  • Locked thread
XenJ
Aug 1, 2014
Mod Note: Don't actually use this, it's horribly dangerous, feel free to discuss below however!

Tails is a little Linux-based operating system that you can use from a USB stick, DVD or SD card. It's perfect for "safe*" access to your internet banking stuff, or if you're not at home and have to check your mail but know the PC you use is not as reliable as our own at home :p
It is easy to use and everything is ready to work; you have no long manuals to read (if you do not want to) after start.

Tip: use a USB3 stick with a mechanical write-protection switch (it need not be expensive).

What is Tails: http://en.wikipedia.org/wiki/Tails_%28operating_system%29
Where you get it: https://tails.boum.org/index.en.html

What you should not forget to read: https://tails.boum.org/doc/index.en.html

Little helper you need: http://universal-usb-installer.en.softonic.com/ to put Tails on a USB stick.

Steps to put Tails on the USB stick: https://tails.boum.org/doc/first_steps/installation/manual/windows/index.en.html
1. Download the USB Installer and double-click it.
2. Agree to the License Agreement (no worries, it's under an open source license).
3. Follow the 3 steps in the window. Tails is near the bottom in the pulldown menu.
4. That's it!

It's all open source! http://en.wikipedia.org/wiki/Open_source

Have fun :)

* "safe": nothing is really safe, but some ways are harder for people that want to rob your stuff.

Somebody fucked around with this message at 13:51 on Aug 3, 2014


Space Gopher
Jul 31, 2006

Tor is glacially slow, it's an active target for the FBI, NSA, and other surveillance organizations, and exit nodes are a perfect place to run man-in-the-middle attacks. The point isn't to keep your information secure; it's to keep you anonymous (which you immediately throw out the window if you're accessing a bank account tied to your personal information). Avoid Tor, and Tails, unless you have a very good reason to use it.

If you worry about online banking over untrusted networks, either wait until you get home to do your banking, or use a cheap Chromebook and SSL.

xtal
Jan 9, 2011


Space Gopher posted:

Tor is glacially slow, it's an active target for the FBI, NSA, and other surveillance organizations, and exit nodes are a perfect place to run man-in-the-middle attacks. The point isn't to keep your information secure; it's to keep you anonymous (which you immediately throw out the window if you're accessing a bank account tied to your personal information). Avoid Tor, and Tails, unless you have a very good reason to use it.

If you worry about online banking over untrusted networks, either wait until you get home to do your banking, or use a cheap Chromebook and SSL.

For what it's worth, it's not terribly slow anymore (you can get a couple megabytes of download, which is enough to saturate my lovely Internet) and MITMs aren't an issue if you use HTTPS or hidden services only. I would definitely hope a banking website is using HTTPS. I encourage everybody to use Tor, but I would never encourage anybody to use plaintext communication like HTTP.

If your primary concern with Tor is its speed, consider running or sponsoring a relay (not an exit node) to increase the amount of bandwidth available. You can contribute to increasing the speed of the network without any chance of legal repercussions: relays never see plain text.

Space Gopher
Jul 31, 2006


xtal posted:

For what it's worth, it's not terribly slow anymore (you can get a couple megabytes of download, which is enough to saturate my lovely Internet) and MITMs aren't an issue if you use HTTPS or hidden services only. I would definitely hope a banking website is using HTTPS. I encourage everybody to use Tor, but I would never encourage anybody to use plaintext communication like HTTP.

The MITM concern with Tor is that you're letting a single untrusted node control your communication with the internet at large. Even if you're running an SSL implementation with some vulnerability, the chances for someone to exploit it are generally pretty small - either the attacker needs to have control over the local network (router, DNS server, or something similar), or national-agency level resources to pick your traffic out of backbone networks and gently caress with it. When you use Tor, the "local network" includes some node that you don't know, who can do whatever they please to your traffic.

Using Tor is effectively similar to finding an open ethernet jack in a shady alley, and connecting to the internet through it. You're effectively anonymous (any attempt to trace your use will come back to "shady alley ethernet jack" rather than your home), but you don't know what the person using that ethernet jack might be doing to monitor or even modify your traffic. If you use SSL for everything, you're probably safe, but if there's an unknown/undisclosed vulnerability in your implementation that the jack's owners have access to, you're screwed. The fact that you're using the shady alley instead of your home certainly didn't make you any safer for everyday internet stuff. It's only helpful if you're already a target for some reason, and you think your home's being monitored.

