from hirihit640@sh.itjust.works to privacy@lemmy.ml on 21 May 02:32
https://sh.itjust.works/post/60519693
I feel like this is a hack that is rarely talked about. And it’s the most reliable method I’ve found for getting an email account that I can use for signing up to other websites.
Imagine you want to create a completely anonymous account on some website. Most websites require an email account to sign up. if you’re lucky you can use one of those a temporary email services, but many websites block those nowadays. They only accept trusted email providers like Gmail, Protonmail, etc. And trying to make an anonymous account on those providers is difficult. Even Protonmail, surprisingly. If you try to sign up for Protonmail using a VPN or Tor, they will ask for a phone number or a second email account. So now you have to get a phone number anonymously (very difficult), or get another email account anonymously, back to square one.
Darknet markets solve this problem. Pay a bit of Monero, and you get an account. Completely anonymous. Now I won’t pretend it’s easy. Even just signing up for a darknet market often requires learning how to PGP encrypt/decrypt messages. But it only takes an 30 min or so to figure it out and sign up, and it opens up a new world of tools to use for privacy. There are many other types of accounts that you can buy aside from Protonmail, and many other products in general that you can buy.
I don’t get why Protonmail doesn’t just accept anonymous crypto as an option during signup, but until they do this is honestly the most reliable option I’ve found. I really wish more websites just accepted crypto for account creation. It’s understandable that in order to prevent spam accounts, account creation has to cost something, and crypto allows it to cost something without costing your privacy.
Anyways, here’s a quick guide to get started. I’ll avoid direct links since I don’t know if those are allowed.
- install Tor Browser Bundle, and use it for the following steps
- search for websites like Daunt, Dread forums, and Tor Taxi. Darknet markets change all the time so use those websites to figure out which ones are currently active. Cross-check links across multiple websites to make sure they are trustworthy, since often scam websites will try to pose as legitimate ones
- look for markets that let you search for the product you’re interested in before signing up, to save you time
- some markets require you to load funds into the market and then pay using those funds. Avoid loading more than you need, since some markets have “rugpulled” before (aka taken everybody’s funds and disappeared. This is the risk of an anonymous market).
Edit: also if for some reason a seller doesn’t accept Monero, you can use a crypto swap. Basically you send the swap service some Monero, tell them what crypto to convert it to (like Bitcoin or Ethereum), and where to send it to. Many can be used anonymously, without signup
threaded - newest
Man, if you really think some darknet service is going to be more reliable just because Protonmail wants a specific kind of fiat
what do you mean? Are you talking about how you can pay for Protonmail using cash? I haven’t found a way to anonymously send cash. Physical movement can be easily tracked via surveillance cameras
Exactly, do you really think that your data is magically more secure because you paid the vendor with bits farmed on an ASIC somewhere instead of dead slave owner portraits?
yes, I believe that Tor and Monero are more private/secure than the postal service, just like I believe that 2048-bit RSA is more secure than a padlock
Nobody mentioned the postal service? You’re either hallucinating AI slop or a deluded zoomer regurgitating AI slop, and therefore you can go fuck yourself sideways
you’re going to have to explain what you meant by dead slave owner portraits. I assumed you meant dollar bills, but if you want to pay Protonmail using cash you need to mail it over, hence the postal service
That is indeed a currency with a picture of a dead slave owner on it, got it in one
I could easily sign up for a protonmail account without mailing anything, that sounds like such sovereign citizen bullcrap I can’t type it out with a straight face XD
the point of the post is about creating accounts anonymously. Try creating a protonmail account using a VPN or Tor, without giving any PII.
You were the one that brought up cash, I was simply explaining that sending Monero is often more private than sending cash
……Creating accounts anonymously by using Crytocurrency
Which you purport to be more reliable
More reliable than what exactly?
than other anonymous methods, like trying to find the right Tor exit for Tutanota to let you create an account, or trying to use sms services like smspool to get past the phone number check from Protonmail, etc. These methods only work like 25% of the time, while buying accounts from the darknet has worked for me 100% of the time.
.
Monero is very secure. You might want to actually read about it first… For one, it runs best on consumer grade hardware
Cool, so running on consumer hardware makes your communications more secure how exactly?
it makes it more decentralized, preventing data centers from having a large advantage and mounting 51% attacks
Ahh yes, I’m sure some genius out there is scheming a 51% attack on the Federal Reserve 🙄
We need a more decentralized digital currency to address the issues inherent to the last decentralized digital currency!
Ok this is getting far off topic. Monero provides privacy. It’s a lot easier to send money anonymously using Monero than, say, cash or credit. The point that the other commenter made about consumer hardware, is more about decentralization, which some people value and are thus against government-controlled currency like the Federal Reserve. But that’s not why I brought up Monero in the post
You can say that again lmao, it was an honor getting lost in the sauce with you o7
I brought up the hardware thing because people don’t use ASICs for it as far as I understand. Which is what you said.
The zero-knowledge proofs and ring signatures make it secure.
But hey man, if you think you can crack it, there’s millions of dollars there waiting for you so go for it.
Okay, cool, completely aside the point
Say I spent the next 5 years developing StuperDuperMonero with -1-knowledge proofs and purple starfish signatures
Would you purport that this would somehow make your communications more secure?
The fuck are you even talking about?
The word I said have actual meaning.
I mean, all language is subjective dawg, words have the meaning people associate with them
Anyway, my point still stands, say I rescue Satoshi Nakamoto from Epstein’s island and she makes a crypto currency utilizing cutting edge security techniques, is quantum resistant, and verified 10x secure as Monero,
Do you purport that would make your communications more secure?
Wow deep.
I still have no fucking idea what you’re point is supposed to be. Sure buddy, you can make up any bizarre situation you want. Good job.
Meanwhile, monero exists and nothing I’ve said is made up.
Be pissy all you want dawg
I’m not going to waste any more time on someone who talks about crypto but thinks Satoshi Nakamoto is made up 😂
Yeah, clearly that wasn’t the made up shit in your comment I was referring to.
Like did you forget that was the entire point of your previous comment? You literally just said a bunch of nonsense words and pretended I was doing the same thing because I mentioned zero knowledge proofs and ring signatures.
Read a fucking book, dude.
It’s amazing how in such few words you have shown how you know utterly nothing about Monero
Physical movement can be tracked by cameras. All digital transactions are tracked by virtue of the way the internet works.
When you put your trust in digital transactions you are putting your trust in the cryptography that hopefully underpins them. With recent regimes of harvest now decrypt later, you are putting your trust in both the perfect forward and quantum/parallel resistance of that cryptography.
Just some food for thought. Sending cash might be a smarter choice than you think.
harvest now decrypt later applies to cameras too. Install a bunch of security cameras, aggregate all footage, use facial detection, gait detection, predictive algorithms, etc to figure out the motion of all citizens at all times. I would not be surprised if governments were already doing this.
You simply cannot practically “encrypt” physical methods wirh the same amount of entropy that can be used for digital methods. And this is even before quantum-safe encryption.
Hndl applied to physical surveillance is all metadata. Hndl for digital interactions is content too.
that’s assuming they don’t scan the contents of mail, in which case physical surveillance would include content too.
Physical surveillance of mail is incredibly expensive, slow and subject to a bunch of regulations.
It also doesn’t consistently work.
Electronic surveillance of communications is incredibly cheap in comparison, near instantaneous and an evolving new technology that’s loosely regulated if at all.
It also creates a 1:1 copy of the transmission for interpretation at a later date.
Regulation means nothing, if the feds want to track people there’s endless strings they can pull. Plenty of evidence online of feds intercepting packages and bugging devices. They can even use illegal means and then use parallel construction.
On the other hand, just because the feds collect a bunch of dsta to be decrypted later, doesn’t mean they actually will. Encryption is very rarely cracked, it’s far more difficult than tracking people down via camera footage. Not to mention, statute of limitations means that even if they crack it 20 years later, the data might be useless by then.
Fact is, I can send some monero to somebody today and know it won’t be cracked within the year. But if I put on a mask and gloves and try to send a letter in the dead of the night, I know there’s still a chance that I’m caught.
There’s a reason why hackers today choose to use crypto and mixers rather than cash. Same reason why the US criminalized tornado wallet. Turns out, Monero and mixers are incredibly effective.
Physical surveillance is barely even circumstantial evidence of the crimes we’re talking about, Hndl troves are incontrovertible. People get caught using monero to do crimes all the time.
Of course if you dress up like the hamburgler you’re gonna stick out. Just look normal.
I did not intend to fight you about this, the point of my reply was to provide some context about the often overlooked physical side of things.
We very often overlook the physical because we think it’s too unknown and that we understand the digital much better but in many years I’ve never met a person who thought that way and could explain in detail how the web works or why certificates are scrubbed.
Keep your nose clean out there, you never know whose gonna be looking in 20 years…
I think this comment is a good example of why people don’t like physical methods. It just seems so hand-wavy, like homeopathic medicine. How do you judge how well it will work in a given situation? Physical privacy is just dependent on too many unknowns. And privacy techniques for the user have not improved in the past 100 years, meanwhile surveillance and location tracking algorithms for the authorities have progressed.
Digital privacy continues to improve every year. Andbody can use Tor and Monero, and benefit from the research and development behind them. Anybody can audit the tech, and build on top of it. Right now darknet markets are clunky to use, but they definitely feel better than they did 5 years ago, and they’ll keep getting better.
Anyways thanks for engaging in this discussing with me, it definitely helped me explore these ideas deeper.
depending on your juridiction, the statute of limitations should save you after 20 years :)
They might see that I ate a sandwich and mailed a letter vs my transactions are in a public ledger and can be tied to me at any time in the future when that ledgers cryptography gets broken or my information or the other party’s information gets corroborated.
Quantum is fake. Everybody knows it but no one talks about it.
Parallel computing is not fake though, and the technology to do it is being deployed at scale never seen before in our lives. Hash cracking software is already designed to take advantage of video cards, and the same mathematics were put into service and honed on those video cards years before during the crypto boom(s).
So now you have to contend with the future of ai: if the bubble pops then there’s piles of parallel computing hardware out there that are suddenly upside down on their leases and have to be pressed into service doing something, anything. If the bubble doesn’t pop then consistent improvements in efficiency of new stuff cause old hardware to become available to the part of the market that can afford a little more per millisecond of torch time: crypto and crackers.
This is already happening.
The space you need to be able to solve for to transact physically is limited and finite, the same space for digital is unlimited and infinite.
