[HN Gopher] Starting a New Digital Identity
___________________________________________________________________
Starting a New Digital Identity
Author : noch
Score : 171 points
Date : 2021-04-21 11:20 UTC (11 hours ago)
(HTM) web link (k3tan.com)
(TXT) w3m dump (k3tan.com)
| cyberlab wrote:
| This is a form of blue team hacking, and instead of doing
| offense, you are doing defense. It's worth remembering how it can
| all come crumbling down due to bad OPSEC. Read this for more
| information: https://blogsofwar.com/hacker-opsec-with-the-grugq/
|
| The covert lifestyle can be mentally taxing, and you _will_ make
| mistakes (if you're not _consistently_ careful). Here's a good
| quote from that Grugq article:
|
| > As I phrased it in my "The Ten Hack Commandments" -- be
| proactively paranoid, it doesn't work retroactively.
| [deleted]
| DoreenMichele wrote:
| _The covert lifestyle can be mentally taxing, and you will make
| mistakes (if you're not consistently careful)._
|
| Catch the flu or a cold, get shorted on sleep for one or more
| nights or have one distracted moment for any random reason and
| that can make the whole thing fall apart. People seem to vastly
| underestimate this reality.
|
| Also: In practice, people who are in earnest on the run are
| often identified based on things like subscribing to their
| favorite magazines related to their hobby.
|
| I think for most people that's the harder thing to address: How
| do you just stop being yourself and develop entirely new
| interests?
|
| Trying to just not do X because it's closely associated with
| who you are is amazingly hard and can rapidly start making
| people actually crazy. This is much harder to do than breaking
| a bad habit which is infamously hard for most people under the
| best of circumstances.
| ASalazarMX wrote:
| > I think for most people that's the harder thing to address:
| How do you just stop being yourself and develop entirely new
| interests?
|
| But why? There's countless people that enjoy the same things
| you do. Unless you're into very niche activities, it should
| dilute in the noise. Maybe drop the least popular
| activities/subscriptions/toys?
| ghaff wrote:
| >How do you just stop being yourself and develop entirely new
| interests?
|
| Furthermore, no contact with people from prior life. Access
| to healthcare. Access to money if you didn't take a big pile
| out (and then where do you keep it?) Where do you live
| without a bank account? Driving is a big risk. The list goes
| on.
| [deleted]
| rsync wrote:
| This is a topic I think a lot about. I don't have a lot of time
| this morning so I will just say a few things ...
|
| First, the OP describes an eSIM for his mobile phone - in this
| case with a provider named "silent.link". In my experience, eSIMs
| provide "voip" numbers and not actual "mobile" numbers. This is
| an important distinction since _most_ 2FA verifications[1] come
| _not_ from a phone number, but from a "short code"[2] and voip
| numbers cannot receive SMS from a short code. So you are quite
| limited in what services you can sign up for and maintain with
| just an eSIM.
|
| Second, the term "threat model" does not appear in the article.
| This is important because if your threat model is "everyone
| except state level actors" or "everyone but state level actors
| AND my bank" the possibilities open up _dramatically_. I think
| there is a tremendous amount of benefit in remaining anonymous in
| relation to your carrier and the FAANGs and (various vendors)
| that is realistic to achieve - but anonymity in relation to state
| level actors is practically impossible.
|
| Third, there is a big, giant blind spot in the entire chain of
| identity and that is the following: VISA/MC _do not validate name
| and address_ [3]. It seems like they do - and merchants believe
| that they do - but they do not. This means you can use your bank
| card with _any name you like_ and the minimal address match
| (which, in the US, is zip code). I'm not going to diagram this
| out for you but if your threat model is (everyone except bank and
| state level actors) you now have the basis for a working
| pseudonym.
|
| Fourth, a second blind spot in the chain of identity is a
| business tax ID (which you can get for free at[4]). Many
| providers (like mobile carriers) ask for things like SSN, etc.,
| but if you say "business" and give them a tax ID, it's like their
| brains turn off. They typically don't even ask for ID. You can
| initiate service over the phone. You _may_ be forced to pay a
| higher rate for "business service".
|
| [1] gmail, your bank, even twilio (ironically).
|
| [2] https://en.wikipedia.org/wiki/Short_code
|
| [3] AMEX does.
|
| [4] https://sa.www4.irs.gov/modiein/individual/index.jsp
| [deleted]
| gruez wrote:
| > In my experience, eSIMs provide "voip" numbers and not actual
| "mobile" numbers
|
| Are you conflating eSIMs (which are just equivalent to physical
| SIMs) with "burner phone" apps? I guess it's possible that the
| MVNO uses voip numbers rather than "real" phone numbers, but
| several large mobile providers (eg t-mobile) use eSims.
