Through the Web, Darkly

© Copyright 2019 William von Hagen. All Rights Reserved. All opinions expressed in this document are the opinions of the author, except where explicitly attributed to someone else. They are just that - opinions. Free thought and speech are still legal, isn't it?

Released on Amazon and as donation-ware. If you didn't get this on Amazon and liked any part(s) of this document or found it to be useful, please make a small donation via PayPal to or in Bitcoin to 35DnXM3Fg9zvirbraGmUGecLy7EPZiBWsT. Thanks!

Comments welcome. Updates will be ongoing. Any errors are accidental. Please report them to to ensure that this document is corrected.

Heads up! The cover illustration is a public domain photograph of the skull of St. Wenceslaus. Merry Xmas, reader!

ISBN-13: 978-0-578-56194-3

Version 20190815-002

This legend may not be removed from this document by any party. That would be just plain wrong.

Table of Contents

About this book
1. Overview
Cast of hackers
Differentiating between privacy and anonymity
Ways of exploring
Non-reader's checklists
More reasons to worry abut privacy and anonymity
2. Selecting an operating system
What OS to use when exploring
How Linux is distributed
To VM or not to VM?
Putting together a secure system
Dat Mofo' Linux
Kodachi! Gesundheit!
Parrot Linux - Argv, matey!
Qubes OS
TAILS, I win
Whonix do you love?
Recommendation: Which Linux?
3. Installing Linux on a USB stick
Partitioning and formatting USB storage
Formatting the partitions on your USB storage
Writing a Linux distribution to USB storage
Now I have a bootable secure OS - Why read more?
4. My kingdom, or 0.005 bitcoin, for a VPN
Why a VPN?
What is 5 EYES and why do they suck?
Censorship is to knowledge as lynching is to justice
Avoiding DNS filtering, hijacking, and redirection
Freedom by proxy
Useful browser extensions
Censorship circumvention tools
Must-have VPN features
Some popular commercial VPNs
Free VPNs with a caveat or two
VPN alternatives
Smart DNS
SOCKS 5 tunnel for tor
Rolling your own really-close-to-a-Linux-VPN
Is my VPN working?
Using web sites for VPN testing
Testing your system for identity leaks
Manually examining network addresses
5. Obtaining, installing, and configuring the tor browser
Tor, good god, what is it good for?
Tor in a nutshell
Host lookups in Tor
Tor circuits
Obtaining and installing the Tor browser
Verifying download integrity
Installing and running downloaded Tor
Configuring Tor
Verifying and fine-tuning tor
Becoming a Tor relay
Using Tor bridges
Verifying connectivity and resolving timeouts
Avoiding browser fingerprinting
Developing good, paranoid browser habits
I insist on using some-other-browser
Opening .onion links in vanilla Firefox
Opening .onion links in Chrome
Using a SOCKS5 proxy and any browser with the Tor service
Browser tips for any browser or browser combo
Chrome by day, chromium by night
6. Creating secure email and alternatives
Creating a secure email account
Encrypting and decrypting email
Generating a public/private PGP key pair
Encrypting a message using a public key
Importing public user keys to your keyring
Encrypting a message using a GUI
Decrypting a message
Payment for my Heroin Order
Using a disposable account for notification
7. Hiding files, directories, and partitions
Block device encryption strategies
VeraCrypt kicks ass, er, is great!
Obtaining and installing VeraCrypt
Creating a decoy and hidden volume
Using the volumes
Mounting decoy and hidden VeraCrypt volumes
Listing mounted VeraCrypt volumes
Unmounting a VeraCrypt volume
Muddying the water
8. Finding stuff on the dark web
Opening links in the "right" browser
Dark web directories
Dark web search engines
Dark web markets
Public services on the dark web
Bulletin boards, chats, and social sites
News and information sites
Commercial services
9. Crypotocurrency 101
What is a blockchain?
How does blockchain work with cryptocurrrency?
Earning cryptocurrency by adding to its blockchain
Getting Bitcoin and other currencies
DIY Mining: There's crypto coins in them there algorithms
Good times at the mining pool
Contract/Cloud Mining: They'll drive and pay for the power
Storing Cryptocurrency
Overview: Single currency and multi-asset wallets
Hardware wallets
Software wallets
Using an exchange
10. Buying and safely paying for stuff
Keys to buying (and paying) anonymously
Secure credit card payments
Choosing dark web payment models
Mixing payments to aid anonymity
Concluding payments and purchases

List of Figures

1.1. Hacker News image of web levels and types
2.1. Dat Mofo' Linux desktop
2.2. The Kodachi Linux startup screen
2.3. The Parrot Startup Screen
2.4. Applications > anonsurf menu in parrot
2.5. Qubes OS desktop
2.6. The Startup Screen for TAILS Linux
2.7. Starting tor in TAILS
2.8. Whonix-Gateway desktop
2.9. Whonix-Workstation desktop
3.1. Using mkfs.ext2
3.2. Using mkfs.ext3
3.3. The unetbootin web site
3.4. Downloading unetbootin from its web site
3.5. Using unetbootin
3.6. Status screen while using unetbootin
3.7. The unetbootin success screen
4.1. IP connection info from Perfect Privacy
4.2. IP test info from (Air VPN)
4.3. Top-level IP address info from
4.4. Various IP and browser tests from
4.5. A suspected DNS leak from
4.6. Linux/Mac OS script to look up IP address info multiple ways
4.7. Sample Linux routing table
4.8. Sample, simpler Linux routing table before starting a VPN
4.9. Sample, simpler Linux routing table after starting a VPN
5.1. Displaying a Tor circuit
5.2. The Tor project's download page
5.3. The tor browser on another Linux distribution
5.4. Connect to Tor dialog for tor browser on Windows
5.5. Tor browser running on Windows
5.6. The Tor browser's Configuration (hamburger) menu
5.7. Configuring Tor security levels
5.8. The Tor project's bridge integration page
5.9. Requesting a Tor bridge of different types
5.10. The Tor check project page
5.11. Checking for browser tracking and fingerprinting
5.12. Danger, Will Robinson, Danger!
5.13. Successful connection (check url!)
5.14.'s animated timeout page
5.15. Tor2web connection failure
5.16. Tor startup and SOCKS5 proxy script for MacOS
5.17. Checking Crome and the SOCKS5 proxy
6.1. The Protonmail secure email provider
6.2. Getting a user key for transaction messages
6.3. User key as part of user profile
6.4. A GUI for PGP Encryption
6.5. The Guerrilla mail disposable email provider
7.1. VeraCrypt hidden volume layout
7.2. VeraCrypt startup screen
7.3. VeraCrypt Volume Creation Wizard dialog
7.4. VeraCrypt Volume Type dialog
7.5. VeraCrypt Volume Location screen
7.6. The Specify a New VeraCrypt Volume dialog
7.7. VeraCrypt Outer Volume Encryption Options screen
7.8. VeraCrypt Outer Volume Size screen
7.9. VeraCrypt Outer Volume Password screen
7.10. VeraCrypt Outer Volume Format screen
7.11. VeraCrypt Hidden Volume Encryption Options screen
7.12. VeraCrypt Hidden Volume Size screen
7.13. VeraCrypt Hidden Volume Password screen
7.14. VeraCrypt (Hidden Volume) Format Options screen
7.15. VeraCrypt Cross-Platform Support screen
7.16. VeraCrypt Hidden Volume Format screen
7.17. VeraCrypt Informative screen
8.1. The Tor Hidden Wiki
8.2. The TorLinks directory
8.3. The Candle search engine
8.4. The Torch search engine
8.5. UnderMarket 2.0 market
8.6. R.I.P., Wall Street Market
8.7. Random items for sale at a random site
8.8. The Torum site
8.9. ProPublica investigative journalism site
8.10. The Protonmail secure email provider
9.1. Atomic Wallet
9.2. Exodus
9.3. Jaxx Liberty
9.4. web wallet

List of Tables

1. Common cyrptocurrencies and symbols

List of Examples


About this book

This book started out as a simple explanatory document - how to safely and anonymously access the dark web so that you can share in certain types of information and victim-less commerce without being arrested. A big part of how people can be arrested due to their actions requires that they can be identified and that their actions can be uniquely tracked back to them. Therefore, the more that I wrote about privacy and anonymity, the more scared I became regarding how supposedly private, personal information can be collected to enable tracking people and ideas on the web. Someone who's tracking people may just want to join a fan club, or they may want to collect people's info to sell ring-around-marketing, worm ouroboros-style to each other.

I have opinions and you should too. I don't even care if we agree, just that our opinions are honestly held and intelligently arrived at. Marketing, data collection, and advertising taken to their logical extremes can be very scary things. We all should have the right to think and make decisions for ourselves, and it just isn't that way any more. Witness the idiot who is our president, the greed of his entourage, and their wish to control everything for something as pitiful and sad as money. Personal data collection begat personal tracking, which begets monitoring people and locations, which begets control, which... I think you see where I'm going with this.

This book should help you protect yourself and to think about how personal information can and is being collected and could be used. A few extra seconds taken now to privatize and anonymize your communications and identity are seconds that are very wisely spent, regardless of whether you're worried about being arrested tomorrow or simply about being rounded up twenty years from now because of that verdamnt "free speech" thing.

This book is released on Amazon and as donation-ware. If you didn't get this on Amazon and liked any part(s) of this document or found it to be useful, please make a small donation via PayPal to or in Bitcoin to 35DnXM3Fg9zvirbraGmUGecLy7EPZiBWsT. Thanks!


I accept no liability or responsibility for the information that is contained in this book. It has all been tested and verified by some guy that I know with a CS degree and years of systems-level experience.

Comments welcome. Updates will be ongoing. Get them from my website, Any errors are accidental. Please report them to to ensure that this document is corrected.

Chapter 1.  Overview

When you access the Internet, you’ve finally reached a maze of twisty passages, all different - at least, what most people think of as the Internet. In reality, the Internet is just a zillion cables and connecting devices on which data is flowing back and forth; data that is reached and shared by many applications using many protocols, some of which are compatible. The big reason all of this exists is for sharing information. The military wanted the Internet, which was then called the ARPAnet (for the Defense Advanced Research Projects Agency network) and wanted this to preserve control during World War III or earlier. What they got was an open network for sharing information, a network that was designed by researchers, academicians, business people, hippies, and crackpots. In today’s most popular way of sharing information, the world-wide web (www, W3, or simply “the web”) , most of the information that is hosted on the web is public or password-protected, but is still intended for widespread use by commercial entities and/or regular people.

Luckily, there is also a large amount of network traffic on those same wires that isn’t as boring as buying a pair of shoes or investing in tulip bulbs. According to researchers and other randoms, only 4% of the network known as the Internet is visible to most people - the rest bubbles under the surface. Before you get all excited and buy a bathysphere, the invisible 96% is primarily a thick commercial oil slick that supports corporate Internets and commercial transactions. Of that 96%, a tiny sliver is information yearning to be free, which maintains that freedom using a security though obscurity model. If most people can't see or find it, its content can't offend or be destroyed by them. These layers of different audiences and types of content make it easy to think of the internet as being composed of three virtual layers:

  • Surface web - anything that can be indexed/found by a standard search engine (Google, Yahoo, etc.) and accessed with no special magic by regular or authorized users. This is the billion-site 4% that most people think of as “the web”. Also commonly referred to as clearnet due to its openness and lack of encryption - available to all and readable by all.

  • Deep web - anything that is not indexed/findable by a standard search engine or which is only intended for use by internal applications. This is generally site- or company-specific data that is designed to be accessed by privileged users using (under the covers) special query engines to locate content based on SQL, SQL-like, or NoSQL queries and applications.

  • Dark web - a subset of Deep web content, the Dark web is content that was hidden intentionally and cannot be found via standard tools, authentication models, or browsers. Often requires a special URL and access protocol. Discussing what’s out there and how to safely access and explore that content are the reasons for this book. There are other dark networks that are only discussed in passing in this document. How dark nets such as I2P, Freenet, and even GNUnet are accessed and work is outside the scope of this document.

Figure 1.1. Hacker News image of web levels and types

Hacker News image of web levels and types

So what is the dark web’s content? Amazing stuff with very few rules except technical ones about security and doing business there. Guns. Drugs. Dead drops for securely sharing top-secret information. Reporters without Borders. Political manifestos. Lists of potential hack targets. Fake jewelry. Stupid information about strange sexual practices and rituals that would make Aleister Crowley blush. Counterfeit currency. Fake birth certificates. More hacks. Fake IDs. It's like being catapulted back into the early wild west days of the ARPAnet, when freedom was just another word for liberation. The freedom of the dark web is due with thanks to the Tor project and the Tor browser (see the section called “ Tor, good god, what is it good for? ”). Read on!


As the previous paragraph indicates, there's an amazing variety of stuff out there on the markets of the dark web. Some things are only legally wrong because that's the result of short-sighted scumbags who force you to agree with them and punish you if you do not. But there certainly are things out there that are morally wrong. IMHO, I could care less if you want to smoke or ingest some flower bulb sap, plant leaves, or mold derivative, or want to give yourself a new identity.

This book explains how to go shopping, not what to buy or why. Some things, like carding (buying or using stolen account data or credit card numbers) or hiring a hit person (bang!) are not victimless, and thus aren't discussed here and and are definitely not advocated. AFAIAC, the whole idea of freedom is about freedom, personal responsibility, and not stealing from or harming your neighbor. Unfortunately, freedom applies to everyone, which means that you have the freedom to be stupid - a religious terrorist, a child-pornography manufacturer or propogater, a right-wing or facist lunatic, and so on. Again, true freedom is sadly for everyone. The ACLU once had to defend a white Nazi march though a Jewish area - the good guys have to good towards everyone, even the idiots. Please just try to be one of the good guys.

This book may not be as cool or counter-cultural as some other dark web books. You may just really want to know about the dark web and how to explore it, rather than looking for a new philosophy. You can make up your mind all by yourself! On the other hand, if you need somebody to protect you from something intangible or you’re afraid that you’ll cut yourself on a sharp word, take the door over there by the sign that says “This Way to the Egress”, and enjoy that legendary creature first. Call me later.

If everything I’ve said so far sounds like it might be interesting, illegal, or you simply don’t care because that’s up to the individual, the alternate river of information that is the dark web may be for you. Read on and remember to never, ever shoot the messenger.

Cast of hackers

Speaking of shooting the messenger, be aware that there are a few basic classes of people that understand how the web works and have the smarts to do something about it (or are curious enough that they’ll know RSN). The first are hackers (AKA white hats, grey hats, and black hats), which is the term that I use to describe smart, curious people who want to understand and experiment with how software and hardware work. Names like white hat, grey hat, and black hat come from the color of wizard’s hats and robes in role playing games and fantasy novels, and are used to identify sets of hackers with different motivations.

White hat hackers are the good guys of the software universe, exploring and experimenting with software and hardware to learn about it, identify problems, and report them (occasionally complete with fixes). Next in line, but in the same class, are the grey hats. The second line of true hackers, grey is almost white, but sometimes crosses legal lines to do the right thing. Finally, there are the black hats, who want to profit from their arcane knowledge and don't care how many other people get hurt while they're making their poisoned profits.

A separately-named second group of knowledgeable folks are crackers (often the same as your black hats), who have the same white/grey knowledge but also have malicious intent and are scummy enough to want to profit from their wizardly knowledge. They may exploit a known security hole to encrypt your data and then charge you for the encryption key so that you can get your data back. They may hack some corporate site, dump its customer data, and then sell it to the competition or other crackers who can use it for spam or to charge 10,000 pizzas to your MasterCard. Scumbags. They often also simply package up the hacks that they know so that others can do the same things but without having to understand or figure out how they worked. Selling or distributing pre-packaged sacks of hacks enables people known as script kiddies (AKA skiddie or skid) to use them to look like they’re smart. They’re not dumb either - in fact, they’re at least smart enough to avoid reinventing the wheel.

Various flavors of hackers are usually the good and the bad of computer-savvy folks on the web, but there’s another computer-savvy class that you must not overlook - the ugly. These are the cops and other people whose job it is to make sure that you play by their rules, even if the rules are stupid. Do not EVER make the mistake in thinking that law enforcement dweebs are stupid or “won’t notice” if you just buy one AK-47 or one kilo of cocaine off the dark web. They have a lot of smart people who believe that they are doing the right thing, which is an uninterruptible delusion. If you’re smart and the least bit paranoid (which doesn’t mean that they’re not after you), you’ll use some of the security tools we’ll discuss, and you’ll use them ALL OF THE TIME. There’s no real penalty in doing so, but not doing so can get you 5-10 and a lovely ankle bracelet that goes with any outfit but clashes with freedom.

The final group of people, the one that really matters the most, is you and me. Right now, we’re just curious - WTF is the dark web, what’s out there, and how can we access it if we want to? Maybe we’ll grow into hackers, but right now, we just want to know. This is the information age, and there are zillions of companies out there analyzing every character we type and packet we send so that they can get information that they can sell somewhere or which they can use to better target us when selling ads or whatever. The dark web is about accessing information that we want to see, without someone tracking it or us. Our ideas and our decisions. The dark web is all about seeing what we want to see without some monetary, social, or political scumbag forbidding that, tracking what we’re looking at, or monetizing our curiosity and interests.

Censorship comes from the idea that “It’s my network, so I get to control what’s on it.” This stupid idea is like saying “It’s my electric socket, so I get to control what’s plugged into it”. George Orwell ain’t got nothing on such dummies! It’s not my fault that the Internet has been commercialized rather than being treated like every other public utility, only paying for bandwidth, amount of power used, amount of water consumed, and so on - and not what that water, power, or connectivity is being used for.


One tip before you read further - the US sucks in terms of privacy and anonymity! Do not use any US-based VPN or security service because the US is a partner in the 5EYES eavesdropping system (see the the section called “ What is 5 EYES and why do they suck? ” for more information). In general, US companies seem to see selling customer information without asking as yet-another-revenue-stream. Sigh...

Information wants to be free, and so do we!

(And so, BTW, does Ross Ulbricht - he may have been a bit sloppy, but he doesn’t deserve crucifixion...)

Differentiating between privacy and anonymity

The core difference between privacy and anonymity is "what" versus "who". When surfing anywhere, you want to make sure that no one knows what you're saying. When surfing the dark web, you want to make sure that no one knows who you are. Anonymity is the difference between simply shouting "fuck you" in a crowded auditorium and standing up and shouting it. Privacy is when no one could understand you except the person that you were saying it to.

In nerdier terms, anonymity is security of identity, whereas privacy is security of content:

  • Anonymity: Using the tor browser, Tor service, or a proxy will provide anonymity because no one will know where/who your request is actually coming from. In the first two cases (Tor), it will appear to be coming some random host that is running a Tor exit node. In the proxy case, it will be coming from the proxy. in none of those cases, will it be coming from your IP address (whether assigned by your ISP or by whatever VPN you're using).

  • Privacy: Using HTTPS or other browser-based forms of encryption will guarantee privacy because no one except the recipient will be able to decrypt the content that you are sending. This will not guarantee anonymity because malicious randoms (like those working for the NSA or other three-letter acronym agencies) can still identify the IP address that you're coming from.

Some browsers have a "private" or incognito mode that had very lite to do with privacy of content. These modes do not use existing browser history and do not use existing cookies, but they do prevent your browsing from being tracked, do not conceal or change your IP address, and only delete web browsing history when you exit from the incognito/private mode. The goals of these modes are to enable you to surf without dragging along your usual web baggage, thereby reducing the value of this tracking to your favorite online data vampires`.

This document explains how to guarantee (as much as is possible) both of these by using a VPN and a privacy tool such as the tor browser. In the cases of anonymity and privacy, more is indeed better.


Just when you thought it was safe to go into the water, you also have to worry about browser fingerprinting, which is a way that TLAs try to identify you by usage patterns, browser characteristics, or both. For more information, see the section called “ Avoiding browser fingerprinting ”.

Ways of exploring

If you're like me, you have the patience of a fruit fly and just want to start exploring the dark web. Unfortunately, anonymity and privacy are the keys to exploring a "secret" network that contains questionable content, and they take some time to set up. Therefore, this document discusses several general hardware/software models for accessing the dark web, with notes about the security of each:

  • Customizing an existing system: while this is obviously the fastest and easiest way to get to the dark web, it is also the least secure and most dangerous. Your account and the existing system itself are probably already full of stashed browser cookies, information leaking browser extensions, "slightly incorrect" configuration, tattle-tale applications and accounts, and much more. An existing laptop or desktop system is also usually unencrypted and physically insecure.

  • Creating a new computer system: building a virgin system with encrypted partitions, installing the necessary software, and hardening everything is very safe and secure (content-wise), but has the same physical security concerns as using an existing system. Content security is the security of the information in your files; physical security is the security of the computer and storage devices that hold those files.

    If everything is encrypted and configured for security, a system such as this will protect your data from everyone except for the NSA and a secret grotto full of supercomputers. However, there are still two possible problems:

    • You could accidentally use the wrong system or leave clear data behind unless your new system is obviously different and thus easily recognizable

    • Your system itself can still be seized or stolen, so you could either lose everything (but it would still require decryption in order to have the content abused/stolen) or (worst case) have your data exposed due to some accidental misconfiguration. Maintaining secure backups is critical, and will be discussed later.

Non-reader's checklists

If you're already tired of reading and just want a checklist or two so that you can be sure you're doing the right things in the right order, here 'tis:

WARNING: Following the preceding list will only protect you if you never buy anything on the dark web, never sign up for anything on the dark web or give out your vanilla email address, and do not use the same browser to surf the surface and dark webs. If you want to do any of these things, for God's sake, read the appropriate parts of this book before you begin exploring the darkness!

More reasons to worry abut privacy and anonymity

In this document, I will call idiocy and close-mindedness "idiocy and close-mindedness" whenever I think it applies. I'm not wearing a tin-foil hat, nor do I even own one. If you think that I'm overly critical or paranoid, please read the articles and sites listed in this section.

Government and online personal information collection are runaway trains, and the engineer (at the moment) probably can't even figure out ROT13. We are wasting billions making plants and chemicals illegal and jailing violators, when plenty of actual victim-ful crimes exist to choose from. Stop the former, and use the cash savings to help people! Let Charles Darwin, not Adolph Hitler, deal with stupid people. Privacy and anonymity are inalienable rights, and we should always have the right to think, so please do so:

Fix the way things are, and avoid the crap until then!

Chapter 2.  Selecting an operating system

The word "security" usually invokes the idea of protecting something from intrusion by something else. In the case of our pursuit of the dark web, there are two sides to the security coin:

  • the traditional one of protecting your system against attacks, virii, and things that go hack in the night

  • protecting your and your system’s identity and not leaving footprints behind you as you explore the dark web

A zillion packages can fill the first role, from open source packages like ClamAV (with the ClamTk front end) to traditional commercial heavyweights like Norton (owned by Symantec). Lots of book and articles can help you find the best of those. (I pay for Malwarebytes myself. Both the package and the name are great!)

The second, privacy and anonymity role is a combination of software packages and security-oriented operating systems, and is germane to the dark web and this document. All in all, you can’t leave your IP address behind or access the dark web from an IP address that can explicitly be tracked back to anywhere, let alone to any specific geographic location, non-spoofed IP address, or (God forbid) a specific host owned or operated by a specific person - you (and if you’re not careful, soon also known as inmate 3.147159). You may want to avoid having your system preserve any browser history or many files of standard user data, and avoid exposing any network ports, services, or capabilities that it doesn’t have to so that there are as few opportunities for obfuscated ways of logging or preserving data as possible.

When should you use encryption such as that provided by a VPN? Always. Always encrypt or you might as well be turning a spotlight on what you’re working on when you do use it, saying “Hi, I’m important data, so check me out”.

This chapter introduces the basic characteristics of Linux, using it to browse and interact with the dark web, and how Linux is distributed. It focuses on accessing the dark web from an actual desktop, laptop, or tablet computer, NOT from a smart phone. Though I have had my fingers sharpened many times, I still can’t do real work from the dinky keyboards offered by today’s smart phones.

The rest of this chapter discusses some recommended operating systems you may want to use to access the dark web, and how you may want to run them. These sections also discuss the security requirements of different types of systems that are designed to let you safely explore the dark web. I’ll also discuss the types of packages that you would add to an existing system to make it safe to surf the dark web without picking up any virii or other unwelcome hitch-hikers.


Though I advocate using Linux, the Mac and *BSD* platforms are also excellent choices for an actually secure (unlike Windows) platform for exploring the dark web. After all, today's Macs run their GUI on top of a FreeBSD variant. For true newbies or Linux chauvinists, BSD stands for Berkeley Software/Standard Distribution, which is the name of the UNIX version forked from AT&T UNIX by Bill Joy and others before he moved on to help found Sun Microsystems, develop SunOS, and develop (gak!) Slowlaris, er, Solaris. I was originally a BSD fan, but I am much more familiar with the details of Linux nowadays. If you're curious about hacking the dark web from one of the *BSD* platforms, see TrueOS (a FreeBSD variant), which is an excellent flavor of *BSD*. There's always FreeBSD itself, NetBSD, and many more.

What OS to use when exploring

There are many operating systems out in the world today, the main ones being Microsoft Windows, Apple’s OS X, the *BSD* versions of modern Berkeley Unix, and a zillion flavors of Linux. While the choice of which operating system you want to run on your desktop computer is often both a philosophical and aesthetic choice, the choice of which operating system you want to use to explore the dark web is simply selecting which secure, controllable hammer to use. AFAIC, the answer is one of a few Linux distributions that have been created with powerful support for security, anonymity, and privacy, and focusing on that. Linux is open source, except for a few applications that we don’t care about for the purposes of this book.The open source nature of Linux, where you can get the source code for any application, read through it if you have the time and knowledge, and build it for yourself if you want, protects you against any virus or malware being inserted into the code without your knowledge. (Tip: watch out for external code that’s being linked in!) The Linux security model of installing and managing applications and services protects you from accidentally installing persistent viruses or malware, such as keyloggers, that always run on your system and ether corrupt it or call back to a hostile cracker’s mothership every five minutes.

The tools for exploring the dark web are available for all modern platforms, but the base for all platforms except the Linux ones is a generic one-size-fits-all commercial platform that includes a lot of system and basic commercial apps that don’t help explore the dark web and just provide virus or malware targets. Maybe that should be one-size-doesn’t-fit-anybody. As far as the dark web is concerned For this and related reasons, I’m going to focus on a few great Linux platforms that provide different approaches to the dark web, so that you know what’s out there, how they work, and you can pick the one you prefer. Don’t worry - I’ll also tell you what I use and why ;-) I’ll also provide a copy that ready to go, and is just a download away.

How Linux is distributed

Linux distribution are distributed or downloaded in one of two ways:

  • a bootable ISO (International Standards Organization) image that can either be booted from directly or burned to a CD or DVD which can then be booted from. In all cases, what you boot into from these media is either an installer, which lets you permanently install the distribution on some other media such as the hard drives in a system, or a live distribution which you can execute and run from directly. Some bootable ISO images come with other partitions that can be mounted and written to so that you have some form of persistent storage even when running from an ISO.

  • As an archived appliance (OVA) that you can install on a system using a virtual machine manager (VMM), and then run from the installed appliance within the context of that VM Each of these approaches to installation and execution has advantages, disadvantages, and caveats, which we’ll discuss throughout the rest of the chapter.

To VM or not to VM?

When selecting an operating system for safely and securely accessing the dark web, a good initial question is whether you should use real hardware or a virtual machine (VM). A virtual machine is a computer system that only executes as software which runs under other software (a virtual machine manager) on another host, typically a physical host. Using a virtual machine to access the dark web has a big advantage in that the most fundamental characteristic of a VM is that nothing crosses the real world/VM boundary except though a service that is intentionally hosted on the virtual machine. This prevents virii and malware from attacking the VM from the host computer system because they literally can’t reach the VM except when “invited in” just like one physical host infects another. Treating the VM like “just another machine” is a great thing except that, by default, all network services and virtual machines on a machine with a single Ethernet connection and which is part of a Virtual Private Network (VPN) go through the VPN. This means that any public services that you expect people to find at a given IP address (whatever is registered for that host via DNS or DHCP) will not be there because they are now using the IP address assigned to them through the VPN.


The whole "Should I use a VM?" question becomes somewhat moot if you decide to run a virtual machine-oriented version of Linux, such as Whonix (the section called “ Whonix do you love? ”) or Qubes OS (the section called “ Qubes OS ”), to access the dark web. Whonix must be run inside VirtualBox (at the moment - KVM support is coming, where Linux is the hypervisor), while Qubes OS requires the Xen hypervisor.

Using a VM (virtual machine) to access the dark web gives you an extra layer at which you can obfuscate your IP address or otherwise manage the security of your site and connections. The most important issue about whether you should access the dark web from a VM is the degree of control you have over the host on which the VM is running. A compromised host could send virtual machine information (IP address info, running process list and anything else that could be swapped from the VM into disk space on the host) and direct host information (keylogging, which could capture both host and VM info, the VM info being that which is in the VM which could be swapped out onto the host, and host-specific info (keylogging). If you “own” the host, this isn’t an issue, since you can protect both it and your VM with appropriate software.

A good stack on a host that you control is the following:

  • Vanilla Linux privacy-oriented host system running anti-virus, anti-malware, and VPN software with as many other services disabled as possible

  • Encrypted container located in the host filesystem that can be unpacked to expose a VM that, when mounted, runs privacy-oriented Linux and the Tor browser. Files can be saved in the VM filesystem to preserve those files across system boots.

If you cannot control the host, you can still explore the dark web with a USB-based Linux distribution with both a VPN and the Tor browser installed. The USB stick can even be partitioned so that a partition can be mounted to enable you to save large files as required and unmounted to preserve those files across USB boots. Linus distributions that run a Ubuntu-based Linux kernel can also support persistent storage, where the filesystem records changes and stores them in disk space that is overlaid on the base root filesystem.

Several of the distributions discussed in this chapter provide releases that can be written directly to and booted from a USB stick. You can take the USB stick to any machine that can boot from USB, boot from the stick and do whatever you want on the dark web (or anywhere), then shut down, remove the USB stick, and no one knows what you've done, or where.

The downside of a non-encrypted bootable system for dark web exploration is that if stolen or seized by the law, its contents can be explored and possibly used to incriminate the operator.

Putting together a secure system

On an Internet-capable system, your Internet Protocol (P) address is the easiest way of locating and identifying network traffic to and from your computer. No big surprise there - that’s how systems know where to send packets in response to queries or simple network traffic that you or your system originated. I’d say that an IP address obfuscation mechanism (which I’ll soon discuss in the context of a Virtual Private Network (VPN)) is the key component of a secure system were it not for the fact that a secure operating system is the best context for secure network communications. The next section discusses many popular and secure Linux distribution and systems, and explains some of the pros and cons of each. The beauty of comparing and selecting a secure Linux system is that they are all alike at some level, so one explanation usually works for many Linux distributions.

I’ll talk more about VPNs in Chapter 4, My kingdom, or 0.005 bitcoin, for a VPN , but let’s first finish discussing the OS. Regardless of whether you want to use a virtual machine or a physical one, that machine should run Linux. Why? Most of that was explained earlier, but another very real reason is that the Linux kernel is the powerful and flexible cornerstone supporting a tremendously wide range of utilities that include everything you’ll ever need to use with the dark web. There are also many, many users of Linux distributions that target security and anonymity, and many of the creators of these distros actually read the code. The chance of some cracker slipping malicious code into one of these distros is extremely small. The chance of any one of these distros being very secure and a great thing to learn from is very high.

The next few sections discuss some amazing secure/anonymous/small Linux distros with details about each and a discussion of features and potential problems. A big thank-you shout out goes to the Deep Web Sites links site for turning me onto a couple I hadn't really played with!

