UNREDACTED Magazine Issue 009

I like testing publication strategies. I started self-publishing my own books in 2011 after having bad experiences with traditional publishers. This worked out amazingly well for about a decade. Over the last few years, book piracy eliminated many of the sales, and we have retreated from further new editions. However, I still always crave something more. My hope is that UNREDACTED Magazine can continue to scratch that itch.

The first seven issues of this magazine were completely free and supported by advertisements from sponsors. Many readers were bothered by these sponsorships and ads, so we tried something new with the previous edition (008). We made it completely free without any ads. We asked people to donate toward the next issue if they found value in our work.

Unfortunately, only a few people offered financial support, while our downloads were at an all-time high (52,000 readers within 28 days). We suspect some of that was bots, but we have decent bot blocking on the site through Cloudflare which seems to work well. We did not notice any spike in book sales, but we suspect a few people contributed that way as well. We sincerely thank those who contributed! We will find a way to reward you.

I had low expectations, but not that low. This would not pay the bills, not even the layout. We weren't upset. We were not counting on any payments, and we even said that people should not feel compelled to donate. We were just curious of what would happen. Again, we like experiments and knew we might be volunteering our time and resources.

We really like having no ads. It makes things much easier and allows us to focus every page on content. With this issue (009), we are trying something new yet again. This issue has a price of $10 and is only available today to those who pay. Once the next issue is released (010), this issue (009) will be published free for everyone on our website.

If you like our research and feel it is worth $10, please purchase a copy of this magazine. If you do not believe it is worth $10, or you cannot afford payment, simply wait for the next issue and you can have the previous one for free. We believe everyone wins this way. I anticipate the next issue will be released in early 2026.

This may fail too. Who knows. I confess I have no idea what I am doing. I am just having fun creating things which I hope a few others will enjoy. However, I need to pay those who assist. We scaled back the layout in this issue and will focus more on the content.

I now present issue 009 of UNREDACTED Magazine. All articles were written by myself and the UNREDACTED team, so there is no individual attribution.

No Ads. No Sponsors. No fluff. No filler. No agenda. Just detailed information. I hope you enjoy.

Purchase Current Issue: https://payhip.com/b/vltEK

Download Past Issues: https://unredactedmagazine.com/issues.html

Articles:

From The Editor
SMS Is Monitored and Censored
Controlling VoIP Integrity
What’s In Your Wallet Part II
Intercepting, Monitoring & Recording HD Radio
The OPNsense Home Firewall
The pfSense Home Firewall
Bringing Back Desktop Push-To-Talk
Mapping Traffic Cameras with DeFlock
YouTube Client Alternatives
Offline Maps Revisited
I Have Control of Your New Vehicle
New Benefits of the Strapless Mask
Testing the New Voip.ms Mobile App
Credit Card Expiration Tip
Pop!_OS 24.04 LTS Beta Release Available
AI Lie Detection During Employment Interviews
Opting Out of AI Training
Alternative Apple Hardware
Auditing Open-Source Code with AI
Reader Q & A / Feedback
Final Thoughts

UNREDACTED Magazine Issue 008

UNREDACTED Magazine Issue 008 is now available!

https://inteltechniques.com/magazine.html
https://inteltechniques.com/issues/008.pdf

After publication of the previous issue, I had thought that this magazine might be finished. While downloads and overall interest were at an all-time high, article submissions were low. Not just low, practically non-existent. My goal for the magazine was always to combine three of my favorite things from the past: Bulletin Board System (BBS) text files, photo-copied hacker 'zines', and old-school 2600 quarterly issues. Each of those merged various views from the communities which they served into a long-form outlet, encouraging the reader to devour the content unavailable anywhere else. Times have changed.

The internet has spoiled us. We have overwhelming unlimited access to immediate information. Click bait titles draw us in while our attention spans, or lack of, become victim to the next juicy thing. When we do find something online of interest, the information is limited to a bite-sized chunk which we can handle while we check our messages and scroll our feeds. We get sucked into a video when the thumbnail shows the "influencer's" shocked face or they promise to tell us the one thing we need to know to solve all of our problems (but never seem to disclose the secret). OK, OK, I sound like Andy Rooney now... and I just lost half of the remaining readers as they go search to see who that is. I think we all need Andy today more than ever. We also need more long-form written content.

With this issue, I am trying something new. In April, we announced that our digital book provider was terminating our legacy account and eliminating the ability to send free updates to those who had purchased books. This was devastating, because they were the only provider who offered the specific services we needed. In order to keep our promises of free book updates, we decided to post any new content to our Blog, free for the world to see.

This was met with both praise and criticism. The majority preferred these online updates which were released as they were written, instead of waiting for a combined update within a PDF. They also preferred the ability to immediately see the new details instead of skimming through the entire book to find the modified content. However, many readers wanted a PDF which they could download and add to their files for future offline reference. Some felt it was unfair that the updates were free for everyone and not just those who bought the books. We respect both camps, but ultimately found it more important to do SOMETHING instead of NOTHING.

Recently, we decided to do both. We will continue to post updates to our Blog as needed over at https://inteltechniques.com/blog/. With this magazine issue, we are combining all of those recent update posts, plus many new articles with expanded content, within a single PDF which can be preserved and digested as desired. No cost and no registration. Simply grab a copy from our site the same way as all previous issues.

While this issue is not much of a community effort, it allows us to use the existing avenue to deliver raw content which we feel is important. Most articles are simply attributed to "The IntelTechniques Team" since an internal group of us worked on them collectively. Any reference to "I" in those is a group effort "we". Two articles near the end were contributed by readers.

With this issue, we also eliminated any advertisements or paid endorsements. I am extremely thankful for our previous sponsors, as they made the past issues possible. This time around, we wanted to just focus on the content and not sales or ads. If you find value within these pages and have a strong desire to donate to the cause, please consider purchasing one of our digital books on our site. Give one as a gift to someone who needs it more than you. We also offer ways to donate virtual currency or smaller amounts on the magazine page. However, there is no pressure to donate, we want to do this work.

We now respectfully present issue 008 of UNREDACTED Magazine. No fluff. No filler. No agenda. Just free information.

MB

Extreme Privacy Update: E2EE Email Guide

Email was never meant to be private or secure. The protocol was created decades ago, and was first used to share files and messages between groups of researchers. We have come a long way since then. Today, we rely on email to pay our bills, confirm our identities, and communicate globally. I believe there are currently only two private and secure email providers, and every reader of this blog should establish accounts with both. First, let's understand the reasons we should care about email privacy and security.

Traditional email providers can read all of your messages. While they typically encrypt the data while it is in transit from one provider to another, they hold the keys and there is no end-to-end encryption (E2EE) protecting your content. A malicious employee or criminal hacker can access the data, and a court order can force the provider to hand over everything you have ever said. For a long time, Gmail was scanning every message in order to present advertisements relevant to your conversation.

This is where providers such as Proton Mail and Tuta come in. These services, each offering free tiers, provide email communications with true zero-knowledge E2EE. This means that your email is encrypted from your device before it is stored on their servers. Even with a court order, an employee of Proton Mail or Tuta would be unable to view any message content. If an email is sent from one Proton Mail user to another Proton Mail user (or one Tuta user to another Tuta user), it is never exposed to interception from a third party. Is this bulletproof? No, nothing is. There will always be some slight chance that an adversary could compromise your communications. However, it is extremely unlikely. On the other side, a court order to Google, Yahoo, Microsoft, or any other traditional provider will hand over all of your account details and email communications stored with them without any resistance.

While I am not very concerned about court orders being executed on my accounts, I am extremely bothered by data breaches and internal abuses. If a breach occurs at Proton Mail or Tuta, the thief gets a bunch of encrypted data that is of no use. In 2016, a large breach at Yahoo handed over access to over 500 million accounts to unknown criminal culprits. In 2021, Yandex caught an employee selling access to entire inboxes of targeted users. These scenarios are no longer theoretical. Verified threats toward your sensitive email content exist. A big part of being private is simply making better choices, even if they are not fool-proof.

I have a few opinions on email which may not be accepted by the security community. First, email is broken and outdated. I assume every email I write could be seen by someone else. I trust services such as Proton Mail and Tuta over any other mainstream provider because of the zero-knowledge environment. Even if they secretly had bad intentions, they could not access my data. Multiple independent third-party audits verify this protection. These audits carry more weight than online promises by the companies.

The bigger problem is on the other side of your messages. If you send a message from your Proton or Tuta account to a non-encrypted provider, then you lose most of the protection. Proton Mail and Tuta can only safeguard your information on their servers They cannot control what happens when you leave their ecosystem. However, You can have comfort knowing that your historical email archive is protected from prying eyes.

In the most recent edition of Extreme Privacy, I recommended both Proton Mail and Tuta, but displayed slight favor for Proton Mail due to wider adoption. I still see more Proton Mail users contacting me than Tuta fans, but the numbers are closing in. Also, both companies have made several improvements to their platforms. Let's dive into the latest comparisons for a full picture of each provider, sorted by the features I find most vital.

Email Security: This is a tie. Both services still provide industry standard E2EE and possess proper password and 2FA protocols.

Custom Domains: This is also a tie. I explain in the book the importance of owning your own domains for email communication. I place custom domains within each provider. If one service were to fail, shut down, kick me out, or become compromised, I can simply forward my DNS records to the other provider with almost no downtime. I am in true control of my addresses.

Adoption: This will vary, but Proton generally wins. Only a year ago, 99% or my contacts using secure email were Proton Mail users. Therefore, it simply made more sense to primarily use Proton Mail for communications. As I write this, 29% of the people who have emailed me from a secure provider in the past year are using Tuta. The other 71% are using Proton. That is quite a jump. When I have a contact using Tuta, whether a Tuta address or a custom domain on Tuta, I always communicate with that person via my own Tuta account. This protects the entire conversation, and is the right thing to do. This is why I believe we should all have accounts at each provider, even if only on the free tier.

Contacts: Tuta has a slight edge on this one. Both Proton Mail and Tuta do NOT fully encrypt the email addresses of incoming and outgoing mail. They must see the addresses to be able to facilitate the communications. However, Tuta encrypts the subject line while Proton does not. Is this a huge deal? Not to me, but it may be to you. Both providers encrypt everything else stored within a contact on their service. Personally, I do not store my sensitive contacts within any online service. I keep them in my offline desktop and mobile applications.

Calendars: This is a tie. Both providers offer a true E2EE calendar experience, and both now offer the ability to share a calendar between multiple users.

Offline Email Clients: The winner on this one will depend on how you want to store your email. I believe everyone should have an offline backup of every email communication. What if your email provider gets hacked or disappears? What if you logged in one day and all of your email was gone? An offline copy prevents this concern. Proton Mail offers a bridge application which allows you to use any traditional email desktop application to synchronize your emails to your computer. If you want to use Thunderbird or any other IMAP option, then Proton is the winner. Tuta allows you to export messages in bulk, which could then be imported into your email program, but that is an ongoing hassle. However, Tuta users can download their desktop application and synchronize all email for offline use. Make sure you select "Email" and change the "local data" to "999999 days" to get everything. Relaunch the program, disable internet, and scroll to your email archive to make sure all messages were synchronized. I am split on this. I like the ability to use my own application, but that means that I have to store all of my email twice on my machine (once encrypted via Proton's bridge application and once decrypted within my email program). Tuta's application is clean and just works.

Mobile Apps: I think Tuta gets a very slight win from me. Both providers offer great mobile apps, but Tuta's seems a bit cleaner, brighter, and faster to me. However, this should never be a reason to select a provider.

Multi-user Login: Tie. Both providers allow multiple paid and a single free account within the same mobile app. Proton is a bit easier to switch between users, but only because I am used to it.

Drive Access: Proton wins here. They provide a Drive service which allows you to store and share files securely. Tuta is working on their own version.

Audits: Slight advantage Proton. Both providers have had external audits of their services, but only Proton's can be seen HERE. Tuta's plans to release theirs, but has not as of this post.

Open Source Apps: Tie. Both providers have open-source apps available through their Github pages HERE and HERE.

