~ Anonymity lore for beginners ~
Last updated: October 2006
Check your client header right now!
[Old elementary anonymity steps for
[More recent elementary anonymity steps for
[When posting on Usenet]
[When they dare to spam you (and
you have some spare time)]
[When you search]
"Recently, I 've changed the way I connect to the net. I was in a highly unsafe LAN, with many
potential sniffers doing their job. As you see, the problem was a big one, since proxys are not a solution
(sniffers get the trafic anyway), obscuring was too crude and painful for the amount of traffic
I generate and I couldn't get NNTP proxys to work. The tool that actually made me feel so very happy
is Tectia SSH Server/Connector.
I installed the server on a trusted PC outside the LAN, and the connector on my PC.
So, what happens is that the connector transparently encrypts ALL traffic and sends it to the
server. Then data come back in a simillar way. And as a bonus, you can keep using your proxys :)
Anyway, I am too happy with this. I hope it helps people out there!!"
Elementary anonymity steps for
How d'you begin a "crash-course" in anonymity lores for beginners?
Ah! Parum tuta per se ipsa probitas est!
Let's just be frank and direct... let's use a lore... sort of...
"Yep!" - said fravia+ - "so you want to understand why anonymity
is important? Easy,
just read on:... I believe that each time ANYBODY asks you for
some personal info
you should by all means do a mix from the following":
You NEVER give real info, no matter how pressing they are - unless
you really - and I mean REALLY -
know what you are doing. You can bet they are going to use those
data / sell them / throw them to
- You should ALWAYS lie so much that your falsehood cannot
possibly be outdone. It's great fun and, as you will see, it is
useful - surfing to-day's web.
- To begin with, you should already have found some
"alternate" personalities -
it should possibly be somebody that 'almost' really exists: fetch
data from any
personal pages on the web... see geocities and fortunecity for
hundreds of ready made "dull" lifes, you'll
have "visited schools", "year of birth", name of the beloved one,
everything... those pages are
real goldmines in order to fetch valuable lusers' info. I
personally found also all those
"bride for sales" pages very useful as well for 'identity
gathering' purposes. They give fotos, biographies,
cities of birth and whatever else you need to get a faked bank
account in Groenland...
Should you need a false name, here they are in order of frequency (Taken from http://www.lifesmith.com/comnames.html, Thanks Nemo :-)
50 Most Common American Surnames (US Census 1990)
| 1. Smith
|| 11. Anderson
|| 21. Clark
|| 31. Wright
|| 41. Mitchell
| 2. Johnson
|| 12. Thomas
|| 22. Rodriguez
|| 32. Lopez
|| 42. Perez
| 3. Williams
|| 13. Jackson
|| 23. Lewis
|| 33. Hill
|| 43. Roberts
| 4. Jones
|| 14. White
|| 24. Lee
|| 34. Scott
|| 44. Turner
| 5. Brown
|| 15. Harris
|| 25. Walker
|| 35. Green
|| 45. Phillips
| 6. Davis
|| 16. Martin
|| 26. Hall
|| 36. Adams
|| 46. Campbell
| 7. Miller
|| 17. Thompson
|| 27. Allen
|| 37. Baker
|| 47. Parker
| 8. Wilson
|| 18. Garcia
|| 28. Young
|| 38. Gonzalez
|| 48. Evans
| 9. Moore
|| 19. Martinez
|| 29. Hernandez
|| 39. Nelson
|| 49. Edwards
| 10. Taylor
|| 20. Robinson
|| 30. King
|| 40. Carter
|| 50. Collins
25 Most Popular American Male Names ---------25 Most Popular American
| 1. James
|| 11. Christopher
|| 21. Ronald
|| 1. Mary
|| 11. Lisa
|| 21. Michelle
| 2. John
|| 12. Daniel
|| 22. Anthony
|| 2. Patricia
|| 12. Nancy
|| 22. Laura
| 3. Robert
|| 13. Paul
|| 23. Kevin
|| 3. Linda
|| 13. Karen
|| 23. Sarah
| 4. Michael
|| 14. Mark
|| 24. Jason
|| 4. Barbara
|| 14. Betty
|| 24. Kimberly
|| 15. Donald
|| 25. Jeff
|| 5. Elizabeth
|| 15. Helen
|| 25. Deborah
| 6. David
|| 16. George
|| 6. Jennifer
|| 16. Sandra
| 7. Richard
|| 17. Kenneth
|| 7. Maria
|| 17. Donna
| 8. Charles
|| 18. Steven
|| 8. Susan
|| 18. Carol
| 9. Joseph
|| 19. Edward
|| 9. Margaret
|| 19. Ruth
| 10. Thomas
|| 20. Brian
|| 10. Dorothy
|| 20. Sharon
(Note that "Mendacem memorem esse oportet", though :-)
Yet the oldest trick is indeed quite effective: just take a book from
your library and
have a look at the data there. Let's say you are working and
accessing the web from the
States... I could fetch - here behind me - "Using assembly
language" by Allen L.Wyatt.
Let's see: look!
This book is edited by Que corporation (on a side note I think
this is about the only book worth
buying from this crappy editor :-). And
see here, on page 2: Bingo! Que corporation: 11711, North
College Avenue, Carmel, Indiana,
46032. You are done: Let's say
your new identity is - Nescio N. Nomine, 11711,
North College Avenue, Carmel,
Indiana, 46032, United States (that's a country in North
You can keep the "Nescio N. Nomine" part, but if you are
accessing the web from -
Germany, you better use a german book of course (and so on
mutatis mutandis). Let's see
what's here behind me... a nice one: Joachim Schildt & Hartmut
edited by the Akademie Verlag Berlin in 1986, which has the added
advantage of being a
Geografical location: See: Berlin, 1086,
Leipzigerstrasse 3, GDR (German
Democratic Republic: gone for good, I'm afraid :-)
fun to tease data-collectors feeding them such "disappeared" places:
Chekoslovakia, Yugoslavija, GDR... It will take
some time before they come clear with that.
Now you surely dig
it: wherever you live find three-four LOCAL COMPLETE REAL EXISTING
ADDRESSES (unless you want to tease :-) and learn them by heart.
You'll use them from now on for EVERYTHING on the web,
unless you are really compelled to give out your real name (which
should NEVER happen if you are
clever enough :-)
First thing you do with your new "faked" identity: you
open half a dozen addresses on yahoo.com and
other "free" email providers. You'll not need to give much info
away (you'll give the faked one, access
them from a proxy) but they will find out who you are nevertheless
THROUGH THE EMAIL YOU WRITE.
Of course no one here is so naïv to believe that 'free' email
providers provide email
possibilities for altruistic reasons... eh?
So what? This
is not -by far- "real" anonymity, it is just a "preparation phase". You'll learn
more advanced techniques in due time. To begin with, just play
with them. Use those "free" email addresses (chained or through the autoresponder / autoforwarders)
feedback for page providers or sites that require you to have a "working" email
address. Finally note that some "free" email addresses hqve the "org" suffix. These may be
useful for those cases where they may require you to sign using an email addresses
without any "com" suffix.
You should ALWAYS give completely faked credit card
numbers, when asked without sound reason (and I would be careful in giving my real
data even when asked for some apparently valid reason). Use
a credit card number generator if
you don't know how to fake credit card numbers on the fly by yourself (the
algos are very easy to crack, centered on divisibility by 10: in fact
all numbers are based on an underlying
algorithm originally designed to simply prevent key-punch errors by store clerks.
You just simply need to create a number using that algorithm, which makes it easy
to come up with a legit account). Note also that it is VERY EASY
to find REAL credit card numbers
on the web (especially now that many search engines index excel files :-)
Of course I do not condone practicizing credit card scams on the web. Note also that
the TIME and LOCATION of access are (at least should be: few people use PROXIES or TOR TUNNELING tools à la
Torpark,) relevant for
the sites requiring such data when checking
the validity of an order (I would not trust too much an order made at 2:00 in the night from
Moldavia with a credit card number that resolves to Florida :-)
Always remember that if they want they CAN
catch you, so do not ever do stupid things.
You should NOT feel bad in the least to lie like a madman
to anyone who dares asking
your data: such people are
just scum that will use EVERYTHING you will tell them for profit
the very moment you do, and they don't even have the decence of admitting it.
Screw them black and blue, such clowns
deserve far worse than that: never believe for a minute that their
'privacy - pleads' about
how they will "never use your data" are anything else than cheap
Alternatively, when you (have to) "choose" some options
from a menu ("Your income", "Your profession", Your
"State" and so on) ALWAYS choose the first option you encounter,
whatever it is: State=Afganistan, Income=less than 15 USD per year
and so on.
