/os/ - Online Security

News, techniques and methods for computer network security.

Posting mode: Reply

Check to confirm you're not a robot
Drawing x size canvas

Remember to follow the rules

Max file size: 350.00 MB

Max files: 5

Max message length: 4096

Manage Board | Moderate Thread

Return | Catalog | Bottom

Welcome to Online Security the place for internet and computer security, privacy and anonymity.
If you have some helpful tips please feel free to share your ideas. Start a new thread, or contribute to an existing thread.

Expand All Images

VPN/proxy/TOR general thread Anonymous 04/15/2016 (Fri) 22:12:39 [Preview] No. 2
Cool board idea.

What's the safest possible way to browse the internet anonymously and safely? There's a thread on /tech/ with the endwall developer talking about proxychains, and that seems pretty cool. Some of the links to proxy lists seem dead, and I have found some online but why should I trust these random 'free' proxies?

What about proxychains over VPN? I'm currently using Mullvad which is alright, and I'm curious about more security if need be. Does a VPN -> proxychain -> TOR connection work? Sounds horribly slow in theory, but I think we all know that privacy comes at a cost in our current world.

I suppose I could call this a 'VPN/proxy/TOR general thread.'

kripplekuk 04/16/2016 (Sat) 02:06:20 [Preview] No. 3 del
The thread on /tech/ is filled with info on tor, proxies, etc.

Has a good explanation on tor though vpn, vpn through tor, etc.

Imo TOR -> VPN OK.

Proxies are also not that good, especially the free ones. They could claim to keep no logs yet log everything. Watch out for "high anon" proxies. 90% of the time they're honeypots. But as long as you are using your VPN and websites that support HTTPS You should be okay with proxies. I personally avoid them.

Endwall 04/17/2016 (Sun) 22:01:01 [Preview] No. 6 del
> why should I trust free proxies

You probably shouldn't. It's just a technique to be used in certain situations.

I have experienced anecdotal evidence that tor doesn't provide anonymity when doing this.

$ torsocks youtube-dl link/list

while I have annectdotal evidence that

$ proxychains youtube-dl link/list

Goes un noticed when I chain 3 additional proxies from different countries.

I'm not going to explain what that evidence is.

My idea is to mess these surviellence analyzers up with randomness, and come from vectors that they aren't watching/expecting.

The list of exit nodes is published. I assume all traffic from entry and exit nodes is monitored. I also assume that deanonymization is happeinging by correlating bit rate on each end, and by correlating bit rate or some other information when you hit a prism service like youtube. Youtube has got to go.

I go Tor -> proxy1 ->proxy2-> proxy 3-> target.

The proxies die after about 2 days to a week so its more work to go and collect more fresh proxies and to test them. I've been lazy over the last 2 months and have just been using tor to target. I really need to refill my proxies.

Just my 2 cents, I'm no expert.

Endwall 04/17/2016 (Sun) 22:15:55 [Preview] No. 7 del

My Idea is : "Be Random, Blend In, Attack from Behind"

Tor gets you around the ISP and their surveillence and monitoring. Random user agent and user agent spoofing to the most common user agents blends you in. Randomize your download timing, so that it looks like a one off. Randomize your attack vector to come from behind or from the side where they aren't focusing.

Tor beats the ISP and local surveillance, proxies (hopefully) beat NSA and intertwined advanced surveillance.

Tor alone won't beat the NSA or millitary agencies with sufficient resources. I really don't care what Jacob Appelbaum says about this, or what that 1 slide from the Snowden leaks says about TOR being hard, that they keep bringing out to show people.

They have the best Computer Science PhD minds and $20 billion/year of resources to put devices anywhere and everywhere.

Its a hard problem, and a ridiculously strong advesary. I just want to watch the news on youtube unmolested...i'm not a criminal, but these people certainly are.

Anonymous 04/18/2016 (Mon) 06:10:16 [Preview] No. 9 del
Do you use per request randomization of user agents or a random change of user agents regardless of user agent requests? Which is "better"? Also, how the hell do you randomly download something?

Endwall 04/18/2016 (Mon) 07:01:24 [Preview] No. 11 del
as of right now I'm just using links /links2/xlinks behind tor with a fake user agent that I change every day or so. For youtube-dl I set the user agent in the config file and change it every day or so between a couple of different options.