Location: This is a tie for me. Proton is a Swiss company while Tuta is in Germany. I only prefer a non-U.S. provider, so I am happy either way. Only you can decide if either is a risk. Proton will obey Swiss court orders while Tuta will require a German court order. However, neither provider can give out any content since they cannot see through the encryption. They could only provide non-encrypted metadata.

Pricing: This is a loaded topic. While we should never choose providers based on costs, we should make sure we are receiving a fair deal. Again, both offer a free tier to try the services. Paid plans vary. Proton also offers a VPN service, so some users may prefer to bundle that in. Some may prefer it separate. Do your homework. Competition between the two should keep prices affordable, which is a good thing.

Payment: Proton has the slight advantage. They accept cash and Bitcoin directly. Tuta can accept Bitcoin, Monero, and cash, but you must go through a third-party service called Proxystore. This works fine, but does introduce an additional hurdle. I would never send cash overseas, but I have used Bitcoin for both services without issue.

Disclosures: While I am an affiliate of both Proton Mail and Tuta, I receive absolutely no information about you or your order. I was a user of (and recommended) both services before I became an affiliate. If you would like to support these guides, please consider registering with my custom links, even for a free trial, at https://go.getproton.me/aff_c?offer_id=7&aff_id=1519 and https://tuta.com/?t-src=inteltechniques. I was not asked to write this update and I provided no editorial control.

Which do I choose? Both. I possess paid accounts through each service and use them both daily. I possess custom domains on each service which can be changed to the other at any time. I am thrilled to have options. Which will you choose?

For much more information about secure email, and many other topics, please check out my book Extreme Privacy.

Extreme Privacy Update: Self-Hosted SearXNG Guide

In my books Extreme Privacy and OSINT Techniques, I discuss the SearXNG as an option to access search engine results. SearXNG is not a search engine itself. It is a metasearch engine which aggregates the results of multiple search engines, such as Google, Bing, and others, but does not share information about users to the engines queried. It is also open source and can be self-hosted. The easiest way to get started is to visit https://searx.space/ and test a few public instances.

After you have played with any of the public instances of SearXNG, you may now see the benefits of an aggregated search service. You may also be considering the risks associated with this behavior. Let's start with the benefits of a public instance which is not self-hosted.

  • All queries are submitted to search engines from a third-party server.
  • The IP addresses collected from engines are those of the server, not yours.
  • Your queries cannot easily be associated to one user by the engines.

That may sound great, but there are risks with public instances. Consider the following.

  • The host of the instance could monitor your queries.
  • If the host is popular, some engines may block access.
  • If the host has an outage, you are without service.

Overall, I believe it would be very unusual for a SearXNG host to monitor queries. This cannot be done with the stock SearXNG software, and hosts would have to go out of their way to collect data about users. I just do not see the motive of that. However, anything is possible. Personally, I prefer to self-host my own instance of SearXNG. Consider the following benefits.

  • All queries are submitted from your machine directly to the engines.
  • The tracking code on engine websites is removed from the SearXNG pages.
  • Minimal usage ensures that all options function reliably.
  • Does not rely on the uptime of an online instance for my queries.

As always, there are also risks. My IP address is submitted with every query I make, but I am always behind a VPN so I am not bothered by that. The ability to host my own code and know that no one else is intercepting that data is more important to me. You can never hide the queries from the search engines themselves, but you can limit the information loaded into your browser by not visiting their sites directly. Receiving results from multiple search engines simultaneously is very advantageous. Take some time to determine whether you are better served with a public instance or your own. I took the following steps on my Linux machine to configure my own host locally. If you decide to replicate these steps, you should copy and paste the in its entirety directly into Terminal. Note that these steps deviate from the official installation guides which are mostly outdated.

sudo -H apt-get install -y python3-pip python3-dev python3-babel \
python3-venv uwsgi uwsgi-plugin-python3 \
git build-essential libxslt-dev zlib1g-dev \
libffi-dev libssl-dev
mkdir ~/Documents/searxng && cd ~/Documents/searxng
git clone "https://github.com/searxng/searxng"
python3 -m venv searxngEnvironment
source searxngEnvironment/bin/activate
pip install -U pip
pip install -U setuptools
pip install -U wheel
pip install -U pyyaml
cd searxng && pip install --use-pep517 --no-build-isolation -e .
sudo -H mkdir -p "/etc/searxng"
sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" searx/settings.yml
sudo -H cp searx/settings.yml /etc/searxng/settings.yml
export SEARXNG_SETTINGS_PATH="/etc/searxng/settings.yml"
deactivate

