Search found 8 matches

by killswitch
Sat Aug 15, 2015 10:21 pm
Forum: general chat, suggestions, industry news
Topic: The Adversary Spectrum
Replies: 0
Views: 15797

The Adversary Spectrum

People begin taking an interest in security when they get sick of their browsers not doing what they want. Then comes a VPN, then maybe the Tor browser bundle, and finally, if they are technically literate, they may partially set aside Windows or OSX, and move to VMs running under VirtualBox. The solutions chosen are often haphazard, unless they have a lot of background knowledge, or they reach for one of the Adversary Resistant Computing environments that solves most of the problem for them.

More important questions than “Which tools and services are you going to use?”, are these:

“Who do you think might be after you?”

“Why do you think they are after you?”

“What do you think their capabilities are?”

There are a spectrum of online threats and determining which ones you might face is the first step. Here are some example threats in increasing order of severity:
  • trolls – typically boys fifteen to twenty five, with a sprinkling of middle aged people, more women than men, and these older ones are often dealing with mental illness, substance abuse, and character disorders.

    Identity theft/fraud rings – online crime evolves at internet speed. Any banking or assets managed via a web interface are prized targets, and if your health care provider gets cracked you may face serious identity theft issues.

    Extortion rings – revenge pornography is almost always a thin cover for an extortion racket. The recent intrusion at Ashley Madison puts millions of wandering spouses at risk for attention from fraudsters. Malware such as Crypto Locker brings hundreds of millions of dollars from businesses that can't afford to lose data they didn't have backed up.

    Corporate security – if you've been involved in any sort of protest you may be facing paid professionals using tactics similar to trolls, but with much greater diligence in information gathering and far better judgment in what will/will not work on others.

    MPAA/RIAA & related litigation – movie and music sharing with Bittorrent and other services that provide gray or black market entertainment data have long been targets for copyright troll law firms.
    Law enforcement – there are a range of activities from 1st Amendment protected protest to drug trafficking that might get you attention from your local, regional, or national law enforcement.

    Intelligence agencies – if you are an aggressive activist or involved in criminal activity, particularly that which intersects with terror funding, you might just find yourself elevated from the general surveillance dragnet to a point where you are receiving personal attention.
Which of these do you think are a legitimate problem for you? You have to have some sense of why you might have drawn attention in the first place, so these two issues go hand in hand with determining which problems you might actually have.

Many of these entities leave clear tracks – the extortion and identity theft oriented groups are either using your personal information or approaching you wanting a payoff of some sort. While these are all criminal, unless there is a lot of money involved, you can assume law enforcement is going to treat your problem about as seriously as a graffiti complaint.

If you are the subject of a law enforcement investigation, you presumably know what you do that gives your exposure. Occasionally this is not the case. As an example, some times troll attention is calculated to put innocent individuals in harm's way. This is one of those sticky situations where less if more – if you've got problems like this, drop everything and wait for them to go away. Problems like that start in internet time but they fade slowly, taking from months to years.

It might seem strange at first, but trolls to corporate security to intel agencies are a continuum all on their own. A competent troll crew will have capabilities far beyond most police departments. Corporate security will sometimes employ trolls to do their dirty work. A large corporation will be able to bring more resources to a conflict than a small nation state. All of them leave intentionally confusing trails, not wanting the consequences of being discovered.

Applying Adversary Resistant Computing & Networking to such problems is always going to lead to some improvement no matter which problem you have, but you could probably also use some Adversary Resistant Wetware. The peace of mind that comes from having an intentionally hardened environment is good, but if you're constantly look over your shoulder you will likely develop some induced paranoia.

Once you've identified your opponent(s) and the underlying motivations, you need to get a clear idea of what they can and can not do. This is something that you should do, put it down in writing, and keep it handy. If you're hyper-alert you will find patterns where others will just see random noise, so the assessment keeps you from over-reacting to coincidences. Journaling is a good counter tactic and few things that happen in internet time online are truly urgent – make a point to sleep on complex problems, and jack out early enough that you get quality sleep. As a rule of thumb, jack out an hour before you lay down for the night.

