stoned_chief

stoned_chief wrote

VPNs can have their very specific uses but so many people just use them thinking they are protecting their security, privacy, and anonymity when in reality they're mostly useless.

2

stoned_chief wrote

Why do you think the US Military bankrolls this project?

Because they need to use Tor themselves. These technologies aren't made to just benefit the people, they also benefit the government agencies/organizations who fund them. Tor wouldn't work if it was only used by military/intelligence. They needed to open it up to the public.

Is Tor perfect? Fuck no.

Is Signal perfect? No, it actually kind of sucks.

Does that mean they are completely backdoored and purely made for surveillance? No... Well, at least Tor isn't. Signal can be sort of sketchy because of how centralized it is, but they also allow you to verify your contacts' keys, so worst-case scenario you just have to verify that they are providing the correct crypto keys.

We 100% need to rebuild technology from the ground up. Networks/the internet, hardware, firmware, software, it's all backdoored. But that doesn't mean we should completely disregard these band-aid solutions for the time being. Instead of attacking these projects, I think our time would be MUCH better spent on getting the word out about how everything is backdoored and why we need to rebuild everything from scratch, because until then, we will never defeat state/corporate surveillance, we can only fight a constant battle of trying to minimize it.

2

stoned_chief wrote (edited )

I was referring to E2EE, not TLS. Almost every modern website is encrypted with TLS. TLS isn't helpful if you need private communication because tons of third-parties can intercept your communications. As seen on their E2EE page, their end-to-end encryption is experimental and turned off by default. Jitsi is not a safe choice if privacy is extremely important to you. Instead people should use stable and audited alternatives such as Signal and Wire.

3

stoned_chief wrote (edited )

Wire, Jami, and Tox seem to be the only open source solutions offering E2E encryption for group calls. The encryption Tox uses is still experimental so I wouldn't trust it with my life, at least until it is professionally audited. I also found some people voicing concerns over Jami's encryption but a developer responded in the thread and I find their answer satisfying so I personally consider Jami to be safe. Wire has been professionally audited so they might be the most secure out of the three. The main downside is that they're centralized and they are now a US based company so hypothetically they can be compromised and provide false encryption keys to users so the NSA/CIA/whoever can spy on their communications. I'm not sure if Wire allows you to verify your keys like how Signal and Riot do, but if they do I'd definitely recommend you verify keys before using it for serious stuff.

Tl;dr use Wire or Jami, or if your threat model allows for some risk you can also use Tox.

2

stoned_chief wrote (edited )

Jitsi isn't encrypted and Riot uses Jitsi for calls. I wouldn't use Jitsi if you need the call to be private.

Either way both should work well as a discord alternative.

Jitsi is indeed better than discord in that it has benefits that come from the fact it's open source, but that doesn't mean it should be used if you require a truly private call. For everyday not-so-secret use it's fine, but if you're plotting a heist (in minecraft) you better use something with E2E encryption.

3

stoned_chief wrote (edited )

So if one were to build social media accounts solely through Tor and only accessed them through Tor then it would go towards concealing my personal identity from the one being created.

Well the thing is that it's not just a matter of what IP you're using. Mobile devices have tons of identifiers and you could easily be deanonymized with that information. Especially when using an app installed on your phone. It can pull tons of information and it can also reveal your IP if/when you're disconnected from Tor. So even when you use Tor on SnapChat or Facebook, you're still not anonymous. And even if you manage to patch up those problems, you can still accidentally reveal who you are by the way you use the applications (sometimes called e-biometrics) which is super difficult to mitigate. If you absolutely had to use SnapChat, Facebook, etc and be as anonymous as possible, I'd recommend you use Whonix + Anbox. Also beware of the "e-biometrics" I mentioned. Don't type directly in the applications, instead type in a text editor and copy/paste whatever you want. Clean any metadata on any files you upload, including your profile pictures. Don't talk the same way, don't act the same way, don't follow the same people, don't keep certain habits, etc etc etc. Literally every single way you could use the app can be tracked and will be used against you if you are a target.

As for Orbot as VPN, what I meant was: does it act more generally and not as a specific browser application like the Tor Browser? For instance: if I have Orbot enabled, and I access a social media app, would all of the app's data be transferred through the Tor network?

Yes, when using Orbot you should be connected to Tor system-wide, meaning all your traffic should be routed through Tor.

What would the danger be in downloading a file from Tor? I have read some stuff online and AFAIK, the real danger lies in the file "calling home."

There is nothing inherently dangerous about downloading stuff from Tor. So long as you are downloading from a trusted source (to avoid malware) and are using an encrypted connection (either using TLS or connecting to a Tor hidden service) you will be fine.

Would putting your device in airplane mode and then opening the file eliminate that danger, or is there something else that needs to be done?

Not really, if you download malware you’re going to get infected regardless. Just follow the advice I gave and you’ll be perfectly fine. If you have to download stuff from an untrusted source, don’t use your mobile device. Use a locked down virtual machine or better yet Qubes to download untrustworthy files.

I am specifically looking to d/l stuff from the anarchist library to print and hand out if that makes a difference.

The Anarchist Library is fine, you don’t really have to worry about anything. Just make sure you have an encrypted connection (HTTPS/TLS) and away you go.

Sorry and thanks again for helping this noob out!

Don’t apologize, I love answering questions about this type of stuff on my free time. :)

1
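The "clean any metadata on any files you upload, including your profile pictures" advice above, as an added example that is not code from the comment or from any of the projects it mentions: a pure-stdlib Python tool that walks the JPEG segment structure and drops the segments that carry metadata (APP1 Exif/XMP, the other APPn segments, and COM comments) while keeping the segments a decoder needs (JFIF APP0, quantisation and Huffman tables, frame header, scan). The sample JPEG bytes at the bottom are constructed here for the demonstration and are structurally valid but not a real photo.

```python
"""Strip metadata segments from a JPEG before uploading it.

Added example: walks the marker segments that precede the scan data, drops
the ones that carry metadata and copies everything the decoder needs.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Metadata carriers: APP1..APP15 (0xE1-0xEF) and COM (0xFE). APP0 (JFIF) and
# APP14 (Adobe colour transform) are kept because decoders rely on them.
DROP = (set(range(0xE1, 0xF0)) - {0xEE}) | {0xFE}
# Markers that have no length field: RST0..RST7 and TEM.
STANDALONE = set(range(0xD0, 0xD8)) | {0x01}


def iter_segments(data: bytes):
    """Yield (marker, raw_bytes) for each segment; the entropy-coded scan data
    after SOS is yielded with marker None, and anything after EOI is dropped."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, data[:2]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte 0xFF at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            yield EOI, b"\xff\xd9"
            return
        if marker in STANDALONE:
            yield marker, bytes([0xFF, marker])
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        length = struct.unpack(">H", data[pos:pos + 2])[0]   # includes the 2 length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, bytes([0xFF, marker]) + data[pos:pos + length]
        pos += length
        if marker == SOS:
            # Inside scan data every 0xFF is byte-stuffed, so the first FF D9
            # after SOS is the real EOI; trailing bytes after it are discarded.
            end = data.find(b"\xff\xd9", pos)
            if end == -1:
                raise ValueError("missing EOI after scan data")
            yield None, data[pos:end]
            yield EOI, b"\xff\xd9"
            return
    raise ValueError("missing EOI marker")


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with APPn (except JFIF/Adobe) and COM segments removed."""
    return b"".join(seg for marker, seg in iter_segments(data) if marker not in DROP)


def list_segments(data: bytes) -> list:
    """Markers present, in order (scan data excluded); handy for checking results."""
    return [marker for marker, _ in iter_segments(data) if marker is not None]


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid 1x1 greyscale JPEG with an Exif block
# holding a fake GPS string, a comment, and junk appended after EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00II*\x00" + b"\x00" * 8 + b"GPS 51.5N 0.1W")
    + _seg(0xFE, b"Shot on my phone, 2020-05-01")
    + _seg(0xDB, b"\x00" + bytes(range(1, 65)))            # quantisation table
    + _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")   # SOF0: 1x1, 1 component
    + _seg(0xC4, b"\x00\x01" + b"\x00" * 15 + b"\x00")      # minimal Huffman table
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")               # SOS: 1 component
    + b"\x00\x00\x00"                                       # scan data
    + b"\xff\xd9"
    + b"trailing junk appended by some editor"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print([hex(m) for m in list_segments(SAMPLE_JPEG)], "->", [hex(m) for m in list_segments(cleaned)])
```

This only handles JPEG, and only the segments placed before the scan; for a whole directory of mixed file types (PDF, DOCX, PNG) a dedicated tool such as mat2 or exiftool covers far more formats. Re-encoding the image (opening it and saving a fresh copy) is an alternative that also removes anything a parser like this might not recognise.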

stoned_chief wrote (edited )

I read that Orbot is used more as a VPN and will route all data through the Tor network not just internet traffic.

Not sure what you mean by "not just internet traffic" because something like SMS or calls aren't routed over Tor because they don't use the internet. Did you mean browser traffic? Also small correction but Tor does not work like a VPN, it just uses a VPN connection on Android to make the initial connection, but it's still the same old Tor.

If one were to have Orbot active and then you sign into Snapchat or FB, wouldn't that deanonymize (sp?) you?

You wouldn't be deanonymized because you're using Orbot, but you'd be deanonymized because you're using social media tied to your phone and identity.

With Orbot active does it matter which browser you use? Would there be any advantage to using Tor Browser in conjunction with Orbot, or would it just be redundant?

You would still be connected to Tor no matter what browser you use, but the Tor Browser is safer for many reasons. Mainly because you'll blend in with other Tor users which improves anonymity.

1

Reply to comment by stoned_chief in Is Riot safe(r)? by vandemic

stoned_chief wrote

You don't have to manually perform the encryption, you're only advised to verify each device which can only really properly be done in person or over another secure channel. You don't actually have to verify anything to use encryption, it's just a way to ensure that the Matrix server you're using isn't providing you a fake encryption key to spy on your communications.

3
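The point of device verification in the comment above, that it lets you catch a homeserver handing you a substituted key, as an added example that is not code from the commenter, from Riot/Matrix or from Signal: a small Python simulation of trust-on-first-use plus out-of-band fingerprint comparison. The `KeyServer` and `Client` classes, the fingerprint format (first 20 bytes of SHA-256, grouped in fours) and the random 32-byte stand-ins for public identity keys are all hypothetical constructions for the demonstration; the real apps derive their safety numbers and device fingerprints differently.

```python
"""Detecting a key-substituting server with TOFU plus out-of-band verification.

Added example. The server is the only channel through which Alice learns
Bob's key, so an honest-looking server can hand her an attacker's key instead.
Pinning the first fingerprint seen and confirming it over another channel is
what exposes that.
"""
import hashlib
import hmac
import os


def fingerprint(identity_key: bytes) -> str:
    """Hypothetical human-comparable digest: 40 hex chars of SHA-256 in groups of 4."""
    digest = hashlib.sha256(identity_key).hexdigest()[:40]
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


class KeyServer:
    """Directory the clients query for each other's public keys. With `mitm_key`
    set it models a server that substitutes that key whenever Bob's is requested."""

    def __init__(self, mitm_key: bytes = None):
        self.keys = {}
        self.mitm_key = mitm_key

    def publish(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def lookup(self, user: str) -> bytes:
        if self.mitm_key is not None and user == "bob":
            return self.mitm_key
        return self.keys[user]


class Client:
    def __init__(self, name: str, server: KeyServer):
        self.name = name
        self.server = server
        self.identity_key = os.urandom(32)   # constructed stand-in for a real public key
        self.pinned = {}                     # TOFU cache: contact -> fingerprint first seen
        self.verified = set()                # contacts confirmed out of band
        server.publish(name, self.identity_key)

    def fetch_contact_key(self, contact: str) -> str:
        """Fetch and pin a contact's key; returns 'new', 'unchanged' or 'CHANGED'."""
        fp = fingerprint(self.server.lookup(contact))
        if contact not in self.pinned:
            self.pinned[contact] = fp
            return "new"
        if hmac.compare_digest(self.pinned[contact], fp):
            return "unchanged"
        # A changed key is what a substitution (or a reinstall) looks like:
        # previous verification no longer means anything.
        self.pinned[contact] = fp
        self.verified.discard(contact)
        return "CHANGED"

    def verify_out_of_band(self, contact: str, fp_read_in_person: str) -> bool:
        """Compare the pinned fingerprint with one obtained over another channel."""
        ok = hmac.compare_digest(self.pinned[contact], fp_read_in_person)
        if ok:
            self.verified.add(contact)
        return ok


def verification_passes(attacker_present: bool) -> bool:
    """Alice fetches Bob's key from the server, then checks it against the
    fingerprint Bob reads out in person. False means the server lied."""
    server = KeyServer(mitm_key=os.urandom(32) if attacker_present else None)
    alice, bob = Client("alice", server), Client("bob", server)
    alice.fetch_contact_key("bob")
    return alice.verify_out_of_band("bob", fingerprint(bob.identity_key))


def key_change_detected() -> str:
    """Honest server at first, substitution later: the pinned fingerprint no
    longer matches and the client reports CHANGED."""
    server = KeyServer()
    alice, bob = Client("alice", server), Client("bob", server)
    alice.fetch_contact_key("bob")
    alice.verify_out_of_band("bob", fingerprint(bob.identity_key))
    server.mitm_key = os.urandom(32)
    return alice.fetch_contact_key("bob")


if __name__ == "__main__":
    print("honest server:", verification_passes(False))
    print("substituting server:", verification_passes(True))
    print("later substitution:", key_change_detected())
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity here, since fingerprints are public. What matters is that the out-of-band value never passes through the server: reading it in person, over a phone call you can recognise, or through an already-verified channel is what denies the server the ability to forge both sides of the check.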

stoned_chief wrote (edited )

Yes, Riot is pretty safe so long as you make sure you're using encryption. I'd recommend you avoid the main Matrix homeserver because they have notoriously bad security and privacy, plus they're based in the UK.

EDIT: I forgot to mention that calls are not encrypted on Riot... Or at least the group calls aren't, I'm not sure about 1-to-1 calls. If you need encrypted calls use Signal, Wire, or maybe Tox if you're okay with trusting experimental encryption.

1

stoned_chief wrote

RiseUp is relatively safe. They're an excellent organization BUT they're based in the US so you might be fucked either way. If you need something to secure your connection on public WiFi or bypass censorship it's a fine option. Just don't use it for anything serious, or really any VPN for that matter. Also please don't use it if you don't need to. RiseUp runs entirely off volunteer work and donations so using up their resources to pirate a movie or something is kind of a dick move. Hope this helped!

2

stoned_chief wrote (edited )

Correct me if I'm wrong but you only need ID when actually setting up a plan. If you buy a pre-paid SIM you should be able to do so in cash with no ID. They might ask for a name and email, just give them some bullshit name/email of course.

EDIT: /u/celebratedrecluse also made a good suggestion in case I'm wrong about the pre-paid stuff... good luck!

2

Reply to comment by stoned_chief in How can I become more Secure? by zddy

stoned_chief wrote (edited )

Super sorry for answering you literally a month later, I haven't been on in a while.

Would a purism phone be any better than the pixel+graphene combo?

Possibly. While the phone itself sucks, if we are talking strictly security, it does better in some areas. It does have the hardware killswitches and it is completely free and open source so some might prefer it because of that. BUT on the other hand, GrapheneOS is developed by a security researcher and it's based on AOSP which has a ton of people behind it. Because of this, I'd argue that Graphene is probably a better choice if we are talking strictly security... not to mention it's much more usable. So while PureOS might be better for the freedom loving GNU bros (and all the power to them) GrapheneOS is probably better security wise, assuming the project stays alive that is. (btw if anyone reading this has spare change, please donate to them!)

Would there be a benefit to just ditching phone service providers altogether and use a cellphone on wifi only? I'm trying to imagine a more cost effective option in that scenario.

Yes, absolutely! Just keep in mind that your phone can still connect to cell towers so still follow the safety measures I mentioned before. Also you'll want to keep in mind that the WiFi networks you use could be used to discover you. For example if you use your own WiFi network, they can immediately trace the phone back to you, so you'll want to use Tor for some extra protection. Similarly even with public WiFi, they can still find locations you've been to and perhaps even look at CCTV footage to figure out who you are.

If you're using a smartphone on WiFi-only it sounds like you won't have a phone number attached to it, so perhaps you'll be using a SIP/VOIP alternative. Just be careful with it and use Tor when doing so. ALWAYS pay anonymously with cash/crypto/etc.

1

stoned_chief wrote (edited )

This just looks like a glorified router, I wouldn't go for it. I'd recommend you set up your own OnionPi, it's cheaper and more trustworthy since it's open source (I think) and you'd be setting it up yourself. Or just set Tor up on an OpenWRT router as /u/avbeav suggested. I'd imagine you could also do it on a libreCMC router.

2

stoned_chief wrote (edited )

(This answer went on much longer than I expected so I'll include a Tl;dr at the end)

Like my phone is my phone so it doesn't matter what apps I use on it, that activity can still be traced to me, if that makes sense?

You are absolutely right in realizing that your phone isn't that private, therefore any app you use on it wouldn't really matter. What can you do about it? Well first I have to emphasize that all cellphones are privacy nightmares and ultimately if you need privacy, you shouldn't use one. But I know that it's pretty difficult to give up such an important device such as a smartphone, so I recommend people use GrapheneOS which runs on the Pixel 2, 2 XL, 3, 3 XL, 3a, and 3a XL. If you’re going to buy a Pixel for it, get a Pixel 3a or 3a XL. This is because GrapheneOS can only support a phone so long as it’s getting security updates, and the Pixel 3a is going to be guaranteed support for the longest time. They don’t have the resources to add support for the Pixel 4 but as the project grows and with the Pixel 2/2 XL being dropped, they’ll probably support the 4 or 4a in the future, so keep that in mind. Other than GrapheneOS, there aren’t really any great options for a daily driver. You’ll get some other recommendations which mostly suck either because they’re still terrible for privacy OR they just aren’t ideal alternatives for use as daily drivers. IF for whatever reason GrapheneOS doesn’t work out for you, the best of the worst would probably be iOS. No it’s not a private device, no it’s not perfect for security. But it is probably better than any Android device simply because it doesn’t have nearly as much telemetry/tracking as Google’s Android does.

Other than what phone and operating system you use, better digital hygiene and opsec is definitely helpful. Someone using a smartphone with good opsec isn’t going to be nearly as vulnerable as someone with poor opsec. Don’t install apps you don’t use and use privacy-friendly alternatives for any apps/services you use. You might also want to consider getting a faraday bag to carry with you so you can cut your phone’s connection for good, just keep in mind that sensors in your phone can still be active offline only to transmit collected data after it reconnects, so it isn’t 100% bulletproof.

Are there any tips or things I could be doing to make these options safer?

You can separate Signal from other IMs you don’t have to use on your phone such as Riot so that your phone doesn’t act as a backdoor to all of your communications. Other than that, just be sure to add a pin to your Signal account and verify your friends' keys which you can do within the Signal app itself.

I've heard of Tails, and that sounds more like what I'm looking for in an... OS I guess?

Tails is a great operating system but it might not be ideal for you as a daily driver because it still has limitations. I still encourage you use Tails, but you’ll definitely need to pick a host OS to use for when Tails is too limited for what you want to do.

For your host OS I’d stick with Linux. For noobs I tend to recommend Linux Mint Cinnamon or MATE. But some other decent options would be Manjaro, Ubuntu MATE, ZorinOS, or ElementaryOS. If you don’t mind using something with a bigger learning curve Qubes is the way to go, especially Qubes-Whonix if you’re using Tor.

And with hardware, what are some dos and donts?

All modern hardware is backdoored. It’s best to get a laptop with Intel ME disabled (from Purism or System76) or get a super old refurbished laptop from before Intel ME existed such as a Thinkpad X200 which can be bought from Minifree, Vikings, and a few others. These companies also provide open source BIOS replacements which is good too. If you can’t afford a Purism/System76 laptop and don’t want a super old Thinkpad, you’re pretty much out of options. You’d just have to accept that you’ll have a laptop with hardware backdoors and there isn’t anything you can do... UNLESS you want to actually neuter the Intel ME and flash Coreboot yourself, which is time consuming, risky, and a pain in the ass, BUT not terribly expensive.

If you can’t go with any of the options I recommended, there isn’t anything you can do for your privacy and security. BUT I always recommend people buy used devices so that we aren’t funding companies like Intel and AMD while they’re putting backdoors in our computers. So... maybe starve them of a few bucks while being a little more eco-friendly.

Tl;dr

  • Get a Pixel 3a/3a XL and use GrapheneOS... if not iOS is the "best" of the worst options.
  • If you don't want your phone to act as a backdoor to all of your conversations you can use something like Riot strictly on your laptop. Also use a Signal pin and verify your friends' keys within Signal and Riot.
  • Tails is great but you probably wouldn't want to use it for everything. For your host OS you can use something noob friendly like Linux Mint. If security is super important, use Qubes.
  • All modern hardware is backdoored. Buy a laptop with IME disabled or neutered from Purism or System76, or buy a super old laptop from before IME was implemented such as a Thinkpad X200. Best to also get it with a free or open source BIOS, Minifree is a popular choice but there are others too.
  • If you can't go with any of the laptop recommendations I made the least you could do is buy a used laptop so you're not funding these assholes.

4

stoned_chief wrote (edited )

If it's even just a little cold outside you might get away with wearing a hoodie with a neck warmer around your lower face. Also wear a winter hat or beanie, sunglasses, and maybe gloves. If you'll be buying during the pandemic you can get away with a medical mask and latex gloves. Of course, buy in cash and don't look sus. When buying a plan for the phone be sure it's entirely pre-paid in cash, ideally from a different location. Depending on your threat model, you might want to age the phone for a few months or even a year, but I doubt you're doing anything super serious. Even if you're a small time dealer, you probably wouldn't have to age for that long.

MAKE SURE THE BATTERY IS NOT IN THE PHONE UNLESS YOU'RE USING IT. When using the phone make sure you're not in a location which can lead back to you as it can be triangulated. You should probably avoid calling, especially if you're not using something with E2EE like Signal since intelligence agencies would be able to match your voice to who you are. If you're going to call, maybe change your tone and accent, maybe that'll throw em off. When you're done using the phone, shut it off and take out the battery, then it's safe to go home or wherever you gotta go. Cover any cameras the phone has while the battery is out and consider disabling/removing other sensors like GPS or the microphone if you know how to do so safely. You should also know that all of your calls/texts are being logged and monitored. Either speak in code/slang or don't use a phone as a means of communication, it just isn't secure.

Some of the advice I gave is a little extreme, only you can decide how far you want to go. At the very least just pay in cash, cover up your appearance, take out the battery when not in use, and speak in code. Ultimately if your threat model is great enough, you might not want to use a phone at all. They're horrible for anonymity and you have to jump through a ton of hoops just to make the attempt to cover your a$$.

2

Reply to comment by stoned_chief in Getting a phone. by Frostysnowjob

stoned_chief wrote

It depends how bad they want to find them, but it's absolutely in the realm of realistic possibilities. If you're dealing or even worse, organizing an armed leftist group, you should take this into consideration.

1

stoned_chief wrote

When using Tor you have to use bridges to bypass the firewall, if obfs4 doesn't work use meek-azure. For viewing individual sites and articles you might have luck with Startpage anonymous view, Archive.is, Archive.org, and via.hypothes.is. You can also try Shadowsocks or SSH obfuscation if they're able to block VPNs.

1

stoned_chief wrote

On Android I suggest Blokada. On iOS I'd use an ad-blocking DNS through DNSCloak. You can also use AdGuard but for free it only blocks ads on Safari, you'd have to pay for system-wide blocking which is basically what DNSCloak can do for free.

1