What do you mean the space for digital is unlimited and infinite? There’s finite resources on the planet. 2048-bit RSA is not getting brute-forced in our lifetime (without quantum). And if you are talking about password strength, all of what you mentioned should be factored in. Take the combined compute of all GPUs of the world, factor in Moore’s law with a 50 year horizon, and figure out how strong your password should be. I know some people use 128 bits of entropy but I think 100 bits is plenty. Use a word-based passphrase for easy memorization. Or just use a hardware key.
Now I’d love to know how to calculate what level of security is enough for physical methods. Anything rigorous?
Of course Im not suggesting that d-h is comparable to some mathematical expression of laundering your money during lunch and sending a letter. You can’t compare the two using mathematics because elliptic curve works in a really narrow set of domains. Now my friends in actuarial work might have something to say about that but I was trying to use types of equations as a way to help explain how the physical and digital are different. what I mean is that any new discovery or development could undo the security of digital transactions, specifically blockchains which exist as public ledgers in perpetuity. When solving the calculus of what degree of concern and care a person needs to exercise you gotta look to any possible future.
Physical transactions are done when theyre done. You either succeed or you don’t, no one can dig back into the perfect public copy of everything you did and reveal it was you (or even in the case of some blockchains what was done!). Perhaps they find out they have a surveillance video of you going to the restaurant and getting lunch then mailing a letter and try to use it as evidence that you conducted a cash transaction using a nonce. It’s meaningless.
You don’t need to worry about it in any way you wouldn’t have to worry about conducting the transaction digitally. The solution space of a physical transaction is finite, which of course could be partially or completely encompassed by the infinite solution.
That last part is to say that for both a physical or digital transaction you gotta worry that the other party (or yourself) screwed it up somehow or betrayed their counterpart but because it’s common to both methods it’s not worth discussing.
Again the point of all this math talk isn’t to suggest that we ought to be talking in proofs or something silly like that. Some people really “get” math though and using it as a metaphor can help get the point across.
Better the devil you know than one you don’t. Physical methods involve too many unknowns, and chances are the people using them are overconfident, victims of dunning-kruger effect. The weaknesses of cryptography can be publicly studied. The blind spots in the surveillance network of your neighborhood are a big unknown. I’ve made enough security mistakes in the past to know that the biggest risk is the user, and the more you can offload to professional tools like Tor and Monero, the better.
It’s not that simple. They have a rough idea of your location past on the post office box. They use surveillance footage to narrow down the list of suspects. They know that the suspect cares enough about privacy to mail cash to an email service. That’s at most 1/1000 individuals. So in a city of a million residents, that’s about 1000 people. Combined with surveillance footage, traffic cameras, and phone tracking to determine the movements of all citizens, as well as cameras around the post office box to get the height and build of the suspect, they can probably narrow it down to 5-10 people. Then they monitor those 5-10 people individually. Even using illegal methods like breaking in and installing mics, cameras, bugged hardware. Once they confirm who the suspect is, and find evidence, they use parallel construction to come up with some legal rational for how they found the evidence, hiding their illegal methods.
Imo targeted surveillance is game over. The enemy has magnitudes more resources on you, and you’ll never even know that it’s happening. The best you can do is avoid it in the first place. Hide amongst a million others, using Tor or Monero.
I agree about the devil you know vs the infinite possible future ones you don’t.
I think you’re making way too many assumptions about physical surveillance (“they know you care about privacy” as opposed to the actual thing they know, which is simply that you mailed a letter, being able to narrow your suspect list down based on the fact that they care about privacy, etc) but even if I were to take every single one of them at face value then the authorities have less information than is public on a bitcoin transaction (I know you’re a fan of monero, I’m using the amount of information in a bitcoin transaction here to make my point clear in the language of crypto). And they had to be looking when you did it.
I’m of the opposite opinion: digital surveillance is game over. The opponent still has orders of magnitude more resources than you, but they also have access to your entire communications chain via well documented backdoors, can apply millions of exploits on each piece of software or hardware involved in that chain, can literally directly translate those resources to faster and higher quality exploits and with hndl they don’t even have to be there when it happens. I think the best thing you can do is avoid the digital as much as possible.
I always used to laugh at my professors, friends and coworkers who were “revolver next to the fax machine in case it gets any funny ideas” types but a few decades around computer security done made me into a stereotype.
I should have been more specific. They are looking for somebody that mailed cash to an email service for account X. They know the mail came from postbox Y. They use surveillance footage and other factors to find the 10 people that used postbox Y that day. etc.
And yes the Monero blockchain is public, just like Tor traffic, but it’s all encrypted.
Except with Tor and Monero, it’s not them vs you, its them vs everybody using Tor and Monero. That’s way harder. My point was that targeted surveillance is game over. Trying to break Monero is not a targeted attack. And the number of exploits on Tor and Monero are much more known than the number of exploits known for physical methods. You can look them up. Again, the fact that all this information is public is a good thing. It means security can improve over time. Hackers get better too, but if we look at history, in general computer security gets the upper hand over time. For example look at how hard it is to jailbreak an iPhone nowadays.
Physical methods is where there actually might be a million exploits. Nobody knows how secure they are, and anybody who claims to know is probably overconfident, with very little rigorous evidence.
I still dont think you’re comparing apples to apples here.
A physical payment for the thing you linked (I dont use posteo but they seem to use the same cash+nonce system everyone else does) consists of a sealed addressed envelope with the bills and a number used once (nonce) at the recipient in order to associate receipt with account. The nonce is not saved or recorded.