Dat Mofo' Linux

(Home Page:

A big part of my first computer science job out of college involved morphing Vaxen running 4.1 BSD into Vaxen running 4.2 BSD when the latter was released. As part of this "effort", I built and installed a Usenet application named jive as a pre-processor for the man command, which simply replaced every instance of "Unix" with the phrase "dat mofo' Unix", much to the delight of co-workers. That was quickly followed by orders from management for its removal, who did not seem to think that official systems repeating "dat mofo' Unix" over and over was very mature. (Their exact request was phrased slightly differently.) Imagine my delight when I spotted Dat Mofo Linux as a serious contender for Linux distributions that focused on anonymity, privacy, and “defeating state censorship”.

Supporting anonymity, privacy, and “defeating state censorship” are worthy goals that are well-addressed by Dat Mofo Linux. The current release at the that this document was last updated, Dat Mofo Linux 7.0 is based on Ubuntu 18.04.2, and features a version 4.20 of the Xanmod Linux kernel, a fine-tuned Linux kernel with many desktop/gaming timing, latency, and performance enhancements. Though it's rare to find a GPL project with multiple streams that are under active development at the same time, the Linux kernel is one of the cases in which the code is huge enough and the changes associated with different development paths are pervasive enough to justify forking the source code base.

Figure 2.1. Dat Mofo' Linux desktop

Dat Mofo' Linux desktop

Dat Mofo Linux (hereafter referred to as DML) comes pre-bundled with the following applications and services, to name a few:

  • Tor Browser, Onion Share (file sharing over Tor), Tor Messenger

  • Psiphon and Lantern domain fronting proxies

  • I2P and Freenet for dark web access

  • OpenVPN, SoftEther, Outline, and WireGuard VPNs

  • Streisand and Algo VPN Server Managers

  • Interplanetary File System (IPFS) - peer-to-peer distributed file system

  • Signal, Telegram, and Riot instant messaging

  • Kodi media center, WebSDR, OpenWebRX software defined radio

  • Veracrypt, zuluCrypt, and Ecryptfs file/folder/partition encryption

  • Bleachbit disk wiping utility

  • DNS-Over-TLS

All history, caches, and logs are automatically and thoroughly purged at system shutdown. DML can be booted from a CD, DVD, or USB stick, meaning that it can be used as a live OS.

The system requirements for DML are much the same as for Ubuntu 18.04, with the exception of those that are necessary to take advantage of the XanMod kernel. XanMod is a general-purpose Linux kernel distribution with custom settings and new features. Its goal is to provide a more rock-solid, responsive and smooth desktop experience. it can be used with any recent 64-bit Debian and Ubuntu-based system.

Kodachi! Gesundheit!

(Home Page:

Kodachi is an Xubuntu 18.04-based Linux distribution that is designed to provide you with a secure, anti-forensic, and anonymous operating system. It contains all of the features that someone concerned with privacy and anonymity would need (and want) to have for security.

Kodachi comes as a bootable ISO that is both pre-installed with favorite tools like a VPN, Tor, and DNSEncrypt, and is pre-configured to route all Internet activity through these tools default. This configuration even lets you choose your Tor exit nodes without hacking configuration files all over the place..Like all good bootable privacy/anonymity distributions, Kodachi flushes all configuration and state information on exit - and that's flush as in toilet, not as in "force pending writes to media".

Figure 2.2. The Kodachi Linux startup screen

The Kodachi Linux startup screen

The default desktop shown in Figure 2.2, “The Kodachi Linux startup screen” can be slightly confusing at first, grouping conceptually-related applications into clusters along the bottom of the screen, but quickly turns into "the right thing" once you use it for a little while. (The reflection of the dock beneath it doesn't help your initial understanding much, either, though it certainly looks nice.) The Panic Room cluster on the right is a thing of beauty if problems arise, grouping memory wiping and other critical tools together for convenience before you get molested by John Law.

Minimum system requirements for Kodachi 6.0 are only slightly greater than those for Xubuntu 18.04, namely:

  • Dual core processor, 2GHZ or better

  • Graphics card and monitor capable of at least 800x600 resolution

  • 512MB system memory (1 GB recommended; 2 GB recommended for running in a virtual machine)

  • 5 GB storage minimum for local install. (20 GB storage recommended for local installation, add-on applications, and local data storage)

While I am a huge fan of Ubuntu-based distributions, I personally Xubuntu-based distributions somewhat slow unless you install on hardware that is more powerful than the recommended minimums. Application and configuration-wise, Kodachi provides a truly powerful distribution, including tools such as Pidgin messenger, FileZilla, Transmission, the Exodus crypto wallet, Audacity, Blender, the Chromium web browser, I2P and GNUnet support, Enigmail, Zulucrypt, and VirtualBox, and many more. It's feature-rich and powerful enough to be a daily driver, let alone a powerful distribution with which to explore the furthest reaches of the dark web. I'm not a huge fan of its initial color palette (my eyes are old) but it's Linux, so my local install mantra is "...if you don't like it, change it."


Kodachi uses Conky to display a lot of system information on the desktop, so you should consider using a display resolution that is wider than vanilla desktops.

Parrot Linux - Argv, matey!

(Home Page:

“Parrot is a great GNU/Linux distribution [that is] based on Debian testing and is designed with Security, Development, and Privacy in mind. It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy while surfing the net.” I couldn't have said it better myself.

Figure 2.3. The Parrot Startup Screen

The Parrot Startup Screen

Parrot is based on Debian Testing, but features a custom Linux kernel and provides the MATE desktop environment. (Other desktop environments are available.) Parrot provides two primary distributions for your computing pleasure:

  • parrot-sec - the core Parrot distribution, targeting developers and casual secure surfers, and which focuses on the tools for those audiences

  • parrot-home - the core Parrot distribution, wrapped in a higher-level software set that enables you to surf the dark web when you want to but use your Parrot system as a daily-driver Linux system the rest of the time.

These two Parrot distribution versions are available as downloadable appliances (ova files) that you can install as a virtual machine or burn onto a USB stick for portable surfing. Each of these includes a copious set of security tools including those for penetration testing and digital forensics, which can be very useful if you are using Parrot to surf the dark web and want to be sure that you’re really secure.

In addition to these flavors, Parrot also provides ISO versions of each for pure, virgin hardware installs, and a Parrot-KDE distribution if you’re a KDE 5+ fan or don’t remember how GNOME works. Parrot does a lot of cool things to support it pen test/forensics starting points. Applications are sandboxed, disks are only mounted when needed, package updates are regularly scheduled to guarantee that they’re the latest and greatest, everything goes through tor after you fix some initial problems like missing iptables in the path (update packages), missing atk-bridge (install package libatk-adaptor), and so on. The distribution is great! It provides the tools that we can all use to figure out just how secure/anonymous/private we are - identifying any holes in the bathtub so that you can fix them!

The following list summarizes the requirements for a Parrot 4.5.1 system, which was the latest stable release at the time that this document was last updated:

  • 32-bit or 64-bit, x86-64 or ARMHF desktop or server system

  • 512 MB or more RAM

  • 16 GB or greater SSD, SATA, PATA, or USB storage

  • DVD reader or the ability to boot from a USB stick

Figure 2.4. Applications > anonsurf menu in parrot

Applications > anonsurf menu in parrot

Parrot is reminiscent of Kali Linux, a pioneering Linux distribution for security and digital forensics, except that the parrot-home distro resolves most of the complaints that people have often made about Kali: designed for experts, not mere mortals; missing (by default) many of the tools that users want in a daily-driver Linux system; doesn’t feature truly minimal hardware requirements while still providing a usable and well-organized desktop. Some of these will continue to evolve away (tools will increase, hardware will get more powerful, etc.) but why wait for Kali to continue to evolve? Parrot-home is just a download away.

Qubes OS

(Home Page:

Qubes OS is a cool distribution for secure and private surfing of the dark web (and anywhere else for that matter), and has some pretty impressive members in its fan club, including Edward Snowden. The great thing about Qubes is that it starts virtual machines atop the Xen hypervisor, which provides it with an intermediate management, analysis, and priority level for interacting with those VMs Those VMs isolate (compartmentalize) processes and services appropriately for secure process execution. Qubes provides fast, light-weight “disposable VMs” to execute and exit processes quickly, with results and modified files automatically being merged back into a common filesystem. It also provides template VMs that enable you to quickly define and compile the software and infrastructure required to support distribution-specific executables. (These per-application execution stacks are known as “qubes”, but in this section, I generally use the term "Qubes" to refer to the Qubes OS operating system.). Different isolated processes, process families, and security levels within the Qubes OS are easily identifiable because sets of processes and related items share border colors within the window manager (xfce4 by default). Several of these qubes/groups are created for you by default: work, personal, and untrusted.

Figure 2.5. Qubes OS desktop

Qubes OS desktop

Qubes OS comes with template VMs for secure versions of Fedora, Fedora Minimal (lightweight, small footprint), Debian, Debian Minimal (lightweight, small footprint), Archlinux, and Ubuntu. For Dark Web exploration, Qubes OS comes with templates for Whonix, another Xen-based Linux distribution. Whonix works by hosting two VMs: Whonix-Gateway and Whonix-Workstation. Whonix-gateway serves as a Proxy VM that routes all of its traffic through Tor, while the workstation supports all application VMs. Unfortunately, Invisible Things Lab (creators of the Qubes OS), does not provide an installable distribution that is based on Whonix, so a fair amount of work and testing is required before you should use the Qubes OS with Whonix for safe dark net exploration. When you’re done, however, you’ll have a modern, secure, and trustworthy OS that deeply and elegantly integrates tor for all your private and anonymous dark web surfing needs.

The following list summarizes the requirements for a Qubes OS 4.0.1 system, which was the latest stable release at the time that this document was last updated:

  • 64-bit, x86-64 desktop or server system

  • Intel VT-x with EPT, AMD-V with RVI, Intel VT-d, or AMD-Vi processor. AMD IOMMU not supported.

  • 4 GB or more RAM

  • 32 GB or greater SSD, SATA, PATA, or USB storage

  • Non-USB keyboard

  • DVD reader or the ability to boot from a USB stick

  • Graphics (Recommended): Intel GBP or AMD Radeon RX580 and earlier

TAILS, I win

(Home Page:

Linux geeks are nothing if not hilarious and fun at parties. Tails stands for “The Amnesiac Incognito Live System”, which has to be the best/worst backronym ever. Tails is a small Linux distribution that is based on Debian with the exception of not following Debian’s “only completely open source” mantra.

TAILS is an amazing distribution to use for browsing and interacting with the dark web. It comes as a live CD image that boots from an ISO image by default, but which you can easily burn to a USB stick and boot/run from there. TAILS includes tor and automatically routes all port-remapped Internet traffic though a SOCKS proxy.

Figure 2.6. The Startup Screen for TAILS Linux

The Startup Screen for TAILS Linux

TAILS also comes with a wide variety of utilities that help you accomplish common administrative tasks:

  • create, inspect, and use secure, persistent storage Tails Persistence Setup, Onionshare, tools for decrypting and using VeraCrypt volumes, luksformat and cryptsetup for creating encrypted partitions, and so on.

  • inspect and monitor network use (aircrack-ng)

  • cryptocurrency tools (Electrum Bitcoin Wallet)

TAILS includes many other standard privacy/anonymity utilities like KeePassX for key management. It also features some clever nuggets that are designed to resolve traditional anonymity/privacy problems with VMs, such as erasing memory on shutdown to ensure that no temporary file contents are still visible (though deleted) after editing or system swapping.

Figure 2.7. Starting tor in TAILS

Starting tor in TAILS

TAILS delivers a complete GNOME-3 desktop environment, though its menu appearance on the default desktop has, of course, been customized. The following list summarizes the requirements for a TAILS 3.13.1 system, which was the latest stable release at the time that this document was last updated:

  • 64-bit, x86-64 desktop or server system

  • 2 GB or more RAM

  • 10 GB or greater SSD, SATA, PATA, or USB storage

  • DVD reader or the ability to boot from a USB stick

TAILS’ release notes state that it is relatively fast to rebuild live TAILS if you want to add additional utilities, which is cool. Though you’d really have to work hard to get a virus into a Linux distribution, let alone a live Linux distribution, it would be nice if TAILS included some free anti-virus software like Malwarebytes or similar tools, just for peace of mind.

Whonix do you love?

(Home Page:

Whonix is a Debian-based Linux distribution that lives atop virtual machine environments such as KVM and VirtualBox, and provides two complementary virtual machines, Whonix-Gateway and Whonix-Workstation. These combine to isolate the workstation/user environment from the gateway which ensures that all external network events are routed through Tor. As virtual machines, Whonix must be installed on the host that provides a supported virtual machine environment, which opens it up to use on most Linux systems, as well as on Windows and Mac OS systems - Tor, a VPN, and the virtualization software are the key requirements of the software environment.


The Whonix web site is wallpapered with warnings about the fact that Whonix is actively under development, and therefore shouldn't be trusted to guarantee anonymity. I appreciate those warnings, but they feel a lot like excuses in advance so that the Whonix folks can say "...but we warned you..." when the thought police take me away and give me an adjoining cell to the hillside strangler. Whonix is a great idea and I have donated money to them in the past, but I would wait to use it until they stop apologizing in advance for potential problems. If you're that worried, you may be reading the wrong document in the first place.

Figure 2.8. Whonix-Gateway desktop

Whonix-Gateway desktop

Even though its warnings can be disconcerting, Whonix's ease of installation, ease of operation, and its technical elegance mean that it has a lot going for it. The isolation of the user/desktop environment from the actual desktop environment preserves anonymity and helps guarantee privacy. MAC addresses can't be directly tracked back to a system that can't be talked to directly - at best, its existence can be inferred. This isolation also basically guarantees protection from IP/DNS leaks and fingerprinting. Traffic and thus conversations can't be eavesdropped on, because all traffic from the gateway is encrypted. Even though the gateway participates in all communications, traffic to and responses from the dark web is impressively fast, largely bound by the response time and throughput of the remote system.

Figure 2.9. Whonix-Workstation desktop

Whonix-Workstation desktop

As far as software goes, the whonix workstation features a rich selection of pre-installed/pre-configured dark web-related tools, from the tor browser, XChat (configured as described in the Tor project wiki), and the Thunderbird email client, to desktop user applications such as VLC. n addition, any Debian desktop application can easily be installed using the familiar apt and apt-get tools.

Recommended minimum system requirements for Whonix (the latest version at the time that this book was last updated) are the following:

  • Dual core processor, 2GHZ or better

  • Graphics card and monitor capable of at least 800x600 resolution

  • 6 GB memory recommended for running VirtualBox and 2 virtual machines

  • 10 GB storage recommended (minimum) for local of VirtualBox, the two virtual machines, add-on applications, and local data storage

Recommendation: Which Linux?

The Linux distributions that were discussed in this section each have their advantages and disadvantages, and are all suitable for us to explore and learn from the dark web. My favorites are:

If you're installing Linux on a hard disk or SSD, MOFO or TAILS Linux seem to be the best out-of-the-box distributions for dark web exploration, and have been my favorite for a while. Both are excellent, powereful, and well-supported. (TAILS has a bigger fan club, bt maybe you and I can help fix that.)

If you're trule paranoid and fairly techy, you can then install a VPN on the desktop distro and also install VirtualBox on the system. Configure the VPN to start and connect automatically. Within VirtualBox, install the Whonix XFCE Gateway and Workstation as virtual machines. You can then either surf the dark web from the desktop distro after activating its anon-surf mode or a VPN or, for the height of paranoia, surf from within the Whonix Workstation under VirtualBox. The MOFO and TAILS distributions provide all of the power, security, and privacy you’ll need as you become one with the dark web while you can still use either for your daily driver desktop.


You’ll still need to integrate encryption into your files or filesystems, just in case.

If you're going to run Linux from a USB drive so that you have a portable surfing platform, install Dat Mofo Linux on that drive. After booting, activate the SoftEther VPN, and you're good to go. See Chapter 3, Installing Linux on a USB stick for more information.

Of the rest, Qubes OS is the most interesting, but its hardware requirements and the extent to which it has to be customized and re-updated after each regular update makes it likely that you may miss or simply misconfigure something during an update or upgrade. TAILS is popular and powerful, but it has been around for a while and most people will want to add a fair number of applications to be comfortable.

Chapter 3.  Installing Linux on a USB stick

As mentioned earlier, booting a live, secure Linux distribution from a USB stick is a great way to introduce yourself to exploring the dark web without building a complete system from scratch. Combined with the persistent storage provided by modern Linux kernels and Ubuntu-based distributions, a USB-based distribution can be a temporary learning experience or a long-term, portable, and secure dark web surfing machine.

The next few sections explain how to burn a Dat Mofo Linux 7.0 (hereafter just referred to just by the initials DML) distribution to a USB stick that is 8 GB or larger. An 8 GB stick provides plenty of space for the DML kernel and distribution (both of which are in the image that the DML folks provide), and plenty of space for 4 GB for persistent stage across reboots. In this example, I'll use a 32 GB USB stick that I'll partition into two partitions, one for Linux and persistent storage, and another that I can mount for additional storage, if needed (such as when transferring large files between systems). Doing this (and choosing the type of filesystem that you want to use) is discussed in the beginning of the next section.


This section and its subsections are written in lots of detail so that even a Linux noob can follow them. If you're more wizardly, I apologize in advance for all the extra words. Everyone deserves privacy and anonymity, and everyone should learn Linux, so... lowest common denominator and all that.

Partitioning and formatting USB storage

It's a good idea to put bootable USB distributions on a USB stick that also contains a regular Microsoft Windows, Apple MacOS, or Linux partition. You can mount the regular partition and use it to store files when running from the live USB distribution. After shutting down, you can mount the regular partition on another machine to copy the files there. This enables you to easily access those file from another machine even when you're not running the live Linux USB distribution.

If you're using a USB stick that's larger than 8 GB, you should first partition it to create a permanent partition in the extra space. This can be formatted with any format that is supported by your other systems:

  • FAT32, VFAT, or NTFS - for easy interchange with Microsoft Windows 2000 and later systems, as well as with Apple MacOS systems. Mac OS X has always been able to read NTFS drives, but its NTFS write support must still be manually enabled and is considered experimental (i.e., not guaranteed and not deeply supported). For best results, use NTFS for exchanged with Windows systems, and VFAT for exchange with MacOS systems. Paragon Software offers a more robust MacOS driver for MacOS if you insist on read/write NTFS.

  • EXT2, EXT3, or EXT4 - for data exchange with Linux systems. EXT4 is primarily EXT3 with support for extents, while EXT3 is EXT2 with journaling support, so I typically use EXT2 on spare partitions. (Both of these filesystem comparisons are trivial Reader's Digest version of a real comparison.) Paragon Software offers an EXT2/EXT3/EXT4 driver for MacOS and one for Windows, if you insist on EXT* but need to coexist with a Mac or Windows box.

  • HFS - Really? You can use the Mac's old Hierarchical File System on a USB stick if you've installed the hfsplus and hfsutils packages on the version of Linux that you're writing to the USB stick, but... Really? OTOH, I admire the fact that you're still using your Fat Mac.


If you have another filessystem type on your stick or other external medium and you Linux system can't read it, you may need to load a FUSE (Filesystem in User Space) driver for it. Check your system's log and package list to see what packages you need.

I generally suggest using VFAT for maximum read/write compatibility with other systems (Windows, Mac OS X, or Linux) and EXT3 if you just need to coexist with a post-2007 Linux system.

The Linux utility to use to partition a disk drive (including USB disk drives) is fdisk (fixed disk) command. This utility is found on almost all Linux distributions. The process of using fdisk to partition a USB stick is the following:


Make absolutely sure that you are addressing the right disk before issuing any command that writes to the USB stick. It is very difficult, if not impossible, to recover or restore data from a disk that has been re-partitioned and reformatted.

  1. Execute the sudo -s command to ensure that you have the permission required to read the system logs and modify fixed media. Supply your password if required.

  2. Use the system log to make sure that you're going to specify the right drive when starting the fdisk command: If the USB stick is currently plugged into your Linux system, unplug it and then plug it back in. If the USB stick is not plugged in, plug it in.

    Look at the end of the system log to see how the system identified the USB stick. The section in which it is identified will look something like the following (irrelevant prefix data has been redacted):

    ...[11559.211237]  sdc: sdc1
    ...[11559.213020] sd 3:0:0:0: [sdc] Attached SCSI removable disk
    ...[11559.204571] scsi 3:0:0:0: Direct-Access  VendorCo ProductCode 2.00 PQ: 0 ANSI: 4
    ...[11559.205709] sd 3:0:0:0: Attached scsi generic sg3 type 0
    ...[11559.206280] sd 3:0:0:0: [sdc] 61440000 512-byte logical blocks: (31.5 GB/29.3 GiB)
    ...[11559.207721] sd 3:0:0:0: [sdc] Write Protect is off
    ...[11559.207724] sd 3:0:0:0: [sdc] Mode Sense: 03 00 00 00
    ...[11559.208797] sd 3:0:0:0: [sdc] No Caching mode page found
    ...[11559.208803] sd 3:0:0:0: [sdc] Assuming drive cache: write through

    In this example output, the USB stick has been identified as sdc, and currently only has one partition, sdc1. Common ways to see the end of the system log are:

    • If the file /var/log/syslog exists, execute the tail command to see the end of the log

    • On systems where the system log is binary because they use systemd, execute the command journalctl -b | tail to see the end of the system log that was recorded since the last system boot.


      By default, the tail command displays the last 10 lines of its input. If you need to see more lines from the end of the file, use the -n num option.

    For the rest of this section, I'll call the USB stick by its right name - a USB drive - and use /dev/sdc as the basename of the example USB drive. You should obviously replace /dev/sdc and /dev/sdc1 with the basename of your USB drive and the name of the first partition on that drive.

  3. Execute the fdisk command followed by the name of your USB drive. The fdisk command displays an introductory message, and then finally displays a prompt:

    # fdisk /dev/sdc
    Welcome to fdisk (util-linux 2.31.1).
    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.
    Command (m for help):
  4. Execute the p to see the current partitioning scheme to ensure that you are working with the correct disk:

    Command (m for help): p
    Disk /dev/sdc: 29.3 GiB, 31457280000 bytes, 61440000 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x023fbda6
      Device           Boot Start  End Sectors  Size Id Type
      /dev/sdc1  *	   64 61439999 61439936    29.3G  c W95 FAT32 (LBA)
  5. Execute the d command to delete any existing partitions. If only one partition exists (as in this example), no partition number is required as an argument. Otherwise, multiple d commands are required, each of which must be followed by an integer that identifies the partition to delete:

     Command (m for help): d
     Selected partition 1
     Partition 1 has been deleted.
  6. Execute the n command to create a new partition. The fdisk then prompts you for the partition type, either primary or extended. Primary partitions are specific portions of the physical storage, whereas extended partitions are logical portions of a part of the physical drive.

     Command (m for help): n
     Partition type
      p   primary (0 primary, 0 extended, 4 free)
      e   extended (container for logical partitions)
    Select (default p):
  7. Since a standard drive that uses the traditional MBR (Master Boot Record) partition table can have up to three primary partitions, we'll create the partition as the default, which is a primary partition, by pressing <return>. We'll also create the the default partition (by number) by pressing <return>, and have the partition start at the first sector that is not part of another partition, which is sector 2048 in this case. by pressing <return> again.

    Using default response p.
    Partition number (1-4, default 1):
    First sector (2048-61439999, default 2048):
  8. The fdisk program then prompts you for the last sector to be assigned to assigned to the partition. Since 30719999 is half of the total, I enter that value. That's the last data that the fdisk program needs, it creates that partition and re-displays its prompt.

    Last sector, +sectors or +size{K,M,G,T,P} (2048-61439999, default 61439999): 30719999
      Created a new partition 1 of type 'Linux' and of size 14.7 GiB.
    Command (m for help):
  9. Execute all of the previous fdisk command again to create the second partition, accepting all of the default values since partition 1 has already been created, filling the first half of the disk.

    Command (m for help): n
    Partition type
     p   primary (1 primary, 0 extended, 3 free)
     e   extended (container for logical partitions)
    Select (default p):
    Partition number (2-4, default 2):
    First sector (30720000-61439999, default 30720000):
    Last sector, +sectors or +size{K,M,G,T,P} (30720000-61439999, default 61439999):
      Created a new partition 2 of type 'Linux' and of size 14.7 GiB.
  10. Execute the fdisk command's w command to write the new partition table to disk and exit the fdisk program.

    Command (m for help): w
    The partition table has been altered.
    Calling ioctl() to re-read partition table.
     Syncing disks.

Congratulations! You've just partitioned your USB drive/stick into two new equal-sized partitions. Now, in order to use them, we'll format them both. formatting the first one as an EXT2 partition so that it can be mounted and used by the unetbootin program (discussed in the section called “ Writing a Linux distribution to USB storage ”), and the second as EXT3 so that we can mount it and use it to hold files after booting from the finished USB stick.

Formatting the partitions on your USB storage

Partitioning the USB stick was fun, but the next step before actually writing the disk image to the USB stick is to create filesystems on those partitions so that we can write data to them. Hewlett-Packard put it best in a manual for one of their early UNIX (actually, HP-UX) systems when they said:

"On a clear disk, you can seek forever."

Ah, those nerd jokes! At any rate, we'll now create filesystems in the partitions that we created so that we can write data to them (and read it back afterwards, if we need to):

  • /dev/sdc1 - We'll create an EXT2 filesystem on the first partition because it must be auto-mounted by unetbootin. This is the utility that we will use to write the bootable Dat Mofo Linux distribution to the USB stick. This includes 4 GB of filesystem overlay space that provides persistent storage for any changes that we make or files that we create. Using unetootin is explained in the section called “ Writing a Linux distribution to USB storage ”.

    This partition is created as EXT2 because it must be mounted by the unetbootin utility, and because we will allocate some space for an overlay filesystem to save changes, and overlay filesystems should not be journaled because that delays writes and makes it more difficult to stay in sync with the use of the changes to the base filesystem.

  • /dev/sdc2 - We'll create an EXT3 filesystem in this partition because we will be mounting for extra persistent storage and data interchange with other systems. Journalining will defer writes and thus improve responsiveness when using this filesystem from Dat Mofo Linux.

To create an EXT2 filesystem on the first partition of the USB stick, execute the mkfs.ext2 command via sudo. (I use sudo -s so that I can execute multiple command as root without prefacing each with"sudo".) The mkfs.ext2 /dev/sdc1 command and its output is shown in Figure 3.1, “Using mkfs.ext2”.

Figure 3.1. Using mkfs.ext2

# mkfs.ext2 /dev/sdc1
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 3839744 4k blocks and 960992 inodes
Filesystem UUID: 1666b928-6eff-45e5-b60e-ffd95d9de366
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done118
Writing inode tables: done118
Writing superblocks and filesystem accounting information: done

To create an EXT3 filesystem on the second partition of the USB stick, execute the mkfs.ext3 /dev/sdc2 command via sudo. The mkfs.ext3 /dev/sdc2 command and its output is shown in Figure 3.2, “Using mkfs.ext3”.

Figure 3.2. Using mkfs.ext3

# mkfs.ext3 /dev/sdc2
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 3840000 4k blocks and 960992 inodes
Filesystem UUID: 16387ed5-9b53-4e7c-b813-36b5e280bfe0
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done118
Writing inode tables: done118
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

Since these are making an EXT2 and EXT3 filesystem, respectively, the only difference is that making the EXT3 filesystem adds the journal.

Writing a Linux distribution to USB storage

You won't be surprised to hear that there are a zillion different tool that you can use to create a bootable USB stick from an ISO image of a zillion different Linux distributions. This section uses UNetbootin to write a bootable Linux USB stick because it's a graphical tool that lets you do this from a Windows, MacOS, or Linux box. Regardless of whether you're a Windows or MacOS refugee or a Linux fan who just wants to dabble with the dark web without messing with their existing Linux desktop, unetboootin is a great, easy-to-use tool.


The other tools that I'm familiar with are primarily Linux software, but still relative easy-to-use. Of these, mkusb (dus) is my favorite, and there's a nice How-To Geek article on using it from a Linux box. There's also something called the LinuxLive USB Creator for Windows that burns a bootable Linux USB stick but doesn't currently support persistent storage.

Before doing anything, download the Dat Mofo Linux 7.0 distribution by clicking the Direct Download button on their web site and saving the downloaded ISO file to the local disk.

Next, regardless of the platform that you're using, the first step in using UNetbootin is getting it from their web site, shown in Figure 3.3, “The unetbootin web site”.

Figure 3.3. The unetbootin web site

The unetbootin web site

After getting to their web site, click the button for the platform on which you be running UNetbootin. Clicking the Windows or MacOS buttons immediately starts a download of the UNetbootin installer for that platform (EXE or DMG, respectively), while clicking the Linux download button takes you to the page shown in Figure 3.4, “Downloading unetbootin from its web site”. This page gives information on how to install UNetbootin from the Ubuntu PPA (Personal Package Archive) if you're running Ubuntu, or how to simply download statically-compiled 32-bit or 64-bit binaries for Linux if you're not. The page also provides links to platform-specific binaries for Linux distributions such as Ubuntu, Debian, Fedora, SuSe, Arch, and Gentoo, plus a tarball of the source code and a link to the live source code in Github.

Figure 3.4. Downloading unetbootin from its web site

Downloading unetbootin from its web site


If you're running Ubuntu, using the PPA is a good idea because this lets you download the most recent version of UNetbootin and also keeps you plugged in for any updates that are released in the future.

If you've downloaded the binaries from Figure 3.4, “Downloading unetbootin from its web site”, you have to make them executable in order to run them. To do so, either:

  • from a terminal window, change directory (cd) to the directory to which you downloaded the binary, and execute the command chmod +x ./unetbootin-linux

  • from the graphical desktop, navigate to where you downloaded the file, left-click on the file that you downloaded, select Properties-<Permissions and check the Execute checkbox)

You can now start the application by double-clicking on the file in your graphical desktop or by executing sudo ./unetbootin-linux from the terminal window. I recommend the latter so that you are guaranteed to have the privileges necessary to mount and format drives. Otherwise, the unetbootin command will prompt you for a privileged password when you begin to write to the USB stick.

Figure 3.5. Using unetbootin

Using unetbootin

You will see a screen like the one shown in Figure 3.5, “Using unetbootin” when UNetbootin finally starts. This is the only screen n which you will enter data. The screen shown in Figure 3.5, “Using unetbootin” shows the screen with all of the values configured for writing our DML IO to the USB stick. In order, the fields on this screen are the following:

  • Select Distribution and Select Version - each of these buttons activate a drop-down that (big surprise!) enable you to select a Linux distribution and a version of that distribution that you want to install. Using these drop-downs is really cool because you don't have to download the distribution/version that you select, because UNetbootin will do it for you. Unfortunately, Dat Mofo Linux (DML) is not on the list, which is why we downloaded it at the beginning of this section. Maybe it will be on the drop-downs in the future, and I'll get to delete these sentences. Until then, the next item in this list will have to do...

  • Diskimage - enables to select ISO or floppy from a drop-drown, navigate to the location where you've stored or downloaded an image, then select that image.

  • Space used to preserve file across reboots - if the distribution that you're installing on the USB stick is an Ubuntu-based distribution, you can use this text-box to enter an integer number of megabytes (between 0 and 9999) that UNetbootin should allocate for an overlay in which changes to the filesystem on the USB stick will be recorded. (Hint: use a power of two for best results.) Specifying some amount of storage here enables you to expand and upgrade DML, adding additional packages, adding a different editor, or whatever else would make you happy to see the next time you boot from the USB stick.

  • Type - enable you to select a type of storage (USB drive, sdcard, etc.) that UNetbootin has detected as being present on your system.

  • Drive - enables you to select the device associated with the type of storage device that you selected previously.