While we have tools that protect computers and their network traffic, protecting the minds those who operate in a high threat area is dramatically more difficult. One of the very first things you can do is reducing the amount of attack surface you expose. If you've read this far, you might just have some real problems, and sweeping your real social media presence clear is a good first step.

So, what exactly can these opponents do?

All of them, except the MPAA/RIAA type civil litigation things, make a habit of taking over the computers of those they target. You need an adversary resistant OS, but you also need some serious thought here, especially the further down the spectrum you go. Are you really such a lightning rod that you might be facing a nation state actor? If you don't have a lot of money, a lot of political pull, or a history of dropping secret government docs, this is probably not a problem for you. The FBI gets invoked a lot and they are a big problem for activists, but nobody is investigating perceived threats via social media, unless the target is government, elected officials, or very large corporations.

A bigger problem for most people are the smaller fish, who have more time on their hands, but they have much less access, so they subsist on spearphishing and watering hole attacks. They can hang around and keep obsessively trying until they get some results.

The nation state actor can insert malware on the fly if you are in their jurisdiction. Cryptostorm takes steps to filter that out at the service level, while Tor only conceals your public IP, any clearnet access is at risk. The little fish have the time to root your machine and play a careful, longterm game against you.

The ultimate technical solution is QubesOS, perhaps with Whonix for when Tor is appropriate, and a mixture of Tor and Cryptostorm somewhere between the NetVM, ProxyVMs, and AppVMs. This only solves the technical issues. If your judgment is impacted by too much time jacked in, you may find that all you accomplish with a more sturdy system is putting yourself into an even higher risk position than when you started.
by killswitch
Sun Jul 26, 2015 3:05 pm
Forum: #cleanVPN ∴ encouraging transparency & clean code in network privacy service
Topic: Understanding Adversary Resistant Networking
Replies: 0
Views: 25840

Understanding Adversary Resistant Networking

There are a variety of bad things that can happen when an adversary can connect a public IP address to your online activities. This can range from the bratty kid next door pranking you, to the MPAA suing you for downloading a movie, to intelligence agency or law enforcement attention. There are a number of ways to conceal your movements, but no one of them is 100% bullet proof, so knowing their strengths and weaknesses will help you select the right one for any given problem.


The Onion Router, commonly referred to as Tor, was designed by the U.S. Naval Research Laboratory, and made public in 2004. When used on a workstation, Tor starts a service that makes encrypted links to entry relays, it provides one or more local SOCKS5 proxies for your applications, and traffic is sent to exit relays, which provide access to the clearnet.

The Onion Router also offers hidden services, a special domain ending in .onion, which is only visible to those using the Tor network. A notable example of this is http://silkroad6ownowfk.onion, one of the addresses associated with the Silk Road 2.0 dark net market.

Since Tor only offers a SOCKS5 proxy, it only supports TCP connections. This means web browsing and chat sessions will work, but it can't do audio streaming or VoIP calls, as those depend on UDP connections. When you are accessing web sites and you absolutely can't afford to leave a trail, this is the one to use.

The Invisible Internet Project, known as I2P, is similar in spirit to Tor. It establishes encrypted connections to other I2P nodes and it offers local ports which permit access to I2P hidden services, which are called 'eepsites'. The names are free form just like clearnet domains, but they end with '.i2p' as their top level domain.

There are exits to the clearnet on I2P, but most are not meant for widespread anonymous access, they tend to be pet projects or services for small numbers of people who know each other. Interest in I2P has grown in parallel with all of the negative attention Tor has been receiving. There is now a C++ version of the software, which is suitable for use on headless servers, and there has been at least one darknet market effort made using I2P. This system is not quite ready for prime time, but it's evolving rapidly, and you should be aware that it exists.

The other anonymizing network is Cryptostorm, which uses OpenVPN to provide its service, but it should not be mistaken for just another VPN. Their is a hierarchy of capabilities among OpenVPN service providers, and their offering is unique.

There are a number of VPN providers that offer paid service and perhaps a free low speed service, but they require that you install their software. These binary blobs contain adware, keyloggers, and complete rootkits. If you are considering a VPN provider, make sure they offer a text config file you can use with OpenVPN. Treat any that do not offer this as untrustworthy.

There are some providers that offer both a free low speed service and connecting with OpenVPN. PrivateTunnel does this as a loss leader to get people to subscribe. VPNBook provides unlimited access at high speed, but there has to be some underlying revenue method they do not disclose, perhaps something like inline serving of their ads instead of the ads of the sites you are visiting. The RiseUp collective has offered OpenVPN access in the past as part of their member services and is currently experimenting with LEAP and Bitmask. These all offer varying degrees of IP address concealment, but they require some expertise to ensure they do what you need.

Cryptostorm offers two advantages over these other VPN providers.

The first is that access is obtained by getting a digital token and then hashing it. Reversing the hash is computationally impossible, so no one can backtrack to your purchase by observing your VPN traffic. Even if someone could do that, tokens are sold via Bitpay or by resellers, and Cryptostorm doesn't know the details of those transactions. Other providers swear they don't log, then require you to have a username and a password. Cryptostorm is functionally incapable of logging, because they never collect enough information from subscribers to do that.

The second advantage is that Cryptostorm is not just a VPN, the service also includes some 'baked in' protection against common attack vectors. When the webrtc/STUN IP address leak was made public Cryptostorm implemented a fix within thirty six hours and it's now a permanent part of the service. Certificate Revocation Lists are almost never used for their intended purpose, but there are several types of malware that depend on the fact that browsers do no checking on CRLs they receive. Cryptostorm started dropping all CRLs a few months ago and nobody has missed them.

Cryptostorm is a good solution for those who want to circumvent country based filtering for streaming services like Netflix, it is dramatically faster for torrent file sharing, and it is often accepted by sites that have banned anonymous use via the Tor network.

There are reasons to combine these two approaches. If you're running Whonix or even TAILS in a VM, having Cryptostorm for your host OS ensures that if you hit some sort of exploit that can de-anonymize Tor clients, all your opponent will get is a Cryptostorm IP. On the other hand, Tor exits are often banned due to abuse, and Cryptostorm will accept inbound TCP connections, which can be used to circumvent those bans.

Thanks to an earlier leak, the world has long known of the type of deep packet inspection Blue Coat provides to repressive regimes. Thanks to the recent Hacking Team leak we know a bit more about Corruptor-Injection Networks, which use subterfuge such as type 302 redirects to insert their exploits into whatever legitimate browsing you were doing.

Just as standalone general purpose operating systems are no longer safe, the same holds true for the networks you use. Layered defenses are the way of the future, both for your computer's operating system and the means by which you communicate with the rest of the world.
by killswitch
Sat Jul 25, 2015 5:26 am
Forum: cryptostorm reborn: voodoo networking, stormtokens, PostVPN exotic netsecurity
Topic: Quad VPN & the snake oil of "multi-hop" VPNs
Replies: 4
Views: 32530

Re: Quad VPN & the snake oil of "multi-hop" VPNs

Looping VPN sessions through two concentrators owned by the same provider might provide advantage in some situations, but depending on implementation. But the tunnel in a tunnel setup between two nodes owned by the same operator is just begging for attention from NSA's TURBULENCE system.

VPN within VPN would help if there were provider diversity - two companies to contact, two geographically diverse locations are involved, there are some situations where this would be useful.

Having started this, I am more inclined to write about the adversary spectrum, rather than going further down this recursive tunnel rabbit hole.
by killswitch
Fri Jul 24, 2015 10:04 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: Creating Adversary Resistant Networking Configurations
Replies: 1
Views: 19735

Creating Adversary Resistant Networking Configurations

There are two schools of thought regarding Adversary Resistant Networking, one depends on application level proxies, the other on fail closed VPN configurations.

Tor offers a SOCKS5 port, usually 127.0.0.1:9050 if you're running Tor locally, or port 9100 on a nearby machine if you're splitting gateway and workstation duties. I've found SOCKS5 support in Firefox to be sketchy, so I often configure the Polipo HTTP proxy at port 8123, and have it use SOCKS5 as an upstream proxy. Many applications offer the capability to use a proxy in their configuration and command line tools can be wrapped with torsocks to achieve the same goal.

I2P maps individual local ports to services at remote locations, so it is similar in spirit to Tor. Both of these anonymizing networks offer application level proxies, which means that the system providing them is not required to NAT traffic from local subnets. These systems fail closed because they are incapable of forwarding traffic.

Creating a fail closed configuration with a VPN requires mucking around with firewall and/or route table configurations. There are several ways you can create a fail closed VPN solution, but these are the methods I am using for the moment.

When your workstation boots it probably gets it's IP address, DNS servers, and a default route from a local router via DHCP, the dynamic host configuration protocol. This configuration presumes you want to reach the whole world. Here is what this looks like in a VirtualBox VM, preceded by the command used to inspect the routing table. The 10.0.2.0/24 network is the default for VirtualBox network type NAT, the 0.0.0.0/0 entry is the default route.
netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

When you activate an OpenVPN tunnel the system enters a host route to the VPN server you are using, and then adds 0.0.0.0/1 and 128.0.0.0/1 to the route table. This divides the 32 bit global Ipv4 address space into two 31 bit blocks, which disables the default route. Ipv4 packets are sent using the most specific route for their destination.
Netstat -rn

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.55.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.2.2 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.55.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
128.0.0.0 10.55.0.1 128.0.0.0 UG 0 0 0 tun0
212.129.10.40 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0
The 212.129.10.40/32 route is the VPN concentrator in use, in this case the Cryptofree service. The 10.0.2.0/24 route is the default NAT network for VirtualBox, the 10.55.0.0/16 network is the link from this machine to Cryptostorm, then the 0.0.0.0/1 & 128.0.0.0/1 routes via 10.55.0.1 ensure nothing uses the default route via 10.0.2.2 – easy enough, right?

If you want the system to fail closed you would need to delete the default route and add a static host route to the VPN concentrator. The routing table prior to the VPN launch would look like this:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
212.129.10.40 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0
And once the VPN is started it would look like this
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.55.0.1 128.0.0.0 UG 0 0 0 tun0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.55.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
128.0.0.0 10.55.0.1 128.0.0.0 UG 0 0 0 tun0
212.129.10.40 10.0.2.2 255.255.255.255 UGH 0 0 0 eth0
If the VPN connection stumbles the two /1 routes it offers would be withdrawn, and the system would be disconnected. This part is easy enough to understand, but there are two pitfalls you must avoid.

The static route to 212.129.10.40 is great, but the Cryptostorm config files use the symbolic name linux-cryptofree.cryptostorm.net. Your system probably has an /etc/resolv.conf file with the IP addresses of a couple of DNS servers in there. You could add a pair of static host routes to your DNS servers, but since we're in lockdown mode it's probably safer to add this to /etc/hosts
212.129.10.40 linux-cryptofree.cryptostorm.net
212.129.10.40 linux-cryptofree.cryptostorm.ch
212.129.10.40 linux-cryptofree.cryptokens.ca
212.129.10.40 linux-cryptofree.cstorm.pw
212.129.10.40 linux-cryptofree.cryptostorm.nu
The other issue you have to deal with is DHCP lease renewal. If your system is configured with DHCP, then you add the statements to create your fail closed config to /etc/rc.local, the minute your DHCP lease is up the system will renew, your default route is back, and you are exposed. As above with the DNS versus /etc/hosts config, it is safer to make your IP configuration static.

It has long been said that “Eternal vigilance is the price of liberty”, and this has never been more true than when we face a surveillance dragnet recording our every move.
by killswitch
Fri Jul 24, 2015 1:57 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: Selecting An Adversary Resistant Computing Solution
Replies: 0
Views: 24826

Selecting An Adversary Resistant Computing Solution

The Cryptostorm desktop OS demographic in some ways mirrors the real world's Windows/Mac/Linux division, but Mac/Linux are more prevalent, at least among those who visit the #cryptostorm IRC channel. A portion of these subscribers reveal, after some discussion, that they truly need an adversary resistant solution above and beyond hardening their normal desktop OS.

