Tutorial: Fully Torified Linux VM on a Windows USB Stick


3 years ago
This tutorial explains step by step how to create an encrypted USB stick with Linux OS which you can start directly from Microsoft Windows without rebooting.

It is mainly aimed at Windows users who have never used Linux before and don't want to reboot their computer every time they use Tor. Following the tutorial produces a torified Linux installation, similar to Tails.
Some users may miss some features in Tails and Whonix and would find Ubuntu more convenient and easier to use, or they're DIY guys and like to have more control by understanding the steps of torifying Linux.

Don't be put off by the length of this tutorial; I mostly tried to mention every single click, so even your granny could successfully install it.
If you follow the steps in this tutorial you can't do much wrong, even if you have never used Ubuntu/VirtualBox/TrueCrypt.
Also, don't be put off by having to type stuff in the command line; you will only have to do this during installation.

Once you've completed the tutorial, Xubuntu is quite easy to use. You can click your way through the desktop using your mouse, as you're used to.

Features:
* Runs in a virtual machine on your Windows desktop, but has no access to your hard drives
* Entirely encrypted, except for the TrueCrypt and VirtualBox executables
* Easily portable to another computer running Windows
* Torified with iptables (firewall)
* Safer GnuPG configuration
* Ubuntu is widely used and easy to use for Linux novices, extensive documentation and help is available on the internet
* Install any Ubuntu software you like through the Ubuntu Software Center
* Receives manual security updates until 2017, no need to install a new Xubuntu version all the time
* Synchronizes time by using tlsdate, which should be slightly more secure than htpdate used by Whonix and Tails
* All changes you make are persistent (unless you restore a snapshot)
* No program other than Firefox, torsocks and the package updater can contact the network/internet (through Tor only)
* Programs don't share the same Tor circuit (Stream Isolation of Tor Browser, torsocks, tlsdate, security updates)
* Copy and paste between Windows and Linux is possible (you should turn this feature off when it's not needed)
* Boots more quickly (~5 seconds) right into the browser window when you use the snapshot feature of VirtualBox
* If your browser gets attacked with malware, simply restore the VirtualBox snapshot you've created upon completion of this tutorial
* Does not install anything or leave traces on your Windows system after unplugging the USB stick (*)

(*) Note that after examining the Windows registry file, it may be possible to tell that TrueCrypt was run (and that a TrueCrypt volume was mounted). However no one can tell that Tor was run on your computer.

System requirements:
* Microsoft Windows XP or higher
* 8GB USB stick

Time needed to complete the tutorial: 2+ hours

CC-BY Bernd Liefert, 13.08.2013
Updated 20.08.2013

[WARNING]
As of now, despite best efforts, there may be some issues which allow websites to fingerprint the standard Firefox browser installed in this tutorial. This doesn't threaten to reveal your identity, but makes you more pseudonymous than anonymous. Therefore you should preferably use the latest version of the Tor Browser. Step 7 explains how to install it.

What is missing in the standard version of Firefox:
https://www.torproject.org/projects/tor ... ox-patches

Furthermore this installation is not as secured as Whonix and Tails, yet. The tutorial will be updated in the future.
For most users this installation should be safe enough however, as it reliably prevents unwanted connections and fingerprinting of the browser.
[/WARNING]

1. Prepare your 8GB USB stick or SD card

Format the USB stick either with NTFS (Windows Vista or later) or exFAT (Windows XP or later). Formatting the USB stick with FAT won't be sufficient due to file size limits.

2. Download software

2.1. TrueCrypt

Get the latest stable version of TrueCrypt for Windows from http://www.truecrypt.org/downloads

Start the installer and choose "Extract" instead of "Install". Choose your USB stick as destination.
If you don't want to use a USB stick, simply extract it to some folder.

2.2. VirtualBox (portable)

Get the portable version of VirtualBox from http://www.vbox.me/
(click "Download and run Portable-VirtualBox_xxxxx-Win_all.exe")

Run the installer and choose your USB stick as destination

2.3. Ubuntu

Download the latest version of Xubuntu 12.04 LTS. We are using Xubuntu in this tutorial because the default version of Ubuntu uses too many resources for the desktop.
We are not using the latest Xubuntu (version 13.04), because this version will only receive security updates for a short time. We'd have to install a new version of Xubuntu in 2014 to receive important security updates. Xubuntu 12.04 LTS will receive security updates until 2017. There are also problems with GPG helper programs in version 13.04, which we try to avoid.

If you have a 64bit Intel or AMD CPU download this image:
http://se.archive.ubuntu.com/mirror/cdi ... -amd64.iso

If you have a 32bit CPU download this image:
http://se.archive.ubuntu.com/mirror/cdi ... p-i386.iso

If the above images are not available any longer, you can download the latest 12.04 images from here:
http://se.archive.ubuntu.com/mirror/cdi ... 4/release/
or here
http://xubuntu.org/getxubuntu/

3. Installation and configuration

3.1. TrueCrypt

Start "TrueCrypt.exe" from your USB stick and click the "Create Volume" button
Click "Next" to create an encrypted file container
Click "Next" to make it a standard TrueCrypt volume
Click "Select File" and open your USB stick, enter filename: "crypt" and click "Save"
Optionally check "Never save history", or keep it unchecked for more convenience
Click "Next" to leave the encryption algorithm at its default values
Select MB and enter "7500" to have an encrypted container with 7.5GB size. If your USB stick is larger than 8GB you may want to increase the size
Enter a reasonably long password, preferably with more than 20 characters, and click "Next"
Click "Next" because we don't need large files
Click "Format" and wait until the container creation is complete. Cook some coffee or roll a joint
Click "Exit" when done

Switch to the remaining TrueCrypt window or start TrueCrypt again and select a drive letter, in this tutorial it will be L:
Click "Select File", browse to your USB stick and select the "crypt" file you have created
Click "Mount" and enter the password of your TrueCrypt container

The TrueCrypt container will now appear as drive L: in your Computer. You will have to always use the same drive letter in future, or VirtualBox will not find the files.

3.2. VirtualBox

Start "Portable-VirtualBox.exe" and click "New" to create a new virtual machine
Enter any name, e.g. "Ubuntu 2017"
Select Type "Linux"
Select "Ubuntu (64bit)" if you have a 64bit CPU and click "Next"
Choose something between 512MB and 2048MB as memory size
Click "Create" to create a new virtual hard drive
Click "Next" because using a dynamically allocated hard drive file is enough for our use
Use the slider to make the maximum size of the virtual hard disk file slightly smaller than 7.5GB
The virtual machine is now created and powered off

Click "Settings" in the VirtualBox window
In the settings tree select "General" and click the "Advanced" tab
Click the "Snapshot Folder" text box and select "Other"
Browse to drive L:, click "Make New Folder", enter "snapshots" and click "OK"
To be able to use copy + paste between the virtual machine and your Windows desktop, set "Shared Clipboard" to "bidirectional"

In the settings tree select "Display" and give the virtual machine more memory (up to 128MB) for desktop graphics
In the settings tree select "System", select the "Processor" tab and make the virtual machine use more CPU cores (if your CPU has more than one core)
In the settings tree select "Storage" and select "Empty" below "Controller: IDE"
On the right side ("Attributes") click the little CD icon and select "Choose a virtual CD/DVD disk file"
Browse to the folder where you downloaded Xubuntu to and select the .iso file (e.g. "xubuntu-12.04.2-desktop-amd64.iso")

(Optional) If you want to be able to share files between your Windows desktop and the virtual machine, select "Shared Folders" in the settings tree
(Optional) Click the folder icon on the right side of the settings window, e.g. your Downloads folder
(Optional) Check the "Automount" box after you selected the shared folder

Click "OK" to close the settings window

3.3. Ubuntu

In the VirtualBox window click the "Start" button and click "OK" to remove the VirtualBox Information window.
If any errors occur click "OK" to close the error windows. You can ignore them, or they will probably pop up more often in the future.

The virtual machine should now successfully boot the Xubuntu installer. Click the "Install Xubuntu" button.

Check "Download updates while installing" and click "Continue"
Click "Continue" and "Install Now" to format the virtual hard disk
Select any time zone and click "Continue"
Choose your keyboard layout or click "Detect Keyboard Layout" if you are unsure, then click "Continue"
Enter any name (e.g. "Manning") and any computer name (e.g. "NSA")
This password can be weak, as it doesn't add much security. You need this password later to make administrator changes to Ubuntu
Change the username if you like or leave it as it is
Select "Login automatically" and click "Continue"

Ubuntu will now install a few packages. This will usually take less than 5 minutes. Once this is done, click "Restart Now".
If the virtual machine doesn't restart, open the "Machine" menu, select "Close", check "Power off the machine" and click "OK". Then start the virtual machine again with the "Start" button.

VirtualBox should now boot into the Xubuntu Desktop.

4. Setting up Ubuntu

4.1. Update packages

When the Xubuntu desktop is loaded, after a few seconds you will most likely get popups about new software being available. Click the red icon in the Xubuntu menu bar and select "Show updates".
Click "Install Now" to start the update process and enter your user password when prompted. Once this is done, click the "Restart Now" button.

After restart more software updates may be available. Wait a minute to see if the red icon shows up again, click it and install the updates, then restart Xubuntu again.
It is important that all updates were installed before proceeding to the next step. If you install any kernel updates later, you may have to repeat step 4.2.

4.2. VirtualBox Guest Additions

To use copy + paste between Windows and Ubuntu and some other useful VirtualBox features we need to install the VirtualBox Guest Additions.

Open the "Devices" menu in the VirtualBox machine window and select "Install Guest Additions"
On the Xubuntu desktop, double-click the VBOXADDITIONS CD icon
Double-click "autorun.sh" and enter your user password
When the installation is done ("Press Return to close this window"), restart the virtual machine by clicking the start button on the far left of the Xubuntu menu bar, select "Log Out" and click the "Restart" button.
Enter your user password when prompted.

After rebooting copy + paste between Windows and Ubuntu should work. This will be quite useful later in the next step.

4.3. Installing Tor, Privoxy and Polipo

Click the start button at the far left of the Xubuntu menu bar and start Accessories -> Terminal Emulator
In the new terminal window you should see something like "manning@NSA:~$ ", which is the command prompt.

At the command prompt enter "sudo su", enter your user password when prompted

Paste these lines in the terminal window (copy them to your clipboard and select Edit -> Paste in the terminal):


echo "deb http://deb.torproject.org/torproject.org precise main" >> /etc/apt/sources.list
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install deb.torproject.org-keyring
apt-get install tor tor-arm privoxy polipo
#


Enter Y to continue when prompted and wait until the packages are downloaded and installed.

4.4. PGP (Seahorse and Geany) and text editor

Geany is a text editor (actually an IDE), which we will use to encrypt PGP messages. Seahorse is a key manager which we will use to create and store PGP keys. Gedit is a simple text editor.

Click the start button in the Xubuntu menu bar and start "Ubuntu Software Center"
Enter "seahorse" in the search box of the Ubuntu Software Center, select "Passwords and Keys" and click "Install", enter your user password when prompted
Enter "geany" in the search box, select "Geany" and click "Install"
Enter "geanypg" in the search box, select "Pg plugin for Geany" and click "Install" - click "OK" to install untrusted packages
Enter "gedit" in the search box, select "Text Editor" and click "Install"
Enter "pinentry-gtk2" in the search box, select "GTK+-2-based PIN or pass-phrase entry dialog for GnuPG" and click "Install"

When this is done, restart the system by using the restart icon or start button -> Log Out

4.5. Change timezone

We set our timezone to UTC to reduce fingerprinting possibilities.

Click the start button at the far left of the Xubuntu menu bar and start Accessories -> Terminal Emulator
Enter "sudo dpkg-reconfigure tzdata"
Use the cursor keys to scroll down, select "Etc" and press enter
Use the cursor keys to select UTC and press enter

5. Firewall configuration

5.1. IPtables firewall

We only want Tor to be able to connect to the internet, so we set up the firewall accordingly.

Click the start button at the far left of the Xubuntu menu bar and start Accessories -> Terminal Emulator


In the terminal window enter


sudo gedit /root/firewall


and enter your user password when prompted

In the new text editor window paste these lines:

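#!/bin/sh
# Flush existing rules in the filter table
iptables -F

# Outgoing: allow only the Tor daemon user and loopback, drop everything else
iptables -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
iptables -A OUTPUT -j ACCEPT -o lo
iptables -P OUTPUT DROP

# Incoming: allow loopback and replies to established TCP connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP

# This machine does not forward traffic for others
iptables -P FORWARD DROP

# Save the ruleset so it can be restored before the network comes up
iptables-save >/etc/iptables.rules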


Open the "File" menu in the text editor and select "Save", then close the text editor window

Back in the terminal window enter

sudo gedit /etc/network/if-pre-up.d/iptables


In the text editor paste these lines:

#!/bin/sh
iptables-restore < /etc/iptables.rules


Save the text and close the text editor window.

Back in the terminal window enter these lines:

sudo chmod +x /root/firewall
sudo /root/firewall
sudo chmod +x /etc/network/if-pre-up.d/iptables
sudo reboot


After the system rebooted we will test our firewall configuration. Firefox should not be able to connect to the internet anymore at this point.

Click the start button in the Xubuntu menu bar and start "Web Browser"
Firefox should start up and display a "Server not found" message. This means the firewall is running. Close the Firefox window again and proceed to the next step.

To be certain you could also open a terminal and type "sudo iptables -L -v" to see if the firewall is running.
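
A repeatable version of that check, as an added example that is not part of the original tutorial: it reads `iptables-save` output and reports anything that deviates from the step 5.1 policy. The function name and the uid 105 in the constructed sample rulesets are assumptions; on the VM the uid comes from `id -u debian-tor`.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit `iptables-save` output against
# the step 5.1 policy. On the VM:
#   sudo iptables-save | audit_tor_firewall "$(id -u debian-tor)"

audit_tor_firewall() {
    # $1 = numeric uid of the Tor daemon user; the ruleset is read from stdin.
    # Prints one line per finding; returns 0 when clean, 1 otherwise.
    awk -v uid="$1" '
        # True if option `opt` with value `val` appears un-negated in the rule.
        function has(opt, val,    i) {
            for (i = 2; i < NF; i++)
                if ($i == opt && $(i + 1) == val && $(i - 1) != "!") return 1
            return 0
        }
        function finding(msg) { print "FINDING: " msg; bad = 1 }

        /^\*/ { table = substr($1, 2); next }       # "*filter", "*nat", ...
        table != "filter" { next }
        /^:/ { policy[substr($1, 2)] = $2; next }   # ":OUTPUT DROP [0:0]"

        $1 == "-A" && $2 == "OUTPUT" && has("-j", "ACCEPT") {
            if (has("-o", "lo")) next               # loopback only
            if (has("--uid-owner", uid)) { tor_rule = 1; next }
            finding("OUTPUT rule lets non-Tor traffic out: " $0)
        }

        END {
            n = split("INPUT FORWARD OUTPUT", chains, " ")
            for (c = 1; c <= n; c++)
                if (policy[chains[c]] != "DROP")
                    finding(chains[c] " policy is \"" policy[chains[c]] "\", expected DROP")
            if (!tor_rule) finding("no ACCEPT rule for uid " uid ", Tor cannot connect")
            exit bad + 0
        }
    '
}

# Constructed sample: what step 5.1 should produce (uid 105 is made up).
sample_good() {
cat <<'EOF'
# constructed sample, not captured from a real machine
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 105 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Constructed sample: INPUT left open and a rule that lets DNS bypass Tor.
sample_leaky() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 105 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF
}

sample_good  | audit_tor_firewall 105 && echo "good ruleset: OK"
sample_leaky | audit_tor_firewall 105 || echo "leaky ruleset: rejected"
```

The rules in step 5.1 cover IPv4 only; `ip6tables-save` prints the same format, so the same function can audit the IPv6 ruleset.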

6. Tor and security

6.1. Common configuration

Click the start button in the Xubuntu menu bar and start Accessories -> Terminal Emulator

In the terminal window, enter this line and enter your user password when prompted:


sudo gedit /etc/tor/torrc


In the new text editor window, scroll down to the bottom of the text, add a new line and paste these lines:


ControlPort 9051
ControlListenAddress 127.0.0.1
SocksPort 127.0.0.1:9050
SocksPort 127.0.0.1:9100 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9101
SocksPort 127.0.0.1:9102
StrictNodes 1
AvoidDiskWrites 1
DisableDebuggerAttachment 0


6.2. Exit nodes

6.2.1 (Optional) Define allowed exit node countries

Many people don't recommend this option, because it may make you less anonymous, but I prefer to have my exit nodes in countries which are not part of the NSA's PRISM program.
If you don't set any exit nodes yourself, then Tor will randomly choose exit nodes for you. As there is a huge number of exit nodes running in the USA and other PRISM partner countries,
you will often use exit nodes which can be sniffed by the NSA. However, as many websites are in the USA and PRISM partner countries, this is no ultimate protection against getting sniffed by the NSA.

This step may reduce anonymity significantly, because there is only a limited number of exit nodes in those countries. If you want to block servers in certain countries from becoming your exit node, you may want to have a look at step 6.2.2. instead.

By adding the next line to the bottom of /etc/tor/torrc we make Tor only use ExitNodes in Asia, South Africa and Russia:


ExitNodes {hk},{tw},{za},{in},{id},{th},{vn},{cn},{ru}


You can find a list of more country codes here (these are not always the same as internet top level domains)
http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Note that not all countries have a large number of ExitNodes, and that it's better if Tor has more than 20 ExitNodes to choose from. Most ExitNodes in this example will most likely be slow, except the ones in China (probably run by their secret service) and Russia. South Korea and Japan also have a lot of ExitNodes, but they may be too friendly with the NSA, so they haven't been added to the list.

6.2.2. (Optional) Define blocked exit nodes

Instead of using the above option it's possible to simply avoid exit nodes in certain countries.
By adding the next line to the bottom of /etc/tor/torrc we make Tor only use ExitNodes outside of first class PRISM partner countries:


ExcludeExitNodes {us},{gb},{ca},{au},{nz}


6.3. (Optional) Define entry node countries

If there are enough Tor relays in your country, you should only use EntryNodes in your country. If you are in the USA, add this line to the end of /etc/tor/torrc:



EntryNodes {us}


If you are not from the USA, check the above list of country codes to find out which code your country uses. These are not internet top level domains.

If you want to use specific trusted EntryNodes in your country, e.g. because you always want to have a fast entry node with large bandwidth, then you can specify those by using fingerprints.
In this case you should add at least 3 EntryNodes, preferably more.

manning2.torservers.net, bolobolo1.torservers.net and manning1.torservers.net are among the fastest EntryNodes in the USA (and the world) right now, so you may want to use them, if you live in the USA.
Instead of using the above EntryNodes example, you'd have to use something like this:

EntryNodes $D0236B1908B3CC686DB0A361F4931073A25793F1,$9F7A37446BC034B4FDB27CAE2C6CAAB83A40A361,$073F27934762FF8BA956FFCE136AAC1CCF45EA13

A configuration like this is recommended, if you don't use bridges.

To get more fingerprints of servers, go to http://torstatus.blutmagie.de/ and click on the server names. Copy the fingerprint line and add a $ in front of each fingerprint. Separate individual fingerprints in the config with commas. Remove spaces in the fingerprints. You should use at least 3-10 fingerprints as entry nodes.

6.4. (Optional) Tor bridges

Instead of using public EntryNodes you may want to use Tor bridges, but this may not help against NSA sniffing. They may know the bridges from https://bridges.torproject.org/ anyway. To have a very secret bridge you'd have to use hidden bridges run by your friends. As with the EntryNodes, you should use at least 5-10 bridges.

To use bridges you'd have to add the line

UseBridges 1

to the end of your /etc/tor/torrc. To get a list of bridges, go to https://bridges.torproject.org/bridges and copy the list of IP addresses it shows you. Paste the addresses at the end of your /etc/tor/torrc text file and add "Bridge " (note the space) before each IP address.

This will however not show you only bridges from your country, but from random countries. When you connect to a bridge in another country, then it is more likely that one or more secret services sniff your traffic. This would allow them to do time/size correlation when you browse clearnet websites.

It may be best if you skip the Tor bridges part and only use the EntryNodes part of this tutorial, unless you know how to find out in which countries those bridges are hosted. If you do use bridges, then the EntryNodes line will be ignored by Tor.

Once you're done with the Tor configuration text file, save it and close the text editor.

6.5. Privoxy and Polipo configuration

Back in the terminal type "sudo gedit /etc/privoxy/config"

At the end of the text file insert a new line and paste this line:



forward-socks5 / 127.0.0.1:9102 .


Save the text and exit the editor.

In the terminal type "sudo gedit /etc/polipo/config" and paste the following lines at the end of the text file:



proxyAddress = "127.0.0.1"
socksParentProxy = "127.0.0.1:9101"
socksProxyType = socks5



Save the text and exit the editor, then enter "sudo reboot" in the terminal to reboot Ubuntu before proceeding to the next step.

6.6. Arm

We didn't install Vidalia, which we could easily do by using the Ubuntu Software Center. However for some reason this is not recommended by the Whonix developers.
Instead we will use "arm" to get a new Tor identity.

Click on the desktop background with your right mousebutton and select "Create Launcher"
Enter a Name, e.g. "Arm"
Check "Run in terminal"
Optionally click the "No icon" button and choose some fancy icon
In the "Command" text box, paste this line:


sudo -u debian-tor arm


Click the "Create" button

A new icon should now appear on your desktop. It will be explained later in this tutorial how to use it.

6.7. Time synching

Tor needs the correct date and time to function properly, and we need to avoid getting fingerprinted because our computer sends the local time of our virtual machine to some website or server.
Therefore we need to turn off time synching in VirtualBox and make our virtual machine fetch the correct time from the internet in a stealthy way.

6.7.1. tlsdate

First we need to get the latest version of tlsdate, a . For our installation of Xubuntu 12.04 we can't use the version from the Ubuntu servers, so we need to get the version for Debian/jessie instead.

Go to http://packages.debian.org/jessie/tlsdate and scroll down and click the amd64 version if you are using a 64bit CPU or the i386 version if you are using a 32bit CPU.
Choose any mirror to download it to your Downloads folder.

Start the Terminal Emulator and paste the following lines:


cd Downloads
sudo dpkg -i tlsdate*


Enter your user password when prompted. Once the installation is done, enter "sudo gedit /etc/tlsdate/tlsdated.conf"

Change the value of "should-sync-hwclock" to "no"
Change the value of "jitter" to "1800"
Change the value of "min-steady-state-interval" to "60"
Change the value of "steady-state-interval" to "3600"
Change the value of "subprocess-wait-between-tries" to "10"

Change the value of "proxy none" to "proxy socks5://127.0.0.1:9100"

Save the text file and exit the editor.
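
The following added example (not part of the original tutorial) cross-checks the settings from steps 6.1, 6.5 and 6.7.1: each of Privoxy, Polipo and tlsdate must point at a SocksPort that exists in torrc, and no two of them may share one, otherwise they end up on the same Tor circuits. The function names are hypothetical and the sample files are constructed from the values given in this tutorial.

```shell
#!/bin/sh
# Added example (not from the tutorial): cross-check that each proxy client
# from steps 6.5 and 6.7.1 points at its own SocksPort from step 6.1.
# On the VM:
#   check_socks_upstreams /etc/tor/torrc /etc/privoxy/config \
#       /etc/polipo/config /etc/tlsdate/tlsdated.conf

check_socks_upstreams() {
    # $1 = torrc, $2 = privoxy config, $3 = polipo config, $4 = tlsdated.conf
    # Prints one line per client; returns 0 when every client has a dedicated,
    # existing SocksPort and 1 otherwise.
    listeners=$(awk '$1 == "SocksPort" {
        # a bare port number means Tor listens on localhost
        print (($2 ~ /:/) ? $2 : "127.0.0.1:" $2)
    }' "$1")
    privoxy=$(awk '$1 == "forward-socks5" { print $3 }' "$2" | tail -n 1)
    polipo=$(sed -n 's/^socksParentProxy *= *"\(.*\)" *$/\1/p' "$3" | tail -n 1)
    tlsdate=$(sed -n 's|^proxy  *socks5://||p' "$4" | tail -n 1)

    rc=0
    seen=""
    for entry in "privoxy=$privoxy" "polipo=$polipo" "tlsdate=$tlsdate"; do
        name=${entry%%=*}
        target=${entry#*=}
        if [ -z "$target" ]; then
            echo "FINDING: $name has no SOCKS upstream configured"; rc=1
        elif ! printf '%s\n' "$listeners" | grep -qxF "$target"; then
            echo "FINDING: $name -> $target, but torrc has no such SocksPort"; rc=1
        elif printf '%s\n' "$seen" | grep -qxF "$target"; then
            echo "FINDING: $name shares $target with another client"; rc=1
        else
            echo "OK: $name -> $target"
        fi
        # remember the target, one per line, for the sharing check
        seen="$seen
$target"
    done
    return $rc
}

write_sample_configs() {
    # Writes constructed sample files into directory $1, using the values
    # this tutorial sets in steps 6.1, 6.5 and 6.7.1.
    cat > "$1/torrc" <<'EOF'
SocksPort 127.0.0.1:9050
SocksPort 127.0.0.1:9100 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9101
SocksPort 127.0.0.1:9102
EOF
    echo 'forward-socks5 / 127.0.0.1:9102 .' > "$1/privoxy.conf"
    cat > "$1/polipo.conf" <<'EOF'
proxyAddress = "127.0.0.1"
socksParentProxy = "127.0.0.1:9101"
socksProxyType = socks5
EOF
    echo 'proxy socks5://127.0.0.1:9100' > "$1/tlsdated.conf"
}

demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
check_socks_upstreams "$demo_dir/torrc" "$demo_dir/privoxy.conf" \
    "$demo_dir/polipo.conf" "$demo_dir/tlsdated.conf" \
    || echo "configuration needs attention"
rm -rf "$demo_dir"
```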

6.7.2. Restart tlsdate through NetworkManager

When using virtual machine snapshots instead of booting the machine normally, tlsdate may not synchronize the time.

Open the Terminal Emulator and enter


sudo gedit /etc/NetworkManager/dispatcher.d/10tlsdate


In the text editor paste these lines:


#!/bin/sh -e

case "$2" in
    up)
        sleep 10
        /etc/init.d/tlsdate restart
        ;;
    *)
        exit 1
esac


Save and exit the text editor, then enter


sudo chmod +x /etc/NetworkManager/dispatcher.d/10tlsdate


6.7.3. Disabling vboxadd-service

In the terminal enter


sudo gedit /etc/rc.local


In the text editor, before the line "exit 0" add


service vboxadd-service stop


In the terminal, type "sudo halt" to shutdown the virtual machine.

6.7.4. VirtualBox advanced configuration

Once the virtual machine is shutdown, close all VirtualBox windows on your Windows desktop.

To hide our hardware identifications from the OS and to disable time synching we have to make a few changes to an XML file.

Open your USB stick folder on the Windows desktop, find and open the file "Ubuntu 2017.vbox" (or whatever you called your virtual machine) in a text editor.
Note that for this step to succeed there must be no VirtualBox snapshots present, or the values may get reverted later. Before doing this you have to delete the snapshots.

Find the section and add the following lines to it:































Find the section and change the TimeOffset value from 0 to something random between -60000 and +60000. Example:

Find the section and add





Change to
If it's not already enabled, change to "true"

Find the section and change the first section to





Change the section below to





Save the text file and exit the editor.

When this step is complete, boot the virtual machine again and proceed to the Firefox/Tor Browser installation.
You may want to load the .vbox configuration file into the text editor again to see if the values you changed are still in place. If they are not, this may lead to deanonymization or worse.

When starting the virtual machine in future, make sure that the time is actually synchronized with the UTC timezone and doesn't lag behind UTC significantly before making connections through Tor.
If your time is not synchronized with UTC you can be fingerprinted under certain circumstances ("oh look it's the Tor with the wrong clock again").
Sometimes tlsdate may not synchronize the time properly after restoring a snapshot (this may take a minute), then you should reboot the virtual machine.

For more information about the previous steps see http://zo7fksnun4b4v4jv.onion/wiki/Prot ... Protection

6.8. Hardening Ubuntu

To make Ubuntu a little more secure we install some security packages.

Open the Terminal Emulator and enter this line and enter Y to all questions


sudo apt-get install tiger harden-servers harden-clients


For more information about these and additional hardening packages see http://www.debian.org/doc/manuals/secur ... en.en.html

7. Firefox and Tor Browser

It is not recommended that you use the standard version of Firefox, unless you are aware of the fingerprinting issues. The following steps are only left in the tutorial for educational reasons, and we may want another installation of Firefox because sometimes Tor Browser may not do what we want.

7.1. Firefox (pre-installed)

7.1.1. Firefox configuration

Start Firefox (start button -> Web Browser) and select Edit -> Preferences in the Firefox menu bar

In General preferences, change the "When Firefox starts" setting to blank page or tabs from last time, to prevent connection to Google
In Advanced preferences, select the "Data Choices" tab and uncheck both "Enable Firefox Health Report" and "Enable Crash Reporter"
In Advanced preferences, select the "Update" tab and uncheck "Search Engines"

In Advanced preferences, select the "Network" tab and click Settings ("Configure how Firefox connects to the internet")
In the Connection Settings check "Manual proxy configuration"
In the "HTTP Proxy" line enter HTTP Proxy: 127.0.0.1 Port: 8118
Check "Use this proxy server for all protocols", click OK and Close the Firefox Preferences window

Note that as of today you shouldn't "Tell websites that I do not want to be tracked", yet.

We don't want to connect to Google, so we change the default Firefox search engine.
Enter https://startpage.com (or https://ixquick.com/ if you don't even want to use Google through the Startpage proxy) in the URL bar of Firefox and click "Add to Firefox" on the webpage.
On the next page click the "Install" button (HTTPS), check "Start using it right away" and click "Add"

Startpage.com is now your default search engine in Firefox. You may want to remove the other search engines, but they won't bother you unless you select them manually.
Enter http://3g2upl4pq6kufc4m.onion/ in the URL bar and bookmark it. This is the hidden service of the search engine DuckDuckGo, with it you can search the web without using the clearnet.

7.1.2. Firefox addons

First we want to disable all the default addons of Ubuntu.
Go to Tools -> Addons menu and select Extensions
Click the "Disable" button next to all Ubuntu addons and click "Restart now"

Select the "Get Addons" tab and search and install these addons:

Cookie Monster
NoScript Security Suite
RefControl
User Agent Overrider

Go to https://www.eff.org/https-everywhere and click "Install in Firefox", click "Allow" to install it and restart the browser
After restart, when HTTPS Everywhere asks you if you want to use the SSL Observatory, click No

Go to Tools -> RefControl Options and click Edit
Select "Block - Send no referer", check "3rd Party requests only" and click OK to close the RefControl options window

Go to Tools -> Addons and click Extensions
Click the "Preferences" button of the Cookie Monster addon
Check "Block all Cookies" and close the Cookie Monster configuration window

Check View -> Toolbars -> Add-on Bar in Firefox, so you can allow cookies for each site later and stay logged in to forums etc.

Click the "Preferences" button of the User Agent Overrider
At the top of the text enter a new line and paste this line:


Firefox 17/Windows: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0


Close the Add-ons Manager tab
At the top right of Firefox click the User Agent Overrider button and select "Firefox/17"

Site-specific or filter-based addons such as AdBlock Plus, Request Policy, Ghostery, Priv3, and Sharemenot are to be avoided.

7.1.3. Change about:config

Type "about:config" in the URL bar of Firefox and push the "I'll be careful" button
Search for "lang" in the new window and double-click "intl.accept_languages"
Change "en-US, en" to "en-us, en" (upper case "US" to lower case)
Search for "track" and double-click "noscript.doNotTrack.enabled" (Value should be "false")

7.1.4. Test the browser settings

While configuring Firefox we tried to make it appear as if it was the Tor Browser Bundle, thus giving us more anonymity. Now we test if we were successful.

Quit and restart Firefox and go to http://ip-check.info , click START TEST!
Do not install the Flash or Java plugin.

The most important part is that the "Signature" attribute is green. As of now it should show "8ab3a24c55ad99f4e3a6e5c03cad9446 (Firefox)". This means that our HTTP headers look like the headers of Tor Browser Bundle.
Some exit nodes seem to add headers, so it may sometimes show a different signature.

Every attribute except "Authentication" should be either green or orange. Note that if you resized the virtual machine window of VirtualBox your browser window may have an odd size. This could be used by websites to fingerprint you, because no one else has the exact same resolution. This issue may be negligible however.

Another test you can run is https://panopticlick.eff.org
If everything went well, it should show a message like this:
"Within our dataset of several million visitors, only one in 492 browsers have the same fingerprint as yours."
This means that a lot of other browsers have the same signature as yours, making you more anonymous.

As of now, Firefox pretends that it runs on Windows, which can confuse exploits which attack the browser and make them useless. As you shouldn't install any Flash plugins etc. this should not create any problems with websites. If it does create problems, you can change the User-Agent header to a Linux version with the User Agent Overrider button.


7.2. Tor Browser

7.2.1. Installation

7.2.1.1. Download and extract

Download the latest version of Tor Browser (English, 64bit if you have a 64bit CPU) for Linux from

https://www.torproject.org/projects/tor ... #downloads

When the download is complete, open your Home -> Downloads folder on the desktop
Move the downloaded file from your Downloads folder to your Home folder
Click the downloaded file with the right mouse button and select "Extract Here"

You will have to repeat step 7.2.1.1. if there is a Tor Browser update available.

7.2.1.2. Making it work

The "start-tor-browser" icon will not work properly with our installation, so we have to create our own Tor Browser starter.

Open the "tor-browser_en-US" folder
Click the folder background with the right mouse button and select Create Document -> Empty File
Enter any name, e.g. "Tor Browser"
Click the "Tor Browser" file with the right mouse button and select "Open With Leafpad"
Paste these lines into the text editor:

#!/bin/sh
# Start the bundled Firefox with the Tor Browser profile; stop if the folder is missing
cd ~/tor-browser_en-US || exit 1
./App/Firefox/firefox -profile ./Data/profile -no-remote


Save the text file and close the text editor, then click the "Tor Browser" icon with the right mouse button again
Select the "Permissions" tab and check "Allow this file to run as a program"
Click the "Tor Browser" icon with the right mouse button and select Send To -> Desktop (Create Link)

7.2.2. Configuration

Start Tor Browser by clicking the icon on the desktop

You may want to deactivate Javascript by clicking the "S" icon next to the green onion icon in the browser and selecting "Forbid Script Globally". This is however not recommended by the Tor developers.

In the browser, go to Edit -> Preferences, click the "Advanced" tab and push the Settings button in the Network tab
Enter these values:
HTTP Proxy: 127.0.0.1
Port: 8118

Check "Use this proxy server for all protocols"

You can then configure your browser as desired, but don't change the language. Otherwise you may become more pseudonymous than anonymous.
If you want to save cookies for a website (e.g. to stay logged in on forums), click the Tor button -> Cookie Protections and protect the cookies for the website.

3 years ago
8. Preparing PGP

Click the start button in the Xubuntu menu bar and start Settings > Passwords and Keys
In the Passwords & Keys window, click the "New" button, select "PGP Key" and click "Continue"

Enter a fake name (first + last name) and a fake email address
Click "Advanced key options" and increase key strength to 4096, click the "Create" button and enter a reasonable passphrase for your PGP key

Click "Cancel" to close the "Create New" window (don't cancel the "Generating Key" window).
While the key is being created (this can take a while), open Firefox and browse some website, preferably a hidden service (OnionNews: newsiiwanaduqpre.onion ), or test some programs from the Xubuntu start menu.
When the PGP key is created, close the Passwords and Keys window (click "Cancel"). You can use Passwords and Keys later to add and delete keys of your contacts.

Click the start button in the Xubuntu menu bar and start Development -> Geany
In the Geany window, open Tools menu -> Plugin Manager, check "GeanyPG" and click "OK"

To stop GPG from being too open about itself, we restrict the information which is passed on in a public PGP key and in encrypted messages.

Open the Terminal Emulator and type

gedit ~/.gnupg/gpg.conf



Scroll down to the end of the text file and enter these lines:


no-emit-version
no-comments
#throw-keyids
display-charset utf-8

personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed



Save the text and exit the editor.


9. Security updates

Due to possible time/size correlation attacks, it's not recommended to leave the automatic security updates feature turned on all the time. Instead we set up the package updater to only update packages when we manually request it.

Click the start button in the Xubuntu menu bar and start Accessories -> Terminal Emulator
Enter "sudo gedit /etc/apt/apt.conf.d/00aptitude", enter your user password when prompted and paste this into a new line in the text editor:


Acquire::http::Proxy "http://127.0.0.1:8123";



Save the file and exit the text editor.

Click the start button, start System -> Update Manager and click the "Settings" button
In the Updates tab change "Automatically check for updates" to "Never" and click the "Close" button, enter your user password when prompted
In the Ubuntu Software tab uncheck "Proprietary drivers for devices"
It's probably best if you change "Download from" to another country, e.g. Russia: mirror.yandex.ru

Close the current window and the update manager.

10. Create a snapshot of the virtual machine

Congratulations! You are now done with installing Xubuntu.

Now that the installation is complete, we can create a snapshot of the virtual machine. If we break something in Xubuntu or we receive some malware, we can revert back to the snapshot later.
Before taking a snapshot, you should turn off the Shared Clipboard feature of VirtualBox, and only turn it on again when you need it.

Open the "Devices" menu in the running virtual machine window and select Shared Clipboard -> Disabled.

To create a snapshot, click the "Machine" menu in the running virtual machine window and select "Take Snapshot".
You can basically create an unlimited number of snapshots; this is only limited by the size of your TrueCrypt container. You may want to create another snapshot later, after adding PGP public keys and bookmarks.

Deleting a snapshot will merge it with the previous machine state, so the changes you made before taking the snapshot will be made permanent.
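
The lines added to gpg.conf in section 8 and to the apt configuration in section 9 can be re-checked after an update or a snapshot restore. The script below is an added example, not part of the original tutorial; the function names and the sample files are constructed, and it accepts any loopback proxy port rather than only 8123.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the lines from sections 8 and 9.

# Print the value of an active gpg.conf option; fail if absent or commented out.
gpg_opt() {  # $1 = file, $2 = option name
    awk -v opt="$2" '
        /^[ \t]*#/ { next }
        $1 == opt { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit !found }' "$1"
}

# Report missing or changed settings; return 1 if anything was reported.
check_gpg_conf() {  # $1 = path to gpg.conf
    rc=0
    for opt in no-emit-version no-comments; do
        gpg_opt "$1" "$opt" >/dev/null || { echo "missing: $opt"; rc=1; }
    done
    for opt in personal-digest-preferences cert-digest-algo; do
        val=$(gpg_opt "$1" "$opt") || { echo "missing: $opt"; rc=1; continue; }
        case $val in
            SHA512*) ;;                              # SHA512 first, as in section 8
            *) echo "not-sha512: $opt $val"; rc=1 ;;
        esac
    done
    return $rc
}

# Succeed only if an active Acquire::http::Proxy line exists and every such
# line points at a loopback proxy, so apt cannot bypass the local proxy.
check_apt_proxy() {  # $1 = apt configuration file
    awk '
        /^[ \t]*(\/\/|#)/ { next }                   # skip comment lines
        /Acquire::http::Proxy/ {
            seen = 1
            if ($0 !~ /"http:\/\/(127\.0\.0\.1|localhost):[0-9]+\/?"/) bad = 1
        }
        END { exit !(seen && !bad) }' "$1"
}

# Constructed sample input: the lines the tutorial adds in sections 8 and 9.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' no-emit-version no-comments '#throw-keyids' \
        'personal-digest-preferences SHA512' 'cert-digest-algo SHA512' > "$d/gpg.conf"
    echo 'Acquire::http::Proxy "http://127.0.0.1:8123";' > "$d/00aptitude"
    check_gpg_conf "$d/gpg.conf" && check_apt_proxy "$d/00aptitude"
    status=$?; rm -rf "$d"; return $status
}
demo && echo "sample configuration passes"
```

On the real system the two functions would be pointed at ~/.gnupg/gpg.conf and /etc/apt/apt.conf.d/00aptitude.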

3 years ago
11. Using Ubuntu

11.1. Booting the virtual machine

Plug the USB stick into a Windows computer, open the USB drive and start Truecrypt.exe
Select the drive letter you used while creating the TrueCrypt container (in this tutorial we used drive letter L:)
Click the "Select File" button and choose the "crypt" file on your USB stick
Click "Mount" and enter your TrueCrypt password

Start Portable-VirtualBox.exe from the USB stick
If it displays an error message you can usually ignore it
Click the "Snapshots" button and click the snapshot you want to restore with the right mouse button
Select "Restore Snapshot", then uncheck "Create a snapshot of the current machine state" and click "Restore"
Click the green "Start" arrow to start the virtual machine

11.2. Manually checking for updates

You should manually check for updates about once a month, by starting System -> Update Manager.
If there is a Tor Browser update, repeat step 7.2.1.1.

11.3. Using PGP

11.3.1. Adding public PGP keys to your keyring

To add a public PGP key to your list, copy it to your clipboard and start the Settings -> Passwords and Keys
Open the "Edit" menu and click "Paste"
Click the "Other Keys" tab

(Important) Click the newly imported key with your right mouse button and select "Sign Key"
(Important) In the "Sign Key" window select "Casually" or "Very Carefully", click the "Sign" button and enter your PGP passphrase

You can now close the "Passwords and Keys" window again or add some more keys. The last 2 steps are important because otherwise Geany will refuse to encrypt your messages later.

11.3.2. Encrypting text with Geany

Start Development -> Geany and type or paste your text into the editor
Select the whole text, either with Edit -> Select All or by pressing CTRL + A
Open Tools -> GeanyPG -> Encrypt, select the recipient(s) and click the "OK" button

Select the encrypted text and copy it to your clipboard.

11.3.3. Decrypting text with Geany

Start Development -> Geany and paste the encrypted text into the editor
Select the whole text, either with Edit -> Select All or by pressing CTRL + A
Open Tools -> GeanyPG -> Decrypt/Verify and enter your PGP passphrase

11.3.4. Copying your own public PGP key to the clipboard with Seahorse

Start Settings -> Passwords and Keys and select the "My Personal Keys" tab
Click the key you want to copy with the right mouse button and select "Copy"
You can now paste the key into your browser, text editor etc.

11.4. Using shared folders

If you specified shared folders at 3.2., they will be available in the "media" folder of the "File System". To open it as admin, push ALT + F2, enter "gksu thunar /media" and enter your user password.

11.5. Getting a new Tor identity

Click the "Arm" icon you've created earlier on the desktop and enter your user password.
Press "n" to get a new identity. More options are available when you press "m"; use the cursor keys and the enter key to navigate through the menu.

11.6. Torsocks

Command line programs which need a connection to the internet may have a proxy option, where you can use proxy host 127.0.0.1 port 8118 or 8123. A quicker solution is using torsocks. Usually you can ignore the errors.
Usage example:

torsocks wget http://google.com





Do you have any suggestions or questions about this tutorial? Was there any problem during installation?
Post it in this thread.

3 years ago
An updated and fixed version of this tutorial has been posted here:
viewtopic.php?f=2&t=18324
