News Feed
- DrugHub has agreed to fully refund all users who lost money in the SuperMarket exit scam.
- Retro Market has gone offline. Circumstances of the closure unknown.
- SuperMarket has closed following an exit scam by one of the admins.
- The admin of Incognito Market, Pharoah, has been arrested by the FBI several months after exit scamming.
- Silk Road
- darknet markets list
- Popular P2P exchange LocalMonero has announced it is closing.
I apologize for just now getting to your comment and request. I have been away from Dread and returned just days ago.
Thank you for that great post.
If you can please post it as well at /d/Tails and /d/Guides
I will make three posts in the next few days.
Two will be disturbing but need to get out there.
___________________________________________________________
As far as hard OpSec:
One thing about "Tails OS. The easy & recommended OpSec guide for buyers who still use Tor on Windows." is that, of course, Tails doesn't even require one to have an hard drive so Windows or not, it doesn't matter. Hard drive or not, no problem.
I would encourage you to edit the post to mention the use of USB 3.0 or greater.
Since you mentioned "KeepassXC" it would be better for OpSec to keep Dread's URL in there as well as other bookmarks as have always been a security hole issue. Recently, particularly with Windows and requires:
(I would advise you to state to make frequent backups for the KeePassXC file as they do get corrupted.)
___________________________________________________________
"Recently discovered in TOR Windows Desktop, if you go to upper right “hamburger” apps menu, then select Bookmarks, it displays at least the last 10 Recent Bookmarks visited. This is a pretty significant security issue. I have read through discussions here and general on-line searches. I find no simple way to shut this off. Have written a userChrome.css that works fine in Firefox, have tried about:config switches; nothing stops this in the TOR (windows) Desktop."
This is very serious for Windows users. BUT your audience is not using The Tor Browser Bundle for Windows.
Tor is different in Tails than it is in Whonix and it is different than the Tor Browser Bundle and it is different that Qubes-Whonix.
Thus, in Windows, months ago it was discovered that bookmarks leaks the ten most recent bookmarks.
https://github.com/arkenfox/user.js/blob/662eddbc2124d9d09774da7d5bc385f45c287c0d/user.js#L378-L388
Favicons are particularly dangers and require: browser.chrome.site_icons option.
toolkit.legacyUserProfileCustomizations.stylesheets = true
It is never wise to click on a bookmark. It is always best OpSec to paste the URL itself.
___________________________________________________________
I would remove that https://kevinsguides.com as it collects far too much information on you.
See if any one these can benefit you:
/d/GnuPG/wiki?id=a5f518cd
If not, I will find others.
___________________________________________________________
Now, for a MAJOR OpSec concern you have listed a lot of clearnet sites. That means your audience will consonantly be decrypted by the exit node.
In order to prevent that I made it simple for you.
Feather Wallet Onion
http://featherdvtpi7ckdbkb2yxjfwx3oyvr3xjz3oo4rszylfzjdg6pbm3id.onion/
Kycnot.me Onion
http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/
anonymousplanet.org Onion
http://benzosbbvk7gu6taxbjpcpsi3u3dgg3wb3ewwr4jx7tholioxmnwagyd.onion/PDF/Hitchhikers/
___________________________________________________________
Now, I happen to be a major Darknet Host connoisseur and snob. OrangeFen was kicked out of the community until they squared away some issues and his is tied with Majestic Bank.
___________________________________________________________
The greatest non-KYC of the modern day is without a doubt:
Trocador.app/en
Trocador Onion Site
http://qkiw4pl4qlxui26nsbjnxei323x7ptqcf765a6koxlzcox35udmihsid.onion/en/
OrangeFen cannot compete.
___________________________________________________________
Do not even ever mention "darkwebinformer" as he is a phony, money-driven, con-artist. Who steals articles and puts up paywalls.
He is what you would call a scumbag. He is a F R A U D. Never visit is phony site.
___________________________________________________________
Tor gives away a distinct "odor" that wreaks "I am using Tor".
Personally, as a Linux user, I find Tor extremely restricted to use and Whonix to be such a breeze.
But Whonix doesn't give off an "odor" it screams "I am a virtual machine." But it is 100x better in so many ways.
___________________________________________________________
This is the biggest risk I found in the post:
"Click Privacy & Security, find security level and select safest."
You MUST go to about:config
type JavaScript.enabled and set it to false.
___________________________________________________________
Have NO fear in downloading Tails. You should remove that as it instills fear. It would violate the US Constitution. America is full of Linux enthusiants, developers, people who make YouTube videos.
People on Dread have a firm belief that Tor is illegal.
Yesterday it was discovered and published that tunnels aka VPNs led to 1/4 of all attacks to the individual.
Tool is a tool set - it is best not to mess with it. Some VPNs are terrible.
In this day and age I would recommend SnowFlake bridges and it makes you look like you are having a telemedicine, video-conferencing call.
When you write "You'll make your own PGP." You can edit to: "You'll make your own PGP Certificate or PGP Pair." One key is a PGP key. When combined they are now a Certificate or a Pair.
___________________________________________________________
Major: "Start up Feather, make a new wallet and store the password/seed in KeepassXC"
You IMMEDIATELY must save your keys and seeds in KeePassXC.
___________________________________________________________
"Tails doesn't make you invincible" - I do not think you wrote that but that sounds mythological, supernatural and God-like.
Tails is very inconvenient - it is an Amnesiac and designed for "NO EXCUSES".
It is very difficult to use for work and other things but for quick use, it's fine.
___________________________________________________________
What we need to do is break misconceptions:
TailsOS is not illegal.
Tor is not illegal.
VPNs are a trend and lead to disasters.
____________________________________________________________
***MAJOR***
The most striking statement: (I may be reading it out of context) "When making the PGP key, make sure the name is the same as your username on the market."
OMG is this a fatal move. Maybe because you did not mention what mean by "name".
You never want likability.
We never want likability.
I never want likability.
A market PGP key and PGP key on Dread profile would dox someone.
For every market a new key with a meaningless name.
This is THE CARDINAL RULE if there was one.
____________________________________________________________
***MAJOR***
You forgot to mention:
"Protect the generated key with a passphrase."
THIS IS A MUST
____________________________________________________________
***MAJOR***
Now, we forgot something major.
Backup your keys.
Then back your private key.
Then do it again.
Make two folders and archive them.
Then use 7zip and use AES-256 to place a secure password on them.
DO NOT STORE THEM ON THE SAME MACHINE.
____________________________________________________________
MAJOR
When you generate your keys, make sure you are completely disconnected from the Internet.
____________________________________________________________
MAJOR
The best and most proper way to make keys is V E R Y simple.
Do not use the GUI!
gpg --full-generate-key --expert
(9) ECC and ECC
(1) Curve 25519
0 = key does not expire
Key does not expire at all
Is this correct? (y/N) y
Real Name: -----
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
***DONE*** Took 10 seconds
___________________________________________________
Everything I wrote about making PGP keys is in some way incorrect but it is good enough for buying drugs.
If we had to follow FIFS guidelines, we failed.
You would need to export 0AAB A2AB 04F1 766C your Public Key so that all people have is the ability to encrypt messges for you.
___________________________________________________
I hope this helped. I apologize about the delay.
/u/newbieforever2018 /u/Paris -- why did I just tag Paris? /u/mayehessman
I'm glad to see your return. And I hope you're in good health.
I will carefully go over all your remarks and will implement changes accoringly. I will also most likely PM you ask you some questions to further improve this guide.
Thank you very kindly for your extensive critique. It's highly appreciated. I was smiling when I saw it, yet also made me more aware of my own ignorance. Thank you again.
Love,
KS
ps I have put a notice on top of the post to mention this guide is in active developement.
