There have been a few patriot websites and some conversations among the AmRRON group questioning the security of TAILS, TOR and Silent Circle. Some of the AmRRON members (including Kilo Papa-53) asked me to addresses these concerns. Is TAILS and TOR secure? The answer is:

TOR, TAILS and Silent Circle is better than nothing.

I would be cautions of anyone telling you using basic security is “not useful.” A simple question for them is what is unsecure about TOR, TAILS or Silent Circle?  P.S. Silent Circle is releasing the Black Phone 2 this month.  If you are a Patriot or Christian leader please consider the $650 price tag as a “stay out of jail assurance” policy.  Remember the life you save may not be your own.  The source code is open on the Internet for review. When they demonstrate that they do not have the expertise to review the source code, then you can ask them what about the existing audits of this software don’t you trust? Either they know something I and several other dedicated computer software developers and system engineers, plus many professional cryptologist don’t know, in that case we would invite them to participate in this community and let us know, or they do not know and are giving you bad advice.

For example one popular patriot blog linked to this article Tor and the Illusion of Anonymity.  This talks about the FBI taken down of a Tor website serving kiddy porn and TorMail.  Here is Tor’s technical explanation of this hack.   In this case this web site was up against a nation-state.  Web site are static targets that are up 24 / 7 / 365.  This gives the nation-state targeting this web site a lot of opportunity to find ways around it, even with that the nation-state took quite some time to locate the site. It took even more time to prove who’s site was it.

They then hacked the website not Tor itself.  Specifically that attacked the web server that was running behind Tor.  They then used a weakness in Firefox and Java Script to try and find the people connecting to the site.  The weakness was only for Windows computers that were running an older version of Tor Browser (FireFox) and Java Script. This is what Tor developers said “It appears that TBB users on Linux  and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack.” That is why we strongly advocate using TAILS and TOR from an open wireless connection that is not yours.  We also strongly recommend updating your security tools regularly.  TAILS is not built on Windows, and by default it disables Java Script.   We are not advocating using Tor to host a website at this time. We are advocating using peer-to-peer clients (chat) and Tor or the Tor browser (TBB) for general browsing.  You come online, you talk, you disconnect and are off line.  If you want to host a website on Tor it take a lot more work. 

To remind people there is a way to attack the Tor exit nodes. Tor is not defeated, but once you enter the normal Internet there is strong suspicion that nation states are “owning” some of these exist nodes. To detect that attack the web site you are going to must use SSL  or HTTPS. When you are exiting a Tor node and someone has tried to “own it” your Tor browser will detect it if you are using a properly formed SSL / HTTPS. That is why here on the CCS we have taken the step to implement SSL or HTTPS and we have advised every blog to upgrade to HTTPS.  I covered that in the post Calling for all Liberty blogs / website to implement SSL.  Actually every blog, from your gun store, to your church group should implement SSL.  We have also made it open to comment on any post here on the CCS without providing your real name or real email. Tor keeps “raising the bar” on what the evil people have to do to see you simply browsing the Internet. Here is another article on how to stay safe from bad exit nodes.

There is also a group of hackers who have attacked Tor relays.  They got some press on their attack in post like If you still trust Tor to keep you safe, you’re out of your damn mind.  Their attack was detected and dealt with.  The statement from Tor is as follows: “This looks like a regular attempt at a Sybil attack: the attackers have signed up many new relays in hopes of becoming a large fraction of the network. But even though they are running thousands of new relays, their relays currently make up less than 1% of the Tor network by capacity. We are working now to remove these relays from the network before they become a threat, and we don’t expect any anonymity or performance effects based on what we’ve seen so far.” So hopefully this gets nipped in the trollish bud before anonymity is affected.”  This is why it takes a bit of expertise to understand these threats.  That is why the AmRD was formed to provide patriots a level of confidence. 

MIT the best computer science engineering school in the world attacked Tor.  They said “Breaking the encryption to unmask users of Tor is complicated and can’t be done reliably right now, but the MIT technique doesn’t require compromising encryption. Instead, it’s a very clever form of traffic fingerprinting.”  They did this by building bad Tor entry nodes.  “…setting up a computer on the Tor network as an entry node and waiting for people to send requests through it.”  That is basically the “powers that be” having a computer system outside your house waiting for you to connect.   Again, they didn’t crack the underlying technology which MIT admits is “…complicated.”  Again this is why we recommend using wireless connectivity that is not yours for liberty operations.  Also MIT gave Tor developers an easy answer and I am unsure if Tor has implemented the solution yet.

