Could use some advice re: anonymous surfing

I agree, website owners have the right to protect what is theirs, but there is something sinister about malicious website owners tracking and stalking someone through their surfing habits.

I've long given up getting anything quick on the net, as I have dial-up. So I'm willing to trade convenience for security, and a little slower web browsing.

I have to agree that unless your doing something illegal, then simply blocking web bugs is sufficient. Though what is legal in our countries, may be illegal where human rights are a forethought in the minds of their government.

Just my two cents.

 

Wow. I am again amazed at P2K's ability to succinctly say what needs to be said.

I wanted to add something here about the paid services. Several give you a choice of an encrypted VPN, secure SSH tunneling or SOCKS5 proxy service. I have used most all of them for at least a couple of months each. My favorite, for many reasons, is FindNot.com. They allow for anonymous payment and even, if you know how to do it (using some of the tools P2K has discussed) anonymous access to their service.

P2K is right that not using the tools to access these services anonymously basically makes them a third-party ISP. However, their sole purpose is to provide private communications. Because of this, they are far less likely (and more importantly less able) to easily hand over information requested by authorities of any kind. For example, COTSE keeps logs for a maximum of either 48 or 72 hours before all is purged. For all practical purposes of tracing information --- its non-existent. FindNot claims to keep no logs whatsoever, but I honestly doubt that claim. The problem with keeping no logs is abuse of your service. FindNot claims that abuse is rare and when it happens and they lose a provider, they simply will find new pipes with another provider. Currently, as of today, FindNot is running 23 different servers all over the world - and most of them are extremely fast.
http://www.findnot.com/

When looking for a paid service, do some research. There are reviews from ordinary users found scattered here and there. One thing is a given: It's always better to find one that is not located within the boundaries of your home country. The only exception to that I have ever made is COTSE as I know his commitment to privacy issues is rock-solid, he's been at it for years, and he openly participates in the USENET discussions on these issues.
http://www.cotse.net/home.html

Good luck!

On edit....Here is FindNot's "22 Reasons to Use FindNot.com" pitch. It gives you a flavor of what some of these services offer:

22 Reasons to Choose FindNot?

1. NEW! SSH encrypted tunnel via port 80 for ultimate firewall penetration at work or at school. If your computer can browse websites, you can connect to our service and anonymize any internet activity, not just browsing. The SSH tunnel has full "dropped connection protection" so your real IP address will never be revealed even in the event of a dropped connection to our server. This service is run on all 23 servers for your internet enjoyment with full privacy and complete security.
2. All 23 servers are set up for both VPN and SSH encrypted tunnel access.
3. Works with virtually any application program from web browsing to file sharing!
4. No software required! Very fast and simple to use.
5. The SSH tunnel can be activated from a link on our website without running a software installation. Great for travel!
6. The VPN tunnel can be run from a built-in windows wizard so it can be used from any computer.
7. SOCKS5 PROXY service is available to all 23 servers.
8. 128bit Encrypted access to our 23 ultra fast servers located all around the world. This ensures you are able to connect at good speeds whenever you need to be anonymous.
9. Our servers are located on 10 different IP blocks in 5 different countries (USA, Canada, British Columbia, Malaysia, Netherlands, and Russia). You can use all 23 servers and change your IP and/or country appearing to come from a different part of the world ... all effortlessly in a matter of seconds!
10. Anonymous Secure Email Server (your real IP address does not appear in the e-mail). You communicate to our e-mail server using SSL 128 bit encryption so your ISP can't log all your e-mails as they normally do. Our secure e-mail server is located in Malaysia.
11. Anonymous File Storage in your E-mail Account allowing 50 Megs of storage. Encrypt the files you store if you like.
12. Findnot.Com makes free E-mail Services like Yahoo etc. anonymous.
13. Run any application or program anonymously through our world wide network using any one of our 3 methods of connectivity.
14. We keep no logs to protect your privacy.
15. You can access the system from any number of computers, just one at a time per account. This means you can use the service while traveling, at work., at school, or away from home.
16. We offer E-Gold for secure anonymous payments.
17. Our Credit Card Processor is not in the USA or EU.
18. Findnot.Com is not an American or EU company. We do not place you at risk for any privacy violations that seem to come from these jurisdictions. We do have servers in these locations but they have no sensitive data on them that could violate your privacy or security.
19. Use Findnot.Com and become anonymous without installing any software. (although we offer software installation for your convenience as well)
20. Instant Activation with us means you can become anonymous within minutes.
21. Customer Support by E-mail 7 days a week. All E-mails answered promptly.
22. We do not have any censorship at all, full internet always.



