How to be Anonymous Online (5 page)
Read How to be Anonymous Online Online
Authors: A. M. Eydie
You DO NOT need to upload your public PGP key to the keyservers in order to sync the other keys. However, if you want your public PGP key publicly available, use the following “sync everything” steps. If you would rather not publicly list your public PGP key, use the following “sync a particular key” steps.
To upload/sync everything...
- Open the
Passwords and Keys
program (
Applications
>
System Tools
>
Preferences
>
Passwords and Keys
), and then import the key in question - Select
Remote
>
Sync and Publish Keys - Click
Key Servers
, and
then choose a keyserver from the
Publish keys to:
drop-down menu and click
Close - Click
Sync - Your personal public PGP key will be uploaded. Also, the other keys will sync to reflect new trust signatures
- Download the following files into one folder...
- Download the program or file
that you will be authenticating (
filename
.iso
,
filename
.txt
,
etc.) - Download the signature file
(it should be
filename.iso
.sig
,
filename.txt.sig
, etc. S
ometimes it has a .pgp or .asc file extension - just rename/change the extension to .sig. - If you do not already have it,
download and import the signing party's public PGP key
, also known as the “
signing key
” (usually
developername
.asc
or
developername
.key
)
Wait for all three files to download before preceding
- If you need to, authenticate the imported public PGP key, aka “
signing key
” (get it in person, check the keyservers, fingerprint or whatever else works for you) - Verify the signature...
- If the signature file does not have a '.sig' extension, rename it (if it is
filename.xxx.asc
, rename it
filename.xxx.sig
)
(
right-click > rename
). - Right-click
filename
.xxx.sig
and select
Open with Verify Signature - In the top-right corner, you will either see
filename.xxx
Good Signature
or
filename.xxx
Unknown Signature
If you
see
filename.xxx
Good Signature
,
you have authenticated the file!
If you
see
filename.xxx
Unknown Signature
,
you have not authenticated the file. Either you did not download the entire file, forgot to import the public PGP key before checking the signature, imported the wrong public PGP key or the signature is wrong or forged.
Here is a real life example using a few demonstration files from my website
- Make sure you are connected to the internet, and then open the
Tor Browser
(
Accessories
>
Internet
>
Tor Browser
) - Go to
https://howtobeanonymousonline.info/pgpkey/ - Right-click 'Anna M Eydie Public PGP Key', and then select
Save Link As - Click
Save
to save
annameydie.asc
. Any location will do - Now, go to
https://howtobeanonymousonline.info/sigtest/ - Right-click '
Some Random File
', and then select
Save Link As - Click
Save
to save
some_random_file.zip
. Any location will do - On the same web page, right-click '
Some Random File Signature
', and then select
Save Link As - Click
Save
to save
some_random_file.zip.sig
. You must save it to the same location as
some_random_file.zip - You can close or minimize the Tor Browser
- Using the
File Manager
(
Applications
>
Accessories
>
Files
), navigate to the location of
annameydie.asc - Right-click
annameydie.asc
, and then select
Open With Import Key
. A '
Key Imported
' message will display in the upper right corner of Tails - Now, navigate to the location of
some_random_file.zip
and
some_random_file.zip.sig - Right-click
some_random_file.zip.sig
, and then select
Open With Verify Signature - A '
some_random_file.zip.sig: Good Signature
' message will display in the upper right corner of Tails
I do not trust email providers. Not a single one. Neither should you.
Since the Snowden scandal erupted, there are service providers touting their non-USA based servers. To me, this means nothing. What do I care if the server is in the United States or not? The United States is not the only country with intelligence agencies that want to read people's email. The only difference between the United States and other countries is Edward Snowden happened to work for the USA, so he blew his whistle on them and fled to Russia. If he worked for the Russians, he would have blown the whistle on them, fled to the United States and received a medal from the President. If he worked for North Korea, he would have been too hungry to blow the community whistle.
Anyway...
- A confirmation method must NOT be required
. Confirming an account requires that you already figured out how to be anonymous for the previous account, which would then mean you do not need a new anonymous account. - JavaScript must NOT be required
since it is a vehicle for malware. - Tor affiliated IP addresses must be allowed
. Gmail, for instance, blocks IP addresses it links to Tor.
s
that meet all three criteria:
You can use any email provider that meets the three criteria. You are not limited to one I mention. However, you are limited by the difficulty in finding providers that meet the criteria (
Hushmail does not meet the criteria
).