(Response had to be split up 2 due to character limit. Part 1)
Let me preface my decisions for changes to this guide, guided by your advice, with the following thoughts.
This guide is meant for people who:
- Use Tor/Windows (without using any other safety measures).
- Save their passwords/PGP in a notepad on their Windows environment.
- Have little understanding of tech/OpSec and subsequent nomenclature.
- Don't know how to get/use XMR. Directly deposit their Fiat bought XMR from a CEX to a DNM market.
- Use unsafe passwords.
- Don't even know how to use PGP and send their private data without encryption to a vendor.
I want to find a balance between a bad OpSec based on ignorance & false hope, and allowing people be educated to increase their OpSec in a reasonably simple & safe matter, without having an information overload.
I find that a hard balance to maintain, and I appreciate your recommendations.
The darkweb and it's markets, must become/remain somewhat reasonable to reach. And an all encompassing guide to what /d/OpSec should consider 'the basics' needs to exist. Right now, this information is fragmented to many posts, platforms and people, so it's too diffuclt to find. We can't reasonably expect most inexperienced people to educate themselves based on these patchworks of information - This will not lead to a lively community, rather.
I've made changed with your suggestions, yet have to question others on their feasability to be implemented. Oke, here we go.
___________________________________________________________
As far as hard OpSec:
One thing about "Tails OS. The easy & recommended OpSec guide for buyers who still use Tor on Windows." is that, of course, Tails doesn't even require one to have an hard drive so Windows or not, it doesn't matter. Hard drive or not, no problem.
I would encourage you to edit the post to mention the use of USB 3.0 or greater.
Since you mentioned "KeepassXC" it would be better for OpSec to keep Dread's URL in there as well as other bookmarks as have always been a security hole issue. Recently, particularly with Windows and requires:
(I would advise you to state to make frequent backups for the KeePassXC file as they do get corrupted.)
Response:
- Made changes to refer to USB 3.0 or greater.
- Advised to make Backups of KeePassXC files after every new addition to KeePassXC.
___________________________________________________________
"Recently discovered in TOR Windows Desktop, if you go to upper right “hamburger” apps menu, then select Bookmarks, it displays at least the last 10 Recent Bookmarks visited. This is a pretty significant security issue. I have read through discussions here and general on-line searches. I find no simple way to shut this off. Have written a userChrome.css that works fine in Firefox, have tried about:config switches; nothing stops this in the TOR (windows) Desktop."
This is very serious for Windows users. BUT your audience is not using The Tor Browser Bundle for Windows.
Tor is different in Tails than it is in Whonix and it is different than the Tor Browser Bundle and it is different that Qubes-Whonix.
Thus, in Windows, months ago it was discovered that bookmarks leaks the ten most recent bookmarks.
https://github.com/arkenfox/user.js/blob/662eddbc2124d9d09774da7d5bc385f45c287c0d/user.js#L378-L388
Favicons are particularly dangers and require: browser.chrome.site_icons option.
toolkit.legacyUserProfileCustomizations.stylesheets = true
It is never wise to click on a bookmark. It is always best OpSec to paste the URL itself.
Response:
- Another good reason to use TailsOS rather than Windows.
- I have found no known vulnerabilities regarding bookmarks and Tor in Tails. For this guide I won't make the recommendation to save the exclusively in KeePassXC.
___________________________________________________________
I would remove that https://kevinsguides.com as it collects far too much information on you.
See if any one these can benefit you:
/d/GnuPG/wiki?id=a5f518cd
If not, I will find others.
Response:
- Changed https://kevinsguides.com to biblemeowimkh3utujmhm6oh2oeb3ubjw2lpgeq3lahrfr2l6ev6zgyd.onion/content/bible/pgp/index.html
- The /d/GnuPG/wiki?id=a5f518cd were too dense with information for most people
___________________________________________________________
Now, for a MAJOR OpSec concern you have listed a lot of clearnet sites. That means your audience will consonantly be decrypted by the exit node.
