Darknet for Beginners: Nightweb, I2P, Tor over Meshnet, and More

In the previous post, ‘Encryption for Beginners in an Era of Total Surveillance,’ the basics of setup of a simple system of encryption were covered, addressing how to communicate off the record with perfect forward secrecy, and providing guidelines for use of Tor and VPNs.

As circumstances change, so change the methods of communication. In this post, there will be covered recommendations for how to secure yourself against vulnerabilites associated with older versions of Tor or Tails, methods of ‘opsec’ or operational security, providing some general principles for communicating in a way that will allow you to communicate with greater anonymity, instructions of how to set up and run Nightweb and I2P (as well as how to run Tor over a meshnet), and also, how to deal with that broken and insecure web that you are encountering — with more vulnerabilities and intrusions into your privacy developing daily. The post is written for all users regardless of your familiarity with computers and software, while some of the resources in the post will be more relevant for people who build websites or run servers. In general, though, this post is meant to cover a broad range of topics in a way that will be useful to anyone.

You’ll find lots of information — and pageling people will appear to guide you, if you look deep enough.

General Operational Security Recommendations (OPSEC)

So, maybe you are someone who mostly browses the web to checking the news and social media. Perhaps you are a journalist, looking for a way to transmit information more securely. You could be doing research on a variety of legal topics, maybe you are a clerk, a law professor, or a student. Or, you are someone who likes looking at youtube instructions online on how to make things in your home, or maybe you like to develop your own microblogs or you post your own videos occasionally to get the word out about your business or your perspective on some subject or another. Whatever the case, whoever you are, there are plenty of reasons why you should consider diversifying the way you communicate. Diversification and Decentralization will be the watchwords for this little opsec spiel. The reason being is that if you grow accustomed to communicating in only one way, in one venue, with one particular system you hae relied upon forever, you fall prey to it, you essentially can get owned by it.

Having Diversity in your communication is vital if you are interested in maintaining ‘Privacy’ at any level regardless of what that means to you.
There are a lot of layers to this ‘communication diversity.’ A general overview of frequent modes of communication could be thought of as:
1) Person to person (we all talk to people in person, right?)
2) community communication (big groups, public events, a lot of people, meeting new people, chatting someone up)
3) things that happen on the phone, text messaging, chatting (voice calls)
4) things that happen on the phone…. on the internet (whatever software you have installed on your phone to communicate with – mobile internet)
5) tablets / laptops / towers (other mobile devices and traditional desktop style affairs hooked up to internet)

Within this basic set of modes of communication described above ranging from in-person, to group communication in person to different technologies that many people today possess, there are subsets of behavior. Traditional behavior in person often relies upon known or trusted contacts or upon making connections to other networks of people that you are comfortable making a ‘bridge’ or a connection to. Traditional behavior online, if it can be called traditional, often falls into a couple distinct categories: A) Social / Commercial
B) Open Source / Public
The reason for the distinction is as follows. If your online behavior generally causes you to fall into facebook, twitter, or similar social media posting, and if most of the software you use is that which you purchased (commercial), you’re like most people who use the internet for communication — although, it should be noted, just 1/7th of the world’s internet users actually use facebook, and approximately 1 in 5 adults online use twitter — so obviously this isn’t everybody. And that’s a good thing, because if it were, imagine how boring the web would be (and how little privacy people would actually have). Even so, as many as 72% of online adults are social networking site users. If your primary activity when online is spent on social media, you should reconsider how much of your time you will spend on social media and balance that time either with more time spent on in-person communication (open source / public) and / or with more of the time spent within the darknet (open source / public), which will be covered below as part of the recommendations for development of your online privacy potential.
Of course, another way to deal with this is simply to reduce your presence online – which is to say, spend less time online, and / or ditch accounts that you have. But, if you are remaining online you should do so in a way that enhances, and is beneficial to your privacy – by reducing what you reveal – which can still be done.

In general, for your own operational security and privacy, you should also look at the five listed (admittedly simplified) categories or layers of communication described above and determine if you feel that reducing one (or increasing another) may help you.

Frankly it shouldn’t matter whether you are particularly concerned about government, corporations that want your data, random malicious actors who may not like you, all of the above, or something else entirely. If you actually want that elusive thing called ‘privacy,’ then…

…Diversify, Decentralize.

There is also a pretty good set of OPSEC recommendations from grugq here: http://grugq.github.io/blog/2013/06/13/ignorance-is-strength/

Establishing Your Darknet

So here this will cover how to set up your darknet in the way you would like it. But first things first, before covering the programs themselves that will be suggested here, there are some general recommendations to follow.

1) Do I Need HTTPS And Is it Broken or Compromised

Yes, yes, and yes.

