Tor was originally sponsored by the US Naval Research Laboratory but it's a non-profit now (though it does receive research grants from some governments). It doesn't really matter who funds it, it's open source so anyone who can code can see how it works:
https://gitweb.torproject.org/tor.git
> is it truly anonymous and safe as it claims to be?
If you know how to use it, yes, but remember that anonymity is a spectrum, not an absolute. There are many things that you can screw up while using Tor that can deanonymize you or make it easier to find correlations of your activities (especially if you're watched by someone with a lot of resources, and over the long term). If you'd like to increase your awareness and knowledge on how to be anonymous, it can take some time, but I can recommend starting by acquainting yourself with Whonix:
https://www.whonix.org/wiki/Main_Page
It's a software package consisting of two VMs that can protect you against leaks (so that all of your connections always go through Tor, which isn't as simple to do as it may sound), especially if you're a Windows/Mac or other closed-source OS user, and using closed-source software that connects to the Internet.
If you read all of their pages here:
https://www.whonix.org/wiki/Documentation
and take their advice to heart, you will already be ahead of 95% of other Tor users.
edit: typo
also, Tails was mentioned, if you don't want or need persistence it's OK, otherwise I think whonix is better (a thorough comparison is in one of the links above).
I think we're all going to end up getting Tor-based routers and running Whonix / Subgraph OS on our PCs in the end. This is starting to get way out of hand.
Isn't calling these two things 0-days a bit of a misnomer?
I mean you can get the OS with javascript just by inspecting navigator.userAgent. I don't think I can remember Tor Browser being in a state where you could safely run javascript and hide this kind of information, so how would this qualify as a 0day?
Also I believe, the issue of identifying a tor connection has always been a problem, even with pluggable transports*, so how exactly is this a 0day either?
*Whonix has a quite interesting list of such attacks https://www.whonix.org/wiki/Warning
Replace TOR with Whonix and it would be perfect.
With Whonix, if somebody hacks your OS while you're browsing TOR, you're still secure behind the relay, because it runs the entire OS behind TOR.
Qubes is Security, it is not "normal", and not that beginner friendly. (Whonix is built in)
Whonix is Privacy for VM, not too hard to use, install is also easy enough, it's nice since you can just start it.
Tails is Privacy for (live) usb, and travel/computers that are not yours, also not too hard to use, you do have to restart to use it, but might be worth the privacy/anonymity/security.
(The names are links to the websites)
And if you want privacy/security, don't use windows (even in everyday use), especially not as the host (when you run VirtualBox on windows).
If you want more information about each, do tell me. Or visit their websites.
Whonix 13.0.0.1.4 stable upgrade released, major changes include from Whonix 13 -> 13.0.0.1.4:
2) cosmetic apt-get server file size warning fix -
Did anyone here laughing at the "block Tor" part in the title actually read the fucking article?
>After the recent Paris terror attacks, the French government is proposing to forbid and block the use of the Tor anonymity network, according to an internal document from the Ministry of Interior seen by French newspaper Le Monde.
[...]
>As for how the French government might enforce a legal ban on the use of Tor, it may be possible for an internet service provider to tell when one of its customers is using the anonymity network (although the ISP cannot see what sites the user is visiting.)
This proposed law would make it illegal to use Tor, and your ISP can tell when you're using it if you aren't behind a VPN. The majority of people here already do the bare fucking minimum like use TBB on Windows, and even order on Android and iOS. You think anyone is actually going to get a VPN?
But yeah. If this law passed and LE wants a warrant to search your place, they can use the fact that you use Tor to get that warrant.
You posted on a subreddit dedicated to privacy and anonymity... and anonymity and smartphones simply do not mix. You should treat your device as an inherently insecure and hostile device.
You should read up on the concept of modes of anonymity. In a nutshell, don't mix them. Don't put data that conforms to one mode alongside data that conforms to another. Doing so effectively links them in the event of an unintended party gaining access to your data (which is extremely easy for a smartphone).
So, treat your phone as a phone and as a work and play device. Not a device to be private or anonymous. Of course, as a matter of basic privacy and security, use the device encryption and a PIN or password. Honestly, both Android and iOS have good implementations of this. Not sure about Windows Phone. That's about all you should worry about for a phone, especially if it's your main phone, linked with a Google or iCloud account, with mobile data and service attached to your real identity.
Yes. This is possible. You can run a Whonix Gateway to serve as a router behind which you connect all clients. (https://www.whonix.org/wiki/VirtualBox)
Depending on your needs and level of access control you can put an additional firewall like PFSense/OPNSense between the gateway and your clients.
Also: TPM has nothing to do with your ability to generate certificates, this can be easily done using OpenSSL
Just try uninstalling your existing whonix templates (whonix-*) and then reinstall them from the repo packages. You can also refer to this link on the official Whonix site - https://www.whonix.org/wiki/Whonix_Debian_Packages#Meta_Package_Missing_Warning
When I tell you that figuring out what you actually need to secure is more important and difficult than actually securing it, don't just believe me, ask ANYONE that has any idea what they are doing and they'd probably agree. I'm plugging my guide, but there's a lot of really good information on privacy and privacy tools out there to read. If you've already read it all, read it again. I'll give you a quick answer, but I promise it won't solve your problem because the mindset and understanding of your specific privacy needs to be established before you find yourself deadbolting doors and setting up flamethrower turrets in your house to protect nana's cookie recipe. Tails, Whonix or Qubes for serious anonymity/pseudonymity as O.S. and Tor, VPNs and Virtual Boxes for everyday bullshit.
Not according to public information as far as I am aware at time of writing.
(And no, before you ask, I don't have any other information either.)
Depends how you're using Tor.
If you're using Whonix to use Tor you can rest assured that every program on the Whonix workstation -- even skype -- is routing its traffic through Tor. Of course Skype can still compromise you in other ways, like taking pictures with your webcam, or listening to your conversations.
If you're instead using something like Tails or Tor Browser --- where the machine you're on can make direct connections to the internet --- then be aware that Skype and most other programs will be connecting directly to the internet and not routing traffic through tor.
yes, there's nothing illegal about using onions that don't display CP or stolen/copyrighted shit. ordering drugs, fraud, etc is a different story. just make sure you're using different stylometry and username and such from anyone you use for anything questionable.
> The Free Software Foundation (FSF) is scathing in its analysis of Windows, due to the threats posed to user freedoms, privacy and security. Regardless of the version being used the FSF classifies Windows as "malware", meaning the software is designed to function in ways that mistreat or harm the user.
...
> Inescapable Telemetry
> The fact that there is no way to completely remove or disable telemetry requires further consideration. For instance, non-enterprise editions do not allow a user to completely opt-out of the surveillance "features" of Windows 10. Even if some settings are tweaked to limit this behavior, it is impossible to trust those changes will be respected. Even the Enterprise edition was discovered to completely ignore user privacy settings and anything that disables contact with Microsoft servers.
> Any corporation which forces code changes on a user's machine, despite Windows updates being turned off many times before, is undeserving of trust. Windows 10 updates have been discovered to frequently reset or ignore telemetry privacy settings. Microsoft backported this behavior to Windows 7 and 8 for those that held back, so odds are Windows users are already running it.
> https://www.whonix.org/wiki/Host_Operating_System_Selection
Tor and yes as long as you use it correctly. There are bugs in everything, they will be found, exploited and fixed. The human is easier to exploit most times.
The whonix guides are a good read https://www.whonix.org/wiki/Documentation
Incidentally even if you did not have noscript on, /r/whonix would have prevented the exploit being used from working (assuming it had targeted Linux and not just Windows)
Or to be a little more paranoid, I like whonix.
That way anything (chrome, firefox, whatever) run on that entire Whonix Workstation OS would have a hard time leaking information even if it tried, because that whole OS can only talk to the Whonix Gateway and can't even find out things like what "your" IP is.
No need for any excuses, yours are very good reasons, and in fact the steps you're taking so far are all good ones.
Redphone seems to work well over 3G data (I've got a 1 GByte/month data plan) inasmuch it can be considered to work well, the call quality varies a lot.
I wouldn't use a commercial VPN provider but rent a server in a third party and VPN from there. You can also install Owncloud & other things (postfix, though you don't use email, also other services) there.
I would suggest Tor (either TBB or Tails/Whonix potentially with Qubes https://www.whonix.org/wiki/Qubes). I also would suggest buying a MiFi device and consider it a part of untrusted Internet -- then using end devices with blobless open source WLAN drivers.
There's no difference between using Tor on Windows and using Tor on e.g. Ubuntu, except that Windows is a prime malware target simply because of how widely used Windows is. Linux is not what people are recommending; tailor-made operating systems like Tails and Whonix are likely what you're referring to.
If you just want to do casual browsing using Tor on Windows, use the Tor Browser.
I much prefer the approach taken by Whonix.
Whonix uses a separate Gateway and Workstation; with firewalls that ensure that all apps on the Workstation can ONLY communicate through Tor.
The Whonix Gateway is a minimal system that does nothing except act as a bridge between the Workstations and the Tor network. As such, it has a tiny attack surface.
The Whonix Workstation is incapable of communicating in any way other than through the Tor gateway running on the Whonix Gateway. That way even if you have a malicious app (including a Flash plugin) on the Whonix Workstation, it's kept sandboxed behind tor.
Overview here: https://www.whonix.org/wiki/About
Comparison with Tails here: https://www.whonix.org/wiki/Comparison_with_Others
Tails has some advantages (scroll down to "Proxy Circumvention Threats"), but Whonix has others.
VPN? Dude, anything less than a Qubes-Whonix, all JS disabled by default, and following everything in this article as a BARE MINIMUM (if we're talking nation state threat models, which is typically the case when mentioning 'lists') then you're asking for trouble.
Something like BAT Tor tabs can actually be harmful if it gives people courage to feel like they can do anything. It's a step up for clearweb privacy, yes, but some noobs are going to get pwned hard as a result of this, I guarantee it.
You can upgrade, but I used to use Tails and I've found Whonix less of a hassle to use. It's best with a decent PC/SSD.
As long as you use full disk encryption you're fine. You just download the two VMs, verify the signature (if you want) and run them. With virtual box you can share a folder and import your old pgp keys.
Whonix is WAY MORE SECURE.
You should be very secure. While using Tails/TOR it's important to have a good understanding of how your online activity can de-anonymise you. For more information the tails and whonix manuals are really good:
https://tails.boum.org/doc/index.en.html
https://www.whonix.org/wiki/Documentation
Keep in mind Tails isn't persistent, for a persistent OS you can reboot easily without losing files try Debian or a security oriented spinoff like Qubes.
https://www.whonix.org/wiki/Comparison_with_Others
Edit: Besides the stats, Whonix is essentially more fit to you if you are IT savvy and can run several machines. One for whonix, other for what not, etc. Although one laptop is enough. Security is much better than Tails.
The security community has been concerned about VirtualBox and Oracle for quite some time anyway.
The Whonix documentation has a good summary:
https://www.whonix.org/wiki/KVM#Why_Use_KVM_Over_VirtualBox.3F
>> Why Use KVM Over VirtualBox?
>>
>> Recently, the VirtualBox developer team have taken the decision to switch out the BIOS in their hypervisor with one that requires compilation by a toolchain that does not meet the definition of Free Software as per the guidelines of the Free Software Foundation. This move has been deemed problematic for free and open source software projects like Debian, on which Whonix is based.
>>
>> ...
>>
>> Besides this licensing issue which may or may not be of concern to users, a more tangible reason can be the security practices of Oracle, the corporation behind VirtualBox. Recent events and news (see Snowden leaks) have shown the urgent need for increased transparency and trust in the digital world. Oracle is infamous for their lack of transparency in disclosing security bugs details and for discouraging public full disclosure by third parties. Security through obscurity is the modus operandi at Oracle.
>>
>> Not going public with a vulnerability and its details only leads to laziness and complacency on part of the company that fields the affected products. A 0day reported privately to Oracle in 2008 by an independent security researcher has remained unfixed as of 2012 when this post was written.
If you care about security or privacy - be very wary of VirtualBox or any Oracle product.
You want Tor Browser ... not a VPN
https://matt.traudt.xyz/p/24tFBCJV.html
https://www.whonix.org/wiki/Tunnels/Introduction#Introduction
>It is possible to combine Tor with tunnels like VPNs, proxies and SSH. The traffic can be sent through both Tor and the second tunnel, in either order. However, this is an advanced topic and appropriate only for special cases. Adding a second connection does not automatically improve security, but it will add significant complexity. The potential positive or negative effects on anonymity are being controversially debated. On the balance of the evidence VPNs should be avoided, and these same arguments could be made against other tunnels too.
Risks of connecting to the VPN before Tor (also applies to non whonix Tor users.)
https://www.whonix.org/wiki/Tunnels/Introduction#VPN_Tunnel_Risks
>The consensus opinion of security professionals is that VPNs pose more risks than benefits, and it is for this reason Whonix ™ does not endorse their use.
Remote content in emails is usually images that are hosted on someone's website, which makes your browser the one to reach their server just for that image, which is a privacy concern because it exposes your IP address, user agent, and other information to them. We should be grateful that ProtonMail is designed to block remote content by default.
Emails by themselves can't infect you with anything, unless you download and run a sketchy attachment. My rule of thumb, if you don't 100% trust the file, then don't even consider downloading it. But let's assume that you still want to open it and not affect your system in any potential way. The way I do it is by opening it in a controlled, sandboxed environment, one that will not expose any of my information, or even "infect" me with anything.
Personally, every time I want to open a file, I do it inside the Whonix virtual machine, which has many benefits. Even if the file is a virus, then it will be sandboxed in a virtual machine and never reach the host system. On top of that, the entire operating system is designed to connect to the Tor network, which also makes you anonymous when connecting to any server, and protects you from data compromises.
I hope that answers your question.
And if you argue that it's a waste of time at this point anymore, does it make you a bad person?
I mean, I really wish Windows was privacy friendly. But it very much isn't, and as privacy conscious the sooner you realise it, the sooner you start putting your (limited) resources into learning something that can actually do the job.
First of all, here is an overview of how whonix (and other operating systems) deal with MAC addresses: https://www.whonix.org/wiki/Comparison_with_Others#Hardware_Serials
Malware which can break out of a VM is very rare and hard to build. So if you're not one of the top targets of the NSA it's unlikely that you have to face such an attack. For a detailed analysis of different attacks against whonix and their effects see this table: https://www.whonix.org/wiki/Comparison_with_Others#Attacks
If a malware could break out of the VM it would be more useful to send the real IP address and files on the computer to the attacker than "just" the MAC address.
To your last question: yes it never hurts to buy a computer with an untraceable method but you can also spoof your MAC address (for example with every reboot) with the macchanger: https://github.com/alobbs/macchanger
>urbit uses UDP, which is not compatible with tor.
Compatibility isn't easy, but it is *possible*, and I expect more people will be working on making it easier as (UDP-based) HTTP/3 takes off. I don't know of anyone applying this method to Urbit, or what that would mean for Ames' security, but it's at least possible.
It is acceptable and also precisely the reason why privacy is so important.
First, Use Whonix (https://www.whonix.org/) then continue on the below suggestions.
Create an email address on Tutanota or ProtonMail for that Twitter account only. Use a random name like ** for example. Don't use any information that can be linked to you personally. This applies to everything, be smart and be cautious.
I also wanted to suggest an email alias like SimpleLogin or AnonAddy but Twitter suspended my account when I used an alias so. It's still useful when you sign up for a service of which you don't want them to know your real email address or clutter it up with newsletters and spam.
Nobody might know the answer, as such a setup is probably not very popular. Therefore, I suggest:
Using a container or e.g. having separate browsers is rather about multitasking purposes. There are no privacy advantages with these kinds of approaches. Please read carefully the container add-on's documentation on what it really does and what it can't do, as believing that it's similar to Tor Browser or VPN could only undermine your threat model and even undermine your own privacy. Note that it's just a container for online accounts and cookies, separating them within the tabs; also blocking a few trackers, nothing more. It's similar to having multiple browsers, in which case you will still have the same IP origin, same browser fingerprints and what not. So, those kinds of things can still be correlated back to you along with online activity patterns. Some reading suggestions:
They both have their own purposes. My best suggestion would be to look at the comparison on the whonix website, although it's a bit outdated at first glance (e.g. it shows Tails latest version being 3.13.1 which was 2 releases ago.)
Remember that if you log in to your account, you are not anonymous, but pseudoanonymous. And
> E-mail itself is a pretty broken system from a privacy point of view. Too much metadata, too much data travelling in the clear.
Protonmail does not encrypt the mail header/metadata, which is one of the ways to identify you. Related: https://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor.
> Everything I know of doesn't get beyond tech-demo status.
That is exactly the problem: we can, for example, use stock demos of Zeronet and enable routing over Tor (currently still optional, but it will surely come to that), even with support from Whonix https://www.whonix.org/wiki/ZeroNet
What we would actually need is IPFS as a storage backend, and that is still experimental, even though Cloudflare has slowly positioned itself there https://blog.cloudflare.com/tag/ipfs/ and is otherwise coming out with surprising things too https://blog.cloudflare.com/cloudflare-onion-service/
What we need is a browser (a Firefox derivative without Mozilla telemetry, or just Tor Browser) plus IPFS node bundle, e.g. for Windows, and IPFS-JS with DHT and NAT penetration that scales well -- it probably won't. Beyond that, we also need self-hosted IPFS nodes at end users, and in the network generally. So: guides, and Docker etc. appliances that can be spun up quickly anywhere.
I think that once censorship becomes really noticeable, demand will rise so sharply that alternatives will crystallize spontaneously. Even if they don't last, there will then be momentum behind it that carries things forward.
The rest of the Internet will become Teletubbyland. It partly already is. You can largely forget about the digital savages there, since they are completely aligned to Google/Apple and unreflectively use things like WhatsApp.
What definitely already works today just as it did back then is Usenet, e.g. with Thunderbird or another Usenet news reader. There is innovation in self-hosting there too, but I'm not up to date on it.
We keep it in virtual machines with no Internet access. Here is why:
https://www.whonix.org/wiki/Computer_Security_Education#Windows_Hosts
Personally, I hardly have a need to use Windows anymore. But I guess that's not the case for many other people.
First off, this is what your operating system itself broadcasts to the mothership the moment it has internet access:
Computer make and model
Version information for the operating system, browser, and any other Microsoft software for which updates might be available
Plug and Play ID numbers of hardware devices
Region and language setting
Globally Unique Identifier (GUID)
Product ID and Product Key
BIOS name, revision number, and revision date
source: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks#WindowsUpdate
I'd argue that it's a lost game already, and you should avoid using Windows unless in airgapped (not networked) machine or in a networked VM.
You can use the clearnet as well with minimal tracking, so the government is well aware but have no idea who it is. It’s a great way to give the good old “fuck you” to the people in power
Edit: Do lots of research, Tor is not the end all be all of Op-sec two great articles to read are
https://www.whonix.org/wiki/Documentation
Stay safe
You can't have something that simply isn't there. There is no privacy on Windows. There is nothing you can do about it.
https://www.whonix.org/wiki/Computer_Security_Education#Windows_Hosts
> What resources should i be looking to take back as much privacy as i can from Windows 10?
Perhaps the ones that would tell you how to set up a virtual machine for your Windows installation, that you can easily exchange files with while not giving it Internet access.
Also, more and more games run on Linux these days. And there is WINE too,
There's no installation - you just start it from the console. Probably just not working, and not compromised.
Try adding (before ./monero-wallet-gui line) export QMLSCENE_DEVICE=softwarecontext
to the start-gui.sh. If the GUI will be too big, add also export QT_AUTO_SCREEN_SCALE_FACTOR=0
if you're paranoid, did you also verify that the hash file is signed with key 55432DF31CCD4FCD:
gpg --import fluffypony.asc
gpg --verify hashes.txt
edit: oh cool, there's a guide on whonix site on how to set-up monero https://www.whonix.org/wiki/Monero
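As an added example (not part of the post above, and not Monero's or Whonix's own tooling): `gpg --verify` succeeds for a good signature from any key in the keyring, so this sketch also checks that the signer is the key ID quoted in the post and that the download's SHA-256 appears in the signed text. It assumes hashes.txt is a clearsigned list of SHA-256 digests; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify a signed hash list, then the download itself.
# Assumptions: hashes.txt is clearsigned and lists SHA-256 digests;
# all function names here are hypothetical.

# Key ID quoted in the post. A full 40-hex fingerprint obtained out of band
# is a stronger pin than a 64-bit key ID and can be used here instead.
EXPECTED_KEYID="55432DF31CCD4FCD"

# signer_matches STATUS KEYID
# STATUS is the output of `gpg --status-fd 1 --verify`. Succeeds only if a
# VALIDSIG line carries a signing-key or primary-key fingerprint ending in
# KEYID. BADSIG/ERRSIG output never produces a VALIDSIG line.
signer_matches() {
  sm_want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
  [ -n "$sm_want" ] || return 1
  sm_fprs=$(printf '%s\n' "$1" | awk '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); print toupper($NF) }')
  [ -n "$sm_fprs" ] || return 1
  for sm_fpr in $sm_fprs; do
    case "$sm_fpr" in
      *"$sm_want") return 0 ;;
    esac
  done
  return 1
}

# file_sha256 FILE -> prints the lowercase hex SHA-256 of FILE
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# hash_listed FILE SIGNED_TEXT
# Succeeds if FILE's SHA-256 occurs anywhere in SIGNED_TEXT.
hash_listed() {
  hl_sum=$(file_sha256 "$1")
  [ -n "$hl_sum" ] || return 1
  printf '%s\n' "$2" | grep -qiF -- "$hl_sum"
}

# verify_download HASHES_FILE DOWNLOADED_FILE
verify_download() {
  vd_status=$(gpg --status-fd 1 --verify "$1" 2>/dev/null) || return 1
  signer_matches "$vd_status" "$EXPECTED_KEYID" || return 1
  # Compare against the signed text only, not the raw file: lines outside
  # the clearsign armor are not covered by the signature.
  vd_signed=$(gpg --decrypt "$1" 2>/dev/null) || return 1
  hash_listed "$2" "$vd_signed"
}

# Usage: sh verify.sh hashes.txt <downloaded archive>
if [ "$#" -eq 2 ]; then
  if verify_download "$1" "$2"; then
    echo "OK: signed by expected key and hash is listed"
  else
    echo "FAILED: do not run this download" >&2
    exit 1
  fi
fi
```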
>When I am browsing adult sites like pornhub, youporn, ect, on Tor, will anyone know? I tried it and I was able to download the video and watch it offline after I disconnect.
Not at all - Tor hides your internet activity from your ISP (or local network snoopers) and your IP address from the website you're connected to. No one (online) will know that you're watching a video offline.
>All the adult oriented chat sites I know of need you to turn on javascript. They have Captcha tests. Are they still ok to use just for text chatting, not pictures or video?
Yes, you're safe for the time being - JavaScript exploits are extremely rare. And even if a JavaScript exploit is found it will rarely affect the (legal) websites you're using.
You should check out Whonix - IP leaks (including JavaScript) are impossible - even with root (administrative) privileges.
>I thought about opening a free email account for legal adult oriented chat with other consenting adults. Is that private with Tor? The free email accounts I know of use javascript.
Here's a Tor compatible E-Mail provider without JavaScript: https://danwin1210.me/mail/index.php
>One site I can't get to work on Tor at all. Its called chaturbate and I think it needs flash. If I use it in Private Browsing mode it will never show up in the history log right?
I think livestreaming uses the UDP protocol - Tor is TCP compatible only. But I might be wrong - try to temporarily disable all scripts - enable cookies and update your Flash player.
If you have to use Windows - the best way is to set it up similarly to whonix -- where the whole Windows VM is firewalled off to only be able to access a Tor Gateway.
That way no matter how malicious Windows itself is; it can't know your real IP address even if it wanted to.
Do not have Google or Microsoft accounts. You can't fight their tracking mechanism without extensive knowledge on the matter. Since you are asking general questions like these, you probably don't have that knowledge as of now.
Get Tails Linux working and do your research from there. At this point you will be making mistakes. That's the best and easiest to use cover up for your research right now.
Follow this guide first on what you shouldn't do while using Tor:
I don't think there is anything that makes the Tor traffic less safe, but it makes it much easier for you to make a mistake - eg. accidentally entering something in the non-tor browser that was supposed to be anonymous.
If you want to be more careful, using something like Whonix or Tails can route all traffic on a workstation through Tor. This makes it harder to deanonymize yourself, though you can still do that like for example logging in to your Facebook account and messaging someone thinking you're anonymous.
Main problems:
A virus or other malware on your host OS can compromise your guest OS as well.
Your VM could be swapped out from RAM to the pagefile on your hard drive, leaving sensitive information, that should disappear when Tails is shut down, on your disk.
Workarounds:
Keep viruses and other malware off of your host. Run a different, less attacked host OS like Linux.
Disable swapping on your host OS. Encrypt your entire hard drive using something like VeraCrypt.
https://veracrypt.codeplex.com/
Running Tails in a VM does have some advantages:
Since Tails does not support VPNs, you could run a VPN client on your host OS and have all of the Tor traffic from the Tails VM routed over a VPN first. This may help prevent you from being identified if you are somehow de-anonymized via the Tor network.
Better security than running the Tor Browser bundle as a standalone program on your host OS. For instance, the Tails AppArmor settings would have prevented the recent Mozilla PDF exploit from gaining access to your local files and uploading them to the bad guys (probably US government agents). The Tails firewall protects you from other possible de-anonymizing exploits as well.
You also might want to look into running Whonix in a pair of VMs instead of Tails:
discreet linux has a focus on privacy as well as Whonix
But if you just want a regular linux distro, it should be ok with debian. The iso with proprietary drivers is a must for a laptop if you want to avoid configuration after the install
You didn't specify but I'm reckoning you know a bit about linux. If not pick Ubuntu LTS (just turn off telemetry if you want), an Ubuntu flavour (I suggest Kubuntu) or an Ubuntu based (like Pop_OS!)
Check: https://www.whonix.org/wiki/Comparison_with_Others
> This page contains a detailed comparison of Whonix ™, Tails, Tor Browser, Qubes OS TorVM and corridor.
Whonix doesn't require any incoming connections however it does require all outgoing connections. So what I would do is install uncomplicated firewall (ufw) on your host linux machine and set it to block all incoming traffic but allow all outgoing, whonix has documentation on this: https://www.whonix.org/wiki/Host_Firewall_Basics#How-to:_Install_and_Configure_a_Firewall
> Additionally, if I use Google browser but DuckDuckGo search engine, how much activity does Google see?
On default settings, a lot.
> For instance, if I use Firefox or IE browser but Google search engine, how much is Google tracking me?
All of your queries, browser fingerprint, cookie information, IP. Plus, if you use IE you are screwed by Microsoft on top of that, because you are likely to use Windows too which is also a real mess.
You can hide that you are using TOR from your ISP by using TOR bridges. Using VPN -> TOR -> Internet also hides that you are using TOR from your ISP, but your VPN provider knows who you are and could monitor unencrypted traffic you send over the connection. Using TOR -> VPN -> Internet hides that you are using TOR from the target (e.g. the site you visit.), however for this you must make sure that the VPN provider does not know who you are (pay it with anonymized bitcoin and never connect to it without TOR). Another solution would be connecting like this: TOR bridge -> TOR -> VPN -> Internet. As this would hide your TOR connection both from your ISP and the target on the internet. The VPN provider would still know you are using TOR and it can see your Internet traffic and read it if it's not encrypted, but it should not know who you are. Read more..
About Tails/Whonix/Qubes, it really depends on your threat model and use cases. Tails is amnesic, it will not leave any traces of what you did on your machine. Whonix only makes sure no connection is made without TOR, but you leave plenty of evidence on your machine, also you can use it as a gateway to "torify" connections of other machines. Qubes is really nice if you have a lot of different use cases, you can use it like Tails and also like Whonix or like a regular machine for your different use cases. Check out this comparison.
Here's some easy instructions:
1. Download Whonix-Workstation
2. Open VirtualBox, click "File" > "Import" and add the Gateway and Workstation files
3. Choose all the default settings for both of them
4. Start the Gateway virtual machine
5. During setup, choose "Understand" and all the default options
6. Do the same to the Workstation virtual machine
7. In the workstation machine, start the Tor Browser. Download a new version if it asks.
8. Download OpenBazaar (Linux i386 Deb Version)
9. Open the File Manager in the Start Menu and navigate to the OpenBazaar file
10. In the File Manager choose "Tools" > "Terminal"
11. Type: "sudo dpkg --install *.deb" (no quotes, password is changeme) then press Enter
12. Type: "sudo apt-get install -f" (no quotes) then press Enter
13. Type: "sudo dpkg --install *.deb" (no quotes)
14. Start OpenBazaar in the Start Menu
IMPORTANT: When OpenBazaar starts, it asks if you want to use Tor -- DO NOT CHOOSE THIS OPTION.
You can check out /r/tor, /r/privacy, /r/vpn and /r/vpnreviews for better info.
I also started reading about this very recently, so triple check before believing anything I say.
People at /r/tor recommend VirtualBox + Whonix + Tor Browser for better privacy. Check in YouTube "defcon tor" to get an idea of how it has been compromised in the past. I have seen people mentioning that they use a VPS with VPN for better anonymity.
Generally, they say not to use any extensions with Tor browser. Even then, it looks like there may be ways to find out who you are. I usually use VirtualBox's snapshot feature for browsing websites I don't trust. It's not for anonymity, but for better security.
I use the following extensions with Firefox: uBlock Origin, Disconnect, HTTPS Everywhere, Privacy Badger, WOT, NoScript.
My advice would be not to do anything illegal that has the potential to destroy your life. I wouldn't be surprised if one day somebody says Tor had been run and monitored by authorities all along.
LINUX. even something like vanilla debian would be more private and secure than current iterations of windows. if you're really concerned about privacy and security qubes w/ whonix would be something to consider. or tails.
>So, I just download TOR and i'm safe?
No, not necessarily.
Right click on the green onion to the left of the URL bar and select "Privacy and Security Settings".
Make sure you set the "Security Level" to High to disable JavaScript.
For more security, you might consider running the Tails OS:
For even more security, you could run Whonix in a set of virtual machines:
Start by reading this:
https://www.whonix.org/wiki/Comparison_with_Others
> would they be at any risk
They would be at greatly reduced risk, compared to other configurations, but no system is perfect, and not all possible risks are even known.
Whonix, being virtual, can fake identifiers like hardware serial numbers. Whonix actively corrects some other identifying information. Running NoScript (or better, disabling Javascript) will significantly reduce your attack surface and risk of being infected.
Since Whonix is a VM and many users run copies of it: installed fonts, etc are the same for everyone, they are only unique if you change them. So don't make any changes other than to disable Javascript, to update on schedule, and get your clock set correctly by NTP (the milliseconds by which your clock is out is an identifier).
> does that information require root access for a program to access it as well?
No, for the most part, not on the host. In the VM these things are as accessible but are what Whonix says they are. Don't take my word for it - test yourself:
(browser fingerprint)
(graphics stack / font rendering fingerprint by HTML5 canvas)
https://www.browserleaks.com/canvas
Note that not all identifying information is technical, some is personal. There exists spyware which tries to learn your typing cadence, and analysis programs which distinguish between different people's writing styles, vocabulary, etc. Nothing is completely safe, but adversaries are not infinitely resourced. I don't think you'll find a solution much better than the one you describe, you're doing great, keep learning and don't get complacent.
I would not create a key on an android device. I would create it on an offline air-gapped machine. I would create a master key pair that will never be on an online device and create sub-keys for every day usage. That subkey can be revoked if it ever gets lost or compromised, in order to do that you also need to create a revocation certificate. That way you don't lose all your trust / signatures on your main key just because a sub-key was lost / compromised.
You can then just copy one of your everyday sub-keys to your android device.
Here is a tutorial: https://www.whonix.org/wiki/Air_Gapped_OpenPGP_Key
Yes you can definitely run whonix without qubes, it is just supposed to run in a VM, it can run even on windows:
Qubes is often coupled with whonix because it is a good match. Qubes run all of your applications in different VMs (Qubes) in different so called "domains". So you would have a "whonix domain" that runs everything through tor. It uses the Xen hypervisor which makes it very secure, and completely separate from other applications.
If you wish to thank me, toss a coin in to the Whonix tip jar.
It doesn't go to me, but it does go to some very deserving folks who are working for all our privacy
Using a VPN will not keep your browsing habits anonymous, nor will it add additional security to non-secure (HTTP) traffic.
If you are looking for anonymity, you should use the Tor Browser instead of a VPN.
If you're looking for added security, you should always ensure you're connecting to websites using encrypted DNS and HTTPS. A VPN is not a replacement for good security practices.
If you're looking for additional privacy from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand the risks involved.
Solely using Tor/Tor Browser in isolation will not protect one's identity; it is also necessary to modify online behavior. For example it is essential to use strong encryption, obfuscate writing style, not reveal personal interests, distrust strangers, limit online disclosures, and follow a host of other tips to stay anonymous. Ignoring these rules is a fast track to deanonymization
You need to be more specific because there are many linux variations. One thing for sure is that it’s safer than using TOR with windows and macosx.
TAILS is one of the most secure live bootable linux systems by erasing activity since it doesn’t write to the disk. However, it can be hacked and compromised. Here’s an example.
Whonix separates the gateway and workstation aside to minimize malware attacks and routes all traffic through the TOR network. It’s pretty secure as long as you don’t make idiotic mistakes.
Here's the documentation of Whonix for more info on what it can do and cannot do: https://www.whonix.org/wiki/Documentation
If your hardware is really that old it would make sense that Whonix is unable to run on that machine. In that case just use Tor browser if your threat model permits.
If you're insistent with Whonix, you might wanna check these out: https://www.whonix.org/wiki/System_Requirements & https://www.whonix.org/wiki/RAM
There will be only a small privacy advantage or maybe no real benefit depending on some aspects. Believing that it will be similar to Tor Browser could only undermine your threat model and be detrimental to your own privacy. Some reading suggestions:
>Abstract—In this paper, we propose a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine. Specifically, our approach utilizes many novel OS and hardware level features, such as those from graphics cards, CPU, and installed writing scripts. We extract these features by asking browsers to perform tasks that rely on corresponding OS and hardware functionalities.
>Our evaluation shows that our approach can successfully identify 99.24% of users as opposed to 90.84% for state of the art on single-browser fingerprinting against the same dataset. Further, our approach can achieve higher uniqueness rate than the only cross-browser approach in the literature with similar stability.
Source: (Cross-)Browser Fingerprinting via OS and Hardware Level Features [PDF]
Use Tor Browser instead.
Most of the reputable VPN providers don't have slow connections unless you are talking about free, unknown and untrustworthy providers.
Tor Browser is good but you are only anonymous within that browser and not the rest of your connections, it might be this that you meant to say that it's slow. In any case, VPN is your best bet and it would suffice you.
Also there is difference between private vs. anonymous. You are not anonymous per se with VPN but all connections are encrypted, hence the wifi you are connecting to, the owners of the router won't be able to tell your online activities as well as the ISP. From wiki:
>VPNs cannot make online connections completely anonymous, but they can usually increase privacy and security.
I suggest you to read:
I did not know what Whonix was, I saw its webpage and it says:
"Whonix is a desktop operating system designed for advanced security and privacy. Whonix mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks. Commonly used applications are pre-installed and safely pre-configured for immediate use. The user is not jeopardized by installing additional applications or personalizing the desktop. Whonix is under active development and is the only operating system designed to be run inside a VM and paired with Tor."
Just use Whonix. Adding a different number of hops isn’t the way to be harder to track/hack. Whonix is isolated in a VM and has a separate environment to route Tor through. Even if your attacker had root access to your workstation, they’d have no way of knowing your real IP. But also tools aren’t the end all be all of anonymity, you gotta change your habits, and make smart OPsec choices. Whonix plus smart OPsec is the way to go.
Get rid of GAPPS. If your device doesn't support it, sell it off Craigslist or similar service and get a LineageOS compatible one instead. That's not rocket science.
As for Windows, there is no hope.
Is there a way to flawlessly route through the Tor proxy now? I remember torrents couldn't be routed through that. Though he said he wants to route most of his traffic, so it depends on his threat model.
Also be sure to check out this https://www.whonix.org/wiki/DoNot
I don't personally use it, but you can have Tor Browser without Tor. This way you can browse without being slowed down through Tor network but with Tor Browser's privacy enhancements. Beware it's a very rough setup at the moment.
I looked for stuff like that maybe five years ago, and everything I found apart from DNMs was boring. Could be a different story now, I suppose. Or I could have been looking badly... I wasn't very serious about it.
To reduce security risks when browsing tor websites, use whonix. It runs the tor browser in a virtual machine, and runs the tor network stack in a separate virtual machine. This reduces the risk that your host machine will be contaminated by at least two orders of magnitude, and also provides better protection of your source IP address.
I don't see a reason to run Tails on daily basis either.
One of the main reasons I run Qubes is that it does stream isolation for Whonix Workstation instances. Identity correlation is a huge problem in using proxies for privacy in general.
Any kind of wifi extender will do the trick.
Yes, it is kind of illegal to steal someone's wifi.
No, the ISP that provides Internet to the business won't see that the business added a new device (your wifi extender) to the network. They'll see that some traffic from this box IP is going through TOR or VPNs, but again, they're paying attention to that if LE ask them to pay attention mate -> It's not the fucking NSA :D
However, the business owners might find you if there is someone tech savvy enough to check if everybody got off the wifi when closing the shop (I ask my clients to do that for example).
All in all I don't see the point of your scheme -> Use Whonix or Tails; follow all the Opsec rules of the DNM bible and you'll be fine !
Happy browsing :)
>Whonix is WAY MORE SECURE.
>https://www.whonix.org/wiki/Comparison_with_Others
Looks just marginally more secure IF you use Qubes as well. What bothers me is some of the information is outdated. It says Tails uses Icedove but Tails has used Thunderbird for the past 3-4 updates. I don't expect Whonix to monitor all their competitors in real time and update their comparison chart, but by the same token, since they don't, there is the possibility that the update in Tails has brought it on par or better than Whonix.
I'm interested in Whonix, I just don't like the idea of using a dedicated system that is not amnesic, but I guess since with persistence it's the same thing, it's just that with Tails you have a much better chance of hiding/destroying everything as opposed to LEO having your computer trying to break into it.
Running a VM with Tor is fine. Running Tor on your local machine is also fine but I can understand how that can seem scary.
Check out Whonix, it is basically two virtual machines.
If that seems too complicated, just download a Tails ISO and run a VM with that as its virtual CD-ROM.
> 1. Do really need a burner laptop or tails to explore..
No.
> 2 Do I risking my host os by using tor on it.
No. I use tor on my main machine with all my secrets on it for most of my connections, from browsing reddit to downloading system updates.
Internet without tor isn't any more secure than with tor. Use the same caution when using tor as you would use when not using tor.
> 3. I have a slow internet connection do I risk my anonymity..
No.
> 4. And do I really need to surf tor through some public hotspot or through someone else's connection..
No. The whole point of tor is that no single agent knows both the source and destination of any traffic. The only potential problem with running tor is that someone looking at your network traffic learns you are using tor (but not what you are using tor for).
> 5. Is Fedora is safe or do I need other distribution....
Fedora is totally fine. Most Gnu/Linux distros and *BSD are fine.
I realize where you are coming from. You want to use Tor and have it be as secure as possible. So a few things:
The Tor Browser in your normal desktop (without the virtual machine) is already very secure, well tested, well maintained, and easy to use correctly. Making things more complicated than they need to be can actually make you less secure.
However, if you still want to go the extra mile to glean security benefits that can come from a virtual machine, including the added certainty that all online transactions are being routed through Tor, use Whonix that is designed to run in a virtual machine and is being used and tested by a community.
If you want to go to something more secure, use Tails. Like the Tor Browser, there is a large community testing and maintaining it, and it has all kinds of added security features like never touching your hard drive and scrambling your RAM when you are done, etc...
I'd go further: take a look at Qubes with Whonix installed on it. Security is something you have to be careful about; every chain is only as secure as its weakest link. There's no point in using Qubes, Whonix, encrypting your phone, using 2FA and everything else under the sun if your password is your date of birth or your dog's name. As for passwords, I really like the xkcd tip.
For a voluntary exile there's always the Uruguayan option; it doesn't solve things 100% but it already makes it harder.
are you asking if tor is automatically setup to block all outgoing traffic except for tor? if so, then no.
If that's what you want, you need to setup tor as a transparent proxy, and then use another vm / machine on a private network that can only get to the internet through the proxy. there's a how-to here: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
Alternatively, you can use whonix, which is a pre-configured set of VMs that do the same thing: https://www.whonix.org/
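One way to check that such a gateway fails closed, as an added example that is not part of the original post or of the Tor or Whonix projects: it audits an `iptables-save` dump for the two properties the post relies on (nothing is forwarded directly, DNS and TCP from the private network are redirected into Tor). The interface name `eth1`, the ports 9040/5353 and both rule sets are constructed assumptions, and the function names are hypothetical.

```python
import shlex

# Constructed `iptables-save` samples from a two-NIC gateway (assumptions:
# eth1 = isolated private network, 9040 = Tor TransPort, 5353 = Tor DNSPort).
GOOD_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 5353 -j ACCEPT
COMMIT
"""
LEAKY_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, tokens)]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is not None and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
        elif current is not None and line.startswith("-A "):
            tokens = shlex.split(line)
            current["rules"].append((tokens[1], tokens[2:]))
    return tables

def _opt(tokens, flag):
    """Value following an option such as -i or --dport; None if absent or negated."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    if i > 0 and tokens[i - 1] == "!":
        return None
    return tokens[i + 1] if i + 1 < len(tokens) else None

def audit_gateway(text, internal_if, trans_port, dns_port):
    """Return a list of findings; an empty list means the checks passed.
    Limitation: rule ordering and user-defined chains are not evaluated."""
    empty = {"policies": {}, "rules": []}
    tables = parse_iptables_save(text)
    filt, nat = tables.get("filter", empty), tables.get("nat", empty)
    findings = []

    # 1. Fail closed: the private network must never be routed directly.
    if filt["policies"].get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP")
    for chain, tok in filt["rules"]:
        if chain == "FORWARD" and _opt(tok, "-j") == "ACCEPT":
            findings.append("FORWARD has an ACCEPT rule: " + " ".join(tok))

    # 2. Traffic arriving on the internal interface must be redirected into Tor.
    def redirected(proto, dport, to_port):
        return any(
            chain == "PREROUTING" and _opt(tok, "-i") == internal_if
            and _opt(tok, "-p") == proto and _opt(tok, "--dport") == dport
            and _opt(tok, "-j") == "REDIRECT"
            and _opt(tok, "--to-ports") == str(to_port)
            for chain, tok in nat["rules"])

    if not redirected("udp", "53", dns_port):
        findings.append("DNS (udp/53) is not redirected to the DNSPort")
    if not redirected("tcp", None, trans_port):
        findings.append("TCP is not redirected to the TransPort")
    return findings

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("leaky", LEAKY_RULES)):
        print(name, audit_gateway(rules, "eth1", 9040, 5353))
```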
This type of advice can't be half-assed, it is an incredibly important topic. The OP is PRIVACY not ANONYMITY
Do lots of research (and know the differences), and understand how the internet works and how to become anonymous and learn how to engage with the digital world in a secure way. If you want to be anonymous, it is a lifestyle. Nothing about it is easy. Keep in mind faraday cages, they are a great tool. Whonix documentation is a great starting point: https://www.whonix.org/wiki/Documentation
Also, this is very useful to newcomers: https://www.eff.org/pages/tor-and-https
Thanks,
TOR Browser is ok, fast and customizable.
TOR Network [in my case] use [ https://www.whonix.org/ ] workstation/gateway
You have to know what you are doing...
For regular web surfing you need javascript... no point to use tor network
For deep web surfing 2-3 hours i recommend tails [ usb ] and public network
Also Whonix
But Qubes OS is a more secure design.
Tails however is the easiest way of having a secure OS (just not as secure as the alternatives which require far more technical knowledge)
VPN before Tor is okay, but don't think it makes you invincible. It adds a good amount of security, though. But in some cases it can harm you
Also, a VPN doesn't solve one of the serious issues with Tor: Traffic correlation.
For example if I request file A which is 20mb in size from a website, then a global attacker like the NSA would see this:
My ISP (20mb) -> VPN server (20 mb) - > Tor relay 1 (20mb) -> Tor relay2 (20mb) -> Tor relay 3(20mb), etc. They could potentially correlate that to you.
If you really need high anonymity, I recommend spoofing your MAC address and using public wifi, plus VPN & Tor (make sure you anonymously purchase the VPN access).
Also, never do tor->VPN.
> Why is everyone saying not to run it in Virtualbox on Windows?
This should be obvious. The Host OS can see the Guest OS's RAM.
> What about on Linux in Virtualbox or KVM?
KVM ok. Virtualbox less good.
The Whonix project has an excellent FAQ entry for "Why Use KVM Over VirtualBox?".
>> VirtualBox developer team have taken the decision to switch out the BIOS in their hypervisor with one that requires compilation by a toolchain that does not meet the definition of Free Software .... Besides this licensing issue which may or may not be of concern to users, a more tangible reason can be the security practices of Oracle, the corporation behind VirtualBox. Recent events and news (see Snowden leaks) have shown the urgent need for increased transparency and trust in the digital world. Oracle is infamous for their lack of transparency in disclosing security bugs details and for discouraging public full disclosure by third parties.
TL/DR - some important VirtualBox components are not F/OSS, and Oracle has a history of lack of transparency in security issues so shouldn't be trusted to provide non F/OSS components.
> Is there a recent security vulnerability that I'm unaware of?
Probably. Probably even intentional back doors as alluded to in the Whonix quote above. But you'll never know for sure, thanks to non-F/OSS components in Windows and VirtualBox.
This is a very complex thing to do, I've been working on it for some time, it's possible but you can't use Tails to do it, it requires an OS like Whonix or Qubes.
https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_proxy
Here's the link to WhoNix - although I wouldn't run it through VirtualBox as /u/bigfondue said. There's a couple ways you can approach this:
WhoNix is probably your MOST secure but also MOST inconvenient option (because it's not Windows and because you have to boot to something besides your hard drive + nothing persists after reboot). I would suggest using WhoNix only if you actually have anything you care about hiding. Feel free to set it up and have some fun messing around, but other than that it's probably overkill :)
As another comment points out, Kali isn't really designed to be used as your primary OS, especially not from a security standpoint. It's purpose-built, and it does what it's designed to do very well, which is to provide you tools to survey and penetrate networks, web applications, etc.
If you're looking for enhanced security and anonymity, you should look into using TAILS linux, or Whonix, which both have Tor built-in. TAILS will be easier for you to setup; just download the .iso (verify the checksum and signature for good measure) and write it to a USB drive and boot from there. Whonix is a bit different to setup, and takes an interesting approach to connectivity by actually using 2 separate environments: a workstation and a gateway, which eliminated DNS leaks. More on that here: https://www.whonix.org/
There are different ways in which you can leak potentially identifiable information, such as DNS leak. Even though you're connecting through a VPN or Tor, applications can still attempt to resolve DNS queries themselves, which could broadcast some information about your connection, as well as potentially allow your ISP to view the requests you've made to their DNS servers. You can use DNSLeaktest.com to test in your browser; use their 'Extended' test.
Regarding your other questions: 2. I'm not sure about 'flashing' adapters. 4. You shouldn't use Kali as your primary OS, but you could certainly setup a firewall if you wanted, though it would probably mess with any actual pentesting you're doing if not properly configured. 5. What do you mean install programs to different directories. What program are you installing, and how are you installing it?
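The DNS-leak check from the post above, done offline on a packet capture instead of in the browser, as an added example that is not part of the original post: it scans `tcpdump -n` text output taken on the physical interface and reports every lookup sent straight to a resolver instead of through the tunnel. The sample lines are constructed, the addresses come from documentation ranges, and the function name is hypothetical.

```python
import ipaddress
import re

# One line of `tcpdump -n` text output: "<time> IP <src>.<port> > <dst>.<port>: <rest>"
PACKET = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# The question part of a DNS query as tcpdump prints it, e.g. "A? example.com."
QUESTION = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")
DNS_PORTS = {53, 853}  # plaintext DNS and DNS over TLS

# Constructed capture from the physical interface of a host that should be
# sending everything through Tor or a VPN.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.168.1.23.53124 > 198.51.100.53.53: 4242+ A? example.com. (29)
12:00:01.120000 IP 198.51.100.53.53 > 192.168.1.23.53124: 4242 1/0/0 A 203.0.113.10 (45)
12:00:02.000000 IP 192.168.1.23.40000 > 203.0.113.7.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:02.500000 IP6 2001:db8::23.41000 > 2001:db8::53.53: 99+ AAAA? example.org. (29)
12:00:03.000000 IP 127.0.0.1.41000 > 127.0.0.1.53: 7+ A? example.net. (29)
12:00:04.100000 IP 192.168.1.23.53124 > 198.51.100.53.53: 4242+ A? example.com. (29)
""".splitlines()

def find_dns_leaks(lines):
    """Return unique (resolver_ip, port, qtype, qname) tuples for DNS traffic
    addressed directly to a non-loopback resolver."""
    leaks = []
    for line in lines:
        m = PACKET.match(line.strip())
        if not m:
            continue
        # tcpdump appends the port to the address with a dot, for IPv6 as well.
        host, _, port = m.group("dst").rpartition(".")
        if not port.isdigit() or int(port) not in DNS_PORTS:
            continue  # not addressed to a resolver (responses, Tor/VPN traffic)
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue  # local stub; a forwarded query shows up separately
        except ValueError:
            continue  # capture was not taken with -n
        q = QUESTION.search(m.group("rest"))
        qtype = q.group("qtype") if q else None        # None for encrypted DNS
        qname = q.group("qname").rstrip(".") if q else None
        record = (host, int(port), qtype, qname)
        if record not in leaks:
            leaks.append(record)
    return leaks

if __name__ == "__main__":
    for resolver, port, qtype, qname in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"leak: {qtype} {qname} sent to {resolver} port {port}")
```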
If you wanted to run a virtual machine look up 'Whonix' which is a lightweight OS with tons of advanced security features built in and forces all your network traffic through tor.
Read more here: https://www.whonix.org/
Whonix is much stronger than Tails, the only advantage Tails has is it doesn't store information on your HDD whereas Whonix does so you should sanitize regularly and maybe keep a copy of dban handy.
It mentions Qubes but not Whonix. Will read more later.
Whonix is a rather comprehensive and impressive effort recently attracting funded development so should be mentioned IMHO https://www.whonix.org/
It tries to address information leakage rather thoroughly, something most ToR users don't seem to get.
It depends on what you're after:
https://tor.stackexchange.com/questions/38/what-threat-model-is-qubes-os-torvm-most-appropriate-for
For a good breakdown of the differences in features:
You don't. Tails is very limited and does not support any additional layer of security. In fact they recommend you don't even try. You could play around that using virtualisation technology but I didn't try yet
I recommend running a Whonix VM on a clean GNU based OS (I like Fedora) as it is fully customizable and safer than Tails (No DNS leaks, Rootkit doesn't know your IP) and on top of that comes with its own gateway.
Update: ProxyChain Whonix Guide: https://www.whonix.org/wiki/Tunnel_Proxy_or_SSH_or_VPN_through_Tor
Alternatively if you have sophisticated technical skills you can try military-grade secure Linux distributions like the Lightweight Portable Security (LPS) the US-Airforce uses. (But I still have some trouble running VMWare on it, since I'm far from a professional).
I assume that you're using Whonix so you should read the whole documentation (and especially the part about the physical separation). Furthermore you should also read the TOR documentation, keep an eye on your HSDirs (or better control them) and in general know the different possible attacks against hidden services, get rid of the JS code (it would've been easier if you didn't use JS right from the start) and keep your code simple by not using too many frameworks, get some experienced developers and security experts, establish a bug bounty program, read basically every tutorial about OPSEC,...
EDIT: and stay tuned to every news about security/anonymity/TOR/...
It uses a VM in the way of chrooting stuff. Chrooting an application/set of applications and services is basically the same as putting them in a jail. Said applications only have access to dummy hardware, which redirects to the actual hardware.
Tails also uses Chrooting, the unsafe browser, for example, has no access to audio features. It'll be a hassle if you want to move files between chroot jails in Tails.
>Can you set up a linux os to clear the system when you shut down?
Depends on what you want cleared in the system. Whonix does not clear the RAM, nor does it clear the hard drive, since it's installed on that and is not amnesic.
Please take in both of these pages and note the differences between the 2 operating systems.
What kamn74 said. Although if you're considering the VM route, look into Whonix run from an encrypted container. It has its own strengths and is designed for this purpose, where Tails is built around some different assumptions about how it will be used:
I personally wouldn't do this from Windows, since Windows machines commonly have malware, spyware and all kinds of commercial trackers, sometimes from first boot as with the Lenovo Superfish debacle.
For something that does it out of the box see https://www.whonix.org/
"Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network[1], Debian GNU/Linux[2] and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible."
Notice that this recipe is not specific to Tor.
For a less secure approach, try https://openvpn.net/index.php/open-source/documentation/howto.html#redirect Terminate the OpenVPN tunnel on a remote server of your choice.
This can be improved by isolating the network, and running the OpenVPN on the router itself.
Anything is possible. Just needs code.
Current recommendation is "do this manually": https://www.whonix.org/wiki/Pre_Install_Advice#Recommendation_to_use_Whonix_on_External_Media
But why run workstation inside gateway? I mean, perhaps it could be made to work, but then a compromised workstation could control the gateway. I think this gateway inside workstation idea is unrelated to Live USB.
It's possible, I have done it before, however it is considered to be not as secure. If you want to use VirtualBox I would recommend Whonix. The neat thing about Whonix is that you can run the Whonix gateway VM and then run another VM with whatever OS you choose and set the Whonix VM as its router and all traffic on the second VM (the OS you choose) will be routed through Tor. This shows how to configure the second VM - https://www.whonix.org/wiki/Other_Operating_Systems
This is almost spot on, but you should REALLY run Whonix in a VirtualMachine inside Linux. It's the next best thing to Tails, and it's really a piece of cake to setup.