Through the Web, Darkly

© Copyright 2020 William von Hagen. All Rights Reserved. All opinions expressed in this document are the opinions of the author, except where explicitly attributed to someone else. They are just that - opinions. Free thought and speech are still legal, aren't they?

Released on Amazon and as donation-ware. If you didn't get this on Amazon and liked any part(s) of this document or found it to be useful, please make a small donation via PayPal to or in Bitcoin to 35DnXM3Fg9zvirbraGmUGecLy7EPZiBWsT. Thanks!

Comments welcome. Updates will be ongoing. Any errors are accidental. Please report them to to ensure that this document is corrected.

Heads up! The cover illustration is a public domain photograph of the skull of St. Wenceslaus. Merry Xmas, reader!

ISBN-13: 978-0-578-56194-3

Version 20200526-002

This legend may not be removed from this document by any party. That would be just plain wrong.

Table of Contents

About this book
1. Overview
Cast of hackers
Differentiating between privacy and anonymity
Ways of exploring
Non-reader's checklists
More reasons to worry abut privacy and anonymity
2. Selecting hardware and an operating system
Selecting your hardware
What OS to use when exploring
How Linux is distributed
To VM or not to VM?
Putting together a secure system
Dat Mofo' Linux
Just Browsing, honest!
Kodachi! Gesundheit!
Parrot Linux - Argv, matey!
Qubes OS
TAILS, I win
Whonix do you love?
Recommendation: Which Linux?
3. Installing Linux on a USB stick
Partitioning and formatting USB storage
Formatting the partitions on your USB storage
Writing a Linux distribution to USB storage
Now I have a bootable secure OS - Why read more?
4. How Free Can You Go - Hardware/Pre-OS Security
The Hardware to Software Hand-Off: The Boot Process and GNU
How Modern Booting Works
Boot Process and Other Low-Level Snooping
Finding Freedom with CoreBoot and LibreBoot
Other Low-Level Scheiss
5. Making a Windows 10 system secure
Overview of securing a Windows 10 system
Things to think about for a clean install
Which version of Windows to start with?
Storage encryption is job one
Installation requirements
Locking down a Windows 10 system
Creating a save point
Creating a new user for "experimentation"
Stopping personal data donation
Locking down and expediting Windows Updates
Selecting and running anti-virus software
Selecting a browser and maximizing browser security
Exensions for any browser
Random security and usability optimizations
6. Dress for success, er, privacy
Protecting your data and the box it comes in
Physical protection: Faraday cages and you
Counter-Surveillance Devices
Data protection: passwords and encryption
Encryption is still job one
Wiping your electronics quickly
7. My kingdom, or 0.005 bitcoin, for a VPN
Why a VPN?
What is 5 EYES and why do they suck?
How does the Patriot Act bite you in the ass?
Censorship is to knowledge as lynching is to justice
Avoiding DNS filtering, hijacking, and redirection
Freedom by proxy
Useful browser extensions
Censorship circumvention tools
Must-have VPN features
Some popular commercial VPNs
Free VPNs with a caveat or two
VPN alternatives
Smart DNS
SOCKS 5 tunnel for tor
Rolling your own really-close-to-a-Linux-VPN
Is my VPN working?
Using web sites for VPN testing
Testing your system for identity leaks
Manually examining network addresses
8. Obtaining, installing, and configuring the tor browser
Tor, good god, what is it good for?
Tor in a nutshell
Host lookups in Tor
Tor circuits
Obtaining and installing the Tor browser
Verifying download integrity
Installing and running downloaded Tor
Configuring Tor
Verifying and fine-tuning tor
Becoming a Tor relay
Using Tor bridges
Verifying connectivity and resolving timeouts
Avoiding browser fingerprinting
Developing good, paranoid browser habits
I insist on using some-other-browser
Opening .onion links in vanilla Firefox
Opening .onion links in Chrome
Using a SOCKS5 proxy and any browser with the Tor service
Browser tips for any browser or browser combo
Chrome by day, chromium by night
9. Creating secure email and alternatives
Creating a secure email account
Encrypting and decrypting email
Generating a public/private PGP key pair
Encrypting a message using a public key
Importing public user keys to your keyring
Encrypting a message using a GUI
Decrypting a message
Payment for my Heroin Order
Using a disposable account for notification
10. Hiding files, directories, and partitions
Block device encryption strategies
VeraCrypt kicks ass, er, is great!
Obtaining and installing VeraCrypt
Creating a decoy and hidden volume
Using the volumes
Mounting decoy and hidden VeraCrypt volumes
Listing mounted VeraCrypt volumes
Unmounting a VeraCrypt volume
Muddying the water
Creating litter and footprints
Hiding commands
11. Finding stuff on the dark web
Opening links in the "right" browser
Dark web directories
Dark web search engines
Dark web markets
Public services on the dark web
Bulletin boards, chats, and social sites
News and information sites
Commercial services
12. Crypotocurrency 101
What is a blockchain?
How does blockchain work with cryptocurrrency?
Earning cryptocurrency by adding to its blockchain
Getting Bitcoin and other currencies
DIY Mining: There's crypto coins in them there algorithms
Good times at the mining pool
Contract/Cloud Mining: They'll drive and pay for the power
Storing Cryptocurrency
Overview: Single currency and multi-asset wallets
Hardware wallets
Software wallets
Using an exchange
13. Buying and safely paying for stuff
Keys to buying (and paying) anonymously
Secure credit card payments
Choosing dark web payment models
Mixing payments to aid anonymity
Concluding payments and purchases

List of Figures

1.1. Hacker News image of web levels and types
2.1. Dat Mofo' Linux desktop
2.2. Just Browsing boot screen
2.3. The Kodachi Linux startup screen
2.4. The Parrot Startup Screen
2.5. Applications > anonsurf menu in parrot
2.6. Qubes OS desktop
2.7. The Startup Screen for TAILS Linux
2.8. Starting tor in TAILS
2.9. Whonix-Gateway desktop
2.10. Whonix-Workstation desktop
3.1. Using mkfs.ext2
3.2. Using mkfs.ext3
3.3. The unetbootin web site
3.4. Downloading unetbootin from its web site
3.5. Using unetbootin
3.6. Status screen while using unetbootin
3.7. The unetbootin success screen
5.1. Well, at least they're honest about one thing
5.2. Basic approaches to installation
5.3. Creating an account during installation
5.4. Creating a save point in the Control Panel
5.5. Enabling protection on your system drive
5.6. Creating a save/restore point
5.7. Returning to a restore point
5.8. Displaying a new local account
5.9. General Windows settings
5.10. A maze of twisty settings, all different...
5.11. Changing General privacy options
5.12. Disabling system-level speech recoognition
5.13. Disabling typing monitoring
5.14. Minimizing diagnstic and reporting feedback
5.15. Managing activity tracking
5.16. Customizing location
5.17. Disabling your camera
5.18. Configuring Windows Updates
6.1. Sample Phoenix BIOS settings screen
6.2. Sample Award BIOS settings screen
7.1. IP connection info from Perfect Privacy
7.2. IP test info from (Air VPN)
7.3. Top-level IP address info from
7.4. Various IP and browser tests from
7.5. A suspected DNS leak from
7.6. Linux/Mac OS script to look up IP address info multiple ways
7.7. Sample Linux routing table
7.8. Sample, simpler Linux routing table before starting a VPN
7.9. Sample, simpler Linux routing table after starting a VPN
8.1. Displaying a Tor circuit
8.2. The Tor project's download page
8.3. The tor browser on another Linux distribution
8.4. Connect to Tor dialog for tor browser on Windows
8.5. Tor browser running on Windows
8.6. The Tor browser's Configuration (hamburger) menu
8.7. Configuring Tor security levels
8.8. The Tor project's bridge integration page
8.9. Requesting a Tor bridge of different types
8.10. The Tor check project page
8.11. Checking for browser tracking and fingerprinting
8.12. Danger, Will Robinson, Danger!
8.13. Successful connection (check url!)
8.14.'s animated timeout page
8.15. Tor2web connection failure
8.16. Tor startup and SOCKS5 proxy script for MacOS
8.17. Checking Crome and the SOCKS5 proxy
9.1. The Protonmail secure email provider
9.2. Getting a user key for transaction messages
9.3. User key as part of user profile
9.4. A GUI for PGP Encryption
9.5. The Guerrilla mail disposable email provider
10.1. VeraCrypt hidden volume layout
10.2. VeraCrypt startup screen
10.3. VeraCrypt Volume Creation Wizard dialog
10.4. VeraCrypt Volume Type dialog
10.5. VeraCrypt Volume Location screen
10.6. The Specify a New VeraCrypt Volume dialog
10.7. VeraCrypt Outer Volume Encryption Options screen
10.8. VeraCrypt Outer Volume Size screen
10.9. VeraCrypt Outer Volume Password screen
10.10. VeraCrypt Outer Volume Format screen
10.11. VeraCrypt Hidden Volume Encryption Options screen
10.12. VeraCrypt Hidden Volume Size screen
10.13. VeraCrypt Hidden Volume Password screen
10.14. VeraCrypt (Hidden Volume) Format Options screen
10.15. VeraCrypt Cross-Platform Support screen
10.16. VeraCrypt Hidden Volume Format screen
10.17. VeraCrypt Informative screen
11.1. The Tor Hidden Wiki
11.2. The TorLinks directory
11.3. The Candle search engine
11.4. The Torch search engine
11.5. UnderMarket 2.0 market
11.6. R.I.P., Wall Street Market
11.7. Random items for sale at a random site
11.8. The Torum site
11.9. ProPublica investigative journalism site
11.10. The Protonmail secure email provider
12.1. Atomic Wallet
12.2. Exodus
12.3. Jaxx Liberty
12.4. web wallet

List of Tables

5.1. Additional device/app security settings
5.2. Customizing application use of personal data
5.3. Customizing phone number, call data, and email security
5.4. Customizing device and process security
5.5. Customizing personal data security
6. Common cyrptocurrencies and symbols

About this book

This book started out as a simple explanatory document - how to safely and anonymously access the dark web so that you can share in certain types of information and victim-less commerce without being arrested. A big part of how people can be arrested due to their actions requires that they can be identified and that their actions can be uniquely tracked back to them. Therefore, the more that I wrote about privacy and anonymity, the more scared I became regarding how supposedly private, personal information can be collected to enable tracking people and ideas on the web. Someone who's tracking people may just want to join a fan club, or they may want to collect people's info to sell ring-around-marketing, worm ouroboros-style to each other.

I have opinions and you should too. I don't even care if we agree, just that our opinions are honestly held and intelligently arrived at. Marketing, data collection, and advertising taken to their logical extremes can be very scary things. We all should have the right to think and make decisions for ourselves, and it just isn't that way any more. Witness the idiot who is our president, the greed of his entourage, and their wish to control everything for something as pitiful and sad as money. Personal data collection begat personal tracking, which begets monitoring people and locations, which begets control, which... I think you see where I'm going with this.

This book should help you protect yourself and to think about how personal information can and is being collected and could be used. A few extra seconds taken now to privatize and anonymize your communications and identity are seconds that are very wisely spent, regardless of whether you're worried about being arrested tomorrow or simply about being rounded up twenty years from now because of that verdamnt "free speech" thing.

This book is released on Amazon and as donation-ware. If you didn't get this on Amazon and liked any part(s) of this document or found it to be useful, please make a small donation via PayPal to or in Bitcoin to 35DnXM3Fg9zvirbraGmUGecLy7EPZiBWsT. Thanks!


I accept no liability or responsibility for the information that is contained in this book. It has all been tested and verified by some guy that I know with a CS degree and years of systems-level experience.

Comments welcome. Updates will be ongoing. Get them from my website, Any errors are accidental. Please report them to to ensure that this document is corrected.

Chapter 1.  Overview

When you access the Internet, you’ve finally reached a maze of twisty passages, all different - at least, what most people think of as the Internet. In reality, the Internet is just a zillion cables and connecting devices on which data is flowing back and forth; data that is reached and shared by many applications using many protocols, some of which are compatible. The big reason all of this exists is for sharing information. The military wanted the Internet, which was then called the ARPAnet (for the Defense Advanced Research Projects Agency network) and wanted this to preserve control during World War III or earlier. What they got was an open network for sharing information, a network that was designed by researchers, academicians, business people, hippies, and crackpots. In today’s most popular way of sharing information, the world-wide web (www, W3, or simply “the web”) , most of the information that is hosted on the web is public or password-protected, but is still intended for widespread use by commercial entities and/or regular people.

Luckily, there is also a large amount of network traffic on those same wires that isn’t as boring as buying a pair of shoes or investing in tulip bulbs. According to researchers and other randoms, only 4% of the network known as the Internet is visible to most people - the rest bubbles under the surface. Before you get all excited and buy a bathysphere, the invisible 96% is primarily a thick commercial oil slick that supports corporate Internets and commercial transactions. Of that 96%, a tiny sliver is information yearning to be free, which maintains that freedom using a security though obscurity model. If most people can't see or find it, its content can't offend or be destroyed by them. These layers of different audiences and types of content make it easy to think of the internet as being composed of three virtual layers:

  • Surface web - anything that can be indexed/found by a standard search engine (Google, Yahoo, etc.) and accessed with no special magic by regular or authorized users. This is the billion-site 4% that most people think of as “the web”. Also commonly referred to as clearnet due to its openness and lack of encryption - available to all and readable by all.

  • Deep web - anything that is not indexed/findable by a standard search engine or which is only intended for use by internal applications. This is generally site- or company-specific data that is designed to be accessed by privileged users using (under the covers) special query engines to locate content based on SQL, SQL-like, or NoSQL queries and applications.

  • Dark web - a subset of Deep web content, the Dark web is content that was hidden intentionally and cannot be found via standard tools, authentication models, or browsers. Often requires a special URL and access protocol. Discussing what’s out there and how to safely access and explore that content are the reasons for this book. There are other dark networks that are only discussed in passing in this document. How dark nets such as I2P, Freenet, and even GNUnet are accessed and work is outside the scope of this document.

Figure 1.1. Hacker News image of web levels and types

Hacker News image of web levels and types

So what is the dark web’s content? Amazing stuff with very few rules except technical ones about security and doing business there. Guns. Drugs. Dead drops for securely sharing top-secret information. Reporters without Borders. Political manifestos. Lists of potential hack targets. Fake jewelry. Stupid information about strange sexual practices and rituals that would make Aleister Crowley blush. Counterfeit currency. Fake birth certificates. More hacks. Fake IDs. It's like being catapulted back into the early wild west days of the ARPAnet, when freedom was just another word for liberation. The freedom of the dark web is due with thanks to the Tor project and the Tor browser (see the section called “ Tor, good god, what is it good for? ”). Read on!


As the previous paragraph indicates, there's an amazing variety of stuff out there on the markets of the dark web. Some things are only legally wrong because that's the result of short-sighted scumbags who force you to agree with them and punish you if you do not. But there certainly are things out there that are morally wrong. IMHO, I could care less if you want to smoke or ingest some flower bulb sap, plant leaves, or mold derivative, or want to give yourself a new identity.

This book explains how to go shopping, not what to buy or why. Some things, like carding (buying or using stolen account data or credit card numbers) or hiring a hit person (bang!) are not victimless, and thus aren't discussed here and and are definitely not advocated. AFAIAC, the whole idea of freedom is about freedom, personal responsibility, and not stealing from or harming your neighbor. Unfortunately, freedom applies to everyone, which means that you have the freedom to be stupid - a religious terrorist, a child-pornography manufacturer or propogater, a right-wing or facist lunatic, and so on. Again, true freedom is sadly for everyone. The ACLU once had to defend a white Nazi march though a Jewish area - the good guys have to good towards everyone, even the idiots. Please just try to be one of the good guys.

This book may not be as cool or counter-cultural as some other dark web books. You may just really want to know about the dark web and how to explore it, rather than looking for a new philosophy. You can make up your mind all by yourself! On the other hand, if you need somebody to protect you from something intangible or you’re afraid that you’ll cut yourself on a sharp word, take the door over there by the sign that says “This Way to the Egress”, and enjoy that legendary creature first. Call me later.

If everything I’ve said so far sounds like it might be interesting, illegal, or you simply don’t care because that’s up to the individual, the alternate river of information that is the dark web may be for you. Read on and remember to never, ever shoot the messenger.

Cast of hackers

Speaking of shooting the messenger, be aware that there are a few basic classes of people that understand how the web works and have the smarts to do something about it (or are curious enough that they’ll know RSN). The first are hackers (AKA white hats, grey hats, and black hats), which is the term that I use to describe smart, curious people who want to understand and experiment with how software and hardware work. Names like white hat, grey hat, and black hat come from the color of wizard’s hats and robes in role playing games and fantasy novels, and are used to identify sets of hackers with different motivations.

White hat hackers are the good guys of the software universe, exploring and experimenting with software and hardware to learn about it, identify problems, and report them (occasionally complete with fixes). Next in line, but in the same class, are the grey hats. The second line of true hackers, grey is almost white, but sometimes crosses legal lines to do the right thing. Finally, there are the black hats, who want to profit from their arcane knowledge and don't care how many other people get hurt while they're making their poisoned profits.

A separately-named second group of knowledgeable folks are crackers (often the same as your black hats), who have the same white/grey knowledge but also have malicious intent and are scummy enough to want to profit from their wizardly knowledge. They may exploit a known security hole to encrypt your data and then charge you for the encryption key so that you can get your data back. They may hack some corporate site, dump its customer data, and then sell it to the competition or other crackers who can use it for spam or to charge 10,000 pizzas to your MasterCard. Scumbags. They often also simply package up the hacks that they know so that others can do the same things but without having to understand or figure out how they worked. Selling or distributing pre-packaged sacks of hacks enables people known as script kiddies (AKA skiddie or skid) to use them to look like they’re smart. They’re not dumb either - in fact, they’re at least smart enough to avoid reinventing the wheel.

Various flavors of hackers are usually the good and the bad of computer-savvy folks on the web, but there’s another computer-savvy class that you must not overlook - the ugly. These are the cops and other people whose job it is to make sure that you play by their rules, even if the rules are stupid. Do not EVER make the mistake in thinking that law enforcement dweebs are stupid or “won’t notice” if you just buy one AK-47 or one kilo of cocaine off the dark web. They have a lot of smart people who believe that they are doing the right thing, which is an uninterruptible delusion. If you’re smart and the least bit paranoid (which doesn’t mean that they’re not after you), you’ll use some of the security tools we’ll discuss, and you’ll use them ALL OF THE TIME. There’s no real penalty in doing so, but not doing so can get you 5-10 and a lovely ankle bracelet that goes with any outfit but clashes with freedom.

The final group of people, the one that really matters the most, is you and me. Right now, we’re just curious - WTF is the dark web, what’s out there, and how can we access it if we want to? Maybe we’ll grow into hackers, but right now, we just want to know. This is the information age, and there are zillions of companies out there analyzing every character we type and packet we send so that they can get information that they can sell somewhere or which they can use to better target us when selling ads or whatever. The dark web is about accessing information that we want to see, without someone tracking it or us. Our ideas and our decisions. The dark web is all about seeing what we want to see without some monetary, social, or political scumbag forbidding that, tracking what we’re looking at, or monetizing our curiosity and interests.

Censorship comes from the idea that “It’s my network, so I get to control what’s on it.” This stupid idea is like saying “It’s my electric socket, so I get to control what’s plugged into it”. George Orwell ain’t got nothing on such dummies! It’s not my fault that the Internet has been commercialized rather than being treated like every other public utility, only paying for bandwidth, amount of power used, amount of water consumed, and so on - and not what that water, power, or connectivity is being used for.


One tip before you read further - the US sucks in terms of privacy and anonymity! Do not use any US-based VPN or security service because the US is a partner in the 5EYES eavesdropping system (see the the section called “ What is 5 EYES and why do they suck? ” for more information). In general, US companies seem to see selling customer information without asking as yet-another-revenue-stream. Sigh...

Information wants to be free, and so do we!

(And so, BTW, does Ross Ulbricht - he may have been a bit sloppy, but he doesn’t deserve crucifixion...)

Differentiating between privacy and anonymity

The core difference between privacy and anonymity is "what" versus "who". When surfing anywhere, you want to make sure that no one knows what you're saying. When surfing the dark web, you want to make sure that no one knows who you are. Anonymity is the difference between simply shouting "fuck you" in a crowded auditorium and standing up and shouting it. Privacy is when no one could understand you except the person that you were saying it to.

In nerdier terms, anonymity is security of identity, whereas privacy is security of content:

  • Anonymity: Using the tor browser, Tor service, or a proxy will provide anonymity because no one will know where/who your request is actually coming from. In the first two cases (Tor), it will appear to be coming some random host that is running a Tor exit node. In the proxy case, it will be coming from the proxy. in none of those cases, will it be coming from your IP address (whether assigned by your ISP or by whatever VPN you're using).

  • Privacy: Using HTTPS or other browser-based forms of encryption will guarantee privacy because no one except the recipient will be able to decrypt the content that you are sending. This will not guarantee anonymity because malicious randoms (like those working for the NSA or other three-letter acronym agencies) can still identify the IP address that you're coming from.

Some browsers have a "private" or incognito mode that had very lite to do with privacy of content. These modes do not use existing browser history and do not use existing cookies, but they do prevent your browsing from being tracked, do not conceal or change your IP address, and only delete web browsing history when you exit from the incognito/private mode. The goals of these modes are to enable you to surf without dragging along your usual web baggage, thereby reducing the value of this tracking to your favorite online data vampires`.

This document explains how to guarantee (as much as is possible) both of these by using a VPN and a privacy tool such as the tor browser. In the cases of anonymity and privacy, more is indeed better.


Just when you thought it was safe to go into the water, you also have to worry about browser fingerprinting, which is a way that TLAs try to identify you by usage patterns, browser characteristics, or both. For more information, see the section called “ Avoiding browser fingerprinting ”.

Ways of exploring

If you're like me, you have the patience of a fruit fly and just want to start exploring the dark web. Unfortunately, anonymity and privacy are the keys to exploring a "secret" network that contains questionable content, and they take some time to set up. Therefore, this document discusses several general hardware/software models for accessing the dark web, with notes about the security of each:

  • Customizing an existing system: while this is obviously the fastest and easiest way to get to the dark web, it is also the least secure and most dangerous. Your account and the existing system itself are probably already full of stashed browser cookies, information leaking browser extensions, "slightly incorrect" configuration, tattle-tale applications and accounts, and much more. An existing laptop or desktop system is also usually unencrypted and physically insecure.

  • Creating a new computer system: building a virgin system with encrypted partitions, installing the necessary software, and hardening everything is very safe and secure (content-wise), but has the same physical security concerns as using an existing system. Content security is the security of the information in your files; physical security is the security of the computer and storage devices that hold those files.

    If everything is encrypted and configured for security, a system such as this will protect your data from everyone except for the NSA and a secret grotto full of supercomputers. However, there are still two possible problems:

    • You could accidentally use the wrong system or leave clear data behind unless your new system is obviously different and thus easily recognizable

    • Your system itself can still be seized or stolen, so you could either lose everything (but it would still require decryption in order to have the content abused/stolen) or (worst case) have your data exposed due to some accidental misconfiguration. Maintaining secure backups is critical, and will be discussed later.

Non-reader's checklists

If you're already tired of reading and just want a checklist or two so that you can be sure you're doing the right things in the right order, here 'tis:

WARNING: Following the preceding list will only protect you if you never buy anything on the dark web, never sign up for anything on the dark web or give out your vanilla email address, and do not use the same browser to surf the surface and dark webs. If you want to do any of these things, for God's sake, read the appropriate parts of this book before you begin exploring the darkness!

More reasons to worry abut privacy and anonymity

In this document, I will call idiocy and close-mindedness "idiocy and close-mindedness" whenever I think it applies. I'm not wearing a tin-foil hat, nor do I even own one. If you think that I'm overly critical or paranoid, please read the articles and sites listed in this section.

Government and online personal information collection are runaway trains, and the engineer (at the moment) probably can't even figure out ROT13. We are wasting billions making plants and chemicals illegal and jailing violators, when plenty of actual victim-ful crimes exist to choose from. Stop the former, and use the cash savings to help people! Let Charles Darwin, not Adolph Hitler, deal with stupid people. Privacy and anonymity are inalienable rights, and we should always have the right to think, so please do so:

Fix the way things are, and avoid the crap until then!

Chapter 2.  Selecting hardware and an operating system

The word "security" usually invokes the idea of protecting something from intrusion by something else. In the case of our pursuit of the dark web, there are two sides to the security coin:

  • the traditional one of protecting your system against attacks, virii, and things that go hack in the night

  • protecting your and your system’s identity and not leaving footprints behind you as you explore the dark web

A zillion packages can fill the first role, from open source packages like ClamAV (with the ClamTk front end) to traditional commercial heavyweights like Norton (owned by Symantec). Lots of book and articles can help you find the best of those. (I pay for Malwarebytes myself. Both the package and the name are great!)

The second, privacy and anonymity role is a combination of software packages and security-oriented operating systems, and is germane to the dark web and this document. All in all, you can’t leave your IP address behind or access the dark web from an IP address that can explicitly be tracked back to anywhere, let alone to any specific geographic location, non-spoofed IP address, or (God forbid) a specific host owned or operated by a specific person - you (and if you’re not careful, soon also known as inmate 3.147159). You may want to avoid having your system preserve any browser history or many files of standard user data, and avoid exposing any network ports, services, or capabilities that it doesn’t have to so that there are as few opportunities for obfuscated ways of logging or preserving data as possible.

When should you use encryption such as that provided by a VPN? Always. Always encrypt or you might as well be turning a spotlight on what you’re working on when you do use it, saying “Hi, I’m important data, so check me out”.

This chapter introduces the basic characteristics of Linux, using it to browse and interact with the dark web, and how Linux is distributed. It focuses on accessing the dark web from an actual desktop, laptop, or tablet computer, NOT from a smart phone. Though I have had my fingers sharpened many times, I still can’t do real work from the dinky keyboards offered by today’s smart phones.

The rest of this chapter discusses some recommended operating systems you may want to use to access the dark web, and how you may want to run them. These sections also discuss the security requirements of different types of systems that are designed to let you safely explore the dark web. I’ll also discuss the types of packages that you would add to an existing system to make it safe to surf the dark web without picking up any virii or other unwelcome hitch-hikers.


Though I advocate using Linux, the Mac and *BSD* platforms are also excellent choices for an actually secure (unlike Windows) platform for exploring the dark web. After all, today's Macs run their GUI on top of a FreeBSD variant. For true newbies or Linux chauvinists, BSD stands for Berkeley Software/Standard Distribution, which is the name of the UNIX version forked from AT&T UNIX by Bill Joy and others before he moved on to help found Sun Microsystems, develop SunOS, and develop (gak!) Slowlaris, er, Solaris. I was originally a BSD fan, but I am much more familiar with the details of Linux nowadays. If you're curious about hacking the dark web from one of the *BSD* platforms, see TrueOS (a FreeBSD variant), which is an excellent flavor of *BSD*. There's always FreeBSD itself, NetBSD, and many more.

Selecting your hardware

If you're going to really follow this book's suggestions to the letter, you'll want to do a clean install of your OS of choice (more about Linux in the next section) on a virgin machine that you've bought for that purpose. I'm only going to discuss laptops here because (1) they're portable if you need to take the evidence out the back door and (2) they're also light and small enough to hide or throw into the ocean or under a bus if some TLA is closing in. Oh yeah - (3), the hardware is smokin hot.

There are a zillion good machines out there, but my recommendations are any of the following (though the list is in order):

  • Purism Librem systems - As their tagline once said Purism: Beautiful, Secure, Privacy-Respecting Laptops. (They now have desktops too, FYI.) These machines are designed by smart engineers and clever hackers using *only* open source processes and designs, and have some great features like physical switches that control whether sound and wireless networking are active. The only downside is that they top out at 32 gigabytes of memory, which is great for a hacking box, but not for a one-size fits-all system for handling, for example, audio and video editing. They are also beautiful. Kyle Rankin, Linux Journal's GOTO hardware and security editor is their Chief Security Officer and all-around pretty nerdy face. (That's a compliment!) Buy one today!

  • System 76 Systems - System 76 has been focused on Linux since day one of their corporate existence, and it shows. I got my first of their boxes in the very early 2000s, and have never regretted buying it or newer flavors. They have a complete line of Linux boxes for just about anything: laptops, desktop and mini boxes, and servers. Their laptop naming convention reeks of Ubuntu, but what the hack, er, I mean heck. They're also great because their support folks are knowledgeable without a script. Their laptops are a powerful delight, and max memory of 64GB means that you can have multiple accounts for work and play (whatever that is).

  • Alienware - Once an independent company, Alienware is now a wholly-owned subsidiary of Dell Computer, that proves that Dell can still build sexy machines. They're primarily marketed as gaming systems, which translates into "high power and nice looking" for our purposes. I disagree with some of their marketing, like "light-weight", since I have one of their laptops that would even induce a hernia in Arnold Schwarzenegger, but it would sure look nice beside his hospital bed. The Alienware boxes are powerful and attractive machines which are good for anything but beg for hacking. They come with Windows pre-installed, so they're great for the Windows hackers among you.

  • Pinebook - To help an OS that's hard to hack, Pinebook brings you laptops that use ARM processors, not those from Intel or AMD. All system hacks must therefore be specially compiled for these boxes which is rarely worth it given their (currently) small market. Forget about lots of the driver or OS hacks in the first place! Their focus on openness and community is as strong as Purism's, but it requires more work because you will have to do lots of thingsv yourself. Thankfully, you can get a Tor build for ARM, but no commercial Linux software - like a VPN - offers an ARM version that I'm aware of. These are completely open source machines that are also impressively affordable.

There are plenty of other great machines, and some that even focus on Linux, but with which I have no experience. I love experience though, so if you work at one of those companies, send me your highest end box! I'll take it for a lot of spins, and add it to the good list unless it sucks.

What OS to use when exploring

There are many operating systems out in the world today, the main ones being Microsoft Windows, Apple’s OS X, the *BSD* versions of modern Berkeley Unix, and a zillion flavors of Linux. While the choice of which operating system you want to run on your desktop computer is often both a philosophical and aesthetic choice, the choice of which operating system you want to use to explore the dark web is simply selecting which secure, controllable hammer to use. AFAIC, the answer is one of a few Linux distributions that have been created with powerful support for security, anonymity, and privacy, and focusing on that. Linux is open source, except for a few applications that we don’t care about for the purposes of this book.The open source nature of Linux, where you can get the source code for any application, read through it if you have the time and knowledge, and build it for yourself if you want, protects you against any virus or malware being inserted into the code without your knowledge. (Tip: watch out for external code that’s being linked in!) The Linux security model of installing and managing applications and services protects you from accidentally installing persistent viruses or malware, such as keyloggers, that always run on your system and ether corrupt it or call back to a hostile cracker’s mothership every five minutes.

The tools for exploring the dark web are available for all modern platforms, but the base for all platforms except the Linux ones is a generic one-size-fits-all commercial platform that includes a lot of system and basic commercial apps that don’t help explore the dark web and just provide virus or malware targets. Maybe that should be one-size-doesn’t-fit-anybody. As far as the dark web is concerned For this and related reasons, I’m going to focus on a few great Linux platforms that provide different approaches to the dark web, so that you know what’s out there, how they work, and you can pick the one you prefer. Don’t worry - I’ll also tell you what I use and why ;-) I’ll also provide a copy that ready to go, and is just a download away.

How Linux is distributed

Linux distribution are distributed or downloaded in one of two ways:

  • a bootable ISO (International Standards Organization) image that can either be booted from directly or burned to a CD or DVD which can then be booted from. In all cases, what you boot into from these media is either an installer, which lets you permanently install the distribution on some other media such as the hard drives in a system, or a live distribution which you can execute and run from directly. Some bootable ISO images come with other partitions that can be mounted and written to so that you have some form of persistent storage even when running from an ISO.

  • As an archived appliance (OVA) that you can install on a system using a virtual machine manager (VMM), and then run from the installed appliance within the context of that VM Each of these approaches to installation and execution has advantages, disadvantages, and caveats, which we’ll discuss throughout the rest of the chapter.

To VM or not to VM?

When selecting an operating system for safely and securely accessing the dark web, a good initial question is whether you should use real hardware or a virtual machine (VM). A virtual machine is a computer system that only executes as software which runs under other software (a virtual machine manager) on another host, typically a physical host. Using a virtual machine to access the dark web has a big advantage in that the most fundamental characteristic of a VM is that nothing crosses the real world/VM boundary except though a service that is intentionally hosted on the virtual machine. This prevents virii and malware from attacking the VM from the host computer system because they literally can’t reach the VM except when “invited in” just like one physical host infects another. Treating the VM like “just another machine” is a great thing except that, by default, all network services and virtual machines on a machine with a single Ethernet connection and which is part of a Virtual Private Network (VPN) go through the VPN. This means that any public services that you expect people to find at a given IP address (whatever is registered for that host via DNS or DHCP) will not be there because they are now using the IP address assigned to them through the VPN.


The whole "Should I use a VM?" question becomes somewhat moot if you decide to run a virtual machine-oriented version of Linux, such as Whonix (the section called “ Whonix do you love? ”) or Qubes OS (the section called “ Qubes OS ”), to access the dark web. Whonix must be run inside VirtualBox (at the moment - KVM support is coming, where Linux is the hypervisor), while Qubes OS requires the Xen hypervisor.

Using a VM (virtual machine) to access the dark web gives you an extra layer at which you can obfuscate your IP address or otherwise manage the security of your site and connections. The most important issue about whether you should access the dark web from a VM is the degree of control you have over the host on which the VM is running. A compromised host could send virtual machine information (IP address info, running process list and anything else that could be swapped from the VM into disk space on the host) and direct host information (keylogging, which could capture both host and VM info, the VM info being that which is in the VM which could be swapped out onto the host, and host-specific info (keylogging). If you “own” the host, this isn’t an issue, since you can protect both it and your VM with appropriate software.

A good stack on a host that you control is the following:

  • Vanilla Linux privacy-oriented host system running anti-virus, anti-malware, and VPN software with as many other services disabled as possible

  • Encrypted container located in the host filesystem that can be unpacked to expose a VM that, when mounted, runs privacy-oriented Linux and the Tor browser. Files can be saved in the VM filesystem to preserve those files across system boots.

If you cannot control the host, you can still explore the dark web with a USB-based Linux distribution with both a VPN and the Tor browser installed. The USB stick can even be partitioned so that a partition can be mounted to enable you to save large files as required and unmounted to preserve those files across USB boots. Linus distributions that run a Ubuntu-based Linux kernel can also support persistent storage, where the filesystem records changes and stores them in disk space that is overlaid on the base root filesystem.

Several of the distributions discussed in this chapter provide releases that can be written directly to and booted from a USB stick. You can take the USB stick to any machine that can boot from USB, boot from the stick and do whatever you want on the dark web (or anywhere), then shut down, remove the USB stick, and no one knows what you've done, or where.

The downside of a non-encrypted bootable system for dark web exploration is that if stolen or seized by the law, its contents can be explored and possibly used to incriminate the operator.

Putting together a secure system

On an Internet-capable system, your Internet Protocol (P) address is the easiest way of locating and identifying network traffic to and from your computer. No big surprise there - that’s how systems know where to send packets in response to queries or simple network traffic that you or your system originated. I’d say that an IP address obfuscation mechanism (which I’ll soon discuss in the context of a Virtual Private Network (VPN)) is the key component of a secure system were it not for the fact that a secure operating system is the best context for secure network communications. The next section discusses many popular and secure Linux distribution and systems, and explains some of the pros and cons of each. The beauty of comparing and selecting a secure Linux system is that they are all alike at some level, so one explanation usually works for many Linux distributions.

I’ll talk more about VPNs in Chapter 7, My kingdom, or 0.005 bitcoin, for a VPN , but let’s first finish discussing the OS. Regardless of whether you want to use a virtual machine or a physical one, that machine should run Linux. Why? Most of that was explained earlier, but another very real reason is that the Linux kernel is the powerful and flexible cornerstone supporting a tremendously wide range of utilities that include everything you’ll ever need to use with the dark web. There are also many, many users of Linux distributions that target security and anonymity, and many of the creators of these distros actually read the code. The chance of some cracker slipping malicious code into one of these distros is extremely small. The chance of any one of these distros being very secure and a great thing to learn from is very high.

The next few sections discuss some amazing secure/anonymous/small Linux distros with details about each and a discussion of features and potential problems. A big thank-you shout out goes to the Deep Web Sites links site for keeping us up to date!

Dat Mofo' Linux

(Home Page:

A big part of my first computer science job out of college involved morphing Vaxen running 4.1 BSD into Vaxen running 4.2 BSD when the latter was released. As part of this "effort", I built and installed a Usenet application named jive as a pre-processor for the man command, which simply replaced every instance of "Unix" with the phrase "dat mofo' Unix", much to the delight of co-workers. That was quickly followed by orders from management for its removal, who did not seem to think that official systems repeating "dat mofo' Unix" over and over was very mature. (Their exact request was phrased slightly differently.) Imagine my delight when I spotted Dat Mofo Linux as a serious contender for Linux distributions that focused on anonymity, privacy, and “defeating state censorship”.

Supporting anonymity, privacy, and “defeating state censorship” are worthy goals that are well-addressed by Dat Mofo Linux. The current release at the that this document was last updated, Dat Mofo Linux 7.0 is based on Ubuntu 18.04.2, and features a version 4.20 of the Xanmod Linux kernel, a fine-tuned Linux kernel with many desktop/gaming timing, latency, and performance enhancements. Though it's rare to find a GPL project with multiple streams that are under active development at the same time, the Linux kernel is one of the cases in which the code is huge enough and the changes associated with different development paths are pervasive enough to justify forking the source code base.

Figure 2.1. Dat Mofo' Linux desktop

Dat Mofo' Linux desktop

Dat Mofo Linux (hereafter referred to as DML) comes pre-bundled with the following applications and services, to name a few:

  • Tor Browser, Onion Share (file sharing over Tor), Tor Messenger

  • Psiphon and Lantern domain fronting proxies

  • I2P and Freenet for dark web access

  • OpenVPN, SoftEther, Outline, and WireGuard VPNs

  • Streisand and Algo VPN Server Managers

  • Interplanetary File System (IPFS) - peer-to-peer distributed file system

  • Signal, Telegram, and Riot instant messaging

  • Kodi media center, WebSDR, OpenWebRX software defined radio

  • Veracrypt, zuluCrypt, and Ecryptfs file/folder/partition encryption

  • Bleachbit disk wiping utility

  • DNS-Over-TLS

All history, caches, and logs are automatically and thoroughly purged at system shutdown. DML can be booted from a CD, DVD, or USB stick, meaning that it can be used as a live OS.

The system requirements for DML are much the same as for Ubuntu 18.04, with the exception of those that are necessary to take advantage of the XanMod kernel. XanMod is a general-purpose Linux kernel distribution with custom settings and new features. Its goal is to provide a more rock-solid, responsive and smooth desktop experience. it can be used with any recent 64-bit Debian and Ubuntu-based system.

Just Browsing, honest!

(Home Page:

Just Browsing Linux is, well, just for browsing the web, leaving no footprint on your own machine and nothing but web data on anybody else's. Just Browsing is a live distribution that requires no login, has no shell login environment, features a browser that you can select from a menu, and that's about it. Once booted, it also offers a few web-based applications such as a calculator, clock, text editor, and so on.

Figure 2.2. Just Browsing boot screen

Just Browsing boot screen

Just Browsing further serves your privacy by using DuckDuckGo as the search engine that's integrated into the browser, which does not track your search history or (as they say) "filter bubble". Your browsing history is erased when you turn off the computer. It even comes with a lockscreen to continue to protect your privacy if you have to leave the computer for a short time.


While a great idea, I've had problems getting Just Browsing to boot, and it is totally out of date, last having been built in 2014. I'm including it here because it is a great idea and you might be luckier than I have been, boot-wise.

Kodachi! Gesundheit!

(Home Page:

Kodachi is an Xubuntu 18.04-based Linux distribution that is designed to provide you with a secure, anti-forensic, and anonymous operating system. It contains all of the features that someone concerned with privacy and anonymity would need (and want) to have for security.

Kodachi comes as a bootable ISO that is both pre-installed with favorite tools like a VPN, Tor, and DNSEncrypt, and is pre-configured to route all Internet activity through these tools default. This configuration even lets you choose your Tor exit nodes without hacking configuration files all over the place..Like all good bootable privacy/anonymity distributions, Kodachi flushes all configuration and state information on exit - and that's flush as in toilet, not as in "force pending writes to media".

Figure 2.3. The Kodachi Linux startup screen

The Kodachi Linux startup screen

The default desktop shown in Figure 2.3, “The Kodachi Linux startup screen” can be slightly confusing at first, grouping conceptually-related applications into clusters along the bottom of the screen, but quickly turns into "the right thing" once you use it for a little while. (The reflection of the dock beneath it doesn't help your initial understanding much, either, though it certainly looks nice.) The Panic Room cluster on the right is a thing of beauty if problems arise, grouping memory wiping and other critical tools together for convenience before you get molested by John Law.

Minimum system requirements for Kodachi 6.0 are only slightly greater than those for Xubuntu 18.04, namely:

  • Dual core processor, 2GHZ or better

  • Graphics card and monitor capable of at least 800x600 resolution

  • 512MB system memory (1 GB recommended; 2 GB recommended for running in a virtual machine)

  • 5 GB storage minimum for local install. (20 GB storage recommended for local installation, add-on applications, and local data storage)

While I am a huge fan of Ubuntu-based distributions, I personally Xubuntu-based distributions somewhat slow unless you install on hardware that is more powerful than the recommended minimums. Application and configuration-wise, Kodachi provides a truly powerful distribution, including tools such as Pidgin messenger, FileZilla, Transmission, the Exodus crypto wallet, Audacity, Blender, the Chromium web browser, I2P and GNUnet support, Enigmail, Zulucrypt, and VirtualBox, and many more. It's feature-rich and powerful enough to be a daily driver, let alone a powerful distribution with which to explore the furthest reaches of the dark web. I'm not a huge fan of its initial color palette (my eyes are old) but it's Linux, so my local install mantra is "...if you don't like it, change it."


