manbytesgnu_site

20240810_comms.rst (11603B)

---

 Comms summary
 ############
 
 :date: 2024-08-10 18:10:25
 :category: Hygiene
 :author: Louis Holbrook
 :tags: ssh,bash
 :slug: put-anon
 :summary: How to set up your own mini-service to share files safely and anonymously
 :lang: en
 :status: draft
 
 
 One should think that sharing a single file with someone else on the internet without anyone else knowing would be the simplest thing there is.
 
 Sadly, it's not. Really not.
 
 Let's see how to traverse the obstacles with a minimum of skill, and a minimum of tools.
 
 
 Anonymous VPN
 =============
 
 First step is to make sure that the connection you use to register the service has some degree of anonymity.
 
 There are and will always be services out there that will enable you to do this. They will never be the same as time passes. The important thing is to know what to look for.
 
 
 Connecting
 ----------
 
 No matter which of the two stategies you are using, you should use some unidentifiable, disposable connection to do the initial registration.
 
         * A truly anonymous VPN (it's harder than you think)
 
 
 The public wifi
 +++++++++++++++
 
 Unless you are *really really* in the sights of the surveillance state, a random internet cafe access point should do nicely.
 
 Just make sure that if you are using a public wifi, you randomize your MAC address before connecting. I myself use `wpa_supplicant` directly, and it offers the `mac_addr` and `preassoc_mac_addr` configuration directives for this purpose (for connection and access point search, respectively). Otherwise, your MAC address can be correlated across access points, that increasingly as "Local Magic Device" offers from big corporations.
 
 
 The Tor Browser
 +++++++++++++++
 
 It's really hard to say whether the Tor Browser is a honey-trap or not. But single-shot sessions used for one single purpose has a low risk of compromise.
 
 Still, the public wifi option is preferable.
 
 
 The anonymous VPN
 +++++++++++++++++
 
 Now, this is much harder than you may think.
 
 How do you sign up for the VPN? Some email? How did you get that email? Without the same VPN? How did you pay for it?
 
 VPN is an extra layer of protection that is as secure as the security you used to sign up for it.
 
 The only service I've come across so far that counts as an exception is the self-sources method for registration used by `Mullvad <https://mullvad.net/en>`_ It's nearly unfathomable that some 15 years after the Bitcoin revolution, client-side secrets aren't the canonical way of authentication. With Mullvad, you generate a secret on the fly, and if you lose the secret you lose the account. And the account may be paid for with cryptocurrency. (Remember, though, you are just as safe as the connection used to generate that account.)
 
 An example
 ++++++++++
 
 1. You go to a random wifi access point
 2. You randomize your MAC address
 3. You start a TOR session
 4. You make a VPN account with Mullvad
 
 Now, the payme
 
 
 The email anachronism
 =====================
 
 It is nearly unfathomable that still 15 years on from the Bitcoin revolution, we are still working with emails and, even worse, phone numbers, to register accounts.
 
 I haven't seen a single VPS provider that does not use one of these forms of registration.
 
 So, seriously! Anyone! Do something!
 
 Anyway, right now it is how it is, so the next step becomes making an email address with our anonymous connection.
 
 Unsurprisingly, getting an anonymous email is getting harder and harder.
 
 No sweat, you may thinkg. You could just roll your own.
 
 But then, how do you register the domain name for the email, and how do you pay for that? Not easy. The registrars will want an email.
 
 Confound it! You're back to square one.
 
 
 The honeytrap method
 --------------------
 
 Currently, `Protonmail <https://proton.me>` is one of the few options at the time of writing. However, it has been around for so long as a private email solutino that there is good reason to suspect that they are just one more of those honeypots that promise you safety and privacy for everything except what's inside their services, and ultimately they both mine your data for yourself and give you up to the empire if compelled to do so.
 
 
 The lone geek site method
 -------------------------
 
 Funnily, small individual-run private services like `<https://danwin1210.de/mail/>`_ still exist out there.
 
 To be honest, I would love to see more services like that. Services that are simply too small and obscure for the empire to care about. And when they start caring, it closes down and 10 more take its place.
 
 That would be how we win.
 
 
 The disposable method
 ---------------------
 
 I have used `receivemail.org <https://www.receivemail.org>`_ for several years now as a disposable email recipient for registrations and contacts of all sorts that I didn't want polluting my email.
 
 The main feature of services like this is that no registration is required. A related type of service is `guerrillamail.com <https://guerrillamail.com>`
 
 Of course, there is no access control for these mailboxes, so you cannot use it to protect anything of real value. For any service that requires one email service once and never again, it will probably do nicely.
 
 Keep in mind that a lot of Fascism-as-a-Service providers out there will block entities like this from receiving email from them. If they do, probably they are not for you.
 
 
 The anonymous server
 ====================
 
 There *are* options out there that will let you establish a VPS for a small amount of cryptocurrency per year. I have had luck with using `1984.is <https://1984.is>`_.
 
 Iceland is a good territory for digital anonymity and sovereginty ever since they gave the middle finger to the global banking establishment after the 2008 crash, when they wanted to loot the country under the legal cover of utter fraud of the population.
 
 You only need the email for registration. After that, your email will be your username, and you don't have to verify it exists. At least not for now. Who knows what the future will bring.
 
 So sign up for the VPS, in which you can set up a webserver.
 
 
 The web server
 ==============
 
 Settings up a webserver is out of the scope of this post.
 
 However, all you need is a vanilla server that serves any file in a given directory.
 
 
 The posts
 =========
 
 How do we get the content to the server?
 
