Should You Use a VPN with Tor? (Well, No.)


This seems to be a very frequently asked question, and on many sites, people will tell you that you should use a VPN with Tor, for “extra protection.”

Based on my research, however, I disagree – and this seems to be an unpopular opinion. One reference I’d like to cite is a blog post by Matt Traudt, a.k.a. system33-, who is someone I respect with regard to Tor. The post in question is VPN + Tor: Not Necessarily a Net Gain.

One of the points he brings up here is the following:

Tor is trustless, a VPN is trusted. Users don’t have to trust every Tor relay that they use in order to stay safe with Tor. As long as the right ones aren’t compromised, working together, or otherwise malicious, the user stays protected.

This is the main problem with insisting on combining Tor and a VPN. VPNs can keep logs of your activity online (though some claim not to), whereas Tor does not.

However, using a VPN can hide your Tor usage from your ISP, especially if said ISP is suspicious of Tor.

The Tin Hat, on their post Tor And VPN – Using Both for Added Security, also makes the point that “Where this setup fails is at hiding your traffic from a malicious Tor exit node. Because the traffic goes through the VPN, and then to the Tor network, exit nodes can still watch your traffic unencrypted.”

My preference, personally, is to use a Linux distribution with Tor, like Tails or Qubes, or for the more advanced, Arch Linux or Manjaro Linux. These, of course, take time to learn and won’t do everything for you, but they are designed for security. While this doesn’t mean they are vulnerability-free, they can improve your protection, particularly if you understand their ins and outs.

Don’t get me wrong – Unix-like OSes are not invincible – see Sophos: Don’t believe these four myths about Linux security, but depending on the situation, they are preferable to using an OS like Windows.

Oddly enough, I haven’t “contracted” any malware via the dark web – at least not to my knowledge. This has happened more often on the clearnet, ironically. Maybe it’s because I don’t download mysterious files or install programs that I find randomly on networks like Tor.

I’m paranoid that way.

What about you, readers? What OSes do you prefer to use (specifically in combination with Tor, I2P, Freenet, etc.)?

In the meantime, enjoy your dark web adventures, my friends – and please research any VPN or other “privacy” software before trusting it blindly.


Secure Passwords and Usernames for the Dark Web (or Anywhere)

by Ciphas


DISCLAIMER: I have not used any of the “passwords” in this post as real passwords. So go ahead and try them all you want!

An acquaintance contacted me recently, and was asking about how to use darknet markets. One of the things I had advised this person to do was to make sure that they used a secure passphrase and/or username.

This is just good internet advice in general, but I would say that it goes double for the dark web.

One of my earliest posts on this blog was entitled Dark Web: Fake Words and Secret Codes. In it, I had suggested the diceware method for generating strong passwords – and I still do, actually!


Just to review: you roll a die five times (or roll several dice at once), and each group of five digits stands for a word, number, or short string of letters taken from a long, numerically ordered word list.

They might look like this:

52121 ron

43453 noel

11243 acidic

53223 sequel

36514 llll

You then combine those words or numbers together, and that’s your password. Some people add periods or dashes in between the words, too. So, the final result would be “ron.noel.acidic.sequel.llll.”

For full details on how the diceware method works, see Diceware Passphrase Home.

This method, however, can be time-consuming. And the longer your password (or “passphrase”) is, the greater the chances are that you’ll make a mistake when typing it.

Throw Away the Dice??

My friend Arne Babenhauserheide, who is a programmer, came up with an alternate method of generating secure passwords, which he shared on his blog, Zwillingssterns Weltenwald.

The post in question is entitled Create secure passwords, usable on US and German keyboards.

Arne goes into detail about what denotes a strong password –

“Use blocks of four letters, chosen at random from a set of safely recognizable characters which are in the same position on German and US keyboards. Delimit blocks by a delimiter chosen at random from another set of characters.”

There’s a JavaScript version of the password generator on the post itself, as well as code for it in JavaScript, Python, and Wisp. You can read the full post if you want to find out more, but I also thought I’d show you some of the passwords that the generator came up with.


For a 12-character password: m3M4+v0Tg+ENHS

15 characters: QXL3+GWbh!vUqP.6d3

20 characters: VMCt!u6sF+Mxc5/fSwe/g7Vm

50 characters: MMWW.ruR3+vejH-7s6a.BiQi,89R5-51oq-FsFT,RK1M,HWmG*wvuj,D1om.9g

Well OK, 50 is probably overkill. One thing to point out – though you can use the password generator online, it’s much safer to download the web page and do it offline. I tried it – it works just fine!
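Here is an added example of the block-and-delimiter method Arne describes, written for this post and not taken from his generator. The character sets are my assumption (letters other than y and z, which swap places on a German keyboard, plus digits; seven delimiters), and the character count follows the post’s convention of counting only the block characters, so “12 characters” is three blocks of four plus two delimiters.

```python
import math
import secrets

# Assumed character sets, not Arne's exact lists: letters that sit in the same
# place on US and German keyboards (y and z are swapped on QWERTZ, so both are
# dropped) plus digits for the blocks, and a second set for the delimiters.
BLOCK_CHARS = "".join(c for c in "abcdefghijklmnopqrstuvwxyz" if c not in "yz")
BLOCK_CHARS += BLOCK_CHARS.upper() + "0123456789"   # 58 symbols
DELIMITERS = "+!.,-/*"                               # 7 symbols
BLOCK_LEN = 4


def generate_password(n_chars: int, pick=secrets.choice) -> str:
    """Draw n_chars block characters with a CSPRNG, group them in fours and
    join the groups with a freshly drawn delimiter. n_chars counts only the
    block characters, matching the post's "12-character" examples."""
    if n_chars < 1:
        raise ValueError("n_chars must be positive")
    chars = [pick(BLOCK_CHARS) for _ in range(n_chars)]
    blocks = ["".join(chars[i:i + BLOCK_LEN]) for i in range(0, n_chars, BLOCK_LEN)]
    out = blocks[0]
    for block in blocks[1:]:
        out += pick(DELIMITERS) + block
    return out


def split_password(password: str) -> tuple:
    """Recover (block characters, delimiters) from a generated password."""
    delims = [c for c in password if c in DELIMITERS]
    chars = [c for c in password if c in BLOCK_CHARS]
    if len(delims) + len(chars) != len(password):
        raise ValueError("password contains characters outside both sets")
    return "".join(chars), "".join(delims)


def entropy_bits(n_chars: int) -> float:
    """Entropy of the scheme: every block character and every delimiter is an
    independent uniform draw from its own set, so the bits simply add up."""
    n_delims = math.ceil(n_chars / BLOCK_LEN) - 1
    return n_chars * math.log2(len(BLOCK_CHARS)) + n_delims * math.log2(len(DELIMITERS))


if __name__ == "__main__":
    for n in (12, 15, 20):
        print(f"{n} characters, {entropy_bits(n):.1f} bits: {generate_password(n)}")
```

With these sets a “12-character” password carries about 76 bits, which is why the 50-character version really is overkill for anything but an encryption key.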

There are a number of other sites that have a similar feature, but with any of these, I would recommend the same thing – download the page and generate the password offline.

Even if you don’t want to use these for your passwords, they can be fun to try out:

Strong Random Password Generator

XKPasswd – Secure Memorable Passwords

GRC – Ultra High Security Password Generator

Create Safe & Secure Passwords

I confess that I don’t know which of these “generators” are the most or least secure, but if you come up with a passphrase that works for you, then more power to you.

That’s Utter Nonsense!!!!

Oh, I almost forgot – the username part! It’s up to you, but if you want a more pseudo-random username, I like to use nonsense word generators (which I also mentioned in the earlier blog post).

I used to use the one on http://www.soybomb.com/tricks/words/, but it seems to be having errors a lot lately.

There are quite a few more of these as well, some of which I’ll share:

Fake Word Generator For Great Made-Up Words!

Unique Word Generator

Nonsense Word Generator

Generate a list of random words

Obviously, you don’t have to do this, but it can be fun, and it also takes the effort out of the whole “What do I pick for a username?” question.

Here’s a random (or pseudo-random) result:

Username: zo¥ᄀtomic

Password: ET5h*XHd1*CUus.E6W

And there you go. Have fun, kids!

Oh, and you might want to use a VPN too.


Leaving the Dark Web (for Now)


This statement may come as a surprise to some of you, since this blog was originally built around the subject of the dark web.  For the time being, I’m walking away from it.

I’ve encountered a few things that have really made me question whether or not I should be there, and I don’t think it’s worth the risk.

On the bright side, this doesn’t mean I’ll stop writing the blog; I think I’ll just alter the subject matter more toward privacy-themed technology, and security (which I’m interested in anyway).

I do understand that my page views tend to go up whenever I talk about the dark web – and I may still discuss it from time to time, but that doesn’t mean I need to actively be in it.

Red Flags!


To be fair, I had received some warning signs already.  Several times, I was nearly the victim of an XSS (Cross-Site Scripting) attack, and had I not been using the NoScript plugin, I likely would have received the full brunt of it.

I also once attempted to visit a site with, shall we say, “questionable” motives, and I received a message that my IP address had been banned. It looked something like this (but a little less dramatic):

[image: Your-Ip-Banned.png]

So, if those experiences weren’t warning enough, I’d hate to think what other horrifying things lay in store for me. I certainly don’t want to be doxed and have my personal details posted on the dark web, or to have my identity stolen…or worse.

On the bright side, as someone said to me, “You can only write about the dark web so much before it gets old.”  As I thought about that, many of the YouTube videos and blog posts about it say the same things: “Ooh, it’s shocking!  There are hitmen!  There are drugs!  There are cats!”

I may as well find some things that aren’t being said everywhere else.  So, don’t be disappointed, readers!

I have been looking more into bitcoin and cryptocurrencies, so there’s plenty more to say about that. Plus, there are hundreds of different privacy apps and general security issues that I’m becoming more aware of each day.

I’ll keep the blog interesting.  Just give me some time to do more research.


Q & A with a Member of Anonymous (Italy)

by Secrets of the Dark


If you already have an interest in the dark web and/or hacking, the name “Anonymous” might immediately come to mind.  Yes, I’m referring to the people in the Guy Fawkes masks.

For my readers who have never heard of Anonymous or don’t know what they stand for, check out The Anonymous FAQ on Reddit.  (Hope you can handle a dose of snarkiness.)

I recently became friends with a member of Anonymous from Italy (via social media), and decided to interview him about his hacking experience, as well as some of the objectives of the organization. (The members of this particular derivative refer to their group as “Xud Anon.”)

NOTE: There were a few language barriers between us;  I’ve attempted to fill in the gaps, but it may not be perfect.  Enjoy, anyway!

Secrets of the Dark: I’m curious – how did you initially learn to hack (if you’re willing to say)?

Xud Anon: I worked in [a] bank…which I will not name, my interest was then related to this kind of thing.  But since sometimes I had free time, I spoke with the head of communications, who worked as a clerk in there…and I [tried to learn about] computer topics (in general), and from there I started to try to learn that kind [of thing], and I saw that my interest was growing day by day…

SOTD: What attracted you to this kind of thing?

XA: I do not know what attracted me to this kind of thing but it…slowly became like a drug.

SOTD: Interesting – I could see how it would be addictive.  Do you think that your goals, personally, are in sync with the rest of Anonymous?

XA: Maybe or maybe not, but I am sure that their (or rather, our) interests are very much reflected with [mine].  [Therefore] now seeing how to run things in the world, I try to support this movement to the best of my ability.

SOTD: What are you trying to achieve as a hacker?

XA: What we try to achieve, and what I think now…most people in the world [want], [is] a dramatic change of the system in which today we are REQUIRED to submit to people who do nothing but create confusion in people’s minds through their issuers.  Television, newspapers – tell us that we are free – but ask those who will read this: “Are you really sure about this?”

SOTD: That’s a good question.  Is your society supposedly a “free society”?

XA: The only thing I am proud of [is] the fact and the will to live, and in my own way [I do what] I can to follow the lines of the other…

SOTD: What do you mean by “follow the lines of the other”?  Of the opposite side?

XA: A free society – for me it would be a society without distinctions, social castes and distribution…present goods in the world are in the hands of a few.

SOTD: Some people call it socialism, what you’re describing.  But do you think change is possible?

XA: …Tell me [what] one person can be worth [in the sum of] a day’s work.  And this in my opinion [is] not absolutely beneficial.  [In the] sense that, with all the advanced technologies now present in the world, everyone [should] be able to have enough food.  Same thing for the work…housing [and] health.

SOTD: That sounds like a worthwhile goal to me!

XA: And [is it] possible that a signed paper (like the dollar or the euro) can create so much suffering in the world and those who inhabit it?

SOTD: Yes it is.  You’re right!  Even if it wasn’t meant to.  So, one last question…[do you officially] consider yourself a member of Anonymous?  What name do you go by?

XA: I would prefer to define [myself] as just one of many Italian XUD Anon…and I would also add that if you want it and believe in similar ideals, [you] may also be defined almost too (on other levels) one of many Anonymous, because our strength is in the group moving as if it were only one person.


Dark Web: Fake Words and Secret Codes

It should come as no surprise to anyone who’s used the dark web that concealing your identity is a priority.

Even if you aren’t involved in anything criminal, it’s still a good idea. So, if you’re creating an account for a site of some kind, it’s definitely safer if you don’t use the same login credentials as you do on other sites.

What I sometimes do, when trying to come up with a login name, is use a nonsense word generator. One of the best ones is at Soybomb.com (yeah, it’s named after this dude):

[photo: gty_soy_bomb_grammy_wy_120209_wg]

The program generates a list of 50 nonsense words each time you click the “generate” link.  I don’t know if you can actually read those, but that aside…

[screenshot: soybomb]

It’s crazy, but some of these actually make perfect login names (in my opinion, anyway)!  Another great site for this is Fake Word Generator For Great Made-Up Words!  That site, though, tends to repeat words more often than Soybomb does.


Anyway, let’s say you pick a name off one of those lists, like “andocide.”  Now comes the second part – your password/passphrase.  Weak passwords are often one of the reasons that people’s accounts get hacked easily, whether on the dark web or the surface web.

Dice or No Dice?

A good technique for generating more secure passwords is to use the “diceware” method, which comes up with random words based on a series of dice rolls.  This may not work for everyone, but hear me out.

The way diceware works is that you use dice (actual, physical dice) to come up with a series of random numbers.  You arrange the numbers into sets of five digits, each of which represents a word.

For example: 11651 = aloft, 11311 = addle

What words am I talking about, you ask?  There are several standard lists of diceware words, listed in numerical order.  One of those can be found here: Diceware Passphrase FAQ.  But, if you want to take the time and effort, you can also randomly generate your own diceware words using the same system – it’s just more tedious.

So, here’s an example of a passphrase generated with the diceware technique (not one I’ve actually used for anything):

“lyman.shrank.cross.welsh.percy.lamb.jukes.loy.chute”

That might not seem that secure, but the key is that a human didn’t come up with it.  People, in general, are pretty predictable when it comes to things like passwords (like using someone’s birthday, favorite color, favorite food, etc.).  A pair of dice is a lot more unpredictable.  You do still have to remember the passphrase that comes out, so you might want to record it somewhere.
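As an added example for this post and for the diceware walkthrough in “Secure Passwords and Usernames” above (my code, not Diceware’s), here is how five rolls become a position in a numerically ordered list, how the looked-up words are joined, and why nine words give the passphrase above roughly 116 bits of entropy. The word list is a constructed stub holding only the roll/word pairs quoted on this page; a real list has an entry for every combination from 11111 to 66666.

```python
import math
import secrets

LIST_SIZE = 6 ** 5  # a standard diceware list has 7776 entries, 11111..66666

# Constructed mini list using only the roll/word pairs quoted on this page;
# a real list covers every five-roll combination.
SAMPLE_WORDS = {
    "11311": "addle", "11651": "aloft", "11243": "acidic", "36514": "llll",
    "43453": "noel", "52121": "ron", "53223": "sequel",
}


def rolls_to_index(rolls: str) -> int:
    """Map five die faces (each 1-6) to the word's 0-based position in a
    numerically ordered list, i.e. read the rolls as a base-6 number."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError(f"need exactly five digits in 1-6, got {rolls!r}")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def roll_group(rng=secrets.randbelow) -> str:
    """Five CSPRNG 'rolls' for when no physical dice are at hand."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def passphrase(groups, words=SAMPLE_WORDS, sep=".") -> str:
    """Look every roll group up and join the words, as the post does with '.'."""
    missing = [g for g in groups if g not in words]
    if missing:
        raise KeyError(f"roll groups not in word list: {missing}")
    return sep.join(words[g] for g in groups)


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Each word is one uniform draw from the list, so entropy adds per word
    (about 12.9 bits each) regardless of how short or odd the words look."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    groups = ["52121", "43453", "11243", "53223", "36514"]
    print(passphrase(groups), f"{entropy_bits(len(groups)):.1f} bits")
```

The entropy figure only holds when the rolls are genuinely random and the whole list is used; picking the words you like best from a sheet of rolls throws most of it away.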

Onto the Websites!

Now that you have your randomly generated name and randomly generated passphrase, you’re better prepared for exploring the dark web.  Again, you don’t have to do it this way, but it seems like a smarter option than using the same login you use for, say, your email or bank account.

Yes, it takes a little extra time to do, but I think the result is worth it.