Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Starting an Anonymous Blog in 2019?
146 points by mvanga 13 days ago | hide | past | web | favorite | 86 comments
Hey folks,

I'm asking because I'm curious how one would go about doing something like this in 2019. What are the things you need to think about, and what measures would one need to take to ensure continued anonymity over time. In particular, I'm curious about just information transfer, like a simple, not-for-profit blog.

Since the threat model can get pretty vague, I guess I'm thinking about two main scenarios:

1. Easier case: how to prevent being de-anonymized by curious individuals and specific corporations (e.g., multiple ISP's colluding together may be able to de-anonymize you, but for example a specific company like Google can't).

2. Harder case: ensuring anonymity even from state-level actors.

Thanks!






Well, if you're willing to accept my paranoia - here's what I did for a reasonable test. Again, it's only a start - there's more fun and paranoia to be had. At the end of the day it's about having an identity, not a blog.

1. Buy a credit card in cash from somewhere without cameras.

2. Use that credit card to buy a phone number through many of the real voip providers.

3. Buy a used laptop on CL/Kijiji in cash, making sure the pickup is someone's house. Bonus points if you make a friend do it.

4. Go to a Starbucks with your new laptop, sign up for gmail or protonmail using your new phone number.

5. Nuke your laptop and reinstall. It's a burner. Make sure you change the MAC address, just for profit.

6. Sign up for free VPN (500MB start) with something like TunnelBear, using your new email address.

7. Connect to your VPN from the laptop. Now use TOR.

8. Remember that credit card? Time to buy another one - this time so that you can pre-fund Amazon credits (or DO). They'll both accept prepaid credit cards.

9. Blog, do your thing - but only ever publish from a dedicated VM on the laptop. Make sure you're using firefox (or something else) in your VM to test your blog - through the SOCKS proxy you establish (ssh -D) to the host.

10/11. Nuke and rebuild VM and machine at will.

12. Every ~3 months, do a Kijiji exchange for a new laptop.

The above is in no way foolproof. But it's a reasonable start. For the record I don't consider this anonymous or paranoid enough.


This list is awesome. I would love to shake your hand, but I am fairly sure I would never be able to find you.

Is #2 even possible? Which phone providers accept prepaid cards and no way to verify the user's identity?

For #7, make sure you do VPN over Tor, not Tor over VPN. The former is more secure for you, and has the additional benefit that sites won't know you're using Tor. The latter sucks for you and Tor if you relay any traffic.


#2, you can walk into a Target and by prepaid SIM cards for about $15/each. You can also signup Google Fi for free, but they will need an address to ship the card to.

Mind you, you'll also have to travel out of the country if you're basically anywhere in Europe, where buying anonymous prepaid cards is simply not possible anymore because laws mandate taking and storing the identity of the buyer.

Yeah, if you have no social skills. I've never had trouble with "Uh, I left my ID home. I remember my passport number though, can I just give you that?"

I've bought lots of prepaids in probably most European countries.


You buy prepaid sim cards in Ireland for cash in all phone shops and give any name you like. No id required.

> #2, you can walk into a Target and by prepaid SIM cards

That is in direct violation of #1.

>#1 ....from somewhere without cameras

Target has cameras everywhere, even OUTSIDE the Restroom (for "Loss Prevention") and inside the elevators between floors, as well as at self-checkouts and customer service kiosks.


How long do they keep it? You could walk in with a getup that makes you unidentifiable. Or even ask a random kid to go buy it for you.

What brand? Most prepaid sims require some kind of account with your legal name :(

Absolutely. In fact it's possible with at least 3 different providers for whom I have accounts. Before you ask, yes they're all reputable.

I'll definitely agree that VPN over TOR is (by far) more secure - but I feel as if most people aren't capable of it, even though TAILS exists.


I admit that I don't know about the US - but I'd assume this would work somewhere there. Might vary by state.

In Canada just buy your prepaid credit card at one of the independent corner stores we have all over the place. Several don't have cameras. Equally, there's nothing to stop you from walking in with a facemask; it wouldn't be abnormal at all.


this time so that you can pre-fund Amazon credits (or DO). They'll both accept prepaid credit cards.

