The most over-looked threat to anonymity: revealing personal information

Discussion in 'privacy problems' started by DesuMaiden, Apr 27, 2013.

Thread Status:
Not open for further replies.
  1. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    534
    Never reveal personal information.

    Personal information is a much greater threat to anonymity than your ip address.

    An ip address is FAR less identifying because many people/households use the same ip address. Especially a public wifi used by thousands of people. When an adversary traces your ip address, they only know your city and ISP. They need to review the ISP's logs to determine the connection's timing and location. Then, they need to prove you were using the connection instead of a neighbor or someone else.

    Revealing personal information completely destroys your anonymity regardless of how untraceable you are. Government databases and the public internet will do the trick.

    ALWAYS disclose false personal information. Create a fictional identity when interacting with other members of anonymous.

    For example, I'm 40-50 years old, studied English & Biology in university, live in Australia, blonde and fluent in a dozen computer programming languages.

    Do you believe this? What do you think is my REAL identity?

    Don't forget about stylometric analysis, so alter your writing style.
     
  2. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    534
    I can't believe nobody replied to this thread.

    Maybe what I am stating in this thread is WAY too obvious, but I think it still matters.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Of course it matters! But at this site, you're preaching to the choir. I'm confident that the users of this site are pretty sensitive to privacy and take efforts to protect it. The difficult thing is to educate the greater public that bares all at places like Twitter and Facebook. I try to help friends and co-workers all the time with their privacy exposure risks. IMO, I've accomplished very little... Sad! :(
     
  4. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Faking information is pretty obvious but to what extent can we limit ourselves to 'faking it'?

    We live in a world where most human beings are naturally social beings. By social, I don't necessarily mean social networking. Even without FB or Twitter or you name it, we can't help but to satisfy our basic need to interact.

    Most people I know of CHOOSE to be personally identifiable.

    "I want to let others know that this is me writing this."
    "I want to let others know these are my thoughts"
    "I want to let others know what is going on in my life"
    "I want to let others know that I belong to this organization"
    "I want to let others know I work for this company"
    "I want to let others know that I'm a designer/teacher/artist/musician, etc"
    "I want to let others know that I'm a young dude in search of my lady love"
    "I want to let others know that I'm a married woman with 2 beautiful kids"

    Different people have different tolerance level to privacy risks exposure. Sometimes, it's not about over-looking things but one chooses to ignore it.

    Disclaimer: This is not an argument. It's just me pointing out another angle to look at things.
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    True. But the subject line read:

    "The most over-looked threat to anonymity: revealing personal information"

    Think about it. That's like saying:

    "The most over-looked threat to illness: locking yourself in a small room with sick people"

    Anonymity can't co-exist with revealing personal information - by definition.

    In other words, if one is revealing personal information, they're obviously NOT trying to be anonymous.
     
  6. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    http://www.smh.com.au/it-pro/securi...-afraid-of-how-they-write-20130116-2csdo.html

    Without having the fun with definitions as per LockBox, here is a link discussing the fact that, essentially, the act of writing is itself revealing (stylometry, as ComputersRock points out).

    This will only get more sophisticated. I've not run across any cases where this was major evidence against someone, but it might be enough to narrow the searcher's target.

    On other good discussions on this in Wilders - at best one can only hope for "pseudonymity" (limited revelation of potentially identifying information):
    https://www.wilderssecurity.com/showthread.php?t=343615&highlight=vpn tor

    What might be more useful is some definition that identifies a "scale of anonymity". Perhaps, one that corresponds to various levels of threat that gets increasingly "closer to home". Otherwise, if we don't lock down a definition of what we are talking about, we will continually chase our tails on a topic like this.

    Two links from EFF, one gives a high level description, which is closer to pseudonymity, IMHO, and the other gives a detailed nuanced look at various risks/threats to be balanced against costs/objectives.
    https://www.eff.org/issues/anonymity
    https://ssd.eff.org/
     
    Last edited: May 8, 2013
  7. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Sometimes, revealing personal information and anonymity can coexist peacefully :) Let me explain: I have a Facebook account, and even though I rarely use it, I am certainly revealing some personal information. However, if I decide to navigate to a specific site anonymously, I can use TOR/VPN and they will not know who I really am.

    In conclusion, if you take anonymity as a whole, then yes, it's obvious that revealing personal information breaks it. But if you consider only a narrow scope for anonymity, then it is possible to achieve it even though you share personal information in other places. It's up to everyone to decide.
     
  8. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Right, I think it's a compromise.

    While on FB or Twitter it's possible to create a fake identity, for shopping online (amazon, ebay, etc.) obviously if I register as Scipio Africanus (and then this does not match with the credit card) I might have some trouble. :D
     
  9. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163


    Unless the 'personal information' they release...is fake :D

    PD
     
  10. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Read about UEFI Secure Boot here (nice graphic for it):

    http://infinitybreaks.blogspot.com/2011/10/windows-8-security-features.html

    What hit me was that this process relies on verifying the "health" of the boot process through a remote "verifier". :eek:

    Assuming this is accurate (not sure what it does if one is not connected to the net), seems that this is a potential "leak" of identifiable information (e.g. machine "signature" and/or location), thus, making it a choice of boot security vs potential loss of some "anonymity".

    Anyone know the details and can verify this?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    It seems that the Anti-Malware Client (and its use of a remote verifier) are optional. But in any case, Windows already makes many remote calls. If that were OK with you, this wouldn't be problematic, and it would better protect you from malware. By the way, most all OSes make many remote calls. What's different about Windows (and Apple OSes) is the default money etc trail to your true identity.
     
  12. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Thanks for your response.

    By definition you are right, if one uses a computer to access the internet, has windows update turned on, etc., there are many remote calls a user does not typically have to fathom.

    I guess you are saying that even if one uses techniques to control remote calls (e.g. disable services, firewall restrictions, etc.) the "necessary" ones that do remain (even if they are deemed problematic because they...) have the same potential to "leak" identifying information, therefore, this one for UEFI Secure Boot is not any different. Is this a correct read?

    If I have that right, and even if someone has taken other precautions for identity protection when connected (e.g. VPN, TBB, Whonix, etc.), there will always be the purchase trail (e.g. tying the hardware and OS to an actual person). Correct?

    It seems it is all in the details of what exactly happens with each of those calls - probably only a handful of MS developers know, since it is not open source. Hence, the risk.

    At least, the UEFI Secure Boot call is optional. But, not running it maintains the risk we have today of a pre-boot malware (not sure if that is going to grow in future, or remain the domain of targeted/profiled individuals/groups - e.g. evil maid attack).

    This is a bit of a learning curve (lots of reading done and still to do), so I thank you and others for responding to these, perhaps, basic questions I've been generating recently.
     
  13. Staritza

    Staritza Registered Member

    Joined:
    May 11, 2013
    Posts:
    13
    Location:
    New Zealand
    On some websites they want to know stuff like your age, etc, in order to register (and some sites can be alarmingly nosey and just about want to know what toothpaste you use!!!).

    Thanks for starting this Thread, it is a very interesting subject.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Yes. Although we don't know which remote calls Microsoft actually can link to true identities of authenticated Windows users, it's prudent to assume that it could link all of them (unless Windows had been purchased "anonymously", which isn't typical). Given that, Microsoft potentially has a record of apparent IP address over time.

    Right. If apparent IP addresses are shared by many other users, going from apparent IP address at a particular time to true identity is uncertain. Microsoft could only provide a list of authenticated Windows users at that IP address. But over time, observers could refine the association.

    For example, let's say that I were accessing foo.com periodically from an authenticated Windows machine through VPN>Tor>VPN. And let's say that the owners of foo.com really wanted to know who I am, and somehow got full cooperation from Microsoft. Over time, comparing foo.com's weblogs with Microsoft's IP database would reveal my true identity.

    That's why I don't use Windows :)
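
The narrowing over time described in the post above, sketched as an added example that is not part of the thread. All account names, IP addresses and log entries are constructed, and the function names are hypothetical; the second call shows the compartmentalised case, where the identifying check-ins never share the apparent IP used for browsing.

```python
"""Added illustration: repeated observations shrink an anonymity set.
Every account, address and timestamp here is constructed sample data."""

# Constructed: (hour, apparent_ip) -> accounts a vendor saw checking in
# from that apparent IP during that hour.
VENDOR_CHECKINS = {
    (1, "198.51.100.7"): {"alice", "bob", "carol", "dave", "erin"},
    (2, "198.51.100.9"): {"alice", "carol", "frank", "grace"},
    (3, "198.51.100.7"): {"alice", "bob", "frank", "heidi"},
    (4, "203.0.113.20"): {"alice", "grace", "ivan"},
}

# Constructed: what a site's weblog holds for one pseudonymous visitor.
SITE_VISITS = [
    (1, "198.51.100.7"),
    (2, "198.51.100.9"),
    (3, "198.51.100.7"),
    (4, "203.0.113.20"),
]


def anonymity_set_sizes(visits, checkins):
    """Intersect the accounts seen at each (hour, ip) the visitor used.

    Returns (sizes, candidates): the candidate-set size after each usable
    observation, and the final candidate set.
    """
    candidates, sizes = None, []
    for key in visits:
        seen = checkins.get(key, set())
        if not seen:
            continue  # no vendor record for this visit: nothing to learn
        candidates = set(seen) if candidates is None else candidates & seen
        sizes.append(len(candidates))
    return sizes, (candidates if candidates is not None else set())


def without(account, checkins):
    """Model a user whose identifying check-ins never use the shared exit."""
    return {key: accounts - {account} for key, accounts in checkins.items()}


if __name__ == "__main__":
    # Check-ins and browsing share one apparent IP: the set collapses.
    print(anonymity_set_sizes(SITE_VISITS, VENDOR_CHECKINS))
    # Check-ins kept off that path: the intersection no longer finds the user.
    print(anonymity_set_sizes(SITE_VISITS, without("alice", VENDOR_CHECKINS)))
```

A single shared IP leaves five candidates here; it is the repetition across different exits and hours that reduces the set to one, which is why separating identifying traffic from pseudonymous traffic matters more than the size of any one crowd.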
     
  15. Staritza

    Staritza Registered Member

    Joined:
    May 11, 2013
    Posts:
    13
    Location:
    New Zealand
    Have encountered websites where you cannot register unless you provide your Area/Postal Code, street address, and phone number!!!
     
  16. Staritza

    Staritza Registered Member

    Joined:
    May 11, 2013
    Posts:
    13
    Location:
    New Zealand
    Everyone who uses a Microsoft OS is literally sending all the information on their computers and connected auxiliary devices to Mr. Gates and his cronies whether they know it or not, and whether they like it or not. Gates et-al own search engines as well such as Yahoo, and that other one whose name nobody can remember!!!

    On top of that there is Google, who in my country were caught red-handed by our Geeks War-Driving everywhere in the "Google Street-Mapping" vans. The Geeks here had always been deeply suspicious of Google because they could never get anything except evasive responses when Google was interrogated by them about what they do with all the user-information they collect.
     
  17. Staritza

    Staritza Registered Member

    Joined:
    May 11, 2013
    Posts:
    13
    Location:
    New Zealand
    Incidentally, when the Geeks here caught Google War-Driving, Google literally immediately fled from the country with their PR Machine incoherently blathering to the media that they had "accidentally been recording information" which in literal terminology, because the Geeks here themselves were War-Driving the Google Vans and recording what Google was actually doing, is saying: "We Were War Driving Everywhere By Complete Accident And Knew Nothing About What Our Vans Were Doing!!!".
     
  18. Staritza

    Staritza Registered Member

    Joined:
    May 11, 2013
    Posts:
    13
    Location:
    New Zealand
    Unless you were Linux from the outset and Geeky enough to be able to not only handle Linux Platforms but also Geeky enough to be able to disguise yourself onto Web thru ISP Server(s) then Big Brother has got big fat (and ever-expanding) file on you: Arch Traitors of you are Microsoft and Google and all of their ever-increasing so-called "services".

    I am not a Geek but desperately wanted Linux instead of Microsoft; not because Linux Platforms are free to all people in the world who can get a computer and connect to the Web (not all that many, and most who are connected can only scrape by from month to month), but because of the philosophy of the Open-Source Geeks whose fabulous "Guru" Linus Torvalds, declared open-war on William Gates because the filthy-rich Gates hijacked the universally freely accessed and globally interactive UNIX System and his big-businessman corporate Dad arranged for "Bill" and his cronies to so-called "design Operating Systems" using the Harvard supercomputer for IBM Corporation by slightly altering various areas of the global, free UNIX System, and then literally thieving UNIX and patenting it!!!

    IBM are the corporation who avidly aided and abetted the Nazis to hunt down every Trade-Unionist Card-Holder in Nazi Germany. Because of IBM more than seventy-thousand German Trade-Unionists were grabbed by the Gestapo and murdered. It was actually for the German Trade-Unionists, or, rather, those of them who managed to survive their "interviews" in the police stations, who the original Concentration Camps were constructed for.

    "Bill" Gates gets his grovelling hagiographers to endlessly reiterate the corporate American Lie about "College Dropout Makes Good By Finally Getting Off Poverty-Stricken And Lazy Back By Finally Waking Up And Seizing The Opportunities That America Freely Offers To All Americans If Only They Would Just Reach Out And Accept Prosperity!!!".

    LOL!!!

    HOW MANY PEOPLE IN USA HAVE GOT DADDY WHO SENDS THEM TO HARVARD UNIVERSITY FOR EIGHTY-THOUSAND DOLLARS PER TERM!!!

    AND THAT WAS WAY BACK IN 1970's!!! What the fees would be NOW!!!
     
  19. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    This is simply not true, and it is easily verifiable by using a sniffer like Wireshark.
     
  20. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Not using Windows is not really an option where we have other users who don't have the ability to adapt, unfortunately. :(
    I would think a fake identity would provide pseudonymity for these cases...seems like there are a number of ways to make this work, that is, unless you need to use a non-anonymous method of payment for service or goods from those sites.
    Aside from MS with potential O/S leaks, Google has the ability to be explicitly more pervasive in their data collection - war driving would only be one avenue...think the entire Google "eco-system" (search, email, docs, drive, youtube, maps, chrome, android, etc.)...there are a lot of data threads they are uniquely able to pull together across a broad range of activity. Some sites now/recently require google ajax scripts to run properly...and they are not even owned by Google! Apple is similarly placed, but less broad in scope.

    EDIT ON: This is why, as Nebulus and others suggest, one needs to create a separate secured path for each pseudoidentity one keeps for separation of activities. :EDIT OFF.

    I'm not sure I buy your world view point...I just think in terms of risk and possibility...if not now, down the road. Still, I did learn a new word...hagiographer! Good one. ;)
    Excellent point. Does anyone know of any reliable research we can reference that has had a look at such traffic and analyzed the content?

    Right now, it feels like we have a lot of suspicion in the face of a lack of specific knowledge, which seems to drive us to over compensate with various hardening efforts. :doubt:
     
    Last edited: May 12, 2013
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I don't know of any thorough independent research on the subject, unfortunately. A significant percentage of the communications of interest should be encrypted and thus would require special effort to analyze. An alternative approach would be to read Microsoft's *full* privacy statement, including any supplements that delve into specific features, for the products they would be using:

    http://www.microsoft.com/privacystatement/en-us/core/otherproducts.aspx

    and then do some searching for (independent) articles/discussions that try to drill into specific aspects.
     
  22. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    From what I tested, for a Windows XP SP3, with some custom configuration, there is no information sent out either to Microsoft or anywhere else. However, keep in mind that I am not using Automatic Updates, so I can't say exactly what Microsoft is sending to their update servers.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    What about authentication for activation? From experience, I know that Windows 7 periodically checks authenticity. After making minor host changes, I've seen Windows 7 VMs, which had been activated, start complaining about not being activated. But I typically enable automatic update download (but not installation).
     
  24. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    You can activate by phone :) I didn't do it for XP, but I did it for Win7 (for someone else). I highly doubt that this allows "literally sending all the information" on my computer to MS, like Staritza said.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    My suspicion is more limited than Staritza's ;) I'm just concerned that Windows is checking in, and that Microsoft can link its serial number to my true identity.
     