Screw them. If you want to play with them, there are some funny
options like "American Samoa" "Fortune and Wallys Islands" and so
possible option "other" that you may find on these menus is also great,
because you will get
these idiots thinking hard
about updating their options'
palette, adding even more idiotical crap to the possible choices.
An exception to the above: When you decide to use a bogus
identity (i.e. for
instance Nescio N. Nomine, 11711,
North College Avenue, Carmel, Indiana, 46032, United States),
then keep COHERENT with the (faked)
data you give, stick to them. This will make things even more difficult for
those that want to steal and sell your data.
But you don't need to be pseudoanonymous at all if you are
really nasty. Quite the contrary:
remember that in the frenzy to put up an "e-commerce" most
don't have any provision whatsoever to check the real commands
flows. Errors are
not only possible, but frequent.
Chances are that if you point out that
you never ordered some of the useful goods you have somehow
received (commanded by someone
you don't happen to know through an
ad hoc account - which has been accessed through proxies and will never be
reused again -
yet sent to your real address with your real cardnumbers) they
wont be able to prove that you actually really did order them.
They will ask for a restitution, of course, whereby
you just sit on those goods and
wait until they will send you over enough money to cover the costs
back the goods you "so wrongly" received. Any publicity about
harm the new holy e-business, so you'll soon notice how they will
bend backwards to
help you 'sort things out'.
Anyway don't try this, it is not ethical, it would enable you
to use that PC, watch that TV, read (and scan) those books, burn
those games on your
cd-roms in the meantime ("Of course
I opened the packet... I wanted to see what was inside it!").
So don't do this: such an attitude would not be very correct
vis-à-vis the growing new branch of our smart e-business
Yep!" - said fravia+ - "this is but the beginning..."
|More recent elementary anonymity steps for beginners|
Fravia's relative guide to anonymity
"Fravia's relative guide to anonymity"
"no need to be 'too' paranoid"
1) buy pc cash elsewhere (not with cards and not where they know you)
2) wardrive in another part of the town, not the one you live in
3) download only, or if you upload, upload only anonymous things or PGP encrypted stuff
4) rotate your wifi card mac address at every access point: I use "Macmakeup"
5) use wardriving laptop ONLY FOR THAT, no personal data whatsoever on it (or use a live LinuxCD à la Knoppix
and/or a USB stick. Boot it with
no access to your harddrive)
1) Find speedy, beefy first wifi accesspoint with netstumbler:
there are so many unprotected at all that you don't even need to fire a
wep-packets-analyzer/cracker à la Kismet.
2) connect, browse, download, you may even let , (still using opera
and proxomitron, he)
3) ISP "A" will register everything "he" does.
4) work half an hour, download the helluja out of it, upload with care
5) Note that your "host" may have his own log files on the router, but
-usually- this is still not a problem since most people do not change the password of
the router so that "admin" and "password"|"passwd"
is always worth a try in order to get admin access to the current hotspot router and delete the logfile.
6) walk ten meters, change access point
ISP "B" will register everything "another he does".
work half an hour, download the helluja out of it
walk ten meters change access point
...rince and repeat at leisure
Reformat hard disk every week just in case, or even better: the moment you buy
the computer immediately create an image of the clean system and store it somewhere (like a DVD).
Every now and then you erase (3-7 passes) the hard disk and then copy your clean system partition back.
Doesn't take much longer than formatting and is even more secure.
next day another part of the town, or another town :-)
and so on...
Note that it can still be a good idea to ADDITIONALLY use TOR TUNNELING tools à la
Torpark, for instance
mounted on a USB stick.
Note that it can still be a good idea to ROUTINELY check what's going on "under the hood" during your connections
with a good sniffer à la wireshark (ex-ethereal).
When posting on Usenet
Never, never, never use a working email address.
When posting news items use a From: or Reply-To: address like the
This will frustrate spammer programs, that are actively grepping email addresses
on usenet. There are LISTS of grepped email addresses that are sold by the spammers' masters
to the stupid zombies that really believe they can make money that way.
[127.0.0.1] and localhost are synonyms for "the current
host". If you're lucky the first two addresses will cause a bounce
on the sender's machine as it tries to deliver to the non-existent
user bounce. The last two addresses will cause the spam to be
delivered to the email administrator of the machine sending the
spam. If you're lucky that will be the ISP and not the spammer
In general use different email for different activities (one
for real life, one for posting on usenet group A, another one for posting on usenet group B and
so on. There are so many "free" email providers that you can have an
infinite number of addresses, using the real one to 'pick' from those that
you are using on the web - through pop for instance - and never using it directly.
