Category: Networking

This week, on “Capitalism,” technicians are forced by employment contract to not educate customers.

I just wrote this really long comment elsewhere and after I posted it realized it might actually be useful to many folks here if they are struggling to make ends meet or to pay bills. So, here ya go. May your dependence on capitalism decrease as your experiences increase.

(Context for this is that a lot of people pay cable companies for “bundles” or “packages” or “upgrades” that, on their face, sound like a good deal, but are actually not. Here’s why.)

In most places I’ve been, it’s actually cheaper not to bundle TV with Internet service because the Internet service you get with bundled TV is actually unusable, so the upsell is literally worse than useless.

For instance, a friend of mine was telling me about the recent Time Warner Cable/Spectrum strike in NYC, and from what I hear part of the sticking point is that Time Warner sells this “300Mbps upgrade” for about $40 a month. This is slightly cheaper with a bundled TV package, but not drastically.

What this actually means, for anyone who doesn’t know the technical details of this, is that Time Warner will let you download files at about 300 million bits per second (Mbps), which is something like 37 megabytes per second. So, if you were downloading a file that was 37 megabytes (maybe the PDF of a textbook or something), you would be able to get it on your computer in about 1 second.

The kicker, though, is that most houses which purchase this “upgrade” are connected to the modem using a 100BASE-T Ethernet cable, which has a theoretical maximum speed of only 100Mbps. So this means, even if you’re paying for a 300Mbps “upgrade,” there is still a bottleneck that is only one-third the capacity and no amount of service plan changes will fix it, because the problem is the physical cabling installed in the apartment complex or in the house. You could buy a “fastest Internet in the whole world” package deal and still only get 100Mbps top speeds.

On top of that, most people don’t even use cabling. They use Wi-Fi. And the most ubiquitous form of Wi-Fi is called 802.11g, whose maximum theoretical speed is 54Mbps, or 54 million bits per second. In other words, a quarter of the speed of the super popular “upgrade” package sold by Time Warner. However, unlike physical cable, Wi-Fi is (wireless) radio, which means things like microwaves and other household appliances interfere, further reducing that 54Mbps theoretical maximum. Most of the time, a typical home Wi-Fi setup in a city will see Wi-Fi speeds slow to 34 or even 24Mbps at most.

That’s bad enough, but why the strike? Well, Time Warner contracts with technicians who, of course, know all this stuff. They apparently get called out on so many support calls from customers who want to know “why the Wi-Fi isn’t working well,” and there’s literally nothing they can do to improve the situation, because Wi-Fi can’t, by DESIGN, function at the speeds Time Warner is selling. But the real kicker is that, according to their contract, the technician is not allowed to tell the customer that this is what’s happening, because anyone in their right mind who understands how this works would immediately cancel their package subscription with the upgrade charges and so on, since it is physically impossible for them to make any use of it. There is no benefit to ever buying it, unless you rewire your building.

And yet people do buy it. Why? Because it’s a “package” deal, it’s sold and marketed as “better! faster! stronger!” and even then, when a customer has “trouble” with something about “the Internet,” the Time Warner Cable/Spectrum support personnel on the phone and whatnot encourage the upsell.

It’s 21st century snake oil.

Anyway, my point is, if you take a closer look at the Internet Service Provider plans in your area with someone who knows what they’re doing (not saying that you don’t know what you’re doing, I’m just writing this for readers and passers-by), it’s very often possible to get identical Internet service for close to half of the price that most people pay for it. I’ve helped some people evaluate this for their households during my travels, and each time, after several months, the answer to “Have you noticed a difference in service or speeds?” is “No.”

And of course that’s the answer. Because that’s how physics works.

How to: Securely configure Mac OS X for network packet sniffing with Wireshark

If you’re anything like me, you often run into a computer problem or five that could be diagnosed more quickly by taking a peek at activity on the network. The best general purpose tool for inspecting network activity has gotta be Wireshark. It’s an industry-standard, open source packet sniffer that you can use for fun and profit. But on many Mac OS X builds, the default configuration for packet capturing is less secure than it ought to be. Here's how to fix that on your Mac.

One Minute Mac Tip: Open multiple Tor circuits in the new TorBrowserBundle 3.5 for Mac OS X

Earlier this month, the Tor Project released a new version of the Tor Browser Bundle, an easy-to-use anonymity-enhancing Web browser. In a previous post, I discussed how to use the Tor Browser Bundle (TBB) for other applications on your computer, such as Safari and even This post has updated instructions for doing some of the “fancy” things that the new TBB no longer provides a graphical user interface to do.

You should already have the newest Tor Browser Bundle installed on your Mac and have followed the steps in “HowTo: Use Tor for all network traffic by default on Mac OS X” for configuring a new Network Location to use Tor.

As of version 3.5, the Tor Browser Bundle on Mac OS X no longer ships with Vidalia, the GUI that lets you configure your connection to the Tor network. Instead, this is packaged as a Firefox add-on called TorLauncher. This add-on doesn’t have any GUI yet, but since it’s still a full-fledged Tor, you can access its advanced features using Tor’s configuration file.

Editor’s note: When I first wrote this guide, I suggested editing the torrc-defaults file to apply your customizations, but it is actually better to edit the torrc file. This second file overrides any configurations made in the torrc-defaults file and your customizations will be preserved even after Tor Browser auto-updates itself. Therefore, wherever you see torrc-defaults below, just replace this with torrc instead.

From the Finder, right-click (or control-click) on the TorBrowserBundle application and select “Show Package Contents.” A window will open showing the folders and files that make up the application bundle. The file we’re looking for is called torrc-defaults, which the TorLauncher uses to configure Tor (essentially the equivalent of Vidalia’s old “Settings” screen). That file is located in Data/Tor/torrc-defaults, as shown below:

TorBrowserBundle torrc-defaults in Mac OS X Finder

Open the torrc-defaults file with any text editor (such as TextEdit). Its contents are a Tor configuration file, and they’re pretty simple:

# If non-zero, try to write to disk less frequently than we would otherwise.
AvoidDiskWrites 1
# Where to send logging messages.  Format is minSeverity[-maxSeverity]
# (stderr|stdout|syslog|file FILENAME).
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
SocksPort 9150
ControlPort 9151
CookieAuthentication 1

Using configuration directives in this file, you can tell Tor to, for example, use a specific country as an exit node so that you appear to always be accessing websites from the country you specify (useful for avoiding country restrictions on video content). You can also use it to open multiple Tor circuits for privacy reasons, as discussed in my previous post. That’s what we’re going to do.

To set up multiple circuits, simply delete the line that starts with SocksListenAddress and replace it with a line that reads like SocksPort 9050 (where 9050 is whatever port you want to use as your additional circuit). Here’s what my torrc-defaults looks like:

# If non-zero, try to write to disk less frequently than we would otherwise.
AvoidDiskWrites 1
# Where to send logging messages.  Format is minSeverity[-maxSeverity]
# (stderr|stdout|syslog|file FILENAME).
Log notice stdout
# Bind to this address to listen to connections from SOCKS-speaking
# applications.
SocksPort 9048
SocksPort 9049
SocksPort 9050
SocksPort 9150
ControlPort 9151
CookieAuthentication 1

Save this file, quit the TorBrowser, and re-open it. Tada. You can even open up your Console to watch the logs as Tor starts:

Console watching TorBrowser with multiple SocksPort

Don’t forget that using Tor by itself is not a guaranteed invincibility shield. To really make Tor work for you, you’ll need to change some of your habits.

HowTo: Use Tor for all network traffic by default on Mac OS X

Recently, I had the gratifying experience of doing some political work that earned me a bunch of hate mail and some threats of physical violence. It had already gotten to the point where I was being harassed by a self-described “Internet stalker” who would call up venues I went to and get the employees to find me and give me the phone. Enough is enough.

This prompted several changes in my behavior in order to protect myself. For instance, I started “checking in” to venues on Foursquare as I left rather than as I arrived. For the full belt and suspenders, I also started making much heavier use than I’d previously been doing of privacy-enhancing services like Tor: The Onion Router.

Tor is a best-in-class, free, open source anonymizing network proxy. Using a tool like Tor can help you obscure details about who you are and what you’re doing from an Internet Service Provider (ISP), company network filter, or other entities. And it turns out that its reputation as a piece of black magic is largely undeserved. Tor is simple to set up, very strong, and woefully underutilized by “normal people.”

So I thought I’d do what I can to demystify Tor and encourage you to use it, even if you’re a muggle rather than a technomage. :)

Why use Tor?

Every time you turn on your computer, you’re sending all kinds of signals to all kinds of people and companies about who and where you are, and what you’re doing. Naturally, some of these are necessary to complete your tasks, like logging into your email account to read your messages. But if you’re using a Wi-Fi hotspot at a café, why should everyone at the café, the café’s owners, and the café’s ISP know that you’re checking your email? Moreover, why should your email provider know that you’re at that specific Joe’s Coffee on the corner?

I realize this might not seem like a big problem to most people. After all, everyone and their mother knows you fancy the cute barista at Joe’s Coffee since you’ve confessed your undying love of their ability to serve you a mocha with perfect latte art every time, you snob. But after just a few visits to Joe’s, it becomes pretty easy for any of those companies (or, more to the point, the unscrupulous employees working in the IT department) to guess your next move, since you’ve (unknowingly?) been sharing your every move with them already. And it’s trivial for government agencies to do the same kind of spying on you.

Now, you might not be worried about government agencies tracking you, and you might feel like you have some legal recourse if a company abuses your information, but as an individual (who “has nothing to hide”), you are more likely to be targeted or stalked by other individuals than by institutions. This was exactly what happened to me when I picked up my mob of cyberbullies. So if you leave an “anonymous” comment on a blog, why tell the blog owner where you are?

What Tor can and can’t do

Tor isn’t magic. It’s not going to make you “Invincible!” That’s why when you go to download Tor the first thing you’ll see is a warning from the developers saying “You need to change some of your habits” for Tor “to really work.” I recommend reading their list of warnings, but at the end of this howto I’ll also offer you some guidelines for a few simple things you can do to set yourself up for success.

For now, you simply need to understand that Tor isn’t encryption. For instance, if you log into Facebook without checking for the little lock icon in your browser (HTTPS, or SSL/TLS) then people who are watching Internet traffic can still see, intercept, and modify the pages you’re seeing. Moreover, Facebook still knows who you are, and if you load any page that has one of Facebook’s “Like” widgets installed, Facebook will still be able to track where you go online. It’s just that, if you use Tor, Facebook won’t know where you are in person.

To block trackers like Facebook’s “Like” button, see the “Block trackers and web bugs” section at the end of this post.


Okay, so. Here is the world. Round! I mean, how are we gonna make this work?

Privacy and security are both like a chain. The strength of the chain is only as strong as its weakest link. So in order for something like Tor to be useful, you need to use it for anything and everything, if possible. Moreover, the more people who use it, the more useful it becomes for everyone using it since fewer and fewer uses of Tor will, themselves, arouse suspicion. Private browsing should be the default, not the exception.

But in order for something like Tor to actually get used, it needs to be unobtrusive, easy to use, and easy to stop using. In other words, we need a quick and easy “On/Off” switch for using Tor or not using Tor. We’ll get there, and then we’ll go one step further.

Step 1: Install the Tor Browser Bundle

First things first. Install the Tor Browser Bundle (TBB). Do this:

  1. Using your Web browser, go to the Download Tor page.
  2. Find the software for your operating system. Download and install it just as you would any other piece of software.

EDITOR’S NOTE: At the time of this article’s publication, the Mac OS X version of the Tor Browser Bundle included an additional application called Vidalia that offered a graphical interface for managing your connection to the Tor network. When version 3.5 of the Tor Browser Bundle for Mac OS X was released, Vidalia was replaced with a component built into the TorBrowser itself. The bad news is that advanced configuration of your connection to the Tor network on Mac OS X is harder. The good news is that, if you don’t want to do anything fancy, you can just ignore every part of this article that references “Vidalia” and assume that whatever was described in that step is already done for you; this means you can skip all of “Step 2.” If you do want to do the fancy stuff, see “One Minute Mac Tip: Open multiple Tor circuits in the new TorBrowserBundle 3.5 for Mac OS X.” With this new Tor Browser Bundle at version 3.5.x, as long as you keep the TorBrowser open, then by default you’ll have a connection to the Tor network on port 9150. Thanks, Tor developers!

The Tor Browser Bundle is a package deal. It gives you the Tor software itself, plus a graphical tool called Vidalia used to manage and configure your connection to the Tor network, as well as a completely clean browser based on Mozilla Firefox with some privacy-enhancing add-ons already pre-installed. When you run the TorBrowser for the first time, all three applications open and you’re sent to If everything’s working as it should, you’ll be greeted with a message that reads “Congratulations. Your browser is configured to use Tor.”

If all you wanted to do is browse the Web anonymously, you’re technically done. Using the TorBrowser, you can bypass Web censors that filter your view of the Web and surf the ‘net reasonably assured that your identity can’t be tracked (as long as you don’t log in to any services with your account, obviously).

However, only the TorBrowser application is using Tor. This means you’re still trackable if you use another browser. In fact, if you now go to in Safari, you’ll see a message that reads “Sorry. You are not using Tor.”

Let’s fix that.

Step 2: Configure Tor to use an unchanging port

Since Tor is a network proxy, it works by accepting connections, forwarding them on behalf of the initiator, and then passing back any responses it receives. This means you need to tell your operating system to send connection requests it wants to make to Tor instead of out onto the network itself. But in order to do that, you need to know where Tor will be listening for connection requests.

EDITOR’S NOTE: In the past, the Tor Browser Bundle was configured to automatically find an unused network port. It was recently changed to use port 9150 by default. But since this guide was written before that change, its instructions refer to port 9050. All this means is that wherever you see me refer to port 9050 or similar, replace it with 9150 instead. (Thanks, milo!)

By default, the Tor Browser Bundle is configured to look for an unused network port on your system and use that. But this means we can’t know, ahead of time, where Tor will be listening, so we’re going to disable this feature and instead use a static port. The Tor FAQ provides instructions for doing this:

In Vidalia, go to Settings → Advanced and uncheck the box that says ‘Configure ControlPort automatically’. Click OK and restart TBB. Your Socks port will then be on 9050.

Step 3: Make a new Network Location for Tor

At this point, you should have a running Tor instance listening on its default port (9050) for incoming connection requests. All you need to do now is tell your operating system to send all its network requests to that location. To do this, we’ll make use of Mac OS X’s Network “Locations” feature. A network Location is simply a set of preferences you can switch to using the Apple menu.

Apple provides instructions for making a new Network Location:

  1. Choose System Preferences from the Apple menu.
  2. Choose Network from the View menu.
  3. Choose Edit Locations… from the Location menu.
  4. Click the + icon to add a new location.
  5. Type a name for your new location, such as Mobile, then click Done. […]

In the last step listed above, I typed “Automatic (via Tor [localhost:9050])”, because I like to stuff as much information as possible into the names of things, but you can type whatever makes sense to you.

At this point, we have a “toggle” for turning our system-wide use of Tor on or off, but the toggle doesn’t actually toggle anything, yet.

Step 4: Configure your new Network Location to use Tor

With your new Network Location for Tor active, do this:

  1. Select Airport from the list of interfaces.
  2. Click Advanced…. The advanced Airport network options sheet will open.
  3. Click Proxies in the list of panes.
  4. Activate SOCKS Proxy by ticking its checkbox in the Select a protocol to configure: box.
  5. In the SOCKS Proxy Server box, type localhost and 9050. (Remember, 9050 is the port Tor is listening on. If you used more than one SocksPort in Step 2, you can use any of the port numbers you configured.)
  6. Click OK and then click Apply.

Repeat the above steps for each interface you have available, such as “Ethernet.”

To test that this worked, while you are connected to the Internet and have your Tor Network Location active, open Safari and go to If you were presented with the congratulatory message, you’ve done everything right!

At this point, any time an app on your system tries to access the network, the connection will be routed through Tor. All the built-in applications, like, and all well-behaved third-party applications, will now be transparently proxied through the Tor network. Some applications, such as Adium, may still need to be explicitly told to use the “system wide” configuration rather than the app’s own defaults, though, so I strongly suggest double-checking the network preferences for every app you use. And if you’d like to isolate Adium’s or any other specific application’s network traffic from other traffic you send, then configure the app to use a SOCKS proxy on one of the additional Tor listening ports you configured in Step 2.
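Any application that speaks SOCKS5 itself can be pointed straight at one of Tor’s listening ports instead of relying on the system proxy. The following is an added example, not code from this post or from the Tor Project, of the handshake such a client performs: it carries the hostname inside the SOCKS request so that Tor does the name lookup and the local DNS server never sees it, and the socks_port argument picks which SocksPort (and therefore which circuit) the application uses. Assumed: Tor is listening on localhost:9150, and the check.torproject.org connection is only attempted in the stand-alone run at the bottom.

```python
import socket
import struct
from typing import Tuple

# Added example, not the post's code: a minimal SOCKS5 client for the local
# Tor listener.  9150 is the default from the post; pass another configured
# SocksPort (9048, 9049, 9050, ...) to give an application its own circuit.
TOR_SOCKS_HOST = "localhost"
TOR_SOCKS_PORT = 9150


def build_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHOD=0x00 (no authentication), which Tor's
    # SOCKS port accepts.
    return b"\x05\x01\x00"


def build_connect(host: str, port: int) -> bytes:
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain name).  Sending the name
    # rather than an IP means Tor resolves it inside the circuit; this
    # process never issues a DNS query of its own.
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 domain names must be 1-255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_reply(data: bytes) -> Tuple[int, str, int]:
    """Decode a SOCKS5 reply into (REP code, bound address, bound port)."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 1:                                    # IPv4
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == 3 and len(data) > 4:                # domain name
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == 4:                                  # IPv6
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("bad or truncated address in reply")
    if len(data) < end + 2:
        raise ValueError("truncated SOCKS5 reply")
    (bnd_port,) = struct.unpack("!H", data[end:end + 2])
    return rep, addr, bnd_port


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS connection closed early")
        buf += chunk
    return buf


def _recv_reply(sock: socket.socket) -> bytes:
    # Read the fixed 4-byte header, then exactly the bytes the ATYP implies.
    head = _recv_exact(sock, 4)
    if head[3] == 1:
        rest = _recv_exact(sock, 4 + 2)
    elif head[3] == 3:
        n = _recv_exact(sock, 1)
        rest = n + _recv_exact(sock, n[0] + 2)
    elif head[3] == 4:
        rest = _recv_exact(sock, 16 + 2)
    else:
        raise ValueError("unknown address type %d" % head[3])
    return head + rest


def connect_via_tor(host: str, port: int, socks_port: int = TOR_SOCKS_PORT,
                    timeout: float = 60.0) -> socket.socket:
    """Return a TCP socket to host:port whose traffic leaves via Tor."""
    sock = socket.create_connection((TOR_SOCKS_HOST, socks_port), timeout=timeout)
    try:
        sock.sendall(build_greeting())
        if _recv_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("SOCKS port did not accept the no-auth method")
        sock.sendall(build_connect(host, port))
        rep, _, _ = parse_reply(_recv_reply(sock))
        if rep != 0:
            raise ConnectionError("Tor refused the stream (SOCKS reply code %d)" % rep)
    except Exception:
        sock.close()
        raise
    return sock


if __name__ == "__main__":
    # Stand-alone run: needs the Tor Browser open so that port 9150 is listening.
    s = connect_via_tor("check.torproject.org", 443)
    print("TCP stream to check.torproject.org opened through Tor; closing it")
    s.close()
```

A client that instead resolves the name itself and sends an IPv4 address (ATYP 1) still gets a circuit, but the lookup has already gone to whatever DNS server the hotspot handed you.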

You can now easily toggle Tor on and off simply by changing the active Network Location from the Apple Menu.

On my computer, the Network Location for Tor is the default, and I almost never change it away from that. I also set up the TorBrowser to open when I log in to my computer. (For obvious reasons, when the Network Location is set to use Tor but Tor isn’t running, it’s as if I have no internet connection available.) This means I now tunnel all my traffic through Tor by default.

But all or nothing is a rather blunt approach. Sometimes I really don’t want to use Tor, such as when I’m editing Wikipedia (which expressly blocks Tor exit nodes from making edits), so let’s set up some finer-grained control. We can do this in one of two ways. I’ll show you both, but I only use the latter.

Step 5-A: Bypass Tor using Network Proxies Preferences

If you know you never want to use Tor for specific domains or websites, you can enter them in a comma-separated list back where you set up the SOCKS proxy. For instance, if you never want to use Tor to get to Wikipedia, enter , into the “Bypass proxy settings for these Hosts & Domains:” text box, as shown below:

Screenshot of Mac OS X Proxies Network Preferences.

You can also use this method to bypass Tor for multi-media sites like YouTube or Pandora Internet Radio, which are often frustratingly slow when proxied. Just be aware that any time you bypass Tor, the server you’re connecting to gets additional information about you from your IP address, and so on, so use this sparingly.

Anyway, this configuration will always bypass Tor for accessing any domain name regardless of what application initiated the connection. For instance, I monitor my Wikipedia watchlist using RSS feeds in, but I read and edit Wikipedia in my Web browser.

Since there’s no issue reading Wikipedia over Tor, only editing, using this configuration isn’t as private as it could be. I’m leaking information to Wikipedia about my whereabouts even when I’m just reading their articles. That’s why I don’t use this configuration, opting instead for a Web browser proxy manager that lets me bypass Tor only when I’m making an edit.

Step 5-B: Bypass Tor on-demand using Web browser proxy managers

A more secure (and, in my humble opinion, more convenient) option for bypassing Tor is to use a Web browser proxy manager, such as Proxy SwitchySharp for Google Chrome or FoxyProxy, which works in Mozilla Firefox, Google Chrome, and Internet Explorer. Since I use Proxy SwitchySharp, I’ll describe how I’ve set up that tool to bypass Tor so I can edit Wikipedia and more comfortably stream music from Pandora.

Do this:

  1. If you haven’t already, install Proxy SwitchySharp to your Google Chrome Web browser.
  2. Once installed, click the Proxy SwitchySharp icon (which looks like a grey globe) and select Options.
  3. Click the + New Profile button to create a new Proxy Profile.
  4. In the Profile Name field, type a meaningful name. I chose “Tor (localhost:9050)”.
  5. Select the Manual Configuration radio button.
  6. In the SOCKS Host field, type localhost. In the associated Port field, type 9050. Remember, this is where Tor is listening for connections.
  7. Select the SOCKS v5 radio button. (SOCKS5 is what Tor uses. SOCKS4 is an older protocol we don’t need for this purpose.) When complete, it should look something like the following screenshot:
    Screenshot of Proxy SwitchySharp Options screen showing several Proxy Profiles.
  8. Click Save.

Proxy SwitchySharp lets you change Google Chrome’s proxy settings at the press of a button. It’s basically Network Locations but for Chrome instead of your whole Mac OS X system. If you want to send Chrome’s traffic through a different Tor circuit from any other application’s traffic, be sure to use a SOCKS port number in this Proxy Profile that’s different from the SOCKS port number you used for your Tor Network Location. You can also make multiple Proxy Profiles that each use a different port number you configured in Step 2.

In addition to each Proxy Profile you define (and, as you can see, I’ve defined three), Proxy SwitchySharp also always offers a “Direct Connection,” which means no proxy is used. Have a go at changing your active Proxy Profile and reloading to get a sense of what it’s like.

When you’re comfortable with that, do this:

  1. Open the Proxy SwitchySharp Options page again, and this time select the Switch Rules tab.
  2. If it isn’t already, tick the checkbox labelled Enable Switch Rules.
  3. In the “Default Rule” row, select the Proxy Profile you created for Tor from the Proxy Profile drop-down menu. This sets Proxy SwitchySharp to use Tor by default when you use the smart Switch Rules feature, which we’re about to.
  4. At the bottom of the rules table, click the + New Rule button.
  5. In the Rule Name column, type a meaningful name. I chose “Wikipedia editing” but, obviously, make the name relevant to the function of the rule.
  6. In the URL Pattern column, copy-and-paste the URL you want to access using a different profile, and replace any variables with an asterisk (*) or the appropriate regular expression. For editing the English Wikipedia, I entered:\?title=.*&action=(edit|submit)
  7. In the Pattern Type column, choose the appropriate pattern. For the pattern to edit English Wikipedia pages, I set it to “RegExp”. (Regular expressions are beyond the scope of this how to. Suffice it to say that they’re extremely powerful, but you can also just use several different wildcard expressions to achieve the same effect.)
  8. In the Proxy Profile column, select [Direct Connection].
  9. Click Save, and close the tab.
  10. Click the Proxy SwitchySharp icon (the grey globe) and select Auto Switch Mode.

That’s that! With this Proxy Rule configuration, which is very reminiscent of email rules, all of my Web browsing with the exception of editing Wikipedia articles will automatically be routed through Tor. I can now add additional bypass rules for browsing, say, or if I really wanted, and when I go to those sites, Proxy SwitchySharp will automatically re-route the network request away from Tor.

However, I prefer to write as few exceptions as possible, and sometimes I get a Tor connection that’s good enough to let me stream short videos, anyway. I don’t really mind the slowdown I experience using Tor because it forces me to do more of my work in batches (like email) and respond slower, to think more, to other things (like Twitter).

Still, sometimes Tor will dump me on the Internet from Romania or some country where Pandora blocks access. In those cases, I can click the Proxy SwitchySharp icon and select the name of the domain (in this case, “”), which adds a temporary rule for the current website. Next time I open Pandora, Chrome will first attempt to connect through Tor—the default Proxy Profile I’ve set—again, which is what I want.

Step 6: Change your habits

You’ve now got your computer routing all of your network traffic through Tor by default, which protects you from the prying eyes of your ISP and your fellow Wi-Fi café patrons, but there’s still more you can do. For those of you who think the belt-and-suspenders approach is just too groovy to ignore, here are some additional things you could do to protect your privacy.

Consider using DNSCrypt to keep your DNS queries private, too.

When you joined that Wi-Fi hotspot, you were given the address of a Domain Name System (DNS) server operated by the ISP of whoever’s running the hotspot. A DNS server is a computer your computer asks to translate domain names (like “”) into IP addresses. Even though you’re now using Tor for Web browsing, your computer will still have to eventually ask a DNS server for the IP address of the websites you’re going to. This means whoever operates that DNS server is going to know where you’re going, because you’re asking them for directions! is a reputable company who offers a free utility called DNSCrypt that sets up an encrypted tunnel between your computer and their DNS servers. Using DNSCrypt, you’re not asking the Wi-Fi hotspot’s ISP for directions to websites. In fact, they never even know you’re sending DNS queries.

Block third-party cookies.

Cookies have long been a notorious privacy concern, but they’re also fundamental to the way the Web works. However, third-party cookies are arguably only useful for tracking purposes. We really don’t need them.

Sadly, every major browser vendor currently ships with third-party cookies enabled by default, with the notable exception of Apple’s Safari. If you’re not already blocking them, consider doing so. Instructions for blocking third-party cookies depend on the browser you’re using, and are left as an exercise for the reader.

That said, Steve Gibson over at offers a very thorough breakdown of cookie privacy and related Internet surveillance issues.

Block trackers and web bugs.

As mentioned earlier, just using Tor won’t stop the Web server sending you the page that you’re loading from knowing who you are. And if that page contains an advertiser’s tracking code, then the advertiser will still be able to track you. To stop this from happening, you need to take some extra steps to pro-actively block trackers (sometimes called “web bugs,” “beacons,” or “widgets”) from loading and running code in your browser.

I recommend installing at least the following browser add-ons:

The only trustworthy ad blocking add-on also happens to be both the best and simplest one: uBlock Origin, and it is available for both Mozilla Firefox and Google Chrome. It’s actually a general-purpose blocking tool that is more akin to an HTML firewall than merely an “ad blocker,” but that also means it’s the best ad blocker around. Don’t bother with AdBlock Plus, Ghostery, or Each of those tools is made by a company that actually tracks you. :(

Use HTTPS, everywhere.

While Tor will stop people in your immediate vicinity from snooping on your network traffic, it isn’t a substitute for end-to-end encryption. In other words, if you request an insecure connection, you’ll get an insecure connection on that last hop from the Tor network to your final destination. Therefore, you really want to use HTTPS (SSL/TLS) everywhere you can. Luckily, the Electronic Frontier Foundation (EFF), the same folks who champion Tor, wrote a browser add-on called HTTPS Everywhere that does just that. In fact, it even comes bundled with the TorBrowser! Install it, use it, love it!

Anonymize your search queries.

In addition to outright tracking, monitoring, and other direct surveillance techniques, your identity and activities can be determined by inference after collating and analyzing a bunch of data about you. Your “Internet paper trail” (or “data trail”) can reveal things about you just as your IP address can. That’s why it’s prudent to do what you can to anonymize as much of your data trail, such as your search history, as possible.

Google claims to offer private search and the ability to erase your Google search history, but why give it to them in the first place? The TorBrowser’s home page is set to, which is a privacy-focused search service. It does a bunch of stuff to protect your privacy, and it’ll even proxy your search query to Google and return their results for you, so you don’t even have to stop using fancy Google search features.

To make sure I don’t accidentally query Google, I’ve switched my default search engine in all my Web browsers to use Consider doing the same!

Fake your Referer HTTP header

When you click on a link from a given web page, let’s call it Page A, and that link takes you to another page, let’s call it Page B, your browser adds a bit of information to the request for Page B telling Page B’s server that you came by way of Page A. This information is known as a Referer [sic] header because it tells the server you’re accessing which server referred you to it. If someone were to examine all the Referer headers you sent to all the servers you visited (for instance, if they sold this information to advertisers, which they do; it’s called your “clickstream”), then that person could figure out the exact path you took through the Web that day.

Most Web browsers have an add-on that lets you control or disable the Referer header, and I’d suggest installing and using one. On Google Chrome you can use Referer Control for a simple solution, or ScriptSafe for a more robust one, which by default masks your Referer header as well as disabling JavaScript (another best practice, but outside the scope of this article).

Use your Web browser’s private browsing mode

In technical terms, a Web browser is called a User Agent because it’s basically the embodiment of you, on the Web. Now, you’re pretty unique. Your hair color, eye color, height, weight, and a vast array of other biometrics can be used to identify you. You’ve got a literal fingerprint, too. What you need to be aware of is that so does your Web browser. Everything from the make and model of your browser to your screen size to the fonts you have installed on your system can be used to pick you out of a crowd (of Web browsers).

This is even more true if you’ve gone all power-user and tricked out your cyber ride with a bunch of extensions and add-ons that weren’t written with privacy in mind. If that description fits you, then consider using your Web browser’s private browsing mode for any cyber-sleuthing you’re doing while trying to keep a low profile. On Google Chrome, this mode is called “Incognito,” but many other browsers have similar features where add-ons, bells, and whistles are disabled.

To test how unique (or plain-Jane) you are online, use the EFF’s Panopticlick, where you’re hoping for a low uniqueness score, labelled on their site as “bits of identifying information.” Section 6 of their whitepaper (on page 16 of this PDF) called “Defending Against Fingerprinting” is also worth a read. (TL;DR? Use NoScript, and tools like it.) Also, while not identical to Chrome’s Incognito mode, Mozilla Firefox has a “Safe Mode,” which might help.
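To make Panopticlick’s “bits of identifying information” concrete, here is an added example (my code, not the post’s or the EFF’s) that scores a browser against a constructed sample of eight: each attribute’s surprisal is -log2 of the fraction of sampled browsers sharing that value, and the joint figure is capped at log2 of the sample size.

```python
"""Added example (not from the post or the EFF paper): score a browser's
"bits of identifying information" against a sample, Panopticlick-style."""
import math

# Constructed sample of eight browsers, each an attribute -> value mapping of
# the kind Panopticlick collects.  Not real measurements.
SAMPLE = [
    {"user_agent": "Chrome/24 (Mac)", "screen": "1440x900x24", "fonts": "system default", "plugins": "Flash,PDF"},
    {"user_agent": "Chrome/24 (Mac)", "screen": "1440x900x24", "fonts": "system default", "plugins": "Flash,PDF"},
    {"user_agent": "Chrome/24 (Mac)", "screen": "1920x1080x24", "fonts": "system default", "plugins": "Flash"},
    {"user_agent": "Chrome/24 (Mac)", "screen": "1440x900x24", "fonts": "system default + Fira", "plugins": "Flash,PDF"},
    {"user_agent": "Firefox/19 (Win)", "screen": "1440x900x24", "fonts": "system default", "plugins": "Flash,PDF"},
    {"user_agent": "Firefox/19 (Win)", "screen": "1920x1080x24", "fonts": "system default", "plugins": "Flash"},
    # The tricked-out power user: unusual on every attribute.
    {"user_agent": "Firefox/19 (Linux)", "screen": "1280x800x24", "fonts": "system default + 42 extra", "plugins": "Flash,Java,VLC,Gears"},
    {"user_agent": "Safari/6 (Mac)", "screen": "1440x900x24", "fonts": "system default", "plugins": "Flash"},
]


def surprisal_bits(matches, n):
    """-log2(matches/n): how surprising a value shared by `matches` of `n` browsers is."""
    return -math.log2(matches / n)


def attribute_bits(sample, target):
    """Bits each attribute reveals on its own (Panopticlick's per-row figure)."""
    n = len(sample)
    return {
        attr: surprisal_bits(sum(fp.get(attr) == value for fp in sample), n)
        for attr, value in target.items()
    }


def joint_bits(sample, target):
    """Bits revealed by the whole fingerprint: how many sampled browsers match it exactly."""
    return surprisal_bits(sum(fp == target for fp in sample), len(sample))


def report(sample, target):
    """Per-attribute bits, their naive sum (assumes independence, so it overcounts),
    the joint figure, and the ceiling log2(n) that a sample of n can ever show."""
    if target not in sample:  # a browser is scored against a sample that includes it
        sample = sample + [target]
    per_attr = attribute_bits(sample, target)
    return {
        "attributes": per_attr,
        "naive_total": sum(per_attr.values()),
        "joint": joint_bits(sample, target),
        "ceiling": math.log2(len(sample)),
    }


if __name__ == "__main__":
    for label, target in (("plain-Jane", SAMPLE[0]), ("power user", SAMPLE[6])):
        r = report(SAMPLE, target)
        print(f"{label}: joint {r['joint']:.2f} bits "
              f"(naive sum {r['naive_total']:.2f}, ceiling {r['ceiling']:.2f})")
        for attr, bits in r["attributes"].items():
            print(f"   {attr:11} {bits:.2f} bits")
```

The power user is unique on every attribute, so the naive sum says 12 bits while the sample can only ever show 3; the number Panopticlick reports depends as much on the size of its sample as on your browser.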

Spoof your MAC address.

Every piece of network hardware, called a Network Interface Card (or NIC), contains its own globally-unique serial number, which itself is called a Media Access Control (or MAC) address. (Don’t confuse this with your Apple Mac’s serial number!) When you connect to a Wi-Fi hotspot or plug into a wired Ethernet network, your computer sends this MAC address to other computers on the physical network you’re connecting to as part of a lower-level protocol (called Address Resolution Protocol or ARP) in order to establish its physical connection to the network.

Every network-capable device, including Wi-Fi routers, has such a MAC address. Anyone can scan the network looking for these addresses. And yup, you guessed it, this MAC address can be tracked to the computer you’re using, which can then be tracked to you.

Think of a NIC’s MAC address like a license plate on a car, posted on the outside for anyone within line of sight to see. Changing your MAC address is called “spoofing,” and while spoofing a MAC address is a bit of a pain on Mac OS X, it can be done. I recommend doing this if you’re willing to get your hands a bit dirty.

Turn on “Do Not Track” and “Tracking Protection” options.

Remember telemarketers? I hate telemarketing. To stop them from calling, I listed myself in the “Do Not Call” list. When they called me anyway, I’d ask them to identify what company they worked for, and then I’d file FCC complaints against those companies.

While not quite the same thing, an emerging technology standard called “Do Not Track” (DNT) is making its way into browsers that will, hopefully, one day be legally enforceable in much the same way that the “Do Not Call” list is today. Every major browser vendor offers you the option to turn on the “Do Not Track” signal, which I recommend you do even if it doesn’t do anything other than express your intent to not be tracked. (The previous advice about blocking trackers and web bugs is what will actually keep your browser tracker-free, regardless of how DNT evolves.)

As with blocking third-party cookies, instructions for turning on “Do Not Track” depend on the browser you’re using, and are left as an exercise for the reader.

UPDATE, May 8th, 2015: Two years after I wrote this post, the “Do Not Track” option seems to have failed. Unfortunately, simply by its nature as a voluntary self-regulation, almost no tracking companies obey this signal, making it worse than useless. In fact, adding “Do Not Track” to browsers that do not have it enabled by default (which, as of this update, is all of them) makes you more trackable, not less. So the new advice is to not turn on “Do Not Track” if it’s not on by default in your browser, and to not turn it off if it’s already enabled by default in your browser. Instead of Do Not Track, a new feature in Mozilla Firefox called “Tracking Protection” is integrating the web-bug blocking features from various popular browser add-ons into the browser itself. When that feature becomes generally available (slated for release in Firefox version 39), I suggest you turn it on. (Advanced users can already turn it on by typing about:config in their Firefox address bar, searching for trackingprotection and ensuring the privacy.trackingprotection.enabled flag is set to true.)

Step 7: Pay it forward

If you got all the way here, gain 10,000 experience points, and level up!! You are now a fledgling technomage.

Your mission, should you choose to accept it, is to share what you’ve learned with anyone and everyone who’ll listen. In the age of online social networks, protecting your privacy is a network problem. That means your friends need to be in on it, too! It’s all very nice and well to have your Web browser locked down, but if I find your Facebook profile and all of your friends are doing that kiss-and-tell thing….

Well, let’s just say there are many ways of tracking people online.

How to spoof your MAC address on Mac OS X (for reals)

Update: For users of Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion), a much easier solution called SpoofMAC exists as a set of Python scripts. (via)

One of the oddities of Apple’s Mac OS X platform is that some things that should be easy are obtusely difficult, and remarkably so. Changing the hostname of a Mac OS X Server is one good example. Another is changing the “Ethernet ID” (aka. MAC address, aka. link-level address) of a network interface card.

This should be really simple, as the correct command line is plain as day (where the string of colon-separated 00’s is your preferred MAC address):

sudo ifconfig en1 lladdr 00:00:00:00:00:00

There are numerous blog posts all over the ‘net that tell you this time and again, but each one seems to have comments from users complaining that it doesn’t work on their system. I ran into a similar problem not long ago when my MacBook Pro didn’t do what I expected. Just like others, whenever I tried to run the above command, nothing seemed to happen:

ifconfig | grep ether # Determine current MAC addresses
sudo ifconfig en1 lladdr 00:00:00:00:00:00 # Try changing MAC address for en1 (usually Airport) 
ifconfig | grep ether # Confirm change; but uh-oh! Output is the same as before! Why?

Here’s how I fixed this problem.

The thing to know is that there seem to be a number of conditions that will prevent Mac OS X from successfully changing a NIC’s MAC address. Some are obvious and some are not. As far as I can tell, these conditions are:

  • having the interface “down” (i.e., if you’ve recently run ifconfig en0 down or an equivalent),
  • being associated with (i.e., connected to) a Wi-Fi network with your Airport card,
  • having the System Preferences application running,
  • forgetting to “unstick” the current system configuration set.

It’s the last one that bit me. Mac OS X has a feature called “system configuration sets” or “locations,” as it’s termed in much of the GUI. These can be accessed via the Network pane in System Preferences, or via the scselect command from Terminal; it’s that scselect command which offers the key to changing a Mac’s MAC address.

On my MacBook Pro (which, for the record and if it matters, is running Mac OS X 10.6.7), I need to do all of the following before running ifconfig, as shown above:

  • If I’m changing my Airport card’s MAC address, I need to disassociate from any network. (This can most easily be done by invoking airport -z from Terminal. If you don’t have this command, see my tips on where to find airport.)
  • Quit System Preferences if it’s open.
  • Tell the operating system to “delay changing the system’s ‘location’ until the next system boot” by running: scselect -n.

According to the man page for scselect:

scselect provides access to the system configuration sets, commonly referred to as “locations”. When invoked with no arguments, scselect displays the names and associated identifiers for each defined “location” and indicates which is currently active. scselect also allows the user to select or change the active “location” by specifying its name or identifier. Changing the “location” causes an immediate system re-configuration, unless the -n option is supplied.


-n Delay changing the system’s “location” until the next system boot (or the next time that the system configuration preferences are changed).

Once I perform the above rigmarole, I can then change my MAC address without issue. But I have to be ludicrously careful. As soon as I open the Network System Preferences pane or otherwise do something to change the system configuration preferences, I have to run through that rigmarole again before changing my MAC address will work as expected.
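As an added example (my code, not the post’s and not SpoofMAC), the following Python wraps the rigmarole above into one function that applies the preconditions in order, changes the address, and verifies that the change took; the airport path, the `pgrep -x "System Preferences"` check and the fake runner used to demonstrate it offline are my assumptions.

```python
"""Added example: the MAC-changing sequence described above as one function
with a verification step.  Not the post's code and not SpoofMAC's."""
import re
import subprocess

# Assumed location of the airport utility (see the symlink tip later on this page).
AIRPORT = ("/System/Library/PrivateFrameworks/Apple80211.framework/"
           "Versions/Current/Resources/airport")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
ETHER_RE = re.compile(r"^\s*ether\s+([0-9a-f:]{17})", re.MULTILINE)


def is_valid_mac(mac):
    """True for a lowercase colon-separated 48-bit address, e.g. 02:de:ad:be:ef:01."""
    return bool(MAC_RE.match(mac))


def current_mac(ifconfig_output):
    """Pull the 'ether' address out of `ifconfig <iface>` output (None if absent)."""
    m = ETHER_RE.search(ifconfig_output)
    return m.group(1) if m else None


def run_real(argv):
    """Real executor: run argv and return (exit status, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def spoof_mac(iface, new_mac, wireless=True, run=run_real):
    """Apply the post's preconditions, change the address, and return what the
    interface reports afterwards.  Raises if a precondition or the change fails."""
    new_mac = new_mac.lower()
    if not is_valid_mac(new_mac):
        raise ValueError(f"not a MAC address: {new_mac}")
    # Blocker 3: System Preferences must not be open (assumed process name).
    status, _ = run(["pgrep", "-x", "System Preferences"])
    if status == 0:
        raise RuntimeError("quit System Preferences first")
    # Blocker 2: an Airport card must not be associated with a network.
    if wireless:
        run(["sudo", AIRPORT, "-z"])
    # Blocker 1: the interface must be up.
    run(["sudo", "ifconfig", iface, "up"])
    # Blocker 4: unstick the active "location" until the next boot.
    run(["sudo", "scselect", "-n"])
    status, _ = run(["sudo", "ifconfig", iface, "lladdr", new_mac])
    if status != 0:
        raise RuntimeError(f"ifconfig lladdr failed on {iface}")
    _, output = run(["ifconfig", iface])
    reported = current_mac(output)
    if reported != new_mac:
        raise RuntimeError(f"{iface} still reports {reported}; redo the steps and retry")
    return reported


def make_fake_runner(reported_mac, sysprefs_running=False):
    """Offline stand-in for run_real: records every argv and answers
    `ifconfig <iface>` with a constructed stanza reporting reported_mac."""
    calls = []

    def run(argv):
        calls.append(argv)
        if argv[0] == "pgrep":
            return (0 if sysprefs_running else 1), ""
        if argv[0] == "ifconfig" and len(argv) == 2:
            return 0, (f"{argv[1]}: flags=8863<UP,BROADCAST,RUNNING> mtu 1500\n"
                       f"\tether {reported_mac} \n")
        return 0, ""

    return run, calls


if __name__ == "__main__":
    # Demonstration without touching a real interface (no Mac or root needed).
    run, calls = make_fake_runner("02:00:00:00:00:01")
    print(spoof_mac("en1", "02:00:00:00:00:01", run=run))  # 02:00:00:00:00:01
    for argv in calls:
        print("  ran:", " ".join(argv))
```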

One Minute Mac Tip: Sniffing Wi-Fi traffic and capturing packets with the built-in airport utility

Many Mac OS X users lament the lack of sophisticated network analysis tools, often prevalent and seemingly prolific on Linux systems. What many don’t know is that Mac OS X comes with a built-in command-line tool to do all sorts of nifty things with Wi-Fi networks, from packet capture (traffic sniffing) to scanning nearby networks’ signal to noise ratios.

Mac OS X ships with a command-line tool called airport that can do all sorts of nifty things with Wi-Fi networks. Unfortunately, it’s so squirreled away that most people don’t seem to know about it. The utility is part of the Apple80211 Private Framework used to power your Mac’s Airport menubar icon.

Invoking the utility without arguments prints a useful (if incomplete) usage message. At a Terminal command prompt, type:


The tool lets you do a number of interesting things, so it’s worth playing around with. While you’re playing, you may as well create a symlink (a shortcut) to the utility so you don’t have to type that long path name all the time:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/bin/airport

Among the easiest things you can do is print a list of the Wi-Fi networks within range of your computer, but unlike the Airport menubar item, this report shows you a bunch of extra, precise data, such as which encryption protocol (if any) is being used on the network:

$ airport en1 scan
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                       moscohome 00:22:6b:8b:86:51 -61  10      N  -- WPA2(PSK/AES/AES) 
                     PUBLIC-455H 00:15:6d:60:95:d1 -82  1       N  -- NONE
                    Alex Network 00:1e:e5:24:c4:4f -86  1       Y  TW WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP) 
                   linksysELNIDO 00:21:29:a3:fd:99 -90  6       N  -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP) 
                        2WIRE024 00:18:3f:02:2f:49 -88  6       N  US WEP
                        2WIRE940 00:12:88:d9:85:41 -93  6       N  US WEP

If I wanted to see which of my neighbors still haven’t upgraded from WEP, I could just filter using grep:

airport en1 scan | grep WEP
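Going one step past grep, here is an added example (not part of the original tip) that parses the scan table above and reports every network that is open, still on WEP, or still accepts the TKIP cipher; the sample input is the scan output shown above.

```python
"""Added example (not from the original tip): parse the `airport en1 scan`
table and flag networks with weak or absent encryption, one step past grep."""
import re

# Sample input: the scan output reproduced from the tip above.
SCAN_OUTPUT = """\
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                       moscohome 00:22:6b:8b:86:51 -61  10      N  -- WPA2(PSK/AES/AES)
                     PUBLIC-455H 00:15:6d:60:95:d1 -82  1       N  -- NONE
                    Alex Network 00:1e:e5:24:c4:4f -86  1       Y  TW WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP)
                   linksysELNIDO 00:21:29:a3:fd:99 -90  6       N  -- WPA(PSK/AES,TKIP/TKIP) WPA2(PSK/AES,TKIP/TKIP)
                        2WIRE024 00:18:3f:02:2f:49 -88  6       N  US WEP
                        2WIRE940 00:12:88:d9:85:41 -93  6       N  US WEP
"""

# One row: SSID (may contain spaces, so anchor on the BSSID), BSSID, RSSI, channel,
# HT flag, country code, then the rest of the line is the security summary.
ROW_RE = re.compile(
    r"^\s*(?P<ssid>.*?)\s+(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<rssi>-?\d+)\s+(?P<channel>\S+)\s+(?P<ht>[YN])\s+(?P<cc>\S+)\s+"
    r"(?P<security>.*?)\s*$"
)


def parse_scan(text):
    """Turn the scan table into a list of dicts; skips the header and any odd lines."""
    networks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("SSID"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            continue
        networks.append({
            "ssid": m["ssid"], "bssid": m["bssid"], "rssi": int(m["rssi"]),
            "channel": m["channel"], "ht": m["ht"] == "Y", "cc": m["cc"],
            "security": m["security"],
        })
    return networks


def assess(security):
    """Classify the SECURITY column as ('open' | 'weak' | 'ok', reason)."""
    if security == "NONE":
        return "open", "no encryption at all"
    if "WEP" in security:
        return "weak", "WEP is broken"
    if "TKIP" in security:
        return "weak", "still accepts the WPA1-era TKIP cipher"
    if "WPA2" not in security and "WPA3" not in security:
        return "weak", "WPA version 1 only"
    return "ok", "WPA2/WPA3 with AES only"


def weak_networks(text):
    """(ssid, level, reason) for every network in the scan that is not 'ok'."""
    findings = []
    for net in parse_scan(text):
        level, reason = assess(net["security"])
        if level != "ok":
            findings.append((net["ssid"], level, reason))
    return findings


if __name__ == "__main__":
    for ssid, level, reason in weak_networks(SCAN_OUTPUT):
        print(f"{ssid:16} {level:5} {reason}")
```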

More awesome, perhaps, is the tool’s ability to actually perform traffic sniffing and capture packets. Tell airport to sniff, and optionally provide a channel (which you now know thanks to your ability to scan). You need to be an administrator (i.e., you need sudo privileges) to do this:

sudo airport en1 sniff 6

This creates a file called airportSniffXXXXXX.cap in the /tmp directory, where XXXXXX is a string for uniqueness. You can then feed this file into your favorite network analyzer such as Wireshark to examine the traffic offline.

How to use HTTP Basic Authentication with git

Coming right on the heels of my need to set up a git repository on shared hosts, I next wanted to see if I could use HTTP authentication for such a repository. Of course, HTTP authentication is an extremely insecure protocol, but it typically is enough to dissuade the casual user (such as Googlebot) from peeking at things you don’t want available on the public Internet, so it has its uses.

Note that with the set up described in the above-linked previous post, you can only pull over HTTP. This is usually what you want. If you want to be able to push over HTTP as well, git must be compiled with the USE_CURL_MULTI flag.

This is, as it turns out, because git seems to use curl for its HTTP operations, which also obviously means you must have curl installed on your workstation if you don’t already and it also implies that it’s curl, not git which you need to configure. In other words, accessing a git repository that is behind HTTP authentication is exactly the same as accessing one without it, and so is publishing a git repository to an HTTP server. The rest of this short tutorial assumes you have published your repository at and are using the Apache web server.

Step 1: Create an HTTP Basic Authentication username and password file

First, you’ll need to create a file that lists the usernames who are permitted to access your repository over HTTP Basic authentication. This is easily accomplished with the htpasswd utility (or your host’s custom web UI, if one is provided). Let’s create a file called .git-htpasswd to store these usernames and passwords.

From your shell, run the following command:

htpasswd -c /path/to/DOCUMENT_ROOT/.git-htpasswd username

where /path/to/DOCUMENT_ROOT is the full path to the root directory of your web site and username is the username you want to add. If you want to add subsequent users to this file, run the same command again without the -c, like this:

htpasswd /path/to/DOCUMENT_ROOT/.git-htpasswd another_username

You’ll then be prompted to enter a password, and then prompted again to verify that you’ve typed it correctly.

Step 2: Configure HTTP Basic Authentication on Apache

Next, configure standard HTTP Basic Authentication on Apache. In most shared hosting environments, you’ll be allowed to configure per-directory passwords using .htaccess files. Some hosts provide web UI interfaces for creating “protected folders,” which is basically the same thing. Make certain that the kind of protection you select is “Basic,” because curl will require that.

To do that, create a new file named .htaccess in your DOCUMENT_ROOT/git directory (if one does not already exist) with the following contents:

AuthType Basic
AuthName "Git"
AuthUserFile /path/to/DOCUMENT_ROOT/.git-htpasswd
Require valid-user

This tells Apache to look for usernames and passwords in the file named .git-htpasswd we created in step 1.

If everything is set up correctly, you should now be able to access in your Web browser and you should be presented with a login dialogue box.

Step 3: Configure curl on your (client) workstation computer

Next, configure your local curl client. git-pull will call curl with its --netrc-optional switch for HTTP operations. This means curl will look for a file named .netrc in your home directory and will read authentication configurations from that file. The format of this file is incredibly simple:

machine your_server_hostname
login your_username
password your_password

To check if this is working correctly, run curl yourself to access the current HEAD of the public repository and see if you get the expected result:

curl --netrc --location -v | grep 'ref: refs/heads'

If you see a line of output then you know this is working, otherwise you should double check your work.
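As an added example (not from the post), the following Python reads a .netrc the way curl does, checks that the file is readable only by its owner, and shows what HTTP Basic authentication actually puts on the wire: base64 of login:password, which anyone between you and the server can decode unless the connection is HTTPS. The host git.example.com and the credentials are constructed.

```python
"""Added example (not from the post): .netrc handling and what Basic auth sends."""
import base64
import netrc
import os
import stat
import tempfile

# Constructed sample .netrc for a hypothetical host, written to a temp file
# so the example runs offline.  Mode 0600 is what curl expects for this file.
SAMPLE_NETRC = "machine git.example.com\nlogin alice\npassword s3cret\n"
SAMPLE_NETRC_PATH = os.path.join(tempfile.mkdtemp(), ".netrc")
with open(SAMPLE_NETRC_PATH, "w") as fh:
    fh.write(SAMPLE_NETRC)
os.chmod(SAMPLE_NETRC_PATH, 0o600)


def netrc_is_private(path):
    """True if no group/other permission bits are set on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def load_credentials(path, host):
    """Return (login, password) for host from a .netrc, or None if there is no entry."""
    auth = netrc.netrc(path).authenticators(host)
    if auth is None:
        return None
    login, _account, password = auth
    return login, password


def basic_auth_header(login, password):
    """The header curl sends for HTTP Basic: base64 of 'login:password', not encryption."""
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic_header(header):
    """Recover the credentials from a Basic header, as an on-path observer could without TLS."""
    token = header.split(" ", 2)[2]
    login, password = base64.b64decode(token).decode().split(":", 1)
    return login, password


if __name__ == "__main__":
    print("private:", netrc_is_private(SAMPLE_NETRC_PATH))
    creds = load_credentials(SAMPLE_NETRC_PATH, "git.example.com")
    header = basic_auth_header(*creds)
    print(header)
    print("decodes back to:", decode_basic_header(header))
```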

Step 4: There is no step four

You’re done. With this configuration, you can git-pull as you normally would, and git will automatically use your .netrc file to enable curl’s HTTP authentication schemes.

One minute Mac tip: Create the illusion that Bonjour works over a VPN

If you’re a Mac user who often uses VPN connections, you’ll notice one very disappointing thing about connecting to your corporate or personal network over such tunneled connections: typically, Bonjour-style addresses (such as “computer-name.local”) don’t work. This is because multicast DNS (or mDNS) doesn’t work over a tunnel. Though there are ways to get it functional, they are pretty complicated and require that you have a lot of esoteric networking knowledge.

However, if the services you typically access via Bonjour use static IP addresses, then there is one age-old networking technique you can use to simulate Bonjour-style naming conventions without actually using Bonjour. This, of course, is the /etc/hosts file.

The /etc/hosts file is a simple, static, text-based mapping of computer names to IP addresses. It does exactly what Bonjour does except it doesn’t keep itself up to date when things change. Of course, if you’re using static IPs for the services you want access to, you can pretty safely assume that things aren’t going to be changing frequently anyway. Long-time sysadmins will laugh at this, but I say let them laugh. This is remarkably useful and very easy to implement.

Let’s assume I’m running a personal web server on my home network, and I can access my home network via a VPN. On my home network, my web server’s IP address is, say,, and I usually access it as http://server.local/. All I need to do is open a Terminal prompt and run the following commands as an administrative user:

echo "	server.local" | sudo tee -a /etc/hosts # sudo must cover the write to /etc/hosts, not just the echo

That’s it. What this does is hard-wire the name server.local so that it always resolves to the IP address Now, anytime anything on my computer tries to access server.local, it’ll always access directly instead of ever needing to make an mDNS query on the network. The net effect is that we can trick our computer into thinking that Bonjour is working, even when it’s not—such as over a VPN connection.

Note that in default cases, hard-wiring an IP address like this completely prevents your computer from ever asking other computers (such as DNS servers) what the current IP address for this name is. That means if the IP address of the remote server changes, you won’t be notified, and things will just not work. So be mindful that you’ve made this change, and revert it as a first step in troubleshooting procedures.

By the way, Windows users can do the very same thing simply by editing their etc/hosts. They can find this file at C:\WINDOWS\system32\drivers\etc\hosts and can edit it with Notepad. They will also need to install Bonjour for Windows to get Bonjour working in the first place, of course.

One minute Mac tip: Restore Bonjour’s “.local” addresses

Lately, there have been a string of networking problems with Mac OS X 10.5 Leopard reported by sites such as MacFixIt. One of the most common symptoms is the loss of Bonjour’s “.local” addresses. So, for instance, if you have a machine named “Perseus” then you could address that machine by the hostname “Perseus.local” instead of its IP address.

However, if you find that the .local host name no longer works but the IP address still does, the problem may be in a corrupt or outdated local DNS cache. Luckily, the solution is incredibly simple. Just run:

dscacheutil -flushcache

at a Terminal prompt, and try again. If you’re still running Mac OS X 10.4 Tiger and you experience this problem, the solution is just as simple. Instead of the above line, simply run:

lookupd -flushcache

at a Terminal prompt.

Sharing your Windows XP Virtual Machine’s Internet connection with your Mac OS X host operating system using VMware Fusion

In some situations, like the odd one I now find myself in, the only way to get Internet connectivity is to use a solution that requires a fair bit of maneuvering. In my situation, I have temporarily obtained a Vodafone 3G mobile card. Unfortunately, the Vodafone Mobile Connect software for Mac OS X as of this writing is obscenely poor. Of course, Vodafone’s software for Windows works without a hitch.

The only way I could get my Vodafone 3G card to work was to fire up a Windows XP guest inside of my MacBook Pro, using VMware Fusion. Connecting to the Internet with the 3G card using the Windows guest was smooth sailing, but that only provided the Internet connection to the Windows virtual machine. I wanted my Mac to be directly connected.

The solution is obvious, but a few gotchas really bit me hard. To get the Windows guest to share its Internet connection from the 3G card to my Mac, I would need to bridge VMware’s virtual ethernet adapter from the Windows guest to the Mac OS X host. Once bridged, both the Windows guest and the Mac OS X host would logically be on the same ethernet network segment. At this point, I can enable Windows XP’s built-in Internet Connection Sharing (stupidly dubbed “ICS” because everything needs a TLA) on the 3G connection so that Windows NATs it through to the bridged virtual ethernet card. Finally, I can connect to Vodafone’s 3G network, and all should be well.

Here’s the gotchas.

First, in order for VMware to actually initiate the network bridge when it starts up, it must detect that a physical link is active on your Mac. In other words, Mac OS X’s Network System Preferences pane must show you a yellow dot next to at least one physical networking device (probably either your “Built-in Ethernet” or your “AirPort” ports). VMware Fusion will give you no errors or warnings that a bridge is unavailable until you try to connect your virtual machine’s network while set to bridge, in which case VMware Fusion will complain with an error that reads: “The device on /dev/vmnet0 is not running.”

Obviously, if you have no other devices to connect to, you need to fake one. The easiest way to do this is to set up a Computer-to-Computer network using AirPort. Just go to your AirPort menu bar item and select “Create Network…” and create the network (preferably encrypted). If you check System Preferences now, you should see that AirPort has a yellow dot next to it and reads as having a “Self-Assigned IP Address.” Now that you have a physical link on your AirPort card, you should be able to start the VMware Fusion virtual machine with bridged networking mode without incident.

However, if you do encounter the above error anyway, you need to restart the VMware network bridge. You can do this either by shutting down VMware completely (turn off your guest operating systems, and quit the VMware Fusion application), or you can run the following commands as an administrator in Terminal, which will stop any bridge currently running (or do nothing if no bridge is running) and then restart it, providing the output as shown:

sudo killall vmnet-bridge
sudo "/Library/Application Support/VMware Fusion/vmnet-bridge" -D vmnet0 ''
Entering event loop...
Examining network configuration...
Turning on bridge with host network interface en1...

Obviously, you may be asked for your password as you perform this procedure. Note that the trailing two apostrophes are single quotes with no space. This is (almost) how the VMware Fusion script starts and stops the network bridge. Specifically, you’re telling the vmnet-bridge application to run in Debug mode and to bridge vmnet0 to whatever is the current primary networking interface. In the example output shown above, this is en1, or my AirPort card connected to the computer-to-computer network I created in the previous step.

Hopefully you won’t have to mess with the vmnet-bridge application, as this should happen on its own when you start up VMware Fusion if you have any physical link on a network device. Nevertheless, I’ve found this is sometimes unreliable, so just in case it doesn’t now you know how to bring up the bridge on your own. (Tip: once it’s up, you can CTRL-Z to pause it, re-start it with fg %1 and then quit Terminal if you like. The bridge will still be up.)

Now that the AirPort card has a physical link, and the VMware network bridge is running, the next step is to configure your virtual machine to use bridged networking. Just go to Virtual Machine → Network → Bridged as normal. Make sure Connected is also selected. Now start up your Windows guest.

Once Windows boots, go to the Network Connections window by selecting Start → Connections → Show all connections. At this point, your “Local Area Connection” in Windows probably has a warning sign on it and reads as having “Little or no connectivity.” It probably has a self-assigned IP address just like your AirPort card. That’s fine—as long as it’s not “unplugged,” we’re in good shape.

Next, select whatever other connection you want to share the Internet from (in my case, the 3G modem, but it could also just be any other connection in the window), right-click it and select Properties. Go to the Advanced tab and make sure “Allow other network users to connect through this computer’s Internet connection” is checked. The other boxes won’t matter.

What this does is turn on Windows’ own NAT service, which configures the one connection (the one you’re sharing) as the WAN side of (yet another) virtual networking device and the Local Area Connection (the one we’ve bridged to our AirPort or Built-in Ethernet card on our Mac) as the LAN side. Hit OK as many times as necessary to close the network connection properties windows and wait a few moments. Sometimes this can take up to 30 seconds or so, but eventually you’ll see Windows announce that “Local Area Connection is now connected.” If you inspect it, you’ll see that the IP address configuration has been automatically assigned as a “Manual Configuration” with the address of, a subnet mask of, and no default gateway.

As a last step, now we can actually connect to the Internet using whatever service we have. In my case, this is when I hit the “connect” button on my Vodafone Mobile Connect software. Once the connection is established and the Windows XP virtual machine can see Internet, it takes up to another minute or two (or three) for the Mac’s connection to get an IP address from the Windows guest, but it invariably works.

If the Windows side of things is giving you any trouble, the most reliable solution I’ve found is to simply disable, then re-enable whatever connection isn’t behaving as desired. If after all of this your Mac still doesn’t get an IP address from the Windows XP guest, disconnect and then re-connect the virtual machine’s ethernet card (by toggling the “Connected” menu item in the Virtual Machine → Network menu). Also, of course, be doubly sure that your AirPort is set to “Use DHCP.”

Phew! So simple…and yet so much harder than it had to be. I found the following two PDF documents very helpful in understanding all of this. You might too:

  1. VMware Fusion Network Settings — a super-brief, but excellent introduction to VMware’s network setting internals. It’s also a PDF download attached to the linked forum thread.
  2. Share Windows XP Guest Internet Connection with OS X Host HOWTO — This basically describes the same thing this post does, but it does so using absolute step-by-step instructions. It’s also a PDF download attached to the linked forum thread.