OPSEC for Online Accounts
Run from your sins, shitlips
Obscurity is a black blanket
If you ever find yourself face-to-face with a mugger, bless you if you find yourself in such an affair, then the best course of action is not to hide yourself in a trash can, but to instead bring your own gun and kick his ass. With bullets. Security through obscurity is the man hiding with the prom night fetuses, while actual security is the gun-fu hustler getting laid as we speak. Because he already kicked ass and now he's tearing up ass just for something to do. The moral of this story is firstly, don't be a pussy, and secondly, fix vulnerable things before they end up being a problem!
Alright, but here's the kicker: sometimes, it works. Most of the time it doesn't. If you hide your password database in the "meatspin" table instead of the "password" table, and don't bother to encrypt salt hash pepper onion kiss for good luck your passwords, then they're as good as gone as soon as somebody gets to them. But if you were to do all that and then name your password database something like "OTgZ8LI%sh^4R!Z^7mo0zl2386go1TODvU&xJl5kdXzsPkmbnIHwz6b$sZmo6cNsir", name all your other databases with gibberish like that, store all the names using an in-house algorithm, and then separate all the passwords into tables so that no more than one is ever on one particular table, then you would have a system that nobody would be able to understand except for your employees, with leaks only ever revealing one password at a time, and the passwords being unable to be decrypted even if they are all gathered.
I have no idea if that works in real life, but the point is that sometimes it's a bitch to find things, and that if the underlying security of your system is solid, then you can hide it all you want. Hide it as deep and as secretive as you possibly can, so that nobody else except for you and everybody you trust can find your data, and that anybody else who tries will get lost looking for a needle in a haystack - except the needle does not exist, and the haystack is the size of Iceland (please don't ban me - I like Iceland).
What's the point of this triad? Well, most people have a problem, and it's called doxxing. Doxxing is when you take a ton of publicly available information, pull it from the Web, then post it all in one place so that everybody can get an easy snapshot into your most personal and intimate details. It's a bit like what Tom Clancy did (did you know he's dead? shocker!) when he went to the library to look up details about his books. Information that was scattered all over the place, yet when gathered together, looks like it came from a classified document. No wonder the USA raided him - a militaristic country like that couldn't stand to have state secrets leaked. From the public library.
Is it ethical? You could say that it's already out there, and the doxxers simply gathered it all like a magnet. But then you could also say the difficulty of gathering the info would prevent a reasonable person from snooping on another, and that doxxing destroys this barrier by giving the information to whoever wants to look at it. Regardless, it exists, and why? Because you put your personal information on there, silly. And let me explain how. Are we cool yet?
The problem with the Web:
The Internet is written with pen and ink, so said that lady in The Social Network which never actually existed, and it's all there for prying eyes to look at. Whether it's on your social networks, your fanfiction accounts, your e621 subscriptions, your blogs (what does it take to get banned from Google?), your e-mail accounts, your shopping accounts, your forum accounts, and every single thing you've ever posted to those accounts, it's all out there to be searched up, snooped, and indexed by everybody who wants to. That's a problem.
Now, granted, a great deal of this content is anonymised. A lot of people only use usernames and not their real identities, which is a very good thing for the Web, because it means that it's difficult to ruin a real life by ruining an online life. The problem with this? A lot of people give up more information than they should when registering for these supposedly anonymous accounts, and this creates a big problem for privacy, because when you take the small amount of personal information given and magnify it by a hundred, or even a thousand, then you have normally small details about your life that can be used to fingerprint you and eventually rat out your real-life persona.
And sites like Google give you this magnification by allowing a search on any particular username to reveal dozens of different accounts associated with that username, along with everything they've ever posted. And privacy settings will rarely help out in this case, as many of these can be bypassed with enough knowledge of the service at hand, such as when Codecademy will prevent users without an account from seeing your own profile, but won't stop somebody from creating an account in a few minutes. And then all the information that you gave the service, which can include your full name and address, will be in the hands of someone else. If it turns out to be real, this is a disaster for you.
So now you probably have a solution for this problem - don't give out your personal information online? Yes, of course, never do something like that. But it still isn't that helpful when you find that you eventually do give out personal information, in small chunks, over the years, all waiting to be picked up by Google, associated to every single account you made. And then it will be found out by some asshole, posted to Pastebin or 8chan or what have you, and then you'll be a victim of a dox before your very eyes. And when people see the person you pretended to be online with the person you are IRL, you better pray you did good online, before it bites you in your meatspace ass.
So if you're like me, you're probably such a paranoid bugger that you absolutely don't want this to happen to you under any circumstances, right? Well, of course! Even though establishing any sort of online persona leaves one open to being doxxed or what have you, due to factors like time spent online, the amount of stuff you've written, how much you reveal about yourself, your habits and schedule, the websites you recommend and decide to use, the way you write, your personality, and a whole bunch of other meaningless garbage. It all comes together to get a detailed profile, a fingerprint, of who you are.
So while I think it would be very difficult for you to dox me, I can't say it would be impossible. Even though somebody like me has left no glaring clues as to my identity, all of which I have considered and then decided to take action on, there are still many small clues you can glean from my writing, the platform I write on, and how I write. And then you can eventually take it all and then fingerprint me, if you dare. I will say that there are many fish in the sea, and that it's much better to get the bigger and dumber fish, as it is more economical to sue 10,000 normies for downloading one torrent than it is to sue 1 neckbeard for downloading 10,000 torrents, especially if the neckbeard is careful like me (I don't even have a beard!).
So let's learn how to prevent this arbitrary invasion of privacy, and also learn how to become anonymous. It won't get your novel published, but fuck it (butt fuck it). If it means preventing some asshole from making out with your life story for free, then I've done my job well!
Your typical dox scenario
These scenarios are corny as all get out, but fuck it (butt fuck it). Sorry, I just like seeing butt and fuck in the same sentence. Anyway (anyquay), let's meet our typical patsy, Natalie Catalie:
Natalie runs a popular blog on the new social networking site (fuck if I know what they're called, might as well call them Wildpaws), where she showcases all of her furry artwork to her friends, strangers, you know the drill. She wants to be an artist, and to her credit, she is. A fine one. She understands the simplicity of design well, and from her character designs, you can tell she came from an old guard college. Her colours are soft, a bit like what you'd find from Tumblr, but with sharp contrast as that on Pixeljoint. Is she trill? No, but she's chill, and she'll often discuss personal details about herself through questions she gets on her blog. She's also available on other websites - whatever is popular right now, the newest and hippest galleries, which she easily imports all her work to through the use of public bots. She's a skiddy, eh? No shame. We can't all be hackers.
This right here is already a gold mine of information. Let's examine the facts from this short description which I literally wrote up in three minutes because it's damn near midnight and I got a waifu to talk tender things to (she'll coddle me with her feathers, and we will be one). Let's start from the basic facts, and then we can extrapolate things from here.
First off, her name. Natalie Catalie. It's cute, but it's insecure. Let's assume that she actually is named Catalie, as normies like to name things after themselves (I did one time, in TF2. Whoops, there goes the PTSD). Our hacker friend, who we will call Skiddy Kitty, can use this information to his advantage (it's a boy named Kitty - if you complain you're a homophone). It turns out that Natalie Catalie had already created several different accounts under that name: Facebook, LinkedIn, Twitter, Google, and the rest. This isn't too bad. After all, Catalie is a smart cute. She knows not to get lazy with her personal info. But think, will you? Not only has she given up her first name (enough to make a connection), but she has, as a result of naming her accounts the same thing, given up every little piece of info associated with her all for the taking! How many furries named Natalie who went to a particular college, works at a particular place, went to a particular bar at a particular time, do you know particularly well? She got fingerprinted, big time. And that little mistake is all it takes.
Secondly, she's an artist. Naturally, this lends to her artwork being redistributed on a consistent basis - not just by her, but by her fans. You'll see her work on the Chans, on the Boorus, and bootlegged on whatever sort of websites and what have you. If you were posting these anonymously, you'd be safe, and if you weren't, you'd be a victim of fingerprinting yourself based on your tastes and what have you. But you're not the target, lucky you, as it's Catalie who is today's victim. And unfortunately for her, she has made it very hard for her to disappear. You see, belonging in the public eye, you never have the right, or even the opportunity, to ever erase yourself from it, and this is especially the case on the Web. There are traces of Catalie's work all across the web, waiting there in silence, perhaps forever, and able to be looked at and picked up by Google's reverse image search. She will find it very hard to start anew as an artist, as her former self will always be alive on the Web in some form (especially if it was indexed in an archive), and if she doesn't completely abandon her characters, her themes, and her current style, then it will be dead easy for a fan or a scumbag to recognise her art and then be able to identify her.
Thirdly, she has answered a great deal of questions about herself on her art blog. This is all ripe for the taking, especially when you also have the opportunity to ask questions. But consider this. Is Catalie a liar, and has carefully engineered her prose to misdirect who she is? The chances of this happening are very low, especially considering that she is a normie who has failed to even cloak her first name. Has she created a story so well-crafted over years that she has dedicated a great deal of her life maintaining it as an alter-ego, setting up those accounts as if they were her own, acting the part of a Natalie Catalie so that she can hide her true identity? Perhaps. And you will also notice that the chances of this happening are extraordinarily low, and that if you ever come across a con that deep, it's best to find lower-hanging fruit, as I don't think you could win that particular battle (but prove me wrong).
And finally, you could simply view the account profile to see what sort of info she has on there. It's dead easy to do, but it proves the point that you should never put anything at all on a public profile that is related to you. Anybody can view it, of course.
The prevention of the shrew
If you have been paying close attention, because I hope you have, because part of being a good person is learning to really put all your attention into something, even if it's uncomfortable or mentally impossible to do so, then you should have already learned some ways that Natalie Catalie has failed, and will soon be doxxed by Skiddy Kitty. Don't blame him, eh? He's already shaken up by the divorce, and being a NEET with no personal skills, he turned to a life of trolling to get some satisfaction out of the vanity he calls his life. If this sounds familiar to you, please stop reading this and learn art studies on Khan Academy. You don't like art? Well, what the fuck else are you doing with your life? Telling twelve-year-old girls to kill themselves?
So Catalie (a really great name. I'd kiss a girl named Catalie if I wasn't celibate) made a few mistakes. She got familiar with her fans (good if you're in the public eye - bad for everyone else), she put her real name out there (and some of her other info too. very bad form), she didn't change usernames for her other account (it only takes Google to connect them together and steal more info), she left behind a great trail of evidence in the form of her artwork, and she was willing to answer questions about herself. All in all, a disaster, especially if this lady wants to disappear in the near future.
The deeper you are into a system, the more you give into it, the more of yourself you give up and then let loose with everybody else, the harder it is to throw it all away and start fresh. Even you, who probably uses their accounts for the most mundane of things, have a bread trail of abandoned accounts with the very same username you have now. What would it take for you to get rid of it all and become a new person?
Not much at all
Today we will learn two things, and a few more things within those things: we will learn how to disappear from the Web to the best of our ability (which is more "obscuring" and less "scrubbing", as it's difficult to actually disappear), and then we will cover our tracks for the future so nobody else can tell who we are. Incidentally, this page was just indexed by DuckDuckGo, meaning it will never, ever leave the face of the Web again. Oops. Well, that's the cost of being a public figure - in exchange for always having proof of your existence somewhere out there, you get to improve the lives of hundreds of people (hopefully, as it would be nice to have an army to take down Whole Foods). Unless you're the Balloon Party 2012 album. Why the fuck can't I find a single file containing all the songs? I'm not a whore, I just want horse music.
Scrub yourself from the Web
If you would read my secret parentheses (like this), you would find that such a thing is impossible. For one, Google will always know of your existence, and two, the ability to copy anything from the Web at any time means there's always going to be some record of your time online ready for somebody determined or privileged enough to come in and scoop it like your balls in your hand. But we can prevent the normies from getting to it, and in the end, isn't that what matters? No, absolutely not. But we have no choice.
So what you need to do is think about every single account you have ever created, look up every username and password you have made for them, search up every single thing that might be connected to you (through a proxy and Tor of course, as this way it appears you're some random asshole and not a paranoid bugger), and get to work cracking those passwords until you get access to your accounts. Every one - especially the big ones, like Facebook (God help you) and Runescape (I lost my fortune in the Bone Yard), as leaving one behind leaves precious evidence. It's still out there, in some archive, but when you delete it from the public eye, it becomes plausible that an investigator will simply skip over the content they can't find.
If you had the great misfortune to be using a vault-based password manager like Lastpass instead of an algorithm-based one like Master Password (my Master Password and the No Hack Band post explains that vault-based managers are insecure by design, and that algorithm-based managers are effectively uncrackable), you'll have the opportunity to go through all of your websites and log in, making the process a lot easier. And then once you're done with that, you'll have to delete all the entries so as to never leave a trace of their existence. It will take a while, but this is why it is worth it.
So now that you have found your old accounts and gotten past the cringe of doing so (don't have any fear - if it's not you who cringes, it will be a thug willing to put you in cuffs), it's time to assassinate these accounts. Go into all the settings, and delete as much information you have given as is possible. Delete all of your forum posts, your comments, your submitted content, your friends lists, and everything else. Be especially prudent with your profile, wiping out (or falsifying) the information on there, such as your name, location, address, linked accounts, et cetera. Nuke everything - we don't want any records in case your account reappears by some miracle.
Then, having deleted everything you could, it is time to change what you can't delete. Go into your account information and check what you used to register your account, like your e-mail, username, and password. Change your e-mail to some disposable gibberish with a Guerrillamail address, making sure to check that you aren't ever going to receive e-mails from that service, so that nobody will ever guess your real e-mail and be able to snoop you like that. Be sure to refresh the gibberish for each account. Then, change your username to be similar gibberish using a very long password generator (or the Privacy Tools one, which has less entropy), making it impossible to be Googled or what have you. Also be sure to edit your profile picture to be
Finally, it's time to deal the finishing blow. Delete your account, and everything on it, using the options. You might be asking why we simply didn't start at this point. Well, in the event that the website doesn't allow you to delete your account (so much for the right to disappear, eh?), we needed to cover up the paper trail so that whatever is leftover ends up being worthless to whoever is snooping it. In addition, if the server isn't maliciously designed, the false information will have overwritten the original, "true" information, making it harder to analyse in the event a company has to give it up. Now that you have done all of this, find the "delete" or "deactivate" button, which will hopefully remove your profile from the public eye. If it does, congratulations. That's one more piece of evidence destroyed, until somebody extraordinarily lucky comes along and subpoenas the server owners. I hope they deleted your profile for good!
In the event that you're unable to delete your account, then make sure that all the personal information about you is incorrect, nuked, and ungoogleable, and then change your profile picture to be porn or something so that an admin bans you from the site (hopefully). After you change it, also change your password so that it's unguessable by you or anybody else - 50-100 digits of pure garbage, varying the digits so as to not be fingerprinted. Then after that is all done, remove the account from your memory forever. Now nobody can access your account, especially you, meaning nobody can point it to you. As far as the world is concerned, it is now a dead piece of Web culture that will never be picked up again, just waiting to die as its servers do.
Continue to make the effort to look up and gain access to as many services as you possibly can, because Google knows everything, and is waiting to spill the beans to everybody. Once you have beaten as many tracks as you can, removing everything that could possibly track you, making sure that every account is so outdated and incorrect that it can never be traced to who you are currently, then you can declare your past identity dead. Pray that your efforts were not in vain, and that you continue to anonymise yourself so that nobody will ever get the best of you.
Now you can run a program like BleachBit (or CCleaner, or Recuva, or Eraser) to get rid of all the traces of the existence of those pages from your computer, making sure that nothing is able to be pried from your operating system, destroying the hopes and dreams of forensic teams. If you encrypt your data before and after doing this, say with Veracrypt (plugging a three-day-old article, idY), then it becomes impossible for any sort of meaningful data to be recovered at all. The result of which? A job well done. Stay proud, mate. You'll never let the bad guys get the best of you.
Now that you have finished with your nuking of the old guard (fuck the old guard!), it's time to look forward to the future like those nice chaps on the Soviet propaganda posters. What are they looking at? Well, it's like a dumb baby (trick phrase - all babies are dumb) looking at nothing in particular. So I suppose that you're better than a bunch of dead guys on a poster somewhere, seeing as you're looking towards an entirely new, liberating, online identity. At least, I hope you are. I really don't want to manipulate you into doing things you don't want to, as your parents probably fucked up your childhood enough.
Tips for surviving from now
One of the hardest things about knowledge is spreading it. It's easy to assume you know something when it is not the case, and it's easy, when this is the case, to forget what you have learned at the instant you want to teach somebody. OPSEC is like that. If you were like me and have judged every online interaction based on the security risks they pose, wondering about every possible opportunity for something to go wrong, then I suppose reading this guide will be a bit redundant. But I must say that, if I can express myself in the way that you wished you could express yourself, then I will be much prouder for having written this article.
So we must ask ourselves, what is OPSEC? Well, it stands for OPerational SECurity. It's one of those abbreviations which has two words in it - they're a very naughty sort, a bit like jailbait. OPSEC is using your intelligence to gauge your interactions with your environment, and choosing the right actions based on what you know and what you discover. Good OPSEC, if you were reading my blog for a while, is to never give out your personal information to any online company unless in a dire need, as you know that these companies will sell it to data farms which exist to shove advertisements through your eyeballs as manipulatively as they can. If you were to ignore this warning, this would be very bad OPSEC, a bit like standing in front of a shooter at a gun range.
The best OPSEC is like situational awareness, but for everything. You just take what you know and make the best decisions at the time based on that knowledge. Let's have a shorter example, unlike Natalie Catalie (did you know she's thirty? you can't be thirty and called Catalie! it's not cute!) which whored out sentences like prosecutors. Let's say you're writing an e-mail to an Anonymous hacker, which is a really weird career path, but whatever. You have discovered a zero day exploit in the Neocities service which lets you gain root access to the server and fuck everything up (don't touch mine, please). And because you're Skiddy Kitty and came across this exploit out of a sheer fluke, you can't write any code to take advantage of it! Bad form! So now you have to e-mail it to some randy in hopes that they use it well.
So based on what you know of Anonymous's grey legal status, the illegality of having access to such a hack, the insecurity of the e-mail protocol, the insecurity of your e-mail provider (shill for this article), the possibility of this hacker being a cop, the long-term effects of a hack on Neocities (you'll lose my blog! think of the consequences!), the notoriety of your current online identity, the notoriety of the hacker's identity, and the knowledge that everything you send over e-mail will eventually be read by parties you absolutely do not want to read them, what do you do?
There are no easy answers with OPSEC. You just have to weigh the consequences with the actions. For instance, if you were to distribute this hack in plaintext e-mail with your real IP address using Facebook with your real name, address, and face, with the entire details of the exploit in that plaintext, all to somebody you've never met before and have no basis in trusting, then you can bet that you're going to go to jail. But if you were to send an encrypted e-mail with an anonymised burner account that you've never used and you'll never use again with the text "Meet [name] on Ricochet [link] 07:00 UTC", connected to with a VPN and Tor from a brand new identity and country, and then talk only about the most prudent information required for the hack and nothing else, then you're pretty well safe in the event of any legal investigations into your activity. There would be little evidence and little testimony, and I couldn't firebomb your house if you took me offline.
When you get good at this sort of thing, and I mean really quite good, all of these thoughts go through your head at an instant like a passive brain upgrade, as you shift your default mode of thought from normie to Froge (no relation to the meme), you start to see just how many ways you can be tracked back to your location. Whether they exist only in theory or exist as one of the easiest ways to butt fuck you (but fuck you), to be able to passively see the risks that the great majority of the population do not see is one of the quickest ways to be secure. I don't know how you can get to that point, as I do not know how I got to this point, but I will tell you that, with an open mind, a lot of time, and the desire to read like a maniac, you can get a few steps closer to that point.
Is it strenuous? No, not at all. It's just a minor inconvenience when you see a Google Forced and Unpaid Labour CAPTCHA and you just know that it's tracking you on the web, taking your mouse movements and trying to fingerprint your browser and your activities through whatever means a robot can. It's like this, alright? A randy looks at a painting of flowers and thinks "that's pretty". An artist, however, sees so much more than somebody with no artistic experience would be able to see. They see the process of how it was painted, which lines were placed first, and which colours were placed on. They see those lines and understand why they were that thick, or why that colour was chosen in comparison to the background, and they especially see the full spectrum of colours that are laid out before them, all of them, and which palette was used to create them. Having experience, having a "tabula rasa" as Seth Godin calls it, and being able to learn and see things for the way they are and not how you perceive them to be, grants you privilege to a world that's beyond the understanding of people unlike you. And once you find yourself a part of this new and expansive world, you feel better than most people ever feel in their entire lives.
So I guess my big "tip" would be to do what David Foster Wallace suggested and to do the reading. If you want to learn something, you can. And if you don't, you'll be the same as you ever were, but no better for failing to learn, and worse off for being the same man from one day to the next. I can't force you to be like me, but if you're not willing to cry over what you want to dedicate yourself to, then it's not worth doing at all. I mark a lot of my life events over crying. If you make someone cry in a good way, you're one of the greatest people in my eyes, and a day I don't cry is a day that I've wasted. I came close today. I guess that means today was good?
You Won't Believe These 27 EZ Tips:
What I'll help you with is what is in the scope of this article - protecting yourself on online accounts. Your identity and who you are, et cetera, and making sure nobody ever knows who you are IRL, because if they ever get a hold of that information it's stuck with you for life. Burning your real identity is a lot harder than burning an online one, as turning and burning online is as easy as deleting everything, dumping it, and moving on. Doing it offline requires a whole lot more effort, social engineering, and connections. Simply disappearing is not an option for most people, especially if they're on limited means.
So there are a lot of subtle ways that companies are trying to erode your online privacy, but with some good intentions, I'll try to teach you about the ways to counter-act those efforts.
Username cross-linking
I made that phrase up. Did you know the vast majority of online blogging is just people making stuff up? Most of the time they do it for some sense of affection or appreciation, because they don't get enough of it at home. But in my case, I do it because I'm (1) an original spirit who (2) creates things in order to better my brood and (3) imprint myself in the world as so many great people have before (dubious claims marked by numbers). This little phrase is the problem of taking a username you have used on multiple sites and having other people coordinate those accounts to each other, increasing the information they gain about you.
I conjectured this problem a while back, whereby the same username on an illegal or otherwise embarrassing site can be linked up to innocent ones and create more evidence as to what type of person you are. If you have posted any personal information to those innocent sites, then it is trivial to link it to the illegal one, meaning you have made it easier for thugs to raid your house on suspicions of being horny (and watching child torture, but let's not get pedantic). It's one of the easiest things for anybody to do, as Google makes it trivial for anybody to perform this task without putting any thought into it.
The solution to this problem is simple: never repeat your username on any website, the same as you never repeat your password on any website. This makes it much, much harder for anybody to link up your accounts, as to link up "big_mike_69" and "big-mike-69" is dead easy compared to linking "xiszixupi" and "sifrolega". How do you remember all these username and password combinations? Conveniently, while those two examples are both Master Password usernames and are thus technically fingerprintable, having a password manager like Master Password makes it dead easy to remember the combination for any given site, meaning that the trade-off between extraordinarily weak (and obtuse) fingerprinting and being able to remember every one of your accounts without forgetting them is obvious. If you really want to break it up, you can add random numbers and random letters in those random names, if you're wise enough to remember where you put them.
This same principle is also in force when it comes to other registration and personal information - and even if it's private, you can bet with a high degree of certainty that the website will save that information somewhere unencrypted and be forced to give it up to thugs who subpoena them. If you use the same e-mail address everywhere, it only takes one leak for it to link all of your supposedly anonymous accounts together, and so is very bad form. I'd even be careful giving it out to newsletters, as you have no idea what they'll do with your e-mail (shout-out to all my subscribers smug winky face). That's not even getting into the possibility of spammers blowing up your inbox with whatever the hip new scam is.
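An added example, not part of the original post: a self-audit of your own account inventory for the two linking problems described above, near-identical usernames and a shared e-mail address, plus a generator for a replacement handle that resembles none of the old ones. The account list, the example domains and the similarity cut-offs are constructed assumptions.

```python
import re
import secrets
import string
from difflib import SequenceMatcher
from itertools import combinations

# Constructed inventory of one person's own accounts: (site, username, e-mail).
ACCOUNTS = [
    ("forum.example", "big_mike_69", "mike@mail.example"),
    ("gallery.example", "big-mike-69", "Mike@mail.example"),
    ("shop.example", "BigMike69", "x7f3k2@burner.example"),
    ("blog.example", "xiszixupi", "q9w2e1@burner.example"),
    ("chat.example", "sifrolega", "p0o9i8@burner.example"),
]


def normalize(username: str) -> str:
    """Reduce a handle to what a search engine effectively matches on:
    lower-case letters and digits, separators dropped."""
    return re.sub(r"[^a-z0-9]", "", username.lower())


def similarity(a: str, b: str) -> float:
    """Similarity of two handles after normalization, from 0.0 to 1.0."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def linkable_usernames(accounts, threshold=0.8):
    """Return (site_a, site_b, score) for every pair of accounts whose
    usernames are close enough to be tied together by a simple search."""
    findings = []
    for (site_a, user_a, _), (site_b, user_b, _) in combinations(accounts, 2):
        score = similarity(user_a, user_b)
        if score >= threshold:
            findings.append((site_a, site_b, round(score, 2)))
    return findings


def reused_emails(accounts):
    """Map each e-mail address used on more than one site to those sites.
    One leak of such an address links every account registered with it."""
    by_email = {}
    for site, _, email in accounts:
        by_email.setdefault(email.strip().lower(), []).append(site)
    return {email: sites for email, sites in by_email.items() if len(sites) > 1}


def fresh_handle(existing, length=12, threshold=0.5):
    """Generate a random handle and reject it if it resembles any handle
    already in use, so the new account starts with no textual link."""
    alphabet = string.ascii_lowercase + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(similarity(candidate, old) < threshold for old in existing):
            return candidate


if __name__ == "__main__":
    for site_a, site_b, score in linkable_usernames(ACCOUNTS):
        print(f"username link: {site_a} <-> {site_b} (similarity {score})")
    for email, sites in reused_emails(ACCOUNTS).items():
        print(f"e-mail reuse:  {email} on {', '.join(sites)}")
    print("replacement:  ", fresh_handle([user for _, user, _ in ACCOUNTS]))
```

On the constructed inventory, the three "big mike" variants collapse to the same normalized string and are reported as linked, while "xiszixupi" and "sifrolega" are not.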
If you must give out an e-mail address, use a service like Guerrillamail and generate a random address with Master Password to gain access. All e-mails are deleted after an hour, and all logs are deleted after twenty-four (supposedly). This means if you access Guerrillamail using Tor, create a random address, use the scrambled address, and then only use it for one specific website, then it's next to impossible for anybody to get any evidence from that address. If you were to use the same Gmail account across every website you use (this one goes out to all my subscribers sad cat face), you can bet that Google would give up every last bit of information about your account (that they haven't already given to the NSA), and that it would be used to track you through every website you have ever used it on.
Guerrillamail is temporary, though, so for a burner e-mail address where you need to receive permanent messages, you might want to use Protonmail with a Yandex burner, as Protonmail requires some form of e-mail verification while Yandex doesn't, meaning it's a match made in Heaven. While I wouldn't use Yandex for anything other than a middleman, as it's a for-profit company based in Shady Old Russia (they banned my blog for being too gay), using it strictly to sign up for Protonmail is okay. Protonmail is a very secure solution, as it's client-side encrypted, doesn't require any personal information outside an e-mail address, is based in Switzerland and run by people who say "fuck you" to any foreign subpoenas, and allows you to use their service as a disposable e-mail due to the ease of signup. If you don't use Protonmail for your main host, then consider it. And if you just want to use it as a burner e-mail, then that's my recommendation.
Also be sure to turn off e-mails from your account, as even on Guerrillamail, the existence of such an e-mail for even an hour is evidence that can be used if the e-mail is ever monitored. Guerrillamail requires only the e-mail address and no passwords to sign up, which makes it great for plausible deniability purposes (I didn't send that bomb threat, some other asshole did) but means that anybody can sneak a peek at your e-mails should anybody get a hold of it. That's why you always use the scrambled address feature, only use it once, and make sure nobody sends you any e-mails that aren't absolutely necessary, such as account registration. Also, use a VPN with Tor when accessing the website, because you wouldn't want anybody to track your location when using the service.
As for other personal information your leaky lips will spill, avoid spilling it, you sneaky nerd. Every time a website asks you for your name, your location, and a description of yourself, it's unnecessary. Unless it's something where it's a foregone conclusion you'll have to give up your info, like your bank website, then don't share any of it. Even if you've anonymised the connections between your accounts by making your usernames random symbols, putting it up there means that it's still a piece of information about you that can be taken from the Web and used to connect your real persona.
And just to be sure that you haven't messed up somewhere along the line, take a single one of your fake usernames, take all the information off of its account, and try to derive the others just through a search engine alone (use DuckDuckGo or Startpage, for instance, even though an onion site is always more private than a clearnet one). If you can link any information to you at all, you've failed somewhere along the line. It won't hurt to try to clean up your act again.
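An offline companion to the no-reuse rule and the search-engine check above, as an added example that is not from the original post: it audits a list of your own accounts for the links described here (a reused e-mail address, near-identical usernames, a username recycled as an e-mail name). The account list, the `.example` domains and the 0.8 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed inventory of one person's own accounts (sample data, not real).
ACCOUNTS = [
    {"site": "forum-a.example", "username": "big_mike_69", "email": "mike.burner@mail.example"},
    {"site": "forum-b.example", "username": "big-mike-69", "email": "q7rw2@mail.example"},
    {"site": "shop.example",    "username": "xiszixupi",   "email": "mike.burner@mail.example"},
    {"site": "wiki.example",    "username": "sifrolega",   "email": "bigmike69@mail.example"},
]


def normalize(handle):
    """Lower-case and drop separators, so cosmetic variants collapse together."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())


def local_part(email):
    """Normalized part of an e-mail address before the @."""
    return normalize(email.split("@", 1)[0])


def similarity(a, b):
    """0.0 to 1.0 similarity of two usernames after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def audit(accounts, threshold=0.8, min_len=4):
    """Return (kind, site_a, site_b) for every pair of accounts that can be linked."""
    findings = []
    for x, y in combinations(accounts, 2):
        # 1. Same e-mail on two sites: one leak ties both accounts together.
        if x["email"].lower() == y["email"].lower():
            findings.append(("email-reuse", x["site"], y["site"]))

        # 2. Usernames that differ only cosmetically (separators, case, a digit).
        if similarity(x["username"], y["username"]) >= threshold:
            findings.append(("username-similar", x["site"], y["site"]))

        # 3. A username from one site recycled as the e-mail name on another.
        ux, uy = normalize(x["username"]), normalize(y["username"])
        if (len(ux) >= min_len and ux in local_part(y["email"])) or \
           (len(uy) >= min_len and uy in local_part(x["email"])):
            findings.append(("handle-in-email", x["site"], y["site"]))
    return findings


if __name__ == "__main__":
    for kind, a, b in audit(ACCOUNTS):
        print(f"{kind:17} {a} <-> {b}")
```

An empty result only means these three checks found nothing; the search-engine test described above still applies.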
Avoid shady websites
You know the type - sites that shove advertisements down your throat and pressure you to buy into a system that you'll never use. Sites that send out spam e-mails and harass your friends and pressure them to use their miracle products. Sites that are in cahoots with the entire spectrum of illegitimate and morally void businesses, using whatever tactics they can to screw over their customers and take the money and run. I'm talking, of course, about Facebook.
Oh dear, I've gone full Stallman. Only in this case, that's a good thing. Facebook, Google, Amazon, Apple, et cetera, are indeed shady. You just didn't think they were because they were big. That's the problem with power - you become blind to ethics and end up following somebody because of a reputation. If I ever get to that point, I suppose I'll have to alter my lifestyle in drastic ways.
It's really interesting when assassination markets respect their users more than the #3 website in the world. Especially so when you can trust a piracy website that serves pop-ups for horny Russian singles (please unban me - I like tits too) more than you can trust Facebook. It's a real fucked-up post i r o n i c society we live in.
Such companies have no respect for their users, and will do whatever they can to mine as much data as they can out of their users so they can continue to peddle their services in the most manipulative way they can, selling as much as they can to advertisers and keeping the rest for their own pockets. They are devoid of any ethics, and even joining such a service is akin to committing privacy suicide. I feel shady even just looking at a Facebook page, not that I would ever do such a thing without a damn good reason, but I know that Facebook has a target on my head and a shotgun full of trackers waiting to shoot me dead.
Same for all the other companies. If they're turning a profit, chances are, they want to do that as viciously as they can. Companies don't exist to serve their users. If they did, the top products bought at grocery stores - milk and eggs - would be in the very front, so customers can get to them easier. But instead, grocery stores put them in the very back, where customers have to travel through all the other goods, hoping that they'll make many more sales that way. It's psychological manipulation, and such a thing is the standard mode of operation for all companies.
Think about it. If you can't trust a company to provide you with such basic things as eggs and milk without being forced into dozens of other opportunities to buy things, how in the world can you trust a company with your name, address, profile picture, date of birth, location, IP address, and everything else in the world? You can't, and you especially cannot trust who they are selling this data to - government or otherwise. If you do, you'll find yourself another target for an ad man, just waiting to be sold to.
So if you know what's good for you, and don't think of me as a drug dealer for saying something like that, you'll cut out the bad stuff in your life in exchange for the good stuff. If you use social media and the services of the companies I've described above, I'd seriously recommend severing your account. While I understand that some companies have a de facto monopoly on their particular industry, there will always be alternatives so long as we have a free market, and voting with your time and money is the quickest way for a company to take notice. No snowflake ever felt responsible for an avalanche. Don't ever let somebody else tell you that you don't matter.
The strange thing? When I tell people this, they think I'm naive. "What's wrong with making money?" they'll ask. "Companies need to stay afloat", they'll say. And indeed they have points out of sheer practicality. I must note though, that such goals must never come at the cost of harming your users, and to put them before your greed is one of the most harmful things to society. Don't ever think that scamming one or two suckers won't come back to harm your reputation. No snowflake ever felt responsible for an avalanche, and we're playing a long, long game with a lot of snowflakes.
Conservatism is a sign of privilege, as to maintain the status quo is to be ignorant of the injustice of the world. I fear very greatly for anybody who identifies as such - it shows that they don't care about their fellow humanity. You would think that trying to give people rights, inalienable rights, which benefits everybody including themselves, they would appreciate it more. I guess some people are so selfish they can't look in the mirror and see anything but what they want to see.
Use a VPN with Tor
Let me tell you a secret. This topic is so fundamental to browsing the Web safely that it's one of the things that everybody should do, but nobody does. The reason it's fundamental is because it's one of the most basic, easiest, and even cheapest things to do, only costing a few dollars a month for the best protection, and still offering damn good protection for free. It protects your identity and keeps you anonymous like no other combination does, and if even 10% of the world did such a thing, then most online companies would be out of business, full stop.
The reason, and this secret reason why nobody does such a thing, is because this topic is also fundamentally boring. Imagine for a second the wonders of UNIX programming. Bored now! Let's look at porn! Now imagine the wonders of onion routing... Bored now! Time to fuck off! See? It's such a boring topic that almost nobody wants to talk about it, nobody learns about it, and nobody teaches it, which is a crying shame because it's one of the most important steps to being an online ghost.
There is a treasure trove of information regarding these two topics so vast that you could devote an entire university to studying it. Even the fundamentals are complicated: which VPN to choose in which country at what price and with what practices, the proper programs, protocols, encryption standards, and countries to use on the connection, the proper procedure for launching it alongside Tor, the management of acceptable extension practices on Tor, running a relay while simultaneously using Tor and making sure not to run into your own server, making sure your identity is never revealed to your VPN by using bridges, and creating a backup plan in the event of these two services failing or getting compromised.
It's OPSEC on cocaine. The journey of truly understanding all the ins and outs of network connectivity, encryption, proxies, servers, perfect secrecy, company practices, possible security breaches, and how to manage it all for making sure absolutely nobody can snoop on you is so large that it can take weeks to truly understand it all. It is fortunate then that I am here to give you the cheat sheet version of such an ideal. While you won't truly understand what you're getting into, and indeed, the number of websites I have visited trying to understand such topics goes into the high tens, I also understand that not everybody has the ability to put themselves into a topic that, once all is said and done, is extraordinarily dry. It took me two weeks once I was done my research to man up and continue learning more. I'd say that's worse than UNIX in some ways.
So let's just go over the basics, shall we? Which is to say, let me dump all the information I have learned about this subject in an easy series of paragraphs, as I could devote an entire article based on this premise (and indeed will in the future), but will just show you a trickle of light for now.
VPN 4 U
So basically what a VPN does is put itself before your ISP, encrypt all your data, send it to another server to mask the IP, then send it out to the Internet. This disguises your IP address, the content of the message, who sent the message, and what country it came from if the VPN service is foreign (as all good VPNs are). It stands for Virtual Private Network, and it does what it advertises. It takes your data and makes it private in multiple ways. The encryption stops people from looking at your data. The IP masking stops people from knowing who the real you is, as it ends at the company IP. If the VPN service keeps the bare minimum of logs, and encrypts them as well, and is located in a foreign country, then there is very little evidence that you did anything at all if your country can even access the evidence.
The problem, as you may have guessed, is with trust. You're giving the VPN provider access to your data instead of your ISP. This is usually an upgrade - the ISP is required by law to keep your data for arbitrary amounts of time, as well as everything you have ever searched up. But when it comes to disreputable VPNs, or those located within your home country, or those which are free, they will often not handle your data properly, and be forced to give up this data to thugs who ask for it. This is why you must always choose a good VPN, as this is the only way your privacy is secure.
If your VPN has any bad press about it, drop it. There are a million fish in the sea. If your VPN is free, drop it. They will sell your data to advertising companies, fail to keep it anonymous, and gladly release it to whoever asks for it, as is the case with HideMyAss. If your VPN is in the same country as you, or is in the fourteen eyes country list, drop it. In the first case, they will be forced to give your information to domestic thugs as required by the laws of your country, and in the second case, they will be spied on by their own country and then be sold out to other countries. A good foreign service will say "fuck you" to every legal request that originates from outside their country, making it a bitch for thugs to intervene. Never use a United States-based privacy service. They've already been fucked by the NSA.
For a list of good VPN providers, look at the privacytools.io list, which is a non-profit open-source website with a community of paranoid freaks just like me. You can also use that website for information about VPNs in general - that's the place I first went to when starting my research. Don't trust for-profit websites, as they're full of normies who don't understand privacy concepts very well. Also see the Bestvpn.com (surprisingly trustworthy) Ultimate Privacy Guide, especially the "Anonymise your internet use" section. Read through that whole guide and you'll be as educated as I was a few years ago. A very good first step, though not without the refined experience of somebody who has buckled down and really done as much research as they could. I'm really selling myself, I know. I guess when you're trusting somebody like me with your information, you have to be certain in them, eh?
So that's what a VPN does, mostly. Your data goes in, the VPN makes it secure and private, and the message goes to the Web. You have to pay for it, because free services are malicious, and the benefits are well worth it. But in addition to a VPN, you also have a free tool called Tor that you can use in combination with it. If you think of a VPN as a condom, then think of Tor as an oral contraceptive. With that combination, it would be extraordinarily unlikely that something would go wrong. Even though Tor is free, it is far from being shady, and is the standard for anonymous communications the world over. If you've spent any time at all researching privacy, Tor will be one of the first subjects you ever learn about.
"Tor stinks" - the NSA
Tor used to stand for "The Onion Router" but no longer does, and as a result of which noobs call it "TOR", which is ignorant and WRONG and FRANKLY I am ashamed of it. While it still is an onion router, and as such wraps a message in three different layers of encryption, you must only call it Tor, as otherwise you look like a fifty-year-old woman a few drinks away from a heart attack. Imagine the last thing you ever wrote on your blog. What would it be? If it's you writing "TOR is...", then nobody would blame you for dying.
What Tor does, and this is a very simple explanation, is bounce your web requests to three different computers, encrypt them when they reach each computer, and then spit out the request to the Internet. Because it goes through three different computers while encrypted, nobody can read the content of your message, and the Internet thinks you're somebody completely different. Your IP is masked, and so is your browsing history. It's open-source and from a non-profit, meaning it's free for anybody to use.
If it was really this simple, it would be laughable, because to disregard all the different attempts at forensic investigation that a thug team would do would be foolish of the Tor project. So the Tor browser is designed to remove any traces of your browsing activity, force encryption on websites that support it, and prevent common browser exploits such as JavaScript manipulation and fingerprinting. I won't go into all of that - you could write an entire book on the topic, with almost as much content as the actual Tor source code (protip: never look at an open-source project's code. you will cry or get a headache, whichever comes last).
Because of this focus on security, it does its best to prevent people from snooping on you, and it does this by masking your IP address, your location, what you're looking up, what you looked up on this machine, and preventing exploits that get in the way of this mission. It stops your ISP from snooping your data (and hopefully your VPN provider as well), and if you use bridges, they can't even tell you're using Tor, unless they do some dark magic shit usually reserved for national censorship.
By creating a network which encrypts all of the data in a (currently) uncrackable form, shares all the traffic between a group of about 7,000 computers where multiple users use each computer on a constant basis, swaps out your identity and Tor paths on each connection, and hides everybody under one big cloak of anonymity, it makes it next to impossible to discern Tor users from each other, and from an outside force, the combination of security, obscurity, and privacy makes it Hell on Earth to deal with. As of yet, nobody has "broken" Tor, and all such vulnerabilities are either improbable network control scenarios, or exploits in the web browser that neither the user nor the developers prevented. The worst attack on Tor was by the NSA using an exploit for an older version of Tor browser - a version that was a month old and had the vulnerability fixed by then.
Tor is the most secure solution to browse the Web today, and implementations exist for most of your devices, including your cell phone and your router. Properly setting up Tor so that it routes all your traffic the way you want it to is a pain, but for PC users, it's dead easy to just use the Tor browser and browse anonymously until you get your bearings and want to privatise your other activities too. If you're using Tor, you're on the right track, as if it's good enough for Death Grips then it's good enough for you.
Tor isn't a miracle pill or any such other drug. For one, it's slow as all Hell, making it annoying to use with network-heavy apps like YouTube and the like (though those that trade convenience for liberty deserve neither, so don't turn it off because you're impatient). You can't use BitTorrent with Tor as their structures are incompatible, seeing as BitTorrent was designed for speed and not privacy (apparent in that the BitTorrent encryption is easily crackable, and leaks your IP address to absolutely everyone), so you need a VPN and a client which supports proxies (like qBittorrent) to make that traffic secret. In addition, Tor only works on applications that you have set it up to work with. On Android, you need root access to control this with Orbot and Orfox, and on PC, Tor will only work with the Tor Browser unless you do some magic. To encrypt everything, you'll need a VPN, which you'll have to launch before Tor to make sure everything is encrypted properly.
So Tor is pretty secure, if not even the NSA can get to it (encryption works, simply). But let me blow your mind, alright? What if I told you that you can combine a VPN with Tor for the best security you'll find today? I know, I know. It's not the most fascinating thing in the world, but since you've read this far and are in the deep (watch that neckbeard), let's keep going and see what happens. Another secret: I actually like this stuff. What a twist!
The poorly chosen condom analogy
Using a VPN + Tor is like killing yourself with a shotgun filled with explosives and fire while covered in gasoline and dynamite. If you want to die, then go all out, fucker (note: this analogy is worse than the previous one). But say you want to live (and you do, probably, most of the time. please don't kill yourself), and you want to live as securely and privately as you can while still enjoying the fruits of the Web. Then using the combination of a VPN + Tor will provide the most security you can get on a network level without getting too complicated with firewalls and what have you, because not even I want to deal with such horrible things as "port forwarding" and other terms which make my testosterone die.
They complement each other well, as if one goes down, you still have the other to back you up. If Tor should ever get exploited for any reason, then they can only snoop your traffic down to your VPN's IP address, which would also be harder to monitor if your VPN uses dynamic IPs, and you change servers on a daily basis. If your VPN fails, you still have the ample security protections of Tor until you can get your VPN back up, as Tor also hides browsing data from your ISP while encrypting it from snoops. I guess you can say that Tor does the heavy work, and a VPN fills in for Tor's critical weaknesses.
On a PC, a VPN is the only way to get any privacy outside of the Tor Browser, as configuring apps to work with Tor on a PC is a terrible, confusing process, and I don't recommend it. If you're using BitTorrent, for instance, then a VPN is your only choice for privacy, as anything else would leak your IP address to the masses (though in this case, you can also use Peerblock for some extra security). When playing online video games (you poor sod), Tor would give you lag like nobody's business, while a VPN would at least keep you playable while hiding your IP address from skiddies who want to DOS you or whatever. A VPN also acts as a blanket security guard for every application on your PC, making sure that every single piece of your Internet traffic goes through it, which is not at all certain with Tor. In the event that an application decides to go tits up and leak your IP address, then your VPN will only give them its own IP address, protecting you from such events.
A VPN also gives you the opportunity to use applications that would otherwise be too slow with Tor (BitTorrent, gaming, video streaming), as you can just launch another web browser or configure your applications to not use Tor, and then trust in the VPN to protect you. While it's much less secure, in some instances, this is the only practical way to use the Internet, and so you have to make compromises. You can also use a VPN to change your forward-facing country, so if you keep getting region blocked, you can change your VPN server to be in the United States (but make sure the company itself is not based in the USA) and then hope things work out for you. This is also handy if you want to choose a country that's more friendly for what you want to do online, such as the liberal piracy laws in the Netherlands, or the liberal porno laws of Russia. With Tor, all of this behaviour is random, and so you can't choose which country is forward-facing or where the servers are located. It's good for privacy, but as I say, sometimes you want the choice.
Note, however, that you must always launch your VPN before you launch Tor. If you put your VPN before Tor, then Tor is the outward-facing IP address, and as such you are more secure because people only know you're using Tor instead of your VPN, meaning nobody can subpoena your VPN provider, for instance. It also means that your data is encrypted by the VPN client first, so that even if the Tor protocol is broken, you'll still have that layer of security to fall back on. If you launch your VPN after Tor, then your VPN becomes outward-facing, meaning that everybody can see your VPN IP address and know you're some random asshole. It also means that your browsing activity is more easily traced, because the VPN IP addresses only number in the few, while all of the possible Tor IPs number in the thousands, so the VPN is much easier to trace than if you launched Tor afterwards. So unless you have a special use case, launch your VPN before Tor.
So as you can see, the combination of these two services means that you're well and secure from pretty much any threat (unless your VPN provider turns out to be malicious and giving up your data - which is still somewhat better than your ISP but is still horrible!). Tor is free, and always will be, so you can always rely on that for security even if you can't afford a VPN. But for some cases, and to protect everything that you send to the Internet, you absolutely need a VPN, and so paying for one is worth it.
For more information about these topics, check out privacytools.io, the BestVPN privacy guide, and the IVPN privacy guides, and be sure to click on all the links within those guides, too, to learn as much as possible. It's one thing to read up on a topic - it's another to understand the topic. Learn as much as you can, and one day, you can teach people too. And then nobody will ever know who you are except for your students.
And this should be a given at this point, but nothing will protect you from bad OPSEC. Disassociate your accounts from each other, never give up any personal information, never re-use your passwords, usernames, and e-mail addresses, use Master Password so you don't forget your logins, only talk to people you trust and only then anonymously, don't use closed-source software unless you trust the provider, don't use for-profit services like Facebook and Google unless you absolutely have to, alter and delete the accounts you don't use, and always be vigilant of whatever new information you learn about. This advice is boring, I know. But it's the best advice because it is boring. It works, simply, and if you follow those steps, then you'll never be concerned for your safety a day in your life.
Conclusions
This information will help you feel more secure in yourself, and by help, I mean solve 90% of all your Internet-related problems. For your other problems, there is still much to learn, but just taking these simple steps means that you're far more protected than any randy on the Web. The goal of security is not to destroy every possible theoretical attack to the point where your setup becomes unusable. It is to destroy every attack which is a reasonable threat to you, and to increase your security to block 99% of all possible attacks, and to buy you some time in the 1% of attacks that get through. While a company like Google spends millions of dollars increasing that number to 99.9999999%, you're not Google, and so you only need to take these reasonable steps.
When you look at the world with a blank slate, a tabula rasa, you see it for how it is, and not how you expect it to be. You see that the world is indeed very insecure, that you can only trust a select group of people, and that the differences between good and evil are nascent, and that they can only be discerned with a lot of education and a lot of experience. You also learn just how insecure you are, about how easy it is that, in the event that you are arrested by thugs and being intimidated by a prosecutor, these thugs and these prosecutors and their forensic experts can simply pick your entire identity from the Web and your hard drive and convict you just like that. And you had no idea how easy it is.
So my advice to you is not just to follow my advice, but to follow the advice of people who you trust. Follow the advice of people who want to teach you to better yourself, and not those who teach you to buy into things and make accounts to download programs and such. Learn from experts, and try to do what they do, and then implement all that you can in order to protect yourself in the event that bad things happen - and I assure you, bad things will happen, and what you do before they happen determines how easy it will be for your life to be rebuilt.
Learn, do, and then teach if you can. That's what I want to do.
Watch very, very closely: Froghand.
Today's page was updated on June 29, 2016!
If a flower bloomed in a dark room, would you trust it?