But good news, anyway.
a) HTTPS Everywhere and NoScript still will help secure your connection, despite problems that have been reported recently on CRIME and BREACH attacks.
HTTPS Everywhere: https://www.eff.org/https-everywhere NoScript: http://noscript.net/
No matter who you are, you need to check out and get the stuff from the above links!
b) General observations: It’s assumed here that TLS is done for (kaput!) and so is PPTP, although some other things (SPDY, SSH, OpenVPN, and XMPP) are still OK.
c) It seems that not enough people have heard of the BREACH problem and thus haven’t disabled TLS or taken other measures to mitigate this issue (this applies for people who manage websites or run servers). So, here are the posts on it.
1) A story on it (kind of depressing, but hey!)
2) Background on CRIME (parent of BREACH)
3) The BREACH attack
4) Mitigations, or thoughts on how to deal with BREACH from the Django perspective
5) More Mitigation Ideas for BREACH (this is important stuff, worth reading through)
6) Hardening your server’s SSL ciphers against CRIME and stuff (you’ve done all this already if you manage a server right? It’s a non-issue, right?)
(From February 2013)
7) Examine the cipher suites within your browser https://cc.dcsec.uni-hannover.de/

So you’ve done all that and now you feel pretty good about your SSL and encryption. Well, sort of.
OK, time to burst your bubble again.
There’s no good answer to this. The best thing that you can do is to secure your connection (encryption) and make reasonable efforts to connect to who or what you trust.
If you don’t trust something, it’s best not to connect to it.*

*If you have a little time and are interested in evolving crypto protocols and want to participate in their development, see:
Web Cryptography API (Early Release!) from W3C Web Crypto Working Group Chair
To get involved in discussions about cryptography and its development, go here: https://cpunks.org/mailman/listinfo/cypherpunks
To get involved in working on OTR (off the record / deniability), go here: https://whispersystems.org/blog/simplifying-otr-deniability/

2) Perfect Forward Security and Key Verificaton
So, here goes with a brief section (very brief, but important)on perfect forward security. This is something that simply hasn’t been implemented or used a lot, but interestingly, it is one of the best things you can do to keep data out of the hands of corporations and governments. Essentially, perfect forward security relies upon the notion of ephemeral keys — which are used once for a particular type of communication, and then they go away. That’s an oversimplification to be sure. Pidgin with OTR and Adium (programs covered in our prior post, ‘Encryption for Beginners in an Era of Total Surveillance) implement perfect forward security. This article will describe how you, too can ensure that it is implemented in what you are doing. (Because if it isn’t, then the ‘keys’ being used will eventually get owned by someone else.)
a) Implementing Perfect Forward Security – What’s it About:
b) How to get Perfect Forward Security (also called Forward Security) on SSL Servers
The following is for Apache, Nginx and OpenSSL
The following (notes/guides on key verification, etc.) are primarily for those who are working with websites or servers:
b) Verifying ACS-Minted Symmetric Keytype (see also Access Control Service, Windows )
(The following is stuff that you probably have already done if you manage a website or server, it is posted here for reference.)
c) OK… So What is a CSR? (It’s a Certificate Signing Request for SSL, here’s how it’s done)
d) How to do CSR on Apache
e) Verifying the Modulus of the CSR, Private Key, and Certificate (DO THEY MATCH? Well??)
f) NOTE: An alternate course for addressing the Certificate Authority trust / lack of trust / broken-ness issue is here:
http://convergence.io/ Described as “An agile, distributed, and secure strategy for replacing Certificate Authorities” – currently available for Firefox as a way to get off the CA system should you desire to do so.

3) Can You Trust Your DNS?
This site has a Domain Name Server spoofability test. It will automatically check your DNS for any problems. https://www.grc.com/dns/dns.htm IMPORTANT – to read the notes BEFORE you proceed with hitting that button to start the DNS test!
More, on VPN and DNS leakage, can be found here: https://www.cyberguerrilla.org/a/2012/?p=6857

4) Get Picky as a User
When you see that there is another site popping up suggesting itself as a new alternative to corporate communication, don’t take it at face value. In fact, interact with whoever is the contact for the site or system. You should, as should any other user of the internet, ask them the following:
a) Is the site encrypted (SSL)? [If that little green lock (or a lock with some information) doesn’t appear on the left hand side of the browser bar when you are accessing a site, you need to ask the site provider/manager/contact person to get the site encrypted.]
b) Is the site / server implementing perfect forward secrecy? Is the encryption malleable (deniable encryption)?
c) For anything involving chat, does it have OTR (off the record) design?
d) Dos the site / service / software have a “no logs” policy / setting option (and / or is it “no logs” by default)?
e) Does the servce implement zero knowledge (zero knowledge proofs employed such that no-one can see what files you have, what password you use (regardless of what service we are talking about), in a manner that satisfies the three prerequisites of zero knowledge proofs: completeness, soundness, and zero knowledge?

It may seem that you are just being annoying if you are asking these questions to everyone who has a site or a service that you use. But guess what. If just 100,000 people were asking these questions of their sites / services / ISPs all the time, we’d have a lot less privacy problems to deal with. These are standards that should be adopted.