What billing address would you use on these though?


Thanks for this, I was entertaining the idea but this sounds exhausting.

Always depends on your threat level. If you are, say, whistle blowing on a major government or corporation and don’t want to be public, it isn’t that bad compared to being (psychologically only if lucky) tortured 24/7 for the rest of your life.

Exactly. Journalists in particular need to have more guides like this

Centre for Investigative Journalism (UK) does workshops to teach these concepts, they welcome volunteers to sign up and share tech knowledge. The conferences are always extremely interesting, too. Well worth attending.

https://tcij.org/


Instead of nuking your system and trading it away all the time, why not use Qubes?

Things like canvas fingerprinting and other hardware “side channels” will most likely persist through reimaging

Absolutely. Some of this is solvable through the use of the VM abstraction layer (hence!). Others do rely on macaddress (hence the constance rejig).

Ideally one would have multiple machines for this - but we have to be realists about the quick and dirty.


> 1. Easier case: how to prevent being de-anonymized by curious individuals and specific corporations (e.g., multiple ISP's colluding together may be able to de-anonymize you, but for example a specific company like Google can't).

GitHub is Tor-friendly, so you can piggyback off GitHub pages with Tor/proxies and get something out of that at no cost. Occasionally, they may automatically determine you to be a bot account, but support is responsive and reinstates it within at most days if you seem human enough. Censorship remains an issue, but shoving the pages manually into archive.org should help build some resilience at least.

Maybe mirroring on BitBucket and GitHub will also work.

> 2. Harder case: ensuring anonymity even from state-level actors.

This is a very, very hard problem. Your best bet would probably be compromising a few poorly-secured websites outside the sphere of influence you're trying to hide from, doing this from a public hotspot in a foreign country and then connecting to them only via Tor. Of course, if Tor is enough of a red flag in and of itself, you'll always have to travel to post, which is just as suspicious.


> GitHub is Tor-friendly, so you can piggyback off GitHub pages with Tor/proxies and get something out of that at no cost. Occasionally, they may automatically determine you to be a bot account, but support is responsive and reinstates it within at most days if you seem human enough. Censorship remains an issue, but shoving the pages manually into archive.org should help build some resilience at least.

Interesting insight about using archive.org to build resilience against censorship.

Also, is there something like a distributed version of GitHub pages/Netlify that might be less centralized? (e.g. perhaps a blockchain-based publishing platform that anyone can host a frontend for if one is taken out)

> This is a very, very hard problem. Your best bet would probably be compromising a few poorly-secured websites outside the sphere of influence you're trying to hide from, doing this from a public hotspot in a foreign country and then connecting to them only via Tor. Of course, if Tor is enough of a red flag in and of itself, you'll always have to travel to post, which is just as suspicious.

With behavioral patterns, I'm guessing it's nearly impossible to stay anonymous for extended lengths of time. However, it might still be good for releasing one-time long form content such as books.


> Also, is there something like a distributed version of GitHub pages/Netlify that might be less centralized? (e.g. perhaps a blockchain-based publishing platform that anyone can host a frontend for if one is taken out)

There are, but I’m not sure about accessing them with conventional browsers of today. There’s Beaker Browser (beakerbrowser.com) and there’s IPFS (ipfs.io).


I think both have content pinning and/or HTTP gateway services; one example is Hashbase: https://hashbase.io/

Lots of good technical advice has been given and I won't rehash that, but I think there are lots of other methods you'll need to consider, too.

1) Time of publish. You'll want to make sure the times you publish entries are random and can't be correlated with things you are doing. If you take a vacation, you'll need entries going up.

2) How you write. You'll want to ensure your writing isn't too similar to your own. Either have others write it, excessively use synonym dictionaries, or introduce writing styles and elements exclusively to the posts you write.

3) What you write about. It should be as diverse as possible. If you only write about one topic, or clearly have a bias for one topic, then it is easier to pin down your interests and focus searches against you to that. Write about cooking, about programming, about art, about politics, etc. Even if you hate or aren't good at it.

