There is One and Only One Rule In OpSec

Read the following information on OpSec from HeadJanitor on the Dread Forum.

Let me get straight to the point: there is one and only one rule in Operational Security.

Rule # 1 -- Do not get caught.

Plausible deniability comes, again, after the fact. You are now a person of interest. You lost your anonymity.

Remember this (I'm writing it atop, so it must be important): law enforcement can make all the mistakes they can, but you can't make a single mistake. Sure, you can get lucky and catch a break. But don't play with probabilities and you certainly can't go back in time and clean up that one, single mistake.

If you quote for me anything, make sure it is this:

"Your sole protector on the darknet is PGP."

Learn how to use it. Know what it does. And why we have to use it in the first place and not do business or communicate with people who don't use it.

Now, I will explain this rule on both a macro and micro level so that it becomes clear why we have to do the things we have to do. What is the goal of an Onion? To be a hidden service. That means you can't find it in ordinary ways. You are led to it, blindly.

What is your goal? Not to leave a trail behind. To leave no trace of ever having been there, done that, got that. You were never there.

Do Not Get Caught — What the hell does that even mean? You all know this.

Do Not Get Caught being on the darknet, period. Meaning, do not tell people in your life that you go on the darknet. The darknet has bad connotations. They see shows and it references murder-for-hire and human-trafficking and pedophilia and horrendous crimes and you fall into the class of a sicko.

Receiving Drugs in the Mail is a Federal Offense: that means do not sign for anything. Be polite. "Sorry, I don't know the sender, I can't sign for this. There is a lot of fraud out there. Thank you, though."

So, in OpSec, we hope for the best and prepare for the worst and this gives us peace of mind. OpSec allows us to prepare, to do reconnaissance, to do counter-intelligence, to obtain all the information we need to get the job done, to clear the attack surface, to prepare our tools, and leave not a single trace behind. This allows you to sleep in peace at night.

OpSec allows for the possibility of changing your point of view. This helps you differentiate one thing from another by the experience of moving around it, seeing new aspects of it (often referred to as making the absent present and the present absent), and still retaining the notion that this is the same thing that you saw other aspects of just a moment ago.

Your safety depends on encryption. Not on Tor, not on your VPN, not on your email provider. Encryption is your line of defense on the darknet. PGP. Encrypt everything and verify everything.

If your vendor sends you plain-text, respond to him to encrypt it to you. Do not be intimidated. Your safety is on the line, as is your future because the darknet is and always will be ephemeral and that market and that vendor will one day not exist but the plaintext you left behind will because computers never forget the traces you left behind.

Never Tie Identities

The killing zone: never tie any of your many identities to your identity on the darknet. Some people may do this out of the need to feel a sense of importance or special.

Not to Reddit, not to Reentry, not to Discord, not to Guilded, not to Keybase, not to Telegram, not to any of these places because a leak of your Source IP will give you away. That's all it will take.

The darknet is not a place to find yourself or welcome back the people of the past. It is a place to cover how you got there, your traces, your path, and most importantly, that you leave nothing of yourself, your true identity behind. Some have pride: they are stubborn and arrogant. Complacence: If it's worked fine all this time, it will continue to be fine. Egotism: I am special, I'm different than the rest. I've gotten away so far! Some want recognition: this person remembered me from reentry, discord, keybase!

Your goal is that if the finger is ever pointed at you—sorry, you were never there.

Is this not the principle of anonymity?

If it isn't then you have a false perspective of the darknet where a persona matters to you.

What is Tor based on? → Privacy → Anonymity → Encryption

When you visit an onion your goal is to blend in and look like everyone else. (Read up on fingerprinting and why we can't have add-on extensions and so on.)

So what is Tor?

What is Tor? Tor is a browser, Tor is a protocol, Tor is a client that acts as a socks proxy that you connect your applications to. When your applications connect to this socks proxy they are translated into what Tor calls streams, these streams are then multiplexed onto encrypted streams that Tor calls "circuits". These circuits are multiplexed over TLS between the individual nodes that are geographically spread across the world in a specific design to keep you safe at a distance from a nearby hop so that you are never compromised. It has been thought out.

I've gone on too long. I will end it with this.

Never Tie Identities

1) Most people are so complacent that they use the same VPN server each time, making them stick out more.

2) If there are two downfalls it is your VPN and BTC.

If you connect to a VPN over Tor, this traffic separation goes away completely. You build a single circuit through the Tor network, and over this circuit you connect to Gmail, Yahoo and God knows what else. All your traffic travels the same path right next to each other. Worse, you may have even broken the local state separation of the Tor browser.

I bet 90% of people never change their VPN server. I bet 99% never see the traceroute that it takes 4 hops to get to Luxembourg.

Do not trust your VPN. Do not use a VPN before Tor.

More on this in another post.

I use a VPN. And I trust it. To an extent. But I've witnessed its failures many times.

Do not trust your VPN. If you think you are connecting to Luxembourg and it takes 4 hops, you are connecting to the next state over with a Luxembourg IP or a New York IP. You're being fooled!

All those rankings about "the top 10 best VPNs" are paid for. They're all owned by mostly the same companies.

Your VPN is basically your 2nd ISP. They de-encapsulate your packet, read it, encapsulate it and send it to the next rented ISP and so on. They may not log your activity but you can be 100% sure they know your Source IP—that is, your residential IP. And one subpoena will give you away completely.

The whole purpose behind Tor is to make everyone look the same. If 10% of the population used a VPN before Tor then you stick out.

When you're using Tor, you have to be a different person entirely. Tor is only a tool that anonymizes your connection.

The Tor network is made to protect your IP address; adding extra things won't help unless you are an extremely targeted individual and do so with special care with a full understanding of the reasoning behind the extra layers.

An actual VPN can de-anonymize you, and you're placing your trust in a quasi-rented VPN provider.

VPNs are only good for 2 things: hiding your activity from your ISP and giving websites you visit a different IP than your actual one.

If you live in America, how often have you received a complaint about Tor? Probably never.

The VPN company sees both ends of your traffic. It sees it all.

By doing so you essentially create either a permanent entry or exit node, a fingerprint that says that that user connected to New York as he always does at 8:43 PM EST with this browser, this version, the computer, this resolution, and so, so, so much more.

It is so important to know that by specification design the way that Tor is built is that each hop must be in a different country so that there is no collusion. So you go from Germany, Finland, Netherlands, to Venezuela. Whereas with a VPN you are given an IP from Luxembourg but on a server in Delaware—a single point of compromise.

On secure email hosting.

There is no secure email provider, stop trying to find one. Email is an insecure form of communication. Law enforcement loves email because it provides them with a confession, the time, the date, the parties, and often people will use the Drafts folder as a container of information. Any information sent via email is not protected from being intercepted by third-party attackers. Your email messages may be accessed by your email provider as it is on their servers. You have no governance over retention rules or archiving practices on the receiving side. Documents that should have limited lifespans can potentially live forever on a server with data retention or no deletion practices that you would not know about.

Messages and files that are encrypted cannot be read by third-party attackers. E-mail messages remain vulnerable to exposure long after delivery. E-mail is susceptible to eavesdropping in transit. Sniffers can be used to read emails as they are moving across the network. Email gets sent through many servers between the sender and the recipient. Any one of those servers could be intercepting and saving that email.

The addition of the SSL/TLS security handshake into SMTP, creating SMTPS, provides confidentiality on the first leg of the trip (from your computer to your "home" e-mail server). That's all; you can't enforce confidentiality along any other leg of the trip, and the other three aspects of InfoSec are unaffected.

So simply: Never send sensitive information in clear text.

MORE ON THIS IN ANOTHER POST.

STOP WASTING YOUR TIME IN SEARCH OF SOMETHING THAT DOESN'T EXIST.

Drugs

Drugs change people. You won't notice the change because self doesn't reveal self to self. Others will notice it. Don't just apply OpSec here on the darknet. Apply OpSec in all your principles and affairs because once you connect to the darknet you're going to get intrigued and intoxicated by an underworld and you will soon forget that now you must constantly, vigilantly cover them up because you've become immune to them.

Real-Life Anonymity

Do not ever reveal to anyone that you have drawn a connection to the darknet. You have to bury this aspect of your life out of view, out of sight, out of the possibility of a leak, of things you didn't plan for one, three, seven years from now. You were never here. Do you understand? You must maintain the framework that the darknet doesn't exist in your life. You've crossed the line. Now you must conceal your trail.

Sobriety

As odd as it is to read it on the darknet, sometimes it's grand to be clean and sober. Sometimes you have to learn to walk away. Sometimes you need to listen to your former self and take a break from the darknet because after a while you will begin to think that drugs are always at your fingertips, in your thoughts, in your perspective. But self-care is of the utmost importance.

There are many people out there trying to help us but they can't. The doctors won't write that script, the psychiatrists understand but they're not going to give you what you want, the nurses can only comfort you, the psychologists think they understand us but they don't. We are the only people that can help each other. And, on that note, if you ever feel like taking a break and getting sober don't be scared. If you've ever held a newborn in your arms you'd know that there is nothing more precious than a sober breath. Just make sure you do your due diligence on OpSec so you have somewhere safe and secure to come back to without a past waiting for you. Do you understand?

Evolve, Adapt

What does that mean? Do not get attached to sentimentality. Upgrade your PGP key. Upgrade your browser. Encrypt your hard drives. Do not fall into a romance with the darknet.

"But I love my username." "But I don't want to change my 2,048 cipher because I've had it for so long." Are you still using Windows 3.1, Windows XP, Windows 7? Sentimentality will be your ruin on the darknet if you do not place OpSec first. Do not get attached to the fleeting. Stay protected by evolving.

Constantly update your BIOS/UEFI, drives, PGP, Tor browser. Do not slack off on this.

Don't get attached to your identity. Unless you are here to be here. Meaning you are rank and file in the darknet. You are either a vendor or an admin. But know that if you create a lasting identity here, you are now a recorded history of the darknet permanently and you have sacrificed anonymity and without scaring you, you are being watched.

The darknet is ephemeral. This is not a theory.

The NSA hire firms to scrape all darknet markets 24/7. You are cached.

Do your homework on your vendor.

Do not buy from vendors who have a 2,048 cipher key. Think of the long history behind those long-lived keys and the complacency for them to adapt.

Do not be cheap in buying international. Save your ass, save your address. It will go through customs and FDA.

Do not order from the top vendor who uses fake reviews to bolster themselves in the listings. Buy from a vendor who has been around awhile. Most buyers will not even leave a review.

Personal Amounts

Enough with this 'personal amount' bullshit. Have you ever seen "Cops"? Right now, in your hometown, someone will get arrested for a $5 crack rock in their back pocket. Do you think telling the judge it was for personal use will dismiss the charges? Maybe you're just special.

Do you know what the personal amount for benzos is? Any amount. Possession is possession. They will get you for whatever they can because that's what it takes to win.

Reference:

https://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/69a39b3374df8049d5f3