Anonabox Already In Boiling Hot Water Even Before Shipping

If run of the mill products made behind closed doors can already have a number of detractors, those growing in the semi-open space of crowdfunding should expect even more scrutiny. The lastest high-profile Kickstarter case is one that we just shared two days ago. anonabox, a little open source device that claims to give easy and complete anonymity via Tor, might have been enjoying massive success, but now it is not so enjoying massive criticism, enough for some to call for its removal from Kickstarter.

The problem lies in the two pillars of hardware and software. anonabox's developers claimed to have gone through three other prototypes before settling on the last one that gave the smallest size without gimping functionality. The wording of the campaign made it sound like anonabox, similar to other Kickstarter projects, developed its own boards. But a post on Reddit and subsequent comments revealed that anonabox was apparently just reusing ready made components. In fact, the final board, supposedly the work of many years of engineering, is an off-the-shelf board from a Chinese supplier that costs only $20. That fact, if true, definitely doesn't bode well for a product and a funding method that is delicately built on trust.

The software half of the problem, however, is perhaps more devastating, considering that the product is supposed to be one that keeps your Internet presence anonymous and secure. Due to the popularity of anonabox, it was only natural that security experts would chime in on the project. It also helps that anonabox is pledged to remain open source, which also made it open to scrutiny, perhaps more than it would like. According to these security experts, anonabox's default configuration and its method of deployment is anything but secure. First is the fact that it clones the same SSHD host key for all anonaboxes, meaning anyone who owns one can access another anonabox on the same network quite easily. Add that to the fact that the distributed configuration files also contained a weakly protected root password of "developer", and you have an ironically insecure security box.

anonabox project leader August Germar claims that there is absolutely no deception involved, only miscommunication. He claims that he should have been clear from the start that he wasn't shipping a completely ready-to-use product but a sort of early adopter version that is targeted more at experts and developers that would help refine the product's future iterations. That, he said, also explains the default configuration and distribution method, since he expects that those using the device would know from the get go the things that need to be changed first and that he was planning on putting those pieces of information in a final manual. That said, the entire tone of the project's campaign made it sound like he was talking to those who would actually just plug the anonabox and use it without need for further fine tuning. Plus, he has also inadequately addressed questions about sourcing components instead of making them as he seemed to imply.

The backlash against anonabox has been so great that pledges actually started going down instead of up. That said, the project seems to still have many believers as it still sits at $589,000, exponentially more than its $7,500 asking price. The campaign still has 25 days left to convince current and future investors, because that is basically what Kickstarter backers are, that it is worth rooting for. That, and it also has to convince Kickstarter that it is not a total scam.