Kodachi uses Conky to display a lot of system information on the desktop, so you should consider using a display resolution that is wider than vanilla desktops.

Parrot Linux - Argv, matey!

(Home Page:

“Parrot is a great GNU/Linux distribution [that is] based on Debian testing and is designed with Security, Development, and Privacy in mind. It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy while surfing the net.” I couldn't have said it better myself.

Figure 2.4. The Parrot Startup Screen

The Parrot Startup Screen

Parrot is based on Debian Testing, but features a custom Linux kernel and provides the MATE desktop environment. (Other desktop environments are available.) Parrot provides two primary distributions for your computing pleasure:

  • parrot-sec - the core Parrot distribution, targeting developers and casual secure surfers, and which focuses on the tools for those audiences

  • parrot-home - the core Parrot distribution, wrapped in a higher-level software set that enables you to surf the dark web when you want to but use your Parrot system as a daily-driver Linux system the rest of the time.

These two Parrot distribution versions are available as downloadable appliances (ova files) that you can install as a virtual machine or burn onto a USB stick for portable surfing. Each of these includes a copious set of security tools including those for penetration testing and digital forensics, which can be very useful if you are using Parrot to surf the dark web and want to be sure that you’re really secure.

In addition to these flavors, Parrot also provides ISO versions of each for pure, virgin hardware installs, and a Parrot-KDE distribution if you’re a KDE 5+ fan or don’t remember how GNOME works. Parrot does a lot of cool things to support it pen test/forensics starting points. Applications are sandboxed, disks are only mounted when needed, package updates are regularly scheduled to guarantee that they’re the latest and greatest, everything goes through tor after you fix some initial problems like missing iptables in the path (update packages), missing atk-bridge (install package libatk-adaptor), and so on. The distribution is great! It provides the tools that we can all use to figure out just how secure/anonymous/private we are - identifying any holes in the bathtub so that you can fix them!

The following list summarizes the requirements for a Parrot 4.5.1 system, which was the latest stable release at the time that this document was last updated:

  • 32-bit or 64-bit, x86-64 or ARMHF desktop or server system

  • 512 MB or more RAM

  • 16 GB or greater SSD, SATA, PATA, or USB storage

  • DVD reader or the ability to boot from a USB stick

Figure 2.5. Applications > anonsurf menu in parrot

Applications > anonsurf menu in parrot

Parrot is reminiscent of Kali Linux, a pioneering Linux distribution for security and digital forensics, except that the parrot-home distro resolves most of the complaints that people have often made about Kali: designed for experts, not mere mortals; missing (by default) many of the tools that users want in a daily-driver Linux system; doesn’t feature truly minimal hardware requirements while still providing a usable and well-organized desktop. Some of these will continue to evolve away (tools will increase, hardware will get more powerful, etc.) but why wait for Kali to continue to evolve? Parrot-home is just a download away.

Qubes OS

(Home Page:

Qubes OS is a cool distribution for secure and private surfing of the dark web (and anywhere else for that matter), and has some pretty impressive members in its fan club, including Edward Snowden. The great thing about Qubes is that it starts virtual machines atop the Xen hypervisor, which provides it with an intermediate management, analysis, and priority level for interacting with those VMs Those VMs isolate (compartmentalize) processes and services appropriately for secure process execution. Qubes provides fast, light-weight “disposable VMs” to execute and exit processes quickly, with results and modified files automatically being merged back into a common filesystem. It also provides template VMs that enable you to quickly define and compile the software and infrastructure required to support distribution-specific executables. (These per-application execution stacks are known as “qubes”, but in this section, I generally use the term "Qubes" to refer to the Qubes OS operating system.). Different isolated processes, process families, and security levels within the Qubes OS are easily identifiable because sets of processes and related items share border colors within the window manager (xfce4 by default). Several of these qubes/groups are created for you by default: work, personal, and untrusted.

Figure 2.6. Qubes OS desktop

Qubes OS desktop

Qubes OS comes with template VMs for secure versions of Fedora, Fedora Minimal (lightweight, small footprint), Debian, Debian Minimal (lightweight, small footprint), Archlinux, and Ubuntu. For Dark Web exploration, Qubes OS comes with templates for Whonix, another Xen-based Linux distribution. Whonix works by hosting two VMs: Whonix-Gateway and Whonix-Workstation. Whonix-gateway serves as a Proxy VM that routes all of its traffic through Tor, while the workstation supports all application VMs. Unfortunately, Invisible Things Lab (creators of the Qubes OS), does not provide an installable distribution that is based on Whonix, so a fair amount of work and testing is required before you should use the Qubes OS with Whonix for safe dark net exploration. When you’re done, however, you’ll have a modern, secure, and trustworthy OS that deeply and elegantly integrates tor for all your private and anonymous dark web surfing needs.

The following list summarizes the requirements for a Qubes OS 4.0.1 system, which was the latest stable release at the time that this document was last updated:

  • 64-bit, x86-64 desktop or server system

  • Intel VT-x with EPT, AMD-V with RVI, Intel VT-d, or AMD-Vi processor. AMD IOMMU not supported.

  • 4 GB or more RAM

  • 32 GB or greater SSD, SATA, PATA, or USB storage

  • Non-USB keyboard

  • DVD reader or the ability to boot from a USB stick

  • Graphics (Recommended): Intel GBP or AMD Radeon RX580 and earlier

TAILS, I win

(Home Page:

Linux geeks are nothing if not hilarious and fun at parties. Tails stands for “The Amnesiac Incognito Live System”, which has to be the best/worst backronym ever. Tails is a small Linux distribution that is based on Debian with the exception of not following Debian’s “only completely open source” mantra.

TAILS is an amazing distribution to use for browsing and interacting with the dark web. It comes as a live CD image that boots from an ISO image by default, but which you can easily burn to a USB stick and boot/run from there. TAILS includes tor and automatically routes all port-remapped Internet traffic though a SOCKS proxy.

Figure 2.7. The Startup Screen for TAILS Linux

The Startup Screen for TAILS Linux

TAILS also comes with a wide variety of utilities that help you accomplish common administrative tasks:

  • create, inspect, and use secure, persistent storage Tails Persistence Setup, Onionshare, tools for decrypting and using VeraCrypt volumes, luksformat and cryptsetup for creating encrypted partitions, and so on.

  • inspect and monitor network use (aircrack-ng)

  • cryptocurrency tools (Electrum Bitcoin Wallet)

TAILS includes many other standard privacy/anonymity utilities like KeePassX for key management. It also features some clever nuggets that are designed to resolve traditional anonymity/privacy problems with VMs, such as erasing memory on shutdown to ensure that no temporary file contents are still visible (though deleted) after editing or system swapping.

Figure 2.8. Starting tor in TAILS

Starting tor in TAILS

TAILS delivers a complete GNOME-3 desktop environment, though its menu appearance on the default desktop has, of course, been customized. The following list summarizes the requirements for a TAILS 3.13.1 system, which was the latest stable release at the time that this document was last updated:

  • 64-bit, x86-64 desktop or server system

  • 2 GB or more RAM

  • 10 GB or greater SSD, SATA, PATA, or USB storage

  • DVD reader or the ability to boot from a USB stick

TAILS’ release notes state that it is relatively fast to rebuild live TAILS if you want to add additional utilities, which is cool. Though you’d really have to work hard to get a virus into a Linux distribution, let alone a live Linux distribution, it would be nice if TAILS included some free anti-virus software like Malwarebytes or similar tools, just for peace of mind.

Whonix do you love?

(Home Page:

Whonix is a Debian-based Linux distribution that lives atop virtual machine environments such as KVM and VirtualBox, and provides two complementary virtual machines, Whonix-Gateway and Whonix-Workstation. These combine to isolate the workstation/user environment from the gateway which ensures that all external network events are routed through Tor. As virtual machines, Whonix must be installed on the host that provides a supported virtual machine environment, which opens it up to use on most Linux systems, as well as on Windows and Mac OS systems - Tor, a VPN, and the virtualization software are the key requirements of the software environment.


The Whonix web site is wallpapered with warnings about the fact that Whonix is actively under development, and therefore shouldn't be trusted to guarantee anonymity. I appreciate those warnings, but they feel a lot like excuses in advance so that the Whonix folks can say "...but we warned you..." when the thought police take me away and give me an adjoining cell to the hillside strangler. Whonix is a great idea and I have donated money to them in the past, but I would wait to use it until they stop apologizing in advance for potential problems. If you're that worried, you may be reading the wrong document in the first place.

Figure 2.9. Whonix-Gateway desktop

Whonix-Gateway desktop

Even though its warnings can be disconcerting, Whonix's ease of installation, ease of operation, and its technical elegance mean that it has a lot going for it. The isolation of the user/desktop environment from the actual desktop environment preserves anonymity and helps guarantee privacy. MAC addresses can't be directly tracked back to a system that can't be talked to directly - at best, its existence can be inferred. This isolation also basically guarantees protection from IP/DNS leaks and fingerprinting. Traffic and thus conversations can't be eavesdropped on, because all traffic from the gateway is encrypted. Even though the gateway participates in all communications, traffic to and responses from the dark web is impressively fast, largely bound by the response time and throughput of the remote system.

Figure 2.10. Whonix-Workstation desktop

Whonix-Workstation desktop

As far as software goes, the whonix workstation features a rich selection of pre-installed/pre-configured dark web-related tools, from the tor browser, XChat (configured as described in the Tor project wiki), and the Thunderbird email client, to desktop user applications such as VLC. n addition, any Debian desktop application can easily be installed using the familiar apt and apt-get tools.

Recommended minimum system requirements for Whonix (the latest version at the time that this book was last updated) are the following:

  • Dual core processor, 2GHZ or better

  • Graphics card and monitor capable of at least 800x600 resolution

  • 6 GB memory recommended for running VirtualBox and 2 virtual machines

  • 10 GB storage recommended (minimum) for local of VirtualBox, the two virtual machines, add-on applications, and local data storage

Recommendation: Which Linux?

The Linux distributions that were discussed in this section each have their advantages and disadvantages, and are all suitable for us to explore and learn from the dark web. My favorites are:

If you're installing Linux on a hard disk or SSD, MOFO or TAILS Linux seem to be the best out-of-the-box distributions for dark web exploration, and have been my favorite for a while. Both are excellent, powereful, and well-supported. (TAILS has a bigger fan club, bt maybe you and I can help fix that.)

If you're trule paranoid and fairly techy, you can then install a VPN on the desktop distro and also install VirtualBox on the system. Configure the VPN to start and connect automatically. Within VirtualBox, install the Whonix XFCE Gateway and Workstation as virtual machines. You can then either surf the dark web from the desktop distro after activating its anon-surf mode or a VPN or, for the height of paranoia, surf from within the Whonix Workstation under VirtualBox. The MOFO and TAILS distributions provide all of the power, security, and privacy you’ll need as you become one with the dark web while you can still use either for your daily driver desktop.


You’ll still need to integrate encryption into your files or filesystems, just in case.

If you're going to run Linux from a USB drive so that you have a portable surfing platform, install Dat Mofo Linux on that drive. After booting, activate the SoftEther VPN, and you're good to go. See Chapter 3, Installing Linux on a USB stick for more information.

Of the rest, Qubes OS is the most interesting, but its hardware requirements and the extent to which it has to be customized and re-updated after each regular update makes it likely that you may miss or simply misconfigure something during an update or upgrade. TAILS is popular and powerful, but it has been around for a while and most people will want to add a fair number of applications to be comfortable.

Chapter 3.  Installing Linux on a USB stick

As mentioned earlier, booting a live, secure Linux distribution from a USB stick is a great way to introduce yourself to exploring the dark web without building a complete system from scratch. Combined with the persistent storage provided by modern Linux kernels and Ubuntu-based distributions, a USB-based distribution can be a temporary learning experience or a long-term, portable, and secure dark web surfing machine.

The next few sections explain how to burn a Dat Mofo Linux 7.0 (hereafter just referred to just by the initials DML) distribution to a USB stick that is 8 GB or larger. An 8 GB stick provides plenty of space for the DML kernel and distribution (both of which are in the image that the DML folks provide), and plenty of space for 4 GB for persistent stage across reboots. In this example, I'll use a 32 GB USB stick that I'll partition into two partitions, one for Linux and persistent storage, and another that I can mount for additional storage, if needed (such as when transferring large files between systems). Doing this (and choosing the type of filesystem that you want to use) is discussed in the beginning of the next section.


This section and its subsections are written in lots of detail so that even a Linux noob can follow them. If you're more wizardly, I apologize in advance for all the extra words. Everyone deserves privacy and anonymity, and everyone should learn Linux, so... lowest common denominator and all that.

Partitioning and formatting USB storage

It's a good idea to put bootable USB distributions on a USB stick that also contains a regular Microsoft Windows, Apple MacOS, or Linux partition. You can mount the regular partition and use it to store files when running from the live USB distribution. After shutting down, you can mount the regular partition on another machine to copy the files there. This enables you to easily access those file from another machine even when you're not running the live Linux USB distribution.

If you're using a USB stick that's larger than 8 GB, you should first partition it to create a permanent partition in the extra space. This can be formatted with any format that is supported by your other systems:

  • FAT32, VFAT, or NTFS - for easy interchange with Microsoft Windows 2000 and later systems, as well as with Apple MacOS systems. Mac OS X has always been able to read NTFS drives, but its NTFS write support must still be manually enabled and is considered experimental (i.e., not guaranteed and not deeply supported). For best results, use NTFS for exchanged with Windows systems, and VFAT for exchange with MacOS systems. Paragon Software offers a more robust MacOS driver for MacOS if you insist on read/write NTFS.

  • EXT2, EXT3, or EXT4 - for data exchange with Linux systems. EXT4 is primarily EXT3 with support for extents, while EXT3 is EXT2 with journaling support, so I typically use EXT2 on spare partitions. (Both of these filesystem comparisons are trivial Reader's Digest version of a real comparison.) Paragon Software offers an EXT2/EXT3/EXT4 driver for MacOS and one for Windows, if you insist on EXT* but need to coexist with a Mac or Windows box.

  • HFS - Really? You can use the Mac's old Hierarchical File System on a USB stick if you've installed the hfsplus and hfsutils packages on the version of Linux that you're writing to the USB stick, but... Really? OTOH, I admire the fact that you're still using your Fat Mac.


If you have another filessystem type on your stick or other external medium and you Linux system can't read it, you may need to load a FUSE (Filesystem in User Space) driver for it. Check your system's log and package list to see what packages you need.

I generally suggest using VFAT for maximum read/write compatibility with other systems (Windows, Mac OS X, or Linux) and EXT3 if you just need to coexist with a post-2007 Linux system.

The Linux utility to use to partition a disk drive (including USB disk drives) is fdisk (fixed disk) command. This utility is found on almost all Linux distributions. The process of using fdisk to partition a USB stick is the following:


Make absolutely sure that you are addressing the right disk before issuing any command that writes to the USB stick. It is very difficult, if not impossible, to recover or restore data from a disk that has been re-partitioned and reformatted.

  1. Execute the sudo -s command to ensure that you have the permission required to read the system logs and modify fixed media. Supply your password if required.

  2. Use the system log to make sure that you're going to specify the right drive when starting the fdisk command: If the USB stick is currently plugged into your Linux system, unplug it and then plug it back in. If the USB stick is not plugged in, plug it in.

    Look at the end of the system log to see how the system identified the USB stick. The section in which it is identified will look something like the following (irrelevant prefix data has been redacted):

    ...[11559.211237]  sdc: sdc1
    ...[11559.213020] sd 3:0:0:0: [sdc] Attached SCSI removable disk
    ...[11559.204571] scsi 3:0:0:0: Direct-Access  VendorCo ProductCode 2.00 PQ: 0 ANSI: 4
    ...[11559.205709] sd 3:0:0:0: Attached scsi generic sg3 type 0
    ...[11559.206280] sd 3:0:0:0: [sdc] 61440000 512-byte logical blocks: (31.5 GB/29.3 GiB)
    ...[11559.207721] sd 3:0:0:0: [sdc] Write Protect is off
    ...[11559.207724] sd 3:0:0:0: [sdc] Mode Sense: 03 00 00 00
    ...[11559.208797] sd 3:0:0:0: [sdc] No Caching mode page found
    ...[11559.208803] sd 3:0:0:0: [sdc] Assuming drive cache: write through

    In this example output, the USB stick has been identified as sdc, and currently only has one partition, sdc1. Common ways to see the end of the system log are:

    • If the file /var/log/syslog exists, execute the tail command to see the end of the log

    • On systems where the system log is binary because they use systemd, execute the command journalctl -b | tail to see the end of the system log that was recorded since the last system boot.


      By default, the tail command displays the last 10 lines of its input. If you need to see more lines from the end of the file, use the -n num option.

    For the rest of this section, I'll call the USB stick by its right name - a USB drive - and use /dev/sdc as the basename of the example USB drive. You should obviously replace /dev/sdc and /dev/sdc1 with the basename of your USB drive and the name of the first partition on that drive.

  3. Execute the fdisk command followed by the name of your USB drive. The fdisk command displays an introductory message, and then finally displays a prompt:

    # fdisk /dev/sdc
    Welcome to fdisk (util-linux 2.31.1).
    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.
    Command (m for help):
  4. Execute the p to see the current partitioning scheme to ensure that you are working with the correct disk:

    Command (m for help): p
    Disk /dev/sdc: 29.3 GiB, 31457280000 bytes, 61440000 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x023fbda6
      Device           Boot Start  End Sectors  Size Id Type
      /dev/sdc1  *	   64 61439999 61439936    29.3G  c W95 FAT32 (LBA)
  5. Execute the d command to delete any existing partitions. If only one partition exists (as in this example), no partition number is required as an argument. Otherwise, multiple d commands are required, each of which must be followed by an integer that identifies the partition to delete:

     Command (m for help): d
     Selected partition 1
     Partition 1 has been deleted.
  6. Execute the n command to create a new partition. The fdisk then prompts you for the partition type, either primary or extended. Primary partitions are specific portions of the physical storage, whereas extended partitions are logical portions of a part of the physical drive.

     Command (m for help): n
     Partition type
      p   primary (0 primary, 0 extended, 4 free)
      e   extended (container for logical partitions)
    Select (default p):
  7. Since a standard drive that uses the traditional MBR (Master Boot Record) partition table can have up to three primary partitions, we'll create the partition as the default, which is a primary partition, by pressing <return>. We'll also create the the default partition (by number) by pressing <return>, and have the partition start at the first sector that is not part of another partition, which is sector 2048 in this case. by pressing <return> again.

    Using default response p.
    Partition number (1-4, default 1):
    First sector (2048-61439999, default 2048):
  8. The fdisk program then prompts you for the last sector to be assigned to assigned to the partition. Since 30719999 is half of the total, I enter that value. That's the last data that the fdisk program needs, it creates that partition and re-displays its prompt.

    Last sector, +sectors or +size{K,M,G,T,P} (2048-61439999, default 61439999): 30719999
      Created a new partition 1 of type 'Linux' and of size 14.7 GiB.
    Command (m for help):
  9. Execute all of the previous fdisk command again to create the second partition, accepting all of the default values since partition 1 has already been created, filling the first half of the disk.

    Command (m for help): n
    Partition type
     p   primary (1 primary, 0 extended, 3 free)
     e   extended (container for logical partitions)
    Select (default p):
    Partition number (2-4, default 2):
    First sector (30720000-61439999, default 30720000):
    Last sector, +sectors or +size{K,M,G,T,P} (30720000-61439999, default 61439999):
      Created a new partition 2 of type 'Linux' and of size 14.7 GiB.
  10. Execute the fdisk command's w command to write the new partition table to disk and exit the fdisk program.

    Command (m for help): w
    The partition table has been altered.
    Calling ioctl() to re-read partition table.
     Syncing disks.

Congratulations! You've just partitioned your USB drive/stick into two new equal-sized partitions. Now, in order to use them, we'll format them both. formatting the first one as an EXT2 partition so that it can be mounted and used by the unetbootin program (discussed in the section called “ Writing a Linux distribution to USB storage ”), and the second as EXT3 so that we can mount it and use it to hold files after booting from the finished USB stick.

Formatting the partitions on your USB storage

Partitioning the USB stick was fun, but the next step before actually writing the disk image to the USB stick is to create filesystems on those partitions so that we can write data to them. Hewlett-Packard put it best in a manual for one of their early UNIX (actually, HP-UX) systems when they said:

"On a clear disk, you can seek forever."

Ah, those nerd jokes! At any rate, we'll now create filesystems in the partitions that we created so that we can write data to them (and read it back afterwards, if we need to):

  • /dev/sdc1 - We'll create an EXT2 filesystem on the first partition because it must be auto-mounted by unetbootin. This is the utility that we will use to write the bootable Dat Mofo Linux distribution to the USB stick. This includes 4 GB of filesystem overlay space that provides persistent storage for any changes that we make or files that we create. Using unetootin is explained in the section called “ Writing a Linux distribution to USB storage ”.

    This partition is created as EXT2 because it must be mounted by the unetbootin utility, and because we will allocate some space for an overlay filesystem to save changes, and overlay filesystems should not be journaled because that delays writes and makes it more difficult to stay in sync with the use of the changes to the base filesystem.

  • /dev/sdc2 - We'll create an EXT3 filesystem in this partition because we will be mounting for extra persistent storage and data interchange with other systems. Journalining will defer writes and thus improve responsiveness when using this filesystem from Dat Mofo Linux.

To create an EXT2 filesystem on the first partition of the USB stick, execute the mkfs.ext2 command via sudo. (I use sudo -s so that I can execute multiple command as root without prefacing each with"sudo".) The mkfs.ext2 /dev/sdc1 command and its output is shown in Figure 3.1, “Using mkfs.ext2”.

Figure 3.1. Using mkfs.ext2

# mkfs.ext2 /dev/sdc1
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 3839744 4k blocks and 960992 inodes
Filesystem UUID: 1666b928-6eff-45e5-b60e-ffd95d9de366
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done118
Writing inode tables: done118
Writing superblocks and filesystem accounting information: done

To create an EXT3 filesystem on the second partition of the USB stick, execute the mkfs.ext3 /dev/sdc2 command via sudo. The mkfs.ext3 /dev/sdc2 command and its output is shown in Figure 3.2, “Using mkfs.ext3”.

Figure 3.2. Using mkfs.ext3

# mkfs.ext3 /dev/sdc2
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 3840000 4k blocks and 960992 inodes
Filesystem UUID: 16387ed5-9b53-4e7c-b813-36b5e280bfe0
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done118
Writing inode tables: done118
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

Since these are making an EXT2 and EXT3 filesystem, respectively, the only difference is that making the EXT3 filesystem adds the journal.

Writing a Linux distribution to USB storage

You won't be surprised to hear that there are a zillion different tools that you can use to create a bootable USB stick from an ISO image of a zillion different Linux distributions. This section uses UNetbootin to write a bootable Linux USB stick because it's a graphical tool that lets you do this from a Windows, MacOS, or Linux box. Regardless of whether you're a Windows or MacOS refugee or a Linux fan who just wants to dabble with the dark web without messing with their existing Linux desktop, unetboootin is a great, easy-to-use tool.


The other tools that I'm familiar with are primarily Linux software, but still relative easy-to-use. Of these, mkusb (dus) is my favorite, and there's a nice How-To Geek article on using it from a Linux box. There's also something called the LinuxLive USB Creator for Windows that burns a bootable Linux USB stick but doesn't currently support persistent storage.

Before doing anything, download the Dat Mofo Linux 7.0 distribution by clicking the Direct Download button on their web site and saving the downloaded ISO file to the local disk.

Next, regardless of the platform that you're using, the first step in using UNetbootin is getting it from their web site, shown in Figure 3.3, “The unetbootin web site”.

Figure 3.3. The unetbootin web site

The unetbootin web site

After getting to their web site, click the button for the platform on which you be running UNetbootin. Clicking the Windows or MacOS buttons immediately starts a download of the UNetbootin installer for that platform (EXE or DMG, respectively), while clicking the Linux download button takes you to the page shown in Figure 3.4, “Downloading unetbootin from its web site”. This page gives information on how to install UNetbootin from the Ubuntu PPA (Personal Package Archive) if you're running Ubuntu, or how to simply download statically-compiled 32-bit or 64-bit binaries for Linux if you're not. The page also provides links to platform-specific binaries for Linux distributions such as Ubuntu, Debian, Fedora, SuSe, Arch, and Gentoo, plus a tarball of the source code and a link to the live source code in Github.

Figure 3.4. Downloading unetbootin from its web site

Downloading unetbootin from its web site


If you're running Ubuntu, using the PPA is a good idea because this lets you download the most recent version of UNetbootin and also keeps you plugged in for any updates that are released in the future.

If you've downloaded the binaries from Figure 3.4, “Downloading unetbootin from its web site”, you have to make them executable in order to run them. To do so, either:

  • from a terminal window, change directory (cd) to the directory to which you downloaded the binary, and execute the command chmod +x ./unetbootin-linux

  • from the graphical desktop, navigate to where you downloaded the file, left-click on the file that you downloaded, select Properties->Permissions and check the Execute checkbox)

You can now start the application by double-clicking on the file in your graphical desktop or by executing sudo ./unetbootin-linux from the terminal window. I recommend the latter so that you are guaranteed to have the privileges necessary to mount and format drives. Otherwise, the unetbootin command will prompt you for a privileged password when you begin to write to the USB stick.

Figure 3.5. Using unetbootin

Using unetbootin

You will see a screen like the one shown in Figure 3.5, “Using unetbootin” when UNetbootin finally starts. This is the only screen n which you will enter data. The screen shown in Figure 3.5, “Using unetbootin” shows the screen with all of the values configured for writing our DML IO to the USB stick. In order, the fields on this screen are the following:

  • Select Distribution and Select Version - each of these buttons activate a drop-down that (big surprise!) enable you to select a Linux distribution and a version of that distribution that you want to install. Using these drop-downs is really cool because you don't have to download the distribution/version that you select, because UNetbootin will do it for you. Unfortunately, Dat Mofo Linux (DML) is not on the list, which is why we downloaded it at the beginning of this section. Maybe it will be on the drop-downs in the future, and I'll get to delete these sentences. Until then, the next item in this list will have to do...

  • Diskimage - enables to select ISO or floppy from a drop-drown, navigate to the location where you've stored or downloaded an image, then select that image.

  • Space used to preserve file across reboots - if the distribution that you're installing on the USB stick is an Ubuntu-based distribution, you can use this text-box to enter an integer number of megabytes (between 0 and 9999) that UNetbootin should allocate for an overlay in which changes to the filesystem on the USB stick will be recorded. (Hint: use a power of two for best results.) Specifying some amount of storage here enables you to expand and upgrade DML, adding additional packages, adding a different editor, or whatever else would make you happy to see the next time you boot from the USB stick.

  • Type - enable you to select a type of storage (USB drive, sdcard, etc.) that UNetbootin has detected as being present on your system.

  • Drive - enables you to select the device associated with the type of storage device that you selected previously.

  • OK or Cancel - clicking OK begins writing to and creating the bootable USB stick. Clicking Cancel terminates and closes UNetbootin.

In this example, I chose the settings shown in Figure 3.5, “Using unetbootin”: selecting DiskImage, navigating to and selecting my downloaded ISO of Dat Mofo Linux 7.0, specifying 4096 MB of space (this is, 4 GB) to preserve files, and selected the right device that corresponds to my USB drive. After double-checking that I didn't typo anything, I clicked OK to begin the process of creating a bootable version of DML on my USB stick.

Figure 3.6. Status screen while using unetbootin

Status screen while using unetbootin

Beginning the write process displays status screens such as the one shown in Figure 3.6, “Status screen while using unetbootin”. These are nice because I like to know that something is happening. Otherwise you could look at your USB stick to see if it lights up and flickers as it is being written to, but not all of them do that.

Figure 3.7. The unetbootin success screen

The unetbootin success screen

When the write process completes, the screen shown in Figure 3.7, “The unetbootin success screen” displays. Safely eject the USB stick by doing the right one of the following for the operating system that you're using:

  • Linux - in a terminal window, type the following command: eject /dev/your-device.

  • MacOS - open a finder window and click the name of the dr(Taive in the left column. Select Eject from the pop-up menu that displays.

  • Windows - from the system tray in the lower right-hand corner of the Windows 10 screen, select the Eject icon. You may need to click the upward-facing arrow in the left side of the tray to see it. This displays a drop-down menu that includes the name of your USB drive. Select that and Windows will finalize all writes to the disk and display a message when it's safe to remove the drive. Other versions of Windows are similar.

After you've ejected the drive, it's a good idea to test it immediately. Reboot your system, plugging in the drive when the existing system goes down. When you see the grub screen, type e to edit the boot command, and add the word persistent to the kernel boot line (after the filename of the kernel). Press the F10 key to continue the boot process. When DML comes up, displaying a background image with two workspaces available, congratulations!

Now I have a bootable secure OS - Why read more?

Sorry to perhaps disappoint you, but just having a car doesn't mean you know how to drive, where you want to go, or how best to get there. Subsequent sections of this document are important for the following reasons:

  • Chapter 7, My kingdom, or 0.005 bitcoin, for a VPN - explains why you should run software on your system so that your system is part of a VPN (virtual private network). This is critical to help guarantee your anonymity. VPN software also encrypts the network communication over the VPN, making packet-sniffing useless and helping ensure your privacy. If no VPN software is included with the system you're using, this section identifies some possibilities.

  • Chapter 8, Obtaining, installing, and configuring the tor browser - anything that you look or search for on the dark web should be done in a secure, non-packet-traceable browser. For your safety, purchases in dark web markets must be made in a secure browser.

  • Chapter 11, Finding stuff on the dark web - one you're on the dark web, you'll need to find whatever you're interested in, whether you browse a relevant site or market, or use a dark web search engine.

  • Chapter 9, Creating secure email and alternatives - if you purchase an external VPN package, buy anything on the dark web, or simply want to communicate with another dark web user, you'll want to receive secure mail through an account that isn't tied to you personally in any way.

  • Chapter 13, Buying and safely paying for stuff - whatever you buy on the dark web, you'll want to be able to pay for it anonymously, and you'll need to understand the payment process and the different ways that you can pay for it.

Chapter 4.  How Free Can You Go - Hardware/Pre-OS Security

In case you thought that installing the best security software and your favorite VPN, using Tor and an anonymized account, and wearing those black glasses with a fake nose and moustache would be sufficient to completely protect your computer system and your data from anybody anywhere, you'd be wrong. Unfortunately, chip makers are way ahead of you already in terms of giving you a hand but tying it behind your back.

To "help you out", Intel provides its Intel Management/Manageability Engine (IME), an autonomous VM-Based subsystem in virtually all of Intel's processor chipsets since 2008 (as part of the Platform Controller hub). AMD provides its AMD Platform Security Processor (also known simply as "AMD Secure Technology" to its friends and marketing literature) as an actual part of its CPUs since 2013. These systems manage low-level system functionality and updates, but also provide a mainline for siphoning off personal and usage information. The IME even operates whenever your system is receiving power, regardless of whether the system is on or off. AMD is a bit sloppier and a little wild 'n' crazy .- its Secure Technology only runs if your system is turned on. Maybe next year...

The next few sections discuss the history of the Free Software Foundation's quest for a completely free and open source system, starting with the BIOS and the boot process, followed by a discussion of Intel and AMD's efforts in obfuscating these areas. These chipset vendor discussions explain what they've done and are doing, what secrets they're spilling to whoever asks, how one asks for this level of information, and what you can do to avoid this data blow job.

The Hardware to Software Hand-Off: The Boot Process and GNU


Much of this section is cleverly summarized from the Free Software Foundation's Free BIOS campaign document. See that document for a more details and more words. I didn't even have to add any crankiness or politics - like Ragu, it was already "in there". All errors or typos ae mine.

In 1984 the GNU Project set out to make it possible to operate a computer in freedom - to operate it without any non-free software that would deny or compromise the user's freedom.

At the time, the obstacle to this was simply the operating system. A computer won't run without an operating system, but all the modern operating systems of 1983 were proprietary, user-subjugating software. There was no way to use modern computers in freedom. We set out to change the situation by developing a free software operating system, called GNU.

When the kernel Linux became free software in 1992, it filled the last gap in GNU. The combined GNU/Linux operating system achieved our goal: you could install it in a bare PC, and run the computer without any installed non-free software.

Strictly speaking, there was a non-free program in that computer: the BIOS. But that was impossible to replace, and by the same token, it didn't really count.

The BIOS was impossible to replace because it was stored in ROM: the only way to to put in a different BIOS was by replacing part of the hardware. In effect, the BIOS was itself hardware - and therefore didn't really count as software. It was like the program that (we can suppose) exists in the computer that (we can suppose) runs your watch or your microwave oven: since you can't install software on it, it may as well be circuits, not a computer at all.

The stakes went up when the scope of the BIOS expanded. As the BIOS "grew" to support maintenace, remote control, and political tasks such as system administration in a given context, the BIOS actually became updateable, to enable fixes and enhancements. While it grew into a modifiable non-free software/hardware component (referred to as firmware), it also grew into an attack vector for revealing user information, and especially so when it could be communicated with when the computer was turned off. The only happy consequence of super-charging the scope of the BIOS arose when it became updateable and was thereforestrom in PROM (Programmable Read-Only Memory) rather than plain old ROM, which was writtewn once at the factory and then never touched again. PROM can be written multiple times by any authorized user, which now included the owner of the machine. As Dr. Marin Luther King might have said Free at last - good god, the BIOS is free at last!

The way to resolve the ethical problem of YAMSC (yet-another-modifiable software component) and the sleazy possibility of leaking user and usage information and becoming YAAP (yet-another-attack-point) is to write and run a free BIOS. Luckily, the open source community jumped at the chance, producing multiple free BIOSs, my favorite of which is libreboot. Their own web site,, is a better location for describing all of their bells and whistles (and any current limitations) than this text could ever be.

While the number of computers for which a free BIOS is available is growing, it is just a tiny fraction of all computers available for purchase. Whereas "PC clones" were and are quite similar, and fully-documented as regards what the kernel and user-space programs need to know, the commands that the BIOS must execute in order to initialize the machine are varied, and in most cases secret. How to install a new BIOS is also secret on many machines. And so far, most manufacturers have not given the free BIOS development teams the necessary cooperation of providing these specifications. Some desktop machines can run a free BIOS, but no currently available laptop seems to be able to do so. Some older ThinkPad models can, and are discussed in the next sectio.


Some of the laptops used at the FSF were donated by IBM. This was one among several ways IBM cooperated with the GNU Project. But the cooperation is incomplete: when the Free Software Foundation asked for the specifications necessary to make a free BIOS run on these laptops, IBM refused, citing, as the reason, the enforcement of "trusted computing", which is kind of ironic in a closed, invisible system. Treacherous computing is, itself, an attack on our freedom; it is also, it seems, a motivation to obstruct our freedom in other ways.

Not all of the open source community perceives the non-free BIOS as an acute problem. However, much of the community supports the open source philosophy, which says that the issue at stake is choosing a development model that produces powerful, reliable software. The open source philosophy doesn't say that "closed source" software is unethical, only that it is pricey, who knows what it contains and how it was written, and thatr it therefore is likely not to be as reliable. People who hold those views might not care about the loss of freedom imposed by a non-free BIOS, because in their philosophy, freedom is not the issue. For those who are heavily involved in the the free software movement, freedom is the main issue; and that freedom must be attained, whether any industry figures help or not.

How Modern Booting Works


Much of this section was siphoned from OS Dev's UEFI page. See that site if you want more details and acronyms!

UEFI (Unified Extensible Firmware Interface) is today's acronym to lean instead of BIOS (Basic Input Output System ). UEFI is a specification for x86, x86-64, ARM, and Itanium platforms that defines a software interface between the operating system and the platform firmware/BIOS. The original EFI was developed in the mid-1990s by Intel as the firmware/BIOS for Itanium platforms. In 2005, Intel transitioned the specification to a more general working group called the Unified EFI Forum, consisting of companies such as AMD, Microsoft, Apple, and Intel. All modern PCs ship with UEFI firmware, and UEFI is also aupported by open source. Backwards compatibility is provided for legacy BIOS-oriented operating systems.

It's a common misconception that UEFI is a replacement for the BIOS. Not so. Both legacy and UEFI-based motherboards come with BIOS ROMs, which contain firmware that performs the initial power-on configuration of the system before loading some third-party code (often referred to as a "payload", an operating system or embedded application) into memory and jumping to it. The differences between legacy and UEFI BIOS firmware are where they find that code, how they prepare the system before jumping to it, and what whizzy functions that payload provides for the code to call while running.

On a legacy system, the BIOS performs all the usual platform initialization (memory controller configuration, PCI bus configuration and BAR (Basic Address Register) mapping in the PCI configuration space, graphics card initialization, etc.), but then drops into a backwards-compatible real mode environment. The bootloader must enable the A20 gate, configure a GDT and an IDT, switch to protected mode, and for x86-64 CPUs, configure paging and switch to long mode.

"What is the A20 gate?", I hear you cry. it is the appendix of computer anatomy, which sadly controls being able to switch from real to protected mode. In case those are unfamiliar terms, think of them as "1980" and "today" in terms of accessing and using more than 1MB of memory. In 1980, you couldn't, but nobody could afford more anyway. Today, you can (afford it) and must (use it).


This section wordsmiths prose that was inspired by Wikipedia, trying to make the process palatable as an overview that doesnt make your eyes glaze over. I am also trying to maintain at least a lofty OAPP (One Acronym Per Paragraph) standard.

The PCI Bus introduced a flexible configuration mechanism that is elegant in its simplicity. In addition to the standard memory-mapped and I/O port spaces, each device function on the bus has a configuration space that is addressable by knowing the eight-bit PCI bus, five-bit device, and three-bit function numbers for the device (commonly referred to as the BDF or B/D/F (Bus/Device/Function). Each PCI bus or expansion card can itself respond as a device and must implement at least function number zero.

To address a PCI device on whatever bus, it must be enabled by being mapped into the system's I/O port address space or memory-mapped address space. The system's firmware, device drivers or the operating system program the Base Address Registers (BARs) to inform the device of its address mapping by writing configuration commands to the PCI controller. The PCI controllers identify themselves by using the per slot IDSEL (Initialization Device Select) signal.

Since there is no direct method for the BIOS or operating system to determine which PCI slots have devices installed (or to determine which function(s) a device implements) the PCI bus(es) are explored by enumeration. That's where even cooler flexibilitybegins, via tabular lookup! Bus enumeration is reads the vendor ID and device ID (VID/DID) register for each combination of bus number and device number at the device's function #0. The device number, different from the DID, is just a device's sequential number on that bus. For each bridge/PCI bus, a new bus number is defined, and device enumeration restarts at its device number zero.

Popping back up a level or six out of the low-level PCI/BIOS weeds, UEFI firmware performs those same steps, but also prepares a protected mode environment with flat segmentation and, for x86-64 CPUs, a long mode environment with identity-mapped paging. The A20 gate is enabled, too - let's not forget our favorite red-haired step gate!

Boot Process and Other Low-Level Snooping

The process described in the

The Intel Mis-Management Engine (IME)



For laughs or to waste a small amount of disk space, you can get the Intel tools for manipulating and probing the IME and its environment here. Not too surprisingly, the tools run under DOS or Windows. Downloading the tools also gets you their documentation in XML format.

As mentioned before, Intel's IME is a VM-based system with its own operating system and which always runs as long as the motherboard is receiving power, even when the computer itself is turned off. In a typical, heirarchical ring/level-based security model, the IME really is one ring to bind them all, because it runs at level 0 - higher privileges than the kernel or an operating system-oriented hypervisor.

The IME is an attractive target for government snoops and hackers, since it has top level access to all devices and completely bypasses the security provided by an operating system. The Electronic Frontier Foundation has understandably complained about the IME, as have the developars of alternate boot systems like CoreBoot and LibreBoot.

