Email, Chatting, Messaging - How to be Anonymous Online: Step-by-Step Anonymity with Tor, Tails, Bitcoin and Writeprints (2016)

How to be Anonymous Online: Step-by-Step Anonymity with Tor, Tails, Bitcoin and Writeprints (2016)

Section: Email, Chatting, Messaging

I do not trust email providers and neither should you.

Since the Snowden scandal erupted, there are service providers touting their non-USA based servers. To me, this means nothing. What do I care if the server is in the United States or not? The United States is not the only country with intelligence agencies that want to read people's email. The only difference between the United States and other countries is Edward Snowden happened to work for the USA, so he blew his whistle on them and fled to Russia. If he worked for the Russians, he would have blown the whistle on them, fled to the United States and received a medal from the President. If he worked for North Korea, he would have been too hungry to blow the community whistle.

Anyway...

Three criteria for anonymous email:

1. A confirmation method must NOT be required. Confirming an account requires that you already figured out how to be anonymous for the previous account, which would then mean you do not need a new anonymous account.

2. JavaScript must NOT be required since it is a vehicle for malware.

3. Tor affiliated IP addresses must be allowed. Gmail, for instance, blocks IP addresses it links to Tor.

Email providers that meet all three criteria:

You can use any email provider that meets the three criteria. You are not limited to one I mention. However, you are limited by the difficulty in finding providers that meet the criteria (Hushmail does not meet the criteria).

*If the limits prove too constricting, I cover alternative email options later in this section*

The risk with email providers is they can change or shutdown at any time. Since I first wrote these instructions, I have had to abandon three email providers. One no longer meets our criteria, another quit accepting new accounts, and a third shutdown. At the moment, one service, Safe-mail.net, meets the three criteria.

[Latest Update: a new email service, https://ruggedinbox.com, now meets the three criteria!]

Safe-mail is not safe! Do not let anyone tell you otherwise. Its servers are in Israel. It is easy to imagine that a backdoor is built into their system per government request. Having said that, Safe-mail meets the three criteria. You just have to access the website from within your anonymous system and encrypt messages yourself BEFORE they are uploaded and sent. If you follow the rules, you do not need to trust the email provider that you use.

Signing up with Safe-mail

1. Go to https://www.safe-mail.net

2. Click Sign Up now!

3. Read about how you give them the right to access your account, and then Agree (or Disagree and go home)

4. Fill the stuff out and click Sign Up

5. Congratulations! it will say.

6. From your browser's address bar, go back to https://www.safe-mail.net. (if you click the 'Continue to Safe-mail System' button, you are taken to the JavaScript interface. It will not work well)

7. On the main page, when you sign in you need to select Fast (no scripts or icons) from the Interface drop-down menu. The other interface options do not work with JavaScript disabled

8. If you get a Security message, just click Continue. If you get a Your IP Address has changed... message, just enter your password and Continue

Now, you have an anonymous email account.

Is Not-so-Anonymous email actually more Anonymous?

Anonymous Email is NOT convenient. First of all, since options are limited, you are totally dependent on a service not shutting down or changing its system in a way that is incompatible with your system. Second of all, you might not want an email address that looks anonymous. Your careless boss is going to keep an eye on you, wondering why you need a '@safe-mail.net' email address. To be honest, I would never use Safe-Mail.net. I do not think they have a bad system; I just think using them puts a target on my back.

A now defunct email provider, TorMail, was the source of a major JavaScript exploit in which an attacker was able to insert malware into the systems of Tor users visiting the TorMail website. The malware learned a TorMail user’s real IP address and then reported it back to the attacker. The malware relied on the user having JavaScript enabled in an outdated version of Tor Browser running on a Windows System. Users following this guide were immune to the exploit.

Let us consider four reasons why TorMail and its users were likely targets. First, TorMail was run on servers owned by a small company specializing in anonymity, which also happened to host illegal websites. Second, TorMail was a relatively small, unknown service that was popular among individuals conducting illegal activity. Third, since TorMail was only accessible to Tor users, an attacker was going to put forth the creative energy to unmask its users. Fourth, in the event an attacker was able to access the contents of TorMail accounts (and they did), they could retrieve user's past communications and pseudonyms to link them to physical locations and real identities. Had TorMail been a large company, it is likely they would have had a security team in place to identify and stop attacks in a relatively short amount of time. Also, it would have run from in-house servers, not ones that also hosted someone else's content that may have been a target for seizure. Besides, had it not been billed as some super-secret anonymous email provider, nobody would have given it a look in the first place.

For the sake of inconspicuousness, selectively, thoughtfully breaking the JavaScript rule is not the end of the world. Following, are a few points that might help you decide if breaking the rule for email is right for you.

Instead of Windows, you are running Tails, an open source Linux operating system. This fact alone reduces the likelihood that you fall victim to a malware attack. It makes much more sense for an adversary to develop an attack for Windows than Linux since Windows has a larger user base. Not only does Linux have a smaller user base, but there are also numerous variants of Linux within that base. Additionally, being open source and popular, the Tails code has many eyes on it. An attack targeted at more than a few, select Tails users will hurriedly be recognized and rectified by the open source community.

By running Tails from a DVD-R and selecting No when prompted at the initial More Options screen, you have two layers of security that the TorMail victims did not. Using the DVD denies the ability for a program to carry over from one session to another. Furthermore, when you select No from More Options, you deny Root Access. Without root access, changes cannot be made to system files.

There are also some advantages to using a well-known email provider:

· The user base is huge. If an attacker gets into their system, it is far less likely that they will scour through your account than if you are on a smaller service with only a few thousand users.

· Anything you do is unlikely to stand out as unique among the user base, including using encryption and logging in from Tor.

