lurker69

Riseup Privacy tips

Jun 1st, 2018
*************************************************************************************
Privacy Tips: Operations Security Comments for Beginners

(TODO: This section needs a MANUAL spellcheck; please help if you know any of the
following languages: Arabic, Chinese Simplified, English, French, Russian, Spanish;
an Esperanto translation is also missing!!!)

[Arabic] Hello my friends, you have reached the most secret, sacred place in the world!
Feel free to invite your friends to improve this "pad" or ask anything in the chat.
(TODO: Weird, how do you paste Arabic sentences EXACTLY right-to-left?)

[Chinese Simplified] Hello my friends, you have reached the most mysterious, most sacred place in the world!
Feel free to invite your friends to improve this "pad" or ask any question in the chat.

[English] Hello my friends, you've reached the most secret, sacred place in the world!
Feel free to invite your friends to improve this "pad" or ask anything in chat.

[French] Hello my friends, you have reached the most secret and sacred place in the world!
Feel free to invite your friends to improve this "pad" or ask anything in the chat.

[Russian] Hello friends, you have reached the most secret, sacred place in the world!
Feel free to invite your friends to improve this "pad" or ask anything in the chat.

[Spanish] Hello my friends, you have reached the most secret and sacred place in the world!
Feel free to invite your friends to improve this "pad" or ask anything in the chat.

Last edit: 2018-03-24T00:00:00Z
*************************************************************************************

----------------------
General Recommendation
----------------------

Terminology

[Privacy](https://en.wikipedia.org/wiki/Privacy)
Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.
[Security](https://en.wikipedia.org/wiki/Security)
Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) from external forces.

Can you distinguish Privacy from Security? Let's do a small test.
Imagine you have a budget computer. (We focus only on data at rest and data in transit.) Its hard drive holds a pre-installed Operating System, and of course you are given full permissions on that OS. It is connected to the network too. Consider the following:
Q1. How do you protect your *privacy* while interacting with computers? Please demonstrate it on this budget computer.
Q2. What can you do to *secure* this budget computer (physically, or through the OS abstraction layer; you have many choices)?
(Answers to Q1 and Q2 are located at the very end of this document.)
Assume your budget computer is stolen somehow. Based on your actions in Q1, can you still ensure that no data leakage has occurred? Think again from an attacker's point of view.


Preface

Riseup.net help pages have a great explanation and decompose the concept "security" into four aspects: https://riseup.net/en/security Another link, https://we.riseup.net/riseuphelp+en/email, is more focused on anonymity than privacy, but it gets you on the right track.

For privacy, the most important thing is not to share too many personal details. And for more sensitive topics where you can get exposed to a larger audience, trolls, evil kids, malicious hackers, political opponents, or anything controversial, it's best to use a fresh new internet persona that can't be linked to your real ID or to any other internet persona.

Using the same nick on all pages/platforms isn't the best idea (unless you use it as a brand, but then privacy is not your concern since you want to spread your brand), since your nick can be tracked all over the internet and people can get quite a good picture of your interests and traits from that. It's better to use nicks that return thousands of Google results (famous people, common objects, titles of books/songs/movies, popular phrases) than some unique string that only you use, where every Google result is a link to your content. Also change your persona every few years, or use a new one for each different field, so that links to your posts don't start accumulating at the top if you sort Google results by time.


Mistake

There are many mistakes beginners make, and in OPSEC the slightest mistake can compromise everything.

Always use Tor.

Create a new email with a new username you haven't used anywhere before, and a new secure password you haven't used anywhere before.

Never send email to or from any of your other email accounts (Disagree, IMHO it's fine to treat your other email accounts as if they were a friend's account, i.e. for obfuscation); don't use them as the recovery email either.

Never log into your new accounts from your regular IP; always use only Tor (or a VPN or open proxy, but don't use the same VPN for your private email too).

Never talk about anything personal on new anonymous accounts; any personal data can later be used to deanonymize you.


Never mention, use or link your new account on any social media or forum; don't put it in any address book. Be very careful not to contaminate your new email with anything from your previous internet activities.

For encryption of emails, learn how to use PGP (I can make some tutorials or provide links later).

It's very important that you NEVER contaminate your new internet persona with any of your previous emails, nicknames, accounts or IPs. It's equally important that even the passwords are different.

Some email providers like email.com and Yahoo! show the sender's computer IP in the email header, which exposes your geographical location. The SMTP HELO/EHLO command contains the NAT IP (Thunderbird does this), which in some cases (specific NAT settings) can also be used to identify the sender. Do some tests to figure out whether your provider does that too: make another throwaway account and send a few emails to it. Check the header of each received email, look at all "Received: from" lines and make sure your LAN IP is not shown anywhere. Avoid email clients if they aren't set up correctly.

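The header check described above can be automated. The script below is an added example, not part of the original pad and not any provider's tooling: it walks the Received: headers bottom-up (the order the message actually travelled) and reports any RFC 1918, loopback or link-local address that an MTA copied from the HELO/EHLO or from the socket. The message, host names and addresses in it are constructed for the example.

```python
"""Added example (not from the original pad): walk the 'Received:' headers of
a message bottom-up and flag any hop that exposes a private (LAN), loopback or
link-local address. Message, hosts and addresses below are constructed."""
import email
import ipaddress
import re
from email import policy

# Constructed sample: the first hop (bottom Received line) leaks the sender's
# LAN IP, as an MTA does when it records the EHLO argument or the socket peer.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTPS id abc123; Thu, 1 Mar 2018 10:00:03 +0000
Received: from submission.example.net (submission.example.net [203.0.113.5])
\tby mx.example.net with ESMTP; Thu, 1 Mar 2018 10:00:02 +0000
Received: from [192.168.1.23] (helo=laptop.lan) (203.0.113.77)
\tby submission.example.net with ESMTPSA; Thu, 1 Mar 2018 10:00:01 +0000
From: throwaway@example.net
To: throwaway2@example.org
Subject: header test

body
"""

# Address ranges that must never appear in a header leaving your machine.
_LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128")]                # IPv6 equivalents

# Dotted-quad IPv4 anywhere, or an "IPv6:" prefixed literal as MTAs write it.
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b|IPv6:([0-9A-Fa-f:.]+)")


def received_hops(raw: str) -> list:
    """Return the Received headers oldest-first, i.e. the bottom of the header
    block first, which is the hop closest to the sending client."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def is_lan_address(text: str) -> bool:
    """True if 'text' parses as an IP inside one of the LAN/loopback ranges."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False  # e.g. '1.2.3.999' inside a queue id
    return any(ip in net for net in _LAN_NETS)


def leaked_addresses(raw: str) -> list:
    """Return (hop_index, ip) for every LAN-type address in any Received
    header. hop_index 0 is the first hop, normally your own client."""
    leaks = []
    for idx, hop in enumerate(received_hops(raw)):
        for m in _IP_RE.finditer(hop):
            candidate = m.group(1) or m.group(2)
            if is_lan_address(candidate):
                leaks.append((idx, candidate))
    return leaks


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_RAW)):
        print(f"hop {i}: {hop.split(';')[0]}")
    print("leaks:", leaked_addresses(SAMPLE_RAW))
```

Feed it the raw source of a message you sent to your throwaway account; an empty result means no hop recorded a LAN address, while a non-empty one names the hop that did (hop 0 is usually your own mail client, the case the paragraph above warns about).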
Related Knowledge

We are going to send telnet requests to mail servers.

Modern Linux distribution: Install GNU inetutils, Install GNU inetutils, Install GNU inetutils!!!
Microsoft Windows NT: Open your command prompt by pressing Win+R followed by an input of "cmd.exe"
Apple macOS: IDK... Macs are unacceptably expensive, I don't have any experience using macOS.
But I guess macOS's userland programs are mostly ported from FreeBSD and are shipped by default?

Enter `telnet sender's_mail_server port'; this connects if the port (25 for Simple Mail Transfer, 465 for Message Submission over TLS, 587 for Message Submission; see https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt) isn't blocked by your ISP. You should then type `EHLO recipient's_mail_server'. This is roughly what you should see:

(the bold parts are the commands you should type in; here those are the lines `EHLO smtp.gmail.com', `^]' and `quit')
$ telnet mail.riseup.net 587
Trying 198.252.153.227...
Connected to mail.riseup.net.
Escape character is '^]'.
220 cotinga.riseup.net ESMTP (spam is not appreciated)
EHLO smtp.gmail.com
250-cotinga.riseup.net
250-PIPELINING
250-SIZE 25600000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
(hold "Ctrl" while typing a literal "]" to end this session; the
caret "^" denotes the Control key on a standard 104-key keyboard)
^]
telnet> quit

It's worth mentioning that STARTTLS (sometimes written STARTSSL) is only an offer: the server advertises it in its EHLO reply (the "250-STARTTLS" line above), and a client that does not insist on it falls back to cleartext transmission when the destination server doesn't support encryption (or when someone on the path strips that line from the reply), whereas pure SSL/TLS (port 465) just stops right there and throws an exception. So STARTTLS is considered harmful and shall be avoided whenever possible; if you must use it, configure the client to require it rather than to use it opportunistically.

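The same EHLO reply can be parsed in code, which makes the STARTTLS decision explicit. This is an added example, not from the original pad: the 250 reply text is copied from the session above, while the function names and the require_tls policy are this example's own.

```python
"""Added example (not from the original pad): parse an SMTP EHLO reply into its
advertised extensions and decide what a client that requires TLS must do.
The reply text is the one printed by the telnet session in the pad."""

# Sample multi-line 250 reply, copied from the session above.
SAMPLE_EHLO = """250-cotinga.riseup.net
250-PIPELINING
250-SIZE 25600000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply: str) -> dict:
    """Return {EXTENSION: [params...]} from a raw EHLO reply.

    The first 250 line carries the server's name, not an extension, so it is
    skipped. "250-" marks a continuation line, "250 " the last line; any
    other code means the server rejected EHLO."""
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError(f"EHLO rejected: {lines[0] if lines else '<empty>'}")
    caps = {}
    for ln in lines[1:]:
        if not ln.startswith("250"):
            raise ValueError(f"unexpected reply line: {ln}")
        body = ln[4:].strip()          # drop "250-" or "250 "
        if not body:
            continue
        keyword, *params = body.split()
        caps[keyword.upper()] = params
    return caps


def tls_decision(caps: dict, require_tls: bool = True) -> str:
    """What the client should do next, given the advertised capabilities.

    'upgrade'  : STARTTLS offered; issue it before AUTH or MAIL FROM.
    'abort'    : TLS required but not offered (missing, or stripped en route).
    'cleartext': opportunistic mode carries on unencrypted (the harmful case)."""
    if "STARTTLS" in caps:
        return "upgrade"
    return "abort" if require_tls else "cleartext"


def max_message_size(caps: dict):
    """Value of the SIZE extension in bytes, or None if the server has none."""
    params = caps.get("SIZE")
    return int(params[0]) if params else None


if __name__ == "__main__":
    caps = parse_ehlo(SAMPLE_EHLO)
    print(sorted(caps), tls_decision(caps), max_message_size(caps))
    # The same reply with the STARTTLS line removed, as a downgrade on the
    # path would present it: a requiring client aborts, an opportunistic one
    # silently continues in cleartext.
    stripped = parse_ehlo(SAMPLE_EHLO.replace("250-STARTTLS\n", ""))
    print(tls_decision(stripped), tls_decision(stripped, require_tls=False))
    # With the standard library, the same policy is: after smtplib.SMTP.ehlo(),
    # check has_extn("starttls") and raise instead of continuing if it is False.
```

Run against a live server only by pasting the reply you saw in telnet; nothing here opens a connection, so it is safe to experiment with replies edited by hand.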
Maybe all this seems a bit overkill, but in the future we can expect more hacked servers and more lists of usernames, related emails, passwords, hashed passwords and birth dates; all that data can be gathered and used to analyse someone's internet activity, find all his accounts, find all public posts, find all memes... XKeyscore, revealed by Snowden, is one such database. In the future things like that will be even more advanced.


Project

Be careful with whom you share your clearnet IP; use proxies, a VPN and/or Tor to conceal it when necessary.

Combining Tor with a VPN:
https://www.deepdotweb.com/jolly-rogers-security-guide-for-beginners/combining-tor-with-a-vpn
VPN -> Tor -> Twitter -> Jail (your ISP doesn't know you are using Tor but knows your VPN)
Tor -> VPN -> Twitter -> Not Jail (your ISP knows you are using Tor but not about the VPN)
Conclusion: a VPN will not go to jail instead of you.

There is a well-known VPN provider named HideMyAss that previously claimed not to keep logs of its users. Unfortunately, when met with a court order from their government in the UK, they handed over evidence on a suspected hacker from the internet group LulzSec, which helped lead to his arrest. The story can be found below:
HideMyAss defends role in LulzSec hack arrest: http://www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy

Want to learn more about how deep web name resolution works under the hood?
https://www.torproject.org/docs/onion-services.html.en

Even after doing all this you can still be tracked based on the specifics of your browser.
Here are a few pages that show how unique your browser fingerprint is:
https://amiunique.org
https://panopticlick.eff.org
Make sure your browser is blocking WebRTC. Test:
https://whoer.net
https://browserleaks.com/webrtc
https://www.perfect-privacy.com/webrtc-leaktest

People can make you click on, or unknowingly open (hidden in the HTML elements of an email, the so-called "web bug"), links that are either on servers they control or that log the IPs of all visitors. This sort of link can be shared via chat apps or via email. If an email is HTML, it is even possible that it includes a link to a picture on the attacker's server that reveals your IP as soon as the email is opened, without clicking any link. It's even possible that the picture is 1px*1px and invisible.
Some pages that can be used:
https://grabify.link
https://iplogger.org
http://www.blasze.com
http://www.vbooter.org
http://whatstheirip.com
Links can be combined with link shorteners like
https://bitly.com/
https://goo.gl/

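A defender-side check for the "web bug" described above, added here as an example (not part of the original pad): it parses the HTML part of an email, lists every image that would be fetched from a remote server when the message is rendered, and flags the 1px*1px or hidden ones. The HTML is constructed; example-shop.invalid and tracker.attacker.invalid are placeholder domains.

```python
"""Added example (not from the original pad): find images in an HTML email that
would trigger a request to a remote server when opened, and flag the ones
sized or styled to be invisible (tracking pixels). Sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one visible logo, one 1x1 tracking pixel, one CSS-hidden
# image and one inline data: image that causes no network request at all.
SAMPLE_HTML = """
<html><body>
<p>Hi, see the attached offer.</p>
<img src="https://cdn.example-shop.invalid/logo.png" width="200" height="60">
<img src="https://tracker.attacker.invalid/open?id=abc123" width="1" height="1">
<img src="https://tracker.attacker.invalid/pixel.gif" style="display: none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def is_remote(src: str) -> bool:
    """True when loading the image would contact a server (http/https)."""
    return urlsplit(src).scheme in ("http", "https")


def looks_hidden(attrs: dict) -> bool:
    """1x1 (or smaller) dimensions, or display:none / visibility:hidden styling."""
    try:
        w = int(attrs.get("width") or 0)
        h = int(attrs.get("height") or 0)
        tiny = 0 < w <= 1 and 0 < h <= 1
    except ValueError:
        tiny = False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_remote_images(html: str) -> list:
    """Return [(host, src, suspected_web_bug)] for each remotely loaded image.
    A mail client that blocks remote content prevents every one of these."""
    p = _ImgCollector()
    p.feed(html)
    out = []
    for attrs in p.images:
        src = attrs.get("src") or ""
        if is_remote(src):
            out.append((urlsplit(src).hostname, src, looks_hidden(attrs)))
    return out


def suspected_web_bugs(html: str) -> list:
    """Just the URLs that are both remote and hidden."""
    return [src for _, src, bug in find_remote_images(html) if bug]


if __name__ == "__main__":
    for host, src, bug in find_remote_images(SAMPLE_HTML):
        print(("WEB BUG " if bug else "image   ") + str(host) + "  " + src)
```

The visible logo is reported too, because it also reveals your IP to its host when loaded; the "web bug" flag only singles out the images that were never meant to be seen. The practical mitigation remains the one the text implies: read mail as plain text or with remote content disabled.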
You can search for your leaked usernames and passwords on a few XKeyscore-like free tools available to anybody.
Lists of leaked emails where you can check how many times your email/username has been hacked:
https://hacked-emails.com
https://haveibeenpwned.com
https://www.leakedsource.com
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
Pages where you can check whether your username is available on multiple other pages show how easy it is to follow a certain username across the internet:
https://namechk.com
http://checkusernames.com
https://www.namecheckr.com
http://knowem.com/checkusernames.php


Link

The best way to learn good OPSEC is to read how some hackers were caught. Knowing their mistakes and avoiding making them yourself is the best thing one can do.
#HITB2012KUL D1T3 - The Grugq - OPSEC: Because Jail is for wuftp
https://www.youtube.com/watch?v=9XaYdCdwiWU
Very good OPSEC presentation
http://www.slideshare.net/grugq/opsec-for-hackers
Doxing of one of the admins of Hillary's email server on 8chan;
his mistake was that he used his personal reddit account to ask for help on how to alter addresses in emails.
https://archive.fo/wbpLg
"namshub": BacktraceSecurity table with information gathered on Anonymous IRC members
https://www.scribd.com/document/55381908/namshub
The 'one tiny slip' that put LulzSec chief Sabu in the FBI's pocket
http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis
3 ways to get busted on the dark web
https://nakedsecurity.sophos.com/2015/09/04/3-ways-to-get-busted-on-the-dark-web
Everything the Silk Road Founder William Ulbricht, AKA Dread Pirate Roberts, Did to Get Caught
https://motherboard.vice.com/blog/everything-the-silk-road-founder-did-to-get-caught
Funny article about security
This World of Ours, James Mickens: https://www.usenix.org/system/files/1401_08-12_mickens.pdf
Legal papers exposing how one moderator of some darknet market got caught. OPSEC lesson! : DarkNetMarkets
https://www.reddit.com/r/DarkNetMarkets/comments/72ws9e/legal_papers_exposing_how_one_moderator_of_some
US Indicts Russian Hacker Allegedly Behind Dropbox, LinkedIn Breaches
https://motherboard.vice.com/read/hacker-allegedly-behind-linkedin-breach-also-indicted-for-dropbox-hack

Opening Microsoft Excel, Word or even PDF files can expose your IP (if you cannot disconnect from the Internet, the best way to prevent all potential leaks is to install a software/hardware firewall and set the rules manually):
https://www.thedailybeast.com/this-is-how-cops-trick-dark-web-drug-dealers-into-unmasking-themselves
https://www.reddit.com/r/DarkNetMarkets/comments/6oix7d/hansas_newest_feature_was_a_vendorlocktimetxxlsx
http://www.independent.co.uk/life-style/gadgets-and-tech/news/dark-web-us-government-alphabay-hansa-marketplace-down-not-working-offline-shutdown-a7851321.html

Information on the email specification:
https://tools.ietf.org/html/rfc5322 (This is the newest; RFC 822 is really, really obsolete)

Useful documentation for identifying scam or phishing emails:
http://squirrelmail.org/docs/user/user.html#toc3.1 (Check each `Received' header from the bottom up)



--------
Password
--------

Do not (try to) memorize passwords; instead, use generators. There are basically two kinds of password generator:

Password manager: They use a CSPRNG^[1] to generate passwords, and since the passwords are not computed you'll
need space to store them. Backing up the password database is a tough job. Software: KeePass

Stateless generator: You need a master password as one of the inputs, plus a mnemonic symbol; the two inputs are run
through a hash function, and the outcome is the password. ^[2] No storage needed. BUT, if the generated
password is compromised, you have to change the symbol that is used to generate a new one;
I'm getting paranoid about this flaw inherent in the stateless generator. Software: LessPass

Footnote:

[1] CSPRNG: Cryptographically secure pseudo-random number generator
[2] Flow: char_mapping(hash(master_password+mnemonic_symbol)) => app_specific_pw

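A minimal stateless generator following the flow in footnote [2], added here as an illustration; it is not LessPass's algorithm and not the pad author's code. PBKDF2-HMAC-SHA256 as the hash function, the alphabet used for char_mapping and the extra counter input are this example's own choices. The counter is what you have to bump when a derived password is compromised, which is exactly the piece of state the paragraph above complains about.

```python
"""Added example (not from the original pad): a stateless password generator,
char_mapping(hash(master_password + mnemonic_symbol)) => app_specific_pw,
with the rotation problem made explicit. Hash choice, alphabet and the
'counter' input are this example's own, not LessPass's scheme."""
import hashlib
import hmac

# char_mapping target set: 75 printable characters, chosen for this example.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!#$%&*+-=?@^_")


def derive_password(master: str, symbol: str, counter: int = 1,
                    length: int = 20) -> str:
    """Deterministically derive one site password.

    The mnemonic symbol (e.g. the site name) and the counter form the salt;
    PBKDF2 with a high iteration count slows down offline guessing of the
    master password if one derived password leaks. There is no stored state,
    so the only way to get a different password for the same symbol is to
    change an input, here the counter."""
    salt = f"{symbol}\x00{counter}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000,
                                 dklen=length)
    # char_mapping: every derived byte selects one alphabet character. The
    # small modulo bias is fine for an illustration, not for a real tool.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)


def rotate_after_compromise(master: str, symbol: str, old_counter: int) -> tuple:
    """The stateless answer to a leaked password: (new_counter, new_password).
    The user must now remember that this symbol is on counter old_counter+1,
    which is precisely the bit of state the scheme was meant to avoid."""
    new_counter = old_counter + 1
    return new_counter, derive_password(master, symbol, new_counter)


def verify_master(master: str, symbol: str, known_password: str,
                  counter: int = 1) -> bool:
    """Constant-time check that (master, symbol, counter) reproduces a password
    you already know, e.g. as a self-test before trusting a new device."""
    return hmac.compare_digest(derive_password(master, symbol, counter),
                               known_password)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed master password
    pw = derive_password(master, "example.org")
    print(pw, len(pw))
    print(rotate_after_compromise(master, "example.org", 1))
```

Note what the example does not give you: with a password manager a compromised entry is simply replaced, whereas here every site whose password ever leaks acquires a counter you must track somewhere, and a leaked master password invalidates all derived passwords at once.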
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I have some stupid bash scripts that I personally use to do this kind of dirty work; I'll
paste them below (Reference: https://en.wikipedia.org/wiki/Random_password_generator):

1. dwgen.sh

#!/usr/bin/env bash

# The three hardcoded EFF wordlists below are available at
# https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases.
# Once you have got those three files, place them as follows:
#
# $ tree -a dwgen
# dwgen
# |-- dwgen.sh
# `-- dict
#     |-- eff_large_wordlist.txt
#     |-- eff_short_wordlist_1.txt
#     `-- eff_short_wordlist_2_0.txt
#
# 1 directory, 4 files

# Pick the wordlist and the number of dice (digits 1-6) that index one word:
# the large list uses five dice per word, the short lists four.
case $1 in
    '-L' | '--large')
        dict=eff_large_wordlist.txt; digits=5
        ;;
    '-S' | '--short')
        dict=eff_short_wordlist_1.txt; digits=4
        ;;
    '-S2' | '--short2')
        dict=eff_short_wordlist_2_0.txt; digits=4
        ;;
    *)
        cat <<EOF

Diceware(TM) Generator, version rel.ver.patch
(GNU version of bash, grep, sed and coreutils
are mandatory for this script to run.)

Copyright (C) $(date +%Y) Cryptonymous
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>

One monkey is sitting in front of the typewriter,
let's see whether it could type up the complete
works of William Shakespeare. - That's you!

Description: Generate passphrases, one per line.

Usage: $0 [wordlist] [word] [passphrase]

[wordlist]
  -L , --large    Use EFF large wordlist;
  -S , --short    Use EFF general short wordlist;
  -S2, --short2   Likewise, but with words that have
                  unique three-character prefixes.

[word]
  {1,2,...,INT_MAX}   This many word(s), defaults to 6.

[passphrase]
  {1,2,...,INT_MAX}   This many passphrase(s), defaults to 1.

EOF
        exit 1
        ;;
esac

word=${2:-6}
phrase=${3:-1}
prng=/dev/urandom
word_all=$((word * phrase))
# Resolve the dict/ directory relative to the script, whichever way it was invoked.
dictfile="$(dirname "$0")/dict/$dict"

for (( i = 0; i < word_all; i++ )); do
    # Roll the dice: keep only the bytes '1'..'6' from the CSPRNG stream.
    dice_num=$(tr -cd '1-6' <"$prng" | head -c "$digits")
    # Look up the wordlist line that starts with that dice number.
    dice_all=$(grep "^$dice_num[[:space:]]" "$dictfile")
    # Strip the dice number, leaving the word itself.
    dice_word=$(sed -E "s/^$dice_num[[:space:]]+//" <<<"$dice_all")
    # Capitalize the first letter so the words stay readable when joined.
    printf '%s' "${dice_word^}"
    # End the line after every $word words, one passphrase per line.
    if (( (i + 1) % word == 0 )); then
        printf '\n'
    fi
done

exit 0


2. ~/.bashrc

# Description: Print out passwords in batches using all printable chars.
# Usage: pwgen2 [character#] [password#]
# Hack: Simply change '[:graph:]' to '[:alnum:]' to get an `idgen';
# for advanced input control, see `man tr'.
# (The character class is quoted so the shell cannot expand it as a glob,
# and the arithmetic uses $(( )) rather than the deprecated $[ ] form.)

pwgen2() { LC_ALL=C tr -cd '[:graph:]' </dev/urandom | head -c "$(($1 * $2))" | grep -Eao ".{$1}"; }



-------------------------------
Email provider and self-hosting
-------------------------------

General

Make sure to check each one carefully, check some reviews and recommendations you can find on other sites, and decide which one to use. I suggest you use more than one for redundancy, so that in case you lose an account for whatever reason you already have a backup email set up and your contacts already have that address too.

Those free, private, anonymous email providers are not reliable. Use two emails, from two different providers, for initial contact with every new person. In case one email provider goes down, you still have a second email where you can contact the same person. (Just make sure you aren't sending passwords for one email account to the other, since in that case, once one is compromised, the second one is too.)

There's a better choice of email solution:

You can buy your own domain to use for email; if you do so, nobody (except ICANN) can take over your email address unless your domain has expired;

You park your domain on any email hosting service, or you build an email server yourself. An ESP can go down without notice, in which case you should be prepared: simply change the domain's MX records and move to another ESP. This procedure is painless and may only result in email not reaching your address for up to 24 hrs (a Time-To-Live value of 86400). This depends on the (recursive) DNS cache; if you had set the TTL to 300 (s) beforehand, you can say that you are almost unaffected;

For maximum flexibility, set up a catch-all address so that all emails sent to non-existent addresses of your domain are delivered to that address. That's cool because whenever you need to register on sites you don't trust, you can make up a throw-away address with which to fill in the registration form;

The MTA (Message Transfer Agent) of some mail servers (Postfix, for example) can be configured to support sub-addressing (https://en.wikipedia.org/wiki/Email_address#Subaddressing), meaning that all emails sent to username[delimiter]tag@domain will be delivered - by the MDA (Message Delivery Agent) - directly into the INBOX of username@domain, so once you see a funny marketing email in your Spam folder you are able to trace back easily which site leaked the tag. In reality, however, in most scenarios spammers grab your address and filter it through a regular expression, thus getting your real username@domain.

How to communicate securely with a person you have never met:

Confirm each other's public key fingerprint in a proper way (offline, by phone, etc.); without completing this step you CANNOT move on further;

Using asymmetric crypto, you agree on a shared password and cipher (symmetric crypto), e.g. password='aaaaaA@2', cipher='AES-256';

You have successfully negotiated a secure connection! Keep in mind that the word `secure' does not mean `trustworthy'; if that person is bad, nothing has changed;

Above I explained the basic schema of the modern approach used in communication around the world; its varieties OpenPGP, S/MIME and SSL/TLS are used for different purposes, and fortunately these schemas already have respective open source implementations, e.g. GnuPG for OpenPGP (gpg) and S/MIME (gpgsm), and OpenSSL for SSL/TLS (there used to be some misunderstanding; actually OpenSSL is one common provider of TLS libraries, the others being Microsoft's and GnuTLS). Those without a standardization document (IETF RFC) are not mentioned, like Off-the-Record Messaging for XMPP (although OTR implemented Forward Secrecy and Deniable Authentication).

For one-way anonymous contact, maybe chaining two or more cypherpunk remailers (Type I) is enough? Check the Remailer section below for details.


Clearnet

In general I suggest using sigaint.org or sigaintevyh2rzvw.onion (defunct: https://en.wikipedia.org/wiki/SIGAINT)

I am currently liking https://cock.li. I like how cock.li admin Vincent handled the situation when some of his servers were seized due to some bogus bomb threats. Also they have a few funny domains like @dicksinmyan.us and @national.shitposting.agency... Yeah, you can download the entire https://cock.li/transparency using `wget -rk -np https://cock.li/transparency/' and browse them, especially those funny subpoena callings.

There are also good alternatives:
https://tutanota.com
https://mail.teknik.io
https://www.msgsafe.io
https://protonmail.com
https://scryptmail.com
https://www.hushmail.com
https://www.safe-mail.net
https://www.autistici.org/en/services.html
Some recommendations from Riseup: https://riseup.net/en/security/resources/radical-servers

/!\ Caution: Keep an eye on [Mailfence](https://mailfence.com) as I suspect that it's a shadow company. How come? Well, I once found a website which claims to provide an email service, and I immediately noticed that its website's style is incredibly similar to the one Mailfence has. It's exactly a clone LOL. I don't remember the URL, but its domain ends with ".be" (Belgium TLD); and Mailfence is also a Belgian company. I think there's some kind of relationship between the two. :hmm:

I have seen people use the Israel-based https://www.safe-mail.net

New thing I found: has anyone heard of https://unseen.is ?
^ Unseen - Unseen.is secure chat, calling, and email ^
Private and Secure. Messaging, Calling, Email and Hosting From Iceland.

And I was recently reading about some new system: https://www.mailpile.is; never tried it, but it looks like you have your own personal mail client on your box, so you don't have to trust your email provider that they really do what they claim they do. However, this only makes sense if your provider has opened the POP/IMAP and SMTP ports... By the way, what about RainLoop? It's a not-that-old (in contrast to SquirrelMail, Roundcube and Horde) webmail client shipped with a modern UI and native support for OpenPGP too.

The reason I suggest other providers is only that Riseup.net hadn't renewed their canary recently, which means that they are under some kind of investigation. Probably some smaller thing targeted at a few specific accounts, but still be careful. There are many posts on the internet about their canary. Here is one: https://www.reddit.com/r/WhereIsAssange/comments/5p1b5a/julian_answered_my_question_today_about_the
EDIT: The canary has been updated in 2017. Everything is fine now, although the new canary is less useful since it doesn't cover minor subpoenas and investigations.
https://riseup.net

You have many very good suggestions regarding privacy and security on this page:
https://www.privacytools.io

Similar links
https://ssd.eff.org (highly recommended to have a look at it)
https://prism-break.org/en (introduces many FLOSS software)
https://thatoneprivacysite.net (email and VPN comparison chart)
https://www.reddit.com/r/privacy/wiki/index (miscellaneous things)

Also, to avoid using JavaScript for providers whose webmail client demands it, you can use the Thunderbird desktop client and the TorBirdy addon, which redirects POP/IMAP and SMTP traffic through the Tor network.


Deep Web

References (lots of them are dead):
https://en.wikipedia.org/wiki/List_of_Tor_hidden_services
https://www.reddit.com/r/emailprivacy/comments/3gf2ta/email_providers_with_onion_tor_hidden_service

Here are the email providers I know of which offer webmail access via Tor hidden services. They are roughly organized in order from most appealing to least appealing for general use in my opinion, although they are not precisely organized.

Hidden Webmail Services (sorted by name in ascending alphabetical order to eliminate implied prejudice):
AnonInbox.net / http://ncikv3i4qfzwy2qy.onion | Paid accounts only; responsive support.
Autistici.org / http://wi7qkxyrdpu5cmvr.onion | For anti-capitalist activists; they have a rather strong political stance, thus it's hard to request a service account.
BitMai.la / http://oxicsiwet42jw4h4.onion | Very low-cost, paid accounts. /u/bitmaila
BitMessage.ch / http://bitmailendavkbec.onion | /u/AyrA_ch | built-in support. Forces Google scripts at signup; otherwise good. Onion site was under DoS and down Jan-June 2016.
Cock.li / http://mail.cockmailwwfvrtqj.onion | JavaScript (hereinafter JS) required (Roundcube only). Many alt-domains!
GuerrillaMail.com / http://grrmailb3fxpjbwm.onion | Temporary, disposable addresses. JS required. Emails deleted after 24 hours.
Lelantos.org / http://lelantoss7bcnwbv.onion | Paid accounts only; lacking support; service is not well run.
Mail2Tor.com / http://mail2tor2zyjdctd.onion | Unreliable service sometimes. Was unable to connect from April to May 2016.
ProtonMail.com / https://protonirockerxow.onion | JS is required for OpenPGP.js; signup is redirected to the clearnet website.
RayServers.com / https://nmf6cg7tiyqlhsg3.onion | Paid accounts only; responsive, competent support.
Riseup.net / http://nzh3fv6jc6jskki3.onion | For horizontal collectivists; SquirrelMail access, which can be set not to use JS at all.
SCRYPTMail.com / http://scryptmaildniwm6.onion | JS required.
Sigaint.org / http://sigaintevyh2rzvw.onion | /u/sigaint Defunct now.
Systemli.org / http://h2qkxasmmqdmyiov.onion | JS required (Roundcube only). Account by invite or request only. Onion address not working...
TorBox / http://torbox3uiot6wchz.onion | 100% Tor, no clearnet.
VFEMail.net / https://344c6kbnjnljjzlz.onion | 3rd party, clearnet JS required at signup. Many alt-domains!

History Lesson
The first free .onion-accessible email service that was widely used was tormail.net / tormail.org, during 2011-2013. Tormail was taken down by the FBI because it happened to be hosted at Freedom Hosting (a free .onion web host), whose server(s) the FBI seized because FH was allowing other, horrible things (CP) to be hosted. The FBI now has full access to all the non-PGP-encrypted information that was on the tormail server when they seized it, and they have used their access to that information in multiple investigations. Remember this when using such email services.



  428. ----------------------------
  429. Email signing and encryption
  430. ----------------------------
  431.  
  432. Software
  433.  
  434. Maybe it is more appropriate to involve another solution and let you choose between
  435. OpenPGP: https://tools.ietf.org/html/rfc4880 (most popular among the world)
  436. S/MIME: https://tools.ietf.org/html/rfc5751 (easy to deploy in companies)
  437.  
  438. Use command prompt or dedicated PGP packages: http://openpgp.org/software
  439.  
  440. Microsoft Windows NT
  441. GnuPT: http://www.gnupt.de (site is in German)
  442. Java-based: http://ppgp.sourceforge.net (seems not maintained)
  443. GPG4USB: http://gpg4usb.cpunk.de/index.html
  444. GPG4Win: https://www.gpg4win.org
  445. (GPG4Win gives you wonderful experiences on Explorer's shell integration; GPGOL is
  446. also very helpful to those who keep sticking with the evil proprietary MS Outlook)
  447.  
  448. Apple macOS
  449. https://gpgtools.org
  450. https://www.deepdotweb.com/2015/02/20/pgp-tutorial-os-x
  451. http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever
  452.  
  453. BSD or GNU/Linux
  454. Mutt: http://mutt.org
  455. ("All mail clients suck. This one just sucks less.")
  456. (built-in support, just copy the sample file and source it)
  457.  
  458. Multi-platform or web browser extensions
  459.  
  460. Enigmail: https://www.enigmail.net/index.php/en
  461. (Thunderbird has become less and less active developing since Dec 2015 while
  462. Mozilla is phasing out its own XUL/XPCOM extension framework on Firefox 57)
  463. (addon TorBirdy routes your traffic through Tor network)
  464.  
  465. Mailvelope: https://www.mailvelope.com/en
  466. (is developed using WebExtensions API, and is ported to Chromium-based
  467. browsers and newer versions of Firefox; It is OpenPGP.js backended so
  468. that it doesn't support ECC as for now unless OpenPGP.js implements it.)
  469.  
  470.  
  471. Notice
  472.  
  473. If you find a new tool to encrypt your email, make sure that the attachment(inline MIME) is also encrypted.
  474.  
  475. When you are composing your message some email clients (B/S or C/S) might save drafts of unencrypted emails in your folders, make sure to delete them and turn off automatic saving. Use a local mail client really... Most webmail clients are proprietary and some of which consist of crappy(why? https://www.gnu.org/philosophy/javascript-trap) JavaScript code; while even more email servers are proprietary and not audited: You can see ProtonMail and Tutanota opensource'd their webmail clients but that does not include the server-side implementation, but well, if they opensource'd their servers it's easily imagined sth like bankruptcy.
  476.  
  477. When you send encrypted email, know that the subject is NOT encrypted, so don't put anything in the subject that reveals the nature of the content (examples of no-no subjects: "meeting at Joes bar on Friday 13" or "Hi Bob greetings from Alice"; replace it with "NSA go away" or something irrelevant and deceptive). There is of course other sensitive metadata in the email header that can be traced back to your identity, for example the MUA (Mail User Agent) string, the sent time and timezone (always use UTC/GMT) and the encoding (always use UTF-8 for portability; your preferred language then cannot be inferred from that alone). Sadly, per the OpenPGP Message Format RFC, the email header is NOT encrypted.
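As an added example (not part of the original pad or of any tool it names), the following Python script checks an outgoing message for exactly the cleartext header metadata discussed above and rewrites it: neutral subject, no MUA string, date in UTC, UTF-8 charset. The sample message, its addresses and the MUA name are constructed for the demonstration; only the standard library is used.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.policy import default
from email.utils import format_datetime

# Constructed sample: an outgoing message roughly as a desktop mail client
# would hand it to the mail server. The body is already an OpenPGP blob
# (placeholder), but everything above the blank line travels in cleartext.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: meeting at Joes bar on Friday 13
Date: Fri, 13 Apr 2018 21:05:00 +0300
User-Agent: ExampleMUA/1.0 (constructed)
Content-Type: text/plain; charset=iso-8859-2

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
"""

NEUTRAL_SUBJECT = "..."                  # says nothing about the content
MUA_HEADERS = ("User-Agent", "X-Mailer")  # common client fingerprints


def audit_headers(raw):
    """Return (header, reason) pairs for cleartext metadata worth removing."""
    msg = message_from_string(raw, policy=default)
    findings = []

    subject = (msg["Subject"] or "").strip()
    if subject and subject != NEUTRAL_SUBJECT:
        findings.append(("Subject", "subject line hints at the content"))

    for name in MUA_HEADERS:
        if msg[name] is not None:
            findings.append((name, "mail client fingerprint"))

    if msg["Date"] is not None and msg["Date"].datetime is not None:
        offset = msg["Date"].datetime.utcoffset()
        # A non-zero offset narrows down the sender's region.
        if offset is not None and offset != timedelta(0):
            findings.append(("Date", "local timezone instead of UTC"))

    charset = (msg.get_content_charset() or "").lower()
    if charset not in ("", "utf-8", "us-ascii"):
        findings.append(("Content-Type", "regional charset hints at language"))

    return findings


def scrub_headers(raw):
    """Rewrite the cleartext headers the way the text above recommends."""
    msg = message_from_string(raw, policy=default)

    if msg["Subject"] is not None:
        msg.replace_header("Subject", NEUTRAL_SUBJECT)
    else:
        msg["Subject"] = NEUTRAL_SUBJECT

    for name in MUA_HEADERS:
        del msg[name]                     # no error if the header is absent

    if msg["Date"] is not None and msg["Date"].datetime is not None:
        utc = msg["Date"].datetime.astimezone(timezone.utc)
        msg.replace_header("Date", format_datetime(utc))

    # Only the declared charset changes: an ASCII-armored PGP body is pure
    # ASCII, so it is already valid UTF-8.
    msg.set_param("charset", "utf-8")
    return msg.as_string()


if __name__ == "__main__":
    for header, reason in audit_headers(SAMPLE):
        print(f"{header}: {reason}")
    print(scrub_headers(SAMPLE))
```

Run it on a draft saved by your own client (or on a message you sent to yourself) and compare the audit before and after; the scrubbed copy still carries From/To, which no header rewrite can hide.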
  478.  
  479.  
  480. Tutorial and Quirk
  481.  
  482. https://wiki.archlinux.org/index.php/GnuPG (ArchWiki's always good)
  483. http://uncovering-cicada.wikia.com/wiki/PGP_TUTORIAL
  484. http://uncovering-cicada.wikia.com/wiki/PGP_and_RSA_theory
  485. http://uncovering-cicada.wikia.com/wiki/Verifying_PGP_signatures
  486.  
  487. https://www.keylength.com/en/4
  488. https://eprint.iacr.org/2010/006.pdf
  489. https://gist.github.com/grugq/03167bed45e774551155
  490. http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
  491. https://www.usenix.org/system/files/1401_08-12_mickens.pdf
  492. https://arstechnica.com/security/2016/12/op-ed-im-giving-up-on-pgp
  493. https://www.theregister.co.uk/2010/01/07/rsa_768_broken/?mt=1486963827317
  494. https://thehackernews.com/2014/08/cryptography-expert-pgp-encryption-is_19.html
  495. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
  496. https://www.deepdotweb.com/security-tutorials/word-warning-versions-pgp-created-equally
  497. https://security.stackexchange.com/questions/33752/will-encrypting-the-same-file-with-gnupg-and-the-same-key-produce-the-same-ciphe
  498.  
  499.  
  500.  
  501. --------
  502. Remailer
  503. --------
  504.  
  505. Needs basic knowledge of OpenPGP-compliant software to start off. Give it a try: send yourself an email through a remailer and observe how the remailed email's header differs from a normal/regular one.
  506.  
  507. Terminology
  508. https://en.wikipedia.org/wiki/Anonymous_remailer
  509. https://www.whonix.org/wiki/Remailer
  510. https://www.whonix.org/wiki/Nymservers
  511.  
  512. Tutorial
  513. https://www.autistici.org/docs/anon/remailer
  514. https://en.wikipedia.org/wiki/Cypherpunk_anonymous_remailer
  515.  
  516. Useful Link
  517. http://www.noreply.org/echolot
  518. http://www.cypherpunks.to/remailers
  519. https://www.autistici.org/crypto/index.php/remository/Remailer-clients
  520.  
  521.  
  522.  
  523. ----------
  524. Stylometry
  525. ----------
  526.  
  527. 29C3 - Stylometry and Online Underground Markets (EN) - YouTube
  528. https://www.youtube.com/watch?v=zkh7dwwfrHM
  529.  
  530. (Saluton!) Esperanto, the artificial language, is one of the coolest things to learn (Kio estas tio?); it is designed so that whoever uses it enjoys equality of personality, and the grammar of Esperanto rarely leads to ambiguity. You can learn Esperanto online at: https://lernu.net.
  531.  
  532. The researchers declared that every user tends to adopt their own writing style during their internet experience, a peculiarity that makes them identifiable. The identification is possible thanks to the analysis of "function words": words that serve to express grammatical relationships with other words within a sentence and are strongly related to the attitude or mood of the speaker.
  533. TheShadowBrokers and their "Russian English" is a good practical example of language obfuscation:
  534. https://twitter.com/shadowbrokerss/status/851260161020764161
  535. https://steemit.com/shadowbrokers/@theshadowbrokers/grammer-critics-information-vs-knowledge
  536. Many Russian native speakers confirmed that the mistakes in TheShadowBrokers' messages are not mistakes Russians would make:
  537. https://news.ycombinator.com/item?id=1406828
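Added example, not from the pad or from the cited research: a minimal function-word profile in Python, the kind of feature the talk above describes, used here the way Anonymouth gives feedback, so a writer can check whether a rewording actually moved their own profile or only swapped content words. The word list is a small illustrative subset of what real tool kits use, and the three sample sentences are constructed.

```python
import math
import re

# Small illustrative subset of English function words. Stylometric tool kits
# use several hundred features; this list is only for demonstration.
FUNCTION_WORDS = (
    "the", "and", "of", "to", "a", "in", "that", "is", "i", "you",
    "it", "not", "for", "on", "with", "as", "but", "this", "we", "my",
)


def function_word_profile(text):
    """Relative frequency of each function word; content words are ignored."""
    tokens = re.findall(r"[a-z']+", text.lower())
    counts = {w: 0 for w in FUNCTION_WORDS}
    for tok in tokens:
        if tok in counts:
            counts[tok] += 1
    total = sum(counts.values()) or 1       # avoid division by zero
    return {w: counts[w] / total for w in FUNCTION_WORDS}


def profile_distance(text_a, text_b):
    """Cosine distance of two profiles: 0.0 identical, 1.0 nothing in common."""
    pa = function_word_profile(text_a)
    pb = function_word_profile(text_b)
    dot = sum(pa[w] * pb[w] for w in FUNCTION_WORDS)
    norm_a = math.sqrt(sum(v * v for v in pa.values()))
    norm_b = math.sqrt(sum(v * v for v in pb.values()))
    if norm_a == 0 or norm_b == 0:
        return 1.0
    return 1.0 - dot / (norm_a * norm_b)


# Constructed samples: two sentences with the same grammatical habits but
# different topics, and one sentence written in a very different voice.
SAME_AUTHOR_1 = ("The report of the committee and the minutes of the meeting "
                 "are in the archive, and the index is in the annex.")
SAME_AUTHOR_2 = ("The summary of the audit and the notes of the review "
                 "are in the folder, and the appendix is in the drawer.")
OTHER_AUTHOR = ("I think you should not worry, I told you it was not my "
                "fault but you did not listen to me.")

if __name__ == "__main__":
    print("same habits, new topic:", profile_distance(SAME_AUTHOR_1, SAME_AUTHOR_2))
    print("different voice:       ", profile_distance(SAME_AUTHOR_1, OTHER_AUTHOR))
```

The point the numbers make is the one from the talk: changing the topic changes almost nothing in the profile, because the features are the small words nobody thinks about, while a genuinely different voice moves it a lot.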
  538.  
  539. Miscellaneous
  540. https://github.com/psal/JStylo-Anonymouth
  541. https://events.ccc.de/congress/2012/Fahrplan/events/5230.de.html
  542. http://www.techfleece.com/2013/01/09/up-to-80-of-anonymous-users-can-be-identified-by-using-linguistic-software
  543. http://www.infosecisland.com/blogview/22846-Stylometric-analysis-to-track-anonymous-users-in-the-underground.html
  544.  
  545.  
  546.  
  547.  
  548. *************************************************************************************
  549. Answers
  550.  
  551. Q1: Deploy full disk encryption and use a variant of SSH tunnel for data transfer on the network.
  552. 
  553. Q2: No, absolutely you cannot, haha. Actually nobody can stop someone from physically manipulating (including destroying) that computer, even if you put it in a solid-rock safe; in extreme cases an organ of violence forces you to hand it over (a piece of cake, yes).
  554. 
  555. Note: The term "privacy" often refers to information secrecy, while "security" is about damage prevention and permission control and, more or less, relates to (meta)data backup and redundancy. Once you understand this, you should be able to make a distinction between the two. Nevertheless, it's up to your preference how you use these terms.
  556. *************************************************************************************