Itel vPro

A combination of hardware and firmware, vPro technology is found in a wide variety of devices. In terms of notebooks, vPro is found in thin-and-light business laptops and 2-in-1s, mobile workstations, and high-end gaming hardware. Specifically, vPro hardware is found in a device's CPU or chipset (or both), as well as in its wireless (and wired when available) connectivity chips. corei7vproinside 6th generation1 Image: Intel Intel's latest vPro processors are the 8th Gen Intel Core series, which launched in April 2019. The company's 8th Gen vPro chips promise up to 65 percent better performance than systems from three years ago, and up to 11 hours of battery life. The CPUs come equipped with Intel's new Optane memory H10, which is built to help you launch documents during big file transfers twice as fast. The latest vPro processors also support Wi-Fi 6 to allow for faster internet connections than ever. At the bare minimum, vPro requires a Trusted Platform Module (TPM) cryptoprocessor chip and wired or wireless internet connectivity. How Does vPro Work? IT departments manage vPro devices using pre-existing console software, so the technology doesn't involve a learning curve. The most commonly used console client is Microsoft's System Center Configuration Manager (SCCM), which Constant estimated is used by 90 percent of IT departments. The other 10 percent receive suppvort, too, as Intel creates software tools for other consoles as well. What Is vPro Used For? The primary use of vPro today is "to remotely manage, diagnose and update a PC without having to be there," said Constant. vPro comes in handy when a user in the field needs immediate care. For example, Constant hypothesized, "let's say a user gets a virus and they're at an airport. IT has two options. You can either send someone out there or take over the device using vPro, update and reset it back to working order without leaving your own office." IT departments can also log in to vPro systems to manage software installations on clients in a company's fleet. That could mean updating the operating system, BIOS or third-party software; vPro allows a company to make sure everyone is using the same versions of applications and that all devices are up to date. platform of hardware and firmware, vPro technology is found in a wide variety of devices. In terms of notebooks, vPro is found in thin-and-light business laptops and 2-in-1s, mobile workstations, and high-end gaming hardware. Specifically, vPro hardware is found in a device's CPU or chipset (or both), as well as in its wireless (and wired when available) connectivity chips. corei7vproinside 6th generation1 Image: Intel Intel's latest vPro processors are the 8th Gen Intel Core series, which launched in April 2019. The company's 8th Gen vPro chips promise up to 65 percent better performance than systems from three years ago, and up to 11 hours of battery life. The CPUs come equipped with Intel's new Optane memory H10, which is built to help you launch documents during big file transfers twice as fast. The latest vPro processors also support Wi-Fi 6 to allow for faster internet connections than ever. At the bare minimum, vPro requires a Trusted Platform Module (TPM) cryptoprocessor chip and wired or wireless internet connectivity. How Does vPro Work? IT departments manage vPro devices using pre-existing console software, so the technology doesn't involve a learning curve. The most commonly used console client is Microsoft's System Center Configuration Manager (SCCM), which Constant estimated is used by 90 percent of IT departments. The other 10 percent receive support, too, as Intel creates software tools for other consoles as well. What Is vPro Used For? The primary use of vPro today is "to remotely manage, diagnose and update a PC without having to be there," said Constant. vPro comes in handy when a user in the field needs immediate care. For example, Constant hypothesized, "let's say a user gets a virus and they're at an airport. IT has two options. You can either send someone out there or take over the device using vPro, update and reset it back to working order without leaving your own office." IT departments can also log in to vPro systems to manage software installations on clients in a company's fleet. That could mean updating the operating system, BIOS or third-party software; vPro allows a company to make sure everyone is using the same versions of applications and that all devices are up to date. If a vPro system also includes an Intel Pro SSD hard drive, IT departments gain the power to perform a remote secure-erase. Without this option, Constant explained that "IT would have to go to that device, take out the SSD, slave it to another PC, go in and erase the drive, repurpose and reload the drive, and go put it back in the PC." Constant said manual secure hard drive wipes take at least 20 minutes, and IT departments often forego this step "and tend to just shred the drives." Easy-to-perform remote secure-erases become even more valuable if a PC is stolen or if an employee has been let go, as the company needs to make sure sensitive data isn't leaked. How Secure Is vPro? Because vPro provides direct access to fleets of equipment, it's important that these channels be protected. Constant didn't quantify how secure vPro is, but he did tell me that vPro offers "Intel's latest and greatest software and security features for PCs." Intel recently strengthened vPro by adding Intel Authenticate (IA) to the vPro found on Intel's 6th Generation Core processors in January 2016. Constant told me IA "can lock hardware down to access by a specific user," who must "sign in with the combination of fingerprint and protected PIN or phone proximity." Constant explained that the upside of IA is the eradication of passwords, saying that Intel watched as "large retail chains and home improvement stores" were hacked, which created "a serious financial impact, and stolen user credentials were at the root of the loss." vPro also offers Intel's Software Guard Extensions (SGX), which provide secure enclaves for application developers. Those enclaves are safe, protected spaces for programs to be developed without entailing security risks, including data loss or disclosure. Can the Average Customer Use vPro? vPro wasn't designed for the general public. Constant said the console-management software requires an "Enterprise OS and administrator console that users would need IT expertise to understand." Which Size Business Is vPro Best For? Constant said vPro is mostly suited for large enterprise businesses (those with greater than 1,000 employees), "but we also see medium businesses [500 or more] using vPro." This is because vPro is marketed toward "any business that has a managed IT environment" and organizes employees by groups that have different access levels and security needs. Since Intel offers plug-ins and support for a variety of consoles, vPro works with existing technology, rather than forcing IT to adapt. As Constant told me, "[Intel's] goal is for vPro to snap right into the technology that everyone's already using." Now that you know about this security feature, learn how to open a port in Windows Firewall to whitelist applications. According to Intel, it is possible to disable AMT through the BIOS settings, however, there is apparently no way for most users to detect outside access to their PC via the vPro hardware-based technology.[26] Moreover, Sandy Bridge and future chips will have, "...the ability to remotely kill and restore a lost or stolen PC via 3G ... if that laptop has a 3G connection"[27] On May 1, [2017] Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel Active Management Technology (Intel AMT), Intel Standard Manageability (Intel ISM), or Intel Small Business Technology (Intel SBT). The vulnerability is potentially very serious, and could enable a network attacker to remotely gain access to businesses PCs and workstations that use these technologies. We urge people and companies using business PCs and devices that incorporate Intel AMT, Intel ISM or Intel SBT to apply a firmware update from your equipment manufacturer when available, or to follow the steps detailed in the mitigation guide.[28][29] Many vPro features, including AMT, are implemented in the Intel Management Engine (ME), a distinct processor in the chipset running MINIX 3, which has been found to have numerous security vulnerabilities. Unlike for AMT, there is generally no official, documented way to disable the Management Engine (ME); it is always on unless it is not enabled at all by the OEM.[30][31] foobar

AMD In-Secure Technology (AST)

Finding Freedom with CoreBoot and LibreBoot

Other Low-Level Scheiss

Chapter 5.  Making a Windows 10 system secure

  A guy walks into a bar full of nerds and says,
     "How do I secure my Windows computer?"
  The nerds reply, "Install Linux".
          - Traditional Saying

Fortunately, yes, Virginia, there is a Santa Claus, and it is also possible to make a Microsoft Windows 10 system reasonably secure. Windows 10 represents 30 years of development, and is also a shining example of "learn from your mistakes". (Cough! Vista! Cough! Bob! Cough!) A good analogy to all this history is that today's humans represent the current culmination of hundreds of thousnds of years of evolution and development, but there are still plenty of popular but fucking stupid people out there. You may notice that I'm not a big Windows fan, but it is the most common home computer operating system, so let's at least make it as reasonable as possible.

Figure 5.1. Well, at least they're honest about one thing

Well, at least they're honest about one thing

The most important thing you have to do if you have to use Windows 10 (or, for some reason, want to) is to recognize and resolve its many built-in information leaks, the number of times it "phones home" to report on what you're doing, and other security "issues". This chapter explains the most important and popular fixes and corrections that you should make on a Windows 10 computer. The first section summarizes the things that you should think about when installing a new Windows 10 system. The remainder of the chapter lists things that you should do and set correctly on any Windows system, new install or old.

Overview of securing a Windows 10 system

Let's face it - not everyone wants to recreate their computer universe "just in case". The need to maximize privacy and anonymity depends on what you're doing and ho much you care about proteting your identity (or should If you want to buy things on the dark web or share some kind of porn, you'll need to maximize hiding your identity so that it doesn't just end up inked on the front of your jumpsuit when you spend a few years in jail. For most people, maximizing privacy and anonymity in the context of your existing system is good enough:. Either way, here is a quick list of the things that you should do orc think about:

  • Shut down as many data leaks as possble in your operating system (whether or not you're newly installing it) and for any user accounts that you create. Originally, operating systems just ran your computer. Later, companies like Microsoft and Apple realized that if they collected information about ther users, they could use that information or sell it to people who could and would use it. Bad companies, but that's why you're reading this now. We'll fix as much as we know about!

  • Create a new account and start using that for all new private work. Creating a new account on an existing system is explained in the section called “ Creating a new user for "experimentation" ”. This gives you an account that we can keep as clean as possible and with which we can follow some good practices to ensure that we isolate your persona identity from whatever data they manage to collect. (Creating a new account as part of the installation of a new system is discussed in the section called “ Creating a new account ”.)

  • For future secure communication, set up a secure email account as explained in Chapter 9, Creating secure email and alternatives . You should use this secure account as the one with which you register any privacy-related software that you purchase.

  • Get a good VPN and always use it. See Chapter 7, My kingdom, or 0.005 bitcoin, for a VPN for information about why to do so and what your options are.

  • Shut down as many data leaks as possble in your browser and any other software that you use to surf/explore the web. Shutting down these "leaks" is different from shutting down data leaks in the operating system itself, and is discussed in the section called “ Selecting a browser and maximizing browser security ”. Use the Tor browser whenever possible, as discussed in Chapter 8, Obtaining, installing, and configuring the tor browser .

  • Think about changing your disk partitioning or organization so that you have a location in which to store private files, as explained in Chapter 10, Hiding files, directories, and partitions . This does not always require repartitioning the actual disks, but can just be done by ceating new logical partitions on your existing physical partitions.

Things to think about for a clean install

Don't worry, I'm not going to bore you (and me) by walking through the entire installation process. The followng sections are simply things to consider before beginning you journey into privacy and anonymity if you're starting from scratch.

Which version of Windows to start with?

First off, use Windows 10 rather than any previous version of Windows. The latest version of Windows is always closer to being "secure" in the Microsoft sense of the word than any previous version of Windows. Microsoft doesn't consider exposing your personal information to Microsoft as a security problem. They typically disguise this exposure and data sharing" as " help us improve Windows..." regardless of the extent to which they can monetize this assistance.

There are multiple versions of Windows 10, with the same user interface but with different internal capabilities and different price tags (surprise!). See this page for a chart that compares the different versions of Windows 10. This chapter therefore deals with securing a Windows Professional, Windows Enterprise, or Windows Education system. The vanilla Windows 10, Windows Home, is missing too many of the high-level capabilities that a secure system requires to make it worth trying to make secure. Why try to turn a Volkswagen into a Porsche when you can spend a few more bucks and start with some flavor of Porsche (which, of course, still requires some customization)? Unless, of course, you're reading this by accident or because you hate Linux and free speech and are hoping for some secret info. (Read on!)

Storage encryption is job one

Why storage (i.e., partition or disk) encryption? Isn't securing the system itself good enough?

In a word, "No". Locking down the system protects the system itself while it's running, but encrypting your disk(s) protects the most important aspect of a computer system - the data that your system contains - at all times. It's pretty trivial to take a disk out of a computer system, attach it to another computer system that can read disks in that format, mount that disk, and all your secrets are suddenly readable. Some operating system support indivually encrypting user directories and using different passwords or keys for each, which only gives away one user's data at a time when cracked using this mechanism. This is optimal, but encrpting a whole disk at a time is the next best thing - especially if there will only be one primary user of a given desktop or (especially) laptop computer system.

Using Microsoft's Device Encyption

All system that are running any edition of Windows 10 include Microsoft device encryption software, which encrypts PATA (parallel ATA) and SATA (serial ATA) disk devices and stores the key that it used for the encryption in a Microsoft or local domain account. (The latter is usually the networked domain of some SOHO, academic, or larger business organization.) This level of encrytion is fine for many home= users, and is automatically enabled in many new PCs if you (1) are on a network and (2) use an online Microsoft or organizational domain account to log in to the PC.

To check if Device Encryption is enabled, open the Settings app, navigate to System > About, and look for a "Device Encryption" setting at the bottom of the About pane. If you don't see anything about Device Encryption here, your PC doesn't support Device Encryption and it's not enabled. If Device Encryption is enabled - or if you can enable it by signing in with a Microsoft account - you'll see a message saying so here.

Using Microsoft's BitLocker disk encryption

The most "popular" (i.e. most commonly used) disk encryption mechanism for Microsoft Windows systems that does not store the keys to your kingdom at Microsoft is Microsoft's BitLocker system. BitLocker was introduced in Windows 7 Ultimate, and is available in the Professional, Enterprise, and Education editions of Windows 10.


BitLocker is not available on any Home version of Windows. There the only "built-in" encryption mechanism is the disgustingly privacy invasive mechasnism discussed in the previous section. For Home - and any other handicapped - editions of Windows, you may simply want to use Veracrypt, an open source and free encryption suite that is discussed in the section called “ Using third-party disk encryption ”.)

As a "built-in" encryption mechanism that is provided by Microsoft, BitLocker has a huge target painted on its back, with every hacker and Microsoft hater wanting to break it, or more commonly break into it. Also, if Mcrosoft were the type of company to do something for their own benefit behind the user/customer's back, BitLocker would the most central location in which to insert a back door or logic bomb. Luckily, we all know that's not the case. (Nudge nudge, wink wink, sadly you know what I mean.)

The most important things about an encryption mechanism are:

  • the storage that is being encrypted. Any amount of storage can be encrypted - as my wife told me many times (for some reason), size doesn't matter.

  • the algorithm used to do the encryption

  • the password, passphrase, or key used to do an instance of that encryption. Each encrypted disk uses a separate password, passphrase, or key. The same password or passphrase can be used on multiple disks, but it is stored and handled differently for each disk.

  • a location to store the password, passphrase, or key. BitLocker uses the host system's TPM () by default, but can save to a USB drive or other location if the appropriate group policy has been set (as explained in the next inch or two).

BitLocker normally requires a Trusted Platform Module, or TPM, chip on the host system's motherboard. This chip generates and stores the actual encryption keys, and can automatically unlock the encrypted storage when the host system boots so that a user or administrator can sign in just by typing s Windows login password.


You can bypass the TPM requirement by making a Group Policy change, typically as a network administrator in a networked environment or by using the Local Group Policy Editor to change the setting for a non-networked computer system.

To activate BitLocker on a disk:

  1. Type Windows-E to bring up the File Explorerv (formerly known as Window Explorer).

  2. Drill down into the This pc section and locate the hard drive you want to encrypt.

  3. Right-click the target drive and choose Turn on BitLocker from the pop-up menu.

  4. Choose Enter a Password and enter a secure password.

  5. Choose How to Enable Your Recovery Key which you'll use to access your drive if you lose your password. You can print it, save it as a file to your hard drive, save it as a file to a USB drive, or save the key to your Microsoft account.

  6. Choose Encrypt Entire Drive. This option is more secure and encrypts files you marked for deletion.

  7. Unless you need your drive to be compatible with older Windows machines, choose New Encryption Mode.

  8. Click Start Encrypting to begin the encryption process. Note that this will require a computer restart if you're encrypting your boot drive. The encryption will take some time, but it will run in the background, and you'll still be able to use your computer while it runs.

Once you've enabled disk encryption and the initial encryption process has completed, the data on your disks is protected and the disk cannot be mounted and used without you supplying the password or encryption phrase that you originally specified.

Using third-party disk encryption

Besides the BitLocker disk encryption software that comes "free" with certain versions of Windows, other disk/data encryption software is also available. This software comes from companies that specialize in encryption, and often offers multiple encryption algorithms and multiple ways of interacting wth data, including using different encryption scheme on different partitions.

Though outside the purpose of this section, it's important to realise that thrd-party encryption packages offer some interesting and powerful additional capabilities, such as sharing encrypted files with specifiedc users. This gives you both the advantages of file-sharing and the security that encryption provides. Collaborative encryption can be very useful if you're working on shared hacking projects.


The most important aspect of third-party disk encryption software is that third-party encryption software is not from Microsoft. This means that you do not need a Microsoft account or Microsoft tools to interact with it. This therefore makes it untraceable by Microsoft and its minions, and reduces/eliminates the chance of leaking your data back to Microsoft. Data can still be leaked back to someone, but at least it isn't Microsoft. Would you prefer the devil that you know or the chance of sharing with someone else who might not be the devil at all?

Some popular third-party disk/data encryption packages are:

  • VersaCrypt - Open source and truly amazing. This is an extremely powerful encryption package that encrypts devices or partitions using one or a sequence of encryption algorithms. It also notably provides the ability to create a hidden partition with an encryted overlay. Decrypting it with one password shows contants A, while decrypting it with another reveals contents B. VeraCrypt was formerly known as TrueCrypt, up to version 1.7.0, when most of its developers bailed to work on the VersaCrypt fork. Highly recommended. Using VeraCrypt to hide file and folders is explained in Chapter 10, Hiding files, directories, and partitions .

  • NordLocker - ($8/user/year. Cheaper plans available based on duration, Limited freevplan available.) - From the geniuses who brought you NordVPN, so I like them already. Great collaborative capabilities! Also NordPass, though that is centralized like Keepass, and therefore depends on network state and availability.

  • WinMagic SecureDoc -($110 for 1-9 users/year) - A powerful package that lets you use other encryption packages, including BitLocker, to encrypt partitions or disks. This enables you to use the BitLocker technology with wn entirely different GUI that adds additional capabilitires.

  • DiskCryptor Free and open source. Supports Windows Server 2003 and newer and supports Windows 2000 via DiskCrypt 0.9. One problem: specifying a key file for use on the boot partition is accepted, but fails on reboot and renders system unusable due to the authentication failure. Yikes! (Other partitions and disks OK.)

  • Sophos SafeGuard Encryption - ($53/user/year) - Complex for new users, but acceptable once you get your head around it. Works with any hard-disk encryption technique including Microsoft’s BitLocker, Apple’s FileVault 2, and Opal self-encrypting drives. The authentication system supports cryptographic and biometric tokens, and multiple users can share encrypted computers without sharing passwords.

  • Symantec Endpoint Encryption - ($10/user/year) - Slow, complex, and fragile, like any Symantec product. Also, it works - again, like any Symantec product.

  • McAfee Complete Data Protection Advanced - ($90/ user/year) - Always a leader in securinga system, starrting with its legendaryanti-virus package, McAfee's data protection system is equally powerful and advanced. Supporting windows Vista and newer and MacOS El Capitan and later, it provides encryption and security for files, folders, removable and fixed full devices (not partitions), the cloud, and anywhere else from a single central Orchestrator console.


The previous list left out client-only, Windows 7, 8.8, and 10 packages like CryptoExpert and Check Point Full Disk Encryption Software Blade because they only support a subset of machines and operating systems.

Microsoft also offers EFS, the Encrpting File System but (1), it only encrypts specific files on demand and (2), it's from Microsoft.

I personally use VeraCrypt for everything, and trust its power and flexibility. The opportunity to read the code is great too, if I need to see how something really works or if I can't get a sleeping pill.


See Wikipedia's Comparison of Disk Encryption Software for more packages and related - though skeletal - information.

Installation requirements

Now we have some important setup to do....

I'm not going to walk step-by-step through the installation process, since we can all do that - instead, I'm going to focus on installation generalities and the ways in which you can instll Windows 10 to minimize the amount of data that it collects for anyone. Subsequent sections will then focus on minimizing user-specific data collection. At the end of all of this, you should have a Windows box whose message-of-the-day is not your name, social security number, and political affiliation.

Figure 5.2. Basic approaches to installation

Basic approaches to installation

The basic installation approach in today's connected world is that you install a system in one of two basic ways, as shown in Figure 5.2, “Basic approaches to installation”:

  • As an essentially standalone system, where all identity, authentication, and personal data is going to be local to that machine

  • As part of a centrally networked environment, where it can be used by anyone, and thus gets most of its user and environmental information from central authentication and file servers

We're obviously going to focus on the first (standalone) case, but even there the water is primarily muddied by the fact that you need an account on a machine on the net somewhere in order to proceed. You could infer that this is there to be helpful and have somewhere to send info about the installation, but you'd be wrong. Instead, it's just one more way of connecting internet accounts and pulling the drawstring a bit tighter around our collective info-necks. Paranoid? Just because I'm suspicious doesn't mean that there's no reason to be...

Creating a new account

Figure 5.3. Creating an account during installation

Creating an account during installation

Selecting the first option and clicking Next displays the screen shown in Figure 5.3, “Creating an account during installation”. To proceed and to ensure your anonymity and privacy, you need to create a new, virginal account, so click Create account to proceed.

When creating a new account on a system where you want to preserve your anonymity, you will have to create an account with no ties to your actual identity. When asked to provide an email account for verification, you will therefore need to use one of the anonymous email approaches discussed in Chapter 9, Creating secure email and alternatives for verification purposes. When creating an anonymous user account, I prefer to use a short-lived anonymous account (discussed in the section called “ Using a disposable account for notification ”) as a temporary target during the creation process, and use a secure email service like Protonmail (discussed in the section called “ Creating a secure email account ”) for a more permanent target when necessary.

An island is better than a peninsula

During installation, you will als be asked whether or not to activate certain services and levels of data sharing. Ones that you should say "no" or "skip" to are the following:

  • Share activity history - No other account or the system itself needs to roll your personal activity into any shared or system-wide totals.

  • Android phone sync - The system should not know a real phone number at which you can be reached, so syncing phone data to a random target is difficult. Letting the system know your phone number does have its advantages if you lose the system, because it lets the finder reach out to you to report its finding, but that means that the data must be located on an unencrypted partition. My advice about losing your laptop is simply "don't do that". wwwwwwwwwwwwww

  • Office 365 free trial - For God's sake, no! Open Office is free and similarly capable. If yuou want to reserve disk space, just create some large fies full of null characters, and delete them as needed to recover the space that you are reserving.

  • Decline Cortana - Cortana is cute but unnecessary. Its search capabilities are active regardless, just not its speech capabilities.

These options are all individual, security-related options. There are many more, system-wide privacy-related options that you should configure to ensure your privacy and anonymity by making it harder to rack or identify you or your system. Correctly configuring these options is discussed in the next few sections.

Locking down a Windows 10 system

The phrase "Locking down" is the cool way of saying "securing" - creating a system that is protected from random drive-by hackers, from 11 year-old Rumanuian kids with too much time and lots of skill on their hands, or from criminals from whatever-land who just want to add your system to their botnet. These invasive hackers may even just want to prove that they're smarter than the aging author of some book on hacker protection. Regardless of who they are, your job is to lock the doors, close data leaks and friendly/convenient "holes", and to generally batten down the hatches to protect your system from any hacking attack that passes by.

The first step in hardening your system is to create a save point (also connonly referred to as a restore point), which is basically just a bookmarked system configuration that is safe - or is on the way to being safe - but is at least one which you know all of the characteristics of. This gives you a known configuration that you can fall back to if you screw something up in the lockdown process. If you accidentally open a window while you're locking a door, you can fall back to the save point prior to that change and try again. I'm going to use the term "save point" because i never make any mistakes, so they're just insuance policies. If you believe that "no mistakes" thing, I've also got this great bridge that I'll give you a really good deal on...

You can have any numbder of save points. I generally create two just after completing installation. I save one forever without changing it, and then use the second as a current configuration marker. Each time I complete some significant security improvement, I create a new save point, and then either punt the old one or keep it around while I'm testing the new configuration. I'll eventually either delete it (and rename the new one to "current") or keep it as an archived save point.


As you can tell, knowing what's in a save point is the most critical thing about it, because that's the key to knowing what state you're returning a system to.

Creating a save point

To define a save point, you must be able to monitor the status and contents of your system drive. You only need to enable this once. To do so:

  1. Enter system restore in the Cortana search box as a quick way of displaying the right portion of the Windows Control Panel. The control panel displays, as shown in Figure 5.4, “Creating a save point in the Control Panel”.

    Figure 5.4. Creating a save point in the Control Panel

    Creating a save point in the Control Panel

  2. Make sure that your system drive is listed and highlighted in the Available Drives window and clickConfigure. The screen shown in Figure 5.5, “Enabling protection on your system drive” displays.

    Figure 5.5. Enabling protection on your system drive

    Enabling protection on your system drive

  3. In the Restore Setting section at the top of this part of the Control Panel, click the Turn on system protection radio button. Click OK to close this pagec of the dialog and re-display the page shown in Figure 5.4, “Creating a save point in the Control Panel”. You will notice that the Create button can now be selected to crearte a save point,

Once you've enabled monitoring on your system drive, you can create a save point at any time by doing the following:

  1. Enter system restore in the Cortana search box as a quick way of displaying the right portion of the Windows Control Panel. The control panel displays, as shown in Figure 5.4, “Creating a save point in the Control Panel”.

  2. Click Create. The dialog shown in Figure 5.6, “Creating a save/restore point” displays.

    Figure 5.6. Creating a save/restore point

    Creating a save/restore point

  3. Enter a name for this save point, and press return to create a save point that reflects the current configuration of the machine. It's a good idea toadopt some convention for these names so that they are instantly meaningful to you.

Once you've defined and saved a restore point, you can return your system to that point by displaying the control panel and selecting System Restore. A series of dialogs display, including the one shown in Figure 5.7, “Returning to a restore point” displays, on which you can select the restore point that you want to return to.

Figure 5.7. Returning to a restore point

Returning to a restore point

You can also use this dialog to purge restore points by selecting them and confirming their deletion on a subsequent dialog.

Creating a new user for "experimentation"

Now the fun really begins! Part of using a Windows system safely is to be able to do scary, powerful things as a login user. You may have created such a user account when installing your system, but chances are just as good that you bought a system pre-installed or just did your install and configuration long ago. Now you're older and wider, or maybe just wiser, and it's time to get less visible by creating an account that you can use for "experimentation".. As a normal account that is unrelated to your actual identity, it is one that you can register with Google, Facebook, and their ilk without having to spill the beans about who you really are and what (if anything meaningful) you're really doing.

To quickly create a new user acount on a Windows 10 system:

  1. Select the Start button, select the Settings (gear) icon, select Accounts, and then select Family & other users.

  2. In the Other users section, select Add someone else to this PC.

  3. To quickly create a traditional account that is only local tov this PC, select I don't have this person's sign-in information, and click Next. On the next page, select Add a user without a Microsoft account.

  4. Enter a user name, password, and select or specify three In case you forget your password questions and personal answers. When finished, click Next.

The account that you just created displays as a local account in the Other users section, as shown in Figure 5.8, “Displaying a new local account”. As a local account, no network authentication or privileges are required (or possible). This makes it a very safe account to use for your hacking... er, experimentation... purposes.

Figure 5.8. Displaying a new local account

Displaying a new local account

After creating an account, adding adminstrator privileges to that acciount is very simple:

  1. On the display shown in Figure 5.8, “Displaying a new local account”, select the account that you want to modify. Next, select Change account type.

  2. Click the Account type list box, select Administrator, then click OK.

The panel shown in Figure 5.8, “Displaying a new local account” redisplays, this time indicating that the selected account is now an administrator.


Windows 10 still supports some older, more granular privileges. Because they are being phased out, they can only be assigned to an account through a hidden User Accounts control panel. To access that control panel. To doisplay that control panel that, press the Windows key + R, and type control userpasswords2 (that is not a typo!) into the command box, then press Return. This control panel and those poermissions will be updated or removed in a future update or release of Windows. So don't get used to them or it...

Stopping personal data donation

In the previous section, we created a local account for "experimentation" purposes. This account should really have nothing to do with you or your identity, but MacroSludge will still be monitoring and collecting data from that account, Even after we turn data collection off (as much as we know about), your "experimental" actions will still add data to a vast collection somewhere. Just because that account and its user aren't "real" doesnt't mean that data can't be collected from them and woven into the big fourth reich tapestry in the sky.

Figure 5.9. General Windows settings

General Windows settings

To reach Windows main Settings page, click the Start icon in the lower-left corner of any Windows screen, and click the gear that displays on the pop-up menu. The screen shown in Figure 5.9, “General Windows settings” displays.

The next few sections explain how to minimize the tracking, recording of, and reporting on various actions that are like kindling for some future Microsoft marketing bonfire. One thing to remember is that there are two sides to how all of this infornmation is being used;

  • turn a "feature" on or off to manage how Windows collects and uses information from a device or protocol

  • how or if specific applications use a device or protocol

For example, Windows can collect information from a camera and integrate that into a login screen or for authentication in general, while a camera-oiented app like meeting software ala Zoom or Webex can interact with the canmera simply as a display device.

Disabling general eavesdropping and data collection

The Privacy link in the screen shown in Figure 5.9, “General Windows settings” leads to a complex page of settings, which itself conains links to many other pages with other settings. These highlght how many data-leak, er, privacy options Windows "offers". This general page of privacy settings is shown in Figure 5.10, “A maze of twisty settings, all different...”.


If the screen shown in Figure 5.10, “A maze of twisty settings, all different...” looks different on your machine, try making the window wider. The single-column view has the same "features", but they're harder to access (and they don't look just like the screenshots).

Figure 5.10. A maze of twisty settings, all different...

A maze of twisty settings, all different...

Like other Windows Setting entries, the left column of each page displays an index to this page and related sub-pages, while the right column of ths page provides the settings on the page.

General privacy options

Figure 5.11. Changing General privacy options

Changing General privacy options

The right column enables you to modify the setting of the following general privacy options:

  • Use advertising ID - Microsoft’s “Advertiser ID” (formerly known just as “relevant ads”) is a unique identifier that is associated with the logged-in user and enables ads for Dr. Scholl's footspray to show up on your phone minutes after you complete a desktop search for "athlete's foot". Your unique ID makes such personalized, "smart" adverising possible. You don't see a different number of ads after disabling this, they're just not eerily reflective of your interests as borne out by your historical Internet Explorer and Edge searches and personal information that you've shared with Microsoft.

    Turn ths option off. Doing so disassociates your browser session from your advertising identifier. Information that is collected will be associated with a generic personal identifier rather than being recognized as coming from you. Collection will not update your pool of peronal information.

  • Provide locally relevant content - This option requires that Windows "knows" your physical location, which will be untrue but will still be a relevant, related location if you use a VPN.

    Turn this option off just in case.

  • Track app launches - Tracking this information is supposed to improve search results, but should really not add value beyond personalization that we are trying to prevent.

    Turn this option off just in case.

  • Show suggested content in Settings app - Thisc suggested content is supposed to be restricted to that shown in the Settings app and should be based on other infrmation that we are not collecting or updating.

    Turn this option off just in case.

Disabling all of the privacy options on this page disables most Windows 10 data collection and its association with you but (as we'll see in subsequent sections) not everything. These partricular data collection and spying roaches are very tricky and well hidden no matter how pointy your shoes are!

Eliminating data collection details

After the General page and its general option come a number of sub-pages with more detailed options that can (and often should) be disabled to further increase the ilolation and virtual silence of your system and its reporting goes. The following sections discuss each sub-page and its options.

Disabling speech recognition

Figure 5.12. Disabling system-level speech recoognition

Disabling system-level speech recoognition

It would be tempting for some light-hearted Microsoftie to just put a single option here that said or "Don't listen to me", but that wouldn't be techie enough and is a general "feature" of Windows anyway. Instead, this page phrases it as a single option that enables you to disable speech recognition, which you should do. Doing so also disables the big bell and whistle feature of Cortana, but your Amazon Alexa or Google Home/Nest devices are probably doing that anyway, though in a more general context.

This system-level speech recognition "feature" relies on Microsoft's cloud-based speech-to-text service. After disabling this, you can still use the Windows speech recognition app and any others with their own speech nalysis features. If you like the speech recognition capability but are not a Microsoft fan, you can try replacing this service with a third-party one like Nuance's Dragon Home AKA Dragon Naturally Speaking, which only uses your spoken data to help understand you, as far as I know.

Disabling ink and typing personalization

Figure 5.13. Disabling typing monitoring

Disabling typing monitoring

Now things get even creepier, as Windows not only watches what you type, but as how you type it. This is scary and confusing for someone like the author, whose typing style was once described as "looking like an epileptic spider", but I guess that some AI geeks can even get what they think is water from what the think is a dry well.

Disabling this option is, ahem, optional, because it only controls whether Windows creates a user-specific typing style database - the system's typing style database still exists and is updated/maintained. However, I suggest disabling it just in case your habit of typing Hot and Sour soup on a lunch order adds your name to the goverment's database of lunch preferences. This could be used in the next pandemic to help identify the U.S. citizens who like enemy foods, and require re-education just in case. I'm just saying...

Minimizing diagnostics and similar reporting

Figure 5.14. Minimizing diagnstic and reporting feedback

Minimizing diagnstic and reporting feedback

Now we start to see the evil empire as just a friend, honest. The options on ths page determine the voume and type of information that your system sends back to Microsoft for performance, profiling, and debugging purposes. The options on this page and their recommended settings are the following:

  • Diagnostic Data - Controls the type and amount of diagnostic and helpful user data that your system sends to Microsoft. Options are Full and Basic, and is noticably missing the option None. You should definitely select Basic to spy on yourself as little as possible. See the You're sending what where? side, later in this section, for a potential workaround for the missng value.

  • Improve inking and typing - sends typing dats to Microsoft to help with speech recognition and suggestions. This option is automatically deselected (and says so) if you do not send full diagnostic data to the Microsoft mothership.


    in case Mrcrosoft believes that your diagnostic and feedback setting prevent "full disclosure" to Microsoft (i.e., if you have selected Basic on the Diagnostics & feedback screen), the Improve inking and typing option on that panel displays the warning Your current Diagnostic data setting prevents inking and typing data from being sent to Microsoft or the warning What are you trying to hide?.

  • Tailored experiences - let Microsoft provide you with a custom (i.e., "tailored") user experience based on your diagnstics settings, where the tailoring is composed of ads for Microsoft products and services that will make life better for you. And no, it's not just a blank screen. What ever this is, you can safely turn it off.

  • View diagnostic data - uses a Diagnostic data window to show you the diagnostic data that you're sending to Microsoft. Though you generally want to turn this off to save screen real estate, it can be useful to see that data when you're experimenting with settings.

  • Delete diagnostic data - deletes any diagnostic data in the standard location that has been collected on your system to date. Copies of that data which you have copied elsewhere or have special permissions must be manually deleted.

  • Feedback frequency - determines the freqency that Windows will request personal information from the system's users one of Automatically, Always, Once a day, once a week, or Never.

Managing activity history tracking

Figure 5.15. Managing activity tracking

Managing activity tracking

This settings page determines where and if Windows tracks your activities so that it can snapshot and later restore those applications. The tasks whose state is being recorded must be executed by a user that is associated with the current Micrsoft accunt. The task state information can either be stored on the machine that you are using or in Microsoft's cloud. The storage location determines which device(s) you can switch to and resume certain tasks - only storing task information locally means that you must return to the same machine.

Introduced in a 2018 update of Windows 10, the timeline is an easy way to visualize and resume tasks that are associated with the same Microsoft account, regardless of where you were executing them. This network-aware task history is quite a mouthful, and quite a huge hole in the "whole" concept of privacy! Hacking this timeline gives crackers access to everything that was ever executed by a certain Microsoft account or an assocted one.


This universal account, unifying all activities that are executed on all devices as long as they are executed under the purview of the same or an associated Microsoft acccount, is completely safe if you trust Microsoft online security and believe that it is absolutely bullet proof. If... hey, stop laughing. You too - I'm serious, stop laughing!!!! Now everybody - stop it! Don't laugh at trusting universe-wide network security from Microsoft! Oh for Christ's sake...

To avoid raucus laughter and the subsequent rape and resale of all of your accounts, don't use or trust either local or remote (Microsoft) activity tracking!

Options on this page are:

  • Store my activity history on this device - enables you to see and resume tasks that you have executed on the current device as a user associated with the current Microsoft account. This is a capability that we don't want to take advantage of, so leave this item un-checked!

  • Send my activity history to Microsoft - This is another capability that we do not want to take advantage of, since we do not want to track (or remember) our activity history and especially not across multiple machines. Leave this option un-checked!

  • Show activities from these accounts - precedes a list of accounts wth a check box for each. To exclude a user's activities from the Windows timeline in the Task view, un-check that user.

  • Clear activity history - pressing the Clear button purges any activity history that is stored on the current machine.

Customizing application and personal security

The first portion of the Privacy settings page (discssed in the previous subsections) lets you customize Windows security settings as they apply to anything that is touched upon (or interfered with) by the operating system. The renainder of the items on this page let you customize application permissions and how Windows interacts with specific applcations or the subsystems and devices that they use.

Not all of the settings on the remainder of this page are relevabt to personal privacy or anonymity on the Internet. Therefore, the following sections only discuss those that are. Many of the settings are only relevant to devices and data sources that only exchange data within the cconfines of your system, not to the Internet as a whole.

Please send mail to the author if you believe that some additional setting should be discussed!

Customizing location

Figure 5.16. Customizing location

Customizing location

This page controls the information about your location that applications can use to personalkize theirc displays, qeries, and so on. It isn't very useful to see informaton about a half-off sale in East Bumfuckistan if you're sitting in upstate New York, or vice versa. Location data can be read via GPS, inferred from you IP address, or multiple similar mechanisms. Any non-GPS location information will be less meaningful if you're using a VPN whose endpoint shows you using an IP address in East Bumfuckistan, but that location "confusion" is part of what you pay for with a good VPN.

The specific settings on this page are the following:

  • Allow access to location on this device - Enables Windows and Microsoft to determine your geographic location and use that information to locate you, improve the locality of ads that they deliver, and various similar convenient but creepy feature. To disable this, click Change and move the slider in the "Location Access" dialog to Off, then cick outside the dialog to close it. Turning this setting off disables the next setting, Allow apps to access your location.

  • Allow certain apps to access your location - enables you toselect applications that can access your device's location. Disabled if Allow access to location... is off/disabled. This does not apply to third-party apps that you have installed and which use other mechanisms to determine your location. These are what are referred to as "desktop apps" here.

  • Default location - Clicking the Set default button displays a map of the world from which you can set the default location that Windows return if Allow access to location... is off. My systems are usually found at 9420, Tierra del Fuego, Argentina. Feel free to drop by if you're in the neighborhood.

  • Location history - Keeps a record of changes in location if Allow access to location... is off. Clicking the Clear button deletes any stored location history information. It never hurts to click.

  • Choose which apps... - If Allow access to location... is on, displays a list of applications which you can enable to receive precise location information.

  • Geofencing - enables you define a perimeter that youwill be notifies if your location crosses. I love the word "geofencing", though I clould care less about the operation. It sounds like can evil parental trick to set on your non-nerdy kid's laptop if they carry it around. O maybe a theft-protection setting?

Protecting camera settings

Figure 5.17. Disabling your camera

Disabling your camera

As seen in Figure 5.17, “Disabling your camera”, the camera settings for Wiindows 10 are configured much like the "Location" settings as shown in Figure 5.17, “Disabling your camera”. This screen enables you to configure te applications that can use your computer's camera to watch you flossing your teeth or taking a shower. The settings are the following:

  • Allow access to the camera on this device - enables applications, yours or incoming, to access the camera. Blocked applications include apps that you've installed and all standard Windows apps except Windows Hello, which is all of the login (sign-in) mechanisms supported by Windows 10 except the familiar password and the ATM-style PIN. To disable camera access, click Change and drag the slider in the status dialog to Off. Click anywhere outside this dialog to close it. A summary line over the Change button shows the camera access state.

    After making sure the camera is off, you can pick your nose in peace and only alienate people in the same physical location as you and your computer.

  • Allow apps to access your camera - Blocks almost all applications from accessing the camera, except for Windows Hello and apps that you've installed the use a clever and circuitous mechanism to access the camera.

  • Choose which Microsoft Store apps can access your camera - Enables you to allow or disallow selected applications from the Microsoft Stare from accessing and using the camera. You can only enable per-application camera access if you are allowing apps to acces the camera on the computer.

  • Allow desktop apps to access your camera - If Allow access to the camera on this device and Allow apps to access your camera are enabled but Choose which Microsoft Store apps can access your camera has no apps selected, you can still enable a device to acces and use the camera if you enable the Allow desktop apps to access your camera option is enabled, you can add the app to the list of really, really not excluded apps that follow the option. Yiokes! Too many rabbit holes!

Controllng addiional settings

The tables in this section group related settings (when possible) and show default and recommended values. These tables are:

Table 5.1. Additional device/app security settings

Allow access to the microphone on this deviceStatus of the microphone on this systemOnOff
Allow apps to access your microphoneEnable apps to use the microphoneOnOff
Choose which Microsoft store apps can access your microphoneList of "official" apps from the store and the stats of eachSome OnAll Off
Allow desktop apps to access your microphoneEnable user-installed apps to use the microphoneEmpty ListUser-Set List
Voice activation
Microphone access for this device is...If "On", apps can listen for an audio keyword and thereafterOnOff
Allow apps to use voice activationIf "On", apps can listen. Apps that do so are specified further down on this page.OnOff
Allows apps to use voice activation when this device is locked and displaying screen saverIf "On", listen even when lockedOnOff
Choose which apps can use voice activationOnly app listed by default is Cortana. Remove it!In list means "On"Other settings "Off" should disable Cortana, but removal is more complete.
 Let Cortana respond to "Cortana" keyword - in other words, when someone says "...fucking Cortana...", they've got its attention.OffOff
 Use Cortana even when my device is locked - In other words, snoop and listen in even when my computer appears locked and not being used. The ear remains pressed to the door. This is done on the off chance that this data is being collected and sent somewhere. Amillion users create a lot of data - let's hope the SQL Server ingestion engine somewhere is up to it!OnOff

Table 5.2. Customizing application use of personal data

Account Info
Allow access to account info on this deviceEnable programmatic access to all account/user data on this deviceOnOff
Allow apps to access your account infoEnable programmatic access to current user's account dataOnOff
Choose which apps can access your account infoList of system applications that can access personal account data, each accompanied by a software On/Off switch(list)(list)
Allow access to contacts on this deviceEnable system applications to access user contacts. This and related contacts settings if often use by maware thatsed phishing or spam to all of the addresses on your contact list. You will want to disable this value unless you broadcast things to your contact list. You can always at least disable access to your contact list and then watch to see if disallowing this access causes problems.OnOff
Allow apps to access your contactsEnable applications run by the user to access that user's contact information. See the previous entry. OnOff
Chooose which apps can access your contactsIf you continue to allow applications to access your contacts, you can use this option to ientify specific applications that should beenabled to access it.OnOff

Table 5.3, “Customizing phone number, call data, and email security” shows the capabilities and applications that can access phone numbers, phone call data, and email made from or through the current computer. Malicious applications can reap phone numbers, email addresses, or the contents of phone calls or email to retrieve phone numbers or email addesses to which they will send malware or other sinister software.

Table 5.3. Customizing phone number, call data, and email security

Phone Calls
Allow access to phone calls on this deviceEnables applications to access the data contained in all phone calls that involve this computer.OnOff
Allow apps to access your phone callsEnables applications to access the data contained in phone calls that you have made or received on this computer. It is generally a good idea to disable this unti you find that an appliction requires it, and to then activate tis option and identify the application that needs access in the next one.OnOff
Chooose which apps can access phone callsSpecify the applications that can access the data in phone calls that have been made or received from this computer. If you choose to enable applications to acess your call history in general, you can use this setting to restrict the applications that can do so.(list)(list)
Call History
Allow access to call history on this deviceEnable access to the list of phone numbers that have been contacted from this computer.OnOff
Allow apps to access your call historyThis option enables applications to access the history of phone numbers that you have contacted from this computer. It is generally a good idea to disable this unti you find that an appliction requires it, and to then activate tis option and identify the application that needs access in the next one.OnOff
Choose which apps can access your call historySpecify the applications that can access the phone calls that you have made or received from this computer. If you choose to enable applications to access your call history in general, you can use this setting to restrict the applications that can do so.(list)(list)
Allow access to email on this deviceEnables applicatios to access all email that is sent from or stored on this computer. Many hacks access existing email to reap users to whom phishing or general bogus email can be sent. Disallowing access to email may disallow some access that you do want (such as notifications of incoming mail), but privacy can occasionally have a cost.OnOff
Allow apps to access your emailEnables applicatios to access all of your email that is sent from or stored on this computer. It is generally a good idea to disable this unti you find that an appliction requires it, and to then activate tis option and identify the application that needs access in the next one.OnOff
Choose which apps can access your emailSpecify the applications that can access the email that you have sent from or received on this computer. If you choose to enable applications to access your email in general, you can use this setting to restrict the applications that can do so.(list)(list)
Allow access to messaging on this deviceEnables applications to access all messages that were sent or received by users of this computer.OnOff
Allow apps to access your messagesEnables applications to access all messages that you have sent or received on this computer system.OnOff
Chooose which apps can read or send messagesSpecify the applications that can access the messages that you have sent from or received on this computer. If you choose to enable applications to access messages in general, you can use this setting to restrict the applications that can do so.(list)(list)

Table 5.4. Customizing device and process security

Allow access to control radios on this deviceEnables applications to access radio devices on the computer. In computers, radios are most ccommonly used to send/receive data wirelessly as in WiFi communications. Computers can also ccntain radios to receive traditional AM (Amplitude Modulation) and FM (Frequency Modulation) radio signals, typically processing and playing them through dedicated DSP (Digital Signal Processing) devices for those purposes.OnOn
Allow apps to control device radiosEnables applications to proceess and modify radio devces and their actions.OnOn
Choose which apps can control your device radiosEnables you to specify the applications that can conrol and modify radio devices and their actions on the computer system(list)(list)
Other devices
Choose which apps can communicate with other devicesEnables devices to interact and interoperateOnOn
Use trusted devicesRestricts device access and control to those devices that are identified as trusted devicesOn 
Background apps
Support background appsEnables application to continue to function while they are not in focus and operating as the "current" application. This option is necessary for many types of system applications that monitor and interact with devices such as printers (line printer daemon). It can also be very dangerous because it enables malware to run in the background and monitor and interact with communication streams and device interaction. You shaould check the list of active processes on the system often too detect and terminate malware applications that have somehow slipped through your security and are running in the background.OnOn
Choose which apps can run in the backgroundEnables you to specify the applications that can run in the background on the computer system(list)(list)
App Diagnostics
Allow apps to access diagnostic info on this deviceEnables application to access diagnostic daa that may be generated by applications or the system in the event of problems.OnOff
Allow apps to access diagnstic info about your other appsEnables applications to access diagnostic data that may be generated by other applicationsOnOff
Choose which apps can access diagnostic info about other appsProvdes a list of applications that cab access the dignostic data produced by other applications(list)(list)
Automatic File Downloads

Table 5.5. Customizing personal data security

File System
Allow access to the file system on this deviceEnables access to the file system so that applications can read and write files there. This is *any* application in *any* scenario, not just web downloads or similar applications.OnOn
Allow apps to access your file systemGlobal switch for whether every application can access files in any location that an account has access to. If you regularly use multiple file system locations, enable this option; otherwise, disable it and select the applications that require file system access in the next option.OnOn
Choose which apps can access your file systemEnables you to specifically grant file system access to specific application if file system access for all applications is disabled.(list)(list)

Locking down and expediting Windows Updates

Windows Upates literally update Windows in response to changes in internal components due to improvements, bus fixes, and the like. As asynchronous changes, how and when Windows updates are seached for and applied has its own configuration section, reachable by selecting Updates & Security in the Windows Settings application. This displays the screen shown in figure Figure 5.18, “Configuring Windows Updates”.

Figure 5.18. Configuring Windows Updates

Configuring Windows Updates

The screen shown in figure Figure 5.18, “Configuring Windows Updates” features the following commands, notification areas, and links to other screens:

Selecting and running anti-virus software

Anti-virus software is like having a gun in the glove compartment of your car - it's your last line of defense before some scumbag gets in and really starts f'ing things up - screwing up your computer, stealng data, hiding itelf for the future, trying to propagate, and God knows what else.

Selecting a browser and maximizing browser security




Exensions for any browser

Random security and usability optimizations

Chapter 6.  Dress for success, er, privacy

Like you, I know lots of people who accidentally dress for privacy and anonymity. Some are simply following the current fashion trend, which helps guarantee anonmymity because you look like everybody else. Others dress like a cretinous frankenstein that no one wants to talk to, thereby guaranteing privacy of a sort. Those are both fashion statements, and I'm not going to discuss "style" (or the lack of it) in this section.

Instead, this section discusses how to protect your electronics, both against an atomic bomb (after which a charger might be the hardest thing to find) or against day-to-day EMP and the strange signals of daily life. I'll also talk about the flip side of this coin, which is how to protect, preserve, or wipe your precious data when a horde of TLA dweeebs descends on you. Curious but somewhat scared? Good attitude!

Protecting your data and the box it comes in

There are multiple ways of looking at compter security, which can basicaaly be divided into two classes:

  • physical secrity - First is the physical security of your machine, which is basically protecting the device against being dropped or caught in gunfire, as wel as protecting it against accidentally being erased or damaged by airport devices or the occasional EMP (Electro-Magnetic Pulse). The latter most commonly accompanies a nuclear blast, but I'm sure we'd all like to blog about that if one occurs. "Be the first one on your block..." Sorry - I got a lttle carried away there.

  • data security - Second, protecting the informaton, in 1's and 0's in the "right" order, that it contains. The scanning devices and associated signals that can cause data erasure or corruption are very common nowadays - every school, government building, and most office buildings have one. Electronic devices like computers often go around these, but not always, plus which it's easy to forget the random external hard drive. It can even be tricky at times to prove that what you're carrying is a computer. I used to work for an embedded Linux company and would fly to customers or prospects with circuit boads, power supplies, and so on, which the occasional double-digit IQ security gaurd would try to demand that I boot to prove that they were computers. I can't help you with that except to comiserae, but protecting the data on a computer is a very real concern.

Physical protection: Faraday cages and you

To quote Wikipedia, "A Faraday cage or Faraday shield is an enclosure used to block electromagnetic fields. A Faraday shield may be formed by a continuous covering of conductive material, or in the case of a Faraday cage, by a mesh of such materials." Carrying your laptop inside a Faraday cage protects it against being scanned. It does not necessarily protect against erasure if the "attacking" magnetic field is sufficietly strong.

You can always build a Faraday cage yourself, or you can simply purchase one that is sufficiently portable. Flexible plastic Faraday cage bags are available for purchaseat multiple siteson the Internat, including eBay. I use and reccomend the ones from Blackout Privacy Protection Security. They may cause extra hassle fr you when your laptop is scanned at an airport, but persnal data security is worth it - and you may be able to use your laptop for a few hours after a nuclear attack.

Counter-Surveillance Devices

Though often seen as locking the barn door after the horse has escaped, counter-survillance devices are really a combination of an insurance policy and a periscope - ways of seeing what's going on around you and protecting against unwanted intrusion. They won't catch the kid next door who's peeping through your windows, but they will help you detect and protect against the hacker next door who's taking advantage of the fact that you're running Windows or some other non-secure software. They'll also alert you to facts like whether your computer's microphone is always on (usually), the occasional insecure wireless network, and any open or insecure network ports and interfaces on your system.

Much counter-survellance hardware is surprisingly affordable, and much counter-surveillance software is free or usable at different commercial levels. You don't have to be James Bond or a three-letter agency to afford surveilllance protection hardware, and you don't have to be Kevin Mitnick or Bill Joy to set up scheduled scans of your system for vulnerabilities. The next two sections discuss affordable counter-surveillance hardware and operating systems/software, in the latter case also discussing specific software packages and how to automate the use of whatever software you select. Great software is only great if you use it.

Counter-Surveillance Hardware Devices

eBay :

Counter-Surveillance Software

counter-survellance vs intrusion detection. Watching the watchers s finding them in the first place. eBay: My favorite is their entry for trip wire. You’ll find that IDS is typically divided into two groups: There’s signature-based IDS, which scans for known malicious traffic patterns and alerts when it discovers them, and there’s anomaly-based IDS, which looks at baselines rather than signatures to expose deviations from the norm. Also Host-based Intrusion Detection System (HIDS) – this system will examine events on a computer on your network rather than the traffic that passes around the system. and. Network-based Intrusion Detection System (NIDS) – this system will examine the traffic on your network. snort - Gui via Snorby or Base suricata - zeek - Formerly Bro. Breaks comm into sets of actions that can be watched for and/or analyzed. Slightly diff approach. Coolest motto "Zeek and ye shall find." kismet - wireless ossec - Host-based and centralized. opendlp - Data Loss Prevention - old and possibly quite dated but concept is unique. SolarWinds Security Event Manager - - Ala fail2ban, logwatch, etc. Analyzes logs from Windows, Unix, Linux, and Mac OS systems. commercial but with free trial. Samhain Straight-forward host-based intrusion detection system for Unix, Linux, and Mac OS. Gotta love German IDS software. File integrity software ala tripwire and log anaysis. Tripwire - and

Data protection: passwords and encryption

Account passwords and BIOS/UEFI passwords are very different animals, and serve different neds. A Windows, Linux, or MacOS account password prevents people from easily using your computer. It doesn’t prevent someone from breaking in. Common ways of breaking in include:

  • logging in using another account with a weak password or a system account with a known password. This only enables access to unprotected files and directories, but it's a start...

  • rebooting the machine with a live CD or DVD containing an operating system or a hacker's shell to avoid local protections on unencrypted partitions, directories, and files. You may need to first change the boot order to enable booting from an optical disc, and then reboot again.

  • attaching a portable, external hard drive, rebooting, and changing the boot order to boot from the portable drive. You can then reboot the machine from the portable hard 1 drive that contains an operating system or hacker's shell to avoid local protections on unencrypted partitions, directories, and files

  • after enabling booting from an optical disk and verifying that this is first in the boot order, boot from a Windows installer disc and install a new copy of Windows over the current copy on the machine. Once again, this will ony enable access to unencrypted partitions, directories, and files on the computer.

Your computer’s BIOS or UEFI firmware provides the ability to set lower-level passwords, as close to the metal as you can get, enabling you to avoid any of these sorts of attacks. The BIOS or UEFI passwords allow you to restrict people from chsnging the boot order, recogizing and using new external devices, or changing the BIOS or UEFI passwords or other settings without your permission.

The next few sections explain how to password-protect a laptop itself, regardless of what famiy of bootloader you run on a Wintel, Lintel, or MacOS box. Those sections are followed by a discussion of our friend encryption, and how best to use it to protect your machine in clever ways.

Passwords and the boot sequence



Setting a Win/Lintel BIOS or UEFI password

The BIOS or UEFI passwords are set in a BIOS or UEFI settings screen. (Surprie!) On most Win/Lintel systems, you’ll need to reboot your computer and press the appropriate key during the boot-up process to bring up the BIOS/UEFI settings screen. The key that you need to press in order to access te BIOS/UEFI Settings screen varies from computer to computer, but is usually one of F2, Delete, Esc, or F10. If none of these keys work, consult the documenation for your motherbard or seach the web for the model name of your computer or motherboardj and “BIOS or UEFI key”.

Figure 6.1. Sample Phoenix BIOS settings screen

Sample Phoenix BIOS settings screen

In the BIOS/UEFI settings screen, locate the Password option. It may be locaed in the System -> Security section or somethiing similar, depending on your system's BIOS or UEFI cofiguration screens. Once found, configure the password and related settings however you like. You may be able to set multiple passwords, typically User and Supervisor or Administratorh, but if so, the critical ones are the one that allows the computer to boot (the User passwords) and the one that enables you to modify the BIOS/UEFI settings (the Supervisor or Administrator password).

Figure 6.2. Sample Award BIOS settings screen

Sample Award BIOS settings screen

While you're in there, you should also visit the Boot Order section and make sure that the boot order is locked down and does not include an optical drive or USB/external disk.


Make sure that you save your changes before or when you exit the BIOS/UEFI settings acreens!

Setting a Firmware password on MacOS

Even though Macs are Intel-based nowadays, their electronics and firmware are completelyvdifferent than Win/Lintel hardware. Still, the process for sedtting a firmware password is relatively simple. Do the following:

  1. Boot in recovery mode. To do so, reboot and press/hold Command-R immediately after turning on your Mac, and release the keys when you see the Apple logo or a spinning globe.

  2. When the utilities window appears, click Utilities in the menu bar, then select Firmware Password Utility or Startup Security Utility. This utility is available only on Mac models that support use of a firmware password.

  3. Click Turn On Firmware Password.

  4. Enter a password of your choice in the fields provided, then click Set Password. Remember this password!

  5. Quit the utility, then reboot your Mac.

Your Mac asks for the firmware password only when you attempt to start up from a storage device other than the one selected in Startup Disk preferences, or when starting up from macOS Recovery. Enter the firmware password when you see the lock icon and password field.

Encryption is still job one

We used to have to get lead-lined bags to hold camera film when we put it through airport scanners. Today, film is over except for specialists and artists, but scanning devices are much more common than ever, used to detect an Uzi or blunderbus in the luggage of a stupid terrorist going to a school or the post office, and some use magnetism as well as x-rays. It's better to be safe than very, very depressed when your machine won't boot due to data corruption.

Much like the old adage about the only secure machine being a machine in a locked room that isn't connected to anything, the only secure data itself is a printout on a metal sheet or carved into something else that's hard to destroy, like a rock. Secure, but not great for reading back in.

Wiping your electronics quickly

Chapter 7.  My kingdom, or 0.005 bitcoin, for a VPN

Ordinarily, your computer system's IP address can be used to determine your computer system's location. Most computer systems get their names based on their IP address via network requests using DHCP (the Dynamic Host Control Protocol), which typically constructs host names from the sequence of hosts that your machine must traverse to reach it within the context of your ISP. You may subscribe to a service that gives you a fixed IP address or which maps it to a static host name, but you almost certainly have a hierarchically-constructed host name lurking out there somewhere.

Commands like traceroute make it easy to see the network path that packets take to get from your machine to another. This is obviously unsuitable for private or anonymous network use, since you might as well point a huge illuminated sign at your machine if you decide to do anything that you don't want to share with any interested cracker or three-letter agency. What's a girl to do?

The answer is to create and use a VPN - a Virtual Private Network. All done via software, the process is basically:

  1. Create a virtual network and virtual network adapter on your system. When creating the virtual network, define the type of encryption that it will use.

  2. Assign one end of that network to a remote host, and assign your computer to be a member of that network via that adapter

  3. Make that virtual adapter be the primary network interface used by your system

In other words (in nerd speak), a VPN is a set of one or more virtual network interfaces that appear to be on their own network, are encrypted with a shared key or secret, and whose IP addresses are independent of those that are assigned to the corresponding physical network interface(s) of the actual hardware.

VPNs function as an encrypted tunnel over less secure networks, and enable you to use shared, potentially unprotected or insecure infrastructure while maintaining security and privacy via tunneling and standard network security mechanisms and protocols. A VPN enables you to create a secure connection to another network over the same or another network. Because the data flowing over this virtual network and connections to it is encrypted, the data cannot be intercepted and read by a third party or your least favorite hacker. An additional level of encryption hides the sending and receiving addresses.


See a contrarian view of VPNs for more/different opinions about the value of VPNs and Tor in general.

Why a VPN?

Beyond the lower-level security-related issues listed at the end of the previous section, there are a number of good reasons to use a connection to a VPN at all times:

  • Complete anonymity when using the Internet. No one knows you're a dog when you're using a VPN, let alone where your doghouse is located.

  • Eliminate geo- or location-locked limitations on the content that you can view. The network can be logically “positioned” wherever any connection to it is located, enabling access to region-restricted websites by assigning one end of the VPN to a network region that is allowed access). Porn, anyone? Torrents?

  • Last line of defense when using tor. Because of its complexity and power, Tor can be vulnerable to flaws which reveal your IP address, location, identity, and so on, and which may just have been discovered by the Cercetasii Romaniei (boy scouts) in Romania. Using a VPN with Tor can prevent against or at least obfuscate A VPN affords privacy, while Tor supports anonymity. Internet providers can detect when Tor is being used because Tor node IPs are public. If you want to use Tor privately, you can use either a VPN or Tor Bridges (Tor nodes that are not publicly indexed). US Tor users in particular should use a VPN, which will be faster and more reliable.

  • Eliminate centralized services that are sometimes required by streaming software to work around or legally interact with open-source services such as Kodi.

  • State of the art encryption to protect your personal information, chats, emails, bank details, photos, sensitive business documents, etc. This is especially valuable when you are using public Wi-Fi.

What is 5 EYES and why do they suck?

Each of the VPN descriptions provided later in this chapter identifies where the headquarters of its parent company are located because that plays directly into privacy concerns such as the 5 Eyes effect. This is the term (often abbreviated as 5EYES) for an English-speaking intelligence alliance comprised of Australia, Canada, New Zealand, the United Kingdom, and the United States (i.e., the anglosphere. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence, a classic misnomer if ever there was one. 5EYES participants are the real scumbags that you want to protect your information from, but no such luck.

Originally created just to monitor communication to/from/in Soviet republics, UKUSA is now used to monitor billions of private communications all over the world as long as they originate in or are being sent to one of the participating countries. 5EYES is a great example of an attractive houseplant that turned into kudzu. In addition to active monitoring, 5EYES cooperation also enables logs and other information to be demanded from parent companies that are located in a participating country.

If 5EYES eavesdropping isn't nauseating enough because 5 is a small number, there is also 9 Eyes and 14 Eyes. 9 Eyes is 5EYES plus Denmark, France, the Netherlands, and Norway, with the same touchy-feely goals, lack of morals, and cockiness that made us all detest 5EYES. Not wanting to be left out, most of the rest of Europe jumped in to form 14 eyes, which is 9 Eyes plus Germany, Belgium, Italy, Sweden, and Spain. I'm sure that Portugal, Luxembourg, Monaco, and Finland are coming soon in 18 Eyes. Israel is an honorary member of 5 Eyes and therefore of `every superset, but they don't count towards the total.


For more information about 5, 9, and 14 (or more) EYES, either see 5, 9, and 14 EYES or just place a call about drugs, money, and revolution and wait for the men in black.

Every map of the United States, especially, should come splashed with the legend "Here there be bogons.". For a place that started out based on the idea of freedom of speech, the USA today is really an onerous mess.

How does the Patriot Act bite you in the ass?

One of the most ironically named government policies ever is the one about data theft and government misappropriation of information, known as the Patriot Act. This Act is a blistering collection of knee jerk, sphincter-tightening rules put in place after 9/11/2001 to make us all feel safer by widening the government's ability to monitor,inspect, and capture various types of data communications.

In the middle of this shit sandwich lurks Section 215, which controls information collection for counter-terrorist purposes. As nicely summarized by the EFF (Electronic Frontier Foundation):

Section 215 of the USA PATRIOT Act allows the government to obtain a secret order from the Foreign Intelligence Surveillance Court (FISC) requiring third parties like telephone companies to hand over any records or other "tangible thing" if deemed "relevant" to an international terrorism, counterespionage, or foreign intelligence investigation.

My favorite part is the "secret order" part. Why get a warrant if you don't have to - it just slows things down. The NSA has also obtained unprecedented access to the data processed by various leading U.S. Internet companies. To collect such information, the government uses a computer program named PRISM from a Beagle Brothers catalog. Just kidding about the source of the program - it was developed by the NSA and is therefore your tax dollars at work raping data, falling under the domain of Section 702 of the Foreign Intelligence Surveillance Act (FISA). (This government crap is almost as cryptic as PL/1!)

At any rate, the companies involved include little ones like Google, Facebook, Skype, and Apple. Initial reports said that the NSA can use PRISM to "pull anything it likes" from these companies' servers. Government officials and corporate executives have responded that the NSA only obtains data with court approval and with the knowledge of the companies. If something doesn't already stink in here, some companies simply denied knowledge of PRISM, so you can certainly trust the statements from government officials and corporate executives.

As the final turd on top of this sundae of evil, section 215 orders may have been combined with requests under other provisions of the Patriot Act, such as Section 216, which governs access to online activity, such as email contact information or Internet browsing histories.

After all that complexity, you might be comforted by the fact that most of this was restricted to data and communication outside the US, so you and your friends across the US can discuss building an A-Bomb in safety and with impunity. BZZZT! Absolutely not true, Do not collect a million dollars, get your prison uniform, and head for the nearest unnumbered cell. Today's distributed, cloud-based server and data storage computing environments mean that you don't know where your data is being stored or replicated to. Firms such as Google store backup and replicated data in multiple locations and time zones to reduce restoration time if a server in one location goes done hard and will require significant restoration time. This is great for them but not so much for you because once data travels outside US borders, it can be recorded, grabbed, and analyzed by your friends at your favorite TLA, and all without your knowledge or intent. Oops, sorry - busted!

Censorship is to knowledge as lynching is to justice

Censorship, AKA cloistering information, means to block access to supposedly dangerous or politically questionable information so that you and I don’t hurt ourselves by knowing too much or getting correct information. Henry David Thoreau, a white hat before there were computers, once said:

“If I knew for a certainty that a man was coming to my house with the conscious design of doing me good, I should run for my life.”

Hackers have no malicious intent, and help us all by opening resources so that we can access them, understand them, fix problems, and really know what's going on. Thanks, Edward Snowden, for letting us know that tin foil hats are often justified - you deserve a Nobel prize!

I am proud to be an American due to our history of freedom, innovation, and invention. I am disgusted to be an American when I see things like 5 EYES and friends, or legislation like SOPA (the Stop Online Piracy Act and PIPA (the Protect IP Act) being proposed and hotly debated. These are bills that purport to do good, but really just benefit the greedy media companies. We already have the greedy and disgusting RIAA (Recording Industry of America)? How many Satans do we need? Luckily, SOPA and PIPA were defeated, and even though they may have had some good points, they offered other censorship and anti-freedom possibilities that would have made Hitler and Goebbels blush. Remember the death of the original Napster? Shot to pieces like a dog in the street.

The point of that little rant was to highlight that knowledge is power, and withholding information for whatever reason is the abuse of power. The next few sections discuss how get around some governments' abuse of power in this fashion, discussing common censorship tricks and how to (try to) get around them.


This is a good point at which to mention that supporting the Electronic Frontier Foundation (EFF) is one of the best things that you could ever do. Freedom isn't itself free, and just like Superman, the EFF is always on the side of truth, justice, and the intent of the American way. Donate!

When you are affected by site or content blocks, the first thing you should always try as a fix is to install and activate a VPN. After all, you should always be running a VPN for basic privacy and some anonymity help (because it changes your geo-location). Depending on how active the blockers are at blocking the IP addresses used by the VPN, that may be all you have to do to get around content and site-blocks based on your physical location.

Some good sites with a vast amount of such information are the following (if they aren't blocked, that is):

Avoiding DNS filtering, hijacking, and redirection

If you are being blocked when you try to access a site by host name, there are a number of workarounds that you can try. Their success depends on how accessing the host by name is being blocked:

  • Try accessing a blocked host by IP address rather than by host name. If you don't know the host's IP address, try using the dig command to retrieve it. If that is blocked because your default name server does not contain an entry for it, use a known safe name server and syntax like:

              dig  @nameserver  host-name

    Some open and trustworthy name servers are the following:

                # Google
                # Google
              208,67.222.22      # OpenDNS
         # OpenDNS
  • Check if your VPN software supports augmenting DNS with other name servers. If it does, enter the name servers from the previous bullet as alternatives. Many VPN providers run their own nameserver that are immune to the changes that censors make, but they may be blocked. Providing safe, public alternatives is always a good idea (as long as they are not blocked).

  • Try entering the IP address of the site that you want to access in another base, such as octal or hexadecimal.

  • Use the Tor browser. The use of Tor's multi-hop resolution and display routing technique will circumvent many URL blacking schemes because the multi-hop nodes may not be filtered or blocked.

  • Try to use the Wayback Machine to see a recant version of the site. The Wayback Machine crawls most of the internet frequently, and has more disk drives than god.

Freedom by proxy

According to Merriam-Webster:

"Proxy comes from a contracted form of the Middle English word procuracie (meaning “procuration”). A proxy may refer to a person who is authorized to act for another or it may designate the function or authority of serving in another's stead."

In the web context, a proxy refers to a web server that effectively replaces the front end of one or more search engines It submits your queries and displays the results for you so that the query appears to be coming from the proxy's IP address and geo-location, not yours. This is effective method of working around blocks of search engine sites by name and/or IP address. Some examples of such sites are:

Even if one or more of these proxy sites work for you at first, they will eventually be blocked if the Nazis who are censoring your queries know what they are doing.(IT-wise, not evil-wise, since they're certainly good at the latter). A better solution in this case is to set up your own proxy server. All you need to do that is a friend in a free country who is willing and competent enough to install and configure some proxy server on a machine that they have admin privileges on.


If you're happiest with someone else providing your proxy but need to stay up-to-date with what's available, MyIPHide offers free lists of US, UK, SSL, Google, and Anonymous proxies. You can also purchase larger up to the minute lists of HTTP proxies and SOCKS proxies. You can also purchase access to their fast, encrypted proxy service.

Some free proxy servers that you can get someone to download, install, and configure are the following:

  • - this proxy runs on Microsoft Windows platforms. It is free but not GPL.

  • Squid is everyone's favorite GPL proxy, and I can attest to the fact that it is powerful but still easy to compile, install, and set up. See Wikipedia for more praise and general information. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.

  • - free, GPL, and well-regarded. See

  • - A secure SOCKS5 proxy that must be compiled, installed, and configured. installed.

  • - Tinyproxy is an incredibly small but robust HTTP/HTTPS proxy daemon. If you can get around censorship with a proxy, Tinyproxy makes it easy to clone Raspberry Pi systems and share them with any friends who are also interested in freedom. GPL, of course.

Useful browser extensions

One usually wants to configure things so that you whole machine is ready to go anywhere, at any time. On the other hand, a bird in the hand is worth an infinite number in the bush. That's the theory behind customized tools like tor (see Chapter 8, Obtaining, installing, and configuring the tor browser ), and that's also the theory behind browser extensions that can increase privacy for any browser session. The next few sections discuss some handy browser extensions that can help you get around traditional search blockage, and increase content privacy wherever you go.

HTTPS Everywhere

As discussed in the section called “ Differentiating between privacy and anonymity ”, anonymity is security of identity, whereas privacy is security of content. HTTPS (Hypertext Transfer Protocol Secure) helps guarantee privacy by encrypting communication between a remote web server and your browser so that you can look at whatever you want. TLAs and other misguided voyeurs will know the IP address and port of the site that you are visiting, but not what particular pages you're viewing.

HTTPS Everywhere is a browser extension that forces trying for an HTTPS version of the sites that you visit, before falling back to an insecure HTTP version. The encryption that HTTPS provides increases privacy and thus makes your browsing more secure. This content security makes it more difficult for censors to see what you are viewing, but not what site you're visiting. You should always use this extension to get as close to privacy as possible

Chrome Ultrasearch extension

Ultrasearch provides a sanitized search extension for Chrome that was originally developed to fight Chinese censorship. Their slogan is "Privacy, Security and Freedom". Easy to install, and enables you to browse the web safely and freely!

Censorship circumvention tools

Hola, Lantern, Psiphon, and others are free or freemium and open-source Internet censorship circumvention tools. These are privacy tools, not anonymity tools, and use a combination of secure communication and obfuscation technologies (VPN, SSH, and HTTP Proxy) to circumvent web and IP blocks that are implemented by modern Nazis to prevent people from accidentally learning about "forbidden" topics. (Forbidden topics are generally those that don't agree with the party, government, or prevailing moral line.) Since this is the modern, open source universe, there are many similar projects aren't discussed here, that may never have gotten off the ground, or which may have died the mung fade (RIP Haystack, for example). I just don't know them all, but knowing that some exist will hopefully inspire you to look for others if you want to know more. Please let me know if I've missed something, and one of us can add it to a future version of this document.

  • Hola - collaborative, community-powered, peer-to-peer (P2P) proxy software that shares the idle resources of its users for the benefit of all. The Hola VPN combines traditional VPN architecture and peer-to-peer technology routes traffic through other peers (nodes) in the Hola VPN network, reducing costs by eliminating the requirement for power-hungry, easily seized, centralized servers.

  • Lantern - peer-to-peer proxy software that leverages a network of trusted users who share their bandwidth with those who are in countries where the network is partly blocked. Connections are dispersed between multiple computers running Lantern so that this proxying does not put undue stress on or point virtual fingers at on a single connection or computer. (Thanks for that summary, Wikipedia!) One of the primary people behind Lantern is a former lead developer for Limewire, a cool and powerful music sharing application that was unfortunately crushed under the jackboots of the insipid and foul RIAA.

  • Psiphon - proxy software that leverages a centrally managed and geographically diverse network of thousands of proxy servers, using a performance-oriented, single and multi-hop architecture. Psiphon is specifically designed to support users in countries considered to be "enemies of the Internet" - in other words, that are enemies of the free, open, and un-censored sharing of information. The codebase is developed and maintained by Psiphon, Inc. which operates systems and technologies designed to assist Internet users to securely bypass the content-filtering systems used by governments to impose censorship of the Internet. (Thanks for that summary, Wikipedia!)

Free and commercial (i.e., freemium) versions of all of the packages listed in the previous list are available.

Must-have VPN features

To provide all possible goodness in a truly secure fashion, VPNs and their developers should provide features such as the following:

  1. No logging. If the FBI or NSA raid your provider, no activity or other logs should be discoverable with a paper finger pointed firmly at you.

  2. High performance, regardless of remote connection location

  3. A fast kill switch for the VPN and for applications that you can specify because you are specially concerned about them, in case connectivity is interrupted or evil government scumbags are eagerly snooping around or closing in

  4. TOR compatibility and interaction

  5. Doesn't step on specific applications and their protocols (bittorrent, Netflix, and so on)

  6. Nice-to-have: Supported on all popular platforms

Some popular commercial VPNs

There are more VPNs than there are word processors nowadays. including free solutions and open source software (OSS) toolkits that enable you to roll your own. While I am a hard-core advocate of open source software, I am also an expert in knowing what I am not an expert in - and that is low-level security software. My favorite VPNs are the following (in order), based on my personal experience. Monthly cost at the time that this document was last updated is provided if you want to try any of these out for your use case.

  • NordVPN - (My personal favorite) Good: no logging; high performance, works great with services like Netflix, works fine with torrenting or peer-to-peer, no problems with dark web URLs, offers add-ons like double VPN (encrypts data twice) and dedicated IP (be careful when and why you use this!), enables VPN routing before Tor, anonymous payments supported via multiple cryptocurrencies. Headquartered in Panama. 5000+ servers worldwide. Problems: occasional speed hiccups and not much more. Chrome browser extension (not required and not recommended) causes frequent restarts, logouts, and per-country selection failures. (Just don't use it!) Cost: monthly, $12 US std, longer-term but less expensive subscription/purchase plans available.

  • ExpressVPN - Good: no logging, high speed, provides good access to Netflix and other streaming services, good support for BitTorrent and P2P, over 3000 servers available world-wide, provides its own encrypted DNS service, anonymous payments supported (Bitcoin), supports split tunneling (simultaneous VPN and non-VPN user-specified applications), features nice UI. Problems: Headquartered in the British Virgin Islands, so not immune from 5 EYES scrutiny - see their privacy policy for more info. (Sad, because this is otherwise a great package!) Seems to restrict the number of simultaneous connections from multiple devices, which can be avoided by installing it on a home router. Cost: monthly, $12.95 US, longer-term but less expensive subscription/purchase plans available. Look for coupons!

  • SoftEther VPN - The SoftEther VPN Project has created a powerful, FREE, open source VPN that is multi-platform, but is especially easy to set up and use on Linux systems. (You can download its source code for *BSD* systems, but they do not build it for *BSD* systems themselves. Native Mac OS X client support is still identified as experimental at the time that this document was last updated.) As an open source VPN (Apache 2.0 license), it is especially handy to integrate if you are assembling a Linux/*BSD* platform for redistribution.

    Good: No logging, high performance, no payment necessary. Problems: can be slow to start, since it walks through a list of possible providers in its primary configuration file, not all of which may be currently available. SoftEther VPN is structurally very similar to OpenVPN, its better known open source brother. The SoftEther controller/client is included in the Dat Mofo Linux distribution.

  • AzireVPN - Good: no logging; high performance, offers own super-secure WireGaurd protocol betweeen your client and their servers, works great with services like Netflix, works fine with torrenting or peer-to-peer, no problems with dark web URLs, anonymous payments supported via multiple cryptocurrencies. Account login and password are your choice, not autogenerated, so see Chapter 9, Creating secure email and alternatives . Headquartered in Sweden, 7 server locations in various countries. Problems: Must install tools (140+ packages, depending on what's already installed) and compile any Linux client. Cost: monthly € 5, longer-term but less expensive subscription/purchase plans available.

  • IVPN - Good: no logging, great performance in my experience, dedicated IP available, anonymous payment. Headquartered in Gibraltar. Problems: some problems with streaming services such as Netflix. Cost: monthly, $15 US, longer-term but less expensive subscription/purchase plans available.

  • CyberGhost - Good: no logging, good performance in my experience, dedicated IP available, anonymous payment. Headquartered in Romania. Problems: good UI with some issues, usually solved by a restart. Questionable Israeli parent company specializing in malware. Cost: monthly, $13 US, longer-term but less expensive subscription/purchase plans available.

  • Private Internet Access (PIA) - Good: no logging, high performance, anonymous payments. Problems: Not all servers deliver unblocked content. Headquartered in the United States, so legal protections against government data theft such as 5 EYES may be nil even though they say no logs. Cost: monthly, $4 US.


    Former Mt. Gox CEO Mark Karpelès is CTO of PIA at the time this document was last updated. That can be a good or bad thing - he's obviously clueful, but bad things have happened under his watch before. One may be an aberration, but who knows...

  • PureVPN - Good: good performance, headquartered in Hong Kong, with over 2000 servers spread across more than 140 countries, bittorrent friendly, 256-bit encryption, and some cool add-ons. Problems: super-fast claims are just super-claims, add-ons are actually added and thus cost extra money, customer reports of DNS and IP leaks, no logging policy is unclear and questionable. Cost: monthly, $10.95 US, frequent specials on longer-term subscriptions.

  • IPVanish - Good: no logging, high performance, anonymous payments. Problems: doesn't always enable access to certain applications or when using certain protocols. Headquartered in the United States, so legal protections against government data theft such as 5 EYES may be nil even though they say no logs. Cost: monthly, $10 US

  • WindScribe - Good: no logging; strong encryption; ad blocking; feature-rich desktop app. Headquartered in Canada (and thus potentially susceptible to 5 eyes scrutiny). Problems: can be slow. Cost: FREE with fewer servers and 10 GB monthly limit, otherwise monthly, $9

  • Perfect Privacy - Good: no logging; strong encryption; offers verification of functionality through a number of online tests that are available on their web site. Headquartered in Switzerland, which you would ordinarily think would make them immune from 5 EYES scrutiny, but it turns out that they will fold like a cheap suit in response to a 5 EYES information/log request. I used to respect Swiss neutrality, but that now seems to have more holes than their cheese. Problems: can be slow, and things like Netflix support are highly server-dependent. Cost: monthly, $9.99 (yearly rate)


VPNs such as ExpressVPN, NordVPN, PIA, PureVPN, Windscribe, and many more are available pre-installed on a Linksys router to avoid simultaneous device access limitations. See FlashRouters for more information.

This is just the tip of the VPN iceberg. A great source for comparing VPNs is That One Privacy Site, which is even recommended by the Electronic Frontier Foundation (EFF), so you know it's good.


After selecting which VPN, always pay for it securely using properly-mixed bitcoin, some other cryptocurrency, or a pre-paid credit card. Set any email to go to a secure email account that uses a name that can't be traced to you. You should also consider changing VPN hosts (and possibly providers) at least yearly, so that the set of IP addresses that you're coming from changes at that point. Changing VPN providers changes the set of alternate hosts the the VPN will use, helping avoid establishing a usage pattern that could be tracked.

Free VPNs with a caveat or two

The previous section discussed various commercial VPNs, listed in order of personal preference. However, I am not a hardcore security person (and have never even been asked to play one on TV) - my basis for personal preference is things like performance, number of servers, headquarter location, add-on bells and whistles, cost, and bittorrent support. However, the ones discussed in the previous section still all cost something, even some that are based on OpenVPN, SoftEther, and other free software projects. Surely, in these open source days, there must be some free VPNs out there?

I'm proud to be able to say "Yes, Virginia, there is a Santa Claus." There are actually a number of them, and the free VPNs that they've developed have been carefully compared in an impressive article by Paul Bischoff called 20+ free VPNs rated side by side, 2019 list. I'm not going to bloat this document by pilfering from Paul. If you don't have the time or inclination to read that, or can't find a free one that meets your needs, check the SoftEther site, the OpenVPN site, or buy a commercial package. YMMV. However, remember that it's your privacy that you may be messing with.


People deserve to be rewarded for their work, especially if that's all they have time to do. In the Linux and *BSD* spheres, it's quite rare to have software that costs money, and that leads many people not to be willing to pay for anything. I'm sure that Richard Stallman is starting a voodoo doll with my likeness, and I'm sorry about that, but it's worth it to me to support great software if I need to. An example of great commercial software for Linux is SoftMaker's TextMaker, part of their excellent office suite, all components of which are fully compatible with anything I've ever had to deal with. (I am not being compensated in any way for that recommendation, I just like the software. Sorry, Richard!)

VPN alternatives

The next sections describe real or perceived alternatives to commercial VPNs that you may want to consider for various reasons. A VPN or similar solution is key to using the dark web safely and securely over the standard Internet. These next few sections describe alternatives to various aspects of a VPN when you may need or want to implement another solution.

Smart DNS

Ome of the most common reasons for using a VPN is to make your network traffic appear to be coming from another location, enabling you to circumvent content or service blocking based on geo-location. Some location-based content blocking is driven by greed (Netflix, broadcast networks, and so one), while other s blocking is driven by the desire to emulate Nazi Germany (China, Iran, and so on). On the other hand, geo-location based content blocking simplifies the term "world wide web" by removing two w's - those pesky "world wide" ones.


This section uses the term smart DNS in the conceptual sense, not as a company name. If a smart DNS server fulfills your needs, a company that happens to have that name is a well-respected provider of that specific service.

Semantically, a smart DNS service provides a DNS service proxy that hands off its information requests to geographically correct DNS servers that enable a user to reach the sites that are normally unavailable due to geo-restrictions. If this is all that you need to do, smart DNS services are generally faster than using a VPN for this purpose because they do not do the extra encryption/decryption that a VPN does.

There is really no easy way to provide a smart DNS service yourself, due to the need to identify and then use the DNS servers that are specific to each geo-location. A VPN is generally preferable to a smart DNS service to resolve location-based content blocking as long as the VPN does not interferes with content delivery. A smart DNS server does not provide the privacy guarantees that a VPN provides because it does not perform the end-to-end encryption that is done by a VPN. Similarly, it does not obscure your IP address because it focuses on modifying DNS provider information without modifying your IP information.


Checking the browser language of incoming requests and serving up text in that language is all the geo-location (ethno-location?) that anyone should ever have to do. There are companies that provide geo IP blocking as a service, but I don't know any of them. If you are interested in geo blocking information on your web site, check out their booths outside the next Nuremberg rally.

SOCKS 5 tunnel for tor


This section describes a higher-performance mechanism for securely using the tor browser to surf the dark web. If you want to use this mechanism rather than a VPN, note that using this mechanism does not provide the anonymity guarantee that a VPN provides. It is focused on privacy - that is, protecting the private contents of whatever you type and browse to. This will provide privacy for any browser, but not anonymity, because all your packets will all seem to come from wherever you tunnel to. You don't have to be a rocket scientist to know that whoever is behind them is someone with access to that SSH server, and even the government may be able to figure out or demand that information. Choose well, grasshopper.

For anonymity's sake, DO NOT start the tor browser without this tunnel mechanism in place (or your favorite VPN), and do not exit from either mechanism while the tor browser is running. Just to be on the safe side, courtesy of the Department of Redundancy Department, DO NOT use the tor browser unless this proxy or a VPN is running.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. A SOCKS server proxies TCP and UDP connections to an arbitrary IP address.

The primary differences between a VPN and a SOCKS proxy is the time delays that a VPN may introduce, so every time you ask "VPN or SOCKS?" there's always at least one hand up for SOCKS. SOCKS is attractive for performance reasons, because VPNs can introduce delays due to the time delays involved in routing across tunnel endpoints, depending on network load and where those endpoints are. A lack of encryption used to be an issue with previous versions of SOCKS, but this is "fixed" by using the latest version of SOCKS with a single protocol. The latest generation of SOCKS, SOCKS5, introduces the support for and use of authentication. Because the SOCKS5 proxy servers use an SSH (secure socket shell) protocol, not just anyone can connect, and someone trying to gain access improperly has a large amount of encryption to deal with.

Another advantage of a SOCKS5 proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which will improve user response time.

