About this article
You will not understand this article if you do not have an understanding and appreciation for Tor hidden services. If you don’t even have an appreciation for Tor, you might like my article Comparing HTTP, HTTPS, VPN, and Tor with “snail mail” metaphors that looks at basic Tor operations.
Following my blog post A guide for journalists that need to defend their work from governments, I purchased a new, inexpensive Acer laptop and have reviewed it by configuring and hardening it to be a secure Tor hidden service with the intent of thwarting well-funded adversaries that may search for and discover its physical location. But first and foremost, journalists and other human rights defenders need safe spaces for their information and data, especially when moving around and crossing borders.
If I were a journalist and needed to defend my work from a wide range of threats, I would deploy several of these laptops in various geographical locations and configure them to automatically sync with each other. People need to be able to document wrongdoing and safely transport their work to private systems; quite plainly, it is often not safe for people to carry valuable information with them due to government and corporate abuses.
Please note that I am not a subject matter expert in any of the systems that I discuss in this guide. There is always someone else that knows more than I do on specific topics, but I do my best to bring together many different knowledge areas to create a holistic, usable solution. What is “best” or “more secure” is relative to so many things. If you do not understand why you do or do not perform any of these actions, you should consider not doing any of them until you do. Operational security is hard and easy to mess up, so you need to be able to think carefully and independently, and to rethink your problems often as circumstances change.
Brief SecureDrop vs GlobaLeaks vs plain hidden service discussion
I believe that news and law professionals have an ethical obligation to implement SecureDrop when interfacing with the public. That being said, this guide is absolutely not intended to support the public. This guide is exclusively for news media professionals, human rights investigators, or documentary film makers that need private storage accessible over the net.
SecureDrop has outstanding security features but it is a complex system that requires several physically-disparate systems to work together. SecureDrop doesn’t scale well due to time (education, installation, maintenance) and financial (hardware) costs. SecureDrop is not an option for the problem that this guide aims to help solve.
GlobaLeaks, on the other hand, is so easy to install it puts WordPress to shame. As long as you are comfortable with the Linux command line (yeah, I know), all you do is download the script, make the script executable, and then run the script. The GlobaLeaks script takes care of installation and prudent configuration. This guide, however, is more complex simply because hardware and software systems are not designed to withstand well-funded adversaries.
GlobaLeaks, once it’s installed, is completely configurable through a web interface. This guide will not look at GlobaLeaks configuration; you will need to research that separately. I will say that GlobaLeaks is a hardened web interface that makes it easy to upload whole files, including automatically encrypting any file uploaded to your GlobaLeaks server with a PGP public key of your choosing. It is at this point that we need to explore using a regular Tor hidden service.
A Tor hidden service, simply configured in the torrc file, is easily the most secure option if you are only operating via the command line (ssh, scp, rsync, etc). If an adversary (accidental or purposeful) were to discover your private onion address(es), a CLI-only server has a lot less attack surface. But it also requires that you expose openssh and its dependencies. Probabilistically, an adversary discovering your Onion site(s) without first finding them physically is not likely. In my opinion it is more important at this stage of defense-in-depth thinking that you choose a solution that makes your job easier. This guide is written to support GlobaLeaks with an added hidden service for CLI operations.
Rsync’ing is probably really ideal given the use of Tor hidden services. Large file transfers may be problematic if your Tor circuits aren’t stable. Incremental backups are really great, even more so because you can perform an incremental backup on an entire encrypted volume and you don’t have to transfer the entire volume.
If you are a journalist or human rights defender and need a technical resource, I make myself available using the contact methods listed on my blog.
The new Acer Aspire One Cloudbook
The Acer Aspire One Cloudbook, also reviewed on Mashable, is a budget laptop that is, in my opinion, a good option for a Tor relay or Tor hidden service computer. The Acer with 32GB of disk storage was $189 (retail) at my local Microsoft Store. After asking about, smiling, and receiving a 10% student discount, the total was $186.43 after tax. There are also 16GB and 64GB models of this laptop.
Mfg date: 2015/07/30
Important hardware specifications and security thoughts
The Intel Celeron N3050 is one of two reasons why this laptop is so valuable. This Celeron has the AES-NI instruction set, which means Tor’s encryption processing overhead is greatly reduced. AES-NI is traditionally used to speed up Tor relays, but it has the same effect on Tor hidden services if there are large file transfers taking place.
Low-hanging fruit problem number one: RAM. The second reason why this Acer is so great for Tor hidden services specifically is because the DDR3L SDRAM is integrated into the system board. This means, if an adversary were to discover the physical location of your hidden service, the RAM cannot be removed which mitigates all cold boot attacks. Combined with LUKS disk encryption, this Acer would have strong defenses against physical attack.
A nice perk is that this Acer has a TPM chip. Sadly, the laptop (either the eMMC drive or BIOS) does not support full disk encryption.
Last but not least, laptops, by design, have two great things going for them: internal batteries to withstand brief power loss, and power adapters that have built-in surge protection. It is also quite slim and passively cooled (it makes no noise), so it is very discreet. You can throw this in a friend’s closet (because of its wireless connection) and it would be easily forgotten. Keep in mind that if and when these systems (with BIOS and partition encryption passwords) power down, they cannot be started back up until you are physically present to enter the passwords. Fortunately, I have personally seen Linux server systems have uptime of 600+ days. Tor will accommodate poor connections common with residential Internet.
Most regrettably, this Acer does not have a 1 GbE port. Fortunately the Wifi card is quite good and is recognized by Tails 1.7. For Ubuntu 15.10 server, there is some minor configuration editing needed to get the Wifi to work, but nothing crazy like driver installation. If you will not or cannot accept relying on Tor hidden services using Wifi, do not use this laptop.
If you need more storage space you will need to find a different laptop simply because of the security implications. The security implications are simple — we need to shut down all USB access, which is discussed below. From a management point of view, it is easier to manage a Linux client if there is only one storage volume — the one the OS is installed on. Never treat a solution like this as any manner of backup or archive, only as a transitional solution that is part of a broader information assurance plan. There are “desktop replacement” laptops that can support 2+ drives, and in those configurations it is possible to leverage hardware or software RAID (like RAID-1, mirroring) for storage-at-rest redundancy. Desktop replacement laptops, however, have RAM that is easily removable, and the threat model will have to be re-assessed.
Open question: I do not believe this Acer can have its eMMC drive upgraded. As far as I can tell, it is also integrated into the system board.
Low-hanging fruit problem number two: USB. If an adversary were to find the physical server, said adversary might perform a USB attack to extract important information from the system to support additional attacks, or they might modify the system in a malicious way to gain entry. There are three things to be done to mitigate USB attacks:
1. Verify that the first boot device in BIOS is the internal drive, and verify there is a high-entropy BIOS administrator password and a high-entropy BIOS boot password.
2. Configure the Linux kernel not to support USB (detailed below).
3. Optionally, close the USB ports with heat-resistant epoxy resin, and make sure the epoxy has fully cured before turning the system back on. For obvious reasons, only perform this step after you have a stable system configuration and are comfortable with the fact that it will not be possible to install another OS.
BIOS configuration for bootable USB drives
Enter into BIOS by pressing the F2 key during boot.
Main > Touchpad > select: Basic
Main > Network Boot > select: Disabled
Main > F12 Boot Menu > select: Disabled
Main > Lid Open Resume > select: Disabled
Main > D2D Recovery > select: Disabled
Security > select: Set Supervisor Password (max is 12 characters)
Security > select: Set User Password (max is 12 characters)
Make sure that you use high-entropy passwords. Sadly, 12 characters is not a lot. But we can use complex passwords, so be sure to document them on a separately encrypted device. After some testing, I was able to determine which alpha-numeric and special characters this BIOS will accept, so here is a Linux command to generate good 12-character passwords (15 passwords will print, so you can easily choose two of them):
tr -dc 'a-zA-Z0-9=;,.-' < /dev/urandom | fold -w 12 | head -n 15
Security > Password on Boot > select: Enabled
Boot > Boot Mode > UEFI > select: Legacy
Verify USB HDD is first when preparing to install the OS. After the OS is installed, make sure the “EMMC : HBG4e 32GB” boot device is first.
Exit > select: Exit Saving Changes
Tails 1.7 test (just for fun)
I made a Tails 1.7 USB-bootable drive from an Ubuntu 15.10 system:
dd if='tails-i386-1.7.iso' of=/dev/sdb bs=16M && sync
Tails booted without issue. The trackpad on the Acer does not work with Tails, but this does not affect a Server OS. I used a USB mouse to navigate. The Wifi works great and Tor connected with no problem.
Ubuntu Server 15.10 x64 w/ GlobaLeaks
GlobaLeaks advises using the LTS versions of Ubuntu (12.04, 14.04), but unfortunately, the eMMC SSD (storage) is not recognized by 14.04. Ubuntu 15.10 has no problem seeing and using the eMMC SSD. With the 32GB SSD, after Ubuntu Server is installed, 24GB is usable. I started by making my USB-bootable drive from an Ubuntu 15.10 system:
Disks (utility) > (select USB drive) > menu > Format Disk > (defaults) Format > Format
dd if='ubuntu-15.10-server-amd64.iso' of=/dev/sdb bs=16M && sync
Ubuntu setup configuration
- I acknowledged that there are no network interfaces.
- I changed the hostname to “Windows”.
- I set an unattributable user name and long (64+ characters), unique password.
- I selected my time zone.
- I did not encrypt the home directory.
- I selected: Guided – use entire disk and set up encrypted LVM (with a long (64+ characters), unique password)
- I confirmed no automatic updates.
- I did not install any additional services.
- I confirmed installation of GRUB.
Find the on-board Wifi device name (the one after “lo”):
Mine is called “wlp2s0”. Make sure your Wifi network uses standard DHCP with WPA2 security (like a normal home network should). Add all of this information to the interfaces configuration file:
sudo vim /etc/network/interfaces
Add these four lines:
auto wlp2s0
iface wlp2s0 inet dhcp
    wpa-ssid 'SSID'
    wpa-psk 'password'
Enable the iptables firewall with UFW, which, when enabled, blocks all incoming network traffic (that isn’t Tor).
sudo ufw enable
Start up the wireless interface and connect:
sudo ifup -a
sudo apt-get update
sudo apt-get dist-upgrade -y
sudo shutdown -r now
sudo su
mkdir /etc/systemd/system/tor.service.d
vim /etc/systemd/system/tor.service.d/directory.conf
Add these two lines:
wget https://deb.globaleaks.org/install-globaleaks.sh
chmod +x install-globaleaks.sh
./install-globaleaks.sh
Yes, accept that you are using an unsupported system.
Once GlobaLeaks is installed, it will have printed out the onion address for the GlobaLeaks site. Now you can go there to perform your desired configuration: https://github.com/globaleaks/GlobaLeaks/wiki/Configuration-guide
Another hidden service for command line interface access
sudo vim /etc/tor/torrc
Uncomment lines 74 and 76 to activate them:
HiddenServiceDir /var/lib/tor/other_hidden_service/
HiddenServicePort 22 127.0.0.1:22
sudo apt-get install openssh-server -y
Configure SSHd (at a minimum):
sudo vim /etc/ssh/sshd_config
Comment out these lines:
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
Edit these lines:
ServerKeyBits 4096
PermitRootLogin no
Uncomment and edit this line:
Restart tor and ssh:
sudo service ssh restart
sudo service tor restart
View your new (second), command-line-interface only hidden service address:
sudo cat /var/lib/tor/other_hidden_service/hostname
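An added example, not part of the original guide: a POSIX shell audit that checks an sshd_config and a torrc against the settings chosen above. The function names, the sample files and the LAN address in them are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the two files edited
# above against the settings the guide chooses.

# Active HostKey lines for the key types the guide comments out.
weak_hostkeys() {
    awk 'tolower($1) == "hostkey" && $2 ~ /_(dsa|ecdsa)_key$/ {
             print NR ": " $0 }' "$1"
}

# Effective global PermitRootLogin: sshd keeps the first value it reads,
# and anything after a Match line is conditional, so stop there.
# Prints "unset" when the keyword never appears (sshd's default applies).
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# HiddenServicePort lines in a torrc whose explicit target is not the
# 127.0.0.1[:port] form used in the guide.
hs_nonloopback_targets() {
    awk 'tolower($1) == "hiddenserviceport" && NF >= 3 &&
         $3 !~ /^127\.0\.0\.1(:[0-9]+)?$/ { print NR ": " $0 }' "$1"
}

# Constructed sample files, not taken from a real system.
write_samples() {
    cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin no
PermitRootLogin yes
EOF
    cat > "$2" <<'EOF'
HiddenServiceDir /var/lib/tor/other_hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 22 192.168.1.10:22
EOF
}

d=$(mktemp -d) && write_samples "$d/sshd_config" "$d/torrc"
echo "weak host keys:";        weak_hostkeys "$d/sshd_config"
echo "PermitRootLogin: $(permit_root_login "$d/sshd_config")"
echo "non-loopback targets:";  hs_nonloopback_targets "$d/torrc"
rm -rf "$d"
```

On the server, point the functions at /etc/ssh/sshd_config and /etc/tor/torrc; empty output from the first and third checks and "no" from the second match the guide's configuration.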
Disable all USB
sudo vim /boot/grub/grub.cfg
There should be five different instances of the following line:
linux /vmlinuz-'KERNEL' root=/dev/mapper/'NAME' ro
Each one of them needs to be modified with “nousb” at the end, like the following:
linux /vmlinuz-'KERNEL' root=/dev/mapper/'NAME' ro nousb
Here are the 5 line numbers that I found (in vim, type “:” followed by the number, like “:143”, then press Enter to jump directly to that line):
143 161 178 196 213
sudo shutdown -r now
You can verify that USB devices are not initialized by your system by viewing the kernel log in real time and inserting USB devices (if no logs are created, then no new devices are being initialized):
sudo tail -f /var/log/kern.log
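An added example, not part of the original guide: a POSIX shell check that finds kernel entries still lacking nousb without relying on fixed line numbers, and confirms the running kernel was booted with it. The function names and the sample grub.cfg are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): find kernel entries that
# still lack "nousb" without relying on fixed line numbers.

# Print "LINE: text" for each GRUB kernel entry in file $1 that does not
# carry nousb as a whole word. No output means every entry is patched.
entries_missing_nousb() {
    awk '$1 == "linux" {
             ok = 0
             for (i = 2; i <= NF; i++) if ($i == "nousb") ok = 1
             if (!ok) print NR ": " $0
         }' "$1"
}

# Succeed if the kernel command line in file $1 (normally /proc/cmdline)
# contains nousb, i.e. the running kernel was booted with it.
booted_with_nousb() {
    tr ' ' '\n' < "$1" | grep -qx 'nousb'
}

# Constructed sample in the shape of the guide's grub.cfg lines.
write_sample_cfg() {
    cat > "$1" <<'EOF'
menuentry 'Ubuntu' {
linux /vmlinuz-KERNEL root=/dev/mapper/NAME ro nousb
initrd /initrd.img-KERNEL
}
menuentry 'Ubuntu (recovery mode)' {
linux /vmlinuz-KERNEL root=/dev/mapper/NAME ro recovery nomodeset
initrd /initrd.img-KERNEL
}
EOF
}

cfg=$(mktemp) && write_sample_cfg "$cfg"
entries_missing_nousb "$cfg"   # reports the recovery entry on line 6
rm -f "$cfg"
```

On the server, run entries_missing_nousb against /boot/grub/grub.cfg and booted_with_nousb against /proc/cmdline. Repeat the first check after every kernel update, because update-grub regenerates grub.cfg and discards manual edits to it.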