How to be Anonymous Online – A Quick Step-By-Step Manual
August 2015 Update
By A M Eydie
Copyright © A M Eydie
All Rights Reserved
2015
Table of Contents
WARNING, DISCLAIMER OR WHATEVER...
Section: Safe Updates and PGP Program Authentication
Section: PGP/GPG – Everything you want to know
Section: Email, Chatting, Messaging
Section: Writeprints – They will identify those other anonymous netizens... but not you
Section: Bitcoin is NOT Anonymous
The Great Flaw – You are not Stealth, You are Secure
BONUS – Creating a bootable microSD card that doubles as your phone's microSD card
The following works are cited in these instructions:
I know these instructions will be purchased by anonymity seekers of many levels. Here is where I am coming from in writing this guide and what you stand to gain.
First, this guide is $4.99. There is something worth $4.99 in this for 95% of you. For beginners, you will be totally anonymous online in two hours (and that is giving you time for a cigarette break). For post-beginners, you will discover some little, yet important, detail(s), like a wrong setting in Tor, that will blow your cover if uncorrected. After all, Tor and Tails DO NOT come preconfigured for total anonymity (f.y.i., there is more to this guide than Tor). Remember, if you have one, single, tiny, little hole in your system, you are NOT anonymous. If you are a know-it-all anonymity expert hacker computer science grad student, you do not need this guide, so feel free to move on. Again, this guide is only $4.99. You probably earn that in 15 minutes at work. Amazon will even give you a refund if you think this whole thing is a total waste.
Second, it is easy to be anonymous once you know how, but it is a pain in the ass when you don't. For $4.99, I will take the pain out of your ass. In the last ten years many anonymity "game changers," like Tor, Tails and Bitcoin, have come about… However, they have flaws. Tor and Tails need some modifications to be secure. Bitcoin is not anonymous in its current form. It does not even pretend to be anonymous. It is pseudonymous… This is a HUGE difference. I talk about why this matters and how Bitcoin can be anonymous in the near future with modifications YOU will make (and no, not "Bit-Laundry" services).
Third, PGP Encryption is confusing. I break it down into short step-by-step instructions, saving hours of figuring it out yourself ($4.99 to save a few stressful hours of your life is a good deal).
Fourth, this is not a book you read; these are instructions you follow. If you are looking for a book to spend the day reading by the fire, do not buy these instructions. If you read these instructions in 30 minutes, and then complain that this 'book' merely says install Tails, you did not read this page, AND you did not follow the instructions. It will take you a couple hours to build a solid system. If you want to spend $4.99 to do things the right way the first time instead of spending days searching Google and browsing forums trying to figure this stuff out yourself (and still leaving holes in your system), buy these instructions. If you build your kid a doll house, you do not want a book about doll houses, you just want instructions for building a doll house. For $4.99, I am telling you what to do without asking you to subscribe to a proxy service, buy software or trust a third party.
Fifth, I post all updates on my blog. I make updates often, and there is no reason you should have to buy a new copy to stay "in-the-know." As new technologies are developed, new shortcomings are discovered (like how your mega-strong encryption will be broken in 5 years), and spelling mistakes are corrected :/ I will share them with you.
I will show you that Bitcoin is NOT Anonymous and how that is about to change.
I will provide you with future updates.
I believe in the “Keep It Simple Stupid” methodology. This manual details exactly what you need to get what you want, no more, no less. I wrote this so you could be anonymous today instead of spending the next week reading everything you find on Google and, in the end, still not know how to implement the proper steps.
The problem I've seen in other books and online instructions is they give you a bunch of sources and programs for anonymity, but they do not tie all the loose ends together. For instance, you might buy anonymity software, but god knows what a totally unrelated program in Windows is still tracking and saving to your hard drive. Besides that, if you want to use a work computer, they certainly are not going to allow you to install anonymity software. Moreover, maybe, you do not want to encrypt your hard drive because that looks suspicious. You need to run straight from a DVD, Flash Drive or Micro SD card outside of Windows altogether. I will even show you how to boot with a flash drive on old computers that typically will not do so.
Let’s tie up those loose ends.
----------
Don't worry, we are going to work around these.
To my knowledge, as of August 1, 2015, no one following my instructions has faced an exploit. Since I update these instructions regularly to reflect changes in technology, weaknesses that develop will see rectification quickly and accordingly.
Unfortunately, everything has flaws, especially software. The most popular, and probably most secure, software for online anonymity is Tor. The most popular operating system for online anonymity is Tails. These are the heart and nervous system of these instructions. The strength of these programs comes from the ongoing development of each and their open code. When good guys find flaws, work to rectify them begins immediately. When bad guys find flaws, they may be exploited indefinitely.
If being anonymous online is a hobby, this is the way to go. If being anonymous online is a way to restrict corporate advertisers from tracking your online life, this is the way to go. If you hate the fact that some governments are collectively spying on you for no reason, this is a way to make a point that you are not blindly submitting and a way to complicate their efforts.
The great length that people must go to break these systems hints that they work well. However, if you want a foolproof, 100% certain way to avoid the prying eyes of every entity, there is no solution for you. There are organizations with thousands of people dedicated to tracking and watching you. If you want to use Tor to bad mouth Vladimir Putin, you should know that the Russian Ministry for Interior has a 3.9 million rubles reward for developing methods to identify you. If for nothing more than bragging rights, there are academics and hackers that simply want to be the first to publicize mistakes. In fact, a couple of researchers from Carnegie Mellon University gained a huge amount of attention for their attempts to de-anonymize Tor users in 2014.
These are advanced methods for protecting your anonymity. I take you through detailed steps, far more than you are likely to find in one place online, to authenticate your software. I think the sections on authenticating your system are the most overlooked, yet most valuable aspect of this guide. However, if you are looking for a way to evade every entity in existence, I do not know what to tell you.
Nothing I say, do, provide, link to or recommend is guaranteed to protect your anonymity. Whether it is tomorrow or thirty years from now, every security measure will eventually be compromised. That is the power of technology. Frankly, if you can sue me for it, I am telling you that I am not guaranteeing it; therefore, it is at your risk to follow or do anything that I write in this manual.
The first thing you need to do is gather your tools. By the end of this section, everything you need will be in place and ready to go.
If you are already comfortable and familiar with Tails you can skip to Section: Safe Updates and PGP Program Authentication.
Your Tool List:
Hardware
Software
Step 1: On your Desktop, create a folder named Toolbox.
Step 2: Download your Tools
If you need a .zip file extraction program, I use 7-zip (http://sourceforge.net/projects/sevenzip)
If you would rather download the Tools directly from the developer websites up front, the links are posted below:
Step 3: Burn two DVDs
Burn Tails
Burn Plop Boot Manager
***To burn your DVDs, install InfraRecorder from your Toolbox
You are now ready to boot your computer using the Tails DVD.
The single biggest advantage of the Tails DVD is that you cannot save data or customize it. These limitations reduce your risk of falling victim to a virus or Malware.
Here's how to use it:
Getting Online:
Ethernet Cable
Do not worry if you get a message saying your version of Tails is out of date or has numerous security holes… You will fix this later.
Wi-Fi
Do not worry if you get a message saying your version of Tails is out of date or has numerous security holes… You will fix this later.
IMPORTANT! - You have to disable JavaScript manually. That does not happen automatically (Remember, JavaScript leaves you vulnerable to malware).
In the Iceweasel Web Browser:
Go to https://check.torproject.org to see if your connection is secure. If so, you are anonymous enough to browse online and feel fairly safe, but, you are NOT running the latest version of Tails. You are not as secure as you will be once you make it all the way through this manual. In later sections, I will cover properly updating your software. Also, don't worry if the connection speed is slow. It varies based on the bandwidth available in the Tor network.
Go to http://www.whatismyipaddress.com to see where it thinks you are. Your IP address will change often, so your location will change, as well.
You have reached the two-hour mark for achieving anonymity. Again, if you are already bored with these instructions, go play, but, come back later because there is A LOT more that must be done to secure your system.
The big advantage of the Flash Drive or MicroSD card version of Tails is it allows you to upgrade safely. Also, the Flash Drive lets you do an emergency shutdown simply by removing it. Furthermore, you can save files, bookmarks, etc. from session to session.
To minimize the chances of compromising your anonymity, you should keep changes to Tails at a minimum. Part of your anonymity stems from not having a digital fingerprint... Or, more accurately, not having a unique digital fingerprint. Every time you make a change to Tails your digital fingerprint becomes a little more unique. You do not want Kim Jong-Un using your prints to compile a track record of everywhere you have been.
Also, saving data opens the possibility of housing malware inside your system. Encryption and anonymous IP addresses are not going to protect you if you are being watched from inside your system.
That being said, it is time to set up your Tails USB Flash Drive or Micro SD card:
***Important - “Windows 8 Certified” Flash Drives Do Not Work With Tails. “Windows 8 Certified” flash drives are not bootable, meaning you cannot use them to boot your computer into Tails. Flash drives that are NOT “Windows 8 Certified” work fine; unfortunately, they are getting harder to find. If you have an old flash drive, you are probably fine. If not, the best alternative is to use a Micro SD Card with a USB adapter. Many SD Cards are sold with a USB adapter for under $15. USB adapters sold separately cost even less.***
***This is a temporary administrative password that only lasts one session. Occasionally you will be required to use an administrative password to perform certain tasks.***
Now, you will configure a Persistent Volume.
Now that a Persistence volume has been created, you have the option to use it each time you start Tails from your Flash Drive or MicroSD card. If you choose not to use a Persistence volume at startup, Tails will run like the DVD version. If you choose to use a Persistence volume, Tails will run with your personal settings, files, etc.
To use a Persistence Volume:
A few things you should know about the Persistence Volume:
REMINDER – When you go online, do not forget to disable JavaScript in the Iceweasel Web Browser (Edit > Preferences, select the Content tab and uncheck “Enable JavaScript”).
To see how well you have minimized your digital fingerprint, visit https://panopticlick.eff.org and click the Test Me button. Visit it from Windows, Tails DVD, Tails USB with JavaScript enabled, disabled, etc. Compare your various results and see which options leave you with and without a unique digital fingerprint.
Remember when I told you that you could use someone else’s computer without them knowing? Tails is how. When a computer boots from Tails it circumvents Windows and the computer's hard drive (in fact, you can remove the hard drive and still use Tails). Instead, it runs as its own operating system, utilizing only the computer's RAM. At shutdown, even if you eject the Tails DVD or remove the USB flash drive while the system is running, Tails wipes the RAM.
When using a computer other than my own, I only use the Flash Drive or Micro SD card in its USB adapter. The reason being, I do not have to worry about the Flash Drive getting stuck inside the computer when I need to do a quick bailout. I can just yank it and go. Even if I need the Plop Boot Manager DVD to boot, I can remove it as soon as Tails starts.
Anonymity is always under threat. As such, you need to verify that you are securely connected to the Tor network, and you must stay current on Tor news. Every time you go online, the first websites to visit are:
News of a Tails or Tor exploit will travel fast. You do not want to find out when it is too late.
In this section, you will upgrade Tails. Unlike just about everyone else, you will not leave yourself vulnerable to a security breach during the upgrade. I cannot stress how important it is to upgrade Tails properly. Once upgraded, you can go stand outside Labor Camp 16's fence and wave to all those people that said, "just download and install Tails." Since they did not follow these steps, they installed Kim Jong-Un's decoy program, Twails.
You are going to use PGP encryption to authenticate this upgrade. In the next section, I will fully explain PGP, but, for now, just follow these steps to get through the upgrade. This way, once you get to the next section and start making encryption keys you will know you are working within an authentic system.
The Tails website offers plenty of information about authentication, but, it ain't easy. I am going to make the process more “keep it simple stupid” like.
At this point, you should be downloading the files “tails-i386-x.xx.iso”, “tails-signing.key”, and either “tails-i386-x.xx.iso.sig” OR “tails.i386-x.xx.iso.pgp”
You need to wait for all three files to download before continuing to step 4. That could take a few hours, sorry.
F.Y.I., in Windows, you can open a .key, .sig or .pgp file in Notepad.
It is common for PGP files to end in “.asc” instead of “.sig”, “.key”, or “.pgp”. For any of these files, simply open them in gedit and the top line of the file's text will tell you if it is a Key, Signature, etc. That should save you a few headaches.
When starting Tails, if you choose Yes for More Options at the Welcome to Tails screen, you are given the option to uncheck Spoof all MAC addresses and to use a Bridge to connect to Tor. Under almost all circumstances, you can leave these settings unchanged.
MAC address spoofing is a way of anonymizing your machine's identity within your local network. Spoofing can be a problem if your local network has restrictions that only allow connections from 'approved' machines. That could be the case within some office networks to increase security. Do not worry if you do not spoof your MAC address; it is not visible online like an IP address. It will only show a network administrator that your machine connected to the internet on a particular network at a particular time. It does not reveal your online activities.
A Bridge is an unlisted access point to the Tor network. Using a Bridge is necessary when a local network (like your office, coffee shop or internet service provider) blocks access to Tor by blacklisting known Tor servers. I talk more about Bridges in a few posts on my blog. You can read them at https://howtobeanonymousonline.info/?s=bridges.
The Tor Web Browser will not automatically open upon connecting to the internet. So...
To disable JavaScript, in the Tor Browser:
This also disables automatic loading of online custom fonts (an extra preventative measure to stop a website from determining fonts installed on your system)
Disabling Cookies: You no longer have the option of disabling all cookies. However, by default, Third-Party cookies are Disabled. These are the dangerous ones that track you from one site to another. First-Party cookies are Enabled, but, automatically deleted when no longer needed. These cookies only track you within the site that gave you the cookies. They are used, for example, to keep you logged into the site.
To disable automatic loading of online images (helpful to speed up browsing):
PGP allows you to encrypt messages. So, if you want to email a secret love note or favorite recipe without Kim Jong-Un fixing his hungry eyes upon it, type it into a little text file, encrypt it and send it.
PGP and GPG are pretty much the same. The difference between the two comes down to licensing and encryption algorithms that you probably will never notice. They are interoperable, so, using one will not leave you unable to communicate with someone that uses the other. Unless you are a mega uptight person, there is no need to distinguish between the two. I will refer to it all as PGP.
It is common to find PGP related files with the wrong extensions. If you suspect this to be the case, open the file in your gedit program (right-click the file > Open with > gedit). The top line of the text will tell you if it is a public PGP key, private PGP key or signature file. Just rename the file as needed. If the entire text is pure chaos, including the first line, it is an encrypted file, which you can give a .pgp extension.
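The top-line check described here and in the earlier note about ".asc" files can be scripted. The following is an added example, not part of the original manual; it goes beyond the text by also looking at the first byte of binary ("pure chaos") files, because a binary OpenPGP file can be a key or a signature as well as an encrypted message. The function names are hypothetical and the sample inputs are constructed.

```python
import base64
import binascii

# Label on the armor's top line -> kind of file
ARMOR_KINDS = {
    "PGP PUBLIC KEY BLOCK": "public key",
    "PGP PRIVATE KEY BLOCK": "private key",
    "PGP SIGNATURE": "signature",
    "PGP SIGNED MESSAGE": "clearsigned text",
}

# Tag of the first OpenPGP packet (RFC 4880, section 4.3) -> kind of file
PACKET_KINDS = {
    1: "encrypted message",    # session key encrypted to a public key
    3: "encrypted message",    # session key encrypted with a passphrase
    9: "encrypted message",    # symmetrically encrypted data
    18: "encrypted message",   # encrypted, integrity-protected data
    2: "signature",
    4: "signed message, not encrypted",
    8: "compressed message, not encrypted",
    5: "private key",
    6: "public key",
}
UNKNOWN = "not recognised as OpenPGP"


def packet_tag(first_byte):
    """Extract the packet tag from the first byte of a binary OpenPGP file."""
    if not first_byte & 0x80:          # bit 7 is set on every packet header
        return None
    if first_byte & 0x40:              # new-format header: tag in bits 5-0
        return first_byte & 0x3F
    return (first_byte & 0x3C) >> 2    # old-format header: tag in bits 5-2


def _first_body_byte(lines):
    """First decoded byte of the base64 body that follows the armor headers."""
    in_body = False
    for line in lines:
        if not in_body:                # headers (Version:, Comment:) end at a blank line
            in_body = line == ""
            continue
        if len(line) >= 4 and not line.startswith(("=", "-")):
            try:
                return base64.b64decode(line[:4])[0]
            except (binascii.Error, ValueError, IndexError):
                return None
    return None


def classify_openpgp(data):
    """Say what kind of PGP file these bytes are, whatever the extension claims."""
    if not data:
        return UNKNOWN
    head = data[:8192]
    if head.startswith(b"\xef\xbb\xbf"):   # tolerate a UTF-8 byte-order mark
        head = head[3:]
    head = head.lstrip()
    if head.startswith(b"-----BEGIN "):
        lines = [l.strip() for l in head.decode("ascii", "replace").splitlines()]
        label = lines[0][len("-----BEGIN "):].rstrip("-")
        if label == "PGP MESSAGE":
            # "MESSAGE" covers encrypted and signed-only data; inspect the body
            first = _first_body_byte(lines[1:])
            tag = packet_tag(first) if first is not None else None
            return PACKET_KINDS.get(tag, "message, first packet not recognised")
        return ARMOR_KINDS.get(label, UNKNOWN)
    return PACKET_KINDS.get(packet_tag(data[0]), UNKNOWN)


# Constructed samples: only the leading bytes are realistic, the rest is filler.
SAMPLES = {
    "armored key": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\nmQENconstructed\n",
    "armored signature": b"\n-----BEGIN PGP SIGNATURE-----\n\niQEcconstructed\n",
    "armored encrypted": b"-----BEGIN PGP MESSAGE-----\n\nhQEMconstructed\n",
    "armored signed-only": b"-----BEGIN PGP MESSAGE-----\n\nowEBconstructed\n",
    "binary key": bytes([0x99, 0x01, 0x0D, 0x04]),
    "binary signature": bytes([0x89, 0x01, 0x1C, 0x04]),
    "binary encrypted": bytes([0x85, 0x01, 0x0C, 0x03]),
    "plain text": b"just a note\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20} -> {classify_openpgp(blob)}")
```

A binary file that reports "signature" is better renamed to .sig than to .pgp, which the top-line rule alone would not tell you.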
Copy everything, starting with “-----BEGIN PGP PUBLIC KEY BLOCK-----” and ending with “-----END PGP PUBLIC KEY BLOCK-----”.
You can easily look up someone's public PGP key if they upload it to a keyserver. Keyservers are databases that anyone (even you) can use to share their public PGP key(s) with the world. To import someone's public PGP key from the keyservers:
In the next steps, you are NOT using the Passwords and Encryption Keys program
You can put your signature on a file, so people know it is from you, not an impostor. You can sign both encrypted and non-encrypted files.
Ideally, the person verifying your signature had previously received and verified your public PGP key.
This process works like bank signatures did in the old days.
Now, suppose the bank received a signature card and a signed check at the same time. Meanwhile, you were not present. Even though the signatures match, the bank cannot tell if they are authentic.
You face the same dilemma if you get a public PGP key online at the same time as a signed file. You need a way to authenticate the public PGP key before you can use it to authenticate a signed file.
There are two ways to make sure you have someone's actual public PGP key, not a fake.
If someone trusts that a public PGP key is authentic, they can sign it. When you import a particular key, you can see the keys of all the people that have chosen to publicly sign it, vouching for its authenticity. Using the terminal, you will view these signatures.
The more signatures that are from people you know and trust, the more trust you can have in the key's authenticity.
This trust stuff is a big deal for software developers collaborating on projects and, in the case of my family, Christian missionaries spreading the word to hostile lands. For most other people, PGP is just a way of pretending to be Batman and Robin exchanging puppy memes without the Joker eavesdropping.
To check a key's Fingerprint:
You DO NOT need to upload your public PGP key to the keyservers in order to sync the other keys. However, if you want your public PGP key publicly available, use the following “sync everything” steps. If you would rather not publicly list your public PGP key, use the following “sync a particular key” steps.
To upload/sync everything...
Wait for all three files to download before proceeding.
If you see filename.xxx Good Signature, you have authenticated the file!
If you see filename.xxx Unknown Signature, you have not authenticated the file. Either you did not download the entire file, forgot to import the public PGP key before checking the signature, imported the wrong public PGP key or the signature is wrong or forged.
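The same check can be made from the terminal in a way that also ties the result to a fingerprint you verified beforehand, which addresses the signature-card problem described above: a "good" signature only proves that some imported key signed the file. The following is an added example, not part of the original manual; it reads the machine-readable status lines that gpg prints with --status-fd. The function names are hypothetical, and the fingerprints and status lines are constructed placeholders, not those of any real key.

```python
import subprocess

# Status keywords that mean the signature must not be trusted, even if a
# VALIDSIG line is printed alongside (expired or revoked key, for example).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def verdict(status_text, pinned_fpr):
    """Decide from gpg's --status-fd output whether the pinned key signed the file."""
    pinned = pinned_fpr.replace(" ", "").upper()
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return "rejected: " + parts[1]
        # VALIDSIG carries ten arguments; the last is the primary key's
        # fingerprint, which is the one to pin when a subkey did the signing.
        if parts[1] == "VALIDSIG" and len(parts) >= 12:
            signers.add(parts[11].upper())
    if not signers:
        return "rejected: no valid signature"
    if pinned not in signers:
        return "rejected: signed by a different key"
    return "ok"


def verify_detached(sig_path, data_path, pinned_fpr, gpg="gpg"):
    """Run gpg on a detached signature and judge the result with verdict()."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", "--", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
    )
    return verdict(proc.stdout, pinned_fpr)


# Placeholder fingerprint; in practice, the one you confirmed out of band.
PINNED = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
VALID_LINE = ("[GNUPG:] VALIDSIG {0} 2015-08-01 1438387200 0 4 0 1 8 00 {0}")

# Constructed status output for four situations.
GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>",
    VALID_LINE.format("0123456789ABCDEF0123456789ABCDEF01234567"),
    "[GNUPG:] TRUST_UNDEFINED",
])
OTHER_KEY = "\n".join([
    "[GNUPG:] GOODSIG FEDCBA98FEDCBA98 Someone Else <other@example.invalid>",
    VALID_LINE.format("FEDCBA9876543210FEDCBA9876543210FEDCBA98"),
])
KEY_NOT_IMPORTED = "\n".join([
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1438387200 9",
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567",
])
EXPIRED_KEY = "\n".join([
    "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Signer <signer@example.invalid>",
    VALID_LINE.format("0123456789ABCDEF0123456789ABCDEF01234567"),
])

if __name__ == "__main__":
    for name, text in [("good", GOOD), ("other key", OTHER_KEY),
                       ("key not imported", KEY_NOT_IMPORTED),
                       ("expired key", EXPIRED_KEY)]:
        print(f"{name:18} -> {verdict(text, PINNED)}")
```

With real files you would call verify_detached() with the .sig file, the downloaded file and the fingerprint you confirmed; the "other key" case is the one a plain "Good Signature" message cannot distinguish.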
Here is a real life example using a few demonstration files from my website
I do not trust email providers. Not a single one. Neither should you.
Since the Snowden scandal erupted, there are service providers touting their non-USA based servers. To me, this means nothing. What do I care if the server is in the United States or not? The United States is not the only country with intelligence agencies that want to read people's email. The only difference between the United States and other countries is Edward Snowden happened to work for the USA, so he blew his whistle on them and fled to Russia. If he worked for the Russians, he would have blown the whistle on them, fled to the United States and received a medal from the President. If he worked for North Korea, he would have been too hungry to blow the community whistle.
Anyway...
You can use any email provider that meets the three criteria. You are not limited to one I mention. However, you are limited by the difficulty in finding providers that meet the criteria (Hushmail does not meet the criteria).
*If the limits prove too constricting, I cover alternative email options later in this section*
The risk with email providers is they can change or shut down at any time. Since I first wrote these instructions, I have had to abandon three email providers. One no longer meets our criteria, another quit accepting new accounts, and a third shut down. At the moment, one service, Safe-mail.net, meets the three criteria.
[Latest Update: a new email service, https://ruggedinbox.com, now meets the three criteria!]
Safe-mail is not safe! Do not let anyone tell you otherwise. Its servers are in Israel. It is easy to imagine that a back door is built into their system per government request. Having said that, Safe-mail meets the three criteria. You just have to access the website from within your anonymous system and encrypt messages yourself BEFORE they are uploaded and sent. If you follow the rules, you do not need to trust the email provider that you use.
Now, you have an anonymous email account.
Anonymous Email is NOT convenient. First of all, since options are limited, you are totally dependent on a service not shutting down or changing its system in a way that is incompatible with your system. Second of all, you might not want an email address that looks anonymous. Your careless boss is going to keep an eye on you, wondering why you need a '@safe-mail.net' email address. To be honest, I would never use Safe-Mail.net. I do not think they have a bad system, I just think using them puts a target on my back.
A now defunct email provider, TorMail, was the source of a major JavaScript exploit in which an attacker was able to insert malware into the systems of Tor users visiting the TorMail website. The malware learned a TorMail user’s real IP address and then reported it back to the attacker. The malware relied on the user having JavaScript enabled in an outdated version of Tor Browser running on a Windows System. Users following this guide were immune to the exploit.
Let us consider four reasons why TorMail and its users were likely targets. First, TorMail was run on servers owned by a small company specializing in anonymity, which also happened to host illegal websites. Second, TorMail was a relatively small, unknown service that happened to be popular among individuals conducting illegal activity. Third, since TorMail was only accessible to Tor users, an attacker was going to put forth the creative energy to unmask its users. Fourth, in the event an attacker was able to access the contents of TorMail accounts (and they did), they could retrieve users' past communications and pseudonyms to link them to physical locations and real identities. Had TorMail been a large company, it is likely they would have had a security team in place to identify and stop attacks in a relatively short amount of time. Also, it would have run from in-house servers, not ones that also hosted someone else's content that may have been a target for seizure. Besides, had it not been billed as some super secret anonymous email provider, nobody would have given it a second look in the first place.
For the sake of inconspicuousness, selectively, thoughtfully breaking the JavaScript rule is not the end of the world. Following are a few points that might help you decide if breaking the rule for email is right for you.
Instead of Windows, you are running Tails, an open source Linux operating system. This fact alone reduces the likelihood that you fall victim to a malware attack. It makes much more sense for an adversary to develop an attack for Windows than Linux, since Windows has a larger user base. Not only does Linux have a smaller user base, there are numerous variants of Linux within that base. Additionally, being open source and popular, the Tails code has many eyes on it. An attack targeted at more than a few, select Tails users will hurriedly be recognized and rectified by the open source community.
By running Tails from a DVD-R and selecting No when prompted at the initial More Options screen, you have two layers of security that the TorMail victims did not. Using the DVD denies the ability for a program to carry over from one session to another. Furthermore, when you select No from More Options, you deny Root Access. Without root access, changes cannot be made to system files.
There are also some advantages to using a well-known email provider:
Is not-so-anonymous email actually more anonymous? Weigh the options. If you need super-untraceable anonymous email, the account must meet the three criteria. However, your options are limited and may leave you using an email provider that draws unwanted attention. By flying under-the-radar, you have more services to choose from and are less noticeable.
IRC (Internet Relay Chat) has been around since the old days... That is the 1980s. Just like Ray-Bans and Will Smith, it has not aged a bit. It is simple, it is quick, you can send private messages and you can group chat. So, let's get to it...
Special Notice: Unfortunately, DDOS attacks on the Tor IRC server happen. During such events, connections may fail. So, if you cannot get a connection, despite doing everything right, you are not crazy.
(If you are working within your Persistence system, your account and username will carry over to future sessions. If not, you will have a new name for each session)
I want you to look at something. Right-click a name in the names list and select Info (your name or someone else's... it does not matter). There is revealing information here. If you login to IRC from outside Tails, the information under the Username will be your IP address and internet provider. Kim Jong-Un's cyber scouts would love to see this!
This feature does not work on IRC through the Tor network. Sorry.
This is for you to set some notifications
As I stated before, my goal in writing this manual is to provide you with a means of being anonymous. It is not intended to be a comprehensive book about anonymity technology, so, please forgive me for the brevity on this topic. Still, I will try to give you a clear understanding of writeprints, how they can be used as a weapon against your anonymity and how to counter the attack. A sharp, good looking person like you can keep the writeprinters off your ass with just a little bit of knowledge and effort. Let's get to it.
Writeprints are a means of identifying an author solely from the characteristics of her written work. It is a separate discipline from handwriting analysis and digital forensics. With the ability for individuals to mask IP addresses and minimize digital fingerprints, writeprinting is often the only method available to identify the author.
The field of writeprinting is far from perfect; however, the accuracy of some writeprinting analysis is scary. Bloggers, tweeters, chatters, and posters are identified enough to warrant concern. I do not rank writeprints as high as fingerprints, digital fingerprints, handwriting analysis or DNA when it comes to evidence. Writeprinting is more comparable to a witness telling the police that the thief was "around 5'5, 300lbs, round-faced, oddly tanned skin, had short brown hair shaved on the sides, was smiling, waving, wearing a Dennis Rodman jersey and riding a white stallion into the sunset." That does not give the police a name or address, but, it does allow them to focus their search.
A number of methods are available for writeprint analysis. Most seek to identify an author by combining a variety of features, such as average word length, vocabulary complexity, favorite words, topics, grammar, punctuation, capitalization and sentence length. These nuances vary enough between individuals that they can be compiled to create a unique writeprint. To clarify, when I talk about the author, this does not only mean someone that has written a book, article or some other large body of work. It also applies to individuals who post on message boards, tweet, blog or email. Ten 50-word tweets can be as useful as one 500-word email.
As part of China's 12th Five-Year Plan, funding was provided for extensive research into identifying bloggers with writeprints. Apparently, they find it imperative to identify people who exercise free speech. A China-funded study at their own Wuhan University had an 80% success rate when attempting to single out different authors from a pool of 50 Amazon.com reviews [1]. Of course, China is not the only beneficiary of writeprinting. Corporations and other governments can use writeprints to identify whistleblowers.
The most famous case study in writeprinting involves the Federalist Papers. The Federalist Papers are 85 anonymously authored articles, published in the late 1780's, to promote the ratification of the United States Constitution. Speculation by scholars, as well as contradicting claims by various Founding Fathers, narrowed the field to only a handful of potential authors. Researchers writeprinted the 85 articles and determined there were three authors. Author #1 wrote 51 articles, Author #2 wrote 26 articles, Author #3 wrote five articles, and Authors #1 and #2 collaborated on three articles. By matching the writeprints of each article with the writeprints of the Founding Fathers, it was determined that Author #1 was Alexander Hamilton, Author #2 was James Madison and Author #3 was John Jay.
Investigators are not always so lucky as to have a list of suspects from which to identify an author. This scenario was tested by a team of researchers who mined writeprints from an email database in which all emails were anonymous, and no suspects were given. The researchers extracted each email's writeprint. With that, they grouped the emails by their respective authors (example: suppose there were 100 emails, they determined 30 emails were by one author, 20 by another and 50 by a third). Once each author's emails were grouped, creating a larger body of work per author, a more accurate writeprint was extracted [2]. No further attempt was made to identify each author's true identity, but one can only imagine what an entity with large resources and supercomputers scouring the web could do with the “more accurate” writeprints.
In another project, researchers extracted unknown authors' writeprints from individual, anonymous blog posts. The writeprints were matched against a database of 100,000 non-anonymous blogs (2.4 million blog posts in total). With no further personal investigative work and strictly using open source software, the researchers were able to successfully identify the authors 7.5% of the time. When the researchers extracted an unknown author's writeprints using three anonymous blog posts, the success rate grew to 25%. Even when writeprinting failed to match unknown authors to their non-anonymous blogs, the field of possibilities was often narrowed from 100,000 to 20 [3].
Given the previous research, let's play out a scenario that applies existing technology:
Realistically, the investigators are going to be more thorough. The scenario will probably go more like this:
Given this scenario, there is probably a much greater than 7.5% to 20% chance that the software correctly identifies Sam from the 900 employees. There is probably a near 100% chance that the writeprinting software can narrow the field to 20 suspects, of which Sam is included. From these 20 suspects, traditional investigative techniques can probably weed out Sam as the whistleblower.
This scenario might be hypothetical, but it is not unrealistic.
You have an advantage over Sam in that you know writeprints exist. As such, you will not be naive when you send that letter exposing the toxic waste dump in Tumangang City. Moreover, since you are a genius, you can wear your leather writer gloves so your prints do not end up all over the net.
IMPORTANT – You should not mask your writeprints in your daily life. You only mask them when you need to be anonymous. You do not want to alter your non-anonymous writeprints and end up with them matching your anonymous ones.
A few techniques you can apply to anonymize writing:
You do not necessarily need to follow all of these methods. You can pick and choose those that you feel best work for you.
Applying the previous techniques can make you stand out as trying to hide your writeprints. Feel free to use them as a guide for faking your writeprints instead of following them exactly to obscure your writeprints.
Above all else, writeprinting relies on your consistency as a writer. Fortunately, you can change your style anytime without too much hassle.
For fun, visit http://www.textalyser.net to have stuff writeprinted.
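To see what "consistency as a writer" means in practice, here is a small sketch of a writeprint comparison. It is an added example, not taken from this guide or from the cited studies: the feature list, the two hypothetical employees and all sample texts are constructed, and real tools use far larger feature sets.

```python
import math
import re
from collections import Counter

# Habits that survive a change of topic: function words and punctuation.
# This short feature list is an illustrative choice, not a research-grade set.
FUNCTION_WORDS = ["the", "of", "and", "to", "that", "which", "however", "but",
                  "really", "just", "so", "very", "i", "we"]
PUNCTUATION = [",", ";", "!"]

# Constructed samples: signed writing from two hypothetical employees.
KNOWN = {
    "employee_a": "The audit of the plant was thorough; however, the report that reached the board omitted the findings which mattered most. The managers knew of the leak, and the engineers warned of the risk; however, nothing was done.",
    "employee_b": "I just think we really need to talk about this! It is so bad, and I really mean it! We just keep waiting and waiting. So I am done!",
}
# Constructed anonymous letter in employee_a's habits, and a rewritten draft.
ANON = "The storage of the waste was illegal; however, the permits that were filed claimed otherwise. The inspectors who reviewed the site, which sits above the river, were told of the danger; however, the warnings were buried."
MASKED = "Waste was stored illegally. The permits said otherwise. Inspectors saw the site and heard of the danger. But nobody acted."

def writeprint(text):
    """Per-word rates of function words and punctuation, plus sentence length."""
    words = re.findall(r"[a-z']+", text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    counts = Counter(words)
    n = max(len(words), 1)
    vec = [counts[w] / n for w in FUNCTION_WORDS]
    vec += [text.count(p) / n for p in PUNCTUATION]
    vec.append(len(words) / max(len(sentences), 1) / 100.0)
    return vec

def similarity(text_a, text_b):
    """Cosine similarity of two writeprints (1.0 means identical habits)."""
    a, b = writeprint(text_a), writeprint(text_b)
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def rank_candidates(anonymous_text, known_samples):
    """Order known writers by how closely their habits match the anonymous text."""
    scores = {name: similarity(anonymous_text, sample)
              for name, sample in known_samples.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print(rank_candidates(ANON, KNOWN))
    # Self-check: score a rewritten draft against your own signed writing.
    print(similarity(MASKED, KNOWN["employee_a"]))
```

Running the same comparison on your own draft against your own signed writing, before and after rewriting, shows whether the rewrite actually moved your habits or only changed the topic.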
Think of Bitcoin as digital cash. Until recently, it served as a means for high-risk currency trading, gambling and drug dealing. It was popular for these transactions because it was unregulated, easily used internationally and could be traded for government-issued currencies on exchanges, the most famous being the now defunct Mt. Gox.
Here is a tiny history of Bitcoin. It was introduced to the world in 2009 via the white paper “Bitcoin: A Peer-to-Peer Electronic Cash System.” Just about nobody cared about Bitcoin until 2011 when the price of one Bitcoin went from $1 to $32 and back down to $2. After this first crash, financial nerds figured Bitcoin was just a cheap thrill that would soon fade away. After creeping up to $14 by the end of 2012, Bitcoin reached $1240 on December 4, 2013. Now, Bitcoin has scrutiny. Venture capitalists, FBI agents, and academics are all over the technology, and, for various reasons, are dedicating resources to tracking and identifying users. The IRS and DEA showed that they are in the game by making the high profile arrests of Charlie Shrem, CEO of BitInstant and Robert Faiella, aka BTCKing, from the Silk Road on January 27th, 2014 (read a brief of the events at https://howtobeanonymousonline.info/bitcoin/busted/).
Before I go into why Bitcoin is not anonymous, I want to mention why Bitcoin is awesome:
While I am not going into all the details of Bitcoin’s inner workings, I am going to dispel the misconception that Bitcoin is anonymous. In fact, Bitcoin is the most public payment system in the world. Previously, it was considered “anonymous” because no entity cared enough to track transactions and identify users. Well, as I just mentioned, they care now.
Tracking Bitcoin is manageable for those with ample resources because every Bitcoin transaction is broadcast to the world through what is known as the Blockchain (visit https://www.blockchain.info to see). The Blockchain prevents a person from double spending a Bitcoin. Since every transaction is broadcast to the public, the “anonymity” comes from the fact that an individual's Bitcoin wallet address is publicly displayed instead of their actual identity. This is known as pseudonymity, not anonymity.
Here is a liberal scenario to help explain why this is a problem.
Let’s rework this scenario with a Bitcoin.
Using Bitcoins, Xavier, Yasmin and Zack thought they were on the “down-low” since all of their activity was done behind their computers using fake IP addresses and randomly generated "anonymous" Bitcoin wallet addresses. So wrong they are!
There are a number of ways to track Bitcoins along their transaction chain [7]. In fact, many stolen Bitcoins have never been used because there are no places to spend them without the risk of being identified. If they are traded on one of the major Bitcoin exchanges for government-issued currency, to be useful, the money must eventually be transferred to a bank. Subpoenaing an exchange would reveal where the money was transferred to or from. Subpoenaing the bank would identify who owned the account (Subpoenaing an exchange is one of the means the Feds used to identify BTCKing, from the Silk Road, as Robert M Faiella). If the Bitcoins were used to purchase physical goods, those physical goods would need to be physically delivered, exposing the receiver to the risk of identification or the goods to possible seizure. Selling a large quantity of Bitcoins in person is unrealistic since a well-informed person would not buy an enormous volume of Bitcoins from a mysterious seller knowing we now live in a world where the FBI can and has seized illegally obtained Bitcoins (read about Ross William Ulbricht).
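Why a wallet address is only a pseudonym, shown as an added example that is not from this guide: it applies the multi-input clustering heuristic described in [7] to a constructed ledger, then ties one deposit to an exchange customer record. Every address, transaction id and customer label below is made up.

```python
from collections import defaultdict

# Constructed ledger: each transaction spends from "inputs" and pays "outputs".
LEDGER = [
    {"txid": "t1", "inputs": ["addr_A"], "outputs": ["addr_B", "addr_C"]},
    {"txid": "t2", "inputs": ["addr_B", "addr_D"], "outputs": ["addr_E"]},
    {"txid": "t3", "inputs": ["addr_D", "addr_F"], "outputs": ["exchange_deposit"]},
    {"txid": "t4", "inputs": ["addr_G"], "outputs": ["addr_H"]},
]
# Constructed exchange record: the exchange knows who made deposit t3.
EXCHANGE_RECORDS = {"t3": "customer_1"}

def find(parent, addr):
    """Union-find lookup with path compression."""
    parent.setdefault(addr, addr)
    while parent[addr] != addr:
        parent[addr] = parent[parent[addr]]
        addr = parent[addr]
    return addr

def cluster_addresses(ledger):
    """Multi-input heuristic: addresses spent together in one transaction
    are assumed to be controlled by the same wallet."""
    parent = {}
    for tx in ledger:
        root = find(parent, tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(parent, addr)] = root
        for addr in tx["outputs"]:
            find(parent, addr)  # register outputs as their own clusters
    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(parent, addr)].add(addr)
    return list(clusters.values())

def exposed_wallets(ledger, exchange_records):
    """Map each known exchange customer to every address clustered with
    the inputs of their deposit transaction."""
    clusters = cluster_addresses(ledger)
    exposed = {}
    for tx in ledger:
        customer = exchange_records.get(tx["txid"])
        if customer:
            wallet = next(c for c in clusters if tx["inputs"][0] in c)
            exposed[customer] = sorted(wallet)
    return exposed

if __name__ == "__main__":
    print(exposed_wallets(LEDGER, EXCHANGE_RECORDS))
```

One identified deposit exposes addr_B as well, even though addr_B never touched the exchange, because it was once spent alongside addr_D.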
Thank God for Bitcoin "laundry" services! They will scrub those dirty, traceable Bitcoins clean... Right? Maybe?? Hopefully???
Nope.
Using a Bitcoin laundry service assumes two things: first, they will wash your Bitcoins; second, you can trust them for anything else.
Washing a Bitcoin is no simple task. The laundry service needs to mix your Bitcoin with LOTS of other Bitcoins. Then, those mixed Bitcoins must be divvied up and sent through LOTS of separate transactions where, again, they are mixed with new Bitcoins and re-divvied up at every step. That must happen to the point where it is statistically impossible to prove the link from a fraction of the Bitcoin at the beginning of the process to a fraction of the Bitcoin at the end of the process. That just is not going to happen. In fact, researchers tested out some Bit-Laundry services. The results? The Bitcoins were stolen, or the same Bitcoins were returned [7]. I am no genius, but I would say if you took your dirty shirt to the cleaners and it came back dirty, you got f-cked. If you took your dirty shirt to the cleaners and they stole it, you got double f-cked.
Using a Bit-laundry service also brings us back to the third party trust issue. This entity could be tracking or sharing data, susceptible to subpoenas or under siege by Kim Jong-Un. Seriously, when is the last time you went to the cleaners, and it was not run by Koreans? I certainly can't remember.
So what the heck!
As with everything else cyber-related, there are computer geeks working on a solution. Last year, the Johns Hopkins University Department of Computer Science began developing Zerocoin, an add-on to Bitcoin to anonymize Bitcoin transactions. This year, the Zerocoin developers joined another group of developers and renamed the project Zerocash.
Zerocash will make use of two new crypto-currencies, a new ‘Zerocoin’ and a yet-to-be-named ‘basecoin.’ Zerocoins will be anonymous, and the basecoins will not.
If a user cannot initially obtain Zerocoins through a transaction, she will purchase or accept basecoins, and then convert those to Zerocoins. Once the user has Zerocoins, they can be spent without revealing the coin amount or addresses of the parties involved and without relying on a central authority. Importantly, the Zerocoins will not need to be spent in the same amount as the original basecoin conversion (an improvement upon the original Zerocoin project). In other words, a user can convert two basecoins into two Zerocoins, and then only spend one. As long as the two parties in the transaction are willing to accept Zerocoins, there will be no need to convert back to basecoins, although that will be an option. The Zerocash project remains in the testing phase.
In my opinion, for crypto-currencies to achieve widespread use, they must incorporate anonymity. Imagine if all of your financial records are public. Your coworkers will see your income. Your useless friend that needs a loan or your needy pastor that wants to remodel the chapel will know your bank balance. Your nosy neighbor will tell everyone you are broke and a month behind on your Mercedes payment. If the current Bitcoin becomes a dominant currency, this will be your reality.
On my blog (https://howtobeanonymousonline.info/) I will keep you up to date on crypto-currency anonymity innovations.
At the source, anyone spying on your home internet connection can see if you are using Tor (You Are Not Stealth). They cannot see what you are doing, whom you are talking to or what you are reading. All they know is that you are going somewhere, and they will probably not find out where (You Are Secure).
In the middle, out in the Tor network, spies can see activity. They cannot see what it is, where it came from or where it is going (You Are Secure).
At the destination, wherever that may be, spies can see Tor users visiting. They cannot see who the visitors are or where they came from (You Are Secure).
On a grand scale, this is all the security you need. It does not matter that you are not stealth. Since you are one person out of hundreds of thousands floating across the Tor network every second, it should not be inferred which of those anonymous connections is yours. On an intimate scale, this is not the case.
During December 2013's final exams week, Harvard University was emailed a bomb threat. Upon reviewing the email, the FBI could see that it was sent using the Guerrilla Mail service from a Tor IP address. From there, they searched Harvard's system records for all students that accessed Tor around the time of the email. Next, they asked those students if they sent the bomb threat. One student, a Korean whose surname happens to be Kim, confessed (I swear to God, it was a Korean named Kim).
I only use this story as an example of blowing one's cover because the good morality stories do not make the news. Please do not send any bomb threats. You will make us both look like a--holes.
The Germans used the “unbreakable” Enigma machine to encrypt communications during WWII. Unfortunately for the Nazis, the United Kingdom’s Ultra program broke Enigma, and the Brits read their sh-t. See the story in the movie The Imitation Game!
In the 1950's, the United States was flying over the Soviet Union with a badass spy-plane called the U-2. Even though the Soviets could see it, it was too high to shoot down. Then, on May Day, 1960, the Soviets shot one down.
In the 1970's, the Data Encryption Standard was developed and implemented as the United States' federal standard for data encryption. In 1998, it was broken by brute force using background processing power provided by volunteers on the internet.
Eventually, all security is breached. When? Who knows. Apply the analogies as you see fit.
Stay ethical. Stay legal. Have fun.
A M Eydie
***
If you want to say something nice, Amazon.com has a comment section…
If you want to complain, please first read the 4th paragraph of the Preface that was available in the free preview for you to read before you bought the book. If you still hate me, you can get a refund (Amazon.com > Your Account > Manage Your Content and Device > Actions > Return for Refund).
***
To donate to Tails, visit: https://tails.boum.org/contribute/how/donate.
***
If you want to send an e-card to taunt or praise Kim Jong-Un, one of these cheerleaders for human equality can forward it to him: http://www.korea-dpr.com/organization.html. Long live the Kims!
***
BONUS Section ahead → → →
WARNING – This is cool, but not highly secure.
This works on microSD cards formatted by Android phones. Like Tails, Android is a Linux-based operating system; therefore, they use the same file format.
A quick preview of what you are going to do... You will format your microSD card with your phone, and then install Tails using a program called UNetbootin.
The following instructions, with screenshots, are posted at https://howtobeanonymousonline.info/tutorial/sdcard-2/
The next steps quickly become confusing, so I am going to be specific.
Even though you cannot see it yet, the microSD card drive is now “mounted” to /dev/sda1. This will matter in a minute.
If you need to download the Tails.iso file, see the Downloading and Authenticating Tails section for instructions.
Now that the drives are inserted and mounted...
Unfortunately, you cannot create a persistence volume. If you do, you will wipe out everything your phone saved to the card.
WARNING... Again – I DO NOT CONSIDER THIS SECURE. I can imagine too many scenarios in which Kim Jong-Un can hack your phone and manipulate your SD card from Pyongyang.
Secure or not, having a secret operating system in your phone is pretty cool, especially when you can use it to boot someone's computer.
Go impress somebody in the Chess Club.
1: Jianwen Sun, Zongkai Yang, Sanya Liu, Pei Wang, Applying Stylometric Analysis Techniques to Counter Anonymity in Cyberspace, 2012
2: Farkhund Iqbal, Hamad Binsalleeh, Benjamin Fung, Mourad Debbabi, Mining writeprints from anonymous e-mails for forensic investigation, 2010
3: Michael Brennan, Rachel Greenstadt, Deceiving Authorship Detection, 2011
4: Aylin Caliskan, Rachel Greenstadt, Translate once, translate twice, translate thrice and attribute: Identifying authors and machine translation tools in translated text, 2012
5: M. Schmid, Computer-aided Writeprint Modeling For Cybercrime Investigations, 2012
6: Michael Brennan, Rachel Greenstadt, Practical Attacks Against Authorship Recognition Techniques, 2009
7: Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker, Stefan Savage, A fistful of bitcoins: characterizing payments among men with no names, 2013
In the first half of 2014, a Bitcoin mining pool named GHash.IO came to comprise over 50% of the mining power in the Bitcoin network. Previously, it was thought to be practically impossible for a single entity to gain such a large position. GHash.IO could have used their position to manipulate and compromise the Bitcoin system... essentially, asserting some 'Central Authority' powers. Major Bitcoin miners left the pool to remove the 50% threat, as those most vested in Bitcoin would stand to lose the most if confidence in the currency evaporated. Do an online search of “Bitcoin 51% Attack” to learn more.