Ephemeral Firefox as a Site-Specific Browser (3/3)

Site-Specific Ephemeral Firefox featured image showing a firewall between the facebook and firefox icons

This article is a part 3/3 of a series describing how to setup an Ephemeral Firefox session as a Site-Specific Browser. The ultimate goal is to be able to have a self-destructing browsing session that can only access a single company’s services, such as Google or Facebook.

After setting up the Site-Specific Ephemeral Firefox Browser, you can then blacklist services designated to your Site-Specific browser(s) (such as Google or Facebook) from your main browser. This significantly improves your ability to browse the internet without your activity being tracked by these companies — leaving your sensitive data vulnerable to being stolen by hackers.


. . . → Read More: Ephemeral Firefox as a Site-Specific Browser (3/3)

How to check Whonix version in Qubes

Whonix 14 just came out last month. I went to update, but I couldn’t figure out what version I was currently running. The documentation said to run this command, but the output didn’t make sense when I ran it on my whonix-gw TemplateVM.


. . . → Read More: How to check Whonix version in Qubes

Detecting Censorship or ISP Network Tampering with OONI

This article will introduce a tool to detect censorship or network tampering using the Open Observatory of Network Interference (OONI) android app, which is part of the Tor Project.

The OONI project’s mission is to collect data on network providers to determine where the Internet is free and where it’s being manipulated. For example, the OONI Explorer displays a world map of such data.

On the OONI explorer, you can drill-down on the world map into a specific country to get a list of websites that were detected as being blocked from within that country.

For example, when I looked at the history of OONI probe runs within the US, I saw a list of the usual suspects: gambling sites, pornography sites, torrenting sites, etc. More surprising (at least to me) was the number of pastebin sites that were banned. And, despicably, there was a network in the US blocking The Internet Archive

When I looked at the data from scans within another great “free country” = India, I saw a lot of cherry-picked censorship on facebook and news articles as it relates to the 2017 genocide of Rohingya Refugees in Burma and various muslim/hindu conflicts.

Anyone
. . . → Read More: Detecting Censorship or ISP Network Tampering with OONI

Bypassing Check Point firewall DPI Tor-blocking

This article will describe how to bypass censorship from within any network that uses firewalls using Deep Packet Inspection (DPI) built by the Israeli software company Check Point Software Technologies Ltd, such as is being used by the Miami-Dade’s Public Library System to censor on their public wifi.

I’ve been very fortunate to live in a country where freedom of speech is a well-protected human right and censorship is generally unaccepted. But, I’ve long been aware that many States prefer to assert their control over their citizens by controlling their available information. One of the shining achievements from the Tor Project is a system that allows these unfortunate souls to be able to bypass these censors and access the unfettered Internet. Indeed, the UN affirmed that a State’s attempt to prevent or disrupt dissemination of information online is a violation of international human rights law, as defined by article 19 of the Universal Declaration of Human Rights.

Of course, many States today continue to ban access to the Tor network. In response, Tor provided hidden entry-points called bridge relays that are harder to block. In response to Tor bridges, States purchased firewalls from companies like Check Point to analyze the
. . . → Read More: Bypassing Check Point firewall DPI Tor-blocking

Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

This post will describe what hardware to buy & how to configure it so that you have 2 wireless networks in your house: One that seamlessly forces all of the traffic on that network through a VPN–and one that connects to the Internet normally . When finished, the internet activity for any device connected to the first network will be entirely encrypted so that the ISP cannot see which websites are visited*, what software you use, and what information you send & receive on the internet.

* Assuming your config doesn’t leak DNS; see improvements section

Update 2017-08-25: Added “kill switch” firewall rule that prevents LAN traffic from escaping to the ISP unless it passed through the VPN’s vtun0 interface first. Following this change, if the VPN connection is down, the internet will not be accessible (as desired) over the ‘home’ wifi network (without this, the router bypasses the VPN by sending the packets straight to the ISP–giving a false sense of privacy).

Why

In April 2017, Trump signed Bill S.J.Res.34, which repeals the Broadband Consumer Privacy Proposal from October 2016. This enormous step backwards permits anyone’s ISP to sell their Internet activity. The EFF put it best:

companies
. . . → Read More: Howto Guide: Whole House VPN with Ubiquiti + Cryptostorm (netflix safe!)

Tor->VPN in TAILS to bypass tor-blocking

This post will describe how to route outgoing traffic in a python script running on TAILS first through Tor, then through a SOCKS proxy created with an ssh tunnel. This is helpful when you want to use the anonymizing capabilities of tor, but you need to access a website that explicitly blocks tor exit nodes (common with sites running CloudFlare on default settings).


. . . → Read More: Tor->VPN in TAILS to bypass tor-blocking

pycurl through Tor without leaking DNS lookups

This article describes the correct way to use pycurl over Tor, such that both DNS lookup data and HTTP(S) traffic is sent through Tor’s SOCKS5 proxy.

If you google “pycurl tor”, one of the first results is a stackoverflow post that describes how to configure pycurl using the pycurl.PROXYTYPE_SOCKS5 setting. Indeed, even the tutorial To Russia With Love on the Tor Project’s Official Website describes how to pass pycurl through Tor using the pycurl.PROXYTYPE_SOCKS5 setting.

However, using pycurl.PROXYTYPE_SOCKS5 will leak DNS queries associated with your HTTP requests outside of the Tor network! Instead you should use pycurl.PROXYTYPE_SOCKS5_HOSTNAME.

The –socks5-hostname argument was added to libcurl v7.26.0. The pycurl.PROXYTYPE_SOCKS5_HOSTNAME argument wasn’t added to pycurl until pycurl v7.19.5.1, which (at the time of writing) was less than 2 months ago!

This article will describe how to install pycurl v7.19.5.1 onto the latest version of TAILS at the time of writing, which is TAILS v1.2.3.


. . . → Read More: pycurl through Tor without leaking DNS lookups