
Ask HN: How to create an anonymous site? - Murkin
The reasons are plenty, free speech, regulation and even criminal (piratebay?)<p>How can one register a domain anonymously and host a site without anyone being able to trace the owner&#x27;s identity ?
======
patio11
Much like security, you pick your countermeasures in advance in the hopes of
raising the cost of an attacker to penetrating your security. You're not
anonymous. You're anonymous to an adversary with a given amount of
technical/legal/intelligence/etc resources to bring to bear on deanonimizing
you.

People will probably give you links which describe adequate methods for
securing you against adversaries without $1,000 or equivalent amounts of
brainsweat. If that's your adversary, there. May you execute properly.

If your theorized adversary is a nation state, pick another adversary. You're
guaranteed to lose that fight in the long run. If you bid the price of your
identity up to $5 million, they will counter with "We routinely pay that to
kill mosquitoes" and mean that _entirely_ literally.

~~~
Murkin
Obviously there are limitations on both how hard it is for "attackers" to
reach you and how hart it is for "users".

SilkRoad - Was extremelly hard to "catch" but also hard for users (only Tor)

BTC-E - Still identities hidden, easily accessible by users.

Does anyone know how BTCE set it all up ?

~~~
askmike
Not hard to find out, according to their whois you can just email legal @
instra.com to find out..

------
yoha
Don't.

More specifically, if you truly care for anonymity, you won't be using a plain
DNS+Web site. Instead, you should go for Freenet [1] or a Tor-hosted website
[2].

[1] [https://freenetproject.org/](https://freenetproject.org/)

[2] [https://www.torproject.org/docs/tor-hidden-
service.html.en](https://www.torproject.org/docs/tor-hidden-service.html.en)

~~~
herokusaki
What are the technical differences between Tor (hidden services), Freenet and
I2P?

~~~
yoha
Initially, Tor and I2P only pass information from one node to another while
obfuscating it. At either end, you can now what the information is, but you do
not know where it went through. It's basically a tunnel that goes _somewhere_.
It is why you can use Tor to browse the web: you just use it to hide where you
are connecting from.

On the other hand, Freenet is a paranoia-driven network over the Internet
which makes information available and resilient. There is no such thing as a
webserver on Freenet. An encrypted version of the data is sent to some nodes
and passed from one to another. You don't know where the information comes
from, you just get it at some point.

Finally, Tor implemented hidden services. This is almost the opposite of the
initial situation where an user wants to access a known website without being
known. The hidden service is hosted on some node, and you access it through
the "Tor tunnel", meaning that you don't know where the service is. The user
is still hidden by the network too.

~~~
herokusaki
Is any of them good for SSH (MOSH) access to computers behind NAT?

------
igvadaimon
Here are a couple of interesting links:

[http://untraceableblog.com/](http://untraceableblog.com/)

[http://voidnull.sdf.org/](http://voidnull.sdf.org/)

To answer your questions - you can buy domain for bitcoins and use some free
hosting like Wordpress or Github Pages.

~~~
dijit
Domain names can be withdrawn if you supply invalid WHOIS information.

~~~
igvadaimon
But that's not what OP asked for :)

~~~
mosselman
To be fair the OP never asked anything.

------
captainmuon
Besides the technical measures in the other comments, there are a bunch of
other tricks that might be useful. (Please don't take this as advice, but just
as a thought experiment! If I were writing a spy novel, these are some things
my characters would do.)

Find a homeless person, and ask him/her to register a bank account in exchange
for some cash or a meal. Use that account to set up your website anonymously.
You'll find that you need to dirten money if running such an operation -
reverse laundering or taking "clean" money and putting it untracably into the
business. Such a proxy account is a vital ingredient.

Don't rely on Tor alone. It might be completely subverted, you wouldn't know
until it's too late. Buy access to a botnet and route your stuff over it.

Have multiple servers. If you have one single server, its easy to trace.
Either by brute force: the ISPs disconnect/slow down 50% of customers for a
split second, depending on wheter your site went down or not they know in
which half you are, repeat until they find you. There are much more
sophisticated techniques that don't require active interference. But if you
have at least two or three identical servers at different locations, it makes
it a lot harder to catch you. Don't forget tamper-proofing your servers.

