The news over the past few years has been spattered with cases of Internet anonymity being stripped away, despite (or because) of the use of privacy tools. Tor, the anonymizing “darknet” service, has especially been in the crosshairs—and even some of its most paranoid users have made a significant operational security (OPSEC) faux pas or two. Hector “Sabu” Monsegur, for example, forgot to turn Tor on just once before using IRC, and that was all it took to de-anonymize him. (It also didn’t help that he used a stolen credit card to buy car parts sent to his home address.)
If hard-core hacktivists trip up on OPSEC, how are the rest of us supposed to keep ourselves hidden from prying eyes? At Def Con, Ryan Lackey of CloudFlare and Marc Rogers of Lookout took to the stage (short their collaborator, the security researcher known as “the grugq,” who could not attend due to unspecified travel difficulties) to discuss common OPSEC fails and ways to avoid them. They also discussed their collaboration on a set of tools that promises to make OPSEC easy—or at least easier—for everyone.
Called Personal Onion Router To Assure Liberty (PORTAL), the project is a pre-built software image for an inexpensive pocket-sized “travel router” to automatically protect its owner’s Internet traffic. Portal provides always-on Tor routing, as well as “pluggable” transports for Tor that can hide the service’s traffic signature from some deep packet inspection systems.