So a surveilling party could possibly perform in depth inspection of every letter going to the service they’re trying to surveil, record all the payments and nonces, cross reference the mailing location of the individual letters (idk of any post service that bins them according to location of origin but I’ll go with your description!) with public camera footage and make a positive id for all the people who mailed the letters and they still don’t have the ability to associate payment/person/letter/nonce with a particular account because the nonce isn’t retained.
They’d just know you sent a letter containing money and a code to a service.
Again, what I described is a type of investigation that is extremely expensive and requires exacting precision at every step in order to not make an error that would make the evidence inadmissible.
They’d have to have infiltrated the recipient at the time and place of associating account with nonce and if that’s the case it doesn’t matter if you’re using the monero jetpack/ninja climb or the physical letter walk across the gymnastics mat t-posing method because the other end of the mat is jail.
But let’s look at it from the other direction, they’re not trying to remove privacy and anonymity in general, they’re specifically trying to get you:
You are observed through your open window from the cleaning service van across the street. When you leave to mail your letter, which contains unique microscopic markings and fiber identifiers cross referenced to the s/n of envelope boxes you were recorded on cctv purchasing at the drug store last week, the van radios a follow car around the corner that appears to be a bunch of hoodlums who slow to a crawl and yell out their car window, berating and denigrating you. You don’t respond, though their yelling distracts you from the pebble in your shoe and the traffic cameras get a good id on you through gait recognition.
The follow car bumps into a fire hydrant and you round the corner and enter the restaurant, where the server seems to be looking at you and texting constantly. Your grilled cheese has melted chocolate in it with the unique mushroomy taste of senna. You catch the host and bartender running your change back to the office and hear the sound of a scanner and notice the shifting white light coming from behind the open door.
You put part of your change in the envelope with the nonce you wrote using your non dominant hand and lick it to seal the flap, activating dozens of moisture sensitive polymer capsules to absorb and preserve the trace genetic material left behind for later analysis. Outside the restaurant, you drop the letter in the mailbox and head home. The restaurants host radios when you round the corner and a flower seller with dark sunglasses, an earpiece and a conservative suit on under their apron rolls their cart down to the mailbox, unlocks it and picks out your letter.
They know that you sent a letter with money and a code to some address. If they allow it to continue on its way then they can’t associate it with a particular account because the code isn’t retained after use.
That was a colorful and fun read, can’t say I can match that. But I think if you are against the feds the assumption has to be that they infiltrated the other party. This is the whole reason why canaries exist. Because many jurisdictions allow the feds to force companies to do things and keep silent about it (gag order). For example, Protonmail was once forced to log IPs to track down the owner lf an email account.
By the same token, if Posteo is able to associate a nonce to an account, then they’re also able to tell the feds. Even if you are in a different jurisdiction from Posteo, feds can work across state lines through international agreements (which I think was also the case in the Protonmail case).
Gotta excercise the ol creative muscles somehow. Thanks for putting up with it!
I think what you just said is our breakdown. Neither cryptocurrency, cryptography (in its d-h or one time code permutation) or any other technology removes the requirement that you trust the other party both to perform their side of the process and to not betray you.
It’s important to not go down that route because if you can’t ever trust then you can’t believe you can ever have privacy or anonymity except when you completely retreat from all communication or interaction both electronically and physically.
Remember that the problem cryptocurrency solves is the credit card clearing problem, not the problem of trusting your counterpart.
Also your proton example might be the one where some ding dong used their out of the box (no adp) icloud email as the recovery for proton and the cops got the icloud through a logged in device and recovered the proton account using it as opposed to forced ip logging but I might be mistaken.
I do agree that it’s an extreme threat model, so it’s not one I use personally. I guess some people may try anyways though 😅
here’s an article about the proton case: schneier.com/…/protonmail-now-keeps-ip-logs.html
Bless Bruce but if I were able to write one sentence and call it a blog entry some things would be different around here!
You’re talking about the French kid. As it turns out, operating an email service requires knowing a users ip and the government can implement ip monitoring if they want to. Protons response was to use tor or a vpn like theirs which everyone got mad at them about but was later upheld in court as the correct solution (email provider isn’t a telecommunications provider judgement).
How to be paranoid but not schizophrenic guide. Avoiding mental illness in the modern age %100 no cap real strats the pros use now you’re playing with power!
haha what a riot! I may be paranoid but I’m not schizophrenic, the voices told me so.
Well it was a blast chatting with you friend, beware of the ip-monitoring governments and stay safe out
Same.
this legit feels illegal/criminal. aren’t those accounts stolen or made through identity theft?
Not necessarily. Protonmail will happily let you create an account if you don’t use a VPN or Tor. Such accounts are tied to your IP, so you can’t create too many of them, which is all Protonmail cares about, since spam accounts reduce the trustworthiness of their email service. I really doubt sellers are going through efforts to steal accounts, if they can just make them for free at a coffee shop.
Darknet markets create a system where people can create accounts non-anonymously, and convert them into anonymous accounts by selling them to others. I wish this were more common. For example I’d love to be able to pay for an anonymous Youtube Premium account
Edit: also in case it reassures anybody, the accounts I got from the darknet were clearly freshly made accounts, not stolen. Only a few days old, and no emails except the “welcome to protonmail” one.
yes so that’s the part where identity theft is used
is that legally identity theft? Creating accounts and then transferring them to others? I’m sure it violates ToS but I wasn’t aware that it was illegal
Yeah the word “theft” usually connotes harm via taking away the possession of another. Identity sale or even light identity “fraud” if you’re being pedantic, but hardly theft if the originator of the account is knowingly transferring it away from themselves, especially for monetary gain.
that’s not what i’m talking about. i mean, the one who sold you the account is very likely not the one who provided the personal information to create the account. it’s very hard to create those online accounts at scale with few people’s personal information, so identity theft is widely utilized to mitigate that.
