As careful as some of the things he suggests are...if you're truly wanted by a state-level actor or sufficiently motivated attacker, you won't be able to hide by simply using VPN and Tor. Especially if you're running something with many transactions like AlphaBay. You would need to obfuscate quite a bit more:
- if you're using VPN traffic but most people "around" you aren't, you're a suspicious node; your ISP could easily flag you to your government. If you use wifi at a common point you're likely to be flagged and there isn't an easy way other than keeping on the move. But moving often is another anomalous event, and it's very difficult to do even for Drug Lords ( El Chapo ) or Terrorists that it behooves to do. This puts you in a sort of Zugzwang, to borrow a chess term.
- there's always leakage, for instance, in the way you talk with people in the real world. At some point you send enough communication for sophisticated frequency analysis.
- and there are other patterns of usage that could be used to identify you, like searches or even keyboard frequency on anonymized accounts can be de-anonymized by very specific markers ( ML works! ).
- off ramps for crypto aren't very good. If you're in e.g. Brazil, haha, yeah, good luck spending bitcoin or any other crypto and going unnoticed. Mixers and tumblers will eventually leak and you'll be caught.
- you're very vulnerable to social engineering by people you do business with. one slip where you stop communicating in a transactional mode of communication and that's a weak link in your armor.
In the end, the FBI only has to be right once, and you have to be right every time.
You're absolutely right. It is not enough to use anonymity tools, you also have to make sure everything else around you doesn't compromise your anonymity. Made me think of a Harvard bomb threat incident where the student posting a fake bomb threat (through Tor) to avoid final exams was the only person using Tor on campus at the time, which trivially identified him.
>> If you're in e.g. Brazil, haha, yeah, good luck spending bitcoin or any other crypto and going unnoticed
South America is the greatest tumbler of all. I spent years in Argentina under the currency restrictions and paid my rent in Bitcoin, bought USD and pesos at black market rates in Bitcoin, all with people I met on localbitcoins and never using an exchange. I don't know about Brazil, but there is a huge market for peer to peer BTC in AR and UY, and you can just trade an envelope of cash over the table at a Starbucks in Buenos Aires for anywhere up to $10K USD.
In the USA I would be scared of being on camera, but I really doubt you would have that problem if you meet someone in a bar or on the beach in Brazil.
[edit] Just to explain this comment for people who think of BTC as something that you have to buy or sell on an exchange where you're allowing the endpoints to be tracked; the original reason for cryptocurrency was that you don't have to show your passport or link it to a bank account. That still obtains in lots of places in the world where people will happily give you their shitty paper money for bitcoin, and you can use the paper to pay your rent. Don't buy BTC on an exchange, and don't sell it on an exchange. Buy it from someone in person in a phone-to-phone transfer, or win it in a poker game. Keep it in a private wallet, not an exchange. Sell it P2P in person when you want to. You don't need to use an exchange at all.
For example, you buy a burner phone, but the place you bought it from, even if a second hand shop, had a security camera. Maybe they also record IMEI's before selling phones.
Or you carry your burner phone together with your real phone. Or alternatively, you leave one at home when using the other. Both of these things can be linked by a sufficiently determined actor (FBI/NSA level).
Or they track you to using a public square WiFi one day. Again, cameras are everywhere.
If they got your real name, no matter how, it's game over. You will be surveilled and they will find proof to link you. This is why all those posts "if only DPR used this kind of encryption or dead-men-switch" are ridiculous. Once they knew his real name it was just a matter of time and building a case.
It's very odd to list all these (pretty theoretical!) things when, in practice, everyone gets owned by much more basic operational security concerns (except for the last "social engineering" one, where moving to a different communication network is a super common way for law enforcement to close the loop on an investigation).
Like "being super careful isn't enough" _might be true_, but if you did everything on this list and get caught anyways, you are in a super minority of people getting caught.
The example in the article (a hotmail-based email address being used). Everyone sees this and immediately goes "OK the feds can get this info". If such a basic opsec failure was happening, how is it that this person was still able to get as far as they did building up their website?
