Stay Safe - A non How-To to staying Safe

Discussion in 'Security, Privacy & Anonymity' started by theSilence, Feb 23, 2018.

  1. theSilence

    theSilence Member

    Stay Safe!!!

    Be advised, this is not a comprehensive How To, nor does it provide all of the information you need to guarantee safety or anonymity. There is no 100% safe way to do any of this, because you don’t know me, I don’t know you, and you NEVER know who is watching you! Remember – The security of a system is only as secure as the person managing it – That’s you. You are your first obstacle for staying safe. If you can’t maintain a secure system, then you are asking for trouble.

    Verified by the forum’s administrator, access logs are maintained for I think he said 30 days. That means VPN / Tor are essential. This administrator could at any time be subpoenaed and told to hand over all logs for the past 30 days. Your IP is your ID, so keep it safe. The site is hosted in the US so it’s only a matter of time before that happens. Be anonymous, and STAY SAFE!

    First off, if you are not accessing this site over Tor… STOP!!!

    Tor

    1. Go to Tor Project | Privacy Online and click the big purple ‘Download Tor’ button
    2. Client ‘DOWNLOAD’ next to the Operating System (64-bit) you are running under
    a. If you access the site under Windows, then you will be directed to the Windows downloads. If under Linux / Mac you will be given the Mac downloads.
    3. Once downloaded, run the executable and follow the on screen instructions.
    a. For those Linux users, this should be self-explanatory. Un-Tar, chmod if needed, and start-tor-browser…
    b. For the Windows Users – This will install a new Firefox type browser that will become your new home
    4. Once installed, run the new browser from the desktop icon. This isn’t a necessary step, you can run it from wherever you want – Just run it.
    5. When asked if your country censors Tor, click Yes – This will allow you to select a new Relay – Select which ever you want. I usually select ‘meek-amazon (works in China)’
    6. Once Tor connects you will have a home page that says ‘Welcome to Tor Browser. You are now free to browse the internet anonymously.’ – This is your ticket to freedom!

    For those Android Users, You can download ‘Orbot’
    For those iPhone users, you can download ‘Onion Browser’ from the App Store

    Big Tip – Never browse the normal internet while also browsing through Tor. If you are on VPN / Tor, that is your home for that session.

    VPN

    It is highly suggested to run Tor through a VPN these days as many ISPs are now logging Tor traffic. This is unacceptable so we must divert attention!

    MAJOR – If you are accessing ANY of this over your mobile phone, remember to turn off Syncing to your company email, contacts, Notes, calendars, or reminders BEFORE turning on VPN.

    There are a few requirements in order to stay safe.

    1. Your VPN needs to allow anonymous purchasing – BTC, Gift Card, or Gift Amex / Visa / Mastercard
    a. You can purchase any of these from your favorite retailer with cash, and no question asked. I suggest you purchase a Visa gift card for more than what you will purchase the VPN service for. This is to make sure the purchase amount is not correlated to a VPN purchase amount.
    i. Buy a card, pay for some McDonalds or whatever, then buy your VPN Service
    2. Your VPN must NOT log any access – This is almost as important as the anonymous purchasing.
    3. Your VPN ‘should’ allow you connect to various endpoints around the world – Its best to switch it up every once in a while because again, your ISP does log traffic now.
    4. It is a good idea if your VPN provider can route through TOR. This does not fulfill the Tor Browser requirement, but does allow your VPN service to bounce around the globe before hitting the Tor Browser again before hitting the forums.
    5. And finally, the jurisdiction in which the VPN service is registered under – The US has stricter laws than many other countries, so chose one that suits your needs, in this case, one that doesn’t have a court order or subpoena requirement.

    There are a few providers that hit all of these criteria, some that hit a few important ones. Important to note, I am not a vendor of any of these, I don’t care which one people use and I get no kick backs from any of them – so don’t think too far into the order of these.