-

 

Thanks for the info Gerald. COTSE was one service I was seriously considering when I was looking for an anonymiser. The need to research cannot be overstated here - some services have limitations they do not disclose until you use them. For example The Cloak blocks HTTP POSTs, ostensibly to prevent credit-card fraud, but this also stops you from submitting any data to websites, including posting at forums.

Another point to mention, some services may change your IP address frequently (one product, Steganos' Internet Anonym makes this a selling point - note I do *not* recommend this product since it does not appear to encrypt traffic). This can cause problems with some websites which use the IP address to keep track of your session - the one example I have encountered is Spamgourmet (see Using Spamgourmet with anonymizing proxies for more details).

 

Hi Spanner!

I've never had any trouble connecting VPN. Are you getting an error message?

Here's what I found from their support page. You may have already read this, but thought I should include it here for you in case you missed it:

If you are getting another error then do the following: If you have a router check to make sure ports 1723 and 47 are open. Your firewall software or hardware or network router may be blocking this communication. If you have a software firewall temporarily disable it and retest. Many routers/firewalls have an option to enable "PPTP passthrough". If your router has such an option then you should enable it. If not you will need to enable ports 1723 and 47 manually in both directions. If you are not sure how to do this email the support department at your router manufacturer's website and tell them you need to be able "login to the vpn server at work". This is very common and they have to have a solution.

I use the free Sygate Personal Firewall. I can't remember if I had to change any settings there or on my hardware firewall (Linksys router).

Another word about "The Cloak"....I'm glad P2K brought them up....I have tried them and they REQUIRE Java and Javascript both if I remember right. Outrageous! As is there privacy policy, btw.

 

Oh my, you don't want to be using Sygate with any local proxy software, including anonymiser clients due to its local proxy vulnerability which means that it will allow any application to connect to your proxy and gain network access via its rules.

If the service you use does not need a separate client and you have no other proxy software running (e.g. web filters, some anti-virus email scanners) then this is a non-issue - but it is worth checking if you have not already done so.

 

Hi,


***Genarally speaking

*The first target and function of a moderator is to huphold and maintain the policy (so the law) of the forum.
It's not to have the absolute truth and answer for any question.

Expert, specialist, moderator, security enthusiast, member, newbie...NONE has the monopoly of the truth and ALL can make mistakes.

*Communication=Signal=Possibility to be captured/heard/listening/recorded/tracked...

But which anonimity are we talking about?
The Anon. of the datas or the Anon. of the personal identity (name of the user)?
It makes a big difference.
If i want to make a little joke, i can go in a public computer in another town , where no one know me and where i don't have to give my name: I'll have anonymity.

Criminals, advanced attackers/hackers don't need to use JAP, TOR or any free or paid anonymiser service.
Wireless/wardriving, IP spoofing, zombies computers...could be used.
The communications and datas can be tracked and reconstituted, but it will be more difficult to find the "bad guys".

***JAP, TOR and all others anonymity solutions .

With JAP,the ISP can't see the visited pages in real-time, but each communications between the mix can be intercepted.
The ISP don't know the visited sites, but what about the DNS Server which knows each web server that was consulted?
And the ISP contains the DNS server and then have the ability to track the user behaviour on the web (but not the seen pages).

