[TOR] Dread - There is One and Only One Rule in OpSec

Source: http://g66ol3eb5ujdckzqqfmjsbpdjufmjd5nsgdipvxmsh7rckzlhywlzlqd.onion/post/69a39b3374df8049d5f3

There is One and Only One Rule In OpSec

by /u/HeadJanitor in /d/OpSec


(This post was tremendously longer, so more posts to come on expanding on these subjects, especially in technical detail, even if I have to link posts together in a cohesive way.)

This is going to be a hard read because a lot will expose boldly things you do not want to read, believe, do or know about.

Let me get straight to the point: there is one and only one rule in Operational Security

Rule Number One: Do Not Get Caught

Welcome to the new era of Dread. There is so much chattering and talking over each other than you forget the miracle happens when you take the time to listen, i.e. read. So, in this long-drawn out post try to read as much of it as you can. Some of it might save you down the line. Some of It is sure to piss you off. But it’s in the listening (or, in this case, the reading that we connect with each other and hear what has to be said.) But that’s okay about the chattering, because everyone’s word ought to be heard; especially the minority opinion.

I apologize in advance if some of the things below don’t meet your jurisdiction or geography but the principles are the same.

Recently, /u/stephenhawking69,

Asked me, “Fair enough, and excellent answer. However, isn’t measuring the plausible deniability of activities a strong component of OpSec? This question wouldn’t have even occurred to me until I read various OpSec defensive measures that made simple effective arguments as to how those measures provided very tricky legal problems for criminal prosecution. Where would defense strategies after the fact fit into the question of how to secure one’s freedom? This also begs the question, what is the threshold of evidence at which point doubt cannot be inferred as to the operation in a legal context? How does this impact an OpSec threat model?

EDIT: For example, there is little trace of evidence in this type of operation, and no evidence which cannot be plausibly denied, so the Red Team does not have significant attack vectors against Blue Team in this operation.”

I replied with:

/u/HeadJanitor P Moderator:
Eventually, when I have time, which is rare, I am going to write a comprehensive post and in it I am going to lay out two rules for OpSec.

Rule # 1 – Do not get caught.

Plausible deniability comes, again, after the fact. You are now a person on interest. You lost your anonymity.

What I try to aim for here on Dread is to keep you safe by keeping you aware. I’ve been around. All around. More than you should know and it doesn’t make a single difference because the message I carry applies to the person with one day as it does with someone with a years of successful vending.

Remember this: (I’m writing it atop, so it must be important): law enforcement can make all the mistakes they can, but you can’t make a single mistake. Sure, you can get lucky and catch a break. But don’t play with probabilities and you certainly can’t go back in time and clean up that one, single mistake.)

I want to eradicate some myths and expose some facts. Ouch, these facts may hurt you. But, it’s in your best interest that you read them because I’ve spent a lot of time studying them and seeing them in practice.

If you quote for me anything, make sure it is this:

“Your sole protector on the darknet is PGP.”

Learn how to use it. Know what it does. And why we have to use it in the first place and not do business or communicate with people who don’t use it.

Now, I will explain this rule on both a macro and micro level so that it becomes clear why we have to do the things we have to do.
What is the goal on an Onion? To be a hidden service. That means you can’t find it in ordinary ways. You are lead to it, blindly.

What is your goal? Not to leave a trail behind. To leave no trace of ever having been there, done that, got that. You were never there.

Do Not Get Caught — What the hell does that even mean? You all know this.

On a macro scale:

The Laws You All Know
Do Not Get Caught Buying
Do Not Get Caught Buying a controlled substance [21 USC § 802(6)]
Do Not Get Caught Selling (21 U.S.C. Section 841)
Do Not Get Caught Vending (21 U.S.C. Section 841)
Do Not Get Caught Drop-Shipping (21 U.S.C. Section 841)
Do Not Get Caught Pressing Compounds
Do Not Get Caught Hoarding Controlled Substances {Section 201 (c), (21 U.S.C. § 811 (c))}
Do Not Get Caught Importing Foreign-Sold Controlled Substances {Section 801(d)(1)(B) of the Federal Food, Drug, and Cosmetic Act}

Do Not Get Caught Hacking (18 U.S.C. § 1030)
Do Not Get Caught with Possession
Do Not Get Caught with possession or possession with intent to supply
Do Not Get Caught with narcotics trafficking (21 U.S.C. Section 841)
Do Not Get Caught with federal drug trafficking
Do Not Get Caught with distribution of controlled substances
Do Not Get Caught with money laundering (18 U.S.C. Section 1956).
Do Not Get Caught and be charged with one count of possessing a controlled substance with intent to distribute for bringing packages containing a controlled substance across state lines using the USPS Postal Delivery system.
Do Not Get Caught being on the darknet, period. Meaning, do not tell people in your life that you go on the darknet. The darknet has bad connotations. They see shows and it references murder-for-hire and human-trafficking and pedophilia and horrendous crimes and you fall into the class of a sicko.
Receiving Drugs in the Mail is a Federal Offense: that means do not sign for anything. Be polite. “Sorry, I don’t know the sender, I can’t sign for this. There is a lot of fraud out there. Thank you, though.”

So, in OpSec, we hope for the best and prepare for the worst and this gives us peace of mind. OpSec allows us to prepare, to do reconnaissance, to do counter-intelligence, to obtain all the information we need to get the job done, to clear the attack surface, to prepare our tools, and leave not a single trace behind. This allows you to sleep in peace at night.

OpSec allows for the possibility of changing your point of view. This helps you differentiate one thing from another by the experience of moving around it, seeing new aspects of it (often referred to as making the absent present and the present absent), and still retaining the notion that this is the same thing that you saw other aspects of just a moment ago

Your safety depends on encryption. Not on Tor, not on your VPN, not on your email provider. Encryption is your line of defense on the darknet. PGP. Encrypt everything and verify everything.

If your vendor sends you plain-text. Respond to him to encrypt it to you. Do not be intimidated. Your safety is on the line, as is your future because the darknet is and always will be ephemeral and that market and that vendor will one day not exist but the plaintext you left behind will because computers never forget the traces you left behind.

Never Tie Identities

The killing zone: never tie any of your many identities to your identity on the darknet.
Some people may do this out of the need to feel a sense of importance or special.

Not to Reddit, not to Reentry, not to Discord, not to Guilded, not to Keybase, not to Telegram, not to any of these places because a leak of your Source IP will give you away. That’s all it will take.

The darknet is not a place to find yourself or welcome back the people of the past. It is a place to cover how you got there, your traces, your path, and most importantly, that you leave nothing of yourself, your true identity behind. Some have pride: they are stubborn and arrogant. Complacence: If it’s worked fine all this time, it will continue to be fine
Egotism: I am special, I’m different than the rest. I’ve gotten away so far!
Some want recognition: this person remembered me from reentry, discord, keybase!

Your goal is that if the finger is ever pointed at you—sorry, you were never there.

Is this not the principle of anonymity?

If it isn’t then you have a false perspective of the darknet where a persona matters to you.

What is Tor based on?
→ Privacy
→ Anonymity
→ Encryption
When you visit an onion your goal is to blend in and look like everyone else.
(Read up on fingerprinting and why we can’t have add-on extensions and so on.)

So what is Tor?

What is Tor, Tor is a browser, Tor is a protocol, Tor is a client that acts as a socks proxy that you connect your applications to. When your applications connect to this socks proxy they are translated into what Tor calls streams, these streams are then multiplexed onto encrypted streams that Tor calls “circuits”. [b]These circuits are multiplexed over TLS between the individuals nodes that are geographically spread across the world in a specific design to keep you safe at at a distance from a nearby hop so that you are never compromised. It has been thought out.

I’ve gone on too long. I will end it with this.

Never Tie Identities

  1. Most people are so complacent that they use the same VPN server each time, making them stick out more.

  2. If there are two downfalls it is your VPN and BTC.

If you connect to a VPN over Tor, this traffic separation goes away completely. You build a single circuit through the Tor network, and over this circuit you connect to Gmail, Yahoo and God knows what else. All your traffic travels the same path right next to each other. Worse, you may have even broken the local state separation of the Tor browser.

I bet 90% of people never change their VPN server.
I bet 99% never see the traceroute that it takes 4 hops to get to Luxembourg.

Do not trust your VPN

Do not use a VPN before Tor.

More on this in another post.

I use a VPN. And I trust it. To an extent. But I’ve witnessed its failures many times.

Do not trust your VPN. If you think you are connecting to Luxembourg and it takes 4 hops, you are connecting to the next state over with a Luxembourg IP or a New York IP. You’re being fooled!

All those rankings about “the top 10 best VPNs” are paid for. They’re all owned by the mostly the same companies.

Your VPN is basically your 2nd ISP. They de-encapsulate your packet, read it, encapsulate it and send it to the next rented ISP and so on. They may not log your activity but you can be 100% sure they know your Source IP—that is, your residential IP. And one subpoena will give you away completely.

