I'm not usually this nervous when I write. I'm about to share something I've invested two years of work into with the world. Something that is not kosher to a great number of people. I have a great deal of ethical concerns around this as I don't understand the maturity of the human condition. We are capable of making incredible things, the Internet, the atomic bomb, firearms, and medicine, and yet do we let these things make our lives better or worse? Do we harm ourselves with our ingenuity? Is our push for bigger, faster, smaller, actually moving us somewhere? Or perhaps we're just hamsters spinning the wheel, thinking it's going faster and faster. And maybe it is, but our actions are every bit as insignificant. Worse yet, maybe the faster the wheel turns, at a point, our abilities destroy ourselves.
I want to share what I've been up to for the past two years. Some of you know that I've been up to a couple things, and that is true. There was something else I was working on. If it didn't take up more of my time, it certainly took up more of my mental energy. A couple years ago, give or take a couple of months, I had launched my fourth Bitcoin accepting service. I was living with a very kind friend spending $400 a month renting a room in his house. I made money doing odd jobs, from working on motorcycles, scooters, painting, and even Postmates for a brief period of time. I also wrote and published a book, Fifty-two. Normally, I do fairly well financially being in software/systems engineering. Going from that to nothing was a bit of a jump, and pinching my finances was a good experience for me. Actually, it was one of the happiest moments in my life. The dynamic life was enjoyable, but I wanted more steady income and something "autonomous".
My latest attempt at making more money was SporeStack, which unlike my first three Bitcoin accepting services, had customers in the first week. Bitcoin blogs and The Register picked up on SporeStack which helped drive interest. With all of the traffic to SporeStack and my blog, someone saw my post looking for half-time, half-pay remote work. I don't know who this person is, still to this day.
This person had me work on a project which they envisioned. Interestingly as I found what it was, I saw that it was very much along the lines of things I had imagined prior. The project was largely to kill many birds with one stone, and naturally I led in a particular direction with it. This evolved in time and I was paid to solve some of the most interesting problems I've ever heard of. Sometimes I would get an assignment that sounded like science fiction at the beginning of the week, and I had a working prototype at the end of the week. Working for an anonymous figure is confusing and took a long time for my mind to come to terms with. I've wondered many times if I've been working for a three letter agency, a crypto anarchist millionaire, or Satoshi Nakamoto, himself. I don't know if any of these are true, but the anonymous friendship has been interesting to say the least. I am very grateful for the job, especially working on something that seems so much up my alley, and more so for the push to finally do it. At different points I had accepted my fate as living a somewhat calm and collected life. This does not help push me in that direction.
I could write on and on about this in some story-esque way. This thing I've been working on has been at times a huge burden on my shoulders. And it's not just one thing, sometimes it's concepts. There's many parts to the whole that I believe are unique, powerful, and not yet tapped into.
I'll try to name the sum of the parts. Well, I guess I have some time ago. While I was a vagabond, driving across the country, working from motel room to motel room, paying for my life with Bitcoin, I just called it Vagabond Workstation. You don't have to be a vagabond to use it, but the name has stuck thus far.
It's, in a nutshell, a Linux distribution designed to enable a user to have multiple identities with zero crossover and run anonymous corporations or services. Something like that.
In other language, it's like TAILs on steroids. It's different than Qubes/Whonix, maybe inferior in some ways, though sadly I've never run either.
SporeStack has been powered by this for some time and I've been unable to consider having anyone look at the core code without exposing the thing as a whole. So now, I open source perhaps 80% of SporeStack with this.
There's a number of innovations and ideas that make this up. I'm not sure where best to begin.
brainvault, is the tool and concept of generating as much as possible deterministically. Let's say you were kidnapped and tossed into a city on a different continent. Your online persona has been removed, your online backups, etc. You remembered one phrase. How much does that get you?
Bitcoin cash wallet
Deterministic password manager
That's without storing any data.
brainvault makes it easy to register with MEGA.nz and upload your home folder there, and subsequently retrieving it. I can retrieve my data with one command, at least what's most important to me. I can do it from any machine with Vagabond Workstation installed.
The username generation is something I've never quite seen before. At some point, it'd be good to update it so you can provide your own username. But at the moment, you might want to try a few phrases until something sounds cool to you.
    $ brainkey public ManyPasswordSuchWow
    drumbeatdecadence03
    $ brainkey public ManyPasswordSuchWow1
    plutogetaway50
    $ brainkey public ManyPasswordSuchWow2
    slingshottelephone75
    $ brainkey public ManyPasswordSuchWow3
    blackjackfrequency05
I guess I don't need to get too detailed with this, but your Bitcoin wallet, public username, etc, are all derived from a heavily hashed version of your passphrase. Thus, your "password" for Bitmessage, walkingliberty, etc, is 64 hex characters and from a very intensive hash function to begin with. And if say Bitmessage was compromised, it's from a different hash than say your Bitcoin wallet, so they should be kept isolated. I would reckon that in terms of bruteforceability, brainvault-derived Bitcoin, Bitcoin Cash, Bitmessage, etc, is extremely difficult.
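An added illustration of the derivation described above, not brainvault's own code: the passphrase is stretched once with an expensive hash, then each service gets its own labelled hash so a leaked secret for one service does not reveal the others. The use of scrypt and HMAC-SHA256, the parameters, the labels, the fixed salt and the word list are all assumptions made for this example.

```python
import hashlib
import hmac

# Constructed word list for the demo; a real tool would ship a far larger one.
WORDS = ["drum", "pluto", "sling", "black", "amber", "cedar", "delta", "ember",
         "beat", "away", "shot", "jack", "field", "grove", "haven", "ridge"]

# Nothing is stored, so the salt must be a fixed public constant (assumption).
# All brute-force resistance therefore comes from passphrase entropy and KDF cost.
SALT = b"brainvault-demo"


def master_key(passphrase: str) -> bytes:
    """Stretch the passphrase once with a memory-hard KDF (scrypt, ~16 MiB)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=SALT,
                          n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def service_secret(master: bytes, service: str) -> str:
    """64 hex characters per service; the label provides domain separation."""
    label = b"service:" + service.encode("utf-8")
    return hmac.new(master, label, hashlib.sha256).hexdigest()


def public_username(master: bytes) -> str:
    """Two words plus two digits, derived under a label no secret uses."""
    d = hmac.new(master, b"public:username", hashlib.sha256).digest()
    first = WORDS[d[0] % len(WORDS)]
    second = WORDS[d[1] % len(WORDS)]
    return f"{first}{second}{d[2] % 100:02d}"


def derive_identity(passphrase, services=("bitcoin", "bitmessage", "walkingliberty")):
    """Everything below is reproducible from the passphrase alone."""
    master = master_key(passphrase)
    identity = {s: service_secret(master, s) for s in services}
    identity["username"] = public_username(master)
    return identity


if __name__ == "__main__":
    for name, value in derive_identity("ManyPasswordSuchWow").items():
        print(f"{name:15} {value}")
```

Because the per-service values come from a one-way function keyed by the master, knowing the Bitmessage secret gives no shortcut to the Bitcoin one; an attacker still has to guess the passphrase and pay the scrypt cost per guess.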
Now, these memory-based identities that you carry around in your head can be deployed to any number of identity_vm's that you run on your system. They run on separate Tor processes entirely, with DNS and all traffic either dropped or pushed through the Tor network. The isolation is such that your VM should not be able to know where it is, and if someone had root access to that VM and another of yours, they would not be able to correlate the two VMs (other than maybe through timing analysis of files and/or management commands, which are issued with unique SSH keys).
Which brings us to keyplease, a simple way to generate SSH keys per host. These keys are not deterministic. Let's say you wanted to launch a server on SporeStack. You could use your regular key, which allows myself and perhaps Digital Ocean or others to determine that the same user launched two different servers. Or you could have a different key per server, then replace it once you configure it with automation.
Or if you really wanted to hide your tracks, you could make the disk useless for inspection. But how do you do that? The hedron.one_time_filesystem state. gocryptfs with randomly generated keys on the most important/interesting folders and mount points. Coupled with some being tmpfs (/root, /home/user, /tmp), it makes for a server that won't come back after a reboot, but for the most part should leave no trace on disk. Whether you're trying to protect your intellectual property, protect your family photos, or keep from leaving a trace with whatever you're running, this may not be a bad idea if you can live without reboot persistence. The alternative is quite a bit more difficult, and this allows for "securing" a system from disk inspection that's already running in an easy way.
Now let's say you're sick of hitting captchas everywhere using Tor. Another innovation is using a SOCKS proxy on a clearnet VM to browse, exiting out of that VM rather than a traditional Tor exit. To improve speed, the hidden service is non-anonymous (because the service doesn't care if it's found, only the user), and for security, it's a V3 service. I have been using this for well over a year, having most of my browsing go through Tor and exiting out of one of my VMs. It works really well on the whole. Obviously more for maintaining a consistent identity than general browsing where you just want to cover your tracks.
There's been a number of features and rewrites and things found not to work well, so going back to the drawing board. There's some handy utilities, like a distributed rqlite backed basic numbers database (hedron.settlers_of_cryptotan), salt wrappers, testing interfaces, etc, etc. An installed identity_vm comes with the tools needed to develop the workstation, as well.
I know I've been rambling. I think I'll write another post about the ethics of anonymity as I've thought a lot about that. For now, I hope this spreads more good in the world. Now, maybe it will be used for more evil than good. Some day, perhaps it will be one of the few ways to share free thought and participate in free markets. I hope Tor in general changes from a tool for vices to a tool for liberty. Of course, liberty is hopeless without responsibility.
If what I said did not make sense and you want to browse Tor, TAILs is probably for you. If what I said made a little bit of sense and piques your interest, maybe it's worth poking around. It's built on Debian Stretch with heavy use of SaltStack and Python. This is currently geared towards a Tor user who knows what configuration management is, knows bash, and uses a tiling window manager.
Keep in mind, this could use a security audit. And this could be a honeypot. I'd like to write more about why I decided to put my name in association with the development of this, but that will come later.
"I'm too impatient for Tor and want to be tracked": https://vagabondworkstation.github.io/