    1. Private Internet Access
    2. NordVPN
    3. TorGuard
    4. SlickVPN
    5. ProtonVPN
    6. ExpressVPN

    Again, this list is not exhaustive – If you don’t like any of these then DuckDuckGo is your friend.
    Your steps for connecting to VPN / Tor are:

    1. Connect to your favorite no log safe VPN service
    2. Launch the Tor Browser and Stay Safe!

    Email

    There are many to choose from, but there are only a few that provide the level of security required to keep your communications safe and secure. Once you complete your order process, delete your cache, delete all the emails (Sent and received, and don’t forget any drafts you might have) and for the love of god, don’t leave your email logged in on your phone. Set it to require a PIN (NOT A FINGER READER!!!) on each launch.

    1. ProtonMail – This seems to be a popular one on the forums. All email is encrypted end to end and nearly impossible to Man-In-The-Middle
    a. If you are going to access ProtonMail, Do so over VPN / Tor. If on Mobile, at least use VPN before connecting to the mail app. While people won’t be able to read your emails, the fact that you are accessing a ProtonMail server could be logged.
    2. CounterMail – Good, but you can’t send encrypted email to non CounterMail users.
    3. HushMail – Been around a while
    4. Tutanota – Decent service

    Again – Not an exhaustive list, use DuckDuckGo to find more encrypted free email services if you like.

    GPG (non-proprietary encryption)

    If you are not familiar with GPG or PKI, or even encryption / signing – then read on!
    GPG is a method of both encryption and providing non-repudiation (signing, proves that the sender is in fact the person who sent the message without reasonable doubt. Of course, you don’t personally know me, so… Just proves the email address and public GPG key). If you use a secured and encrypted email service, then then this may not be for you, but it is still highly recommended.

    1. To generate a GPG key pair, it is suggested you do this under a secured OS, or at least on an encrypted volume. I always have an encrypted USB key for storing keys that never leaves my side. More on encryption later though.
    2. Under Linux, there are built in applications that you can use to generate this key, GPG.
    3. On Windows – You will need to either download and install Cygwin, or figure out a way to bring the binaries in another way. I HIGHLY suggest you DO NOT use an online application to create your PGP key pair. They say they don’t keep it, but you have absolutely no way to audit that.

    I’m not going to write a How-To on this one because there is a lot to it and there are plenty of How-Tos online to do it. I just suggest you use it in tandem of encrypted email.
    Keep the private key on you to decrypt email messages, sign your messages, and…. Stay Safe!

    Disk Encryption

    While most don’t think this is an important step because you need a password to get into your computer or phone, those things are easily cracked and can be done in under 5 minutes.
    You can encrypt your disk with BitLocker (Windows) or use an LVM Encrypted Volume (Linux) or FileVault (MacOS)

    If you don’t want to encrypt your disk, then try some secured OSs.
    Get yourself a copy of TAILS OS, this is a volatile Operating System that routes all traffic through Tor. Nothing you do is saved to disk and cannot be harvested through memory dumps after the machine is powered off. This can run Live on nearly any machine with a USB stick and works like a charm. Just remember you will probably need to download your VPN client or configure OpenVPN each time you want to connect. Can be a pain in the ass, but worth it in the end. (No pub intended)

    Forum Access

    While maintaining your VPN / Tor secure access methods, it is also a good idea to maintain Dual Factor Authentication while accessing the forums. This is to keep any unwanted malicious users from gaining access to your accounts.

    There are are a few services that work well for this.
    1. Google Authenticator
    2. Authy
    3. Duo Mobile

    Again, not an exhaustive list. DuckDuckGo is your friend.
    Rotate your passwords every week. I make this a priority for all my public access sites, just as a precaution, and never use the same password twice or for anything other than the one service you’re using. Email should not be the same as the forum.

