Anonymity is something that doesn't exist today. Everything you do in the world is tracked, from the purchases you make to surfing the internet—even taking pictures on your iPhone. Everything you have ever said and done on the internet is still there—somewhere. This is called caching. For example, when a site is down, you can view its cached page on Google.
Even if this data was not stored and got deleted, it would have been written on a hard drive, which means it's vulnerable to file carving and data recovery. No matter what you do, something about you will be on the internet. If you buy a house, get married, even if you die, something pertaining to you will reside on the net. The information is in public records everywhere and can be found with a simple Google search.
Who and What Is This Guide For?
This guide is for everyone—everyday web users and black hat hackers alike. And it's intended to educate on the importance of practicing anonymity and using security on the internet.
Let's face it, trolls exist on the web and we are bound to make one of them angry. This could be the biggest mistake you've ever made. If you have a username that can be Googled and your Facebook page pops up, someone can find out your real name. This can prove to be big trouble for you. A troll can have his cronies and followers all DDoS you in some form. Spamming your home with phone calls, getting nasty letters, and having your home network directly attacked can be a result of this. Your personal information would be everywhere, causing a huge strain on your life. This is referred to on the internet as a d0x.
Everyone is a potential target. But don't worry, there are ways that you can mitigate these chances, or even remove them completely, depending on how much damage you may have inflicted to yourself. This guide is here to teach you how to live a normal life on the internet and operate normally, but stay secure and keep your information and dealings safe from prying eyes. There are a million reasons to want to keep your internet biddings seperate from your real life ones. You have a right to anonymity.
How Do I Become Exposed?
It depends. If you use the same username and use your real name on any website whatsoever, you can be easily exploited. Here are some habits and activities that are bad ideas when practicing anonymity.
- Social networking sites—These reveal all sorts of information. Most commonly, people will list birthdays, post pictures of family, list contact information and phone numbers, and show their real name. This is dangerous and sensitive information to make public. Just imagine the people you wouldn't want to possess this information. Social networking sites post this information publicy, and some of you may not even know. This is not the best stuff to have visible to the public.
- Committing crimes—Not only is commiting crimes wrong, but you end up getting arrested, and that leads to your name in a news article. This makes a huge irreversible footprint on the internet. You will be searchable via many online databases. The bottom line is: try not to divulge in anything illegal.
- Keeping a blog—If you maintain a personal blog as a journal, you're posting all of your private information for the whole world to see. You may want to re-assess what you are doing. Is a blog really that important to the point that you might let strangers know things they shouldn't know about you? Exposing a window this personal into your life is practically begging for a creepy disaster. This should be avoided at all costs for the sake of anonymity.
- Posting public comments—Bear in mind when you post to a public board, that comment will be viewable through a search engine. A lot of you post private information publicly, thinking you are safe because you hide behind the usename haxx0r9000, but if you use a Facebook with a real name that holds the URL https://facebook.com/haxx0r9000, you're pretty much out of luck.
- Public phone records—Having a number reachable just by searching a name is bad news. Stick with prepaid phone services. You can get a Motorola Droid on a prepaid plan, so how can you complain?
- Making purchases with credit cards—You can't rely on the security of someone else. For example, say you buy something on an online auction site and store your credit card information there. If someone hacked their network, who knows if the information would be encrypted. All of your personal information, credit card numbers, and even your purchase history would be available to the hacker. Same would hold true if a business didn't shred sensitive paperwork. An alternative would be to withdraw cash from an ATM.
Perfect Anonymity from the Ground Up
For perfect anonymity, you will likely need to start over from scratch. We need to take care of our old accounts. Prior to doing so, flood it with inaccurate information. This will ensure that if the information is ever recovered, it will be really hard to determine which data is correct and which isn't.
Methods of Flooding and Secure Deletion
- Fill your mail inboxes with mailbombers. This will flood the caches and makes sure the sensitive information is overwritten. Bomb yourself using one of the many email bombers around the internet. They are easy to use.
- Upload random pictures of other people found on Google. This will make it hard to determine who an account belonged to.
- Change your information for given accounts to innacurate nonsense. This will also aid in removing the link to you in real life.
Delete all Prior Social Networking Sites and Accounts
Delete Your Account is a great site to help delete any major (or minor) scale account that you may own on the internet. You can search alphabetically for sites like Facebook, Reddit, Monster, Hotmail, Google, etc.
Adversely, if you feel that you must keep your accounts, it is up to you to delete pictures, videos, comments on others' profiles, etc. to get some degree of anonymity. I would never recommend doing this for someone who wants complete anonymity.