  • OK or Cancel - clicking OK begins writing to and creating the bootable USB stick. Clicking Cancel terminates and closes UNetbootin.

In this example, I chose the settings shown in Figure 3.5, “Using unetbootin”: selecting DiskImage, navigating to and selecting my downloaded ISO of Dat Mofo Linux 7.0, specifying 4096 MB of space (this is, 4 GB) to preserve files, and selected the right device that corresponds to my USB drive. After double-checking that I didn't typo anything, I clicked OK to begin the process of creating a bootable version of DML on my USB stick.

Figure 3.6. Status screen while using unetbootin

Status screen while using unetbootin

Beginning the write process displays status screens such as the one shown in Figure 3.6, “Status screen while using unetbootin”. These are nice because I like to know that something is happening. Otherwise you could look at your USB stick to see if it lights up and flickers as it is being written to, but not all of them do that.

Figure 3.7. The unetbootin success screen

The unetbootin success screen

When the write process completes, the screen shown in Figure 3.7, “The unetbootin success screen” displays. Safely eject the USB stick by doing the right one of the following for the operating system that you're using:

  • Linux - in a terminal window, type the following command: eject /dev/your-device.

  • MacOS - open a finder window and click the name of the dr(Taive in the left column. Select Eject from the pop-up menu that displays.

  • Windows - from the system tray in the lower right-hand corner of the Windows 10 screen, select the Eject icon. You may need to click the upward-facing arrow in the left side of the tray to see it. This displays a drop-down menu that includes the name of your USB drive. Select that and Windows will finalize all writes to the disk and display a message when it's safe to remove the drive. Other versions of Windows are similar.

After you've ejected the drive, it's a good idea to test it immediately. Reboot your system, plugging in the drive when the existing system goes down. When you see the grub screen, type e to edit the boot command, and add the word persistent to the kernel boot line (after the filename of the kernel). Press the F10 key to continue the boot process. When DML comes up, displaying a background image with two workspaces available, congratulations!

Now I have a bootable secure OS - Why read more?

Sorry to perhaps disappoint you, but just having a car doesn't mean you know how to drive, where you want to go, or how best to get there. Subsequent sections of this document are important for the following reasons:

  • Chapter 4, My kingdom, or 0.005 bitcoin, for a VPN - explains why you should run software on your system so that your system is part of a VPN (virtual private network). This is critical to help guarantee your anonymity. VPN software also encrypts the network communication over the VPN, making packet-sniffing useless and helping ensure your privacy. If no VPN software is included with the system you're using, this section identifies some possibilities.

  • Chapter 5, Obtaining, installing, and configuring the tor browser - anything that you look or search for on the dark web should be done in a secure, non-packet-traceable browser. For your safety, purchases in dark web markets must be made in a secure browser.

  • Chapter 8, Finding stuff on the dark web - one you're on the dark web, you'll need to find whatever you're interested in, whether you browse a relevant site or market, or use a dark web search engine.

  • Chapter 6, Creating secure email and alternatives - if you purchase an external VPN package, buy anything on the dark web, or simply want to communicate with another dark web user, you'll want to receive secure mail through an account that isn't tied to you personally in any way.

  • Chapter 10, Buying and safely paying for stuff - whatever you buy on the dark web, you'll want to be able to pay for it anonymously, and you'll need to understand the payment process and the different ways that you can pay for it.

Chapter 4.  My kingdom, or 0.005 bitcoin, for a VPN

Ordinarily, your computer system's IP address can be used to determine your computer system's location. Most computer systems get their names based on their IP address via network requests using DHCP (the Dynamic Host Control Protocol), which typically constructs host names from the sequence of hosts that your machine must traverse to reach it within the context of your ISP. You may subscribe to a service that gives you a fixed IP address or which maps it to a static host name, but you almost certainly have a hierarchically-constructed host name lurking out there somewhere.

Commands like traceroute make it easy to see the network path that packets take to get from your machine to another. This is obviously unsuitable for private or anonymous network use, since you might as well point a huge illuminated sign at your machine if you decide to do anything that you don't want to share with any interested cracker or three-letter agency. What's a girl to do?

The answer is to create and use a VPN - a Virtual Private Network. All done via software, the process is basically:

  1. Create a virtual network and virtual network adapter on your system. When creating the virtual network, define the type of encryption that it will use.

  2. Assign one end of that network to a remote host, and assign your computer to be a member of that network via that adapter

  3. Make that virtual adapter be the primary network interface used by your system

In other words (in nerd speak), a VPN is a set of one or more virtual network interfaces that appear to be on their own network, are encrypted with a shared key or secret, and whose IP addresses are independent of those that are assigned to the corresponding physical network interface(s) of the actual hardware.

VPNs function as an encrypted tunnel over less secure networks, and enable you to use shared, potentially unprotected or insecure infrastructure while maintaining security and privacy via tunneling and standard network security mechanisms and protocols. A VPN enables you to create a secure connection to another network over the same or another network. Because the data flowing over this virtual network and connections to it is encrypted, the data cannot be intercepted and read by a third party or your least favorite hacker. An additional level of encryption hides the sending and receiving addresses.


See a contrarian view of VPNs for more/different opinions about the value of VPNs and Tor in general.

Why a VPN?

Beyond the lower-level security-related issues listed at the end of the previous section, there are a number of good reasons to use a connection to a VPN at all times:

  • Complete anonymity when using the Internet. No one knows you're a dog when you're using a VPN, let alone where your doghouse is located.

  • Eliminate geo- or location-locked limitations on the content that you can view. The network can be logically “positioned” wherever any connection to it is located, enabling access to region-restricted websites by assigning one end of the VPN to a network region that is allowed access). Porn, anyone? Torrents?

  • Last line of defense when using tor. Because of its complexity and power, Tor can be vulnerable to flaws which reveal your IP address, location, identity, and so on, and which may just have been discovered by the Cercetasii Romaniei (boy scouts) in Romania. Using a VPN with Tor can prevent against or at least obfuscate A VPN affords privacy, while Tor supports anonymity. Internet providers can detect when Tor is being used because Tor node IPs are public. If you want to use Tor privately, you can use either a VPN or Tor Bridges (Tor nodes that are not publicly indexed). US Tor users in particular should use a VPN, which will be faster and more reliable.

  • Eliminate centralized services that are sometimes required by streaming software to work around or legally interact with open-source services such as Kodi.

  • State of the art encryption to protect your personal information, chats, emails, bank details, photos, sensitive business documents, etc. This is especially valuable when you are using public Wi-Fi.

What is 5 EYES and why do they suck?

Each of the VPN descriptions provided later in this chapter identifies where the headquarters of its parent company are located because that plays directly into privacy concerns such as the 5 Eyes effect. This is the term (often abbreviated as 5EYES) for an English-speaking intelligence alliance comprised of Australia, Canada, New Zealand, the United Kingdom, and the United States (i.e., the anglosphere. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence, a classic misnomer if ever there was one. 5EYES participants are the real scumbags that you want to protect your information from, but no such luck.

Originally created just to monitor communication to/from/in Soviet republics, UKUSA is now used to monitor billions of private communications all over the world as long as they originate in or are being sent to one of the participating countries. 5EYES is a great example of an attractive houseplant that turned into kudzu. In addition to active monitoring, 5EYES cooperation also enables logs and other information to be demanded from parent companies that are located in a participating country.

If 5EYES eavesdropping isn't nauseating enough because 5 is a small number, there is also 9 Eyes and 14 Eyes. 9 Eyes is 5EYES plus Denmark, France, the Netherlands, and Norway, with the same touchy-feely goals, lack of morals, and cockiness that made us all detest 5EYES. Not wanting to be left out, most of the rest of Europe jumped in to form 14 eyes, which is 9 Eyes plus Germany, Belgium, Italy, Sweden, and Spain. I'm sure that Portugal, Luxembourg, Monaco, and Finland are coming soon in 18 Eyes. Israel is an honorary member of 5 Eyes and therefore of `every superset, but they don't count towards the total.


For more information about 5, 9, and 14 (or more) EYES, either see 5, 9, and 14 EYES or just place a call about drugs, money, and revolution and wait for the men in black.

Every map of the United States, especially, should come splashed with the legend "Here there be bogons.". For a place that started out based on the idea of freedom of speech, the USA today is really an onerous mess.

Censorship is to knowledge as lynching is to justice

Censorship, AKA cloistering information, means to block access to supposedly dangerous or politically questionable information so that you and I don’t hurt ourselves by knowing too much or getting correct information. Henry David Thoreau, a white hat before there were computers, once said:

“If I knew for a certainty that a man was coming to my house with the conscious design of doing me good, I should run for my life.”

Hackers have no malicious intent, and help us all by opening resources so that we can access them, understand them, fix problems, and really know what's going on. Thanks, Edward Snowden, for letting us know that tin foil hats are often justified - you deserve a Nobel prize!

I am proud to be an American due to our history of freedom, innovation, and invention. I am disgusted to be an American when I see things like 5 EYES and friends, or legislation like SOPA (the Stop Online Piracy Act and PIPA (the Protect IP Act) being proposed and hotly debated. These are bills that purport to do good, but really just benefit the greedy media companies. We already have the greedy and disgusting RIAA (Recording Industry of America)? How many Satans do we need? Luckily, SOPA and PIPA were defeated, and even though they may have had some good points, they offered other censorship and anti-freedom possibilities that would have made Hitler and Goebbels blush. Remember the death of the original Napster? Shot to pieces like a dog in the street.

The point of that little rant was to highlight that knowledge is power, and withholding information for whatever reason is the abuse of power. The next few sections discuss how get around some governments' abuse of power in this fashion, discussing common censorship tricks and how to (try to) get around them.


This is a good point at which to mention that supporting the Electronic Frontier Foundation (EFF) is one of the best things that you could ever do. Freedom isn't itself free, and just like Superman, the EFF is always on the side of truth, justice, and the intent of the American way. Donate!

When you are affected by site or content blocks, the first thing you should always try as a fix is to install and activate a VPN. After all, you should always be running a VPN for basic privacy and some anonymity help (because it changes your geo-location). Depending on how active the blockers are at blocking the IP addresses used by the VPN, that may be all you have to do to get around content and site-blocks based on your physical location.

Some good sites with a vast amount of such information are the following (if they aren't blocked, that is):

Avoiding DNS filtering, hijacking, and redirection

If you are being blocked when you try to access a site by host name, there are a number of workarounds that you can try. Their success depends on how accessing the host by name is being blocked:

  • Try accessing a blocked host by IP address rather than by host name. If you don't know the host's IP address, try using the dig command to retrieve it. If that is blocked because your default name server does not contain an entry for it, use a known safe name server and syntax like:

              dig  @nameserver  host-name

    Some open and trustworthy name servers are the following:

                # Google
                # Google
              208,67.222.22      # OpenDNS
         # OpenDNS
  • Check if your VPN software supports augmenting DNS with other name servers. If it does, enter the name servers from the previous bullet as alternatives. Many VPN providers run their own nameserver that are immune to the changes that censors make, but they may be blocked. Providing safe, public alternatives is always a good idea (as long as they are not blocked).

  • Try entering the IP address of the site that you want to access in another base, such as octal or hexadecimal.

  • Use the Tor browser. The use of Tor's multi-hop resolution and display routing technique will circumvent many URL blacking schemes because the multi-hop nodes may not be filtered or blocked.

  • Try to use the Wayback Machine to see a recant version of the site. The Wayback Machine crawls most of the internet frequently, and has more disk drives than god.

Freedom by proxy

According to Merriam-Webster:

"Proxy comes from a contracted form of the Middle English word procuracie (meaning “procuration”). A proxy may refer to a person who is authorized to act for another or it may designate the function or authority of serving in another's stead."

In the web context, a proxy refers to a web server that effectively replaces the front end of one or more search engines It submits your queries and displays the results for you so that the query appears to be coming from the proxy's IP address and geo-location, not yours. This is effective method of working around blocks of search engine sites by name and/or IP address. Some examples of such sites are:

Even if one or more of these proxy sites work for you at first, they will eventually be blocked if the Nazis who are censoring your queries know what they are doing.(IT-wise, not evil-wise, since they're certainly good at the latter). A better solution in this case is to set up your own proxy server. All you need to do that is a friend in a free country who is willing and competent enough to install and configure some proxy server on a machine that they have admin privileges on.


If you're happiest with someone else providing your proxy but need to stay up-to-date with what's available, MyIPHide offers free lists of US, UK, SSL, Google, and Anonymous proxies. You can also purchase larger up to the minute lists of HTTP proxies and SOCKS proxies. You can also purchase access to their fast, encrypted proxy service.

Some free proxy servers that you can get someone to download, install, and configure are the following:

  • - this proxy runs on Microsoft Windows platforms. It is free but not GPL.

  • Squid is everyone's favorite GPL proxy, and I can attest to the fact that it is powerful but still easy to compile, install, and set up. See Wikipedia for more praise and general information. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.

  • - free, GPL, and well-regarded. See

  • - A secure SOCKS5 proxy that must be compiled, installed, and configured. installed.

  • - Tinyproxy is an incredibly small but robust HTTP/HTTPS proxy daemon. If you can get around censorship with a proxy, Tinyproxy makes it easy to clone Raspberry Pi systems and share them with any friends who are also interested in freedom. GPL, of course.

Useful browser extensions

One usually wants to configure things so that you whole machine is ready to go anywhere, at any time. On the other hand, a bird in the hand is worth an infinite number in the bush. That's the theory behind customized tools like tor (see Chapter 5, Obtaining, installing, and configuring the tor browser ), and that's also the theory behind browser extensions that can increase privacy for any browser session. The next few sections discuss some handy browser extensions that can help you get around traditional search blockage, and increase content privacy wherever you go.

HTTPS Everywhere

As discussed in the section called “ Differentiating between privacy and anonymity ”, anonymity is security of identity, whereas privacy is security of content. HTTPS (Hypertext Transfer Protocol Secure) helps guarantee privacy by encrypting communication between a remote web server and your browser so that you can look at whatever you want. TLAs and other misguided voyeurs will know the IP address and port of the site that you are visiting, but not what particular pages you're viewing.

HTTPS Everywhere is a browser extension that forces trying for an HTTPS version of the sites that you visit, before falling back to an insecure HTTP version. The encryption that HTTPS provides increases privacy and thus makes your browsing more secure. This content security makes it more difficult for censors to see what you are viewing, but not what site you're visiting. You should always use this extension to get as close to privacy as possible

Chrome Ultrasearch extension

Ultrasearch provides a sanitized search extension for Chrome that was originally developed to fight Chinese censorship. Their slogan is "Privacy, Security and Freedom". Easy to install, and enables you to browse the web safely and freely!

Censorship circumvention tools

Hola, Lantern, Psiphon, and others are free or freemium and open-source Internet censorship circumvention tools. These are privacy tools, not anonymity tools, and use a combination of secure communication and obfuscation technologies (VPN, SSH, and HTTP Proxy) to circumvent web and IP blocks that are implemented by modern Nazis to prevent people from accidentally learning about "forbidden" topics. (Forbidden topics are generally those that don't agree with the party, government, or prevailing moral line.) Since this is the modern, open source universe, there are many similar projects aren't discussed here, that may never have gotten off the ground, or which may have died the mung fade (RIP Haystack, for example). I just don't know them all, but knowing that some exist will hopefully inspire you to look for others if you want to know more. Please let me know if I've missed something, and one of us can add it to a future version of this document.

  • Hola - collaborative, community-powered, peer-to-peer (P2P) proxy software that shares the idle resources of its users for the benefit of all. The Hola VPN combines traditional VPN architecture and peer-to-peer technology routes traffic through other peers (nodes) in the Hola VPN network, reducing costs by eliminating the requirement for power-hungry, easily seized, centralized servers.

  • Lantern - peer-to-peer proxy software that leverages a network of trusted users who share their bandwidth with those who are in countries where the network is partly blocked. Connections are dispersed between multiple computers running Lantern so that this proxying does not put undue stress on or point virtual fingers at on a single connection or computer. (Thanks for that summary, Wikipedia!) One of the primary people behind Lantern is a former lead developer for Limewire, a cool and powerful music sharing application that was unfortunately crushed under the jackboots of the insipid and foul RIAA.

  • Psiphon - proxy software that leverages a centrally managed and geographically diverse network of thousands of proxy servers, using a performance-oriented, single and multi-hop architecture. Psiphon is specifically designed to support users in countries considered to be "enemies of the Internet" - in other words, that are enemies of the free, open, and un-censored sharing of information. The codebase is developed and maintained by Psiphon, Inc. which operates systems and technologies designed to assist Internet users to securely bypass the content-filtering systems used by governments to impose censorship of the Internet. (Thanks for that summary, Wikipedia!)

Free and commercial (i.e., freemium) versions of all of the packages listed in the previous list are available.

Must-have VPN features

To provide all possible goodness in a truly secure fashion, VPNs and their developers should provide features such as the following:

  1. No logging. If the FBI or NSA raid your provider, no activity or other logs should be discoverable with a paper finger pointed firmly at you.

  2. High performance, regardless of remote connection location

  3. A fast kill switch for the VPN and for applications that you can specify because you are specially concerned about them, in case connectivity is interrupted or evil government scumbags are eagerly snooping around or closing in

  4. TOR compatibility and interaction

  5. Doesn't step on specific applications and their protocols (bittorrent, Netflix, and so on)

  6. Nice-to-have: Supported on all popular platforms

Some popular commercial VPNs

There are more VPNs than there are word processors nowadays. including free solutions and open source software (OSS) toolkits that enable you to roll your own. While I am a hard-core advocate of open source software, I am also an expert in knowing what I am not an expert in - and that is low-level security software. My favorite VPNs are the following (in order), based on my personal experience. Monthly cost at the time that this document was last updated is provided if you want to try any of these out for your use case.

  • NordVPN - (My personal favorite) Good: no logging; high performance, works great with services like Netflix, works fine with torrenting or peer-to-peer, no problems with dark web URLs, offers add-ons like double VPN (encrypts data twice) and dedicated IP (be careful when and why you use this!), enables VPN routing before Tor, anonymous payments supported via multiple cryptocurrencies. Headquartered in Panama. 5000+ servers worldwide. Problems: occasional speed hiccups and not much more. Chrome browser extension (not required and not recommended) causes frequent restarts, logouts, and per-country selection failures. (Just don't use it!) Cost: monthly, $12 US std, longer-term but less expensive subscription/purchase plans available.

  • ExpressVPN - Good: no logging, high speed, provides good access to Netflix and other streaming services, good support for BitTorrent and P2P, over 3000 servers available world-wide, provides its own encrypted DNS service, anonymous payments supported (Bitcoin), supports split tunneling (simultaneous VPN and non-VPN user-specified applications), features nice UI. Problems: Headquartered in the British Virgin Islands, so not immune from 5 EYES scrutiny - see their privacy policy for more info. (Sad, because this is otherwise a great package!) Seems to restrict the number of simultaneous connections from multiple devices, which can be avoided by installing it on a home router. Cost: monthly, $12.95 US, longer-term but less expensive subscription/purchase plans available. Look for coupons!

  • SoftEther VPN - The SoftEther VPN Project has created a powerful, FREE, open source VPN that is multi-platform, but is especially easy to set up and use on Linux systems. (You can download its source code for *BSD* systems, but they do not build it for *BSD* systems themselves. Native Mac OS X client support is still identified as experimental at the time that this document was last updated.) As an open source VPN (Apache 2.0 license), it is especially handy to integrate if you are assembling a Linux/*BSD* platform for redistribution.

    Good: No logging, high performance, no payment necessary. Problems: can be slow to start, since it walks through a list of possible providers in its primary configuration file, not all of which may be currently available. SoftEther VPN is structurally very similar to OpenVPN, its better known open source brother. The SoftEther controller/client is included in the Dat Mofo Linux distribution.

  • AzireVPN - Good: no logging; high performance, offers own super-secure WireGaurd protocol betweeen your client and their servers, works great with services like Netflix, works fine with torrenting or peer-to-peer, no problems with dark web URLs, anonymous payments supported via multiple cryptocurrencies. Account login and password are your choice, not autogenerated, so see Chapter 6, Creating secure email and alternatives . Headquartered in Sweden, 7 server locations in various countries. Problems: Must install tools (140+ packages, depending on what's already installed) and compile any Linux client. Cost: monthly € 5, longer-term but less expensive subscription/purchase plans available.

  • IVPN - Good: no logging, great performance in my experience, dedicated IP available, anonymous payment. Headquartered in Gibraltar. Problems: some problems with streaming services such as Netflix. Cost: monthly, $15 US, longer-term but less expensive subscription/purchase plans available.

  • CyberGhost - Good: no logging, good performance in my experience, dedicated IP available, anonymous payment. Headquartered in Romania. Problems: good UI with some issues, usually solved by a restart. Questionable Israeli parent company specializing in malware. Cost: monthly, $13 US, longer-term but less expensive subscription/purchase plans available.

  • Private Internet Access (PIA) - Good: no logging, high performance, anonymous payments. Problems: Not all servers deliver unblocked content. Headquartered in the United States, so legal protections against government data theft such as 5 EYES may be nil even though they say no logs. Cost: monthly, $4 US.


    Former Mt. Gox CEO Mark Karpelès is CTO of PIA at the time this document was last updated. That can be a good or bad thing - he's obviously clueful, but bad things have happened under his watch before. One may be an aberration, but who knows...

  • PureVPN - Good: good performance, headquartered in Hong Kong, with over 2000 servers spread across more than 140 countries, bittorrent friendly, 256-bit encryption, and some cool add-ons. Problems: super-fast claims are just super-claims, add-ons are actually added and thus cost extra money, customer reports of DNS and IP leaks, no logging policy is unclear and questionable. Cost: monthly, $10.95 US, frequent specials on longer-term subscriptions.

  • IPVanish - Good: no logging, high performance, anonymous payments. Problems: doesn't always enable access to certain applications or when using certain protocols. Headquartered in the United States, so legal protections against government data theft such as 5 EYES may be nil even though they say no logs. Cost: monthly, $10 US

  • WindScribe - Good: no logging; strong encryption; ad blocking; feature-rich desktop app. Headquartered in Canada (and thus potentially susceptible to 5 eyes scrutiny). Problems: can be slow. Cost: FREE with fewer servers and 10 GB monthly limit, otherwise monthly, $9

  • Perfect Privacy - Good: no logging; strong encryption; offers verification of functionality through a number of online tests that are available on their web site. Headquartered in Switzerland, which you would ordinarily think would make them immune from 5 EYES scrutiny, but it turns out that they will fold like a cheap suit in response to a 5 EYES information/log request. I used to respect Swiss neutrality, but that now seems to have more holes than their cheese. Problems: can be slow, and things like Netflix support are highly server-dependent. Cost: monthly, $9.99 (yearly rate)


VPNs such as ExpressVPN, NordVPN, PIA, PureVPN, Windscribe, and many more are available pre-installed on a Linksys router to avoid simultaneous device access limitations. See FlashRouters for more information.

This is just the tip of the VPN iceberg. A great source for comparing VPNs is That One Privacy Site, which is even recommended by the Electronic Frontier Foundation (EFF), so you know it's good.


After selecting which VPN, always pay for it securely using properly-mixed bitcoin, some other cryptocurrency, or a pre-paid credit card. Set any email to go to a secure email account that uses a name that can't be traced to you. You should also consider changing VPN hosts (and possibly providers) at least yearly, so that the set of IP addresses that you're coming from changes at that point. Changing VPN providers changes the set of alternate hosts the the VPN will use, helping avoid establishing a usage pattern that could be tracked.

Free VPNs with a caveat or two

The previous section discussed various commercial VPNs, listed in order of personal preference. However, I am not a hardcore security person (and have never even been asked to play one on TV) - my basis for personal preference is things like performance, number of servers, headquarter location, add-on bells and whistles, cost, and bittorrent support. However, the ones discussed in the previous section still all cost something, even some that are based on OpenVPN, SoftEther, and other free software projects. Surely, in these open source days, there must be some free VPNs out there?

I'm proud to be able to say "Yes, Virginia, there is a Santa Claus." There are actually a number of them, and the free VPNs that they've developed have been carefully compared in an impressive article by Paul Bischoff called 20+ free VPNs rated side by side, 2019 list. I'm not going to bloat this document by pilfering from Paul. If you don't have the time or inclination to read that, or can't find a free one that meets your needs, check the SoftEther site, the OpenVPN site, or buy a commercial package. YMMV. However, remember that it's your privacy that you may be messing with.


People deserve to be rewarded for their work, especially if that's all they have time to do. In the Linux and *BSD* spheres, it's quite rare to have software that costs money, and that leads many people not to be willing to pay for anything. I'm sure that Richard Stallman is starting a voodoo doll with my likeness, and I'm sorry about that, but it's worth it to me to support great software if I need to. An example of great commercial software for Linux is SoftMaker's TextMaker, part of their excellent office suite, all components of which are fully compatible with anything I've ever had to deal with. (I am not being compensated in any way for that recommendation, I just like the software. Sorry, Richard!)

VPN alternatives

The next sections describe real or perceived alternatives to commercial VPNs that you may want to consider for various reasons. A VPN or similar solution is key to using the dark web safely and securely over the standard Internet. These next few sections describe alternatives to various aspects of a VPN when you may need or want to implement another solution.

Smart DNS

Ome of the most common reasons for using a VPN is to make your network traffic appear to be coming from another location, enabling you to circumvent content or service blocking based on geo-location. Some location-based content blocking is driven by greed (Netflix, broadcast networks, and so one), while other s blocking is driven by the desire to emulate Nazi Germany (China, Iran, and so on). On the other hand, geo-location based content blocking simplifies the term "world wide web" by removing two w's - those pesky "world wide" ones.


This section uses the term smart DNS in the conceptual sense, not as a company name. If a smart DNS server fulfills your needs, a company that happens to have that name is a well-respected provider of that specific service.

Semantically, a smart DNS service provides a DNS service proxy that hands off its information requests to geographically correct DNS servers that enable a user to reach the sites that are normally unavailable due to geo-restrictions. If this is all that you need to do, smart DNS services are generally faster than using a VPN for this purpose because they do not do the extra encryption/decryption that a VPN does.

There is really no easy way to provide a smart DNS service yourself, due to the need to identify and then use the DNS servers that are specific to each geo-location. A VPN is generally preferable to a smart DNS service to resolve location-based content blocking as long as the VPN does not interferes with content delivery. A smart DNS server does not provide the privacy guarantees that a VPN provides because it does not perform the end-to-end encryption that is done by a VPN. Similarly, it does not obscure your IP address because it focuses on modifying DNS provider information without modifying your IP information.


Checking the browser language of incoming requests and serving up text in that language is all the geo-location (ethno-location?) that anyone should ever have to do. There are companies that provide geo IP blocking as a service, but I don't know any of them. If you are interested in geo blocking information on your web site, check out their booths outside the next Nuremberg rally.

SOCKS 5 tunnel for tor


This section describes a higher-performance mechanism for securely using the tor browser to surf the dark web. If you want to use this mechanism rather than a VPN, note that using this mechanism does not provide the anonymity guarantee that a VPN provides. It is focused on privacy - that is, protecting the private contents of whatever you type and browse to. This will provide privacy for any browser, but not anonymity, because all your packets will all seem to come from wherever you tunnel to. You don't have to be a rocket scientist to know that whoever is behind them is someone with access to that SSH server, and even the government may be able to figure out or demand that information. Choose well, grasshopper.

For anonymity's sake, DO NOT start the tor browser without this tunnel mechanism in place (or your favorite VPN), and do not exit from either mechanism while the tor browser is running. Just to be on the safe side, courtesy of the Department of Redundancy Department, DO NOT use the tor browser unless this proxy or a VPN is running.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. A SOCKS server proxies TCP and UDP connections to an arbitrary IP address.

The primary differences between a VPN and a SOCKS proxy is the time delays that a VPN may introduce, so every time you ask "VPN or SOCKS?" there's always at least one hand up for SOCKS. SOCKS is attractive for performance reasons, because VPNs can introduce delays due to the time delays involved in routing across tunnel endpoints, depending on network load and where those endpoints are. A lack of encryption used to be an issue with previous versions of SOCKS, but this is "fixed" by using the latest version of SOCKS with a single protocol. The latest generation of SOCKS, SOCKS5, introduces the support for and use of authentication. Because the SOCKS5 proxy servers use an SSH (secure socket shell) protocol, not just anyone can connect, and someone trying to gain access improperly has a large amount of encryption to deal with.

Another advantage of a SOCKS5 proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which will improve user response time.

The process of creating a SOCKS5 tunnel that you can use with the HTTP traffic used by the tor browser is the following:

  1. Open a terminal program

  2. Set up the tunnel with this command (replace items in this font with your own values):

    sudo ssh -D 1234 -C -q -N -f

    The options and parameters to this command have the following meanings:

    • -D - tells SSH to use the specified port (which can be any unused port between 1024 and 65536) for the tunnel

    • -C - compress all data before sending it

    • -q - Uses quiet mode

    • -N - Tells SSH that no command will be sent once the tunnel is up

    • -f - Starts the tunnel in the background, returning control to you at the command line

  3. Verify that the tunnel is up and running with this command:

    ps aux | grep ssh

    If you see a process listing command (i.e., from the ps aux command) that was the same as that in 2, congratulations! Your tunnel is running. You can quit your terminal application and the tunnel will stay up, because we used the -f argument to put the SSH command (the one that that opened the tunnel) into the background and detach.

Now that you have an SSH tunnel, configure the tor browser to use it:

  1. In the upper right hand corner of the main tor browser window, click on the hamburger icon to open the browser menu

  2. Click on the Preferences menu item and navigate to the Network Proxy section. Click the Settings button. A new pane displays.

  3. Select the radio button for Manual proxy configuration. (It should already be selected).

  4. Enter for the SOCKS Host (in other words, localhost, and for Port number, enter the same port number that you specified when creating your SSH tunnel.

  5. Click OK to save and close your configuration

Now, open another tab in the tor browser and start browsing the web! You should be all set for secure browsing through your SSH tunnel.


To verify that you are using the proxy, go back to the Network settings in the tor browser. Try entering a different port number. Click OK to save the settings. Now if you try to browse the web, you should get an error message The proxy server is refusing connections. This proves that Firefox is using the proxy and not just the default connection. Revert to the correct port number, and you should be able to browse again. Hooray!

When you are done using the SSH tunnel, go back to the Preferences > Advanced > Network > Settings pane in the tor browser. In the Network proxy settings section, click on the radio button for Use system proxy settings and click OK. The tor browser will now read data over your normal connection using the normal settings, which are probably unsecured.


As mentioned before, this section describes a higher-performance mechanism for securely using the tor browser to surf the dark web. If you want to use this mechanism rather than a VPN, DO NOT start the tor browser without this mechanism in place, and do not exit from this mechanism while the tor browser is running. Just to be on the safe side, DO NOT use the tor browser unless this proxy or a VPN is running.

To terminate the tunnel, use the ps command given earlier to find the process ID (PID) of the proxy server, and then terminate it using the kill command:

ps aux |grep ssh
      wvh    98765   0.0  0.0  2462228    452   ??  Ss    6:43AM   0:00.00 ssh -D 9876 -f -C -q -N
kill -9 98765

Rolling your own really-close-to-a-Linux-VPN

It's hard to choose a single VPN solution, especially in the open source world where you have at least 15,384 to choose from, including commercial ones, as of 12:30 PM on the day that I'm writing this. The open source universe has room for everyone's creativity, with room for an infinite number more. One or more of them may be exactly what you need/want. And the source code is always available if you think a certain project/package is almost perfect.



All Linux distributions are not created equal, especially if you're running Linux on a less common platform or if someone else hosts and supports the system that you're using. Some platforms are uncommon because they're obscure or old, while others are simply up-and-coming. If there is no commercial VPN for your hardware or you cannot install one on a shared system, you should definitely consider at least using a more light-weight solution such as sshuttle's proxying, as discussed in this section.

