diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 73f84a9..1b5ec75 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -7,3 +7,4 @@ - [Chapter 4](./chapter_4.md) - [Chapter 5](./chapter_5.md) - [Chapter 6](./chapter_6.md) +- [Chapter 7](./chapter_7.md) diff --git a/src/chapter_7.md b/src/chapter_7.md new file mode 100644 index 0000000..1090512 --- /dev/null +++ b/src/chapter_7.md @@ -0,0 +1,321 @@ +# Chapter 7 + +In the early 2000s, a whistleblower known only as "Deep Throat" played a crucial role in exposing the Watergate scandal, which eventually led to the resignation of U.S. President Richard Nixon. Deep Throat was later revealed to be Mark Felt, a top official at the FBI. + +Felt chose to remain anonymous because he feared retribution from powerful political figures and potential harm to his career and personal life. By meeting secretly with journalists Bob Woodward and Carl Bernstein, Felt provided critical information that helped uncover illegal activities and abuses of power within the Nixon administration. + +His anonymity allowed him to share the truth without facing immediate consequences, ultimately leading to significant political changes and reinforcing the importance of accountability in government. Mark Felt's story shows how anonymity can allow people to bring positive change to the world, rather than doing destruction to society. It's a double-edged sword as well as a slippery slope. + +Taking away people's anonymity means silencing dissenting voices and creating an environment of fear in which society halts. When individuals can't speak out without risking their safety, privacy, or lives, we lose dissenting opinions, and the creativity of a society dies out. It will start moving backwards, and fear will slowly become the norm of society, passing from one generation to the next, slowly taking away what makes us different from other animals. + +## Creating Another Identity + +As I mentioned in previous chapters, creating a full identity can really help in managing identities and keeping them as separate as possible. Based on your threat model and what you're going to do, you might need to create a pseudonym for yourself and tie it to your anonymous activities. + +There's a difference between pseudonymity and anonymity. Pseudonymity means giving your anonymous identity a name, so people can recognize you and your work, for example, a writer using a pen name. Anonymity means hiding one's identity entirely so that there is no way to trace or identify the individual behind the actions or information. + +You can still be anonymous and have a pseudonym. Rather than being nameless, especially if you're an activist, writer, or whistleblower, you might need a pseudonym or a fake identity that people would recognize your work with. People can connect better with someone who has a name and identity, even if it's not real, rather than a nameless user on the internet. + +Pseudonymous users can build a reputation and credibility over time, while anonymous users cannot build a reputation tied to a specific identity. + +To create your pseudonymous identity, you can choose one of these paths: + +- Create a username/nickname only +- Create a full identity +- Create a combination of both + +### Creating a Username/Nickname Only + +This path is easier; you only have to think of a unique and untraceable nickname or username and tie your activities to that. The drawback is that it can make it harder to gain reputation and credibility, and if you work with other people, you might want to have an actual name and origin as well. + +A real-life example of a nickname would be the famous "Dread Pirate Roberts," aka "DPR," which was the nickname of Ross Ulbricht, the creator of the "Amazon of Drugs," aka the Silk Road. Ross Ulbricht had no other name than this, just one name, "Dread Pirate Roberts." + +What matters when creating a nickname is that you don't choose something that can be linked to your real identity. That is the only and most important thing when it comes to creating nicknames. Make sure it doesn't reflect too much of your real identity's interests, and make sure you have never used it before. + +To prevent links between your real identity and your nickname, it's better to use a nickname generator website. Search for one and choose one that sounds the best to you, and check its uniqueness as well. Google it and see if anyone else has it or not. + +### Creating a Full Identity + +This path involves choosing a country, an origin story, birthday, full name, gender, address, email with that name, etc. Basically, you are creating yourself a full character with its own interests, style of writing, name, birthplace, birthday—everything. + +The advantage of this path is that it is really easy to keep it separate from your real identity. If you have to sign up somewhere that requires information, you can enter the fake personal information you created before. + +Make sure the name doesn't lead back to you and write it down in a safe place to keep it consistent, so you don't have to change anything if you forget it. + +Also, there are a lot of websites that can generate random and fake identities and addresses. Just search for one and you'll find a ton of them. + +### Create a Combination of Both + +This path, in my opinion, is the most convenient. You can have both a nickname and a full identity and use them as needed. For example, for your GitHub, you can use your nickname as the username and the fake name as your name. + +This can bring you both reputation and credibility and ease of identity management, while allowing you to use either name based on the situation. + +Just make sure the nickname and identity don't lead back to your real identity. You can also create some nicknames by combining the name and information of your fake identity as well. + +## OPSec and Online Behaviours + +When it comes to anonymity, your OPSec and online behaviors are the most important factors. I have covered OPSec in Chapter 3. Your operational security is crucial when it comes to privacy and especially anonymity. Having poor OPSEC and not being cautious about what information you share online is like snitching on yourself. + +Other than your OPSEC, your online behaviors play a huge role in maintaining anonymity. These behaviors can be hard to keep consistent. Inconsistent behaviors can create identifiable patterns that can be used to de-anonymize you. Here are some key points to consider: + +### Typing Patterns (Keystroke Dynamics) + +Your typing speed, rhythm, and the way you switch between keys can create a unique fingerprint. Using typing randomizers or maintaining a consistent typing speed can help avoid recognizable patterns. + +### Mouse Movement and Click Patterns + +The way you move your mouse and the speed at which you click can be tracked. Use tools to anonymize mouse movements or standardize your movement patterns to reduce the risk of identification. + +### Touchscreen Gestures + +On mobile devices, swipe and tap patterns can be unique to you. Similar to mouse movements, try to use standardized gestures and avoid developing identifiable patterns. + +### Browser Fingerprinting + +Details like installed fonts, plugins, screen resolution, and color depth can create a unique browser fingerprint. Use browsers or extensions that randomize or block these details, such as the Tor Browser or CanvasBlocker. + +### IP Address and Network + +A static IP address is more easily trackable. Regularly change your VPN or proxy server location to avoid creating patterns. Use public or shared networks along with an anonymizing network like the TOR network for activities requiring high anonymity. + +### Device Fingerprinting + +Information about your device’s hardware, such as the GPU and CPU, can be collected. Use virtualization or disposable devices for highly sensitive activities to avoid leaving identifiable traces. + +### Behavioral Biometrics + +Keystroke dynamics and other behavioral biometrics can uniquely identify you. Consider using virtual keyboards or scripts to automate some typing tasks. + +### Account and Profile Creation + +Using the same pseudonym across platforms can create linkable patterns. Use different pseudonyms and email addresses for different accounts to avoid connections if possible. + +### Usage Patterns + +The times at which you are active online and the frequency of your logins or visits can create patterns. Vary your online activity times and frequency to avoid detection. + +### Language and Writing Style + +Your vocabulary, syntax, and repeated use of specific phrases can be distinctive. Use different writing styles or tools like paraphrasers to vary your text and reduce traceability. + +### Geolocation + +GPS data, Wi-Fi, and Bluetooth signals can reveal your location. Disable GPS, Wi-Fi, and Bluetooth when not needed, or use location spoofing tools to mask your whereabouts. + +### Software and Version Information + +The combination of your operating system and browser version can be unique. Use commonly used software versions and keep them updated to blend in with the crowd. + +### Social Media and Online Presence + +The type of content you post, your engagement patterns, and your network connections can all be used to trace your identity. Limit social media use, employ pseudonyms, and avoid linking accounts to maintain anonymity. + +Consistency in these practices is key to avoiding de-anonymization and maintaining the highest level of security. + +You might not need to worry about all of these behaviors; see which ones seem more important to your activity. For example, if you're a writer or whistleblower, your writing style can matter a lot more than other things. + +## Creating an Environment for Your Activities + +Every identity needs an environment for their work and activities, and the setup of that environment is heavily dependent on your threat model. Not every identity and activity requires maximum caution and privacy, but some might, based on what you want to do. + +You need to tailor this setup to your own situation, but I will show some examples of different environments based on the sensitivity of activities. These may not necessarily suit your specific situation. + +### Low-Sensitivity Activities + +For activities that do not require high levels of anonymity, such as casual browsing or social media use under a pseudonym, a basic setup may be enough: + +- **Browser**: Use a privacy-focused browser like Firefox with privacy extensions such as uBlock Origin, and apply some hardening using Arkenfox, to make it both usable and private. Also, use different hardened profiles for different pseudonyms and activities. +- **VPN**: A reputable VPN service to mask your IP address and encrypt your traffic. +- **Email**: Use a privacy-respecting email service like ProtonMail or Tutanota. +- **Search Engine**: Use DuckDuckGo or Startpage to avoid tracking by mainstream search engines. +- **Privacy-Friendly Front-Ends**: There are privacy-friendly front-ends for YouTube, Twitter, Instagram, etc., that allow you to browse these websites without having an account on them or sharing too much data. + +### Medium-Sensitivity Activities + +For activities that require moderate anonymity, such as maintaining a blog or participating in forums on sensitive topics, a more cautious setup is necessary: + +- **Browser**: Use the Tor Browser for anonymity and protection against tracking. +- **VPN**: Combine a VPN with the Tor network for added security. This can impact your network bandwidth, so if bandwidth is a concern, Tor with obfuscation might be sufficient. +- **Email**: Use secure email services and consider disposable email addresses for one-time communications. +- **Device**: Consider using a dedicated device or a virtual machine for these activities to avoid cross-contamination with your primary activities. +- **Communication**: Use encrypted messaging apps like Signal or Matrix (although not as secure as Signal, it allows sign-up with email and you can host your own home server, so it might be better for privacy and anonymity) for secure communication. + +### High-Sensitivity Activities + +For activities that require the highest level of anonymity, such as whistleblowing, investigative journalism, or activism in a dictatorship regime, a maximum security environment is needed: + +- **Operating System**: Use a live operating system like Tails, which can be run from a USB stick and leaves no trace after use, or set up an encrypted virtual machine with Whonix OS. +- **Browser**: Strictly use the Tor Browser and follow Tor usage best practices. +- **VPN**: Use a multi-hop VPN service and route your traffic through the Tor network for layered security. +- **Email and Communication**: Use encrypted email services, PGP encryption for emails, and secure messaging apps like Signal or Wire. Consider using anonymous email services for additional protection. +- **Device**: Use a dedicated, secure device that is only used for these high-sensitivity activities. Regularly wipe and reformat the device to remove any potential traces. +- **File Sharing**: Use encrypted file-sharing services and tools like OnionShare to share files anonymously. +- **Metadata Removal**: Always strip metadata from files and photos before sharing them. +- **Geolocation**: Disable GPS, Wi-Fi, and Bluetooth on your device. Use location spoofing tools to mask your actual location. +- **Operational Security**: Maintain strict OpSec practices, such as never using your real identity, avoiding linking different online identities, and being cautious about the information you share. + +## Anonymizing Tools + +To stay anonymous online, you will need to use different tools based on your needs and situations. Not every tool will necessarily improve your anonymity if used without need. Here are some key anonymizing tools categorized by their function and use case: + +### 1. Browsers + +- **Tor Browser** + - **Use Case**: High-level anonymity needs, such as accessing the dark web or conducting sensitive research. + - **Features**: Routes your internet traffic through the Tor network, masking your IP address and encrypting your traffic multiple times. + +- **Brave Browser** + - **Use Case**: General privacy-focused browsing for everyday use. + - **Features**: Built-in ad blocker, tracker blocker, and the ability to use Tor for private tabs. + +- **Hardened Firefox Browser** + - **Use Case**: Highly customizable and can be great if fingerprinting is not your main concern. + - **Features**: Can be set up based on your needs and can provide great anti-tracking features if hardened correctly. + +### 2. VPN (Virtual Private Network) + +- **Reputable VPN Providers** + - **Use Case**: Masking your IP address and