There are three adversary resistant systems available today, TAILS, Whonix, and Qubes. Each has its strengths and weaknesses, but it might be better if we used to phrase 'requisite skills' rather than weakness.


TAILS, The Amnesiac Incognito Live System, is the Linux distribution Edward Snowden recommended to his press contacts. The backronym TAILS is very descriptive of what the system does – you're incognito when using it and it doesn't provide any place for a nosy website to drop cookies or other identifying information.

TAILS routes all its traffic to the Tor anonymizing network. There are provisions to use an OpenVPN provider like Cryptostorm, but the developers are very particular about what is included and why. There is no easy path to turning up Cryptostorm, or any other VPN for that matter. Once Cryptostorm is workable it's likely going to be in an usual role, providing TCP based VPN services after transiting the Tor network. This is needed because some sites block all Tor exit nodes, but they'll accept a VPN exit.

Hardware wise TAILS is the least demanding of the three – it'll work on whatever retired laptop you have sitting around in a closet. You don't need to know anything about Linux to use TAILS.

Whonix is a gateway/workstation solution that will run under a type two hypervisor such as VirtualBox. The gateway has access to the internet, it connects to Tor entry nodes, and it provides SOCKS5 proxy service for the workstation. This configuration is sturdier than TAILS – if an attacker does come up with a way to crack the workstation, they can do many things, but finding your public IP is not one of them.

Whonix, like TAILS, has some very specific ideas about where VPNs should go and their thinking is somewhat similar to the TAILS developers. It is possible to install a recent OpenVPN package on the gateway and use Cryptostorm, but this requires a multistep recipe that involves turning the iptables firewall off for some stages.

Hardware requirements are a processor that supports VirtualBox and each VM wants about a gig of memory, so a four gig system is a bare minimum, and you'll be much happier if the disk is SSD rather than a spindle. You can start using Whonix right away without any Linux knowledge, but it takes quite a bit of command line and network skills in order to get OpenVPN running.

Qubes is a type one hypervisor based on Xen virtualization and the Fedora Linux distro. This system has its graphical system management stuff in a VM that is quite secure against network attacks, as it has no network access. A NetVM handles networking hardware, a ProxyVM provides services and enforces policies, while one or more AppVMs access the internet using the ProxyVM.

Qubes does not include OpenVPN support in the NetVM or the ProxyVM, but the system is open and flexible enough that you can add this service where it makes sense. We want to get to the point where Qubes either includes a ProxyVM set up to run Cryptofree, or we want to offer instructions here so that a new Qubes user can do this for themselves.

Hardware wise the Qubes minimums are the same as for Whonix, four gig of ram and a processor that supports virtualization. If you want to get into this system, upgrading an older laptop by adding an SSD will provide a workable platform without a big price tag.

Conclusion

Two of these systems enforce the use of Tor and none of them are plug and play with Cryptostorm, nor any other VPN provider. Qubes will probably be the first to handle OpenVPN smoothly and the reason is they are focused on securing the system itself rather than any networking concerns.

You can use Cryptostorm on your host OS when running Whonix, but unless you are comfortable manually hardening your workstation, your setup will fail open, leaving Whonix grasping for new Tor entry nodes. You can also run TAILS in a VM to take advantage of the additional protection afforded by a VPN connection, but the same fail open caveat applies here, too. Maybe that's a problem, maybe not, it all depends on who your likely adversaries are.

The world is at a turning point brought on by the militarization of cyberspace. People who never worried if their machine was safe or if they were under surveillance are waking up in a house on fire. Minimalist, easily audited systems that connect using snoop/tamper proof network connections are going to become the new normal for the technically literate, with both Whonix and Qubes carving out niches. TAILS is simple by design and will appeal to a different demographic.

