6
0

Basic Privacy Tips


 invite response                
2022 Jun 4, 10:56am   2,164 views  31 comments

by AmericanKulak   ➕follow (9)   💰tip   ignore  

TAKEN FROM: https://communities.win/c/Privacy/p/12kFL2ddVG/useful-links-please-contribute-y/c

TLDR: Nothing is safe, for complete privacy, move inna woods and live like a caveman

TLDR2: If you're not a glowie, currently the most private setup is to have a 2nd hand laptop, running non-persistent Tails on starbucks wifi. Never use your home internet, real name, don't reuse usernames or passwords. Memorise as much as possible, don't write shit down anywhere.

Ok, so for most of us that isn't possible. However I do see a lot of posts on this forum that are, unfortunately, wrong, or at least unintentionally misleading, so I want to try clear things up a bit.

Specifically, questions like "best VPN", "best cloud storage" etc. seem to come from people who are quite new to online privacy, and tend to come from the wrong mindset. Namely, that any data you store on networked hardware, or anything 'cloud', then you must assume that it has been harvested by LE and will be available for them to review at any point in the future. The old adage of "there is no cloud, it's just someone elses computer" applies here.

Are you a fat pedo with 100TB of CP? Are you a darknet heroin seller? Are you a journalist in China? Are you a (god forbid) free-thinking citizen who does not 100% agree with the current narratives?

This matters, and does dictate the level of opsec you need to implement.

IF YOU ONLY CLICK ONE LINK, MAKE IT THIS ONE This is quite a comprehensive guide, which covers most privacy basics -

https://anonymousplanet.org/guide.html

KICK JACK & ZUCK OUT OF YOUR LIFE FOR GOOD List of alternatives to big tech platform, fediverse etc

https://wiki.techxodus.org/en/home

and

https://gitlab.com/FSMdotCOM/foss-front-ends-and-alternatives

If you have more time, understand that cybersec is always evolving faster than any individual can keep up with. Get to know the history of the field, the motivations of LE which make our lives oh so wonderful, and learn how to mitigate against them.

These are good places to start:

https://en.wikipedia.org/wiki/Global_surveillance

https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects

https://en.wikipedia.org/wiki/ECHELON

I'M NOT A CRIMINAL THOUGH neither were Charlie Chaplin, Princess Di or John Lennon... but they're on this list:

https://en.wikipedia.org/wiki/List_of_people_under_Five_Eyes_surveillance

INCENSER, aka intercepting traffic from the backbone of the internet

https://www.electrospaces.net/2014/11/incenser-or-how-nsa-and-gchq-are.html

DARKWEB Safer - never use JS, never maximize the Tor window, assume that one day you'll be caught anyway. Not going to hold your hand here but d/Opsec is a good place to start.

(Edit: There was another subdread (d/DNMbusts) that had lots of useful info but it appears to have been deleted. However, the general idea of looking how people have been caught and mitigating against those methods is a useful one, and lots of useful info can be found on this on the clearnet.)

Start here, you're on your own from there on -

dark.fail

or its DN address:

darkfailenbsdla5mal2mxn2uz66od5vtzd5qozslagrfzachha3f3id.onion

Even then, you're not safe, know that a lot of universities, LE and other people that don't know how to have fun spend a lot of time trying to 'disrupt' the dark web.

Pastebin link discussing how people are deanon'd on the DN:

https://zerobin.net/?e7bb1676c24b4bda=#kZhNYD3L8zfBYE/5nNfv86eZLPw+crCtb3TkP0T7v4w=

and how this was done:

https://zerobin.net/?5381524b75d99885=#krVptUhQzB1fkFaGW6HhfEvAAGtUh6QGtHr7jTxggpY=

Using AI to track people in TOR:

https://news.mit.edu/2019/lincoln-laboratory-artificial-intelligence-helping-investigators-fight-dark-web-crime-0513

Shit can, and will, come around to bite you in the ass. Here's a guy that got sentenced in 2021 for doing something in 2011:

https://cointelegraph.com/news/alleged-366m-bitcoin-mixer-busted-after-analysis-of-10-years-of-blockchain-data

Understand the importance of FUD and the emotional techniques behind it - you can only defend yourself against it if you know what it is and how it works.