In order to prevent that I made it simple for you.
Feather Wallet Onion
http://featherdvtpi7ckdbkb2yxjfwx3oyvr3xjz3oo4rszylfzjdg6pbm3id.onion/
Kycnot.me Onion
http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/
anonymousplanet.org Onion
http://benzosbbvk7gu6taxbjpcpsi3u3dgg3wb3ewwr4jx7tholioxmnwagyd.onion/PDF/Hitchhikers/
Response:
Changed all to clearnet links to .onion links. Except anonymousplanet, because there's zero .onion links found working.
___________________________________________________________
Now, I happen to be a major Darknet Host connoisseur and snob. OrangeFen was kicked out of the community until they squared away some issues and his is tied with Majestic Bank.
Response:
Removed OrangeFren as a suggested crypto-crypto exchanger
___________________________________________________________
The greatest non-KYC of the modern day is without a doubt:
Trocador.app/en
Trocador Onion Site
http://qkiw4pl4qlxui26nsbjnxei323x7ptqcf765a6koxlzcox35udmihsid.onion/en/
OrangeFen cannot compete.
Response:
Added trocador and OpenMonero
___________________________________________________________
Do not even ever mention "darkwebinformer" as he is a phony, money-driven, con-artist. Who steals articles and puts up paywalls.
He is what you would call a scumbag. He is a F R A U D. Never visit is phony site.
Response:
- There's no mention of it now.
___________________________________________________________
Tor gives away a distinct "odor" that wreaks "I am using Tor".
Personally, as a Linux user, I find Tor extremely restricted to use and Whonix to be such a breeze.
But Whonix doesn't give off an "odor" it screams "I am a virtual machine." But it is 100x better in so many ways.
Response:
- I would recommend Qubes/Whonix route if TailsOS wasn't so fool-proof to use. For beginners of both Linux/Tor, I would recommend TailsOS as the perfect solution.
People are hard to change, and prefer to take the route of least resistance. So we must educate people to allow them the reasonable choice to desire change.
___________________________________________________________
This is the biggest risk I found in the post:
"Click Privacy & Security, find security level and select safest."
You MUST go to about:config
type JavaScript.enabled and set it to false.
Response:
- Added the step to change aboug:config to JavaScript.enabled to false on every start of Tor.
___________________________________________________________
Have NO fear in downloading Tails. You should remove that as it instills fear. It would violate the US Constitution. America is full of Linux enthusiants, developers, people who make YouTube videos.
People on Dread have a firm belief that Tor is illegal.
Yesterday it was discovered and published that tunnels aka VPNs led to 1/4 of all attacks to the individual.
Tool is a tool set - it is best not to mess with it. Some VPNs are terrible.
In this day and age I would recommend SnowFlake bridges and it makes you look like you are having a telemedicine, video-conferencing call.
When you write "You'll make your own PGP." You can edit to: "You'll make your own PGP Certificate or PGP Pair." One key is a PGP key. When combined they are now a Certificate or a Pair.
Response:
- Just because it's not illegal, doesn't mean it's not considered suspiscious by secret agencies of many nations. I have to stand by my suggestions, that in certain circumstances, u should download Tor in a public library or internet cafe. As more internet surveillance is becoming the norm, and everyone being profiled by increasingly techonlogically power hungry entities, I am concerned about network observers.
Privacy tools like Tails can be scrutinized in contexts where anonymity is seen as a threat to national security or law enforcement efforts. As according to leaked documents from 2014: ''The NSA has targeted Tails users, labeling it as "a comsec mechanism advocated by extremists on extremist forums"''. Law enforcement agencies do scrutinize people more who look into ''privacy online''. It should be considered to stop a profile being build about a person.
- I don't recommend a VPN, but certain cases might benefit from it. And not all VPN's are equal, it's a careful consideration.