· The email provider's servers are not going to be shared with those of not-so-legit services, and, therefore, are not going to go down as collateral damage when some other service gets seized.

· The service will not be out-of-business tomorrow.

· It will be difficult for an attacker to execute a JavaScript exploit, especially for a sustained period.

· Since you will encrypt your communications BEFORE you upload and send, a provider or attacker will not be able to read them.

Is not-so-anonymous email actually more anonymous? Weigh the options. If you need super-untraceable anonymous email, the account must meet the three criteria. However, your options are limited and may leave you using an email provider that draws unwanted attention. By flying under-the-radar, you have more services to choose from and are less noticeable.

Internet Relay Chat

IRC (Internet Relay Chat) has been around since the old days... That is the 1980's. Just like Ray-Ban's and Will Smith, it has not aged a bit. It is simple, it is quick, you can send private messages, and you can group chat. So, let's get to it...

Special Notice: Unfortunately, DDOS attacks on the Tor IRC server happen. During such events, connections may fail. So, if you cannot get a connection, despite doing everything right, you are not crazy.

Chatting

1. From the top toolbar, Go to Applications > Internet > Pidgin Internet Messenger

2. The “Buddy List” and “Accounts” windows will open... If not, look at the right half of the top toolbar. To the left of the Green Onion icon will be an icon that looks like a little message box behind a circle. Click this icon and the windows will open. Then, selectAccounts > Manage Accounts

3. An account that you can use is already created with a random username. To use it, click the checkbox in the “Enabled” column next to random_username@irc.oftc.net. I will show you how to create a new account later.

(If you are working within your Persistence system, your account and username will carry over to future sessions. If not, you will have a new name for each session)

4. A third window will open and display your connection (If you get an SSL Connection Failed, double check to see if you are online). At the top of this window select Conversation > Join a Chat.... You can also join a chat from the Buddy List window by selectingBuddies > Join a Chat...

5. Now a fourth window opens! Just click Room List

6. Finally, your last window is open!!! From this Room List window, you can... you guessed it... choose a chat room. Just scroll around, pick a room and click Join (you can join more than one room)

7. Move or Close the Room List window and go back to the Conversation window. Your room choices will show as Tabs. Click the tab for a room and go chat

8. To Instant Messaging an individual, right-click their name, select IM and send a message

9. I want you to look at something. Right-click a name in the names list and select Info (your name or someone else's... it does not matter). There is revealing information here. If you log in to IRC from outside Tails, the information under the Username will be your IP address and internet provider. Kim Jong-Un's cyber scouts would love to see this it!

Messaging

1. In the Buddy List window, select Buddies > +Add Buddy

2. Add the username of the buddy you want to instant message within the Buddy's username box (I realize you probably do not have a buddy yet, so, the easiest thing to do is run Tails on a second computer, open up another IRC window and talk to yourself OR you can go randomly select some lucky user in some random chat room and hope he/she is lonely enough to humor you)

3. You will now see your buddies name under Buddies in the Buddy List window. Right-click it and select IM

4. You can chat away, BUT, you need to follow a couple more steps to be Private

5. From the top toolbar of your Chat window, select OTR > Start private conversation

6. After a few seconds, your conversation will turn private, BUT, you still need to Authenticate your Buddy

7. Again, select OTR, and then select Authenticate buddy

8. The Authenticate Buddy window will open. There are three options for authenticating your buddy. For simplicity, just choose Question and answer. Then, type a question and answer that only you and your buddy know and click Authenticate

9. Your Buddy will receive the question on her end. If answered correctly, you will be told Authentication successful. Your Buddy is now Authenticated (Even though you just Authenticated your Buddy, she has not Authenticated you. To Authenticate you, she will send you a question)

10. Click OK

11. Go back to the Buddy List window that has been open the whole time. Right-click your Buddie's name and select OTR Settings. The OTR Settings window will open

12. Uncheck Use default OTR settings for this buddy

13. Check Enable private messaging, Automatically initiate private messaging and Require private messaging

14. Whether you want to "log OTR conversations" is up to you. Personally, I do not log anything, just in case Kim Jong-Un gets into my Persistence system. Then again, the whole point of a Persistence system is so you can save stuff like this, so, to each his own.

15. DONE. Yay!

Other IRC stuff

Adding Another Account:

1. From the Buddy List window, select Accounts > Manage Accounts

2. In the Accounts window, click the Add button

3. The Modify Account window will open

4. IMPORTANT - There are 1000's of IRC networks throughout the world. Many block TOR IP addresses... meaning they are blocking you. If you are curious, internet searches will turn up other networks and their settings. We will use the irc.oftc.net server.

5. Input the following in the Modify Account window, under the Basic tab:

· for Protocol, select IRC

· for Username, type whatever you want your username to be

· for Server, enter irc.oftc.net

6. Under the Advanced tab:

· for Port, enter 6697 (not 6667)

· for Encodings, enter UTF-8,ISO-8859-1

· for Ident name and Real name, enter the username you created in the Basic tab

· check Use SSL. Leave the rest unchecked

· under the Proxy tab, leave Use Global Proxy Settings as the choice for Proxy type

· click Add

· enable an account by checking the Enabled box for your new account. You can also enable and disable accounts by selecting Accounts in the Buddy List window

· ERROR – If you get an SSL Handshake Failed message, close out the entire messaging program (Buddies > Quit) and then restart it

· once all is well, you will have a fresh, clean Buddy List and a new xxxxxx.oftc.net identity

Sending/Receiving Files

This feature does not work on IRC through the Tor network. Sorry.

Add Buddy Pounce

This is for you to set some notifications

1. Right-click your Buddies' name and select Add Buddy Pounce...

2. Check the boxes that fulfill your Buddies' activity notification desires