FREE SOFTWARE Only use open source software you can audit yourself. If you absolutely need to open a binary, scan it with something like Malwarebytes, open it in a VM, run it through Ghidra, thanks to the boys at the NSA

https://github.com/NationalSecurityAgency/ghidra

That's all I have for now. Please let me know if I got anything wrong, feel free to share this. (If you really want to know, I think Mullvad is the best VPN). Also happy to answer any questions, but just know that I'm no cybersec professional, just a retard with a keyboard

And remember - you just run them over

https://invidious.namazso.eu/watch?v=AbG6u86t4bA

Edit: Thanks for providing more useful links in the comments.

I'll keep adding useful links as I find them too, they are:

List of companies that aren't pozzed by communists: https://www.cancelthiscompany.com/News-Alt-Tech-Outlets.html

Another useful site with lots of general info: https://www.privacytools.io/

Comments 1 - 31 of 31        Search these comments

2   Eric Holder   2022 Sep 23, 11:36am  

Patrick says








Could be seen from a 1000 miles away. And was.
4   NuttBoxer   2022 Oct 8, 6:47pm  

AmericanKulak says

Memorise as much as possible


That's not a realistic solution for most people. Better is point them towards a password tool like bitwarden or keepass.

AmericanKulak says

Specifically, questions like "best VPN", "best cloud storage" etc. seem to come from people who are quite new to online privacy, and tend to come from the wrong mindset. Namely, that any data you store on networked hardware, or anything 'cloud', then you must assume that it has been harvested by LE and will be available for them to review at any point in the future.


If you don't understand the purpose of VPN, and don't choose a good provider, yes, common blunder. But that's really true of any privacy solution. As to the rest, it almost sounds like you're saying forget the NSA, the Snowden leaks, and all the court evidence proving everything is collected. When most people don't understand how to lock their digital door, I don't think telling them to keep leaving it wide open is good advise.

AmericanKulak says

never maximize the Tor window


Over a year ago, they added a bar to the screen so it no longer fits a standard height, this is not necessary.

AmericanKulak says

Not going to hold your hand here but d/Opsec is a good place to start.


Watch the Defcon talks, there's a really good one that discusses either Ross or Jeremy. Also the Ross documentary.

AmericanKulak says

Using AI to track people in TOR:


Assuming you trust Tor to start with(heavily funded by Defense sector), you can't track someone without a correlation attack, or control of a high percentage of the network. Never trust any one tool, this is a good reason to consider VPN layer.

AmericanKulak says

If you really want to know, I think Mullvad is the best VPN


I'd agree except I was unable to identify an anonymous method to pay them(didn't want to wait for my cash to be delivered). I was able to pay Nord, and they seem to be a definite improvement over PIA and Express as I now have less access to sites. The more they block, the more they validate your privacy is remaining intact.

Not sure if this one is up already, I only have the tor link:
http://www.privacy2zbidut4m4jyj3ksdqidzkw3uoip2vhvhbvwxbqux5xy5obyd.onion/providers/dns/
5   NuttBoxer   2022 Oct 8, 6:51pm  

A big one that was missed on here. Never, EVER associate your home address with your real identity. EVER!

Also, privacy does not start and end on a computer. In fact, it mostly just ends. Learn how to keep your privacy in the physical world.
6   richwicks   2022 Oct 8, 7:11pm  

Any Windows coders here?

I'm a linux coder, I can make an encryption tool which is basically unbreakable under Linux. Anybody wanting to port it to Windows, I'll make it available.

It uses the NaCL library (also know as SALT of course), AES256, SHA256SUMs, and the only way to crack it (that I can think of) is by guessing the initial password.

