Near 100% anonymity? Best methods to maximize anonymity?

Discussion in 'privacy technology' started by HighFive090, Mar 27, 2009.

Thread Status:
Not open for further replies.
  1. HighFive090

    HighFive090 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1
    We know that there is no such thing as absolute 100% anonymity.


    So can we discuss some of the best ways to maximize anonymity where it would be too difficult or costly to track you down that you are pretty much anonymous? (Unless it was something severe like real terrorist activities etc)


    For example: using VPN
    Using Xerobank and XB Machine? Would this setup make you near 100% anonymous?


    Steve? I remember in a thread you said this is 1 of the most anonymous setups out there....https://www.wilderssecurity.com/showpost.php?p=1287975&postcount=4



    Can we list the best methods to maximize your anonymity?
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    1. Best Commercial Methods: XeroBank Onyx + Cryptorouter or Kryptohippie + Cryptorouter
    2. Best Free Methods: JAP or I2P
    3. Best Illegal Method: Zombie Botnet

    There are no metrics for measuring anonymity yet, but 1, 2, and 3, are in proper order, each by an order of magnitude.
     
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I would agree with this list. I would also add something extremely simple, but very effective. Using open wifi, outside a large apartment building or any dense neighborhood. From one to the next to the next and never using the same one twice. I know we've all talked this to death, but I have yet to see how it fails as anonymous.

    Steve, Is the cryptorouter for individuals available yet? I'm ready to roll with it if it is.
     
  4. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    I personally would suggest against using JAP, they have remote monitoring built into the code to detect and trace "illegal" activities trivially. I2P looks good for hidden services, I would suggest that for some goals but I think it is lacking in out proxy ability. I personally suggest Tor for most people, I2P for people doing things based around hidden services.

    Also spoofing Mac address and using WiFi will help a lot, especially if you hit up new WiFi hotspots each time.
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yes, if you get it from Kyle via JanusVM. We're ironing out bugs in the implementation and interface.
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Not quite. You are speaking of the incident in 2003 when German authorities forced JAP to include code in their software (among other things). Since JAP is open source, it was placed in the code in such a way as to make it obvious what was happening. Actually, JAP passed the test by the actions they took. It's a different model now, but the privacy terms are even stronger. You can read about LEA terms here https://www.jondos.de/en/lawEnforcement

    I hate it when I read these old and passed around rumors that twisted the 2003 incident into something it was not and act like it's still taking place today. Usually passed around, such as this case I suspect, completely innocently. The old start a story at the beginning of the circle of people and see how the story ends by the time you get to the last person.

    This is one rumor we should should help put to rest.
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Keep in mind JonDoNym is not the same as JAP. Same technology but much fewer peers, all in the EU, making it not anonymous because of the data retention laws. Most jondonym servers are in germany/austria, which is kind of a joke.
     
  8. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    When I said it was a different model, I was talking of the infrastructure. I was really pointing out the error of this "it's built-in to JAP" stuff. It may not be the highest anonymity, but then again, even XeroBank runs the budget service with USA servers and it's not necessarily a joke.

    Thanks for the info on Kyle's cryptorouter. I didn't realize, or I had forgotten, that it could be used with XeroBank. Thank you!
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No budget USA services for XeroBank. USA servers are 100% cryptographic terminators with relay/cascade to international exit nodes. ShadowVPN however is a 1-hop in Netherlands that crowds with XeroBank traffic for extra anonymity.
     
  10. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    They show on their website that they can monitor JAP connections to certain websites if court ordered to do so, and did so in 2008 actually. I am not sure how exactly they do it, but its straight from the horses mouth so to speak.
     
  11. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Well of course they can do that. XeroBank can do that too if it's absolutely necessary. No secrets there.


    I'm sorry Steve. I thought ShadowVPN servers were US servers. My mistake. The Netherlands is a data retention country and crowding would have nothing to do with retaining data on use of Dutch servers. The difference with JonDoNym servers in Germany is simply length of data retention, right?
     
  12. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    Tor can't do it trivially. For Tor to do it one or more of the following would need to take place

    1. The user doesn't have Tor configured properly, or doesn't have Java/Flash/ActiveX/Javascript/(CSS in some cases!)/ETC disabled.

    2. The adversary owns all of the Tor nodes in the circuit the user is using (plus can monitor incoming connections also, if the user is set to relay)

    3. The adversary compromises all the nodes in the circuit the user is using and they have logs

    4. The adversary gets cooperation of ISPs to view traffic, and they still have the information stored.

    JAP can trivially trace users. Tor requires in most cases that the user not know what they are doing, the adversary to get lucky, or ISPs around the world to cooperate with each other.

    Correct me if I am wrong but I do not think I am.
     
  13. coderman

    coderman Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    39
    it is getting easier to protect against the catastrophic failure of anonymity via side channels like this by transparently relaying ALL traffic or filtering it :)

    [for example, https://www.torproject.org/torvm updated on Mar 28 to include information on using Flash or Java as a restricted user]

    best regards,
     
  14. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    :ninja: I'm skeered.
     
  15. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    One factor that people using commercial services probably tend to overlook is the issue whether the PAYMENT for the service can adversely impact privacy/anonimity.

    Especially a high quality service like Xerobank.

    Assuming one doesn't use a fake ID, people registering for anonymity services could be identified by the payment, like credit card, bank account etc. ?

    Of course, what you have to 'hide' may be innocuous, but if that's the case, why pick a 'premium' privacy service ? I'm sure various organizations are very interested in who uses those services.

    I'm known to be wrong on occasion :ninja:

    Can anyone shed some light on this ?
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    We spent a lot of time on this question. Then we decided we had to split the account holder from the activity of the account itself. That is why XeroBank developed the Variable Anonymity User Letterbox Token System. The way it work is that your payment funds your deposit account. Then the deposit account encrypts the tokens it gets from being funded, and sends them into a pool of other tokens. The access account is the only one that can decrypt the deposit account tokens, and they are redeemed at usage against a massive pool of encrypted tokens. To put it short, we broke the connection between our customers and their actions through a somewhat irreversible way. I say somewhat because that doesn't stop us from creating poison tokens and injecting them into the system if we want to, but it does mean you can't just take some access account and trivially find out which person it correlates to, which is pretty brilliant. It makes it a one-way operation, essentially. Payment -> Deposit -> Access -> Activity, and it can't be reversed directly. So lets say someone somehow gets our database of users. They can't discover who owns what account. They also can't look at an activity log and find out the person behind it, and neither can we
     
  17. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    Why don't you guys take liberty reserve or something else anonymous ?
     
  18. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    It looks like a good solution.

    But it still won't prevent someone, say a US agency, from collecting a database with your account holders. OK, so they can't look at an activity log.
    But there is always the possibility to go after the account holders themselves. And install a hardware keylogger, install surveillance software on someone's computer by direct physical access, infect someone remotely by, for example, an infected email, social engineering, use legal means (including the 'means' of intelligence agancies) to force someone (if necessary by manufacturing evidence, the method of piling up charges) to reveal his online activities/Xerobank activities. While you can't show an activity log, is it possible from the users' end (voluntarily or not) ?

    I could imagine matching a suspect (or not even a suspect, but someone used for the intent of harming your organization) with Xerobank payments, and use that somehow. I don't want to discredit your clients, but I assume that more than a few use it for (according to local or other law) unlawful activities.

    I know that 'security by obscurity' is far from perfect, but given the current climate with 'the war on terror', 'the war on drugs (including dispensing prescription drugs in violation of local laws)', closer cooperation by Interpol, the fight against cybercrime (which is far greater today than a few years ago), the encroachment of the surveillance state, I wonder how long ultrasecure communications methods can be used freely and without care ?
    Even if just to make a point ?
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You are talking outside of the threat model. If the end user has their home system compromised, anything is possible. If you are a hot target of specific national surveillance agency, nobody can help you. If you want to avoid dragnet surveillance, or evade most domestic surveillance methods, and prevent surreptitious surveillance, ISP snooping, click-arrests, and data retention, we've got you covered.

    Security through obscurity has nothing to do with any secure method of communication, and any method of communication employing such techniques as it's core should not be regarded as secure.
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    It's called eCache. :)
     
  21. n33m3rz

    n33m3rz Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    114
    Xerobank takes ecache? Is Ecache still in business I have been trying to find out what their deal is.
     
  22. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yeah, we will definitely accept eCache.
     
  23. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    How would you go about sneding you Ecache it only gives you the option to pay with a credit card for xerobank?
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    prepay 1 year, provide eCache token admin.
     
  25. fuzzylogic

    fuzzylogic Registered Member

    Joined:
    Mar 12, 2008
    Posts:
    149
    thought i've update this thread with some weblinks that don't provide 100% anonymity guides but do give some good information on being anonymous;
    - http://www.zensur.freerk.com/index.htm
    - http://www.theregister.co.uk/2001/11/14/doityourself_internet_anonymity/

    i though ecache was a very shady anonymous payment system, no one i believe has actually gotten a certificate much less found a exchange that actually exchange it, i've read no one can contact the exchanges or the person behind ecache but maybe someone has recently. how about loom.cc, kinda operates on the same bases.
     
Loading...
Thread Status:
Not open for further replies.