Tor

Weekend Reading: Tor and Tails

Carlie Fairchild — Sat, 16 Mar 2019 14:04:18 +0000

Tails is a live media Linux distro designed to boot into a highly secure desktop environment. Tor is a browser that prevents somebody watching your internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

Learn why anonymity matters and how you can protect yourself with this Linux Journal Weekend Reading.

T or Hidden Services

Why should clients get all the privacy? Give your servers some privacy too!

Tails above the Rest: the Installation

How to get and validate the Tails distribution and install it. We will follow up with what Tails can and can't do to protect your privacy, and how to use Tails in a way that minimizes your risk. Then we will finish with some more advanced features of Tails, including the use of a persistent volume (with this feature, depending on your needs, you could conceivably use Tails as your main Linux distribution).

Tails above the Rest, Part II

Now that you have Tails installed, let's start using it. Read on to find out how to get started.

Tails above the Rest, Part III

In the first two parts on this series, we gave an overview of Tails, including how to get the distribution securely, and once you have it, how to use some of the basic tools. Here, we cover some of the more advanced features of Tails, such as some of its log-in options, its suite of encryption tools and the persistent disk.

Tor Security for Android and Desktop Linux

The Tor Project presents an effective countermeasure against hostile and disingenuous carriers and ISPs that, on a properly rooted and capable Android device or Linux system, can force all network traffic through Tor encrypted entry points (guard nodes) with custom rules for iptables. This action renders all device network activity opaque to the upstream carrier—barring exceptional intervention, all efforts to track a user are afterwards futile.

A Bundle of Tor

The best way to set up Tor on your personal machine.

Dolphins in the NSA Dragnet

Go to Full Article

Weekend Reading: Privacy

Carlie Fairchild — Sat, 27 Oct 2018 12:59:01 +0000

by Carlie Fairchild

Most people simply are unaware of how much personal data they leak on a daily basis as they use their computers. Enter this weekend's reading topic: Privacy.

FOSS Project Spotlight: Tutanota, the First Encrypted Email Service with an App on F-Droid by Matthias Pfau

Seven years ago Tutanota was built, an encrypted email service with a strong focus on security, privacy and open source. Long before the Snowden revelations, Tutanota's team felt there was a need for easy-to-use encryption that would allow everyone to communicate online without being snooped upon.

The Wire by Shawn Powers

In the US, there has been recent concern over ISPs turning over logs to the government. During the past few years, the idea of people snooping on our private data (by governments and others) really has made encryption more popular than ever before. One of the problems with encryption, however, is that it's generally not user-friendly to add its protection to your conversations. Thankfully, messaging services are starting to take notice of the demand. For me, I need a messaging service that works across multiple platforms, encrypts automatically, supports group messaging and ideally can handle audio/video as well. Thankfully, I found an incredible open-source package that ticks all my boxes: Wire.

Facebook Compartmentalization by Kyle Rankin

Whenever people talk about protecting privacy on the internet, social-media sites like Facebook inevitably come up—especially right now. It makes sense—social networks (like Facebook) provide a platform where you can share your personal data with your friends, and it doesn't come as much of a surprise to people to find out they also share that data with advertisers (it's how they pay the bills after all). It makes sense that Facebook uses data you provide when you visit that site. What some people might be surprised to know, however, is just how much. Facebook tracks them when they aren't using Facebook itself but just browsing around the web.

Some readers may solve the problem of Facebook tracking by saying "just don't use Facebook"; however, for many people, that site may be the only way they can keep in touch with some of their friends and family members. Although I don't post on Facebook much myself, I do have an account and use it to keep in touch with certain friends. So in this article, I explain how I employ compartmentalization principles to use Facebook without leaking too much other information about myself.

Protection, Privacy and Playoffs by Shawn Powers

Go to Full Article

Tor Hidden Services

Kyle Rankin — Wed, 23 May 2018 12:00:00 +0000

by Kyle Rankin

Why should clients get all the privacy? Give your servers some privacy too!