If these things feel a bit raw and 'fiddly' to you, that's because they still are. Look again in a year and there will be more offerings in this area, maybe Subgraph will even offer an ISO worthy of the slick site they've created. All three of the ARC offerings mentioned here are going to develop some means to use OpenVPN services, although it may be done in a curious, limited fashion with TAILS and Whonix.
by killswitch
Fri Jul 24, 2015 12:08 pm
Forum: #cleanVPN ∴ encouraging transparency & clean code in network privacy service
Topic: Adversary Resistant Systems
Replies: 4
Views: 21795

Re: Adversary Resistant Systems

Cryptostorm is a marvel, but it's like a remote alpine valley - there is a huge learning curve to climb before one has enough background to read the content with any confidence that they're absorbing the details. This is great as a first cause, as an incubator for such thinking, but imagine how this place looks to someone who is trying to decide between Cryptostorm and one of the bigger VPN players like Cyberghost or Witopia.

Cryptostorm needs a simple, linear, confident presentation to the non-technical user. That's been done in hand to hand transactions, now it needs to go bigger. If we firmly grasp this emergent Adversary Resistant meme, the expansion will happen as a natural follow-on to putting some structure around this stuff we all do to keep our systems safe.
by killswitch
Thu Jul 23, 2015 9:51 am
Forum: #cleanVPN ∴ encouraging transparency & clean code in network privacy service
Topic: Adversary Resistant Systems
Replies: 4
Views: 21795

Re: Adversary Resistant Systems

Technically correct, parityboy, and there are places where defining Adversary Resistant Networking will get deep, but this is part of an overall effort to lay claim to and properly define the terms Adversary Resistant Computing, Hosting, and Networking. I imagine there will be a couple of posts a week at various places as the concepts are distributed and clarified.

Cryptostorm is patient 0 for this, where else do you think it should go? Do you have a presence on any of these other sites?
by killswitch
Wed Jul 22, 2015 9:34 pm
Forum: #cleanVPN ∴ encouraging transparency & clean code in network privacy service
Topic: Adversary Resistant Systems
Replies: 4
Views: 21795

Adversary Resistant Systems

The world has been shaken in 2015. First the Office of Personnel Management lost everything it had on four million Americans with security clearances. Then Italy's Hacking Team lost control of the entire contents of their corporate systems. Then in quick succession NYSE and United Airlines were down, around the same time an outsider managed to send commands to a Turkish Patriot missile battery deployed in the field.

Among the Hacking Team treasures was the source code for Remote Control System, a piece of second string espionageware, not quite as capable as Duqu or Flame, but still quite dangerous in the hands of an entity with good operating discipline. Along with the C&C (command & control) the world also got to see the range of methods used to compromise target systems. Among these was an appliance for man on the side attacks – a Corruptor-Injector Network tool.

We started to understand how dangerous things had truly become thanks to Snowden's leak in 2013. Now with the Hacking Team intrusion we can see the full spectrum of tools and methods employed by a small but skilled surveillance dragnet operator. No amount of legislation or law enforcement is going to fix problems like this unless it also utterly breaks the good stuff the Internet does.


What the world needs are Adversary Resistant Systems, and there are a number of grassroots projects that already provide quite a bit of functionality.
Adversary Resistant Computing There are three well known adversary resistant computing platforms which you could download and start using today.

TAILS is short for The Amnesiac Incognito Live System, a live CD/USB system that enforces use of the Tor anonymization network and which, as the name implies, keeps nothing locally between sessions. This distro is about 900 megs and built to run on the smallest Atom based netbooks.

Whonix is another Tor focused system but it is served up as a pair of 1.5 gig virtual machines in OVA format, suitable for import into the free VirtualBox type two hypervisor. The gateway VM provides routing, firewall, and the Tor anonymizing network. The workstation, completely separate from any network duties, can not provide any information about the host OS such as public IP or actual MAC address. This thwarts both geolocation and equipment purchase tracking.