- Changed "You'll make your own PGP." to You'll make your own PGP Pair."
___________________________________________________________
Major: "Start up Feather, make a new wallet and store the password/seed in KeepassXC"
You IMMEDIATELY must save your keys and seeds in KeePassXC.
Response:
- Changed the language to make sure it's understood as important.
___________________________________________________________
"Tails doesn't make you invincible" - I do not think you wrote that but that sounds mythological, supernatural and God-like.
Tails is very inconvenient - it is an Amnesiac and designed for "NO EXCUSES".
It is very difficult to use for work and other things but for quick use, it's fine.
Response:
- This guide is for casual DW user and/or DNM buyers. It's an easy introduction to both Linux (Debian) and a fool-proof OpSec method. For anything beyond the intented purpose groups, this guide is not recommended.
The convienience comes from having a DW 'work station' that u can just put in any old device and start up from the USB.
___________________________________________________________
***MAJOR***
The most striking statement: (I may be reading it out of context) "When making the PGP key, make sure the name is the same as your username on the market."
OMG is this a fatal move. Maybe because you did not mention what mean by "name".
You never want likability.
We never want likability.
I never want likability.
A market PGP key and PGP key on Dread profile would dox someone.
For every market a new key with a meaningless name.
This is THE CARDINAL RULE if there was one.
Response:
- Made language more specific. The public username on the market should be the same as the usename associated with Public PGP, as this would help a vendor.
- Now recommend to change PGP across platforms.
____________________________________________________________
***MAJOR***
You forgot to mention:
"Protect the generated key with a passphrase."
THIS IS A MUST
Response:
- Was mentioned: ''Then click ''add a new entry'' and let KeepassXC create a password for the upcoming PGP.'' But changed for better language.
____________________________________________________________
***MAJOR***
Now, we forgot something major.
Backup your keys.
Then back your private key.
Then do it again.
Make two folders and archive them.
Then use 7zip and use AES-256 to place a secure password on them.
DO NOT STORE THEM ON THE SAME MACHINE.
Response:
- I've decided not to include this. The encryption on TailsOS, LUKS2 with Argon2id, should be sufficient to not require a further encrypted folder with private PGP keys. The private PPG exctraction is already password protected by Kleopatra, and the password is within KeePassXC, which is also password protected.
- I have already included backup steps to both the KeePassXC file and to get an optional 2nd USB to back up the whole persistent drive. For the intended users of this guide, it is sufficient.
____________________________________________________________
MAJOR
When you generate your keys, make sure you are completely disconnected from the Internet.
Response:
- I think this is a good practise. And I'll include it in the guide as a reminder.
____________________________________________________________
MAJOR
The best and most proper way to make keys is V E R Y simple.
Do not use the GUI!
gpg --full-generate-key --expert
(9) ECC and ECC
(1) Curve 25519
0 = key does not expire
Key does not expire at all
Is this correct? (y/N) y
Real Name: -----
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
***DONE*** Took 10 seconds
Response:
Takes 10 seconds for you, yes. But using the terminal can feel really quite intimidating for most people.
Most people use Windows & Chromium, most people don't know about the DarkWeb and think it's scary. The people who do manage to get here, should be guided without being overwhelmed. I think it should be a cummulative experience. Succesfully using the terminal for the first time is quite a rush. I hope people get to do that, but this guide isn't for that.
___________________________________________________
Everything I wrote about making PGP keys is in some way incorrect but it is good enough for buying drugs.
If we had to follow FIFS guidelines, we failed.
You would need to export 0AAB A2AB 04F1 766C your Public Key so that all people have is the ability to encrypt messges for you.
Response:
-I think it's quite sufficienct for these specific practical purposes.
-What are the FIFS guidelines?
___________________________________________________
I hope this helped. I apologize about the delay.
Response:
It helped very much. Thank you kindly.
Love,
KS