Have trustworthy accomplices. Generally, the less people you tell what you are
doing, the better. But if you have a close circle of people you can really
trust, it becomes much easier to pull this off. You can work from multiple
locations, give each other alibis, etc..

Build fake personas. Don't just take a pseudonym, but create fake identities.
Keep records on their interests, their motivations, what you disclosed about
them. The purpose is to throw investigators off. You should be aware of
techniques used by them, such as behavioral analysis, stilistic analysis,
etc.. Working with accomplices can help alot in creating these fake identities
and concealing your own (e.g. writing style).

Go somewhere safe. If possible, move your servers, or even yourself, somewhere
where what you are doing is not punishable, or the authorities can be bribed.

This list could go on for ever... I'm not sure how practical many of these
ideas are, but one thing is clear, you'll need a certain amount of "criminal
energy" to pull this off - no matter whether your intentions are criminal or
not. (Disclaimer: I'm too pussy to actually have done any of the above, so it
may or may not work :-))

------
austerity
1\. Buy BTC with cash

2\. Buy a domain with BTC via Tor

3\. Buy hosting with BTC via Tor

4\. Do not accidentally leak your identity in one of million possible ways

#1-3 are pretty easy, but #4 is next to impossible. If nobody cares about you
there might be some small room for error. But generally it takes one smallest
mistake and you are ultimately busted.

~~~
dlsym
> 1\. Buy BTC with cash

This actually is harder than it sounds.

~~~
sickpig
localbitcoins?

~~~
dlsym
AFAIK sellers often require some data like a verified mobile phone number.

Than there is your registration on localbitcoin. You would need a truely
anonymous email address.

And the site behaves really poorly if you try to use it over tor.

If you do the cash transfer in person, the seller might be able to identify
you.

If you don't do it in person you would have to send it via some money transfer
service.

It is allways hard not to leave traces when you interact with something /
someone.

Edit: As 'austerity' stated: 4. Do not accidentally leak your identity in one
of million possible ways. [...] But #4 is next to impossible.

------
wellboy
The untraceableblog.com below is a great resource.

However, in the end, there is always text analysis though that can give your
identity away, which the untraceable blog does not address.

That's why you possibly need a ghost writer that you provide with a script or
a robot audio recording if you want to go 100% sure. You need to be able to
trust your ghostwriter a 100% though then. :)

~~~
andypants
It is addressed under the section "Word and character frequency analysis".

He runs his posts through google translate to another language, and then back
to english.

~~~
lignuist
Better use Anonymouth:
[https://github.com/psal/anonymouth](https://github.com/psal/anonymouth)

The translation method is not really effective:

> We also show that automated attempts at circumventing stylometry using
> machine translation may not be as effective, often altering the meaning of
> text while providing only small drops in accuracy.

[https://www.cs.drexel.edu/~sa499/papers/adversarial_stylomet...](https://www.cs.drexel.edu/~sa499/papers/adversarial_stylometry.pdf)

------
p4bl0
I would go with a Tor [1] hidden service or an EepSite on I2P [2].

Both are easy to setup and are accessible by anyone using "inproxies" such as
onion.to or i2p.us.

Another advantage is that you can host the sites anywhere even behind a
firewall or a NAT as long as the computer it's hosted on can run Tor or I2P.

I personally have a preference for I2P, since this is its main purpose while
Tor's hidden services are not the primary purpose of Tor (which is to
anonymize users on the clearnet).

[1] [https://www.torproject.org/](https://www.torproject.org/)

[2] [https://geti2p.net/](https://geti2p.net/)

------
tiatia
Take this as a start:
[http://grugq.github.io/presentations/Keynote_The_Grugq_-
_OPS...](http://grugq.github.io/presentations/Keynote_The_Grugq_-
_OPSEC_for_Russians.pdf)

~~~
epsylon
And basically his whole blog:
[http://grugq.github.io/](http://grugq.github.io/)

------
tmikaeld
Maybe someone with experience of such hosting? Like:
[http://www.nearlyfreespeech.net](http://www.nearlyfreespeech.net)

I should add: Goes under US Law, so forget pirating or illegal content.

~~~
computer
Nearlyfreespeech is explicitly not for anonymous hosting. They are just very
unlikely to take anything down without a court order forcing them to do so.

