
NSFWFORUM Toolkit- Miscellaneous Notes on Computers and Opsec (Chapter 3, Part 3)

TyperTech

Location > Location > Location- Continued

The Dangers Lurking Up Front Every Time You Log On

This is a continuation of Part 2, which is here⚠️.

Bringing on the Browsers

Even behind Tor or a VPN, one major hole can easily leak all the information an adversary dreams of: the browser. In its 30-year life, the web has grown from a physicist's documentation utility into what scientists are calling "a clusterfuck" of capabilities. Video conferencing? A full-on alternative to Word? Screenshots? Whatever you want, a browser's got. True happiness? Well, not that. Check out /d/SpiritualHealing!

It's not all fun though, as my tone should make clear⁴¹. Part of the expanding power of websites to emulate installed software is increased access to data about your browser, device, and activities, all of which websites can also use to build a profile on you, or fingerprint. That fingerprint is the holy grail for correlation that any adversary powerful enough could use to link even the most carefully distinguished identities. It's especially bad if what protection browsers do try to give is breached, a situation that becomes more likely the more code is added. In a way browsers are like houses. Bigger ones look cooler, but the extra space only ends up coated in dust and things you somehow ended up with despite not needing them. You could switch to a smaller house or choose a different browser, but it's a lot of work- and the lack of a fingerprint is itself a strong identifier in a world where the norm is the opposite!

To fight back, we must instead work from within. The Tor Project produces a browser that uses Tor and lots of anti-fingerprinting techniques by default. By limiting connections to embedded pages in websites and storage of "cookies" sent to it, for example, the browser helps thwart trackers like Google's DoubleClick in their quest to link connections made to different websites, while pretending to be Firefox on Windows keeps the browser working while reducing the chance of standing out in the crowd. Because of this, the Tor Browser is a good choice in most cases and the default on TAILS. Anyone not using Tor would instead do well to start with the popular open source browser Firefox and harden it in a similar way²⁸.

You'll want to go further though. To avoid breaking websites, a fresh install of Tor Browser leaves one powerful feature enabled: JavaScript. A programming language, JS allows websites to send browsers complete computer programs to run in what is meant to be a safe way. Like all other features, it's useful but presents a threat to compartmentalization, potentially de-anonymizing users⁴². It's important in high-stakes operations, then, to mitigate this risk as well. In Tor Browser, click the shield in the toolbar and change the settings on the page that pops up to Safest. In Firefox, install the NoScript extension for similar results.

Using a site-by-site approach, NoScript allows flexibly blocking JavaScript (and some other common but potentially problematic features) as the default without requiring you to give it up entirely. There's good reason, though, to think twice before trusting any site in the extension: not only is it worth considering whether you'll be able to live with yourself if giving in proves the break an adversary needs, but site failure isn't always as serious as it seems. Right-clicking on an item in a web page that doesn't seem to be working and choosing "Inspect Element" can often reveal the URL or text of a missing element (sometimes after opening a few drop-downs nearby in the inspector), while going to the "Style Editor" tab in the box that appears from doing so and clicking on the eyes can sometimes expose hidden items. If you decide not to give exceptions to pages under any circumstances, both suggested browsers provide the option for extra insurance against leaks: go to about:config, accept the warning, search "javascript", and double-click the "javascript.enabled" box that appears to turn it bold.

The software is now ready to rumble, opsec-style.
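To confirm that the about:config change described above actually stuck, the profile's preference file can be checked. The following is an added example, not part of the original post: a Node.js audit of prefs.js/user.js text. Only javascript.enabled comes from the post; the other two preference names are real Firefox settings chosen here as assumptions, and the sample file is constructed.

```javascript
// Added example: audit the text of a Firefox prefs.js / user.js file.
// Only javascript.enabled comes from the post; the other preference
// names are real Firefox prefs picked here as assumptions.
const EXPECTED = {
  "javascript.enabled": false,           // from the post
  "privacy.resistFingerprinting": true,  // assumption: anti-fingerprinting
  "dom.security.https_only_mode": true,  // assumption: refuse plain HTTP
};

// Parse lines of the form user_pref("name", value); into a Map.
// Commented-out lines (// user_pref(...)) are ignored.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const [, name, raw] of text.matchAll(re)) {
    let value;
    try { value = JSON.parse(raw); } catch { value = raw; }
    prefs.set(name, value); // a later line overrides an earlier one
  }
  return prefs;
}

// Return one finding per expected pref that is unset or has another value.
function auditPrefs(text, expected = EXPECTED) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(expected)) {
    if (!prefs.has(name)) {
      findings.push({ name, status: "unset (browser default applies)" });
    } else if (prefs.get(name) !== want) {
      findings.push({ name, status: `is ${prefs.get(name)}, expected ${want}` });
    }
  }
  return findings;
}

// Constructed sample, not taken from a real profile.
const SAMPLE_PREFS = `
// Mozilla User Preferences
user_pref("browser.startup.page", 0);
user_pref("javascript.enabled", false);
user_pref("dom.security.https_only_mode", false);
`;

for (const f of auditPrefs(SAMPLE_PREFS)) console.log(`${f.name}: ${f.status}`);
```

An "unset" finding only means the profile does not override the browser's built-in default, so look the value up in about:config before concluding it is weak.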

Mindset

Are you ready, though? Technology is a good tool, but if things go wrong only a bad workman blames his fools. Sorry, tools- damn keyboard! Take note of these tips:

Compartmentalize. Did you read Chapter 1? Go back and read it again. And again. And again. This is critical stuff, so don't forget it. Be a perfectionist when it comes to acting your identities, because your adversaries will pick your mistakes with much less effort than it takes you to avoid them- and they aren't short of effort if you're a high value target.
Check your links and bookmark them. There is a plentiful supply of phishers, who will offer links that mirror popular websites (especially on the dark web where URLs aren't as memorable) while catching passwords and other confidential information that passes through for their own purposes. Attacks can even come from within the Tor network: browsers default to using the non-private HTTP if you enter a URL like "google.com", which "final hops" (more commonly exit nodes) can exploit to read everything you send and receive from websites entered by hand⁴³. By making sure you have the correct, secure versions of links you use bookmarked and accessing them that way, you can avoid falling victim to these attacks.
Insist on encryption- if you are going to communicate privately with someone, send nothing in plaintext except for questions about where you can find their PGP key. Though sometimes inconvenient, many people have been caught because of one time they decided they couldn't be bothered with full opsec measures. Don't let any time be your "one time".
Be careful with downloaded files. I don't mean viruses in your porn- these days you're probably more likely to get one outside! As the Tor Project notes though³⁹, files opened outside of Tor Browser may open internet connections without anti-fingerprinting measures and make a correlation attack possible. Disable your internet connection or work out how to make sure opening the files will not launch a network connection before you open them.
Think before you upload anything. I know, I know- if you're young enough I sound exactly like your parents nagging again! When it comes to high-stakes opsec the importance increases exponentially. Adversaries will eagerly jump on any slip-up you make, and the masks you wear aren't a light weight at all. Live video and audio communication should never be used where text is an option, and even recorded media are best avoided. Images and text are safer, but it's important to think carefully and not act on time pressure or vanity. Review anything you intend to post with compartmentalization in mind. Is it consistent with your identity? What new information does it reveal? Is all of that information necessary and relevant? It's a strict process, but just like a piece of fiction, writing your identity well demands a good proofreader.
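The "check your links and bookmark them" tip can be turned into a mechanical check. This is an added example, not part of the original post: it compares a link against a hand-verified bookmark list and flags hand-typed addresses, scheme downgrades and near-miss hostnames. The bookmark list, the hostnames (reserved example domains) and the edit-distance threshold of 2 are all assumptions.

```javascript
// Added example: compare a link against hand-verified bookmarks.
// Constructed bookmark list; hosts use the reserved example domains.
const BOOKMARKS = [
  "https://forum.example.org/",
  "https://mail.example.com/login",
];

// Classic edit distance, used to spot near-miss hostnames.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j]; // d[i-1][j]
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1,
                        prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

function checkLink(link, bookmarks = BOOKMARKS) {
  let url;
  try {
    url = new URL(link);
  } catch {
    // Typed without a scheme: per the post, the browser may try plain HTTP.
    return { verdict: "no-scheme", detail: "open the bookmark instead of typing" };
  }
  const trusted = bookmarks.map((b) => new URL(b));
  const same = trusted.find((t) => t.hostname === url.hostname);
  if (same) {
    // The bookmark records the verified scheme; any other scheme is a downgrade.
    return url.protocol === same.protocol
      ? { verdict: "ok", detail: same.href }
      : { verdict: "scheme-mismatch", detail: `use ${same.href}` };
  }
  const near = trusted.find((t) => editDistance(t.hostname, url.hostname) <= 2);
  return near
    ? { verdict: "lookalike", detail: `resembles ${near.hostname}` }
    : { verdict: "unknown", detail: "not in bookmarks; verify before use" };
}

console.log(checkLink("https://forurn.example.org/")); // "rn" imitating "m"
```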
 