Category Archives: Advice from Bison

Advice from Bison – Private Social Media


Bison have seen some bad days. Once, there were 20,000,000. Then, there were 541. But things got better and today there are 500,000.

The key, they say, is to be able to ride out the bad times. But how do you do that? I asked some bison for advice.


There are lots of secure email services out there, but they are not all equal. Many of the good ones have shut down, leaving us with a weird situation in which we have to jump through a few hoops to safely use them. Today, the bison suggest a process one may use to create a relatively anonymous email account that may be used over the long term. This account can then be used to “prove” identity for any other accounts you may have to make, such as on various social media sites.

Now, that said, there are different types of communication and different types of social media sites. For example, if you are communicating on Facebook or GooglePlus, you are more likely to be monitored, even on private groups, than if you are using less well-known US-based systems. So you may want to follow this process a few times and create a handful of anonymous accounts that you can use in different circumstances.

1) Password Management
You’ll be making lots of accounts here, with lots of different passwords. You’re going to need a password manager. It’s best to pick one that is open source and that stores the passwords securely as a local file. That way you can synchronize the passwords with an unsecured service, like Dropbox, without worrying about them. While it is safer to make copies outside of a Dropbox-like system, many prefer the convenience. This is one option that works on many different operating systems: http://keepass.info/ .

2) Name Selection
The most critical thing you can do when creating accounts is to be truly random. One of the easiest things to do when attacking an account is to assume that someone thought they were being clever when choosing a username or a password. You’re never as clever as you think you are, so it’s best to just randomly generate usernames and passwords. For your new account name, try the Random Name Generator: http://www.behindthename.com/random/? . Be sure to enter this URL through the torbrowser that was mentioned in the last post so anyone monitoring you is less likely to figure out your new name.

Now, if you live in certain places where specific ethnically-unique names might be targeted, you will want to reduce the random selection to something that doesn’t stand out. English, French, and Biblical is often a good combination. Adding Irish and Scottish can improve the set. Then, optionally, you’ll want to select “ambiguous” for gender, as there’s no point in giving away that data too.

Running the generator five times in this mode produced these example names:

  • Florence Bernie
  • Ariel Cass
  • Briar Gabby
  • Tibby Nogah
  • Ash Tommie

If the names sound too weird to you, reduce the selection set to just English and keep generating names until you get one that sounds normal.

3) Secure Email
Now that you have a name, the next step is to create an email account. This can be done at Proton Mail for free: https://mail.protonmail.com/create/new . Remember to use the torbrowser again, so anyone watching you doesn’t see the traffic going to Proton. Once there, create the account using your randomly generated name. Then, go into your password tool from step 1 and create two entries. Name them “ProtonMail – Login” and “ProtonMail – Mailbox”. This will generate a random password for each entry. By default, KeePass generates 20 character passwords, which are very hard to crack. However, you can go one better by clicking on the button next to the password field to generate a new password. Once the generator is open, set the length to 64 characters. Then you should be able to copy and paste the passwords from those KeePass entries into the user creation form. If you’re using a password manager, a long password is no harder to remember than a short one, so max them out where you can.

Once you have an account created, log out and create a new one. You’ll need at least two.

One note: At times, Proton Mail asks you to prove that you’re human through some sort of CAPTCHA. This is fine. At other times, they want to send you a text or email. If you send a text or email to your regular phone or your regular account, it creates a link to ProtonMail that you may not want to exist. If that’s the case, send a text to a burner phone if you have one. Alternatively, create a basic account somewhere that allows for free email, like Yahoo or Hotmail. Use that account for validation and then never again. When they next purge their accounts, the link will be broken.

4) JoinDiaspora
OK, you have two anonymous email addresses now. What do you do with them? Well, one thing is to create an anonymous discussion group. This is where things get a bit weird. Designate one of your accounts as “public, anonymous” and the other as “private, anonymous”:

  • Florence Bernie – Public
  • Ariel Cass – Private

Here, you will use the private account for anonymous communication on semi-private social networks, and the public account for invites. For example, from within the torbrowser, go to https://joindiaspora.com/users/sign_up . Once there, enter the email address and name for your private account, “Ariel Cass” in this case. Then generate a nice long password in your password manager and prove you’re human by entering the CAPTCHA. This will create your Diaspora account.

Use this same process for any non-mainstream social media site. The mainstream sites have enough developers to really dig into what you do even if you’re pseudo anonymous like this. Facebook, in particular, really doesn’t like fake names, so be careful.

5) Invites
Thus far, you have created accounts that aren’t linked to your primary social media. Now the trick is to get your friends to connect with you, without knowing who you are and without you knowing who they are. The good news is that there are anonymous emailers. This is where your public email comes into play.

Logging in as your regular self to a private FB group or similar (do *not* do this on a public group), post a message like the following. You can also send this request to them through plain old email or private messaging.

Hello. I may be forced off of Facebook in the future. However, I would like to stay in touch with all of you. If you would like to join my anonymized social network, my public email address is [email protected]. Please join Diaspora under a different name, and use https://anonymousemail.me to send me your Diaspora profile link (left hand side, “Invite your friends”, copy the link). That way we can all stay in touch, but none of us will truly know which of us are which.

Then, everyone can join up and you can retain social interaction without your friends putting you at as much risk, and vice versa.

Happy socializing.


NOTES
a) As with everything, no system is perfect. The goal behind this process is to provide a “safer” way to stay in touch should a mainstream service become untrustworthy. There is no truly “safe” way to do this. In all such systems, you are at risk from the weak security practices of others.

b) There is a point of weakness from social graph theory, as well as one from timing. If you post to a small group and someone replies with “okay” and, a few minutes later, you get the anonymous email from them, it’s pretty easy to identify who “September Sam” really is. To protect your friends, add them in batches and delete those emails from your public email inbox when done. The good news is that as social networks grow, they become more complex and such analysis becomes more difficult.

c) There are also anonymous email receivers that can be used in the place of a permanent account. With those systems, like https://www.mailinator.com, you are using a public email account that anyone can access. This is less linked to you, but it does mean that anyone randomly trying accounts could easily find the list of people that you are trying to join to the group.

d) There are lots of different social networks out there. JoinDiaspora is just an example. The same general principle will apply to all of them, though the individual implementations will differ.
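
The timing weakness in note (b), and what batching buys you, can be measured as an anonymity set: for each pseudonym, how many real friends could plausibly be behind it. The following is an added example, not part of the original post. It assumes an observer who sees both the “okay” replies in the private group and the moment each pseudonym shows up as a contact; every name and timestamp is constructed, except “September Sam”, which comes from the note.

```python
from datetime import datetime, timedelta

T0 = datetime(2017, 1, 10, 9, 0)  # constructed start time

def at(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed sample data: when each friend replied "okay" in the private group.
ACKS = {"friend_1": at(0), "friend_2": at(20), "friend_3": at(45),
        "friend_4": at(90), "friend_5": at(130), "friend_6": at(160)}

# Constructed sample data: when each pseudonym's anonymous email arrived.
EMAILS = {"September Sam": at(4), "pseudonym_b": at(23), "pseudonym_c": at(51),
          "pseudonym_d": at(95), "pseudonym_e": at(132), "pseudonym_f": at(167)}

def batch(emails, size):
    """Hold requests until `size` are waiting, then add them all at once."""
    ordered = sorted(emails.items(), key=lambda kv: kv[1])
    add_times = {}
    for i in range(0, len(ordered), size):
        chunk = ordered[i:i + size]
        release = chunk[-1][1]  # moment the last request of the batch arrived
        for pseudonym, _ in chunk:
            add_times[pseudonym] = release
    return add_times

def anonymity_sets(add_times, acks):
    """For each pseudonym, the friends who replied since the previous visible add."""
    sets, previous = {}, datetime.min
    for release in sorted(set(add_times.values())):
        window = sorted(n for n, t in acks.items() if previous < t <= release)
        for pseudonym, t in add_times.items():
            if t == release:
                sets[pseudonym] = window
        previous = release
    return sets

def exposed(sets):
    """Pseudonyms whose candidate set holds exactly one real identity."""
    return sorted(p for p, members in sets.items() if len(members) == 1)

if __name__ == "__main__":
    immediate = anonymity_sets(batch(EMAILS, 1), ACKS)
    batched = anonymity_sets(batch(EMAILS, 3), ACKS)
    print("added one by one, uniquely linkable:", exposed(immediate))
    print("added in batches of 3, set sizes:", {p: len(m) for p, m in batched.items()})
```

Adding friends one at a time leaves every pseudonym with a candidate set of one; batches of three leave each pseudonym with three candidates, which is the reason for the advice in note (b).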


I expect that bison will have more advice in the coming weeks.

Advice from Bison – Torbrowser


Torbrowser is designed for privacy, while making it easy for people to use the Tor service.

If you ever find yourself pondering the possibility that the legality of certain activities may change in the future …
If you need to research possible actions you may take but do not want to create a trail by which you may be tracked …
If you find the need to discuss events and concerns with anonymity but think that your ISP may not have your best interests at heart …
If you find yourself, for some reason, needing to access the Internet from an unsecured location but don’t want others to know where you are …

Use Torbrowser. It will work on Windows, OSX, and Linux and it doesn’t need to be installed. If you have the ability to launch a program, you can use Torbrowser.

Once it runs, browsing may be slow (bison love to browse slow), but you have much more privacy through the Torbrowser.

When using Torbrowser, be careful not to accidentally over-share.

  • Do use HTTPS on all sites. This should happen automatically, but check anyway.
  • Do not use Google for search. Duck Duck Go is a better choice.
  • Don’t fill in any forms (including login forms) using real information. April 1st is generally a good birth date.
  • Don’t use torrents over Tor. They leak your information.
  • Don’t open any documents. Downloading a Word, Excel, Powerpoint, or PDF file through Torbrowser does not make it safe.

You can get Torbrowser here: https://www.torproject.org/projects/torbrowser.html.en

If that link is blocked, you can also get it via Twitter (@get_tor) or email ([email protected])

