Let’s Talk About Anonymity Online

Let me show you what it looks like from the internet’s point of view when I go to a simple website using a normal Browser (Brave):

111.222.333.444 – – [18/Dec/2019:16:29:05 +0000] “GET / HTTP/1.1” 200 7094 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36”

The 111.222.333.444 would be my IP address. With that, anyone can get a lot of information about. With just a simple google search, you can actually see in the general vicinity where an IP address originates from. For example, the public IP address for Google is You can use services like https://whatismyipaddress.com/ to what company owns an IP and a map to where it is located. In this case, the IP for Google is probably in a datacenter in Kansas. When I look up my personal IP, the website shows a map of Prague and the company that I use for my internet provider.

What does this mean? To any website that I visit and I don’t say who I am, I am anonymous but I am trackable. My IP address and many other things about my computer and my browser give me an unique fingerprint. From the website that I run, if I wanted, I could see a list of every IP address that ever visited, where they come from, what kind of computer they use, what browser they use, what resolution their screen is, and a lot more. A law enforcement or legal organization can easily find out who I am personally by contacting my internet service provider and then I am no longer anonymous at all. Anonymity is a very tenuous concept online. It really isn’t difficult to find out who someone is in real life if you have the means to do so.

Now let’s change gears. You’re probably heard about Tor. I know I’ve written about it a lot here. Tor is a way to make yourself both anonymous and untrackable. Furthermore it makes your true IP address a secret so even law enforcement have a very hard time tracking down someone using it. Your ISP doesn’t know what you do online.

Let’s see what it looks like when visit my website using the Tor Browser: – – [18/Dec/2019:16:49:41 +0000] “GET / HTTP/1.1” 200 7094 “-” “Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0”

The IP address is not mine. It belongs to an exit node which is run by a Tor volunteer. These IP addresses are publicly known and are often banned from many websites (we’ll talk about that later). Even though I am still running Linux, Tor Browser says that I am running Firefox on Windows 10. In fact every Tor Browser user appears to be running Windows 10 and they all have fake IP addresses.

If I do something that people don’t like, the best they could do it to contact and possibly ban the exit node but it is no simple feat to find someone using Tor. It takes a lot of big-government level money and resources to do so and even then it takes a lot of work.

Why is this important? Isn’t the amount of privacy that I have online enough? After all, if I log into Twitter or Reddit, I can create a new account and never tell anyone my real name. I am anonymous aren’t I?

To a point, you are anonymous but only on the most basic level. Again, it takes very little to pinpoint who you are in real life. Do one of these types of people sound like you? This list was written from a specific point of view. The thing that gets me most of all is that there are people in this world and perhaps in your country who are willing to use violence to keep opinions that they don’t like quiet. It is easy to keep quiet and hope not to get caught up. It is difficult to speak what you believe where the consequence could be loss of employment, injury, imprisonment, or even death. Anonymity isn’t cowardice. Sometimes it’s the only safe way to be heard.

Before I finish up, I have to talk about the negatives of anonymity. First and most obvious is that many online companies do not want you to be anonymous. They make money from giving you ads and tracking what you do. Do not be surprised if many website, including Google, stop working when using Tor. They have no reason to allow you to use their services if they can’t make money off of you and every reason to discourage it.

Secondly, bad people also use Tor. Not nearly as many as there are on the open internet, but they are there. Some are criminals. Some are merely trolls. A few do terrible things under the cover of anonymity online. Those are probably the stories that you have heard in the media and not about those who live under repressive regimes.

Not everyone agrees with me, but I believe that anonymity is important and it is crucial for safety online.

Posted in Tor

Communities in the distrowatch.org top 20

Distribution Forum Wiki Community Membership Bug Reporting Mailing List Chat
MX Linux Yes Technical Only No No Yes No No
Manjaro Yes Yes No No Forum Only Yes Yes
Mint Yes No Yes No Upstream or Github No IRC
elementary Stack Exchange No No No Yes No Slack
Ubuntu Yes Yes Yes Yes Yes Yes IRC
Debian Yes Yes Yes Yes Yes Yes IRC
Fedora Yes Yes Yes Yes Yes Yes IRC
Solus Yes No Yes No Yes No IRC
openSUSE Yes Yes Yes Yes Yes Yes IRC
Zorin Yes No No No Forum Only No No
deepin Yes Yes No No Yes Yes No
KDE neon Yes Yes Yes No Yes Yes IRC
CentOS Yes Yes Yes No Yes Yes IRC
ReactOS* Yes No Yes No Yes Yes Webchat
Arch Yes Yes Yes Yes Yes Yes Yes
ArcoLinux Yes No No No No No Discord
Parrot Yes Debian Wiki No No Forum Only No IRC/Telegram
Kali Yes No Yes No Yes No IRC
PCLinuxOS Yes No No No Forum Only No IRC
Lite Yes No Yes Yes Yes No No

*All are Linux distributions except ReactOS

Column descriptions:

  • Distribution: Name of the distro
  • Forum: Is there a support message board?
  • Wiki: Is there a user-editable wiki?
  • Community: Are there any links where I can directly contribute to the project?
  • Membership: Can I become a voting member of the community?
  • Bug Reporting: Is there a way to report bugs that I find?
  • Mailing list: Is there an active mailing list for support, announcements, etc?
  • Chat: Is there a way to talk to other people in the community directly?

What is this list?

This is the top 20 active projects distributions according to distrowatch.org in the past 12 months.

Things that I learned:

Only well-funded corporate sponsored Linux distributions (Fedora, Ubuntu, OpenSUSE) have all categories checked. That doesn’t mean that anyone is getting paid. I believe this means that employees are probably the chief contributors and that means there are more people putting in resources to help.

Some distributions are “Pat’s distribution”. Pat’s group owns it and Pat doesn’t want a steering committee or any other say in how the distro works. Though contributions by means of bug reports may be accepted.

A few distributions “outsource” resources to other distributions. Elementary allows Stack Exchange to provide their forum. Parrot Linux refers users to the Debian wiki. Mint suggests that you put in bug reports with the upstream provider unless it is a specific Mint create application.

There are a few Linux distributions that leave me scratching my head. How is this in the top 20 distros on distrowatch? There’s nothing here and the forum, if there is one, is nearly empty. Who uses this?

What do you want from an open source project?

Do you want to donate your time, make friends, and really help make a Linux distribution grow? Look at Fedora, Ubuntu, OpenSUSE, or Arch. These communities have ways to help you make this happen.

Do you want to just install a free OS on your machine and not worry about what goes into it until something breaks? Check out a Linux distribution with an active and friendly support community. Sometimes the more avenues the better. Sometimes you only need one really good and helpful forum.

Suggestions for distro owners:

Explicitly declare on your website what you want from the people who use your distribution and how they can help! Maybe you just need funding so you can quit your day job and do this full time.  Maybe you really need well written bug reports and testers. Say so and help them help you!

Did I miss something? Did I say that you have no chat but you have a thriving community on IRC? Then let me know and I will update this blog post! Also, make sure that it is visible on your page and not hidden away.

Email Consolidation

I’ve got too many email addresses.

I have:

  • 2 for work
  • 1 alias for opensuse.org
  • 1 paid account with protonmail with 5 addresses shared in that account
  • 1 very old gmail account (I signed up the first day I heard about it).
  • 1 seznam account (Czech provider)
  • 1 installation of mail-in-a-box with 4 domains that I own but only one real account that I use
  • 1 librem.one account (this is a mistake and a disappointment)

The goal is to change all of the services, mailing lists, etc that I use to point to a single email account either directly or through aliases so that all of my email is in one place with the exception of my work email which should always stay separate. Also, to get people to only email me at the one account.

to be continued…

Bedrock Linux: Strangest Linux Distro Ever?

What is Bedrock Linux?

From their website:

Bedrock Linux is a meta Linux distribution which allows users to utilize features from other, typically mutually exclusive distributions. Essentially, users can mix-and-match components as desired. For example, one could have:

  • The bulk of the system from an old/stable distribution such as CentOS or Debian.
  • Access to cutting-edge packages from Arch Linux.
  • Access to Arch’s AUR.
  • The ability to automate compiling packages with Gentoo’s portage
  • Library compatibility with Ubuntu, such as for desktop-oriented proprietary software.
  • Library compatibility with CentOS, such as for workstation/server oriented proprietary software.

All at the same time, all working together like one, largely cohesive operating system.

So, what is this thing? Bedrock Linux is a package manager compatibility overlay. Ever wanted to use CentOS or Arch packages on your Debian system? Bedrock Linux will let you do that.


A stratos in Bedrock Linux is a package management overlay. For example, if you want to add a CentOS Strata, you run:

$ sudo brl fetch centos

The BRL app will then download yum and it’s required apps and libraries into the overlay. Once it’s done you can then yum install whatever you want.

Have multiple versions of the same package? Use:

$ strat [stratus name] [packagename]

For example with the Nano editor:

tux@debian:~$ strat arch nano -V
GNU nano, version 4.2
(C) 1999-2011, 2013-2019 Free Software Foundation, Inc.
(C) 2014-2019 the contributors to nano
Email: nano@nano-editor.org Web: https://nano-editor.org/
Compiled options: --enable-utf8
tux@debian:~$ strat debian nano -V
GNU nano, version 2.7.4
(C) 1999..2016 Free Software Foundation, Inc.
(C) 2014..2016 the contributors to nano
Email: nano@nano-editor.org Web: https://nano-editor.org/
Compiled options: --disable-libmagic --disable-wrapping-as-root --enable-utf8
tux@debian:~$ strat centos nano -V
GNU nano version 2.3.1 (compiled 04:47:52, Jun 10 2014)
(C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
2008, 2009 Free Software Foundation, Inc.
Email: nano@nano-editor.org Web: http://www.nano-editor.org/
Compiled options: --enable-color --enable-extra --enable-multibuffer --enable-nanorc --enable-utf8

There are problems

It’s not as easy as it sounds. In order to install Bedrock Linux, you must have a compatible base OS. Here is the list that’s currently on the website:

Distro Hijack-able Fetch-able Maintainer
Alpine Linux Yes Yes paradigm
Arch Linux Yes Yes paradigm
CentOS Known issues Yes paradigm
Clear Linux Mixed reports Experimental support N/A
CRUX Known issues No N/A
Debian Yes Yes paradigm
Devuan Needs investigation Yes paradigm
Elementary OS Yes, but limited testing No N/A
Exherbo Yes In development Wulf C. Krueger
Fedora Yes Yes paradigm
Gentoo Linux Yes Yes paradigm
GoboLinux Known issues No N/A
GuixSD Needs investigation No N/A
Manjaro Yes, but pamac/octopi broken No N/A
Mint Needs investigation No N/A
MX Linux Known issues No N/A
NixOS Known issues No N/A
OpenSUSE Yes Experimental support N/A
OpenWRT Needs investigation Experimental support N/A
Raspbian Yes Yes paradigm
Slackware Linux Known issues Experimental support N/A
Solus Yes Experimental support N/A
Ubuntu Yes Yes paradigm
Void Linux Yes Yes paradigm

Hijack-able distros are suitable base installations. Fetch-able distros can be used as overlays.

However this isn’t entirely true or at least not up to date. My first attempt was with OpenSUSE Tumbleweed. After installing, it failed to boot. My second attempt was with Fedora 30. Same resume. It worked on the third try with vanilla Debian. Finally, while Fedora is listed as fetch-able, I couldn’t install it because the brl application couldn’t find a suitable mirror.

Should I give it a try?

Yes! It’s a very interesting project, but don’t do it on any machine where you need your data to be protected. A spare VM is the ideal platform until it becomes more stable.

In Defense of Tumblweed: Why @BryanLunduke is wrong

What is OpenSUSE Tumbleweed?

OpenSUSE Tumbleweed is a cutting-edge Linux distribution from the OpenSUSE team. It uses the latest versions of software applications and the Linux kernel for those who want to see what will be coming up in other Linux distributions in 6-months to a year or more from the time that they appear in Tumbleweed. This means that there are bugs; lots of them. Things break, This is the price that you pay for having the very cutting edge or software technology.

What did Bryan Lunduke actually say?

Let’s break down his complaints. There are only two.

  • SUSE Studio
  • YaST (ugly, cumbersome, hard to use, stupid, bloated)

The first complaint is an application stack that doesn’t actually have anything directly to do with Tumbleweed. I never used it. It was going by the wayside when I started using OpenSUSE as my daily OS of choice. The source code is still out there and maybe it should be forked and brought back to life. I don’t know. I can’t argue with this point because it is a red herring and has nothing to do the OpenSUSE Tumbleweed distribution.

The second list of complaints is pretty vague, but his complaint is basically that YaST has issues that are causing it to bring does the entire distribution as a whole.

What is YaST?

YaST (Yet Another Setup Tool) is a set of system management tools that are grouped together in a single management application called YaST though they can be installed and run separately as needed.

The modules allow the user to easily control most administrative functions that might be needed. Not all of the modules are the same though. Some such as the printer and scanner modules suck. Other modules like the Software Management module are great. I consider this to be on par with Debian’s Synaptic package management tool which is freaking amazing. If unevenness in the quality of the modules is the reason why he dislikes it so much, then it’s not a completely wrong reason but it’s not a really good one either.

I say that it’s a given that some of the modules are out of date or need a fresh new rewrite, but that’s not specifically what he is saying. He keeps his complaints vague and oddly personal. I’m not privy to much of the inner-workings of the OpenSUSE distribution but I’ve seen from social media that there is some bad blood there between him and folks in OpenSUSE and I really hope this isn’t just a rant against them instead of really against the distribution.

With that aside, let’s talk about the real issue with YaST and any GUI based configuration tool. It is yet another level of abstraction away from actually working with the operating system. For example, YaST has an module called HTTP Server. If you run it, it will set up Apache and any modules like PHP for you and will give you some basic options for tuning it without actually needing to work with the command line or configuration files directly. If someone told me that they had been a system administrator for 5 years but they had only ever used YaST, I wouldn’t hire them because many times things break and they can’t be fixed with YaST. Tools like YaST should mainly be a time saver not a replacement for good configuration and I think that’s what it is currently.

Even with my own genuine complaints above, they don’t really co-inside with Bryan Lunduke’s complains (it’s ugly, cumbersome, hard to use, stupid, and bloated) because I can’t see all of that. It’s no more ugly than any other tool (besides real nerds care about function over form). Granted, some of the modules are cumbersome and hard to use, but not all of them. It’s “stupid, stupid and it’s stupid” what the heck is that supposed to mean? Use your words Lunduke! Don’t just emote. “It’s bloated.” There are currently 183 total YaST modules. Many will never be used by an end user because they are only used during installation. However if you were to install them all, it would take up 176MiB which would average out to .96MiB per module. There are some required Ruby libraries that I’m not taking into account here, but this really isn’t what I would call bloat. You can even uninstall the modules that you don’t want without causing a huge fuss.

Let’s Wrap Up

Bryan Lunduke is wrong when he says that OpenSUSE Tumbleweed is one of the worst distros out right now. He is wrong when he says that YaST is dragging down the entire distro. YaST has problems, but they aren’t what he says they are.

LattePanda Gigglescore

A Gigglescore is a ratio score of price to performance for single-board-computers like the LattePanda or Raspberry Pi. A lower Gigglescore means a better value for the money. A higher one is worse. You can see more here: https://gigglescore.com/

My LattePanda:

sudo ./benchmark.sh 149
Repository 'openSUSE-Leap-15.0-Non-Oss' is up to date.
Repository 'openSUSE-Leap-15.0-Oss' is up to date.
Repository 'openSUSE-Leap-15.0-Update' is up to date.
Repository 'openSUSE-Leap-15.0-Update-Non-Oss' is up to date.
All repositories have been refreshed.
Category5.TV SBC Benchmark v1.1
Powered by sysbench 1.0.11
Number of threads for this SBC: 4
Performing CPU Benchmark… WARNING: the --test option is deprecated. You can pass a script name or path on the command line without any options.
576.760 events per second. Price: Ģ930.02 per unit.
Performing RAM Benchmark… WARNING: the --test option is deprecated. You can pass a script name or path on the command line without any options.
3,625,781.466 events per second. Price: Ģ0.15 per unit.
Performing Mutex Benchmark… WARNING: the --test option is deprecated. You can pass a script name or path on the command line without any options.
6.873 events per second. Price: Ģ7.80 per unit.

Total Giggle cost of this board: Ģ1,397.58

Giggles (Ģ) are a cost comparison that takes cost and performance into account. While the figure itself is not a direct translation of a dollar value, it works the same way: A board with a lower Giggle value costs less for the performance.
If a board has a high Giggle value, it means for its performance, it is expensive. Giggles help you determine if a board is better bang-for-the-buck, even if it has a different real-world dollar value. Total Giggle cost does not include I/O since that can be impacted by which SD card you choose. Lower Ģ is better.

Being that the suggested retail price is currently $149, we get a Gigglescore of 1,397.58. This is right between the Raspberry Pi 3 B+ and the ODROID XU4 in terms of value for the dollar.

Documentation and Asciidoc

A few weeks ago I wrote a guide for installing OpenSUSE Kubic. I wrote it using my team at work’s lab manual templates in LibreOffice and then exported the output as a PDF. If you ever take a course from SUSE Training, you will receive a complete lab manual like this as a part of your course materials.

I received some good and some less-than-good feedback for this guide from people at SUSECON and on IRC. So a few days ago I began converting the source files from LibreOffice .odt files to AsciiDoc text files and I put them on github.

AsciiDoc is great as a markup language. I can make some very nice and professional output with only a basic “cheat sheet”. The problem is what format do you want your exported to be like? If you want just a standard html, then you can use the asciidoc or the asciidoctor application to export it to html and it looks great. If you want PDF, which is generally how I like distributing documents like this, it isn’t quite what I’m looking for.

So far, I’ve found three ways to export from AsciiDoc to PDF. You can use asciidoctor-pdf which is a plugin for asciidoctor. The asciidoctor-pdf output is nice. It looks quite professional. In the build that I’m linking to, there are some formatting issues that I hadn’t tackled yet, but overall it’s a nice looking document. The second method is with DAPS. DAPS is a technical writing tool from the SUSE Documentation team. In the latest version, 3.0.0, it works natively with AsciiDoc. An intro to AsciiDoc with DAPS can be found here. The output from my files looks like this. Again, it looks pretty nice. However if you look at both of these PDF files from asciidoctor and DAPS, and compare it with the link to my original PDF from LibreOffice above, you will see some important changes. In the original, we in the SUSE Training team have a specific color palette that we use for our documents and I wanted to create a nearly 1:1 translation from LibreOffice to AsciiDoc. Bold Monospace Blue for commands, Bold Monospace Green for urls and filenames, Bold Light Gray for field names. Also, page breaks between sections. This isn’t possible at the time being without me learning how to write my own custom XSLT stylesheets (which probably isn’t going to happen). Is this a negative on AsciiDoc? No, it’s still easier than learning Docbook or TeX. It means that I will need to change how I format my documents using AsciiDoc’s conventions if I use these tools, not my own.

I mentioned that there are three ways to export from AsciiDoc to PDF. The third is with a tool called AsciidocFX. This is a really cool tool that seems to no longer be actively maintained. It gave me the formatting that I wanted in the PDF output, but sadly it gave me a ugly title page which I can probably live with for now. I have mixed feelings about this project. On the one hand, it gives me pretty much what I want but on the other hand, if it isn’t being actively maintained, it’s a bummer. I also have the question whether the color palette that we use for training docs is really as important I think and perhaps I should stick with the standard formatting so that anything that I write look, at least from a format perspective, like what anyone else would write.

I will decide on a standard format soon. The OpenSUSE Kubic installation guide won’t be the last free guide that I write. I’m constantly working on new guides, slide decks, etc. for my day job at SUSE Training, but I also want to contribute to the various open-source communities that I work with more and I think this is a great way to do it.

Onion Services in Windows 10


The following is a proof of concept tutorial on how to create a Tor onion service on Windows 10 using Ubuntu in Windows Subsystem for Linux. This has not been security tested by anyone in the Tor project. It is also not exactly the same directions that I would give someone who wants create an onion service in Linux. Namely that WSfL doesn’t use systemd the way it is meant to be used natively. Instead you have to start system daemons using the old SysV method with /etc/init.d/ Also, services do not continue running after the window has been closed. If someone can find a workaround for that, I’ll gladly update this tutorial.

As for Apache and Tor, they seem to be working normally as long as the Ubuntu window is not closed. The default path for the Apache web server is: /var/www/html/index.html. More info on how to build a website with Apache can be found all over the web.

On with the tutorial!

First, open powershell 64-bit as administrator:

Enable Windows Subsystem for Linux and reboot:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

After rebooting, go to the Microsoft Store and search for Ubuntu 18.04 LTS

Install the App but beware that you will be forced to sign in with a Microsoft account.

Open the new app. You will be prompted to create a local Linux account. This will not be tied to anything else. It is only for your computer.

Update the packages in Ubuntu to the latest versions:

sudo apt update -y && sudo apt upgrade -y

Install Tor and Apache:

sudo apt install apache2 tor -y

Edit the tor configuration:

sudo nano /etc/tor/torrc

Remove the # signs from before the following lines:

DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80

The result should look something like this:

Save by hitting CTRL-x

Start apache and then tor:

sudo /etc/init.d/apache2 start && sudo /etc/init.d/tor start

Get your new .onion site url:

sudo cat /var/lib/tor/hidden_service/hostname

Try your new onion service in Tor Browser!

Posted in Tor

Does it Leak? — Tumbleweed Edition

The following is a spreadsheet that I put together this weekend testing Linux applications and how well the work on Tor.

The first column is the name of the application and the second is the Linux distribution. In this case, I am using the latest build of OpenSUSE Tumbleweed with the latest patches applied.

The Torsocks column is whether or not the application is compatible with torsocks which is a wrapper around an application that send it’s networking requests to Tor instead of the standard internet.

The Proxy column is whether or not the application supports a SOCKS5 proxy with a DNS Proxy, specifically the one used by the Tor application.

The DNS Leak column is a test that I ran with Wireshark to see if any of the applications were misbehaving with DNS. i.e. Did they try to use DNS even though I set a proxy not to use it and/or did they go around the torsocks application and use DNS directly?

In the No DNS Test, I commented out the nameserver entry in /etc/resolv.conf so that the VM that I was using as a whole would not have access to DNS. Would the application be able to use DNS via Tor alone?

Finally, I tested to see if the application could reach a .onion site. I don’t have a OpenSUSE Repo in an .onion site or a steaming service like youtube to try so I didn’t test those.

ApplicationLinuxTorsocksProxyDNS LeakNo DNS Test.onion

My findings were that none of the applications that I tested had DNS Leaks though there could be other issues that I did not test for. If your concern is strictly about privacy and not being tracked, the official Tor Browser is the way to go. However I am keenly interested in other applications for Tor so this is my first step in finding what could be possible.

Anonymity is Important

Let’s begin with something useful.

In order to use Tor, you ideally need a browser that can access it. The Tor Browser on desktop platforms, formerly known as the Tor Browser Bundle, and the Orfox Browser with the Orbot app on Android are the suggested browsers. Why? Tor takes anonymity seriously.

The four log entries below are from 4 browsers that are using Tor.

Brave: - - [10/Nov/2018:12:56:19 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "http://irvdwucxcq6kb2nm.onion/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
Firefox: - - [10/Nov/2018:13:00:58 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Tor Browser - - [10/Nov/2018:12:57:27 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
Orfox - - [10/Nov/2018:13:04:53 +0000] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"

The first log entry is from the Brave browser (https://www.brave.com) which has Tor built in into their Private Window mode. This is a really neat concept, but you gain a lot of information about the person using this browser and that makes them stand out. You can see which website that I am trying to access. You can see that I am running 64-bit Linux. You can also see that I am running a browser based on Chrome. None of these things tell you exactly who I am but they fingerprint me as someone who stands out. The goal of anonymity is it blend in with the rest of the internet.

The second entry is normal unmodified Firefox running on Tor. This is a little better. It almost completely matches the entry for Tor Browser, except that it gives away my operating system and it is a not running the same version as the Tor Browser.

I didn’t change to a Windows PC to test the Tor Browser, all versions will always report the same information. It will always report that it is being used in Window since it is the most widely used operating system. It’s important to keep it up to date not only to apply bugfixes but to keep in line with all of the rest of the Tor Browser users.

The final entry is for Orfox. Yes, you can see that I am running it on Android as it is based on the Firefox app for Android. This is a bit of a negative. Preferably you would want it to appear to be the same as the normal Tor browser but there is probably a trade off. All copies of Orfox, no matter the device or version of Android, should look the same. However in order to get mobile versions of websites suitable for a mobile device, the browser needs to identify itself as a mobile browser. We’ll discuss more about fingerprinting in a later chapter.