The process of creating a SOCKS5 tunnel that you can use with the HTTP traffic used by the tor browser is the following:

  1. Open a terminal program

  2. Set up the tunnel with this command (replace items in this font with your own values):

    sudo ssh -D 1234 -C -q -N -f

    The options and parameters to this command have the following meanings:

    • -D - tells SSH to use the specified port (which can be any unused port between 1024 and 65536) for the tunnel

    • -C - compress all data before sending it

    • -q - Uses quiet mode

    • -N - Tells SSH that no command will be sent once the tunnel is up

    • -f - Starts the tunnel in the background, returning control to you at the command line

  3. Verify that the tunnel is up and running with this command:

    ps aux | grep ssh

    If you see a process listing command (i.e., from the ps aux command) that was the same as that in 2, congratulations! Your tunnel is running. You can quit your terminal application and the tunnel will stay up, because we used the -f argument to put the SSH command (the one that that opened the tunnel) into the background and detach.

Now that you have an SSH tunnel, configure the tor browser to use it:

  1. In the upper right hand corner of the main tor browser window, click on the hamburger icon to open the browser menu

  2. Click on the Preferences menu item and navigate to the Network Proxy section. Click the Settings button. A new pane displays.

  3. Select the radio button for Manual proxy configuration. (It should already be selected).

  4. Enter for the SOCKS Host (in other words, localhost, and for Port number, enter the same port number that you specified when creating your SSH tunnel.

  5. Click OK to save and close your configuration

Now, open another tab in the tor browser and start browsing the web! You should be all set for secure browsing through your SSH tunnel.


To verify that you are using the proxy, go back to the Network settings in the tor browser. Try entering a different port number. Click OK to save the settings. Now if you try to browse the web, you should get an error message The proxy server is refusing connections. This proves that Firefox is using the proxy and not just the default connection. Revert to the correct port number, and you should be able to browse again. Hooray!

When you are done using the SSH tunnel, go back to the Preferences > Advanced > Network > Settings pane in the tor browser. In the Network proxy settings section, click on the radio button for Use system proxy settings and click OK. The tor browser will now read data over your normal connection using the normal settings, which are probably unsecured.


As mentioned before, this section describes a higher-performance mechanism for securely using the tor browser to surf the dark web. If you want to use this mechanism rather than a VPN, DO NOT start the tor browser without this mechanism in place, and do not exit from this mechanism while the tor browser is running. Just to be on the safe side, DO NOT use the tor browser unless this proxy or a VPN is running.

To terminate the tunnel, use the ps command given earlier to find the process ID (PID) of the proxy server, and then terminate it using the kill command:

ps aux |grep ssh
      wvh    98765   0.0  0.0  2462228    452   ??  Ss    6:43AM   0:00.00 ssh -D 9876 -f -C -q -N
kill -9 98765

Rolling your own really-close-to-a-Linux-VPN

It's hard to choose a single VPN solution, especially in the open source world where you have at least 15,384 to choose from, including commercial ones, as of 12:30 PM on the day that I'm writing this. The open source universe has room for everyone's creativity, with room for an infinite number more. One or more of them may be exactly what you need/want. And the source code is always available if you think a certain project/package is almost perfect.



All Linux distributions are not created equal, especially if you're running Linux on a less common platform or if someone else hosts and supports the system that you're using. Some platforms are uncommon because they're obscure or old, while others are simply up-and-coming. If there is no commercial VPN for your hardware or you cannot install one on a shared system, you should definitely consider at least using a more light-weight solution such as sshuttle's proxying, as discussed in this section.

I can't tell you all of the networking background, details, and nuances that you would need to write a completely new VPN client and server that is bulletproof and tighter than Silas Marner's purse strings. Open source projects like SoftEther or OpenVPN are huge, complete, and still growing. Explaining either of those in detail deserves its own book and is just a subset of the dark web access that this document is about, so it's out of scope here. Sorry.

As far as other open source projects that are, or are really, really close to, a VPN, one of my favorites is sshuttle, which proxies all IP traffic through a remote host's SSH server, as long as you can SSH to that host in the first place. This gives you the benefit of the encryption that SSH provides, reduces your administrative wishlist on a network that does not provide a VPN, and also hides your IP address (though it paints a really large target on the machine whose SSH server you're using). It will hide your identity from randoms and driveby hackers, but not from the NSA. OTOH, it is open source, so here's your chance to help foster a project rather having to do that and give birth to it in the first place.

One huge advantage that sshuttle has over other VPN-like solution is that it requires no administrative privileges, and it also requires no special thousand port-forwarding to be set up on your machine - all ports (including all DNS queries) are forwarded.

You can get sshuttle from its GitHub repository, through the repositories of many Linux distributions, or through tools like Homebrew on Mac OS. Once you've installed it, running sshuttle is quite simple by using a command like the following:

sshuttle --dns -r user@sshserver

You'll be prompted for the password that you need to use to access the sshserver as user@sshserver, and the proxying/forwarding/rerouting begins!. Because you specified the --dns, this command forwards all TCP and DNS traffic to the specified SSH server. If you want to continue using your existing DNS server(s), do not specify this option. The sshuttle currently does not forward other requests such as UDP, ICMP ping, and so on.


Ordinarily, the sshuttle command does not display status information while it's running, but you can make it more verbose by adding one or two -v options to the command-line. Each -v option increases its verbosity.

As specified in the sample command, the sshuttle command continue to run in the foreground. To cause it to detach after starting (writing verbose log information to the system log rather than just to stdout), add the -D to the command line.

The sshuttle application, enabling you to exclude certain IP address traffic from its forwarding, only forwards traffic headed for certain networks, and so on. As always on a Linux box, the man command is your friend.


To verify that the sshuttle command is working, you can use a command like curl and check its output to make sure that the address that it returns is the address of the SSH server that you specified.

Is my VPN working?

If you think you're hidden because you paid someone money and because the software you're running that claims to be a VPN is now displaying different numbers/addresses than it used to, I have a bridge (and not a Tor bridge) that I think you'll be interested in. I'll take you on a guided tour as soon as it stops raining gumdrops.

Seriously, trust, yet verify is the right way to go with any security software, including some package that you read a good review of or which someone recommended to you. This is especially true of something like VPN software, which turns knobs for you under the covers, and changes something that is usually assigned to you - something that you usually don't have to mess with or even know in the first place. Most ISPs assign you an IP address when you connect to them, but whether is your home or an IP from a VPN in Croatia is hard to tell, initially. The next two sections identify some ways in which you can obtain IP and related information about your system.

Using web sites for VPN testing

Seriously, trust, yet verify is the right way to go with security software, especially something like VPN software, which changes something that is usually assigned to you and which you usually don't have to know. Most ISPs assign you an IP address when you connect to them, but whether is your home or an IP from a VPN in Croatia is hard to tell, initially. Here are few sites to visit that will give you information about your IP address, whether you're using a VPN, and the browser that you're using to connect with:

  • Perfect Privacy Connection Details - This site's primary Check IP connection test, shown in Figure 7.1, “IP connection info from Perfect Privacy”, displays basic IPv4 and IPv6 address and DNS info (or You do not seem to have IPv6 connectivity for the latter if that's the case), HTTP header metadata, and the status of Java, JavaScript, and Flash support in the browser that you're testing with. There's also a nudge nudge wink wink entry about whether you're using the Perfect Privacy VPN software (which you obviously don't have to be in order to run the tests). Other tests (selectable by buttons at the top of the page) or from its parent page) include the following:

    • DNS Leak Test - tests if you are using the provider's DNS server directly rather than the one that is provided by the VPN

    • WebRTC Leak Test - determines whether the WebRTC API enables remote systems to identify your "real" IP address (the one that was originally assigned by your ISP)

    • MSLeak Test -tests whether Microsoft login data and system services are available directly. Only meaningful if you are running the Internet Exploder or Edge browsers from a Microsoft Windows system. The easiest fix is, of course, to stop running Windows and to switch to a real operating system rather than incremental ambergris.

    Figure 7.1. IP connection info from Perfect Privacy

    IP connection info from Perfect Privacy

  • - provides a huge amount of information about your IP connection and the browser and system that you are using, including: IPv4 and IPv6 addresses, location, WebRTC tests, DNS info, Torrent Address info, and a very cool Geek Details section that provides browser capabilities and plugins info, screen size info, and general detectable system info. Very pretty.

    Figure 7.2. IP test info from (Air VPN)

    IP test info from (Air VPN)

  • WhatIsMyIP - displays hi-level local and public IP address info, with buttons that enable you to drill down into pages that provide additional information. These subsequent pages also provide detailed information about the new data that is being displayed.

    Figure 7.3. Top-level IP address info from

    Top-level IP address info from

  • IP X Test Suite - displays IPv4 and IPv6 (if available) address and geographic location info, DNS server info, WebRTC leak info, and a tremendous amount of browser analysis and header info, including whether the "Do Not Track" bit is set in HTTP headers. Extremely useful test suite!

  • - provides a huge amount of browser fingerprinting information about your IP connection and the browser that you are using, including: IPv4 and IPv6 addresses, location, JavaScript, Flash, WebGL, and Silverlight capabilities, and so on. The icons at left enable you to jump to the results of a specific set of tests. A truly impressive test suite - and you can't beat the price!

    Figure 7.4. Various IP and browser tests from

    Various IP and browser tests from

  • DNS Leak - fast but minimal test for DNS leaks in your web queries. Figure 7.5, “A suspected DNS leak from” show the information that this site displays when used with a VPN that seems to be leaking DNS information, in this case about the DNS server that is being used .

    Figure 7.5. A suspected DNS leak from

    A suspected DNS leak from

The sites in this list are just the tip of the information iceberg that you can find on the net. Each provides a different subset of the information that can be culled from your site. Take your pick - I wanted to potentially save you a bit of surfing by listing the ones that I personally have found useful in the past.

Testing your system for identity leaks

Most of this book is about how to keep yourself anonymous on the Internet, but there is much more to anonymity than protecting your IP address and where you are physically located (the latter is commonly referred to as your geo-location). The additional information that can be captured and tracked also includes things like:

  • a unique hardware/machine identifier

  • a system-level login identity (a Windows, MacOS, Linux, Android, iOS, or similar login)

  • some service account identity (account/login to a specific service or vendor account)

  • a service account that provides cross-service authentication or proof of identity, such as a Facebook or Google identity

Beyond empirical collectable data like these things, there is also observable data that can be collected and used to try to infer your identity or provide a basis for identifying you by usage patterns, like browser fingerprinting.

Together, all of this makes up a veritable smorgasbord of trackable information, with you lying on the buffet table.

The following sections each discuss a different software tool that probes some aspect of your system and the hardware/software configuration information that it contains. The goal of this section is to explain how to use these tools to make you comfortable with the facts that your data is secure and untraceable after following the mechanisms that are explained in this book.


Class: network probe

Nessus is a very popular vulnerability and system status scanner. Originally free and open source, the Nessus source (version 2.2.11) was closed in 2005 and the software has been through several packaging methods since then. A free "Nessus Essentials" version is still available, but the full version ("Nessus Professional") now costs $2,190 per year. Its closure has led to many forked open source projects based on Nessus like OpenVAS and Porz-Wah.

Nessus Professional's network scans cover a wide range of technologies including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure. (Nice summary, Wikipedia! Nessus Professional is often used for configuration and compliance audits, SCADA audits, and PCI compliance testing. This would all be great if the full version was still free.


Porz-Wahn is yet another security scanner based on the last open source release of Nessus. It hasn't been updated since sometime in 2014, so it's probably defunct. You may hear about it, so I'm listing it here.


The Nmapapplication is the best known and best established Network scanner around. It has more options than you can shake a port at. It scans/probes network ports for a number of different states (i.e., packet states returned) and also has different default behavior depending on whether you run it as root or not (that is, whether you can read the raw packet data or not). Common states to scan for are:

  • SCTP INIT scan (-sY) - SCTP is a relatively new alternative to the TCP and UDP protocols, combining most of their characteristics and adding new features like multi-homing and multi-streaming. To quote the nmap docs, "...the SCTP INIT scan is, the SCTP equivalent of a TCP SYN scan. Like a TCP SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states...

  • SYN scan (-sS) - In SYN scan, only half of a TCP connection is established. When running as root on Linux, nmap does a SYN scan by default, and SYN scanning requires root privileges in general on Linux systems. SYN scanning is faster than TCP scanning since it does not establish a full TCP handshake, which can also make it harder to detect.

  • TCP connect (-sT) - In TCP connect scan, a full TCP connection is established to verify the existence of a port. When running as non-root on Linux, nmap does a TCP connect scan by default.

  • UDP scan (-sU) - While services running over the TCP protocol are much more common, UDP services (such as DNS, SNMP, and DHCP) are still widely deployed. UDP scanning is much slower than TCP scanning but can be done at the same time as TCP scans to reduce overall scan time.

The nmap application supports many other, more specialized states to scan for - see the nmap documentation for details.

Some common examples of using nmap are the following:

  • Simple TCP port scan (non-root): nmap IP addresses or range

    $ nmap
    Starting Nmap 7.80 ( ) at 2019-09-28 14:21 EDT
    Nmap scan report for (
    Host is up (0.035s latency).
    Not shown: 996 filtered ports
    25/tcp	 closed smtp
    80/tcp	 open	http
    443/tcp  open	https
    8080/tcp open	http-proxy
  • Simple TCP port scan (root): nmap IP addresses or range

    Starting Nmap 7.80 ( ) at 2019-09-28 14:49 EDT
    Nmap scan report for 172,16.100.49
    Host is up (0.040s latency).
    All 1000 scanned ports on are filtered
    Nmap done: 1 IP address (1 host up) scanned in 40.03 seconds
  • Simple UDP port scan (must be done as root):

    nmap -sU
    Starting Nmap 7.80 ( ) at 2019-11-23 13:52 EST
    Nmap scan report for
    Host is up (0.048s latency).
    All 1000 scanned ports on are open|filtered
    Nmap done: 1 IP address (1 host up) scanned in 49.41 seconds
  • TCP SYN and UDP port scan (as root):

    nmap -sS -sU
    Starting Nmap 7.80 ( ) at 2019-09-22 06:21 EDT
    Nmap scan report for
    Host is up (0.010s latency).
    Not shown: 1987 closed ports
    PORT      STATE         SERVICE
    22/tcp    filtered      ssh
    23/tcp    filtered      telnet
    53/tcp    open          domain
    80/tcp    open          http
    443/tcp   open          https
    705/tcp   open          agentx
    53/udp    open          domain
    67/udp    open|filtered dhcps
    514/udp   open|filtered syslog
    520/udp   open|filtered route
    1100/udp  open|filtered mctp
    1900/udp  open|filtered upnp
    34796/udp open|filtered unknown
    Nmap done: 1 IP address (1 host up) scanned in 1632.09 seconds
  • After installing a web server (nginx), TCP SYS scan as root:

     nmap -sS
    Starting Nmap 7.80 ( ) at 2019-09-21 13:25 EDT
    Nmap scan report for
    Host is up (0.022s latency).
    Not shown: 989 filtered ports
    53/tcp   closed domain
    80/tcp   open   http
    88/tcp   closed kerberos-sec
    89/tcp   closed su-mit-tg
    90/tcp   closed dnsix
    443/tcp  open   https
    1080/tcp closed socks
    1233/tcp open   univ-appserver
    1234/tcp open   hotline
    5060/tcp open   sip
    8080/tcp open   http-proxy
    Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
  • After installing a web server (nginx), predictive OS scan (-O) with banners of running services (-sV):

     nmap -O -sV
    Starting Nmap 7.80 ( ) at 2019-09-14 20:48 EDT
    Nmap scan report for
    Host is up (0.011s latency).
    Not shown: 997 filtered ports
    80/tcp	  open	 http	 nginx 1.14.0 (Ubuntu)
    443/tcp   closed https
    20000/tcp closed dnp
    MAC Address: 64:6E:69:3C:92:AE (Liteon Technology)
    Aggressive OS guesses: Linux 2.6.32 - 3.13 (95%), Linux 2.6.32 (92%), Linux 3.2 - 4.9 (92%), Linux 2.6.32 - 3.10 (92%), HP P2000 G3 NAS device (91%), Infomir MAG-250 set-top box (91%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (91%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (90%), Linux 2.6.32 - 3.1 (90%), Linux 3.7 (90%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    OS and Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 19.56 seconds

A good set of example of nmap commands is here, and a simple Google search will give you plenty more!

Manually examining network addresses

The web sites that were discussed in the previous section were both useful and fancy, but you might be from the state of Missouri, also known as the Show Me state. The next few sections provide some useful commands that show how to query different aspects of a Linux, *BSD*, or Mac OS system to make sure that your VPN software is doing something other than still handing out your system's vanilla IP address.


If you can, it's easiest to look at your system's network address before and after you activate the VPN in order to see what (if anything) your VPN software is really changing. If your address is the same before and after, either something is wrong with your VPN and it didn't activate, or it was actually already on and you didn't know that. In that case, try the WhatIsMyIP web site (discussed in the section called “ Using web sites for VPN testing ”) to double-check your public and local IP addresses.


If you are using a browser-based extension to activate your VPN, make sure that it affects your system's IP address for all application, not just for browser communication.

Figure 7.6, “Linux/Mac OS script to look up IP address info multiple ways” shows a good number of cmdline (that is, command line) tests that you can use to get information about the network interfaces and IP addresses that your machine has. The next few sections walk through using some of these to get that information - I just put a bunch of them in the script for your copy-and-paste convenience, and also to show subtle differences in what you get back from different applications and queried locations.

Figure 7.6. Linux/Mac OS script to look up IP address info multiple ways


echo "Ifconfig thinks:"
ifconfig -a | grep '^[_a-z0-9]*:\|netmask'
echo ""

echo "OpenDNS (via dig) thinks:"
dig +short
echo ""

echo "Google (via dig) thinks:"
dig TXT +short | sed -e 's;";;g'
echo ""

echo "Akami (via dig) thinks:"
dig +short
echo ""

echo "Akami (via nslookup) thinks:"
echo ""

echo "BrowserLeak (wget from says:"
wget -qO -
echo ""

echo "Current routing:"
if [[ "$OSTYPE" == "linux-gnu" ]]; then
        route -n
elif [[ "$OSTYPE" == "darwin"* ]] || [[ "$OSTYPE" == "freebsd"* ]]; then
        netstat -nr -f inet | grep -v "Routing tables"
elif [[ "$OSTYPE" == "cygwin" ]]; then
         route print
        echo "  Sorry, I don't know"

Getting network interface addresses

The first step in determining the state of networking on your machine is figuring out what IPv4 network interfaces your system has and what addresses they currently have. I'm looking forward to the day when IPv6 is the primary addressing scheme, but until then IPv4 is where it's at.

You can locate your original IPv4 address with the ifcfg (interface configuration) command.. This command lists the interfaces that exist on your system in a detailed nerdy way, so I typically filter the output using a fancy regular expression to show which of these are actual interface definitions (by beginning a stanza), and which lines contain IP addresses by looking for the associated netmask keyword, as in the following example:

ifconfig -a | grep '^[a-z0-9]*:\|netmask'

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet netmask 0xff000000
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
EHC250: flags=0<> mtu 0
EHC253: flags=0<> mtu 0
	inet netmask 0xffffff00 broadcast
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
	inet --> netmask 0xff000000


In English, the GNU grep command's argument expands to " that matches the beginning of a line followed by any number of alphanumeric characters up to a colon OR lines containing the string "netmask"...". You can either use this explanation to check my nerd fu, or you're welcome.

By scanning this output, you can see that this system's internal IP address is


This address is the system's local address, which is the IP address that was assigned via DHCP when you booted your system, or perhaps your system's fixed IP address if you bought one from your ISP and hardwired it into your networking configuration.

The previous command output was captured on Mac OS, which includes GNU grep as part of the FreeBSD infrastructure behind all the whizzy graphical stuff. To demonstrate that this also works on Linux, here's the same command and its output on a Mofo Linux box (and because it is a different box, it therefore has a different local address or else the network is broken):

ifconfig -a | grep '^[a-z0-9]*:\|netmask'

enp1s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast

Thank God for the FSF, the GNU project, and Richard Stallman! Or maybe they're all the same thing?

Checking your network routing table

The routing table is the internal data that shows the addresses to which packets destined for various types of addresses are forwarded so that they can eventually delivered to the host that they were addressed to, or which is running a specific service for an address family (such as the email service for a domain). It's really not necessary to check your system's routing table when determining if your VPN is working, but it may provide you with some insights into how your VPN software works internally. Knowledge is power, right?

Figure 7.7.  Sample Linux routing table

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   U     0      0        0 eth0   U     0      0        0 vmnet8   U     0      0        0 vmnet1   U     0      0        0 virbr0     U     1002   0        0 eth0         UG    0      0        0 eth0

Figure 7.7, “ Sample Linux routing table ” shows a sample routing table, as displayed by the output of the Linux route command with the -n option, which does not attempt to translate numeric IP addresses into host/domain names. The entries in this sample network routing table have the following meanings:

  • The first route (that is, line) says that IP addresses of the form 192.168.6.X are sent directly to Ethernet interface eth0 - this is because Ethernet interfaces that match this range are non-routable IP addresses which are not routed/forwarded to any other network device (see non-routable IP addresses in the glossary).

  • The second and third lines are for other patterns of non-routable IP addresses that are sent directly to the network interfaces vmnet8 and vmnet1, respectively, which are virtual network interfaces that, in this case, are used for virtual machines on my sample network.

  • The fourth line directs IP traffic for addresses that match 192.168.122.X to the interface virbr0, which is the bridge to the virtual machine network.

  • The fifth line ( is used for Automatic Private IP Addressing, or APIPA. If a DHCP client attempts to get an address but fails to find a DHCP server after the timeout/retry period, it will randomly assume an address from this network. (This explains why DHCP failures result in hosts receiving addresses on this network.)

  • The sixth/last line directs any traffic for addresses that were not matched by any other entry through the Gateway for this entry. The G flag identifies the gateway defined on this line as the default gateway.

Figure 7.8.  Sample, simpler Linux routing table before starting a VPN

Kernel IP routing table
Destination	Gateway 	Genmask 	Flags Metric Ref    Use Iface 	UG    303    0	      0 wlp2s0	U     1000   0	      0 wlp2s0	U     303    0	      0 wlp2s0

Figure 7.8, “ Sample, simpler Linux routing table before starting a VPN ” shows the routing table for a system that I use to surf the dark web (and which therefore is a simpler machine, network-wise) before a VPN has been activated. No virtual machine networking or bridges are present because most dark web surfing systems follow the K.I.S.S. mantra (Keep It Simple, Stupid, which was coincidentally also followed by a band by that name, long ago).

Figure 7.9, “ Sample, simpler Linux routing table after starting a VPN ” shows the routing table for that same system after a VPN has been activated. Note that it's now knee-deep in new tun0 entries, which are the virtual network interfaces that were created in order to support packets traveling over the VPN. (See TUN/TAP in the glossary for a slightly more verbose definition.)

Figure 7.9.  Sample, simpler Linux routing table after starting a VPN

Kernel IP routing table
Destination	Gateway 	Genmask 	Flags Metric Ref    Use Iface	UG    0      0	      0 tun0 	UG    303    0	      0 wlp2s0 UGH   0      0	      0 tun0 UH    0      0	      0 tun0	UG    0      0	      0 tun0	U     1000   0	      0 wlp2s0	U     303    0	      0 wlp2s0 UGH   0      0	      0 wlp2s0

To loop back to the reason why this information is in this section, if a system's network device list (examined via the ifconfig command, as discussed in the previous section, the section called “ Getting network interface addresses ”) contains one or more TUN devices, and the system's kernel routing table contains one or more of the same, there's an extremely good chance that VPN software is installed and running on that system. Whether it's doing the right thing™ is an entirely different matter, which you can usually figure out by:

  1. tracing what happens to standard network packets as they arrive and depart, and

  2. by seeing if your before and after output from the script shown in Figure 7.6, “Linux/Mac OS script to look up IP address info multiple ways” (or from just a single command from that script) differs

The next section contains a short discussion that illustrates the second point in this list.

Checking your true external address

The "final" step in trying to determine whether your VPN configuration is actually working is checking what other (i.e., external) systems see as your system's IP address. The easiest way to do this is use a name resolver to see where requests to your system (by name) are sent. The easiest (modern) way to do this is to use the dig command, as in the following example:

dig +short

This command sends an request for the IP address of the host to the DNS server If this special host is requested, the resolver returns the IP address from which the request originated.

Since the IP address in the output of the example dig command differs from the IP address that was originally assigned to the system's external Ethernet address, my VPN appears to be working. This could also be confirmed by the web-based tools that were discussed in the previous section, especially those that include geo-location information for the system's external IP address information.

Depending on how your VPN software works and which interface it uses, the instructions in this section aren't bulletproof or may at least be too simplistic, but the core point is true - your system's internal idea of its IP address will differ from external systems' idea of your IP address via the VPN.

Chapter 8.  Obtaining, installing, and configuring the tor browser

A big part of cruising any portion of the Internet anonymously is being able to use tools that preserve and promote that anonymity. The VPNs discussed in the previous section don't provide anonymity, but instead focus on increasing your privacy by encrypting the data that you send and receive over the VPN and potentially associating a different physical location to your connection by binding the VPN to a network at another location. To provide anonymity in addition to this, you need a tool that completely hides the relationship between your original and VPN-assigned IP addresses.

Tor stands for the onion router which does exactly that by routing data requests through multiple layers, decrypting and re-encrypting data with each layer as it passes through, and assigning a new IP address to your packet as it exits Tor (oddly enough, through what is known as an exit node). The relationship between you and your VPN connection can still be determined if you have the bill mailed to your house and pay by check, but that would make you a dummy and we'll talk about anonymizing payments later in this document. Software-side, both your privacy and anonymity are assured unless you manage to do something that gives away your secret (i.e. real) identity.

The remainder of this chapter explains how to install the tor browser, how to plug a few holes by configuring the tor browser correctly, and how to start and use the tor browser for all your private, anonymous dark web surfing needs.


I swear to god that I understand that the Tor project develops and ships a customized version of the Firefox web browser that is, perhaps mistakenly, commonly referred to as the tor browser. I am common, and therefore refer to it that way too, and browser customizations are just one of the many great things that the Tor project does. If you refuse to use a Firefox variant for whatever reason, accept the facts that this document said not to do that, you ignored such comments and don't mind possibly (eventually) being arrested, and skip ahead to the section called “ I insist on using some-other-browser.

Tor, good god, what is it good for?

This chapter focuses on using tor as part of your suite of anonymity and privacy applications in order to explore and participate on the dark web. It's quite ironic that tor was originally developed by the US Navy for secure information sharing. I never thought I'd get anything for my tax dollars, but what do you know!

Tor provides benefits to a wide range of people, many of whom use it for widely different purposes. The tor folks have a good deal of information about this on their site, but since you're currently reading this and their information is therefore at least a click away, here are some of the highlights:

  • Secure information sharing - Though originally designed to protect government communications from snooping and interception by our enemies, now that our government is frequently the enemy of any free-thinking citizen, tor is useful to support secure communication between citizens. This includes whistle-blowing and similar actions that could cause an improvement in ethics and morals at the cost of a drop in stock price.

  • Protecting purchasing privacy - Voracious marketeers want to know who sent and read what so that they can market related items or antidotes to those same folks. Tor solves this by obfuscating who looks at what. Problem solved unless you're a business person sitting on top of a million cases of unwanted product.

  • Protecting research and interest privacy - Though you may genuinely be researching AIDS for a paper that you are doing, Focus on the Family and other feeble-minded Nazis probably want to know who you are so that they can kill you "just in case". Tor makes it possible for you to ask uncomfortable questions and study unpopular topics without finding a cross burning` in your lawn.

  • Enabling online surveillance and stings - Anonymity and privacy are coins that can be spent by anyone, even slack-jawed law enforcement Nazis who want to crush anything they don't agree with or which is against short-sighted laws. Everyone means everyone whether or not they have a soul. Be careful - you need more than just tor to be safe!

See the tor site for a much longer and slightly less opinionated list.

Tor in a nutshell

Looking up and connecting to a .onion site is very different than looking up and connecting to a vanilla site. The Tor service (and therefore the to browser) differs from standard/traditional lookups and site contacts in two core ways, which are explained in the next two sections.

Host lookups in Tor

Tor host lookups use DNS differently or not at all, depending on the type of address your Tor-aware application is looking up.

When using the tor browser or just the Tor service, only hosts in domains other than .onion use DNS, and then by forwarding the DNS request to one of the nodes in a Tor circuit (the exit node) for resolution.

Nodes in the .onion domain (known as Tor hidden services or simply "hidden services") follow a different mechanism than DNS to enable Tor-aware applications can find them. They must first announce their existence to nodes in the hidden network, where a substring of their host names is a base32 string of the first 80 bits of the SHA1 hash of the public key of the server. (Yikes! You may want to breathe now.) This is propagated through hidden service nodes to reach being stored in a hidden service directory. At this point, the hidden service can be contacted by looking up an introduction point for that service via the hidden service directories. A rendezvous point is then set up where the hidden service and the target client meet.


The previous paragraph provided a mile-high view of the host name propagation and lookup process for .onion hosts. For more detailed information, see the Tor documentation or the Tor Stack Exchange.

Some companies have posted news relating to DNS-like services for .onion hosts. One of the most interesting is Cloudflare's Hidden DNS Resolver A well-known cloud-oriented company (and therefore 110% network-aware), Cloudflare's entry into supporting other networks is well worth a look to see how it might benefit your networking applications, which might benefit from being able to contact resources on the dark web. A related Tor project is discussed on the Tor Project's DNS Resolver/Server page.


The easiest way to integrate .onion host name lookup into whatever you're doing is to set up a SOCKS5 proxy and route your network traffic through it, as explained in the section called “ Using a SOCKS5 proxy and any browser with the Tor service ”

Tor circuits

As mentioned earlier, one of the primary ways that Tor benefits users is by routing network requests through multiple hosts to improve your chances of anonymity. The hosts though which a network request to a given host or service is routed make up the tor circuit being used by your application/host and a remote application/host to communicate with each other. This routing obscures the real IP addresses that are communicating with each other, and is an implementation of onion routing, which encrypts and then randomly routes communications through a network of tor relays (nodes) that are being run by volunteers around the globe. Communication between each pair of nodes in the circuit is encrypted, which helps guarantee the privacy of your communication along each circuit.

When using the vanilla tor browser, you can display the tor circuit that you're currently using by clicking on the information symbol to the left of the host address. This displays a drop-down that provides details about the Tor circuit that is being used to communicate with the host listed in the address bar, as shown in Figure 8.1, “Displaying a Tor circuit”.

Figure 8.1. Displaying a Tor circuit

Displaying a Tor circuit

Tor remembers the entry and exit nodes being used by the current browser and circuit. If you suspect any nodes has been compromised or communication between nodes is simply taking too long, you can create a different circuit at any time by selecting the tor browser's File -> New Tor Circuit for this Site command.

The only node in a Tor circuit that knows your IP address is the entry node and the relay node that it is forwarding packets to. Each relay node knows the host that it received packets from and the host that it should forward packets to. There are typically three or six relay nodes between the entry and exit nodes in a Tor circuit. The last relay node in the circuit knows the address that it received packets from and the address of the exit node. The exit node finally delivers the packets to your host application or service. Responses traverse the same circuit, but in the opposite direction.

Obtaining and installing the Tor browser


If you're using either the Mofo Linux, Parrot, or TAILS Linux distributions as suggested in Chapter 2, Selecting hardware and an operating system , you'll be happy to know that tor and all of its dependencies are already installed, and you can skip this section.

If your system's package management tool does not enable you to select tor as an installable package, you can always get the latest version from the tor project's download page, as shown in Figure 8.2, “The Tor project's download page”.

Figure 8.2. The Tor project's download page

The Tor project's download page

The icons across the bottom of the screen represent the primary platforms for which the tor project builds its releases in the English language. If none of these are the platform, distribution, or language that you're using, the link at the bottom left of this figure takes you to a page that contains some others that be more appropriate for you.

After downloading a tor release, you'll still want to verify the integrity of what you've downloaded. See the next section, the section called “ Verifying download integrity ”, for information about how to verify the integrity of a download using its signature file.

Verifying download integrity

The gpg utility enables you to verify that the content in the file that you downloaded matches the content of the file as posted on the web by its distributor. It does not verify that the binaries or libraries in file that you downloaded work correctly or contain no bugs. It just verifies that you will see the same features and bugs that everyone else who downloaded the file successfully will see.

In order to verify the integrity of the downloaded archive, you first have to download the public key that the tor project folks uses to sign the archives that they release. You can do this with the following command:

gpg --keyserver --recv-keys 0x4E2C6E8793298290

The output of this command will be something like the following:

gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 289 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2021-03-19
gpg: Total number processed: 1
gpg:               imported: 1

The meaningful lines in this output are the last two, which state that one key was processed and imported.

After importing the key, you should electronically double-check and verify that the fingerprint is correct. The command to do so and its output are something like the following:

$gpg --fingerprint 0x4E2C6E8793298290

pub   rsa4096 2014-12-15 [C] [expires: 2020-08-24]
      EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid           [ unknown] Tor Browser Developers (signing key) <>
sub   rsa4096 2018-05-26 [S] [expires: 2020-09-12]

To get the signature file, left-click on the SIG link below the icon for the platform whose version of tor you downloaded. When the Save File dialog displays, save the file in the same location as the downloaded version of tor was saved.

From a terminal window, change directory to the directory where the tor archive and its signature file were both saved. Execute the following command to receive the following output to verify that the content of the tor matches the hash stored in the signature file:

gpg --verify TorBrowser-8.0.8-osx64_en-US.asc TorBrowser-8.0.8-osx64_en-US.dmg

gpg: Signature made Fri Mar 22 19:45:06 2019 EDT
gpg:                using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

The important part of the output is the good signature line - everything else is gravy that indicates that you haven't certified this as a trusted key, which is outside of the scope for this verification. See the GPG documentation for detailed information about trusted signatures.

Installing and running downloaded Tor

If you've chosen to ignore my suggestions and want to run tor on a Linux distribution other than Parrot or TAILS (where tors is pre-installed), another Linux distribution that packages tor for you and can deliver it though its package management system, or on a Mac OS or Windows system, you will have to install the downloaded version yourself. After downloading tor for your platform and verifying that it is indeed tor, you should fell comfortable enough with it to actually install it, and then run it!

The next few sections explain how to install the downloaded version on another Linux distribution, on a Mac OS system, or on a Windows system.

Installing and running on Linux

Different Linux distributions have their own disciples and adherents, and almost every one of these has a different package management system, each of which has its own way of identifying and resoling dependencies. Therefore, unlike the version of the tor archive for other platforms, the tor archive for Linux contains all of the libraries and other dependencies that must be satisfied for it to run on almost any Linux system, regardless of the distribution that is being run. Since it is self-contained and NP-complete, it can be installed anywhere on your system. I always install it on my desktop (and will do so in the section), but you can install it anywhere that you prefer.

To install the tor distribution for Linux on your Linux system, do the following:

  1. Download the architecture-appropriate tor package, save it somewhere, then run one of the following two commands to extract the package archive:

    tar -xvJf downloaded-archive-name
  2. Change directory to the directory that was created by the previous command (where LANG is the language that was listed if the name of the archive file:

    cd tor-browser_LANG
  3. Move the contents of this directory (thebrowser directory and the start-tor-browser.desktop file, in this case) to the location where you want to install tor (the desktop, in this example):

    mv * ~/Desktop
  4. On your desktop, double-click on the start-tor-browser.desktop file to configure it for the install location. The name of the file changes to Tor Browser as it is configured to run from this location, and the tor browser starts as shown in Figure 8.3, “The tor browser on another Linux distribution”

Figure 8.3. The tor browser on another Linux distribution

The tor browser on another Linux distribution

Congratulations! The tor browser is now installed on your system and can be executed at any time by double-clicking on the Tor Browser icon.

Installing and running on Mac OS

Downloading tor for Mac OS produces a DMG (Disk iMaGe) file, which is a container for an application (the tor browser in this case). Double-clicking this file mounts the disk image on your desktop as a virtual disk, just like a real one, and opens it.

Drag the file from the virtual disk window into your Applications folder to install the tor browser. Eject the virtual disk by dragging the disk image from your desktop into the trash. You can then pin on your Dock by dragging its icon from your Applications folder to a position on your dock.

Double-click the tor icon in your dock to start the tor browser.

Installing and running on Windows

Downloading tor for Windows gives you an executable installer. Double-click the installer to begin the installation process:

  1. The installer displays a dialog that enables you to select the language that will be used during the rest of the installation process. The default language is English. To use another language, click the drop-down and scroll as necessary to select the language used by the installer and click OK to continue. the Install location dialog displays.

  2. The default install location is a Tor Browser folder on the current user's desktop. To change the install location, click Browse, navigate to the new location, and click OK.

    Once the install location displays the full path to the folder where you want to install tor, click Install to proceed. The installer begins the installation process, which displays a progress dialog as files are installed. After the physical installation process completes, the Completing Tor Browser Setup dialog displays.

  3. The Run Tor Browser and Add Start Menu & Desktop Shortcuts items are pre-selected. De-select any options that you do want to execute when closing the dialog, and press Finish to complete the installation process and return to Windows.

    Figure 8.4. Connect to Tor dialog for tor browser on Windows

    Connect to Tor dialog for tor browser on Windows

  4. Exiting the tor browser installer on Windows automatically starts the tor browser's Connect to Tor dialog (shown in Figure 8.4, “Connect to Tor dialog for tor browser on Windows”), which enables you to set network proxy or bridge options related to its execution on systems running in countries where content is censored or blocked in some fashion. To do so, click Configure. When you have set bridge or proxy options (if necessary) and have returned to this dialog, click Continue.

  5. The tor browser starts, as shown in Figure 8.5, “Tor browser running on Windows”.

Figure 8.5. Tor browser running on Windows

Tor browser running on Windows

Congratulations! You've completed installing and setting execution options for running the Tor browser on Windows. Sorry about that Windows thing, but that was your decision and at least you can run tor! DO NOT DO ANYTHING SERIOUS IN TOR UNTIL YOU HAVE INSTALLED AND ARE RUNNING A VPN! Sorry for shouting, but I'd hate to have to visit you in jail.

Configuring Tor


The next few sections explain some additional ways that you may want to configure Tor for alternate security or to fine-tune it is some other way.

Verifying and fine-tuning tor

The Tor project and the Linux distributions that deliver the Tor browser through their package management system provide a version of tor that is configured to provide general, rather than absolutely strict, privacy. Tor can still be further improved, but there improvements often come at a price - slower performance, some web sites may not render perfectly, and so on. Some options and configuration settings that you may want to further tune improve are the following:


It's common practice is to modify your Tor configuration and set your home page to a Tor Status page or to a Tor directory page or search engine page. See Chapter 11, Finding stuff on the dark web for more information about directory pages and search engines.

Figure 8.6. The Tor browser's Configuration (hamburger) menu

The Tor browser's Configuration (hamburger) menu

  • Completely disable JavaScript - (only in extreme cases). The tor browser uses the NoScript plugin to limit, where possible, the usage of JavaScript. To be completely safe from JavaScript leakage of your intellectual property and IP address, you can disable it in the configuration of your Tor browser. Go to about:config and set the javascript.enabled variable to false.


    JavaScript is required to successfully render and use shared style and content in most modern websites, so many surface web sites will not render correctly if disable JavaScript. Only disable this setting if you plan to use the Tor browser to surf both the dark web and surface web, and then only if you are running a VPN and if running JavaScript is truly necessary, such as when a site that you need to visit (and which you know to be safe) requires JavaScript.

  • Set the Tor browser security level - Tor's configuration menu, shown in Figure 8.6, “The Tor browser's Configuration (hamburger) menu”, includes a Security Level section (Figure 8.7, “Configuring Tor security levels”) in which you should select the radio button that corresponds to the highest possible security level that still enables you to visit the site(s) that you want to visit.

    Figure 8.7. Configuring Tor security levels

    Configuring Tor security levels

  • Disable referers - The referer header tells the browser which page you came from, so you may want to disable it for privacy reasons. To do so, enter about:config in the search bar, and change the value of network.http.sendRefererHeader from 2 to 0.

  • Disable iframes - Iframes can be used to spread a malware through your browser. As with JavaScript, iframes are used everywhere, so disabling them is an extreme measure. To disable iframes, go to about:config and disable noscript.forbidIFramesContext by changing its value to 0.

  • Use bridges - Bridges enable you to mask the fact that you are using Tor. See the section called “ Using Tor bridges ” for a detailed discussion of why and how to use bridges.

Becoming a Tor relay

Using tor makes it very difficult to trace the endpoints of your browsing sessions. Tor does this by bouncing connections through a chain of anonymizing relays, consisting of an entry node, a relay node, and an exit node:

  • entry node - only knows your IP address and the IP address of the relay node, but not the final destination of the request

  • relay node - only knows the IP address of the entry node and the IP address of an exit node, but not the origin or the final destination of the request

  • exit node - only knows the IP address of the relay node and the final destination of the request. The exit node is also the only node that can decrypt traffic before sending it over to its final destination

Relay nodes create a cryptographic barrier between the source of the request and its destination. Even if exit nodes are controlled by scumbags intent on stealing your data, they will not be able to know the source of the request without controlling the entire Tor relay chain.

Your privacy is protected as long as there are plenty of relay nodes for Tor to use. You can become a truly good Tor party member if you have the resources to run a relay node. You should only run a relay node on a system that is always (well, usually) up, because it's little use to anyone if it's often down. Relay nodes are therefore usually run on servers as yet another service or on small dedicated systems that are intended for the purpose. It's safe to run a relay node on dedicated ports on a server because relay nodes only receive and forward encrypted traffic and do not access any other sites or resources, so you don't need to worry that running one will allow someone to access other sites directly from your home IP address.

After running a relay node for a day or so, you should probably check if its bandwidth consumption violates any resource limitations that your ISP made you agree to. Doing so will always make your ISP take a closer look at you, which is never a good thing.

