I'm asking because I'm curious how one would go about doing something like this in 2019. What are the things you need to think about, and what measures would one need to take to ensure continued anonymity over time? In particular, I'm curious about just information transfer, like a simple, not-for-profit blog.
Since the threat model can get pretty vague, I guess I'm thinking about two main scenarios:
1. Easier case: how to prevent being de-anonymized by curious individuals and specific corporations (e.g., multiple ISPs colluding together may be able to de-anonymize you, but for example a specific company like Google can't).
2. Harder case: ensuring anonymity even from state-level actors.
Thanks!
1. Buy a credit card in cash from somewhere without cameras.
2. Use that credit card to buy a phone number through many of the real VoIP providers.
3. Buy a used laptop on CL/Kijiji in cash, making sure the pickup is someone's house. Bonus points if you make a friend do it.
4. Go to a Starbucks with your new laptop, sign up for Gmail or ProtonMail using your new phone number.
5. Nuke your laptop and reinstall. It's a burner. Make sure you change the MAC address, just for profit.
6. Sign up for free VPN (500MB start) with something like TunnelBear, using your new email address.
7. Connect to your VPN from the laptop. Now use Tor.
8. Remember that credit card? Time to buy another one - this time so that you can pre-fund Amazon credits (or DO). They'll both accept prepaid credit cards.
9. Blog, do your thing - but only ever publish from a dedicated VM on the laptop. Make sure you're using Firefox (or something else) in your VM to test your blog - through the SOCKS proxy you establish (ssh -D) to the host.
10/11. Nuke and rebuild VM and machine at will.
12. Every ~3 months, do a Kijiji exchange for a new laptop.
The above is in no way foolproof. But it's a reasonable start. For the record I don't consider this anonymous or paranoid enough.
For #7, make sure you do VPN over Tor, not Tor over VPN. The former is more secure for you, and has the additional benefit that sites won't know you're using Tor. The latter sucks for you and Tor if you relay any traffic.
I'll definitely agree that VPN over Tor is (by far) more secure - but I feel as if most people aren't capable of it, even though Tails exists.
In Canada just buy your prepaid credit card at one of the independent corner stores we have all over the place. Several don't have cameras. Equally, there's nothing to stop you from walking in with a facemask; it wouldn't be abnormal at all.
What billing address would you use on these though?
Domain name, since the registrar will probably have your information. Namecheap allows bitcoin payment, but I think they still require contact information. Going with an onion URL would limit that impact.
Hosting, again, they will almost certainly have your information. Swisslayer allows bitcoin payments, but contact info might still be required. Could be mitigated by going with Tor or some other service, but that limits discoverability.
Server software -- you would want to limit the ability to be compromised, so something like OpenBSD with the built-in httpd and raw HTML files would be a reasonable bet for preventing intrusion. Keeping it simple would leave less attack surface, and less potential to leak information.
Using Tor to connect would mean fewer logs in between.
Any information you gave in content could be used to trace, but that is difficult and would require being careful in the writing style, and what information is leaked in that channel.
EDIT: As beefhash points out, piggybacking on an already accessible public endpoint negates a lot of the leaking of your information through your own services.
I've used https://localbitcoins.com.
2. Add bitcoin-wallet-stealing code.
3. Upload to NPM.
Spitball idea: Host your data in the script portion of bitcoin transactions. Now the part you host on GitHub or other platforms is just the JS script that fetches your transactions from online blockchain explorers.
Use localbitcoins.com to trade cash for bitcoin face to face. Just trade $10.
The idea being that it's easier to pass around a JS script than the corpus of a blog. And platforms like GitHub are probably less likely to remove your pages if the potentially-troublesome plaintext of your blog isn't actually in their database. And the purpose of storing the data on the blockchain is so you don't have to keep rehosting content as it gets taken down.
I'll admit this is more of a fun weekend project (storing stuff on the blockchain with a JS script that can fetch and present it) that I've repurposed as an answer.
Maybe using the script to fetch from IPFS? (I have absolutely no clue if this is even feasible and how it would work)
For the threat model described in the post here, if an adversary can narrow you to one of hundreds or thousands of possible sources, you've lost.
2) Don't buy a domain name
3) Deploy a static blog (Gatsby, Jekyll, etc.) to GitHub or Netlify
4) Done
Now you just need a VPN every time you log into these accounts and publish your content.
You might also want to randomize the times you access these services and publish content. That further obscures where you are in the world.
Besides Tor, you could get a free AWS/Google Cloud account and do content submission from a free, minimal VPS machine.
Are you paying for this VPN or really trusting a free VPN?
1) Time of publish. You'll want to make sure the times you publish entries are random and can't be correlated with things you are doing. If you take a vacation, you'll need entries going up.
2) How you write. You'll want to ensure your writing isn't too similar to your own. Either have others write it, excessively use synonym dictionaries, or introduce writing styles and elements exclusively to the posts you write.
3) What you write about. It should be as diverse as possible. If you only write about one topic, or clearly have a bias for one topic, then it is easier to pin down your interests and focus searches against you to that. Write about cooking, about programming, about art, about politics, etc. Even if you hate or aren't good at it.
4) Fabricate entries. You'll want to write about topics you dislike, or topics you don't believe in or about places you have never been. Reference dates and times that would be impossible with your schedule, your income, your skills, or your connections. For areas you are most versed in, introduce simple errors to reduce your apparent expertise. In areas you are most ignorant, plagiarize from experts in a non-obvious way to fake expertise.
5) Write in only your native language so as to not give away where you learned some other language. If this isn't enough, then run your writing through an automatic translator each time into some other language you might know and only do a light touch up of the most egregious errors.
You kind of get the drift. Lots of people here can give technical advice, but that is always one slip-up from going wrong and you getting caught. Having lots of disinformation and mixed information in the blog itself can help provide cover and deniability.
Don't forget that this is a sure way to get deanonymized, if you don't do this anonymously, too.
It's amusing to think of what happens if you follow this too far though. Essentially you're putting on a mask that is as uncorrelated with yourself as possible. But if your intent is to publish something, that seems contradictory to some extent. Can't use your own point of view, can't use your own expertise, can't use your daily experiences or any information specific to yourself. The only sense you'd be publishing a blog would be mechanically. Anything you actually intended to say would be lost in the white noise of everything you must say in order to stay hidden.
I think when assessing anyone's work that is done through a pseudonym, anon, or what appears as a clearly fake profile, one needs to really pick and choose how they decide to ingest that information.
I would be hesitant to even remark on the anon blog that the blog is written in the most defensive manner possible, as that indicates to adversaries the level of aggression the target expects, which can itself narrow down where they might be.
It is a truly hard problem, but if the value of OP is complete anonymity and the signal to noise ratio isn't as important, then these obfuscation steps are valuable. Not the least because they can be implemented or dropped at any time as one's security threat changes.
Then you use Tor to create a couple of ProtonMail and Tutanota addresses. Use these email addresses to create accounts on sites like GitHub while using Tor (make sure you link multiple addresses so that you have ways to get back in if one of them doesn’t work or you get kicked out).
Mirror all the writings on archive.org and another free site so that you have a backup to point people to (list the address of the other site in each site). Never trust any provider not to kick you out for “violating their terms and conditions” without telling you what you did or how you can fix it. When you get locked out, it’s usually with vague statements and no way to get back in. You’re at the mercy of bots and other people who may make it their mission to shut you down (depending on what you write).
Create multiple throwaway accounts without a lot of history to share the posts elsewhere.
Use Tor for everything related to the blog.
Edit: Building on what zelly said on translating from one language to another and back to reduce the chances of being identified by your writing. Somewhat similar in nature to hashing iterations, use one service to translate from X to Y, another to translate from Y to Z, and then yet another service to translate from Z to X. Then post X after making any necessary corrections. This could be automated with simple scripts. Using simple and short sentences could also help against any language analysis. Write, then feed it into something like Hemingwayapp, simplify it, then process it further with translation rounds.
1. Use all free technology since payments are a great way to figure out who you are. (So GitLab/GitHub Pages, Blogger, etc.)
And then the usual info hygiene:
2. Always use a VPN to log in
3. Don't use the same username or password anywhere else
One final thing:
4. If you put out enough samples of your writing anywhere else tied to your identity (email archives, a non-anonymous blog, publications), people can probably use ML to figure out who you are. I don't know if there is a "style obfuscation" engine to help with this.
Machine translate from language X to Y. Then Y to X again.
Using simple and short sentences could also help against any language analysis. Write, then feed it into Hemingwayapp, simplify it, then process it further.
1. Use Tor or some kind of proxy service
2. Sign up for Proton Mail
3. Use Proton Mail to sign up for wordpress.com blog
4. PROFIT!!!
GitHub is Tor-friendly, so you can piggyback off GitHub pages with Tor/proxies and get something out of that at no cost. Occasionally, they may automatically determine you to be a bot account, but support is responsive and reinstates it within at most days if you seem human enough. Censorship remains an issue, but shoving the pages manually into archive.org should help build some resilience at least.
Maybe mirroring on BitBucket and GitHub will also work.
> 2. Harder case: ensuring anonymity even from state-level actors.
This is a very, very hard problem. Your best bet would probably be compromising a few poorly-secured websites outside the sphere of influence you're trying to hide from, doing this from a public hotspot in a foreign country and then connecting to them only via Tor. Of course, if Tor is enough of a red flag in and of itself, you'll always have to travel to post, which is just as suspicious.
Interesting insight about using archive.org to build resilience against censorship.
Also, is there something like a distributed version of GitHub pages/Netlify that might be less centralized? (e.g. perhaps a blockchain-based publishing platform that anyone can host a frontend for if one is taken out)
> This is a very, very hard problem. Your best bet would probably be compromising a few poorly-secured websites outside the sphere of influence you're trying to hide from, doing this from a public hotspot in a foreign country and then connecting to them only via Tor. Of course, if Tor is enough of a red flag in and of itself, you'll always have to travel to post, which is just as suspicious.
With behavioral patterns, I'm guessing it's nearly impossible to stay anonymous for extended lengths of time. However, it might still be good for releasing one-time long form content such as books.
There are, but I’m not sure about accessing them with conventional browsers of today. There’s Beaker Browser (beakerbrowser.com) and there’s IPFS (ipfs.io).
Instead, get connected with a tech-savvy media outlet via SecureDrop or Signal. They can publish the information, have experts on hand to help you stay anonymous, and can likely connect you to legal resources should that become necessary.
https://www.theguardian.com/securedrop
https://www.washingtonpost.com/securedrop/
https://blog.erratasec.com/2017/06/how-intercept-outed-reali...
Some try to render the "Impressum" as a picture so that it doesn't get indexed by search engines but it's not clear whether that is sufficient.
You also can't just rent a post box somewhere to get around announcing your address. The address has got to be a "ladungsfähige Anschrift" which means that it has to be the place where you live.
There are ways of countering these kinds of analyses. A search for "defeating stylometry" turned up this link: http://www1.icsi.berkeley.edu/~sadia/papers/adversarial_styl...
The internet was not designed for people to be anonymous. Our laws weren't made to keep you anonymous. Our society doesn't allow for people to be anonymous.
For instance, register an LLC in your country or somewhere like St. Nevis, that owns an LLC in New Mexico, that owns another LLC in New Mexico that pays for hosting, then, ideally using another chain of LLCs, pay a lawyer to actually post the content on the blog.
Basically following the same standards as money laundering but with content publishing. That way anyone who wants to find out who actually published the content would have to track down the owners of multiple corporations and the legal barriers with that. Especially with cross-jurisdiction challenges, this can be effective.
It wouldn't be cheap, and nothing is 100% bulletproof. However, this would largely protect you against private corporations and individuals from tracking your postings.
2. Put Tails on a live USB drive. Only ever do your blogging on Tails. Purchase hosting for a hidden service with Monero. Watch out for people tackling you in libraries.
"OnionShare makes it easy for anyone to publish anonymous, uncensorable websites"
For the latter case (or when dealing with said obsessives deliberately targeting you), then things get trickier. The challenge with infosec is that messing up even once compromises everything, and most people/groups mess up multiple times.
Some advice there:
1. Don't try and be a 'ghost', throw people off with fake identities. Manufacture social media accounts/history to send people barking up the wrong tree.
2. Use burner equipment wherever possible, or at least computers/phones that aren't used for real life activities.
3. Get an anonymous email account, use it for a VPN, use Tor, etc.
4. Access the internet from a variety of places under said conditions, maybe with different online identities each time.
5. Use services based in countries your current one has no treaties with.
6. Deliberately vary your writing style so it can't be linked to previous work (may be difficult)
Plus a whole bunch more steps that would make anyone writing them seem super paranoid when posting.
https://www.cryptovibes.com/blog/2019/01/02/iota-introduced-...
E.g.: https://www.theguardian.com/help/ng-interactive/2017/mar/17/...
While clearly difficult, I'm not sure this is really any harder than the other technical solutions listed here.