Anonymous, People's Liberation Front Build Anonymous Data-Sharing Site 137

Posted by timothy
from the for-all-your-library-science-needs dept.
suraj.sun writes with these snippets from an article at Ars Technica: "Hacker group Anonymous and the People's Liberation Front have created a data-sharing site called AnonPaste.tk, meant to host pastes of code and other messages without any moderation or censorship of the information posted. The new site, which uses a free .tk web address, allows users to set a time for the paste to expire. It claims that data is encrypted and decrypted in the browser using 256 bit AES, so the server doesn't see any of the information included in the paste. The site says it's taking donations in the form of WePay or BitCoins. ... AnonPaste is built using open-source software called ZeroBin, created by French developer Sebastien Sauvage. According to Infoweek Sauvage has experience in creating online authentication systems for French banks, suggesting the creator knows a thing or two about encryption of data. Still, on the software's information page, Sauvage reminds potential users that ZeroBin software can not protect against potential Javascript attacks. 'Users still have to trust the server regarding the respect of their privacy,' he says. 'ZeroBin won't protect the users against malicious servers.'"
  • .tk, seriously? (Score:5, Insightful)

    by jamesbrx (2622061) on Sunday April 22, 2012 @08:29AM (#39762039)
    This site will get its domain removed faster than I can post this comment. The .tk admins have a long history of blatantly removing anything that might cause trouble, or porn and/or hijacking domains that are popular. Great choice there, indeed.
    • .tks are just frames to another site. So just bookmark the real one [peopleslib...nfront.net] if you're concerned about the .tk breaking.
      • by rs79 (71822)

        I'm a bit leery about .tk too.

        You know, we don't really need to use a domain for this. What's Google's DNS server? It probably does have a domain but everyone knows it's 8.8.8.8

        Use a domain by all means. But on the main page put the current IP and make sure the website works with an IP address as well as a domain.

        A good tld to use for a domain like this is .ARPA. They never expire and they're just another TLD. If you own an IP, you have an arpa address you can use for anything you want.

        You can use one in an

    • I suspect that it was because .tk is free... If they wanted to pay for a domain, then some Anonymous member would likely have to give up some personal details... (Disclaimer, haven't read TFA so what I said could be complete bull.)
      • I suspect that it was because .tk is free... If they wanted to pay for a domain, then some Anonymous member would likely have to give up some personal details... (Disclaimer, haven't read TFA so what I said could be complete bull.)

        But since they aren't giving us detailed technical specifications we "experts" cannot check it to determine what those problems might be. I'd like to discuss the technical specifications but I would think something like this would have to be set up with a special protocol and decentralized DNS. I would expect it to be on the darknet.

        • by spydir31 (312329) <{moc.nukrutsah} {ta} {rutsah}> on Sunday April 22, 2012 @11:05AM (#39763175) Homepage

          It runs on ZeroBin [sebsauvage.net], which uses client side javascript to generate a random 256bit AES key, then compress and encrypt the text before sending it to the server. Comments are also compressed and encrypted. The key is never seen by the server, so the server can't decrypt your data.

          It uses the Stanford Javascript Crypto Library [stanford.edu] for its AES code, and its codebase is available on github [github.com].

          The system is vulnerable to an MITM attack; also a server admin may be able to reveal the poster's identity, but not the post's content.

          • by Meneth (872868)
            The server operator could modify the javascript it sends to the client, so that the client sends either the key or the plaintext to a place of the operator's choosing.
            • by spydir31 (312329) <{moc.nukrutsah} {ta} {rutsah}> on Sunday April 22, 2012 @12:08PM (#39763697) Homepage

              The server operator could modify the javascript it sends to the client, so that the client sends either the key or the plaintext to a place of the operator's choosing.

              That would fall under the same category as MITM in this case. You still need to trust the server (or a server, if you prefer)

              You could move the client side code to a browser addon/extension, but you'd still have the problem of trusting the extension to behave

              • by TheCarp (96830)

                Hmmmm yes...or javascript? Could be a bookmarklet even.

                Store it locally, so changes can't be made on the fly if the server gets 0wn3d. Individuals who really care can download the known good client from a specific source. Then they have to trust that source, but only once, and can verify their copy both at time of download and at any later date, with a simple hash.

                That removes the need to trust each server using it, and only needing to trust that you got it from a good repo where the code is being actively

          • by elucido (870205)

            It runs on ZeroBin [sebsauvage.net], which uses client side javascript to generate a random 256bit AES key, then compress and encrypt the text before sending it to the server. Comments are also compressed and encrypted. The key is never seen by the server, so the server can't decrypt your data.