    Lingo

    I see on the forums many people quote the exact payment method, the ship date, the received date, and the order of the packaging. This should be a bit NO NO.
    The proper way to communicate should be,
    ‘Ordered day 1, paid day 2, received tracking day 3, received few days later’

    I would stay away from exact delivery days, this is an easy way to track shipping behaviors and could easily geographically pin point people. Shipping times are easily available online so anyone can see that.
    Don’t give away the packaging method – If you received your shipment and everything is in working order, then that’s all anyone needs to know. We don’t need pictures, don’t need to know about any bubble wrap that was used to keep the vials safe, no need to tell me it was sitting on your porch for 2 hours and no one stole it. That’s your information – Comment on fast processing, say thank you for the great packaging, and move on.

    Sometimes less is more.

    Communication

    Keep your PM communication details to a minimum. Try to use secured email as much as possible for orders and such. Like I said in the first section, access logs are maintained and we should not rely on forum administration to keep us safe. That starts with you, and me.
    There should be no reason to link an email address / order with a member user name, so sources should never ask for it and if they do, don’t give it to them. Of course if you go on telling everyone what you ordered and when, the source will be able to figure it out. Try not to say too much. It is just bad practice to match the two, as too much correlation is bad. If the source gets nabbed, you don’t want anything linking you to them as much as possible. We just have to hope they follow the Email section and delete everything right away. Again, you can’t trust that they are doing that anyway.

    PO Boxes vs Home addresses

    There are ways of getting anonymous deliveries, and none of them include using a US postal box (Requires valid ID) or your home address (Don’t need to say anything about that)
    Use a delivery router – Basically its a shipment proxy that accepts delivery, can even repackage the order and send it to you. There are plenty of international or even domestic places that will do this. They can even move a USPS / FedEx delivery into a private delivery company. Keeps you off the radar and some won’t even keep track of past deliveries. This helps a TON! I won’t suggest any because I don’t want to be liable for any suggestions. DuckDuckGo is your friend.

    Use a neighbors house who may be on vacation and you have seen recent deliveries. Don’t deliver it there if they have put a Hold for Delivery or anything, just make sure they are still receiving mail and packages. Sometimes that works. But – Then you are stealing mail, so be careful.

    Send it to a friend – Have a friend who isn’t associated with this type of thing receive the package, and get it from them later.

    There is extensive information on line about receiving anonymous packages, but all of them end with you holding the goods so remember that there is never a 100% guaranteed way of staying anonymous with this one, and the suggestions above are only that, suggestions. I don’t recommend anyone doing any of that.

    Ordering

    If you are ordering from a website that isn’t using HTTPS, STOP and go somewhere else. Always pay with cryptocurrency if you can. Other methods require you to physically pay for (WU and such).
    If you are purchasing coin via Coinbase or any other Exchange, always rotate through a private wallet before paying. Never pay directly from an exchange. It is too expensive to launder BTC these days, but if generate a new wallet for each transaction that would be good enough. Don’t use the same wallet for multiple transactions, unless it is to transfer to another wallet. Once the wallet is drained, delete it and start a new one.

    Conclusion

    Remember, you don’t know them – they don’t know you. Trust no one and question everything. Everything I have posted here is free and widely available for your verification. DuckDuckGo, (or Google if you want limited and tracked searches) is your friend if you need verification on anything I have posted.

    All of this should apply to members, and sources. Believe it or not, the easiest way to a source, is through the member, so if you screw up – you’re not only harming yourself, but everyone else as well. Lastly – I don’t condone nor support any illegal activities, so do so at your own risk or within the confines of your countries laws.

    And remember – STAY SAFE!
     
  2. NorthMich

    NorthMich Member

    Thank you man
     
  3. Amazing information, this should be stickied.
     
  4. master.on

    master.on Member

    How to Leave Google Behind: Quick Guide to Take Back Your Privacy Online.

    Stop using privacy-intrusive services. Now is the time to leave Google, Facebook & Co.