4) Fabricate entries. You'll want to write about topics you dislike, or topics you don't believe in or about places you have never been. Reference dates and times that would be impossible with your schedule, your income, your skills, or your connections. For areas you are most versed in, introduce simple errors to reduce your apparent expertise. In areas you are most ignorant, plagiarize from experts in a non-obvious way to fake expertise.

5) Write in only your native language so as to not giveaway where you learned some other language. If this isn't enough, then run your writing through an automatic translator each time into some other language you might know and only do a light touch up of the most egregious errors.

You kind of get the drift. Lots of people here can give technical advice, but that is always one slip-up from going wrong and you getting caught. Having lots of disinformation and mixed information in the blog itself can help provide cover and deniability.


> your writing through an automatic translator each time

Don't forget that this is a sure way to get deanonymized, if you don't do this anonymously, too.


Much of this seems like good advice. This definitely seems like the way you'd have to think to pull off something like this reliably with a strong enough attacker on your heels.

It's amusing to think of what happens if you follow this too far though. Essentially you're putting on a mask that is as uncorrelated with yourself as possible. But if your intent is to publish something, that seems contradictory to some extent. Can't use your own point of view, can't use your own expertise, can't use your daily experiences or any information specific to yourself. The only sense you'd be publishing a blog would be mechanically. Anything you actually intended to say would be lost in the white noise of everything you must say in order to stay hidden.


That could happen in an extreme case, but I think if the intent is to write something to inform, then regardless of one's expertise the content should make clear the value.

I think when assessing anyone's work that is done through a pseudonym, anon, or what appears as a clearly fake profile, one needs to really pick and choose how they decide to ingest that information.

I would be hesitant to even remark on the anon blog that the blog is written in the most defensive manner possible, as that indicates to adversaries the level of aggression the target expects, which can itself narrow-down where they might be.

It is a truly hard problem, but if the value of OP is complete anonymity and the signal to noise ratio isn't as important, then these obfuscation steps are valuable. Not the least because they can be implemented or dropped at any time as one's security threat changes.


You have to blend in with the crowd to avoid sticking out. This means not buying a domain name (since domain registrations, even with contact information hiding, require real addresses in many cases for the registrar to process).

Then you use Tor to create a couple of ProtonMail and Tutanota addresses. Use these email addresses to create accounts on sites like GitHub while using Tor (make sure you link multiple addresses so that you have ways to get back in if one of them doesn’t work or you get kicked out).

Mirror all the writings on archive.org and another free site so that you have a backup to point people to (list the address of the other site in each site). Never trust any provider not to kick you out for “violating their terms and conditions” without telling you what you did or how you can fix it. When you get locked out, it’s usually with vague statements and no way to get back in. You’re at the mercy of bots and other people who may make it their mission to shut you down (depending on what you write).

Create multiple throwaway accounts without a lot of history to share the posts elsewhere.

Use Tor for everything related to the blog.

Edit: Building on what zelly said on translating from one language to another and back to reduce the chances of being identified by your writing. Somewhat similar in nature to hashing iterations, use one service to translate from X to Y, another to translate from Y to Z, and then yet another service to translate from Z to X. Then post X after making any necessary corrections. This could be automated with simple scripts. Using simple and short sentences could also help against any language analysis. Write, then feed it into something like Hemingwayapp, simplify it, then process it further with translation rounds.


It's not that hard to buy a domain name anonymously with Monero and providing fake information. Some don't even ask for anything, see for example njal.la.

Having to sacrifice style completely like this: that’s a drag. Are the style models accurate enough to id people already?

Seems like they’ve been using this with a good amount of success in certain cases. The Wikipedia page for Stylometry has more details. Bruce Schneier has also written about it a few times over the last decade.

Upvoted because this is a super important topic. I don't feel comfortable shining a spotlight on my industry because I don't trust that I could keep my identity secure. I imagine many feel the same way.

