Tor’s Tips On Staying Anonymous

The key to staying anonymous is understanding that security is about layers, which is a fitting concept given we are talking about Tor.  Beyond that, one must also decide where on the scale of security versus convenience they want to reside.  What are the acceptable risks?  Where does the return on investment tip?  How paranoid do you want to be?  Once you know where you are on the scale, you can take the appropriate level of steps.

This is straight from the onion’s mouth, and can be found at:

Be safe.  Have fun.

Want Tor to really work?

You need to change some of your habits, as some things won’t work exactly as you are used to.

  1. Use Tor Browser: Tor does not protect all of your computer’s Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
  2. Don’t torrent over Tor: Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that’s how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.
  3. Don’t enable or install browser plugins: Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy.
  4. Use HTTPS versions of websites: Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon that website. To help ensure private encryption to websites, Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website. Also see EFF’s interactive page explaining how Tor and HTTPS relate.
  5. Don’t open documents downloaded through Tor while online: Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files, unless you use the PDF viewer that’s built into Tor Browser) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
  6. Use bridges and/or find company: Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you’re using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!


Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn’t complete, and we need your help identifying and documenting all the issues.

Politician Accidentally Doxes His Old Boss By Reading Encrypted Signal Messages in Front of a Bunch of Cameras

It is a scene in a movie, where the keystrokes or keypad presses of an unsuspecting person are captured by the highly sophisticated method of looking over their shoulder, be it literally, with a telescope, or from a security camera.  Either way, wetware is by far the largest security gap.

All the encryption in the world is not going to help if someone can read over your shoulder.

Lorenzo Franceschi-Bicchierai
Jan 31 2018, 9:25am

Using a secure messaging app to communicate with your political allies is a great idea in this day and age, where government hackers actively try to break into the email accounts of high-profile politicians and staffers in order to plaster them online. But all the unbreakable encryption in the world isn’t going to save you if you read the supposedly secret messages in front of a camera.

Even though that scenario sounds like the subplot of a Mr. Robot episode, that’s precisely what happened to recently ousted Catalan president Carles Puigdemont.

On Wednesday morning, a Spanish TV station showed a photo of a series of messages apparently sent by Puigdemont to another Catalan politician using the popular encryption app Signal. Puigdemont appeared to admit the end of his attempt to lead Catalonia to secede from Spain and become an independent country.

“I guess you’ve realized that this is over,” reads one message from Puigdemont to his former Catalan health minister Toni Comin. “Our people have sacrificed us. Or at least me.”

As a Spanish journalist said during the TV show that broke the news, “Comin didn’t notice we were just behind him.”

Comin and the journalists were attending a public event in Belgium where Puigdemont was supposed to speak. He didn’t show, but instead sent a video message. During the event, Puigdemont sent Comin the messages, in which he apparently admitted his defeat in his attempt to make Catalonia, one of the richest regions in Spain, independent.

In October of last year, the Catalan government, then led by Puigdemont, celebrated a referendum where a majority of the voters sided with independence. Spanish authorities ruled the referendum unconstitutional and illegal, and ousted the Catalan government, calling for new elections.

Hours after the news broke, Puigdemont wrote on Twitter that, as a journalist himself, he has “always understood that there are limits, including privacy, which should never be violated.”

“I’m human and there are moments where I have doubts. I’m also the president and I will not give up nor back down,” he added. “We continue!”

This incident is a good reminder that just using a certain technology—no matter how secure it is—won’t save you if there are prying eyes all around you. If you are writing and reading sensitive stuff over Signal, make sure you don’t do that in a place where others might see it. Especially if the place is filled with journalists and you’re a very interesting politician. Be aware of your surroundings. And remember that anything you send can be screenshotted and shared by the person you’re sending it to.

In other words, there’s more to good OPSEC than just using an app.


New Tool Automatically Finds and Hacks Vulnerable Internet-Connected Devices

Perhaps the best quote from this article is from Richard Bejtlich, “This will end in tears.”

Motherboard’s article, “New Tool Automatically Finds and Hacks Vulnerable Internet-Connected Devices” provides a good quick snapshot of the situation.  The gem link is the GitHub link to the source though.

The description of the tool, AutoSploit, according to Motherboard, is, “AutoSploit on the other hand, combines Shodan, a sort-of search engine for internet-connected devices, and Metasploit, a well-known penetration testing tool for executing of exploits.”  Now, do you remember the best quote of the article?

This will end in tears.


Cisco drops a mega-vulnerability alert for VPN devices

Something no enterprise, individual or entity wants to hear: “Oh, BTW, all your VPN are belong to us.”

Check out this quote from Cisco, “A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.”

Cisco gives a shout out to Cedric Halbronn, of NCC Group.  On Twitter: @saidelike.  Something worth checking out are NCC Group’s related publications and tools, which are linked to from Cedric’s Publications page.  The publication starts out with a title of, “Cisco ASA series part one: Intro to the Cisco ASA,” then they move into, “We’ve spent a bunch of time investigating Cisco ASA devices and their firmware while looking into exploiting CVE-2016-1287, CVE-2016-6366, and other bugs. Part of this research has involved data mining numerous Cisco ASA firmware files to generate new exploit targets.”

“We took the time to write some tools to more effectively analyse or debug certain aspects of the exploits and automate a lot of the tasks we found repetitive. Many of these tools help speed up investigations of problems/bugs, debugging vulnerabilities and exploit states, and the general poking around of Cisco devices for research.”

Good stuff, considering they are the credited source.