I would just like to say that there are generally three broad sorts of security mechanisms when it comes to protecting from hackers. These are isolation, correctness and randomization. I wish I still had the picture from Polyfront showing the various things to protect from, but generally: Forensic analysts -> They primarily attempt to analyze your computer system, primarily hard drive, in order to find damning evidence or intelligence for future investigations. Forensics is a broad terminology and can mean various things when it comes to computers, but this is the traditional role of computer forensics. This sort of forensics is also called dead forensics because they are dealing with already seized computer equipment. Live forensics is what the FBI attack against users accessing FH sites is called, better known as hacking. Traffic Analysts / Signals Intelligence -> They primarily gather and analyze communication carrying signals in an attempt to determine who is talking with who, or to trace the origin of a signal. These are the people who would launch a direct attack on Tor, for example carrying out the attack that traces hidden services to their entry guards. They are not generally very concerned with the content of a signal but rather with its meta-characteristics. Network Analysts -> They are primarily interested in mapping out groups of people and the relationships between them. They could use traffic analysis to do this, or various other techniques. Communications Intelligence -> Is primarily concerned with finding out what people say to each other. Whereas signals intelligence is interested primarily in the meta-characteristics of communication carrying signals, communications intelligence is primarily interested in the content of communication carrying signals. A communications intelligence attack may be running a server like Tor mail and gathering drug shipment addresses from everybody who doesn't encrypt them. In some cases meta-characteristics of communication signals can be used to determine the communications, in these cases communications intelligence would be interested in the meta-characteristics. Hackers / Live Forensics -> Is primarily concerned with gaining unauthorized access to remote computers. This is very dangerous because it can be used as a hard to protect from vector through which all other sorts of intelligence can be gathered (by passing Tor removes the need for traffic analysis and leads to easy communications gathering, network analysis, remote forensics, etc). Open Source Intelligence -> I believe an example of Open Source intelligence would be running a Tor exit node in an attempt to identify interesting servers on the clear net. ________ Traditional forensic analysts (dead forensics) are confounded almost entirely by FDE with strong passphrases. In some cases the feds may attempt to circumvent FDE by carrying out cold boot attacks, using keyloggers or hidden cameras, etc. The first level of security comes from using FDE in the first place. The second level of security comes from protecting from the various ways in which FDE keys can be obtained covertly. To protect from Cold Boot attacks you may use a system like Tresor which stores encryption keys in CPU registers rather than in RAM. You can use a motherboard with chassis intrusion detection support and set it to wipe encryption keys immediately if the case is breached. You can configure a system similar to tails, where you have a USB stick that once removed immediately results in the computer shutting down into a memory wipe (tails does this but you can configure similar things for any OS). You could tether this USB stick to a wrist strap and wear it while you work on your computer, so even if the feds rush in and tackle you they will result in the USB stick being pulled out of the PC. You can have hot key combinations on your keyboard, or even a single key, that immediately shuts down into a memory wipe in case of emergency. You also need to follow good operational security procedures. Don't leave your system booted up when you are not near it. Use multiple layers of encryption. FDE is the catch all, but you should also have any stored information individually encrypted with some symmetric algorithm via GPG. If you have stored content keep it encrypted with GPG in a Truecrypt container on a drive that is FDE encrypted, and compartmentalize your stuff, there is no need for your entire FDE drive to have its entire content available in plaintext when it is booted. Various OS allow the home folder to be encrypted separately and mounted with the root password during login, and will automatically dismount it and take you to a login screen after some period of time. Using various layers of encryption like this makes it less likely that all of them will be compromised. The hardest thing to protect yourself from is a covertly placed keylogger or pinhole camera. These can be used to gather all of your encryption passphrases without you even noticing. There are only a few ways to protect from this. The first method is to use a laptop that you literally never let of your sight, and that you sleep next to even. The second method is to use a laptop that you keep in a strong safe when you are not using. The third method is to use battery powered hidden cameras that monitor all entrance points to your PC, and to check for previous surreptitious entry every time before you type your password in. Even if you follow all of these steps you are not totally protected. TEMPEST attacks and remote keylogging attacks (such as laser microphone on a nearby window to gather the sound of you typing, for analysis that can lead to the keystrokes you have made) are still possible. In some cases what you type can even leak into the power grid for semi-remote gathering, if you have your system plugged into a power outlet while you type on it. Taking care of every possible attack like this is next to impossible without having something near a SCIF , secure compartmentalized information facility. This is not realistic for us to do. However, it is rare that the police will go to such lengths, and every additional layer of security you add makes it less likely they will be able to obtain a complete plaintext copy of your drive. Traffic analysts and signals intelligence is very difficult to protect from, especially if the NSA is your adversary. Using Tor offers some level of protection, it is probably breakable by the NSA in many cases but there is not much better right now. To get the most out of Tor you need to make sure you are using it correctly. In my opinion this entails not using tails, because it causes too much entry guard rotation and makes it so Tor does not offer you as much protection as it can. Hopefully using regular Tor is enough for now, if it is not there isn't much you can do other than look at Freenet perhaps. I2P is not really something I would even consider, and it is horrible for our threat model. Hopefully a new generation of anonymity technology is around the corner. Communications intelligence can be protected from by always making sure to use GPG , OTR, or similar. There is still a risk of MITM attacks so it is a good idea to check public keys over multiple independently operated channels (not key servers though), and to create and utilize OTR shared secrets for authentication. OTR without authentication is