|
| > This is an important distinction since most 2FA
| verifications[1] come not from a phone number, but from a
| "short code"[2] and voip numbers cannot receive SMS from a
| short code
|
| jmp.chat is a voip service and supports short codes just fine.
|
| https://jmp.chat/sp1a/faq/
| rsync wrote:
| "Are you conflating eSIMs (which are just equivalent to
| physical SIMs) with "burner phone" apps? I guess it's
| possible that the MVNO uses voip numbers rather than mobile
| numbers"
|
| I am thinking specifically of eSIM providers like truphone
| who do all kinds of nice and interesting things, but the
| numbers are voip numbers. Yes, you do get a physical SIM from
| truphone but the numbers terminate to (non-mobile) numbers.
| You can't get SMS from shortcodes with truphone.
|
| "jmp.chat is a voip service and supports short codes just
| fine."
|
| I'm not so sure ... the issue here is _receiving SMS_ from
| shortcodes (which is how gmail, for instance, sends 2FA auth
| to you) and I don't see that jmp.chat can _receive_ SMS from
| shortcodes ... see[1] which says:
|
| "Unfortunately it did not. I was not consistently able to
| receive short code SMS. I've since fallen back to using
| cellphone service from Telus which allows me to receive
| shortcodes."
|
| [1] https://www.reddit.com/r/VOIP/comments/8z44iu/mobile_voip
| _ca...
| singpolyma3 wrote:
| > I don't see that jmp.chat can receive SMS from shortcodes
|
| Hi there! One of the lead devs at JMP.chat here -- our
| service definitely supports receiving SMS from short codes.
| We cannot currently support Canada-only short codes (only
| north-america-wide short codes).
|
| I personally use my JMP number for receiving 2FA codes all
| of the time (and I have not had another phone number in 4
| years).
| numpad0 wrote:
| > I am thinking specifically of eSIM providers like
| truphone who do all kinds of nice and interesting things,
| but the numbers are voip numbers.
|
| That has nothing to do with eSIM though? That's just the
| operator terminating VoLTE to VoIP numbers. eSIM is the
| equivalent of OTA flashing in good old CDMA2000, just in
| LTE.
| tacostakohashi wrote:
| I opened a mobile account with T-Mobile once, and they asked
| for my SSN (in fact, they even took a copy of the card). Then,
| somehow, they mistyped the SSN in their records.
|
| It was a special kind of hell getting them to fix that, because
| of course any discussion about it, or changing anything _else_
| on the account would take the form "what's your SSN to verify
| your identity?" / "Well, I can tell you my real SSN, but I
| don't know what wrong SSN you have there...", etc, etc.
|
| Eventually I sat down with some poor staff member at a retail
| location who spent an hour or two getting transferred around at
| the head office to fix it.
| InitialLastName wrote:
| I had the same problem with a car insurance company and my
| birth date (was off by a year). I ended up navigating the
| call labyrinth ("It's mm/dd/yyyy but I think you have
| yyyy-1... ok, I'll hold") just enough to cancel the policy.
| mywittyname wrote:
| Curious: did you try getting a new account as a completely
| new person?
| tacostakohashi wrote:
| No. I'm sure I could have, I didn't want a new phone
| number, and I guess I would have run into much the
| same problem closing the old account anyway.
| vlfig wrote:
| For a less romanticised, more practical resource on the topic, I
| recommend The Hitchhiker's Guide to Online Anonymity
| https://anonymousplanet.org/guide.html
|
| (also, Monero > bitcoin)
| jpeter wrote:
| The "get an anonymous pre-paid sim card" section doesn't tell
| you what to do if you can't get one in your country.
| notdang wrote:
| In Mexico a new law was passed that requires all sim
| cards/phone numbers to be registered to the person using it,
| up to the biometric data.
| ASalazarMX wrote:
| It's still being contested, so far no telco has asked for
| biometric data, yet.
| pixiemaster wrote:
| same in germany. fortunately there are services like
| digitalcourage where you send your card and get another
| random back - easy to deflect the legal issues you'll be
| confronted with because it's not illegal to exchange.
| ASalazarMX wrote:
| Why has this loophole not been closed? It seems really
| easy to ban exchanging personal SIMs.
|
| Mexico already tried something like this in 2008 IIRC,
| and it was aborted because the database was leaked and
| sold for like 20-30 USD a copy. That database empowered
| fraudsters then, and I fear this new one, having recent
| biometric data, would be even worse if passed, as our
| government is an even less capable digital steward now.
| If this law gets enforced, a loophole like the one
| DigitalCourage uses would be closed quickly.
| arsome wrote:
| They're suggesting you buy cryptocurrency then buy an eSIM
| online (which comes in the form of a QR code you scan) from a
| particular, kind of sketchy service. Don't need to worry
| about country restrictions unless the country you're in
| somehow bans roaming.
