[or-cvs] r16358: Updating tag for 2008.1 release with trunk as of revision 16 (in incognito/tags/2008.1/root_overlay: etc/conf.d usr/sbin usr/share/incognito usr/share/incognito/walkthrough usr/share/incognito/walkthrough/img)
anonym at seul.org
Sat Aug 2 14:50:46 UTC 2008
Author: anonym
Date: 2008-08-02 10:50:46 -0400 (Sat, 02 Aug 2008)
New Revision: 16358
Modified:
incognito/tags/2008.1/root_overlay/etc/conf.d/local.start
incognito/tags/2008.1/root_overlay/usr/sbin/create-homevol
incognito/tags/2008.1/root_overlay/usr/sbin/enable-persistent-vol
incognito/tags/2008.1/root_overlay/usr/share/incognito/docs.html
incognito/tags/2008.1/root_overlay/usr/share/incognito/walkthrough/img/pidgin-chat.png
incognito/tags/2008.1/root_overlay/usr/share/incognito/walkthrough/walkthrough.html
Log:
Updating tag for 2008.1 release with trunk as of revision 16357 to fix a few minor language issues.
Modified: incognito/tags/2008.1/root_overlay/etc/conf.d/local.start
===================================================================
--- incognito/tags/2008.1/root_overlay/etc/conf.d/local.start 2008-08-02 14:40:53 UTC (rev 16357)
+++ incognito/tags/2008.1/root_overlay/etc/conf.d/local.start 2008-08-02 14:50:46 UTC (rev 16358)
@@ -1,14 +1,3 @@
# For some reason, "/media" doesn't appear when running the liveCD although it
# is created by catalyst during build and is present within the image (FIXME).
[[ ! -e /media ]] && mkdir /media
-
-
-# The following detects if the persistent home creation guide has been
-# disabled and in that case puts the re-enabling option on the desktop
-
-# FIXME: we should get this from somewhere
-LOCK_FILE=/mnt/cdrom/LOCK_NO_PERSISTENT
-
-if [[ -e ${LOCK_FILE} ]]; then
- ln -s /usr/share/applications/enable-persistent-vol.desktop /home/__INCOGNITO_USER__/Desktop
-fi
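Review bot: the log message calls this revision a fix for "a few minor language issues", but this hunk removes behaviour: the LOCK_FILE check and the `ln -s` that put enable-persistent-vol.desktop on the desktop are gone. Please say so in the log, so the history of the tag explains why the desktop shortcut no longer appears and that the K-menu entry is now the only way back.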
Modified: incognito/tags/2008.1/root_overlay/usr/sbin/create-homevol
===================================================================
--- incognito/tags/2008.1/root_overlay/usr/sbin/create-homevol 2008-08-02 14:40:53 UTC (rev 16357)
+++ incognito/tags/2008.1/root_overlay/usr/sbin/create-homevol 2008-08-02 14:50:46 UTC (rev 16358)
@@ -12,14 +12,14 @@
TITLE="Create Persistent Home Volume"
BACKTITLE="__INCOGNITO__"
LOCK_FILE="${MEDIAROOT}/LOCK_NO_PERSISTENT"
-MIN_SIZE=$(( $(du -sk /home | awk '{print $1}') / 1024 + 11)) # 10 to 11 MB extra so that it works better
+MIN_SIZE=$(( $(du -sk /home | awk '{print $1}') / 1024 + 30)) # add another 30 MB just to be sure it will work.
MAX_SIZE=$(( ${MEDIAFREE} / 1024 ))
QUESTION_HOME_PART="Use the UP and DOWN arrowkeys, and TAB to navigate between different fields and buttons in this guide. You may press ESC/Escape at any time to exit this guide.
Would you like to create a persistent home volume that will keep your data over __INCOGNITO__ sessions? This means that application settings and file changes in your home directory will persist through computer shutdowns which is not normally the case with __INCOGNITO__ (normally everything is reseted on a reboot)."
QUESTION_DISABLE_PERSISTENT="Would you like to disable the previous prompt? That way the start sequence will not get interrupted when booting __INCOGNITO__ like it was this time.
-If you choose 'yes' here this can be undone by running \"Enable persistant home volume\" located on the desktop and in the K-menu once the graphical user interface has started."
+If you choose 'yes' here this can be undone by running \"Enable persistant home volume\" located in the Incognito section of the K-menu."
QUESTION_SIZE="Enter the size in megabytes for the home volume. ${MIN_SIZE} MB is the smallest we allow, but it is strongly recommended to use more. There will be a recommended value in the input field which work for most users. The recommended value will utilize most space but save a little so that future upgrades of __INCOGNITO__ will fit. If you plan to store other files on the media you should take that into account and decrease the volume size appropriately."
QUESTION_ENCRYPTION="Would you like to encrypt the home volume using TrueCrypt? This is strongly recommended as it will make your data unreadable for everyone that does not have the password you choose unless they can guess it. The only inconvenience added for this is that you will be prompted for the password at each start up."
QUESTION_HIDDEN_VOLUME="Do you want to use a hidden home volume?
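Review bot: on the new MIN_SIZE line the margin grows from 11 to 30 MB with only "just to be sure it will work" as justification. Please state what the margin has to cover, so the next adjustment is not another guess, and note that the integer division by 1024 rounds the `du` figure down before the margin is added. Separately, the rewritten QUESTION_DISABLE_PERSISTENT text still reads "Enable persistant home volume"; if the menu entry really carries that spelling it should be fixed in both places, otherwise the prompt should say "persistent".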
Modified: incognito/tags/2008.1/root_overlay/usr/sbin/enable-persistent-vol
===================================================================
--- incognito/tags/2008.1/root_overlay/usr/sbin/enable-persistent-vol 2008-08-02 14:40:53 UTC (rev 16357)
+++ incognito/tags/2008.1/root_overlay/usr/sbin/enable-persistent-vol 2008-08-02 14:50:46 UTC (rev 16358)
@@ -3,8 +3,6 @@
# FIXME: we should get this from somewhere
LOCK_FILE=/mnt/cdrom/LOCK_NO_PERSISTENT
-sudo rm -f ${LOCK_FILE}
-
# Find the dialog command
DIALOG="$(which Xdialog 2>/dev/null)"
if [ -z "${DIALOG}" -o -z "${DISPLAY}" ]; then
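Review bot: with `sudo rm -f ${LOCK_FILE}` removed here, the script depends on the invoking user's own access to /mnt/cdrom, and nothing in the visible header says who is expected to run it; a one-line comment would help. The hard-coded LOCK_FILE under the FIXME also differs from create-homevol, which builds the path as "${MEDIAROOT}/LOCK_NO_PERSISTENT", so the two scripts only agree when MEDIAROOT is /mnt/cdrom.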
@@ -14,11 +12,22 @@
DEFAULT_WIDTH=80
DIALOG="${DIALOG} --wrap --cr-wrap --left"
+if [[ ! -e ${LOCK_FILE} ]]; then
+ ${DIALOG} --msgbox "The persistent home volume is already enabled. If you want to disable it, that should be done during the guide next time you boot __INCOGNITO__." 0 ${DEFAULT_WIDTH}
+ exit 1
+fi
+
+if [[ ! -w ${LOCK_FILE} ]]; then
+ ${DIALOG} --msgbox "You do not have permission to perform this action." 0 ${DEFAULT_WIDTH}
+ exit 1
+fi
+
+rm -f ${LOCK_FILE}
+
if [[ -e ${LOCK_FILE} ]]; then
${DIALOG} --msgbox "Operation failed." 0 ${DEFAULT_WIDTH}
exit 1
else
- ${DIALOG} --msgbox "The option to create and use persistent home volumes is enabled. You should be prompted next time you start __INCOGNITO__." 0 ${DEFAULT_WIDTH}
- rm -f /home/__INCOGNITO_USER_/Desktop/enable-persistent-vol.desktop
+ ${DIALOG} --msgbox "The option to create and use persistent home volumes is enabled. The guide should start next time you boot __INCOGNITO__." 0 ${DEFAULT_WIDTH}
exit 0
fi
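Review bot: the `[[ ! -w ${LOCK_FILE} ]]` guard tests write permission on the file, but removing a file needs write permission on the directory that contains it, so the guard can pass while `rm` fails, or refuse when `rm` would have succeeded. Either test the directory or drop the guard and report the permission problem from the existing `-e` check after `rm`, which already catches a failed removal. `rm -f ${LOCK_FILE}` should also quote the variable, and the "already enabled" branch exits 1 although nothing went wrong there.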
Modified: incognito/tags/2008.1/root_overlay/usr/share/incognito/docs.html
===================================================================
--- incognito/tags/2008.1/root_overlay/usr/share/incognito/docs.html 2008-08-02 14:40:53 UTC (rev 16357)
+++ incognito/tags/2008.1/root_overlay/usr/share/incognito/docs.html 2008-08-02 14:50:46 UTC (rev 16358)
@@ -1,10 +1,12 @@
<html>
<head>
-<title>__INCOGNITO_TITLE__ Documentation</title>
+<title>The __INCOGNITO__ Documentation</title>
</head>
<body>
+<h1>The __INCOGNITO__ Documentation</h1>
+
<h2>Contents</h2>
<ul>
<li><a href="#intent">Intent</a></li>
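Review bot: the new `<title>` line swaps the placeholder __INCOGNITO_TITLE__ for __INCOGNITO__, which is a change of substitution token rather than of wording. Please confirm the build replaces __INCOGNITO__ in docs.html as it does in walkthrough.html, and that nothing else still relies on __INCOGNITO_TITLE__.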
Modified: incognito/tags/2008.1/root_overlay/usr/share/incognito/walkthrough/img/pidgin-chat.png
===================================================================
(Binary files differ)
Modified: incognito/tags/2008.1/root_overlay/usr/share/incognito/walkthrough/walkthrough.html
===================================================================
--- incognito/tags/2008.1/root_overlay/usr/share/incognito/walkthrough/walkthrough.html 2008-08-02 14:40:53 UTC (rev 16357)
+++ incognito/tags/2008.1/root_overlay/usr/share/incognito/walkthrough/walkthrough.html 2008-08-02 14:50:46 UTC (rev 16358)
@@ -1,12 +1,12 @@
<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
- <title>__INCOGNITO__ Walkthrough</title>
+ <title>The __INCOGNITO__ Walkthrough</title>
</head>
<body>
-<h1>__INCOGNITO__ Walkthrough</h1>
+<h1>The __INCOGNITO__ Walkthrough</h1>
<h2>Contents</h2>
<ul>
@@ -27,7 +27,7 @@
<li><a href="#misc">Other applications</a>
<li><a href="#macchanger">Enabling MAC changer</a>
<li><a href="#usb">Running __INCOGNITO__ from USB</a>
- <li><a href="#cold">Cold boot attacks</a>
+ <li><a href="#cold">Protection against cold boot attacks</a>
<li><a href="#vm">__INCOGNITO__ and Virtualization</a>
<li><a href="#windows">Running __INCOGNITO__ from within Microsoft Windows</a>
</ul>
@@ -38,7 +38,7 @@
<p></a>In this document we try to present the __INCOGNITO__ LiveCD in an easy to understand and reasonably thorough manner in hope to give the new user a crash course in what might be a completely new set of applications and concepts regarding anonymity and security on the Internet. It is quite long so you might want to not read it in one go but instead read the introduction and conclusion, as well as the sections on only those applications you intend to use with the possibility to return to it whenever you want to try something new or use it for reference. If you have experience with these applications and concepts from elsewhere and feel comfortable with the user interface in general, reading this document is maybe not necessary at all. A word of caution to all users is not to alter the network, proxy and firewall settings unless you know what you are doing – poking around with them too much might spoil the built-in defences of __INCOGNITO__.</p>
-<h3>What is __INCOGNITO__?</h3>
+<h3><a name="what"></a>What is __INCOGNITO__?</h3>
<p>__INCOGNITO__, <strong>noun</strong>:</p>
@@ -60,9 +60,9 @@
<h3><a name="how"></a>How does __INCOGNITO__ provide with anonymity?</h3>
-<p>First of all, true anonymity is impossible. Given enough resources an attacker will get you. What one can do is to make the cost of doing that so high that it becomes infeasible. __INCOGNITO__ tries to do this by sending all your Internet traffic through the <a href="https://www.torproject.org/">Tor™ network</a> which makes your Internet traffic very hard to trace. If someone tries to trace you when you are using __INCOGNITO__, the trail will stop somewhere in Tor network with the IP address of some of its participants, not your. Similarly, if someone tried to see where you ultimately want to send your traffic, they will only reach as far as some computer in the Tor network. In fact, you will be the only one knowing exactly what is going on – not even the computers in the Tor network that you send your traffic through will know the whole picture!</p>
+<p>First of all, true anonymity is impossible. Given enough resources an attacker will get you. What one can do is to make the cost of doing that so high that it becomes infeasible. __INCOGNITO__ tries to do this by sending all your Internet traffic through the <a href="https://www.torproject.org/">Tor™ network</a> which makes your Internet traffic very hard to trace. If someone tries to trace you when you are using __INCOGNITO__, the trail will stop somewhere in Tor network with the IP addresses of some of its participants, not your. Similarly, if someone tries to see destination of your traffic, they will only reach as far as some computer in the Tor network. In fact, you will be the only one knowing exactly what is going on – not even the computers in the Tor network that you send your traffic through will know the whole picture!</p>
-<p>As at least a rudimentary understanding of Tor currently is essential for using it securely (and knowing its limits) we strongly recommend reading the <a href="https://www.torproject.org/overview.html">Tor overview</a> and <a href="https://wiki.torproject.org/noreply/TheOnionRouter/TorALaymansGuide">Understanding and Using Tor – An Introduction for the Layman</a>. We also encourage you to read the following paragraphs about common misconceptions about the service offered by the Tor software:</p>
+<p>As at least a rudimentary understanding of Tor currently is essential for using it securely (and knowing its limits) we strongly recommend reading the <a href="https://www.torproject.org/overview.html">Tor overview</a> and <a href="https://wiki.torproject.org/noreply/TheOnionRouter/TorALaymansGuide">Understanding and Using Tor – An Introduction for the Layman</a>. At the very least you should read the following paragraphs about common misconceptions about the service offered by the Tor software:</p>
<p>By relaying your Internet traffic through the Tor network (which __INCOGNITO__ does per default) your communications should <em>only</em> be considered to be untraceable back to the computer you use, not encrypted or in any other way hidden. While the traffic <em>is</em> encrypted when it leaves your computer and when you get back your responses, it will not be so when sent between the Tor network and your destination (this is unavoidable for technical reasons). This means that an eavesdropper at some later point will be able see your traffic without Tor's encryption, but will not be able to link it back to your computer.</p>
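Review bot: the rewritten first paragraph still has language errors in the sentences it touches: "not your" should be "not yours", "see destination of your traffic" is missing "the", and "somewhere in Tor network" is missing "the" as well. This paragraph states what an observer can and cannot learn, so it is worth getting exact in a revision whose purpose is language fixes.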
@@ -79,20 +79,20 @@
<p align=center><a href="img/incognito-screenshot.png"><img src="img/incognito-screenshot.png" width=512 height=384 border=0></a></p>
-<p>The graphical user interface used in __INCOGNITO__ is called KDE and share many fundamentals with that of Microsoft Windows, Mac OS X and most other modern operating systems, so if you have used any of them, getting used to KDE will take no time. As this document is not intended as a complete guide for KDE there are only a few things we will mention here to spare you some time. First of all, in the lower left corner of the screen there is a blue button with a K in it, called the "K menu button". Pressing it opens the "K menu" where you will find short cuts to many different applications. Please explore the different categories of applications and try out those that seem interesting. If there are any KDE or system settings that you want to change, like the screen resultion or KDE's appearance, this can be done in the "Control Center", found at the first level of the K menu. Also notice that there is a category named __INCOGNITO__ which contains some things relevant for the user, like a short cut to this document. The __INCOGNITO__ category is also available from as a quick launch item, located right of the K menu button, among the short cuts to your home directory (where you store your files), Firefox and Thunderbird.</p>
+<p>The graphical user interface used in __INCOGNITO__ is called KDE and share many fundamentals with that of Microsoft Windows, Mac OS X and most other modern operating systems, so if you have used any of them, getting used to KDE will take no time. As this document is not intended as a complete guide for KDE there are only a few things about it that we will mention here to spare you some time. First of all, in the lower left corner of the screen there is a blue button with a K in it, called the "K menu button". Pressing it opens the "K menu" where you will find short cuts to many different applications. Please explore the different categories of applications and try out those that seem interesting. If there are any KDE or system settings that you want to change, like the screen resultion or KDE's appearance, this can be done in the "Control Center", found at the first level of the K menu. Also notice that there is a category named __INCOGNITO__ which contains some things relevant for the user, like a short cut to this document. The __INCOGNITO__ category is also available from as a quick launch item, located right of the K menu button, among the short cuts to your home directory (where you store your files), Firefox and Thunderbird.</p>
-<p>In the lower right corner you will find something referred to as the system tray, or simply systray, that has a couple of icons in it, each which offers an interface for some running application. One of them helps you keep an eye on the battery level (if you run from a laptop), one allows to instantly change the keyboard layout, and one helps you control the network settings, for instance. You are encouraged to check them out, but we will say more about some of them later on in this walkthrough. You will also see a clock showing its time in UTC (Greenwich Mean Time) which might not be appropriate for your location. To make it show your local time, right-click it and choose "Show timezone" and either choose one of the timezones available there or add your own with the "Configure timezones..." option.</p>
+<p>In the lower right corner you will find something referred to as the system tray, or simply systray, that has a couple of icons in it, each which offers an interface for some running application. One of them helps you keep an eye on the battery level if you run from a laptop, one allows to instantly change the keyboard layout, and one helps you control the network settings, for instance. You are encouraged to check them out, but we will say more about some of them later on in this article. You will also see a clock showing the time in UTC (Greenwich Mean Time) which might not be appropriate for your location. To make it show your local time, right-click it and choose "Show timezone" and either choose one of the timezones available there or add a new one with the "Configure timezones..." option.</p>
-<p>Some other important things that need to be understood before proceeding are the concepts of a <a href="http://en.wikipedia.org/wiki/Livedistro">LiveDistro, LiveCD and LiveUSB</a>. In essence a LiveDistro is an operating system (like Windows or Mac OS X, although __INCOGNITO__ uses Linux) that is run from some removable media like a CD or USB memory stick. Most likely you are running __INCOGNITO__ from a CD, which makes it into a LiveCD, and this brings some limitations to its operation. Most importantly, since a CD is read-only once it has been burned by CD recording software no changes persist through reboots. So, if you download a file or make some application settings they will disappear when you shut-down. This is both good and bad – on the plus side, if you screw up anything or get a virus, the system will be restored once you have restarted it. But not being able to save stuff is of course inconvenient in some cases. If you find that frustrating you might want to run __INCOGNITO__ from and USB memory stick instead, making it into a LiveUSB, which is writeable and where it is possible to make it so that the changes persist through reboots. You can read more about this and its implications <a href="#usb">later</a> in this walkthrough.</p>
+<p>Some other important things that need to be understood before proceeding are the concepts of <a href="http://en.wikipedia.org/wiki/Livedistro">LiveDistro, LiveCD and LiveUSB</a>. In essence a LiveDistro is an operating system (like Windows or Mac OS X, although __INCOGNITO__ uses Linux) that is run from some removable media like a CD or USB memory stick. Most likely you are running __INCOGNITO__ from a CD, which makes it into a LiveCD, and this brings some limitations to its operation. Most importantly, since the CD is a read-only medium once it has been burned by your CD recording software no changes persist through reboots. So, if you download a file or make some application settings they will be gone once you shut-down. This is both good and bad – on the plus side, if you screw up anything or get a virus, the system will be restored once you have restarted it. But not being able to save stuff is of course inconvenient in some cases. If you find it frustrating you might want to run __INCOGNITO__ from and USB memory stick instead, making it into a LiveUSB. Since a USB memory stick is writeable medium it is possible to make it so that the changes persist through reboots. You can read more about this and its implications <a href="#usb">later</a> in this walkthrough.</p>
<h3><a name="nm"></a>Networking with NetworkManager</h3>
-<p>The name is quite self-explanatory – this is what you should use to set up your network, usually to establish an Internet connection. In many cases this is done more or less automatically. For example, if you are connected with wire NetworkManager will try to obtain network access automatically. If you are using a wireless connection you are basically two clicks away. First Right-click its icon in the systray to summon this menu:</p>
+<p>The name is quite self-explanatory – this is what you should use manage your network, which usually only consists of establishing an Internet connection. In many cases this is done more or less automatically. For example, if you are connected with wire NetworkManager will try to obtain network access automatically. If you are using a wireless connection you are basically two clicks away. First Right-click its icon in the systray to summon this menu:</p>
<p align=center><a href="img/nm-menu.png"><img src="img/nm-menu.png" width=240 height=194 border=0></a></p>
-<p>All wireless networks your computer is picking up are listed there, as are all wired networks you have access to (usually one per wire), so the second click is used for choosing any one of them. If the network is protected you will be prompted for a password. There are other options too, like connecting using dial-up and setting up VPNs although these will require further set-up in the "Options -> Configure..." section. Hopefully all your networking needs will be satisfied using this interface.</p>
+<p>All wireless networks your computer is picking up are listed there, as are all wired networks you have access to (usually one per wire), so the second click is used for choosing any one of these. If the network is protected you will be prompted for a password. There are other options too, e.g. for dial-up connections and setting up VPNs although these will require further set-up in the "Options -> Configure..." section. Hopefully all your networking needs will be satisfied using this interface.</p>
<h3><a name="tork"></a>Controlling Tor with TorK</h3>
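Review bot: the new NetworkManager paragraph introduces an error the old text did not have: "this is what you should use manage your network" is missing "to". The added lines also keep "share many fundamentals" (shares), "screen resultion", "available from as a quick launch item", "run __INCOGNITO__ from and USB memory stick" and add "is writeable medium" without an article; these could all be fixed in the same pass.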
@@ -101,26 +101,26 @@
<p align=center><a href="img/tork-main.png"><img src="img/tork-main.png" width=400 height=325 border=0></a></p>
-<p>The "Anonymous Email" entry is pretty interesting. Pressing the envelope icon will bring forth a dialogue which makes it possible to send anonymous email. Besides first routing the mail through the Tor network, it will also be routed through the <a href="http://en.wikipedia.org/wiki/Mixminion">Mixminion</a> network, which offers even greater anonymity than the Tor network, at least in theory. In practice the Mixminion network is a bit too small for offering much anonymity, but that extra layer of indirection will probably not hurt. Also, notice that this is one-way only, so the recipient cannot answer unless you specify a response address in the message. Of course, that could defeat the whole purpose of sending email anonymously. If you want the recipient to be able to answer you by attaching a response address you should consider encrypting the message. TorK does not offer an interface to GnuPG, who will have to do that manually, perhaps with PGP (<a href="#kpgp">KPGP</a> is an easy alternative for this).</p>
+<p>The "Anonymous Email" entry is pretty interesting. Pressing the envelope icon will open a window which makes it possible to send anonymous email. Besides first routing the mail through the Tor network, it will also be routed through the <a href="http://en.wikipedia.org/wiki/Mixminion">Mixminion</a> network, which offers even greater anonymity than the Tor network, at least in theory. In practice the Mixminion network is a bit too small for offering much anonymity, but that extra layer of indirection will probably not hurt. Also, notice that this is one-way only, so the recipient cannot answer unless you specify a response address or some other means of reaching you in your message. Of course, that could defeat the whole purpose of sending email anonymously. If you want the recipient to be able to answer you by attaching a response address you should consider encrypting the message. TorK does not offer an interface to GnuPG, so you will have to do the encryption manually, perhaps with PGP (<a href="#kpgp">KPGP</a> might be suitable for this).</p>
<p>Next we will have a look at the "Tor Network"
tab:</p>
<p align=center><a href="img/tork-network.png"><img src="img/tork-network.png" width=400 height=325 border=0></a></p>
-<p>In here, all the Tor nodes in the Tor network are listed, as are all your circuits and connections that go through the Tor network. All this requires a bit of technical knowledge of how Tor works in order to understand and use, but it is not strictly necessary. From the connection listing it should at least be relatively easy for you to see which exit node and country it appears your connections come from.</p>
+<p>In here, all the Tor nodes in the Tor network are listed, as are all your circuits and connections that go through the Tor network. All this requires a bit of technical knowledge of how Tor works in order to understand and use, but it is not at all necessary. From the connection listing it should at least be relatively easy for you to see which exit node and country it appears your connections come from.</p>
<p>One very useful thing when working with Tor is the following option, found in the TorK menu that you get by right-clicking its systray icon:</p>
<p align=center><a href="img/tork-menu.png"><img src="img/tork-menu.png" width=182 height=98 border=0></a></p>
-<p>The selected "Change Identity" option will tear down all you current circuits and build new ones which means that the computers you route your Internet traffic through will be changed to some others. This is very useful if you experience bad performance or even time-outs accessing some Internet resource as you might have better luck with the new circuits that are built. Also, if you ever want to make sure that one thing you are doing will not be linkable to the next thing you are going to do you should use this feature.</p>
+<p>The selected "Change Identity" option will tear down all you current circuits and build new ones which means that the set of computers you route your Internet traffic through will exchanged by some others. This is very useful if you experience bad performance or even time-outs accessing some Internet resource as you might have better luck with the new circuits that are built. Also, if you ever want to make sure that one thing you are doing will not be linkable to the next thing you are going to do you should use this feature.</p>
-<p>TorK also makes it easy to use some of the Tor Networks more advanced features. For example, if you switch back to the "Anonymize" tab you will find an entry for "Anonymous Websites and Web Services" which allows you to set up <a href="http://www.torproject.org/hidden-services.html">hidden services</a> by clicking its icon (an English style police hat). Another feature that might be useful when you are using __INCOGNITO__ from a restrictive network can be found in "Settings menu -> Configure TorK -> Firewall/Censor evasion". This makes it possible to use <a href="https://www.torproject.org/bridges.html">bridges</a> as entry points to the Tor network in order to circumvent censorship systems trying to block your access to the Tor network.</p>
+<p>TorK also makes it easy to use some of the Tor Network's more advanced features. For example, if you switch back to the "Anonymize" tab you will find an entry for "Anonymous Websites and Web Services" which allows you to set up <a href="http://www.torproject.org/hidden-services.html">hidden services</a> by clicking its icon (an English style police hat). Another feature that might be useful when you are using __INCOGNITO__ from a restrictive network can be found in "Settings menu -> Configure TorK -> Firewall/Censor evasion". This makes it possible to use <a href="https://www.torproject.org/bridges.html">bridges</a> as entry points to the Tor network in order to circumvent censorship systems that blocks normal access to the Tor network, intentially or not.</p>
-<p>Lastly TorK will assist you setting up yourself as a Tor server, helping out the Tor Network by relaying other people's traffic. You also have the possibility to act as an exit node, which means that other Tor users' traffic will exit in the clear from your computer. You should really think through if you want to do the latter (act as an exit node) as your ISP might start sending you complaints for other people's file sharing traffic that happens to exit from you, and potentially even worse things that might attract the attention of the police. But simply relaying traffic is completely safe and will only cost you some bandwidth (how much can be configured). However, at the same time you will get more anonymity – it will be impossible for eavesdroppers to distinguish the Tor traffic you are relaying from that you are generating for your own Tor usage use (while web browsing etc.). So if you have bandwidth to spare, you might want to consider doing this.</p>
+<p>Lastly TorK will assist you setting up yourself as a Tor server, helping out the Tor Network by relaying other people's traffic. You also have the possibility to act as an exit node, which means that other Tor users' traffic will exit in the clear from your computer. You should really think through if you want to do the latter (act as an exit node) as your ISP might start sending you complaints for other people's file sharing traffic that happens to exit from you, and potentially even worse things that might attract the attention of the police. But simply relaying traffic is completely safe and will only cost you some bandwidth (how much can be configured). However, at the same time you will get more anonymity – it will be impossible for eavesdroppers to distinguish the Tor traffic you are relaying from your own traffic generated by web browsing etc. So if you have bandwidth to spare, you might want to consider doing this.</p>
-<p>In order to succeed with setting up a relay you might have to do something about your firewall or router if you have one, like enable port-forwarding for ports 9001 and 9030 – if you do not know what this is or how to do it you should either look it up on your favourite search engine or simply skip it. The next step would be to actually enable it in TorK, which only requires a few clicks. First press the button with a plus icon called "More options" which will make a few more buttons appear. One of them says "Run as a server" when you hover the mouse cursor above it. Simply click it and choose "Relay Tor traffic" and follow the instructions. After that you will just have to wait for a while before the connections start rushing in.</p>
+<p>In order to succeed with setting up a relay you might have to do something about your firewall or router if you have one, like enable port-forwarding for ports 9001 and 9030 – if you do not know what this is or how to do it you should either look it up on with favourite search engine or simply skip it. The next step would be to actually enable it in TorK, which only requires a few clicks. First press the button with a plus icon called "More options" which will make a few more buttons and options appear. One of them says "Run as a server" when you hover the mouse cursor above it. Simply click it and choose "Relay Tor traffic" and follow the instructions. After that you will just have to wait for half an hour or so before the connections start rushing in. Due to this delay and some technical reasons it is best if you only act as a Tor server if you <a href="#usb">run from USB</a> as that will speed things up a little next time and also spare you of the time taken to set-up the server.</p>
<h3><a name="ff"></a>Browsing the web with Firefox</h3>
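Review bot: several added lines in this hunk regress the wording: "will exchanged by some others" is missing "be", "censorship systems that blocks normal access ... intentially or not" needs "block" and "intentionally", and "look it up on with favourite search engine" is garbled. The new closing sentence on relays also cites "some technical reasons" for preferring a USB install; since it is advice about running a Tor server, name the reason instead of alluding to it.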
@@ -129,7 +129,7 @@
<p align=center><a href="img/ff-ssl.png"><img src="img/ff-ssl.png" width=404 height=311 border=0></a></p>
-<p>Notice the locks in the status bar and address bar (which also has turned yellowish) and that the address begins with "http<strong>s</strong>://" – these are the indicators that a secure connection using <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">SSL</a> is being used. You should try to only use services that use secure connections when you are required to send sensitive information (like passwords), otherwise its very easy for an eavesdropper to steal whatever information you are sending. In this case what we are trying to do is logging in on an email account at <a href="http://lavabit.com/">lavabit</a>, using their <a href="https://lavabit.com/apps/webmail/src/login.php">webmail interface</a>. Let us proceed with logging in there so we can se how it is possible to send end-to-end encrypted email with any webmail service out there with the nifty <a href="http://getfiregpg.org/">FireGPG</a> extension:</p>
+<p>Notice the locks in the status bar and address bar (the latter which also has turned yellowish) and that the address begins with "http<strong>s</strong>://" – these are the indicators that a secure connection using <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">SSL</a> is being used. You should try to only use services that use secure connections when you are required to send sensitive information (like passwords), otherwise its very easy for an eavesdropper to steal whatever information you are sending. In this case what we are trying to do is logging in on an email account at <a href="http://lavabit.com/">lavabit</a>, using their <a href="https://lavabit.com/apps/webmail/src/login.php">webmail interface</a>. Let us proceed with logging in there so we can se how it is possible to send end-to-end encrypted email with any webmail service out there with the nifty <a href="http://getfiregpg.org/">FireGPG</a> extension:</p>
<p align=center><a href="img/ff-compose-1.png"><img src="img/ff-compose-1.png" width=404 height=311 border=0></a></p>
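Review bot: the rewritten parenthetical swaps one awkward phrasing for another; "the latter which also has turned yellowish" should be "the latter of which has also turned yellowish". The same line keeps "otherwise its very easy" (it's) and "so we can se how" (see), both unchanged between the old and new versions. Since the paragraph moves straight from SSL to FireGPG, one clause saying that the lock and "https" only cover the connection to the webmail server would motivate the end-to-end step that follows.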
@@ -139,7 +139,7 @@
<p align=center><a href="img/ff-firegpg.png"><img src="img/ff-firegpg.png" width=96 height=137 border=0></a></p>
-<p>In the menu we choose "Sign and encrypt" and we get a dialogue asking us to select the public key to encrypt it with (Bob's) and the private key to sign it with (your). After doing this the message is only readable by Bob, and in addition Bob will be able to verify that the message was written by you. The signed and encrypted text will look something like this:</p>
+<p>In the menu we choose "Sign and encrypt" and we get a dialogue asking us to select the public key to encrypt it with (Bob's) and the private key to sign it with (your). After doing this the message is only readable by Bob, and in addition Bob will be able to verify that the message was in fact written by you. The signed and encrypted text will look something like this:</p>
<p align=center><a href="img/ff-compose-2.png"><img src="img/ff-compose-2.png" width=404 height=311 border=0></a></p>
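Review bot: "the private key to sign it with (your)" in the changed line should read "(yours)"; the typo is carried over from the old line. The sentence promises that Bob can verify the message came from you, which holds only if Bob has your public key, and the paragraph never says so; a short clause to that effect would make the claim accurate.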
@@ -157,9 +157,10 @@
<p align=center><a href="img/ff-youtube-2.png"><img src="img/ff-youtube-2.png" width=404 height=311 border=0></a></p>
-<p>If you are reading this document as a local file in __INCOGNITO__ (which is the case if you have used the provided bookmarks) you might have noticed that most links do not work. This is also due to Torbutton since it is possible for others to steal any file from you otherwise. In order to visit them you will need to disable Torbutton and reload the page in a new tab. Indeed there are a few similar oddities related to toggling Torbutton on and off. If a web site does not work as expected after toggling Torbutton and pressing refresh you might have to do any of the following to get it to work:</p>
+<p>If you are reading this document as a local file in __INCOGNITO__ (which is the case if the address begins with file://) you might have noticed that all links that point outside of this document do not work. This is also due to Torbutton since it is possible for others to steal any file from you otherwise. In order to visit them you will need to disable Torbutton and reload the page in a new tab. Indeed there are a few more oddities related to toggling Torbutton on and off. If a web site does not work as expected after toggling Torbutton you might have to do any of the following to get it to work:</p>
<ul>
+ <li>Press the "Refresh" button in the navigation bar, or imply use the F5 keyboard short cut.
<li>Click the address field and press ENTER.
<li>Open a new tab and re-enter (or copy and paste) the address into the address field of the new tab and then press ENTER.
</ul>
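Review bot: the new list item contains a typo; "or imply use the F5 keyboard short cut" should be "or simply use the F5 keyboard shortcut". In the paragraph above the list, "since it is possible for others to steal any file from you otherwise" states the reason for the blocked links too loosely; a clause saying what Torbutton is preventing when a page is opened from file:// would help readers judge when disabling it is acceptable.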
@@ -173,7 +174,7 @@
<h3><a name="tb"></a>Emailing with Thunderbird</h3>
-<p>Not everyone is happy using webmail (like the authors) but want to use a <em>real</em> email client instead. For that we have included Mozilla Thunderbird which looks like this:</p>
+<p>Not everyone is happy using webmail (like the authors) but want to use a <em>real</em> email client instead of some fragile web-based interface. For that we have included Mozilla Thunderbird which looks like this:</p>
<p align=center><a href="img/tb-main.png"><img src="img/tb-main.png" width=453 height=305 border=0></a></p>
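Review bot: the parenthetical in the changed line is misplaced; "Not everyone is happy using webmail (like the authors)" can be read as the authors being happy with webmail. Move it, for example "Not everyone (the authors included) is happy using webmail", and fix the number agreement in "but want to use".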
@@ -183,16 +184,16 @@
<p>Notice that there are buttons for PGP encryption in both of the above windows (labelled with "Decrypt" and "OpenPGP"). These are provided by the <a href="http://http://enigmail.mozdev.org/">Enigmail</a> extension, and pressing any of them for the first time will start a guide for setting up PGP, possibly generating new keys if you do not have any. Their web site is a great resource for learning how PGP encryption works so make sure to check it out.</p>
-<p>Setting up your email account requires a tiny amount of knowledge, like what <a href="http://en.wikipedia.org/wiki/Post_Office_Protocol">POP</a>, <a href="http://en.wikipedia.org/wiki/IMAP">IMAP</a> and <a href="http://en.wikipedia.org/wiki/SMTP">SMTP</a> is, and indeed that your email service supports these. Also, this initial configuration requires writing down the addresses of the servers involved, downloading mail, etc. which takes some time. This might be annoying to do each time, which is necessary when running __INCOGNITO__ from a CD, so you might want to consider using a persistent home directory by <a href="#usb">running __INCOGNITO__ from USB</a> if you want to use Thunderbird often. One more thing to consider is that Tor exit nodes usually block the plaintext SMTP port (25) in order to prevent spam. This is easily fixed by enabling end-to-end encryption with the email server through SSL, which you should do any way for all of POP, IMAP and SMTP as your password otherwise will be sent in plaintext.</p>
+<p>Setting up your email account requires a tiny amount of knowledge, like what <a href="http://en.wikipedia.org/wiki/Post_Office_Protocol">POP</a>, <a href="http://en.wikipedia.org/wiki/IMAP">IMAP</a> and <a href="http://en.wikipedia.org/wiki/SMTP">SMTP</a> is, and indeed that your email service supports these. <a href="http://opensourcearticles.com/articles/thunderbird_15/english/part_01">This step-by-step guide</a> might be useful. However, this initial configuration requires writing down the addresses of the servers involved, downloading mail, etc. which will take some time. It is a bit annoying to have to redo everytime you start __INCOGNITO__, which is necessary when running from a CD, so you might want to consider using a persistent home directory by <a href="#usb">running from USB</a> if you plan to use Thunderbird often. One more thing to consider is that Tor exit nodes usually block the plaintext SMTP port (25) in order to prevent spam. This is easily fixed by enabling end-to-end encryption with the email server through SSL, which you should do any way for all of POP, IMAP and SMTP as your password otherwise will be sent in plaintext.</p>
<h3><a name="konq"></a>Managing files with Konqueror</h3>
-<p>Konqueror is KDE's file manager, (s)FTP client, web browser and more and it looks like this while in file managing mode:</p>
+<p>Konqueror is KDE's file manager, (S)FTP client, web browser and more and it looks like this while in file managing mode:</p>
<p align=center><a href="img/konq.png"><img src="img/konq.png" width=354 height=257 border=0></a></p>
-<p>As we already have mentioned, we recommend that you do your web browsing in Firefox instead since there is nothing like Torbutton for Konqueror. If you <em>really</em> want to use Konqueror you should make sure to disable all plugins, JavaScript and cookies in order to expect some anonymity, but even then Firefox and Torbutton is probably a more secure (and usable) alternative. There are no problems using Konqueror for file managing or as an FTP client however. In the latter case, just enter "ftp://" followed by the address to the FTP server in order to connect, and the same applies for SFTP although you prepend "sftp://" to the address instead.</p>
+<p>As we already have mentioned, we recommend that you do your web browsing in Firefox instead since there is nothing like Torbutton for Konqueror. If you <em>really</em> want to use Konqueror you should make sure to disable all plugins, JavaScript and cookies in order to expect some anonymity, but even then Firefox and Torbutton is probably both a more secure and usable alternative. There are no problems using Konqueror for file managing or as an FTP client however. In the latter case, just enter "ftp://" followed by the address to the FTP server in order to connect, and the same applies for SFTP although you prepend "sftp://" to the address instead.</p>
<h3><a name="pidgin"></a>Chatting with Pidgin</h3>
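Review bot: in the Thunderbird paragraph both the old and new lines call SSL to the mail server "end-to-end encryption", which clashes with the FireGPG section, where end-to-end means only the recipient can read the message. SSL here protects the password and mail only between the client and the server, so "enabling SSL for the connection to the email server" would be accurate. Smaller points: "everytime" in the added line should be "every time", the Enigmail link in the context line above still has href "http://http://enigmail.mozdev.org/", and "probably both a more secure and usable alternative" should be "probably both a more secure and a more usable alternative".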
@@ -205,20 +206,20 @@
<p align=center><a href="img/pidgin-chat.png"><img src="img/pidgin-chat.png" width=370 height=218 border=0></a></p>
-<p>OTR and other Pidgin plugins are enabled in the "Tools menu -> Plug-ins" section. Simply check the appropriate box for enabling any plugin you want, and possibly you might also want to configure it by pressing the "Configure Plug-in" button. When this is done for the OTR plugin you get a dialogue that can be used to manage your keys among other things. The use of OTR is recommended as many instant messaging protocols normally send your messages in plaintext. Force your friends to migrate to clients with support for OTR!</p>
+<p>OTR and other Pidgin plugins are enabled in the "Tools menu -> Plug-ins" section. Simply check the appropriate box for enabling any plugin you want, and possibly you might also want to configure it by pressing the "Configure Plug-in" button. When this is done for the OTR plugin a window that can be used to manage your keys will be opened. The use of OTR is recommended as many instant messaging protocols normally send your messages in plaintext. Force your friends to migrate to clients with support for OTR!</p>
<h3><a name="misc"></a>Other applications</h3>
-<p>There are several other interesting security or Internet related applications included in __INCOGNITO__ which we list and present briefly here. Those that have graphical user interfaces (which most of them do) can be found in the K menu.</p>
+<p>There are several other interesting security or Internet related applications included in __INCOGNITO__ some which we list and present briefly here. Those that have graphical user interfaces (which most do) can be found in the K menu.</p>
<ul>
<li><a href="http://www.gnupg.org/">GNU Privacy Guard</a> (GnuPG) – A Free implementation of OpenPGP used for encryption of all sorts.
<li><a name="gpa"></a><a href="http://www.gnupg.org/gpa.html">GNU Privacy Assistant</a> – A graphical user interface for GnuPG. This application is very useful for generating and importing new keys.
<li><a name="kpgp"></a><a href="http://developer.kde.org/~kgpg/">KGPG</a> – Another graphical user interface for GnuPG, very similar to GNU Privacy Assistant. This one has a text editor under the "File" menu which can be used to easily sign and/or encrypt any texts you write or paste into the text box. This might be useful for sending encrypted, anonymous email with TorK's Mixminion interface.
- <li><a href="http://mixminion.net/">Mixminion</a> – A type III anonymous remailer. Remember that <a href="#tork">TorK</a> has a nice graphical interface for Mixminion.
+ <li><a href="http://mixminion.net/">Mixminion</a> – A type III anonymous remailer. <a href="#tork">TorK</a> has a simple graphical interface for Mixminion.
<li><a name="keepassx"></a><a href="http://keepassx.sourceforge.net/">KeePassX</a> – A password manager and generator. For password generation, look in the "Extras" menu. The generator has a pretty cool feature, namely that it show the quality (or <a href="http://en.wikipedia.org/wiki/Information_entropy">information entropy</a>) of the password it will generate.
- <li><a href="http://www.kde-apps.org/content/show.php/Kvkbd?content=56019">Kvkbd</a> – A virtual keyboard that can be used to safely enter passwords using the mouse when you suspect that a hardware keylogger may be present.
+ <li><a href="http://www.kde-apps.org/content/show.php/Kvkbd?content=56019">Kvkbd</a> – A virtual keyboard that can be used to safely enter passwords using the mouse when you suspect that a hardware keylogger may be present. It starts automatically with __INCOGNITO__ and is accessed by the keyboard icon in the systray.
<li><a href="http://www.truecrypt.org/">TrueCrypt</a> – Disk encryption software. If you have access to some writeable media you can use TrueCrypt for creating an encrypted container (which in reality will take the form of an ordinary file on that media) on it that you can store files in securely.
<li><a name="vidalia"></a><a href="http://www.vidalia-project.net/">Vidalia</a> – An alternative Tor controller.
<li><a href="http://ktorrent.org/">KTorrent</a> – A Bittorrent client. Please use bittorrent with care as it is a real burden for the Tor network and generally frowned upon in the Tor community because of this. Just downloading a 10 MB file could be equivalent of hours of standard web browsing. Therefore you should only download small files when absolutely necessary.
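Review bot: the added intro line is missing a word; "included in __INCOGNITO__ some which we list" should be "some of which we list". The new Kvkbd sentence is a useful addition, and it would be worth keeping the scope explicit there: the entry speaks of hardware keyloggers only, so readers should not take the virtual keyboard as protection against software running on the machine. The KeePassX context line still has "it show the quality" (shows).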
@@ -229,7 +230,7 @@
<h3><a name="macchanger"></a>Enabling MAC changer</h3>
-<p>If you paid attention when you started up __INCOGNITO__ you might have noticed an odd option in the language selection menu, namely the "Enable MAC changer" entry. Some further explanation is probably required in order to understand whether this is relevant for you or not.</p>
+<p>If you paid attention when you started up __INCOGNITO__ you may have noticed an odd option in the language selection menu, namely the "Enable MAC changer" entry. Some further explanation is probably required in order to understand whether this is relevant for you or not.</p>
<p>First of all, you should know that all network cards, both wired and wireless, have a unique identifier stored in them called their MAC address. This address is actually used to address your computer on the <em>local</em> network, but it will <em>never</em> get out on the Internet so people can <em>not</em> use it to trace you. However, other computers on the network could log it which then would provide proof that your computer have been connected to it. As such, this is not a concern if you are using __INCOGNITO__ with your home Internet connection as that can be linked to you any way, but if you are connecting your computer to an untrusted, public wireless network you might consider enabling it. It is never useful enabling this option if you are using a public computer – only use this if you are using a computer that can be linked to you on a public network.</p>
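Review bot: the only change in this hunk is "might" to "may", while the paragraph directly below keeps "proof that your computer have been connected to it" (should be "has been"). In the same paragraph "you might consider enabling it" has no antecedent for "it"; naming the option ("enabling the MAC changer") would be clearer.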
@@ -240,31 +241,31 @@
<p>Running __INCOGNITO__ from a CD has its virtues but it certainly also have its limitations. While CDs are portable they usually do not fit in your pocket in a comfortable manner. But a USB memory stick certainly fits any pocket or your key ring. In addition, CDs are read-only and thus no data can be saved to them, but that is, again, not the case with USB memory sticks. However, storing sensitive data on a USB memory stick could be dangerous if it got into the wrong hands. Similarly, if we get a virus or manages to damage the system in other ways, the system is tainted or unusable from that point and all consecutive boots, either with or without your knowledge. Clearly that is not good.</p>
-<p>It is actually possible to get the best out of these two worlds at the same time. When running __INCOGNITO__ from a USB memory stick you have the option to create an encrypted container wherein your home directory is stored so that any files stored and settings made are saved persistently. If you use a good password this deals with the dangers of storing sensitive data on it. But what about virus threats and the like? Well, when running from a USB memory stick, the system is still set up to not be writeable – it is loaded to RAM so any changes stay only there and are not persistent. It is only your home directory which will be persistent.</p>
+<p>It is actually possible to get the best out of these two worlds at the same time. When running __INCOGNITO__ from a USB memory stick you have the option to create an encrypted container wherein your home directory is stored so that any files stored and settings made are saved persistently. If you use a good password this deals with the dangers of storing sensitive data on it. But what about virus threats and the like? Well, when running from a USB memory stick, the system files are still set up to not be persistently writeable. It is only your home directory which will be persistent.</p>
-<p>In order to get __INCOGNITO__ running on USB you currently first have to get the usual LiveCD installation first. Once __INCOGNITO__ has started up from CD you will find a short cut to an installation guide in the &Incognito; section of the K menu, aptly called "Install Incognito to USB". The guide will tell you about your options and is self contained, and in most cases you only need to insert a USB memory stick and hit the OK button to get it done. Then you restart the computer without the CD in, but with the USB memory stick connected instead. __INCOGNITO__ will start to boot just like from the CD but at a certain point a guide will start asking about if you want a persistent home directory or not. The encryption we mentioned earlier is optional but definitely recommended.</p>
+<p>In order to get __INCOGNITO__ running on USB you currently have to get the usual LiveCD installation first. Once __INCOGNITO__ has started up from CD you will find a short cut to an installation guide in the "__INCOGNITO__" section of the K menu, aptly called "Install __INCOGNITO__ to USB". The guide will tell you about your options and is self contained, and in most cases you only need to insert a USB memory stick and hit the OK button to get it done. Then you restart the computer without the CD in, but with the USB memory stick connected instead. __INCOGNITO__ will start to boot just like from the CD but at a certain point a guide will start asking about if you want a persistent home directory or not. The encryption we mentioned earlier is optional but definitely recommended.</p>
-<p>The encryption is protected with a password, so it is very important to choose a strong password. But what is a strong password? Of course, there are many different opinions on that. What can be said is that to utilize the encryption algorithm used to its full extent you will need a password consisting of 40 randomly chosen characters of those available on the standard (western) keyboard. There should be around 90 different characters. Of course, such a password is almost impossible to memorize, so you will probably have to go for something shorter. It can also help to device mnemonics to help remember them. Be creative! If you need help with generating the passwords you should check out <a href="#keepassx">KeePassX</a>'s built-in password generator.</p>
+<p>The encryption is protected with a password, so it is very important to choose a strong password. But what is a strong password? Of course, there are many different opinions on that. What can be said is that to utilize the encryption algorithm used to its full extent you will need a password consisting of 40 randomly chosen characters of those available on the standard (western) keyboard layout, which have around 90 different characters. Such a password should remain uncrackable for the remainder of this universe's life span and the same goes for the actual encryption. Of course, such a password is almost impossible to memorize, so you will probably have to go for something shorter. 20 random characters is probably more than enough. It can also help to device mnemonics to help remember them but stay away from dictionary words of any language you know. Be creative! If you need help with generating the passwords you should check out <a href="#keepassx">KeePassX</a>'s built-in password generator.</p>
-<h3><a name="cold"></a>Cold boot attacks and memory sweeping</h3>
+<h3><a name="cold"></a>Protection against cold boot attacks</h3>
-<p>What happens if the police knocks on your door when you are running __INCOGNITO__? This is a tough one to deal with, and there is not that much that can be done actually. If you are really unlucky they have brought with them freeze spray and other equipment which can be used to mount a <a href="http://en.wikipedia.org/wiki/Cold_boot_attack">cold boot attack</a>. This is done in order to get the contents of your RAM. Due to how modern computing works, basically everything that you are doing is stored in the RAM, so all information – including passwords, encryption keys and the secret plans you wrote in a text editor but then erased – may be stored in it in plain text. The more resent the activity, the more likely it is that it is still in the RAM.</p>
+<p>What happens if the police knocks on your door when you are running __INCOGNITO__? This is a tough one to deal with, and there is not that much that can be done actually. If you are really unlucky they have brought with them freeze spray and other equipment which can be used to mount a <a href="http://en.wikipedia.org/wiki/Cold_boot_attack">cold boot attack</a>. This is done in order to get the contents of your RAM. Due to how modern computing works, basically everything that you have been doing for a good whike is stored in the RAM, so all information – including passwords, encryption keys and the secret plans you wrote in a text editor but then erased – may be stored in it in plain text. The more resent the activity, the more likely it is that it is still in the RAM.</p>
-<p>RAM is usually considered to be extremely volatile, meaning that its data starts to disintegrate rapidly once power is removed. However, it has been shown that the data might be recoverable for seconds or even minutes after this happens, and apparently freeze spray can be used to increase that period significantly. Once the power is restored the RAM state will keep getting refreshed, so if the power supply is portable the removed RAM modules' contents are in the hands of the attacker. Alternatively the computer can simply be reset (i.e. switched off and back on quickly), which barely even effects the power fed to RAM. Then a tiny LiveCD system is loaded with the ability to dump the RAM to some writeable media. In both cases the RAM contents can be analysed in a computer forensics laboratory which might turn into a major disaster depending on what they find.</p>
+<p>RAM is usually considered to be extremely volatile, meaning that the data it stores starts to disintegrate rapidly once power is removed. However, it has been shown that the data might be recoverable for seconds or even minutes after this happens, and apparently freeze spray can be used to increase that period significantly. Once the power is restored the RAM state will keep getting refreshed, so if the power supply is portable the removed RAM modules' contents are in the hands of the attacker. Alternatively the computer can simply be reset (i.e. switched off and back on quickly), which barely even affects the power. Then a tiny LiveCD system is loaded with the ability to dump the RAM to some writeable media. In both cases the RAM contents can be analysed in a computer forensics laboratory which might turn into a major disaster depending on what they find.</p>
-<p>So, what should you do when you hear them knocking? You should calmly make a clean shut-down of __INCOGNITO__ using the "Log out" option in the K menu, then selecting "Turn off computer" in the window that appears. Then you wait, possibly trying to buy valuable time by barricading your door. The reason for this is that one of the last things __INCOGNITO__ does before shutting down completely is filling the RAM with random junk, erasing everything that was stored there before. Unfortunately this might take a couple of minutes depending on the speed of your processor and the amount of RAM installed, so while this is clearly not a perfect solution it seems it might be the best thing to do.</p>
+<p>So, what should you do when you hear them knocking? You should calmly make a clean shut-down of __INCOGNITO__ using the "Log out" option in the K menu, then selecting "Turn off computer" in the window that appears. Then you wait, possibly trying to buy valuable time by barricading your door. The reason for this is that one of the last things __INCOGNITO__ does before shutting down completely is filling the RAM with random junk, thus erasing everything that was stored there before. Unfortunately this might take a couple of minutes depending on the speed of your processor and the amount of RAM installed, so while this clearly is not a perfect solution it seems it might be the best thing to do.</p>
-<p>In general this is of equal concern to both CD and USB users, but there is one exception. If you run from USB and use an encrypted home partition you are not safe any longer. The key will be stored in RAM if you did not have time to shut-down __INCOGNITO__ cleanly. As such, a cold boot attack against a system with mounted encrypted partitions is very severe as it will give the attackers access to all data stored on them.</p>
+<p>In general this is of equal concern to both CD and USB users, but there is one exception. If you run from USB and use an encrypted home partition you are not safe any longer. The key will be stored in RAM if you did not have time to shut-down __INCOGNITO__ cleanly. As such, a cold boot attack against a system with mounted encrypted partitions is very severe as it likely gives the attackers access to all data stored on them.</p>
-<p>As far as the authors know this is not standard procedure within law enforcement and similar anywhere in the world yet, but it might still be good to be prepared and stay on the safe side.</p>
+<p>As far as the authors know cold boot attacks are not standard procedure within law enforcements and similar organisations anywhere in the world yet, but it might still be good to be prepared and stay on the safe side.</p>
<h3><a name="vm"></a>__INCOGNITO__ and Virtualization</h3>
-<p>Certain users might not want to restart the computer every time they wish to use the Internet anonymously with__INCOGNITO__. For those, a so called <a href="http://en.wikipedia.org/wiki/Virtual_machine">virtual machine</a> can be used to run __INCOGNITO__ inside the "host" operating system installed on the computer (e.g. Microsoft Windows, Mac OS X, etc.). Essentially these programs emulate real computers that you can run "guest" operating systems in so they appear in a window within the host operating system. Using one of these technologies allows for convenient access to __INCOGNITO__'s features in a protected environment while you at the same time have access to your normal, host operation system.</p>
+<p>Certain users might not want to restart the computer every time they wish to use the Internet anonymously with__INCOGNITO__. For those, a so called <a href="http://en.wikipedia.org/wiki/Virtual_machine">virtual machine</a> can be used to run __INCOGNITO__ inside the "host" operating system installed on the computer (e.g. Microsoft Windows, Mac OS X, etc.). Essentially these programs emulate real computers that you can run "guest" operating systems (in this case __INCOGNITO__) in so they appear in a window within the host operating system. Using one of these technologies allows for convenient access to __INCOGNITO__'s features in a protected environment while you at the same time have access to your normal operation system.</p>
-<p>There are a few security issues with this approach though. The main issue is if the host operating system is compromised with a software keylogger or virus, which __INCOGNITO__ does not provide any protection against (in fact, it is impossible). Secondly, performance is a usually a bit worse compared to running it on its own. As such, this is only recommended when the other alternative is not an option or when you are absolutely sure that your host system is clean. Additionally, some of these virtual machines are closed-source, so it is very difficult to determine if they do something that could break __INCOGNITO__'s security. In conclusion, use virtual machines with care.</p>
+<p>There are a few security issues with this approach though. The main issue is if the host operating system is compromised with a software keylogger or virus, which __INCOGNITO__ does not provide any protection against (in fact, that is impossible). Secondly, performance is a usually a bit worse compared to running it on its own. As such, this is only recommended when the other alternative is not an option or when you are absolutely sure that your host system is clean. Additionally, some of these virtual machines are closed-source, so it is very difficult to determine if they do something that could break __INCOGNITO__'s security. In conclusion, use virtual machines with care.</p>
<h4>QEMU</h4>
<p>The open source <a href="http://bellard.org/qemu/">QEMU</a> processor emulator and virtualizer handles __INCOGNITO__ nicely. In fact, QEMU is included in the __INCOGNITO__ distribution for Microsoft Windows users (more about this <a href="#windows">below</a>). In order to start it from the command-line, simply type something like:</p>
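Review bot: the added cold boot line introduces a new typo, "for a good whike" (while), and the same line still has "The more resent the activity" (recent). In the password paragraph, "device mnemonics" should be "devise mnemonics" and "keyboard layout, which have around 90 different characters" should be "which has". The new claims "uncrackable for the remainder of this universe's life span" and "20 random characters is probably more than enough" would be better backed by the figures the text already gives: with about 90 symbols each random character carries roughly 6.5 bits, so 40 characters is about 260 bits and 20 characters about 130 bits. The USB paragraph drops the statement that the system is loaded to RAM without putting any explanation in its place of why the system files are not persistently writeable. Also remaining in this hunk: "law enforcements", "with__INCOGNITO__" (missing space), "your normal operation system" and "performance is a usually a bit worse".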
@@ -276,39 +277,39 @@
<p>If you have severe performance problems you should look into KQEMU which is an accelerator module for QEMU, granting a more direct access to the systems hardware for additional speed. You will most likely need administrator privileges for installing KQEMU.</p>
<h4>VMWare</h4>
-<p>__INCOGNITO__ works very well in <a href="">VMWare</a> with the following <a href="http://files1.cjb.net/incognito/incognito-vmware-1.0.zip">VMWare Virtual Appliance</a> (<a href="http://files1.cjb.net/incognito/incognito-vmware-1.0.zip.asc">signature</a>) devised by the __INCOGNITO__ developers. Simply unzip the file and follow the provided instructions in <code>README.txt</code> which is provided with the archive. The free (<a href="http://en.wikipedia.org/wiki/Gratis_versus_Libre">as in beer</a>) <a href="http://www.vmware.com/products/player/">VMWare Player</a> might be useful for this. In order to get good performance you will probably need administrator privileges when you install VMWare. Note that VMWare is closed source, so it might be hard to determine of it does anything that is bad for anonymity, although it is unlikely.</p>
+<p>__INCOGNITO__ works very well in <a href="http://www.vmware.com/">VMWare</a> with the following <a href="http://files1.cjb.net/incognito/incognito-vmware-1.0.zip">VMWare Virtual Appliance</a> (<a href="http://files1.cjb.net/incognito/incognito-vmware-1.0.zip.asc">signature</a>) devised by the __INCOGNITO__ developers. Simply unzip the file and follow the provided instructions in <code>README.txt</code> which is provided with the archive. The free (<a href="http://en.wikipedia.org/wiki/Gratis_versus_Libre">as in beer</a>) <a href="http://www.vmware.com/products/player/">VMWare Player</a> might be useful for this. In order to get good performance you will probably need administrator privileges when you install VMWare. Note that VMWare is closed source, so it might be hard to determine of it does anything that is bad for anonymity, although it is unlikely.</p>
<h4>VirtualBox</h4>
-<p>Unfortunately __INCOGNITO__ does not work perfectly in <a href="http://virtualbox.org">VirtualBox</a> yet, but we are working on it. That is not to say it does not work at all, just that you will have to tweak it a little. All will go well until the X server is starting, as it will fail due to problems with the auto-detected graphics driver. For some reason the correct driver is not detected, so when you get to the console you will have to change the graphics driver used in <code>/etc/X11/xorg.cong</code> to "vboxvideo", and then run the following command:</p>
+<p>Unfortunately __INCOGNITO__ does not work perfectly in <a href="http://virtualbox.org">VirtualBox</a> yet, but we are working on it. That is not to say it does not work at all, just that you will have to tweak it a little. All will go well until the X server is starting, as it will fail due to problems with the auto-detected graphics driver. For some reason the correct driver is not detected, so when you get to the console you will have to change the graphics driver used in <code>/etc/X11/xorg.conf</code> to "vboxvideo", and then run the following command:</p>
<pre>
<code>/etc/init.d/xdm restart</code>
</pre>
-<p>in order to restart the X server. Of course, it is unacceptable to have to do this procedure at every startup, so this is only for testing purposes. Hopefully this will be fixed in a future release.</p>
+<p>in order to restart the X server with the new driver in place. Of course, it is unacceptable to have to do this procedure at every startup (but this can be mitigated by making a snapshot of the VM state when you have fixed this), so this is only for testing purposes. Hopefully this will be fixed in a future release.</p>
<h3><a name="windows"></a>Running __INCOGNITO__ from within Microsoft Windows</h3>
-<p>Thanks to QEMU, presented <a href="#vm">above</a>, __INCOGNITO__ can be run within Microsoft Windows without the need to restart the computer. QEMU ships with __INCOGNITO__, and is set up so you only have to insert the media when Windows is running and a menu should appear with the option to start __INCOGNITO__ through it. This is especially useful when you are using a computer you are not allowed to shut-down, which can be the case for public computers in certain Internet cafés or libraries. Also, for some some general remarks on QEMU and __INCOGNITO__ as well as some security concerns about this mode of operation, see the above section on <a href="#vm">__INCOGNITO__ and Virtualization</a>.</p>
+<p>Thanks to QEMU, presented <a href="#vm">above</a>, __INCOGNITO__ can be run within Microsoft Windows without the need to restart the computer. QEMU ships with __INCOGNITO__, and is set up so you only have to insert the media when Windows is running and a menu should appear with the option to start __INCOGNITO__ through it. This is especially useful when you are using a computer you are not allowed to shut-down, which can be the case for public computers in certain Internet cafés or libraries. Also, for some some general remarks on QEMU and __INCOGNITO__, and some security concerns about this mode of operation, see the above section on <a href="#vm">__INCOGNITO__ and Virtualization</a>.</p>
<p>Since the __INCOGNITO__ developers do not have access to any Windows computers at the moment, any input if this actually works and how it performs etc. is welcome.</p>
<h2><a name="conclusion"></a>Conclusion</h2>
-<p>By offering you __INCOGNITO__ we hope that you have the technological means to stay anonymous on the Internet. However, we want to emphasize that staying anonymous is <em>not</em> only a technological problem – there is no tool, including __INCOGNITO__ and Tor, that will magically make you anonymous on the Internet. You will have to behave as well. While deep technical knowledge of the architecture of the Internet, cryptology and traffic analysis techniques, and the applications used certainly can help you with that (mainly by knowing what <em>not</em> to do), we believe that some good ol' fashioned common sense and caution will be enough in most cases. Among other things, that includes:
+<p>By offering you __INCOGNITO__ we hope that you have the technological means to stay anonymous on the Internet. However, we want to emphasize that staying anonymous is <em>not</em> only a technological problem – there is no tool, including __INCOGNITO__ and Tor, that will magically make you anonymous on the Internet. You will have to behave as well. While deep technical knowledge of the architecture of the Internet, cryptology, traffic analysis techniques and the applications you use certainly can help (mainly by knowing what <em>not</em> to do), we believe that some good ol' fashioned common sense and caution will be enough in most cases. Among other things, that includes:
<ul>
- <li>Choosing good passwords and not writing them down in stupid places.
+ <li>Choosing good passwords and not writing them down in unprotected places.
<li>Using end-to-end encryption whenever possible.
<li>Not trusting everyone and everything but being a bit suspicious in general.
- <li>;aking an effort for properly authenticating with everyone you are communicating with.
+ <li>Making an effort for properly authenticating with everyone you are communicating with.
<li>Being very careful when dealing with identifying information such as name, whereabouts, the local time and so on. Any such piece of information that you leak will help a would be adversary to get closer to you.
</ul>
-<p>Also, please try to follow the instructions given by security tools as much to the letter as possible. There are situations where one can be creative or improvise solutions, but you should really try to learn when that is appropriate before you do it. For instance, when using PGP encryption you are often asked to verify the authenticity of any new public key that you have just got. If you do not do this it is possible that you are using a compromised key sent by an attacker in a <a href="http://en.wikipedia.org/wiki/Man_in_the_middle_attack">man-in-the-middle attack</a>. Usually the authentication works by presenting you with the key's so called fingerprint, which is a unique identifier for that key. Verification should then be done by asking the other party to send you the fingerprint through some safe channel, which could be anything from telling it by telephone or VoiP (which is hard for an attacker to manipulate on the fly) or even face-to-face, and then making sure that they are the same. Assuming the channel is safe the key sent by the other party and the one stamped on the key should be identical, otherwise something is wrong.</p>
+<p>Also, please try to follow the instructions given by security tools as much to the letter as possible. There are situations where one can be creative or improvise solutions, but you should really try to learn when that is appropriate before you do it. For instance, when using PGP encryption you are often asked to verify the authenticity of any new public key that you have just got. If you do not do this it is possible that you are using a compromised key sent by an attacker performing a <a href="http://en.wikipedia.org/wiki/Man_in_the_middle_attack">man-in-the-middle attack</a>. Usually the authentication works by presenting you with the key's so called fingerprint, which is a unique identifier for that key that cannot be faked. Verification should then be done by asking you friend to send you the fingerprint through some safe channel, which could be anything from telling it by telephone or VoiP (which is hard for an attacker to manipulate on the fly) or even face-to-face (but hen you can exchange the actual keys securely instead), and then making sure that they are the same. Assuming the channel is safe the fingerprint sent by your friend and the one you get from the key should be identical, otherwise something is wrong.</p>
-<p>The above methods of fingerprint verification are of course not always possible, but here is one of those places you can be creative. For example, you could send the fingerprint hidden in an innocent looking image by some means, although this is admittedly not bulletproof. You could make this method safer by first sending the picture to your unknowing recipient and telling him or her how the fingerprint is hidden when you know that it has been received. Additionally, these kinds of tricky exchanges are always better to make over interactive communication channels such as IRC or with instant messaging since that will decrease the window of opportunity for any eavesdropper to interfere. Email is not very suitable as delays are long which gives the attacker ample time to act. An alternative authentication method to fingerprints, used by OTR, is to simply ask both parties of a shared secret that both should know. In this case, do not choose just anything – if someone is watching you they probably know which high school you went to, the size of your shoes and similar facts.</p>
+<p>The above authentication methods are of course not always possible, but here is one of those places you can be creative. For example, you could send the fingerprint hidden in an innocent looking image by some means, although this is admittedly not bulletproof. You could make this method a bit safer by first sending the picture to your unknowing recipient and telling him or her how the fingerprint is hidden when you know that it has been received. Additionally, these kinds of tricky exchanges are always better to make over interactive communication channels such as IRC or with instant messaging since that will decrease the window of opportunity for any eavesdropper to interfere. Email is not very suitable as delays are long which gives the attacker ample time to act. An alternative authentication method to fingerprints, used by OTR, is to simply ask both parties of a shared secret that both should know. In this case, do not choose just anything – if someone is watching you they probably know which high school you went to, the size of your shoes and similar facts.</p>
<p>This is probably the place where we are expected to wish you good luck, but we will not. Relying on luck simply is not good practice in these situations. Stay cool and be smart! Thanks for you time!</p>
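Review bot: The rewritten PGP paragraph in the Conclusion introduces two new typos in a commit meant to fix language issues: "asking you friend" should read "asking your friend", and "(but hen you can exchange the actual keys securely instead)" should read "but then you can". In the same added line, "a unique identifier for that key that cannot be faked" is an absolute claim; wording such as "that is impractical to forge" would be safer in a document that advises readers on authentication. Lines touched by this change also still carry older slips that could be fixed in the same pass: "for some some general remarks" in the Windows paragraph and "hard to determine of it does anything" in the VMWare paragraph (should be "if"). Finally, the Conclusion's opening paragraph still runs into the list without a closing </p>, and the list items are left unclosed; closing them would make docs.html well-formed.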