diff --git a/src/chapter_03_publishing_and_distribution/00_publishing_anonymously.md b/src/chapter_03_publishing_and_distribution/00_publishing_anonymously.md index 92ab578..e7a68c1 100644 --- a/src/chapter_03_publishing_and_distribution/00_publishing_anonymously.md +++ b/src/chapter_03_publishing_and_distribution/00_publishing_anonymously.md @@ -3,26 +3,117 @@ Publishing Anonymously Whether you are an activist operating under a totalitarian regime, an employee determined to expose some wrongdoings in your company or a vengeful writer composing a bitchy portrait of your ex-wife, you need to protect your identity. If you are not collaborating with others, the focus lies on anonymity and not encryption or privacy. -If the message is urgent and the stakes are high, one easy way to just get it out quickly is going to an internet cafe one usually does not frequent, create accounts specifically set up for the task, deliver the data and discard those accounts right after that. If you are in a hurry, consider MintEmail ([http://www.mintemail.com/](http://www.mintemail.com/)) or FilzMail ([http://www.filzmail.com/](http://www.filzmail.com/)), where your address will expire from 3 to 24 hours respectively. Do not do anything else while you're there; do not check your Gmail account, do not have a quick one on Facebook and clear all cache, cookies and history and close the browser before you leave. + +If the message is urgent and the stakes are high, one easy way to just get it out quickly is going to an internet cafe one usually does not frequent, create accounts specifically set up for the task, deliver the data and discard those accounts right after that. Do not do anything else while you're there; do not check your Gmail account, do not have a quick one on Facebook and clear all cache, cookies and history and close the browser before you leave. If you keep these basic rules, the worst – though highly improbable – thing that could happen would be that the offered computer is compromised and logging keystrokes, revealing passwords or even your face, in case an attached webcam is remotely operated. Do not do this at work or in a place where you are a registered member or a regular visitor, like a club or a library. -If you want to maintain a constant stream of communication and maybe even establish an audience, this method quickly becomes quite cumbersome, and you might also run out of unused internet cafes. In this case you can use a machine you own, but, if you cannot dedicate one especially to this purpose, boot your computer with a different operating system (OS). This can be easily done by using a USB stick to boot a live operating system like Tails ([https://tails.boum.org/](https://tails.boum.org/)), which comes with Tor enabled by default and includes state-of-the-art cryptographic tools. In any case, use Tor to disguise your IP. -Turn off all cookies, history and cache options and never use the same profile or the same browser for other activities. Not only would that add data to your topography as a user in the Net, but it also opens a very wide window for mistakes. If you want extra support, install *Do Not Track Plus* and *Trackerblock* or *Ghostery* in your browser add-ons menu. +One of the best ways to get your information out there is to create a blog. While blogging is a great way for sharing but it has it's own set of obstacles. Here we will cover some of the things you need to know before you start your own anonymous blog. + + + + +Using a Dedicated Laptop +--- + +It's advised to use a dedicated laptop. Don't blog on your personal laptop that you use daily. You should buy your burner laptop with cash instead of using a credit card. Never store anything personal on that laptop that could be associated to you. If you are using a password manager such as KeePassXC on your personal machine, don't have a copy of your database on this laptop, create a new database for this machine. + + +If you bought a used laptop, wipe it. Although you can install a linux distro and start blogging, we recommend using **Tails OS**. + Use passwords for different accounts and choose proper passwords or even passphrases (more about that in the basic tips section). Protect your entire system with a general password, change it often and do not share it with anyone, *especially* not your lover. Install a keystroke logger to see if someone sneaks into your email, especially your lover. Set up your preferences everywhere to log out of every service and platform after 5 minutes of non-use. Keep your superhero identity to yourself. If you can mantain such level of discipline, you should even be