/pnd/ - Politics, News, Debate

2/5

> Given the importance of the secrets they were about to share, Snowden and Poitras could not use their regular e‑mail addresses. Why not? Their personal email accounts contained unique associations—such as specific interests, lists of contacts—that could identify each of them. Instead Snowden and Poitras decided to create new email addresses.

> How would they know each other’s new email addresses? In other words, if both parties were totally anonymous, how would they know who was who and whom they could trust? How could Snowden, for example, rule out the possibility that the NSA or someone else wasn’t posing as Poitras’s new email account? Public keys are long, so you can’t just pick up a secure phone and read out the characters to the other person. You need a secure email exchange.

> By enlisting Lee once again, both Snowden and Poitras could anchor their trust in someone when setting up their new and anonymous email accounts. Poitras first shared her new public key with Lee. Lee did not use the actual key but instead a 40-character abbreviation (or a fingerprint) of Poitras’s public key. This he posted to a public site—Twitter.

> Sometimes in order to become invisible you have to use the visible.

> Now Snowden could anonymously view Lee’s tweet and compare the shortened key to the message he received. If the two didn’t match, Snowden would know not to trust the email. The message might have been compromised. Or he might be talking instead to the NSA. In this case, the two matched.

> Snowden finally sent Poitras an encrypted e‑mail identifying himself only as “Citizenfour.” This signature became the title of her Academy Award–winning documentary about his privacy rights campaign.

> That might seem like the end—now they could communicate securely via encrypted e‑mail—but it wasn’t. It was just the beginning.

> Picking an Encryption Service

> Both the strength of the mathematical operation and the length of the encryption key determine how easy it is for someone without a key to crack your code.

> Encryption algorithms in use today are public. You want that. Public algorithms have been vetted for weakness—meaning people have been purposely trying to break them. Whenever one of the public algorithms becomes weak or is cracked, it is retired, and newer, stronger algorithms are used instead.

> The keys are (more or less) under your control, and so, as you might guess, their management is very important. If you generate an encryption key, you—and no one else—will have the key stored on your device. If you let a company perform the encryption, say, in the cloud, then that company might also keep the key after he or she shares it with you and may also be compelled by court order to share the key with law enforcement or a government agency, with or without a warrant.

> When you encrypt a message—an e‑mail, text, or phone call—use end‑to‑end encryption. That means your message stays unreadable until it reaches its intended recipient. With end‑to‑end encryption, only you and your recipient have the keys to decode the message. Not the telecommunications carrier, website owner, or app developer—the parties that law enforcement or government will ask to turn over information about you. Do a Google search for “end‑to‑end encryption voice call.” If the app or service doesn’t use end-to-end encryption, then choose another.

> If all this sounds complicated, that’s because it is. But there are PGP plug-ins for the Chrome and Firefox Internet browsers that make encryption easier. One is Mailvelope, which neatly handles the public and private encryption keys of PGP. Simply type in a passphrase, which will be used to generate the public and private keys. Then whenever you write a web-based email, select a recipient, and if the recipient has a public key available, you will then have the option to send that person an encrypted message.

3/5

> Beyond Encryption: Metadata

> Even if you encrypt your e‑mail messages with PGP, a small but information-rich part of your message is still readable by just about anyone. In defending itself from the Snowden revelations, the US government stated repeatedly that it doesn’t capture the actual contents of our emails, which in this case would be unreadable with PGP encryption. Instead, the government said it collects only the email’s metadata.

> What is email metadata? It is the information in the To and From fields as well as the IP addresses of the various servers that handle the email from origin to recipient. It also includes the subject line, which can sometimes be very revealing as to the encrypted contents of the message. Metadata, a legacy from the early days of the internet, is still included on every email sent and received, but modern email readers hide this information from display.

> That might sound okay, since the third parties are not actually reading the content, and you probably don’t care about the mechanics of how those emails traveled—the various server addresses and the time stamps—but you’d be surprised by how much can be learned from the email path and the frequency of emails alone.

> According to Snowden, our email, text, and phone metadata is being collected by the NSA and other agencies. But the government can’t collect metadata from everyone—or can it? Technically, no. However, there’s been a sharp rise in “legal” collection since 2001.

> To become truly invisible in the digital world you will need to do more than encrypt your messages. You will need to:

> Remove your true IP address: This is your point of connection to the Internet, your fingerprint. It can show where you are (down to your physical address) and what provider you use.

> Obscure your hardware and software: When you connect to a website online, a snapshot of the hardware and software you’re using may be collected by the site.

> Defend your anonymity: Attribution online is hard. Proving that you were at the keyboard when an event occurred is difficult. However, if you walk in front of a camera before going online at Starbucks, or if you just bought a latte at Starbucks with your credit card, these actions can be linked to your online presence a few moments later.

