问题
I would like to contribute anonymously to projects on github. Not to cause mischief, more in the spirit of anonymous donations.
The tool of choice for being anonymous online seems to be TOR, which works well for almost anything you can do in a browser. However, to contribute on github, it appears necessary to use the command line interface, or the Mac app.
How can I channel my git operations in this setup through Tor? And how can I verify that this is actually what is happening?
Edit: please note the difference between pseudonymous (with a fake e-mail address) and anonymous (with an IP address that cannot be associated with an identity). Pseudonymous access to github is trivial; however, I am looking for anonymous access.
回答1:
Have you considered going the old-fashioned 'mail them a patch' route? You could simply check out the repository (using Tor and Git-over-HTTPS if you want), make your improvements, then do a git diff
and send the project owners the patch using any anonymous messaging service. Freenet and postal mail come to mind.
Note that if I were the owner of a large(ish) project, I would never ever accept a patch from an anonymous entity, for a few reasons. Even if the person in question isn't necessarily nefarious, having code in the system that nobody is responsible for is a scary thought at best. Also, think about code ownership and copyright troubles.
回答2:
Configure git proxy server Getting git to work with a proxy server
or if this doesn't work with the TOR network, then simply run your git
command in a virtual machine where the host machine is using the TOR network to connect to the outside world
I assume this will obfuscate the origin of your commit, but the anonymous email part may still be difficult.
Anonymous email providers come and go, but as of 2015 Lelantos is currently a TOR hidden service that offers clearnet email addresses. Payable in Bitcoin but you can anonymize all bitcoin transactions using http://www.xmr.to which lets you pay bitcoin receipts using the more private Monero network.
Why not simply do a pseudonymous email that you also create while in TOR, never access it from outside of TOR, and use that for github compliance
回答3:
None of these answers give a full useable workflow, I want to git push
, not send an email! Here's how to do it properly but there's a bit of setup required. Instructions are for OSX
Publishing anonymously to github with tor+ssh
Download tor browser bundle AND the tor command line proxy
brew install tor brew cask install torbrowser
1.1 In tor browser, Create a new email address ( I used hmamail).
1.2 In tor browser, Create a new github account
Create a new ssh key, only for tor with your new email address
ssh-keygen -t rsa -b 4096 -C "satoshi_2@hmamail.com"
2.1. Give it a name like:
~/.ssh/private_tor_rsa
2.2. In github, go to SSH and PGP keys and add a new SSH key, make title memorable.
2.3. In github, set Key to the public key you've just created
clip < ~/.ssh/private_tor_rsa.pub
In github, create an empty repository, let's call it
ByteCoin
, don't initialise it with a readme.Edit the ssh config file
~/.ssh/config
(create if it doesn't exist)Host github-tor-alias User git HostName github.com IdentitiesOnly yes IdentityFile ~/.ssh/tor_only_rsa ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
You've created a hostname called
github-tor-alias
and tells ssh to use a proxy onlocalhost:9050
and use thetor_only_rsa
key to authenticate.Setup the config for your new project to use the tor proxy and credentials.
mkdir secret-project cd secret-project git init git config --add user.name satoshi_2 git config --add user.email staoshi_2@hmamail.com
This next line is bloody important
5.1. note the ssh://git and github-tor-alias
git remote add origin ssh://git@github-tor-alias/staoshi_2/ByteCoin.git
Remember how you installed the tor command line proxy? start it as a service. It listens on localhost:9050
brew services start tor
Are you ready? Try pushing to github:
git push origin master
Did it work? Go and double check everything, have I missed something? please edit this answer!
Congratulations
breath that free air and get creating!
So what have we just done? we've created a new identity who is associated only with the tor network, as far as github.com is concerned, you are staoshi_2 and could be anywhere in the world.
tor runs a proxy on 127.0.0.1:9050
, because we setup a ProxyCommand
in the ~/.ssh/config
file, all of your traffic goes through the tor proxy, git uses your new ssh key because you added IdentityFile
and IdentitiesOnly
to your ~/.ssh/config
file.
Powerful stuff.
Let's double check that you're really anonymous
stop
tor
and try togit push
again, it had better fail!ssh_exchange_identification: Connection closed by remote host fatal: Could not read from remote repository.
8.1. If that git push succeeded well guess what, you weren't using tor, github.com knows your IP, figure out how to get it working and then start again with a new email address.
9. Happy freedom!
anon.
回答4:
Before Tor there were cyber-cafes and wi-fi hotspots. Just because there's an IP associated with your commits doesn't mean it has to be yours.
回答5:
You could try using the Cloud 9 IDE
Access it via Tor, create new Github and Bitbucket accounts.
Fork whichever project you want to contribute to, make your changes, send the pull request or patch
win
回答6:
Most of the answers in this thread do not go about replying question asked.
You asked: Is it possible to use all applications of my operating system through tor, so as to make anonymous contributions. It might be necessary to do so in occasions where contributing to software projects puts you in legal risks (e.g. contributing to cryptography libraries where cryptography is illegal.)
You have been suggested to use postal mail (currently the most popular answer?), to go to the cyber-cafe next to your home, which very probably has a camera, and to use very brittle configurations which put you at risk. Some answers are outright stupid, and some others are valid enough, though they require everything to be setup perfectly to work.
It may happen that you (or some software you install) accidentally misindents or breaks a configuration file, causing your connections to go to github in the clear. Furthermore, it is possible that an ISP level attacker see which packages you are installing for development, and he is able to identify what sort of project you are working on.
This is in most cases, unacceptable. For me, and my current setup, it is necessary that:
- All connections to Github are guaranteed to go through TOR.
- All non-tor connections are dropped, and all DNS goes through TOR.
- All TCP traffic from your machine is routed through tor. This includes apt-get, all the connections your IDE makes, everything.
This is very complex and is far out of my league. Luckily, there are distros which allow for this kind of thing, such as Tails or Whonix. There is another distro, Attack Vector, which might come with development tools, but is not as proven.
After installing one of these, you will be able to access github's interface through tor browser, and you will be able to commit either through SSH or HTTPS, whatever your preference, without special configuration.
I would suggest Whonix, since it's easier to persist data you need to work, and guarantees a root level compromise on the main machine does not compromise your identity.
回答7:
In Linux:
Install tor and head over to http://tormail.org/ to get yourself an anonymous email account.
Make yourself a new linux user on your local machine and generate a new ssh key for that user so that your anon account does not have the same public key as your other github accounts :-) You'll do all your anon work through this user account
Next sign up to github w/ your tormail email and install the public ssh key you just generated
Now install socat http://freecode.com/projects/socat. But you'll probably find it in your distro's package manager.
Now edit /etc/ssh/ssh_config and add
HOST *
ProxyCommand socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050
Make sure that your tor is configured to use port 9050. You should see this in your torrc file:
SocksListenAddress 127.0.0.1
SocksPort 9050
Now ALL your SSH is going to go through TOR, including any github access through the ssh protocol. so use the ssh protocol to do the clone: git clone git@github.com:bitcoin/bitcoin.git
use wireshark to verify that nothing goes direct to github.
回答8:
You could commit locally on a clone of the project, and then use git format-patch
to send the commits via e-mail.
回答9:
You can use tsocks
or torify
to make any application work through Tor.
回答10:
Another simple solution:
$ git remote add tor https://github.com/yourUser/yourProject
$ torsocks git pull tor
$ torsocks git push tor
You obviously need to remember to put tor
postfix in your git commands, or maybe you can configure aliases:
$ alias gpushtor="torsocks git push tor"
$ alias gpulltor="torsocks git pull tor"
(Note: it will only work with https://
remotes)
来源:https://stackoverflow.com/questions/10274879/how-to-contribute-on-github-anonymously-via-tor