Is Anonymous Surfing Impossible ?

Discussion in 'privacy technology' started by parpi, Jan 15, 2009.

Thread Status:
Not open for further replies.
  1. parpi

    parpi Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    4
    Most net users don't realise their private details / surfing habits / net transactions are easily found by web masters n users of special pro searchware.

    After more than 20 years of personal computer/net use and
    a trillion software programs for every conceivable use it appears that our basic right to privacy is not available.

    There are many programs claiming to offer anonymous surfing to stop those accessing your personal computer
    and from web operators recording your details but all
    are found to be less than perfect.

    It appears a few expensive commercial proxy servers may offer privacy but waht is the best software alternative ?

    In the last week there is a lot of positive net chatter about latest Sandboxie edition.

    Such chatter may be genuine private users or contrived by the software promoters.

    Any experts in anonymous net surfing or users of latest Sandboxie please give your advise to help us all.

    Parpi
     
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Parpi, Sandboxie helps preserve privacy by running your browser, etc in a virtual sandbox. It does not provide any kind of anonymous surfing.

    A "software" solution for anonymous browsing is all the same as what you get from XeroBank or any other VPN or proxy service. They just package it in a box (like Anonymizer). Even a PPTP VPN is software, albeit just what comes with the OS. A VPN using OpenVPN technology, for example, is a "software" solution in that you download the OpenVPN software and it's just all pre-configured with that particular service. So, in reality, besides a simple CGI Proxy or a web-based SSL-VPN like Megaproxy, it's really all going to be a software solution (and then you have to use a browser which is, alas, software).
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    First, break apart privacy from anonymity. They are not the same.

    Privacy is nobody seeing what you do, but potentially knowing who you are.

    One example of privacy is your home. Everyone knows who lives there, but nobody knows what you do inside of it.

    Anonymity is nobody knowing who you are, but potentially seeing what you do.

    One example of anonymity is a suggestion box. Everyone can eventually see what you wrote for a suggestion, but not discover who wrote it.

    Client side software can deliver only privacy, via encryption. It cannot create anonymity. There is no one-man anonymity system. Anonymity, on the internet, is to blend in with the crowd so that your activities are not attributable to you. It means that it necessarily requires the participation of others. Free systems will always be slow and prone to abuse and attack, fast and abuse-free systems can not be free. This is the tragedy of the commons.

    Sandboxie provides neither privacy nor anonymity, it is not relevant, nor does it assist (very well) against attacks on privacy or anonymity.

    Softwares that provides privacy are encryption and anti-homing software. Encryption applies to storage and communication. Free storage encryption software is TrueCrypt disk encryption, and free communication encryption is available via Tor or xB Browser. Tor is encryption + anonymity, xB Browser is encryption + anonymity + anti-homing + pre-configured.

    Anonymity networks that are free are I2P, Tor, and Jap. MixMaster is an ancient technology for sending email anonymously, but sending the message may take 24 hours.
     
  4. Klaus_1250

    Klaus_1250 Registered Member

    Joined:
    Jun 24, 2006
    Posts:
    45
    Software cannot provide you with anonymity on its own. You need an anonymity network.
    Same goes for privacy. Software can do all sorts of things to make your computer more private and stops leaks to the outside, but it cannot give you complete privacy. You will always need some sort of service provider to help you out. But even then, it is not a perfect solution.

    But that are you aiming for? 100% anonymity doesn't exist. 100% privacy doesn't exists. 100% security doesn't exists. Not online, not in meatspace.
     
  5. NeilC

    NeilC Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    31
    Services like VPNOut offer a lot of anonymity. You have an encrypted tunnel to their server and the only IP address that shows up to servers on the net is theirs. They supposedly don't log who has what externally facing IP address and what logs they do keep (your IP and the IP you connect to on their server in order to have the service) they erase every month.

    Now I guess some governmenal agency with the ability to analyse network traffic could get some way into this but how much of that would be provable in court is another matter.

    It's as good as you are going to get. If you just wanting to download music over P2P then it's perfect. If you are a terrorist then maybe not.
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    What you are talking about is not anonymity, only privacy on a simple VPN using encryption. There are no non-attribution techniques there, and infact they keep logs. That doesn't require any traffic analysis to defeat, it would already be known by both the vpn company, and the state, independently of each other.
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    If you REALLY want to be anonymous check out SurfSolo by SecurStar. You can select any one of their servers, many of which are in countries that do not require logs. Also, using an ultimate ISP that is not in your home country puts a wall of legal and costly obstacles before anyone who would try to get your IP, through a subpoena or otherwise even if that ISP did keep logs. Downside is that the service is $105 YSD/yr.
     
  8. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I think they might only be reselling Privacy.li. Not good.
     
  9. parpi

    parpi Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    4
    Hi guys,

    Many thanks for your replies. I am a computer dummy in my late 60's and only just mastered the VCR.

    I will need time to absorb your advice, translate it to dummy speak and surf related subjects mentioned.

    Not associated with the mahommed bin loader team n not planning to run a scam so don't care about examination by governments.

    Last year, my daughter used my computer to pay some of her bills when she visited us. Later she was subject to an online fraud attempt. Over the years I have had trojens, spyware etc and although I use a variety of software on I still get hits.

    An anonymous audit scan reveals that much of my details are available to those with the right gear - and they would have illegal / ulterior motives for using it.

    It amazes me that after more than 20 years of widespread use of computers / net by general public and a million software programs for almost anything - we still cant surf net in privacy / anonymity - a basic right.

    Our surfing habits recorded, marketed and sold - money, money.

    Perhaps software companies who offer partial answers know how to truly do it but its not in their financial interest to provide a FINAL solution - money, money.

    Read that a good proxy not only gives anonymity but greatly improves security - whatever ever happened to vanishing ink and the abacus ?

    Regards

    Parpi
     
  10. NeilC

    NeilC Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    31
    Could you explain further about how these techniques and logs stop this from offering anonymity?

    If you visit a particular website how would that site or someone else for that matter know you have done so?
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Neil, please look here. You have anonymity from a website you visit, but no anonymity from your ISP or that vpn service. That is no different than your normal internet connection, as a website is not able to identify your IP address back to your identity, but your ISP can, and now so can that vpn service. You have privacy from your ISP, but no privacy from your vpn service or website you visit.

    Adding that VPN service had the following net effects:
    1. VPN Service can now read your traffic without privacy.
    2. VPN Service can now read your traffic without anonymity.
    3. You now have privacy from your ISP, which you could have had just by using encryption.

    You did not gain any anonymity, and you just allowed a third party full access to your identity and your surfing habits.

    Incase you were unaware, a webmaster has full access logs and information about everyone who visited their website. What your IP address is, where you are, what kind of browser you use, what plugins you have installed, what website referred you to the one you just arrived at. All of this is known. What is not known by the webmaster is the identity of the person who used that IP address. But your ISP certainly has a list of what IPs are registered to which people.
     
    Last edited: Jan 20, 2009
  12. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Steve is absolutely right.

    As for ISP handling and archiving of data, I can confirm that Cox Communications (in the USA) can see all past IP numbers attached to your account. I called once and said my IP is supposed to be dynamic, but it's been months since it has changed, They said "It looks like it's been about 9 months ago" I asked if that was the XXXX-6765 one and they said "Yes, and before that you had XXX blah blah and you had that for over a year."

    Just thought some of you might find that kind of data retention interesting. All right there on the screen in front of the customer service rep.
     
  13. parpi

    parpi Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    4
    Hi SteveTX. n other techies. Please take a heavy dose of patience before reading –

    As I understand, it’s not possible to have total anonymity / privacy net surfing due to the process -

    1)
    My computer records what I type and who I post to and receive from. Software available to erase this or prevent others reading same.

    * Is there software to prevent data being recorded to HD
    files in first instance ?

    2)
    ISP has my personal details to trace / bill me
    When I enter X web address, my ISP connects me to X, records traffic to / from sites n site details.
    I can’t prevent this but I can use encryption to stop my ISP reading what I send ?

    3)
    Operators of X site broadcast back to me record my ISP, scan a variety of info about me and my computer.
    They can sell my info, use it to place mal/spyware on my computer. They can divert me to third parties.

    I can’t stop X site knowing my IP but I can protect my ID n other details by using JAP, TOR, Surfeasy,xB Browser etc or a commercial proxy service ?

    4)
    A firewall / server helps stop malware /spyware. Other software helps locate - remove what has got past firewall.

    Have I got the above right ?

    Gather open source has some advantage because it is always evolving adding difficulty for hackers. I tried Firefox TOR download about 8 months ago but couldn’t get it to work properly and surfing slowed up a lot.

    * Please recommend effective software for each of above
    items for use by a dummy.

    Sometimes the dummy asks questions others were too embarrassed to ask and all the class learns something.

    I reckon the best software designer is the one who keeps it light, effective and simple ?

    Parpi.
     
  14. NeilC

    NeilC Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    31
    OK some semantic differences there between privacy and anonymity and rightly so - I take your point.