If you have residual information left over in Google's cache, as we have stated previously, you can get rid of it by removing it with this request form. It is worth it if you want your anonymity. Once you are sure that your online presence has been deleted and you are ready to start from scratch, proceed.
Protecting Your Data & Storage
Get a Solid State Drive
Scrap your hard drive. If we are talking about having perfect anonymity, it's the only way to make sure. An ideal solution would be to use a Solid State Drive (SSD). SSDs are impervious to file carving and data recovery unlike Hard Drive Disks (HDDs), because SSDs use flash memory. In laymen's terms, bits of the data are not retained after deletion on SSDs, the data is immediately released and gone forever.
If You Have to Use a HDD, Use a Virtual Machine
On the other hand, regular hard drives use an actuator arm inside of the hard drive to polarize the platter with a magnetic charge (positive or negative). These translate into the binary 1's and 0's that create our computers. On a standard hard drive, leftover fragments of files can be easily restored to their previous states.
If the price of SSDs are too much for your budget, and you are forced to use a normal hard drive, a trick to keep your operating system from storing any sensitive data is to have a host computer, and then create a virtual machine within it. Use that as the actual computer, and if you need to make sure information from your computer can't be recovered, securely delete the files and they can never be recovered. This is because the data is written over multiple times to damage the ability to read and recover it.
Drive and Data Encryption
To protect yourself locally before you even get on a network, drive encryption is a good idea. Encryption obfuscates data so it is unreadable—unless a passkey is supplied that matches the hash found in the encrypted data's header. When the passkey is entered, the data is decrypted and readable. To learn how to encrypt your hard drive, check out this Null Byte.
Creating and Managing Emails
You need to create a new email that has nothing associated with you in real life, and nothing to do with your former internet handle, as this could lead to your information being traced to your new identity. Names such as "jparker1983" says a lot about who you are.
What if the Email Service Requires a Phone Number to Activate?
If the email address you create requires a phone number, as they often do, set up a free forwarding phone at iNumbr. This will allow you to essentially hide your phone number. After you set up an account, iNumbr calls your phone and the target number. It bridges the two calls, effectively masking your phone number.
Get into the practice of creating a new email for everything you use, for ultimate anonymity and safety. This will:
- Prevent single email accounts from being stolen (if, by chance, it ever does happen), which in turn will cause you to lose access to all of your accounts because of it.
- Keep personal contacts, business contacts and internet only contacts separate. This separates people you know in real life, to people you may not trust enough to mix in with your personal friends or associates.
- Keep things organized.
- Allow you to use a test email for sites that may spam you, but require an email address.
Creating and Managing Secure Passwords
This is an internet security must. A good password does not mean creating a string of text that someone else will not think of. There are many things that go into creating a good password. However, not only does creating an algorithmically strong password matter, but how you manage them also does. Null Byte created a guide a while back on doing just this.
Good Requirements for Creating a Strong Password
- Greater than 20 characters.
- Full use of ASCII characters.
- Never use the same password twice.
- Never answer security questions accurately, they just allow another way for an attacker to get in.
Make Your Browser Reveal Nothing About You
Set up your browser so it doesn't have a user agent. A user agent identifies your browser and OS to a website via JavaScript—something that can reveal who you are. So, we should have it spoof this information. Also, you should have a plugin like NoScript. Alternatively, you could disable JavaScript and Flash. These can leave cookies on your computer that will track which websites you visit.
Disable JavaScript and Flash Manually in Firefox
- Click Preferences.
- Click Content.
- Uncheck JavaScript and disable it.
Use Tor to Mask Your IP Address and Encrypt Your Traffic
You can also use the Tor bundle and have a standalone browser that can be securely deleted at any time. It also will encrypt your traffic and mask your IP address (your unique ID on the internet). This makes your traffic unable to be sniffed or searched, even by your ISP. Your IP also becomes safe from people who you don't want seeing it (or whatever reason you want your IP to be hidden for).
Secure Traffic from Analysis & Make Anonymous Connections to Sites
We have a few solutions at hand. Encrypting traffic and spoofing our IP protects our identity from websites. This also protects us from people sniffing our traffic when browsing away from home.
