
Ask HN: Critique My Paranoia - thrwyparanoid
Hello HN. I have a procedure I&#x27;d like to use for accessing the internet in a completely anonymous way. Please critique my method ruthlessly.<p>Step 1: Travel at least two hours from my address, preferably in another state, and purchase a burner laptop with cash and not in sight of any cameras. Also purchase a large capacity SSD and USB.<p>Step 2: Travel at least two hours in another direction and purchase Amazon, Best Buy or Starbucks gift cards from a small third party shop.<p>Step 3. Take the burner laptop to a remote coffee shop and use the Wi-Fi, again in sight of no cameras. Download Whonix and use the gift cards to redeem bitcoin and a VPN, making significant attempts to ensure the chosen VPN does not log.<p>Step 4: Wipe the burner laptop and install the copy of Whonix. Immediately set up the VPN and set internet access to immediately fail and shut off if the VPN or Tor fails. Launder the bitcoin several times.<p>Step 5: Put a piece of paper over the laptop with a checklist to review every time I go to open it, to remind myself of the various compartmentalization checks.<p>Step 6: Create many different burner email accounts. Use a new burner email address for every website. User a novel username and password for every one.<p>Step 7: Only access the internet using cafe Wi-Fi and other networks not tied to myself.<p>Is this sufficient operational security to remain totally anonymous against every reasonable threat save for an extremely motivated nation state?
======
scholia
You might still be tracked by device fingerprinting

[https://en.wikipedia.org/wiki/Device_fingerprint](https://en.wikipedia.org/wiki/Device_fingerprint)

Also, I guess you'd have to make sure you used a VPN that didn't keep logs...

~~~
thrwyparanoid
Great point. I'd probably have to use ad-blocking software, Ghostery and even
then do manual oversight on all outbound requests. I could use a sophisticated
proxy to do this on the fly when necessary.

------
bediger4000
Instead of traveling hours out-of-state to buy a laptop, how about buying one
used, maybe from a pawnshop or a garage sale or one of those one-man-show used
computer stores? Its possible that pawnshops have cameras on all the time, but
anything in it is likely to be, maybe not "hot", but disowned with extreme
prejudice. You'd be putting a cut-out between yourself and the purchase of the
laptop.

The Step 5 checklist should include setting a random hardware address for the
wireless card or ethernet port. Maybe you can obtain MAC addresses using nmap
in one coffee shop, then use them in another shop.

Step 7, get a USB wireless that lets you put a directional antenna with high
gain on it, so you can actually be some distance away from the coffee shop,
library, etc while you use it.

~~~
thrwyparanoid
Excellent points...spoofing a MAC address and using an antenna would make
things safer and easier. Thanks.

------
brudgers
There are a lot of things more wrong than black hatting and the drug trade,
and this smells at least like something illegal given all the concern about
cameras.

My critique, put your energy toward something that you are comfortable being
associated with instead.

Good luck.

------
Mz
_Step 7: Only access the internet using cafe Wi-Fi and other networks not tied
to myself._

I spend a lot of time in libraries on public computers or on public Wi-Fi.
Their policies often state up front that there is no expectation of privacy,
that staff can check up on your activities if they have reason to do so. I
have not paid much attention to policies at, say, Starbucks, but I wouldn't be
surprised if they have similar policies. Furthermore, my understanding is that
Wi-Fi has pretty big security holes compared to a landline. Plus, if you are a
regular, people will recognize you.

I gave up driving years ago and I walk everywhere. This is bizarre and
noteworthy behavior in the U.S. People stop me and talk to me and say "I see
you walking All The Time..." The degree to which people in cars notice me,
recognize me and feel not only free but compelled to speak to me is downright
creepy.

So I will suggest that if you spend time very regularly in cafe's using their
Wi-Fi, etc. people will not only recognize you, they will feel friendly and
curious and like they have some goddamn right to grill you about your life and
why you are there all the time and so on and so forth.