capable of using your own internet connection. But consider this: not using a dedicated system makes it incredibly difficult to keep all the different identities separated in a safe way, and the feeling of safety often leads to carelessness. Keep a healthy level of neurosis. -Today there are many publishing possibilities, from cost-free blogging sites (Blogspot, Tumblr, WordPress, Identi.ca) to PasteBins (see glossary) and some specifically catered to anonymous users like BlogACause. Global Voices Advocacy recommends using WordPress through the Tor network. Keep a sane level of cynicism; they all act in commercial interests that you use for 'free' and so cannot be trusted at all, especially in that they may be bound to the demands of a legal jurisdiction that is not your own. All providers are, when it comes down to it, traitors. -If registration with these services requires a working email address, create one dedicated solely to this purpose. Avoid Gmail, Yahoo, Hotmail and other big commercial platforms with a history of turning over their users and go for an specialized service like Hushmail ([https://www.hushmail.com/](https://www.hushmail.com/)). For more on anonymous email, please find the chapter Anonymous email in the previous section. + +What is Tails OS? +--- + +Tails OS is a linux distro based on Debian which forces all connections to go through Tor network. Tails is also amnesic which means everytime you turn off your laptop Tails forgets everything and nothing is stored since everything is stored in the RAM. Each time you boot your system from your USB stick, your system is fresh. If any malware was installed the day before, the next time you boot your system it won't be there. + +How To Use Tails OS +--- + +First off, you need a USB stick (8 GB minimum) or a recordable DVD. To use Tails get the latest version from [Tails download page](https://tails.boum.org/index.en.html). + + +After downloading the image, verify it. Now we need to flash Tails on our USB stick. You can use [Etcher](https://www.balena.io/etcher/) for this purpose. If you already have another application for flashing USB sticks and you are comfortable with it, use that. + +Download the latest version of Etcher and install it on your machine. After the installation, launch the application and select Tails image to burn it on your stick. This may take a few minutes. Close Etcher and but leave the USB stick plugged in. + +Restart your machine. Press the boot menu key and select Tails. + +![Tails Boot](tails_boot.png) + +You will see a screen similar to this: + +![Tails Welcome Screen](tails_welcome.png) + +The default settings are considered safe but if you want to add a custom setting, press '+' icon. + +If Tor network is blocked in your country you can use a bridge to bypass that. Now everything you do will pass through Tor network. For more information you can read Tails documentation. Now you're ready to start blogging. + +Don't Use Tails Inside a Virtual Machine +--- + +Although you can download the image from Tails download page and create a virtual machine and blog there instead of booting from the usb stick, we don't recommend that. Why? + +The host operating system and the virtualization software are able to monitor your activities. It's also possible that your host machine is compromised. + +The virtualization software may also leave traces. Therefore we don't recommend using a virtualization software to run Tails. + + + +Blogging Platforms +--- + +Today there are many publishing possibilities, from cost-free blogging sites to PasteBins (see glossary). Some blogging platforms include: + +1. Github Pages +2. WordPress +3. Blogger +4. Tumblr +5. Write.as + +We covered how to set up a burner laptop to run Tails, now it's time to choose one blogging platform. Each of these platforms have their own pros and cons. For example WordPress is widely used and there are lots of templates and tutorials for it. Although, WordPress is not considered unsafe. + +Keep a sane level of cynicism; they all act in commercial interests that you use for 'free' and so cannot be trusted at all, especially in that they may be bound to the demands of a legal jurisdiction that is not your own. All providers are, when it comes down to it, traitors. + +If registration with these services requires a working email address, create one dedicated solely to this purpose and do not use personal information for that email account. Avoid Gmail, Yahoo and other big commercial platforms with a history of turning over their users. + + +For more on anonymous email, please find the chapter Anonymous email in the previous section. + + +Public Network vs. Home Network +--- + +Using Tails daily may raise some suspicions by your ISP or your government. Some suggest using a public network would be a good counter-measure. + +Using a public network has few downsides: + +1. Public Networks log information about your device (such as your MAC address) +2. If you're using a coffee shop's network, there are CCTV's around which could be used to identify you. + +If you decide to use a public network in a library or coffee shop, never leave your machine unattended. Change your MAC address every time you connect to a network. Encrypt all your traffic. + + +Stylometry +--- + +Remember that if you are being targeted your adversary may use stylometry to identify you. Stylometry analyzes a person's writing style and it could be used to de-anonymize you. Word choice, sentence structure, syntax and punctuation can be used to de-anonymize you. + +There is an application named [Anonymouth](https://github.com/psal/anonymouth) which could be used to anonymize your documents. Unfortunately the installation process is not very easy. One other way to to obfuscate your text is to run your text through a couple of translators. For example: + +English > Norwegian > Japanese > English Several Don'ts -------------- -**Don't register a domain.** There are services that will protect your identity from a simple who is query, like Anonymous Speech or Silent Register, but they will know who you are through your payment data. Unless you have the chance to purchase one in BitCoins, limit yourself to one of the domains offered by your blogging platform like yourblogname.blogspot.com and choose a setting outside your native country. Also, find a name that does not give you away easily. If you have problems with that, use a blog name generator online. +**Don't register a domain.** There are services that will protect your identity from a simple who is query, like Anonymous Speech or Silent Register, but they will know who you are through your payment data. Unless you have the chance to purchase one using prepaid card or cryptocurrency, limit yourself to one of the domains offered by your blogging platform like yourblogname.blogspot.com and choose a setting outside your native country. Also, find a name that does not give you away easily. If you have problems with that, use a blog name generator online. **Don't open a social network account associated to your blog.** If you must, keep the level of hygiene that you keep for blogging and never ever login while using your regular browser. If you have a public social network life, avoid it all together. You will eventually make a mistake. @@ -35,3 +126,5 @@ Several Don'ts **Don't expect it to last.** If you hit the pot and become a blogging sensation (like *Belle de Jour*, the British PhD candidate who became a sensation and sold a book and mused two TV shows about her double life as a high escort) there will be a legion of journalists, tax auditors and obsessive fans scrutinizing your every move. You are only human: they will get to you. **Don't linger.** If you realize you have already made any mistakes but nobody has caught you yet, do close all your accounts, cover your tracks and start a totally new identity. The Internet has infinite memory: one strike, and you're out of the closet. + +**Don't reveal personal details.** Don't talk about weather, your setup, your education, your job, etc. This all could be used to identify you. diff --git a/src/chapter_03_publishing_and_distribution/tails_boot.png b/src/chapter_03_publishing_and_distribution/tails_boot.png new file mode 100644 index 0000000..6c8c3bf Binary files /dev/null and b/src/chapter_03_publishing_and_distribution/tails_boot.png differ diff --git a/src/chapter_03_publishing_and_distribution/tails_welcome.png b/src/chapter_03_publishing_and_distribution/tails_welcome.png new file mode 100644 index 0000000..dfdcd42 Binary files /dev/null and b/src/chapter_03_publishing_and_distribution/tails_welcome.png differ diff --git a/src/chapter_13_secure_file_sharing/03_torrent.md b/src/chapter_13_secure_file_sharing/03_torrent.md new file mode 100644 index 0000000..94aa127 --- /dev/null +++ b/src/chapter_13_secure_file_sharing/03_torrent.md @@ -0,0 +1,84 @@ +# Torrent + +BitTorrent +---------- + +BitTorrent is a peer-to-peer (P2P) protocol that facilitates distribution of data stored across multiple nodes/participants of the network. There are no central servers or hubs, each node is capable of exchanging data with any other node, sometimes hundreds of them simultaneously. The fact that data is exchanged in parts between numerous nodes allows for great download speeds for popular content on BitTorrent networks, making it quickly the de facto P2P file-sharing platform. + +![Torrenting](How-torrenting-works.png) + + +If you are using BitTorrent to circulate material of ambiguous legality, you should know that enforcement agents typically collect information on allegedly infringing peers by participating in torrent swarms, observing and documenting the behaviour of other peers. The large number of users creates a difficulty for the enforcement system simply at the level of scaling up - there simply are not the resources to pursue every user. Any court case will require actual evidence of data transfer between your client and another (and usually evidence of you uploading), it is enough that you provide even part of the file, not the file in its entirety, for a prosecution to have legs. But if you prefer to lean towards greater caution, you should use a VPN to route your BitTorrent traffic, as detailed in the **Using VPN** chapter. + +Leeching (downloading) of a file from BitTorrent network begins with a *torrent file* or *magnet link*. A torrent file is a small file containing information on the larger files you want to download. The torrent file tells your torrent client the names of the files being shared, a URL for the *tracker* and a *hash* code, which is a unique code representing, and derived from, the underlying file - kind of like an ID or catalog number. The client can use that hash to find others seeding (uploading) those files, so you can download from their computers and check the authenticity of the chunks as they arrive. + +A *Magnet Link* does away with the need for a torrent file and is essentially a hyperlink containing a description for that torrent, which your torrent client can immediately use to start finding people sharing the file you are willing to download. Magnet links do not require a tracker, instead they rely on *Distributed Hash Table (DHT)* - which you can read more about in the Glossary - and *Peer Exchange*. Magnet links do not refer to a file by its location (e.g. by IP addresses of people who have the file, or URL) but rather defines search parameters by which this file can be found. When a magnet link is loaded, the torrent client initiates an availability search which is broadcast to other nodes and is basically a shout-out "who's got anything matching this hash?!". Torrent client then connects to the nodes which responded to the shout-out and begins to download the file. + +BitTorrent uses encryption to prevent providers and other man-in-the-middle from blocking and sniffing your traffic based on the content you exchange. Since BitTorrent swarms (flocks of seeders and leechers) are free for everyone to join it is possible for anyone to join a swarm and gather information about all connected peers. Using magnet links will not prevent you from being seen in a swarm; any of the nodes sharing the same file must communicate between each-other and thus, if just one of the nodes in your swarm is rogue, it will be able to see your IP address. It will also be able to determine if you are seeding the data by sending your node a download request. + +One important aspect of using BitTorrent is worth a special mention. Every chunk of data that you receive (leech) is being instantly shared (seeded) with other BitTorrent users. Thus, a process of downloading transforms into a process of (involuntary) publishing, using a legal term - *making available* of that data, before the download is even complete. While BitTorrent is often used to re-distribute freely available and legitimate software, movies, music and other materials, its "making available" capacity created a lot of controversy and led to endless legal battles between copyright holders and facilitators of BitTorrent platforms. At the moment of writing this text, the co-founder of *The Pirate Bay* Gottfrid Svartholm is being detained by Swedish police after an international warrant was issued against him. + +For these reasons, and a public relations campaign by copyright holders, use of BitTorrent platforms has become practically analogous to piracy. And while the meaning of terms such as piracy, copyright and ownership in digital context is yet to be settled, many ordinary BitTorrent users have been already prosecuted on the basis of breaking copyright laws. + +Most torrent clients allow you to block IP addresses of known copyright trolls using blacklists. Instead of using public torrents one can also join closed trackers or use BitTorrent over VPN or Tor. + +In situations when you feel that you should be worried about your BitTorrent traffic and it's anonymity go through the following check-list: + + * Check if your torrent client supports peer-blacklists. + * Check if the peer-blacklist definitions are updated on a daily basis. + * Make sure your client supports all recent protocols - DHT, PEX and Magnet links. + * Choose a torrent client that supports encrypted peers and enable it. + * Upgrade or change your torrent client if any of the above mentioned options is not available. + * Use VPN connection to disguise your BitTorrent traffic from your ISP. Make sure your VPN provider allows P2P traffic. See more tips and recommendations in Using VPN chapter. + * Do not leech and seed stuff you do not know much about. + * Be suspicious of high ratings and overly-positive comments regarding particular torrent link. + * + +## Installing qBitTorrent + +First you need to install a torrent client. There are many clients out there but we're going to use qBitTorrent since it's open-source and ad-free. It's also available on all platforms. + +To get qBitTorrent go to qBitTorrent's website and download the appropriate installer for your machine. Make sure to verify the download before installing it. When you launch it, you would see a window like this: + + +![qBitTorrent](qbittorrent_0.png) + +## Getting Trackers + +We need to find trackers for our torrent file. There are many sites that share trackers and you can search for "Torrent Tracker List" and open one of the websites. There are bunch of trackers in each list like this: + +![Tracker](tracker.png) + +Usually one tracker suffices but you can use more than one if you want to. Copy the URL and we're ready to create our torrent file. + +Be sure that the files you're sharing comply with your tracker's rules. Spend some time researching the tracker you're going to use. + + +## Creating Own Torrent + +So far we've covered installing qBitTorrent and getting a tracker for our torrent. Now launch qBitTorrent and navigate to 'Tools' and choose 'Torrent Creator'. + +![qBitTorrent](qbittorrent_1.png) + + +Select the file(s) you want to share and and enter the tracker you copied earlier. + +![qBitTorrent](qbittorrent_2.png) + +You also need to specify whether your torrent is private or not. If you selected private tracker then you will be asked for the preference of whether you want to keep this torrent private or not. + +Now Save the torrent file, and share it with whom you want to using email or Signal etc. + +Check "start seeding immediately". + +## Things to consider + +- If your file is sensitive, you should encrypt it before sharing it with other people so only it's accessible to whom you want to share it with. + +- Your ISP may know what you're doing. Especially if you're not using a VPN. Try to find a reputable VPN which is suitable for torrenting. In some cases, VPN providers have provided intelligence to law enforcement agencies to help them catch people. + +- If you're using a VPN make sure it has a kill switch that shuts down your torrent client when the VPN disconnects. + +- Use blocklists in your torrent client. This will reduce your visibility to copyright trolls, ISPs and etc. + +- If you're torrenting a file, be sure to read the comments before downloading it. If there is a problem with the torrent, people write about it. Try to stay away from unknown uploaders since you don't want to get your machine infected. diff --git a/src/chapter_13_secure_file_sharing/How-torrenting-works.png b/src/chapter_13_secure_file_sharing/How-torrenting-works.png new file mode 100644 index 0000000..d08c5dc Binary files /dev/null and b/src/chapter_13_secure_file_sharing/How-torrenting-works.png differ diff --git a/src/chapter_13_secure_file_sharing/qbittorrent_0.png b/src/chapter_13_secure_file_sharing/qbittorrent_0.png new file mode 100644 index 0000000..7102eca Binary files /dev/null and b/src/chapter_13_secure_file_sharing/qbittorrent_0.png differ diff --git a/src/chapter_13_secure_file_sharing/qbittorrent_1.png b/src/chapter_13_secure_file_sharing/qbittorrent_1.png new file mode 100644 index 0000000..f374f58 Binary files /dev/null and b/src/chapter_13_secure_file_sharing/qbittorrent_1.png differ diff --git a/src/chapter_13_secure_file_sharing/qbittorrent_2.png b/src/chapter_13_secure_file_sharing/qbittorrent_2.png new file mode 100644 index 0000000..ae54655 Binary files /dev/null and b/src/chapter_13_secure_file_sharing/qbittorrent_2.png differ diff --git a/src/chapter_13_secure_file_sharing/tracker.png b/src/chapter_13_secure_file_sharing/tracker.png new file mode 100644 index 0000000..07b02ce Binary files /dev/null and b/src/chapter_13_secure_file_sharing/tracker.png differ