First of all, allow me to introduce myself: I'm a paranoid person regarding privacy and security, to the point that I mostly use FOSS, do my research about possible vulnerabilities and backdoors, and take a look at the code of what I'm using. That said, I'm the type of guy who prefers Debian over Ubuntu. I have read on many websites whether it is a good idea to use a VPN when you are using Tor or not: the Tails website, the Tor Project website, the Whonix website (let me send a shout out to those guys, since all they did was copy and paste the information from the Tails website), that one privacy site, and comments from people here expressing their ideas.
Now let's break this down. You might say: "I will stick to the Tor and Tails developers' advice; they know what they do, and if they do not recommend the use of a VPN with Tor then that's what I'll do." Very wise. However, what I have read in their opinions is that they mainly worry about Tor users being deanonymized by having the same exit IP address from your VPN all the time, or having the same entry IP address from your VPN. Tor nodes change to random nodes around every 10 minutes, which is clearly an advantage that VPNs by themselves can't beat, even less so if you increase anonymity using Tor bridges. I agree with this point, partly. It depends on how you set up your VPN, how anonymously you pay for it, and how legit your VPN provider is regarding no logs. Moreover, keep in mind that Tor and Tails developers work for nonprofit organizations; logically, who would recommend a paid service when you are working on something free and open? If they did, I can't even imagine the number of people asking them what VPN they recommend and why, and if they answered, it would look as if they were endorsing company X for profit.
Now I would like to show you with examples how the use of a VPN could have helped Tor users not get caught. My main goal here is not to express my thoughts and opinions, but to prove with facts and evidence the importance of a VPN in your OpSec.
2007 - Today? CIPAV. The FBI has been using malware techniques to unmask users using proxies, back in the 2000s with a malware tool called CIPAV. CIPAV, which stands for "Computer and Internet Protocol Address Verifier", collects the following from the infected computer:
• IP address.
• MAC address.
• List of open ports, TCP and UDP.
• Operating system's type.
• Default browser and its version.
• Default language of the OS.
• Currently logged in user.
The affidavit from Special Agent Norm Sanders and the information that I found on WikiLeaks do not specify whether this affects GNU/Linux operating systems. Personally I don't think so, because one time the FBI was trying to use this malware against a target machine and they got a message saying "System incompatible, cannot connect", and they had to ask the engineers for help. Clearly this attack requires action from the target in order to work, which means if you are careful enough in what you do, you might not get owned. Chances are that if the users had been using Tor or a VPN at router level instead of a regular proxy, they might have gotten away with it.
2012 Operation Torpedo. Sting operation by the FBI targeting 3 different child pornography sites, using a Flash application attack on the Tor network to unmask users visiting the sites. The feds took advantage of a technique called the Metasploit Decloaking Engine, developed by Metasploit's creator HD Moore. This vulnerability was only exploitable if you had Flash installed on your Tor Browser or an old Tor version. It worked because Adobe's Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user's true IP address. Only users with really old Tor versions and users who took the time to install Flash on Tor were affected. In 2 weeks the FBI collected the IP addresses of at least 25 visitors of the sites, sent subpoenas to the ISPs, and they handed over the information to bust the targets.
2013 Freedom Hosting. Operation launched by the FBI to take over the servers of the largest child pornography hosting facilitator, using a vulnerability in Firefox 17, on which the Tor Browser was based at that time. They built an exploit capable of gathering the IP address and MAC address, and generating an ID number to tie the victim's information to the country of its real IP address. When LE took over the servers in France, some extra JavaScript code was injected into the sites, to be automatically run by the browsers of users accessing the sites as part of loading the page. The websites hosted by Freedom Hosting (the feds at that time) had an iframe, like a website within a website. This iframe contained JavaScript code with a payload concealed in a variable called "magneto" that would send an HTTP request to the FBI servers, bypassing Tor and nullifying its anonymity system. JavaScript had to be enabled in your Tor Browser and you had to visit the infected site for this exploit to take effect.
2015 Operation Pacifier. PlayPen. This is by far the scariest case for many reasons: it lets us know there are a lot of sick people out there (215,000+ users on this CP site), LE distributing CP (the FBI ran the site for almost 2 weeks), and the fact that there are almost 0 technical details about what technique was used by the feds to seize PlayPen's servers. It is unclear what flaw the feds took advantage of in order to unmask Tor users visiting the site. What we know is that the site was accessible with any browser, not just Tor, and its actual IP address was publicly visible and appeared to resolve to a location in the United States, which means the site itself had poor security and not the best OpSec. In the time the feds ran the site, the FBI delivered its malware by exploiting a vulnerability in Mozilla's Firefox browser, gathering around 1,300 real IP addresses from visitors.
Note: Most of these vulnerabilities were fixed, their exploits being mitigated in a timely manner by the Tor Project, Tails and the Mozilla team. Nonetheless, I believe back then, if I remember well, there was no start splash when you launched Tor Browser indicating that your browser was outdated. The onion icon at the top left of the browser did not blink to indicate a new update; you had to manually check for updates in order to see if your browser was up to date. Please correct me if I'm wrong about this, I don't remember very well.
Don't put all your eggs in one basket; don't put all your confidence in one piece of software. Tor is nowadays the heart of the darknet and anonymity, we all agree with that. Nevertheless, in the cases presented above it could have been possible for those darknet users not to reveal their real IP addresses by using a VPN on their routers. You may say: "The FBI would have sent a subpoena to the VPN company and it would have been the same story". Not really. If you use a good VPN that does not keep logs long term and is located outside of the 5, 9 or 14 Eyes countries, chances are they wouldn't have gotten caught. It takes time for LE to get all those subpoenas signed by a judge and sent to the companies: enough time for your logs to disappear from the data center and the VPN provider that you were using at that time, this of course assuming the VPN would care about a subpoena from the USA. Now, if you were just using Tor and your IP got leaked, it's over: your ISP keeps records for months of what IP was assigned to you, what devices were connected and much more information.
A good, well-implemented VPN works. I recommend using the VPN on your router; this avoids any type of leak coming from your operating system and browser. OpenWRT is the most complete router OS that I have seen: well-documented support on its website, a lot of users and developers, and it is supported by many VPN providers. Benefits of using a VPN on your router:
• You can increase your security by using iptables on OpenWRT, allowing only certain traffic.
• You can set up a kill switch to revoke all outgoing traffic if the VPN drops.
• Bitcoin transactions go through the VPN, which adds more privacy.
• It prevents WebRTC leaks.
Not all VPN providers support OpenWRT: some of them have a mess in their files, some have outdated and broken guides that you will only make work if you know what to do, and others have their guides but you will never make them work. I received this error from 3 different VPN providers: "daemon.err openvpn(VPN)[27151]: Options error: unknown --redirect-gateway flag: ipv6". I tried to explain to support that there was a bad configuration on the server side, but of course they dodged my comments, telling me to keep trying on my end. The thing about this is that it requires time to learn why your connection is not working and find the problem to get it fixed. Most people are not willing to invest the time to take all these steps to have the best OpSec.
I encourage you to learn how to install OpenWRT on your router, choose your VPN carefully, and set it up on your router. I encourage you to start using Debian as your main OS; nowadays it is easy to install and use. I would love to read your comments, opinions and questions about this topic. Be safe, stay anonymous.
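A concrete version of the router kill switch the post describes, added here as an example; it is not part of the original post and not any VPN provider's guide. It assumes an OpenWrt router where OpenVPN brings up tun0, the upstream interface is eth0.2, the LAN bridge is br-lan, and the VPN endpoint is the documentation address 203.0.113.10 on UDP 1194 (all constructed names, overridable through environment variables). It also assumes the iptables-based fw3 firewall of older OpenWrt releases, where custom rules belong in /etc/firewall.user; newer fw4 releases use nftables and would need the same rules rewritten in nft syntax. The second function is the check a practitioner wants after the tunnel comes up: given the output of `ip route get <public address>`, it confirms the chosen route really goes through the tunnel, which catches exactly the failure mode of the post's --redirect-gateway error, where OpenVPN is up but the default route never moved.

```shell
#!/bin/sh
# Added example: fail-closed VPN kill switch for an OpenWrt router (iptables/fw3).
# All interface names and addresses below are assumptions for illustration;
# override them with environment variables to match your router.
WAN_IF="${WAN_IF:-eth0.2}"           # upstream (ISP-facing) interface
VPN_IF="${VPN_IF:-tun0}"             # tunnel interface created by OpenVPN
LAN_IF="${LAN_IF:-br-lan}"           # LAN bridge whose clients may only exit via the VPN
VPN_HOST="${VPN_HOST:-203.0.113.10}" # VPN endpoint IP (documentation address, constructed)
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Print the iptables commands without running them. Each rule is inserted at
# the top of its chain (-I), so they are listed from lowest to highest
# priority: the catch-all REJECT goes in first and ends up below the ACCEPTs,
# and all of them land ahead of the distribution's own permissive zone rules.
# OUTPUT (router's own traffic) on the WAN side is limited to the VPN endpoint,
# DHCP lease renewals and replies to existing connections; everything else
# from the router and from the LAN must leave through the tunnel or not at all.
killswitch_rules() {
    cat <<EOF
iptables -t nat -I POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -j REJECT
iptables -I FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -I FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o $WAN_IF -j REJECT
iptables -I OUTPUT -o $WAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -o $WAN_IF -p udp --dport 67 -j ACCEPT
iptables -I OUTPUT -o $WAN_IF -p $VPN_PROTO -d $VPN_HOST --dport $VPN_PORT -j ACCEPT
EOF
}

# Post-connect check: given the output of \`ip route get <public address>\`,
# confirm that traffic is actually routed through the tunnel interface.
# A tunnel that is up but has no default route installed (for example after
# a rejected --redirect-gateway push) would otherwise leak via the WAN.
default_goes_via_vpn() {
    printf '%s\n' "$1" | grep -qE " dev $VPN_IF( |$)"
}

# Constructed sample outputs of \`ip route get 203.0.113.99\` for the check above:
# one where the route goes through tun0, one where it leaks via the WAN.
SAMPLE_ROUTE_OK="203.0.113.99 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0"
SAMPLE_ROUTE_LEAK="203.0.113.99 via 198.51.100.1 dev eth0.2 src 198.51.100.23 uid 0"

# With APPLY=1 the rules are executed (put the script in /etc/firewall.user so
# they are re-applied on firewall reload); otherwise they are only printed.
if [ "${APPLY:-0}" = "1" ]; then
    killswitch_rules | sh
else
    killswitch_rules
fi
```

Two consequences of the fail-closed OUTPUT rules are worth knowing before applying them: the router can no longer resolve a VPN hostname over the WAN, so the OpenVPN config should name the endpoint by IP (or DNS to the provider's resolver must be allowed explicitly), and if the tunnel drops, LAN clients lose connectivity entirely rather than silently falling back to the ISP, which is the behaviour the post calls a kill switch. Run `default_goes_via_vpn "$(ip route get 203.0.113.99)"` after the tunnel comes up; a non-zero exit means the route is wrong and the REJECT rules are all that stand between you and a leak.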
Pretty soon I'm going to be the most wanted man in the world. There will most likely be a manhunt, the likes of which we haven't seen since Bin Laden.
so autistic
aaaand I was right