Snowden Used the Linux Distro Designed For Internet Anonymity

Hugh Pickens DOT Com writes: "When Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. Now Klint Finley reports that Snowden also used The Amnesic Incognito Live System (Tails) to keep his communications out of the NSA's prying eyes. Tails is a kind of computer-in-a-box using a version of the Linux operating system optimized for anonymity that you install on a DVD or USB drive, boot your computer from and you're pretty close to anonymous on the internet. 'Snowden, Greenwald and their collaborator, documentary film maker Laura Poitras, used it because, by design, Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'

The developers of Tails are, appropriately, anonymous. They're protecting their identities, in part, to help protect the code from government interference. 'The NSA has been pressuring free software projects and developers in various ways,' the group says. But since we don't know who wrote Tails, how do we know it isn't some government plot designed to snare activists or criminals? A couple of ways, actually. One of the Snowden leaks show the NSA complaining about Tails in a Power Point Slide; if it's bad for the NSA, it's safe to say it's good for privacy. And all of the Tails code is open source, so it can be inspected by anyone worried about foul play. 'With Tails,' say the distro developers, 'we provide a tongue and a pen protected by state-of-the-art cryptography to guarantee basic human rights and allow journalists worldwide to work and communicate freely and without fear of reprisal.'"

The NSA is becoming a new God for "True Believers"

[mythosaz]

What's that? Have any unknown in your life? Just insert the NSA?

Don't have the source code? The NSA must be behind it.
Don't know who spread a worm? Must be the NSA.
Don't know who authored BitCoin? NSA.
Don't know who packaged up TAILS? NSA.

The NSA sent his heavenly son to die for our sins.

Re:

[Russ1642]

Well for a start we know that the NSA exists. I can go on but what I've just said pretty much destroys the analogy.

Re:

[Lazere]

"We cannot confirm or deny the existence of an organization allegedly named the NSA."

Re:The NSA is becoming a new God for "True Believe

[theskipper]

Well, personally my first thought after reading the summary was "but how do you trust the BIOS?" A few years ago I'd have immediately said that's conspiracy theory and dismissed it (along with the other items you listed). But after a year of exposure to the Snowden and RSA revelations and everything else, it pains me to say these NSA questions aren't so far fetched any more.

Sure they may not be probable but they could be possible. No matter how rational you think you are, it really messes with one's mind. Subtle paranoia, if you will.

Re:

[sneakyimp]

TAILS sounds like a honeypot to me. What's wrong with just booting off a KNOPPIX CD-ROM or an Ubuntu CD-ROM? I expect some stuff might get written to a tmp directory somewhere but you could always shred any files there before rebooting the machine.

Re:

[fractoid]

Just physically unplug the hard drive before booting off a live CD? I have to admit, though, that my first reaction was also "Anonymously produced live CD promises to protect your secrets? Sounds legit."

Harry Tuttle

[ThatsNotPudding]

Well, personally my first thought after reading the summary was "but how do you trust the BIOS?" A few years ago I'd have immediately said that's conspiracy theory and dismissed it (along with the other items you listed). But after a year of exposure to the Snowden and RSA revelations and everything else, it pains me to say these NSA questions aren't so far fetched any more.

We need a Harry Tuttle to show up at night in our apts to offer us an alternative BIOS chip.

Re:The NSA is becoming a new God for "True Believe

[MrNickname]

That sounds like something the NSA would post.

Re:

[Jeremiah Cornelius]

Turn on your Heartbleed,
Let it shine, wherever you go
Let it make a happy glow
For the NSA to see...

Re:

[theshowmecanuck]

Sort of my first thought... he used this secure software to thwart the NSA, while the NSA supposedly 'owned' OpenSSL that the software likely used. Kind of ironic.

Re:

[nobuddy]

How much do they pay you for these NSA flagellation? I'd like a second income, and it appears you don't have to put any effort into it at all.

