Digital Privacy and Anonymity: Why it's important and how to achieve it! How to maintain your privacy online.

MFAAS

Howdy y'all! Good morning. Happy mothafuckin SATURDAY!!

I wanted to write this up, because I am a strong believer in privacy, I have a very strong background in IT (specifically IT Security), and I know it seems like a TON of people are just unsure about how to gain privacy online and how to keep their lives and livelihoods safe from those fucking assholes that enforce the laws of the 100% unnecessary "War on Drugs." This post is meant to provide detailed information about privacy and the different entities that spy on us and why. The government portion is focused on the US as that is where I am, but it applies to most modern countries and many are FAR WORSE than the US in terms of digital privacy.

The recommendations are meant to be a guide to total internet hygiene and privacy. I think you'll find the tips extremely helpful, not only in regards to the allegedly grey-market stuff some of us on this forum may or may not partake in, but also just in general in life.

INTRO/BACKGROUND (or just skip down to the recommendations if you want, but there is good stuff in here!)

Privacy is of paramount importance for peeps like you and me, who allegedly do things online that some might consider to be "not good." In the modern age, ISPs track and log EVERY SINGLE THING you do online. They know what kind of porn you watch, they know what your hobbies and interests are, they know a good bit about the medical issues you face in life, medications you take, illegal drugs you use or are interested in, they know WAY more than I think they should. Which is why I am writing this guide to help us all out.

The length of time that this information is kept varies wildly. Federal laws actually dictate that ISPs must keep logs relevant to identity of the user for X number of days/months to ensure that if the government needs to subpoena or request logs, they are able to do so. There are laws requiring ISPs to keep logs in nearly every country, and some of the big ones are:
- USA: 90 days
- EU: 6 months
- China: 6 months
- India: "usually 3-6 months"

One thing to note is that those laws also vary by country as far as exactly what the ISP is required to log and how the ISP is required to work with Law Enforcement. Usually ISPs don't keep ALL logs for longer than necessary or gather more info than necessary, being those logs cost them money to collect and store. However, if you are doing anything sketchy, like torrenting, using TOR browser or one of its alternatives, There are tons of different laws that relate to the right to privacy and anonymity online, including, but not limited to: the National Security Act; Foreign Intelligence Surveillance Act; USA PATRIOT Act; Terrorist Surveillance Program; Electronic Communications Privacy Act. There is WAY too much for me to get into each one, nor do I really want to become a self-proclaimed lawyer of digital rights--there is just too much legal crap about each individual law. The point is that the US government, and most other governments, put into place whenever possible laws that invade our privacy as much as possible. If there isn't a law specifically prohibiting them from doing something, assume they are doing it...and even if there is, they might do it anyway (Snowden). They do every single thing within their power to track everything we do online, all in the name of protecting national security and many other excuses.

I'm not trying to make this a political discussion and will request that people refrain from making political comments; the next two statements are simply factual events that occurred and I am calling out the party responsible: we could have had more rights, but this happened instead. Unfortunately, it is way too fucking difficult to get our rights to privacy expanded. In fact, in the US there was an attempt last year to expand privacy to protect Americans' internet browsing and search histories from federal surveillance, but it failed by ONE fucking vote because the Republican party basically said they will no longer support this bill because Trump switched his opinion and no longer liked it, bitching about it in tweets repeatedly. More detail about how the Republicans refused to let us have more privacy rights: "At the request of the Speaker of the House, I am withdrawing consideration of the FISA Act. The two-thirds of the Republican Party that voted for this bill in March have indicated they are going to vote against it now," Hoyer, D-Md., said in a statement.

Republicans have also introduced multiple bills trying to entirely ban the use of encryption or provide the government backdoors to decrypt ALL encryption technologies, all in the name of "national security" as they often do, and the constantly-used excuse that it is just to prevent inappropriate child-materials from circulating the internet. I absolutely 100% support catching and imprisoning people who consume inappropriate child materials, that is disgusting and they should be prosecuted HARD, but I am vehemently opposed to invading and destroying the privacy rights of every person in America in the process of doing so.

Related side track: This is an AMAZING resource that is quick and easy to read about what exactly the government can request with and without a warrant.

So, we have covered ISPs to some degree as well as Government Agencies/Entities. We have scratched the surface on the fight for digital privacy and those who fight against it. As though these things aren't bad enough, add in the fact that data mining and tracking is BIG BIG BIG business. Like, fucking huge. In 2019 it was a $125.18 BILLION dollar business in the United States ALONE. That is expected to increase to $152.97 BILLION by 2024, again that is just in the US. Advertising is literally the backbone of these companies and it is built off of YOUR and MY private, personal data. Two of the biggest are:
- Facebook: 97.9% of revenue comes from advertising
- Google: 70.7% of revenue comes from advertising

For example, Facebook tracks every site you visit that it possibly can, even outside of Facebook itself. They do this by using cookies to track your non-facebook activity on any site that has facebook extension features. You know the little facebook/twitter/pinterest/whatever extension where you can click on it to like something right from that page? Like this:
[screenshots of social like/share buttons, images not included]


Or ones that have the "login with facebook/google/apple" SSO feature? All the sites with those social SSO extensions feed info back to facebook, sharing exactly what you visited in that site, exactly what you did on the site and when you did it, even potentially how long you visited specific pages/looked at specific images. Another important thing is that these companies share data in both directions (often accompanied with a financial transaction): any website that uses the facebook feature sends info back to facebook, but facebook can also share info with them. This means these random third party websites can often see things like your full name, gender, email address, phone number, relationship status, and more. Basically anything you put on that god forsaken social media site can and will be shared with anybody they possibly can--for the right price!!! $$$$ The same goes for all these other sites.

Article: Think twice before using facebook, google, or apple to sign in everywhere.

Tracking data is BIG MONEY. That is the primary motivator for all these private companies I mentioned. They actually build massive virtual profiles of each individual that uses their services. As I said at the beginning, they know what your hobbies and interests are, they know where you live, where you sleep, your favorite restaurants, your sexual preferences/habits, and more. They aggregate all this information at any chance they get. These companies sell this data to one another to expand their data sets and compile even more information. Their main motivator: advertising. Ads that are targeted to you based off your interests are more likely to be clicked on (though I personally truly do not understand who the fuck clicks on an ad). Even if I see an ad I like (which almost never happens) I will just open a new tab and search for that product. I actively go out of my way to ensure they make as little money off of me as possible.

Article: Google is giving data to police based off search keywords

So does that mean google will give police info of what keywords you searched for? Yeah! That is not even in question. This is actually much worse. What this means is that the five-O say "Hey google, give me the name, address, telephone number, Social Security numbers and IP addresses related to every person who searched for <insert search term here>." This means even if you aren't under investigation, you could get eyes on you and potentially be investigated because you searched for a certain term using google when you were logged in and not using VPN and not using a private browser, so they could tell who you are. This is why using good OPSEC protocols (operational security) and a paid VPN that doesn't keep any logs is SO important!

There are many instances

Alright, so we have covered the following:
1. ISPs track you and will sometimes track you extra if there is suspicious traffic coming from your computer/network. This could be TOR browser, torrenting, scanning other networks or doing anything that looks like it could be malicious, etc.
2. The government tracks the hell out of you at every possible opportunity, some legal...some not...this is through your PC, your phone, your smart appliances and your google home/alexa, your "smart" car. The more technology you're surrounded by, the less privacy you have. Personally, I won't ever buy a car newer than 2012 or 2013, because I refuse to take part in this smart bullshit. It is a safety risk as well as a privacy risk.
3. Private Companies track you like crazy as far and wide as possible, exchange and sell your data between dozens of different business entities, all in the name of profit at the expense of your privacy.

RECOMMENDATIONS:

You can mitigate these issues and maintain anonymity and privacy online--it actually isn't that hard if you are smart and careful. All it takes is a few privacy programs and features, some knowledge and understanding, and good privacy/OPSEC hygiene and habits to make it happen. This is not a fully exhaustive list, but if you did everything on here you are going to be in very good shape. After reading through and implementing these things, searching DuckDuckGo for more information about privacy settings and how to be private/anonymous online would be a great thing to do.

So here is the list, go!

1. First things first, use a good, PAID VPN that does not keep logs. The following are considered the best VPNs.
- ExpressVPN - there is a real-world case where one of their servers was seized by law enforcement and turned up ZERO information, which verifies that they really do not keep any logs. They also have a third-party audit verifying that they do not keep logs. This is the number 1 choice for VPNs IMO.
- Perfect Privacy - there may be a real-world case here too. Perfect Privacy announced that Dutch authorities had seized two of their servers as part of an investigation and said nothing was turned up as they don't keep logs. They didn't say why the servers were seized though, so it's possible that they weren't looking for customer connection logs anyway...we aren't really sure.
- VyprVPN - third-party audited to verify no logs are kept at all
- NordVPN - has an audit verifying they don't keep logs, however this was an internal audit, so it is possible it's not true, though we have NO reason to believe that is the case.
- PureVPN was proven by an FBI case that THEY DO FUCKING KEEP LOGS. They are fucking LIARS and if you use PureVPN you should cancel your account immediately and switch to one of the other 3 above. Since then they have said they've updated their policy and no longer keep logs, but I wouldn't trust them ever again, not after someone got arrested (not saying they didn't deserve it, but the principles of PureVPN as a company are obviously bullshit).

- ^^ Personally I would use ExpressVPN, VyprVPN, and would also be comfortable using Perfect Privacy or NordVPN, myself. DO NOT use free VPNs!! ^^

2. If you use chrome, make sure you're not logged in to chrome itself, that will allow google to see every single site you visit and what you do ALL THE TIME.
Does your chrome browser look like this? Because it should! DO NOT log in to the browser itself!!
[screenshot of Chrome not signed in to a Google account, image not included]


3a. Best practice, use VirtualBox and build out a privacy virtual machine (VM) using Tails (preferable) or linux (acceptable) to use for anything related to "shopping" or other allegedly not-so-legal activities. Use a VPN on your host machine, then also install another VPN from a different provider on your VM, then use TOR from your privacy VM and also have your crypto wallet and all your PGP keys and utilities installed there too. This is the machine you will actually DO stuff from.
3b. Always use a different, privacy based browser for all grey-area activity--or just ALL activity, like I usually do. Technically 3a is probably overkill for just ordering some gear over anonymous email. However, it can be good to be on the safe side. Regardless, for just browsing activity things like forums about steroids, drugs, etc. I prefer DuckDuckGo browser and search engine and obviously always be connected to VPN. There's no reason not to use DuckDuckGo browser. At minimum, if you are against DuckDuckGo you should ALWAYS use a private browsing session before you navigate to any of these sorts of sites, and use DuckDuckGo search engine. Important note: if you are connected to a VPN, but then you are logged in to Amazon or Facebook or something from the same device, then investigators could easily aggregate those logs and determine that you were connected to that VPN server at a specific time. This is why it is so important to log out of other web apps and close out unnecessary windows when doing anything potentially shady.

4. Use an anonymous email provider, such as ProtonMail, Tutanota, SecureEmail. There are some others, but those are the big names.

5. Make sure to ENCRYPT your messages especially if they contain sensitive information!! Learn how to use PGP. I know some of these services say "automatic encryption" but you can't trust it. First, often a password must be agreed upon for that to work, and most people don't actually use it. So the email just ends up being unencrypted. Your best bet is to get the PGP key for the other party and manually encrypt your message using their key. Then send them your key so they can encrypt messages back to you using your own key, and you can decrypt and read them. Even better, learn how to use signed messages, so you can verify who you're talking to. Search DuckDuckGo for how to do this, it really isn't that hard. I just use bash command line for this stuff, but for Windows the best app is probably Kleopatra.

6. Next, go through any accounts you have, google, yahoo, facebook, twitter, linkedin, insta, whatever, and manually change all the privacy settings to minimize the amount of tracking they do on your account. This won't STOP it entirely, but it will limit it. Also, do a quick search to find whether it is possible to request they delete all your data. For example, for Google and Facebook, they will track your location history and keep it forever. They'll have every GPS coordinate you've been to for the last X years, BUT you can request they delete all your location history, etc., then turn off the setting so they stop gathering this in the future. Some people don't care about it and like being able to see where they've been, but personally, I don't have any fucking desire for google or facebook or ANYONE ELSE other than me to know where I have been, they can suck a big fat dick instead.
6a. Also, note that companies UPDATE these settings and options on occasion!! So it is important to go back and review them maybe once or twice per year. I just went back to facebook and found they added a bunch more settings and guess what, they defaulted to be ON!! So I had to go turn that shit off.
6b. NEVER use the "login with facebook/google/apple" features. If you struggle to remember passwords (and even if you don't), download a good, free app like PasswordSafe or KeePass and use a super strong password for it. A good example of a password is: "I won't 3ver forg3t!!This PASSwerd-because it is SO EASY TO remember$4$4" Using long phrases like that with some l337 and special chars here and there is the best way to go. Phrases are easy to remember and that is so long that it would take decades to brute force it with today's technology.

7. I swear, please do not be one of the idiots that doesn't update your profile settings on your social media sites! By default, they make almost EVERYTHING public and collect ALL the data they can. Your photos, your posts, the things you like, what school you went to, sometimes even your email address and birthday!! CHANGE YOUR FUCKING SETTINGS!! It only takes 10 mins or so to fix all this stuff and make it so that only your friends can see it. If you have had these settings on for the last several years, you can request to download your data from sites like Facebook and Google--that will give you a nice idea of just how much these companies track. Then make sure you request to delete it all :)
7a. For privacy settings, set everything possible to either "Only Me" or "Friends" - don't even do "Friends of Friends" because SO many people just add anyone that sends them a friend request. This is how the fucking Russians and Chinese and African hackers social engineer people so easily: they friend them on Facebook/LinkedIn and then they learn ALL this info about them and are able to fuck them over. Just make your profile more private. Turn off fucking face recognition too!

8. On the topic of facial recognition, I will also mention that fucking evil companies like Clearview AI literally scrape social media websites (even though it's against their terms of service) to steal pictures of you to plug into their facial recognition algorithm, which they then share with law enforcement!! This is part of why #5 is fucking CRITICAL!!! Make your photos private, for the love of god!! There have been people who have been wrongfully arrested because of Clearview AI! As of last February, they had 3 BILLION pictures in their database and law enforcement have been able to get a warrant for an arrest solely based on a facial recognition match. Honestly, the CEO is a piece of shit who is selling his tech to several countries with track records of human rights violations. It seems their tech is pretty fucking shitty; some of the matches it provides are just blatantly wrong, which as we saw above has led to wrongful arrests and innocent people spending time in jail. The less it has on you, the better. This is just one more reason why it is SO FUCKING IMPORTANT to make your shit PRIVATE!!! A few bills have been introduced to try to protect people from facial recognition in the hands of law enforcement, but they haven't gone anywhere.

9. From the mobile side: at minimum, take the 20ish minutes to tweak the shit out of your phone settings for maximum privacy. Just use DuckDuckGo to search for "Android/iOS version <X> privacy settings guide" (your version) or something similar. Then follow the advice to ensure your phone is set up for maximum privacy. Personally, I would also recommend uninstalling any apps that track you when you're not actively using them. This includes Facebook app and Facebook messenger, TikTok is one of the absolute worst, Instagram and LinkedIn (both owned by Facebook), Twitter, and more. First off, do these sites really improve your quality of life? Are these services REALLY worth spending your time and life using? Is there nothing better you could do with your time?
9a. Make sure to turn off your location when you're not actively using maps and your wi-fi when you're not at home. Also make use of airplane mode whenever you can! This will prevent your location from being tracked. Use a VPN on your phone, too. Google has a literal map of ALL the different wi-fi networks in the entire country. It can determine your location simply based off of what wi-fi networks your phone can see when wi-fi is on. Turning it off stops this scanning from taking effect and makes it harder for companies to track you.
9b. Check out privacy extensions and apps such as: uMatrix, HTTPS Everywhere, NoScript, AdBlock Plus for browsers. Check out Photo EXIF Editor to remove personally identifiable information from photos before you post them online (you wouldn't believe how revealing photo metadata is, this lets you clear it all out so it is literally just a photo with a filename). Check out FreeOTP instead of Google Authenticator, as Google Auth isn't open source and we don't know what they can see in the app. Check out apps like AccessDots to be alerted when an app is accessing your microphone or camera.

10. Lastly, remember that BITCOIN ISN'T FUCKING PRIVATE!! The government can track and trace bitcoin transactions, as well as many other cryptocurrencies. You need to use something like Monero instead and it's best to get it through an anonymous method like localexchange or some other service where you don't need to provide any personal information to sign up and use it.

Turn it up to 11: If you want to go ALL OUT and turn that privacy/anonymity dial up to 11, instead of following 3a, search DuckDuckGo for darknet privacy guides, they are much more extreme in some places than this. The main difference will be the recommendation not to use a VM anymore, but instead having a burner laptop with Tails installed isn't hard, and is the best level of privacy and anonymity you can attain so long as you do it right. Probably overkill for what we do, but some people want the peace of mind. Then worst case scenario you can just smash the hard drive and literally destroy any evidence.

I know it's a lot, I started this yesterday morning and am just now finishing...spent way more time than I originally thought I would on it (which really shouldn't surprise me, y'all know I write a lot). Hopefully this is helpful for people!
 
Thanks a lot man... @Millard I think it should be a stickied thread
Thanks man! The sheer ability for these companies and the government (and foreign governments) to track us is absolutely insane. I just saw an article about a darknet VENDOR (not AAS, other, bad shit) that got arrested because he was using the same username between his DNM vendor activity and his dating profile and his twitter...like how stupid are you man?

Anyway, far too many people just don't think about it, or if they do, they just don't know how to even go about starting to be more secure. Given my background I thought this would be a nice addition for people :)

Be safe yall!
 
Hey thanks @MFAAS this is very informative. Do you think it's okay to put your actual name for the shipping information or is it better for an alias to be used?
 
Hey thanks @MFAAS this is very informative. Do you think it's okay to put your actual name for the shipping information or is it better for an alias to be used?

If you use your real name and address make sure to encrypt it. Don't trust the tutanota or protonmail built-in encryption, because it still shows the email in clear text. Use the vendor's PGP key to encrypt it yourself. Honestly you should do that even if you are using an alias. The answer to your question will totally depend on your post office though. Some will be very suspicious of fake names or initials, etc. I don't think there's any way to know if yours is or not. Best thing to do is, when you move into a new place, immediately start getting some mail by another name along with your real name, that way you can use that too.
 
If you use your real name and address make sure to encrypt it. Don't trust the tutanota or protonmail built-in encryption, because it still shows the email in clear text. Use the vendor's PGP key to encrypt it yourself.

Honestly I'm a bit lost on how to do this. Sure we can ask a vendor, but if we get the PGP key, where do we enter the PGP key?
 
Honestly I'm a bit lost on how to do this. Sure we can ask a vendor, but if we get the PGP key, where do we enter the PGP key?
You use an encryption program like OpenPGP via GnuPG on a Linux shell. Look up a YouTube video on how to encrypt messages with PGP and you should find some tutorials.
 
Superb article, thank you!

A little over a month ago, on September 16th, 2021, Edward Snowden tweeted:

Edward Snowden
@Snowden

If you're an ExpressVPN customer, you shouldn't be.


View: https://twitter.com/Snowden/status/1438291654239215619


This was in response to a tweet by Joseph Menn, wherein he stated:

Joseph Menn
@josephmenn
Sep 14

The at least until recently CIO of big VPN ExpressVPN is one of the
three former U.S. intelligence operatives who agreed today not to fight
charges they illegally helped UAE hack people. Kind of makes you think.


View: https://twitter.com/josephmenn/status/1437885720169836544


MotherBoard/Vice had an article about this:

ExpressVPN Knew 'Key Facts' of Executive Who Worked for UAE Spy Unit

Daniel Gericke, an executive of the company, previously helped build the
UAE's Karma hacking system, according to court records.


"We’ve known the key facts relating to Daniel’s employment history since
before we hired him, as he disclosed them proactively and transparently
with us from the start. In fact, it was his history and expertise that
made him an invaluable hire for our mission to protect users’ privacy and
security," ExpressVPN told Motherboard in a statement.

"Daniel has a deep understanding of the tools and techniques used by the
adversaries we aim to protect users against, and as such is a uniquely
qualified expert to advise on defense against such threats. Our product
and infrastructure have already benefited from that understanding in
better securing user data," the statement continued.

On Tuesday, unsealed court filings described how Gericke as well as Marc
Baier and Ryan Adams faced charges for their part in working on Project
Raven. The court records say that the three violated the International
Traffic in Arms Regulations and conspired to commit access device fraud
and computer hacking offenses.

The court records say that the three took a zero-click exploit, which
allows takeover of a device without any user interaction, and implemented
that into Karma, the hacking system used by the UAE's Project Raven.
Project Raven involved the hiring of former U.S. intelligence hackers who
then worked on behalf of the UAE government, Reuters reported in 2019.

The court records also describe other uses and purchases of exploits by
the group.

The court filings detailed that prosecutors will drop the charges if the
three men cooperate with U.S. authorities, pay a financial penalty, and
agree to a list of unspecified restrictions on their employment

"We were confident at the time and continue to be confident now in
Daniel’s desire and ability to contribute to our mission of enabling users
to better protect their privacy and security. He has demonstrated nothing
but professionalism and commitment to advancing our ability to keep user
data safe and private. Our trust in Daniel remains strong," ExpressVPN's
statement continued.

"Of course, we do not rely on trust in our employees alone to protect our
users. We have robust systems and security controls in place in all our
systems or products. We also engage and provide significant access to many
independent third parties to conduct audits, security assessments, and
penetration tests on our systems and products," it added.
 
Thanks man! The sheer ability for these companies and the government (and foreign governments) to track us is absolutely insane. I just saw an article about a darknet VENDOR (not AAS, other, bad shit) that got arrested because he was using the same username between his DNM vendor activity and his dating profile and his twitter...like how stupid are you man?

You would be amazed! I recall reading about a vendor on the original Silk Road (almost 10 years ago, now) who re-used an email address on his PGP key. This email address was used to register a hobby site he had setup a couple of years earlier. A quick whois query on the hobby domain (from the address on the PGP key) yielded the vendor's real name, address and mobile number with less than 5 minutes of effort.
 
You would be amazed! I recall reading about a vendor on the original Silk Road (almost 10 years ago, now) who re-used an email address on his PGP key. This email address was used to register a hobby site he had setup a couple of years earlier. A quick whois query on the hobby domain (from the address on the PGP key) yielded the vendor's real name, address and mobile number with less than 5 minutes of effort.
Well THAT is just plain stupid! That isn't quite as bad as that guy who used the same username on his darknet dealer screenname as his dating profile and snapchat and some other shit. Fucking straight retarded, that one.

Granted, the original silk road...man that was before proper OPSEC had even really been fully defined. I still can't believe he wouldn't rotate keys...
 
Well THAT is just plain stupid! That isn't quite as bad as that guy who used the same username on his darknet dealer screenname as his dating profile and snapchat and some other shit. Fucking straight retarded, that one.
One of the SR mods told me that the number of people who registered their SR accounts using Gmail, Yahoo and similar clearnet email addresses was in the tens of thousands, and this was despite an admonition by the SR site operators NOT to do so!

Granted, the original silk road...man that was before proper OPSEC had even really been fully defined. I still can't believe he wouldn't rotate keys...
OPSEC was well defined -- it had been defined by the Cypherpunks in the mid-1990s -- there were even people on Silk Road who advocated for secure practises to be used, but they were totally, and willfully, ignored. There were users who pleaded with DPR to make the use of PGP mandatory on SR, but he stubbornly held on to his Libertarian principles of 'voluntaryism'.

As a result, vendors reported at that time that some 80-90% of people didn't even bother to PGP-encrypt their shipping addresses. When the SR servers were eventually located and seized, the authorities literally could not believe their good fortune, in that 80-90% of the data on the site was in the clear (i.e. unencrypted).

This was despite the fact that DPR had been told, over and over again, that the only protection the user data would have, in the case of the servers being hacked/seized, would be if it was PGP-encrypted.

I read about one vendor, who stated what it was like, to sit in court, and listen to his Silk Road PMs (private messages) being read aloud into the court record as evidence against him. He stated that if he had been more diligent (not to mention consistent) in his use of PGP, that these PMs would never have been available to use against him in court. It was in large part because of these that he went to prison.
 
Honestly I'm a bit lost on how to do this. Sure we can ask a vendor, but if we get the PGP key, where do we enter the PGP key?
You add the vendor's PGP key to the copy of the PGP software that you are running on your desktop/laptop computer. You use the same copy of that PGP software to generate your own PGP key, which you supply to the vendor for him to use to encrypt messages to you.

I realize it sounds daunting, but it's like learning to drive -- we all remember what it was like when we were 16, and learning to drive, it all seemed so overwhelming at first, but once you get used to it, it becomes second nature.
 
Yeah, for whatever reason people didn't take it seriously then. And many still don't. The number of gear vendors that don't have PGP and don't use anonymous currencies is just jaw dropping.
 
The single biggest weapon in the authorities' arsenal is end-user laziness and/or unwillingness to learn proper tradecraft. I remember in the early-to-mid 1990s, how law enforcement agencies were literally having fits, over the prospect of criminal use of strong encryption. They used to argue that key escrow was required, because otherwise their investigations would be stopped in their tracks.

The Cypherpunks, on the other hand, believed that if only the tools were made available, that people would immediately start using these to protect their privacy.

Both the dreams of the Cypherpunks, and the nightmares of law enforcement failed to come to pass, and for the same reason: they both foundered on the rocks of apathy and indifference.
 
Reposting from another thread where a user questioned the benefit of PGP encryption:

It is called "Pretty Good Privacy" (PGP) for a reason: it is pretty good. Not perfect. Not military-grade. Not uncrackable. However, the math behind the encryption isn't what's been cracked (as long as you use a strong enough key), it is how users use it. Eventually, compute power will be such that yes, it will become obsolete, especially if quantum computers manifest in the way technologists are aiming for. But they aren't going to use it for low-level drug offenders, that will be used to crack encryption of foreign adversaries, governments, hacker groups that are doing widespread and major damage to various institutions.

So yes, it isn't PERFECT...
However, it is DEFINITELY better than nothing. Consider the following three scenarios:
1. Nobody encrypts anything: anytime an email server for a company like tuta or protonmail, etc., is accessed by the feds (either via subpoena or because they try to hack into things like this on the regular) or they compromise your home PC or seize it in an investigation, they get clear-text access to everything. Boom, gold mine, super easy access, zero work required. They can go wild.
2. Some people encrypt stuff, others don't: same scenario, only this time you can be damn sure the feds are going to go after those who DIDN'T encrypt their messages FIRST, because it's less work. Why go through all the trouble to try to crack encryption when you can just nail people who didn't encrypt and move on? Additionally, people who use weak encryption (2048 bit isn't weak, per se, but everybody should be using 4096 bit keys nowadays, which should provide protection beyond the year 2031) get targeted first because it takes minimal effort.
3. Everybody (or most people) encrypt: the feds have no idea what is what. Sure, your messages are obviously trying to keep something private...but what? It could be homemade porn, it could be an order for some schedule 4 or 3 drug that will barely be a misdemeanor and could even get dismissed. Hell, maybe you are just chatting about some private stuff and want to keep it private. Now they have to scour through all these messages, using massive amounts of compute resources to attempt to crack them or brute force the passkeys. Again, they will target the weak keys first, because that is what is easiest. Then they will move on to the others if they still have the funding and haven't gotten distracted by some other initiative or operation.

So, you see, regardless, using encryption IS better than not using encryption. If you DON'T use encryption, then rather than them seeing your encrypted message and thinking "oh, she/he is hiding something", they will just index all the emails and do a keyword search for various words that imply illegal substances, etc.

Cracking encryption is not easy. As I said, it requires a lot of compute power. In the end, the feds are NOT going to spend the cycles (computer or time, lol) on trying to decrypt random messages that they aren't sure contain something of value. It is expensive for them to try to crack keys or passwords. You would already have to be a pretty high profile suspect in an ongoing operation for them to spend the effort decrypting your messages/keys.

Generally, if you are a suspect, they are going to try alternative things. They will hack into your personal PC and install a keylogger and try to see what you are up to--again, in clear text (they LOOOOVE clear text).

It's not like the feds have some magic backdoor to PGP, or if they do nobody knows about it, and if you do @Delphi , please share the juicy details lol

In the end, you ARE better off using encryption than not. That is just a fact.

In the US, the 5th amendment protects us from handing over something that would incriminate ourselves, that includes our PGP passphrases (you better be using a fucking long ass passphrase and not a password). Note: IN THE UK YOU CAN BE JAILED FOR REFUSING TO HAND OVER YOUR PASSWORD/PASSPHRASE TO POLICE.

For those interested, here is a list that was exposed by Edward Snowden that covers the technical details of the different tools the feds have to have into various devices.

So @Delphi I must wholeheartedly disagree with you. I have worked in the IT Security space for over a decade and I know for a fact clear text is NEVER good. That is how organizations get pwned over and over again, that is how feds target people when they compromise darknet market servers, that is how fucking assholes target people for blackmail, etc. The compromise is not that the math behind RSA has been cracked, it is that users use shitty passwords or their PCs get hacked, allowing the feds access to their keys and passwords. The main issue is with both OPSEC and with how users manage their PGP keys. Key management is a pain in the ass, people lose their keys or forget their passwords, they leave old keys sitting around, they don't rotate keys often enough or EVER, so if your passphrase DOES get cracked, they have access to EVERYTHING you've EVER done, or the user writes the password down somewhere or stores it in clear text somewhere on their computer that, during an investigation, the feds can easily find...THAT is the real issue here.

The key here is NOT using any "built-in" encryption from email clients like tuta or protonmail, or even Gmail and the like, you MUST use an actual PGP client on your own PC--and preferably a burner PC that you never, ever connect to your home network so it is not linked to you in any way.

Hopefully this settles it. Using PGP IS beneficial, 100%, this is NOT debated within the IT Security community at all. What it comes down to is HOW it's used and how high profile of an actor you are in any given investigation.

Edit: IMPORTANT: one other thing people fuck up with is storing their drafts in clear text and leaving them there. Once your message is encrypted and sent, DELETE THE FUCKING DRAFT: the best thing to do is to open that same file, erase all the text, then just store it as a blank file. That way, so long as file versions are turned OFF, nobody could recover the file with a disk recovery tool. The ABSOLUTE best thing to do is to use a non-persistent OS like Tails. As I said in the original post, google darknet privacy guide for more info on this as well as more intense privacy tips.
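The draft-wiping step above, as an added example that is not the poster's own code: overwrite the draft's bytes in place, sync to disk, then keep it as an empty file (or remove it). The sample draft is constructed, and the caveat in the docstring is why the post's Tails recommendation is the more reliable option.

```python
import os
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large drafts need not fit in memory


def wipe_draft(path, keep_empty_file=True):
    """Erase a draft the way the post recommends: overwrite its bytes, then keep
    it as an empty file (or remove it). Returns the number of bytes overwritten.

    Caveat: on SSDs, copy-on-write or journaling filesystems, snapshots and
    cloud-synced folders the original blocks can survive this, which is why a
    non-persistent OS such as Tails is the more reliable choice.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\0" * n)  # zero the original plaintext in place
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the zeros to disk, not just the page cache
        f.truncate(0)         # leave an empty file rather than a zero-filled one
        f.flush()
        os.fsync(f.fileno())
    if not keep_empty_file:
        os.remove(path)
    return size


def demo_wipe(keep_empty_file=True):
    """Constructed demonstration: write a fake draft, wipe it, report the outcome."""
    draft = b"Constructed sample draft text that must not survive on disk.\n"
    fd, path = tempfile.mkstemp(prefix="draft-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(draft)
    wiped = wipe_draft(path, keep_empty_file=keep_empty_file)
    still_exists = os.path.exists(path)
    final_size = os.path.getsize(path) if still_exists else None
    if still_exists:
        os.remove(path)  # clean up the temporary file after the demonstration
    return {"bytes_overwritten": wiped, "exists": still_exists, "final_size": final_size}


if __name__ == "__main__":
    print(demo_wipe())
```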
 
Thank you for yet another superb post!

PGP isn't perfect, no -- but it was (and is) good enough for Julian Assange and Edward Snowden, both of whom have been directly targeted by the largest, most powerful intelligence agencies in existence.

2048-bit keys are indeed becoming vulnerable -- the year I've most often seen quoted when these keys may become breakable is 2030 or thereabouts. I've been advising people to use 4096-bit keys since the software was able to generate keys of this size, about 20 years ago. It is noteworthy that Werner Koch, the head developer of the GnuPG project raised the minimum RSA keysize from 2048-bits (where it had remained for many years) to 3072-bits in August, 2020. Werner is nothing, if not conservative, and he wouldn't have made such a change if he didn't feel it was absolutely necessary.

In the development branch of GnuPG (2.3.x) Werner has switched the default key algorithm from RSA to Curve25519. Over the next 5-10 years, RSA keys are headed down the path to obsolescence, a path that DSS/Elgamal has already taken. In the meantime, anyone still using 2048-bit keys needs to switch to 3072-bit RSA at a minimum, with 4096-bit keys preferred.

You are absolutely correct when you say that cracking encryption requires a LOT of compute power. Keys are not going to be broken by brute-force, however. Rather, the authorities are going after an easier target: your passwords.

The Secret Service actually started this back in 2005 -- it was reported in the Washington Post at that time. In a nutshell, the approach is this: the software scours your computer, building up a list of unique keywords related to your hobbies, interests, etc. It then adds those terms to a dictionary, and begins a dictionary attack on your passphrase.

Brian Krebs wrote an excellent article on this in the Washington Post, in March, 2005.


Given this capability, what can you do about it? A lot, actually.

What you need are long, random passwords -- these can be generated by password managers. For your PGP key, I would recommend Diceware -- see:
https://www.diceware.com/ (this re-directs to the author's home page, https://theworld.com/~reinhold/diceware.html)

You generate a Diceware passphrase by using dice, and a numbered word-list. These lists look like the following:

16655 clause
16656 claw
16661 clay
16662 clean
16663 clear
16664 cleat
16665 cleft
16666 clerk
21111 cliche
21112 click
21113 cliff
21114 climb
21115 clime
21116 cling
21121 clink
21122 clint
21123 clio
21124 clip
21125 clive
21126 cloak
21131 clock

If you have 5 dice, you will need one roll of the dice for each word. Keep rolling the dice until you have the desired number of words for your passphrase.

I would recommend 10 Diceware words -- these are equivalent to 129 bits of entropy, or twice that of a 128-bit cipher such as IDEA or AES-128.

Given that these words are chosen using a random process (dice rolls) the order is not predictable, thus the only option is brute-force, trying all possible combinations. If you use the default Diceware list, this is 7,776 words. Trying them all would yield 7776^10 or 8.08x10^38 combinations.

A symmetric cipher with 128-bits of entropy = 2^128 = 3.4x10^38 combinations. So, you can see that 10 Diceware words have about double the number of combinations as a 128-bit symmetric key, or a 3072-bit RSA key.

Ed Snowden stated that the intelligence agencies are able to test about 1x10^12 combinations per second -- that is truly a huge number, but it is dwarfed by the number of combinations posed by, e.g. a 128-bit key.

A 3072-bit RSA key has about 128-bits of entropy, so how long would it take for an agency to go through the entire keyspace?

1 trillion combinations/second = 3.15x10^19 combinations per year (that is, 1x10^12x31,557,600 seconds/year).

3.4x10^38 / 3.15x10^19 = 1.07x10^19 years.

That is about 2.5 billion times the age of the earth.

It is infeasible to brute-force such a keyspace with any technology currently available, or that is likely to become available in the foreseeable future.
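As an added example, not from this post or the Diceware project: a small Python script that parses a list in the format shown above, maps recorded rolls to words, and carries through the post's entropy and brute-force arithmetic. It assumes a complete list has 6^5 = 7776 entries, substitutes the OS CSPRNG (`secrets`) for physical dice, and embeds only a constructed excerpt of the word list so it runs offline.

```python
import math
import re
import secrets

# Constructed excerpt in Diceware list format (five digits 1-6, then a word),
# matching the sample shown in the post. A complete list has 6**5 = 7776 lines;
# only these few are embedded so the block runs offline.
WORDLIST_TEXT = """\
16655 clause
16656 claw
16661 clay
16662 clean
16663 clear
16664 cleat
16665 cleft
16666 clerk
21111 cliche
21112 click
21131 clock
"""

FULL_LIST_SIZE = 6 ** 5          # 7776 words in a complete Diceware list
GUESSES_PER_SECOND = 1e12        # rate the post attributes to Snowden
SECONDS_PER_YEAR = 31_557_600    # Julian year, as used in the post's arithmetic

LINE_RE = re.compile(r"^([1-6]{5})\s+(\S+)$")


def parse_wordlist(text):
    """Map each five-dice key such as '16661' to its word; reject malformed lines."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"malformed Diceware line: {line!r}")
        words[m.group(1)] = m.group(2)
    return words


def roll_five_dice():
    """One Diceware roll: five dice drawn from the OS CSPRNG instead of physical dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def words_from_rolls(rolls, words):
    """Turn recorded rolls into words; a missing key means the list is incomplete."""
    try:
        return [words[r] for r in rolls]
    except KeyError as e:
        raise KeyError(f"roll {e.args[0]} not in this (partial) word list") from None


def generate_passphrase(n_words, words):
    """Roll once per word, as the post describes for a set of five dice."""
    return " ".join(words_from_rolls([roll_five_dice() for _ in range(n_words)], words))


def entropy_bits(n_words, list_size=FULL_LIST_SIZE):
    """Entropy of an n-word passphrase: n * log2(list size); 10 words ~ 129 bits."""
    return n_words * math.log2(list_size)


def search_space(n_words, list_size=FULL_LIST_SIZE):
    """Number of passphrases an attacker must try: list_size ** n_words."""
    return list_size ** n_words


def years_to_exhaust(combinations, rate=GUESSES_PER_SECOND):
    """Years needed to try every combination at the given guesses-per-second rate."""
    return combinations / (rate * SECONDS_PER_YEAR)


if __name__ == "__main__":
    words = parse_wordlist(WORDLIST_TEXT)
    print(words_from_rolls(["16661", "21112", "21131"], words))  # rolls from the excerpt
    print(f"10 words: {entropy_bits(10):.1f} bits, {search_space(10):.2e} combinations")
    print(f"2^128 keyspace at 1e12/s: {years_to_exhaust(2 ** 128):.2e} years")
```

With the full 7776-word list loaded into `parse_wordlist`, `generate_passphrase(10, words)` yields the 10-word passphrase the post recommends; with the excerpt alone, a roll that is not in the list raises a clear error rather than silently producing a weaker phrase.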
 

Ever heard of disinformation? Don't believe anything you hear, for all we know Snowden is working for the Gov. Accept nothing at face value.

If the Gov wants you, they will get you. But most likely... you are not that important to them.
 
If there's one thing I've learned it is that my brain can actually remember obscenely long passphrases of random ass nonsensical words quite well after I use it a couple dozen times. I will often look at random pictures of different places and use the objects I see to make a phrase, so it isn't connected to me or my interests.

Crab banana squash sand schoolbus electricity remington screw thumbnail piglets

Bam I got a great passphrase. Obviously changing case or adding some numbers would help as well, but as the math from the Chinese President himself, @Winnie the Pooh showed, that 10 word key is enough entropy to ensure security for a long time to come. By the time anybody cracked it they'd have spent SO much money and time, and likely the statute of limitations would have already passed (everybody should be aware of what the statute of limitations is in their state for drug offenses).

Also using obscure or random foreign words can be great too because they simply won't be cracked... unless you get key logged in which case you're fucked anyway...this is why the best practice is to use a burner laptop that you NEVER connect to your home PC and only use on public networks with a disguise (hat, sunglasses, mask, hoodie, whatever).

Never sit outside a coffee shop in your car to use their wifi, their cameras will pick up your license plate easily and boom you're done. If you go into a shop and buy something then sit down to do your stuff, don't fucking use your credit card to pay you idiot, use cash. Also rotate locations, don't just go to the same place all the time. This is likely way overkill for steroids, but that is the OPSEC best practice currently as preached by the DNM peeps.


It is good to be suspicious and question things, but you also need to look at what is actually happening in the world and combine that suspicion with real world happenings. With the sheer number of criminal arrests that have happened (and the even larger number that HAVEN'T happened to DNM dealers, etc.), you can be sure LE doesn't easily crack PGP encryption. If they did, we'd see waaay more DNM vendors in prison real quick.

With the amount of attention I pay to the IT Sec space, it would be huge news if some sort of exploit was found in PGP or thought to be used in a trial to obtain evidence. Again, it's great to question things, but to say "well if the government can crack it I will just not encrypt at all"--that is just foolish thinking. First off, as I said, there's just no reason to believe they can "crack" PGP encryption. They first need to have enough suspicion to open a fucking investigation against you, justify spending a ton of time and money to hack into your personal devices, profile you or key log you, and all sorts of other shit they do first. THEN, MAYBE they can get access to your stuff, or at least some of it (that's where having multiple keys, using multiple different passwords, devices, etc., can be beneficial). All those barriers you put up, PGP included, make it harder and more costly for them to nab you. For a single person who just uses steroids, there's no way they're gonna spend that much time/money on a case.

So, Delphi, you are basically saying, "Well, a criminal can always kick down my door, so I might as well just NOT lock my doors ever." I must wholeheartedly disagree with what you've said about privacy on this and the PPL thread recently. It is bad advice and I hope nobody takes it.

Every single barrier you put up between you and LE is beneficial. From having good, long, strong passphrases that don't have anything to do with your interests and hobbies, to encrypting messages, to using VPNs and/or a burner laptop, disk encryption, etc., all of these things are important.

You are right that if Law Enforcement REALLY wants to get you, they almost certainly will eventually. HOWEVER, even if they DON'T REALLY want to get you, but you make it so fucking easy for them to do so that they can do it with almost zero effort, then you are SERIOUSLY increasing risk for yourself because they always LOVE an easy win. Basically: they might just go after you anyway because you're such a fucking easy target.

If YOU want to just leave yourself out in the open for LE to stumble over like a bump on a log then feel free, but I am going to be safe. I sure as hell don't want to be the easy target. OPSEC and privacy practices are critical to ensuring our own safety as much as possible. That is just fact.
 