5) Darknet Distributed
Here follow some recommended programs for accessing what is known as the darknet. Use some or all of them as you see fit.

a) Nightweb https://nightweb.net/
What is Nightweb?
It is a program that connects your Android device or PC to an anonymous, peer-to-peer social network.
You can write posts and share photos, and your followers retrieve them using BitTorrent running over the I2P anonymous network.
By starting up Nightweb a user account is created which actually is a key stored on your device. This is different than having an identity such as
a traditional username, password, etc. Your identity is a key.
Privacy considerations: before you install Nightweb on a phone, get a fresh Android, cycle out the SIM,
get Orbot and Orweb on the phone ( see: https://guardianproject.info/apps/ and https://www.youtube.com/watch?v=Dcf5sh99ze0 ) and then run it,
making sure that the phone is accessing the Tor network. (In some countries or areas you will need to connect via a bridge to make it work.)
Then go to the Nightweb site (which you will now be accessing without disclosing your address to the network).
If you are also using this phone for calls, it is recommended you get the Whisper Systems app(s) for text and voice (TextSecure and RedPhone) — and use them every time you text or call. They are solid, have survived tests that similar apps have failed, are secure, and extremely reliable.

b) I2P http://www.i2p2.de/
What is I2P? http://www.i2p2.de/how_intro
I2P is program in which “messages are addressed to cryptographic keys (Destinations), and can be significantly larger than IP packets.” It is designed to provide
“good anonymity,” not, in the words of the I2P introduction, “true anonymity.” I2P is intended to allow “some users (to) avoid detection by a very powerful
adversary, while others will try to evade a weaker entity, all on the same network, where each one’s messages are essentially indistinguishable from the others.”

c) Tor over Open Garden – and Hyperboria
What is Tor over Open Garden?
When you are using Tor, you probably are using it to mask your IP while browsing across a network managed by a internet service provider.
However, Tor over Open Garden is a way to use Tor over localized networks (or, depending on your location, on larger networks) known as
mesh networks that are not managed or controlled by any provider. Tor over Open Garden is simply putting an already common tool to work over the mesh network.
The following links describe the download and settings necessary to do this.
You will need: Open Garden
The settings for Tor over Open Garden are here:
http://opengarden.net/2013/07/using-tor-over-open-garden/
Once you are set up and have run this over an Open Garden mesh, just for fun, try Hyperboria. 🙂
Here is the join page. http://hyperboria.net/#join
And here is the hyperboria map. (It’s growing) http://atlas.projectmeshnet.org/
Aaaand… yes, there’s a hyperboria-only mesh e-mail service. http://www.reddit.com/r/darknetplan/comments/18svfu/new_service_from_hyperborianame_the/

d) Various Darknet Communication Tools: “With Tormail gone, How Will the Darknet Communicate?”
http://www.dailydot.com/lifestyle/tor-tormail-dark-web-communication-pgp/
This is an great article covering in detail (some of) the many ways in which one can communicate via the darknet.
It includes links to BitMessage, TorChat, PrivNote, SMS4TOR, I2P-bote (which is on github), Privatdemail (which I don’t recommend), Riseup, Nym, MixMail, and more.
Heml.is is about ready to go and it is very well done. https://heml.is/ (chat)
OnionCloud is being developed. https://github.com/Miserlou/OnionCloud
Also notable: BitTorrent Sync came out in beta as reported in TorrentFreak on July 17, 2013.
Download: http://labs.bittorrent.com/experiments/sync.html
This is a cool app – you want to check it out.

e) More Reading from Cyberguerrilla on Darknet
Here is a good, long past post on I2P setup, Tor stuff, and more (oldie but goodie, Mar. 2012):
https://www.cyberguerrilla.org/a/2012/?p=5178
For something much more recent, see: https://darkmatter.cyberguerrilla.org/
and: the darkmatter launch announcement
Great reading.

f) The Deepest Dark

LOVE

Love is our resistance.

VISIONS OF THE FUTURE

For some reason I had this vision of a near future where people begin to locate servers (and services) on the high seas – completely outside of any known governmental jurisdiction. There are already precursors to this sort of development happening, see: https://blueseed.co/
Notice that software / internet is the single biggest startup heading literally offshore into the open ocean in the blueseed model: https://blueseed.co/come-aboard/results/
It’s also significant to note that most of them are coming from the United States (although they come from all over the world). The United States is the most restrictive in terms of how it controls the finances of its land-based citizens and pursues them all over the world (no matter what country they choose to reside in) to extract taxes from them to fund the US’s military adventures and surveillance. This is a big reason why people are starting to migrate completely away from the geographic limits of the United States — once you are outside the territorial seas of a country, as the Blueseed vessel will be, there is effectively no ability for a nation-state to enforce its laws upon you.
Perhaps one day we will live on floating homes in the ocean, essentially free of nation-state laws. (Here’s a nice one on a navigable water near Berlin) http://tinyhouseswoon.com/floating-dome-home/

Speaking of laws it is important to discuss what the terms are for commonly used websites and what these limitations are in the current legal climate which currently is resulting in the US and UK (and many other jurisdictions) prosecuting people simply for accessing information.

