a guest
May 28th, 2014
TOR Guide v.0.5

=========
Glossary:
=========

Clearnet: The regular internet

- http://www.somecrap.com

Darknet : One of the alternate internets
- in tor, something like http://blahblahgibberish.onion (ONION sites)
- in i2p, something like http://blahblahgibberish.i2p (forget this for now)
- on freenet, something like http://127.0.0.0:d9w8dj98q23d8jq239080qdj90 (forget this for now)
- could also mean any sites on clearnet that are not indexed in any of the search engines such
as private webpages, databanks, encrypted sites and so on. But we won't use this meaning here.

LEA : Law Enforcement Agency
Onion : A website on TOR

============
What is TOR?
============

It is an alternate anonymous internet, only accessible with a special browser called the TorBrowser which is
built on top of Firefox. TOR does not hide you in any way, it only allows you to interact
with the internet in an anonymous way. It is virtually impossible for anyone to know what you are browsing as
long as you use TOR, however, they will know you are browsing something using TOR (could be pictures of cats).
Your ISP, for example, can easily detect that you are using TOR. However, there are many legitimate uses for TOR
and although you may be put on a list, in essence there is nothing criminal about it. The more people that
use it the more legitimate it becomes. Initially, Tor was designed and developed as part of the U.S. Naval
Research Laboratory's Onion Routing program with support from ONR and DARPA. Currently, Tor development is
supported by the Electronic Frontier Foundation. \\\\ There is nothing illegal about using TOR. ///

If you use TOR properly you will most likely remain anonymous. The following was found in a leaked NSA slide:

---------------------------------------------------------------------------------------
 “Tor Stinks! [...] We will never be able to de-anonymize all Tor users all the time.”

 (STRENGTH IS IN NUMBERS)
---------------------------------------------------------------------------------------

The way it works is through high level encryption and routing of information from your computer to the final
destination through a series of computers (nodes) linked together randomly all over the world on the TOR network.
An onion is a good analogy to TOR. When you ask TOR to look at a page, say yahoo.com, TOR applies several
layers of cryptographic protection to your message and sends it over the TOR network. As the message
traverses the network of nodes (computers), each node peels back one cryptographic layer until the message reaches
the last node, called the EXIT node. This is the last computer on the TOR network, which has no idea about your
IP address or where you are located. This node then forwards your request to yahoo.com on the clearnet. The EXIT
node is the gatekeeper between the darknet and clearnet. Your message is completely peeled back by the time it
arrives at the EXIT node to reveal the contents. Node A can only decrypt (peel) the layer A, under which it would
see the address of the next node. After the packet reaches the next node, it can only decrypt (peel) layer B, and
so on. For each layer, you use the respective node's public key, so only that exact node can decrypt the layer
with its own private key. When the message reaches the EXIT node, all of the layers have been decrypted and
the message is now in plain text (it could also be encrypted if you're communicating with the server under SSL).
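
The layering described above, as an added example that is not part of the original guide. It is a toy: the per-node keys are constructed shared secrets and the cipher is a SHAKE-256 keystream XOR standing in for the public-key step the text describes, so it shows who learns what at each hop, not real cryptography.

```python
# Added illustration (not from the original guide): what each node on the
# path learns when one layer is peeled per hop. Toy cipher, NOT secure.
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHAKE-256 keystream (same call decrypts)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(route, destination, payload):
    """Client side: build the onion from the inside out.

    route is a list of (node_name, key) pairs in path order, entry node first.
    """
    # Innermost layer: only the exit node can read the destination and request.
    cell = xor_stream(route[-1][1],
                      json.dumps({"next": destination, "data": payload}).encode())
    # Every earlier layer names only the node that follows it on the path.
    for i in range(len(route) - 2, -1, -1):
        layer = {"next": route[i + 1][0], "data": cell.hex()}
        cell = xor_stream(route[i][1], json.dumps(layer).encode())
    return cell

def peel(key, cell):
    """Relay side: remove exactly one layer with this node's own key."""
    layer = json.loads(xor_stream(key, cell))
    return layer["next"], layer["data"]

def relay(route, cell):
    """Send the cell down the path and record what every node gets to see."""
    seen = []
    for i, (name, key) in enumerate(route):
        next_hop, data = peel(key, cell)
        is_exit = i == len(route) - 1
        seen.append({"node": name, "learns_next_hop": next_hop,
                     "sees_payload": data if is_exit else None})
        if not is_exit:
            cell = bytes.fromhex(data)  # still encrypted for the next node
    return seen

# Constructed sample path, keys and request.
ROUTE = [("entry", b"key-A"), ("middle", b"key-B"), ("exit", b"key-C")]
DEST = "yahoo.com:80"
REQUEST = "GET / HTTP/1.1"

if __name__ == "__main__":
    for row in relay(ROUTE, wrap(ROUTE, DEST, REQUEST)):
        print(row)
```

Only the exit node's row carries the destination and the request text, which is why the last hop to a clearnet site is readable unless the site itself is reached over SSL.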

If you restrict yourself to browsing onion sites (darknet) then your entire communication stream is
encrypted - from your computer to the end computer - this is because there is no need to exit the TOR network.
On the other hand, if you browse clearnet sites your communication stream is only partially encrypted. In the
example above, the EXIT node is the one requesting the information from yahoo.com, and that part of the
communication stream is unencrypted (obviously, it could also be encrypted if you're communicating with the server
under SSL). From your point of view, you are anonymous whether you are browsing the Darknet or the Clearnet. The
site has no way of knowing who you are; the EXIT node is the only IP address that is visible. One thing to note is that
if you visit sensitive sites on the Clearnet you risk putting the person/entity that is hosting the TOR EXIT node
in trouble since the communication stream portion from the EXIT node to the requested site may be unencrypted and
susceptible to prying eyes.

--------------------------------------------------------
 Get the browser bundle here. This is all you need.

 - https://www.torproject.org/download/download.html.en
--------------------------------------------------------

FIRST THING YOU MUST DO AFTER YOU INSTALL IT AND BEFORE YOU BEGIN BROWSING: DISABLE JAVASCRIPT IN THE TOR BROWSER.

Every time you upgrade TOR, which you should do every time there is an update, REMEMBER TO DISABLE JAVASCRIPT and
re-configure any settings you had previously on your old Tor browser setup.

Not sure why but, in the new TOR/Firefox, they removed the option to disable Javascript from the menu. In any case,
you should be OK if you do the following:

(these guidelines are updated for the latest version of TOR as of 27 May 2014, they may change, you have been warned)

1) Click the small S (NoScript icon) which is to the left of the address bar and hit Options. From there, navigate
to the Embeddings tab and check to forbid

- Java
- Adobe Flash
- Microsoft Silverlight
- "other plugins"
- IFRAME

2) Open a new tab (if you want to) and type in "about:config". This will bring up Firefox's advanced settings, say it is
OK, you will be careful. Type "javascript" into the search box and look for "javascript.enabled" in the list. Double click
on this and the boolean value will change from True to False (if you plan on doing the next step don't close the window yet).

3) It is good practice to have the referrer automatically disabled (as long as it does not hamper your browsing,
otherwise feel free to skip this step). If you click on a link, the website you go to knows where you came from.
If you follow this procedure, that feature is disabled and the website will have no idea where you came from.

There are two steps, a) and b):

a) Type about:config in your browser - Find/locate network.http.sendRefererHeader - Change the number 2 to 0
b) Find network.http.sendSecureXSiteReferrer and set it to false.

4) This step is also good practice but probably not crucial, so feel free to skip it if you see fit. Open
Torbrowser options and browse to Privacy. There choose:

- Tracking: Do not tell sites anything about my tracking preferences
- History: Never remember history
- Location Bar: Nothing

5) Remove all addons in your Tor browser (it's known that LEA have been working together with Mozilla plugin developers before
and inserted malicious software that can potentially get your real identity)
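
Because every upgrade means redoing the about:config changes from steps 2 and 3, it helps to check them mechanically. The following is an added example, not part of the original guide: it reads the text of a Firefox-style prefs.js (the profile file where about:config changes are saved) and reports which of the three preferences named above are not at the recommended value. The function names and the sample file are constructed, and treating a preference that is missing from the file as "still at its default, so not yet changed" is an assumption.

```python
# Added example (not from the original guide): audit prefs.js text for the
# about:config values recommended in steps 2 and 3.
import re

# Preference names and target values exactly as given in the guide.
EXPECTED = {
    "javascript.enabled": False,
    "network.http.sendRefererHeader": 0,
    "network.http.sendSecureXSiteReferrer": False,
}

# prefs.js stores one setting per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref line in the file text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments and blank lines
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=EXPECTED):
    """Return a list of (pref, found, wanted) for every deviating preference.

    Assumption: a pref absent from the file is still at the browser default
    and therefore has not been changed as the guide asks.
    """
    prefs = parse_prefs(text)
    findings = []
    for name, wanted in expected.items():
        found = prefs.get(name, "unset (default)")
        # Compare the type too, so integer 0 never passes for boolean false.
        if type(found) is not type(wanted) or found != wanted:
            findings.append((name, found, wanted))
    return findings

# Constructed sample: JavaScript disabled, referrer settings forgotten.
SAMPLE = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("javascript.enabled", false);
user_pref("network.http.sendRefererHeader", 2);
"""

if __name__ == "__main__":
    for name, found, wanted in audit(SAMPLE):
        print(f"{name}: found {found!r}, guide recommends {wanted!r}")
```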


For the record, I use all 4 steps listed above. Just a couple more things before you proceed, make sure you read everything that
is below this line. Then you can start browsing with TOR as safely as I know. That's important, because after all, I'm just some
guy on the internet.


=============
Safety Rules:
=============

MOST IMPORTANT: MAKE SURE YOU READ EVERY ITEM

This is a list of things to do and not to do, to help preserve your anonymity. The list is not definitive and it
certainly is not exhaustive. Be wary.

-------
Do NOT:
-------

- Do NOT enable javascript (ever)

- Do NOT install additional addons or plugins into the Tor Browser, as these may bypass Tor or
otherwise harm your anonymity and privacy.

- Do NOT turn off/override/disable any of the addons that come pre-installed with the TOR Browser bundle.

- Do NOT sign up for anything with your clearnet name or password, that means no information at all about your
clearnet activity should ever cross into the darknet activity (that was what the silkroad guy did, and it
ended up costing him big time). Yes, passwords too.

- Do NOT open PDFs on a computer with an internet connection. If you download them, when you open them just make
sure it is on a machine with the internet disabled. In fact, you should be cautious with opening any document
you download on TOR, whether the machine is online or offline. If it is some sort of malware it can attach to your
machine and wait until you turn the internet back on. Your antivirus/malware scanners will not detect it.

- Do NOT carry over your writing style from clearnet to darknet.

- Do NOT post anything that could correlate you with your clearnet identity.

---
Do:
---

- Do DISABLE JAVASCRIPT. You can also turn off cookies, which can be used to track you. Or at least set them to
be cleared every time you close the TorBrowser. Third party cookies should probably always be disabled.

- Do write on forums, as long as you leave no identifiable mark. Not even a small one.
As long as you post anonymously, write all you want, it's safe.

- Do feel at ease about accessing text based information (where there is no room for malicious scripts).

- Do participate in the topics you align yourself with.

- Do browse Darknet/Clearnet at will, but use common sense and be cautious, and above all - religiously abide
by the do nots*.

* That being said, with experience and due diligence, you will be able to safely bend some of the rules in
the dos and don'ts. For example, if you are on a site that you know, with absolute certainty, would
not use a malicious javascript hack, then you could potentially enable javascript for that one transaction.

============================
Useful resources (Clearnet):
============================

If you are paranoid, access the following links with the TORBrowser (I don't bother since they are all
clearnet and on reddit where millions of people go everyday).

- http://www.reddit.com/r/privacy
- http://www.reddit.com/r/silkroad
- http://www.reddit.com/r/tor
- http://www.reddit.com/r/onions
- http://www.reddit.com/r/darknetplan/
- http://www.reddit.com/r/netsec
- http://www.reddit.com/r/freespeech
- http://www.reddit.com/r/gnupg
- http://www.reddit.com/r/crypto
- http://www.reddit.com/r/stand * Internet activism
- http://www.reddit.com/r/tails
- http://www.reddit.com/r/i2p

================
Links (Darknet):
================

This is the best assortment of onion links that I have found, from there you can find pretty much everything you
would want to find. However, be very very careful with what you do in any sites on this directory. There are very
good resources, and you can find great things, but proceed with caution, use common sense and follow all the safety
rules above.

- http://skunksworkedp2cg.onion/sites.html
- http://dirnxxdraygbifgc.onion/

============
Scary Stuff:
============

The only sure way the other side has to get to you (which is extremely unlikely but possible) is through
time matching. This is because TOR is anonymous but it is NOT invisible. There are many ways in which your
ISP can know if you are using TOR. That does not mean, however, that they know anything about what you are
posting or what websites you are visiting since that is all encrypted. They just know that you are using
TOR, and there are LOTS of legitimate uses for TOR. That allows them, if for some reason they should suspect
you, to set up a van outside your home. Now, let's say you have just arrived home and turned on the lights and computer.
Now you visit a particular forum on TOR, which LEA has control of. If, simultaneously, they are watching your
home and see you turn on your lights at the same time that you log onto TOR and log on to that particular
forum, then they have reasons to fuck with you. Beware.

=======================
Are you super paranoid?
=======================

__________________________________________________________________________________________________________________

Disclaimer:

The text henceforth is not my own. I cannot attest to the veracity or quality of the assertions which
in some cases seem pretty wild, but given recent Snowden revelations, I cannot say it is not possible with
absolute certainty. As usual, take everything with a grain of salt.
__________________________________________________________________________________________________________________

--------
Disable:
--------

(Some disables on the list are already done by TOR.)

- 3rd Party Cookies *
- Java
- Javascript *
- Flash / Shockwave (TOR does this)
- CSS3 Webfonts
- OCSP Validation
- Web Sockets
- Geolocation
- Battery Status API FF11+

* these ones should be disabled even if you aren't paranoid, covered above.

-------
Do you?
-------

- Run TOR from a Virtual Machine
- Use Tails or Whonix?
- Run TOR from an encrypted partition
- Wipe all temporary files, empty space, even if using full disk encryption?
- Know that sites can identify your region through the TorBrowser language preferences under
Options -> Content -> Language. Choose a generic language e.g. "en" (instead of en-US), de (instead of de-de),
and so on.

----------------------------
Dangerous Operating Systems:
----------------------------

- Microsoft Windows - Verified by the German government to have back doors. Nothing to hide? Are you .. sure?
Back door means they can plant evidence without your knowledge. Back doors mean they can steal your company
secrets. Back doors mean agencies can spy on each other and steal credit for take downs.

- Mac OS X - Logs what you do. Apple can and will decrypt any encryption set by Mac OS X. Non corporate PGP disk
encryption with TrueCrypt volumes on top of that for your downloads is slightly safer, if you must use a Mac.

- Ubuntu - By default will log all sites you visit and post back to Canonical. Reformat the drive and install
Linux. Ubuntu is no longer true Linux. For those that like Ubuntu, use Mint. Other options are Fedora, CentOS,
Gentoo, Slax/Slackware, Linux From Scratch, TinyCore, Damn Small Linux. A distro that boots from USB and runs
in RAM is safest. Store files on encrypted USB and use a crazy strong pass phrase. It should be impossible for
you to type this when drunk or drugged. Be sure to run Bastille hardening scripts and enable AppArmor on Ubuntu
variants and SELinux on Redhat variants. Be sure to remount /proc with hidepid=2,gid=0 from a script in your
encrypted volume.

- Cell Phones - All mobile OS have embedded SSL CA certs and most have vendor root kits that
anti-virus companies are not allowed to call spyware or remove, or they will face legal issues.

- Mobile or Tablet OS - Anything created by a marketing company such as Google or by a wireless provider has back
doors in it. This is not theory. It is well documented. These OS are designed to be compromised by LEA with
simple memory cards and USB devices.

--------------------
Dangerous Practices:
--------------------

- Cloud Storage - All your data is encrypted with common root keys. Someone else is targeted, they have your data
too!

- Cloud Backups - same

- Tor Mail - No safer than ClearWeb mail. Your messages are stored as clear text. Was
recently hacked. Hope your emails were encrypted by you.

- Tor Gateways Logins - If you use a username/pw through a Tor gateway, others already have your username/pw.
Yes, even if the site uses HTTPS. Many Tor exit gateways are running ssl-strip and metasploit.

- Private Messages - There is no such thing as private messages. If you and your friends are not using your own
encryption software with your own pre-shared secrets, then you have no secrets.

- Rubber Stamping - Using the same username or password on any two sites or on any site and your cell phone is the
same as printing your username and password on your forehead. Anything you put in your cell phone is available
to authorities with NO effort on their part. Using the same pw on a Tor site as a ClearWeb site is daft.

-----------
Easter Egg:
-----------

Did you really make it this far? There you go, good job!

http://allyour4nert7pkh.onion/tracker/