Re:

[Hognoxious]

Don't know who did 9-11? No carrier

Re:

[Johann Lau]

It was not his choice to get stuck there, the US govt pretty much made sure. You know, even getting the Swiss to force down the plane of a president and search it, because he might be on board... really, your comment is unintentionally ironic: the invasion already happened -- that is, your external enemies ain't shit compared to the internal ones you bred yourself -- and it's YOU who is bending over and cheering.

Well, If the NSA Can't Crack It, Ya Right

[LifesABeach]

Well, at least it will slow down the other Adam Henrey's with their personal, "needs." Where can I download a copy, today's a good day to start again.

Re:Well, If the NSA Can't Crack It, Ya Right

[CanHasDIY]

https://tails.boum.org/downloa... [boum.org]

Re:

[DarwinSurvivor]

I don't know what's funnier. A broken link in a slashdot post, or someone trusting a slashdot post as the correct location to acquire said security software.

Re:

[X0563511]

I've never once seen a browser do that, and if I did I would stop using it immediately. That's a huge security issue.

Re:

[sumdumass]

IE, firefox, opera, chrome, all do it. Unless you have no script or something like it running. I suppose it can be turned off in the browser settings somewhere.

Not sure what the security issue would be. You still have to click the link. It would be no more insecure than having a link present.

Re:Well, If the NSA Can't Crack It, Ya Right

[Nimey]

I've been seeding the 0.23 version since it came out. Here's the magnet link:
magnet:?xt=urn:btih:B7EE06A2568630EED830CFFBF45B6BFD5DE796D4&dn=tails-i386-0.23&tr=http%3a%2f%2ftorrent.gresille.org%2fannounce

Cue NSA infilatration in 3...2....

[NotDrWho]

May want to keep an eye out in the development community of the OS for a sudden influx of programmers "just wanting to help out." Or existing members suddenly driving new sports cars and acting strange.

Re:Cue NSA infilatration in 3...2....

[RGRistroph]

We, the open source and freedom-loving community, may need an organized task force to keep track of these programmers, track their incomes, and store their communications -- just for future reference in case something comes up and a mole is suspected, not an actual search as the Constitution defines it, of course. Similar to the Apache Foundation and other Foundations for Open Source causes, but tasked with keeping our communications secure, and breaking the other side's communications where feasiable. We'll have to keep the existence of the Association secret as much as possible of course, and thus also hide it's budget in small items spread accross the other Foundations. They'll archive all the repos and mailing lists and IRC channels and any other communication medium, but advances in technology make the storage on that scale cheaper. We might have to rent a large building out somewhere that has cheap land and few pesky curious tresspassers, Utah or something. We'll just refer to it as No Such Association for now. A small and expedient measure given the threats of our times.

Re:

[rcamans]

Isn't the phrase "programmers acting strange" redundant?

NSA boogeyman

[Blakey Rat]

'The NSA has been pressuring free software projects and developers in various ways,' the group says.

Did they provide evidence for this claim?

Re:NSA boogeyman

[Midnight_Falcon]

Go on YouTube and listen Jacob Appelbaum's (a Tor developer) videos. Something about NSA agents peering into his girlfriend's window at night and various other intimidation tactics..and that's just him..

Re:

[Blakey Rat]

A Tor developer? Being paranoid? Shocking!

No, I'm sorry, when I say "evidence" what I mean is, and try to follow along here, "evidence". Not anecdotes. Not scary bumping noises in the night. Evidence.

Re:NSA boogeyman

[Midnight_Falcon]

Considering the fact that the NSA is super-secretive and the ongoing joke is it's an acronym for "No Such Organization," short of another Edward Snowden I don't think you can be given the kind of evidence you want. Remember, before Snowden those "paranoid" people like Tor Developers were relegated by folks like you into the land of nutjobs, conspiracy theorists and tinfoil-hat haberdashers. Now look..

Re:NSA boogeyman

[lonOtter]

No, he doesn't. He's referring to the real puppeteers: NSO.

