Tor’s Tips On Staying Anonymous

The key to staying anonymous is understanding that security is about layers, a fitting concept given that we are talking about Tor.  Beyond that, one must also decide where on the scale of security versus convenience they want to reside.  What are the acceptable risks?  Where does the return on investment tip?  How paranoid do you want to be?  Once you know where you are on that scale, you can take the appropriate level of steps.

This is straight from the onion's mouth, and can be found at:

Be safe.  Have fun.

Want Tor to really work?

You need to change some of your habits, as some things won’t work exactly as you are used to.

  1. Use Tor Browser: Tor does not protect all of your computer’s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
  2. Don’t torrent over Tor: Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that’s how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.
  3. Don’t enable or install browser plugins: Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy.
  4. Use HTTPS versions of websites: Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon that website. To help ensure private encryption to websites, Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website. Also see EFF’s interactive page explaining how Tor and HTTPS relate.
  5. Don’t open documents downloaded through Tor while online: Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files, unless you use the PDF viewer that’s built into Tor Browser) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
  6. Use bridges and/or find company: Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you’re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!
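Item 5 warns that a downloaded PDF or Office document can carry references that the external application will fetch outside Tor. As an added example (my own triage script, not part of the Tor Project's text), the following flags the usual carriers of such references, PDF link and action keywords and OOXML external relationships, so a file can be checked before it is opened on a disconnected machine. Both sample documents are constructed inline; the beacon hostnames are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# PDF action keywords that make an external viewer fetch a URL or run a program.
PDF_ACTIONS = (b"/Launch", b"/SubmitForm", b"/GoToR", b"/ImportData")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def scan_pdf(data):
    """Return (keyword, target) pairs; only uncompressed objects are inspected."""
    found = [("/URI", m.group(1).decode("latin-1"))
             for m in re.finditer(rb"/URI\s*\(([^)]*)\)", data)]
    found += [(kw.decode(), "") for kw in PDF_ACTIONS
              if re.search(re.escape(kw) + rb"\b", data)]
    return found

def scan_ooxml(data):
    """Return ("External", target) pairs from every .rels part of an OOXML zip."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(zf.read(name)).iter(RELS_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        found.append(("External", rel.get("Target")))
    return found

def scan_document(data):
    """Dispatch on file magic; unrecognised formats yield no findings."""
    if data.startswith(b"%PDF"):
        return scan_pdf(data)
    return scan_ooxml(data) if data.startswith(b"PK\x03\x04") else []

# Constructed sample: a PDF fragment whose link annotation points at a remote host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link
   /A << /S /URI /URI (http://beacon.example.invalid/track) >> >> endobj
"""

def build_sample_docx():
    """Constructed sample: a minimal .docx with one internal and one external relationship."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="r1" Type="t" Target="styles.xml"/><Relationship Id="r2" Type="t"'
            ' Target="http://beacon.example.invalid/i.png" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Real PDFs usually keep their objects in compressed streams, which this script does not inflate, so an empty result is a triage hint and not a clean bill of health; the disconnected-machine advice above still applies.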


Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn’t complete, and we need your help identifying and documenting all the issues.

The Venezuelan Government Is Doing an Ethereum Token Sale to Support Its New Cryptocurrency

I am not sure why, but I would imagine this venture will have a difficult time finding worthwhile investors.  Anyone would simply have to ask themselves, “Do the people behind this have any sort of track record of success?”  And … with that … they would be out.

The Venezuelan Government Is Doing an Ethereum Token Sale to Support Its New Cryptocurrency

The government released the Petro’s white paper on Tuesday.

Jordan Pearson

Venezuela’s economy is in deep trouble. To dig itself out, on Tuesday the Venezuelan government unveiled its full plans for the Petro, a bespoke digital currency backed by the country’s oil resources.

Controversy has surrounded the Petro, the price of which will be pegged to the value of Venezuela’s oil per barrel—roughly $60 in early January, according to Reuters—since day one. Opposition legislators in Venezuelan Parliament see the currency as an “illegal” attempt by President Nicolás Maduro to essentially get advance payment for the eventual sale of its oil reserves. Cryptocurrency enthusiasts, meanwhile, have argued that a centralized government creating a decentralized currency defeats the purpose of the technology entirely.

The Petro white paper, released on Tuesday, will only add fuel to the fire of criticism. (The Petro site was offline all morning, but government-supported news outlet Alba Ciudad uploaded a copy, which we’ve re-uploaded below in case that goes offline too.) The white paper reveals that prior to the Petro’s launch, Venezuela will create a token on the Ethereum blockchain and sell it. Tokens are not cryptocurrencies, like the Petro will be—they’re digital assets created out of thin air and their value is only whatever people are willing to pay for them.

Most token sales on Ethereum (events known as Initial Coin Offerings) are used to raise money to fund development, but the real fundraiser for Venezuela will be the public offering of Petro itself. Instead, according to the white paper, the token pre-sale “will promote and guarantee demand for the Petro Initial Offer, which will be made later.”

The idea seems to be that people will snap up tokens in order to trade them in for Petros later, when those go on sale. The “reference sale price” for the tokens will be the same as Petro—$60—but discounts will be applied to promote token ownership, and in return Petro. Basically, it’s guaranteeing demand for the Petro by manufacturing a financial incentive.

According to the white paper, the token pre-sale will start on March 1, with the initial offering of Petros taking place on March 29. However, President Maduro said on Tuesday that the token pre-sale would begin on February 20.

The Venezuelan government will accept Petros as payment for things like taxes and public services, and will provide financial incentives for merchants in the country to adopt the Petro. The government also sees the Petro blockchain as being an information platform, much like how the Bitcoin blockchain can be used to host or track public records.

Just over half of the funds raised through the sale of Petro will be kept by the government in a “Sovereign Fund,” and the rest will be used to fund technological development.

Despite being clearly born of economic desperation, the Petro has a political bent as well. The white paper positions the currency as being a way to further free Venezuela from the grips of US financial control. “Its antecedents go back to proposals of financial and monetary coordination before the hegemony of the US dollar,” the white paper states, “which resurfaced after the financial crisis of late of the last decade.” It name-checks Bancor, an idea for a supranational unit of account to equalize trade between countries that was conceptualized by John Maynard Keynes in the 1940s.

Despite the sunny optimism of the white paper, the complexity of having a token pre-sale backing an ICO, which is then backed by oil reserves, casts an aura of doubt on Petro’s feasibility. There’s the feeling that Venezuela has been here before. The social gains made during the “golden decade” of Hugo Chavez’s socialism were buoyed by a black tide of oil money, and whether you believe the current state of affairs is due to crashing oil prices or mismanagement, the lesson is that oil is not a silver bullet in Venezuela.

And neither, perhaps, will cryptocurrency be.

Four Steps to Speaking with Purpose and Influence

Or, Four Steps of Using Wisdom in Your Speech

The four steps are, Message, Audience, Effect, and Timing.

Message

Before speaking, be it to an individual, a room of people, or the world, ask yourself, “What is the message I want to convey?”

Audience

Once you have focused on the core concept you want to express, consider your audience. Ask yourself, “Who is my audience?” Another way to ask this is, “Who is listening?”

Effect

Next, ask yourself, “What is the desired effect?” “What do I want to accomplish right now?”

Timing

If you have your message, know your audience and know your desired effect, ask yourself, “Is this pertinent right now?” “Does it really matter right now?” “Is now the best time to say this?”

Throughout this process, keep in mind one of former U.S. Secretary of Defense Robert Gates’ favorite adages: “Never miss a good chance to shut up.”

If you have used these four steps and have determined to speak, do so confidently and with purpose.

At first, challenge yourself to use these four steps for an hour. Then progress to an entire day. Use this mental exercise to strengthen your mind, words, and influence.

PDF: Four Steps to Speaking with Purpose and Influence

Four Steps to Speaking with Purpose and Influence: Or, Four Steps of Using Wisdom in Your Speech by Javier Odom is licensed under a Creative Commons Attribution 4.0 International License.

Politician Accidentally Doxes His Old Boss By Reading Encrypted Signal Messages in Front of a Bunch of Cameras

It is like a scene from a movie, where the keystrokes or keypad presses of an unsuspecting person are captured by the highly sophisticated method of looking over their shoulder, whether literally, with a telescope, or via a security camera.  Either way, wetware is by far the largest security gap.

Politician Accidentally Doxes His Old Boss By Reading Encrypted Signal Messages in Front of a Bunch of Cameras
All the encryption in the world is not going to help if someone can read over your shoulder.

Lorenzo Franceschi-Bicchierai
Jan 31 2018, 9:25am

Using a secure messaging app to communicate with your political allies is a great idea in this day and age, where government hackers actively try to break into the email accounts of high-profile politicians and staffers in order to plaster them online. But all the unbreakable encryption in the world isn’t going to save you if you read the supposedly secret messages in front of a camera.

Even though that scenario sounds like the subplot of a Mr. Robot episode, that’s precisely what happened to recently ousted Catalan president Carles Puigdemont.

On Wednesday morning, a Spanish TV station showed a photo of a series of messages apparently sent by Puigdemont to another Catalan politician using the popular encryption app Signal. Puigdemont appeared to admit the end of his attempt to lead Catalonia to secede from Spain and become an independent country.

“I guess you’ve realized that this is over,” reads one message from Puigdemont to his former Catalan health minister Toni Comin. “Our people have sacrificed us. Or at least me.”

As a Spanish journalist said during the TV show that broke the news, “Comin didn’t notice we were just behind him.”

Comin and the journalists were attending a public event in Belgium where Puigdemont was supposed to speak. He didn’t show, but instead sent a video message. During the event, Puigdemont sent Comin the messages, in which he apparently admitted his defeat in his attempt to make Catalonia, one of the richest regions in Spain, independent.

In October of last year, the Catalan government, then led by Puigdemont, celebrated a referendum where a majority of the voters sided with independence. Spanish authorities ruled the referendum unconstitutional and illegal, and ousted the Catalan government, calling for new elections.

Hours after the news broke, Puigdemont wrote on Twitter that, as a journalist himself, he has “always understood that there are limits, including privacy, which should never be violated.”

“I’m human and there are moments where I have doubts. I’m also the president and I will not give up nor back down,” he added. “We continue!”

This incident is a good reminder that just using a certain technology—no matter how secure it is—won’t save you if there are prying eyes all around you. If you are writing and reading sensitive stuff over Signal, make sure you don’t do that in a place where others might see it. Especially if the place is filled with journalists and you’re a very interesting politician. Be aware of your surroundings. And remember that anything you send can be screenshotted and shared by the person you’re sending it to.

In other words, there’s more to good OPSEC than just using an app.


New Tool Automatically Finds and Hacks Vulnerable Internet-Connected Devices

Perhaps the best quote from this article is from Richard Bejtlich, “This will end in tears.”

Motherboard’s article, “New Tool Automatically Finds and Hacks Vulnerable Internet-Connected Devices,” provides a good quick snapshot of the situation.  The gem, though, is the link to the source on GitHub.

Motherboard describes the tool, AutoSploit, this way: “AutoSploit on the other hand, combines Shodan, a sort-of search engine for internet-connected devices, and Metasploit, a well-known penetration testing tool for executing of exploits.”  Now, do you remember the best quote of the article?

This will end in tears.


Cisco drops a mega-vulnerability alert for VPN devices

Something no enterprise, individual or entity wants to hear: “Oh, BTW, all your VPN are belong to us.”

Check out this quote from Cisco, “A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.”

Cisco gives a shout out to Cedric Halbronn of NCC Group (on Twitter: @saidelike).  Also worth checking out are NCC Group’s related publications and tools, which are linked from Cedric’s Publications page.  The publication starts out with the title “Cisco ASA series part one: Intro to the Cisco ASA,” then moves into, “We’ve spent a bunch of time investigating Cisco ASA devices and their firmware while looking into exploiting CVE-2016-1287, CVE-2016-6366, and other bugs. Part of this research has involved data mining numerous Cisco ASA firmware files to generate new exploit targets.”

“We took the time to write some tools to more effectively analyse or debug certain aspects of the exploits and automate a lot of the tasks we found repetitive. Many of these tools help speed up investigations of problems/bugs, debugging vulnerabilities and exploit states, and the general poking around of Cisco devices for research.”

Good stuff, considering they are the credited source.