Silk Road forums
Discussion => Security => Topic started by: Bazille on August 13, 2013, 12:23 pm
-
This tutorial explains step by step how to create an encrypted USB stick with Linux OS which you can start directly from Microsoft Windows without rebooting.
It is mainly aimed at Windows users who never used Linux before and don't want to reboot their computer every time they use Tor. Following the tutorial produces a torified Linux installation, similar to Tails.
Some users may miss some features in Tails and Whonix and would find Ubuntu more convenient and easier to use, or they're DIY guys and like to have more control by understanding the steps of torifying Linux.
Don't be put off by the length of this tutorial, I mostly tried to mention every single click, so even your granny could successfully install it.
If you follow the steps in this tutorial you can't do much wrong, even if you never used Ubuntu/VirtualBox/TrueCrypt.
Also, don't be put off by having to type stuff in the command line, you will only have to do this during installation.
Once you've completed the tutorial, Xubuntu is quite easy to use. You can click your way through the desktop using your mouse, as you're used to.
Features:
* Runs in a virtual machine on your Windows desktop, but has no access to your hard drives
* Entirely encrypted, except for the TrueCrypt and VirtualBox executables
* Easily portable to another computer running Windows
* Torified with iptables (firewall)
* Safer GnuPG configuration
* Ubuntu is widely used and easy to use for Linux novices, extensive documentation and help is available on the internet
* Install any Ubuntu software you like through the Ubuntu Software Center
* Receives manual security updates until 2017, no need to install a new Xubuntu version all the time
* Synchronizes time by using tlsdate, which should be slightly more secure than htpdate used by Whonix and Tails
* All changes you make are persistent (unless you restore a snapshot)
* No program other than Firefox, torsocks and the package updater can contact the network/internet (through Tor only)
* Programs don't share the same Tor circuit (Stream Isolation of Tor Browser, torsocks, tlsdate, security updates)
* Copy and paste between Windows and Linux is possible (you should turn this feature off when it's not needed)
* Boots more quickly (~5 seconds) right into the browser window when you use the snapshot feature of VirtualBox
* If your browser gets attacked with malware, simply restore the VirtualBox snapshot you've created upon completion of this tutorial
* Does not install anything or leave traces on your Windows system after unplugging the USB stick (*)
(*) Note that the Windows registry may still show that TrueCrypt was run (and that a TrueCrypt volume was mounted), and the Windows pagefile or hibernation file can hold pages of the running virtual machine's memory. Nothing on the Windows side records that Tor was run inside the virtual machine.
System requirements:
* Microsoft Windows XP or higher
* 8GB USB stick
Time needed to complete the tutorial: 2+ hours
CC-BY Bernd Liefert, 13.08.2013
Updated 29.08.2013
[WARNING]
As of now, despite best efforts, there may be some issues which allow websites to fingerprint the standard Firefox browser installed in this tutorial. This doesn't threaten to reveal your identity, but makes you more pseudonymous than anonymous. Therefore you should preferably use the latest version of the Tor Browser. Step 7 explains how to install it.
What is missing in the standard version of Firefox:
https://www.torproject.org/projects/torbrowser/design/#firefox-patches
Furthermore this installation is not as secured as Whonix and Tails, yet. The tutorial will be updated in the future.
For most users this installation should be safe enough however, as it reliably prevents unwanted connections, profiling and fingerprinting of the browser.
[/WARNING]
-
1. Prepare your 8GB USB stick or SD card
Format the USB stick either with NTFS (Windows Vista or later) or exFAT (Windows XP with Microsoft's exFAT update, or later). Formatting the USB stick with FAT32 won't be sufficient because of its 4GB file size limit: the TrueCrypt container created below is 7.5GB.
2. Download software
2.1. TrueCrypt
Get the latest stable version of TrueCrypt for Windows from http://www.truecrypt.org/downloads
Start the installer and choose "Extract" instead of "Install". Choose your USB stick as destination.
If you don't want to use a USB stick, simply extract it to some folder.
2.2. VirtualBox (portable)
Get the portable version of VirtualBox from http://www.vbox.me/
(click "Download and run Portable-VirtualBox_xxxxx-Win_all.exe")
Run the installer and choose your USB stick as destination
2.3. Ubuntu
Download the latest version of Xubuntu 12.04 LTS. We are using Xubuntu in this tutorial because the default version of Ubuntu uses too many resources for the desktop.
We are not using the latest Xubuntu (version 13.04), because that version will only receive security updates for a short time. We'd have to install a new version of Xubuntu
in 2014 to keep receiving important security updates. Xubuntu 12.04 LTS will receive security updates until 2017. There are also problems with GPG helper programs in version 13.04, which we try to avoid.
If you have a 64bit Intel or AMD CPU download this image:
http://se.archive.ubuntu.com/mirror/cdimage.ubuntu.com/xubuntu/releases/12.04/release/xubuntu-12.04.2-desktop-amd64.iso
If you have a 32bit CPU download this image:
http://se.archive.ubuntu.com/mirror/cdimage.ubuntu.com/xubuntu/releases/12.04/release/xubuntu-12.04.2-desktop-i386.iso
If the above images are not available any longer, you can download the latest 12.04 images from here:
http://se.archive.ubuntu.com/mirror/cdimage.ubuntu.com/xubuntu/releases/12.04/release/
or here
http://xubuntu.org/getxubuntu/
-
3. Installation and configuration
3.1. TrueCrypt
Start "TrueCrypt.exe" from your USB stick and click the "Create Volume" button
Click "Next" to create an encrypted file container
Click "Next" to make it a standard TrueCrypt volume
Click "Select File" and open your USB stick, enter filename: "crypt" and click "Save"
Optionally check "Never save history", or keep it unchecked for more convenience
Click "Next" to leave the encryption algorithm at its default values
Select MB and enter "7500" to get an encrypted container of 7.5GB. If your USB stick is larger than 8GB you may want to increase the size
Enter a reasonably long password, preferably with more than 20 characters, and click "Next"
Click "Next" because we don't need large files
Click "Format" and wait until the container creation is complete. Cook some coffee or roll a joint
Click "Exit" when done
Switch to the remaining TrueCrypt window or start TrueCrypt again and select a drive letter, in this tutorial it will be L:
Click "Select File", browse to your USB stick and select the "crypt" file you have created
Click "Mount" and enter the password of your TrueCrypt container
The TrueCrypt container will now appear as drive L: in your Computer. You will have to always use the same drive letter in future, or VirtualBox will not find the files.
3.2. VirtualBox
Start "Portable-VirtualBox.exe" and click "New" to create a new virtual machine
Enter any name, e.g. "Ubuntu 2017"
Select Type "Linux"
Select "Ubuntu (64bit)" if you have a 64bit CPU and click "Next"
Choose something between 512MB and 2048MB as memory size
Click "Create" to create a new virtual hard drive
Click "Next" because using a dynamically allocated hard drive file is enough for our use
Use the slider to make the maximum size of the virtual hard disk file slightly smaller than 7.5GB
The virtual machine is now created and powered off
Click "Settings" in the VirtualBox window
In the settings tree select "General" and click the "Advanced" tab
Click the "Snapshot Folder" text box and select "Other"
Browse to drive L:, click "Make New Folder", enter "snapshots" and click "OK"
To be able to use copy + paste between the virtual machine and your Windows desktop, set "Shared Clipboard" to "bidirectional"
In the settings tree select "Display" and give the virtual machine more memory (up to 128MB) for desktop graphics
In the settings tree select "System", select the "Processor" tab and make the virtual machine use more CPU cores (if your CPU has more than one core)
In the settings tree select "Storage" and select "Empty" below "Controller: IDE"
On the right side ("Attributes") click the little CD icon and select "Choose a virtual CD/DVD disk file"
Browse to the folder where you downloaded Xubuntu to and select the .iso file (e.g. "xubuntu-12.04.2-desktop-amd64.iso")
(Optional) If you want to be able to share files between your Windows desktop and the virtual machine, select "Shared Folders" in the settings tree
(Optional) Click the folder icon on the right side of the settings window, e.g. your Downloads folder
(Optional) Check the "Automount" box after you selected the shared folder
Click "OK" to close the settings window
In the Oracle VM VirtualBox Manager window, open File -> Preferences and select "Update"
Uncheck "Check for updates" so that VirtualBox does not contact Oracle's update server from your Windows host (that request would reveal that you are running VirtualBox)
3.3. Ubuntu
In the VirtualBox window click the "Start" button and click "OK" to remove the VirtualBox Information window.
If any error windows appear, click "OK" to close them. They can usually be ignored, though they will probably pop up again later.
The virtual machine should now successfully boot the Xubuntu installer. Click the "Install Xubuntu" button.
Check "Download updates while installing" and click "Continue"
Click "Continue" and "Install Now" to format the virtual hard disk
Select any time zone and click "Continue"
Choose your keyboard layout or click "Detect Keyboard Layout" if you are unsure, then click "Continue"
Enter any name (e.g. "Manning") and any computer name (e.g. "NSA")
This password can be weak: the whole virtual disk already sits inside the TrueCrypt container, so it adds little security. You will need it later to make administrator (sudo) changes inside Ubuntu
Change the username if you like or leave it as it is
Select "Login automatically" and click "Continue"
Ubuntu will now install a few packages. This will usually take less than 5 minutes. Once this is done, click "Restart Now".
If the virtual machine doesn't restart, open the "Machine" menu, select "Close", check "Power off the machine" and click "OK". Then start the virtual machine again with the "Start" button.
VirtualBox should now boot into the Xubuntu Desktop.
-
4. Setting up Ubuntu
4.1. Update packages
When the Xubuntu desktop is loaded, after a few seconds you will most likely get popups about new software being available. Click the red icon in the Xubuntu menu bar and select "Show updates".
Click "Install Now" to start the update process and enter your user password when prompted. Once this is done, click the "Restart Now" button.
After restart more software updates may be available. Wait a minute to see if the red icon shows up again, click it and install the updates, then restart Xubuntu again.
It is important that all updates were installed before proceeding to the next step. If you install any kernel updates later, you may have to repeat step 4.2.
4.2. VirtualBox Guest Additions
To use copy + paste between Windows and Ubuntu and some other useful VirtualBox features we need to install the VirtualBox Guest Additions.
Open the "Devices" menu in the VirtualBox machine window and select "Install Guest Additions"
On the Xubuntu desktop, doubleclick the VBOXADDITIONS CD icon
Doubleclick "autorun.sh" and enter your user password
When the installation is done ("Press Return to close this window"), restart the virtual machine by clicking the start button at the far left of the Xubuntu menu bar, selecting "Log Out" and clicking the "Restart" button.
Enter your user password when prompted.
After rebooting copy + paste between Windows and Ubuntu should work. This will be quite useful later in the next step.
4.3. Installing Tor, Privoxy and Polipo
Click the start button at the far left of the Xubuntu menu bar and start Accessories -> Terminal Emulator
In the new terminal window you should see something like "manning@NSA:~$ ", which is the command prompt.
At the command prompt enter "sudo su", enter your user password when prompted
Paste these lines in the terminal window (copy them to your clipboard and select Edit -> Paste in the terminal):
echo "deb http://deb.torproject.org/torproject.org experimental-precise main" >> /etc/apt/sources.list
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install deb.torproject.org-keyring
apt-get install tor tor-arm privoxy polipo
#
Enter Y to continue when prompted and wait until the packages are downloaded and installed. Note that the experimental-precise repository carries the Tor project's experimental (alpha) packages; use "precise main" in the sources.list line instead if you prefer the stable series.
4.4. PGP (Seahorse and Geany) and text editor
Geany is a text editor (actually an IDE), which we will use to encrypt PGP messages. Seahorse is a key manager which we will use to create and store PGP keys. Gedit is a simple text editor.
Click the start button in the Xubuntu menu bar and start "Ubuntu Software Center"
Enter "seahorse" in the search box of the Ubuntu Software Center, select "Passwords and Keys" and click "Install", enter your user password when prompted
Enter "geany" in the search box, select "Geany" and click "Install"
Enter "geanypg" in the search box, select "Pg plugin for Geany" and click "Install" - click "OK" to install untrusted packages
Enter "gedit" in the search box, select "Text Editor" and click "Install"
Enter "pinentry-gtk2" in the search box, select "GTK+-2-based PIN or pass-phrase entry dialog for GnuPG" and click "Install"
When this is done, restart the system by using the restart icon or start button -> Log Out
4.5. Change timezone
We set our timezone to UTC to reduce fingerprinting possibilities.
Click the start button at the far left of the Xubuntu menu bar and start Accessories -> Terminal Emulator
Enter "sudo dpkg-reconfigure tzdata"
Use the cursor keys to scroll down, select "Etc" and press enter
Use the cursor keys to select UTC and press enter
-
5. Firewall configuration
5.1. IPtables firewall
We only want Tor to be able to connect to the internet, so we setup the firewall accordingly.
Click the start button at the far left of the Xubuntu menu bar and start Accessories -> Terminal Emulator
In the terminal window enter
sudo gedit /root/firewall
and enter your user password when prompted
In the new text editor window paste these lines:
#!/bin/sh
# Flush the filter table and rebuild it: only Tor (user debian-tor) and loopback may send
iptables -F
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
iptables -A OUTPUT -j ACCEPT -o lo
iptables -P OUTPUT DROP
# Inbound: loopback and replies to connections Tor opened; everything else is dropped
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Persist the rules so /etc/network/if-pre-up.d/iptables can restore them at boot
iptables-save >/etc/iptables.rules
Open the "File" menu in the text editor and select "Save", then close the text editor window
Back in the terminal window enter
sudo gedit /etc/network/if-pre-up.d/iptables
In the text editor paste these lines:
#!/bin/sh
iptables-restore < /etc/iptables.rules
Save the text and close the text editor window.
Back in the terminal window enter these lines:
sudo chmod +x /root/firewall
sudo /root/firewall
sudo chmod +x /etc/network/if-pre-up.d/iptables
sudo reboot
After the system rebooted we will test our firewall configuration. Firefox should not be able to connect to the internet anymore at this point.
Click the start button in the Xubuntu menu bar and start "Web Browser"
Firefox should start up and display a "Server not found" message. This means the firewall is running. Close the Firefox window again and proceed to the next step.
To be certain you can also open a terminal and type "sudo iptables -L -v -n" to see the rules and their packet counters. Note that these rules only cover IPv4: the ip6tables chains keep their default ACCEPT policy, so if the virtual machine ever gets an IPv6 route you have to set the same DROP policies with ip6tables as well.
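Reading "iptables -L -v" by eye is easy to get wrong once more rules accumulate. The following script is an added example, not part of the original tutorial: it parses the output of iptables-save and checks the invariants the firewall above is meant to enforce (DROP policies everywhere, outbound only for loopback and the debian-tor user, inbound only loopback and established replies, nothing forwarded). The two rulesets embedded in it are constructed samples, one mirroring the tutorial's rules and one deliberately leaky; the script file name is an assumption.

```python
"""Audit a torified iptables ruleset: added example, not code from the tutorial.

Reads an `iptables-save` dump and checks the invariants /root/firewall is
meant to enforce: only the debian-tor user and loopback may send, nothing
unsolicited may come in, nothing is forwarded. IPv4 only; run the same
audit on `ip6tables-save` output, because the tutorial leaves IPv6 untouched.
"""
from __future__ import print_function
import sys

# Constructed sample: what `sudo iptables-save` prints after running /root/firewall
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

# Constructed sample of a broken variant: default policies left at ACCEPT and
# an extra ACCEPT for uid 1000 (the desktop user), which would let Firefox
# bypass Tor entirely if its proxy setting were ever lost.
LEAKY_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def parse_filter_table(text):
    """Return (chain -> policy, list of rule token lists) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif not in_filter or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line.split()[1:])  # ['OUTPUT', '-m', 'owner', ...]
    return policies, rules


def rule_opts(rule):
    """Split a rule token list into (chain, {option: value}, jump target).

    Negated matches ('!') are recorded as a bare '!' key and treated as suspicious.
    """
    chain, opts, target, i = rule[0], {}, None, 1
    while i < len(rule):
        tok = rule[i]
        if tok == "-j":
            target, i = rule[i + 1], i + 2
        elif tok.startswith("-") and i + 1 < len(rule) and not rule[i + 1].startswith("-"):
            opts[tok], i = rule[i + 1], i + 2
        else:
            opts[tok], i = True, i + 1
    return chain, opts, target


def audit(text, tor_user="debian-tor"):
    """Return a list of findings; an empty list means the firewall is torified."""
    policies, rules = parse_filter_table(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append("{0} policy is {1}, expected DROP".format(chain, policies.get(chain, "missing")))
    tor_can_send = False
    for rule in rules:
        chain, opts, target = rule_opts(rule)
        if target != "ACCEPT":
            continue  # DROP/REJECT/LOG rules cannot leak
        text_rule = " ".join(rule)
        if chain == "OUTPUT":
            if opts.get("--uid-owner") == tor_user and "!" not in opts:
                tor_can_send = True
            elif opts.get("-o") != "lo" or "!" in opts:
                findings.append("OUTPUT accepts traffic not owned by {0}: {1}".format(tor_user, text_rule))
        elif chain == "INPUT":
            if opts.get("-i") != "lo" and opts.get("--state") not in ("RELATED,ESTABLISHED", "ESTABLISHED"):
                findings.append("INPUT accepts unsolicited traffic: " + text_rule)
        elif chain == "FORWARD":
            findings.append("FORWARD accepts traffic: " + text_rule)
    if not tor_can_send:
        findings.append("no OUTPUT ACCEPT for {0}: Tor itself cannot reach the network".format(tor_user))
    return findings


if __name__ == "__main__":
    # On the VM: sudo iptables-save | python audit_firewall.py   (file name is an assumption)
    dump = sys.stdin.read() if not sys.stdin.isatty() else GOOD_RULESET
    problems = audit(dump)
    print("\n".join(problems) if problems else "OK: only debian-tor and loopback may leave the VM")
```

The audit deliberately treats any ACCEPT in OUTPUT that is neither loopback nor owned by debian-tor as a finding, because that is exactly the class of rule that lets a program reach the internet without Tor. Run it after every change to /root/firewall, and again after restoring a VirtualBox snapshot, since the snapshot carries whatever ruleset was loaded when it was taken.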
-
6. Tor and security
6.1. Common configuration
Click the start button in the Xubuntu menu bar and start Accessories -> Terminal Emulator
In the terminal window, enter this line and enter your user password when prompted:
sudo gedit /etc/tor/torrc
In the new text editor window, scroll down to the bottom of the text, add a new line and paste these lines:
ControlPort 9051
ControlListenAddress 127.0.0.1
SocksPort 127.0.0.1:9050
SocksPort 127.0.0.1:9100 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9101
SocksPort 127.0.0.1:9102
StrictNodes 1
AvoidDiskWrites 1
DisableDebuggerAttachment 0
6.2. Exit nodes
6.2.1 (Optional) Define allowed exit node countries
Most people don't recommend this option, because it may make you less anonymous, but I prefer to have my exit nodes in countries which are not part of the NSA's PRISM program.
If you don't set any exit nodes yourself, then Tor will randomly choose exit nodes for you. As there is a large number of exit nodes running in the USA and other Five Eyes countries,
you will often use exit nodes which can be sniffed by the NSA. However, as many websites are in the USA and PRISM partner countries, this is no complete protection against getting sniffed by the NSA.
This step may reduce anonymity significantly, because there is only a limited number of exit nodes in those countries. If you just want to block servers in certain countries from becoming your exit node, have a look at step 6.2.2. instead.
By adding the next line to the bottom of /etc/tor/torrc we make Tor only use ExitNodes in Asia, South Africa, Ukraine, Russia, South America and Saudi Arabia:
ExitNodes {ru},{hk},{tw},{za},{in},{id},{th},{vn},{cn},{ar},{br},{jp},{kr},{sa},{tr},{ua}
You can find a list of more country codes here (these are not always the same as internet top level domains)
http://dev.maxmind.com/geoip/legacy/codes/iso3166/
Note that not all countries have a large amount of ExitNodes, and to avoid deanonymization it's better if Tor has more than 50 ExitNodes to choose from.
6.2.2. (Optional) Define blocked exit nodes
Instead of using the above option it's possible to simply avoid exit nodes in certain countries.
By adding the next line to the bottom of /etc/tor/torrc we make Tor avoid ExitNodes in the Five Eyes countries and Ireland, as well as relays whose country is unknown or resolves to an anonymous-proxy, satellite or "other" range ({a1}, {a2}, {o1} and {??} in MaxMind's codes):
ExcludeExitNodes {us},{gb},{ca},{au},{nz},{ie},{a1},{a2},{o1},{??}
Note that you shouldn't add too many countries to that list, or this may contribute to deanonymizing you. Like option 6.2.1. this also doesn't really protect you from the clearnet traffic getting routed through cables sniffed by Five Eyes & friends.
6.3. (Optional) Define entry node countries
If there are enough Tor relays in your country, you should only use EntryNodes in your country. If you are in the USA, add this line to the end of /etc/tor/torrc:
EntryNodes {us}
If you are not from the USA, check the above list of country codes to find out which code your country uses. These are not internet top level domains.
If you want to use specific trusted EntryNodes in your country, e.g. because you always want to have a fast entry node with large bandwidth, then you can specify those by using fingerprints.
In this case you should add at least 3 EntryNodes, better more.
manning2.torservers.net, bolobolo1.torservers.net and manning1.torservers.net are among the fastest EntryNodes in the USA (and the world) right now, so you may want to use them, if you live in the USA.
Instead of using the above EntryNodes example, you'd have to use something like this:
EntryNodes $D0236B1908B3CC686DB0A361F4931073A25793F1,$9F7A37446BC034B4FDB27CAE2C6CAAB83A40A361,$073F27934762FF8BA956FFCE136AAC1CCF45EA13
A configuration like this is recommended, if you don't use bridges.
To get more fingerprints of servers, go to http://torstatus.blutmagie.de/ and click on the server names. Copy the fingerprint line and add a $ in front of each fingerprint. Separate individual fingerprints in the config with commas. Remove spaces in the fingerprints. You should use 3-10 fingerprints as entry nodes.
6.4. (Optional) Tor bridges
Instead of using public EntryNodes you may want to use Tor bridges, but this may not help against NSA sniffing. They may know the bridges from https://bridges.torproject.org/ anyway. To have a very secret bridge you'd have to use private bridges run by your friends. As with the EntryNodes, you should use several bridges (at least 5-10).
Using normal non-obfuscated bridges is pretty much useless, if someone with enough resources (China, Five Eyes, ...) is doing deep packet inspection.
If getting a list of obfuscated bridges is too much hassle for you, but you do need to hide the fact that you are using Tor, then you should use a VPN with cover traffic instead.
To use bridges you'd have to add the line
UseBridges 1
to the end of your /etc/tor/torrc. To get a list of bridges, go to https://bridges.torproject.org/bridges and copy the list of IP addresses it shows you. Paste the addresses at the end of your /etc/tor/torrc text file and add "Bridge " (note the space) before each IP address.
This will however not show you only bridges from your country, but from random countries. When you connect to a bridge in another country, then it is more likely that one or more secret services sniff your traffic. This would allow them to do time/size correlation when you browse clearnet websites.
It may be best if you skip the Tor bridges part and only use the EntryNodes part of this tutorial, unless you know how to find out in which countries those bridges are hosted. If you do use bridges, then the EntryNodes line will be ignored by Tor.
Once you're done with the Tor configuration text file, save it and close the text editor.
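Hand-editing /etc/tor/torrc across steps 6.1 to 6.4 leaves room for mistakes that Tor only reports in its log, if at all: a listener bound to the wrong address, a ControlPort with no authentication, a fingerprint pasted with spaces or without the leading $, or EntryNodes that are silently ignored because UseBridges is on. The script below is an added example, not code from the tutorial or the Tor project; it parses a torrc and reports those problems. The two torrc texts in it are constructed samples (one mirroring the tutorial's lines, one with the mistakes the tutorial warns about), and the script file name is an assumption.

```python
"""Audit the Tor configuration from steps 6.1 to 6.4: added example, not code from the tutorial.

Checks the things that are easy to get wrong when editing /etc/tor/torrc by hand:
listeners bound to something other than localhost, a ControlPort with no
authentication, malformed EntryNodes/ExitNodes entries, and EntryNodes that
Tor will ignore because UseBridges is on.
"""
from __future__ import print_function
import re
import sys

# Constructed sample mirroring the lines the tutorial adds to /etc/tor/torrc
SAMPLE_TORRC = """\
ControlPort 9051
ControlListenAddress 127.0.0.1
SocksPort 127.0.0.1:9050
SocksPort 127.0.0.1:9100 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9101
SocksPort 127.0.0.1:9102
StrictNodes 1
AvoidDiskWrites 1
DisableDebuggerAttachment 0
EntryNodes $D0236B1908B3CC686DB0A361F4931073A25793F1,$9F7A37446BC034B4FDB27CAE2C6CAAB83A40A361
ExcludeExitNodes {us},{gb},{ca},{au},{nz},{ie},{a1},{a2},{o1},{??}
"""

# Constructed sample with the mistakes the tutorial warns about
BAD_TORRC = """\
SocksPort 0.0.0.0:9050
ControlPort 9051
CookieAuthentication 1
EntryNodes D0236B1908B3CC686DB0A361F4931073A25793F1, $9F7A 3744 6BC0
UseBridges 1
Bridge 192.0.2.10:443
"""

FINGERPRINT = re.compile(r"^\$[0-9A-Fa-f]{40}$")
BARE_HEX = re.compile(r"^[0-9A-Fa-f]{40}$")
# two-letter codes plus MaxMind's pseudo-countries a1/a2/o1 and ?? for "unknown"
COUNTRY = re.compile(r"^\{(?:[a-z]{2}|a1|a2|o1|\?\?)\}$", re.I)


def parse_torrc(text):
    """Return [(keyword, value)] in file order, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def check_node_list(keyword, value):
    """Validate one comma-separated EntryNodes/ExitNodes/ExcludeExitNodes value."""
    findings = []
    for item in value.split(","):
        item = item.strip()
        if FINGERPRINT.match(item) or COUNTRY.match(item):
            continue
        if BARE_HEX.match(item):
            findings.append("{0}: {1} is missing the leading $".format(keyword, item))
        elif " " in item or item.startswith("$"):
            findings.append("{0}: '{1}' is not a 40-hex-digit fingerprint (remove spaces)".format(keyword, item))
        else:
            # Tor also accepts relay nicknames here, but nicknames are not unique
            findings.append("{0}: '{1}' is neither a $fingerprint nor a {{cc}} country code".format(keyword, item))
    return findings


def listen_host(value):
    """'127.0.0.1:9050 Flag...' -> '127.0.0.1'; a bare port number means localhost."""
    addr = value.split()[0]
    if ":" in addr:
        return addr.rsplit(":", 1)[0]
    return addr if "." in addr else "127.0.0.1"


def audit_torrc(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    entries = parse_torrc(text)
    keys = set(k for k, _ in entries)
    findings = []
    for key, value in entries:
        if key in ("SocksPort", "ControlPort", "ControlListenAddress"):
            host = listen_host(value)
            if host not in ("127.0.0.1", "localhost"):
                findings.append("{0} {1} listens on {2}; bind it to 127.0.0.1".format(key, value, host))
        elif key in ("EntryNodes", "ExitNodes", "ExcludeExitNodes"):
            findings.extend(check_node_list(key, value))
        elif key == "DisableDebuggerAttachment" and value == "0":
            findings.append("DisableDebuggerAttachment 0 lets a debugger attach to Tor and read its "
                            "memory, keys included; keep it only while arm needs it")
    cookie = ("CookieAuthentication", "1") in entries
    if "ControlPort" in keys and not (cookie or "HashedControlPassword" in keys):
        findings.append("ControlPort is set without CookieAuthentication or HashedControlPassword; "
                        "any local process can reconfigure Tor or read its circuit list")
    if "UseBridges" in keys and "EntryNodes" in keys:
        findings.append("UseBridges 1 makes Tor ignore EntryNodes; keep one or the other")
    if sum(1 for k, _ in entries if k == "SocksPort") < 2:
        findings.append("only one SocksPort: give each program its own port so their streams "
                        "do not share circuits")
    return findings


if __name__ == "__main__":
    # On the VM: python audit_torrc.py /etc/tor/torrc   (script name is an assumption)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TORRC
    problems = audit_torrc(source)
    print("\n".join(problems) if problems else "OK")
```

Run against the tutorial's own lines the script reports two things worth knowing: the ControlPort has no authentication configured, so any process inside the VM can talk to Tor's control interface, and DisableDebuggerAttachment 0 weakens Tor's own protection against memory inspection. Both are conscious trade-offs for using arm (step 6.6); the point of the check is that you make them knowingly. Separate SocksPorts are enough for the stream isolation the feature list promises, because Tor never shares circuits between streams that arrive on different listeners.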
6.5. Privoxy and Polipo configuration
Back in the terminal type "sudo gedit /etc/privoxy/config"
At the end of the text file insert a new line and paste this line:
forward-socks5 / 127.0.0.1:9102 .
Save the text and exit the editor.
In the terminal type "sudo gedit /etc/polipo/config" and paste the following lines at the end of the text file:
proxyAddress = "127.0.0.1"
socksParentProxy = "127.0.0.1:9101"
socksProxyType = socks5
Save the text and exit the editor, then enter "sudo reboot" in the terminal to reboot Ubuntu before proceeding to the next step.
6.6. Arm
We didn't install Vidalia, which we could easily do by using the Ubuntu Software Center. However for some reason this is not recommended by the Whonix developers.
Instead we will use "arm" to get a new Tor identity.
Click on the desktop background with your right mousebutton and select "Create Launcher"
Enter a Name, e.g. "Arm"
Check "Run in terminal"
Optionally click the "No icon" button and choose some fancy icon
In the "Command" text box, paste this line:
sudo -u debian-tor arm
Click the "Create" button
A new icon should now appear on your desktop. It will be explained later in this tutorial how to use it.
6.7. Time synching
Tor needs the correct date and time to function properly, and we need to avoid getting fingerprinted because our computer sends the local time of our virtual machine to some website or server.
Therefore we need to turn off time synching in VirtualBox and make our virtual machine fetch the correct time from the internet in a stealthy way.
6.7.1. tlsdate
First we need to get the latest version of tlsdate. For our installation of Xubuntu 12.04 we can't use the version from the Ubuntu servers, so we need to get the version for Debian/jessie instead.
Go to http://packages.debian.org/jessie/tlsdate and scroll down and click the amd64 version if you are using a 64bit CPU or the i386 version if you are using a 32bit CPU.
Choose any mirror to download it to your Downloads folder.
Start the Terminal Emulator and paste the following lines:
cd Downloads
sudo dpkg -i tlsdate*
Enter your user password when prompted. Once the installation is done, enter "sudo gedit /etc/tlsdate/tlsdated.conf"
Change the value of "should-sync-hwclock" to "no"
Change the value of "jitter" to "1800"
Change the value of "min-steady-state-interval" to "60"
Change the value of "steady-state-interval" to "3600"
Change the value of "subprocess-wait-between-tries" to "10"
Change the value of "proxy none" to "proxy socks5://127.0.0.1:9100"
Save the text file and exit the editor.
6.7.2. Restart tlsdate through NetworkManager
When using virtual machine snapshots instead of booting the machine normally, tlsdate may not synchronize the time.
Open the Terminal Emulator and enter
sudo gedit /etc/NetworkManager/dispatcher.d/10tlsdate
In the text editor paste these lines:
#!/bin/sh -e
# NetworkManager passes the interface name as $1 and the event as $2
case "$2" in
up)
    # give the interface a moment to settle, then force a fresh tlsdate run
    sleep 10
    /etc/init.d/tlsdate restart
    ;;
*)
    # other events (down, vpn-up, ...) are ignored; exit 0 so NetworkManager logs no error
    exit 0
    ;;
esac
Save and exit the text editor, then enter
sudo chmod +x /etc/NetworkManager/dispatcher.d/10tlsdate
6.7.3. Disabling vboxadd-service
In the terminal enter
sudo gedit /etc/rc.local
In the text editor, before the line "exit 0" add
(sleep 20s; service vboxadd-service stop) &
In the terminal, type "sudo halt" to shutdown the virtual machine.
6.7.4. VirtualBox advanced configuration
Once the virtual machine is shutdown, close all VirtualBox windows on your Windows desktop.
To hide our hardware identifiers from the guest OS and to disable time synching we have to make a few changes to an XML file.
Open your USB stick folder on the Windows desktop, find and open the file "Ubuntu 2017.vbox" (or whatever you called your virtual machine) in a text editor.
Note that for this step to succeed there must be no VirtualBox snapshots present, or the values may get reverted later. Before doing this you have to delete the snapshots.
Find the <ExtraData> section and add the following lines to it:
<ExtraDataItem name="VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" value="1"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port0/ATAPIProductId" value="product"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port0/ATAPIRevision" value="revi"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port0/ATAPIVendorId" value="vendor"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" value="firmware"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" value="model"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" value="serial"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" value="product"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" value="revi"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" value="vendor"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" value="firmware"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" value="model"/>
<ExtraDataItem name="VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" value="serial"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" value="3"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" value="4"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" value="BIOS Release Date"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" value="1"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" value="2"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" value="BIOS Vendor"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" value="BIOS Version"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" value="System Family"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" value="System Product"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" value="System SKU"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" value="System Serial"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" value="9852bf98-b83c-49db-a8de-182c42c7226b"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" value="System Vendor"/>
<ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" value="System Version"/>
Find the <BIOS> section and change the TimeOffset value from 0 to something random between -60000 and +60000. Example: <TimeOffset value="-31337"/>
Find the <CPU ....> section and add
<SyntheticCpu enabled="true"/>
Change <Hardware version="2"> to <Hardware version="2" uuid="{05f2222c-9697-485b-b105-267a36c401fc}"> (this is the same as in Whonix)
If it's not already enabled, change <PAE enabled="false"/> to "true"
Find the <Network> section and change the first <Adapter ...> section to
<Adapter slot="0" enabled="true" MACAddress="080027070B08" cable="true" speed="0" type="Am79C973">
Change the <DNS ...> section below to
<DNS pass-domain="false" use-proxy="true" use-host-resolver="true"/>
Save the text file and exit the editor.
When this step is complete, boot the virtual machine again and proceed to the Firefox/Tor Browser installation.
You may want to load the .vbox configuration file into the text editor again to see if the values you changed are still in place. If they are not, this may lead to deanonymization or worse.
When starting the virtual machine in future, make sure that the time is actually synchronized with the UTC timezone and doesn't lag behind UTC significantly before making connections through Tor.
If your time is not synchronized with UTC you can be fingerprinted under certain circumstances ("oh look it's the Tor with the wrong clock again").
Sometimes tlsdate may not synchronize the time properly after restoring a snapshot (this may take a minute), then you should reboot the virtual machine.
For more information about the previous steps see http://zo7fksnun4b4v4jv.onion/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection
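The advice above to reopen the .vbox file and check that the edits survived is worth automating, because VirtualBox rewrites that file whenever the machine's settings are saved. The following script is an added example, not part of the original tutorial or of VirtualBox: it parses a .vbox file and reports every hardening value from step 6.7.4 that is missing or changed, and it warns if a snapshot exists. The sample documents it builds are constructed, minimal .vbox files rather than real VirtualBox exports; the element nesting in them is an assumption, and the checks search the whole tree by element name so that they do not depend on it. The script file name is also an assumption.

```python
"""Verify the .vbox hardening from step 6.7.4: added example, not code from the tutorial.

VirtualBox rewrites the .vbox file when the machine is saved, so the tutorial
tells you to reopen it and check that the hand-edited values survived. This
script does that check mechanically.
"""
from __future__ import print_function
import sys
import xml.etree.ElementTree as ET

# Expected ExtraData items, built from the list in step 6.7.4
AHCI = {"ATAPIProductId": "product", "ATAPIRevision": "revi", "ATAPIVendorId": "vendor",
        "FirmwareRevision": "firmware", "ModelNumber": "model", "SerialNumber": "serial"}
PCBIOS = {"DmiBIOSFirmwareMajor": "3", "DmiBIOSFirmwareMinor": "4",
          "DmiBIOSReleaseDate": "BIOS Release Date", "DmiBIOSReleaseMajor": "1",
          "DmiBIOSReleaseMinor": "2", "DmiBIOSVendor": "BIOS Vendor",
          "DmiBIOSVersion": "BIOS Version", "DmiSystemFamily": "System Family",
          "DmiSystemProduct": "System Product", "DmiSystemSKU": "System SKU",
          "DmiSystemSerial": "System Serial",
          "DmiSystemUuid": "9852bf98-b83c-49db-a8de-182c42c7226b",
          "DmiSystemVendor": "System Vendor", "DmiSystemVersion": "System Version"}
EXPECTED = {"VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled": "1"}
for _port in (0, 1):
    for _k, _v in AHCI.items():
        EXPECTED["VBoxInternal/Devices/ahci/0/Config/Port{0}/{1}".format(_port, _k)] = _v
for _k, _v in PCBIOS.items():
    EXPECTED["VBoxInternal/Devices/pcbios/0/Config/{0}".format(_k)] = _v
WANT_DNS = {"pass-domain": "false", "use-proxy": "true", "use-host-resolver": "true"}


def sample_vbox(extra, time_offset="-31337", snapshot=False):
    """Build a minimal constructed .vbox document carrying the given ExtraData (not a real export)."""
    items = "".join('<ExtraDataItem name="{0}" value="{1}"/>'.format(k, v) for k, v in extra.items())
    snap = '<Snapshot uuid="{00000000-0000-0000-0000-000000000001}" name="clean"/>' if snapshot else ""
    return ('<?xml version="1.0"?>'
            '<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-windows">'
            '<Machine uuid="{00000000-0000-0000-0000-000000000000}" name="Ubuntu 2017">'
            '<ExtraData>' + items + '</ExtraData>' + snap +
            '<Hardware version="2" uuid="{05f2222c-9697-485b-b105-267a36c401fc}">'
            '<CPU count="1"><PAE enabled="true"/><SyntheticCpu enabled="true"/></CPU>'
            '<BIOS><TimeOffset value="' + time_offset + '"/></BIOS>'
            '<Network><Adapter slot="0" enabled="true" MACAddress="080027070B08" cable="true" '
            'speed="0" type="Am79C973"><NAT><DNS pass-domain="false" use-proxy="true" '
            'use-host-resolver="true"/></NAT></Adapter></Network>'
            '</Hardware></Machine></VirtualBox>')


def _name(elem):
    """Strip the xmlns prefix ElementTree puts on tags."""
    return elem.tag.rsplit("}", 1)[-1]


def verify_vbox(xml_text):
    """Return a list of findings; empty means every hardening value is in place."""
    nodes = list(ET.fromstring(xml_text).iter())

    def first(tag, **attrs):
        for e in nodes:
            if _name(e) == tag and all(e.get(a) == v for a, v in attrs.items()):
                return e
        return None

    findings = []
    extra = dict((e.get("name"), e.get("value")) for e in nodes if _name(e) == "ExtraDataItem")
    for name, want in sorted(EXPECTED.items()):
        if extra.get(name) != want:
            findings.append("ExtraData {0}: expected {1!r}, found {2!r}".format(name, want, extra.get(name)))
    if first("Snapshot") is not None:
        findings.append("a Snapshot exists; delete snapshots first or VirtualBox may revert these edits")
    to = first("TimeOffset")
    if to is None or to.get("value", "0") == "0":
        findings.append("BIOS TimeOffset is 0: set a random offset so the guest RTC is not the host clock")
    if first("SyntheticCpu", enabled="true") is None:
        findings.append("SyntheticCpu is not enabled: the guest sees the real CPU model")
    if first("PAE", enabled="true") is None:
        findings.append("PAE is not enabled")
    if first("Adapter", slot="0", MACAddress="080027070B08") is None:
        findings.append("adapter 0 does not use the MAC 080027070B08 from the tutorial")
    if first("DNS", **WANT_DNS) is None:
        findings.append("DNS is not pass-domain=false use-proxy=true use-host-resolver=true")
    return findings


if __name__ == "__main__":
    # On Windows: python verify_vbox.py "L:\Ubuntu 2017.vbox"   (script name is an assumption)
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_vbox(EXPECTED)
    problems = verify_vbox(doc)
    print("\n".join(problems) if problems else "OK: all hardening values are present")
```

Run it with the VM powered off and all VirtualBox windows closed, exactly as in step 6.7.4; a clean run means the file on disk matches what you typed, and a non-empty report tells you which value VirtualBox has reverted before you start the machine and connect through Tor.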
6.8. Hardening Ubuntu
To make Ubuntu a little more secure we install some security packages.
Open the Terminal Emulator and enter this line and enter Y to all questions
sudo apt-get install tiger harden-servers harden-clients
For more information about these and additional hardening packages see http://www.debian.org/doc/manuals/securing-debian-howto/ch-automatic-harden.en.html
-
7. Firefox and Tor Browser
It is not recommended that you use the standard version of Firefox, unless you are aware of the fingerprinting issues. The following steps are only left in the tutorial for educational reasons, and we may want another installation of Firefox because sometimes Tor Browser may not do what we want.
7.1. Firefox (pre-installed)
7.1.1. Firefox configuration
Start Firefox (start button -> Web Browser) and select Edit -> Preferences in the Firefox menu bar
In General preferences, change the "When Firefox starts" setting to blank page or tabs from last time, to prevent connection to Google
In Advanced preferences, select the "Data Choices" tab and uncheck both "Enable Firefox Health Report" and "Enable Crash Reporter"
In Advanced preferences, select the "Update" tab and uncheck "Search Engines"
In Advanced preferences, select the "Network" tab and click Settings ("Configure how Firefox connects to the internet")
In the Connection Settings check "Manual proxy configuration"
In the "HTTP Proxy" line enter HTTP Proxy: 127.0.0.1 Port: 8118
Check "Use this proxy server for all protocols", click OK and Close the Firefox Preferences window
Note that as of today you shouldn't "Tell websites that I do not want to be tracked", yet.
We don't want to connect to Google, so we change the default Firefox search engine.
Enter https://startpage.com (or https://ixquick.com/ if you don't even want to use Google through the Startpage proxy) in the URL bar of Firefox and click "Add to Firefox" on the webpage.
On the next page click the "Install" button (HTTPS), check "Start using it right away" and click "Add"
Startpage.com is now your default search engine in Firefox. You may want to remove the other search engines, but they won't bother you unless you select them manually.
Enter http://3g2upl4pq6kufc4m.onion/ in the URL bar and bookmark it. This is the hidden service of the search engine DuckDuckGo, with it you can search the web without using the clearnet.
7.1.2. Firefox addons
First we want to disable all the default addons of Ubuntu.
Go to Tools -> Addons menu and select Extensions
Click the "Disable" button next to all Ubuntu addons and click "Restart now"
Select the "Get Addons" tab and search and install these addons:
Cookie Monster
NoScript Security Suite
RefControl
User Agent Overrider
Go to https://www.eff.org/https-everywhere and click "Install in Firefox", click "Allow" to install it and restart the browser
After restart, when HTTPS Everywhere asks you if you want to use the SSL Observatory, click No
Go to Tools -> RefControl Options and click Edit
Select "Block - Send no referer", check "3rd Party requests only" and click OK to close the RefControl options window
Go to Tools -> Addons and click Extensions
Click the "Preferences" button of the Cookie Monster addon
Check "Block all Cookies" and close the Cookie Monster configuration window
Check View -> Toolbars -> Add-on Bar in Firefox, so you can later allow cookies for individual sites and stay logged in to forums etc.
Click the "Preferences" button of the User Agent Overrider
At the top of the text enter a new line and paste this line:
Firefox 17/Windows: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Close the Add-ons Manager tab
At the top right of Firefox click the User Agent Overrider button and select "Firefox/17"
Site-specific or filter-based addons such as AdBlock Plus, Request Policy, Ghostery, Priv3, and Sharemenot are to be avoided.
7.1.3. Change about:config
Type "about:config" in the URL bar of Firefox and push the "I'll be careful" button
Search for "lang" in the new window and doubleclick "intl.accept_languages"
Change "en-US, en" to "en-us, en" (upper case "US" to lower case)
Search for "track" and doubleclick "noscript.doNotTrack.enabled" (Value should be "false")
Search for "security.tls.version" and change the value of security.tls.version.max to 3 (this may cause problems with some websites but it can use better encryption for SSL connections)
7.1.4. Disable automatic updates of add-ons
Go to Tools -> Add-ons -> Extensions
For each add-on click the "More" link and turn "Automatic updates" off
7.1.5. Change Firefox repository
To always have the latest version of Firefox installed, the Firefox PPA repository has to be added.
Start the Terminal Emulator and enter
sudo su
torsocks add-apt-repository ppa:ubuntu-mozilla-security/ppa
apt-get update && apt-get dist-upgrade
7.1.6. Test the browser settings
While configuring Firefox we tried to make it appear as if it was the Tor Browser Bundle, thus giving us more anonymity. Now we test if we were successful.
Quit and restart Firefox and go to http://ip-check.info , click START TEST!
Do not install the Flash or Java plugin.
The most important part is that the "Signature" attribute is green. As of now it should show "8ab3a24c55ad99f4e3a6e5c03cad9446 (Firefox)". This means that our HTTP headers look like the headers of Tor Browser Bundle.
Some exit nodes seem to add headers, so it may sometimes show a different signature.
Every attribute except "Authentication" should be either green or orange. Note that if you resized the virtual machine window of VirtualBox your browser window may have an odd size. This could be used by websites to fingerprint you, because no one else has the exact same resolution. This issue is probably negligible, however.
Another test you can run is https://panopticlick.eff.org
If everything went well, it should show a message like this:
"Within our dataset of several million visitors, only one in 492 browsers have the same fingerprint as yours."
This means that a lot of other browsers have the same signature as yours, making you more anonymous.
As of now, Firefox pretends that it runs on Windows, which can confuse exploits which attack the browser and make them useless. As you shouldn't install any Flash plugins etc. this should not create any problems with websites. If it does create problems, you can change the User-Agent header to a Linux version with the User Agent Overrider button.
7.2. Tor Browser
7.2.1. Installation
7.2.1.1. Download and extract
Download the latest version of Tor Browser (English, 64bit if you have a 64bit CPU) for Linux from
https://www.torproject.org/projects/torbrowser.html.en#downloads
When the download is complete, open your Home -> Downloads folder on the desktop
Move the downloaded file from your Downloads folder to your Home folder
Click the downloaded file with the right mouse button and select "Extract Here"
You will have to repeat step 7.2.1.1. if there is a Tor Browser update available.
7.2.1.2. Making it work
The "start-tor-browser" icon will not work properly with our installation, so we have to create our own Tor Browser starter.
Open the "tor-browser_en-US" folder (the same folder name the starter script below changes into)
Click the folder background with the right mouse button and select Create Document -> Empty File
Enter any name, e.g. "Tor Browser"
Click the "Tor Browser" file with the right mouse button and select "Open With Leafpad"
Paste these lines into the text editor:
#!/bin/sh
# Start Tor Browser's own Firefox with its bundled profile, separately from the
# system Firefox (-no-remote), so the two never share a process or a profile
cd ~/tor-browser_en-US || exit 1
./App/Firefox/firefox -profile ./Data/profile -no-remote
Save the text file and close the text editor, then click the "Tor Browser" icon with the right mouse button again
Select the "Permissions" tab and check "Allow this file to run as a program"
Click the "Tor Browser" icon with the right mouse button and select Send To -> Desktop (Create Link)
7.2.2. Configuration
Start Tor Browser by clicking the icon on the desktop
You may want to deactivate JavaScript by clicking the "S" icon next to the green onion icon in the browser and selecting "Forbid Scripts Globally". This is however not recommended by the Tor developers.
In the browser, go to Edit -> Preferences, click the "Advanced" tab and push the Settings button in the Network tab
Enter these values:
HTTP Proxy: 127.0.0.1
Port: 8118
Check "Use this proxy server for all protocols"
You can then configure your browser as desired, but don't change the language. Otherwise you may become more pseudonymous than anonymous.
If you want to save cookies for a website (e.g. to stay logged in in forums), click the Tor button -> Cookie Protections and protect the cookies for the website
-
8. Preparing PGP
Click the start button in the Xubuntu menu bar and start Settings > Passwords and Keys
In the Passwords & Keys window, click the "New" button, select "PGP Key" and click "Continue"
Enter a fake name (first + last name) and a fake email address
Click "Advanced key options" and increase key strength to 4096, click the "Create" button and enter a reasonable passphrase for your PGP key
Click "Cancel" to close the "Create New" window (don't cancel the "Generating Key" window).
While the key is being created (this can take a while), open Firefox and browse some website, preferably a hidden service (OnionNews: newsiiwanaduqpre.onion ), or test some programs from the Xubuntu start menu.
When the PGP key is created, close the Passwords and Keys window (click "Cancel"). You can use Passwords and Keys later to add and delete keys of your contacts.
Click the start button in the Xubuntu menu bar and start Development -> Geany
In the Geany window, open Tools menu -> Plugin Manager, check "GeanyPG" and click "OK"
To keep GnuPG from revealing more than necessary (for example its version string), we restrict the information it includes in your public PGP key and in encrypted messages.
Open the Terminal Emulator and type
gedit ~/.gnupg/gpg.conf
Scroll down to the end of the text file and enter these lines:
# don't reveal the GnuPG version or add "Comment:" headers in armored output
no-emit-version
no-comments
# optional: hide recipient key IDs in encrypted messages (left disabled here)
#throw-keyids
display-charset utf-8
# prefer SHA512 for signatures, key certifications and the key's advertised preferences
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Save the text and exit the editor.
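The gpg.conf settings from this step can be audited automatically. The following is an added example (not from the tutorial and not part of GnuPG): a small Python checker that parses a gpg.conf the way gpg reads it, reports which of step 8's options are missing, wrong or commented out, and shows which digest and cipher lead the default-preference-list. The two sample configs inside it are constructed for the example.

```python
"""Audit a gpg.conf for the hardening options from step 8.

Added example, not part of the tutorial or of GnuPG. It parses gpg.conf
text the way gpg reads it (one option per line; a line whose first
non-blank character is '#' is ignored, so the tutorial's '#throw-keyids'
is inactive) and reports which of the tutorial's settings are missing or
wrong and which digest and cipher lead the default-preference-list.
The sample configs at the bottom are constructed for this example.
"""

# Options step 8 adds, with the value each must carry (None = bare flag).
REQUIRED = {
    "no-emit-version": None,
    "no-comments": None,
    "display-charset": "utf-8",
    "personal-digest-preferences": "SHA512",
    "cert-digest-algo": "SHA512",
}

# Algorithm names gpg accepts in a preference list, grouped by type.
DIGESTS = {"SHA512", "SHA384", "SHA256", "SHA224", "SHA1", "RIPEMD160", "MD5"}
CIPHERS = {"AES256", "AES192", "AES", "CAST5", "3DES", "BLOWFISH", "TWOFISH",
           "CAMELLIA256", "CAMELLIA192", "CAMELLIA128", "IDEA"}


def parse_gpg_conf(text):
    """Return {option: value-or-None} for every active (uncommented) option.

    A later occurrence of an option overrides an earlier one, matching
    gpg's last-one-wins handling of its option file.
    """
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        active[parts[0]] = parts[1].strip() if len(parts) == 2 else None
    return active


def audit_gpg_conf(text):
    """Check a gpg.conf against step 8 and return a findings dict."""
    active = parse_gpg_conf(text)
    findings = {"missing": [], "wrong_value": [],
                "first_digest": None, "first_cipher": None,
                "throw_keyids": "throw-keyids" in active}

    for opt, want in REQUIRED.items():
        if opt not in active:
            findings["missing"].append(opt)
        elif want is not None and (active[opt] or "").lower() != want.lower():
            findings["wrong_value"].append(opt)

    prefs = (active.get("default-preference-list") or "").upper().split()
    if not prefs:
        findings["missing"].append("default-preference-list")
    else:
        # gpg advertises preferences in list order, so the first entry of
        # each type is what correspondents will be offered first.
        findings["first_digest"] = next((p for p in prefs if p in DIGESTS), None)
        findings["first_cipher"] = next((p for p in prefs if p in CIPHERS), None)

    findings["ok"] = (not findings["missing"] and not findings["wrong_value"]
                      and findings["first_digest"] == "SHA512"
                      and findings["first_cipher"] == "AES256")
    return findings


# Constructed sample: the lines step 8 appends, after a stock header line.
HARDENED_CONF = """\
# Options for GnuPG
keyserver hkp://keys.gnupg.net
no-emit-version
no-comments
#throw-keyids
display-charset utf-8
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
"""

# Constructed sample of a config that looks hardened but is not.
WEAK_CONF = """\
no-comments
display-charset utf-8
cert-digest-algo SHA1
default-preference-list SHA1 AES CAST5 ZLIB
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, audit_gpg_conf(conf))
```

To check your own file, call audit_gpg_conf(open("/home/you/.gnupg/gpg.conf").read()) from a Python shell inside the virtual machine.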
9. Security updates
Due to possible time/size correlation attacks it's not recommended to leave the automatic security updates feature turned on all the time. Instead we set up the package updater to only update packages when we manually request it.
Click the start button in the Xubuntu menu bar and start Accessories -> Terminal Emulator
Enter "sudo gedit /etc/apt/apt.conf.d/00aptitude", enter your user password when prompted and paste this into a new line in the text editor:
Acquire::http::Proxy "http://127.0.0.1:8123";
Save the file and exit the text editor.
Click the start button, start System -> Update Manager and click the "Settings" button
In the Updates tab change "Automatically check for updates" to "Never" and click the "Close" button, enter your user password when prompted
In the Ubuntu Software tab uncheck "Proprietary drivers for devices"
It's probably best if you change "Download from" to another country, e.g. Russia: mirror.yandex.ru
Close the current window and the update manager.
10. Create a snapshot of the virtual machine
Congratulations! You are now done with installing Xubuntu.
Now that the installation is complete, we can create a snapshot of the virtual machine. If we break something in Xubuntu or pick up some malware, we can revert to the snapshot later.
Before taking a snapshot, you should turn off the Shared Clipboard feature of VirtualBox, and only turn it on again when you need it.
Open the "Devices" menu in the running virtual machine window and select Shared Clipboard -> Disabled.
To create a snapshot, click the "Machine" menu in the running virtual machine window and select "Take Snapshot".
You can create a practically unlimited number of snapshots; the only limit is the size of your TrueCrypt container. You may want to create another snapshot later, after adding PGP public keys and bookmarks.
Deleting a snapshot will merge it with the previous machine state, so the changes you made before taking the snapshot will be made permanent.
To create a backup of this system, simply copy the contents of the USB stick to a folder or another USB stick.
This is recommended, as the USB stick may cease to function after some months or years, if a lot of data gets written on it regularly.
-
11. Using Ubuntu
11.1. Booting the virtual machine
Plug the USB stick into a Windows computer, open the USB drive and start Truecrypt.exe
Select the drive letter you used while creating the TrueCrypt container (in this tutorial we used drive letter L:)
Click the "Select File" button and choose the "crypt" file on your USB stick
Click "Mount" and enter your TrueCrypt password
Start Portable-VirtualBox.exe from the USB stick
If it displays an error message you can usually ignore it
Click the "Snapshots" button and click the snapshot you want to restore with the right mouse button
Select "Restore Snapshot", then uncheck "Create a snapshot of the current machine state" and click "Restore"
Click the green "Start" arrow to start the virtual machine
11.2. Manually checking for updates
You should manually check for updates about once a month, by starting System -> Update Manager.
If there is a Tor Browser update, repeat step 7.2.1.1.
11.3. Using PGP
11.3.1. Adding public PGP keys to your keyring
To add a public PGP key to your list, copy it to your clipboard and start the Settings -> Passwords and Keys
Open the "Edit" menu and click "Paste"
Click the "Other Keys" tab
(Important) Click the newly imported key with your right mouse button and select "Sign Key"
(Important) In the "Sign Key" window select "Casually" or "Very Carefully", click the "Sign" button and enter your PGP passphrase
You can now close the "Passwords and Keys" window again or add some more keys. The last 2 steps are important because otherwise Geany will refuse to encrypt your messages later.
11.3.2. Encrypting text with Geany
Start Development -> Geany and type or paste your text into the editor
Select the whole text, either with Edit -> Select All or by pressing CTRL + A
Open Tools -> GeanyPG -> Encrypt, select the recipient(s) and click the "OK" button
Select the encrypted text and copy it to your clipboard.
11.3.3. Decrypting text with Geany
Start Development -> Geany and paste the encrypted text into the editor
Select the whole text, either with Edit -> Select All or by pressing CTRL + A
Open Tools -> GeanyPG -> Decrypt/Verify and enter your PGP passphrase
11.3.4. Copying your own public PGP key to the clipboard with Seahorse
Start Settings -> Passwords and Keys and select the "My Personal Keys" tab
Click the key you want to copy with the right mouse button and select "Copy"
You can now paste the key into your browser, text editor etc.
11.4. Using shared folders
If you specified shared folders at 3.2., they will be available in the "media" folder of the "File System". To open it as admin, push ALT + F2, enter "gksu thunar /media" and enter your user password.
11.5. Getting a new Tor identity
Click the "Arm" icon you've created earlier on the desktop and enter your user password.
Press "n" to get a new identity. More options are available when you press "m"; use the cursor keys and the enter key to navigate through the menu.
11.6. Torsocks
Command line programs which need a connection to the internet may have a proxy option, where you can use proxy host 127.0.0.1 port 8118 or 8123. A quicker solution is using torsocks. Usually you can ignore the errors.
Usage example: torsocks wget http://google.com
Do you have any suggestions or questions about this tutorial? Was there any problem during installation?
Post it in this thread.
-
You're the man. I have been using Tails and some other options for a while. Thanks for the step by step, all this would have taken me a while to figure out.
-
Nice job! This tutorial gives people another option in securing their setup.
I have some thoughts below.
Advantages over Tails (tails.boum.org):
* all changes you make are persistent (unless you restore a snapshot)
* everything is encrypted, not just the persistent storage
* more control over the Tor configuration (specify EntryNodes in your country or use Tor bridges etc.)
* not using the Tor Browser Bundle, so Firefox is more up to date, with all security/privacy updates etc.
One thing I'd like to point out is that if your primary goal is unlinkability, the Tor Browser Bundle is safer than running regular Firefox. You will be in a much smaller anonymity set if you run Firefox 23, and Tor Browser includes many patches that reduce linkability. However, if your primary goal is untraceability, this setup is safer than running TBB on Windows. Also, I'm not sure that newer versions of Firefox are more secure, since Firefox ESR receives security updates. Firefox 22 and 17.0.7 were both patched against the FH exploit.
* no need to reboot the computer, you can use Windows and Ubuntu at the same time
This makes it less secure than Tails, because the VM is exposed to exploits on the host OS, especially if you are running this on Windows. For example, malware could read the contents of the Truecrypt volume when it is decrypted, or it could steal the encryption key when it is in RAM, or a keylogger could steal your password when you open the Truecrypt volume.
Of course, Whonix on Windows is subject to the same problems, which is why I've held off on publishing my Whonix tutorial (yet again).
* install any Ubuntu software you like through the Ubuntu Software Center user interface
* no need to reinstall anything to update the packages
* copy and paste between Windows and Linux is possible
A shared clipboard is a security vulnerability. If you copy a password on Windows, an exploit in the VM could read it, or vice versa. Shared folders and clipboards should be disabled for maximum VM isolation.
* if your browser gets attacked with malware, simply restore the VirtualBox snapshot you've created upon completion of this tutorial
I love disposable VMs and use them a lot myself.
Disadvantages compared with Whonix (whonix.org):
Like in Tails, if your browser gets attacked and executes a root exploit, the attacker may change the firewall rules to get your IP address. This is unlikely if you regularly download security updates and don't use javascript.
So why not add a separate Tor VM? In fact, why not modify this setup and run it over the Whonix Gateway?
By adding the next line to the bottom of /etc/tor/torrc we make Tor only use ExitNodes in Asia, South Africa and Russia. Note that Russia's traffic often goes through European backbones, with several European secret services potentially sniffing your traffic. This may be an issue (possible time/size correlation attacks when browsing clearnet websites) if you're European and your entry node is in Europe. So you may want to remove the ,{ru} part at the end of the line.
Add this line to a new line in the text editor:
ExitNodes {hk},{tw},{za},{in},{id},{th},{vn},{cn},{ru}
Excluding huge swaths of exit nodes like this harms your anonymity by making your circuits more fingerprintable, and can potentially make the Tor experience terrible with long lags and frequent time outs, while at the same time providing minimal benefit. This option doesn't affect hidden services like the Silk Road market and forum, and most clearnet sites are in the US anyway, so your connection will cross the US border and be exposed to the NSA.
Other than these things, it's a nice tutorial though!
-
Tor Browser includes many patches that reduce linkability.
Where can I have a look what has been patched out of Tor Browser? To me it looks like they're just using plugins and security update patches, but maybe I'm wrong. It may be possible to make the latest version of Firefox (Linux) look exactly like the Tor Browser Bundle (Windows), I'll have to play around with it more.
This makes it less secure than Tails,
I've already mentioned that it's possible to break out of the virtual machine, just as it is possible in Whonix. However using a 64bit OS in combination with AMD-V or Intel VT-X probably makes this less likely. You can't use AMD-V / VT-X with Whonix. Intel VT-X has to be enabled in the BIOS in some cases; AMD-V is already enabled for newer 64bit CPUs.
A shared clipboard is a security vulnerability.
It's more convenient though. For more security one might want to use Host-to-Guest instead of Bidirectional clipboard sharing, and turn the feature off while it's not needed. I'll add this to the tutorial tomorrow.
So why not add a separate Tor VM? In fact, why not modify this setup and run it over the Whonix Gateway?
Already working on it. There will be another tutorial in a few days, which works together with this Xubuntu setup. It won't use Whonix however, it will use a minimal installation of Debian.
For buyers of small amounts a single virtual machine without gateway should be enough though. LE most likely doesn't like to waste their 0-day exploits on small-timers, because it could be detected and exposed on the internet. High profile vendors should better use 2 virtual machines, or even better some Alix or Mini-ITX hardware firewall/router setup. Maybe I'll write a tutorial for that too in future. Though I don't have the hardware yet.
Excluding huge swaths of exit nodes like this harms your anonymity by making your circuits more fingerprintable, and can potentially make the Tor experience terrible with long lags and frequent time outs, while at the same time providing minimal benefit.
There are quite a few exit nodes in those countries, especially if you keep the {ru} part. This is still preferable to getting a random entry node in the USA (NSA) and a random exit node in the UK (GCHQ). When both the route from your computer to the entry node, and the route from the exit node to the clearnet website are in PRISM countries, then Tor is pretty much useless. Some people already say Tor is dead because of this. The EntryNodes and ExitNodes lines are there to make it safer again. Though they may need some fine-tuning and it depends on the country you live in.
If you don't set it yourself, then you are dependent on the random nodes Tor chooses for you. It will happily choose the entry node in the USA and the exit node in the UK, thus negligently exposing your IP address to PRISM. Then I'd rather be fingerprintable because I always "only" use the same 30 exit nodes. But yea, it can get quite laggy that way, and it's quite useless if your entry node is in the USA/UK and the clearnet website you browse is in the USA/UK.
-
Where can I have a look what has been patched out of Tor Browser? To me it looks like they're just using plugins and security update patches, but maybe I'm wrong.
https://www.torproject.org/projects/torbrowser/design/#firefox-patches
Some specific ones that address linkability:
Block Components.interfaces
Make Intermediate Cert Store memory-only
Add a string-based cacheKey property for domain isolation
Disable SSL Session ID tracking
Limit Device and System Specific Media Queries
Limit the number of fonts per document
Randomize HTTP pipeline order and depth
Add mozIThirdPartyUtil.getFirstPartyURI() API
Do not expose physical screen info to window.screen
Do not expose system colors to CSS or canvas
Isolate the Image Cache per url bar domain
Isolate DOM Storage to first party URI
I've already mentioned that it's possible to break out of the virtual machine, just as it is possible in Whonix. However using a 64bit OS in combination with AMD-V or Intel VT-X probably makes this less likely. You can't use AMD-V / VT-X with Whonix. Intel VT-X has to be enabled in the BIOS in some cases; AMD-V is already enabled for newer 64bit CPUs.
I was more concerned about an attack from the other direction, where malware on the Windows host can attack the VM, figure out what you're doing, etc.
A shared clipboard is a security vulnerability.
It's more convenient though.
That's not an excuse. :)
So why not add a separate Tor VM? In fact, why not modify this setup and run it over the Whonix Gateway?
Already working on it. There will be another tutorial in a few days, which works together with this Xubuntu setup. It won't use Whonix however, it will use a minimal installation of Debian.
Nice!
Excluding huge swaths of exit nodes like this harms your anonymity by making your circuits more fingerprintable, and can potentially make the Tor experience terrible with long lags and frequent time outs, while at the same time providing minimal benefit.
There are quite a few exit nodes in those countries, especially if you keep the {ru} part. This is still preferable to getting a random entry node in the USA (NSA) and a random exit node in the UK (GCHQ).
Not really. If the clearnet site you are visiting is in the US, as most English speaking web sites are, you're better off with an exit node in the US, since the chances of being surveilled by the NSA are higher at the borders. If you are in the US and using a non-US entry guard along with a non-US exit node and a connection that comes back into the US to a clearnet site, then you may really be screwed.
When both the route from your computer to the entry node, and the route from the exit node to the clearnet website are in PRISM countries, then Tor is pretty much useless. Some people already say Tor is dead because of this.
Yep, I know, but the majority of clearnet sites that people are likely to visit are in the US, so you are slightly safer by using a US exit node. It's better for the NSA to sniff the encrypted circuit between your middle and exit node then the unencrypted circuit between your exit node and the destination web site, just as it's better for the NSA to sniff the encrypted circuit between your entry and middle node than between your home and the entry node. Thus it's better for US citizens to use US entry guards or better yet bridges.
It depends on the network topology and where exactly they are watching, of course. If your connection between the exit node and the web site traverses an IX that is tapped by the NSA, you're screwed anyway.
If you don't set it yourself, then you are dependent on the random nodes Tor chooses for you. It will happily choose the entry node in the USA and the exit node in the UK, thus negligently exposing your IP address to PRISM.
It is my understanding that crossing the US border increases your chances of being surveilled, so US citizens are better off with a US entry node, or even better would be a US bridge.
-
Another thing you may notice from this debate is how complex it is to avoid the NSA, and how dependent it is on your geographical location and the sites you are visiting. You shouldn't make one blanket recommendation for everyone.
-
I'm guessing VirtualBox doesn't work with Windows 8? I just get stuck at the "portable virtualbox **extract // or compress **" or whatever screen.
-
I think I may be wrong about the AMD-V/VT-X CPU features. It probably works with a 32bit Guest-OS, too. So using a 64bit Guest-OS does not improve security. However using a 64bit Host-OS probably does slightly improve security.
https://www.torproject.org/projects/torbrowser/design/#firefox-patches
Some specific ones that address linkability:
Thanks, I'll have a closer look later, maybe it's possible to further secure this installation of Firefox without compiling it yourself. Though some of those patches aren't necessary when using the virtual machine and the Firefox plugins.
Another issue I found after reading about Whonix is that the setup in this tutorial fetches the time from the host OS. That creates some more fingerprinting issues, when using clearnet websites. So for now it's probably best if you only use this Xubuntu installation to browse hidden services. If you want to browse the clearnet, use Tails or Whonix. Don't use Tor Browser Bundle on your Windows desktop however, this Xubuntu installation is still safer than that. I'll update the tutorial after improving these issues.
Tails and Whonix fix the time problem, TBB alone does not:
https://tails.boum.org/contribute/design/Time_syncing/
There are quite a few exit nodes in those countries, especially if you keep the {ru} part. This is still preferable to getting a random entry node in the USA (NSA) and a random exit node in the UK (GCHQ).
Not really. If the clearnet site you are visiting is in the US, as most English speaking web sites are, you're better off with an exit node in the US, since the chances of being surveilled by the NSA are higher at the borders. If you are in the US and using a non-US entry guard along with a non-US exit node and a connection that comes back into the US to a clearnet site, then you may really be screwed.
True, so with this Xubuntu installation it may be best to choose the clearnet websites you use wisely. E.g. use a search engine outside of the USA, mail provider in Russia etc. The entry guards used in this tutorial will all be in the country you chose anyway. As mentioned in the tutorial you could find 10-20 trusted entry nodes in your country and add their fingerprints to the EntryNodes line in the torrc config file. Or you find some trusted bridges (the NSA can run bridges too) of which you know that they are within your country. However even using only trusted entry nodes or bridges doesn't add much security, I suppose.
I personally only use trusted entry nodes with a short route (less than 10 hops) between my computer and the Tor service, and avoid entry nodes where the route goes through/near territory with US facilities in my country. Some politicians in my country say "the NSA is not breaking privacy laws within our country (and of course we blindly believe everything the NSA says)", but certain US facilities in my country are basically US territory. So technically, politicians are not lying when they say the NSA doesn't break any laws here. It's probably similar in South Korea, Japan etc.
I'm guessing VirtualBox doesn't work with Windows 8? I just get stuck at the "portable virtualbox **extract // or compress **" or whatever screen.
It should work with Windows 8. Does it show any error message? You're supposed to extract it to your USB stick.
-
Any reason why Xubuntu over Lubuntu?
-
Not really. I prefer the looks of Xubuntu, and it doesn't use much more resources than Lubuntu. The tutorial will work with Lubuntu too, I suppose.
-
There have been some minor updates to the tutorial. You can ignore this post if you didn't complete the tutorial already.
Whoever posted this tutorial on torforum.org, you may want to update it too (the entire postings which include steps 3,6,7 and 8). You should also have a closer look at step 6, which doesn't get displayed properly on torforum.org. You may have to uncheck "HTML" while posting or something like that.
In the Oracle VM VirtualBox Manager window, open File -> Preferences and select "Update". Uncheck "Check for updates" because it would tell someone who sniffs your clearnet connection when you are using VirtualBox.
Another optional step has been added to the Tor configuration, if you want to prevent exit nodes in PRISM/Five Eyes countries from getting used for clearnet connections (instead of defining countries which are allowed as exit nodes).
ExcludeExitNodes {us},{gb},{ca},{au},{nz},{ie},{a1},{a2},{o1},{??}
If you use Firefox instead of Tor Browser, go to Tools -> Add-ons -> Extensions
For each add-on click the "More" link and turn "Automatic updates" off, because that can be used for fingerprinting/profiling.
To create a backup of this system, simply copy the contents of the USB stick to a folder or another USB stick. This is recommended, as the USB stick may cease to function after some months or years, if a lot of data gets written on it regularly.
-
If you are using a system like this then you may want to make your /etc/apt/sources.list use the latest experimental version of Tor, because of the botnet which is terrorizing Tor.
Using version 0.2.4 gives your connection a higher priority than the botnet connections (v0.2.3), if the relay is also running the latest version of Tor.
To do this, enter "sudo gedit /etc/apt/sources.list" in the Terminal Emulator and scroll down to the line
deb http://deb.torproject.org/torproject.org precise main
Change that line to
deb http://deb.torproject.org/torproject.org experimental-precise main
Save the text file and enter "sudo apt-get update && sudo apt-get upgrade" in the Terminal Emulator. Reboot the virtual machine when downloads and installation are done.
-
The tutorial has been updated. Step 7.1.5 has been added which explains how to add the Firefox PPA repository to the system.
This makes sure that the latest version of Firefox will get installed when updating the Xubuntu software packages.
Start the Terminal Emulator and enter
sudo su
torsocks add-apt-repository ppa:ubuntu-mozilla-security/ppa
apt-get update && apt-get dist-upgrade
Step 7.1.3. has been changed. It explains how to make Firefox use TLS 1.2 when possible:
Enter about:config in the URL bar and search for "security.tls.version" and change the value of security.tls.version.max to 3 (this may cause problems with some websites but it can use better encryption for SSL connections)
See http://kb.mozillazine.org/Security.tls.version.* for more information.
-
I'm pretty sure Firefox gets updated in any Ubuntu LTS without the PPA. Mine does. Since Mozilla doesn't maintain older versions (except the ESR), each new version is considered a "security update", so they are updated in the LTSes.
-
Right. I just checked it in another installation of Xubuntu. However it only seems to apply to security updates of Firefox. Normal updates of Firefox don't seem to get updated. I didn't get version 23.1 here.
-
There is no version 23.1. I was upgraded to version 24 today. That is the security (and feature) update to 23. :)
-
There was a version 23.0.1. I didn't get that on Xubuntu 12.04 LTS
-
hmmm, apparently there was a 23.0.1, probably an important security fix for 23, that came about 2 weeks after version 23, but they are on a 6 week release cycle, and no minor versions come out after the next major version. You can see it in their release history:
https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/
There was a 19.0.1 and 19.0.2, but no more versions of 19 came out after 20 came out. 20 was the next version and got all the security fixes. 24 got all the security fixes for 23(.0.1).
You can also see it in their release notes from today. They say to upgrade to 24 or 17.0.9 ESR. Those are the only versions getting security fixes. There won't be a 23.0.2.