> To start, your IP address reveals where you are in the world, what provider you use, and the identity of the person paying for the internet service (which may or may not be you). All these pieces of information are included within the email metadata and can later be used to identify you uniquely. Any communication, whether it’s email or not, can be used to identify you based on the Internal Protocol (IP) address that’s assigned to the router you are using while you are at home, work, or a friend’s place.

> IP addresses in emails can of course be forged. Someone might use a proxy address—not his or her real IP address but someone else’s—that an email appears to originate from another location. A proxy is like a foreign-language translator—you speak to the translator, and the translator speaks to the foreign-language speaker—only the message remains exactly the same. The point here is that someone might use a proxy from China or even Germany to evade detection on an email that really comes from North Korea.

> Instead of hosting your own proxy, you can use a service known as an anonymous remailer, which will mask your email’s IP address for you. An anonymous remailer simply changes the email address of the sender before sending the message to its intended recipient. The recipient can respond via the remailer. That’s the simplest version.

4/5

> One way to mask your IP address is to use the onion router (Tor), which is what Snowden and Poitras did. Tor is designed to be used by people living in harsh regimes as a way to avoid censorship of popular media and services and to prevent anyone from tracking what search terms they use. Tor remains free and can be used by anyone, anywhere—even you.

> How does Tor work? It upends the usual model for accessing a website. When you use Tor, the direct line between you and your target website is obscured by additional nodes, and every ten seconds the chain of nodes connecting you to whatever site you are looking at changes without disruption to you. The various nodes that connect you to a site are like layers within an onion. In other words, if someone were to backtrack from the destination website and try to find you, they’d be unable to because the path would be constantly changing. Unless your entry point and your exit point become associated somehow, your connection is considered anonymous.

> To use Tor you will need the modified Firefox browser from the Tor site (torproject.org). Always look for legitimate Tor browsers for your operating system from the Tor project website. Do not use a third-party site. For Android operating systems, Orbot is a legitimate free Tor app from Google Play that both encrypts your traffic and obscures your IP address. On iOS devices (iPad, iPhone), install the Onion Browser, a legitimate app from the iTunes app store.

> In addition to allowing you to surf the searchable Internet, Tor gives you access to a world of sites that are not ordinarily searchable—what’s called the Dark Web. These are sites that don’t resolve to common names such as Google.com and instead end with the .onion extension. Some of these hidden sites offer, sell, or provide items and services that may be illegal. Some of them are legitimate sites maintained by people in oppressed parts of the world.

> It should be noted, however, that there are several weaknesses with Tor: You have no control over the exit nodes, which may be under the control of government or law enforcement; you can still be profiled and possibly identified; and Tor is very slow.

> That being said, if you still decide to use Tor you should not run it in the same physical device that you use for browsing. In other words, have a laptop for browsing the web and a separate device for Tor (for instance, a Raspberry Pi minicomputer running Tor software). The idea here is that if somebody is able to compromise your laptop they still won’t be able to peel off your Tor transport layer as it is running on a separate physical box.

> Create a new (invisible) account

> Legacy email accounts might be connected in various ways to other parts of your life—friends, hobbies, work. To communicate in secrecy, you will need to create new email accounts using Tor so that the IP address setting up the account is not associated with your real identity in any way.

> Creating anonymous email addresses is challenging but possible.

> Since you will leave a trail if you pay for private email services, you’re actually better off using a free web service. A minor hassle: Gmail, Microsoft, Yahoo, and others require you to supply a phone number to verify your identify. Obviously you can’t use your real cellphone number, since it may be connected to your real name and real address. You might be able to set up a Skype phone number if it supports voice authentication instead of SMS authentication; however, you will still need an existing email account and a prepaid gift card to set it up.

> Some people think of burner phones as devices used only by terrorists, pimps, and drug dealers, but there are plenty of perfectly legitimate uses for them. Burner phones mostly provide voice, text, and e‑mail service, and that’s about all some people need.

5/5

> However, purchasing a burner phone anonymously will be tricky. Sure, I could walk into Walmart and pay cash for a burner phone and one hundred minutes of airtime. Who would know? Well, lots of people would.

> First, how did I get to Walmart? Did I take an Uber car? Did I take a taxi? These records can all be subpoenaed. I could drive my own car, but law enforcement uses automatic license plate recognition technology (ALPR) in large public parking lots to look for missing and stolen vehicles as well as people on whom there are outstanding warrants. The ALPR records can be subpoenaed.

> Even if I walked to Walmart, once I entered the store my face would be visible on several security cameras within the store itself, and that video can be subpoenaed.

> Okay, so let’s say I send a stranger to the store—maybe a homeless person I hired on the spot. That person walks in and buys the phone and several data refill cards with cash. Maybe you arrange to meet this person later away from the store. This would help physically distance yourself from the actual transaction.

> Activation of the prepaid phone requires either calling the mobile operator’s customer service department or activating it on the provider’s website. To avoid being recorded for “quality assurance,” it’s safer to activate over the web. Using Tor over an open wireless network after you’ve changed your MAC address should be the minimum safeguards. You should make up all the subscriber information you enter on the website. For your address, just Google the address of a major hotel and use that. Make up a birth date and PIN that you’ll remember in case you need to contact customer service in the future.

> After using Tor to randomize your IP address, and after creating a Gmail account that has nothing to do with your real phone number, Google sends your phone a verification code or a voice call. Now you have a Gmail account that is virtually untraceable. We can produce reasonably secure emails whose IP address—thanks to Tor—is anonymous (although you don’t have control over the exit nodes) and whose contents, thanks to PGP, can’t be read except by the intended recipient.

> To keep this account anonymous you can only access the account from within Tor so that your IP address will never be associated with it. Further, you should never perform any internet searches while logged in to that anonymous Gmail account; you might inadvertently search for something that is related to your true identity. Even searching for weather information could reveal your location.

> As you can see, becoming invisible and keeping yourself invisible require tremendous discipline and perpetual diligence. But it is worth it. The most important takeaways are: First, be aware of all the ways that someone can identify you even if you undertake some but not all of the precautions I’ve described. And if you do undertake all these precautions, know that you need to perform due diligence every time you use your anonymous accounts. No exceptions.

> Excerpted from The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data, Copyright © 2017 by Kevin D. Mitnick with Robert Vamosi. Used with permission of Little, Brown and Company, New York. All rights reserved.

Source: https://www.wired.com/2017/02/famed-hacker-kevin-mitnick-shows-go-invisible-online/

Archive: https://archive.is/i177E

some of you may say, "well, anon, you know none of this is really enough, or some parts of it has flaws…"

well, its not perfect, but it will mitigate you losing your online anonymity.

Is the book itself worth reading? I skimmed the audiobook and it all seemed like common sense/things that everyone was expected to do online a decade or so ago.

>>22937

yet how many actually do it?

>>22754

The only problem I see with it is that he gives some convoluted process to get a burner phone anonymously so you can authenticate your (((Google))) mail account when ProtonMail exists.

I'm pretty sure Bob has been fucking Alice.

One option people generally forget in their attempts to hide is that you are also supposed to make yourself indistinguishable from any other user. They think to themselves that by refusing to participate that they have turned invisible when in reality they put the spotlight on themselves more than it already was on them.

An important thing to note is that you can always give them erroneous information. They will very easily notice someone refusing to give information but they won't be able to distinguish someone that willingly gives them false information. Because they have no means of verifying whether or not it is true, you should actively go out of your way to feed them false data. Anons posting should know how to do this already: shitposting is very good practice for this.

>if you are a 28 year-old office worker in France then pretend to be a retired US veteran

>if the sun is blinding you as you write your post, pretend that your connection is going down the shitter due to a massive thunderstorm

>if it's 2 AM where you live, pick a time-zone where it's 5 PM

Nobody gives a shit about this information in the slightest except the person spying on you, who will add every single bit of this information to his folder on you thinking that it's true. All you have to do is avoid having a consistent identity or posting style because they will be able to catch onto your deception by checking what information matches, in other words just don't give out the truth where it isn't necessary and just replace it with whatever bullshit you want.

>>23037

now run netstat again after you close your browser

close all your browsers

your email too

why yes, i will take the advice of a guy named (((Mitnick))).

hackers who get caught because they are ego consumed spergs are the worst kinds of hackers to emulate. you want a real hacker idol? be like Guccifer 2.0. nobody knows who he is, and the FBI wants to NOT catch him because arresting him would cause their own corruption to be exposed.

>>23037

>heavily pinged

lol

So long as you intended to connect to "mylocalserver" then that printout shows normal activity.

>>23887

non-humans did this thing

>Doesn't mention anything relevant, like uMatrix

Boomer noise, sage.

>>22937

mitnick is famous for social engineering rather than technical skill and the whole story of his supposed activities was likely a psyop created to justify stricter electronic crime laws in the 1990s the same way that 9/11 justified all sorts of new police state shit

>>23887

windows literally takes screenshots of the screen every second

it indexes the entire harddrive and sends entire md5 hashtable to the datacenter in huston

>>50080

Open the cmd in windows

type netstat -b

See how many datacenters are pinging you 24/7.

Enjoy portscans.

>>53071

As if OSX were any better.

fuckm