May 21, 2022 at 2:23 PM
Some useful Privacy & OpSec guides
Scrolling through BF I see so many stupid mistakes made in opsec.
If you want to get into cybersecurity / 'hacking', that's great. It's real interesting stuff.
But you need to understand that in the eyes of law enforcement, you are easy pickings and they will jail you to fill a monthly quota.
I don't condone any sort of malicious / illegal computer use. If you're going to get into cybersec, don't go straight into 'black-hat' because
you WILL be caught. To your ISP, LE and hackers, you are not special. You are not invincible or invulnerable to being caught just because you
have had such experiences in real life.
Sites like RF, BF and HF attract a lot of skids. Most skids don't think they are skids. You might be a skid. I might be a skid.
With that said, here are some guides that I have found very useful in being private & anonymised while browsing the web.
https://www.privacyguides.org/tools/
https://anonymousplanet-ng.org/ [Very useful for your fake digital identity]
https://darknetlive.com/dnmbible.pdf
https://darknetone.com/operations-security-opsec-handbook-for-all-darknet-market-users/
And some general tips:
- Don't use bitcoin. Just don't. Monero.
- Your VPN is not your friend. They will sell you out to LE without a second thought. Buy anonymised services such as Mullvad. But realise that a VPN is very minimal in terms of security - tiktok skids might tell you otherwise though...
- The hidden wiki is not a real site. It's a sensationalization for youtubers and 13 year olds.
- Understand what the 'fourteen eyes' are
- Don't act on impulse or adrenaline. Nobody you met on the internet is 'your friend'.
- 'End to End Encrypted' doesn't mean secure. There is nothing forbidding the client side from logging the data upon decryption. It stops only primitive man-in-the-middle attacks.
- 'Intel Management Engine'. 'AMD Secure Technology'.
- Use PGP
- Use 2FA. For everything.
- Create a digital identity different to your own. With a cash-bought phone, one that's not used in the same proximity or on the same networks as your daily ones,
with social media, education history, work history and purchase history. Spend months, years maintaining it. It can become a bit of a hobby really.
- No matter how secure your encryption, you are liable to the Wrench Method. https://xkcd.com/538/
- Malware will get you jailed. Security experts with 30 years in the business get caught for malware. What makes you think you won't. Ransomware especially.
- Discord is not secure. Tor is not strictly secure. Law Enforcement own exit nodes.
- Data correlation is a legitimate technique for LE. If the data you send is identical in size, and in a similar timeframe, to data recieved by a malicious site or honeypot, you can be arrested.
- Always assume somebody is trying to track you down
- Have a go at HTB, the challenges as well as the machines. Work your way up to intermediate level. It's fantastic for understanding computer systems & how they break.
- For anything darknet - Use Tails. Or Whonix. Or Qubes if you're advanced. Tor browser is not enough.
- For common darknet sites - DarkdotFail. Research purposes only.
- You can and will get phished.
- Opt-Out on haveibeenpwned and other email lookup tools.
- Private your instagram - if you have one. People will blackmail and extort you. Access to your 'friends list' gives them leverage.
- It can be tempting to tell your IRL friends about your experiences in doxxing / hacking or whatever. Don't.
- If you're caught doing something you shouldn't, it's on your record forever. You won't be hired by any company based around tech. You won't be trusted with NDAs. Etc
To reiterate, this advice is not to be used for crime or malice. I'm a security researcher. Not a hacker. It's good practice to follow opsec in your daily life. Law Enforcement are there for a reason.
And finally:
Verify the BF canary every so often. You can find it here: https://breached.co/transparency/
Scrolling through BF I see so many stupid mistakes made in opsec.
If you want to get into cybersecurity / 'hacking', that's great. It's real interesting stuff.
But you need to understand that in the eyes of law enforcement, you are easy pickings and they will jail you to fill a monthly quota.
I don't condone any sort of malicious / illegal computer use. If you're going to get into cybersec, don't go straight into 'black-hat' because
you WILL be caught. To your ISP, LE and hackers, you are not special. You are not invincible or invulnerable to being caught just because you
have had such experiences in real life.
Sites like RF, BF and HF attract a lot of skids. Most skids don't think they are skids. You might be a skid. I might be a skid.
With that said, here are some guides that I have found very useful in being private & anonymised while browsing the web.
https://www.privacyguides.org/tools/
https://anonymousplanet-ng.org/ [Very useful for your fake digital identity]
https://darknetlive.com/dnmbible.pdf
https://darknetone.com/operations-security-opsec-handbook-for-all-darknet-market-users/
And some general tips:
- Don't use bitcoin. Just don't. Monero.
- Your VPN is not your friend. They will sell you out to LE without a second thought. Buy anonymised services such as Mullvad. But realise that a VPN is very minimal in terms of security - tiktok skids might tell you otherwise though...
- The hidden wiki is not a real site. It's a sensationalization for youtubers and 13 year olds.
- Understand what the 'fourteen eyes' are
- Don't act on impulse or adrenaline. Nobody you met on the internet is 'your friend'.
- 'End to End Encrypted' doesn't mean secure. There is nothing forbidding the client side from logging the data upon decryption. It stops only primitive man-in-the-middle attacks.
- 'Intel Management Engine'. 'AMD Secure Technology'.
- Use PGP
- Use 2FA. For everything.
- Create a digital identity different to your own. With a cash-bought phone, one that's not used in the same proximity or on the same networks as your daily ones,
with social media, education history, work history and purchase history. Spend months, years maintaining it. It can become a bit of a hobby really.
- No matter how secure your encryption, you are liable to the Wrench Method. https://xkcd.com/538/
- Malware will get you jailed. Security experts with 30 years in the business get caught for malware. What makes you think you won't. Ransomware especially.
- Discord is not secure. Tor is not strictly secure. Law Enforcement own exit nodes.
- Data correlation is a legitimate technique for LE. If the data you send is identical in size, and in a similar timeframe, to data recieved by a malicious site or honeypot, you can be arrested.
- Always assume somebody is trying to track you down
- Have a go at HTB, the challenges as well as the machines. Work your way up to intermediate level. It's fantastic for understanding computer systems & how they break.
- For anything darknet - Use Tails. Or Whonix. Or Qubes if you're advanced. Tor browser is not enough.
- For common darknet sites - DarkdotFail. Research purposes only.
- You can and will get phished.
- Opt-Out on haveibeenpwned and other email lookup tools.
- Private your instagram - if you have one. People will blackmail and extort you. Access to your 'friends list' gives them leverage.
- It can be tempting to tell your IRL friends about your experiences in doxxing / hacking or whatever. Don't.
- If you're caught doing something you shouldn't, it's on your record forever. You won't be hired by any company based around tech. You won't be trusted with NDAs. Etc
To reiterate, this advice is not to be used for crime or malice. I'm a security researcher. Not a hacker. It's good practice to follow opsec in your daily life. Law Enforcement are there for a reason.
And finally:
Verify the BF canary every so often. You can find it here: https://breached.co/transparency/