This is a very simple question to a very complex problem/issue. Simple answer it isn't possible. The current way the internet, law, and society works it is impossible to start a anonymous blog. You can create hurdles and do simple things that would stop the easy to find things. But, if someone or corporation really put any effort into finding you they could.

The internet was not design for people to be anonymous. Our law's weren't made to keep you anonymous. Our society doesn't allow for people to be anonymous.


Realistically the only way I could see this being possible on the standard internet and not some service like Tor, etc. is to register multiple corporations and hire multiple lawyers.

For instance register an LLC in your country or somewhere like St. Nevis, that owns a LLC in New Mexico, that owns another LLC in New Mexico that pays for hosting, then using ideally another chain of LLC's pay a lawyer to actually post the content on the blog.

Basically following the same standards as money laundering but with content publishing. That way anyone who wants to find out who actually published the content would have to track down the owners of multiple corporations and the legal barriers with that, especially with cross jurisdiction challenges this can be effective.

It wouldn't be cheap, and nothing is 100% bullet proof. However this would largely protect you against private corporations and individuals from tracking your postings.


People have already given the advice of hosting your blog entirely on a platform like Github.

Spitball idea: Host your data in the script portion of bitcoin transactions. Now the part you host on Github or other platforms is just the JS script that fetches your transactions from online blockchain explorers.

Use localbitcoins.com to trade cash for bitcoin face to face. Just trade $10.

The idea being that it's easier to pass around a JS script than the corpus of a blog. And platforms like Github are probably less likely to remove your pages if the potentially-troublesome plaintext of your blog isn't actually in their database. And the purpose of storing the data on the blockchain is so you don't have to keep rehosting content as it gets taken down.

I'll admit this is more of a fun weekend project (storing stuff on the blockchain with a JS script that can fetch and present it) that I've repurposed as an answer.


This sounds like a good idea — dissociating the actual content from a platform like GitHub. But I wouldn’t suggest the bitcoin blockchain. Unless the OP has a decent amount of disk storage (which is easy to get) and a good amount of network bandwidth to keep it in sync and also push changes to the network, this would be cumbersome. The OP would also have to consider the time delay for propagating the update into the blockchain network (which could be several minutes or sometimes hours, AFAIK).

Maybe using the script to fetch from IPFS? (I have absolutely no clue if this is even feasible and how it would work)


You don't have to run a full node yourself to embed data into the blockchain. Just use a light wallet (but be sure to obscure your IP) and push the transaction.

This seems like a fast way to get de-anonymized. Not that hard to track backward from those posts to a localbitcoin purchase, even through attempts at obfuscating the source.

For the threat model described in the post here, if an adversary can narrow you to one of hundreds or thousands of possible sources, you've lost.


In that case, use the Bitcoin to purchase Monero. If it needs to be on the Bitcoin blockchain then for each blog post use the Monero to buy a small amount of Bitcoin in a new wallet.

#2 is not a good idea. Do not attempt to publish information that could get you in trouble with any governments.

Instead, get connected with a tech-savvy media outlet via SecureDrop or Signal. They can publish the information, have experts on hand to help you stay anonymous, and can likely connect you to legal resources should that become necessary.

https://www.theguardian.com/securedrop

https://www.washingtonpost.com/securedrop/

https://theintercept.com/source/

https://www.nytimes.com/tips


You might want to cross The Intercept off that list, since they inadvertently burned their source, Reality Winner.

https://blog.erratasec.com/2017/06/how-intercept-outed-reali...


That is horrifying and Orwellian

1. Login to a hosted blogging platform with Tor Browser.

2. Put Tails on a live USB drive. Only ever do your blogging on Tails. Purchase hosting for a hidden service with Monero. Watch out for people tackling you in libraries.


1) Don't run your own infrastructure

2) Don't buy a domain name

3) Deploy a static blog (gatsby, jackyll, etc...) to Github or Netlify

4) Done

Now you just need a VPN every time you log into these accounts and publish your content.

You might also want to randomize the times you access these services and publish content. That further obscures where you are in the world.


