Previous post
You’ve been reading about privacy. You care about all your information getting leaked all over creation, but you have no idea what to do about it. You even downloaded the Tor Browser. Now what? How do you know that using it will even keep you safe? If you’re feeling overwhelmed, that’s normal. It’s even okay. What’s not okay, however, is doing NOTHING because you’re not sure where to start. That’s why we’re here. Let’s get you set up, shall we?
We’re going to assume that you’re not some creepy child pornographer desperately in need of a bullet to the head, you’re not trying to fleece people or steal their credit cards, and you’re not engaging in what you and I would consider criminal activity. I categorize it that way because let’s face it. What you and I consider standing up for rights and liberty is pretty much considered criminal activity now. So, let’s assume that you’re a patriot who values their unalienable rights to things like privacy, security, and self-defense, and therefore just want to be able to conduct your business on the internet without the NSA all up in your business, whatever that business is.
There are some great resources for Tor. Oddly enough, if you’re a reddit user, you’ll find that just reading the subreddit /r/onions or /r/Tor will teach you a lot, and yield some good starting links if you’re looking to explore onionland (the hidden sites accessible only by Tor). If you want to see what the NSA thinks of Tor, you can always check out their internal presentation called “Tor Stinks.” In the meantime, here are some big points to consider for those of you wanting hardcore privacy (and by hardcore, I mean that you consider yourself targeted by a persistent threat, or wish to not become targeted). My commentary on the stackexchange article is in bold below:
Your Computer
To date the NSA’s and FBI’s primary attacks on Tor users have been MITM (man in the middle) attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user’s computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
- Don’t use Windows. Just don’t. This also means don’t use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI’s recent takedown of Freedom Hosting. [editor: Linux is free, and there are alternatives for pretty much any Windows program you can think of. Ubuntu in particular is incredibly easy to use, and far more secure. Windows 7 and 8 might as well be called “NSA OS.”]
- If you can’t construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser, with all outgoing clearnet access firewalled, consider using Tails or Whonix instead, where most of this work is done for you. It’s absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location. [editor: This sounds like a lot of techie nonsense but it’s really not. Tails is a portable operating system that you run off a USB stick. Basically, what he’s saying here is that if you aren’t a techie, there are still options for you.]
- If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it’s not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn’t be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats. [editor: TrueCrypt, as we’ve mentioned before, is a free program that allows you to encrypt files, folders, or even your whole drive. Its encryption is good enough that the FBI couldn’t crack it after a year.]
- Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available. [editor: Pretty self-explanatory, and by the way, another good reason not to use Windows. Quite frankly, every ‘security’ update in Microsoft could end up being just another or better backdoor for the NSA.]
- Be very reluctant to compromise on JavaScript, Flash and Java. Disable them all by default. If a site requires any of these, visit somewhere else. Enable scripting only as a last resort, only temporarily, and only to the minimum extent necessary to gain functionality of a web site that you have no alternative for. [editor: The Tor Browser Bundle, or TBB, has the plugin NoScript by default. Highly recommend setting it to ‘Forbid all scripts globally.’ It will change how you browse the web, but how important is your privacy to you?]
- Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero. [editor: Again, cookies are bad. Does it really kill you to re-enter your password? Better yet, use LastPass with MaskMe.]
- Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed. [editor: even better if you don’t use it for anything BUT your private stuff. Designate the laptop that you’ll be using for private matters, and do not ever, ever, ever, EVER sign into your Gmail/Facebook/Twitter/etc. on it. Ever. For any reason. When you open that laptop, you are not you.]
- Don’t use Google to search the Internet. A good alternative is Startpage; this is the default search engine for TBB, Tails and Whonix. Plus it won’t call you malicious or ask you to fill out CAPTCHAs.
Perhaps one of the most important thing to remember when using Tor (or any kind of privacy actions) is mental discipline. The article I linked to above speaks to this extensively. As I mentioned earlier, don’t sign into your Facebook from Tor. In fact, don’t do anything on your private laptop that is “yours” if you’re doing something that you don’t think the Feds should have access to.
Before you get into the argument that “if you’re not doing anything illegal, why go to all this trouble?” The answer is simple: because you have the right to. Because it is no one’s business what you buy, what you read, where you go on the internet. Are you willing to post in the comments every website you’ve visited in the last week and what you did there? Every piece of information you’ve put into any form on the internet, including credit card numbers or bank info? Every photo that you uploaded to your computer from your camera? Every private email you’ve sent to your wife…or girlfriend? The bottom line is that it’s your info. To be guarded and protected.
No one’s saying you can’t use Facebook. In fact, I’ll be posting another article soon on how to use Facebook ‘safely’, if you must. But if you want to buy large tanks on Craigslist to store extra water in, or go on seattleguns.net and purchase a legal firearm in a private sale, or look at GunBot to see where the cheapest ammo is right this second, or buy biochem gear, or hang out at survivalblog.com, or talk to other folks that are just as worried as you, then you’re going to want to keep those activities separate from your cat pics on Facebook.
Remember: Information is power. The more info they have, the more power they have.
For more information, go read the whole article at stackexchange.
You say Linux, and not PC, but you don’t mention Macs, what’s your opinion about them, please?
Every private email you’ve sent to your wife…or girlfriend?
You linear, binary thinkers, you! Why does it have to be an ‘or’? Or should I not have posted that without using Tor? O.o
As an aside, the reason the guy got caught is because he signed onto the university network, then visited the Tor server – after he had already connected through what was essentially a surveillance device. In other words, he was a knucklehead. (Of course, he was trying to get out of a final exam with this, so you probably already figured that part out. Heh.)
This is a great article. Usually these kinds of articles are just cut and paste from other sources but the part about not using the Windows bundle is REALLY important. If you want to get on Tor you can always do it the easy way by using a router that has Tor embedded in it. I recommend PAPARouter (http://paparouter.com) because it’s inexpensive (less than $100.00), allows you to anonymize several devices at once and best of all it has non U.S. exit nodes hard coded into it . Given all the uproar that other countries are having with U.S. spying, making your last Tor relay outside of the U.S. to your target site is great security and using https would be massive protection.
Michael Reed, one of the original developers of the onion routing program wrote:
The original *QUESTION* posed that led to the invention of Onion Routing was, “Can we build a system that allows for bi-directional communications over the Internet where the source and destination cannot be determined by a mid-point?” The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries. Not assisting criminals in covering their electronic tracks. Not helping bit-torrent users avoid MPAA/RIAA prosecution. Not giving a 10 year old a way to bypass an anti-porn filter. Of course, we knew those would be other unavoidable uses for the technology, but that was immaterial to the problem at hand we were trying to solve (and if those uses were going to give us more cover traffic to better hide what we wanted to use the network for, all the better…I once told a flag officer that much to his chagrin).
—
Julian Assange recently told students at Cambridge the Internet is “not a technology that favors freedom of speech” or “human rights.” He added, “Rather it is a technology that can be used to set up a totalitarian spying regime, the likes of which we have never seen.”
If the government wants us to use Tor, does that make it bad thing? No. Tor can be used by good guys as well as by bad guys. Tor’s not perfect, but I still think the more people who use Tor as an anonymity tool, the better for everyone. If you want anonymity and privacy, the best thing to do is to encrypt.
http://www.networkworld.com/community/blog/no-conspiracy-theory-needed-tor-created-us-go
7 Comments