Qubes is a type one hypervisor, a 'bare metal' solution based on Linux + Xen. This system boots to a graphical environment that has no network connection at all, connectivity is provided by a NetVM that accesses hardware, a ProxyVM that implements services such as Tor or a VPN, and workstations. Templates are provided so users can create workstations from a Fedora or Debian install and there is an alpha grade port of the Whonix system which is currently in need of a maintainer.
Adversary Resistant Networking There are two well known anonymizing networks supported by both TAILS and Whonix, namely Tor, The Onion Router, and I2P, the Invisible Internet Project. Cryptostorm's Zero Customer Knowledge VPN service is the third worthy contender in this category.

Tor was created at the U.S. Naval Research Laboratory and released to the public in 2004. This system provides a local SOCKS5 proxy that can access the clearnet via about 400 volunteer run Tor exit nodes. There is an internal addressing scheme where site operators can create .onion domains and these sites are used for all sorts of hosting, most notably for the dozen dark net markets that have sprung up in the wake of the takedown of the first two iterations of Silk Road, an online cybercrime/drug/weapons market.

I2P, the Invisible Internet Project, is similar to Tor in some ways, but there is no generalized access to the clearnet, so the primary function is for operators to create eepsites, which are similar to Tor hidden services, but ending with the extension .i2p instead of .onion. This network is a purely grassroots effort so it isn't nearly as large or as fast as Tor, but it has become more hidden site operator friendly with the publication of headless I2P software meant for virtual servers.

Cryptostorm provides a service that is superficially similar to other VPN providers, but there are important differences. These include:

Zero Customer Knowledge – instead of a userid/password subscribers purchase digital tokens, then use the hashed token as their username and no password. Other VPNs vow that they do not log, Cryptostorm simply avoids ever having enough information about its subscribers to do that.

Value added access and filtering – when the webrtc/STUN leak became public in early 2015 Cryptostorm had modifications to block this exposure within thirty six hours. When it became the Certificate Revocation Lists (CRLs) were being used to attack browsers they were immediately 100% filtered across the network. It is a testament to the hazard they CRLs represent that this change went entirely unnoticed by subscribers.

Hidden service in the Tor and I2P networks may be accessed directly via the Cryptostorm network, thanks to built in application proxies that translate requests for subscribers. There is room to debate the value of that versus local installation of Tor and I2P, but the service is present and no other VPN provider can make that claim.
Adversary Resistant Hosting Hardening operating systems is offering a tool, network transport for encrypted traffic is providing a service without being aware of the content, but hosting is an entirely different matter. Content may be politically provocative or even outright criminal in some jurisdictions. Servers are in datacenters, subject to law enforcement seizure and continued operation as watering hole attack locations against visitors.

There have long been “bullet proof” hosting companies, located in jurisdictions with permissive laws and little enforcement, promising that operators will never be shut down due to administrative action. Existing at the fringes of polite society, they are as likely to rootkit and rob interesting sites as provide them the promised service level. Tor's ability for hidden services to conceal what a server actually does has cut into the business of such companies, making it possible to host questionable content at major providers like Rackspace, OVH, or Digital Ocean.

The shining example of journalism/whistleblower oriented adversary resistant hosting is Secure Drop, an architecture created by the late Aaron Swartz, who committed suicide after being subject to overzealous prosecution. The system is now maintained by Freedom of the Press Foundation.

Two other notable hosting service developers are Thomas White of CthuluSec and LulzSec veteran Donncha O'Cearbhaill, both of whom do research on hardening hidden services in the Tor network.

Conclusion The militarization of cyberspace has been creeping up on us for a number of years now. The United States has pursued a failed strategy in the construction of CYBERCOM, attempting to build a deterrent, an analog to the role nuclear weapons played during the Cold War.

The Soviet Union's denied areas of the 1970s, thanks to satellite imagery and social media, are now accessible in a way the CIA could only dream of forty years ago. The shining example is Bellingcat's crowdsourced effort to identify who shot down MH17, and the grubby example is the smash & grab job on Hacking Team, who richly deserved such treatment.

The problems the Internet faces today will not be solved using lessons we learned in the Cold War. The only remedy when facing a network threat is to build a better network to face it.