Privacy

Peek-a-Boo(ty) 297

Anemophilous Coward writes "Tom's Hardware has a story detailing cDc's new anonymity app, just demonstrated Sunday. Peek-A-Booty is designed to let surfers access sites blocked by government restrictions, and is, essentially, a distributed proxy network. It uses a peer-to-peer model, masking the identity of each node. This means the user can route around censorship that blocks citizens' access to specific IP addresses, because the censor doesn't know they're going there. There is also a website dedicated to the project."
This discussion has been archived. No new comments can be posted.

  • by base3 ( 539820 ) on Monday February 18, 2002 @12:06PM (#3026750)
    On the other side, as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com

    What exactly does that have to do with security? Doesn't a "security manager" have anything better to do? If anything, be concerned because it's an encrypted channel for information to move in and out, not that someone might <gasp> be doing some personal surfing on the job</gasp>.

    If these sorts of applications make it harder for security "managers" to play Network nazi (small 'n'--Godwin's law does not apply here), then that is an added benefit, so far as I see.

  • by Rupert ( 28001 ) on Monday February 18, 2002 @12:06PM (#3026754) Homepage Journal
    Where I work they have the drones' boxen locked down so they can't change their proxy settings. Thus PeekaBooty is not a problem.

    The more inspired drones have installed Opera, which doesn't require administrator access to install in Windows. They could presumably use PB. They're a small minority, though.
  • by cat_jesus ( 525334 ) on Monday February 18, 2002 @12:13PM (#3026797)
    On the other side, as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job.
    Here's a novel idea. How about monitoring employees' productivity instead. I could care less if my employees look at porn as long as no one complains and the work gets done. As soon as one of those two criteria change, then I get involved.

    Cat
  • by mosch ( 204 ) on Monday February 18, 2002 @12:16PM (#3026811) Homepage
    As a security manager, you should learn how to lock down the computers that the users are using, thus preventing the installation and deployment of this utility.

    Additionally, your security policy should have language forbidding the use of non-authorized software, thus making the use of said software a fireable offense.

  • by Rogerborg ( 306625 ) on Monday February 18, 2002 @12:20PM (#3026832) Homepage
    • On the good side: China [...] to keep spreadin' the news that "Information good."

    Er, good side: USA. To find DeCSS or similar tools without fear of prosecution, for example, or to keep spreadin' the news that "Censorship bad, even when it's done by a (heh) democratically (heh heh) elected (heh heh heh) administration."

    • as a Security Manager in a bank who's sometimes asked to go find out if person XYZ has been accessing nakedhairyeyebrowedcheerleaders.com, I can see how this utility might make it impossible for me to do my job

    Depends on what your job is. If your job is to protect the bank from liability, anonymised browsing allows you to state with certainty "Nobody can link us or our employees with porn surfing. Not us, not nobody."

    If you've been tasked with catching a known baddie in the act (perhaps at preteenlolitas.com), then you've got keyloggers, machine caches (they don't have admin access, right?) or just drop VNC [att.com] on their machine and catch them with their pants down, so to speak.

    I appreciate your concerns, but really, wouldn't it actually make your job easier if users showed a little courtesy and consideration, and stopped waving their dodgy surfing habits in your face (so to speak)?

  • by smallpaul ( 65919 ) <paul@prescodWELTY.net minus author> on Monday February 18, 2002 @12:24PM (#3026859)

    So what you're saying is: "On the good side, fundamental human rights. On the bad side, makes life harder for pointy haired bosses who feel that lunch breaks spent playing cards are fine but lunch breaks surfing porn are an abomination."

    And this gives you mixed feelings???

  • by SMN ( 33356 ) on Monday February 18, 2002 @12:28PM (#3026889)
    Peacefire has been following Peek-A-Booty for a while, and we keep coming to the conclusion that a peer-to-peer anti-censorship system is impossible. There's a very basic problem that Peek-A-Booty still hasn't solved.

    The problem: Say I'm a user who wants to connect to a Peek-A-Booty network. I need to get the address of a node to connect to. How do I get this? The obvious solution, and the one used for Gnutella and other peer-to-peer apps, is to publish a list of nodes (or at least one). But that won't work here -- because then the censors can use the same list to track down the nodes and block and/or disable them. This is especially problematic if you're using Peek-A-Booty as it claims it is meant to be: if you're in a country that filters access (say, China) and the government can track down the users trying to circumvent the filters, they can and will punish/torture/kill those people.

    Peek-A-Booty has not solved this problem. Read what Tom's article has to say about it:

    "For security, there's no attempt at initial discovery - you'll get sent details of a node by word of mouth, or from some other secure source. Baronowski and de Villa expect that citizens groups (NGOs) will become trusted servers."
    That's right -- the only way to connect to a Peek-A-Booty network is word-of-mouth, which is horribly ineffective. Finding a node will be extremely difficult unless you know the right people, and then it's very easy for the censor to ruin it. Trust the wrong person, and your whole network is exposed. Government spies could give out addresses that they claim are Peek-A-Booty networks, then catch anyone who tries to connect to those. Worst of all, they could just offer some huge incentive to people for turning in their friends.

    I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.

  • Re:public proxy (Score:3, Insightful)

    by crawling_chaos ( 23007 ) on Monday February 18, 2002 @12:28PM (#3026890) Homepage
    You'd have to be crazy to try and start blocking every IP or address block on the Internet because they offer public proxy services.

    My guess is that that's exactly what will happen in restrictive environments if this becomes widespread. A corporate/state "whitelist" will be used to list acceptable sites and all others will be forbidden. If something is found that might be useful, the powers that be can be petitioned to add it to the whitelist. This will of course castrate the power of the net in those restrictive environments, but that's precisely the point, particularly in China.

  • by zzyzx ( 15139 ) on Monday February 18, 2002 @12:38PM (#3026940) Homepage
    So you mean I can go to any website out there, even if my websurfing is blocked? Great! How do I get this software? Oh go to this website. Hey. It's blocked.
  • by zzyzx ( 15139 ) on Monday February 18, 2002 @12:56PM (#3027042) Homepage
    Yes but are the instructions on how to do that on that website? I still think there's a chicken and egg problem here.
  • by YU Nicks NE Way ( 129084 ) on Monday February 18, 2002 @01:23PM (#3027186)
    I agree that jpegs of naked cheerleaders with hairy eyebrows are not security issues in and of themselves.

    That doesn't really matter, though. The most vulnerable part of any corporate network is its users, now. A user who's violating the acceptable use policies for his or her employer's network is an automatic security risk. First, such an employee becomes a possible blackmail target. In the case of porn, a network admin must bar porn on a professional network because of the possibility of a sexual harassment suit being filed against the company. That means that the AUP must make accessing such materials through the corporate site a disciplinable offense...hey, presto, instant blackmail. Second, though, any user who is actively subverting procedures put in place to prevent such abuse must believe that he or she "knows better than you do". Although the user's right in the vast bulk of cases, the cost in those rare cases where they're wrong is disastrous. What if the site is malicious? If they can get around your barriers, then what else are they downloading? Do they necessarily even know? How tight are the barriers around their machines?

    Would you be willing to bet the company on their care?
  • by lysurgon ( 126252 ) <joshk@outlandishjo s h . com> on Monday February 18, 2002 @01:46PM (#3027322) Homepage Journal
    I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.

    And they never will. Why? Because the problem they are attempting to solve is not a purely technical one. Censorship is a political issue (e.g. involves people, not just machines) and as such demands a political component to its resolution.

    The merit of the program sits on the notion that repressive countries cannot afford to blockade the internet wholesale in order to control access to the proxy network. Ergo the success of the project is based on enough people in non-firewalled countries participating. And this doesn't just mean a lot of p2p proxy nodes, it also means a lot of people publishing a list of gateways.