Being worried about the feds finding you from speech analysis of your posts online seems a bit silly when it's always _not_ that and much more just "finding the one simple thing you did wrong".
Scamming is BOOMING. We are talking entire developing countries getting onboard. The noise ratio is very high on all these services. There are hundreds of "alphabays" running RIGHT now with millions of people using them, right now. This isnt 2013, those big take-downs of high profile sites did nothing but diversify, fracture the community.
Sure, if u piss off the wrong agent and they spend a few years on the case you may get busted. But the vast majority?
Why is this comment the top comment when it's a bunch of conjectures, scare mongering tactics and half-truths at best? Sure if you're on tor and no one else around you is then you stand out, so what? Now there is a faint signal that there is something suspicious going on. To assume one could with sufficient accuracy narrow down a target based on a weak signal like that to see what they're up to is like assuming we're going to general AI any day now because obviously imageNet is so good. Let's not allow the creation of an echo chamber to add confusion to the great work people at the Tor project are doing and to instill even more fear in those who may want to dissent against authoritarian forces.
> if you're using VPN traffic but most people "around" you aren't, you're a suspicious node
Yes, working from home is very suspicious. :P
(That said, the VPN companies that work in the B2C segment for those who can't set up their own VPN server is small and they're all well-known to the government.)
Are there reported incidents where somebody was caught with such sophisticated techniques? It seems like every time I read about how the FBI caught some big darknet criminal it was pretty much always some trivial mistake on the criminal's side.
VPN providers can also be compelled to share all logs, even if they say they don’t log your info or activity, there are court cases that prove there are weaknesses in VPN providers, whether it was the method of payment you signed up with or if they logged your meta data on sign up, location services and telemetry from a mobile app backend etc.
Privacy is never a guaranteed thing when you introduce ubiquitous computing to the mix, even things outside of computers can profile you like being captured in CCTV around the time when your signals are picked up from a computer/smartphone phoning home or unusual internet activity, like the scene out of Mr. Robot.
Having to be right “every time” is why it’s insane we still rely on things like SSNs and phone numbers that are difficult to replace but highly valuable and damaging if leaked.
We need to be exchanging personal data only in forms that become worthless and unidentifying in a short period of time, requiring secure refreshes to maintain.
It’s a bit like Schneier’s Law. You can put in place protections that you personally cannot workaround, but that doesn’t mean someone with sufficient means and motivation would also be blocked.
Or you can just be a known drug lord, launder billions of USD through a respected international bank, no one goes to jail, small fine, and they're probably still laundering 10 years later and no one cares. No one is anonymous. They're probably all using SMS and corporate email.
Sell a little bit of drugs through the silk road and you'll get royally f-ed! Sell all the opioids in the world through a public pharma corp and you can keep enjoying your jet-set life and yacht.
The allegedly smartest people in the world are focusing on the dumbest problems while being reamed by the frat-boys that went to Wall Street and Politics, guns and drugs. LULZ.
“The pretext of protecting financial privacy is merely a fig leaf covering the shameful role of Swiss banks as collaborators of tax evaders.”
And it's more than tax evasion, "include a human trafficker in the Philippines, a Hong Kong stock exchange boss jailed for bribery, a billionaire who ordered the murder of his Lebanese pop star girlfriend and executives who looted Venezuela’s state oil company, as well as corrupt politicians from Egypt to Ukraine".
Sure, big pharma over does it sometimes but remember that people truly need these drugs sometimes and they are prescribed by well intentioned doctors.
I don't think you can compare a legitimate business publishing public accounting figures, operating within the law, subject to policy by elected officials with the illicit drug trade who's supply chains operate in the dark. These supply chains are probably responsible for thousands of deaths, human trafficking, and unfathomable suffering whose actors you have no possible way of mitigating their actions.
I grow weary of hearing this recurring argument that the relatively minor side effects of a free market being compared to pure evil.
It's good advice. The problem with anonymity in an environment of ubiquitous surveillance is that it's paradoxical. The point of anonymity is achieving freedom, but staying anonymous expends energy and makes you a target, so you can't actually do any things that anonymity was supposed to get you.
If what you really want is sovereignty, which is what most people confuse anonymity with, the goal is to be like what Ernst Jünger called the anarch (in contrast to the anarchist), which is someone who complies and renders herself indifferent to authority, rather than standing out and drawing attention.
A much better practice is to be as open as possible about the boring stuff, so you're not constrained and can do what everyone else does. Trying to be absolutist about anonymity is automatically like wearing a straitjacket.
The article touches on a good point: one mistake and you're out. It doesn't even have to be your mistake - you didn't choose to put your SSN out there after all, yet here we are.
This gave me a radical company idea, on the other end of the spectrum: spam as a service. Something that'll take your name, email, and other things and put it all over the internet in questionable and plausibly denial ways. That way, even when someone is trying to find things out about you, it'll be hard to find, and easy to deny. (I'm kidding of course).
This is the crucial piece. It doesn't matter how careful you are; everyone who knows you has to be careful too. I have a... well, I hesitate to use the word stalker, because that makes them sound more motivated than they really are. But someone on that spectrum, anyway. After a few years of being harassed I managed to elude them. Then they found me again. You know how? They pieced together two pieces of information posted publicly by other people. That's all it took.
"Something that'll take your name, email, and other things and put it all over the internet in questionable and plausibly denial ways."
What if instead of spamming the correct information out, spam slightly incorrect information out.
Correct address, incorrect middle initial, wrong birth month, and a machine generated SSN would be from the right time period, area number, but with an incorrect group and serial number.
Personas like someone who posts content during 08:34:40 - 09:23:23 except 08:43:30-08:55:23, never seems to be active during 22:00 - 06:00, can be narrowed down to something like a person commuting via bus route A from stop B to C changing to a train route from C to D through passageway E in the station.
From there you can look for a man looking down at a phone, or couple information with other factors, or throw in a bait like a giant stinking dead fish or a rare and loud car in front of him and watch for responses he'd make. IMSI catchers and Bluetooth scanners can be useful as well if your adversaries are resourceful. Time and location of transmissions and time of receptions can be correlated, in theory.
This type of attacks can't be mitigated on fast-paced social media at all; both posts and requests has to be queued and obfuscated for time.
That's a bultin feature of messaging systems like I2P-bote (running on I2P darknet). It's been a while since experimenting with Bitmessage but I think they queue/batch messages as well. But for forum like software that's definitely true, can't easily have variable delayed posting.
Another aspect that's important and often ignored, is writing style anonymization. You practically want an offline tool, that removes idiosyncrasies from the text you write and makes it sound as bland as possible.
edit:
A related story. Around 2010-2012 I was working for a company, and I was part of a somewhat managerial group. At one point we decided to pull in direct employee feedback in an anonymous free-text form. Due to their writing style being reflective on the way they spoke, it was possible to point exactly who wrote what message. Of course, few exceptions existed, I didn't personally know all the employees in the company.
The conclusion is a weird one, given the premise. The crux of the argument is basically true. Its an all or nothing proposition.
Or you can lead a double life. One for your public persona, where you don't care at all about security, and your real persona, where you do. This has been my approach on the internet since basically it started and handles were a common thing.
I don't care about being anon, but I don't want all my info sitting in databases, so I've made done the following and trying to evolve over time and fix gaps that I currently have. This is things I've done...
* Use Brave browser with ublock origins and privacy badger
* Use pihole + unbound to resolve my own DNS and do not use google
* Run wireguard on my home network that I connect to when I'm out and need to use wifi
* Be anti-google as much as possible. I'm still in the process of this, i'll switch my domain based email off of google soon
* Be anti-facebook and delete all accounts (whatsapp and insta included)
* Be anti-reddit
* Be anti-cloud and host everything internally as much as possible (except for encrypted backups, say for video cam footage)
* All of my home automation is local and blocked from the internet. If I want access, I'll connect to my VPN.
* Use signal with disappearing chats to communicate with my friends.
Maybe Eric S. Raymond's advice from 21 years ago is no longer true in today's internet:
> Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms. Hackers don't do this; they're proud of what they do and want it associated with their real names. So if you have a handle, drop it. In the hacker culture it will only mark you as a loser.
I mix @realname and @pseudonym accounts. I'm generally pretty careful about what I post under my real name and less so under an alias.
However, over time I drop enough clues that people could figure my real identity with a little work. That leaves me with the worst of both worlds. It seems safest to assume that your identity is always tied to everything you do online.
"Ultimately, anonymity comes down to one thing: Control. You should educate yourself on data privacy and make sure that you know what data you're sharing and what is possibly out there."
And be OK that sometimes some people don't want to interact with anonymous randos... Credentials are not everything, but they are a filter on medias with large amounts of time-wasters...
I make sure that I can be found and attributed. I deleted my last anonymous account, a couple of years ago. In the Days of Yore, I was pretty much "Dick From the Internet." A real neckbeard troll.
There's a lot of reasons that I do it. The biggest, is that I want to be in control of my narrative. I learned from a couple of folks that are really good at curating their SEO results.
Also, these days (for a change), I'm pretty well-behaved. Doing it this way, helps to keep it that way.
Alex Cazes had bad op-sec. His #2, DeSnake, didn't, and is still alive and well and has restarted his marketplace and gives anonymous interviews to media outlets:
I think the point about most people not choosing anonymity at all is a bit misleading. It assumes that these people are making a reason, informed choice, and going ahead and living the way they do. I don't think that's the case.
Most "normal" people, and even many tech people, don't know what companies like Google and Facebook are capable of. If you showed someone exactly what information of theirs was collected, for how long, the predictions they could make with it,and god knows what else is being done with it, I think many people would change their behavior. But they don't know, and this is not an accident.
Most people do not even know what the business model of Facebook and Google are. If you ask, they'd probably say something like "oh they're an email company" or "they help me share photos of my grand kids" or god-forbid, they're "helping connect people connect". Both are surveillance-based, personal information-driven ad companies. That's it. No amount of Google X or Android or Gmail or Libra or FB Live or any other program will change what their business is. And they will never, ever admit to this.
Privacy is on a spectrum, but is also compounded by time and once the cats out the bag it can be impossible to turn back. In the example given of Alex Cazes he could change the from email but the damage was already done - there's no way to recall the emails already sent that led a trail back to him.
The article presents a spectrum, dismisses both extremes, and advocates that people aim for the middle. The problem is, you may think you are hanging out in the middle, but you probably have much less privacy than you think you do. Even if you are making the right choices for today, you can't trust that the future will keep things private (advances in ML, ubiquitous surveillance) and you don't know that futures isn't here yet.
Personally, I hang out at the fully open end of that spectrum. This has worked out pretty well for me; I don't think I've run into any downsides.
What do we want to achieve by protecting our online identity?
For me, escaping the pervasive tracking and profiling by FAANG is one goal. I'm sure that tracking me across the internet is a lot more difficult (not impossible) than tracking the average user. Hopefully it can't be done in an automated fashion. That way tracking me is hopefully just not worth doing just for a few advertising dollars.
This reminds me of a time I was having a yelling match with a guy on reddit and he started calling me names. I google searched his username and he had used it across multiple sites, several being porn sites, and he also posted his reddit user name on his Facebook and a Facebook search I found his real name and pictures of him. When I called him by his real name and linked a picture of him he immediately changed his tune. In the end he and I both laughed and thought it was funny and he was more curious how I found all those thing. I told him he used the same username across multiple sites including Facebook. He said he was a lot younger and didn’t think of those things when he originally did it. I removed any post where I used his name and tried not to dox him for others to see.
I would strongly advise anyone who really wants to be anonymous on the internet such as a freedom activist in a totalitarian country, not to follow the advice listed at the end of the article.
Or rather: these are very basic and very naive recommendations, certainly good first steps, but absolutely nowhere near enough to guarantee strong anonymity on the internet.
Remaining truly anonymous on the net is extremely hard, especially in these days where ML can be used to statistically narrow down and pinpoint who wrote a specific piece of text only based on things like use of punctuation, vocabulary, sentence structure and style.
I have been afraid of sharing my ideas, post history, etc. in a way that could be easily traced back to my identity for years. I made sure my accounts and usernames bore no personally identifiable tid-bits. I use a VPN religiously (that won't change).
I've since decided that I am done with all that.
I was afraid my employer might question my Reddit posting history (they wouldn't.) I was worried someone who Googled me would think my past self was dumb (who cares).
Now my ideas are almost all public and growing more so by the day. I am working up the energy to start a personal blog, if anything just to document my ideas over time. I am adding my real name and email to my Github, HN, (not Reddit, yet, though it would not be hard to connect), IH, etc.
I want someone to be able to Google me and find my best work.
On the other hand, there are clearly cases and types of info/accounts that should remain private. I self-host as much as possible. I encrypt personal files before uploading. I have multiple Protonmail accounts. I use custom DNS, etc.
Ideas should be public. Information is a case by case basis, but I generally care a lot less than I used to.
[+] [-] cellis|4 years ago|reply
- if you're using VPN traffic but most people "around" you aren't, you're a suspicious node; your ISP could easily flag you to your government. If you use wifi at a common point you're likely to be flagged and there isn't an easy way other than keeping on the move. But moving often is another anomalous event, and it's very difficult to do even for Drug Lords ( El Chapo ) or Terrorists that it behooves to do. This puts you in a sort of Zugzwang, to borrow a chess term.
- there's always leakage, for instance, in the way you talk with people in the real world. At some point you send enough communication for sophisticated frequency analysis.
- and there are other patterns of usage that could be used to identify you, like searches or even keyboard frequency on anonymized accounts can be de-anonymized by very specific markers ( ML works! ).
- off ramps for crypto aren't very good. If you're in e.g. Brazil, haha, yeah, good luck spending bitcoin or any other crypto and going unnoticed. Mixers and tumblers will eventually leak and you'll be caught.
- you're very vulnerable to social engineering by people you do business with. one slip where you stop communicating in a transactional mode of communication and that's a weak link in your armor.
In the end, the FBI only has to be right once, and you have to be right every time.
[+] [-] ogisan|4 years ago|reply
https://theprivacyblog.com/blog/anonymity/why-tor-failed-to-...
[+] [-] noduerme|4 years ago|reply
South America is the greatest tumbler of all. I spent years in Argentina under the currency restrictions and paid my rent in Bitcoin, bought USD and pesos at black market rates in Bitcoin, all with people I met on localbitcoins and never using an exchange. I don't know about Brazil, but there is a huge market for peer to peer BTC in AR and UY, and you can just trade an envelope of cash over the table at a Starbucks in Buenos Aires for anywhere up to $10K USD.
In the USA I would be scared of being on camera, but I really doubt you would have that problem if you meet someone in a bar or on the beach in Brazil.
[edit] Just to explain this comment for people who think of BTC as something that you have to buy or sell on an exchange where you're allowing the endpoints to be tracked; the original reason for cryptocurrency was that you don't have to show your passport or link it to a bank account. That still obtains in lots of places in the world where people will happily give you their shitty paper money for bitcoin, and you can use the paper to pay your rent. Don't buy BTC on an exchange, and don't sell it on an exchange. Buy it from someone in person in a phone-to-phone transfer, or win it in a poker game. Keep it in a private wallet, not an exchange. Sell it P2P in person when you want to. You don't need to use an exchange at all.
[+] [-] 323|4 years ago|reply
For example, you buy a burner phone, but the place you bought it from, even if a second hand shop, had a security camera. Maybe they also record IMEI's before selling phones.
Or you carry your burner phone together with your real phone. Or alternatively, you leave one at home when using the other. Both of these things can be linked by a sufficiently determined actor (FBI/NSA level).
Or they track you to using a public square WiFi one day. Again, cameras are everywhere.
If they got your real name, no matter how, it's game over. You will be surveilled and they will find proof to link you. This is why all those posts "if only DPR used this kind of encryption or dead-men-switch" are ridiculous. Once they knew his real name it was just a matter of time and building a case.
[+] [-] rtpg|4 years ago|reply
Like "being super careful isn't enough" _might be true_, but if you did everything on this list and get caught anyways, you are in a super minority of people getting caught.
The example in the article (a hotmail-based email address being used). Everyone sees this and immediately goes "OK the feds can get this info". If such a basic opsec failure was happening, how is it that this person was still able to get as far as they did building up their website?
Being worried about the feds finding you from speech analysis of your posts online seems a bit silly when it's always _not_ that and much more just "finding the one simple thing you did wrong".
[+] [-] weq|4 years ago|reply
Sure, if u piss off the wrong agent and they spend a few years on the case you may get busted. But the vast majority?
[+] [-] soheil|4 years ago|reply
[+] [-] xvector|4 years ago|reply
Whonix uses Kloak to mitigate this [1], but unfortunately it isn't available in Qubes-Whonix.
> Mixers and tumblers will eventually leak
Don't use mixers and tumblers, use Monero and/or Monero atomic swaps.
But, you are right that it is futile to maintain defense against a determined 3 letter agency.
[1]: https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak
[+] [-] otabdeveloper4|4 years ago|reply
Yes, working from home is very suspicious. :P
(That said, the VPN companies that work in the B2C segment for those who can't set up their own VPN server is small and they're all well-known to the government.)
[+] [-] xurukefi|4 years ago|reply
[+] [-] sizzle|4 years ago|reply
Privacy is never a guaranteed thing when you introduce ubiquitous computing to the mix, even things outside of computers can profile you like being captured in CCTV around the time when your signals are picked up from a computer/smartphone phoning home or unusual internet activity, like the scene out of Mr. Robot.
[+] [-] makecheck|4 years ago|reply
We need to be exchanging personal data only in forms that become worthless and unidentifying in a short period of time, requiring secure refreshes to maintain.
[+] [-] blowski|4 years ago|reply
[+] [-] pc86|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] imnotlost|4 years ago|reply
Sell a little bit of drugs through the silk road and you'll get royally f-ed! Sell all the opioids in the world through a public pharma corp and you can keep enjoying your jet-set life and yacht.
The allegedly smartest people in the world are focusing on the dumbest problems while being reamed by the frat-boys that went to Wall Street and Politics, guns and drugs. LULZ.
[+] [-] hbbio|4 years ago|reply
https://www.theguardian.com/news/2022/feb/20/credit-suisse-s...
“The pretext of protecting financial privacy is merely a fig leaf covering the shameful role of Swiss banks as collaborators of tax evaders.”
And it's more than tax evasion, "include a human trafficker in the Philippines, a Hong Kong stock exchange boss jailed for bribery, a billionaire who ordered the murder of his Lebanese pop star girlfriend and executives who looted Venezuela’s state oil company, as well as corrupt politicians from Egypt to Ukraine".
[+] [-] Thorrez|4 years ago|reply
Are you referring to some specific drug lord? Who?
[+] [-] npteljes|4 years ago|reply
[+] [-] d0gsg0w00f|4 years ago|reply
I don't think you can compare a legitimate business publishing public accounting figures, operating within the law, subject to policy by elected officials with the illicit drug trade who's supply chains operate in the dark. These supply chains are probably responsible for thousands of deaths, human trafficking, and unfathomable suffering whose actors you have no possible way of mitigating their actions.
I grow weary of hearing this recurring argument that the relatively minor side effects of a free market being compared to pure evil.
[+] [-] Barrin92|4 years ago|reply
If what you really want is sovereignty, which is what most people confuse anonymity with, the goal is to be like what Ernst Jünger called the anarch (in contrast to the anarchist), which is someone who complies and renders herself indifferent to authority, rather than standing out and drawing attention.
A much better practice is to be as open as possible about the boring stuff, so you're not constrained and can do what everyone else does. Trying to be absolutist about anonymity is automatically like wearing a straitjacket.
[+] [-] mindvirus|4 years ago|reply
This gave me a radical company idea, on the other end of the spectrum: spam as a service. Something that'll take your name, email, and other things and put it all over the internet in questionable and plausibly denial ways. That way, even when someone is trying to find things out about you, it'll be hard to find, and easy to deny. (I'm kidding of course).
[+] [-] _moof|4 years ago|reply
This is the crucial piece. It doesn't matter how careful you are; everyone who knows you has to be careful too. I have a... well, I hesitate to use the word stalker, because that makes them sound more motivated than they really are. But someone on that spectrum, anyway. After a few years of being harassed I managed to elude them. Then they found me again. You know how? They pieced together two pieces of information posted publicly by other people. That's all it took.
[+] [-] Liiiii|4 years ago|reply
What if instead of spamming the correct information out, spam slightly incorrect information out.
Correct address, incorrect middle initial, wrong birth month, and a machine generated SSN would be from the right time period, area number, but with an incorrect group and serial number.
[+] [-] adelie|4 years ago|reply
[+] [-] Damogran6|4 years ago|reply
[+] [-] bugBunny|4 years ago|reply
[+] [-] BeFlatXIII|4 years ago|reply
[+] [-] bimboler38|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] numpad0|4 years ago|reply
Personas like someone who posts content during 08:34:40 - 09:23:23 except 08:43:30-08:55:23, never seems to be active during 22:00 - 06:00, can be narrowed down to something like a person commuting via bus route A from stop B to C changing to a train route from C to D through passageway E in the station.
From there you can look for a man looking down at a phone, or couple information with other factors, or throw in a bait like a giant stinking dead fish or a rare and loud car in front of him and watch for responses he'd make. IMSI catchers and Bluetooth scanners can be useful as well if your adversaries are resourceful. Time and location of transmissions and time of receptions can be correlated, in theory.
This type of attacks can't be mitigated on fast-paced social media at all; both posts and requests has to be queued and obfuscated for time.
[+] [-] mhitza|4 years ago|reply
Another aspect that's important and often ignored, is writing style anonymization. You practically want an offline tool, that removes idiosyncrasies from the text you write and makes it sound as bland as possible.
edit:
A related story. Around 2010-2012 I was working for a company, and I was part of a somewhat managerial group. At one point we decided to pull in direct employee feedback in an anonymous free-text form. Due to their writing style being reflective on the way they spoke, it was possible to point exactly who wrote what message. Of course, few exceptions existed, I didn't personally know all the employees in the company.
[+] [-] nickstinemates|4 years ago|reply
Or you can lead a double life. One for your public persona, where you don't care at all about security, and your real persona, where you do. This has been my approach on the internet since basically it started and handles were a common thing.
[+] [-] ronnier|4 years ago|reply
* Use Brave browser with ublock origins and privacy badger
* Use pihole + unbound to resolve my own DNS and do not use google
* Run wireguard on my home network that I connect to when I'm out and need to use wifi
* Be anti-google as much as possible. I'm still in the process of this, i'll switch my domain based email off of google soon
* Be anti-facebook and delete all accounts (whatsapp and insta included)
* Be anti-reddit
* Be anti-cloud and host everything internally as much as possible (except for encrypted backups, say for video cam footage)
* All of my home automation is local and blocked from the internet. If I want access, I'll connect to my VPN.
* Use signal with disappearing chats to communicate with my friends.
Still a lot to do, but it's a start...
