/cyb/ - cyberpunk and cybersecurity

>Secure tor usage and configuration,
In general you want to break "the rules" of the tor project as little as possible / not at all unless you have a valid reason for it. That being said, there's many cases where using tor or a VPN isn't going to help you.

>torrenting
You cannot torrent over tor. I use a VPN service - Private Internet Access - that supplies a proxy, and proxy my torrents through there. Another thing to watch out for is any VPNs which don't give you a dedicated IP address won't be accepted on many private trackers (laintracker is one exception, apollo is not).

>javascript
I don't think tor browser disables javascript by default or not, but you have to turn on noscript to get that to work. Fortunately, noscript comes preinstalled on tor. tor can be deanonymized with javascript, so you should use js as little as possible.

>openWRT router
There exists firmware software for routers that allows you to torrify all internet access: https://openwrt.org/ . Keep in mind that this is a non-standard usage of tor, and there may be other issues that arise from not using the tor browser bundle.

>Tails
TAILS is a live system that completely torrifies itself and deletes everything from the host machine after you remove it. This is useful for a number of reasons, however as a live system you'll have trouble saving documents or keeping configurations, aka maintaining it as a 'daily driver'. Do some research on that. In general to stay anonymous you don't want to change anything that will affect how you look on a network.

>Whonix
Whonix is a VPN you run on your computer using OpenBox or something else. It will anonymize everything you do through Whonix and makes it easier for the tor -> VPN connection.

>non-standard tor usage in general
Products which are not the tor browser bundle, but ship with tor, such as android applications, may be less secure than the TBB in general. They may allow you to torrify more applications, which enables anonymity across more mediums, but you will have to research any issues the individual project might have.

>Pros and cons of tor alternatives
I can't tell you about all the other anonymizing networks that you can't startpage / searx for yourself, but you should definitely do this. Maybe another lain could help you?

>VPNs
I know less about VPN usage and I think they will make you in general less anonymous. For complete anonymity, you want to connect to tor, and then connect to a VPN through tor. So the setup is tor -> VPN. This is because VPNs hide what you're doing, but tor hides who you are. However, this level of anonymity is not really necessary if you aren't being actively hunted by a TLA (NSA, CIA, FBI, etc) or someone with their tools (distribution is unknown). AKA don't need it unless you decide to hack some servers or become a high-profile enemy of the state.

>Purchase using bitcoin
You also want to anonymize your bitcoin wallet by setting it up over tor and exchanging your money to bitcoins using localbitcoins or some other cleaner. Since the blockchain is essentially a giant distributed log of all bitcoin purchases, bitcoin is not inherently anonymous. This I learned from the jolly roger's security guide - https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/ . There are bitcoin wallet services on the onion network itself.

>WebRTC
There's a vulnerability in the WebRTC protocol that leaks your IP address through VPNs. You can get a browser addon called "WebRTC control" that fixes this. Tor has WebRTC disabled, so you needn't worry about it, but if you choose to use a VPN it's important to do that. I believe the uBlock origin (emphasis on origin) addon also provides this feature, but I haven't gotten it to work properly.

>what VPN to get
simply using a VPN is not a magic bullet. You need to pick the right VPN. I've been suggested Trust Zone, but the exact one you choose is a personal decision based on your needs. This site should be useful to that end: https://thatoneprivacysite.net/

>And finally how does lain stay anonymous?
I use a mix of tor and VPNs depending on what I'm doing. However my non-anonymized IP address is shared with others, so the info that can be gotten to it will at best allow someone to track down what regional network I'm on. Because of this, and the banning of VPNs on different sites, I don't always use VPN usage. I also use a huge list of browser addons to give me marginally more anonymity:
generally, uBlock Origin + uMatrix is my go-to. uMatrix is a general request blocker, kinda like NoScript but for all web requests (like frames, css, images, plugin usage, XHR and setting cookies). uBlock Origin is the best aad-blocker I've come across that also allows blocking other requests that may track you, and I use it as a fallback in case uMatrix is disabled for some reason. I also use uBlock for tor because it makes websites go so much faster.

But I also have an addon to spoof / remove referrers, a "supercookie" blocker which manages flash cookies called BetterPrivacy, an addon called TrackMeNot which sends random google, yahoo, and bing searches of New York Times headlines, HTTPS everywhere, an EFF project that forces HTTPS usage on websites, Beef Taco which sets the "do not track" opt-out cookie for many websites, Cookies Manager + which gives you more control over the cookies you use, and Google Privacy which replaces links on google, facebook, and other sites away from their soykafty redirects that track you to the actual site you're using.

My setup is probably overkill / nominal in that I could do something simpler that gives me more anonymity, but the problem with doing that is that I don't have access to every website I'd like to use. You really have to make tradeoffs on what you value, which is soykafty, but welcome to the 2010s internet. In general, you want to have a good idea of threat modeling. Here's other helpful websites:
https://prism-break.org/en/
https://privacytools.io/
https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/
https://securityinabox.org/en/
https://en.wikipedia.org/wiki/Threat_model
https://www.eff.org/
http://www.logicalincrements.com/firefox/
take everything with the amount of salt you find appropriate.

>>76
Thank you kindly for that wealth of information. You've dropped enough names for me to continue research on my own for sure.

I'd still love to hear about other lainon's privacy / anonymizing set ups.

>>83
th-thanks :)

If anyone has a question I can answer to the best of my ability.

>>72
>>76
>You cannot torrent over tor. I use a VPN service - Private Internet Access - that supplies a proxy

That provides no privacy, the PIA socks proxy for tormenting is a joke.

If you want privacy stick to NNTP

>>76
You should also mention that instead of using a VPN for torrenting you can either use i2p as a http proxy for your clearnet tor client or use i2psnark to download torrents from i2p's own trackers instead.

The logicalincrements link is great but also make sure to use privacy-respecting builds of firefox like GNU-icecat, iceweasel, Palemoon, or special builds like from the AUR since the default Firefox build has telemetry and other nasty defaults.

https://aur.archlinux.org/packages/firefox-esr-privacy/

This page is a bit out-of-date, but should also be a bit helpful https://wiki.installgentoo.com/index.php/Firefox

>>92
>>90
Torrenting isn't a huge intrest of mine, nor is it something I do much of since what's demise; however, I imagine should I manage to anonymously purchase a vps with bitcoin, and only talk to that vps through tor, shouldn't I be able to torrent from the vps (has a dedicated ip) and then use a tor+sftp(+possibly more encryption?) to get the torrented files onto my home machine?

>>96
that setup should work fine. Jumpbox in a different legal jurisdiction and then obfuscate your access to it through whatever means you deem necessary in order to disconnect from it.

I don't personally use TOR much as it kills plausible deniability; it's a giant redflag on a network that you're up to no good whereas SSH and VPN's while not anonymizing are technologies which if they come under scrutiny have plenty of plausible deniability.

It's all about understanding what you're defending against; there is no magic pill 100% coverage solution to privacy+anonymity.

Just whatever you do make sure you don't leave anything else on the jumpbox that can be correlated back to yourself.

>>76
Thank you kindly and good work.

>>97
>it's a giant redflag on a network that you're up to no good
This does certainly seem to be the case, and all the propaganda the US' government is pumping out about how tor is evil isnt helping public opinion at all either. Most of anyone I've talked to about any anonymizing techniques believe they're exclusively for criminals.

Does anyone have any idea on how to combat this mass misinformation? I believe it would simply be for as many people as possible to use tor as often as possible. If there's a larger population concerned with being anonymous then it will be harder for governments to lie about how it's solely for criminals, and legislation like we've seen in the states won't get passed.

>>101
I don't think the red flag is just because of the current public association with spies/CP/drugs and contract killers. At the end of the day people are suspicious of people who want to hide what they're doing - our beloved privacy and anonymity is not that big a shared trait amongst the general public (granted this is changing post snowden). Since TOR is all about that it's always going to stand out.

For me TOR really shines when you can anonymise your usage of TOR as well - disconnect the network records of that usage from your meatspace identity. Prepaid burner data SIM's, public WIFI networks, and in general - internet pipes that aren't getting charged to your credit card (thanks housemates).

That's my approach to things at least, IANAL, YMMV, BYOB, et cetera, et cetera.