I think you overestimate the scale. Last I checked there were only like 3-4 sellers. They could easily be making these accounts themselves. If the scale grew larger, people in poorer countries would see it as a way to make a quick buck, and start selling them as well. And if the scale grew to an enormous size, Protonmail would probably just start accepting crypto instead of just letting darknet sellers make all the money.
i’ve seen far more. maybe there’s not many on the specific forum/website you’re looking at, but there are many criminals on dark web forums selling directly stolen accounts or accounts generated with stolen PIIs. in this case it is definitely illegal/criminal, and this post may be seen as endorsing such cases.
interesting, I have not seen that before but if it helps, no I don’t endorse stealing accounts or buying stolen accounts. Given how easy it is to make a (non-anonymous) Protonmail account I’m inclined to believe that most accounts sold are legitimate, but one should always practice best judgement when browsing the darknet
It varies by jurisdiction but if the reseller you bought from is selling you an account used by some other person for some personally identifiable thing (which is why the internet at large trusts that account and why you bought it!) then you’re at the very least toeing the line of Id theft or impersonation and while the cops might not be able to get you for that particular crime they will absolutely have enough suspicion to investigate you and discover other crimes or even just watchlist you.
I don’t care if you break the law from a moral or ethical standpoint, but it can cause you problems from a practical one.
the internet trusts protonmail because protonmail adds barriers to prevent unlimited spam accounts from being created. Those barriers are IP, phone number, and secondary email. Darknet markets simply provide an alternative path: monetary. But monetary is still a barrier, and prevents spam accounts as well. So imo society should still “trust” it. In other words, a monetary barrier achieves sybil resistance without sacrificing privacy, and I’m all in support of that.
You are not following the point I’m making:
The account you buy on the darknet works because the rest of the internet already associated it with an identity. That means law enforcement has cause to investigate the new user for impersonation or id theft. It doesn’t matter if they can’t get you for id theft or impersonation on a technicality, they’re already investigating you at that point! Law enforcement attention is what you don’t want!
It’s like using your neighbors car with an expired tag because you don’t want to have your car show up on the highway cameras.
with dragnet surveillance, law enforcement is already investigating everybody. The purpose of buying it on the darknet is that it’s anonymous, so it doesn’t matter if law enforcement investigates it.
It’s anonymous at the moment you buy it. After that you use it and identifying data and metadata that conflicts with the original users data and metadata starts to accumulate.
I’m confused at your point here. First off, there’s very little initial metadata. The seller uses their ip address to make the account, and then you buy the account and start using Tor to access the account. From Protonmail’s perspective, this just looks like somebody made an account and started using it with Tor.
But let’s say there was some usage difference that could be detected. Maybe the seller used the email for Github, and then you started using it for Discord. So what? I think you’re going to have to be more specific about the threat here.
The threat is that someone who learns the material facts of your accounts interactions around the internet would (correctly) recognize that it changed hands and if that person were some kind of cop they would have cause to investigate further, possibly uncovering other facts about you or your activities.
The point is that you’re breaking one of the cardinal rules: “keep your head down and your nose clean!”
Not gonna fight about it, just making it known.
In the case of buying Protonmail accounts, I don’t think it’s obvious that it changed hands, since again, it just looks like the account user started using Tor, nothing more. The use of Tor is suspicious, but so is any anonymous methods. For example, mailing cash to a email provider is also extremely suspicious, given how much effort one is going through to pay anonymously, and thus it may trigger a cop to immediately start reviewing security camera footage around the mailbox. Any type of anonymity is going to raise eyebrows, but buying accounts from the darknet is imo the safest and most secure method.
But being aware of the tradeoffs is important so thanks for sharing
We accept that there is a surveillance panopticon that operates on all our actions online. We accept that it collects information that can be compiled to form a frighteningly accurate picture of us as individuals. We accept that the internet as a whole uses the presence of this information to prevent anonymity, ostensibly to stop spammers and scammers.
But it wouldn’t be obvious an account changed hands.
yes, in this case it wouldn’t be obvious. Unless you can figure out a clear way to distinguish between a person who made an account and then started using it with Tor, vs somebody who made an account, sold it on the darknet, and the buyer started using it with Tor
either you didn’t get the idea, or you don’t know what’s identity theft
So, I undetood what you were saying. It’s weird how few others did. You have no way of knowing whether these were created by the person selling them (doubtful) or they used someone else’s identity without their permission.
yeah this… you can’t know for sure the person selling you the account is the one who made the account, or the one who provided the personal information to create that account.
i highly doubt there are many people who even know where to sell their own created online accounts and monetize them. these accounts being sold at scale very likely seems like accounts that are literally stolen or created with stolen personal information.
of course, i’m not saying violating ToS is illegal or whatever bs. i hate those PII monetizing big tech as much as any other fediverse user.
“using somebody else’s identity” on it’s own would not help here. To create a Protonmail account, you would either need a non-VPN IP, or access to a phone number or secondary email. You can’t just plug in somebody else’s name and address. The seller could try to hack other people’s accounts, but in my mind it’s much easier for them to create accounts legitimately using their own phone #, or at a coffee shop.
Can’t you just go somewhere that has public wifi and set up a Proton account from there? No VPN and they dont have your IP.
But they have a rough idea about where you come from
Could work in some cases, though if the feds were trying to track you down they’d have approximate location + surveillance camera footage to work from. As I said in other comments, the posted method works for extreme threat profiles
this is what they seem to be pushing privacy towards.
Man just go to gmail and make an email address. I have like 30. I have addresses for spam, doing financial stuff, signing up for irl service requests (plumbing or electrician or whatever), etc etc. it takes like 5 mins to setup forwarding and filters, so you don’t miss something you care about
Same but with proton
Proton asks for a phone number
Does it? Did it always?
It depends. Certain behaviour like creating multiple accounts in a short time span, or creating an account using Tor/VPN will trigger ProtonMail into making you verify with a phone number, a (non-ProtonMail) email address, or by paying them
The post is about creating accounts anonymously. I think you are talking about preventing the email recipient from knowing who you are. I am talking about preventing the email provider (Gmail, Protonmail) and the government (who can compel companies to track users) from knowing who you are.
This is an extreme threat model that takes a lot of effort, but one that some may find useful nonetheless
I don’t give any PII when I create a new email address
Your IP is your PII
You can’t create a Gmail account these days without a valid phone number
Can we just perfect strangers this and I create zendayagirl67@gmail and you create shielaandstu@hotmail, then we trade?
Am I being very naive?
Interesting idea. Honestly at first glance I thought this seemed ok, but it’s actually dangerous. Imagine if you initiated a trade with somebody and they turned out to be a fed. The fed now has the gmail account you created, and can just ask gmail who created the account. Now they have your identity, and they also know the hotmail account they gave you, so your identity is now linked to that email as well.
By definition, the only way to anonymously acquire an email account is to give zero identifying information about yourself, but by giving away an email account that you created non-anonymously, you are giving away identifying details.
Oh, yeah. That’s a very real possibility. I assume trading only with trusted online friends (obviously one might trust the wrong person, but plenty of people have 20+ year old friendships with people whom they’ve never met irl, and ) would compound the problem by making your online network even more traceable?
That’s another tricky question. I suppose it’s possible to make an anonymous online connection, chat with them long enough to be confident that they aren’t a fed, and then trade emails. Sounds like a lot of work though 😅
Some things to be cautious about though. If this is a friend that you made over non-anonymous channels, eg Facebook or Discord, then the feds may have already established a link between you two. I’m sure the feds create big social graphs that map the connections between everybody. So if you trade emails with a friend, and then do something illegal with that email, the feds go to your friend, realize that they have the wrong person, and even if your friend doesn’t give up any info, the feds might investigate you anyways due to your connection to them.
Yeah, I think you’re right and it’s unlikely that many people have such long friendships with people over entirely private media.
If you’re enjoying the hypotheticals, I’ve got another, but if they’re unhelpful/distracting, don’t feel obligated to indulge me. What if you had an open, anonymous community sharing a chain of emails, so each person joining the group would receive the email account made by the person before them and would make an email for the person joining after them? Obviously the feds could still infiltrate it, but they’d have a lot less data from any given user and they’d get the most data from the person who joins after they do, which they can’t control. Unless they monitor it 24/7 and get lucky, they wouldn’t be able to make sure every other user is a fed. That seems like it would also be relatively easy to detect, if every single time a new account joined, another immediately followed.
keep the hypotheticals coming! They’re always fun to think about.
The problem with the chain sharing idea, is all it takes is one person to not make an email for the next person, and the chain is broken.
It sounds like you are trying to create a system for anonymously trading emails. Maybe you invent a fancy system where you have to give an email in order to receive one. But why stop there? What if somebody comes along and says “I’m not very good at making emails, but I can write songs. Can I trade a song for an email address?” And then somebody else says “Sure! Man it would be nice if there were some intermediate form of value that we could use to trade goods and services, instead of just trading emails directly”. Voila, the invention of currency :). This is effectively what the darknet market is. A way to anonymously trade goods and services.
Yeah, I figured the prior person’s information would only be released when the new user provides the details for a valid email account. I’m (clearly) not a tech person, but that sounds relatively doable.
The problem with changing the terms is that you don’t know who’s going to join after you, so you don’t know that they want a song. You can look at that as the free market in action, but it’s also effectively a dead end for a purpose-built group.
It has also just occurred to me that people who want to commit fraud would also be interested in this, and perhaps giving them the opportunity to collect a bunch of potential blackmail ammunition is not ideal.
fair enough, this is how the darknet market works too. You provide payment, and then the email account is given to you.
But wouldn’t the free market provide more? For the purpose-built group to work, say the group had 10 people. All 10 people would each ask for one email, while each supplying one email. The free market would be able to serve this group as well. If we price an email at $10, each person would sell their email for $10 and then buy one for $10 for a net gain/loss of $0. Emails are traded, and nobody gains/loses money. What the free market does is allow other goods and services to be exhanged for emails as well, like songs.
Privacy tools can also be used by criminals. I prefer that police focus on the crime and not the tools used for the crime (unless those tools were built specifically for that crime in mjnd). Though there are some cases where it makes sense to regulate tools simply to reduce risk.
Just get a Tuta account. No recovery email or phone number required. Sometimes they will kill a new account, just wait a day or two before using it or buy a voucher from Proxysrore with Monero and upgrade.
Tuta will kill any new account that is used to register to another service. It’s in their ToS and you get blocked immediately.
I used Tuta to create my Bluesky account and all my Addy traffic goes to Tuta although I did wait a while before using my Tuta.
I have had spotty success with Tuta in the past. Out of the 5-10 times I tried, maybe 2-3 succeeded. And I had to wait 1-2 day before I could find out whether or not it succeeded, and if it failed I’d have no idea why. I just found the process way too annoying, and I’m willing to pay a few bucks to save myself the trouble. And, last I remember, the voucher can only be used to upgrade an account, but the problem is creating an account in the first place
Tuta is not the best check the list at the bottom of the first post --> programming.dev/post/50697138
Who said it was the best?
no one you’re right, I was meaning it’s not fitting in my need ( see my post )
Can you elaborate on how to get get Monero and hide then transaction from BigData/Gov?
I’ve seen some of the basic steps but I imagine the Gov/Bank see me transfer money to a Monero.
They see that Monero account pay for ServiceX. They then see ServiceX coming from my IP (a VPN might precent this). Or they see ServiceX used by an account that is linked to me. Or they see a number of services paid for by the same Monero account.
Using a VPN is not always possible.
I’ve also seen machines that take cash but imagine these have CCTV to prevent theft and many link to me even harder.
I don’t quite remember since I bought it so long ago, but I think the easiest method was to simply buy some bitcoin or ethereum at an exchange (they usually don’t support monero), and then use a swap service to convert to monero. I also remember something about rinsing/washing your initial funds, by first sending them to another Monero wallet that you own? Sort of like a mixer, but since Monero transactions are mixed up by default, you can just send them to another wallet and the final wallet is now unlinked from you? To be honest I don’t even know if this step is necessary. Hopefully somebody else can pitch in here with more up-to-date tips.
As for your VPN concerns, if you can’t use a VPN all the time, reading online it seems like the official Monero GUI wallet supports Tor, though I haven’t tried it so I can’t really help here
Edit: in case you haven’t heard of Tails or Whonix, I’d also recommend looking into those if you care strongly about privacy. Be warned that they are fairly inconvenient to use though
Edit2: it seems like the extra step of sending the funds from one monero wallet to another one that you own, is unnecessary. If you use a KYC exchange, then use a (non-NYC) swap to convert to Monero and transfer to your wallet, then you should be fine. Though it can’t hurt to send the money to a second wallet, sort of like adding a hop to the onion routing system used by Tor.
Also, apparently Monero feather wallet has good Tor support. You can read more on reddit or the Dread forums on Tor
They don’t, Monero transactions are entirely anonymous and untraceable.
They don’t, Monero transactions are entirely anonymous and untraceable.
They don’t, Monero transactions are entirely anonymous and untraceable.
I’ve recently changed dozens of accounts to use Mozilla email masks. Most websites accept them, and the ones that don’t I think twice if I actually need that service. I have Simple Login and 3 custom domains if I really want to, before I give out a personally identifiable name. I’ve only seen one service that was super strict and only allowed gmail, outlook/hotmail, and yahoo.
I’ve also used duck.com’s free email masks with great success
Not quite what OP is talking about but useful in most cases
Outlook gives you aliases, but obviously we’re not trying to use big bro tech.
Proton paid does this as does free with limited aliases.
Then there’s SimpleLogin (also through Proton) that gives you a bunch of domains to use with several other domains. The only service that rejected the alias domain was Github, but it’s trash and owned by MS so nbd.
Good post, haven’t tried this as I haven’t felt the need but it’s good to know there is a market for this.
you can use certain temp mail providers for protons secondary email verification, money involvement makes it more insecure
I’ve never found one that worked, which ones do you use?
temp-mail.org/es/
I’m fairly sure Protonmail does not accept this one for the secondary email check they use during signup
Not sure about proton mail but it works for reddit throwaways to get the verification code
that’s good to know! I haven’t made reddit throwaways in a long time so it’s nice to know that anonymous methods still work
yopmail, adguard, mailhole is open source and intermittently works
theres a gmail spoofer too idr what its called
A much easier and safer way to generate an anonymous email if you live in the EU is to use Posteo.
After you create an account, you get an account code. You can pay by mail with account info on a piece of paper. €1/month. Mail off some Euro, no returned address required.
Posteo accepts other currencies as well, though obviously mailing cash internationally takes longer.
Very cool I did not know this. Do they ever plan to support Monero? Physical payment methods are still unideal because security cameras can track you.
Track you where? Post it at a post office or drop point with gloves a cap if you want to feel like a badass, dont put a return address on it. How would anyone know by the time it gets to the legitimate company selling a very normal product where it came from to even check cameras?
There’s too many unknowns for me to feel comfortable with it. Paper bills have identifiers so you have to make sure you got them anonymously, or launder them anonymously. Use gloves for everything. Mask your face without looking too suspicious. Hope that the post system doesn’t secretly scan letter contents. Hope that the government isn’t already tracking the movements of all citizens using cameras. Etc
Often the camera footage is enough. I’ve seen enough cases where police track down criminals via security camera footage, to know how effective it can be.
If you actually needed that level of privacy you wouldn’t be posting on a public forum about it.
I don’t, somebody else might
You don’t need much money to pay for Posteo, it’s 12 EUR a year. If you paranoid enough to suspect that bank tracks bills that you withdraw from ATM, just pay with these bills for a sandwich in a small convenience store. No standard surveillance camera will catch the serial numbers on the bills. Maybe do it a few times in different places. Then send the envelope through the drop box in suburbs or rural area where are no cameras. Don’t bring your phone to any of these locations. You’ll be fine.
This is why I just use darknet markets instead. Buying a new account takes only a few minutes, without leaving the house
It’s pseudonymous, not anonymous.
See: www.edpb.europa.eu/…/what-difference-between_en
Monero is completely anonymous
The email accounts aren’t
hence why op wants email without ties to their real identity
get your old android phone, no phone # needed. install lineageos + gapps. go to some public wifi spot. register a fresh gmail account. jot the login down somewhere. reset/wipe your phone. you’re done.
I’d rather stop communicating altogether than do anything that involves interacting with shitcoins in any shape or form.
Using a nearby public wifi spot, means that the email provider has your approximate location. If the feds get involved, then combined with security camera footage they can likely track you down.
Monero provides a way for people to pay for things anonymously, and is a lot more convenient then trying to pay with cash anonymously. For some people, their privacy is more important than whatever qualms they may have against crypto. Clearly you are not one of those people, and that’s fine
Obviously, your threat model matters. You didn’t say in the original post anything about it, and the mainstream privacy methods, I believe, are mostly to protect from general surveillance by commercial entities. If you have to worry about feds, maybe just going offline is a safer choice.
I mention “anonymous” in the title, and many times in the post, and explained the scenario at the start of the post. It’s true that the mainstream does not need anonymity, but anonymity was clearly the goal of the post.
And I agree that this method alone won’t save you from the feds. It’s just one tool in the arsenal
Why all that version over using the public access computers of your local library?
I ain’t got none of those and this is/was the only way you can open a gmail account without a phone number; as posited in OP, this is to be used only to register to stuff, not use it as a comms medium.
this doesn’t work these days, google requires your phone number during signup even on android google app. also if you’re using ‘your’ old android phone the IMEI is probably already tied as being owned by you…
Google wants all your infos, no way around that
I don’t think that’s correct as I’ve registered a fresh account as described, during the setup phase of a phone, within the last month and no phone number was needed. I’ll give you the benefit of doubt as I don’t want to do that again just to disprove a stranger on the internet, but if anything changed it had to change in this very, very recent period.
edit: the posit of OP was to open an account in order to be able to register to other accounts, not go jasonbourne on 5eyes and friends.
google’s system is not simple, they have a very opaque process that determines whether the user’s environment is “trustworthy” and asks for more information as needed.
it’s still possible to create a new google account without explicitly tying a phone number in some cases, but it hasn’t worked reliably for a very long time now.
until about 2023 creating it on an android <= 4.4 (kitkat) worked 100%, but now that also doesn’t work.
Monero is really the only real anonymous currency, you SHOULD use it and so should everyone else. You shouldn’t be okay having everything you do tracked.
I would love for a less environmentally impactful thing to be invented, but it doesn’t exist yet.
you’re doing the divine’s work; thank you for this!
I make burner inboxes on tutanota for longterm, yopmail for short-term. You might have to try multiple exits, but eventually you can get tuta to let you make an account over TOR.
Why pay for a burner?
That being said if you need a burner SMS number, no good free alternative to that since those usually involve simfarming.
Been a fan of smspool for that reason.
as mentioned in other comments, making burners on Tuta is a pain. You often have to wait 1-2 days before they’ll let you use the account, and often the account gets deleted during that period if it was made over Tor. Out of the 5-10 times I tried, I was only able to make 2-3 accounts. I’d rather pay for a reliable method.
And in my mind, paying is a more sustainable path. Protonmail and Tuta are pro-privacy, ultimately these services just want to avoid people creating unlimited spam accounts. Rotating Tor exits is something a bot can do, and so I wouldn’t be surprised if Tuta started blocking it entirely. Payment is a barrier that doesn’t cost your privacy. Protonmail and Tuta don’t accept crypto during account creation, but darknet markets provide a workaround
Proton email is free and pretty easily accepts new throwaways without having to input any ID
every time I tried using VPN or Tor, they asked for phone number or a second email address. For the second email address, I’ve tried temporary email services but they all got rejected. Any recs?
I think it has to do with the frequency you create accounts. I’ve had it let me make an account, and I’ve had it demand more info.
Then I started using FF Relay —I know it’s not super private, but this is just trial circumvention— then sites stopped accepting the Relay emails.
Fair enough. This is why I mentioned that the darknet method was the most reliable method I found. So far it hasn’t failed me
Oh definitely, thanks for sharing! It was an interesting read.
But if he’s not logged in (because he doesn’t have an account) and he’s using a VPN (and maybe changing every time) then frequency shouldn’t matter bc Proton wouldn’t know it’s the same person
Wouldn’t it be able to tell from session cookies?
cock.li has no kyc signup i think
Haha well they may have the same problem with some services just not accepting emails from their url, they admit I’m the homepage that messages often end up in spam
Hmmm. Is this a new development with protonmail? I have used VPN plus a throwaway/temporary email to get a protonmail account before.
Hmmm. Is this a new development with protonmail? I have used VPN plus a throwaway/temporary email to get a protonmail account before.