You won't be anonymous to the VPN company so a specific corporation can identify you though. Something like Tor would be a better choice.

Oh, indeed I forgot that good VPN-s are paid :)

Besides Tor, you could get a free AWS/Google Cloud account and do content submission from a free, minimal VPS machine.


You need to add a credit card, even for free accounts

Fair, but you get the idea, you can edit the GIT repo easily that's hard to detect who's doing it.

https://www.gitpod.io/

https://visualstudio.microsoft.com/services/visual-studio-on...


I think privateinternetaccess accepts money in envelopes? Either them or ProtonMail

>Now you just need a VPN every time you log into these accounts and publish your content.

Are you paying for this VPN or really trusting a free VPN?


can't you buy a domain with a pre-paid debit card ?

Off the top of my head:

1. Use all free technology since payments are a great way to figure out who you are. (So gitlab/github pages, blogger etc)

And then the usual info hygiene:

2. Always use a VPN to log in

3. Don't use the same username or password anywhere else

One final thing:

4. If you put out enough samples of your writing anywhere else tied to your identity (email archives, a non-anonymous blog, publications), people can probably use ML to figure out who you are. I don't know if there is a "style obfuscation" engine to help with this.


> I don't know if there is a "style obfuscation" engine to help with this.

Machine translate from language X to Y. Then Y to X again.


Somewhat similar in nature to hashing iterations, use one service to translate from X to Y, another to translate from Y to Z, and then yet another service to translate from Z to X. Then post X after making any necessary corrections. This could be automated with simple scripts.

Using simple and short sentences could also help against any language analysis. Write, then feed it into Hemingwayapp, simplify it, then process it further.


I like the Hemingway app approach better than the translation approach because if you are blogging you presumably want it to be well written for the ultimate reader, though I recognize it would be less effective.

While making sure the engine isn't cloud based or phones home.

Previous discussion:

"OnionShare makes it easy for anyone to publish anonymous, uncensorable websites"

https://news.ycombinator.com/item?id=21253668


Some great answers here, but if you're doing anything that involves going out and about (e.g. buying phones / cards / starbucks etc) - Don't forget to leave your regular registered phone(s) at home or office, and never allow burner and registered phones to be active (powered on) near each other.

This is a sore spot with me, because here in Germany you just can't. At least not legally. And more than that you have to openly announce your name and address on your website. It's called "Impressumspflicht". Theoretically it doesn't apply to "private" websites but there is enough ambiguity there that not including an "Impressum" is considered too much of a risk.

Some try to render the "Impressum" as a picture so that it doesn't get indexed by search engines but it's not clear wether that is sufficient.

You also can't just rent a post box somewhere to get around announcing your address. The address has got to be a "ladungsfähige Anschrift" which means that it has to be the place where you live.


What is the risk? And if it's anonymous how do they find you? You don't have to host your blog on a .de domain.

For the former, just having a private domain registration, not putting any personal information on the site and avoiding any type of presence in media posted there (like face/voice in videos) will often be enough. Most people and companies aren't that technically inclined, nor motivated to try and track down anonymous creators. Unless you're being specifically targeted by a dedicated group of obsessives, no one would even bother looking into things like writing styles and background trivia.

For the latter case (or when dealing with said obsessives deliberately targeting you), then things get trickier. The challenge with infosec is that messing up even once compromises everything, and most people/groups mess up multiple times.

Some advice there:

1. Don't try and be a 'ghost', throw people off with fake identities. Manufacture social media accounts/history to send people barking up the wrong tree.

2. Use burner equipment wherever possible, or at least computers/phones that aren't used for real life activities.

3. Get an anonymous email account, use it for a VPN, use Tor, etc.

4. Access the internet from a variety of places under said conditions, maybe with different online identities each time

5. Use services based in countries your current one have no treaties with

6. Deliberately vary your writing style so it can't be linked to previous work (may be difficult)

Plus a whole bunch more steps that would make anyone writing them seem super paranoid when posting.


