Rootconf 2019

On infrastructure security, DevOps and distributed systems.

Up next

Onion Services for devops


Kushal Das


The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor’s users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Along the same line, Tor is an effective censorship circumvention tool, allowing its users to reach otherwise blocked destinations or content. Tor can also be used as a building block for software developers to create new communication tools with built-in privacy features.

Any organization or person can take advantage of these, and deploy any network service in the Tor network without exposing it to the rest of the Internet. The communication between clients and servers will stay inside of the Tor network, and will get all default Tor security and privacy features on their existing systems.

This workshop will teach how to deloy web services and other network services (say ssh) over Tor network.


  • Introduction to Tor project
  • Onion services 101
  • Deploying a website as an onion service
  • Deploying ssh access as an onion service
  • QA


  • Any modern Linux distribution in the Laptop (or in a VM in the laptop). Say latest Debian or Ubuntu or Fedora 30.

Speaker bio

Kushal Das is a public interest technologist at the Freedom of the Press Foundation, who is a maintainer of the SecureDrop project, and part of Tor Project core team. He is a CPython core developer, and also a director in Python Software Foundation. He has given talks in various conferences including previous PyCons (and once in a previous version of rootconf), a list of such talks can be found here



Up next

Defensive and Offensive Applications of Open Source Intelligence

Karan Saini

In real life, a footprint can be used to distinguish and confirm the identity of an individual. The same is true on the Internet, where activities and transactions that have been carried out leave behind a digital footprint, which at times can be leveraged for gathering intelligence about a particular individual and their activities. As an example, websites which reveal partial phone numbers can allow attackers to piece together an individual’s phone number in full, or an attacker attempting to break into an online account could use information available on a target’s Facebook page (e.g., name of hometown, or name of first school) in order to take guesses at their security answer. In a similar fashion, organisations may unknowingly give away sensitive information online, which could potentially be used by an attacker looking for an entry into their network. Attackers often seek to target employees as a part toward ultimately compromising their employing organisation. The question then arises, how much information is available online right now which could potentially assist an adversary in carrying out an attack at your workplace or organisation? Open Source Intelligence (“OSINT”) traditionally refers to the practice of gathering information that is available publicly, and then analysing and piecing it together with other knowledge for use as intelligence. An adversary may be interested in accumulating open source intelligence for several reasons; acquiring business edge, sabotage, theft, et cetera. How does an organisation protect against this threat? Further, how can organisations utilise the defensive gains of OSINT?

Jun 7, 2019

Read more