encrypting your internet traffic. + - **Features**: No-logs policies, multiple server locations, and additional security features like double VPN and kill switches. + +- **Self-Hosted VPNs** + - **Use Case**: Great for bypassing censorship as you can run protocols that have greater obfuscation and are less likely to be blocked by firewalls. + - **Features**: Can help bypass censorship; no one else can control and access the data passing through the VPN other than you. + +### 3. Email Services + +- **ProtonMail** + - **Use Case**: Secure, encrypted email communication. + - **Features**: End-to-end encryption, based in Switzerland, supports PGP encryption. + +- **Tutanota** + - **Use Case**: Privacy-focused email service. + - **Features**: End-to-end encryption, no tracking, built-in encryption for calendars and contacts. + +- **Disposable Email Services (Guerrilla Mail, 10 Minute Mail)** + - **Use Case**: Temporary email addresses for short-term use. + - **Features**: Provides anonymous, temporary email addresses that self-destruct after a set period. + +### 4. Messaging Apps + +- **Signal** + - **Use Case**: Secure messaging for personal or professional use. + - **Features**: End-to-end encryption, open source, self-destructing messages. + +- **Briar** + - **Use Case**: Censorship-resistant encrypted messaging via Bluetooth, Wi-Fi, Tor, with privacy built-in. + - **Features**: Great for communicating securely in places with no internet or high censorship. + +### 5. Operating Systems + +- **Tails** + - **Use Case**: High-security needs, such as whistleblowing or sensitive journalism. + - **Features**: Live operating system that runs from a USB stick, leaves no trace, routes all traffic through Tor. + +- **Qubes OS** + - **Use Case**: Secure, compartmentalized computing. + - **Features**: Uses virtualization to create isolated environments for different tasks, reducing the risk of compromise. + +- **Whonix OS** + - **Use Case**: A security-focused operating system designed to ensure maximum anonymity and privacy. It can also be used along with Qubes OS for additional security and isolation. + - **Features**: Uses virtualization to create isolated environments for different tasks, reducing the risk of compromise. + +### 6. File Sharing and Storage + +- **OnionShare** + - **Use Case**: Securely sharing files anonymously. + - **Features**: Uses Tor to create a temporary, anonymous file-sharing server. + +- **ProtonDrive** + - **Use Case**: Encrypted cloud storage. + - **Features**: End-to-end encryption, integrated with ProtonMail for secure file sharing. + +### 7. Metadata Removal Tools + +- **ExifTool** + - **Use Case**: Removing metadata from files before sharing. + - **Features**: Command-line tool for viewing, editing, and removing metadata from various file types. + +### 8. Search Engines + +- **DuckDuckGo** + - **Use Case**: Privacy-focused web searches. + - **Features**: Does not track search history, anonymizes user information. + +- **Startpage** + - **Use Case**: Anonymous web searches using Google results. + - **Features**: No tracking, IP anonymization, private search queries. + +### 9. Device and Network Security + +- **MAC Address Randomization** + - **Use Case**: Preventing tracking of your physical device. + - **Features**: Changes your device’s MAC address to avoid identification on networks. + +- **Public Wi-Fi Caution** + - **Use Case**: Reducing risk when using public Wi-Fi. + - **Features**: Always use a VPN, avoid accessing sensitive accounts, and consider using a travel router for added security. + +### 10. Behavioral Anonymizing Tools + +- **Typing Randomizers and Virtual Keyboards** + - **Use Case**: Preventing identification through keystroke dynamics. + - **Features**: Randomizes typing patterns or uses on-screen keyboards to avoid tracking. + +- **Mouse Movement Anonymizers** + - **Use Case**: Obfuscating mouse movement patterns. + - **Features**: Tools that standardize or randomize mouse movements. + +Not all of these tools are needed, nor are they guaranteed to remain effective over time. The world is constantly changing, so always research and keep yourself updated about privacy and security news and new tools. These companies may also change their policies or effectiveness over time. If you read this book years later, do some research, but the concepts should remain the same, even if the names of the tools have changed. + +## Purchasing Anonymously + +Sometimes, for your activities, you might need to buy things anonymously online, such as a VPS (Virtual Private Server) to host your own VPN or cloud storage, or you might want to buy a VOIP number anonymously to sign up for Signal or Twitter, or pay for your VPN service. In these cases, you cannot pay with PayPal or credit cards or debit cards, as they are easily trackable. Also, you cannot pay with most cryptocurrencies, as they are worse than fiat and PayPal. For PayPal and credit cards, there should be a court order or permit to see who has paid, but for Bitcoin, well, it is a public ledger; everyone can see where the money comes from and where it goes. Everything is transparent. Most popular cryptocurrencies are like that. Your Bitcoin address is not tied to your name directly, that is correct, but you have to buy it from an exchange first or someone sends you some, and the moment you spend your cryptos, it's obvious whose they were. There are some methods like coin mixing, which is not legal in most countries because you're mixing your coins with others' coins. + +But there are cryptocurrencies that are meant to be anonymous, like Monero or Zcash (as these two are the most popular privacy coins on the market). Here's how they work: + +### Monero (XMR): + +**How it Works:** + +1. **Stealth Addresses**: Monero uses stealth addresses to ensure that transactions cannot be linked back to the recipient. A unique one-time address is created for each transaction, which hides the recipient's actual address. + +2. **Ring Signatures**: This cryptographic technique allows a group of users to sign a transaction without revealing which member of the group actually signed it. In a Monero transaction, multiple possible sources of funds are included in the transaction, making it unclear which source is the actual sender. + +3. **Ring Confidential Transactions (RingCT)**: This feature hides the amount being transacted. RingCT ensures that the values in a transaction are hidden from everyone except the parties involved, preventing third parties from knowing the amount of money being sent. + +4. **Kovri Project**: Monero plans to integrate the Kovri project, which will route and encrypt transactions through I2P (Invisible Internet Project) nodes, further obscuring the transaction metadata such as IP addresses. + +**Why It’s Anonymous:** + +- **Obscured Addresses**: Stealth addresses ensure that only the sender and recipient know where the funds are going. +- **Hidden Transaction Amounts**: RingCT hides the amount of every transaction. +- **Unlinkable Transactions**: Ring signatures make it impossible to determine the actual source of funds. +- **Additional Layer of Privacy**: The Kovri project adds an extra layer of anonymity by masking transaction origins through I2P. + +### Zcash (ZEC): + +**How It Works:** + +1. **Zero-Knowledge Proofs (zk-SNARKs)**: Zcash uses a form of zero-knowledge proofs called zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) to enable fully anonymous transactions. These proofs allow one party to prove to another that a statement is true without revealing any information beyond the veracity of the statement itself. + +2. **Shielded Addresses**: Zcash offers two types of addresses: transparent addresses (t-addresses) and shielded addresses (z-addresses). Transactions between shielded addresses are completely private and do not reveal the sender, recipient, or amount being transacted. + +3. **Selective Disclosure**: Users can choose to disclose transaction details to third parties (e.g., for auditing purposes) while keeping the rest of the network unaware. + +**Why It’s Anonymous:** + +- **Private Transactions**: zk-SNARKs allow transactions to be verified without revealing any transaction details. +- **Shielded Transactions**: Transactions between shielded addresses hide the sender, recipient, and transaction amount. +- **Flexibility**: Users can opt for transparent transactions when privacy is not needed or use shielded transactions for full anonymity. +- **Selective Transparency**: Users can disclose transaction details when necessary without compromising overall privacy. + +But there are many more privacy coins as well, but if a coin is not well known in the market, most websites probably won't accept it as payments. The acceptance of privacy coins can be limited, and their use for online purchases might be restricted compared to more well-known cryptocurrencies, especially when governments try to regulate these coins or, if they can't, they will try to eliminate them. + +Another payment method is cash. Cash money is as private as Monero; I would say Monero is the cash equivalent of cryptocurrencies. Cash transactions do not require personal information, and there is no way to trace them back to you. Also, more importantly, cash is accepted almost everywhere. Some websites like MallwadVPN allow you to send them cash for the VPNs. + +Also, you can get prepaid cards with cash for online purchases as well. This won’t link them to your identity if they are bought without providing personal information and they’re paid with cash. + +--- + +These were some starting points for beginning an anonymous life; it obviously goes way deeper than this. It changes your lifestyle, your communications, everything. The next chapter will be about the skills you need to learn to maintain this anonymity and privacy and to move forward.