I can't figure out if the client id is supposed to be the token name when you create that in the control panel? I can't get it to work either way.
sudo pip install markupsafe

in a fresh Ubuntu to get it going for DO

TASK: [genesis-digitalocean | Get the latest 'Debian 7.0 x64' image ID from the DigitalOcean API] ***
fatal: [127.0.0.1] => a duplicate parameter was found in the argument string ()
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit @/root/digitalocean.retry
127.0.0.1 : ok=4 changed=3 unreachable=1 failed=0

See:
For now, Streisand can execute on any standard Debian 7 server and configure it appropriately. It only needs an open SSH port and an account on the system with root permissions. AWS, DigitalOcean, Linode, and Rackspace are the options it supports for creating a brand new server from scratch as well.
The use case is to make it easier for people to set up servers that allow individuals who live in countries where the Internet is being blocked to circumvent these restrictions.
"Silence censorship" is meant to be sort of funny, but the idea is that censors have had it too easy for too long, and an automated and repeatable method of setting up an anti-censorship server can help change that.
"Automate the effect" is meant to reflect the fact that you can start as many of these servers as you want. If a country starts censoring the Internet, more servers will spring up in response.
I hope these explanations make sense. I will try to figure out a way to make the README more clear.
I found what you wrote in the above comment way clearer than the README :)
I want to read "more servers spring up in response" to mean that the program automatically detects censorship using proxies in each country (or some other magic?) and creates new servers if it detects blockages, but I have a sense that that would be too good to be true...
I meant that people can easily start more servers when a censorship event happens.
Could the suite of things installed by this software package be used as a profiling vector in the future? How could that be avoided if so? I know that your userbase is slim now and mass profiling probably doesn't apply yet, but it's something to consider.
Are the installed defaults known to be sane and secure? That's another huge worry when the configuration is taken out of my hands initially.
Sorry for the worrisome comments. I like the idea,
I intentionally made it really easy to override the default values that I chose for port numbers. It wouldn't be difficult to mix those up in the future, if necessary.
I did my very best to make sure that I was configuring things in a secure way. My approach to installing OpenVPN involves several additional steps that harden its security, like setting up an HMAC firewall and changing the default cipher from Blowfish to AES, for example. I take this seriously and I want to do it right. I'm looking forward to getting contributions from the community too.
I think that automation has the potential to significantly increase security because painful tasks that might be tempting to skip when someone is setting things up by hand can become painless. In an ideal world every task can be performed correctly and repeatedly.
I also did my best to fully document every single action that is taken. You can see what is happening at all times throughout the process. Ansible's syntax is also very readable, so you can examine the steps before you run anything too. I am optimistic that things will only get better :)
When it's a distribution, we can all contribute bug fixes.
Security vs obscurity is bad!
It's worth pointing out that most of the services Streisand sets up have already been configured with countermeasures against passive scans. For example, Shadowsocks doesn't respond with any identifying information at all unless you have the proper symmetric key, and OpenVPN will drop all traffic immediately if the connecting client can't sign its requests properly for the HMAC firewall.
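As an added illustration (not Streisand's own configuration, nor anything posted in this thread), here are the two OpenVPN hardening steps described above, the HMAC firewall and the switch from Blowfish to AES, shown as OpenVPN 2.3-era server.conf fragments with the default-reliant version beside the hardened one; file names such as ca.crt, server.crt and ta.key are assumed placeholders.

```conf
# Added illustration, not Streisand's config. OpenVPN 2.3 defaults to
# cipher BF-CBC (Blowfish) and feeds every incoming UDP packet to the TLS
# stack, so a scanner can elicit a handshake response without any key.

# --- weak: relies on the defaults ---
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# no "cipher" line  -> data channel uses BF-CBC
# no "tls-auth" line -> unauthenticated packets reach the TLS handshake

# --- hardened: the two changes described in the thread ---
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC firewall: every control-channel packet must carry an HMAC computed
# with the pre-shared key in ta.key; packets without a valid HMAC are dropped
# before any TLS processing, so unkeyed probes get no reply at all.
# Generate the key once on the server with:
#   openvpn --genkey --secret ta.key
# The server uses direction 0; each client config uses "tls-auth ta.key 1".
tls-auth ta.key 0
# Replace the Blowfish default with AES on the data channel
# (the client's "cipher" line must match).
cipher AES-256-CBC
# Stronger HMAC for data-channel packet authentication (default is SHA1).
auth SHA256
```

Clients need the matching `tls-auth ta.key 1`, `cipher AES-256-CBC` and `auth SHA256` lines, and ta.key must be distributed to them out of band along with their certificates.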
Any plans to integrate AAA with radius or similar? Any plans for squidproxy?
Also, I'm planning on working on a tool to easily deploy Tor hidden services as soon as I get some time. I think there's value in that aspect of your project alone -- maybe consider breaking it off on its own.
I considered using Squid somewhere in Streisand, thinking that it might be a nice feature for mobile users in particular. However, one of my main goals with this project was to set up servers that didn't log any information under any circumstances about the sites that clients were visiting or their IP addresses. A caching proxy by definition is going to have to store some of the assets that users are requesting, so I abandoned the idea. Perhaps you are using it differently though?
I appreciate the feedback! By the way, your email does not appear to be in your profile.
so you can just do

docker run -i -t streisand

That's not to detract from the functionality it does offer; just making sure people don't get the wrong idea.
Or get a host with some form of anonymous payment, like Bitcoin.
One thought, you ask for AWS credentials. Mine are already stored in ~/.aws/config for use in the official aws cli which I think I recall wraps boto. It would be nice if the streisand setup could figure that out for me.
I like the approach, although it requires a little more know-how to set up. What would be really cool (if not already in) would be to ask the user which services they want to run on setup. Not everyone will want/need to run all the services, and running extra services may make it easier to compromise an instance.
Jlund - if you feel like it, take a look at the lahana code[2] and if you feel like implementing a VPN-Tor routing bridge feel free to use what you like. Drop me a message if you get stuck. I don't have a lot of free time but will help where I can.