Safest way to transfer information (Paranoid Mode)

Discussion in 'privacy general' started by lordraiden, Jun 15, 2016.

  1. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    I'm trying to figure out to safest (secure and anonym) way to transfer information from 1 PC to another, I already have something in mind but I need your help to improve it and complete it. So:

    1. A PC with Qubes + Whonix (same in the other side)
      • I guess this would be a very safe setup any better alternative?
    2. Use a VPN to connect to the Tor network in Whonix
    • Any alternative? a better way?
    1. Now I have a few doubts but I would like to hear the options. It would require
      • A quick method of interaction, like a chat (encrypted and without servers in the middle) and it shouldn't store information locally or in any server.
      • A way to transfer files (different from the method above)
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,188
    Location:
    in a remote land :)
    Demonsaw; P2P-based encrypted chat and file sharing soft.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Whonix in Qubes is arguably more secure than in VirtualBox. But more work. So it's your call.

    I would probably just create SIGAINT accounts in both Whonix VMs, and email GnuPG-encrypted files. For sure, there's stuff left on the mailserver, and there is metadata. But the files are encrypted, and the metadata doesn't reveal anything that's very useful.

    But you want no intervening servers. You could setup an onion service in each Whonix VM, and use OnionCat to create a VPN-like tunnel between them. Then you're basically just transferring stuff through a LAN.
     
  4. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    thanks both for your replies.

    @mirimir
    Would work to run Qubes in virtualbox and then virtualize Whonix in Qubes?
    I guess is more secure to use Qubes and Whonix but if we take into account that Whonix will only be use for a specific purpose, does Qubes provide any advantage at a network, privacy or anonymity level? or its only another anti hacking layer. Assuming that whonix will be the SO to use and the information will be on it so I don't know if Qubes provides any advantage.

    Would work to run a VPN (any) to access to the Tor network and then use OnionCat (another VPN) to connect both computers?

    I guess I could use demonsaw inside OnionCat? right?

    EDIT: I would like to add this articles which I find interesting: https://www.bestvpn.com/blog/42672/using-vpn-and-tor-together/
    https://www.bolehvpn.net/blog/2012/...n-with-tor-for-greater-anonymity-or-security/
    It looks like the first on says that VPN through Tor is better than Tor through VPN and the second article has the opposite opinion. What do you think is better in my case?
     
    Last edited: Jun 15, 2016
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    As far as I know, Qubes only runs on bare metal.
    Right, Qubes just gives you a host that resists attack better that VirtualBox does. It'd be harder to break out from a Qubes VM to the host. Otherwise, I don't believe that there's a privacy advantage.
    Yes. You use a VPN to reach the Internet, and then hit Tor through that. OnionCat is a "VPN" that only works between Tor onion services.
    You can use any IPv4 or IPv6 protocol inside OnionCat :)
    That bloody question, again :eek:

    It depends on what you want. Hitting Tor through a VPN, your ISP doesn't know that you're using Tor. If one of your entry guards is a honeypot or pwned, adversary just sees the VPN exit IP. The VPN sees that you're using Tor, but can't see any plaintext traffic.

    Hitting a VPN through Tor, websites don't see that you're using Tor, so you can evade anti-Tor blocks. But the VPN connection prevents Tor from changing circuits, so you have less anonymity. Most seriously, however, the VPN provider may know who you are. Through a money trail. Even using Bitcoin, if it's not anonymized well enough. Using free VPNs like SecurityKISS gets around that.
     
  6. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    But the VPN can know who am I in any case right? I have to pay the VPN anyway.
    It looks like it's a better solution to connect to the VPN through tor, right?
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    It's only worth connecting to the VPN through Tor if you pay "anonymously" for the VPN. Otherwise, you don't gain enough to bother. VPN through Tor is slow and likely to disconnect. See https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-7 It's somewhat dated, but still valid, I think.

    Edit: But @Palancar is the Bitcoin guru on Wilders :)
     
  8. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    DVD in the post? What latency are you after?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    That's outdated. Simply running the VPN client in Whonix workstation VM works fine now.

    For routing Tor through VPN, see https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-2

    For routing a VPN client in pfSense through Tor, using Whonix, you'd need to do serious surgery on both the pfSense VM (to make it use a Tor socksproxy port in the gateway VM) and the workstation VM (to undo protections to route everything through Tor socksproxy ports in the gateway VM). Nontrivial :( Easier is just creating a Debian Tor gateway VM.
     
  11. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    491
    Location:
    Earth .... occasionally
    I never succeeded in getting Qubes to run on anything but bare metal , and even then it was pretty picky about
    which particular " flavor " of bare metal it liked .
    Lovely concept though :)

    But I'm talking about a year ago so maybe things have changed .
    My attention wandered , and I sort of put it aside , and started looking at Subgraph ..... and then I put that aside :)

    Ha ! .... If I were you I'd learn to live with it ..... it's not going away anytime soon :)
     
    Last edited: Jun 15, 2016
  12. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    The new version of Qubes comes with an option to preinstall whonix so it should be quite easy
    https://www.qubes-os.org/news/2016/03/09/qubes-os-3-1-has-been-released/
    https://www.qubes-os.org/doc/whonix/
     
  13. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    Last edited: Jun 16, 2016
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I don't know IPSec. But in OpenVPN, you can add the socks-proxy option in the config on both ends, and use Tor's SOCKS5 proxy. You can also run the OpenVPN server as an onion service, and use the socks-proxy option in the config on client side. In Whonix, you don't need the socks-proxy option. If you want the VPN app and Tor on different VMs, I wouldn't use Whonix. Just use a pfSense VPN-gateway VM with a Debian Tor gateway VM.
     
  15. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    Thanks mirimir, in this thread we have talked about many configurations, using pfsense, onioncat, openvpn... but I would like to focus on something and start to research about it, so I would like to ask you which one is the best setup in your opinion and why.


    I have a question, whonix gateway routes all the traffic that whonix workstation generates through tor? I have been testing it and it looks like workstation only uses tor when I use tor browser and if I use firefox I bypass the tor server in the gateway. How does it work exactly?

    Thanks a lot for you help
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I'd say that OnionCat between onion services on each end is the best. I've never used OnionCat, but people I trust recommend it. And it's all through Tor, with no exit relays or clearnet traffic involved, and no intervening servers (except Tor relays). Supposedly, it's not hard to configure. I gather that it's being used for BitTorrent via Tor, with trackers, seeders and clients running as onion services. But it's still a bandwidth hog :(
    Even if you install a new browser in the workstation VM, I don't believe that it's possible for it to bypass Tor. If it's not setup with a SOCKS5 proxy, it just won't connect to anything. With Firefox, however, https://check.torproject.org/ will warn you that you're not using Tor browser.
    De nada :)
     
Loading...