write.privacytools.io


from WorldWideWebWizard

Apple Is Not Your Friend

Recently, Apple has been putting out many commercials with the slogan “privacy, that's iPhone”. While Apple can say it is for privacy, you can't really trust that it is. You also can't rely on Apple caring about your freedom. I'm here to explain why.

First off, macOS and iOS are both proprietary, closed-source systems. Apple doesn't want you to view the source code of its software. This affects privacy, because if you can't view the source code, you can't determine whether what Apple is really doing behind the scenes is good or bad. Another reason is that you are already making connections to services such as iCloud, and since these services are proprietary, you can't trust Apple to handle your data.

Apple also doesn't respect your freedom; Apple does this by embracing DRM. DRM stands for Digital Rights Management, and DRM restricts your ability to use your product how you like, wherever and whenever. Apple forces people to use its store on iOS for security reasons. Except this isn't security, this is really control. Apple has put itself as the gatekeeper of your system; it wants you to use it how it wants you to use it. Apple also solders the RAM in the latest MacBooks, and this is not okay. The consumer has the right to make a decision regarding their product. It isn't Apple's choice how I upgrade my system.

If Apple wants to be respected, here is what they need to do.

  1. Let the user upgrade their hardware from other vendors without penalty

  2. Let the user review the source code

  3. Let the user install from other software sources on iOS

  4. Stop using DRM through iTunes

  5. Give better freedom towards experimenting with their system

Sources: https://gizmodo.com/apples-war-on-upgrades-continues-with-the-new-touch-bar-1789002979, https://www.defectivebydesign.org/apple

 
Read more...

from Jose A. León

This is a different article from the usual, but today I felt the need to talk about it.

People do not know the mentally ill.

They assume they know them, but when they talk to them and deal with them you notice it. And they notice it too, even if they hide it.

There is great ignorance regarding mental illness. In fact, it is quite possible that any of us will, sooner or later, have one of them during our lives, even if mild.

There are those who, when they meet a person very different from themselves, tend to laugh inwardly with superiority, or perhaps feel mockery, pity, disgust, rejection and many other things. With the mentally ill something similar happens, and I tell you seriously that this is pitiful and sad.

When dealing with a mentally ill person, people speak to them as if they didn't understand or were incapable of it. You know what I mean: that voice used when talking to a small child, as if giving them a reassuring pat on the chest, speaking softly and very slowly with very simple words as if they couldn't understand you...

Let's see. A mentally ill person can understand you like anyone else; they simply have a mental disorder, that's all. They are the same as you but with a mental problem.

There are mentally ill people who are very intelligent and wise; some studied for degrees or held high-level professions. Don't talk to them as if they couldn't understand you. They are neither small children nor stupid. Remember that they simply have an illness.

Even if they speak differently, even if they act differently, even if they say things you can't understand, even if they have serious problems and see or hear things that don't exist, this does not make them stupid. Treat them as you treat anyone else, that's all. They will thank you for it. They need to feel normal and to be treated like normal people.

It is true that they tend to have ups and downs in their illness and that sometimes there are cases that are difficult to deal with, but try to be patient and help them, and let a professional treat them as soon as possible, because they need to maintain a balance without drifting to extremes, and this is not always the case.

I am not talking here about aggression from psychotic cases or anything like that. I am talking about peaceful mentally ill people whose illness is noticeable.

Well, that's all, something simple but direct. I hope this article helps a little toward understanding the mentally ill and mental illnesses. If you come across one of them, think about what you have read here.

Because I do indeed speak from personal experience. I work with many of them every day.

 
Read more...

from Jose A. León

Always be suspicious when an internet service is free. In that case, as the saying goes, the product is you. That is, they will look to track you in order to sell your data, your browsing, or anything else they can.

https://invidio.us/watch?v=pxWcNhR_Jp8

It is true that there are some free products that are libre and reliable (few, for example those that fight for your privacy and live on donations), but I seriously recommend paying for services such as email. They will probably offer you not only email but also file storage with a capacity limit, calendar, notes... and above all: the ability to create your own email aliases.

The usefulness of an alias for your email is that you can create (and delete and swap for another alias whenever you wish) an email address with whatever name you want. You can use this alias to fill in services that you know will later send you advertising and possibly a lot of spam. Once that address has outlived its usefulness, and when you see you are starting to receive spam, it is time to delete that alias, and goodbye to the spam!

An alias is also useful for sending and receiving emails without giving out the main email address you log in with, to avoid possible hijacking of your account. If you need an email for a gaming website, you can create for example the alias juegos@xxxx.com (xxxx would be your paid email provider). The same for music or anything else, according to your preferences. In addition, they usually let you create rules to send the emails received at your alias to a special folder created for that alias, so everything will be tidier.

There are also some free services to avoid spam that let you create a temporary email that lasts a certain time and then disappears. They usually come with trackers, which I recommend avoiding for example with the uBlock Origin extension, but at least it is something very temporary. It will serve you for some web registrations, instant contests, etc. Do not use these services if you might receive important information in the long term. For the latter, it is better to get a paid email that lets you create a high or unlimited number of aliases, as I said above.

Here are links to some of these free services:

https://10minutemail.com/

https://temp-mail.org/

https://maildrop.cc/

https://www.throwawaymail.com/

https://emailtemporal.org/

https://www.mohmal.com/es

 
Read more...

from Jose A. León

If you don't like Tor Browser (on Android the app is called Tor Browser for Android) because it gives you many problems with different websites and you don't know how to change the options or extensions, or you aren't looking for that much privacy or complication, you can use any other browser based on Mozilla Firefox on Android (such as Firefox/Fennec itself and others) connecting through the Tor network. You just need to install Orbot and make a few small changes.

To do this, type about:config in the browser's address bar to change or fill in some options. Type the word proxy into its search box and many options will appear.

  • In the option network.proxy.socks, enter the address 127.0.0.1

  • In the option network.proxy.socks.port, enter the port 9050

  • In the option network.proxy.socks_remote_dns, set it to true

  • In the option network.proxy.socks_version, set it to 5

  • In the option network.proxy.type, set it to 1

From now on you will never be able to use your browser over a direct network connection; it will only work once you start Tor (with the Orbot app, waiting until it reaches 100%), and all your connections will go exclusively through the Tor network.

As I said at the beginning of this short article, the best option is to use Tor Browser for Android, since it comes prepared and ready to use while protecting your privacy.

It's not just a matter of getting on Tor and you're done. You should know that there are many other ways to track who you are, and you should take many extra measures if you want a minimum of privacy. But that depends on you and what you are looking for. At a minimum you will need some extensions and some changes in the browser. Reading the article before this one may also help you.
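The five settings above only pin the browser to Orbot if all of them are present and typed correctly; in particular, leaving network.proxy.socks_remote_dns at its default lets name lookups bypass Tor even though page traffic goes through the SOCKS proxy. The following is an added example, not part of this post: a small Python checker that reads prefs written in the user_pref() syntax Firefox uses in user.js/prefs.js and reports any of the five Tor-related prefs that are missing or wrong. The sample file, the function names parse_user_js and check_tor_proxy, and the EXPECTED table are constructed for this illustration.

```python
import re

# Constructed sample in the user_pref() syntax Firefox uses for user.js / prefs.js;
# these are the five settings listed above, as the Orbot-backed setup needs them.
SAMPLE_USER_JS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks.port", 9050);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
"""

# What each pref must be for all traffic, including DNS lookups, to go through Orbot.
EXPECTED = {
    "network.proxy.type": 1,                 # 1 = manual proxy configuration
    "network.proxy.socks": "127.0.0.1",      # Orbot listens on localhost
    "network.proxy.socks.port": 9050,        # Orbot's SOCKS port
    "network.proxy.socks_version": 5,        # SOCKS5 is needed for remote DNS
    "network.proxy.socks_remote_dns": True,  # resolve names inside Tor, not via the local resolver
}

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_user_js(text: str) -> dict:
    """Map pref name -> typed value (bool, int or str) for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def check_tor_proxy(prefs: dict) -> list:
    """Return a list of problems; an empty list means the browser is pinned to the local
    SOCKS5 proxy with remote DNS, so neither page traffic nor name lookups bypass Tor."""
    problems = []
    for name, want in EXPECTED.items():
        have = prefs.get(name)
        if have is None:
            problems.append(f"{name} is not set, so the Firefox default applies")
        elif type(have) is not type(want) or have != want:
            problems.append(f"{name} is {have!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for problem in check_tor_proxy(parse_user_js(SAMPLE_USER_JS)) or ["all five prefs OK"]:
        print(problem)
```

The type comparison is deliberate: a pref accidentally entered as the string "1" or "9050" in about:config is not the same as the integer Firefox expects, and the checker reports it rather than letting True == 1 mask the mismatch.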

 
Read more...

from Jose A. León

There are many privacy options for Firefox, and in another article I already told you about some options and the more general ones included on the privacytools website. In Spanish you have these options at this link:

https://victorhck.gitlab.io/privacytools-es/#about_config

But this time we are going to focus on increasing privacy, and also security, on Android much further, through a JavaScript file.

Mozilla Firefox comes with trackers and many options that compromise your privacy. In the F-Droid store you can find it as Fennec:

https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/

If your Android smartphone is rooted, you can follow the instructions given on this site to download and install the user.js file:

https://github.com/quindecim/fennec_user.js

It will also work for IceCat, but IceCat unfortunately is not updated often.

There are two ways to install it if your smartphone is rooted, as you will see in the instructions (which are in English).

If your smartphone is not rooted, you would have to do it manually by reading the contents of the script and, through about:config, searching for and changing each option. A tedious job that will probably take you more than an hour, but one that will be worth it once you have finished.

To do this you just have to open the user.js file and examine each option to check and change:

https://github.com/quindecim/fennec_user.js/blob/master/user.js

If you want to do it in Firefox on your PC (Windows, Linux or Mac), or in the Waterfox, Pale Moon or SeaMonkey browsers, it is better to use this other configuration file, mozilla.cfg (the instructions for your operating system are at the link):

https://github.com/quindecim/mozilla.cfg

 
Read more...

from hook

People sometimes claim that they have control over their content after they have published it. This is completely false and provides a false sense of privacy. The only way to ensure that something isn't redistributed is by not publishing it. With the recent rise in popularity of federated software, it's even more important to make sure that users understand that deleting content is only done as a best-effort attempt. Mastodon (and most other software in the fediverse) seems to give users the impression that they're able to delete their posts from the entire fediverse; what actually happens is that a request is sent to other instances in the fediverse asking them to delete it from their servers, and they're not forced to.

Something else people oftentimes claim is that you can keep content private by asking crawlers not to touch certain pages through the robots.txt standard. This is oftentimes portrayed as “banning” crawlers from your site, which couldn't be further from the truth. It's essentially politely requesting that the crawler not go to those pages.

What I hear when people say they want to be able to control their publicly published content is that they want what would essentially be DRM for social media, which would be ineffective, just like any form of DRM.

By posting something publicly, you need to acknowledge that there's a chance it may be crawled, archived, or indexed. Not acknowledging this will just lead to you being disappointed when you find out that you can't delete your content off of the internet completely. If you don't want your content to be redistributed, you should think twice about publishing it. Anyone claiming that there's a good way to control the distribution of content after it has been published is misinformed.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Previous revisions of this article are available here.

 
Read more...

from My thoughts on security.

When I explained the myths surrounding Tor in my last post, I realized that in addition to outright myths about the protocol, inaccurate suggestions about how to use Tor properly are everywhere. This often includes worrying advice on connecting to Tor via VPN services, proxies, or other anonymity systems. So in this part of the “Slicing onions” series, I will attempt to clarify why you should not combine Tor with such networks and techniques and highlight the negative consequences if you do.

How This Technology Works

To help illustrate why combining Tor with other services is sub-optimal, here’s a recap of how Tor, VPNs and proxies work. Those who read the first blog in the series or are familiar with the protocols may skip this.

Tor

Tor works by sending your traffic through a network of voluntarily run nodes (also called “servers” and “relays”) that bounce your traffic around three random nodes spread across the planet before reaching its final destination, a website for example. See below for a simple visualization:

To protect your traffic, Tor will encrypt your packets three times. Each node only has the key to remove its own layer. Once a node removes its encryption layer, it will be able to see which node the packets should go to next, and this continues until your traffic is decrypted at the last node, which forwards it to its final destination. The exact reverse process happens for return traffic, as shown in the graphic below:

So what do we learn from this? Well we learn that Tor allows us to connect to a website without any single party knowing the entire path. The first node knows who you are, but not where you are going; the second node doesn’t know who you are OR where you are going; and the last node knows where you are going, but not who you are. Because the last node makes the connection, the destination website will never know who you are (the IP address of the originating device).

Proxies

A proxy is a server that acts as an intermediary for requests from your device to other devices or services (websites etc.). An anonymous proxy will not forward your IP address to the destination site, so it can protect your privacy. It will always be possible for the proxy owner to know both where you connect from (your IP) and what you connect to (the destination website/server). Proxies do not necessarily protect your traffic with SSL/TLS encryption, so unless you connect to the destination via HTTPS they can see your content too.

This shows a simple proxy server without encryption:

VPN Services

Strictly, a VPN (Virtual Private Network) is the extension of a private network across a public one. The best example of this is connecting to a corporate network over the internet to access applications and files at your workplace. VPNs are encrypted to protect the content in the private network from being accessible outside of the VPN.

VPN services that we may use as consumers are a little different. These are really just groups of encrypted proxies that we can pick from instead of connecting directly to destination sites. This hides your IP from the destination site as described above, and the encryption hides your content and destination from your local network and ISP (anything between your device and your VPN provider’s server).

VPNs suffer from the same weakness as proxy servers, in that the VPN provider will always know your IP and destination and HTTPS is still required to hide your content from them.

Here is a VPN server in action, note the connection from you to the VPN server is encrypted, but not the connection from there to the destination:

The Issue With Centralized Trust

Now that we understand how these technologies work, I will explain why the last two are problematic in the context of anonymity. With VPNs and proxies, the entire path is known to the provider of the service. Therefore, your anonymity is only as strong as the provider's promise.

Imagine letting someone you don’t know put a gun against your head and being fine with it, because for $5 a month they will promise not to pull the trigger. That would be crazy now wouldn’t it? What if someone else offers them $500 to break their promise? $5000? $5000000?

With Tor, the entire path will never be known, and the user will be safe; trust is distributed across all the nodes you use. It’s like giving one person the gun, another the bullet, letting the third hold a rubber chicken to your head, and not paying any of them any money!

Another benefit of Tor is that with more than 6000 nodes spread across the globe, watching all traffic going in and all traffic going out is much harder and more expensive than watching the servers of a VPN provider (most have tens or low hundreds). If your threat model includes capable adversaries working to de-anonymize you, Tor will make that much less likely.

Why 3 is better than 1

Now that you understand the issue, you should start to see why a VPN is not an option for anonymity. It can make tracking harder, but you still have to trust one single party. With Tor, you don't need to trust any single party. So let's spell out the pros and cons:

  1. Tor

     Pros:

       • Hides your IP address.

       • Encrypts traffic, preventing local network or ISP snooping.

       • When using Tor Browser, intelligently separates streams to avoid traffic correlation.

       • Free to use, which is a double benefit as it leaves no financial trail.

       • Easy to use with a simple app on Android or any desktop OS.

       • Most censorship can be evaded using bridges.

       • Fast enough to watch 720p and sometimes 1080p video (nowadays!).

     Cons:

       • Speed is often slower than a single-hop VPN, as it depends upon all 3 nodes in your current circuit, and it is probably not going to play 4K video.

       • Some services block Tor nodes in a misguided attempt to deny access to bad actors; refreshing your circuit may find an unblocked node.

       • Exit nodes could snoop HTTP traffic.

       • Torrenting will be slow and is strongly discouraged, as it hurts Tor and breaks anonymity.

       • No UDP support (Signal requires this for VoIP calls).

  2. VPN services

     Pros:

       • Generally fast and low latency.

       • Most are easy to use, with apps for any OS.

       • Hides your IP address and encrypts traffic to the VPN server, preventing local network or ISP snooping.

       • Usually fast enough to watch high-resolution 4K video.

       • Torrents will work.

       • UDP is possible.

     Cons:

       • Absolute trust placed in a single point of failure. Your VPN provider can see who you are and where you are going, and, when not using HTTPS, the content of your traffic.

       • Leaves a money trail unless paid for with cash or cryptocurrency.

       • The provider sees your real IP address and could be pressured into cooperation by the local government to hand over data.

       • The VPN server can be hacked to retrieve all data.

       • Anonymity depends on the policies and the security of a single server.

Why 2 is not better than 1

The worst piece of advice I commonly see is to use both Tor and a VPN. Tor is not intended to be run with a VPN or in combination with other services. I absolutely do not recommend ever running Tor with a VPN. By doing so you essentially create either a permanent entry or exit node, which often also has a money trail. You also create more attack surface for near-zero theoretical benefit. The two commonly proposed configurations are:

Tor over VPN. Here a user will first connect to the VPN server, and then connect to Tor. The most common rationale behind this setup is to hide Tor usage from an ISP or circumvent censorship of the Tor network. This is unnecessary, as you can hide Tor usage and circumvent censorship by using bridges. You can either use the bridges that are included in Tor Browser for this, or request other bridges in any of the ways described here. A bonus of bridges is that they don't leave a money trail, which VPNs often do. The last blog explained that even if you were to end up on a watch list, it would be a uselessly large list, as Tor has more than 2 million daily users. It strikes me as very naive to imagine that someone powerful enough to trace you over the Tor network will be stopped by a $5 a month VPN service.

VPN over Tor. Here a user will first establish a connection to the Tor network before connecting to the VPN service. The purpose of this is to reach services that are blocking Tor nodes. This setup may succeed in making access to such services easier, but it is terrible for anonymity for two reasons: VPN providers often know you from the money trail; and Tor splits all data streams across different circuits to prevent correlation of traffic as a means to de-anonymize users, but all of your traffic will come from the VPN provider’s IP, making correlation a LOT easier.

Conclusion

As you can see, in the vast majority of cases where a VPN could be used, Tor would easily suffice. Not only is it free to use, it actually allows you to browse anonymously. This is impossible with a VPN service by design. A VPN is privacy by policy; Tor is privacy by design. This isn't to say VPNs are completely useless: they do protect your IP address from the websites you visit, protect you from local network adversaries, and also allow you to watch 4K footage.

Generally, you should be using Tor if anonymity and privacy are your goals, or indeed if you just want to help improve the availability of anonymity to others who need it and make mass surveillance harder. There is more to consider though: your IP address is just one of the many ways you can be tracked. Another threat comes in the form of browser fingerprinting, which is the topic of my next blog post: Slicing onions: part 3 – Don't leave your fingerprint!

If you have feedback on this article, or would like to debate the topic with me, then you can reach me in any of the ways listed on my About page.

 
Read more...

from Jonah

If you run servers for public services, like I do with privacytools.io, you definitely want to monitor them for any successful logins to user accounts (via SSH, et cetera). The way I plan to accomplish this is to set up an automatic notification to the Pushover app on my phone in the event of any login. I'm going to implement this as part of PAM authentication, and configure it to fail any logins if the notification script fails for whatever reason.

If you want to implement this on your own server, I'll assume you already have a Pushover account and device setup, and an API key.

Create login-notify.sh, where we will store the actual script. I put it in /etc/ssh/ for example but you could put it anywhere:

#!/bin/bash

# Change these variables
API_TOKEN=abcdefg1234hijklmno567890pqrstuv
API_USER=vutsrqp098765onmlkjih4321gfedcba

# pam_exec exports PAM_TYPE, PAM_USER and PAM_RHOST to the script. It is invoked
# both when the session opens and when it closes; skip the close_session call so
# only the login itself is reported, not the logout.
if [ "$PAM_TYPE" != "close_session" ]; then
  TITLE="SSH: ${PAM_USER}@$(hostname -f) (${PAM_RHOST})"
  TEXT="$(date)"

  # --fail makes curl exit non-zero on an HTTP error (e.g. a rejected token), so the
  # script's exit status, which pam_exec hands back to PAM, reflects delivery failure
  # instead of always reporting success.
  curl -s --fail --max-time 10 \
    -F "token=$API_TOKEN" \
    -F "user=$API_USER" \
    -F "title=$TITLE" \
    -F "message=$TEXT" \
    -F "priority=0" \
    https://api.pushover.net/1/messages.json >/dev/null 2>&1
fi

Just change API_TOKEN and API_USER to your own account's values. You can also change priority=0 to another value if you'd prefer more or less intrusive notifications.

Make your script executable:

chmod +x login-notify.sh

And add the following line to the end of /etc/pam.d/sshd:

session optional pam_exec.so seteuid /path/to/login-notify.sh

We made this optional mainly for testing purposes. You can leave it as it is, or change it to required once you've made sure it works, which prevents logins entirely unless the script succeeds, if that is what you want.

Try logging in to SSH and it should send you a notification!

In theory, this method can also be applied to essentially any /etc/pam.d/ module. For example, you could add that last line to /etc/pam.d/login for notifications on TTY logins.
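Because pam_exec runs any executable, the same notifier can be written in a form whose pieces can be exercised without a PAM stack: the close_session gate, the title format, and the fail-closed exit status that matters once the line is changed to required. The following is an added example, not the author's script. The function names should_notify, build_title and send_notification, the url and timeout parameters, and the placeholder token and user key are assumptions; replace the placeholders with your own Pushover values before pointing pam_exec at the file.

```python
#!/usr/bin/env python3
import os
import socket
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholders, as in the shell version: replace with your own Pushover values.
API_TOKEN = "YOUR_PUSHOVER_APP_TOKEN"
API_USER = "YOUR_PUSHOVER_USER_KEY"
PUSHOVER_URL = "https://api.pushover.net/1/messages.json"


def should_notify(pam_type: str) -> bool:
    """pam_exec runs a session script for both open_session and close_session;
    only the login itself (or an auth call) should produce a notification."""
    return pam_type != "close_session"


def build_title(user: str, host: str, rhost: str) -> str:
    """Same title format as the shell script above: 'SSH: user@host (rhost)'."""
    return f"SSH: {user}@{host} ({rhost or 'local'})"


def send_notification(token: str, user_key: str, title: str, message: str,
                      url: str = PUSHOVER_URL, timeout: float = 10.0) -> bool:
    """POST the message; return True only on an HTTP 2xx reply. Any transport or HTTP
    error (rejected token, no route, timeout) yields False instead of an exception,
    so the caller can turn it into an exit status."""
    data = urllib.parse.urlencode({
        "token": token, "user": user_key, "title": title,
        "message": message, "priority": "0",
    }).encode()
    try:
        request = urllib.request.Request(url, data=data)
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return 200 <= resp.getcode() < 300
    except (urllib.error.URLError, OSError):
        return False


def main() -> int:
    env = os.environ  # pam_exec exports PAM_TYPE, PAM_USER and PAM_RHOST to the child
    if not should_notify(env.get("PAM_TYPE", "")):
        return 0
    title = build_title(env.get("PAM_USER", "?"), socket.getfqdn(), env.get("PAM_RHOST", ""))
    delivered = send_notification(API_TOKEN, API_USER, title, time.ctime())
    # A non-zero exit status is reported to PAM as a failure: with "session required"
    # that denies the login (fail closed); with "optional" the login proceeds anyway.
    return 0 if delivered else 1


if __name__ == "__main__":
    sys.exit(main())
```

Note the trade-off the fail-closed setting implies: if Pushover or your outbound connectivity is down, nobody can log in until it is back, so keep a console or out-of-band path to the host before switching the pam.d line from optional to required.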

Thanks to this answer from Fritz on Ask Ubuntu and this post on Nology for guidance with the script.


#sysadmin

 
Read more...

from WorldWideWebWizard

Family Privacy: Part 2

In our last discussion, I discussed using Firefox to protect your privacy. Now I will be talking about GNU/Linux, and how you can get started.

What is GNU/Linux? GNU was started by Richard Stallman and is run by the Free Software Foundation. Linux is a kernel, created by Linus Torvalds. The Linux kernel filled in the gap that the Free Software Foundation had yet to fill. That is why any system using GNU software and the Linux kernel is called GNU/Linux. Many people just call it Linux, but this isn't technically correct, as Linux is just the kernel.

You may be asking: why should I use GNU/Linux over Windows? Here are my reasons why you should make the switch.

  1. Windows does not respect your freedom:

When you use Windows, you are using an operating system that is controlled by a software giant. Microsoft has many examples of not respecting the freedom of its users, like when Microsoft employed DRM in Windows Vista that controls what people can do with their media.

  2. Windows is closed source:

Windows is a proprietary operating system. Microsoft does not want you to know what Windows is doing behind the scenes. Because of that, you cannot trust what Windows is doing.

  3. Windows invades your privacy:

With the release of Windows 10, Microsoft has added many privacy-invading functions to the operating system. There is location tracking, native advertising, and more. With Windows 10, you have become a prime target for tracking.

Here is a list of the benefits of GNU/Linux.

  1. Your freedom is respected:

With GNU/Linux, it's your system. You can do whatever you wish with it.

  2. GNU/Linux respects your privacy:

You shouldn't have to worry about user tracking. With GNU/Linux you are free from tracking.

  3. Open source:

GNU/Linux is open source, so you can look and see what is happening with your operating system.

Now on to getting started. My recommended distribution is Linux Mint. Mint provides a familiar desktop for people who use Windows, and comes with multimedia support out of the box. Mint is based on the Ubuntu Long Term Support release, so you get a stable experience. To get started, download an ISO file from https://linuxmint.com. Next, write that image to a disc or USB drive; I recommend balenaEtcher for writing to a USB drive. Then boot into the live environment and select how you want to install Mint. If your family member won't be missing Windows, select erase disk and install Mint. If your family member still needs Windows for some applications, select install Mint alongside Windows. Follow the instructions in the install prompt, and after that you should be ready to go.

Note: For laptops, make sure you check “install third-party components”. The third-party components contain software and firmware, that allow your laptop to connect to Wi-Fi, and more.

Thanks for reading, I hope this was informative for you. Stick around for part 3!

Resources: https://fsf.org/, https://linuxmint.com/, https://www.fsf.org/windows/upgrade-from-windows#abuses, https://www.balena.io/etcher/, https://fossbytes.com/install-linux-mint-19-tara-guide/, https://www.fsf.org/about/what-is-free-software

 
Read more...

from My thoughts on security.

The Tor network is an anonymity system designed to protect the privacy and anonymity of its users. Unlike a VPN service, Tor is both free to use and decentralized. Sadly, there is plenty of misinformation around about Tor. This post aims to clearly explain Tor and to debunk various myths surrounding it.

How does Tor work?

The Path

Tor works by sending your traffic over a network of thousands of voluntarily run nodes (sometimes referred to as relays). Each node is a server that is run by volunteers to help you improve your privacy and anonymity. Every time you connect to Tor, it will choose three nodes to build a path to the internet; this is called a circuit. Each of these nodes has its own function:

  • The Entry Node: often called the guard node, this is the first node your computer connects to. The entry node sees your IP address, but does not see what you are connecting to. Unlike the other nodes, the Tor client will randomly select an entry node, and stick with it for 2 to 3 months. I’ll expand on the reasons for this in a future blog.

  • The Middle Node: the second node to which your Tor client connects. This node can see which node traffic came from (the entry node) and which it goes to next. It does not, however, see your IP address, or the domain you are connecting to. This node is randomly picked from all Tor nodes for each circuit.

  • The Exit Node: is where your traffic leaves the Tor network and is forwarded to the destination domain. The exit node does not know your IP (who you are), but it knows what you are connecting to. The exit node will, like the middle node, be chosen at random from the Tor nodes (if it runs with an exit flag).

A quick visualization:

The Encryption

Tor will encrypt each packet three times, with each key in turn from the exit, middle and entry node, in that order. Once Tor has built a circuit, browsing is done as follows:

1. When the packet arrives at the entry node the first layer of encryption is removed. In this encrypted packet it will find another encrypted packet with the middle node’s address. The entry node will then forward that to the middle node.

2. When the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and find an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.

3. When the exit node receives its packet, it will remove the last layer of encryption with its key, and find the destination address that the user wanted to connect to, and forward the packet to that address.

Here is an alternative visualization of the process. Note how each node removes its own layer of encryption, and when the destination website returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it DOES know which node the packet came from, so it adds its own layer of encryption and sends it back.

So what do we learn from this? Well we learn that Tor allows us to connect to a website without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are OR where you are going; and the exit node knows where you are going, but not who you are. Because the exit node makes the connection, the destination website will never know who you are (the IP address of the originating device).
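The three-step peeling above (and the shorter recap of it in part 2 of this series) is easiest to see in code: the client wraps the destination and payload in the exit key, that blob plus "next hop: exit" in the middle key, and that plus "next hop: middle" in the entry key, so each relay can strip exactly one layer and learns only the next hop. The following is an added example, not code from the original post or from the Tor project. A toy stream cipher (SHA-256 keystream XORed with the data) stands in for the per-hop AES keys Tor negotiates; the relay names, the KEYS table and the function names build_onion, peel, traverse, reply_path and client_unwrap are constructed for this illustration.

```python
import hashlib
import json
import os

# Constructed toy cipher: a SHA-256 keystream XORed with the data. It exists only to make
# the layering visible; real Tor uses AES-CTR with keys negotiated per hop.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


# Constructed circuit: the client holds one key per relay; each relay holds only its own.
KEYS = {"entry": b"entry-key", "middle": b"middle-key", "exit": b"exit-key"}


def build_onion(destination: str, payload: str) -> bytes:
    """Client side. Wrap with the exit key first, then middle, then entry, so the
    entry node's layer is outermost and the destination address is innermost."""
    cell = json.dumps({"next": destination, "data": payload}).encode()
    cell = encrypt(KEYS["exit"], cell)
    cell = encrypt(KEYS["middle"], json.dumps({"next": "exit", "data": cell.hex()}).encode())
    cell = encrypt(KEYS["entry"], json.dumps({"next": "middle", "data": cell.hex()}).encode())
    return cell


def peel(node: str, blob: bytes):
    """Relay side: strip one layer. The relay learns the next hop and an opaque blob."""
    cell = json.loads(decrypt(KEYS[node], blob))
    return cell["next"], cell["data"]


def can_read(node: str, blob: bytes) -> bool:
    """True only if this relay's key matches the outermost layer of the blob."""
    try:
        peel(node, blob)
        return True
    except (ValueError, TypeError, KeyError):  # wrong key -> garbage, not a JSON cell
        return False


def traverse(onion: bytes) -> dict:
    """Walk the circuit and record what each relay gets to see."""
    view = {}
    nxt, data = peel("entry", onion)
    view["entry_sees"] = nxt          # "middle": knows the client (by IP) but not the destination
    nxt, data = peel("middle", bytes.fromhex(data))
    view["middle_sees"] = nxt         # "exit": knows neither the client nor the destination
    nxt, data = peel("exit", bytes.fromhex(data))
    view["exit_sees"] = nxt           # the destination, plus the plaintext unless it is HTTPS
    view["destination_receives"] = data
    return view


def reply_path(response: bytes) -> bytes:
    """Return traffic: exit, middle and entry each add their own layer on the way back."""
    blob = response
    for node in ("exit", "middle", "entry"):
        blob = encrypt(KEYS[node], blob)
    return blob


def client_unwrap(blob: bytes) -> bytes:
    """The client holds all three keys and removes the layers in the reverse order."""
    for node in ("entry", "middle", "exit"):
        blob = decrypt(KEYS[node], blob)
    return blob


if __name__ == "__main__":
    onion = build_onion("example.org", "GET / HTTP/1.1")
    print(traverse(onion))
    print(client_unwrap(reply_path(b"HTTP/1.1 200 OK")))
```

Running traverse() shows the property the paragraph states: the entry relay's view contains only "middle", the middle relay's only "exit", and the exit relay is the first to see the destination and the payload, which is why HTTPS to the destination still matters. can_read() shows the converse: the middle or exit key cannot open the cell as it leaves the client, because their layers are underneath the entry layer.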

Myths and facts.

Although Tor is one of the best ways out there to protect your privacy and security these days, it sadly suffers from a bad reputation. This is the result of a number of myths which we’ll now attempt to debunk:

  1. But Tor was created by the US government, it must have a backdoor! Tor was not written by the government. Tor was written by Roger Dingledine, later joined by Nick Mathewson, with funding from the Naval Research Lab through Paul Syverson. The claim that it must therefore contain a backdoor does not hold up for the following reasons: First of all, the US government uses Tor to hide its own activities online; if it had a backdoor, it would not be safe for them to use. One could argue that they could make their own anonymity systems, but this wouldn't be effective. If the government built their own system and only let themselves use it, then ALL traffic is known to be automatically CIA/NSA/FBI traffic, making it pointless to use in the first place. One must not forget that you cannot be anonymous alone; you need similarly anonymous peers to form a crowd for you to blend into. The more people you throw into the mix, the harder any individual is to find.

  2. Tor will get me on a watch list! The claim that using Tor gets you on a watch list in a western society makes no sense at all. Not because it won't ever happen, but because it would be useless if they did it. Analysis shows that the Tor network gets as many as 2 million users a day. That's a huge list, big enough that targeted surveillance is no longer possible and governments would have to rely on mass surveillance. Hey, mass surveillance, wasn't that already happening somewhere? Oh yeah, it's called the internet! The only place where using Tor could be dangerous is in nations with an oppressive government, but in that case a VPN is just as likely to arouse suspicion and get you on "the list". Also, with Tor one can try to avoid detection by using bridge relays, which are entry nodes that are not publicly listed. Finally, it is worth considering what the use of Tor protects you from, and whether that is more important than what the theoretical list would expose you to. It's a little like thinking that using HTTPS will get you on a list, so you will no longer use HTTPS to protect yourself.

  3. But exit nodes can do spooky stuff with my traffic! This one is partially true: although your traffic is encrypted while entering and travelling through the Tor network, the connection between the exit node and the website is not. If I were to log in to a webpage over HTTP, an exit node could intercept my password. While this was a big issue in the past, the massive adoption of HTTPS, which went from 67% of all websites in 2017 to 77% in 2018, has made most manipulation by the exit node impossible: the exit node only sees an encrypted HTTPS packet that it has to forward, so even it does not know what the packet contains.

  4. But the government can set up a lot of nodes to de-anonymize people! While Tor is indeed not a silver bullet, setting up a lot of nodes is a very unlikely attack that can either be fairly trivially detected or becomes VERY expensive, depending on how it is done. First of all, to really DE-anonymize someone this way you need to control at least the entry node and the exit node of a Tor user. Remember when I explained above that entry nodes are chosen once and kept for two or three months? This is exactly why: if the government wants to become your entry node, it has an N% chance of being picked by you out of 6000+ nodes. If I am lucky and pick a non-government node, the government will have to keep all its nodes running (costing lots of money) for at least two months before it gets another chance of becoming my entry. Also, becoming a guard node takes at least 8 days, and up to 68 days before it is used at full speed. As you see, this is slow, expensive, and generally a very unattractive way of finding a Tor user. While yes, they COULD do it, it wouldn't make sense for them to do so, as there are a lot of attacks out there that are a lot cheaper to execute and try out. In the "Tor Stinks" slides that were leaked in the Snowden documents, it was stated that they could de-anonymize a very small fraction of people, but that this could not be used to target specific people on demand, which makes this expensive attack not worth it in a real-life scenario.

  5. But Tor is only used by criminals on this thing called the dark web, we should not support it! Firstly, while Tor can be used to reach websites anonymously on the "dark web", the VAST majority of Tor traffic is used to reach normal websites. While some people are convinced Tor is enabling pedophiles and should be taken down, this is not a solution and will not help anything. If you take away Tor, all that would happen is that criminals would use another (illegal) medium to conduct their business, while an activist in Iran may be tortured and killed without the protection of Tor. Tor may be a double-edged sword, but the side of benefits to society cuts a whole lot sharper than the criminal side.

  6. I heard attack XYZ can break Tor! As I said above, Tor is no silver bullet; there may be attacks out there that could be used to try and de-anonymize Tor users. But it is currently the best we have, and as Tor grows, with each user and each new node, attacks become harder and more expensive to execute. All we currently know is that in 2013, as shown by the Snowden leaks, the NSA was not able to reliably trace Tor users.

  7. But what about this drug market that got busted? It was hosted on Tor! It is true that certain individuals abuse Tor to hide illegal websites, and many have been caught doing it. However, in each and every public case of a takedown, Tor was not the cause. One has to understand that even if your connection is anonymous, other things might not be. Tor is not magic security dust; it will not make your server "unhackable". Software bugs are still a thing, government infiltration is still a thing, and simple user error is still a thing. These tactics are WAY cheaper, and often a lot easier, to execute than any attack directed at Tor itself.

  8. But Tor is funded by the US government! This one is partially true. While most current funding of the Tor Project comes from the US government, people first have to realize that, again, the government uses Tor itself, so it makes sense for it to fund Tor's development. Secondly, the US government is enormous, and it makes perfect sense that one part of the government is trying to improve Tor while another part wants to break it. Furthermore, it's worth mentioning that the Tor Project is actively trying to diversify its funding sources, with success: in 2015, 85% of Tor's funding came from the US government; that went down to 76% in 2016, and to 51% in 2017. Do you want to help diversify Tor's funding even further? You can do so by heading to their webpage and donating; you will be supporting their important work. It is also worth mentioning that all Tor code is completely FOSS, and that all discussions, meetings and research, everything the Tor Project does, is transparent and available online for anyone to crawl through and investigate; meaning that if the Tor Project were to do something sketchy, people could see it.

So you are saying Tor is unbreakable?

No, Tor is, like I mentioned above, not a silver bullet. While it is currently the best option we have, there are certain attacks that could be used against Tor (like traffic confirmation attacks) to try and de-anonymize its users. Against these, however, further technical measures can be taken to protect yourself. What Tor is, though, is a way to make mass surveillance so expensive and so hard that governments have to scale down and focus their resources on specific targets, essentially dumping mass surveillance. And that is the power of Tor.

Where to next?

Now that we have got most Tor myths out of the way, we can move on to the next post in the Slicing onions series, in which I will explain how Tor relates to VPNs, what their use cases are, and when you should use one over the other: [Slicing onions: part 2 – Don't mix onions with a VPN]()


from Jose A. León

Few people know what happens when they install an app from Google Play, and even fewer know what information the developer of that app receives.

You can read the Google Play privacy policy here:

https://policies.google.com/privacy

Developers receive summarized information from Google Play about the installs of each app, including the number of installs. That information consists of:

  • Android version (e.g. Android 9)
  • Device (e.g. Huawei P30)
  • Tablets (e.g. tablets of 10" and larger)
  • Country (e.g. Spain)
  • Language (e.g. Spanish [Spain])
  • App version (e.g. 5)
  • Carrier (e.g. Movistar – Spain)

They are also told about the ratings given to their app, with the same information as above, except for the carrier.

And of course they receive information about the reviews and opinions given on their apps. Besides the name of the reviewer, the score and the text of the review (which are in any case publicly available), they also receive this information:

  • Version code (e.g. 9)
  • Version name (e.g. 2.5)
  • Android version (e.g. Android 7)
  • Device (e.g. Galaxy S6 Edge+ [zenlte])
  • Manufacturer (e.g. Samsung)
  • Device type (e.g. Phone)
  • CPU make (e.g. Samsung)
  • CPU model (e.g. Exynos 7420)
  • Screen density (e.g. 560 dpi)
  • Screen size (e.g. 2560 x 1440)
  • RAM (e.g. 4096 MB)
  • Native platform (e.g. armeabi-v7a,armeabi,arm64v8a)
  • OpenGL ES version (e.g. 3.1)
  • Device language (e.g. Spanish)

Of course, almost nobody reads the privacy policy.

That is why it is always much better to use a freer app store such as F-Droid. Let's see what they do:

F-Droid respects your privacy. We don't track you, or your device. We don't track what you install. You don't need an account to use the client, and you send no additional identifying data when "talking" to our web server other than your version number. We don't even let you install other apps from the repository that can track you, unless you enable 'Tracking' in the AntiFeatures section of the preferences. Any personal data you decide to give us (for example, your email address when you register an account to post on the Forum) goes no further than us, and will not be used for anything other than letting you maintain your account.

https://f-droid.org/en/about/

from WorldWideWebWizard

Pointing Your Family In A Private Direction

Many of our family members use online services such as Facebook, Twitter, and Instagram. Today I'm going to give a brief rundown on taking your family in a better direction. I'm going to start with web browsing; in a second part, I will discuss private messengers. So let's get right down to it.

Web Browser: A web browser is an application that displays content on the World Wide Web. Many browsers have come and gone, but the popular ones active today are Firefox, Google Chrome, Internet Explorer, Opera, Safari, and Microsoft Edge.

Many people in your family may use Google Chrome as their primary browser. However, many people are unaware that Google Chrome employs tracking to learn more about you, such as your location, what you've recently visited, and your favorite things. Talk to your family about these concerns, and talk to them about trying out Firefox. Firefox is a web browser from Mozilla, an organization with many people who strive for an open and private web. Firefox supports a wide range of add-ons that can be used to help protect their privacy. Facebook Container can restrict Facebook from tracking you around the web. uBlock Origin can help block trackers and ads while you browse. Firefox also offers its own tracking protection in the browser. Firefox offers Sync, to allow your family member to use their profile across their devices.

There are many more add-ons out there; visit addons.mozilla.org to get started. You can also visit support.mozilla.org and walk your family member through the basics.

Stick around for part two!

from My thoughts on security.

Yesterday, a user on our forum opened a thread asking about the differences between secure messengers. Rather than listing a bunch of different messengers and their features, I thought I should start off by defining “secure”, and other key terms in the context of instant messaging. This is because a messenger that is “secure” for me, does not automatically mean it is “secure” for someone else.

First of all we need to deconstruct the meaning of security. Let's start with the acronym CIA: confidentiality, integrity, and availability. Confidentiality means that only the intended parties are able to read the message. Integrity means being sure that your message is not modified before it arrives; this is something most people take for granted. Lastly comes availability, which means ensuring that all parties have proper access to your messages. You can read more about this here if you are interested.

So we want a “secure” messenger, what should we look at?

The answer to that is four things: security, privacy, anonymity, and usability.

  • Security: Remember CIA. In summary security means that only the intended recipients got your message, that they have proper access to it, and that the message has not been modified by third parties.

  • Privacy: Privacy is protecting the content of communications from external parties, but not necessarily the identities of those communicating. An example is two colleagues at work going into another room to speak to each other: you know who is in there and that they are talking, but not what they say; the conversation is private.

  • Anonymity: Anonymity is protecting the identities of the communicating parties, but not necessarily the content. An example here is an anonymous whistle-blower leaking a document to the public; the contents of the leak are known and no longer private, but you don’t know who leaked it; they are anonymous.

  • Usability: Usability is about how easy it is to use something; it is often the most overlooked element of secure messaging. If an application is too difficult or frustrating to use, many people will simply settle for less secure, more usable alternatives. Poor usability is the reason why PGP encrypted email never took off for the masses: it is a pain in the ass to use. Roger Dingledine of the Tor Project wrote a nice paper on why usability is so important in secure systems.

Now we understand the most important facets of secure messaging, we have to talk about threat modeling.

Threat modelling is something you have to do before choosing your messenger, because there is no one ultimate messenger that works universally for everyone. Few people seem to understand their threat model well. To start threat modelling, there are a few questions you can ask yourself:

  • What am I protecting? Are you protecting your message content? Your identity? The metadata? Your location? Perhaps a combination or all of these?

  • Who am I protecting against? Are you protecting against advertising companies? Governments? Hackers? An abusive spouse? Each of these has its own weaknesses and strengths; a government has more funding, but a hacker can break the law. These are often referred to as adversaries.

  • What is the impact if the thing I am protecting is available to my adversary? The messengers that best protect your message content and metadata are often the least convenient to use, so consider how much usability you are willing to give up to protect it. Is this about you hiding your secret passion for flashlights, or is it a life or death situation?

Okay, I have thought about my threat model; what's next?

Once you have threat modeled, and know what you are protecting from whom, we can start looking at some of the messengers out there. Let’s consider two examples:

Signal: Signal is an open source, end-to-end encrypted, private messenger. It is very easy to use and does not require users to know anything about cryptography or security in general. It provides privacy by end-to-end encrypting messages and calls, and because it is so darn easy to use, it will make the task of moving your contacts over to a new messenger a bit easier. However, since Signal requires a phone number to register it is not, and has never claimed to be, anonymous.

Briar: Briar is an end-to-end encrypted messenger which uses the Tor network to stay anonymous. Because Briar works as a peer-to-peer messenger (meaning there are no servers forwarding messages between users) inside Tor, your metadata and message content are protected. The downside of Briar's peer-to-peer nature is that both parties must be online at the same time to send messages, which harms usability.

Now, picture that you or a contact believe you may be targeted by government agencies; Briar would be the better choice to keep your identities safe. This is because, while Briar is not the most convenient service, it will not expose metadata that could reveal who you interacted with, when, or even whether you interacted with another user at all.

Or imagine you are an average citizen conversing with friends or family about non-sensitive topics; Signal would probably be more appropriate. Conversations in Signal are end-to-end encrypted and private, but due to the use of phone numbers it is possible to identify users' contacts and other metadata. The key benefit of Signal is that it is extremely easy to use, essentially the same experience as WhatsApp, so less privacy/security conscious users are more likely to stick with it.

Okay, so we have a threat model and know the difference between security, privacy, anonymity, and usability. Now how do I know which messenger provides what?

Good question! There are a few things one can look out for when choosing a messenger:

  • End-to-end Encryption: this means that only you and the person you send your message to can read the message content.

  • Open Source: This means that the source code of the application is available to read, allowing those with the time and knowledge to verify it is as secure as advertised. (Bonus points if reproducible builds are available. This means you can copy the source code, follow the build instructions and end up with an exact copy of the application distributed by the developers. This allows us to ensure that the app in use is actually the same as the source code.)

  • P2P: P2P (also known as peer-to-peer) means that your messages go directly to your contact's device, and that there is no third party involved. Warning: while this means that no central entity is collecting your metadata and messages on its server, without IP protection anyone watching your connection will be able to see who you message and for how long, potentially breaching your anonymity. As mentioned above, Briar achieves this protection by using the Tor network.

  • Metadata: Metadata is all the information about a message except for the content of the message. Some examples of metadata are: sender, recipient, time sent, and sender location. You could describe metadata as “activity records”. Depending on your threat model, it may be important to ensure certain metadata is not available to your adversary.

  • Registration Information: What information does the service require before you can use it? Where a phone number is required, as with Signal, achieving anonymity will be hard because phone numbers are usually tied to your real identity; so if anonymity is part of your threat model, look for a messenger with minimal requirements to register.

Remember, sometimes it is better to settle for a less than perfect solution if it offers superior usability that will help keep your contacts away from less secure alternatives. For example, getting your family to join Signal, or even WhatsApp, is a huge improvement over SMS, because SMS is sent in plain text. Sure, it's not anonymous. Sure, you will leak metadata, but it's already a big step up in security, and you're better off with that than trying to get them to use your ultimate secure anonymous private messenger that is a pain in the ass to use, and watching them run back to using SMS instead. As Voltaire put it: Perfect is the enemy of good.

Well, this post turned out longer than I thought it would! Anyway, I hope you now have a clearer picture of how secure messaging works, what the differences are, and how you can pick a secure messenger according to your needs. Oh, and if you want to join the discussion on this topic and future topics, you can find me at our Mastodon instance or at our new forum.

That’s it for today folks, see you later!


from Jonah

Some people called for me to write a more technically detailed/in-depth guide to setting up Tor with alt-svc after we set it up on privacytools.io, so while I do it all over again on our Mastodon server, I figured I'd write this post! Plus, it'll make it easier for me if I need to do this again in the future :)

When Cloudflare introduced their Onion Service last year, it marked an important milestone in Tor adoption and connectivity. Not only did they add Tor support to nearly all their websites, which will certainly help with reducing the number of captchas seen by Tor users across the internet, it introduced a new and very interesting way to handle Tor traffic.

What we're doing here is reimplementing Cloudflare's setup on our own machines. The privacytools.io websites and services are now Tor-enabled completely transparently to all users using the Tor browser, because of an HTTP header called alt-svc.

What is alt-svc?

alt-svc is an HTTP header that allows your server to inform a web browser about alternative ways to reach your website. It was initially developed to advertise SPDY, and later QUIC, support to browsers that understand it, but now we can use it to tell browsers (the Tor Browser specifically) that our site is available at a .onion domain rather than at a clearnet IP address.

What this means is when you connect to privacytools.io in your Tor browser, instead of your computer running a DNS lookup and making TCP requests to 145.239.169.56:443, it will see that a .onion connection is available and make TCP requests to privacy2zbidut4m4jyj3ksdqidzkw3uoip2vhvhbvwxbqux5xy5obyd.onion:443 instead, completely transparently and keeping the hostname identical!

This is highly beneficial for server administrators for the following reasons:

  1. The domain name stays the same. Instead of adding a .onion domain to Nginx, we're sending all requests using the same hostname. If you're familiar with the OSI 7 layer model, we're replacing the Transport (layer 4) TCP layer with a .onion connection while not touching anything on the Application layer (layer 7).
  2. It requires no special webserver configuration. Because the hostname stays the same, requests will reach your webserver with the same Host header. To Nginx and your web application, it should appear the same as a normal connection.

Because of this, using alt-svc is a drop-in replacement for TCP connections and should be able to be implemented on any web application stack without making any modifications to your code. All you need is Tor installed, and a single header added to Nginx.

Using alt-svc headers is not necessarily a replacement for .onion domains. It's an opportunistic use of the Tor network, not enforced. Some downsides to keep in mind:

  1. Initial connections will go through an exit node! The Tor Browser won't know about your .onion address until it has connected to the site for the first time.
  2. It isn't quite 100% supported. It is supported in Tor Browser 8.0 and Tor Browser for Android, but not necessarily anything else. It's an HTTP header, so it won't work for other protocols.
  3. There's (currently) no visual indicator that a connection is secure. This is an open issue (#27590), so I hope it will be fixed soon, but currently it just looks as if you're connecting via an exit node.

The first point is probably going to be the most concerning for most service operators. We decided that for our purposes this didn't matter that much: we currently host all our services on the clearnet anyway, we enforce HTTPS for end-to-end encryption, and we don't need to hide ourselves. Using alt-svc is just added security for Tor users, and because it functions essentially transparently, people don't need to change their current behaviour when visiting our websites. We're also willing to wait for visual indicators to be implemented in the browser.

If you need all your users to connect via the Tor network, or if visual security is important to your services/industry/etc, you do need to host your services on an .onion domain directly, no way around it for the moment (until perhaps alt-svc is implemented in DNS and there's a way to enforce its use).

Setting up a Hidden Service

First things first, we need to actually install Tor. I'll be installing Tor on Ubuntu 18.04 in the following steps, but you should consult the latest Tor instructions to make sure you're doing things however they currently want you to, or to find guides for your own platform.

If you don't have it installed already, install apt-transport-https:

apt update
apt install apt-transport-https

This will allow your package manager to access all metadata and packages over HTTPS when using apt.

Now we'll need to add the official Tor Project package sources. Open /etc/apt/sources.list with your favorite editor and add the following lines to the end:

deb https://deb.torproject.org/torproject.org bionic main
deb-src https://deb.torproject.org/torproject.org bionic main

Then, add their signing key:

curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Now, update your packages:

apt update

Finally, we'll install tor. We'll also install deb.torproject.org-keyring, which keeps the signing key up to date, as the Tor Project recommends:

apt install tor deb.torproject.org-keyring

Hidden Service Configuration

Now we can set up our .onion domain. Open /etc/tor/torrc and add the following setting:

SocksPort 0

Then find the section headed # This section is just for location-hidden services and add the following configuration:

HiddenServiceDir /var/lib/tor/service1/
HiddenServiceVersion 3
HiddenServicePort 443 127.0.0.1:443
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SafeLogging 1

SocksPort 0 disables the socks proxy, which we don't need since we're only functioning as a service.

HiddenServiceDir /var/lib/tor/service1/ is the directory that will store our private keys, and should not be publicly accessible. It is not your web root.

HiddenServiceVersion 3 enables the new v3 onion addresses, which are more secure than v2 addresses and have longer hostnames.

HiddenServicePort 443 127.0.0.1:443 redirects traffic to youronion[...]domain.onion:443 to 127.0.0.1:443, which should be your webserver. You can point this IP to another server on your LAN as necessary, or add similar lines for other ports you want to host.

HiddenServiceSingleHopMode 1 is used to optimize latency a bit. It removes two hops from the Tor circuit by moving your server closer to the "rendezvous point".

HiddenServiceNonAnonymousMode 1 is enabled because of the last setting. Removing the two hops in the circuit decreases the anonymity of your server significantly, but has no effect on the security or anonymity of your users!

The last two options are enabled because we're assuming you're not really running an anonymous service, rather just want to add additional security to an existing clearnet service. In that situation, trading the anonymity of your server for increased performance makes sense, but you can omit those two lines if that's a concern for you.

SafeLogging 1 further prevents potentially sensitive information from being leaked to logs.

Now we can save the torrc file and restart Tor:

systemctl restart tor

Sidenote: if you're running Tor in an LXC container, sometimes it doesn't start correctly, but there's a workaround. For most people this won't matter, but I use LXC containers heavily so this would've saved me a good hour of research.

Adding Headers

You can find your hostname in the hostname file inside your HiddenServiceDir, which is /var/lib/tor/service1/hostname with the configuration above (on our Mastodon server the directory is named mastodon instead):

root@social:~# cat /var/lib/tor/mastodon/hostname 
2tjcxjzxgql6wilo3bu777pkvigx2wqwauxf7lyvvmsotjgrqiwwg7id.onion

And that address should be accepting traffic on port 443. The important thing to remember is, your users will never need to use or know this address! This entire process is transparent to your users.

To advertise this address to Tor Browser users, we just need to add an alt-svc header formatted like this:

alt-svc: h2="2tjcxjzxgql6wilo3bu777pkvigx2wqwauxf7lyvvmsotjgrqiwwg7id.onion:443"; ma=86400; persist=1

Of course, replace 2tjcxjzxgql6wilo3bu777pkvigx2wqwauxf7lyvvmsotjgrqiwwg7id.onion with your own hostname.

The field "ma" (max-age) indicates how long, in seconds, the client should remember the existence of the alternative service, and "persist=1" indicates that the cached alternative service should not be cleared when the client's network changes.

To add this header in Nginx, add the following to your server { ... } block:

add_header Alt-Svc 'h2="2tjcxjzxgql6wilo3bu777pkvigx2wqwauxf7lyvvmsotjgrqiwwg7id.onion:443"; ma=86400; persist=1';

For other webservers, consult their instructions for adding HTTP headers.

Confirm your Nginx configuration is correct:

nginx -t

...and reload your webserver!

systemctl reload nginx

Now if you view the headers of your site (using Inspect Element or a service like securityheaders.com), you should see your alt-svc service listed, and you're good to go!
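As an added example (not code from the original post, from Tor or from Nginx), here is a small Python helper that does the checks you would want before and after adding the header: it validates that the hostname file really contains a well-formed v3 onion address (56 base32 characters, version byte 3 and the SHA3-256 checksum specified in Tor's rend-spec-v3), builds the Alt-Svc value in the format shown above, and parses an Alt-Svc header back into its fields so you can check what a client would see. The public key and hostname used in the demo are constructed; the one real address reused is the Mastodon hostname printed above.

```python
"""Validate a v3 .onion hostname and build/parse the Alt-Svc header that
advertises it. Added example, not from the original post or from Tor/Nginx."""
import base64
import hashlib
import re

ONION_V3_VERSION = b"\x03"          # version byte appended to every v3 address
ALT_SVC_DEFAULT_MAX_AGE = 86400     # RFC 7838 default for "ma", in seconds


def encode_onion_v3(pubkey: bytes) -> str:
    """Derive the hostname Tor writes to HiddenServiceDir/hostname from a
    32-byte ed25519 public key, following rend-spec-v3:
    base32(PUBKEY || CHECKSUM || VERSION) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + ONION_V3_VERSION).decode().lower() + ".onion"


def validate_onion_v3(hostname: str) -> bool:
    """True only if hostname is 56 base32 chars + '.onion', carries version
    byte 3, and its 2-byte checksum matches the embedded public key."""
    if not re.fullmatch(r"[a-z2-7]{56}\.onion", hostname):
        return False
    raw = base64.b32decode(hostname[:56].upper())   # 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def build_alt_svc(onion_hostname: str, port: int = 443,
                  max_age: int = ALT_SVC_DEFAULT_MAX_AGE, persist: bool = True) -> str:
    """Produce the header value used in the post, refusing malformed hostnames
    so a typo in the hostname cannot advertise a bogus address."""
    if not validate_onion_v3(onion_hostname):
        raise ValueError(f"not a valid v3 onion address: {onion_hostname!r}")
    value = f'h2="{onion_hostname}:{port}"; ma={max_age}'
    if persist:
        value += "; persist=1"
    return value


def parse_alt_svc(header: str) -> list:
    """Parse an Alt-Svc header value (RFC 7838) into a list of alternatives.
    'clear' means the client must forget all cached alternatives."""
    header = header.strip()
    if header == "clear":
        return []
    services = []
    for entry in header.split(","):
        parts = [p.strip() for p in entry.split(";") if p.strip()]
        protocol, _, authority = parts[0].partition("=")
        host, _, port = authority.strip('"').rpartition(":")
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        services.append({
            "protocol": protocol,
            "host": host,                       # empty string means "same host"
            "port": int(port),
            "ma": int(params.get("ma", ALT_SVC_DEFAULT_MAX_AGE)),
            "persist": params.get("persist") == "1",
        })
    return services


# The real address printed earlier in the post, reused here to show parsing.
POST_EXAMPLE_HOST = "2tjcxjzxgql6wilo3bu777pkvigx2wqwauxf7lyvvmsotjgrqiwwg7id.onion"

if __name__ == "__main__":
    demo_host = encode_onion_v3(bytes(range(32)))   # constructed key, not a real service
    print(build_alt_svc(demo_host))
    print(parse_alt_svc(f'h2="{POST_EXAMPLE_HOST}:443"; ma=86400; persist=1'))
    print("post address valid:", validate_onion_v3(POST_EXAMPLE_HOST))
```

The checksum check is the useful part: a hostname that is the right length but has a single character corrupted (for example from copying it out of a terminal by hand) is rejected before it ever lands in the Nginx config, and parsing the header you serve back out of the response lets you confirm the host, port and max-age are what you intended.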

Conclusion

Unfortunately there's no easy way to definitively tell if it's working at the time of writing. alt-svc support is very new to the Tor network, but it's making great progress.

This isn't a suitable replacement for actual hidden services, but if you operate a clearnet website, this is a great way to help speed up your site for Tor users and reduce load on the exit nodes in the network.

Almost every privacytools.io service is using this method already, I hope this inspires you to convert your own clearnet websites to Tor compatible ones!

Discuss this post on Privacy Forum!

#tor #sysadmin

from jobsuchend.

I'm looking for a job, and actually everything looks good. Rather late, I have finally finished university and am looking for a programming job without any professional experience.

I'm on the verge of a new chapter of my life and don't know what happens next.

  • Where will I live?
  • Which friends will I lose touch with as a result, and which new ones will I get to know?
  • What will I earn my money with?

I'm in an incredibly comfortable position. Right now I have nothing but free time and enough money to keep looking for jobs for a while. The job market is packed with listings, so I can choose where I want to go, but my standards are still quite high.

Somehow the huge selection paralyses me, and of course so does knowing that I will soon have to work 8 hours a day, 5 days a week.

Some key points of my search:

  • For family reasons I'd rather go towards northern Germany.
  • I like companies that have a product that doesn't still have to prove itself.
  • I don't want the cool job at a company that exploits people.
  • I have to stand behind the company's idea.

I would rather search endlessly for jobs than apply. My spreadsheet now lists more than 50 jobs, 23 of which have made the shortlist. For days I have been naming roughly three of them to people with the words: I'll apply to that company tomorrow. So far I have applied to only 3 companies. Mostly not even the ones I was the best fit for. So it's not surprising that I got rejections very quickly.

So far I'm searching mainly on StackOverflow, and recently a list of no-whiteboard job interviews went around on Hacker News.

Next topics

  • Templates for CV and cover letter
  • My opinion on company perks (benefits) and company videos
  • Where to: different salaries, rents, proximity to friends + family

from jobsuchend.

I'm job hunting and somehow I can't get going. I hope that writing about it (and publishing it, too) motivates me to change something about that.