I can't tell you all of the networking background, details, and nuances that you would need to write a completely new VPN client and server that is bulletproof and tighter than Silas Marner's purse strings. Open source projects like SoftEther or OpenVPN are huge, complete, and still growing. Explaining either of those in detail deserves its own book and is just a subset of the dark web access that this document is about, so it's out of scope here. Sorry.

As far as other open source projects that are, or are really, really close to, a VPN, one of my favorites is sshuttle, which proxies all IP traffic through a remote host's SSH server, as long as you can SSH to that host in the first place. This gives you the benefit of the encryption that SSH provides, reduces your administrative wishlist on a network that does not provide a VPN, and also hides your IP address (though it paints a really large target on the machine whose SSH server you're using). It will hide your identity from randoms and driveby hackers, but not from the NSA. OTOH, it is open source, so here's your chance to help foster a project rather having to do that and give birth to it in the first place.

One huge advantage that sshuttle has over other VPN-like solution is that it requires no administrative privileges, and it also requires no special thousand port-forwarding to be set up on your machine - all ports (including all DNS queries) are forwarded.

You can get sshuttle from its GitHub repository, through the repositories of many Linux distributions, or through tools like Homebrew on Mac OS. Once you've installed it, running sshuttle is quite simple by using a command like the following:

sshuttle --dns -r user@sshserver

You'll be prompted for the password that you need to use to access the sshserver as user@sshserver, and the proxying/forwarding/rerouting begins!. Because you specified the --dns, this command forwards all TCP and DNS traffic to the specified SSH server. If you want to continue using your existing DNS server(s), do not specify this option. The sshuttle currently does not forward other requests such as UDP, ICMP ping, and so on.


Ordinarily, the sshuttle command does not display status information while it's running, but you can make it more verbose by adding one or two -v options to the command-line. Each -v option increases its verbosity.

As specified in the sample command, the sshuttle command continue to run in the foreground. To cause it to detach after starting (writing verbose log information to the system log rather than just to stdout), add the -D to the command line.

The sshuttle application, enabling you to exclude certain IP address traffic from its forwarding, only forwards traffic headed for certain networks, and so on. As always on a Linux box, the man command is your friend.


To verify that the sshuttle command is working, you can use a command like curl and check its output to make sure that the address that it returns is the address of the SSH server that you specified.

Is my VPN working?

If you think you're hidden because you paid someone money and because the software you're running that claims to be a VPN is now displaying different numbers/addresses than it used to, I have a bridge (and not a Tor bridge) that I think you'll be interested in. I'll take you on a guided tour as soon as it stops raining gumdrops.

Seriously, trust, yet verify is the right way to go with any security software, including some package that you read a good review of or which someone recommended to you. This is especially true of something like VPN software, which turns knobs for you under the covers, and changes something that is usually assigned to you - something that you usually don't have to mess with or even know in the first place. Most ISPs assign you an IP address when you connect to them, but whether is your home or an IP from a VPN in Croatia is hard to tell, initially. The next two sections identify some ways in which you can obtain IP and related information about your system.

Using web sites for VPN testing

Seriously, trust, yet verify is the right way to go with security software, especially something like VPN software, which changes something that is usually assigned to you and which you usually don't have to know. Most ISPs assign you an IP address when you connect to them, but whether is your home or an IP from a VPN in Croatia is hard to tell, initially. Here are few sites to visit that will give you information about your IP address, whether you're using a VPN, and the browser that you're using to connect with:

  • Perfect Privacy Connection Details - This site's primary Check IP connection test, shown in Figure 4.1, “IP connection info from Perfect Privacy”, displays basic IPv4 and IPv6 address and DNS info (or You do not seem to have IPv6 connectivity for the latter if that's the case), HTTP header metadata, and the status of Java, JavaScript, and Flash support in the browser that you're testing with. There's also a nudge nudge wink wink entry about whether you're using the Perfect Privacy VPN software (which you obviously don't have to be in order to run the tests). Other tests (selectable by buttons at the top of the page) or from its parent page) include the following:

    • DNS Leak Test - tests if you are using the provider's DNS server directly rather than the one that is provided by the VPN

    • WebRTC Leak Test - determines whether the WebRTC API enables remote systems to identify your "real" IP address (the one that was originally assigned by your ISP)

    • MSLeak Test -tests whether Microsoft login data and system services are available directly. Only meaningful if you are running the Internet Exploder or Edge browsers from a Microsoft Windows system. The easiest fix is, of course, to stop running Windows and to switch to a real operating system rather than incremental ambergris.

    Figure 4.1. IP connection info from Perfect Privacy

    IP connection info from Perfect Privacy

  • - provides a huge amount of information about your IP connection and the browser and system that you are using, including: IPv4 and IPv6 addresses, location, WebRTC tests, DNS info, Torrent Address info, and a very cool Geek Details section that provides browser capabilities and plugins info, screen size info, and general detectable system info. Very pretty.

    Figure 4.2. IP test info from (Air VPN)

    IP test info from (Air VPN)

  • WhatIsMyIP - displays hi-level local and public IP address info, with buttons that enable you to drill down into pages that provide additional information. These subsequent pages also provide detailed information about the new data that is being displayed.

    Figure 4.3. Top-level IP address info from

    Top-level IP address info from

  • IP X Test Suite - displays IPv4 and IPv6 (if available) address and geographic location info, DNS server info, WebRTC leak info, and a tremendous amount of browser analysis and header info, including whether the "Do Not Track" bit is set in HTTP headers. Extremely useful test suite!

  • - provides a huge amount of browser fingerprinting information about your IP connection and the browser that you are using, including: IPv4 and IPv6 addresses, location, JavaScript, Flash, WebGL, and Silverlight capabilities, and so on. The icons at left enable you to jump to the results of a specific set of tests. A truly impressive test suite - and you can't beat the price!

    Figure 4.4. Various IP and browser tests from

    Various IP and browser tests from

  • DNS Leak - fast but minimal test for DNS leaks in your web queries. Figure 4.5, “A suspected DNS leak from” show the information that this site displays when used with a VPN that seems to be leaking DNS information, in this case about the DNS server that is being used .

    Figure 4.5. A suspected DNS leak from

    A suspected DNS leak from

The sites in this list are just the tip of the information iceberg that you can find on the net. Each provides a different subset of the information that can be culled from your site. Take your pick - I wanted to potentially save you a bit of surfing by listing the ones that I personally have found useful in the past.

Testing your system for identity leaks

Most of this book is about how to keep yourself anonymous on the Internet, but there is much more to anonymity than protecting your IP address and where you are physically located (the latter is commonly referred to as your geo-location). The additional information that can be captured and tracked also includes things like:

  • a unique hardware/machine identifier

  • a system-level login identity (a Windows, MacOS, Linux, Android, iOS, or similar login)

  • some service account identity (account/login to a specific service or vendor account)

  • a service account that provides cross-service authentication or proof of identity, such as a Facebook or Google identity

Beyond empirical collectable data like these things, there is also observable data that can be collected and used to try to infer your identity or provide a basis for identifying you by usage patterns, like browser fingerprinting.

Together, all of this makes up a veritable smorgasbord of trackable information, with you lying on the buffet table.

The following sections each discuss a different software tool that probes some aspect of your system and the hardware/software configuration information that it contains. The goal of this section is to explain how to use these tools to make you comfortable with the facts that your data is secure and untraceable after following the mechanisms that are explained in this book.


Class: network probe

Nessus is a very popular vulnerability and system status scanner. Originally free and open source, the Nessus source (version 2.2.11) was closed in 2005 and the software has been through several packaging methods since then. A free "Nessus Essentials" version is still available, but the full version ("Nessus Professional") now costs $2,190 per year. Its closure has led to many forked open source projects based on Nessus like OpenVAS and Porz-Wah.

Nessus Professional's network scans cover a wide range of technologies including operating systems, network devices, hypervisors, databases, web servers, and critical infrastructure. (Nice summary, Wikipedia! Nessus Professional is often used for configuration and compliance audits, SCADA audits, and PCI compliance testing. This would all be great if the full version was still free.


Porz-Wahn is yet another security scanner based on the last open source release of Nessus. It hasn't been updated since sometime in 2014, so it's probably defunct. You may hear about it, so I'm listing it here.


The Nmapapplication is the best known and best established Network scanner around. It has more options than you can shake a port at. It scans/probes network ports for a number of different states (i.e., packet states returned) and also has different default behavior depending on whether you run it as root or not (that is, whether you can read the raw packet data or not). Common states to scan for are:

  • SCTP INIT scan (-sY) - SCTP is a relatively new alternative to the TCP and UDP protocols, combining most of their characteristics and adding new features like multi-homing and multi-streaming. To quote the nmap docs, "...the SCTP INIT scan is, the SCTP equivalent of a TCP SYN scan. Like a TCP SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states...

  • SYN scan (-sS) - In SYN scan, only half of a TCP connection is established. When running as root on Linux, nmap does a SYN scan by default, and SYN scanning requires root privileges in general on Linux systems. SYN scanning is faster than TCP scanning since it does not establish a full TCP handshake, which can also make it harder to detect.

  • TCP connect (-sT) - In TCP connect scan, a full TCP connection is established to verify the existence of a port. When running as non-root on Linux, nmap does a TCP connect scan by default.

  • UDP scan (-sU) - While services running over the TCP protocol are much more common, UDP services (such as DNS, SNMP, and DHCP) are still widely deployed. UDP scanning is much slower than TCP scanning but can be done at the same time as TCP scans to reduce overall scan time.

The nmap application supports many other, more specialized states to scan for - see the nmap documentation for details.

Some common examples of using nmap are the following:

  • Simple TCP port scan (non-root): nmap IP addresses or range

    $ nmap
    Starting Nmap 7.80 ( ) at 2019-09-28 14:21 EDT
    Nmap scan report for (
    Host is up (0.035s latency).
    Not shown: 996 filtered ports
    25/tcp	 closed smtp
    80/tcp	 open	http
    443/tcp  open	https
    8080/tcp open	http-proxy
  • Simple TCP port scan (root): nmap IP addresses or range

    Starting Nmap 7.80 ( ) at 2019-09-28 14:49 EDT
    Nmap scan report for 172,16.100.49
    Host is up (0.040s latency).
    All 1000 scanned ports on are filtered
    Nmap done: 1 IP address (1 host up) scanned in 40.03 seconds
  • Simple UDP port scan (must be done as root):

    nmap -sU
    Starting Nmap 7.80 ( ) at 2019-11-23 13:52 EST
    Nmap scan report for
    Host is up (0.048s latency).
    All 1000 scanned ports on are open|filtered
    Nmap done: 1 IP address (1 host up) scanned in 49.41 seconds
  • TCP SYN and UDP port scan (as root):

    nmap -sS -sU
    Starting Nmap 7.80 ( ) at 2019-09-22 06:21 EDT
    Nmap scan report for
    Host is up (0.010s latency).
    Not shown: 1987 closed ports
    PORT      STATE         SERVICE
    22/tcp    filtered      ssh
    23/tcp    filtered      telnet
    53/tcp    open          domain
    80/tcp    open          http
    443/tcp   open          https
    705/tcp   open          agentx
    53/udp    open          domain
    67/udp    open|filtered dhcps
    514/udp   open|filtered syslog
    520/udp   open|filtered route
    1100/udp  open|filtered mctp
    1900/udp  open|filtered upnp
    34796/udp open|filtered unknown
    Nmap done: 1 IP address (1 host up) scanned in 1632.09 seconds
  • After installing a web server (nginx), TCP SYS scan as root:

     nmap -sS
    Starting Nmap 7.80 ( ) at 2019-09-21 13:25 EDT
    Nmap scan report for
    Host is up (0.022s latency).
    Not shown: 989 filtered ports
    53/tcp   closed domain
    80/tcp   open   http
    88/tcp   closed kerberos-sec
    89/tcp   closed su-mit-tg
    90/tcp   closed dnsix
    443/tcp  open   https
    1080/tcp closed socks
    1233/tcp open   univ-appserver
    1234/tcp open   hotline
    5060/tcp open   sip
    8080/tcp open   http-proxy
    Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
  • After installing a web server (nginx), predictive OS scan (-O) with banners of running services (-sV):

     nmap -O -sV
    Starting Nmap 7.80 ( ) at 2019-09-14 20:48 EDT
    Nmap scan report for
    Host is up (0.011s latency).
    Not shown: 997 filtered ports
    80/tcp	  open	 http	 nginx 1.14.0 (Ubuntu)
    443/tcp   closed https
    20000/tcp closed dnp
    MAC Address: 64:6E:69:3C:92:AE (Liteon Technology)
    Aggressive OS guesses: Linux 2.6.32 - 3.13 (95%), Linux 2.6.32 (92%), Linux 3.2 - 4.9 (92%), Linux 2.6.32 - 3.10 (92%), HP P2000 G3 NAS device (91%), Infomir MAG-250 set-top box (91%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (91%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (90%), Linux 2.6.32 - 3.1 (90%), Linux 3.7 (90%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    OS and Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 19.56 seconds

A good set of example of

Example 4.1. 


commands is here, and a simple Google search will give you plenty more!

Manually examining network addresses

The web sites that were discussed in the previous section were both useful and fancy, but you might be from the state of Missouri, also known as the Show Me state. The next few sections provide some useful commands that show how to query different aspects of a Linux, *BSD*, or Mac OS system to make sure that your VPN software is doing something other than still handing out your system's vanilla IP address.


If you can, it's easiest to look at your system's network address before and after you activate the VPN in order to see what (if anything) your VPN software is really changing. If your address is the same before and after, either something is wrong with your VPN and it didn't activate, or it was actually already on and you didn't know that. In that case, try the WhatIsMyIP web site (discussed in the section called “ Using web sites for VPN testing ”) to double-check your public and local IP addresses.


If you are using a browser-based extension to activate your VPN, make sure that i affects your system's IP address for all application, not just for browser communication.

Figure 4.6, “Linux/Mac OS script to look up IP address info multiple ways” shows a good number of cmdline (that is, command line) tests that you can use to get information about the network interfaces and IP addresses that your machine has. The next few sections walk through using some of these to get that information - I just put a bunch of them in the script for your copy-and-paste convenience, and also to show subtle differences in what you get back from different applications and queried locations.

Figure 4.6. Linux/Mac OS script to look up IP address info multiple ways


echo "Ifconfig thinks:"
ifconfig -a | grep '^[_a-z0-9]*:\|netmask'
echo ""

echo "OpenDNS (via dig) thinks:"
dig +short
echo ""

echo "Google (via dig) thinks:"
dig TXT +short | sed -e 's;";;g'
echo ""

echo "Akami (via dig) thinks:"
dig +short
echo ""

echo "Akami (via nslookup) thinks:"
echo ""

echo "BrowserLeak (wget from says:"
wget -qO -
echo ""

echo "Current routing:"
if [[ "$OSTYPE" == "linux-gnu" ]]; then
        route -n
elif [[ "$OSTYPE" == "darwin"* ]] || [[ "$OSTYPE" == "freebsd"* ]]; then
        netstat -nr -f inet | grep -v "Routing tables"
elif [[ "$OSTYPE" == "cygwin" ]]; then
         route print
        echo "  Sorry, I don't know"

Getting network interface addresses

The first step in determining the state of networking on your machine is figuring out what IPv4 network interfaces your system has and what addresses they currently have. I'm looking forward to the day when IPv6 is the primary addressing scheme, but until then IPv4 is where it's at.

You can locate your original IPv4 address with the ifcfg (interface configuration) command.. This command lists the interfaces that exist on your system in a detailed nerdy way, so I typically filter the output using a fancy regular expression to show which of these are actual interface definitions (by beginning a stanza), and which lines contain IP addresses by looking for the associated netmask keyword, as in the following example:

ifconfig -a | grep

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet netmask 0xff000000
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
EHC250: flags=0<> mtu 0
EHC253: flags=0<> mtu 0
	inet netmask 0xffffff00 broadcast
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
ipsec0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
	inet --> netmask


In English, the GNU grep command's argument expands to " that matches the beginning of a line followed by any number of alphanumeric characters up to a colon OR lines containing the string "netmask"...". You can either use this explanation to check my nerd fu, or you're welcome.

By scanning this output, you can see that this system's internal IP address is


This address is the system's local address, which is the IP address that was assigned via DHCP when you booted your system, or perhaps your system's fixed IP address if you bought one from your ISP and hardwired into your networking configuration.

The previous command output was captured on Mac OS, which includes GNU grep as part of the FreeBSD infrastructure behind all the whizzy graphical stuff. To demonstrate that this also works on Linux, here's the same command and its output on a Mofo Linux box (and because it is a different box, it therefore has a different local address or else the network is broken):

ifconfig -a | grep '^[a-z0-9]*:\|netmask'

enp1s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast

Thank God for the FSF, the GNU project, and Richard Stallman! Or maybe they're all the same thing?

Checking your network routing table

The routing table is the internal data that shows the addresses to which packets destined for various types of addresses are forwarded so that they can eventually delivered to the host that they were addressed to, or which is running a specific service for an address family (such as the email service for a domain). It's really not necessary to check your system's routing table when determining if your VPN is working, but it may provide you with some insights into how your VPN software works internally. Knowledge is power, right?

Figure 4.7.  Sample Linux routing table

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   U     0      0        0 eth0   U     0      0        0 vmnet8   U     0      0        0 vmnet1   U     0      0        0 virbr0     U     1002   0        0 eth0         UG    0      0        0 eth0

Figure 4.7, “ Sample Linux routing table ” shows a sample routing table, as displayed by the output of the Linux route command with the -n option, which does not attempt to translate numeric IP addresses into host/domain names. The entries in this sample network routing table have the following meanings:

  • The first route (that is, line) says that IP addresses of the form 192.168.6.X are sent directly to Ethernet interface eth0 - this is because Ethernet interfaces that match this range are non-routable IP addresses which are not routed/forwarded to any other network device (see non-routable IP addresses in the glossary).

  • The second and third lines are for other patterns of non-routable IP addresses that are sent directly to the network interfaces vmnet8 and vmnet1, respectively, which are virtual network interfaces that, in this case, are used for virtual machines on my sample network.

  • The fourth line directs IP traffic for addresses that match 192.168.122.X to the interface virbr0, which is the bridge to the virtual machine network.

  • The fifth line ( is used for Automatic Private IP Addressing, or APIPA. If a DHCP client attempts to get an address but fails to find a DHCP server after the timeout/retry period, it will randomly assume an address from this network. (This explains why DHCP failures result in hosts receiving addresses on this network.)

  • The sixth/last line directs any traffic for addresses that were not matched by any other entry through the Gateway for this entry. The G flag identifies the gateway defined on this line as the default gateway.

Figure 4.8.  Sample, simpler Linux routing table before starting a VPN

Kernel IP routing table
Destination	Gateway 	Genmask 	Flags Metric Ref    Use Iface 	UG    303    0	      0 wlp2s0	U     1000   0	      0 wlp2s0	U     303    0	      0 wlp2s0

Figure 4.8, “ Sample, simpler Linux routing table before starting a VPN ” shows the routing table for a system that I use to surf the dark web (and which therefore is a simpler machine, network-wise) before a VPN has been activated. No virtual machine networking or bridges are present because most dark web surfing systems follow the K.I.S.S. mantra (Keep It Simple, Stupid, which was coincidentally also followed by a band by that name, long ago).

Figure 4.9, “ Sample, simpler Linux routing table after starting a VPN ” shows the routing table for that same system after a VPN has been activated. Note that it's now knee-deep in new tun0 entries, which are the virtual network interfaces that were created in order to support packets traveling over the VPN. (See TUN/TAP in the glossary for a slightly more verbose definition.)

Figure 4.9.  Sample, simpler Linux routing table after starting a VPN

Kernel IP routing table
Destination	Gateway 	Genmask 	Flags Metric Ref    Use Iface	UG    0      0	      0 tun0 	UG    303    0	      0 wlp2s0 UGH   0      0	      0 tun0 UH    0      0	      0 tun0	UG    0      0	      0 tun0	U     1000   0	      0 wlp2s0	U     303    0	      0 wlp2s0 UGH   0      0	      0 wlp2s0

To loop back to the reason why this information is in this section, if a system's network device list (examined via the ifconfig command, as discussed in the previous section, the section called “ Getting network interface addresses ”) contains one or more TUN devices, and the system's kernel routing table contains one or more of the same, there's an extremely good chance that VPN software is installed and running on that system. Whether it's doing the right thing™ is an entirely different matter, which you can usually figure out by:

  1. tracing what happens to standard network packets as they arrive and depart, and

  2. by seeing if your before and after output from the script shown in Figure 4.6, “Linux/Mac OS script to look up IP address info multiple ways” (or from just a single command from that script) differs

The next section contains a short discussion that illustrates the second point in this list.

Checking your true external address

The "final" step in trying to determine whether your VPN configuration is actually working is checking what other (i.e., external) systems see as your system's IP address. The easiest way to do this is use a name resolver to see where requests to your system (by name) are sent. The easiest (modern) way to do this is to use the dig command, as in the following example:

dig +short

This command sends an request for the IP address of the host to the DNS server If this special host is requested, the resolver returns the IP address from which the request originated.

Since the IP address in the output of the example dig command differs from the IP address that was originally assigned to the system's external Ethernet address, my VPN appears to be working. This could also be confirmed by the web-based tools that were discussed in the previous section, especially those that include geo-location information for the system's external IP address information.

Depending on how your VPN software works and which interface it uses, the instructions in this section aren't bulletproof or may at least be too simplistic, but the core point is true - your system's internal idea of its IP address will differ from external systems' idea of your IP address via the VPN.

Chapter 5.  Obtaining, installing, and configuring the tor browser

A big part of cruising any portion of the Internet anonymously is being able to use tools that preserve and promote that anonymity. The VPNs discussed in the previous section don't provide anonymity, but instead focus on increasing your privacy by encrypting the data that you send and receive over the VPN and potentially associating a different physical location to your connection by binding the VPN to a network at another location. To provide anonymity in addition to this, you need a tool that completely hides the relationship between your original and VPN-assigned IP addresses.

Tor stands for the onion router which does exactly that by routing data requests through multiple layers, decrypting and re-encrypting data with each layer as it passes through, and assigning a new IP address to your packet as it exits Tor (oddly enough, through what is known as an exit node). The relationship between you and your VPN connection can still be determined if you have the bill mailed to your house and pay by check, but that would make you a dummy and we'll talk about anonymizing payments later in this document. Software-side, both your privacy and anonymity are assured unless you manage to do something that gives away your secret (i.e. real) identity.

The remainder of this chapter explains how to install the tor browser, how to plug a few holes by configuring the tor browser correctly, and how to start and use the tor browser for all your private, anonymous dark web surfing needs.


I swear to god that I understand that the Tor project develops and ships a customized version of the Firefox web browser that is, perhaps mistakenly, commonly referred to as the tor browser. I am common, and therefore refer to it that way too, and browser customizations are just one of the many great things that the Tor project does. If you refuse to use a Firefox variant for whatever reason, accept the facts that this document said not to do that, you ignored such comments and don't mind possibly (eventually) being arrested, and skip ahead to the section called “ I insist on using some-other-browser.

Tor, good god, what is it good for?

This chapter focuses on using tor as part of your suite of anonymity and privacy applications in order to explore and participate on the dark web. It's quite ironic that tor was originally developed by the US Navy for secure information sharing. I never thought I'd get anything for my tax dollars, but what do you know!

Tor provides benefits to a wide range of people, many of whom use it for widely different purposes. The tor folks have a good deal of information about this on their site, but since you're currently reading this and their information is therefore at least a click away, here are some of the highlights:

  • Secure information sharing - Though originally designed to protect government communications from snooping and interception by our enemies, now that our government is frequently the enemy of any free-thinking citizen, tor is useful to support secure communication between citizens. This includes whistle-blowing and similar actions that could cause an improvement in ethics and morals at the cost of a drop in stock price.

  • Protecting purchasing privacy - Voracious marketeers want to know who sent and read what so that they can market related items or antidotes to those same folks. Tor solves this by obfuscating who looks at what. Problem solved unless you're a business person sitting on top of a million cases of unwanted product.

  • Protecting research and interest privacy - Though you may genuinely be researching AIDS for a paper that you are doing, Focus on the Family and other feeble-minded Nazis probably want to know who you are so that they can kill you "just in case". Tor makes it possible for you to ask uncomfortable questions and study unpopular topics without finding a cross burning` in your lawn.

  • Enabling online surveillance and stings - Anonymity and privacy are coins that can be spent by anyone, even slack-jawed law enforcement Nazis who want to crush anything they don't agree with or which is against short-sighted laws. Everyone means everyone whether or not they have a soul. Be careful - you need more than just tor to be safe!

See the tor site for a much longer and slightly less opinionated list.

Tor in a nutshell

Looking up and connecting to a .onion site is very different than looking up and connecting to a vanilla site. The Tor service (and therefore the to browser) differs from standard/traditional lookups and site contacts in two core ways, which are explained in the next two sections.

Host lookups in Tor

Tor host lookups use DNS differently or not at all, depending on the type of address your Tor-aware application is looking up.

When using the tor browser or just the Tor service, only hosts in domains other than .onion use DNS, and then by forwarding the DNS request to one of the nodes in a Tor circuit (the exit node) for resolution.

Nodes in the .onion domain (known as Tor hidden services or simply "hidden services") follow a different mechanism than DNS to enable Tor-aware applications can find them. They must first announce their existence to nodes in the hidden network, where a substring of their host names is a base32 string of the first 80 bits of the SHA1 hash of the public key of the server. (Yikes! You may want to breathe now.) This is propagated through hidden service nodes to reach being stored in a hidden service directory. At this point, the hidden service can be contacted by looking up an introduction point for that service via the hidden service directories. A rendezvous point is then set up where the hidden service and the target client meet.


The previous paragraph provided a mile-high view of the host name propagation and lookup process for .onion hosts. For more detailed information, see the Tor documentation or the Tor Stack Exchange.

Some companies have posted news relating to DNS-like services for .onion hosts. One of the most interesting is Cloudflare's Hidden DNS Resolver A well-known cloud-oriented company (and therefore 110% network-aware), Cloudflare's entry into supporting other networks is well worth a look to see how it might benefit your networking applications, which might benefit from being able to contact resources on the dark web. A related Tor project is discussed on the Tor Project's DNS Resolver/Server page.


The easiest way to integrate .onion host name lookup into whatever you're doing is to set up a SOCKS5 proxy and route your network traffic through it, as explained in the section called “ Using a SOCKS5 proxy and any browser with the Tor service ”

Tor circuits

As mentioned earlier, one of the primary ways that Tor benefits users is by routing network requests through multiple hosts to improve your chances of anonymity. The hosts though which a network request to a given host or service is routed make up the tor circuit being used by your application/host and a remote application/host to communicate with each other. This routing obscures the real IP addresses that are communicating with each other, and is an implementation of onion routing, which encrypts and then randomly routes communications through a network of tor relays (nodes) that are being run by volunteers around the globe. Communication between each pair of nodes in the circuit is encrypted, which helps guarantee the privacy of your communication along each circuit.

When using the vanilla tor browser, you can display the tor circuit that you're currently using by clicking on the information symbol to the left of the host address. This displays a drop-down that provides details about the Tor circuit that is being used to communicate with the host listed in the address bar, as shown in Figure 5.1, “Displaying a Tor circuit”.

Figure 5.1. Displaying a Tor circuit

Displaying a Tor circuit

Tor remembers the entry and exit nodes being used by the current browser and circuit. If you suspect any nodes has been compromised or communication between nodes is simply taking too long, you can create a different circuit at any time by selecting the tor browser's File -> New Tor Circuit for this Site command.

The only node in a Tor circuit that knows your IP address is the entry node and the relay node that it is forwarding packets to. Each relay node knows the host that it received packets from and the host that it should forward packets to. There are typically three or six relay nodes between the entry and exit nodes in a Tor circuit. The last relay node in the circuit knows the address that it received packets from and the address of the exit node. The exit node finally delivers the packets to your host application or service. Responses traverse the same circuit, but in the opposite direction.

Obtaining and installing the Tor browser


If you're using either the Mofo Linux, Parrot, or TAILS Linux distributions as suggested in Chapter 2, Selecting an operating system , you'll be happy to know that tor and all of its dependencies are already installed, and you can skip this section.

If your system's package management tool does not enable you to select tor as an installable package, you can always get the latest version from the tor project's download page, as shown in Figure 5.2, “The Tor project's download page”.

Figure 5.2. The Tor project's download page

The Tor project's download page

The icons across the bottom of the screen represent the primary platforms for which the tor project builds its releases in the English language. If none of these are the platform, distribution, or language that you're using, the link at the bottom left of this figure takes you to a page that contains some others that be more appropriate for you.

After downloading a tor release, you'll still want to verify the integrity of what you've downloaded. See the next section, the section called “ Verifying download integrity ”, for information about how to verify the integrity of a download using its signature file.

Verifying download integrity

The gpg utility enables you to verify that the content in the file that you downloaded matches the content of the file as posted on the web by its distributor. It does not verify that the binaries or libraries in file that you downloaded work correctly or contain no bugs. It just verifies that you will see the same features and bugs that everyone else who downloaded the file successfully will see.

In order to verify the integrity of the downloaded archive, you first have to download the public key that the tor project folks uses to sign the archives that they release. You can do this with the following command:

gpg --keyserver --recv-keys 0x4E2C6E8793298290

The output of this command will be something like the following:

gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 289 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2021-03-19
gpg: Total number processed: 1
gpg:               imported: 1

The meaningful lines in this output are the last two, which state that one key was processed and imported.

After importing the key, you should electronically double-check and verify that the fingerprint is correct. The command to do so and its output are something like the following:

$gpg --fingerprint 0x4E2C6E8793298290

pub   rsa4096 2014-12-15 [C] [expires: 2020-08-24]
      EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid           [ unknown] Tor Browser Developers (signing key) <>
sub   rsa4096 2018-05-26 [S] [expires: 2020-09-12]

To get the signature file, left-click on the SIG link below the icon for the platform whose version of tor you downloaded. When the Save File dialog displays, save the file in the same location as the downloaded version of tor was saved.

From a terminal window, change directory to the directory where the tor archive and its signature file were both saved. Execute the following command to receive the following output to verify that the content of the tor matches the hash stored in the signature file:

gpg --verify TorBrowser-8.0.8-osx64_en-US.asc TorBrowser-8.0.8-osx64_en-US.dmg

gpg: Signature made Fri Mar 22 19:45:06 2019 EDT
gpg:                using RSA key EB774491D9FF06E2
gpg: Good signature from "Tor Browser Developers (signing key) <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: 1107 75B5 D101 FB36 BC6C  911B EB77 4491 D9FF 06E2

The important part of the output is the good signature line - everything else is gravy that indicates that you haven't certified this as a trusted key, which is outside of the scope for this verification. See the GPG documentation for detailed information about trusted signatures.

Installing and running downloaded Tor

If you've chosen to ignore my suggestions and want to run tor on a Linux distribution other than Parrot or TAILS (where tors is pre-installed), another Linux distribution that packages tor for you and can deliver it though its package management system, or on a Mac OS or Windows system, you will have to install the downloaded version yourself. After downloading tor for your platform and verifying that it is indeed tor, you should fell comfortable enough with it to actually install it, and then run it!

The next few sections explain how to install the downloaded version on another Linux distribution, on a Mac OS system, or on a Windows system.

Installing and running on Linux

Different Linux distributions have their own disciples and adherents, and almost every one of these has a different package management system, each of which has its own way of identifying and resoling dependencies. Therefore, unlike the version of the tor archive for other platforms, the tor archive for Linux contains all of the libraries and other dependencies that must be satisfied for it to run on almost any Linux system, regardless of the distribution that is being run. Since it is self-contained and NP-complete, it can be installed anywhere on your system. I always install it on my desktop (and will do so in the section), but you can install it anywhere that you prefer.