I think that per request user-agent randomization would really mess the surveillance up.

I wrote this for youtube-dl for downloading links in a *.txt list.


you just gave me a great idea. Each request I can switch the user agent. That would be gnarly. Great idea I'll work on that on the 29th of April. Should be easy to write that up for youtube-dl.

This is going to be rad.

Anonymous 04/18/2016 (Mon) 08:15:52 [Preview] No. 12 del
How about you do that for curl and wget as well? (What now, are you going to make it work with proxychains as well to satisfy your thirst for plausible deniability?)

Endwall 04/18/2016 (Mon) 08:35:00 [Preview] No. 13 del

You're reading my mind.

Here is a simplistic version of it so far.


A more complete version would have other types of common browsers and versions and go through and select them using case or an if statement depending on the random number.

A more complex version can add a a list of proxies and randomly seletct one using the
--proxy option, or switch from torsocks to proxychains in the command.

I'm going to do this kind of thing for wget and curl as well!! Great idea.

I actually lol'd when this worked.

I'll work on adding complexity to this later. I have to study for final exams, no time for hobby time this week.

Anonymous 04/18/2016 (Mon) 08:47:06 [Preview] No. 14 del

>Random user agent and user agent spoofing to the most common user agents blends you in


>Randomize your attack vector to come from behind or from the side where they aren't focusing.
>intertwined advanced surveillance.

hey kid, go read some more, write less, this is cringeworthy

Anonymous 04/18/2016 (Mon) 09:20:28 [Preview] No. 15 del
Let the man dream, all you can do is post copypasta like >>>/tech/2563 >>>/tech/2564

Anonymous 04/18/2016 (Mon) 09:25:41 [Preview] No. 16 del
(76.26 KB 450x526 crhea160418.gif)
This part is very simple: if you want anonymity you use Tor Browser, and you don't fuck with its default behavior (IOW, you do not alter it's fingerprint, otherwise you are reducing your anonymity set or, worse, deanonymizing yourself). Period.

Any other choice (currently) implies you don't really care much for your anonymity; which is not necessarily wrong in itself. For example, it might just mean that your threat model simply isn't that stringent, or "scary", so you don't actually need anonymity. (Actually, there are other arguments for demanding anonymity even if you think you, personally, don't need it. They relate to making population-scale monitoring and control harder and helping those that actually do need it by enlarging their anonymity set. So if you want to be a good net citizen, be anonymous!)

If you are using any other browser (even if you tunnel it over Tor) then you *might* have location-anonymity (IP-anonymity), that is, of course, assuming you configured everything properly and don't have leaks. But you will still be (rather easily I bet) fingerprintable. Your IP might be hidden, and, if don't reveal yourself with poor opsec, your identity might not be immediately obvious, but it will be possible to correlate and link all your browsing sessions. This might, or might not, be enough to deanonymize you. (I hope you are able to see, then, the following corollary: using the same fingerprintable browser over Tor and on clearnet is the same as only using it over clearnet.)

In the landscape of fingerpintable facets the user-agent string is such a small detail that it doesn't even matter if you change it or not, and, in fact, changing it, either statically or randomly, may very well make you even more fingerprintable because this could be yet another aspect that distinguishes you from the rest of the herd. Think about it: of the set of internet users who share all my _other_ fingerprintable facets, what percentage will also share with me this newly changed facet? IOW, by changing this facet (say the user-agent string) am I increasing the number of users who share it me? Or am I decreasing it, making myself more unique?

And don't fool yourself thinking that a randomized facet is not fingerprintable: fingerprinting algorithms do not have to be stateless, they can remember and correlate apparently-discrete observation data-points. IOW, they can realize that you are wearing a scramble suit and simply put the "scramble suit" tag on you. OK, so now the question is, how many other users share the "scramble suit" facet with you while also sharing all your other facets? You see? This is the same question we were asking previously. Randomizing a facet does not defeat fingerprinting in any way, the very act of randomization becomes fingerprintable. (Also remember that your fingerprint is not the result of observing a single facet, but a combination of all observable facets.)

So, in the end, the only defence against fingerprinting is to try and become as indistinguishable as possible from the largest possible group of anonymous users. So far it seems the best opportunity lies with the group of well-behaved Tor Browser users. (Read "well-behaved" as "non-idiotic": some people will even try to put Adobe flash on it.)

Anonymous 04/18/2016 (Mon) 10:28:40 [Preview] No. 17 del
I think "Endwall" anon is attempting to be fingerprintable as a normie while using Tor and additional three proxies in a chain. It's against the traditional concept of anonymity. By being pseudonymous/more fingerprintable in certain aspects, he attempts to be considered by the internet as some random schmuck but in reality, how a website's page renders to the user's end can easily unveil the actual web browser's engine, which disabling features would only contribute to the profile that they receive from your web browser. The best way to have anonymity through trackable fingerprinting is to do what RMS does which is to ask for permission to use other people's computers to look at proprietary shit at their expense. Unfortunately, not everyone can travel the world like RMS. In some ways, he's living the dream in avoiding being tracked down, but since airplanes and the flight info shit is pretty much public domain, depending on what kind of content that RMS is viewing, even proxy viewing of said link is not enough because of metadata concerning what RMS does and looks up and where he is. Unless RMS can pull off shenanigans like using a private aircraft which Sir Richard Dearlove (DOK) the head of MI6 along with Sir Stephen James Lander (POW) the head of MI5 came into US airspace after the 9/11 attacks of what should had been a no fly zone but like, doing that for literally all your flights to be off the record and unstoppable, even RMS is trackable and the general whereabouts as to what computer he would be using based off of where he would stay from decrypting PGP encrypted emails of the plans, use GPS to reverse search for the IP addresses of that building that he might go to.

Anonymous 04/18/2016 (Mon) 23:52:08 [Preview] No. 19 del
The whole finding out one's IP address via GPS location is my theory of how advanced their tech is. I figured that if one can find out a GPS location via IP address, the reverse could be possible. However, with "cooperation" of ISPs, they could find out though, if that's what they do instead of doing what I've suggesting they could do, I'm slightly disappointed in them. They could, depending on what website link, web browser, and what computer that URL is about to be viewed, it could be "bugged" remotely via ISP IP range for a short period of time, recording via canvas and webrtc tech and others to see what they do with it or even prevent access to it while blocking all known VPN IPs and Tor nodes via ISP so to make sure that they can't circumvent the great firewall, and if they don't use dns servers, they could simply snoop the easy way out while temporarily enforcing use of the ISP's dns servers or else no connection to the ISP and no internet. Again, this is all what I feel is plausible speculation, but that method is more effective in having people around said being to not have access to the internet or certain parts of the internet without being backdoored or hit with malware than tracking them to gather intel concerning what that Target Individual is trying to get through other people's computers. Through Facebook and such, the Targeted Individual's contacts are already known to the 3rd hop even if they don't have Facebook or Netflix and such. Also, what that "TI" seeks after in certain aspects are easily identified by what they snooped concerning the TI before they had realized their predicament. If a bunch of TIs seeks to look into information of the same website or link, it's easier to ban the said content via the country's firewall.

Endwall 04/19/2016 (Tue) 05:09:49 [Preview] No. 20 del

endtube.sh version 0.04


I've added cases and other user-agents for chrome. I don't know if these are the most common or best options. Send me a link ot the best user agents and I'll swap them out.

Let me know if it works.

The next step is to incorporate a list of proxies to cycle through with each download. I'll do that later. Try it out and comment.

Endwall 04/19/2016 (Tue) 05:47:56 [Preview] No. 21 del

Anonymous 04/19/2016 (Tue) 10:38:00 [Preview] No. 22 del
The default downloads folder has a capital/uppercase D, so was that intentional to use a lowercase d so that it won't mess with the uppercase D Downloads folder?

https://amiunique.org/stats shows the common user agents in their interactive pie chart though you have to disable lots of shit to make it work, maybe someone with a less autistic setup can list the two most used user agents per web browser from it. I'm unfortunately can't be bothered doing it.

