Best way to set up a risky blog?
Suppose I want to set up a blog where I can document abuses of power, cases of corruption, etc. without risk of getting doxxed, as these people will stop at nothing to stifle such content.
What are my options?
What are my options?
37 comments
[ 3.1 ms ] story [ 87.1 ms ] threadI'd also recommend using a secure/disposal operating system like Tails, using the Tor browser with the default settings at all times, changing your writing style as much as possible and using an identity that's only used for the blog in question, and never used to access the clearnet/on any other service you can think of.
Also, try and make sure the identity used is as plausible as possible. Maybe create a fake photo with AI and a fake but realistic sounding name and description to go with it, then use those to create a fake online footprint. An obvious pseudonym makes people want to find out who it is, while a realistic name and identity makes them think they've identified the person behind it.
But of course, it really all depends on who exactly your enemies are. Normal people and companies have a lot less in the way of resources for tracking someone down than government agencies. It takes a lot less opsec work to fool say, Burger King than it does the NSA.
Funny enough, this guide that was posted a few days ago on Hacker News might be exactly what you need:
https://github.com/zolagonano/a-ninjas-handbook
The problem with that is then the regular people (the voters, mainly) can't find it an educate themselves. Which then defeats the purpose.
It has even more protections than Tor hidden services.
If you think you have found that, you are kidding yourself. Powerful people have incentives to hire experienced and motivated professionals and the lawyers, guns, and money to do so. Odds are you wont be the smartest person in the room. Good luck.
Once you make enough trouble that using the library wifi might affect your risk, you've made enough trouble that it doesn't.
If you really want to set up a blog, why not just an email address under any name and a free Wordpress blog?
There might be more rewarding hobbies than discovering that the world works in the same fairly predictable ways it always has. If this is really your mission in life, you need bulldog lawyers not technology.
Hope is not a plan.
To be fair, he was kind of an idiot when it came to security. But there are ways of knowing who is using public wifi at different times.
State actors have plenty of resources at their disposal for revealing your identity, ranging from the perfectly legal (wiretaps, national security letters, etc.) to the questionable (making allied intelligence agencies do their dirty work, using loopholes to do warrantless wiretapping at a mass scale, monitoring Tor exit nodes, etc.), to the outright murdery (good luck if you personally piss off the Russians or Israelis).
Even if you leak it to a reputable journalistic outfit, you're betting that a reporter will value your freedom over their own. They can and have been compelled to leak their sources under enough pressure, and it takes a rare hero to stand up against that sort of governmental abuse of power.
You really, really shouldn't do this if you value your safety. If you absolutely must get the information out, deliver it to some media agency anonymously, preferably without a digital record or paper trail.
Or, geopolitically, you can also choose to leak to an enemy of whatever entity you're concerned about, and hope that they will protect you. (e.g. if you're leaking national security matters, go to a non-allied adversary and ask for asylum from their embassy... after making sure that country does not have extradition agreements with your own).
There is no risk-free way to do this.
Thank you for the concern, I understand where you're coming from; but fortunately, it's nothing that glamorous.
It is about low-level corruption (think county/city level) and things like nepotism, bad contracts, wastage of resources, etc.
But just some examples...
- Where are you going to post something where it's both anonymous (to protect you) but also verifiable (so the person receiving it can authenticate you)?
- Has, or will, that laptop ever be used for anything else? Can someone with enough power fingerprint it (MAC address, browser fingerprint, etc.) and eventually correlate it to you?
- Are you sure it's not scanning for wifi while asleep to check for updates, etc., possibly leaving a log in other routers / street view cars etc. along the way?
- Once the information is posted, do you need to further communicate with your audience? If so, you'll be doing so under higher risk. They'll know which IP address it came from, thereby narrowing it down to an ISP and probably a city, if not the exact library or cafe or whatever. Then that entire spot can be placed under surveillance. They can slowly try to rule out likely individuals.
- If the router logged your laptop's real MAC address, they might be able to identify the vendor and the person they first sold it to, who under interrogation might reveal they sold it to a person who looked like so and so.
Best case scenario maybe you buy a one time use burner laptop, hike to a different state, buy nothing along the way, connect to a public wifi there one time only, post anonymously, and then burn and bury that laptop in some forest. That'd be much harder to track down than, for example, someone who need to maintain a line of communication with a journalist over a few weeks while also trying to keep their normal life. And someone with a family is probably less likely to attempt the more extreme measures.
It just depends on who you expect your adversary to be. If you're just trying to post mean things about a local politician, probably you're safe with the most basic protections. Probably you can just go to the local media and even if they reveal who you are, the impact will be limited.
If it's national secrets you're revealing, well, they'll try a lot harder to track you down, both technologically and socially.
Probably want to use Tails or Qubes OS on a single-purpose laptop used only on public WiFi without a real MAC address or CCTV, and without taking your personal mobile phone with you (or always keep it in a RF blocker pouch).
If you don't want to host anything, consider what already exists like SecureDrop.
https://securedrop.org/directory/
So what you do is, always from behind Tor, generate a key (called an nsec in the nostr world), begin publishing messages. Publish to as many relays as possible. You don't have to host anything (unless you want to run your own relay, then you run into the problems you're worried about), your identity is just a key, so you can always prove it's you. If you publish to enough relays sufficiently distributed across the continents you're basically censorship proof. There are even paid relays that guarantee availability of your messages that are paid in bitcoin (and a few that take Monero) if you're really trying to make sure you're protected from censorship.
To me, if your goal is just to release information, this is the most headache free way to do it. No hosting, no DNS, no picking a jurisdiction, none of that, just setting up Tor and generating a private key and signing messages and broadcasting them out.
If you publish via tor and never fuck up and connect outside of tor, you're anonymous.
If you publish to a lot of relays, it's almost impossible to remove.
What youre saying is tor is less secure than i2p. Maybe. But if you don't have to store your blog on a server you rent or that's in your garage, you're way less likely to be eventually identified. There's no overhead to keeping your messages available, and you don't have to remain connected to the internet for them to be available. It is significantly more robust than hosting a server behind i2p.
In other words, I2P has its own torrent servers and network, which never reveals any ip addresses.
Be careful to have nothing in common in terms of usernames, passwords etc with your normal identity.
If you look how other people got caught it was often things like reusing a name from their other identity like with Ross Albright
>Investigators were given a major break when, eight months later, “Altoid” made another posting on Bitcoin Talk, stating he was looking for “an IT pro in the Bitcoin community” to hire in connection with “a venture backed Bitcoin startup company.” The posting asked interested parties to contact rossulbricht@gmail.com.
And Satoshi seems to have used his real birthday on a forum and some other things.
Second, you probably have two major concerns: hosting and staying anonymous. Hosting is relatively easy, and there's a surprisingly good guide at Anna's Blog, run by the people behind Anna's Archive (a pirate library, and as such with legal troubles). See https://annas-archive.se/blog/how-to-run-a-shadow-library.ht....
Three, even if your website isn't through Tor, you should still mostly be doing stuff on Tor. If you want to have an email, you can use ProtonMail or some other secure(r) email service. (ProtonMail's free plan isn't the best, but it should do. They also have a free VPN.)
That could help with hosting. Staying anonymous but trusted is harder, since people tend not to trust anonymous things. However, a good idea would be to create a common, realistic-sounding pseudonym (again, make it clear it's not your real name). Also make it strange for you. If you are, for instance, Buddhist, you could choose a pseudonym that makes it seem like you're Christian. If you're Nigerian, you could choose a pseudonym that makes it seem like you're American. (If you are going the nationality route, I recommend using a VPN to make it seem like your traffic is coming from that country.)
A specific section of the Ninja's Handbook might be quite helpful for you: https://zolagonano.github.io/a-ninjas-handbook/chapter_7.htm.... I'd also recommend testing how unique you are with https://coveryourtracks.eff.org/, which provides both a summary and a more detailed analysis of the most unique points in your browser.
Good luck!
International Consortium of Investigative Journalists
https://www.icij.org/
Many journalists in this category also use Ghost for their website which is open-source but I am not sure about other security features
https://ghost.org/
next, even if you run your own server, there are logs in the datacenter that can record your ip and times when you access it, so authoring the content is problematic. you can use tor or vpn and that should suffice. though vpn is not reliable by any means and tor is the way to go in this case.
after all, main thing is to physically be in a country that is not subject of your content and is not friendly to the country that is subject of your content.