The whole purpose behind Tor is to make everyone look the same, If 10% of the population used a VPN before Tor then you stick out.

When you’re using Tor, you have to be a different person entirely. Tor is only a tool that anonymizes your connection.

The Tor network is made to protect your IP address adding extra things help unless you are a extremely targeted individual and do so with special care with a full understanding of the reasoning behind the extra layers.

An actual VPN can de-anonymize you, and you’re placing your trust in a quasi-rented VPN provider.

VPNs are only good for 2 things: hiding your activity from ISP # 1 and your geography ISP from # 1 and giving websites you visit a different IP than your actual one.

If you live in America, how often have you received a complaint about Tor? Probably never.

The VPN company sees both ends of your traffic. It sees it all.

By doing so you essentially create either a permanent entry or exit node, a fingerprint that says that that user connected to New York as a he always does at 8:43 PM EST with this browser, this version, the computer, this resolution, and so, so, so much more.

It is so important to know that by specification design the way that Tor is built is that each hop must be in a different country so that there is no collusion. So you go from Germany, Finland, Netherlands, to Venezuela. Whereas with a VPN you are given an IP from Luxembourg but on a server in Delaware—a single point of compromise.

Myth: VPNs do not work on cell phones. Especially on the iOS. It will always leaks your IP.

Check your weather, check your GPS, check your maps, etc.
(Page 7, Section 5.4.2)
https://papers.mathyvanhoef.com/usenix2023-tunnelcrack.pdf
https://www.researchgate.net/publication/375616995_Tunnel_Crack_Detection_Method_and_Crack_Image_Processing_Algorithm_Based_on_Improved_Retinex_and_Deep_Learning
TunnelCrack: Widespread design flaws in VPN clients
https://dl.acm.org/doi/pdf/10.1145/3278532.3278570

On secure email hosting.

There is no secure email provider, stop trying to find one. Email is an insecure form of communication. Law enforcement loves email because it provides them with a confession, the time, the date, the parties, and often people will use the Drafts folder as a container of information. Any information sent via email is not protected from being intercepted by third-party attackers. Your email messages may be accessed by your email provider as it is on their servers. You have no governance over retention rules or archiving practices on the receiving side. Documents that should have limited lifespans can potentially live forever on a server with data retention or no deletion practices that you would not know about.
Messages and files that are encrypted and cannot be read by third-party attackers. E-mail messages remain vulnerable to exposure long after delivery. E-mail is susceptible to eavesdropping in transit. Sniffers can be used to read emails as they are moving across the network. Email gets sent through many servers between the sender and the recipient. Any one of those servers could be intercepting and saving that email.
The addition of the SSL/TLS security handshake into SMTP, creating SMTPS, provides confidentiality on the first leg of the trip (from your computer to your “home” e-mail server). That’s all; you can’t enforce confidentiality along any other leg of the trip, and the other three aspects of InfoSec are unaffected.

So simply: Never send sensitive information in clear text.

MORE ON THIS IN ANOTHER POST.

STOP WASTING YOUR TIME IN SEARCH OF SOMETHING THAT DOESN’T EXIST.

Real-Life Anonymity

Do not ever reveal to anyone that you have drawn a connection to the darknet.
You have to bury this aspect of your life out of view, out of sight, out of the possibility of a leak, of things you didn’t plan for one, three, seven years from now. You were never here. Do you understand?
You must maintain the framework that the darknet doesn’t exist in your life.
You’ve crossed the line. Now you must conceal your trail.

Evolve, Adapt

What does not mean? Do not get attached to sentimentality. Upgrade your PGP key. Upgrade your browser. Encrypt your hard drives. Do not fall into a romance with the darknet.

But I love my username.
“But I don’t want to change my 2,048 cipher because I’ve had it for so long.”
Are you still using Windows 3.1, Windows XP, Windows 7?
Sentimentality will be your ruin on the darknet if you do not place OpSec first. Do not get attached to the fleeting. Stay protected by evolving.

Constantly update your BIOS/UEFI, drives, PGP, Tor browser. Do not slack off on this.

Don’t get attached to your identity. Unless you are here to be here. Meaning you are rank and file in the darknet. You are either a vendor or an admin. But know that if you create a lasting identity here, you are now a recorded history of the darknet permanently and you have sacrificed anonymity and without scaring you, you are being watched.

The darknet is ephemeral. This is not a theory.

The NSA hire firms to scrape all darknet markets 24/7. You are cached.

3 Likes