How to contribute on github anonymously via Tor?

Question

I would like to contribute anonymously to projects on github. Not to cause mischief, more in the spirit of anonymous donations.

The tool of choice for being anonymous online seems to be TOR, which works well for almost anything you can do in a browser. However, to contribute on github, it appears necessary to use the command line interface, or the Mac app.

How can I channel my git operations in this setup through Tor? And how can I verify that this is actually what is happening?

Edit: please note the difference between pseudonymous (with a fake e-mail address) and anonymous (with an IP address that cannot be associated with an identity). Pseudonymous access to github is trivial; however, I am looking for anonymous access.

Answer 1

Have you considered going the old-fashioned 'mail them a patch' route? You could simply check out the repository (using Tor and Git-over-HTTPS if you want), make your improvements, then do a git diff and send the project owners the patch using any anonymous messaging service. Freenet and postal mail come to mind.

Note that if I were the owner of a large(ish) project, I would never ever accept a patch from an anonymous entity, for a few reasons. Even if the person in question isn't necessarily nefarious, having code in the system that nobody is responsible for is a scary thought at best. Also, think about code ownership and copyright troubles.

Answer 2

Configure git proxy server Getting git to work with a proxy server

or if this doesn't work with the TOR network, then simply run your git command in a virtual machine where the host machine is using the TOR network to connect to the outside world

I assume this will obfuscate the origin of your commit, but the anonymous email part may still be difficult.

Anonymous email providers come and go, but as of 2015 Lelantos is currently a TOR hidden service that offers clearnet email addresses. Payable in Bitcoin but you can anonymize all bitcoin transactions using http://www.xmr.to which lets you pay bitcoin receipts using the more private Monero network.

Why not simply do a pseudonymous email that you also create while in TOR, never access it from outside of TOR, and use that for github compliance

Answer 3

None of these answers give a full useable workflow, I want to git push, not send an email! Here's how to do it properly but there's a bit of setup required. Instructions are for OSX

Publishing anonymously to github with tor+ssh

1. Download tor browser bundle AND the tor command line proxy

    brew install tor
    brew cask install torbrowser
   

   1.1 In tor browser, Create a new email address ( I used hmamail).

   1.2 In tor browser, Create a new github account

2. Create a new ssh key, only for tor with your new email address

   ssh-keygen -t rsa -b 4096 -C "satoshi_2@hmamail.com"
   

   2.1. Give it a name like: ~/.ssh/private_tor_rsa

   2.2. In github, go to SSH and PGP keys and add a new SSH key, make title memorable.

   2.3. In github, set Key to the public key you've just createdclip < ~/.ssh/private_tor_rsa.pub

3. In github, create an empty repository, let's call it ByteCoin, don't initialise it with a readme.

4. Edit the ssh config file ~/.ssh/config (create if it doesn't exist)

   Host github-tor-alias
   User git
   HostName github.com
   IdentitiesOnly yes
   IdentityFile ~/.ssh/tor_only_rsa
   ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
   

   You've created a hostname called github-tor-alias and tells ssh to use a proxy on localhost:9050 and use the tor_only_rsa key to authenticate.

5. Setup the config for your new project to use the tor proxy and credentials.

   mkdir secret-project
   cd secret-project
   git init
   
   git config --add user.name satoshi_2
   git config --add user.email staoshi_2@hmamail.com
   

This next line is bloody important

5.1. note the ssh://git and github-tor-alias

    git remote add origin ssh://git@github-tor-alias/staoshi_2/ByteCoin.git

6. Remember how you installed the tor command line proxy? start it as a service. It listens on localhost:9050

   brew services start tor
   

7. Are you ready? Try pushing to github:

   git push origin master
   

Did it work? Go and double check everything, have I missed something? please edit this answer!

Congratulations

breath that free air and get creating!

