
Tor best practices - triberian
http://digital-era.net/tor-use-best-practices/
======
michaelt
Or you can read this in its original form, as a StackOverflow answer:
[http://security.stackexchange.com/questions/43369/best-pract...](http://security.stackexchange.com/questions/43369/best-practices-for-tor-use-in-light-of-released-nsa-slides/43485#43485)

------
SamReidHughes
An element of bad advice in this is the recommendation that you leave your
cell phone turned on at home during your activities.

If "the feds" considered the possibility that this pattern of Tor activity in
various wifi networks around the area all correlate to one person, they could
then correlate the set of Tor uses with cell phones that sit motionless during
those activities. This will completely out you unless you leave the cell phone
in the same location _all the time_ or for extremely large portions of time (a
(1 - O(1/n))-sized proportion of your time) where n is the number of Tor
sessions you want to perform. That's a bit pessimistic -- you could improve
things by scheduling your Tor activity at times you would never be moving your
cell phone anyway, and at times other people would consistently never be
moving theirs -- a certain hour of the day. For example, suppose you never
move your cell phone between 5 and 6 AM -- that's just a pattern in your life,
and a pattern in others' lives, and if you scheduled your activity in that
hour, you'd leak information much more slowly. But eventually, as more and
more active cell phone users have the occasion to use their phone in the wee
hours, it'll leak.

You also need to treat your personal internet activity and also perhaps
electricity consumption (depending on metering technology) the same way as
cell phone activity in this regard. You can't be going out using Tor at 5-6 AM
some days and then be home browsing YouTube at 5-6 AM a small-ish proportion
of the other days -- they'll nab you with 99.9999999% certainty in no time.

Edit: And you can't even be tired, or energetic, or have any measurable change
in social activity before or after the Tor session either, of course.
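
A toy model of the intersection reasoning in this comment, added here as an illustration (it is not part of the thread or of the linked article): person 0 leaves their phone at home during every Tor session, every other phone sits still in a given window with some probability, and the observer keeps only the phones that were still in all windows. The population size, the stationary probabilities and the seed are constructed, not measured. Comparing a daytime stationary probability with a near-universal "5-6 AM" one shows why scheduling sessions in a quiet hour only slows the leak rather than stopping it.

```python
import random

# Constructed toy model of an intersection attack over phone-location data.
# Person 0 is the Tor user, whose phone never moves during a session window.
# Everyone else is independently stationary with probability p_stationary.


def expected_survivors(n_people: int, p_stationary: float, n_sessions: int) -> float:
    """Expected number of *other* phones still consistent with n_sessions
    windows, assuming independence between windows (n * p^k)."""
    return n_people * p_stationary ** n_sessions


def simulate_candidates(n_people: int, n_sessions: int,
                        p_stationary: float, seed: int = 1) -> list:
    """Return the size of the candidate set after each session window.

    The candidate set starts as every phone in the area and is intersected
    with the set of phones that were stationary during each window.
    """
    rng = random.Random(seed)
    candidates = set(range(n_people))
    sizes = []
    for _ in range(n_sessions):
        stationary = {0}  # the Tor user's phone is at home for every session
        for person in range(1, n_people):
            if rng.random() < p_stationary:
                stationary.add(person)
        candidates &= stationary
        sizes.append(len(candidates))
    return sizes


def still_hidden(sizes: list, k: int = 2) -> bool:
    """Rough k-anonymity check: is the user still one of at least k phones?"""
    return bool(sizes) and sizes[-1] >= k


if __name__ == "__main__":
    # Constructed parameters: 10,000 phones in the area, six Tor sessions.
    daytime = simulate_candidates(10_000, 6, p_stationary=0.2)
    quiet = simulate_candidates(10_000, 6, p_stationary=0.95)
    print("daytime windows, candidates after each session:", daytime)
    print("5-6 AM windows, candidates after each session: ", quiet)
    print("hidden after daytime sessions?", still_hidden(daytime))
    print("hidden after quiet-hour sessions?", still_hidden(quiet))
```

The quiet-hour run keeps thousands of candidates after six sessions, the daytime run collapses to the user almost immediately; with more sessions the quiet-hour set shrinks too, which is the commenter's "eventually it'll leak".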

------
mihok
I don't think the article mentions it, but in addition to the tips in the
article, stay away from wireless or bluetooth connections, remove the card(s)
if possible... While it might seem tin foil hat, any over-the-air
communication is fairly trackable (not saying wired isn't). And while your
computer or device tries to connect to a network, the control packets sent out
to channel 0 will even send a list of preferred networks you've connected to
in the past...

~~~
dobbsbob
The FBI also once had a carrier OTA-update somebody's internet USB stick to
broadcast their location.

~~~
delinka
[citation needed]

~~~
dobbsbob
[http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-a...](http://www.wired.com/threatlevel/2013/04/verizon-rigmaiden-aircard/all/)

------
middleclick
I really don't understand any of the points in "Your Environment".

> Never use Tor from home, or near home. Never work on anything sensitive
> enough to require Tor from home, even if you remain offline. Computers have
> a funny habit of liking to be connected…

How exactly? The entire point of Tor is that such stuff should not matter
since the first node doesn't know what you have requested.

> And while the jackboots are very unlikely to show up the same day you fire
> up Tor at Starbucks, they might show up the next day. I

Yeah, no. Wait, what?

> I recommend for the truly concerned to never use Tor more than 24 hours at
> any single physical location; after that, consider it burned and go
> elsewhere.

No?

~~~
Ellipsis753
Tor is far from perfect. Even if Tor does everything it's meant to, people can
still compare when you're using your internet on Tor and when you're doing
activities online (on Tor). What this person is saying does make sense.

~~~
delinka
"using your internet on Tor" and "doing online activities (on Tor)" sound like
the same thing to me.

But this whole article sounds to me like the author's expecting people to only
ever use Tor when they want to hide something. What we should be doing is
encouraging everyone to use Tor all the time for everything, delays be damned.
That totally obliterates any correlative analysis.

~~~
mhurron
Ya the anonymity sometimes isn't because I'm doing anything illegal. I've been
considering setting up Tor on my firewall/router and starting to funnel
connections to google, bing, facebook and things like that through it.
Probably eventually funnel all http and https through it.

~~~
mintplant
Any unencrypted traffic you funnel through Tor can trivially be intercepted
and logged by an exit node.

------
dobbsbob
Don't really like Whonix, a bunch of VMs stacked on each other for critical
isolation. I'd rather use a hardware firewall box running OpenBSD or PORTAL by
thegrugq. What kind of RNG is being handed out by the Tor daemon Whonix VM
that has no human interaction, too?

------
dictum
There are too many third party requests/tracking scripts (Google Adsense,
Analytics, webfonts; icon font from bootstrapcdn.com; Twitter avatars) in this
blog.

The blog itself is hosted on WordPress.com. I don't know if this is good or bad
for visitors' privacy, but it feels bad.

(I know this kind of comment — X advocates Y but does Z, where Z != Y — is
often annoying and shortsighted. That said, hypocrisy, even when it's
unintended, reduces your authoritativeness.)

------
belorn
While reading advice like that in the article, it seems to always leave out
the most central aspect of security - the threat model. Doing some guessing,
the following threats are mitigated by the article:

• An attacker has access to zero-day vulnerabilities to the software running
on your device¹.

• You are storing non-Tor files on your device that can be used to build a
profile against you. That, or you are running OS X².

• That Flash and Java are horrible messes of software, and will break your
security³.

• That online tracking of your anonymous activities can later be used to
connect your real identity with an anonymous session of Tor usage.
Deanonymization is a big research area but with rather little known results in
the real world. Search data, social network profiles and large written texts
have all been subject of deanonymization research.

• That correlation attacks are practical if an attacker knows the entry node
traffic and the exit node traffic. This is also a hot research subject, and
the threat model can be created by, for example, reading the linked research
on the Tor blog⁴.

• Mixing your real identity with an anonymous identity can cause harm.

• If you rent time at virtual hardware, the real hardware owners can see
everything you do.

• An attack, presented in a 2013 research paper⁵, to verify if a hidden
service is using a guard node owned by the attacker. It then assumes that a
hidden service will randomly pick at least one of 23 Tor nodes with a
probability of 90% if run over a period of 8 months, for the cost of 60 USD
per node per month.

I could not guess a threat model for "Your workstation must be a laptop". As a
last line of defense, my workstation hard drive is equally easy to destroy
with a hammer as my laptop. The cell phone advice is also quite bad - see
SamReidHughes' comment.

1: [http://security.stackexchange.com/questions/40072/could-some...](http://security.stackexchange.com/questions/40072/could-someone-explain-parts-of-the-fbis-firefox-0-day)

2: [https://research.torproject.org/techreports/tbb-forensic-ana...](https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf)

3: [https://www.torproject.org/docs/faq.html.en#UseTorWithJava](https://www.torproject.org/docs/faq.html.en#UseTorWithJava)
and
[https://www.torproject.org/docs/faq.html.en#TBBFlash](https://www.torproject.org/docs/faq.html.en#TBBFlash)

4: [https://blog.torproject.org/category/tags/entry-guards](https://blog.torproject.org/category/tags/entry-guards)

5: [http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf](http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf)

~~~
seiji
_• If you rent time at virtual hardware, the real hardware owners can see
everything you do._

Reminder: the same goes for all your favorite
hosted-because-we're-too-lazy-or-inept-to-run-it-ourselves services too.

It still amazes me thousands of high profile companies just give all their
communications to Google for free.

~~~
janvidar
> It still amazes me thousands of high profile companies just give all their
> communications to Google for free.

No, they even pay for it.

------
rocketeerbkw
> Never insert its battery or turn it on if you are within 10 miles (16 km) of
> your home...

Wouldn't that leave a huge hole which stands out in a map of previous locations?

------
dandare
Why do they say that rubber hosing is legal in the UK? Did I miss something?

------
blahbl4hblahtoo
"1. don't use windows"...I realize how unpopular it is to question the
groupthink on this site, but this strikes me as simplistic. The public
takedowns related to Tor have been more about Firefox than Windows. But I get
that Linux fans like to think that this is their sole bailiwick.

If you are using Tor and you are using a web browser as your primary means of
communication AND YOU REQUIRE SAFETY, you have already made a serious mistake.

Using a JSON or XML based API would be much safer since you aren't having to
trust any level of javascript, css, or html...fetching executable code over
the internet from a third party is the ROOT of the problem.

It all comes down to what you are trying to do...why are you using tor? who is
your adversary?

Just using tails or whonix and being super paranoid...because security...is
kind of a shit lifestyle decision. It can also lead to a false sense of
security.

~~~
nilved
> The public takedowns related to tor have been more about firefox than
> windows. But I get that Linux fans like to think that this is their sole
> bailiwick.

It's not exactly fanboyism that makes security-conscious people prefer Linux.
In fact, anybody with even a basic understanding of infosec knows that Windows
should be considered wide open: Microsoft has backdoors, they give the NSA
backdoors, and their code isn't open to peer review. Moreover, the Tor Freedom
Host attack only exploited Firefox on Windows.

> Just using tails or whonix and being super paranoid...because security...is
> kind of a shit lifestyle decision.

Don't you think this is a little rude? Or even just presumptive?

~~~
blahbl4hblahtoo
I love that "Microsoft has backdoors"...no one credible has said that they
have proof of that. They give the US Government early access to vulnerability
data...they give those updates to several governments and large corporations
early as the result of agreements they have made with big customers. They also
let these same entities audit the source code for Windows. Look it up. If you
have the money and it's important to you then, yes, you can audit the Windows
code base.

"security-conscious people prefer Linux"...That's kind of a sweeping
statement. What does security conscious even mean?

To me it sounds like this..."People who talk about security a lot use Linux by
and large"..."but some of them are really partial to OpenBSD"..."and lots of
Windows security experts really use Windows a lot."

I say that it's a shit lifestyle decision because what is it accomplishing? You
use this really restricted platform to make sure that people can't track you
doing ??? What exactly? Communicating with your team of spies??? Downloading
midget porn??? Why do you think that you can have a single workstation that's
good for every security corner case? What in the history of computer security
makes you think that is a good idea or even desirable?

Let's take the example of the Iranian dissident trying to avoid the oppressive
baddies in their weird-ass government...what does Tails or Linux buy you? You
are better off with the "throwaway laptop" plan using good opsec and running
Tor from public places. Don't use it for anything but Tor and tweeting your
pics of black-helmeted assholes. Get a new one as soon as possible. Rotate
them with other people. The OS means next to nothing.

People keep conflating tor's uses with every possible InfoSec edge case. The
dissident has different needs than a guy trying to make sure that the NSA
doesn't catch him posting documents. The whistleblower has different needs
than the guy buying drugs.

In all cases applying some critical thinking about what you are trying to do
is a bigger exercise than "Winblows is the suxor at securitehz!"

Unix doesn't have a monopoly on security. I'm not saying windows does, but
Unix people are kind of crazy about their pet platform.

~~~
foodbarf
Microsoft employee, pls leave.

~~~
blahbl4hblahtoo
I'm not a MS employee or even a stockholder. I just get tired of the group
think around here. It doesn't do anybody any good to let some of these
"everybody knows" style truisms pass unquestioned.

The accusations of being a shill are also pretty annoying...but hey...

~~~
shredfvz
What do you need Windows for anyway? Especially in a "secure computing"
context, modern distros are cheaper, easier and quicker to install than
Windows, and yes, often more secure. Plus, learning GNU/Linux will make you a
better programmer and a more capable team player. What do you have to lose?

~~~
blahbl4hblahtoo
Learning Linux makes you a better programmer? That's what I'm talking about in
a nutshell. "Learning GNU/Linux" doesn't make one a better programmer. I'm not
even sure how that's supposed to work...you know that there are really good
programmers that use other platforms, right?

~~~
shredfvz
Ever heard the term, "don't knock it til you try it"? What do you have to lose
by trying free operating systems? It costs nothing to run GNU/Linux in
VirtualBox on Windows, and learning to interact with your machine from the
command line will expand your skillset and your horizons, making you a better
programmer and more valuable team player. Regardless, you're bashing people
for using free operating systems in a security context, which is just asinine.
This is not the holy war you're making it out to be.

~~~
blahbl4hblahtoo
Do you honestly think that I have never tried Linux? Seriously? The first time
I installed Linux I had to download the floppy images over a 2400 baud modem
connection to a bulletin board.

I'm not bashing people for using Linux...I'm saying that it's not good security
to say..."Linux is secure"...and not review your security needs from the
standpoint of what you are actually trying to accomplish. I'm not making it
out to be a holy war...I'm saying that people are just accepting that "Linux
is more secure" on blind faith.

------
tux
It looks like the author of this article is doing some shady shit. Using Tor
and moving so much between different locations O_o Seems like he's very
paranoid. I think he forgot about the "Faraday cage".

~~~
sligi
The only real reason people use Tor at all is for shady shit. They'll deny it
all they want and bullshit on about "freedom", but not even Stallman is this
autistic. Come on.

~~~
Karunamon
Please take this crap back to 4chan /g/ where it belongs.