If JAP was backdoored one time, why not a second time?
This solution is not really secure and can be attacked: http://www.securityfocus.com/archive/1/334612/2003-08-18/2003-08-24/2


And just take a look at its proxy vulnerabilities: http://secunia.com/search/?search=squid

And if it's strong, SSH is not perfect: http://secunia.com/search/?search=ssh

In the past, even OpenSSH was backdoored: http://www.cert.org/advisories/CA-2002-24.html


And what about TOR?
Just take a look at the paragrah 1.4 on the General section of the faq:
http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ

In all case, if Jap and Tor can permit a certain degree of anonymity, they can be attacked (Man in the Middle, DOS...) and most of all, No one can certified that they're not "backdoored".
N S A is well known for broking what they want and i'm not sure that they will permit a private, encrypted and anonymous communication which can be used by all kinds of criminals (terrorists, child's predators, activists...).

With some subjects, i like to keep the door open for the doubt.

And the life sometimes demonstrates that even when we have definitively closed the door, the doubt get back by the keyhole.
Government agencies don't care about administratives procedures: they do their job where and how they want.

In the future, it will be more difficult to get anonymty with the evolution of TCP/IP Protocol.

NB:With these pdf papers, i hope that Paranoid will be less affirmative and keep less certitudes about WebMix cascades (JAP) or onion Routing (TOR):

*In this page, 2 or 3 interesting but technical papers about the weaknesses of theses anonymity solutions:
http://www.cs.umass.edu/~mwright/pubs.html

*A real bible about all kinds of anonymity solutions by Georges Danezis from the University of Cambridge (also technical):
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-594.html



PS:Thanks for the links Gerard, but i don't think i have to pay for anonymity.
I'm agreed with Dvk: It's often a waste of time and money!
I've already invest in Knowledge and it's enough for me.

Thanks for your attention and sorry for my english.

Regards

kareldjag

 

Not by the ISP they can't - but government agencies can. However they still need to use traffic analysis to link the encrypted streams with the original incoming request, i.e. they can see lots of streams of traffic, but they don't know which is yours without doing significant extra work.

With JAP, this is not an issue. The last JAP mix server does the DNS request using its server. With Tor this can be an issue if you have not configured it using Socks4a. However all the ISP would see in this case is DNS requests coming from a Tor server, they would have no way of knowing who was responsible - unless you were their only Tor user.

As has been said time and time again, the backdoor was detected because the JAP client was open source. "Backdoor" is also an inaccurate term since it only reported if a specific IP address was accessed - it did not provide details of online activity generally.

Try naming one item of software that has not had vulnerabilities. If you want to be "completely" secure then throw away your computer. For virtually everyone here security is about minimising risk, it should be a no-brainer that using an anonymiser minimises the risk to your privacy from ISP/Government data retention.

So the Tor project are being honest and upfront about the danger that they may be required to compromise their system and you consider that a problem? Tor, like JAP, is open source - any such change could be detected. This is more secure than a closed-source anonymiser and far more secure than browsing in the clear.

Man in the Middle attacks require the attacker to be in the right place (on your network segment) at the right time (when you start a new connection). JAP/Tor include certificate checks for their mix servers so MitM attacks are far harder (though not impossible) - compare this to browsing in the clear where MitM attacks would be quite easy to carry out. If anything, this is an argument for using anonymising proxies.

As for the NSA, they may have cracked AES, they may be able to keep track of every JAP or Tor user - however the concern of most users is not defeating the NSA, it is of maintaining their privacy from their ISP (and the chance of the NSA responding to an ISP's request for information is about on the level of me being elected President of the United States... )

Since IPv6 offers encryption at packet level, I find that statement somewhat dubious - even without packet level encryption, proxies will still work and can encrypt traffic at higher levels which is all that onion routing needs.