To install the tor distribution for Linux on your Linux system, do the following:

  1. Download the architecture-appropriate tor package, save it somewhere, then run one of the following two commands to extract the package archive:

    tar -xvJf downloaded-archive-name
  2. Change directory to the directory that was created by the previous command (where LANG is the language that was listed if the name of the archive file:

    cd tor-browser_LANG
  3. Move the contents of this directory (thebrowser directory and the start-tor-browser.desktop file, in this case) to the location where you want to install tor (the desktop, in this example):

    mv * ~/Desktop
  4. On your desktop, double-click on the start-tor-browser.desktop file to configure it for the install location. The name of the file changes to Tor Browser as it is configured to run from this location, and the tor browser starts as shown in Figure 5.3, “The tor browser on another Linux distribution”

Figure 5.3. The tor browser on another Linux distribution

The tor browser on another Linux distribution

Congratulations! The tor browser is now installed on your system and can be executed at any time by double-clicking on the Tor Browser icon.

Installing and running on Mac OS

Downloading tor for Mac OS produces a DMG (Disk iMaGe) file, which is a container for an application (the tor browser in this case). Double-clicking this file mounts the disk image on your desktop as a virtual disk, just like a real one, and opens it.

Drag the file from the virtual disk window into your Applications folder to install the tor browser. Eject the virtual disk by dragging the disk image from your desktop into the trash. You can then pin on your Dock by dragging its icon from your Applications folder to a position on your dock.

Double-click the tor icon in your dock to start the tor browser.

Installing and running on Windows

Downloading tor for Windows gives you an executable installer. Double-click the installer to begin the installation process:

  1. The installer displays a dialog that enables you to select the language that will be used during the rest of the installation process. The default language is English. To use another language, click the drop-down and scroll as necessary to select the language used by the installer and click OK to continue. the Install location dialog displays.

  2. The default install location is a Tor Browser folder on the current user's desktop. To change the install location, click Browse, navigate to the new location, and click OK.

    Once the install location displays the full path to the folder where you want to install tor, click Install to proceed. The installer begins the installation process, which displays a progress dialog as files are installed. After the physical installation process completes, the Completing Tor Browser Setup dialog displays.

  3. The Run Tor Browser and Add Start Menu & Desktop Shortcuts items are pre-selected. De-select any options that you do want to execute when closing the dialog, and press Finish to complete the installation process and return to Windows.

    Figure 5.4. Connect to Tor dialog for tor browser on Windows

    Connect to Tor dialog for tor browser on Windows

  4. Exiting the tor browser installer on Windows automatically starts the tor browser's Connect to Tor dialog (shown in Figure 5.4, “Connect to Tor dialog for tor browser on Windows”), which enables you to set network proxy or bridge options related to its execution on systems running in countries where content is censored or blocked in some fashion. To do so, click Configure. When you have set bridge or proxy options (if necessary) and have returned to this dialog, click Continue.

  5. The tor browser starts, as shown in Figure 5.5, “Tor browser running on Windows”.

Figure 5.5. Tor browser running on Windows

Tor browser running on Windows

Congratulations! You've completed installing and setting execution options for running the Tor browser on Windows. Sorry about that Windows thing, but that was your decision and at least you can run tor! DO NOT DO ANYTHING SERIOUS IN TOR UNTIL YOU HAVE INSTALLED AND ARE RUNNING A VPN! Sorry for shouting, but I'd hate to have to visit you in jail.

Configuring Tor


The next few sections explain some additional ways that you may want to configure Tor for alternate security or to fine-tune it is some other way.

Verifying and fine-tuning tor

The Tor project and the Linux distributions that deliver the Tor browser through their package management system provide a version of tor that is configured to provide general, rather than absolutely strict, privacy. Tor can still be further improved, but there improvements often come at a price - slower performance, some web sites may not render perfectly, and so on. Some options and configuration settings that you may want to further tune improve are the following:


It's common practice is to modify your Tor configuration and set your home page to a Tor Status page or to a Tor directory page or search engine page. See Chapter 8, Finding stuff on the dark web for more information about directory pages and search engines.

Figure 5.6. The Tor browser's Configuration (hamburger) menu

The Tor browser's Configuration (hamburger) menu

  • Completely disable JavaScript - (only in extreme cases). The tor browser uses the NoScript plugin to limit, where possible, the usage of JavaScript. To be completely safe from JavaScript leakage of your intellectual property and IP address, you can disable it in the configuration of your Tor browser. Go to about:config and set the javascript.enabled variable to false.


    JavaScript is required to successfully render and use shared style and content in most modern websites, so many surface web sites will not render correctly if disable JavaScript. Only disable this setting if you plan to use the Tor browser to surf both the dark web and surface web, and then only if you are running a VPN and if running JavaScript is truly necessary, such as when a site that you need to visit (and which you know to be safe) requires JavaScript.

  • Set the Tor browser security level - Tor's configuration menu, shown in Figure 5.6, “The Tor browser's Configuration (hamburger) menu”, includes a Security Level section (Figure 5.7, “Configuring Tor security levels”) in which you should select the radio button that corresponds to the highest possible security level that still enables you to visit the site(s) that you want to visit.

    Figure 5.7. Configuring Tor security levels

    Configuring Tor security levels

  • Disable referers - The referer header tells the browser which page you came from, so you may want to disable it for privacy reasons. To do so, enter about:config in the search bar, and change the value of network.http.sendRefererHeader from 2 to 0.

  • Disable iframes - Iframes can be used to spread a malware through your browser. As with JavaScript, iframes are used everywhere, so disabling them is an extreme measure. To disable iframes, go to about:config and disable noscript.forbidIFramesContext by changing its value to 0.

  • Use bridges - Bridges enable you to mask the fact that you are using Tor. See the section called “ Using Tor bridges ” for a detailed discussion of why and how to use bridges.

Becoming a Tor relay

Using tor makes it very difficult to trace the endpoints of your browsing sessions. Tor does this by bouncing connections through a chain of anonymizing relays, consisting of an entry node, a relay node, and an exit node:

  • entry node - only knows your IP address and the IP address of the relay node, but not the final destination of the request

  • relay node - only knows the IP address of the entry node and the IP address of an exit node, but not the origin or the final destination of the request

  • exit node - only knows the IP address of the relay node and the final destination of the request. The exit node is also the only node that can decrypt traffic before sending it over to its final destination

Relay nodes create a cryptographic barrier between the source of the request and its destination. Even if exit nodes are controlled by scumbags intent on stealing your data, they will not be able to know the source of the request without controlling the entire Tor relay chain.

Your privacy is protected as long as there are plenty of relay nodes for Tor to use. You can become a truly good Tor party member if you have the resources to run a relay node. You should only run a relay node on a system that is always (well, usually) up, because it's little use to anyone if it's often down. Relay nodes are therefore usually run on servers as yet another service or on small dedicated systems that are intended for the purpose. It's safe to run a relay node on dedicated ports on a server because relay nodes only receive and forward encrypted traffic and do not access any other sites or resources, so you don't need to worry that running one will allow someone to access other sites directly from your home IP address.

After running a relay node for a day or so, you should probably check if its bandwidth consumption violates any resource limitations that your ISP made you agree to. Doing so will always make your ISP take a closer look at you, which is never a good thing.

Using Tor bridges

As strange as it may sound, improvements in privacy and anonymity are really a team effort. Not just because of the open source movement, but also because people occasionally do "the right thing" and share resources for the benefit of everyone. Tor normally stores the addresses of all its relays in a central directory that any tor software can query to determine a relay to use as part of the onion. However, it didn't take long for privacy-hating maroons to discover that's what's good for the goose is also good for the weasel. Many IT groups use the relay directory as a way to construct filtering rules to block all of those addresses and their related traffic as being used by tor. To work around this, the Tor project introduced bridges, which are simply relays that are not listed in the directory. Using a bridge as the first step in your onion routing makes it more difficult for censors to empirically identify that you are using tor.


At first glance, a bridge seems like something that would be good to use, no matter what. In reality, bridges can introduce performance delays when they are up, and even greater performance delays or outright failures when they are unavailable. Only use a bridge if explicitly required to work around some type of censorship or blocking, or if the system on which you are running the bridge is highly-available, such as a server or dedicated bridge system.

Since Tor bridges are not listed in the relay directory, there have to be alternate ways to identify bridges to those who want to use them. These are the following:

  • Request a bridge address by querying Tor's bridge database.

  • Request a bridge by sending email to with the line “get bridges” in the body of the message. To receive a bridge address via email, you must send that email from an address from Gmail, Riseup, or Yahoo, so that it can be parsed correctly.

  • Configure your host to automatically become a bridge relay, which means that it is not published to the standard relay directory, but is instead published to the bridge directory, from which it address will be given out in response to email queries or bridge database requests.

    To use this mechanism, manually edit your /etc/torrc file to contain just these four lines:

    SocksPort 0
    ORPort auto
    BridgeRelay 1
    Exitpolicy reject *:*
  • Use a trusted bridge address that you obtained from someone

Figure 5.8. The Tor project's bridge integration page

The Tor project's bridge integration page

Figure 5.8, “The Tor project's bridge integration page” shows the page on the Tor project's web site that enables you to download tor and request bridges in the first two of the mechanisms listed previously.

A bridges entry as returned in email or by querying the database ` looks like the following: 4334457EC9AA003BE9085D72A881089E7D502BBD 1C41B62A48C9B86E2D0AA6C27F25D73CCC848D83

Querying the bridge database directly is preferable because it let you choose between bridges of different types, shown in Figure 5.9, “Requesting a Tor bridge of different types” and known as pluggable transports, and because it is secure since solving a capcha is required before you can get the bridge entry. The obfs4 bridge type is the currently-recommended types of bridge, though others are supported and may work better for you in various locations. A bridge definition for a pluggable transport precedes each line with the pluggable transport type.

Figure 5.9. Requesting a Tor bridge of different types

Requesting a Tor bridge of different types

The first time that you start tor, a dialog displays that enables you to select Configure to request and define a bridge or define a proxy. You then select Continue to start Tor with those options. To subsequently reconfigure Tor, you must select the Tor Status icon at left in the address bar and select either the Network Configuration or Proxy Configuration item to display the appropriate dialog to change that aspect of Tor's networking configuration.

Verifying connectivity and resolving timeouts

Like all tools, Tor is great when it works. After you've verified that it's actually connecting to remote sites, the most common problem you'll encounter are resource timeouts, which you can often resolve by fine-tuning its configuration.

  • Verifying connectivity and functionality - As mentioned earlier, you can use the Hamburger -> Preferences -> Home Page configuration item to set your home page to the Tor Project page. If the page displays your IP address and a message that you are connected to Tor, try the Tor Onion page, which lists onion sites run by the Tor project. You can click several of these to ensure that you have no problems connecting to standard Tor sites. (This list may include sites that are down - try a few.)

    Figure 5.10. The Tor check project page

    The Tor check project page

  • Minimizing or eliminating timeouts - A timeout message usually means that the site that you are trying to reach is unavailable, but you can try the following settings to either fix the problem or certainly minimize the chance that Tor itself is the source of the problem. In Tor, enter about:config in the address bar and search for the following settings, making the indicated changes if necessary:

    http.response.timeout 0

Avoiding browser fingerprinting

Browser fingerprinting is a "mechanism" whereby scumbags (that is, tracking companies or TLAs) attempt to identify the sender of packets by miring browser packet metadata, usage patterns, sites visited, and so on. The goal is to find an alternative way of identifying a user or location because the user has been too clever to provide trvial tracking data such as login, other per-site data, an IP address, or a crumpled envelope containing the recipient and the sender's return address.

Figure 5.11. Checking for browser tracking and fingerprinting

Checking for browser tracking and fingerprinting

Figure 5.11, “Checking for browser tracking and fingerprinting” shows the Electronic Frontier Foundation's Panopticlick tracking analysis tool, which performs various tests to assess how well protected your browser is against various tracking and browser fingerprinting attacks. The EFF is a great organization, and this is a great tool! Feel free to make a small donation to them to say thanks.

Some common ways to defeat the active swine who are attempting browser fingerprinting, or at least to make it harder to do so, are the following:

  • Use only the vanilla tor browser as installed and a VPN when surfing the web. Doing so enables you to avoid reading the rest of this section, only using it as a checklist or for educational purposes. Become a privacy and anonymity advocate in your spare time!

  • Use the most common browser possible. You don't have to completely sacrifice your taste and sense of aesthetics, but remember that each browser identifies itself to other web tools via a specific User Agent string. For more precise identification, scumbags can also remotely inspect browser plugins, plugin versions, OS version, screen resolution, and installed fonts on desktop and laptop browsers. There are common sets of these that are often found together on phones, but (as of today), there is little dark-web surfing done on smart phones. Perhaps that should change...

  • Disable JavaScript. While lots of fun and easy to use, JavaScript is to browser fingerprinting as albumin is to the Petri dishes in a lab. JavaScript supports or directly provides most of the tools or functions that people use to query websites for browser, plugin, and font data. Friends don't let friends use JavaScript.

    That said, if you don't want to disable JavaScript because not supporting it in your browser makes too many websites look like crap, at least try running a plugin like Chrome/Chromium's uBlock Origin that does its best to identify the trackers that are hungry for your browsing data and lets you disable it for specific sites or pages if you need to view them "normally" for one reason or another. You can also selectively block popups, large media elements, cosmetic filtering, and remote fonts, or even enable JavaScript on a specific page. However, always remember that the JavaScript gun is loaded - don't look down the barrel to check for bullets.

  • Disable Flash. Flash has always been the plugin environment with more holes than a colander, so it should be no surprise that its API has been exploited for many evil purposes, including advertising and fingerprinting. Turn it off!

  • Use as few plugins as possible, verify them, and make sure that you really need them long-term. It's hard to control yourself when you find some bright and shiny plugin that promises to do exactly what you wanted to do once. In a previous life, I used to accumulate plugins in case I ever had to do that task a second time. Nowadays, the notion that such a plugin exists is enough for me and, because I'm rightfully paranoid, I install one-shot plugins only for as long as I need to use them.

  • Change footprint data frequently. A fundamental part of the data that makes up your browser footprint is the user-agent string. This variable identifies the type and version of OS browser that you're running. Changing this string to "Chrome 32 on Windows 10" is great for giving you a substantially different footprint. It's also useful for testing the compatibility of pages and sites with specific browsers and versions. Even though you may feel sick to your stomach when claiming that you're running some version of Windows, pretending to be a dummy can certainly mask your true identity (as far as browser fingerprinting goes).

    I've used and been happy with User-Agent Switcher for Chrome and User-Agent Switcher and Manager for Firefox, though several others exist. You can also change the User-Agent string in Microsoft Edge, but I think that an easier way to do that is to install and use Chrome, Chromium (many flavors), Iridium, or Firefox.

  • Disable Canvas API fingerprinting. Like the User-Agent variable component of standard browser fingerprinting, the Canvas API provides calls that are often misused for simple fingerprinting purposes. This is a JavaScript API, so if you've turned off JavaScript, you're already safe. You can explicitly block the Canvas API by using the CanvasBlocker extension for Firefox or the Canvas Defender for Chrome.

The BrowserSpy page provides some interesting insights into the information that can be collected from a browser after visiting many different pages, each of which probes for something different.


If you've heard of a Firefox browser extension named TorButton and are wondering why the hell I didn't mention it, that's because it's no longer supported by the Tor folks. See their documentation for the official statement.

Developing good, paranoid browser habits

This section provides some tips for securely browsing the dark web, as well as some environmental tips for using and testing your browser (your computing environment, that is). Some good habits to acquire are the following:

  • Use the Tor browser exclusively. Even if it is possible to make every browser connect to the Tor network, it is recommended to use the Tor browser that is fine tuned with this purpose in mind. The other browsers, in fact, all have issues with their configurations that could lead to the leakage of your identity.

    If you insist on using some other browser than the Tor browser, see the section called “ I insist on using some-other-browser for some suggestions on how/if you can do that.

  • Never use the Tor browser to log in on any surface web or other clearnet site with any browser identity other than the one that you use to browse the dark web. Mixing your online identities will eventually make it easy for some TLA snoop to establish a relation between them and may make it easy for them to track you down at your physical location.

  • Don’t torrent over Tor. It is well known that the torrent file-sharing applications can ignore proxy settings, giving away your real IP to the external world. A further reason, is that torrenting over Tor can heavily slow down the entire network.

  • Consider using a non-caching web proxy such as privoxy as a front-end to the Tor browser to improve support for and integration of pluggable transports and thereby protect Tor traffic against DPI (Deep Packet Inspection).

  • Use the NoScript browser extension to ensure that you disable JavaScript support. JavaScript is well-known for leaking IP address information, which will eventually leak you IP address information to someone. However, even the vanilla NoScript extension whitelists JavaScript for several domains. The ultimate way to quickly and fully disable JavaScript is to go to about:config, find the javascript.enabled variable, and set it to false. (You should still use the NoScript extension, JIC.)

  • Integrate VPN startup into your login process so that you are always using a VPN.

  • Use the HTTP Everywhere browser extension. The HTTPS Everywhere plugin forces websites to use HTTPS, if possible. This results in using end to end encryption.

  • Don’t enable or install extra browser plugins. Other plugins could leak your real identity.


    If you are ignoring me and running other browser extensions anyway, make sure that you are not running any (cough FoxyProxy cough) that enable the tor browser to circumvent the DNS settings that are automatically configured by Tor. You want to be SURE that you are doing DNS lookups as configured by Tor, and not using your system's /etc/resolv.conf before or rather than the Tor network's DNS service.

  • Don’t open documents that you downloaded with the Tor browser when you’re online. Such documents might contain links that connect to a website without passing through Tor, and could reveal your identity if you are not actively running the Tor service and proxying everything.

I insist on using some-other-browser

Hello, my name is Bill, and I am a Chrome fan. There, I said it. Therefore, I don't blame people who prefer using another browser than Firefox or a variant thereof. OTOH, the tor browser, a Firefox variant, is customized and configured to provide guaranteed privacy (as much as possible). It is designed to work when surfing the web in general, and specifically understands .onion addresses and has a cool DNS-alternative to make it possible to easily surf the dark web.

Other browsers can be made to work with Tor by setting up a SOCKS5 proxy, starting tor as a service, and then starting the alien browser. If you're running a VPN, you appear to be safe according to the Tor checker but that doesn't mean that you're not leaking your real IP address like a sieve or giving away other info that paints a big target on your identity and location. The ultimate test would be to do something really stupid like buying drugs and a bazooka and shipping them to the home of someone you don't like. If they get arrested and you do not, then you're safe. If both of you get arrested, you have an enemy for life, and I hope that you get separate cells.


Do not do this!

Do not follow the instructions in this section unless you are wizardly and understand the implications of IP and DNS leaks, deep packet inspection, 5/9/14 Eyes, the NSA, the tragic and misguided falsehoods of the DEA, and the real horrors of spending time in jail. I believe the tips and tricks presented in the next few sections to be correct and sufficient, but I rarely use them. That's what the Tor service and the tor browser are for. It could be that I've connected to honeypot city and just haven't been busted yet. Maybe once this document is more widely spread... Hey, that's not meant as a challenge!

Figure 5.12. Danger, Will Robinson, Danger!

Danger, Will Robinson, Danger!

Opening .onion links in vanilla Firefox

Firefox's default mode is to actively block .onion host names from being sent to DNS for resolution. However, any recent version of Firefox can be made to attempt to handle .onion addresses by going to about:config, accepting the risk of turning low-level knobs (as shown in Figure 5.12, “Danger, Will Robinson, Danger!”, and double-clicking the network.dns.blockDotOnion configuration variable to toggle it to false. Voila! Your browser can now attempt to handle .onion sites as well as all the traditional ones! But more has to happen before you can actually open one... skip to the section called “ Using a SOCKS5 proxy and any browser with the Tor service ” for the exciting conclusion of this story...

Opening .onion links in Chrome

Unlike Firefox, Chrome's access to .onion sites is either enabled by an extension, by accessing sites that rewrite the .onion URLs so that you can use regular DNS to contact them, or by proxying. Proxying is the only one of these that forwards packets to the Tor service, and therefore the only "safe" one. If you want to use Chrome via proxying, skip ahead to the section called “ Using a SOCKS5 proxy and any browser with the Tor service ” unless you're curious about a less-safe, but perhaps more convenient way to continue to use a browser other than the tor browser.


The Tor project formerly provided a graphical application named Vidalia as a bridge, relay, and client, the last of which enabled other network applications to be routed through the Tor service. Because of the complexity of configuring Vidalia for the various roles, Vidalia was first split into separate installable pages for a relay, bridge, and client, and was eventually discontinued as more and more functionality was subsumed by the tor browser and support for the Tor service's SOCKS5 proxy was improved.

The majority of the Tor support that is available for Chrome involves rewriting URLs (which actually work with any browser). I'm listing them here in case you simply want to look around on the dark web rather than buying an AK-47 and having some strange fun with that. The approaches that involve rewriting URLs are the following:

  • - enables you to surf .onion sites just like those with more familiar extensions. As they themselves say, " sacrifices client-anonymity for convenience.". lets you visit .onion sites from the clearnet (without your having to run tor), taking you to that site just like a typing a URL in the address bar. The folks who run this service also provide a Chrome extension to automagically do the same thing for you.

    Figure 5.13. Successful connection (check url!)

    Successful connection (check url!)

    Unfortunately, the Tor2web service often cannot proxy communication with the .onion site and get a response quickly enough, instead displaying the screen shown in Figure 5.14, “'s animated timeout page”. This page displays a nicely animated onion graphic as a small consolation.

    Figure 5.14.'s animated timeout page's animated timeout page

  • - enables you to append various domain names to the .onion URL, which tells the Tor2web service that is listening on *, *, *, *, and more, which then strip everything after .onion, forward the remaining .onion host to the onion service via Tor, and relays any responses back to you.

    I have had mixed results from this service, more often seeing Figure 5.15, “Tor2web connection failure” than the remote web site. As they say, "Using Tor2web trades off security for convenience and usability." Like, Tor2web is very convenient to use when checking an information-only site on the dark web, but is not the mechanism to use for a last-minute order of your favorite drug when you're running low.

    Figure 5.15. Tor2web connection failure

    Tor2web connection failure

Using a SOCKS5 proxy and any browser with the Tor service

Traditional Internet activity depends on using DNS, a local database, or the text file /etc/hosts to find the IP address that is associated with a host. Hosts with the .onion suffix use a completely different key and rendezvous point mechanism, and do not use DNS.

The process that Tor uses to resolve .onion host names into IP addresses is every bit (sorry!) as complex as you would think, and is therefore hard to replace or emulate, A much easier solution for resolving and contacting .onion hosts is to let Tor do it no matter what browser you're using. You can do this by setting up a SOCKS5 proxy/tunnel so that all TCP traffic is routed through the Tor service so that it can be both encrypted and handled if necessary. Setting up this type of proxy was explained in the section called “ SOCKS 5 tunnel for tor ”, but is explained here in a slightly different fashion because it's buried in a script for convenience.

Figure 5.16.  Tor startup and SOCKS5 proxy script for MacOS

#!/usr/bin/env bash

# 'Wi-Fi' or 'Ethernet' or 'Display Ethernet'

# Ask for the administrator password upfront
sudo -v

# Keep-alive: update existing `sudo` time stamp until finished
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

# trap ctrl-c and call disable_proxy()
function disable_proxy() {
    sudo networksetup -setsocksfirewallproxystate $INTERFACE off
    echo "$(tput setaf 64)" #green
    echo "SOCKS proxy disabled."
    echo "$(tput sgr0)" # color reset
trap disable_proxy INT

# define proxy
sudo networksetup -setsocksfirewallproxy $INTERFACE 9050 off
# turn me on, dead man
sudo networksetup -setsocksfirewallproxystate $INTERFACE on

echo "$(tput setaf 64)" # green
echo "SOCKS proxy enabled."
echo "$(tput setaf 136)" # orange
echo "Starting Tor..."
echo "$(tput sgr0)" # color reset


This script was not written by me (but is used by me). The script is from the excellent article at Simple Tor setup on macOS.

After running this script, using the Chrome browser to visit our beloved Tor check page displays the screen shown in Figure 5.17, “Checking Crome and the SOCKS5 proxy”. Hooray! My favorite line is "However, it does not appear to be [the] Tor browser." The project folks who designed that page seem to have thought of everything.

Figure 5.17. Checking Crome and the SOCKS5 proxy

Checking Crome and the SOCKS5 proxy


The Linux version of Figure 5.16, “ Tor startup and SOCKS5 proxy script for MacOS ” and a discussion of both are coming soon, but you should really just use the tor browser.

Browser tips for any browser or browser combo

  • Completely segregate your browser use and site/browser logins depending on what you're doing in the different browsers:

    • Never use the same browser to log in on any surface web or other clearnet site that you use to browse the dark web.

    • Never use the same browser identity in multiple browsers, even though they are different browsers. Mixing your online identities in the dark web and clearnet browsers may eventually make it possible for some TLA eavesdroppers to draw a line between them and may make it easy for them to track you down at your physical location.

  • If you're using Firefox as your other browser, make sure that the Privacy & Security section of the browser preferences is configured not to save cookies and site data across browsing sessions, enables strict content blocking, does not save logins and passwords, and does not remember history. This is just plain smart to do so in case your machine is ever lost, stolen, or seized. Your filesystems are encrypted anyway, right?

  • Don’t open documents that you downloaded with Tor when you’re online. Such documents might contain links that connect to a website without passing through Tor, and could reveal your identity.

Chrome by day, chromium by night

Eeryone knows that Google developed and released the Chrome browser out of the goodness of their heart, right? If that's the case, that bridge that I've been trying to sell you throughout this document is still available. Google is a great company, but their corporate "do no evil" slogan has gotten a bit tarnished and timeworm over the years, as the reality of being a corporate entity has crept in further and further. Chrome is still my favorite browser, but it simply has to be more advertising aware than any other Linux browser to better support the corporate feeding trough, also known as advertising.

Luckily, because Chrome is open source, the Chrome source tree also gave birth to the Chromium broser. Chromium is Chrome with the branding and non-essential "phone home" functionality stripped out. All of the usability with none of the built-in identity-leakage is a hard combination to beat!

If you decide to use Chromium rather than Chrome, the first thing that you may want to do is to import your bookmarks in HTML formet from Chrome into Chromium. To do so:

  1. In Chrome: Select the hamburger icon (AKA the vertical ellipses at far right in the URL/extensions menu bar), select the Bookmarks menu item, and select the Bookmarks Manager command. Once the Bookmarks Manager screen displays, left-click its hamburger menu and select the Export bookmarks menu command. Specify the location to which to save your bookmarks in HTML text format, and click Save. Voila!

  2. In Chromium: (This command sequence will be a big surprise!) Select the hamburger icon, select the Bookmarks menu item, and select the Bookmarks Manager command. Once the Bookmarks Manager screen displays, left-click its hamburger menu and select the Import bookmarks menu command. Specify the location from which to load your bookmarks in HTML text format, and click Open. Voila!

Importing bookmarks from another browser is always a good point at which to review those bookmarks and winnow them dowb so that they only contain the booknmarks that you really need, as opposed to the "oh yeah, that might be interesting someday" bookmarks that always bloat mine, but you may be more deterministic than I. If you insist on surfing the dark web from the same desktop system that you use during the day, at least:

  1. Log out of the computer system that you are using and log back in as another user as whom you surf the dark web.

  2. Makesure that you are running your VPN software and start it if you are not.

  3. Make sure that you are connected to the VPN and conect to it if you are not.

  4. Start the Tor browser and use it to connect to the dark web.

Chapter 6.  Creating secure email and alternatives

A secure email account is useful for lots of things, including establishing a new online identity based on your new expectations of privacy and anonymity, ordering things that you don't want to be traceable back to you personally, and so on. The key here is not creating a new account that is untraceable to you because of a a generic name like "John Doe" (though that's fine to do), but rather creating an account that can't be tied to you in any way and is secure from outside access or intervention. As long as you can access it, you can then do whatever you want through it - it's all yours and only yours.

The remainder of this chapter discusses the process of creating a secure email account that is not associated with any of your previous account information. This helps guarantee the security of the email that you send and receive except while that email is in transit. This chapter therefore then discusses encrypting and decrypting email so that your mail is even secure while being sent or received. The chapter concludes by discussing disposable email services that give you a temporary account which you can use to receive initial email about any other account or service, but which you don't want to go to an account that can be traced back to you, and is also mail that you don't want or need to permanently preserve. I'm not suggesting that you use such an account to threaten the president to to send him pizzas, but...

Creating a secure email account

A secure email account in the dark web context has two basic characteristics:

  • The account is anonymized - none of the account information ties back to a personal account that is in any way related to you (names, address, phone, email, etc.)

  • The account is secure - password-protected, the mail system supports end-to-end encryption, no logs are kept, the system is not headquartered in a 5EYES country (see the section called “ What is 5 EYES and why do they suck? ” for more information), and so on.

Some well-known free providers of secure email services are the following, in order of my personal preference from the voice of experience:

  • - a secure surface web and onion email provider headquartered in Switzerland, Protonmail provides end-to-end encryption and hardware-level security with no provider access to user date. The free level provides 500 MB of storage and one email address, with a maximum of 150 messages per day. Other levels (Plus, Professional, and Visionary) have actual costs, but also provide increasing amounts of all of these plus the addition of custom domains for sending/receiving email.

    Figure 6.1. The Protonmail secure email provider

    The Protonmail secure email provider

  • - a secure surface web email provider headquartered in Israel, supports the POP3 protocol to receive non-encrypted emails, or the POP3 SSL/SMTP SSL or IMAP SSL/SMTP SSL protocols for end-to-end encryption. The free level has interesting limitations such as 200 email messages per folder is 200, a maximum number of 10 folders per account, and 3MB of total storage. Safe-mail is the purchasing entry point for private and business email pages with increased or unlimited amounts of all of these, multiple levels of secure document storage, plus many add-on services such as additional security, backup and disaster recovery, calendaring, chat, bulletin boards, and much more.

  • Mailfence - a secure surface web email provider headquartered in Belgium, Mailfence provides a secure and private email service with browser-side encryption and full support for OpenPGP and digital signatures. Mailfence supports secure document storage, The free level of Mailfence supports 10 MB of attachments and 500 MB maximum mailbox storage, with increasing levels of each for the Entry and Pro service levels that cost real money.

  • - a secure surface web email provider headquartered in Iceland, Unseen supports end-to-end encryption, file sharing, and full support for OpenPGP for email and other encryption mechanisms for audio/video encryption, including some that are apparently proprietary. Messages sent to non-Unseen hosts using proprietary encryption mechanisms t5hat are not supported by the recipient's system will be sent in the clear. The free level of Unseen supports sharing files of up to 50 MB, and a reasonable amount of message storage. The premium version supports 2GB of storage, sharing files of up to 40GB in size, and group audio/video calling.

If you plan to purchase anything on the dark web, especially something that is illegal or questionable legal in the eyes of gap-toothed, self-righteous morons who don't understand victim-less crimes, you MUST use an anonymous email account based outside the USA and other 5EYES moron countries. Actually, you don't have to if a stiff fine, jail sentence, and 6x8 foot locked concrete cell are your idea of a good time - like any choice, it's up to you.

Encrypting and decrypting email

Most of the mailers discussed earlier in this document support end-to-end encryption, which means that the email is encrypted while it is in flight, that is, while it is in transit from sender to receiver. Only the intended recipient can decrypt and read the message. No one in between can read the message or tamper with it. End-to-end email encryption provides the highest level of confidentiality and protection for email communication.

