Tor at the Heart: Security in-a-Box

This is one of a series of periodic blog posts where we highlight other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Security in-a-Box

More than ten years ago, Tactical Tech and Front Line Defenders started providing digital security trainings for human rights defenders at risk around the world. Soon thereafter, they created Security in-a-Box to supplement those trainings and to support self-learning and peer-education among those defenders.

Security in-a-Box offers general advice and practical walkthroughs designed to help its users secure their digital information and communication by choosing the right software and integrating it into their daily lives.

Hands-on guides

Security in-a-Box offers a number of Tool Guides that explain step-by-step how to download, install, and use digital security tools on Linux, Windows, Mac OS X, and Android. Some of these guides that were recently updated in 11 languages include:

  • Tor Browser for anonymity and censorship circumvention (on Windows & Linux)
  • Signal for encrypted messaging and Voice-over-IP calls on Android
  • VeraCrypt for file encryption (on Windows & Linux)
  • Thunderbird and OpenPGP for email encryption (on Windows & Linux)
  • KeePassX for secure password management (on Windows & Linux)
  • Firefox with add-ons for more secure web browsing (on Windows & Linux)
  • Jitsi and OTR for encrypted instant messaging (on Windows & Linux)

Other Tool Guides cover setting up a Riseup email account, securing the Windows operating system, and protecting data when using social networking platforms (like Facebook and Twitter).

Security in-a-Box also includes a few community-specific toolkits tailored for LGBTI communities in the Middle East and North Africa and in Sub-Saharan Africa, for environmental rights defenders, and for women human rights defenders.

Tips and Tactics

As digital security is a process that extends well beyond the adoption of specific tools, Security in-a-Box also offers Tactics Guides that propose new ways of thinking about security and recommend practices that might strengthen it. Some of these include:

Community

Over the years, a community of digital security trainers, editors, translators, and privacy advocates has sprung up around Security in-a-Box. Many digital security trainers from Africa, Latin America, Central and Southeast Asia, Europe and North America rely on Security in-a-Box for their trainings and contribute to its development.

Thanks to the project’s community translators, Security in-a-Box is published in 17 different languages. Recently updated translations include: Arabic, Spanish, Farsi, French, Indonesian, Portuguese, Russian, Thai, Turkish, Vietnamese and Chinese. As a result, Security in-a-Box reaches well over a million people each year with advice on digital security, online privacy and censorship circumvention.

None of this would have been possible without the work of the software developers who create these tools in the first place, and to whom we are extremely grateful. Donate to the Tor Project today!

Written by Maria Xynou (Tactical Tech) and Wojtek Bogusz (Front Line Defenders)


Unfortunately, some of that advice has not been updated for a long time, to the point of being dangerous to use. Including one of the potentially most useful :

https://advox.globalvoices.org/past-projects/guide/

"Anonymous Blogging with WordPress & Tor – ARCHIVED
This guide was originally written in 2005 and has not been updated since 2009. Please DO NOT use it for practical purposes."

:-) OK !

Super :)))

Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers. Still, now everyone knows that what we long feared is true: FBI agents do not need to seek any warrants or to ever tell any judge if they want to target anyone who they believe is "engaged in the development of communications security practices":

https://theintercept.com/2017/01/31/undercover-fbi-agents-swarm-the-internet-seeking-contact-with-terrorists/
Undercover FBI Agents Swarm the Internet Seeking Contact With Terrorists
The FBI’s online activities are so pervasive that the bureau sometimes finds itself investigating its own people.
Cora Currier
31 Jan 2017

> According to the guide, an online counterterrorism investigation can target websites or online networks that the FBI believes terrorists are using “to encourage and recruit members” or to spread propaganda. Such probes may extend to the administrators or creators of those forums, as well as people engaged in “the development of communications security practices” or “acting as ‘virtual couriers’ for terrorist organizations by passing online messages among members or leadership.”

Individual FBI agents are given very wide latitude in how to interpret these manuals, so some of them probably consider that anyone operating a Tor node is "acting as a virtual courier".

> Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers.
mismatch : it is coming from an ancient law (uk usage) : 'legitimate suspicion' still applied since several centuries ; nothing to do with terrorism or FBI or internet, (it is only used against genuine people usually so the "trump ban" is not involved.).
In fact this law is became a standard in the rogue state and where mafioso / military force became the "legitimate government" _ nothing to do with usa (e.u & arab & east countries are a better example) ...

At my point of view ; the ISP provider is at the heart of Internet freedom.
when will we have a free/gratis access at internet ?
That's the point !

We don't need free access, we need reliable access!

no, we need free access (gratis) _ fiber is coming & a digital revolution could happen with a real free (without bug/backdoor) hardware _ that's the second logical step ...