~~~
tmikaeld
They do accept anonymous money and do not keep logs of who you are, but yes,
they will take down stuff based on court order - but so will all public
hosting.

------
xrctl
I think most answers here are over thinking it; I do not think he wants a
website that can defeat the NSA, just one where the service provider could get
subpoenaed and not lead them to him.

So, just buy webhosting with Bitcoin at somewhere that does not require
contact details.

e.g.

[http://www.orangewebsite.com/](http://www.orangewebsite.com/)

[http://bitcoinwebhosting.net/](http://bitcoinwebhosting.net/)

Sign up at the local library to cloak that IP then use tor after that if you
think you will have a dedicated adversary.

------
anongrid
It is not as much creating an anonymous website as it is about protecting the
users (keeping their anonymity) and their content (from prying eyes). A
service can be in plain sight, but if it employs the correct (often needed -
extreme) practices, it can provide its users with this level of confidence. I
happen to be a Co-Founder of such a service :-) www.anongrid.com is an
extremely secure and anonymous content sharing service. still in its infancy
but you're welcome to check it out and see what I mean.

------
evgen
If you need to ask these questions you are not qualified to run such a site,
or at least not to ask anyone else to trust that you are not going to screw up
when setting it up or at some point in the future and break anonymity. The
more you move away from "free speech" to avoiding regulation and toward
criminal activity the greater the chance that someone out there will actually
try to see how good you really are, and then your whole house of cards will
fall down. Seriously, don't.

~~~
yoha
From the way the question was phrased, I think this is precisely for learning
how to do such things. You still need to start somewhere, and as long as you
know you should not take inconsiderate risks, you can screw up sometimes and
learn from your errors.

~~~
patio11
Importantly, you _don 't_ get to learn from your mistakes in "opsec." Dread
Pirate Roberts asked a question about connecting to a tor site using curl on
StackOverflow under his own name. Seconds later he realized "D'oh, that is in
hindsight a bad move." and changed his name to a pseudonym.

Choose your own adventure:

a) He got to learn from his mistake.

b) That incident was recounted years later in the criminal indictment.

~~~
refurb
That was pretty shocking to read in the indictment.

He obviously didn't think it was a serious issue at the time, but jesus, could
you imagine how it felt to read about that one mistake years later? Makes you
wonder what you have left online that might bit you in the ass years from now.
I know i certainly couldn't run for office now!

------
cturhan
Use subdomain on any known websites like
[http://anonymous.wordpress.com](http://anonymous.wordpress.com) ?

------
bdcravens
Depending on what you're trying to accomplish, couldn't you drop content on
the blockchain? Not a traditional website, but relatively anonymous (depending
on how you move the coin), and more importantly, it can't be seized or taken
down (kinda scary when you think about the potentially implications for
everyone who downloads the blockchain)

------
gesman
Launching and maintaining fully anon site is close to impossible. And maybe
not worth a hassle depending on your purpose of course.

Instead - register Twitter nick and link your tweets to pastebin or similar
repository where you'd post something worthy of reading.

Use Tor for all above.

------
rjzzleep
if you host it yourself, don't forget to clean up your access logs. you might
want to actually fill them with invalid data, rather than completely deleting
them.

------
thesorrow
What is really hard is to have a secure (SSL) anonymous website with a valid
SSL Cert.

~~~
elementai
That's actually not so different from usual way. Matter of trust is generally
hard.

~~~
elementai
And, one can use tools like "Certificate Patrol" (Firefox addon) to ensure
cert isn't changed.

------
kungpooey
For how long? Get a dyndns pro account, laptop(s) and host the site from
multiple coffee shops. I didn't give this much thought, internet advice eh.

~~~
xauronx
I always thought it would be neat to create a raspberry pi server and throw it
in the ceiling tiles of a hotel with free wifi. Setup some kind of routing to
the IP, and let it go.

