Stay Safe - A non How-To to staying Safe

Discussion in 'Security, Privacy & Anonymity' started by theSilence, Feb 23, 2018.

    Stay Safe!!!

    Be advised, this is not a comprehensive How To, nor does it provide all of the information you need to guarantee safety or anonymity. There is no 100% safe way to do any of this, because you don’t know me, I don’t know you, and you NEVER know who is watching you! Remember – The security of a system is only as secure as the person managing it – That’s you. You are your first obstacle for staying safe. If you can’t maintain a secure system, then you are asking for trouble.

    Verified by the forum’s administrator, access logs are maintained for I think he said 30 days. That means VPN / Tor are essential. This administrator could at any time be subpoenaed and told to hand over all logs for the past 30 days. Your IP is your ID, so keep it safe. The site is hosted in the US so it’s only a matter of time before that happens. Be anonymous, and STAY SAFE!

    First off, if you are not accessing this site over Tor… STOP!!!

    Tor

    1. Go to Tor Project | Privacy Online and click the big purple ‘Download Tor’ button
    2. Click ‘DOWNLOAD’ next to the Operating System (64-bit) you are running under
    a. If you access the site under Windows, then you will be directed to the Windows downloads. If under Linux / Mac you will be given the Mac downloads.
    3. Once downloaded, run the executable and follow the on-screen instructions.
    a. For those Linux users, this should be self-explanatory. Un-Tar, chmod if needed, and start-tor-browser…
    b. For the Windows Users – This will install a new Firefox type browser that will become your new home
    4. Once installed, run the new browser from the desktop icon. This isn’t a necessary step, you can run it from wherever you want – Just run it.
    5. When asked if your country censors Tor, click Yes – This will allow you to select a new Relay – Select whichever you want. I usually select ‘meek-amazon (works in China)’
    6. Once Tor connects you will have a home page that says ‘Welcome to Tor Browser. You are now free to browse the internet anonymously.’ – This is your ticket to freedom!

    For those Android Users, You can download ‘Orbot’
    For those iPhone users, you can download ‘Onion Browser’ from the App Store

    Big Tip – Never browse the normal internet while also browsing through Tor. If you are on VPN / Tor, that is your home for that session.

    VPN

    It is highly suggested to run Tor through a VPN these days as many ISPs are now logging Tor traffic. This is unacceptable so we must divert attention!

    MAJOR – If you are accessing ANY of this over your mobile phone, remember to turn off Syncing to your company email, contacts, Notes, calendars, or reminders BEFORE turning on VPN.

    There are a few requirements in order to stay safe.

    1. Your VPN needs to allow anonymous purchasing – BTC, Gift Card, or Gift Amex / Visa / Mastercard
    a. You can purchase any of these from your favorite retailer with cash, and no questions asked. I suggest you purchase a Visa gift card for more than what you will purchase the VPN service for. This is to make sure the purchase amount is not correlated to a VPN purchase amount.
    i. Buy a card, pay for some McDonalds or whatever, then buy your VPN Service
    2. Your VPN must NOT log any access – This is almost as important as the anonymous purchasing.
    3. Your VPN ‘should’ allow you to connect to various endpoints around the world – It’s best to switch it up every once in a while because again, your ISP does log traffic now.
    4. It is a good idea if your VPN provider can route through TOR. This does not fulfill the Tor Browser requirement, but does allow your VPN service to bounce around the globe before hitting the Tor Browser again before hitting the forums.
    5. And finally, the jurisdiction in which the VPN service is registered – The US has stricter laws than many other countries, so choose one that suits your needs, in this case, one that doesn’t have a court order or subpoena requirement.

    There are a few providers that hit all of these criteria, some that hit a few important ones. Important to note, I am not a vendor of any of these, I don’t care which one people use and I get no kickbacks from any of them – so don’t think too far into the order of these.

    1. Private Internet Access
    2. NordVPN
    3. TorGuard
    4. SlickVPN
    5. ProtonVPN
    6. ExpressVPN

    Again, this list is not exhaustive – If you don’t like any of these then DuckDuckGo is your friend.
    Your steps for connecting to VPN / Tor are:

    1. Connect to your favorite no log safe VPN service
    2. Launch the Tor Browser and Stay Safe!

    Email

    There are many to choose from, but there are only a few that provide the level of security required to keep your communications safe and secure. Once you complete your order process, delete your cache, delete all the emails (Sent and received, and don’t forget any drafts you might have) and for the love of god, don’t leave your email logged in on your phone. Set it to require a PIN (NOT A FINGER READER!!!) on each launch.

    1. ProtonMail – This seems to be a popular one on the forums. All email is encrypted end to end and nearly impossible to Man-In-The-Middle
    a. If you are going to access ProtonMail, Do so over VPN / Tor. If on Mobile, at least use VPN before connecting to the mail app. While people won’t be able to read your emails, the fact that you are accessing a ProtonMail server could be logged.
    2. CounterMail – Good, but you can’t send encrypted email to non CounterMail users.
    3. HushMail – Been around a while
    4. Tutanota – Decent service

    Again – Not an exhaustive list, use DuckDuckGo to find more encrypted free email services if you like.

    GPG (non-proprietary encryption)

    If you are not familiar with GPG or PKI, or even encryption / signing – then read on!
    GPG is a method of both encryption and providing non-repudiation (signing proves that the sender is in fact the person who sent the message without reasonable doubt. Of course, you don’t personally know me, so… it just proves the email address and public GPG key). If you use a secured and encrypted email service, then this may not be for you, but it is still highly recommended.