Hidden services are a different thing entirely, but for the online banking and email mentioned in the OP, it's not really relevant. Banks and email providers generally don't provide Tor access to their services.

xtal
Jan 9, 2011


Space Gopher posted:

The MITM concern with Tor is that you're letting a single untrusted node control your communication with the internet at large. Even if you're running an SSL implementation with some vulnerability, the chances for someone to exploit it are generally pretty small - either the attacker needs to have control over the local network (router, DNS server, or something similar), or national-agency level resources to pick your traffic out of backbone networks and gently caress with it. When you use Tor, the "local network" includes some node that you don't know, who can do whatever they please to your traffic.

Using Tor is effectively similar to finding an open ethernet jack in a shady alley, and connecting to the internet through it. You're effectively anonymous (any attempt to trace your use will come back to "shady alley ethernet jack" rather than your home), but you don't know what the person using that ethernet jack might be doing to monitor or even modify your traffic. If you use SSL for everything, you're probably safe, but if there's an unknown/undisclosed vulnerability in your implementation that the jack's owners have access to, you're screwed. The fact that you're using the shady alley instead of your home certainly didn't make you any safer for everyday internet stuff. It's only helpful if you're already a target for some reason, and you think your home's being monitored.

Hidden services are a different thing entirely, but for the online banking and email mentioned in the OP, it's not really relevant. Banks and email providers generally don't provide Tor access to their services.

You're right, and in fact Tor seizes every opportunity to remind you that using it alone is not enough to make you safe. Anybody using Tor should augment it with encryption, be it HTTPS, SSH or GPG. There is still the danger that an exit node recording all traffic could retroactively crack your encrypted data if they later discover the keys or a vulnerability in the cipher, but your ISP, the sysadmin or any number of other people could just as easily do the same thing.

I've been using full-system Tor for ideological reasons for over a year now and feel safe, because I would never send data over a plaintext protocol anyway. The irritating thing is the small but growing number of websites that indiscriminately block Tor users, which I feel is a lazy alternative to proper network security. Cloudflare, Cloudfront and Google either block me or make me fill out a CAPTCHA, so I made a key bind to establish a new Tor identity and hit it until I get an IP address they haven't seen yet.

To be more on-topic regarding Tails, I would also suggest people check out Liberte Linux, a different Linux in the same realm.

pram
Jun 10, 2001

xtal posted:

The irritating thing is the small but growing number of websites that indiscriminately block Tor users, which I feel is a lazy alternative to proper network security. Cloudflare, Cloudfront and Google either block me or make me fill out a CAPTCHA, so I made a key bind to establish a new Tor identity and hit it until I get an IP address they haven't seen yet.

This is mostly to deter spammers fyi, not really security.

Alereon
Feb 6, 2004

Routing your traffic through Tor is much less secure than not doing so. Tor provides a measure of anonymity, but also adds additional opportunities for man-in-the-middle attack. If you're a dissident in a jurisdiction that probably doesn't have the resources to monitor Tor and you need the anonymity, this is good for you. If you live in the US then using Tor is basically handing your data to criminals and hoping they won't be able to make use of it if you follow best practices and don't gently caress up.

There are two main reasons it's bad to use a computer you don't own to access the Internet: The computer could have spyware on it, and it could have malicious SSL certificates or issuers trusted so that bad certs are accepted by default. Booting from your own USB drive fixes the latter, but not the former: it's still possible for the owner of the machine to keylog everything you do. It is harder than just running keylogger software under Windows though, so this is still a substantial improvement in security.

As a cynical overview, Tor is a honeypot network operated jointly by the NSA and Russian carders. The NSA likes Tor because for some reason people are willing to selectively route their most "interesting" traffic through it for them to monitor. Russian carders like Tor because anyone stupid enough to do that will probably send valuable data unencrypted at least sometimes, especially given malicious nodes that try to make that more likely (SSL stripping, attempting to force insecure authentication, etc).

xtal
Jan 9, 2011

It's definitely possible that Tor is backdoored, but because leaked internal slides reveal candid frustration with Tor, and their only attack on Tor to date was an exploit in an old version of Firefox, we don't have any reason to think it's a honeypot. They could be very good liars and not want to show their hand, but I would feel much much more safe placing a bet on the security of HTTPS than the competence and integrity of my ISP or VPN provider. It's a matter of "could be attacked by a government's concerted effort" versus "absolutely definitely all traffic being logged."

