CaptnMeowMix | 393 points
A Definitive Guide to Staying Safe
Since there have been links to actual dangerous material posted now, and fears of a honeypot type operation are rising, I figured it was important for all of us to at least be aware of how we can stay relatively safe. That way we can just point people back to this resource and keep all the legitimate concern comments to a minimum and focus on the actual investigation.
A few things to note first:
There are always multiple points of failure. Each piece of security advice ignored, means one more possible point of vulnerability somewhere. It's hard to ensure you've absolutely covered all of your bases, but this should be enough to at least make tracking you a pain in the ass.
There is no such thing as being 100% secure. Doing everything here will drastically improve your security, but nothing is guaranteed.
No amount of technological security can protect you from human error. Be weary of anybody and anything that might prompt you for information.
Anonymity != Encryption. Anonymity is about making it harder to track you down, but everything you do is still in plain sight. Encryption is about hiding what you have or what you're doing, but doesn't necessarily hide who you are. Making use of both of these together is the best strategy.
I have background in software, but I'm in no way shape or form a security "expert", so take all this with a grain of salt. And please do feel free to add on or correct anything if you're knowledgeable about any of this stuff.
Anyways, onto the different areas you need to look out for.
This aspect is critically important for anyone that's even thinking about downloading potentially incriminating evidence. You DO NOT want any of this stuff touching your computer's main hard drive. Keeping your pc clean is your last line of defense in a worst case scenario situation.
Luckily, you can avoid it rather easily. You can run an entire functioning, temporary operating system off a cd or usb drive. And as long as you don't deliberately mount your pc's hard drive on there, it'll simply store data onto your RAM, which is temporary by design.
The way to do this is with a Linux/Unix distribution that offers a "live cd". Ideally a security-minded one like Tails , Kali , Qube , BackBox , or OpenBSD . But even a standard user-friendly distro like Mint is better than nothing. Just download the disk image file (.iso) they offer, and burn it onto a CD/DVD or install it on a usb drive.
A physical disk is slightly safer than a usb drive only because you can't accidentally write to those while you're using them, and they're easier to destroy in case SHTF. But running it off a disk can be noticeably slower. And if you don't have access to blank cd's/dvd's or a disk burner, you might need to go the flash drive route anyway. Installing the .iso file onto a usb drive is also pretty straightforward , though installation procedures can vary from distro to distro, so that might require some more research on your end.
Just put the prepared disk in your disk drive, or plug in your usb stick, and reboot your pc. Then make sure to select the option to boot from the corresponding drive in your bios somewhere. This will be slightly different from pc to pc, but you can find tons of tutorials on booting off of cds online.
Rely on storing things locally with encrypted usb drives or sd cards. You can encrypt them with VeraCrypt , and wipe them with BleachBit when you're done using them.
These next services are here just for reference, I wouldn't recommend relying on them for backups/storage unless you absolutely have to. These are only useful if you need to share large data dumps online that are too big for encrypted email/messaging services. All of these rely some form of AES / RSA encryption, not PGP.
Where services are based, and where they store your data (encrypted or not) is important, because you want them to be outside your country's jurisdiction, and ideally somewhere with strong privacy/anti-spying laws.
Switching around where you're connecting to is more important than just finding a good connection. Ideally, you'd use like a hotspot with sim cards from some low-frills, pay-as-you-go mobile data provider (there are even some free ones ), and reset your connection every once in a while.
But that's also a chore, so the next best thing is public wifi. Anything free with lots of users on it is good. Even better if it doesn't make you load up some web page to sign into it.
If none of those sound viable, you can at least somewhat improve your router situation by flashing an open source firmware on it, but that's a bit advanced and not really guaranteed to be much more private.
Even without special firmware, you should be restarting your router regularly to assign you fresh IP addresses. You're also better off if you're in an apartment/office complex where there are many other users and routers sharing your general location. You do not want to be the only active internet user in your general vicinity, regardless of your connection method.
Once you actually have a working connection, you should be re-routing your traffic through a good VPN service that doesn't keep logs , and ideally connecting to a server in a country with decent privacy laws. But once again, periodically switching up where you're connecting from is more important. Luckily in this case, it's as easy as selecting a different connection server in a dropdown menu.
You could also add in the cliche 100's of layers of proxies here, but that's probably more trouble than it's worth.
Lastly, there's Tor . Everyone knows it's not as secure as it used to be now, but it's still significantly better than just a VPN and it doesn't hurt to try it, especially if you're not a noteworthy target for anything. Besides, stacking it on top of all the other measures is only gonna make it harder for them anyway. Remember to periodically request a 'New Tor circuit' under the onion button for any site you're frequenting, and restart the browser from time to time to clear anything it's temporarily stored up. And it's always smart to read up on what exactly it does , and doesn't do .
The tor browser should be enough for most things, and while using different browsers for different sites doesn't hurt, it is a bit of a chore. Though sometimes the tor network can be a bit slow, so in those cases you can try other browsers like Brave , Opera (which has it's own built-in VPN service), or SlimJet . But Chromium / FireFox are fine too, just make sure to set them up with any appropriate privacy extensions.
Either one you choose, make sure to:
Enable the 'Do Not Track' option in your settings (mostly just as a precautionary measure. It's up to the sites to comply with it, so it doesn't actually guarantee anything)
Disable Cookies
Disable at least 3rd-party scripts, either in the browser's settings, or through an extension like NoScript . Note that some things might not work properly with this on, but you can whitelist stuff as necessary.
Enable HTTPS Everywhere, either somewhere in your settings or through an extension .
Disable WebRTC features, might require an extension. (thanks to /u/sunkenberries )
And always pay attention to what URL shows up as in your browser's status bar (usually at the bottom) when you hover over a link. Take special note of any addresses that don't match up.
I figure most around here know about DuckDuckGo , but there have been questions about it's privacy in the past, and it's results can be a bit underwhelming without using their "!g" command. But it's better than nothing.
Personally, I use StartPage , as it actually uses google's search results directly, and just provides layers of heavy encryption and anonymity on top. The trade-off for that of course, is that it's search results are noticeably slower to pop up.
Encrypted email service providers:
Proton Mail : Based in Switzerland
Tutanota : Based in Germany
StartMail : Paid only, based in the Netherlands
If you're familiar with HushMail, it's worth noting that they have a history of turning over people's data .
For just sharing one-off encrypted messages, there's LockBin .
For actually messaging back-and-forth with people:
RetroShare : Encrypted, distributed P2P messaging. Works over Tor. Supports voice and video as well.
Riot / Matrix : End-to-end encryption
Jitsi : Supports encrypted video calls
Open Whisper Systems : Supports encrypted phone calls from your actual phone
Don't rely on online password services . Use a local password wallet like KeePass or Enpass . Come up with the master password for your password manager, but always use different generated passwords for everything else. You can double-check the strength of your passwords here .
If your running this off a live CD, backup your password manager data onto an encrypted flash drive/sd card (as described above) so you can log back into your accounts across sessions.
The EFF has a pretty nice collection of resources on dealing with surveillance and privacy issues if you want to read more about any of this.
And that's about as much as I can think of off the top of my head. Please do shout out any more suggestions or corrections if you have any.
raildogz | 24 points
Starting to wonder if I should stay off Reddit and go back to being a sheep.
Gapaot | 20 points
You can't. After knowing that shit exists and real, and not distant but right there in your country, your state, maybe right next door, you may choose to not do anything for various reasons, but you can't go back to being a sheep.
Tcutshaw2 | 4 points
Ignorance truly is bliss, as they say. Part of me longs to go back to the days when I wasn't even aware of politics, let alone corruption. But the more rational half of me craves information. I've come to realize that knowledge is the most important thing in the world. You shouldn't give it up for anything.
[deleted] | 15 points
M8! Oooooo, M8! You took your time m8, thank you. Good reading material.
sunkenberries | 12 points
Also, for VPN's: watch out for RTC leaks. Google RTC leak to see if your browser is leaking your real IP. There are extentions that block this.
beanx | 12 points
Folks who arent techies / arent totally sure of what they're doing: PLEASE, PLEASE, PLEEEEASE BE EXTREMELY CAUTIOUS. If you are someone who doesnt possess the know edge to SAFELY do this type of stuff, for the love of GOD, DONT!!!
If the things people are digging up are true, you have tapped into something more gigantic, more evil, more sinister than you can imagine. I fear for those of you who might be harmed in some way because you truly just wanted to help bring this shit down. THINK BEFORE YOU CLICK. If you have kids, a spouse, loved ones or enjoy a life free from feds (or worse) banging on your door, being investigated or watched, DONT dive in. We ALL want this sick shit exposed, but understand that the people involved in this shit have the resources and money to destroy you if you get too close and havent protected yourself in EVERY possible way. This isn't going away; it's not simmering down. It's becoming more and more some REAL SHIT and I just want you all to be safe.
SapereAude404 | 8 points
If you are just an observer, then "Epic privacy browser" can give you a good first layer of privacy. It's basically chromium but with all the questionable google features removed and full focus on privacy. it also has a built in proxy mode which is hosted by spotflux.
Another tip is using BitBox: it's basically Virtualbox+debian+firefox/chrome, just easier to use. You could use that + a VPN service if you dont feel comfortable running linux of a USB stick (you should, because it's safer).
if you are staying with windows (10), you should follow this privacy guide: http://adolfintel.com/index.php?p=w10debotnet/index_1607.frag also activate Bitlocker if your SSD is supporting it!
before uploading stuff to the internet always throw it into a .rar or .7z file and slap a password on it!
If you plan using a VPN service, then definitly check this website out: https://thatoneprivacysite.net/choosing-the-best-vpn-for-you/
when you are connected to a VPN, always check if your IP is actually hidden and also your privacy settings: https://ipleak.com/full-report/ or https://ipleak.net/
EDIT: (worst case scenario) If you fell into a honeypot, then you should think about nuking(aka nulling) your harddrive: http://www.dban.org/
ithasanh | 6 points
All this effort which seems to be involved makes me glad I don't have weaponized autism
NoNameJon | 5 points
I repeat that Tor is not compromised, tor is the best anonymity tool out there. Unlike if you use a vpn the browser can still reveal unique information like browser finger printing.
Don't let the shills tell you that vpn is more secure than Tor. Tor has multiple layers of encryption. Do your own research
NoNameJon | 4 points
Tor is much more secure than a vpn and Tor was never meant for the use of hidden services that's why the security is weak for hidden services.
Mr-Mick | 4 points
More on this Check following posts:
For ransomware prevention .
Combating advanced persistent threats
Now, my foremost recommedation would be to shift onto a secure and private email provider (as follows).
Email is (however) fundamentally not secure and one has to make several trade-off's depending on their personal preferences, specific requirements and understanding of security & privacy on the whole. Though their are some projects ( DIME , LEAP , ...) which are working on re-engineering the protocol - but that again is work-in-progress. I personally use mailfence (due to their complete emailing suite - docs, calendar, address book, groups, polls, IMAP, POP, ... and the ability of Digital signatures) - however, it all depends on individual preferences and specific requirements.
Privacy tools and Vegard secure email services feature matrix ... are some of the other places that provides further details in this regard.
bludevl80 | 4 points
If you are just reading reddit and upvoting stuff... do you think you still need all these levels of security?
buddylee_moa | 3 points
Just don't click on links. If your just reading stuff no one cares about u . If your posting and actively investigating stuff u could become a target.
existentialspider | 3 points
question. my SO just mentioned that shes read some articles that state that trump has also been to the island. Is this true? verifiable? anyone heard anything similar?
[deleted] | 2 points
[deleted]
The_Meme_TM | 3 points
Use a VPN "Kill Switch", it automatically disables your internet connection when the VPN is disconnected by an error.
If you you are using the VPN and get an IP from another country, and you connect to your gmail/reddit/facebook or whatever, they think its not you.
No, since you are connecting to your personal gmail/reddit/facebook they know its you.
Well you can just confirm its you
???
but if you on and off connect to those services with different IPs, didnt you then just expose yourself?
No, exactly the opposite. Switching IPs/Servers is a good thing, especially if you are logging into your personal accounts. Just close the browser while switching the IP so it is harder to connect both IPs to the same user.
tahmorex | 2 points
Thanks for this. I'm new to this thread (yesterday) and was watching as the WtP was going on- and besides feeling anxious staring down the rabbit hole- I was so leery of any and all links!
asdftendies | 2 points
didn't the lead singer of the who get in trouble for "research"? i fear this effort is attracting pedos who are trying to justify their sickness in some way
betchman | 2 points
I know how to do all this stuff, yet I still use a username containing my actual name.
I guess I will make a throwaway and go back to using my ghost box after I hit the gym....
asdftendies | 2 points
There is no mention of browser signatures. I have not done any experiments outside of torbrowser and vanilla firefox, but it's fucked up how unique you appear online.
torbrowser at its most restrictive makes your browser look the same as about 1 in 75 browsers according to https://panopticlick.eff.org/.
Anything less, you are unique in every 170,000 browsers - and it gets worse from there.
Another fucked up thing I saw today on drudge is this:
http://clickclickclick.click - go to it on your daily use browser and see what it can figure out about you.
thekingmolly | 1 points
Do you have any recommendation as to where one might go to follow this should Reddit try to shutdown PG?
[deleted] | -12 points
[removed]
CaptnMeowMix | 16 points
I'm so terribly sorry your parents didn't pay enough attention to you as a child. It's always sad to see an inferiority complex leading people to cry incoherently for attention from random internet strangers. Luckily, it's issues like these that have gathered us all here in the first place.
In the meantime, you can go back to playing in your nice little safe space and let the adults handle their business, ok? You're probably cranky because it's past your bedtime, but we won't take much longer, we promise.
Stretches_the_truth | -12 points
Deflect and deny that's all you people can do. xD holy shit this is hilarious you people think you are actually heroes. Poor you man, poor you. xD
SleuthForTruth | 2 points
You're just mad you can't eat junk food or drink Mountain Dew without your chrons causing you to shit yourself
Yea I took a peak into your user history, full of impotent rage and trolling
HarleyDavidsonRider | 37 points | Nov 21 2016 07:27:17
Any tips for moble users. Have been and always post like this.
permalink
windowsisspyware | 5 points | Nov 21 2016 23:59:04
Yeah, avoid mobile platforms and get a Linux laptop. If this is real then Apple/Google phones are not appropriate at all. Neither is Windows 10. All of these commercial US operating systems have strong ties to the NSA's PRISM network.
permalink
Philario | 1 points | Nov 21 2016 20:53:47
What about Telegram?
permalink