TyperTech
Regular Member
- Joined
- Feb 26, 2024
- Posts
- 44
- Reaction score
- 0
- Status
- Offline
- Last Seen
A Dreadful Toolkit- Miscellaneous Notes on Computers and Opsec (Chapter 4)
by /u/AgentOrange230 • 3 years ago* in /d/OpSec
Since there's money and shiny things on offer, I thought I'd try writing for the HunDREADs competition. It got a bit out of hand, so it's split over multiple articles. The table of contents and introduction are at the index⚠️.
Pennywise, Clown Foolish?
Making Money Work, Privately and Anonymously + Conclusion
Like it or hate it, money makes the world go round. Whether you're using the dark web to deal drugs, buy them, or get CC data, you'll need some way to pay or make a profit with the same anonymity and privacy the rest of your opsec measures are devoted to protecting. Traditionally this has been cash. It's still not a bad choice for low-stakes uses: there's no central repository of currency owners, it's fungible (valued independently of its history or origins), and it holds its value well over time. But in 2008 a better alternative came out of nowhere.
Cryptocurrencies
It was in November that year Mr(s) Satoshi Nakamoto published a paper to a public cryptography mailing list⁴⁵. It described a way to maintain a strict consensus on the distribution of money in a network by regularly solving problems that link to its history of transactions. By making these difficult enough a consensus history (documented in this blockchain of data and solutions) to the problems is reached. Notably, it builds on the massive amount of computing power the problems require, instead of with a central bank or similar keeping track of it and everyone else following that. Two months after this initial publication (s)he would implement this in a network called BitCoin- the first currency using such a technology, or cryptocurrency. Users could, with software wallets, obtain a public/private key pair that they then used to accept and make payments in a pseudonymous manner.
In some perhaps poetic irony, Satoshi Nakamoto is itself a pseudonym. Three years after first appearing suddenly Nakamoto disappeared: 6-700,000 BTC and an identity remain largely untouched some 9 years on, even without any shortage of speculation and investigation⁴⁵. It's an act of great self-restraint in a world where the attention of investors has pushed the value of one coin over $1000 USD and fueled the growth of many alternative cryptocurrencies to a similar degree. Yet they remain more than an investment fad.
Privacy and Anonymity in Transactions
While the original kid on the block remains popular for dark web trading, BitCoin isn't the best option. Buyers will sadly still need to plan for it, but sellers should never offer to take it unless a customer explicitly requests it unless they want to lose money to transaction fees. Privacy coins, which have at heart refined mathematical techniques to offer privacy and anonymity on top of the blockchain, have sprung up in the last decade and are a much better option for supporting good opsec in a high-stakes environment- chief among their charge Monero.
It's a critical distinction that gets ignored in popular discussion. BitCoin is only pseudonymous, and will give up all your secrets to anybody with an internet connection if they catch you making a transaction even once. In that sense, it's worse for privacy than using a credit card! Monero is, though- there is $625,000 on offer from the IRS for anybody who can crack it⁴⁶! That only applies, of course, if you don’t intentionally de-anonymize yourself, as exchanges with Know Your Ccustomer policies or requirements will demand. Unless you happen to have connections or live somewhere with weak money laundering laws, this will probably rule out using major institutions.
What BitCoin is is secure. You occasionally hear of people losing large amounts of it in hacks, but these haven't been on the blockchain itself- just online wallets and exchanges⁴⁷. As long as you do your best to avoid these or at least choose trusted services such as xmr.to, you should be reasonably safe from such attacks.
Tricks for Using Cryptocurrency as an Opsec Tool
Taking the above into mind, as well as everything previously, there's some important considerations in using cryptocurrency:
Store currency in a offline wallet software (e.g. Electrum, FeatherWallet) passing through Tor. This keeps your cryptographic keys under your control and maintains their anonymity.
Don’t spend directly from exchanges! They can monitor incoming and outgoing transactions from their wallets just like you can from yours, so use an offline wallet to keep your coins safe.
Convert any BitCoin you obtain into Monero at a trusted exchange, and then (if necessary) convert Monero into BitCoin for spending. The two transactions won't be linked thanks to the anonymity Monero provides, allowing you to move BitCoin between (for example) an address you use to store BitCoin purchased in person and an address for buying illicit goods.
Use decentralized and open source exchanges like Bisq⁴⁸ as a way of maintaining anonymity at this stage of the process.
Don't allow your chain of transactions to become fodder for a correlation attack. That means purchasing more cryptocurrency than you need if you're buyer so an adversary can't guess what a purchase is based on the price. For sellers, it means cashing out at irregular intervals to keep withdrawals from being tied to sales.
Finally, as a summary to both this section and the whole guide, always know that there is no such thing as too much opsec. If a measure isn't too expensive or difficult to implement, and doesn't actually hurt your opsec or lead you to neglect a more important measure, it doesn't matter whether it helps. The important thing about the process, whether it be moving Monero from one wallet to another for extra peace of mind as some people like to do, blocking JavaScript in about:config on Tor Browser, or using a separate computer to access the deep web from the one you use day-to-day, is that it keeps opsec at the front of your mind. It is your mind that is ultimately the most powerful defense against an adversary seeking your information, so never forget to use it.
by /u/AgentOrange230 • 3 years ago* in /d/OpSec
Since there's money and shiny things on offer, I thought I'd try writing for the HunDREADs competition. It got a bit out of hand, so it's split over multiple articles. The table of contents and introduction are at the index⚠️.