            It uses the Stanford Javascript Crypto Library [stanford.edu] for its AES code, and its codebase is available on github [github.com].

            The system is vulnerable to an MITM attack; also a server admin may be able to reveal the poster's identity, but not the post's content.

            Revealing the poster's identity is worse than revealing the poster's content! That is a huge security hole.

            Also where is the key stored? Expect the government to investigate and interrogate whoever has the keys.

            • Also where is the key stored? Expect the government to investigate and interrogate whoever has the keys.

              According to the ZeroBin website [sebsauvage.net], the key is not "stored;" it is part of the URL string (which never goes to the server). For example:

              http://sebsauvage.net/paste/?e4af05540340d85a#zLtQuuHWSJgl3z12lIAJy3ZZeyTdC3dVarlGH8R+TZ4=

              You give the link to your friends. The link contains both a paste ID as well as a key. You and your friends' browsers use the key to decrypt the data for the given paste ID.

              Also, there's no inherent reason to distrust Javascript running on an "Anonymous"-run website any more than y

              • by CodeHxr (2471822)

                You give the link to your friends. The link contains both a paste ID as well as a key. You and your friends' browsers use the key to decrypt the data for the given paste ID.

                So, anyone that uses it not only has a potential key stored in their browsing history (if they are a newbie-type user), but even more importantly, their ISP has a history of URLs requested, which *definitely* has the key posted.

                Granted, the key is random every time and, in theory, the server should be deleting what you posted after the time you specified, but one can't really verify that and we're back to trusting the server again.

    • Re:.tk, seriously? (Score:4, Insightful)

      by cloricus (691063) on Sunday April 22, 2012 @09:11AM (#39762299)
      Why would they want to take down what may become the most effective honey pot in history?
    • by Anonymous Coward on Sunday April 22, 2012 @09:15AM (#39762327)

      They should have set their servers up in Judea.

    • by Monty Worm (7264)
      (disclaimer: I am a former employee of Dot.TK)

      The reason most domains get removed from the .tk name space is that they breach the terms and conditions that users supposedly agreed to when signing up. This includes (but probably isn't limited to): Drugs, alcohol, tobacco, sexual content, piracy, and other illegal activities.

      And in an attempt to reply to as many of the points raised in other replies as possible:

      • Most of the hijacked domains were (in the time I was there) taken down after requests by thei
  • by xiando (770382) on Sunday April 22, 2012 @08:33AM (#39762073) Homepage Journal
    I am NOT about to let you or your anonymous friends run JavaScript in my browser. No. That would compromise my security. The idea outlined in the summary sounds good, but the JavaScript-based implementation is bad. EPIC FAIL. Think of the Tor-users! They are not about to let their anonymity go by submitting to the evil JavaScript World Order.
  • Cool, but... (Score:5, Interesting)

    by betterunixthanunix (980855) on Sunday April 22, 2012 @08:34AM (#39762079)
    ...we already have lots of ways to do this. We can encrypt and post to Usenet. We can use extensions like FireGPG to encrypt on post to websites. So why use a system where we place all our trust in the service provider, which is both theoretically risky and has failed in the past:

    http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/ [wired.com]
    • by gl4ss (559668)

      well yeah, but could you provide a one liner url to those?

      • Probably not; more like one URL and a decryption key that would be pasted in somewhere. Really though, an extension like FireGPG that provides this capability would be a lot better -- I do not want to trust some server to send me my decryption program every time I want to access a file. This may even be worse than Hushmail, since any of the people who are accessing the file could be targeted; the server could merely flag the data it wants to decrypt, and wait for the first person with that URL to come alo
        • by elucido (870205)

          Probably not; more like one URL and a decryption key that would be pasted in somewhere. Really though, an extension like FireGPG that provides this capability would be a lot better -- I do not want to trust some server to send me my decryption program every time I want to access a file. This may even be worse than Hushmail, since any of the people who are accessing the file could be targeted; the server could merely flag the data it wants to decrypt, and wait for the first person with that URL to come along and open it.

          If it's a honeypot it's not going to work anyway. But honestly I don't see the PLF offering a honeypot. Anonymous and the PLF are two different entities. PLF are serious and are highly skilled while Anonymous is populated by anybody, whether they are serious with skills or just teenagers looking for lulz.

    • by elucido (870205)

      ...we already have lots of ways to do this. We can encrypt and post to Usenet. We can use extensions like FireGPG to encrypt on post to websites. So why use a system where we place all our trust in the service provider, which is both theoretically risky and has failed in the past:

      http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/ [wired.com]

      Exactly.