EXPORT CONTROLS
1) The US government has become far more aggressive against the internet than many realize — even to the point that it attacks public distribution of certain encryption technology (in turn, which limits the viability of the technical infrastructure upon which the government itself relies). In a recent (July 26 2013) announcement from Defense Distributed, it was stated that “The International Traffic in Arms Regulations (“ITAR”), administered by the Departmentof State Directorate of Defense Trade Controls(“DDTC”), requires prior DDTC authorization for exports and temporary imports of “defense articles” and “technical data” described on the ITAR U.S. Munitions List (“USML”) unless anexemption or exclusion from the ITAR applies.” However, it went on, “DDTC does not recognize information on the Internet as per se within the public domain exclusion. Instead, DDTC focuses on whether such information was validly placed on the Internet, emphasizing that prior approval from the U.S.Government is required prior to transmitting technical data into the public domain regardless of whether the information is privately generated technical data, technical data subject to government contract restrictions on dissemination, or national security classified information.” In other words, the US government has come to believe that it can actually control what can be placed on the internet, and continues to try to do so. In the case of Defense Distributed, this had to do with plans for weaponry which people could build at home. (One can legitimately make the argument that information should be free, and not constrained by geography or the politics of the state, regardless of what the information is that is being transmitted, and in the case of Defense Distributed, this just shows that individual sovereignty and technology will ultimately have greater influence than state controls.) However, regardless of what your views are on the subject of Defense Distributed specifically, the same regulations and governmental approach are also applied in the context of cryptography, which is increasingly viewed by the US government as a weapon, or to any information the US government simply doesn’t want to appear. To wit, “DDTC takes the position in informal industry guidance that information on the Internet remains ITAR controlled if it was transmitted into the public domain without requisite authorization.” (This is for all “technical information” and is not subject specific.) As was revealed in 2012
through a presentation on the issue, the US continues to try to control all available forms of encryption. While the US did concede at one point to remove items related to encryption as you can see here
the fact remains that any encryption matter related to computers or the “sending, receiving or storing of information” is something that the US “government” still obstinately tries to pursue control over, even claiming that people who make it available for download are supposed to register with the US government before the “export” (read: download from your site to anywhere in the world via the internet) occurs.
Of course, it’s not like we care about this… everybody should make whatever software they want available to everyone in any link they can create from anywhere. But the point is made: We are dealing with governments that have an aggressive stance against the internet, that don’t even understand the meaning of the word “download” or even what the “internet” actually is, and who see the use and distribution of encryption as an “export” matter rather than as a natural process of free, open source ecology and distribution – which is what it is.
2) The Wassenaar Arrangement is again being developed, essentially behind closed doors and at the request of governments, to try to stop the flow of public cryptography. Originally, this arrangement was devised (with respect to the cryptography section) to ensure that participating nations would at least authorize use of cryptography with short key-lengths (56-bit for symmetric encryption, 512-bit for RSA) so that those would no longer be export-controlled. However, the problem is that encryption is still viewed in this system as something subject to export controls, and people will keep developing it in efforts to outpace governmental controls and regulations surrounding it – as they should. Currently, in the U.S., “mass market encryption commodities, software and components with encryption exceeding 64 bits” (75 F.R. 36494) requires encryption registration with the BIS. Additionally, other items require a one-time review by or notification to BIS prior to “export” to most countries. For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required. This is an example of ridiculous regulation that almost nobody complies with, unless you are a developer producing products that are being prepared for commercialization.
But in reality, with the growth of encryption everywhere, who is complying?

Nobody in their right mind is going to comply with the US government in the matter of its desire to control and register instances in which software or hardware with encryption is made available.

Any self-respecting open-source developer will establish anonymity, develop code, and release it to the world with no authorization whatsoever.

The code will live or die on its own merit.

VULNERABILITIES
Here some of the vulnerabilities of systems which rely upon encryption are explored:
Bitcoin integration is run in github. https://github.com/ Looking purely at github’s certificate alone, which is DigiCert, https://www.digicert.com/ssl-cps-repository.htm we see that it places some limitations on the user of the certificate, including the fact that DigiCert “may revoke a Certificate, without notice, for the reasons stated in the CPS, including if DigiCert reasonably believes that” (…) “Applicant is added to a government list of prohibited persons or entities or is operating from a prohibited destination under the laws of the United States” (…) “the Private Key associated with a Certificate was disclosed or Compromised” (and other factors that DigiCert stipulates). In other words, if a government decides to threaten github because it serves as an integration point for bitcoin, it is possible that the certificate could be revoked unless the bitcoin users of github who contribute as commenters, designers, or people who offer up adjustments or fixes, are kept off of github. In such a scenario (as an example), one could see government pressure being placed on DigiCert that would cause https://github.com/bitcoin/bitcoin to be removed from github in order for the github site to retain use of DigiCert. (If such a situation were to occur it is likely there would be a great uproar, but given the development of the U.S. position regarding the internet, such an occurrence cannot be ruled out, and one cannot simply assume that “it won’t happen.” In fact, if you can imagine it happening, it probably will.) It is unlikely that the mere fact that the disclosure or compromise of the private key of the certificate by a government, and disclosure by a government of that fact, would cause problems for github comprehensively. Yet this language makes it clear that the terms which certificate users have agreed to when they create and maintain sites such as github create a problem for development of innovations such as bitcoin. Bitcoin.org has no certificate, no encryption — a situation which has its own obvious problems. Bitcoin.org currently sends users to download the bitcoin-qt client from sourceforge. Sourceforge is encrypted and has a certificate based on GeoTrust: https://www.geotrust.com/resources/repository/legal/ The circumstances for revocation associated with GeoTrust appear to historically have been reasonable and not directly tied to or reliant upon governmental action.
However, a review of these statements should make clear that the terms that are associated with the certificates are important. It shouldn’t just be viewed as “something to buy to get the certificate / for SSL” or whatever. In today’s legal climate, an examination of the company’s terms is important.

Taking this a step further, we should also examine where sites are hosted and the vulnerability of those sites based on their location. Looking at bitcoin.org as an example, a simple check on whois.net shows that it is registered in Helsinki, Finland. This makes sense, since the Central Bank of Finland has stated that bitcoin is legal to use in Finland. Also, Finland has recently done well at crowdsourcing development of its copyright law – a more inclusive approach to its legislative action. However, beyond this, one also wonders what is the record of websites being taken down in Finland upon government request. ZDNet reports that “UK courts have begun ordering ISPs to block access to sites that host copyright-infringing or ‘pirated’ content, or help people to share this material. The same thing has happened in France, Denmark, Italy and Finland.” One place to look for potential signs of govermental abuse is at the Google Transparency Report link, which identifies governments that have reqested that material be removed or taken down. https://www.google.com/transparencyreport/ (This is not a complete list.) Given the attitude of governments towards the internet these days, it would seem appropriate to mirror the site (and the code provided) – whether it is bitcoin.org or any other site that offers vital code or other innovative information — in different countries to minimize risk.
How-To: See HTTrack details at http://btmash.com/article/2011-05-25/mirroring-website-using-httrack or – if you want something simpler –
(Simpler:) A guide to mirroring censored blogs and other material
Additional info: Open Source Cloud Method for Saving Info in An Encrypted, Distributed Way, For Those Moments when your Site is Taken Down And you Need to Get the Content Back From a Vault Somewhere and Toss it Back Into the Web

In the case of bitcoin, all of this information such as the bitcoin-qt client and everything else is very decentralized and is squirreled away in many places by many people. However, just as a case in point, because of the U.S.’s aggressive stance against the internet itself, it may be wise to post obvious mirrors of everything you are doing from your site, if you care about it, in addition to maintaining mirrored sites that you do not post links to publicly from your primary site. Redundancy means that in the event your site is smashed by some stupid government, you will still be up and running.

MESH NETWORKS PRO AND CON
As part of this post mesh networks were covered and some people have criticisms of mesh networks. That’s well and fine so to address that here is included a critique of mesh networks – mesh vs. the hub-spoke approach: http://openitp.org/mesh-networks/trevor-ellermann-on-mesh-networks.html
On the other side, speaking in favor of mesh networks, here is Bryce Lynch:
http://openitp.org/mesh-networks/interview-with-bryce-lynch-from-project-byzantium-on-mesh-networks.html
My own take on this is that mesh networks are going to grow and different approaches will be used to establish them in many cities across the globe. Already we see them in broad use in some cities. It is a growing area and it implies that we must take more responsibility for our communication – both for building and maintaining our networks.

Following up on this I’m going to make a brief pitch here for a project which, at the time of this post, has less than a month in its funding campaign. It’s a mesh networking project on indiegogo. I hope you’ll support it. I think the video speaks for itself so I’ll let the Serval Project folks do the talking. This is truly amazing stuff and I hope you contribute.
http://www.indiegogo.com/projects/speak-freely

TORSPLOIT AND OH-NOES WHAT TO DO
First, is the US government behind “torsploit,” the recent exploit / attack on Tor? Well, yes. Here’s a pretty good article describing the ProPublica perspective on that.
https://www.propublica.org/nerds/item/is-the-u.s.-government-behind-torsploit
Second, what to do about it?
There has been a lot of talk about what you should or should not do. But one thing is obvious – if you are using Tor, make sure and keep your software updated.
Periodically, go check at http://torproject.org/ for new versions. Do this often. (Experimental versions are not recommended. As of the time of the authoring of this post, Tor had released Tor Browser with new Firefox 17.08ESR as the most recent release.)
Likewise for Tor Tails https://tails.boum.org/ (this does not require an install to your computer or phone, as it includes an OS which along with everything can be downloaded to a USB or CD) which from here appears to perform in a more secure manner for general use than Tor Browser Bundle itself. Make sure and check on that page and download the latest updates.
If you know how, and wanted to, you could also pull Iceweasel / Iceweasel for Windows off sourceforge and run it in VM together with Tails (within Windows).
Regardless of whether you are using Tor / Tor Browser Bundle or Tails, obtain and run NoScript http://noscript.net/ NoScript comes with Tor.
With NoScript in place, it is recommended you go to your NoScript settings and disable Java and Javascript as these are likely to eventually result in persistent vulnerabilities. Alternatively you can leave Java on and disable Javascript, and whitelist specific sites for Javascript (that you really need to have using it) as you go. One thing you don’t want to do is assume the default settings are just going to take care of you – because they aren’t. You have to be on top of it.
Inevitably there will be “browser footprint / loss of anonymity” comments here. It seems to have been the classic response: “We have to have java and javascript on all the time! The web will be broken without it!” No, it won’t. To leave Javascript on for everything even with the fixes that have been made to Tor Browser Bundle is just inviting the creation of a giant gaping security hole the size of a Sarlacc. Keep javascript off in your NoScript settings unless it is cleared to run on something by virtue of your whitelisting a site or sites.

