EvilZone
Hacking and Security => Anonymity and Privacy => : BlackWasp June 29, 2015, 12:23:39 AM
-
I've been browsing the community for a while, and this particular subforum retains my interest more than any of the others. As privacy quickly fades into a thing of the past, I've become very interested in preserving anonymity for its own sake. After reading all of the advice, I feel that I'm somewhat confused as to how to remain the most anonymous browsing the web. So far, I've heard...
"It's impossible to stay anonymous - period."
"Oh man, just use TOR / VPN / TAILS / WhoNix / Public Wifi and you're 100% anonymous."
"You can stay relatively anonymous by mixing as many layers of anonymity as possible."
"If you mix too many layers in an attempt to remain anonymous, then you're maximizing the amount of things that could go wrong and reveal yourself."
"Just buy a computer, use it, smash it, and then throw it away dawg."
Of course, while there's some truth to all of these ideas, they really seem to be a series of competing philosophies of privacy as opposed to any thorough method. I have no expectation that someone will spoon-feed me a fool proof method (nor would I want that), but I think the best way to find what I'm looking for is to get a survey of people's thoughts on the issue by asking a hypothetical question:
Suppose you wanted to browse the internet privately. In your ideal scenario, what would you do to remain as anonymous as possible?
-
just to browse the internet.. load up TAILS on usb, spoof youre MAC maybe and your good.. now pen testing is a whole diff ballgame.. plus dont sign in your email or social media with the same proxy you use to do something illegal ( that should go without saying), and dont ever post or say anything that can later be traced to you, like if your a male or female, if its snowing where you at.. little things you say can connect you to certain places and thats how most people get found.. just look at the whole LULZsec thing, besides sabu snitching, the only other way they found em is through shit they posted about themselves...
-
I would just add 3 things to dotszilla's response: noscript, https everywhere, and make sure your box is completely clean.
-
Haha that's about as useful as switching your user agent, unless it's a wireless attack against filtering.
-
Spotted the noob!!
right.. you forgot to put the MAYBE i wrote.. and why dont you contribute to the post instead of trying to call people out on stupid shit.. instead of talking shit maybe you can explain to people why changing youre mac is sucha bad idea, since youre so smart.. and i didnt see you post what you would do, like the thread suggests..
i hate people that act like they know everything, you just sound ignorant as fuck by calling somebody a noob.. when in all reality youre the noob..
P.S if you are connecting at a coffee shop or another public wifi spot, they can log the MAC addresses that connect to their routers, hack from there without spoofing and youre in trouble. So spoofing your MAC is not as useless as you think...
heres a link too smartass:
http://www.quora.com/What-are-the-advantages-of-MAC-spoofing
-
If the NSA wants to know where u are u are pretty much fucked and should find refuge in an embassy, otherwise I guess the thread: Art if Anonymity is stickied, that's the best there is.
Remember that each harware is unique and thus using any pc/laptop is identifying, I am not sure that if tails does prevent this but I doubt it, so basically destroy throw the laptop after you've done what u have to do is the best.
But in general if you are ont this forum asking this question u are not up to something the NSA or even the fbi cares to know, (or maybe for the FBI). Otherwise tor+not all add ons since having lots of addons on a tor browser is done, since if one is compromised u are basically fucked (law enforcement).
If u are just worrued about privacy from other peers, spams, Google collecting info about u etc.. Just follow the stickied post.
Again u probably aren't up to smth significant enough to track u trhoughly, ao regular anonymity measures are probably enough
P.S: I'll fix grammar etc once on PC
-
make sure your box is completely clean.
if you load TAILS on a usbdrive you dont have to worry about that, since TAILS makes it really hard to save anything to the HD... so there wont be anything to clean..
-
My bad dotszilla - didn't think about mac logging. Even things as simple as screen resolution can reveal your identity to a certain degree. And trying to hide your actions from feds is almost always ineffective, and will probably make them more suspicious of you. TAILS doesn't save to hd, but the unlikely instance of BIOS malware or hardware bugs can't be stopped by TAILS.
-
it does matter, i said maybe i would spoof my mac meaning depending on the situation i might do it, but most likely i wouldnt..
and w.e dude im not gonna sit here and argue with someone that averages 70 posts a year, you prolly just like to talk shit on forums...
2460h1
Posts: 276 (0.278 per day)
P.S. you shouldve explained why you think spoofing mac is useless in the first post, instead of calling me out and looking ignorant as fuck... uuhhh hes a noob cuz he said spoof the MAC ( a noob dont even know how to spoof a MAC) fking tard...
-
My bad dotszilla - didn't think about mac logging. Even things as simple as screen resolution can reveal your identity to a certain degree. And trying to hide your actions from feds is almost always ineffective, and will probably make them more suspicious of you. TAILS doesn't save to hd, but the unlikely instance of BIOS malware or hardware bugs can't be stopped by TAILS.
true true, and no prob...
-
Girls I had enough , no flaming and fuckin back-on-topic.
-
If the NSA wants to know where u are u are pretty much fucked and should find refuge in an embassy,
...
(or maybe for the FBI).
^this basically. If you've already made enough noise as to have attracted the feds, or worse, the NSA, then its too late for anonymity. If thats the case, even completely avoiding all electronic communications might not be enough to evade their watch.
In your question you specified as anonymous as possible, so I'm going to try and think of, and apply as many levels of anonymity as I can think of.
I would definitely start with booting a live distro, TAILS being the most efficient (most likely) as it has been designed from the ground up for privacy and anonymity. Next you'll need to configure how you will connect to the outside world. In this case since we're paranoid, so hop in the car and drive a few hours to a large metropolitan city (if you already live in one, then you might have to drive farther to find another.) Once youve found a suitable city, purchase a prepaid creditcard with *cash.* Before heading back home, find an open wifi network, or better yet hack an encrypted network (WEP is easy, WPA(2) with WPS would be a better choice.) Once your connected to the internet (while booted into TAILS) rent a server, use fake name, address etc and pay with your prepaid creditcard. Make sure your server is located offshore, in a privacy friendly country like iceland, denmark, france or switzerland. Configure a VPN server and TOR on your new box. Now you can go home.