So what have we just done? we've created a new identity who is associated only with the tor network, as far as github.com is concerned, you are staoshi_2 and could be anywhere in the world.

tor runs a proxy on 127.0.0.1:9050, because we setup a ProxyCommand in the ~/.ssh/config file, all of your traffic goes through the tor proxy, git uses your new ssh key because you added IdentityFile and IdentitiesOnly to your ~/.ssh/config file.

Powerful stuff.

Let's double check that you're really anonymous

8. stop tor and try to git push again, it had better fail!

   ssh_exchange_identification: Connection closed by remote host
   fatal: Could not read from remote repository.
   

   8.1. If that git push succeeded well guess what, you weren't using tor, github.com knows your IP, figure out how to get it working and then start again with a new email address.

9. Happy freedom!

anon.

Answer 4

Before Tor there were cyber-cafes and wi-fi hotspots. Just because there's an IP associated with your commits doesn't mean it has to be yours.

Answer 5

You could try using the Cloud 9 IDE

Access it via Tor, create new Github and Bitbucket accounts.

Fork whichever project you want to contribute to, make your changes, send the pull request or patch

win

Answer 6

Most of the answers in this thread do not go about replying question asked.

You asked: Is it possible to use all applications of my operating system through tor, so as to make anonymous contributions. It might be necessary to do so in occasions where contributing to software projects puts you in legal risks (e.g. contributing to cryptography libraries where cryptography is illegal.)

You have been suggested to use postal mail (currently the most popular answer?), to go to the cyber-cafe next to your home, which very probably has a camera, and to use very brittle configurations which put you at risk. Some answers are outright stupid, and some others are valid enough, though they require everything to be setup perfectly to work.

It may happen that you (or some software you install) accidentally misindents or breaks a configuration file, causing your connections to go to github in the clear. Furthermore, it is possible that an ISP level attacker see which packages you are installing for development, and he is able to identify what sort of project you are working on.

This is in most cases, unacceptable. For me, and my current setup, it is necessary that:

• All connections to Github are guaranteed to go through TOR.
• All non-tor connections are dropped, and all DNS goes through TOR.
• All TCP traffic from your machine is routed through tor. This includes apt-get, all the connections your IDE makes, everything.

This is very complex and is far out of my league. Luckily, there are distros which allow for this kind of thing, such as Tails or Whonix. There is another distro, Attack Vector, which might come with development tools, but is not as proven.

After installing one of these, you will be able to access github's interface through tor browser, and you will be able to commit either through SSH or HTTPS, whatever your preference, without special configuration.

I would suggest Whonix, since it's easier to persist data you need to work, and guarantees a root level compromise on the main machine does not compromise your identity.

Answer 7

In Linux:

Install tor and head over to http://tormail.org/ to get yourself an anonymous email account.

Make yourself a new linux user on your local machine and generate a new ssh key for that user so that your anon account does not have the same public key as your other github accounts :-) You'll do all your anon work through this user account

Next sign up to github w/ your tormail email and install the public ssh key you just generated

Now install socat http://freecode.com/projects/socat. But you'll probably find it in your distro's package manager.

Now edit /etc/ssh/ssh_config and add

HOST *
ProxyCommand socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050

Make sure that your tor is configured to use port 9050. You should see this in your torrc file:

SocksListenAddress 127.0.0.1
SocksPort 9050

Now ALL your SSH is going to go through TOR, including any github access through the ssh protocol. so use the ssh protocol to do the clone: git clone git@github.com:bitcoin/bitcoin.git

use wireshark to verify that nothing goes direct to github.

Answer 8

You could commit locally on a clone of the project, and then use git format-patch to send the commits via e-mail.

Answer 9

You can use tsocks or torify to make any application work through Tor.

Answer 10

Another simple solution:

$ git remote add tor https://github.com/yourUser/yourProject
$ torsocks git pull tor
$ torsocks git push tor

You obviously need to remember to put tor postfix in your git commands, or maybe you can configure aliases:

$ alias gpushtor="torsocks git push tor"
$ alias gpulltor="torsocks git pull tor"

(Note: it will only work with https:// remotes)