So my name is Alex Nasonov. I'm a member of the NetBSD project. I work on the kernel side; my biggest project was BPFJIT, and I also added AES-XTS disk encryption to NetBSD. I also maintain a dozen packages in pkgsrc, I think several Lua packages and some random packages like Walgrain. Even though it came from NetBSD, it runs on Linux; pkgsrc is a multi-platform package management system, so yeah, it can run on Linux. I maintain a non-official mirror which is hosted on Tor. It's called pkgsrc by DJ, you know, something .onion, where you can download these files. I had to run a special program to pick a good name for it. So you can download source tarballs from there, or you can install binary packages for NetBSD, for all architectures. I basically mirror some German or French mirror of NetBSD, I don't remember which, but it's a complete mirror of packages for NetBSD, but not for...

I also became a contractor recently. I live in London, and I work on low-latency, high-performance software, in C++, assembly and low agit. It has nothing to do with this package management, but I use my pkgsrc all the time. Every time I start at a new place, I install a bunch of packages. pkgsrc allows you to do unprivileged builds, so I don't have to have root, and they eventually grow to like 200, 300 packages, just my local packages for my convenience. I also build mini-compilers and domain-specific languages. It's a lot of fun to generate assembly on the fly and execute it.

So, I have two kids, and I asked them to draw a picture of how they understand Tor, and this is my daughter's picture. She thinks... oops, I keep pressing the wrong buttons.
She thinks it's you in the middle of Tor, and you connect to those nodes, the blue rectangles or squares, which are the internet or clearnet. And the idea of Tor is: this is you in the middle, the client, and instead of connecting directly to the website you want to connect to, you go through hops, and there are three hops: your guard entry point, a middle relay and your exit. When you send traffic to those nodes, it's encrypted multiple times, and each node decrypts one layer. That's why it's called Tor, the onion router. Each node peels off one layer of encryption, and each node knows where the traffic came from and where it's going to, but because there are more than two nodes, or three nodes, it doesn't know the final destination. It only knows about its two neighbors, and that's it.

So this is if you want to connect to the clearnet or internet: you go through three hops in the Tor network. But if you want to connect to a hidden service like my pkgsrc-by-DJ-blah-blah-blah.onion, instead of going to a website you go to a rendezvous point, and this is where your client meets with the server, with that hidden service. Both parties connect to the rendezvous point through hops, and this is where they meet, and this guarantees privacy while maintaining the real-time characteristics of the Tor network.

And the next picture is by my son. He draws some people around the globe, or Tor, sending messages. I mentioned that for sending messages you don't need real-time, you can use mixnets, and then he asked, can I put mixnets inside Tor? I said yes, you can, and that's why you see this MN, mixnets, but it's a different concept.
Yeah, so this slide, I decided to finish it at the very last moment, but instead of putting all my thoughts together I spent all this morning troubleshooting some interesting problem, because I want to give you a live demo and I couldn't do it in the morning, but hopefully it will work. So it's not very organized, this one.

So, if you install packages over clearnet, every time you download it's observable, so whoever is watching you knows that you connected to netbsd.org and they know your IP, and if you connect over plain HTTP they see the content: they know what software you downloaded and what versions, and whether that particular version is vulnerable or not. If you use HTTPS they see a connection from your endpoint to the website, but they don't know the content of it. But they still see the sizes of your downloads, so they can guess which package you are downloading. And also there are things called middleboxes: essentially some companies can buy a certificate, a valid certificate, specifically to sell products which intercept HTTPS traffic. Because HTTPS is centralized, it's possible, and it's quite common in corporate environments, to have middleboxes which listen to and intercept your traffic, because you're not going to check every time; you're not going to open a long list of certificates and check which particular certificate you use and whether it's good or not so good.
So, yeah, that's essentially a man-in-the-middle attack. They can not only intercept, well, interception is a bit different, it's passive, but they can also insert themselves in the middle and send different traffic, like a different version of software. Besides it being observable, my friend suggested hosting a mirror: instead of downloading only the packages you're interested in, he suggested downloading the whole thing, like 20 gigabytes of packages or whatever, and then installing what you need. But if you do rsync it's also incremental, and they can observe deltas and stuff like that, so it would be nice to hide your activity from whoever is watching.

So, yeah, this gives you anonymity. When you connect through three nodes, if they cannot all be observed, like if it's some local enemy, whatever you are fighting with, if they don't control the whole network of the world, then it's very hard to track, because you jump through hops. And also if you download something from a hidden service, the name itself is a proof of identity. When you create a hidden service it creates a private key, and the name of that service is derived from the private key, and if you know the name, it's a proof that whoever is on the other end owns the private key. If you can trust the security of the private key, you can trust your connection, because it's end-to-end encrypted multiple times. Yeah, I think that's it. Unfortunately I wanted to put something else here, but I spent a lot of time troubleshooting.

So, prior art. On Debian you can install this apt-transport-tor package, and also some derivatives, I'm shortly going to mention Tails, which comes with this software pre-installed and pre-configured to download everything via Tor. And on other Debian, if they have this package, you can just add... I'm sorry,
I don't use Debian, I don't use Linux, I don't know much about it, but I think that's pretty much it. If you want to connect over Tor or manage packages over Tor, then I think that's probably the only option available to you. One thing to note is that it requires a non-standard tor+http scheme or protocol here. It's probably something simple, I've not looked at it, but usually if you have a non-standard scheme here, then you expect some special handling for it somewhere in your stack. So ideally it should be just HTTP, because you can trust HTTP over Tor, because the names themselves are proofs of identity, and this is not centralized, it's decentralized.

So what is pkgsrc? pkgsrc is a cross-platform package management system. It runs on NetBSD, where it came from. It runs on Linux, and I use it because, you know, I've used it for about a modern decade at Dejo. And macOS: I tried it, it worked, but I don't use Mac. FreeBSD and OpenBSD, other BSDs, Solaris, and it works on Windows, and historically I think it worked on, I forgot the name, it was Unix Services for Windows or something like that. But these days you can install Ubuntu, and this is what I did; my presentation is based on this setup, on Windows. So this is Windows, which is quite unusual for me, because I bought it only a few months ago for one particular task, but when I discovered Ubuntu it became so much fun I can just keep using it, I guess.

So yeah, what you need to start managing packages over Tor: you need Ubuntu on Windows, or you can use the Tails live CD. I tried both, but I used Windows for the presentation. You use Tor Browser; basically from the Tor Browser you only need the SOCKS proxy, but because it's on Windows it's much easier to just launch Tor Browser, which will give you a proxy, and then you can do your stuff, instead of trying to find and download the service which provides a proxy. Maybe it exists, but I'm not bothered, I just use Tor Browser. And a nice side effect, if
you use Tor Browser, if you close the Tor Browser, all your connections will close, and you can check whether you're connected via Tor or not. You also need to understand the basics of pkgsrc; you can go to pkgsrc.org and read the guide. This is what I did a long time ago, I just read the whole thing to understand what it's capable of and how to work with it.

So you need to prepare your host, because you're not doing it on NetBSD, you're doing it on something else like Linux, Ubuntu, Windows. You need to download some compilers, libraries, not many, just a couple of libraries. Then you need to clone pkgsrc over Tor, then bootstrap to create a minimal working pkgsrc system, then build essential packages, and then build other packages. Yeah, and then, once you build all packages, you can host your binary packages on a hidden service, and then you can download and update your binary packages over that hidden service. This is what I do. I have a server at home which builds packages for my notebook, not this one, because this one is on Windows, my other notebook, and for my Tor relay and my main web server, DNS server and soon mail server. It's all updated over Tor from my server in my house. I don't even need an external IP for that.

So yeah, first you need, well, it's a good idea to update your host environment first. If you do it on Tails it will already download everything over Tor; on Windows it will be visible, but you know, it's not the end of the world. Then you can install essential packages like the GCC compiler, C++ compiler and ncurses development, because it needs some header files and stuff. Yes, CVS, it's a concurrent version control system, it's very old, don't laugh at me. There was a talk, York gave a talk earlier today about migrating to something else, but it works. And then you need to install some tool to download your source tarballs, and you need
a tool to connect to a SOCKS proxy, so this tool gives you those two abilities. So yeah, in order to start using CVS or anything else that connects to SSH, including SSH itself, you need to add a special proxy command to your SSH config file. It can be global or local; in this case it's a local file, and it's only for *.netbsd.org and for all onion services. When you want to connect to one of those hosts, your traffic will go through this tool, which will connect to this SOCKS port, this is what the browser uses by default, and it will connect to your host and port. It's on Ubuntu; on Tails you can use netcat, and actually I don't think you need to do anything on Tails because they already have this command. It's a bit different: -X, SOCKS proxy version 5.

So yeah, now that you set up your SSH you can clone. And this, for those of you who think that CVS is old, this is really old. When I first started using CVS two decades ago, this command was already archaic, because no one used rsh anymore, everyone used SSH at that time. And then you can export CVSROOT, and then you can check out pkgsrc. It will take a while, and if you want to check whether it's downloading over Tor, you can just close the Tor Browser; it will terminate this program immediately, because it's connecting over Tor. If you have a GitHub account you can use this. Why do you need to have a GitHub account? Because it will use CVS or SSH, sorry, this will use SSH, and if you try to download via HTTPS here, then you will need not the SOCKS proxy, you will need an HTTP proxy, which we don't have at the moment.

So yeah, the next step is to bootstrap pkgsrc. After the installation you will have the main configuration file called mk.conf, and you can actually specify parts of it, important parts of it, before you start the bootstrap process. You can specify make jobs, to run jobs in parallel, generate external host
dependencies, try to build a self-contained system, update target, depends target. That's when every time you manually type make package-install, it will also create binary packages for all dependencies, and this one is when you do make update manually, it will also create binary packages for everything, which is handy because you want binary packages to later update a different host, for example. So pkgsrc... not required, but it's handy for some tools. And this is important: you say fetch using this tool, and use the SOCKS proxy on your local host listening on this port, and every time you download, it will connect through the SOCKS proxy. I put this one because you cannot... so ideally you should use curl from pkgsrc, but what happens there is a chicken-and-egg problem when you try to update this package itself. I tried it, because there was an update recently of the curl package, and it failed. But if you have a tool installed because you installed it previously, then it should work. And master site override means every time you need to download a source tarball, first you go to a master site, usually it's like gnu.org or GitHub, this is the main distribution of a particular package, but if you specify this, first it will try to use my onion service to download, and then if it's not available, then it will try other alternatives.

This is for very advanced users, if you are prepared to deal with problems. It's like hardening your system. It works on NetBSD, I think it builds on my Windows machine, but not everything, and I switched... I just don't do it, I'm not ready to deal with the problems.

Bootstrapping is easy. You just go to where you downloaded your pkgsrc directory, you go to the bootstrap directory, and then you do bootstrap. Unprivileged means everything will be installed under your username, you don't need root, in this prefix, in this directory, with this fragment, this file I showed you earlier. And this one is, on some
Linuxes there is no projects enough, I believe; you need to specify which, which works with this script. Build essential packages: pkgtools, digest. I don't normally build it because it's available, but I think when you specify pkgsrc... this is like MD5 checksums, yeah, it's probably because it's not available in Ubuntu, in my setup, so you need MD5 checksums. It checks the integrity of the file using checksums. And then to build it you just do bmake package-install. It's a good idea to add this path to your PATH, pkg/bin and pkg/sbin, but it works without adding it to the path.

Yeah, this is, well, hopefully it will be a new and better version. This is an HTTP proxy which can connect to your SOCKS proxy, which is in your Tor Browser, and this is required for some tools, or for all tools which download binary packages or install binary packages. A simple web server for hosting your packages. pkg_chk allows you to build a list, so you specify a long list of packages you want to install, then with a single command you say install everything from source and it will build everything, or you can also say install everything from binary packages on, for example, a different box, and you point to your directory where your packages are hosted and it will download them and build them. pbulk: I used it for a while, I will probably come back to it, but I switched back to pkg_chk. If you want to build all packages, or a lot of packages, then you can use it, and it's better than pkg_chk, but it's more difficult to set up. pkgin is a very simple tool which also can be used to do package management over Tor. It's like apt: you can do install, remove, update, full-upgrade, clean, I think it's very similar. This is just for fun, if you want to see dependencies of all your installed packages and you want to visualize them. And by the way, I built all those packages, and I also built LaTeX packages, because I decided to use LaTeX and build everything on
this machine using packages built with pkgsrc, so it's all... the setup is quite advanced, and it can generate PDF from LaTeX, Beamer packages. So yeah, demo time.

Okay, so do you see? Okay, so I have this Ubuntu, and every time I close it, I think it's like an init process, it kills the init process and it kills everything. Okay, and I think it's a clean setup, let me check if I still have... okay. So first let me go through the steps. First, sorry, I'm probably creating noise because my mic dropped. So yeah, first we configure and start a new hidden service, then we start a web server to host binary packages, and then we remove some packages.
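The SSH ProxyCommand, the mk.conf fetch settings and the "close Tor Browser and see what dies" check from the talk, collected into one script as an added example. This is not the speaker's code; it assumes Tor Browser's default SOCKS port 127.0.0.1:9150, an OpenBSD-style nc, the pkgsrc variables FETCH_USING, FETCH_PROXY and MASTER_SITE_OVERRIDE, and a placeholder .onion name where the talk's mirror would go.

```shell
#!/bin/bash
# Added example, not the speaker's script: generates the SSH ProxyCommand
# stanza and the mk.conf fetch settings the talk describes, installs them
# idempotently, and refuses to run a build step while Tor's SOCKS port is
# down. Assumptions: Tor Browser's default SOCKS port 127.0.0.1:9150,
# OpenBSD-style nc (-X 5 -x host:port), pkgsrc variables FETCH_USING,
# FETCH_PROXY and MASTER_SITE_OVERRIDE; ONION is a placeholder name.
SOCKS_HOST=${SOCKS_HOST:-127.0.0.1}
SOCKS_PORT=${SOCKS_PORT:-9150}
ONION="pkgsrc-mirror-PLACEHOLDER.onion"   # replace with the real mirror

# 0 if host:port accepts a TCP connection; bash's /dev/tcp needs no nc/curl.
socks_listening() {
    ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
}

# ~/.ssh/config stanza: netbsd.org hosts (CVS over SSH) and every .onion
# host go through the SOCKS port; ssh expands %h and %p itself.
ssh_stanza() {
    cat <<EOF
Host *.netbsd.org *.onion
    ProxyCommand nc -X 5 -x $SOCKS_HOST:$SOCKS_PORT %h %p
EOF
}

# mk.conf fragment for bootstrap: parallel jobs, self-contained builds,
# binary packages for dependencies and updates, curl through SOCKS
# (socks5h so .onion names resolve inside Tor), onion mirror tried first.
mkconf_fragment() {
    cat <<EOF
MAKE_JOBS=              4
PREFER_PKGSRC=          yes
DEPENDS_TARGET=         package-install
UPDATE_TARGET=          package-install
FETCH_USING=            curl
FETCH_PROXY=            socks5h://$SOCKS_HOST:$SOCKS_PORT
MASTER_SITE_OVERRIDE=   http://$ONION/distfiles/
EOF
}

# Append a fragment once, guarded by a marker line, so re-runs don't
# duplicate it. Usage: install_fragment <file> <marker> <generator-fn>
install_fragment() {
    grep -qF -- "$2" "$1" 2>/dev/null && return 0
    { printf '%s\n' "$2"; "$3"; } >>"$1"
}

# Run a fetch/build command only when the SOCKS port is up: the talk's
# "close Tor Browser and everything dies" check, done before starting.
run_via_tor() {
    socks_listening "$SOCKS_HOST" "$SOCKS_PORT" ||
        { echo "Tor SOCKS port $SOCKS_HOST:$SOCKS_PORT is down" >&2; return 2; }
    "$@"
}
```

With Tor Browser running, `install_fragment "$HOME/.ssh/config" "# pkgsrc over Tor" ssh_stanza` adds the stanza once, `mkconf_fragment > mk.conf.frag` gives the file to hand to bootstrap, and `run_via_tor bmake package-install` fails fast instead of with a confusing connect error if the proxy is gone.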