    For many the Internet is Google: Search, mail, videos - Google is the major player in all these fields. But Google uses all data it gathers across its services to post targeted ads, and to massively profit from the data many share so freely with the Internet giant. The time has come to stop this unlimited data mining and to take back our right to privacy! Here's a quick guide as to how you can use the Internet without sharing all your data with Google.

    An increasing number of people understand that everybody wants their data, and that there's only one way to stop mass surveillance: by using privacy-friendly tools, best with built-in encryption. With privacy-friendly tools growing in number and in quality, more and more people are starting to protect their personal data.

    Even Google now understands that more people want to protect their private data. Google now promises not to scan your emails, however, this might very well be just a marketing initiative. Everybody knows that they are still able to scan your entire Gmail inbox. The no-scan policy might end like Gmail's end-to-end encryption project has ended: In limbo.

    Switch from Gmail to Tutanota
    For the most private alternative to Gmail, try our encrypted, secure email service. The entire Tutanota mailbox is end-to-end encrypted so that it is fully protected from snooping eyes. Even we as the developers cannot read your emails.

    You can automatically send end-to-end encrypted mails, too, so that you can be sure that only you and the intended recipient can read your emails. Because of the encryption, Tutanota cannot harvest your data for advertisements, in fact, there are no advertisements at all in Tutanota. Try it today, and register your own secure mail account.

    On top of the end-to-end encryption, Tutanota

    lets you register an anonymous email account without asking for a phone number.
    uses state-of-the-art SSL protection, supporting DNSSEC, DANE, DMARC, DKIM, PFS & STARTTLS.
    receives an A+ rating on Securityheaders.io. Gmail on the other hand does not get an A rating.
    is the best open source email alternative with its Android app published on F-Droid.
    Read this to find out why everyone should use Tutanota instead of Gmail.

    Stop using Google Search, try DuckDuckGo and Qwant
    Google search is widely used because in the past it was the only one giving reliable results quickly. However, privacy-friendly search engines have caught up over the past few years, and there is no reason at all not to favor those. We recommend trying Qwant, based in France, and DuckDuckGo, based in the US.

    Switch from Chrome to Brave, Firefox, or Tor Browser
    Today there are several browsers that give you much more privacy protection than Google Chrome. Brave is an open source browser that automatically blocks ads and trackers. Firefox is a well-established browser known for respecting user's privacy. If you need extra anonymity when browsing online, we recommend the Tor browser.

    Stop using Google Drive, try Tresorit
    When using Google Drive, one must know that all files are stored unencrypted on Google servers. Everyone gaining access to these servers can easily copy and read those files. An encrypted alternative is Tresorit. The paid service offers end-to-end encrypted file sharing and sync. You can store your files securely encrypted in the cloud without the threat of anyone else accessing or reading your files without your permission.

    Watch Videos on Vimeo, not YouTube
    A great alternative to YouTube is Vimeo. If the video you are looking for is not on Vimeo, you can search and watch YouTube videos on DuckDuckGo via YouTube's "youtube-nocookie" domain. While not entirely leaving Google here, this gives you better privacy protection.

    If you absolutely want to watch a video on YouTube, we recommend watching it via Hooktube in a browser or via NewPipe on Android.

    Hooktube is a YouTube proxy, which allows you to unblock YouTube videos, download videos, and get around YouTube censorship restrictions. Watching videos via HookTube keeps your data from Google.

    Use OpenStreetMap instead of Google Maps
    OpenStreetMap is a great alternative to Google Maps when looking up places online. It's an open source project with the aim to create a free editable map of the world.

    Stop using Google Play, get your apps from F-Droid
    In case you are using an Android phone, it is a bit harder to fully get rid of Google. In a first step, you should get all your apps from F-Droid instead of Google Play. F-Droid is a great alternative, especially for open source enthusiasts. By getting your apps from F-Droid you can be sure that they come without any ties to Google.