Spoof Your MAC Address to Make Yourself Anonymous on the Network
First and foremost, you need to spoof your MAC address if you are using a connection away from home. This will make your computers burned-in address spoof to one that you specify. With this in practice, we will be protected from other users on the network, and the router. It will also make sure our MAC address can't be traced back to our person (because if it was bought with anything other than cash or prepaid, they know exactly who you are) . If someone sees your MAC address Windows users can use this guide here. If you are running Linux, enter the following command in the Terminal:
sudo ifconfig wlan0 down && sudo ifconfig hw ether 00:11:22:33:44:55 && sudo ifconfig wlan0 up
Encrypt Your Traffic with an SSH Tunnel or a VPN
You need your traffic to be safe from traffic analysis when using Wi-Fi away from home. The simplest solution is to set up a home SSH tunnel. This will encrypt, and then forward your traffic back to your home computer before sending it to its destination, which protects it. An alternative solution that can cover all ports on all platforms would be to use a VPN. These anonymizing solutions can also protect you at home when you want to access a website while masking who you are and where you are from. I recommend trying to get Eastern block VPNs from countries like Asia. The United States has no jurisdiction there, thus, logs cannot be obtained.
Properly Use Social Networking Sites to Maintain Anonymity
If you are in a circumstance where you absolutely need to use social networking sites, there are a number of things that can go wrong, so you will need to be careful. Any social networking site that you own must use fake information to maintain anonymity.
Don'ts for Owning a Social Networking Site
- Do not use real information of any kind. No names, no address, no anything.
- Do not upload real pictures of yourself (or do as I do, use an obfuscated picture of yourself. However, do not include your nose and eyes together, that triangular area on your face is what makes a brain recognize a face easily).
- Do not talk to strangers. Only talk to family and personal friends who know you and your alias. A stranger that you confide in could wind up leaking your information.
- Do not post in public comments.
- Do not display a phone number.
- Do not display your email.
- Do not let Twitter or anything else expose your location. Make it a habit to check application settings to make sure it isn't posting information of yours anywhere without your permission.
How can I Test my Anonymity?
There are a number of free services that exist on the internet for you to use at your disposal to aid you in getting personal information on yourself, or others. Even when you have only a little to begin with, you can get a full d0x on someone.
- Pipl is a search engine that searches non-indexed web pages, as well as indexed, for common usernames, email addresses, phone numbers—even name and location. This is an immensely useful tool. You can look a person up via email, name, number, or other information.
- Tineye is an advanced, reverse-image lookup tool, whereby you can take an image on the internet, then find sites that have the same image in it. A helpful tool, if you weren't getting anywhere with a d0x. If the person uses different usernames, has a fake name on their facebook, and sets it to private, you can take their default picture, and find other sites that the picture is on. Since people most commonly use the same default profile picture, you will likely end up with another social networking site, that can perhaps reveal more information.
- Archives (Disclaimer: This is probably frowned upon). This little gem of a site is one I found that's got quite the interesting flaw. They have real records of peoples' employers, phone numbers, previous residences, family trees (even kids), arrest records, newpaper articles that the person has been mentioned in, and more. This is a PAID service. But don't be alarmed, I said it had a flaw.
Exploit Archives Purchasable Services
- Go down to a gas station or Walmart, and buy a prepaid debit card, spend the money on something you actually want.
- Make an account on Archives (use a new spam email, they send boatloads of the stuff). Search the user and buy records of choice. Even if you have no money on the card, the transaction goes through and they give you the records. The website has a mechanism that retries a card number if the transaction fails, and gives it about 30 minutes. So you can go nuts for a little while and "buy" what you need. It's a great little glitch, but after that, they ban the card from use on the site (this was personally found and tested by me.)
Before You Enter a Phone Number Online
If you need to use your phone number online for business or Craigslist ads and such, you have a couple pretty good options available to you. My favorite option is to use Google Voice. With Google Voice, you can operate even better than before.
Features of the Google Voice App
You can:
- Forward calls to your home phone.
- Make calls with your home phone appear to come from your Google Voice number.
- Archive logs.
- Text message.
- Ability to change your phone number and infinite amount of times.
Make Sure Your Smartphone Doesn't Betray You
Don't worry, you can keep it. You do need to make sure location options are turned off, though. By default, I know the iTouch stores your GPS location on every picture you take. If this were ever on the internet, you could examine it in hexadecimal to find the coordinates.
Windows file explorer even supports reading the GPS location in its properties view.
If you don't want anyone reading data passed through on your phone, you might want to get rid of your phone completely. iOS and Droid have been proven to track everything you do. They can even expose data when on an HTTPS connection.
How to Spend Your Money Anonymously
This can also be done! Anonymous spending isn't as hard as you would think. To spend anonymously online, we first must purchase a prepaid debit card and activate it. They can be found at any gas station or supermarket.
Care dos and
- During activiation DO NOT enter your social security number.
- Pay for the card in cash.
- Do not register the card with any of your real information, such as address and name.
For added anonymity, you may want to use Tor to anonymize your traffic and spending accounts, not just who is spending the money.
Spending Money on the Internet
- Open up a PayPal account with a fake name, address, etc. Make its information match the fake stuff that you entered when registering the debit card.
