What are the best ways to leak information anonymously on the Internet today? Please detail the extent of the achieved anonymity and what would have to happen to compromise it.

To interact with this page you must login. Signup

ask a person to answer this question Ask to answer

Please detail the extent of the achieved anonymity and what would have to happen to compromise it.

encryption

anonymity

technology

understand

tynamite

Anonymity on the internet doesn't exist.
It is impossible to be truly anonymous on the internet.

--------✂--------------------------

Below you will find out why I don't trust the supposedly anonymous browsing methods, and why they're not really 100% anonymous.

SSL Certificates have been compromised. Wikileaks doesn't trust them, and Verisign root keys have previously been hacked.

They are that padlock you see in your web browser, to show that your internet requests are encrypted and not being transmitted among the tubes plaintext.

Tor is a red herring made up by the US Government and then open sourced as a honeytrap. People are fooled by it. Yes the webmaster won't have your identity, but the ISP will be able to use network route analysis to find yours out, revealing your ip address.

Tor works by routing your traffic though several servers (A-K-H-D-B) instead of A to B. Explain to me how that is anonymity (unless you live in the Middle East)?

Virtual Private Networks work by exchanging your ISPs internet connection with one from the VPN provider, preferably based in another country. Once you pay them your monthly fee, you have no guarantee that they will conceal your identity if ever their local government subpoena's them. This is why a VPN carries risk. Any VPN company can be subpoena'ed by any worldwide government.

A British LulzSec hacker got caught by being too foolish and idiotic to read the TOS of British VPN HideMyAss, to read that it prohibited illegal activities such as hacking, and would retain logs and willingly comply with subpoenas. Would your country's VPNs do the same? I recommend you get a Swedish or Russian VPN, as Sweden has excellent freedom of speech and privacy laws, and Russia is anti-US. Refer to TorrentFreak for advice on finding a VPN. http://torrentfreak.com

And by the way, all VPNs keep logs! If they say they aren't keeping logs, they are lying. How can a VPN keep logs, and at the same time manage to block and throttle people using their service? That doesn't add up. They may not log your credit card or name, but they do log something.

Would you go to prison for 2 years, over a VPN?

The RIP Act or RIPA

UK jails schizophrenic for refusal to decrypt files
The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record.
His crime was a persistent refusal to give counter-terrorism police the keys to decrypt his computer files.

The 33-year-old man, originally from London, is currently held at a secure mental health unit after being sectioned while serving his sentence at Winchester Prison.

http://www.theregister.co.uk/2009/11/24/ripa_jfl/

What is the RIPA Act?
The Regulation of Investigatory Powers (RIP) Act sets out the government's plans for how the security services can monitor and access communication over the internet. It passed into law hours before the Commons rose for its summer break and has now come into force.
Why is it so controversial?

Critics say the act is a gross invasion of privacy which will scupper e-commerce in Britain; the government argues it is necessary to crack down on internet crime and paedophilia.

What are the key areas of controversy? The first is "black box" interception. Security services, such as MI5, will be able to monitor people's internet habits through the collection of "communications data". This data is not website or email content, but users' "clickstream" - the websites and chatrooms they visit and the addresses of emails they send and receive. If security services suspect criminal activity, they request a government warrant to intercept and decode internet content.

The second key controversy is the legislation's reverse burden of proof. If intercepted communications are encrypted (encoded and made secret), the act will force the individual to surrender the keys (pin numbers which allow users to decipher encoded data), on pain of jail sentences of up to two years. The government says keys will only be required in special circumstances and promises that the security services will destroy the keys as soon as they are finished with.

http://www.guardian.co.uk/world/2000/oct/24/qanda

http://en.wikipedia.org/wiki/RIP_Act#Powers
http://en.wikipedia.org/wiki/RIP_Act#Controversy

Proxies are like a VPN but less anonymous. They work like an intermediate between you and your ISP, of which it acts as the third wheel like an interpreter, of which both you and your ISP talk to the proxy, but not to each other, and the proxy passes the message along back and forth.

There are 3 types of proxy servers and I've forgot what they're called. Regular ones show your IP Address on the down-low. The other ones hide your ip but let slip to the websites that you're using a proxy. The highest ones hide both your ip and the fact that you're using a proxy and are called an elite proxy. I don't know how to check type, proxies fall into, forgot and would have to check.

So all of these anonymity methods for using the internet, are not really anonymous.

SSL Certificates
Tor
VPN
Proxies
Botnets

I also would avoid using botnets. A botnet is a group of computers which are infiltrated/infected with spyware, who are slaves to do the hacker's bidding. When Lulzsec and Anonymous want to bring down websites with DDOS attacks, they use botnets - their slave group of 100s of websites - to carry out the attacks unknowingly.

If Tor can't be trusted, why should you use a Botnet? Can you guarantee that their traffic will go anonymised to you, when they receive instructions from you?

Beware of Packet scanning

For those that don't know what packets are, it is a bit of information that transfers down your telephone (or broadband) line when you use the internet. It's the data that transfers through the wires. If someone on your street is browsing the internet using an unprotected hotspot (without a password), you can easily snoop (listen in) on their internet traffic. If they are not using https:// websites with the padlock, and are typing in their passwords, you with hacking software, can get their passwords.

This is why Facebook now wants you to use Secure Browsing. Now your passwords are encrypted over the air as you login to Facebook.

You can do packet scanning with hacking software, to get other people's passwords. Now think about this for a second? Could your ISP, or your government (data retention and sharing laws), scan your packets.

If you live in Britain, you'll notice that The Pirate Bay has been blocked. However, only Virgin Media is the ISP who has decided to block the website by scanning the packets. Think about this for a second. ISPs are now given the authority to scan your packets.

Couldn't the government do the same?
Did you know that everyone who followed @wikileaks on Twitter, has been subpoenaed by the US government? No joke!

They've scanned my shit.

Let's not forget that democracy does not exist in America, and it is run entirely by corporations. If America has a choice between what is profitable and what is ethical, they will always choose what is profitable. What would happen if America was run by corporation?

Also CISPA has passed in America. Consider the Privacy Policy to be dead. Wiretapping and information sharing FTW.

So what is left?

Using mobile phones.)
Using internet cafés and other public computers.)
Have a worldwide sim card shipped to you from abroad, that gives you an foreign phone number. (You can buy them online if you know where to look.)

Executed correctly, you can be 100% anonymous with these methods, but you can't be an idiot about it. The fact that you didn't know that anonymity is impossible online, and that those 2 methods can be done 100% anonymously, indicates how you might fail leaking information anonymously, using these methods. Don't be an idiot and top up using an ATM machine, go cash in hand, and don't get caught on CCTV, and change your sim card every 2 days (worked for a journalist in China).

--------✂--------------------------

Data Retention Policies and Subpoena Requests

All telecommunications companies such as ISPs and telecommunication networks store logs of all phone calls, texts, and internet usage for a minimum of 6 months. There are certain [terrorist] buzzwords that if you say them on the phone, the FBI will start tapping into your phone calls. Mobile phones also log your location, even with the phone turned off. You would have to turn it off.

BBMs used to be anonymous, but not anymore. I know someone who went to court over them, and he now knows that the government has access to them.

My friend knows someone who's been told off by a British Telecom operator, for swearing too much in their phone calls.

Don't get me started on Facebook. That's funded by the FBI and CIA. They can track you any time for any reason. They've also blatantly tracked people I know.

Ever wondered what a Facebook subpoaena looks like?
http://gizmodo.com/5900015/what-facebook-sends-the-cops-when-your-account-is-subpoenaed

Ever wonderered what a Facebook subpoena request looks like? http://cryptome.org/isp-spy/facebook-spy.pdf

Ever wondered wha ta Yahoo! subpoena request reveals?
http://cryptome.org/isp-spy/yahoo-spy.pdf

Google is the only technology company that sticks their middle finger up to the government. They refuse to disclose information to the government on many occasions.

I forgot to mention that emails aren't anonymous either. They transmit your ip address in the headers. The email provider might even even keep logs. Try to find yourself an anonymous email provider, and see what happens.

The Dreaded CISPA
Since the internet blackout, SOPA and PIPA is dead now that the MPAA and RIAA have learnt that going after the billion dollar internet companies wasn't going to work. Now they have made them exempt of legal trouble, and taken the burden off them. Imagine every privacy policy on the internet being classed as void, and all participating companies sharing your personal data with each other.

That's what CISPA is, and the Senate has secretly passed it now.

Make sure you read this! This is scary!
http://torrentfreak.com/why-cispa-sucks-120412/

http://www.guardian.co.uk/world/2000/oct/24/qanda

RIPA? PIPA? SOPA? ACTA? CISPA? Someone switch it to SIPA and POPA. Protect Online Piracy Act. Protect Intellectual Piracy Act.

Also CISPA has passed in America! Consider the Privacy Policy to be dead. Wiretapping and information sharing FTW.

Combine that with David Cameron (politician)'s plan to monitor all social networking and email communications, by even scanning the packets of your communications (not just the domain names), which he got straight after the riots, and you know that things are going to go bad. This is as part of the Justice and Security bill.
http://www.guardian.co.uk/world/2012/apr/01/government-email-social-network-surveillance
http://www.guardian.co.uk/media/2012/apr/02/internet-companies-warn-government-email-surveillance
http://www.guardian.co.uk/law/poll/2012/may/29/justice-security-bill-poll
http://www.guardian.co.uk/law/2012/apr/04/clarke-defends-secret-courts-plans-clegg

The next time there's a protest, social networks will be cut off.

The Illuminati must be happy. The New World Order is falling into place. Get ready for the one world government.George Orwell's 1984

Miscellaneous
Do you hate WebWasher? Do you hate McAfee Smartfilter? I run the only proxy website in the world, that successfully bypasses it, along with the notorious Generic Body Filter. In fact that got created just for my site, but nobody knows who made it. It also lets you use Facebook at schools/work. When technicians monitor internet logs, they find the site and keep it unblocked, as I have obfuscated what it exactly is to prying eyes.

WikiLeaks are currently working on a 100% secure leaks submission system, that will be completely impervious to network analysis.

Steganography

According to Wikipedia...

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity.

The word steganography is of Greek origin and means "concealed writing" from the Greek words steganos (στεγανός) meaning "covered or protected", and graphei (γραφή) meaning "writing". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter.

The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal.[1] Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.

Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.

And that's exactly what Al Qaeda did, and got caught for it.

Steganography: how al-Qaeda hid secret documents in a porn video

When a suspected al-Qaeda member was arrested in Berlin in May of 2011, he was found with a memory card with a password-protected folder—and the files within it were hidden. But, as the German newspaper Die Zeit reports, computer forensics experts from the German Federal Criminal Police (BKA) claim to have eventually uncovered its contents—what appeared to be a pornographic video called "KickAss."

Within that video, they discovered 141 separate text files, containing what officials claim are documents detailing al-Qaeda operations and plans for future operations—among them, three entitled "Future Works," "Lessons Learned," and "Report on Operations."

So just how does one store a terrorist’s home study library in a pirated porn video file? In this case the files had been hidden (unencrypted) within the video file through a well-known approach for concealing messages in plain sight: steganography.

http://arstechnica.com/business/2012/05/steganography-how-al-qaeda-hid-secret-documents-in-a-porn-video/

Deniable Encryption

According to Wikipedia...

In cryptography and steganography, deniable encryption is encryption that allows its users to convincingly deny that some specific encrypted data exists, that a given piece of data is encrypted, or that they are able to decrypt a given piece of encrypted data [citation needed]. Such denials may or may not be genuine. For example, although suspicions might exist that the data is encrypted, it may be impossible to prove it without the cooperation of the users. If the data is encrypted, the users genuinely may not be able to decrypt it. Deniable encryption serves to undermine an attacker's confidence either that data is encrypted, or that the person in possession of it can decrypt it and provide the associated plaintext.

Normally ciphertexts decrypt to a single plaintext and hence once decrypted, the encryption user cannot claim that he encrypted a different message. Deniable encryption allows its users to decrypt the ciphertext to produce a different (innocuous but plausible) plaintext and insist that it is what they encrypted. The holder of the ciphertext will not have the means to differentiate between the true plaintext, and the bogus-claim plaintext.

In other words, I could record you having sex (lol), and you torture me because you want the password for an encrypted file you've found on my computer. I would then give you a fake password of _____ porn, and then when you're gone I would keep the real sex to myself. I would be off the hook.

There is also a deniable file system (alternative to NTFS/FAT32), that allows files to be stored on a hard drive, in such a way that there is also a "ghost file layer" of which encrypted files are stored on the hard drive, without any evidence that files are stored on it. Rather than every cluster of free space on the hard drive be shown as a - symbol, it is instead given a 0 or 1.

Bitcoin Is Not Anonymous

Ars Technica reports the biggest Bitcoin hack so far at the time...

Bitcoin, the decentralized virtual currency whose value has skyrocketed in recent weeks, faced a key test Monday as a veteran user reported that Bitcoins worth hundreds of thousands of dollars had been stolen from his computer.

...

The user known as "allinvain" is a long-time contributor to the Bitcoin forums. He says he's been mining Bitcoins for over a year, and had amassed a fortune of 25,000 BTC. This was a modest sum a few months ago, when Bitcoins were worth pennies, but over the last two months the value of a Bitcoin skyrocketed to around $20, which means 25,000 BTC would have been worth half a million dollars. "I remember watching the price like a hawk," he wrote.
And then disaster struck. "I just woke up to see a very large chunk of my bitcoin balance gone," he wrote. "Needles [sic] to say I feel like I have lost faith in bitcoin." He speculated that a Windows security flaw may have allowed the culprit to gain access to his digital wallet. "I feel like killing myself now," he said.

As Bitcoin is anonymous with irreversible payments and disposable Bitcoin addresses, there is no police to call about the theft.

The bitcoins were worth half a million dollars.

The next day.

lulzsec received bitcoins

Anonymity is not a prominent design goal of Bitcoin. However, Bitcoin is often referred to as being anonymous. We have performed a passive analysis of anonymity in the Bitcoin system using publicly available data and tools from network analysis. The results show that the actions of many users are far from anonymous. We note that several centralized services, e.g. exchanges, mixers and wallet services, have access to even more information should they wish to piece together users' activity.

...

Case Study: The Bitcoin Theft

Even Wikileaks bitcoin donations got tracked. You know those people are going get wiretapped. To illustrate our findings, we have chosen a case study involving a user who has many reasons to stay anonymous. He is the alleged thief of 25,000 Bitcoins. This is a summary of the victim's postings to the Bitcoin forums and an analysis of the relevant transactions.

...

[Lulzsec is in orange.]

Even Wikileaks donations can get traced!

Here are some tips of staying anonymous when shopping with Bitcoin, which shows how even with Bitcoin, anonymous payments is hard to do.

Quote
The possibility to be anonymous or pseudonymous relies on you not revealing any identifying
information about yourself in connection with the bitcoin addresses you use

Much easier said than done. Most routine e-commerce transactions will link the bitcoin address with other identifying information, and determined attackers can overcome the privacy of even extremely careful bitcoin users:

(3) If you use Tor, but forget to or can't turn off web cookies, your bitcoin address can be linked to a web cookie, which in turn is often linked to your IP address by an advertising aggregator like Google/Doubleclick.

(5) Each bitcoin record links your bitcoin address with those of all the counterparties that address has transacted with. Depending on the length and variety of the record it can reveal your shopping pattern which is often uniquely distinguishable from other shopping patterns, just as fingerprints or DNA are unique.

(6) Determined investigators or a software system somebody might write (similar to advertiser's software used to track user preferences across merchants) can gather and integrate information from different bitcoin nodes, vendors, etc. the bitcoin user's software has communicated with. Even if one log by itself doesn't tell much information, an aggregation of logs from several different merchants and transactions might speak volumes.

(7) etc., there are undoubtedly many other ways to link bitcoin addresses with other identifying information, caused by bitcoin itself, by outside entities the information-gathering and sharing nature of which most users will not be aware, or combinations thereof.

Secure anonymity on the Internet is pretty hard to do.

https://bitcointalk.org/index.php?topic=8.msg10621#msg10621

--------✂--------------------------

Extradition Requests Don't Mess About
Look at New Zealand citizen Kim Dotcom, who got a search warrant and assets frozen illegally. Most of the world is America's bitch. When America carries out an extradition request, they typically get what he wants. A British student who ran TV Shack (tv links site) is facing extradition to America for encouraging piracy infringement, despite linking (not distribution) to warez not being illegal under British laws.

The Sad Fact

You'll have to figure out your own way to transmit messages to other parties anonymously. If I reveal my own system here, people will copy it, and it will get popularised and locked off. I keep my exploits to myself. Be inventive.

There is a question here called You are a spy in a 1st world country (which is hostile to your own country) and you must deliver a set of intelligence reports back to your home country over the Internet. The data is 20 GB in size (compressed). How would you do this to avoid interception of the message, personal identification and any video surveillance?

Could you answer it?