Wednesday, February 1, 2017

Beginner's Guide - Anonymity and Privacy (Part 1)

Given the current political climate, I feel like it's a good time to share some important information on privacy and anonymity.  Many parts of the world don't have net neutrality, and more corporations and governments are pushing for a more regulated and censored internet. This high-level beginner's guide covers a broad set of technologies and is only cursory, but it should be a good starting point for those looking to protect their privacy and anonymity.  There is a trade-off between convenience and anonymity: you give up some of one to get more of the other. I'll cover three levels of anonymity, organized by who you wish to remain anonymous from:
  1. Internet Service Providers (ISP)
  2. Corporations & Individuals
  3. Governments
Before I dive into some of the real tools hackers use, however, I'm obliged to state the obvious.

Disclaimer: All information in this post is for academic/informational purposes only.  There is no such thing as true anonymity online, only layers of obfuscation. I do not condone any illegal activities online, and utilizing these tools will not prevent you from being caught.  The dark web is already under surveillance by various private and governmental entities and most activities are closely monitored.  Do not try to do any of the following activities on the dark web (or online in general): buy/sell illegal drugs, weapons, explosives, porn, assassinations, etc.  At best, you'll be scammed; at worst, you will get caught and go to jail. Also, do not harass, spam, dox, or cyber bully.  Just because you can be anonymous doesn't mean you can't be caught, so don't be a jerk. Lastly, I'm not responsible for anything that happens to you or your systems as a result of using these tools.

With that out of the way, let's talk about what you should use some of these tools for: getting around censorship, whistleblowing, communicating with political activists, and expressing yourself freely in public forums without the fear of being targeted. Really, freedom of expression is my key reason for writing this. An ideal use of anonymity tools would be for someone who works for a government or corporation and wishes to be politically active but isn't able to because of fear of retaliation from their employer or government.  I'll include some more use cases as I break down the different levels of anonymity.

Internet Service Providers (ISP)

Be it your home cable/DSL or your cellular provider, your ISP can see all of the network traffic you send and receive from the web.  This gives them a lot of power: they can watch what you do, censor you, block parts of the web from you, and so on.  Even when a site uses HTTPS, your ISP still sees which hosts you connect to (through your DNS lookups and the server name in the TLS handshake), even if it can't read the page contents.  Do you watch porn online?  Your ISP knows every kind of fetish you have.


Fortunately, it's relatively easy to block your ISP from seeing your internet traffic by using a VPN (Virtual Private Network) provider.  These paid services are usually only a few bucks a month and encrypt your internet traffic between your device and the provider, so your ISP sees only an encrypted tunnel to the VPN endpoint rather than what you are doing online.

Using a VPN isn't considered "deep web" since it's just encrypting standard web traffic over a single connection.  Of course, the VPN provider can see your decrypted traffic, so really you are shifting trust from your ISP to the VPN provider.  VPNs also have a light to moderate impact on broadband performance, as the encryption overhead and the extra relay point add latency and can reduce throughput. Generally it's not noticeable for web surfing, but video streaming and gaming are sometimes impacted.

VPNs can be configured in two ways: on your device (PC/tablet/phone/etc.) or on your router, which gives all of your devices access to the VPN.  Setting up the latter takes some extra know-how; the same goes for phones and tablets. If you are going to configure your router, it's best to add rules so that games and video streaming providers bypass the VPN service. For PCs, the VPN providers make dedicated software that makes setup a breeze. Each provider has different configurations, pricing, throughput, features, etc. Some VPN providers strive to protect your privacy, while others keep detailed logs or cooperate with intelligence agencies and give the government even more direct insight into your personal life!

Here are a few VPN reviews. I know that Private Internet Access works directly with the NSA, so they are pretty much a no-go. StrongVPN has really great service, but again, they are a US-based company and are likely being tapped by the NSA as well. When evaluating a provider, look at its logging policy and jurisdiction, and once connected, verify that your DNS queries also go through the tunnel: a VPN that leaves DNS resolution on your ISP's servers still tells the ISP every hostname you visit. Another note regarding VPNs: they are great at circumventing corporate and even national censorship firewalls. For example, there are providers who specialize in getting around the Great Firewall of China.  I recommend using a VPN if you do not trust your ISP or need to circumvent censorship.

Corporations & Individuals

Most individuals who target others online to do reconnaissance (aka online stalking) get their intel from public records and data-aggregation sites like Spokeo.  It's nearly impossible to hide your public records, especially if you are a homeowner.  Here's a pretty decent article on how to limit your online public record exposure.  You can also limit your exposure to malicious individuals by locking down your social media profiles.

Search Engines

Perhaps the biggest culprit in tracking and logging your internet activities is your search engine. Most of the world uses Google, followed by Yahoo and Bing (Microsoft).  Aside from these companies being compelled to work with the NSA, they also keep logs of your activities and profile you in order to display more relevant ads and sell your information to third-party companies.  If you wish to keep your search terms private, you need to switch to a privacy-focused search engine provider like DuckDuckGo.


Hiding your identity from corporations is difficult because most websites use cookies to tag your browser and track you.  Search engines, social networks, online shopping, even just viewing an information page like this one sets a cookie.  In addition to cookies, simply loading an ad or an external resource (an embedded video, image, tracking pixel, etc.) hands your IP address, browser information, and the address of the page you are on to the third-party site that serves it, which can then track you across every site that embeds its content.

If you'd like to stop this, you can do several things to block the loading of external ads and the acceptance of cookies.  Disabling cookies is one of them; most browsers support this, and since blocking all cookies breaks logins, most also let you block only third-party cookies, which is where the cross-site tracking happens.  Using Adblock Plus is highly recommended, and Privacy Badger, which blocks many forms of tracking, is a must-have.


Even if all these measures are taken, without a VPN your source IP address is still presented to every site you surf and every service you use, and it can be tracked and even geolocated.  You could use a public proxy service (free or paid) to mask your IP, but then the proxy operator can see all of your traffic just as a VPN provider can, and it's worse: a proxy sits in the path as a man-in-the-middle, and a hostile one can also intercept your TLS ("SSL") connections, which your browser will only accept silently if you have installed the proxy's CA certificate or click through the certificate warning.  For that reason I discourage the use of public proxies and only use my own Privoxy and Squid proxy servers.  The advantage of running your own servers locally is that you can limit tracking and ads for your whole network. There are also routers you can buy that have such services built in, like AdTrap.  To be clear, though, a private proxy on your own network will not mask your IP address from the sites you visit.


Another major privacy hole built into virtually all browsers is JavaScript (JS).  This is code the page runs inside your browser, and it can read details such as your screen size, time zone, installed plug-ins and fonts, and graphics hardware, which combine into a fingerprint that identifies you even with cookies disabled.  Unfortunately, many pages require JS to load correctly, so disabling it breaks many pages.  That's why I like to use a browser plug-in that has a quick on/off switch and allows temporary access for a single page that I trust.

Deep Web & Tor

If you are trying to hide your IP address without using a VPN provider (which is still very traceable), you need to connect through an anonymity network. Tor is the most common and widely used. Installing the Tor Browser and connecting to the network noticeably slows down web surfing, but your traffic is relayed through a circuit of three relays (six when you visit an onion service, three on each side), usually in different countries, with a separate layer of encryption for each hop.  This hides your IP from any site you wish to visit, but to be clear, with sufficient resources it is still possible to trace traffic back to you, and the exit relay sees whatever you send in the clear unless the site uses HTTPS.  This is why it's generally accepted that Tor alone is not robust enough to prevent a government from tracing and intercepting your "anonymized" surfing to standard websites.  It is generally good enough to stop most corporations and individuals from identifying you, assuming you don't give yourself away through your actions.


Of course I must now talk about deanonymization, which can happen in many ways if you don't follow strict rules when surfing anonymously.  You lose your anonymity the moment you log into any of your known public accounts, like Facebook, webmail, Twitter, Google, YouTube, Apple, etc.  Any time you even enter a username that is tied to a public account, you risk exposing your identity.  For this reason, once you are on Tor, you should always create new accounts and only log into those accounts while connected to Tor.

Those account names should never share handles or usernames with your other public accounts. You should never use your real email address. If a service requires an email address, you can first buy prepaid credit cards (with cash, in person) or use bitcoin, then buy an anonymous email address from a privacy-focused provider like Lavabit, and use that address to register the social network accounts for your new masked identity. If you need a phone number to receive SMS (text messages), you can also use prepaid cards to purchase an online-accessible number.  There are many free, no-signup-required providers you can use as well, but most of them carry tracking cookies and malware-laden ads, so be careful.

Perhaps most importantly, never give away your real name, phone number, address, age, family, friends, hobbies, schools attended, places of work, places visited, or even what you drive.  Any identifying detail can be used to narrow the search down to you.  Imagine every post you make on any forum, chat room, or social network is being looked at by a team of investigators trying to figure out who you are.  If you leave no clues, you can assume a relatively high level of anonymity.


Even when using the Tor Browser with JS disabled and being smart about what information you share, it's still possible to be tracked. Your operating system (OS) and computer hardware can give you away and make your system easily traceable. Ultimately, if you are paranoid, the real answer is to change operating systems.  Not permanently, but by using a live OS booted from a USB stick or DVD, which any computer can load temporarily without touching your existing OS and files. The gold standard of anonymous operating systems is Tails. This custom-tuned, Linux-based OS leaves no traces on the machine once it's rebooted and makes the PC far harder to track.  It ships with the Tor Browser and a ton of security features built in and enabled by default. Here's a quick video of how to install Tails correctly.  Note that it requires two USB sticks of at least 4 GB each.

If you run Tails, connect to Tor, and follow the rules for protecting your anonymity, you can remain undiscoverable to most of the world, minus governments (and potentially very large mega corporations).  There are a few more gotchas regarding Tails usage.

Governments

For the Edward Snowdens and other whistleblowers of the world, even sticking to the deep web isn't enough. Communicating over the dark web is the ultimate way to remain anonymous.  The dark web isn't like the normal web: you can't reach normal sites from it.  Tor is only partly dark web, since you can still surf normal (surface web) sites through it; technically it's a hybrid.  The Tor protocol and network have been shown to be attackable by entities with enough resources, including nation states and mega corporations.  Therefore the most paranoid use a protocol/network that is purely dark web.


I2P takes a different approach from Tor: rather than routing you out to the surface web, it is built primarily for services hosted inside the network itself, and that design gives it clear advantages for hidden services.  It takes time to integrate into the network, though, so it really works better as a persistently connected, dedicated system.  It used to be enabled in Tails, but recent builds leave it off by default, frankly because most Tails users don't need it; you can still turn it on from the boot menu.

Hidden dark web sites on both Tor and I2P are likely monitored and indexed by private security research firms and governments, so really, end-to-end encrypted direct messaging and encrypted email are your only two ways of communicating with real confidentiality.  Forums, IRC, and various chat rooms are also often logged and monitored, so unless you trust a particular forum or IRC server (like one you run yourself), assume someone is able to read everything you type.


There are three major anonymous networks; we already covered Tor and I2P, and the last is Freenet.  It's the oldest and has its own advantages: it stores published content in a distributed datastore across participating nodes, so it's best used to combat censorship when publishing information that could be fatal to the author if they were identified.

For these reasons, I do not recommend that novices run either I2P or Freenet until they are experienced with Tor and know what they are doing; browsing them is not for the faint of heart.  Despite the high level of monitoring, terrorist organizations and hacktivist groups also use these more advanced anonymous networks, and it's obviously better not to get mixed up with either.


Once you've figured out your needs for anonymity and privacy, based on the kind of activities you wish to hide and from whom, selecting adequate technologies should hopefully be easier now that you've had this crash course. It comes down to giving up convenience for privacy and anonymity. My opinion as of 2/1/2017 is that using anonymous networks for political activism in the US might be a bit of overkill, but it may be advantageous in certain scenarios and offers added peace of mind.

In part 2 I will cover more in-depth scenarios, especially around secure communication, physical security, asset protection, wireless networks, political activism, and using non-PC devices like tablets and phones.