 First of all, remember that the same anonymity precautions are valid for any connection you make to the VPS.
 
 Having established that, here's a small shell script [1]_ that will upload a file to a random identifier, while creating
 
 * A retrieval URI
 * A QR code for the retrieval URL
 
 .. code-block:: bash
 
         REMOTEPROTO=${REMOTEPROTO:-http}
         REMOTESSHHOST=${REMOTESSHHOST:-localhost}
         REMOTEHOST=${REMOTEHOST:-localhost}
         REMOTESSHPATH=${REMOTESSHPATH:-/var/www}
         # note this should handle missing start or end slash if exposed!
         REMOTEPATH=/
         TMPDIR=/tmp
 
         fi=$1
 
         if [ ! -f "$fi" ]; then
                 exit 1
         fi
 
         uu=$(uuidgen)
 
         d=$(mktemp -d)
 
         ext=${fi##*.}
 
         fn="$uu.$ext"
 
         fo=$d/$fn
 
         cp $fi $fo
 
         scp -q $fo ${REMOTESSHHOST}:${REMOTESSHPATH}
         ssh ${REMOTESSHHOST} chmod 644 ${REMOTESSHPATH}/$fn
 
         url="${REMOTEPROTO}://${REMOTEHOST}${REMOTEPATH}$fn"
 
         qrencodebin=$(which qrencode)
         if [ ! -z "$qrencodebin" ]; then
                 $qrencodebin "$url" -s 10 -m 6 -o $TMPDIR/${uu}_qr.png
         fi
 
         echo $url
 
 Simply:
 
 1. Generate a random identifier as a file basename
 2. Attach the file extension to the filename
 3. Make a file copy through SSH to the public web folder of the VPS
 4. Share the URI (or qr code stored to `$TMPDIR` with the same name) to retrieve.
 
 
 The get
 =======
 
 Safety always depends on the weakest link in the chain.
 
 In this example, your privacy is not necessarily compromised by stupidity on the other end, that does not mean that the other party is secure.
 
 But I would beg of you; show me one single example where this isn't the case. Where the sender and/or receiver:
 
 * is in full control of their client
 * is in full control of their node, receiving or sending
 * is in full control of their relay
 
 I have looked! Oh my, have I looked. Let's look at some of them?
 
 
 Signal
 ------
 
 `Signal <https://signal.org>`_
 
 Yes, the canonical safe space. Endorsed by Snowden himself. The forward- and backward secret axolotl crypto protocol.
 
 ... and it asks for your phone number.
 
 Ant how many places in the world do you get anonymous phone numbers anymore?
 
 Norway, where I'm from, will ask you for your digital ID.
 
 The belgians distribute fucking passport scanners to their SIM card vendors.
 
 Portugal, where I live, actually still offers them. For now.
 
 And many places there is still a second-hand market available.
 
 But in general, you have to bend or break the law to get them.
 
 So that's the premise for your super-secret app? Sorry, I don't buy it.
 
 ... and apart from that, good luck setting up your own infrastructure.
 
 
 Session Messenger
 -----------------
 
 `Session <https://getsession.org>`_
 
 The app is immature.
 
 The GUI is buggy.
 
 The anonymity is arguably less than with Signal.
 
 If only setting up your own node was easier.
 
 It's not.
 
 It's *SO* complicated.
 
 And it even requires buying into the `Oxen <https://oxen.io/>`_ cryptocurrency, which is its own snake pit of track coverings.
 
 
 
 Deltachat
 ---------
 
 `DeltaChat <https://delta.chat/en/>`_ 
 
 I absolutely adore Deltachat.
 
 If content secrecy was all I cared about, I would say that this service is the no-brainer default.
 
 It is email-as-a-chat, making the encryption part automagical and easy.
 
 No evil middle party involved. Largely like the original intention of email and Pretty-Good-Privacy.
 
 I may do a separate post on how this option could be implemented within the same security scope of the webserver VPS, but it will take quite a bit more effort for the provider.
 
 But as stated; *who* is talking to *who* is less of a  secret here.
 
 
 SimpleX
 -------
 
 `SimpleX <https://simplex.org>`_
 
 This is a newer arrival, and it stands out in two aspects in particular:
 
 * Running a node is *easy*, and requires *no resources*.
 * It has a bundled CLI client!!
 
 Like Signal, it offers double-ratchet encryption.
 
 However, unlike most all other applications, it tries to make its absence of a user id its selling point. The idea is you make a connection link on the fly, and that connection link is never translated to an ID.
 
 And yes, this theoretically helps avoid collateral damage when one conversation pair is disclosed. Let's say the authorities seize your friend, and forces him or her to decrypt his or her phone. They can see what he or she wrote, but not necessarily any identity of counterparties (except for whatever is disclosed in the messages themselves, of course). It is a neat, neat trick.
 
 
 whatever-paste-as-a-service
 ---------------------------
 
 Yes, for sure. Hiding among the masses works perfectly.
 
 **IF** you will encrypt the data you post yourself. Because whatever encryption offered by the server is not under your control.
 
 Will you?
 
 Really?
 
 Securely?
 
 Good for you!
 
 But if not: You're screwed!
 
 In this case - at a minimum, the other party should be retrieving the file using the same precautions as you took above. Tha is, through a VPN or Tor or public wifi, or all two or three.
 
 Remember, though, that not all cases are a question of both parties being secret. If the retriever does not have to hide (much), then they may act accordingly.
 
 
 ..
 
         .. [1] You will need the `qrencode` packagefor that