Excuse me for being a little blunt here, but saying that anonymising proxies should not be used since they may have vulnerabilities is like saying an anti-virus scanner should not be used since it will not detect 100% of malware. Even a known-flawed system will enhance privacy, just as a 99% effective anti-virus scanner will improve security.

As for the attacks detailed in the PDFs, passive logging requires that users frequently revisit websites with identifying information (i.e. blocking all cookies would likely rule this out as would adopting a more varied browsing habit) and stay connected for extended periods. Compulsion attacks can (and have) functioned (albeit temporarily) with JAP but would have far less effect with Tor (more servers in multiple legal juristictions). Intersection attacks require the attacker to have inserted their own mix servers so would not be effective with JAP (where only a few trusted mixes are available) but could be used with Tor, if the attacker was prepared to expend resources in supplying enough servers and convincing the project managers that they were trustworthy. Packet counting attacks would work with JAP (where the mix only changes at user request) but likely not with Tor (where multiple TCP streams can share a single circuit).

If you check the design document Tor: The Second-Generation Onion Router, you will find that the designers are aware of many of these attacks and have included counter-measures where feasible, but Tor does not offer strong anonymity as the client software states whenever it is started.

That just leaves the "reputation" attack, which is presumably where your post would come in. As for my "certitude", this has been limited to stating that (a) using anonymising proxies is necessary to protect individual privacy and (b) non-commercial open-source options like JAP and Tor are more secure than commercial systems where you can be tracked by your payment details and where you have no ability to see if the client software has been backdoored. Sorry, but nothing in those PDFs changes these views (though they are of academic interest - thanks for posting them). If anything they demonstrate that mix-server/onion-routing networks are the more secure (if not completely secure) method of maintaining anonymity compared to just using a single proxy.

It's your privacy, it's your choice.

 

I have a question about tor and jab. Are these suitible for your average computer user or do you really need to know what your doing to be use them because from what i have read so far it looks interesting and I wouldnt mind giving it a go.

 

JAP is easier to set up but does tend to be slower. Please review the first page in this thread (specifically posts 19 and 21) for specifics and links to threads covering setup.

 

I have to side with Gerald and Paranoid2000. I see two people wanting to help with those seeking some semblance of privacy. I see a couple of other posters here who, very frankly, hit a sort of condescending tone. I mean it in the actual dictionary definition of the word:
con·de·scend·ed, con·de·scend·ing, con·de·scends
To deal with people in a patronizingly superior manner

You can disagree without sounding like you are better than someone who, for instance, dares to use a commercial service. All the winking smilies in the world can't change the fact that the posters were obviously feeling superior. In fact, I find both Gerald and Paranoid2000, both people who are not willing to wallow in everything that is wrong with this or that, but offering thoughts on the subject at hand without claiming they are perfect solutions.

Suppose I said "I'll give the one poster a pass because they are French and we all know how the French feel superior to everyone else" it wouldn't help to put a winking smiley after such a comment. Somehow, it seems that condescending comments are all too often followed up with those emoticons. It doesn't change the obvious highbrow attitude. What makes it all the more puzzling is that it's clear to me that Paranoid2000 and Gerald Morentzy could talk circles around the two other posters in question when it comes to these issues. That deserves a

Alan
http://www.eff.org/

 

you say to and jap slow down your connection how much slower on average would it be for me? i am on dial up and my average connection speed is 48kbs. Would it go even more snail pace with it?

Which would suggest to a new user of such services because i am kind of looking at Jap because of ease of setup.

I have looked at both tor and japs site but I am not entirly sure I understand how it affects you. Does it only make you annoyminious when browsing the web or does it work with other operations like p2p file sharing or downloading, streaming etc? Sorry if this type of thing has been asked before.

One last thing if I decided to use jap are there shed loads of settings on each program I need to change like my virus scanner etc, browser, firewall etc?

Thanks

Michael

 

Hi P2K!

I have never thought that would be an issue for what I do.....however....what would you recommend? I went with Sygate Personal Firewall because of the ability to tweak advanced rules - and in the free edition! ZoneAlarm didn't allow it in the free edition when I was looking around. However, I am willing to pay for something that is safe and secure. Is ZoneAlarm that product? Look forward to hearing your thoughts on this. Maybe it IS time for a change.

 

Spanner, Are you still having troubles connecting? It's been a long time since I messed with 98SE so I don't know how much I can help. It fires right up and works fine on XP. You should be able to just use the VPN client and sign right in. Hummmm.

I hope you got it working!

Gerard

 

I don't really find Tor to be faster than JAP, at least not in my experiences. But if you've been using anything other than dialup you'll be in for a veryyyyyyy slow surprise when using either. That's the price you pay.... I guess they're not really completely free after all lol.

Frankly, I don't really understand why others say JAP is so much easier to set up than Tor. I didn't find Tor difficult at all to setup, and wonder what is so difficult about it. Just follow the simple instructions here http://tor.freehaven.net/cvs/tor/doc/tor-docwin32.html

I don't want to sound like I think I'm superior to anyone else, but setting up Tor is pathetically simple. I can understand doing something for the first time can seem somewhat daunting, but just follow the steps given on the web page I posted, and you should do fine. Once you figure it out you'll see how easy it all really is, and you'll probably look back and have a good laugh at how difficult you once thought it once was.

Both JAP and Tor as really very easy to set up and use. There are a few options on JAP to choose from, but nothing to worry about, just start JAP and check 'Activate Anonymous Web Access'. I'm pretty sure Dresden Dresden is the default mix for JAP so you should be able to connect to it right away, you can worry about using other mixes later, just get that one working first. Then go to something like http://www.ipchicken.com to make sure your ip is not your true ip, you can check your true ip by just going to ipchicken without JAP on and it should be different.

Tor is more straight foward, you just start it and Privoxy and your good to go. If you have any trouble setting them up just ask. Good Luck.

 

Oops here the correct link to setting up Tor. http://tor.freehaven.net/cvs/tor/doc/tor-doc-win32.html

 

See if this helps, Spanner.

"To set Zone Alarm to allow you access to findnot, go to the Log Viewer in the Alerts and Logs section. Switch it to Firewall mode using the dropdown. You should see attempts to reach an IP address starting 193.xxx.xxx.xxx. Right button click, then select Add to add it to your trusted zone."

"You will probably need to add more than one address, I added two and all was then well. If you move between findnot servers, you will need to add all the IP addresses you use."
From:
https://www.wilderssecurity.com/showthread.php?t=65154

 

Time to bring out the old "Straw Man" now, huh? That old dog won't hunt. A lot of the things we discuss all over this forum can be used for good or bad. That's the nature of security products - and especially computer security. To change the argument with the old "Straw Man" though is rather interesting from a Global Moderator.

Derek, I don't want to argue with you about anonymizing and privacy products, proxies, or anything else. Some of us believe that protecting privacy is worth whatever we spend, whatever we learn, no matter what. It didn't take the FindNot point about using their service to "get around" a firewall to know that the service could be used in that way. Did you not realize that? So what's the dicey ground? That proxies can circumvent IT policies - or that FindNot had the "gall" to come out and say it? If this is news to you, you are wayyy behind the curve on this issue. For every kid that can break out of his school's firewall by using proxies (paid or otherwise), there are thousands of people who can circumvent official government censorship of the Internet and freely read the news not made available to them by their authoritarian governments. Think China, Iran, Vietnam.....sadly, the list is long. Can it be used for "bad" purposes? I suppose. In the same way the same gun that robs a grocery store can also stop an intruder as they storm into your house and head for your wife and children. Your particular Straw Man argument is, in my opinion, a pathetic one to make at a forum like this. Millions rely on the research into security and privacy to just get to GOOGLE without their government discovering their "errors in thinking."

Why do you want to keep jumping into this thread and disturb it with these provocations against those who believe in using tools to achieve privacy on the Internet? Some of us desire to discuss it and last I knew, there was nothing wrong with that. To me, with your last post, you have shown the true colors of one who is openly HOSTILE to the aims of those who seek freedom to surf, freedom of speech, freedom to learn, freedom from big brother and his attempts to control the free-flow of information.

I object - strongly - to your antagonism to that cause as a moderator of a forum dedicated to computer security and privacy. I'm sorry if I am now coming across rather harsh, but I am at a loss why it is so important to you to attempt to tear down the arguments in support of FREEDOM on the net and tools that will allow that to blossom. What is fun and games to some when it comes to proxies and anonymity is a matter of life and death in parts of this world. I stand with them.


.

 

ZoneAlarm is a good introduction but if you are looking for a rules-based firewall, there are better choices in my view. For a free solution I would suggest looking at Kerio (though many here recommend the older version 2 over the current version 4). If you are prepared to pay, then Look'n'Stop and Outpost (which I prefer and use myself) should be worth considering.

Look'n'Stop is lighter and faster but more limited and has fewer features than Outpost, Outpost's strengths are its UI, local proxy control (proxies need a rule for incoming traffic while programs need an outgoing rule to contact the proxy - the second is included by default), logging and plugins. Its weaknesses are poor FUS support and weak termination protection (get the free version of Process Guard to cover this).

If you don't wish to install/uninstall trial versions, then the manuals can give some idea of how each product operates. Kerio's manual can be downloaded from here and Outpost's manuals are available here (also check the Web-Hiker's Guide - while it covers Outpost v1, much of it applies to v2 also). There does not appear to be any downloadable documentation for LnS.

For configuration advice, BlitzenZeus has a thread at DSLR on Kerio 2.x Replacement Rules. Phant0m did have a page for Look'n'Stop but it has now disappeared, but the forum here appears quite active. For Outpost, there is a separate forum where yours truly *ahem* has done a Secure Configuration Guide.

Any further information is best obtained in the "Other Firewalls" forum.

So why did you choose to take this thread off on a tangent by focusing on one specific item from FindNot's marketing and trying to use that to impugn anonymising systems generally, rather than addressing the replies made to your previous posts? Gerald's point of bypassing state censorship (like the Great Firewall of China) is a valid one, but this thread is supposed to be about providing advice to someone concerned about their privacy.

 

Derek, This is one small thing you picked out. I am not going to argue with you about it. For one, you obviously know just enough about the subject to cause confusion and harm rather than being helpful in any way. Stick to spyware and HijackThis which seem to be your areas of expertise.

To play your game, I could argue that we shouldn't be involved in telling people how to detect and rid their computers of keyloggers like Spector Pro since parents all over the world use the software to monitor their children's activities and try to keep them safe on the Internet. See, this plays both ways. I wouldn't make that argument because i know that most things we talk about here can be used for good or bad, for better or worse.

Why not allow this thread to continue without attempts to hijack it with dire warnings about how privacy tools can be a threat to school network administrators? Just remember, these same tools allow MILLIONS (literally) to free themselves from the cyber-bondage of repressive regimes that forbid - some by penalty of death - an individual to simply read a Western news report.

.

 

Good suggestions, P2K. I think I'll spend a part of the weekend taking a look at Outpost. I had already (after your last post) been to "Other Firewalls" and read some good stuff. Thanks for the links and helpful info.

 

Setting up JAP involves installing a Java applet (with Java itself if your system does not already have it) and reconfiguring your browser to use it.

Setting up Tor requires extra software (either Privoxy or SocksCap/FreeCap), which in turn requires configuration along with your browser (with Privoxy, a textfile needs to be edited while SocksCap/FreeCap can be configured via their UI). This may seem easy to some, but there are subtleties to watch out for (as the threads here on setting up Tor with Proxomitron and Privoxy indicate).