Tor on a Stick

ToaSt


ToaSt is a framework that allows you to build your own USB anonymity bundles, similar to the one offered by Torpark (now xerobank). For the time being, these bundles incorporate Tor, Firefox, Polipo and some Firefox add-ons, including the development release of TorButton and Quick Locale Switcher with several built-in languages. The IE 6 theme is enabled by default for those who need to blend in with a room full of typical Windows machines.

[reload]
[todo]
[explanation]
ToaSt is dead! Long live Tor Browser! (2008-02-15)

ToaSt Download - Current Version
Version Date Size Contents Notes
ToaSt 0.1.0.10 2007-12-03 20 MB Tor 0.2.0.12-alpha
Firefox 2.0.0.11
Polipo 1.0.1
Torbutton 1.1.12
Other Add-ons
SHA-1:  43d00466796df9413d6b2f1adcbae27c208970f3
Warnings:
  • Open control port means this version of ToaSt is vulnerable to exploitation by malicious Web pages. See this post for more information
  • Vidalia support is quirky to the point of being nearly unusable. Sorry. The "quickie" ToaSter.exe bundle will remain frozen at version 0.1.0.9 until some of these issues are resolved.
Changes:
  • Added the Vidalia GUI controller, although many bugs remain to be worked out.
    • If you right-click on the Vidalia icon in the system tray, the first selection you make will be broken until ToaSt is restarted. As such, I recommend avoiding the "Settings" and "Message Log" options until after you have selected a less important option, like "Help," which will then refuse to work for the duration of your session. *shrug*
    • After you quit ToaSter or ToaSt, it may appear that Vidalia is still running. The green onion icon (not the Torbutton one...) will remain in the System tray. In fact, Vidalia has quit, and if you hover your mouse over this icon, it will disappear.
    • If you are using a version of ToaSt or ToaSter that is configured without a Bridge, and you click the "My ISP Blocks Connections to the Tor Network" option in Vidalia's "Network" pane, a default bridge may appear automatically, but it will not work (even after you press Save). If you delete this bridge, however, and add it again, bridging will be enabled. Of course, if you are using a ToaSter bundle (as opposed to running ToaSt.exe directly), this will only last until you quit the session.
    • One of the main reasons for including Vidalia in these bundles is to replace torcircuitstatus.exe with a secure, open source alternative. I have not yet begun trying to make this work. I'm betting that it won't be too difficult to have Vidalia tell the NSIS process when a circuit has been successfully established....


ToaSt Use Cases - Current Version
What and Why How
Use Case 1: "Wonder Bread"

Instant gratification

Ignore the rest of this page; get ToaSter.exe; verify its Sha1 hash (see below); put it on a USB drive; double-click it (directly from the USB drive) on a Windows computer that is not already running Tor. Startup should be relatively fast (less than ?? seconds on broadband), even the first time through, because files are copied to the hard drive temporarily. Changes made to the browser settings will not persist across ToaSt sessions. This version of ToaSter.exe has bridging disabled, to avoid overloading the small number of active bridges. The use case below will show you how to create a version of ToaSter.exe with blocking-resistance enabled.

Warning: Open control port means this version of ToaSter.exe is vulnerable to exploitation by malicious Web pages. See this post for more information

Note: The "quickie" release of ToaSter.ese will be frozen at version 0.1.0.9 until Vidalia support is improved. Sorry.
Quickie SHA-1:  44df70493c17d966b54c192b40cd717dd414885a
Use Case 2: "Golden Brown"

Because it's harder

Download ToaSt.zip; verify its Sha1 hash (see above); extract the ToaSt folder to a safe location; double-click the make.bat file. The resulting ToaSter.exe file should be identical to the one from Use Case 1. See instructions above. (Note: Linux users should run make.sh, rather than make.bat, and will need to install the p7zip package first. The resulting ToaSter.exe is, of course, a Windows application. There is currently no plan for a Linux version of the executable itself.)

Use Case 3: "Open Face"

Although it is slower (particularly on systems without USB 2.0 support), running ToaSt.exe directly from the USB drive has some advantages over ToaSter.exe, which makes a temporary copy on the hard drive. For example, this method allows the user to make persistent configuration changes at any time. It is also somewhat less likely to leave traces on the host's hard drive.

Download ToaSt.zip; verify its Sha1 hash (see above); extract the ToaSt folder to a safe location; copy 1) ToaSt.exe, 2) the App folder, and 3) the Data folder onto a USB drive; double-click ToaSt.exe (directly from the USB drive) on a Windows computer that is not already running Tor. Startup will take several minutes the first time through, and you may have to click the "Keep Waiting" button once or twice. Subsequent ToaSt sessions should begin much more quickly (less than ?? seconds with a broadband connection). Changes made to the browser settings will persist across ToaSt sessions.

Use Case 4: "Bruschetta"

Allows for customization even when using the (faster) ToaSter.exe method of execution. This "customization" can extend to completely new versions of Tor, Firefox, Polipo, TorButton, etc..
Download ToaSt.zip; verify its Sha1 hash (see above); extract the ToaSt folder to a safe location; double-click ToaSt.exe (from the location where it was extracted) on a Windows computer that is not already running Tor. Startup will take several minutes the first time through, and you may have to click the "Keep Waiting" button once or twice. Subsequent ToaSt sessions should begin much more quickly (less than ?? seconds on broadband). Once everything is working, modify browser settings, plugin configurations, themes, bookmarks, etc.. (This is your chance to remove the default IE theme....) You may find the "Restart Firefox" option in the File menu helpful, as it will refresh installed Add-ons without requiring a lengthy restart of ToaSt. When finished, quit Firefox and wait about 30 seconds. Double click the make.bat file. The resulting ToaSter.exe file should be a customized version of the one from Use Case 1. Put it on a USB drive, etc.

Use Case 5: "The Breadmaker"

Several of the methods above include steps to create a ToaSter.exe file. So far, however, they all use the pre-compiled ToaSt.exe file, which is a small Nullsoft Installer (NSIS) script that handles application execution, parameter specification, cleanup, etc.. In fact, it is quite easy to build ToaSt.exe as well (from the ToaSt.nsi source file), as long as NSIS and the necessary NSIS plugins are properly installed.

The ToaSt.exe file itself can be "compiled" on either Windows or Linux (for use on Windows, of course) by installing the appropriate software (NSIS and p7zip on Linux; just NSIS on Windows) then uncommenting the first command in make.bat or make.sh. Please see the explanation for instructions and a list of required NSIS plugins. This Use Case should only appeal to the most meddlesome of control freaks and to those who wish to validate the security of the binary ToaSt.exe.


Older Versions
Version Date Size Contents Notes
ToaSt 0.1.0.9 2007-12-02 15 MB Tor 0.2.0.12-alpha
Firefox 2.0.0.11
Polipo 1.0.1
Torbutton 1.1.12
Other Add-ons
SHA-1:  efdda578e5cb09dfc53c1c985b63c21ad5e9647d
Warnings:
  • Open control port means this version of ToaSt is vulnerable to exploitation by malicious Web pages. See this post for more information
Changes:
  • Updated Applications:
    • Firefox 2.0.0.9 -> 2.0.0.11
  • Updated Firefox Add-ons:
    • Torbutton 1.1.9.1 -> 1.1.12
    • Arabic, Spanish, Russian and Chinese locales updated to version 2.0.0.11

ToaSt 0.1.0.8 2007-12-02 15 MB Tor 0.2.0.12-alpha
Firefox 2.0.0.9
Polipo 1.0.1
Torbutton 1.1.9.1
Other Add-ons
SHA-1:  9a414ab5b83c9b599b5f9e191164f17fdbb6eaf6
Warnings:
  • Open control port means this version of ToaSt is vulnerable to exploitation by malicious Web pages. See this post for more information
Changes:
  • Tor's blocking-resistance functionality now works properly with the included Bridge
  • Updates from the default Bridge Authority now work properly, as well, which should allow Bridges to have dynamic IPs
  • Beginning with version 0.2.0.8, the "quickie" download of ToaSter.exe will have bridging disabled, making largely equivalent to Torpark/Xerobank
  • Fixed a bug that prevented Torbutton from disabling Tor
  • Updated polipo.config to be more secure
  • Updated Applications:
    • Tor 0.2.0.7-alpha -> 0.2.0.12-alpha
    • Firefox 2.0.0.7 -> 2.0.0.9
  • Updated Firefox Add-ons:
    • Dev Torbutton 1.1.7 -> 1.1.9.1
    • QuickLocaleSwitcher 1.6.3.4 -> 1.6.3.7
  • Bookmarks:
    • "Add Languages..." link 2.0.0.8 -> 2.0.0.9

ToaSt 0.1.0.7 2007-10-01 15 MB Tor 0.2.0.7-alpha
Firefox 2.0.0.7
Polipo 1.0.1
Torbutton 1.1.7
Other Add-ons
SHA-1:  08ba709c90b174751d2bf997df0ccfe25045c6b9
Warnings:
  • Open control port means this version of ToaSt is vulnerable to exploitation by malicious Web pages. See this post for more information
Changes:
  • Changed Firefox homepage to http://check.torproject.org
  • Set Firefox to load homepage on startup
  • Enabled a new default bridge
  • Disabled Bridge Authorities (bug?)
  • Opened control port for torcircuitstatus.exe
  • Updated Applications:
    • Tor 0.2.4-alpha -> 0.2.7-alpha?
    • Firefox 2.0.0.6 -> 2.0.0.7
  • Updated Firefox Add-ons:
    • Dev Torbutton 1.1.6 -> 1.1.7
    • QuickLocaleSwitcher 1.6.3.1 -> 1.6.3.4
  • Bookmarks:
    • "Add Languages..." link 2.0.0.4 -> 2.0.0.6