Pennywise, Clown Foolish?
Making Money Work, Privately and Anonymously + Conclusion
Like it or hate it, money makes the world go round. Whether you're using the dark web to deal drugs, buy them, or get CC data, you'll need some way to pay or make a profit with the same anonymity and privacy the rest of your opsec measures are devoted to protecting. Traditionally this has been cash. It's still not a bad choice for low-stakes uses: there's no central repository of currency owners, it's fungible (valued independently of its history or origins), and it holds its value well over time. But in 2008 a better alternative came out of nowhere.
Cryptocurrencies
It was in November that year Mr(s) Satoshi Nakamoto published a paper to a public cryptography mailing list⁴⁵. It described a way to maintain a strict consensus on the distribution of money in a network by regularly solving problems that link to its history of transactions. By making these difficult enough a consensus history (documented in this blockchain of data and solutions) to the problems is reached. Notably, it builds on the massive amount of computing power the problems require, instead of with a central bank or similar keeping track of it and everyone else following that. Two months after this initial publication (s)he would implement this in a network called BitCoin- the first currency using such a technology, or cryptocurrency. Users could, with software wallets, obtain a public/private key pair that they then used to accept and make payments in a pseudonymous manner.
In some perhaps poetic irony, Satoshi Nakamoto is itself a pseudonym. Three years after first appearing suddenly Nakamoto disappeared: 6-700,000 BTC and an identity remain largely untouched some 9 years on, even without any shortage of speculation and investigation⁴⁵. It's an act of great self-restraint in a world where the attention of investors has pushed the value of one coin over $1000 USD and fueled the growth of many alternative cryptocurrencies to a similar degree. Yet they remain more than an investment fad.
Privacy and Anonymity in Transactions
While the original kid on the block remains popular for dark web trading, BitCoin isn't the best option. Buyers will sadly still need to plan for it, but sellers should never offer to take it unless a customer explicitly requests it unless they want to lose money to transaction fees. Privacy coins, which have at heart refined mathematical techniques to offer privacy and anonymity on top of the blockchain, have sprung up in the last decade and are a much better option for supporting good opsec in a high-stakes environment- chief among their charge Monero.
It's a critical distinction that gets ignored in popular discussion. BitCoin is only pseudonymous, and will give up all your secrets to anybody with an internet connection if they catch you making a transaction even once. In that sense, it's worse for privacy than using a credit card! Monero is, though- there is $625,000 on offer from the IRS for anybody who can crack it⁴⁶! That only applies, of course, if you don’t intentionally de-anonymize yourself, as exchanges with Know Your Ccustomer policies or requirements will demand. Unless you happen to have connections or live somewhere with weak money laundering laws, this will probably rule out using major institutions.
What BitCoin is is secure. You occasionally hear of people losing large amounts of it in hacks, but these haven't been on the blockchain itself- just online wallets and exchanges⁴⁷. As long as you do your best to avoid these or at least choose trusted services such as xmr.to, you should be reasonably safe from such attacks.
Tricks for Using Cryptocurrency as an Opsec Tool
Taking the above into mind, as well as everything previously, there's some important considerations in using cryptocurrency:
Store currency in a offline wallet software (e.g. Electrum, FeatherWallet) passing through Tor. This keeps your cryptographic keys under your control and maintains their anonymity.
Don’t spend directly from exchanges! They can monitor incoming and outgoing transactions from their wallets just like you can from yours, so use an offline wallet to keep your coins safe.
Convert any BitCoin you obtain into Monero at a trusted exchange, and then (if necessary) convert Monero into BitCoin for spending. The two transactions won't be linked thanks to the anonymity Monero provides, allowing you to move BitCoin between (for example) an address you use to store BitCoin purchased in person and an address for buying illicit goods.
Use decentralized and open source exchanges like Bisq⁴⁸ as a way of maintaining anonymity at this stage of the process.
Don't allow your chain of transactions to become fodder for a correlation attack. That means purchasing more cryptocurrency than you need if you're buyer so an adversary can't guess what a purchase is based on the price. For sellers, it means cashing out at irregular intervals to keep withdrawals from being tied to sales.
Finally, as a summary to both this section and the whole guide, always know that there is no such thing as too much opsec. If a measure isn't too expensive or difficult to implement, and doesn't actually hurt your opsec or lead you to neglect a more important measure, it doesn't matter whether it helps. The important thing about the process, whether it be moving Monero from one wallet to another for extra peace of mind as some people like to do, blocking JavaScript in about:config on Tor Browser, or using a separate computer to access the deep web from the one you use day-to-day, is that it keeps opsec at the front of your mind. It is your mind that is ultimately the most powerful defense against an adversary seeking your information, so never forget to use it.