How to be Anonymous Online (5 page)

BOOK: How to be Anonymous Online
12.05Mb size Format: txt, pdf, ePub
Upload your key to the keyservers / Sync keys you have signed

You DO NOT need to upload your public PGP key to the keyservers in order to sync the other keys. However, if you want your public PGP key publicly available, use the following “sync everything” steps. If you would rather not publicly list your public PGP key, use the following “sync a particular key” steps.

To upload/sync everything...

  1. Open the
    Passwords and Keys
    program  (
    Applications
    >
    System Tools
    >
    Preferences
    >
    Passwords and Keys
    ), and then import the key in question
  2. Select
    Remote
    >
    Sync and Publish Keys
  3. Click
    Key Servers
    , and
    then choose a keyserver from the
    Publish keys to:
    drop-down menu and click
    Close
  4. Click
    Sync
  5. Your personal public PGP key will be uploaded. Also, the other keys will sync to reflect new trust signatures
Authenticate software
  1. Download the following files into one folder...
  • Download the program or file
    that you will be authenticating (
    filename
    .iso
    ,
    filename
    .txt
    ,
    etc.)
  • Download the signature file
    (it should be
    filename.iso
    .sig
    ,
    filename.txt.sig
    , etc. S
    ometimes it has a .pgp or .asc file extension - just rename/change the extension to .sig.
  • If you do not already have it,
    download and import the signing party's public PGP key
    , also known as the “
    signing key
    ” (usually
    developername
    .asc
    or
    developername
    .key
    )

Wait for all three files to download before preceding

  1. If you need to, authenticate the imported public PGP key, aka “
    signing key
    ” (get it in person, check the keyservers, fingerprint or whatever else works for you)
  2. Verify the signature...
  • If the signature file does not have a '.sig' extension, rename it (if it is
    filename.xxx.asc
    , rename it
    filename.xxx.sig
    )
    (
    right-click > rename
    ).
  • Right-click
    filename
    .xxx.sig
    and select
    Open with Verify Signature
  • In the top-right corner, you will either see
    filename.xxx
    Good Signature
    or
    filename.xxx
    Unknown Signature

If you
see
filename.xxx
Good Signature
,
you have authenticated the file!

If you
see
filename.xxx
Unknown Signature
,
you have not authenticated the file. Either you did not download the entire file, forgot to import the public PGP key before checking the signature, imported the wrong public PGP key or the signature is wrong or forged.

Authenticate software (Real Life Example)

Here is a real life example using a few demonstration files from my website

  1. Make sure you are connected to the internet, and then open the
    Tor Browser
    (
    Accessories
    >
    Internet
    >
    Tor Browser
    )
  2. Go to
    https://howtobeanonymousonline.info/pgpkey/
  3. Right-click 'Anna M Eydie Public PGP Key', and then select
    Save Link As
  4. Click
    Save
    to save
    annameydie.asc
    . Any location will do
  5. Now, go to
    https://howtobeanonymousonline.info/sigtest/
  6. Right-click '
    Some Random File
    ', and then select
    Save Link As
  7. Click
    Save
    to save
    some_random_file.zip
    . Any location will do
  8. On the same web page, right-click '
    Some Random File Signature
    ', and then select
    Save Link As
  9. Click
    Save
    to save
    some_random_file.zip.sig
    . You must save it to the same location as
    some_random_file.zip
  10. You can close or minimize the Tor Browser
  11. Using the
    File Manager
    (
    Applications
    >
    Accessories
    >
    Files
    ), navigate to the location of
    annameydie.asc
  12. Right-click
    annameydie.asc
    , and then select
    Open With Import Key
    . A '
    Key Imported
    ' message will display in the upper right corner of Tails
  13. Now, navigate to the location of
    some_random_file.zip
    and
    some_random_file.zip.sig
  14. Right-click
    some_random_file.zip.sig
    , and then select
    Open With Verify Signature
  15. A '
    some_random_file.zip.sig: Good Signature
    ' message will display in the upper right corner of Tails
Section: Email, Chatting, Messaging

I do not trust email providers. Not a single one. Neither should you.

Since the Snowden scandal erupted, there are service providers touting their non-USA based servers. To me, this means nothing. What do I care if the server is in the United States or not? The United States is not the only country with intelligence agencies that want to read people's email. The only difference between the United States and other countries is Edward Snowden happened to work for the USA, so he blew his whistle on them and fled to Russia. If he worked for the Russians, he would have blown the whistle on them, fled to the United States and received a medal from the President. If he worked for North Korea, he would have been too hungry to blow the community whistle.

Anyway...

