Preamble Anonymity, privacy, and security. All good things, you'll agree if you're reading this post. But what we can't all quite agree on is where one stops and the next begins. It is my opinion that security is an umbrella term: a more general word that encompasses both of the others. Everything that makes you more anonymous (or private) also makes you more secure. There is a notion that comes up every now and then that Tor doesn't make you more secure, but it only makes you anonymous. Read more...

I have two dogs, a fast car, and I'm currently obsessed with poker. Here's some pictures before this turns into a proper resume. 2013 Corvette Grand Sport. I had a 1988 Corvette too, but have since sold it. Riley (left) and Vinny (right). Australian Cattle Dog / Australian Shepherd. Same parents, different litters ~1 year apart. Read more...

Background I have a 2013 Corvette Grand Sport. I'm slowly dipping my toes into performance driving. Before this weekend, I have done two autocross events (temporary cone track set up in a parking lot), and one ride along during an HPDE event (High Performance Driver Education, actual road racing around a track). Trackcross is a stepping stone between these two styles of racing. It's on a real permanent track, but you don't do the whole thing, you're unable to go quite as fast, and it's only one car on the track at a time. Read more...

In the previous post we built a docker image for an apt package cache. Here we will use it as part of a new base Debian image, from which future feature-filled images can be based on. This will appear a little extra difficult only because I want to include torproject.org's Debian package repository. I'll call out below what you can ingore if you only want Debian's repos. First the Dockerfile. Read more...

This how I've set up an apt package caching host. You may want this for: Reducing the load you are putting on some upstream Debian package repository. Kind of the same thing as the previous point, but framed differently: keeping as much traffic internal to your "stuff" as possible, perhaps because it's cheaper. Some amount of privacy regarding what packages you're downloading, when you're downloading them, and how many hosts you have that are using them. Read more...

Be on a Debian host. Install debootstrap. Have docker. Do this, but replace all instances of bullseye with whatever version of Debian you want. . $ debootstrap --variant=minbase bullseye bullseye-minbase $ ls bullseye-minbase $ tar -C bullseye-minbase -c . | docker import - bullseye-minbase Done. https://wiki.debian.org/Debootstrap https://docs.docker.com/develop/develop-images/baseimages/

I was recently asked how I setup my websites to: Redirect HTTP to HTTPS when not accessed via an onion service. Serve the website over HTTPS when not accessed via an onion service. Serve the website over HTTP when accessed via an onion service. I will further explain: How the .onion available button is obtained in my setup. How to add an onion Alt-Svc that works. I have a very simple setup. Read more...

This post first appeared on my old blog in February 2021. It is preserved, but maybe not updated, here. Last summer Dr. Neal Krawetz AKA "Hacker Factor" made a series of posts on his blog about Tor "0days." This post is a summary of Tor Project's response to one of his posts. Neither this post nor Tor Project's tweet serve as a perfect point-by-point rebuttal of everything he claims in the post, nor all of his "0day" posts. Read more...

Updated: August 2022 to backpedal on Tor not standing for "the onion router." It can stand for two things depending on whether you ask Paul or Roger. Warning: pedantry. I'm writing this down once so I have something to refer to in the future when I want to find this PDF again. Dr. Paul Syverson is "the father of onion routing." He and his colleagues at NRL 20 years ago created onion routing, and he plus Nick Mathewson and Roger Dingledine wrote the origin tor code (adapted from code Matej Pfajfar wrote) in the early 2000s. Read more...

The following post was not written by me. It was written by Julien Voisin and posted on his blog in October 2018. I am sharing it here, unedited except as noted below, according to the CC BY-SA license of the post. Edits made: Add table of contents. Change local links to point to my copies of the paper and its figures, not Julien Voisin's copies. The paper it talks about is old news at this point (from 2018), but I see someone stumble upon it every few months . Read more...

Major update 28 Jan 2021 (UTC): It's happening again, but this time the large amount of directory traffic is coming from exits. We've missed three consensuses, so v3 onions will be going down. Dirauths are already discussing and trading patches to mitigate the issue in the short term. The long-term solution for not allowing people to use exits to do this is tracked here. Read the main body of this post for more information on, e. Read more...

This post first appeared on my old blog in January 2021. It is preserved, but maybe not updated, here. The repo is on Github here, and in case that turns out to be a lie in the future, the code as of the initial writing of this post is here. About brainfuck Brainfuck is an esoteric programming language with only eight commands (i.e. it's meant to be fun/challenging, not useful). Read more...

What follows are three posts announcing new major releases of BM (Blog Maker), the software I wrote and "maintained" that hosted my old blog, in January 2017 and March 2020. These are preserved here, but not updated. Links will be broken. BM v3.0.0 is Released Today I've released a new major version of BM, consisting of about 140 commits! See the changelog for a summary of all the changes, and please report issues at the issue tracker. Read more...

This post first appeared on my old blog in November 2019. It is preserved, but maybe not updated, here. The focus/organization of this post is poor and it does not contain much technical information. You might want to skip this one. I spent about an hour searching the web for the phrase "the hidden wiki" and collected all the resulting websites I could find that called themselves that or some slight variation of that. Read more...

This post first appeared on my old blog in October 2019. It is preserved, but maybe not updated, here. In most cases. Untruth: VPNs protect you from local network hackers This is usually claimed in the context of open WiFi networks such as those at airports or coffee shops, and is basically correct. As long as you have a reputable VPN company and they set up their software correctly, then VPNs help. Read more...

