Anonymity is something that doesn't exist today. Everything you do in the world is tracked, from the purchases you make to surfing the internet—even taking pictures on your iPhone. Everything you have ever said and done on the internet is still there—somewhere. This is called caching. For example, when a site is down, you can view its cached page on Google.
Even if this data was not stored and got deleted, it would have been written on a hard drive, which means it's vulnerable to file carving and data recovery. No matter what you do, something about you will be on the internet. If you buy a house, get married, even if you die, something pertaining to you will reside on the net. The information is in public records everywhere and can be found with a simple Google search.
This guide is for everyone—everyday web users and black hat hackers alike. And it's intended to educate on the importance of practicing anonymity and using security on the internet.
Let's face it, trolls exist on the web and we are bound to make one of them angry. This could be the biggest mistake you've ever made. If you have a username that can be Googled and your Facebook page pops up, someone can find out your real name. This can prove to be big trouble for you. A troll can have his cronies and followers all DDoS you in some form. Spamming your home with phone calls, getting nasty letters, and having your home network directly attacked can be a result of this. Your personal information would be everywhere, causing a huge strain on your life. This is referred to on the internet as a d0x.
Everyone is a potential target. But don't worry, there are ways that you can mitigate these chances, or even remove them completely, depending on how much damage you may have inflicted to yourself. This guide is here to teach you how to live a normal life on the internet and operate normally, but stay secure and keep your information and dealings safe from prying eyes. There are a million reasons to want to keep your internet biddings seperate from your real life ones. You have a right to anonymity.
It depends. If you use the same username and use your real name on any website whatsoever, you can be easily exploited. Here are some habits and activities that are bad ideas when practicing anonymity.
- Social networking sites—These reveal all sorts of information. Most commonly, people will list birthdays, post pictures of family, list contact information and phone numbers, and show their real name. This is dangerous and sensitive information to make public. Just imagine the people you wouldn't want to possess this information. Social networking sites post this information publicy, and some of you may not even know. This is not the best stuff to have visible to the public.
- Committing crimes—Not only is commiting crimes wrong, but you end up getting arrested, and that leads to your name in a news article. This makes a huge irreversible footprint on the internet. You will be searchable via many online databases. The bottom line is: try not to divulge in anything illegal.
- Keeping a blog—If you maintain a personal blog as a journal, you're posting all of your private information for the whole world to see. You may want to re-assess what you are doing. Is a blog really that important to the point that you might let strangers know things they shouldn't know about you? Exposing a window this personal into your life is practically begging for a creepy disaster. This should be avoided at all costs for the sake of anonymity.
- Posting public comments—Bear in mind when you post to a public board, that comment will be viewable through a search engine. A lot of you post private information publicly, thinking you are safe because you hide behind the usename haxx0r9000, but if you use a Facebook with a real name that holds the URL https://facebook.com/haxx0r9000, you're pretty much out of luck.
- Public phone records—Having a number reachable just by searching a name is bad news. Stick with prepaid phone services. You can get a Motorola Droid on a prepaid plan, so how can you complain?
- Making purchases with credit cards—You can't rely on the security of someone else. For example, say you buy something on an online auction site and store your credit card information there. If someone hacked their network, who knows if the information would be encrypted. All of your personal information, credit card numbers, and even your purchase history would be available to the hacker. Same would hold true if a business didn't shred sensitive paperwork. An alternative would be to withdraw cash from an ATM.
For perfect anonymity, you will likely need to start over from scratch. We need to take care of our old accounts. Prior to doing so, flood it with inaccurate information. This will ensure that if the information is ever recovered, it will be really hard to determine which data is correct and which isn't.
Methods of Flooding and Secure Deletion
- Fill your mail inboxes with mailbombers. This will flood the caches and makes sure the sensitive information is overwritten. Bomb yourself using one of the many email bombers around the internet. They are easy to use.
- Upload random pictures of other people found on Google. This will make it hard to determine who an account belonged to.
- Change your information for given accounts to innacurate nonsense. This will also aid in removing the link to you in real life.
Delete all Prior Social Networking Sites and Accounts
Delete Your Account is a great site to help delete any major (or minor) scale account that you may own on the internet. You can search alphabetically for sites like Facebook, Reddit, Monster, Hotmail, Google, etc.
Adversely, if you feel that you must keep your accounts, it is up to you to delete pictures, videos, comments on others' profiles, etc. to get some degree of anonymity. I would never recommend doing this for someone who wants complete anonymity.
If you have residual information left over in Google's cache, as we have stated previously, you can get rid of it by removing it with this request form. It is worth it if you want your anonymity. Once you are sure that your online presence has been deleted and you are ready to start from scratch, proceed.
Get a Solid State Drive
Scrap your hard drive. If we are talking about having perfect anonymity, it's the only way to make sure. An ideal solution would be to use a Solid State Drive (SSD). SSDs are impervious to file carving and data recovery unlike Hard Drive Disks (HDDs), because SSDs use flash memory. In laymen's terms, bits of the data are not retained after deletion on SSDs, the data is immediately released and gone forever.