| ValentineC wrote:
| Pay someone a small tip to buy and register a pre-paid SIM
| card for you.
|
| (This seems to be common for people churning/abusing new
| account bonuses.)
| choeger wrote:
| You buy one. You can probably buy a sim card for cash in any
| high school, college, or public park.
| 3np wrote:
| You may be surprised to find this is getting increasingly
| unlikely in more and more places.
| pwdisswordfish8 wrote:
| If you're not bothered by having a conversation with the
| homeless, indigent, or hard-up, then it's more doable
| than you think. You're not just subject to the chance of
| happening upon someone already in the business of
| providing these services. You can be a job creator.
|
| With mandatory (and otherwise widespread) masking
| policies right now, it's even easier than under normal
| circumstances.
| numpad0 wrote:
| > You can be a job creator.
|
| And the godfather, depending on how local laws are
| written.
| samatman wrote:
| "desirable illegal thing isn't available on the black
| market" is wrong. Not even worth saying it. No, that
| horrific thing you're thinking of isn't a counterexample
| but you probably can't afford it.
| JKCalhoun wrote:
| Reads sort of like part nerd romance and part paranoia-tinged
| thriller. 3 out of 5 stars, would recommend to my engineer
| friends.
| mywittyname wrote:
| I would think that true digital hiding requires a good bit of
| misdirection. If you go completely off the grid, then you leave a
| hole where a person should be. But if you have a legitimate
| house, credit card, phone, facebook account, etc. then you have
| plausible deniability when it comes to hiding.
|
| The person looking into you might shrug and be like, "this is all
| we have on them."
| captn3m0 wrote:
| >[...] but instead opt for a free Protonmail account
|
| Protonmail faces a lot of spammer signups for their free plan and
| requires a reCaptcha, Email, or SMS to create a free account[0].
| In practice I've always been asked for an email or SMS.
|
| They do clarify:
|
| >We don't save reCaptcha results. If you are presented with Email
| or SMS verification, we only save a cryptographic hash of your
| email or phone number which is not permanently associated with
| the account that you create.
|
| so it seems okay, but there is a temporary trail (I remember
| reading that they delete these after some time) to your original
| email/mobile to maintain rate-limits.
|
| Something to keep in mind.
|
| [0]: https://protonmail.com/support/knowledge-base/human-
| verifica...
| gruez wrote:
| >In practice I've always been asked for a email or SMS.
|
| I suspect it depends on your IP reputation. A VPN or tor exit
| code would definitely get hit with those measures, given how
| much abuse emanates from them. The IP reputation of a local
| library would be relatively clean.
| mooreds wrote:
| > The only social media I would have is a nym twitter account
|
| What is nym in this context? That's a new word for me.
| rsync wrote:
| "What is nym in this context?"
|
| It is shorthand for _pseudonym_.
| HugoDaniel wrote:
| Nym
|
| The pseudonym a person selects and uses to sign his or her
| postings to websites, blogs, etc. so as to create a unique
| online identity without revealing their actual name/identity.
|
| "With his most recent idiotic post, Little_Brain really lived
| down to his nym."
|
| Source: https://www.urbandictionary.com/define.php?term=Nym
| [deleted]
| [deleted]
| dominojab wrote:
| paying with bitcoin for an esim, isn't bitcoin digital gold? has
| the narrative changed?
| tacostakohashi wrote:
| A "digital identity" should be easy enough, using the steps
| mentioned or by other means.
|
| I have sometimes thought it would be (more) interesting doing
| this with a real identity. I suspect it wouldn't actually be that
| hard to find an identity / birth certificate for someone from an
| obscure county, perhaps with poor / lost records and try to build
| up a paper trail from there, as much as a sport as anything else.
|
| I have a suspicion that it would be fairly doable to get quite
| far with it, but of course one slip-up and you could end up in
| prison.
| ghaff wrote:
| Remaining anonymous in the physical world is much tougher--
| although, again, it depends on your threat model. I think you'd
| almost have to have a fake ID which you wouldn't want to use in
| circumstances where it might actually be checked against
| databases, such as driving.
| tacostakohashi wrote:
| The goal wouldn't be anonymity, rather to have a real, valid
| (state-issued) driver's license with a different name on it
| to use when convenient.
| ghaff wrote:
| >an identity / birth certificate for someone from an
| obscure county
|
| That would not get you a driver's license in the US. You're
| also required (probably in all states--certainly to get a
| REAL ID-compliant card), you need proof of citizenship or
| lawful presence.
| tacostakohashi wrote:
| Birth certificate in an obscure county is proof of
| citizenship - perhaps you misread that as "country".
| ghaff wrote:
| Yup. Where I live counties aren't terribly significant.
| :-)
| mjochim wrote:
| I sure did ;)
| ska wrote:
| > but of course one slip-up and you could end up in prison.
|
| Felonies are funny that way.
| vsareto wrote:
| Can you get SIMs issued to companies and use them for company
| phones and have your alter egos be on the record as consultants
| and use those phones?
| dobladov wrote:
| I can see some logic in buying second hand devices, but wouldn't
| it be better to buy new ones with cash since second hand devices
| already have a history of usage that could lead to locate you?
| joe-collins wrote:
| What's your threat model? That new phone's serial number has
| records of being shipped to the store you bought it at. The
| store has cameras and sales receipts.
| thedanbob wrote:
| Might not be an option for the phone as it takes a while for
| alternative OSes to add support for particular hardware, so
| generally only older models are compatible.
| trungdq88 wrote:
| Can someone explain to me why he doesn't use his existing cash to
| buy stuff?
| hycaria wrote:
| I think he wants to be untraceable from start to end, no credit
| card.
| gruez wrote:
| "cash" implies physical currency. my guess is that he doesn't
| want to get the notes from an ATM because those serial
| numbers can be traced to him (not sure whether banks actually
| do that). That said, doing a bunch of odd jobs to get $1000
| seems excessive. You'd probably have better luck getting
| change from random shops. something like a farmers market
| would be ideal because they deal in cash, probably don't have
| facilities to record serial numbers, and probably don't have
| cameras around.
| botwriter wrote:
| Would make sense if he withdrew small amounts from an ATM
| incrementally, but if he withdrew say $5k and then his web
| footprint went dead it draws a lot of red flags.
|
| Although it depends who your adversary is at the end of the
| day.
| Mediterraneo10 wrote:
| People commonly withdraw thousands of dollars and then
| disappear from online banking or bank-card use, if they leave
| to travel for some months in e.g. sub-Saharan Africa or
| Andean villages where all transactions will be made in cash.
| krisgee wrote:
| That's associated with a big travel purchase so you can cut
| that possibility out pretty quickly.
| cyberlab wrote:
| > People commonly withdraw thousands of dollars and then
| disappear from online banking or bank-card use
|
| In fairness, using contactless payments is super convenient
| and although it leaves a data trail, the sheer convenience
| of being able to buy a beer without fumbling around in my
| pockets is great. It's the old privacy versus convenience
| argument. But then, here in the EU you can compartment your
| card use with things like Revolut, and you can even secure
| your card by setting a limit on how much you can spend with
| contactless (no affiliation with Revolut, I just enjoy
| their app).
|
| Of course in an ideal world, there would be no such
| (transparent) data trail and you would pay for everything
| with Monero, over Tor lol
| Mediterraneo10 wrote:
| Was I not clear in my post above? People sometimes take
| out cash before traveling because cash is the _only_ way
| to pay for things in certain parts of the developing
| world.
| cyberlab wrote:
| Sorry, I skipped that part where you meant the developing
| world. I'm referring to how I spend my money in the EU.
| Revolut has all these 'neobank' features of limiting
| contactless spend, creating a virtual disposable card for
| e-commerce purchases, and also being able to send money
| to others, etc.
| [deleted]
| shanecleveland wrote:
| This is more about avoiding having a digital identity. I recently
| created a second Twitter account to create some separation
| between personal and business interests, conversations, etc.
|
| Not that I want to have two identities, but I would like to be
| able to distinguish between them. It was not difficult, but
| required some effort to create separation (I didn't want twitter
| suggesting my "business" account to my friends I already followed
| on my personal account).
|
| Facebook was another story. I have never had a Facebook account
| until a couple of weeks ago. I took on a new hobby recently, and
| the most active community around this topic is exclusively on
| Facebook. I joined and immediately disabled the ability to be
| seen to the extent I saw possible. But then Facebook disabled my
| account within 24 hours - the irony! They allowed a review
| process, which required a selfie (they clearly know my identity
| through facial recognition, despite having never supplied a
| picture myself). They let me back in fairly quickly. But I hate
| having to "support" the ecosystem. And it turns out I cannot
| friend anybody without allowing their friends to view my account.
| hpoe wrote:
| One thing that helped me a lot with this is Firefox containers.
| I started using it just to separate work and personal, but now
| I have Work, Personal, School, my professional blog, and my DND
| sessions and it is great, it really promotes separation and
| helps me manage all of them seamlessly and independently.
| shanecleveland wrote:
| That's a good tip. Thanks. Twitter actually makes it easy to
| switch between accounts in their app, but I do have a mangled
| mess of folders, files, bookmarks, etc.
| [deleted]
___________________________________________________________________
(page generated 2021-04-21 23:01 UTC)