Using Tor Anonymously
Using Tor Anonymously
You’ve been reading about privacy. You care about all your information getting leaked all over creation, but you have no idea what to do about it. You even downloaded the Tor Browser. Now what? How do you know that using it will even keep you safe? If you’re feeling overwhelmed, that’s normal. It’s even okay. What’s not okay, however, is doing NOTHING because you’re not sure where to start. That’s why we’re here. Let’s get you set up, shall we?
We’re going to assume that you’re not some creepy child pornographer desperately in need of a bullet to the head, you’re not trying to fleece people or steal their credit cards, and you’re not engaging in what you and I would consider criminal activity. I categorize it that way because let’s face it. What you and I consider standing up for rights and liberty is pretty much considered criminal activity now. So, let’s assume that you’re a patriot who values their unalienable rights to things like privacy, security, and self-defense, and therefore just want to be able to conduct your business on the internet without the NSA all up in your business, whatever that business is.
There are some great resources for Tor. Oddly enough, if you’re a reddit user, you’ll find that just reading the subreddit /r/onions or /r/Tor will teach you a lot, and yield some good starting links if you’re looking to explore onionland (the hidden sites accessible only by Tor). If you want to see what the NSA thinks of Tor, you can always check out their internal presentation called “Tor Stinks.” In the meantime, here are some big points to consider for those of you wanting hardcore privacy (and by hardcore, I mean that you consider yourself targeted by a persistent threat, or wish to not become targeted). My commentary on the stackexchange article is in bold below:
To date the NSA’s and FBI’s primary attacks on Tor users have been MITM (man in the middle) attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user’s computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
- Don’t use Windows. Just don’t. This also means don’t use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI’s recent takedown of Freedom Hosting. [editor: Linux is free, and there are alternatives for pretty much any Windows program you can think of. Ubuntu in particular is incredibly easy to use, and far more secure. Windows 7 and 8 might as well be called “NSA OS.”]
- If you can’t construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser, with all outgoing clearnet access firewalled, consider using Tails or Whonix instead, where most of this work is done for you. It’s absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location. [editor: This sounds like a lot of techie nonsense but it’s really not. Tails is a portable operating system that you run off a USB stick. Basically, what he’s saying here is that if you aren’t a techie, there are still options for you.]
- If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it’s not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn’t be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats. [editor: TrueCrypt, as we’ve mentioned before, is a free program that allows you to encrypt files, folders, or even your whole drive. Its encryption is good enough that the FBI couldn’t crack it after a year.]
- Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available. [editor: Pretty self-explanatory, and by the way, another good reason not to use Windows. Quite frankly, every ‘security’ update in Microsoft could end up being just another or better backdoor for the NSA.]
- Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero. [editor: Again, cookies are bad. Does it really kill you to re-enter your password? Better yet, use LastPass with MaskMe.]
- Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed. [editor: even better if you don’t use it for anything BUT your private stuff. Designate the laptop that you’ll be using for private matters, and do not ever, ever, ever, EVER sign into your Gmail/Facebook/Twitter/etc. on it. Ever. For any reason. When you open that laptop, you are not you.]
- Don’t use Google to search the Internet. A good alternative is Startpage; this is the default search engine for TBB, Tails and Whonix. Plus it won’t call you malicious or ask you to fill out CAPTCHAs.
Perhaps one of the most important thing to remember when using Tor (or any kind of privacy actions) is mental discipline. The article I linked to above speaks to this extensively. As I mentioned earlier, don’t sign into your Facebook from Tor. In fact, don’t do anything on your private laptop that is “yours” if you’re doing something that you don’t think the Feds should have access to.
Before you get into the argument that “if you’re not doing anything illegal, why go to all this trouble?” The answer is simple: because you have the right to. Because it is no one’s business what you buy, what you read, where you go on the internet. Are you willing to post in the comments every website you’ve visited in the last week and what you did there? Every piece of information you’ve put into any form on the internet, including credit card numbers or bank info? Every photo that you uploaded to your computer from your camera? Every private email you’ve sent to your wife…or girlfriend? The bottom line is that it’s your info. To be guarded and protected.
No one’s saying you can’t use Facebook. In fact, I’ll be posting another article soon on how to use Facebook ‘safely’, if you must. But if you want to buy large tanks on Craigslist to store extra water in, or go on seattleguns.net and purchase a legal firearm in a private sale, or look at GunBot to see where the cheapest ammo is right this second, or buy biochem gear, or hang out at survivalblog.com, or talk to other folks that are just as worried as you, then you’re going to want to keep those activities separate from your cat pics on Facebook.
Remember: Information is power. The more info they have, the more power they have.
For more information, go read the whole article at stackexchange.