Sustainable PirateBox Part 2

Some notes:


Tokumei is the image board I’m playing with.

Unfortunately, the installation scripts are stale and depend on deprecated certbot software from the EFF. I have to hack together an update to make this thing work.

There are instructions for installing Tokumei.co in a self-hosted environment.

They call a script that can be obtained with:

wget https://tokumei.co/privclear.sh

The script accepts input from the user and then tunes various configuration files for the image board & nginx. For example, you can specify the domain of a page. This is useful because we’ll have to set a hostname for the captive portal.

The script fails first because it expects to install ssl certificates using certbot.

Certbot is deprecated. If you run this script, you get 404’d.

So the first thing I need to do is create my own self-signed certificates.

Then I need to hack the nginx.conf and sites-available/default pages.

I put a lot of effort into figuring out how to carve out a page to host static PDFs and MP3s. I tried very hard to document the edits. If you decide to do any work with nginx and creating static content, you might find this material helpful.

This is the sites-available default page.

The key points of this config:

  1. Shows you how to create a self-signed certificate in the comments of the script
  2. Shows you where you put the cert and key file so that nginx can access it.
  3. Shows you how to reduce noise in the config by using snippets pointing to self-signed.conf and ssl-params.conf
  4. Shows you how to configure nginx to limit file uploads on the tokumei board.
  5. Shows you how to create the /offgrid URI that vends a directory listing within the skinning of Tokumei
  6. A minor hack to help you debug if nginx locations are not getting triggered because of aggressive / location definitions
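
The author's own file is not reproduced on this page. As an added example (not the author's config), here is a sites-available/default server block covering the six points above. The hostname, certificate paths, upload cap, library directory and debug header name are assumptions, and the plain autoindex listing does not reproduce the Tokumei skinning.

```nginx
# Added example, not the author's file. Assumptions: hostname ansibledest.local
# (taken from the werc path on this page), cert/key paths, the 5m upload cap,
# the /srv/offgrid library directory and the X-Matched-Location debug header.
#
# Self-signed certificate, generated once as root:
#   openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
#     -subj "/CN=ansibledest.local" \
#     -addext "subjectAltName=DNS:ansibledest.local" \
#     -keyout /etc/ssl/private/nginx-selfsigned.key \
#     -out /etc/ssl/certs/nginx-selfsigned.crt
#   chmod 600 /etc/ssl/private/nginx-selfsigned.key
#
# /etc/nginx/snippets/self-signed.conf:
#   ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
#   ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# /etc/nginx/snippets/ssl-params.conf:
#   ssl_protocols TLSv1.2 TLSv1.3;
#   ssl_session_tickets off;

server {
    listen 443 ssl default_server;
    server_name ansibledest.local;

    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    # Cap request bodies so board uploads cannot fill the SD card.
    client_max_body_size 5m;

    # ^~ makes this prefix win over any regex location, so the static
    # library is not swallowed by a broader rule.
    # Keep the trailing slash on both location and alias; a mismatch
    # lets requests resolve outside the library directory.
    location ^~ /offgrid/ {
        alias /srv/offgrid/;
        autoindex on;
        add_header X-Matched-Location offgrid always;  # debug aid
    }

    # Everything else goes to werc through cgd's FastCGI listener.
    location / {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:3333;
        add_header X-Matched-Location werc always;     # debug aid
    }
}
```

Run nginx -t before reloading; the X-Matched-Location response header then shows which location handled a request.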

I have a major //TODO:

If you look around here you see the reference to werc.

It references a fastcgi server running at localhost on 3333.

That cgi server is invoked with the following command:


sudo /usr/local/go/bin/cgd -f -c /var/www/ansibledest.local/bin/werc.rc > /dev/null 2>&1 &

Cgd is a daemon that can serve a CGI script over HTTP or FastCGI.

It is useful for running CGI scripts that serve a whole domain (like werc) without the need for a “real” HTTP server, or for wrapping CGI scripts so they can be served by FastCGI-only web servers like nginx.

//TODO: implement a startup script for launching the cgd daemon on boot in the final ansible playbook.

Creating a sustainable Piratebox Alternative

Piratebox was a fun project that got orphaned, which is sad.

I’m constructing a new one of sorts using my ansible automation.

The firmware will turn a Raspberry Pi into a wifi access point that will broadcast a network labeled “JoinMe.”

Users who connect to the network are forwarded to a captive portal hosted on the device. The captive portal app is a local community image board.

The board supports anonymous image posting and is based on the code from https://tokumei.co/. The design is an implementation of some interesting Plan 9-inspired tooling called Werc. The licensing is public. It has a more inviting design than the 4chan futaba image boards.

When neighbors are attached to the network, they don’t get access to the Internet. They do get private access to whatever local community resources you insert.

In my implementation, I modified the Tokumei entry page to include a link to a static directory of files. You can now host a private library of MP3 files, PDFs, zines and other culture for sharing with your neighbors.

Run an offgrid wifi community network that hosts a bulletin board and a shared library.

Create local community without logging off completely. It’s off the Internet and only accessible if you stop and connect to it when you’re in range. No Internet trolls, only your local neighbors. No advertisers. No centralized control. I hope it will help you connect with people in your proximity.

Updates to the HackMeAP firmware

I have posted a new firmware update for turning a Raspberry Pi into a cybersecurity Wi-Fi practice lab. I ran a lab about a month ago and discovered several opportunities for improvement. I’ve also gotten a few inquisitive questions from some thoughtful security weirdos. Thanks for lots of feedback. Now I’ve made some improvements.

Some of you may have struggled to get past the first challenge of cracking a Wi-Fi network credential on the network. You might have realized that there are no active clients, so you can’t sniff a handshake and crack a key. The published scripts should help you find a path forward. Of course, some kids may choose to binwalk the firmware and find the cred used by HostAPD. Perhaps there are other methods for getting the credential?

I’ve made the following changes that required the creation of a new firmware image:

  • Wi-Fi network SSID is now HackThisWifi. Emojis in the SSID were too challenging for kids to type
  • Numerous build process changes to work using a BuilderHotspot and containers.

I’ve also created a dedicated page for the project. Head on over to download the latest firmware, get instructions on how to use it, and tips for those of you stuck on the first challenge of cracking the Wi-Fi password.