The design is to pull data from /dev/random (supposedly totally random) for 8192 bytes. I think do an SHA256SUM on the block, and use that result to swap bits in this block, and I do this repeatedly until the entire block has had every bit swapped. This is computationally expensive, which is the point. This block contains a list of keys for AES256. I then use the user entered password to do an AES256 on this block 1024 times, and the result are heavily encrypted keys for every 1KB block, taking 256bytes at a time to be used as the key.

When I encrypt 32blocks of data (32KB) I repeat the process.

This, I think, guarantees that the password MUST be guessed, and it's computationally expensive to try to guess the password because so many additional steps are made.

The resultant file is larger than the original, but it should be practically uncrackable and guessing the key to one 1KB block, won't help at all with guessing the key to any of the others.
7   Patrick   2022 Oct 22, 1:08pm  

https://reclaimthenet.org/invasive-tech-analyzes-your-voice-for-signs-of-mental-illness/

As in Soviet Russia, where opposing Communism was classified as a "mental illness". Here, it will be opposing injection mandates, among other quite sane activities.
9   HeadSet   2022 Oct 27, 12:18pm  

Looks like I need to borrow a worn pair of jeans before robbing a bank.

Imagine the FBI busting down your door and shooting bullets up your ass because you donated an old pair of Levi's to Goodwill and a crook got them.
10   Hircus   2022 Oct 27, 1:31pm  

richwicks says


I'm a linux coder, I can make an encryption tool which is basically unbreakable under Linux. Anybody wanting to port it to Windows, I'll make it available.

It uses the NaCL library (also know as SALT of course), AES256, SHA256SUMs, and the only way to crack it (that I can think of) is by guessing the initial password.


@richwicks why would someone want to use it over some of the existing tools, like GPG / PGP / openssl etc...

I know they have both javascript and java ports for NaCL, which would make it easy to run on any popular platform. Adding those runtimes into the mix adds some tiny attack vectors via increased surface area, but that may not matter for most uses.

I have thought of rolling my own encrypt / decrypt routines using established libraries. My reasoning is that by making some changes, I can probably escape most low-effort attempts to defeat encryption. They may have ways to defeat certain encryption schemes now, or will discover them in the near future, and by me not using the same flavor as everyone else, I may gain some degree of immunity to some automated tooling someone might use.
12   richwicks   2022 Nov 17, 9:38pm  

Hircus says


richwicks says


I'm a linux coder, I can make an encryption tool which is basically unbreakable under Linux. Anybody wanting to port it to Windows, I'll make it available.

It uses the NaCL library (also know as SALT of course), AES256, SHA256SUMs, and the only way to crack it (that I can think of) is by guessing the initial password.


richwicks why would someone want to use it over some of the existing tools, like GPG / PGP / openssl etc...

I know they have both javascript and java ports for NaCL, which would make it easy to run on any popular platform. Adding those runtimes into the mix adds some tiny attack vectors via increased surface area, but that may not matter for most uses.

I have thought of rolling my own encrypt / decrypt routines using established libraries. My reasoning is that by making some changes, I can probably escape most low-effort attempts to defeat encryption. They may have ways to defeat certain encryption schemes now, or will discover them in the near future, and by me not using the same flavor as everyone else, I may gain some degree of immunity to some automated tooling someone might use.



I don't believe that there are any attempts to stop low effort decryption. It's all about efficiency in encryption, which is stupid.

Consider this - enter a key "this is a k3y that ! hope you can't break" - do an SHA256SUM on that, and then repeat the SHA256SUM on the result, and repeat this process 1,000 times. Make the result your AES256 key. This is computationally expensive. You can be more complex. The SHA256SUM of "this is a k3y that ! hope you can't break" is:

42bd22ce6ecda78c3dcb10f506e2e198dbbf4ff7e6931a0115c964ad257db873

Take the first 2 digits to be 0x42 PLUS 1000 iterations, so each time the number of iterations changes.

The idea is you NEED THE ORIGINAL KEY to break it.

I'm fully convinced that all off the shelf encryption is now compromised, at least for symmetrical. There was a known bug in the random number generator of (I believe) BSAFE which was repeatedly identified, and ignored, and was later discovered to be a backdoor.

And in fact, yes:

https://en.wikipedia.org/wiki/BSAFE

First paragraph.

The Soviets had something similar to DES, but they had more more rungs, and the S-Boxes changed based on the key. Understanding the math is a good thing, but difficult, but making it so that the math CHANGES constantly, that's an exponentially more difficult problem. The trick I think today is making it very difficult for hardware solutions to solve the problem. If you have an algorithm that wastes a couple thousand cycles to decrypt, that's not a big deal for a known key, but for guessing a key, it makes the problem exponentially more difficult.

We hear about side attacks where the sound of a chip, or the EM frequencies can help decrypt the key, that's bullshit. You'd need a device next to the encryption device to do this, and if you have access to the machine, you basically can bypass all the encryption. The intelligence agencies are constantly trying to make us think they are geniuses, when in reality, they engage in subterfuge. The easiest way to get a key, is to put a camera on your keyboard, and watch you type it.

BTW: ever notice that when you read a book on security, you are CONSTANTLY warned not to implement it yourself? Why not? It's pretty easy to check it is accurate, if you encrypt with your implementation and can decrypt with an off-the-shelf solution, you don't have a bug. How could you? Why are they CONSTANTLY telling you not to roll your own? Well, any side attacks known won't work on your roll your own version, and you might be using a truly good random number generator. Can't have that!!!

Let's remember that Kevin Mitnick stole a bunch of information (presumably) and used his own encryption to secure what he had. He refused to give up the key, and the intelligence agencies couldn't break it - didn't save him from prison though. I'm pretty convinced that most off the shelf crap is compromised. Security is very hard, however, I believe the algorithms are strong, the implementations are weak.
14   Patrick   2023 Jan 17, 8:19pm  

https://reinettesenumsfoghornexpress.substack.com/p/how-county-health-and-human-services


Reinette Senum interviews a NorCal county worker whistleblower and exposes how Covid-blood-money is funneled from the Federal HHS to individual states’ Department of Health Care Services (DHCS), ultimately to be distributed to all the counties to create this electronic statewide healthcare record system. This will allow all government and its agencies, schools, clinics, higher education, law enforcement -and more- access to your medical records, including mental health, 24/7 and without your consent or knowledge.

To some, this may seem innocuous. But in the era of “abuse of power,” lack of government transparency, and the dystopian specter of China’s Social Credit system, one quickly realizes this is a slippery slope.

By design, Covid is the driving mechanism and justification for installing this personally invasive digital medical system.


The federal government should NEVER have access to medical records. Not even for prisoners or the military, imho.
16   NuttBoxer   2023 Aug 9, 12:10pm  

I was once again able to setup a move without giving our real info to anyone outside the property manager. Trash, water, electric and internet all think I'm someone else. It has gotten a bit harder and electric company requested I send them a copy of a photo ID, but the rest asked for little or no documentation.

You will always have as much privacy and freedom as you're willing to fight for.
19   WookieMan   2023 Oct 13, 2:27pm  

NuttBoxer says

You will always have as much privacy and freedom as you're willing to fight for.

How do you get your bills? Online? Do you get mail? It doesn't matter what you give the utilities. They know who you are. If you have a drivers license they all know who you are and you're easily findable. Finding any American is trivial. It's not hard. First and Last name and I can find where anyone is living currently within the last 30-60 days. It's easy.

I get there are sites that make you feel good that you can hide your identity. They're lying to you. They want clicks and ad revenue. They're worse than what you're hiding from. I've yet to be unable to find a primary residence of a human that I have a name for. That's it. No location. No family members. It's not difficult. Us cash and do all that other shit. I can find anyone with a name and address even if fake. It's not difficult.
20   just_passing_through   2023 Oct 13, 2:40pm  

Okay, I'll bite: Jennifer Warren. Last seen Slidell LA 1990. ~50 years old now. (extra info so I'm sure you can do it)
21   Patrick   2024 Feb 6, 2:08pm  

https://slaynews.com/news/tax-preparation-firms-facebook-extraordinarily-sensitive-personal-data-report/


The tax-prep companies—TaxAct, H&R Block, and TaxSlayer—are said to have “shared millions of taxpayers’ data with Meta, Google, and other Big Tech firms” using computer code known as pixels, according to the report by congressional Democrats.

Pixels are used across the Internet as pieces of code on websites that are used to gather information about visitors.

Companies, such as advertisers, use that information to understand the website users’ interests and behaviors.

“Tax-prep companies shared extraordinarily sensitive personal and financial information with Meta,” the report said.

Collected data include names, tax information, and details of dependents among others. ...

The data of users were collected via Meta Pixel and Google Analytics.

TaxAct’s Meta Pixel deployment collected the following information on taxpayers:

full names
email address
country
state
city
zip codes
phone numbers
gender
date of birth
filing status
approximate adjusted gross income
approximate refund amount
names of dependents
buttons clicked online
web browser used

In addition, TaxAct used another Meta tool to collect indicators of whether a taxpayer was the head of the household, had certain assets, investment income, mortgage interests, standard deductions, charitable contributions, Schedule Cs, and student loan interest. ...

TaxAct collected “substantially similar” data using Google Analytics.

“H&R Block and TaxSlayer also revealed an extensive list of data shared via the Meta Pixel, including transmitting information on whether taxpayers had visited pages for many revealing tax situations, such as having dependents, certain types of income (such as rental income or capital gains), and certain tax credits or deductions,” the report said.

Taxpayer privacy laws contain penalties for violating the rights of those who pay taxes, including large fines and potential jail time.

Tax preparers are required to obtain written consent from the taxpayer before disclosing their tax return information to a third party.

The report notes that, by handing over such data to Meta and Google, the three tax-prep firms violated the law.

Violation of the law comes with criminal penalties of up to $1,000 per instance as well as jail time of up to a year.

Since the companies shared the data of millions of taxpayers, they could be on the hook for billions of dollars in potential criminal liability
22   WookieMan   2024 Feb 6, 2:49pm  

Patrick says

The tax-prep companies—TaxAct, H&R Block, and TaxSlayer—are said to have “shared millions of taxpayers’ data with Meta, Google, and other Big Tech firms” using computer code known as pixels, according to the report by congressional Democrats.

The IRS shares all your information. lol. Did you guys not know this? You won't get SS#'s but you can get name and income information. How do you think you get marketing mailers from national brands that you never used? They know what you're worth and if it's worth the time marketing to you for the sale. It's not always EDDM.

We'd buy data for renters in an attempt to get buyers that looked like they had good income. In hopes we could double side a listing we had nearby that they could afford.

I don't and will never dox anyone. I know where multiple active users live on this site. I like not being behind bars, so no worries. I'm not hunting down names to try and prove a point. My real estate days are done and so is my access to paid services to find people. It's easier than you'd think...
23   RC2006   2024 Feb 6, 3:23pm  

What do most of you use for taxes?
24   WookieMan   2024 Feb 6, 3:33pm  

RC2006 says

What do most of you use for taxes?

I use TurboTax and give no shits. If there's data on a server someone is getting it. Even if you file via mail. Scanning tech is crazy perfect so that's not even fool proof.

I'm not saying give up, but if you were born here you have no privacy. Doesn't matter what you do. Unless you were born to hunter foragers that somehow owned land without giving up any information, you're a known commodity.
25   stereotomy   2024 Feb 6, 4:11pm  

I moved from TX to NY (I know, WTF????!!!) and had to set up gas service. They wanted my SSN, I said I didn't have to give it to them, and that furthermore it is (or was?) a Federal crime for a business to require a SSN as a condition of service (there are of course exceptions like banks, financial companies). They made me go down to the central office to apply in person. Since I worked nearby, that was no problem. They demanded the SSN again, and the same exchange occurred. I finally warned them "I hope you haven't been illegally coercing all your customers to provide SSN's, because you are exposing yourself to massive class-action liability."