Re:

[R3d M3rcury]

The Netherlands Space Office [wikipedia.org]?

Re:

[fractoid]

Who are controlled in turn by an even more mysterious organisation: ROUS.

But I doubt they exist.

Re:

[Anonymous Coward]

Really? There haven't been enough scandals yet?

- pressure to backdoor linux - http://www.itworld.com/open-source/383628/linus-father-confirms-nsa-attempt-backdoor-linux
- NSA/GCHQ have power points about trying to attack TOR exit nodes including with DOS attacks
- they hack sys admins
- they are suspected of introducing bugs into code bases (anonymous commit to the linux kernel which had a = instead of == allowing remote code exploit)
- they are known to have inserted hardware backdoors into US chips - most pr

Re:

[fsterman]

A Tor developer? Being paranoid? Shocking!

No, I'm sorry, when I say "evidence" what I mean is, and try to follow along here, "evidence". Not anecdotes. Not scary bumping noises in the night. Evidence.

Okay [www.dw.de], "When I flew away for an appointment, I installed four alarm systems in my apartment," Appelbaum told the paper after discussing other situations which he said made him feel uneasy. "When I returned, three of them had been turned off. The fourth, however, had registered that somebody was in my flat - although I'm the only one with a key. And some of my effects, whose positions I carefully note, were indeed askew. My computers had been turned on and off."

Who breaks into an apartment, turns off alarms,

Re:

[minus9]

Just because your paranoid it doesn't mean they're not out to get you.

Re:

[K. S. Kyosuke]

Also known as Nasty Sexual Assailants.

Re:

[Midnight_Falcon]

NSA Agents

NSA agent is the name given to most employees of the NSA, same as other federal bodies like FBI, CIA, DEA, etc. You start as a "Special Agent" typically and then move up to Assistant-Special-Agent-in-Charge...Special-Agent-in-Charge etc..it's the default term. No one said anything about night vision and silenced weapons etc, AFAIK it was a plain ol stakeout. Sounds like you're the one playing too many video games.

some dolt

A rather accomplished and well-known individual who's been at the core of many privacy-re

Re:

[deadweight]

Ah.........NO. Let us just say I live in an area where you can meet these people and they are NOT agents. ROFLMAO

Re:

[Midnight_Falcon]

Regardless of this (and please enlighten us to what they are called rather than just dismiss), common parlance is to refer to NSA employees as Agents. Just google "NSA Agent" to see countless journalistic reports about NSA Employees referred to as "Agents" (outside of the context of covert operations video game nonsense)....same is true with other agencies. And yes, they do have "Special Agent" etc ranks. However, they will not permit ex-employees to use such designations on their resumes and force them

Re:

[deadweight]

WTF??? I can only say so much on here, but NO WAY are NSA employees running around being "agents". If some guy knocked on my door and said he was an NSA agent I would be falling over laughing.

Re:

[Midnight_Falcon]

That's not what I said at all. What I said is that, in common parlance (as in newspaper articles, discussions, etc) NSA employees are referred to as "Agents" in Standard Written English.

Tails is awesome

[Midnight_Falcon]

And the anonymous authors of the package deserve a medal.

The CIA etc notes that its employees 'serve in silence,' surely this team has advanced the cause of freedom and liberty more than them, in silence.

Re:

[cold fjord]

... surely this team has advanced the cause of freedom and liberty more than them, in silence.

I'm pretty sure that the answer to that is no. "Tails" isn't more than a few years old. The CIA was fighting communist dictatorships for decades, and before that its predecessor the OSS fought the Nazis.

Re:

[Midnight_Falcon]

Do you really believe that load? The CIA was formed to be an instrument of executive power with minimal accountability, and is one of many intelligence organizations in the United States. While it was fighting communist dictatorships it was also trying to steal the presidential election on behald of Nixon (Watergate), and potentially facilitating the sales of drugs in the USA to finance Iran-Contra. Their SAD divison helped illegally expand the Vietnam War into Cambodia, and use chemical weapons whose

Re:

[cold fjord]

How many of the present CIA had anything to do with Vietnam? Iran Contra? See, I can play that game too.

Watergate was Nixon's own men, not the CIA.

Were the North Vietnamese in Cambodia and using it to attack South Vietnam? Yes. Are you claiming that Cambodia was outside its rights to ask for assistance against the North Vietnamese occupation of its territory?

Now maybe you can tell me, how much did the Tails project help dissidents against the Communist governments of Poland, USSR, Hungary, Czechoslovaki

Re:

[Midnight_Falcon]

Actually, many present CIA employees were around for Vietnam and Iran-Contra..notably, a recent director, Porter Goss -- who was a career CIA employee. Those who were low-level agents at the agency are now in higher positions, and they were around for that time -- albeit it is unkown whether they were involved with those operations. You didn't fact check your statement at all before making it. The reason my statement is true is because of time disparity -- 70 years since the Nazis fell means that any C

Re:

[cold fjord]

Former CIA agents are not current CIA agents.

As the Cambodian situation became worse, the Cambodian government sought military assistance from the United States and South Vietnam.

-- Across the Border: Sanctuaries in Cambodia and Laos [army.mil]

The US was out of South Vietnam in 1975. That is nearly 40 years ago. I doubt there are many CIA agents that were working in Vietnam still working at the CIA. Iran Contra is also well into the past. And once again, a former Director of CIA is not a current Director or employee.

The internet certainly did exist in the 1980s. But you basically concede my point then. Tails had nothing to do with the actual

Re:

[Midnight_Falcon]

Former CIA agents are not current CIA agents.

As the Cambodian situation became worse, the Cambodian government sought military assistance from the United States and South Vietnam.

-- Across the Border: Sanctuaries in Cambodia and Laos [army.mil]

This is an official military source that misses the point that the "government" of Cambodia was not de facto sovereign at the time, nor legal..the request came from Lon Nol, a pro-US general who was just installed in a coup d'etat.

The US was out of South Vietnam in 1975. That is nearly 40 years ago. I doubt there are many CIA agents that were working in Vietnam still working at the CIA.

They'd be 60-70 years old but it's still quite possible. The CIA doesn't really publish lists of employees so this can be checked.

Iran Contra is also well into the past. And once again, a former Director of CIA is not a current Director or employee.

The internet certainly did exist in the 1980s.

Yes, but mostly as U.S-only network, it would be more accurate to say the "Internet did not exist in the way we know it today". CERN and Europe didn't largely uplink into the TCP/IP-based internet until 1989..post-Berlin Wall.

The real contributor to freedom was the CIA, not the small Tails project only a few years old.

If you think that the CIA contributed to "freedom" then you speak propaganda only. The CIA contributed to realpolitik, and only came to create "freedom" in places that mattered to the U.S.'s strategic interests. In the same way the KGB helped enforce a "prison of states" around Eastern Europe, the CIA helped foster a similar situation in South America. See Guatemalan Coup [wikipedia.org]. Let's not forget also about Chile and Grenada. Also, the CIA helped stifle dissent in America and reduce American political freedoms during thist ime. Reference: Operation CHAOS [wikipedia.org]

Re:

[Midnight_Falcon]

Let's also not forget one of the first things the CIA did in Post-WWI America.. Project MKULTRA [wikipedia.org] How does giving people LSD in mind-control experiments help anyone's freedom? Seems like something that would be described in Arendt's Origins of Totalitarianism

Re:

[Midnight_Falcon]

s/WWI/WWII/g

Re:

[anagama]

Today, Cold Fjord and the NSA _are_ the Nazis.

Re:

[anagama]

not believing in the god of state

You have to be joking. There is no bigger defender of the state, the status quo, and the Anit-American activities of the NSA than you. I don't think there is a more statist asshole on all of Slashdot than you are, so I suppose we should add "deluded" to your list of faults now too.

Re:Tails is awesome

[anagama]

Jesus -- I haven't done acid since my college days a quarter century ago. You should lay off it.

Big Lie -- you're whole post is this. You try to take on the mantle of a freedom loving defender of American virtue, when the fucking straight fact is, you are the biggest NSA shill there is, and the NSA is one of the biggest threats to the US Constitution in the entire world. We also have other Executive branch things that are pretty fucking bad, but the NSA is anti-constitution, thus anti-American, and your support for the NSA makes YOU anti-American.

Re:

[cffrost]

I will grant you I am often the one-eyed milkman [...]

Fixed that for ya.

Almost

[s.petry]

Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'

Traffic sniffing does not require files on the target and this is the biggest source of data for agencies like the NSA. It may protect you from key loggers being installed (unless they were inserted ahead of time).

I'm pretty sure that part of Snowden's leaked information showed that exploits are occurring at the hardware level as well as software. Entry points like LOM modules were explicitly called out in the leaked presentations.

I'd agree that forensics becomes extremely difficult, if not impossible (memory analysis can still occur). I don't agree that the systems are immune to malicious software at least in a general sense. Immunity would require a lot of control for the hardware running the OS, and monitoring to make sure things have not been tampered with. Relying on a repository build of an OS imaged is still a target for potential a MITM attack feeding a user a kitted image.

It's all good in my opinion, I'm just being picky about the terminology chosen. Immunity implies absolute safety, and very little in the world is absolute.

Re:Almost

[lister king of smeg]

Tails doesn't store any data locally,' writes Finley. 'This makes it virtually immune to malicious software, and prevents someone from performing effective forensics on the computer after the fact. That protects both the journalists, and often more importantly, their sources.'

Traffic sniffing does not require files on the target and this is the biggest source of data for agencies like the NSA. It may protect you from key loggers being installed (unless they were inserted ahead of time).

All traffic sniffing will do is show they are talking to a TOR entree node. Everything is wrapped in multiple layeres of encryption between you and each of the nodes in between. Maybe they could tell from traffic analysis what type of traffic it is based on traffic profiling, streaming your pr0n over to will have a different profile than browseing a webpage wich will in tun be different than ssh, but they still won't know the end point and what the content is.

I'm pretty sure that part of Snowden's leaked information showed that exploits are occurring at the hardware level as well as software. Entry points like LOM modules were explicitly called out in the leaked presentations.

Yes but they would have to have had access to your computer to insert the hardware bugs. If you say pick up a cheap laptop at walmart paid for with cash they won't know who has it, and would not have inserted the bugs as they could not have known who would end up wih the computer.

I'd agree that forensics becomes extremely difficult, if not impossible (memory analysis can still occur).

if they are doing memory analysis thy have the computer in their posesion already and you probably have a much larger issues to worry over.

I don't agree that the systems are immune to malicious software at least in a general sense. Immunity would require a lot of control for the hardware running the OS, and monitoring to make sure things have not been tampered with.

Technically true. However you have to trust something, and as long as there has been know oppertunity to tamper with the computer you can assume your safe for most things.

Relying on a repository build of an OS imaged is still a target for potential a MITM attack feeding a user a kitted image.

That is why we have cryptographic signatures on repositories and iso images. If they can break a 4092 bit key in polynomial time we are f***ed anyway

Re:

[s.petry]

All traffic sniffing will do is show they are talking to a TOR entree node. Everything is wrapped in multiple layeres of encryption between you and each of the nodes in between. Maybe they could tell from traffic analysis what type of traffic it is based on traffic profiling, streaming your pr0n over to will have a different profile than browseing a webpage wich will in tun be different than ssh, but they still won't know the end point and what the content is.

Um, no! I am not sure how much you know about network security, but I sniff packets all the time and decrypt traffic. If you have a private key this is simple to do. With a massive computer, I can store conversations and brute force a key lateer. This was made easier by the NSA introducing some weak algorithms into encryption protocols. Even without those weaknesses, it is possible to brute force. We are better today after knowing about introduced weaknesses, but still not immune.

Yes but they would have to have had access to your computer to insert the hardware bugs. If you say pick up a cheap laptop at walmart paid for with cash they won't know who has it, and would not have inserted the bugs as they could not have known who would end up wih the computer.

Unfortunately the exp

Re:

[AmiMoJo]

Tor mitigates traffic analysis attacks by padding data, generating extra random packets, combining packets it is forwarding or splitting them up again etc.

Re:

[fafalone]

All traffic sniffing will do is show they are talking to a TOR entree node. Everything is wrapped in multiple layeres of encryption between you and each of the nodes in between. Maybe they could tell from traffic analysis what type of traffic it is based on traffic profiling, streaming your pr0n over to will have a different profile than browseing a webpage wich will in tun be different than ssh, but they still won't know the end point and what the content is.

Assuming you can view every page and do what you need to do without ever turning on Javascript. Which is quite the tall order. For example, there is no e-mail service on this planet that allows signup and use without JS turned on for at least one step or payment (this sounds ridiculous, but go and try it. There used to be. They've all been changed or shut down.). And it's been clearly established all it takes is one malicious script to unmask your IP while on tor.

Yes but they would have to have had access to your computer to insert the hardware bugs. If you say pick up a cheap laptop at walmart paid for with cash they won't know who has it, and would not have inserted the bugs as they could not have known who would end up wih the computer.

Actually they would have a picture of your f

The Distant Future, Considered

[SuperKendall]

how do we know it isn't some government plot designed to snare activists or criminals? A couple of ways, actually. One of the Snowden leaks show the NSA complaining about Tails in a Power Point Slide

And that, ladies and gentleman, is how you play the Really Long Game.

Comment subjects suck

[caluml]

And it's Slashdotted.

NSA 'compaining' about tails

[spasm]

NSA 'compaining' about tails? Oh, no, please don't throw me in that briar patch!

http://americanfolklore.net/fo... [americanfolklore.net]

Re:

[bluefoxlucid]

Well it's too slow. Sonic is faster.

Amnesic?

[caluml]

The Amnesic Operating System. Shouldn't it be amnesiac? Or is this another English/American English difference like aluminium?

Re:

[CanHasDIY]

The Amnesic Operating System.

Shouldn't it be amnesiac?

Nope - an amnesiac is a noun that refers to a person suffering from amnesia; "amnesic" is an adjective that means "exhibits properties of amnesia," which can apply to more than just the human psyche.

Re:

[caluml]

Interesting - so an amnesiac would also be amnesic? Are there any other words that have similar examples like this?

Re:

[un1nsp1red]

A manic maniac?

The government should pass a law!

[Vinegar Joe]

Snowden would have had a much harder time had he been using legal Microsoft products.

What a shame

[cold fjord]

What do you bet that "Tails" used OpenSSL as part of its security?

Re:

[Midnight_Falcon]

It did, but a version that was NOT vulnerable to heartbleed since tails tracks debian-oldstable. Also, there is no use case for running a web server that people can exploit heartbleed on via tails.

Re:

[cffrost]

https://www.schneier.com/blog/archives/2014/04/reverse_heartbl.html [schneier.com]

Re:

[Midnight_Falcon]

Can you explain how heartbleed would be exploited in such a circumstance?

Re:

[Qzukk]

Just like a malicious client can suck data out of a vulnerable server, the same can work in reverse, though clients tend not to keep an SSL connection open any longer than they need to (unless, it's IMAPS or FTPS or chat or some other application with persistent connections).

If you suck the private key out of a bank webserver's RAM, then perform a MITM attack on the bank users using the bank's own certificate, not only can you get their bank credentials (by them filling in the form and sending it to you), d

Re:

[Midnight_Falcon]

Someone give this man a dollar (or an mBTC) for correctly describing Reverse Heartbleed. [reverseheartbleed.com] Luckily, Tails isn't affected by this.

