Near 100% anonymity? Best methods to maximize anonymity?


HighFive090
March 27th, 2009, 06:26 PM
We know that there is no such thing as absolute 100% anonymity.


So can we discuss some of the best ways to maximize anonymity where it would be too difficult or costly to track you down that you are pretty much anonymous? (Unless it was something severe like real terrorist activities etc)


For example: using VPN
Using Xerobank and XB Machine? Would this setup make you near 100% anonymous?


Steve? I remember in a thread you said this is 1 of the most anonymous setups out there.... http://www.wilderssecurity.com/showpost.php?p=1287975&postcount=4



Can we list the best methods to maximize your anonymity?

SteveTX
March 27th, 2009, 09:07 PM
1. Best Commercial Methods: XeroBank Onyx + Cryptorouter or Kryptohippie + Cryptorouter
2. Best Free Methods: JAP or I2P
3. Best Illegal Method: Zombie Botnet

There are no metrics for measuring anonymity yet, but 1, 2, and 3, are in proper order, each by an order of magnitude.

LockBox
March 27th, 2009, 09:35 PM
{QUOTE-> 1. Best Commercial Methods: XeroBank Onyx + Cryptorouter or Kryptohippie + Cryptorouter
2. Best Free Methods: JAP or I2P
3. Best Illegal Method: Zombie Botnet

There are no metrics for measuring anonymity yet, but 1, 2, and 3, are in proper order, each by an order of magnitude. <-QUOTE}

I would agree with this list. I would also add something extremely simple, but very effective. Using open wifi, outside a large apartment building or any dense neighborhood. From one to the next to the next and never using the same one twice. I know we've all talked this to death, but I have yet to see how it fails as anonymous.

Steve, Is the cryptorouter for individuals available yet? I'm ready to roll with it if it is.

n33m3rz
March 27th, 2009, 11:10 PM
{QUOTE-> 1. Best Commercial Methods: XeroBank Onyx + Cryptorouter or Kryptohippie + Cryptorouter
2. Best Free Methods: JAP or I2P
3. Best Illegal Method: Zombie Botnet

There are no metrics for measuring anonymity yet, but 1, 2, and 3, are in proper order, each by an order of magnitude. <-QUOTE}

I personally would suggest against using JAP, they have remote monitoring built into the code to detect and trace "illegal" activities trivially. I2P looks good for hidden services, I would suggest that for some goals but I think it is lacking in out proxy ability. I personally suggest Tor for most people, I2P for people doing things based around hidden services.

Also spoofing MAC address and using WiFi will help a lot, especially if you hit up new WiFi hotspots each time.

SteveTX
March 28th, 2009, 12:01 AM
{QUOTE-> Steve, Is the cryptorouter for individuals available yet? I'm ready to roll with it if it is. <-QUOTE}

Yes, if you get it from Kyle via JanusVM. We're ironing out bugs in the implementation and interface.

LockBox
March 28th, 2009, 12:02 AM
{QUOTE-> I personally would suggest against using JAP, they have remote monitoring built into the code to detect and trace "illegal" activities trivially. <-QUOTE}

Not quite. You are speaking of the incident in 2003 when German authorities forced JAP to include code in their software (among other things). Since JAP is open source, it was placed in the code in such a way as to make it obvious what was happening. Actually, JAP passed the test by the actions they took. It's a different model now, but the privacy terms are even stronger. You can read about LEA terms here https://www.jondos.de/en/lawEnforcement

I hate it when I read these old and passed around rumors that twisted the 2003 incident into something it was not and act like it's still taking place today. Usually passed around, such as this case I suspect, completely innocently. The old start a story at the beginning of the circle of people and see how the story ends by the time you get to the last person.

This is one rumor we should help put to rest.

SteveTX
March 28th, 2009, 12:07 AM
Keep in mind JonDoNym is not the same as JAP. Same technology but much fewer peers, all in the EU, making it not anonymous because of the data retention laws. Most JonDoNym servers are in Germany/Austria, which is kind of a joke.

LockBox
March 28th, 2009, 12:24 AM
{QUOTE-> Keep in mind JonDoNym is not the same as JAP. Same technology but much fewer peers, all in the EU, making it not anonymous because of the data retention laws. Most JonDoNym servers are in Germany/Austria, which is kind of a joke. <-QUOTE}

When I said it was a different model, I was talking of the infrastructure. I was really pointing out the error of this "it's built-in to JAP" stuff. It may not be the highest anonymity, but then again, even XeroBank runs the budget service with USA servers and it's not necessarily a joke.

