Since I did not see any thread like this, and I thought this might be quite valuable and useful for certain members of this community, I thought, why not make a little tutorial on how to actually minimize the risk of getting doxed or tracked by different actors.
A little about myself, skip this if you don't care.
I was active in multiple hacking/doxing/cyber crime and cyber security forums over the years, and also wrote command and control servers and corresponding RATs, bypasses and ransomware, as well as multiple smaller pentesting tools, packers and OSINT tools. I was also staff for multiple scripting/cheating communities at the same time, by employing some of the techniques I will go into here, and was involved with writing external and internal scripting platforms. Most of these platforms did not know I was active in other communities, and I never faced any real-life problems after doing this for years, before unofficially retiring and ceasing almost any action in these communities.
First, I would like to go a bit into the threat model, so you understand which techniques and tools are actually useful to you, what is overkill, and what might be useful even tho without too much merit. If you already know what your threat model looks like, skip this.
A threat model, very roughly, is a framework for understanding which actors (governments, regular people, a community, etc.) pose an overall security risk to your privacy, security or data.
Usually these actors can roughly be categorized into:
- Government actors - Usually local or national level law enforcement, can reach up to international law enforcement (5-14 Eyes, Interpol)
- Corporate entities - Usually corporations like Google, Meta and similar, for data selling, advertisement or tracking of individuals.
- Cybercriminals - Usually small-time "hacker" groups which try to get login information via phishing attacks, but can reach up to big hacktivist groups and real cyber crime groups as well.
- Insiders (Staff, Employees)
- Users
- Friends/Family
This list could be longer, could be shorter, depending on actual application and person.
The next important thing in defining your threat model is what you actually want to secure: is it your personal identity, your data, your more private information? Depending on that, decide which person can get which data.
In my use case, as an example, in the scripting communities, for me it looked somewhat like this:
- No revealing of personal identity, closer personal data like real age and similar
- Mostly targeted against insiders and users in the community, people who could know me from real life, cyber criminals (actually a huge part in that scene), and also contacts from previous groups; minimally government actors, since what I did was not really illegal in the jurisdiction I was in, but I did get profits from it in crypto anonymously
I hope this clarified a bit what a threat model could look like.
Onto the basics, which I would say probably anyone using this kind of forum should employ.
- Keep your place of residence, name, and pictures private. At best, do not reuse the username for other social media, except where you employ the same techniques. You can sometimes reveal your City/State/Country or some name, but only when you are 100% sure that you have not revealed too much information in another publicly traceable conversation. If you live in a tiny city, never reveal your city, or do not reveal any more information like names or similar.
- Keep the username in a different format from what you usually use, or use a very common format; best not to add any identifiable information to it. Avoid things like having your birthdate, real name or clues to your real or other identities as part of your username.
- If you do use a private picture, make sure to either remove metadata from the image, or make sure your camera already does that; many camera apps nowadays have the ability. Usually this is called Exif metadata, but Exif does not encompass all metadata. Most tools I used in the past also removed most other sensitive metadata as well tho. Tools for removing this metadata exist for all operating systems; I will not endorse any here, since I have not checked any tools in recent times. Even if most social media nowadays do remove this data, you can never be 100% sure that they will do that in the future as well.
- Use a VPN or other encrypted tunnel. Here I will actually endorse Mullvad VPN. Proton VPN is not too bad either (not a huge fan of the Proton corp tho), and Windscribe is also not bad and pretty cheap (weird CEO tho). Till now none of these ever worked together with law enforcement, simply for the reason that they can't, since they have no actual data about the connection stored. This way, even if your ISP tracks all the domains you connect to, and after that law enforcement or whatever starts to actually investigate (for whatever reason), they will not be able to see that you visited lewdcorner.com, only the IP/domain of the VPN server or tunnel.
- A note on VPNs: this mostly prevents your ISP and possible local devices from sniffing out where you connect to; it does not do as much for anonymity, for which you should employ multiple of these techniques. If you do not care about your Internet provider seeing that you visit the community, you can ignore the VPN.
- Do not just trust people in the community, do not fall for easy lures. Usually the biggest threat to your privacy is yourself, and your mouth or, well, fingers. Just because someone offers you something in DMs, even if it is very alluring: as long as you can't verify that the person is trustworthy, or, if you do trust the person, can't be sure that they haven't been hijacked and you have suspicions, reject. As long as you keep that in mind, and actually take a bit of time to think before sending any information, clicking a link, or downloading and executing a file, you will for the most part be safe. But remember, even if you trust the person, people can change, so it's better to never reveal any personal information if the other person has not done so as well and you were not able to verify that information.
- If you are on a publicly accessible or shared computer/device, clear your browsing history and website cookies (honestly more good practice than necessary, but still). Yes, it might be a bit annoying to log in again, but it is more annoying when your parents, children, siblings, grandchildren and grandparents or friends can freely access whatever you have written, posted, or viewed.
Now onto those who are a bit more privacy-concerned, maybe wanting to hide the activity from a government with which Google/Alphabet, Meta or other corporations are cooperating, or simply wanting not to be tracked by Google, Meta and so on.
- Use a different browser from the one you use for your regular activity, or do it in a separate profile. This will make it harder for single websites to track you.
- Use the different browser/profile with either a low number of extensions installed (usually uBlock Origin/uBlock Origin Lite, the VPN, and maybe a password manager should be enough), or make sure that you do not have roughly the same extensions installed as in your regular one. More extensions make it easier to create a unique or almost unique fingerprint of you. If you employ this correctly, your fingerprint for your sessions for this kind of thing and for your regular activity will be completely different.
- Do not log into your main Google, Apple, or Meta account on this profile/browser either. Otherwise these entities will still be able to track you somewhat; this is already defeated when using Google Chrome or Edge and similar browsers. I would recommend Ungoogled Chromium and LibreWolf. Best would be to use the browser/profile really only for browsing these communities. If you have multiple accounts which are in any way linked to these, better not to log in to those either.
- Again, here it is actually a good idea to fully double tunnel, best with two different VPNs. My old setup, as an example, was Mullvad VPN on my OS as the VPN connection for everything, then one LibreWolf instance for most of the activity with Windscribe as outgoing from the browser, and on my normal browser also a Windscribe VPN tunnel but connected to my home country. So you have two to three VPN tunnels, best in different locations, which prevents law enforcement from tracing you back by seizing a single server, dumping the full RAM and getting access to some connection data. For additional, and honestly needed, security, use techniques like decoy traffic/fake traffic to prevent or weaken many timing attacks as well, either at the client level, when the VPN does not support it natively, or at the VPN level (I believe all three support it, Mullvad, Windscribe and Proton, but not sure anymore tbh).
If you actually want to have fully separate identities for different scenes, communities in a scene, or overlapping scenes, for cases of fully hiding your real identity and clues from any kind of actor:
- If you are active in multiple communities and do not want crossover, then make sure to split your identities for the different websites/communities/groups. This goes strongly with the username rule mentioned above, as well as with changing a bit of how fast you respond, and changing your writing style a tiny bit. As an example, previously I had some phrases and such which I used in different communities, and some writing styles (short sentences versus longer ones, a bit of error in writing vs no big errors, sometimes bringing in some slang or dialect from different communities).
- If possible, actually prepare some background story, a second name which you can use for revealing information, a fictional age, which is not actually real information. This further helps ground your identity, but you either need to make sure to remember all of that, or write it down somewhere, otherwise your additional identity could either be exposed or get questioned.
- Separate your emails as well. If possible, and where necessary for some services, try to get a temporary or burner phone with credit (sadly really hard nowadays). If possible, also use different providers. You can opt for less private but free variants like Gmail, Yahoo, Webmail, but at this point you should probably use Proton Email (which is free but a tiny bit limited) or opt into a paid email service with strong privacy policies like Tutanota.
I hope this helps someone. I am very open to discussion on this, as well as additions. And I very much hope I haven't overlooked some rule preventing this kind of post, or interpreted it wrongly. This is only meant educationally for members of this forum.
If I somehow posted this in the wrong section or have done anything else wrong, please tell me.
Please also tell me if you need clarification on certain topics, or if I should make any part more understandable.