Fundraiser far exceeded expectations, but raised security questions.
by Cyrus Farivar and Sean Gallagher
Kickstarter removed a fundraiser for a popular Tor-based router project on Friday afternoon.
The Anonabox, which was created by August Germar, of Chico, California, aimed to be an “open source embedded networking device designed specifically to run Tor.” Its fundraising goal was $7,500, and in five days, it raised $585,549 from nearly 9,000 backers—including three Ars editors.
Germar told Ars that he was not aware that it had been suspended until Ars forwarded him an e-mail from Kickstarter outlining the possible reasons why it could have been cancelled.
In recent days, many Kickstarter commenters pointed out notable flaws in the project, including the fact that Germar claimed to have made the hardware on his own—other commenters found links on other sites that show nearly-identical devices.
"I don't know what to say other than I never expected any of this, I was expecting to make a batch of 100 and that's it," he told Ars in an instant message chat. "The hardware that is being linked to did not exist when I started working on this, otherwise I would have done a Kickstarter four years ago. I think those are just generic knockoffs, they were being made in China. I don't mind, I'm glad the hardware is available now. I always told people they could build their own at home and that I would help them. Now they can buy the hardware directly from China, it doesn't bother me. I just wanted more people to be able to have a device like this."
In a comment he posted to Kickstarter on Tuesday, Germar wrote:
Our board is custom and we have put a lot of work into it. If it were as easy as installing Tor on a regular router everyone could just do it with their current home devices now, but it takes a lot of system resources to make Tor run smoothly. You need at least 16mb flash memory (not ram) just for the Tor binaries themselves. Our current image is just over 10mb which will not fit on most routers you could find even at Best Buy unless you paid $300.
Wired reported that although Germar proudly declared Anonabox a fully open source project, he has made only a series of configuration files available. However, the configuration files are the majority of what is custom about Germar's image—Tor is already a part of the OpenWRT project's code. Germar recompiled the OpenWRT code for the Anonabox hardware.
"I put all the config files in the /etc directory so it would be as portable as possible," Germar told Ars. "That way you can do it with any openwrt install." When asked what the difference was between Anonabox and PORTAL, another Tor router project that was unveiled at Def Con in August, Germar said, "This is not a branch of the portal code, but we integrated some of their ideas. There is nothing wrong with the portal code, it's just compiled for the wrong architecture, a different chipset."
Redditors and others discovered that there was a hashed root password installed on all Anonaboxes—that password was cracked and found to be “developer!”, an obviously weak password. When asked about the password, Germar responded, "There was no way to log in from the outside anyway, you'd need physical access to the device anyway."
David Gallagher, a Kickstarter spokesman, declined to explain precisely why Anonabox’s fundraiser was pulled, citing company policy. He did, however, provide a link to possible explanations for such a suspension.
“Project suspensions are permanent,” he said. “It's important to note that on Kickstarter, backers aren't charged and no money changes hands until a project's funding period ends, and then only if it has reached its goal. We work hard to safeguard the long-term health and integrity of the Kickstarter system.”