and her friend managed to use Jitsi[1] with XMPP.

12h56

Fidaner waited for 3 hours in Istanbul to connect to us, so now we’re writing something for him on the whiteboard, since audio is not working. Femke and Maaike do a live video performance introducing themselves with drawings and gestures via webcam getting text back from Fidaner over the chat.


Wendy apologizes for getting stuck in configuration.


Fidaner
We are always stuck in configuration, there is nothing else to get stuck in.

  1. Jitsi (Жици) is an audio/video Internet phone and instant messenger written in Java (a F/LOSS VoIP client). It supports some of the most popular instant messaging and telephony protocols such as SIP, Jabber/XMPP (and hence Facebook and Google Talk), AIM, ICQ, MSN, Yahoo! Messenger.

  2. An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g. computer, printer) participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: “A name indicates what we seek. An address indicates where it is. A route indicates how to get there.”

  3. A VPN or Virtual Private Network extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two.

  4. You’ve reached Freenode <http://webchat.freenode.net>, an IRC network providing discussion facilities for the Free and Open Source Software communities, not-for-profit organizations, and related communities. In 1998, the network had about 200 users and less than 20 channels. 15 years later, the network peaks at over 80.000 users. Freenode is run entirely by volunteers hailing from the wider FOSS communities which we serve. Our combined network staff and development base is made up of around 40 dedicated men and women. We can all be found in #freenode on the network.

  5. IPsec or Internet Protocol Security is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

  6. OpenVpn is an open source software application that implements Virtual Private Network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL). OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

  7. Tinc is a self-routing, mesh networking protocol, used for compressed, encrypted, virtual private networks.

  8. You can choose to be a Tor node or a Tor end-node. When you are a node, you accept connections from other Tor nodes, you’ll unpack and repack data, and send it on to the next node. All these exchanges stay within the Tor network. Then the data needs to leave the network. You can also choose to be an end-node, that makes data exit. Your IP will be linked to the data (Pieter: “you need to be willing to attach your IP to this data that is sent to this smelly stinky server.”) Denis mentions Domaine Public which used to be a Tor end-node, but it received legal notice that it was under investigation. It could have been forced to log IP addresses[2] and could have gotten a fine.