When people write privacy guides, for the most part they are written from the perspective of the client. Whether you are using HTTPS, blocking tracking cookies or going so far as to browse the internet over Tor, those privacy guides focus on helping end users protect themselves from the potentially malicious and spying web. Since many people who read Linux Journal sit on the other side of that equation—they run the servers that host those privacy-defeating services—system administrators also should step up and do their part to help user privacy. Although part of that just means making sure your services support TLS, in this article, I describe how to go one step further and make it possible for your users to use your services completely anonymously via Tor hidden services.

How It Works

I'm not going to dive into the details of how Tor itself works so you can use the web anonymously—for those details, check out https://tor.eff.org. Tor hidden services work within the Tor network and allow you to register an internal, Tor-only service that gets its own .onion hostname. When visitors connect to the Tor network, Tor resolves those .onion addresses and directs you to the anonymous service sitting behind that name. Unlike with other services though, hidden services provide two-way anonymity. The server doesn't know the IP of the client, like with any service you access over Tor, but the client also doesn't know the IP of the server. This provides the ultimate in privacy since it's being protected on both sides.

Warnings and Planning

As with setting up a Tor node itself, some planning is involved if you want to set up a Tor hidden service so you don't defeat Tor's anonymity via some operational mistake. There are a lot of rules both from an operational and security standpoint, so I recommend you read this excellent guide to find the latest best practices all in one place.

Without diving into all of those steps, I do want to list a few general-purpose guidelines here. First, you'll want to make sure that whatever service you are hosting is listening only on localhost (127.0.0.1) and isn't viewable via the regular internet. Otherwise, someone may be able to correlate your hidden service with the public one. Next, go through whatever service you are running and try to scrub specific identifying information from it. That means if you are hosting a web service, modify your web server so it doesn't report its software type or version, and if you are running a dynamic site, make sure whatever web applications you use don't report their versions either.

Go to Full Article

May 2018 Issue: Privacy

Carlie Fairchild — Tue, 01 May 2018 18:57:47 +0000

by Carlie Fairchild

Most people simply are unaware of how much personal data they leak on a daily basis as they use their computers. Enter our latest issue with a deep dive into privacy.

After working on this issue, a few of us on the Linux Journal team walked away implementing some new privacy practices--we suspect you may too after you give it a read.

In This Issue:

Data Privacy: How to Protect Yourself
Effective Privacy Plugins
Using Tor Hidden Services
Interview: Andrew Lee on Open-Sourcing PIA
Review: Purism's Librem 13v2
Generating Good Passwords with a Shell Script
The GDPR and Open Source
Getting Started with Nextcloud 13
Examining Data with Pandas
FOSS Project Spotlights: Sawmill and CloudMapper
GitStorage Review
Visualizing Molecules with EasyChem

Subscribers, you can download your May issue now.

Not a subscriber? It’s not too late. Subscribe today and receive instant access to this and ALL back issues since 1994!

Want to buy a single issue? Buy the May magazine or other single back issues in the LJ store.

Go to Full Article

Facebook Compartmentalization

Kyle Rankin — Thu, 12 Apr 2018 15:06:49 +0000

by Kyle Rankin

I don't always use Facebook, but when I do, it's over a compartmentalized browser over Tor.

Whenever people talk about protecting privacy on the internet, social-media sites like Facebook inevitably come up—especially right now. It makes sense—social networks (like Facebook) provide a platform where you can share your personal data with your friends, and it doesn't come as much of a surprise to people to find out they also share that data with advertisers (it's how they pay the bills after all). It makes sense that Facebook uses data you provide when you visit that site. What some people might be surprised to know, however, is just how much. Facebook tracks them when they aren't using Facebook itself but just browsing around the web.

1. Post Only Public Information

The first rule for Facebook is that, regardless of what you think your privacy settings are, you are much better off if you treat any content you provide there as being fully public. For one, all of those different privacy and permission settings can become complicated, so it's easy to make a mistake that ends up making some of your data more public than you'd like. Second, even with privacy settings in place, you don't have a strong guarantee that the data won't be shared with people willing to pay for it. If you treat it like a public posting ground and share only data you want the world to know, you won't get any surprises.

2. Give Facebook Its Own Browser

I mentioned before that Facebook also can track what you do when you browse other sites. Have you ever noticed little Facebook "Like" icons on other sites? Often websites will include those icons to help increase engagement on their sites. What it also does, however, is link the fact that you visited that site with your specific Facebook account—even if you didn't click "Like" or otherwise engage with the site. If you want to reduce how much you are tracked, I recommend selecting a separate browser that you use only for Facebook. So if you are a Firefox user, load Facebook in Chrome. If you are a Chrome user, view Facebook in Firefox. If you don't want to go to the trouble of managing two different browsers, at the very least, set up a separate Firefox profile (run firefox -P from a terminal) that you use only for Facebook.

Go to Full Article

The Linux Journal NSA Reading List: Tails and Tor

Carlie Fairchild — Sun, 25 Mar 2018 19:33:50 +0000

by Carlie Fairchild

Learn why anonymity matters and how you can protect yourself by reading the following archived Linux Journal articles:

Tails above the Rest: the Installation by Kyle Rankin: how to get and validate the Tails distribution and install it. I will follow up with what Tails can and can't do to protect your privacy, and how to use Tails in a way that minimizes your risk. Then I will finish with some more advanced features of Tails, including the use of a persistent volume (with this feature, depending on your needs, you could conceivably use Tails as your main Linux distribution).

Tails above the Rest, Part II by Kyle Rankin: now that you have Tails installed, let's start using it. Read on to find out how to get started.

Tails above the Rest, Part III by Kyle Rankin: in the first two parts on this series, I gave an overview of Tails, including how to get the distribution securely, and once you have it, how to use some of the basic tools. Here, I cover some of the more advanced features of Tails, such as some of its log-in options, its suite of encryption tools and the persistent disk.

Tor Security for Android and Desktop Linux by Charles Fischer: the Tor Project presents an effective countermeasure against hostile and disingenuous carriers and ISPs that, on a properly rooted and capable Android device or Linux system, can force all network traffic through Tor encrypted entry points (guard nodes) with custom rules for iptables. This action renders all device network activity opaque to the upstream carrier—barring exceptional intervention, all efforts to track a user are afterwards futile.

A Bundle of Tor by Kyle Rankin: the best way to set up Tor on your personal machine.

Go to Full Article

Tor Security for Android and Desktop Linux

Charles Fisher — Wed, 12 Apr 2017 15:32:53 +0000

by Charles Fisher

Introduction

Internet service providers in the United States have just been given the green light to sell usage history of their subscribers by S J Res 34, opening the gates for private subscriber data to become public. The law appears to direct ISPs to provide an "opt-out" mechanism for subscribers to retain private control of their usage history, which every subscriber should complete.

This comes at an interesting time for the new Trump presidency, as he appears to be preparing the Justice Department to prosecute Susan Rice for accessing telephone records of his associates while she was the National Security Advisor for the Obama administration. It is ironic and unconscionable that President Trump has chosen to erode internet usage privacy for his constituents while fiercely defending the telephone records of those closest to him.

Orbot for Android

A rooted Android device is required for the highest levels of service for Tor and is now a "must-have" for users who place great value on privacy. Android stock devices (where root is controlled by the Original Equipment Manufacturer [OEM] and/or the carrier) are able to use the network with applications that are aware of the local Tor client, but full root control of User ID zero is a precondition for total obfuscation of device network traffic. Carriers and OEMs work very hard to lock devices and prevent users from rooting, but they are also quite lazy in applying security updates, and a thriving industry has emerged for Android owners seizing privileged access by exploiting security flaws. A few relevant resources for rooting are Sunshine, KingRoot and KingoRoot. Depending upon the hardware model, these programs can be effective in breaking Android systems free. Research on these tools and methods is best conducted in the discussion forums for XDA Developers.

Go to Full Article

A Bundle of Tor

Kyle Rankin — Thu, 03 Jul 2014 18:15:46 +0000

by Kyle Rankin

I don't know how many readers know this, but my very first Linux Journal column ("Browse the Web without a Trace", January 2008) was about how to set up and use Tor. Anonymity and privacy on the Internet certainly take on a different meaning in the modern era of privacy-invading software and general Internet surveillance. I recently went back and read my original column, and although the first few paragraphs were written six years ago, they seem just as relevant today:

Is privacy dead? When I think about how much information my computer and my gadgets output about me on a daily basis, it might as well be. My cell phone broadcasts my general whereabouts, and my Web browser is worse—every site I visit knows I was there, what I looked at, what browser and OS I use, and if I have an account on the site, it could know much more.

Even if you aren't paranoid (yet), you might want to browse the Web anonymously for many reasons. For one, your information, almost all of it, has value, and you might like to have some control over who has that information and who doesn't. Maybe you just want to post a comment to a blog without the owner knowing who you are. You even could have more serious reasons, such as whistle-blowing, political speech or research about sensitive issues such as rape, abuse or personal illness.

Whatever reason you have for anonymity, a piece of software called Tor provides a secure, easy-to-setup and easy-to-use Web anonymizer. If you are curious about how exactly Tor works, you can visit the official site at http://tor.eff.org), but in a nutshell, Tor installs and runs on your local machine. Once combined with a Web proxy, all of your traffic passes through an encrypted tunnel between three different Tor servers before it reaches the remote server. All that the remote site will know about you is that you came from a Tor node.

The rest of the article went into detail on how to use the Knoppix live disk to download and install Tor completely into ramdisk. Tor has come a long way since those days though, so I decided it was high time to revisit this topic and explain the best way to set up Tor on your personal machine today.

Get the Tor Browser Bundle

In the past, Tor installation meant installing the Tor software itself, configuring a proxy and pulling down a few browser plugins. Although you still can set it up that way if you want, these days, everything is wrapped up in a tidy little package called the Tor browser bundle. This single package contains Tor, its own custom Web browser already configured with privacy-enhancing settings and a user interface that makes it easy to start and stop Tor on demand.

Go to Full Article

NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance

Kyle Rankin — Thu, 03 Jul 2014 16:51:46 +0000

by Kyle Rankin

A new story published on the German site Tagesschau and followed up by BoingBoing and DasErste.de has uncovered some shocking details about who the NSA targets for surveillance including visitors to Linux Journal itself.

While it has been revealed before that the NSA captures just about all Internet traffic for a short time, the Tagesschau story provides new details about how the NSA's XKEYSCORE program decides which traffic to keep indefinitely. XKEYSCORE uses specific selectors to flag traffic, and the article reveals that Web searches for Tor and Tails--software I've covered here in Linux Journal that helps to protect a user's anonymity and privacy on the Internet--are among the selectors that will flag you as "extremist" and targeted for further surveillance. If you just consider how many Linux Journal readers have read our Tor and Tails coverage in the magazine, that alone would flag quite a few innocent people as extremist.

While that is troubling in itself, even more troubling to readers on this site is that linuxjournal.com has been flagged as a selector! DasErste.de has published the relevant XKEYSCORE source code, and if you look closely at the rule definitions, you will see linuxjournal.com/content/linux* listed alongside Tails and Tor. According to an article on DasErste.de, the NSA considers Linux Journal an "extremist forum". This means that merely looking for any Linux content on Linux Journal, not just content about anonymizing software or encryption, is considered suspicious and means your Internet traffic may be stored indefinitely.

One of the biggest questions these new revelations raise is why. Up until this point, I would imagine most Linux Journal readers had considered the NSA revelations as troubling but figured the NSA would never be interested in them personally. Now we know that just visiting this site makes you a target. While we may never know for sure what it is about Linux Journal in particular, the Boing Boing article speculates that it might be to separate out people on the Internet who know how to be private from those who don't so it can capture communications from everyone with privacy know-how. If that's true, it seems to go much further to target anyone with Linux know-how.

Go to Full Article