[or-cvs] r16494: {incognito} Massive update of documentation. Now with something that sta (incognito/trunk/root_overlay/usr/share/incognito)

anonym at seul.org anonym at seul.org
Sun Aug 10 23:03:42 UTC 2008


Author: anonym
Date: 2008-08-10 19:03:41 -0400 (Sun, 10 Aug 2008)
New Revision: 16494

Modified:
   incognito/trunk/root_overlay/usr/share/incognito/docs.html
Log:
Massive update of documentation. Now with something that starts to look as a specification!


Modified: incognito/trunk/root_overlay/usr/share/incognito/docs.html
===================================================================
--- incognito/trunk/root_overlay/usr/share/incognito/docs.html	2008-08-09 21:15:53 UTC (rev 16493)
+++ incognito/trunk/root_overlay/usr/share/incognito/docs.html	2008-08-10 23:03:41 UTC (rev 16494)
@@ -9,417 +9,569 @@
 
 <h2>Contents</h2>
 <ul>
-<li><a href="#intent">Intent and goals</a></li>
-<li><a href="#download">Download</a></li>
-<li><a href="#contact">Contact</a></li>
-<li><a href="#approach">Approach</a></li>
-<li><a href="#impl">Implementation</a></li>
+  <li><a href="#intro">1 Introduction</a></li>
+  <li><a href="#spec">2 Privacy Enhancing LiveDistro Specification</a></li>
+  <ul>
+    <li><a href="#intent">2.1 Intent</a></li>
+    <li><a href="#threat">2.2 Threat model</a></li>
+    <li><a href="#dist">2.3 Distribution</a></li>
+    <li><a href="#operation">2.4 Operational requirements</a></li>
+    <li><a href="#kernel">2.5 Kernel requirements</a></li>
+    <li><a href="#net">2.6 Network requirements</a></li>
+    <li><a href="#apps">2.7 User interface and applications</a></li>
+    <li><a href="#usability">2.8 Usability</a></li>
+    <li><a href="#other">2.9 Other considerations</a>
+  </ul>
+  <li><a href="#impl">3 Implementation</a></li>
+  <ul>
+    <li><a href="#download">3.1 Download</a></li>
+    <li><a href="#software">3.2 Software</a></li>
+    <li><a href="#inter">3.3 Internationalization</a></li>
+    <li><a href="#conf">3.4 Configuration</a></li>
+    <li><a href="#vm">3.5 Running __INCOGNITO__ in virtual machine</a></li>
+    <li><a href="#windows">3.6 Running __INCOGNITO__ inside a Windows session<</a></li>
+    <li><a href="#usb">3.7 Persistent User Settings for a USB drive</a></li>
+    <li><a href="#hidden">3.8 Hidden services</a></li>
+    <li><a href="#build">3.9 Build process and maintenance</a></li>
+    <li><a href="#caveats">3.10 Caveats</a></li>
+  </ul>
+  <li><a href="#security">4. Security analysis</a></li>
+</ul>
+
+<h2><a name="intro">1 Introduction</h2>
+<p>In this document we present a specification of a Privacy Enhancing LiveDistro as well as an actual implementation of it called __INCOGNITO__.</p>
+
+
+<h2><a name="spec">2 Anonymity LiveDistro Specification</h2>
+
+
+<h3><a name="intent">2.1 Intent</h3>
+
+<p>The Privacy Enhancing LiveDistro (or PELD for short) aims at providing a software solution presenting the user with the technological means for using popular Internet technologies while maintaining the privacy of the user, in particular with respect to anonymity. While there are different techniques and services providing that functionality, this specification will assume the usage of <a href="https://www.torproject.org">The Tor&trade; Project</a>'s state-of-the-art anonymizing overlay network Tor.</p>
+
+<p>The PELD is supposed to be self-contained and portable (literally, not necessarily with respect to code portability), and thus possible to run in as many computing environments as possible fot the same single distribution. In addition, while the PELD's main objective indeed is to act as a traditional LiveDistro (i.e. a LiveCD or LiveUSB) it should also be compatible with popular virtual machine technologies for users that simply want a sandboxed environment within their normal operating system.</p>
+
+<p>The PELD's target user is the average user in terms of computer literacy, and who is using a computer of which he or she not necessarily have full control of. Examples would be a public computer in a library, coffee shop, university or a residence. The target user is assumed to not want to do any of the configurations (at least with respect to security and anonymity) of the various applications and tools used themselves, either because of insufficient knowledge, lack of interest or other reasons. The PELD should provide strong anonymity with no need of advanced configuration whatsoever. It should be made as difficult as possible for the user to unknowingly compromise anonymity.</p>
+
+<p>In short, the PELD aims at providing privacy on the Internet for anyone anywhere.</p>
+
+
+<h3><a name="threat"></a>2.2 Threat model</h3>
+
+<p>The goal of staying anonymous and keeping sensitive information protected stands in direct conflict with the gols of several entities &quot;present&quot; on the Internet. The following threat model is meant to describe the intentions and capabilities of such hypothetical attackers:</p>
+
+<h4>2.2.1 The goal of the attacker</h4>
+
 <ul>
-  <li><a href="#software">Software</a></li>
-  <li><a href="#inter">Internationalization</a></li>
-  <li><a href="#conf">Configuration</a></li>
-  <li><a href="#usb">Persistent User Settings for a USB drive</a></li>
-  <li><a href="#hidden">Hidden services</a></li>
+  <li><b>Identify the user's activities on the Internet</b></li>
+  <p>Information such as user-agent, locale and (especially) IP address can all be used in various degrees to identify the user.</p>
+  <li><b>Eavesdrop on sensitive data</b></li>
+  <p>Sensitive data sent through the Tor network will only be untraceable (with respect to Tor's threat model) and thus will be at least as likely to be eavesdropped.</p>
 </ul>
-<li><a href="#maintenance">Maintenance</a></li>
-<li><a href="#caveats">Caveats</a></li>
-<li><a href="#security">Security</a></li>
+
+<h4>2.2.2 Capabilities, methods and other means of the attacker</h4>
+<ul>
+  <li><b>Eavesdropping</b></li>
+  <p>It is assumed that the attacker can observe any traffic that exits the Tor network.</p>
+  <li><b>Bypass attacks</b></li>
+  <p>It is conceivable for attackers to mount attacks which bypass the proxy and DNS setup in the applications which could then be used to identify the user, either by injecting data or social engineering.</p>
+  <li><b>Explot software vulnerabilities</b></li>
+  <p>The attacker might be able to run arbitrary code by exploiting unpatched vulnerabilities present in any of the software packages installed.</p>
+  <li><b>Application level attacks</b></li>
+  <p>The attacker can utilize certain applications' services and features to get identifying information. Examples are JavaScript and Java applets in web browsers, CTCP queries in IRC clients, etc.</p>
 </ul>
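Review bot: The new section 2 heading reads "2 Anonymity LiveDistro Specification" while the Contents entry that links to it says "2 Privacy Enhancing LiveDistro Specification", and the anchors in the headings for 1, 2 and 2.1 (<a name="intro">, <a name="spec">, <a name="intent">) are opened but never closed, unlike <a name="threat"></a> in 2.2. Use one title in both places and close each anchor before the heading text. In the Contents list the 2.9 entry has no closing </li>, the 3.6 entry has a stray "<" before </a>, and the last entry is numbered "4." where the others carry no dot. The added text has typos: "fot" in 2.1, "gols" in 2.2 and "Explot" in 2.2.2. In 2.2.1 the eavesdropping sentence ("will only be untraceable ... and thus will be at least as likely to be eavesdropped") does not say compared to what. Stating that Tor hides where traffic comes from but does not protect its content once it leaves the network would match the assumption in 2.2.2 that the attacker can observe any traffic that exits the Tor network.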
 
-<p><strong>NOTICE</strong>: This distribution is provided as-is with no warranty of fitness for a particular purpose, including total anonymity. Anonymity depends not only on the software but also on the user understanding the risks involved and how to overcome those risks.</p>
 
-<h2><a name="intent">Intent and goals</h2>
-<blockquote>What are we trying to do?</blockquote>
+<h3><a name="dist"></a>2.3 Distribution</h3>
 
-<p>This CD provides a software solution for using various Internet technologies while staying anonymous. It is based primarily on <a href="https://www.torproject.org">Tor</a> while including supporting applications. The target use case is that of using a public computer, such as in a library, securely, or a home computer for easy setup. This distribution may is designed as a LiveCD, but may also be copied to a USB drive to provide persisted user settings, or run from virtual machines such as QEMU, VMWare and VirtualBox.</p>
+<p>The PELD should be distributed in a common format that can easily be used to install the PELD on the selected medium. For instance, if distributed as an ISO 9660 compatible image file it can be burned to a CD with almost any CD recording software available.</p>
 
 
-<dl>
+<h3><a name="operation"></a>2.4 Operational requirements</h3>
 
-<dt>Target User Base</dt>
-<dd>
-The target user is one who is using a computer that does not necessarily have full control of said computer and desires to access Internet services anonymously. Examples would be a public computer in a library, coffee shop, university or a residence. Also, users not wanting to bother with configuring all applications appropriately (with respect to anonymity) could use __INCOGNITO__ on their home computers for easy setup. The implementation should provide strong anonymity with no configuration. It should be difficult or impossible, for the user to unknowingly compromise anonymity. Users requiring more precise control over the application and network configuration may be disappointed.
-</dd>
+<p>This section handles mostly the criteria that the PELD should be portable and able to run in as many environments as possible. It also deals with issues such as virus infections and leaving traces.</p>
 
-<dt>Required Internet Services</dt>
-<dd>
-At minimum the following Internet services should be supported: WWW, E-Mail, IRC.
-</dd>
+<h4>2.4.1 Platform</h4>
 
-<dt>Recommended Internet Services</dt>
-<dd>
-The following Internet services are recommended to be supported: Instant Messaging, SSH, Remote desktop control, P2P file-sharing.
-</dd>
+<p>The binaries should all be executable on the most common computer hardware architecture(s). As of 2008, the x86 computer architecture seems to be the obvious choice as the vast majority of personal computers in use is compatible with it.</p>
 
-<dt>Supported Instant Messaging Protocols</dt>
-<dd>
-The following instant messaging protocols should be supported based on the constraint that the protocol itself does not require information that compromises anonymity: (TODO)
-</dd>
+<h4>2.4.2 Media</h4>
 
-<dt>Discouraged Instant Messaging Protocols</dt>
-<dd>
-The following instant messaging protocols should NOT be supported based on the constraint that the protocol itself requiress information that compromises anonymity: (TODO)
-</dd>
+<p>The PELD should be able to boot and run from either CD or a USB drive. While running the PELD in that mode it should be completely independent from the host operating system and all other storage media on the host computer unless the user explicitly tries to access any of them.</p>
 
-<dt>Maintainable</dt>
-<dd>
-The procedure to update the CD should not be prohibitive to provide timely software updates to address issues related to security or anonymity.
-</dd>
+<p>In all circumstances, binaries, dynamic libraries and other executable code susceptible to virus infections and similar should always be completely write-protected, even when running from a writeable USB medium. Such files should not even be modifiable temporarily, which could be the case even when running from CD if the filesystem is loaded into memory (e.g. tmpfs).</p>
 
-<dt>Media</dt>
-<dd>
-The implementation should be able to run off either CD or a USB bootable drive. The media must be bootable and not run from the host operating system, although the latter may be available for those willing to take risks.
-</dd>
+<p>Configuration files, temporary files, user home directories and similar files that most likely need to be modifiable during operation should only be saved temporarily in memory (e.g. by use of something like tmpfs or unionfs).</p>
 
-<dt>Persisted User Settings on USB Drive</dt>
-<dd>
-User settings and files should be persisted when using a USB drive. The user should have the option to store these settings and files encrypted.
-</dd>
+<p>It is tempting to utilize the possibility to write back data when running from USB as that could be used to allow user settings to be persistent. If this is considered, this feature should be optional and offer the possibility to use string encryption for the persistent storage.</p>
 
-</dl>
+<h4>2.4.3 Virtual machines</h4>
 
+<p>As an alternative to running the PELD natively from a CD or USB, it should also be possible to run from virtual machines. This is useful in situations where the user might not have the possibility to run the PELD natively, which often can be the case with public computers. Additionally, many users seem to prefer this mode of operation, and that alone is a reason for making sure it works.</p>
 
-<h2><a name="download">Download</h2>
 
+<h3><a name="kernel"></a>2.5 Kernel requirements</h3>
+
+<p>The role of the kernel is mainly to provide support for the features required elsewhere in this specification. This includes:</p>
+
+<ul>
+  <li><b>Good hardware support</b></li>
+  <p>&quot;Good&quot; is a sketchy word in a specification. The general idea is to include as much drivers for relevant hardware as possible, in particular for network cards (wire and wireless), video card and other things necessary for basic operation.</p>
+  <li><b>Support for a stateful firewall with packet filtering capabilities</b></li>
+  <p>It must be able to separate between traffic some how for the functionality of the transparent proxying mentioned in the <a href="#net">network section</a> to work. Similarly, it must be able to identify and drop non TCP traffic destined to the Internet.</p>
+  <li><b>Security features</b></li>
+  <p>With the dangers of exploitable vulnerabilities in any code running, attempts to mitigate these on the kernel level is a good idea. Executable space protection with the NX bit, address space layout randomization and similar techniques are all interesting in this respect. Access control in the form of Mandatory Access Control, Role-Based Access control and so on should also be considered.</p>
+</ul>
+
+
+<h3><a name="net"></a>2.6 Network requirements</h3>
+
+<p>In order to prevent accidental leaks of information, proxy bypass attacks on Tor and similar, the access to the Internet should be heavily restricted by a firewall:</p>
+
+<ul>
+  <li>All non-TCP protocols (except DNS) should be dropped as they are not supported by the Tor network.</li>
+  <li>All TCP traffic not explicitly targeting Tor should be redirected to the transparent proxy (i.e. to the TransPort as set in torrc).</li>
+  <li>All DNS lookups should be made through the Tor network (i.e. redirected to DNSPort as set in torrc).
+</ul>
+
+<p>Note that the above is not necessary (or desirable) for local network addresses.</p>
+
+
+<h3><a name="apps"></a>2.7 User interface and applications</h3>
+
+<h4>2.7.1 General user interface</h4>
+
+<p>The user should be able to do all relevant things with easy to use graphical interfaces. As such it should be presented a solid, user-friendly desktop environment with all the expected features (file managing, change system settings, support applications etc.) after booting.</p>
+
+<h4>2.7.2 Internet applications</h4>
+
+<p>At minimum, clients for the following Internet activities must be supported:</p>
+
+<ul>
+  <li><b>Web browsing</b></li>
+  <p>In the case of web browsing we really encourage the use of Mozilla Firefox as the Tor Project itself has an extension, Torbutton, specifically designed for mitigating the risks with non-HTTP features, such as JavaScript.</p>
+  <li><b>Emailing</b></li>
+  <p>Support for PGP or S/MIME is highly recommended. Also, beware that the EHLO/HELO sent to the SMTP-server will contain the host's IP address in many email clients</p>
+  <li><b>IRC and Instant messaging</b></li>
+  <p></p>
+</ul>
+
+<p>Other recommended client for Internet activities includes:</p>
+
+<ul>
+  <li><b>Bittorrent and/or other type(s) of P2P file-sharing</b></li>
+  <p>Note, however, that large scale file-sharing activity in general is frowned upon in the Tor community as it consumes extreme amounts of bandwidth compared to other kinds of services.</p>
+  <li><b>Remote desktop</b></li>
+  <li><b>SSH</b></li>
+</ul>
+
+<p>Given that these applications will be the user's interface to the Internet, these should be chosen with care and security in mind, and also configured in such a way. In general, as little information as possible should leak about the user, the applications used and the system settings.</p>
+
+<h4>2.7.3 Tor</h4>
+
+<p>Tor should be setup to use its DNS server (DNSPort) and transparent proxy (TransPort, TransListen) so the functionality specified in the <a href="#net">network</a> section is covered. Since Tor really is at the core of the PELD only stable releases should be considered. Also, while there are many other interesting configurations to consider in the Tor manual, none of them that impairs anonymity or security should be set.</p>
+
+<p>A GUI Tor controller application such as Vidalia or TorK is highly recommended. However, this requires opening the control port in Tor, and thus some means of authentication will be required (CookieAuthentication preferably) to hinder attacks on the Tor software.</p>
+
+<h4>2.7.4 Hardened tool chain and compiling</h4>
+
+<p>As an addition to the security against exploitable vulnerabilities <a href="#kernel">provided by the kernel</a>, compiling software with stack smashing protection, address space layout randomization and similar compiler security enhancements is recommended. Note that in some circumstances compiler level stuff is necessary for utilizing the kernel security features. Because of this it is recommended to compile essentially all software from sources to take benefit from these security features.</p>
+
+<h4>2.7.5 Cryptographic tools</h4>
+
+<p>Tools for securely signing, verifying, encrypting and decrypting files and contents should be available. In particular some implementation of OpenPGP should be available as it in practice is the de-facto standard. GUIs for managing keys and performing the relevant cryptographic tasks should be available. Tools for creating encrypted storage containers are also recommended.</p>
+
+<h3><a name="usability"></a>2.8 Usability</h3>
+
+<p>Security is usually hard to get. Therefore steps need to be taken in order to make the user more comfortable with the PELD, and also to educate the user about the specific risks and quirks with respect to anonymity on the Internet.</p>
+
+<h4>2.8.1 Internationalization</h4>
+
+<p>The user should be able to easily select his of her language of preference. User applications should be localized to fit this preference, as should system settings such as keyboard layout.</p>
+
+<h4>2.8.2 Education and user help</h4>
+
+<p>The PELD should include an easily read document explaining how to use it and its software securely. The user should be assumed to only have the knowledge of you average computer user, so there will be required some explaining of general security concepts.</p>
+
+
+<h3><a name="other"></a>2.9 Other considerations</h3>
+
+<h4>2.9.1 Maintainability</h4>
+
+<p>The procedure to update the PELD should not be prohibitive to provide timely software updates to address issues related to security or anonymity. A scripted, automatic build procedure is greatly preferred to manually setting up things.</p>
+
+<h4>2.9.2 Open-source transparency</h4>
+
+<p>For the sake of transparency the use of open-source software is encouraged. Binary blobs should only be used when no good alternatives exist, which could be the case with certain hardware drivers or driver firmwares.</p>
+
+<p>Similarly, it is recommended that the PELD itself is open-source, and that it is well documented to help security analysis by third-parties.</p>
+
+
+<h2><a name="impl"></a>3 Implementation</h2>
+<p>The __INCOGNITO__ LiveDistro is an implementation the <a href="#spec">PELD specification</a> above. It is licensed under the GNU GPL version 2.</p>
+
+<p><b>NOTICE</b>: This distribution is provided as-is with no warranty of fitness for a particular purpose, including total anonymity. Anonymity depends not only on the software but also on the user understanding the risks involved and how to overcome those risks.</p>
+
+<h3><a name="download">3.1 Download</h3>
+
 <p>See the <a href="http://www.browseanonymouslyanywhere.com/incognito/index.php?option=com_content&task=view&id=26&Itemid=39">download section</a> on <a href="http://www.browseanonymouslyanywhere.com/incognito">__INCOGNITO__'s main site</a> for download information. Various development files (portage snapshot and stage3 tarball) as well as the current version of __INCOGNITO__ can be found at <a href="http://files1.cjb.net/incognito/">http://files1.cjb.net/incognito/</a>.</p>
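Review bot: In 2.6 the exemption "Note that the above is not necessary (or desirable) for local network addresses" is left open-ended, although the three rules before it are what the specification relies on to prevent leaks and proxy bypass. Spell out which destinations count as local and whether the exemption also covers DNS: the third rule requires all lookups to be redirected to DNSPort, and a lookup sent to a resolver on the local network would not be. The "(except DNS)" in the first rule would be clearer if it referred to the third rule directly. Smaller points in the added text: the third list item in 2.6 has no closing </li>, the "IRC and Instant messaging" item in 2.7.2 is followed by an empty <p></p>, 2.4.2 says "string encryption" where "strong encryption" seems intended, 2.8.1 has "his of her", 2.8.2 has "you average", and section 3 opens with "is an implementation the" (missing "of").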
 
-<p>The latest version of this document for the current relesase can be found <a href="http://www.anonymityanywhere.com/incognito/index.php?option=com_content&task=view&id=26&Itemid=39">here</a>. The development version of this document can be found at Incognito's subversion repository <a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/share/incognito/docs.html">here</a>, although it should be noted that some information which is added dynamically at build will not be present (has mostly to do with information about which software packages that are installed).</p>
+<p>The sources are stored in a <a href="http://subversion.tigris.org">Subversion</a> repository. It can be viewed or checked out at <a href="https://tor-svn.freehaven.net/svn/incognito/">https://tor-svn.freehaven.net/svn/incognito/</a>.</p>
 
-<p>The build root for the CD is stored in a <a href="http://subversion.tigris.org">Subversion</a> repository. It can be viewed or checked out at <a href="https://tor-svn.freehaven.net/svn/incognito/">https://tor-svn.freehaven.net/svn/incognito/</a>.</p>
+<p>The latest version of this document for the current release can be found <a href="http://www.anonymityanywhere.com/incognito/index.php?option=com_content&task=view&id=26&Itemid=39">here</a>. The development version of this document can be found at __INCOGNITO__'s subversion repository <a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/share/incognito/docs.html">here</a>, although it should be noted that some information which is added dynamically at build will not be present.</p>
 
 
-<h2><a name="contact">Contact</h2>
+<h3><a name="software">3.2 Software</h3>
 
-<p>As of november 2007, the maintainace of this distribution has passed from the founder, Pat Double, to anonym, who can be contacted through anonym (at) lavabit (dot) com. Please do not contact Pat for anything relating to the current development of __INCOGNITO__. Feature requests and (especially) bug reports are welcome and should be sent to anonym, and please include "__INCOGNITO__" in the subject line to ease mail sorting. Also, please be considerate of any major technology choices, such as <a href="http://www.gentoo.org/proj/en/releng/catalyst">Catalyst</a> and <a href="http://www.gentoo.org">Gentoo Linux</a>, <a href="http://www.kde.org">KDE</a>, etc. These have been chosen because of the developers' familiarity with them and will likely not change ever. If someone would like to maintain a parallell version with, say, Gnome instead of KDE or similar that would probably work just fine. However, since the whole development process is centered around Gentoo Linux' Catalyst, neither of them are negotiable.</p>
+<p>The following software is used in __INCOGNITO__. This list is not complete, but only contains packages deemed as important for whatever reason. The complete list of the packages is included in the distribution at /usr/share/packages.txt but note that this package list currently will contain a few false positives of packages that get uninstalled in order to conserve space.</p>
 
 
-<h2><a name="approach">Approach</h2>
-<blockquote>What is needed to reach our goals?</blockquote>
+<h4>3.2.1 __INCOGNITO__ core</h4>
 
+<ul>
+  <li><a href="http://www.gentoo.org">Gentoo Linux</a> (using <a href="<!-- #homepage(sys-kernel/hardened-sources) -->">hardened-sources</a> <!-- #version(sys-kernel/hardened-sources) --> as the system kernel)</li>
+  <p>The base operating system, provides hardware detection, infrastructure. Please note that the Gentoo Foundation does not provide or endorse this software distribution.</p>
 
-<h2><a name="impl">Implementation</h2>
-<blockquote>How did we implement our approach in order to reach our goals.</blockquote>
+  <li><a href="<!-- #homepage(net-misc/tor) -->">Tor</a> <!-- #version(net-misc/tor) --></li>
+  <p><!-- #description(net-misc/tor) -->. Our intention is to always use the latest stable version.</p>
 
+  <li><a href="<!-- #homepage(net-proxy/polipo) -->">polipo</a> <!-- #version(net-proxy/polipo) --></li>
+  <p><!-- #description(net-proxy/polipo) --></p>
 
-<h3><a name="software">Software</h3>
+  <li><a href="<!-- #homepage(net-analyzer/macchanger) -->">macchanger</a> <!-- #version(net-analyzer/macchanger) --></li>
+  <p><!-- #description(net-analyzer/macchanger) --></p>
 
-<p>The following software is used in __INCOGNITO__. The version of the packages is included on the CD at /usr/share/packages.txt but note that this package list currently will contain a few package that are not already installed as it is generated before catalyst unmerges them in the last stage.</p>
+  <li><a href="<!-- #homepage(www-servers/lighttpd) -->">lighthttpd</a> <!-- #version(www-servers/lighttpd) --> (for hidden services)</li>
+  <p><!-- #description(www-servers/lighttpd) --></p>
 
-<dl>
+  <li><a href="<!-- #homepage(net-proxy/3proxy) -->">3proxy</a> <!-- #version(net-proxy/3proxy) --></li>
+  <p><!-- #description(net-proxy/3proxy) --></p>
 
-<dt><a href="http://www.gentoo.org">Gentoo Linux</a> (<a href="http://www.kernel.org">kernel 2.6</a> <!-- #version(sys-kernel/gentoo-sources) -->)</dt>
-<dd>The base operating system, provides hardware detection, infrastructure. Please note that the Gentoo Foundation does not provide or endorse this software distribution.</dd>
+  <li><a href="<!-- #homepage(mail-mta/mixminion) -->">Mixminion</a> <!-- #version(mail-mta/mixminion) --></li>
+  <p><!-- #description(mail-mta/mixminion) --></p>
 
-<dt><a href="<!-- #homepage(net-misc/tor) -->">Tor</a> <!-- #version(net-misc/tor) --></dt>
-<dd><!-- #description(net-misc/tor) -->. Our intention is to always use the latest stable version.</dd>
+  <li><a href="<!-- #homepage(net-dns/pdnsd) -->">pdnsd</a> <!-- #version(net-dns/pdnsd) --></li>
+  <p><!-- #description(net-dns/pdnsd) -->. Configured to do lookups through Tor.</p>
 
-<dt><a href="<!-- #homepage(net-proxy/polipo) -->">polipo</a> <!-- #version(net-proxy/polipo) --></dt>
-<dd><!-- #description(net-proxy/polipo) --></dd>
+  <li><a href="<!-- #homepage(app-crypt/truecrypt) -->">TrueCrypt</a> <!-- #version(app-crypt/truecrypt) --></li>
+  <p><!-- #description(app-crypt/truecrypt) -->. This is what is used for encrypting the <a href="#usb">persistent home partition while running on USB</a>. It also has a GUI for general usage.</p>
 
-<dt><a href="<!-- #homepage(www-client/mozilla-firefox-bin) -->">Firefox</a> <!-- #version(www-client/mozilla-firefox-bin) --></dt>
-<dd><!-- #description(www-client/mozilla-firefox-bin) --></dd>
 
-<dt><a href="<!-- #homepage(x11-plugins/torbutton-bin) -->">Torbutton</a> <!-- #version(x11-plugins/torbutton-bin) --></dt>
-<dd><!-- #description(x11-plugins/torbutton-bin) --></dd>
+</ul>
 
-<dt><a href="<!-- #homepage(x11-plugins/firegpg) -->">FireGPG</a> <!-- #version(x11-plugins/firegpg) --></dt>
-<dd><!-- #description(x11-plugins/firegpg) --></dd>
+<h4>4.2.2 Internet applications</h4>
 
-<dt><a href="<!-- #homepage(x11-plugins/refcontrol) -->">refcontrol</a> <!-- #version(x11-plugins/refcontrol) --></dt>
-<dd><!-- #description(x11-plugins/refcontrol) --></dd>
+<ul>
+  <li><a href="<!-- #homepage(www-client/mozilla-firefox) -->">Firefox</a> <!-- #version(www-client/mozilla-firefox-bin) --></li>
+  <p><!-- #description(www-client/mozilla-firefox-bin) -->. In addition, the following extensions are installed for security and usability reasons:</p>
+  <ul>
+    <li><a href="<!-- #homepage(x11-plugins/torbutton-bin) -->">Torbutton</a> <!-- #version(x11-plugins/torbutton-bin) --></li>
+    <p><!-- #description(x11-plugins/torbutton-bin) -->. It also provides protections against several attacks possible due to Firefox's non-HTTP features.</p>
 
-<dt><a href="<!-- #homepage(x11-plugins/adblock_plus) -->">Adblock Plus</a> <!-- #version(x11-plugins/adblock_plus) --></dt>
-<dd><!-- #description(x11-plugins/adblock_plus) --></dd>
+    <li><a href="<!-- #homepage(x11-plugins/firegpg) -->">FireGPG</a> <!-- #version(x11-plugins/firegpg) --></li>
+    <p><!-- #description(x11-plugins/firegpg) --></p>
 
-<dt><a href="<!-- #homepage(net-irc/xchat) -->">XChat</a> <!-- #version(net-irc/xchat) --></dt>
-<dd><!-- #description(net-irc/xchat) --></dd>
+    <li><a href="<!-- #homepage(x11-plugins/refcontrol) -->">refcontrol</a> <!-- #version(x11-plugins/refcontrol) --></li>
+    <p><!-- #description(x11-plugins/refcontrol) --></p>
 
-<dt><a href="<!-- #homepage(app-crypt/truecrypt) -->">TrueCrypt</a> <!-- #version(app-crypt/truecrypt) --></dt>
-<dd><!-- #description(app-crypt/truecrypt) --></dd>
+    <li><a href="<!-- #homepage(x11-plugins/adblock_plus) -->">Adblock Plus</a> <!-- #version(x11-plugins/adblock_plus) --></li>
+    <p><!-- #description(x11-plugins/adblock_plus) --></p>
 
-<dt><a href="<!-- #homepage(net-misc/openssh) -->">ssh</a> <!-- #version(net-misc/openssh) --></dt>
-<dd><!-- #description(net-misc/openssh) --></dd>
+    <li><a href="<!-- #homepage(x11-plugins/firefox-quick-locale-switcher) -->">Firefox Quick Locale Switcher</a> <!-- #version(x11-plugins/firefox-quick-locale-switcher) --></li>
+    <p><!-- #description(x11-plugins/firefox-quick-locale-switcher) --></p>
+  </ul>
 
-<dt><a href="<!-- #homepage(net-analyzer/macchanger) -->">macchanger</a> <!-- #version(net-analyzer/macchanger) --></dt>
-<dd><!-- #description(net-analyzer/macchanger) --></dd>
+  <li><a href="<!-- #homepage(mail-client/mozilla-thunderbird-bin) -->">Thunderbird</a> <!-- #version(mail-client/mozilla-thunderbird-bin) --></li>
+  <p><!-- #description(mail-client/mozilla-thunderbird-bin) -->. In addition, the following extensions are installed for security and usability reasons:</p>
+  <ul>
+    <li><a href="<!-- #homepage(x11-plugins/enigmail-bin) -->">Thunderbird OpenPGP (enigmail)</a> <!-- #version(x11-plugins/enigmail-bin) --></li>
+    <p><!-- #description(x11-plugins/enigmail-bin) --></p>
 
-<dt><a href="<!-- #homepage(www-servers/lighttpd) -->">lighthttpd</a> <!-- #version(www-servers/lighttpd) --> for hidden services</dt>
-<dd><!-- #description(www-servers/lighttpd) --></dd>
+    <li><a href="<!-- #homepage(x11-plugins/thunderplunger) -->">Thunder Plunger</a> <!-- #version(x11-plugins/thunderplunger) --></li>
+    <p><!-- #description(x11-plugins/thunderplunger) --></p>
+  </ul>
 
-<dt><a href="<!-- #homepage(net-proxy/3proxy) -->">3proxy</a> <!-- #version(net-proxy/3proxy) --></dt>
-<dd><!-- #description(net-proxy/3proxy) --></dd>
+  <li><a href="<!-- #homepage(net-irc/xchat) -->">XChat</a> <!-- #version(net-irc/xchat) --></li>
+  <p><!-- #description(net-irc/xchat) --></p>
 
-<dt><a href="<!-- #homepage(mail-mta/mixminion) -->">Mixminion</a> <!-- #version(mail-mta/mixminion) --></dt>
-<dd><!-- #description(mail-mta/mixminion) --></dd>
+  <li><a href="<!-- #homepage(net-misc/openssh) -->">ssh</a> <!-- #version(net-misc/openssh) --></li>
+  <p><!-- #description(net-misc/openssh) --></p>
 
-<dt><a href="<!-- #homepage(mail-client/mozilla-thunderbird-bin) -->">Thunderbird</a> <!-- #version(mail-client/mozilla-thunderbird-bin) --></dt>
-<dd><!-- #description(mail-client/mozilla-thunderbird-bin) --></dd>
+  <li><a href="<!-- #homepage(www-client/links) -->">links</a> <!-- #version(www-client/links) --></li>
+  <p><!-- #description(www-client/links) --></p>
 
-<dt><a href="<!-- #homepage(x11-plugins/enigmail-bin) -->">Thunderbird OpenPGP (enigmail)</a> <!-- #version(x11-plugins/enigmail-bin) --></dt>
-<dd><!-- #description(x11-plugins/enigmail-bin) --></dd>
+  <li><a href="<!-- #homepage(net-misc/openvpn) -->">OpenVPN</a> <!-- #version(net-misc/openvpn) --></li>
+  <p><!-- #description(net-misc/openvpn) -->. Can operate over TCP or UDP. Due to limitations of the Tor software only TCP is anonymized. UDP is currently blocked.</p>
 
-<dt><a href="<!-- #homepage(x11-plugins/thunderplunger) -->">Thunder Plunger</a> <!-- #version(x11-plugins/thunderplunger) --></dt>
-<dd><!-- #description(x11-plugins/thunderplunger) --></dd>
+</ul>
 
-<dt><a href="<!-- #homepage(net-dns/pdnsd) -->">pdnsd</a> <!-- #version(net-dns/pdnsd) --></dt>
-<dd><!-- #description(net-dns/pdnsd) -->. Configured to do lookups through Tor.</dd>
+<h4>3.2.3 Other GUI applications</h4>
 
-<dt><a href="<!-- #homepage(net-misc/vidalia) -->">Vidalia</a> <!-- #version(net-misc/vidalia) --></dt>
-<dd><!-- #description(net-misc/vidalia) --></dd>
+<ul>
+  <li><a href="<!-- #homepage(net-misc/vidalia) -->">Vidalia</a> <!-- #version(net-misc/vidalia) --></li>
+  <p><!-- #description(net-misc/vidalia) --></p>
 
-<dt><a href="<!-- #homepage(app-crypt/gnupg) --><">GnuPG</a> <!-- #version(app-crypt/gnupg) --></dt>
-<dd><!-- #description(app-crypt/gnupg) --></dd>
+  <li><a href="<!-- #homepage(app-crypt/gpa) -->">GPA</a> <!-- #version(app-crypt/gpa) --></li>
+  <p><!-- #description(app-crypt/gpa) --></p>
 
-<dt><a href="<!-- #homepage(app-admin/keepassx) --><">KeePassX</a> <!-- #version(app-admin/keepassx) --></dt>
-<dd><!-- #description(app-admin/keepassx) --></dd>
+  <li><a href="<!-- #homepage(app-admin/keepassx) --><">KeePassX</a> <!-- #version(app-admin/keepassx) --></li>
+  <p><!-- #description(app-admin/keepassx) --></p>
 
-<dt><a href="<!-- #homepage(net-analyzer/thcrut) -->">thcrut</a> <!-- #version(net-analyzer/thcrut) --></dt>
-<dd><!-- #description(net-analyzer/thcrut) --></dd>
+  <li><a href="http://www.kde.org">KDE 3.5</a></li>
+  <p>K Desktop Environment, a reduced install with parts that could be useful on an anonymity CD.</p>
 
-<dt><a href="<!-- #homepage(net-analyzer/nmap) -->">nmap</a> <!-- #version(net-analyzer/nmap) --></dt>
-<dd><!-- #description(net-analyzer/nmap) --></dd>
+  <li><a href="<!-- #homepage(kde-base/konqueror) -->">KDE - Konqueror </a> <!-- #version(kde-base/konqueror) --></li>
+  <p><!-- #description(kde-base/konqueror) --></p>
 
-<dt><a href="<!-- #homepage(net-wireless/airsnort) -->">airsnort</a> <!-- #version(net-wireless/airsnort) --></dt>
-<dd><!-- #description(net-wireless/airsnort) --></dd>
+  <li><a href="<!-- #homepage(kde-misc/tork) -->">TorK</a> <!-- #version(kde-misc/tork) --></li>
+  <p><!-- #description(kde-misc/tork) --></p>
 
-<dt><a href="<!-- #homepage(app-misc/screen) -->">screen</a> <!-- #version(app-misc/screen) --></dt>
-<dd><!-- #description(app-misc/screen) --></dd>
+  <li><a href="<!-- #homepage(kde-base/kontact) -->">KDE - Kontact</a> <!-- #version(kde-base/kontact) --></li>
+  <p><!-- #description(kde-base/kontact) --></p>
 
-<dt><a href="<!-- #homepage(net-misc/openvpn) -->">OpenVPN</a> <!-- #version(net-misc/openvpn) --></dt>
-<dd><!-- #description(net-misc/openvpn) -->. Can operate over TCP or UDP. Due to limitations of the Tor software only TCP is anonymized. UDP is currently blocked.</dd>
+  <li><a href="<!-- #homepage(kde-base/ksnapshot) -->">KDE - KSnapShot</a> <!-- #version(kde-base/ksnapshot) --></li>
+  <p><!-- #description(kde-base/ksnapshot) --></p>
 
-<dt><a href="<!-- #homepage(net-misc/vpnc) -->">vpnc</a> <!-- #version(net-misc/vpnc) --></dt>
-<dd><!-- #description(net-misc/vpnc) --></dd>
+  <li><a href="<!-- #homepage(kde-base/akregator) -->">KDE - Akregator</a> <!-- #version(kde-base/akregator) --></li>
+  <p><!-- #description(kde-base/akregator) --></p>
 
-<dt><a href="<!-- #homepage(net-misc/netkit-telnetd) -->">telnet</a> <!-- #version(net-misc/netkit-telnetd) --></dt>
-<dd><!-- #description(net-misc/netkit-telnetd) --></dd>
+  <li><a href="<!-- #homepage(kde-base/krfb) -->">KDE - krfb</a> <!-- #version(kde-base/krfb) --></li>
+  <p><!-- #description(kde-base/krfb) --></p>
 
-<dt><a href="<!-- #homepage(net-misc/socat) -->">socat</a> <!-- #version(net-misc/socat) --></dt>
-<dd><!-- #description(net-misc/socat) --></dd>
+  <li><a href="<!-- #homepage(net-p2p/ktorrent) -->">KDE - KTorrent</a> <!-- #version(net-p2p/ktorrent) --></li>
+  <p><!-- #description(net-p2p/ktorrent) --></p>
 
-<dt><a href="<!-- #homepage(www-client/links) -->">links</a> <!-- #version(www-client/links) --></dt>
-<dd><!-- #description(www-client/links) --></dd>
+  <li><a href="<!-- #homepage(kde-base/kgpg) -->">KDE - KPGP</a> <!-- #version(kde-base/kgpg) --></li>
+  <p><!-- #description(kde-base/kgpg) --></p>
 
-<dt><a href="http://www.kde.org">KDE 3.5</a></dt>
-<dd>K Desktop Environment, a reduced install with parts that could be useful on an anonymity CD.</dd>
+  <li><a href="<!-- #homepage(net-misc/kvpnc) -->">KDE - kvpnc</a> <!-- #version(net-misc/kvpnc) --></li>
+  <p><!-- #description(net-misc/kvpnc) --></p>
 
-<dt><a href="<!-- #homepage(kde-base/konqueror) -->">KDE - Konqueror </a> <!-- #version(kde-base/konqueror) --></dt>
-<dd><!-- #description(kde-base/konqueror) --></dd>
+</ul>
 
-<dt><a href="<!-- #homepage(kde-misc/tork) -->">TorK</a> <!-- #version(kde-misc/tork) --></dt>
-<dd><!-- #description(kde-misc/tork) --></dd>
+<h4>3.2.4 Miscellaneous software</h4>
 
-<dt><a href="<!-- #homepage(kde-base/kontact) -->">KDE - Kontact</a> <!-- #version(kde-base/kontact) --></dt>
-<dd><!-- #description(kde-base/kontact) --></dd>
+<ul>
+  <li><a href="<!-- #homepage(app-crypt/gnupg) --><">GnuPG</a> <!-- #version(app-crypt/gnupg) --></li>
+  <p><!-- #description(app-crypt/gnupg) --></p>
 
-<dt><a href="<!-- #homepage(kde-base/ksnapshot) -->">KDE - KSnapShot</a> <!-- #version(kde-base/ksnapshot) --></dt>
-<dd><!-- #description(kde-base/ksnapshot) --></dd>
 
-<dt><a href="<!-- #homepage(kde-base/akregator) -->">KDE - Akregator</a> <!-- #version(kde-base/akregator) --></dt>
-<dd><!-- #description(kde-base/akregator) --></dd>
+  <li><a href="<!-- #homepage(net-analyzer/thcrut) -->">thcrut</a> <!-- #version(net-analyzer/thcrut) --></li>
+  <p><!-- #description(net-analyzer/thcrut) --></p>
 
-<dt><a href="<!-- #homepage(kde-base/krfb) -->">KDE - krfb</a> <!-- #version(kde-base/krfb) --></dt>
-<dd><!-- #description(kde-base/krfb) --></dd>
+  <li><a href="<!-- #homepage(net-analyzer/nmap) -->">nmap</a> <!-- #version(net-analyzer/nmap) --></li>
+  <p><!-- #description(net-analyzer/nmap) --></p>
 
-<dt><a href="<!-- #homepage(net-p2p/ktorrent) -->">KDE - KTorrent</a> <!-- #version(net-p2p/ktorrent) --></dt>
-<dd><!-- #description(net-p2p/ktorrent) --></dd>
+  <li><a href="<!-- #homepage(net-wireless/airsnort) -->">airsnort</a> <!-- #version(net-wireless/airsnort) --></li>
+  <p><!-- #description(net-wireless/airsnort) --></p>
 
-</dl></p>
+  <li><a href="<!-- #homepage(app-misc/screen) -->">screen</a> <!-- #version(app-misc/screen) --></li>
+  <p><!-- #description(app-misc/screen) --></p>
 
+  <li><a href="<!-- #homepage(net-misc/netkit-telnetd) -->">telnet</a> <!-- #version(net-misc/netkit-telnetd) --></li>
+  <p><!-- #description(net-misc/netkit-telnetd) --></p>
 
-<h3><a name="inter">Internationalization</h3>
+  <li><a href="<!-- #homepage(net-misc/socat) -->">socat</a> <!-- #version(net-misc/socat) --></li>
+  <p><!-- #description(net-misc/socat) --></p>
 
+</ul>
+
+
+<h3><a name="inter">3.3 Internationalization</h3>
+
 <p>The following locales are installed. If you'd like to see another locale, please let us know.</p>
 
 <ul>
-
-<li>ar_EG (Egyptian Arabic)</li>
-<li>de_DE (German)</li>
-<li>el_GR (Greek)</li>
-<li>en_GB (British English)</li>
-<li>en_US (American English)</li>
-<li>es_ES (Spanish)</li>
-<li>fa_IR (Persian)</li>
-<li>fr_FR (French)</li>
-<li>he_IL (Hebrew)</li>
-<li>it_IT (Italian)</li>
-<li>ja_JP (Japanese)</li>
-<li>pt_PT (Portugese)</li>
-<li>ru_RU (Russian)</li>
-<li>sv_SE (Swedish)</li>
-<li>zh_CN (Chinese)</li>
+  <li>ar_EG (Egyptian Arabic)</li>
+  <li>de_DE (German)</li>
+  <li>el_GR (Greek)</li>
+  <li>en_GB (British English)</li>
+  <li>en_US (American English)</li>
+  <li>es_ES (Spanish)</li>
+  <li>fa_IR (Persian)</li>
+  <li>fr_FR (French)</li>
+  <li>he_IL (Hebrew)</li>
+  <li>it_IT (Italian)</li>
+  <li>ja_JP (Japanese)</li>
+  <li>pt_PT (Portugese)</li>
+  <li>ru_RU (Russian)</li>
+  <li>sv_SE (Swedish)</li>
+  <li>zh_CN (Chinese)</li>
 </ul>
 
 See <a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/locale.gen">/etc/locale.gen</a> for the selected languages. See <a href="https://tor-svn.freehaven.net/svn/incognito/trunk/fsscript.sh">fsscript.sh</a> for how this configuration is applied.
 
 
-<h3><a name="conf">Configuration</h3>
+<h3><a name="conf">3.4 Configuration</h3>
 
+<p>In this section we briefly present the setup of several key software packages and system settings of __INCOGNITO__ with respect to security and anonymity. There are of course other minor tweaks here and there, but those are mainly for usability issues and similar.</p>
 
-<h4>The Tor&trade; software</h4>
+<h4>3.4.1 The Tor&trade; software</h4>
 
 <p>The Tor software is currently configured as a client only. The client listens on SOCKS port 9050 with a control port 9051 (using cookie authentication), as a transparent proxy on port 9040 and as a DNS server on port 8853. Only connections from localhost are accepted. It can be argued that running a server would increase your anonymity for a number for reasons but we still feel that most users probably would not want this due to the added consumption of bandwidth.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/tor/torrc">/etc/tor/torrc</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/tor/torrc">/etc/tor/torrc</a></li>
 </ul>
 
 
-<h4>Mixminion</h4>
+<h4>3.4.2 Mixminion</h4>
 
 <p>Mixminion cannot be configured as a server as these servers need to be very reliable. As a client the default configuration seems to be acceptable. Note that TorK has built-in support for Mixminion with an easy to use interface (lacking PGP support, unfortunately).</p>
 
 
-<h4>DNS</h4>
+<h4>3.4.3 DNS</h4>
 
 <p>DNS leaks are controlled by using a local caching DNS server, pdnsd, that in turn performs its DNS lookups through the Tor network. pdnsd is the server configured in /etc/resolv.conf, listening on localhost. There is a security concern that some application could attempt to do its own DNS resolution without consulting /etc/resolv.conf, and therefore UDP packets are blocked in order to prevent leaks. Another solution may be to use the Linux network filter to forward UDP lookups to the local DNS server.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/resolv.conf">/etc/resolv.conf</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/conf.d/pdnsd">/etc/conf.d/pdnsd</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/tor/torrc">/etc/tor/torrc</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/conf.d/net">/etc/conf.d/net</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/iptables/rules-save">/var/lib/iptables/rules-save</a> (loaded by the standard Gentoo /etc/init.d/iptables service)</li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/resolv.conf">/etc/resolv.conf</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/conf.d/pdnsd">/etc/conf.d/pdnsd</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/tor/torrc">/etc/tor/torrc</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/conf.d/net">/etc/conf.d/net</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/iptables/rules-save">/var/lib/iptables/rules-save</a> (loaded by the standard Gentoo /etc/init.d/iptables service)</li>
 </ul>
 
 
-<h4>HTTP Proxy</h4>
+<h4>3.4.4 HTTP Proxy</h4>
 
-<p>Polipo provides with caching HTTP proxy funtionality. It contacts the Tor software via SOCKS5 to make the real connections.</p>
+<p>Polipo provides with caching HTTP proxy functionality. It contacts the Tor software via SOCKS5 to make the real connections.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/polipo/config">/etc/polipo/config</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/env.d/99proxy">/etc/env.d/99proxy</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/kdesession/kioslaverc">/var/lib/kdesession/kioslaverc</a> (copied to /home/__INCOGNITO_USER__/.kde/... during build)</li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/polipo/config">/etc/polipo/config</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/env.d/99proxy">/etc/env.d/99proxy</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/kdesession/kioslaverc">/var/lib/kdesession/kioslaverc</a> (copied to /home/__INCOGNITO_USER__/.kde/... during build)</li>
 </ul>
 
 
-<h4>SOCKS libraries</h4>
+<h4>3.4.5 SOCKS libraries</h4>
 
-<p>tsocks (patched for Tor usage as per the ebuild's tordns USE flag) and dante are installed. Note that it is unnecessary with the Linux network filter (see below) and the local DNS server to socksify or torify apps. This is done at a lower level. These libraries are here due to dependencies and configured for completeness.</p>
+<p>tsocks (patched for Tor usage as per the ebuild's tordns USE flag) and dante are installed. Note that it is unnecessary with the Linux network filter (see below) and the local DNS server to socksify or torify applications. This is done at a lower level. These libraries are here due to dependencies and configured for completeness.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/socks/">/etc/socks/</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/env.d/99proxy">/etc/env.d/99proxy</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/socks/">/etc/socks/</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/env.d/99proxy">/etc/env.d/99proxy</a></li>
 </ul>
 
 
-<h4>Network Filter</h4>
+<h4>3.4.6 Network Filter</h4>
 
 <p>One serious security issue is that we don't know what software will attempt to contact the network and whether their proxy settings are setup to use the Tor SOCKS proxy or polipo HTTP(s) proxy correctly. This is solved by forwarding all direct TCP connections through Tor's transparent proxy. Linux has a kernel level network filter that accomplishes this.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/iptables/rules-save">/var/lib/iptables/rules-save</a> (loaded by the standard Gentoo /etc/init.d/iptables service)</li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/tor/torrc">/etc/tor/torrc</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/iptables/rules-save">/var/lib/iptables/rules-save</a> (loaded by the standard Gentoo /etc/init.d/iptables service)</li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/tor/torrc">/etc/tor/torrc</a></li>
 </ul>
 
 
-<h4>Random MAC Address</h4>
+<h4>3.4.7 Random MAC Address</h4>
 
 <p>The macchanger program can be used to change the network card MAC addresses to a random value. Gentoo has direct support for macchanger so all we need to do is configure it. The configuration is set to "random-ending" which is equivalent to "macchanger -e", meaning the vendor and media type are not changed. This is done to not draw attention to the changed MAC address in case someone is watching. Using a random MAC address may improve anonymity with respect to the LAN and prevent mapping the user to a specific physical location.</p>
 
 <p>This functionality is not enabled by default as some DHCP servers may be configured with specific MAC addresses. In the boot menu there is an "Enable/Disable MAC changer" option that can be set before a language is chosen and the system starts booting.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/init.d/macchanger">/etc/init.d/macchanger</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/init.d/macchanger">/etc/init.d/macchanger</a></li>
 </ul>
 
 
-<h4>Mozilla Firefox</h4>
+<h4>3.4.8 Mozilla Firefox</h4>
 
-<p>Firefox uses Torbutton in order to prevent attacks using JavaScript, plugins and other non-HTTP features. It is configured to always be enabled on Firefox start and uses polipo as HTTP(s) proxy and Tor as SOCKS proxy. SOCKS is configured to perform name resolution through the proxy. Firefox is also configured to not cache (mainly to reduce memory usage for CD users as disk writes will be stored there), history (just in case) and many other things. The Firefox config is pretty heavily commented, so any other relevant settings may be invastigated by looking in it.</p>
+<p>Firefox uses Torbutton in order to prevent attacks using JavaScript, plugins and other non-HTTP features. It is configured to always be enabled on Firefox start and uses polipo as HTTP(s) proxy and Tor as SOCKS proxy. SOCKS is configured to perform name resolution through the proxy. Firefox is also configured to not cache (mainly to reduce memory usage for CD users as disk writes will be stored there), history (just in case) and many other things. The Firefox config is pretty heavily commented, so any other relevant settings may be investigated by looking in it.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/firefox-config/">/var/lib/firefox-config/</a> (copied to /home/__INCOGNITO_USER__/.mozilla during build)</li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/firefox-config/firefox/o2e6y2eh.default/prefs.js">Firefox config</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/firefox-config/">/var/lib/firefox-config/</a> (copied to /home/__INCOGNITO_USER__/.mozilla during build)</li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/firefox-config/firefox/o2e6y2eh.default/prefs.js">Firefox config</a></li>
 </ul>
 
 
-<h4>Mozilla Thunderbird</h4>
+<h4>3.4.9 Mozilla Thunderbird</h4>
 
 <p>Thunderbird's proxy settings are set up to use Tor. An old version of Torbutton (1.0.4.01, when it still supported Thunderbird) is installed solely for the purpose of scrubbing the <em>real</em> IP address and hostname from the EHLO/HELO messages which otherwise would be sent in the clear to the SMTP server. Furthermore, the first ten or so accounts that a user will create are pre-configured to not use HTML as that otherwise may break PGP usage. See the comments in the Thunderbird config for more settings.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/thunderbird-config/">/var/lib/thunderbird-config/</a> (copied to /home/__INCOGNITO_USER__/.thunderbird during build)</li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/thunderbird-config/rhy4kriw.default/prefs.js">Thunderbird config</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/thunderbird-config/">/var/lib/thunderbird-config/</a> (copied to /home/__INCOGNITO_USER__/.thunderbird during build)</li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/thunderbird-config/rhy4kriw.default/prefs.js">Thunderbird config</a></li>
 </ul>
 
 
-<h4>Bookmarks</h4>
+<h4>3.4.10 Bookmarks</h4>
 
 <p>Firefox have preset bookmarks related to anonymity.</p>
 
 <ul>
-<li>Firefox: <a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/firefox-config/firefox/m7m1jk79.Default%20User/bookmarks.html">bookmarks.html</a></li>
+  <li>Firefox: <a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/firefox-config/firefox/m7m1jk79.Default%20User/bookmarks.html">bookmarks.html</a></li>
 </ul>
 
 
-<h4>XChat</h4>
+<h4>3.4.11 XChat</h4>
 
 <p>XChat is configured to use the Tor software as a SOCKS5 proxy. It will pass the hostname through SOCKS5 so that the exit node does the DNS resolution. In addition all ctcp responses except PING are disabled as they otherwise could disclose useragent, system time and other information.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/xchat-config">xchat-config</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/ctcpreply.conf">ctcpreply.conf</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/fsscript.sh">fsscript.sh</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/xchat-config">/var/lib/xchat-config</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/ctcpreply.conf">/var/lib/ctcpreply.conf</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/fsscript.sh">fsscript.sh</a></li>
 </ul>
 
 
-<h4>Pidgin</h4>
+<h4>3.4.12 Pidgin</h4>
 
-<p>Pidgin is configured to not log anything and to use the Tor SOCKS proxy. Additionally the Off-the-record Messaging plugin and two IRC enhancing plugins are loaded automatically. The IRC More plugin is patched to not report useragent and to use empty part/quit messages to prevent fingerprinting.</p>
+<p>Pidgin is configured to not log anything and to use the Tor SOCKS proxy. Additionally the Off-the-record Messaging plug-in and two IRC enhancing plugins are loaded automatically. The IRC More plug-in is patched to not report useragent and to use empty part/quit messages to prevent fingerprinting.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/pidgin-config/prefs.xml">Pidgin config</a></li>
-<li>a href="https://tor-svn.freehaven.net/svn/incognito/trunk/portage.overlay/x11-plugins/purple-plugin_pack/files/hide-stuff.patch">hide-stuff.patch</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/lib/pidgin-config/prefs.xml">/var/lib/pidgin-config/prefs.xml</a></li>
+  <li>a href="https://tor-svn.freehaven.net/svn/incognito/trunk/portage.overlay/x11-plugins/purple-plugin_pack/files/hide-stuff.patch">hide-stuff.patch</a></li>
 </ul>
 
 
-<h4>Host system RAM</h4>
+<h4>3.4.13 Host system RAM</h4>
 
-<p>When shutting down the system RAM is securely wiped. RAM can actually be read after the machine shuts off with the right equipment. The software doing this is smem, part of the <a href="http://www.thc.org/">secure-delete</a> package. This process can take a while. If you are booting from a CD it should eject, and if you are booting from a USB drive you can remove the drive once prompted. In either case you can leave the computer and let it finish on its own, or simply turn it off if you are not worrie about this attack.</p>
+<p>When shutting down the system RAM is securely wiped. RAM can actually be read after the machine shuts off with the right equipment. The software doing this is smem, part of the <a href="http://www.thc.org/">secure-delete</a> package. This process can take a while. If you are booting from a CD it should eject, and if you are booting from a USB drive you can remove the drive once prompted. In either case you can leave the computer and let it finish on its own, or simply turn it off if you are not worried about this attack.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/patches/secure_halt.patch">/var/patches/secure_halt.patch</a> (applied during build)</li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/fsscript.sh">fsscript.sh</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/var/patches/secure_halt.patch">/var/patches/secure_halt.patch</a> (applied during build)</li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/fsscript.sh">fsscript.sh</a></li>
 </ul>
 
-<h4>Passwords</h4>
+<h4>3.4.14 Passwords</h4>
 
 <p>There are two users that are intended to be used for logins, '__INCOGNITO_USER__' and 'root'. Since this is a CD/USB the passwords are empty. This should not be a security concern because the user will remove the CD/USB when done and there should be no services allowing logins from the network. Suggestions for better solutions are welcome, though.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/fsscript.sh">fsscript.sh</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/fsscript.sh">fsscript.sh</a></li>
 </ul>
 
-<h4>Running __INCOGNITO__ in virtual machines</h4>
+<h3><a name="vm">3.5 Running __INCOGNITO__ in virtual machines</h3>
 
 <p>__INCOGNITO__ may of course be run in virtual machines. Due to the popularity of <a href="http://www.vmware.com/">VMWare</a> we include <a href="http://open-vm-tools.sourceforge.net/">open-vm-tools</a> (an open-source alternative to VMware tools) as well as special video and input divers for an improved user experience in that environment. Due to the closed-source nature of VMWare we try to encourage users of open VMs, like <a href="http://virtualbox.org/">VirtualBox</a> and <a href="http://fabrice.bellard.free.fr/qemu/">QEMU</a>, by making sure that these also work. In the case of VirtualBox both video and input drivers are included.</p>
 
 <p>Security concerns for all VMs are a keyloggers, viruses and other malware in the host OS which a guest OS like __INCOGNITO__ cannot defend against.</p>
 
-<h4>Running __INCOGNITO__ inside a Windows session</h4>
+<h3><a name="windows">3.6 Running __INCOGNITO__ inside a Windows session</h3>
 
 <p><a href="http://fabrice.bellard.free.fr/qemu/">QEMU</a> for Microsoft Window ships with __INCOGNITO__ and is used to run the CD/USB in a virtual machine whenever native boot is impossible or not desirable. Note that this will work for Windows 2000/XP or greater only.</p>
 
 
-<h3><a name="usb">Persistent User Settings for a USB drive</h3>
+<h3><a name="usb">3.7 Persistent User Settings for a USB drive</h3>
 
 <p>The CD may be copied to a USB drive. Why do that? USB drives are easier to carry, harder to break, offer file storage and persistent user settings between sessions. There is a script provided that will copy the CD to a USB drive and make the drive bootable. Note the script depends on the Gentoo LiveCD structure, it probably won't work when run on another LiveCD setup.</p>
 
-<p>The persistent home volume can be stored as a <a href="http://www.truecrypt.org">TrueCrypt</a> volume or unencrypted. For the Un*x savvy, the unencrypted volume is stored as an ext3 file on the USB drive. The file home.tc (TrueCrypt) or home.ext3.img (unencrypted) on the USB drive and can be removed to reset to the CD defaults or copied elsewhere for a backup. You will need to do a clean shutdown to make sure your settings are saved. When booting from a writable media and there is no home volume you will be prompted to create one, you may choose not to do so and to disable the feature altogether with the possibility to enable it again from within the GUI.</p>
+<p>The persistent home volume can be stored as a <a href="http://www.truecrypt.org">TrueCrypt</a> volume or unencrypted. For the Un*x savvy, the unencrypted volume is stored as an ext3 file on the USB drive. The file home.tc (TrueCrypt) or home.ext3.img (unencrypted) on the USB drive and can be removed to reset to the CD defaults or copied elsewhere for a backup. You will need to do a clean shut-down to make sure your settings are saved. When booting from a writeable medium and there is no home volume you will be prompted to create one, you may choose not to do so and to disable the feature altogether with the possibility to enable it again from within the GUI.</p>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/init.d/external-config-setup">/etc/init.d/external-config-setup</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/sbin/create-usb">/usr/sbin/create-usb</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/sbin/create-homevol">/usr/sbin/create-homevol</a></li>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/sbin/enable-persistent">/usr/sbin/enable-persistent</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/init.d/external-config-setup">/etc/init.d/external-config-setup</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/sbin/create-usb">/usr/sbin/create-usb</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/sbin/create-homevol">/usr/sbin/create-homevol</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/usr/sbin/enable-persistent">/usr/sbin/enable-persistent</a></li>
 </ul>
 
-<h3>Configuration copied from USB drive</h3>
+<h4>Configuration copied from USB drive</h4>
 
-<p>Certain configurations are copied from the USB drive on boot if no persistent drive is mounted. The following table lists the configuration, where it should exist on the USB drive and where it is copied into.</p>
+<p>Certain configurations are copied from the USB drive on boot if no persistent drive is mounted. Note that this feature is pretty secret at the moment. A more elaborate and general filesystem overlaying thing is in the works as a replacement.</p>
 
+<p>The following table lists the configuration, where it should exist on the USB drive and where it is copied into.</p>
+
 <table border="1">
 <tr><th align=left>Software</th><th align=left>USB drive location</th><th align=left>Destination</th></tr>
 <tr><td>OpenVPN</td><td>/keys/openvpn</td><td>/etc/openvpn</td>
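Review bot: The Pidgin list under 3.4.12 keeps a broken link: the re-indented `+` line still reads `<li>a href=` with the opening `<` of the anchor missing, exactly as on the `-` line it replaces, so the tag is emitted as literal text and hide-stuff.patch is not linked. The line is being touched anyway, so restore `<a href=`. The KeePassX and GnuPG entries likewise carry over the stray `<` in `--><">` inside their href attributes. In the converted software lists each description `<p>` sits directly under `<ul>` as a sibling of its `<li>`; nesting the paragraph inside the `<li>` keeps the markup valid. The new `<h3><a name="vm">` and `<h3><a name="windows">` headings open an anchor that is never closed, and the demoted "Configuration copied from USB drive" heading is left unnumbered while the other headings this patch touches gain section numbers.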
@@ -427,26 +579,26 @@
 </table>
 
 <ul>
-<li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/init.d/external-config-setup">/etc/init.d/external-config-setup</a></li>
+  <li><a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/init.d/external-config-setup">/etc/init.d/external-config-setup</a></li>
 </ul>
 
 
-<h3><a name="hidden">Hidden Services</h3>
+<h3><a name="hidden">3.8 Hidden Services</h3>
 
 <p>Hidden HTML content may be served if running from an USB drive. Content is limited to static HTML pages. The content is stored in the home directory and so takes advantage of TrueCrypt encryption. The directory structure follows.</p>
 
-<dl>
-<dt>/home/hidden/[name]</dt>
-<dd>Base directory for hidden content where [name] can be anything (sane) that you'd like.</dd>
-<dt>/home/hidden/[name]/conf</dt>
-<dd>Configuration directory mostly used for Tor hidden service information. It will include the hostname and private key, keep it safe, i.e. don't copy it over to your buddy's USB drive.</dd>
-<dt>/home/hidden/[name]/conf/port</dt>
-<dd>Optional port for the hidden service. This is what you'd give out to others. If you will have multiple services it is best to specify the port. The default is 80, increasing from there for each additional service.</dd>
-<dt>/home/hidden/[name]/conf/torrc</dt>
-<dd>Optional config to append to /etc/tor/torrc after the hidden service description. An example would be a HiddenServiceNodes directive, etc.</dd>
-<dt>/home/hidden/[name]/www</dt>
-<dd>The HTML content. Use index.html for your default page.</dd>
-</dl>
+<ul>
+<li>/home/hidden/[name]</li>
+<p>Base directory for hidden content where [name] can be anything (sane) that you'd like.</p>
+<li>/home/hidden/[name]/conf</li>
+<p>Configuration directory mostly used for Tor hidden service information. It will include the hostname and private key, keep it safe, i.e. don't copy it over to your buddy's USB drive.</p>
+<li>/home/hidden/[name]/conf/port</li>
+<p>Optional port for the hidden service. This is what you'd give out to others. If you will have multiple services it is best to specify the port. The default is 80, increasing from there for each additional service.</p>
+<li>/home/hidden/[name]/conf/torrc</li>
+<p>Optional config to append to /etc/tor/torrc after the hidden service description. An example would be a HiddenServiceNodes directive, etc.</p>
+<li>/home/hidden/[name]/www</li>
+<p>The HTML content. Use index.html for your default page.</p>
+</ul>
 
 <p>The <a href="<!-- #homepage(www-servers/lighttpd) -->">lighttpd</a> server is used to serve the content. Configuration of the server is done at boot time in the <a href="https://tor-svn.freehaven.net/svn/incognito/trunk/root_overlay/etc/init.d/hidden-service">/etc/init.d/hidden-service</a> init script.</p>
 <p>The host name to use for the hidden service can be found in the /home/hidden/[name]/conf/hostname file for that service. This file is created by the Tor software when configuring the hidden service. The host name will be the same across sessions and machines as it and the private key are stored in the /home/hidden/[name]/conf directory.</p>
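Review bot: In the converted directory list, each description <p> is now a direct child of <ul>, sitting between the <li> elements, which is not valid HTML and may render inconsistently. Either keep the original <dl>/<dt>/<dd>, which suits path-plus-description pairs, or move each <p> inside its <li>. The renumbered heading <h3><a name="hidden">3.8 Hidden Services</h3> still leaves the <a> unclosed, so the closing </a> could be added while the line is being touched.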
@@ -460,37 +612,37 @@
 </ul>
 
 
-<h2><a name="maintenance">Maintenance</h2>
-<blockquote>(How to keep the implementation current for anonymity, security and usefulness.)</blockquote>
+<h3><a name="build">3.9 Build process and maintenance</h3>
 
-<p>The Gentoo Catalyst release build tool is used to build the CD. This tool is designed to make the CD easy to maintain. For an update of only the Tor software it takes a simple version bump and 30 minutes for the tiny CD, two hours for the full version. Human effort is minimal, Catalyst does most of the work. A full update of all software takes several hours to compile, but this is seldom done or needed and again generally requires little human effort. Adding or removing software to/from the CD is also generally trivial.</p>
+<p>The Gentoo Catalyst release build tool is used to build __INCOGNITO__. This tool is designed automate the build process of the target distribution, which also make them easy to maintain. Since essentially everything is compiled from sources, building __INCOGNITO__ from scratch takes several hours or even a few days to complete. But this is seldom done or needed and catalyst makes it possible to cache already built packages so they need not be compiled again. Adding or removing software to/from the distribution is also generally trivial but might require altering the ebuild or writing new ones.</p>
 
+<p>For detailed instructions on how to build and modify __INCOGNITO__, see <code>building.html</code> and <code>hacking.html</code> in the source root.</p>
+
 <p>The following applications are kept up to date as soon as possible. Others may be updated sooner if a major security problem occurs (Firefox, Thunderbird etc.)</p>
 
 <ul>
-<li>Tor</li>
-<li>TorK</li>
-<li>Vidalia</li>
-<li>Polipo</li>
-<li>Mixminion</li>
+  <li>Tor (stable releases only)</li>
+  <li>TorK</li>
+  <li>Vidalia</li>
+  <li>Polipo</li>
+  <li>Mixminion</li>
 </ul>
 
 <p>Remaining applications, including the base system, will be updated to whatever Portage deems is stable in each new release. It takes a long time to compile everything from scratch and sometimes there are problems that need to be addressed. Most of the packages are marked stable by Gentoo so there are not many problems.</p>
 
 
-<h2><a name="caveats">Caveats</h2>
-<blockquote>Side effects of the implementation that may be undesirable.</blockquote>
+<h3><a name="caveats">3.10 Caveats</h3>
 
-<p>UDP is a problem. The Tor software does not provide anonymity using UDP yet. Outgoing UDP packets are dropped altogether.</p>
+<p>UDP is a problem. The Tor network does not support UDP yet, only TCP. Outgoing UDP packets are dropped altogether by netfilter for this reason.</p>
 
 <p>When using a USB drive your user settings are stored on the drive unsecured. If any personal information is stored by the applications you use then you must keep your drive secure from potential threats, for example by using the optional encryption and a strong passphrase.</p>
 
 
-<h2><a name="security">Security</h2>
-<blockquote>Agreements and disagreements with our approach or implementation.</blockquote>
+<h2><a name="security">4 Security</h2>
 
 <p>(It would be great to have links to peer reviews here.)</p>
 
+
 </body>
 
 </html>
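Review bot: The rewritten UDP caveat says outgoing UDP is dropped by netfilter but not what that means for DNS lookups, which normally use UDP; a sentence or a cross-reference to wherever name resolution is described would close that gap. In the new build paragraph, "designed automate" should be "designed to automate" and "which also make them easy to maintain" should be "which also makes it easy to maintain". The three renumbered headings (<a name="build">, <a name="caveats">, <a name="security">) still have no closing </a>.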