    Much like in the world of warez, the massive proliferation of information would make it difficult if not impossible for the censoring agent not only to keep up with the number of IPs that serve as proxy nodes, but also to keep up with the number of websites that point to potential gateways.

    Look, this is a software project designed to break the laws of repressive countries. As such, it will never be a "technical solution" to the problem. At best (and this is what I think they're going for) it is a technical aid in the struggle for freedom. I say cheers to them.
  • by trog ( 6564 ) on Monday February 18, 2002 @01:50PM (#3027351)
    No, this makes it a security issue. Remember, all web browsers have remote exploits in them from time to time. Pr0n sites tend to be the first ones to exploit these holes (to get email addresses, install software, pop up ad pushing, etc.) Surfing pr0n sites at work is an almost for sure way to compromise the office network.
  • by Perianwyr Stormcrow ( 157913 ) on Monday February 18, 2002 @02:02PM (#3027413) Homepage
    Information-type limiting works against the very idea of the system.

    I don't mind helping everyone equally. Even sexual predators- there are other ways to catch them.

    Sorry, kiddie porn is not a trump card with me.
  • Re:OK, but.... (Score:2, Insightful)

    by Drakin ( 415182 ) on Monday February 18, 2002 @02:20PM (#3027527)
    From the sounds of it, that wouldn't work very well. It's based on P2P networking, so it would hop between known nodes, and likely have nodes added as other nodes inform your node of them.

    So it would show up as a lot of connections to various IP's, not one single bannable IP.
  • by wickidpisa ( 41827 ) on Monday February 18, 2002 @02:35PM (#3027622) Homepage
    Just because he doesn't fully explain the workings of a technological idea he has does not mean they are not tech; he is a writer, not an engineer. If everything he wrote about was technologically possible he would not be an author, he would be making billions off his inventions.

    His media system is not perfect, but it follows some of the same principles that this new software follows. The Diamond Age was published in Feb 1995; if you can even remotely describe a technology that will not be invented for 7 years I will be impressed, even if you don't work out all the bugs right now.
  • This works now (Score:4, Insightful)

    by StrawberryFrog ( 67065 ) on Monday February 18, 2002 @03:11PM (#3027819) Homepage Journal
    the only way to connect ... is word-of-mouth, which is horribly ineffective. Finding ... will be extremely difficult unless you know the right people, and then it's very easy for the censor to ruin it. Trust the wrong person, and your whole network is exposed.


    Millions of drug users use this model quite happily.

  • by R2.0 ( 532027 ) on Monday February 18, 2002 @03:52PM (#3027985)
    How about something even simpler - Jane the VP has all her login names and passwords recorded in Gator (or Password Tracker, or an Excel File)
  • Nomenclature (Score:2, Insightful)

    by Dr. Carl Jung ( 559378 ) on Monday February 18, 2002 @04:44PM (#3028281)
    Technology merits aside, why did they have to choose the name 'peek a booty'?? This really isn't helping us get rid of the 'pron-fiend-p2p-user' stereotype. I can't imagine the company or technology being recognized by corporate types, either.
  • by muffen ( 321442 ) on Monday February 18, 2002 @07:24PM (#3029133)
    I heard about this program a year ago. Back then I wasn't sure what to think about it, because cDc isn't one of the "software producers" I trust. Personally, I would never install anything written by them on my computer.

    Peek-a-booty appears to be a valid program, and may even be really useful for people who have governments blocking them from freely accessing the internet. However, I do think that they should get rid of the cDc name, mainly because cDc is associated with lame backdoor trojans by a lot of people. Also, if it ever got mainstream media attention, it is likely that they would start the article by saying something like: "cDC, the makers of the infamous backdoor trojan program Backorifice...". This is likely to scare people from installing it.

    Just my two cents...