Endwall 04/19/2016 (Tue) 16:06:29 [Preview] No. 23 del
that was a typo/ nothing intentional.I've changed it to Downloads. Its just meant to get you to put the videos somewhere seperate. You can do it anywhere once you add ~/bin to the path.

Yeah I'm having problems getting the stats to show as well. I have a clean browser with Javascript enabled (Iceweasel) and it won't work on that either...I'll try it again later.

Thanks for the review/comments.

Endwall 04/19/2016 (Tue) 21:38:32 [Preview] No. 24 del
endtube.sh version 0.06


This now randomizes a plaintext list of proxies and uses one of them for the download front end over torsocks. Also if the proxy list is not present then it operates as previously with just torsocks.

I was trying to do something fancy with character arrays (arguments) and randomly selecting one of the arguments, but gave up and did something sloppy that works instead.

if you switch the torsocks to proxychains and add 2 proxies as front end this would be the original protocol that I described earlier.

Endwall 04/19/2016 (Tue) 21:55:52 [Preview] No. 25 del
endtube.sh version 0.07


fixed some typos. Should be good to go. I'll update this by git from now unless there are serious changes. Let me know if it works for you. Review and critique are welcomed.

Anonymous 04/23/2016 (Sat) 02:52:14 [Preview] No. 27 del
Common web browsers: chrome: 39, 47 firefox: 34, 38 IE: 11 (who the hell uses Tor with IE) Opera: 26, 12.17 iOS app (who uses Tor with the iOS web browser)
Common OS: win: 7, 8.1 mac: 10.10 linux: ubuntu (no stats concerning specific versions of linux nor ubuntu available in the shitty pie chart)

Anonymous 05/03/2016 (Tue) 11:47:35 [Preview] No. 35 del
If you use a VPN or a proxy, you have to fully trust them. Trusting third parties is bad opsec.

If you chain regular proxies together, the first proxy knows both who you are and where you're going. This is horrible.

If you use Tor, you're reasonably safe. The main weaknesses of the technology are correlation and fingerprinting.

Your Tor traffic has two weak points - the point of entry, and the point of exit. If you add any additional proxies, each represents an additional weak point.

Anything that deviates from the default Tor Browser behavior makes you stand out. You don't have to use Tor Browser, but you better make sure that whatever you use has the exact same fingerprint.

Endwall 07/07/2016 (Thu) 13:56:50 [Preview] No. 151 del
Hak5 2019
OpenVPN from scratch
Hack5 2017
How to build an OpenVPN access point pt 1
Hack5 2018
How to build an OpenVPN access point pt 2

Anonymous 07/09/2016 (Sat) 21:36:48 [Preview] No. 160 del
(39.25 KB 926x716 bestvpn.png)
choose one fagit

Anonymous 07/12/2016 (Tue) 10:20:25 [Preview] No. 167 del
OP here

Lessons learned:
1) proxychains are not very useful I don't see much point in using them, Tor and VPN is the way to go if you want to access the clearnet. I2P is cool too, but I'm waiting for integration of I2P router in Whonix Gateway to really give it a chance. The classic

"Hey Proxy1, can you please forward "forward to Proxy3; forward to Proxy4; forward to Proxy5; forward to https://encrypted.google.com 'c8e8df895c2cae-some-garbage-here-(encrypted)-166bad027fdf15335b'" to Proxy2? Thanks!"

really proves my point here. The only time this might be OK is if you're on a VPN through Tor session. At that point, your connection is secure from tampering and so far away from yourself, maybe you could use it to not get your VPN account b&? I'm not sure.

2) VPN through Tor is the best. It's the perfect for browsing clearnet sites, as it avoids the usual captcha or ban you get with Tor, it stops MITM attacks from the Exit Node, and it's not horribly slow. I was streaming youtube content without any stutters at 720p. That's good enough for me. Shoutouts to cryptostorm for letting Tor users not only connect up, but allowing anonymous payment with BTC and through Tor. I didn't like them for a while after one of the main guys got busted, but if I never have to show my true IP I feel safe anyway.