Using Tor bridges

As strange as it may sound, improvements in privacy and anonymity are really a team effort. Not just because of the open source movement, but also because people occasionally do "the right thing" and share resources for the benefit of everyone. Tor normally stores the addresses of all its relays in a central directory that any tor software can query to determine a relay to use as part of the onion. However, it didn't take long for privacy-hating maroons to discover that's what's good for the goose is also good for the weasel. Many IT groups use the relay directory as a way to construct filtering rules to block all of those addresses and their related traffic as being used by tor. To work around this, the Tor project introduced bridges, which are simply relays that are not listed in the directory. Using a bridge as the first step in your onion routing makes it more difficult for censors to empirically identify that you are using tor.


At first glance, a bridge seems like something that would be good to use, no matter what. In reality, bridges can introduce performance delays when they are up, and even greater performance delays or outright failures when they are unavailable. Only use a bridge if explicitly required to work around some type of censorship or blocking, or if the system on which you are running the bridge is highly-available, such as a server or dedicated bridge system.

Since Tor bridges are not listed in the relay directory, there have to be alternate ways to identify bridges to those who want to use them. These are the following:

  • Request a bridge address by querying Tor's bridge database.

  • Request a bridge by sending email to with the line “get bridges” in the body of the message. To receive a bridge address via email, you must send that email from an address from Gmail, Riseup, or Yahoo, so that it can be parsed correctly.

  • Configure your host to automatically become a bridge relay, which means that it is not published to the standard relay directory, but is instead published to the bridge directory, from which it address will be given out in response to email queries or bridge database requests.

    To use this mechanism, manually edit your /etc/torrc file to contain just these four lines:

    SocksPort 0
    ORPort auto
    BridgeRelay 1
    Exitpolicy reject *:*
  • Use a trusted bridge address that you obtained from someone

Figure 8.8. The Tor project's bridge integration page

The Tor project's bridge integration page

Figure 8.8, “The Tor project's bridge integration page” shows the page on the Tor project's web site that enables you to download tor and request bridges in the first two of the mechanisms listed previously.

A bridges entry as returned in email or by querying the database ` looks like the following: 4334457EC9AA003BE9085D72A881089E7D502BBD 1C41B62A48C9B86E2D0AA6C27F25D73CCC848D83

Querying the bridge database directly is preferable because it let you choose between bridges of different types, shown in Figure 8.9, “Requesting a Tor bridge of different types” and known as pluggable transports, and because it is secure since solving a capcha is required before you can get the bridge entry. The obfs4 bridge type is the currently-recommended types of bridge, though others are supported and may work better for you in various locations. A bridge definition for a pluggable transport precedes each line with the pluggable transport type.

Figure 8.9. Requesting a Tor bridge of different types

Requesting a Tor bridge of different types

The first time that you start tor, a dialog displays that enables you to select Configure to request and define a bridge or define a proxy. You then select Continue to start Tor with those options. To subsequently reconfigure Tor, you must select the Tor Status icon at left in the address bar and select either the Network Configuration or Proxy Configuration item to display the appropriate dialog to change that aspect of Tor's networking configuration.

Verifying connectivity and resolving timeouts

Like all tools, Tor is great when it works. After you've verified that it's actually connecting to remote sites, the most common problem you'll encounter are resource timeouts, which you can often resolve by fine-tuning its configuration.

  • Verifying connectivity and functionality - As mentioned earlier, you can use the Hamburger -> Preferences -> Home Page configuration item to set your home page to the Tor Project page. If the page displays your IP address and a message that you are connected to Tor, try the Tor Onion page, which lists onion sites run by the Tor project. You can click several of these to ensure that you have no problems connecting to standard Tor sites. (This list may include sites that are down - try a few.)

    Figure 8.10. The Tor check project page

    The Tor check project page

  • Minimizing or eliminating timeouts - A timeout message usually means that the site that you are trying to reach is unavailable, but you can try the following settings to either fix the problem or certainly minimize the chance that Tor itself is the source of the problem. In Tor, enter about:config in the address bar and search for the following settings, making the indicated changes if necessary:

    http.response.timeout 0

Avoiding browser fingerprinting

Browser fingerprinting is a "mechanism" whereby scumbags (that is, tracking companies or TLAs) attempt to identify the sender of packets by miring browser packet metadata, usage patterns, sites visited, and so on. The goal is to find an alternative way of identifying a user or location because the user has been too clever to provide trvial tracking data such as login, other per-site data, an IP address, or a crumpled envelope containing the recipient and the sender's return address.

Figure 8.11. Checking for browser tracking and fingerprinting

Checking for browser tracking and fingerprinting

Figure 8.11, “Checking for browser tracking and fingerprinting” shows the Electronic Frontier Foundation's Panopticlick tracking analysis tool, which performs various tests to assess how well protected your browser is against various tracking and browser fingerprinting attacks. The EFF is a great organization, and this is a great tool! Feel free to make a small donation to them to say thanks.

Some common ways to defeat the active swine who are attempting browser fingerprinting, or at least to make it harder to do so, are the following:

  • Use only the vanilla tor browser as installed and a VPN when surfing the web. Doing so enables you to avoid reading the rest of this section, only using it as a checklist or for educational purposes. Become a privacy and anonymity advocate in your spare time!

  • Use the most common browser possible. You don't have to completely sacrifice your taste and sense of aesthetics, but remember that each browser identifies itself to other web tools via a specific User Agent string. For more precise identification, scumbags can also remotely inspect browser plugins, plugin versions, OS version, screen resolution, and installed fonts on desktop and laptop browsers. There are common sets of these that are often found together on phones, but (as of today), there is little dark-web surfing done on smart phones. Perhaps that should change...

  • Disable JavaScript. While lots of fun and easy to use, JavaScript is to browser fingerprinting as albumin is to the Petri dishes in a lab. JavaScript supports or directly provides most of the tools or functions that people use to query websites for browser, plugin, and font data. Friends don't let friends use JavaScript.

    That said, if you don't want to disable JavaScript because not supporting it in your browser makes too many websites look like crap, at least try running a plugin like Chrome/Chromium's uBlock Origin that does its best to identify the trackers that are hungry for your browsing data and lets you disable it for specific sites or pages if you need to view them "normally" for one reason or another. You can also selectively block popups, large media elements, cosmetic filtering, and remote fonts, or even enable JavaScript on a specific page. However, always remember that the JavaScript gun is loaded - don't look down the barrel to check for bullets.

  • Disable Flash. Flash has always been the plugin environment with more holes than a colander, so it should be no surprise that its API has been exploited for many evil purposes, including advertising and fingerprinting. Turn it off!

  • Use as few plugins as possible, verify them, and make sure that you really need them long-term. It's hard to control yourself when you find some bright and shiny plugin that promises to do exactly what you wanted to do once. In a previous life, I used to accumulate plugins in case I ever had to do that task a second time. Nowadays, the notion that such a plugin exists is enough for me and, because I'm rightfully paranoid, I install one-shot plugins only for as long as I need to use them.

  • Change footprint data frequently. A fundamental part of the data that makes up your browser footprint is the user-agent string. This variable identifies the type and version of OS browser that you're running. Changing this string to "Chrome 32 on Windows 10" is great for giving you a substantially different footprint. It's also useful for testing the compatibility of pages and sites with specific browsers and versions. Even though you may feel sick to your stomach when claiming that you're running some version of Windows, pretending to be a dummy can certainly mask your true identity (as far as browser fingerprinting goes).

    I've used and been happy with User-Agent Switcher for Chrome and User-Agent Switcher and Manager for Firefox, though several others exist. You can also change the User-Agent string in Microsoft Edge, but I think that an easier way to do that is to install and use Chrome, Chromium (many flavors), Iridium, or Firefox.

  • Disable Canvas API fingerprinting. Like the User-Agent variable component of standard browser fingerprinting, the Canvas API provides calls that are often misused for simple fingerprinting purposes. This is a JavaScript API, so if you've turned off JavaScript, you're already safe. You can explicitly block the Canvas API by using the CanvasBlocker extension for Firefox or the Canvas Defender for Chrome.

The BrowserSpy page provides some interesting insights into the information that can be collected from a browser after visiting many different pages, each of which probes for something different.


If you've heard of a Firefox browser extension named TorButton and are wondering why the hell I didn't mention it, that's because it's no longer supported by the Tor folks. See their documentation for the official statement.

Developing good, paranoid browser habits

This section provides some tips for securely browsing the dark web, as well as some environmental tips for using and testing your browser (your computing environment, that is). Some good habits to acquire are the following:

  • Use the Tor browser exclusively. Even if it is possible to make every browser connect to the Tor network, it is recommended to use the Tor browser that is fine tuned with this purpose in mind. The other browsers, in fact, all have issues with their configurations that could lead to the leakage of your identity.

    If you insist on using some other browser than the Tor browser, see the section called “ I insist on using some-other-browser for some suggestions on how/if you can do that.

  • Never use the Tor browser to log in on any surface web or other clearnet site with any browser identity other than the one that you use to browse the dark web. Mixing your online identities will eventually make it easy for some TLA snoop to establish a relation between them and may make it easy for them to track you down at your physical location.

  • Don’t torrent over Tor. It is well known that the torrent file-sharing applications can ignore proxy settings, giving away your real IP to the external world. A further reason, is that torrenting over Tor can heavily slow down the entire network.

  • Consider using a non-caching web proxy such as privoxy as a front-end to the Tor browser to improve support for and integration of pluggable transports and thereby protect Tor traffic against DPI (Deep Packet Inspection).

  • Use the NoScript browser extension to ensure that you disable JavaScript support. JavaScript is well-known for leaking IP address information, which will eventually leak you IP address information to someone. However, even the vanilla NoScript extension whitelists JavaScript for several domains. The ultimate way to quickly and fully disable JavaScript is to go to about:config, find the javascript.enabled variable, and set it to false. (You should still use the NoScript extension, JIC.)

  • Integrate VPN startup into your login process so that you are always using a VPN.

  • Use the HTTP Everywhere browser extension. The HTTPS Everywhere plugin forces websites to use HTTPS, if possible. This results in using end to end encryption.

  • Don’t enable or install extra browser plugins. Other plugins could leak your real identity.


    If you are ignoring me and running other browser extensions anyway, make sure that you are not running any (cough FoxyProxy cough) that enable the tor browser to circumvent the DNS settings that are automatically configured by Tor. You want to be SURE that you are doing DNS lookups as configured by Tor, and not using your system's /etc/resolv.conf before or rather than the Tor network's DNS service.

  • Don’t open documents that you downloaded with the Tor browser when you’re online. Such documents might contain links that connect to a website without passing through Tor, and could reveal your identity if you are not actively running the Tor service and proxying everything.

I insist on using some-other-browser

Hello, my name is Bill, and I am a Chrome fan. There, I said it. Therefore, I don't blame people who prefer using another browser than Firefox or a variant thereof. OTOH, the tor browser, a Firefox variant, is customized and configured to provide guaranteed privacy (as much as possible). It is designed to work when surfing the web in general, and specifically understands .onion addresses and has a cool DNS-alternative to make it possible to easily surf the dark web.

Other browsers can be made to work with Tor by setting up a SOCKS5 proxy, starting tor as a service, and then starting the alien browser. If you're running a VPN, you appear to be safe according to the Tor checker but that doesn't mean that you're not leaking your real IP address like a sieve or giving away other info that paints a big target on your identity and location. The ultimate test would be to do something really stupid like buying drugs and a bazooka and shipping them to the home of someone you don't like. If they get arrested and you do not, then you're safe. If both of you get arrested, you have an enemy for life, and I hope that you get separate cells.


Do not do this!

Do not follow the instructions in this section unless you are wizardly and understand the implications of IP and DNS leaks, deep packet inspection, 5/9/14 Eyes, the NSA, the tragic and misguided falsehoods of the DEA, and the real horrors of spending time in jail. I believe the tips and tricks presented in the next few sections to be correct and sufficient, but I rarely use them. That's what the Tor service and the tor browser are for. It could be that I've connected to honeypot city and just haven't been busted yet. Maybe once this document is more widely spread... Hey, that's not meant as a challenge!

Figure 8.12. Danger, Will Robinson, Danger!

Danger, Will Robinson, Danger!

Opening .onion links in vanilla Firefox

Firefox's default mode is to actively block .onion host names from being sent to DNS for resolution. However, any recent version of Firefox can be made to attempt to handle .onion addresses by going to about:config, accepting the risk of turning low-level knobs (as shown in Figure 8.12, “Danger, Will Robinson, Danger!”, and double-clicking the network.dns.blockDotOnion configuration variable to toggle it to false. Voila! Your browser can now attempt to handle .onion sites as well as all the traditional ones! But more has to happen before you can actually open one... skip to the section called “ Using a SOCKS5 proxy and any browser with the Tor service ” for the exciting conclusion of this story...

Opening .onion links in Chrome

Unlike Firefox, Chrome's access to .onion sites is either enabled by an extension, by accessing sites that rewrite the .onion URLs so that you can use regular DNS to contact them, or by proxying. Proxying is the only one of these that forwards packets to the Tor service, and therefore the only "safe" one. If you want to use Chrome via proxying, skip ahead to the section called “ Using a SOCKS5 proxy and any browser with the Tor service ” unless you're curious about a less-safe, but perhaps more convenient way to continue to use a browser other than the tor browser.


The Tor project formerly provided a graphical application named Vidalia as a bridge, relay, and client, the last of which enabled other network applications to be routed through the Tor service. Because of the complexity of configuring Vidalia for the various roles, Vidalia was first split into separate installable pages for a relay, bridge, and client, and was eventually discontinued as more and more functionality was subsumed by the tor browser and support for the Tor service's SOCKS5 proxy was improved.

The majority of the Tor support that is available for Chrome involves rewriting URLs (which actually work with any browser). I'm listing them here in case you simply want to look around on the dark web rather than buying an AK-47 and having some strange fun with that. The approaches that involve rewriting URLs are the following:

  • - enables you to surf .onion sites just like those with more familiar extensions. As they themselves say, " sacrifices client-anonymity for convenience.". lets you visit .onion sites from the clearnet (without your having to run tor), taking you to that site just like a typing a URL in the address bar. The folks who run this service also provide a Chrome extension to automagically do the same thing for you.

    Figure 8.13. Successful connection (check url!)

    Successful connection (check url!)

    Unfortunately, the Tor2web service often cannot proxy communication with the .onion site and get a response quickly enough, instead displaying the screen shown in Figure 8.14, “'s animated timeout page”. This page displays a nicely animated onion graphic as a small consolation.

    Figure 8.14.'s animated timeout page's animated timeout page

  • - enables you to append various domain names to the .onion URL, which tells the Tor2web service that is listening on *, *, *, *, and more, which then strip everything after .onion, forward the remaining .onion host to the onion service via Tor, and relays any responses back to you.

    I have had mixed results from this service, more often seeing Figure 8.15, “Tor2web connection failure” than the remote web site. As they say, "Using Tor2web trades off security for convenience and usability." Like, Tor2web is very convenient to use when checking an information-only site on the dark web, but is not the mechanism to use for a last-minute order of your favorite drug when you're running low.

    Figure 8.15. Tor2web connection failure

    Tor2web connection failure

Using a SOCKS5 proxy and any browser with the Tor service

Traditional Internet activity depends on using DNS, a local database, or the text file /etc/hosts to find the IP address that is associated with a host. Hosts with the .onion suffix use a completely different key and rendezvous point mechanism, and do not use DNS.

The process that Tor uses to resolve .onion host names into IP addresses is every bit (sorry!) as complex as you would think, and is therefore hard to replace or emulate, A much easier solution for resolving and contacting .onion hosts is to let Tor do it no matter what browser you're using. You can do this by setting up a SOCKS5 proxy/tunnel so that all TCP traffic is routed through the Tor service so that it can be both encrypted and handled if necessary. Setting up this type of proxy was explained in the section called “ SOCKS 5 tunnel for tor ”, but is explained here in a slightly different fashion because it's buried in a script for convenience.

Figure 8.16.  Tor startup and SOCKS5 proxy script for MacOS

#!/usr/bin/env bash

# 'Wi-Fi' or 'Ethernet' or 'Display Ethernet'

# Ask for the administrator password upfront
sudo -v

# Keep-alive: update existing `sudo` time stamp until finished
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

# trap ctrl-c and call disable_proxy()
function disable_proxy() {
    sudo networksetup -setsocksfirewallproxystate $INTERFACE off
    echo "$(tput setaf 64)" #green
    echo "SOCKS proxy disabled."
    echo "$(tput sgr0)" # color reset
trap disable_proxy INT

# define proxy
sudo networksetup -setsocksfirewallproxy $INTERFACE 9050 off
# turn me on, dead man
sudo networksetup -setsocksfirewallproxystate $INTERFACE on

echo "$(tput setaf 64)" # green
echo "SOCKS proxy enabled."
echo "$(tput setaf 136)" # orange
echo "Starting Tor..."
echo "$(tput sgr0)" # color reset


This script was not written by me (but is used by me). The script is from the excellent article at Simple Tor setup on macOS.

After running this script, using the Chrome browser to visit our beloved Tor check page displays the screen shown in Figure 8.17, “Checking Crome and the SOCKS5 proxy”. Hooray! My favorite line is "However, it does not appear to be [the] Tor browser." The project folks who designed that page seem to have thought of everything.

Figure 8.17. Checking Crome and the SOCKS5 proxy

Checking Crome and the SOCKS5 proxy


The Linux version of Figure 8.16, “ Tor startup and SOCKS5 proxy script for MacOS ” and a discussion of both are coming soon, but you should really just use the tor browser.

Browser tips for any browser or browser combo

  • Completely segregate your browser use and site/browser logins depending on what you're doing in the different browsers:

    • Never use the same browser to log in on any surface web or other clearnet site that you use to browse the dark web.

    • Never use the same browser identity in multiple browsers, even though they are different browsers. Mixing your online identities in the dark web and clearnet browsers may eventually make it possible for some TLA eavesdroppers to draw a line between them and may make it easy for them to track you down at your physical location.

  • If you're using Firefox as your other browser, make sure that the Privacy & Security section of the browser preferences is configured not to save cookies and site data across browsing sessions, enables strict content blocking, does not save logins and passwords, and does not remember history. This is just plain smart to do so in case your machine is ever lost, stolen, or seized. Your filesystems are encrypted anyway, right?

  • Don’t open documents that you downloaded with Tor when you’re online. Such documents might contain links that connect to a website without passing through Tor, and could reveal your identity.

Chrome by day, chromium by night

Eeryone knows that Google developed and released the Chrome browser out of the goodness of their heart, right? If that's the case, that bridge that I've been trying to sell you throughout this document is still available. Google is a great company, but their corporate "do no evil" slogan has gotten a bit tarnished and timeworm over the years, as the reality of being a corporate entity has crept in further and further. Chrome is still my favorite browser, but it simply has to be more advertising aware than any other Linux browser to better support the corporate feeding trough, also known as advertising.

Luckily, because Chrome is open source, the Chrome source tree also gave birth to the Chromium broser. Chromium is Chrome with the branding and non-essential "phone home" functionality stripped out. All of the usability with none of the built-in identity-leakage is a hard combination to beat!

If you decide to use Chromium rather than Chrome, the first thing that you may want to do is to import your bookmarks in HTML formet from Chrome into Chromium. To do so:

  1. In Chrome: Select the hamburger icon (AKA the vertical ellipses at far right in the URL/extensions menu bar), select the Bookmarks menu item, and select the Bookmarks Manager command. Once the Bookmarks Manager screen displays, left-click its hamburger menu and select the Export bookmarks menu command. Specify the location to which to save your bookmarks in HTML text format, and click Save. Voila!

  2. In Chromium: (This command sequence will be a big surprise!) Select the hamburger icon, select the Bookmarks menu item, and select the Bookmarks Manager command. Once the Bookmarks Manager screen displays, left-click its hamburger menu and select the Import bookmarks menu command. Specify the location from which to load your bookmarks in HTML text format, and click Open. Voila!

Importing bookmarks from another browser is always a good point at which to review those bookmarks and winnow them dowb so that they only contain the booknmarks that you really need, as opposed to the "oh yeah, that might be interesting someday" bookmarks that always bloat mine, but you may be more deterministic than I. If you insist on surfing the dark web from the same desktop system that you use during the day, at least:

  1. Log out of the computer system that you are using and log back in as another user as whom you surf the dark web.

  2. Makesure that you are running your VPN software and start it if you are not.

  3. Make sure that you are connected to the VPN and conect to it if you are not.

  4. Start the Tor browser and use it to connect to the dark web.

Chapter 9.  Creating secure email and alternatives

A secure email account is useful for lots of things, including establishing a new online identity based on your new expectations of privacy and anonymity, ordering things that you don't want to be traceable back to you personally, and so on. The key here is not creating a new account that is untraceable to you because of a a generic name like "John Doe" (though that's fine to do), but rather creating an account that can't be tied to you in any way and is secure from outside access or intervention. As long as you can access it, you can then do whatever you want through it - it's all yours and only yours.

The remainder of this chapter discusses the process of creating a secure email account that is not associated with any of your previous account information. This helps guarantee the security of the email that you send and receive except while that email is in transit. This chapter therefore then discusses encrypting and decrypting email so that your mail is even secure while being sent or received. The chapter concludes by discussing disposable email services that give you a temporary account which you can use to receive initial email about any other account or service, but which you don't want to go to an account that can be traced back to you, and is also mail that you don't want or need to permanently preserve. I'm not suggesting that you use such an account to threaten the president to to send him pizzas, but...

Creating a secure email account

A secure email account in the dark web context has two basic characteristics:

  • The account is anonymized - none of the account information ties back to a personal account that is in any way related to you (names, address, phone, email, etc.)

  • The account is secure - password-protected, the mail system supports end-to-end encryption, no logs are kept, the system is not headquartered in a 5EYES country (see the section called “ What is 5 EYES and why do they suck? ” for more information), and so on.

Some well-known free providers of secure email services are the following, in order of my personal preference from the voice of experience:

  • - a secure surface web and onion email provider headquartered in Switzerland, Protonmail provides end-to-end encryption and hardware-level security with no provider access to user date. The free level provides 500 MB of storage and one email address, with a maximum of 150 messages per day. Other levels (Plus, Professional, and Visionary) have actual costs, but also provide increasing amounts of all of these plus the addition of custom domains for sending/receiving email.

    Figure 9.1. The Protonmail secure email provider

    The Protonmail secure email provider

  • - a secure surface web email provider headquartered in Israel, supports the POP3 protocol to receive non-encrypted emails, or the POP3 SSL/SMTP SSL or IMAP SSL/SMTP SSL protocols for end-to-end encryption. The free level has interesting limitations such as 200 email messages per folder is 200, a maximum number of 10 folders per account, and 3MB of total storage. Safe-mail is the purchasing entry point for private and business email pages with increased or unlimited amounts of all of these, multiple levels of secure document storage, plus many add-on services such as additional security, backup and disaster recovery, calendaring, chat, bulletin boards, and much more.

  • Mailfence - a secure surface web email provider headquartered in Belgium, Mailfence provides a secure and private email service with browser-side encryption and full support for OpenPGP and digital signatures. Mailfence supports secure document storage, The free level of Mailfence supports 10 MB of attachments and 500 MB maximum mailbox storage, with increasing levels of each for the Entry and Pro service levels that cost real money.

  • - a secure surface web email provider headquartered in Iceland, Unseen supports end-to-end encryption, file sharing, and full support for OpenPGP for email and other encryption mechanisms for audio/video encryption, including some that are apparently proprietary. Messages sent to non-Unseen hosts using proprietary encryption mechanisms t5hat are not supported by the recipient's system will be sent in the clear. The free level of Unseen supports sharing files of up to 50 MB, and a reasonable amount of message storage. The premium version supports 2GB of storage, sharing files of up to 40GB in size, and group audio/video calling.

If you plan to purchase anything on the dark web, especially something that is illegal or questionable legal in the eyes of gap-toothed, self-righteous morons who don't understand victim-less crimes, you MUST use an anonymous email account based outside the USA and other 5EYES moron countries. Actually, you don't have to if a stiff fine, jail sentence, and 6x8 foot locked concrete cell are your idea of a good time - like any choice, it's up to you.

Encrypting and decrypting email

Most of the mailers discussed earlier in this document support end-to-end encryption, which means that the email is encrypted while it is in flight, that is, while it is in transit from sender to receiver. Only the intended recipient can decrypt and read the message. No one in between can read the message or tamper with it. End-to-end email encryption provides the highest level of confidentiality and protection for email communication.

End-to-end encryption is typically done via key exchange, which requires both sender and recipient to have a pair of cryptographic keys, one private key and one public key. The sender encrypts the message locally on their device using the recipient’s public key. The receiver decrypts it on their device using their private key. The canonical example of this is the following:

  1. Alice (sender) and Bob (recipient) both generate their key pairs and share their public keys with each other. They keep their private key ‘private’ as the name suggests. You only need to generate your keys once when creating an encrypted email account.

  2. Alice encrypts the message using Bob’s public key in her device and sends it to Bob.

  3. Bob receives the encrypted message on his device and decrypts it using his private key.

With real end-to-end encryption, also called “client-side encryption” or “zero access encryption”, all encryption and decryption happen on the users’ devices. End-to-end encryption thus prevents any intermediary from reading email or other user data and guarantees the confidentiality of the data much more than SSL/TLS or mechanisms such as STARTTLS.

Figure 9.2. Getting a user key for transaction messages

Getting a user key for transaction messages

Messages associated with commercial transactions on the dark web are typically sent encrypted in this fashion to avoid snooping. As seen in Figure 9.2, “Getting a user key for transaction messages”, a link near the center of the form (in the blue region above the Trade Method label) enables you to retrieve the seller's key, which you use to encrypt your message as described in the rest of this section. A user key is part of the user profile information in this transaction system, as shown in Figure 9.3, “User key as part of user profile”.

Figure 9.3. User key as part of user profile

User key as part of user profile

The next few sections discuss how to work with encryption keys from the command-line. Each mail application on each platform has its own special way of working with keys and encrypting and decrypting messages, but the command-line version of the OpenPGP tools can be executed on every platform and operating system. The GNU version of OpenPGP is called GNU Privacy Guard, and the command-line examples used in these sections help to make it clear what things are going on under any platform-specific and graphical covers.


This chapter uses the terms OpenPGP and GNU Privacy Guard interchangeably, though they are different software packages from different organizations. Sorry - that's how cheapos like me think of them. I also apologize profusely to Phil Zimmerman, the kind-hearted genius who developed PGP and gave a chance for privacy back to all of us.

Generating a public/private PGP key pair


To generate a new public and private key pair, do the following:

  1. Log in to your system. If you know that you have existing keys and want to reuse them, or don't have any keys yet, skip to the next step. To back up and clean up your existing keys, use the following commands:

    cd $HOME
    cd .ssh
    mkdir OLD
    mv id_rsa OLD
    cd $HOME
  2. Execute the following command to generate your new OpenPGP keys:

    ssh-keygen -t rsa -C ""

    You should replace the address "" with the primary email address that you will use on the dark web. The people to whom you send encrypted email will need to know this address in order to specify which key to use to decrypt your email.

  3. Depending upon the platform, software manufacturer, and software version that you are using, the ssh-keygen application may prompt you for items such as the directory location and filename for your keys, a passphrase to use to help protect your keys, and to move the mouse to help truly randomize your keys.

When the prompt re-displays, your new keys have been created and stored in the default location.


If you are unsure whether you have already added a user's public key to your keystore, use the gpg --list-keys command to list the contents of your keystore and use the grep command to scan the output for the user's email address (or whatever else you may have used as an index.

Encrypting a message using a public key

Encrypting a message from the command-line is simple. All you have to provide is:

  • an option identifying the operation that you want to perform (--encrypt)

  • the name of the recipient (to look up the recipient's public key in the keystore)

  • the name of the file containing the input message

An example of a command to do this is the following:

gpg --encrypt --recipient sample-mail.txt

By default, the name of the output file that is produced is the name of the input file with the .gpg extension appended.

Depending on the type of platform you are using, you may be able to skip specifying the input file, and use shell redirection ('<') to identify the source of the input text. Since the name of the output file is created from the name of the input file, in this case you would also have to identify the name of the output file. The following is an equivalent command using shell redirection:

gpg --encrypt --recipient < sample-mail.txt > sample-mail.txt.gpg

The gpg command's support for redirection makes it easy to integrate the command into graphical mail clients.

Importing public user keys to your keyring


OpenPGP and application such as gpg that adhere to it standard, store public keys in a database that is cleverly known as a keystore. Keys stored in the keystone are hashed on the owner name to improve lookup speed.

Adding a key to the keystore requires two arguments to the gpg command:

  • an option identifying the operation that you want to perform (--import)

  • the name of the file that contains the public key that you want to import

An example command to import a key is the following:

gpg --import input-filename

Encrypting a message using a GUI

An easy way to encrypt a message based on a public user key is to use one of the web-based tools to do so. My favorite, shown in Figure 9.4, “A GUI for PGP Encryption”, is iGolder's PGP encryption tool.

Figure 9.4. A GUI for PGP Encryption

A GUI for PGP Encryption

Using a form like this one is convenient when you are, for example, encrypting your address and any instructions to the seller as part of a darkweb transaction, as discussed in Chapter 13, Buying and safely paying for stuff .

To use the form shown in Figure 9.4, “A GUI for PGP Encryption”:

  1. Copy a user's public key (such as a seller's) from another form to the PGP Public Key field.

  2. Type or paste your message into the Message to Encrypt field.


    Because I am lazy and a poor typist, I keep my shipping address in a text file that I can simply copy and paste into text fields such as this.

  3. Click Encrypt Message.

  4. Copy the contents of the Encrypted Message field into the appropriate form that you will be using to submit your encrypted message.

Decrypting a message

Messages that are intended for you (or were created by you) can be read by you using either your public or private key. The gpg command to do this requires two options:

  • an option identifying the operation that you want to perform (--decrypt)

  • the name of the file that contains the public key that you want to import

An example command to decrypt a message is the following:

gpg --decrypt message-filename

If only these options are specified and you have used a passphrase to protect your key, you will be promoted for the passphrase and, if correct, the decrypted message is displayed. To quote the folks at SSH.COM, a passphrase differs from a password in the following way:

A passphrase is similar to a password. However, a password generally refers to something used to authenticate or log into a system. A password generally refers to a secret used to protect an encryption key. Commonly, an actual encryption key is derived from the passphrase and used to encrypt the protected resource.

You can also specify the passphase by using the --passphase option.

Payment for my Heroin Order

See how your eyes were drawn to that title? Even if you're using encryption or an anonymous mail system, there are still a few things that you should remember in order to send messages that fly under the radar.

As the title of this section suggests, encrypted email does not encrypt the subject of the email message, so make sure that your subject line is something like "Jesus Loves You", rather than something that might alert a scanner or surveillance system that something is not up to snuff in your message. If tobacco is illegal or you are a minor, you probably shouldn't use the word "snuff", either.

If you're going to encrypt any of your email from one of your email addresses, you should probably encrypt all of it from that address. Only encrypting some of it from an address is the same as attaching a label to those messages that says "I wanted to hide something in this message." On the other hand, encrypting all of your mail from an account could raise a similar flag, but if you're using a VPN, a truly anonymous mail system, and encrypting everything, you'll probably just cause someone a migraine. Good for you!

Using a disposable account for notification

A disposable email provider is a password-free email provider that provides pre-defined accounts, accepts mail to those accounts and deletes that mail after a specified period of time. Disposable email providers are therefore perfect for receiving mail when you do not want or need that mail to be associated with any existing account of yours, even if that account is a secure account. The fewer places for cross-contamination, the better.

For example, when creating an account that gives you access to some service, like an account with an email provider, the account creation process typically involves providing an email address at which you can receive mail about the account. When the account creation process for the new service generates a password that enables access to that service, it typically sends that password to the specified email address as part of a "Welcome" message.

Examples of disposable email providers that you may want to use are the following:

  • Guerrilla Mail - visiting the site generates a random email address without requiring registration. You can also choose your own address. Email is deleted 60 minutes after receipt, whether read or not.

    Figure 9.5. The Guerrilla mail disposable email provider

    The Guerrilla mail disposable email provider

  • ThrowAway Mail - ThrowAway Mail generates a temporary email address and Inbox for you, which continues to exist for 48 hours beyond the last time you use it. Cookies and JavaScript are required in your browser to use this service.

  • - Temp Mail provides a temporary, secure, anonymous, and free email address. Email sent to this address us deleted after 10 minutes.

  • - provides a free throwaway email address that is temporary, transient, and disposable. The Inbox can contain up to 10 messages, and is cleared when no message is received within 24 hours.


    MailDrop does not allow any email messages that have to do with illegal activity in your country, state, city, or region, and also has very active spam filters. If your email is about the "Stealing Drugs" song by The Marijuana Mercenaries, you may just as well delete it yourself and save MailDrop the trouble. If you don't want your mail to be scanned, look elsewhere.

Chapter 10.  Hiding files, directories, and partitions

Using a computer for whatever you do generally involves creating and storing data of some sort - even gamers need to save high scores. Whether you're writing personal letters to friends and family, saving unpopular political manifestos, or keeping a record of whatever you've bought on the dark web, this is all stuff that you don't want randoms to be able to see. Sure, they have to get access to your computing device to be able to see it. However, that's rarely a problem for jackbooted thugs from some TLA who just kicked open your door or crashed through a window and are now holding you and your computing devices at gunpoint. At that "point" (pardon the expression), you are "free" to give them access to your data either before or after your first few waterboarding or electric shock sessions. Lucky you! Remember, security is a pain until it saves you from loss or jail.

We all know how files, images, and whatever else are stored on a computing device. A hierarchical set of directories, each containing related files, yada, yada, yada... The way you store things is up to you, but the same hierarchy that helped you organize things is probably going to be similarly useful to Adolph TLA in seeing what you were doing and when you were doing it.

The remainder of this section discussed some common Windows, MacOS, and Linux block device encryption strategies for disks, partitions, and more. It concludes with sections explaining how to create a hidden volume inside a filesystem, how to hide its existence, and how to mount and use it.

Block device encryption strategies


The title of this section refers to block devices, which is what disks, partitions, and files that look like them are. Block devices are accessed/addressed by raw storage chunks (blocks, whose size depends on the device and device driver) rather than being accessed some number of characters at a time, like traditional files.

One way to protect yourself from letting Joe Hitler be able to read all your personal data is to encrypt everything. the section called “ Encrypting and decrypting email ” already explained how to do that in the context of email, and encrypting/decrypting your files one-by-one with PGP (Pretty Good Privacy) is pretty much the same thing. Sadly, doing that is still a PITA and isn't even that useful if the machine they've seized contains your private keys. Windows and MacOS systems both feature built-in encryption tools that are only a menu click away and enable you to password-protect your files, but giving up your password may only be 10,000 volts away. The government or your competitors would never do that, of course - and if you believe that, I can give you a great price on the Brooklyn Bridge as soon as you help my Nigerian cousin get a few million bucks out of the country.

A far easier method is to store your data on encrypted volumes that you mount in certain places. If you're a Linux fan, you've probably used LUKS (Linux Unified Key System), which encrypts partitions and enables you to specify a password when you mount them. This protects the entire partition but is pretty easy to detect:

  • If you encrypt an entire partition that holds a entire well-known directory hierarchy like /home and that partition is automounted, the system will prompt for a password when it is booted and sit there until you supply the password. So will Mr. TLA.

  • If you encrypt an entire partition containing some non-LSB (Linux Standard Base) partition that is mounted somewhere on demand (at which point you're prompted for the password), the partition is identified in /etc/fstab, which makes it fairly trvial to spot. 10,000 volts, here we come - plus, the TLA dweebs are even more curious now because you've tried to hide something (and done a pretty shitty job of it, so they're sure that the can outwit you).

  • If you encrypt an entire partition and don't list it in /etc/fstab, the TLA dweebs will probably notice that you can only account for 200 GB of partitions on a 500 GB disk. From there it's only an sudo fdisk -l disk-device or an sudo lvdisplay -m command (or some equivalent) away from identifying the hidden partition or logical volume and forcing you to mount tt at gunpoint or while holding your breath underwater.

This all assumes that you'll fold like a cheap suit when threatened. You may be more resistant to electric shock, partial drowning, or some number of years in jail than I am, I don't know. Privacy and protecting the intellectual property of your business are perfectly good reasons for security through encryption, but you'll have a hard time convincing some an airport security rocket scientist that you're not hiding kiddie porn. Those guys don't make minimum wage for nothing!

The preceding material treated your computer as, basically, a single-user system, which is pretty accurate nowadays. On multi-user systems, you still have encryption options at the user level, like encrypting each user's home directory when you create their account. That way, users can't look at other users' data even if they have the root password to defeat directory-level non-permissible file protections. If such a multi-user system is stolen, each user's password is different, and thus each home directory is separately encrypted. (I'm going to ignore the multi-user case from now on since it's 2019 and the last VAX 11/785 was gutted and made into a nerdy closet long ago.)

Encryption is a always good idea to protect your data if your machine is stolen, but is pretty obvious at the disk or partition level. If you want to try to protect your data against being discovered if your machine is seized, you have to be a bit more clever. I take the following approach to help safeguard my private data in this, single-user case:

  1. Optional: Use LUKS to encrypt the whole disk except for a small /boot partition. - I rarely do this in the single-user case because (1) it interrupts the system's boot process until the password is entered, (2) when there only is one user, it's functionally equivalent to encrypting the user's home directory, (3) if you're using logical volumes, you're already stacking disk and partitions and therefore slowing the system down slightly, and (4) it slightly slows all writes to anywhere on the system, including the creation and use of temporary files by the system or by applications.

  2. Encrypt home directories as they are created - I do this to protect the privacy of the user's data in case the system is lost or stolen. Logging in as the user allows read/write access to the data in their directory and any public areas.

  3. Use VeraCrypt to create a real and a hidden volume that are mounted on demand - The hidden volume is where the user's most private data is stored. As I'll explain later in this chapter, this type of volume is reallocated but hidden, and the volume that you create actually contains two volumes that are selected between by mount password - a placebo volume containing arbitrary files that makes it appear that the volume does not also contain another, truly hidden volume. You can even put mounting the placebo volume in /etc/fstab, just never supply the hidden volume's mount password in response to any police or TLA "request", no matter how many volts accompany it.

When stacking encryption and other abstractions (like logical volumes), make sure that you understand the performance impact of doing so. Each level of encryption that you add increases the time that it takes to access content, sometimes exponentially, For security and privacy purposes, it might be amusing to nest encryption models like Matryoshka or Babushka dolls, but it will definitely be slower than normal.


For the love of God, USE STRONG PASSWORDS! Now that we're talking about serious local system topics, the strongest file, directory, volume, or partition security possible doesn't do much good id your password is "qwerty", "123456", "password", or even "god". No one who is reading something like this would even consider using passwords like those, right? I thought not, but felt compelled to say it anyway. If you do use passwords like those and refuse to change, save yourself some jail time by blowing your brains out now.

VeraCrypt kicks ass, er, is great!

Aside from being cross-platform yet compatible with each system's disk/partition/volumrme management system, VeraCrypt's coolest feature is its ability to create a hidden volume where you can store you most private data - for example, any evidence of illegal purchases or thought-provoking documents. I am not slyly referring to kiddie porn. If you're into that, I spit on you and would appreciate it if you delete this document before reading any further.

For the rest of us, VeraCrypt has this amazing cool mechanism where you create a standard password-protected VeraCrypt volume that contains a hidden password-protected VeraCrypt volume. The password that you supply at mount-time determines which volume is mounted. Because VeraCrypt volume data is stored in an apparently random fashion, it is impossible to tell that what appears to be free space in the enclosing volume is actually a hidden volume plus free space. Figure 10.1, “VeraCrypt hidden volume layout” show this graphically, in case I was just too excited to explain it clearly. (I have been told that some people prefer pictures to words - I just don't get it.)

Figure 10.1. VeraCrypt hidden volume layout

VeraCrypt hidden volume layout


The image in Figure 10.1, “VeraCrypt hidden volume layout” was cheerfully lifted from the actual VeraCrypt documentation. Thanks! The VeraCrypt documentation is excellent, and is well worth reading even if you have no problem using the software.

After creating a non-hidden and hidden volume, I generally mount the non-hidden partition and salt it with a few important but non-secret file. Your resume, a scan of your passport, tax file for the past few years, and a few (safe) letters to friends. Maybe even some over-18 porn. If the TLA scum find VeraCrypt and insist forcibly that you mount your VeraCrypt volumes, they can scrutinize them all they want, and not find anything really bad. (Maybe jerk off to the porn!) They may not realize that real data hides under the surface.

The only clue that a forensics expert would have that a hidden volume was present is that the size of the files in the partition plus the amount of free space available does not match the size of the volume itself. The fact that you can mount the non-hidden volume (which I refer to as the "placebo" volume, since I really just use it as a distraction) or the hidden volume, and store files in each, is a very useful feature for hiding things. I map unmounting the hidden volume to a hotkey so that f the Gestapo ever break my door down, the existence of the hidden volume is invisible. If the TLA thought police force to mount that volume, I can mount the non-hidden version, and my secrets are still mine. They can examine the files I put in the non-hidden version to their hearts content (if they have a heart, that is).


When editing or creating file on a hidden volume, make sure that any temporary files created by the application that you are are using are also created on the hidden volume. This can usually be achieved by setting environment variables to create backup/checkpoint files in the same directory as the original file, or not to create them at all.

Obtaining and installing VeraCrypt

Different operating systems and graphical desktop environments provide different levels of access to platform-specific compression and disk utility applications. The MacOS and Microslush Windows desktops provide compression utilities om standard popup menu entries. All platforms support graphical and/or command-line utilities for portioning and formatting disks and other block devices.

