As one of the overall goals of the agency is to enforce the fractal cipherspace, it is of vital importance that the basic building blocks of secure ciphers are communicated to internauts. So, in this little text I will introduce the CLAMP technology, which has been researched by the agency in various setups. Also, I strongly recommend anyone to participate in the Telecomix Cyphernetic Assembly, where you have the opportunity to get a free training in cipher communications. No matter your previous skills, we will make sure you learn the theory and practice of secure communications!
Now, what is the CLAMP? It is not a shellfish, even though the inhabitants of the oceans are our friends. No, the CLAMP is a further development of the software bundle LAMP, which stands for Linux, Apache, MySQL, PHP. The LAMP was a vital building block for the full realization of the computer world view of politics, and gave internauts the software needed to install one of the strongest interactive web-servers available to humankind. LAMP servers make large sections of the internet run smoothly, every day, and it has almost become a gold standard in commercial as well as community applications. And it runs all of free software.
Then came internet surveillance, data retention, internet censorship, Google/Skynet, Hatebook and iPads. The interwebs became harsh environments, where politicians and enterprises strived towards a vanilla internet; the networks were supposed to be ”clean” and computer programs were supposed to be ”apps” bought in a TV-shop style store. Some of these changes were harmless, others fatal. Egyptian bloggers were arrested, Iranian netizens were tracked down, Chinese dissidents were silenced as the European economies looked the other way… it is a long and sad story, but instead of protesting and screaming, some internauts began working on solutions.
One of the most advanced solutions to the problem of the dangerous vanilla internet, soaked by government and corporate surveillance, is the I2P-darknet. I2P is basically an internet inside the internet, which means that almost everything that you can do on the regular interwebs can be done inside the encrypted and routed I2P-network. With I2P, cyberspace becomes cipherspace, and properly exploited, this system can be used to create an autonomous network without the limitations of the vanilla interweb.
But it takes a little effort. If you just want to surf the I2P-network you have to learn how to use the I2P router, which runs on almost any system. But to really build services, you will need to face the CLAMP, the Cipherspace-Linux-Apache-MySQL-PHP war server.
Let me present to you a sketch on how to build a CLAMP. It is written from the perspective of a non-advanced user, since I’m not very good with computers really. I’m just very angry with the treatment of the internet nowadays, and that energy can apparently be used for better purposes than protesting the leaders of our societies. So I kind of force myself to learn stuff instead of ”having opinions”. Here we go:
Step 1. – Setting up a basic crypto-system
Find a computer, anything less than ten years old will do the job. Be amazed by the fact that you are looking at an advanced crypto-device which can be used to tear down corrupt regimes used properly!
Then you need an operating system that conveniently comes with the basic LAMP software and disk encryption. The latter is important in case your physical system gets compromised. I recommend Debian Linux since it runs on most hardware and has everything you need. While installing the base system there is one very important thing that will make the first step towards a CLAMP system – you need to select LVM disk encryption. This takes a little time, but let the installer do this overnight. Use a very long password and don’t forget it. Your harddrive is now encrypted and the data you store there can only be accessed by you. Maybe some advanced intelligence agencies can crack it, but at least you have made it very difficult for them. As the installer proceeds, you tell it to install also Apache and MySQL, and de-select a graphical user interface. You won’t need it.
Step 2. – Securing internetworks and setting up sites
Since the I2P-network runs inside the existing internet, you don’t actually need your server to ever go on the ordinary interwebs. You can have it go straight into the darknet!
Following this video-tutorial you will learn how to install the I2P-router on a debian system. The I2P-router already comes with another web server called Jetty, and if you just want to get a basic web page up and running quickly, you can simply follow this video-tutorial.
However, I kind of like Apache as a web server. It is of course a personal taste of mine, but I find it easier to use because I can find most answers to my questions simply by searching on the internet. With Apache you can set up multiple sites easily, and you can use the full benefits of the MySQL database.
Now, what differs a LAMP from a CLAMP is that an ordinary LAMP would simply have an IP-number on the internet and listen to the default port 80 for web pages. With the CLAMP you have to dig tunnels. Your I2P router is up and running, and it slowly integrates with the darknet. To connect Apache to the network you will have to point a tunnel to port 80, or any other port that you set it to listen to. The video-tutorial above showed you how to do this with Jetty, and basically you do the same thing, but instead of pointing the tunnel to the default Jetty port, you make it go to port 80.
To set up a new apache site, you need to add it to /etc/apache2/sites-enabled by writing a file called thenameofyoursite.i2p in that directory. Here is an example file:
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
CustomLog /dev/null combined
Then you copy this file to /etc/apache2/sites-available and you put your html-files (or whatever) in /var/www/nameofyoursite.i2p/. Then you reload and restart apache with the following commands:
Now you are almost done. The video tutorial showed you how to add a tunnel. It now has a 500 character long address, which is not very convenient. By adding that to one of the address-books in I2P, such as stats.i2p, you can add nameofyoursite.i2p to a general address book, and you also get a base32-url which is a bit longer.
Now you have a CLAMP; the full benefits of the coolest web server around, with added cipher capabilities. Yoursitename.i2p can not be physically located since it uses the I2P-address system rather than vanilla internet IP-numbers. People visiting your site can not be intercepted since all traffic is encrypted. If your computer gets confiscated, it can not be read since the disk is encrypted, and you will not reveal the identity of the users who have visited your site, since there are no Apache log files, even if the encryption was compromised (this feature is described in the Apache configuration file above, where all logs go to /dev/null/, which means that they are instantly erased).
This is a sketchy description written for educational purposes. I want to end this little story with an important disclaimer: Setting up a system like this is still work-in-progress research. There are numerous security concerns with a system like this. The LAMP was never designed with cipherspace in mind, it was developed for plaintext communications on the open internet. Apache, MySQL and PHP are full of security holes that may reveal your identity to someone with bad intentions. There is no such thing as a bullet-proof system, and a setup like this needs constant review to function properly. So, use this with great care.
However, cipherspace computing in any forms are the active means of securing communications. We don’t have to ask our leaders to guarantee our privacy and the free flow of information. We can create networks that endure even harsh environments.
Update: On IRC my fellow internauts told me about security holes especially in Apache, which I warned for above. For example running multiple i2p-sites may be a security concern, because an advanced intruder can determine that if you run site1.i2p you also run site2.i2p. Thus, running mypersonalblog.i2p and mydissidentblog.i2p can be hazardous. Also there is a page in i2p for camouflaging Apache here.
Please comment on this post for more vulnerabilities!