Staying Safe While Investigating: From Reddit, Updated.
Since there have been links to actual dangerous material posted now, and fears of a honeypot type operation are rising, I figured it was important for all of us to at least be aware of how we can stay relatively safe. That way we can just point people back to this resource and keep all the legitimate concern comments to a minimum and focus on the actual investigation.
A few things to note first:
There are always multiple points of failure. Each piece of security advice you ignore means one more possible point of vulnerability somewhere. It's hard to ensure you've absolutely covered all of your bases, but this should be enough to at least make tracking you a pain in the ass.
There is no such thing as being 100% secure. Doing everything here will drastically improve your security, but nothing is guaranteed.
No amount of technological security can protect you from human error. Be wary of anybody and anything that might prompt you for information. Watch Defcon's How People Got Caught Using Tor.
This aspect is critically important for anyone that's even thinking about downloading potentially incriminating evidence. You DO NOT want any of this stuff touching your computer's main hard drive. Keeping your pc clean is your last line of defense in a worst case scenario situation. If you do store anything, use full-disk LUKS encryption.
You can run an entire functioning, temporary operating system off a cd or usb drive. And as long as you don't deliberately mount your pc's hard drive on there, it'll simply store data onto your RAM, which is temporary by design.
The way to do this is with a Linux/Unix distribution that offers a "live cd". Ideally a security-minded one like Tails, Qubes, Whonix, BackBox, or OpenBSD. But even a standard user-friendly distro like Mint, Ubuntu or Debian is better than nothing. Just download the disk image file (.iso) they offer, and burn it onto a CD/DVD or install it on a usb drive.
A physical disk is slightly safer than a usb drive only because you can't accidentally write to those while you're using them, and they're easier to destroy in case SHTF. But running it off a disk can be noticeably slower. And if you don't have access to blank cd's/dvd's or a disk burner, you might need to go the flash drive route anyway. Installing the .iso file onto a usb drive is also pretty straightforward, though installation procedures can vary from distro to distro, so that might require some more research on your end.
Just put the prepared disk in your disk drive, or plug in your usb stick, and reboot your pc. Then make sure to select the option to boot from the corresponding drive in your bios somewhere. This will be slightly different from pc to pc, but you can find tons of tutorials on booting off of cds online.
Rely on storing things locally with encrypted usb drives or sd cards. You can encrypt them with VeraCrypt, and wipe them with BleachBit when you're done using them.
These next services are here just for reference; I wouldn't recommend relying on them for backups/storage unless you absolutely have to. These are only useful if you need to share large data dumps online that are too big for encrypted email/messaging services. All of these rely on some form of AES / RSA encryption, not PGP.
- MEGA: 50GB of free encrypted storage. Based in New Zealand.
- Tresorit: Paid only. 1TB of storage. Based in Switzerland.
- BoxCryptor: Not really a service, but rather an app to encrypt files for storage on other cloud providers.
- ExpireBox: Not encrypted, but does auto-delete files after 2 days.
Your Internet Connection
Switching around where you're connecting to is more important than just finding a good connection. Ideally, you'd use like a hotspot with sim cards from some low-frills, pay-as-you-go mobile data provider (there are even some free ones), and reset your connection every once in a while.
But that's also a chore, so the next best thing is public wifi. Anything free with lots of users on it is good. Even better if it doesn't make you load up some web page to sign into it.
If none of those sound viable, you can at least somewhat improve your router situation by flashing an open source firmware on it, but that's a bit advanced and not really guaranteed to be much more private.
Routing Your Internet Traffic
Once you actually have a working connection, you should be re-routing your traffic through a good VPN service that doesn't keep logs, and ideally connecting to a server in a country with decent privacy laws. But once again, periodically switching up where you're connecting from is more important. Luckily in this case, it's as easy as selecting a different connection server in a dropdown menu.
You could also add in the cliche 100's of layers of proxies here, but that's probably more trouble than it's worth.
Lastly, there's Tor. Everyone knows it's not as secure as it used to be now, but it's still significantly better than just a VPN and it doesn't hurt to try it, especially if you're not a noteworthy target for anything. Besides, stacking it on top of all the other measures is only gonna make it harder for them anyway. Remember to periodically request a 'New Tor circuit' under the onion button for any site you're frequenting, and restart the browser from time to time to clear anything it's temporarily stored up. And it's always smart to read up on what exactly it does, and doesn't do.
The Tor browser should be enough for most things, and while using different browsers for different sites doesn't hurt, it is a bit of a chore. Though sometimes the Tor network can be a bit slow, so in those cases you can try other browsers like Brave, Opera (which has its own built-in VPN service), or SlimJet. But Chromium/Firefox are fine too, just make sure to set them up with any appropriate privacy extensions.
Whichever one you choose, make sure to:
- Enable the 'Do Not Track' option in your settings (mostly just as a precautionary measure. It's up to the sites to comply with it, so it doesn't actually guarantee anything).
- Disable at least 3rd-party scripts, either in the browser's settings, or through an extension like NoScript. Note that some things might not work properly with this on, but you can whitelist stuff as necessary.
- Enable HTTPS Everywhere, either somewhere in your settings or through an extension.
- Disable WebRTC features; this might require an extension. (thanks to /u/sunkenberries)
And always pay attention to what URL shows up as in your browser's status bar (usually at the bottom) when you hover over a link. Take special note of any addresses that don't match up.
I figure most around here know about DuckDuckGo, but there have been questions about its privacy in the past, and its results can be a bit underwhelming without using their "!g" command. But it's better than nothing.
Personally, I use StartPage, as it actually uses Google's search results directly, and just provides layers of heavy encryption and anonymity on top. The trade-off for that of course, is that its search results are noticeably slower to pop up.
Encrypted email service providers:
- Proton Mail: Based in Switzerland
- Tutanota: Based in Germany
- StartMail: Paid only, based in the Netherlands
If you're familiar with HushMail, it's worth noting that they have a history of turning over people's data.
For just sharing one-off encrypted messages, there's LockBin.
For actually messaging back-and-forth with people:
- XMPP with OTR: Pretty secure, using public key infrastructure.
- RetroShare: Encrypted, distributed P2P messaging. Works over Tor. Supports voice and video as well.
- Riot / Matrix: End-to-end encryption
- Jitsi: Supports encrypted video calls
- Open Whisper Systems: Supports encrypted phone calls from your actual phone
Don't rely on online password services. Use a local password wallet like KeePass or Enpass. Come up with the master password for your password manager, but always use different generated passwords for everything else. You can double-check the strength of your passwords here.
The EFF has a pretty nice collection of resources on dealing with surveillance and privacy issues if you want to read more about any of this.
And that's about as much as I can think of off the top of my head. Please do shout out any more suggestions or corrections if you have any.