How to contribute on github anonymously via Tor?

git privacy github tor anonymous

I would like to contribute anonymously to projects on github. Not to cause mischief, more in the spirit of anonymous donations.

The tool of choice for being anonymous online seems to be TOR, which works well for almost anything you can do in a browser. However, to contribute on github, it appears necessary to use the command line interface, or the Mac app.

How can I channel my git operations in this setup through Tor? And how can I verify that this is actually what is happening?

Edit: please note the difference between pseudonymous (with a fake e-mail address) and anonymous (with an IP address that cannot be associated with an identity). Pseudonymous access to github is trivial; however, I am looking for anonymous access.


Have you considered going the old-fashioned 'mail them a patch' route? You could simply check out the repository (using Tor and Git-over-HTTPS if you want), make your improvements, then do a git diff and send the project owners the patch using any anonymous messaging service. Freenet and postal mail come to mind.

Note that if I were the owner of a large(ish) project, I would never ever accept a patch from an anonymous entity, for a few reasons. Even if the person in question isn't necessarily nefarious, having code in the system that nobody is responsible for is a scary thought at best. Also, think about code ownership and copyright troubles.


None of these answers give a full useable workflow, I want to git push, not send an email! Here's how to do it properly but there's a bit of setup required. Instructions are for OSX

Publishing anonymously to github with tor+ssh

  1. Download tor browser bundle AND the tor command line proxy

     brew install tor
 brew cask install torbrowser

    1.1 In tor browser, Create a new email address ( I used hmamail).

    1.2 In tor browser, Create a new github account

  2. Create a new ssh key, only for tor with your new email address

    ssh-keygen -t rsa -b 4096 -C "[email protected]"

    2.1. Give it a name like: ~/.ssh/private_tor_rsa

    2.2. In github, go to SSH and PGP keys and add a new SSH key, make title memorable.

    2.3. In github, set Key to the public key you've just createdclip < ~/.ssh/private_tor_rsa.pub

  3. In github, create an empty repository, let's call it ByteCoin, don't initialise it with a readme.

  4. Edit the ssh config file ~/.ssh/config (create if it doesn't exist)

    Host github-tor-alias
User git
HostName github.com
IdentitiesOnly yes
IdentityFile ~/.ssh/tor_only_rsa
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

    You've created a hostname called github-tor-alias and tells ssh to use a proxy on localhost:9050 and use the tor_only_rsa key to authenticate.

  5. Setup the config for your new project to use the tor proxy and credentials.

    mkdir secret-project
cd secret-project
git init

git config --add user.name satoshi_2
git config --add user.email [email protected]

This next line is bloody important

5.1. note the ssh://git and github-tor-alias 

    git remote add origin ssh://git@github-tor-alias/staoshi_2/ByteCoin.git

  1. Remember how you installed the tor command line proxy? start it as a service. It listens on localhost:9050 

    brew services start tor

  2. Are you ready? Try pushing to github:

    git push origin master

Did it work? Go and double check everything, have I missed something? please edit this answer!

Congratulations

breath that free air and get creating!

So what have we just done? we've created a new identity who is associated only with the tor network, as far as github.com is concerned, you are staoshi_2 and could be anywhere in the world.

tor runs a proxy on 127.0.0.1:9050, because we setup a ProxyCommand in the ~/.ssh/config file, all of your traffic goes through the tor proxy, git uses your new ssh key because you added IdentityFile and IdentitiesOnly to your ~/.ssh/config file.

Powerful stuff.

Let's double check that you're really anonymous

  1. stop tor and try to git push again, it had better fail!

    ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.

    8.1. If that git push succeeded well guess what, you weren't using tor, github.com knows your IP, figure out how to get it working and then start again with a new email address.

9. Happy freedom!

anon.


Before Tor there were cyber-cafes and wi-fi hotspots. Just because there's an IP associated with your commits doesn't mean it has to be yours.


Configure git proxy server Getting git to work with a proxy server

or if this doesn't work with the TOR network, then simply run your git command in a virtual machine where the host machine is using the TOR network to connect to the outside world

I assume this will obfuscate the origin of your commit, but the anonymous email part may still be difficult.

Anonymous email providers come and go, but as of 2015 Lelantos is currently a TOR hidden service that offers clearnet email addresses. Payable in Bitcoin but you can anonymize all bitcoin transactions using http://www.xmr.to which lets you pay bitcoin receipts using the more private Monero network.

Why not simply do a pseudonymous email that you also create while in TOR, never access it from outside of TOR, and use that for github compliance


Most of the answers in this thread do not go about replying question asked.

You asked: Is it possible to use all applications of my operating system through tor, so as to make anonymous contributions. It might be necessary to do so in occasions where contributing to software projects puts you in legal risks (e.g. contributing to cryptography libraries where cryptography is illegal.)

You have been suggested to use postal mail (currently the most popular answer?), to go to the cyber-cafe next to your home, which very probably has a camera, and to use very brittle configurations which put you at risk. Some answers are outright stupid, and some others are valid enough, though they require everything to be setup perfectly to work.

It may happen that you (or some software you install) accidentally misindents or breaks a configuration file, causing your connections to go to github in the clear. Furthermore, it is possible that an ISP level attacker see which packages you are installing for development, and he is able to identify what sort of project you are working on.

This is in most cases, unacceptable. For me, and my current setup, it is necessary that:

  • All connections to Github are guaranteed to go through TOR.
  • All non-tor connections are dropped, and all DNS goes through TOR.
  • All TCP traffic from your machine is routed through tor. This includes apt-get, all the connections your IDE makes, everything.

This is very complex and is far out of my league. Luckily, there are distros which allow for this kind of thing, such as Tails or Whonix. There is another distro, Attack Vector, which might come with development tools, but is not as proven.

After installing one of these, you will be able to access github's interface through tor browser, and you will be able to commit either through SSH or HTTPS, whatever your preference, without special configuration.

I would suggest Whonix, since it's easier to persist data you need to work, and guarantees a root level compromise on the main machine does not compromise your identity.

Related

How to use C++ std::ostream with printf-like formatting?
How to slice data from a middle index until the end without using `length` in R (like you can in python)?
angular trigger changes with $watch vs ng-change, ng-checked, etc
cordova.js is missing on a new project
illegal use of break statement; javascript
Looking for a logically coherent book for the self-study of differential equations
Manifold and maximal atlas
Prove Parseval for the Fourier transform
Intersection of cosets
Closed formula for the sums $\sum\limits_{1 \le i_1 < i_2 < \dots < i_k \le n} i_1 i_2 \cdots i_k $?
Why negating universal quantifier gives existential quantifier?
Irreducibility of $X^n - 2$ over $\mathbf Z[i]$.