Several things to think about, weak points could be:

Domain name, since the registrar will probably have your information. Namecheap allows bitcoin payment, but I think they still require contact information. Going with an onion url would limit that impact.

Hosting, again, they will almost certainly have your information. Swisslayer allows bitcoin payments, but contact info might still be required. Could be mitigated by going with Tor or some other service, but that limits discoverability.

Server software -- you would want to limit the ability to be compromised, so something like OpenBSD with the built in httpd and raw html files would be a reasonable bet for preventing intrusion. Keeping it simple would leave less attack surface, and less potential to leak information.

Using Tor to connect would mean less logs between.

Any information you gave in content could be used to trace, but that is difficult and would require being careful in the writing style, and what information is leaked in that channel.

EDIT: As beefhash points out, piggybacking on an already accessible public endpoint negates a lot of the leaking of your information through your own services.


Is there a reasonably easy way to get anonymised bitcoins? Mining is currently out of the question, purchase on exchange will leave a trail.

Just use Monero?

Trade bitcoin locally face-to-face.

I've used https://localbitcoins.com.


Localbitcoins requires KYC these days.

You don't even need to register to use localbitcoins, they only require KYC to put up a listing.

Monero and xmr.to!

1. Create JS library.

2. Add bitcoin-wallet-stealing code.

3. Upload to NPM.


If you're trying to beat top tier state actors, and you're posting content of high enough profile, you're going to lose. There are too many fingerprints and timing attacks that will give you away. The way you construct sentences, the types of words you hyphenate, the way you spell words, the words you select, etc.

> The way you construct sentences, the types of words you hyphenate, the way you spell words, the words you select, etc.

There are ways of countering these kinds of analyses. A search for "defeating stylometry" turned up this link: http://www1.icsi.berkeley.edu/~sadia/papers/adversarial_styl...


Id look into crypto space. Buy a unique blogging computer and connect to free wifi. These may not be the solutions, but possibly.

https://www.cryptovibes.com/blog/2019/01/02/iota-introduced-...

https://zeronet.io/


One route you could go down is sharing with a newspaper. Several newspapers have projects where they want to be able to accept stories anonymously.

E.g.: https://www.theguardian.com/help/ng-interactive/2017/mar/17/...


Don't get your own domain. Use a service like Wordpress.com. Register with them using a outlook.com alias. Use one VPN to set the account up then cancel that VPN. Then use another VPN to post new content. When administering the blog don't use your own machine and everyday browser - instead, spin up a clean VM.

If you were able to find someone, somewhere, who you otherwise have no relationship with, perhaps you could get that person to setup the blog, and post the messages that you send to them via some other (offline) method.

While clearly difficult, I'm not sure this is really any harder than the other technical solutions listed here.


Case 2 probably involves some (and likely a _significant_) amount of identity theft, and even then I don't think you can do better than pseudonymous - if you want your intended audience to reliably know which sources of information comes from you, then any and all adversaries can know the same.

0. Visit a library or starbucks in a nearby town using a computer that has no association to you (wiped or loaner)

1. Use TOR or some kind of proxy service

2. Sign up for Proton Mail

3. Use Proton Mail to sign up for wordpress.com blog

4. PROFIT!!!


You can't signup to ProtonMail from a VPN or Tor Exit node without SMS validation.

Go to a starbucks then; no tor needed

Sure, but now they have a location of where you are... which depending on the contents of the blog might be all they need. Unless you're advocating that they take a cross country trip to sign up for an email.

Could you buy a burner with cash?

Great thought experiment that I’d like to expand to the question of how to send a single anonymous packet on the Internet?

Isn’t the Internet built for spoofing who/what sent something? As I understand it, when you peel the layers and look deeper, there is no stringent authentication or identity verification that really happens, which makes it easy to exploit for DDoS attacks (using IP spoofing, which may help for certain kinds of attacks, or BGP spoofing).

Just spoof it. This is already how many volumetric ddos attacks work because of all the ISPs who still don't filter egress. Like an envelope with a bogus return address.

Use ZeroNet.io with Tor And fork ZeroBlog or use ZeroMe



Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: