pastebin - collaborative debugging tool

Posted by Anonymous on Tue 13th Dec 2011 21:39

Origin of discussion:

@querent:

"First, I want to use TOR to download .pdf files"

First, how have you set up Tor? (It's not TOR, btw, it's Tor.)

Have you installed the Tor Browser Bundle (TBB)? It contains a (limited) preconfigured Tor environment (you need to reconfigure the included NoScript properly, as by default it is set to allow everything, which is bad) and includes Vidalia, a Tor GUI front-end. If you have, you can right-click on most .PDF file download links and select your local destination for the PDF to download to, and it runs through Tor without leaping outside of the Tor client. Some PDF file downloads are caught by Torbutton for unknown reasons; it thinks you're trying to load the file directly rather than download it. This may be a bug which appears at random. TBB's preconfigured Tor environment does not modify files like wgetrc (more on this later) or other applications' files outside of the applications it provides.
My preferred method of handling PDF files when using Tor is to load them remotely via this free web service:

I don't see that website as having any ads (but I block ads anyway), nor are there any posts begging for money, nor do they push an application to download in order to view the PDFs. It's the most simplistic layout I've seen for loading PDFs remotely and safely so they don't touch your system (your web cache should be disabled, and is disabled if you use TBB; your swap and home partitions, if not your whole system, should be encrypted). But does the admin track PDFs and IPs? Simple: always use Tor with that site, with nothing personal.

It should be noted that the moment you begin using your real name and playing about on Facebook with your friends or acquaintances via Tor, you've lost the plot. Do not mingle your personal Internet use with your Tor Internet use. Do not use Tor while at the same time accessing your personal e-mail outside of Tor (you shouldn't load it inside Tor either, for that matter). Don't boast through Tor to one of your chums that you're using Tor.

The PDF files are transformed into single-page graphics which you may navigate through easily. 99% of the time it works; some PDFs it chooses not to load and spits out an error. It doesn't require Flash and works without cookies or JavaScript enabled. I don't know who runs the site or their privacy and data retention habits, but I recommend it above all other sites offering to convert PDFs on-line. I have not tested uploading local PDF files to that service, so I cannot suggest others do so; I don't know whether or not there would be any privacy leaks in doing so, so just copy/paste URLs into that service.

In using that free PDF converter website, I can preview the document to determine beforehand whether it is worth the time, space, and effort of manually downloading the PDF and storing it for future access. Should you access PDF files on your system, I would recommend burning them to a CD or DVD, a read-only medium, and accessing them from a non-networked environment such as a Linux LiveCD with the network cable unplugged, using an open source PDF reader. Never use the proprietary PDF reader from Adobe, unless you're reading off-line from read-only media, in addition to pulling the network cable prior to booting from a fresh and verified LiveCD and pulling the cable and power plugs from any hard drives (before you turn your system ON), to eliminate any possible contamination. Remember, you're downloading PDF files through Tor, and unless you verify each file through checksum verification (like MD5 or GPG) there's a chance they could've been trojaned by a rogue exit node, or contain phoning-home instructions or any other type of malicious "feature". No amount of open or closed source virus/trojan scanners can convince me a file is entirely free of malware.
If you're booting from a LiveCD to use Tor, I heavily recommend pulling the plug/power cord from any hard drives just in case, before you start your LiveCD session and before you've powered the system ON, so no data is transferred/shared through the use of the LiveCD sessions. I strongly recommend against using a preconfigured Tor LiveCD, not limited to but including the recent "Tails LiveCD". You have no method to inform you on whether or not the binaries have been modified to whatever end. While not pointing the finger at any one such project, I can imagine the temptation would be great for a malicious user or project team to poison the well, so to speak, with compromised binaries naive users would trust their security/privacy to.
If you're running a system with sufficient memory, you should be able to download a Linux LiveCD of your choosing, verify it with MD5 or GPG, verify it with the bootable option to "Verify This CD", extract the previously downloaded TBB into the home directory, disable all extra network services, and configure a few files like hosts.deny and others, as well as changing the password on the LiveCD user account. Since the LiveCD user runs with elevated privileges, you should consider creating your own LiveCD for TBB use, stripping it down to only the basics to minimize bugs in some packages in the repositories which could compromise your Tor operational security/privacy.

There are free tools like remastersys which allow you to put together a LiveCD with packages of your choosing. You may configure a proper limited user account beforehand and use this with TBB from your customized LiveCD. I'm not recommending remastersys or any other LiveCD creation tool, as I have not audited their source code, nor do I blindly trust binaries, but it's an option.
It would be wise to consider all binary transfers via Tor as potentially trojaned by a rogue exit node; modification of data by a rogue exit node AND sniffing of plain-text traffic occurs and is well documented. Some good preventative methods for browsing in Tor:

1. Ixquick offers encrypted searches AND proxying of web content; you may surf in Tor through Ixquick's web proxy for excellent SSL protection.
2. Scroogle offers encrypted searches but offers no secure web proxy. Using Scroogle or Ixquick over Google or Yahoo, among others, is encouraged as you don't hit a brick wall with an error message (Yahoo) or a message saying you have to verify you're a human (Google). By default Torbutton will redirect you to one of a few alternative search engines. Ixquick may require JavaScript to yield more search results than the first page presented to you, so I suggest Scroogle for web searches and Ixquick's free SSL web proxy for browsing. Do not, under any circumstances, enable the use of JavaScript without NoScript loaded and configured properly. There are many ways to decloak and otherwise poison Tor traffic with JavaScript enabled and no NoScript plugin.
Flash: Don't install the plugin, don't try alternatives; they won't be torified. Some have claimed, in Tor's or-talk mailing list discussions, to have enabled YouTube's HTML5 option and, without the use of a Flash plugin, enabled the content to be shot through Tor, but I haven't tried it. There are methods of downloading Flash videos through Tor, such as through a third-party website or by using clive or youtube-dl; both are listed in the Ubuntu repositories, but each must be configured to use a proxy with Tor like Polipo or Privoxy.
Second, if you haven't installed Tor via the TBB, you've opted to install and configure Tor with a proxy like Polipo or Privoxy. If this is so, it's easier to download PDFs as you don't need to accomplish this through the browser; instead you modify your /etc/wgetrc file with a proxy configuration matching the proxy port you're using with Tor.

$ cat /etc/wgetrc | grep proxy

(the default wgetrc displays as follows):

#https_proxy =
#http_proxy =
#ftp_proxy =
# If you do not want to use proxy at all, set this to off.
#use_proxy = on

sudo nano /etc/wgetrc

or

gksudo gedit /etc/wgetrc

You would specify the proxy and port number here.
If you're using a proxy port of 12345, for example, it would be

I don't know what port Polipo and Privoxy use, but use whatever value they specify.
With wgetrc configured properly and the proxy lines uncommented, you can test it by using wget in a Terminal to manually download the PDF files: copy/paste the URL into the Terminal following the wget command, and I recommend using the -c option in case the download fails somewhere during your download:

wget -c

This would download the TBB for Linux (current as of 12/12/2011). While on the subject, please verify every Tor package you download using GPG; instructions are on their site, as well as instructions to torify your GPG key fetching if you don't wish to grab GPG keys in the clear.
I haven't tested wget while using the TBB; I don't know what would be required here, installing Polipo or Privoxy and appending the proper local address with port within Vidalia and giving it a go, or some other method. All this rests on the belief you're downloading legal PDFs.

"or .torrent files"

I can't help you with that, and it's considered bad etiquette to run torrent traffic through Tor.
"An external application is needed to handle:
file.pdf
NOTE: External applications are NOT Tor safe by default and can unmask you!
If this file is untrusted, you should either save it to view while offline or in a VM,
or consider using a transparent Tor proxy like Tails LiveCD or torsocks."

"Am I OK? Can I proceed safely and anonymously?"

No, not when it pops up with that warning. Don't click on the PDF URL; right-click on the URL and save it locally, and the transfer will traverse the Tor network. As above, I mentioned Torbutton randomly pops up with this warning even though I've right-clicked on the PDF URL, probably a bug, but it thinks you're trying to view it directly. You should see that Torbutton warning most of the time when you're trying to access non-torified content directly. Always click CANCEL when this warning appears.

My best suggestion would be to use wget with a properly modified wgetrc file; this likely means you'll have to download and configure Polipo or Privoxy. If you're using the TBB, you're on your own; I haven't explored it.
"Also, I want to use a web-based email service via TOR so as to have anonymous email capabilities. Gmail worked for a while, but just asked me what city I usually log in from, cause it thought my account was hijacked. Know any web-based email providers that will work with TOR?"

There are several options; you may google for a result or post to Tor's or-talk mailing list (see the Documentation page on Tor's official website for instructions on signing up and posting to the public list, which consists of Tor developers and users). I cannot advise you here, as some TOS for free web-mail may stipulate you may not mask your origin of transit with their services, which is just what one would be doing by using their service. Gmail is not recommended; you want to look for a web service which maintains a constant SSL connection from the beginning to the end of your session. In addition, one which does not require the use of JavaScript, cookies, or any other of the privacy-busting potentials.
@Dangertux:
"Hushmail might work with Tor pretty well"

Does Hushmail not require Java installed to function? Java is a big no-no when using Tor, for many reasons, not limited to rogue exit nodes manipulating your traffic to unmask or otherwise poison your Tor session and possibly exploit the Java user's system. In the ideal Tor setup, no plugins should be installed; this is where the TBB for Linux works well, as it has no plugins by default. It does have some extensions, such as Torbutton, NoScript, and the EFF's HTTPS Everywhere, but no plugins. Hushmail also has a checkered history, in my opinion, concerning privacy, and I don't approve of their methods of encryption or use of Java. Wait a second... Well l00ky what we have here:

"Hushmail Turns Data Over to Government"
Furthermore, you shouldn't install other extensions unless you are certain they work well with Tor; they could leak. Tor's website offers a page suggesting which plugins work well. I would stick with the three TBB contains, and configure them correctly as I mentioned earlier; NoScript is set up to allow everything by default, which is bad. To verify no plugins (don't confuse with extensions) are installed, type about:plugins in your browser's address bar. No plugins should be listed. I find TBB useful as I can use it for Tor only, and use another browser outside of the TBB directory, installed from Ubuntu's repositories, for non-Tor use; why mix the two in one browser? It's complicated and messy. And, unless I'm mistaken, TBB's version of Firefox (Aurora) has been tweaked by the Tor developers to address certain issues vanilla Firefox would otherwise contain.
The preferred method of removing the possibility of any Tor leakage is to change my network settings during Tor use to list no DNS servers. If, by error, you launch an application outside of Tor, there are no DNS servers to catch the application's requests; they are stonewalled and will turn up an error. Despite what some may tell you, Tor functions well with no DNS servers listed. After you modify your network settings with DNS servers removed, check your resolv.conf file; it should look like this:

$ cat /etc/resolv.conf
# Generated by NetworkManager

With no DNS servers listed.

You may also opt to block DNS during your Tor session with ufw by blocking all communication with port 53. You may also choose to, as my thread within the Security section here details, block all ports except those you need, and configure Vidalia, or your torrc file if not using Vidalia, to use only ports 80 and 443 for its operation.
Lastly, get to know and love using Tor bridges:

Why tell everyone on your network you're using Tor? Tor use may stand out in other ways, but by using bridges you're obscuring your use of Tor, instead of telling everyone on your network you're connecting to known Tor nodes. It's simple to determine you're using bridges, but it's more difficult than with the standard method of Tor connectivity.

Has your network provider set up a honey-pot virtual Tor network, and you're connecting to it rather than the genuine Tor network? How would you know? Again, this is where using bridges is the preferred method for Tor access. Clear documentation on using bridges is on Tor's official site, but it's made easier by using Vidalia: access the Tor bridges page and copy/paste the Tor bridges into Vidalia's GUI under Settings, Network, and tick the box for "My ISP blocks connections to the Tor network". If you have a legit connection to the Tor network without using bridges, how may you know whether or not your network provider is limiting the nodes you're able to access and hasn't blacklisted many in order to better monitor your Tor usage?

The subject of a network provider setting up a fake Tor network has been documented and, if memory serves me, has appeared in at least one white paper.

If in doubt during any Tor use, Wireshark may be used to verify traffic is contained within the Tor network; it's in the Ubuntu repositories.
I've waddled outside your request with more information than the OP requested, but it's useful information for all. (And to all a good night!)

Bonus material: from a verified, trusted and true LiveCD, run rkhunter and chkrootkit against your hard disk drives; extra points for using a tool such as hexdump or objdump to check binaries and space on the hard drive for any potential virus or trojaned software/sectors. Trojans targeting the system's BIOS are becoming more common; standard practice for any new system you obtain is to set the BIOS write protect within the BIOS options and question whether bundled system update programs which may want to update your BIOS are really required, and source verified (has your DNS been poisoned? A new project called DNSCrypt has been floating around in recent tech news as a potential solution to these attacks).
Extra credit: Employ TEMPEST shielding techniques; never use a program which claims to keep your computer passwords safe or simply holds them for you, they are vulnerable to TEMPEST-based attacks (and keeping them on any r/w medium is stupid on so many levels). Use a frequency counter and test for through-the-air leakage. Never use Tor on a Windows-based system! Not even within a VM. If you trust it (it's closed source), install Wine and run a freeware program called "Zero Emission Pad" to modify/read your text documents in, as it claims (strong emphasis on claims) to prevent TEMPEST attacks. It's a Windows-only freeware program which I haven't vetted for possible leaks, but it is interesting; google for it and you'll eventually find it. At least one software vendor in the U.S. offers a proprietary and commercial application which does the same job, but I have no trust in commercially developed, closed source software, which is a reason why trusting GPG over PGP is a great idea.
Related OPSEC reading:

TEMPEST (or, "Hey! Who owns that van/RV/delivery truck outside? It never moves!"):

TEMPEST; Stealing Data Via Electrical Outlet:

TEMPEST; Compromising Wired Keyboards:

TEMPEST-for-eliza - demonstrate electromagnetic emissions from computer systems (it's in the Ubuntu repositories; verify the tech threat for yourself):

Frequency counter devices:

DNS:

DNSCrypt (not usable at this time AFAIK):

ARP:

RF:

AX25 (is someone being sneaky and controlling your computer remotely through the air? The dirty hidden secret of AX25 and packet radio, or how your computer is capable of much more than you think; are we all rooted remotely?) (note: has nothing to do with Wifi):

Packet Radio:

Anti-malware:

Apt:

Package Manager Security:

Packet Filtering Firewalls:

Detecting Packet Injection:

Encryption (TBB from within an encrypted TrueCrypt container within an encrypted Ubuntu install? woot!):

DHCP OPSEC:

EMF:

Tor:

Tor OPSEC And General Articles:

Firefox addons:

Acoustics:

Writeprint (thought your words were anonymous via Tor, right? WRONG!):

ELF:

Reverse Engineering:

Why, what a BEAUTIFUL scarf I received for the Holidays! Wait, what!?

Why are my windows constantly vibrating? What the... !!! "You'll shoot your eye out, kid!"

StegFS:

DBAN:

ENF:

Tinfoil hat reading / remote system compromise through the air on a grand scale! (omg CONSPIRACY? Or, I forgot to take my pills?)
To conclude, Google for:

- powerline vulns (or, "Hey, my key-presses can be picked up via powerline!")
- additional through-the-air attacks (or, "What!? Someone in the other room or building can pick up my key presses?")
- temperature vulns (or, "Hey, my CPU can be compromised by temperature attacks? Wait a minute, why WAS that cute red head spending so much time looking inside my computer when I had it open and asked me to go into the kitchen to make an elaborate meal? How miniature modifications to hardware can escape your sight!") Don't forget timing and side-channel attacks!

Walking in a winter wonderland....
"Behold, I give unto you power to tread on serpents and scorpions,
and over all the power of the enemy" - Luke 10:19
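An added example, not part of the original post and not code from the Tor Project, Polipo, Privoxy or wget: a POSIX shell script that ties together three of the checks described above, the wgetrc proxy lines for routing wget through a local HTTP proxy in front of Tor, the "no nameserver in resolv.conf" state, and a connection-table leak check of the kind the post suggests doing with Wireshark. It assumes Polipo's default listening port 8123 (Privoxy's default is 8118; pass whichever port your proxy actually uses), and the resolv.conf, allowed-endpoint list and `ss -tn` style connection table used in `demo` are constructed sample data, not real captures.

```shell
#!/bin/sh
# Added example, not from the original post or any of the tools it names.
# Assumption: a local HTTP proxy (Polipo, default port 8123; Privoxy uses
# 8118) sits in front of Tor. All sample data below is constructed.

# Print the wgetrc lines that send wget through the local proxy.
# Usage: tor_wgetrc 8123 >> /etc/wgetrc   (or > ~/.wgetrc for one user)
tor_wgetrc() {
    port="${1:-8123}"
    printf 'use_proxy = on\n'
    printf 'http_proxy = http://127.0.0.1:%s/\n' "$port"
    printf 'https_proxy = http://127.0.0.1:%s/\n' "$port"
    printf 'ftp_proxy = http://127.0.0.1:%s/\n' "$port"
}

# Exit 0 when the resolv.conf passed as $1 names no nameserver, i.e. the
# "stonewalled DNS" state described above; exit 1 otherwise.
resolv_has_no_dns() {
    ! grep -q '^[[:space:]]*nameserver' "$1"
}

# Leak check over "ss -tn" style output ($1): every ESTAB peer that is
# neither loopback (the SOCKS/HTTP proxy hop) nor listed in the allowed
# endpoints file ($2, one host:port per line, e.g. your bridges) is
# printed. Exits 1 if anything was printed, 0 if the table is clean.
find_leaks() {
    awk -v allowfile="$2" '
        BEGIN { while ((getline line < allowfile) > 0) ok[line] = 1 }
        $1 == "ESTAB" {
            peer = $5
            if (peer !~ /^127\.0\.0\.1:/ && !(peer in ok)) {
                print peer
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Demo on constructed data: one bridge connection, one hop to the local
# proxy, and one stray DNS connection to 8.8.8.8 that escaped Tor.
demo() {
    dir=$(mktemp -d)
    printf '# Generated by NetworkManager\n' > "$dir/resolv.conf"
    printf '198.51.100.7:443\n' > "$dir/allowed"
    cat > "$dir/conns" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB  0      0      192.0.2.10:51234   198.51.100.7:443
ESTAB  0      0      127.0.0.1:40001    127.0.0.1:8123
ESTAB  0      0      192.0.2.10:51240   8.8.8.8:53
EOF
    resolv_has_no_dns "$dir/resolv.conf" && echo "dns: stonewalled"
    find_leaks "$dir/conns" "$dir/allowed" || echo "leak detected"
    rm -rf "$dir"
}
```

On a live system you would feed `find_leaks` the real table (`ss -tn > conns`) and a file listing the bridge or guard endpoints Tor reports, and run it while TBB is open; any non-loopback peer it prints is a connection that bypassed Tor. To block stray DNS rather than only detect it, `ufw deny out to any port 53` does what the post describes for both UDP and TCP.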