TOR, TAILS and Silent Circle are pretty good at reducing your exposure to bulk or mass surveillance. That is why we describing using encryption as “whispering” over the Internet. Yes, two patriots whispering in the back of the room may get the attention of the confidential informant that has infiltrated your group. He may even realize something is being said between the two, but he still has to use energy to figure out what is being said. We know that screaming at the top of your lungs from the podium will get their attention.  And that is what you do when you don’t use encryption. We know that nation states have created a surveillance state. They claim it is to keep us safe from terrorism. We suspect it is also to keep tabs on those who disagree with the government. Recently Patrick Lewis of Rural Revolution wrote in her WND column titled Would a coup make things better?:

“It comes as no surprise that the federal government is fascinated – no, obsessed – with keeping tabs on anything and everything we do. Privacy no longer exists. Everything from media communications to the movement of our vehicles is recorded and stored in massive facilities such as the Utah Data Center. The government needs these data … you know, just in case. And why would such massive data ever be needed? There is endless speculation, of course, but ultimately, just as not paying your taxes eventually leads to men with guns, it is to prevent a citizen uprising. In short, a coup. Like slave owners, our overseers are petrified that we will revolt. History has shown, over and over again, that a people can take oppression for only so long before they rise up in explosive anger. That is, after all, what the Declaration of Independence was all about.”

I agree with her assessment and the thoughts express by one of the Founders of Silent Circle Phil Zimmerman in the video above. I strongly suspect that the government is keeping tabs upon people who politically disagree with it, and are willing and capable of mounting a “…2nd Amendment defense” of liberty.  We have covered progressive authorarians being paid millions of dollars to track you.  We covered that in the post The government has paid ½ a million dollars to track conservatives online – What you can do about it.  We have documented that the government has created the MAIN CORE database to track dissidents.  The American Redoubt Darknet (AmRD) sometimes we call it the Patriot Darknet, depending upon the audience are very skilled patriot computer administrators and developers.  After much investigation and review we suggested using the best technology that we could find  to lower your profile on line. We shared this research with the larger patriot community. Does this make you invisible? No it does not. May it reduce your online signature? Yes, there is strong evidence that it does. Does not using it make that information very easy for others to access? Yes, there are plenty of evidence of people not using encryption and anonymity tools and having their information compromised.

One of the best examples that not using encryption is not good for the community is when the BATFE stole the customer records of ARES armor.  I covered that in both podcast and multiple blog post, one of them titled Patriot Mondays: Ares Armor & CEO Dimitrios Karras. The question that everyone asked is, why wasn’t the gun store customer list encrypted with free TrueCrypt or its successor VeraCrypt? Another great example are the Georgia militia who refused to use any Patriot Darknet recommended tools and are now sitting in jail.  I covered that in the post Freedom Fighter Mondays: What Not to Do – Terry Eugene Peace, Brian Edward Cannon & Cory Robert Williamson.  They choose to organize on Facebook and sent unencrypted emails and text messages to each other, from their own computers without using TAILS.  They are now sitting in jail for 12 years, after pleading guilty.  One of the Bard 10 Rules for OPSEC (or perhaps CONOPS) is Rule 6: Be proactively paranoid, it doesn’t work retroactively.  I am sure the Georgia Militia is sitting there saying “…I should have done this…” or “…I should not have done that.”  They have 12 long years to keep going over that.  I recommend you spend five minutes and a little money asking the same questions now. Plastic gloves, a mask and “booties” on your boots do not make you invisible, but they do make it more difficult to find you and prove it was you that was at such and such a place. Not using them make you easier to find and track.

No one has presented a case where the technology of TOR, TAILS or Silent Circle has been “compromised” directly. Not one case. In every case, the “powers that be” found a way to attack the CONOPS or the players using TOR. That is why we published the Bard’s 10 rules to OPESEC. The Onion Router (TOR) which “TOR” now Tor stands for is the best approach I know of to anonymize general web traffic. TAILS is the best technology we have found to leave no traces on your computer. Using Silent Circle for voice and text is the best way we know of to communicate via the phone.  We do not have an email option because we have not found a technology to recommend that meets our fairly high criteria at this time.  Using an open wireless connection that is not yours, TAILS and TOR and Silent Circle are the best approaches we know of exchanging data and communicating on the Internet and making it very difficult to prove in a court of law that it was you who sent this or that message. Remember it is not just figuring it out it is you. It is proving it in a court of law.

TOR, TAILS and Silent Circle publish their source code. This means their source code has been published on the Internet. Thus when someone tells you it is “not secure.” Ask them to please show you in the source code which is freely available where it is not secure? Unlike people who are not in the business of Information Assurance also called Cyber Security people have the ability to constantly look over the open source code to see if there are issues in the code.  Lots of people have looked at the Tor source code, as can be seen from the number of researchers which have modified Tor and the number of bugs people have found by reading Tor’s source. So far nobody has found anything which is close to being a back-door.  The source code for Silent Text is here.   Several professionals have looked at the Silent Circle code and “audit” it.  And when that happens some people have found some minor things. Nothing is perfect, and these companies have been quick to fix their software.   The EFF reviewed the security of Silent Circle and found it to be very good. Silent Circle submits their code for several third-party audits.

There are over 2 million people (clients) are using Tor at any one time. There are over 375,000 people using Tor in the United States at any one time. This does not include people who are hiding behind Tor bridges. Yes, perhaps people will see you using Tor and would like to know what you are doing, but when there are millions of users, it is going to get harder and harder. Silent Circle does not publish how many total subscribers or concurrent people use Silent Circle, but it is a decent number. Again, you are simply one of many using this technology.

Another way to think of this is by implementing basic online security mechanism like TOR, TAILS, open wireless connections that are not yours, TruCrypt to maintain data it “raises” the bar on who can track you. See, if you come to the attention of nation state actors, you better be using the ultimate encryption which is “face-to-face” encryption.  Some call it “meat space.”  Nothing is written down ever. Anything less, can be tracked and hacked. The US government has tens of thousands of highly paid scientist, engineers and developers all focused on one thing. Cracking other nation-state communications. Those other nation-state have tens of thousands of their own highly paid of scientists, engineers and developers to try and keep their communications secure. Often they lose. The American Legions are strong. You know why I know this? I was part of the American Legions working to secure and break communications. I would trust no electronic communication methodology against such an attack.

However that is not the focus of the American Redoubt Darknet (AmRD) or the Patriot Darknet. It is to keep your online interactions safer from bulk mass surveillance which I find ungodly and unconstitutional. It is not to keep you safe from “targeted” nation state surveillance. It is to reduce the chance of you coming to the attention of players and / or them figuring out what you are communicating.

If you are communicating with TAILS and its included encrypted chat, or with Silent Circle Text, a private investigator (PI) hired by grey organizations or political opponent are going to find it very hard to attack your communication in transit. We have no incident of anyone PI level resources attack successfully penetrating TAILS and encrypted chat or Silent Circle Text while in transit.   Your local mall ninja sheriff or State police are also going to find it hard to penetrate encrypted chat and Silent Circle. We have no incident of any State level enforcers being successful at this. It is questionable if even Department of Homeland Security fusion centers can map out communications patterns when using TAILS, TOR and Silent Circle. It all depends if they can access the resources of the nation-state actors.

Thus by using the best resources we know about, you effectively using plastic gloves on the Internet. You are reducing your online signature, like wearing electronic camouflage. It does not make you invisible, there is still a lot of skill in stalking dear that is not “equipment”, but it does make it harder to see you. That is why hunters wear camouflage.  That is why I suggest you review my 10 OPSEC rules.

People using these tools have made such a impact that the Fed.Gov is asking Congress to pass more laws to prevent it.  Also if more patriots “go dark” and use online anonymity and security tools it makes “clutter” in the surveillance State. Now “the powers that be” have millions of encrypted conversations going on. Who do they focus their resources on? They have to decided, because they cannot be everywhere all the time. This is a form of soft secession. It is legal, something anyone can do for no more than $9.00 a month and it makes things harder for those doing unconstitutional things. Why not? The more people using some form of anonymity and security makes it much harder for mass surveillance to be useful, other than those obstinate people who doggedly persist in suggesting simply sending things in the clear, when you know people are listening.

We strongly recommend you using the best online security you can find.  P.S. The guy who created PGP Phil Zimmerman recommends moving to Silent Circle which he also created.  He says it is more secure.  After much effort and discussion we have found tools we trust to a degree and have shared the with you.  Now that I am located in the Redoubt, if patriot or Christian organization from this area wants a class on this, I will try and get myself or another Patriot computer person to give you a class on this and explain in detail.