Thanks for the info on Kyle's cryptorouter. I didn't realize, or I had forgotten, that it could be used with XeroBank. Thank you!

SteveTX
March 28th, 2009, 01:26 AM
No budget USA services for XeroBank. USA servers are 100% cryptographic terminators with relay/cascade to international exit nodes. ShadowVPN however is a 1-hop in Netherlands that crowds with XeroBank traffic for extra anonymity.

n33m3rz
March 28th, 2009, 01:46 AM
{QUOTE-> Not quite. You are speaking of the incident in 2003 when German authorities forced JAP to include code in their software (among other things). Since JAP is open source, it was placed in the code in such a way as to make it obvious what was happening. Actually, JAP passed the test by the actions they took. It's a different model now, but the privacy terms are even stronger. You can read about LEA terms here https://www.jondos.de/en/lawEnforcement

I hate it when I read these old and passed around rumors that twisted the 2003 incident into something it was not and act like it's still taking place today. Usually passed around, such as this case I suspect, completely innocently. The old start a story at the beginning of the circle of people and see how the story ends by the time you get to the last person.

This is one rumor we should help put to rest. <-QUOTE}

They show on their website that they can monitor JAP connections to certain websites if court ordered to do so, and did so in 2008 actually. I am not sure how exactly they do it, but it's straight from the horse's mouth so to speak.

LockBox
March 28th, 2009, 02:25 AM
{QUOTE-> They show on their website that they can monitor JAP connections to certain websites if court ordered to do so, and did so in 2008 actually. I am not sure how exactly they do it, but it's straight from the horse's mouth so to speak. <-QUOTE}

Well of course they can do that. XeroBank can do that too if it's absolutely necessary. No secrets there.


{QUOTE-> No budget USA services for XeroBank. USA servers are 100% cryptographic terminators with relay/cascade to international exit nodes. ShadowVPN however is a 1-hop in Netherlands that crowds with XeroBank traffic for extra anonymity. <-QUOTE}

I'm sorry Steve. I thought ShadowVPN servers were US servers. My mistake. The Netherlands is a data retention country and crowding would have nothing to do with retaining data on use of Dutch servers. The difference with JonDoNym servers in Germany is simply length of data retention, right?

n33m3rz
March 28th, 2009, 02:42 AM
{QUOTE-> Well of course they can do that. XeroBank can do that too if it's absolutely necessary. No secrets there.




I'm sorry Steve. I thought ShadowVPN servers were US servers. My mistake. The Netherlands is a data retention country and crowding would have nothing to do with retaining data on use of Dutch servers. The difference with JonDoNym servers in Germany is simply length of data retention, right? <-QUOTE}

Tor can't do it trivially. For Tor to do it one or more of the following would need to take place:

1. The user doesn't have Tor configured properly, or doesn't have Java/Flash/ActiveX/Javascript/(CSS in some cases!)/ETC disabled.

2. The adversary owns all of the Tor nodes in the circuit the user is using (plus can monitor incoming connections also, if the user is set to relay)

3. The adversary compromises all the nodes in the circuit the user is using and they have logs

4. The adversary gets cooperation of ISPs to view traffic, and they still have the information stored.

JAP can trivially trace users. Tor requires in most cases that the user not know what they are doing, the adversary to get lucky, or ISPs around the world to cooperate with each other.

Correct me if I am wrong but I do not think I am.

coderman
March 28th, 2009, 05:12 AM
{QUOTE-> ...The user doesn't have ... Java/Flash/ActiveX/Javascript/CSS/ETC disabled. <-QUOTE}

it is getting easier to protect against the catastrophic failure of anonymity via side channels like this by transparently relaying ALL traffic or filtering it :)

[for example, https://www.torproject.org/torvm updated on Mar 28 to include information on using Flash or Java as a restricted user]

best regards,

caspian
March 29th, 2009, 03:47 AM
{QUOTE-> 3. Best Illegal Method: Zombie Botnet
. <-QUOTE}
:lurking: I'm skeered.

Fly
March 31st, 2009, 03:46 PM
One factor that people using commercial services probably tend to overlook is the issue whether the PAYMENT for the service can adversely impact privacy/anonymity.

Especially a high quality service like Xerobank.

Assuming one doesn't use a fake ID, people registering for anonymity services could be identified by the payment, like credit card, bank account etc. ?

Of course, what you have to 'hide' may be innocuous, but if that's the case, why pick a 'premium' privacy service ? I'm sure various organizations are very interested in who uses those services.

I'm known to be wrong on occasion :lurking:

Can anyone shed some light on this ?

SteveTX
March 31st, 2009, 04:50 PM
We spent a lot of time on this question. Then we decided we had to split the account holder from the activity of the account itself. That is why XeroBank developed the Variable Anonymity User Letterbox Token System. The way it works is that your payment funds your deposit account. Then the deposit account encrypts the tokens it gets from being funded, and sends them into a pool of other tokens. The access account is the only one that can decrypt the deposit account tokens, and they are redeemed at usage against a massive pool of encrypted tokens. To put it short, we broke the connection between our customers and their actions through a somewhat irreversible way. I say somewhat because that doesn't stop us from creating poison tokens and injecting them into the system if we want to, but it does mean you can't just take some access account and trivially find out which person it correlates to, which is pretty brilliant. It makes it a one-way operation, essentially. Payment -> Deposit -> Access -> Activity, and it can't be reversed directly. So let's say someone somehow gets our database of users. They can't discover who owns what account. They also can't look at an activity log and find out the person behind it, and neither can we.

n33m3rz
March 31st, 2009, 11:35 PM
Why don't you guys take liberty reserve or something else anonymous ?

Fly
April 1st, 2009, 10:51 AM
{QUOTE-> We spent a lot of time on this question. Then we decided we had to split the account holder from the activity of the account itself. That is why XeroBank developed the Variable Anonymity User Letterbox Token System. The way it works is that your payment funds your deposit account. Then the deposit account encrypts the tokens it gets from being funded, and sends them into a pool of other tokens. The access account is the only one that can decrypt the deposit account tokens, and they are redeemed at usage against a massive pool of encrypted tokens. To put it short, we broke the connection between our customers and their actions through a somewhat irreversible way. I say somewhat because that doesn't stop us from creating poison tokens and injecting them into the system if we want to, but it does mean you can't just take some access account and trivially find out which person it correlates to, which is pretty brilliant. It makes it a one-way operation, essentially. Payment -> Deposit -> Access -> Activity, and it can't be reversed directly. So let's say someone somehow gets our database of users. They can't discover who owns what account. They also can't look at an activity log and find out the person behind it, and neither can we. <-QUOTE}

It looks like a good solution.

But it still won't prevent someone, say a US agency, from collecting a database with your account holders. OK, so they can't look at an activity log.
But there is always the possibility to go after the account holders themselves. And install a hardware keylogger, install surveillance software on someone's computer by direct physical access, infect someone remotely by, for example, an infected email, social engineering, use legal means (including the 'means' of intelligence agencies) to force someone (if necessary by manufacturing evidence, the method of piling up charges) to reveal his online activities/Xerobank activities. While you can't show an activity log, is it possible from the users' end (voluntarily or not)?

I could imagine matching a suspect (or not even a suspect, but someone used for the intent of harming your organization) with Xerobank payments, and use that somehow. I don't want to discredit your clients, but I assume that more than a few use it for (according to local or other law) unlawful activities.

I know that 'security by obscurity' is far from perfect, but given the current climate with 'the war on terror', 'the war on drugs (including dispensing prescription drugs in violation of local laws)', closer cooperation by Interpol, the fight against cybercrime (which is far greater today than a few years ago), the encroachment of the surveillance state, I wonder how long ultrasecure communications methods can be used freely and without care ?
Even if just to make a point ?

SteveTX
April 1st, 2009, 11:40 AM
You are talking outside of the threat model. If the end user has their home system compromised, anything is possible. If you are a hot target of specific national surveillance agency, nobody can help you. If you want to avoid dragnet surveillance, or evade most domestic surveillance methods, and prevent surreptitious surveillance, ISP snooping, click-arrests, and data retention, we've got you covered.

Security through obscurity has nothing to do with any secure method of communication, and any method of communication employing such techniques as its core should not be regarded as secure.

SteveTX
April 1st, 2009, 11:41 AM
{QUOTE-> Why don't you guys take liberty reserve or something else anonymous ? <-QUOTE}

It's called eCache. :)

n33m3rz
April 2nd, 2009, 02:30 PM
{QUOTE-> It's called eCache. :) <-QUOTE}

Xerobank takes eCache? Is eCache still in business? I have been trying to find out what their deal is.

SteveTX
April 2nd, 2009, 08:30 PM
Yeah, we will definitely accept eCache.

jonw
April 2nd, 2009, 10:12 PM
How would you go about sending you eCache? It only gives you the option to pay with a credit card for Xerobank.