End-to-end encryption is typically done via key exchange, which requires both sender and recipient to have a pair of cryptographic keys, one private key and one public key. The sender encrypts the message locally on their device using the recipient’s public key. The receiver decrypts it on their device using their private key. The canonical example of this is the following:

  1. Alice (sender) and Bob (recipient) both generate their key pairs and share their public keys with each other. They keep their private key ‘private’ as the name suggests. You only need to generate your keys once when creating an encrypted email account.

  2. Alice encrypts the message using Bob’s public key in her device and sends it to Bob.

  3. Bob receives the encrypted message on his device and decrypts it using his private key.

With real end-to-end encryption, also called “client-side encryption” or “zero access encryption”, all encryption and decryption happen on the users’ devices. End-to-end encryption thus prevents any intermediary from reading email or other user data and guarantees the confidentiality of the data much more than SSL/TLS or mechanisms such as STARTTLS.

Figure 6.2. Getting a user key for transaction messages

Getting a user key for transaction messages

Messages associated with commercial transactions on the dark web are typically sent encrypted in this fashion to avoid snooping. As seen in Figure 6.2, “Getting a user key for transaction messages”, a link near the center of the form (in the blue region above the Trade Method label) enables you to retrieve the seller's key, which you use to encrypt your message as described in the rest of this section. A user key is part of the user profile information in this transaction system, as shown in Figure 6.3, “User key as part of user profile”.

Figure 6.3. User key as part of user profile

User key as part of user profile

The next few sections discuss how to work with encryption keys from the command-line. Each mail application on each platform has its own special way of working with keys and encrypting and decrypting messages, but the command-line version of the OpenPGP tools can be executed on every platform and operating system. The GNU version of OpenPGP is called GNU Privacy Guard, and the command-line examples used in these sections help to make it clear what things are going on under any platform-specific and graphical covers.


This chapter uses the terms OpenPGP and GNU Privacy Guard interchangeably, though they are different software packages from different organizations. Sorry - that's how cheapos like me think of them. I also apologize profusely to Phil Zimmerman, the kind-hearted genius who developed PGP and gave a chance for privacy back to all of us.

Generating a public/private PGP key pair


To generate a new public and private key pair, do the following:

  1. Log in to your system. If you know that you have existing keys and want to reuse them, or don't have any keys yet, skip to the next step. To back up and clean up your existing keys, use the following commands:

    cd $HOME
    cd .ssh
    mkdir OLD
    mv id_rsa OLD
    cd $HOME
  2. Execute the following command to generate your new OpenPGP keys:

    ssh-keygen -t rsa -C ""

    You should replace the address "" with the primary email address that you will use on the dark web. The people to whom you send encrypted email will need to know this address in order to specify which key to use to decrypt your email.

  3. Depending upon the platform, software manufacturer, and software version that you are using, the ssh-keygen application may prompt you for items such as the directory location and filename for your keys, a passphrase to use to help protect your keys, and to move the mouse to help truly randomize your keys.

When the prompt re-displays, your new keys have been created and stored in the default location.


If you are unsure whether you have already added a user's public key to your keystore, use the gpg --list-keys command to list the contents of your keystore and use the grep command to scan the output for the user's email address (or whatever else you may have used as an index.

Encrypting a message using a public key

Encrypting a message from the command-line is simple. All you have to provide is:

  • an option identifying the operation that you want to perform (--encrypt)

  • the name of the recipient (to look up the recipient's public key in the keystore)

  • the name of the file containing the input message

An example of a command to do this is the following:

gpg --encrypt --recipient sample-mail.txt

By default, the name of the output file that is produced is the name of the input file with the .gpg extension appended.

Depending on the type of platform you are using, you may be able to skip specifying the input file, and use shell redirection ('<') to identify the source of the input text. Since the name of the output file is created from the name of the input file, in this case you would also have to identify the name of the output file. The following is an equivalent command using shell redirection:

gpg --encrypt --recipient < sample-mail.txt > sample-mail.txt.gpg

The gpg command's support for redirection makes it easy to integrate the command into graphical mail clients.

Importing public user keys to your keyring


OpenPGP and application such as gpg that adhere to it standard, store public keys in a database that is cleverly known as a keystore. Keys stored in the keystone are hashed on the owner name to improve lookup speed.

Adding a key to the keystore requires two arguments to the gpg command:

  • an option identifying the operation that you want to perform (--import)

  • the name of the file that contains the public key that you want to import

An example command to import a key is the following:

gpg --import input-filename

Encrypting a message using a GUI

An easy way to encrypt a message based on a public user key is to use one of the web-based tools to do so. My favorite, shown in Figure 6.4, “A GUI for PGP Encryption”, is iGolder's PGP encryption tool.

Figure 6.4. A GUI for PGP Encryption

A GUI for PGP Encryption

Using a form like this one is convenient when you are, for example, encrypting your address and any instructions to the seller as part of a darkweb transaction, as discussed in Chapter 10, Buying and safely paying for stuff .

To use the form shown in Figure 6.4, “A GUI for PGP Encryption”:

  1. Copy a user's public key (such as a seller's) from another form to the PGP Public Key field.

  2. Type or paste your message into the Message to Encrypt field.


    Because I am lazy and a poor typist, I keep my shipping address in a text file that I can simply copy and paste into text fields such as this.

  3. Click Encrypt Message.

  4. Copy the contents of the Encrypted Message field into the appropriate form that you will be using to submit your encrypted message.

Decrypting a message

Messages that are intended for you (or were created by you) can be read by you using either your public or private key. The gpg command to do this requires two options:

  • an option identifying the operation that you want to perform (--decrypt)

  • the name of the file that contains the public key that you want to import

An example command to decrypt a message is the following:

gpg --decrypt message-filename

If only these options are specified and you have used a passphrase to protect your key, you will be promoted for the passphrase and, if correct, the decrypted message is displayed. To quote the folks at SSH.COM, a passphrase differs from a password in the following way:

A passphrase is similar to a password. However, a password generally refers to something used to authenticate or log into a system. A password generally refers to a secret used to protect an encryption key. Commonly, an actual encryption key is derived from the passphrase and used to encrypt the protected resource.

You can also specify the passphase by using the --passphase option.

Payment for my Heroin Order

See how your eyes were drawn to that title? Even if you're using encryption or an anonymous mail system, there are still a few things that you should remember in order to send messages that fly under the radar.

As the title of this section suggests, encrypted email does not encrypt the subject of the email message, so make sure that your subject line is something like "Jesus Loves You", rather than something that might alert a scanner or surveillance system that something is not up to snuff in your message. If tobacco is illegal or you are a minor, you probably shouldn't use the word "snuff", either.

If you're going to encrypt any of your email from one of your email addresses, you should probably encrypt all of it from that address. Only encrypting some of it from an address is the same as attaching a label to those messages that says "I wanted to hide something in this message." On the other hand, encrypting all of your mail from an account could raise a similar flag, but if you're using a VPN, a truly anonymous mail system, and encrypting everything, you'll probably just cause someone a migraine. Good for you!

Using a disposable account for notification

A disposable email provider is a password-free email provider that provides pre-defined accounts, accepts mail to those accounts and deletes that mail after a specified period of time. Disposable email providers are therefore perfect for receiving mail when you do not want or need that mail to be associated with any existing account of yours, even if that account is a secure account. The fewer places for cross-contamination, the better.

For example, when creating an account that gives you access to some service, like an account with an email provider, the account creation process typically involves providing an email address at which you can receive mail about the account. When the account creation process for the new service generates a password that enables access to that service, it typically sends that password to the specified email address as part of a "Welcome" message.

Examples of disposable email providers that you may want to use are the following:

  • Guerrilla Mail - visiting the site generates a random email address without requiring registration. You can also choose your own address. Email is deleted 60 minutes after receipt, whether read or not.

    Figure 6.5. The Guerrilla mail disposable email provider

    The Guerrilla mail disposable email provider

  • ThrowAway Mail - ThrowAway Mail generates a temporary email address and Inbox for you, which continues to exist for 48 hours beyond the last time you use it. Cookies and JavaScript are required in your browser to use this service.

  • - Temp Mail provides a temporary, secure, anonymous, and free email address. Email sent to this address us deleted after 10 minutes.

  • - provides a free throwaway email address that is temporary, transient, and disposable. The Inbox can contain up to 10 messages, and is cleared when no message is received within 24 hours.


    MailDrop does not allow any email messages that have to do with illegal activity in your country, state, city, or region, and also has very active spam filters. If your email is about the "Stealing Drugs" song by The Marijuana Mercenaries, you may just as well delete it yourself and save MailDrop the trouble. If you don't want your mail to be scanned, look elsewhere.

Chapter 7.  Hiding files, directories, and partitions

Using a computer for whatever you do generally involves creating and storing data of some sort - even gamers need to save high scores. Whether you're writing personal letters to friends and family, saving unpopular political manifestos, or keeping a record of whatever you've bought on the dark web, this is all stuff that you don't want randoms to be able to see. Sure, they have to get access to your computing device to be able to see it. However, that's rarely a problem for jackbooted thugs from some TLA who just kicked open your door or crashed through a window and are now holding you and your computing devices at gunpoint. At that "point", you are "free" to give them access to your data either before or after your first few waterboarding or electric shock sessions. Lucky you! Remember, security is a pain until it saves you from loss or jail.

We all know how files, images, and whatever else are stored on a computing device. A hierarchical set of directories, each containing related files, yada, yada, yada... The way you store things is up to you, but the same hierarchy that helped you organize things is probably going to be similarly useful to Adolph TLA in seeing what you were doing and when you were doing it.

The remainder of this section discussed some common Windows, MacOS, and Linux block device encryption strategies for disks, partitions, and more. It concludes with sections explaining how to create a hidden volume inside a filesystem, how to hide its existence, and how to mount and use it.

Block device encryption strategies


The title of this section refers to block devices, which is what disks, partitions, and files that look like them are. Block devices are accessed/addressed by raw storage chunks (blocks, whose size depends on the device and device driver) rather than being accessed some number of characters at a time, like traditional files.

One way to protect yourself from letting Joe Hitler be able to read all your personal data is to encrypt everything. the section called “ Encrypting and decrypting email ” already explained how to do that in the context of email, and encrypting/decrypting your files one-by-one with PGP (Pretty Good Privacy) is pretty much the same thing. Sadly, doing that is still a PITA and isn't even that useful if the machine they've seized contains your private keys. Windows and MacOS systems both feature built-in encryption tools that are only a menu click away and enable you to password-protect your files, but giving up your password may only be 10,000 volts away. The government or your competitors would never do that, of course - and if you believe that, I can give you a great price on the Brooklyn Bridge as soon as you help my Nigerian cousin get a few million bucks out of the country.

A far easier method is to store your data on encrypted volumes that you mount in certain places. If you're a Linux fan, you've probably used LUKS (Linux Unified Key System), which encrypts partitions and enables you to specify a password when you mount them. This protects the entire partition but is pretty easy to detect:

  • If you encrypt an entire partition that holds a entire well-known directory hierarchy like /home and that partition is automounted, the system will prompt for a password when it is booted and sit there until you supply the password. So will Mr. TLA.

  • If you encrypt an entire partition containing some non-LSB (Linux Standard Base) partition that is mounted somewhere on demand (at which point you're prompted for the password), the partition is identified in /etc/fstab, which makes it fairly trvial to spot. 10,000 volts, here we come - plus, the TLA dweebs are even more curious now because you've tried to hide something (and done a pretty shitty job of it, so they're sure that the can outwit you).

  • If you encrypt an entire partition and don't list it in /etc/fstab, the TLA dweebs will probably notice that you can only account for 200 GB of partitions on a 500 GB disk. From there it's only an sudo fdisk -l disk-device or an sudo lvdisplay -m command (or some equivalent) away from identifying the hidden partition or logical volume and forcing you to mount tt at gunpoint or while holding your breath underwater.

This all assumes that you'll fold like a cheap suit when threatened. You may be more resistant to electric shock, partial drowning, or some number of years in jail than I am, I don't know. Privacy and protecting the intellectual property of your business are perfectly good reasons for security through encryption, but you'll have a hard time convincing some an airport security rocket scientist that you're not hiding kiddie porn. Those guys don't make minimum wage for nothing!

The preceding material treated your computer as, basically, a single-user system, which is pretty accurate nowadays. On multi-user systems, you still have encryption options at the user level, like encrypting each user's home directory when you create their account. That way, users can't look at other users' data even if they have the root password to defeat directory-level non-permissible file protections. If such a multi-user system is stolen, each user's password is different, and thus each home directory is separately encrypted. (I'm going to ignore the multi-user case from now on since it's 2019 and the last VAX 11/785 was gutted and made into a nerdy closet long ago.)

Encryption is a always good idea to protect your data if your machine is stolen, but is pretty obvious at the disk or partition level. If you want to try to protect your data against being discovered if your machine is seized, you have to be a bit more clever. I take the following approach to help safeguard my private data in this, single-user case:

  1. Optional: Use LUKS to encrypt the whole disk except for a small /boot partition. - I rarely do this in the single-user case because (1) it interrupts the system's boot process until the password is entered, (2) when there only is one user, it's functionally equivalent to encrypting the user's home directory, (3) if you're using logical volumes, you're already stacking disk and partitions and therefore slowing the system down slightly, and (4) it slightly slows all writes to anywhere on the system, including the creation and use of temporary files by the system or by applications.

  2. Encrypt home directories as they are created - I do this to protect the privacy of the user's data in case the system is lost or stolen. Logging in as the user allows read/write access to the data in their directory and any public areas.

  3. Use VeraCrypt to create a real and a hidden volume that are mounted on demand - The hidden volume is where the user's most private data is stored. As I'll explain later in this chapter, this type of volume is reallocated but hidden, and the volume that you create actually contains two volumes that are selected between by mount password - a placebo volume containing arbitrary files that makes it appear that the volume does not also contain another, truly hidden volume. You can even put mounting the placebo volume in /etc/fstab, just never supply the hidden volume's mount password in response to any police or TLA "request", no matter how many volts accompany it.

When stacking encryption and other abstractions (like logical volumes), make sure that you understand the performance impact of doing so. Each level of encryption that you add increases the time that it takes to access content, sometimes exponentially, For security and privacy purposes, it might be amusing to nest encryption models like Matryoshka or Babushka dolls, but it will definitely be slower than normal.


For the love of God, USE STRONG PASSWORDS! Now that we're talking about serious local system topics, the strongest file, directory, volume, or partition security possible doesn't do much good id your password is "qwerty", "123456", "password", or even "god". No one who is reading something like this would even consider using passwords like those, right? I thought not, but felt compelled to say it anyway. If you do use passwords like those and refuse to change, save yourself some jail time by blowing your brains out now.

VeraCrypt kicks ass, er, is great!

Aside from being cross-platform yet compatible with each system's disk/partition/volumrme management system, VeraCrypt's coolest feature is its ability to create a hidden volume where you can store you most private data - for example, any evidence of illegal purchases or thought-provoking documents. I am not slyly referring to kiddie porn. If you're into that, I spit on you and would appreciate it if you delete this document before reading any further.

For the rest of us, VeraCrypt has this amazing cool mechanism where you create a standard password-protected VeraCrypt volume that contains a hidden password-protected VeraCrypt volume. The password that you supply at mount-time determines which volume is mounted. Because VeraCrypt volume data is stored in an apparently random fashion, it is impossible to tell that what appears to be free space in the enclosing volume is actually a hidden volume plus free space. Figure 7.1, “VeraCrypt hidden volume layout” show this graphically, in case I was just too excited to explain it clearly. (I have been told that some people prefer pictures to words - I just don't get it.)

Figure 7.1. VeraCrypt hidden volume layout

VeraCrypt hidden volume layout


The image in Figure 7.1, “VeraCrypt hidden volume layout” was cheerfully lifted from the actual VeraCrypt documentation. Thanks! The VeraCrypt documentation is excellent, and is well worth reading even if you have no problem using the software.

After creating a non-hidden and hidden volume, I generally mount the non-hidden partition and salt it with a few important but non-secret file. Your resume, a scan of your passport, tax file for the past few years, and a few (safe) letters to friends. Maybe even some over-18 porn. If the TLA scum find VeraCrypt and insist forcibly that you mount your VeraCrypt volumes, they can scrutinize them all they want, and not find anything really bad. (Maybe jerk off to the porn!) They may not realize that real data hides under the surface.

The only clue that a forensics expert would have that a hidden volume was present is that the size of the files in the partition plus the amount of free space available does not match the size of the volume itself. The fact that you can mount the non-hidden volume (which I refer to as the "placebo" volume, since I really just use it as a distraction) or the hidden volume, and store files in each, is a very useful feature for hiding things. I map unmounting the hidden volume to a hotkey so that f the Gestapo ever break my door down, the existence of the hidden volume is invisible. If the TLA thought police force to mount that volume, I can mount the non-hidden version, and my secrets are still mine. They can examine the files I put in the non-hidden version to their hearts content (if they have a heart, that is).


When editing or creating file on a hidden volume, make sure that any temporary files created by the application that you are are using are also created on the hidden volume. This can usually be achieved by setting environment variables to create backup/checkpoint files in the same directory as the original file, or not to create them at all.

Obtaining and installing VeraCrypt

Different operating systems and graphical desktop environments provide different levels of access to platform-specific compression and disk utility applications. The MacOS and Microslush Windows desktops provide compression utilities om standard popup menu entries. All platforms support graphical and/or command-line utilities for portioning and formatting disks and other block devices.

Here the goal is not to hawk or explain a specific operating system's approach to traditional storage, but rather to provide a platform-independent discussion of how to hide sensitive data so that Erwin Rommel and TLAs don't roll over your right to privacy when they eviscerate your computer system in their latest legal panzer attack. As such, I'll use a program that I absolutely love, VeraCrypt, which is (as they put it) "...a free open source disk encryption software for Windows, Mac OSX and Linux." (They forgot about FreeBSD, which they also support.) They go on to say that VeraCrypt is based on the last version of TrueCrypt. TrueCrypt was a well-known and well-respected disk encryption tool, support and developers for which vanished one day in the worst possible amalgam between an open source development team and rats leaving a buggy sinking ship. What bobbed to the surface immediately thereafter was VeraCrypt, which you should absolutely donate to. You'll see why soon.

To get started with VeraCrypt, download the version of VeraCrypt for your platform and install it by running the executable (Windows), copying the executable to the Applications folder (MacOS - OSX FUSE is also required), or uncompressing the downloaded bzip2 tar archive (tar xjvf archive-file) and then running the 32 or 64-bit console or GUI installer, depending on your system and preference (Linux).

Creating a decoy and hidden volume

To use VeraCrypt to create a decoy and hidden volume, do the following:

  1. Stat VeraCrypt. A screen like the one shown in Figure 7.2, “VeraCrypt startup screen” displays. Click Create Volume. The VeraCrypt Volume Creation Wizard screen, shown in Figure 7.3, “VeraCrypt Volume Creation Wizard dialog”, displays.

    Figure 7.2. VeraCrypt startup screen

    VeraCrypt startup screen

    Figure 7.3. VeraCrypt Volume Creation Wizard dialog

    VeraCrypt Volume Creation Wizard dialog

  2. Select the Create an encrypted file container radio button, then click Next. The Volume Type screen, shown in Figure 7.4, “VeraCrypt Volume Type dialog”, displays.

    Figure 7.4. VeraCrypt Volume Type dialog

    VeraCrypt Volume Type dialog

  3. Select the Hidden VeraCrypt volume radio button. The Volume Location, shown in Figure 7.5, “VeraCrypt Volume Location screen”, displays.

    Figure 7.5. VeraCrypt Volume Location screen

    VeraCrypt Volume Location screen

  4. Click the Select File button to display the dialog shown in Figure 7.6, “The Specify a New VeraCrypt Volume dialog”, which enables you to navigate to the the location where you want the decoy volume to be created.

    Figure 7.6. The Specify a New VeraCrypt Volume dialog

    The Specify a New VeraCrypt Volume dialog

    Enter the name that you want the decoy volume to have in the Save As field, and click Save to close this dialog. Note that the full path to the new volume now displays in the Volume Location dialog.

    Optionally select the Never save history button to avoid saving any references to actions within this new volume in your shell history, which could reveal the existence of the hidden volume and whatever files and directories it contains.

    Click Next to proceed. The dialog shown in Figure 7.7, “VeraCrypt Outer Volume Encryption Options screen” displays.

    Figure 7.7. VeraCrypt Outer Volume Encryption Options screen

    VeraCrypt Outer Volume Encryption Options screen

  5. Use the dropdown beside the Encryption Algorithm field to display the list of available encryption algorithms or sequences of encryption algorithms that you want to use to encrypt any data that is stored on the decoy volume. Select the one(s) that you want to use from this list.

    After selecting the encryption algorithm(s) that you want to use in the decoy volume, you can optionally click the Test button to display a dialog that enables to to see the effects of the algorithm(s) that you selected. You can then click the Hash Algorithm field to drop down a list of the available hash algorithms to be used by VeraCrypt's random number generator as a pseudo random function during mixing and header key derivation. Select a value from the list or leave the default SHA-512 value selected.

    After changing these values or accepting the defaults, click Next to proceed. The screen shown in Figure 7.8, “VeraCrypt Outer Volume Size screen” displays.

    Figure 7.8. VeraCrypt Outer Volume Size screen

    VeraCrypt Outer Volume Size screen

  6. Enter the size that you want the decoy volume to have in gigabytes, megabytes, or kilobytes (seriously?). The minimum size is 340 KB, just slightly less than the size of a double-sided DOS floppy and almost as useful as one.

    After entering this value, click Next to proceed. The screen shown in Figure 7.9, “VeraCrypt Outer Volume Password screen” displays.

    Figure 7.9. VeraCrypt Outer Volume Password screen

    VeraCrypt Outer Volume Password screen

  7. Enter the password that you want to use for the decoy volume, then enter it again to ensure that you entered it correctly. If VeraCrypt complains that the passwords don't match, select the Display Password checkbox to locate and correct the differences. This password must be very different than the one that you use for the hidden volume, so use an easy-to-remember one for the decoy volume. This is the one you may be forced to reveal to some TLA, so you probably don't want to tease them by making it "The-NSA-Suck5" or anything along those lines.

    Click Next to proceed. The screen shown in Figure 7.10, “VeraCrypt Outer Volume Format screen” displays.

    Figure 7.10. VeraCrypt Outer Volume Format screen

    VeraCrypt Outer Volume Format screen

  8. Preparatory to actually formatting the decoy volume, VeraCrypt collects information to use in its "randomness", which the randomness it uses when filling the new volume with random data after formatting it. Once you have moved the mouse "enough", click Format to begin formatting and filling the decoy volume. VeraCrypt display a quick dialog to say that it is beginning the format process.

    When the format process completes, VeraCrypt displays a dialog telling you that it has mounted the new volume, and that you should populate it with some sensitive-appearing data, the size of which it will use to calculate the maximum size of the hidden volume that you can create.

    When you have populated the decoy volume with some sensitive-appearing data, click Next to proceed. Another informative dialog displays, letting you know that the maximum possible size of the hidden volume has been determined. Click Next to proceed. the dialog shown in Figure 7.11, “VeraCrypt Hidden Volume Encryption Options screen” displays.

    Figure 7.11. VeraCrypt Hidden Volume Encryption Options screen

    VeraCrypt Hidden Volume Encryption Options screen

  9. Select the encryption and hash algorithms that you want to use when creating the hidden volume, just as you did when creating the decoy volume in FOOBAR.

    When you are finished, click Next to proceed. The dialog shown in Figure 7.12, “VeraCrypt Hidden Volume Size screen” displays.

    Figure 7.12. VeraCrypt Hidden Volume Size screen

    VeraCrypt Hidden Volume Size screen

  10. Enter the size that you want the hidden volume to take up. Its maximum size, based on the size of the data with which you populated the decoy volume, is the initial value that is suggested. I generally reduce this by 5 GB or so, so that I can continue to update and add files to the decoy volume to make it look like a normal value that is being used normally.

    After specifying the size of the hidden volume, click Next to proceed. The dialog shown in FOO displays.

    Figure 7.13. VeraCrypt Hidden Volume Password screen

    VeraCrypt Hidden Volume Password screen

  11. Enter the password that you want to use for the hidden volume, then enter it again to ensure that you entered it correctly. If VeraCrypt complains that the passwords don't match, select the Display Password checkbox to locate and correct the differences. This password must be very different than the one that you used for the decoy volume,

    Click Next to proceed. The screen shown in Figure 7.14, “VeraCrypt (Hidden Volume) Format Options screen” displays.

    Figure 7.14. VeraCrypt (Hidden Volume) Format Options screen

    VeraCrypt (Hidden Volume) Format Options screen

  12. Click the down arrow at the right of the Filesystem type field to see a list of the types of filesystems that you can create in the hidden partition, select one, and then optionally select the Quick format checkbox if you want to do a quick job of creating the filesystem, which only writes necessary data to reformat the filesystem - it does not write all blocks from scratch.

    Click Next to proceed. The dialog shown in Figure 7.15, “VeraCrypt Cross-Platform Support screen” displays.

    Figure 7.15. VeraCrypt Cross-Platform Support screen

    VeraCrypt Cross-Platform Support screen

  13. Indicate whether you will use this volume with other operating systems by selecting either the I will mount the volume on other platforms or the I will mount the volume only on Mac OS X radio buttons.


    The screenshots for this tutorial were captured on Mac OS X. These options will differ when running VeraCrypt on other platforms, but the idea will be the same - on other platforms or only on the current one.

    Click Next to begin the format process. The dialog shown in Figure 7.16, “VeraCrypt Hidden Volume Format screen” displays.

    Figure 7.16. VeraCrypt Hidden Volume Format screen

    VeraCrypt Hidden Volume Format screen

  14. Preparatory to actually formatting the hidden volume, VeraCrypt collects information to use in its "randomness", which the randomness it uses when filling the new volume with random data after formatting it. Once you have moved the mouse "enough", click Format to begin formatting and filling the hidden volume. VeraCrypt display a quick dialog to say that it is beginning the format process.

    When the format process completes, VeraCrypt displays a dialog telling you that it has formatted the hidden volume, and proving some references to the section of the documentation that are relevant to hidden volumes, shown in Figure 7.17, “VeraCrypt Informative screen”.

    Figure 7.17. VeraCrypt Informative screen

    VeraCrypt Informative screen

  15. A final Volume Createdscreen displays, enabling you to format another volume by clicking Next or to exit, well, by clicking Exit.

Well, that was easy!

Using the volumes

So far, I've focused on using VeraCrypt's excellent GUI for creating an encrypted, hidden volume. The GUI makes it easy to specify things like the size of the decoy and hidden volumes, and to select, experiment with, and switch between the encryption algorithms used during volume creation. However, once you've created a volume, a GUI is not the right thing to integrate into largely textual, command-line sequences of system-level commands likec a system's boot process. A flurry of mouse moving, cursor tracking, object selection, menu expansion, and button clicking looks silly when just bringing up a systrm. You just want some things to happen in a predetermined sequence without the need for interaction and intervention - if a system is rebooted, you shouldn't need to be present while it rises, pohoenix-like, from its own ashes or a simple power-off state. Making storage voumes available for use, known as mounting them, is a part of brining up every system, and generally takes place before a system's GUI is available.

The folks at VeraCrypt didn't want mounting their volumes and making them available to be left out of a system's boot process, especially because VeraCrypt can encrypt system and similar volumes where all the binaries you're running live in the first place. They therefore added command-line switches that control every aspect of VeraCrypt from the command-line, making it easy to integrate VeraCrypt into any system's boot process and its associted shell scripts, command files, and other easy-to-use textual control for bring up a system. You don't even have to learn any new tools when working with this aspect of the boot process and these types of files - you already know how to use such a tool, and it's called emacs, er, I mean, a text editor. Hey, how did that soapbox get under my feet?

The next few section explain how to use VeraCrypt's command-line interface to perform standard system tasks like mounting and cleanly unmounting volumes. Your system's power switch provides a quick and dirty way of unmounting volumes, but it doesn't always leave them ready for reuse wuithout burning some incense and sacrifing a chicken or two. Let's use VeraCrypt's command-line interface first, but keep those chickens handy, just in case.

Mounting decoy and hidden VeraCrypt volumes

The bas>ic syntax of the command used to mount a VeraCrypt volume from the command-linen is the following:

      veracrypt -t --non-interactive volume -p password mountpoint

These optiopn and arguments have the following meanings:

  • -t - specifies that VeraCrypt is being used in text mode, without GUI

  • --non-interactive - specifies that arguments and options will be supplied on the command-line - VereCrypt does not need to prompt for additional arguments or values

  • volume - specifies that name of the volume that is to be mounted

  • -p password - specifies the password for the volume thatv you are mounting

  • mountpoint - specifies the directory non which the volume is being munted

Mounting a VeraCrypt volume can take 30 seconds or so. Unless the volume contains the operating system or system binaries, it is therefore often a good idea to mount VeraCrypt volumes outside of the linear system b oot process.


If you are mounting a hidden volume, it is generally a bad idea to mount it while its enclosing decoy volume is also mounted.

When the mount command competes successfully, you will see a message like "Volume volume-name has been mounted.".

Listing mounted VeraCrypt volumes

VeraCrypt provides an equally concide command to list all of the VeraCrypt volume that you have mounted or have acces to. This command is the following:

      veracrypt -t --list

This command returns something like the following:

      1: /home/wvh/Personal /dev/disk2 /home/wvh/DARK

In this sample output fragment, the fields have the following meanings:

  • 1: - the VeraCrypt "slot" that holds the information about a specific mounted volume, which isa VeraCrypt volume to mount point mappoing

  • /home/wvh/Personal - the name of the VeraCrypt volume

  • dev/disk2 - the name of the internal system disk device that is assigned to this mounted vomlume

  • /home/wvh/DARK - the directory on which the specifed VeraCrypt volume is mounted and therefore through which it can be accessed

For hidden volumes, the same device, internal disk, and mountpoint are used - the password used to mount the volume determines whether the decoy or hidden volume is mounted.

Unmounting a VeraCrypt volume

VeraCrypt provides a more concise command to unmount a specific VeraCrypt volume, identifying it by its mount point. This command is the following:

      veracrypt -t -d mountpoint/

The options and arguments to this command are the following:

  • -t - specifies that VeraCrypt is being used in text mode, without GUI

  • -d mountpointspecifies that you want to dismount the volume that is currently mounted at the specified mountpoint

After running this command and having the shell re-display its prompt, the volume mounted at the specified mountpoint has been dismounted. As with many Linux and Unix commands, the lack of complaint indicated success.

Muddying the water

Figure 7.2, “VeraCrypt startup screen” shows VeraCrypt's startup screen, which displays the slots that VeraCrypt maintains for its mounted volumes. This makes it easy for you to see the encrypted and/or hidden volumes that are currently mounted. Unfortunately, this interface is just as easy for Herman Goering to use to see that same list of volumes after he or some other TLA cronies have seized and are dissecting your running laptop`. The same is true of the command-line mechanism for listing mounted volumes, as explained in the section called “ Listing mounted VeraCrypt volumes ”.

Commands like these are hard to hide, especially if the TLA goons know about VeraCrypt - and I apologize if they did so through this book. Let's assume/hope not.

My favorite trick for hiding tools like VeraCrypt is to rename the binaries to something similar but innocuous. One of my favorite renames for VeraCrypt is purge-logs, which could obviously take directories as arguments. This will only delay the marginally clueful, but any delay is a win, and renaming could actually cause Joe TLA to overlook something.

Chapter 8.  Finding stuff on the dark web

Welcome! Now the fun begins, as you poke around on the dark web, looking for something interesting. Each of the sections in this chapter describes sites that I've spent time on and found to be interesting, useful, or both. I'm not going to bloat this document by summarizing everyone else's favorite sites on the web - that's what search engines are for.