actually very weak to MITM attacks. Live Forensics is what I would be most worried about because it is the hardest to protect from and stands to gain the most. The techniques for protecting from this generally fall into three broad categories, isolation, correctness and randomization. I think that there are more methods than this though. Isolation would entail running Firefox in a virtual machine that isn't aware of an external IP address and which also don't have the ability to access the Tor process. There are other isolation tools as well, primarily mandatory access controls, these are hard to configure but can provide a great deal of security as well. Correctness means that the programs you are running are implemented properly and without bugs. Almost all programs have security bugs in them, they just might not have any currently known at a specific point in time. Keeping everything fully patched and updated is a requirement for security, the more you lag behind a patch the more likely you are to get pwnt. Additionally, different operating systems and programs have different levels of correctness due to the skill level of the people who implemented them as well as the sort of analysis they have been subjected to. Generally you want to use the most correct OS possible with the most correct applications included. This means you would opt for Debian stable over Ubuntu, Debian stable has a slow release cycle and prior to a release of the OS it and its included applications have been analyzed significantly. Ubuntu on the other hand puts more focus on features than it does on stability. At the extreme end of the spectrum you have operating systems like OpenBSD which have been subjected to continuous security audits for many years and are thought to be largely correct. I personally would actually probably opt for qubes though due to the sophisticated way it has implemented isolation. Randomization refers to features such as ASLR, which can make vulnerabilities that are present much harder to exploit. So once you find the right balance of isolation, correctness and randomization in the OS and software you use, you still are not done. You need to configure the system in a secure way still. This could entail firewall rules, individual hardening of applications (particularly the browser, which at the very least should have javascript disabled), and general hardening of the OS. There are other security programs that can be added as well, such as intrusion detection systems, etc. I think both are serious threats, I would be more worried about application layer attacks as well but I would not ignore the possibility of direct attacks on Tor by any means. BitMessage is another good example of this. Indeed, and it all comes back to complexity. Routing your traffic through an old computer that you turned into a Tor router that runs on OpenBSD is much more secure than running an OS in virtualbox that routes through Tor on the host. If your primary computer is rooted in the first case, the attacker will very likely need to exploit Tor to deanonymize you on the application layer. If the guest OS is rooted in the second case, the attacker could exploit virtualbox to break out of the isolation OR they could exploit Tor to break out of the isolation. Using virtualbox for isolation adds an entire large chunk of code that you need to trust not to be exploitable, versus the hardware solution where you are primarily only trusting the Tor code to not be exploitable. On the other hand, if you use no isolation at all, then you are not getting any additional protection, and as soon as your network facing application is pwnt you are deanonymized (as we saw in the freedom hosting attack). It is also worth noting that firewall rules could have prevented the freedom hosting attack from working, as could have mandatory access controls. A combination of mandatory access controls + virtual or hardware isolation + firewall rules would have added three different layers of security via isolation that an attacker would have needed to overcome before they could get their payload to phone home. Also ask yourself "Does this virtualization based isolation tool support ASLR? does it support NX-bit?". Xen is probably the most secure virtualization system in that it will be hardest for the attacker to break out of. This is why Qubes uses Xen. On the other hand, Xen doesn't support ASLR. This means that if you run Firefox in a Xen VM, it is probably more likely that an attacker can exploit its vulnerabilities than it is that the same attacker could exploit its vulnerabilities if it was in a virtualbox VM. On the other hand, it is more likely that the attacker will be able to break out of the virtualbox isolation than it is that they will be able to break out of the xen isolation. I am not sure where the correct balance is, but the answer is probably to use hardware isolation because it is the strongest isolation possible and it also supports ASLR and everything else. Or maybe the solution is to use Hardware isolation + virtual isolation, but then we are back to square one, should we use virtual isolation that is harder to penetrate or virtual isolation that allows us to use other important security mechanisms as well. Physical isolation with Tor on an OpenBSD box = 2 orders of magnitude more secure than running vanilla TBB. Physical isolation with GPG keys on an air gapped machine = 2 more orders of magnitude more secure. Physical isolation of the network facing applications from Tor, and air gapped GPG keys is probably close to the best you can hope for when it comes to protection from hackers. I agree, but don't forget to air gap your GPG keys and plaintext messages . You could always use Xen or something else yourself. Most people only really want to isolate a few applications, maybe Pidgin and Tor Browser and GPG. You don't really need Qubes for this, it just tries to make it easier and prettier. And Xen is very well tested and widely used. This is a good bet as well, and the biggest advantage is ease of use versus Qubes I would say. A big plus for qubes is virtual airgapped GPG, but this can be configured manually with Xen or VB as well. No persistent entry guards is a massive disadvantage, if you don't set persistent bridges don't use Tails. If they add persistent entry guards I would consider it a fine solution and although not on the level of Whonix or Qubes it would be a solid third place. They shoot themselves in the foot by not having persistent entry guards though, so make sure you use bridges if you use Tails. It is worth noting that had the FH attackers targeted Linux, their payload would have failed to phone home because of their firewall rules (but it didn't target Linux in the first place). Definitely on the insecure side of the spectrum, although it would have protected from the FH attack. Definitely on the insecure side of the spectrum as well, it only protected from FH attack because of security via obscurity which is never what you want to rely on. Isolation is important. Tails is a bit of an exception because even if Linux had been targeted Tails would have prevented the exploit from phoning home. Technically you could configure similar firewall rules on any Linux OS, but you didn't specify that in the description, and virtualization based isolation is much better anyway. This is about as insecure as you can get.