As a security guy, I’ve been trying to write an Anonymity FAQ for my institution. So far I have:
What is anonymity?
Anonymity is a state of communication. Anonymity occurs when the source of a communication is unknown. See: http://en.wikipedia.org/wiki/Anonymity
It is important to remember that communications can be anonymous. People can NOT be anonymous. People are tangible and unique. Each person is self identified. To make a person anonymous is to destroy the person. Communications become more and more anonymous as they become increasingly disassociated with people. Ideas can be anonymous. People can not.
Normal communication is a sharing of self. Anonymous communication is a sharing of ideas. Think if it as an extreme form of technical writing.
So, why do people dislike anonymity?
Some people use anonymity to do bad things. These things include: Theft; Libel; Fraud; Deflamation; Extortion; and various Thought Crimes.
So, why do people like anonymity?
Some people use it to do good things. These things include: Free ideas and concepts from personal bias; Explore ideas that are unpopular, controversial, or politically incorrect; Create Academic Freedom; Create and maintain Democracy.
How do I create an anonymous communication?
This varies from one communication medium to another. The level of difficulty varies. Each medium requires attention to different details, but in general, the principles are the same. If you wish to be anonymous, you have to make sure that any communication source identifier is either unknown or meaningless.
Here are some suggestions from a 2013 Wired opinion article: http://www.wired.com/opinion/2013/05/listen-up-future-deep-throats-this-is-how-to-leak-to-the-press-today/
How is anonymity attacked?
Anonymity is subject to a variety of attacks. If you wish to use anonymity, you have to somehow counter the attacks. The most important attacks on anonymity are:
- Valuation attacks against Anonymity:
Good use of anonymity requires a good grasp of it’s value. Anonymity breaks when you assign too great or too small of a value to anonymous communication. Sample valuation attacks include:
- The meme “Anonymity is illegal’”
- The meme “It is impossible to be anonymous.”
- The meme “If somebody says something, it must be true.”
- The meme “Good ideas must not be challanged.”
- The meme “Bad ideas must not be discussed.”
- The meme “Anonymous speakers must have something to hide.”
- The meme “It doesn’t matter what I do, if they can’t catch me.”
As you can see, valuation attacks are memetic warfare. Various ideas are struggling for control of your brain. The winning ideas will survive and propagate.
Valuation attacks are countered by education and openess. You must clearly specify the value and the cost of anonymity. You then must take actions according to your evaluation. The whole process must be open to public inspection and validation.
- Indifference attacks against Anonymity:
Frequently, anonymity is lost thru indifference. Simply put, you lose anonymity when nobody can be bothered to create or maintain it. Sample indifference attacks include:
- Not bothering to find out how to communicate anonymously.
- Blindly handing your logs to anybody who asks.
- Logging everything. Even if you have no use for it.
Indifference is easy. Anonymity is harder. Anonymity takes work. Loss of anonymity thru indifference requires active defense. Anonymity will not exist unless there are defenders who take action to create the possibility of anonymity.
- Self incrimination attacks against Anonymity:
The easiest (and most common) way to defeat anonymity is to unwittingly reveal the source of the communication. There are many ways that identity is buried in communication. It takes effort and discipline to remove or obscure them all.
Also, any internet connected device that preserves history or state becomes increasingly unique over time. This process is unavoidable. Your phone or your computer becomes more and more unique as you use it and time passes. Your internet devices gain their own self-identity. This self-identity constantly builds in addition to it’s obvious names, numbers and external history.
To be anonymous on the internet, you have to preserve the anonymity of yourself and your communication device.This is why people use throw-away or burner phones and computers when they are attempting to achieve high levels of anonymity.
Sample Self incrimination attacks include:
- Signing your name. (Yes, really.)
- Engaging in identifying behaviors during anonymous communication.
- Using a personally identifiable tool to communicate. This might be your printer:
http://www.eff.org/Privacy/printers/ your wireless device: http://www.cs.cmu.edu/~jfrankli/usenixsec06/usenixsec06driverfingerprinting.pdf or your your normal computer: http://www.theinquirer.net/default.aspx?article=32280
- Any Internet device has multiple unique identifiers. To be anonymous, you have to suppress or change these identifiers. They include:
- Physical (MAC) address.
- In some circumstances, you will have a unique IP address.
- The design of IPv6 almost guarantees that your IPv6 IP is unique to you.
- Also, unless you utilize the IPv6 privacy extensions, your IPv6 IP will encapsulate your unique MAC address.
- Your phones IMEI identifier.
- Your phones SIM card identifier.
- Your Processor ID.
- Betrayal attacks against Anonymity:
As of late 2014, most in the network security community regard the actions of the NSA as a betrayal. They have used their vast resources to strip privacy and anonymity from everybody on the internet. See: Operation Bullrun
They also bear primary responsibility for creating and maintaining the Exploit marketplace. This marketplace is an economic engine devoted to making us less secure by creating, distributing, but not fixing exploit.
If you REALLY need anonymity, this might be a beginning…
Separate the private parts of your life.
Separate my emotional commitment from the idea I am attempting to communicate.
Create an isolated hardware environment for the anonymous communication.
Use a Raspberry Pi. At $40, it’s cheap and disposable.
Tails requires an Intel environment. Maybe when the new Intel Minnow board Max settles down. It should be $100. Should run Tails directly.
Install Debian, Firefox, NoScript, TOR, GPG.
Make sure the time identifiers are all set to a major metropolitan area. Maybe Denver.
Set keyboard and localization to the same metropolitan area.
Change local enet to random MAC.
Buy several disposable USB wireless dongles. They are only $10 to $15.
One for home and figuring it out. Save the others for when I need privacy.
Change the dongle’s MAC in software anyway.
Remember to change the MAC every time I use it. Use the Hex dice.
Remember the last bit of the first byte must be 0.
Build a Cantenna so I can be a long way away from the wireless AP.
Air gap the Raspberry at home.
Set it to ALWAYS use TOR.
Only go online by using a food vendor or hotel’s wireless AP from a distance.
Move around. Don’t frequent the same vendor or time of day or place.
These are nifty and all, but does anyone know of similar how-to’s aimed specifically at people with abusive, controlling partners? A friend of mine works in that field, and I’ve been telling her for a while they need to have info like that available, as abusers are getting very, very tech-savvy, but there seems, at least where we are, that there’s nothing like that going on. Some links & possible collaborative contacts would be greatly appreciated.
This topic was automatically closed after 5 days. New replies are no longer allowed.