Online Anonymity

Talk anything about anonymity
Simon
Posts: 213
Joined: Sun Jun 20, 2021 10:05 am

Online Anonymity

Postby Simon » Tue Mar 08, 2022 6:30 pm

:: Tutorial Online Anonymity ::
STARK MARCH 07, 2022


This is a write up on internet anonymity. Hopefully you guys find it useful. I see many misconceptions around the internet.



---------------
I. Introduction
---------------
When discussing "computer security" anonymity is often avoided or
simply forgotten. I believe the reason is because we always begin
the thought of "computer security" assuming that we are a target.

The benefits of investing in computer security also only arise when
we are actually targeted. My strict firewall is pretty pointless
if nothing out of the ordinary ever happens.

Really, we always begin with the fundamental assumption -
"They have my IP Address. Now what?"

This is a perfectly valid starting point if you are already known.
For example, Google has every right to begin with this assumption.

However for you and me, this isn't necessarily true.


The only 'real' security
-------------------------
Government. Let's just say it. The government is the biggest/best
hacker of us all. Why? How?

I'm not going to ramble on about some mythical uber technology they
may or may not have. The truth of it is quite simple:

If the government wants your computer, all they have to do is
bust down your door and take it. If you try to stop them they just
subdue you, either by force or by some other means. If you try to
protest on some form of legal ground, they throw a warrant in your
face and laugh.

It doesn't matter what kind of network security you have or physical
security you have. They'll rip out your hard drive and mount the partitions
to access your files without ever booting your computer.

Government here is just the most obvious form. Really, anybody with a gun
can do the same thing. Government is just the only ones who do this quite
often.

So what do you do against this? My firewall doesn't mean jack shit here.
My local system permissions are worthless. My user account is pointless.
Deleted files can be recovered. Encrypted files are a little better but
all they need to do is lay in some legal pressure to get the password.
They do, after all, have a warrant. God forbid it's really bad and
they drug you with some kind of truth agent. OK so that's unlikely, but
possible.

God forbid you have anything incriminating in your deleted files - or
swap memory - or your file system is a journaling file system that you
can easily see the history of or "rewind" - or you have restore states
on your OS. Etc...

The only 'real' hope of keeping your ass out of this kind of situation is
never get into it in the first place.

In enters anonymity. The only 'real' security that you have.


Seriously?
------------------
Yea OK, so getting raided by FBI or worse is unlikely for most of us. We're
not exactly international terrorists (or are we?).

That's not the point. We have a right to privacy. Maybe I don't want my
ISP keeping a full history of my traffic. Maybe I don't want the good
people of Website ‘X’ to know where I'm from and be able to google maps
my IP address to find the exact address of my house.

Perhaps I'm a well known member of the republican party and I want to
make a donation to a democrat candidate that I believe is a good man?

Who knows? Who cares? The point is, I have every right NOT to tell
someone my name, let alone my hobbies, interests, address, and credit
card information.




-----------------------
II. How to be Anonymous
-----------------------
Anonymity is getting harder and harder. The more gifted people we have
developing methods to track and trace end users, the more difficult it
is to stay off the radar. I've been doing research for the last few months,
truly trying to stay anonymous online. I've found that it takes a lot
more than just using the right tools.


The Mindset
-----------
We're all used to thinking about how we can be un-hackable. It's much like
securing a prison. We put up as many walls and alarms as we can. We have
a guard constantly patrolling for "infestations". We have penetration testing
trying to break through the walls. Etc..

Computer Security really is Isolation - trying to be as isolated as possible.
Then we control who comes in and who goes out.

Anonymity is NOT isolation. Stop thinking about it the same way you normally
think about computer security.

Anonymity is different. You want to be normal. You want to be common. You
want to look no different than everybody else. Essentially, you want to be a
brainwashed drone in boot camp - just like everyone else.

But let's be realistic. 9 times out of 10 if you're going out of your way
to be anonymous, you usually have a good reason, and that reason alone
causes you to not be like everyone else. So, you need to hide.


Marijuana Example
-----------------
Take smuggling marijuana for example. You want to make the marijuana
as anonymous as possible. So, before you take a drive, mow your yard and
mix all the grass clippings in with the marijuana. I'm talking a 'lot'
of grass. Then get a bucket full of garlic cloves and smash it all up.
When thoroughly ground up - season and stir your grass/marijuana together
until you have the weirdest smelling trunk in the world.

At that point, finding the marijuana in your trunk is going to be literally
like finding a needle in a haystack. Of course.. this is going to be true
for you as well as any authorities. ;-)




Rules when Hiding
-----------------
1. Don't trust your software.

When surfing online using a web browser you usually have JavaScript turned
on by default. Client side scripts can be written to reveal your true
identity. Ever heard of Ajax? Same with Java, Flash, etc. All this is
on by default. Some browsers don't let you turn them off.

2. Don't identify yourself

Duh right? This also goes for nicknames. I use the name xxxx here. If I then go and hack a website and write "xxxx was here" all over the website, clearly that can be traced back to ME - which could potentially trace back to my real self a lot easier than the traces
left over on the victim server.

3. Spoof what you can when you can

Spoof your user agent

Take this idea and run with it. The following sections will discuss
"spoofing your IP Address". I'll leave the rest up to you.


4. Clean up after yourself.

Your local operating system caches a lot more than we think. I've been at
this for probably 20 years now and I’m STILL learning about new caching
mechanisms inside of Windows. If you're doing something extremely sensitive
then I wouldn't even bother with Windows. That's just my personal preference.

I'm not saying Windows isn't secure, but I am certainly saying it isn't
anonymous - and I'm not just talking about clearing your browser cache. It'd
be a 400 page book to describe everything that damn OS does. Doesn't help
they change their methods every new release.

Side note: I don't believe the developers of the OS do this
intentionally. In software, verbosity is a side effect of complexity and
Windows is just damn complex.

You see, software doesn't intentionally try to trap you. It's just what
accidentally happens. That's the real reason it's so damn hard to stay
anonymous.

--------------------------------
III. Tools for staying anonymous
--------------------------------

When it comes to anonymity online (and you're following the rules
by not entering any personal information about yourself anywhere) then
the next biggest obstacle is your IP address.

Fortunately, there are ways to "hide" your IP address.


Proxy Server
-------------
I'm assuming by now everybody's heard of a proxy server. A proxy server
is basically something you act through. It is the most basic tool when it comes
to anonymity.

For instance, I want to deliver a message to Santa Claus. I give my message to
Mr. X and Mr. X relays that message to Santa Claus.

Likewise, I want to connect to an IRC server but still hide myself. I can use
an IRC 'proxy'.

Me => Proxy => IRC Server.

The trick with proxies is that they don't tell the destination who the source is.
For instance, Mr. X doesn't tell Santa Claus who I am.

There are many proxies for various types of applications:

IRC : http://gotbnc.com/
HTTP: http://www.stayinvisible.com/web_proxy_list.html
FTP : http://www.ftpproxy.org/
Etc...


Web Proxy Failure
-----------------
There is a problem with several web proxies due to the "crappiness" of
HTTP 1.1.

When you type in www.example.com in your browser what happens is:
1. Your browser requests to fetch HTML from the path given.
   HTTP GET www.example.com/index.html
2. The browser then receives the HTML from the web server and begins
   to render this HTML.
3. When the browser encounters an image in the webpage, it'll make
   A SEPARATE HTTP REQUEST for that image. The same with style sheets,
   javascripts, etc. Any extra file.

You see, when your browser receives the HTML from www.example.com the
connection is closed. That's the end of the transaction. Several web
proxies (BUT NOT ALL) stop there. They let YOUR machine request
any images, style sheets, etc.. This breaks the anonymity.

The correct implementation would be for the web proxy to rewrite the
image urls in the HTML so that YOUR MACHINE would request the image from
the proxy server which would then request the image.

These types of failures exist in other application proxies, not just web.
It's important to look closer at the proxy you're using and test them out first.

Alternatively, you can use a Socks Proxy which avoids this problem entirely.


Socks Proxy Server
------------------
The above list was several proxies for different applications. This means the
proxy was set up specifically for the applications.

From a technical standpoint:

Me ------------> Relay ------------> Destination Server
      Protocol           Protocol

The actual relaying that is done utilizes a SPECIFIC protocol. The above
lists are lists of proxies that operate this way.

A Socks Proxy is a multi-application proxy server. It can technically
work with any service. This is because it operates at a lower network
layer.

Standard proxies (like those in the above list) operate at the
application layer of the OSI Model (http://en.wikipedia.org/wiki/OSI_model).
This makes them application specific.

Socks proxies operate at Layer 4 or arguably 5. In the TCP/IP model,
they operate at the TCP layer. This means that it simply relays whatever
communication comes in. It doesn't care about the type of communication.

The good thing about Socks proxies is that they're not susceptible to the
type of problems found in application proxies such as the issue described
above with web proxies.

A Socks Proxy operates in app transactions. Instead of protocol-specific
transactions like the web problem described above, a socks proxy will
be used by the application until you either close the application or tell
it to stop using the socks proxy.

This is the safer bet of the 2.


Dangers of Proxy Administration
--------------------------------
A proxy server is a dangerous thing to own and administer. Just think about it.
Do you really want someone to be able to control your machine? What could
they do with it?

What if they're using my proxy server to start a big f'kin fight on IRC.
The result of such an act could get my machine attacked. Alternatively, the
person could use my proxy to do something illegal. I could get a knock on
my door by the FBI for something that I didn't even do.

For these exact reasons, proxy servers keep logs of who uses them and who does
what with them. In some places it's legally required that they keep logs.

A proxy server logging things defeats the whole point of using them in
the first place. Where's the anonymity in that?

You may be thinking that the solution is to chain many proxies together.

For example:
Me -> Proxy 1 -> Proxy 2 -> Proxy 3 -> ... -> Destination.

This, aside from it being incredibly slow, doesn't solve the problem. The
problem isn't that 1 proxy is logging things. It's that they all
are. You can follow the chain backwards and still arrive at the source.

"Yea but who would do that"
- The government if they want you bad enough. :)

Relying on the laziness of people is not anonymity. So what's the solution then?


Zombies
-------
Well if all official proxy servers log (or potentially log) then we
can just use an unofficial proxy server right? :)

The idea here is to 'root'/'own'/'hack'/'some other buzzword' someone's
computer and then install proxy software on that.

Simple enough really and it seems like a safe idea, though illegal. There
are a few potential problems with this.

1. The zombie machine could disappear at any given time.
This is not that big of a deal really.

2. Zombie machine could be logging things. Again, Windows is nasty when
it comes to that. Make sure to take care of that ahead of time.

3. ISP - if that ISP is like mine, then they have extremely annoying
logging policies that could potentially lead back. Not likely but
is a possibility.

Overall a zombie isn't that bad of an idea if they have the bandwidth for
it and it can be stable.


Onion Routing
-------------
Onion routing is considered by some to be the final solution to anonymity.
I only agree to an extent. It is, essentially, a super socks proxy.

Onion routing works as follows:

Me ~> Entry Node ~> Onion Router ~> Onion Router ~> ... ~> Exit Node -> Destination

My machine sets up a unique encrypted channel to an entry node.
The entry node sets up a unique encrypted channel to another node.
That node sets up an encrypted channel to another node.
...etc...
The last node (the exit node) sets up an unencrypted channel to
the destination.

At each router hop, a layer of encryption is performed on top
of the previous layer. This layer of encryption hides the previous hop
to the router next in the path.

For example:
NodeA ~> NodeB ~> NodeC

The encryption done at node B hides node A from node C. So, node C has
no idea about node A.

Essentially, each node in the path ONLY knows about the next node and the
previous node. This is why it's called "Onion" routing, because each hop
adds a layer of encryption. The result is what appears to be an "onion".

The entire path from source to destination is hidden. The destination server
only knows the exit point. The source user/server only knows about the
entry point. Each node in between only knows about its neighbors.

I want to point out, the initial connection between my machine and the entry
point is an encrypted channel. The ISP between my machine and the entry node
has no way of knowing what I'm doing or where I'm going. In the same way, only
the entry node knows who I am - but not where I'm going.

The exit node is a standard unencrypted connection. It acts like the proxy
server in this case but it has no idea who made the original request.

This technology hides a person extremely well and also is not illegal. It's
also free. I for one am a huge fan of using onion routing. So are the folks
in China as it allows them to get around the 'great firewall'.

There are some downsides to this:

1. Your connection is traveling across the world several times being
encrypted at each step. Your bandwidth takes a HUGE hit. I have
faster than T1 speeds and it reduces me to DSL times. Though this isn't
that bad for me, but if you're on 56k, it's a major hit.

2. It's breakable by an attacker with a LARGE amount of resources. Onion
routing, by design, can withstand several "bad nodes". Remember, each node
only knows about its neighbors. So if there is a compromised node in
the network it has limited effect. A party with a large amount of resources
could potentially flood the network with bad nodes. Again, they would
have to have a LOT of resources.

Side Note: In experimentation with onion routing, I've stumbled onto several
nodes in an actual onion routing network that are government hosted. These
nodes are actually set up in such a way that they are usually chosen "first"
as entry nodes by onion routing clients. I don't know exactly what they're
doing there, but it is clear to me that the gov't is watching. Message me
if you have any questions on these findings. I won't get into too much
detail here.

3. DNS. DNS requests are still sometimes made by applications outside of
any proxies. This is basically just application flaws. Again, don't trust
the software you use. Fortunately, the onion routing client implementations
have taken this into account and have built in mechanisms to handle this.
Still - be aware that you could have DNS leaks.

4. Timing attacks. If I'm an entry node and I'm a honeypot server, I could
potentially tell, simply based off the time a connection was requested
and the time it was established, which user was connecting to the honey pot.
This could be resolved by client implementations that utilize throttling or
even node relay implementations.

Overall - onion routing is a pretty nifty thing. There is currently an
onion network available to use. It is called TOR.
http://www.torproject.org/

Tor is a wonderful technology that is, unfortunately, abused quite often.
It's a spammer's paradise as well as a haven for pedophiles. If the scum
of the earth can survive on it, I suppose then that it is safe for more
noble uses.

What you do is your responsibility.


----------------------------
IV. Staying Invisible on P2P
----------------------------
A friend of mine IRL recently got disconnected by his ISP for a
bullshit DMCA violation. He was apparently caught downloading a CSI
episode. Funny thing was he didn't watch CSI.

He runs your typical Bit Torrent client on a Windows platform. He
also uses Peer Guardian. http://peerguardian.sourceforge.net/

Disclaimer: So yea, he was doing something illegal. But what if you
don't want to do something illegal and you still don't want people watching
you. Right? ;-)

Zombies are unreliable and can be difficult to obtain.
Onion routing takes a significant hit on your bandwidth making it unsuitable
for p2p. What then?


Freenet
-------
On May 7th, 2009, Google donated $18,000 USD to the Freenet project.
http://freenetproject.org/

Freenet is one potential solution to the p2p problem of our age. I'm going
to forgo the entire searching algorithm and just tell you how it keeps
things anonymous.

When you connect to freenet, you become a node. A large (10 gig for example)
ENCRYPTED virtual partition gets set up on your hard drive. This is where files
get stored - not the files you download or you upload, just files in general
that travel the Freenet network.

Freenet basically operates as one GIGANTIC Distributed Cache. Files are spread
out throughout the entire network. No user actually knows what files he/she
stores. Even if they wanted to find out, they can't because the files are
encrypted and the names are hashed. To be really honest, 1 user doesn't
even store the entire file, just pieces of it.

When you search for a keyword, it is hashed and through some pretty cool
algorithms, a file is quickly "located" and you begin downloading. All
encrypted of course.

This allows for no single person being responsible for file distribution.
At the same time, nobody knows what you're searching for. And though they're
connected to you downloading "it" the machine doing the transferring to the
downloader has no idea what's being uploaded. Basically, the only person
who knows what's going on is the downloader doing the downloading.

Of course the problem here is that you're still downloading something from
someone else. If an attacker has a large amount of resources ;) they could
potentially flood the network with known files of a certain type and track
who downloads it.

There has come a recent solution to this. Freenet can operate now using a
darknet. A darknet being a small network of people he knows and trusts. For
example, Altenen could form its own darknet and basically have its own
small freenet network. Eventually this could grow as members trust outwardly.

Freenet (along with all these other anonymous p2p networks I'm going to be
talking about) is currently a fairly small network. It's therefore slow
and kind of a pain. If the Bit Torrent crowd ever caught on, this could grow
to extreme heights and become quite powerful.

It's good to note that Freenet does not really provide anonymity but
rather resistance to being held responsible for contribution. This could
be the underlying flaw of the whole system.

GNUnet
------
http://gnunet.org/

GNUnet is a fairly 'new' anonymous file sharing network. Unlike Freenet which
provides legal deniability for file distribution, GNUnet provides actual anonymity
for the distributors.

GNUnet's fundamental principle is described in 2 sentences on the homepage:

"Anonymity is provided by making messages originating from a peer indistinguishable
from messages that the peer is routing. All peers act as routers and use
link-encrypted connections with stable bandwidth utilization to communicate with
each other."

I love the simplicity. The request to downloader and response distribution
is indistinguishable from routed requests. For example:

A -> B -> C -> D

A requests CSI episode. B forwards the request to C. C has no way of telling
whether the request was made by A or by B. It's just that simple.

An advantage of GNUnet over Freenet is that you don't have to commit 10+ gigs of
hard drive space to a distributed cache... and there's a guarantee of anonymity outside
of a darknet.

Again, an attacker with a large amount of resources could both be B and C and
therefore notice who is doing the original request. This would require a VAST amount
of resources in comparison to the number of GNUnet contributors.

I2P
----
http://www.i2p2.de/

I2P is a fascinating concept. It is not limited strictly to p2p communication
but can work with any application. The only requirement is that both ends of
the line utilize I2P. This makes it an appropriate fit with p2p, but can also work
with IRC if the IRC client and server both have I2P.

I2P is like a new encrypted IP layer on top of an encrypted routing layer.
Client and server both have unique cryptographic addresses. Individual "router"
hops also have unique cryptographic identities. The 'routers' communicate using
basic TCP/IP communication. The client and server communicate through these
virtual I2P 'routers'.

It's very similar to taking the TCP/IP stack, building encryption into it,
and putting it back on top of the existing TCP/IP stack. It's confusing at
first but really cool when you get it.

A -> B

Due to the cryptographic identities, A doesn't know who B is and B doesn't know
who A is. And due to the encrypted channel between them, nobody knows what
they're saying to each other.

I2P is actually designed to work in a hostile environment and was built to resist
attackers with a large amount of resources. :)

I didn't intend to leave out VPNs but I believe most people understand them.
You are being logged MOST of the time. You do not know who you can trust.
The best way to determine if you can trust a company is to look at a company
that has been in business for a while and check to see if they have ever had
data subpoenaed to court and went through with it. A couple "supposedly"
secure and non-logging VPNs were involved in releasing user data resulting
in an arrest recently. I would have to find the names of these companies, they
weren't huge like NordVPN or other reputable providers. Here are a few articles
if you want to read about VPNs.
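
The "Web Proxy Failure" section of the post above says to test a web proxy before relying on it. The check below is an added example, not part of the original post: it parses a page as returned by the proxy and lists subresource URLs the browser would fetch directly. The proxy host proxy.example, its /fetch?u= URL scheme and the sample page are constructed; only tag attributes are covered, not CSS url() or srcset.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser issue its own request for a subresource.
# Conservative: every <link href> is treated as fetchable.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",), "audio": ("src",),
    "video": ("src", "poster"), "source": ("src",),
}


class SubresourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every subresource reference in a page."""

    def __init__(self):
        super().__init__()
        self.found = []
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # The first <base href> changes how relative URLs resolve.
        if tag == "base" and attrs.get("href") and self.base_href is None:
            self.base_href = attrs["href"]
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.found.append((tag, attrs[name]))


def find_leaks(html, proxied_page_url):
    """Return (tag, absolute_url) for subresources fetched from a host other
    than the proxy, i.e. requests that would carry the user's own IP address."""
    proxy_host = urlsplit(proxied_page_url).hostname
    collector = SubresourceCollector()
    collector.feed(html)
    base = proxied_page_url
    if collector.base_href:
        base = urljoin(proxied_page_url, collector.base_href)
    leaks = []
    for tag, raw in collector.found:
        absolute = urljoin(base, raw.strip())
        parts = urlsplit(absolute)
        # data: and other inline schemes cause no network request.
        if parts.scheme in ("http", "https") and parts.hostname != proxy_host:
            leaks.append((tag, absolute))
    return leaks


# Constructed sample: a page as returned by a hypothetical proxy at proxy.example.
PROXIED_PAGE = "https://proxy.example/fetch?u=http%3A%2F%2Fwww.example.com%2F"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://proxy.example/fetch?u=http%3A%2F%2Fwww.example.com%2Fstyle.css">
<script src="//static.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="/fetch?u=http%3A%2F%2Fwww.example.com%2Fbanner.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_leaks(SAMPLE_HTML, PROXIED_PAGE):
        print(f"LEAK <{tag}> fetched directly from {url}")
```

In the sample, the rewritten stylesheet and the relative image stay on the proxy, while the protocol-relative script and the absolute image are reported.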

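
A toy model of the layering described under "Onion Routing" in the post above, added here as an example; it is not part of the original post and not code from any onion-routing project. It assumes the client builds every layer and each relay strips one; the cipher is a stand-in built from HMAC-SHA256, and the node names, keys and destination are constructed.

```python
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only,
    # unauthenticated, and not what any real onion network uses.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def build_onion(path, keys, destination, message):
    """Client side: wrap the message once per node, innermost layer for the exit."""
    next_hop, payload = destination, message
    for node in reversed(path):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload = seal(keys[node], layer)
        next_hop = node
    return payload


def peel(node, keys, blob):
    """Relay side: remove one layer with this node's key; learn only the next hop."""
    layer = json.loads(unseal(keys[node], blob))
    return layer["next"], bytes.fromhex(layer["data"])


def route(path, keys, destination, message):
    """Carry the onion along the path; record (previous, next) as seen by each node."""
    blob = build_onion(path, keys, destination, message)
    seen, previous, current = {}, "client", path[0]
    while current != destination:
        next_hop, blob = peel(current, keys, blob)
        seen[current] = (previous, next_hop)
        previous, current = current, next_hop
    return seen, blob


# Constructed sample: hypothetical node names, random per-node keys.
PATH = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}
DEST = "www.example.com:80"
MESSAGE = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    seen, delivered = route(PATH, KEYS, DEST, MESSAGE)
    for node, (prev, nxt) in seen.items():
        print(f"{node:6} sees previous={prev:6} next={nxt}")
    print("exit delivers:", delivered)
```

Only the exit node's entry names the destination, and only the entry node's names the client; the middle node sees neither.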
energy sistem
Posts: 10
Joined: Sat Sep 03, 2022 10:31 am

Re: Online Anonymity

Postby energy sistem » Sun Sep 04, 2022 10:53 am

thank you good information

marie
Posts: 5
Joined: Thu Nov 03, 2022 11:37 am

Re: Online Anonymity

Postby marie » Fri Nov 04, 2022 5:19 pm

Good information, Thanks