- Create an eBay account with the same information. This will be your spending and receiving account.
- Purchase something on eBay with your new PayPal account, and have it shipped to a friend's house under your fake name (to avoid the question being asked, packages are delivered according to address, not name).
Receiving Money on the Internet
- Sell something on your fake PayPal account.
- After you receive payment and mail the goods, have your real PayPal and eBay accounts post an ad for a piece of paper.
- Sell the paper for the amount of money the goods were sold for to your fake account. This allows for a nice, natural-looking transfer. Anonymous.
Protecting Yourself from Social Engineering
Eventually, someone will want to find out more information about you. Means such as social engineering can give this "someone" the information about you that they want. A person may contact you directly or go through your friends and social engineer them. The below list of rules should be held onto with your dear life.
Try not to Talk to Strangers
Your first concern on the internet should not be to make friends. Having online friends is a security risk that I do not advise taking. Also, how do you know that you can trust them in the first place? Only do this if it is a must. Remember, it is your own fault if you don't cover your own back!
Don't Divulge Personal Information
Don't give any real information, such as location, DOB, names, etc. Give legitimate sounding info. Come up with your own new life story and this will keep people from accurately searching for you. Skilled d0xers and social engineers like myself can find out who you are just as easy as if you plastered your name and social security number on the front of your house. This is a big technical no-no.
Change Your Speech Patterns
I have d0xed people many times just by analyzing speech patterns and common phrases used by them. Do not underestimate the power of psychology or deductive reasoning skills. Some people possess them, so it is safe to never assume that you are too lucky to fall victim to it.
In Closing
Follow this guide to the bone and you should never have to worry about your anonymity on the internet. You become a ghost, free to do as you like, without anybody telling you not to. If you found this guide useful, please, send it to your friends to help others become anonymous.
Null Byte members are available for chat and discussion via the forums and IRC. Follow the Null Byte Twitter and Google+ for the latest updates.
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
31 Comments
very good guide :) *alex add one more step, hiding part of your face behind a cat xD
Hehe, obfuscating pictures FTW! Thanks, I'm glad you enjoyed :).
Alex(if that's your real name!), your cat knows your real identity and will probably demand daily bribes!
on a serious note: How does one get removed from peoplefinders, whitepages, free people search and similar sites?
The only way I know is to just prevent it, which means never buying services in your name etc. Registering for services with real info leads to the companies selling it to advertising firms (usually). But the opt-out policies are usually stored in the corresponding sites agreement, so you have to refer to those to actually remove yourself.
Did you try to d0x me for the competition? I can't remember if you said I was secure or not..
You were good for a preliminary d0x. Seemed pretty secure, but I didn't go too far in to it. However, you said you had a temporary hole, I trust it is patched now? After that competition, I got really sick of d0xing for people xD. I still get 3 PMs a week asking me to d0x people.
Yea, the hole I had is all fixed up. And I bet you do :p
Haha, great man :). Good to have you back in IRC.
top guide there Alex ;) Really surprised me! Good work :D
Thanks so much! :)
top notch
This is all i've been looking for!!! :D I saw this tutorialheadline a few days ago, I was like"YEEEES ALL I'VE BEEN LOOKING FOR!" but suddenly Wonderhowto Refreshed, and it disappeared xD :D And I'm almost afraid that I'm skrewed... I've used my real full name for almost everything -.- ... But I'll try some things written here! :D THANK YOU ALEX!!! :D You are a true gentleman (vendetta) xD
Thanks for the flattery, man xD. I wrote it so there can finally be a one-stop-shop for staying invisible, so I hope it really helps everyone out :D.
Great article! hanks for the effort to help open people's eyes to these privacy vulnerabilities.
Michael Rexxfield
Thank you :). Much appreciated.
Great Article! I'm going to do all of these, since the Congress has passed the NDAA(National Defense Authorization Act). One question: Do you think U95 (and newer versions) are better than tor? I personally think Tor is way too slow.
Tor is the ultimate tool for security. Tor IS slow...but I guess it's the price we pay. The best way to go would be dual VPNs that are offshore, and you know they don't keep logs. Those would be secure without having to comprimise much speed.
Good luck using the internet with JavaScript disabled. Mby you should start walking around with tinfoil over your head so they can't read your mind either.
Going back to the technological stone-age isn't worth being anonymous.
Or you can enable Java-script on certian websites... look for a program called Noscript for firefox
Yes, thank you Matt. It is a technique called "whitelisting", which allows you to specifically set which sites are allowed to use what, in this case, JavaScript. I found it rather insulting to insinuate that I am paranoid with the tinfoil hat comment. I will ask you kindly, in the future, please refrain from saying something that might be offensive to others.