Now you'll need to purchase a prepaid burner simcard and mobile hotspot, probably would have been a better idea to purchase that before you came home... thats not your fault though, your new to this so I'll let you off on that one. Immediately once connected to your new hotspot, connect to your vpn and then out from your vpn through tor, to the internet.
Once on the web,
NEVER use your real name for anything
NEVER tell personal stories or the like.. no matter how arbitrary and generic you think they are.
ALWAYS spread disinformation, make a back story for your alter ego and stick with it.
NEVER order anything to your home address
NEVER communicate to personal friends or family while using your anonymous connection
ALWAYS disable javascript
NEVER install flash, or JAVA browser plugins
and lastly (because im getting tired)
ALWAYS use tor browser (as opposed to a common browser set to use tor as a proxy) this is because tor browser emits the same fingerprint no matter what device its installed on so every tor user using a vanilla copy of tor will all give the same fingerprint. browser fingerprinting has shown to be pretty accurate and it seems the more you do to try and avoid this the more unique your fingerprint becomes in most cases (i could go into detail but browser fingerprinting is beyond the scope of this rant, but i suggest anyone that isnt familiar to read about it.)
Any way you could basically keep adding inifite layerrs of anonymity but the more you do, the more limitations you will encounter and the less enjoyable your web experience becomes. So what I suggest for anyone is to first determine exactly how much privacy and anonimity you require and go from there, and also don't forget that being so quiet on the web can attract attention on its own, so disinformation and alter ego's are a must. Don't be TOO quiet.
-
Ill hop on the boat.
The question here is hardly techical in nature since we can simply not know what lies beyond the horizon, security is fundamented on trust.
Since we trust the wrong stuff we are fucked.
Let SSL be an example , it has come forward that SSL auths where forced to give up the key's etc etc.
To truly gain anonymity one will have to make sure that one can trust every single shackle in the chain.
This is simply not possible with untrusted hardware/software and infra.
Fully revised opensource hardware/drivers/software/infra would make for a good start.
Good to note that this is not completely out of reach.
(just a mindfart; a rasp with selfwritten OS/drivers and some self designed proto to use the wireless interface would approach the problem quite well)
Non of this is practical.
In the last year or 2 openSSL has been turned upside down and some serious flaws came forward, large scale code revisions turn up even more, more will show.
This is happening in broad daylight, just imagine what is going on behind the scenes and who could have known etc.
They discovered a couple of 'illegal' taps placed by the NSA among others on seriously large routing points, this is hardly suprising but this and the stuff about SSL being fucked pretty much means you just dumped x years of unencrypted data in the hands of others.
bank details/passwords etc etc etc.
What I am trying to say is that info about you is all over the place and this highly conflicts with being 'anonymous' , to be anonymous you must not have an identity.
Some say you are fucked when you plug the cable , I think you are fucked anyway.
-
I believe the moment you create anything real on the internet about yourself, you are fucked.
-
Was not expecting this many replies - thanks everybody for the useful information. I will now address your responses.
First, as a general point, I am not doing anything that should or would attract the attention of the police, NSA, or FBI. I'm actually just a computer science student who is interested in privacy. The most "edgy" thing I do online is lurking various chans. I just feel like the knowledge of remaining anonymous is something important and inherently powerful to have in our contemporary Big Brother society.
...load up TAILS on usb, spoof youre MAC maybe and your good..plus dont sign in your email or social media with the same proxy you use to do something illegal ( that should go without saying), and dont ever post or say anything that can later be traced to you..
I think this is all well said. Running TAILS off USB is something I was a little sketched out about seeing as they found some pretty major security breaches since their most recent update, but I agree with you that it's overall the safest OS to run.
As far as the debate between you and the other member about spoofing the MAC address, I agree with you. Spoofing the MAC address isn't exactly top-notch high speed security, but it should definitely be part of the equation. What the user "2460h1" is failing to recognize is that, in the case of some kind of investigation, raid, getting V&, or whatever, the MAC address of your computer is going to be otherwise identified by any router it touches - including the one you're using. So spoofing shouldn't be a mainline defense, but definitely helps.
I would just add 3 things to dotszilla's response: noscript, https everywhere, and make sure your box is completely clean.
Again, a valid point, although I don't know if there really is such a thing as "completely clean." I've actually never heard of noscript until I got onto this website, so thanks for sharing.
Art if Anonymity is stickied, that's the best there is.
Yes, I plan on reading this. Thank you.
Remember that each harware is unique and thus using any pc/laptop is identifying...
I'm kind of curious how true this. Supposing someone went online and theoretically browsed a webpage, I don't think any identifiable hardware would potentially be identifable besides the MAC address and possibly the screen resolution as available via the user agent.
...Otherwise tor+not all add ons since having lots of addons on a tor browser is done, since if one is compromised u are basically fucked (law enforcement).
I've actually never used or downloaded TOR. I always felt like the amount of faith people put in TOR alone is ridiculious, but you do make a good point.
if you load TAILS on a usbdrive you dont have to worry about that, since TAILS makes it really hard to save anything to the HD... so there wont be anything to clean..
That's actually not totally true, and is one of the things that was one of the security details upgraded in the newest version of TAILS. I don't want to get into specifics, but there are other areas where datagrams are saved besides the ones manually deleted by the distro - not including the fact that older versions of the distro have demonstrably failed in cleaning what they said they would.
TAILS doesn't save to hd, but the unlikely instance of BIOS malware or hardware bugs can't be stopped by TAILS.
This is also true.
If you've already made enough noise as to have attracted the feds, or worse, the NSA, then its too late for anonymity.
Like I said, I would be absolutely shocked if my behavior is enough to warrant any attention from anybody, especially considering what kinds of stupid / screwed up / patently illegal things people post up and / or admit to on some of the forums I've visited. I'm not up to anything crazy.
I would definitely start with booting a live distro, TAILS being the most efficient (most likely) as it has been designed from the ground up for privacy and anonymity. Next you'll need to configure how you will connect to the outside world. In this case since we're paranoid, so hop in the car and drive a few hours to a large metropolitan city (if you already live in one, then you might have to drive farther to find another.) Once youve found a suitable city, purchase a prepaid creditcard with *cash.* Before heading back home, find an open wifi network, or better yet hack an encrypted network (WEP is easy, WPA(2) with WPS would be a better choice.) Once your connected to the internet (while booted into TAILS) rent a server, use fake name, address etc and pay with your prepaid creditcard. Make sure your server is located offshore, in a privacy friendly country like iceland, denmark, france or switzerland. Configure a VPN server and TOR on your new box. Now you can go home.
Thank you for taking the original question seriously. This is probably the best post so far.
On this note, I've never actually configured a VPN. A lot of people seem to think that they're like the greatest thing since sliced bread, but it stands to reason that it leaves more of a trail than the security it provides is worth.
Now you'll need to purchase a prepaid burner simcard and mobile hotspot, probably would have been a better idea to purchase that before you came home... thats not your fault though, your new to this so I'll let you off on that one. Immediately once connected to your new hotspot, connect to your vpn and then out from your vpn through tor, to the internet.
Once on the web,
NEVER use your real name for anything
NEVER tell personal stories or the like.. no matter how arbitrary and generic you think they are.
ALWAYS spread disinformation, make a back story for your alter ego and stick with it.
NEVER order anything to your home address
NEVER communicate to personal friends or family while using your anonymous connection
ALWAYS disable javascript
NEVER install flash, or JAVA browser plugins
and lastly (because im getting tired)
ALWAYS use tor browser (as opposed to a common browser set to use tor as a proxy) this is because tor browser emits the same fingerprint no matter what device its installed on so every tor user using a vanilla copy of tor will all give the same fingerprint. browser fingerprinting has shown to be pretty accurate and it seems the more you do to try and avoid this the more unique your fingerprint becomes in most cases (i could go into detail but browser fingerprinting is beyond the scope of this rant, but i suggest anyone that isnt familiar to read about it.)
Excellent post and well stated.
To truly gain anonymity one will have to make sure that one can trust every single shackle in the chain.
This is simply not possible with untrusted hardware/software and infra.
Again, outstanding point. Hence the reason I'm hesitant in respect to VPNs. Especially a service you're paying for.
Thanks everybody for their feedback. I'd like to see this conversation continue, particularly as it pertains to VPNs.
-
TLDR;
I don't feel like reading all the shit mostly mainly because I simply don't care. But I guess I'll post a normal setup.
Buy a reputable no log VPN, PrivateInternetAccess is a good choice. They support bitcoin payments as well as gift card payments (amazon, Walmart, Starbucks, etc). They also do not keep logs of anything. This is your first line of defence. The only system that should see your computer exposed is your VPN. It is obviously preferable to not use your home internet, rather highly populated areas with minimal Cameras and decent hot spots. Now that that's out of the way buy a bunch of cheap 8gb USBs, load up various nix distros, maybe a few Kali, a few tails... A different os for different purposes. Obviously if you run persistent you're stupid. So at this point we're Disposable OS - Hotspot (I guess a Mac spoofer) - VPN. Using tails I believe the web browser has extensions like noscript, HTTPS everywhere, etc. And that's good to browse the web. If you really want you can add in TOR and browse the deepweb.
In the end nothing is 100% anonymous but you can make it extremely difficult. Hide you USBs around, like a nice spot near your favorite hotspot locations. Don't forget to use your computer for regular browsing and have windows on it, keep it completely segregated. Nothing suspicious, Facebook, porn, personal emails, etc. The Disposable USBs are there for the other shit. Never sign up for anything with your real name with an alias email. For example:
Your real name is Thomas Abernathy. You have 1337.gh0st for a handle. You sign up for online banking with 1337.gh0st@gmail.com you just exposed a stupid mistake. Instead you have alias/alias email and real name/real name email. Never mix the 2 or you're going to have trouble when you piss off the wrong person and they go doxing.
-
TLDR;
I don't feel like reading all the shit mostly mainly because I simply don't care. But I guess I'll post a normal setup.
Buy a reputable no log VPN, PrivateInternetAccess is a good choice. They support bitcoin payments as well as gift card payments (amazon, Walmart, Starbucks, etc). They also do not keep logs of anything. This is your first line of defence. The only system that should see your computer exposed is your VPN. It is obviously preferable to not use your home internet, rather highly populated areas with minimal Cameras and decent hot spots. Now that that's out of the way buy a bunch of cheap 8gb USBs, load up various nix distros, maybe a few Kali, a few tails... A different os for different purposes. Obviously if you run persistent you're stupid. So at this point we're Disposable OS - Hotspot (I guess a Mac spoofer) - VPN. Using tails I believe the web browser has extensions like noscript, HTTPS everywhere, etc. And that's good to browse the web. If you really want you can add in TOR and browse the deepweb.
In the end nothing is 100% anonymous but you can make it extremely difficult. Hide you USBs around, like a nice spot near your favorite hotspot locations. Don't forget to use your computer for regular browsing and have windows on it, keep it completely segregated. Nothing suspicious, Facebook, porn, personal emails, etc. The Disposable USBs are there for the other shit. Never sign up for anything with your real name with an alias email. For example:
Your real name is Thomas Abernathy. You have 1337.gh0st for a handle. You sign up for online banking with 1337.gh0st@gmail.com you just exposed a stupid mistake. Instead you have alias/alias email and real name/real name email. Never mix the 2 or you're going to have trouble when you piss off the wrong person and they go doxing.
That's kind of shitty that you didn't read a lot of the other posts because you'd realize that most of what you said was already written by other people. Nevertheless, the rest of it was pretty insightful. I have two questions about your input though.
Firstly, I wonder about the wisdom of using a live boot *nix USB on another computer that you use regularly. Wouldn't that run the risk of exposing other information when you use it for browsing? Furthermore, wouldn't that run the risk of exposing the distro or its content if the computer was ever analyzed?
Secondly, could you elaborate on this part a bit?
Obviously if you run persistent you're stupid.
What do you mean run presistent? Do you mean using an actual installed version of a distro is stupid as opposed to always using a liveboot? Or do you just mean generally. I apologize, but I'm not fully picking up the context of what you're getting at.
-
DeepCopy I completely agree that a no log VPN is necessary, however I saw an article written by the CEO of PrivateInternetAccess in which he flamed the WiFi Pineapple and hackers alike. He then ended his article by stating that his service is the only reliable defense against the Pineapple. I can't find the link right now. I previously used the free and paid versions of CyberGhost VPN(bitcoin payment available). They are both quality services, and claim not to keep logs. However, the free version uses the PPTP protocol which is extremely insecure(lots of VPNs still use this). And beware of services which use every client's connection as a server for other users, such as Hola VPN. You're very likely to be busted for other people's shady activities. Just remember that no VPN will ever retain your privacy when presented with a court order. Yes BlackWasp I believe he meant an installed OS as persistent.
-
Persistent is a live usb that saves changes. I know most of what I said has been said before, but instead of interjecting myself into the differences in opinions, I simply posted mine.
And optimally yes you don't want to use the same computer. There's nothing new going on here. Just my opinion for doing minor illegal shit.
Anyways a healthy level of paranoia isn't bad as well.
@Trogdor
The wifi pinapple should be flamed, did you not hear about defcon? Isn't that good in a vpn that it can protect your traffic from devices like that, especially when using hotspot which are prime places for devices like a pineapple?
-
@DeepCopy
Thanks for your input. Paranoia is my middle name.
-
@DeepCopy I'm not promoting the Pineapple, I'm just trying to show that this company is fairly anti-hacking. Yes, there was a 0day found at DefCon, but don't almost all connected devices have some type of vulnerability?
-
@DeepCopy I'm not promoting the Pineapple, I'm just trying to show that this company is fairly anti-hacking. Yes, there was a 0day found at DefCon, but don't almost all connected devices have some type of vulnerability?
Exactly why a VPN is good, esp. Good ones like PIA. They encrypt traffic so even if you're connected at least it's encrypted. Whether PIA is anti-hacking or not, I can't think of a single provider that is going to advocate Hacking, especially a service that's meant to protect you from that. Can you name a VPN provider that's like "hey use our services to hack government sites and spam the internet. Please Abuse our services"
-
@Deep haha that's true, but lots of people will use VPNs for hiding *insert shady shit here* while thinking that they're safer. Sure it may be better than using your own internet connection, but people put way too much trust in companies.
-
@Deep haha that's true, but lots of people will use VPNs for hiding *insert shady shit here* while thinking that they're safer. Sure it may be better than using your own internet connection, but people put way too much trust in companies.
That's kind of my thought on the VPN. It seems like paying money is way too much of a hassle for the relatively basic "protection" they're providing.
-
And you're likely to make a tiny unavoidable mistake that completely gives you away. That's not to say that anonymity shouldn't be attempted; it's extremely important in modern times.
-
And you're likely to make a tiny unavoidable mistake that completely gives you away. That's not to say that anonymity shouldn't be attempted; it's extremely important in modern times.
What kind of mistakes would you be referring to?
By its very nature, a mistake is avoidable in my mind.
-
Any number of things. For example disabling noscript to enable functionality of a site will surely leak your true IP.
-
Any number of things. For example disabling noscript to enable functionality of a site will surely leak your true IP.
Interesting.
I guess, when all is said and done, it comes down to whether or not what you're doing is attracting enough attention of people for them to bother spending money on tracking you down.
-
That's a very good point. Thank you for initiating a really quality, in-depth thread.
-
Not bad for my first post, huh?
This seems like a cool community and I have a lot to learn, so I'm going to just hang around here, read, and ask questions.
You know, if I don't get v& in the meantime.
-
Awesome. You said your major is computer science?
-
Awesome. You said your major is computer science?
Yes. I'm in a computer science major and am starting this fall. I'm trying to get studied up on it before I show up so I can learn as much as possible.
I used to be really heavily involved with this kind of stuff when I was younger, but I never kept up with it because I was busy doing other things (chasing girls, smoking weed, etc.). I grew up a bit and decided it was time to come back to it seeing as it's such a lucrative field.
-
Haha you just described my life, but I'm a little younger.
-
Haha you just described my life, but I'm a little younger.
Lol, great minds think alike.
Anyway, the thing is that I'm getting serious mainly about anonymity because I'm tired of having anxiety throughout the day due to the fact that literally my entire life is online for anyone with access to exploit.
-
Privacy and anonymity are extremely important, even if you don't think you need it. You just made me think of tracking ads and cookies as another threat to anonymity.
-
When it comes to tracking cookies you can thank search engine optimization and analytics. Knowing what customers and potential customers want is what drives those cookies. Companies want to know what you're looking at and what you're doing so they can sell you what you're looking at. How many times have you gone to amazon and searched for a pocket pussy and then every other ad on every website is a pocket pussy. It's like brain Blocks in that aspect where if you see it all the time, subconsciously that's all you think about. Pocket pussies, pocket pussies everywhere.
-
Haha thats pretty descriptive of me
-
I don't try to be anonymous from the feds. It's too much work and they'll get you eventually if you use the same identity. I don't think they know who I am because they would need to send orders to certain people. The NSA might if their data collection is as massive as people say it is. I made up an identity and used it for registering everything. This way somebody can't get your information just by sending a threatening legal letter to your host or hacking one of your accounts. I care more about privacy from skids then hackers because teenagers who think they're hacker badasses are more likely to cause you serious short term trouble. Hackers can cause you much worse long term trouble. Unless you go after their family or do something really personal, an older man or woman with a real job isn't going to care. There are bad apples in any age group.
You said that you are interested in anonymity "for it's own sake." If that's your motive then you won't observe OpSec for very long. It's a chore to maintain and you won't keep it going. I like having an alter ego and an identity that only exists online but it's extremely restricting if I want to maintain proper anonymity. There are certain things that I can't talk about because if one of my friends posted on Facebook that I work with Linux, use X, Y, and Z programming languages, and A, B, and C interests, then my cover is blown. Web pages have already been written about what I do with computers. On just this one topic I have to be careful what I talk about. Anonymity is an all or nothing game. You only need to fuck up once.
-
I don't try to be anonymous from the feds. It's too much work and they'll get you eventually if you use the same identity. I don't think they know who I am because they would need to send orders to certain people. The NSA might if their data collection is as massive as people say it is. I made up an identity and used it for registering everything. This way somebody can't get your information just by sending a threatening legal letter to your host or hacking one of your accounts. I care more about privacy from skids then hackers because teenagers who think they're hacker badasses are more likely to cause you serious short term trouble. Hackers can cause you much worse long term trouble. Unless you go after their family or do something really personal, an older man or woman with a real job isn't going to care. There are bad apples in any age group.
You said that you are interested in anonymity "for it's own sake." If that's your motive then you won't observe OpSec for very long. It's a chore to maintain and you won't keep it going. I like having an alter ego and an identity that only exists online but it's extremely restricting if I want to maintain proper anonymity. There are certain things that I can't talk about because if one of my friends posted on Facebook that I work with Linux, use X, Y, and Z programming languages, and A, B, and C interests, then my cover is blown. Web pages have already been written about what I do with computers. On just this one topic I have to be careful what I talk about. Anonymity is an all or nothing game. You only need to fuck up once.
When I say anonymity for it's own sake, I'm not just talking about doing it for shits and giggles. I genuinely feel a certain degree of anxiety throughout the day due to the fact that my entire life is online. Think about it - all it takes is one crooked cop, one person who knows what they're doing, or one script kiddie and so many elements of my life are there for the taking. I'm tired of it and want to do something about it.
Even when you think about how much spying the federal government does, you can easily screw up your life just by accidently clicking on the wrong stuff. Sure, everyone says that they're only going to waste resources going after the bad guys, but what's the standard of what makes you a bad guy? How many controversial datagrams do you need to send before an investigation is justified? Do they have a file on BlackWasp right now just because I'm posting on this website? What if you accidently visited a webpage with illegal content, or worse, downloaded mislabeled illegal content? Are they watching you then? What if you did it more than once? Do they trace your IP and start investigating? I'm not sure if you guys are aware of this, but some of the laws on the books for downloading software and pirating music deal greater consequences than looking at child pornography (you can tell who makes the rules in this country). My point being, if you download music or software - does that make you enough of a bad guy to justify individual attention? What if you have a cotroversial opinion? What if you buy a lot of books on something controversial through amazon?
I'm not saying that I do any of that stuff, but it's worth asking where the line is drawn. When I was growing up, I was part of a community that encouraged everyone to question everything, read whatever you want, learn as much as you can, and the foundational axiom was that knowledge was free. Now I live in a world where I'm always wondering if my reading or surfing habits are enough to justify someone always looking over my shoulder, and that's not something I want.
So I'm taking privacy a little more seriously.
-
@BlackWasp your response made more sense to me than anything I have read this entire week.
-
Assume there are multiple dimensions, parallel universes, spirits, demons, angels, a magical veil that shrouds your vision from the truth. Reality is a giant mystery that no one has solved, the illusion of the material world has so many distractions, we convince ourselves to focus on just staying alive and how we relate to everyone else who is not us.
Assume your life is not your own, that you are an actor and cannot escape your script in life. You can only control how you feel, and even that is difficult at times.
So don't share your dream, don't share your wishes, don't share your love, don't share what you hold most dear; there is always something out there that's going to reduce you to nothing, to make you fail, to see if you stay down or get back up again.
Your worst enemy in staying anonymous is yourself, and the daemons..
-
When I say anonymity for it's own sake, I'm not just talking about doing it for shits and giggles. I genuinely feel a certain degree of anxiety throughout the day due to the fact that my entire life is online. Think about it - all it takes is one crooked cop, one person who knows what they're doing, or one script kiddie and so many elements of my life are there for the taking. I'm tired of it and want to do something about it.
Even when you think about how much spying the federal government does, you can easily screw up your life just by accidently clicking on the wrong stuff. Sure, everyone says that they're only going to waste resources going after the bad guys, but what's the standard of what makes you a bad guy? How many controversial datagrams do you need to send before an investigation is justified? Do they have a file on BlackWasp right now just because I'm posting on this website? What if you accidently visited a webpage with illegal content, or worse, downloaded mislabeled illegal content? Are they watching you then? What if you did it more than once? Do they trace your IP and start investigating? I'm not sure if you guys are aware of this, but some of the laws on the books for downloading software and pirating music deal greater consequences than looking at child pornography (you can tell who makes the rules in this country). My point being, if you download music or software - does that make you enough of a bad guy to justify individual attention? What if you have a cotroversial opinion? What if you buy a lot of books on something controversial through amazon?
I'm not saying that I do any of that stuff, but it's worth asking where the line is drawn. When I was growing up, I was part of a community that encouraged everyone to question everything, read whatever you want, learn as much as you can, and the foundational axiom was that knowledge was free. Now I live in a world where I'm always wondering if my reading or surfing habits are enough to justify someone always looking over my shoulder, and that's not something I want.
So I'm taking privacy a little more seriously.
If you want to be anonymous from law enforcement then you're going to need to do so much work that it won't be practical. You can't drive somewhere just to use the internet. A lot of the advice posted here has stupid holes in it. A burner hotspot will track your location like a phone, so you need to keep driving away to just have it turned on. Staying anonymous from the people on the internet is a wise decision because you don't know when and what would make you a target. I've gone after people who fucked with my friends, and all of them have had stupid flaws that allowed me to find them. None of my friends thought they were doing anything that would make them a target.
-
I don't think these situations are comparable as sh4d0w_w4tch is talking about anonymity from just hackers, while BlackWasp is talking about anonymity from the gubmint. I think they are both valid arguments in their own rights, though.
-
If you want to be anonymous from law enforcement then you're going to need to do so much work that it won't be practical. You can't drive somewhere just to use the internet. A lot of the advice posted here has stupid holes in it. A burner hotspot will track your location like a phone, so you need to keep driving away to just have it turned on. Staying anonymous from the people on the internet is a wise decision because you don't know when and what would make you a target. I've gone after people who fucked with my friends, and all of them have had stupid flaws that allowed me to find them. None of my friends thought they were doing anything that would make them a target.
Your dismissive attitude would be justified if you knew what you were talking about, but what you're saying isn't true. If I have a computer and am hitting a wifi hotspot, they can't "track your location like a phone." Phones are tracked through triangulation of several towers at once, whereas a wifi hotspot is a single modem and router. At best they might be able to calculate your distance from the actual modem due to the amount of packets your getting, but even that's variable to so many different things that it couldn't be tracked reliably.
Otherwise, the wisdom of not sharing information about yourself is appreciated, but that's not advice I actually needed from anybody. I've never been afraid of someone "doxing" me, because it's ultimately a pretentious dysphemism for "I don't understand NetSec and revealed enough information for someone with enough time to google me." I don't want to come off as a jerk, because I understand it's something worth mentioning in any conversation about anonymitiy (especially to a new person on the forum), but if you're still at the level of not having the self control to not tell personal stories and reveal other information about yourself, then VPNs and Proxy-Chains mean jack shit.
-
...but if you're still at the level of not having the self control to not tell personal stories and reveal other information about yourself, then VPNs and Proxy-Chains mean jack shit.
Humans tend to make mistakes, that' why humans are the weakest link, and whatever your level is you should worry about errors from your side being leet or a toral noob, human error has the same impact. And that's very true for anonymity, most high profile "hackers" were catched because of human error, like soemone said saying how's the weather were u are is compromising, also your writing type, typos, profile picture all of this help to profile u. This isnwhy most of the "big hacks" interpreters were catched due to this and not due to misconfigured VPN, WiFi Hotspot or proxychains.
So human behaviour is key and always always worth mentioning, and 100% that u are subject to it too, saying that human error is not a variable for u is a huge mistake
-
Humans tend to make mistakes, that' why humans are the weakest link, and whatever your level is you should worry about errors from your side being leet or a toral noob, human error has the same impact. And that's very true for anonymity, most high profile "hackers" were catched because of human error, like soemone said saying how's the weather were u are is compromising, also your writing type, typos, profile picture all of this help to profile u. This isnwhy most of the "big hacks" interpreters were catched due to this and not due to misconfigured VPN, WiFi Hotspot or proxychains.
So human behaviour is key and always always worth mentioning, and 100% that u are subject to it too, saying that human error is not a variable for u is a huge mistake
You seem to be forgetting the multitudes of people getting away with crimes consistently everyday (not just computer related) that know enough to keep their fucking mouth shut. It's not rocket science. It's as simple as being careful what you put out there.
-
You seem to be forgetting the multitudes of people getting away with crimes consistently everyday (not just computer related) that know enough to keep their fucking mouth shut. It's not rocket science. It's as simple as being careful what you put out there.
I never denied that, all that I am saying is that it's an extremely important aspect, that definitely is worth talking about.
-
You seem to be forgetting the multitudes of people getting away with crimes consistently everyday (not just computer related) that know enough to keep their fucking mouth shut. It's not rocket science. It's as simple as being careful what you put out there.
I think trying to stay anonymous online and the steps to stay anonymous to commit a crime and not get caught would differ alot ..
-
I think trying to stay anonymous online and the steps to stay anonymous to commit a crime and not get caught would differ alot ..
Well said.
It all depends on you basically , make it harder thus it costs more money to fuck with you.
When you are not that important noone is really gonna give a fuck and/or go through all the trouble.
ISP's tap because they are required to by the gov, at least here and I know more countries where this is the case.
As soon as there is a trail between you and the endpoint over which you send/receive data you could be fucked if someone wants to fuck you.
Thats a lotta fuck but it looks about right to me.
-
Your anonymity level is mostly determined by how closely you are being watched(assuming you have made no previous fuck-up). If the govt wants someone in particular they will probably find him no matter how badass he is. Being anonymous also involves keeping your shit low-profile.
-
I never denied that, all that I am saying is that it's an extremely important aspect, that definitely is worth talking about.
I don't disagree. I'm just think this point has been beaten to death and basically goes without saying. Literally almost every single person in this thread has mentioned it. It's important, but that's really the most basic OpSec / NetSec principle out there.
I think trying to stay anonymous online and the steps to stay anonymous to commit a crime and not get caught would differ alot ..
I understand that I'm the new guy here and I see there's obviously a consensus forming, but I actually disagree with you and @proxx. At the end of the day, whether you're breaking the law or just trying to shop on amazon anonymously, you're going to be applying the same principles, using the same techniques, and relying on the same knowledge base of hardware, protocols, and computer science. Granted, Proxx is correct in saying that committing a crime "anonymously" ultimately comes down to not being worth the money that one would have to expenditure to catch you, but that's also true of remaining anonymous in general.
My greater point about crime was not to draw a distinction between remaining anonymous when breaking the law and remaining anonymous for privacy's sake. Rather, my point was that the finger wagging and eye-rolling impression I'm getting from certain individuals that "you're inevitably going to just volunteer personal information about yourself online because you're going to be that careless, and you're stupid to think you wouldn't" is absolute bollocks. This is to say that people engage in major crimes all the time and more often than not actually get away with it (3/5 of all major crimes are unsolved), and it's just as easy as keeping your mouth shut.
So maybe my rep will go down and I understand I'm disagreeing with the group, but I think the point still stands regardless.
[/size]
[/size]
[/size][size=78%]quote author=proxx link=topic=20584.msg108605#msg108605 date=1435768670][/size]
ISP's tap because they are required to by the gov, at least here and I know more countries where this is the case.
As soon as there is a trail between you and the endpoint over which you send/receive data you could be fucked if someone wants to fuck you.
This is mostly true, but I it isn't that simple. The types of records that ISPs hold aren't as thorough as people would like to imagine for several reasons. Mainly, ISPs have no desire to store that much data because it's expensive and requires a lot of equipment. The government and NSA are getting ISPs to hold records and helping them with it, but it isn't like every website and every datagram is unencrypted and printscreened. Also, those records aren't there forever.
The greater point @proxx is making is correct. Basically if you give them reason to watch you, then you can expect that they will do so very closely. However, if you aren't a terrorist, costing some company a ton of money, uploading gigs of illegal content, or hacking government computers, they're not going to waste resources spying on your account and they're really not going to care.
As far as the intelligence community is concerned, Executive Order 12333 is pretty much where all the "We're going to spy on everything you do" mentality comes from.
-
I guess its good to be paranoid and try to protect yourself any way you can.
But to protect yourself 100% would be to live in a bubble. To protect yourself fully online you would have needed to know to do it before you ever got on the internet. when i started using it i was young didnt know shit about watching what i do. I was about 13 when i first got online .
Most people bitch about they have no anonymity online while they post every pic and action they do on social media.
Not only are we watch by the Government but even by retailers. Now even stores track what you buy and what you look at so they can try to push items you might like to buy. Ive read that somehow the stores even follow ur cell signal to see what you stop to look at as your searching through the store .. dafuq ..
So even if you remain 100% anonymous online the things you do offline will probably still be tracked back to your online activity somehow.
* this is just a thought but If you buy a computer to use at home just because you are using 10 ways to not be tracked online, how do you know you arn't being watch from the hardware prebuilt inside that may have some backdoor in it or naughty firmware in your wifi driver ..
just an opinion tho .. im not in the Security Field or know what the fuck im talking about anyways :o [size=78%] [/size]
-
I understand that I'm the new guy here and I see there's obviously a consensus forming, but I actually disagree with you and @proxx. At the end of the day, whether you're breaking the law or just trying to shop on amazon anonymously, you're going to be applying the same principles, using the same techniques, and relying on the same knowledge base of hardware, protocols, and computer science.
You shop online anonymously? How does that work? Seriously.
-
I guess its good to be paranoid and try to protect yourself any way you can.
But to protect yourself 100% would be to live in a bubble. To protect yourself fully online you would have needed to know to do it before you ever got on the internet. when i started using it i was young didnt know shit about watching what i do. I was about 13 when i first got online .
Most people bitch about they have no anonymity online while they post every pic and action they do on social media.
This is really well put. +1 Maintaining a high level of anonymity on the internet is going to be way to cumbersome to be worth it. If you want to be anonymous for literally everything you do online, not just an identity, then you can't even have any computer turned on near where you live or work. The way to go is decide on a level of anonymity that you want to maintain and create an opsec plan on how to maintain it.
For myself I created a whole new identity. For billing I use prepaid cards. It feels like overkill and I've really over done it. One advantage it does confer is prevention of privacy leaks that will inevitably happen. If you distribute something like an app, your privacy can get leaked in the receipt.
Eric S. Raymond says on his page about becoming a hacker that real hackers don't hide online because they want to promote their accomplishments. Being anonymous and publishing all your work is going to limit your career because you can't publish the same tools and exploits under two different names and stay anonymous.
When I was in high school I thought it was one of the stupidest things in the world to use your real name on the internet and I didn't understand at all why any intelligent person would do it. I get it now, but I advise never interacting with other users under your real name. You should go to a pub if you want friends, as a lecturer put it. There's too many lunatics out there and too many people you know are going to be gullible enough to believe anything they say.
Don't use social media because you're just going to spray information about yourself that can be used in harmful ways even if it isn't obvious.
You don't want finger wagging, but it's going to be near impossible for you to have bulletproof anonymity. If you're not a criminal, an online identity with no connection back to you and basic technical measures to hide your identity will be enough.
Previous use of the internet will reduce your anonymity. If you've been using an identity that could be compromised then the only thing you can do is create an entirely new identity that has no connection to any other identity you have used. Your name should not reflect personal interests and you must avoid old behavior patterns.
You shop online anonymously? How does that work? Seriously.
You can't. Yet another reason why remaining 100% anonymous all the time is foolish.
You can for some services, but not completely. 7-11 will have a video of me buying a prepaid card.
-
You cant be anonymous and also be a tax paying citizen.
Having a valid regular use online presence is important.
IE: social media, shopping, banking
Keeping your personal identity separate from your malicious online identity is key.
Illegal activities:
Don't piss where you sleep.
Don't script your activities (keep it random)
Don't use the same WIFI AP
Use a throw away laptop
Use throw away id.
Do not reuse the same id.
Do not sign up for anything.
Do not use passwords that you use for your personal shit.
Do not store information.
Do not email.
Do not talk about fight-club.
-
So this is the first time i post in this forum, im been in this board for a while now and i found this topic interesting. Secrecy became the biggest problem, and for most tweakers hackers curious programmers and whistleblower its becoming harder to hide their identity.
So i've been concerned about anonymity for years now and about how to leave the minimum trace in the internet.
So from my point of view for started you need to plan that adapt depending on the location the type of hardware and software used.What i always do is get 2 spare pci wireless card for the my machine and i take off the original and replace with a new one (i keep the original one for normal use).
Then comes the software part so a live cd is recommended (tails).
A foreign hosted server where we setup the vpn (not from home of course)
Try using public wifi (or crack some) and change location often.Or you can build this box called proxyham i just discovered a day ago and it seems a promising project that really got my interest and here is the link for the article
http://www.wired.com/2015/07/online-anonymity-box-puts-mile-away-ip-address/ (http://www.wired.com/2015/07/online-anonymity-box-puts-mile-away-ip-address/)
Here what i think of for now and if there critics or advices im happy to hear them x)
-
Ill hop on the boat.
The question here is hardly techical in nature since we can simply not know what lies beyond the horizon, security is fundamented on trust.
Since we trust the wrong stuff we are fucked.
Let SSL be an example , it has come forward that SSL auths where forced to give up the key's etc etc.
To truly gain anonymity one will have to make sure that one can trust every single shackle in the chain.
This is simply not possible with untrusted hardware/software and infra.
Fully revised opensource hardware/drivers/software/infra would make for a good start.
Good to note that this is not completely out of reach.
(just a mindfart; a rasp with selfwritten OS/drivers and some self designed proto to use the wireless interface would approach the problem quite well)
Non of this is practical.
In the last year or 2 openSSL has been turned upside down and some serious flaws came forward, large scale code revisions turn up even more, more will show.
This is happening in broad daylight, just imagine what is going on behind the scenes and who could have known etc.
They discovered a couple of 'illegal' taps placed by the NSA among others on seriously large routing points, this is hardly suprising but this and the stuff about SSL being fucked pretty much means you just dumped x years of unencrypted data in the hands of others.
bank details/passwords etc etc etc.
What I am trying to say is that info about you is all over the place and this highly conflicts with being 'anonymous' , to be anonymous you must not have an identity.
Some say you are fucked when you plug the cable , I think you are fucked anyway.
I was talking with someone not to long ago about this(ha he remains anonymous no one knows he is my dad!), and told him much of this...said yeah you can do more....and that it wont matter soon anyway. MASSIVE data centers are going up everywhere(cough google) video records from stores are being stored for longer and longer and longer periods of time. How soon till facial recognition screws you? (assuming you try to go anonymous at say starbucks 3 states away). Because eventually, business like walmart will realize that their is money to be had in that video, some of whcih they are already doing, other things that they WILL do eventually, like identify shoplifters, share that data with other stores..and have them do the same. because money baby! think RIAA..but applied to your local grocery store. The more business share that data, or leave it open to sale(and the gov can just fucking buy it ...) it doesnt matter what the "laws" on reasonable search are, when they are getting it from a 3rd party for a price. The cameras installed are getting better and better, and many of them can read what is on your computer screen. How long till THAT gets searched...and mind you im just barley touching the envelope, of how dead privacy is. So yeah being truly annon? not really possible. But "good enough" well its talked about all over here.
Also, to digress some, but because its important: considering the above, and other things, hiding your MAC IS a good idea. because your mac is very very likely to identify you. Just like an ip range, MAC addresses are identifiable. it will tell them WHO the manufacture is of your piece of gear, they can then go to said vendor and say hey which store did you sell this too? Oh best buy.hey best buy this MAC just blew up Harlem, we dont miss it per say, but we still need to catch him, would you terribly mind checking the purchase date of the machine that matches that MAC, and send us the video too? How long till your name is on the news? Which is why, if your going to do something "bad" enough to go through the trouble of super paranoia id recommend going with a flat out burner PC. Build a psu/converter/battery into a briefcase with monitor and keyboard and the like. slot for a ras pi+ wirless card. and when your done each time torch both components, put in new ones.
One last point: forget big citys-cameras everywhere. what you want is some smaller city with few cameras, but big enough not to notice that new car driving through, and find open wifi somewhere and do it that way. But still travel hours, use a pringles can to connect from several blocks away, bla bla bla--still probably gonna get caught if its really really bad.
-
I'm sure there are a handful of services like this on the web, but i just found this one and it reminded me of this thread. http://ip-check.info
Try it with no proxy / tor and all your settings in "non-paranoid" configuration.. enable javascript etc (not flash though, don't even install that garbage) then try it using tor browser with noscript enabled etc in a live os etc...
Interesting just to see the possibilities and dangers of browser leaked data.
-
I'm sure there are a handful of services like this on the web, but i just found this one and it reminded me of this thread. http://ip-check.info (http://ip-check.info)
Try it with no proxy / tor and all your settings in "non-paranoid" configuration.. enable javascript etc (not flash though, don't even install that garbage) then try it using tor browser with noscript enabled etc in a live os etc...
Interesting just to see the possibilities and dangers of browser leaked data.
nice.. very cool site, im messing with it and using different settings right now, checking the results.. very interesting.. thanks