Recently, BoingBoing ran an article about how some librarians in Massachusetts were installing Tor software in all their public PCs to anonymize the browsing habits of their patrons. The librarians are doing this as a stand against passive government surveillance as well as companies that track users online and build dossiers to serve highly-targeted advertising.
It’s an interesting project and a bold stand for user privacy. But the good news is that if you want to browse anonymously, you don’t have to go to the library to use Tor. Connecting to the Tor network from your own PC is quick and painless thanks to the Tor project’s dead simple Tor Browser.
What is Tor?
Tor is a computer network run by volunteers worldwide. Each volunteer runs what is called a relay, which is just a computer that runs software allowing users to connect to the Internet via the Tor network.
Before hitting the open Internet, the Tor Browser will connect to several different relays, wiping its tracks each step of the way, making it difficult to figure out where, and who, you really are.
While Tor is gaining a reputation as a tool for buying illicit goods online, the software has numerous legitimate uses. Activists masking their location from oppressive regimes and journalists communicating with anonymous sources are two simple examples.
If, like the librarians in Massachusetts, you don’t have an exotic reason for using Tor, it’s still a good tool to keep your browsing private from your ISP, advertisers, or passive government data collection. But if the NSA or another three-letter agency decided to actively target your browsing habits, that’s a whole different ballgame.
The easiest way to use Tor is to download the Tor Browser [official link]. This is a modified version of Firefox along with a bunch of other software that connects you to the Tor network.
Once you’ve downloaded the installer, you have two options: You can just install the software or you can check the installation file’s GPG signature first. Some people like to check the installation file to make sure they’ve downloaded the proper version of the browser and not something that’s been tampered with.
But checking the GPG signature is not a painless process and requires an additional software download. Nevertheless, if that’s something you’d like to do, the Tor Project has a how-to explaining what’s required [official link].
Whether or not you’ve checked the GPG signature, the next step is to install the Tor browser itself.
You can install the Tor browser on a USB stick.
For Windows, the Tor Browser comes as an EXE file, so it’s basically like installing any other program. The key difference is that the browser doesn’t have the same default location as most programs. Instead, it offers your desktop as the install location.
The Tor browser does this because it is portable software and doesn’t integrate into a Windows system the way typical programs do. This means you can run the Tor browser from almost anywhere—the Desktop, your documents folder, or even a USB drive.
When you arrive at the Choose install location window, click Browse… and then choose where you’d like to install the browser. As you can see in the image above, I installed it to a USB drive that I tote around on my key chain.
Once you’ve got your location selected, just press Install and Tor takes care of the rest.
Using the Tor Browser
Once the browser is installed, you’ll have a plain old folder called Tor Browser. Open that and inside you’ll see “Start Tor Browser.exe”. Click that file and a new window opens asking whether you’d like to connect directly to the Tor network or if you need to configure proxy settings first.
Most people can simply connect directly to the Tor network to get started.
For most people, choosing the direct option is best, so choose Connect. A few seconds later a version of Firefox will launch; you are now connected to the Tor network and able to browse in relative anonymity.
To make sure you’re connected to Tor go to whatismyip.com, which will automatically detect your location based on your Internet Protocol address. If your browser shows you coming from a location that is not your own, you are good to go. Just make sure you do all your anonymous browsing from the Tor Browser itself as other programs on your system are not connected to Tor.
But browsing anonymously on Tor isn’t quite as easy as booting up a program. There are also some rules of the road you should observe, such as connecting to every site possible via SSL/TLS encryption (HTTPS). If you don’t, then anything you do online can be observed by the person running your exit node. The browser has the Electronic Frontier Foundation’s HTTPS Everywhere add-on installed by default, which should cover your SSL/TLS needs most of the time.
The Tor Project has more tips on browsing anonymously [official link].
Also, remember that browsing in anonymity does not make you immune to viruses and other malware. If you are going to the seedier parts of the Internet, Tor cannot protect you from malicious software that could be used to reveal your location.
For the average Internet user, however, the Tor Browser should be enough to stay private online. You can also check available Tor-friendly VPN services with no logs [link].
If you save anything on your computer, it is likely that you do not want just anyone to be able to see what you have saved. You want a way to protect that information so that you can access it, and absolutely no one else except those you trust. Therefore, it makes sense to set up a system which protects your information and safeguards it against prying eyes.
The best such system for this is called TrueCrypt. TrueCrypt is an encryption software program which allows you to store many files and directories inside of a single file on your hard drive. Further, this file is encrypted and no one can actually see what you have saved there unless they know your password.
This sounds extremely high tech, but it is actually very easy to set up.
Setting up Truecrypt
1. Go to http://www.truecrypt.org/downloads (or go to www.truecrypt.org, and click on “Downloads”)
2. Under “Latest Stable Version”, under “Windows 7/Vista/XP/2000”, click “Download”
3. The file will be called “True Crypt Setup 7.0a.exe” or something similar. Run this file.
4. If prompted that a program needs your permission to continue, click “Continue”.
5. Check “I accept and agree to be bound by these license terms”
6. Click “Accept”
7. Ensure that “Install” is selected, and click “Next”
8. Click “Install”
9. You will see a dialog stating “TrueCrypt has been successfully installed.” Click “Ok”
10. Click “No” when asked if you wish to view the tutorial/user’s guide.
11. Click “Finish”
At this point, TrueCrypt is now installed. Now we will set up TrueCrypt so that we can begin using it to store sensitive information.
1. Click the “Windows Logo”/”Start” button on the lower left corner of your screen.
2. Click “All Programs”
3. Click “TrueCrypt”
4. Click the “TrueCrypt” application
And now we can begin:
1. Click the button “Create Volume”
2. Ensuring that “Create an encrypted file container” is selected, click “Next”
3. Select “Hidden TrueCrypt volume” and click “Next”.
4. Ensuring that “Normal mode” is selected, click “Next”
5. Click on “Select File”
Note which directory you are in on your computer. Look at the top of the dialog that has opened and you will see the path you are in, most likely the home directory for your username. An input box is provided with a flashing cursor asking you to type in a file name. Here, you will type in the following filename:
random.txt
You may of course replace random.txt with anything you like. This file is going to be created and will be used to store many other files inside. Do NOT use a filename for a file that already exists. The idea here is that you are creating an entirely new file.
It is also recommended, though not required, that you “hide” this file somewhere less obvious. If it is in your home directory, then someone who has access to your computer may find it more easily. You can also choose to put this file on any other media; it doesn’t have to be your hard disk. You could, for example, save your TrueCrypt file to a USB flash drive, an SD card, or some other media. It is up to you.
6. Once you have typed in the file name, click “Save”
7. Make sure “Never save history” is checked.
8. Click “Next”
9. On the “Outer Volume” screen, click “Next” again.
10. The default Encryption Algorithm and Hash Algorithm are fine. Click “Next”
11. Choose a file size.
In order to benefit the most from this guide, you should have at least 10 gigabytes of free disk space. If not, then it is worth it for you to purchase some form of media (such as a removable hard drive, a large SD card, etc.) in order to proceed. TrueCrypt can be used on all forms of digital media, not just your hard disk. If you choose to proceed without obtaining at least ten gigabytes of disk space, then select a size that you are comfortable with (such as 100 MB).
Ideally, you want to choose enough space to work with. I recommend 20 GB at least. Remember that if you do need more space later, you can always create additional TrueCrypt volumes using exactly these same steps.
12. Now you are prompted for a password. THIS IS VERY IMPORTANT. READ THIS CAREFULLY
READ THIS SECTION CAREFULLY
The password you choose here is a decoy password. That means, this is the password you would give to someone under duress. Suppose that someone suspects that you were accessing sensitive information and they threaten to beat you or worse if you do not reveal the password. THIS is the password that you give to them. When you give someone this password, it will be nearly impossible for them to prove that it is not the RIGHT password. Further, they cannot even know that there is a second password.
Here are some tips for your password:
A. Choose a password you will NEVER forget. It may be ten years from now that you need it. Make it simple, like your birthday repeated three times.
B. Make sure it seems reasonable, that it appears to be a real password. If the password is something stupid like “123” then they may not believe you.
C. Remember that this is a password that you would give to someone if forced. It is *NOT* your actual password.
D. Do not make this password too similar to what you plan to really use. You do not want someone to guess your main password from this one.
And with all of this in mind, choose your password. When you have typed it in twice, click “Next”.
13. “Large Files”, here you are asked whether or not you plan to store files larger than 4 GIGABYTES. Choose “No” and click “Next”
14. “Outer Volume Format”, here you will notice some random numbers and letters next to where it says “Random Pool”. Go ahead and move your mouse around for a bit. This will increase the randomness and give you better encryption. After about ten seconds of this, click “Format”.
15. Depending on the file size you selected, it will take some time to finish formatting.
“What is happening?”
TrueCrypt is creating the file you asked it to, such as “random.txt”. It is building a file system contained entirely within that one file. This file system can be used to store files, directories, and more. Further, it is encrypting this file system in such a way that without the right password it will be impossible for anyone to access it. To *anyone* other than you, this file will appear to be just a mess of random characters. No one will even know that it is a TrueCrypt volume.
16. “Outer Volume Contents”, click on the button called, “Open Outer Volume”
An empty folder has opened up. This is empty because you have yet to put any files into your truecrypt volume.
DO NOT PUT ANY SENSITIVE CONTENT HERE
This is the “Decoy”. This is what someone would see if you gave them the password you used in the previous step. This is NOT where you are going to store your sensitive data. If you have been forced into a situation where you had to reveal your password to some individual, then that individual will see whatever is in this folder. You need to have data in this folder that appears to be sensitive enough to be protected by TrueCrypt in order to fool them. Here are some important tips to keep in mind:
A. Do NOT use porn. Adult models can sometimes appear to be underaged, and this can cause you to incriminate yourself unintentionally.
B. Do NOT use drawings/renderings/writings of porn. In many jurisdictions, these are just as illegal as photographs.
C. Good choices for what to put here include: backups of documents, emails, financial documents, etc.
D. Once you have placed files into this folder, *NEVER* place any more files in the future. Doing so may damage your hidden content.
Generally, you want to store innocent data where some individual looking at it would find no cause against you, and yet at the same time they would understand why you used TrueCrypt to secure that data.
Now, go ahead and find files and store them in this folder. Be sure that you leave at least ten gigabytes free. The more the better.
When you are all done copying files into this folder, close the folder by clicking the “x” in the top right corner.
17. Click “Next”
18. If prompted that “A program needs your permission to continue”, click “Continue”
19. “Hidden Volume”, click “Next”
20. The default encryption and hash algorithms are fine, click “Next”
21. “Hidden Volume Size”, the maximum available space is indicated in bold below the text box. Round down to the nearest full unit. For example, if 19.97 GB is available, select 19 GB. If 12.0 GB are available, select 11 GB.
22. If a warning dialog comes up, asking “Are you sure you wish to continue”, select “Yes”
23. “Hidden Volume Password”
IMPORTANT READ THIS
Here you are going to select the REAL password. This is the password you will NEVER reveal to ANYONE else under any circumstances. Only you will know it. No one will be able to figure it out or even know that there is a second password. Be aware that an individual intent on obtaining your sensitive information may lie to you and claim to be able to figure this out. They cannot.
It is HIGHLY recommended that you choose a 64 character password here. If it is difficult to remember a 64 character password, choose an 8 character password and simply repeat it 8 times. A date naturally has exactly 8 numbers, and a significant date in your life repeated 8 times would do just fine.
24. Type in your password twice, and click “Next”
25. “Large Files”, select “Yes” and click “Next”.
26. “Hidden Volume Format”, as before move your mouse around randomly for about ten seconds, and then click “Format”.
27. If prompted “A program needs your permission to continue”, select “Continue”
28. A dialog will come up telling you that the hidden TrueCrypt volume has been successfully created. Click “Ok”
29. Click “Exit”
Congratulations! You have just set up an encrypted file container on your hard drive. Anything you store here will be inaccessible to anyone except you. Further, you have protected this content with TWO passwords. One that you will give to someone under threat, and one that only you will know. Keep your real password well protected and never write it down or give it to anyone else for any reason.
Now, we should test BOTH passwords.
Testing TrueCrypt Volumes
Once you have completed the above section, you will be back at TrueCrypt. Go ahead and follow these steps to test the volumes you have made.
1. Click “Select File…”
2. Locate the file you created in the last section, most likely called “random.txt” or something similar. Remember that even though there is both an outer and a hidden volume, both volumes are contained in a single file. There are not two files, only one.
3. Click “Open”
4. Choose a drive letter that you are not using (anything past M is probably just fine). Click on that; for example, click on “O:” to highlight it.
5. Click “Mount”
6. Now you are prompted for a password. Read the below carefully:
The password you provide here will determine WHICH volume is mounted to the drive letter you specified. If you type in your decoy password, then O: will show all the files and directories you copied that you would reveal if forced. If you type in your real password, then O: will show the files and directories that you never intend anyone to see.
7. After successfully typing in your password, you will see additional detail to the right of the drive letter, including the full path to the file you selected as well as the kind of volume it is (for example, hidden).
8. Right click on your “Windows Logo”/”Start Menu” icon, and scroll down to the bottom where you can see your different drive letters. You will see the drive letter you selected, for example: “Local Disk (O:)”. Click on that.
9. If you selected your decoy password, you will see all the files and folders that you moved there during the installation phase. If you selected the real password, you will see whatever files and directories you have placed so far into the hidden volume, if any.
If you selected your hidden volume password, you may now begin moving any sensitive information you wish. Be aware that simply moving it from your main hard disk is not enough. We will discuss how to ensure deleted data is actually deleted later in the guide.
“What is happening?”
When you select a file and mount it to a drive, you are telling your computer that you have a new drive with files and folders on it. It is the same thing as if you had plugged a USB flash drive, a removable hard drive, or an SD card into your computer. TrueCrypt causes your computer to think that there is an entirely new disk drive on your computer. You can use this disk drive just as if it *was* actually a USB flash drive. You can copy files and directories to it, and use it just as you would use a USB flash drive.
When you are done, simply close all open windows/folders/applications that are using your TrueCrypt drive letter, and then click “Dismount” from within TrueCrypt while you have the drive letter highlighted. This will once again hide all of this data, accessible only by re-mounting it with the correct password.
VERY IMPORTANT SAFETY INFORMATION
When a TrueCrypt hidden volume is mounted, someone who has access to your computer can access anything that is inside that hidden volume. If, for example, you left your computer running while a TrueCrypt volume was mounted, then if someone gained access to your computer they would be able to see everything you have in that volume. Therefore:
ALWAYS REMEMBER TO DISMOUNT ANY TRUECRYPT VOLUME CONTAINING ANY SENSITIVE INFORMATION WHEN YOU ARE NOT USING YOUR COMPUTER
You can tell that it is dismounted because the drive letter inside of TrueCrypt’s control panel will appear the same as all of the other drive letters, with no information to the right of the drive letter.
You should practice Mounting and Dismounting a few times with both passwords to make sure you understand this process.
Once you have copied files/folders into the hidden volume, do NOT touch the files or folders in the outer volume anymore. Remember that both volumes occupy the same single file, and therefore changing the outer volume can damage the hidden volume. Once you have copied files/folders into the outer volume during the installation process, that is the last time you should do so. From that point forward, use ONLY the hidden volume. The outer volume exists only as a decoy if you need it.
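The rule above (never touch the outer volume again once the hidden volume exists) follows from how the two volumes share one file. The byte-level model below is an added illustration, not TrueCrypt’s own format or code: the outer filesystem allocates from the front and cannot see the hidden volume in the tail, so one more write to the outer volume walks straight into the hidden data. The 20-unit container, the 8 units of decoy files and the 11.97-unit free figure are constructed numbers chosen to match the guide’s rounding example.

```python
import os

UNIT = 1024  # one "GB" of the guide is modelled as 1 KiB so the demo runs instantly


def round_down_hidden_size(available_units: float) -> int:
    """Step 21 of the guide: 19.97 -> 19, and an exact 12.0 -> 11."""
    whole = int(available_units)
    return whole - 1 if whole == available_units else whole


class ContainerModel:
    """One container file holding an outer and a hidden volume (illustrative model,
    not TrueCrypt's on-disk layout). Free space is random-looking, exactly like the
    hidden volume, so the outer filesystem has no way to tell the two apart."""

    def __init__(self, size_units: int):
        self.data = bytearray(os.urandom(size_units * UNIT))
        self.outer_end = 0            # next free byte as the outer filesystem sees it
        self.hidden_start = None
        self.hidden_content = b""

    def outer_free_units(self) -> float:
        # Reported free space never shrinks when the hidden volume is created:
        # the outer filesystem still believes the whole tail is its own.
        return (len(self.data) - self.outer_end) / UNIT

    def write_outer(self, payload: bytes) -> None:
        start = self.outer_end
        self.data[start:start + len(payload)] = payload
        self.outer_end = start + len(payload)

    def create_hidden(self, size_units: int) -> None:
        if size_units * UNIT > len(self.data) - self.outer_end:
            raise ValueError("hidden volume would overlap files already in the outer volume")
        self.hidden_start = len(self.data) - size_units * UNIT

    def write_hidden(self, payload: bytes) -> None:
        self.data[self.hidden_start:self.hidden_start + len(payload)] = payload
        self.hidden_content = payload

    def hidden_intact(self) -> bool:
        end = self.hidden_start + len(self.hidden_content)
        return bytes(self.data[self.hidden_start:end]) == self.hidden_content


def demo() -> dict:
    """Decoy files, then a hidden volume rounded down from 11.97 units, then the
    mistake the guide warns about: copying one more file into the outer volume."""
    c = ContainerModel(20)
    c.write_outer(b"D" * (8 * UNIT))                       # decoy documents (step 16)
    hidden_units = round_down_hidden_size(c.outer_free_units() - 0.03)  # 11.97 -> 11
    c.create_hidden(hidden_units)
    c.write_hidden(b"S" * (hidden_units * UNIT))           # the real, sensitive data
    intact_before = c.hidden_intact()
    free_seen = c.outer_free_units()                       # still 12.0: hidden volume invisible
    c.write_outer(b"D" * (2 * UNIT))                       # "just one more" outer file
    return {"hidden_units": hidden_units, "intact_before": intact_before,
            "outer_reports_free": free_seen, "intact_after": c.hidden_intact()}
```

The outer write lands at units 8 to 10 while the hidden volume starts at unit 9, so `intact_after` is False even though the outer volume reported 12 units free.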
Part 0 – Introduction
Here’s my basic guide for PGP on OS X. The OS in question is OS X 10.9 Mavericks, but it should still work for other versions. As for the tool itself, we’ll be using GPG Suite Beta 5. This is my first time using OS X in… years. If you see anything I’m doing wrong, or could be done easier, feel free to correct me in the comments.
If you’ve done your research, you’ll see it’s not recommended to do anything darknet related on OS X, but I’m not going to go over the details here. You’ve obviously made your decision.
Part 1 – Installing the software
Like I said above, we’ll be using GPG Suite Beta 5. If you’re curious and want to see the source code, you can do so here.
- Head on over to https://gpgtools.org, and download ‘GPG Suite Beta 5’
- Open the file you downloaded, you should see this screen. Double click on ‘Install’
- Follow the installation process. If successful, you should see this screen. You can now close the window
Part 2 – Creating your keypair
GPG Suite actually makes this a super simple process. Just like the Linux guide, we’ll be using 4096 bit length for encryption.
- Open up GPG Keychain, you should be greeted by this beautiful window
- Click ‘New’ at the top left of the window
- You should see a small popup. Click the arrow beside ‘Advanced options’, make sure the key length is 4096. For our purposes, we’ll uncheck ‘key expires’. Put your username where it says ‘full name’, fill out what you want for email, and create a secure passphrase. Check the picture for an example on how to fill it out. When complete, click ‘Generate key’
- GPG Keychain will begin generating your key. Move the mouse around, mash keys in a text editor, have something downloading. Do random stuff to create entropy for a secure key.
- annndddddd we’re done!
Part 3 – Setting up the environment
This is where OS X differs from other platforms. The suite itself doesn’t provide a window to encrypt/decrypt messages, so we need to enable some options.
- Go into system preferences, open up ‘Keyboard’
- You should see this window. Click the ‘Keyboard Shortcuts’ tab at the top, then ‘Services’ in the left pane. Scroll down in the right pane to the subsection labeled ‘Text’, and to the OpenPGP options. Here you can create keyboard shortcuts. We’ll uncheck everything OpenPGP that’s under ‘Text’, and delete their shortcuts. Now we’ll enable ‘Decrypt’, ‘Encrypt’, and ‘Import key’. Create keyboard shortcuts for these if you wish. Check the picture to make sure you’re doing everything correctly. You can now close the window.
Part 4 – Obtaining your public key
This part is super simple.
- Open up GPG Keychain, select your key
- At the top of the window, click ‘Export’
- Give it a name, make sure ‘include secret key in exported file’ is unchecked, and click ‘save’
- Open your text editor of choice, browse to where you saved the key, open it
- There it is. Copy and paste this on your market profile to make it easier for people to contact you
Part 5 – Obtaining your private key
Again, super simple.
- Open up GPG Keychain, select your key
- At the top of the window, click ‘Export’
- Keep the file name it gives you, check ‘Include secret key in exported file’, then click save
Keep this file in a safe place, and don’t forget your passphrase. You’re fucked without it!
Part 6 – Importing a public key
This is really easy.
- Find the key you want to import.
- Copy everything from ‘-----BEGIN PGP PUBLIC KEY BLOCK-----’ to ‘-----END PGP PUBLIC KEY BLOCK-----’
- Paste it into your favourite text editor, highlight everything, right click, go to ‘Services’, then ‘OpenPGP: Import key’
- You’ll see this window pop up confirming the key has been imported, click ‘Ok’
- Open up GPG Keychain just to confirm the key is there
Part 7 – Importing a private key
Again, really easy.
- Open GPG Keychain, click ‘Import’ at the top
- Browse to where your key is, click it, then click ‘Open’. It should have a .asc file extension
- You’ll see this pop up confirming your key has been imported. Click ‘Close’
Part 8 – Encrypting a message
- Open your text editor of choice, write your message
- Highlight the message, right click, ‘Services’, ‘OpenPGP: Encrypt’
- A window should appear. Select who you’re sending it to, sign it with your key if you wish, click ‘Ok’
- Copy everything, and send it to the recipient
Part 9 – Decrypting a message
Pretty much the same process as encrypting
- Open your text editor of choice, paste the message
- Highlight everything, right click, ‘Services’, ‘OpenPGP: Decrypt’
- A window should pop up. Enter your passphrase, then click ‘Ok’
- aannnddddd there’s your message
Part 10 – Conclusion
That wasn’t too hard, was it? Like I said in the intro, you shouldn’t be using OS X for DNM activities due to privacy issues, but I won’t go into it. This took forever to complete because OS X is a bitch to get running properly in a virtual machine. A guide for Windows will be coming next week!
Full credit goes to MLP_is_my_OPSEC for writing this tutorial – Thanks for publishing and giving us your permission to post it!
Part 0 – Introduction
I promised it, and here it is! The PGP guide for Linux! Great timing too for Moronic Monday. For this guide we’ll be using GnuPG with Gnu Privacy Assistant as a graphical front-end. We will be using CLI to install these two pieces of software, and creating the keypair. The example OS in question is Linux Mint, so the commands for install may differ from your current OS. Don’t fret though! That’s the only part that may not be relevant to your OS, the rest of the guide will be the same across distros.
Part 1 – Installing the software
Like I said in the intro, we’ll be using GnuPG with Gnu Privacy Assistant. I like GPA as a graphical front-end because its layout is really easy to understand and follow.
- Open up Terminal
- Type, without quotes, ‘sudo apt-get install gpa gnupg2’, then hit ‘enter’
- Enter your password, hit ‘enter’
- It will pull the dependencies needed for both to work properly, tell you the space needed, and ask you to confirm. Type ‘y’ then hit ‘enter’ to confirm
- Wait a bit as everything installs
This should only take a few minutes to complete. See this picture to confirm you’re doing the steps correctly:
Part 2 – Generating your keypair
Part 1 was easy, eh? Don’t worry things don’t get much harder. The next step is to create your keypair. We’ll be using 4096 bit RSA to keep things extra secure!
- In your Terminal, type without quotes ‘gpg --gen-key’, then hit ‘enter’
- It will ask you what kind of key you want. For our use case, we want option ‘1’:
- Next step is key length. The longer the length, the more secure it is. We’ll go with 4096 bits:
- It will now ask if you want your key to expire after a certain amount of time. This is up to personal preference, but we’ll choose ‘key does not expire’, so just hit ‘enter’
- Confirm that yes, the key will not expire. Type ‘y’, then hit ‘enter’
- The next step will be to enter an ID to make it easier for people to identify your key. If you’ve made it this far, you should know what to do
- It will ask if this information is correct. If it is, type ‘O’ and hit ‘enter’
Here is a great XKCD comic on creating secure passphrases
- Enter a passphrase to protect your secret key.
- Here comes the fun part. It’s going to generate your key, and will ask you to do some random stuff to create entropy. I like to have a Youtube video going with a torrent running in the background, while randomly mashing keys in a text editor. See the picture for an example of what will be output in the terminal
- annnddddd we’re done!
Part 3 – Obtaining your public key
So we’ve installed the software, generated our super secure keypair. Now what? Well if you want to actually use it we need to obtain our public key. Everything from here will be done through the graphical front-end.
- Open Terminal, type ‘sudo gpa’, hit ‘enter’. Type in your password yeahIknowwhatyou’rethinking
- You’ll be greeted by this beautiful window
- Click on the keypair you just created, click ‘Keys’ up at the top, then ‘Export keys…’
- Select where you want it saved, enter a filename, and click ‘Save’
- Browse to the location in your file manager, open up that file with a text editor
There’s your public key! Don’t forget to put this on your market profile so people can contact you easier.
Part 4 – Obtaining your private key
If you ever want to switch operating systems or PGP programs, you’ll need to do this. It’s just as easy as obtaining your public key. Make sure you keep this file safe!
- Hopefully you still have GPA open. If not, follow step #1 of Part 3
- Click on your keypair, click ‘Keys’ up at the top then ‘Backup’
- Select where you want it saved, keep the filename it gives you, and click ‘Save’
- A window will pop up, you can back up to a floppy if you’re stuck in the ’80s
Remember to keep this file safe! Don’t forget your passphrase!
Part 5 – Importing a public key
So you want to buy some dank marijuanas, you’ll need to encrypt your message unless you want LE kicking down your door and putting a boot to your throat. How is this done? Easy!
- Obtain the recipient’s public key, which can hopefully be found on their profile
- Copy everything, paste into a text editor, save it somewhere
- Up at the top, click ‘Keys’, then ‘Import key…’
- Select the key, then click ‘Open’. You’ll see this window
- We’re done!
I used some random key found on DDG. Thanks Alan!
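Both import sections (Part 6 of the OS X guide and Part 5 here) rely on copying an armored block from a profile page into an editor. The checker below is an added example, not code from either guide or from GnuPG: it locates the block in pasted text, verifies the CRC-24 that the `=xxxx` line carries (a truncated or altered paste fails here, before `Import key…` reports a vague error), decodes the first OpenPGP packet header to report the key’s algorithm and bit length, and flags a secret key block, which Part 4 says must never be in the file you post. The sample profile text and its 4096-bit modulus are constructed placeholders, not a real key.

```python
import base64
import re
import struct

# RFC 4880 section 6.1: CRC-24 over the raw packets, carried on the "=xxxx" line.
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ARMOR_RE = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.S)


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap raw packets the way GnuPG prints them: no headers, one blank line, 64-char lines."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + body + [check, f"-----END PGP {kind}-----", ""])


def dearmor(text: str):
    """Locate the block inside pasted text, verify its CRC and return (kind, raw packets)."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no -----BEGIN PGP ... BLOCK----- found in the pasted text")
    kind, lines = m.group(1), [l.strip() for l in m.group(2).splitlines()]
    if "" in lines:                                   # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    lines = [l for l in lines if l and not re.match(r"^[A-Za-z-]+: ", l)]
    check = lines.pop() if lines and lines[-1].startswith("=") else None
    payload = base64.b64decode("".join(lines), validate=True)
    if check and int.from_bytes(base64.b64decode(check[1:]), "big") != crc24(payload):
        raise ValueError("armor CRC mismatch: the block was altered or truncated while copying")
    return kind, payload


def parse_key_packet(payload: bytes) -> dict:
    """Decode the first packet header; for a v4 key packet also report algorithm and size."""
    first = payload[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                                  # new-format header
        tag, l0 = first & 0x3F, payload[1]
        if l0 < 192:
            length, start = l0, 2
        elif l0 < 224:
            length, start = ((l0 - 192) << 8) + payload[2] + 192, 3
        elif l0 == 255:
            length, start = struct.unpack(">I", payload[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not used for key packets")
    else:                                             # old-format header, what GnuPG emits for keys
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length")
        nbytes = (1, 2, 4)[ltype]
        length, start = int.from_bytes(payload[1:1 + nbytes], "big"), 1 + nbytes
    pkt = payload[start:start + length]
    info = {"tag": tag, "length": length}             # tag 6 = public key, 5 = secret key
    if tag not in (5, 6) or pkt[0] != 4:
        return info
    info.update(version=4, created=struct.unpack(">I", pkt[1:5])[0], algorithm=pkt[5],
                bits=struct.unpack(">H", pkt[6:8])[0])  # first MPI: RSA n (algorithm 1)
    return info


def inspect_paste(text: str) -> dict:
    """The check to run on a block copied from a profile before clicking 'Import key'.
    Also flags a secret key block, which must never be posted anywhere."""
    kind, payload = dearmor(text)
    info = parse_key_packet(payload)
    info["kind"] = kind
    info["is_secret"] = kind == "PRIVATE KEY BLOCK" or info["tag"] == 5
    return info


def constructed_rsa_key_packet(modulus: int, exponent: int = 65537, created: int = 1400000000) -> bytes:
    """Tag-6 v4 RSA public key packet with GnuPG's old-format header (0x99 + 2-byte length).
    The modulus is a constructed placeholder, NOT a real key."""
    def mpi(x: int) -> bytes:
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(modulus) + mpi(exponent)
    return b"\x99" + len(body).to_bytes(2, "big") + body


# Constructed profile text: chatter around a 4096-bit placeholder key block.
SAMPLE_PROFILE = ("Vendor profile (constructed sample)\nMy key:\n"
                  + armor(constructed_rsa_key_packet((1 << 4095) | 0xC0FFEE))
                  + "Thanks for reading.\n")


def corrupt_one_char(text: str) -> str:
    """Change the first base64 character of the block, as a sloppy copy might."""
    head, sep, rest = text.partition("-----\n\n")
    return head + sep + ("B" if rest[0] != "B" else "C") + rest[1:]
```

`inspect_paste(SAMPLE_PROFILE)` reports a public key block, tag 6, RSA, 4096 bits; the same text with one character changed raises a CRC mismatch.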
Part 6 – Importing a private key
You finally realized that Microsoft/Apple is spying on you, and want to switch to an operating system that respects your right to privacy. How do you bring your key over?
- Up at the top, select ‘Keys’, then ‘Import Keys…’
- Select your backup, it should have a file extension of .asc
- This window will appear
- Your key is now imported
I could do this blindfolded!
Part 7 – Encrypting a message
GPA makes this easy as pie. Seriously, if you still can’t do it after following the below steps you shouldn’t be here.
- Click ‘Windows’ at the top, then ‘Clipboard’
- This beautiful window will appear
- Type in your message
- Click the envelope with the blue key
- Select the recipient of the message, sign it with your key if you want, then click ‘Ok’
- Your encrypted message will now appear in the buffer. Copy everything and send this to the recipient
Part 8 – Decrypting a message
You sent your message, and the vendor responded! Now what? You’ll want to decrypt the message with your public key.
- Copy everything the vendor sent you, paste it into the buffer
- Click the envelope at the top with the yellow key
- Enter your passphrase
- Read your message
Part 9 – Conclusion
There we have it, an easy to follow PGP guide for Linux with pictures! PGP can be overwhelming at first, but with persistence and the willingness to learn anyone can do it. Hopefully this guide will keep you guys safe on the DNM! I’ll have an OS X guide coming soon, and possibly a Windows guide following that. Any and all constructive feedback is appreciated, as well as suggestions for other guides!
In this article, I’m going to be outlining how to securely erase data on a device while running a GNU/Linux-based operating system. This process can be used to wipe a device, such as a USB drive, while running your normal GNU/Linux operating system; or it can be used to wipe your hard drive from a GNU/Linux live CD/USB.
There are many reasons you might want to erase data from a device. It’s possible that you are selling an old computer, and need to eliminate private data. It’s possible your identity has been compromised, and you need to eliminate evidence. Whatever the situation is, simple deletion of files will not securely erase data. If you truly need to erase data from a device, you will need to wipe the device. What’s the issue with simply deleting your data? Deletion of a file does not actually remove the data from a disk; it only deletes the entry in the filesystem metadata. This informs the operating system that the space is free and can be written to. The actual raw data is still located on the disk. Even if a disk is reformatted or repartitioned, the raw data may still remain on the disk. With widely available data recovery software, most of this data can be quickly recovered. The only way to assure that data cannot be recovered is by verifying that all space on a disk, including inodes, is overwritten with new data.
How does data wiping work? The term “wiping” is actually a bit misleading, because wiping is not just the removal of data. Wiping software actually overwrites all sectors of a disk or partition, ensuring that none of the original raw data remains. Software generally overwrites this data with a combination of zeros and random numbers. These random numbers are produced by a random number generator. /dev/random is a random number generator in the Linux kernel. When /dev/random is read, it will return pseudo-random bits generated from environmental noise collected from device drivers. /dev/random and /dev/urandom are both commonly used to produce pseudo-random bits. However, /dev/urandom reuses the bits in the internal pool to more quickly produce more bits. /dev/urandom is generally considered to be less secure than /dev/random; however, it is much faster and less resource-intensive than /dev/random. For something like cryptographic key generation, you would want to use /dev/random. However, for something like data wiping, the use of /dev/urandom is considered secure.
The wiping utility of my choice is sfill, a small command-line utility that is lightweight but very effective. If you are running a Debian-based distribution, the package should be included by default; otherwise, the tool is in the ‘secure-delete’ package. If you are wiping the primary hard drive in your computer, you will need to boot from a Linux Live CD. You also need to locate the partition or disk you want to wipe (e.g. /dev/sda2); GParted or any other partition editor will do for this. At this point, be sure to verify that you have identified the correct disk. Once you have located it, run sfill from the command line, pointing it at that disk. The default parameters are secure, so you only need additional arguments if you want verbose mode or other options.
The technical process used by the software is outlined in the sfill man page. sfill first overwrites the data with zeros; this is a single pass. The next 5 passes overwrite the data with random data from /dev/urandom. After this, the data is overwritten in 27 passes with values defined by Peter Gutmann, the developer of sfill. The final 5 passes again overwrite with data from /dev/urandom. After this, temporary files are created to fill the inode space. Inode stands for “index node”; inodes are used to index the files on a partition. Once all free space on the partition has been filled, the temporary files are removed and the wiping is finished. At this point the data wiping process is complete, and you can be confident that your data cannot be recovered.
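To make the difference between deleting and wiping concrete, here is an added example (not code from the original page): a toy block device in Python whose directory table stands in for filesystem metadata. Deleting a file only drops its directory entry, a raw scan still finds the contents, and a free-space wipe in the spirit of sfill (one zero pass plus random passes; the 27 fixed Gutmann patterns are left out of this model) is what finally removes them.

```python
"""Why deleting a file leaves it recoverable, and what a free-space wipe changes.

Constructed example: a bytearray of fixed-size sectors plus a directory table.
"""
import os

BLOCK_SIZE = 64          # bytes per sector in the toy device
N_BLOCKS = 32            # 2 KiB device, enough for a few small files


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * N_BLOCKS)   # the sectors themselves
        self.directory = {}                           # filesystem metadata: name -> sector list

    def free_blocks(self):
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(N_BLOCKS) if i not in used]

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)          # ceiling division
        free = self.free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]
        for n, b in enumerate(blocks):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = blocks

    def read_file(self, name):
        # Normal access goes through the metadata, so a deleted name raises KeyError
        return b"".join(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
                        for b in self.directory[name])

    def delete_file(self, name):
        # What an ordinary delete does: only the metadata entry goes; sectors are untouched
        del self.directory[name]

    def carve(self, marker):
        # What recovery software does: scan the raw sectors, ignoring the metadata entirely
        return self.raw.find(marker) != -1

    def wipe_free_space(self, random_passes=5):
        # What sfill does: overwrite every sector not referenced by metadata, pass after pass
        passes = [lambda: bytes(BLOCK_SIZE)] + [lambda: os.urandom(BLOCK_SIZE)] * random_passes
        free = self.free_blocks()
        for fill in passes:
            for b in free:
                self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = fill()
        return len(passes)


def demo():
    """Returns (recoverable after delete, recoverable after wipe, kept file still intact)."""
    disk = ToyDisk()
    secret = b"CONSTRUCTED-SECRET: account number 0000-1111"   # sample data, not real
    disk.write_file("notes.txt", secret * 3)
    disk.write_file("keep.txt", b"this file is not deleted")
    disk.delete_file("notes.txt")
    after_delete = disk.carve(b"CONSTRUCTED-SECRET")
    disk.wipe_free_space()
    after_wipe = disk.carve(b"CONSTRUCTED-SECRET")
    kept = disk.read_file("keep.txt").rstrip(b"\0") == b"this file is not deleted"
    return after_delete, after_wipe, kept


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```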
Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP. This makes it a safer way to access the Deep Web than just using Tor on your current operating system. Using Tor on a Windows operating system is especially discouraged because of the direct access that the NSA has to Microsoft’s systems and the information that Microsoft is willing to hand over to them.
Before using Whonix, it is helpful to understand how exactly it works. Whonix is made up of two parts. There is one that solely runs Tor and acts as a gateway, aptly called Whonix-Gateway. The second part, which the user actually uses, is called the Whonix-Workstation. It is on a completely isolated network that only allows connections through Tor. Both of these parts run in their own virtual machines on your computer, and this keeps what you do contained within Whonix.
To start you will first want to download VirtualBox. This will allow you to create the virtual machines for running Whonix on your computer. Then download both Whonix-Gateway and Workstation. There are a couple download options and you can choose which one you think is best. It is also suggested that you verify the images using the Signing Key if you understand how to do so. If not, you may want to learn how with the guide on PGP encryption.
After installing VirtualBox, open up the program and just follow a few simple steps:
- Click File > Import Appliance…
- Click “Choose” and select the downloaded Whonix-Gateway.ova file.
- Click next and then “Import” without changing any of the settings.
- Wait for the progress bar to complete the import.
- Repeat those steps for the Whonix-Workstation.ova file.
- Now start both the Whonix-Gateway and Whonix-Workstation.
For your first use you will have to go through a quick setup process and then wait for Whonix to search for and install any necessary updates. Keep in mind you will need to keep Whonix-Gateway running but you don’t actually use it for anything besides updating. You will conduct all your activities within the Whonix-Workstation virtual machine window.
Now you can use Whonix to browse in a safer and more secure way, all without having to make drastic changes to your computer.
Hey everyone! First off, thanks a lot to everyone at DeepDotWeb for allowing me to make this and many more posts to come! I really hope everyone on the website finds it useful! So, on to the tutorial. Tor, as we all know, is a network that uses peer-to-peer connections. These connections from one person to another are very strongly encrypted, not only allowing people to securely go to websites without leaving a trace of who they are, but also allowing people to encrypt everyday internet connections. Today, I will be focusing the main part of today’s tutorial on connecting to IRC networks via Tor. Keep in mind, I will be explaining this from complete start to end as if you are just learning about what Tor is.
The first thing you are going to need is obviously the latest version of Tor from the Tor website. It’s going to download an exe file for you to open and extract. Go ahead, and extract the files to a place where you are going to have easy access to it. I personally extract all the files to a folder on my Desktop so I can get to it at any time.
Now that you have Tor ready to go, you will see four folders and one file called “Start Tor Browser.exe”. All you have to do to get Tor started is run the “Start Tor Browser.exe”. You will then be greeted with a screen asking if you would like to just connect to the Tor network, or if you would like to configure how you connect to the Tor network. All you need to do is push the “Connect” button, and you will be directed to another screen that goes through the process of connecting to the network automatically.
Now that all the menus have been taken care of, your life will be much simpler, since it is the last time you will have to deal with them. After all of those menus are closed, you will be greeted with a nice webpage that says you are configured to use Tor and that you are ready to go! Feel free to click the “Test Tor Network Settings” button for a double check. That step is optional, but you absolutely should go up to the little “S” with an exclamation point on it, click it, and check the “Forbid Scripts Globally” button. This will protect you from accidentally leaking important information while browsing the internet.
Alright. Your Tor browser is now up and running. For the next steps, you must keep the Tor Browser open. If it is closed at any time, the connection will close. For this example, I will be using the HexChat IRC client. Finding an IRC server will be up to you, but a simple search on a directory website will surely get you some results. So first you will need to open up HexChat or your favorite IRC client and get to the settings and/or preferences area. From that menu, you will need to get to the “Networking” and/or “Proxy” section.
From this menu, you will need to enter the proxy settings for the connection. In this example, the “Hostname” will need to be “127.0.0.1” or “localhost”. Either one will work. The “Port” will need to be set to “9150”. The “Type” will be set to “Socks5”. And finally, “Use proxy for” will need to be set to “All Connections”. Breaking this down: the IRC client sends every one of its connections to the IRC server through the Socks5 proxy at 127.0.0.1 on port 9150, so all of those connections are carried over Tor and get its encryption. After all this is entered, just hit the “OK” button.
After this, all you need to do is add a server to connect to, select your usernames, if you wish to use SSL, and other personal settings which will depend on your personal preferences. And that is it! You are now connected to an IRC server via Tor with the full encryption benefits of Tor! And this isn’t just used for IRC. This can be used on pretty much anything that allows a proxy connection such as Firefox, Chrome, Pidgin, FTP connections, PuTTY, and much more!
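What HexChat does behind those settings is a SOCKS5 CONNECT to Tor Browser’s proxy port. As an added example that is not part of the original post, here is that exchange in Python: it sends the IRC server’s hostname inside the SOCKS request (address type 0x03) so that the name is resolved by Tor rather than by your own resolver, which is what keeps DNS lookups inside Tor. The server name irc.example.net and port 6697 are placeholders.

```python
"""SOCKS5 CONNECT through Tor Browser's proxy at 127.0.0.1:9150 (RFC 1928 messages)."""
import socket
import struct

TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9150   # Tor Browser's SOCKS port; a system tor daemon listens on 9050 instead

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting():
    # VER=5, NMETHODS=1, METHODS=[0x00 "no authentication"]
    return b"\x05\x01\x00"


def check_method_reply(data):
    # Server answers VER=5, METHOD; 0xFF means it accepted none of our methods
    if len(data) != 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 method reply")
    if data[1] != 0x00:
        raise ValueError("proxy refused the no-auth method: 0x%02x" % data[1])


def build_connect_request(host, port):
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain name), LEN, name, port (big-endian)
    # Sending the name, not an IP, is what keeps the DNS lookup inside Tor.
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must be 1..255 bytes for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(data):
    # VER, REP, RSV, ATYP, BND.ADDR, BND.PORT  ->  (rep_code, description)
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep = data[1]
    return rep, REPLY_TEXT.get(rep, "unknown reply 0x%02x" % rep)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_tor(host, port, timeout=30):
    """Return a TCP socket to host:port tunnelled through Tor (needs Tor Browser running)."""
    s = socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout)
    s.sendall(build_greeting())
    check_method_reply(_recv_exact(s, 2))
    s.sendall(build_connect_request(host, port))
    head = _recv_exact(s, 4)                  # VER, REP, RSV, ATYP
    atyp = head[3]
    if atyp == 0x01:
        addr = _recv_exact(s, 4)              # IPv4 bound address (Tor normally sends 0.0.0.0)
    elif atyp == 0x03:
        n = _recv_exact(s, 1)
        addr = n + _recv_exact(s, n[0])
    elif atyp == 0x04:
        addr = _recv_exact(s, 16)
    else:
        s.close()
        raise ValueError("unknown address type 0x%02x in reply" % atyp)
    rep, text = parse_connect_reply(head + addr + _recv_exact(s, 2))
    if rep != 0x00:
        s.close()
        raise ConnectionError("Tor refused CONNECT to %s:%d: %s" % (host, port, text))
    return s


if __name__ == "__main__":
    with connect_via_tor("irc.example.net", 6697) as irc:   # placeholder server
        print("connected through Tor:", irc.getpeername())
```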
With that, I once again thank DeepDotWeb for allowing me to write for them, and I thank you the reader for reading this tutorial. I hope this helps you as much as it helps me, whether you are brand new to the use of Tor, or an old user such as myself!
Since people expressed interest in running relays, I’ve written a guide that can get you set up. There are many ways to run a relay, so for the sake of simplicity, I will focus on virtual private servers running Ubuntu 12.04. Feedback is definitely welcome.
This guide includes instructions for Windows users. I will write Linux instructions in a separate post, and if someone would like to add Mac instructions, I’d greatly appreciate it.
Finding a Hosting Provider
In order to run a relay, you will need a dedicated server or a virtual private server. There are two features you should look for:
1. Geographical location
Other specs like RAM and CPU tend not to matter until the bandwidth gets really high, like on an unmetered server. Most of the time, your bandwidth limits will keep the Tor client well below your RAM and CPU limits.
There is no minimum amount that you need to spend on a server. You can lease a VPS for under $10 a month or a dedicated server for hundreds of dollars. I think every little bit helps, especially if the servers are geographically diverse. For this guide, I’m going to assume you don’t want to drop hundreds of dollars on your first server, so we’ll focus on setting up a small to medium sized VPS. The price range I’m thinking is $10 – $50 a month, which should give you 512 MB to 1 GB of RAM and 200 GB to 1 TB of bandwidth.
I’m not going to make specific recommendations for hosting providers, for obvious reasons, but most relays are in North America and Europe. It would be nice if we had more relays in South America, Asia and Africa. The infrastructure in Africa is the most underdeveloped, so you may want to focus on finding providers in South America and Asia. They will be more expensive than providers in North America and Europe. If you can’t find providers in your price range, it’s OK to run a relay in North America and Europe. As I said, every little bit helps.
Another thing to consider when searching for a VPS is that there are different virtualization technologies. These include OpenVZ, Xen, VMWare, Virtuozzo, and KVM. For this guide, I’m going to recommend running your relay in an OpenVZ container, because it is one of the most popular virtualization technologies, it is generally cheaper than the others for the same specs, your operating system will be installed for you by the hosting provider, and the OpenVZ connection limits aren’t really a problem with low bandwidth relays. If you want your relay to push more than 1 TB of traffic a month, you should switch to something like Xen or KVM, or a dedicated server.
It’s a good idea to read reviews of the hosting provider before ordering, but this can be tricky. There are a lot of fake web sites with shill reviews. In general, well-known forums with large communities (like webhostingtalk.com) are a better place to look for reviews than random web sites.
When you find a provider that you like, look for their Acceptable Use Policy (AUP), which will sometimes be part of their Terms of Service (TOS). Most hosting providers have links to these documents on their main page. Read through them to find out if they ban proxies. If there is no mention of Tor, “proxies” or “open proxies” almost always include Tor. Some hosting providers specifically ban Tor. Some only ban exit nodes. The latter case is OK, because we will be setting up non-exit relays. You don’t want to waste time setting up a relay that will be shut down a week later because it violates your hosting provider’s AUP.
Ordering a Server
Once you find a hosting provider, you can create an account and order the VPS. I don’t see a problem with leasing a VPS with your real identity. There are 4300 relays at the moment. You will be lost in a big crowd. However, you shouldn’t mention that you set up a relay in this thread or anywhere else on the forum! You shouldn’t use information (like a username) that links you to your Silk Road identity! If you really want anonymity, at the end of this guide there’s a section that offers some suggestions, but keep in mind that takes a lot more work.
During the ordering process, you will be asked to choose an operating system. Select Ubuntu Server 12.04, so we can simplify things. Every VPS provider should have an OpenVZ image for that OS. If the VPS has 512 MB of RAM or less, use the 32 bit version. If it has 1 GB or more, use the 64 bit version.
A common box that you have to fill out is the “domain name”. You don’t need a domain name to order a VPS. You can fill in anything, like example.org. For the server name, put anything you want, it will become the hostname. If it asks for DNS information, just put ns1 and ns2, it doesn’t matter.
Also, lease the VPS on a monthly basis for the first few months, even if there are discounts for longer terms. Your VPS may turn out to have crappy networking or frequent reboots, so you don’t want to pay for a year of hosting and be forced to abandon the VPS after a month.
After ordering, you’ll get an email with the IP address and login details of your VPS.
Configuring the Relay
The first thing we need to do is figure out the RelayBandwidthRate based on the monthly bandwidth limit of the VPS. Keep in mind that most hosting providers count both incoming and outgoing bandwidth, so Tor relay traffic gets counted twice. A VPS that pushes 1 TB of traffic from the perspective of the hosting provider, actually pushes 500 GB of traffic from the perspective of the Tor network (it’s the same data, coming and going).
Let’s say your VPS is allowed 1 TB of traffic per month. That’s 1,000,000 MB. So the rate (per second) that you would use in your Tor configuration is:
1,000,000 / 30 / 24 / 60 / 60 / 2 = 0.192 MB or 192 KB
This is a good place to start. In practice, most relays don’t max out their bandwidth. In fact, many relays only use 30-50% of their max bandwidth rate. You can watch the bandwidth of your relay for a few weeks and increase it if you are using much less than your limit. For example, if in the first two weeks it uses 250 GB (and could have used 500 GB, because that’s half of your 1 TB per month), then you can double the RelayBandwidthRate. It can take a few weeks of adjusting to find the right balance.
After you get the login information, download PuTTy from the web site:
This program lets you connect over a protocol called SSH, or Secure Shell, which creates an encrypted connection to a command prompt on the server. Run PuTTy and fill out the following information:
Host name (or IP address): <your VPS IP address>
Connection type: SSH
Before we go any further, click on the words “Default Settings” under “Saved Sessions” and click the Save button to the right of it. That way you don’t have to enter the IP address each time.
Then click Open. You’ll see a prompt to accept the server’s host key, click Yes. You only have do this the first time.
login as: root
password: <what you were given>
Note that you can resize the window if it’s too small.
The first thing you should do after logging in is change the root password, especially since it was emailed to you in plaintext. Do that with the following command:
And enter the password twice.
BTW, for all of these commands, you can copy them from this guide and paste them into PuTTy by right-clicking in the command prompt window.
Add this line at the end of the file:
deb http://deb.torproject.org/torproject.org precise main
Enter the following sequence to save the file and exit: ctrl+x, y, enter
Enter the following lines into the command prompt to install Tor and the relay monitor ARM:
apt-get install deb.torproject.org-keyring
apt-get install tor tor-arm
Hit Y[enter] whenever it asks you to confirm an action. The first install command will give you a warning because you haven’t imported the PGP key for that software repository yet, which is what you’re doing with that command.
Now we’ll edit the configuration file to turn our Tor client into a relay. First, backup the original configuration file:
cp /etc/tor/torrc /etc/tor/torrc.backup
If you screw something up, you can restore Tor to its default state with the following commands:
cp /etc/tor/torrc.backup /etc/tor/torrc
service tor restart
Let’s edit the configuration file:
Find the following lines and remove the # at the beginning. Anything that follows a # is treated as a comment instead of an instruction to Tor, so we are adding these instructions.
ControlPort 9051 # This is a comment that Tor ignores, but everything before the hash is an instruction that Tor reads
ORPort 9001 # Change this to ORPort 443 !!!!
Nickname ididnteditheconfig # Change ididnteditheconfig to whatever nickname you want, no spaces, nothing drug or SR related
RelayBandwidthRate 100 KB # Change 100 KB to whatever you calculated for your server earlier
RelayBandwidthBurst 200 KB # Make this double the value above. If you server is using too much bandwidth, make this the same as the line above
ContactInfo Random Person <nobody AT example dot com> # Create a throwaway email address and put it here
ExitPolicy reject *:* # This line makes your relay a non-exit
Then type: ctrl+x, y, enter
service tor reload
Congratulations, you’re running a relay!
The RelayBandwidthRate and RelayBandwidthBurst are what you will probably want to adjust after a few weeks of watching your relay’s bandwidth.
A note about the contact info. You don’t need to enter a name. Remove the “Random Person” part entirely. However, you should enter a real email address. The purpose of providing an email address is if your relay is misconfigured, the Tor people can contact you and tell you about it. On the other hand, this email address will appear in your relay’s descriptor, which is public, so use an alternate address from any of your main ones.
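As an added example (not the guide’s own code), the following Python puts the bandwidth arithmetic and the torrc edits above into one place: it derives RelayBandwidthRate from the provider’s monthly cap exactly as computed earlier (both directions are billed, so the cap is halved), uncomments or replaces the same directives in a torrc text, and checks that the result is a non-exit relay. The torrc passed in is assumed to be the stock file with those directives present as ‘#Key …’ lines; the sample below is a constructed stand-in.

```python
"""Size a non-exit Tor relay for a VPS traffic cap and apply the guide's torrc edits."""
import re

SECONDS_PER_MONTH = 30 * 24 * 60 * 60


def relay_bandwidth_rate_kb(monthly_cap_mb):
    """RelayBandwidthRate in KB/s for a provider cap in MB per month (1 TB = 1,000,000 MB)."""
    mb_per_second = monthly_cap_mb / SECONDS_PER_MONTH / 2   # /2: in and out are both billed
    return int(mb_per_second * 1000)                         # MB -> KB, rounded down


def set_directive(torrc, key, value):
    """Set 'key value', replacing the first active or '#'-commented line for key, else appending."""
    pattern = re.compile(r"^[ \t]*#?[ \t]*%s\b.*$" % re.escape(key), re.MULTILINE)
    line = "%s %s" % (key, value)
    if pattern.search(torrc):
        return pattern.sub(lambda _m: line, torrc, count=1)
    return torrc.rstrip("\n") + "\n" + line + "\n"


def configure_relay(torrc, nickname, monthly_cap_mb, contact_email, orport=443):
    """Return torrc text with the guide's relay settings applied."""
    # Tor nicknames are 1-19 alphanumeric characters; the guide adds: nothing identifying
    if not re.fullmatch(r"[A-Za-z0-9]{1,19}", nickname):
        raise ValueError("nickname must be 1-19 letters/digits, no spaces")
    rate = relay_bandwidth_rate_kb(monthly_cap_mb)
    settings = [
        ("ControlPort", "9051"),
        ("ORPort", str(orport)),
        ("Nickname", nickname),
        ("RelayBandwidthRate", "%d KB" % rate),
        ("RelayBandwidthBurst", "%d KB" % (rate * 2)),   # double the rate; set equal if the VPS overshoots
        ("ContactInfo", contact_email),                   # address only, no name
        ("ExitPolicy", "reject *:*"),                     # makes this a non-exit relay
    ]
    for key, value in settings:
        torrc = set_directive(torrc, key, value)
    return torrc


def is_non_exit(torrc):
    """True if the first active ExitPolicy line rejects everything."""
    for raw in torrc.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "ExitPolicy":
            return len(parts) == 2 and parts[1].split() == ["reject", "*:*"]
    return False   # no ExitPolicy at all leaves Tor's default policy, which allows exits


# Constructed stand-in for the stock torrc's commented-out relay section
SAMPLE_TORRC = """\
## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
#ControlPort 9051
#Nickname ididnteditheconfig
#RelayBandwidthRate 100 KBytes
#RelayBandwidthBurst 200 KBytes
#ContactInfo Random Person <nobody AT example dot com>
#ExitPolicy reject *:*
"""

if __name__ == "__main__":
    print(configure_relay(SAMPLE_TORRC, "examplerelay", 1_000_000, "relay@example.org"))
```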
There is a program called ARM (Anonymous Relay Monitor) that lets you monitor your relay. To run it, type:
You can click the left and right arrow keys to see the different panels of info. To exit arm, type: q, q
Another way to view info about your relay is to search for it on https://atlas.torproject.org
Finally, to exit the SSH session, type:
Securing Your Server
The following is not necessary, but it’s an extremely good idea.
A better way to log in to your server is to create a regular user account, disable root logins, create an SSH key for your regular user, and disable password logins. That makes it virtually impossible for someone to break into your server (people try to hack into servers through SSH all day long).
To create a regular user account, enter this command:
Change <username> to any one-word username you want.
Enter the password for that user twice, and make it different from root’s password. Leave the rest of the prompts (like Full Name) blank by hitting enter through them, then hit y at the end.
You can test out your new user. Exit the SSH session and launch PuTTy again. Now that you have a regular user, you can add it to the PuTTy configuration so you don’t have to type it in every time.
In the configuration window that you get when PuTTy launches, go to Connection -> Data
Auto-login username: <the regular user you created>
Go back to the Session section, highlight “Default Settings”, and click Save again. Connect to your server. You should only have to enter the password this time, and of course it will be your regular user’s password.
When you login as the regular user, you can’t do much outside of your home folder. You can’t install or remove software. This is a security feature. You have to become root. In order to do that, type:
And enter root’s password.
To exit being root, type exit, and to completely exit the SSH session, type exit again.
Let’s make this even more secure by adding an SSH key.
Download this program and run it:
Next to “Generate a public/private key pair”, click Generate. This will take a few minutes. Click around randomly to create entropy and speed it up.
When it’s done, it’ll say “Public key for pasting into OpenSSH authorized_keys file”. Copy the entire thing in the box. Log into your server as the regular user and type this:
Paste that public key in (by right-clicking once, as before). Then hit ctrl+x, y, enter.
Back in PuTTyGen, enter a key pass phrase and confirm it, then click “Save private key” and save it somewhere on your computer. The pass phrase protects your private key just like with PGP. At this point you can exit out of PuTTyGen.
Now launch PuTTy again, and in the configuration window, go to Connection -> SSH -> Auth.
Find the field that says Private key file for authentication, click Browse and select your private key.
Go back to Session, highlight “Default Settings” and Save.
Connect to your server again. This time it will ask you for the pass phrase to your private key, not the password to the regular user.
If you login successfully, great! You can disable root and password logins. Type:
Find these lines:
PermitRootLogin yes # Change it to no
#PasswordAuthentication yes # Remove the # at the beginning and change it to no
Save and exit with ctrl+x, y, enter.
Restart the SSH server:
service ssh restart
Exit completely out and log back in as the regular user. You should login just fine. To test your settings, you can change PuTTy to login as root and it should deny you.
Now think about what an attacker has to do to get into your server. First he has to guess your regular username. Then he has to steal your private key or brute force one that works with your public key. That’s like having a 2048 bit password! Then he has to guess root’s password. Your server is very secure.
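The step that bites people here is disabling password logins before a working public key is in authorized_keys, which locks you out of the VPS. As an added example (not the guide’s own code), this Python audit reads an sshd_config the way sshd does (first occurrence of a keyword wins, lines starting with ‘#’ are comments, Match blocks are skipped) and refuses to call the server hardened until both settings are off and a well-formed key line is present. Assumed defaults are those of OpenSSH on Ubuntu 12.04 (PermitRootLogin yes, PasswordAuthentication yes); the sample key blob is constructed to carry only a valid OpenSSH prefix and is not a real key.

```python
"""Audit sshd_config for the guide's two changes and check authorized_keys first."""
import base64
import binascii
import re

DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}   # assumed for 12.04
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-dss")


def effective_settings(sshd_config):
    """Return the values sshd would use for the keywords in DEFAULTS (first match wins)."""
    seen = {}
    in_match = False
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)     # 'Key value' or 'Key=value'
        key = parts[0].lower()
        rest = parts[1].split() if len(parts) > 1 else []
        value = rest[0].lower() if rest else ""
        if key == "match":
            in_match = True        # conditional block: ignored by this global audit
            continue
        if key in DEFAULTS and key not in seen and not in_match:
            seen[key] = value
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}


def has_usable_key(authorized_keys):
    """True if some line is 'type base64blob [comment]' whose blob really encodes that type."""
    for raw in authorized_keys.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except (binascii.Error, ValueError):
            continue               # wrapped or truncated paste: sshd would ignore it too
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] == parts[0].encode():
            return True
    return False


def hardening_findings(sshd_config, authorized_keys):
    """List what still needs doing; an empty list means the guide's end state is reached."""
    eff = effective_settings(sshd_config)
    findings = []
    if eff["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is '%s'; change it to no" % eff["permitrootlogin"])
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is '%s'; change it to no"
                        % eff["passwordauthentication"])
    if not has_usable_key(authorized_keys):
        findings.append("no valid public key in authorized_keys; "
                        "disabling password logins now would lock you out")
    return findings


# Constructed samples: the guide's "before" and "after" lines, and a key line with a fake blob
SAMPLE_BEFORE = "PermitRootLogin yes\n#PasswordAuthentication yes\nUsePAM yes\n"
SAMPLE_AFTER = "PermitRootLogin no\nPasswordAuthentication no\nUsePAM yes\n"
_FAKE_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01").decode()
SAMPLE_KEYS = "ssh-rsa %s rsa-key-example\n" % _FAKE_BLOB

if __name__ == "__main__":
    for finding in hardening_findings(SAMPLE_BEFORE, ""):
        print("-", finding)
    print("after:", hardening_findings(SAMPLE_AFTER, SAMPLE_KEYS))   # after: []
```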
You should login in to your server every once in a while and update the software. Login as the regular user, change to root (su), and issue these commands:
Purchasing a Server Anonymously
As I said before, I don’t think it’s necessary, but if you want to get a server anonymously, here are some ideas that may or may not work. Suggestions are definitely welcome.
The first thing you need to realize is that the vast majority of hosting providers use fraud detection services, because hackers and spammers love leasing servers anonymously or with stolen credit cards. You almost certainly can’t sign up with a hosting provider from a Tor exit node. A popular fraud detection service called MaxMind claims to block VPNs and open proxies too:
If you really want to be anonymous, I don’t think you should be using a VPN anyway, because you’re trusting their word that they don’t log, or that LE won’t compel them to log in the future. The best way to find a “clean” IP address is to point Tor browser at a web proxy. There are web sites that list thousands of them, but for obvious reasons I won’t list them here. You may have to try many web proxies before you find one that isn’t blocked.
The other issue is payment method. There are a few dozen hosting providers that accept bitcoins, which you could use by anonymizing them your normal way, but all of the ones that I know about are in North America and Europe, which doesn’t help the diversity of the Tor network. Again, if you really want to be anonymous, that’s fine because a relay in NA or EU is better than no relay.
Other than bitcoins, there are a few potentially anonymous payment methods with fiat currency.
1. Prepaid debit cards
2. e-currency and precious metals exchanges, like Pecunix
3. an anonymous PayPal account
MaxMind claims to block prepaid debit cards:
So I don’t know if that will work.
As far as e-currency exchanges go, Liberty Reserve is gone, so I don’t know what else exists other than Pecunix, but by routing money through several exchanges, you can potentially anonymize it. You’ll have to find a hosting provider that takes these payment methods, or cash out to a different payment method.
Also, you might be able to register a PayPal account by pointing Tor Browser at a web proxy, and use fake info that is geographically close to that proxy, then go to Freenode #bitcoin-otc or localbitcoins.com and sell BTC for PayPal credit that gets deposited to your account, then use that to pay for the server.
All of these methods involve some work and a high chance of failure, but you’re welcome to try them.
In the wake of the Freedom Hosting exploit, I think we should reevaluate our threat model and update our security to better protect ourselves against the real threats that we face. So I wrote this guide in order to spark a conversation. It is by no means comprehensive. I only focus on technical security. Perhaps others can address shipping and financial security. I welcome feedback and would like these ideas to be critiqued and expanded.
As I was thinking about writing this guide, I decided to take a step back and ask a basic question: what are our goals? I’ve come up with two basic goals that we want to achieve with our technical security.
1. Avoid being identified.
2. Minimize the damage when we are identified.
You can think of these as our _guiding security principles_. If you have a technical security question, you may be able to arrive at an answer by asking yourself these questions:
1. Does using this technology increase or decrease the chances that I will be identified?
2. Does using this technology increase or decrease the damage (eg, the evidence that can be used against me) when I am identified?
Obviously, you will need to understand the underlying technology to answer these questions.
The rest of this guide explains the broad technological features that decrease the chances we are identified and that minimize the damage when we are identified. Towards the end I list specific technologies and evaluate them based on these features.
First, let me list the broad features that I have come up with, then I will explain them.
3. Minimal execution of untrusted code
To some extent, we’ve been focusing on the wrong things. I’ve predominantly been concerned with network layer attacks, or “attacks on the Tor network”, but it seems clear to me now that application layer attacks are far more likely to identify us. The applications that we run over Tor are a much bigger attack surface than Tor itself. We can minimize our chances of being identified by securing the applications that we run over Tor. This observation informs the first four features that we desire.
Short of not using computers at all, we can minimize threats against us by simplifying the technological tools that we use. A smaller code base is less likely to have bugs, including deanonymizing vulnerabilities. A simpler application is less likely to behave in unexpected and unwanted ways.
As an example, when the Tor Project evaluated the traces left behind by the browser bundle, they found 4 traces on Debian Squeeze, which uses the Gnome 2 desktop environment, and 25 traces on Windows 7. It’s clear that Windows 7 is more complex and behaves in more unexpected ways than Gnome 2. Through its complexity alone, Windows 7 increases your attack surface, exposing you to more potential threats. (Although there are other ways that Windows 7 makes you more vulnerable, too.) The traces left behind on Gnome 2 are easier to prevent than the traces left behind on Windows 7, so at least with regard to this specific threat, Gnome 2 is desirable over Windows 7.
So, when evaluating a new technological tool for simplicity, ask yourself these questions:
Is it more or less complex than the tool I’m currently using?
Does it perform more or fewer (unnecessary) functions than the tool I’m currently using?
We should favor technologies that are built by professionals or people with many years of experience rather than newbs. A glaring example of this is CryptoCat, which was developed by a well-intentioned hobbyist programmer, and has suffered severe criticism because of the many vulnerabilities that have been discovered.
We should favor technologies that are open source, have a large user base, and a long history of use, because they will be more thoroughly reviewed.
When evaluating a new technological tool for trustworthiness, ask yourself these questions:
Who wrote or built this tool?
How much experience do they have?
Is it open source, and how big is the community of users, reviewers, and contributors?
===Minimal Execution of Untrusted Code===
The first two features assume the code is trusted but has potential unwanted problems. This feature assumes that as part of our routine activities, we may have to run arbitrary untrusted code. This is code that we can’t evaluate in advance. The main place this happens is in the browser, through plug-ins and scripts.
You should completely avoid running untrusted code, if possible. Ask yourself these questions:
Are the features that it provides absolutely necessary?
Are there alternatives that provide these features without requiring plug-ins or scripts?
Isolation is the separation of technological components with barriers. It minimizes the damage incurred by exploits, so if one component is exploited, other components are still protected. It may be your last line of defense against application layer exploits.
The two types of isolation are physical (or hardware based) and virtual (or software based). Physical isolation is more secure than virtual isolation, because software based barriers can themselves be exploited by malicious code. We should prefer physical isolation over virtual isolation over no isolation.
When evaluating virtual isolation tools, ask yourself the same questions about simplicity and trustworthiness. Does this virtualization technology perform unnecessary functions (like providing a shared clipboard)? How long has it been in development, and how thoroughly has it been reviewed? How many exploits have been found?
Encryption is one of two defenses we have to minimize the damage when we are identified. The more encryption you use, the better off you are. In an ideal world, all of your storage media would be encrypted, along with every email and PM that you send. The reason for this is because, when some emails are encrypted but others are not, an attacker can easily identify the interesting emails. He can learn who the interesting parties are that you communicate with because those will be the ones you send encrypted emails to (this is called metadata leakage). Interesting messages are lost in the noise when everything is encrypted.
The same goes for storage media encryption. If you store an encrypted file on an unencrypted hard drive, an adversary can trivially determine that all the good stuff is in that small file. But when you use full disk encryption, you have more plausible deniability as to whether the drive contains data that would be interesting to that adversary, because there are more reasons to encrypt an entire hard drive than a single file. Also, an adversary who bypasses your encryption would have to cull through more data to find the stuff that is interesting to him.
Unfortunately, using encryption incurs a cost that the vast majority of people can’t bear, so at a minimum, sensitive information should be encrypted.
On a related note, the other defense against damage is secure data erasure, but that takes time that you may not have. Encryption is preemptive secure data erasure. It’s easier to destroy encrypted data, because you only have to destroy the encryption key to prevent an adversary from accessing the data.
Finally, I’d like to add a related non-technical feature.
In some cases, the technology we use is only as safe as our behavior. Encryption is useless if your password is “password”. Tor is useless if you tell someone your name. It may surprise you how little an adversary needs to know about you in order to uniquely identify you. Here are some basic rules to follow:
Don’t tell anyone your name. (obv)
Don’t describe your appearance, or the appearance of any major possessions (car, house, etc.).
Don’t describe your family and friends.
Don’t tell anyone your location beyond a broad geographical area.
Don’t tell people where you will be traveling in advance (this includes festivals!).
Don’t reveal specific times and places where you lived or visited in the past.
Don’t discuss specific arrests, detentions, discharges, etc.
Don’t talk about your school, job, military service, or any organizations with official memberships.
Don’t talk about hospital visits.
In general, don’t talk about anything that links you to an official record of your identity.
===A List of Somewhat Secure Setups for Silk Road Users===
I should begin by pointing out that the features outlined above are not equally important. Physical isolation is probably the most useful and can protect you even when you run complex and untrusted code. In each of the setups below, I assume a fully updated browser / TBB with scripts and plug-ins disabled. Also, the term “membership concealment” means that someone watching your internet connection doesn’t know you are using Tor. This is especially important for vendors. You can use bridges, but I’ve included extrajurisdictional VPNs as an added layer of security.
With that in mind, here is a descending list of secure setups for SR users.
Starting off, I present to you the most secure setup!
A router with a VPN + an anonymizing middle box running Tor + a computer running Qubes OS.
Advantages: physical isolation of Tor from applications, virtual isolation of applications from each other, encryption as needed, membership concealment against local observers with VPN
Disadvantages: Qubes OS has a small user base and is not well tested, as far as I know.
Anon middle box (or router with Tor) + Qubes OS
Advantages: physical isolation of Tor from applications, virtual isolation of applications from each other, encryption as needed
Disadvantages: Qubes OS has a small user base and is not well tested, no membership concealment
VPN router + anon middle box + Linux OS
Advantages: physical isolation of Tor from applications, full disk encryption, well tested code base if it’s a major distro like Ubuntu or Debian
Disadvantages: no virtual isolation of applications from each other
Anon middle box (or router with Tor) + Linux OS
Advantages: physical isolation of Tor from applications, full disk encryption, well tested code base
Disadvantages: no virtual isolation of applications from each other, no membership concealment
Qubes OS by itself.
Advantages: virtual isolation of Tor from applications, virtual isolation of applications from each other, encryption as needed, membership concealment (possible? VPN may be run in VM)
Disadvantages: no physical isolation, not well tested
Whonix on Linux host.
Advantages: virtual isolation of Tor from applications, full disk encryption (possible), membership concealment (possible, VPN can be run on host)
Disadvantages: no physical isolation, no virtual isolation of applications from each other, not well tested
Advantages: encryption and leaves no trace behind, system level exploits are erased after reboot, relatively well tested
Disadvantages: no physical isolation, no virtual isolation, no membership concealment, no persistent entry guards! (but can manually set bridges)
Whonix on Windows host.
Advantages: virtual isolation, encryption (possible), membership concealment (possible)
Disadvantages: no physical isolation, no virtual isolation of applications from each other, not well tested, VMs are exposed to Windows malware!
Advantages: full disk encryption (possible), membership concealment (possible)
Disadvantages: no physical isolation, no virtual isolation
Advantages: full disk encryption (possible), membership concealment (possible)
Disadvantages: no physical isolation, no virtual isolation, the biggest target of malware and exploits!
Assuming there is general agreement about the order of this list, our goal is to configure our personal setups to be as high up on the list as possible.
Thanks for your attention, and again I welcome comments and criticism.
The version lines that are usually shown by default in PGP keys and PGP signature blocks often reveal which OS the person is using.
PGP/GPG Version strings:
You can tell a fair bit about a user’s PGP/GPG setup from their Version: string. Here are some typical examples:
Version: GnuPG v1.4.11 (GNU/Linux)
This key belongs to a Linux user.
Version: GnuPG v2.0.19 (MingW32)
This key belongs to a Windows user.
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
This key belongs to a Mac OS X user.
Versions that should make you nervous:
This person is using the official PGP version, as published by Symantec. I’ve read statements by Kevin Mitnick that he no longer trusts PGP, since it was acquired by Symantec. In his post, Mitnick refers to the case of Diskreet, which back in the early days, was an encryption package sold by Symantec. This software purported to use the full 56-bit DES cipher algorithm, which was quite strong for its day. Mitnick stated that he acquired a copy of the Diskreet source code, and discovered that the actual key was nowhere near 56-bits, but was incredibly weak. He went on to say that based on his experience, he would not trust any version of PGP published by Symantec.
His caution is only underscored by the Snowden revelations earlier this summer, which set out the NSA’s campaign of attempting to weaken or backdoor crypto.
I, for one, would not trust any closed-source crypto software published by an American company — that goes double for companies with a history like Symantec.
To the best of my knowledge, Symantec does not publish PGP source code, and as an American company, their crypto software is now suspect.
Versions of PGP that should make you run away screaming:
Versions of PGP with these Version: strings are based on the BouncyCastle Java crypto libraries. They should be avoided like the plague.
Version: BCPG v1.45
Version: BCPG v1.47
These versions of PGP are absolutely NOTORIOUS for generating MASSIVELY UNSAFE PGP keys by default. They typically generate DSS/Elgamal keys with a 1024-bit signing key and an encryption sub-key of as little as 512 bits.
512-bit keys are so unsafe, that they were being broken by hobbyists on spare hardware a dozen years ago. 1024-bit keys were deprecated by NIST more than 3 years ago.
Version: BCPG C# v126.96.36.199
This version of PGP generates by default a PGP key of 1024-bits, with NO encryption sub-key. Again, these keys are unsafe/obsolete.
Any software that uses the Java Bouncycastle crypto libraries (like PortablePGP) should be avoided like the plague. These typically contain BCPG in the Version: string.
GPG4Win/Kleopatra/GPA are also deprecated — Kleopatra generates RSA keys without an encryption sub-key. Dual RSA keys, with one RSA key for signing, and the other exclusively for encryption have been standard since the Fall of 2009.
GPA will not generate keys over 3072-bits in length.
GPG4USB or Gnu Privacy Tray (GnuPT) are recommended, as they are:
* Easy to use
* Standards compliant
GnuPT, in particular, is frequently updated. Usually, when there is a new GPG version (e.g. 1.4.15), the GnuPT developers issue an update within a day or two, reflecting the change.
GnuPT: http://www.gnupt.de/ (Site is in German)
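The Version: header and the key lengths discussed above can both be checked offline on your own key material before you publish it. The script below is an added example (it is not from this guide, GnuPT, or any of the tools named above) and works on text only: one function classifies the Version: header of an armored block following the guide's list, the other scans the machine-readable output of gpg --list-keys --with-colons for primary keys or sub-keys shorter than a chosen minimum. The armored block and the colon-separated records embedded in it are constructed samples with placeholder key IDs.

```shell
#!/bin/sh
# Added example: offline checks for the weak-key indicators described in the
# guide. Runs without a keyring; feed it your own "gpg --armor --export" and
# "gpg --list-keys --with-colons" output in real use.

# Constructed sample: an armored block carrying one of the Version: strings the
# guide warns about (the key bytes are a placeholder, not a real key).
SAMPLE_ARMOR='-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47

mQENBFBLACEHOLDERPLACEHOLDERPLACEHOLDER=
-----END PGP PUBLIC KEY BLOCK-----'

# Constructed sample of "gpg --list-keys --with-colons" output: a 1024-bit DSA
# primary key (algorithm 17) with a 512-bit Elgamal sub-key (algorithm 16).
# The key IDs are placeholders. Field 3 is the key length in bits.
SAMPLE_COLONS='pub:u:1024:17:0000000000000001:1380000000:::u:::scaSCA::::::
uid:u::::1380000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:512:16:0000000000000002:1380000000:::::e::::::'

# pgp_version_header: print the Version: header of an armored block on stdin
# (empty if there is none; newer GnuPG releases omit it by default).
pgp_version_header() {
    sed -n 's/^Version: *//p' | head -n 1
}

# classify_pgp_version VERSION_STRING: verdict from the header alone,
# following the guide's list (BCPG-based generators are the ones to avoid).
classify_pgp_version() {
    case "$1" in
        "")      echo "no-version-header" ;;
        BCPG*)   echo "avoid: BouncyCastle-based generator" ;;
        GnuPG*)  echo "ok: GnuPG" ;;
        *)       echo "unknown: $1" ;;
    esac
}

# check_armored_block: both steps on stdin.
check_armored_block() {
    classify_pgp_version "$(pgp_version_header)"
}

# weak_keys MIN_BITS: read --with-colons output on stdin and print one line
# "TYPE KEYID BITS" per pub/sub record whose length (field 3) is below
# MIN_BITS. Prints nothing when every key is long enough.
weak_keys() {
    awk -F: -v min="$1" '($1 == "pub" || $1 == "sub") && $3 + 0 < min {
        print $1, $5, $3
    }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_ARMOR" | check_armored_block
printf '%s\n' "$SAMPLE_COLONS" | weak_keys 2048
```

To run the same checks against a real key, pipe gpg --armor --export KEYID into check_armored_block and gpg --list-keys --with-colons KEYID into weak_keys 2048; a blank Version: header is not a problem in itself, so that case is reported separately rather than as a warning.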
Right up there with Whonix as a contender for the best OS to access the deep web is Tails. The Amnesic Incognito Live System, or “Tails”, is a live system that aims to preserve your privacy and anonymity, which is very important when accessing the deep web. Unlike Whonix, it is not made to be run in a virtual machine but instead off a DVD, USB stick or SD card. While this is a bit more of a hassle, you may want to go with this option because of the additional features that serve to protect your identity.
Tails uses Tor to connect to the internet and blocks any attempts to connect directly to the Internet. This means that all the software it comes with is configured to automatically connect using the Tor network. What is most useful about the OS, though, is the fact that it doesn’t store anything on your hard drive. The only storage space used is the RAM, which is automatically erased when the computer shuts down. This is where the “amnesic” part of the name comes from. Sensitive documents can still be saved to another external device of your choosing, but unless you specifically do that, anything you were working on will be gone without a trace. It also includes a variety of encryption tools to assist in protecting your identity while using Tails.
To get started, go to their official download page and torrent or direct download their latest version.
After doing so you will want to verify the integrity of the ISO image to make sure that you haven’t been the victim of a man-in-the-middle attack. If you already understand OpenPGP (which you really should by now) then this step will be easy. If not, they have a guide explaining how to use it to check the integrity of what you just downloaded against their signing key.
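One detail the verification step glosses over is that a “Good signature” message only tells you the file was signed by some key in your keyring, not that it was the Tails signing key. The script below is an added example (not the Tails project's own tooling) that runs gpg --verify with its machine-readable status output and accepts the image only if the VALIDSIG record names a fingerprint you pinned beforehand. The pinned fingerprint here is a placeholder (take the real one from the Tails website), and the status lines the script tests itself against are constructed samples.

```shell
#!/bin/sh
# Added example: verify a downloaded image against its detached signature and
# accept it only if the signature comes from a key whose fingerprint was
# pinned in advance. gpg's --status-fd lines are used rather than its
# human-readable text because they are stable and easy to parse.

# check_gpg_status EXPECTED_FPR: read status lines on stdin; succeed only on a
# VALIDSIG carrying the pinned fingerprint, fail immediately on any bad,
# unknown-key, expired or revoked signature.
check_gpg_status() {
    expected="$1"
    verdict=1
    while read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            VALIDSIG)
                if [ "$fpr" = "$expected" ]; then verdict=0; fi
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    return "$verdict"
}

# verify_image IMAGE SIGFILE EXPECTED_FPR: run gpg and apply the check.
# Usage (needs gpg and the signing key imported; not run here):
#   verify_image tails.iso tails.iso.sig "$PINNED_FPR"
verify_image() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_gpg_status "$3"
}

# Placeholder fingerprint: the real Tails signing-key fingerprint is published
# on the Tails website, not in this example.
PINNED_FPR=0000000000000000000000000000000000000000

# Constructed status output for a signature made by the pinned key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2015-01-01 1420070400 0 4 0 1 10 00 0000000000000000000000000000000000000000'

# Constructed status output for a valid signature by some other key: this is
# the case a plain "Good signature" check would wrongly accept.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-01-01 1420070400 0 4 0 1 10 00 1111111111111111111111111111111111111111'

# Constructed status output for a corrupted or tampered download.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000000 Example Signer <signer@example.invalid>'

if printf '%s\n' "$GOOD_STATUS" | check_gpg_status "$PINNED_FPR"; then
    echo "accepted: signed by the pinned key"
fi
if ! printf '%s\n' "$OTHER_KEY_STATUS" | check_gpg_status "$PINNED_FPR"; then
    echo "rejected: valid signature, but not from the pinned key"
fi
```

The same check applies unchanged to the Tor Browser download described later in this guide; only the pinned fingerprint differs.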
You now have to decide whether to burn it to a DVD or to use Tails Installer to put it onto a USB stick / SD card. There are benefits and drawbacks to each, which are described here.
Now insert the DVD or USB/SD and restart your computer. If the OS doesn’t boot up, you will have to go into your BIOS and change the boot order to put whatever drive you want to boot from first on the list. You can get to the BIOS settings menu by pushing the key that is prompted when starting up your computer. Once you have changed the boot order, just restart your computer again and TAILS will start.
There is more documentation on their website for how to use all the functions of TAILS but it is quite self-explanatory. It provides a very safe way for you to browse the web, access the Deep Web, and work with sensitive documents.
If this sounds like too much of a hassle and you want an OS that can be run in the background while you are doing other work then try Whonix instead. Don’t just browse on your default operating system.
When it comes to keeping your activities out of the prying eyes of Evil Alphabet Agencies, one must not slack on beefing up security on both one’s computers and networks. The consequences for those who are involved are just too serious to take lightly. If you are accessing the Dark Net at home at all, there are a few simple steps you can take to ensure your anonymity stays a secret. In this tutorial I am going to go over installing and configuring Tor, Privoxy, and a free VPN.
First of all, absolutely do not use Windows thinking it’s safe. Use Windows at your own risk; I am not going to chance it. Especially when it is publicly known that since the release of Windows Seven Microsoft has been working with the NSA, installing secret back doors to pretty much whatever they could scare people into accepting. The NSA can access everything that is accessible on the Windows partition of your machine if it’s not encrypted. (Yes, you can remove the back doors within Windows, but that is to say, you can remove the ones that we KNOW about, and I would not put it past the NSA to have a few tricks up their sleeves.) I prefer using Linux anyway. I understand that some have difficulties making the transition from Windows to Linux, but that’s why they created man pages, my friend.
(If you don’t know what a command does, just type man <COMMAND> in a terminal, read the manual page, and you’re good to go.) Honestly, once you use any flavor of Linux for a while, the scripting will come naturally and Windows will become obsolete (well, aside from a small, encrypted partition for whatever Windows applications you cannot live without; but please do make sure you encrypt your hard drives, and make sure you disable WPS on your modems and routers and such, because it is a lot easier to crack a WPS key than to sniff out a handshake sequence and then crack that against a .pcap sniffing file). In Windows, use Veracrypt, and while installing Linux, wipe the disk completely and encrypt it all with VSLM. Of course backups should be made first, but an encrypted hard drive really gives me peace of mind. I do not do anything illegal, yet I just get sick when I think about Government Agents, who are supposed to protect us, pilfering through my computers and precipitating the demise of Americans’ Right to Privacy. Since 9/11, they have basically made The Right To Privacy a joke, and it was done in the name of Patriotism. My retort to their Ranging Rover Taps and Legalized Racism.
Anyway, now to the technical stuff. (Sorry, it’s kind of boring, but our Right To Privacy as a Nation is at stake, not to mention our personal freedoms, which is a really good reason to put up with the boring.) If we don’t take a stand and take hold of this situation now, privacy as we know it will become yet another casualty of war.
I am definitely not here to tell you what you should do, mind you, just here to urge you to do something. As for which flavor of Linux you should use (if you’re not already using one), I would recommend Kali Linux. It is Debian-based (and even if you don’t know it already, it’s still well worth getting used to Debian-based distributions, because Ubuntu is cool and all, but all the sudoing is tiresome), and plus Kali is a security-auditing distribution of Linux, meaning it can easily achieve the things we need it for. You can install the same things on any distribution of Linux; it just may require a little more reading (but if you use Kali you can just follow these steps and then you’re good to go).
Now download whatever Kali*.iso is compatible with your machine (32- or 64-bit, AMD or Intel, etc.) from Offensive Security, install it, and I recommend completely wiping your system (unless it is good already 🙂) and encrypting the entire hard drive with VSLM. It is an option when installing; do it, just remember the key you use, because if you forget it, it will be a hassle.
After the install, go to this website and follow these instructions (things like installing the proper audio drivers, which is a trademark problem of Debian-based flavors, but the pros definitely outweigh the cons here, definitely). This is the URL you need. After those things are done, we need to install Vidalia (the GUI front end to Tor), Tor itself, Privoxy, proxychains, and open dns (to prevent people from being able to see the DNS address of the ISP you use). Also, when making PGP keys, please don’t put your normal email address; I recommend trying to figure out how I2P email or Freenet mail works (kind of easier said than done, but the reward will be peace of mind and a clean, anonymous email address, because they are more secure than using a Gmail account, for example). Also, if you use your computer at home for accessing the Dark Web, I highly recommend the use of a VPN with these measures; then I would consider it pretty safe, or at least way too much of a hassle for people to go through.
At the prompt, type sudo -s for a root shell, enter your password, then enter these commands as root:
#apt-get install network-manager-openvpn-gnome
#apt-get install network-manager-pptp
#apt-get install network-manager-pptp-gnome
#apt-get install network-manager-strongswan
#apt-get install network-manager-vpnc
#apt-get install network-manager-vpnc-gnome
#/etc/init.d/network-manager restart
Then after that, use this server (for the US; for other countries just google it):
PPTP Username: justfreevpn
PPTP Password: USA Free VPN Account
That will configure your VPN properly; now to install Tor and the other tools (and to make sure they are working properly).
#apt-get install tor
#apt-get install privoxy
#apt-get install vidalia
Now, we have to edit a configuration file; simply type
And go down to line (it was 699 on my config file)
697 # Default Value:
699 # 127.0.0.1:8118
Now, take the # sign out of line 699 and make it read
699: listen-address 127.0.0.1:8118
And then go to the very bottom of the file, and add these lines:
forward-socks4 / 127.0.0.1:9050 .
forward-socks4a / 127.0.0.1:9050 .
*Make sure you put a period at the end of the address:port combination. (Copying and pasting would probably be how I would do it.) I forgot that once and it took a while to realize what I had done wrong. We are almost finished! Now type:
#service privoxy stop && service tor stop
#service privoxy start && service tor start
Now, you need to set your browser to use the proxy (or just download the add-on FoxyProxy Standard and, once installed, go to File > Tor Wizard and accept the options that come up (all you have to do is hit enter), then choose the proxy configuration you just made), and go to Google and search “am I using Tor”. Assuming you were successful, there is just one last step.
#leafpad /etc/tor/torrc and put this line at the end of the file: “DNSPort 53”
Then save it, and #leafpad /etc/resolv.conf, delete everything in the file (it’s about three to five lines long), replace it with “nameserver 127.0.0.1”, then save it.
If it were me, I would just restart the computer (to see whether Tor and Privoxy are both installed and start with the other init.d daemons), but you could just restart the services; either way, you’re through the process now. To make sure you are safe, check out “http://www.ipchicken.com” or “https://www.whatismyip.com” and make sure both that your current IP address is masked and that your ISP’s DNS is hidden as well. This is an example of a properly configured box:
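The Privoxy edits above are the part of this procedure that is easiest to get wrong: the forward line must end in a lone “.”, and only the socks4a form hands the hostname to Tor so that DNS lookups do not go to your ISP (plain forward-socks4 resolves names locally). The script below is an added example, not part of beac0n's guide, that checks a Privoxy config and a torrc for exactly those points before you rely on them. It works on constructed copies of the relevant lines written to a temporary directory rather than on the real files under /etc; point check_privoxy at /etc/privoxy/config and check_torrc at /etc/tor/torrc to check your own setup. The tor_check function uses the Tor project's check service (https://check.torproject.org/api/ip) and needs network access, so it is defined but not run.

```shell
#!/bin/sh
# Added example: verify the Privoxy and Tor configuration edits before use.

# Constructed copies of the relevant config lines, written to temporary files
# so the checks run without touching /etc.
TMP=${TMPDIR:-/tmp}/privoxy-check.$$
mkdir -p "$TMP"
cat > "$TMP/config.good" <<'EOF'
# Default Value:
# 127.0.0.1:8118
listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
EOF
cat > "$TMP/config.nodot" <<'EOF'
listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050
EOF
cat > "$TMP/config.socks4" <<'EOF'
listen-address 127.0.0.1:8118
forward-socks4 / 127.0.0.1:9050 .
EOF
cat > "$TMP/torrc" <<'EOF'
SocksPort 9050
DNSPort 53
EOF

# check_privoxy FILE: print "ok" or the first problem found (status 1).
check_privoxy() {
    # uncommented listen-address on the loopback port 8118
    if ! grep -Eq '^[[:space:]]*listen-address[[:space:]]+127\.0\.0\.1:8118' "$1"; then
        echo "missing: listen-address 127.0.0.1:8118"; return 1
    fi
    # the socks4a forward must be present (socks4 alone resolves DNS locally)
    if ! grep -Eq '^[[:space:]]*forward-socks4a[[:space:]]+/[[:space:]]+127\.0\.0\.1:9050' "$1"; then
        echo "missing: forward-socks4a line (plain socks4 leaks DNS to the ISP)"; return 1
    fi
    # ... and it must end in the lone "." that the guide warns about
    if ! grep -Eq '^[[:space:]]*forward-socks4a[[:space:]]+/[[:space:]]+127\.0\.0\.1:9050[[:space:]]+\.[[:space:]]*$' "$1"; then
        echo "error: forward-socks4a line lacks the trailing \".\""; return 1
    fi
    echo ok
}

# check_torrc FILE: Tor must answer DNS locally for the resolv.conf change
# above to work; report the DNSPort it is configured with.
check_torrc() {
    port=$(sed -n 's/^[[:space:]]*DNSPort[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$port" ]; then echo "missing: DNSPort"; return 1; fi
    echo "DNSPort $port"
}

# tor_check: ask the Tor project's check service, through the local SOCKS
# port, whether this connection exits from Tor. --socks5-hostname makes curl
# resolve the name through Tor as well. Needs network access; not run here.
tor_check() {
    curl -s --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/api/ip
}

for f in good nodot socks4; do
    echo "config.$f: $(check_privoxy "$TMP/config.$f")"
done
echo "torrc: $(check_torrc "$TMP/torrc")"
```

Run tor_check after the services are restarted; it answers with a small JSON object whose IsTor field should read true, which is a more direct test than an IP-lookup page because it checks the exit address against the Tor consensus rather than against your memory of your own IP.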
All Credits go to beac0n, thanks for contacting us and contributing the guide you created!
As people requested – here is a link to download this guide as a PDF.
The goal is to bring together enough information in one document for a beginner to get started. Visiting countless sites and combing the internet for information can make your desire for anonymity obvious, and can lead to errors due to conflicting information. Every effort has been made to make this document accurate. This guide is image heavy, so it may take some time to load via Tor.
For more general guides checkout:
EFF Surveillance Self-Defense project
Riseup.net Security Guide
Security in a box
TAILS Documentation – for those looking for a solid starting place TAILS OS is a great choice.
EFF and EPIC
For educational purposes.
Not legal advice or call to action.
Table of Contents
- 1 Intro
- 2 Some general sources/Big Thanks
- 3 Technical Information
- 3.1 Strong Passwords
- 3.2 Internet Connectivity
- 3.3 Operating Systems
- 3.4 Secure Data-Wiping Linux
- 3.5 Physical Destruction
- 3.6 Cold-Boot Attack
- 3.7 Basic Communications
- 3.8 GNUPG/PGP Basics
- 3.9 Validating Files with MD5 or SHA1:
It’s difficult to remember many passwords. First off, it’s good to select a strong password manager. Keepassx is cross-platform and has good security features, like encryption by password and using a keyfile. It also allows you to generate strong passwords, so if you’re not worried about memorization it’s good practice to let Keepassx generate secure random passwords.
It’s best not to use services that store your passwords in the cloud. If you need to, you can back up your encrypted password database on a secure server, in an encrypted directory, and store your keyfile in a separate location.
Passwords for encryption and critical access should be prioritized. Even a long randomized password may not be a secure enough method. EFF recommends you try the diceware method, or basically randomly chain a number of words selected from a word list based on dice rolls. Full details are available here.
Although it’s an annoyance, passwords are the ever present key to what matters most to you.
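To make the diceware recommendation concrete, here is an added example (not from the EFF page the guide links to) of a diceware-style generator together with the entropy arithmetic that justifies the method. Words are chosen from /dev/urandom with rejection sampling, so every word is equally likely; a plain "random number modulo list size" would favour the first entries. The eight-word list embedded below is a constructed stand-in for a real list such as EFF's, which has 7776 entries (one per roll of five dice).

```shell
#!/bin/sh
# Added example: diceware-style passphrase generation and strength estimate.

# Constructed short word list for the demonstration only.
WORDLIST=${TMPDIR:-/tmp}/diceware-demo.$$
printf '%s\n' apple baton cider delta eagle fjord gamma hotel > "$WORDLIST"

# random_below N: an unbiased integer in 0..N-1 from /dev/urandom.
# Draws a 32-bit value and rejects it when it falls in the partial block at
# the top of the range, so "r % N" is uniform.
random_below() {
    n=$1
    limit=$(( 4294967296 / n * n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# pick_word FILE: one uniformly chosen line of FILE.
pick_word() {
    count=$(wc -l < "$1" | tr -d ' ')
    line=$(( $(random_below "$count") + 1 ))
    sed -n "${line}p" "$1"
}

# passphrase NWORDS FILE: NWORDS words separated by single spaces.
passphrase() {
    out=""
    i=0
    while [ "$i" -lt "$1" ]; do
        w=$(pick_word "$2")
        out="${out:+$out }$w"
        i=$(( i + 1 ))
    done
    echo "$out"
}

# passphrase_bits NWORDS LISTSIZE: entropy in bits, NWORDS * log2(LISTSIZE).
# This is the figure to compare against a random character password: with a
# 7776-word list, six words give about 77.5 bits.
passphrase_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

echo "demo passphrase: $(passphrase 4 "$WORDLIST")"
echo "bits for 6 words from a 7776-word list: $(passphrase_bits 6 7776)"
echo "bits for 4 words from the 8-word demo list: $(passphrase_bits 4 8)"
```

The entropy figure only holds when the words are chosen by a random process like the one above; picking words you find memorable throws most of it away.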
No service provider should be presumed to completely protect your privacy. Even if your VPN/Proxy or other ISP promises no logs or identifiable information, time and time again information has been collected and used against those seeking anonymity. Open-source technologies, where you are able to examine the source, are better than trusting a Government or other entity with your security, although trust is still ultimately placed in the hands of developers.
Consider reading the Terms of Service any time you sign up for a service or install something.
Also remember that the times you use technology can be used to build a profile of your location for identification. Consider changing up your times of connectivity. On forums, chat and other services, it may be worthwhile to disable the notification that outwardly displays when you are online, or select invisible mode when applicable.
UFW (Uncomplicated Firewall) is a great general firewall for Linux
- sudo apt-get install ufw
- sudo ufw enable
- sudo ufw default deny incoming
As some malware may utilize outgoing traffic, like encrypted UDP, it may be worthwhile to limit outgoing ports
- sudo ufw default deny outgoing
It may be better to specifically allow/deny the specific ports of concern.
- sudo ufw allow port/tcp
- sudo ufw allow port/udp
Then when you’re done check the status
sudo ufw status
You can see I’ve blocked some specific ports in this example
For more advanced configuration visit.
A MAC address is a hardware-specific identifier for your network interface. In some cases it may be useful to change your MAC address to avoid detection.
sudo apt-get install macchanger
for a GUI
sudo apt-get install macchanger-gtk
Check your current MAC addresses for future reference
for a random MAC address
sudo ifconfig wlan0 down
sudo macchanger -r wlan0
This will change the MAC address to a random value
sudo macchanger -e wlan0
will change the MAC address but keep the same vendor. This can be useful if you’re spoofing your address but you don’t want it obviously coming from a device not on the network.
sudo macchanger -A wlan0
This will change the device’s MAC to a random MAC of any kind, regardless of the original device.
sudo macchanger --mac=XX:XX:XX:XX:XX:XX interface
Will change to a specific MAC address of your choice
You may want to write a script to start automatically on network manager start, and network manager shut down.
sudo nano /etc/init/macchanger.conf
description "change mac addresses"
start on starting network-manager
pre-start script
/usr/bin/macchanger -A wlan0
/usr/bin/macchanger -A eth0
/usr/bin/macchanger -A wmaster0
/usr/bin/macchanger -A pan0
#/usr/bin/logger wlan0 `/usr/bin/macchanger -s wlan0`
#/usr/bin/logger eth0 `/usr/bin/macchanger -s eth0`
end script
you can switch out -A for -r or whatever other configuration you might want.
sudo nano /etc/network/if-post-down.d/random-mac
#!/bin/sh
[ "$IFACE" != "lo" ] || exit 0
# Bring down the interface (for wireless cards that are up to scan for networks) and change its MAC address to a random vendor address
/sbin/ifconfig "$IFACE" down
macchanger -A "$IFACE"
- sudo chmod +x /etc/network/if-post-down.d/random-mac
- sudo service network-manager restart
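The macchanger options above differ in which parts of the address they keep. As an added example (not macchanger's own code), the script below generates a random address the way the -r option does and checks the two bits of the first octet that decide whether an interface will accept it: bit 0 must be clear (set means a multicast address) and bit 1 set marks it as locally administered, so it cannot collide with a vendor-assigned one. A last helper compares the first three octets, the vendor prefix that -e preserves. The sample addresses in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: generate and validate a random unicast, locally administered
# MAC address.

# random_mac: six random octets; the first has its multicast bit cleared and
# its locally-administered bit set.
random_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 & 252) | 2 ))   # 252 = 0xFC clears bit 0, | 2 sets bit 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# first_octet MAC: the first octet as a decimal number.
first_octet() {
    printf '%d' "0x$(printf '%s' "$1" | cut -d: -f1)"
}

# mac_is_valid MAC: six colon-separated hex octets.
mac_is_valid() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# mac_is_unicast MAC: multicast bit (bit 0 of the first octet) clear.
mac_is_unicast() {
    [ $(( $(first_octet "$1") & 1 )) -eq 0 ]
}

# mac_is_local MAC: locally administered bit (bit 1 of the first octet) set.
mac_is_local() {
    [ $(( $(first_octet "$1") & 2 )) -ne 0 ]
}

# mac_same_vendor MAC1 MAC2: the first three octets (the vendor prefix that
# "macchanger -e" keeps) match.
mac_same_vendor() {
    a=$(printf '%s' "$1" | cut -d: -f1-3 | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | cut -d: -f1-3 | tr 'A-F' 'a-f')
    [ "$a" = "$b" ]
}

m=$(random_mac)
echo "generated: $m"
if mac_is_valid "$m" && mac_is_unicast "$m" && mac_is_local "$m"; then
    echo "usable: unicast and locally administered"
fi
```

An address produced this way announces itself as locally administered, which is exactly what -e avoids by keeping the original vendor prefix; which of the two you want depends on whether standing out as "not a factory address" matters on the network in question.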
The basic premise is monitoring the system for unusual activity. First, keep an eye on the logs; the next step is to consider an IDS like Snort. There’s a learning curve, but here are some useful tools that, with some research, can increase security, especially if you allow others to access the system.
You may want to get yourself acquainted with some of the common security tools available. Here’s a good list; nmap, tcpdump, netcat and Wireshark are definitely useful.
On first install of a linux operating system you should be prompted to create an encrypted LVM partition, and encrypt your home folder. This is a good start. For further security there is veracrypt.
Veracrypt is a fork of Truecrypt that is better at patching vulnerabilities. I see a lot of tutorials touting Truecrypt, and it’s in most package managers. However, you should download Veracrypt.
How to create a hidden encrypted volume with Veracrypt
Select Create Volume
Select Create an Encrypted File Container
Select Hidden Veracrypt volume
Choose volume location and select never save history:
Select your encryption algorithm; AES is fine, but you may choose a more secure one
Select Hash Algorithm, SHA-512 is sufficient
Select Use Key files and click the key files box… optional:
Generate and save the new key.
Click add files and add the key
Click Generate Random Keyfile box if you want another key
You may also use existing keys:
Click format to create the volume that will be visible:
Now it’s recommended to load this volume with contents that appear sensitive
You will follow the same steps; remember this is the hidden volume, so consider its security most important.
When complete you will see this warning, read it carefully.
Download at: torproject.org
All Tor network addresses end with .onion, not .com. Browsing .onion services is far more secure.
In depth explanation of Tor by its head developer Arma.
Once you’ve downloaded Tor Browser, expand the zipped file. Then
Configuring Security Settings
Privacy and security settings can be easily configured. Click on the Onion in the top left.
Select “Privacy and Security Settings” Adjust the slider to your desired level of security.
Depending on the security level selected in Tor, NoScript may not provide any advantage. The main advantage of NoScript is that it’s easier to tailor allowing on specific sites, or for specific elements on the fly. Click the S in the top left next to the Tor onion symbol and select forbid scripts globally. You should see a red line across the S. If you allow specific sites, you should check that the red line is there for those you do not allow. Allowing only specific sites may create a fingerprint of your activity. There are some advanced settings under options worth taking a look at.
In some cases, if Tor is blocked or you wish to conceal the use of Tor, a bridge can be configured. This makes it more difficult for an ISP to detect Tor. Bridges can help avoid censorship, and if your ISP blocks Tor traffic it is much more difficult to detect the nature of the traffic unless deep packet inspection is employed. It’s one of those things that, since it’s there, you might as well set up as a precautionary measure and see if your connection is still reliable and fast enough for your standards.
- Click Open Settings on the Pop-up Connection Box
- Click configure
- Select Yes to ISP Censors or Blocks
- obfs3 is fine, see below for information on other options.
- Most likely just skip use a local proxy
- Click connect
Optionally if Tor is already started you can:
- click the onion icon in the top left of the browser and select
- Open Network Settings
- check My ISP Blocks Connections and hit OK.
- Use obfs3, which is recommended; see the next section on other types.
Pluggable Transports are extensions to Tor which utilize its pluggable transport API. These are more advanced ways to disguise traffic flow, for instance making it appear as Skype traffic or utilizing a flash proxy. Many are now included in the Bridge Option Menu, so this is a good resource to learn more about the specifics. Some may require custom installation.
If you need to use another browser Firefox is preferred. Here are some configuration settings and extensions that can be helpful.
In the URL Bar enter: about:config
- geo.enabled = false
- geo.wifi.uri =leave blank
- network.http.accept.default = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- network.http.use-cache = false
- network.http.keep-alive.timeout = 600
- network.http.max-persistent-connections-per-proxy = 16
- network.proxy.socks_remote_dns = true
- network.cookie.lifetimePolicy = 2
- network.http.sendRefererHeader = 0
- network.http.sendSecureXSiteReferrer = false
- network.protocol-handler.external = false #set the default and all the sub-settings to false
- network.protocol-handler.warn-external = true #set the default and all the sub-settings to true
- network.http.pipelining = true
- network.http.pipelining.maxrequests = 8
- network.http.proxy.keep-alive = true
- network.http.proxy.pipelining = true
- network.prefetch-next = false
- browser.cache.disk.enable = false
- browser.cache.offline.enable = false
- browser.sessionstore.privacy_level = 2
- browser.sessionhistory.max_entries = 2
- browser.display.use_document_fonts = 0
- intl.charsetmenu.browser.cache = ISO-8859-9, windows-1252, windows-1251, ISO-8859-1, UTF-8
- dom.storage.enabled = false
- extensions.blocklist.enabled = false
Other useful options:
- Disable all plugins: tools → addons → plugins
- Disable all live bookmarks: bookmarks → bookmarks toolbar → R/click latest headlines → delete
- Disable all updates: tools → options → advanced → update
- Enable ‘do not track’ feature: tools → options → privacy
- Enable private browsing, configure to remember nothing & disable 3rd party cookies: tools → options → privacy
It’s best to keep plugins to a minimum, but here are some to consider
- HTTPS Everywhere
- Privacy Badger
- Close n forget
- Modify Headers
- User Agent Switcher
- Adblock plus
You may consider visiting ip-check.info to see what data your browser is sending.
It’s recommended to get a router compatible with an open source firmware. The two major recommended firmwares are Tomato and dd-wrt. In some cases Tor or a VPN can be run directly on the router, and this can be useful if you find yourself forgetting at times to enable your desired connection. A backup router only used for specific connections may also be useful to swap in and out when a secure connection is needed. For the crafty, a Raspberry Pi can be configured as a local device to route connections through.
Installation is device-specific; navigate to either the Tomato or dd-wrt site for more information.
Tor: do your own research
The stand-alone Tor daemon can be found in the Ubuntu/Debian/Arch package manager.
sudo apt-get install tor
sudo pacman -S tor
However, you may wish to visit this link and add their PPA to get the latest version.
You can use Tor as a socks proxy once the service is started, either with the browser bundle or Tor daemon.
Navigate to the Network Settings, and Proxy section of the desired application.
Select Socks 4 Proxy and enter 127.0.0.1 port 9050.
This will route desired connections through Tor. TAILS automatically routes all connections through Tor.
An alternative to Tor, not as widely used since it requires more dependencies and the setup is not as simple. i2p addresses always display as .i2p
Unlike Tor, i2p is a self-contained network; it does not function as a proxy with traditional exit nodes. It is generally used to browse within the network of what are called eepsites.
Ubuntu/Debian based systems
- follow guide to add i2p to package list
- for ubuntu: sudo apt-add-repository ppa:i2p-maintainers/i2p
- for debian
- other see, and download necessary java files.
- sudo apt-get update
- sudo apt-get install i2p
starting i2p in terminal:
do not run as root or use sudo
- i2prouter start
If you have issue connecting to .i2p addresses check configuration by visiting: localhost:7657/confignet
One main issue is your firewall or router is blocking connections. Click networking.
Basic port unblocking
- sudo iptables -A INPUT -p tcp --dport <i2p port here> -j ACCEPT
- sudo iptables -L
- sudo ufw allow <i2p port here>/tcp
- sudo ufw status
Other Anonymity Networks and Software
I don’t recommend these at all but will list one that has been reliable. You’ll have to search for more.
Unfortunately you should have no expectation of privacy on a free VPN but for one time use if you have no other choice it may be helpful.
Of the free VPNs seems most reliable; please read the terms of service carefully and utilize Tor on top of the VPN for any sensitive content. Free VPNs are often banned from posting on many services due to trolling. You can search for others, but so far VPNBOOK just works.
Sometimes it may be necessary to use a proxy after the Tor exit node, for instance to appear in a desired location, or if exit nodes are banned on a service.
The setup is relatively simple on Linux.
- sudo apt-get install proxychains
- sudo nano /etc/proxychains.conf
- under [ProxyList] add
socks4 127.0.0.1 9050 #Tor must go first
socks5 ipaddress port
You will need to search for public socks proxy lists to populate.
start firefox in terminal: proxychains firefox
The best first step is to stop using Windows and Mac OS X, and stick with Linux.
Locate the firmware model of the motherboard on your computer and flash it with a fresh version. Some deeper level attacks embed themselves in the firmware, so it’s good practice for a clean start.
Usually f12 to enter BIOS, find security section (UEFI may be different)
Recommended: TAILS, Alternatives: Whonix, Liberté Linux and QubesOS
This guide shows how to install TAILS on a USB Drive from a Virtual Machine
- Download Virtual Box
- Download the latest extension package
- Double click on the extension package and it should open Virtual Box, click install
- Download TAILS
- Verify file identity with PGP
- Open Virtualbox and connect the USB drive
Click new in the top left:
Name your VM and select Linux 64bit or 32bit depending on which you downloaded:
Set memory size at least 1024 for smooth performance
Create a virtual hard drive
VDI Image is suitable
You can select dynamically allocated and set a starting amount at a couple gigabytes
Select the image and click start
Select the location of the .iso file you downloaded.
Once it has started go to Applications→Tails→Tails Installer
Make sure the USB drive is attached to the VM: you will see a green plus over the USB icon in the VirtualBox window
Select Clone & Install and follow the steps for installation
Once you have booted Tails from the USB drive you can create a persistent volume to store files you need to keep
- On the next boot you will be asked whether to unlock the persistent volume; only do so when necessary.
Recommended base operating systems: Arch Linux or Kali (note that Kali is built for penetration testing, not as a hardened daily-use system); alternatives: Debian, Mint, Ubuntu.
Although, just using Tails as a bootable OS with some persistent storage is probably better than most people can do in terms of hardening their base system.
Secure VM with Whonix and VirtualBox
- Download both Whonix-Gateway and Whonix-Workstation
- Download VirtualBox
- You may want to verify the files with the Whonix signing key; see the other sections on this.
Click File→Import Appliance and select the Whonix-Gateway .ova file:
Keep the settings default and click Import
Repeat for the Workstation, selecting its .ova
Import without changing settings
Start the Gateway first, then the Workstation; the Workstation has no network path except through the Gateway.
Once the Workstation has finished booting you will see its desktop.
Keep both VM windows open, but do all activity inside the Whonix-Workstation window.
Disk encryption – choose LVM with encryption during install, or at least encrypt the home directory
BleachBit – clearing day-to-day files (RAM wiping is experimental but worth enabling on shutdown)
secure-delete package – securely wiping content
Intro guides on hardening the other recommended base systems.
(may be out of date; look for current hardening guides)
Consider using an OS like Tails, with minimal persistent storage and automatic memory wiping, to make this easier.
Proceed with extreme caution; man pages are your friend.
easy, less effective
sudo apt-get install bleachbit
You can "Shred" files and folders from the File menu, and wipe free space, which may remove leftover data from deleted files that still sits on disk without any pointer to it.
File→Wipe Free Space
advanced, boot from USB/CD; ideal when discarding a hard drive
Go to dban.org, download the DBAN .iso and either burn it to CD/DVD or write it to USB, then boot from that device.
Select "RCMP TSSIT OPS-II" as the wipe method
Select the drive
Prepare to wait 12+ hours
hard mode, more secure deletion than BleachBit; easier to use if you want to remove specific partitions or files rather than doing a complete wipe with DBAN
You will need to boot from USB/CD if you wish to wipe your primary hard drive.
Properly wiping a drive takes time; if you're in a hurry you can at least use fast mode. Note that overwriting is only reliable on conventional magnetic disks: SSDs and flash media remap blocks through wear levelling, and journaling or copy-on-write filesystems keep extra copies, so the secure-delete tools cannot promise that every copy of a file is gone there. Encrypting the whole disk from the start and then destroying the key is the dependable approach for those.
sudo apt-get install secure-delete
If you're wiping a disk
Find the disk/partition name: it should be of the form /dev/sdXN (for example /dev/sda2)
At this point, if you haven't already, consider encrypting the partition; see VeraCrypt.
Wipe the space considered free on a mounted filesystem. sfill takes a directory on that filesystem, not the device name (-f is fast mode, "insecure mode")
sudo sfill /mount/point
If you need to clear swap space
(-f is fast mode, "insecure mode")
- cat /proc/swaps
- sudo swapoff /dev/sdXN
- sudo sswap /dev/sdXN
- sudo swapon /dev/sdXN
If you are strapped for time, use -l to reduce the wipe to two passes, or -l -l for a single pass ("insecure mode"). The -m (7 passes) and -s (1 pass) options belong to the separate srm tool that shipped with older macOS, not to the srm from the secure-delete package.
sudo srm file
sudo srm -r /directory
At the end you may also want to wipe the memory on the system with sdmem.
(-f is fast mode, "insecure mode")
Try to at least encrypt the disk first; if you have time to spare, follow the instructions for disk erasure with DBAN.
Open the drive. Find the platters, score them, smash them. Then locate any memory chips which may hold cached data (the cache on the controller board, or the flash on a hybrid or solid-state drive) and destroy them as well. This is an important step and is easily missed. Do not put the pieces in the normal garbage, as that is not secure; consider other means of disposal for good measure.
Fun fact: to "officially" destroy all remnants of magnetic data you'll need to heat the platters above their Curie temperature, roughly 1500 kelvin.
The cold boot attack: an older method of recovering encryption keys that are still held in RAM after power-off. Where possible use DDR3 or newer memory, which loses its contents faster, and always shut down completely when you leave the computer rather than suspending it.
Consider using BleachBit or, more thoroughly, sdmem to wipe RAM contents.
Keep in mind that your grammar, spelling and choice of words can be used as identifying factors. It is possible to single you out based on your particular way of writing and link you to other public content tied to your alternate identities. When communicating anonymously, do not mention nicknames, locations, favourite music, the weather or any other detail that could be used to reveal who you are. Something that seems mundane and friendly can quickly be used for identification.
JPG, JPEG, TIF and WAV files carry EXIF (Exchangeable image file format) metadata that can hold sensitive information, including the GPS location and the unique ID or serial number of the device used. It is recommended to convert to PNG and scrub any remaining metadata if you need to exchange an image; PNG has no EXIF block, but it can still carry text chunks with comments or software names, so scrub it as well. One option is the Metadata Anonymisation Toolkit that comes with Tails, also available at https://mat.boum.org/
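To show what the paragraph above is talking about at the byte level, here is an added example (not code from this guide or from the MAT project) that walks the segment structure of a JPEG, reports which identifying Exif tags are present in IFD0, and writes a copy with every APP1..APP15 and COM segment removed while keeping the codec tables and scan data intact. The tag table, the segment names and the "JPEG" it operates on are constructed inline for the demo; `find_sensitive` and `strip_metadata` are this example's own names.

```python
import struct

SOI, EOI, SOS, APP0, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xFE
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers with no length field

# A few IFD0/Exif tags that identify the device or the place (a sample, not the full tag list).
SENSITIVE_TAGS = {0x010F: "Make", 0x0110: "Model", 0x8825: "GPSInfo IFD",
                  0xA420: "ImageUniqueID", 0xA431: "BodySerialNumber"}


def iter_segments(data):
    """Yield (marker, start, end) for each top-level JPEG segment.

    Everything from the first SOS up to EOI (the entropy-coded image data) is
    yielded as one SOS chunk; FF D9 cannot occur inside it because the codec
    byte-stuffs every FF as FF 00, so a plain search for EOI is safe.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    yield SOI, 0, 2
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            if marker == EOI:
                return
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        if marker == SOS:
            eoi = data.find(b"\xff\xd9", pos + 2 + length)
            if eoi < 0:
                raise ValueError("truncated scan data (no EOI)")
            yield SOS, pos, eoi
            yield EOI, eoi, eoi + 2
            return
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("truncated JPEG (no EOI)")


def exif_ifd0_tags(app1_body):
    """Return the tag IDs in IFD0 of an APP1 Exif payload, or [] if it is not Exif."""
    if not app1_body.startswith(b"Exif\x00\x00"):
        return []
    tiff = app1_body[6:]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order mark
    if order is None:
        return []
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    entries = range(ifd0 + 2, ifd0 + 2 + 12 * count, 12)  # 12-byte IFD entries
    return [struct.unpack(order + "H", tiff[e:e + 2])[0] for e in entries]


def find_sensitive(data):
    """Names of identifying Exif tags present in the file's APP1 segment(s)."""
    found = []
    for marker, start, end in iter_segments(data):
        if marker == APP1:
            body = data[start + 4:end]  # skip FF E1 and the two length bytes
            found += [SENSITIVE_TAGS[t] for t in exif_ifd0_tags(body) if t in SENSITIVE_TAGS]
    return found


def strip_metadata(data):
    """Drop every APP1..APP15 and COM segment; keep APP0 (JFIF), the codec tables
    and the scan data so the image still decodes. Returns (clean_bytes, removed_markers)."""
    kept, removed = [], []
    for marker, start, end in iter_segments(data):
        if APP1 <= marker <= 0xEF or marker == COM:
            removed.append(marker)
        else:
            kept.append(data[start:end])
    return b"".join(kept), removed


# Constructed sample input (not a real photo): the smallest JPEG-shaped byte
# string that exercises the code above, with a hand-built Exif block.
def _segment(marker, body):
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body


def _fake_exif():
    """Little-endian TIFF whose IFD0 has three entries with inline (<= 4 byte) values."""
    entries = [
        (0x010F, 2, 4, b"ACME"),                # Make, ASCII
        (0x0110, 2, 4, b"X1\x00\x00"),          # Model, ASCII
        (0x8825, 4, 1, struct.pack("<I", 50)),  # GPSInfo IFD pointer (offset only; not followed here)
    ]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHI", tag, typ, count) + value
    ifd += struct.pack("<I", 0)  # offset of next IFD: none
    return b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd


SCAN = b"\x12\x34\xff\x00\x56"  # stand-in entropy-coded data; note the FF 00 stuffing
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, _fake_exif())
    + _segment(COM, b"taken at home")
    + _segment(0xDB, b"\x00" + bytes(64))         # DQT with a dummy 8-bit table
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")  # SOS header for one component
    + SCAN
    + b"\xff\xd9"
)

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    print("identifying tags:", find_sensitive(src))
    clean, removed = strip_metadata(src)
    print("removed segments:", ["COM" if m == COM else "APP%d" % (m - 0xE0) for m in removed])
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(clean)
```

Run it as `python3 strip_exif.py photo.jpg clean.jpg`. The stripper only handles the JPEG container; a proper tool such as MAT also covers PNG text chunks, TIFF, audio and office formats, and the thumbnail embedded inside the Exif block is dropped here only because the whole APP1 segment goes.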
No mail provider can be trusted completely, no matter what its security claims are. Use PGP as often as possible and connect over an anonymous connection.
Protonmail was invite only at the time of writing, with a wait of a month or more to get in. However, it is a highly respected secure email solution. You can use PGP and encrypted storage, and the company is in a favourable jurisdiction.
Tutanota offers encrypted mail storage and the use of a one-time password; however, PGP has to be done manually, as there are no SMTP or IMAP servers. They are in a favourable jurisdiction where data is difficult to obtain with legal orders.
Tor-based mail providers have had a storied history. If PGP is used for all communications, a compromised provider is left with only the metadata (who wrote to whom, and when), which PGP does not hide. If you receive something compromising in plain text, do not consider that information secure, and ask your correspondents to use PGP.
- United States based privacy-centric collective that offers mail and other privacy capabilities.
- free, secure email provider
- PGP webmail client
- offshore hosting, more protected from spying
- free, no personal information required
- encrypted data storage
- user details like IP address and user agent stripped from headers
- privacy-centric collective offering email, hosting, VPN and other anonymity services
- sudo apt-get install pidgin
- go to Tools→Preferences
- Logging: disable "log all instant messages" and "log all chats"
- Go to Proxy
- Select SOCKS 5 (Pidgin 2.10 and later also offer a "Tor/Privacy (SOCKS5)" type; prefer it, since it sends hostname lookups through Tor instead of leaking DNS queries)
- enter: 127.0.0.1 9050 (use 9150 if your Tor comes from Tor Browser rather than the system tor service)
- Go to this link
- Under Security
- Download/Install: Off-The-Record, Pidgin-GPG
- Install any dependencies, then activate the plugins in Tools→Plugins
- Once activated, select Configure Plugin for both
- you will need to generate a unique key
- Enable private messaging
- Disable logging
- Automatically initiate private messaging (optional)
- Select show OTR in toolbar
- If a conversation is not private you will see a box saying Not Private
- Click Start Private Conversation
- If your partner has OTR properly configured it will display Private.
- select main key in options
- toggle encryption mode in conversations:
- Options→Toggle OpenPGP encryption
forward secure, asynchronous messaging for the discerning. Pond messages are asynchronous, but are not a record; they expire automatically a week after they are received. Pond seeks to prevent leaking traffic information against everyone except a global passive attacker.
secure messaging between scramble users
Bitmessage: p2p encrypted messaging, with addressing and message broadcast modelled on Bitcoin
bitmessage.ch (Tor and I2P URLs available)
webmail gateway for Bitmessage, with instant delivery to other users with an @bitmessage.ch address
A PGP key is a unique identifier: do not reuse one across accounts, and especially not between an anonymous identity and any public address.
Simple PGP on Linux
Ubuntu: sudo apt-get install gpa gnupg2
Arch: sudo pacman -S gpa gnupg
- in a terminal enter: gpg --gen-key, or open gpa and it will prompt you to create one.
- follow the prompts
in most cases select option 1, RSA and RSA (default)
select a key size of at least 2048 bits (4096 is preferable)
key expiration: hit enter if not needed, though setting one limits the damage if you ever lose control of the key
do not enter real information for the contact details (unless intended)
use a strong passphrase for the key
it will then ask you to move the mouse, type, etc., to gather entropy
Simple PGP with GNU Privacy Assistant
If you open gpa it will guide you through creating your first key
don't put real information unless intended, obviously
Either click refresh or restart gpa and the keys will appear
Click the clipboard
Enter your message
Select the recipient's public key to encrypt to (and your own key as well if you want to sign the message)
You will now see an encrypted message.
To decrypt a message click the mail icon with the key, and it will allow you to choose the appropriate key.
More details on GPA
Exporting/Importing Public Key
- select your key-pair, and then select keys→export or import keys and proceed
Exporting/Importing Private Key
- select your key-pair, and then select→keys→export or import keys and proceed
- either choose where to save or paste the desired key
Verifying a message
- import the sender's public key
- Select Window→Clipboard
- Paste the entire signed text
- Click the icon with the green key (hover over it for the title if it is hard to see)
- If the signature is genuine it will display the name of the previously imported public key.
Verify a file
- import the signer's public key
- back in the terminal
- gpg --verify file.sig file
PGP with Email
Thunderbird is probably the most widely known; if you prefer another client, the Ubuntu guide below explains alternatives.
- sudo apt-get install thunderbird enigmail
- Open Thunderbird
- Open Preferences→Enigmail→Preferences
- Set the GPG path; on Ubuntu the default is /usr/bin/gpg
(Thunderbird 78 and later has OpenPGP built in and no longer uses the Enigmail add-on; the steps above apply to older versions.)
You can also cut and paste your messages from GPA into the message window.
Tails has an OpenPGP applet – visual guide
Recommended best practices for PGP from Riseup.net, or:
The Version header in PGP-armoured output can reveal the user's software and operating system; research unfamiliar version strings, as some PGP implementations are known to have weak encryption.
When a file is provided, ideally a checksum (SHA-256, or the older SHA-1 or MD5) or a PGP signature is published alongside it. A checksum looks like a long string of hex characters.
In a Linux terminal type: sha256sum filename (or sha1sum filename / md5sum filename, matching whatever the site published)
The output should be the same as the supplied string. Be clear about what this does and does not prove: a matching checksum shows the download was not corrupted, but if the checksum is published on the same server as the file, anyone who can replace the file can replace the checksum too. Only a PGP signature from a key you obtained independently protects against tampering. MD5 and SHA-1 are also no longer collision resistant, so prefer SHA-256 where a choice exists.
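As an added example (not code from this guide), here is the checksum step with the caveats above built in: it parses the `<hex>  <filename>` lines that sha256sum, sha1sum and md5sum emit, picks the algorithm from the digest length, compares in constant time, and reports MD5/SHA-1 matches separately so that a weak algorithm stays visible in the result. The sample files and sums are constructed inline; `verify_sums` is this example's own name.

```python
import hashlib
import hmac
import re

# Checksum lines as written by sha256sum/sha1sum/md5sum: "<hex>  <filename>"
# (two spaces, or " *" before the name for binary mode on some platforms).
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")

# digest length in hex characters -> (hashlib name, collision resistant?)
# MD5 and SHA-1 are collision-broken, so a match in those only rules out
# accidental corruption, not a deliberate swap by whoever controls the page.
ALGOS = {32: ("md5", False), 40: ("sha1", False),
         64: ("sha256", True), 128: ("sha512", True)}


def verify_sums(sums_text, files):
    """Check each line of a checksum file against contents given in `files`
    (name -> bytes). Returns name -> "ok", "ok-weak-algo", "MISMATCH",
    "missing" or "unknown-algo"."""
    results = {}
    for line in sums_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or comment
        expected, name = m.group(1).lower(), m.group(2)
        algo = ALGOS.get(len(expected))
        if algo is None:
            results[name] = "unknown-algo"
            continue
        algo_name, strong = algo
        if name not in files:
            results[name] = "missing"
            continue
        actual = hashlib.new(algo_name, files[name]).hexdigest()
        # constant-time comparison; also avoids the "starts with the right prefix" trap
        if not hmac.compare_digest(actual, expected):
            results[name] = "MISMATCH"
        else:
            results[name] = "ok" if strong else "ok-weak-algo"
    return results


# Constructed sample: two "downloads" and a sums file the way a site might publish it.
SAMPLE_FILES = {"tool.tar.gz": b"hello world\n", "notes.txt": b"constructed sample\n"}
SAMPLE_SUMS = "\n".join([
    hashlib.sha256(SAMPLE_FILES["tool.tar.gz"]).hexdigest() + "  tool.tar.gz",
    hashlib.md5(SAMPLE_FILES["notes.txt"]).hexdigest() + "  notes.txt",
    "0" * 64 + "  tampered.bin",   # listed but never downloaded
    "deadbeef  odd.bin",           # not a digest length we recognise
])

if __name__ == "__main__":
    for name, status in verify_sums(SAMPLE_SUMS, SAMPLE_FILES).items():
        print("%-14s %s" % (name, status))
```

On a real download replace the dictionary with the bytes read from disk (`open(path, "rb").read()`) and the sums text with the published file; a result of "ok-weak-algo" means the site only gave you an MD5 or SHA-1 sum, and a PGP signature is the only thing that would upgrade that to evidence of authenticity.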
Here’s an easy to follow noobs guide to Tails. Tails is by no means just a noobs OS, it does a lot of the hard work for you and makes connecting to and browsing the .onion network easy as hell. Edward Snowden used it to help stay anonymous during the initial NSA spying leaks. We’ll go over verifying the ISO, installing to USB, setting up persistence, and setting up the environment. For this guide we’ll be using Linux Mint as our operating system. Most steps will be the same across operating systems.
#What we’ll need
- Flash drive, minimum of 4GB
- Host OS (your computer)
- Guest OS (Tails .iso file)
- Virtualbox and Virtualbox Extensions
- PGP knowledge
Part 1 – Installing Virtualbox and Extensions
Unlike the other methods this one only requires one flash drive. We’ll be booting the live Tails system on Virtualbox, and installing it to the USB stick from there. The interface in the pictures may look a little different from what you see, but all of the options are in the same places.
Virtualbox allows you to run other operating systems on top of your current one, kind of like an emulator. This is what we’ll be using to boot Tails so we wont have to reboot during the install. Head over to the download page and select the download appropriate for your current OS.
After downloading, install it like you would any other program. Open it up and you should see the following screen.
The Extension Pack is what allows the USB stick to be passed through to our guest OS, which lets us install the live system without needing to reboot. Go to the download page, and download the extension pack for the most recent version. When it's finished downloading, double click it to open it with VirtualBox.
The above should appear. Click install, follow through with the install process. If successful you should see the following window appear.
We’re done with Virtualbox for now. We’ll come back to it later when setting up the virtual machine.
Part 2 – Downloading and verifying Tails
We need to download the Tails .iso file, and verify that it's authentic. Tails, or The Amnesic Incognito Live System, is a GNU/Linux distro with a focus on anonymity and privacy. It does this by routing all traffic through the Tor network, running entirely from RAM so nothing is kept on shutdown unless explicitly asked for (persistent storage), and coming with all the other tools you need. Persistent storage will be needed for saving our wallet and keypairs.
Visit the official Tails website and click the download button on the right side. Scroll down a bit on the download page to ‘Download the ISO image’. Click on the ‘ISO image’ button and the ‘signature’ button to download the .iso and the signature. Save these two files in the same location.
Next you’re going to want to download the ‘signing key’ from this link. Import the key into your PGP program of choice. We’ll be verifying the .iso by checking the PGP signature. If you don’t know how to use PGP, check out the guides we have for GNU/Linux, OS X, and Windows.
Verifying the ISO is an important step. We want to make sure what we’re getting is actually from the Tails project. Like the intro said, we’ll be using the command line in Linux Mint . If you’re using Windows or OS X check out this link for instructions.
First we need to import the Tails signing key. Change into the directory where you saved it, then import the key into GPG. Once it’s imported, the output from gpg should reflect that. Take a look at the below picture to make sure you did this step right. If you get an error saying “gpg: no ultimately trusted keys found” this means that you haven’t created your own keypair yet. This is fine just for verifying the .iso file, you can ignore it.
Now we’re going to verify the .iso with the signature we downloaded earlier. Change into the directory where you saved the .iso and signature, and use gpg to verify it with their key. This could take several minutes so be patient. If the .iso image is genuine, you’ll see the output saying that the signature is good. If you see “gpg: This key is not certified with a trusted signature!”, the .iso is still genuine according to the imported key, you just haven’t signed the Tails key with your own. See this link for more details on how to trust the Tails signature key. If you did things correctly, your CLI of choice should look similar to the picture below.
If the .iso isn't valid you'll get an error saying "gpg: BAD signature from "Tails developers (signing key) <tails@boum.org>"". This will most likely be due to a corrupted download, so try downloading the .iso again if this happens. If it happens twice in a row, treat it as a possible tampered download rather than bad luck.
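The verification steps above, written out as an added example (not code from the Tails project or from this guide's author): it runs gpg with `--status-fd` so the result can be checked by machine rather than by reading the human-readable output, and it pins the primary key fingerprint published on the Tails website rather than trusting the "Good signature" line alone, because any key named "Tails developers" that you happened to import would also produce a good signature. The status transcript, fingerprints and dates below are constructed for the demo; `parse_gpg_status` and `verify_detached` are this example's own names.

```python
import subprocess
from dataclasses import dataclass


@dataclass
class SigResult:
    ok: bool               # True only for a good signature from the pinned key
    reason: str            # short explanation for the log
    signer_fpr: str = ""   # fingerprint of the (sub)key that made the signature
    primary_fpr: str = ""  # fingerprint of the primary key it belongs to


def parse_gpg_status(status_text, pinned_primary_fpr):
    """Interpret `gpg --status-fd` output.

    VALIDSIG is the line that carries the fingerprints, and the fingerprint is what
    we pin; GOODSIG only names the key by short ID and user ID. TRUST_UNDEFINED just
    means we never certified the key in our own keyring, which is expected here.
    """
    want = pinned_primary_fpr.replace(" ", "").upper()
    signer = primary = ""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        kw = parts[1]
        if kw == "BADSIG":
            return SigResult(False, "BAD signature: file or .sig altered or corrupted")
        if kw == "NO_PUBKEY":
            return SigResult(False, "signing key not in keyring; import it first")
        if kw in ("EXPKEYSIG", "REVKEYSIG"):
            return SigResult(False, kw + ": signing key expired or revoked")
        if kw == "VALIDSIG":
            signer = parts[2].upper()
            # the 10th argument (primary key fingerprint) is present in current gpg;
            # Tails signs with a subkey, so it differs from the signing fingerprint
            primary = (parts[11] if len(parts) >= 12 else parts[2]).upper()
    if not signer:
        return SigResult(False, "no valid signature found")
    if primary != want:
        return SigResult(False, "good signature, but from an unexpected key " + primary,
                         signer, primary)
    return SigResult(True, "good signature from the pinned key", signer, primary)


def verify_detached(sig_path, data_path, pinned_primary_fpr):
    """Run gpg on a detached signature and feed its status lines to parse_gpg_status."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return parse_gpg_status(proc.stdout, pinned_primary_fpr)


# Constructed transcript of what gpg emits for a good signature made by a subkey.
# Key IDs, fingerprints and dates are made up for the demo, not real Tails values.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-01-01 1420070400 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:   # usage: verify.py tails.iso.sig tails.iso "<fingerprint from the Tails website>"
        result = verify_detached(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        result = parse_gpg_status(SAMPLE_STATUS_GOOD, "AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA")
    print("OK" if result.ok else "FAIL", "-", result.reason)
    sys.exit(0 if result.ok else 1)
```

Note that a wrong or placeholder fingerprint makes the check fail closed, which is the behaviour you want: "good signature from some key" is not the same as "good signature from the Tails key".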
Part 3 – Booting the .iso
Now that we’ve confirmed the .iso is genuine we can install it on the USB stick.
#Creating the virtual machine
Open up VirtualBox and plug in your USB stick. The first thing you’re going to do is click where it says ‘New’ in the top left corner, which should open a window titled ‘Create Virtual Machine’. Create a name, select ‘Linux’ as type, and version as ‘Linux 2.6 / 3.x (32 bit). See picture for an example.
VirtualBox will now ask how much memory you want to give to Tails. It will default to 256MB, but change it to 1024MB to make sure we don’t run into any issues. If you have less than 2GB of RAM in your computer you can set it to 512MB and everything should be fine. Click ‘Next’.
The next screen will ask if you want to create a virtual hard drive. Since we'll be booting the .iso directly, there's no need to create a hard drive. So click 'Do not add virtual hard drive', then click 'Create'.
It will give you a warning about not having a hard drive, that’s fine. Just click ‘Continue’. You should now see our newly created virtual machine listed.
#Preparing the virtual machine
In order for Tails to boot properly and recognize the USB stick we need to edit some settings. Click on the virtual machine, then click ‘Settings’ up at the top. The following window should appear.
First we need to make sure it’ll boot the Tails .iso file. On the left click ‘Storage’. You’ll now see the Storage tree, with ‘Controller: IDE’ being empty and ‘Controller: SATA’ having nothing listed. Click where it says ‘Empty’, and there will be some new options on the right side. Under ‘Attributes’ you’ll want to check the box that says ‘Live CD/DVD’, then click the CD/DVD symbol to the right of ‘CD/DVD Drive’ and browse to where you saved the .iso file. If done correctly your window should now look like below.
Next select the 'USB' option in the left sidebar. You'll want to check the boxes that say 'Enable USB Controller' and 'Enable USB 2.0 (EHCI) Controller'. On the right, click the USB icon that has the green "+" symbol on it, and select the USB device you want to install Tails on. Your window should look like below.
Now our VM is prepped to install Tails. Click ‘Ok’ at the bottom right, click your Tails virtual machine, then click Start. The virtual machine will boot the Tails live image, and give you two selections. With your arrow keys highlight ‘Live’ then hit ‘enter’ on your keyboard. It will take a minute or so to load. You’ll then see the below picture, leave ‘No’ selected then ‘Login’.
Ignore the message about it being on a virtual machine, we’re not using it for anything other than installing the .iso to USB. Welcome to Tails!
Part 4 – Tails on USB
I hope you aren’t bored yet, we’re almost done. Click on ‘Applications’, then ‘Tails’, then ‘Tails Installer’. You’ll see the following window. Click on ‘Clone & Install’, and you should see something like the second picture.
Your USB drive should already be selected for the ‘Target Device’, if not do so. Then click ‘Install Tails’. It will confirm that you want to install Tails on the USB drive. Do so, then click ‘Yes’. This will take several minutes, and you’ll be able to see what part the installer is at during the process. Once finished, a pop up will appear reflecting such. Click ‘OK’ to close the installer.
Tails is now installed on the USB drive. The last thing we need to do is configure it.
In order to do this you'll need to boot your computer from USB. Close the virtual machine, and reboot your computer. You'll need to change the boot order of the connected devices; the key that needs to be pressed on boot differs across manufacturers. It's usually listed on the BIOS splash screen on reboot. If not, consult your computer's manual or do a search for which key needs to be pressed on boot. You may also need to disable Secure Boot in the firmware settings, which is usually enabled on machines that shipped with Windows 8, 8.1 or 10. Check out this link for more info on that.
Follow the same steps as above. Select ‘Live System’, then keep ‘No’ highlighted and click ‘Login’. You’ll now be at the Tails desktop.
The first thing we’ll do is set up persistent storage. This will take up the rest of the free space on your USB drive. Go to ‘Applications’, ‘Tails’, then click ‘Configure persistent volume’. The following window should appear. You’ll want to create a strong password, confirm it, then click ‘Create’. This will take several minutes.
Once that’s finished, it will ask what kind of files you want to store on the persistent volume. What you select is up to you, but for the purposes of this guide we’ll be selecting ‘Personal Data’, ‘GnuPG’, ‘GNOME Keyring’, ‘Network Connections’, ‘Browser Bookmarks’, and ‘Electrum Wallet’. Once that’s done click save. It will now ask you to reboot your computer for the settings to take effect.
After you have rebooted, you’ll see a new option on the start up screen. It will ask if you want to use the persistent storage. Click ‘Yes’, then enter the password you’ve used. Make sure ‘Read-only’ is unchecked.
At the top right you should see an icon that looks like two computer monitors. This is how you’ll connect to your network. Click it, select the network, enter your password if any, and it will begin connecting to the Tor network. Once it’s connected you’ll see the Onion icon in the system tray.
To access the internet through the Tor network, just click on the green globe icon on the left of the system tray. You will also want to disable scripts globally, which you can do by clicking on the NoScript icon to the left of the URL bar. There is also a so-called 'Unsafe Web Browser' which connects directly, not through Tor; use it only when you must, for instance to log in to a captive portal or reach a website that refuses Tor connections, and do nothing identifying in it. You can find it by going to 'Applications' then 'Internet'.
Tails uses Electrum as the default wallet, this can be found under ‘Internet’ in the ‘Applications’ menu. When creating the wallet make sure to back up your seed in a safe place, this is the only way you can recover a lost wallet. Writing it down on a piece of paper is a good idea.
Tails uses GnuPG for PGP, and Seahorse as a graphical front-end. This can be found by going to ‘Applications’, ‘System Tools’, ‘Preferences’, then ‘Passwords and Keys’. It will also work just fine from the command line.
Part 5 – Conclusion
Congratulations! If you’ve followed this guide you now have an anonymous and secure operating system for browsing the dark web. There are a few more things to Tails such as Pidgin+OTR messaging, Claws Mail, and a metadata anonymization toolkit, but those are beyond the basics. If you want to learn more check out the documentation at https://tails.boum.org/doc/index.en.html.
Hey guys. Dave here again, back to teach you how to chat safely and securely via the XMPP/Jabber messaging protocol. This tutorial will be done on Windows 7, but the same idea should transfer across Linux distros and Mac OS X.
The first thing you are going to want to do is download the XMPP client called Pidgin. This can be downloaded here. Once it is downloaded, go ahead with the install to completion.
Once it is installed, start up Pidgin. You will be presented with two different Windows. Ignore them for now. We have to first go grab the software that will allow us to chat securely. It is called OTR, which stands for Off-the-Record messaging, and can be downloaded here.
Download and install it. Make sure that the Pidgin application is closed out from your screen and taskbar before installing OTR.
Great. OTR and Pidgin are now installed! No more downloads from here out in the tutorial, just a few simple configurations to Pidgin. The first thing we need to do is make the OTR plugin active in Pidgin. Do this by opening Pidgin, going to the “Tools” drop down, selecting “Plugins”, and clicking on the checkbox next to “Off-the-Record Messaging”.
Once we are done with that, we can enter our XMPP account details and start chatting, or make a new account if you do not have one. If you need a list of free XMPP service providers, you can get one at this link.
The first step to register from the client will be to enter the username, password, and domain. The username and password will be your choosing, but the domain will be “wtfismyip.com” without the quotation marks. The “Resource” box should be left blank. Next, check the “Create this new account on the server” box at the bottom of the screen. It should look something like this.
The next step, to be one notch more secure, is to set Tor as a SOCKS5 proxy, so that not only are the messages encrypted with OTR, but the connection to the server goes through Tor and the server sees a Tor exit address instead of yours. To do that, click on the "Proxy" tab, set the type to SOCKS5, and set "Host" to 127.0.0.1 and "Port" to 9050 (9150 if your Tor comes from Tor Browser rather than a standalone Tor service). Make sure that Tor is running as well, or you will get connection errors!
Once this is done, click on the “Add” button, go back to the “Buddy List”, click on the “Accounts” drop down, click on “Manage Accounts”, and finally click the checkbox next to your account. This will send the request to the server, and ask you to confirm your new account.
If you get an error that pops up, don’t be worried. Sometimes, there is an error with the server, and you will have to register online. This has happened to me several times, and is normal. Just register on the website of the XMPP host you are using.
Once you have done all of this, you need to add your buddy and get in a chat with him or her. I will be using a fake account for this example, but the same actions transfer over to when you chat with a real account. All you need to do is click on the "OTR" button in the chat window, and click "Start a Private Conversation". Wait a few seconds, and just like that, you are chatting securely via XMPP. The first time, compare the key fingerprints out of band (by phone, or in person) so you know the OTR session is with your buddy and not with someone in the middle.
I hope this tutorial has been helpful, and as always, if you have any questions or problems, feel free to post a comment, and I will do my best to help. Thank you so much.