Security--Encryption, Tor, PGP and more

Thread starter: Kelakarekrew (Guest)

One thing that is missing from this forum is a thread about basic operational security for using crypto, ordering, or even just communication. I am open for any tips, corrections, or additions: I am not an expert so there may be holes or better ways. There are no referral codes in the links, I get nada from this. Nonetheless you can google the software names to make sure I'm not scamming you. It doesn't hurt to be cautious and doubt is the main path to security. If in doubt, verify. Nothing here is unusual, just basic steps to help avoid the eyes of big bro.

Basically without some form of security we are all a single subpoena away from exposure. It might even happen in the vendor's country and we'd never know.
So what can you do? You can dramatically minimize risk with a few steps. This is NOT a guide to absolute safety. This just adds layers that make digitally tracking you down difficult. The main lesson is: Encrypt, encrypt, encrypt!! 

1) The big one. If you are using a gmail, yahoo, hotmail, outlook, comcast, etc.... email address- stop now. I've been guilty of this, I started 15 years ago with a big email provider and just kept doing it. Get a free protonmail, tutanota or countermail address. There's debate over which is better but at least all 3 should provide encryption of your data on their servers. Do not mention anything sensitive in the subject line, it may or may not be encrypted. If you can, only use a single email address for any single vendor. Make another email for other vendors. Combined with step 2 you are way safer.

2) Use Tor browser only to access the encrypted email accounts, Tor is the standard and does a good job to hide your location and make IDing you difficult. Not impossible but highly unlikely. Chrome, Firefox, Safari... they are not secure out of the box. Tor is the entrypoint to the darknet, so it is obviously well regarded by those with privacy needs. I use it often even when serious security isn't needed. https://www.torproject.org/. It is slower than other browsers due to the many steps the data moves through. I don't stream or download torrents using Tor for this reason.

----------------------------------------------------------------------------------------
Really curious about this? Read on. Step 3 is overkill for most of us but may be handy for other purposes, particularly in crypto if you are US based. Steps 4-5 are for the truly paranoid, privacy-conscious, or risk-averse.
 

3) Use a VPN, it can add some privacy depending on the provider. Skip the free ones, they make money somehow. I use protonmail's paid basic VPN service. You can use the VPN for anything also. Like bypassing a netflix country block, or such actions. You can use with Tor; VPN + Tor isn't necessarily safer but it doesn't hurt as far as I know. You can run mobile and home PC data through most VPNs.

4) Learn and use PGP encryption for any of the vendors willing to use it. Almost no one does though they should. It only adds 30 sec to sending/receiving a message but it's a bit of a pain in the ass to learn. PGP means you and the vendor both independently create a public key and private key for yourselves. The cryptography is way over my head but essentially each user provides their public key to each other and the message is encrypted using the receiver's public key. Only the receiver's private key can then decrypt that message. At the moment it is nearly impossible to break this encryption. 
For doing this I use https://www.gpg4win.org/index.html
The weak spot here is exchanging public keys. temp.pm is a nice service for transmitting sensitive data, the service encrypts your message and then it self deletes at your specified time.  You send a link, when it expires it's gone. For many of us, this service might be good enough to avoid using PGP locally on your PC. Depends on the vendor.

5) My go-to for really, really, sensitive actions is using "Tails". This will take a little bit of time and effort to set up, but there are good guides. Tails is a Linux OS that usually runs off a USB stick (known as a live USB). It is designed to leave no trace on the host PC and have no memory of its own. So the next time you boot into it, it is the first time as far as the OS knows. https://tails.boum.org/. Like PGP you'll need to find a guide for the OS you use.
--------------------------------------------------------------------------------------------------------------------

That's it from me for now. I hope others know more. All this info is culled from various friends, websites, and guides. I make no pretense to being an expert.

Thanks to vendor pink for introducing me to temp.pm, it is an awesome resource.
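
The weak spot named in step 4 of the post above is the public-key exchange: a key swapped in transit makes you encrypt to the wrong party. As an added example (not part of the original post and not Gpg4win's own code), this computes an OpenPGP v4 key fingerprint as defined in RFC 4880 and compares it with a fingerprint received over a separate channel. The key material and all helper names are constructed for illustration.

```python
import base64
import hashlib
import struct
import textwrap

def dearmor(armored: str) -> bytes:
    """Decode an ASCII-armored OpenPGP block to its binary packets."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    body = lines[1:-1]                          # drop the BEGIN/END lines
    if "" in body:                              # armor headers end at a blank line
        body = body[body.index("") + 1:]
    body = [ln for ln in body if not ln.startswith("=")]   # drop the CRC24 line
    return base64.b64decode("".join(body))

def public_key_body(data: bytes) -> bytes:
    """Return the body of the leading public-key packet (tag 6, version 4)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    tag = data[0]
    if tag & 0x40:                              # new-format packet header
        ptype, first = tag & 0x3F, data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, start = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body length is invalid for a key packet")
    else:                                       # old-format packet header
        ptype = (tag >> 2) & 0x0F
        size = {0: 1, 1: 2, 2: 4}.get(tag & 0x03)
        if size is None:
            raise ValueError("indeterminate length not supported")
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if ptype != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet first")
    return body

def v4_fingerprint(armored: str) -> str:
    """SHA-1 over 0x99, a two-octet length, and the key packet body."""
    body = public_key_body(dearmor(armored))
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()

def matches(armored: str, expected: str) -> bool:
    """Compare against a fingerprint obtained out of band; spacing and case are ignored."""
    return v4_fingerprint(armored) == "".join(expected.split()).upper()

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit count, then the bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def constructed_key(n: int, e: int = 65537, created: int = 1700000000) -> str:
    """Build an armored RSA public-key packet from constructed numbers (not a usable key)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    b64 = "\n".join(textwrap.wrap(base64.b64encode(packet).decode(), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + b64 +
            "\n-----END PGP PUBLIC KEY BLOCK-----\n")

CONSTRUCTED_N = (1 << 2047) + 0x1234567        # placeholder, not a real RSA modulus

if __name__ == "__main__":
    genuine = constructed_key(CONSTRUCTED_N)
    swapped = constructed_key(CONSTRUCTED_N + 2)   # what a substituted key looks like
    out_of_band = v4_fingerprint(genuine)          # value confirmed via another channel
    print("genuine key matches:", matches(genuine, out_of_band))
    print("swapped key matches:", matches(swapped, out_of_band))
```

The fingerprint covers the key material and creation time only, so any substituted key yields a different value even when the name and email on it look identical.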
 

 
Thanks so much for this info. I had not thought about botH looking over our shoulder... Yikes! I appreciate the thoughts you shared here.

 
Sorry, typo/autocorrect error *bigB (looking over our shoulder)

 
Basically without some form of security we are all a single subpoena away from exposure. It might even happen in the vendor's country and we'd never know.
 
Except this isn't happening. People aren't going to jail because they have a Hotmail account or because they didn't use Tor. I'm not exactly disagreeing with these as suggestions. I'm just trying to identify what's really needed for the average person's security. It's much easier to get a Proton account than it is to start using Tor or TAILS---are the latter really needed? It doesn't seem so, because for the most part people aren't getting subpoenaed or arrested or extradited to other countries (which is the only way a subpoena in another country would even matter).

I'm just trying to get a handle on this myself: What is really necessary for security and what isn't?

 
For myself TAILS is key, a 5$ USB for the laptop and I'm ready to go

:)

Sometimes I say to myself I'm using way too much security but reading the DMN bible nothing is too much. I'm thinking of posting a link to the dmn bible cause it's way too much to post ...

 
Preface: I'm not a paranoid person, nor do I believe anyone is out to get me in particular, I just wrote down some thoughts gleaned from recent months doing casual research into privacy and crypto use in the US. I did directly say (and place a divider between them) the latter steps are for deeper needs and not necessary for most readers. Maybe you missed that part. I'd at least use protonmail, tutanota, or whatever suits you. That's probably enough. But it's your call of course. Odds are you'll never be bothered. It's like insurance.

I'm also not a lawyer so I don't know what can or cannot happen. Gmail, yahoo, hotmail, and your internet providers have long memories and I don't want what I did 5 years ago to bite me in the ass in 5 years so I've begun to take precautions. All major services are known to scan your email content for info to use for advertising. Is that all it's used for? Who knows? As for using Tor, I believe protonmail has an onion address, the others probably do as well. It takes seconds to take that precaution so I do.

The feds are also already suing to get crypto exchanges to reveal US customers for tax purposes. Coinbase was forced to give up some accounts moving $20000 and up I believe.

If a vendor gets caught in any country that shares info with the US  it could expose your activities. Will it? I don't know. Will the US choose to act on that info? I don't know that either. This isn't about extradition, it's doubtful the US would allow extradition to another country. Prosecution would take place here I assume. It's about what data is available and how it's used. These weren't meant to be a "must do" set of instructions, just some ideas for those who wish to distance themselves. I hadn't seen any similar discussion here.
 
I've received LLs, you just ignore them. But I'd place a bet that the sent LL is recorded in some database. 

 
I have talked to people here who go all the way across the spectrum from reckless to ultra paranoid and like most things, I think somewhere in the middle is fine for any member who isn't doing more than personal use buys. 

If you are moving large volume then for sure I would go all out with the best security you can get. If you have a tendency to have trouble with LE for any reasons...same.

Of the two main posters on this thread, I'm more of a @Jesse than a @delawaredrew. Do what makes you feel comfortable and use some common sense. If it all makes you so paranoid that you want to close your DBG account every other week and you had to add Xanax to your orders just to get through delivery day...well...it's not for everyone.

To the other extreme, if you feel compelled to call carriers and have them open a case for your missing/late delivery or take 20 pills because the first two didn't do the trick... well...it's not for you either. This only works if we have some respect for our community and don't jeopardize it by careless behavior.

 
 I did directly say (and place a divider between them) the latter steps are for deeper needs and not necessary for most readers. Maybe you missed that part. 
No, I saw it. They're all good suggestions. But Tor was in your first two, on the "must have" list, and I just question whether it's really a must-have. With the caveat, as 2earls said, that one is not moving large volume and that one is not uncomfortably anxious about the whole process and/or already on LE's hit list for some reason---i.e., someone like me. Do I really need Tor? I honestly don't know. Especially since Tor is ultimately not a protection unless you have TAILS. Not if you're being watched.

I guess that's my issue with it. Most of these won't really help you if you're actually being sought out and watched by LE. And few, if any, matter much if you aren't, as far as I can tell.

Most people who get in trouble with the cops---for whatever reason---drop themselves in the drink with their own mouths. They don't exercise their right to remain silent. If they do engage in illegal activity, they blab about it to their friends and acquaintances. Some even outright confess.

Not that I'm anywhere near qualified to write a security tip list, but if I did, the first thing I would put on it is: SHUT THE FUCK UP. Don't chat up your friends about any possibly illegal activities in which you might be engaged. For the love of God, don't initiate contact with LE. And don't think that by talking you can somehow convince LE of your sweet innocence.

Again, I am not an expert. You clearly know more about Internet security than I do, so I do take what you're saying seriously. I just suspect that Shutting The Fuck Up is worth Tor and TAILS ten times over!

 
To be clear I don't go all secure in most cases. It's overkill. But for sites we don't review here I do take extreme protections.

 
I thought I had Tor below the line, my apologies. I should have verified my own post when you mentioned it instead of making a smart-ass comment like I did. Apologies again.
My justification for using Tor is just because it's such an easy step, assuming the encrypted email provider has an onion site. I also like to think I am helping our vendors by leaking as little data between us as I can. That may or may not be true and LE may (probably) have tools that I can't imagine.
You are 100% right. If you are already under surveillance, the steps above might help eliminate some evidence but it won't stop LE.
Keeping one's mouth shut among friends to avoid attention goes a very long way. That I agree on.  :)

 
 
I use Nord VPN and proton mail. Contrary to what the majority thinks, bitcoin is pseudoanonymous. As far as TOR? I think installing that would raise more eyebrows. That's just me. Now, crypto can be tumbled, etc... etc... But why go to the trouble when blockchain is public record. So I just do wu and money s. That's just me..... Crypto is never anon. I forget the name. But two new wallets are out that add another layer... but. Idk. Too much trouble and if they see someone jumping thru hoops well.... that raises more queries .... just me

 
Monero is anon altcoin.

 
Monero is definitely the way to go!!! It's also good as a safe way to better anonymize your BTC. Traditional tumbling BTC is a bit silly imo. But you can convert your BTC to Monero, then back to BTC with MorphToken or Cake Wallet and send to a different BTC wallet. But hopefully more vendors will start using Monero!

 
Monero and other privacy coins have taken some hits recently, with researchers able to track TX's. Monero also had a compromised wallet issue very recently. It's still one of the better ones though, especially if you bounce your funds in and out of accts a few times. Like to and from an exchange that you did not do KYC for.

 
Yeah that recent Monero hack was fascinating (and a bit too easy) as is all the on-chain tracking, etc stuff people are doing.  I like it for the bouncing around to better anonymize capabilities as well.  

 
I think protonmail makes things way easier and is basically a necessity. There is no reason not to take advantage of protonmail to protonmail Accounts, which I wish more people used so that way PGP Encrypti0n is automatic plus more security. I think T0r Browser is far more superior to a VPN in terms of Security and the fact you don't have to put trust into anyone unlike with your VPN Provider.

I think nothing is uncrackable. Eur0p0l has cracked the Tor Browser and I don't know how Tails works exactly as they changed the IRC Chat to XMPP Chat Client for Support. It doesn't matter if you're being watched or not, google for example has all kinds of tools that could ironically come across sketchy things you're emailing with Gmail for example from what I understand.

Like it's been stated if you're not doing anything too big and crazy you're fine presumably but you're only paranoid until you're not. You don't need a .Onion Link for the Tor Browser to work for increasing anonymity and security.

 