Peek-a-Boo(ty) 297

Anemophilous Coward writes "Tom's Hardware has a story detailing cDc's new anonymity app, just demonstrated Sunday. Peek-A-Booty is designed to let surfers access sites blocked by government restrictions, and is, essentially, a distributed proxy network. It uses a peer-to-peer model, masking the identity of each node. This means the user can route around censorship that blocks citizens' access to specific IP addresses, because the censor doesn't know they're going there. There is also a website dedicated to the project."

  • Isn't there a much easier way to do this? I know a lot of people that have simple proxies set up on an address that they know isn't blocked, then you can access everything you need to through them. (HTTP at least). Very simple solution to the problem.

    Aside - I first read cDc as 'Center for Disease Control', heh, sure changed the article.

    • by Nijika ( 525558 )
      The problem is restrictive governments have people on staff to look for stuff like this. This app (while I haven't tested it) pulls from multiple sources. I like the idea a lot. Sorta moving towards a P2P web network where you can browse content like you do now but peer to peer rather than client / server.
  • by Dark Paladin ( 116525 ) <jhummel.johnhummel@net> on Monday February 18, 2002 @12:01PM (#3026712) Homepage
    I can see both the good and bad of this application.

    On the good side: China. Folks over there who have to deal with the gigantic "Firewall O' Death" (also known as the "Damn it, Communism works so stop reading about how it doesn't" Firewall) can possibly use this tool to get to the outside information they need to keep spreadin' the news that "Information good."

    On the other side, as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job.

    So I've got mixed feelings on this utility.
    • On the other side, as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com

      What exactly does that have to do with security? Doesn't a "security manager" have anything better to do? If anything, be concerned because it's an encrypted channel for information to move in and out, not that someone might <gasp> be doing some personal surfing on the job</gasp>.

      If these sorts of applications make it harder for security "managers" to play Network nazi (small 'n'--Godwin's law does not apply here), then that is an added benefit, so far as I see.

      • I hope you can keep your ideals when some bank employee surfing for his lunch break masturbation material hits a malicious site. You'll get your account balance back eventually, but not before a bunch of bounced checks and no cash from the ATM ruin your life for a while.

        And before you say that drones' computers don't have that kind of access, remember: it's always the higher ups that think the rules don't apply to them. How about Mr Branch Manager or Ms VP/Accounting getting their workstation compromised?
      • by YU Nicks NE Way ( 129084 ) on Monday February 18, 2002 @01:23PM (#3027186)
        I agree that jpegs of naked cheerleaders with hairy eyebrows are not security issues in and of themselves.

        That doesn't really matter, though. The most vulnerable part of any corporate network is its users, now. A user who's violating the acceptable use policies for his or her employer's network is an automatic security risk. First, such an employee becomes a possible blackmail target. In the case of porn, a network admin must bar porn on a professional network because of the possibility of a sexual harassment suit being filed against the company. That means that the AUP must make accessing such materials through the corporate site a disciplinable offense...hey, presto, instant blackmail. Second, though, any user who is actively subverting procedures put in place to prevent such abuse must believe that he or she "knows better than you do". Although the user's right in the vast bulk of cases, the cost in those rare cases where they're wrong is disastrous. What if the site is malicious? If they can get around your barriers, then what else are they downloading? Do they necessarily even know? How tight are the barriers around their machines?

        Would you be willing to bet the company on their care?
        • First, such an employee becomes a possible blackmail target. In the case of porn, a network admin must bar porn on a professional network because of the possibility of a sexual harassment suit being filed against the company.

          This often-repeated argument will make sense to me once there are other "security" personnel going through people's desks and briefcases looking for porn. Until then, it's just a silly rationalization for cheap power trips.

          Second, though, any user who is actively subverting procedures put in place to prevent such abuse must believe that he or she "knows better than you do".

          Sounds like a thought crime to me.

          Although the user's right in the vast bulk of cases, the cost in those rare cases where they're wrong is disastrous. What if the site is malicious? If they can get around your barriers, then what else are they downloading? Do they necessarily even know? How tight are the barriers around their machines?

          Those are problems for the security people to solve. Telling people "You can't bring your own food in for lunch because we don't know that you won't jam peanut butter in the locks" just makes me think you need to hire a better locksmith.

          Would you be willing to bet the company on their care?

          If the computer systems you provide are so easily compromised that any random input source spells doom for your company, then you clearly have selected the wrong computer systems.

      • Already, we have the "Internet 2" project for researchers, so they can have their own Internet, free of commercial traffic and home users clogging things up with streaming video/audio and file downloads.

        I see more of this coming. In the future, I predict businesses will get together and pay in to some sort of entity that builds (or promises to build) an independent Internet type network just for business purposes. If you're a porn provider or warez site, you simply won't qualify to be a part of this private network. The only question remaining is how many ties to the rest of the Internet will it have? It seems it has to have at least a few, because employees working from home will want to tunnel in via VPN to the workplace.
    • Where I work they have the drones' boxen locked down so they can't change their proxy settings. Thus PeekaBooty is not a problem.

      The more inspired drones have installed Opera, which doesn't require administrator access to install in Windows. They could presumably use PB. They're a small minority, though.
    • On the other side, as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job.
      Here's a novel idea. How about monitoring employees' productivity instead. I could care less if my employees look at porn as long as no one complains and the work gets done. As soon as one of those two criteria change, then I get involved.

      Cat
      • I could care less if my employees look at porn as long as no one complains

        I guess you haven't been sued under the "creating a hostile work environment" sexual harassment theory. Yet.

        Personally I could care less what my employees do so long as they produce. However the government makes me liable for certain on the job employee activities. Unfortunately that means I have to keep a lid on things.

      • The biggest problem I see is management content to drop the whole Internet surfing problem in the lap of the I.T. department. What most I.T. workers are saying is "Hey, I want to spend my time taking care of the computer systems and network -- not becoming the Internet police."

        It's the job of a manager to oversee his/her employees and make sure they're using their time efficiently. As I've always said, employees who want to waste time will find a million ways to do it. If you restrict them from surfing the net, they'll just talk to friends on the phone, or bring in a newspaper to read, or walk the halls with a cup of coffee and try to look busy.

        I have no problem with putting the basics of an automated system in place to block known porn sites and other blatantly illegal sites. Just by doing that, you're showing you took measures to prevent sexual harassment in the workplace. I think most companies would like to be in a position to say they did that, if it ever came up in court.

        Beyond that, I think it's wrong for managers of other departments to request/expect I.T. to "fill them in on what so-and-so is doing on the web", or to complain that something's not "locked down tight enough". If you know you have employees surfing where you don't want them surfing, take care of it yourself!
        • Beyond that, I think it's wrong for managers of other departments to request/expect I.T. to "fill them in on what so-and-so is doing on the web", or to complain that something's not "locked down tight enough". If you know you have employees surfing where you don't want them surfing, take care of it yourself!

          At my last admin gig, I refused to provide managers with info on what sites were being accessed, what email was being rec'd, and what personal files were on hard drives. If a direct order didn't come from an executive or the IT Director, then it was not my place to rat out employees.

          Talk about liability! I have no way of knowing/proving that John Doe accessed this site. I only know that John Doe's PC accessed xxx.com. But PHB's won't understand the difference.

          Managers wouldn't ask someone in a cube farm what the guy next to him was surfing, why should I be put in that position? The other employees are my colleagues, and I refuse to disrespect them simply because I control the servers.

    • As a security manager, you should learn how to lock down the computers that the users are using, thus preventing the installation and deployment of this utility.

      Additionally, your security policy should have language forbidding the use of non-authorized software, thus making the use of said software a fireable offense.

    • by shut_up_man ( 450725 ) on Monday February 18, 2002 @12:18PM (#3026824) Homepage
      Dude, you're such a tease... nakedhairyeyebrowedcheerleaders.com doesn't even exist!

      And here I was getting all excited...
      • On the good side: China [...] to keep spreadin' the news that "Information good."

      Er, good side: USA. To find DeCSS or similar tools without fear of prosecution, for example, or to keep spreadin' the news that "Censorship bad, even when it's done by a (heh) democratically (heh heh) elected (heh heh heh) administration."

      • as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job

      Depends on what your job is. If your job is to protect the bank from liability, anonymised browsing allows you to state with certainty "Nobody can link us or our employees with porn surfing. Not us, not nobody."

      If you've been tasked with catching a known baddie in the act (perhaps at preteenlolitas.com), then you've got keyloggers, machine caches (they don't have admin access, right?) or just drop VNC [att.com] on their machine and catch them with their pants down, so to speak.

      I appreciate your concerns, but really, wouldn't it actually make your job easier if users showed a little courtesy and consideration, and stopped waving their dodgy surfing habits in your face (so to speak)?

    • by smallpaul ( 65919 ) <paul@@@prescod...net> on Monday February 18, 2002 @12:24PM (#3026859)

      So what you're saying is: "On the good side, fundamental human rights. On the bad side, makes life harder for pointy haired bosses who feel that lunch breaks spent playing cards are fine but lunch breaks surfing porn are an abomination."

      And this gives you mixed feelings???

    • as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job

      No problem. Whatever port is at the other end, the language spoken on the browser's connection will still be easily recognizable HTTP. You should already have an IDS running, and adding a signature for the "offending" HTTP traffic should be a no-brainer.
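
An added example, not part of the original thread and not code from any IDS product: a minimal Python version of the signature the comment above describes, matching an HTTP request line on any port and separating proxy-style requests (absolute-URI targets and `CONNECT`) from ordinary ones. The function names, the port set, the sanctioned-proxy list and the sample flows are all constructed for illustration.

```python
import re

# METHOD SP request-target SP HTTP/x.y CRLF, anchored at the first payload byte.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/(\d)\.(\d)\r?\n"
)

# Assumption: ports on which plain HTTP is expected in this environment.
STANDARD_HTTP_PORTS = {80, 8080}


def classify_payload(dst_port, payload):
    """Classify the first client-to-server bytes of a TCP stream."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # Includes TLS records (first byte 0x16): an encrypted hop carries
        # no cleartext request line, so this signature cannot see into it.
        return "not-http"
    method, target = m.group(1), m.group(2)
    if method == b"CONNECT":
        # CONNECT host:port is only ever sent to a proxy.
        return "http-proxy-connect"
    if target.lower().startswith((b"http://", b"https://")):
        # Browsers send the absolute URI only when configured to use a proxy;
        # requests to an origin server carry just the path.
        return "http-proxy-absolute-uri"
    if dst_port not in STANDARD_HTTP_PORTS:
        return "http-nonstandard-port"
    return "http"


def scan(flows, sanctioned_proxies=frozenset()):
    """Return alerts for flows that look like HTTP where it is not expected.

    flows: iterable of (src_ip, dst_ip, dst_port, first_payload_bytes).
    sanctioned_proxies: destination IPs of the organisation's own proxies.
    """
    alerts = []
    for src, dst, dport, payload in flows:
        verdict = classify_payload(dport, payload)
        if verdict in ("not-http", "http"):
            continue
        if verdict.startswith("http-proxy") and dst in sanctioned_proxies:
            continue
        alerts.append((src, dst, dport, verdict))
    return alerts


# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.6", "198.51.100.7", 4444,
     b"GET / HTTP/1.0\r\n\r\n"),
    ("10.0.0.7", "198.51.100.8", 8000,
     b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.8", "192.0.2.20", 3128,
     b"CONNECT example.net:443 HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", "198.51.100.9", 443,
     b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a"),
    ("10.0.0.9", "198.51.100.9", 8443,
     b"CONNECT example.net:443 HTTP/1.1\r\n\r\n"),
]

SAMPLE_SANCTIONED = frozenset({"192.0.2.20"})

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS, SAMPLE_SANCTIONED):
        print(alert)
```

The TLS sample shows the limit of the approach: once the client-side hop is itself encrypted, a cleartext request-line signature no longer matches and detection has to fall back on endpoint or flow-level data.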

    • On the other side, as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job.

      Well, having been at a bank myself, that's the least of your problems. :)

      I'd be more concerned if my tax dollars were used to buy filtering software for schools/libraries....
      Which I was against -- SEE! TOLD YOU SO! :)
      Next time, just buy another corporation another stadium.

    • If I'm an Evil Oppressive Government (TM), does this really do anything to circumvent my ability to oppress the masses? Great, so a bunch of dissidents decide to go out and get their information on-line through this system. I, as the Evil Oppressive Government use my intelligence networks and eventually discover this system. So what I do is find several of these proxies and begin logging their activity.

      A few months later after I've seen a lot of people going to these systems I begin sending out visitors in the wee hours of the night to "educate" these people. Really these systems may actually make it EASIER to find incorrect thinking individuals. I don't have to compromise an entire network of dissidents, I just have to find a couple proxy sites and let the proxy logs do my work for me.

      I've spent a lot of spare brain cycles thinking about this stuff and it seems like you really need a way to obfuscate the nature of your communication over multiple channels. You need legitimate looking sites to act as proxies and to limit the frequency and size of transmissions to reduce their visibility. Anything that can make connection profiling possible rules it out as a viable solution.

      Now, this system does have a host of possible uses, don't get me wrong. It will make it possible for somebody at the library to work around net nanny software, etc. It will make it easier to avoid the snoopy firewalls at the office who want to keep track of how many times I visited Ebay today. But I don't think this will do dissidents much good.
    • I'm being told that you can access all major news sites on China - if you can read German.

      The situation in China is not as bad as you might think, and while there are repeated announcements about tightened Internet control, it does not seem to be of much relevance to the casual surfer.
    • It's a big game with no resolution. There will always be some who want pure freedom, and others who want to restrict it, and there will be people developing software on both sides.

      It will never end, and there will never be a winner. The game just goes on and on and on...move and counter move, move and counter move...

      It certainly is fun to make the other team (whoever they may be) squirm, though.

    • Wait a minute...those aren't pom-poms! Ewww, gross!
    • If the productivity of an employee is down because he's wasting his time playing around on the computer, then whose business is it *how* that time is being wasted? It should be no more of an offence to waste time with online porn than it is to waste time online on, say, slashdot. Why does the corporation care one way or the other? All that matters is whether the person is doing their job. If they aren't then it doesn't matter on *what* they are wasting their time.
    • Such acts to subvert the "Great Firewall of China" would be considered of course to be a breach of "ethics" in China, and they have ways of dealing with this:

      In Rural China, Mental Hospitals Await Some Who Rock the Boat [yahoo.com]

      There is nothing as cathartic as nerve stapling those little drone bastards to keep them in line...
      -- Chairman Sheng-ji Yang, The Human Hive

  • Anyone else see the irony of one of the world's largest "hacker" groups using phpNuke - a piece of software fraught with cross-site scripting and other vulnerabilities - for its web site?
  • Hopefully this can bring uncensored internet to places like China, that don't have access except through government controlled (and censored) ISPs.

    Hey, let's start an open source version. Slashdotters might actually do something positive for free speech and all that for a change. Reply to this message if you're interested, and we'll get something set up.

  • by IIOIOOIOO ( 517375 ) on Monday February 18, 2002 @12:06PM (#3026755)
    That it's going to be pretty hard to gain mass-legitimacy with a name like that?

    Freedom Fighter: Acolyte, what tool do you suggest we use to access the world of internet while circumventing our government's oppressive restrictions?

    Acolyte: Peek-A-Booty

    Freedom Fighter: Please go away.

  • Although public proxies have been around forever, this takes them to a whole new level. If a business uses any kind of filtering software, those can be modified to block the public proxies.
    With a p2p type of service, anyone, anywhere can be a proxy. You'd have to be crazy to try and start blocking every IP or address block on the Internet because they offer public proxy services.
    My thoughts on the whole thing are: Why censor the Internet in the first place? Programs like this would be unnecessary.
    • Re:public proxy (Score:3, Insightful)

      You'd have to be crazy to try and start blocking every IP or address block on the Internet because they offer public proxy services.

      My guess is that that's exactly what will happen in restrictive environments if this becomes widespread. A corporate/state "whitelist" will be used to list acceptable sites and all others will be forbidden. If something is found that might be useful, the powers that be can be petitioned to add it to the whitelist. This will of course castrate the power of the net in those restrictive environments, but that's precisely the point, particularly in China.

      • This will of course castrate the power of the net in those restrictive environments, but that's precisely the point, particularly in China.

        At some point greed usually overwhelms power-hungriness. Do you think China wants its scientists, programmers, economists etc. to fall behind the rest of the world? I think that eventually the whitelist will crumble.

  • re: peek-a-boo (Score:2, Informative)

    by chill_17 ( 552639 )
    hmmm, makes me think of:
    Triangle Boy [rfa.org] and the Freenet project [freenetproject.org]

    anybody know which program is actually the most practical?
    • They addressed safeweb (triangle boy) in the demo. Turns out there is a bug where a given site you visit can get your whole browsing history if you use safeweb....so not a good idea
  • by Rogerborg ( 306625 ) on Monday February 18, 2002 @12:08PM (#3026766) Homepage

    See also the earlier Crowds [att.com] project courtesy of att.com (and while you're at it, if you use a network of systems [X, Windows, Mac, or anything with a Java browser] check out the amazing VNC [att.com] project).

    Problem is, Crowds fell foul of the [brzzt, crackle] VERY SENSIBLE AND FOR YOUR OWN GOOD [bzz, pop] US laws on exporting encryption, and required you to sign a Declaration of Patriotic Fervour [att.com] to get your hands on it, which rather limited its usefulness in restrictive regimes that monitor and censor their citizens (other than the US, I mean).

    Hopefully cDc will be able to get this thing prospering in the wild before they get charged with Conspiracy to Share Knowledge, or whatever. Good luck, guys, and remember, get that source out there early, and get it out there often.

  • Excellent! (Score:4, Funny)

    by 1stflight ( 48795 ) on Monday February 18, 2002 @12:10PM (#3026774)
    For countries living under such horrible restrictions as government monitoring, and censorship with the threat of armed arrest this product will really help restore some sense of freedom...especially here in the United States ....
  • Isn't it ironic... (Score:5, Interesting)

    by devaldez ( 310051 ) <{devaldez} {at} {comcast.net}> on Monday February 18, 2002 @12:13PM (#3026792) Homepage Journal
    ...that the peek-a-booty website requires registration?! I thought the whole thing was directed toward anonymity.

    The day an anonymous website gets registration info from me is the day I cross completely into PHB syndrome.
    • ...that the peek-a-booty website requires registration?! I thought the whole thing was directed toward anonymity.

      Create an anonymous email address and use that to register. You can get free pop mailboxes from Portland [portland.co.uk], or use www.sneakemail.com's anonymizer. [sneakemail.com]

    • by Cycon ( 11899 )
      ...that the peek-a-booty website requires registration?! I thought the whole thing was directed toward anonymity.

      From the Peek-A-Booty Website [peek-a-booty.org]:

      Peek-a-booty.org and anonymity
      Posted on Monday, February 18 @ 14:46:12 PST by MrHappy

      [Peek-a-booty.org] On Slashdot devaldez wrote: Isn't it ironic that the peek-a-booty website requires registration?! I thought the whole thing was directed toward anonymity.

      While I suspect this might have just been intended as a cheap shot nevertheless it is a good and valid question. So to answer...

      First: this site doesn't require registration. You are more than welcome to post anonymously. Your posting name will be "Anon" and no identifying information about you will be recorded.

      Second, and more importantly, we don't actually care who *you* are per se, we're more interested in you creating an identity (or identities) here. Why? Because it allows others to recognize you; it builds familiarity and trust.

      Take for example the identity of someone who consistently submits excellent, insightful material. As you read this person's submissions you might begin to develop a trust metric around them: articles they submit are better than articles submitted by someone else. Their having an identity creates a particular value for you and vice versa.

      The only thing required to register on this site (and remember: you don't have to register) is an email address. By all means create a free one somewhere, use that to get your password and then forget about it.

      There's you, there's your identity, there's anonymity. It's all up to you.

      --Cycon

  • by kryzx ( 178628 ) on Monday February 18, 2002 @12:14PM (#3026799) Homepage Journal
    Ok, the premise sounds good, peer to peer to route around restrictions. But if I'm in the peer network, does that mean others are accessing sites they can't get to through my computer? So will goatse.cx be showing up in the company logs next to my computer's ip address? If I'm proxy serving for someone who can't get to it, it seems likely.
    • Any time you run a service open to the internet, you don't know who is using your computer. The whole point is that any one can. Put a webserver up? Anyone can use it. Put an ftp server up? anyone can use it.
    • by Rogerborg ( 306625 ) on Monday February 18, 2002 @12:48PM (#3026987) Homepage
      • I'm in the peer network, does that mean others are accessing sites they can't get to through my computer?

      Exactly. Although the request may come from an intermediary, and you may forward it on to another intermediary. The idea is that you'll never know, nor will you be able to view the SSL encrypted packets to even know what the data is.

      • will goatse.cx be showing up in the company logs next to my computer's ip address?

      Unfortunately, this is exactly what it means. However, your company will doubtless have a firewall in place that will stop you servicing incoming Peek-a-Booty requests anyway. Chances are, though, you will still be able to use it if you want to surf for donkey porn from work, so Peek-a-Booty is in (slight) danger of dying a quick death through leeching.

      Incidentally, most residential cable and DSL customers will find that their contracts prohibit "providing services" to the internet community. Peek-a-Booty is definitely such a service. It doesn't even have the post-Napster excuse that you're necessarily getting anything in return (as a patriotic consumer should). Expect Peek-a-Booty to be about as popular with ISPs as a surprise IRS audit.

  • Those who need this most are perhaps people fighting against human rights abuses and living under oppressive regimes. The problem is that the simple act of installing Peek-a-Booty could potentially put these people at risk.

    Furthermore, since the software acts as a proxy service, this means that anyone, anywhere could potentially be hosting controversial material at any given time.

    The cDc acknowledges this, in an interview with The Register [theregister.co.uk]:

    "The app can be obscured, but not hidden as you correctly point out. We are going to give advance briefings to grassroots organizations who will act as one distribution chain; risk assessment will be part of that. Obviously, if someone is already on 'state radar', they would not be a suitable candidate," cDc member Oxblood Ruffin told us.

    The above is from an article dated July 2001, so it might not be entirely up to date. Still, think twice and do your own research before installing if you for some reason are afraid of having the authorities come knocking on your door.

  • by SMN ( 33356 ) on Monday February 18, 2002 @12:28PM (#3026889)
    Peacefire has been following Peek-A-Booty for a while, and we keep coming to the conclusion that a peer-to-peer anti-censorship system is impossible. There's a very basic problem that Peek-A-Booty still hasn't solved.

    The problem: Say I'm a user who wants to connect to a Peek-A-Booty network. I need to get the address of a node to connect to. How do I get this? The obvious solution, and the one used for Gnutella and other peer-to-peer apps, is to publish a list of nodes (or at least one). But that won't work here -- because then the censors can use the same list to track down the nodes and block and/or disable them. This is especially problematic if you're using Peek-A-Booty as it claims it is meant to be: if you're in a country that filters access (say, China) and the government can track down the users trying to circumvent the filters, they can and will punish/torture/kill those people.

    Peek-A-Booty has not solved this problem. Read what Tom's article has to say about it:

    "For security, there's no attempt at initial discovery - you'll get sent details of a node by word of mouth, or from some other secure source. Baronowski and de Villa expect that citizens groups (NGOs) will become trusted servers."
    That's right -- the only way to connect to a Peek-A-Booty network is word-of-mouth, which is horribly ineffective. Finding a node will be extremely difficult unless you know the right people, and then it's very easy for the censor to ruin it. Trust the wrong person, and your whole network is exposed. Government spies could give out addresses that they claim are Peek-A-Booty networks, then catch anyone who tries to connect to those. Worst of all, they could just offer some huge incentive to people for turning in their friends.

    I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.

      • the only way to connect to a Peek-A-Booty network is word-of-mouth, which is horribly ineffective

      Bear in mind that you'll also have to find out about and then get Peek-a-Booty in the first place. If you can do that, chances are you'll be able to find a list of nodes as well. Once this is up and running, a Google search and some patience should get you settled in.

      I completely agree that it's not easy, that there is no magic technical solution, and that even using Peek-A-Booty may be risky for people in some areas.

      The thing is: what's the alternative? Accept the firewalling? Use non-SSL public proxies that leave your traffic visible? Peek-a-Booty is one solution. What's your alternative?

    • by lysurgon ( 126252 ) <joshk AT outlandishjosh DOT com> on Monday February 18, 2002 @01:46PM (#3027322) Homepage Journal
      I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.

      And they never will. Why? Because the problem they are attempting to solve is not a purely technical one. Censorship is a political issue (e.g. involves people, not just machines) and as such demands a political component to its resolution.

      The merit of the program sits on the notion that repressive countries cannot afford to blockade the internet wholesale in order to control access to the proxy network. Ergo the success of the project is based on enough people in non-firewalled countries participating. And this doesn't just mean a lot of p2p proxy nodes, it also means a lot of people publishing a list of gateways.

      Much like in the world of warez, the massive proliferation of information would make it difficult if not impossible for the censoring agent not only to keep up with the number of IPs that serve as proxy nodes, but also to keep up with the number of websites that point to potential gateways.

      Look, this is a software project designed to break the laws of repressive countries. As such, it will never be a "technical solution" to the problem. At best (and this is what I think they're going for) it is a technical aid in the struggle for freedom. I say cheers to them.
    • I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.

      The best is the enemy of the good. It doesn't make sense to hold up a solution with some flaws in favor of an impossible system with no flaws. Freedom fighters take risks. That's their choice. We should help them to understand the risks they are taking but we should not deny them the right to even try to work around the system. Proxies are popular today even though they have the problems you describe. Peek-a-booty just ups the ante a little bit.

    • The obvious solution, and the one used for Gnutella and other peer-to-peer apps, is to publish a list of nodes (or at least one). But that won't work here -- because then the censors can use the same list to track down the nodes and block and/or disable them.

      If a node list is published on many sites which also have desirable content, filtering becomes much more difficult. Not impossible, but consider publishing node lists inside discussion forums such as slashdot, yahoo groups, bravenet, ezboard, myforum, hostboard, etc.

      Sure, a censor could search out the node lists, but a simple countermeasure would be to make sure the node lists are updated regularly with short-lived hosts. Another simple countermeasure would be to poison the list with hosts a censor would not wish to block. The software could maintain a local cache of hosts NOT running the proxy to avoid swamping normal sites with invalid proxy requests. Forged node-lists posted by censors could (maybe) be detected by checking signatures and some sort of "ring of trust" public key infrastructure, PGP style.

      It's probably impossible to make censorship completely impossible... but it is possible to make it more difficult and expensive for censors. It sounds like a lot more is yet to be done. There are a lot of creative people out there and I'm sure some of them won't have any problem coming up with some really good ideas (I just made up these on the spot as I read your message... and there are certainly a lot of people who've put a lot more thought into this than I have).
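
The short-lived, signed node lists suggested in the comment above, as an added Go example that is not part of the thread or of Peek-A-Booty. The list format, signer names, keys and addresses are constructed assumptions, and a k-of-n threshold over Ed25519 keys stands in for the PGP-style ring of trust.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"time"
)

// NodeList is a hypothetical signed bootstrap list (format assumed here).
type NodeList struct {
	Expires time.Time         // short lifetime: a harvested list goes stale fast
	Hosts   []string          // candidate nodes
	Sigs    map[string][]byte // signer name -> Ed25519 signature over payload()
}
func (l NodeList) payload() []byte { // expiry and quoted hosts are both signed
	return []byte(fmt.Sprintf("%d %q", l.Expires.Unix(), l.Hosts))
}

// CheckList rejects a stale list or one with fewer than need valid trusted signatures.
func CheckList(l NodeList, trusted map[string]ed25519.PublicKey, need int, now time.Time) error {
	if !now.Before(l.Expires) {
		return fmt.Errorf("list expired at %s", l.Expires.Format(time.RFC3339))
	}
	good := 0
	for name, sig := range l.Sigs {
		if pub, ok := trusted[name]; ok && ed25519.Verify(pub, l.payload(), sig) {
			good++ // only signers the client already trusts count
		}
	}
	if good < need {
		return fmt.Errorf("%d valid trusted signatures, need %d", good, need)
	}
	return nil
}

// sample returns constructed data: fixed-seed keys, documentation-range addresses.
func sample() (NodeList, map[string]ed25519.PublicKey, time.Time) {
	now := time.Date(2002, 2, 18, 15, 0, 0, 0, time.UTC)
	l := NodeList{now.Add(6 * time.Hour), []string{"192.0.2.10:443", "198.51.100.7:443"}, map[string][]byte{}}
	trusted := map[string]ed25519.PublicKey{}
	for i, name := range []string{"alice", "bob"} {
		k := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		l.Sigs[name], trusted[name] = ed25519.Sign(k, l.payload()), k.Public().(ed25519.PublicKey)
	}
	return l, trusted, now
}
func main() {
	l, trusted, now := sample()
	fmt.Println("accepted:", CheckList(l, trusted, 2, now) == nil)
}
```

A list whose hosts were edited after signing, or that carries only signatures from keys the client does not already trust, fails the threshold check, which is the forgery case the comment raises.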

    • This works now (Score:4, Insightful)

      by StrawberryFrog ( 67065 ) on Monday February 18, 2002 @03:11PM (#3027819) Homepage Journal
      the only way to connect ... is word-of-mouth, which is horribly ineffective. Finding ... will be extremely difficult unless you know the right people, and then it's very easy for the censor to ruin it. Trust the wrong person, and your whole network is exposed.


      Millions of drug users use this model quite happily.

      • "Millions of drug users use this model quite happily."

        Drug users are slightly safer. If a single Peek-A-Booty user of a given node is compromised, the government can start watching all traffic to that node and build a giant list of criminals. If a single drug customer is compromised, there're practical limits on how many other clients they can catch during a sting.

    • That's right -- the only way to connect to a Peek-A-Booty network is word-of-mouth, which is horribly ineffective.

      Don't worry, now they can send you the list of nodes on a self-shredding e-mail [slashdot.org].
  • Spooky prediction (Score:5, Interesting)

    by Rogerborg ( 306625 ) on Monday February 18, 2002 @12:38PM (#3026939) Homepage

    The Great Rogerborgio will make a spooky prediction. When Peek-a-Booty 1.0 reaches 100,000 downloads, a story will break that the client contains a hostile trojan that lets "evil hackers" take control of your machine, impersonate you, steal your credit card details, and screw your shrieking girlfriend in the ass while you watch helplessly, tears of frustration streaming down your shocked, betrayed face.

    The story will be submitted by a "credible group of anonymous white hat hackers" and run - unquestioned - by BBC Online and - slightly questioned, at best - by Reuters, and every other online news source will pick it up from there and spread it as gospel truth.

    It will not be true. It will be Fear, Uncertainty and Doubt, pure and simple. Many interested parties will want Peek-a-Booty to fail. In fact, there are so many - governmental and industrial - that even the Great Rogerborgio cannot peer through the mists of time sharply enough to determine the culprit.

    But it will happen. And remember, you read it here first.

  • So you mean I can go to any website out there, even if my websurfing is blocked? Great! How do I get this software? Oh go to this website. Hey. It's blocked.
  • Aims & Reality (Score:2, Interesting)

    by greygent ( 523713 )
    While the aims and goals of this project are commendable, I can't help but think that this program will be utilized more so by old men wanting to look at kiddie porn safely, than those in oppressed countries.

    One can simply see this trend with the GNUtella network, and monitoring the search strings people send out. They're full of stuff such as "hairless pre-teen sex" and "dogs fucking women".

    I'd be much more interested in running Peek-A-Booty if it had some sort of information-type limiting, but this would go against the whole basic concept of the program. I'd be glad to assist those who are oppressed, but WILL NOT help sexual predators and the like.

    Maybe people who want to help those in oppressive countries should throw up rogue squid proxy servers with bandwidth rate limiting and perhaps some client access limiting (*.cn, *.ru, and soon, *.us). This is what I do and it works quite well.

    I don't even advertise it, but quite a few people find it and use it (mostly people in southeast asia, actually)
    • by Perianwyr Stormcrow ( 157913 ) on Monday February 18, 2002 @02:02PM (#3027413) Homepage
      Information-type limiting works against the very idea of the system.

      I don't mind helping everyone equally. Even sexual predators- there are other ways to catch them.

      Sorry, kiddie porn is not a trump card with me.
      • And I respect your opinion.

        As obvious, the opinions I voice are merely my own. While my ethics do not align exactly with law, I have a particular distaste for sexual predators and child molesters, and it's a great enough issue that I do not want to potentially help them.

        I'd like to also clarify my "I'd be much more interested in running Peek-A-Booty if it had some sort of information-type limiting" comment. I meant this at the participant-level, and not a network-wide level. Some sort of mechanism where the participant has the freedom to disallow his resources to be used for certain ideologies of which he does not want to take part.

        But again, this goes against the entire Peek-A-Booty concept, and I may even be alarmist.

        The proxy idea works great for me, and my proxy server hasn't been firewalled from China as of yet.

        I get a significant amount of traffic from China, and they seem to look at a lot of democracy-oriented and (non-child) porn sites from the rare times I've taken a glance at the traffic.

        Please note, I am all for this project, and not against it in the least. I merely have some concerns.
  • this supposedly "non vaporware" still isn't downloadable from the peekabooty website.

    Just because people have seen it run, doesn't make it non vaporware, it has to be distributed.

    So where's the Beef? ([lame joke]or should that be dead cow?[/lame joke])
  • by wickidpisa ( 41827 ) on Monday February 18, 2002 @01:03PM (#3027069) Homepage
    Doesn't this system remind anyone of the media network in Neal Stephenson's The Diamond Age? Information gets passed from one place to another by different people, so that no one can tell where the person on the other end is. Looks like another one of Stephenson's ideas has become a reality.
    • 'Look! Neal Stephenson was right in !' He's not that great people, nor all that prescient. Most of the science in the Diamond Age was bad or ill-conceived, and even the media system is somewhat mangled and unworkable. It involves a really major paradigm shift that he never bothers to explain. That said, I like most of his books, except for the constant and irritating moralizing that he's doing more and more with each book. The Diamond age is stuffed to the ears with 'magic', not tech, so I wish that people would stop crowing that the man is right all the time. He's basically a conservative commentator that writes Sci-Fi. That doesn't make him bad, but it also doesn't make him a futurologist (which wouldn't make him necessarily more correct anyway, looking at some of the latest stories here.).
  • ... some cracker will set up a node that, when asked for a web page, issues spam instead.

    ... or worse yet the web page requested with spam interspersed.

    That will be the end of that.

    The End. (uggh) Nice idea though!
  • Hey guys, this ain't released yet, and for good reason. There's still work to do. If you have an attack which you think is probable of success, you would do good to let them know so they can design countermeasures.
  • It's easy, just block the proxy network, and boom... it's blocked again. That was easy!
  • Blocked! (Score:2, Funny)

    by Anonymous Coward
    I'd like to use this, but my company has blocked access to the site.
  • The Net interprets censorship as damage, and routes around it.
    -- John Gilmore

    What if censorship is in the router?
    -- Seth Finkelstein

    Is routing-around true in practice, rather than simply a trivial underground? It doesn't seem to ever work for "the masses". We're seeing another experimental test of this principle. I wish it well, but the past failures are sobering.

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

  • by nomadicGeek ( 453231 ) on Monday February 18, 2002 @02:31PM (#3027600)
    I see a lot of posts which seem to imply that employee surfing should be ignored. Why is it a big deal if an employee does some personal surfing? Why not measure an employee's productivity and leave it at that?

    I used to work at a company that had a very liberal internet use policy. We were pretty early adopters as far as the corporate world goes. We wanted people to use the Internet as a tool and didn't want to micromanage or scrutinize its usage.

    Over the years we had to tighten our policy as abuses started to mount. The final straw was an idiot who was collecting kiddie porn and saving it on our network server! We immediately notified the police and he was arrested and prosecuted. The guy literally had hundreds of pictures carefully organized into directories to categorize them. It was obvious (1) that he had been doing it for a while, (2) he had invested a great deal of thought and time in these activities.

    The company was dragged into the employee's defense trial. We spent a lot of time and money on attorneys, depositions, etc. It was a nightmare. We were forced to implement a system to control and monitor access to the Internet to ensure that this type of thing did not happen again. It is one thing to get caught in that type of situation once but it can't happen again.

    So we spent a lot of time and money watching and controlling Internet access. It sucks but it only takes one idiot to mess things up for everyone and there are a lot of idiots out there.

    I still think that ideally Internet usage should be the employees' responsibility but in the real world things often get much more complicated.
  • by Anonymous Coward on Monday February 18, 2002 @03:15PM (#3027843)
    http://cultdeadcow.com/details.php3?listing_id=426

    PEEKABOOTY UPDATE
    FOR IMMEDIATE RELEASE

    LUBBOCK, TX, February 7 -- The CULT OF THE DEAD COW (cDc) would like to clarify a few matters in relation to Peekabooty, an anti-censorship software application currently under development.

    Peekabooty was originally the brainchild of the Hacktivismo group, an international cadre of hackers founded by the cDc's Oxblood Ruffin. Hacktivismo's mandate was and is to develop technology in the service of human rights. Peekabooty was its first project; others are in various stages of planning and development.

    The CULT OF THE DEAD COW has supported this work from its conception, because we view censorship of the Internet as a cancer that must be excised. However, it should be noted that the cDc membership have not been contributing code or driving the development schedule for Peekabooty. This project was entirely the concern of Hacktivismo group.

    Two years ago, Bronc Buster and Mr. Pink wrote the proto-code for the current iteration of Peekabooty. Paul Baranowski (who until recently used the handle "Drunken Master") later became its chief architect and took charge of the Peekabooty programming effort. Some months ago, Paul chose to dedicate himself full-time to refactoring the codebase and finish implementing the remaining functionality.

    Paul has recently decided to sever ties with the Hacktivismo group but he will continue to develop the Peekabooty app. Occasionally developers can't find the environment they need to do their best work and now is one such time.

    Paul will be leaving Hacktivismo and taking on full responsibility for his work and all future development of his software. So from now on, Paul is directing all aspects of the Peekabooty project. It is no longer a Hacktivismo production. The Hacktivismo group will shift its main focus back to other projects in the pipeline.

    We continue to wish Paul the best of luck. We believe that Peekabooty will prove itself to be a liberating force on the Net. Although Hacktivismo has severed formal ties with the project, some members intend to informally contribute their testing skills, etc. to the ongoing effort.

    Paul will be presenting a recent snapshot at CodeCon, February 15 - 17, in San Francisco. Go check it out. But please be aware that this is not a launch; Peekabooty is still a work in progress.

  • Most of the comments I've seen for this story talk about how it will be good (or bad) for employee surfing. It occurs to me that this will also be a way to defeat the websites that try to lock out certain regions from being able to access them, for matters of national licensing and such. (I saw a story about that sort of thing on /. a while back, but I'm too lazy to go look it up. :)
  • Nomenclature (Score:2, Insightful)

    Technology merits aside, why did they have to choose the name 'peek a booty' ?? This really isn't helping us getting rid of the 'pron-fiend-p2p-user' stereotype. I can't imagine the company or technology being recognized by corporate types, either.
  • Quick Browse (Score:2, Informative)

    by kevinoshea ( 559828 )
    I wonder if a program like Quick Browse - http://www.quickbrowse.com - might also do the trick?
  • I heard about this program a year ago. Back then I wasn't sure what to think about it, because cDc isn't one of the "software producers" I trust. Personally, I would never install anything written by them on my computer.

    Peek-a-booty appears to be a valid program, and may even be really useful for people who have governments blocking them from freely accessing the internet. However, I do think that they should get rid of the cDc name, mainly because cDc is associated with lame backdoor trojans by a lot of people. Also, if it ever got mainstream media attention, it is likely that they would start the article by saying something like: "cDC, the makers of the infamous backdoor trojan program Backorifice...". This is likely to scare people from installing it.

    Just my two cents...