Also, I beg to differ about JavaScript being more important that anonymity...maybe I need to make an edit and stress more clearly the dangers of having it fully enabled. People can easily record videos of you without you knowing using JavaScript. Personally, I would rather my child not use Facebook over letting them venture to any old website, and have some perv take pictures of them.
I would love to tell you more Kelly. These issues are a real problem for everyone, I would rather not see you brush it off, you're internet safety is a very real thing and I care about it.
I think, as with everything, you need to step away and look at it from an average user's perspective, Alex. You obviously know how these things work, others might not. Hence the tinfoil comments.
People just don't realise how vulnerable they are online. To them, someone being able to look at you via your own webcam is something from a sci-fi film. Or it's just blatant denial, thinking it won't happen to them. And a healthy dose of paranoia never hurt anyone, for the record. :)
The "internet" (very incorrect terminology here) has long since spun out of control, and has done so VERY quickly. No surprise that some people still think they are safe, what they fail to realise is how all of the advances in tech and software are being misused by certain individuals and how easily under certain conditions it can become severely damaging.
You own !
This is a fantastic post! Looking at the length of the post shows how hard it really is these days to remain anonymous on the internet. It doesn't take much at all. Just one mistake and you could reveal your true identity over the internet.
I found a great little Linux Distro a few weeks ago called "Tails" with the latest version being 0.10 which was released a few days ago. Tails is an operating system based entirely on protecting your privacy online. It comes with TOR, encryption packs and the lot. What makes it even better is it wipes the system clean when you shut down and starts fresh at the next start-up.
I haven't had much time to test it out - but it does seem to work well. I'm rather new to Linux so maybe something you could look into? But in regards to a Linux Distro based on privacy - this is basically the first one I've heard of that goes to such extreme measures.
You can download Tails 0.10 here: https://tails.boum.org/forum/Why_0.10_and_not_1.0_/
Wow..this actually sounds promising o.o. I may be stealing some configs and scripts from this distro, at the very least xD.
The problem I see with tails and the tor network is the ability for someone to spy on what you have been doing while on the network
Getting in on the ground floor huh.. Way to keep us all up to date!
Very nice article with excellent content. I have been thinking about the data cache lately more specifically of the db concept 'crap in, crap out'. Say Reddit, if I look at the list of subreddits someone subscribes to I can get a pretty good idea of their age, interests, location, what they do for a living, hobbies, marital status, age, so on. But what if that person uses that concept and subscribes to a number of subreddits that purposely point me in a different direction, say they subscribe to a city in Canada, CFL team, skiing, on and on. While this could be easily figured out through their posts it makes my point that if I add enough bad data at a certain point it then makes the real data worthless or at least worse than the fake data. While I am certain there is an algorithm to decipher which is real and fake, it would make things much harder if you took these two concepts and combined them, even creating a fake real you on FB/twitter/etc. Thoughts?
great write up ;) good job Alex!
Why would you want to maintain that much of high level anonimity if you have nothing to hide? If you believe that a real hacker will have any reason to attack a simple user.... ....it seems like you don't know how things work. A hacker would not be much interested to attack any user without good or maybe great benefits. A lot of the hackers are exposed on the internet and they intentionally allow companies such as apple or microsoft etc to access their "personal" computers. We all know that there is no much of anonimity when you enter the world wide web. With software such as wireshark you can spy on network packages, therefore everything someone sends through that network, can be exposed and known to hackers and all someone can do is simply connect to wify lol... Keyloggers is another way that not even facebook seems to be able to solve. all you need to do is attach one of those onto a picture and voilah!!! lol Speaking patterns? like dude, really? hahahahahahahahhahaha you are going to have to super analyze and literally burn that super computer just to chase around one idiot. Except if that idiot is super important lol. I think the article is good but too much and based on someone's paranoia. If apple wants to know where I am or what am doing.. hey, who cares? another day at home messing around with my computer...
anyways, go back to the big picture and ask yourself why you would want all that..
Cheers :)
Interesting article but was surprised when I wanted to vote up on a comment I am still required to sign in. I was on the internet trying to find out WHY, even when making a simple inquiry, you can't get anywhere without revealing a name, address and phone number. So I'm a senior and grew up in the days of personal privacy and I still don't understand why we are forced to do so when we just want some information, not involving a purchase.
You can always opt-out of Radaris if you are worried about your information ending up in the wrong hands, but this requires specific steps.
If you do this, you have to follow a specific procedure to ensure that your information is no longer available on any page that Radaris controls.
Share Your Thoughts