VPNs
Virtual Private Networks were covered in the last post, ‘Encryption for Beginners in an Era of Total Surveillance’ and things have not changed substantially with respect to VPNs since then — except to state that you need a VPN to ensure that communications are both private and encrypted end to end. If you are already running Tor, and don’t have a VPN, you need to add a VPN as well.
In addition to the 2013 recommended list of VPNs shown here,
check out Cyberguerrilla’s VPN (go to Comms, CgAN VPN) and Cryptocloud’s VPN.
Make sure to secure your VPN against leaks though.
In the case of VPNWatcher, it is designed to shut down uTorrent and keep it from running if your VPN were to drop off suddenly.
Additional instructions for Windows users who are interested in setting it up so that only VPN traffic is allowed should review
this http://practicalrambler.blogspot.com/2011/01/windows-7-firewall-how-to-always-use.html
and this http://practicalrambler.blogspot.com/2011/05/how-to-block-all-internet-traffic.html
If you are also running Tor within a VPN you’ll want to carefully check to make sure you are not inadvertently blocking your Tor traffic, and adjust your settings accordingly.

A BRIEF REVIEW OF THE CHROME EXTENSION KNOWN AS ‘ILLUSION’
https://inputs.io/illusion/project
Illusion functions by making shadow web requests in the background defined at a frequency set by the user. The shadow (background) requests are intended to mask somehow your actual web activity so as to make it less obvious what you are actually doing. If someone is surveilling all of it they would see all of the requests that are made including your web requests and the shadow web requests, but would be unable to distinguish which are yours and which are generated by Illusion. The problem with this is twofold. One is that Illusion appears to defer to the idea of being monitored and surveilled as long as the user can counter the surveillance with a lot of confusing data. In general the approach should be to strengthen and develop systems of encryption, and begin the move to shift to what is known as ECC encryption – but not assume that all is lost in the battle against surveillance. The other problem with Illusion is that the shadow background requests, according to the Illusion page, “are real requests from a pool of what sites other Illusion users have been visiting.” So, in other words, the Illusion extension for Chrome is grabbing records of what you have been visiting and putting this into a pool of sites. It will do this for anyone who uses Illusion.
This would be a more reasonable extension if the pool was generated by random acceptable keyword search (that the user could approve) from each user’s shadow background request, rather than being generated from sites that Illusion users are actually using. However, as it stands, Illusion does not marginally solve the problem of traffic analysis by corporate or governmental actors. It appears to only compound it.
(At least, though, the Illusion site did recommend https://prism-break.org/ – an excellent site which everyone should visit.)
This does raise the interesting question, however, if there are persistent surveillance threats present to a system, such as a system of encryption, which may include a VPN and usage of other software, would use of a technique that allows for massive amounts of confusing and irrelevant information to surround the encrypted system be useful as a defensive mechanism? Possibly, if it were developed in a manner that would protect the encrypted system without resulting in another layer of unintended (self-generated) data disclosure [and thus, surveillance].

TOO MANY VULNS TO PATCH SO NOW WHAT?
Threatpost has a good response to that.
https://threatpost.com/relax-you-dont-have-to-fix-every-vulnerability/101927
At the very least, it gives you an idea of what you need to prioritize before everything really hits the fan.

THERE ARE QUESTIONS I WOULD ASK
for example, what country or countries should the server(s) that your web site is hosted on, be located in? (Not just who are you doing hosting with, but where are you doing the hosting?) Where something is hosted MATTERS — do a little homework on https://www.1984.is/ and see where they are located. (Hint, it starts with an I.) Are their servers located where their postal / contact address is, or are the servers somewhere else? What would be a good standard for people to adopt in order to disclose where their content is hosted, (website hosted in country x, server(s) in country Y) and how would an abbreviation system work to allow this to be noted quickly as a footnote to a website or a microblog/social bio? How could individual sovereignty be expressed through such a a disclosure as people migrate away from the nation-state model and adhere more to a boundary-less, internet-ish model of expression and movement? How do you go about effectively implementing a “no logs” policy while knowing that nearly the entire web is being surveilled and attempts are being made to log much of its traffic? There are questions I would ask.

RANDOM RESEARCH (You know, just to add to the reading list)
1) ASICMiner Devices: Rack, ASICMiner, Satoshi Stick, Block Erupter Blade http://www.asicminer.co/devices.html
2) Bitmit (Where ASICMiners, Satoshi Sticks, and Raspberry Pi Host Miners go to be sold…) https://bitmit.net/
(Note: If local governments are giving people hundreds of thousands of dollars to go live in abandoned houses in Detroit, what’s to keep people from using some of that housing renovation money for Butterfly Labs devices, http://www.butterflylabs.com/ ASICMiner devices and whatever other bitcoin miner stuff they can fill the houses with? Increasingly, vacant homes will be used as part of the infrastructure of a new bitcoin economy.
Article reference (for the Detroit vacant homes being given away or people being paid to take them): http://www.businessinsider.com/abandoned-houses-detroit-2011-2
3) Crypto St, Other Converters for Multiple Decentralized Virtual Cryptocurrencies
http://www.coindesk.com/altcurrency-exchange-crypto-st-converts-bitcoin-litecoin-and-feathercoin/
4) The Standard Thing In Your House Should be a Microwave, a Fridge, and a (Non-USA Chip) Bitcoin Generator http://www.coindesk.com/a-look-inside-kncminer/
5) Stupid Ideas are Stupid (Regulators that Pretend Not to Be Regulators are still Regulators)
http://www.coindesk.com/data-reveals-plans-to-get-us-government-states-and-banks-on-board-with-virtual-currency/
6) Onion Pi Tor Proxy ~ Using Raspberry Pi http://learn.adafruit.com/onion-pi/overview / Roll Your Own https://www.adafruit.com/category/105
7) Tor Relay ~ Using Raspberry Pi http://lifehacker.com/5953155/use-a-raspberry-pi-as-a-tor-relay-and-help-others-browser-anonymously
8) Wearable / Easily Placeable Electronic Platform https://www.adafruit.com/products/659
9) Encryption Unraveling (Well, Sort of): The Discussion from Black Hat 2013 of the Shift from One Thing To Another
http://searchsecurity.techtarget.com/news/2240203039/Black-Hat-2013-Experts-urge-elliptical-curve-cryptography-adoption
10) Tor Problems (As Discussed in May 2013…) https://www.cyberguerrilla.org/blog/?p=15358
11) The 20,000 Leagues Under the Sea Analogy (See How Neat It Was, They Hide What They Are Doing, Then they Destroy It, People Do Nothing About It, But Secretly They Like It How It Was) http://www.20kride.com/photos_after.html (Change happens, it isn’t always good, it’s up to us to figure out what we want, if we don’t decide for ourselves, someone else comes along and decides for us)
12) But Browsers Are Inherently Insecure, and Metadata, and Traffic Analysis!
https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/comment-page-1/#comment-111205
(Primary Post: https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/ )
13) Do Most Software Sites Essentially Operate Like a Covey Range Feeder? https://www.qualitywildlife.com/shop/store/category/covey-range-feeder/ (Attract The Target, Feed The Target, Kill The Target) In our search to get the latest greatest cloud-provided service or software, are we just behaving like quail?
[Tor Suggestion 1 https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable#comment-32316 ]
[Tor Suggestion 2 – the AnonyOdinn / Lilith piece https://lilithlela.cyberguerrilla.org/?p=4959 ]
[Tor Commentary / Reminder – the rooted piece “Tor of May” https://www.cyberguerrilla.org/blog/?p=15358 ]
[Tor Exit Nodes, Dealing with Port Scanning and Port Blocking, More… See Comments https://blog.torproject.org/running-exit-node ]
14) The Mind-Boggling Implications of a Bitcoin Economy http://caeconomics.wordpress.com/2013/07/21/american-thinkerthe-mind-boggling-implications-of-a-bitcoin-economy/
15) TorWallet, BitCoinFog, BitCoin Laundry: Trust Without Jurisdiction http://www.forbes.com/sites/jonmatonis/2012/06/19/torwallet-sparks-trust-without-jurisdiction-debate/
16) Constant Backdoors Everywhere (And You’re A Fool If You Think It Is “Just a Windows Problem”) http://www.jasonvolpe.com/should-microsoft-help-nsa-exploit-vulnerabilities/ ~ The “You Wouldn’t Let Police Build A Back Door Into Your House, Would You?” Analogy
[That link was found in torblog as a comment in the original post at: https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable [Tor Security Advisory, Aug. 5, 2013]]
17) It’s Here: Terahash Level Mining from Home, With No Equipment (If You Trust Alydian – a US Company) http://www.alydian.co/ | Note: Alydian is the first venture to be funded by Coinlab http://techcrunch.com/2013/08/07/coinlab-the-bitcoin-incubator-announces-first-funded-company-alydian/
18) OpenWatch Designs OnionCloud as an Alternative to Freedom Hosting (Being As Freedom Hosting Has been Taken Down). The Github is Here… https://github.com/Miserlou/OnionCloud
Interestingly, the OpenWatch mailing list is hosted on GOOGLE…
at openwatch-dev+subscribe@googlegroups.com
19) Even if corporations or government get access to “Master Keys,” those aren’t worth a thing if the keys you are using are EPHEMERAL (a.k.a., Perfect Forward Secrecy) http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/ Same thing for the “Microcode Updates ~” http://steveblank.com/2013/07/15/your-computer-may-already-be-hacked-nsa-inside/ which can be defeated by use of EPHEMERAL keys.
20) Speaking of Perfect Forward Secrecy… http://blogs.computerworld.com/encryption/22366/can-nsa-see-through-encrypted-web-pages-maybe-so
21) Metadata Wrangling
a) For Adobe Photoshop / Lightroom users, a free plugin that will remove almost any metadata http://regex.info/blog/lightroom-goodies/metadata-wrangler
b) For all kinds of things (including stripping and gettng rid of metadata as it heads away from your server) check out http://www.digitalconfidence.com/ConfidentSend.html (ConfidetSend, MailValve, etc)
c) For selecting just a couple files at a time to get rid of their metadata before sending / posting / etc http://www.softpedia.com/get/System/File-Management/FreeScrub.shtml
22) Traffic Analysis: Just a Taste of the Monster https://www.networkworld.com/news/2013/072913-npulse-272174.html
23) Don’t Pretend XKeyscore and Stuff Like that doesn’t Exist http://nakedsecurity.sophos.com/2013/08/02/nsas-xkeyscore-is-a-global-dragnet-for-vulnerable-systems/
But Don’t be Frightened By It Either (Excellent Post by CryptoCloud) https://www.cryptocloud.org/viewtopic.php?f=17&t=2944&hilit=xkeyscore
24) The NSA Lawsuit Tracker (This Doesn’t Show All the Lawsuits, By the Way) https://projects.propublica.org/graphics/surveillance-suits
Open, decentralized systems will ultimately defeat more centralized systems, which are more prone to total compromise by state or corporate actors. Open source isn’t just for software — hardware can be open sourced too, it’s the principle.
25) Homemade CPUs – From Scratch (You Can Make A Processor from Low-Frequency Transistors, Too) http://3.14.by/en/read/homemade-cpus
( Thanks to Mikhail Svarichevsky for this neat page, he also has done review of Bitfury and other bitcoin stuff –> http://3.14.by/en/read/bitfury-bitcoin-mining-chip )
26) Concerned about hardware being backdoored? Do It Yourself – or Contribute to One of These: http://opencores.org/
27) Not happy with the state of bitcoin wallet services? Roll Your Own! http://coinpunk.org/
28) Even the Cloud Can Be Open Sourced https://tahoe-lafs.org/trac/tahoe-lafs
[[See also: Syncing Data with Tahoe on Tails https://tahoe-lafs.org/pipermail/tahoe-dev/2013-August/008643.html ]]
29) Even journalists are getting more into open source hardware and software… They must know something. 🙂
http://ijnet.org/blog/how-latest-open-source-hardware-and-software-could-change-journalism
30) An example of a well-done Open Source Community Platform https://dukgo.com/
31) Check out the development of / debate on social platforms and some potential alternatives at http://secushare.org/

32) Threw this one on at the last minute: Lamassu Bitcoin Machine is now available for pre-order. It’s a new world out there folks. Say goodbye to the dollar. https://lamassu.is/

***final note*** Added at 5:00 PM PST Aug 12, 2013: Due to the wholly unjustified governmental assaults on investors associated with bitcoin, an attack which appear to be coordinated presently from the government of New York, one of those great bastions of fascism that just got its ass handed to it on a platter because of its illegal stopping and frisking of millions of people, this is a call for anyone and everyone reading this to boycott all business in New York effective immediately. Please reblog and repost within your blogs and forum discussions.
Any state which makes a practice of subpoenaing either investors in bitcoin or users of bitcoin – clearly a means of threatening people who simply want an alternative to an unjust system – should be boycotted. New York’s continued pursuit of stop-and-frisk in its state and even, as we see, beyond its borders as exemplified by the subpoenas and virtual stop and frisk of bitcoin people clearly justify the boycott. If you are unable to boycott the State of New York due to your residence in it, please boycott any business that contracts directly with the State, and do not engage in any government business that would provide revenue to the State. In this way you will be localizing your boycott.
In addition, please support the following efforts with your time and energy:
Help make Bitcoin anonymous – join the discussion on the Zerocoin protocol here https://github.com/Zerocoin/libzerocoin
Check out the site: http://zerocoin.org/
If you aren’t already, start using services that obscure and hide bitcoin transactions, like:
http://www.bitcoinfog.com/ and http://www.bitcoinlaundry.com/
Together we can stop the insanity of state assaults on our freedom to transact as we wish!
********

IN CLOSING

Do you believe this man? –> http://www.usatoday.com/story/news/politics/2013/08/09/obama-privacy-nsa-surveillance/2635735/
You’re not alone if you don’t. Protect yourself. Protect your privacy and communications. You have only that privacy that you are willing to secure for yourself by your own efforts.

Hope this has all been useful. To wrap up, here is a Song for Friends.

3 Comments

  1. unready
    unready October 6, 2013 at 11:24 pm . Reply

    Great and useful article, however, the author’s horrible and infantile taste in music should have no place in it. Geesus, the Muse just degrade everything written here to a new low, because they suck so much.

  2. […] (who, for protecting his sources, is being persecuted by a judge) has 1000 followers, and I am preparing new blog post for odinn.cyberguerrilla.org which will mostly deal with open source OS’s (and will discuss why people should consider […]

Post Comment

Skip to toolbar
Member of The Internet Defense League