    Change your Android system to LineageOS
    In case you are using an Android phone and fully want to get rid of any tie to Google, we recommend that you install LineageOS as the operating system on your phone. LineageOS is a version of Android which you can use without a Google account. LineageOS is the most popular fork of the discontinued CyanogenMod project.

    When you want to get a new smartphone, take a look at the upcoming Purism 5. It is Google-free phone that focuses on privacy and security.

    Use Mastodon instead of Facebook
    Edit 2018-04-04: Due to the recent Facebook scandal, we felt the need to update this post and add privacy-friendly social media alternatives.

    The business model of most social media sites is like Google's based on tracking and posting targeted advertisements. Therefore, we recommend that you stop using Facebook for sharing your private information with your friends. A great alternative is Mastodon, you'll also find us on Mastodon, or Diaspora.

    Use Tor or a VPN like Private Internet Access
    When using the Internet your Internet Service Provider can see, monitor and log every website you visit. If you want to make sure that your browsing history remains private, we recommend that you protect it by using Tor or a VPN like Private Internet Access.

    Make the switch today, change the Internet of the future!
    We all know that mass surveillance is always present when you are online. Yet, each one of us can make a change by making online surveillance harder. One major step to achieve this is to start using privacy-friendly services - if possible with built-in encryption!

    Make the switch today, and you'll find that taking back your privacy is much easier than expected.

    How to Leave Google Behind: Quick Guide to Take Back Your Privacy Online.
     
    Necessary Evil likes this.
  5. bob hughes

    bob hughes Member AnabolicLab.com Supporter

    A few questions that I have about this information. Using TOR / vpn Attracts attention in and of itself. Your isp Knows if you are using these. Using public Wi-Fi will avoid this, but has security issues as well. I think using a bridge will camouflage tor usage, but I’m not sure of the ins and outs of this. But in general, is it necessary to go this route to order personal quantities of AAS? I’ve only ever heard of one person being prosecuted for this, I believe he imported them from somewhere in Asia to the US, and the country in Asia tipped off US customs leading to his arrest. I believe he worked in a school or some other fairly high profile job, which may have contributed to the decision to prosecute him for personal quantities. My hesitation to use tor for this purpose, is that if you attract attention, They’re going to be looking for someone dealing with child pornography, hard drugs from the dark web, or terrorism. So theoretically, just by using tor you could attract unwanted attention, then once they see it’s only AAS you’re dealing with, since they’re already invested in it they may decide to bust you anyway. Whereas if you were using clear net, you never would’ve drawn attention to begin with. In other words, is the scrutiny that you’re potentially bringing upon yourself by using tor, Worth it for the anonymity it brings, when buying aas?

    One issue with tor is JavaScript, I’m not a tech guy and I don’t fully understand it, but if you use tor And you’re on any site that has JavaScript enabled, which is most websites, it creates a security flaw and removes your anonymity.

    Also, it’s important to note that bitcoin is very easy to track, the only way I know of to buy it completely anonymously, is using a bitcoin ATM, paying cash, using a burner phone because you need to give a phone number when you use those ATMs, and buy the burner phone anonymously with cash. And you would need to wear a disguise, because the bitcoin ATMs have cameras. But even if you use a bitcoin tumbling service, if they really want to track your transactions they can, and that information lives on the block chain forever.

    Also, i use ProtonMail, but there have been security flaws discovered in it, just something to be aware of as well. I’m not aware of any completely secure email service. PGP encryption is great to encrypt specific messages.
     
  6. bob hughes

    bob hughes Member AnabolicLab.com Supporter

    One other very important point, never ever check a tracking number while using tor! It will absolutely raise red flags, and possibly lead to a seizure of the package or potentially even a controlled delivery. Not likely for a small quantity of AAS but they will absolutely know you’re on tor and likely investigate. And I would imagine your address would be flagged in that situation.
     
    tengtren likes this.
Tags: