It took a while, but it’s there. There is a mention of Netsweeper and that they provide products and services to Yemen, Qatar and the United Arab Emirates but it misses what these products are really for.
This is actually pretty simple to get going once you know how. This is a short “HOWTO use Tor on Android”
First of all, you’re going to want to install OrBot. It’s available from the Google Play store. There is absolutely no harm in leaving this running all the time in the background. I have found it to have zero impact on battery life of my phone (the Battery thing in settings doesn’t show OrBot at all).
With OrBot running, you now have a HTTP and SOCKS proxy available on your phone. This means you can set any app that can use a HTTP or SOCKS proxy to do their Internet access through Tor instead of directly through your Wifi or cellular network.
The Twitter client wonderfully has built in support for using a HTTP proxy. You just need to go into the Twitter app’s Settings, click “Enable HTTP Proxy”, and set “Proxy Host” to localhost and “Proxy Port” to 8118. You are now done. You can test this by disabling OrBot and then trying to refresh your Twitter stream. If it doesn’t work, then Twitter is trying to use the (not running) Tor proxy. Re-enable OrBot to be able to use your Twitter client. This “just works”.
There is pretty much no excuse not to have your phone Twitter client go through Tor. We all know that Twitter gets all sorts of legal queries for information about users. We also know that they’ve been fairly good about it, and indeed hats off to Twitter for being awesome. But… guess what? We can just ensure they don’t have any information worth handing over :)
Next step… Web Browsing. The Firefox Beta is pretty awesome. It’s fast and usable (which is exactly what you want in a web browser). This may also work with the standard Firefox browser (I’m not sure when they’ve updated it to be on par with the Firefox Beta version I’ve been using).
There is no place to specify proxy settings in the normal UI (I do hope Mozilla add this). But not to worry, Firefox on Android is built on the same base as Firefox on the desktop, so it does support it (there just isn’t a good UI).
What you need to do is go to the URL bar and go to “about:config”. This shows every little thing you can tweak in Firefox (a lot). Luckily, there’s a search bar. Search for “proxy” and modify the following settings to the following values (the = sign means “click modify and enter the value after the =”):
- network.proxy.http = 127.0.0.1
- network.proxy.http_port = 8118
- network.proxy.socks = 127.0.0.1
- network.proxy.socks_port = 9050
- network.proxy.ssl = 127.0.0.1
- network.proxy.ssl_port = 8118
- network.proxy.type = 1
- UPDATED: network.proxy.socks_remote_dns to “true” (click “toggle”)
Then head to http://check.torproject.org to check that it’s working!
This doesn’t provide you with all the features and benefits of using the TorButton in the desktop firefox, but it will stop your mobile phone provider spying on all the web sites you visit (unless they break into your phone itself).
Luckily, Android is fairly awesome and whenever you try to open a URL it can ask you what program you want to use to do that with. Guess what? Just select the Firefox you configured with Tor to open it and you’re browsing through Tor. Brilliant and easy with no need to go and “root your phone” or anything else that may turn people off from doing so.
Update: Thanks should also go to François Marier for his site that helped me get this right: http://feeding.cloud.geek.nz/2012/06/browsing-privacy-and-ad-blocking-on.html
Update: Added setting of socks_remote_dns
The big news:
“We are stopping all collection of website addresses for the development of this new product,” Telstra said in a statement.
This does not change their association (and presumed financial support) of Netsweeper, helping make its technology affordable to its government customers who use it to suppress free speech and access to information.
This post inspired by https://twitter.com/BernardKeane/status/217535549731389440
So, we know that Netsweeper is used by Telstra - http://www.zdnet.com.au/telstra-logs-customer-history-for-new-filter-339340337.htm
We know that Netsweeper is used in Qatar, the UAE and Yemen ( http://en.wikipedia.org/wiki/Internet_censorship - see also http://www.guelphmercury.com/news/local/article/577673–aiding-repression-or-just-doing-business ) and these states use it to suppress free speech and access to information.
