The tool, ProxyHam, is the subject of a recently canceled talk at DEF CON 23 and its creator has been seemingly gagged from speaking about anything related to it. Something's off, as this doesn't seem like a typical cancellation.
[NOTE: Updates to this story are on page two.]
Privacy is important, and if recent events are anything to go by – such as the FBI pushing to limit encryption and force companies to include backdoors into consumer oriented products and services; or the recent Hacking Team incident that exposed the questionable and dangerous world of government surveillance; striking a balance between law enforcement and basic human freedoms is an uphill struggle.
Over the last several years, reports from various watchdog organizations have made it clear that anonymity on the Internet is viewed as a bad thing by some governments, and starting to erode worldwide.
Whistleblowers, journalists, human rights activists, or anyone who wishes to express their opinions against the state are being tracked and targeted by the very governments they're discussing or protesting.
The documents leaked by Edward Snowden prove that privacy is a basic right that's easily dismissed by some governments, and the Hacking Team incident shows there's a booming business market in helping them succeed.
Organizations such as Hacking Team or Gamma International have developed the tools and tactics needed to help oppressive governments, enabling them with the ability to track people no matter their location or how they connected to the Web.
While tools such as Tor or VPNs can help, the problem is that once a person's IP address has been linked to a physical location their anonymity ceases to exist.
Given that governments often control the infrastructure being used, unmasking people in this fashion has only gotten easier over the last decade or so.
While it is true that criminals can be flagged and arrested using pinpointing techniques and lawful interception tools – and that's a good thing – normal citizens expressing their basic human rights are also targeted and arrested (including journalists), which is horrendous.
Not every government is guilty of such acts, but several of them are, and that's why it's important that people be empowered to speak freely and to do so anonymously if there's a need.
Designed to augment existing privacy tools, ProxyHam is a Raspberry Pi computer with Wi-Fi enabled. There's three antennas; one is used to connect to a public Wi-Fi network, and the other two are used to transmit Wi-Fi signals over a 900 MHz frequency.
By using a 900 MHz radio, ProxyHam can connect to a Wi-Fi network up to two miles away, and blend-in with traffic on that spectrum. So if the person using it were to be tracked via IP address to a physical location, all anyone would find at that location is the ProxyHam box.
Caudill had planned a talk at DEF CON 23 centered on ProxyHam, which would've included a demonstration and the release of full hardware schematics, as well as source code. While everything needed to develop a device would've been offered, pre-configured units were planned for sale at a cost of $200.
On Friday, the talk was canceled. Caudill was vague in his responses to the public. Based on brief public remarks, it's clear that he cannot speak about the topic or explain further.
In fact, all he can say is that the talk is canceled, the ProxyHam source code and documentation will never be made public, and the ProxyHam units developed for Las Vegas have been destroyed. The banner at the top of the Rhino Security website promoting ProxyHam has gone away too. It's almost as if someone were trying to pretend the tool never existed.
Talks have been canceled at DEF CON before. So in that sense, this talk isn't the first and it won't be the last.
However, given the topic, the nature of the tool, and the current privacy climate – it's a strange coincidence that a tool with such value and usefulness would be promoted and then removed from the public.
I don't believe in coincidences.
Could have Caudill changed his mind? Yes, but that's unlikely, because he was excited to release this tool and share the information with the public and protect those who are most at risk for using their voice.
Therefore, while it is pure speculation on my part since no one can speak on record, it would look as if a higher power – namely the U.S. Government – has put their foot down and killed this talk.
It isn't perfect, but a tool like ProxyHam – when combined with Tor or other VPN services, would be powerful.
Such a combination would make tracking dissidents or whistleblowers (even with custom malware or tools from the likes of Hacking Team) increasingly difficult the more that ProxyHam was developed.
In fact, while the first version offered strong support to existing privacy tools, further developments were planned that would've not only improved things, but made them more affordable.
While the chance for abuse is also a valid point to make, and law enforcement certainly would, criminal elements have abused VPN and Tor before, so that's not a strong argument. Honestly, criminals have been twisting legitimate tools and resources for their own gain for quite some time now.
At the same time, that criminals could abuse the tool is the only argument a government needs to make.
When faced with legal threats, most researchers will bend because there's no other option available to them. No one wants to face fines and jail time over code.
Caudill isn't talking, and clearly he can't. Offering his apologies in an email when asked for comment, he responded to questions by repeating what was said on Twitter:
"...ProxyHam development would cease immediately, all existing units and prototypes destroyed, no further information or source code would be made available, and the DEF CON talk on whistleblowers and anonymity would be cancelled..."
Again, ProxyHam was under development for more than a year and Caudill was excited for it to go public. Now that's all gone, and there's nothing to suggest this was his intention.
Rather, given the state of things as they pertain to privacy and legal matters here in the U.S., it appears that his hand was forced – legally – complete with gags and destruction orders.
If a government agency killed this project, then it's a sad day for privacy and security research.
Salted Hash as reached out to DEF CON to see if they can offer any additional details. Updates to this story are on page two.