Re:

[F.Ultra]

Heartbleed is a server exploit

Re:

[cold fjord]

True but I doubt that it matters that much since another client talking to the same vulnerable server could compromise the server keys and potentially allow intercepts of other client communications.

Re:

[Midnight_Falcon]

Yes, it matters a lot and renders the use of OpenSSL in Tails being a security issue moot -- any client would have this issue. Additionally, Tails' security practices also enforce use of things like Perfect Forward Secrecy when available. Also, most Tor nodes utilize PFS between nodes. Again, Tails' security architecture helps defend users against zero-day exploits.

Re:

[Fnord666]

Heartbleed is a server exploit

Actually it can cut both ways [reverseheartbleed.com].

Having the souce Code does not make it safe

[hduff]

Unless you compile from vetted source code on an un-compromised system using an un-compromised compiler, etc., you can't be certain the binary they provide is the same as what compiling the source code would provide.

Re:Having the souce Code does not make it safe

[istartedi]

I would assemble the system myself from discrete transistors, except that I can't be sure the NSA didn't drug me, drag me off and hypnotize me.

Re:

[AmiMoJo]

Most of us are gonna have to trust someone at some point. We can't build our own CPUs out of sand, we have to hope that Intel didn't install an NSA sponsored backdoor. Fortunately all the evidence so far suggests that the NSA avoids creating pre-exploited hardware and firmware, instead relying on more subtle techniques like weakening encryption or making use of genuine bugs. Maybe they insert a few bugs too, but again the evidence suggests that using systems like Tails is pretty effective.

At any rate, it se

Trust No One

[Lawrence_Bird]

Are you able to verify all of the distribution yourself? Are you able to vet the contributors? Are they able to vet each other? Is Tor really safe?

It all comes down to a matter of degree but in the end... Trust No One

Re:

[Nimey]

In other words, don't use any technology unless you developed it yourself, smelted the raw materials yourself, &c.

How much do you trust the evidence of your senses?

Re:

[Lawrence_Bird]

You'll notice that al Qaeda has gone back to using couriers.

I would say if you use technology which can compromise your location, communications or other private info and you do not want to share that then yes, you are making a mistake to assume safety unless you have personally vetted it. As noted earlier, it comes down to a matter of degree/risk assessment (ignoring that you may be terrible or unqualifed at assessing that) but that there is a non zero probability you have been compromised. And Trust No

Whonix is another alternative

[Nimey]

https://www.whonix.org/ [whonix.org]

Magnet links:
magnet:?xt=urn:btih:A031805E690BB0E03114A8FEB52485517218D3CE&dn=Whonix-Gateway-8.1.ova&tr=http%3a%2f%2fannounce.torrentsmd.com%3a6969%2fannounce&ws=http%3a%2f%2fwebseed.whonix.org%3a8008%2f8.1%2fWhonix-Gateway-8.1.ova

magnet:?xt=urn:btih:AB89247534553946C500EDF3A78E9C30F9C956ED&dn=Whonix-Workstation-8.1.ova&tr=http%3a%2f%2fannounce.torrentsmd.com%3a6969%2fannounce&ws=http%3a%2f%2fwebseed.whonix.org%3a8008%2f8.1%2fWhonix-Workstation-8.1.ova

And here's

Re:

[Nimey]

Note that the above Whonices are vulnerable to Heartbleed, so you'll need to do an apt-get update/apt-get dist-upgrade once you've imported the VMs into VirtualBox.

News: NSA hired person good at security

[ignavus]

"Fire him! He's too clever for us!"

Old fashion...

[geogob]

How about just sending the stuff by snail mail? I'd bet my cup of coffee that they completely lost the expertise and interest on this form of communication.

If the NSA doesn't like Tails they will target it.

[mark_reh]

They will put developers to work on the open source code who will "accidentally" insert bugs that open holes in the security -like the hole that was recently discovered in https. Tails may have been a problem for them in the past, but with the NSA's nearly infinite budget it seems unlikely that Tails would remain a problem for long.