      The other problem is it takes specialists to actually use this encryption in the context they are talking about. Anyone with the special skills to have to use this sort of encryption would exercise great caution.

      That website Anonpaste is going to have to have a darknet backend of some sort. It's also going to need a distributed decentralized DNS because governments are going to attack the DNS when they figure out they cannot DDOS the servers.

      Finally these servers have to be protected and secure. Th

  • as DDoSing websites.

  • Trying another false-flag operation? Going for #Anti-Sec 2?

    • by elucido (870205)

      Trying another false-flag operation? Going for #Anti-Sec 2?

      It's not that simple although I do see your point considering Sabu was their snitch. I doubt the FBI infiltrated the PLF though. PLF are far more skilled and very much professionals.

      I'll say it again, anyone who actually has a need to use encryption of this sort properly would need specialized skills to begin with. The PLF is not going to provide any sort of training. So basically if you have a need to use this then you already know how to become Anonymous on the internet. If you don't then you shouldn't be

    • I knew that this was a false flag operation as soon as I saw Anonymous was teaming up with the People's Liberation Front, and not the Liberation Front of the People. Splitters!
  • by Sun (104778)

    It claims that data is encrypted and decrypted in the browser using 256 bit AES, so the server doesn't see any of the information included in the paste.

    And where does the key come from? If from the server, then the data is not encrypted at all.

    Shachar

    • by Sun (104778) <shachar@shemesh.biz> on Sunday April 22, 2012 @08:53AM (#39762203) Homepage

      Okay, I take it back. It seems that the reading URL contains the decryption key. That's actually quite nice.

      The key seems to be stored in the in-page bookmark (the part after the "#"), so there is even a chance it won't be available through the server's logs. I have not checked whether it is the client or the server that produces the URL for reference. That might mean a trip to the server after all, but given the design of the rest, there is hope it was done properly after all.

      Shachar

      • by terrox (555131)
        Why wouldn't the # part of the URL be stored in logs? Anyone with the URL and anyone looking at the URL history/logs etc. can therefore unencrypt the text; this makes no sense to me.
        • by Sun (104778)

          Because the # part is intended for the local browser. It is not part of the URL sent to the server, it is intended to tell the browser to go to a certain bookmark (anchor, in HTML jargon) inside the page.

          You will notice that if you change just the part after the # and hit "enter", the browser does not refresh the page. That's because it does not think anything changed that is worth notifying the server.

          Shachar

      • where does the decrypting code come from?

        Let's assume an attacker has the server under his control. He will not only be able to modify the scripts to send the content of the decrypted paste back, he can even send the entered password to the server.

        So it's still more insecure than encrypting off-browser and pasting it then. But better an encryption which is secure most of the time than no attempt at all. You can just not guarantee it will be encrypted or safe. So do not use it if you know better. But encourage

        • by iserlohn (49556)

          Actually, a much more secure version of this is https://ezcrypt.it/ [ezcrypt.it] with which the decryption key can also be further encrypted with a password.

          • by allo (1728082)

            As long as it's done by JavaScript which comes from this site, they may replace the JavaScript with a logging version. So you cannot win without using a trusted program (which should be installed locally, so nobody can secretly replace it).

    • It claims that data is encrypted and decrypted in the browser using 256 bit AES, so the server doesn't see any of the information included in the paste.

      And where does the key come from? If from the server, then the data is not encrypted at all.

      Shachar

      http://beta.piratepad.net/front-page/ [piratepad.net]

      Actually I'd say piratepad is slightly better.

  • Oh yeah? (Score:4, Funny)

    by Rydia (556444) on Sunday April 22, 2012 @09:07AM (#39762279)

    Well, Anonymous is going to start their OWN pastebin! With hookers! And blackjack!

  • Isn't "peoples" and "libertarian" together a contradiction? Most forms of "libertarianism" appear to me to be "I'm all right Jack and the people can just go and suffer if they didn't manage to get rich".
    • "liberty" and "libertarian" are separate concepts.

    • oh, I thought Palestinians did it!

      the "People's Liberation Front", which no one has ever heard of till now, can be easily mistaken for the Popular Front for the Liberation of Palestine.

    • Only in the US has the word "libertarian" been co-opted by the free-market uber alles, Ayn Rand worshiping, "I've got mine so fuck you!" crowd.

      In the rest of the world, the word "libertarianism" is quite similar in meaning to "anarchism". In fact, many anarchists (including Noam Chomsky) use the term "libertarian socialism" to describe their philosophy, as the term "anarchism" has been tainted with connotations of rioting, looting, burning police cars, and punk-rock wannabes.

      • Only in the US has the word "libertarian" been co-opted by the free-market uber alles, Ayn Rand worshiping, "I've got mine so fuck you!" crowd.

        As one of Kim Stanley Robinson's characters put it, "That's libertarians for you -- anarchists who want police protection from their slaves."

        The typical usage in the U.S. is different because right-wing people opposed to the regulation of big business [blackened.net] tried to steal the term in the 1950s. They've managed to bamboozle a lot of folks over the years, but more and more

  • by elucido (870205) on Sunday April 22, 2012 @10:05AM (#39762709)

    According to what Pastebin says about Anonpaste, just using Anonpaste could mean you have something to hide, and if you have something to hide it means you need to be investigated.

    Although Anonymous has used the news of AnonPaste to taunt Pastebin, Vader isn't worried about the popularity of his own site. He does see problems with the general idea of the new paste site though. "Having this new anonymous paste service online will most likely mean that less 'sensitive information' is posted on Pastebin.com, which we like," Vader told Ars, "But we think this new totally anonymous Paste site will be used mainly by people who have something to hide, people who are posting things that really shouldn't be posted. We see no benefit for normal legitimate users to use it over the currently existing paste websites. We are afraid that this site will be bombarded with people's personal information, credit-card details, and things such as child pornography."

    If you use Anonpaste then the governments will claim you're a credit card thief, a child pornographer, or a terrorist, because why else would you want to use something like Anonpaste?

    My advice is don't post on Anonpaste. Read Anonpaste but don't post a damn thing. If someone really knows what they are doing they probably don't need Anonpaste but if they somehow did then they weighed the risks already.

    • If you use Anonpaste then the governments will claim you're a credit card thief, a child pornographer, or a terrorist, because why else would you want to use something like Anonpaste?

      Politicians are a lot less quick to use that, "Only criminals demand their right to privacy" routine after a few demands for public strip-searches.

      Interestingly, the political corruption in the U.S. is getting resolved by, of all people, the military [wordpress.com].

  • by Anonymous Coward on Sunday April 22, 2012 @10:06AM (#39762717)

    Would that be the Peoples Liberation front of Judea or the Judean Peoples Liberation Front?

  • I thought most of anonymous was in prison after that last big bust a month or two ago. Didn't even know they were still operating.
  • ... the Judean People's Front?
  • Can someone please tell me what's supposed to be so politically edgy about creating yet another disordered, unregulated system?

    That kind of jumbling and lack of accountability is pretty much the problem with our political system, and yet Anonymous sells it as subversive and avant-garde. It's not.

    Then when you ask Anonymous what it thinks it's trying to accomplish, rather than sending you a sheaf of redacted government memos they just tell you, "There is no such thing as Anonymous." If life were a party, A

  • by kangsterizer (1698322) on Sunday April 22, 2012 @01:57PM (#39764657)

    Make sure you don't put the URL that matters in the article!
    That could be thousands of ad prints missed!

    The link is http://www.anonpaste.tk/ [anonpaste.tk]

  • Is it the Judean People's Liberation Front, or the People's Liberation Front of Judea?

  • Woao. (Score:3, Informative)

    by sebsauvage (771545) on Sunday April 22, 2012 @02:32PM (#39764925) Homepage
    Woao. My name on the front page of Slashdot. Now I can die. :-D

    If you don't trust AnonPaste, you can just install ZeroBin [sebsauvage.net] (the opensource software AnonPaste is based on) on your own website.
  • And lest anyone forgets, because it's supposed to drag out forever, Anna Ardin (a k a Anna Bernardin), the accuser of Wikileaks' Julian Assange, worked for (and may still work for them) the Bonnier family through one of their tabloids, while the two sisters of Claes Borgstrom (one of the two partners of the law firm representing Anna Ardin in trying to get Assange extradited to Sweden) work for the Bonnier family, and Thomas Bodstrom (the other partner of that law firm, who was the Justice Minister of Swede
    • And Assange works for RT, Russia's state-owned Putin-controlled Fox News equivalent.

      It might be best to ignore the figureheads, and concentrate on the content.

  • Sounds great.

    Now, how can I be sure that the Javascript executing in my browser (a) isn't malicious, and (b) hasn't been intercepted and changed by someone in the middle?

  • Congratulations Sebastien for finally making it on Slashdot!! Doesn't it feel like a birthday cake? Looking forward to continuing to read you via shaarli ;0)