All that said, the relay early attack in the news right now is interesting and may be the first practical attack on the Tor network to successfully deanonymize users. Exciting times for cryptography nerds.

Alereon
Feb 6, 2004

What you're basically saying is that you trust the bad guys (Tor) more than your ISP or VPN provider, which is a little insane. While if done correctly you should be able to maintain security, a lot of the sites you visit are unencrypted and it's pretty easy to break or interfere with HTTPS, so arguing that you're safe because the sites you visit have HTTPS is not true.

Again, the point of Tor is that you're trading somewhat reduced risk that you will be identified as the sender of data for increased risk that the data you send will be intercepted by the bad guys. For most people that is the exact opposite trade you want to make from a security perspective, especially because your data identifies you anyway.

Bob Morales
Aug 18, 2006



xtal posted:

They could be very good liars and not want to show their hand

What kind of discovery would have to be made that would be worth revealing Tor has been backdoored this whole time, and whose decision would it be to expose it?

XenJ
Aug 1, 2014
My intention was to present an easy-to-use operating system that boots from a USB stick and is used under the face point that one just does not have his own computer there. This program leaves no data on third-party computers.
This was my focus: easy to use and "safe" if you use it on third-party computers such as Internet cafes...
And thanks Xtal, your link Liberte Linux looks interesting too, but I have not had the time to try it out.

Please do not misunderstand that. I find the posts on the safety of the "TOR" network really interesting and it's a thing, it must really be discussed.

But don't forget the other points and their pros and cons.
So please go one or two steps back and think about importance. Is it not, for normal people on the road, a good program with a good level of safety for personal communication on third-party computers?
Is it not really easy to use and a very low entry level for maybe a first Linux experience without crashing your Windows PC? All good points for me to take a look, or?


Space Gopher
Jul 31, 2006


Bob Morales posted:

What kind of discovery would have to be made that would be worth revealing Tor has been backdoored this whole time, and whose decision would it be to expose it?

Releasing that kind of information doesn't always come down to a calculated decision about what's "worth revealing."

Snowden had access to a huge amount of internal NSA materials, including a lot of things they really didn't want out in public. It included a lot of ways to mitigate Tor anonymization (browser attacks, fingerprinting, etc), but nothing that would even hint at a wide-open break. Unless you think that the NSA's hypothetical Tor attack is so secret that they'd go to huge lengths to hide it even among trusted employees who get access to politically sensitive intercept information and the spy-gadget catalog, it doesn't make sense for them to have a generally useful Tor exploit.

The most likely scenario is that the NSA runs exit nodes and actively investigates and modifies traffic, but they can't just arbitrarily reverse Tor anonymity at will.

XenJ posted:

My intention was to present an easy-to-use operating system that boots from a USB stick and is used under the face point that one just does not have his own computer there. This program leaves no data on third-party computers.
This was my focus: easy to use and "safe" if you use it on third-party computers such as Internet cafes...
And thanks Xtal, your link Liberte Linux looks interesting too, but I have not had the time to try it out.

Please do not misunderstand that. I find the posts on the safety of the "TOR" network really interesting and it's a thing, it must really be discussed.

But don't forget the other points and their pros and cons.
So please go one or two steps back and think about importance. Is it not, for normal people on the road, a good program with a good level of safety for personal communication on third-party computers?
Is it not really easy to use and a very low entry level for maybe a first Linux experience without crashing your Windows PC? All good points for me to take a look, or?

The whole point of Tails (and Liberte) is to have a pre-rolled Linux distribution that routes as much traffic as possible over Tor. This means that, if you use them, you're exposing yourself to the Tor vulnerabilities we're discussing, plus any subtle vulnerabilities in the configuration of those distributions.

If you're just concerned about spyware on the local machine stealing your online banking password (a very real concern in places like internet cafes!) then you're likely better off using some mainstream Linux live image that doesn't try to put everything through Tor. Ubuntu is a good choice: it has a wide support base, good learning resources, and lots of eyes on any security issues that might come up.

By the way, if you're looking for media with a hardware write-protect, remember that SD cards don't have one. The write-protect switch is just a polite request to the drivers to not send write commands; if some rootkit is messing with things, then it's free to ignore the switch. The good news is that cross-OS malware that can pick up, "oh, the user is on Windows right now but that card has a Linux image, I'll hit it with a Linux attack" is incredibly rare.
