
Going dark: online privacy and anonymity for normal people - danso
https://www.troyhunt.com/going-dark-online-privacy-and-anonymity-for-normal-people/
======
sixhobbits
I'm surprised he doesn't mention NoScript, Privacy Badger, etc. "Normal
people" should be more concerned about the highly detailed profiles that
companies are building based on browsing habits. "Normal people" read about
data breaches and embarrassing leaks that force politicians to resign. "Normal
people" know nothing about the behind the scenes tracking that goes on when
you google medical symptoms[0] or visit pages which have Facebook like buttons
as footers[1].

Yes, this article is targeted at people who don't understand the problem of
using their .gov email address to sign up for dodgy sites, but think about
whether you'd rather have your bank statement made public or a large,
visualizable data set representing most of your browsing history.

I would love to see more work done on privacy through noise/obfuscation, such
as that started by AdNauseam[2] and TrackMeNot[3] - not necessarily publishing
your credit card details online as suggested in another comment here, but in
making random search queries and clicking on random ads when your device is
idle. Most of us have sufficient processing power and bandwidth for the
overhead not to be a problem. It's sad that it looks like both add-ons have
failed to make a splash, and seem to have fallen out of active development
(end of 2015 marks the last commits for both projects, which is too soon to
pronounce them dead, but they definitely don't seem to be hives of activity).

[0] [http://motherboard.vice.com/read/looking-up-symptoms-online-...](http://motherboard.vice.com/read/looking-up-symptoms-online-these-companies-are-collecting-your-data)

[1] [http://www.allaboutcookies.org/cookies/cookie-profiling.html](http://www.allaboutcookies.org/cookies/cookie-profiling.html)

[2] [http://adnauseam.io/](http://adnauseam.io/)

[3] [http://cs.nyu.edu/trackmenot/](http://cs.nyu.edu/trackmenot/)

~~~
INTPenis
I do a lecture at local hackerspaces about basic security for the common
person and anonymity is far down on the list.

Much higher on the list is basic protection from dangers on the internet,
like browser based exploits. So Noscript is one major selling point for
Firefox due to most browser based exploits using Javascript. Even if you
whitelist all the sites you're still more secure with noscript than without
simply because it blacklists the unknown sites you don't know about, the ones
that e-mail links open or pop-ups force your browser to load through various
tricks.

~~~
coldpie
I wonder if there's any demand for a pre-built whitelist for NoScript that
includes stuff like Amazon, Google, Apple, banks, and most other popular
sites. The admin would err on the side of allowing scripts to run, while the
default-block rule would still block unknown and ad/tracker domains. It would
obviously be less secure than an intelligent user making all their own
decisions, but it would make the barrier to using NoScript much lower.

Edit: While I'm musing on this, I wonder if NoScript could use a UI overhaul.
A little icon that says "Something broken? Try activating these domains" with
some heuristics e.g. first try allowing the current domain, then stuff on
common CDNs, then maybe digging into DNS records or SSL certs for common
ownership...

~~~
dredmorbius
I'm finding uMatrix is useful, and have deployed it _with ongoing support_ for
non-technical users.

It's possible to whitelist (and blacklist) specific targets, including local
site, and a set of specified third-party targets.

That said, overall, it's a bit of a complexity bunghole, and may not be for
the general public. But then, computers in general aren't, in many ways,
either.

------
xrorre
I appreciate the intention of this article. Written for people only starting
to change their surfing habits in light of Snowden. But the examples of the
tools they should use are not thought out very well.

First: Freedome by F-Secure is closed source and there is no OpenVPN
alternative. Always choose a VPN that has OpenVPN so that users can configure
the connection to their needs. No need for this bloated mess.

Second: Whilst disposable Google accounts might seem like a good idea, there
are any number of ways for Google to cross-correlate a disposable identity
with your actual identity using fingerprinting captchas or even your screen
resolution. Google does this to spot serial re-registrations and to stop
people gaming Google Plus voting rings and spammers in general.

Third: Be careful of online websites offering fake-name services. Most of this
data is generated server-side and logged for the purposes of cross-correlation
with your IP address and useragent string. Quite possibly the vast majority of
fake-identity sites are run by LEA.

- I like to write some quick and dirty ruby gems to generate fake identities
because then it can't be correlated. (The names are pulled in from disparate
sources and I always ensure true-randomness).

- In terms of email, use things like Riseup which use TLS at every hop so
that passive dragnets can't sniff the password. 99% of all IMAP and SMTP
services can be passively sniffed because they use weak STARTTLS.

- Use 'honeywords' in an email to correlate different emails with different
activities. For example:

    john.doe+shopping@riseup.net
    john.doe+gaming@riseup.net
    john.doe+correspondant@riseup.net

This way you can whitelist those addresses for the purposes of filtering out
spam and phishing attempts.

~~~
craigds
I don't see the point of using honeywords. I mean, I've used them a bit, but
any spammer is going to strip them immediately, so they're useless for
identifying which provider leaked your address, right? And now to log in, you
need to remember the honeyword you used to register, which is a big
inconvenience for anyone not using a password manager. (Use a password
manager!)

~~~
Jtsummers
If you primarily use honeywords, then you can filter out anything going to
craigds@host.tld as spam. The hard part would be transitioning people you
_want_ to communicate with to
craigds+{family,friends,correspondence}@host.tld.

Optionally, retain craigds@host.tld for personal and professional
communication/correspondence, and move everything else to
craigds1+{something}@host.tld (or a different host).

~~~
cmdrfred
I just bought an entire TLD for signups/spam and made it a catchall. One
positive is I know when companies are breached often before they announce it
as my pagerduty@domain.com told me a little while ago.

[http://www.theregister.co.uk/2015/07/31/incident_managers_pa...](http://www.theregister.co.uk/2015/07/31/incident_managers_pagerduty_pwned/)

~~~
Abundnce10
This is a great idea! What's it like viewing email? Which client do you use?
Is it easy to see which email address the email was sent to?

~~~
cmdrfred
Viewing email is as you would expect, the email they sent to is in the header
so it's just a single click away in Thunderbird.
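
The per-service addresses discussed in this subthread (plus-tags such as `john.doe+shopping@riseup.net`, or one alias per signup on a catch-all domain) can be checked automatically. This is an added example, not code from any commenter: it reads the recipient headers of a message and flags mail that reaches an alias from a sender the alias was never given to. The `ISSUED_TO` registry, the `.example` domains and the sample messages are constructed, and it assumes the receiving server records the envelope recipient in `Delivered-To`.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: the sender domains each alias was handed to at signup.
ISSUED_TO = {
    "shopping": {"shop.example"},
    "gaming": {"games.example"},
    "pagerduty": {"pagerduty.example"},
}


def alias_tag(address, catchall_domain=None):
    """Return the per-service tag carried by a recipient address, or None."""
    local, _, domain = address.lower().rpartition("@")
    if catchall_domain and domain == catchall_domain.lower():
        return local                    # catch-all: the whole local part is the tag
    if "+" in local:
        return local.split("+", 1)[1]   # subaddress: text after the first '+'
    return None


def domain_matches(sender, allowed):
    """True if sender is one of the allowed domains or a subdomain of one."""
    return any(sender == d or sender.endswith("." + d) for d in allowed)


def classify(raw_message, catchall_domain=None):
    """Return (verdict, tag, sender_domain) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    # The From header is spoofable; a stricter check would use the domain
    # that passed SPF/DKIM as reported in Authentication-Results.
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    for _, addr in getaddresses(headers):
        tag = alias_tag(addr, catchall_domain)
        if tag is None:
            continue
        allowed = ISSUED_TO.get(tag)
        if allowed is None:
            return ("unknown-alias", tag, sender)   # alias never issued
        if domain_matches(sender, allowed):
            return ("expected", tag, sender)
        return ("leaked-alias", tag, sender)        # alias escaped its service
    return ("untagged", None, sender)               # tag absent or stripped


# Constructed sample messages; only the headers matter here.
SAMPLES = {
    "receipt": "From: Shop <orders@mail.shop.example>\n"
               "To: john.doe+shopping@riseup.net\nSubject: Order\n\nThanks.\n",
    "spam_to_gaming": "From: promo@bulk-mailer.example\n"
                      "To: john.doe+gaming@riseup.net\nSubject: Deal\n\nBuy.\n",
    "stripped": "From: promo@bulk-mailer.example\n"
                "To: john.doe@riseup.net\nSubject: Deal\n\nBuy.\n",
    "catchall_leak": "From: offers@unrelated.example\n"
                     "Delivered-To: pagerduty@catchall.example\n"
                     "To: undisclosed-recipients:;\nSubject: Hi\n\nHello.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw, catchall_domain="catchall.example"))
```

The `stripped` sample shows the limit of plus-tags: once the tag is removed, the message is indistinguishable from any other mail to the base address, whereas a catch-all alias has no separable tag.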

------
apecat
Great article.

The only real omission I noticed is the lack of mention of advanced browser
fingerprinting techniques that can be used against browsers, even if caches
are emptied, 'porn modes' activated, VPNs opened. As demonstrated here by the
EFF's Panopticlick initiative.
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

One of the most important points about the anonymity provided by the Tor
project to remember is that the Tor Browser is painstakingly hand crafted to
avoid many of these problems. In other discussions about TOR it is worryingly
common to see other ways to route browser traffic through TOR, without
mentions of the implications.

For those interested, here's a recent look into the Tor Browser system by one
of the developers.

[https://www.youtube.com/watch?v=Rq5Qbj2Aouo](https://www.youtube.com/watch?v=Rq5Qbj2Aouo)

~~~
tiatia
What do you mean with "VPNs opened"?

The article is wrong about Tor being an alternative option to a VPN. If
anonymity is your concern, you should use TOR to connect to a VPN (paid with
Bitcoins).

~~~
apecat
"VPNs opened" was poor wording. Clarifications provided by the guys below seem
to match what I remember from listening to talks on Tor by the project's
developers.

Operational security and Tor is such an interesting and frankly, quite scary
subject. I've mainly used and instructed people on Tor for read-only uses of
the web.

For my own needs, masking the origin of an actively participating persona is
out of scope. I generally warn people about doing anything that requires
sign-on/nicknames etc without very careful research.

I recognize that my lack of a need for serious anonymity for basic political
activism etc is a huge privilege. So I try to give back by running a bunch of
Tor middle relays myself.

For serious anonymity, I'd really be strict about using a forensically clean
Tails USB boot environment, on varying public Wi-Fi hotspots with a dedicated
laptop that never has touched my regular network. The laptop must not ever be
powered on near my house. Lots of systems, like Cisco Meraki business Wi-Fi
APs take note of all nearby Wi-Fi and Bluetooth devices for 'location
analytics'.

Javascript and stuff must be disabled of course. Carrying any cell phone,
burner or otherwise is out of the question.

The reasons are many, but for starters, you don't want to be identifiable as
the only person at your location making Tor connections, if you're doing
something important.

Here are some good points on the subject.
[https://www.youtube.com/watch?v=eQ2OZKitRwc](https://www.youtube.com/watch?v=eQ2OZKitRwc)

My approach for promoting Tor to regular people around me is through
describing it as a way to do random googling on subjects people don't
necessarily want linked back to them, through analytics and ad companies.

I'm personally pretty convinced that insurance companies around the globe are
looking pretty seriously at how far they could push their use of intelligence
from data brokers. For purposes like identifying people with potential
inherited diseases, recreational drug use habits, mental health problems etc.

So, I think Tor is important for all of us.

~~~
hackney
I love the tor browser, however much of the internet without javascript is not
useable, at all. Very unfortunate for a tor fan like myself. To be quite
honest, if most people weren't like 'grandma' and actually took more interest
in the underpinnings of the computer itself, they would automatically be more
self-aware of said security. However, it can be said that our 'security', and
most importantly, our identity, has been compromised by the very govts and
colluding corporations who regulate the devices with which we network. The
"land of the free" is anything, but not that. I can't stress enough that
societies need to preach good computing habits with encryption first and
foremost. Instead all I ever hear is how wonderful the latest device is
because: it's newer, faster, you can piss on it, etc. Where in the hell is the
spiel on how secure it is and how wonderfully it encrypts everything? The
worst part of it is that most don't take enough interest and the powers that
be are similar to snakes in the grass. The balance of anything, even
information as well as communication is what we all need to strive for.

------
huuu
Doesn't this create a risk of committing fraud and identity theft in some
countries?

I can understand it wouldn't be a crime to create a random email address but
creating a fake house address and using this for payments sounds a little
tricky.

~~~
pdkl95
What you call "fraud" I call "privacy". Anonymous transactions happen all the
time with cash, and any new payment method needs an equivalent. In the modern
era where it is no longer possible to gain privacy by being unobservable, a
new definition of privacy is required. Dan Geer has a very good replacement
definition; privacy is "the effective capacity to misrepresent yourself"[1].
If cash isn't possible, misrepresentation is the only option.

[1]
[http://geer.tinho.net/geer.blackhat.6viii14.txt](http://geer.tinho.net/geer.blackhat.6viii14.txt)

~~~
huuu
What you call privacy might be called fraud in some countries. That's what my
question is about.

~~~
tunap
I concur & I tread lightly in my guerilla tactics. My bank, my insurance
company, my Dept Of Motor Vehicles & the other "legit" govs that require my
info get it (and I use offline services as exclusively as/while I am still
able). For every other "reg required" service, discount card "brick & mortar"
or any other entity that requires a unique account, they get all the mis-info
I can feed them. In the end, they get their unique identity to track and
disseminate, it's just a falsey.

*Granted, it is an easily unravelled ball of lottery hotlines & public
spaces addresses that could easily be traced back to the real "me", but I'm
not really hiding, just preserving my right to be left alone from prying
marketeers and... ahem.... data scientists.

------
btrask
This is just a list of more things for them to clamp down on.

I'm thinking about going in the opposite direction, and broadcasting all of my
personally identifying information (credit card, SSN, etc). Obviously I would
have to set aside a large amount of time to deal with issuing fraud reports,
and make sure that I wasn't risking anything that I can't afford to lose--but
it does seem simpler in some ways.

After all, if you don't have anything to hide, you're bulletproof, right?

~~~
WA
The problem: "Nothing to hide" depends on the context. Maybe you don't have
anything to hide under the current laws, but what about laws in 20 years from
now? Maybe times change and suddenly, you've got a lot to hide.

~~~
sleepychu
I'm having trouble finding it but the perfect example of this is a census that
collected religious affiliation (for innocent statistics) that some brave
citizens went to great lengths to destroy when they came under Nazi occupation
in order to try and protect Jewish residents.

~~~
spangry
Another example would be the internment/deportation of 120,000
Japanese-Americans during WW2. I'll bet when they were ticking the 'Japanese ancestry'
box on their census form they had no idea they were signing up for future
imprisonment without due cause or due process.

[http://www.scientificamerican.com/article/confirmed-the-us-c...](http://www.scientificamerican.com/article/confirmed-the-us-census-b/)

~~~
nxzero
Related Wikipedia page:
[https://en.m.wikipedia.org/wiki/Internment_of_Japanese_Ameri...](https://en.m.wikipedia.org/wiki/Internment_of_Japanese_Americans)

Might be worth noting that children that were in these camps are still alive
today.

------
rkrzr
TLDR: Use a VPN + Incognito mode + fake email and info

The VPN hides your IP. Incognito mode prevents your cookies from giving away
your identity. And the fake info helps with things like sites being hacked and
the data being dumped online.

~~~
htns
And you really should try to use a reputable VPN, like the one they recommend
in the article. Plenty of VPN services are in the business of injecting ads
and malware, logging your traffic, stealing passwords and credit card numbers,
etc.

------
amelius
> Going dark: online privacy and anonymity for normal people

Caveat: normal people don't care about such things.

~~~
DarkContinent
Privacy is for everyone, not just the privileged few.

~~~
nobodyshere
It isn't about privilege. It is more about whether privacy is something that
you are worried about or not. Most people don't care about it and don't even
think about protecting it.

~~~
dublinben
Anyone with curtains on their windows, or who closes the door to their
bathroom cares about privacy.

~~~
nobodyshere
Yeah, but that's "real" privacy and they understand it quite easily. Meanwhile
virtual privacy is something different and more complicated.

------
jrcii
I really object to the language of "dark" to describe privacy or anonymity,
which are thereby painted with a sinister connotation.

~~~
stephengillie
Similar to /s/blacklist/blocklist, maybe we can replace this with "Going
Transparent" to describe privacy or anonymity.

~~~
etiam
"Going Clear"?

------
ChefDenominator
The article recommends going to Fake Name Generator (tm) to get a random
online identity. The page is not encrypted and looks very, very fishy.

That page recommends going to Social Security Number Registry. Again, an
unencrypted totally scammy looking page. If you enter a random name and select
a random state, it will 'verify' that your identity has been stolen. Then, if
you click on 'Validate', you can enter your SSN (unencrypted, of course).

I don't even know how to code, and this is a news site for hackers? This tripe
makes it to the top of the front page?

~~~
huehehue
FWIW, there is a "secure" version of the fake name generator, but you have to
pay $1.99/year and sign in with Google, which is hilarious.[1]

Also, as explained by the creator[2], the SSN registry site is worthless and
apparently a joke (although I'm not going to poke around on the site to
verify).

[1]
[https://www.fakenamegenerator.com/premium.php](https://www.fakenamegenerator.com/premium.php)

[2] [http://www.forbes.com/sites/adamtanner/2014/02/03/the-mormon...](http://www.forbes.com/sites/adamtanner/2014/02/03/the-mormon-who-creates-billions-of-fake-identities-every-month/#772f8a467582)

~~~
ChefDenominator
That really just makes everything worse, because this site, HN, presents the
blog post as if it is a legitimate guide. The Fake Name Generator(tm) page
states: "You should click here to find out if your SSN is online." Making no
mention that the site is intended to be a joke.

Apparently, HN is a joke.

(Note that the only way to view the Forbes article you linked is through the
cached version.)

------
mirimir
It's a good piece, but the treatment of VPNs is bad. There's a new site about
choosing a VPN service:
[https://thatoneprivacysite.net/](https://thatoneprivacysite.net/) It
summarizes a huge amount of information, for 159 VPN services.

------
descript
It is so difficult to balance productivity/convenience and privacy/security.

Only recently did I stop worrying about privacy/security, and frankly my
online experience is much better. I can now participate in any services/apps
that catch my eye, I now save CC data at some sites, don't have a VPN/Tor
slowing traffic and giving me cloudflare walls/"im not a bot" verification,
don't have noscript/ublock/privacy badger breaking most sites, can sync across
devices and backup online.

Having both secure & private online behavior is a massive inconvenience. You
basically can't participate in the online world as it exists. (There are
definitely opportunities to create secure/private versions of existing tools)

------
maglavaitss
This submission has some more tips for preserving your privacy
[https://news.ycombinator.com/item?id=11706680](https://news.ycombinator.com/item?id=11706680)

------
ikeboy
The SMS receiving sites don't work so well IME. They tend to use a single
number for everyone, and the demand by spammers etc is so much higher than the
free supply that for any given service, your number will probably already be
blocked. Or the receiving will be unreliable, etc. I've gotten it to work
sometimes, but usually not. Definitely too hard and time consuming for "normal
people".

Is there a site that sells phone numbers for VoIP and sms for bitcoin without
requiring identity?

~~~
slvrspoon
Identity is required by us (and by most "foundational" financial and phone
providers) but for external use with other 3rd parties, not at all.
www.abine.com

------
tmaly
As I am cranking away on some Go services on my laptop on my local coffee shop
wifi, I see log entries pop up of people trying to access php pages.

I go and ask the staff, and they said their POS is full of some weird
software.

A good VPN provider is worth it, but finding one that will not keep logs on
you is another story.

------
bunkydoo
Here's the thing, if you are a normal person - you aren't going to read a
guide on something like this. I have a 1 sentence guide on this for the
'normal person' - If you wouldn't want your grandma to see it, just don't
enter it in an internet browser.

~~~
mirimir
Sadly enough, I tend to agree with you.

I will note, however, that you display some naiveté about grandmothers ;)

------
astazangasta
I'm interested in 'phishing and malware protection', which I think means all
my traffic gets reported to Google. This plus Google Analytics means the
electric eye is on me wherever I go. Tips to browse safely without these?

------
fulafel
The article exemplifies why the widespread misappropriation of the VPN term
is unfortunate (in same series as "router" for NAT boxes...), it serves to
confuse people about the potential of real overlay networks.

~~~
mirimir
Please say more about "the potential of real overlay networks".

~~~
fulafel
Well, tunneling your web traffic to some random "VPN" provider and having all
traffic flow out in the open to the internet is just defending against your
last mile ISP basically. A real encrypted overlay would be a fully connected
mesh between all the nodes of the network. Like IPSec was originally meant to
work (transport mode, anyone being able to set up a security association to
any other IP address with common PKI)

~~~
mirimir
Thanks.

> Well, tunneling your web traffic to some random "VPN" provider and having
> all traffic flow out in the open to the internet is just defending against
> your last mile ISP basically.

People use VPN services because they can't trust their ISPs. ISPs log traffic,
shape traffic, share data with adversaries, etc, etc. People instead choose to
trust VPN providers. Typically, there are few ISPs to choose from. But there
are numerous VPN services.

> A real encrypted overlay would be a fully connected mesh between all the
> nodes of the network.

Well, there are [https://peervpn.net/](https://peervpn.net/) and
[https://www.onioncat.org/](https://www.onioncat.org/) (which connects through
Tor). From years ago, I recall one from some Russian with a friend in
Antarctica. But not even the name :(

~~~
fulafel
Also [http://hack.org/mc/projects/btns/](http://hack.org/mc/projects/btns/)

------
coldpie
Is this really still the best way to pay for stuff anonymously online? Lie to
a financial institution? I understand the desire to avoid fraud, but boy does
that irk me. Hrmm...

------
kevingrahl
Skimmed the article, saw that he recommended using Googlemail. Looked at the
title of the post again. Looked at Googlemail recommendation. Laughed and made
a mental note not to trust "Troy Hunt".

~~~
Intermernet
Maybe try reading the article instead of skimming. He mentions options to
Gmail if you don't want to deal with them.

Pro tip: don't comment if you've just "skimmed the article".