3) Qubes is good. Like, really good. TBH, I feel with Intel ME and SMM on modern CPUs, you're pretty much owned already. Hopefully Xen cleans up their act and secures their hypervisor more to stop these recent VM escape bugs. For serious, if you're using anything that can't libreboot, and you have 8GB+ of RAM, consider using Qubes. The only thing I'd consider more secure would be a classic parabola install on libreboot with the libre kernel and all that jazz. Qubes still has some distinct advantages over that though.

4) RUN A RELAY IF YOU HAVE THE BANDWIDTH. If you use the same internet everyday like me, and if you're pushing tons of traffic (primarily downloading) then it's easier for an APT to deanonymize you. Running a middle relay forces your internet to connect to Entry nodes and Exit nodes all day. You can't possibly know what's going through the relay, so it's like free masking Tor bandwidth. Early NSA papers on the studies of traffic correlation suggested that users who run relays are much harder to deal with.

All in all, I've learned a bunch over time. If anyone is curious about how to run VPN through Tor, I would be willing to write up a simple guide. I know of two ways that would definitely work, one in Qubes specifically and one at the router level, along with possibly another way running from one machine. I'm not too sure if it'd work, I don't have a machine without Qubes on it that'd make it easy to test.

Anonymous 07/12/2016 (Tue) 10:35:52 [Preview] No. 168 del
>VPN after TOR
Do you think this is a fucking game? Do you you think this is a fucking game m8? If you use a VPN then you can safely start TOR. That's what it is for. You connect to the vpn then bye-bye. I will seriously suggest you know this is not some little game ok. I am pretty angry right now anon this is textbook fed talk.

Anonymous 07/12/2016 (Tue) 21:13:14 [Preview] No. 175 del
Well, I could see that being a problem if you live in a country where using Tor is against the law/could possibly get the cops knocking on your door. In my home country though, it's nothing to worry about.

much like >>35 has said, you have to trust that your VPN doesn't care that you use a fuck ton of Tor. If you route your traffic through Tor first though, you only have to trust one of the relay's to have anonymity. It's been shown in NSA documents that even if they own the entry and exit nodes they have issues correlating users. ESPECIALLY WHEN YOU RUN YOUR OWN NODE.

While I was sleeping, my relay pushed over 6GB and I currently have over 1000 connections in and out with Entry and Exit nodes. Does that not seem anonymizing to you? Plus, if you want to make the Tor network stronger then you should run a relay anyway.

Anonymous 07/12/2016 (Tue) 21:23:51 [Preview] No. 176 del
I can see there being an exception with a VSP or DPS Run through tor. Though I really do not feel comfortable connecting unless I am using a privacy implement such as a VPN and or Virtual Machine Beforehand.

Anonymous 07/12/2016 (Tue) 21:24:59 [Preview] No. 177 del

Anonymous 07/13/2016 (Wed) 03:44:42 [Preview] No. 182 del
How To make a VPN Gateway in Qubes

Anonymous 07/13/2016 (Wed) 04:19:46 [Preview] No. 183 del

Yeah, you can also attach your VPN ProxyVM to your Whonix Gateway ProxyVM and create user -> Tor -> VPN connection. You need to use a VPN service that supports TCP and doesn't block Tor users.

Special note: If you're following the guide, and need a username/password, change the line in .ovpn file that says 'auth-user-pass' to 'auth-user-pass credentials.txt' and create a file with your username and password ie:



and then save it so when OpenVPN starts it will read the file for your credentials. Then you can chown and chmod to protect against possibly getting owned.

Email Endwall 07/27/2016 (Wed) 07:09:19 [Preview] No. 224 del

I'm setting up the tor hidden service email version of this. That plus tls 1.2 + gpg RSA:4096 should be interesting.

Endwall 07/29/2016 (Fri) 01:56:56 [Preview] No. 225 del
My email hidden service is up. Can someone send me some email so that I can test it out?


You will need starttls.

Endwall 07/29/2016 (Fri) 05:57:06 [Preview] No. 231 del
Hak 5 Episode 2022
Title:Fast, Free, and Easy VPN Build in Minutes

Anonymous 07/29/2016 (Fri) 10:07:40 [Preview] No. 233 del
Have you tried Confidentmail?

Also I still disagree with having tor (Anonimity) start before the vpn (privacy).

Endwall 07/30/2016 (Sat) 02:08:56 [Preview] No. 236 del
Can someone try this and tell me if you see it?

