 6 Wicked Ways to Use Tor...

Whonix
This is 2 virtual machines.  The 2nd one keeps Tor external, so even if malware breaks out, you're still safe.
Each program gets its own circuit, which means a different 3 hop path.

Tails
Disposable USB stick.  Plus you can run this without an admin (sudo) password existing, meaning nobody can install anything.  How can hackers get sudo, when there is no sudo?!

ParrotOS
While there aren't different circuits for each program like Whonix or Tails, Parrot lets you change Tor exit IPs quickly via the GUI for the whole system.  This is useful for beginners (who like the GUI) and want new identities from the same domain/program, for example multiple emails, multiple XMPP accounts, etc.

KaliTorify
This is a command-line tool.  Exactly like Parrot, it routes the entire system through Tor like a VPN.  Both Parrot and KaliTorify use iptables, which is just a firewall program.  KaliTorify is convenient and fast, but it’s easy to accidentally forget to put it on and doxx yourself.

OpenWRT
This is router software that can do Tor.  It's useful for when you want to hide Tor use on your phone, because the app bans or restricts Tor.  So Tor router -> VPN phone.  For example making a burner Telegram or WhatsApp account with the crypto-VoIP numbers, like I showed you before.

Orbot or InviZiblePro
This is Tor for cellphones.  Be careful with this, because it's NOT giving you new circuits for each app like Whonix or Tails.  So let's say you got Telegram with your real KYC number and an anonymous Signal burner.  That Tor exit node is seeing you pull from Signal and Telegram at the same time, and if that's a malicious government node, you're not as "anonymous" as you think.
Solutions:
Either toggle different mobile profiles, never use KYC numbers, or use a firewall app.  Graphene has one under each app's settings, or Calyx has an awesome system-wide one.

Conclusion
Do you want help setting any of this up?  Advice on opsec or what to avoid?  Don't get burned with random idiots giving you bad advice, and save yourself headache and time.  At $30/hr, it's so low you'd probably lose more trying to debug it on your own.  We're just a DM away. 
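
The KaliTorify entry above notes how easy it is to forget to turn the redirect on. As an added example (not part of the original post and not KaliTorify's own code), this shell check classifies `iptables-save` output and refuses to start a program unless both the TCP and the DNS redirect to Tor are loaded. The ports 9040/5353, the rule shapes and the helper name `run_if_torified` are assumptions modelled on a typical Tor transparent-proxy setup.

```shell
#!/bin/sh
# Added example. Assumed ports: Tor TransPort 9040, DNSPort 5353.
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# Classify iptables-save output read from stdin.
# Prints ok | dns-leak | no-tcp-redirect | off; exit status 0 only for "ok".
tor_redirect_state() {
    awk -v tp="$TRANS_PORT" -v dp="$DNS_PORT" '
        /^\*/ { table = substr($0, 2) }   # table header: *nat, *filter, ...
        table == "nat" && /^-A OUTPUT / && /-j REDIRECT / {
            to_trans = ($0 ~ ("--to-ports " tp "( |$)"))
            to_dns   = ($0 ~ ("--to-ports " dp "( |$)"))
            if (/-p tcp / && to_trans) tcp = 1
            if (/-p udp / && /--dport 53 / && to_dns) dns = 1
        }
        END {
            if (tcp && dns) { print "ok"; exit 0 }
            if (tcp) print "dns-leak"
            else if (dns) print "no-tcp-redirect"
            else print "off"
            exit 1
        }'
}

# Fail closed: run "$@" only when both redirects are loaded (needs root).
run_if_torified() {
    state=$(iptables-save -t nat | tor_redirect_state) || {
        echo "refusing to start: Tor redirect state is '$state'" >&2
        return 1
    }
    "$@"
}

# Constructed samples in iptables-save format (not captured from a real host).
SAMPLE_ON='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'
SAMPLE_DNS_LEAK='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT'
SAMPLE_OFF='*filter
:OUTPUT ACCEPT [0:0]
COMMIT'
```

The check only confirms that the redirect rules are loaded; it does not prove Tor itself is running or that no other rule bypasses them.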
 Great info, thank you for sharing 🙏🏼 
 I would like to have Pixel+GrapheneOS as my new phone, but everything I'm able to find about "firewall per app" is just a simple network/no-network switch (probably via kernel capabilities) rather than the ability to filter network access per app in the style of "no network / wifi only / wifi+mobile data". Some of them are even able to recognise and filter mobile data when roaming.
But by my investigation, GrapheneOS can't do it.

What "firewall per app" on GrapheneOS do you mean in your comment?
Thanks. 
 We aren't willing to add toggles like this because they leak via indirect access. Apps use various OS APIs which apps may then use that cannot get covered by these toggles. An example is DownloadManager:

https://developer.android.com/reference/android/app/DownloadManager

See: "Note that the application must have the Manifest.permission.INTERNET permission to use this class." - The partial toggles do not disable INTERNET permission, while the GrapheneOS toggle and the DivestOS toggle that disables all networks do. That's why DivestOS adds our toggle above the leaky per-network toggles.

If an app does one network only and then calls the OS DownloadManager which chooses to use the other networks, you have leaked traffic towards those networks in that case.

It would be a nice to have if it worked, but we're not going to be adding unreliable features any time soon. You'd be better with an Always On VPN or Tor or disabling the cellular network with Airplane Mode when not using it -- it's up to the user's choice. 
 Neither VPN, nor Tor, nor airplane mode solves my use case, where I just don't want to waste my limited mobile data on apps that can "wait" until I'm on wifi. 
 What about proxies and VPNs, what do you think about them? Recommend any?