The majority of countries that implement suppression of free speech on the internet could not afford the high cost of developing such software. The only thing that makes it possible is the subsidies from companies in the free world. With Telstra using Netsweeper, they directly contribute to the development costs of this software.
In years gone past free speech was suppressed by members of secret police and guns. Now you can do a lot of that with software. Software that is made affordable because the development costs are shared with companies such as Telstra.
See also my last two posts on the topic:
I’d suggest going and reading: http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/ to learn a bit about anonymization failures.
What we know:
- Telstra has the ability to monitor every URL you visit on a NextG connection
- Telstra is, in fact, monitoring every URL you visit through your NextG connection and piping that to some computer system that then takes action on it.
- None of this was disclosed to customers.
- Telstra is building a system for censorship.
What we don’t know:
- If this is a violation of any Australian privacy law (I’m not a lawyer)
- Who else has access to this “anonymised” data (hellooo US legal system)
- What universal surveillance infrastructure they have running
Update: this is a followup from yesterday’s post: http://www.flamingspork.com/blog/2012/06/25/on-telstra-tracking-nextg-http-requests/
http://lists.ausnog.net/pipermail/ausnog/2012-June/013833.html and http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx were recently published saying that Telstra NextG users were seeing some interesting things. (Yes, there’s a Whirlpool post too, but since they block requests from Tor I’m not going to link to them)
Basically, on their servers they were seeing HTTP requests to the same URL as they had just visited with their phone, but from an IP address that certainly wasn’t their phone.
I started to investigate.
I put up a simple HTML page on a standard HTTP server and then got a NextG device to query it. I saw a log that came from a TELSTRA owned block of IPs. I didn’t see any suspicious second request though. Sadness.
Turns out you have to request the URL twice to get this other request. It is after this second request that you get a query from a Rackspace/Slicehost IP (cloud provider, so it is unlikely Rackspace itself is involved any more than as a Cloud provider) with the same URL (although via HTTP/1.0 instead of 1.1). On a subsequent request, I didn’t see a corresponding one from this IP. Also, when accessing this URL from a different NextG device, I did not see a request from the Rackspace/Slicehost IP block.
If I change the content of the file and try to fetch again, it doesn’t download it anew. This suggests that there is not inspection of the content of what’s coming back from the HTTP server.
The User Agent pretends to be Firefox running on Windows. I have not yet found out anything specific about it.
What can we learn from this?
- If you think that putting a URL up and only telling 1 person about it is private you are very, very, very much mistaken
- Telstra is quite possibly spying on you, from servers in the USA, which is under a different set of laws than if it was done in Australia.
- Telstra is sending what websites you visit on your NextG connection to the USA. If you are at all involved in anything that may make the US government unhappy (e.g. disagreeing with it) this may have interesting implications. Further research is needed as to what exactly
- Telstra keeps a record of all URLs as otherwise it could not implement “on the second request”
- The iPhone needs Tor more than ever and it needs it on a system level.
Update: I have been pointed to http://v3.mike.tig.as/onionbrowser/ which is an Open Source Web Browser that uses Tor on iOS.
So… having secure SMS really isn’t hard. Onec upon a time you may have been forgiven to think that your SMS messages weren’t recorded forever by telecommunications companies or various government agencies, but those times have long passed. At the very least you should be concerned about somebody getting hold of your phone and going through all your SMSs (phones no longer just store 20 messages).
TextSecure (Free and Open Source Software up on github) does both local encryption (messages are encrypted on your phone) and over the wire encryption. That’s right kids – you can send encrypted text messages to each other.
It’s a drop-in replacement for the built in Android text messages application, so it all “just works”.
No, You Can’t Do That With H.264 is an excellent write up of how H.264 (“MPEG-4″) is fraught with problems that you just would not have if using Free (as in Freedom) formats such as Ogg Vorbis and Theora.
It is amazing that Final Cut “Pro” cannot actually be used to create H.264 content for commercial (i.e. “Pro”) use!
It’s the same for MPEG-2.
Oh, and if you use it to decode video that was encoded by somebody without the proper license… well, then you’re also screwed. How the heck you’re meant to work that one out I have no idea.