[+] [-] sampo|4 years ago|reply
> Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms. Hackers don't do this; they're proud of what they do and want it associated with their real names. So if you have a handle, drop it. In the hacker culture it will only mark you as a loser.
http://www.catb.org/~esr/faqs/hacker-howto.html#style
[+] [-] underwater|4 years ago|reply
However, over time I drop enough clues that people could figure my real identity with a little work. That leaves me with the worst of both worlds. It seems safest to assume that your identity is always tied to everything you do online.
[+] [-] blakesterz|4 years ago|reply
That's some REALLY good Solid advice.
[+] [-] touisteur|4 years ago|reply
[+] [-] anderspitman|4 years ago|reply
https://solidproject.org/
[+] [-] ChrisMarshallNY|4 years ago|reply
I make sure that I can be found and attributed. I deleted my last anonymous account, a couple of years ago. In the Days of Yore, I was pretty much "Dick From the Internet." A real neckbeard troll.
There's a lot of reasons that I do it. The biggest, is that I want to be in control of my narrative. I learned from a couple of folks that are really good at curating their SEO results.
Also, these days (for a change), I'm pretty well-behaved. Doing it this way, helps to keep it that way.
[+] [-] oh_sigh|4 years ago|reply
https://www.wired.com/story/alphabay-desnake-dark-web-interv...
[+] [-] ssklash|4 years ago|reply
Most "normal" people, and even many tech people, don't know what companies like Google and Facebook are capable of. If you showed someone exactly what information of theirs was collected, for how long, the predictions they could make with it,and god knows what else is being done with it, I think many people would change their behavior. But they don't know, and this is not an accident.
Most people do not even know what the business model of Facebook and Google are. If you ask, they'd probably say something like "oh they're an email company" or "they help me share photos of my grand kids" or god-forbid, they're "helping connect people connect". Both are surveillance-based, personal information-driven ad companies. That's it. No amount of Google X or Android or Gmail or Libra or FB Live or any other program will change what their business is. And they will never, ever admit to this.
[+] [-] srmarm|4 years ago|reply
[+] [-] jefftk|4 years ago|reply
Personally, I hang out at the fully open end of that spectrum. This has worked out pretty well for me; I don't think I've run into any downsides.
[+] [-] Tepix|4 years ago|reply
What do we want to achieve by protecting our online identity?
For me, escaping the pervasive tracking and profiling by FAANG is one goal. I'm sure that tracking me across the internet is a lot more difficult (not impossible) than tracking the average user. Hopefully it can't be done in an automated fashion. That way tracking me is hopefully just not worth doing just for a few advertising dollars.
[+] [-] 14|4 years ago|reply
[+] [-] ur-whale|4 years ago|reply
Or rather: these are very basic and very naive recommendations, certainly good first steps, but absolutely nowhere near enough to guarantee strong anonymity on the internet.
Remaining truly anonymous on the net is extremely hard, especially in these days where ML can be used to statistically narrow down and pinpoint who wrote a specific piece of text only based on things like use of punctuation, vocabulary, sentence structure and style.
[+] [-] Ansil849|4 years ago|reply
> Move to Brazil and live in the rainforest
Juvenile, snarky, irreverent and irrelevant advice I'd expect to read on a 12 year old's Reddit post.
[+] [-] sedatk|4 years ago|reply
> Don't use Gmail -- use ProtonMail
"ProtonMail logged IP address of French activist after order by Swiss authorities" https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...
[+] [-] chillycurve|4 years ago|reply
I've since decided that I am done with all that.
I was afraid my employer might question my Reddit posting history (they wouldn't.) I was worried someone who Googled me would think my past self was dumb (who cares).
Now my ideas are almost all public and growing more so by the day. I am working up the energy to start a personal blog, if anything just to document my ideas over time. I am adding my real name and email to my Github, HN, (not Reddit, yet, though it would not be hard to connect), IH, etc.
I want someone to be able to Google me and find my best work.
On the other hand, there are clearly cases and types of info/accounts that should remain private. I self-host as much as possible. I encrypt personal files before uploading. I have multiple Protonmail accounts. I use custom DNS, etc.
Ideas should be public. Information is a case by case basis, but I generally care a lot less than I used to.