I also agree with AnimalMuppet that the lengths to which you are willing to go
in order to be "completely anonymous" raise enough red flags that someone, at
some point, will take an interest in tracking your ass down and that "someone"
may very well be a government agency. So while I get annoyed at how humans are
wired and how they conclude they have some goddamn right to grill me merely
because they fucking recognize me when I have no clue whatsoever who they are,
beyond being annoyed as hell at the whole thing, I don't really need to worry
too much because walking everywhere isn't actually a crime, no matter how
bizarre and eyebrow-raising it is. But I cannot imagine any reason to go to
the lengths you want to go that don't involve serious crimes and most other
people will be far more critical of your motives than I am. I am pretty live-
and-let-live. On average, other people are much more judgey, butt-in-sky and
controlling than I am. So you can bet dollars to donuts that most people will
assume you are up to something incredibly evil and that suspicion will fuel
their interest in grilling you, tracking you down, etc.

~~~
Nadya
_> The degree to which people in cars notice me, recognize me and feel not
only free but compelled to speak to me is downright creepy._

If you are in a public location they have every right to attempt to speak to
you. Likewise, you have every right to ignore them. At that point - they're
being dicks if they do this - but they have the right to continue to try and
speak to you. I believe there is a legal extent where this can be deemed
harassment but until that point - they have the right to speak to you. I think
the legal point is you explicitly telling them to leave you alone, at which
point you can contact authorities. Acting uninterested or ignoring them is an
implicit message but is not enough, AFAIK. (IANAL)

 _> This is bizarre and noteworthy behavior in the U.S._

You answered why people feel compelled to speak to you and I'm sure you're
aware of this. You follow a bizarre behavior. Want to be ignored? Don't stand
out. People who stand out get noticed.

Also, legitimate question, how do you expect people to make new friends? Let's
go under the following assumptions:

    
    
      1) Nobody has a goddamn right to speak to you.
    
      2) Likewise, you have no goddamn right to speak to anyone else
    

You can see how that would be problematic for meeting new people and doesn't
really jive with most humans (and most cultures) being social?

I'm all for being anti-social and wanting people to leave you alone,
especially if you're doing lawful-even-if-bizarre behavior. But to have an
expectation that in a social culture in a public place that people will leave
you alone seems a little out of touch.

~~~
Mz
The detail you are missing is that there is a huge element of classicism. I
walk everywhere. The people stopping me to chat me up are people who drive
everywhere. They assume I am poor, which happens to be accurate at the moment
but it is not why I walk. They recognize me. I do not recognise them. This
creates a power imbalance.

I walk everywhere because of my medical condition. Your advice to not be
different if I want to not stand out is one I am, in some sense, fundamentally
incapable of complying with.

I am not actually antisocial. But I do see something incredibly problematic in
the assumption, that you apparently agree with, that if I do not comply with
the car owning cultural standard, other people have some right to butt into my
life on grounds that I deserve it for the crime of being weird. I don't agree
with you. Furthermore, given the default assumption that no car = must be
poor, it is an abusive exercise of power to grill me and expect me to answer
your questions.

Speaking to people does not by default have to involve butting into their
lives in an offensive and fundamentally disrespectful fashion. Real friends do
not start the relationship by pissing all over you.

~~~
Nadya
_> I walk everywhere because of my medical condition. Your advice to not be
different if I want to not stand out is one I am, in some sense, fundamentally
incapable of complying with._

You admitted yourself that the behavior is bizarre for the society you reside
in - that's enough to stand out. I'm not saying you're in a position to change
your behavior or even that you _should_. But you seem to be aware that it goes
against social norms and attracts attention. Yet you turn around and act
surprised and disgusted that it does. That seems disconnected to me.

 _> But I do see something incredibly problematic in the assumptioin, that you
apparently agree with, that if I do not comply with the car owning cultural
standard, other people have some right to butt into my life on grounds that I
deserve it for the crime of being weird._

Putting words in my mouth. What I do _agree_ with is that _people have the
right to speak to you_ and it is _expected_ when in a public place within a
social culture. I simply disagree with your social expectations and consider
it more harmful to promote an isolated society over one where an occasional
intrusion is beneficial. They can be irritating to an individual at times, but
promoting a standard of isolation and ignoring other's is not something I can
agree with.

Yesterday, the power was out in my town for scheduled maintenance. I went over
to my neighbor's house to ask if they were busy. Did I have any right to know
if they were busy or not? No, how rude of me. They politely told me they had
nothing to do and were waiting for the power to come back on. I did the
oppressive act of asking them if they would like to play Chess until the power
came on. Did I have the right to butt into his life like that? No, but he
agreed to pass the time. In the end we enjoyed several hours of Chess until
the power came back on.

What I should have done is sat in a pitch-black house for 3 hours because I
have absolutely no right to trespass onto private property to commit the
_revolting_ act of speaking to someone. I'm a terrible person for asking them
to essentially be my _entertainment_ while the power was out. I'm also an
asshole for discriminating by age and suggesting _Chess_ of all things,
because I assumed a 70 year old man would be more familiar or willing to play
Chess than Cards Against Humanity or some other time waster.

Perspective matters. Your story made it seem like you felt you were being
grilled because people were even _trying_ to speak to you, you assume, because
you are walking and that is bizarre. If you want to give it a narrative or
illustrate how they were acting classist - _what_ they say is a lot more
important than the mere _attempting to speak to you_ part.

I don't agree that we would live in a better society if we ignored one another
because we don't have explicit or implicit (ie: being at a social place like a
bar or club) permission to speak with someone. Sometimes both parties benefit
from unsolicited discussion. Other times one party gets annoyed. It's a trade
off - and one I see as worth making.