$ torsocks telnet tmg3kli67jlbcduh.onion 25

I can see it and send myself email using postfix.
My hidden service mail server won't be up all the time for now, but I'll put up a dedicated computer for it later.

Send mail through torsocks by modifying the master.cf.


Step 1.
In /usr/local/etc/tor/torrc
uncomment the lines

HiddenServiceDir /usr/local/var/lib/tor/
HiddenServicePort 25

Restart tor

Step 2.
Then go get the domain name in /usr/local/var/lib/tor/hostname and write it down.

Step 3.
Then change the postfix domain to the hidden service domain in /etc/postfix/main.cf, as well as changing your host name to include your new hidden service domain name.

Step 4.
Replace smtp with smtp_tor and make the file smtp_tor executable in the directory /usr/lib/postfix/

Create /usr/lib/postfix/smtp_tor with the following content:
torsocks /usr/lib/postfix/smtp $@

Step 5.
Then modify /etc/postfix/master.cf

smtp unix - - n - 1 smtp
relay unix - - n - - smtp

to be

smtp unix - - n - 1 smtp_tor
relay unix - - n - - smtp_tor

Step 6. Setup an account and login/password for your anonymous name, postmap it in /etc/postfix/virtual, then reload and restart postfix.

Then when you're able to, send me a test email using TLS.


I think this is how I'm going to email anonymously, if it works. Hidden service + TLS 1.2 + pgp RSA:4096, self hosted. Set it up and try it out.
Edited last time by Endwall on 07/30/2016 (Sat) 04:45:43.

Endwall 08/02/2016 (Tue) 03:15:11 [Preview] No. 240 del
I just setup 2 postfix hidden services and tried to send email using this method. It didn't work. I can telnet to each server and they seem to be up. However the command substitution smtp_tor is not working. Postfix gives the error:

warning: process /usr/lib/postfix/bin/smtp_tor pid 5513 exit status 1
warning: /usr/lib/postfix/bin/smtp_tor: bad command startup -- throttling

However it works when sending mail to yourself on the same server. I think it is having a name resolution problem. Any ideas on how to fix this?

Endwall 08/02/2016 (Tue) 08:08:11 [Preview] No. 243 del

$ torsocks pacman -S swaks perl-net-ssleay

$ nano notes.txt
$ torsocks swaks --server tmg3kli67jlbcduh.onion --to endwall@tmg3kli67jlbcduh.onion --from me@returnaddress.onion --helo "returnaddress.onion" --tls --body notes.txt

encrypt notes.txt with my public key for extra points.

Status: Just tested it, working.

Endwall 08/05/2016 (Fri) 07:30:04 [Preview] No. 254 del
Hak 5
Episode 2023
Fast, Easy and Free SSL Certificates with Let's Encrypt - Hak5 2023

Anonymous 08/06/2016 (Sat) 23:09:27 [Preview] No. 260 del
(665.90 KB 666x666 666.jpg)

TOR and VPNs will likely be illegal in the U.S. come 2017. FBI's reach extended globally


Anonymous 08/07/2016 (Sun) 14:59:35 [Preview] No. 264 del
(1012.81 KB 250x251 1456432007579-1.gif)
Why is nobody interested in this? Considering the shit hits the fan December 1st...

Endwall 08/15/2016 (Mon) 06:10:35 [Preview] No. 284 del
change this to

digest_algorithm_t alg = DIGEST_SHA1;

Leave this alone, it's required for the signature checking with each router (don't change it or it will break your connection)

If you know of any other good mods for tor post below. Thanks.
Edited last time by Endwall on 12/22/2016 (Thu) 05:13:26.

