Twitter Activist Security (medium.com)
166 points by idlewords on Jan 30, 2017 | 37 comments



Because it is always possible you will fail your Tor discipline, I would add some defense-in-depth aspects, in case your browser is compromised and your network address is revealed.

- Use separate hardware. A cheap laptop and a cheap phone.

- Burn the receipt and chuck the packaging.

- Cash. Pay in cash.

- Buy from small stores with no CCTV, or better yet, from people like migrant workers.

- You can buy stored value cards (debit cards) without ID, and some you can load with cash at ATMs. (Also good to buy from travellers.)

- Once you have a debit card you can pay for data without going to a store.

- If you turn on your Wifi tethering and other devices are in range you have created an event in their logs. Just use a cable. If you must, change the SSID regularly and use Android 6 which has MAC randomisation. Never have any other SSIDs saved, especially not your home network.

- Turn the phone off when not in use. Removing the battery is advisable.

- Don't connect to 3G near your home or work or where there is pervasive CCTV or not many people.

- If your commute is logged (via your cellphone, number plate recognition / tolling, personally identified public transport like Oyster cards) then your location can be correlated against when your persona was online.

- It might seem that transmitting from different locations is a good idea. But not really, it gives a more unique history.

- Run Tor on the laptop. Run nothing on the phone, it's just a radio.

- If you want to use Signal, get another burner phone.

- Invest in some numbered wafer seals or tamper bags. Keep your kit in them when cached.

- Don't tell fibs to federal agents. Record all interactions with them.


You make a lot of interesting points with frequency analysis, but these facts can be used for your benefit.

For example, if you're concerned about transit systems being used to identify you, try leaving the devices in a safe location for several hours and have them respond on a timer system. Any analysis run across millions of users will end up filtering you out, lowering your own suspicion factor and increasing the adversary's uncertainty when facing big data.

How a system fails is just as important as how it performs when it comes to security; the young-adult novel Little Brother by Doctorow goes into this in good detail.


Sure, but it depends how complicated you want to make it.

Ideally you would use an electronic dead drop -- any tweets would be sent by a small embedded computer which listens passively on Wifi for a message sent to it from you as you transit past it, then at some random time later fires up the 3G to send to twitter etc (still via Tor). This can be automated to run from an android phone. Of course if this phone is found its credentials can be extracted and it can be turned into a method to locate you. See the FBI CI bust in New York of 'Anna Chapman'. They really should have used Tor, but of course that flags your IP as of interest in the big NSA computer in sub-basement 19.

https://vault.fbi.gov/ghost-stories-russian-foreign-intellig...


How do you get a "burner phone"? Everywhere requires an ID and SSN to buy one.


Most convenience stores, drugstores or bodegas.


I'm glad they included something about mental health. There was an interesting post on /r/privacy the other day of someone with burnout from the paranoia of government surveillance [1]. I browse /r/privacy from time to time and am worried by the threat models that many people on there have. I don't know the reasons for their threat model, but I suspect a large number of people don't have any solid reason for such a rigorous model other than paranoia. The cognitive load of maintaining privacy at that level must just be overwhelming.

[1] https://www.reddit.com/r/privacy/comments/5qfpb6/im_exhauste...


I can't find the tweet easily now, but the original reason for including that was because people apparently have problems handling disconnected personalities for a long time. the_grugq says this affected undercover people.

Edit: here's the tweet with some interesting comments https://twitter.com/thegrugq/status/824949499688726528


Yeah, a study of the literature will show that it is a constant problem for people that start to assume a secret identity. There is a class of people that are actually better at this than others[0]. For police that go undercover for long periods, they run the risk of "going native" [1][2]. There was Tolkachev[3][4] who insisted on personal meetings rather than dead drops (although it was ultimately Aldrich Ames' betrayal that doomed him, not KGB surveillance or tradecraft errors.)

Karl Fuchs described his mental trauma of being both a Western atomic scientist and a Soviet Atomic Spy[5].

There are many more references available, but it is seldom discussed. This is one of the reasons that the CIA (and other secret agencies) become so insular. The members are unable to be open with anyone else except each other, and so they tend to stick together.

There's more on the extensive work that RUC and Special Branch had to do to maintain the sanity of the IRA informants they were running. There is a constant refrain: human beings do not operate well with secret identities under high stress environments for long periods of time.

[0] http://www.slate.com/articles/business/the_dismal_science/20...
[1] Undercover and Alone
[2] Lu-CiFER: Memoirs of a Mongol
[3] The Billion Dollar Spy
[4] https://www.cia.gov/library/center-for-the-study-of-intellig...
[5] https://archive.org/stream/sovietatomicespi1951unit/sovietat...


One comment and two questions:

I wish I had something important enough to say to be able to put this advice to use!

How important is the physical location you work from? Should you religiously avoid working out of a place that is associated with you, such as your home or office? Should you avoid places that are near where you live, and if so, how far should you go? Or is Tor sufficient for masking your physical location in all cases?

I'm very interested in how the grugq is able to have had such a public persona for so long and remain anonymous—including speaking at conferences in person, I understand. Obviously, he is an expert, but that doesn't really explain _how_. He writes prolifically on Twitter and sometimes other mediums. How is this large body of content not subject to stylistic analysis? Information is known about him, such as where he lives and what he does for a living. That seems extremely revealing. How has he been able to speak at conferences, quite literally tying his physical identity to this anonymous persona, let alone traveling to the conference in the first place?


1) physical location

It depends a lot on how intense you expect the investigation to be. Strong protection comes from using a network connection that is not linked to you, in addition to using technology that masks your IP address. If there are CCTV, then that increases the risk exposure, as does bringing a mobile phone with you. It is a lot of trade offs based on the threat model. In the case of a resistance twitter account, I suspect that simply using Tor Browser Bundle will be sufficient, but it is hard to make a blanket statement.

2) anonymous

I'm not anonymous, I'm pseudonymous. There are hundreds, or thousands, of people that know my "real" name. It isn't important, I don't use it for anything. The only people who do use it are my mother and my bank. I've been using the same handle "grugq" for over two decades. Everything I have done is under my handle. I don't maintain two identities, I have only one -- the grugq. You can't link my handle with another identity because there isn't one.

Over a decade ago I was at a small art college where +Fravia was giving a talk. After his speech, we went for a walk and a chat. He lamented that all the hackers were dropping their handles and going by their real names for commercial reasons (so they could get jobs, basically.) He said to me, "you and I are the only ones left still using our handles." A few years later he died of cancer. So, now I am the only one left.

People who know my name, know where I live and know that it would increase my risk profile to expose me. They respect my wishes to use my handle, and they respect my privacy. It is no great secret, it is simply the choice I have made, an obligation to an old dead friend, and also one that could have very real security implications.

It always puzzles me why people care so much. A name is a name.

(also, you have no idea what I do for a living. lol)


By chance, is this the same Fravia whose "guides" I studied 20-ish years ago to learn how to "crack" old software applications?


Yes.


Thanks for responding directly in so much detail. This was super interesting! I'm sorry for the loss of your friend.


He lived a full life, taught a lot of people, was great fun to hang out with. His greatest sadness was that the cancer robbed him of his pleasure of food and wine in his last years.

https://en.wikipedia.org/wiki/Fravia


For the former, yes, I believe Tor is enough to hide your physical location. The times you tweet/write would be more worrisome, but maybe that can be automated.

As for the second, I didn't know he's anonymous. I'd imagine it would be very difficult to maintain anonymity when you need to board a plane. You're definitely not anonymous to someone who cares enough to follow you, I'd bet.


> I wish I had something important enough to say to be able to put this advice to use!

Do you disagree with the way things are? Do you face persecution of any sort if you publicly express that opinion? You have something important to say and should use this advice to say it.

Those who remain silent are complicit in the success of those who they oppose.


Do you remember _why the lucky stiff? It's probably really hard to keep anonymous, but if you start with just the persona and don't intend to ever get your own name involved, it seems to be doable.


The principles The Grugq outlines here are explained in lots more detail in his OpSec for Hackers presentation. It includes a detailed analysis of how Lulzsec violated these principles which is why they were caught:

http://www.slideshare.net/grugq/opsec-for-hackers



Thank you. I thought it sounded familiar.


Interesting read, but isn't this written by the same guy who was selling exploits to 3rd world dictators?

Edit: it appears he was a "broker" / middleman. Some moral high ground.

http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-th...


No. Never sold anything to "3rd world dictators."


But you feel morally OK selling exploits? You never know how they are being used, so how come you're so proud of it?


I was originally against it but now I'm neutral on it. Most of the exploits are intentionally put there by companies that have enough money & expertise to avoid them. The bigger ones have enough money to make compilers and CPUs that make the software immune to code injection. Microsoft even has Steve Lipner, who did one of the projects (below) that taught me high-assurance security. Like them, his philosophy is shipping product over correctness since that is what the market rewards. As for the market, they almost always buy something insecure over something more secure if there is even the slightest extra benefit in the insecure thing. You can't get them to use something secure even when it's free (eg Signal).

So, what you should be thinking is you and/or other people are using and financially rewarding companies that intentionally leave vulnerabilities in software. Is that morally right? Probably not. Is someone making money off those vulnerabilities morally right? Probably not. The first seems worse, though, as the vulnerability market would be tiny if it wasn't happening. They'd command higher prices but even that would mean less damage.

http://www.cse.psu.edu/~trj1/cse543-f06/papers/vax_vmm.pdf

Note: Compare Design and Assurance sections to how commercial or FOSS VM's are built today. Regular "security" is a joke.


Wait, what? Did you just say software companies intentionally embed vulnerabilities in software?


Yes. They don't put the individual vulnerabilities in there on purpose. It's an indirect effect that they're conscious of. They know certain practices will reduce the amount of vulnerabilities in their software at some increased cost. They know a quick-and-dirty approach will leave a ton of bugs, including vulnerabilities, in there at a higher profit margin. If not embedded, they also usually sell the fixes for it in terms of support contracts or upgrades. They consciously choose to go the route that increases vulnerabilities and profits. After problems happen, they do as little as possible to patch them while the underlying process creating them for profit remains. We call the result of this game penetrate-and-patch.

By avoiding QA for extra profit, they're effectively adding vulnerabilities to their software. There are other companies that know certain practices reduce their defect rates or security worries. They're preventing or removing defects on a regular basis while still making a profit. These companies are rare. Most leave vulnerabilities in. The project managers will even tell you that if you question them in a way to get a straight answer.

Here's Lipner at Microsoft straight up saying it. He at least still turned their security around a lot with the compromise that was SDL.

https://blogs.microsoft.com/microsoftsecure/2007/08/23/the-e...

A recent example comes from Jack Ganssle in The Embedded Muse where he points out basically nobody commissioning embedded systems will sacrifice dollars or time-to-market for security:

http://www.ganssle.com/tem/tem314.html#article2

A follow up was a person that lost their job improving security in an embedded product:

http://www.ganssle.com/tem/tem315.html#article5

Others in later issues & other forums I've read all consistently say the same things. Total apathy, where it's not even on the checklist or requirements, is the default. I experienced this myself with a lot of people I tried to sell on security at 10-30% extra cost. Just 10-30% on a critical system! Most in embedded will also frown on or fire you for improving security if it adds substantially to the BOM cost, dev cost, or time-to-market. You're supposed to do it as cheap as possible. It's why 8-bitters are still selling by the millions of units or however large a number despite little to no built-in safety/security. Hard to argue with $1 a chip vs $5-30 when selling 100,000+ units of a product with that difference being profit. And you probably won't even get sued over hacks! :)

Counterexamples in case you're curious about methods for making software with low defects at somewhere from slightly to 50% increased cost:

http://infohost.nmt.edu/~al/cseet-paper.html

http://www.anthonyhall.org/c_by_c_secure_system.pdf

Companies using those methods actually warrantied their software at specific defect levels that were usually under 6 bugs per loc. Praxis is still around as Altran.


I would go so far as to make sure you know who is near you when you engage in any such activities, because when a government begins to limit its suspects to a small number of people they can catch you in the most innocuous places, like a public library.


#8: cropping might not be adequate, as many photos have metadata attached (e.g. EXIF). You probably want to at least view that, or delete it entirely, before posting a picture.
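The point above is that cropping edits the pixels but leaves the marker segments around them untouched, and that is where EXIF (and XMP, and free-text comments) live. The following is an added example, not code from the thread or from the article it discusses: a small pure-Python JPEG segment walker that lists the metadata segments in a file and writes out a copy with them removed, keeping only the APP0/JFIF header, the frame and quantisation tables, and the scan data. The sample JPEG is constructed inline from marker bytes so the script runs offline; it is a marker skeleton, not a real photograph, and the "Make" tag value and the comment text are made up.

```python
import struct

# JPEG marker codes (the second byte after 0xFF).
SOI, EOI, SOS, APP0, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xFE


def iter_segments(data: bytes):
    """Yield (marker, payload, start, end) for every marker segment before SOS.

    Everything from the SOS marker onwards is entropy-coded scan data, which has
    no segment length field, so the walk stops there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between markers, allowed by the spec
            pos += 1
            continue
        if marker == SOS:
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload, pos, pos + 2 + length
        pos += 2 + length


def list_metadata(data: bytes):
    """Return [(kind, payload_length), ...] for the segments that can carry metadata."""
    found = []
    for marker, payload, _, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            found.append(("EXIF", len(payload)))
        elif marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            found.append(("XMP", len(payload)))
        elif marker == COM:
            found.append(("COM", len(payload)))
        elif 0xE1 <= marker <= 0xEF:      # other APPn (ICC profiles, Photoshop IRBs, ...)
            found.append((f"APP{marker - 0xE0}", len(payload)))
    return found


def strip_metadata(data: bytes) -> bytes:
    """Copy the JPEG, dropping every APP1..APP15 and COM segment; APP0 (JFIF) and
    the image tables are kept, and the scan data is copied byte for byte."""
    out = bytearray(b"\xff\xd8")
    scan_start = 2
    for marker, _, start, end in iter_segments(data):
        scan_start = end
        if marker == COM or 0xE1 <= marker <= 0xEF:
            continue
        out += data[start:end]
    out += data[scan_start:]          # SOS header + scan + EOI, unchanged
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not a real photo): SOI, JFIF header, an Exif APP1 block
# holding a minimal TIFF with one IFD entry (tag 0x010F "Make"), a comment,
# then an SOS header, four bytes of fake scan data and EOI.
JFIF = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_tiff = b"II*\x00" + struct.pack("<I", 8)                      # little-endian, IFD0 at offset 8
_tiff += struct.pack("<H", 1)                                    # one IFD entry
_tiff += struct.pack("<HHI4s", 0x010F, 2, 4, b"CAM\x00")         # Make, ASCII, 4 bytes, inline value
_tiff += struct.pack("<I", 0)                                    # no next IFD
EXIF = _segment(APP1, b"Exif\x00\x00" + _tiff)
COMMENT = _segment(COM, b"taken at home")
SOS_HDR = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
SCAN = b"\x12\x34\x56\x78"
SAMPLE_JPEG = b"\xff\xd8" + JFIF + EXIF + COMMENT + SOS_HDR + SCAN + b"\xff\xd9"

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))      # [('EXIF', 32), ('COM', 13)]
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", list_metadata(cleaned))          # []
    print("scan data intact:", cleaned.endswith(SCAN + b"\xff\xd9"))
```

To use it on a real file, read it with `open(path, "rb").read()`, check `list_metadata` first to see what is there, then write `strip_metadata` output to a new file. Note that this only handles JPEG; PNG stores text chunks and PDFs and office documents have their own metadata, and a camera's thumbnail embedded inside the EXIF block is an uncropped copy of the original, which is exactly why removing the whole segment is safer than editing individual tags.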


I recall Twitter was suspending accounts for logins using Tor. I assume it's no longer true? Or is it sufficient to provide a phone number to safely log in via Tor?


You must verify your account with a mobile phone if you sign up using Tor. You can use an email address if it's not over Tor.


Does Twitter have a Tor .onion address for accessing their system?


Considering the fact that they lock accounts for "suspicious behaviour" that don't provide a phone number, and keep it that way until you do provide one, I'd say they don't care about your privacy.


Nice seven samurai avatar :)


[flagged]


We've banned this account for continuing to violate the guidelines after we've asked you repeatedly to stop.

What we've said before still applies: Hacker News is not the place for such political trolling and other incivilities.


Grugq has been a pretty consistent and coherent commenter on cyber security issues for some time now. Your "Jewish Marxist agitator" comment is pretty inflammatory and seemingly without reason or backup. I'm glad trolls are uncovering themselves though.


Guess I'll save my "dialectical materialism and Torah: an incognito exploration of Jewish working class identity" for a later post...


> This article, written by an incognito Jewish Marxist agitator

the grugq isn't incognito.



