RISEUP tutorial
a guest
Mar 20th, 2018
*************************************************************************************
Privacy Tips: Operations Security Comments for Beginners

Hello my friends, you've reached the most secret, sacred place in the world!
Feel free to invite your friends to improve this pad or ask anything in chat.

Last edit: 2018-03-12T06:30:00Z
(periodically touch this in case of
deletion of the pad after 30 days of inactivity)
*************************************************************************************

----------------------
General Recommendation
----------------------

Terminology

[Privacy](https://en.wikipedia.org/wiki/Privacy)
Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.
[Security](https://en.wikipedia.org/wiki/Security)
Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) from external forces.

Can you distinguish privacy from security? Let's do a small test.
Imagine you have a budget computer. (We only consider data at rest and data in transit.) Its hard drive holds a pre-installed operating system, and of course you have full permissions on that OS. It is connected to the network too. Consider the following:
Q1. How do you protect your *privacy* while interacting with computers? Please demonstrate it on this budget computer.
Q2. What can you do to *secure* this budget computer (physically, or through the OS abstraction layer; you have many choices)?
(Answers to Q1 and Q2 are at the very end of this document.)
Now assume your budget computer is stolen somehow. Based on what you did in Q1, can you still ensure that no data leaks? Think again from an attacker's point of view.


Preface

The Riseup.net help pages have a great explanation and decompose the concept "security" into four aspects: https://riseup.net/en/security Another page, https://we.riseup.net/riseuphelp+en/email, is more focused on anonymity than on privacy, but it gets you on the right track.

For privacy the most important thing is not to share too many personal details. For more sensitive topics, where you can get exposed to a larger audience, trolls, evil kids, malicious hackers, political opponents, or anything controversial, it is best to use a fresh internet persona that can't be linked to your real identity or to your other internet personas.

Using the same nick on all pages/platforms is not the best idea (unless you use it as a brand, but then privacy is not your concern since you want to spread your brand), since your nick can be tracked all over the internet and people can get a quite good picture of your interests and traits from that. It is better to use nicks that return thousands of Google results (famous people, common objects, titles of books/songs/movies, popular phrases) than some unique string that only you use, where every Google result links to your content. Also change your persona every few years, or use a new one for each different field, so that links to your posts don't accumulate at the top when someone sorts Google results by time.


Mistakes

There are many mistakes beginners make, and in OPSEC the slightest mistake can compromise everything.

Always use Tor.

Create a new email account with a new username you haven't used anywhere before, and a new, strong password you haven't used anywhere before.

Never send email to or from any of your other email accounts (Disagree, IMHO it's fine to treat your other email accounts as if they were a friend's account, i.e. for obfuscation), and don't use them as recovery email either.

Never log into your new accounts from your regular IP; always use Tor only (or a VPN or open proxy, but don't use the same VPN for your private email too).

Never talk about anything personal on new anonymous accounts; any personal data can later be used to deanonymize you.

Never mention, use or link your new account on any social media or forum; don't put it in any address book. Be very careful not to contaminate your new email with anything from your previous internet activities.

For encryption of emails, learn how to use PGP (I can make some tutorials or provide links later).

It is very important that you NEVER contaminate your new internet persona with any of your previous emails, nicknames, accounts or IPs. It is equally important that even the passwords are different.

Some email providers, such as email.com and Yahoo!, put the sender's computer IP in the email header, which exposes your geographical location. Mail clients also identify themselves in the SMTP HELO/EHLO command, often with the machine's LAN (NAT-side) address or hostname; Thunderbird does this, and the receiving server records that value in a "Received:" header. Depending on the NAT setup, this too can help identify the sender. Do some tests to figure out whether your provider does that: make another throwaway account and send a few emails to it. Check the headers of the received emails, check all "Received: from" lines (and any "X-Originating-IP" line), and make sure neither your public nor your LAN IP shows up anywhere. Avoid email clients that aren't set up correctly.
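As an added example (not part of the pad), here is a small Python script that performs the header check described above on a saved test message: it walks the Received: chain oldest-first, pulls out every IPv4 literal, flags the RFC 1918, loopback and link-local ones, and also reports any X-Originating-IP header. The embedded message is constructed, not a real capture; its hostnames and addresses are placeholders, and only IPv4 literals are extracted.

```python
"""Audit a saved test email for a leaked LAN address (added example, not from the pad).

Send a mail from the account under test to a throwaway account, save the raw
message (headers included) and feed it to audit().  Only IPv4 literals are
extracted; the sample below is constructed, with made-up hosts and addresses.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a desktop client introduced itself to the submission
# server as "[192.168.1.23]" in its EHLO, and the server wrote that into the
# first Received: line.  Relays prepend, so the oldest hop is at the bottom.
SAMPLE_RAW = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby inbox.example.net with ESMTPS id abc123; Mon, 12 Mar 2018 06:30:00 +0000
Received: from [192.168.1.23] (unknown [198.51.100.77])
\tby mx.example.org (Postfix) with ESMTPSA id def456; Mon, 12 Mar 2018 06:29:58 +0000
X-Originating-IP: [198.51.100.77]
From: alice@example.org
To: bob@example.net
Subject: test
Date: Mon, 12 Mar 2018 06:29:57 +0000

hello
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Addresses that should never appear in a header: RFC 1918, loopback, link-local.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_lan(ip_text: str) -> bool:
    """True for an RFC 1918, loopback or link-local IPv4 address; False otherwise."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # e.g. "999.1.1.1" or a version string
        return False
    return any(ip in net for net in LAN_NETS)


def received_chain(msg: Message) -> list:
    """Received: headers oldest-first, i.e. the hop nearest the sender comes first."""
    return list(reversed(msg.get_all("Received", [])))


def audit(raw: str) -> dict:
    """Return the hop list, every LAN address found and any X-Originating-IP header."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    lan_hits = []
    for index, hop in enumerate(hops):
        for ip_text in IPV4_RE.findall(hop):
            if is_lan(ip_text):
                lan_hits.append((index, ip_text))
    return {
        "hops": hops,
        "lan_hits": lan_hits,                       # (hop index, address)
        "originating": msg.get_all("X-Originating-IP", []),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RAW)
    for index, hop in enumerate(report["hops"]):
        print(f"hop {index}: {hop.splitlines()[0]}")
    print("LAN addresses leaked:", report["lan_hits"])
    print("X-Originating-IP:", report["originating"])
```

Run it on the raw source of the mail that arrived at the throwaway account; hop 0 is the server your client talked to, so an address of yours in that line came from your own EHLO or from the provider's X-Originating-IP habit, not from any relay in between.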

Related Knowledge

We are going to talk to mail servers by hand. On a modern Linux distribution with GNU inetutils installed, open your terminal and enter `telnet <mail server> <port>'. This connects if the port (25 for Simple Mail Transfer, 465 for Message Submission over implicit TLS, 587 for Message Submission; see https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt) isn't blocked by your ISP. You should then type `EHLO <your hostname>': the argument of EHLO is how the client introduces itself, and it is exactly this value that a mail client may fill with your LAN IP or hostname and that the server copies into its Received: header. This is roughly what you should see:

(the only line you type is the `EHLO ...' one; everything else is server output. The name after EHLO in this transcript is arbitrary; your own mail client would put its hostname or IP there.)
$ telnet mail.riseup.net 587
Trying 198.252.153.227...
Connected to mail.riseup.net.
Escape character is '^]'.
220 cotinga.riseup.net ESMTP (spam is not appreciated)
EHLO smtp.gmail.com
250-cotinga.riseup.net
250-PIPELINING
250-SIZE 25600000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

It is worth mentioning that STARTTLS begins in cleartext and only upgrades to TLS if both sides support it. A client that treats STARTTLS as optional silently falls back to cleartext when the server doesn't offer it, or when an attacker in the path strips the "250-STARTTLS" line from the capability list, while implicit TLS (port 465) simply fails to connect if no TLS handshake happens. So configure your client to *require* STARTTLS, or use implicit TLS, and never let it choose "if available".

Maybe all of this seems a bit overkill, but in the future we can expect more hacked servers and more lists of usernames with related emails, passwords, hashed passwords and birth dates; all that data can be gathered and used to analyse someone's internet activity, find all their accounts, find all their public posts, find all their memes... XKeyscore, revealed by Snowden, is one such database. In the future things like that will be even more advanced.


Project

Be careful with whom you share your clearnet IP; use proxies, VPNs and/or Tor to conceal it when necessary.

Combining Tor with a VPN:
https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/combining-tor-with-a-vpn
VPN -> Tor -> Twitter -> Jail (your ISP doesn't know you are using Tor, but the VPN provider knows your real IP and that you connect to Tor, and it can be compelled to say so)
Tor -> VPN -> Twitter -> Not Jail (your ISP knows you are using Tor but nothing about the VPN; the VPN sees only a Tor exit, not your real IP, though it still sees all your traffic and how you paid)
Conclusion: a VPN will not go to jail instead of you.

There is a well-known VPN provider named HideMyAss that previously claimed not to keep logs of its users. Unfortunately, when served with a court order in the UK, they handed over evidence on a suspected hacker from the group LulzSec, which helped lead to his arrest. The story can be found below:
HideMyAss defends role in LulzSec hack arrest: http://www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy

Want to learn more about how onion addresses are resolved under the hood?
https://www.torproject.org/docs/onion-services.html.en

Even after doing all this you can still be tracked based on specifics of your browser.
Here are a few pages that show how unique your browser fingerprint is:
https://amiunique.org
https://panopticlick.eff.org
Make sure your browser is blocking WebRTC (it can reveal your real local and public IP even behind a VPN). Test:
https://whoer.net
https://browserleaks.com/webrtc
https://www.perfect-privacy.com/webrtc-leaktest

People can make you click on links, or unknowingly open ones hidden in the HTML elements of an email (the so-called "web bug"), that either point at servers they control or that log the IPs of all visitors. Such links can be shared via chat apps or via email. If the email is HTML, it can even include a link to a picture on the attacker's server that reveals your IP as soon as the email is opened, without clicking anything. The picture can even be 1px*1px and invisible.
Some pages that can be used:
https://grabify.link
https://iplogger.org
http://www.blasze.com
http://www.vbooter.org
http://whatstheirip.com
Links can be combined with link shorteners like
https://bitly.com/
https://goo.gl/
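The web-bug problem above can be checked before a mail client renders anything. The following Python script is an added example, not code from the pad: it lists every element of an HTML body that a client would fetch automatically on open (images, stylesheets, scripts, frames, backgrounds), separates them from links that need a click, and flags the auto-fetched ones that look like tracking beacons (1x1 or hidden). The sample mail body, its hosts and the tracking URL are constructed.

```python
"""Find web bugs in an HTML email before rendering it (added example, not from the pad).

Lists every element that would make a mail client fetch a remote URL on open
(images, stylesheets, scripts, frames, backgrounds) and flags the ones that look
like tracking beacons: 1x1 or hidden.  The sample mail body is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one CID image (attached, no fetch), one 1x1 hidden beacon,
# one ordinary hosted banner and one clickable link.
SAMPLE_HTML = """<html><body>
<p>Hi, please see the attached report.</p>
<img src="cid:logo@example.org" width="200" height="60">
<img src="https://track.example.com/o.gif?u=4711" width="1" height="1" style="display:none">
<a href="https://example.org/report">Open the report</a>
<img src="https://cdn.example.org/banner.png" width="600" height="120">
</body></html>"""

# tag -> attribute whose URL is fetched automatically when the mail is rendered
AUTOFETCH_ATTRS = {
    "img": "src", "link": "href", "script": "src", "iframe": "src",
    "source": "src", "video": "poster", "body": "background",
    "table": "background", "td": "background",
}


def _dimension(attrs: dict, name: str):
    """Pixel size from the width/height attribute or inline style; None if unknown."""
    value = attrs.get(name)
    if value is None:
        match = re.search(r"(?:^|[;\s])" + name + r"\s*:\s*(\d+)", attrs.get("style") or "")
        return int(match.group(1)) if match else None
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def _looks_like_beacon(attrs: dict) -> bool:
    """A fetched element is suspicious when it is at most 1x1 or not displayed at all."""
    width, height = _dimension(attrs, "width"), _dimension(attrs, "height")
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    style = (attrs.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


class RemoteResourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.autofetch = []   # dicts: tag, url, host, beacon
        self.links = []       # href targets the user would have to click

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs}
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
            return
        attr = AUTOFETCH_ATTRS.get(tag)
        url = attrs.get(attr) if attr else None
        if url and urlsplit(url).scheme in ("http", "https"):
            self.autofetch.append({
                "tag": tag, "url": url, "host": urlsplit(url).hostname,
                "beacon": _looks_like_beacon(attrs),
            })


def scan(html: str) -> dict:
    """Return {'autofetch': [...], 'links': [...]} for an HTML mail body."""
    finder = RemoteResourceFinder()
    finder.feed(html)
    finder.close()
    return {"autofetch": finder.autofetch, "links": finder.links}


def beacons(html: str) -> list:
    """URLs that would be fetched on open and look like tracking pixels."""
    return [hit["url"] for hit in scan(html)["autofetch"] if hit["beacon"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_HTML)["autofetch"]:
        print(("BEACON " if hit["beacon"] else "fetch  ") + hit["url"])
```

Note that the ordinary banner is reported too: any remote fetch reveals your IP and the time you opened the mail, the 1x1 pixel is just the one designed for nothing else. The real fix is a client that does not load remote content at all, and this scan is for checking mail you are about to open in one that does.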

You can search for your leaked usernames and passwords with a few free XKeyscore-like tools available to anybody.
Lists of leaked emails where you can check how many times your email/username has shown up in a breach:
https://hacked-emails.com
https://haveibeenpwned.com
https://www.leakedsource.com
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
Pages that check whether a username is available on many other sites show how easy it is to follow a username across the internet:
https://namechk.com
http://checkusernames.com
https://www.namecheckr.com
http://knowem.com/checkusernames.php


Links

The best way to learn good OPSEC is reading how hackers got caught. Knowing their mistakes and avoiding them yourself is the best thing one can do.
#HITB2012KUL D1T3 - The Grugq - OPSEC: Because Jail is for wuftp
https://www.youtube.com/watch?v=9XaYdCdwiWU
Very good OPSEC presentation
http://www.slideshare.net/grugq/opsec-for-hackers
Doxing of one of the admins of Hillary's email server on 8chan;
his mistake was that he used his personal reddit account to ask for help with altering addresses in emails.
https://archive.fo/wbpLg
"namshub": the Backtrace Security table of information gathered on Anonymous IRC members
https://www.scribd.com/document/55381908/namshub
The 'one tiny slip' that put LulzSec chief Sabu in the FBI's pocket
http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis
3 ways to get busted on the dark web
https://nakedsecurity.sophos.com/2015/09/04/3-ways-to-get-busted-on-the-dark-web
Everything the Silk Road founder Ross William Ulbricht, AKA Dread Pirate Roberts, did to get caught
https://motherboard.vice.com/blog/everything-the-silk-road-founder-did-to-get-caught
Funny article about security
This World of Ours, James Mickens: https://www.usenix.org/system/files/1401_08-12_mickens.pdf
Legal papers exposing how one moderator of some darknet market got caught. OPSEC lesson! : DarkNetMarkets
https://www.reddit.com/r/DarkNetMarkets/comments/72ws9e/legal_papers_exposing_how_one_moderator_of_some
US Indicts Russian Hacker Allegedly Behind Dropbox, LinkedIn Breaches
https://motherboard.vice.com/read/hacker-allegedly-behind-linkedin-breach-also-indicted-for-dropbox-hack

Opening Microsoft Excel or Word documents, or even PDFs, can expose your IP, because a document can reference a remote resource (an externally linked image, for example) that the application fetches from the attacker's server as soon as the file is opened. If you cannot disconnect from the internet, the best way to prevent such leaks is a software/hardware firewall with manually set rules (deny everything except your Tor or VPN process):
https://www.thedailybeast.com/this-is-how-cops-trick-dark-web-drug-dealers-into-unmasking-themselves
https://www.reddit.com/r/DarkNetMarkets/comments/6oix7d/hansas_newest_feature_was_a_vendorlocktimetxxlsx
http://www.independent.co.uk/life-style/gadgets-and-tech/news/dark-web-us-government-alphabay-hansa-marketplace-down-not-working-offline-shutdown-a7851321.html

Information on the email message format:
https://tools.ietf.org/html/rfc5322 (This is the current one; RFC 822 is long obsolete)

Useful documentation for spotting scam or phishing emails:
http://squirrelmail.org/docs/user/user.html#toc3.1 (Check each `Received' header from the bottom up: every relay prepends its own line, so the bottom one is the oldest. Only the lines added by servers you trust, counting down from the top, are guaranteed genuine; a sender can forge anything below them.)



--------
Password
--------

Do not (try to) memorize passwords; instead, use generators. There are basically two kinds of password generator:

Password manager: uses a CSPRNG^[1] to generate passwords, and since the passwords are not computed from anything you'll need space to store them. Backing up the password database is a chore. Software: KeePass

Stateless generator: you provide a master password as one input plus a mnemonic symbol (typically the site name), and the two inputs are run through a slow hash function; the output is the password.^[2] No storage needed. BUT, if a generated password is compromised, you have to change the symbol (or a counter) used to generate the replacement and remember that you did, and if the master password leaks every generated password is lost at once. I'm getting paranoid about this flaw that comes inherently with stateless generators. Software: LessPass

Footnotes:

[1] CSPRNG: cryptographically secure pseudo-random number generator

[2] Flow: slow_hash('aaaaaA@2'(master_password) + 'riseup.net'(mnemonic_symbol))
-> map_to_printable_characters() -> '1hHdp?Rf'(generated_password)
(argon2 is one suitable slow hash; PBKDF2 or scrypt also work)
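To make the flow in footnote [2] and its flaw concrete, here is an added Python implementation of a stateless generator; it is neither the pad's nor LessPass's code. It uses PBKDF2-HMAC-SHA256 from the standard library as the slow hash (Argon2 would need a third-party package), maps the derived bits onto a printable alphabet by repeated division so there is no modulo bias, and adds a counter so that a single burned password can be rotated without changing the master password. The master password, site and login below are placeholders.

```python
"""Stateless (derived) password generator (added example, not the pad's or LessPass's code).

The password is derived from master password + site + login + counter with
PBKDF2-HMAC-SHA256 and mapped onto a printable alphabet by repeated division of
the derived integer, so there is no modulo bias.  Nothing is stored, which is
also the catch: to rotate one password you must remember a new counter, and a
leaked master password gives away every site at once.
"""
import hashlib

ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789" "!#$%&*+-=?@^_")
ITERATIONS = 100_000   # slow on purpose; raise it as hardware improves
MAX_LENGTH = 64        # 64 bytes of key material cover 64 symbols of base 76 with margin


def derive(master: str, site: str, login: str = "", counter: int = 1,
           length: int = 16) -> str:
    """Deterministically derive a password for (site, login, counter)."""
    if not 1 <= length <= MAX_LENGTH or counter < 1:
        raise ValueError("length must be 1..%d and counter >= 1" % MAX_LENGTH)
    # The salt is public context, not a secret; NUL separators keep
    # ("ab", "c") and ("a", "bc") from colliding.
    salt = f"{site}\x00{login}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    # 512 bits of key material, consumed by base-|ALPHABET| conversion.
    number = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        number, index = divmod(number, len(ALPHABET))
        out.append(ALPHABET[index])
    return "".join(out)


def rotate(master: str, site: str, login: str, counter: int) -> tuple:
    """After a breach: bump the counter and return (new_counter, new_password).

    The new counter is state you now have to remember somewhere; that is the
    flaw the text above complains about.
    """
    counter += 1
    return counter, derive(master, site, login, counter)


if __name__ == "__main__":
    first = derive("aaaaaA@2", "riseup.net", "alice")
    new_counter, second = rotate("aaaaaA@2", "riseup.net", "alice", 1)
    print(first, "->", new_counter, second)
```

Everything except the master password is public context, so the counter and login can be written down freely; what cannot be written down is precisely what makes the scheme fragile, since a master password must be both memorable and strong enough to survive offline guessing at 100,000 PBKDF2 iterations per try.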

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I have some simple bash scripts that I personally use for generating passwords; I'll
paste them below (Reference: https://en.wikipedia.org/wiki/Random_password_generator):

1. dwgen.sh

#!/usr/bin/env bash

# The three EFF wordlists hardcoded below are available at
# https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases.
# Once you have those three files, place them as follows:
#
# $ tree -a diceware
# diceware
# |-- dwgen.sh
# `-- dict
#     |-- eff_large_wordlist.txt
#     |-- eff_short_wordlist_1.txt
#     `-- eff_short_wordlist_2_0.txt
#
# 1 directory, 4 files
#
# Each wordlist line is "<dice digits><TAB><word>": five dice (11111-66666)
# for the large list, four dice (1111-6666) for the two short lists.

case $1 in
    '-L' | '--large' )
        dict=eff_large_wordlist.txt; ndice=5
        ;;
    '-S' | '--short' )
        dict=eff_short_wordlist_1.txt; ndice=4
        ;;
    '-S2' | '--short2' )
        dict=eff_short_wordlist_2_0.txt; ndice=4
        ;;
    * )
        cat <<-EOF

Diceware(TM) Generator, version rel.ver.patch
(GNU versions of bash, awk, tr, head and coreutils
are mandatory for this script to run.)

Copyright (C) $(date +%Y) Cryptonymous
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>

One monkey is sitting in front of the typewriter,
let's see whether it could type up the complete
works of William Shakespeare. - That's you!

Description: Generate passphrases, one per line.

Usage: $0 [wordlist] [word] [passphrase]

[wordlist]
-L , --large Use EFF large wordlist;
-S , --short Use EFF general short wordlist;
-S2, --short2 Likewise, but with words that have
unique three-character prefixes.

[word]
{1,2,...,INT_MAX} This many word(s).

[passphrase]
{1,2,...,INT_MAX} This many passphrase(s).

EOF
        exit 1
        ;;
esac

word=${2:-6}
phrase=${3:-1}
prng=/dev/urandom
dictfile="$(dirname "$0")/dict/$dict"

[[ -r $dictfile ]] || { echo "wordlist not found: $dictfile" >&2; exit 1; }
[[ $word =~ ^[1-9][0-9]*$ && $phrase =~ ^[1-9][0-9]*$ ]] \
    || { echo "word and passphrase counts must be positive integers" >&2; exit 1; }

word_all=$(( word * phrase ))

for (( i = 0; i < word_all; i++ )); do
    # Roll the dice: read random bytes, keep only the digits 1-6 (every
    # other byte is discarded, so each face is equally likely and there is
    # no modulo bias) and cut off ndice of them.
    dice_num=$(tr -cd '1-6' <"$prng" | head -c "$ndice")
    # Exact match on the first field, so 1111 can never hit the line for 11111.
    dice_word=$(awk -v k="$dice_num" '$1 == k { print $2; exit }' "$dictfile")
    # Capitalise the first letter so the words stay readable when run together.
    printf '%s' "${dice_word^}"
    (( (i + 1) % word == 0 )) && printf '\n'
done

exit 0


2. ~/.bashrc

# Description: Print out passwords in batches using all printable ASCII characters.
# Usage: pwgen2 <characters per password> <number of passwords>
# Hack: simply change '[:graph:]' to '[:alnum:]' to get an `idgen';
# for advanced input control, see `man tr'.
# (LC_ALL=C keeps tr byte-oriented; the class must be quoted so the shell
# does not treat the brackets as a glob, and the function body needs the
# trailing `;' before `}'.)

pwgen2 () { LC_ALL=C tr -cd '[:graph:]' </dev/urandom | head -c "$(( $1 * $2 ))" | grep -Eao ".{$1}"; }


-------------------------------
Email provider and self-hosting
-------------------------------

General

Make sure to check each one carefully, read some reviews and recommendations you can find on other sites, and decide which one to use. I suggest you use more than one for redundancy, so that if you lose an account for whatever reason you already have a backup email set up and your contacts already have that address too.

Those free, private, anonymous email providers are not reliable. Use two emails, from two different providers, for initial contact with every new person. If one provider goes down, you still have a second email with which you can contact the same person. (Just make sure you aren't sending the password for one email account to the other, since in that case once one is compromised the second one is too.)

There is a better choice of email solution:

You can buy your own domain and use it for email. If you do so, nobody (except the registry, your registrar, or a court order against them) can take over your email address unless your domain expires;

You park your domain on any email hosting service, or you build an email server yourself. An ESP can go down without notice, in which case you should be prepared: simply change the domain's MX records and move to another ESP. This procedure is painless and may only result in email not reaching your address for up to 24 hours (with a Time-To-Live of 86400), depending on recursive DNS caches; if you had set the TTL to 300 (seconds) beforehand, you are almost unaffected;

For maximum flexibility, set up a catch-all address so that all email sent to a non-existent address at your domain is delivered there. That's useful because whenever you need to register on sites you don't trust, you can make up a throw-away address on the spot and use it in the registration form;

The MTA (Message Transfer Agent) of some mail servers, Postfix for example, can be configured to support sub-addressing (https://en.wikipedia.org/wiki/Email_address#Subaddressing), meaning that all email sent to username[delimiter]suffix@domain.tld is delivered by the MDA (Mail Delivery Agent) directly into the INBOX of username@domain.tld, so when a funny marketing email shows up in your Spam folder you can easily trace which site leaked the address. In reality, however, spammers commonly strip the suffix with a regular expression and end up with your real username@domain.tld anyway, so sub-addressing helps with attribution but not with hiding the base address; a catch-all with unrelated local parts does not have this problem.

How to communicate securely with a person you have never met:

Confirm each other's public key fingerprint through a proper out-of-band channel (in person, by phone, etc.); without completing this step you CANNOT move on;

Use asymmetric crypto to agree on a shared, randomly generated session key and a cipher (symmetric crypto), e.g. cipher='AES-256' with a fresh 256-bit key, not a human-chosen password like 'aaaaaA@2'. In OpenPGP this is done for you: the message is encrypted with a random session key, which is then encrypted to the recipient's public key;

You have successfully negotiated a secure connection! Keep in mind that the word `secure' does not mean `trustworthy'; if that person is bad, nothing has changed;

Above I explained the basic schema of the modern approach used in communication around the world; its varieties OpenPGP, S/MIME and SSL/TLS are used for different purposes, and fortunately these schemas already have respective open source implementations, e.g. GnuPG for OpenPGP (gpg) and S/MIME (gpgsm), and OpenSSL for SSL/TLS (there used to be some misunderstanding here: OpenSSL is just one common provider of TLS libraries; others are Microsoft's SChannel and GnuTLS). Schemes without a standardization document (an IETF RFC) are not covered here, such as Off-the-Record Messaging for XMPP (although OTR implements forward secrecy and deniable authentication).

For one-way anonymous contact, maybe chaining two or more cypherpunk remailers (Type I) is enough? Check the Remailer section below for details.


Clearnet

In general I used to suggest sigaint.org or sigaintevyh2rzvw.onion (now defunct: https://en.wikipedia.org/wiki/SIGAINT)

I am currently liking https://cock.li. I like how the cock.li admin Vincent handled the situation when some of his servers were seized due to some bogus bomb threats. Also they have a few funny domains like @dicksinmyan.us and @national.shitposting.agency... Yeah, you can download the entire https://cock.li/transparency using `wget -rk -np https://cock.li/transparency/' and browse it, especially those funny subpoenas.

There are also good alternatives:
https://tutanota.com
https://mail.teknik.io
https://www.msgsafe.io
https://protonmail.com
https://scryptmail.com
https://www.hushmail.com
https://www.safe-mail.net
https://www.autistici.org/en/services.html
Some recommendations from Riseup: https://riseup.net/en/security/resources/radical-servers

/!\ Caution: Keep an eye on [Mailfence](https://mailfence.com), as I suspect that it's a shadow company. How come? Well, I once found a website which claims to provide an email service, and I immediately noticed its website's style is incredibly similar to the one Mailfence has. It's exactly a clone, LOL. I don't remember the URL, but its domain ends with ".be" (the Belgian TLD), and Mailfence is also a Belgian company. I think there's some kind of relationship between the two. :hmm:

I have seen people use the Israel-based https://www.safe-mail.net

New thing I found: has anyone heard of https://unseen.is ?
^ Unseen - Unseen.is secure chat, calling, and email ^
Private and Secure. Messaging, Calling, Email and Hosting From Iceland.

And I was recently reading about some new system: https://www.mailpile.is. I have never tried it, but it looks like you get your own personal mail client on your box, so you don't have to trust your email provider to really do what they claim they do. However this only makes sense if your provider has opened its POP/IMAP and SMTP ports... By the way, what about RainLoop? It's a not-that-old (in contrast to SquirrelMail, Roundcube and Horde) webmail client shipped with a modern UI, and it has native support for OpenPGP too.

The reason I suggest other providers is only that Riseup.net hadn't renewed their canary for a while, which would mean they were under some kind of investigation (that is what a warrant canary is for: a provider under a gag order cannot say so, but it can stop renewing the canary), probably a smaller one targeting a few specific accounts, but still, be careful. There are many posts on the internet about their canary. Here is one: https://www.reddit.com/r/WhereIsAssange/comments/5p1b5a/julian_answered_my_question_today_about_the
EDIT: The canary was updated in 2017. Everything is fine now, although the new canary is less useful since it doesn't cover minor subpoenas and investigations.
https://riseup.net

You have many very good suggestions regarding privacy and security on this page:
https://www.privacytools.io

Similar links
https://ssd.eff.org (highly recommended to have a look at it)
https://prism-break.org/en (introduces many FLOSS programs)
https://thatoneprivacysite.net (email and VPN comparison charts)
https://www.reddit.com/r/privacy/wiki/index (miscellaneous things)

Also, to avoid JavaScript on providers whose webmail client demands it, you can use the Thunderbird desktop client with the TorBirdy add-on, which routes POP/IMAP and SMTP traffic through the Tor network.


Deep Web

References (lots of them are dead):
https://en.wikipedia.org/wiki/List_of_Tor_hidden_services
https://www.reddit.com/r/emailprivacy/comments/3gf2ta/email_providers_with_onion_tor_hidden_service

Here are the email providers I know of which offer webmail access via Tor hidden services. They were originally listed roughly from most to least appealing for general use in my opinion; the notes after each entry still carry that judgement, but the list itself is now sorted by name.

Hidden Webmail Services (sorted by name in ascending alphabetical order to avoid implicit unfairness):
AnonInbox.net / http://ncikv3i4qfzwy2qy.onion | Paid accounts only; responsive support.
Autistici.org / http://wi7qkxyrdpu5cmvr.onion | For anti-capitalist activists; they have a rather strong political stance, thus it's hard to get an account.
BitMai.la / http://oxicsiwet42jw4h4.onion | Very low-cost paid accounts. /u/bitmaila
BitMessage.ch / http://bitmailendavkbec.onion | /u/AyrA_ch | Built-in support. Forces Google scripts at signup; otherwise good. Onion site was under DoS and down Jan-June 2016.
Cock.li / http://mail.cockmailwwfvrtqj.onion | JavaScript (hereinafter JS) required (Roundcube only). Many alt-domains!
GuerrillaMail.com / http://grrmailb3fxpjbwm.onion | Temporary, disposable addresses. JS required. Emails deleted after 24 hours.
Lelantos.org / http://lelantoss7bcnwbv.onion | Paid accounts only; lacking support; service is not well run.
Mail2Tor.com / http://mail2tor2zyjdctd.onion | Unreliable service sometimes. Was unable to connect from April to May 2016.
ProtonMail.com / https://protonirockerxow.onion | JS is required for OpenPGP.js; signup is redirected to the clearnet website.
RayServers.com / https://nmf6cg7tiyqlhsg3.onion | Paid accounts only; responsive, competent support.
Riseup.net / http://nzh3fv6jc6jskki3.onion | For horizontal collectivists; SquirrelMail access, which can be set not to use JS at all.
SCRYPTMail.com / http://scryptmaildniwm6.onion | JS required.
Sigaint.org / http://sigaintevyh2rzvw.onion | /u/sigaint Defunct now.
Systemli.org / http://h2qkxasmmqdmyiov.onion | JS required (Roundcube only). Account by invite or request only. Onion address not working...
TorBox / http://torbox3uiot6wchz.onion | 100% Tor, no clearnet.
VFEMail.net / https://344c6kbnjnljjzlz.onion | 3rd-party clearnet JS required at signup. Many alt-domains!

History Lesson
The first free .onion-accessible email service that was widely used was tormail.net / tormail.org, during 2011-2013. Tormail was taken down by the FBI because it happened to be hosted at Freedom Hosting (a free .onion web host) whose server(s) the FBI seized because FH was allowing other, horrible things (CP) to be hosted. The FBI now has full access to everything that was not PGP-encrypted on the tormail server when they seized it, and they have used that information in multiple investigations. Remember this when using such email services.



----------------------------
Email signing and encryption
----------------------------

Software

Maybe it is more appropriate to present another solution as well and let you choose between:
OpenPGP: https://tools.ietf.org/html/rfc4880 (most popular worldwide)
S/MIME: https://tools.ietf.org/html/rfc5751 (easy to deploy in companies)

Use the command line (gpg) or dedicated PGP packages: http://openpgp.org/software

Microsoft Windows
GnuPT: http://www.gnupt.de (site is in German)
Java-based: http://ppgp.sourceforge.net (seems unmaintained)
GPG4USB: http://gpg4usb.cpunk.de/index.html
GPG4Win: https://www.gpg4win.org
(GPG4Win gives you a wonderful experience with its Explorer shell integration; GpgOL is
also very helpful to those who keep sticking with the evil proprietary MS Outlook)

Apple macOS
https://gpgtools.org
https://www.deepdotweb.com/2015/02/20/pgp-tutorial-os-x
http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever

UNIX and derivatives
Mutt: http://mutt.org
("All mail clients suck. This one just sucks less.")
(built-in support; just copy the sample gpg.rc from contrib and source it)

Multi-platform or web browser extensions

Enigmail: https://www.enigmail.net/index.php/en
(Thunderbird development has become less and less active since Dec 2015, while
Mozilla is phasing out its own XUL/XPCOM extension framework as of Firefox 57)
(the TorBirdy add-on routes your traffic through the Tor network)

Mailvelope: https://www.mailvelope.com/en
(developed with the WebExtensions API and ported to Chromium-based
browsers and newer versions of Firefox; it is backed by OpenPGP.js, so
it doesn't support ECC keys for now, until OpenPGP.js implements them)


Notice

If you find a new tool to encrypt your email, make sure that attachments are also encrypted: with inline PGP only the text body is encrypted and attachments go out in the clear, whereas PGP/MIME wraps the whole MIME structure (body and attachments) into one encrypted part.

While you are composing a message, some email clients (web-based or desktop) might save drafts of the unencrypted email in your folders (on the server, in the case of webmail and IMAP); make sure to delete them and turn off automatic draft saving. Really, use a local mail client... Most webmail clients are proprietary, and some of them consist of crappy (why? https://www.gnu.org/philosophy/javascript-trap) JavaScript code, while even more email servers are proprietary and unaudited. ProtonMail and Tutanota have open-sourced their webmail clients, but that does not include the server-side implementation; well, if they open-sourced their servers one can easily imagine something like bankruptcy.

When you are sending encrypted email, know that the email subject is NOT encrypted, so don't include anything that reveals the nature of the content in the subject (examples of no-no subjects: "meeting at Joe's bar on Friday 13" or "Hi Bob, greetings from Alice"; replace it with "NSA go away" or something irrelevant and deceptive). There is of course other sensitive metadata in the email header that can point back to your identity, for example the MUA (Mail User Agent) string, the sent time and its time zone (always use UTC/GMT), and the character encoding (always use UTF-8 for portability; then nobody can guess your preferred language from that field alone). Sadly, the email header is NOT encrypted by the OpenPGP Message Format RFC: it covers only the body.
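The header hygiene described above can be enforced at compose time and checked before sending. The following Python script is an added example, not code from the pad: build_message() composes a message with a UTC Date, UTF-8 charset and no client identification using only the standard library, and audit_headers() reports the fields just listed on any message handed to it. The addresses, subjects and the "leaky" counter-example are constructed; the check is meant to run on the message object your own tooling is about to hand to gpg, since the OpenPGP layer will leave all of these headers in the clear.

```python
"""Build an outgoing message with scrubbed metadata and audit one (added example, not from the pad).

OpenPGP encrypts only the body, so the headers are what the mail server, the
recipient's provider and anyone on the path still see.  build_message() sets a
UTC Date, UTF-8 charset and no client identification; audit_headers() reports
the fields the text above warns about.  All messages here are constructed.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime

# Headers that identify the client software or the sender's network.
IDENTIFYING_HEADERS = ("User-Agent", "X-Mailer", "X-Originating-IP",
                       "Organization", "X-Priority", "Received")


def build_message(sender: str, recipient: str, subject: str, body: str,
                  when: datetime = None) -> EmailMessage:
    """Compose a message whose headers leak as little as the format allows."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject          # still visible in transit: keep it bland
    when = when or datetime.now(timezone.utc)
    msg["Date"] = format_datetime(when.astimezone(timezone.utc))   # ends in +0000
    msg.set_content(body, charset="utf-8")
    return msg


def audit_headers(msg: EmailMessage) -> list:
    """Return a list of findings; an empty list means nothing obvious leaks."""
    findings = []
    for name in IDENTIFYING_HEADERS:
        if name in msg:
            findings.append(f"{name} header present")
    date = msg["Date"]
    if date is None:
        findings.append("no Date header")
    else:
        # DateHeader.datetime is naive for "-0000" (unknown zone); treat that as not UTC too
        offset = date.datetime.utcoffset() if date.datetime else None
        if offset != timedelta(0):
            findings.append(f"Date offset is {offset}, not UTC")
    charset = (msg.get_content_charset() or "").lower()
    if charset != "utf-8":
        findings.append(f"charset is {charset or 'unset'}, not utf-8")
    return findings


def leaky_message() -> EmailMessage:
    """Constructed counter-example: what a default desktop client might send."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "meeting at Joe's bar on Friday 13"
    msg["Date"] = format_datetime(datetime(2018, 3, 12, 7, 30,
                                           tzinfo=timezone(timedelta(hours=1))))
    msg["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64) Thunderbird/52.6.0"
    msg.set_content("see you there", charset="iso-8859-2")
    return msg


if __name__ == "__main__":
    clean = build_message("alice@example.org", "bob@example.net", "NSA go away", "hello")
    print("clean:", audit_headers(clean) or "no findings")
    print("leaky:", audit_headers(leaky_message()))
```

The subject line cannot be checked mechanically, which is why it is only commented in the code; the audit catches the time zone, the charset and the client banner, and the "Received" entry is there so that a message you are re-sending or forwarding does not carry the earlier hop trail with it.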


Tutorials and Quirks

https://wiki.archlinux.org/index.php/GnuPG (ArchWiki is always good)
http://uncovering-cicada.wikia.com/wiki/PGP_TUTORIAL
http://uncovering-cicada.wikia.com/wiki/PGP_and_RSA_theory
http://uncovering-cicada.wikia.com/wiki/Verifying_PGP_signatures

https://www.keylength.com/en/4
https://eprint.iacr.org/2010/006.pdf
https://gist.github.com/grugq/03167bed45e774551155
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
https://www.usenix.org/system/files/1401_08-12_mickens.pdf
https://arstechnica.com/security/2016/12/op-ed-im-giving-up-on-pgp
https://www.theregister.co.uk/2010/01/07/rsa_768_broken/?mt=1486963827317
https://thehackernews.com/2014/08/cryptography-expert-pgp-encryption-is_19.html
https://www.enisa.europa.e/publications/algorithms-key-size-and-parameters-report-2014
https://www.deepdotweb.com/security-tutorials/word-warning-versions-pgp-created-equally
https://security.stackexchange.com/questions/33752/will-encrypting-the-same-file-with-gnupg-and-the-same-key-produce-the-same-ciphe



--------
Remailer
--------

This needs basic knowledge of OpenPGP-compliant software to start off. Give it a try: send yourself an email through a remailer and observe how the remailed email's header differs from a normal one.

Terminology
https://en.wikipedia.org/wiki/Anonymous_remailer
https://www.whonix.org/wiki/Remailer
https://www.whonix.org/wiki/Nymservers

Tutorial
https://www.autistici.org/docs/anon/remailer
https://en.wikipedia.org/wiki/Cypherpunk_anonymous_remailer

Useful Links
http://www.noreply.org/echolot
http://www.cypherpunks.to/remailers
https://www.autistici.org/crypto/index.php/remository/Remailer-clients



----------
Stylometry
----------

29C3 - Stylometry and Online Underground Markets (EN) - YouTube
https://www.youtube.com/watch?v=zkh7dwwfrHM

(Saluton!) The constructed language Esperanto is one of the coolest things to learn (Kio estas tio?). It is designed so that everyone who uses it meets as an equal, and Esperanto grammar rarely leads to ambiguity. You can learn Esperanto online at: https://lernu.net.

The researchers state that every user tends to adopt a personal writing style during their internet experience, a peculiarity that makes them identifiable. The identification is possible through the analysis of "function words", words that serve to express grammatical relationships with other words within a sentence and that are strongly related to the attitude or mood of the speaker.
TheShadowBrokers and their "Russian English" are a good practical example of language obfuscation:
https://twitter.com/shadowbrokerss/status/851260161020764161
https://steemit.com/shadowbrokers/@theshadowbrokers/grammer-critics-information-vs-knowledge
Many native Russian speakers confirmed that the mistakes in TheShadowBrokers' messages are not mistakes Russians would make:
https://news.ycombinator.com/item?id=1406828
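To show what a function-word analysis actually does, here is an added Python example; it is not code from the 29C3 talk, from JStylo, or from the pad. It builds a frequency profile over a fixed list of function words for each text, ignores every content word, and attributes an unknown snippet to the candidate author whose profile is closest by cosine similarity. The two author samples and the unknown snippet are constructed: author "A" imitates the dropped-article, "is being" style of the TheShadowBrokers posts linked above, author "B" writes ordinary English.

```python
"""Function-word stylometry (added example, not from the talk or the pad).

Build a frequency profile of function words (articles, pronouns, auxiliaries,
prepositions) for each text and compare profiles by cosine similarity; content
words are ignored, which is what lets the method survive a change of topic.
The author samples and the unknown snippet below are constructed.
"""
import math
import re
from collections import Counter

FUNCTION_WORDS = (
    "the", "a", "an", "of", "to", "in", "and", "or", "but", "is", "are", "was",
    "were", "be", "being", "i", "you", "he", "she", "it", "we", "they", "this",
    "that", "these", "those", "not", "with", "for", "on", "at", "by", "from",
    "as", "if", "so", "than", "then", "there", "have", "has", "had", "do",
    "does", "did", "will", "would", "can", "could", "my", "your", "its", "our",
    "their", "about", "why",
)

# Constructed samples.  Author A imitates the dropped-article, "is being" style
# of the TheShadowBrokers posts; author B writes ordinary English.
SAMPLES = {
    "A": ("TheShadowBrokers is not being interested in fame. TheShadowBrokers is "
          "wanting money. Peoples is asking why. Is not being about politics. Is "
          "being about bitcoins. You is being wrong if you is thinking otherwise."),
    "B": ("The files were posted on the forum and nobody could verify them at the "
          "time. I think that the group wanted money, but the sale of the tools "
          "did not go as planned. We have seen this before with other leaks."),
}
UNKNOWN = ("TheShadowBrokers is being tired. Is being time for auction. "
           "You is buying or you is crying.")


def profile(text: str) -> dict:
    """Relative frequency of each function word (per token), as a dict."""
    tokens = re.findall(r"[a-z']+", text.lower())
    total = len(tokens) or 1
    counts = Counter(tok for tok in tokens if tok in FUNCTION_WORDS)
    return {word: counts[word] / total for word in FUNCTION_WORDS}


def cosine(p: dict, q: dict) -> float:
    """Cosine similarity of two profiles; 0.0 when either has no function words."""
    dot = sum(p[w] * q[w] for w in FUNCTION_WORDS)
    norm = (math.sqrt(sum(v * v for v in p.values()))
            * math.sqrt(sum(v * v for v in q.values())))
    return dot / norm if norm else 0.0


def attribute(unknown: str, corpus: dict) -> tuple:
    """Return (best_author, {author: similarity}) for an unknown text."""
    target = profile(unknown)
    scores = {author: cosine(target, profile(text)) for author, text in corpus.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = attribute(UNKNOWN, SAMPLES)
    for author, score in scores.items():
        print(f"{author}: {score:.3f}")
    print("attributed to", best)
```

The snippet talks about an auction and the samples about politics and leaked files, yet the attribution still lands on A, because the "is"/"being"/"you" pattern is a grammatical habit rather than a topic. Real tools use hundreds of features (character n-grams, punctuation, sentence length) and far more text per author, but the defensive lesson is the same one the talk draws: a consistent deliberate style, like TheShadowBrokers' broken English, is itself a fingerprint across every message written in it.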

Miscellaneous
https://github.com/psal/JStylo-Anonymouth
https://events.ccc.de/congress/2012/Fahrplan/events/5230.de.html
http://www.techfleece.com/2013/01/09/up-to-80-of-anonymous-users-can-be-identified-by-using-linguistic-software
http://www.infosecisland.com/blogview/22846-Stylometric-analysis-to-track-anonymous-users-in-the-underground.html



Answers

Q1: Deploy full-disk encryption, and tunnel your data transfers over the network through some variant of an SSH tunnel.
Q2 (and the stolen-computer follow-up): No, absolutely you cannot, HAHA. Actually *nobody* can stop someone from physically manipulating (including destroying) that computer, even if you put it in a solid-rock safe; in extreme cases the organs of state violence simply force you to hand it over (a piece of cake, yes). The full-disk encryption from Q1 still protects the data at rest on a stolen machine, but only if it was powered off and the passphrase is neither written down nor extractable from you.