~~~
Mz
You are completely misunderstanding me and, at this point, I feel like you are
intentionally twisting my words. I will try one last time to clarify and then
I am done:

If you drive everywhere and you visually recognize a person simply because
they walk a lot:

A) It is inaccurate to assume you are "acquaintances." The odds are very poor
they recognize you. Seeing me repeatedly as you drive past absolutely does not
establish a social relationship of that sort.

B) Driving up to a pedestrian, rolling down your window and bombarding them
with personal questions is asshole behavior. (Asking directions is okay.)

C) Assuming that someone is poorer than you, even with reasonable cause, gives
you no right to walk up or drive up to them, pepper them with personal
questions and expect them to politely answer. It is classist in a really ugly
manner.

Furthermore, your replies to me here are personally intrusive and it is off
topic. I commented on my personal experiences to make a particular point
relevant to the question that was asked. That is not an open invitation for
you to question me about my personal life or judge me.

I had two main points: 1) Repeated exposure can cause people to feel an
unwarranted sense of familiarity and social bonding that has no basis in
reality. 2) Doing something out of the ordinary, no matter how innocent or
innocuous, tends to attract interest and/or criticism. --> Those two things
can combine in a way that gets really problematic if, like the OP, you do not
want people butting into your life.

I am done. I would appreciate it if you would drop it.

------
AnimalMuppet
> purchase a burner laptop with cash

Easy.

> and not in sight of any cameras.

Almost impossible, unless you're buying from a fence. Laptops are high-value
items; almost every place that sells them has cameras on the area where they
are sold.

> Is this sufficient operational security to remain totally anonymous against
> every reasonable threat save for an extremely motivated nation state?

You go to those extremes, and you're likely to motivate a nation state...

~~~
thrwyparanoid
Two considerations:

1\. I personally know of a large electronics chain that does not have a
functional camera pointed at a register you can purchase a computer at. While
the rest of the store does, I could try to think of ways around that and bring
bags in my jacket that are opaque.

2\. I could try to innocently go to the store on Halloween with a reasonable
pretext for keeping a mask on in the store.

~~~
bhouston
Use an intermediary to buy the laptop for you in cash.

------
auganov
Why not get a prepaid data card? Using tor on a public wifi is suspicious
enough.

If you're okay with disabling http (and all plaintext protocols really) then
you're better off just using tor instead of a VPN. Keeps the trail of ip
connections more distributed. If not you want to make sure you disable them
during the process of buying that trusted VPN/S.

~~~
thrwyparanoid
I have no experience with prepaid data cards. Can I purchase these in cash
(easily)? That's a good strategy if so.

~~~
auganov
[http://prepaid-data-sim-card.wikia.com/wiki/United_States](http://prepaid-
data-sim-card.wikia.com/wiki/United_States) They will all take cash at retail
locations, the only thing is you want to double check that they won't ask from
an ID.It's not a requirement but it seems like some will ask. I was asked for
my passport when I was in states couple of years ago. Maybe somebody can chime
in.

------
giaour
Instead of buying burner laptops, buy commodity parts and build your own.
They'll be much harder to trace.

Also, keep in mind that the police are much more likely to find you by talking
to people than by tracking your online footprint. So you should also fake your
own death and never talk to another human again.

------
mszyndel
What about using Tails instead of Whonix? I think all this travel makes it
easy to spot you on cameras (traffic, random street cams, etc) which may help
to identify.

I would go of less travel (maybe buy everything in close distance but far
away/unconnected to your main residence)

~~~
mszyndel
Also, unless you took all of those security precautions when publishing here,
your cover is already blown. Have a nice day!

------
wingerlang
Is this something you do on a regular basis? Do you do something "high
profile" when you do this? Or do you do it everytime you access internet?

~~~
thrwyparanoid
No, I don't do this all the time. I didn't even make this throwaway account in
an obfuscated way.

This procedure will only be used for things that I really don't want traced
back to me. I'm not a blackhat or drug dealer, but I'd still prefer these
activities not be associated with me.

The only tedious bits are preparing the burner laptop's OS for
compartmentalization and encrypted/anonymous internet connection (both, not
one or the other). Once the machine is set up and I have a suitable amount of
bitcoin and the VPN set up I don't need to repeat those processes for months
or a year.

However, I really like the idea of getting prepaid data with cash and
exclusively using a mobile hotspot. I also like the idea of simply building a
computer for this purpose and buying all the components separately.

------
RexRollman
You should visit the Friday Squid posts on Bruce Schneier's blog. There are
often good conversations about this kind of thing.

------
rmah
All that travelling is pointless, they will simply track your car.

