TER General Board

Good info, but I have a question . . .
justsauce16 4 Reviews 2010 reads
posted
1 / 16

Since we're all back in action now on TER, and there are some old faces and some new faces around here, I figure now is a good time to talk about Operational Security, as it relates to your online activity.

All of this is equally applicable to Hobbyists and Providers alike.

 
Step 1) Get a VPN

A VPN is just you connecting to the internet through someone else's computer. Ideally, this would be a company that's outside of the USA, and more ideally, it'd be run by someone outside of the USA as well, to avoid any potential for your local law enforcement to get their hands on your data. Mullvad VPN checks off all of these boxes; it's $5.50 a month, or about the cost of a cheap latte.

DO NOT USE A 'FREE' VPN. None of them are safe. At best, they're harvesting your data to sell to advertisers; at worst, they're harvesting your data to sell to hackers. They also always 100% cooperate with law enforcement and generally don't care about your security.

 
Step 1a) Pay for your VPN privately

Paying for your VPN securely is an important step, because any payment information that can get traced back to you undermines any security you'd get from having a VPN. For that purpose, Mullvad VPN (https://mullvad.net/en/account/create/) allows you to pay with bitcoin or bitcoin cash. I use bitcoin cash that I purchase on coinbase.com. It's very important to send the bitcoin cash to a different "wallet" or "wallet address" BEFORE you send it to Mullvad, because Coinbase will rat you out to LEOs. Bitcoin.com's mobile wallet is good enough for our usage, but if you want to be more secure, use a computer and download the Electron Wallet software (https://electroncash.org/) and use that instead. When buying bitcoin cash on coinbase, make sure you buy more than you need by 10 bucks or so; that way, if the price fluctuates a little, you'll always have enough by the time you get around to paying with it. Who knows, maybe that 10 bucks will turn into a million; it certainly won't go to waste.

I buy a year of mullvad all at once, so I don't have to remember to pay for it monthly. Once you pay, you download their app/software and enter your account number to sign in. From there, activate it and you're good to go.

Step 2) Device Security

Your phone is your weakest link in this game. It follows you around and records your every step, every word you type, the GPS coordinates of everywhere you go within 3 feet, and it transmits that data to Google, Facebook, Instagram, Twitter, and every other app on your phone. All of these apps know who you are, and sell your data to advertisers and those advertisers have terrible security practices.

With that in mind, DO NOT USE YOUR PERSONAL PHONE. Get a prepaid burner phone, pay for it with cash, and never, ever use it for anything but hobby/providing/etc. This phone is to NEVER connect to your home/work wifi; in fact, it should be kept off while you're at home or at work. It also should NEVER be carried with your personal phone. Phones can see each other, and your personal phone will reveal your secret one if they travel together too much. Leave your personal phone at home, or at least off, while you're hobbying. Leave your hobby phone home, or at least off, when you're not using it.

The biggest thing is to never use your hobby phone to log in or connect to anything else but your hobby accounts. No personal accounts at all, and never log in to anything without your VPN.

 
2a) Computers/Laptops/etc

Your computer has ways of tracking you, but it's much more secure than your phone. If you're behind a VPN, they're pretty ok as far as security goes. Best practice is to use a different browser than your regular browser. My go-to browsers for this activity are Opera (https://www.opera.com) or Vivaldi (https://vivaldi.com). Same rules apply for these browsers as your hobby phone: don't use them for personal accounts, only hobby activity, only while using a VPN.

These browsers don't track you and are from reputable, privacy-focused people; you can trust them.

 

Step 3) Communication

Now that you have your devices in order, and you have a VPN, you can communicate with people that you are looking to see, or people that want to see you. Understand that text messages are very insecure. For anything outside of immediate "what room number are you in" kind of needs, try to stay away from them. Phone calls are better, and that's how I run things when email is inappropriate, unless I absolutely have to text.

Email is the way to go if you can, specifically protonmail (protonmail.ch). Get yourself a protonmail account while using your VPN, and ONLY access it via VPN. It's encrypted email, there's no tracking, and it's safe enough for hardcore hackers to use, so it's safe enough for you. If you're already using a protonmail account that you previously signed up for without a VPN, or one that you didn't use a separate browser to sign up for or log in to, get a new one; they're free.

Another note with protonmail: it's best practice to keep it 100% empty. Delete all the messages that you're not immediately using, delete your sent messages, and empty the trash. Protonmail securely deletes everything, so you don't need to worry about it after it's deleted.

If possible, recommend people use an app-based messaging service like Signal, which is just as safe as proton mail but has all the convenience of text messaging. It's also free, and works over your VPN.

