[The Beast1]

(02-22-2016 11:25 AM)Valentine Wrote:  

(02-22-2016 10:36 AM)The Beast1 Wrote:  

The fact that you're going well beyond what is necessary makes you immediately more interesting to security agencies. TOR, VPNs, cryptocurrencies, just screams, "I have something to hide!"

Hiding in plain sight is much safer and easier to do.

These methods, when used correctly, make you extremely difficult to track.

Tor? You're almost impossible to identify.
VPNs? They'd have to gain logs from the RVF server AND THEN slap a court order on your VPN provider.
Cryptocurrency? Again, almost impossible to track (with proper OPSEC).

I hear what you're saying but how exactly would they identify that you specifically are using these measures?

As this website uses SSL even if you're just using a free proxy all they know is that a particularly username is posting on RVF, but nothing beyond that unless they get server logs. And if you don't use a proxy then your ISP knows, which is not ideal.

But I could be wrong. Who knows. Discussing this and identifying the leaks however is exactly how we'll make sure this movement survives, because they'll get increasingly aggressive to try and stop our momentum.

Dude,I already outlined previously how they would identify you using TOR and a VPN. They don't need to hack anything. All they need to do is sit and listen at a TOR exit node the NSA hosts or at a VPN's ISP (which they already do) and snag the data that comes through. It's a fishing expedition for the NSA to find info on you. This is all done on the other side.

Once they grab some packets that identify your name using whatever service you like they can begin building a profile on you and attach it. Most of this is done automatically until you become more interesting to warrant a field agent.

You've secured point A (your computer) to point B (Tor/VPN) and then exit to the open internet at point C. Your data is exposed at point C and this is where security agencies like to gather their data.

[BassPlayaYo]

(02-22-2016 10:36 AM)The Beast1 Wrote:  

...
As for the doxxing threat, security agencies and employees of telecoms do not dox people. Generally when intelligence agencies have information they don't want the subject of their investigation to know.

The people who do doxxings are folks googling people's names and looking for listed phone numbers and addresses of people. If you want to protect yourself from doxxing unlist your name and phone number from the internet, Google search the sh!t out of your name and hide stuff people can find, keep your posting habits on this site obscure enough so people can't identify you from posting, and obscure anything you do with multiple user names so people can't dig it up.

Often times what happens is that you become engaged in an activity that over a period of time gives rise to you having a bigger public profile, something you never considered. The public begins paying more attention to you because you're controversial or you've done some "wiz bang" thing that they love. Prior to the rise in your public profile you didn't think about the "tracks" that you were leaving around that connect the anonymous user entity you've created to the real you. If you are able to monetize this activity you will have to use a name and an address. If you're not thinking that what your doing will result in you having a much bigger public profile (success) you will probably engage in this activity from your home and quite naturally all of the "paper work" will have your home address on it, things like domain name registration, if you have an app in the Google Play Store, it will list your physical address, if you have a registered trademark it will list the address of the business when queried, etc.

[Valentine]

(02-22-2016 11:46 AM)The Beast1 Wrote:  

Dude,I already outlined previously how they would identify you using TOR and a VPN. They don't need to hack anything. All they need to do is sit and listen at a TOR exit node the NSA hosts or at a VPN's ISP (which they already do) and snag the data that comes through. It's a fishing expedition for the NSA to find info on you. This is all done on the other side.

Once they grab some packets that identify your name using whatever service you like they can begin building a profile on you and attach it. Most of this is done automatically until you become more interesting to warrant a field agent.

You've secured point A (your computer) to point B (Tor/VPN) and then exit to the open internet at point C. Your data is exposed at point C and this is where security agencies like to gather their data.

And I have already proved that's unrealistic:

(02-22-2016 07:17 AM)Valentine Wrote:  

(02-22-2016 06:46 AM)The Beast1 Wrote:  

For especially sensitive information, use Tor. TOR exit nodes have occasionally been used by the NSA again in MITM attacks) http://motherboard.vice.com/read/how-the...-anonymity

Again, only if you're being actively targeted is this a risk. If you're forced to always use Tor and you happen to download a large file from a website without verifying it, then you're an idiot.

If that's your threat model you'd be downloading files from websites only within a virtual machine at the very least.

For Tor, they have no idea which Tor exit node you'll use because a new circuit is used every time.

And if you happen to use an infected Tor exit node, then you'd still have to download a file from the fake website. But if you're forced to use Tor religiously, you should be using a Whonix virtual machine to completely prevent any IP leaks anyway.

Again, to identify your VPN in the first place they'd have to gain logs from the RVF server as well as slap a court order on your VPN provider.

If you've got an adversary who manages to deanonymise you through all of that, you end up at the same stage you would have as if you had been connecting through the clear (no VPN or Tor).

If you want to go without these layers of defence it is your call, personally I prefer the extra insurance.

[Just_Die]

I guess as with all such risks, the problem will be security versus accessibility. How often and how easily will you be able to reach people if they have to use exotic applications and security protocols just to receive a message. How much outside the meetings interactions will members have if forum communication becomes very cumbersome. The benefit of using established media platforms is accessibility and getting the word out. You've of course outlined the cost of those platforms. But I'd say the movement is still in its recruitment phase and I'd have an easier time getting a newcomer to sign up and participate to a secret facebook group than I do having him use VPNs and Tor and so on.

Of course the argument for deeper security for "inner circle" type communication is reasonable, amongst proven and committed members.

[The Beast1]

(02-22-2016 12:13 PM)Valentine Wrote:  

(02-22-2016 11:46 AM)The Beast1 Wrote:  

Dude,I already outlined previously how they would identify you using TOR and a VPN. They don't need to hack anything. All they need to do is sit and listen at a TOR exit node the NSA hosts or at a VPN's ISP (which they already do) and snag the data that comes through. It's a fishing expedition for the NSA to find info on you. This is all done on the other side.

Once they grab some packets that identify your name using whatever service you like they can begin building a profile on you and attach it. Most of this is done automatically until you become more interesting to warrant a field agent.

You've secured point A (your computer) to point B (Tor/VPN) and then exit to the open internet at point C. Your data is exposed at point C and this is where security agencies like to gather their data.

And I have already proved that's unrealistic:

(02-22-2016 07:17 AM)Valentine Wrote:  

(02-22-2016 06:46 AM)The Beast1 Wrote:  

For especially sensitive information, use Tor. TOR exit nodes have occasionally been used by the NSA again in MITM attacks) http://motherboard.vice.com/read/how-the...-anonymity

Again, only if you're being actively targeted is this a risk. If you're forced to always use Tor and you happen to download a large file from a website without verifying it, then you're an idiot.

If that's your threat model you'd be downloading files from websites only within a virtual machine at the very least.

For Tor, they have no idea which Tor exit node you'll use because a new circuit is used every time.

And if you happen to use an infected Tor exit node, then you'd still have to download a file from the fake website. But if you're forced to use Tor religiously, you should be using a Whonix virtual machine to completely prevent any IP leaks anyway.

Again, to identify your VPN in the first place they'd have to gain logs from the RVF server as well as slap a court order on your VPN provider.

If you've got an adversary who manages to deanonymise you through all of that, you end up at the same stage you would have as if you had been connecting through the clear (no VPN or Tor).

If you want to go without these layers of defence it is your call, personally I prefer the extra insurance.

The problem is, that insurance is useless if they already know you've visited. To be 100% safe you should have always used TOR to obscure your data coming into RVF. If you've ever accessed this site with a phone or without any encryption they've already captured that data and know you're the source.

If you obscure it by using TOR after the fact it's useless. They still monitor the back bone provider that RVF's server is connected to. They'll see your data coming from multiple places and go, "Ah Valentine is using TOR again" and attach your information from the TOR link to your previous accessed information.

Also, a MITM is trivial for someone like the NSA and GCHQ. All they need to do is spoof the SSL certificate and pass that info between you and the RVF server. Most likely they have the tools needed to create 100% authentic keys. There isn't any software that needs to be downloaded this is all done externally.

Once they have that, they can tie it back in to information about you if you've accessed this site without protection in the past.

The NSA datacenter in Utah has storage for between 3 to 12 exabytes (per wikipedia). They have all the info they need to find out who we all are and use the massive computing power to collate everything together. They don't need access to our machines to figure out who we are.

The thing is 100% of this data collection is automated. No human ever really looks at it until they have a reason to.

Have you accessed this site previously without hiding your identity via Tor?

[Cronus]

Good thread.

Here is a solid guide that goes in depth with tor, vpns and general security. Always be safe and use protection when needed. Don't raw dog the internet folks.

https://www.deepdotweb.com/jolly-rogers-...beginners/

[polar]

(02-22-2016 08:07 AM)DaveR Wrote:  

(02-22-2016 07:17 AM)Valentine Wrote:  

You can buy a new SIM card to register Signal, then toss it and put in your normal SIM card.

There are some problems with that:

- it's difficult to buy a SIM without providing ID in many countries

- each phone has an ID number (called "IMEI"), and carriers keep records of which IMEIs have been used with each SIM card. That makes it very easy to associate your temporary SIM with your main one (and such lines of inquiry are standard operating procedure, by the way).

So in order to maintain anonymity, you'll need to find a way to buy a SIM anonymously and also use a separate phone that hasn't ever had any of your (preferably also your friends') SIM cards in it.

Signal does offer some advantages in theory, but I think it's far less practical in reality and that's why its user base is still quite small.

You'd also need to worry about not being on the same SIM cards in the same locations on the same phones. With even broad location data, it's possible to track what phones tend to travel together or connect and disconnect from networks at similar times.

https://ssd.eff.org/en/module/problem-mobile-phones

Quote:

Together, these facts mean that effective use of burner phones to hide from government surveillance requires, at a minimum: not reusing either SIM cards or devices; not carrying different devices together; not creating a physical association between the places where different devices are used; and not calling or being called by the same people when using different devices.

Furthermore, consider cell towers and free Wi-Fi in public places. Do you think it's just for your convenience?

Check out your city's favorite tourist attractions. The central square popular for public gatherings. Count the number of security cameras. A city of a million will have 20. A tier one city will have 200+ security cameras. If you're not in the third world, all of those cameras will be connected to a centralized database with facial recognition software. You're not getting around that with some Groucho glasses.

The future is here, gentlemen. You can be anonymous from the public through a handful of common sense. You can't be anonymous from Big Brother. The best you can do is obfuscation, and even that isn't a foolproof strategy.

In short, if you want to be anonymous in this day and age, you have to be off the grid and live in the woods.

[DaveR]

Great discussion we're having here. I think it's important to debate these concepts as Neomasculinity increases in profile and becomes more political.

(02-22-2016 08:51 AM)Valentine Wrote:  

This means if you want to have encrypted group chats, you should only share your Signal number with vetted individuals. Otherwise, stick to Telegram for 1:1 secret chats.

In my threat model, to be honest, the contents of group messages are not the main concern. It's more about identity(anonymity) and metadata, and Telegram has advantages in those areas.
What you wrote is essentially correct, though - if discussing something extremely sensitive with a group of people, and those people already know your phone number, then Signal has the upper hand.


I see the following potential threats:

1. targeted (individual) attacks by the NSA or similar. There isn't much you can do about these, but we're unlikely to be targets of that agency.

2. mass surveillance by the NSA, including metadata collection - can probably be reduced by choosing the right services, but as above, we're unlikely to be targets. I find the idea of mass surveillance appalling, but I also don't see the NSA as a risk specific to myself or other RVF users. Yeah, they have everyone's private information and that poses a long-term risk to society in general, but right now they're really only interested in terrorists and foreign espionage.

3. subpoenas and court orders - I think this is one of biggest risks and it will require careful planning to mitigate. As seen a couple of weeks ago, governments can be brought into the hysteria if the media and social justice warriors perpetuate enough lies.
Using the right services will make it difficult for law enforcement to conduct "fishing expeditions" on your private communications and may help you to avoid being implicated or connected in case of an investigation.
The solution doesn't have to be elaborate or inconvenient. Use Telegram in a secure way (as per Roosh's instructions), use Protonmail or similar (check the other thread), keep RVF and real identities separate, don't reveal any identifying information on Twitter, RVF, etc.

4. social justice mobs and Anonymous - again, a very large risk, but not difficult to avoid. Use two-factor authentication where possible, use strong passwords and compartmentalise them (maybe with a password manger), keep RVF and real identities separate, don't post identifying information or photos under your RVF identity, keep photos of yourself off the web if possible.

5. infiltrators - a large risk to individual members. The only solution is to build trust. Make sure the person has contributed time/effort/money to Neomasculinity and be suspicious of new acquaintances... a good actor could hold a facade for a couple of days, maybe a week, but for a month? They'll slip up at some point.

[Valentine]

(02-22-2016 11:58 AM)BassPlayaYo Wrote:  

Often times what happens is that you become engaged in an activity that over a period of time gives rise to you having a bigger public profile, something you never considered. The public begins paying more attention to you because you're controversial or you've done some "wiz bang" thing that they love.

Definitely. Protect yourself from doxxing before it comes to be a threat and the risk won't be able to materialise. Too many people only realise this stuff is important once they've already been doxxed.

(02-22-2016 12:37 PM)Just_Die Wrote:  

I guess as with all such risks, the problem will be security versus accessibility. How often and how easily will you be able to reach people if they have to use exotic applications and security protocols just to receive a message. How much outside the meetings interactions will members have if forum communication becomes very cumbersome. The benefit of using established media platforms is accessibility and getting the word out. You've of course outlined the cost of those platforms. But I'd say the movement is still in its recruitment phase and I'd have an easier time getting a newcomer to sign up and participate to a secret facebook group than I do having him use VPNs and Tor and so on.

Of course the argument for deeper security for "inner circle" type communication is reasonable, amongst proven and committed members.

Most of these measures are just for your personal security.

Communication wise, the only thing being promoted is a new app - Signal or Telegram. And that's only for meetups or any other communication where your identity is at risk. Not a particularly inconvenient step.

(02-22-2016 01:38 PM)The Beast1 Wrote:  

The problem is, that insurance is useless if they already know you've visited. To be 100% safe you should have always used TOR to obscure your data coming into RVF. If you've ever accessed this site with a phone or without any encryption they've already captured that data and know you're the source. 

Agreed that if you've accessed the website once without encryption then your ISP knows about it. Whether they share all web traffic with their intelligence agency depends on the country you're in.

There's also a difference between being flagged as a one time visitor and a regular community member. Who's more likely to get the extra surveillance?

(02-22-2016 01:38 PM)The Beast1 Wrote:  

They still monitor the back bone provider that RVF's server is connected to. They'll see your data coming from multiple places and go, "Ah Valentine is using TOR again" and attach your information from the TOR link to your previous accessed information.

Care to provide a source for this?

(02-22-2016 01:38 PM)The Beast1 Wrote:  

Also, a MITM is trivial for someone like the NSA and GCHQ. All they need to do is spoof the SSL certificate and pass that info between you and the RVF server. Most likely they have the tools needed to create 100% authentic keys. There isn't any software that needs to be downloaded this is all done externally.

There probably exists a few 0days to spoof SSL but they're not going to waste therm on RVF realistically since they'd get patched thereafter and that means less websites they can attack. They wouldn't want to waste their payload like that.

At best if they did they'd get your VPN or Tor IP. If they've got your Tor IP, they can't do anything with it. If they've got your VPN IP, they still need to levy a court order. Which is why you get a VPN in somewhere like Sweden.


The Beast1, your main issue seems to be with VPNs and Tor.

But you realise by arguing for connecting transparently it puts members at risk unnecessarily.

- Logging onto red pill stuff at work can result in someone getting fired.
- Your identity will be logged whenever you visit anything red pill by your ISP.
- Media websites log your identity when you visit certain political articles and will check the referring website, in which case you should hope it isn't RVF.

And not even red pill related you're also now at risk of MITM attacks on your LAN.

I really don't see the benefit of connecting transparently. Do you do so?

(02-22-2016 02:00 PM)Cronus Wrote:  

Good thread.

Here is a solid guide that goes in depth with tor, vpns and general security. Always be safe and use protection when needed. Don't raw dog the internet folks.

https://www.deepdotweb.com/jolly-rogers-...beginners/

Great guide. Little advanced for most as it's aimed at users of an online black market but still good advice within.

(02-22-2016 02:24 PM)polar Wrote:  

You'd also need to worry about not being on the same SIM cards in the same locations on the same phones. With even broad location data, it's possible to track what phones tend to travel together or connect and  disconnect from networks at similar times.

https://ssd.eff.org/en/module/problem-mobile-phones

Quote:

Together, these facts mean that effective use of burner phones to hide from government surveillance requires, at a minimum: not reusing either SIM cards or devices; not carrying different devices together; not creating a physical association between the places where different devices are used; and not calling or being called by the same people when using different devices.

Good advice. Mobile phones leak so much metadata it's insane. Better to rely on your laptop for secure comms or an encrypted chat app.

(02-22-2016 02:24 PM)polar Wrote:  

Furthermore, consider cell towers and free Wi-Fi in public places. Do you think it's just for your convenience?

Check out your city's favorite tourist attractions. The central square popular for public gatherings. Count the number of security cameras. A city of a million will have 20. A tier one city will have 200+ security cameras. If you're not in the third world, all of those cameras will be connected to a centralized database with facial recognition software. You're not getting around that with some Groucho glasses.

Yeah hiding your location is pretty difficult now. Best you can do is isolate your online alias from your real life one.

(02-22-2016 02:25 PM)DaveR Wrote:  

I see the following potential threats:

1. targeted (individual) attacks by the NSA or similar. There isn't much you can do about these, but we're unlikely to be targets of that agency.

Yeah if they want you then they'll pull out all the stops. If you fear this though there's many measures you can take though to make it very difficult for them eg what's in the DeepDotWeb guide.

2. mass surveillance by the NSA, including metadata collection - can probably be reduced by choosing the right services, but as above, we're unlikely to be targets. I find the idea of mass surveillance appalling, but I also don't see the NSA as a risk specific to myself or other RVF users. Yeah, they have everyone's private information and that poses a long-term risk to society in general, but right now they're really only interested in terrorists and foreign espionage.

In my opinion this is one of the biggest threats. It's so easy for them to deploy.

Just add a few extra keywords to monitor via XKEYSCORE and they've got every red pill person who used a PRISM company, accessed a HTTP site, wrote an email, sent a text etc.

This is where countless people will get caught unnecessarily.

3. subpoenas and court orders - I think this is one of biggest risks and it will require careful planning to mitigate. As seen a couple of weeks ago, governments can be brought into the hysteria if the media and social justice warriors perpetuate enough lies.
Using the right services will make it difficult for law enforcement to conduct "fishing expeditions" on your private communications and may help you to avoid being implicated or connected in case of an investigation.
The solution doesn't have to be elaborate or inconvenient. Use Telegram in a secure way (as per Roosh's instructions), use Protonmail or similar (check the other thread), keep RVF and real identities separate, don't reveal any identifying information on Twitter, RVF, etc.

4. social justice mobs and Anonymous - again, a very large risk, but not difficult to avoid. Use two-factor authentication where possible, use strong passwords and compartmentalise them (maybe with a password manger), keep RVF and real identities separate, don't post identifying information or photos under your RVF identity, keep photos of yourself off the web if possible.

5. infiltrators - a large risk to individual members. The only solution is to build trust. Make sure the person has contributed time/effort/money to Neomasculinity and be suspicious of new acquaintances... a good actor could hold a facade for a couple of days, maybe a week, but for a month? They'll slip up at some point.

Great advice and breakdown of the potential threats.

[The Beast1]

(02-22-2016 04:42 PM)Valentine Wrote:  

(02-22-2016 01:38 PM)The Beast1 Wrote:  

The problem is, that insurance is useless if they already know you've visited. To be 100% safe you should have always used TOR to obscure your data coming into RVF. If you've ever accessed this site with a phone or without any encryption they've already captured that data and know you're the source. 

Agreed that if you've accessed the website once without encryption then your ISP knows about it. Whether they share all web traffic with their intelligence agency depends on the country you're in.

There's also a difference between being flagged as a one time visitor and a regular community member. Who's more likely to get the extra surveillance?

(02-22-2016 01:38 PM)The Beast1 Wrote:  

They still monitor the back bone provider that RVF's server is connected to. They'll see your data coming from multiple places and go, "Ah Valentine is using TOR again" and attach your information from the TOR link to your previous accessed information.

Care to provide a source for this?

Here's one example: https://en.wikipedia.org/wiki/Room_641A

If they've cracked into the backbone like that, they're most likely doing far more nefarious stuff that we can only fathom. In the US there are 9 back bone network providers. It isn't farfetched to believe they have their fingers in each one.

(02-22-2016 01:38 PM)The Beast1 Wrote:  

Also, a MITM is trivial for someone like the NSA and GCHQ. All they need to do is spoof the SSL certificate and pass that info between you and the RVF server. Most likely they have the tools needed to create 100% authentic keys. There isn't any software that needs to be downloaded this is all done externally.

There probably exists a few 0days to spoof SSL but they're not going to waste therm on RVF realistically since they'd get patched thereafter and that means less websites they can attack. They wouldn't want to waste their payload like that.

At best if they did they'd get your VPN or Tor IP. If they've got your Tor IP, they can't do anything with it. If they've got your VPN IP, they still need to levy a court order. Which is why you get a VPN in somewhere like Sweden.
[/quote]

Do you follow any IT security blogs or news wires? If so, you'd be aware about this https://en.wikipedia.org/wiki/Bullrun_(d...n_program)

They've already cracked SSL and TLS. This isn't a few zero day exploits. This is far worse.

You know that western intelligence agencies also share data between each other? While your data most likely doesn't get sniped by your local government's agency the NSA certainly does share its data with agencies abroad.

Using a VPN on foreign soil isn't much of an advantage either. Your data is not any more safer in Sweden than it is in the US. In fact, all it takes is a little coercion by the US on its vassal states and they'll do whatever the US wants. Sweden tried to press bunk rape changes on Assange, sharing VPN data for a non citizen would be even easier to pull off.

(02-22-2016 01:38 PM)The Beast1 Wrote:  

The Beast1, your main issue seems to be with VPNs and Tor.

But you realise by arguing for connecting transparently it puts members at risk unnecessarily.

- Logging onto red pill stuff at work can result in someone getting fired.
- Your identity will be logged whenever you visit anything red pill by your ISP.
- Media websites log your identity when you visit certain political articles and will check the referring website, in which case you should hope it isn't RVF.

And not even red pill related you're also now at risk of MITM attacks on your LAN.

I really don't see the benefit of connecting transparently. Do you do so?

My problem really mostly stems with from overkill security paranoia prepping without identifying the pros and cons of each set up. Don't get me wrong, they are useful tools and serve a purpose. However saying, "you'll be safe if you do this!" is disingenuous. VPNs and Tor for visiting this site and others are over kill and aren't perfectly safe.

If you want to be 100% safe, stepping away from this forum and red pill stuff for good and not participating is the only way.

All of what we say here has been logged for others to see. If they're splicing into fiber optic cables at the backbone level, it's obvious they are able to do far more with that data than we can even realize.

The key problem is, the NSA and other security agencies have destroyed internet security. There isn't any safe means of communicating or visiting sites on the internet anymore. You can obscure and spread your data around making it difficult for someone to find you, but at that point you're inviting further investigation when your ISP notices hidden traffic coming out of your network left and right.

(02-22-2016 04:42 PM)Valentine Wrote:  

I really don't see the benefit of connecting transparently. Do you do so?

I do as a matter of fact. At this juncture, there really isn't any benefit to connecting opaquely either. They've already identified all of us just by metadata alone. I'm hopeful one day these records could be opened by us. I'd be curious to see if they know what my porn fetishes are

[Valentine]

(02-22-2016 06:19 PM)The Beast1 Wrote:  

Do you follow any IT security blogs or news wires? If so, you'd be aware about this https://en.wikipedia.org/wiki/Bullrun_(d...n_program)

They've already cracked SSL and TLS. This isn't a few zero day exploits. This is far worse.

Agreed, that is some scary stuff.

If they can easily crack SSL/TLS then your end point IP address is up for grabs. And if they can crack into the VPN of a foreign governments nuclear program they can definitely crack into your VPN provider and identify you that way.

However there are two things you're forgetting:

1) Motivation
Are the NSA motivated to attack this website? My belief is no. My strategy is based on dragnet global surveillance not a targeted attack on RVF by the NSA. To stand a chance against that you need far more thorough security than what I've mentioned here.

2) Tor
If you've previously connected to a website via Tor, retroactively finding that user is very difficult because thousands of users use the same exit node.

(02-22-2016 06:19 PM)The Beast1 Wrote:  

(02-22-2016 04:42 PM)Valentine Wrote:  

(02-22-2016 01:38 PM)The Beast1 Wrote:  

They still monitor the back bone provider that RVF's server is connected to. They'll see your data coming from multiple places and go, "Ah Valentine is using TOR again" and attach your information from the TOR link to your previous accessed information.

Care to provide a source for this?

Here's one example: https://en.wikipedia.org/wiki/Room_641A

If they've cracked into the backbone like that, they're most likely doing far more nefarious stuff that we can only fathom. In the US there are 9 back bone network providers. It isn't farfetched to believe they have their fingers in each one.

Oh right. That isn't too dissimilar from TEMPORA https://en.m.wikipedia.org/wiki/Tempora as they're essentially copying the whole internet.

In my opinion this is all the more reason to only enter information on sites which use HTTPS or Tor hidden services so all they receive is encrypted web traffic.

Whether they'll put a higher priority on cracking encrypted traffic rather than analysing HTTP traffic we'll never know. It is possible that you make yourself more interesting to authorities by doing this.

However Snowden himself stated that encryption works. It's an extra barrier in their way. In fact it's the only barrier in their way. 

If this stops even 10% of our web traffic from being analysed then this may lower flagged profiles labels from 'dissident' to 'hobbyist'.


The other big question mark is traffic analysis.

If traffic analysis can identify you despite using a VPN, then attacking the website isn't even necessary.

I don't know to the extent their traffic analysis is able to deanonymise you. But if it's the case where the metadata transparently reveals your identity then perhaps RVF should be accessed via Tor only. Adding a Tor hidden service as well would further boost privacy.

After all in Snowden's released documents they said themselves that they can only deanonymise a small percentage of Tor users for a small amount of time. Plus looking at case studies of criminals who successfully stayed anonymous online, all used Tor to do so. VPN users were caught immediately.

(02-22-2016 01:38 PM)The Beast1 Wrote:  

Using a VPN on foreign soil isn't much of an advantage either. Your data is not any more safer in Sweden than it is in the US. In fact, all it takes is a little coercion by the US on its vassal states and they'll do whatever the US wants. Sweden tried to press bunk rape changes on Assange, sharing VPN data for a non citizen would be even easier to pull off.

Yeah VPNs can be easily nullified via Bullrun or political pressure. Ideally though you're not that big of a target and would use Tor at that point.

(02-22-2016 01:38 PM)The Beast1 Wrote:  

(02-22-2016 04:42 PM)Valentine Wrote:  

The Beast1, your main issue seems to be with VPNs and Tor.

My problem really mostly stems with from overkill security paranoia prepping without identifying the pros and cons of each set up. Don't get me wrong, they are useful tools and serve a purpose. However saying, "you'll be safe if you do this!" is disingenuous. VPNs and Tor for visiting this site and others are over kill and aren't perfectly safe.

If you want to be 100% safe, stepping away from this forum and red pill stuff for good and not participating is the only way.

Agreed, that's the only way to be guaranteed secure. Hopefully everyone is able to make a decision that they're comfortable with from our discussion.

Definitely not saying you're 100% safe with my recommendations. But I still believe that encrypted traffic is better than unencrypted. Especially if you're using Tor's anonymising layer.

(02-22-2016 01:38 PM)The Beast1 Wrote:  

All of what we say here has been logged for others to see. If they're splicing into fiber optic cables at the backbone level, it's obvious they are able to do far more with that data than we can even realize.

The key problem is, the NSA and other security agencies have destroyed internet security. There isn't any safe means of communicating or visiting sites on the internet anymore. You can obscure and spread your data around making it difficult for someone to find you, but at that point you're inviting further investigation when your ISP notices hidden traffic coming out of your network left and right.

(02-22-2016 04:42 PM)Valentine Wrote:  

I really don't see the benefit of connecting transparently. Do you do so?

I do as a matter of fact. At this juncture, there really isn't any benefit to connecting opaquely either. They've already identified all of us just by metadata alone. I'm hopeful one day these records could be opened by us. I'd be curious to see if they know what my porn fetishes are

If they're able to collect and decrypt all encrypted web traffic then that's true. However with the volume of encrypted traffic they receive we don't know if that's true, and could be doubly moreso for Tor encrypted traffic.

On the traffic analysis and metadata side I've found little solid information regarding their ability to positively identify you if you're using a VPN so if you have some please do share. Likewise with Tor.

Regarding your ISP seeing hidden traffic, I agree that is a potential threat. They could keep a closer eye on your non-hidden traffic thereafter. This could lead to them discovering your crimethink in a slip up. But is telling them exactly what you do online by connecting transparently really any better? You've just given yourself away immediately and you have 0% chance of anonymity. On the other hand if you encrypt traffic, then you've given yourself at least a 1% chance.


By the way I just want to thank you The Beast1 for your intelligent and well argued replies. You've raised some fine arguments and though I disagree with you you've given myself and I'm sure many other readers a lot to think about.

The issue of digital privacy is one with few definite answers. We're operating on assumptions on both sides of this discussion because we don't know the full capabilities of our enemies. For that reason we'll never be able to come to a consensus on the best strategy to take, but I hope others are able to take something from this to make a more informed decision.

[Valentine]

Got a bunch of other assorted privacy posts scattered over the forum, gonna compile them here for ease of access:

Email

(06-22-2016 10:43 PM)Valentine Wrote:  

To be more specific, Google scans all Gmail messages and hashes images. So basically, don't use Gmail.

Tutanota and Protonmail are great pro-privacy email providers.

You need an email account for many accounts. But for day-to-day communication you'll want to switch over to encrypted instant messaging software for talking with close friends as email is fundamentally non-secure. Even PGP encrypted messages leak tons of metadata.

Phones

(11-22-2016 08:56 PM)Valentine Wrote:  

^ Agreed that on mobile you have to use a gateway, but that's the same problem for everything on mobile, it's always less free speech and pro-privacy e.g. can't do proper virtualisation, darknet access isn't as secure, cellular radio reveals location etc.

(12-13-2016 09:44 AM)Valentine Wrote:  

Moreso that smartphones are easier to hack and provide more useful data to police.

4G connection means rogue updates can be more reliably pushed via a IMSI-catcher (stingray) and of course smartphones contain far more data and metadata than their dumb counterparts.

To combat this there is an IMSI-catcher detector app for Android but your phone is still vulnerable to being hacked.

You need hardware baseband isolation - your baseband processor no longer having access to your device fully. So either use a Neo 900 (still in development) or a tablet + a portable WiFi router.

Phones are extremely vulnerable privacy liabilities because of this weakness so yes, they're not closing down 2G out of the goodness of their heart.

(12-30-2016 10:14 PM)Valentine Wrote:  

You're right about this, phones are still easy to hack by gov due to the closed-source all-access baseband processor.

However Google Home and the like are worse, because these very likely are passively always recording you and they're able to share with the gov a huge backlog of content, whereas you've got to be deemed a target for gov to hack your phone via your baseband processor and they require close proximity to do so with a Stingray. Even then you can get a heads-up if your phone is being hacked in this way with the AIMSICD app.

Operating System (Linux)

(12-06-2016 05:17 PM)Valentine Wrote:  

The choice of operating systems are:

Expensive, virus-prone, bloated, with built-in backdoors and spyware - but has no learning curve

VS

Free, near virus-invulnerable, lightweight, with no backdoors or spyware - but has a learning curve

It's hardly a choice these days.

Operating System (Linux - Tails)

(04-01-2016 05:22 AM)Valentine Wrote:  

The problem here is that you haven't explained why someone would benefit from this.

Tails does two things:
1) Automatically Torifies your internet connection (which is overkill for most - Tor Browser is sufficient and you can use VPNs)
2) Runs all your programs on an amnesic USB (amnesic meaning it stores no data, kind of like what you wish Incognito mode would do)

And there are far better options to what you've explained.

Why would someone need a burner laptop? Tails when run on a simple USB (what it's designed for) doesn't leave a trace on your laptop. The divide between identities comes from simply plugging in the USB. The laptop buying instructions are good so they should be followed when buying a primary laptop.

The problem is Tails USBs are great but it has too low usability for the average user. You have to boot up your PC again every time in order to access your RVF identity - very low usability.

Instead, if Tor Browser isn't sufficient for your needs, you're better off running Tails in a virtual machine. Like a browser, you can easily start it on your own PC and have it run simultaneously with your normal operating system - very high usability.

Tails VMs (use VirtualBox by the way) are theoretically not as amnesic as the live USB - that is they may leave some small files on your PC.

For most people, the small files are of no consequence. It would have to be a motivated aggressor using forensics to detect what programs you used.

If you are however concerned, then encrypt your laptop. No one will be able to access those files. If you are worried being coerced to decrypt your laptop, then stick to a Tails USB to ensure you leave no trace of your activities.

VPNs and Tor

(06-26-2016 03:25 PM)Valentine Wrote:  

There's a misconception here. It's the network the browser connects to which grants you anonymity, not the browser itself. Conceivably you can change any browser to connect to the Tor network.

When it comes to changing IP addresses, there are only two methods really - Tor or VPNs:

Tor Browser
+ Strong anonymity e.g. from NSA
+ Free
- Slow
- Many websites block Tor users e.g. those which have CloudFlare often do
- Installing additional browser extensions can break anonymity

VPNs
+ Much faster
+ Moderate anonymity e.g. from website owners, web services etc (unless they slap your VPN provider with a court order)
- Not free

(06-26-2016 08:59 PM)Valentine Wrote:  

Agreed, once post-quantum cryptography becomes widespread then all currently encrypted data becomes an open book. But that is many years off, so relatively speaking it is still strong anonymity.

I'm referring to the protocol's anonymity only, not the actions you might take on it. Of course if you log into your Facebook or do anything else which harms compartmentalisation then Tor won't save you. However case studies have proven that Tor + good OPSEC works well enough for child pornographers, darknet drug dealers and hackers to thwart identification.

Note: My opinion on Tor has changed recently - it won't keep you safe from NSA (due to traffic analysis) but will protect privacy against normal law enforcement & FBI.

Script, Analytics and Ad Blocking

(10-31-2016 06:50 PM)Valentine Wrote:  

Why has the internet gotten slow: bloated websites with copious use of scripts, analytics and ads.

Unfortunately this isn't a trend that is going to reverse any time soon. People want shiny websites and the ability to maximise the money they can get out of readers.

Most likely we'll see a proliferation of native ad-blocking within browsers (which is currently being implemented in Brave and Firefox) and of course increased computer/internet speed to help mitigate this.

Other than that though you'll need to actively get savvy about how to speed it up yourself:

Speeding Up Webpage Loading

(10-28-2016 04:37 AM)Wreckingball Wrote:  

Get a decent browser: Firefox, or Opera.
Download ublock origin and either privacy badger or disconnect.

This is the 80/20 method.

A level above that: NoScript.
Another level above that: uMatrix.

You can get most of these as addons in Firefox for Android also.

The real booster however would be setting up a Pi-Hole - which is a Raspberry Pi that basically blocks ads from even being downloaded to your network.

Quote:

Advantages overview
For me the biggest advantage is ad blocking on all devices on the network (phones, tablets, all computers). It blocks in app ads on iOS, android and WP.
Beside that, it caches DNS queries, which makes DNS lookups faster (for example once you lookup the address for reddit.com (which may take 50ms) from your desktop, the Pi will remember it, and next time you ask for resdit.com from your phone, the DNS request will only take 2ms, because its already cached on the Pi).
The third advantage is faster loading times of web pages, because it doesn't have to load all the ads (and lookup their addresses again!). The Pi is actually also a small web server, which serves a very tiny blank web page, and this tiny web page (lets say 1 byte) is loaded instead of 100kB ad banner on your phone, actual deciding what is ad and what isn't is already processed on the Pi, leaving your phones resources to display the actual content instead of wasting it on ads.

Search

(06-22-2016 10:43 PM)Valentine Wrote:  

DuckDuckGo's creator is historically anti-privacy (sold previous data collection company Names Database for $10 million) so I wouldn't trust them with my search data. StartPage is a better option.

(11-06-2016 06:17 PM)Valentine Wrote:  

Searx metasearch and add up to 70 different search engines in the preferences menu. You can even have Google (as long as you choose StartPage to proxy results).

Open-source alternatives for lots of closed-source software.


Home Automation and the Internet of Things

(12-30-2016 10:14 PM)Valentine Wrote:  

(12-30-2016 05:49 PM)kmhour Wrote:  

The smart home devices - Alexa, Google Home etc - are processing the commands using cloud processing, which means they aren't recording everything you say.

How could you possibly know that? Do you somehow have the source code for the closed-source software these devices run? Do you know how to decrypt the encrypted web traffic they send back to their servers?

No. I'd never dare consider getting a smart home device unless it was completely open-source, and even then I'd be highly wary because if hacked this device could be extremely harmful to your privacy.

Quote:

It would be prohibitive to send every word recorded by every Alexa in the world back to Amazon (or Google etc) for processing and storage. This is why they won't respond until the appropriate "wake word" is detected.

This is just naive on the costs of voice data these days, as well as how much they can sell this data for (WhatsApp and Facebook Messenger calls aren't free due to being good Samaritans).

Quote:

As for the broader privacy implications (i.e. the government hacking your Alexa type device to constantly record) my personal feeling is they could already do it with my cell phone which follows me around almost anywhere. If you aren't concerned about the privacy implications of the microphone on your smart phone, you shouldn't be overly concerned with the implications of your Alexa.

You're right about this, phones are still easy to hack by gov due to the closed-source all-access baseband processor.

However Google Home and the like are worse, because these very likely are passively always recording you and they're able to share with the gov a huge backlog of content, whereas you've got to be deemed a target for gov to hack your phone via your baseband processor and they require close proximity to do so with a Stingray. Even then you can get a heads-up if your phone is being hacked in this way with the AIMSICD app.

(12-30-2016 10:59 PM)Valentine Wrote:  

(12-30-2016 10:40 PM)kmhour Wrote:  

how could I know it? I don't have to. what mechanism does the device have to do this otherwise? either it's sending an enormous amount of unsolicited data back to home base - which is easily discovered by anyone who cares enough to monitor their home network traffic. or it has enough storage onboard to hold large amounts of recorded audio - which is also easily discovered by any hardware hacker who tears the thing down.

Amazon Echo has 4GB of storage space, so ignoring the size of the software it runs it can hold up to 4000 mins of audio (approximately 1mb = 1 min of audio).

This can then be sent at intervals, so network analysis is not going to be very revealing.

It doesn't even have to record all the data. It could simply 'wake up' on other unknown key words such as "credit cards", "guns" or "fuck the government".

Quote:

to say nothing of the overhead required to process every moment of every Alexa or Google Home device's recordings in Silicon Valley - or the PR disaster that would ensue if they were - simple logic dictates they can't send all audio recorded back home to be processed without people noticing it. they are definitely passively listening - they need to, in order to recognize the 'wake word'. but what past that?

That's the point, we don't know exactly how much they are listening because their software is closed-source. In this post-Snowden age if they really had good intentions they would open-source it to show that, but for now I refuse to give them the benefit of the doubt after already seeing the depth of the NSA PRISM program for instance, which proves tech behemoths are already all-in on absorbing as much customer data as possible for profit.

Quote:

like I said, it's your prerogative whether you want to move toward a smart home or not. I'm a tech enthusiast and I admit the idea of voice control and integration is worth the risk of something like the first episode of Mr Robot Season 2 (spoiler alert, the general counsel's smart home goes batshit). but in opposition, five or ten years it'll be the same as the guy who swore he wouldn't give up his analog phone for a smart phone.

Being a tech enthusiast and privacy conscious are not mutually exclusive. Everyone who has created privacy-focused tech are massive tech enthusiasts. The difference is they want to make the tech benefit them, rather than potentially harm them.

It's not as easy as 1-click Amazon checkout but open-source home automation already exists today, for those who value both.

Protecting Privacy Against Facebook & Google

(06-27-2016 07:25 PM)Valentine Wrote:  

I'm a big believer in doing what you can, not worrying about the rest. So let's just focus on some actionable stuff.

Facebook
- Don't install any Facebook apps (this is the main way they link your WhatsApp and Facebook accounts together)
- Don't give them your real phone number
- Limited info on your profile
- Log into it using a VPN/Tor

Google
- Swap all the Google services you use (some resources for that here)
- Self-Destructing Cookies + Privacy Badger to block Google tracking you around the web
- Use a VPN that you've never logged into a Google account. If you need to use an account for whatever reason always use it on a separate browser and not that VPN
- For embedded YouTube videos, they can see only who you are if you're logged into YouTube whilst watching them. Otherwise it's just an IP address as well as the referrer (URL of the forum post)

[JayR]

If you use Firefox and care about privacy, this post might be of interest:

https://blog.ungleich.ch/en-us/cms/blog/...dangerous/

Mozilla has a new feature, "Trusted Recursive Resolver" (TRR), that sends all DNS requests through Cloudflare in the U.S. by default, opening up your browsing activity to snooping.

You can override the default setting -- instructions are at the bottom of the post:

1. Enter about:config in the address bar
2. Search for network.trr
3. Set network.trr.mode = 5 to completely disable it

[deuce]

Wire/Wickr/Sudo for secure comms
Email/VPN service in a non-14 eyes country
-references: privacy tools.io, thatprivacyguy.com
Blur to mask credit card info
Read “TheComplete Privacy & Security Desk Reference” and “Hiding From The Internet”
TAILS & Tor (if your threat model requires)

[Vladimir Poontang]

Alternatives to Google products : https://restoreprivacy.com/google-alternatives/