Here the goal is not to hawk or explain a specific operating system's approach to traditional storage, but rather to provide a platform-independent discussion of how to hide sensitive data so that Erwin Rommel and TLAs don't roll over your right to privacy when they eviscerate your computer system in their latest legal panzer attack. As such, I'll use a program that I absolutely love, VeraCrypt, which is (as they put it) "...a free open source disk encryption software for Windows, Mac OSX and Linux." (They forgot about FreeBSD, which they also support.) They go on to say that VeraCrypt is based on the last version of TrueCrypt. TrueCrypt was a well-known and well-respected disk encryption tool, support and developers for which vanished one day in the worst possible amalgam between an open source development team and rats leaving a buggy sinking ship. What bobbed to the surface immediately thereafter was VeraCrypt, which you should absolutely donate to. You'll see why soon.

To get started with VeraCrypt, download the version of VeraCrypt for your platform and install it by running the executable (Windows), copying the executable to the Applications folder (MacOS - OSX FUSE is also required), or uncompressing the downloaded bzip2 tar archive (tar xjvf archive-file) and then running the 32 or 64-bit console or GUI installer, depending on your system and preference (Linux).

Creating a decoy and hidden volume

To use VeraCrypt to create a decoy and hidden volume, do the following:

  1. Stat VeraCrypt. A screen like the one shown in Figure 10.2, “VeraCrypt startup screen” displays. Click Create Volume. The VeraCrypt Volume Creation Wizard screen, shown in Figure 10.3, “VeraCrypt Volume Creation Wizard dialog”, displays.

    Figure 10.2. VeraCrypt startup screen

    VeraCrypt startup screen

    Figure 10.3. VeraCrypt Volume Creation Wizard dialog

    VeraCrypt Volume Creation Wizard dialog

  2. Select the Create an encrypted file container radio button, then click Next. The Volume Type screen, shown in Figure 10.4, “VeraCrypt Volume Type dialog”, displays.

    Figure 10.4. VeraCrypt Volume Type dialog

    VeraCrypt Volume Type dialog

  3. Select the Hidden VeraCrypt volume radio button. The Volume Location, shown in Figure 10.5, “VeraCrypt Volume Location screen”, displays.

    Figure 10.5. VeraCrypt Volume Location screen

    VeraCrypt Volume Location screen

  4. Click the Select File button to display the dialog shown in Figure 10.6, “The Specify a New VeraCrypt Volume dialog”, which enables you to navigate to the the location where you want the decoy volume to be created.

    Figure 10.6. The Specify a New VeraCrypt Volume dialog

    The Specify a New VeraCrypt Volume dialog

    Enter the name that you want the decoy volume to have in the Save As field, and click Save to close this dialog. Note that the full path to the new volume now displays in the Volume Location dialog.

    Optionally select the Never save history button to avoid saving any references to actions within this new volume in your shell history, which could reveal the existence of the hidden volume and whatever files and directories it contains.

    Click Next to proceed. The dialog shown in Figure 10.7, “VeraCrypt Outer Volume Encryption Options screen” displays.

    Figure 10.7. VeraCrypt Outer Volume Encryption Options screen

    VeraCrypt Outer Volume Encryption Options screen

  5. Use the dropdown beside the Encryption Algorithm field to display the list of available encryption algorithms or sequences of encryption algorithms that you want to use to encrypt any data that is stored on the decoy volume. Select the one(s) that you want to use from this list.

    After selecting the encryption algorithm(s) that you want to use in the decoy volume, you can optionally click the Test button to display a dialog that enables to to see the effects of the algorithm(s) that you selected. You can then click the Hash Algorithm field to drop down a list of the available hash algorithms to be used by VeraCrypt's random number generator as a pseudo random function during mixing and header key derivation. Select a value from the list or leave the default SHA-512 value selected.

    After changing these values or accepting the defaults, click Next to proceed. The screen shown in Figure 10.8, “VeraCrypt Outer Volume Size screen” displays.

    Figure 10.8. VeraCrypt Outer Volume Size screen

    VeraCrypt Outer Volume Size screen

  6. Enter the size that you want the decoy volume to have in gigabytes, megabytes, or kilobytes (seriously?). The minimum size is 340 KB, just slightly less than the size of a double-sided DOS floppy and almost as useful as one.

    After entering this value, click Next to proceed. The screen shown in Figure 10.9, “VeraCrypt Outer Volume Password screen” displays.

    Figure 10.9. VeraCrypt Outer Volume Password screen

    VeraCrypt Outer Volume Password screen

  7. Enter the password that you want to use for the decoy volume, then enter it again to ensure that you entered it correctly. If VeraCrypt complains that the passwords don't match, select the Display Password checkbox to locate and correct the differences. This password must be very different than the one that you use for the hidden volume, so use an easy-to-remember one for the decoy volume. This is the one you may be forced to reveal to some TLA, so you probably don't want to tease them by making it "The-NSA-Suck5" or anything along those lines.

    Click Next to proceed. The screen shown in Figure 10.10, “VeraCrypt Outer Volume Format screen” displays.

    Figure 10.10. VeraCrypt Outer Volume Format screen

    VeraCrypt Outer Volume Format screen

  8. Preparatory to actually formatting the decoy volume, VeraCrypt collects information to use in its "randomness", which the randomness it uses when filling the new volume with random data after formatting it. Once you have moved the mouse "enough", click Format to begin formatting and filling the decoy volume. VeraCrypt display a quick dialog to say that it is beginning the format process.

    When the format process completes, VeraCrypt displays a dialog telling you that it has mounted the new volume, and that you should populate it with some sensitive-appearing data, the size of which it will use to calculate the maximum size of the hidden volume that you can create.

    When you have populated the decoy volume with some sensitive-appearing data, click Next to proceed. Another informative dialog displays, letting you know that the maximum possible size of the hidden volume has been determined. Click Next to proceed. The dialog shown in Figure 10.11, “VeraCrypt Hidden Volume Encryption Options screen” displays.

    Figure 10.11. VeraCrypt Hidden Volume Encryption Options screen

    VeraCrypt Hidden Volume Encryption Options screen

  9. Select the encryption and hash algorithms that you want to use when creating the hidden volume, just as you did when creating the decoy volume in FOOBAR.

    When you are finished, click Next to proceed. The dialog shown in Figure 10.12, “VeraCrypt Hidden Volume Size screen” displays.

    Figure 10.12. VeraCrypt Hidden Volume Size screen

    VeraCrypt Hidden Volume Size screen

  10. Enter the size that you want the hidden volume to take up. Its maximum size, based on the size of the data with which you populated the decoy volume, is the initial value that is suggested. I generally reduce this by 5 GB or so, so that I can continue to update and add files to the decoy volume to make it look like a normal value that is being used normally.

    After specifying the size of the hidden volume, click Next to proceed. The dialog shown in FOO displays.

    Figure 10.13. VeraCrypt Hidden Volume Password screen

    VeraCrypt Hidden Volume Password screen

  11. Enter the password that you want to use for the hidden volume, then enter it again to ensure that you entered it correctly. If VeraCrypt complains that the passwords don't match, select the Display Password checkbox to locate and correct the differences. This password must be very different than the one that you used for the decoy volume,

    Click Next to proceed. The screen shown in Figure 10.14, “VeraCrypt (Hidden Volume) Format Options screen” displays.

    Figure 10.14. VeraCrypt (Hidden Volume) Format Options screen

    VeraCrypt (Hidden Volume) Format Options screen

  12. Click the down arrow at the right of the Filesystem type field to see a list of the types of filesystems that you can create in the hidden partition, select one, and then optionally select the Quick format checkbox if you want to do a quick job of creating the filesystem, which only writes necessary data to reformat the filesystem - it does not write all blocks from scratch.

    Click Next to proceed. The dialog shown in Figure 10.15, “VeraCrypt Cross-Platform Support screen” displays.

    Figure 10.15. VeraCrypt Cross-Platform Support screen

    VeraCrypt Cross-Platform Support screen

  13. Indicate whether you will use this volume with other operating systems by selecting either the I will mount the volume on other platforms or the I will mount the volume only on Mac OS X radio buttons.


    The screenshots for this tutorial were captured on Mac OS X. These options will differ when running VeraCrypt on other platforms, but the idea will be the same - on other platforms or only on the current one.

    Click Next to begin the format process. The dialog shown in Figure 10.16, “VeraCrypt Hidden Volume Format screen” displays.

    Figure 10.16. VeraCrypt Hidden Volume Format screen

    VeraCrypt Hidden Volume Format screen

  14. Preparatory to actually formatting the hidden volume, VeraCrypt collects information to use in its "randomness", which the randomness it uses when filling the new volume with random data after formatting it. Once you have moved the mouse "enough", click Format to begin formatting and filling the hidden volume. VeraCrypt display a quick dialog to say that it is beginning the format process.

    When the format process completes, VeraCrypt displays a dialog telling you that it has formatted the hidden volume, and proving some references to the section of the documentation that are relevant to hidden volumes, shown in Figure 10.17, “VeraCrypt Informative screen”.

    Figure 10.17. VeraCrypt Informative screen

    VeraCrypt Informative screen

  15. A final Volume Createdscreen displays, enabling you to format another volume by clicking Next or to exit, well, by clicking Exit.

Well, that was easy!

Using the volumes

So far, I've focused on using VeraCrypt's excellent GUI for creating an encrypted, hidden volume. The GUI makes it easy to specify things like the size of the decoy and hidden volumes, and to select, experiment with, and switch between the encryption algorithms used during volume creation. However, once you've created a volume, a GUI is not the right thing to integrate into largely textual, command-line sequences of system-level commands like a system's boot process. A flurry of mouse moving, cursor tracking, object selection, menu expansion, and button clicking looks silly when just bringing up a systrm. You just want some things to happen in a predetermined sequence without the need for interaction and intervention - if a system is rebooted, you shouldn't need to be present while it rises, phoenix-like, from its own ashes or a simple power-off state. Making storage volumes available for use, known as mounting them, is a part of bringing up every system, and generally takes place before a system's GUI is available.

The folks at VeraCrypt didn't want mounting their volumes and making them available to be left out of a system's boot process, especially because VeraCrypt can encrypt system and similar volumes where all the binaries you're running live in the first place. They therefore added command-line switches that control every aspect of VeraCrypt, making it easy to integrate VeraCrypt into any system's boot process and its associted shell scripts, command files, and other easy-to-use textual control for bring up a system. You don't even have to learn any new tools when working with this aspect of the boot process and these types of files - you already know how to use such a tool, and it's called emacs, er, I mean, a text editor. Hey, how did that soapbox get under my feet?

The next few sections explain how to use VeraCrypt's command-line interface to perform standard system tasks like mounting and cleanly unmounting volumes. Your system's power switch provides a quick and dirty way of unmounting volumes, but it doesn't always leave them ready for reuse without burning some incense and sacrifing a chicken or two. Let's use VeraCrypt's command-line interface first, but keep those chickens handy, just in case.

Mounting decoy and hidden VeraCrypt volumes

The basic syntax of the command used to mount a VeraCrypt volume from the command-linen is the following:

      veracrypt -t --non-interactive volume -p password mountpoint

These optiopn and arguments have the following meanings:

  • -t - specifies that VeraCrypt is being used in text mode, without GUI

  • --non-interactive - specifies that arguments and options will be supplied on the command-line - VereCrypt does not need to prompt for additional arguments or values

  • volume - specifies that name of the volume that is to be mounted

  • -p password - specifies the password for the volume thatv you are mounting

  • mountpoint - specifies the directory non which the volume is being munted

Mounting a VeraCrypt volume can take 30 seconds or so. Unless the volume contains the operating system or system binaries, it is therefore often a good idea to mount VeraCrypt volumes outside of the linear system boot process.


If you are mounting a hidden volume, it is generally a bad idea to mount it while its enclosing decoy volume is also mounted.

When the mount command competes successfully, you will see a message like "Volume volume-name has been mounted.".

Listing mounted VeraCrypt volumes

VeraCrypt provides an equally concise command to list all of the VeraCrypt volume that you have mounted or have access to. This command is the following:

      veracrypt -t --list

This command returns something like the following:

      1: /home/wvh/Personal /dev/disk2 /home/wvh/DARK

In this sample output fragment, the fields have the following meanings:

  • 1: - the VeraCrypt "slot" that holds the information about a specific mounted volume, which isa VeraCrypt volume to mount point mappoing

  • /home/wvh/Personal - the name of the VeraCrypt volume

  • dev/disk2 - the name of the internal system disk device that is assigned to this mounted vomlume

  • /home/wvh/DARK - the directory on which the specifed VeraCrypt volume is mounted and therefore through which it can be accessed

For hidden volumes, the same device, internal disk, and mountpoint are used - the password used to mount the volume determines whether the decoy or hidden volume is mounted.

Unmounting a VeraCrypt volume

VeraCrypt provides a more concise command to unmount a specific VeraCrypt volume, identifying it by its mount point. This command is the following:

      veracrypt -t -d mountpoint/

The options and arguments to this command are the following:

  • -t - specifies that VeraCrypt is being used in text mode, without GUI

  • -d mountpointspecifies that you want to dismount the volume that is currently mounted at the specified mountpoint

After running this command and having the shell re-display its prompt, the volume mounted at the specified mountpoint has been dismounted. As with many Linux and Unix commands, the lack of complaint indicated success.

Muddying the water

Previous sections have explained how to create and mount real and decoy volumes so that you have some place to do real work and store real data without advertising its existence. This section takes the concept of hiding data a bit further by providing some suggestions about how to "decorate" decoy volumes so that it looks like you are actually working in them, and therefore no one thinks that real data may be hiding under the floorboards.

Creating litter and footprints

The best and easiest way to make a decoy directory look lived in is to litter it with the types of temporary files that tools such as editors create while working. After all, if you weren't actually using an editor and working on the files in a given directory, you'd hardly create temporary fies manually and just leave them there to fool people. Would you?

If you've actually read this book rather than just living in the table of contents or the index, you may have noticed that I use an editor called emacs ("editing macros") for just about everything. For every file that you use emacs to create or modify, emacs creates the following temporary files:

  • a backup copy of the file as it was before you last edited it. This is known as thee . By default, this file has the same name as the real file, but is preceded by a period (to "hide" it from a standard directory listing) and has a tilde ('~') appended to it. For example, the backup copy of the file foo.txt is the file .foo.txt~.

  • a temporary copy of the most recent modifications to the file, up to the last 200 modifications. This is known as the and is used to hold in-progress changes to the file. If the editor "exits abnormally", you can recover the most recent changes from this file. The checkpoint file for the file foo.txt is the file .#foo.txt#

When using emacs, these files are automatically created, used, and cleaned up for you as you use and then terminate the editor. If you use emacs to modify a file but do not save your changes, the associated temporary files may be left behind to expedite restoring the changes. Therefore, you can make it look as though you were working on a certain file in a certain directory by manually creating backup and checkpoint files for that file in that directory. If you vreally want to fool someone, make sure that the contents of those files follow the rules.

Hiding commands

Figure 10.2, “VeraCrypt startup screen” shows VeraCrypt's startup screen, which displays the slots that VeraCrypt maintains for its mounted volumes. This makes it easy for you to see the encrypted and/or hidden volumes that are currently mounted. Unfortunately, this interface is just as easy for Herman Goering to use to see that same list of volumes after he or some other TLA cronies have seized and are dissecting your running laptop. The same is true of the command-line mechanism for listing mounted volumes, as explained in the section called “ Listing mounted VeraCrypt volumes ”.

Commands like these are hard to hide, especially if the TLA goons know about VeraCrypt - and I apologize if they did so through this book. Let's assume/hope not.

My favorite trick for hiding tools like VeraCrypt is to rename the binaries to something similar but innocuous. One of my favorite renames for VeraCrypt is purge-logs, which could obviously take directories as arguments. This will only delay the marginally clueful, but any delay is a win, and renaming could actually cause Joe TLA to overlook something.

Chapter 11.  Finding stuff on the dark web

Welcome! Now the fun begins, as you poke around on the dark web, looking for something interesting. Each of the sections in this chapter describes sites that I've spent time on and found to be interesting, useful, or both. I'm not going to bloat this document by summarizing everyone else's favorite sites on the web - that's what search engines are for.


It's common practice to modify your Tor configuration and set your home page to a Tor Status page or to a Tor directory or search engine page. If you already know where you want to go, you're probably going to click on it directly, type it in, or have bookmarked it on a previous visit; if you're just poking around, a directory or search engine page give you a blank canvas to start with.

Dark web directories

There was a time on the internet before search engines (ask your grandfather), when the primary web sites were nested pages that contained hand-curated, hand-organized collections of links that helped you find anything that you were looking for on the web. Yahoo! got its start this way. The dark web sports a few of these, which can be very useful in finding a starting point or in just getting some idea of what you subsequently want to search for.

  • - a clearnet site that provides many links to onion sites. You must be running Tor (or any other software that handles .onion links) in order for these links to resolve correctly. The darknet hidden wiki frequently changes location (and can be searched for), and features many scams, but is currently here.

  • The Tor Hidden Wiki - the dark web version of the hidden wiki - lots of links to lots of sites, updated at random times. and moves frequently. Some versions of this site are among the best-known, most commonly references sites.

    Figure 11.1. The Tor Hidden Wiki

    The Tor Hidden Wiki

  • ParaZite - Much like the earliest versions of Yahoo!, ParaZite has a clever name and consists of a combination of curated links and a rudimentary search engine. The curated links are great for dark web newbies who want to find sites that are related to a noun or concept rather than randomly searching for them.

  • https://3g2upl4pq6kufc4m.onion/TorLinks - a moderated replacement for the Hidden Wiki, TorLinks serves as a link/url list of Tor hidden services. A great source of information for matches regrading certain terms if you are not exactly sure what to search for. Regularly updated, though I'm not sure of the update schedule.

    Figure 11.2. The TorLinks directory

    The TorLinks directory

  • - yet another clearnet site that consists of links that only resolve if you're visiting it in the Tor browser.

Dark web search engines

  • - a great search engine to start with because it searches both the surface web and the dark web at the same time. It's often used as a home page for this reason and for convenience in general.

  • Candle - somewhat modeled after Google, but without the complex syntax for advanced searches. Only indexes .onion sites.

    Figure 11.3. The Candle search engine

    The Candle search engine

  • - Page of up-to-date dark net infobytes followed by a long listing of the online/offline status of various popular .onion markets and related sites.

  • DuckDuckGo - a high quality search engine second only to Google in popularity, but far superior to it in privacy. DuckDuckGo does not have the commercialism and privacy/anonymity tracking violations that infest Google, but it does have a vast index and quality search engine. The Onion version of DuckDuckGo includes hits for the clearnet in addition to .onion matches. The clearnet version of DuckDuckGo does not include .onion links in its index

  • Grams - search dark web markets for just about anything, preferably something illegal. This site doesn't seem to be up very often, but the wait ca be worth it.

  • News Group File Search - Eeasily searched, but limited to news group content. Quite useful at times, but not always.

  • not Evil - as witty a search engine as you can get in two words, and with an obscure reference to something the Google used to believe was their motto, not Evil has a simple UI that lets you search within titles, URLs, or full text. The About link at the bottom makes it clear that this site is philanthropic and philosophical.

  • searX - a metasearch engine, aggregating the results of other dark web search engines while not storing information about its users. Supports plugins, including web search and ad-blocking by default. Inspired by the Seeks project, a web search proxy and collaborative distributed tool for websearch.

  • Tor Search - a search engine for Tor hidden services. Tor Search makes it easier to find these because it is restricted to things that are hidden (but not too well, apparently).

  • Tor66 - a search engine limited to .onion sites, and therefore displays a very different set of results than other search engines Results are displayed in a traditional list or a matrix-like "gallery" view. First search engine to deliver an "amputees porn" site in response to a search for "bitcoin".

  • Torch - one of the broadest and best-known dark web search engines. They crawl and index more than a million pages, and is a great place to start and search. Like most search engines, the Torch site is paid for by ads, which can be handy if you're looking for something that matches an ad, though the rotating, blinking GIFs may occasionally induce an epileptic seizure.

    Figure 11.4. The Torch search engine

    The Torch search engine

  • VisiTOR - this site seems like a little bit of everything. You can get to various things (link directory, search engine, etc.) though per-section buttons across the top of the screen, and you can see those sections if you scroll down far enough. The link directory is especially interesting because it seems very different from others.

Dark web markets

One of the best things about the darkweb is your opportunity to buy just about anything. Caveat emptor - and that means you!


Law enforcement scum often seize sites and turn them into honeypots, which is the nerd term for a site that is set up to entrap the unwary. Be very careful when attempting to buy something on the dark web - make sure that the ste from which you are attempting to make a purchase hasn't been taken over by someone who wants to force you to agree with them in the name of some stupid law or supposed morality.

  • Black Market Guns - large selection of pistols, hand guns with butt stocks, and ammunition. Some night vision hardware.

  • Dream Market - has had some interesting history recently, when its operators modified its home page to announce that it was going down on 30-April-2019) perhaps to change hands. This message disappeared a few days later, so it either changed hands or morphed into the world's largest and trickiest honeypot. Since legal folks have to do something to justify their existence, use and order with caution.

  • EuroGuns - Small selection of quality hand guns. Desert Eagle, Walther PPK, SIG Sauer. Shipped from the Netherlands and Germany, and only guaranteed within the EU.

  • Silk Road 3.1 - Silk Road is probably the best known of the markets on the dark web, having been busted several times and made clearnet headlines for selling things that are "illegal" according to someone's bogus ideas of what laws are for. However, like a resilient cockroach, the site keeps coming back, though some sites referenced on it are probably still honeypots so that John Law can arrest people for victim-less crimes.

  • UnderMarket - a newer, yet well-populated market, tabs enable you to jump directly to various parts of the market. The site is definitely oriented towards hacks, crack, and other services. DDOS for two, anyone?

    Figure 11.5. UnderMarket 2.0 market

    UnderMarket 2.0 market

  • Valhalla - another of the best-known and most popular markets for goods and services, Valhalla (AKA its Finnish name, Silkkitie) once required an invitation, but now seems to be freely available (when it's available at all).

  • Wall Street Market - one of the best known dark web markets, the Wall Street market features the usual assortment of drugs, literature, and services. DANGER: Supposedly siezed by law enforcement scum early in 2019.

    NOTE: Things change just as quickly on the dark web as on the surface web. In the time between my writing the first draft of this document (including the warning in the previous paragraph) and now (29-May-2019), the jackbooted thugs that support the law rather than moral or ethical good siezed the Wall Street Market and shut it down. Figure 11.6, “R.I.P., Wall Street Market” shows what you see now - check the tab at the top of the screen. The site should never be trusted again, lest it rise phoenix-like, coming back as a zombied honeypot. Alas, poor Wall Street Market, I knew thee well...

    Figure 11.6. R.I.P., Wall Street Market

    R.I.P., Wall Street Market

Figure 11.7. Random items for sale at a random site

Random items for sale at a random site

Public services on the dark web

The dark web has a "softer" side, which is to provide some sites that support its other goals, primarily along the lines of information sharing. These sites are not guaranteed to be up (nothing on any web ever is), but provide valuable services when they are available.

  • Aktrivix - URL shortener for TOR and the dark web.

  • AnonyShares - enables you to post and publicly share files of any type, up to 10MB in size

  • Onion Fileshare - enables you to post (and therefore share) files of any type up to 2 MB in size

  • PasteOnion - enables you to post share files of any type. Shared files can be public or have a password set for them.

  • Pirate Bay - dark web version of thepiratebay site. A great place to download music that you like or are curious about, but not enough to pay for. (Hint: if you find yourself listening to something twice, buy a copy if you can. If it's out of print and not purchasable as downloaded audio, that's somone else's stupid fault, and a different matter.)

Bulletin boards, chats, and social sites

Though chatty, social site seem like concceptual anathema to the darknet, you can participate as anyone, and you'll certainly learn a lot! In an exercise in recusion, you can also ask for suggestions about similar sites.

  • Anon Net - go beyond TOR into another dark world of strange looking sites and paranoia. Usable through TOR.

  • CryptoParty - lots of content and lots to learn from the darkweb version of the clearnet CryptoParty site, where you can get together to share info and hot tips and advice

  • Deepsec - security-oriented site and community, populated by smart, secure people all over the world, often much smarter than I am

  • Galaxy Social Network - A social network for the anonymous darknet is detrimental. Well traveled with lots of great content.

  • Onion Soup - experiences and news about the darkweb

  • Overchan Lolz - very similar to, and sometimes duplicated from, Overchan Slamspeech, this chan has a huge number of well-populated categories with many posts within each of them

  • Overchan Slamspeech - popular bulletin-board systerm with a tremendous number of subjects. Well worth checking out for more information about the dark net and everything else

  • https://torum6uvof666pzw.onionTorum - capcha-protected cyber security forum. Friendly, English-only educational forum with a wide range of sub-forums on operating systems, hardware, social engineering, networking, and so on.

    Figure 11.8. The Torum site

    The Torum site

News and information sites

There are a zillion useful sites on the darkweb. Some of my favorites are:

  • Anon Net - go beyond TOR into another dark world of strange looking sites and paranoia. Usable through TOR.

  • Jiskopedia: Dark Web Encyclopedia - huge amount of intelligence information, guides, articles, and a database to tie it all together, together they provide a rich source of information about life below the surface.

  • ProPublica: Journalism in the Public Interest - the .onion version of their clearnet site, both of which deliver their insighful and stimulating jouralism - "journalism with moral force", as they themselves say. They have even won a Pulitzar prize for the MS-13 gang coverage, while most news sites struggle with graduating from CSS 101 and basic design. This is such an excelllent source of real information that I would subscribe President Trump to their newsletter if I thought he could read (or at least would).

    Figure 11.9. ProPublica investigative journalism site

    ProPublica investigative journalism site

  • Sci-Hub: free scientic knowledge - contains millions of scientific research papers in an attempt to make the world's scientific knowledge available to people without the exorbitent fees that are often requied by scientic journals. Access to this knowledge is like having a lifetime pass to the libary at Alexandria.

  • Onion Soup - experiences and news about the dark web

  • Wikileaks - official mirror site of the famous clearnet Wikipedia site, through 2010 with occasional new links

Commercial services


Commercial services, such as cryptocurrency mixers and mail services, that have been discussed in other chapters, are replicated in this section for your convenence.

  • Bitcoin Blender - Tor hidden service that provides a mode which does not require the creation of an account in order to do simple mixing. Sheduled mix/withdrawal for regular users,

  • Bitcoin Laundry - low fees, a usable user interface (UI), and good security easily explain the popularity of this site. By efault, logs are purged weekly, but log purging can be requested at any time.

  • BitMix - enables you to mix Bitcoin, Ethereum, and/or Litecoin. Low commission, quick mixing, and full anonymity. Minimums are requied for different cryptocurrency transfers. No logs are retained.

  • CryptoMixer - well-suited to large volume bitcoin mixing. Generated addresses are retained for 24 hous, then discarded.

  • Mailfence - a secure surface web email provider headquartered in Belgium, Mailfence provides a secure and private email service with browser-side encryption and full support for OpenPGP and digital signatures. Mailfence supports secure document storage, The free level of Mailfence supports 10 MB of attachments and 500 MB maximum mailbox storage, with increasing levels of each for the Entry and Pro service levels that cost real money.

  • - a secure surface web and onion email provider headquartered in Switzerland, Protonmail provides end-to-end encryption and hardware-level security with no provider access to user date. The free level provides 500 MB of storage and one email address, with a maximum of 150 messages per day. Other levels (Plus, Professional, and Visionary) have actual costs, but also provide increasing amounts of all of these plus the addition of custom domains for sending/receiving email.

    Figure 11.10. The Protonmail secure email provider

    The Protonmail secure email provider

  • Real Hosting - up your game with full-featured hosting on the dark web, with free 6- or 8-letter .onion addresses depending on how long you sign up for. Accepts bitcoin payments. No kiddie porn or victim-ful crimes. Very useful, though you should check where they're headquartered in case subpoenas appear and they have to give you up like last month's rent.

  • - a secure surface web email provider headquartered in Israel, supports the POP3 protocol to receive non-encrypted emails, or the POP3 SSL/SMTP SSL or IMAP SSL/SMTP SSL protocols for end-to-end encryption. The free level has interesting limitations such as 200 email messages per folder is 200, a maximum number of 10 folders per account, and 3MB of total storage. Safe-mail is the purchasing entry point for private and business email pages with increased or unlimited amounts of all of these, multiple levels of secure document storage, plus many add-on services such as additional security, backup and disaster recovery, calendaring, chat, bulletin boards, and much more.

  • TorShops - site for purchasing your own .onion site, which includes hosting, an integrated wallet, order tracking, messaging, personalized .onion domain (first six characters), custom logo, multiple page designs to start with, and much more. Setup fee is $100 USD (0.015 bitcoin), with an on-going charge of 6% of sales.

  • - a secure surface web email provider headquartered in Iceland, Unseen supports end-to-end encryption, file sharing, and full support for OpenPGP for email and other encryption mechanisms for audio/video encryption, including some that are apparently proprietary. Messages sent to non-Unseen hosts using proprietary encryption mechanisms that are not supported by the recipient's system will be sent in the clear. The free level of Unseen supports sharing files of up to 50 MB, and a reasonable amount of message storage. The premium version supports 2GB of storage, sharing files of up to 40GB in size, and group audio/video calling.

Chapter 12.  Crypotocurrency 101

Hey, I thought this was a book about the dark web? Yes, Virginia, it is, but if you ever plan to buy anything there and don't want to pay for it by a check with your name and address on it, you're going to have to pay for it with cryptocurrency. Therefore, this chapter provides enough info to get you started so that you can eventually buy that Glock, er, that marijuana, er, that Donald Trump voodoo doll with complete security.


Time to stand on a popular soapbox for a moment. In cryptocurrency, we are all being present at the birth of a new way to back, store, and think about currency. Cryptocurrency s not backed by some hard-to-find metal that is stored in some facy closet surrounded by armed guards (ala Fort Knox), nor is it backed by promises made by some goverment. Instead, it if backed by work or the value of some intellectual technological asset. As such, the intellectual technologies that understand and innovate cryptocurrencies are themselves under development. This chapter explains the basics, but what about the future? Bitcoin Improvement Proposals (BIPs) are the cryptocurrency versions of the Requests for Comment (RFCs) that have always driven the bith of the Internet itself. BIPs can be found at Bitcoin Improvement Proposals page of the Bitcoin Wiki. The current list of BIPs and their status can be viewed here. BTW, "Bitcoin" is something of a misnomer here, because these are really cryptocurrency and cryptocurrency handling improvement proposals, but I guess the first crypto coin out there gets lots of naming rights.

Let's start with the core concept behind all true cryptocurrencies - the blockchain. It's hard to find a tech blog, online site, or zine that doesn't hype blockchain as the next big thing, but many people seem to recognize the word without really understanding the concept. Understanding blockchain as a technology and its relationship to each cryptocurrency is fundamental to becoming part of the cryptocurrency future. Beyond "just" cryptocurrencies, understanding blockchain's implications for other industries will help make it clear why blockchain is a truly revolutionary approach to transaction tracking, metadata storage, lookups, and data security.

What is a blockchain?

A blockchain is shared, distributed data that functions as a ledger which tracks a certain type of transactions. There is no such thing as the blockchain. Each application of the blockchain concept, such as most types of cryptocurrency, uses *a* blockchain to record the type of transactions that it is associated with, though multiple applications can share a single blockchain. Bitcoin was the first popular cryptocurrency, and is the original example of a blockchain-based technology. Anyone who is mining bitcoins is interacting with Bitcoin's blockchain, which is completely distinct from the blockchain used by Ethereum, the blockchain used by Monero, and so on.

Every participant in a blockchain has a complete copy of that blockchain. Every time a transaction is completed, all members of the associated blockchain network get information about those changes and ensure that they are present in their copy.

How does blockchain work with cryptocurrrency?

As the name suggests, a blockchain is composed of data blocks of a certain size that are linked together. Each block is comprised of a header and the data that the block contains. The header in each block in a blockchain has a reference to the previous block in the chain. The identifier used to identify the previous block is the fingerprint of the header of that block, known as a hash. In mathematics, a hash function is a mathematical process that takes input data of any size, performs some mathematical operations on that data, and returns a value that is a fixed size. The term "hash" comes from the notion that you are somehow chopping up differently-sized input data to arrive at the fixed-size output value.


A blockchain model does not guarantee anonymity - it only provides an abstraction that, for some cryptocurrencies (such as bitcoin), is easily trackable.

Using a hash as the identifier for the previous block has a big advantage over just using an increasing block identifier for each block. Change one bit in the data, and a different hash is returned. Thus, using a hash as a block identifier provides both a unique way of identifying a block and a way of verifying the fact that the data in that block has not changed.

The block headers of different blockchains have different formats, and the content and sizes of their blocks also differ. Bitcoin's header format is 80 bytes, while the header for the blockchain used by Ethereum is over 500 bytes. They key features of any blockchain header are the following:

  • prev-block link - the hash value that identifies the previous block in the blockchain

  • block size - size of this block in bytes

  • nonce - one or more values that verify that appropriate work went into creating the block

Block headers differ by more than size across different blockchains - their contents differ based on the types of transactions that they are tracking and the way in which they are being tracked. Because headers differ across blockchains, block contents also differ widely across different blockchains. Each transaction and related block contents must at least contain a unique identifier for that transaction, which is typically a hash based on the contents of the transaction.

Because the blocks in a blockchain contain a record of all transactions that have ever been made to that blockchain, blockchains can only be appended to as new transactions occur.

Earning cryptocurrency by adding to its blockchain

Blocks in a blockchain are created by an operation known as mining. Systems that are involved in the blockchain, known as nodes, create new blocks by performing many calculations in order to find hash values that satisfy the criteria for the "nonce" field in the block header. The nonce is therefore referred to as "proof of work" in blockchains such as Bitcoin. Other blockchains use different criteria for validating a block, such as "proof of stake", "proof of activity", and so on. When you successfully mine a block in a public blockchain such as that for a cryptocurrency, you receive a reward, typically in units of that cryptocurrency.

For more information about obtaining bitcoin and other types of cryptocurrencies, see the section called “ Getting Bitcoin and other currencies ”.

Getting Bitcoin and other currencies

As mentioned in previous sections, there are various ways to obtain a form of cryptocurrency. Unless you're a day trader and want to be nervous all the time, the best strategy for profiting from cryptocurrency is to buy a cryptocurrency whose technology and reason for existence you believe in, and then to HODL that currency until/if it catches on and makes some sort of profit. Other strategic tips on how to profit from cryptocurrrency are to ever invest more than you can afford to lose, always buy low and sell high, and ton always leave sufficient room between you and the car in front of you.

The standard ways of obtaining cryptocurrencies are the following:

  • mining - solving the mathematical problems associated with a given blockchain until a block is completely solved, at which point the reward is earned and shared. Rarely profitable or timely nowadays for bitcoin, unless you happen to have hundreds of machines with multiple GPUs just sitting around or buy a Bitcoin (or other cryptocurrency) miner. See the section called “ DIY Mining: There's crypto coins in them there algorithms ” and the section called “ Contract/Cloud Mining: They'll drive and pay for the power ” for more information.

  • earning - various earning schemes such as micro tasks, crypto blogging, affiliate marketing, day trading, gambling, crypto faucets, etc. Auto-earners can be lots of hassle to set up, but can earn micro amounts for you in the background.

  • purchasing/exchanging - exchanging fiat currency or some other cryptocurrrency for cryptocurrency through an exchange or equivalant.

    When purchasing a cryptocurrency, it's preferable to be able to be able to deposit that cryptocurrency in an account or multi-asset wallet where multiple currencies are supported, so that you can convert between the crytocurrencies that you will want to be able to spend or invest in. Bitcoin is the lowest common denominator (in terms of being able to invest and convert between currencies, not in terms of actual cost). See the section called “ Desktop software wallets ” and the section called “ Using an exchange ” for more information.

In any of these scenarios, you just need to be able to specify the hex address of the cuurency wallet in which you want the cryptocurrency that you've acquired to be sent/deposited to,

DIY Mining: There's crypto coins in them there algorithms

If you're really determined to mine yourself, you can either:

  • Build a machine with a motherboard that supports multiple video cards, a special rack to hold them, and a power supply big enough to fuel a small city, and then install the operating system of your choice (usually Linux or optimized, customized Linux) and the software that you plan to use for GPU mining of the cryptocurrency that you'll be mining. ASUS makes some great motherboards for mining, such as the B250. Other vendors include almost everybody: ASRock, Biostar, Gigabyte, MSI, and new (to me, at least) vendors such as Onda.

  • Purchase a bitcoin miner which features ASICs (Application-Specific Intergrated Circuits) that are designed for that purpose. With this hardware, you will still have to register with a mining pool, which aggregates the results from multiple miners and shares the coins that are mined. Some vendors of ASIC miners are:

    • Bitmain - Bitmain is the oldest and best-known designer and manufacturer ofstanlone miners, all of which need a separate power supply to run. They are all high perforance, with new models appearing quite often. They all sound like a private or commercial jet airplane taking off, so doon't try to set them up in your bedroom. Bitmain miners are easy to find on eBay or on Amazon. Their web site hints at futurec AI-based systems if you're playing buzzword bingo or are an AI fan in general.

    • Caanan - Caanan Creative (usually known simply as Caanan is a hardware and services vendor located in Beijing, North Dakota... JUST KIDDING! Beijing, China. Caanan produces its own ASIC designs, and also took over the popular Avalon brand. At the time that this section was last updated, the Caanan and Avalon hardware was most readily available in on Amazon. For larger quantities, ontact Caanam themselves (if their web site is up).

    • FutureBit - Creators of both a USB miner that you plug into a USB port, and whose control software then runs on your PC, and a standalone miner that boots from an SD card and requires an external power supply. They are located in the USA, and their hardware can be purchased from them directly and is easily found on commercial sites such as Amazon.

    • Gekko Science - Creators of a USB miner that you plug into a USB port, and whose control software then runs on your PC. Their hardware is most commonly resold by other vendors and is easily found on commercial sites such as Amazon. This hardware enables you to mine any SHA256 based cryptocoins like Bitcoin, Namecoin, DEM and others.

    • Halong Mining - Halong Mining makes the Dragonmint Miner hardware, which are relatively new, high performance. standalone miners that require a 1600 Watt power supply per device. I wasc as surprised as anyone when, after many high performance claims and much hoopla in the press, everyrthing turned out to be true. The Dragonmint miners are also quieter than some from other vendors. These miners are available from them directly or from commercial vendors such as Amazon.

    • Pangolin Miner - Pangolin Miner makes the WhatsMiner hardware, which are relatively new standalone miners that require a 3350 Watt power supply per device. Wow! Uniquely, Pangolin also lets you host your miners in their farm for a small fee. These miners are available from them directly or from commercial vendors such as Amazon.

Former vendors of mining hardware include Butterfly Labs, Gridseed (USB), Spondoolies (much lamented by me!), and many more. These all offered transaction/hash rates that are low by today"s standards. Don't buy these even on eBay unless you collect old hardware or are just looking for an extremely inefficient space heater. A great quote on old mining hardware that I read somewhere is:

If you’re a hobbyist miner on a budget, with no interest in the profitability of transmogrifying electricity into bitcoins, then the old-hardware-name is worth considering.

Be forewarned that ASIC hzrdware has converted most of the USB devices into curios that may not be sigicantly profitable before the sun turns into a dark, smoky ember.

Good times at the mining pool

Mining pools offer a place to which you contribute the hashing that is being done on your hardware, which is then combined with that of other contributors/participants. You pay for this pool service via a share of any profits that you make from your contribution. This is the common way of earning crypto from some Frankensitinian mining hardware that you have assembled. Some contract/cloud sites also offer pool services as well as rental services.


See the Glossary under cryptocurrency tyoes for a list of many cryptocurrencies and their short and full names.

To find a mining pool that you can participate in, a simple Google search for "cryptocurrency mining pool" will turn up lots of sites for you, and will be more up-to-date than a written list could possibly be. To get you started here, some specific pools that I have participated in or heard about from others are the following:

  • AntPool - AntPool is operated by the Bitmain folks and is located in mainland China. They give out "Beijing is where the heart is" T-shirts when you sign up for an account. (That is a lie, but would be nice.) They are a well-respected pool, running primary on the latest Bitmain Antminers and custom Bitfury hardware. They support SHA256 mining, namely Bitcoin, Bitcoin Cash, Litecoin, and Zcash. Not too surprisingly, you can also rent Bitmain miners from them.

  • F2Pool - Supports SHA256 ontributory mining in Bitcoin and Zcash. Supports shared/rented mining via Nice2hash, with payouts in Bitcoin, Litecoin, Ethereum, GRIN-29, GRIN-31, ZCash, and Zclassic. NiceHash is a hashrate exchange platform, where miners can purchase hashrate based on different algorithms and mine in F2Pool.

  • - Supports SHA256 mining with potential payouts in Bitcoin, Bitcoin Cash, Decred, Ethereum, Ethereum Classic, Litecoin, GRIN-29, GRIN-31, and United Bitcoin.

  • Slush Poool - Slush Pool was the first mining pool. and therefore introduced most of the "pool" concepts. It is still going strong today. They currently enable mining SHA256 currecies, specifocally Bitcoin and Zero Cash. They are moving to a new website soon. If redirection does "just work", try the new slush pool site. How you profit from mining onSlush Pool is spelled out here.

Contract/Cloud Mining: They'll drive and pay for the power

Cloud mining is the hot term for sites that will mine for you, using their real or virtual hardware, and is especially cool because it uses the world cloud in its title, so you know that this is modern, bleeding-edge technological wizardry. In reality, these are just sites thhat run a bunch of mining hardware or virtual machines, from which you can rent an overall share or some number of real or virtual machines. Virtual mining hardware providers enable you to install and use your favorite mining software, rather than that is used by default on the site's hardware.

There are two basic ways of a cloud site charging you for participation:

  • pool fees - a share of any profits that you make from the hashing that is being done on your hardware and whose results are being contributed to the site. Some contract/cloud sites offer traditional mining pool services as well as their rental services. For more information about mining pools and pool sites, see the section called “ Good times at the mining pool ”.