Note however that ALL 'free' email addresses do use the data and the content of your mail for
'insider trading' and statistical building purposes (that's the real reason they
offer you email for "free", duh) so never use these email for sensible data (never use
the web for sensible data, for that matter), and learn to use pretty good privacy just in
5 is the last one without backdoors and works fine on windoze).
So that you can be contacted make sure your posting
body includes a signature that gives a working email address, in an
encoded form - to confuse automated address collectors
that scan news article bodies as well as article headers.
Here some good examples:
(WARNING: this is now 'deprecated', since some new grepping bots translate it
into a working email address)
fraviaATsearchlore!org (note the "!")
firstname.lastname@example.org adding, on the line below,
Cut a "fravia" to answer
fravia__A@T__searchlore.org adding, on the line below,
To reply by email, use "@" not "__A@T__"
And so on... have fantasy, screw the spammers.
See also Hostile environments for email address gathering spiders
When they dare to spam you
you have some spare time)
Another good technique with commercial spammers if you have time enough is
to retaliate, wasting as much of their time and resources as you manage to do. This wont help you much, but it is great fun. Use their toll-free telephon number and tell them you
buy whatever gods / tits / cars they are selling. Chat a lot, let them call back you, let them send
you a representative. Then just change your mind.
If you are good at social engineering you can
get some real email addresses out of them ("...mmm, hey Liza, how can I reach
you in a hurry if I decide to buy another
item -just like the one I'll now buy for myself- for my buddy Charlie?"). If you manage
to get a spammer's real
working email address it's the jackpot! You can then slowbomb him for the eternity.
Alternatively just flood them with order made using bogus
credit card numbers and faked identities: let them deliver their goods to a big house
full of people that barely speak english and where at least 200 individuals
have the name -say- "Chan" you purposedly used to reserve
the goods (or whatever name/immigrant
applies to your country). They'll go nut because they will never be able even
to understand that somebody simply retaliated.
There are a lot of tricks you can
devise to drive the commercial spammers nut if you have enough time, phantasy and dedication, but
imo the best approach (the same you should use when commercial bastards dare to phonecall
you) is to immediately look like you are falling for the trick ("...mmm, well, yes,
thanks a lot, come to think of it I desperately need a new mortgage-insurance special packet..."), luring them into sending you
a representative, if possible carrying all the way a very heavy or very cumbersome
box / catalogue / documentation of whatever useless crap he's selling (choose accordingly when you order),
that you of course wont buy once he finally arrives
(you wont even appear at the meeting place for that matter)
because you have simply "changed your mind". Don't laugh at them, don't curse them, don't let them understand
you are playing with them: just let them convince you to fix a second rendez-vous:
drive them nut (and try once more to get some real & working emailaddresses out of them :-).
Believe me, they will hate this approach, especially if
you ordered the "megabigasupraoption" of whatever crap they are selling and
thus lulled them into being all excited for their "commercial kill",
thinking they had finally managed to fish a zombie. La va sans dire that you should
choose for these meetings the most inconvenient time for the spammers,
picking weird or far away located places (or expensive restaurants :-) where you will anyway never show up.
|In practice, when you search|
A good idea would be to chain proxies. See the anonymity lore section.
See also Anonymous surfing through other services and especially
Corto's bag of web-tricks
Use (and study) Anonykid's "proxy chaining" forms, that encompasses all the above.
[Staying Anonymous in 2002] (by Woodmann ~ January 2002)
[Wolf in sheep's clothing] (by Oh Yeah ~ June 2002)
[How to walk the 'net without kicking yourself
later...] (by Angela Natiash ~ January 2003)
[Internet Relay Chat Anonymity] (by Kane ~ February 2003)
Anonymous E-mail using remailers
shinohara, March 2003
"A person should learn how to use remailers to send
E-mail anonymously. If you just want to send simple E-mail anonymously (no attachments,
only text) and not expect an answer, you can do that by using free Web based remailers"
part of the [Anonymity lore for
in fieri, of course... what about helping instead of just leeching? :-)
(c) 1952-2032: [fravia+], all rights
reserved, reversed, reviled, revised, revoked and reverted