Gentle reminder; don't brag about your cool crimes (like doing graffiti) on here. It's not a secure place. That's how people get caught. In general, it's important to learn to be happy being a secret bad ass.

If you need help doing cool crimes, only tell one or two people you'd trust with your life. Make sure they won't tell anyone, even if they get arrested. The Weather Underground and the people who exposed CoIntelPro got away with it because they all kept quiet.

Don't store dangerous or secret info as pictures on your phone. Not unless you really know how to lock that down. Android and iPhones upload all the pictures to the cloud by default, and that's not private. It can get hacked, or the police can just ask for the pics. You wouldn't even know till it's too late.

Don't do research for your cool crimes in normal web browsers. Use Tor (there's a Tor Android app) or a VPN you know won't cooperate with authorities. And don't use your normal accounts.

Someone's gonna be like "but a VPN is something you use with your normal web browser." Yes, I know. But your browser might try to automatically log in to one of your accounts, and even over a VPN that would identify you. Even in Private Mode you might slip up. So it's best to use a separate browser.

None of this guarantees safety, it just improves your odds of getting away with things.

Actual security experts feel free to chime in here. I'm just a scared bunny who is too scared to do any cool crimes.

Signal is a decent messaging app for secretly talking with friends about where/when/how to do cool crimes. Like posting the address of an abandoned house you want to graffiti.

It has flaws. Nothing is perfect. But it's end to end encrypted and you can set messages to self destruct. Better than planning crimes on here.

Thanks for coming to my TED Talk. I'm gonna go back to hiding in a hole in the ground and not sharing any judge's home addresses on here because yikes that's how you get ALL of the Feds investigating you. Here is not the place to do that.

One more thing! This isn't advice for people seeking an abortion. It might be useful for them too, but it's really advice for people who are talking on here about wanting to follow in the footsteps of John Brown, or The Weather Underground, or CLODO.

@bunny_jane Matrix is also good. It also has flaws (for one everyone says it's somehow More Complicated™ than Signal, though we really don't see how), but we trust it more than Signal, not least because Signal makes you give them your phone number to sign up.

@LunaDragofelis @bunny_jane ehhhh XMPP+OMEMO /works/ but it's not nearly as nice.

Of course, part of that is because we tend to be multi-device and multi-client. Matrix has provisions for that. XMPP? /Nope./

@LunaDragofelis @bunny_jane okay sure, but does it support getting your history from an old client to a new client?

does it support anything like Matrix's cross-signing so I don't have to manually tell people "hey this new device is really us, you can trust it"?

@thatonecalculator @bunny_jane @LunaDragofelis I hope so! Have to try it ourselves sometime and make sure y'weren't talking about a different thing somehow.

Sometime when we have spoons, which is not today.

@IceWolf @thatonecalculator @bunny_jane @LunaDragofelis that's cool! i was thinking about setting up an XMPP server (maybe Prosody IM?) and it's good to know that you can get OMEMO history from a device to another.

@LunaDragofelis @bunny_jane (if you're worried about cross-signing security: you can't sign new devices without the old device. The old device signs your key, not the server.)

Matrix does not have self destruct messages, IMO that's one huge disadvantage compared to Signal.

@bunny_jane Not quite a security expert but... yep, this stuff is hard to do well, browsers easily leak data, and phones are even worse.

I hate that the only really solid approach here is to have a separate dedicated communications device, and that's not economically feasible for so many even if they are willing to put in the effort.

For really safe communication, a minimal setup on a separate old laptop with VPN/TOR is simplest. We must return to the old ways, local email clients, PGP, web1.0

@unlofl @bunny_jane Make sure any disks are encrypted. It’s easy for them to get “lost”.

A stateless USB or CDROM is better than a physical device. Tails is set up for this.

@bunny_jane Make sure any drives with data are encrypted. Hard drives, flash drives, sdcards.

On top of that, use encrypted volumes, and only keep them open when needed.

Veracrypt is a good option for both, as far as I’m aware.

Use a password rather than biometrics. Passwords are protected.

@bunny_jane Tails is a Linux distro set up to run off of a flash drive which allows the host machine to stay clean.

@bunny_jane Wowww on the pictures thing. Really glad we installed Lineage on our phone first thing when we got it.

@bunny_jane @dhfir

> Android and iPhones upload all the pictures to the cloud by default

Dependent on OEM and their fork of Android. AOSP is the base code for Android, and it does no such thing by default.

> Don't do research for your cool crimes in normal web browsers

Not always best for everyone. Chromium-based browsers are much more secure than Firefox-based browsers and can be used tactically.

> Use Tor (there's a Tor Android app) or a VPN you know won't cooperate with authorities.

Tor is the best way, due to its onion routing system, but it can be vulnerable to Sybil attacks. A VPN is *NOT* a good way to be private against police or governments, because there is no privacy by design, it is completely trust-based. Certificates can be used to MITM you, and are often used for VPN secure connections.

> don't use your normal accounts

I'd like to add, don't use any account already used with identifying data such as IP address. Once it's been leaked, it must be classified as tainted. Create a new account for the purpose, even better if it's a throwaway one.

@bunny_jane Try not to use your regular phone, if at all possible. Get a prepay phone, keep it off, away from you, if needed, but phones shouldn’t be trusted.

Phones can be tracked easily, and the phone companies won’t think about handing over records to LEOs.

Set a PIN/password and turn off anything biometric. PIN/passwords are protected data, biometrics are not.

Definitely use Tor.

@bunny_jane rule number one of vandalism

you don't talk about what you did

Weather Underground 

@bunny_jane In the early 1980s, lots of WU people came back from the underground, admitted their membership openly or turned themselves in, & got slaps on the wrist because they're white from upper class families. Now most of them are otherwise unremarkable dems. Not talking isn't really the reason they got away with it especially since they weren't immune to infiltration either. Other left-wing groups doing similar things at the time got much worse treatment despite similar or better security practices.

This isn't to say that it's actually fine to brag recklessly about this stuff but that privilege & bad politics makes shit easier.

@bunny_jane what did Weather Underground "get away with"? Aren't they just amateur meteorologists?

