As I wrote previously, I started a work-from-home internship with the Open Technology Institute last Wednesday. The project I was placed with has me working on boosting privacy and anonymity in wireless mesh networks. I spent some time orienting myself with the task and organizing my thoughts.
Commotion mesh nodes are capable of being configured to enter directly into the Tor network. We need an intern to configure, package, and document the process of making a tor-entry node. If the intern completes this task within the time frame they will have the opportunity to tackle custom configurations that will allow for Tor exit nodes on the mesh that allow small bandwidth Tor traffic from elsewhere to be run over the network to further obfuscate it.
Great! So… what does that mean? This was a good exercise in self-management and breaking a project apart into achievable bits. I started with some clarifying questions.
- What is Commotion and what does it do? For whom?
- What is Tor and what does it do? For whom?
- What is the advantage of combining them and who would be interested in using such a tool?
What is Commotion and what does it do? For whom?
First, I took on Commotion. The project website describes it as “an open-source communication tool that uses mobile phones, computers, and other wireless devices to create decentralized mesh networks.” More specifically, it’s a set of customizations on top of OpenWRT, which is a Linux distribution for embedded devices and is best known for being tuned for wireless routers. It’s not uncommon for people to re-flash their home routers with OpenWRT or Tomato to get better control over how they operate. Commotion has a wide range of potential uses including distribution of Internet access, provision of community intranets, use in disaster recovery, and creation of autonomous networks in politically sensitive situations. I’ll dig deeper into use cases a little later, but it is hoped that someday Commotion could be used to make a mesh network out of whatever wireless devices people have around. This is really ambitious because wireless chipsets and configurations vary quite widely and it’s tough to build an easy-to-use system that would work in a variety of use cases on arbitrary hardware. Realistically, for development and for known use cases, OTI mostly uses the Ubiquiti brand of wireless nodes.
As I probed for background on use cases, I dug into the software itself. The tech lead at OTI, Josh King, gave me a rough sketch of how to get Commotion onto a node. You start by pulling the code with git:
$ git clone git://git.chambana.net/commotion/commotion-openwrt.git
Then run a ./setup.sh script which pulls the OpenWRT code from their SVN repository and gets all the necessary packages and config files, then follow the make instructions that the script outputs to finish the flashable image.
I built an image and just for kicks tried to flash it onto a Linksys wireless access point that we had around the house. It didn’t work, failing about 30% of the way through the upload onto the device. I did some reading and found out that the model I was working with has very little memory, so I’d have to make a custom, stripped-down build with no web GUI to make it work. We decided that wasn’t worth the hassle. But it got me reading some documentation and playing around in the directory structure of the Commotion build system.
That prepared me to spend last Monday at the OTI offices where I sat down with my project mentor Will Hawkins. He had recently spent a lot of time puzzling out the directory structure and menuconfig system that prepares and configures the Commotion image to the user’s specifications. In about 20 minutes he explained things that would have otherwise taken me hours of fumbling to figure out. He showed me how features are connected to source code and makefiles, and how to rebuild individual components of Commotion. Then, using these very clear instructions, I flashed a vanilla image onto a Ubiquiti PicoStation node that I’m using to test for the duration of the internship. With surprisingly little pain, I was able to browse to the newly flashed node and see the web interface.
What is Tor and what does it do? For whom?
When I felt like the Commotion build system was no longer a mystery, I moved on to Tor. On Tuesday, I just read the Tor FAQs. All day. I almost always find that this kind of activity, which feels very passive, teaches me more than I realize as I’m reading. I have a much better sense of the pieces of Tor, how it is and is not abused, and some of the complexities that are likely for users of a wireless mesh.
So what is it? Tor is a routing program that makes it possible to communicate over the internet anonymously and with encryption. When you have Tor loaded into your browser and you go to a website, Tor first bounces your traffic to a bunch of other computers that are also running Tor, each of which knows very little about where the traffic is coming from or going to. By the time it reaches your destination, that end point computer is not able to find out where your traffic started. Along the way, the meat of your network traffic, or the payload, is encrypted so that if it is intercepted, the contents are pretty safe from prying eyes. Tor stood for “The Onion Router” back in the misty days of onion routing work, funded by the Office of Naval Research. From what I understand, it got that name because for every node in the Tor network that your traffic travels through, there is a layer of encryption which is then peeled away at the destination.
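The layering described above, as an added Python example that is not part of the original post or of Tor’s own code: a toy circuit of three relays in which the client wraps the payload once per hop, each relay peels exactly one layer and learns only its neighbours, and only the exit relay sees the payload. The relay names, keys and the cipher are constructed placeholders.

```python
import hashlib
import json

# Constructed toy cipher: a SHA-256 keystream XORed over the data. It exists only to
# make the layering visible; it is not Tor's cryptography and is not safe for real use.
def toy_crypt(key: bytes, data: bytes) -> bytes:
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(path, keys, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer first,
    so relay path[i] can only read the layer that names path[i+1]."""
    onion = payload
    for i in reversed(range(len(path))):
        next_hop = path[i + 1] if i + 1 < len(path) else "destination"
        layer = json.dumps({"next": next_hop, "inner": onion.hex()}).encode()
        onion = toy_crypt(keys[path[i]], layer)
    return onion

def peel(relay, keys, onion: bytes):
    """Relay side: strip one layer with this relay's key.
    Returns (next_hop, remaining_onion); raises ValueError with the wrong key."""
    layer = json.loads(toy_crypt(keys[relay], onion))
    return layer["next"], bytes.fromhex(layer["inner"])

def route(path, keys, payload: bytes):
    """Walk the circuit and record what each relay could observe.
    Note that the exit relay does see the payload in the clear, which is why
    end-to-end encryption (e.g. TLS) still matters on top of Tor."""
    observed = {}
    sender, onion = "client", build_onion(path, keys, payload)
    for relay in path:
        next_hop, onion = peel(relay, keys, onion)
        observed[relay] = {
            "from": sender,
            "to": next_hop,
            "sees_payload": next_hop == "destination" and onion == payload,
        }
        sender = relay
    return onion, observed
```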
You can imagine that anonymity and privacy might be very useful to, say, a pro-democracy activist working within the national borders of a dictatorship. The Tor FAQ goes out of its way to point out that while people doing nefarious things benefit from anonymity and privacy as much as activists or regular people, criminals have better and faster tools like identity theft and botnets available to do nasty things, and thus Tor is not a great choice for bad actors. However, a legal and harmless tool for regular people to secure their online privacy is a Good Thing.
What is the advantage of combining them and who would be interested in using such a tool?
This gets into use case questions that I’ll delve into more deeply in a future post. But the type of situation that gets a lot of attention is pro-democracy protests like we saw during the Arab Spring. Commotion could be used to make a new or protected network that could bypass censors or ensure communication among users if connections to the Internet were cut off. See this New York Times article for high-level what-if scenarios. But if an authority wanted to find out who was sharing photos or information about the protests, a protected, anonymous network could prevent that, and potentially protect those people from retaliation.
So those are some of my initial thoughts to organize and guide my next 3 months of work. My general strategy is to work on a component until I know enough that a different component seems more mysterious, then work on that. A round-robin approach like that helps me build up my knowledge across a project and keeps me from getting too stuck on any one question.