Setting Up Torbirdy

In This Earlier Posting, I wrote that I was setting up an old, garbage-grade laptop, to connect entirely through Tor. And one of my motivations has to do with the USB-stick, in that I am trying to establish that this USB-stick cannot really be of such immense benefit to whoever is using it, as is claimed, and that therefore, Edward Snowden cannot also have gotten much use out of .

Further, I think we can see that in recent years, the way in which PCs react to inserted, ‘ USB-sticks’ has also changed, so that our chances of finding a host machine which will boot from such a pen-drive, but without the consent or knowledge of its owner, are also quite slim. An actual laptop bypasses that problem.

What I think I found, was that most of the services which we could connect to – including IRC Servers – detect that we are connecting to them from a remote IP address that belongs to a Tor gateway – a so-called “Exit-Node” – and if we are authenticated, ban the user, or otherwise just block the user.

What I had written though, was that in addition to being able to use the Web-browser, I wanted my own laptop to be able to perform one additional task. And so I had found that a mailbox service exists called , and that it runs its own Tor Exit-Node internally, for which reason we could send and receive email with them, once we have set up and paid for an account.

What I discovered, is that this not only works in theory, but actually does in practice. We need to install an ‘‘ extension named “” to get that to work, but it does finally work.

I do know that there exists a package ‘‘, as of , which some people might see as the more-secure way to install . But I had two problems with this:

  • My laptop is based on , which did not have this package yet,
  • These package-installed extensions are often not up-to-date, for full compatibility with the package-installed, or versions. The only exception I positively know of, is ‘‘.

At some point in the past, I needed to uninstall all the ‘‘ -extensions, and reinstall their up-to-date versions in user-space.

There is a practical note to getting to work however, which I needed to resolve. The local machine could have Tor configured in different ways, and this extension assumes just one arbitrary Tor-daemon configuration to connect to. We need to configure the extension itself, to tell it which port number our Tor-daemon is listening on, if not which IP address, before will connect.

But once I overcame that hurdle, I was able to connect. I happen to be using the Hidden Tor Service URL of , instead of the open IMAP Server URL, because with the Hidden Tor Service, I am more likely to get to the IMAP Server, using the correct, assigned Exit-Node. One problem which plagues Tor, is Man-In-The-Middle Attacks, which have in fact been run by dishonest Exit-Nodes.

Also, it is possible to set a computer-wide HTTP Proxy. The ‘‘ URL-Form is not only used for Web-browsers and sites, but also for a plethora of services that provide data in response to Requests, etc. And so there are ultimately more services which we could connect to, if we tried hard enough.

I also derived a little script, which can be used once the laptop is set up, to block all non-Tor data-output completely. This version of the script has an option, which will deliberately allow for some DNS leaks if uncommented.

 


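#!/bin/bash

# Let's save typing and confusion with variables
IPTABLES=/sbin/iptables
# Every nameserver listed in resolv.conf (there may be more than one)
DNSSERVERS=$(awk '/^nameserver/ {print $2}' /etc/resolv.conf)

# Note: iptables only governs IPv4; this script does not touch IPv6 output.

# Start from an empty OUTPUT chain that drops everything by default
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT DROP

# Allow the Tor daemon's own traffic, and anything on the loopback interface
$IPTABLES -A OUTPUT -j ACCEPT -m owner --uid-owner debian-tor
$IPTABLES -A OUTPUT -j ACCEPT -o lo

# Allow UDP and TCP to the local subnet
$IPTABLES -A OUTPUT -j ACCEPT -p udp -d 192.168.2.0/24
$IPTABLES -A OUTPUT -j ACCEPT -p tcp -d 192.168.2.0/24

# Optional: uncomment to allow direct DNS (this deliberately leaks DNS)
# for DNSSERVER in $DNSSERVERS ; do
#     $IPTABLES -A OUTPUT -j ACCEPT -d ${DNSSERVER}/32
# done

# Uncomment to list the resulting rules
# $IPTABLES -L -v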


 

The following line can be added to ‘‘:

 


DNSPort 53

 

which will cause Tor to act as the DNS-server, with lookups performed remotely, rather than visibly from the local machine. Then, we can designate ‘127.0.0.1’ to be our DNS-server, to which end we can also give the command

 


chattr +i /etc/resolv.conf

 

to prevent our DNS-server assignment from being overwritten. Obviously, these two configuration options are mutually exclusive.
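
A caveat on the firewall script, shown as an added example (not the author's code): its 192.168.2.0/24 ACCEPT rules also permit plain DNS to a resolver on that subnet, such as a home router, even with the DNS option left commented out. The sketch below checks a saved `iptables -S OUTPUT` listing against a `resolv.conf`; the listing, the uid 108 and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an `iptables -S OUTPUT` listing for rules that let
# plain DNS escape. Only ACCEPT rules with an explicit IPv4 -d are examined.

# Dotted-quad IPv4 address -> integer.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed if address $1 lies inside CIDR $2 (a bare address counts as /32).
in_cidr() (
    net=${2%/*}; bits=32
    case $2 in */*) bits=${2#*/} ;; esac
    mask=0
    [ "$bits" -eq 0 ] || mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "$net") & $mask )) ]
)

# $1 = file with `iptables -S OUTPUT` output, $2 = resolv.conf to check.
# Prints one finding per line; prints nothing when no leak is found.
audit_output() {
    grep -qx -e '-P OUTPUT DROP' "$1" || echo "POLICY: OUTPUT default is not DROP"
    awk '/^nameserver[ \t]/ {print $2}' "$2" | while read -r ns; do
        case $ns in 127.*|*:*) continue ;; esac  # local resolver; IPv6 not handled
        grep -e '-j ACCEPT' "$1" | grep -v -e '--uid-owner' |
        while read -r line; do
            dest=$(printf '%s\n' "$line" | sed -n 's|.* -d \([0-9./]*\).*|\1|p')
            [ -n "$dest" ] || continue
            if in_cidr "$ns" "$dest"; then echo "DNS-LEAK: $ns allowed by: $line"; fi
        done
    done
    return 0
}

# Constructed sample: the listing the post's rules would produce (uid 108 is a
# made-up value for debian-tor) and a resolv.conf naming a router on the LAN.
demo() (
    dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
    printf '%s\n' '-P OUTPUT DROP' '-A OUTPUT -m owner --uid-owner 108 -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' '-A OUTPUT -d 192.168.2.0/24 -p udp -j ACCEPT' \
        '-A OUTPUT -d 192.168.2.0/24 -p tcp -j ACCEPT' > "$dir/rules"
    printf 'nameserver %s\n' "${1:-192.168.2.1}" > "$dir/resolv.conf"
    audit_output "$dir/rules" "$dir/resolv.conf"
)
demo
```

With `nameserver 127.0.0.1` in place (the `DNSPort 53` setup), the same audit prints nothing.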

Dirk

(Edit 12/25/2016 : ) One peculiarity that will exhibit, once we have installed , is that certain behaviors of the client application are altered, in ways that are deemed ‘safer’ in a potentially-hostile data-environment, from how we normally expect email-clients to be set up.

One of the numerous altered behaviors, is that once we have started the email client, it will no longer go directly to the Inbox of our default email account, when that is the account. I made lengthy efforts to change this behavior in the GUI, and observed with each restart of the application, that my changes were ignored. In fact, if is as well-managed as I imagine they are, some of their data-specialists might be scratching their heads, as to why this one registered user is connecting so many times in a row, and doing so repeatedly via Tor, and not sending or receiving any emails.

This one problem can be solved, by going into ‘‘ , and Searching specifically for settings. There is one which needs to be set to True, if we want to go directly to our Inbox when started.

Under Windows, this settings window can be found under ‘‘ .

There is another changed behavior which is truly ‘safer’, which is to prefer that a message be displayed at first in plaintext, even if an HTML version is available. This is a setting which belongs to , and if we do change it, during the next restart of the application, will just change it back again.

Normally, we change this from the GUI, from the ‘‘, as we like, thus affecting the same settings in the . If there is an HTML version available, we can still choose to view it once. Only, what we expect from , is that any changes we make to this setting will be remembered. Now they will not.

 
