Category Archives: tor

Fact-checking Pando’s smears against Tor

Neil deGrasse Tyson is a badass

If you’ve been able to ignore Pando Daily’s 100% non-technical smear campaign against the Tor Project and its developers and supporters, you’re lucky, and you may wish to stop reading now. Otherwise, read on, and perhaps prepare to lose a few brain cells.

Yasha Levine’s “investigation” against Tor unveiled what’s already prominently displayed on Tor’s website: that it was designed by the Navy and that it receives a lot of federal funding, the bulk of which comes from the Department of Defense.

To be clear, talking about Tor’s government funding is a very important discussion to have. But Yasha didn’t discuss potential threats to Tor users’ anonymity that this funding might cause, nor what potential solutions would be. Instead, he implied that there’s some sort of conspiracy between Tor developers and the US government, and that the Tor network cannot be trusted, apparently oblivious that the decentralized and open nature of the Tor network and it’s codebase makes planting backdoors nearly impossible.

Continue reading

Using Tor Browser Launcher in Qubes

I maintain a piece of software called Tor Browser Launcher. It takes care of downloading Tor Browser Bundle for you, verifying the gpg signature, making sure you’re always using the latest version of Tor Browser, and making it easier to launch.

I originally only made Tor Browser Launcher work in Debian-based distributions, but since the default templates in Qubes are based on Fedora, I recently ported it to RPM-based distributions as well. Here’s how to set it up.

Continue reading

The Operating System That Can Protect You Even if You Get Hacked

This was originally published on the Freedom of the Press Foundation’s blog.

We wrote about the importance of the Tails operating system to all of the NSA journalists last week, but there’s also another little-known operating system that journalists should consider using if they find themselves in high-risk scenarios. It’s called Qubes.

I’ve only been using Qubes for a few weeks, but I feel like my operating system is now a digital fortress. Let me try to explain why, and how Qubes differs from Tails.

Qubes’ design is based off an important law of software: all programs contain bugs. Some of these are security vulnerabilities. Your computer can get hacked by viewing a Flash video or using javascript in your web browser: this is likely how NSA’s QUANTUM/FOXACID programs hack people. Your computer could also get hacked by opening a PDF, or a Microsoft Word or LibreOffice document, or just by viewing a JPG or GIF.

If any piece of software gets compromised, your whole computer is compromised. The attacker can look at your files, log your keystrokes, take screenshots, steal your encryption keys, and read the emails that you type before you even have a chance to encrypt them.

Continue reading

Two really simple things Microsoft can do to make Windows more secure against NSA

Thanks to Edward Snowden and journalists at Der Spiegel, today we learned about Tailored Access Operations (TAO), NSA’s world-class hacking team. There was a lot of interesting information in that article (like how they divert shipping of electronics to a secret warehouse where they can modify it to install backdoors!).

But I’m just going to talk about how they use Microsoft error reports to gather private information about Windows computers that can be used to compromise their security — a problem that’s trivially easy for Microsoft to fix.

Continue reading

sudo apt-get install torbrowser

TL;DR: I wrote a piece of software called Tor Browser Launcher that downloads and auto-updates Tor Browser Bundle for you, in your language and for your architecture, and verifies signatures. I’d like help finding bugs before the initial release.

Over the years, Tor Project has done an amazing job at making Tor more user-friendly. In the past if you wanted anonymity you had to download and install Tor, maybe hand-edit your torrc file, and configure your browser to use a proxy server. You had to make sure that you didn’t have browser plugins like Flash or Java enabled that would compromise your anonymity. Eventually, this got easier when you could install the TorButton Firefox add-on, but even then you had to keep manually separate your own identity and your anonymous browsing.

Now all you have to do is head to, click the large “Download Tor” button, and then download the Tor Browser Bundle (TBB). Then you extract it (normally to somewhere in your home directory, or to a USB stick) and run start-tor-browser, and wait to connect to the Tor network and for your anonymous browser to pop up with the friendly green “Congratulations. Your browser is configured to use Tor.” page.

Continue reading

Bradley Manning’s statement shows that US intelligence analysts are trained in using Tor

This morning I had the opportunity to help Freedom of the Press Foundation publish the full, previously unreleased audio recording of Bradley Manning’s statement to the military court in Ft. Meade about his motivations for leaking over 700,000 government documents to WikiLeaks.

In his statement Bradley Manning not only explains his motivation for leaking documents to WikiLeaks (he contacted the Washington Post and the New York Times first), but also technically how he went about doing it, including the software and protocols he used.

This clip, about his use of Tor, stood out to me:

Continue reading

Mobile Location Anonymity: Proxying Twitter, IM, and Email through Tor on Android

Each time your computer makes a connection to a server on the internet, you tell the remote server, as well as your ISP and every router in between, your IP address. If you’re using the internet on your phone you might be disclosing the IP of your 3G or 4G connection, or the IP of the wifi network you’re connected to.

If your phone checks for new emails or tweets every couple minutes, or keeps up a consistent connection to your instant messenger server, any of those services is almost definitely logging a history of your IP addresses.

Continue reading