Silk Road forums

Discussion => Security => Topic started by: wakannabi on June 18, 2012, 01:54 am

Title: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 18, 2012, 01:54 am
or the paranoid android setup!

I wanted to create a thread to gather all IT experts around the forum and try to create a tutorial for a safe system. We (buyers) do not need to go to the extreme measures vendors do. But some of us have lives to protect and want to be as secure as possible. Even if the setup involves 3 desktops with 3 operating systems I don't care; the purpose of this thread is solely security and anonymity.

We should create a list with all the do's and don'ts of security and of possible setups. Later it could evolve into a tutorial updated as needed.

I know there are a lot of things to worry about such as browser configuration, MAC address, DNS requests, etc.
I already read the Tor guides, black hat surfing, etc., but

Wouldn't it be great to gather all the info on the same topic?

I would organize it and update it here.

For now, since I'm not an expert, I will just leave some questions around and count on your valuable knowledge.
Please feel free to post your thoughts and setups.
************************************************************************************************************
For now we have:

-> Operating System:
    *Some OSes are more "hacker resistant" than others.
    *Linux and BSD are pretty good.
    *FreeBSD - a lot of security potential but you need some "advanced" knowledge to configure them (lacks ASLR).
    *Hardened Gentoo (Liberte) - can be secured in great detail if you have time and know what you are doing (has ASLR).
    *Tails can be used on a USB stick or even on a live CD if you are paranoid about traces.
    *OpenBSD - good out of the box security but as soon as you install some software you can create some vulnerabilities.
    *Other solutions like plan9, inferno, sel4 are still developing so if you have any experience with them feel free to post.


DO'S

*You should use bridges (public are ok but if you can find a private one that you trust it's even better).
If you're a vendor or someone that's a more valuable target to LE then I would suggest finding a trustworthy private bridge.
*You should spoof your MAC address if you are running a wireless connection.
*You can try to connect to a neighbor's wifi (be sure to change the MAC address) or even crack it if it's WEP (there is a lot of info out there related to WEP cracking).
*If you are using VMware Workstation make sure you check the option
HardDisk -> Advanced -> Independent -> Nonpersistent
This changes the disks to nonpersistent mode so no info is saved to the disks, and the info is lost when the virtual machine is powered off or reset.
*You should use hidden volumes with TrueCrypt so if you get caught you can always open the first volume and they will not even know there is a second volume. Use a strong password for the "open" volume and a strong password for the hidden volume.
*You should remove the EXIF metadata from all images you post. Not doing this can expose a lot of info including your GPS location if it was shot with a mobile phone. There will be a tutorial on how to do this.

DONT'S

*Do Not open .onion websites outside Tor Browser Bundle.
*Do Not surf both the darknet and clearnet at the same time (could be a problem if the connection dies, for example, so better be on the safe side).
*Do Not use JavaScript when using Tor because there is a greater security risk (although it can give you a greater browser fingerprint crowd).
*Do Not use a private bridge connected with any illegal activity if you don't trust the person or group who is running it.
*Do Not use a wireless connection (connect via ethernet instead) if you want fewer security risks (there is no problem with a wireless connection, you just have to take the adequate measures to use it).


Sub guides to include in the future:

#Spoofing MAC Address
#Setting up private and public bridges
#Removing EXIF metadata from images

#Securing the entry node with VPN (https://tails.boum.org/todo/vpn_support/)
#Securing the exit node with proxy
# obfsproxy
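
The "remove the EXIF metadata" item above is the one piece of this list that is easy to get wrong silently, because a picture with GPS data looks identical to one without. The following is an added example, not code from the thread or from any tool mentioned in it: it walks the JPEG segment table, reports whether the Exif APP1 block carries a GPSInfo IFD, and drops that block without touching the compressed picture data. The sample image bytes are constructed inline so it runs offline.

```python
"""Added example: detect and strip Exif (incl. GPS IFD) from a JPEG by segment
walking, without re-encoding the image. The sample JPEG below is constructed."""
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER_TAG = 0x8825                      # GPSInfo entry in IFD0
STANDALONE = {0xFF01} | set(range(0xFFD0, 0xFFD8))  # TEM and RSTn have no length


def iter_segments(data: bytes):
    """Yield (marker, offset, total_length) for every segment before SOS.
    Scan data after SOS is not length-delimited, so walking stops there."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (SOS, EOI):
            return
        if marker in STANDALONE:
            yield marker, pos, 2
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, pos, 2 + seg_len
        pos += 2 + seg_len


def is_exif_app1(data: bytes, marker: int, off: int, length: int) -> bool:
    return marker == APP1 and data[off + 4:off + length].startswith(EXIF_HEADER)


def exif_has_gps(payload: bytes) -> bool:
    """True if IFD0 of the Exif payload (header + TIFF) has a GPSInfo pointer."""
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):                        # 12-byte IFD entries
        entry = ifd0 + 2 + 12 * i
        if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_POINTER_TAG:
            return True
    return False


def inspect(data: bytes) -> dict:
    """What you want to know before an upload: is Exif there, does it carry GPS."""
    result = {"has_exif": False, "has_gps": False, "exif_bytes": 0}
    for marker, off, length in iter_segments(data):
        if is_exif_app1(data, marker, off, length):
            result["has_exif"] = True
            result["exif_bytes"] += length
            result["has_gps"] |= exif_has_gps(data[off + 4:off + length])
    return result


def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment dropped; scan data untouched.
    XMP (also APP1) and IPTC (APP13) can carry location too and are out of scope."""
    out = bytearray(data[:2])
    pos = 2
    for marker, off, length in iter_segments(data):
        if not is_exif_app1(data, marker, off, length):
            out += data[off:off + length]
        pos = off + length
    out += data[pos:]                             # SOS through EOI, verbatim
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, Exif APP1 (IFD0: Make + GPSInfo), SOS stub, EOI."""
    entries = [
        (0x010F, 2, 4, b"Cam\x00"),                           # Make, ASCII, inline
        (GPS_IFD_POINTER_TAG, 4, 1, struct.pack("<I", 38)),   # GPS IFD at offset 38
    ]
    ifd0 = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd0 += struct.pack("<HHI", tag, typ, count) + value
    ifd0 += struct.pack("<I", 0)                              # no IFD1
    # 8-byte TIFF header + 30-byte IFD0 = 38, so the GPS IFD follows directly
    gps_ifd = struct.pack("<H", 1) + struct.pack("<HHI", 0x0000, 1, 4) + b"\x02\x03\x00\x00"
    gps_ifd += struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(payload)) + payload
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes([1, 1, 0, 0, 63, 0]) + b"\x12\x34"
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"


if __name__ == "__main__":
    img = build_sample_jpeg()
    print("before:", inspect(img))
    print("after: ", inspect(strip_exif(img)))
```

Run `inspect()` again on the stripped output before posting; a tool that only rewrites the GPS tags while leaving the rest of the Exif block in place would still report `has_exif` as true.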

Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: opentoe on June 18, 2012, 03:31 am
The ONLY way I access SR or anything to do with it is using MS VirtualPC. The entire OS is encapsulated in one big VM file. I think it is better than a USB card since I can lose that or someone can take it. If I have to ditch my VM quickly I can just delete the entire VM itself. Then I can use SDELETE multiple times on my drive. Then I'm safe. Now, if there's ever a chance I got busted and they charged through my door I may have a hard time doing all that. This is why I created a batch file which I just double click on that will erase the VM and run sdelete automatically. There are also hard drive killer programs out there that I may check out too. Also, when you communicate private/sensitive information ALWAYS use PGP. If you don't know how to use it, then LEARN IT. Never use a vendor that doesn't at least provide it.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: wakannabi on June 18, 2012, 05:12 am
Thanks for your answer opentoe.

1- Why did you need to create the batch file?
If you are not at home when you're raided you are f*cked! Wouldn't it be easier to make whole disk encryption with TC for example? On top of that you could encrypt the VM with another software / password. With a strong password that would be difficult to decrypt, right?

2- Are there any temporary files leaking from VM usage to the other OS?
 
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: peach on June 18, 2012, 06:37 am
SMART SECURE SET UPS:

For anonymity:
==========
A Practical Setup:
Use Tor. Period

(Arguably) a little more secure:
Use a VPN first, then connect to Tor.

To hide stuff from prying eyes:
=====================
Use a Truecrypt volume.

To hide the fact that you hide stuff:
========================
Use a Truecrypt Hidden Volume.


PARANOID SETUPS:
All of above, but within a virtual machine.
The image of the virtual machine can be saved within a Truecrypt volume.

POINTLESS PARANOID-SCHIZO SETUP:
Within the Virtual Machine, use Sandboxie to open Tor and other browsers.

Honestly, paranoia can make you protect against imaginary threats, while leaving you exposed to stupid basic mistakes in the real world.
For practical purposes, just using Tor and TrueCrypt is more than enough. Anything beyond that is truly pointless and a waste of time and effort.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: kmfkewm on June 18, 2012, 07:22 am
Quote
SMART SECURE SET UPS:

For anonymity:
==========
A Practical Setup:
Use Tor. Period

(Arguably) a little more secure:
Use a VPN first, then connect to Tor.

To hide stuff from prying eyes:
=====================
Use a Truecrypt volume.

To hide the fact that you hide stuff:
========================
Use a Truecrypt Hidden Volume.


PARANOID SETUPS:
All of above, but within a virtual machine.
The image of the virtual machine can be saved within a Truecrypt volume.

POINTLESS PARANOID-SCHIZO SETUP:
Within the Virtual Machine, use Sandboxie to open Tor and other browsers.

Honestly, paranoia can make you protect against imaginary threats, while leaving you exposed to stupid basic mistakes in the real world.
For practical purposes, just using Tor and TrueCrypt is more than enough. Anything beyond that is truly pointless and a waste of time and effort.

Until you get your non-encrypted communications intercepted, or like, get hacked with a CIPAV.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: wakannabi on June 18, 2012, 07:49 am
Quote
SMART SECURE SET UPS:

For anonymity:
==========
A Practical Setup:
Use Tor. Period

(Arguably) a little more secure:
Use a VPN first, then connect to Tor.

To hide stuff from prying eyes:
=====================
Use a Truecrypt volume.

To hide the fact that you hide stuff:
========================
Use a Truecrypt Hidden Volume.


PARANOID SETUPS:
All of above, but within a virtual machine.
The image of the virtual machine can be saved within a Truecrypt volume.

POINTLESS PARANOID-SCHIZO SETUP:
Within the Virtual Machine, use Sandboxie to open Tor and other browsers.

Honestly, paranoia can make you protect against imaginary threats, while leaving you exposed to stupid basic mistakes in the real world.
For practical purposes, just using Tor and TrueCrypt is more than enough. Anything beyond that is truly pointless and a waste of time and effort.

Hello Peach,

Why is it so simple and then again we have a lot of people discussing security methods and programs etc.?
Would you say that the biggest seller here would use only your setup and have peace of mind? I don't think so.

Wouldn't TOR be first to the VPN? (Tor always in the first place)

Is TrueCrypt still safe even if it is not endorsed by a lot of people anymore?


I would like to hear discussed things like for example:
1- Which operating system is your favourite for anonymity?
2- Is it dangerous to try to enter a .onion site on the clearnet browser?
3- Can we browse the deep web and clearnet at the same time?
4- Why does the browser in Liberte come with JavaScript enabled?
5- Should we use bridges? Public or private?
6- DNS requests
7- MAC address spoof
8- VPNs, privoxy, etc.

What is the expert's opinion about this guide?
http://www.cyberguerrilla.info/?p=3322
http://hackingalert.blogspot.pt/2011/12/complete-guide-to-staying-anonymous-on.html
http://www.breakthesecurity.com/2011/08/guide-to-online-anonymity-how-can-i-be.html


Quote
Until you get your non-encrypted communications intercepted, or like, get hacked with a CIPAV.

What's the best way to protect against CIPAV? Run in a distro or use a program like Malwarebytes?
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: kmfkewm on June 18, 2012, 08:59 am
Quote
1- Which operating system is your favourite for anonymity?

Strictly speaking, the operating system has not a whole lot to do with anonymity although some are more resistant to hackers than others. Hackers can indirectly pwn your anonymity by rooting you and getting your IP address around Tor. They could also directly pwn Tor by either hacking you through a vulnerability in it or by rooting the relays you use. There are several nice operating systems. Anything Linux or BSD is pretty good. OpenBSD focuses heavily on out of the box security, although the box doesn't have much in it until you add programs that are probably not anywhere near as secure as a base OpenBSD install. It does have technologies for making some sorts of vulnerabilities non-exploitable though, for example ASLR. FreeBSD is another OS that has a lot of security potential, it has a very extensive and highly configurable selection of security modules, but you will need to learn how to use them and this is not trivial. FreeBSD also lacks ASLR which is pretty shitty imo. Hardened Gentoo has probably got the most depth to its potential security, in that it has a lot of configurable security modules as well as having out of the box features like ASLR. I think that Hardened Gentoo can probably be secured to a greater degree than OpenBSD or FreeBSD if you know what you are doing and take the time to do it. There are various other solutions that are much more esoteric: plan9, inferno, sel4, etc. I honestly know little about these solutions, but I am under the impression that they can be much more secure than either Linux or BSD. sel4 is a formally verified microkernel meaning that it is in theory probably impossible to hack (but in reality some of the assumptions they make don't hold yet, so it is not unhackable in practice yet). It is also not open source, although it has been reviewed by several people. I think sel4 is seen as largely an academic exercise still.

Quote
Is it dangerous to try to enter a .onion site on the clearnet browser?

Unless you are very sure that you don't need to, you should use the Tor Browser Bundle.


Quote
Can we browse the deep web and clearnet at the same time?

It can open you up to some problems, especially if you are browsing the same site anonymously and non-anonymously simultaneously and your connection dies. In general, it is pretty safe if you avoid this, I would not worry about it. Especially if you are only surfing .onion sites.

Quote
Why does the browser in Liberte come with JavaScript enabled?

Probably because they are dumbasses and like javascript. Having javascript enabled does give you a bigger browser fingerprint crowd to hide in, but I personally find the increased risk to haxx0ring to be unacceptable.

Quote
Should we use bridges? Public or private?

Ideally you will use a private bridge that you find anywhere other than SR (or other illegal channels), public bridge is okay though. I strongly suggest using bridges.

Quote
DNS requests

What about them?
Quote
MAC address spoof

I suggest frequently spoofing your mac address.

Quote
VPNs, privoxy, etc.

VPNs are pretty much worthless imo, I prefer obfsproxy bridges for membership concealment and Tor is better than any VPN. Privoxy is not needed, use tor browser bundle. Avoid polipo entirely.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: wakannabi on June 18, 2012, 09:51 am
Thanks for the detailed answers kmfkewm. Nice info!
That's what I'm talking about: a lot more people should join the discussion and take it to the maximum detail. Even if there are people that do not agree on some points, that's how you create solutions for problems.

I will compile it and revise it as the discussion goes on. So far…



-> Operating System:
    *Some OSes are more "hacker resistant" than others
    *Linux and BSD are pretty good
    *FreeBSD - a lot of security potential but you need some "advanced" knowledge to configure them (lacks ASLR)
    *Hardened Gentoo (Liberte) - can be secured in great detail if you have time and know what you are doing (has ASLR)
    *OpenBSD - good out of the box security but as soon as you install some software you can create some vulnerabilities
    *Other solutions like plan9, inferno, sel4 are still developing so if you have any experience with them feel free to post



DO'S and DONT'S


*You should use bridges (public are ok but if you can find a private one that you trust it's even better)
*You should spoof your MAC address if you are running a wireless connection


*Do Not open .onion websites outside Tor Browser Bundle.
*Do Not surf both the darknet and clearnet at the same time (could be a problem if the connection dies, for example, so better be on the safe side)
*Do Not use JavaScript when using Tor because there is a greater security risk (although it can give you a greater browser fingerprint crowd)
*Do Not use a private bridge connected with any illegal activity if you don't trust the person or group who is running it
*Do Not use a wireless connection (connect via ethernet instead) if you want fewer security risks (there is no problem with a wireless connection, you just have to take the adequate measures to use it)



Sub guides to include in the future:

#Spoofing MAC Address
#Setting up private and public bridges


Questions:

1- What does ASLR stand for?
2- Which Hardened Gentoo could be used? I suspect Tails, Liberte. What about Qubes?
3- What's the difference in security between running Liberte from the pen drive or inside a VM? Liberte warns us when on a VM…
4- Is Mac OS X Lion any good anonymity-wise? What about Windows?
5- Which software is better (security-wise) to use as a VM? VMware, Parallels, VirtualBox? I guess it's all the same; the only difference is that VirtualBox is free and open source, I think.
6- Which free open source alternatives do we have similar to TrueCrypt? Not for whole disk encryption but rather for a folder. Strong encryption also.
7- What is browser fingerprint and why is it so important? I know that your browser can have unique characteristics that can differentiate it from others but how is that going to reveal who you are or where you are? Any good website to test browser fingerprint? What's an acceptable minimum number of browsers equal to our browser?

I could go on but that's it for now, otherwise it gets too confusing to get straight answers.

If anything is wrong just correct me!

Thanks for the support
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: Catnip on June 18, 2012, 03:30 pm
I use VMware Workstation and the image is stored in a TrueCrypt container. In VMware check the option: HardDisk -> Advanced -> Independent -> Nonpersistent. Changes to disks in nonpersistent mode are not saved to the disks, but are lost when the virtual machine is powered off or reset.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: Meister on June 18, 2012, 06:30 pm

Quote
VPNs, privoxy, etc..

VPNs are pretty much worthless imo, I prefer obfsproxy bridges for membership concealment and Tor is better than any VPN. Privoxy is not needed, use tor browser bundle. Avoid polipo entirely.

I would argue using a VPN to connect to Tor would be very beneficial in protecting your IP from the Tor entry node, which is the most vulnerable to sniffers to obtain origin IPs, as well as hiding the fact you are even using Tor from your ISP.

Basically my understanding and thinking is Tor is very secure with its weakest points being the entry and exit nodes. Securing these is of the most importance - whether that's by using a VPN with Tor and then an encrypted proxy to hide the exit node as well or any other method.

Tor is so innovative in that out of the box it can provide novice users with such powerful anonymity that avid hackers a decade ago would have seen as a godsend. The problem is when you're trying to secure Tor's vulnerable entry/exit nodes, by whichever method, it's important to both understand and keep up to date on these methods or you're going to end up more vulnerable than you were without using them at all.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: Delta11 on June 18, 2012, 08:27 pm
I was doing VPN > TOR for a while until I kept reading it was a bad thing to do, mainly the creators of tails made me think twice before using a VPN with TOR.

https://tails.boum.org/todo/vpn_support/


1- Which operating system do you prefer?
I prefer using tails on a usb because it's easily accessible and is very secure.

2- Is it dangerous to try to enter a .onion site on the clearnet browser?
Yes.

3- Can we browse the deep web and clearnet at the same time?
If you absolutely have to, make sure to use a different browser like Chrome.

4- Why does the browser in Liberte come with JavaScript enabled?
JavaScript can be dangerous and used to track you or hack into your computer so I would always disable it. The browser in Liberte is only to be used when you need to access sites you can't normally access via TOR such as Mt. Gox.

5- Should we use bridges? Public or private?
Public bridges are okay to use but if you're a vendor or someone that's a more valuable target to LE then I would suggest finding a trustworthy private bridge.


Secure Tor Setup:
-Install tails on a usb stick or a cd if you're paranoid that you might leave data on the usb (cd is read-only)
-Get a second usb/memory card and encrypt it using truecrypt but make sure to encrypt with a hidden partition.
-Select an easy/crackable password for the outer volume and then make the password for the hidden partition very strong/secure.
-On your outer volume put embarrassing things (Pictures of your ex, naked pics of dudes, etc) that way if you're ever forced to decrypt your drive you'll just facepalm and say "Okay you found my secret you asshole."
-On your hidden partition keep all of your sensitive info and make sure to even PGP text files just in case.
-Try to connect to a neighbor's wifi, chances are there are some unsecured ones. If there aren't any unsecured networks then check to see if any of them are locked with WEP, they are easy to crack but you'll have to figure that out on your own.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: Meister on June 18, 2012, 08:52 pm
Quote
VPNs, privoxy, etc..

VPNs are pretty much worthless imo, I prefer obfsproxy bridges for membership concealment and Tor is better than any VPN. Privoxy is not needed, use tor browser bundle. Avoid polipo entirely.

What do you think about obfsproxy so far? I'm still hesitant to use it since it's still very early in development. I read a thread on wilders a while back talking about how insecure it was because obfsproxy passes Tor's environment variables along.

Quote
I was doing VPN > TOR for a while until I kept reading it was a bad thing to do, mainly the creators of tails made me think twice before using a VPN with TOR.

I don't know why that would be. If you use a VPN with Socks VPN Proxy then you're much safer off than just using Tor itself. Then if you go to Tor's settings then network tab you can select that you use a proxy to access the internet.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: wakannabi on June 19, 2012, 12:35 am
FIRST POST UPDATED WITH INFO! NEW QUESTIONS ARE ALWAYS ON THE LAST POST.

Quote
I use VMware Workstation and the image is stored in a TrueCrypt container. In VMware check the option: HardDisk -> Advanced -> Independent -> Nonpersistent. Changes to disks in nonpersistent mode are not saved to the disks, but are lost when the virtual machine is powered off or reset.

Thanks for the tip! What OS are you using with the VMware?



Quote
VPNs, privoxy, etc..

VPNs are pretty much worthless imo, I prefer obfsproxy bridges for membership concealment and Tor is better than any VPN. Privoxy is not needed, use tor browser bundle. Avoid polipo entirely.

I would argue using a VPN to connect to Tor would be very beneficial in protecting your IP from the Tor entry node, which is the most vulnerable to sniffers to obtain origin IPs, as well as hiding the fact you are even using Tor from your ISP.

Basically my understanding and thinking is Tor is very secure with its weakest points being the entry and exit nodes. Securing these is of the most importance - whether that's by using a VPN with Tor and then an encrypted proxy to hide the exit node as well or any other method.

Tor is so innovative in that out of the box it can provide novice users with such powerful anonymity that avid hackers a decade ago would have seen as a godsend. The problem is when you're trying to secure Tor's vulnerable entry/exit nodes, by whichever method, it's important to both understand and keep up to date on these methods or you're going to end up more vulnerable than you were without using them at all.

I think these are really important points we have to discuss!

---> Securing the entry node with VPN (does it get you safer or is it worse?) I want to hear some opinions.

---> Securing the exit node with proxy

---> the use of obfsproxy (it's still quite new but if someone has more info about the subject)

And I think an important discussion was started in other thread:

Quote
Just set up your own bridge. Purchase shell access/VPS on some offshore server using e-currency or a prepaid credit card, then install a tor bridge on port 443. Keep changing servers and/or use VPNs to connect to tor, and mix in a few public bridges along with the private one from time to time. Don't do anything at regular intervals; keep shit random! Also, open wifi FTW!!! <--- don't forget to randomize your MAC addresses if using wifi!!


What do you guys think about this guide?
http://www.cyberguerrilla.info/?p=3322&page=6
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: kmfkewm on June 19, 2012, 02:19 am

Quote
VPNs, privoxy, etc..

VPNs are pretty much worthless imo, I prefer obfsproxy bridges for membership concealment and Tor is better than any VPN. Privoxy is not needed, use tor browser bundle. Avoid polipo entirely.

I would argue using a VPN to connect to Tor would be very beneficial in protecting your IP from the Tor entry node, which is the most vulnerable to sniffers to obtain origin IPs, as well as hiding the fact you are even using Tor from your ISP.

Basically my understanding and thinking is Tor is very secure with its weakest points being the entry and exit nodes. Securing these is of the most importance - whether that's by using a VPN with Tor and then an encrypted proxy to hide the exit node as well or any other method.

Tor is so innovative in that out of the box it can provide novice users with such powerful anonymity that avid hackers a decade ago would have seen as a godsend. The problem is when you're trying to secure Tor's vulnerable entry/exit nodes, by whichever method, it's important to both understand and keep up to date on these methods or you're going to end up more vulnerable than you were without using them at all.

But adding a VPN before Tor just changes the entry point. In all low latency systems, entry and exit are vulnerable points.
Title: Re: Extreme Secure Anonymous Setup (ESAS)
Post by: wakannabi on June 19, 2012, 02:47 am

Quote
VPNs, privoxy, etc..

VPNs are pretty much worthless imo, I prefer obfsproxy bridges for membership concealment and Tor is better than any VPN. Privoxy is not needed, use tor browser bundle. Avoid polipo entirely.

I would argue using a VPN to connect to Tor would be very beneficial in protecting your IP from the Tor entry node, which is the most vulnerable to sniffers to obtain origin IPs, as well as hiding the fact you are even using Tor from your ISP.

Basically my understanding and thinking is Tor is very secure with its weakest points being the entry and exit nodes. Securing these is of the most importance - whether that's by using a VPN with Tor and then an encrypted proxy to hide the exit node as well or any other method.

Tor is so innovative in that out of the box it can provide novice users with such powerful anonymity that avid hackers a decade ago would have seen as a godsend. The problem is when you're trying to secure Tor's vulnerable entry/exit nodes, by whichever method, it's important to both understand and keep up to date on these methods or you're going to end up more vulnerable than you were without using them at all.

But adding a VPN before Tor just changes the entry point. In all low latency systems, entry and exit are vulnerable points.

So would the VPN help, or is changing the entry point a bad thing?
Here is a discussion about VPN and TOR:
https://tails.boum.org/forum/VPNs_and_Tor__44___Tor_and_VPNs
https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN


Hey Delta11, can you use TC on Tails? I think they stopped supporting it....
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: peach on June 19, 2012, 06:03 am
lol, stacking stuff together doesn't make things more secure.
This is as ridiculous as those n00bs discussing about key-lengths in cryptographic systems.

Using Tor first and then to VPNs is a bad idea, and it doesn't add more security.
In fact, those noobs talking about "rooting" you through TOR, I dare them to show me a single case of such thing happening.

Tor is not just a chain of sockets, it has a very definite architecture that is designed to be very resilient.
Researchers around the world still didn't find a single serious weakness in it.

The operating system is important, but more than the OS that you are using, what really matters is what services/daemons you are running in the background.
In fact, generally speaking, if you are not running a server, the opportunities of being "rooted" are close to nil, unless you fall for a social engineering attack.

A Windows workstation with no services running will be infinitely more secure than an old Linux installed by a n00b with an outdated sendmail daemon.
It is not what you are using, but how the hell you use it and how well you know your shit.

The VPN before Tor is not really to strengthen Tor at all, Tor is very good by itself alone. And no, it is not to protect you from the entry node. That statement just demonstrates that they don't understand a shit about how Tor works.

The ONLY reason why you should be using a VPN before starting a Tor session is just as an extra safety measure in the case that there is a leak from your computer, i.e. if you have forgotten to turn off Java or Flash (or asx, docx, etc.) and someone tries to create a side-channel leak by creating a direct connection to you circumventing the Tor network.
The VPN would offer a second layer of defense against that kind of attack; it is a safety net in the case that Tor is bypassed.

Of course, if you are using the Tor Bundle, such type of attacks are prevented by default, but still. Someone could have found an obscure vulnerability and be exploiting a side-channel, and in the remote event that that happens, you are already covered.

In short, VPN+TOR is a good combination.
TOR+VPN is dumb, and the explanation of why it is dumb is very long. But believe me, it is stupid.

If you are worried about exit nodes, just use HTTPS always by default. Period.
I honestly don't give a shit about exit nodes because I only use hidden services.

Now regarding to your questions:
1- Which operating system is your favourite for anonymity?
OS has nothing to do with anonymity.
It is irrelevant, I can be perfectly anonymous in any OS.

2- Is it dangerous to try to enter a .onion site on the clearnet browser?
If it is regarding to anonymity, you MUST be sure to disable all plugins, add-ons, scripts, java.
Although counter-intuitive, you should leave javascript on. Turning Javascript off makes you very easily uniquely identifiable in browser fingerprinting, therefore it makes you less anonymous, even when you are using TOR.

The best advice is to use the TOR Bundle, which comes pre-configured properly to keep you anonymous.
If you don't know what you are doing, just don't touch anything and use it as it comes.

3- Can we browse the deep web and clearnet at the same time?
Sure. Although who knows, maybe one "deep web" site is vulnerable to CSRF and a clearnet exploits it, but nah... what are the odds.

4- Why does the browser in Liberte come with JavaScript enabled?
Read #2

5- Should we use bridges? Public or private?
No need really, unless Tor is being censored by a government.

6- DNS requests
Use Tor Bundle and don't worry about DNS leaks.

7- MAC address spoof
Ludicrous, mac addresses are never leaked to the internet.
You can spoof it for fun if you want, but it is neither going to increase your security nor anonymity.

8- VPNs, privoxy, etc.
Bleh, I am done.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 19, 2012, 06:56 am
Thanks peach for your contribution.

Quote
The operating system is important, but more than the OS that you are using, what really matters is what services/daemons you are running in the background.
In fact, generally speaking, if you are not running a server, the opportunities of being "rooted" are close to nil, unless you fall for a social engineering attack.

A Windows workstation with no services running will be infinitely more secure than an old Linux installed by a n00b with an outdated sendmail daemon.
It is not what you are using, but how the hell you use it and how well you know your shit.

1- How could one person block all other services besideds the Tor Browser Bundlle on windows? I know that for example on mac you have little snitch wich is a very good firewall. How do you think it's better to do it on windows? Wouldn't for example tails already be configured to use only torriefied connections?

2- Tor Browser Bundle has no DNS leaks? Are you sure about that? Doesn't the ISP know which sites you are accessing or if you are using TOR?

3- Wouldn't bridges help if you live in the middle of nowhere in a country with few TOR users because of restrictions?

4- Spoofing your MAC address becomes essential if you use a public wireless network, right? What other dangers can one have from using public networks?


Although counter-intuitive, you should leave javascript on. Turning Javascript off makes you very easily uniquely identifiable in browser fingerprinting, therefore it makes you less anonymous, even when you are using TOR.
5- But still, javascript is dangerous turned on, right?


all the best
waka
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: peach on June 19, 2012, 08:06 am
1- How could one person block all other services besides the Tor Browser Bundle on Windows? I know that, for example, on Mac you have Little Snitch, which is a very good firewall. How do you think it's better to do it on Windows? Wouldn't, for example, Tails already be configured to use only torified connections?

Why do you need to torify everything?
This is not only impractical, but also it might make you susceptible to correlational attacks.

2- Tor Browser Bundle has no DNS leaks? Are you sure about that? Doesn't the ISP know which sites you are accessing or if you are using TOR?

Firefox comes preconfigured with DNS prefetching fixed.
The ISP has no effing clue about where you are browsing with Tor. The only thing they can know is that you are using Tor, because they see encrypted traffic, but they can't know what, where or how you are using it.

3- Wouldn't bridges help if you live in the middle of nowhere in a country with few TOR users because of restrictions?

As I said.

4- Spoofing your MAC address becomes essential if you use a public wireless network, right? What other dangers can one have from using public networks?

Meh, yeah, and still it is quite irrelevant.
With only a MAC address, they can't know who you are.
Also, if MAC addresses are so easy to spoof, how will they prove that it is actually you and not somebody else spoofing your MAC address?

5- But still, javascript is dangerous turned on, right?

No, it is not. Javascript by itself can't reveal your true IP.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: Meister on June 19, 2012, 01:07 pm
The VPN before Tor is not really to strengthen Tor at all, Tor is very good by itself alone. And no, it is not to protect you from the entry node. That statement just demonstrates that they don't understand a shit about how Tor works.

The ONLY reason why you should be using a VPN before starting a Tor session is just as an extra safety measure in case there is a leak from your computer, i.e. if you have forgotten to turn off Java or Flash (or asx, docx, etc...) and someone tries to create a side-channel leak by creating a direct connection to you, circumventing the Tor network.
The VPN would offer a second layer of defense against that kind of attack; it is a safety net in case Tor is bypassed.

http://www.wilderssecurity.com/showthread.php?t=320677 & hundreds of other threads on wilders.

Tor = ISP can see you're using Tor
VPN > Tor = your ISP cannot see you're connecting to Tor, only your VPN, who I trust far more ;)

So given the nature of SR and the potential for an agency's investigation, they will no doubt request this information from your ISP, where in my case all they would get is clearnet and me connecting to a random IP that happens to be my VPN, no confirmation that I have ever used Tor.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 19, 2012, 01:55 pm
When using a VPN before Tor the ISP would not know that you are using Tor. But what information would the VPN have access to? One thing is your ISP knowing you use TOR; another is giving your IP to the VPN provider.
If you could clear that doubt for me =)
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: Meister on June 19, 2012, 02:27 pm
If you use a VPN service to connect to Tor, then yes, they will have your IP and could see you connect to a Tor IP. This isn't an issue if you create your own VPN. My thinking on this is you can change your IP often, on the fly with a SOCKS proxy, so if LE did get your ISP to provide information, they wouldn't see an IP pattern and would have to go through every IP you connect to one by one? Not likely, but the first thing they would likely do is look and see if you connected to any Tor IPs.

Here's a post from tor-talk that is very similar to my setup:
Set up your own Tor VPN, similar to JanusVM. Really create your own Tor VPN, as JanusVM is closed source, insecure and unmaintained. One virtual machine running Linux will provide a VPN server and forward all traffic through Tor. Then use another virtual machine which has no direct internet access but LAN-only access to the Tor VPN virtual machine, and connect the VPN. After the VPN is running you can add a proxy to Firefox. I tested that myself and it worked perfectly. Unfortunately I tested it with JanusVM and not my own Tor VPN; I am still working on that. This setup could be great: Tor is hiding your ass, Tor Browser is well configured, HTTPS Everywhere helps a bit to stop eavesdropping by exit servers and proxy servers, and you might even be able to use the Firefox addon Stealthy to comfortably turn on/off some untrusted extra proxy.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 19, 2012, 05:51 pm
If you use a VPN service to connect to Tor, then yes, they will have your IP and could see you connect to a Tor IP. This isn't an issue if you create your own VPN. My thinking on this is you can change your IP often, on the fly with a SOCKS proxy, so if LE did get your ISP to provide information, they wouldn't see an IP pattern and would have to go through every IP you connect to one by one? Not likely, but the first thing they would likely do is look and see if you connected to any Tor IPs.

Here's a post from tor-talk that is very similar to my setup:
Set up your own Tor VPN, similar to JanusVM. Really create your own Tor VPN, as JanusVM is closed source, insecure and unmaintained. One virtual machine running Linux will provide a VPN server and forward all traffic through Tor. Then use another virtual machine which has no direct internet access but LAN-only access to the Tor VPN virtual machine, and connect the VPN. After the VPN is running you can add a proxy to Firefox. I tested that myself and it worked perfectly. Unfortunately I tested it with JanusVM and not my own Tor VPN; I am still working on that. This setup could be great: Tor is hiding your ass, Tor Browser is well configured, HTTPS Everywhere helps a bit to stop eavesdropping by exit servers and proxy servers, and you might even be able to use the Firefox addon Stealthy to comfortably turn on/off some untrusted extra proxy.

So you are basically saying that with VMs it's possible to create a VPN inside the same computer, right?

*Your ISP will not know you are connected to TOR, but what information would they be able to get from the VPN IP? Why are you saying to change it a lot of times?

Can somebody comment on this setup?

Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: Meister on June 19, 2012, 06:06 pm
If you use a VPN service to connect to Tor, then yes, they will have your IP and could see you connect to a Tor IP. This isn't an issue if you create your own VPN. My thinking on this is you can change your IP often, on the fly with a SOCKS proxy, so if LE did get your ISP to provide information, they wouldn't see an IP pattern and would have to go through every IP you connect to one by one? Not likely, but the first thing they would likely do is look and see if you connected to any Tor IPs.

Here's a post from tor-talk that is very similar to my setup:
Set up your own Tor VPN, similar to JanusVM. Really create your own Tor VPN, as JanusVM is closed source, insecure and unmaintained. One virtual machine running Linux will provide a VPN server and forward all traffic through Tor. Then use another virtual machine which has no direct internet access but LAN-only access to the Tor VPN virtual machine, and connect the VPN. After the VPN is running you can add a proxy to Firefox. I tested that myself and it worked perfectly. Unfortunately I tested it with JanusVM and not my own Tor VPN; I am still working on that. This setup could be great: Tor is hiding your ass, Tor Browser is well configured, HTTPS Everywhere helps a bit to stop eavesdropping by exit servers and proxy servers, and you might even be able to use the Firefox addon Stealthy to comfortably turn on/off some untrusted extra proxy.

So you are basically saying that with VMs it's possible to create a VPN inside the same computer, right?

*Your ISP will not know you are connected to TOR, but what information would they be able to get from the VPN IP? Why are you saying to change it a lot of times?

Can somebody comment on this setup?

They wouldn't be able to get any information from the VPN, other than confirming that you connected to it which is less damning than confirming you connected to a Tor IP on several hundred/thousand occasions.

You don't have to change the IP, I'm just saying that you can, and can quickly change it at any moment. They know what your ISP is; the only trouble for them is getting your ISP to hand over your logs. They don't know what your VPN is unless they confirm the IP from your logs.

Security depends on who you're trying to protect yourself from. I'm more interested in protecting my freedom from LE and MPAA than protecting myself from a hacking attempt.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 19, 2012, 07:35 pm
If you use a VPN service to connect to Tor, then yes, they will have your IP and could see you connect to a Tor IP. This isn't an issue if you create your own VPN. My thinking on this is you can change your IP often, on the fly with a SOCKS proxy, so if LE did get your ISP to provide information, they wouldn't see an IP pattern and would have to go through every IP you connect to one by one? Not likely, but the first thing they would likely do is look and see if you connected to any Tor IPs.

Here's a post from tor-talk that is very similar to my setup:
Set up your own Tor VPN, similar to JanusVM. Really create your own Tor VPN, as JanusVM is closed source, insecure and unmaintained. One virtual machine running Linux will provide a VPN server and forward all traffic through Tor. Then use another virtual machine which has no direct internet access but LAN-only access to the Tor VPN virtual machine, and connect the VPN. After the VPN is running you can add a proxy to Firefox. I tested that myself and it worked perfectly. Unfortunately I tested it with JanusVM and not my own Tor VPN; I am still working on that. This setup could be great: Tor is hiding your ass, Tor Browser is well configured, HTTPS Everywhere helps a bit to stop eavesdropping by exit servers and proxy servers, and you might even be able to use the Firefox addon Stealthy to comfortably turn on/off some untrusted extra proxy.

So you are basically saying that with VMs it's possible to create a VPN inside the same computer, right?

*Your ISP will not know you are connected to TOR, but what information would they be able to get from the VPN IP? Why are you saying to change it a lot of times?

Can somebody comment on this setup?

They wouldn't be able to get any information from the VPN, other than confirming that you connected to it which is less damning than confirming you connected to a Tor IP on several hundred/thousand occasions.

You don't have to change the IP, I'm just saying that you can, and can quickly change it at any moment. They know what your ISP is; the only trouble for them is getting your ISP to hand over your logs. They don't know what your VPN is unless they confirm the IP from your logs.

Security depends on who you're trying to protect yourself from. I'm more interested in protecting my freedom from LE and MPAA than protecting myself from a hacking attempt.

If that works as mentioned then it's a very nice setup! Can someone comment on it? Not saying it does not work, just want to hear more opinions ;)

You referenced hackers; would this setup put you at greater risk of being hacked? If so, that would make it complicated to decide which way to go, because LE can have someone trying to hack your laptop too.

But I like the idea of having your own VPN and not revealing IP to anyone else. And plus the ISP does not know you are using Tor.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: head on June 19, 2012, 08:01 pm
From the official Tor site:

Quote
you -> VPN/SSH -> Tor

You can route Tor through VPN/SSH services. That prevents your ISP etc. from seeing that you're using Tor. Generally, VPNs are more popular than Tor, so you won't stand out as much. SSH tunnels are not so popular.

Once the VPN client has connected, the VPN tunnel will be the machine's default Internet connection, and the Tor Browser Bundle will route through it.

This can be a fine idea, assuming your VPN/SSH provider's network is in fact sufficiently safer than your own network.

Another advantage here is that it prevents Tor from seeing who you are behind the VPN/SSH. So if somebody does manage to break Tor and learn the IP address your traffic is coming from, but your VPN/SSH was actually following through on their promises (they won't watch, they won't remember, and they will somehow magically make it so nobody else is watching either), then you'll be better off.

I don't understand what your problem with VPN + TOR is. It is maybe bad with Tails, but not everyone is using Tails, so just fuck off with your VPN+TOR=BAD talk. What exactly is so bad about routing Tor through an anonymous VPN with no logging?
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: sourman on June 19, 2012, 11:02 pm
^There's nothing wrong with it at all. It's just a redundant step for MOST. Connecting through a VPN/SSH tunnel first would benefit anyone who doesn't want to be flagged as a tor user. If you don't use bridges (and even then...), it is pretty easy to fingerprint you as a tor user. This can be very bad for some, like the last lulzsec guy, who was caught thanks to a tor timing correlation attack.

If you receive suspicious packages in the mail that some agent/cop thinks came from SR, it can be very bad for you to be identified as a tor user, especially if they have a way to watch SR and correlate the timing between the packets you are exchanging with them. If they tap your internet connection or wifi and see that you are connecting to a Swedish VPN rather than a known tor node or public bridge, then they are SOL. If they somehow gain the VPN's logs (don't believe the no logs BS -- there are always logs at some level), they may see that you are using tor, but they likely won't be able to correlate it with your activity unless they have live access.

I'm not saying it can't be done, but it will take far more resources for them to get past the "Oh damn, he's using a VPN and not tor like we expected" part. Unless you're a vendor, I highly, highly doubt they would bother going this far. OK, maybe for one buyer just to make an example out of you, but not everyone else. Believe it or not, this is not some routine stuff they do all day every day. Only a few dozen agents throughout all the LEAs are actually trained in this shit; the rest have a basic understanding and can't do much without the use of third party tools from private contractors, a la skiddies. I really wouldn't worry about the latter unless you are extremely careless, and the former are wayyyy too busy dealing with foreign government sponsored hackers and whatnot to care right now.

Please continue to be paranoid, just know that at some point you reach a level where your preparations cost more than they provide. Make sure security is tight everywhere: your PCs, your mobile phones, MP3 players, smart phones, dumb phones, the front of your house, your toilet, and most importantly: YOUR MOUTH. Don't waste all your time turning your computer into a barely usable fortress if you're going to brag about all the keWL dRuGz ur ordering on the interwebs. That goes for posting your personal details throughout your stay on SR and the SR forums too. Something like 90% of convictions (and even the initial arrests) are a result of self incrimination. Don't be a witness against yourself and STFU when it comes to SR, especially if you are ever questioned. Politely decline any questions and ask for a lawyer if pressed. I know it's been said a million times before, but I'll say it again because it's THAT important.

It's tough not to talk about SR with your friends, EVER (NOT EVEN FUCKING ONCE). Same goes for slipping personal details onto the forums or to vendors. Just remember, the hardest things are always the most important. Want to make some cash? Even better! Don't tell anyone where you get your pure MDMA or that strain of bud that makes your eyes roll back. Instead of letting them know about SR so they can try to buy the shit themselves (probably leaving more clues for LE along the way), save your money and buy the shit in bulk, then resell it to the same pricks who are likely begging you for your source, just so they can have it all to themselves. At least now you'll have a reason to encrypt your hard drive and cover your tor traffic with a VPN, bridges, or whatever :). If you keep this operation small, it will pay for your drugs and allow you to brag to your friends without revealing your connection to SR. Everyone wins! Well, except your friends, but would THEY tell you about SR if they were the ones getting the cool drugs off the internets? LOL
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 20, 2012, 03:38 am
Thanks sourman for all the input!!
You made some important points there..
Do you think that a user from SR would be better only accessing wifi hot spots ?
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: sourman on June 20, 2012, 10:46 pm
No problem!

If there are hotspots readily available nearby, I'd say do that instead of using something registered to yourself, although I wouldn't recommend going out of your way to find them if you're just ordering personal use amounts in the US, unless of course you have reason to believe your house/area is being watched. If you do use them, make sure you change your MAC address every time and don't stick to the same wifi if possible. The more random and unpredictable your movements, the better.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: peach on June 21, 2012, 02:29 am
No need to move physically, just buy a yagi antenna and use wifi from miles away.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: oscarzululondon on June 21, 2012, 02:58 am
No need to move physically, just buy a yagi antenna and use wifi from miles away.

I'm not going to comment on when, where or why but oh memories....  ;D
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: sourman on June 21, 2012, 03:12 am
No need to move physically, just buy a yagi antenna and use wifi from miles away.

I mentioned high gain yagi antennas and whatnot, and they definitely help in any case (CCTV is way less of a threat), but you still have to move around somewhat for optimum security, especially if you're in a rural area. In a large city, this isn't much of a problem though. Chilling in a big apartment building with tons of other wifi users surrounded by other buildings filled with wifi activity on every channel obviously makes for some good cover, especially if you're accessing an AP at a moderate distance. In this situation, I would still switch APs at random though, just in case. Hacking small WEP keys is simple with the right equipment, and you can find sites that will instantly convert older Verizon FIOS router SSIDs (the ones that look like "FDZR1") to their default WEP keys.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: Meister on June 21, 2012, 01:34 pm
No need to move physically, just buy a yagi antenna and use wifi from miles away.

I'm not going to comment on when, where or why but oh memories....  ;D

I'm going to assume sitting in a hotel room with the antenna by the window scanning for vulnerable wifi entries ;p
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: workforit69 on June 21, 2012, 07:34 pm
^There's nothing wrong with it at all. It's just a redundant step for MOST. Connecting through a VPN/SSH tunnel first would benefit anyone who doesn't want to be flagged as a tor user. If you don't use bridges (and even then...), it is pretty easy to fingerprint you as a tor user. This can be very bad for some, like the last lulzsec guy, who was caught thanks to a tor timing correlation attack.

Thanks for the info, i.e. VPNs. I was also under the impression that if you use a VPN and are downloading to your system it would also protect you, because all of that first goes through your VPN before getting back to you. So even if they were able to see what you were downloading through an exit node, the destination would still be unknown.

I would also like to point out a flaw in paying for your VPN using an anonymous currency like Bitcoin. I recently signed up for a VPN service that accepts BTC but realized that since I am connecting to my VPN directly they can easily obtain my source IP. I even brought this up with the provider and they agreed.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: peach on June 22, 2012, 04:16 am
^There's nothing wrong with it at all. It's just a redundant step for MOST. Connecting through a VPN/SSH tunnel first would benefit anyone who doesn't want to be flagged as a tor user. If you don't use bridges (and even then...), it is pretty easy to fingerprint you as a tor user. This can be very bad for some, like the last lulzsec guy, who was caught thanks to a tor timing correlation attack.

Thanks for the info, i.e. VPNs. I was also under the impression that if you use a VPN and are downloading to your system it would also protect you, because all of that first goes through your VPN before getting back to you. So even if they were able to see what you were downloading through an exit node, the destination would still be unknown.

I would also like to point out a flaw in paying for your VPN using an anonymous currency like Bitcoin. I recently signed up for a VPN service that accepts BTC but realized that since I am connecting to my VPN directly they can easily obtain my source IP. I even brought this up with the provider and they agreed.


This is basic.
1) You must use a VPN service where they have strong privacy ethics and reside where the laws of privacy are strong.
2) You must use hosts from countries where diplomatic relations are broken and extradition laws are incompatible with the country of your target, i.e. if you are going to attack the US, use servers from Venezuela, Iran, China or Russia.

That's why it is childish to make blanket statements. People who preach to stay away from US servers are n00bs.
Security is always relative to its target. If you are going to attack targets within the US, obviously DON'T BE stupid enough to use proxies/VPNs from the US, or from countries that have very close diplomatic relationships with the US (any country in Europe).

But if you are attacking China, the safest host to jump from might be one within the US.
The paperwork itself to get the logs would make the passive tracing a nightmare.

The key to untraceability when dealing with governmental tracking relies on exploiting political and economic limitations, not technical ones.
The key to untraceability when dealing with individuals (hacker teams, mafia, cartels) relies on technical limitations, not political ones.

If you neither know what game you are playing nor how the game is played, you had better not play it at all.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 23, 2012, 07:29 pm
^There's nothing wrong with it at all. It's just a redundant step for MOST. Connecting through a VPN/SSH tunnel first would benefit anyone who doesn't want to be flagged as a tor user. If you don't use bridges (and even then...), it is pretty easy to fingerprint you as a tor user. This can be very bad for some, like the last lulzsec guy, who was caught thanks to a tor timing correlation attack.

Thanks for the info, i.e. VPNs. I was also under the impression that if you use a VPN and are downloading to your system it would also protect you, because all of that first goes through your VPN before getting back to you. So even if they were able to see what you were downloading through an exit node, the destination would still be unknown.

I would also like to point out a flaw in paying for your VPN using an anonymous currency like Bitcoin. I recently signed up for a VPN service that accepts BTC but realized that since I am connecting to my VPN directly they can easily obtain my source IP. I even brought this up with the provider and they agreed.


This is basic.
1) You must use a VPN service where they have strong privacy ethics and reside where the laws of privacy are strong.
2) You must use hosts from countries where diplomatic relations are broken and extradition laws are incompatible with the country of your target, i.e. if you are going to attack the US, use servers from Venezuela, Iran, China or Russia.

That's why it is childish to make blanket statements. People who preach to stay away from US servers are n00bs.
Security is always relative to its target. If you are going to attack targets within the US, obviously DON'T BE stupid enough to use proxies/VPNs from the US, or from countries that have very close diplomatic relationships with the US (any country in Europe).

But if you are attacking China, the safest host to jump from might be one within the US.
The paperwork itself to get the logs would make the passive tracing a nightmare.

The key to untraceability when dealing with governmental tracking relies on exploiting political and economic limitations, not technical ones.
The key to untraceability when dealing with individuals (hacker teams, mafia, cartels) relies on technical limitations, not political ones.

If you neither know what game you are playing nor how the game is played, you had better not play it at all.

So basically what you mean is, if we want to "hide" from the government the best bet is to study their political and economic limitations and use that, for example, for choosing the country where the VPN is established?
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: DomesticShrooms on June 24, 2012, 05:33 am
I just bought a prepaid android with cash on the corner.

I run orweb and orbot and connect to only wifi coffee shops.

I will never even activate this turd.

It's the 40.00 throwaway option*
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: kmfkewm on June 24, 2012, 06:18 am
^There's nothing wrong with it at all. It's just a redundant step for MOST. Connecting through a VPN/SSH tunnel first would benefit anyone who doesn't want to be flagged as a tor user. If you don't use bridges (and even then...), it is pretty easy to fingerprint you as a tor user. This can be very bad for some, like the last lulzsec guy, who was caught thanks to a tor timing correlation attack.

Thanks for the info, i.e. VPNs. I was also under the impression that if you use a VPN and are downloading to your system it would also protect you, because all of that first goes through your VPN before getting back to you. So even if they were able to see what you were downloading through an exit node, the destination would still be unknown.

I would also like to point out a flaw in paying for your VPN using an anonymous currency like Bitcoin. I recently signed up for a VPN service that accepts BTC but realized that since I am connecting to my VPN directly they can easily obtain my source IP. I even brought this up with the provider and they agreed.


This is basic.
1) You must use a VPN service where they have strong privacy ethics and reside where the laws of privacy are strong.
2) You must use hosts from countries where diplomatic relations are broken and extradition laws are incompatible with the country of your target, i.e. if you are going to attack the US, use servers from Venezuela, Iran, China or Russia.

That's why it is childish to make blanket statements. People who preach to stay away from US servers are n00bs.
Security is always relative to its target. If you are going to attack targets within the US, obviously DON'T BE stupid enough to use proxies/VPNs from the US, or from countries that have very close diplomatic relationships with the US (any country in Europe).

But if you are attacking China, the safest host to jump from might be one within the US.
The paperwork itself to get the logs would make the passive tracing a nightmare.

The key to untraceability when dealing with governmental tracking relies on exploiting political and economic limitations, not technical ones.
The key to untraceability when dealing with individuals (hacker teams, mafia, cartels) relies on technical limitations, not political ones.

If you neither know what game you are playing nor how the game is played, you had better not play it at all.

So basically what you mean is, if we want to "hide" from the government the best bet is to study their political and economic limitations and use that, for example, for choosing the country where the VPN is established?

People who get hung up on countries where VPNs are located and finding the VPN provider with the best policy are largely playing a game of fooling themselves. I could get some servers in FucktheUSAistnia, set up an "anonymous vpn!" and monitor all of the traffic going through them; so can the feds. VPNs are vastly overrated. Security by policy fails over and over and over; only security by technical design stands up time after time after time. I prefer to host in countries like this, and sure I would get a VPN with a node in Russia over Texas, but it is silly to trust a promise or a law over a technical design or a math formula.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: kmfkewm on June 24, 2012, 06:30 am
Also keep in mind that even if you enter with a node in Fuckamericastan and exit with a node in Allahzakia, if you are in the USA you are passively exposed to USA infrastructure on your way to the entry, and if you are visiting a server in the USA (or even one that is in some other country but the route to it passes through the USA) you are passively exposed to USA infrastructure between your exit and the server. So a fully USA based passive timing attack will still work, even if the VPN nodes you are using are not actively owned by the FBI (which of course they could be; if I was the FBI I would certainly want to have some "anonymous VPN!" nodes in both Fuckamericastan and Allahzakia).
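The passive end-to-end timing attack kmfkewm describes is the risk that no choice of VPN jurisdiction addresses: an observer who sees traffic leaving the client and arriving at the destination can match the two without decrypting anything or asking any provider for logs. The following is an added illustration on constructed data, not code from the thread or from any project; the packet streams, latencies and client names are all synthetic, and it compares packets-per-window vectors with a Pearson correlation, which is the simplest form of the idea.

```python
"""Toy end-to-end timing correlation on constructed traffic.

Several clients send packet streams into an anonymity path (VPN, Tor, or
both).  An observer at the far end sees one stream arrive at the
destination, delayed and jittered.  Correlating the arrival pattern with
each client's departure pattern identifies the sender.  Every timestamp
below is synthetic; no real traffic is involved.
"""
import math
import random
from typing import Dict, List, Sequence

DURATION = 120.0     # seconds of observation (constructed)
BIN_WIDTH = 2.0      # seconds per counting window


def make_flow(rng: random.Random, mean_gap: float,
              duration: float = DURATION) -> List[float]:
    """Departure timestamps with exponentially distributed gaps (Poisson-like)."""
    t, flow = 0.0, []
    while True:
        t += rng.expovariate(1.0 / mean_gap)
        if t >= duration:
            return flow
        flow.append(t)


def transit(flow: Sequence[float], rng: random.Random,
            latency: float = 0.35, jitter: float = 0.05) -> List[float]:
    """What the far-end observer sees: each packet delayed by path latency plus noise.

    The VPN/Tor hops change addresses and encrypt payloads, but they do not
    erase the inter-packet timing, which is all this model keeps.
    """
    return sorted(t + latency + abs(rng.gauss(0.0, jitter)) for t in flow)


def rate_vector(times: Sequence[float], duration: float = DURATION,
                width: float = BIN_WIDTH) -> List[int]:
    """Packets per window: the only feature the passive observer needs."""
    bins = [0] * int(math.ceil(duration / width))
    for t in times:
        idx = int(t // width)
        if 0 <= idx < len(bins):
            bins[idx] += 1
    return bins


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation of two equal-length vectors; 0.0 if either is constant."""
    n = min(len(a), len(b))
    ma = sum(a[:n]) / n
    mb = sum(b[:n]) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a[:n], b[:n]))
    va = math.sqrt(sum((x - ma) ** 2 for x in a[:n]))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b[:n]))
    if va == 0.0 or vb == 0.0:
        return 0.0
    return cov / (va * vb)


def correlate(clients: Dict[str, Sequence[float]],
              arrivals: Sequence[float]) -> Dict[str, float]:
    """Score every candidate client against the stream seen at the destination."""
    target = rate_vector(arrivals)
    return {name: pearson(rate_vector(flow), target) for name, flow in clients.items()}


def best_match(clients: Dict[str, Sequence[float]], arrivals: Sequence[float]) -> str:
    scores = correlate(clients, arrivals)
    return max(scores, key=scores.get)


def simulate(seed: int = 7, true_sender: str = "client_c") -> dict:
    """Four constructed clients; only `true_sender`'s traffic reaches the destination."""
    rng = random.Random(seed)
    clients = {name: make_flow(rng, mean_gap=0.5)
               for name in ("client_a", "client_b", "client_c", "client_d")}
    arrivals = transit(clients[true_sender], rng)
    scores = correlate(clients, arrivals)
    return {"scores": scores, "guess": best_match(clients, arrivals), "truth": true_sender}


if __name__ == "__main__":
    result = simulate()
    for name, score in sorted(result["scores"].items(), key=lambda kv: -kv[1]):
        print(f"{name}: r = {score:+.3f}")
    print("observer's guess:", result["guess"], "| actual:", result["truth"])
```

Padding, delaying or batching packets so that the departure and arrival rate vectors no longer line up is the only kind of countermeasure that affects this result; where the exit node sits is irrelevant to it.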
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: Wazup7 on June 24, 2012, 08:38 am
For an occasional user (i.e. once every few days), simply moving your location should be sufficient.  I typically drive by hotels, coffee shops, etc. and use my laptop to connect to TOR, via a Tails LiveUSB.  I also travel a lot, so I don't really have a "home base" location to get caught from.  My laptop has no HDD, FDD, or CDROM drive, so the only evidence I can get caught with is CCTV, or my USB thumb drive (easily destroyed--plus it's encrypted).

VPNs kind of scare me, since if a VPN provider gets busted, my real info is exposed.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: peach on June 24, 2012, 08:18 pm
@DomesticShrooms & @kmfkewm
When you guys bring me ONE case of such attacks being used by the federal government to track down anybody, I will buy you both a beer keg for each one.
Theoretical analysis of weaknesses is fine for academics, but law enforcement needs practicality and something that can be admissible as evidence in a court of law, being freaking sure that it was acquired without violating the Fourth and the Fifth Amendment. It is trickier than you think.
Unlike what people commonly believe, these agencies don't have unlimited resources... unless it is an incident of public interest with high political value.

Remember, everything is about economics: Is it worth the trouble? Which means:
1) Is anybody really giving a shit about it?
2) Is it pissing off a lot of powerful people?
3) Is the incident making the government look weak or stupid?
4) Is it critically endangering our national security?

If none of the above is true, then they will have to juggle with a limited budget, and if it is not solvable in a reasonable amount of time it will go straight to the file cabinet.
Btw, this strategy is not only based on VPNs, for which you might have to provide personal information to hire such a service, which would defeat the whole purpose.
The mindset I am trying to explain to you guys is "the" strategy for seasoned people who have rooted boxes or use open socks around the world.

Regarding commercial VPNs, obviously having an IP address from X country doesn't make you legally secure. What you really have to look at is in what country that company is registered and in what court of what country they are willing to work in the case of litigation; that's called the JURISDICTION and GOVERNING LAW (aka applicable law or choice of law) clauses in either their Legal Notice or Privacy Policy or in your contract.
You must browse and read carefully your contract, the Terms of Service and the privacy policies of ANY company in the world, no matter if it is an online or offline company.
Therefore if you are planning to attack the US and you feel safe because you just bought a VPN node with a Russian IP, without checking the legalese to see if the company is actually registered in the US, you are being an absolute idiot.

Actually, using any commercial VPN which is not funded/administered by pirate/hacktivist groups is a very dumb move if you are planning to do something very shady.

In any case, neglecting the power of politics in traceability is being a n00b.

PS:
Also, as I said before: one thing is to be playing against the government.
A whole different game is to be playing against an active team of fierce hackers who don't give a fuck about bureaucracy, chain of custody or constitutionality, having one single objective: to catch you.

For the mentality of the nerdy hacker it might seem trivial to be a single click away from deploying a honeypot or executing a remote exploit.
But if you are working for the federal government you can't just click enter and get away with it; before doing that you must send memos to five different departments, wait to get it approved by them all, and get the order from a judge. If the target is overseas, then after all that you'll have to get in contact with the chancellor or the ambassador, get a translator, get it notarized and apostilled, get in touch with the judges of the foreign country, get their authorization, wait until they release their subpoena or the equivalent, get in contact with the ISP, pray that their legal team doesn't fight back... etc... and whenever they finally get an authorization to take a peek at the logs (if any were saved), your trail will be long cold if you were smart enough to move on.
(If you were wise in your choices, they will have no logs to do any type of analysis.)

You guys can't think about the weaknesses of the government, maybe because you are inexperienced or too young to understand bureaucracy. You simply think "If I was the FBI..."; no, the FBI can't do that, and doesn't have the time to do that, and they simply don't operate that way.
Say thanks to our constitution, to international treaties, political conflicts, and the cuts in their budgets.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: workforit69 on June 27, 2012, 11:27 pm
Thanks for all the info re: VPNs. First off I just want to say that I am not doing anything too shady and only started looking into using one because I torrent a lot and know that next month the 'secret' spying/sharing of user logs by ISPs and the government will go into effect. This is in response to them not being able to pass SOPA.

Basically my thinking is that having this extra layer over others will keep me off their easy target list. Also, I found that when using a VPN my ISP no longer can track my download usage, so I can use it to circumvent their download quotas.

Here is the TorrentFreak article for those that are interested.
http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: anonaddict on June 28, 2012, 02:39 am
The best setup would be a bootable flash drive encrypted with TrueCrypt. The drive would have a dummy OS (Ubuntu) and the actual one you would use to hold all the info on and connect through (some form of BSD).

http://www.truecrypt.org/docs/?s=hidden-operating-system

By using the above tutorial you could give LEO a password to gain access to the drive, but it would be the dummy OS that they can boot to. NEVER give them the password for BSD... they will never find it.

Now as far as using Tor goes... It's great for hiding your location from the sites you choose to visit, but it has some flaws. The first being that it doesn't encrypt your traffic from the entrance node to your computer or from your computer to the entrance node. So from a security standpoint it looks like....

Your computer ----unencrypted---- Entrance Node ----2048 bit encryption---- Relay ----2048 bit encryption--- Exit Node ----unencrypted--- Target Site

Your ISP will be able to do deep packet inspection and find out all the tor sites and other shit you decide to do through tor.

In order to hide that from your ISP you need to rent a VPS anonymously.
https://btclot.com/web/cp.php?op=vps&type=linux (just to throw one out there.)
Once you have secured a VPS, next you need to set up Tor and a SOCKS proxy.
https://www.torproject.org/docs/debian.html.en
http://lifehacker.com/237227/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy

After that you need to set up a redirect of the incoming traffic to the Tor port.
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/

So it should look like this now.
Your Computer ----ssh encrypted--- VPS ----unencrypted---- Entrance Node ----2048 bit encryption---- Relay ----2048 bit encryption--- Exit Node ----unencrypted--- Target Site

Here is a discussion about how to jack up the encryption on the SSH proxy
http://www.gossamer-threads.com/lists/openssh/dev/45097


Let me know if I am way off base or any other ideas about a better setup.

anonaddict
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on June 28, 2012, 10:06 am
Quote
The best setup would be a bootable flash drive encrypted with TrueCrypt. The drive would have a dummy OS (Ubuntu) and the actual one you would use to hold all the info on and connect through (some form of BSD).

http://www.truecrypt.org/docs/?s=hidden-operating-system

By using the above tutorial you could give LEO a password to gain access to the drive, but it would be the dummy OS that they can boot to. NEVER give them the password for BSD... they will never find it.

Now as far as using Tor goes... It's great for hiding your location from the sites you choose to visit, but it has some flaws. The first being that it doesn't encrypt your traffic from the entrance node to your computer or from your computer to the entrance node. So from a security standpoint it looks like....

Your computer ----unencrypted---- Entrance Node ----2048 bit encryption---- Relay ----2048 bit encryption--- Exit Node ----unencrypted--- Target Site

Your ISP will be able to do deep packet inspection and find out all the tor sites and other shit you decide to do through tor.

In order to hide that from your ISP you need to rent a VPS anonymously.
https://btclot.com/web/cp.php?op=vps&type=linux (just to throw one out there.)
Once you have secured a VPS, next you need to set up Tor and a SOCKS proxy.
https://www.torproject.org/docs/debian.html.en
http://lifehacker.com/237227/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy

After that you need to set up a redirect of the incoming traffic to the Tor port.
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/

So it should look like this now.
Your Computer ----ssh encrypted--- VPS ----unencrypted---- Entrance Node ----2048 bit encryption---- Relay ----2048 bit encryption--- Exit Node ----unencrypted--- Target Site

Here is a discussion about how to jack up the encryption on the SSH proxy
http://www.gossamer-threads.com/lists/openssh/dev/45097


Let me know if I am way off base or any other ideas about a better setup.

anonaddict

bump!
Can someone please review anonaddict's setup?
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: sourman on June 28, 2012, 07:02 pm
The concept of using a VPS to set up a private VPN/SSH tunnel to hide your tor traffic is legit; in fact I think I mentioned it in this thread. I recommend such a technique for anyone who either purchases large amounts of drugs off SR (especially from overseas), or vends anything illegal. It will add an extra step to any attempt at confirming your use of tor or to traffic timing correlation attacks aimed at said service.

Can't speak for the exact steps anonaddict listed, but I did notice this part:
Quote
Your ISP will be able to do deep packet inspection and find out all the tor sites and other shit you decide to do through tor.

DPI will not decrypt tor traffic. An ISP can use DPI to see that you are connected to tor, but it will not tell them what you are actually doing on it.

I also don't recommend using the hidden operating system thing, especially if you aren't familiar with IT. If you accidentally boot up the fake OS, you risk overwriting data on the hidden OS, which is contained within the free space on the same partition. Depending on which country you're in and who your opponent is, you won't get much plausible deniability when they look up the fake OS and identify that it's never been used by studying the file access dates and system logs. If you do use it, try and make it look like the disk/thumb drive containing your fake and hidden OS is a backup drive in order to explain the lack of modifications.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: workforit69 on June 28, 2012, 09:11 pm

Quote
Your ISP will be able to do deep packet inspection and find out all the tor sites and other shit you decide to do through tor.

In order to hide that from your ISP you need to rent a VPS anonymously.
https://btclot.com/web/cp.php?op=vps&type=linux (just to throw one out there.)
Once you have secured a VPS, next you need to set up Tor and a SOCKS proxy.
https://www.torproject.org/docs/debian.html.en
http://lifehacker.com/237227/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy

After that you need to set up a redirect of the incoming traffic to the Tor port.
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/

So it should look like this now.
Your Computer ----ssh encrypted--- VPS ----unencrypted---- Entrance Node ----2048 bit encryption---- Relay ----2048 bit encryption--- Exit Node ----unencrypted--- Target Site

Here is a discussion about how to jack up the encryption on the SSH proxy
http://www.gossamer-threads.com/lists/openssh/dev/45097


Let me know if I am way off base or any other ideas about a better setup.

anonaddict


OK, just off the bat I took a look at the terms of the VPS provider you gave a link to and saw this -

-anonymizers/proxies without password protection and sufficient logging (including open mail proxies, anonymous web surfing proxies);

So essentially they are saying that if you create a SOCKS proxy like you want to, you are violating their rules if you don't log everything. Doesn't this defeat the purpose of setting up one of these yourself, since you have to log all of your own activity that goes through it, doing exactly what it is you were scared private VPNs would be doing to you? More importantly, will the provider you are using have access to a 'super' log that contains info on all of their customers, since they oversee the servers that you are renting space on from them?

Also, I asked this above, but what is the point of using BTC if you are planning on accessing their servers from your home using a source IP that can be traced back to you?

Maybe I am being naive, but when asked about logging, etc. my VPN responded with the following:

1. Do you keep ANY logs which would allow you or a 3rd party to match an IP address and a time stamp to a user of your service? If so, exactly what information do you hold?

“We absolutely do not maintain any VPN logs of any kind. We utilize shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP. These are some of the many solutions we have implemented to enable the strongest levels of anonymity amongst VPN services. Further, we would like to encourage our users to use an anonymous e-mail and pay with Bitcoins to ensure even higher levels of anonymity should it be required. Our core verticals are privacy, quality of service, and prompt customer support.”


2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

“Our company currently operates out of the United States with gigabit gateways in the US, Canada, UK, Switzerland, and the Netherlands. We chose the US, since it is one of the only countries without a mandatory data retention law. We will not share any information with third parties without a valid court order. With that said, it is impossible to match a user to any activity on our system since we utilize shared IPs and maintain absolutely no logs.”


Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: bogben on June 28, 2012, 09:15 pm
The setup seems good, though I am not an expert so there may be holes I don't see. As sourman pointed out, DPI will not reveal what sites you visit etc.; all they can see is that you used Tor - not yet illegal :p
I would say that I don't see the need for a VPN; surely using a simple SSH tunnel (like the free shellmix one) would be just as good? The ISP could see you accessing the tunnel, but good luck to them picking out your traffic from the huge volume that must be flowing through a big public tunnel like that :p I suppose you could use obfsproxy on top of that as well if you think LE are THAT determined to get you, though running Tails from a DVD, compiling it from scratch each and every time, means I only use it for buying rather than browsing, though with more persistence that wouldn't really be an issue.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: peach on July 02, 2012, 05:51 am
Quote
Now as far as using Tor goes... It's great for hiding your location from the sites you choose to visit, but it has some flaws. The first being that it doesn't encrypt your traffic from the entrance node to your computer or from your computer to the entrance node. So from a security standpoint it looks like....

Your computer ----unencrypted---- Entrance Node ----2048 bit encryption---- Relay ----2048 bit encryption--- Exit Node ----unencrypted--- Target Site

Your ISP will be able to do deep packet inspection and find out all the tor sites and other shit you decide to do through tor.

Edit: I just realized your misconception. You are wrong; your traffic with the first node is encrypted.
The only part that is not encrypted and can't be encrypted is the traffic coming out of the exit node.
But as long as you use SSL on every website while using Tor, your traffic will be encrypted end to end, covering the last mile between the exit node and your destination.

YOUR ISP can't do a "deep packet inspection" (a pompous term for sniffing traffic) simply because, as I said, your link to Tor is encrypted. Even if the exit node is in the same ISP (rare, unless you are forcing it), they can't tell to whom the traffic coming out of the node belongs.
The only thing they could do is a correlation attack, but that type of attack is more of an academic exercise and not really that practical in the real world.

A correlation attack can only be done if:
1) Both the entry node and the exit node are reachable for monitoring (i.e. if both entry and exit nodes are in the same ISP)
2) They must have the hunch that your specific encrypted traffic (out of millions of customers) corresponds to the unencrypted traffic coming out of a specific exit node (out of hundreds), to then compare the traffic of these two specific nodes for statistical analysis.

The countermeasure that Tor has to avoid this is to randomly choose entry nodes and exit nodes; therefore *your* ISP will never have both ends available for analysis.
And even if they had them both, it is like finding a needle in a haystack.

Of course, the worry about the exit nodes is superfluous if you are only using hidden services; no point in worrying about exit nodes when you are never exiting Tor. Some people seem to be confused about it, so I thought it was worth mentioning.
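The point peach corrects above (and the diagram anonaddict drew a few posts earlier) can be made concrete with a small model of layered circuit encryption. The following is an added illustration written for this thread, not code from any poster or from the Tor project: three relays (guard, middle, exit) each share a key with the client, the client wraps its request in three layers, each relay strips exactly one, and we record what an observer at each vantage point (the client's ISP, each relay) can read. The cipher is a toy HMAC-SHA256 keystream from the Python standard library standing in for Tor's real circuit crypto, relay names and keys are constructed, and the "TLS to the site" case is modelled as one extra layer keyed only between client and destination.

```python
"""Toy model of what each hop on a Tor-style circuit can see.

Added illustration, not Tor's real protocol: a stand-in stream cipher,
constructed relay names and random per-run keys.  The structure (one layer
per relay, innermost layer for the exit) is what the thread is discussing.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.

    Symmetric, so the same call both encrypts and decrypts.  Stands in for
    Tor's AES-CTR circuit encryption; never use this outside a demo.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap_layer(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one onion layer: nonce || E_key(len(next_hop) || next_hop || payload)."""
    nonce = os.urandom(8)
    hop = next_hop.encode()
    inner = len(hop).to_bytes(1, "big") + hop + payload
    return nonce + keystream_xor(key, nonce, inner)


def unwrap_layer(key: bytes, cell: bytes) -> tuple[str, bytes]:
    """Relay side: strip one layer; the relay learns only the next hop and an opaque blob."""
    nonce, body = cell[:8], cell[8:]
    inner = keystream_xor(key, nonce, body)
    n = inner[0]
    return inner[1:1 + n].decode(), inner[1 + n:]


def build_onion(keys: dict[str, bytes], path: list[str], payload: bytes) -> bytes:
    """Client side: wrap the exit's layer first so the guard's layer ends up outermost.

    path is [guard, middle, exit, destination]; keys holds one key per relay.
    """
    cell = payload
    for i in range(len(path) - 2, -1, -1):      # exit, then middle, then guard
        cell = wrap_layer(keys[path[i]], path[i + 1], cell)
    return cell


def what_each_observer_sees(request: bytes, tls_to_destination: bool) -> dict[str, dict]:
    """Run one request through the circuit and report, per vantage point,
    which next hop it can see and whether the plaintext request is readable."""
    path = ["guard", "middle", "exit"]              # constructed relay names
    destination = "example.com:443"                 # constructed destination
    keys = {relay: os.urandom(32) for relay in path}
    site_key = os.urandom(32)                       # stands in for the TLS session key
    payload = wrap_layer(site_key, destination, request) if tls_to_destination else request

    seen: dict[str, dict] = {}
    cell = build_onion(keys, path + [destination], payload)
    # The client's ISP sees a connection to the guard and an opaque blob.
    seen["isp"] = {"talks_to": path[0], "plaintext": request in cell}
    for relay in path:
        next_hop, cell = unwrap_layer(keys[relay], cell)
        seen[relay] = {"talks_to": next_hop, "plaintext": request in cell}
    return seen


if __name__ == "__main__":
    req = b"GET /orders HTTP/1.1"                    # constructed sample request
    for tls in (False, True):
        print(f"\nTLS to destination: {tls}")
        for who, info in what_each_observer_sees(req, tls).items():
            print(f"  {who:7s} sees next hop {info['talks_to']:16s} plaintext readable: {info['plaintext']}")
```

Running it shows the ISP and the guard seeing only ciphertext plus the address of the next hop, the middle relay seeing neither end, and the exit reading the request in the clear unless the site was reached over TLS, in which case the exit too sees only an opaque blob. That matches the correction above: DPI at the ISP can fingerprint a Tor connection, but not its content, and the clear-text exposure anonaddict drew between client and guard does not exist.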
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: klaw239 on July 02, 2012, 06:20 am
My logic could be flawed here, but if you lock your laptop down and do some wardriving and make sure you are encrypted, why not just drive around till you hit an open network? Log in to SR, make your order or make your payment, and be in and out in 5 minutes on your way home.

Why even risk doing it from your home/address when this option is available? Unless you just do not own a laptop.

If there are flaws to this please tell me, because I would like to know and always welcome further educating myself.

Thanks.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: wakannabi on July 02, 2012, 10:03 am
thank you  guys for keeping the thread alive.

In a couple of days I will reorganize all the info and edit the first post so we can get more organized and specific.

Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: ballervision on July 18, 2012, 09:16 am
Great thread. *BUMP*

Peach, you seem to have a deep understanding.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: Eatshitanddie69 on July 18, 2012, 09:18 am
Damn, great thread idea!
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: peach on July 18, 2012, 09:53 am
Quote
Great thread. *BUMP*

Peach, you seem to have a deep understanding.

I must, considering the type of business that I am running.
I survived several attempted raids and undercover purchases, and yet here I am, untouched and undetected.
Title: Re: Extreme Secure Anonymous Setup (ESAS) (updated 19June)
Post by: ballervision on July 18, 2012, 03:41 pm
Good to know.

I like to hear people argue about this topic, even if they disagree. This kind of shit is sometimes difficult for me to wrap my head around and it's only possible when informed people assert their opinion on it.