    1. To generate a GPG key pair, it is suggested you do this under a secured OS, or at least on an encrypted volume. I always have an encrypted USB key for storing keys that never leaves my side. More on encryption later though.
    2. Under Linux, there are built in applications that you can use to generate this key, GPG.
    3. On Windows – You will need to either download and install Cygwin, or figure out a way to bring the binaries in another way. I HIGHLY suggest you DO NOT use an online application to create your PGP key pair. They say they don’t keep it, but you have absolutely no way to audit that.

    I’m not going to write a How-To on this one because there is a lot to it and there are plenty of How-Tos online to do it. I just suggest you use it in tandem with encrypted email.
    Keep the private key on you to decrypt email messages, sign your messages, and…. Stay Safe!

    Disk Encryption

    While most don’t think this is an important step because you need a password to get into your computer or phone, those things are easily cracked and can be done in under 5 minutes.
    You can encrypt your disk with BitLocker (Windows) or use an LVM Encrypted Volume (Linux) or FileVault (MacOS).

    If you don’t want to encrypt your disk, then try some secured OSs.
    Get yourself a copy of TAILS OS, this is a volatile Operating System that routes all traffic through Tor. Nothing you do is saved to disk, and nothing can be harvested through memory dumps after the machine is powered off. This can run Live on nearly any machine with a USB stick and works like a charm. Just remember you will probably need to download your VPN client or configure OpenVPN each time you want to connect. Can be a pain in the ass, but worth it in the end. (No pun intended)

    Forum Access

    While maintaining your VPN / Tor secure access methods, it is also a good idea to maintain Dual Factor Authentication while accessing the forums. This is to keep any unwanted malicious users from gaining access to your accounts.

    There are a few services that work well for this.
    1. Google Authenticator
    2. Authy
    3. Duo Mobile

    Again, not an exhaustive list. DuckDuckGo is your friend.
    Rotate your passwords every week. I make this a priority for all my public access sites, just as a precaution, and never use the same password twice or for anything other than the one service you’re using. Email should not be the same as the forum.

    Lingo

    I see on the forums many people quote the exact payment method, the ship date, the received date, and the order of the packaging. This should be a big NO NO.
    The proper way to communicate should be,
    ‘Ordered day 1, paid day 2, received tracking day 3, received few days later’

    I would stay away from exact delivery days, this is an easy way to track shipping behaviors and could easily geographically pinpoint people. Shipping times are easily available online so anyone can see that.
    Don’t give away the packaging method – If you received your shipment and everything is in working order, then that’s all anyone needs to know. We don’t need pictures, don’t need to know about any bubble wrap that was used to keep the vials safe, no need to tell me it was sitting on your porch for 2 hours and no one stole it. That’s your information – Comment on fast processing, say thank you for the great packaging, and move on.

    Sometimes less is more.

    Communication

    Keep your PM communication details to a minimum. Try to use secured email as much as possible for orders and such. Like I said in the first section, access logs are maintained and we should not rely on forum administration to keep us safe. That starts with you, and me.
    There should be no reason to link an email address / order with a member user name, so sources should never ask for it and if they do, don’t give it to them. Of course, if you go on telling everyone what you ordered and when, the source will be able to figure it out. Try not to say too much. It is just bad practice to match the two, as too much correlation is bad. If the source gets nabbed, you don’t want anything linking you to them as much as possible. We just have to hope they follow the Email section and delete everything right away. Again, you can’t trust that they are doing that anyway.

    PO Boxes vs Home addresses

    There are ways of getting anonymous deliveries, and none of them include using a US postal box (Requires valid ID) or your home address (Don’t need to say anything about that).
    Use a delivery router – Basically it’s a shipment proxy that accepts delivery, can even repackage the order and send it to you. There are plenty of international or even domestic places that will do this. They can even move a USPS / FedEx delivery into a private delivery company. Keeps you off the radar and some won’t even keep track of past deliveries. This helps a TON! I won’t suggest any because I don’t want to be liable for any suggestions. DuckDuckGo is your friend.

    Use a neighbor’s house who may be on vacation and where you have seen recent deliveries. Don’t deliver it there if they have put a Hold for Delivery or anything, just make sure they are still receiving mail and packages. Sometimes that works. But – Then you are stealing mail, so be careful.

    Send it to a friend – Have a friend who isn’t associated with this type of thing receive the package, and get it from them later.

    There is extensive information online about receiving anonymous packages, but all of them end with you holding the goods so remember that there is never a 100% guaranteed way of staying anonymous with this one, and the suggestions above are only that, suggestions. I don’t recommend anyone doing any of that.

    Ordering

    If you are ordering from a website that isn’t using HTTPS, STOP and go somewhere else. Always pay with cryptocurrency if you can. Other methods require you to physically pay for (WU and such).
    If you are purchasing coin via Coinbase or any other Exchange, always rotate through a private wallet before paying. Never pay directly from an exchange. It is too expensive to launder BTC these days, but if you generate a new wallet for each transaction that would be good enough. Don’t use the same wallet for multiple transactions, unless it is to transfer to another wallet. Once the wallet is drained, delete it and start a new one.

    Conclusion

    Remember, you don’t know them – they don’t know you. Trust no one and question everything. Everything I have posted here is free and widely available for your verification. DuckDuckGo, (or Google if you want limited and tracked searches) is your friend if you need verification on anything I have posted.

    All of this should apply to members, and sources. Believe it or not, the easiest way to a source is through the member, so if you screw up – you’re not only harming yourself, but everyone else as well. Lastly – I don’t condone nor support any illegal activities, so do so at your own risk or within the confines of your country’s laws.

    And remember – STAY SAFE!