You're absolutely right. It is not enough to use anonymity tools, you also have to make sure everything else around you doesn't compromise your anonymity. Made me think of a Harvard bomb threat incident where the student posting a fake bomb threat (through Tor) to avoid final exams was the only person using Tor on campus at the time, which trivially identified him. https://theprivacyblog.com/blog/anonymity/why-tor-failed-to-...
missingrib|4 years ago
zxcvbn4038|4 years ago
cywick|4 years ago
smeyer|4 years ago
klysm|4 years ago
323|4 years ago
notsoanonynous|4 years ago
The author of this article is also very wrong: Anonymity is not on a spectrum. It’s all or nothing. Like a Mario game where any mistaken encounter makes you start over (and that’s if you don’t get in trouble for what you did).
First step is to understand that any system could be bugged. Every IRL confidant could sell you out. Every keyboard could have a keylogger, etc. Every store could have a security camera. Phones are giving out their MAC numbers to every cell tower and wifi radio. They now have chips you can’t turn off, and so forth.
You should also assume there is no such thing as an “anonymous” account and that every service COULD sell out whatever information you gave it. (Yes, even Telegram or ProtonMail, however unlikely that may be.)
The below is a playbook for how to become truly anonymous. Continue to live your everyday life but the below is only for your “anonymous” identities, which you can gradually bootstrap as a hobby:
The first thing you do, therefore, is bootstrap your identity by taking advantage of unlinkability that is available to you. Buy a bunch of Android phones on Craigslist for cash, for example. (Or pay a homeless guy to buy a phone in a store for you.) Do not use SIM cards at all, only WiFi. Never take photos, etc. Keep your phone off or in a faraday cage until you use it. For extra points, always use it through a VPN on WiFi at home, which you purchased using the accounts below:
Then make an anonymous Google account on the Android phone. Make some ProtonMail account using such an anonymous Google account. Now you can bootstrap from email addresses.
Buy some Google Play gift cards and download some apps to get a second number. Now you can bootstrap from a phone number. Sign up to Telegram, Signal and other accounts using this. Now you have end to end encrypted messaging.
Frankly, though, realtime messaging is a bit of a luxury to continue to stay in normie world. To stay truly anonymous, you should continue to:
1. Schedule posts and mail send/receive at random times. Do not ever use realtime audio or video because it might be recorded. You might make an exception for early days of your projects when people would have no reason to go out of their way to record you — just to give them confidence you’re a real person. But afterwards, stop doing that. Let the people build your movement for you.
2. Never mention your anonymous identity or projects from your real one, and vice versa. This means your anonymous identity MUST NEVER have confidants or colleagues IRL. Build up a network of colleagues who are “fronts” for what you do. Eventually you can step back and let the movement do things for you.
3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).
4. You will only ever be able to spend the crypto on paying people for services and DeFi protocols. You can never cash out to fiat, because the IRL purchases catch up with you when they follow the money. There is a surprising amount of online services you can spend $97 million dollars on, while staying anonymous ;-) If you really do need to spend money IRL (because you went broke somehow in your everyday life) then you can cashout using cross-chain bridges and Monero to pay for goods. But still, never get ostentatious wealth IRL!
5. The weakest link then becomes your writing or coding style. Never publish any code or writing, let others do it for you. Make your communication to others from your anonymous identity sufficiently different that anything saved later would not identify you (this is the weakest link, but you can consider “playing a character” when speaking to others).
6. Any private keys that you used to sign your messages can be periodically published in some conspicuous place, effectively giving you plausible deniability about all your previous and future posts. It’s hard to prove a negative (that no one else has access to your private keys before your public disclosure.)
Alright, Hacker News. I have given away the non-amateur anonymity playbook using https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
Go ahead and try to deanonymize this in the comments below. Assume you are a state actor with all tools at your disposal.
BbzzbB|4 years ago
Is it not, for the non-criminal user? My HN, Reddit and Twitter accounts are "anonymous" (pseudonymous would be more accurate), and it matters to me to the extent I share thoughts I would not on Facebook or if Googling my name led straight to it - not that I'm ashamed of them, I try to be decent (tho I slip at times and am more brash than I would IRL), it's just that they hold some personal opinions and matters, kind of like that lady in OP's post (except I wouldn't reuse pseudonyms, especially not openly cross-linked to identified accounts). Obviously, a governmental agency that had any reason to look for me would link them in the blink of an eye, but it is "anonymous" enough for my needs: people who matter to me or people like prospective employers do not know of them and hardly could. Even if they leaked to some dark corners of the Internet like my SSN (screw you, Equifax), that hardly doxes me as far as regular humans are concerned. If someone emailed me with my online usernames, it would creep the fuck out of me, but ultimately be inconsequential, at worst it would threaten to shame me for my opinions.
So how's that not on a spectrum of anonymity? OP's post obviously does not say your anonymity when it comes to three letter US agencies is on a spectrum, that is black and white and s-he recognizes it, but rather the link-ability of your online presence(s) to your real life identity. With that Tinder lady at the "IDGAF"-end of it, your paranoid (or criminal) Jane Doe on the other end and me somewhere in between (but much closer to the former).
ipaddr|4 years ago
Using a phone is probably the first mistake. If you are going to use your home network you are better off using a machine you control and an operating system that is open source.
I suggest these steps:
Step 1: Connect to a popular VPN.
Step 2: Connect to Tor.
Step 3: Get free VPS or pay with crypto you trade for gift cards purchased or some other method.
Step 4: Connect to VPS with desktop running. Use virtual desktop.
Step 5: Use VPN. This time use VPN with best rep to be accepted as regular traffic.
Step 6: Sign up for services.
Step 1 solves the k issue. Many people using that VPN will connect to Tor.
Step 4: Seems slow but at the virtual desktop level out things are fast from that machine to new hosts. Using scripts could help.
Riverheart|4 years ago
coolspot|4 years ago
ccn0p|4 years ago
majormajor|4 years ago
My first question about this plan is "what are you getting paid for and how do you advertise your services"? You need to never meet the people paying you in person, and ideally you are selling some purely digital good. So, something like underground illegal programming or hacking or such? Is there anything else that would work?
frodo_77|4 years ago
Living in no-extradition countries, using GrapheneOS on an Android phone, using Jabber/OTR chat for communication.
Pq2Vvv8MtzTCFWS|4 years ago
pzs|4 years ago
nly|4 years ago
The timing could have been coincidental. Even if he was the only person online on campus at the time, it proves nothing.
borski|4 years ago