It's common practice to modify your Tor configuration and set your home page to a Tor Status page or to a Tor directory or search engine page. If you already know where you want to go, you're probably going to click on it directly, type it in, or have bookmarked it on a previous visit; if you're just poking around, a directory or search engine page give you a blank canvas to start with.

Dark web directories

There was a time on the internet before search engines (ask your grandfather), when the primary web sites were nested pages that contained hand-curated, hand-organized collections of links that helped you find anything that you were looking for on the web. Yahoo! got its start this way. The dark web sports a few of these, which can be very useful in finding a starting point or in just getting some idea of what you subsequently want to search for.

  • - a clearnet site that provides many links to onion sites. You must be running Tor (or any other software that handles .onion links) in order for these links to resolve correctly. The darknet hidden wiki frequently changes location (and can be searched for), and features many scams, but is currently here.

  • The Tor Hidden Wiki - the dark web version of the hidden wiki - lots of links to lots of sites, updated at random times. and moves frequently. Some versions of this site are among the best-known, most commonly references sites.

    Figure 8.1. The Tor Hidden Wiki

    The Tor Hidden Wiki

  • ParaZite - Much like the earliest versions of Yahoo!, ParaZite has a clever name and consists of a combination of curated links and a rudimentary search engine. The curated links are great for dark web newbies who want to find sites that are related to a noun or concept rather than randomly searching for them.

  • https://3g2upl4pq6kufc4m.onion/TorLinks - a moderated replacement for the Hidden Wiki, TorLinks serves as a link/url list of Tor hidden services. A great source of information for matches regrading certain terms if you are not exactly sure what to search for. Regularly updated, though I'm not sure of the update schedule.

    Figure 8.2. The TorLinks directory

    The TorLinks directory

  • - yet another clearnet site that consists of links that only resolve if you're visiting it in the Tor browser.

Dark web search engines

  • - a great search engine to start with because it searches both the surface web and the dark web at the same time. It's often used as a home page for this reason and for convenience in general.

  • Candle - somewhat modeled after Google, but without the complex syntax for advanced searches. Only indexes .onion sites.

    Figure 8.3. The Candle search engine

    The Candle search engine

  • - Page of up-to-date dark net infobytes followed by a long listing of the online/offline status of various popular .onion markets and related sites.

  • DuckDuckGo - a high quality search engine second only to Google in popularity, but far superior to it in privacy. DuckDuckGo does not have the commercialism and privacy/anonymity tracking violations that infest Google, but it does have a vast index and quality search engine. The Onion version of DuckDuckGo includes hits for the clearnet in addition to .onion matches. The clearnet version of DuckDuckGo does not include .onion links in its index

  • Grams - search dark web markets for just about anything, preferably something illegal. This site doesn't seem to be up very often, but the wait ca be worth it.

  • News Group File Search - Eeasily searched, but limited to news group content. Quite useful at times, but not always.

  • not Evil - as witty a search engine as you can get in two words, and with an obscure reference to something the Google used to believe was their motto, not Evil has a simple UI that lets you search within titles, URLs, or full text. The About link at the bottom makes it clear that this site is philanthropic and philosophical.

  • searX - a metasearch engine, aggregating the results of other dark web search engines while not storing information about its users. Supports plugins, including web search and ad-blocking by default. Inspired by the Seeks project, a web search proxy and collaborative distributed tool for websearch.

  • Tor Search - a search engine for Tor hidden services. Tor Search makes it easier to find these because it is restricted to things that are hidden (but not too well, apparently).

  • Tor66 - a search engine limited to .onion sites, and therefore displays a very different set of results than other search engines Results are displayed in a traditional list or a matrix-like "gallery" view. First search engine to deliver an "amputees porn" site in response to a search for "bitcoin".

  • Torch - one of the broadest and best-known dark web search engines. They crawl and index more than a million pages, and is a great place to start and search. Like most search engines, the Torch site is paid for by ads, which can be handy if you're looking for something that matches an ad, though the rotating, blinking GIFs may occasionally induce an epileptic seizure.

    Figure 8.4. The Torch search engine

    The Torch search engine

  • VisiTOR - this site seems like a little bit of everything. You can get to various things (link directory, search engine, etc.) though per-section buttons across the top of the screen, and you can see those sections if you scroll down far enough. The link directory is especially interesting because it seems very different from others.

Dark web markets

One of the best things about the darkweb is your opportunity to buy just about anything. Caveat emptor - and that means you!


Law enforcement scum often seize sites and turn them into honeypots, which is the nerd term for a site that is set up to entrap the unwary. Be very careful when attempting to buy something on the dark web - make sure that the ste from which you are attempting to make a purchase hasn't been taken over by someone who wants to force you to agree with them in the name of some stupid law or supposed morality.

  • Black Market Guns - large selection of pistols, hand guns with butt stocks, and ammunition. Some night vision hardware.

  • Dream Market - has had some interesting history recently, when its operators modified its home page to announce that it was going down on 30-April-2019) perhaps to change hands. This message disappeared a few days later, so it either changed hands or morphed into the world's largest and trickiest honeypot. Since legal folks have to do something to justify their existence, use and order with caution.

  • EuroGuns - Small selection of quality hand guns. Desert Eagle, Walther PPK, SIG Sauer. Shipped from the Netherlands and Germany, and only guaranteed within the EU.

  • Silk Road 3.1 - Silk Road is probably the best known of the markets on the dark web, having been busted several times and made clearnet headlines for selling things that are "illegal" according to someone's bogus ideas of what laws are for. However, like a resilient cockroach, the site keeps coming back, though some sites referenced on it are probably still honeypots so that John Law can arrest people for victim-less crimes.

  • UnderMarket - a newer, yet well-populated market, tabs enable you to jump directly to various parts of the market. The site is definitely oriented towards hacks, crack, and other services. DDOS for two, anyone?

    Figure 8.5. UnderMarket 2.0 market

    UnderMarket 2.0 market

  • Valhalla - another of the best-known and most popular markets for goods and services, Valhalla (AKA its Finnish name, Silkkitie) once required an invitation, but now seems to be freely available (when it's available at all).

  • Wall Street Market - one of the best known dark web markets, the Wall Street market features the usual assortment of drugs, literature, and services. DANGER: Supposedly siezed by law enforcement scum early in 2019.

    NOTE: Things change just as quickly on the dark web as on the surface web. In the time between my writing the first draft of this document (including the warning in the previous paragraph) and now (29-May-2019), the jackbooted thugs that support the law rather than moral or ethical good siezed the Wall Street Market and shut it down. Figure 8.6, “R.I.P., Wall Street Market” shows what you see now - check the tab at the top of the screen. The site should never be trusted again, lest it rise phoenix-like, coming back as a zombied honeypot. Alas, poor Wall Street Market, I knew thee well...

    Figure 8.6. R.I.P., Wall Street Market

    R.I.P., Wall Street Market

Figure 8.7. Random items for sale at a random site

Random items for sale at a random site

Public services on the dark web

The dark web has a "softer" side, which is to provide some sites that support its other goals, primarily along the lines of information sharing. These sites are not guaranteed to be up (nothing on any web ever is), but provide valuable services when they are available.

  • Aktrivix - URL shortener for TOR and the dark web.

  • AnonyShares - enables you to post and publicly share files of any type, up to 10MB in size

  • Onion Fileshare - enables you to post (and therefore share) files of any type up to 2 MB in size

  • PasteOnion - enables you to post share files of any type. Shared files can be public or have a password set for them.

  • Pirate Bay - dark web version of thepiratebay site. A great place to download music that you like or are curious about, but not enough to pay for. (Hint: if you find yourself listening to something twice, buy a copy if you can. If it's out of print and not purchasable as downloaded audio, that's somone else's stupid fault, and a different matter.)

Bulletin boards, chats, and social sites

Though chatty, social site seem like concceptual anathema to the darknet, you can participate as anyone, and you'll certainly learn a lot! In an exercise in recusion, you can also ask for suggestions about similar sites.

  • Anon Net - go beyond TOR into another dark world of strange looking sites and paranoia. Usable through TOR.

  • CryptoParty - lots of content and lots to learn from the darkweb version of the clearnet CryptoParty site, where you can get together to share info and hot tips and advice

  • Deepsec - security-oriented site and community, populated by smart, secure people all over the world, often much smarter than I am

  • Galaxy Social Network - A social network for the anonymous darknet is detrimental. Well traveled with lots of great content.

  • Onion Soup - experiences and news about the darkweb

  • Overchan Lolz - very similar to, and sometimes duplicated from, Overchan Slamspeech, this chan has a huge number of well-populated categories with many posts within each of them

  • Overchan Slamspeech - popular bulletin-board systerm with a tremendous number of subjects. Well worth checking out for more information about the dark net and everything else

  • https://torum6uvof666pzw.onionTorum - capcha-protected cyber security forum. Friendly, English-only educational forum with a wide range of sub-forums on operating systems, hardware, social engineering, networking, and so on.

    Figure 8.8. The Torum site

    The Torum site

News and information sites

There are a zillion useful sites on the darkweb. Some of my favorites are:

  • Anon Net - go beyond TOR into another dark world of strange looking sites and paranoia. Usable through TOR.

  • Jiskopedia: Dark Web Encyclopedia - huge amount of intelligence information, guides, articles, and a database to tie it all together, together they provide a rich source of information about life below the surface.

  • ProPublica: Journalism in the Public Interest - the .onion version of their clearnet site, both of which deliver their insighful and stimulating jouralism - "journalism with moral force", as they themselves say. They have even won a Pulitzar prize for the MS-13 gang coverage, while most news sites struggle with graduating from CSS 101 and basic design. This is such an excelllent source of real information that I would subscribe President Trump to their newsletter if I thought he could read (or at least would).

    Figure 8.9. ProPublica investigative journalism site

    ProPublica investigative journalism site

  • Sci-Hub: free scientic knowledge - contains millions of scientific research papers in an attempt to make the world's scientific knowledge available to people without the exorbitent fees that are often requied by scientic journals. Access to this knowledge is like having a lifetime pass to the libary at Alexandria.

  • Onion Soup - experiences and news about the dark web

  • Wikileaks - official mirror site of the famous clearnet Wikipedia site, through 2010 with occasional new links

Commercial services


Commercial services, such as cryptocurrency mixers and mail services, that have been discussed in other chapters, are replicated in this section for your convenence.

  • Bitcoin Blender - Tor hidden service that provides a mode which does not require the creation of an account in order to do simple mixing. Sheduled mix/withdrawal for regular users,

  • Bitcoin Laundry - low fees, a usable user interface (UI), and good security easily explain the popularity of this site. By efault, logs are purged weekly, but log purging can be requested at any time.

  • BitMix - enables you to mix Bitcoin, Ethereum, and/or Litecoin. Low commission, quick mixing, and full anonymity. Minimums are requied for different cryptocurrency transfers. No logs are retained.

  • CryptoMixer - well-suited to large volume bitcoin mixing. Generated addresses are retained for 24 hous, then discarded.

  • Mailfence - a secure surface web email provider headquartered in Belgium, Mailfence provides a secure and private email service with browser-side encryption and full support for OpenPGP and digital signatures. Mailfence supports secure document storage, The free level of Mailfence supports 10 MB of attachments and 500 MB maximum mailbox storage, with increasing levels of each for the Entry and Pro service levels that cost real money.

  • - a secure surface web and onion email provider headquartered in Switzerland, Protonmail provides end-to-end encryption and hardware-level security with no provider access to user date. The free level provides 500 MB of storage and one email address, with a maximum of 150 messages per day. Other levels (Plus, Professional, and Visionary) have actual costs, but also provide increasing amounts of all of these plus the addition of custom domains for sending/receiving email.

    Figure 8.10. The Protonmail secure email provider

    The Protonmail secure email provider

  • Real Hosting - up your game with full-featured hosting on the dark web, with free 6- or 8-letter .onion addresses depending on how long you sign up for. Accepts bitcoin payments. No kiddie porn or victim-ful crimes. Very useful, though you should check where they're headquartered in case subpoenas appear and they have to give you up like last month's rent.

  • - a secure surface web email provider headquartered in Israel, supports the POP3 protocol to receive non-encrypted emails, or the POP3 SSL/SMTP SSL or IMAP SSL/SMTP SSL protocols for end-to-end encryption. The free level has interesting limitations such as 200 email messages per folder is 200, a maximum number of 10 folders per account, and 3MB of total storage. Safe-mail is the purchasing entry point for private and business email pages with increased or unlimited amounts of all of these, multiple levels of secure document storage, plus many add-on services such as additional security, backup and disaster recovery, calendaring, chat, bulletin boards, and much more.

  • TorShops - site for purchasing your own .onion site, which includes hosting, an integrated wallet, order tracking, messaging, personalized .onion domain (first six characters), custom logo, multiple page designs to start with, and much more. Setup fee is $100 USD (0.015 bitcoin), with an on-going charge of 6% of sales.

  • - a secure surface web email provider headquartered in Iceland, Unseen supports end-to-end encryption, file sharing, and full support for OpenPGP for email and other encryption mechanisms for audio/video encryption, including some that are apparently proprietary. Messages sent to non-Unseen hosts using proprietary encryption mechanisms that are not supported by the recipient's system will be sent in the clear. The free level of Unseen supports sharing files of up to 50 MB, and a reasonable amount of message storage. The premium version supports 2GB of storage, sharing files of up to 40GB in size, and group audio/video calling.

Chapter 9.  Crypotocurrency 101

Hey, I thought this was a book about the dark web? Yes, Virginia, it is, but if you ever plan to buy anything there and don't want to pay for it by a check with your name and address on it, you're going to have to pay for it with cryptocurrency. Therefore, this chapter provides enough info to get you started so that you can eventually buy that Glock, er, that marijuana, er, that Donald Trump voodoo doll with complete security.


Time to stand on a popular soapbox for a moment. In cryptocurrency, we are all being present at the birth of a new way to back, store, and think about currency. Cryptocurrency s not backed by some hard-to-find metal that is stored in some facy closet surrounded by armed guards (ala Fort Knox), nor is it backed by promises made by some goverment. Instead, it if backed by work or the value of some intellectual technological asset. As such, the intellectual technologies that understand and innovate cryptocurrencies are themselves under development. This chapter explains the basics, but what about the future? Bitcoin Improvement Proposals (BIPs) are the cryptocurrency versions of the Requests for Comment (RFCs) that have always driven the bith of the Internet itself. BIPs can be found at Bitcoin Improvement Proposals page of the Bitcoin Wiki. The current list of BIPs and their status can be viewed here. BTW, "Bitcoin" is something of a misnomer here, because these are really cryptocurrency and cryptocurrency handling improvement proposals, but I guess the first crypto coin out there gets lots of naming rights.

Let's start with the core concept behind all true cryptocurrencies - the blockchain. It's hard to find a tech blog, online site, or zine that doesn't hype blockchain as the next big thing, but many people seem to recognize the word without really understanding the concept. Understanding blockchain as a technology and its relationship to each cryptocurrency is fundamental to becoming part of the cryptocurrency future. Beyond "just" cryptocurrencies, understanding blockchain's implications for other industries will help make it clear why blockchain is a truly revolutionary approach to transaction tracking, metadata storage, lookups, and data security.

What is a blockchain?

A blockchain is shared, distributed data that functions as a ledger which tracks a certain type of transactions. There is no such thing as the blockchain. Each application of the blockchain concept, such as most types of cryptocurrency, uses *a* blockchain to record the type of transactions that it is associated with, though multiple applications can share a single blockchain. Bitcoin was the first popular cryptocurrency, and is the original example of a blockchain-based technology. Anyone who is mining bitcoins is interacting with Bitcoin's blockchain, which is completely distinct from the blockchain used by Ethereum, the blockchain used by Monero, and so on.

Every participant in a blockchain has a complete copy of that blockchain. Every time a transaction is completed, all members of the associated blockchain network get information about those changes and ensure that they are present in their copy.

How does blockchain work with cryptocurrrency?

As the name suggests, a blockchain is composed of data blocks of a certain size that are linked together. Each block is comprised of a header and the data that the block contains. The header in each block in a blockchain has a reference to the previous block in the chain. The identifier used to identify the previous block is the fingerprint of the header of that block, known as a hash. In mathematics, a hash function is a mathematical process that takes input data of any size, performs some mathematical operations on that data, and returns a value that is a fixed size. The term "hash" comes from the notion that you are somehow chopping up differently-sized input data to arrive at the fixed-size output value.


A blockchain model does not guarantee anonymity - it only provides an abstraction that, for some cryptocurrencies (such as bitcoin), is easily trackable.

Using a hash as the identifier for the previous block has a big advantage over just using an increasing block identifier for each block. Change one bit in the data, and a different hash is returned. Thus, using a hash as a block identifier provides both a unique way of identifying a block and a way of verifying the fact that the data in that block has not changed.

The block headers of different blockchains have different formats, and the content and sizes of their blocks also differ. Bitcoin's header format is 80 bytes, while the header for the blockchain used by Ethereum is over 500 bytes. They key features of any blockchain header are the following:

  • prev-block link - the hash value that identifies the previous block in the blockchain

  • block size - size of this block in bytes

  • nonce - one or more values that verify that appropriate work went into creating the block

Block headers differ by more than size across different blockchains - their contents differ based on the types of transactions that they are tracking and the way in which they are being tracked. Because headers differ across blockchains, block contents also differ widely across different blockchains. Each transaction and related block contents must at least contain a unique identifier for that transaction, which is typically a hash based on the contents of the transaction.

Because the blocks in a blockchain contain a record of all transactions that have ever been made to that blockchain, blockchains can only be appended to as new transactions occur.

Earning cryptocurrency by adding to its blockchain

Blocks in a blockchain are created by an operation known as mining. Systems that are involved in the blockchain, known as nodes, create new blocks by performing many calculations in order to find hash values that satisfy the criteria for the "nonce" field in the block header. The nonce is therefore referred to as "proof of work" in blockchains such as Bitcoin. Other blockchains use different criteria for validating a block, such as "proof of stake", "proof of activity", and so on. When you successfully mine a block in a public blockchain such as that for a cryptocurrency, you receive a reward, typically in units of that cryptocurrency.

For more information about obtaining bitcoin and other types of cryptocurrencies, see the section called “ Getting Bitcoin and other currencies ”.

Getting Bitcoin and other currencies

As mentioned in previous sections, there are various ways to obtain a form of cryptocurrency. Unless you're a day trader and want to be nervous all the time, the best strategy for profiting from cryptocurrency is to buy a cryptocurrency whose technology and reason for existence you believe in, and then to HODL that currency until/if it catches on and makes some sort of profit. Other strategic tips on how to profit from cryptocurrrency are to ever invest more than you can afford to lose, always buy low and sell high, and ton always leave sufficient room between you and the car in front of you.

The standard ways of obtaining cryptocurrencies are the following:

  • mining - solving the mathematical problems associated with a given blockchain until a block is completely solved, at which point the reward is earned and shared. Rarely profitable or timely nowadays for bitcoin, unless you happen to have hundreds of machines with multiple GPUs just sitting around or buy a Bitcoin (or other cryptocurrency) miner. See the section called “ DIY Mining: There's crypto coins in them there algorithms ” and the section called “ Contract/Cloud Mining: They'll drive and pay for the power ” for more information.

  • earning - various earning schemes such as micro tasks, crypto blogging, affiliate marketing, day trading, gambling, crypto faucets, etc. Auto-earners can be lots of hassle to set up, but can earn micro amounts for you in the background.

  • purchasing/exchanging - exchanging fiat currency or some other cryptocurrrency for cryptocurrency through an exchange or equivalant.

    When purchasing a cryptocurrency, it's preferable to be able to be able to deposit that cryptocurrency in an account or multi-asset wallet where multiple currencies are supported, so that you can convert between the crytocurrencies that you will want to be able to spend or invest in. Bitcoin is the lowest common denominator (in terms of being able to invest and convert between currencies, not in terms of actual cost). See the section called “ Desktop software wallets ” and the section called “ Using an exchange ” for more information.

In any of these scenarios, you just need to be able to specify the hex address of the cuurency wallet in which you want the cryptocurrency that you've acquired to be sent/deposited to,

DIY Mining: There's crypto coins in them there algorithms

If you're really determined to mine yourself, you can either:

  • Build a machine with a motherboard that supports multiple video cards, a special rack to hold them, and a power supply big enough to fuel a small city, and then install the operating system of your choice (usually Linux or optimized, customized Linux) and the software that you plan to use for GPU mining of the cryptocurrency that you'll be mining. ASUS makes some great motherboards for mining, such as the B250. Other vendors include almost everybody: ASRock, Biostar, Gigabyte, MSI, and new (to me, at least) vendors such as Onda.

  • Purchase a bitcoin miner which features ASICs (Application-Specific Intergrated Circuits) that are designed for that purpose. With this hardware, you will still have to register with a mining pool, which aggregates the results from multiple miners and shares the coins that are mined. Some vendors of ASIC miners are:

    • Bitmain - Bitmain is the oldest and best-known designer and manufacturer ofstanlone miners, all of which need a separate power supply to run. They are all high perforance, with new models appearing quite often. They all sound like a private or commercial jet airplane taking off, so doon't try to set them up in your bedroom. Bitmain miners are easy to find on eBay or on Amazon. Their web site hints at futurec AI-based systems if you're playing buzzword bingo or are an AI fan in general.

    • Caanan - Caanan Creative (usually known simply as Caanan is a hardware and services vendor located in Beijing, North Dakota... JUST KIDDING! Beijing, China. Caanan produces its own ASIC designs, and also took over the popular Avalon brand. At the time that this section was last updated, the Caanan and Avalon hardware was most readily available in on Amazon. For larger quantities, ontact Caanam themselves (if their web site is up).

    • FutureBit - Creators of both a USB miner that you plug into a USB port, and whose control software then runs on your PC, and a standalone miner that boots from an SD card and requires an external power supply. They are located in the USA, and their hardware can be purchased from them directly and is easily found on commercial sites such as Amazon.

    • Gekko Science - Creators of a USB miner that you plug into a USB port, and whose control software then runs on your PC. Their hardware is most commonly resold by other vendors and is easily found on commercial sites such as Amazon. This hardware enables you to mine any SHA256 based cryptocoins like Bitcoin, Namecoin, DEM and others.

    • Halong Mining - Halong Mining makes the Dragonmint Miner hardware, which are relatively new, high performance. standalone miners that require a 1600 Watt power supply per device. I wasc as surprised as anyone when, after many high performance claims and much hoopla in the press, everyrthing turned out to be true. The Dragonmint miners are also quieter than some from other vendors. These miners are available from them directly or from commercial vendors such as Amazon.

    • Pangolin Miner - Pangolin Miner makes the WhatsMiner hardware, which are relatively new standalone miners that require a 3350 Watt power supply per device. Wow! Uniquely, Pangolin also lets you host your miners in their farm for a small fee. These miners are available from them directly or from commercial vendors such as Amazon.

Former vendors of mining hardware include Butterfly Labs, Gridseed (USB), Spondoolies (much lamented by me!), and many more. These all offered transaction/hash rates that are low by today"s standards. Don't buy these even on eBay unless you collect old hardware or are just looking for an extremely inefficient space heater. A great quote on old mining hardware that I read somewhere is:

If you’re a hobbyist miner on a budget, with no interest in the profitability of transmogrifying electricity into bitcoins, then the old-hardware-name is worth considering.

Be forewarned that ASIC hzrdware has converted most of the USB devices into curios that may not be sigicantly profitable before the sun turns into a dark, smoky ember.

Good times at the mining pool

Mining pools offer a place to which you contribute the hashing that is being done on your hardware, which is then combined with that of other contributors/participants. You pay for this pool service via a share of any profits that you make from your contribution. This is the common way of earning crypto from some Frankensitinian mining hardware that you have assembled. Some contract/cloud sites also offer pool services as well as rental services.


See the Glossary under cryptocurrency tyoes for a list of many cryptocurrencies and their short and full names.

To find a mining pool that you can participate in, a simple Google search for "cryptocurrency mining pool" will turn up lots of sites for you, and will be more up-to-date than a written list could possibly be. To get you started here, some specific pools that I have participated in or heard about from others are the following:

  • AntPool - AntPool is operated by the Bitmain folks and is located in mainland China. They give out "Beijing is where the heart is" T-shirts when you sign up for an account. (That is a lie, but would be nice.) They are a well-respected pool, running primary on the latest Bitmain Antminers and custom Bitfury hardware. They support SHA256 mining, namely Bitcoin, Bitcoin Cash, Litecoin, and Zcash. Not too surprisingly, you can also rent Bitmain miners from them.

  • F2Pool - Supports SHA256 ontributory mining in Bitcoin and Zcash. Supports shared/rented mining via Nice2hash, with payouts in Bitcoin, Litecoin, Ethereum, GRIN-29, GRIN-31, ZCash, and Zclassic. NiceHash is a hashrate exchange platform, where miners can purchase hashrate based on different algorithms and mine in F2Pool.

  • - Supports SHA256 mining with potential payouts in Bitcoin, Bitcoin Cash, Decred, Ethereum, Ethereum Classic, Litecoin, GRIN-29, GRIN-31, and United Bitcoin.

  • Slush Poool - Slush Pool was the first mining pool. and therefore introduced most of the "pool" concepts. It is still going strong today. They currently enable mining SHA256 currecies, specifocally Bitcoin and Zero Cash. They are moving to a new website soon. If redirection does "just work", try the new slush pool site. How you profit from mining onSlush Pool is spelled out here.

Contract/Cloud Mining: They'll drive and pay for the power

Cloud mining is the hot term for sites that will mine for you, using their real or virtual hardware, and is especially cool because it uses the world cloud in its title, so you know that this is modern, bleeding-edge technological wizardry. In reality, these are just sites thhat run a bunch of mining hardware or virtual machines, from which you can rent an overall share or some number of real or virtual machines. Virtual mining hardware providers enable you to install and use your favorite mining software, rather than that is used by default on the site's hardware.

There are two basic ways of a cloud site charging you for participation:

  • pool fees - a share of any profits that you make from the hashing that is being done on your hardware and whose results are being contributed to the site. Some contract/cloud sites offer traditional mining pool services as well as their rental services. For more information about mining pools and pool sites, see the section called “ Good times at the mining pool ”.

  • rental cost - the cost for renting a guaranteed amount of hashpower or one or more specific real or virtual machines. There is often no pool fee for such contracts - it's built into the contract cost.

Before worrying about the cost, a key to selecting a cloud site is to find one that mines using the algorithm that you are interested in, if you care. Some sites use an algorithm that is used by the cryptocrrency that you want to mine, while others mine using other algorithms and pay in a supported cryptocurrency, which you can eventually convert into the cryptocurrency that you are interested in by using a multi-asset wallet or an exchange. See the section called “ Overview: Single currency and multi-asset wallets ” and the section called “ Using an exchange ”

To find a site that will mine for you, a simple Google search for "cryptocurrency mining site" (and optionally the algorithm or cryp[tocurrency that you're interested in) will turn up lots of sites for you, and will be more up-to-date than a written list could possibly be. To get you started here, some specific sites that I have used or heard about from friends are the following:

  • Genesis Mining - probably the largest Bitcoin and scrypt cloud mining provider. They support over six algorithms that can produce profits in more than 15 crrencies. Genesis Mining offers two Bitcoin mining plans with four levels of service each, and four levels of service each for Dash, Ethereum, Litecoin, Monero, and Zcash. If being sold out of various service levels for multiple currencies is any indication, they're doing great!

  • Hashflare - offers SHA-256 mining contracts in Bitcoin, Dash, Ethereum, Litecoin, and Zcash pools. Contract prices look very inexpensive until you check the units that they are measured in. Profitable SHA-256 coins can be mined, but automatic payouts are still in BTC, which makes things hard to calculate. If being sold out of mining contracts for multiple currencies is any indication, they're doing great! At the time this document was last updated, only a limited number of Ethereum contacts were available - all other contract types were sold out.

  • hodlAir - provides multi-algorithm uhash (micro-hash) contracts to simulaneously mine multiple altcoins and share in general site profits, with payouts in Bitcoin supported currency. Their farm is therefore made up of multiple types of ASIC miners and GPU rigs. Each contract has a ‘Guaranteed Minimum Hashrate’ (currently 127GH/s of SHA256 mining). Their innovative multi-algorithm model is unique to the industry, and is therefore creatively profitable.

Storing Cryptocurrency

A big part of creating a crytocurrency and fostering its success is creating a wallet in which coins in that currency (or representation of them) can be stored. After all, the "coins" in a given cryptocurrency are just pointers into the blockchain (or its equivalent) for that currency. A cryptocurrency wallet is a device, physical medium, application or service that stores a pair of public and private cryptographic keys for each type of cryptocurrency that it supports. Your wallet's public key for a cryptocurrency enables other wallets to send a currency to the wallet's address and the private key for a cryptocurrency enables you to send cryptocurrency from that wallet to another address. A wallet is basically the crypto equivalent of a bank account - it's your personal interface to one or more types of crypto coins in the crytocurrency network, just as an online bank account is an interface to holdings in the traditional monetary system.

The first cryptocurrency wallet was introduced by Satoshi Nakamoto in 2009 when he first released the bitcoin paper and implementation. One bitcoin can be divided out to eight decimal places. This means that one bitcoin corresponds to 100 million satoshi, the smallest base unit, and> bitcoin wallets must support that level of granularity. As other currencies emerged, they were each accompanied by a wallet for storing keys for that currency, and other implementations of those wallets also emerged. As more and more cryptocurrencies appeared, wallets that could handle more than one cryptocurrency (known as a multi-asset wallets also began to appear.

The type(s) of wallet(s) that you use depend on how you are using cryptocurrencies. If you are using them as a long-term savings or investment mechanism, hardware wallets are probably you best option because of the stability and security that they provide. If you are frequently trading cryptocurrencies, a desktop or web software wallet is probably best. If you always have access to the computer on which a desktop wallets runs (and do regular backups to an off-site device), a desktop software wallet provides greater security. If you are mobile and are always using different devices, a web wallet is probably your best option. More about all of these options later...


Wallets generally store one or two types of semantically similar assets, coins and tokens. Coins are just what we typically think of coins as: a money equivalent that is a native blockchain object that serves as a medium of exchange and as a medium of storing account value. To muddy the water, Ethereum introduced EIPs and ERCs (Ethereum Improvement Proposals and Ethereum Request for Comments), the latter of which is a type of the first. These are sponsored by the Department of Redundancy Department - sorry, JUST KIDDING! These are developed or proposed by the Ethereum community. ERC20 introduced a protocol standard defining rules and standards for issuing tokens based on Ethereum's blockchain. Tokens therefore differ from coins because (1), they are not native blockchain objects and (2), they are generally based on coins from some blockchain but are abstractions used for some logical purpose. To muddy the water one final time, only the truly pedantic care about that difference, and the terms are generally used interchangeably by people who are buying or or selling them. People who are actually using or spending them see a big difference. Coins vs tokens is almost the modern equivalent of Lewis Carroll's "Why is a raven like a writing desk?"

The next few sections discuss how different types of cryptocurrency are obtained, and the different types of wallets that are available. Each of these sections discuss the pros and cons of each type of wallet and provides a few examples of each. A subsequent section then discusses currency exchanges, often simply referred to as exchanges, which enable you to trade between supported cryptocurrencies, and even to convert cryptocurrencies into traditional (fiat) currencies. They are referred to as fiat currencies because they are as futuristic as the rusting cars by that name - JUST KIDDING!. They are called fiat currencies because that is the term for legal tender whose value is backed by the government that issued it. This differs from currencies that are backed by some physical asset, such as gold or silver, which are therefore referred to as commodity currencies.