My machine is now configured to run the SearXNG software. The following commands execute the program.

cd ~/Documents/searxng
source searxngEnvironment/bin/activate
cd searxng
python searx/webapp.py

The software is now running in the background. You can minimize this Terminal window. As long as it is not closed completely, the service is running. You can launch Firefox and navigate to http://127.0.0.1:8888 to load your own instance. Similar to public instances, any modifications you make to SearXNG will be erased when you close Firefox, unless you add http://127.0.0.1 to your stored cookies (or modify the settings.yml file directly). You can execute the following commands to fetch any updates.

cd ~/Documents/venv/searxng/searxng
git pull "https://github.com/searxng/searxng"

If desired, you can add these two commands to the Linux update script presented in Extreme Privacy. You could also add the launch commands to the maintenance scripts within the book. The image below displays an example query. Notice that I receive results from Google, Bing, Brave, and DuckDuckGo simultaneously.

From any search result, I prefer to click the "Preferences" option on the far right and make a few modifications. I disable any auto-complete options; disable SafeSearch; switch to a light theme; enable results in new tabs; and enable preferred search engines throughout all topics. You can even modify the way URLs will be presented. This allows you to remove embedded URL tracking codes, force older or mobile versions of websites, or even remove affiliate tracking links. Your options are unlimited when you control the code. If you want to store these changes so they will be preserved after you restart Firefox, you must conduct the following.

  • Navigate to Firefox's Settings menu and click the "Privacy & Security" option.
  • Click "Manage Exceptions" next to "Delete cookies...".
  • Enter the URL of your SearXNG instance, such as "https://127.0.0.1".
  • Click "Allow" and "Save Changes".

I currently have a self-hosted SearXNG instance running on my laptop, which allows me to query dozens of search engines simultaneously from my browser without trusting any third-party middle man. Since I rarely search or browse websites from my mobile device, I simply rely on a public SearXNG instance on it.

Let's repeat the process for those on macOS who want to self-host SearXNG. Make sure you have Homebrew configured as explained in the book.

brew install python3.13 git
mkdir ~/Documents/venv
cd ~/Documents/venv
python3.13 -m venv searxng
source searxng/bin/activate
cd searxng
git clone "https://github.com/searxng/searxng"
pip3.13 install -U pip
pip3.13 install -U setuptools
pip3.13 install -U wheel
pip3.13 install -U pyyaml
pip3.13 install -U lxml
cd searxng
pip3.13 install --use-pep517 --no-build-isolation -e .
cd searx
sudo mkdir "/etc/searxng"
sudo cp settings.yml /etc/searxng/settings.yml
sed -i '' "s/ultrasecretkey/00ef3039748274b4f2b93d16fb9695de00a4bb35e4c02b7704a167c7aeb274bd/g" /etc/searxng/settings.yml

deactivate

My machine is now configured to run the SearXNG software. The following commands execute the program.

cd ~/Documents/venv
source searxng/bin/activate
cd searxng/searxng
python3.13 searx/webapp.py

The software is now running in the background. You can minimize this Terminal window. As long as it is not closed completely, the service is running. You can launch Firefox and navigate to http://127.0.0.1:8888 to load your own instance. Similar to public instances, any modifications you make to SearXNG will be erased when you close Firefox, unless you add http://127.0.0.1 to your stored cookies (or modify the settings.yml file directly). You can execute the following commands to fetch any updates.

cd ~/Documents/venv/searxng/searxng
git pull "https://github.com/searxng/searxng"

If desired, you can add these two commands to the macOS update script explained in the book. You could also add the launch commands to the maintenance scripts presented there. If there is enough interest in self-hosting in Windows, I will ask Jason to work out the steps on his Windows machine.