Endwall 08/20/2016 (Sat) 19:51:24 [Preview] No. 346 del
Regenerate intermediate term signing key in tor

$ tor --keygen

This will ask you to create a passphrase
make a strong one up before hand and store it somewhere (in your mind, in a notebook, in an encrypted file etc) use a random password generator for inspiration for pieces of the password:
$ passgen

Endwall 11/13/2016 (Sun) 02:22:34 [Preview] No. 671 del

tor 2.9.5 alpha Endwall 11/26/2016 (Sat) 06:09:14 [Preview] No. 689 del


Changes in version - 2016-11-08 Tor fixes numerous bugs discovered in the previous alpha version. We believe one or two probably remain, and we encourage everyone to test this release. o Major bugfixes (client performance): - Clients now respond to new application stream requests immediately when they arrive, rather than waiting up to one second before starting to handle them. Fixes part of bug 19969; bugfix on o Major bugfixes (client reliability): - When Tor leaves standby because of a new application request, open circuits as needed to serve that request. Previously, we would potentially wait a very long time. Fixes part of bug 19969; bugfix on o Major bugfixes (download scheduling): - When using an exponential backoff schedule, do not give up on downloading just because we have failed a bunch of times. Since each delay is longer than the last, retrying indefinitely won't hurt. Fixes bug 20536; bugfix on

tor mods Endwall 11/26/2016 (Sat) 06:24:17 [Preview] No. 690 del

else if (build_state && build_state->desired_path_len >= 4)
cutoff = fourhop_cuttoff

change 4 to PATH_LEN + 1
so for a 5 hop length route use 6 for a 6 hop length route use 7 etc.

Tor Browser Endwall 01/06/2018 (Sat) 02:31:17 [Preview] No.1097 del
Tor Browser

Step 0) Make some directories
$ mkdir -p ~/tor
$ mkdir -p ~/bin
$ cd ~/tor

Open a browser and go look here : https://dist.torproject.org which is where the files will be pulled from

Step 1) Get the relevent files
( using wget, endget or torsocks wget, I'll assume the user is just getting started and has a 64 bit distribution of linux )

Get the SHA256 sums
$ wget https://dist.torproject.org/torbrowser/7.0.11/sha256sums-signed-build.txt
$ wget https://dist.torproject.org/torbrowser/7.0.11/sha256sums-signed-build.txt.asc

Get the file and signature
$ wget https://dist.torproject.org/torbrowser/7.0.11/tor-browser-linux64-7.0.11_en-US.tar.xz
$ wget https://dist.torproject.org/torbrowser/7.0.11/tor-browser-linux64-7.0.11_en-US.tar.xz.asc

Step 2) Check the sha256sum and gpg signature

$ gpg --receive-key 0xD1483FA6C3C07136
$ gpg --verify sha256sums-signed-build.txt.asc

$ cat sha256sums-signed-build.txt
$ grep *linux64* sha256sums-signed-build.txt

$ grep tor-browser-linux64-7.0.11_en-US.tar.xz sha256sums-signed-build.txt >> tor_sha256sum.txt

$ sha256sum -c tor_sha256sum.txt
$ gpg --verify tor-browser-linux64-7.0.11_en-US.tar.xz.asc

## If these don't say GOOD SIGNATURE or the sha256sum outputs BAD CHECKSUM delete the file and try again.

Step 3) Unpack the zipped tar file

$ tar -xvf tor-browser-linux64-7.0.11_en-US.tar.xz
$ cd tor-browser_en-US
$ cd Browser
$ ls
$ pwd

Copy the present working directory into the clipboard or a text file
Now test to see if the binary works:
$ ./start-tor-browser

If so make a link

Step 4) Link and add to $PATH

$ cd ~/bin
$ ln -s ~/tor/tor-browser_en-US/Browser/start-tor-browser tor_browser
$ echo $PATH
$ export PATH=~/bin/:$PATH
$ echo $PATH
$ cd ~

Step 5) Start Tor Browser from command line
$ tor_browser

tor_browser Endwall 01/06/2018 (Sat) 04:55:57 [Preview] No.1098 del
(72.09 KB 1000x500 tor_browser_7hops.png)
Tor Browser 7 Hops

step 0) Modify the tor source and compile
Do the modification recommended here:


change this to


Also change this

else if (build_state && build_state -> desired_path_len >= 4)

to be:

else if (build_state && build_state -> desired_path_len >= 8 )

Now compile from source according to:

Step 1) copy the tor binary into place

$ cd ~/tor/tor_browser/Browser/TorBrowser/Tor/
$ mv tor tor_old
$ cp ~/tor/tor_stable/src/or/tor tor

Step 2) Start Tor Browser
$ cd ~
$ tor_browser

Anonymous 02/11/2018 (Sun) 21:51:01 [Preview] No.1112 del
A key server needs to be appended to gpg --recieve key, otherwise it defaults to internally configured keyservers, which might or might not be there. Also, keyservers interaction is done over http, which is a no no. As long as Tor is running, you can do
gpg --keyserver hkp://jirk5u4osbsr34t5.onion --recv-key 0xD1483FA6C3C07136
Or your onion keyserver of choice. Don't know what you're doing for the cat and grep combo, checking to see if it has any sums and then those for linux64? Grep is off, either way, should be "linux64" if you're using GNU Grep 3.1. Second/last grep is good, but not for the most recent 7.5 release.
grep "linux64-7.5_en-US.tar.xz" sha256sums-signed-build.txt >> tor_sha256sum.txt
And also switch for newest release:
gpg --verify tor-browser-linux64-7.5_en-US.tar.xz.asc
tar -xvf tor-browser-linux64-7.5_en-US.tar.xz
Otherwise, can confirm this process work. Only confused why you would install it under home and with user/wheel permissions? This is convoluted (key checking in general), might write up a script right now to do something quicker.

Anonymous 02/12/2018 (Mon) 18:43:08 [Preview] No.1115 del
And I did, here's the script for anyone that wants to do this quickly: https://gitgud.io/gaddox/Private-Tor-Browser-Installer/raw/master/downloadTorBrowser.sh

Endwall 02/13/2018 (Tue) 02:48:58 [Preview] No.1116 del

Nice. Your script looks well designed. I'll read it over in detail on Saturday. See we need more people like you over here to share good work and good ideas on these kind of problems.

The easier it is for more people to download, install, and use security, privacy and anonymity tools, the better off we will all be in the long run. Good work. Keep it up. A positive feedback loop has just been initiated. A Free Software Virtuous Cycle. Thanks for sharing Gaddox!

Anonymous 02/13/2018 (Tue) 03:31:06 [Preview] No.1117 del
Cheers, Endwall. Any updates in the interim will be published at that link. And hopefully with another living soul around, it'll attract others and we can turn this closed cycle into a growing fibonacci spiral.

Anonymous 02/14/2018 (Wed) 14:25:42 [Preview] No.1120 del
One thing people will notice but never say is that normies WANT TO USE VPNS THEY THINK THEY CAN USE ONE ON A PHONE.

Look at android and itunes top apps paid and free. Those lists are LITTERED with BULLSHIT VPN apps that DO NOTHING for privacy. Hypocrites. Anyone who says "lets microchip everyone I aint got nothing to hide" They do they are hiding behind that talking point instead of an actual opinion. Somehow the media has convinced the people to want to ban vpns while the top apps for mobile are vpn apps aside from games and shit like tinder.

These cucks want all they microchips laws to go through. They think hola free vpn .apk is going to hide them as they downvote something they are supposed to downvote. Look at chrome extentions firefox extensions. All browser fingerprint spoofing.Look at the most torrented proprietary software. All virus protection programs like mcaffe and norton antivirus.
they think that they are not supposed to use vpns or shit that actually works. A bunch of incognitos pretending they dont need privacy. They dont need privacy now that being a pathetic homosexual that does nothing but pout about liberal nonsense is the ideal citizen.

Anonymous 02/14/2018 (Wed) 15:20:36 [Preview] No.1122 del
Perhaps the most loud are the most unaware. I would bet my money the ones who care know anything about VPNs aren't dumb enough to yell and scream about muh terrorists or such. Or atleast there may be a little overlap.

Anonymous 02/14/2018 (Wed) 21:49:40 [Preview] No.1124 del
Yes I am a sec beginner so I am loud in my observation of this lol.Any politicizing of technology is dangerous. Also proprietary companies like google are a threat too.

Anonymous 02/15/2018 (Thu) 01:24:08 [Preview] No.1125 del
Ah mate, I'm on your side, there's been some miscommunication. What I meant was the age old "vocal minority" being the loudest, while the majority quietly enjoys their lot, with a slyly opportunistic smirk.

Top | Return | Catalog | Post a reply