Overview: Single currency and multi-asset wallets

Different wallets obviously differ in style, general user interface, and in the sequence of actions that you must take to send a cryptocurrency somewhere or check the balance of your holdings. However, beneath these differences are two more fundamental ones - where the assets in them are stored, and how many different types of assets can be stored in them.

Hardware wallets

A hardware wallet is a physical device built for the sole purpose of storing the keys for crypto coins. The next two sections discuss the two primary types of hardware wallets: a paper wallet that records the keys for a specific type and amount of cryptocurrency, and a hardware wallet that records the same types of keys but stores it in flash memory on the device, so it is easier to add to or subtract from when spending a cryptocurrency. Hardware wallets are a good choice if you’re serious about security and convenient, reliable cryptocurrency storage.

Physical hardware wallets keep private keys separate from potentially vulnerable, always connected devices that could potentially be accessed by the entire Internet when you are online, modulo the degree to which your computer's security system enables access to specific devices. If you do not block incoming network traffic that was not initiated on your end, cyber-criminals could target a software wallet on your computer and steal cryptocurrency by accessing your private keys. Using a hardware wallet provides another level of security by requiring another, password or PIN protected way to reach your keys. Even if the hardware wallet (the physical device) is stolen and cyber-criminals can obtain the software used to access it, criminals would have to know your password or PIN to access the cryptocurrency keys that it contains. It is therefore a good idea to retain a backup code or device dump that you can use to restore your wallet and its contents.

There are two classes of hardware wallets: hot and cold. The difference is simple. Hot wallets can be connected to the Internet (generally through another Internet-connected device), while cold wallets are completely offline. The cold wallets still require a communication mechanism, generally QR code scanning or physical MicroSD with stored PSBT (Partially Signed Bitcoin Transaction) BIP 174 transactions to add or spend currency. BIP 174 is a proposed extensible standard for exchanging information about such transactions. QR scanning makes wallets that support it very mobile-friendly. Cold wallets are often limited to handling a smaller number of cryptocurrencies because they can be difficult to update due to their disconnected nature.

Paper and steel wallets

A paper or steel wallet is an offline mechanism for storing Bitcoins. This type of hardware cryptocurrency wallet is as simple as witting down a single pairing of a Bitcoin address with its corresponding Bitcoin private key. These wallets are not fancy technical slang - they literally mean a wallet made of one or more sheets of paper or a flat piece of steel. The very technical process of using them involves printing the private keys and Bitcoin addresses onto paper or transcribing them into a steel wallet using applied letters and numbers of some sort. Paper and steel wallets are always cold wallets unless your computer system has some sort of osmosis interface. if you do, maybe you should be selling the osmosis interface rather than spending your time with crypto.

You can buy regular sheets of paper to make a paper wallet anywhere, or you can buy slightly fancier paper or light cardboard "wallets" on sites like eBay. Paper wallets are cold wallets and are therefore immune to hacking, but slightly more susceptible to physical theft than whizzy hardware wallets that require password to gain access. Other possible problems with paper wallets include:

  • fire

  • floods

  • "the dog ate my cryptocurrency wallet"

Slightly cooler than the eBay solution for paper wallets are web sites that will generate wallet templates for you. Some touch-up is required after generating them, since you should run away from any wallet generation site that asks for your private key and cryptocurrency address as input. You might as well post them on Facebook as an offsite storage solution.

Some cool sites for generating paper wallets are the following:

After printing and customizing a paper wallet, put it in a zip-lock baggie, and then put that inside a safe. Your cryptocurrency will then be safe, at least from computer hacks.

Once you've created a paper wallet, you can still add funds to it by telling people to send bitcoins to your Bitcoin address (or other cryptocurrencies to their wallet address). You can always check your balance by going to sites like or and entering your bitcoin address. Spending cryptocurrency stored on a paper wallet is a bit more complex, requiring that you temporarily go through a hot wallet.


Satoshi advised that one should never delete a wallet.

I'm not aware of any sites that let you print steel wallets, but that's probably more because I'm not aware of any steel printers. Other types of hardware wallets sold on eBay may be pre-hacked, but the blank steel ones are safe.

USB and QR scan wallets

A USB wallet is an electronic device that typically must be connected to your computer, phone, or tablet (i.e, a computer) before the coins that it contains can be spent, examined, or added to. QR scan wallets are offline hardware that use QR scanning to exchange data, and thus are never physically ` connected to your systems. USB wallets are hot wallets; QR scan wallets are generally cold wallets. As always, the coins that a hardware wallet contains are actually the private keys required to access those coins. A hardware wallet typically uses writable flash storage to provide secure offline storage for your cryptocurrency. Because a hardware wallet is just a persistent storage device, its contents are typically secure even if it is connected to a computer that is the Typhoid Mary of viruses and malware.

Some minimal level of care for a USB hardware wallet itself is still required, akin to the type of security that your bank typically provides for the funds that it holds. Hardware wallets do not survive lightning bolts or being directly plugged in to AC outlets, so (for example) I would not put any of my USB wallets in my pocket and then go walking on a golf course during a thunderstorm, but maybe that's just me.

Even if hardware wallets are stolen, their contents usually still require a PIN (Personal Identification Number) and special software to access them. The storage is typically encrypted, so reading the raw hardware device won't help. You should still use whatever mechanism the device manufacturer suggests for backups. Knowing the PIN won't help much if you lose the hardware wallet itself or it is stolen. Caveat dummy.

The next sections discuss some well-known and well-regarded hardware wallets, the Ledger X and the Terror T. There are many other vendors of hardware wallets, such as Bitfi, Coinkite, Ellipal, Kasse, Keepkey, Temexe, and even more. Of these, the Coinkite and Ellipal cold wallets and the Keepkey hot wallet seem the most interesting, but I don't have actual experience with them, so I can't actually recommend them.


If you're a wallet manufacturer whose product I did not discuss, and you would like me to test and discuss your wallet, send me one!

Ledger Nano X

The Ledger Nano X is Ledger's newest multi-asset hardware wallet, following on the heels of Ledger's classic and popular Nano S.

Hardware: Like the Nano S, the Ledger Nano X is an attractive, simple USB stick with a swing-down metal connection protection cover. The only problem I ever had with the Nano S was its limited storage. In my case, I was limited to storing 3 cryptocurrency assets on the Nano S, because space requirements depend on the currencies that were being stored. Currencies that are related to each other (Ledger uses the term "derivative") can share storage space with each other (application code libraries). Currencies that are orthogonal to each other therefore consume more space because their blockchain and code are unrelated and nothing can be shared between them. The Nano X removes this limitation by providing sufficient capacity to store at least 10 currency assets (Ledger claims 22, but I haven't gotten there yet).

Software: The Nano X introduces a new Ledger Live application, which can be used from an IOS or Android phone or tablet, or from a Windows, MacOS, or Linux system. I won't walk through the software installation process - suffice it to say that it's quite simple and straight-forward. Remember to write down and verify the 24-word recovery phrase when it is created - that is absolutely critical for recovering your currencies if you have problems down the road! You will have to select the coin-specific download that you want to install in order to create an account for that cryptocurrency. Once you create an account, transfers work normally on that device by supply a local or remote wallet address to add or spend coins, and then receive or send that amount or that currency to/from the Nana X.

As mentioned previously a zillion times or so, backups are critical for all wallets, especially so because all the responsibility for backups, restores, and security is yours. Ledgers support restoration from the magic 24-word recovery phrase, and you can also use another Ledger as a hot spare or a second access point for another party. The cost of another Ledger as a backup device pales beside the cost of a complete hair transplant if you lose your Ledger device, have to order another one to recover assets that are worth significantly more than the cost of that second Ledger device.

Hardware wallets are my favorite place for long-term HODL'ing (sic) of cryptocurrency. The security provided by the Ledger hardware combined with ease of use provided by the Ledger Live software makes the Ledger Nano X another winner, and my favorite hardware wallet. The Nano X also speaks Bluetooth so, while this provides yet another attack point for crackers, it's one less cable on your desk!

Trezor T

The Trezor T (AKA the T) is the latest product from SatoshiLabs, one of the original manufacturers of multi-asset hardware wallets for all your cryptocurrency needs. The Trezor T is a follow-on to their first hardware wallet, The Trezor One (AKA the T-1), and offers significant improvements in both hardware and software.

The T introduces a color touchscreen that does away with the need for physical button and provides a small, easy-to-use footprint. The T is the primary competitor for the Ledger Nano X , and maintains Trezor's well-respected emphasis on security. The T features a twelve word recovery seed much like Ledger's 24 word seed, and you use a 4 to 9 digit PIN to access the T for every day use. Backing up (and restoring, if needed) the T is easy to do from its software, using a 24-word seed to reflect up-to-the-minutes status of all stored cryptocurrency. Store these seed somewhere safe and impervious to loss or destruction!

The T is a USB device that therefore attaches easily to a desktop or tablet computer for spending, examining, or receiving cryptocurrencies. The cryptocurrencies that the T supports are Bitcoin, Bcash, Bitcoin Gold, Dash, Ethereum, Ethereum Classic, Expanse, Litecoin, NEM, UBIQ, and Zcash, and also supports many similar currencies. (See their web site for a complete list.) It is an excellent wallet that supports slightly fewer coins then the Ledger Nano X, but if you are focused on one of the supported currencies, its interface and ease-of-use trump the Nano X.

Software wallets

The most common and easiest to use cryptocurrency wallets are software wallets, which provide a desktop interface that is either dedicated software or a web-based interface to the asset storage that they provide. Dedicated desktop software wallets generally store and track cryptocurrency holdings on your local system, and interact with the associated blockchain by copying it locally (slow!) or through various interfaces to the remote blockchain. Web-based wallets provide the same capabilities, but store your keys and the assets that they track in the cloud. Best of all, software wallets of both types are free, surviving by taking a small fee from each of your transactions.


Another way to think of software wallets is that they differ by how/where addresses are created to identify your stored cryptocurrency, and by who controls the storage in which they are held.

When seriously evaluating software wallets, it's always useful and important to determine which BIPs (Bitcoin Improvement Proposals, discussed at the beginning of Chapter 9, Crypotocurrency 101 ) they conform to and/or implement. Ensure that the software wallet that you are considering complies with at least the BIP32, BIP39 or BIP44 standards.

The other most important things to know about software wallets is (1), someone will try to hack them and (2), local storage wallets are vulnerable to system failures or other catastrophes. You should always carefully back up software wallets, most critically in the case of desktop software wallets with local currency/key storage, which is always online when your system is. Backups are just as critical for web wallets. Web wallet storage is not local, but web/cloud storage is more susceptible to hacking since it is always online.

The next few sections discuss desktop and web software wallets, proving a few examples of each. Remember that a good general rule for these is that a software wallet is a good place to keep the cryptocurrencies that you're currently using or planning to use, but a hardware wallet is a better place to HODL large amounts of long-term hodlings. Think of them, respectively, as your standard wallet and your own personal Fort Knox.

Desktop software wallets

Desktop software wallets are applications that run on internet connected devices like a computer, mobile phone, or tablet. They and the keys that they contain are always available, so they are often referred to as hot wallets. Hot wallets usually generate and store your private keys on an Internet connected device. They can't be considered totally secure from malware such as key loggers, which could capture the key sequences required to open and access a software wallet and the keys that it contains. Software wallets are best thought of like your physical wallet - convenient to carry the amount of currency that you plan to actually use or receive, but not the right place to store your entire life's savings. Sorry to keep beating this horse, but you'll thank me when some fake Jeff Goldblum Independence Days your computer.

Some of the most popular and well-regarded multi-asset desktop software wallets are the following:

  • Atomic Wallet - It's lucky that Atomic Protocol Systems' Atomic Wallet comes first in this list, because it's also first in the hearts and minds of many crypto fans, myself included. The Atomic Wallet is a multi-asset software wallet that provides an easy-to-use interface to over 300 coin and tokens. It features versions for all popular platforms.

    Figure 9.1. Atomic Wallet

    Atomic Wallet

  • Exodus - Exodus is extremely popular, featuring many UI bells and whistles like graphical charts that show the history of your hodlings. It supports over 100 assets and highlights that it keeps you private keys local to your hardware, giving you total, local control over your assets. It can also be integrated with the Trezor T, enabling you to easily move assets between hot and cold storage,moving assets. To further impress, it includes exchange functionality, and makes it trivially easy to trade one currency for another (known as "rebalancing"). Exodus is a great wallet that runs on all popular platforms. If you're just getting started with crypto, give Exodus a try!

    Figure 9.2. Exodus


  • Jaxx Liberty Blockchain Wallet - Jaxx Liberty is a nice wallet that was created by one of the founders of Ethereum and supports over 70 currencies. Jaxx Liberty runs on all popular platforms, and even provides a chrome extension that enables you to access you local storage. Many people are fans of its UI, which I am not. It is nice in that it includes some exchange capabilities courtesy of ShapeShift, which enables you to change your hodlings without explicitly visiting a third party exchange and ts associated costs. (They're built in.)

    Figure 9.3. Jaxx Liberty

    Jaxx Liberty

Web wallets

Web wallets were the original "access from anywhere" wallets because their UI runs in a web browser. They store your keys and hodling information remotely ("in the cloud"), and are therefore relatively easy to attack because crackers can try continuously. (Whether they can be hacked is a different matter, and depends on quality code and security-aware coding.) On the plus side, they are instantly accessible from any web browser).

Web wallets should be used like and other software-based wallet. They are the right place for day-to-day holdings that you need fast access to because you plan to use in the short term. They are NOT the right to store long-term hodlings like your bitcoin life's savings.

Some popular and well-known web wallets are the following:

  • - a great web wallet, with two-phase authentication required for successful login. has been around for a while, as its success, stability, and security show. Coinbase also has a local wallet, but IMHO, their web wallet shines as both a wallet and exchange. supports 23 currencies directly, with varying levels of support (more information available here). They are integrated with the ShapeShift exchange service, which can be replicated by simple selling the currency that you want to exchange, and buying the currency that you want to receive. Coinbase is also easily integrated with a bank account, credit card, and many other easy ways to buy any of the currencies that they support. I've used this for years due to its usability and convenience. Apparently, others agree, as it's the world's largest crypto broker, is a regulated company, and accounts are even FDIC insured up to $250,000. That's good enough for my quick cash. (Long-term hodlings still go into a cold hardware wallet.)

    Figure 9.4. web wallet web wallet

  • GreenAddress - Once popular as both a web and desktop wallet, its web wallet is now deprecated. I'm mentioning it here in case you just thought I'd overlooked it.

Using an exchange

As Ethereum founder Vitalik Buterin once said:

"I definitely hope centralized exchanges go burn in hell."

Cryptocurrency exchanges are like the money lenders in the Christian Bible - they provide a necessary (or at least useful) service, but only because they are making a profit from that service. That profit therefore increases the cost of that service.

All centralized crypto exchanges work on the same principle: they accept a user’s deposits on their wallets and allow the user to exchange assets as part of the deposit. Common exchanges are places like ShapeShift, but I prefer to use a software or web wallet that has a built-in exchange capability, like Atomic's atomic swap.

Chapter 10.  Buying and safely paying for stuff

"The process of buying something from a site is site-dependent...". This tautology from the Department of Redundancy Department is, surprisingly, true - but it only applies to what exactly you click on, and where, when, and in what order you do so. Otherwise, the process is basically the same everywhere, and is roughly the following:

  1. Make sure you have sufficient funds available in a currency that you can use to purchase what you want. Buy, exchange other cryptocurrency for, or mine more until you have a sufficient amount. This is absolutely the wrong time to start mining, since it takes an incredibly long time unless you have amazingly great hardware resources. Mining certain cryptocurrencies, such as Bitcoin, is unprofitable for mere mortals nowadays in most cases.

  2. Agree to purchase the item, the first step of which may be to select the payment/receipt model that you'll be using to pay for the item and, optionally, the cryptocurrency in which you will be paying. Some sites only support one payment model, such as a simple direct, escrowless payment model to a Bitcoin address, in which case selecting one model out of one is a waste of time, and is therefore unnecessary.

  3. Specify the shipping method and time frame in which you want to receive the item. (This may affect the payment amount.)

  4. Provide shipping/delivery instructions, often in an encrypted format using a user key that is porovided. See the section called “ Encrypting a message using a public key ” and the section called “ Encrypting a message using a GUI ” for discussions of common ways of doing so.

  5. Conclude the purchase, which will probably show you a Bitcoin or other cryptocurrency address to which you will transfer the funds necessary to pay for the item.

  6. If not built into the funds transfer, your wallet, or your standalone cryptocurrency account, mix the cryptocurrency that you are using so that there is no relationship between you, your account, and the funds that you will be transferring.

  7. Go to the appropriate wallet or online cryptocurrency account and send the appropriate cryptocurrency to the specified cryptocurrency address.

  8. After you have received the merchandise, complete the payment by any model necessary. Most transactions automatically forward payment after a period of time that is estimated to be longer than the shipping period.

The details of the purchase, payment, and resolution process will differ for most sites, but the process will always be all or a subset of these steps.

Keys to buying (and paying) anonymously

Key to buying and paying anonymously is doing so using identities that can't easily be mapped back to a single, personal identity. Buying anonymously is usually done by using a secure email address that doesn't identify you personally as the initiator of the purchase or payment transaction. Paying anonymously requires that obtaining the cryptocurrency with which you are paying cannot be mapped back to you personally. Chapter 6, Creating secure email and alternatives explained how to obtain a secure email address that you can use to make such purchases, including using that secure address to sign up for additional private accounts such as one at Remember that privacy and anonymity CANNOT be guaranteed for firms that are headquartered in the United States or any other 5EYES signatory country. Subsequent sections explain how to pay for anonymous purchases while keeping them that way.

Secure credit card payments

Given that credit cards typically bill to a surface address monthly, the idea of a secure credit card purchase seems odd. This is even more true of cards issued by companies based in the United States, where the Patriot Act is commonly referred to as the Misnomer Act, and where Joseph Goebbels and Heinrich Himmler are the idea of model citizens. That said, there are some ways to purchase credit cards that you can use for anonymous purchases:

  • OneVanilla prepaid VISA card - a non-reloadable VISA card that is available in denominations from $20.00 (US) through $500.00 (US), and is available at places such as US department stores (CVS, Walgreen's, Rite-Aid, etc.), Dollar General, Sam's Club, and so on - I think you get the idea. Using one of these is pretty easy, but having to give a fake zip code and a real address and phone number for certain types of credit transactions may scare you - though the address is not really tied to the credit card, the Patriot Act says the government can correlate the two and do whatever the hell else they want and claim that it's legal, and OneVanilla is a US based company.


    Receiving initial account information, such as a PIN, is one of those cases where you need to receive the mail but you probably don't need or want it to be permanently ties to a specific email address. This is a good situation under which you may want to use one of the disposable email providers that were discussed in the section called “ Using a disposable account for notification ”.

  • PaySafeCard - a prepaid online wallet and associated PIN to access your account gives you to security of a credit card without all the tracking. As a UK company, they don't have quite the same "bend over and spread them" response to the police that American countries do, though the UK is a 5EYES participant, so YMMV and so may your cell number (jail cell, not your portable phone).

  • BitCoin ATMs - you can search online for BitCoin ATMs, but these are often a bad investment because the price of bitcoin is so volatile, and many businesses do not yet accept bitcoin for payment. The cryptocurrency process is still new to many people, and a bitcoin ATM is hard/impossible to use without a computer. If you have a computer, and are comfortable with bitcoin already, well-mixed bitcoin is often the easier way to go. See the section called “ Mixing payments to aid anonymity ” for more information.

Pre-paid credit cards and similar accounts are often private, but may not be completely confidential. If both privacy and anonymity are your goals, check carefully before buying and using one.


When purchasing things such as VPNs or other security software that sends a password to an email address, ensure that you are using a secure, non-5EYES email service. 5EYES is explained in the the section called “ What is 5 EYES and why do they suck? ” in the section called “ Some popular commercial VPNs ”, and the secure email providers discussed in Chapter 6, Creating secure email and alternatives each identify the extent of their compliance with this satanic and misleading set of regulations.

Choosing dark web payment models

Different dark web markets offer different ways of paying for your purchases, which are paid for using one of the following models:

  • escrow - you make the payment, and funds in your account are locked until both the buyer and the seller agree that the sale has completed successfully, until the default transaction period had completed, or until a complaint has been filed about a problem with the transaction or merchandise received. Complaints about receipt or merchandise are decided upon by a third party, usually representatives of the market where the merchandise was bought and sold.

  • multi-sig - three parties are required: the buyer, the seller, and an impartial third-party. The wallet address becomes a pay­to­scrip­hash (P2SH), where with a “3” instead of a “1”, and where all three parties must agree (using their new keys) in order for the transaction to be completed. These multiple private keys form that basis of the names for this type of transaction: multi­signature, or multi-sig. The buyer initiates the transaction, identifying the seller and the third-party judge. The judge is paid whenever third-party resolution is required, and the arbiter receives that fee from the remaining party when the return the funds to the non-responsible party.

  • smart contracts - work the same as escrow except that they are unbiased and automated.

Mixing payments to aid anonymity

The blockchain in the days of Satoshi first gave us the bitcoin cryptocurrency, which was supposed to guarantee anonymity. Anonymity was supposed to be the case even though the blockchain/transaction relationship has be be explicit and initially permanent so that the rewards for solving the nonce could be paid to the right party. It does guarantee anonymity in the sense that the bitcoins you get aren't stamped outright with your social security number and return address, but it is easy enough to backtrack and calculate those unless that info is somehow obscured or obfuscated.

Mixers are the key to truly anonymizing bitcoin by severing that relationship by repeatedly shuffling bitcoins through one or more laundries, where you purchase someone else's bitcoins, use those to purchase others, sell those to buy others, and rinse lather repeat until the chain of ownership is thoroughly broken -or is at least thoroughly mixed up.

As a requirement to guarantee anonymity, mixing is often done automatically by various markets, but you can also it yourself if you are truly paranoid. This may required (both the mixing and the paranoia) if the market you buying from doesn't offer this service. A general outline of the process is the following:

  1. Create an initial wallet to work with, either on the surface web or the dark web.

  2. Buy some amount of bitcoins, larger than the amount you plan to spend on a market. Keeping these quantities different helps obfuscate the relation between buying and selling. Deposit those bitcoins in the initial wallet.

  3. Create a second wallet, on the dark web if the first wallet was on the surface web, or on the surface web if not. Use an identity that cannot be directly tied to you or the other wallet.

  4. Transfer the bitcoins from the first wallet to the second one, preferably though multiple transactions (though each transfer incurs a small transaction cost).

  5. Create yet another wallet, this time definitely on the dark web.

  6. Using both dark web wallets, multiple transactions that are less than the full amount of bitcoin that you are mixing, and with an irregular amount of time between each transaction, shuffle the bitcoins until you are sure that their trail is cold. The more times you shuffle, the more mixed up your bitcoins are.

If you're lucky, smart, or both, the market you're executing a transaction in will do do this for you as part of the escrow or equivalent payment process. Understanding what's happening behind the scenes, and how this breaks the direct connections between coins, wallets, buyer, and seller is very important if you want your transactions to be secure. Caveat emptor, and everyone else, too.

If you do not want to do your mixing yourself and the market where your purchase is taking place doesn't do it for you automatically, some popular bitcoin mixers are the following:

  • Bitcoin Blender - A Tor hidden service that provides a mode which does not require the creation of an account in order to do simple mixing.

  • Bitcoin Laundry - low fees, a usable user interface (UI), and good security easily explain the popularity of this site. By default, logs are purged weekly, but log purging can be requested at any time.

  • BitMix - Enables you to mix Bitcoin, Ethereum, and/or Litecoin. Low commission, quick mixing, and full anonymity. Minimums are required for different cryptocurrency transfers. No logs are retained.

  • CryptoMixer - Well-suited to large volume mixing, Generated addresses are retained for 24 hours, then discarded.

These are just a few of the better-known and well thought of mixers that are available - the Internet is a big place, and there are certainly others, with new sites and new bells and whistles appearing all the time.

Concluding payments and purchases

Once you've made a purchase, selected a payment model, and received your merchandise, most escrow (and certainly auto-accept) payments are made for you without subsequent work on your part. If you're satisfied the the transaction, it's generally good form for you to leave a positive message about the merchandise and the seller. This helps others feel comfortable in dealing with the market and seller (or, occasionally, warning them away). Either way, this makes life better for everyone.


Make sure that you test/trust every point at which cryptocurrency rests and moves. Always deposit a small amount of cryptocurrency into a wallet first, and then withdraw/deposit/transfer a small amount from there into another wallet/account, preferably one which you have used before. Once a full deposit/withdrawal/transfer cycle has completed, you can feel safer about making actual purchases and payments from there. Also, if you can ever get my funds out of EasyCoin (or can get me five minutes alone in an alley with its operators), I have a small reward waiting for you.

Always assume the other parties involved are dishonest, and you will never be disappointed. If all goes well, you will be pleasantly surprised, but I'm sure you'll be able to deal with that!


Here you go:

browser fingerprinting

A mechanism through which, despire your efforts at assuring privacy and anonymity, malicious scum tries to track you by inspecting browser header and other data, general usage patterns, and similar "soft" data. See the section called “ Avoiding browser fingerprinting ” for some examples.


(A &| B), where:

  • A - a flat, dry baked food typically made with flour, sometimes known as water biscuits or just biscuits

  • B - very smart and technically savvy people who skipped their ethics and morals classes (or simply don't care about them). They have gone over to the dark side, usually in search of money and fun, with money having precedence.

See Also hackers.

cryptocurrency types

The following table provides the full names and abbreviations for many type of cryptocurrency. There are zillions more - it would be impossible to try to catch up.

Table 1. Common cyrptocurrencies and symbols

BitcoinBTCBitcoin CashBCH
EthereumETHEthereum ClassicETC


Usually used in discussions of using I2P, the "Invisible Internet Project", an eepsite is a website that is hosted anonymously, a hidden service which is accessible through your web browser.


Free software of which a more powerful or officially supported (i.e., premium) level that costs money is also available.


From the Latglish: Geo, for earth, and location, for location; literally "Where on earth you are."


Superstars and gunfighters of technology, there are white hats (good guys), grey hats (noncommittal good guys who may occasionally stray to the dark side), and black hats (bad technophiles with souls the color of the La Brea tar pits). These are all truly smart and clever people who understand how the technology and of today (and often tomorrow) works, are curious, and want to know more.

See Also crackers.


The term HODL, originally a typo for HOLD (as in to buy and hold cryptocurrency), originated in a drunken newsgroup post that is available for your reading pleasure here.


In my honest opinion. Ths means that what follows is something that you might not like, but it's still just my opinion. (Even though it's obviously correct.)


Just In Case

non-routable IP addresses

IP addresses that are reserved for internal networking use and are therefore not forwarded/routed to other locations (outside of the current network) for final delivery. For IPv4, these are addresses in the ranges -, -, and - These reserved IP addresses provide an extra layer of security for the “internal” side of a network. Non-routable IP addresses were proposed in RFC 1597. Non-routable IP addresses are why most pieces of cheap network hardware come with a default address of 192.168.1.X - it's safe and sells a lot of crossover network cables.

Open Internet Tools Project

New York-based project working to improve and increase the distribution of open source anti-surveillance and anti-censorship tools. (Current state of this project is unknown.)


On the other hand. Something that is in contrast to what was just said/written.

Persistent Storage

Any data storage device that retains data after power to that device is shut off. Persistent storage is also sometimes referred to as non-volatile storage. (It is amazing how many web sites use that exact definion, so I did too.) When referring to the data itself, that quality is known as persistence. (I added that part).


An application or service that receives data which was intended for another application or service, performs some intermediate processing, and re-forwards the processed data to one or more applications or services (which can include the same or other instances of the original application or service).


The Recording Industry Association of America, which sounds good but which actually is to recording artists as a mercenary version of the Nazi party is to dentists.

security through obscurity

An optimistic security model based on the concept that what you can't see or find can't offend or be exploited by the people who are greedy or don't approve of it. Extremely easily to implement, this model is great until someone is offended or takes advantage of the it. Like many good things, this security model is extremely money-soluble.


The traditional UNIX term for the standard error output of a command, which is where any error message(s) from that command are written. By default, this is the terminal or invoking application (such as a shell) from which you started the command, and is also file descriptor 2.

See Also stdout, stdin.


The traditional UNIX term for the standard input of a command, which is where the input of that command comes from. By default, this is the terminal or invoking application (such as a shell) from which you started the command, and is also file descriptor 0.

See Also stderr, stdout.


The traditional UNIX term for the standard output of a command, which is where the output of that command is written. By default, this is the terminal or invoking application (such as a shell) from which you started the command, and is also file descriptor 1.

See Also stderr, stdin.

three-letter acronym

A Three Letter Acronym, once standing for groups of freedom figghters (for example, the SDS), but nowadays reserved for "intellience" agencies (I'm serious, that's how they think of themselves!) whose goals are to bend your will and behavior to comply with their goals.


TUN/TAP devices are virtual network devices that use a user-space application to communicate between the operating system kernel and a physical network device. TUN devices (that is, network TUNnel) simulate a network layer device and operate with layer 3 packets like IP packets. TAP devices (that is, network TAP) simulate a link layer device and operate with layer 2 packets like Ethernet frames. TUN is used with routing, while TAP is used for creating a network bridge.

This definition was cheerfully lifted/paraphrased from Wikipedia. but don't worry, I gave them both this attribution and donated some money.


Your Mileage May Vary. You may not feel exactly the same way as I do or get exactly the same results as I did, but that's life, and I'm still right in whatever I said/wrote.



end-to-end encryption, Encrypting and decrypting email
enemies of the Internet
fighting, Censorship circumvention tools
exchanging cryptocurrencies, Using an exchange
Exodus, Desktop software wallets
ExpressVPN, Some popular commercial VPNs
Extensions, Opening .onion links in Chrome


Lantern, Censorship circumvention tools
Ledger Nano X, Ledger Nano X
Dat Mofo Linux, Dat Mofo' Linux
getting, How Linux is distributed
parrot distribution, Parrot Linux - Argv, matey!
Qubes OS distribution, Qubes OS
secure system, Putting together a secure system
SoftEther VPN, Some popular commercial VPNs
TAILS distribution, TAILS, I win


Mac OS
SoftEther VPN, Some popular commercial VPNs
mail service
end-to-end encryption, Encrypting and decrypting email
Guerrilla Mail, Using a disposable account for notification, Using a disposable account for notification
Mailfence, Creating a secure email account , Commercial services
Protonmail, Creating a secure email account , Commercial services, Creating a secure email account , Commercial services
Throwaway Mail, Using a disposable account for notification, Creating a secure email account , Commercial services, Using a disposable account for notification
Mailfence, Creating a secure email account , Commercial services
mining, Earning cryptocurrency by adding to its blockchain
mining hardware vendors
Bitmain, DIY Mining: There's crypto coins in them there algorithms
Caanan, DIY Mining: There's crypto coins in them there algorithms
FutureBit, DIY Mining: There's crypto coins in them there algorithms
Gekko Science, DIY Mining: There's crypto coins in them there algorithms
Halong Mining, DIY Mining: There's crypto coins in them there algorithms
Pangolin Miner, DIY Mining: There's crypto coins in them there algorithms
mining pools, Good times at the mining pool
AntPool, Good times at the mining pool
F2Pool, Good times at the mining pool, Good times at the mining pool
Slush Pool, Good times at the mining pool
mixers, Mixing payments to aid anonymity
Bitcoin Blender, Commercial services
Bitcoin Laundry, Commercial services
BitMix, Commercial services
CryptoMixer, Commercial services
list of, Mixing payments to aid anonymity
process of, Mixing payments to aid anonymity
Mofo Linux, Getting network interface addresses
MSLeak test, Using web sites for VPN testing


Qubes OS requirements, Qubes OS


Xubuntu, Kodachi! Gesundheit!
(see also Kodachi)