Not for another 4 years at the very least, in the U.S.

do you know some project about that which have been stopped or should start according the concerned state (u.s.a) ?

Jitsi is the most bugged XMPP client in existence.

Pidgin.im is better

pidgin is recommended but who has 100 correspondents & could say : it is safe & no one know whom and why & where i use it ?
* i tried it several time for communicating with few 'unknown' friends but i was not a target.

Pidgin is super scary, at least to me.

That's why I use Ricochet and Tor Messenger, and I avoid anything with libpurple in it.

"Other Tool Guides cover setting up a Riseup email account,"
Not a good idea. Riseup may have been compromised.
Even if users use pgp, admins of a email server can know, who is talking to who, and all contacts in address book. What time user online.

https://theintercept.com/2016/11/29/something-happened-to-activist-email-provider-riseup-but-it-hasnt-been-compromised/

From article:
""Due to Thanksgiving and other deadlines, our lawyers were not available to advise us on what we can and cannot say," the collective member told me. "So in the interest of adopting a precautionary principle, we couldn’t say anything. Now that we have talked to [counsel], we can clearly say that since our beginning, and as of this writing, riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.""

"And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly."

Hope not compromised.
:(

More on riseup email maybe compromised:

https://www.whonix.org/blog/riseup

If I had to choose from Riseup, Yahoo, Gmail, I'll choose the guys that are trying to protect me over the guys that are trying to exploit

need more work around metadata , add Ricochet

> There is an excellent freeware anti-virus program for Windows called Avast, which is easy to use, regularly updated and well-respected by anti-virus experts. It requires that you register once every 14 months, but registration, updates and the program itself are all free-of-charge.

Recommending Avast ... :/

You going to disclose your affiliation with the Avast organization?

What about Avast silently uploading information from your computer to sell and make money from your "free" SW (like some others)?

Don't mention Avast's spying extension they were caught installing in 2014 (http://www.howtogeek.com/199829/avast-antivirus-was-spying-on-you-with-adware-until-this-week/).

- why have i "query OCSP responder servers checked on" on advanced tab ?
- is it recommended or can i check off ?
Calomel says that it is better unchecked ...

- i love ricochet but it is still in version 1.1.0 (1.1.2) does not work oops !) not yet updated ?

Why there's some usa and UK ip-ranges in tor circuits? As far as I know the whole usa and UK is under control of NSA. So where is the logic of using tor browser that is controlled by NSA?

Post an answer on your main page pls.

as soon as you prove it (under control of the nsa) i should stop use it.
afaik it is an open project promoting the freedom of speech with independence & responsibility.

I'm not an employee of Tor Project, just a user, but I'll take a stab at this:

> Why there's some usa and UK ip-ranges in tor circuits?

The Tor network relies upon volunteers who provide Tor nodes at their own expense. Many of them live in the US/UK, and cheap rates are often available for servers in the US/UK. Further Tor is not yet outright illegal in the US/UK (although that might soon change). Hence it is not surprising that many Tor nodes are in the US/UK.

The country which hosts the most Tor nodes is currently FR, by the way. Because that nation has enacted a law which appears to mandate backdoors in "mobile devices", I am not sure how legal it is to operate a Tor node in FR, but I assume it must still be legal, if only just barely so.

> As far as I know the whole usa and UK is under control of NSA.

That's quite a leap. It would be more true to say that NSA maintains an illicit presence in many, even most, IXs, national backbones, commercial telecoms/ISP networks, banking networks, around the world, for the purpose of cyberespionage/cyberwar. As such NSA is virtually a "global adversary", of the kind which, in past years, Tor traditionally did not attempt to defend against.

However, many ordinary people, NGOs, and even government officials in the US/UK oppose the rapid growth and "normalization" of the technostasi in these formerly democratic nations, and NSA (and allied actors) cannot easily deter them all from speaking out.

Ideally, there would exist many "safe haven" nations which encourage people to run Tor nodes without interference, and if that were true, it would indeed make sense to try to encourage volunteers to set up nodes in such nations. But alas, it is not true--- as all the "Western" governments appear to be turning in unison to abandon the ideals of the Enlightenment in order to adopt a peculiarly vicious new form of technologically enabled fascism, there are perhaps no "safe havens" left.

That is why every citizen of every nation has a duty to resist government oppression, even though this puts them at severe risk of retaliation: if adults don't resist today, life in a police state will become unbearable for our children by the time they become adults, if indeed they do not become victims of the genocides for which figures like Trump are plainly preparing the way.

> So where is the logic of using tor browser that is controlled by NSA?

Again, quite a leap. NSA's illicit presence in numerous networks implies that it can "easily" collect packets as they (i) pass between a user and an ISP gateway to a Tor entry guard (ii) pass from an entry guard to a Tor relay node (iii) pass from a Tor relay node to a Tor exit node (iv) pass from a Tor exit node to a destination server. However, because tor circuits are strongly encrypted as per the basic idea of the "onion" design, NSA may not be able to easily read the underlying plaintext.

It is true that NSA has poured enormous resources into illegally accessing all manner of electronic devices, no doubt including Tor nodes, all over the world, and is also suspected of itself operating some nodes for illicit purposes, but this makes them a criminal adversary of the Tor network, not a "controller" of the Tor network.

And while NSA's power and resources are indeed frightful, the agency is struggling under complex problems which tend to reduce or even undermine its real-world capabilities.

It would be better to think of it like this: NSA is a deadly enemy, in fact the enemy of the entire world (even the US), but Tor is a powerful force for good which is helping to prevent them from too easily grabbing everything they want "because they can".

Followup to the "Tor at the Heart" post about reproducible builds:

Italy is about to adopt reproducible builds--- for government hackers. BoingBoing says the bill is actually rather sensible:

https://boingboing.net/2017/02/15/title-italy-unveils-a-law-pro.html

Comments have been closed in all blog posts but this one. Is Tor blog shutting down?

> https://boingboing.net/2017/02/15/title-italy-unveils-a-law-pro.html
bullshit !
Nothing to do with terrorism or mafia ; they do not need a trojan !
In fact since dalla chiesa period , their methods are well known and never did or do attack the civil rights !
uk or us laws are not italians laws : misinformation & fake news are polluting the web.
The article (follow the italian link above pls) is about police force and judges who are working on the side of the organized crime and are afraid to be behind the bars : they are legalizing illegal methods - (romania tried to do the same about corruption few days ago).

I don't know if the developers will read this; I'm not going out of my way to inform them using other methods of communication than this, means no email or otherwise etc. Simple things like that there should be easy to access feedback that doesn't need a sign-up or sign-in etc. If you know how to contact them tell them of this feedback. I post here instead.

First impression with Tor v6.5 FUGLY well that is firefox fault they lost the plot years ago when they wanted everything mobile like YUK. Anyway at least it is not google or its clones or should that be opera and its clones. Nor thankfully is it IE.

Big FUG is the wasted space at the top of the browser stealing desktop space so less screen to read web pages. Firefox there's no need for this whatsoever, go back to v2 and take another look that browser was far better than is now. That FuckFox out of the way now on with Tor.

The older tor could easy let me choose any country from a panel list. With this version needs to keep pressing new circuit. Yes sure exit nodes and all that crap what do I care for the setting they should be available in the browser Tor settings since no one or the many will never use them including myself.

Suggest have again the old panels that used to be so able to adjust country instead of cycling new circuit with a hope of getting the country correct. This is poor foresight and lack of thought. Or how about have a drop list on new circuit where we can pick the country we need as an IP.

These are the major first gripes I guess I hate this Tor and the old one is far superior and far simpler to understand.

And what does it mean for min security slider no security but has NoScript unknown and not going to look for that either. That should be on the security slider details as is with the other two settings. Again poor lack of forethought, foresight and planning. And how many people are involved with Tor surely someone must have suggested these things to make using tor easy and more enjoyable.

At least it starts quicker than the old Tor but I would expect that with amount of time in between the versions.

Someone inform the Tor developers so they can come and read copy and inform other developers. And rightly so then delete this once they have the information.

Why is there no way to chat live with tor or not to Tor this is what would be expected. Or at least a feedback panel like this here. But then maybe Tor are thinking too many people would write to complain and rightly so.

Anyway thanks for keeping Tor going it has gone backwards dumbed down. The old version a young 4 year old could easily use it, I guess with this version it would be less so.

Don't shoot the messenger I am trying to help Tor to be better than it is now using this feedback.

I think it's terribly important that Tor Project do everything it can to encourage more people to use Tor. At times this might lead to minor (or even major) design decisions which seem repugnant to us long-time users (or even a bit scary, e.g. the lowballed default settings in the security slider). It probably helps to bear in mind that every design decision involves tradeoffs. In the case of Tor, the most difficult and hardest to avoid include tradeoffs between usability/security, security/anonymity, simplicity/complexity (maybe just a different way of restating the usability/security issue), boldness/risk-aversiveness. Not only Tor coders but Tor users must continually make this kind of tradeoff.

Stay safe out there!

yeh, I agree with you about mobile like fugly UI, plus it glitching and slower than the previous versions but with all the advanced options that you need without necessarily getting into the about:config.

They shall left the previous (windows 95 like or win2k, whatever) UI for ppl to decide what better to use.

Everything is terribly conspirative these days and fugly simplified, that's the point.
