secretsofthedark

What are Some Alternatives to ProtonMail?

Those who keep up with privacy news have probably heard about ProtonMail handing over the IP addresses of some of its users to Swiss law enforcement in the recent case, prompting a lot of criticism from those in the community.

If you read the article above, however, ProtonMail says they were forced to comply with the order and could not appeal. Their suggestion to users was to use their Tor hidden service, which also obfuscates IP addresses in a way that ProtonMail itself cannot.

There are, of course, other email services that are similar to ProtonMail, in that they are (ostensibly) privacy-focused, but no email provider can be trusted 100%, unless you set it up yourself. People have discovered the same issues regarding VPN providers that claim not to keep logs as well, particularly in cases when law enforcement subpoenaed them to hand over a user's data.

Part of the issue is that email, in general, is not the most secure form of communication, as email messages are easy to intercept. A post on StackExchange explains some of the reasons behind this:

Emails can be sniffed in transit, since they are not encrypted (some sites will opportunistically employ encryption for transit, but this is not reliably activated).

Emails will be stored on physical disks in the servers which are involved in the operation: the sender's email server, the recipient's email server, and any server “in between”. Physical disks can be sniffed when decommissioned or through backup tapes. Bored interns in the facilities managing these servers could simply have a look.

It is easy to make emails go to the wrong machine by altering the DNS. There are viruses which routinely inspect emails received by infected machines, in search for passwords, credit card data or other juicy information.

The whole email system just assumes that everybody is honest and nice and trustworthy. It is surprising (but morally encouraging) that it works at all.

A similar situation occurred with a provider named Hushmail back in 2007, and the Reddit post Hushmail: A cautionary tale of trusting webmail providers like Protonmail summarizes this situation a bit:

Before Protonmail or Tutanova [sic], or whatever the flavor of the month 'secure' webmail snake oil provider is, there was Hushmail, which similarly offered “secure” and “encrypted” webmail, claiming that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer”.


And then court records showed that Hushmail handed over several CDs-worth of emails to the US (Hushmail was based in Canada):

On June 6, 2007, DEA SA Shawn Riley received three CD'S via Fed Ex from the DEA San Diego Division Office. The CD's were the results of a mutual legal assistance treaty (“MLAT”) executed on Hush Communications Inc, based in Canada, for email addresses [Hushmail email addresses]. Hush Communications Inc., also known as Hush Mail, is a free encrypted email communication system that claims to ensure the security, privacy, and authenticity of emails sent and received by it's users.

The results of the MLAT conducted on [Hushmail email address] included an IP log associated with access to this e-mail account.

In the same sense as putting your trust in a VPN provider, you are relying on a third party to protect your data, even if they claim to have a “privacy-centric” or “anonymous” service. Additionally, the mere fact that a company advertises itself as being more private usually makes it a target for attackers.

Still, better options exist: sn0w, admin of the Pleroma instance cofe.rocks, suggested encrypting emails with PGP, as well as using either Mailbox or Posteo.de, part of the reason being that although they are paid services, they accept anonymous forms of payment and support features like PGP.

Mailbox.org offers such features as an email account, online office, cloud storage, video conferencing, etc. While it is paid, as opposed to providers like Gmail, it is still inexpensive, and the fact that it relies on payment means that they do not have to serve you with ads in order to make money (unlike Facebook, for instance).

It has become a habit as of late to read a company's privacy policy before signing up with any of their services, so here is the one for Mailbox.org: Data protection & privacy policy. While some of these can be lengthy and full of legalese, it can prove helpful to know what kinds of data they collect from you, especially if you want to avoid a fiasco like those of some of the big tech companies.

Mailbox.org also has a free 30-day trial for those who want to test out the service, which is enticing, to say the least. You can compare it against some of the other email services (e.g. ProtonMail) to see how they fare in terms of privacy and usability. It is encouraging to see that Mailbox receives A+ grades on three of the major “security checkers”: Qualys SSL Labs, DANE SMTP Validator, and CryptCheck.

Sn0w also made the point that both Mailbox and Posteo have the option to reject insecure inbound/outbound connections for extra security:

Posteo help: Activating TLS Sending Guarantee

Posteo help: Activating TLS Receiving Guarantee

Mailbox.org: Ensuring E-Mails are Sent Securely
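To see whether a message you received actually travelled over TLS on every hop, which is the property these settings enforce, you can read its Received headers. The following is an added example, not code from Posteo, Mailbox.org or the original post; the sample message, host names and the helper names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample message (not a real capture). Hosts use reserved
# .example names and documentation IP ranges. Newest Received header is on top.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
    by store.recipient.example (Postfix) with ESMTPS id 4ABC
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits));
    Mon, 06 Sep 2021 10:00:03 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
    by mx.recipient.example (Postfix) with ESMTP id 3ABC;
    Mon, 06 Sep 2021 10:00:02 +0000
Received: from laptop.sender.example (unknown [192.0.2.55])
    by relay.sender.example (Postfix) with ESMTPSA id 2ABC;
    Mon, 06 Sep 2021 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

body
"""

# "with" protocol keywords that mean the hop used TLS (RFC 3848 registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Free-form comments many MTAs add, e.g. "(using TLSv1.3 ...)" or "version=TLS1_2".
TLS_COMMENT = re.compile(r"TLSv?1[._]\d", re.IGNORECASE)
COMMENT = re.compile(r"\([^()]*\)")


def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    previous = None
    while previous != value:
        previous, value = value, COMMENT.sub(" ", value)
    return value


def field(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    match = re.search(pattern, text, re.IGNORECASE)
    return match.group(1) if match else None


def audit_hops(raw_message):
    """Return one dict per hop, oldest hop first, with a 'tls' verdict.

    Received headers written by servers outside your control can be forged,
    so only the hops added by your own provider are trustworthy evidence.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each server prepends its header, so reverse to get transit order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(value).split())   # undo header folding
        bare = strip_comments(flat)           # so "with cipher" is not parsed
        protocol = field(r"\bwith\s+([A-Za-z0-9]+)", bare)
        uses_tls = (protocol or "").upper() in TLS_PROTOCOLS
        hops.append({
            "from": field(r"\bfrom\s+(\S+)", bare),
            "by": field(r"\bby\s+(\S+)", bare),
            "protocol": protocol,
            "tls": uses_tls or bool(TLS_COMMENT.search(flat)),
        })
    return hops


def plaintext_hops(raw_message):
    """Hops with no sign of TLS: the ones a TLS guarantee would have refused."""
    return [hop for hop in audit_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        state = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f'{hop["from"]} -> {hop["by"]} ({hop["protocol"]}): {state}')
```

In the constructed sample the only unencrypted hop is the one between the two providers, which is exactly the leg that opportunistic encryption leaves exposed.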

Speaking of which, Posteo is based on the open source Roundcube. Roundcube is also the basis for Riseup and several other email providers.

Roundcube webmail login page

Like Mailbox.org, Posteo is ad-free, although the account requires a paid subscription; it is inexpensive, though. The account only costs 1 EUR ($1.13) per month, which, in terms of tech subscriptions, is a fair deal (compare that to some VPN provider subscriptions, for instance)!

Some of its features include:

  • 2 GB of storage, increasable up to 20 GB (for a higher price)
  • Attachments up to 50 MB
  • Email on all devices
  • Spam and virus filter
  • Two alias addresses

In privacy terms, Posteo says that it keeps as little data about its customers as possible, which is reassuring, especially after fiascos like that of Protonmail. You can read their privacy policy to be sure: Posteo Privacy Policy.

Posteo is also not financed by advertising, unlike a service such as Google – hence the subscription fee.

Many people still make the “nothing to hide” argument when discussing privacy online, i.e. “Why do I need privacy tools? I have nothing to hide.” Yet, in many cases, these same people will change their minds when they find out that their information was included in a data breach or something similar. It is more likely that those who make this argument are not aware of how much data is available about them on the web, or who might be after it. This is why it is good to peruse privacy policies, and also to be aware of how personal data and accounts can be compromised (and the answer to that is “in many ways”).

If you know of some other good pro-privacy email providers, please feel free to suggest them! There will be more articles about tools such as this in the near future.

How to Stay Safe on the “Dark Web”

A frequent question asked about the dark web is how to “stay safe” on it, and the answers often go in the direction of sensationalism, as in “There's NO WAY to stay safe on the dark web! Just don't go on it!”

In reality, the dark web is not that much more dangerous than the clearnet – in fact, the opposite may be true, depending on what you do with it. If it is Tor you're referring to, then it is designed to be more secure, so that is an advantage to start off with.

The part of Tor that may be risky is that there are numerous phishing sites and scams on it, as well as things like child abuse material. If your intention in using Tor is just to look around, then you probably do not need to worry about getting scammed. On the other hand, if you are looking to purchase things, such as drugs or hacked accounts, this is where many people lose money or get their information stolen.

To avoid the phishing sites, use a reliable link list like dark.fail (darkfailenbsdla5mal2mxn2uz66od5vtzd5qozslagrfzachha3f3id.onion), which has PGP-verified links for darknet markets and some other sites, like forums. At present, this site is generally considered to be the most reliable source for onion links, though Darknet Live (darkzzx4avcsuofgfez5zq75cqc4mprjvfqywo45dfcaxrwqg6qrlfid.onion) is a close second.

Another question that gets asked frequently is what operating system you should use. Contrary to popular belief, it does not matter as much as one might think. While Windows is certainly more vulnerable to malware, there is just as much malware on the clearnet as there is on Tor. There are, however, some sites that have PDF files and other sorts of files that may contain unsafe code. This is where using your good judgment becomes handy.

If you are concerned about operating systems, some Linux distros are designed with security in mind, such as Tails, Qubes, and Whonix. Tails, for instance, is amnesic, i.e. you can run it as a VM on a USB drive and then delete everything after the session is finished.

Tails operating system

Using a password manager and Diceware, which an earlier post mentioned, are good practices in general, not just on Tor. On some sites, people had attempted to bruteforce passwords, and randomly generating them seemed to help prevent this. Most password managers (e.g. pass, KeePass, Bitwarden, LastPass) have the ability to randomly generate passwords as well. Part of the reason for doing so is that if someone knows you and knows that you like coffee, for example, they may be able to guess that you would use a password like “coffee12345.” The password managers bypass this process altogether.

KeePassXC, a password manager

On Unix and Unix-like systems, the standard password manager is pass, which is command line-based. While it may take some time to learn, pass is relatively simple, and its official site has good instructions as well.

In addition, a lot of sites require using Pretty Good Privacy (PGP) when registering. While PGP itself has security issues, it does work reasonably well as a method of verifying someone's identity, or in the case of Tor, proving that a site is genuine. Often, sites like marketplaces will display their public PGP key on the front page for this reason.

PGP Signature from dark.fail

As for creating and storing your own PGP key, there are a number of different PGP clients for different operating systems. On Windows, for instance, the standard PGP client is called Gpg4win (GNU Privacy Guard for Windows), which can be downloaded from Gpg4win – Secure email and file encryption with GnuPG for Windows. From there, the process will vary depending on your OS and the client that you are using, but most are fairly simple.

Every PGP key is a keypair, i.e. a public and a private key. Never share your private key with anyone! The private key is used to encrypt and decrypt messages, whereas the public key is the one used to sign messages and verify your identity, as in the above image.

It should be noted that the “dark web” consists of more than just Tor, although in the past few years, the two have become conflated with one another. Tor is merely one anonymity network that falls under the dark web umbrella. Other such networks include I2P, Freenet, GNUnet, and Oxen (formerly known as Lokinet). These other networks are all considered to be “anonymous peer-to-peer (P2P)” networks, in which the nodes are anonymous or pseudonymous.

I2P Router Console

As far as staying “safe” on these other networks is concerned, the same rules apply as those on Tor, in a sense: you can still use the random password generation methods as above, but on networks like Freenet, that may be unnecessary. Freenet, like PGP, uses keypairs (public and private), and the network's sites, known as “freesites,” consist of part of the sites' public keys. Your identity, when you register, also has a corresponding keypair; it is important, therefore, that you keep your private key safe, just as you would with your private PGP key.

Some of the potential danger with Freenet and other P2P networks comes in with the filesharing aspect: you do not necessarily know if the files you are downloading are safe; there will be other posts about this in the future to go into further detail.

There are probably other precautions you can take as well, but some of the learning process just comes from experience. Just be skeptical of everything you see, and if something looks suspicious, it is best not to get involved with it.

Creating a Fake Person and Deleting Yourself: Tutorial

There have been some posts going around about creating fake online identities lately. Doing this is actually a lot easier than it would at first appear. While it depends on what details the site requires, all of these can be made up easily.

As far as usernames go, if you don't want to make one up off the top of your head, there are numerous “username generators” that can accomplish this for you. Soybomb nonsense word generator is a good one, as some of the nonsense words also work well as usernames. Username Generator also works well for this.

Depending on how much detail you need, there are other sites and programs that can fill out additional personal information when necessary. Fake Person Generator, for instance, will create a detailed fake identity, including name, address, phone number, social security number, photo, credit card number, and other information! (Hopefully none of these correspond to a real person.) Beyond that, there are sites like This Person Does Not Exist, which can create incredibly realistic profile photos for such a purpose.

Once you have completed the creation of your fake person, if you are further concerned about being identified by your IP address or other identifying details, it would probably be best to use a service like Tor or a proxy server to temporarily conceal your IP address. While these are not foolproof, they are theoretically better than accessing sensitive information in the standard manner. If you are trying to find some proxy servers with decent anonymity, do this search: ":8080"+":3128"+":80" filetype:txt – this is a Google dork that searches for text files that contain lists of proxy servers using ports 8080, 3128, and 80. It works on other search engines besides Google as well.

VPN providers have also become a trendy topic lately, especially due to some aggressive marketing on the part of certain companies, like NordVPN. While a VPN can also help disguise your identity, it is reasonable to be careful in your choice of provider, as some VPNs have been compromised in the past, which, by extension, means that the users are compromised. The difference, with Tor, is that trust is distributed, rather than being put into a single provider: the Tor network is comprised of many different nodes and relays, which are run by volunteers who donate bandwidth to the network.

A list of Tor relays and stats about them

One thing to consider with all of this is your threat model, of course. What types of adversaries are you trying to protect yourself against? If it is a type of organization that has powerful investigative tools, you may need something stronger than the online name generators, for instance. One way that some accounts are compromised is through weak passwords or reused passwords. Even in 2021, the most common passwords are things like:

  • 12345
  • 123456789
  • qwerty
  • password

The variety of password managers that exist today can at least help with this problem. Practically all of the password managers have the ability to randomly generate passwords or passphrases. For example, Bitwarden can generate passwords that are up to 128 characters long, and use letters, numbers, and special characters.

A few other password managers include KeePass, LastPass, Keeper, Dashlane, and pass (the standard Unix password manager). As with things like Unix/Linux distros and web browsers, choosing a password manager is a matter of personal taste, and what works for one person may not work for another. Try out different ones to see which one is best suited to your needs.

An alternative to standard password generators is to use the Diceware method, in which you roll some dice in order to generate a passphrase. The dice rolls are done in sets of five numbers, which correspond to word lists, and then the words are combined to make your passphrase. For example:

55364 staff
26434 fully
52434 runic

When you finish doing the dice rolls, you combine the words together to make your passphrase, and you can separate the words with punctuation if you wish, like “staff.fully.runic,” or something like that. In general, the more words you use, the stronger your passphrase is. The link above explains further how Diceware works. While it can take additional time to create a password or passphrase, the simple fact that you are not creating a human-generated password makes it slightly more difficult for an attacker to access it. Plus, if you use physical dice, the generation is being done offline. The same method can be used to generate individual characters instead of words, though this takes a bit longer.
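The Diceware lookup described above, as an added example that is not part of the original post. It goes slightly beyond the text by also computing the entropy that each extra word contributes. The word-list excerpt holds only the three entries quoted in the post, and the function names and the six-word default are assumptions made for illustration.

```python
import math
import secrets

DICE_PER_WORD = 5
FULL_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 possible five-dice rolls

# Excerpt in the usual "<five dice digits> <word>" layout, containing only
# the three entries quoted in the post. A complete list has 7776 lines.
WORDLIST_EXCERPT = """\
26434 fully
52434 runic
55364 staff
"""


def check_roll(roll):
    """Reject anything that is not five digits in the range 1-6."""
    if len(roll) != DICE_PER_WORD or any(d not in "123456" for d in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")


def load_wordlist(text):
    """Parse word-list text into a {roll: word} dictionary."""
    wordlist = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        check_roll(key)
        wordlist[key] = word
    return wordlist


def roll_key():
    """Software stand-in for five physical dice, using the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase_from_rolls(rolls, wordlist, separator="."):
    """Turn rolls you made yourself (e.g. with real dice) into a passphrase."""
    words = []
    for roll in rolls:
        check_roll(roll)
        if roll not in wordlist:
            raise KeyError(f"roll {roll} is not in the loaded word list")
        words.append(wordlist[roll])
    return separator.join(words)


def generate(wordlist, n_words=6, separator="."):
    """Roll in software; only valid with the complete list loaded."""
    if len(wordlist) != FULL_LIST_SIZE:
        raise ValueError("generate() needs the complete 7776-word list")
    rolls = [roll_key() for _ in range(n_words)]
    return passphrase_from_rolls(rolls, wordlist, separator)


def entropy_bits(n_words, list_size=FULL_LIST_SIZE):
    """Entropy of n uniformly random words; the separator adds nothing."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    wl = load_wordlist(WORDLIST_EXCERPT)
    print(passphrase_from_rolls(["55364", "26434", "52434"], wl))
    for n in (3, 4, 5, 6):
        print(f"{n} words: {entropy_bits(n):.1f} bits")
```

The entropy figure only holds when every word is picked by dice or a cryptographic random source; swapping in a word you like better removes the guarantee.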

One of the other major issues that is cause for concern, as you may know, is having tons of accounts, which is becoming more and more common in the present day. The more accounts you have on different services, the greater the likelihood that some of them will be compromised, so at the very least, you can use the password and username generators to decrease the chances of this happening. The site Just Delete Me has a large list of popular online services and social media networks, sorted alphabetically and color-coded to designate how difficult it is to delete your account. Services colored in green are easy to delete, yellow indicates medium difficulty, red indicates hard, and black indicates impossible. Beneath the name of the service are instructions on how to delete your account, if possible at all.

A list of sites on Just Delete Me

In the cases where deleting an account is impossible, the site lists the minimum amount of options you have, such as deleting any identifying information that might be in your profile, despite the fact that the profile still exists. So, in your free time, if there are accounts that you are no longer using, this list may help you comb through them and delete ones that are inactive.

You may also have heard of a site called Have I Been Pwned. This site helps you easily check if your email addresses or passwords have been compromised in a data breach. Simply type your email address or phone number into the search bar on the site, and it will tell you if it has shown up in any data breaches. In the case that it does, it would be a good idea to change the password on those accounts, or delete them altogether if you are not using them.

sites listed on Have I Been Pwned

While nothing 100% guarantees your internet anonymity, besides being offline altogether, these methods can at least help your cause. More will be discussed on this topic in the near future.

Who is the Fake Diploma Forum Spammer? (dyellihhi001)

On my previous blog, I had written several times about a bot that posts spam all across the internet, especially on forum sites. The YouTuber Barely Sociable had done a video about this bot/person in 2019: The Fake Diploma Forum Spammer – Internet Oddities.

While spam is obviously not uncommon, particularly in email form and on social media sites, the strange thing about this bot is that it seems skilled at getting past captchas and other forms of verification. Here are a few of the sites on which the bot has posted:

Reddit: dyellihhi001

Retrohealth: fake diploma posts

Wiscobrews: fake diploma posts

As Barely Sociable points out in his video, many of the bot's forum posts are related to fake diplomas, and are written in Korean. According to some sources, fake diplomas are a particularly lucrative type of crime in South Korea, where there is a lot of pressure to attend a prestigious university.

Oddly enough, I had first seen the bot's posts prior to the video, on a site called WritersCafe.org, which is a site for publishing poetry, stories, and articles. On this particular site, the bot would create fake writer profiles (accounts), and then post its spam links as “stories” or “poems.” While the site's administrators attempted to close some of the accounts, the bot creates them at such a rapid rate that it's difficult for a human to keep up with it. Some of the usernames that the bot generates are variations on the name “dyellihhi001” or something similar, which appears to be random, almost like a keysmash.

Some of the other email addresses that the bot has generated are dyellogfhf001@hotmail.com, dyellogfhf002@outlook.com, and dyelltgtgt004@outlook.com, so they may even be created sequentially. A Scribd upload has a txt document with some or all of these email addresses; this document was reposted on pastebin as well: The Forum Spammer Txt Document. Most of the diploma-related posts also have a WeChat ID in the description, which is “501058216,” and usually reference the name “Andy.” It's possible that “Andy” is one of the people responsible for sending out these bot posts.

As Barely Sociable also mentioned in the video, there's a possibility that some or all of these posts are being done with bots made by BotmasterLabs, such as XRumer or XEvil. These bots are specifically designed to recognize more than 8400 captchas, hence their ability to post on forums even when anti-spam measures are taken. In fact, there is even a YouTube video with a tutorial on how the bot works: XRumer 12.0.9: how to get about 100.000 profiles on forums and blogs! This gives a good explanation as to how it has been able to post on so many different websites in such a short amount of time, as well as how it gets around many websites' security measures. If it is unsuccessful in posting to one website, it merely moves onto the next one on the list.

On Tor, some site administrators have been able to defeat similar bots by making more complex captchas that the bots aren't able to read, and thus greatly reducing the amount of spam – though sometimes frustrating human users when they can't read the captchas.
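For forum administrators, the naming pattern and the recurring contact ID described above can also be checked at sign-up and posting time, independently of the captcha. This is an added example, not part of the original post or of any forum software; the handles and WeChat ID are the ones quoted in the post, while the benign sign-ups, the thresholds and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the post above.
PAGE_HANDLES = [
    "dyellihhi001",
    "dyellogfhf001@hotmail.com",
    "dyellogfhf002@outlook.com",
    "dyelltgtgt004@outlook.com",
]
CAMPAIGN_CONTACT_IDS = {"501058216"}  # WeChat ID quoted in the post

# Constructed benign sign-ups, for contrast.
BENIGN_HANDLES = [
    "maria.lopez@mail.example",
    "jsmith1984@mail.example",
    "dyer077@mail.example",
]

PREFIX_LEN = 5     # assumption: handles sharing 5 leading letters are one family
MIN_ACCOUNTS = 3   # assumption: smaller groups are treated as coincidence
HANDLE_RE = re.compile(r"^([a-z]+)(\d{3})$")  # letters + fixed-width counter


def split_handle(handle):
    """Return (stem, counter) for 'letters + 3-digit counter' handles, else None."""
    local = handle.split("@", 1)[0].lower()
    match = HANDLE_RE.match(local)
    return (match.group(1), int(match.group(2))) if match else None


def sequential_families(handles):
    """Group handles by stem prefix and keep groups that look machine-numbered."""
    families = defaultdict(list)
    for handle in handles:
        parsed = split_handle(handle)
        if parsed and len(parsed[0]) >= PREFIX_LEN:
            families[parsed[0][:PREFIX_LEN]].append((parsed[1], handle))
    flagged = {}
    for prefix, members in families.items():
        counters = {counter for counter, _ in members}
        # Counters packed into a short range suggest a script counting upwards.
        dense = max(counters) - min(counters) + 1 <= 2 * len(members)
        if len(members) >= MIN_ACCOUNTS and len(counters) >= 2 and dense:
            flagged[prefix] = [handle for _, handle in sorted(members)]
    return flagged


def review_post(author, body, flagged):
    """Return the reasons, if any, to hold a post for moderation."""
    reasons = []
    parsed = split_handle(author)
    if parsed and parsed[0][:PREFIX_LEN] in flagged:
        reasons.append("author handle belongs to a sequential-handle family")
    if set(re.findall(r"\b\d{6,12}\b", body)) & CAMPAIGN_CONTACT_IDS:
        reasons.append("body contains a known campaign contact ID")
    return reasons


if __name__ == "__main__":
    flagged = sequential_families(PAGE_HANDLES + BENIGN_HANDLES)
    print(flagged)
    # Constructed post body for illustration.
    print(review_post("dyellihhi001", "Contact Andy on WeChat 501058216", flagged))
```

Both checks are heuristics, so the output is better used to queue accounts for review than to ban them automatically.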

In addition to fake diplomas, the organization(s) using this bot for spam posts also appear to be behind other businesses, such as escort services, casinos, and possibly hookup sites as well. This doesn't seem that surprising in retrospect, however. In all likelihood, if these sites are all run by the same group, then it seems that they have their fingers in several different areas of illegal or dubious businesses. For instance, on the forum 2VEE, the bot has posted hundreds of times with links to the casinos and escort sites.

The mysterious parts are: who is behind all of these spam posts? Is it one person, or an organization? Beyond that, is the same bot still sending out spam posts at this very moment, or have website administrators found a way to curb the spam onslaught? If anyone has further information about this, it would be interesting to hear.

Byoblu YouTube Channel Shut Down!

On my previous blog, I had interviewed the admin of a group called Isolate ByoBlu, whom I had met via the federated social network Mastodon. The same person contacted me recently and told me that Byoblu's YouTube channel was recently shut down!

For those unfamiliar with the context, ByoBlu is a far-right news source based in Italy; it is somewhat analogous to Breitbart News for Italian speakers. As one might expect, ByoBlu's founder is also associated with a far-right movement; his name is Claudio Messora. Messora is a blogger and media personality connected to the Five Star Movement of Italy.

Given that this has been one of the goals of Isolate ByoBlu, this is certainly a great victory. The group takes its name from a similar group called Isolate Gab, which had been geared toward defederating the social network Gab. Mastodon and other social networks like it, such as Misskey, Pleroma, PeerTube, Funkwhale, and PixelFed, are federated, i.e. hosted on interconnected servers, and Gab was originally federated with these other social networks.

Like ByoBlu, Gab centers around far-right politics such as anti-immigration, racism, and conspiracy theories about subjects like COVID-19 and genetics. It is worth noting that Gab did defederate from the rest of the fediverse.

ByoBlu still operates its own website and has a Facebook page, but the loss of its YouTube channel is a huge blow to its growth as a social network. YouTube has had other controversies connected to groups like ByoBlu, including the fact that its algorithm seemed to unintentionally recruit viewers to far-right groups based on their viewing history.

VPN Providers Compared

Several people here have asked about VPN providers over time, so maybe it’s about time to talk about it. Keep in mind that, contrary to popular belief, you do not need to use a VPN provider with Tor for extra privacy. That’s one of the persistent myths about it. In fact, using a provider like NordVPN may or may not compromise your privacy. Still, if you insist on using one, it's good to know some of the advantages and disadvantages.

While it’s difficult to try each and every VPN provider, as many charge a subscription fee, VPN Ranks has an excellent chart that compares most of the major ones, such as NordVPN, PureVPN, and TorGuard: VPN Comparison Chart. As you can see, some others included are Surfshark, Mullvad, and Private Internet Access.

The chart outlines many of the aspects that people are concerned about with VPN services, such as jurisdiction, traffic logging, and IP leaks. In addition to what’s visible on the above screenshot, the original chart includes the number of countries in which the services are available, speed, encryption, Netflix support, torrenting support, killswitch, number of simultaneous connections, whether or not they accept bitcoin as payment, whether or not they have a free trial option, money back guarantee, and their score from Trustpilot (customer reviews).

For those who don’t know, the Five/Nine/Fourteen Eyes countries are intelligence alliances that share information with one another. The Five Eyes countries are Australia, Canada, New Zealand, the United Kingdom, and the United States. The others are the originals plus other countries that participate: Wikipedia: Five Eyes – Other international cooperatives.

Besides the facts outlined in the article above, some of people’s choices, as with Linux distros or phones, have to do with personal experience.

Mullvad VPN

Touted by many privacy enthusiasts, Mullvad VPN doesn’t log IP addresses, traffic, or DNS requests. One Reddit user, however, complained that they stopped accepting bitcoin cash as a form of payment (though they still accept the standard bitcoin).

Its jurisdiction is in Sweden, which is considered to be one of the better legal jurisdictions as far as privacy.

Private Internet Access

Private Internet Access (PIA) offers a strong VPN service that you can use on up to 10 devices, though it is not free and its privacy policy is somewhat unclear.

You can go to their website and read it for yourself if you like: PIA privacy policy. Still, according to Torrentfreak.com, their no-logging policies have held up in court, which is encouraging and is one of the true tests of a service that advertises privacy and anonymity.

Riseup VPN

Riseup VPN, which is just one feature that Riseup.net offers, is a free VPN service (though based in the USA, which for some might be an automatic disqualification).

Among its benefits are:

  • No logging of IPs
  • DNS services
  • OpenVPN support
  • Free trial
  • Cryptocurrencies accepted as payment

In addition to the VPN service, Riseup also has an email service, text editor, and XMPP chat. However, the service is invite-only, so an existing user has to invite new users. Part of the reason for this is to keep law enforcement and other malicious parties from infiltrating the service.

What Was the Nth Room? (Disturbing Content, NSFW)

Those of you who read here regularly know that red rooms have been an occasional topic of discussion, and also know that horror/mystery YouTubers are much appreciated. YouTuber ReignBot, who covers subjects like this, recently made a video entitled The Nth Room Chatrooms (embedded below), which deals with something very similar.

The title refers to a series of Telegram channels hosted in South Korea, known as the Nth Room(s), that basically fit the red room definition and were every bit as horrible (with the one exception that the victims weren’t being killed on camera, but tortured).

According to articles about the chatrooms, the victims were blackmailed into performing forced sex acts of all kinds, from putting their underwear on their heads, to full-on rape, as quoted in an article on Koreaboo.com. You may wonder why the victims participated in the first place; initially, the operators of the site lured them via dubious job offers on places like Twitter. They were asked to send pictures of themselves, soon followed by sexual abuse videos. If the victims decided they wanted to quit, their pictures and personal information were used against them as collateral.

Two reporters from the newspaper Kookmin Ilbo eventually infiltrated the chatrooms and witnessed some of the horrific crimes, which was how they came to be known to the general public. As one reporter described:

Most of the victims seemed to be in middle school. The girls are barking like dogs. I saw the girls naked and lying on the floor of the men’s washroom with my own eyes.

The article also mentions that there was a photo of one of the administrators of the site, “Baksa,” commanding one of the victims, who had the words “Baksa” and “slave” carved into their body. The (non-consensual) scarification was a method of telling viewers that the “slaves” were under his control.

A Wikipedia article about the Nth room case explains some of its complexities. A Telegram user going by the name of “God God” created the original groups, named after their ordinal numerals (1st, 2nd, etc.), and thus the “Nth room” nickname. A second user, by the nickname of “Watchman,” advertised links to these groups in another Telegram group called “Gotham room.”

In July of 2019, a Telegram user nicknamed “Doctor” created another Telegram room on which he distributed sexually exploitive pornography, which was accessible to users via a cryptocurrency payment (likely bitcoin). Doctor threatened women by discovering their personal information, followed by uploading their pictures and videos. When news reports first came out about the story, Doctor even figured out the personal information of the reporter and made it public. Eventually, it came to light that Doctor’s real identity was a 24-year-old named Cho Joo-bin, according to the South China Morning Post.

In a second Koreaboo article, one of the victims of the Nth room case spoke out about what happened. She explained that the perpetrators lured victims, like herself, with the promise of money. They targeted young girls who were in desperate financial situations, which seems common in cases like this.

As it relates to the red room phenomenon, the concept is very similar: torture victims on video for a paying audience. The main difference in this case is that the abuse did not take place over Tor. This is not to say that everything that happens on Telegram is nefarious (just as on Tor), but like Tor, due to the app’s encryption and anonymity capabilities, it sometimes lends itself to criminal activity.

It makes one wonder, however, if there are other such cases taking place on Telegram, or on other such apps like Signal or Tox. No verified stories have come out about such things as of yet, but the possibility exists.

I2P: Personal Experiences

Following Tor, at some point, I became interested in other anonymity networks as well. One of the first ones that I’d heard of at this time was I2P, although from a technical standpoint, it’s one of the most complex. Unlike Tor, it didn’t have its own dedicated browser, although any browser can be configured to use I2P. You can download the software at geti2p.net.

At that time, I was still using Windows (shudder), and though I2P has a Windows version, it seems like it’s oriented toward more advanced users. What I know now (and this seems awfully simple) is that you just have to adjust your proxy settings to be able to access it from most browsers. For instance, in Firefox, it’s under about:preferences#general, and then “Connection Settings.” You then click “Manual proxy configuration” and set HTTP Proxy to 127.0.0.1, Port 4444.

In any case, once I had this set correctly, the “I2P Router Console” popped up, which looked similar to this:

Besides the proxy settings part, this is where it became somewhat confusing as well, because as opposed to Tor, it felt as though there were many directions in which you could go. There was the “Addressbook,” in which you could add different hidden services (“eepsites”), “Configure Bandwidth,” “Configure UI,” etc. At the very least, the Router Console does feature “Hidden Services of Interest,” which are some general eepsites that are suggested for newcomers, like the I2P Wiki and anoncoin.i2p (which has a clearnet mirror at anoncoin.net).

Eventually, I started to get the hang of all this and just started looking around, as on Tor. I looked at most of the hidden services that were listed on the router console above, and also started to familiarize myself with some of the settings. There’s actually an excellent subreddit for I2P at /r/i2p as well, for those of you who want to join a community of others involved with this. One of the places in which I found some other eepsites, at the time anyway, was Nekhbet.com: I2P Links, but I have no idea if most of these are still online, because the site is from several years ago. The list features eepsites in a number of different categories, including multimedia, filehosting, and forums.

Confession: I was a bit late to the world of torrenting, but it’s something I’m into now, and I2P is one of the best anonymity networks for torrenting. On my current machine, I have a Bittorrent client called Transmission, which does the job as well, but on I2P, one of the most popular clients is called I2PSnark. I2PSnark is a fork of a Bittorrent client called Snark, so they work similarly. As a matter of fact, I2P comes with this service built in, so you don’t even have to install it separately. I’ve only used it a few times to download music and such, but it seems to work just fine.

I learned to use I2PSnark via several other tutorials that I found, so you may find these helpful too: Untraceable: How to Seed Torrents Anonymously Using I2PSnark and Bittorrent over I2P (from the official documentation). I’m aware that new DMCA laws now make it possible to serve prison time for filesharing, but realistically, there are people who have done it quite a bit more than I have.

After becoming more experienced with I2P, I eventually started using the Android version as well. Like the PC, Mac, and Linux bundles, it has a router console, but on the Android version, to stop and start your connection, you long press a button, as below:

This is an older screenshot; on the version that I’m using right now, it says “Network: IPv4: Firewalled; IPv6: OK.” As you can see in the screenshot, it also tells you how many active peers are known on the network. Under the menu that says “Addresses,” you can find other I2P eepsites; in fact, this is one way that I found quite a few more than on any other search.

At present, on Linux, I’m using the Debian version, so read more about it on the official page. For a time, I had also used an unofficial I2P Browser, which was a Firefox fork tweaked for I2P. In appearance, it looked similar to the Tor Browser, but didn’t have an outproxy to the clearnet (this can be set up if you wish). Anyhow, there are a lot more features on I2P, which I might discuss in future posts. What didn’t I cover here that you would like to see more of?

Deleted by WordPress!

Well, it finally happened. WordPress suspended the original Secrets of the Dark blog for a violation of their terms of service, which is odd, because I had been writing about the dark web and related things for around five years.

I suspect that someone complained about a specific post, which may have been the impetus for them suspending it, but I'm not sure. They didn't specify in the notification what the cause was for them shutting it down.

Fortunately, many of the older posts are at least on the Wayback Machine, so I may repost some of them here or just write new ones. In addition, I may move here permanently, or I've also been writing on Substack, which is an option as well. Substack seems to be a platform for more formal articles, of course.

In any case, there are lots of options! I plan on building everything back up from scratch, and will not be defeated.

Dos and Don'ts of the Tor Browser

A friend of mine asked recently about dos and don’ts of using the Tor Browser, and there are quite a few; in fact, I may not know all of them offhand, which is why it’s good to read the official Tor Browser manual and other documentation made by the Tor Project.

That being said, there are some definite things that you should and shouldn’t do with the Tor Browser:

Do use the official Tor Browser from the Tor Project: The only Tor Browsers you should use are ones made by the official Tor Project, including ones for different platforms. Currently, the official ones work with Windows, OS X, Linux, and Android.

Do use .onion services if they’re available: Some clearnet sites also have Tor hidden services (.onion sites) as mirrors. If you have the option to use either, the onion service, if configured correctly, is likely to have better anonymity.

Do use different passwords and usernames on Tor: Depending on what your threat model is, on Tor, it’s better to use different passwords and/or usernames than what you’d use on the clearnet. Use your password manager or something like Diceware to generate new passwords for Tor sites.

Don’t install plugins or add-ons: Tempting as it might be to install plugins like password managers and other plugins that you’re accustomed to on other browsers, with Tor, these can be harmful rather than helpful. Because Tor’s purpose is anonymity and security, installing add-ons differentiates you from other Tor users. Using the example of password managers, you can use a manager like KeePass, which can store your passwords offline, and copy the passwords into the sites on Tor.

As user SuperSluether put it on StackExchange:

Look, using plug-ins in the Tor Browser is the same as using your default browser. Any protection from Tor is lost because the plugins COMPLETELY IGNORE THE PROXY SETTINGS.

If you want to use plugins, don’t use Tor. Trying to use both at the same time is mostly wasted effort. The only difference between doing this and using your normal browser is the fact that your normal browser already has the plugins installed.

In fact, it’d be easier to set up a local Tor proxy, and tell your default browser to use that. Since plugins ignore the proxy, you’ll get the exact same effect as on the Tor Browser.

Don’t torrent over Tor: Tor is notoriously bad for torrenting, for two reasons: it breaks your anonymity, and it slows down the network for everyone else. In fact, Tor addresses this directly in their FAQ:

Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that’s how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.

Other anonymity networks, like I2P, Freenet, and ZeroNet, are better suited to things like torrenting. For instance, I2P can be used with I2P-Snark.
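To make the FAQ's point about the tracker GET request concrete, here is an added example (not from the Tor Project or any torrent client) that audits announce URLs captured from your own client for parameters in which the client reports its own address. It assumes the `ip` parameter from BEP 3 and the `ipv4`/`ipv6` parameters from BEP 7; the tracker name and sample URLs are constructed, and it does not cover clients that bypass the proxy entirely.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Announce parameters in which a client states its own address:
# "ip" (BEP 3) and "ipv4"/"ipv6" (BEP 7).
ADDRESS_PARAMS = ("ip", "ipv4", "ipv6")

# Ranges that do not identify a user on the public internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample announces; documentation-range addresses stand in
# for a real public address.
SAMPLE_ANNOUNCES = [
    "http://tracker.example/announce?info_hash=%12%34&port=6881&left=0",
    "http://tracker.example/announce?info_hash=%12%34&port=6881&ip=203.0.113.7",
    "http://tracker.example/announce?info_hash=%12%34&port=6881"
    "&ipv6=%5B2001%3Adb8%3A%3A1%5D%3A6881&ip=192.168.1.20",
]

def _host_part(value):
    """Drop IPv6 brackets and an optional port: '[2001:db8::1]:6881' -> '2001:db8::1'."""
    value = value.strip()
    if value.startswith("["):
        return value[1:].split("]", 1)[0]
    if value.count(":") == 1:  # IPv4 address or hostname followed by a port
        return value.rsplit(":", 1)[0]
    return value

def audit_announce(url):
    """Return (param, value, verdict) for each self-reported address in one announce URL."""
    findings = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for param in ADDRESS_PARAMS:
        for raw in query.get(param, []):
            try:
                addr = ipaddress.ip_address(_host_part(raw))
            except ValueError:
                verdict = "hostname"  # BEP 3 also allows a DNS name here
            else:
                local = any(addr in net for net in LOCAL_NETS)
                verdict = "local-only" if local else "public"
            findings.append((param, raw, verdict))
    return findings

def leaking_announces(urls):
    """Keep only the announces that hand the tracker a public address."""
    return [u for u in urls if any(v == "public" for _, _, v in audit_announce(u))]
```

An announce with no such parameter still exposes whatever source address the connection comes from, so an empty result here only rules out the self-reported leak.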

Don’t use “unofficial” Tor browsers: There are a number of “imitation” Tor browsers on places like the Google Play store (which, if you’re already anti-Google, you probably don’t use anyway). For instance, there’s an app called Onion Search Browser, which, in theory, allows you to access onion sites, but contains ads and is terrible with anonymity. Any of these other “Tor browsers” are likely to be awful, even if they are able to access onion sites.

Be careful about enabling JavaScript and other site features: While some sites won’t function without JavaScript and other features, be aware that allowing them on some sites and not others can enable tracking as well. The current version of the Tor Browser has three security levels: standard, safer, and safest. Under “standard,” all Tor Browser and website features are enabled. Under “safer,” some website features that can be dangerous are disabled: JavaScript is disabled on all non-HTTPS sites; some fonts and math symbols are disabled; audio and video (HTML5 media) are click-to-play. On “safest,” only website features required for static sites and basic services are enabled, so images, media, and scripts are blocked. Also, JavaScript is disabled on all sites, while some fonts, icons, and math symbols are disabled as well. Audio and video (i.e. HTML5 media) are set as click-to-play.

Don’t use a VPN provider with Tor: There are still a lot of articles and videos that claim you need to use a VPN provider with Tor, which is essentially a myth started by VPN providers. Doing so can actually compromise your anonymity, because you’re then relying on the VPN provider for privacy. If the VPN company is compromised in any way, then so is your data. This isn’t to say that VPNs don’t have other uses, but using the two together is pointless. If you’re concerned about hiding your Tor usage from your ISP, then using a Tor bridge can get around this problem: Relay Search.

.Onion sites: As on the clearnet, there are some .onion sites with malicious intent. Sites listed on directories like the Hidden Wiki, especially financially-related ones, tend to be scams. Use your good judgment. While this doesn’t correlate with the browser itself, these types of sites are aimed at those who are new to Tor and hope to take your money. Such sites have stolen people’s bitcoins, PGP keys, passwords, and other personal information.