Welcome back, my rookie hackers!
"How can I travel and communicate over the Internet without being tracked or spied on by anyone?" It's a question many Null Byteans have asked me, so I have decided to write a comprehensive article addressing this issue.
There are a multitude of reasons for wanting privacy for communications on the Internet. I think it goes without saying that every human being has an inherent right to privacy. In our current technological state of surveillance, this right to privacy has been severely compromised. Google, the NSA, and GCHQ are all spying on our private communications.
Furthermore, I believe that we have a right to free communication and uncensored communication. Many nations and companies limit what sites its citizens and employees can visit and view. In some cases, if they do go to certain sites, they are immediately suspected of criminal or anti-government activities (often those two are conflated). In these cases, browsing the Internet anonymously can be a matter of life and death.
Take back your right to privacy on the web by using some or all the technological fixes listed below. Most of these technologies will provide you with some level of privacy on the Internet, and one option in particular can get you almost total privacy (nothing is absolute, but this solution is the best available).
Remember, encryption is your friend.
The Onion Router (Tor) is a specially designed Internet routing system that routes traffic while encrypting the IP address of where it came from. To enable routing, only the last and next IP addresses are available at each hop. The original and all other hops along the way are encrypted and can only be decrypted by a Tor router.
Tor can evade detection from nearly everyone except the most powerful state-owned surveillance machines. Even then, the NSA has some challenges in breaking Tor, but they have and still can. In general, Tor is safe for most traffic, but if someone or some agency wants to spend the time and resources to watch you, they can and will.
Using proxies is a tried and true method of obscuring your identity on the Internet. Although your traffic is not encrypted and can be sniffed, the traffic cannot be attributed to any person as the proxies use their IP addresses rather than yours. Of course, this does not prohibit your traffic being tracked by your cookies.
As the name implies, a virtual private network, or VPN, is a private way (encrypted) to connect over a public network (Internet) to a private network. It requires an authentication mechanism and then encrypts all the traffic between the client-to-server or peer-to-peer communication. It can encrypt all communication including the control channels, making it very hard to crack or identify the user.
You can access private VPN services where you will connect to their VPN server through an encrypted tunnel and then browse the Internet with their IP address. All of your traffic appears to be from their IP address and your communication to the service is encrypted so the traffic can not be traced back to you.
By default, VPN capabilities are NOT included in Kali, but I will be doing a tutorial on installing and stetting up VPN services on Kali in the near future.
Often, people want to chat or use voice communications over the Internet. Both can be intercepted and read. There are at least two technologies available to encrypt these types of communications that makes it very difficult to intercept and read.
For Internet chats, CSpace is among the best. Like so many of these technologies, CSpace relies upon encryption. CSpace uses a 2048-bit RSA key for authentication and each user has a unique public key to identify themselves. Users are only identified by a hash of their public key on a central server. All communication is encrypted with TLS (Transport Layer Security). You can find more information about CSpace here, though, it is no longer in active development.
If the members of Anonymous had been using this service, many of those now serving time in prison (Jeremy Hammond received a 10 year sentence for hacking Stratfor and releasing the information to WikiLeaks) would still be free.
For VoIP, consider ZRTP for private voice communication. ZTRP is an open-source (thank the heavens for open-source developers) technology for VoIP communication that authenticates both ends of the communication with Diffie-Hellman and then encrypts the communication with a pre-shared key and salting.
For those of you not familiar with cryptography and password-cracking, salting makes it more difficult for a third-party to break the encryption. This technology (ZRTP) was developed by Philip Zimmerman, the same guy who developed PGP and a longtime advocate for privacy rights (Zimmerman fought the U.S. government all the way to U.S. Supreme Court when the NSA demanded a backdoor to his PGP). As a result, I have a lot of trust in ZRTP.
ZORG is an implementation of ZRTP and is available on the Android, BlackBerry, iOS, Linux, Mac OS X, Symbian, and Windows platforms.
When Edward Snowden released confidential NSA documents in 2013, we got some insights into this super-secret snooping agency. In one of these documents, the kindly folks at the NSA rated their ability to snoop on communications when users were using any number of different anonymity technologies. On a scale from 1 to 4, 1 was the least difficult and 4 the most difficult.
According to the NSA, the combination of Tor, a VPN, and either CSpace or ZRTP basically blinds, so this combo received a 4 rating. In their own words, the "good" folks at NSA described these circumstances when trying to surveil users combining these technologies as "near-total loss/lack of insight to target communications, presence."
I am very reluctant to use any proprietary, commercial product for purposes of maintaining anonymity. The reason is that these companies easily bow to pressure from state authorities to enable snooping on their networks and products. Although not perfect, open-source products are more likely to give you a greater level of assurance for maintaining your anonymity and privacy.
Keep coming back, my rookie hackers, as we explore the arts and technologies of hacking!
Want to start making money as a white hat hacker? Jump-start your hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from cybersecurity professionals.
Other worthwhile deals to check out: