Anonymity techniques
Posted: 26 Jul 2014, 19:38
Firstly, it is my humble opinion that if you are seriously breaking the law and causing grief for other humans then not only do you deserve to be caught, but it is nigh impossible to maintain total anonymity once you have been targeted by powerful authorities. I am no security expert so take what you read here for what it is worth.
Why anonymity?
Anonymity is privacy. I close my curtains of an evening because I don't want people outside seeing what goes on inside. Just because I don't need my anonymity privacy today doesn't mean that I may not need it in 5 years. Once you give it away, it is not coming back. The future internet will be nothing like it is today. Corporate and government bodies dictate that it will become less anonymous and more controlled. In the same way that we should fight to retain our freedom of speech, we should fight to retain our right to privacy and a free internet as it was intended to be from the start. Some years ago, through a massive screw up of delivery personnel, I discovered that the national police were working together with a certain online business (equivalent of ebay) to prevent parallel importing. In doing so they legally had the right to read my emails. They delivered an item I sold to a friend of mine to whom I had only corresponded via email. Busted big time. They confessed and informed me that they were totally within their legal rights to do so.
If you think that national and international agencies are not spying upon the population then you are kidding yourself (think PRISM, XKeyscore and NSAKEY). If you choose to do nothing about it, you are perpetuating the complacent attitude that will eventually see many of our basic rights slowly and unperceivably wrenched from our grasp. For good.
Total anonymity?
Personally I don't think this is possible (without keeping on the run) once you have been targeted. Below are some extreme but necessary pointers if you want to attempt to maintain total anonymity.
What NOT to do if you are a paranoid mess.
1) Don't use Windows. Closed source proprietary code is an unknown. Since before 2000 Windows was attempting backdoors (see NSAKEY). From memory I couldn't even set up Windows 8 without connecting to the internet and associating my computer with an account.
2) Don't use your home internet connection.
3) Don't use public internet without precautionary steps (see below).
4) Don't use email to correspond.
5) Don't use popular social networking sites.
6) Don't use your cell phone.
7) Don't think you are smarter than the next guy.
Some things to DO if you are totally 'out there' noid.
1) Use a live operating system (as non root) on a read only media that doesn't mount existing internal drives. It should not use swap partitions, hibernate or sleep and it should not support booting from any other device except the one it was installed on. If you want persistent changes they should be saved on an encrypted file system. It should require a password to boot and clear ALL memory before shutdown.
2) On a public network spoof your MAC address and browser agent and stay away from security cameras. If you pay, pay in cash and try not to touch anything (public kiosks are a bacteria haven).
3) Use burner phones, or burn your phones.
4) Use end to end encryption when chatting on any network.
5) If you must use email use temporary accounts such as 10minutemail or guerillamail. At least use an email service that scrubs headers.
6) Use a VPN, Tor and anonymous SOCKS proxies. If you pay, pay for it with bitcoins or some anonymous unsourceable online currency (or somebody else) and use a disposable email to join.
For the non crazy but slightly paranoid (me)
If that sounds like too much work then here are some tips to remain somewhat anonymous while using your home connection. The aim is to have my ISP, all sites I visit and my wife ignorant as to my online activities. I'm just joking about the wife. I want her ignorant to my offline stuff too. I want my IP Address to be anonymous and I want to be able to choose from which country I appear to be from so I can do things like stream the world cup live from websites restricted to the UK.
Pay for a VPN. It doesn't have to be quad loop VPN. For as little as $3 per month it can be well worth it. Many come with a nice GUI for every device you have. I use a non logging VPN from a tiny island outside of the US and EU that has a transparency report about all abuse claims and their reactions to said claims. They have a warrant canary which is a funny name for being transparent about request warrants, searches and seizures. They also have an alternative DNS. Here is my traffic route when I am in eNinja mode.
ME --> ISP --> VPN --> TOR --> VPN --> DESTINATION
My ISP (or network admin at work) sees my encrypted entry into a VPN only. Inside there I go through the Tor network and exit on a chosen (and trusted non-logging) VPN node. I check for DNS leaks upon first log in.
Another commonly used setup for me is:
ME --> ISP --> SOCKS PROXY --> VPN --> DESTINATION
ME --> ISP --> VPN --> SOCKS PROXY --> DESTINATION
Apart from adding an extra layer of security, it acts like a kill switch if the VPN connection is lost. Any file transfer in progress through software configured to use the proxy will not unexpectedly resume later while in an insecure environment.
Another layer of security would be to run the livedisk inside a virtual machine with all web traffic from the VM going through the PROXY/VPN.
I use a volatile pastebin service (burn on read) for messages and encrypt (end to end) any chat services which I very rarely use because some of my friends can't even spell encryption. At work I do the opposite to all that is written above. I find the privacy invading, totalitarian, cloud based services soooo useful that I swallow my pride and just connect. I know, I am two faced.
If anybody has other anonymity techniques to add then please do. If anyone wants some advice on how to start playing around with anonymity then feel free to ask. I would love to release a Porteus edition that fits in the 'I am totally fucking paranoid' category above. TAILS style.
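Added example, not part of the original post: a local self-check for the DNS-leak and lost-VPN cases mentioned above. It applies longest-prefix matching to `ip -4 route show` output to find which interface a probe address and each `resolv.conf` nameserver would leave through. The sample routes, addresses and the `tun`/`wg` interface prefixes are constructed assumptions; route metrics and IPv6 are ignored.

```python
import ipaddress

# Constructed sample inputs (not captured from a real system).
ROUTES_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
ROUTES_DOWN = "default via 192.168.1.1 dev wlan0\n192.168.1.0/24 dev wlan0 scope link\n"
RESOLV = "nameserver 192.168.1.1\nnameserver 10.8.0.1\n"
PROBE = "203.0.113.1"  # documentation address, stands in for "any internet host"

def parse_routes(text):
    """Parse `ip -4 route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or "dev" not in f:
            continue  # blackhole/unreachable entries carry no device
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append((net, f[f.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match: the device the kernel would pick for addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(hits)[1] if hits else None

def find_leaks(route_text, resolv_text, tunnel_prefixes=("tun", "wg")):
    """Return (kind, address, device) for traffic that bypasses the tunnel."""
    routes = parse_routes(route_text)
    targets = [("probe", PROBE)]
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "nameserver":
            targets.append(("dns", parts[1]))
    return [(kind, addr, dev) for kind, addr in targets
            for dev in [egress_dev(routes, addr)]
            if dev is None or not dev.startswith(tunnel_prefixes)]

if __name__ == "__main__":
    print(find_leaks(ROUTES_UP, RESOLV))
```

With the tunnel up, the router's resolver at 192.168.1.1 is still reached over `wlan0` because the LAN /24 route is more specific than the VPN's two /1 routes, which is exactly the leak a first-login check is meant to catch.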