ToaSt 0.1.0.6 2007-08-09 16 MB Tor 0.2.0.4-alpha
Firefox 2.0.0.6
Polipo 1.0.1
Firefox add-ons
SHA-1:  679b70dc03f657746252571ea24aac26c2e0bc51
Changes:
  • Implements Tor's new (alpha) blocking-resistance feature
  • Implements Mike Perry's new version of TorButton, which replaces most of the privacy-oriented Firefox plugins that were previously included
  • General software updates

ToaSt 0.0.0.4 2007-07-02 15 MB Tor 0.2.0.2-alpha
Firefox 2.0.0.4
Polipo 1.0.1
Firefox add-ons
SHA-1:  5a60d24316c816711f5d6708324038950cf2f7f2
Use Case 1: "Wonder Bread"
N/A

Use Case 2: "Golden Brown"
(see above)

Use Case 3: "Open Face"
(see above)

Use Case 4: "Bruschetta"
(see above)

Use Case 5: "Bootstrap Bruschetta"
Follow the instructions for Use Case 4, but instead of running make.bat, run make-bootstrap.bat. You will not have to answer 'Y' because the script does not need your permission to remove directories. The resulting ToaSter-bootstrap.exe should be a customized version of ToaSter.exe that includes a cache of Tor router information and uses the __AllDirActionsPrivate option to evade packet filtering techniques such as those described here and, to a lesser extent, here. Startup time is extremely fast (< 30 seconds on broadband), assuming the router information is current. (Note: If you run make-bootstrap.bat immediately after running make.bat (without running ToaSt.exe in between), you will create a ToaSter-bootstrap.exe with no cached router information. It won't work.)

Use Case 6: "The Breadmaker"
(see above)
ToaSt 0.0.0.3 2006-12-17 19 MB Tor 1.1.23
Firefox 1.5.0.7
Polipo 0.9.99.0
MD5:  abaa7da3f0eccc242c1a4f9656103718
Version 0.0.0.3 of the framework has been changed to enable bootstrapping by default. Because...why else would you bother with all of this? Having said that, the only pre-bundled (read, "ready to throw on a USB stick") version of the application included in ToaSt.zip is ToaSter_nobootstrap.exe. If you want to play with bootstrapping, you'll have to read the explanation and figure out how to bundle ToaSters.

ToaSt.exe will run in /bootstrapprep mode by default, leaving its directory information around for you to bundle using make.bat or make.sh. No need for a Windows command shell. 7zip.conf now includes the /bootstrap switch by default, so the resulting ToaSter.exe will do the sneaky thing. This is in line with the explanation.

7z.exe is now included in ToaSt.zip, which should allow Windows users to make a fresh ToaSter.exe (using make.bat), without having to install software. If you want to build it (for Windows) on Linux, you'll still need the p7zip package.

Building ToaSt.exe itself (rather than just rolling a new ToaSter) requires all of the NSIS stuff, regardles of whether you are building on Linux or Windows. It also requires that you uncomment the first ("makensis...") command in make.bat (windows) or make.sh (linux). See explanation for more information.
ToaSt 0.0.0.2 2006-12-15 28 MB Tor 1.1.23
Firefox 1.5.0.7
Polipo 0.9.99.0
MD5:  e69e2e04c78266a4379786e4490ee3b0
ToaSter_bootstrap.exe will be outdated by 2006-12-17. To create a new one, run "ToaSt.exe /bootstrapprep" from a command prompt, let it establish a circuit, then quit. The optional flag will prevent ToaSt from removing the directory descriptors after it exits. Modify make.bat to use 7zip.bootstrap.conf instead of 7zip.conf, then run the batch file. The resulting ToaSter.exe will use pre-cached router descriptors (which will expire in...24 hours?) and perform directory operations, confidentially, from "inside" the Tor network. This should circumvent http-based filtering techniques such as those described here and, to a lesser extent, here. This will require you to have 7-Zip installed, but not NSIS.

(...forgive us our kludges as we forgive those who kludge against us....)
ToaSt 0.0.0.1 2006-12-13 NA Tor 1.1.23
Firefox 1.5.0.7
Polipo 0.9.99
Nevermind...

This project owes a great deal to Steve Topletz, John Haller, Roger Dingledine, Nick Mathewson, Mike Perry and others.
It is, however, not their fault....

Last updated 2007-12-03@03:40 Pacific Time