Make sure that Firefox or the Tor Browser doesn't leak anything. Disable javascript, go to about:config and see what could leak your IP, compromise your security or fingerprint you. Compare https://github.com/pyllyukko/user.js/ to your settings. Use https://panopticlick.eff.org/ to see how many bits of identifying information you have. Also, besides the add-ons suggested by >>76, I think you should check No Resource URI Leak, Decentraleyes and Privacy Badger (on the EFF site). But don't install too many add-ons blindly; always double check that the code is open source and that it doesn't call home / make other connection (even HTTPS everywhere if it's bugged it can use your IP to query the SSL observatory ). To do that you could monitor your connection with Wireshark to see if every packet is sent to your entry node or if there're some other servers. If you can sandbox the browser with something like firejail. You should probably install DNSCrypt and configure it to use an OpenNIC server. If you're planning to connect to public WiFi you should spoof your MAC first, or you can randomize it at every boot with an init script. Also, remember Intel ME and AMD PSP: if you have a libreboot compatible device or you can purchase it, do it. VPN1 -> Tor -> VPN2 is probably nice (ONLY if you pay in a total anonymous way) because sites won't see the IP of an exit node (some sites blacklist them, and you'll hate cloudflare) and you hide the Tor traffic to your ISP. That's important because the situation with ISP has gotten worse with the new laws, and if you're one of the few Tor user in your city it will be easy for a three-letter agency to identify you.
OPSEC is important too in my opinion, even if we're shifting from anonymity to security, having a hardened kernel and being able to sandbox programs will only make you safer. If you want to have a minimal attack surface use only the packages that you need, keep a clean environment and don't install bloated programs. You can keep a read-only USB with AIDE to create a database with the hashes of /bin, /boot etc. so you can compare it later to check if you're system has been compromised. If you didn't already you should probably encrypt your whole disk and set-up a GPG encrypted keyfile on an external device, so somebody needs both a password and a physical device to encrypt your data.
Don't give root access to daemons (and programs) unless really necessary, they should either run with their own user (like tor) or with yours.
When using Tor with anything that it isn't your TBB/Firefox remember that many applications can leak your IP, so you should set up iptables to allow only Tor traffic.
Then, of course, your attitude is probably more important than then setup itself. Don't browse anything that can be directly linked to you.

>>168

>go to about:config and see what could leak your IP, compromise your security or fingerprint you.

There's a really neat extension called Privacy Settings (https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/) that helps with this.

>>168

Decentraleyes is safe then? I was hesitant to use it. I don't know enough about this stuff, but my gut was telling me it was something that could do a lot of harm if it was sketchy or flawed.

>>168
Thanks so much for sharing all that information.

Does anyone have any hardware recommendations for a libreboot / bsd netbook?

>>90
thanks. I haven't torrented anything illegal anyway, I've just used it to mask traffic to my university.

>>92
thanks, I didn't realize i2p could do that.

>telemetry and other nasty defaults
can you please expand on this? I was asked if I consented to telemetry when installing FF for the first time. I'm reading about iceweasel currently on wikipedia and some of the security "features" it added were dubious at best. I'm also wondering if there's a standard metric you used to mean privacy-respecting between all of these because I couldn't find one.

>>107
>granted this is changing post snowden
Most normalfags don't even remember Snowden by now.

>>90
Yeah, the SOCKS proxy is a joke. So don't use the SOCKS proxy. Actually use the VPN as it's intended.

From what I've heard, AirVPN is much better for torrenting as it gives you much better control over port forwarding.

Hey Sibe.

Anybody know how legit Blur is? Does it provide some legitimate rudimentary protection or is it just a cyber-security blanket?

>>101
>Does anyone have any idea on how to combat this mass misinformation?

Who would win? A global media campaign with all the money it could possibly need and then some? Or some handful of basement dwellers?

Let's face it, you will never save normalsoykafs from their own stupidity. They don't even want to be saved.

>>342
I don't know what that is and it doesn't look open source so I don't care.

>>370
The way you sell the public on Tor is by normalizing it. Until around the time your grandma got on Facebook, nobody wanted to carry around a computer all the time and the Internet itself was viewed with comical amounts of suspicion.

>>372
>comical amounts of suspicion
My favorite part of your post is that that isn't even an exageration.

>>76
Nice

>>90
or use i2p for torrenting

When it comes to VPNs I use mullvad because I can pay them in cold cash.

>>76
>tor can be deanonymized with javascript,
is there a known way to exploit this, or we just don't know for sure that it's safe?

>>3955

there are multiple ways to do this, and multiple exploits used in real life already.

but i wouldn't call it "deanonymizing tor", in fact it's getting around tor. (probably helps if your whole system is configured to prohibit every kind of traffic outside the tor proxy, but you still have to do countermeasures against fingerprinting and things like that. the tor browser solve most of this problems without having to configure things and write codes yourself, and completely disabling javascript is also a good choice)

>>3955
>>3956
If this is something you're worried about, Tails is much better than just the TBB and Whonix can be better than Tails but there's more for you to screw up there.