    Clearly you need to trust the VPN provider in some way or at least believe that what is in their interest is in your interest and study their policies carefully

    I think you can gain usefully from this arrangement, depending on what you want out of it. E.g. if you want to download files over P2P then RIAA or whomever cannot track you down anywhere near as easily. You have gained some anonymity from them. All they have is the VPNs IP. Before you did this they had your dynamic IP from your ISP and they have shown themselves happy to divulge this to 3rd parties. If the VPN has the right sort of policies (and you believe them), are located in the right country etc, it should make it very hard for the other party to find you. By definition that is some anonymity from the RIAA. Also they cannot use your ISP logs against you as your ISP now has no idea what files you were downloading. Before that, as you say, they had a complete list of everything you did. I know this because I got some records off an ISP for a client and it took the freedom of information act to get it. They had sites, times, port connections, file names - everything.
     
  15. Klaus_1250

    Klaus_1250 Registered Member

    Joined:
    Jun 24, 2006
    Posts:
    45
    When it comes to downloading / P2P, there are very few VPN's which will provide you with reasonable protection. Look at their Privacy Policies and Acceptable Use Policy, most are just as bad as those of ISP's.
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    It can be *reduced* in Windows, but your better bet is to not create tracks rather than try to erase them. Tracks become a liability for you on your computer, and anyone who is able to access your computer locally or remotely. To avoid making tracks, use a virtualized operating system or a bootable operating system.

    Another thing you can do is encrypt your harddrive with a product like PGP's WDE. Many people will suggest TrueCrypt, but I have my doubts.

    Kind of. You'll need to use encryption the keep them from seeing what you send but they'll still know what website addresses you visit if you aren't using a VPN.

    You can keep them from knowing your IP by using the TorVM or xB Machine. There is no secure implementation of JAP. If you aren't going to allow sites to run scripts, you can use xB Machine or Tor Browser.

    Kind of. A firewall keeps uninvited traffic out, and lets you monitor what is leaving your computer (phoning home). A VPN will keep all uninvited traffic out as long as it isn't 'forward facing' like Relakks. Anti-spyware and Anti-malware help clean and keep those out. A good free one to use is Hitman Pro 3.

    Opensource is actually easy for hackers to break than closed source. Typically opensource programmers are not hackers, they depend on hackers to scan their code for vulnerabilities and generously not use them, and then tell the developers about them. This is quite foolish, and as proof there are many 0-day hacks to be had in the "zero bugs" Tor network. They simply haven't been told, or they have and said "it's not our problem."

    I recommend proven software. I do not recommend software that only says it is proven. Unfortunately, software can only be disproven. There will be an uncoming site on such pseudo-anonymity software and services, where a new service will be taken apart every month/week or so.

    The best software designer is the one who uses open source modules, has source viewable code, and charges a fee, because that means they have a contract to provide service and responsibility. Opensource according to the FSF includes code that is allowed to have malware/spyware/viruses in it. Opensource licenses are inappropriate for security, privacy, and anonymity software; beware of GPL, LGPL, and 3BSD licenses. Security requires a license like the HESSLA or TESLA, which states the software is open to anyone who isn't using it for spyware or malware, so it holds an irresponsible vendor liable for malicious code in their products. Despise free software, because nothing is for free, and if it costs nothing, you'll get what you paid for when it fails, disasterously so. Ask all the people who've lost their drives to TrueCrypt, who've been secretly hacked for running Tor.
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yes. You must evaluate for trust and trustworthiness.


    I'll tell you what happens when the RIAA / MPAA comes knocking at an ISP.
    1. We get an email from our upstream providers
    2. Upstream provider says terminate the torrent
    3. We terminate the torrent
    4. If this has happened more than once or is happening frequently, we temporarily block the torrent site from uploading.
    5. Otherwise the upstream may terminate our service, costing us more time and money than the client is worth. It is simpler to terminate the client than let him "get away" with whatever the torrent is.

    A VPN service will only tolerate torrent users for so long. If you are wanting pseudo-anonymity from torrent tracking, you need a low quality pirate service like relakks or torrent vpn. The traffic quality is terrible, blocking is massive, it leaks like a sieve, but you won't get requests from RIAA.

    An interesting notice about client and service prices:
    Tor = Free = Scummy traffic, worst of the worst. maxed out speed.
    Relakks = $5/m = Torrent kids, bad traffic. heavy users.
    Metropipe/Swiss VPN = $10-$15/m = Average joe, occaisonal bad traffic.
    XeroBank = $35/m = Professionals, rarely bad traffic.
    Onyx = $100k/y = Corporate & Government, never bad traffic.
     
    Last edited: Jan 21, 2009
  18. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    OMG, at last, finally - THANK YOU! I thought I was all alone. Now we are two. ;)
     
  19. Klaus_1250

    Klaus_1250 Registered Member

    Joined:
    Jun 24, 2006
    Posts:
    45
    Easier is a better word. On the short term, it may have undesirable side-effects, on the long term it is the best way to go.
    Hackers can break closed source as well, they just need fancier tools and more skills.

    Sorry, but you don't seem to understand free software and what it means. Just because software is free, doesn't mean there is no income and that it is poor quality. I don't even know where to begin to explain it all, but you should read a good book about it.
    Free and open-source software (whether under GPL-like, BSD-like or whatever licenses) creates shared wealth and knowledge, upon which other can build. Take Apple OS X. Do you know how much free software components are included in it? Yet Apple makes money off it, invests in it, shares code back to the community, etc.

    A side note. I reported a security issue to MS once. Never got a reply and decides to drop IE because of it. Won't be moving to Vista or 7 either.
    Reported a security vulnerability to Apache once. Within days they released a new version, with the security issue fixed (another one as well) and they were so kind to mention my name. And I never payed them a dime.
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Klaus, I'm afraid you don't understand what I'm saying. Free service and free software are two different things.

    Free/Open software, as in FOSS / FSF in standard, is referring to the licensing. Using licensing that allows people to take the code and add malware, spyware, backdoors, and sell it or give it away as security software is bad. Those licenses are inappropriate for security, privacy, and anonymity software. The user is the one who loses. HESSLA is a better license, because you aren't free to make the software "evil" or be used for "evil", only free to make the software "good" and be used for "good".

    Free services is another issue. Free is always abused, always. No responsibility from the providers, no responsibility from the users. As an upcoming culture we cling to the meme of free services and free software, and these are kind of bad things to become accustomed to. People end up using free less-secure software and services, lowering the security level for the entire internet. Remember: There is no such thing as a free lunch. Someone is always paying the price.
     
    Last edited: Jan 21, 2009
  21. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Let me elaborate on that point a little. Let us say I am the developer of OperaTor or some other software. It suddenly becomes popular, and I decide that I'm going to capitalize on it: I'm going to turn everyone's computer into a zombie or spy on them. Guess what? That FOSS license like GPL or BSD allows me to fully do so, legally, with no repercussions, and the user will have signed his rights away without even knowing it. Those licenses are inappropriate, because it puts the onus of checking the code on the user, instead of the reputation of the developer, and has no legal claws in the developer incase they do "evil" with it. HESSLA license does.
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Want to hear another reason free is bad? Lets look at the inverse. We all get spam right? Spam is bad. Well what if email cost $0.001 per email to send. What would the effect be? I don't mind paying a tenth of a penny for each email i send.

    Spam would go down to nearly nothing and become more legitimately targeted, and all legitimate email would get through. That spammer can't afford to send 200 million emails at $0.001 each. That would cost him $200,000 per email flurry. And if they did want to keep sending it to you, you would be accumulating many dollars each day worth of spam. Legitimate emails, I send a few thousand a year, so $10 or $20 to stop all the spam AND get paid from spam? What a great idea.
     
  23. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Why would that be better long term? It seems to me that if the hacker is required to be a better hacker and have better tools, there would be fewer hackers. Your example of Apache vrs Microsoft doesn't hinge on open vrs closed source. Microsoft isn't going to respond to anyone. Compare Apache to Tzuk over at Sandboxie for a fair comparison. Or try to book a tour of Fort Knox. :D
     
  24. Klaus_1250

    Klaus_1250 Registered Member

    Joined:
    Jun 24, 2006
    Posts:
    45
    That is immoral behavior. Always happens when things are free / open, but anyone doing that will end up with a tarnished reputation. People will stop using that software and move to something else.

    Agree.

    Disagree. Free isn't bad per sé. It allows money to flow to things we value more in our economy, without losing out on things we value less but still use.

    I would say the community, not the user.

    People are used to that. Never purchase a legitimate service or product? If you read EULA, you waiver just about every legal rights you may have.

    HESSLA is way too complex. Read it, but its terms don't allow government use in many territories and it seems to be focused on the USA only.

    People across the world would pay hundreds of millions of dollars extra per year for a service they already paid for, spammers find an easy way around it and thousands would cry out in desperation because they can't get their blue pills anymore.

    The more bugs found, the more bugs that can be solved. In the end, you get a more robust and stable code-base.

    perhaps fewer, but most certainly better hackers. Net-result will be the same.
     
  25. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Thanks Klaus_1250. :D Its' not the topic of this thread so I wont pursue it. We will just be on opposite sides of the fence on this one. :cool: Good banter regardless. TC
    Mitch
     
Loading...
Thread Status:
Not open for further replies.