The Hitchhiker’s Guide to Online Anonymity (Updated to v0.9.8)

anonymousplanet.org

80 points by anonypla 5 years ago · 18 comments

anonypla (OP) 5 years ago

Disclaimer: I'm the maintainer/writer of the guide and I would appreciate any opinion, suggestion, or criticism (even harsh criticism) from the HN community. Feel free to point out any inaccuracies or errors if you spot any. It would be more than welcome. Obviously, I don't want to spread misinformation or inaccuracies. I also know my guide was posted before by someone else, but unfortunately not by me, and I completely missed that post. It has been significantly updated since then.

  • sandworm101 5 years ago

    How about a section on physical destruction? I am often stuck in never-ending debates about how to properly destroy plaintext data on physical media. Does cracking a platter suffice? Do I have to grind up every little chip in an SSD? What parts of a laptop have serial numbers that might be used to track down its owner?

    • anonypla (OP) 5 years ago

      Yeah I guess I should add some information about that. But I would probably argue that if you just damage the hardware enough (to make it look ruined) and just throw it in a random trash can then chances are low that someone will try to salvage/fix it. And I think it will just end in some dump/incinerator/recycling center somewhere without anyone ever trying to "track you". As for SSDs (or HDDs), I think I do provide enough information to make sure data is thoroughly deleted on them with very high confidence that no forensics will be able to retrieve anything from them.

    • Syonyk 5 years ago

      If your plaintext is that sensitive, it should never touch media in that form.

      If the storage media (spinning rust, SSD, USB key, etc) is to see sensitive data, the device must be encrypted at the block level such that plaintext never touches it.

      At that point, destroying it is a "nice to have," but not really required. Without the encryption key, it's just a source of pseudorandom data, and destroying a key securely is an awful lot more reliable than destroying a large amount of data.

      However, if you have some media that you don't want recovered, what you do to it depends somewhat on the media.

      If the drive is encrypted and spinning rust, I totally trust a dd of /dev/zero, followed by a hexdump of the device to verify that it's all zeros (hexdump, by default, won't show repeated lines, so if you see a line of 0s, a ** line, and then it finishes, the drive is zeroed).

      For SSDs that either haven't contained sensitive data or have been encrypted, blkdiscard is fine, though enough devices don't implement it properly that you must hexdump it after, and if that shows anything, give 'er a couple passes of /dev/zero with a blkdiscard after. And then let it sit, powered on, for a couple hours to finish processing whatever it has queued.

      If a drive has sensitive plaintext on it, you should zero it a few times, then, how's your industrial grinder look?

      For spinning rust, to actually remove any residual data, you'll want to bring the platters above the Curie temperature that will scramble magnetic domains. "Glowing red from a propane torch" should do this, though thermite may be a bit more fun.

      Putting bullets through them will satisfy the requirement for preventing casual recovery, but any residual data is still there if you wanted to get really fancy, even with a bullet hole or few in the drive.

      For SSDs, I would generally take a good torch to the drive, get it "as glowing as possible," then sledgehammer it. There shouldn't be much left beyond powder after that, and at that point, the data is well and truly gone. If you want to be sure, a good "Will it Blend?" test of the remains should cover your edge cases, though I wouldn't use a blender you ever intend to use on food...

      But, really, if you're at all concerned about this realm of data destruction, you must be using block device encryption.
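      The fill-then-read-back check described in this comment, scripted as an added example (not from the guide or from the commenter). It assumes POSIX sh with od and dd, `head -c` (GNU and BSD, not strictly POSIX), and util-linux `blockdev --getsize64` only when the target is a real block device, which also needs root. The demo function runs the whole round trip on a constructed scratch file rather than a device, so it can be run safely anywhere.

```shell
#!/bin/sh
# Added example (not from the guide or the comment above): zero a device and
# prove, by reading every byte back, that it is all 0x00 afterwards.
# Assumptions: POSIX sh, od, dd; `head -c` (GNU/BSD); `blockdev --getsize64`
# (util-linux) only for real block devices, which also require root.
set -u

# byte_size PATH: size in bytes of a block device or regular file.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# zero_fill PATH: overwrite PATH with exactly byte_size zeros, then flush.
# On a block device the redirection writes in place (O_TRUNC is a no-op
# there); on a regular file it rewrites the same length.
zero_fill() {
    size=$(byte_size "$1") || return 2
    head -c "$size" /dev/zero > "$1" && sync
}

# is_all_zero PATH: succeed only if every byte reads back as 0x00.
# Scripted form of the comment's hexdump check. hexdump squeezes repeated
# lines into "*", so a clean device shows one line of zeros, a "*" and the
# final offset; od -v is used here instead so NO line is squeezed and grep
# sees every byte. Any character other than '0' or a space in od's output
# means a non-zero byte is present.
is_all_zero() {
    ! od -An -v -tx1 "$1" | grep -q '[^0 ]'
}

# wipe_and_verify PATH: the full procedure. Exit status: 0 verified,
# 1 a non-zero byte survived the wipe (re-run, or escalate to physical
# destruction), 2 the target could not be sized or written.
wipe_and_verify() {
    zero_fill "$1" || return 2
    is_all_zero "$1"
}

# demo: run the round trip on a constructed scratch file, not a device.
# Returns 0 only if random data is rejected, the wiped file passes, and a
# single stray 0xFF byte hidden at the very end is caught.
demo() {
    tmp=$(mktemp) || return 2
    head -c 65536 /dev/urandom > "$tmp"            # constructed "plaintext"
    if is_all_zero "$tmp"; then rm -f "$tmp"; return 1; fi
    if ! wipe_and_verify "$tmp"; then rm -f "$tmp"; return 1; fi
    [ "$(byte_size "$tmp")" -eq 65536 ] || { rm -f "$tmp"; return 1; }
    printf '\377' | dd of="$tmp" bs=1 seek=65535 conv=notrunc 2>/dev/null
    if is_all_zero "$tmp"; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
}

# Real-device usage (as root):   wipe_and_verify /dev/sdX
# SSD variant from the comment:  blkdiscard /dev/sdX, then is_all_zero
# /dev/sdX; if that fails, wipe_and_verify and discard again.
```

      The verification step is the part worth keeping: on an SSD a zero-fill or discard that "returns successfully" proves nothing until the device reads back clean, and even a clean read-back only covers the LBA range the host can see, not remapped or over-provisioned blocks, which is why the comment still reaches for the torch when the media held plaintext.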

      • sandworm101 5 years ago

        >> If your plaintext is that sensitive, it should never touch media in that form.

        I don't disagree, but I am not god emperor yet. There are plenty of occasions when very sensitive information is stored as plaintext with no practicable encryption options. For instance, good luck finding a reasonably priced camera that encrypts data when it saves it to a card. Say that camera was used to gather evidence of crimes, perhaps by photographing victims in hospital. Plaintext. Very sensitive data. On a USB-readable consumer-grade device. I once had a client with a desk drawer full of old cards from such a camera.

        In such situations, ironically, a cellphone might be a more secure option. Although using a phone introduces lots of other problems, at least the images can be saved encrypted immediately upon creation.

  • uyt 5 years ago

    As a submission to HN, most of the homepage wasn't useful to read. You should change the link to https://anonymousplanet.org/guide.html#table-of-contents and link straight to the contents.

theden 5 years ago

Nice guide, this is like a platonic ideal of anonymity we'd like to have but never will.

Years of using FB when I was younger, general lapses in judgement or overlooks in privacy when in tense or pressing situations, compromises I've made in using services with certain people or jobs, many regretful apps or purchases and sign ups, years of my email and phone number shared to 3rd parties, I could go on...

And that's just the data I've shared knowingly, mostly due to the social contract when functioning in certain groups. The odds are stacked up against an individual.

The reason I mentioned that it's a platonic ideal is because it takes a lot of education and experience for one to even _know_ how to be anonymous. We're not born a priori with an understanding of privacy with respect to technology, and we don't learn about tech privacy early, say, compared to privacy in the physical world. Maybe older folk who were wise to all of these violations as they became prevalent, but younger people are already profiled and marketed to before they understand any of these concepts. It's so dire. I think an approach that may work is for the blocking and scrubbing to be at the hardware and software vendor level, with privacy options baked in and set as default. A given, sort of like how you expect a bathroom stall to be private.

Another solution, assuming we can't escape being tracked, would be to weaponise our data with tools like trackmenot[0] and adnauseam[1].

[0] https://trackmenot.io

[1] https://adnauseam.io

Syonyk 5 years ago

*sigh* The reminder that, no matter how paranoid you think you are, there's always something you've missed.

Always a good read, I'll see if I find anything in particular that stands out as lacking or wrong!

uyt 5 years ago

I know stylometry is a thing, but is it good enough to fingerprint you according to what you know or talk about? What about in the future as NLP advances?

For a historic example, '...although Newton's solution was anonymous, he was recognized by Bernoulli as its author; "tanquam ex ungue leonem" (we recognize the lion by his claw).' https://en.wikipedia.org/wiki/Later_life_of_Isaac_Newton#Ber... I am guessing the proof techniques were so hard/original that Bernoulli concluded only Newton could've come up with it at that time.

Likewise, I would assume there's only a handful of people in the world who have this level of expertise on online anonymity. So do you then have to keep this expertise completely isolated to one particular anonymous account to avoid being correlated?

My concern applies to knowledge that isn't particularly world class too, as long as it's in a unique combination. I guess in some sense what we know makes us who we are so it's hard to avoid being "identified" that way without splitting your personality?

  • anonypla (OP) 5 years ago

    Yes, I think it's possible to correlate two identities just using stylometry. Or at least it would be sufficient to shorten the list of possibilities significantly. But I also think this is something that (at this stage) only a highly skilled/motivated adversary with considerable resources would do (such as a state agency). And I also guess this depends on your "original identity" being "talkative" online so that the correlation could find something to correlate to. I don't think my guide is paranoid enough to protect from such adversaries; for instance, Tor itself made it clear in its design paper that protection against a "global adversary" is not really intended. In my case, this seems "out of scope" for now and above the threat model of my guide.

DoreenMichele 5 years ago

> What if you want to let someone you trust (friends, family, lawyers, journalists …) that you are in trouble and they should look out for you?

I think you left out the word "know" in the above paragraph.

For a lot of people, their biggest threats will be personal relationships: an abusive relative or ex, someone they are currently divorcing. That seems to not make your threat assessment chart and I don't know if that's a good thing or not.

  • anonypla (OP) 5 years ago

    Indeed :) Thank you! Already fixed it in the online version.

    I'm not sure this level of "paranoia" is required to evade an abusive ex in most cases. But in any case, if a reader thinks it is, the guide can help for sure.

CA0DA 5 years ago

Check out https://www.inteltechniques.com/podcast.html