  • rental cost - the cost for renting a guaranteed amount of hashpower or one or more specific real or virtual machines. There is often no pool fee for such contracts - it's built into the contract cost.

Before worrying about the cost, a key to selecting a cloud site is to find one that mines using the algorithm that you are interested in, if you care. Some sites use an algorithm that is used by the cryptocrrency that you want to mine, while others mine using other algorithms and pay in a supported cryptocurrency, which you can eventually convert into the cryptocurrency that you are interested in by using a multi-asset wallet or an exchange. See the section called “ Overview: Single currency and multi-asset wallets ” and the section called “ Using an exchange ”

To find a site that will mine for you, a simple Google search for "cryptocurrency mining site" (and optionally the algorithm or cryp[tocurrency that you're interested in) will turn up lots of sites for you, and will be more up-to-date than a written list could possibly be. To get you started here, some specific sites that I have used or heard about from friends are the following:

  • Genesis Mining - probably the largest Bitcoin and scrypt cloud mining provider. They support over six algorithms that can produce profits in more than 15 crrencies. Genesis Mining offers two Bitcoin mining plans with four levels of service each, and four levels of service each for Dash, Ethereum, Litecoin, Monero, and Zcash. If being sold out of various service levels for multiple currencies is any indication, they're doing great!

  • Hashflare - offers SHA-256 mining contracts in Bitcoin, Dash, Ethereum, Litecoin, and Zcash pools. Contract prices look very inexpensive until you check the units that they are measured in. Profitable SHA-256 coins can be mined, but automatic payouts are still in BTC, which makes things hard to calculate. If being sold out of mining contracts for multiple currencies is any indication, they're doing great! At the time this document was last updated, only a limited number of Ethereum contacts were available - all other contract types were sold out.

  • hodlAir - provides multi-algorithm uhash (micro-hash) contracts to simulaneously mine multiple altcoins and share in general site profits, with payouts in Bitcoin supported currency. Their farm is therefore made up of multiple types of ASIC miners and GPU rigs. Each contract has a ‘Guaranteed Minimum Hashrate’ (currently 127GH/s of SHA256 mining). Their innovative multi-algorithm model is unique to the industry, and is therefore creatively profitable.

Storing Cryptocurrency

A big part of creating a crytocurrency and fostering its success is creating a wallet in which coins in that currency (or representation of them) can be stored. After all, the "coins" in a given cryptocurrency are just pointers into the blockchain (or its equivalent) for that currency. A cryptocurrency wallet is a device, physical medium, application or service that stores a pair of public and private cryptographic keys for each type of cryptocurrency that it supports. Your wallet's public key for a cryptocurrency enables other wallets to send a currency to the wallet's address and the private key for a cryptocurrency enables you to send cryptocurrency from that wallet to another address. A wallet is basically the crypto equivalent of a bank account - it's your personal interface to one or more types of crypto coins in the crytocurrency network, just as an online bank account is an interface to holdings in the traditional monetary system.

The first cryptocurrency wallet was introduced by Satoshi Nakamoto in 2009 when he first released the bitcoin paper and implementation. One bitcoin can be divided out to eight decimal places. This means that one bitcoin corresponds to 100 million satoshi, the smallest base unit, and> bitcoin wallets must support that level of granularity. As other currencies emerged, they were each accompanied by a wallet for storing keys for that currency, and other implementations of those wallets also emerged. As more and more cryptocurrencies appeared, wallets that could handle more than one cryptocurrency (known as a multi-asset wallets also began to appear.

The type(s) of wallet(s) that you use depend on how you are using cryptocurrencies. If you are using them as a long-term savings or investment mechanism, hardware wallets are probably you best option because of the stability and security that they provide. If you are frequently trading cryptocurrencies, a desktop or web software wallet is probably best. If you always have access to the computer on which a desktop wallets runs (and do regular backups to an off-site device), a desktop software wallet provides greater security. If you are mobile and are always using different devices, a web wallet is probably your best option. More about all of these options later...


Wallets generally store one or two types of semantically similar assets, coins and tokens. Coins are just what we typically think of coins as: a money equivalent that is a native blockchain object that serves as a medium of exchange and as a medium of storing account value. To muddy the water, Ethereum introduced EIPs and ERCs (Ethereum Improvement Proposals and Ethereum Request for Comments), the latter of which is a type of the first. These are sponsored by the Department of Redundancy Department - sorry, JUST KIDDING! These are developed or proposed by the Ethereum community. ERC20 introduced a protocol standard defining rules and standards for issuing tokens based on Ethereum's blockchain. Tokens therefore differ from coins because (1), they are not native blockchain objects and (2), they are generally based on coins from some blockchain but are abstractions used for some logical purpose. To muddy the water one final time, only the truly pedantic care about that difference, and the terms are generally used interchangeably by people who are buying or or selling them. People who are actually using or spending them see a big difference. Coins vs tokens is almost the modern equivalent of Lewis Carroll's "Why is a raven like a writing desk?"

The next few sections discuss how different types of cryptocurrency are obtained, and the different types of wallets that are available. Each of these sections discuss the pros and cons of each type of wallet and provides a few examples of each. A subsequent section then discusses currency exchanges, often simply referred to as exchanges, which enable you to trade between supported cryptocurrencies, and even to convert cryptocurrencies into traditional (fiat) currencies. They are referred to as fiat currencies because they are as futuristic as the rusting cars by that name - JUST KIDDING!. They are called fiat currencies because that is the term for legal tender whose value is backed by the government that issued it. This differs from currencies that are backed by some physical asset, such as gold or silver, which are therefore referred to as commodity currencies.

Overview: Single currency and multi-asset wallets

Different wallets obviously differ in style, general user interface, and in the sequence of actions that you must take to send a cryptocurrency somewhere or check the balance of your holdings. However, beneath these differences are two more fundamental ones - where the assets in them are stored, and how many different types of assets can be stored in them.

Hardware wallets

A hardware wallet is a physical device built for the sole purpose of storing the keys for crypto coins. The next two sections discuss the two primary types of hardware wallets: a paper wallet that records the keys for a specific type and amount of cryptocurrency, and a hardware wallet that records the same types of keys but stores it in flash memory on the device, so it is easier to add to or subtract from when spending a cryptocurrency. Hardware wallets are a good choice if you’re serious about security and convenient, reliable cryptocurrency storage.

Physical hardware wallets keep private keys separate from potentially vulnerable, always connected devices that could potentially be accessed by the entire Internet when you are online, modulo the degree to which your computer's security system enables access to specific devices. If you do not block incoming network traffic that was not initiated on your end, cyber-criminals could target a software wallet on your computer and steal cryptocurrency by accessing your private keys. Using a hardware wallet provides another level of security by requiring another, password or PIN protected way to reach your keys. Even if the hardware wallet (the physical device) is stolen and cyber-criminals can obtain the software used to access it, criminals would have to know your password or PIN to access the cryptocurrency keys that it contains. It is therefore a good idea to retain a backup code or device dump that you can use to restore your wallet and its contents.

There are two classes of hardware wallets: hot and cold. The difference is simple. Hot wallets can be connected to the Internet (generally through another Internet-connected device), while cold wallets are completely offline. The cold wallets still require a communication mechanism, generally QR code scanning or physical MicroSD with stored PSBT (Partially Signed Bitcoin Transaction) BIP 174 transactions to add or spend currency. BIP 174 is a proposed extensible standard for exchanging information about such transactions. QR scanning makes wallets that support it very mobile-friendly. Cold wallets are often limited to handling a smaller number of cryptocurrencies because they can be difficult to update due to their disconnected nature.

Paper and steel wallets

A paper or steel wallet is an offline mechanism for storing Bitcoins. This type of hardware cryptocurrency wallet is as simple as witting down a single pairing of a Bitcoin address with its corresponding Bitcoin private key. These wallets are not fancy technical slang - they literally mean a wallet made of one or more sheets of paper or a flat piece of steel. The very technical process of using them involves printing the private keys and Bitcoin addresses onto paper or transcribing them into a steel wallet using applied letters and numbers of some sort. Paper and steel wallets are always cold wallets unless your computer system has some sort of osmosis interface. if you do, maybe you should be selling the osmosis interface rather than spending your time with crypto.

You can buy regular sheets of paper to make a paper wallet anywhere, or you can buy slightly fancier paper or light cardboard "wallets" on sites like eBay. Paper wallets are cold wallets and are therefore immune to hacking, but slightly more susceptible to physical theft than whizzy hardware wallets that require password to gain access. Other possible problems with paper wallets include:

  • fire

  • floods

  • "the dog ate my cryptocurrency wallet"

Slightly cooler than the eBay solution for paper wallets are web sites that will generate wallet templates for you. Some touch-up is required after generating them, since you should run away from any wallet generation site that asks for your private key and cryptocurrency address as input. You might as well post them on Facebook as an offsite storage solution.

Some cool sites for generating paper wallets are the following:

After printing and customizing a paper wallet, put it in a zip-lock baggie, and then put that inside a safe. Your cryptocurrency will then be safe, at least from computer hacks.

Once you've created a paper wallet, you can still add funds to it by telling people to send bitcoins to your Bitcoin address (or other cryptocurrencies to their wallet address). You can always check your balance by going to sites like or and entering your bitcoin address. Spending cryptocurrency stored on a paper wallet is a bit more complex, requiring that you temporarily go through a hot wallet.


Satoshi advised that one should never delete a wallet.

I'm not aware of any sites that let you print steel wallets, but that's probably more because I'm not aware of any steel printers. Other types of hardware wallets sold on eBay may be pre-hacked, but the blank steel ones are safe.

USB and QR scan wallets

A USB wallet is an electronic device that typically must be connected to your computer, phone, or tablet (i.e, a computer) before the coins that it contains can be spent, examined, or added to. QR scan wallets are offline hardware that use QR scanning to exchange data, and thus are never physically ` connected to your systems. USB wallets are hot wallets; QR scan wallets are generally cold wallets. As always, the coins that a hardware wallet contains are actually the private keys required to access those coins. A hardware wallet typically uses writable flash storage to provide secure offline storage for your cryptocurrency. Because a hardware wallet is just a persistent storage device, its contents are typically secure even if it is connected to a computer that is the Typhoid Mary of viruses and malware.

Some minimal level of care for a USB hardware wallet itself is still required, akin to the type of security that your bank typically provides for the funds that it holds. Hardware wallets do not survive lightning bolts or being directly plugged in to AC outlets, so (for example) I would not put any of my USB wallets in my pocket and then go walking on a golf course during a thunderstorm, but maybe that's just me.

Even if hardware wallets are stolen, their contents usually still require a PIN (Personal Identification Number) and special software to access them. The storage is typically encrypted, so reading the raw hardware device won't help. You should still use whatever mechanism the device manufacturer suggests for backups. Knowing the PIN won't help much if you lose the hardware wallet itself or it is stolen. Caveat dummy.

The next sections discuss some well-known and well-regarded hardware wallets, the Ledger X and the Terror T. There are many other vendors of hardware wallets, such as Bitfi, Coinkite, Ellipal, Kasse, Keepkey, Temexe, and even more. Of these, the Coinkite and Ellipal cold wallets and the Keepkey hot wallet seem the most interesting, but I don't have actual experience with them, so I can't actually recommend them.


If you're a wallet manufacturer whose product I did not discuss, and you would like me to test and discuss your wallet, send me one!

Ledger Nano X

The Ledger Nano X is Ledger's newest multi-asset hardware wallet, following on the heels of Ledger's classic and popular Nano S.

Hardware: Like the Nano S, the Ledger Nano X is an attractive, simple USB stick with a swing-down metal connection protection cover. The only problem I ever had with the Nano S was its limited storage. In my case, I was limited to storing 3 cryptocurrency assets on the Nano S, because space requirements depend on the currencies that were being stored. Currencies that are related to each other (Ledger uses the term "derivative") can share storage space with each other (application code libraries). Currencies that are orthogonal to each other therefore consume more space because their blockchain and code are unrelated and nothing can be shared between them. The Nano X removes this limitation by providing sufficient capacity to store at least 10 currency assets (Ledger claims 22, but I haven't gotten there yet).

Software: The Nano X introduces a new Ledger Live application, which can be used from an IOS or Android phone or tablet, or from a Windows, MacOS, or Linux system. I won't walk through the software installation process - suffice it to say that it's quite simple and straight-forward. Remember to write down and verify the 24-word recovery phrase when it is created - that is absolutely critical for recovering your currencies if you have problems down the road! You will have to select the coin-specific download that you want to install in order to create an account for that cryptocurrency. Once you create an account, transfers work normally on that device by supply a local or remote wallet address to add or spend coins, and then receive or send that amount or that currency to/from the Nana X.

As mentioned previously a zillion times or so, backups are critical for all wallets, especially so because all the responsibility for backups, restores, and security is yours. Ledgers support restoration from the magic 24-word recovery phrase, and you can also use another Ledger as a hot spare or a second access point for another party. The cost of another Ledger as a backup device pales beside the cost of a complete hair transplant if you lose your Ledger device, have to order another one to recover assets that are worth significantly more than the cost of that second Ledger device.

Hardware wallets are my favorite place for long-term HODL'ing (sic) of cryptocurrency. The security provided by the Ledger hardware combined with ease of use provided by the Ledger Live software makes the Ledger Nano X another winner, and my favorite hardware wallet. The Nano X also speaks Bluetooth so, while this provides yet another attack point for crackers, it's one less cable on your desk!

Trezor T

The Trezor T (AKA the T) is the latest product from SatoshiLabs, one of the original manufacturers of multi-asset hardware wallets for all your cryptocurrency needs. The Trezor T is a follow-on to their first hardware wallet, The Trezor One (AKA the T-1), and offers significant improvements in both hardware and software.

The T introduces a color touchscreen that does away with the need for physical button and provides a small, easy-to-use footprint. The T is the primary competitor for the Ledger Nano X , and maintains Trezor's well-respected emphasis on security. The T features a twelve word recovery seed much like Ledger's 24 word seed, and you use a 4 to 9 digit PIN to access the T for every day use. Backing up (and restoring, if needed) the T is easy to do from its software, using a 24-word seed to reflect up-to-the-minutes status of all stored cryptocurrency. Store these seed somewhere safe and impervious to loss or destruction!

The T is a USB device that therefore attaches easily to a desktop or tablet computer for spending, examining, or receiving cryptocurrencies. The cryptocurrencies that the T supports are Bitcoin, Bcash, Bitcoin Gold, Dash, Ethereum, Ethereum Classic, Expanse, Litecoin, NEM, UBIQ, and Zcash, and also supports many similar currencies. (See their web site for a complete list.) It is an excellent wallet that supports slightly fewer coins then the Ledger Nano X, but if you are focused on one of the supported currencies, its interface and ease-of-use trump the Nano X.

Software wallets

The most common and easiest to use cryptocurrency wallets are software wallets, which provide a desktop interface that is either dedicated software or a web-based interface to the asset storage that they provide. Dedicated desktop software wallets generally store and track cryptocurrency holdings on your local system, and interact with the associated blockchain by copying it locally (slow!) or through various interfaces to the remote blockchain. Web-based wallets provide the same capabilities, but store your keys and the assets that they track in the cloud. Best of all, software wallets of both types are free, surviving by taking a small fee from each of your transactions.


Another way to think of software wallets is that they differ by how/where addresses are created to identify your stored cryptocurrency, and by who controls the storage in which they are held.

When seriously evaluating software wallets, it's always useful and important to determine which BIPs (Bitcoin Improvement Proposals, discussed at the beginning of Chapter 12, Crypotocurrency 101 ) they conform to and/or implement. Ensure that the software wallet that you are considering complies with at least the BIP32, BIP39 or BIP44 standards.

The other most important things to know about software wallets is (1), someone will try to hack them and (2), local storage wallets are vulnerable to system failures or other catastrophes. You should always carefully back up software wallets, most critically in the case of desktop software wallets with local currency/key storage, which is always online when your system is. Backups are just as critical for web wallets. Web wallet storage is not local, but web/cloud storage is more susceptible to hacking since it is always online.

The next few sections discuss desktop and web software wallets, proving a few examples of each. Remember that a good general rule for these is that a software wallet is a good place to keep the cryptocurrencies that you're currently using or planning to use, but a hardware wallet is a better place to HODL large amounts of long-term hodlings. Think of them, respectively, as your standard wallet and your own personal Fort Knox.

Desktop software wallets

Desktop software wallets are applications that run on internet connected devices like a computer, mobile phone, or tablet. They and the keys that they contain are always available, so they are often referred to as hot wallets. Hot wallets usually generate and store your private keys on an Internet connected device. They can't be considered totally secure from malware such as key loggers, which could capture the key sequences required to open and access a software wallet and the keys that it contains. Software wallets are best thought of like your physical wallet - convenient to carry the amount of currency that you plan to actually use or receive, but not the right place to store your entire life's savings. Sorry to keep beating this horse, but you'll thank me when some fake Jeff Goldblum Independence Days your computer.

Some of the most popular and well-regarded multi-asset desktop software wallets are the following:

  • Atomic Wallet - It's lucky that Atomic Protocol Systems' Atomic Wallet comes first in this list, because it's also first in the hearts and minds of many crypto fans, myself included. The Atomic Wallet is a multi-asset software wallet that provides an easy-to-use interface to over 300 coin and tokens. It features versions for all popular platforms.

    Figure 12.1. Atomic Wallet

    Atomic Wallet

  • Exodus - Exodus is extremely popular, featuring many UI bells and whistles like graphical charts that show the history of your hodlings. It supports over 100 assets and highlights that it keeps you private keys local to your hardware, giving you total, local control over your assets. It can also be integrated with the Trezor T, enabling you to easily move assets between hot and cold storage,moving assets. To further impress, it includes exchange functionality, and makes it trivially easy to trade one currency for another (known as "rebalancing"). Exodus is a great wallet that runs on all popular platforms. If you're just getting started with crypto, give Exodus a try!

    Figure 12.2. Exodus


  • Jaxx Liberty Blockchain Wallet - Jaxx Liberty is a nice wallet that was created by one of the founders of Ethereum and supports over 70 currencies. Jaxx Liberty runs on all popular platforms, and even provides a chrome extension that enables you to access you local storage. Many people are fans of its UI, which I am not. It is nice in that it includes some exchange capabilities courtesy of ShapeShift, which enables you to change your hodlings without explicitly visiting a third party exchange and ts associated costs. (They're built in.)

    Figure 12.3. Jaxx Liberty

    Jaxx Liberty

Web wallets

Web wallets were the original "access from anywhere" wallets because their UI runs in a web browser. They store your keys and hodling information remotely ("in the cloud"), and are therefore relatively easy to attack because crackers can try continuously. (Whether they can be hacked is a different matter, and depends on quality code and security-aware coding.) On the plus side, they are instantly accessible from any web browser).

Web wallets should be used like and other software-based wallet. They are the right place for day-to-day holdings that you need fast access to because you plan to use in the short term. They are NOT the right to store long-term hodlings like your bitcoin life's savings.

Some popular and well-known web wallets are the following:

  • - a great web wallet, with two-phase authentication required for successful login. has been around for a while, as its success, stability, and security show. Coinbase also has a local wallet, but IMHO, their web wallet shines as both a wallet and exchange. supports 23 currencies directly, with varying levels of support (more information available here). They are integrated with the ShapeShift exchange service, which can be replicated by simple selling the currency that you want to exchange, and buying the currency that you want to receive. Coinbase is also easily integrated with a bank account, credit card, and many other easy ways to buy any of the currencies that they support. I've used this for years due to its usability and convenience. Apparently, others agree, as it's the world's largest crypto broker, is a regulated company, and accounts are even FDIC insured up to $250,000. That's good enough for my quick cash. (Long-term hodlings still go into a cold hardware wallet.)

    Figure 12.4. web wallet web wallet

  • GreenAddress - Once popular as both a web and desktop wallet, its web wallet is now deprecated. I'm mentioning it here in case you just thought I'd overlooked it.

Using an exchange

As Ethereum founder Vitalik Buterin once said:

"I definitely hope centralized exchanges go burn in hell."

Cryptocurrency exchanges are like the money lenders in the Christian Bible - they provide a necessary (or at least useful) service, but only because they are making a profit from that service. That profit therefore increases the cost of that service.

All centralized crypto exchanges work on the same principle: they accept a user’s deposits on their wallets and allow the user to exchange assets as part of the deposit. Common exchanges are places like ShapeShift, but I prefer to use a software or web wallet that has a built-in exchange capability, like Atomic's atomic swap.

Chapter 13.  Buying and safely paying for stuff

"The process of buying something from a site is site-dependent...". This tautology from the Department of Redundancy Department is, surprisingly, true - but it only applies to what exactly you click on, and where, when, and in what order you do so. Otherwise, the process is basically the same everywhere, and is roughly the following:

  1. Make sure you have sufficient funds available in a currency that you can use to purchase what you want. Buy, exchange other cryptocurrency for, or mine more until you have a sufficient amount. This is absolutely the wrong time to start mining, since it takes an incredibly long time unless you have amazingly great hardware resources. Mining certain cryptocurrencies, such as Bitcoin, is unprofitable for mere mortals nowadays in most cases.

  2. Agree to purchase the item, the first step of which may be to select the payment/receipt model that you'll be using to pay for the item and, optionally, the cryptocurrency in which you will be paying. Some sites only support one payment model, such as a simple direct, escrowless payment model to a Bitcoin address, in which case selecting one model out of one is a waste of time, and is therefore unnecessary.

  3. Specify the shipping method and time frame in which you want to receive the item. (This may affect the payment amount.)

  4. Provide shipping/delivery instructions, often in an encrypted format using a user key that is porovided. See the section called “ Encrypting a message using a public key ” and the section called “ Encrypting a message using a GUI ” for discussions of common ways of doing so.

  5. Conclude the purchase, which will probably show you a Bitcoin or other cryptocurrency address to which you will transfer the funds necessary to pay for the item.

  6. If not built into the funds transfer, your wallet, or your standalone cryptocurrency account, mix the cryptocurrency that you are using so that there is no relationship between you, your account, and the funds that you will be transferring.

  7. Go to the appropriate wallet or online cryptocurrency account and send the appropriate cryptocurrency to the specified cryptocurrency address.

  8. After you have received the merchandise, complete the payment by any model necessary. Most transactions automatically forward payment after a period of time that is estimated to be longer than the shipping period.

The details of the purchase, payment, and resolution process will differ for most sites, but the process will always be all or a subset of these steps.

Keys to buying (and paying) anonymously

Key to buying and paying anonymously is doing so using identities that can't easily be mapped back to a single, personal identity. Buying anonymously is usually done by using a secure email address that doesn't identify you personally as the initiator of the purchase or payment transaction. Paying anonymously requires that obtaining the cryptocurrency with which you are paying cannot be mapped back to you personally. Chapter 9, Creating secure email and alternatives explained how to obtain a secure email address that you can use to make such purchases, including using that secure address to sign up for additional private accounts such as one at Remember that privacy and anonymity CANNOT be guaranteed for firms that are headquartered in the United States or any other 5EYES signatory country. Subsequent sections explain how to pay for anonymous purchases while keeping them that way.

Secure credit card payments

Given that credit cards typically bill to a surface address monthly, the idea of a secure credit card purchase seems odd. This is even more true of cards issued by companies based in the United States, where the Patriot Act is commonly referred to as the Misnomer Act, and where Joseph Goebbels and Heinrich Himmler are the idea of model citizens. That said, there are some ways to purchase credit cards that you can use for anonymous purchases:

  • OneVanilla prepaid VISA card - a non-reloadable VISA card that is available in denominations from $20.00 (US) through $500.00 (US), and is available at places such as US department stores (CVS, Walgreen's, Rite-Aid, etc.), Dollar General, Sam's Club, and so on - I think you get the idea. Using one of these is pretty easy, but having to give a fake zip code and a real address and phone number for certain types of credit transactions may scare you - though the address is not really tied to the credit card, the Patriot Act says the government can correlate the two and do whatever the hell else they want and claim that it's legal, and OneVanilla is a US based company.


    Receiving initial account information, such as a PIN, is one of those cases where you need to receive the mail but you probably don't need or want it to be permanently ties to a specific email address. This is a good situation under which you may want to use one of the disposable email providers that were discussed in the section called “ Using a disposable account for notification ”.

  • PaySafeCard - a prepaid online wallet and associated PIN to access your account gives you to security of a credit card without all the tracking. As a UK company, they don't have quite the same "bend over and spread them" response to the police that American countries do, though the UK is a 5EYES participant, so YMMV and so may your cell number (jail cell, not your portable phone).

  • BitCoin ATMs - you can search online for BitCoin ATMs, but these are often a bad investment because the price of bitcoin is so volatile, and many businesses do not yet accept bitcoin for payment. The cryptocurrency process is still new to many people, and a bitcoin ATM is hard/impossible to use without a computer. If you have a computer, and are comfortable with bitcoin already, well-mixed bitcoin is often the easier way to go. See the section called “ Mixing payments to aid anonymity ” for more information.

Pre-paid credit cards and similar accounts are often private, but may not be completely confidential. If both privacy and anonymity are your goals, check carefully before buying and using one.


When purchasing things such as VPNs or other security software that sends a password to an email address, ensure that you are using a secure, non-5EYES email service. 5EYES is explained in the the section called “ What is 5 EYES and why do they suck? ” in the section called “ Some popular commercial VPNs ”, and the secure email providers discussed in Chapter 9, Creating secure email and alternatives each identify the extent of their compliance with this satanic and misleading set of regulations.

Choosing dark web payment models

Different dark web markets offer different ways of paying for your purchases, which are paid for using one of the following models:

  • escrow - you make the payment, and funds in your account are locked until both the buyer and the seller agree that the sale has completed successfully, until the default transaction period had completed, or until a complaint has been filed about a problem with the transaction or merchandise received. Complaints about receipt or merchandise are decided upon by a third party, usually representatives of the market where the merchandise was bought and sold.

  • multi-sig - three parties are required: the buyer, the seller, and an impartial third-party. The wallet address becomes a pay­to­scrip­hash (P2SH), where with a “3” instead of a “1”, and where all three parties must agree (using their new keys) in order for the transaction to be completed. These multiple private keys form that basis of the names for this type of transaction: multi­signature, or multi-sig. The buyer initiates the transaction, identifying the seller and the third-party judge. The judge is paid whenever third-party resolution is required, and the arbiter receives that fee from the remaining party when the return the funds to the non-responsible party.

  • smart contracts - work the same as escrow except that they are unbiased and automated.

Mixing payments to aid anonymity

The blockchain in the days of Satoshi first gave us the bitcoin cryptocurrency, which was supposed to guarantee anonymity. Anonymity was supposed to be the case even though the blockchain/transaction relationship has be be explicit and initially permanent so that the rewards for solving the nonce could be paid to the right party. It does guarantee anonymity in the sense that the bitcoins you get aren't stamped outright with your social security number and return address, but it is easy enough to backtrack and calculate those unless that info is somehow obscured or obfuscated.

Mixers are the key to truly anonymizing bitcoin by severing that relationship by repeatedly shuffling bitcoins through one or more laundries, where you purchase someone else's bitcoins, use those to purchase others, sell those to buy others, and rinse lather repeat until the chain of ownership is thoroughly broken -or is at least thoroughly mixed up.

As a requirement to guarantee anonymity, mixing is often done automatically by various markets, but you can also it yourself if you are truly paranoid. This may required (both the mixing and the paranoia) if the market you buying from doesn't offer this service. A general outline of the process is the following:

  1. Create an initial wallet to work with, either on the surface web or the dark web.

  2. Buy some amount of bitcoins, larger than the amount you plan to spend on a market. Keeping these quantities different helps obfuscate the relation between buying and selling. Deposit those bitcoins in the initial wallet.

  3. Create a second wallet, on the dark web if the first wallet was on the surface web, or on the surface web if not. Use an identity that cannot be directly tied to you or the other wallet.

  4. Transfer the bitcoins from the first wallet to the second one, preferably though multiple transactions (though each transfer incurs a small transaction cost).

  5. Create yet another wallet, this time definitely on the dark web.

  6. Using both dark web wallets, multiple transactions that are less than the full amount of bitcoin that you are mixing, and with an irregular amount of time between each transaction, shuffle the bitcoins until you are sure that their trail is cold. The more times you shuffle, the more mixed up your bitcoins are.

If you're lucky, smart, or both, the market you're executing a transaction in will do do this for you as part of the escrow or equivalent payment process. Understanding what's happening behind the scenes, and how this breaks the direct connections between coins, wallets, buyer, and seller is very important if you want your transactions to be secure. Caveat emptor, and everyone else, too.

If you do not want to do your mixing yourself and the market where your purchase is taking place doesn't do it for you automatically, some popular bitcoin mixers are the following:

  • Bitcoin Blender - A Tor hidden service that provides a mode which does not require the creation of an account in order to do simple mixing.

  • Bitcoin Laundry - low fees, a usable user interface (UI), and good security easily explain the popularity of this site. By default, logs are purged weekly, but log purging can be requested at any time.

  • BitMix - Enables you to mix Bitcoin, Ethereum, and/or Litecoin. Low commission, quick mixing, and full anonymity. Minimums are required for different cryptocurrency transfers. No logs are retained.

  • CryptoMixer - Well-suited to large volume mixing, Generated addresses are retained for 24 hours, then discarded.

These are just a few of the better-known and well thought of mixers that are available - the Internet is a big place, and there are certainly others, with new sites and new bells and whistles appearing all the time.

Concluding payments and purchases

Once you've made a purchase, selected a payment model, and received your merchandise, most escrow (and certainly auto-accept) payments are made for you without subsequent work on your part. If you're satisfied the the transaction, it's generally good form for you to leave a positive message about the merchandise and the seller. This helps others feel comfortable in dealing with the market and seller (or, occasionally, warning them away). Either way, this makes life better for everyone.


Make sure that you test/trust every point at which cryptocurrency rests and moves. Always deposit a small amount of cryptocurrency into a wallet first, and then withdraw/deposit/transfer a small amount from there into another wallet/account, preferably one which you have used before. Once a full deposit/withdrawal/transfer cycle has completed, you can feel safer about making actual purchases and payments from there. Also, if you can ever get my funds out of EasyCoin (or can get me five minutes alone in an alley with its operators), I have a small reward waiting for you.

Always assume the other parties involved are dishonest, and you will never be disappointed. If all goes well, you will be pleasantly surprised, but I'm sure you'll be able to deal with that!


Here you go:

browser fingerprinting

A mechanism through which, despire your efforts at assuring privacy and anonymity, malicious scum tries to track you by inspecting browser header and other data, general usage patterns, and similar "soft" data. See the section called “ Avoiding browser fingerprinting ” for some examples.


See Also libreboot.


(A &| B), where:

  • A - a flat, dry baked food typically made with flour, sometimes known as water biscuits or just biscuits

  • B - very smart and technically savvy people who skipped their ethics and morals classes (or simply don't care about them). They have gone over to the dark side, usually in search of money and fun, with money having precedence.

See Also hackers.

cryptocurrency types

The following table provides the full names and abbreviations for many type of cryptocurrency. There are zillions more - it would be impossible to try to catch up.

Table 6. Common cyrptocurrencies and symbols

BitcoinBTCBitcoin CashBCH
EthereumETHEthereum ClassicETC

dike it out

To remove hardware by using diagonal cutters to excise it. It is also used to refer to removing software by cutting it out of the source code rather than simply commenting it out. The ignorant or politically insensitive sometimes get a laugh by spelling this as "dyke it out".


Usually used in discussions of using I2P, the "Invisible Internet Project", an eepsite is a website that is hosted anonymously, a hidden service which is accessible through your web browser and its support for I2P.


As the name suggests, firmware is neither pure software or pure hardware - it is a flexible, "mushy" software component that lives in updateable hardware. It is therefore resident across each time that you boot your computer, where its residence in low-level hardware is taken advantage of by loading and running it during the system boot process. Its existence as updateable software is taken advantage of each time it is corrected or enhanced and reloaded into the persistent hardware on a computer system.


Free software of which a more powerful or officially supported (i.e., premium) level that costs money is also available.


From the Latglish: Geo, for earth, and location, for location; literally "Where on earth you are."


Superstars and gunfighters of technology, there are white hats (good guys), grey hats (noncommittal good guys who may occasionally stray to the dark side), and black hats (bad technophiles with souls the color of the La Brea tar pits). These are all truly smart and clever people who understand how the technology and of today (and often tomorrow) works, are curious, and want to know more.

See Also crackers.


The term HODL, originally a typo for HOLD (as in to buy and hold cryptocurrency), originated in a drunken newsgroup post that is available for your reading pleasure here.


In my honest opinion. Ths means that what follows is something that you might not like, but it's still just my opinion. (Even though it's obviously correct.)


Just In Case


One of the most popular free, open source BIOSs, libreboot is also the BIOS behind CoreBoot, which is a quarterly checkpoint of LibreBoot. CoreBoot provides a regular release stream for LibreBoot, and also provides an expanded testing and debugging stream for Libreboot. All CoreBoot fixes and enhancements are consideration back into the LibreBoot source archive.

non-routable IP addresses

IP addresses that are reserved for internal networking use and are therefore not forwarded/routed to other locations (outside of the current network) for final delivery. For IPv4, these are addresses in the ranges -, -, and - These reserved IP addresses provide an extra layer of security for the “internal” side of a network. Non-routable IP addresses were proposed in RFC 1597. Non-routable IP addresses are why most pieces of cheap network hardware come with a default address of 192.168.1.X - it's safe and sells a lot of crossover network cables.

Open Internet Tools Project

New York-based project working to improve and increase the distribution of open source anti-surveillance and anti-censorship tools. (Current state of this project is unknown.)


On the other hand. Something that is in contrast to what was just said/written.


A multi-word password that - as a phrase - is often more easily remembered than a complex single password with upper and lower case, symbols, and the like.

Persistent Storage

Any data storage device that retains data after power to that device is shut off. Persistent storage is also sometimes referred to as non-volatile storage. (It is amazing how many web sites use that exact definion, so I did too.) When referring to the data itself, that quality is known as persistence. (I added that part).


An application or service that receives data which was intended for another application or service, performs some intermediate processing, and re-forwards the processed data to one or more applications or services (which can include the same or other instances of the original application or service).

restore point

A saved operating system (i.e., Windows system disk) configuration that you can restore your system to. zWhether you call it a "save point" or a "restore point" just reflects how you think of it - as something you save or as some saved thing vthat you restore to. Five plus one, or seven minus one of the other.


The Recording Industry Association of America, which sounds good but which actually is to recording artists as a mercenary version of the Nazi party is to dentists.

security through obscurity

An optimistic security model based on the concept that what you can't see or find can't offend or be exploited by the people who are greedy or don't approve of it. Extremely easily to implement, this model is great until someone is offended or takes advantage of the it. Like many good things, this security model is extremely money-soluble.

Small Office, Home Office

The generic term for the smallest of businesses or home offices, usually used as a way of typifying a small network setup.


The traditional UNIX term for the standard error output of a command, which is where any error message(s) from that command are written. By default, this is the terminal or invoking application (such as a shell) from which you started the command, and is also file descriptor 2.

See Also stdout, stdin.


The traditional UNIX term for the standard input of a command, which is where the input of that command comes from. By default, this is the terminal or invoking application (such as a shell) from which you started the command, and is also file descriptor 0.

See Also stderr, stdout.


The traditional UNIX term for the standard output of a command, which is where the output of that command is written. By default, this is the terminal or invoking application (such as a shell) from which you started the command, and is also file descriptor 1.

See Also stderr, stdin.

three-letter acronym

A Three Letter Acronym, once standing for groups of freedom figghters (for example, the SDS), but nowadays reserved for "intellience" agencies (I'm serious, that's how they think of themselves!) whose goals are to bend your will and behavior to comply with their goals.

Trusted Platform Module

A chip on your computer's motherboard (or on an add-in board) that generates and stores encryption keys. If storage vis encrypted, the TPM can automatically unlock that storage drive during the system's boot process so that you can sign in by typing your Windows login password. If someone tampers with the system motherboard or removes the storage from the computer and attempts to decrypt it, the storae can't be accessed without the key stored in the TPM. A TPM generally won't work if it's moved to another system's motherboard. You can buy and add a TPM chip to some motherboards, but if your desktop. server, or laptop motherboard doesn't support doing so, you can still use encryption mechanisms such as BitLocker without a TPM, though this is more hassle and less secure.


TUN/TAP devices are virtual network devices that use a user-space application to communicate between the operating system kernel and a physical network device. TUN devices (that is, network TUNnel) simulate a network layer device and operate with layer 3 packets like IP packets. TAP devices (that is, network TAP) simulate a link layer device and operate with layer 2 packets like Ethernet frames. TUN is used with routing, while TAP is used for creating a network bridge.

This definition was cheerfully lifted/paraphrased from Wikipedia. but don't worry, I gave them both this attribution and donated some money.


Your Mileage May Vary. You may not feel exactly the same way as I do or get exactly the same results as I did, but that's life, and I'm still right in whatever I said/wrote.



Air VPN tests, Using web sites for VPN testing
(see also IPLeak test)
Alienware, Selecting your hardware
Allow access to the camera on this device, Protecting camera settings
Allow apps to access your camera, Protecting camera settings
Allow apps to access your location, Customizing location
Allow desktop apps to access your camera, Protecting camera settings
anglosphere, What is 5 EYES and why do they suck?
Anon Net, News and information sites
AntPool, Good times at the mining pool
Arch Linux, Just Browsing, honest!
(see also JustBrowsing)
Atomic Wallet, Desktop software wallets
AzireVPN, Some popular commercial VPNs


end-to-end encryption, Encrypting and decrypting email
enemies of the Internet
fighting, Censorship circumvention tools
exchanging cryptocurrencies, Using an exchange
Exodus, Desktop software wallets
ExpressVPN, Some popular commercial VPNs
Extensions, Opening .onion links in Chrome


Mac OS
SoftEther VPN, Some popular commercial VPNs
MacOS firmware password, Setting a Firmware password on MacOS
mail service
end-to-end encryption, Encrypting and decrypting email
Guerrilla Mail, Using a disposable account for notification, Using a disposable account for notification
Mailfence, Creating a secure email account , Commercial services
Protonmail, Creating a secure email account , Commercial services, Creating a secure email account , Commercial services
Throwaway Mail, Using a disposable account for notification, Creating a secure email account , Commercial services, Using a disposable account for notification
Mailfence, Creating a secure email account , Commercial services
Microsoft security
trusting, Managing activity history tracking
mining, Earning cryptocurrency by adding to its blockchain
mining hardware vendors
Bitmain, DIY Mining: There's crypto coins in them there algorithms
Caanan, DIY Mining: There's crypto coins in them there algorithms
FutureBit, DIY Mining: There's crypto coins in them there algorithms
Gekko Science, DIY Mining: There's crypto coins in them there algorithms
Halong Mining, DIY Mining: There's crypto coins in them there algorithms
Pangolin Miner, DIY Mining: There's crypto coins in them there algorithms
mining pools, Good times at the mining pool
AntPool, Good times at the mining pool
F2Pool, Good times at the mining pool, Good times at the mining pool
Slush Pool, Good times at the mining pool
mixers, Mixing payments to aid anonymity
Bitcoin Blender, Commercial services
Bitcoin Laundry, Commercial services
BitMix, Commercial services
CryptoMixer, Commercial services
list of, Mixing payments to aid anonymity
process of, Mixing payments to aid anonymity
Mofo Linux, Getting network interface addresses
MSLeak test, Using web sites for VPN testing


Qubes OS requirements, Qubes OS

S, Creating a secure email account , Commercial services
Sci-Hub, News and information sites
secure system, Putting together a secure system
security, Managing activity history tracking
content, Ways of exploring
physical, Ways of exploring
through obscurity, Overview
Select Distribution, Writing a Linux distribution to USB storage
Select Version, Writing a Linux distribution to USB storage
Send my activity history to Microsoft, Managing activity history tracking
Allow access to location, Customizing location
Allow access to the camera on this device, Protecting camera settings
Allow apps to access your camera, Protecting camera settings
Allow apps to access your location, Customizing location
Allow desktop apps to access your camera, Protecting camera settings
Choose which apps..., Customizing location
Choose which Microsoft Store apps..., Protecting camera settings
Clear activity history, Managing activity history tracking
DefauaZlt location, Customizing location
Delete diagnostic data, Minimizing diagnostics and similar reporting
General privacy options, General privacy options
Geofencing, Customizing location
location , Customizing location
Location history, Customizing location
Provide locally relevant content, General privacy options
Send my activity history to Microsoft, Managing activity history tracking
Show activities from these accounts, Managing activity history tracking
Store my activity history on this device, Managing activity history tracking
Tailored experiences, Minimizing diagnostics and similar reporting
View diagnostic data, Minimizing diagnostics and similar reporting
diagnostic data, Minimizing diagnostics and similar reporting
diagnostics and feedback, Minimizing diagnostics and similar reporting
Feedback frequency, Minimizing diagnostics and similar reporting
improve inking and typing, Minimizing diagnostics and similar reporting
ink and personalization, Disabling ink and typing personalization
speech recognition, Disabling speech recognition
Show activities from these accounts, Managing activity history tracking
Show suggested content in Settings app, General privacy options
tor circuits, Tor circuits
Slush Pool, Good times at the mining pool
SOCKS proxy, SOCKS 5 tunnel for tor
SoftEther VPN, Some popular commercial VPNs
Dat Mofo Linux, Some popular commercial VPNs
software wallets
, Desktop software wallets
Atomic wallet, Desktop software wallets
Exodus, Desktop software wallets
Space used to preserve file across reboots, Writing a Linux distribution to USB storage
speech recognition, Disabling speech recognition
Store my activity history on this device, Managing activity history tracking
surface web, Overview
System 76 systems, Selecting your hardware


Xubuntu, Kodachi! Gesundheit!
(see also Kodachi)