Hacker’s Guide to Stay out of Jail 7: VPNs vs. TOR

The Grugq dwells here on the issues of anonymity and privacy for freedom fighters, paying a particular attention to the tools for maintaining those.

Key difference between VPNs and TOR

Key difference between VPNs and TOR

In terms of technologies that you can use to help ensure that you maintain good OPSEC, on the subject of VPN vs. TOR, a lot of people seem to have thought that VPNs provide anonymity; that’s not the case. VPNs provide privacy, TOR provides anonymity, so the difference is: privacy protects your data, anonymity protects you. Therefore if you are using a VPN service, you have to make sure that you’ve gone through TOR first, otherwise that VPN is simply a link from the end point to yourself. So, TOR to VPN – ok; VPN to TOR – go to jail.

Choosing and purchasing a VPN

Choosing and purchasing a VPN

When you’re purchasing a VPN, the only safe currency you can use is Bitcoins. Liberty Reserve is monitored by the FSB, WebMoney is monitored by the FSB, if not administrated by the FSB. You might not care whether the FSB knows who you are, but you probably will be better off without them having that information. Again, when you purchase Bitcoins, do that only over TOR. If you’re looking for VPNs which do not keep logs, check out this link from Torrentfreak (see left-hand image). Again, I wouldn’t actually trust any of those VPNs who say that they don’t keep logs. PRQ and Mullvad are the ones that I would recommend. Ipredator is ok, except that it’s slow as hell.

A bit more on Bitcoins: you need to remember Bitcoins are anonymous, but they are not private, so all of the Bitcoin activity can be traced and can be used to connect back between different individuals, so make sure that when you’re using your Bitcoins, you do that in a way that is not going to contaminate between cover identities. At a bare minimum use unique wallets. Use mixers to do anything, apparently. I don’t actually have a good list of mixers that you can use to make sure that your Bitcoins have been mixed thoroughly. It’s something I need to address in future, but I don’t use VPNs, so it’s not a huge problem for me.

The Grugq's PORTAL

The Grugq’s PORTAL

The other thing is you need to make sure that you fail closed, so in the Infosec cartoon where he forgets to enable TOR, he gets fucked. And the reason is, if you use TORbutton or TOR Browser, these are technologies that can fail open. You don’t actually have a good backstop. That’s why I have developed PORTAL. PORTAL is the Personal Onion Router To Assure Liberty (see right-hand image).

So, we’ve got 2 examples. TP-Link VR703N would be one of them; it’s tiny, it’s awesome. The other one is an MR11U, and it has been chipped to have more RAM and more disc space, and it also has an onboard battery that can run 4 to 5 hours. When you log in, you get a really awesome display of my ASCII skills and some NC colors, which is pretty fucking cool. No logs – no crime.

Benefits of using PORTAL

Benefits of using PORTAL

PORTAL acts as a router between your operational console and your online targets. It ensures that all of your traffic is always going over TOR. Your operational machine is unable to actually access the router itself, it cannot conduct any administration activities, it cannot log in or access it at all, and any traffic it sends will always be routed over TOR. As a result, if your laptop gets compromised, it cannot be used to connect back to someone else’s shell and reveal your IP address.

Similarly, when you use an operational laptop, it should be one that has no radios – no Wi-Fi, no Bluetooth, it should have no webcam, and it should also not have an online battery, so that if the police do come down and lock down the door, you can pull the power plug out and it shuts down, and now they have to deal with your encryption rather than with trying to break your online passwords.

In this case I use a mobile uplink – in Thailand it’s very easy to get 3G connections, like, I can just walk into a 7-Eleven and buy any number of SIM cards – obviously, I don’t actually do that, I send my maid to go and get them for me, or have her get motorcycle guys to go and buy them and bring them to me. It’s a lot easier and means that I don’t end up on CCTV purchasing a particular SIM card.

By using mobile Uplink it’s safer than going to coffee shops. At a coffee shop your Wi-Fi can be monitored by people in the environment, and you also have the problem that if you’ve got your phone with you and it’s on and you haven’t pulled the battery out, when you’re at a coffee shop, if they are able to backtrack the attacks to that specific IP during that timeframe, they will also be able to correlate that with logs of your phone being at that specific location during that timeframe. So your mobile phone can be used to uncover your geographic location, and if your IP address can be used to also geolocate, then those 2 can be correlated and you can go to jail.

You can be a criminal, you can be famous, but you cannot be a famous criminal.

With PORTAL we had to use some additional tricks on the earlier versions to get enough disc space to install. The unmodified routers have only 4 MB of Flash, and it is not possible to install TOR on 4 MB, because TOR takes 1.2 MB by itself and the operating system takes 2.7, and you lose because you have no space. So it’s not actually possible to get TOR onto a non-modified router without using a microSD in a mobile and a 3G modem. We have the SD card configured to act as an overlay device which gets union mounted and you can have between 2 and 32 GB of disc space, which is excessive on a router, but maybe you want to run BitTorrent as well…

Supported hardware

Supported hardware

This is the hardware that’s going to be supported (see image): the MR-11U, and the MR-3040; I would recommend these, they are fairly small, they have an onboard battery, they come in a neat carrying case, they’re pretty awesome. The MR-3020 sucks; it’s basically the 703 but bigger with nothing else, and the 703 is tiny, which is awesome. They both have USB; you can hit up my Github, where I’ve put up some more information about it, it’s not actually complete yet, but it will be soon.

So, that would be the technology to use. It provides an initial layer. I’m now working on another project on developing an operational console that you would then use when you’re doing your actual online operations. I’m probably going to use Raspberry Pi for that, because it’s fairly easy to get.

So, in conclusion: you can be a criminal, you can be famous, but you cannot be a famous criminal; shut the fuck up.

Read previous: Hacker’s Guide to Stay out of Jail 6: Anti-Profiling
Read next: Hacker’s Guide to Stay out of Jail 8: Questions and Answers

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: