But one should practically note that this is just a practical warning. The omnipotence of the Mossad and NSA etc is limited too, and their interest in things is also limited.
Basically the attack vector from them is polluting the Tor nodes (so that they control enough of them to understand information), timing attacks on onion services to figure out locations of people accessing the hidden services solely within Tor, as well as undeclared exploits, and feeding local law enforcement around the globe the information about you.
But 9 out of 10 things you could possibly even do are not things that would have them bother with you, although it is accurate that over time you begin to have a problem if you are really trying to stay both private and anonymous and are doing criminal violations (distinct from civil violations). So just keep rotating keys and move with purpose. Limit your Tor session to implementation and execution and consider using Tor just for casual reading or accessing RDP to actually browse clearnet from someone else's computer.
The second column is a bit puzzling. The adversaries are listed as advertisers and people randomly googling you, but the suggested mitigation is to... add 2fa? What type of advertisers and/or googlers are breaking into your accounts?
That's precisely the point. Infiltrate me and a group of other people that have nothing going on, as long as I'm wasting your time I'm doing my part in protecting a tiny bit those who lack freedom.
Problem is, you essentially can’t trust people. Not even in a personal “do I know this person” way. But fundamentally people are squishy. If you squish them too much, they’ll do things they never wanted to do. That unfortunately is why groups greater than 1 are a weak spot.
In your scenario, you'll never know if the last person increments an ID somewhere or did some other activity that compromises the chain.
Every person you swap hardware with is a chain leading back to you.
It also becomes tricky to convince someone to lend you their phone in my country since ID cards are required to register any SIM cards.
As someone else above said, adding more people makes the rope (your opsec) weaker.
People generally can't be trusted once their self-preservation instinct kicks in. How sure are you the other guy you trusted enough to put them in your opsec isn't going to sing on you when their balls are gently fondled by LE agents?
Your IMSI (aka your SIM card) is going to be sent alongside your IMEI, which makes that type of identity "borrowing" pointless because the carrier can see right through it. WiFi MAC addresses can be easily spoofed without swapping hardware. Overall I don't see much value in swapping hardware.
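An added illustration of the linkage this comment describes, written here and not taken from the thread or the guide; the records and identifiers are constructed. The carrier sees every (IMSI, IMEI) pair that attaches, so a single borrowed handset joins the borrower's SIM, the owner's SIM and both handsets into one cluster, and the location trail of any member becomes the trail of the whole cluster.

```python
from collections import defaultdict

# Constructed carrier-style attach records (IMSI, IMEI, cell id); all values are made up.
RECORDS = [
    ("IMSI-A", "IMEI-1", "cell-10"),  # A on their own handset
    ("IMSI-A", "IMEI-1", "cell-11"),
    ("IMSI-B", "IMEI-2", "cell-20"),  # B on their own handset
    ("IMSI-B", "IMEI-1", "cell-10"),  # B borrows A's handset: ties IMSI-B to IMEI-1
    ("IMSI-C", "IMEI-3", "cell-30"),  # C never shares hardware
]

class UnionFind:
    """Minimal disjoint-set structure over identifier strings."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def link_identifiers(records):
    """Return {identifier: frozenset of every identifier linked to it}.
    Each (IMSI, IMEI) pair seen together is one edge; clusters are the connected
    components, which is all that is needed to undo SIM or handset swaps."""
    uf = UnionFind()
    for imsi, imei, _cell in records:
        uf.union(imsi, imei)
    clusters = defaultdict(set)
    for ident in list(uf.parent):
        clusters[uf.find(ident)].add(ident)
    return {ident: frozenset(members) for members in clusters.values() for ident in members}

def linked_to(records, ident):
    """Identifiers (other than ident itself) reachable through shared hardware or SIMs."""
    return set(link_identifiers(records).get(ident, frozenset())) - {ident}

def cells_for_cluster(records, ident):
    """Cells where anything in ident's cluster attached: the trail follows the cluster."""
    members = link_identifiers(records).get(ident, frozenset())
    return sorted({cell for imsi, imei, cell in records if imsi in members or imei in members})
```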
Different users of one device muddle location, patterns and data being transferred. This is the usefulness.
I'm lucky enough not to live a pretty vanilla life and so do my peers. Please investigate and waste time and resources in tracking down the most boring and uninteresting (on a political and criminal level) persons you could ever snoop on.
Again, once you pay for it, even with cash, they can track you down (though it may take a while). It's trivially easy to see where a given # is, so once they know the phone #, they can pretty easily find out who has it in their possession, by just showing up and seeing who has it in their hand.
Not to say there isn't SOME anonymity by paying cash for a burner phone, but it's not even remotely fool-proof for anyone really wanting to figure out who you are.
Yeah, running 1 or 2 of your own Tor nodes seems to be pretty ideal. One of which being an exit node. Connecting to that is the move.
Providing an obfs4 bridge seems good too.
But I really wish there was a docker container for all this. The documentation is all over the place, most of it is just on forums that can only be accessed on Tor, and those forums have unreliable uptime. It is really discouraging, but it seems like there are some very competent people that are so comfortable doing this that one could just assume they all have this greater level of OPSEC and infrastructure.
But if they can trace back all the activity pertaining to a case they can show strongly, though not conclusively, that you were probably the source? Also, as long as they can prove that you constructed the setup, you also start looking guilty as hell.
The bottom right cell in this chart is directly plagiarized (poorly, the dropped question mark makes the joke less funny) from a great article by James Mickens.
> Basically the attack vector from them is polluting the Tor nodes (so that they control enough of them to understand information), timing attacks on onion services to figure out locations of people accessing the hidden services solely within Tor, as well as undeclared exploits, and feeding local law enforcement around the globe the information about you.
Most of this info seems like overkill for most people's purposes, and as mentioned even following all of it won't protect you against the NSA etc.
Maybe it would be good to have an interactive version of the guide with a slider or something, which shows you the most relevant steps to take for your situation?
What I wonder about is the democratization of technology.
Basically, the technology available to the folks with "unlimited global resources" trickles to the left and becomes available to even to those with lesser skills/motivation.
For example, databases and tools formerly available only to governments are widely available. Things like DL data, wifi ap databases, rainbow tables, gps trackers - a web search + a credit card.
"...and feeding local law enforcement around the globe the information about you."
Local law enforcement gets almost nothing from them. Providing info on low level offenders greatly decreases the effectiveness of the program, especially if those offenders are being prosecuted in open courts (i.e. not the secret courts or foreign countries).
And in the offline world - pay for things in cash. Government is lazy and they love being able to search everything. Sending people to actually investigate things with actual leg work is not ideal. Paying in cash, or doing anything physical (pen and paper, in-person talking) breaks everything.
Which is why laws are being made to prevent large cash transfers. I won't say which country I'm referring to, but it sounds like a police state. I'm terrified this will become the new reality. Bitcoin to the rescue? I shudder at the thought.
And live in New York City? Probably the one last city where you at least have a chance at being anonymous. The train station camera coverage is a joke.
Heh, I remember spending hours in college tweaking Firefox config flags and then checking which websites broke this time. Nowadays I just enable uBlock and call it a day. For ordinary people it's just not worth it. Cool guide though, I will check it out.
>This suggests to me the author is giving advice based on paranoia rather than technical knowledge.
I noticed that immediately on the home page. The author suggests installing and running some sort of Python package to verify the PDF is harmless. That sort of makes sense, until you realize that installing a random Python package and running it is exposing you to far more risk than opening a PDF ever will.
There are JavaScript exploits as well. Do you never enable scripts? If you do enable scripts, do you vet the websites you enable scripts on as thoroughly as you vet random executables off the internet?
More complex =/= more secure. Tor, Whonix, Tails, et al. have sections in their wikis covering potential tunneling setups and their thoughts on efficacy and the rationale behind them.
From the Tor wiki:
> You -> X --> Tor --> X
> No research whether this is technically possible. Remember that this is likely a very poor plan because [#You-Tor-X you -> Tor -> X] is already a really poor plan.
I don't think the author is recommending that, just discussing it...
The guide recommends using a VPN over TOR in "specific cases", for example "when your destination service does not allow Tor Exit nodes", and for "VPN over TOR over VPN" they say it's not recommended because "it is just VPN over Tor but slower".
As someone who isn't THIS paranoid, but definitely closer to it than most, I can add a criterion for a reason one would be this paranoid. If you've worked in/with some of the agencies listed, you're not just paranoid but feel totally justified knowing exactly what some old pals can see.
Because people's threat levels are different. There is nothing you can do to escape from the NSA, for example.
But there are things you can do to prevent advertisers, or other adversaries from just getting your data.
And for most people, that's what they're looking for. I can't imagine I'm very interesting to the NSA, for example. But I'm probably very interesting to a large number of corporations and organizations competing for my attention.
The first rule of security is that nothing is 100%. There is always someone who can get you if they have sufficient motivation and resources.
Security is about taking steps to reduce risk, so that it's outside of your adversaries' budgets to attack you, and taking mitigating steps so that if you do get attacked the damage is limited.
Nothing about this is specific to computers, it applies to all security things, whether that's locking your door or a bank trying to prevent armed robberies.
https://anonymousplanet.org/media/image6.jpeg