Hi friends,
Risk Analysis: I'm a casual buyer (i.e. only for personal use, small purchases, clearly not a huge target)... When signing up for a libertyx account, they require a phone number. Using online services that receive sms state that they are not mobile phones: I ended up using my actual phone number. In this case, I tumbled the libertyx BTC to an intermediate "clearnet" (read: accessed through TOR) wallet, tumbled to my secure wallet, then finally tumbled to markets.
I do not like the idea of libertyx requiring a phone confirmation. I don't want to spend the money on a burner just for a single text confirmation if this really isn't necessary. I just absolutely do not want to have anything connected to my personal info regarding the purchase of BTC. LibertyX is Cash and no ID, but it still disturbs me my phone number is attached. Thus, I'm tumbling three times... These are all relatively small transactions, but I end up losing quite a bit.
Current Practice: My desktop computer is entirely clean [for gaming, programming for school work, etc] and is clearnet only with a manually configured firewall (help? advice on this? noob here, any links or even references to resources would be helpful), while my secondary is continually connected to a VPN before accessing TOR. I only connect to DNM through tails, all of my comms use PGP. AFAIK, the only piece of compromised info is my phone number.
1) The main question: Creating a new libertyx account. Is there a way to bypass the phone number sms confirmation without purchasing a burner (or my personal phone), or would a prepaid burner be worth the extra money (compared to 3x tumble)?
2.) I'm not willing to share drop point info, but if anyone has further suggestions here. Opinions on private PO Boxes for my size of purchases?
3.) Any further OPSEC tips for this context, or does it seem like I'm doing alright?
3a). suggestions for whole drive encryption on the following and my current practices: i.) whole drive encryption without destroying current operating system, barring bitlocker? (Is Truecrypt safe, does Veracrypt work?) ii.) Backing up PGP keys/ wallet: I would like to be able to have an encrypted USB drive that I keep in a secure, physical location to back up my wallets and PGP keys. I assume two: one full backup on tails (USB1) and on (USB2) I would like to keep my wallet seed, private, and public keys. Naturally I would like to be able to access USB2 from both tails and windows. The dilemma: I don't know if truecrypt is trustworthy anymore, nor if veracrypt can be decrypted by TAILS.
3b. Consider a raid on your house and you have time to clean house [stash located in an easy to access but well hidden place, destroyable within a total of 5 minutes (I've done a drill.)], but no time to destroy hard drives. [HOW TO QUICKLY DESTROY CONTENTS OF HARDDRIVE WITHOUT 7X OVERWRITES??] This is assuming that, further, every drive is encrypted. Which leads me to... 3b i) Suggestions for whole drive encryption, currently running a Windows OS? Any links would be helpful, because I have done some searching and the most difficult part for me would be (noob) decrypting the contents of the HDD before accessing it. I would prefer not to wipe my whole drive and do a fresh install, but if that's necessary, I will.
*I could not, after searching, find a way to decrypt LUKS on windows. I might have been able to dig deeper, but you all would have better suggestions.
Please do excuse if there are some repetitions in my questions. I could have posted this in /r/OPSEC, but this is more specific. Again, I have done a bit of research on my own and am not stupid, yet admit ignorance. Besides the ease of access of much needed drugs, the whole DNM experience (including this board) has perked a casually-enthusiastic interest in privacy, anonymity, net neutrality, programming (re-learning the basis of C again!), websec (using firefox now with several extensions for privacy/anonymity), ditching my ISP's DNS, and several others I can't think of myself.
If you can't be bothered to answer these questions, I would be more than grateful if you would be willing to send learning resources on the following:
i) bitcoin, Bitcoin protocol, cryptocurrency and its properties, multisig transactions, and an other
ii) transitioning from windows to some distro of linux that allows for more control over what goes in/out (also obviously, also going beyond neophyte level with the terminal...) [for web/(net?)sec] SPECIFICALLY FOR MY OWN NETWORK TO SECURE IT. I HAVE NO INTEREST IN BEING MALICIOUS WITH THIS INFO. I don't even necessarily want to work with kali(backtrack?) or other pentesting distro because I'm so inexperienced
iii) Encryption (in terms of math, I have two years of calculus, ordinary (to a lesser extent partial) differential equations and the fundamentals of linear algebra down pretty well)
iv) I suppose this should go before II: management of a home network to increase security (? what type? I am a noob)
I ultimately want to be able to help others stay secure doing everyday things. I want to be able to write clear OPSEC guides for the casuals.
Thank you for reading, and thank you for replying. If you're particularly helpful, and willing to accept tips, I'll buy you a cup of coffee's worth in bitcoin.
Ci0ran
Money is required, sorry padawan:
Buy a laptop that boots, or that can easily boot, into BIOS (as opposed to UEFI). Rip out its HDD. You don't need a physical hard drive to boot into Tails from a live USB, only RAM is required.
SMS and MMS do not use standard TCP/IP to deliver messages. On a smartphone, if you turn off your data connection (4G) and WiFi, you can still send text messages via SMS/MMS. This is "dumbphone" technology and there is a tradeoff. It's simpler than messaging apps that require a data connection (no fancy things like encryption), but it is also more versatile (you can use it in more situations and environments).
If you need an SMS verification, there are multiple ways that you can achieve this with TCP/IP. Everything from purely technical means (ex: spoofing) to just being a straight slick talking social engineering motherfucker (ex: getting some schmuck to do the verification for you). But for you, and in this context (always important to think about), it's best to buy a burner. You're looking at it wrong: it's a good thing to buy a burner and only use it for a single SMS verification. The less you use it, the better... (and unless you absolutely can't, properly recycle that shit please).
Actually buying the burner? I'll share one tactic. Go to the thrift shop and buy some clothes that you'd never get caught dead in (ex: if you're a nerd, look like a juggalo). Shit, if you have pretty eyes and you're comfortable with your sexuality, dress up like a chick. Go in with your new Mrs. Doubtfire getup and buy the phone. If the phone is <$100, use cash. If it's >$100, use a prepaid debit card (obviously get that card at different store from where you're purchasing the burner).
Back to the computers. Start buying a lot of USB sticks. Literally like once a week, go to a different store and buy a USB stick. Get varying sizes and types (ex: SSD, USB 3.0, etc). Don't open them. Just put them in a bigass box or whatever and take one out randomly whenever you need a new one. Tails = USB stick. Keep your PGP keys on USB sticks and always encrypt them. If you want to use them straight on Tails see this link: https://tails.boum.org/doc/encryption_and_privacy/encrypted_volumes/index.en.html . If you want to make backups for your keys or store other related files on your USB stick, use a Veracrypt container - format your USB stick to an NTFS or ext filesystem.
Compartmentalization. No more DNM stuff on your home computer (or network for that matter). However, don't stop using Tor on your home PC. You want Tor traffic to continue flowing from your network. Use the Tor Browser and Whonix (and even another Tails USB) to go to regular sites that you'd go on if you were viewing the clearnet from good old Firefox/Chrome/Safari/Edge. You don't have to do this for all your "regular" browsing, just some of the times. Look up a dude named Jeremy Hammond and how he got caught and convicted to see why this is important.
Hope this and all the other posts have given you more information and context of the situation. Remember that there is no one perfect way to do something; if there was there would exist some OPSEC Bible, but there isn't. Learn the technology, see its limitations, and make it work for you. Make me proud.