If You Have to Use a HDD, Use a Virtual Machine
On the other hand, regular hard drives use an actuator arm inside of the hard drive to polarize the platter with a magnetic charge (positive or negative). These translate into the binary 1's and 0's that create our computers. On a standard hard drive, leftover fragments of files can be easily restored to their previous states.
If the price of SSDs are too much for your budget, and you are forced to use a normal hard drive, a trick to keep your operating system from storing any sensitive data is to have a host computer, and then create a virtual machine within it. Use that as the actual computer, and if you need to make sure information from your computer can't be recovered, securely delete the files and they can never be recovered. This is because the data is written over multiple times to damage the ability to read and recover it.
Drive and Data Encryption
To protect yourself locally before you even get on a network, drive encryption is a good idea. Encryption obfuscates data so it is unreadable—unless a passkey is supplied that matches the hash found in the encrypted data's header. When the passkey is entered, the data is decrypted and readable. To learn how to encrypt your hard drive, check out this Null Byte.
You need to create a new email that has nothing associated with you in real life, and nothing to do with your former internet handle, as this could lead to your information being traced to your new identity. Names such as "jparker1983" says a lot about who you are.
What if the Email Service Requires a Phone Number to Activate?
If the email address you create requires a phone number, as they often do, set up a free forwarding phone at iNumbr. This will allow you to essentially hide your phone number. After you set up an account, iNumbr calls your phone and the target number. It bridges the two calls, effectively masking your phone number.
Get into the practice of creating a new email for everything you use, for ultimate anonymity and safety. This will:
- Prevent single email accounts from being stolen (if, by chance, it ever does happen), which in turn will cause you to lose access to all of your accounts because of it.
- Keep personal contacts, business contacts and internet only contacts separate. This separates people you know in real life, to people you may not trust enough to mix in with your personal friends or associates.
- Keep things organized.
- Allow you to use a test email for sites that may spam you, but require an email address.
This is an internet security must. A good password does not mean creating a string of text that someone else will not think of. There are many things that go into creating a good password. However, not only does creating an algorithmically strong password matter, but how you manage them also does. Null Byte created a guide a while back on doing just this.
Good Requirements for Creating a Strong Password
- Greater than 20 characters.
- Full use of ASCII characters.
- Never use the same password twice.
- Never answer security questions accurately, they just allow another way for an attacker to get in.
- Click Preferences.
- Click Content.
Use Tor to Mask Your IP Address and Encrypt Your Traffic
You can also use the Tor bundle and have a standalone browser that can be securely deleted at any time. It also will encrypt your traffic and mask your IP address (your unique ID on the internet). This makes your traffic unable to be sniffed or searched, even by your ISP. Your IP also becomes safe from people who you don't want seeing it (or whatever reason you want your IP to be hidden for).
We have a few solutions at hand. Encrypting traffic and spoofing our IP protects our identity from websites. This also protects us from people sniffing our traffic when browsing away from home.
Spoof Your MAC Address to Make Yourself Anonymous on the Network
First and foremost, you need to spoof your MAC address if you are using a connection away from home. This will make your computers burned-in address spoof to one that you specify. With this in practice, we will be protected from other users on the network, and the router. It will also make sure our MAC address can't be traced back to our person (because if it was bought with anything other than cash or prepaid, they know exactly who you are) . If someone sees your MAC address Windows users can use this guide here. If you are running Linux, enter the following command in the Terminal:
sudo ifconfig wlan0 down && sudo ifconfig hw ether 00:11:22:33:44:55 && sudo ifconfig wlan0 up
Encrypt Your Traffic with an SSH Tunnel or a VPN
You need your traffic to be safe from traffic analysis when using Wi-Fi away from home. The simplest solution is to set up a home SSH tunnel. This will encrypt, and then forward your traffic back to your home computer before sending it to its destination, which protects it. An alternative solution that can cover all ports on all platforms would be to use a VPN. These anonymizing solutions can also protect you at home when you want to access a website while masking who you are and where you are from. I recommend trying to get Eastern block VPNs from countries like Asia. The United States has no jurisdiction there, thus, logs cannot be obtained.
If you are in a circumstance where you absolutely need to use social networking sites, there are a number of things that can go wrong, so you will need to be careful. Any social networking site that you own must use fake information to maintain anonymity.
Don'ts for Owning a Social Networking Site
- Do not use real information of any kind. No names, no address, no anything.
- Do not upload real pictures of yourself (or do as I do, use an obfuscated picture of yourself. However, do not include your nose and eyes together, that triangular area on your face is what makes a brain recognize a face easily).
- Do not talk to strangers. Only talk to family and personal friends who know you and your alias. A stranger that you confide in could wind up leaking your information.
- Do not post in public comments.
- Do not display a phone number.
- Do not display your email.
- Do not let Twitter or anything else expose your location. Make it a habit to check application settings to make sure it isn't posting information of yours anywhere without your permission.
How can I Test my Anonymity?
There are a number of free services that exist on the internet for you to use at your disposal to aid you in getting personal information on yourself, or others. Even when you have only a little to begin with, you can get a full d0x on someone.
- Pipl is a search engine that searches non-indexed web pages, as well as indexed, for common usernames, email addresses, phone numbers—even name and location. This is an immensely useful tool. You can look a person up via email, name, number, or other information.
- Tineye is an advanced, reverse-image lookup tool, whereby you can take an image on the internet, then find sites that have the same image in it. A helpful tool, if you weren't getting anywhere with a d0x. If the person uses different usernames, has a fake name on their facebook, and sets it to private, you can take their default picture, and find other sites that the picture is on. Since people most commonly use the same default profile picture, you will likely end up with another social networking site, that can perhaps reveal more information.
- Archives (Disclaimer: This is probably frowned upon). This little gem of a site is one I found that's got quite the interesting flaw. They have real records of peoples' employers, phone numbers, previous residences, family trees (even kids), arrest records, newpaper articles that the person has been mentioned in, and more. This is a PAID service. But don't be alarmed, I said it had a flaw.
Exploit Archives Purchasable Services
- Go down to a gas station or Walmart, and buy a prepaid debit card, spend the money on something you actually want.
- Make an account on Archives (use a new spam email, they send boatloads of the stuff). Search the user and buy records of choice. Even if you have no money on the card, the transaction goes through and they give you the records. The website has a mechanism that retries a card number if the transaction fails, and gives it about 30 minutes. So you can go nuts for a little while and "buy" what you need. It's a great little glitch, but after that, they ban the card from use on the site (this was personally found and tested by me.)
If you need to use your phone number online for business or Craigslist ads and such, you have a couple pretty good options available to you. My favorite option is to use Google Voice. With Google Voice, you can operate even better than before.
Features of the Google Voice App
- Forward calls to your home phone.
- Make calls with your home phone appear to come from your Google Voice number.
- Archive logs.
- Text message.
- Ability to change your phone number and infinite amount of times.
Don't worry, you can keep it. You do need to make sure location options are turned off, though. By default, I know the iTouch stores your GPS location on every picture you take. If this were ever on the internet, you could examine it in hexadecimal to find the coordinates.
Windows file explorer even supports reading the GPS location in its properties view.
If you don't want anyone reading data passed through on your phone, you might want to get rid of your phone completely. iOS and Droid have been proven to track everything you do. They can even expose data when on an HTTPS connection.
This can also be done! Anonymous spending isn't as hard as you would think. To spend anonymously online, we first must purchase a prepaid debit card and activate it. They can be found at any gas station or supermarket.
Care dos and
- During activiation DO NOT enter your social security number.
- Pay for the card in cash.
- Do not register the card with any of your real information, such as address and name.
For added anonymity, you may want to use Tor to anonymize your traffic and spending accounts, not just who is spending the money.
Spending Money on the Internet
- Open up a PayPal account with a fake name, address, etc. Make its information match the fake stuff that you entered when registering the debit card.
- Create an eBay account with the same information. This will be your spending and receiving account.
- Purchase something on eBay with your new PayPal account, and have it shipped to a friend's house under your fake name (to avoid the question being asked, packages are delivered according to address, not name).
Receiving Money on the Internet
- Sell something on your fake PayPal account.
- After you receive payment and mail the goods, have your real PayPal and eBay accounts post an ad for a piece of paper.
- Sell the paper for the amount of money the goods were sold for to your fake account. This allows for a nice, natural-looking transfer. Anonymous.
Eventually, someone will want to find out more information about you. Means such as social engineering can give this "someone" the information about you that they want. A person may contact you directly or go through your friends and social engineer them. The below list of rules should be held onto with your dear life.
Try not to Talk to Strangers
Your first concern on the internet should not be to make friends. Having online friends is a security risk that I do not advise taking. Also, how do you know that you can trust them in the first place? Only do this if it is a must. Remember, it is your own fault if you don't cover your own back!
Don't Divulge Personal Information
Don't give any real information, such as location, DOB, names, etc. Give legitimate sounding info. Come up with your own new life story and this will keep people from accurately searching for you. Skilled d0xers and social engineers like myself can find out who you are just as easy as if you plastered your name and social security number on the front of your house. This is a big technical no-no.
Change Your Speech Patterns
I have d0xed people many times just by analyzing speech patterns and common phrases used by them. Do not underestimate the power of psychology or deductive reasoning skills. Some people possess them, so it is safe to never assume that you are too lucky to fall victim to it.
Follow this guide to the bone and you should never have to worry about your anonymity on the internet. You become a ghost, free to do as you like, without anybody telling you not to. If you found this guide useful, please, send it to your friends to help others become anonymous.
Want to start making money as a white hat hacker? Jump-start your white-hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.