Anonymous While On-Line = AWOL
by Potatoe Fish
Using secure communications: A dead simple and short overview
Non-exhaustive: You will need to research these topics and implement them on your own time (ASAP!)
A lot of people don’t think they “need to worry” about surveillance because they say they haven’t done, aren’t doing, and won’t do anything wrong. That isn’t really the point. If you don’t care about your privacy, do you care about anybody else’s? If somebody cares about privacy and you don’t, why would they associate with you? I know that people are commonly deluded into thinking that the government cares in any way for them and won’t do them wrong. If you believe in revolution you need to take part in information activism. Not only is privacy important, but those who don’t make serious attempts to remain anonymous and secure may find their accounts hacked and their reputation destroyed by a hacker or the government. Sometimes you just need to listen, so hear this: become anonymous and learn to keep your information private as well as secure. If you don’t understand why, start researching abuses of power by the government for surveillance, searches, and seizures, as well as corporate databases being hijacked and spilling all sorts of personal information. Make sure you use privacy, anonymity, and security tools!
If you use a Windows version newer than Win7, tracking tools embedded in the OS will upload your data to corporate headquarters and forward copies to the government (updates to Win7 can do this too!). Seriously consider switching to Linux, even if you decide to dual-boot to retain access to Windows for gaming. For anything that is privacy or security critical, use Linux and do not use Windows. Do not cross-contaminate between “work” on Linux and “play” on Windows. You will need to specifically configure your computer to get it up to par, and you will need to audit your OS settings and installed software for privacy and security reasons.
Stop using web services being directly monitored by the FiveEyes agencies (i.e. NSA and GCHQ). Examples include Gmail, Facebook, and Twitter, but just about anything on the internet can be snooped on. Facebook tracks your activities all around the web, and they are not the only one. If you keep using these services, you are handing your personal information over to the government and corporations, essentially proclaiming you don’t care about personal privacy or the right to abstain from warrantless searches and seizures. The government is already monitoring everything they can on the internet; don’t make their job easier. Consider switching to an alternative service that is not hand in glove with them, and find one that respects your privacy and security.
When you create a new web account, use unique login details for each site. This includes using a separate email, birthday, username, password, and phone number for each account. Avoid cross contamination between accounts like the plague. You may want to install a password safe to manage your credentials. Personally, I prefer using an onion of cascading encrypted containers that hold my passkeys (CRYPT1->CRYPT2->CRYPT3).
Use TOR and the Tor Browser Bundle to anonymize your access to the internet. You can route most of your regular web traffic over TOR as a SOCKS5 proxy. Use a VPN to secure your internet connection; just be sure it uses encryption and keeps no logs. There are lots of VPN options out there; just remember, if you are not paying for a service you are usually the product being sold. enabling TCPcrypt will You will also want to switch your DNS resolution to OpenNIC servers and enable DNScrypt. You can force an application to use TOR in Linux by running torsocks APPLICATION in the terminal, but it is still possible that IP leaks will happen. You will want to research routing your applications through anonymity services and how your anonymity can be broken.
Encrypt the plaintext of any email with PGP and encrypt the attachments with VeraCrypt containers. Do this using GnuPG, Thunderbird, Enigmail, and TorBirdy, plus an email provider of your choice that supports PGP-encrypted email fetched over POP3/IMAP (over TOR is better). Bitmessage and TOX are better than email in many ways.
Install Pidgin and the OTR plugin for it, route the messenger client over TOR by configuring proxy settings to 127.0.0.1 port 9050, make sure the TOR service is running (TBB or tor in the terminal), and join an XMPP server to begin chatting.
If you are tech savvy, install I2P and use hexchat with the proxy settings directing traffic over I2P. This will not be private like conversations you can have on pidgin using OTR but as a public chatroom it is a good choice as it offers anonymity.
Use encrypted VOIP rather than open phone conversations. Installing Linphone and enabling SRTP for SIP over TLS will ensure your conversations stay private, at least for the time being.
Encrypt your SMS with Silence (“SMSSecure”) and try not to use SMS at all; Bleep is an alternative messenger for Android but not as good as other services like Wickr and ChatSecure. It’s worth switching over to a TOX client if you want to send files back and forth. You can get most of these programs from F-Droid or Aptoide (don’t use the Play Store or Google services if you can ever avoid it, as the collected data is exported directly to the US Gov.).
Consider rooting your android phone and removing google applications. There are guides on how to re-flash your android phone so that it is secure from government and corporate snooping. You will want to do more than root your phone of course. Installing f-droid and freezing/uninstalling applications on the android device can free up space, increase snappiness, and best of all, prevent data leaks and secure your device. Installing KALI linux in the terminal of your device and loading up kali GUI through a VNC application can enable you to audit your network using your mobile device.
You need to start being paranoid about your anonymity, data privacy, and system security; the vulnerabilities that have been talked about for nearly 20 years are no longer unlikely theoretical scenarios but real time persistent threats. Do yourself and those you know a favor and start locking down your platforms. The level of security needed may vary slightly from person to person, but if you don’t start now, it will basically be too late someday. People like myself have already started working on this and are gently nudging our associates towards a more anonymous, private, and secure channel of digital communication. If you still don’t care, you will be left behind with the other sheep to be herded by the wolves.
(New Telecom Whistleblower Exposes Spy Grid – The Alex Jones Channel)
This guide was created through necessity to help enlighten people in the general sense on the topic of anonymity online and beginner cyber-security. It is in no way fully comprehensive and only suited as an overview of the methods employed. It is up to you the reader to discover the many guides available online and implement more advanced methods for securing your devices. Nothing provided in this guide is intended to encourage, promote, or condone illegal activity. What you do with your knowledge is on you. Stay safe. Stay anonymous.
The main purpose of this guide is to cover computers in general. We recommend people switch to whatever linux flavor they desire and begin securing the system for themselves. If you want to get started on your research right away but don’t know how to get started, go ahead and download a copy of tails through the TOR browser and read up. You can perform cross platform encryption within tails using xxx and then access the information later after saving to a flash drive or other storage media of your choice.
Anybody should learn and implement these methods and others. If you have friends who think that data security is not necessary, you may want to kindly mention in a nonchalant manner that you think personal privacy is being intruded upon too greatly and that the exercise of our rights is being slashed at by all sorts of powers. You probably won’t want to mention anonymity to them directly, but attempting to enlighten them is worth a shot.
I am the man in the mask. Ultimately, I do not care if you are good or bad. As to what this means, I leave those of you who are good to counter those of you who are bad; for me it is a tiring and nearly sore effort to sift out everybody on account of their merit to receive such information.
This guide is being released in hopes that it will aid true gentlemen in their pursuit of becoming anonymous. One must be and always remain a gentleman. Being a gentleman is about your mannerisms and actions, defining the way you think and interact.
It is up to you to learn good OPSEC (operations security) and to apply it diligently.
We advocate for open source hardware and software; governments and businesses should be transparent with the public, not forcing people to lose their privacy and rights to the cause of “security” for the ‘greater good’.
I myself would not always expect this guide to be available, if you do find it useful, I recommend you back it up and continue redistributing at your leisure. Takedowns do happen and I do not rigorously maintain links to material unless I have been made aware the resource is too valuable to be lost. Since it is hard for me to assure this resource will stay where I put it, if you think it is valuable information or needs expansion in some area or to patch a gaping hole, let me know by getting in contact with me.
Opening words to the wise
I know most people take the position of “You can’t tell me what to do”, but I am going to say this anyway in an attempt to deter anybody thinking they might abuse their newfound power: do not use your anonymity to break the law. Not only is it stupid, but it is the wrong way to go. Use your common sense, if there is any left these days…
Being a gentleman is of the utmost importance, especially with all that is involved, one must make the highest pursuit of theirs to always remain a gentleman. You are to be a gentleman and have an accurate code of ethics to navigate with your moral compass. Do not boast or place yourself above others, be as you should be, a gentleman.
It’s not paranoia if there is a real reason to feel that way. Paranoia, to the cautious, can be a proactive means of protection, even if it is too superstitious at times.
Remember the first rule of f*g*t c*u*.
The power of anonymous is with you and all others, to perform your duties as your person, and to help support the rights of all people in an empowering way. An anonymous person may attempt to break your anonymity for any given purpose; it is on you what you do. Don’t give another person a reason to break down your walls, as anything you do or say is taken into account; learn and speak anonymously as anonymous.
An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs. The operating system is a component of the system software in a computer system. Application programs usually require an operating system to function. For hardware functions such as input and output and memory allocation, the operating system acts as an intermediary between programs and the computer hardware, although the application code is usually executed directly by the hardware and frequently makes system calls to an OS function or is interrupted by it. Operating systems are found on many devices that contain a computer from cellular phones and video game consoles to web servers and supercomputers.
If you are going to use Windows then you need to be aware that it is a boat with many holes, of which even the smallest may send it sinking. Plugging up the holes is a good place to start (not enough), but remember, Windows is not open source and cannot be audited by the community. You are going to want to use Windows 7, avoiding Vista, 8 and 10 (Windows XP is OK, to be fair). Windows does have known backdoors pre-configured by the NSA, which are also suspected to exist in Macintosh. Windows is also extremely vulnerable to attack. Don’t think Windows is secure in any fashion, and if you use it, exercise all interactions with extreme caution. (Don’t use Windows!)
Macintosh is a good platform to already own if you are stuck in your ways, because it is more secure than Windows and also quite easily relatable in fundamental nature to Linux. The problem is that dual-booting a Mac is not nearly as easy as dual-booting any other brand of PC (Macs are technically PCs). Need I mention that Mac hardware, though not unique in architecture, comes pretty much exclusively from a single hardware provider; you will not blend in well, given that more layers of security are stripped away by fingerprinting.
Linux is better than Mac OS X, which is better than Windows, hands down. To understand, compare the security of the systems in different breakdowns. I don’t like to do this much, but to save space, here is a link:
All operating systems are vulnerable to malware, but the worst has got to be Windows. Such a large amount of malware is developed for Windows that it is the very worst system to use when attempting to be an anon. Macintosh has many strengths over Windows, but people have gotten too comfortable telling themselves that there are no ‘viruses’ for Mac and that Macintosh has other obscure, mythical protections. Even Linux is not entirely secure, yet with the ability to audit the code from source and the greatest flexibility in security configuration, Linux is your best bet all around. The worst bit for beginners is learning the alternative pieces of software that work on Linux in place of their Windows counterparts, which is the most drastic change. Linux will be more familiar to Mac OS X users, given how akin the two are through a relation in their past. It is possible to multiboot these systems, but let it be known that an infection through a BIOS attack, for example, could destroy security on your end.
Security is a cornerstone of the Linux OS, and one of the principal reasons for its popularity among the IT community. This reputation is well deserved, and stems from a number of contributing factors.
One of the most effective ways Linux secures its systems is through privileges. Linux does not grant full administrator or “root” – access to user accounts by default, whereas Windows does. Instead, accounts are usually lower-level, and have no privileges within the wider system. This means that when a virus gets in, the damage it can do is limited, and restricted mainly to files and folders on the individual machine. This can be greatly beneficial from a damage control standpoint, since it’s far easier to simply replace one machine than scour the entire network for malware traces.
There’s also the fact that open source code such as Linux software is generally thought to be more secure and better maintained, due to the number of people scanning it for flaws. Similar to the “infinite monkeys” principle, “Linus’ Law” (named after Torvalds) states that “given enough eyeballs, all bugs are shallow”.
Possibly most important, however, is the issue of compatibility. As we mentioned earlier, virtually all software is written for Windows, and this also applies to malware. Given that the number of Windows machines in the world vastly outnumbers the number of Linux ones, cyber attacks targeting Microsoft’s OS are much more likely to succeed, and therefore much more worthwhile prospects for threat actors.
This isn’t to say that Linux machines are totally immune from being targeted, of course, but statistically, you’re definitely safer than with Windows, provided you stick to best practices.
If you finally decided to use Linux, the best of the best are with you now. Though you will not find most of the common software that day-to-day users associate with Windows, you will be happy to find that most open-source software you may have been using is pretty much capable of being run on Linux, and better yet, that software is cross-platform to a large degree, and customizations made through technical knowledge yield even more amazing benefits. You will need to go ahead and anonymously download an ISO of Linux if you plan on doing an install. I am unsure whether data forensics can tell which disk drive created a DVD, but I believe if you are reasonable with your use of DVDs you don’t need to worry too much about that; the only workaround seems to be re-flashing the disk burning drive with a custom firmware.
Computer basics walk-through and TCP/IP
You will eventually need to understand computers at least to a CompTIA certification level, even if you never attain the certification. CompTIA for all levels is advised; beginners should focus on A+, Linux+, Network+, Security+, and Server+. This should get you on the right track.
Once you understand the inner workings of computers and the network protocol stack, you may want to dive into programming. The best place to start is debatable, but I advocate that beginners start with Python or another flexible language with multiple levels of entry that will serve you well for all your years, as well as learning at least the command shell of whatever operating system you use. Other good languages to learn in general are XHTML, Java/Script, C++, and OpenGL/WebGL.
You are going to run a smooth machine that you have specifically modified to your needs, but at the same time, you do not want the customizations to be obvious in a way that reflects the addition of finger-printable details regarding your device. Tweaking windows is in itself a bit of a joke, and if you are serious about anonymity, you will switch over to linux as soon as possible. Tweaking windows is easy enough to gain a bit more performance out of your system and potentially close up a few security holes like desktop widgets that come bundled with windows 7, but you do not want to rely on these small customizations to secure your computer. As far as what changes to make, you will need to research the history of vulnerabilities and performance hits your system is known to have, and adjust your settings accordingly. Disabling special effects in your GUI might make it less pretty to look at, but it will be worth the performance gain and potential security increase. Read up on this for yourself.
Do not use your ISP-provided router (if you have one) for anything if you can avoid it; it will be the weakest piece of hardware in your setup. Make sure to run your own firewall and router from whatever your connection to the internet is. WIFI is a bad idea if there is anything you need to keep seriously hidden from an unknown outside observer, but if you are going to go against this warning, use at least a 16-20 character password and change it every 3-6 months to prevent brute-force attacks from succeeding. It may be helpful for you to research ISP-level logging/tracking and WIFI security cracking to help you understand. On the other hand, WIFI can be valuable for not disclosing your physical location or identifying your person, depending on the circumstances, provided you make efforts to protect your privacy and security. The NSA is also pushing backdoor configurations in all new hardware licensed by the FCC, whether software or hardware backdoors; this has supposedly already happened in CPUs released by Intel, and there is reason to suspect any integrated Bluetooth (wireless)/CPU will be vulnerable in such a way.
Offline password generators and random name creation scripts are your friend. Practice your random passwords and do not use any weak password for offline or online purposes. Your password safe should be stored offline with at least a 16-character password (NEVER less than 8-10 characters).
Always make sure to enter the correct web address in the browser and to use HTTPS when available; do not submit any sensitive form data without HTTPS enabled or you risk discovery of potentially sensitive information.
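An offline generator of the kind described above, as an added example that is not part of the original guide: it draws from the operating system's CSPRNG through Python's secrets module, refuses anything shorter than the 16 characters recommended here, and reports the entropy of a given length. The function names and the consonant-vowel username scheme are assumptions made for illustration.

```python
import math
import secrets
import string

MIN_LENGTH = 16  # minimum the guide recommends for the password safe
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from the OS CSPRNG (works offline)."""
    if length < MIN_LENGTH:
        raise ValueError(f"refusing to generate fewer than {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw until every character class is present so that sites with
        # composition rules accept it; at 16+ characters this costs well
        # under one bit of entropy.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on entropy of a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def random_username(syllables: int = 4) -> str:
    """Pronounceable throwaway name (hypothetical scheme): CV pairs + 2 digits."""
    consonants, vowels = "bdfghjklmnprstvz", "aeiou"
    name = "".join(secrets.choice(consonants) + secrets.choice(vowels)
                   for _ in range(syllables))
    return f"{name}{secrets.randbelow(100):02d}"


if __name__ == "__main__":
    print("password :", generate_password(16))
    print("username :", random_username())
    for n in (8, 10, 16, 20):
        print(f"{n:2d} chars  ~{entropy_bits(n):5.1f} bits")
```

Run it once per account so that no password or username is shared between sites.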
Do not enter personally identifiable information anywhere on the internet and always be careful who and what you trust to have this information.
Your computer, especially Windows, will keep all sorts of records regarding your activities, such as software caching entered data and creating registry keys that reveal fingerprints of what you may have thought were harmless details. Know how these systems work and what details each piece of software leaves on your computer through installation/de-installation and regular use. The swapfile and RAM are also sensitive parts of your system vulnerable to certain types of attacks; always erase your swapfile at shutdown and choose software that encrypts plain values in RAM to gain security in these areas.
It is not wise to use TOR over TOR, issues can come about and there is not enough information on the consequences of doing so, not to mention it may actually harm your anonymity. If you decide to hack a router to use TOR as a proxy to the internet, be warned, not only will the connection need to be scripted to periodically reset and establish the TOR pathway but any personally identifiable activity will also indicate you as being a TOR user.
It is entirely possible that it will not be you but somebody else who breaks the OPSEC of your network and computer system integrity; people you bring over who ask for the WIFI password or even just link into the ethernet can leave traces of their connection to you, or at the very least leave footprints clear as day that they are associated with you in some way. MAC address logging on the router is one example, as is a piece of service provider equipment phoning home. If you understand that somebody else may inadvertently correlate behavior which you tried to strictly regulate, you may find ways to prevent them from violating your security measures. Somebody may also attempt to actively attack you in your own network if you give away the keys or otherwise allow access. In this case, the only preventative is to know that anybody can be a potential adversary, and you don’t want to give them any measure of power over you. If you are worried about being snitched on for being anonymous and having people breach your trust, a slightly off-topic but interesting read is RATS! by Claire Wolfe.
Software on your computer can be a vulnerability. Services like Steam, Flash Player, serverware and anything else that establishes a network connection or phones home (even “offline” software can be used in bridging an exploit) can break your attempts at anonymity and even be a security hole. You need to know that automatic updates can also induce this type of issue by making an easily identifiable pattern appear while you are using anonymity networks. Disabling automatic updates may not be as convenient, but having control over the environment you operate in is to your advantage in the pursuit of anonymity and security maintenance.
Writing down passwords on paper and tacking them to the PC or leaving them in a stack of papers is unwise. If you decide to write passwords down, you need to keep the paper in a safe until it is no longer needed, then shred it and BURN or otherwise destroy it properly.
Biometrics are not yet secure and indeed may never be. Your fingerprints for example are so easy to attain for anybody that may have physical access to your system that relying on anything short of extortion to get them from you is ridiculous. Don’t use biometrics for anything but a soft layer of access control, never guard under biometrics alone.
Use different passwords for each site; never use the same password twice unless you want an adversary to potentially learn it. Use strong passwords. Use skeptical trust distribution for your password schemes that has contingency; common keys can make implementations a bit easier or far riskier.
Reduce your online footprint and learn anonymity without breaking it; the services that used to track you will still try but be less likely to make connections if you are smart about your electronic habits.
Begin sorting data by necessity and content, protect long term data under encryption even if you decide to use common keys.
Know your rights and how to protect yourself preventatively.
Do not use your knowledge or technological resources to break the law, use them as a force for good. I am not here to condone illegal activities but to offer advice and information. What YOU do with that knowledge is on you. Stay Anonymous.
There is no truly anonymous method of accessing the internet (anymore); don’t get caught up in thinking of silver bullets. Furthermore, your anonymity is only as strong as your weakest link and is vulnerable to user error.
A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off. Fingerprints in general describe any of the identifying characteristics of a user or machine, so it is important to be aware of their significance and how to shield from them.
Now you may begin to grasp what indeed your job of being anonymous entails. Leave no trace. You may even choose to not use aliases seeking absolute protection. When conversing with people, it seems to assure them to have any name worth communicating with, but be aware, doing such is incognito and not the strength or armor in truth of an anonymous person.
People and data harvesting services either inadvertently or intentionally breach the anonymity of massive amounts of data all the time. Realize that these systems are often running on servers and unless you know your data is not being pooled, don’t trust that it isn’t being gathered (in any part).
Anything you ever did when not anonymous that you now do anonymously may break your anonymity. Examples range from signing into old user accounts to re-posting old material you released onto the internet at any time. It is absolutely important that you do not release any picture of yourself or others, or reveal any locations that you may be found to have a connection with, unless you want those connections to be made. Remember, an ounce of preventative is worth a pound of cure.
Generation of information that is unique to you can be verified as such. Lingo and slang can also be used to identify you. You need to begin thinking on the basis that if an attacker were to socially engineer you by entraining responses through tailored questions, your use of slang could be used as a positive point toward establishing your ID or even to unmask you entirely, depending on the circumstances. Be aware that the risks are ever present; you need to be careful about anything you do or say.
You may go as far as creating alter egos that, for the most part, act nothing like you, and as such make it harder to profile and statistically determine your person. Talking about food you like isn’t a good idea, but talking about hobbies you don’t care for may help draw attention away from you. It is all at your discretion what you choose to share; understand that simple deceptions can occasionally be used to protect your identity. People may go as far as to actively socially engineer you while you are conversing or doing anything else; you need to take an active stance in not being too open and inadvertently disclosing private/personal information.
Do not break your anonymity for any reason at any moment. If you are asking yourself whether you should do something that you think would be better left undone, listen to your intuition and GTFO. Your ability to reason with caution should provide some protection; ensuring the correct choices are made also needs to be a continual process of upkeep. If you were to say, for example, that you enjoy a certain activity, that may be linked to your alias or even just to the digital identification databases around the world. How vague you are may make or break a conversation you are having with somebody else, but choosing not to disclose personal interests is necessary at times; you will find that over time, once trust has been established, you can speak more freely as long as you are off the record. You are to pay due diligence to your actions while being anonymous; don’t do anything stupid or it will be up for review by the seekers.
You are going to need to learn to change your browsing habits in many ways to make sure you always keep your anonymity. For example, do not let down a thread in your security net in order to browse websites that say you cannot access them due to some IP ban or other similar blocking method. You will need to find workarounds for certain situations, but never remove any layers of existing protection nor leave any unique trace of what you are doing online. If you search for boats on your regular connection a lot and then look up schematics of boats on TOR, an adversary who is amassing a database of all interlinked connections may notice that a boat was viewed on the ‘clear’ connection and, within a time that correlates the events, that schematics for boats were viewed over TOR; the schematics, and even those specific boats, will be linked back to you. You need to discover that disappearing into the crowd and only coming back in an unidentifiable manner is the most proficient way to prevent profiling.
If you have questions and want to speak with anonymous members, have a look at anonboards and anonhq. I do believe anonboards can be a good resource, but the wealth of information is found within the conversations you can have one on one with anonymous members. Please be polite and not make demands of them; You are sure to find a buddy somewhere on there. Some people think that anonboards is total crap; unless you understand, anonboards is a resource with limits, you may find yourself lost. When in doubt, study greyhat [email protected] and use your knowledge on your own personal equipment to simulate the state of your comprehension (don’t practice on systems unless you have explicit permission to do so, fuck the TPP, use the hardware you own with itself as you see fit and go wild).
Sometimes the best manner of providing advice to somebody is to do so anonymously, whether through an anonymous account on a public messaging board or a one-on-one encrypted OTR chat system. If you are going to be anonymous, put your skills to good use and help by educating people on anonymity from experience. Don’t be afraid to admit you do not know an answer, but be careful about what details you may inadvertently leave along with any anonymous interaction you may have.
I don’t know what all to say here, but this should help you understand a fraction of the sayings and wisdom behind becoming anonymous.
Anti-septics can be thought of as leaving the computer without a trace of your presence, or in the case of the unavoidable, sanitizing the information as thoroughly as possible.
The first step in all of this is to make sure your computer does not save any state information when ‘shut down’. Doing this will require you to disable hibernation and, if you use Windows, to disable shadow copies.
Go ahead and secure erase everything you would normally mark for deletion (moving to trash on your computer isn’t a secure wipe). To clear free space, it is a good idea to run a secure erasure program such as BleachBit at least once a week, and to schedule a deep clean at least once a month to make sure any previously deleted information is irrecoverable.
You should encrypt your swapfile and have it clear itself on system shutdown with random 0’s and 1’s.
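A check for the encrypted-swap recommendation above, as an added example that is not part of the original guide: it reads the text of /etc/fstab and /etc/crypttab and reports whether each swap entry sits on a dm-crypt mapping keyed from /dev/urandom, so the previous session's swap becomes unreadable once the key is gone at power-off. The function names and the sample files are constructed for illustration; swap on LVM inside an encrypted container is reported as UNKNOWN rather than analysed.

```python
RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}

EXPLANATION = {
    "OK": "dm-crypt mapping with a fresh random key on every boot",
    "PLAINTEXT": "swap is not on a /dev/mapper device; pages hit disk unencrypted",
    "UNKNOWN": "mapping is not defined in crypttab (LVM or manual setup?)",
    "MISSING_SWAP_OPTION": "crypttab entry lacks the 'swap' option",
    "PERSISTENT_KEY": "key survives reboots, so old swap stays decryptable",
}


def _rows(text):
    """Yield the whitespace-separated fields of each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def parse_crypttab(text):
    """Map mapping name -> (source device, key file, set of options)."""
    mappings = {}
    for fields in _rows(text):
        if len(fields) < 2:
            continue
        key = fields[2] if len(fields) > 2 else "none"
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        mappings[fields[0]] = (fields[1], key, options)
    return mappings


def audit_swap(fstab_text, crypttab_text):
    """Return [(swap_spec, verdict_code)] for every swap line in fstab."""
    mappings = parse_crypttab(crypttab_text)
    findings = []
    for fields in _rows(fstab_text):
        if len(fields) < 3 or fields[2] != "swap":
            continue
        spec = fields[0]
        if not spec.startswith("/dev/mapper/"):
            findings.append((spec, "PLAINTEXT"))
            continue
        name = spec[len("/dev/mapper/"):]
        if name not in mappings:
            findings.append((spec, "UNKNOWN"))
            continue
        _device, key, options = mappings[name]
        if "swap" not in options:
            findings.append((spec, "MISSING_SWAP_OPTION"))
        elif key not in RANDOM_KEY_SOURCES:
            findings.append((spec, "PERSISTENT_KEY"))
        else:
            findings.append((spec, "OK"))
    return findings


# Constructed sample files (not taken from any real system).
SAMPLE_FSTAB = """\
# <spec>               <mount> <type> <opts>   <dump> <pass>
UUID=1111-2222         /       ext4   defaults 0 1
/dev/mapper/cryptswap  none    swap   sw       0 0
/swapfile              none    swap   sw       0 0
/dev/mapper/oldswap    none    swap   sw       0 0
/dev/mapper/vg-swap    none    swap   sw       0 0
"""
SAMPLE_CRYPTTAB = """\
# <name>   <device>   <key file>          <options>
cryptswap  /dev/sda2  /dev/urandom        swap,cipher=aes-xts-plain64,size=256
oldswap    /dev/sda3  /etc/keys/swap.key  swap
"""

if __name__ == "__main__":
    for spec, code in audit_swap(SAMPLE_FSTAB, SAMPLE_CRYPTTAB):
        print(f"{spec:24s} {code:20s} {EXPLANATION[code]}")
```

On a real machine, pass in the contents of the two files read as root; a random-key swap also rules out hibernation, which matches the advice to disable it.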
If you are especially paranoid, you can also find a way to wipe RAM on shutdown and encrypt it. The video memory can be enumerated as a device in Linux and written over with /dev/random at shutdown by creating a custom script.
In Microsoft Windows, the system records artifacts when USB removable storage devices are connected to the system. As far as I know, the only way to remove them is to modify the registry. Go ahead and do your own research or download the zipped portfolio for more information.
You will want to strip all your files of meta-data any time they are put into your long term storage (this may even be too late), and always before uploading onto a network of any kind. An example would be overwriting the exif data in a photo with random nonsense or deleting all the exif data itself. You may even go as far as stripping the files immediately of any identifying information.
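The metadata stripping described above, worked through for JPEG files. This is an added example, not part of the original guide: it walks the JPEG segment structure and drops the Exif, XMP, comment and vendor segments without re-encoding the image. The function names and the sample bytes are constructed for illustration.

```python
"""Strip metadata segments from a JPEG without re-encoding the picture."""
import struct

EOI, SOS = 0xD9, 0xDA
# Markers that stand alone (no length field): TEM and RST0..RST7.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))
# Dropped: APP1..APP13 and APP15 (Exif, XMP, ICC, IPTC, vendor blobs) and COM.
# Kept: APP0 (JFIF header) and APP14 (Adobe colour transform flag), because
# decoders use them to interpret the pixel data itself.
METADATA = (set(range(0xE1, 0xF0)) - {0xEE}) | {0xFE}
APP1_KINDS = {b"Exif\x00\x00": "Exif", b"http://ns.adobe.com/xap/1.0/\x00": "XMP"}


def describe(marker: int, payload: bytes) -> str:
    """Human-readable name for a removed segment."""
    if marker == 0xFE:
        return "COM"
    name = f"APP{marker - 0xE0}"
    for prefix, kind in APP1_KINDS.items():
        if marker == 0xE1 and payload.startswith(prefix):
            return f"{name} ({kind})"
    return name


def end_of_scan(data: bytes, pos: int) -> int:
    """Return the offset of the first real marker after entropy-coded data."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos == -1 or pos + 1 >= len(data):
            raise ValueError("truncated scan data (no EOI marker)")
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed byte or restart marker
            pos += 2
            continue
        return pos


def strip_jpeg_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned JPEG bytes, names of the segments that were removed)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            # Stop here: anything appended after EOI is not image data.
            return bytes(out + b"\xff\xd9"), removed
        if marker in STANDALONE:
            out += bytes([0xFF, marker])
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segment = data[pos:pos + length]  # length field plus payload
        pos += length
        if marker in METADATA:
            removed.append(describe(marker, segment[2:]))
            continue
        out += bytes([0xFF, marker]) + segment
        if marker == SOS:  # copy the compressed scan through unchanged
            scan_end = end_of_scan(data, pos)
            out += data[pos:scan_end]
            pos = scan_end
    raise ValueError("missing EOI marker")


def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment (used only for the constructed sample)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid segment sequence, not a real photo.
SAMPLE = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00" + b"constructed-gps-and-camera-serial")
    + segment(0xFE, b"edited on constructed-hostname")
    + segment(0xDB, bytes(65))
    + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
    + b"trailing bytes appended after the image"
)

if __name__ == "__main__":
    cleaned, removed = strip_jpeg_metadata(SAMPLE)
    print(f"{len(SAMPLE)} -> {len(cleaned)} bytes, removed: {removed}")
```

Dropping the ICC profile in APP2 can shift colours slightly on colour-managed displays, and this only covers JPEG; other formats (PNG, PDF, office documents) keep metadata in their own structures.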
Securing your network connection
The first order of business before you go ahead and use your computer on any network is to apply protective countermeasures (even on your personal non-internet connected systems). Start by spoofing the MAC addresses on your hardware, set up an alternate dns, perhaps through OpenNIC, then apply a VPN (no logs; free will do to start, but remember paid VPNs like TorGuard are better; always select VPNs based on their support of encryption and use it!) and proceed to route all system connections through TOR or another suitable anonymous non-logging proxy service. The next order of business is to enable TCPcrypt and DNScrypt if you want to get more serious with your security.
There are ways to expand your network connection anonymity “protection” by combining TOR with I2P and even freenet, but you are going to want to be careful as to how much trust you place in any one of these systems alone (also, I2P was vulnerable to an exploit in tails a while back). By combining these I of course mean setting up their automatic routing of any information your computer will transmit to and from the internet.
Learn and use TLS and IPsec, which are internet security systems. Get well acquainted with them. Stay anonymous by encrypting your web traffic and keeping up a strong OPSEC.
The TOR browser is quite secure, but you still do not want to link any information identifiable to your person within any of the systems you can access through tor (even regular websites). In addition to this, cross site behaviour can be analyzed through the temporary cookies that exist within tor (don’t worry so much about traces of them). The main issue is that the TOR browser at the time being may inadvertently reveal your activity; to avoid this, use it within sessions and get a new identity on TOR each time you do a different type of activity. Also, NEVER sign into any of your incognito accounts without doing this. Also, I never advise visiting a government website with tor, as it may be used directly to identify you through browser and network attacks.
If you are wondering if tor is really anonymous and secure, it is not completely, though it is decent as a thread to your security net:
Packets are logged, brute forced when they are found interesting enough, and meta-data can be used to link your activities digitally.
Aliashood is a mannerism of going incognito. Within aliashood are rules to live by, such as never disclosing your name, age, or geographic location (even saying what continent you are on can be too much!). Any additions, like a code with symbolic meaning disclosed on the record, can be used as fingerprints to track your digital movements. Common aliases should never link into themselves; this can go as far as server separation when using multiple emails from different providers for service registrations, or for anything from social networking to messenger IDs. There are of course more ways and reasons to understand why separation is important.
Information you learn under one alias and share with another can be used to draw correlations linking their activities.
Your first alias may be your most unique, but uniqueness, though appealing, should never be your reason for breaking separation and situational awareness of your alter ego. If the integrity of a name which is unique to you is compromised in any way, do not go back to use the same user sign again.
Use a different login and password for all systems, and do not interlink between systems if your trust authentication could be compromised in any circumstance. It’s not a good practice to share usernames or passwords unless you want it to be easier for somebody to identify you and potentially lift your access keys.
A random name and password generator comes in very handy for the creation of nearly unlimited different username and keycode credentials, but if you use an online service to make them, they may and thereby will be logged. Take this into account for any tracing done to your feeds by an analysis program.
Go ahead and wrap your login details in encryption if you cannot remember the many passwords that you will require. Your security is only as strong as your weakest link.
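One way to generate separate credentials offline, as the paragraphs above recommend, so that nothing is ever seen by an online generator. This is an added example, not part of the original guide; the syllable list, the symbol set and the function names are constructed for illustration, and the result still needs to be stored in an encrypted container.

```python
"""Offline generator for per-service usernames and passwords."""
import math
import secrets
import string

# secrets draws from the operating system's CSPRNG; the random module must
# not be used for credentials because its output is predictable.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
# Constructed syllables: meaningless on purpose, so an alias carries no
# personal reference that could link it to you or to another alias.
SYLLABLES = ("ka", "ri", "mo", "ten", "vu", "sol", "be", "dax", "lin", "or",
             "fi", "zu", "nar", "pel", "qui", "tho", "wam", "yen", "gro", "ish")


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Random password containing lower case, upper case and a digit."""
    if length < 3:
        raise ValueError("length must allow one character of each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejecting candidates that miss a class keeps the choice uniform
        # over the accepted set and costs only a small fraction of entropy.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def generate_username(syllables: int = 3, digits: int = 3) -> str:
    """Pronounceable random alias such as 'tenvuor482'."""
    name = "".join(secrets.choice(SYLLABLES) for _ in range(syllables))
    return name + "".join(secrets.choice(string.digits) for _ in range(digits))


def credentials_for(services: list[str], length: int = 20) -> dict[str, tuple[str, str]]:
    """One (username, password) pair per service, never reused between them."""
    used_names, used_passwords, result = set(), set(), {}
    for service in services:
        username = generate_username()
        while username in used_names:       # regenerate on the rare collision
            username = generate_username()
        password = generate_password(length)
        while password in used_passwords:
            password = generate_password(length)
        used_names.add(username)
        used_passwords.add(password)
        result[service] = (username, password)
    return result


if __name__ == "__main__":
    # Constructed service names; pipe the output into your encrypted store
    # instead of leaving it in a terminal scrollback or plain text file.
    for service, (user, pw) in credentials_for(["mail", "xmpp", "forum"]).items():
        print(f"{service:6} {user:14} {pw}")
    print(f"{password_entropy_bits(20, len(ALPHABET)):.1f} bits per password")
```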
Email is a good place to start communicating but it is also one of the least secure by default. You can password protect your account from authorization, but an admin can essentially gain access to communications and their metadata, revealing the contents or the source, destination, and transit of an email. Always make sure your emails are generated using encryption for anything that could ever become sensitive (for any reason), using PGP or another secure transport methodology like encrypted containers loaded with password protected steganographic files. Using Mozilla thunderbird with TORbirdy and Enigmail is recommended.
Another way to communicate is VOIP, after some obfuscation is done. You are going to need to seriously consider for what and how you will use this voice communication service. Linphone is among the best opensource VOIP softwares, especially to begin with, and works on mobile as well as computers, but you are going to have to activate SRTP to encrypt audio and video conversations. Linphone and Mumble speak should be run through TORsocks. You can host your own VOIP server using Asterisk.
Public chat-rooms can be convenient to meet large groups of people at once, but they also can break your anonymity to at least whatever logs are being kept. Do not think that so called private chats are actually invisible. Anything you do can be used to fingerprint the session, or different activities that have traces left behind that a computer might link to you in statistical tracking databases. IRC is considered public, and if you want to get started, go ahead and use Hexchat.
Private chatrooms come in many varieties, but the most highly praised for its security is XMPP with OTR enabled; this can be done with the pidgin messenger using an OTR plugin. Selecting the right XMPP is really up to you, but it is always advisable to run the messenger client connections through tor to obscure their origin and destination. Many other methods than pidgin with OTR XMPP can be employed, such as bitmessage and Tox. These two services are also route-able through proxy (e.g. TOR socks5) and are quite a bit more secure than pidgin OTR XMPP. Getting on bitmessage and Tox are steps you can take to begin securing your private communications. TorChat is also considered a good piece of software.
Communicating with Pidgin using OTR over XMPP:
Sending files is a bit difficult but can be achieved easily enough for anything under 100mb. If you have a larger file to share, onionshare (a tor hidden server software) can be used to start; sharing files over i2p can also be done relatively easily. The packets will be placed under a trace at any point a data transfer begins, and by, for example, strategic network squeezing attacks, traffic analysis, or profiling of an individual, the source and destination can be determined depending on the scope and scale of an operation. Remember this when sending sensitive files, and try to keep file sizes down in security intense operations. You are definitely going to want to find ways to securely send files by researching what methods exist and how to keep your OPSEC strong in one of the more vulnerable pursuits. Any file you create may have unique indicators that can be used to identify you.
Social networks are just a really bad idea in general if you are wanting to remain maximally anonymous, but for those ‘brave’ enough to venture on them, do not break the code of anonymity anywhere on any system. You are in much better hands to find your contacts on them, establish trust, and communicate personal messages in a truly secure channel, and social media just isn’t one of them. If you have used social networks before, deleting them now is a good idea. If you have friends who still desire to use social media, look at mentioning the Diaspora or Friendica social network to them. Social number has some benefits if you wish to continue to remain anonymous and still use a social network. Your best bet though is to only use decentralized networks if you desire to continue with them, and of course, there are disadvantages to these. An example of a decentralized social media service is Friendica. Hosting your own social network is risky and not for the foolhardy to embark upon.
Good examples of public social media networks are social-number and galaxy2.
There are many more methods and facets to cover regarding communication, but for the sake of this guide, that about wraps up the basics.
Choosing online services
The hype of internet services has drawn many users into their centralized and fully logged systems. Many people are unaware or apathetic to big brother peeping on every bit of digital data they can attain, where the logs amassed are kept for 7-10 years or longer to fuel the warrant-less laws of pre-crime society.
Lots of people use facebook, gmail, or skype for example, tending to enjoy the popularity of the service as a rendezvous. Do not fall under an illusion believing that these services ever have or ever will truly respect any of your privacy. Not only do these types of services sell your data directly to advertising companies, they also will surrender any data they contain to big brother on request even if there was no warrant issued. Given that these companies are in the business of linking profile activities statistically to their massive databases, if you have ever used their services, your anonymity has already been breached internet-wide. Now content seeker-bots will attempt to determine who created any piece of data they might find interesting (for any reason) and attempt to link activities to you or others who exhibit a similar trait in content creation. The manner in which one creates a sentence and other things like pictures of the interior of your house will be used in the tracking database search and linkage index.
You should make it your first duty, while your online identity is still publicly known, to go ahead and erase as many traces of your online presence as possible (you cannot erase them all, they are spread too widely), and to never again enter your personal information onto the internet. This may be an inconvenience at first and you may even be asked by people why you are doing this. The answer is simple, your privacy is worth more than the ‘convenience’. If there is anybody who you need to stay in contact with, send them an email requesting they write you back and gather their contact details as you prepare to plunge into incognito with them. Begin deleting yourself from the face of the internet.
When choosing an online service, your first questions should be about the necessity of using the service, the possible connections that could be made to you for using it or employing its capabilities in certain ways, and whether the service pledges full protection of privacy or will roll over given the pressure applied in the right places.
Alternatives to traditional services such as forums and micro-blogging can be found using secure software such as syndie and twister; you will need to look for these pieces of software and perform due diligence in your choice of alternative platform.
If you decide to host your own service, know that there will always be potential vulnerabilities present. You could leak your IP or somebody could infect your system and watch it spew sensitive details though the IP of your server may still be secret. Remember that there are loads of attacks that can be performed and if you are visible on the internet, in any way (even just plain accessing), you can be vulnerable to attacks on your system.
Hosting open source alternatives to common centralized systems can be a great joy for anybody that is security minded and technically inclined. The main drawback after general systems security is finding a way to allow you and your users to both remain anonymous. IP and DNS leaks, as well as unencrypted responses and anti-crypto analysis attacks, are ever present and may plague your server if anybody but your circle of trust knows about it. Even if the method is trust-less, a skilled enough adversary with enough resources and knowledge of your system could facilitate an attack on your system. Need I remind you of famous bandwidth and node squeezing attacks that track packet flows through undersea cables and the like to expose the geographic location of the system? Another issue is having your details snooped by a link phishing attempt. If you are thinking about hosting a service of any kind on the web, a good linux distro to choose would be CentOS, based on fedora core linux.
It is of utmost importance that your devices are encrypted in case they ever fall into the hands of another who may attempt to breach your privacy and security with them. Not only does encryption serve as an added layer of device access authentication, but the files inside, if they are wrapped properly in additional layers of encryption, are nearly impossible to gain access to, so implementing multiple layers of security is essential.
If you are dualbooting, use VeraCrypt for your windows partitions and LUKS for your linux partitions.
VeraCrypt, EncFS, LUKS, or GnuPG will do. You will also need to diligently use encryption, never leaving sensitive data un-encrypted.
You may decide to use your encryption program instead of a password safe, which I recommend since worrying about the passwordsafe being breached could be a serious issue, but here is the caveat: all your passwords in an encrypted container could be swept up through copying your clipboard or from the swapfile, or even by exploiting a vulnerability to read traces left in ram. Make sure these vulnerabilities are covered in your OPSEC contingency plan.
Security through education. Learn grey hat hacking and practice by yourself on your own equipment.
An essential component of your training will include social engineering.
You will probably want to read phrack magazine online and browse blackhat world forums. Cybrary is also a good resource along with deep dot web.
A method you may choose to implement could be creating a SSH tunnel on your LAN to an ARM dev-board and running TOR as an entry proxy for the internet, with your device loaded up on ARCH or some other linux. openWRT running custom security services may serve as a valuable asset in your network layering. For beginners, it is never too late to learn some entry level hardware hacking.
In the event you ever run into legal trouble, remember, as you know from this guide, that what you do is on you. That being said, you have the right to not self incriminate, and mentioning this guide to officers is definitely a bad idea, though there is no illegal content within it.
This section does not constitute binding legal advice; it is simply a description of procedures one should keep in mind in case you end up having trouble with law enforcement. You should contact your lawyer right away if you are expecting legal issues and begin working things out with them. At the very least, you should write down their number on a small card in your wallet and make sure you work on memorizing it; in some cases, police may allow you to access this ‘calling card’.
Even if you do nothing wrong, most LE wants to screw you. The majority of them are not trying to protect and serve, but are trying to meet some alpha male requirement they subconsciously have. They feel important when they bring you down. Also, people tend to minimize what they do, so you are probably bigger than you would like to admit.
Cops do not have to tell you they are cops, neither do feds. Undercovers lie all the time. So do confidential informants. Be careful who you trust, even friends you have known your entire life can turn.
Know your rights and exercise them, otherwise they may be violated if you do not stand with them in your defense.
Never consent to be searched or have your vehicle or house searched. Make them get a warrant.
Always retain your right to remain silent and state that you do not speak to officers of the law without your lawyer present.
Keep calm and cool.
Get a solicitor so that someone knows where you are and to show the cops you are not going to be a soft target; they may back off a bit.
It is advisable to avoid using the duty solicitor as they are often either crap or hand in glove with the cops. It’s worth finding the number of a good solicitor in your area and memorizing it. The police are wary of decent solicitors. Also, avoid telling your solicitor exactly what happened; this can be sorted out later. For the time being, tell them you are refusing to speak. Your solicitor can come into the police station while the police interview you: you should refuse to be interviewed unless your solicitor is present.
Never make a statement. Don’t get drawn into conversations with the police.
An interview is a no-win situation. You are not obliged to speak. If the police want to interview you, it shows you’re in a good position. The only way to stay in that position is to refuse to be drawn into any conversation and answer “No Comment” to any questions.
An interview is the police questioning you about the offenses they want to charge you with. The interview will usually take place in an interview room in the police station. An interview is only of benefit to the police. Remember they want to prosecute you for whatever charges they can stick on you. An interview is a no-win situation. For your benefit, the only thing to be said in an interview is “No Comment”. Remember, they cannot legally force you to speak.
If you are roughed up, see a doctor immediately after being released. Remember the officers’ names and numbers if possible.
There are many laws that constitute victimless crimes; being anonymous is not illegal in the sense that it is a criminal act. Instead, the prohibition of anonymity in certain jurisdictions is a type of pre-crime tactic.
In the US, you will want to remember the following, as they are rights of yours as a defendant in criminal cases:
a speedy and public trial;
a trial by an impartial jury composed of twelve Citizens;
to be informed of nature and cause of the accusation;
to confront witnesses and to compel witnesses to appear in court;
the assistance of legal counsel free of charge where appropriate;
to be presumed innocent until proven guilty;
not to be compelled to be a witness against himself or herself;
not to be deprived of life, liberty, or property, without due process of law.
Remember, anything you do or say can and will be used against you in the court of law (for any reason they can conceive).
Officers cannot demand key disclosure by law unless they have a warrant. The law is a bit hazy on the subject, but if there is not a warrant issued for you and especially if it does not disclose probable cause to knowledge of the encrypted device in addition to its contents, you do not need to disclose the encryption key. Again, you need to speak with a lawyer to be sure.
Be sure to research the laws and regulations in your locality so you know what they are (ignorance is not innocence). Be aware that searching for information specific to your geographic region can be used as an indicator of your presence and activities. Be very careful about what you search for and how you search for it.
At the end of all this, to protect yourself, all that is really left to be said in your benefit is don’t break the law; never give them a reason to come for you.
You will need to make sure privacy starts with you. If you are being anonymous, telling anybody you know about it is just a bad idea. They may even just be confused and believe you are engaging in an illegal activity, alerting the authorities and killing your best chances at staying anonymous.
Things like screen view protectors are a good idea if you think anybody could walk into a room and see what you are doing or may be reading over your shoulder, such as at home or in a coffee shop.
Talking about anything you have done as anonymous can end up having it lead back to you, which may look bad if nothing else. Just as bad as talking, or even worse, can be bragging/boasting about things. If somebody asks you, just deny them any (additional?) information, affirm plausible deniability if a minimal response is required, and don’t react to the things people say believing that your response is actually going to make things better.
If somebody you know is with you, put away your anonymous mask so that they are not aware of your incognito alter ego. You wouldn’t be anonymous if they knew what you were doing. This may be hard to hear, brace yourself, you may have to tell a white lie from time to time if you are anonymous. Be prepared for questions about your day or what you are doing, and be ready to pull the plug on your work if somebody surprises you with a visit.
Privacy starts at home and with who you invite into your home. Next, retaining absolute privacy in a house with electronics is nearly impossible; even your offline xbox/psX accounts will show what games were played, applications installed, and usernames on the system; this plus more information may be phoned home if you connect your xbox/psX to the internet. Once you are at work, expect your privacy to be mostly gone; watch what you do and say everywhere, especially at work. You are given a choice to share what you want, so exercise that freedom.
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say”. – E. Sno.
Use your common sense and avoid mistakes in the first place, because once you make one, it’s most likely too late. Be premeditative about your actions, their implications, and consequences; listen to the voice of reason when you hear it.
Learn survival skills such as offgrid living, urban disaster mitigation, first aid, and martial arts to help you in case the worst happens and we lose all infrastructure. Use your skills to stay alive and out of harm’s way. Best of luck!
If you are using linux, make sure your distribution includes SElinux. Though the code was contributed by the NSA, it has been audited by the community and is not believed to contain any backdoors. Using SElinux will definitely ensure that your software permissions do not allow an attacker to over-run
You need to read up on security vulnerabilities for whatever system you ultimately decide to use and understand that no system is truly secure. Some people may think that their off-grid powered offline computer is secure, though the government has TEMPEST; read up on van eck phreaking if you are not sure what I am talking about.
Using a ‘burner’ laptop is a good idea in that the computer is relatively self contained and should be easy enough to scrub in the event of being attained, since a DBAN erasure disk will easily boot and cleanse it if necessary for OPSEC. You will want to be careful, given that all devices are integrated on the board and disassembling a laptop in a timely manner is less meaningful than with a desktop. For any work you do that often connects to the internet, you should probably focus on using a laptop. Indeed, there are even different behaviors one should engage in when using a laptop over a desktop to help lower your profile.
You are going to need to learn hacking techniques and then cover security protocol on your own terms (obscurity is not security). If you aren’t sure where to start, have a look at intrusion detection, then perhaps code yourself some intrusion diagnostic and alarm system that has a contingency in the event of a complete takeover; a panic button to initialize your countermeasures will serve you well in the event you ever need it. Make sure to drill your techniques in case of a real life scenario.
Platform specific recommendations
Windows (xp/7) computer (insecure; ‘burner laptop’):
Tor Browser Bundle
Firefox ESR w/ NoScript & I2P settings
WinPassGen (defuse cyber-security’s high-security offline password generator)
Pidgin & OTR
Hexchat w/ I2P settings
Thunderbird & ENIGmail (tor socks5 settings like TORbirdy)
linux (mint/fedora/debian/suse/arch/kali/tails/qubes-whonix) computer (secure; ‘burner laptop’)
Tor Browser Bundle
Firefox ESR w/ NoScript & I2P settings
Defuse PassGen (https://defuse.ca/passgen.htm)
Pidgin & OTR
Hexchat w/ I2P settings
Thunderbird & TORbirdy & ENIGmail
For a good list of software to combat big-data and mass-surveillance, go ahead and swing by prism-break.org and check out the information they provide.
Using a chromebook with chromeOS is a bad call for attempting to be anonymous. You can search online to implement methods described in this guide, but be aware that you will be more or less exposed to the data collection that is going on. At least it is better in so many ways than owning a ‘platform locked’ windows 10 computer. Many of the procedures covered in the android part of this guide will apply to securing and anonymizing your chromebook.
The NSA loves Google’s fancy chromebook:
To get the most out of your efforts of anonymity, you need to consider installing linux on your chromebook and understand that there are some limits to this approach that would not affect regular pc users in the same way.
Android smartphone section
I advise using android smartphones due to their open source nature and ease of customization, making them potentially a better candidate for a secure mobile device, but there are some drawbacks to android devices as well as general vulnerabilities of using mobile networks with your PDA.
Begin your anonymous mobile streak by researching and ordering the supplies you need to begin your new digital life; this will be your first test in anonymity. Using the information in this text will help you with a starting push.
Choose a phone (GSM is best…) compatible with either replicant, ‘Guardian ROM’ (secure android ROM), or CyanogenMod, and make sure the phone you are getting will suit your desired needs, such as running kali linux through android terminal. Choose an unlocked phone through your choice of online ordering service, use bitcoin or an anonymous credit card (research these first) to purchase it, and have it mailed to a different address, such as a friend’s house or P.O. Box, that is unrelated to the one where your item will be kept. Once the item arrives, transport it discreetly to its final destination. Avoid abandoned buildings or any place where it would be suspicious to have mail delivered. Do not sign for your package. If you are expecting a package, do not answer the door for the postman; let him leave it there and then transport it as described above. Do not use your real name. This tactic doesn’t work in some places because deliveries won’t be made to names not registered with the address. If you think this is a problem, send yourself a test letter with the fake name and see if it arrives.
Select a pay as you go service that will accept your payment from the anonymous money source you choose. Make sure that you do not use your real name or any other information that may be tracked to you. You may need to use an anonymized VOIP service to activate your payment method or phone service; learn how to set up an anonymous VOIP before continuing.
Anonymously acquire the guide to root your phone and flash the CWMR Touch recovery to the device, backup your original rom (store in VeraCrypt or other encrypted container if you want), flash the new “secure” android rom to the device.
If you decide to use any google account related service, go ahead and use a fake name generator to create your alternate personality and use the device knowing you are being tracked at least by the relations under this account (never give your real name to the services or companies you use).
Use link2sd or a similar app managing program and freeze all google services, begin removing any software that may need to be removed, and install all the android software in the list from f-droid or an alternative app market (warning, some applications may not work without google services installed and unfrozen!).
(Continuously make rom “save states” to revert to in case you make a mistake)
Go ahead and install any additional software you need, but keep in mind that every additional piece of software can make your phone more insecure. You can help control these permissions with PDroid.
(android system encryption), F-Droid, Chatsecure, Wickr, Signal, orbot, orwall, orweb, orfox, Bitmessage, Pixelknot, Obscuracam, SecureWipe, PasswdSafe, APG, CCleaner, GnuPrivacyGuard, I2P, K9 mail, OpenKeychain, Silence, HashPass, OI safe, OI notepad, OI file manager, ring, cryptonite, PDroid, ostel (guardian project).
Once you are satisfied with the rom enough to call it good, save the state in an encrypted container and then go ahead and encrypt the entire android device using the inbuilt capabilities (use at least a six character mixed alphanumeric random password).
If you are confident about your rom and have scrubbed it to antiseptic purity, ensuring at a minimum it has no personally identifying details within it, you may choose to release it upon a forum. Make sure you are wise about this decision: though it is true you may help others like yourself out, the rom itself can potentially be used to uniquely identify you. If you do release the rom to the public, it would be wise to only state that it is for security minded android beginners and not to make claims about the rom regarding anonymous or hacking purposes. You may even just want to leave this to more experienced individuals.
Set up a VPN, whether it be with a free or paid provider, and make sure it is anonymous with no logs (search online for lists of providers).
In the settings of the android rom and within the phone application, disable location reporting and GPS tagging of photos. Always strip exif data from any picture that may have been taken with your phone or other device.
Remember your phone may be more secure now, but there are still ways that your anonymity or security could be compromised; don’t use the device for anything you wouldn’t be cool with an adversary knowing and using against you later, but feel safe in knowing you are diminishing the powers that be.
Spread this paste with your friends using an encrypted OTR self-destructing messaging system and help others learn about becoming anonymous.
Perhaps the first order of business now should be learning how your anonymization measures work and their limits, then go ahead and load up on field manuals and survival information in case you ever need them (disasters can happen!). Maybe buy yourself a solar backup battery (5v li-ion charging bank) and a usb solar panel to charge the battery.
Learn to reduce the ability of being tracked/profiled and leaving fingerprints on the network.
You may want to use an IMEI and MAC generator-spoofer method to further reduce the tracking of your device; sending false GPS coordinates may be helpful as well, and you should pick a random location on your planet. Your device may still be tracked and profiled by the cellular towers; it is advisable to spoof your device hardware from the beginning and change the spoofed values at least every 6 months. To prevent being tracked you will have to remove the battery from your device when not in use and only use the device in an area that will not compromise your identity.
Recommended phones (most compatible):
Samsung Galaxy S
Samsung Galaxy SII
Samsung Galaxy Tab 2 (7.0) & (10.1)
Samsung Galaxy SIII
Samsung Galaxy Note 2
Goldelico OpenPhoenux GTA04
There are other resources available all over the internet that can help you learn; access them while using Tor. Startpage, DuckDuckGo, search.disconnect.me and ‘not evil’, as well as the hidden wiki, are good places to start. Use common sense when accessing anything on the internet. Remember that backdoors could potentially be installed and active in your system, rootkits and trojans are not difficult to implement, and platform attacks can de-anonymize you. If your hardware has been physically compromised then there is little you can do but remove the modifications and hope none of your private information has been keylogged or swept up by a bug.
iPhone smartphone section
This section may be filled in some other time, but I doubt how much good it will do, since iPhones are a closed platform and therefore inherently bad for the purposes this guide outlines.
learn [email protected]:
Private search engines:
Security testing webservices:
I know this brief guide is nowhere near close to covering everything, and though I have attempted to enlighten beginner users for taking their first steps, there is little I can do to assure them that they have done all that is necessary. Even advanced anons wonder at times if they have taken all known precautions.
Thank you for taking the time to look over and read this guide. If you found this information useful, spread the good word of anonymity, in your circle and abroad, as you see fit.
There is a lot more information available for download than is in this guide. It is mostly a collection of webpages and PDFs that were generated to help people become more enlightened on the topic. Ultimately it is up to you if you want to be a cyber security expert, and though I advocate for people learning how to use computers with maximum exercise of knowledge, most end users who will read and even implement the measures defined in this brief guide will not study adequately and could potentially see their anonymity slipping up. The links to this guide are at the top and the additional compilation of resources is below. If you are paranoid, scan for exploits and strip the data provided per your needs.
A brief guide for computers has been zipped and uploaded, and the link for it is included. Make sure to open these files in TOR browser by dragging them in individually, or disconnect from the internet, to prevent site scripts from leaking your IP and browser activity and PDFs from loading components that may de-anonymize you online. Alternatively, you can use them as a list of topics to research:
A brief description on how to make secure, so called “un-beatable” passwords
This post is for rookies who don’t know so much about creating strong passwords and need pointers. Using the template outlined may make a mask attack less difficult because the template is known, but it is mainly to illustrate the assembly and cascading protection a long password can provide.
The ultimate tip is to just use completely random passwords, but if you need to, this outline should help get you started.
password formula and procedure for strength
“password_template; all characters chosen randomly”
the lower-alpha_word/pad may be replaced with random lower-alpha or alpha_numeric characters. A word is acceptable here because your password will have additional length to prevent bruteforcing. If security is critical, don’t use a word or padding but actual random characters. The alpha word in this example was chosen randomly.
The use of lower-alpha in the template does not need to be strictly lower case. You may choose to mix cases in the lower-alpha portions but I advise against using all upper case in “shouty passwords”. Choosing which letters should be lower or upper case can be determined through diceware.
acii may be replaced with either a numeric pin or alpha numeric mixed phrase for resolving potential compatibility issues (E.g. WPA2-PSK wireless passwords)
read up on theoretical password safety
generating, checking, and protecting your passwords
install defuse passgen in linux
install KeePassX from https://www.keepassx.org/ OR Password Safe from https://www.pwsafe.org/
generate the necessary passphrase seeds and save them in an encrypted container; use VeraCrypt from https://veracrypt.codeplex.com OR GnuPG from http://www.gnupg.org/
If you do not feel like counting the characters of a password yourself, use the shell to find the length of a string, using "expr length STRING", where STRING is your password in quotes (E.g. expr length "nixcraft"). You may have to divide the password into parts, measure the string length of each, and add the lengths together. Make sure to clear your terminal history by running the command $ history -c
Use BleachBit to delete any remnants of your previous passwords from your computer.
Do not use your password for more than one instance and always generate a new password for any account you make. Do not cross contaminate your credentials for any reason.
Download a few password dictionaries such as John the Ripper, Cain & Abel, and RockYou. You can find them at https://wiki.skullsecurity.org/Passwords
Audit your passwords using hashcat by attempting to bruteforce the MD5, SHA256, and bcrypt hash as well as the plaintext password itself.
cryptographic container protocol:
a master keysafe textfile in the cryptographic root directory will be stored in an encrypted container and contain the passwords to the cascading keysafes in each folder containing the ciphered files; all other (than the mstrsf) encrypted containers will be placed in separate lower directories than this cryptographic root that follow an inverse naming scheme as the encrypted containers (I.E. ####abcedf); the master keysafe can use a shared password between all the volumes if security is not critical, however, when using a shared password, the password must be private (not available as a file on the disk, stored in the user’s memory within their brain), and the password is 16_char+4_numeric_pin
all containers will have the format of (6_lower-alpha)+(4_numeric)=12_char for a name that has been derived from a random generator; there is no default name prefix, and any will do, as long as it does not conflict with mstrsf(XXXX), yektsl(XXXX), or ridtsl(XXXX); there are theoretically 3.08915776e8 different container names that can be created using the prefix alpha characters and 1.0e4 suffix numbers possible per unique name, making many different container names possible
all containers will be locked with at least a 28_char mixed alpha_numeric random password; the standard is 32 characters mixed alpha_numeric for medium grade protection
a naming list for containers will be separate from the container passwords and contain the address book for interpreting the content names of each container; the container indicator is found in the prefix of ridtsl
a password file will be placed on a “directory keysafe” container that will be tasked at containing the passkeys for unlocking the containers by their codenames (not their content names); the password file will indicate the address book relevant to the password list; the container indicator is found in the prefix of yektsl
it may be reasonable to place all these containers into one master container per “unencrypted” disk drive/partition; it may be your choice to place a hidden volume within the master container that will contain all your data, but you will need to set an independent password for this hidden volume, though it may share the derived numeric_pin; the master container derives its name using 3_lower-alpha+4_numeric+3_lower-alpha; the master container would have two companion containers, with one that contains the master container key and another that is optional which is the address book that interrelates between all encrypted volumes and is simply updated “centrally” to load itself into all open areas of any drives; the master container should use a shared password between all drives (the master container obscures the interior contents); the master container will not use the same password as the master keysafe but share the same ending 4_numeric_pin, meaning that 16_char+4_numeric_pin is the final entrance phrase; the container indicator is found in the prefix+suffix in mst+(XXXX)+rct
to complete the triple layered onion encryption, the encrypted cipher containers can be loaded inside of a fully encrypted disk partition; this fully encrypted disk contains the master container which in turn contains the remainder of encrypted directories within it; (CRYPT1->CRYPT2->CRYPT3); this technique is basically military grade and only weak to endpoint security or weak user OPSEC including choice of password; if a user loses any of the passwords to the access system, all data is irretrievable within any reasonable period of time that the known universe exists unless the encryption algorithms are found to be insecure; this operating system access encryption should use a private+public key system to help strengthen the system against any adversary while making the job far easier for the operator/admin; using a 12to16_alpha_numeric(private)+8to12_alpha_numeric(public) would make cracking the full disk encryption very difficult without phishing/forcing the password out of the owner
protecting any system from rubber hose attacks is nearly impossible; sidechannel attacks and direct system compromise are basically impossible to protect against as well; endpoint security is usually terrible
storing sophisticated passwords within a password safe on a secured offline system that must be accessed with 1-3 master passwords makes an attacker’s job nearly impossible without physical access to the system and to your passwords from access of the virtual safe; only sophisticated electromagnetic phrack attacks can bypass this pretty good security; you would need to lock this offline system in a vault and only ever use it to get into your secured system in a manner that is always physically disconnected (no USB keys for example) and has no network access or communicating interfaces other than the screen, mouse, and keyboard
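The naming and password rules of the container protocol above can be generated from the operating system's CSPRNG rather than picked by hand. This is an added example, not the author's tooling: the function names are hypothetical, and "mixed alpha_numeric" is assumed to mean the 62 characters a-z, A-Z and 0-9.

```python
import math
import secrets
import string

# Prefixes the protocol reserves for the keysafe and address-book containers
RESERVED_PREFIXES = {"mstrsf", "yektsl", "ridtsl"}
ALNUM = string.ascii_letters + string.digits  # assumed 62-symbol alphabet

# Size of the name space quoted in the protocol
NAME_PREFIXES = 26 ** 6   # 3.08915776e8 six-letter prefixes
NAME_SUFFIXES = 10 ** 4   # 1.0e4 numeric suffixes per prefix

def _pick(alphabet: str, n: int) -> str:
    """Draw n symbols uniformly from alphabet using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(n))

def container_name() -> str:
    """(6_lower-alpha)+(4_numeric), never starting with a reserved prefix."""
    while True:
        prefix = _pick(string.ascii_lowercase, 6)
        if prefix not in RESERVED_PREFIXES:
            return prefix + _pick(string.digits, 4)

def container_password(length: int = 32) -> str:
    """Mixed alpha_numeric password; 32 is the standard, 28 the floor."""
    if length < 28:
        raise ValueError("the protocol requires at least 28 characters")
    return _pick(ALNUM, length)

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Brute-force search space, in bits, of a uniformly random string."""
    return length * math.log2(alphabet_size)

def provision(count: int) -> dict[str, str]:
    """Codename -> password map, the content of a 'directory keysafe'."""
    creds: dict[str, str] = {}
    while len(creds) < count:
        name = container_name()
        if name not in creds:          # codenames must stay unique
            creds[name] = container_password()
    return creds

if __name__ == "__main__":
    for name, password in provision(3).items():
        print(name, password)
    print(f"28 chars: {entropy_bits(62, 28):.1f} bits, "
          f"32 chars: {entropy_bits(62, 32):.1f} bits")
```

Run it only on the offline system that holds the keysafe, and write the output straight into the encrypted container rather than to the terminal scrollback.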
account creation overview
First M. Last
City, ST ZIPx#
Mother’s maiden name:
Month dy, year
x# years old
“username_template; all characters chosen randomly”
at the minimum, a username should consist of (4to6_lower-alpha)+(4to6_numeric)
better yet, a username should consist of (4to6_lower-alpha_word)+(4to6_lower-alpha)+(4to6_numeric)
“password_template; all characters chosen randomly”
when working on creating random words, you can generate lower-alpha characters of the desired length and load them into an offline anagram solver
the lower-alpha_word/pad may be replaced with random lower-alpha or alpha_numeric characters. A word is acceptable here because your password will have additional length to prevent bruteforcing. If security is critical, don’t use a word or padding but actual random characters. The alpha word in this example was chosen randomly.
the use of lower-alpha in the template does not need to be strictly lower case. you may choose to mix cases in the lower-alpha portions but I advise against using all upper case in “SHOUTY PASSWORDS”. choosing which letters should be lower or upper case can be determined through diceware.
acii may be replaced with either a numeric pin or alpha numeric mixed phrase for resolving potential compatibility issues (E.g. WPA2-PSK wireless passwords)
goals to reach as minimums
(persona portfolio; name and details)&(generated_bio)
(VeraCrypt_public&private)&(rand_name 8_alpha_numeric crypt_container) & (16to28_password)
(default_email; [cross contamination?])&(PGP_keys)
(12to18_char service specific username)
(16to28_char service specific password)
at the top of every section in each area of your portfolio, you should indicate the name of the service and the web address to it. make sure to indicate any necessary login or recovery info for each as well.
every service should have unique details that do not tie into your persona portfolio. you will not disclose your persona portfolio details until a person has truly gained your trust, and do not disclose your persona portfolio details in any of your bios. if you do not adhere to this, an external adversary correlating the individual accounts will have their work be significantly easier.
in addition to your main portfolio, you should have at least 5 sets of fresh names, birthdays, usernames, and passwords as extras to use when needed. make sure to indicate what is in use where and for what, and regenerate your list to keep it stocked with fresh ones that are not in use.
bitcoin vanilla visa [anonymous]
western union or amazon gift card to convert cash into credit and buy bitcoin
use bitcoin to buy greendot moneypak to refill virtual credit cards
greendot visa prepaid card from “walgreens” for ATM withdrawal
another wise choice would be to use anoncoin instead of bitcoin as much as possible since the project is more likely to develop for increasing anonymity. zerocoin is claimed to already be doing just that.
the bitcoin technology will be used to hold your money anonymously, but it is not intended for long term investment or guaranteed preservation of the value of your dollar. store those values in silver if you need to.
using FOREX markets is one way to use cashed out bitcoins to exchange real money for gaining a profit. If you are going to invest your money in search of cash-to-cash returns, using the forex market is a way to gain income but your anonymity will be thoroughly compromised and the money is fully centralized. updates to this document will hopefully explain how to trade forex markets anonymously with bitcoin as the holding currency.
TOR proxychained for internet entry point; TORSOCKS command to force programs to run through TOR
I2P for anything not requiring standard web access (For everything else there is I2P); All IRC and torrenting done on I2P
I2P&Tahoe-LAFS for cloud storage and file distribution
B.A.T.M.A.N protocol with openWRT routers using I2P in an anonymous mesh
openBTS and openWRT-MESH “software defined radios” for disaster communications
This part intentionally left blank.