Public Release Feb17, 2021.
Copyright 2021, AKA Infra
Released under Creative Commons by Attribution 4.0 International (CC BY 4.0)
You are free to:
- Share — copy and redistribute the material in any medium or format
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
The licensor cannot revoke these freedoms as long as you follow the license terms.
Phone numbers are inherently a dodgy proposition. The designs behind the US telephonery systems are not good designs, by modern systems standards. There is a soft upper limit of phone numbers, with real costs associated with expanding it. The result: a system that is inherently expensive to use, inherently insecure, heavily scrutinised and tracked, but nevertheless assumed to be a de-facto communication format for engaging with Byzantine real-world systems - from non-screenburnt social clubs, to doctors and insurance agents.
Furthermore - it's safe to assume that most phone service providers will happily compily with "requests" from "law enforcement affiliated" individuals and organisations "to the fullest extent possible" - which, in many cases, is an approximate history of device movements over the last weeks or months, and metadata/content of recent calls and correspondence.
While no aspect of tradecraft or helpful source of information can factor out all risk, it is entirely possible to secure* and utilise a dialable phone number, with a US area code, for veritably no money, without third parties (your crazy aunt, a cop who writes you a ticket, a jealous ex) - being able to readily associate the phone number with other aspects of your identity.
This is not rocket science. This is at best, ritual magick. It requires attention to detail, practice, and occasionally - quick thinking.
When you are done, you will have a perfectly usable Google voice account without having to touch a burner phone, API, VPN, SIM card, or unvetted website. It will be under your control, and usable on any device one might feel comfortable using a personal G account. No proxy or VPN is suggested or required for the purposes of this exercise - this is not a "how to crime" guide. Should you be considering breaking local laws, consider combining multiple layers of anonymity technology, and keeping operations as short as possible. Also, "have you tried shutting the fuck up about the problem, and getting a lawyer?"
It is not free. It requires a computer, a very small amount of money, and 20-30 minutes.
To reiterate:
This will not protect you from yourself.
This will not protect you from The Mossad.
This will not protect you from US Fed Warrants.
If your adversary is the Mossad, YOU’RE
GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO
ABOUT IT. The Mossad is not intimidated by the fact that you
employ https://. If the Mossad wants your data, they’re going to
use a drone to replace your cellphone with a piece of uranium
that’s shaped like a cellphone, and when you die of tumors filled
with tumors, they’re going to hold a press conference and say
“It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,”
and then they’re going to buy all of your stuff
at your estate sale so that they can directly look at the photos
of your vacation instead of reading your insipid emails about them.
H/T Mickens
This will not protect you from The Mossad.
But with modification, this framework may be suitable as a part of defensive systems for averting hazard when existing proximate to a variety of other advanced and persistent threat actors.
- having your IRL identity crosslinked to the criminal record of an online friend who gets busted selling weed, when your AT&T number is found in their "recent contacts"
- having ie) the address registered fo your phone plan being inadvertnetly affililated with political art projects, via account recovery SMS
- being unable to secure and build a new pseudo-anon identity, without investing resources in a literal second phone / plan.
- preventing a stalker/abuser from finding your primary google voice or hardware numbers, or being able to use knowledge of such to identify new online accounts.
(note: if your abuser is technically savvy, and you're worried they might have compromised your systems in a capacity that risks your personal safety - start making noise to this effect on an anon twitter account around ie @iancoldwater @hacks4pancakes and @notdan - they don't know I tagged them here, and I don't know them well, but I'm of the opinion that they're good people who are not fond of hackers being shitheaps.)
So, with this extensive forewarning, let's set to work.
This is a bit of tradecraft I've used for almost 5yrs now - it's changed, slightly, but approaching battle-tested.
At a high level, there are three steps:
- acquire an account
- secure the account (by far the longest process)
- make the account easy to use
Some operational notes:
Browser profiles are great!
It's highly recommended that you create a dedicated profile for the purposes of keeping all traces of your new tool from mixing with your existing web presence, until you have completed the process of securing the account.
4G hotspots are pretty good!
Most/all of this can be done over a tethered 4G/LTE link! This will separate your home internet service provider from your new account, until it is secure enough for your liking. Turning the SIM card or LTE modem of your hotspot off/on is usually enough to get a fresh IP, which can allow you to avoid linking the same IP address to multiple accounts, until you are ready to do so.
By far the best reseller of accounts with which I am acquainted, is buyaccs.com. They both buy, and sell accounts for a wide array of websites and social networks. The accounts are built by trade specialists in the third world, and sold to a reseller (buyaccs.com) for a fraction of the purchase price.
The "good" accounts are sold for between $3 and $5 each. It's worth buying a good account. You'll provide then an email to deliver credentials, pay via a bitcoin service provider, and receive a plaintext message containing the credentials. Note: it should be possible to receive this message via sms-email gateway, to a burner, or to a disposable mail account. I have had no issues receiving it to other gmail accounts, but results may vary.
After an account has been purchased, or otherwise credentials have been received, the process is relatively straight forward:
- Log in to your new account at https://voice.google.com.
- Open a new tab and navigate to https://myaccount.google.com/security.
- Change the recovery email to an account you control - ideally not your most important email, but whatever's fine. Google does not hold recovery emails against you, or require confirmation before they take effect.
- Enable two-factor authentication through your new Google Voice number. This will not log out your current session, so take care to complete the reamining steps before Google closes it for you. (24hrs)
- Save your recovery codes, which will allow you to log in should you lose your two-factor authentication token.
- Add a time-based one-time-passcode (TOTP) based "Authenticator App" - I prefer Aegis but anything (Authy, Google Authenticator, etc) will work!
- Remove the phone number as a 2FA token, so the number will not be required for future use.
- Change the password.
- Optionally change Google activity rules to a conservative policy, automatically cleaning up information that could potentially be a liability in the future.
- Record the 2FA backup codes, the email address, the password, and the phone number on a piece of paper, for future reference.
Setting up forwarding from your new GMail / Google Voice account will allow you to use your new phone number for SMS signup/login codes, without having to login to your new account.
Navigate to the gmail settings in your new account. Click though to advanced settings, and to "Forwarding/etc."
Add the desired account as a destination for forwarding from th new account, confirming with the code sent to the target email.
Search for "voice.google.com" in your new gmail, and create a filter matching the desired combination of voicemails and confirmation codes.
Add rule to forward messages matching your filter, optionally deleting them from the source inbox.
Send a test message - perhaps by attempting to sign up for a new imgur.com account, and verify it successfully forwards to the desired location.