May 10, 2013

Protect Yourself Online With Tor, TAILS, and Debian

Our privacy and rights to our own data mean nothing on the Internet as businesses and governments freely capture, mine, and sell as much personal information on Web users as they can possibly grab. There is no oversight or accountability, and we have little say. Sure, there are always people who shrug and say "I have nothing to hide and I don't care." Fine for them, but not fine for Web users who do care about this. I daresay they would care if the consequences were as immediate as multitudes of strangers entering their homes and snooping into all of their stuff, but it's abstract and the consequences are not as obvious as physical trespass. Though for some Internet users the consequences are drastic, such as whistleblowers and journalists who live in countries where they face arrest or worse.

[Figure: The anonymous TAILS desktop.]

There are some tools we can use to try to protect ourselves, and one of them is Tor, the onion router. Tor was originally developed by the U.S. Naval Research Laboratory for protecting government communications. Tor is a distributed, anonymous network of thousands of relays that obscure your pathways as you use the Internet. Tor aims to foil traffic analysis, which is widely used to track sites that you visit, your location, and your identity. Encrypting your data doesn't protect you from traffic analysis, because packet headers must be unencrypted, and a whole lot of information is gleaned from packet headers. Most Internet users don't bother to encrypt their data, so it's a feast for snoopers.

Tor creates private network pathways for you by building chains of encrypted TCP connections. Each link in the chain only knows about the previous link and the next link, so your "footprints" are erased as you go.

If you tried Tor in the past and struggled to configure it, it's easier than ever to use, thanks to the Tor Browser Bundle. This is a pre-configured Web browser all ready to anonymize your Web surfing. Tor also supports the Thunderbird mail client, the Tor Cloud project creates anonymous bridges across Amazon EC2, and Orbot anonymizes Android users.

What Tor Does Not Do

Tor is about hiding your location, not encrypting your communications. It cannot encrypt the traffic between the exit node and your destination, and anyone in a position to snoop on both your computer and any of your destinations can connect the dots with some traffic analysis. For end-to-end encryption you're on your own and need SSL or SSH.

Anyone running a Tor exit node has the ability to perform mischief; this is the weakest point in Tor. A security researcher ran several Tor exit nodes to see what information he could snoop, and it was a lot. The Tor documentation warns about this; again, you are responsible for your own end-to-end security.
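
The layered chain described earlier and the exit-node exposure described in this section can be seen together in a small simulation. This is an added example, not code from Tor or from the original article; the relay names, keys, destination and request are constructed, and the cipher is a toy stand-in built on SHA-256 rather than the cryptography Tor actually uses.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); XOR again to decrypt.
    A stand-in so the example runs offline. Not Tor's cipher, not secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, destination, payload):
    """Client: add one layer per relay, innermost (exit) layer first."""
    next_hop, cell = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell, next_hop = keystream_xor(key, layer), name
    return next_hop, cell  # first relay to contact, fully wrapped cell

def peel(key, cell):
    """Relay: strip one layer, learning only where to forward the rest."""
    layer = json.loads(keystream_xor(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, destination, payload):
    """Send payload through the circuit; return each relay's view and
    the bytes that leave the exit relay toward the destination."""
    _first_hop, cell = wrap(path, destination, payload)
    views, prev = [], "client"
    for name, key in path:
        nxt, cell = peel(key, cell)
        views.append({"relay": name, "prev": prev, "next": nxt})
        prev = name
    return views, cell

# Constructed sample circuit, keys and request (all hypothetical).
PATH = [("entry", b"k1"), ("middle", b"k2"), ("exit", b"k3")]
DEST = "example.org:80"
SECRET = b"user=alice&password=correct-horse"

if __name__ == "__main__":
    views, leaving_exit = route(PATH, DEST, SECRET)
    for v in views:
        print(v)  # no relay sees both "client" and the destination
    print("exit relay forwards:", leaving_exit)  # readable plaintext
    sealed = keystream_xor(b"shared-with-destination", SECRET)
    _, leaving_exit = route(PATH, DEST, sealed)
    print("with end-to-end encryption:", leaving_exit.hex())
```

In the first run the exit relay forwards the request exactly as the client wrote it, which is why the article says you need SSL or SSH on top of Tor; in the second run the exit relay only handles bytes it cannot read.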

Tor can't protect you from yourself; it can't stop you from clicking on scammy email links, downloading scammy games and apps, or revealing everything about yourself in Web forms and on Facebook. Tor does not support IPv6. Tor is slower than unprotected Internet travels.

TAILS, the Anonymous Distro

TAILS, the Amnesic Incognito Live System, is a complete live Debian distro that routes all network traffic through Tor, and erases all traces of your network activities from your local storage devices, unless you explicitly allow it. TAILS is not just for Web surfing, but routes all of your Internetworking through Tor: email, IRC, the works. It is a complete Debian system all ready to do actual work as it includes the usual system tools and productivity applications such as OpenOffice, Scribus, Audacity, and GIMP. Use it like any live distro: copy it to a DVD or USB stick and boot it up. Figure 2 shows what it looks like after booting. Click the big green button and it will confirm that you're protected.

[Figure 2: TAILS boots to Tor-enabled Iceweasel.]

TAILS uses the Iceweasel Web browser (Debian's version of Firefox) and enables HTTPS Everywhere by default. This is a plugin that ensures your Web sessions use HTTPS on sites that support it. (It won't magically make HTTPS work on sites that do not deploy it.) There is a handy CS Lite cookie manager button, NoScript, and the Torbutton. The Torbutton gives you a great deal of control and the default configuration is very safe. Some of the options include not writing cookies to disk, setting the User Agent for Tor usage, controlling your History, disabling plugins and isolating dynamic content. It sends a minimum of browser identifying information, and the "New Identity" option clears your browser state and starts over with a new Tor session. Try the EFF's Panopticlick to see how trackable your Web browser is.

Pidgin is included for anonymous IRC, and Claws-Mail for anonymized emailing. You can create a persistent storage volume on a TAILS USB stick with Tails > Configure Persistent Volume, and delete it just as easily with Tails > Delete Persistent Volume.

Running TAILS from a USB stick is faster than from a DVD-R, and you have the persistent storage option, but it's also less safe because a USB stick is writable, and a DVD-R is not.

I used TAILS for my daily work for a week, and it's definitely a lot slower for Internet activities. Though it might help to keep in mind that reading and communicating online is a lot faster than visiting people and libraries in person. It's very easy to use, and I figure something that you can actually use is always better than something that isn't used because it's difficult.