Re:Anonymous on the internet?

[Midnight_Falcon]

Tails bakes in a routing table that makes all traffic go over Tor. It also has built-in I2P support. So, while ISPs can look at your traffic, it becomes quite a tough nut to crack to figure out what you're actually doing. Attacks are possible, but require exponentially more sophistication and resources than just tracking an IP.

Re:

[Wycliffe]

makes all traffic go over Tor.

Doesn't this slow things down considerably? Can you do normal activities like ssh or youtube in this type of setup?

Re:

[K. S. Kyosuke]

Dear Wycliffe, in your time people were happy with letters and manuscripts. Why, you didn't even have the humble printing press at your disposal! Even if privacy-conscious citizens won't be able to share their shower selfies on YouTube, or whatever is popular this week, I'm sure that their actual communication needs will be amply provided for by a system like this.

Re:

[fulldecent]

Tor is ineffective when you can tap the whole internet and do statistical analysis.

Next.

Re:

[Midnight_Falcon]

No, actually, and the hubris of your "Next" comment is telling about how you summarily dismissed this without doing any actual research. Have you ever actually tried to do a traffic correlation attack? Do you even know how Tor works?

Tor, in order to defeat traffic correlation attacks (or at least make them much more difficult), re-negotiates its connection to use a different circuit every ten minutes. The NSA themselves in the leaked "Tor Stinks" document even pointed to this as being extremely diffi

Re:

[fulldecent]

Heres the slides (warning TS//) http://apps.washingtonpost.com... [washingtonpost.com] They are from 2007, before iPhone came out. Much has changed since then.

NSA capabilities now include tapping phones of an entire country this is even U// by now https://firstlook.org/theinter... [firstlook.org]

Since Tor was identified as interesting in 2007 and since it hasn't died, it is safe to assume efforts are continuing to be applied against it.

And no, I don't have access to Internet scale data streams here, just using the standard Tor disclaimer at ht [torproject.org]

Re:

[Midnight_Falcon]

No, no, and no. If you were using tails, you wouldn't have been vulnerable to this attack because it enables NoScript by default. Tails' use of security best practices helps protect against zero-day exploits like the FBI's javascript malicious payload.

Re:Anonymous

[lister king of smeg]

Incognito Linux did not impress me. You can be more anonymous using Backtrack.

ah no.

Backtrack is for cracking not staying anonamous.
Tails routes all of your traffic through TOR and keeps you anonymous as long as you don't share anything reveling.

Re:

[BitZtream]

as long as you don't share anything reveling.

So its pretty much useless then? I realize the point of what its doing, but its fairly trivial with software running at or near exit nodes to figure out who's doing what and who they are. I have no doubt the NSA is capable of doing it. Put me in an IRC channel with 20 people I know and have chatted with for some time, randomize their nicks, give me an hour and I can tell you who most of them are based on their conversation patterns alone, and I'm just observant, not software combing EVERYTHING you do.

Doe

Re:Anonymous

[Midnight_Falcon]

There's plenty of ways to defeat stylometric analysis, notably, running things through a translation engine several times through a few languages.

Re:

[fractoid]

Sir! I think we've just identified the Babelfish Bandit!

Re:

[inasity_rules]

But I revel in sharing! :P

Re:

[K. S. Kyosuke]

Well, OpenSSL is sort of complex. When it comes to actual security, simplicity is your friend. So I wonder whether - for mutual communication of two people (both equipped with this software) - you actually *need* OpenSSL or any crypto implementation of similar complexity. Just cut off everything unnecessary - especially given how X.509 should be suspicious to most paranoid people in the first place! What if the CAs get compromised by government agents? Just exchange your public keys in person to be sure. Yo

Re:

[TeknoHog]

Maybe Trucrypt isn't available for linux distros but i am sure there are plenty of alternatives that do a similar full system os encryption.

I can think of one alternative on Linux, it's called Truecrypt with an "e".