Needless to say, they main office was almost to a woman a diversity hire. They hemmed and hawed for almost 30 minutes, before relenting and setting me up for gas service. They finally said, "We need the SSN to track you down in case you don't pay." I said "No, you want my SSN to make it easier for yourselves - you'll just have to do it the old fashioned way with me." What a bunch of incompetents.

In contrast, the electric utility just said, "Fine, no SSN, we need a $100 deposit (refundable once I terminate service in good standing)." That's what those idiots at the gas company couldn't even remember.
26   NuttBoxer   2024 Feb 6, 6:27pm  

WookieMan says


How do you get your bills? Online? Do you get mail?


Online, and mail, to my real address of course. But not in my real name.

We've played this game before, and you keep losing. Feel free to identify me and send the details to Patrick. I'll confirm. Not the first time I've said this, not the first time you've said that. And the score hasn't changed, you still don't know shit about me.

And I do get mail in my real name, but never, EVER to my real address.
27   NuttBoxer   2024 Feb 6, 6:33pm  

WookieMan says

How do you think you get marketing mailers from national brands that you never used?


Since I started protecting my privacy, never get these, and my income isn't low.
28   NuttBoxer   2024 Feb 6, 6:40pm  

stereotomy says

In contrast, the electric utility just said, "Fine, no SSN, we need a $100 deposit (refundable once I terminate service in good standing)." That's what those idiots at the gas company couldn't even remember.


Most utilities do ask for one, but not all. If you don't want to give yours, just make sure the one you use doesn't tie back to a real person. JJ Luna lists one in his book you can safely use, only $6 for hardcover. They use it to run credit, and if you don't check out, you just pay a refundable deposit. But certainly not required. In fact, most information on a form isn't required, or can be faked. People always assume you are telling the truth, and often don't care what info you give them.
29   NuttBoxer   2024 Feb 6, 6:59pm  

So I've promoted Vanilla gift cards before as a way to stay anonymous. But something has changed. They cards look different, and are missing the full barcode on the back. I can't get these new cards to work at any physical location. Even places where the old cards work fine. Not sure if they've changed all the vanilla gift cards, or it's just the place I buy from. Also my trash company stopped accepting them after January. Ironically the larger national company that also services my address took them no problem.

It's getting harder to maintain privacy, but just makes the game more fun for me.
30   WookieMan   2024 Feb 6, 10:05pm  

NuttBoxer says

Online, and mail, to my real address of course. But not in my real name.

So you rent and didn't have your credit pulled? Don't have a home loan? You did one or the other or you moved into a relatives house. The 3rd option is the only one your info cannot be found kind of.

I have no interest in doxxing people. Patrick is the only one that even knows my first name. I don't want this site to turn into that shit. People have been screwed before here. I'm not that guy. I respect your privacy, but just know you don't have it. If I wanted to find you, even from this site, I could. Understand the law. Hence why I'd never dox a person here. Disagreements aside I do have respect for you guys and I assume the occasional gal.

I may come across as a know it all dick, but I'm not lying. Words on the internet don't hurt me, though I'll argue. I'm not going to dox anyone to prove a point in an argument. We've literally had a murder from something posted on this site. Not anyone's fault. Just banter and a crazy husband. I like not knowing you guys. At some point I will cross paths with one of you. It will be good. Likely random since I live in IL and most of you are out west. I will meet one of you on accident.
31   NuttBoxer   2024 Feb 7, 10:48am  

No one's asking you to dox anyone. Is that your excuse to not deliver? I can give you a temp email to send the data to, just send enough to prove your point, nothing more.

I believe my credit was run, but you won't find that as helpful as you think. Those temp emails don't have long life for viewing messages, so let me know when you have something, I'll give you the address, either here, or through Patrick.

Please register to comment:

api   best comments   contact   latest images   memes   one year ago   random   suggestions