Three criteria for anonymous email:
  1. A confirmation method must NOT be required
    . Confirming an account requires that you already figured out how to be anonymous for the previous account, which would then mean you do not need a new anonymous account.
  2. JavaScript must NOT be required
    since it is a vehicle for malware.
  3. Tor affiliated IP addresses must be allowed
    . Gmail, for instance, blocks IP addresses it links to Tor.
Email provider
s
that meet all three criteria:

You can use any email provider that meets the three criteria. You are not limited to one I mention. However, you are limited by the difficulty in finding providers that meet the criteria (
Hushmail does not meet the criteria
).

*If the limits prove too constricting, I cover alternative email options later in this section*

The risk with email providers is they can change or shutdown at any time. Since I first wrote these instructions, I have had to abandon three email providers. One no longer meets our criteria, another quit accepting new accounts, and a third shutdown. At the moment, one service, Safe-mail.net, meets the three criteria.

[
Latest Update:
a new email service,
https://ruggedinbox.com, now meets the three criteria!]

Safe-mail is not safe!
Do not let anyone tell you otherwise. Its servers are in Israel. It is easy to imagine that a back door is built into their system per government request. Having said that, Safe-mail meets the three criteria. You just have to access the website from within your anonymous system and encrypt messages yourself BEFORE they are uploaded and
sent. If you follow the rules, you do not need to trust the email provider that you use.

Signing up with Safe-mail
  1. Go to
    https://www.safe-mail.net
  2. Click
    Sign Up now!
  3. Read about how you give them the right to access your account, and then
    Agree
    (or Disagree and go home)
  4. Fill the stuff out and click
    Sign Up
  5. Congratulations!!
    it will say.
  6. From your browser's address bar, go back to
    https://www.safe-mail.net
    . (if you click the 'Continue to Safe-mail System' button, you are taken to the JavaScript interface. It will not work well)
  7. On the main page, when you sign in you need to select
    Fast (no scripts or icons)
    from the
    Interface
    drop-down menu.
    The other interface options do not work with JavaScript disabled
  8. If you get a
    Security message
    ,
    just click
    Continue.
    If you get a
    Your IP Address has changed...
    message, just enter your password and
    Continue

Now, you have an anonymous email account.

Is Not-so-Anonymous email actually more Anonymous?

Anonymous Email is NOT convenient. First of all, since options are limited, you are totally dependent on a service not shutting down or changing its system in a way that is incompatible with your system. Second of all, you might not want an email address that looks anonymous. Your careless boss is going to keep an eye on you, wondering why you need a '@safe-mail.net' email address. To be honest, I would never use Safe-Mail.net. I do not think they have a bad system, I just think using them puts a target on my back.

A now defunct email provider, TorMail, was the source of a major JavaScript exploit in which an attacker was able to insert malware into the systems of Tor users visiting the TorMail website. The malware learned a TorMail user’s real IP address and then reported it back to the attacker. The malware relied on the user having JavaScript enabled in an outdated version of Tor Browser running on a Windows System. Users following this guide were immune to the exploit.

Let us consider four reasons why TorMail and its users were likely targets. First, TorMail was run on servers owned by a small company specializing in anonymity, which also happened to host illegal websites. Second, TorMail was a relatively small, unknown service that happened to be popular among individuals conducting illegal activity. Third, since TorMail was only accessible to Tor users, an attacker was going to put forth the creative energy to unmask its users. Fourth, in the event an attacker was able to access the contents of TorMail accounts (and they did), they could retrieve user's past communications and pseudonyms to link them to physical locations and real identities. Had TorMail been a large company, it is likely they would have had a security team in place to identify and stop attacks in a relatively short amount of time. Also, it would have run from in-house servers, not ones that also hosted someone else's content that may have been a target for seizure. Besides, had it not been billed as some super secret anonymous email provider, nobody would have given it a second look in the first place.

For the sake of inconspicuousness, selectively, thoughtfully breaking the JavaScript rule is not the end of the world. Following, are a few points that might help you decide if breaking the rule for email is right for you.

Instead of Windows, you are running Tails, an open source Linux operating system. This fact alone reduces the likelihood that you fall victim to a malware attack. It makes much more sense for an adversary to develop an attack for Windows than Linux, since Windows has a larger user base. Not only does Linux have a smaller user base, there are numerous variants of Linux within that base. Additionally, being open source and popular, the Tails code has many eyes on it. An attack targeted at more than a few, select Tails users will hurriedly be recognized and rectified by the open source community.

By running Tails from a DVD-R and selecting
No
when prompted at the initial
More Options
screen, you have two layers of security that the TorMail victims did not. Using the DVD denies the ability for a program to carry over from one session to another. Furthermore, when you select
No
from
More Options
, you deny Root Access. Without root access, changes cannot be made to system files
.

There are also some advantages to using a well-known email provider:

Other books

Hot & Bothered by Susan Andersen
Dahlia (Blood Crave Series) by Christina Channelle
True Colors by Melissa Pearl
Betrayal by Lady Grace Cavendish
A Rip in the Veil by Anna Belfrage