This post first appeared on my old blog in January 2019. It is preserved, but maybe not updated, here. If you've written a script that tries to access random onion services, or all onion services in order, or something else that attempts to brute force the namespace of onion services ... You don't realize how unlikely it is that you will ever find a working link. There's about 100,000 v2 onion services that are running right now (as of Jan 2019) Of those, an unknown fraction are listening on port 80/443 (web sites). Read more...

This post first appeared on my old blog in January 2019. It is preserved, but maybe not updated, here. If you're going to browse the web, use Tor Browser. Don't try to make Firefox, Chrome, or something else proxy its traffic over Tor. There is no combination of settings tweaks that produces as good of a product as Tor Browser. You will be essentially uniquely fingerprintable. You will not get Tor Browser's awesome state and traffic isolation. Read more...

This post first appeared on my old blog in January 2019. It is preserved, but maybe not updated, here. This post is about v3 onion services with 56 characters in their name. For the old post for creating private v2 onion services, see here. In that old post I talked about some of the great features of Tor onion services. The features still apply with the new onion services: they are still end-to-end encrypted, they still assure you that it is impossible for anyone to modify your traffic, etc. Read more...

This post first appeared on my old blog in December 2017. It is preserved, but maybe not updated, here. Unless you're an edge case (which you aren't). Why you would want HTTPS Let's talk about why you normally want HTTPS. Let me know if I missed something. End-to-end encryption You already get this with Tor. Everything between your local Tor client (using Tor Browser? It runs Tor in the background) and the Tor client providing the onion service is encrypted. Read more...

This post first appeared on my old blog in June 2017. It is preserved, but maybe not updated, here. I'm in the process of setting up a new server and I'm trying to be super ultra mega secure about it. It's running FreeBSD with some fancy security options enabled, blah blah blah, oh and I made SSH over Tor the only way to remotely access it for administration. It's a private onion service, which is super cool in itself, but since I don't mind leaking the location of this server, it is also a single-onion service. Read more...

This post first appeared on my old blog in May 2017. It is preserved, but maybe not updated, here. I made a thing. http://jptvwdeyknkv6oiwjtr2kxzehfnmcujl7rf7vytaikmwlvze773uiyyd.onion/ At various times, it used to be available at jld3zkuo4b5mbios.onion, vwx4mjvwoszgnagzcrwdjlsq3pq3zyob3zpq5qissxdoivnuyylzn7yd.onion, onions.system33.pw, and ypqmhx5z3q5o6beg.onion Most of what I wanted to say about it I've already said at those links above. It got picked up by Motherboard, and then a few other sites picked it up. Read more...

This post first appeared on my old blog in February 2017. It is preserved, but maybe not updated, here. January 2019 Update: This post applies to v2 onion services that are 16 characters long such as mattttttssi4lhud.onion. In January 2019, Tor 0.3.5.7 was released as the first stable release of the 0.3.5 series. Among other things, it is the first stable release of Tor that supports client authorization of v3 onion services (like zfob4nth675763zthpij33iq4pz5q4qthr3gydih4qbdiwtypr2e3bqd. Read more...

This post first appeared on my old blog in December 2016. It is preserved, but maybe not updated, here. This also applies to onion.cab onion.city, onion.direct, and any onion domain that does not end in exactly .onion. These are called Tor2Web proxies and they can be very dangerous if you don't know how they work. Update 4 (June 2019): Many Tor2Web proxies are doing the malicious things I talk about in this post (archive) I've seen Tor2Web proxies that seem to have manually added v3 onion support for themselves (since, as far as I know, Tor Project hasn't done it and won't do it). Read more...

This post first appeared on my old blog in November 2016. It is preserved, but maybe not updated, here. So many people share the advice to use a VPN in conjunction with Tor, usually by way of placing the VPN between the user and her guard node (connecting to Tor through a VPN). More rarely, the advice is given to place the VPN between her exit and her destination (connecting to a VPN through Tor). Read more...

This post first appeared on my old blog in September 2016. It is preserved, but maybe not updated, here. Furthermore, It's December 2020 and I stopped running a public Gogs onion service a long time ago. Maybe I'll do so again in the future, but for now, keep in mind that this post references an onion service that doesn't exist. So you want to be a super l33t h4xx0r who stores his code on an onion service, huh? Read more...

This post first appeared on my old blog in September 2016. It is preserved, but maybe not updated, here. Furthermore, this blog post is largely irrelevant bad practice since the implementation of Onion-Location and onion Alt-Svc headers. If interested about the latter, ask me to write a tutorial. If you host a web onion service that is also available on the clearnet, then your guests may appreciate it if they can type your clearnet address and automatically get redirected to your onion address. Read more...

This post first appeared on my old blog in September 2016. It is preserved, but maybe not updated, here. A common question people ask when they first start using the Tor Browser Bundle is "why does the browser recommend I don't change my window size?" Reasonable question. And if you disable JavaScript, you may think that's enough to make window size irrelevant. Not quite. Nov 2019 update: Tor Browser 9. Read more...

*This post first appeared on my old blog in August 2016. It is preserved, but maybe not updated, here. My latest about me page is here. I work for the Naval Research Lab. From 2016-2020 I worked among world experts on privacy and security performing research and development on Tor, and sometimes the Internet in general. You will find this reflected in my publications below. As of 2021 I still work for NRL but not to work with Tor. Read more...