*If the limits prove too constricting, I cover alternative email options later in this section*
The risk with email providers is they can change or shutdown at any time. Since I first wrote these instructions, I have had to abandon three email providers. One no longer meets our criteria, another quit accepting new accounts, and a third shutdown. At the moment, one service, Safe-mail.net, meets the three criteria.
[
Latest Update:
a new email service,
https://ruggedinbox.com, now meets the three criteria!]
Safe-mail is not safe!
Do not let anyone tell you otherwise. Its servers are in Israel. It is easy to imagine that a back door is built into their system per government request. Having said that, Safe-mail meets the three criteria. You just have to access the website from within your anonymous system and encrypt messages yourself BEFORE they are uploaded and
sent. If you follow the rules, you do not need to trust the email provider that you use.
- Go to
https://www.safe-mail.net - Click
Sign Up now! - Read about how you give them the right to access your account, and then
Agree
(or Disagree and go home) - Fill the stuff out and click
Sign Up - Congratulations!!
it will say. - From your browser's address bar, go back to
https://www.safe-mail.net
. (if you click the 'Continue to Safe-mail System' button, you are taken to the JavaScript interface. It will not work well) - On the main page, when you sign in you need to select
Fast (no scripts or icons)
from the
Interface
drop-down menu.
The other interface options do not work with JavaScript disabled - If you get a
Security message
,
just click
Continue.
If you get a
Your IP Address has changed...
message, just enter your password and
Continue
Now, you have an anonymous email account.
Anonymous Email is NOT convenient. First of all, since options are limited, you are totally dependent on a service not shutting down or changing its system in a way that is incompatible with your system. Second of all, you might not want an email address that looks anonymous. Your careless boss is going to keep an eye on you, wondering why you need a '@safe-mail.net' email address. To be honest, I would never use Safe-Mail.net. I do not think they have a bad system, I just think using them puts a target on my back.
A now defunct email provider, TorMail, was the source of a major JavaScript exploit in which an attacker was able to insert malware into the systems of Tor users visiting the TorMail website. The malware learned a TorMail user’s real IP address and then reported it back to the attacker. The malware relied on the user having JavaScript enabled in an outdated version of Tor Browser running on a Windows System. Users following this guide were immune to the exploit.
Let us consider four reasons why TorMail and its users were likely targets. First, TorMail was run on servers owned by a small company specializing in anonymity, which also happened to host illegal websites. Second, TorMail was a relatively small, unknown service that happened to be popular among individuals conducting illegal activity. Third, since TorMail was only accessible to Tor users, an attacker was going to put forth the creative energy to unmask its users. Fourth, in the event an attacker was able to access the contents of TorMail accounts (and they did), they could retrieve user's past communications and pseudonyms to link them to physical locations and real identities. Had TorMail been a large company, it is likely they would have had a security team in place to identify and stop attacks in a relatively short amount of time. Also, it would have run from in-house servers, not ones that also hosted someone else's content that may have been a target for seizure. Besides, had it not been billed as some super secret anonymous email provider, nobody would have given it a second look in the first place.
For the sake of inconspicuousness, selectively, thoughtfully breaking the JavaScript rule is not the end of the world. Following, are a few points that might help you decide if breaking the rule for email is right for you.
Instead of Windows, you are running Tails, an open source Linux operating system. This fact alone reduces the likelihood that you fall victim to a malware attack. It makes much more sense for an adversary to develop an attack for Windows than Linux, since Windows has a larger user base. Not only does Linux have a smaller user base, there are numerous variants of Linux within that base. Additionally, being open source and popular, the Tails code has many eyes on it. An attack targeted at more than a few, select Tails users will hurriedly be recognized and rectified by the open source community.
By running Tails from a DVD-R and selecting
No
when prompted at the initial
More Options
screen, you have two layers of security that the TorMail victims did not. Using the DVD denies the ability for a program to carry over from one session to another. Furthermore, when you select
No
from
More Options
, you deny Root Access. Without root access, changes cannot be made to system files
.
There are also some advantages to using a well-known email provider: