Key points to learn from this document

As this HOWTO has grown in size and scope, it has occurred to me that it now requires at least some form of topical index, especially since it is very easy to skim over some crucial point without realizing that it is key to maintaining your anonymity. As such, I've provided a "Self Quiz" that contains questions about anonymity best practices that you should be able to answer off the top of your head. Answers are in the following section, with links to relevant sections of the HOWTO.

Anonymity Self-Quiz

  1. You are on an open wireless network. Name 3 ways you can be tracked.

  2. Name 3 ways your IP address can be revealed through your web browser even if you use Tor for http.

  3. Sometimes you find Tor unbearably slow and turn it off, or have a filter in place to only use Tor for certain sites. Why is this dangerous, and what measures can you take to protect yourself?

  4. Why is Javascript dangerous? Give 2 ways it can be used to track you and one way you can easily protect yourself without globally disabling it.

  5. What are some ways you can eliminate the hassle and worry over a particular application bypassing your proxy settings, yet still use Tor?

  6. Name 4 local services that can reveal your identity to your local network or VPN endpoint.

  7. A service you intend to access blocks Tor. Name at least two things you can do to circumvent this ban while still achieving Tor-caliber protection.

  8. You want to set up an anonymous email account. What providers are dangerous to use, and why? What dangers do you face no matter what provider?

  9. You need to anonymously access a public IRC server. What properties of your client of choice are dangerous, if any?

  10. You wish to use Google Groups to post to Usenet or to watch for responses to a post you have made through some other means. What should you do before and after access?

  11. You are behind a corporate firewall that monitors your internet access and prohibits you from using certain ports and applications. What can you do?

  12. You also suspect that they may be monitoring your access of the computer itself via a keylogger. What can you do if you want to enter a password to your bank account or home machine?

  13. Give a generic, easy way to detect a self-concealing rootkit on your filesystem.

  14. What is dangerous about purchasing books online? What can you do about it?

Anonymity Self-Quiz Answers

  1. You are on an open wireless network. Name 3 ways you can be tracked.

    You can be tracked via your MAC address, your 802.11 Nickname (hostname), and your DHCP properties (hostname, previous lease, version, etc.). Given that some localities have recently begun to criminalize usage of open wireless points, changing these attributes is probably a good idea no matter what.

  2. Name 3 ways your IP address can be revealed through your web browser even if you use Tor for http.

    Basically this answer boils down to various types of web bugs. The three main ways are: via Java applets; via media objects such as video players and Flash plugins; and via https, ftp, gopher, or other protocols used to load images and things from the page. Make sure your browser is configured to use Tor for ALL protocols, not just HTTP. Also, you probably want to globally disable Java from your browser's preferences, and have a look at the next question as well.

  3. Sometimes you find Tor unbearably slow and turn it off, or have a filter in place to only use Tor for certain sites. Why is this dangerous, and what measures can you take to protect yourself?

    The main issue at stake here is cookies from ad sites. Consider the case where you only use Tor for your private email account. If that email account displays an ad banner, Google AdWords, and so on, that ad banner has the ability to set a cookie. If you then visit a site without Tor that displays an ad banner from that same ad company, the cookie created during your visit to your email account will be sent from your real IP, thus destroying any anonymity you had. This process can also happen in the reverse (where cookies are created while Tor is off, and then sent when Tor is switched on). You can be sure that ad server marketing data is sold all over the place, and is readily available to private investigators who can be hired by anyone. There goes your anonymity. The moral of the story is that you must clear all your cookies both when you turn Tor ON, and ALSO when you turn it OFF. The Cookie Culler Firefox extension can make this easier, because it allows you to protect certain cookies, such as those from news sites, that you would like to keep.

  4. Why is Javascript dangerous? Give 2 ways it can be used to track you and one way you can easily protect yourself without globally disabling it.

    Javascript is nasty. While there is currently no known way it can be used to directly reveal your IP address, it can be used to gather enough information to profile you and determine where you have been. For several examples, visit BrowserSpy. The primary countermeasure is to use NoScript to enable Javascript for only those sites you trust. Unfortunately, NoScript does not provide the ability to separately whitelist Java and other plugin objects. It's all or nothing.

  5. What are some ways you can eliminate the hassle and worry over a particular application bypassing your proxy settings, yet still use Tor?

    Your main options here are to combine OpenVPN and Tor or SLiRP and Tor. Some people even go so far as to set up a Linux router which routes their traffic through Tor for them. In this case, you can use either of the two methods on the gateway and have the gateway do regular NAT, or you can turn the gateway into a transparent SOCKS proxy, or you can just use it as a regular SOCKS proxy and leave your client machine with no other means of accessing the Internet. FIXME: Future versions of this HOWTO will include details on transparent proxying, but for now, see the (rather gimpy) Tor wiki page on the subject and this mailing list post. Also, be aware that SLiRP will soon be unnecessary, as OpenSSH 4.3 provides a built-in tun/tap VPN, which you can combine with Tor as is described in this section.

  6. Name 4 local services that can reveal your identity to your local network or VPN endpoint.

    This depends on your OS. Have a look at this section.

  7. A service you intend to access blocks Tor. Name at least two things you can do to circumvent this ban while still achieving Tor-caliber protection.

    There are several ways of combining Tor with other proxy mechanisms such that your IP is not a member of the Tor network. They are documented in this section.

  8. You want to set up an anonymous email account. What providers are dangerous to use, and why? What dangers do you face no matter what provider?

    In general, you want to avoid any provider whose services you use for other things. In particular, I would avoid Yahoo and Gmail, since it is common to use either provider's map or yellow pages services, which can be a dead giveaway of your location if you are not extremely careful about cookies.

    Last, but definitely not least, note that email is only protected for 180 DAYS if it is stored on a server other than your own. This mind-bogglingly short limit is a result of the ECPA. After 180 days, your email can be obtained by anyone WITHOUT A WARRANT. EVEN IF YOU DELETE THIS MAIL, IT IS STILL POSSIBLE TO RETRIEVE IT OFF OF THE SENDER/RECIPIENT'S ACCOUNT. I provide links to some services that provide "self destructing" email capability in the email section.

  9. You need to anonymously access a public IRC server. What properties of your client of choice are dangerous, if any?

    The main three are DCC, CTCP TIME, and hostname/username info upon connection. For more information, see the IRC section.

  10. You wish to use Google Groups to post to Usenet or to watch for responses to a post you have made through some other means. What should you do before and after access?

    Much like email, in this situation you need to be extremely careful about purging cookies.

  11. You are behind a corporate firewall that monitors your internet access and prohibits you from using certain ports and applications. What can you do?

    This depends on your environment. I would say that your best options are either using Tor with the FascistFirewall config option, or using an SSH Proxy or OpenVPN to home.

  12. You also suspect that they may be monitoring your access of the computer itself via a keylogger. What can you do if you want to enter a password to your bank account or home machine?

    There are basically a couple of things you can do in this situation. You can switch between windows while typing your password, and type a few characters into each window. You can also cut and paste letters from other windows.

  13. Give a generic, easy way to detect a self-concealing rootkit on your filesystem.

    Self-concealing rootkits/keyloggers are easy to find if you use a boot CD to compare a directory listing taken on the live system against a listing taken while the system is being examined from the CD. The Windows UBCD provides a utility called RootKitty to do this for you. See the Rootkits section for more info.

  14. What is dangerous about purchasing books online? What can you do about it?

    Buying books online, especially through sophisticated recommendation sites such as Amazon.com, is incredibly dangerous. National Security Letters enable the FBI to demand records of anyone for whom Amazon might recommend a particular book. Even this aside, it is possible for anyone to mine your favorites and recommendations quite easily without any special access.

    Also, assume mail order booksellers WILL SELL YOUR INFORMATION to third parties. Obviously this is incredibly dangerous, but it happens.

    Your best bet is to obtain a prepaid debit or gift card and a mailbox in an alternate name. If you are reluctant to bend various mail resellers' ID rules, many do have an option to have a fictitious business name added to a mailbox. This probably only provides minimal protection, however, since most likely they will sell this data at some point, or have it regularly collected en masse via National Security Letters.
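
The listing comparison described in answer 13, as an added example that is not part of the original HOWTO and is not how RootKitty works internally. It assumes you saved `find`-style output once on the running system and once from the boot CD with the disk mounted at /mnt/disk; the mount point, the volatile-tree list and the sample listings are all constructed for illustration.

```python
import posixpath

# Trees that legitimately differ between a running system and an offline
# mount (assumed list; adjust for your OS).
VOLATILE = ("/proc", "/sys", "/dev", "/run", "/tmp")

def normalize(listing, root=""):
    """Turn find-style output into a set of paths, stripping mount point `root`."""
    root = root.rstrip("/")
    paths = set()
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        if root and (line == root or line.startswith(root + "/")):
            line = line[len(root):] or "/"
        paths.add(posixpath.normpath(line))
    return paths

def is_volatile(path):
    return any(path == v or path.startswith(v + "/") for v in VOLATILE)

def cross_view(live_listing, offline_listing, offline_root=""):
    """Return (hidden, live_only). `hidden` holds paths that exist on disk when
    read from the boot CD but were missing from the live system's own listing."""
    live = normalize(live_listing)
    offline = normalize(offline_listing, offline_root)
    hidden = sorted(p for p in offline - live if not is_volatile(p))
    live_only = sorted(p for p in live - offline if not is_volatile(p))
    return hidden, live_only

# Constructed sample listings (not real output).
LIVE = """/bin/ls
/etc/passwd
/proc/1/status
/usr/lib/libc.so
/var/lock/session.lock
"""
OFFLINE = """/mnt/disk/bin/ls
/mnt/disk/etc/passwd
/mnt/disk/tmp/leftover
/mnt/disk/usr/lib/.cache
/mnt/disk/usr/lib/.cache/kmod.ko
/mnt/disk/usr/lib/libc.so
"""

if __name__ == "__main__":
    hidden, live_only = cross_view(LIVE, OFFLINE, "/mnt/disk")
    print("hidden from live system:", hidden)
    print("only on live system (removed before reboot?):", live_only)
```

Store the live listing on removable media before rebooting, since anything left on the suspect disk can be altered by the same code that hides the files.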

Must-Have Firefox Extensions

Several Firefox extensions are crucial to enabling you to maintain your anonymity and privacy on the web. Again, these are all mentioned in the text, but it is easy to skim over them and miss them, so I've decided to include the entire collection here.

  1. NoScript

    NoScript is an extremely useful extension that filters out all Java, Javascript and Flash for all sites except the ones you explicitly allow. The only downside is that you cannot enable just Javascript; you have to enable everything at once.

  2. ProxyButton

    ProxyButton is an extremely handy little extension that allows you to quickly turn your proxy settings on and off via a button on your toolbar. Be sure to clear cookies every time you switch Tor both on and off, however, since cookies created for an ad banner displayed in one proxy mode can of course be retransmitted in another proxy mode.

  3. Cookie Culler

    Cookie Culler provides a toolbar button that allows you to "protect" certain specified cookies while making it easy to purge all the rest. It also allows you to specify that you do not wish to receive cookies from sites whose cookies you have already deleted. Very useful.

  4. Add N' Edit Cookies

    This extension allows you to search for, edit, and delete cookies from particular sites. Very handy if you would like to quickly purge a single site's cookies without losing all your cookies. Also has a toolbar button you can install for easy access. Does not conflict with Cookie Culler.

  5. CookieButton

    CookieButton is another toolbar button that allows you to delete/block cookies from the current domain.

  6. User Agent Switcher

    User Agent Switcher allows you to change your user agent on the fly. Also has a toolbar button you can install. Unfortunately, they don't provide any options that resemble a modern Mozilla-compatible browser. For that, you're stuck creating your own (or importing this one).

  7. Adblock Plus and Filterset.G

    Adblock Plus is an extension that you can configure to block just about any regular expression you can dream of. The Filterset.G extension automatically updates the Adblock Plus white and black lists of your browser. This not only makes the web more bearable, but also reduces the chances that you may be tracked by an ad banner server that happens to appear when you have turned off Tor.

  8. BugMeNot

    BugMeNot is an impressive service that provides user-submitted logins to websites that have annoying compulsory registration. As these sites grow in number, the web becomes increasingly annoying and unnavigable, not to mention the privacy implications of someone's ability to profile the types of news articles and other information that you typically obtain from a given website. The extension is very slick, and now allows you to report logins that fail, which was a severe problem with the service in the past.
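
The purge-on-toggle rule from quiz answer 3 and the ProxyButton and Cookie Culler entries above, as an added example that is not part of the original HOWTO or of any of these extensions. It assumes a cookie jar exported in the tab-separated Netscape cookies.txt format and a hypothetical list of protected domains; every domain and value in the sample is constructed.

```python
HTTPONLY = "#HttpOnly_"  # prefix curl-style jars put on HttpOnly cookie lines

def is_protected(domain, protected):
    """True if domain equals, or is a subdomain of, a protected domain."""
    d = domain.lstrip(".").lower()
    return any(d == p or d.endswith("." + p) for p in protected)

def cull(cookies_txt, protected):
    """Return (kept_text, removed), where removed is a list of (domain, name).

    Any line that is not a comment and does not parse as a 7-field cookie
    entry is dropped, so a malformed entry can never survive a purge."""
    protected = {p.lstrip(".").lower() for p in protected}
    kept, removed = [], []
    for line in cookies_txt.splitlines():
        httponly = line.startswith(HTTPONLY)
        body = line[len(HTTPONLY):] if httponly else line
        if not body.strip() or (not httponly and line.startswith("#")):
            kept.append(line)  # blank line or ordinary comment
            continue
        fields = body.split("\t")
        if len(fields) != 7:
            removed.append(("<malformed>", body[:20]))
            continue
        domain, name = fields[0], fields[5]
        if is_protected(domain, protected):
            kept.append(line)
        else:
            removed.append((domain.lstrip("."), name))
    return "\n".join(kept) + "\n", removed

# Constructed sample jar: an ad cookie, a webmail session, a protected
# news-site preference, and a look-alike domain that must NOT be protected.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".ads.example\tTRUE\t/\tFALSE\t2000000000\tuid\tabc123\n"
    "#HttpOnly_mail.example\tFALSE\t/\tTRUE\t2000000000\tsession\tzzz\n"
    ".news.example\tTRUE\t/\tFALSE\t2000000000\tprefs\tdark\n"
    "notnews.example\tFALSE\t/\tFALSE\t2000000000\tid\t42\n"
)

if __name__ == "__main__":
    kept_text, removed = cull(SAMPLE, ["news.example"])
    print(kept_text, end="")
    print("purged:", removed)
```

Run the same purge both when switching Tor on and when switching it off, with the browser closed so it does not rewrite the jar afterwards.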