How to contribute on github anonymously via Tor?
I would like to contribute anonymously to projects on github. Not to cause mischief, more in the spirit of anonymous donations.
The tool of choice for being anonymous online seems to be TOR, which works well for almost anything you can do in a browser. However, to contribute on github, it appears necessary to use the command line interface, or the Mac app.
How can I channel my git operations in this setup through Tor? And how can I verify that this is actually what is happening?
Edit: please note the difference between pseudonymous (with a fake e-mail address) and anonymous (with an IP address that cannot be associated with an identity). Pseudonymous access to github is trivial; however, I am looking for anonymous access.
Have you considered going the old-fashioned 'mail them a patch' route? You could simply check out the repository (using Tor and Git-over-HTTPS if you want), make your improvements, then do a git diff
and send the project owners the patch using any anonymous messaging service. Freenet and postal mail come to mind.
Note that if I were the owner of a large(ish) project, I would never ever accept a patch from an anonymous entity, for a few reasons. Even if the person in question isn't necessarily nefarious, having code in the system that nobody is responsible for is a scary thought at best. Also, think about code ownership and copyright troubles.
None of these answers give a full useable workflow, I want to git push
, not send an email! Here's how to do it properly but there's a bit of setup required. Instructions are for OSX
Publishing anonymously to github with tor+ssh
-
Download tor browser bundle AND the tor command line proxy
brew install tor brew cask install torbrowser
1.1 In tor browser, Create a new email address ( I used hmamail).
1.2 In tor browser, Create a new github account
-
Create a new ssh key, only for tor with your new email address
ssh-keygen -t rsa -b 4096 -C "[email protected]"
2.1. Give it a name like:
~/.ssh/private_tor_rsa
2.2. In github, go to SSH and PGP keys and add a new SSH key, make title memorable.
2.3. In github, set Key to the public key you've just created
clip < ~/.ssh/private_tor_rsa.pub
In github, create an empty repository, let's call it
ByteCoin
, don't initialise it with a readme.-
Edit the ssh config file
~/.ssh/config
(create if it doesn't exist)Host github-tor-alias User git HostName github.com IdentitiesOnly yes IdentityFile ~/.ssh/tor_only_rsa ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
You've created a hostname called
github-tor-alias
and tells ssh to use a proxy onlocalhost:9050
and use thetor_only_rsa
key to authenticate. -
Setup the config for your new project to use the tor proxy and credentials.
mkdir secret-project cd secret-project git init git config --add user.name satoshi_2 git config --add user.email [email protected]
This next line is bloody important
5.1. note the ssh://git and github-tor-alias
git remote add origin ssh://git@github-tor-alias/staoshi_2/ByteCoin.git
-
Remember how you installed the tor command line proxy? start it as a service. It listens on localhost:9050
brew services start tor
-
Are you ready? Try pushing to github:
git push origin master
Did it work? Go and double check everything, have I missed something? please edit this answer!
Congratulations
breath that free air and get creating!
So what have we just done? we've created a new identity who is associated only with the tor network, as far as github.com is concerned, you are staoshi_2 and could be anywhere in the world.
tor runs a proxy on 127.0.0.1:9050
, because we setup a ProxyCommand
in the ~/.ssh/config
file, all of your traffic goes through the tor proxy, git uses your new ssh key because you added IdentityFile
and IdentitiesOnly
to your ~/.ssh/config
file.
Powerful stuff.
Let's double check that you're really anonymous
-
stop
tor
and try togit push
again, it had better fail!ssh_exchange_identification: Connection closed by remote host fatal: Could not read from remote repository.
8.1. If that git push succeeded well guess what, you weren't using tor, github.com knows your IP, figure out how to get it working and then start again with a new email address.
9. Happy freedom!
anon.
Before Tor there were cyber-cafes and wi-fi hotspots. Just because there's an IP associated with your commits doesn't mean it has to be yours.
Configure git proxy server Getting git to work with a proxy server
or if this doesn't work with the TOR network, then simply run your git
command in a virtual machine where the host machine is using the TOR network to connect to the outside world
I assume this will obfuscate the origin of your commit, but the anonymous email part may still be difficult.
Anonymous email providers come and go, but as of 2015 Lelantos is currently a TOR hidden service that offers clearnet email addresses. Payable in Bitcoin but you can anonymize all bitcoin transactions using http://www.xmr.to which lets you pay bitcoin receipts using the more private Monero network.
Why not simply do a pseudonymous email that you also create while in TOR, never access it from outside of TOR, and use that for github compliance
Most of the answers in this thread do not go about replying question asked.
You asked: Is it possible to use all applications of my operating system through tor, so as to make anonymous contributions. It might be necessary to do so in occasions where contributing to software projects puts you in legal risks (e.g. contributing to cryptography libraries where cryptography is illegal.)
You have been suggested to use postal mail (currently the most popular answer?), to go to the cyber-cafe next to your home, which very probably has a camera, and to use very brittle configurations which put you at risk. Some answers are outright stupid, and some others are valid enough, though they require everything to be setup perfectly to work.
It may happen that you (or some software you install) accidentally misindents or breaks a configuration file, causing your connections to go to github in the clear. Furthermore, it is possible that an ISP level attacker see which packages you are installing for development, and he is able to identify what sort of project you are working on.
This is in most cases, unacceptable. For me, and my current setup, it is necessary that:
- All connections to Github are guaranteed to go through TOR.
- All non-tor connections are dropped, and all DNS goes through TOR.
- All TCP traffic from your machine is routed through tor. This includes apt-get, all the connections your IDE makes, everything.
This is very complex and is far out of my league. Luckily, there are distros which allow for this kind of thing, such as Tails or Whonix. There is another distro, Attack Vector, which might come with development tools, but is not as proven.
After installing one of these, you will be able to access github's interface through tor browser, and you will be able to commit either through SSH or HTTPS, whatever your preference, without special configuration.
I would suggest Whonix, since it's easier to persist data you need to work, and guarantees a root level compromise on the main machine does not compromise your identity.