 

Step 4) Making Mistakes

Mistakes happen. We're human; we're not perfect. So what happens when you make a mistake and log in to a hobby account on a personal device or browser? Maybe you logged in to something hobby related on your home wifi without a VPN? Well, you just connected, concretely and permanently, your 'real' life and your hobby life. Probably the only thing to do is to burn it all down and start over again.

Things like using your hobby phone at home are ok if it's a one-time thing. If you've done it a bunch, burn it, but once or twice is probably ok.

 
4a) Cleanup

You'll need to dump the contacts off your burner phone (maybe by writing them down) and destroy it. Pry it open, take the battery out (big silver thing in your phone), take the SIM card out, and hit the phone with a hammer until it no longer looks like a phone. Then, take your SIM card and toss it into the microwave until it sparks. Then throw it all in the trash. When you get your new phone, enter your contacts, and burn your paper list.

Browsers/computers/etc. are harder. You'll probably be fine if you just reformat your computer and start from scratch. It's best to just get a new one, or better, two new ones so you can have a separate hobby computer, but for our purposes just formatting the hard drive and reinstalling everything is probably enough. If you're playing fast and loose, uninstall ALL of your browsers, restart, run ccleaner (https://www.ccleaner.com/ccleaner/download) and reinstall your browsers. This isn't perfect, but it's better than nothing.

In terms of burning your accounts, you probably should make new ones, or at least replace whatever you logged into insecurely. You're taking a chance if you don't, not a huge chance, but consider the risk that whatever you logged into keeps records of your logins. For protonmail, I might risk it; for most other things, I wouldn't.

That's it, 4 steps to safety. Yes, this operational security (opsec) stuff takes work. Yes, it takes a little money. Yes, it takes some diligence. Most things worth doing require these things. I'm happy to answer any questions anyone has in this thread, or via private message here. I promise I won't be too hard on you for not understanding something, and I really want to keep all you folks safe, or at the very least not be low-hanging fruit.

coeur-de-lion 400 Reviews 88 reads
posted
2 / 16

If I keep my hobby phone off as much as you are suggesting (home and work), won't I be missing a lot of confirmation texts from providers or bookers who I have appointment requests pending with? With many of these people in P4P, if they don't get a response from you within an hour or so after texting you during normal business hours, they will give the time you requested to someone else.

Oldtimemonger 75 reads
posted
3 / 16

I cannot always keep my hobby phone in a separate place from my personal phone.

To me it's a moot point. If a wife is smart and suspicious, she will just have you tailed in real life by a private investigator.

-- Modified on 2/13/2020 9:21:31 PM

Lifeuniverseandeverything 91 reads
posted
4 / 16
justsauce16 4 Reviews 73 reads
posted
5 / 16

If that's the case, you can make sure to keep your hobby phone's GPS/location, Bluetooth, and wifi off while you have it on and are waiting for a confirmation.

You will have to remember to check it every time it turns on, though, because they usually turn all of those services on at startup. Not best practice, because your location can be tracked via cell towers as well, but probably ok if you remember to check them.

justsauce16 4 Reviews 96 reads
posted
6 / 16

Depends on who you are. If you're a provider, you're hiding from nosy or vindictive customers, people who you'd rather not know your line of work, law enforcement, various federal agencies, that kind of thing.

If you're a Hobbyist, you're hiding from nosy or vindictive providers, people in your life that don't know you're a hobbyist, law enforcement, various federal agencies, that kind of thing.

So basically, everyone who you don't explicitly want to find out who you are. That's the whole point.

coeur-de-lion 400 Reviews 71 reads
posted
7 / 16

or Wi-Fi on any of my phones. I know the downsides are that it's more expensive to use internet through the phone service provider, but I'm okay with that, and if I lose or leave my phone somewhere, I can't use the recovery app, but I can't think of anything else that's a negative, can you?

justsauce16 4 Reviews 94 reads
posted
8 / 16

Some apps just plain don't work with them turned off, mostly because that app's profit model is selling location data. There are ways to spoof them and feed the app phony GPS data, but those methods are pretty phone-specific and not really worth going into.

I do know some guys in the hacker community that have their burner phones commuting to a fake workplace and running errands, so it looks, for all intents and purposes, like it's a real person doing real things, but that's a huge pain in the ass to set up and maintain, and I'm only mentioning it because it's cool.

The only other thing is that wifi is also more efficient battery-wise than hitting the cell towers, and can be way faster. Neither is really a serious concern, though.

It is a bit of a misnomer to have location services turned off, because they can pin you down with the towers alone within 25 feet or so. I remember before phones had GPS there were some terrible navigation apps you could use that worked off cell towers to determine location. I'd imagine the tech can do better now; they just don't bother because GPS is ubiquitous.

36363jensen 4 Reviews 96 reads
posted
9 / 16

They will write to the same physical drive(s); caches, cookies and temp files can be cleared. I would think just one security-conscious browser would be better. Why are you suggesting this?

I think there is a lot of cloak-and-dagger type thinking here, but if that is the case then what was suggested is at best a speed bump, not security. But, if it makes people feel safer or happier, more power to them.

justsauce16 4 Reviews 85 reads
posted
10 / 16

Twofold. One, people are comfortable using the browser that they use normally, so asking them to switch browsers entirely is a big ask. Sure, they'd be better served using Vivaldi, but they're not going to do that because it's not comfortable.

Two, while the browser is running on the same OS and hardware, it's using different caches/cookies/tempfiles, so any potential for the browser to leak information is greatly reduced. More so with privacy-focused browsers that don't give up hardware IDs so easily. Combine that with only using it over a VPN and you have a reasonable degree of privacy without too much work.

I personally use a laptop I bought with cash from a guy off craigslist, and the hobby stuff I do runs in an encrypted VM on that laptop, and the VM is configured to ONLY use my VPN to access the internet. Is that a better way to do it? Yes, absolutely, way better, but is it in reach of regular people? No, not at all, and I'd go so far as to say it's not even necessary for this kind of work.

ArthurDent 32 Reviews 34 reads
posted
11 / 16

Why?

EVERYTHING you do that has the possibility of leaving the device you're using is harvested by somebody. Like your Apple Watch or FitBit data that's being sold to your insurance company, your car's GPS broadcasting your position to anyone that can receive it or your driving habits to your insurance company... you name it. If you're connected, you are a data factory being tracked, analyzed and map/reduced. If LE wanted to crack down on the hobby, they likely have all the data they need to analyze patterns, use AI and develop strategies and tactics to attempt to shut it down.

Big brother isn't the government, it's big business, and every time you sign up for a device, software, or app, you are prompted to acknowledge their data use policy or terms of use. Most people don't even bother to read them. Try reading one sometime to see the permissions you're giving.

So please assume that very little you do is secure and take the steps outlined by the OP to minimize your exposure.

coeur-de-lion 400 Reviews 66 reads
posted
12 / 16
Guarddog111 259 Reviews 75 reads
posted
13 / 16

If you're a single hobbyist, isn't just a burner phone enough? You don't want a provider or her handler(s) knowing your real identity. As far as the cops, the only exposure I see is if you're messaging them through your computer/phone (sting). And if that is the case, you show up with your burner phone and have a "Take a seat over here" moment; it doesn't matter what phone you have on you.

I just don't see the need for all this if you're single and not in a long term relationship.

coeur-de-lion 400 Reviews 71 reads
posted
14 / 16

Being single as well, I feel the level of security I have now is probably enough. No problems in 11 years of P4P activity. However, I have many married hobby friends that go to great lengths to cover their tracks. I'm not judgmental about that, because I think anyone doing this has to reach their own comfort level with precautions and not someone else's.

Most stings I have heard of target mongers that hobby in the $100-150 range. If hobbyists move upmarket a little bit, say minimum $250 or $300 per hour, they are much less likely to find themselves in a LE sting.

zigzag22 24 Reviews 78 reads
posted
15 / 16

Yeah, it all sounds a little paranoid. Who are we being secure from? The CIA? They have much bigger fish to fry than a bunch of mongers trying to get some ass.

justsauce16 4 Reviews 67 reads
posted
16 / 16

The big issue isn't so much LEOs; obvious cops are obvious. The issue is the absolute lack of data security in 2020.

Basically what happens is that some site leaks all of its account info, and hackers pick through it and build a database, relating that data to other data. Then, they write scripts to pick targets out of that data. When it comes to things like this, they're looking for soft blackmail targets. That's the immediate risk.

Secondary to that, it isn't the CIA you have to worry about; they're not super involved with domestic issues. That's the FBI's job, and they are just OK at shutting stuff like this down. Sure, they have bigger fish to fry, but there's no guarantee that they won't ever get a ton of "anti-human trafficking" funding and start going after guys like us, because it'd probably be good publicity. Combine that with easy-to-get data from data breaches, and you'll be glad that you're not the low-hanging fruit they're looking to harvest en masse.

I'll tell it to you straight too: most websites haven't had data breaches not because of competent security practices, but because they've never had anyone with any hacking talent try to get in.

The future risk is that laws could change, your life's situation could change and become more sensitive, etc. Nothing I've talked about here is hard or expensive, and it'll really give you a reasonable degree of privacy and security if you're even just mostly diligent.