SteveTX
April 3rd, 2009, 12:23 AM
prepay 1 year, provide eCache token admin.

fuzzylogic
April 14th, 2009, 09:17 PM
thought i'd update this thread with some weblinks that don't provide 100% anonymity guides but do give some good information on being anonymous:
- http://www.zensur.freerk.com/index.htm
- http://www.theregister.co.uk/2001/11/14/doityourself_internet_anonymity/

i thought ecache was a very shady anonymous payment system, no one i believe has actually gotten a certificate much less found an exchange that actually exchanges it, i've read no one can contact the exchanges or the person behind ecache but maybe someone has recently. how about loom.cc, kinda operates on the same basis.

SteveTX
April 14th, 2009, 09:39 PM
Here is a very simple rule of thumb: if you're looking for high anonymity, you can immediately avoid everything that is not either OpenVPN or IPSec VPN. That means no cgi proxy, no web proxy, no http proxy, no ssh tunnel, no socks proxy, no PPTP, no L2TP-only, no pseudovpn/dll injection (anonymizer etc). OpenVPN and IPSec VPN do not guarantee or warrant anonymity at all, but all other methods of connection ensure that you are open to common leaks and side-channel attacks, thus zero anonymity. Also, any software/service that does port-forwarding, should be avoided.

betaman
April 15th, 2009, 05:16 AM
Hi Steve, what do you think about Tenebril GhostSurf?
How does it work, and is it a secure VPN?

geazer40
April 15th, 2009, 05:21 AM
{QUOTE-> Hi Steve, what do you think about Tenebril GhostSurf?
How does it work, and is it a secure VPN? <-QUOTE}


what do you think he will say? he will say only xerobank/kryptohippie is the way to go. i can't remember him saying on here or his forum that any vpn provider other than the 2 i mentioned is any good. his answers always lead back to his services

if the bloke spent as much time on his own forums he might be able to solve his email problems his users have been suffering from a while; according to them they are not even exiting from the right country. not very good from the professor of anonymity

Sheldon7
April 15th, 2009, 06:25 AM
{QUOTE-> what do you think he will say? he will say only xerobank/kryptohippie is the way to go. i can't remember him saying on here or his forum that any vpn provider other than the 2 i mentioned is any good. his answers always lead back to his services

if the bloke spent as much time on his own forums he might be able to solve his email problems his users have been suffering from a while; according to them they are not even exiting from the right country. not very good from the professor of anonymity <-QUOTE}


You sound pretty jaded. I've only had great experiences to date.

axle00
April 15th, 2009, 10:23 AM
{QUOTE-> You sound pretty jaded. I've only had great experiences to date. <-QUOTE}


I agree. Of course Steve pushes Xerobank quite a bit, he works for them. But if you read what he says about why it's the best out there, all his arguments are true.

I've been a Xerobank customer for awhile now, and I've been very happy with them. Ok other than the fact that there's no file storage service yet (When is this going to be ready Steve?) , and I'm still waiting to buy a Cryptorouter.

SteveTX
April 15th, 2009, 11:51 AM
{QUOTE-> Hi Steve, what do you think about Tenebril GhostSurf?
How does it work, and is it a secure VPN? <-QUOTE}

If I remember correctly, ghostsurf is not a vpn, it works by dll injection to capture your port 80 web traffic only. I could be entirely wrong. What Kyle has been begging to do is start up an anonymity reviewing site to show people the facts and use the deanonymizer to test the strength and weakness of these services. I'm inclined to agree: why? because if I say something and it casts doubt on another service, people will think I'm shilling, regardless if I am right or wrong. I know I'm right, but I would like people to have facts and details so they can decide for themselves.

{QUOTE-> something about mail and exit nodes <-QUOTE}

have you been on the forum? i don't think there is a single unresolved issue. btw, our support ticket response time is now < 10 minutes on average :D

{QUOTE->
Ok other than the fact that there's no file storage service yet (When is this going to be ready Steve?) , and I'm still waiting to buy a Cryptorouter. <-QUOTE}

It just kills me that i don't get to control what projects are highest priority. As soon as unlimited transfer and upgrading the network capacity was mentioned it went right to the top of the list, prior to that DNS anti-leak tech took priority, and now the new browser development is warming up. I'm going to inquire about the status of storage project. The storage system exists in 2 forms i think, one of them is very secure but very very expensive to maintain, whereas most people want internet drives. Anyway, you can get a cryptorouter right now from Kyle if you contact him directly since they are his baby :)

caspian
April 15th, 2009, 11:57 AM
{QUOTE-> Hi Steve, what do you think about Tenebril GhostSurf?
How does it work, and is it a secure VPN? <-QUOTE}
It's a US company.