Hacker News | ogisan's comments

While not exactly software per se, I created a system of multiple text files to manage todos, long term goals, and various reminders (e.g., IOUs, deadlines, etc). This was inspired initially by Jeff Huang’s blog post [1] but then grew to a complex collection of different files. A problem I ran into was building an interface for displaying and editing these text files (each file has a different width and for some files I want to have different heights when editing them). Ultimately I settled on multiple vim tabs in a terminal window. Been using this for close to five years now and I couldn’t be happier with it. However, at this point the system of files (and the terminal “user interface”) is completely customized to my life and would likely never fit someone else’s requirements.

[1] https://jeffhuang.com/productivity_text_file/


I disagree. Avoiding PKI and post-quantum security correlate very much. Even under plausibly post-quantum assumptions we only have a couple of assumptions from which we can build public key encryption. In contrast, here they avoid all use of public key cryptography which makes it provably post-quantum secure. It’s not using a buzzword for the sole sake of selling the paper. In general, using “minimal cryptography” (like random oracles / one-way functions) translates to real-world efficiency because you can instantiate these from a plethora of different concrete candidates.


> Avoiding PKI and post-quantum security correlate very much. Even under plausibly post-quantum assumptions we only have a couple of assumptions from which we can build public key encryption.

These statements presuppose an overly expansive definition of PKI, i.e., distribution of keys for public-key encryption. A more conservative definition is PKI = availability of trustworthy publicly verifiable signatures (i.e., public-key certificates). Post-quantum signatures can be based on target collision-resistant hash functions, like XMSS.

The paper assumes pairwise private and authenticated channels. While in practice this is not necessarily a good substitute for PKI, in theory it is a strictly weaker setting.
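
Added example, not part of the comments above or of the paper under discussion: a simplified signature scheme built only from a hash function, in the spirit of XMSS (Lamport one-time keys authenticated by a Merkle tree over SHA-256). Real XMSS uses WOTS+ and its own tree and addressing scheme; every function and class name here is an illustrative assumption.

```python
import hashlib
import secrets

def H(tag: bytes, data: bytes) -> bytes:
    # Domain-separated SHA-256 so secrets, leaves, nodes and messages never collide.
    return hashlib.sha256(tag + data).digest()

def lamport_keygen():
    # 256 pairs of random secrets; the public key is the hash of each secret.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(b"\x00", a), H(b"\x00", b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = H(b"\x03", msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per message-digest bit. Safe for ONE message per key only.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(b"\x00", sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def pk_leaf(pk) -> bytes:
    return H(b"\x01", b"".join(a + b for a, b in pk))

def merkle_levels(leaves):
    # levels[0] = leaves, levels[-1] = [root]; leaf count must be a power of two.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(b"\x02", cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index: int):
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])  # sibling at this level
        index >>= 1
    return path

def root_from_path(leaf: bytes, index: int, path) -> bytes:
    node = leaf
    for sibling in path:
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = H(b"\x02", pair)
        index >>= 1
    return node

class MerkleSigner:
    """Many-time signer: 2**height one-time keys under one public root."""

    def __init__(self, height: int = 3):
        self.keys = [lamport_keygen() for _ in range(2 ** height)]
        self.levels = merkle_levels([pk_leaf(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]  # the only value that must be published
        self.next_index = 0

    def sign(self, msg: bytes) -> dict:
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys used")
        i = self.next_index
        self.next_index += 1  # state update: reusing a one-time key breaks security
        sk, pk = self.keys[i]
        return {"index": i, "ots_sig": lamport_sign(sk, msg),
                "ots_pk": pk, "path": auth_path(self.levels, i)}

def verify(root: bytes, msg: bytes, sig: dict) -> bool:
    # 1) the one-time signature is valid, 2) the one-time key belongs to the tree.
    if not 0 <= sig["index"] < 2 ** len(sig["path"]):
        return False
    if not lamport_verify(sig["ots_pk"], msg, sig["ots_sig"]):
        return False
    return root_from_path(pk_leaf(sig["ots_pk"]), sig["index"], sig["path"]) == root
```

The signer is stateful: the index counter must survive restarts and backups, which is the main operational caveat of this family of schemes.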


Paywalled. Here’s the archive link: https://archive.is/aSU79


Check out Google's Topics API [1] (available in Chrome). It spits out a list of advertising topics based on your browsing history.

[1] https://developer.chrome.com/docs/privacy-sandbox/topics/


In the article: “The odours defied the expected effects of dilution since workers in the laboratory did not find the odours intolerable.”


I think that bit is saying the chemists who synthesized the compound were desensitized to it, it’s right after a passage where they were ostracized and sprayed with deodorant at a restaurant during lunch


Full quote, which seems to say it defies the expected effects of dilution _because_ the chemists weren't bothered by it when they were right next to it, but when they were many yards away they could.

"The odours defied the expected effects of dilution since workers in the laboratory did not find the odours intolerable ... and genuinely denied responsibility since they were working in closed systems. To convince them otherwise, they were dispersed with other observers around the laboratory, at distances up to a quarter of a mile, and one drop of either acetone gem-dithiol or the mother liquors from crude trithioacetone crystallisations were placed on a watch glass in a fume cupboard. The odour was detected downwind in seconds."

In other words, the smell intensity increases with dilution, _not_ decreases. We must protect this data from the homeopaths.


Hydrogen sulfide rapidly desensitizes the nose, it wouldn't be surprising for other sulfur compounds to do the same.


I don't think so. In NileRed's video it was clear that dilution made the odor worse than being right next to it, which otherwise invoked a "chemical"-ey smell rather than a putrid trash+sewage smell.


I've never smelled this chemical, but I wonder if it's a little bit like skunk spray smell?

There's a saying! "Skunks don't have the WORST smell, just the MOST smell"

It's not the worst smell in the world. I would say it's not even remotely as unpleasant as summertime "dumpster soup", sewage, or whatever. But man, skunk smell is just so intense and overwhelming.


> “Skunks don't have the WORST smell, just the MOST smell"

I did my coding bootcamp in downtown Chicago, near the Merch Mart, and (at least back in 2013) there was a chocolate factory not too far away. I remember walking to class and being almost overpowered by the smell. For a while it turned me off of chocolate entirely, and I normally have a pretty strong sweet tooth.

I remember feeling so sorry for the people who had to work there, day after day.


> I remember feeling so sorry for the people who had to work there, day after day.

As a kid one of the tours we did was a chocolate factory. When the person leading the tour told us workers were allowed to take as much chocolate as they wanted, we were super jealous.

At the end of the tour, there was a buffet of chocolate snacks nobody wanted to touch (though we were allowed to and did bring bags of products home), the person told us that after a day of working at the factory, most workers have no taste for chocolate snacks whatsoever, and those which do will generally fuck up, binge, get indigestion, and at best be a lot more reasonable (at worst stop eating chocolate if it was bad enough). Without the allure of the forbidden fruit (sneaking snacks out), chocolate is definitely overpowering enough that it's a turn-off.


>> chocolate factory

Soup factories are notorious for smells. A single pot of cooking food generally smells good, but layer up a dozen different soup flavors and in total it smells like rot.


I live 3 blocks from a chocolate factory, and don't find it disturbing. Rather nice. The first time I felt it at a marketplace nearby, and thought someone was making some hot chocolate stuff, and even wanted to take a look what it was, but couldn't find. Sometimes it gives a mild chocolate smell around, nothing more.


When my dog got sprayed by a skunk, it smelled overwhelmingly like a combination of burning rubber and rotten motor oil. Neither of these brands of smells is the worst I’ve ever encountered from a pure quality standpoint, but yes, it felt like it completely coated your nasal and throat passages. You choke on it.


Oh, dogs and smells, this makes me remember my poodle who, as every dog, would routinely look for stinky stuff to lay in. Once he found a dead cat -- it was rather nasty to wash him in the bath after that. Another time he was running around and found a rotten fish thrown away near a trash tank -- this was the smelliest washing ever. Had to wash him twice with soap, then with shampoo. Another time, in winter, there was a parking area covered with hard snow, compacted by car tires. And he laid and started rolling on a seemingly featureless spot. It turned out, some diesel fuel had been spilled there.


Yes your last sentence all the way



I think there has to be a component of “jadedness” in this attitude, for lack of a better term. It feels as though there are so many problems in the world (income inequality, climate change, covid, homelessness, political polarization, and now the very real possibility of a nuclear war). The world doesn’t feel like a place we can save anymore, which I think can be a driver of the “bring it on” attitude you mention, not unlike the Monty Python scene with the defeated knight…


You're absolutely right. It is not enough to use anonymity tools, you also have to make sure everything else around you doesn't compromise your anonymity. Made me think of a Harvard bomb threat incident where the student posting a fake bomb threat (through Tor) to avoid final exams was the only person using Tor on campus at the time, which trivially identified him.

https://theprivacyblog.com/blog/anonymity/why-tor-failed-to-...


From what I remember about that case, he was one of 8 people who were on the network at the time, but the authorities told him he was the only one, leading to his quick confession. Meaning that if he had stuck to his guns and denied it there wouldn't have been a good way to prove he was the one who did it.


It was indeed his immediate and voluntary confession that did him in. If he had not snitched on himself he would have just been a person of interest. He was one of several people who happened to be using Tor on the campus at the time, but that doesn’t mean anything, the person making the threat could have been someone in LA or Moscow or Beijing just looking to cause mischief and having no connection to the school at all. If he had kept his cool he probably would have gotten away with it.


No, it just means they couldn't have stopped digging at that point. Having dramatically reduced the search scope to a small number of people, they would have just needed to find one other small piece of evidence to narrow down the group of suspects further.


What type of evidence could they have found?


Depends how much of his shit they tossed, and for how long.

People he spoke to, witnesses they could....encourage....


I remember being shocked at the time that he had the foresight to use Tor but not to use literally any wifi network other than the campus wifi. That being said, there are a whole list of things he'd have to do to keep anonymous and it only takes one slip to identify someone.


Many anonymity tools have the k-anonymity property. It’s really unfortunate for k to be 1.


This is the big problem of crypto coin mixers. 99% of their users are trying to launder illegal bitcoin.


Tor is amateur hour. The Feds can easily deanonymize things where a server is up 24/7 servicing requests.

The author of this article is also very wrong: Anonymity is not on a spectrum. It’s all or nothing. Like a Mario game where any mistaken encounter makes you start over (and that’s if you don’t get in trouble for what you did).

First step is to understand that any system could be bugged. Every IRL confidant could sell you out. Every keyboard could have a keylogger, etc. Every store could have a security camera. Phones are giving out their MAC numbers to every cell tower and wifi radio. They now have chips you can’t turn off, and so forth.

You should also assume there is no such thing as an “anonymous” account and that every service COULD sell out whatever information you gave it. (Yes, even Telegram or ProtonMail, however unlikely that may be.)

The below is a playbook for how to become truly anonymous. Continue to live your everyday life but the below is only for your “anonymous” identities, which you can gradually bootstrap as a hobby:

The first thing you do, therefore, is bootstrap your identity by taking advantage of unlinkability that is available to you. Buy a bunch of Android phones on Craigslist for cash, for example. (Or pay a homeless guy to buy a phone in a store for you.) Do not use SIM cards at all, only WiFi. Never take photos, etc. Keep your phone off or in a faraday cage until you use it. For extra points, always use it through a VPN on WiFi at home, which you purchased using the accounts below:

Then make an anonymous Google account on the Android phone. Make some ProtonMail account using such an anonymous Google account. Now you can bootstrap from email addresses.

Buy some Google Play gift cards and download some apps to get a second number. Now you can bootstrap from a phone number. Sign up to Telegram, Signal and other accounts using this. Now you have end to end encrypted messaging.

Frankly, though, realtime messaging is a bit of a luxury to continue to stay in normie world. To stay truly anonymous, you should continue to:

1. Schedule posts and mail send/receive at random times. Do not ever use realtime audio or video because it might be recorded. You might make an exception for early days of your projects when people would have no reason to go out of their way to record you — just to give them confidence you’re a real person. But afterwards, stop doing that. Let the people build your movement for you.

2. Never mention your anonymous identity or projects from your real one, and vice versa. This means your anonymous identity MUST NEVER have confidants or colleagues IRL. Build up a network of colleagues who are “fronts” for what you do. Eventually you can step back and let the movement do things for you.

3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).

4. You will only ever be able to spend the crypto on paying people for services and DeFi protocols. You can never cash out to fiat, because the IRL purchases catch up with you when they follow the money. There is a surprising amount of online services you can spend $97 million dollars on, while staying anonymous ;-) If you really do need to spend money IRL (because you went broke somehow in your everyday life) then you can cashout using cross-chain bridges and Monero to pay for goods. But still, never get ostentatious wealth IRL!

5. The weakest link then becomes your writing or coding style. Never publish any code or writing, let others do it for you. Make your communication to others from your anonymous identity sufficiently different than anything saved later would not identify you (this is the weakest link, but you can consider “playing a character” when speaking to others).

6. Any private keys that you used to sign your messages can be periodically published in some conspicuous place, effectively giving you plausible deniability about all your previous and future posts. It’s hard to prove a negative (that no one else has access to your private keys before your public disclosure.)

Alright, Hacker News. I have given away the non-amateur anonymity playbook using https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Go ahead and try to deanonymize this in the comments below. Assume you are a state actor with all tools at your disposal.


>Anonymity is not on a spectrum

Is it not, for the non-criminal user? My HN, Reddit and Twitter accounts are "anonymous" (pseudonymous would be more accurate), and it matters to me to the extent I share thoughts I would not on Facebook or if Googling my name led straight to it - not that I'm ashamed of them, I try to be decent (tho I slip at times and am more brash than I would IRL), it's just that they hold some personal opinions and matters, kind of like that lady in OP's post (except I wouldn't reuse pseudonyms, especially not openly cross-linked to identified accounts). Obviously, a governmental agency that had any reason to look for me would link them in the blink of an eye, but it is "anonymous" enough for my needs: people who matter to me or people like prospective employers do not know of them and hardly could. Even if they leaked to some dark corners of the Internet like my SSN (screw you, Equifax), that hardly doxes me as far as regular humans are concerned. If someone emailed me with my online usernames, it would creep the fuck out of me, but ultimately be inconsequential, at worst it would threaten to shame me for my opinions.

So how's that not on a spectrum of anonymity? OP's post obviously does not say your anonymity when it comes to three letter US agencies is on a spectrum, that is black and white and s-he recognizes it, but rather the link-ability of your online presence(s) to your real life identity. With that Tinder lady at the "IDGAF"-end of it, your paranoid (or criminal) Jane Doe on the other end and me somewhere in between (but much closer to the former).


Changing the definition of anonymous to include pseudonymous is not a compelling argument that anonymity is the same as pseudonymity.


So, you know who I am or how to reach me? Send me an e-mail (or, better yet, dox Satoshi) and I'll take your point. I don't see how pseudonymity can't be a flavor of anonymity, even cyber-criminals who have every reason to remain truly anonymous online - as in hidden from FBI and gang - can pick some form of pseudonym so people can address them, Dread Pirate Roberts would be an obvious example (tho he failed to be anonymous to govs).

Per Wikipedia:

>Anonymity describes situations where the acting person's identity is unknown. [...] The important idea here is that a person be non-identifiable, unreachable, or untrackable.


Just some suggestions for the connection part.

Using a phone is probably the first mistake. If you are going to use your home network you are better off using a machine you control and an operating system that is open source.

I suggest these steps:

Step 1: Connect to a popular vpn.
Step 2: Connect to tor
Step 3: Get free vps or pay with crypto you trade for gift cards purchased or some other method
Step 4: Connect to vps with desktop running. Use virtual desktop.
Step 5: Use vpn. This time use vpn with best rep to be accepted as regular traffic.
Step 6: Signup for services

Step 1 solves the k issue. Many people using that vpn will connect to tor

Step 4: Seems slow but at the virtual desktop level out things are fast from that machine to new hosts. Use scripts could help.


IIRC phones will broadcast previously connected access point MAC addresses. I doubt gp truly understands what it takes to be anonymous (imo it’s probably impossible).


So what if they find that you used a phone?

They still had to somehow link your online identity to your phone. And how would they do that? The phone is simply a computer that you use, through VPNs, to send and receive mail and post messages to groups etc. They’d have to approach ProtonMail, then your VPNs in order, and then get security footage from the place where you were accessing the VPN at that time. And then cross-reference your gait etc. to a database. Maybe in 10 years they would have such coordination, and we will need better tactics.

What’s far more interesting is what to do if VPNs are banned in a country. You can’t be using one there. You’d have to have set up anonymous hosting and port forward stuff yourself.

Again, it’s possible that all anonymous hosting, VPN etc. is shut down and requires KYC by say 2050. That is why you must bootstrap from what are valid but essentially “compromised” accounts now while you still can, and hope they are grandfathered into the new totalitarian surveillance system. Buying phones on craigslist is one example.

Another example is those eyes Anderton installs in Minority Report, but security in that movie is like a bad joke, IRL he’d be outed instantly by his gait, heart patterns via wifi and so on. In fact they didn’t even change the access keys after he ran LMAO


>>Buying phones on craigslist is one example.

It seems that this would work for a while, but if we're trying to bootstrap well into the future, a shiny new phone of the hour Samsung S22 showing up new on the network only 15 years out in 2037 would stick out like a beacon, and that's assuming it would even connect to the then-current comms protocols.

This is nontrivial


You're going to call out someone for being uninformed,

but you can't find the "Don't automatically connect to this network" flag that stops a device from doing what you described?

Don't tell people what is and isn't possible unless you're sure.

Your opinion is purely speculation, and only true for people of your skillset.


Not nearly on the level as what is being suggested but my company has had several anonymous surveys and I started thinking about writing style when taking them. If you're prone to certain phrases, words, use of contractions or lack thereof, especially when the pool of people is small and you're providing critical (but needed) criticisms, you could potentially be identified by your immediate supervisor. Introducing typos and avoiding phrases you commonly say, adjusting your "tone" is a lot of effort when you can just disengage entirely and/or behave like everything is public (which it may as well be at this point).


Most "anonymous" surveys I've been asked to take through work require listing more than enough information for unique identity. One assured I would be anonymous, then asked me to fill in the name of my manager, my team, and job title.


Fortunately mine have not but at a certain point they're useless because no matter how low the scores go nobody in their right mind wants to provide long-form feedback to identify actionable fixes because product teams are usually small even if there are a lot of developers in the pool your pain points will be unique to what you're working on.


Yes, this is usually my experience as well. What makes sense for you to bring up identifies who you are. Hardly anonymous. But sometimes I've also been asked to explicitly identify myself as mentioned yet it's still supposedly anonymous.


We can give anonymous feedback about others where I work. We can submit it at any time about anything, positive or negative. I have never touched it despite knowing that HR doesn't get my name. It's not hard to figure out who's submitted a piece of feedback from their writing style and the specific situation you're writing about. Like if I were to give feedback related to working on a project with one other person, any sort of specifics about the project would make it very obvious that it was me writing the feedback.


I am open to ideas for how to mitigate this remaining vulnerability even further


One idea I've seen is running through translation services. I.e., convert to Spanish and then back to English. But unless we have good offline services, it defeats the point.


Maybe not very practical, but to combat targeted writing analysis on the internet you could try running such analysis software on your own writing to find out what makes it stand out. Work to make the writing as "bland" as possible, perhaps with aid of software translators or filters.


Maybe you could run all your communications through a translator twice (e.g. English -> French, French -> English), and fix any typos?

It would hopefully keep the sentiment while changing the words.


You thought this through too well. Probably should be traced back, put in a list and investigated just for this comment.


And what would they find?

The hardest investigation to defend against is the rubber hose investigation. Gotta give them what they want, without them even suspecting you could be that mysterious founder. The only way people suspect you’re someone is if your k is small, eg how many people could be Satoshi?

If you’re efficient, you can retire the mysterious founder identity and simply have multiple “early adopter” addresses that generated rewards early, among actual adopters. Make an exit from your projects as early as you can after they gain momentum with the wider crowd.

There is no way to stop people from starting open source projects, accruing the early rewards and then selling those rewards to others in a decentralized exchange or async OTC deal. If every country worldwide ever closes down all such anonymous mechanisms (maybe by 2050) and makes you register in order to sell your rewards, you simply sell your private keys to the wallet in an async OTC deal. The buyer will have to trust that you won’t move the money after they register the address and before they move it.


Don't worry, we're all on the list already.


Kind of makes the concept of lists pointless, doesn't it?


~150 people commented on this post is a manageable number. Narrow it down by sophistication in the topic.


Maybe I already did this and maybe I didn’t. Maybe it’s all armchair theorizing. Then again…

https://m.youtube.com/watch?v=wUJccK4lV74

https://m.youtube.com/watch?v=SYZqC7EGMfM

To not share how you secure anonymity is to rely on security by obscurity. Now I think it’s better to lay out the playbook using Kerckhoffs’s principle so k will become far larger than 150. Remember… to improve anonymity, at some point you have to publish your private keys. And where better than Hacker News?

The playbook is yours. Improve it!

Step 1: try to break it. Post how you’d defeat the anonymization scheme. The threat model is that you’re all state level actors combined. I’d love to see what you come up with.


> I’d love to see what you come up with.

Nice try, Feds! :P


It does indeed. Dragnet surveillance is dumb and expensive.


Awesome writeup thanks. That said, anonymity might literally be binary as you point out so eloquently, but the point of the article is that most people only need to think about it as a spectrum and be somewhere on it to be safe. Most people aren't running OmegaBay and need 14 burners handy and always be on the move. Boy would that be tough on one's social life. That said, a little bit of care and attention to the everyday shit we leave out there is a good idea. Bad actors will likely go to the lowest hanging fruit.


> 3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).

My first question about this plan is "what are you getting paid for and how do you advertise your services"? You need to never meet the people paying you in person, and ideally you are selling some purely digital good. So, something like underground illegal programming or hacking or such? Is there anything else that would work?


I thought it was obvious, but I guess not.

No, you don’t do work for money. You start an open source project and get many people to run your software. You meanwhile generate as many early rewards as you can (you can even do it under multiple accounts) and when the ecosystem is up and running, you’ll be the mysterious founder, generating millions (or billions) in passive income.

Sounds familiar? It should…

Simply never move money using your first few accounts, and whoever early people you pay, have them stake your currency for a long time, and borrow against it on decentralized lending marketplaces, to avoid spooking people that the mysterious founder has moved their money.


So lemme spell it out: This is what you're claiming Satoshi did / is doing.


Well that's not interesting at all, then. How repeatable do you think that is?

That's one of the problems with trying to stay anonymous, right? The playbook constantly goes out of date.


Some blockchain projects offer grants for (completely legal) programming work, and some of them won't require real world identification.


I would also add:

Living in no-extradition countries, using GrapheneOS on an Android phone, using Jabber/OTR chat for communication.


To comment on point 5. The three spelling errors I caught tell me you are using a phone with autocorrect turned off.


How do you pay for Google Play gift cards (which you mentioned before Step 1) without creating a link to yourself?


Buy on Craigslist. Go to a store. Or, as mentioned previously, pay a homeless guy to go into the store and buy it.

It’s a modular system. The key is Kerckhoffs’s principle — I can describe it to you all day long, but as long as I don’t reveal each identity from the other, you all won’t know what projects I am doing, even if they earned $97 million already.


If the threat was posted via Tor, how did they know it was posted by someone on their campus network?

The timing could have been coincidental. Even if he was the only person online on campus at the time, it proves nothing.


Yes, but the confession that ensued after they told him he was the only one using Tor proved everything. :)


I got into computer science by making video games for the first couple generations of the iPhone; now I’m a PhD student writing papers. Things were fun and simple back then and my games were quite successful. There was something so magical about it. However, the magic was that people were actually playing my games and I could focus on making the game rather than dealing with all the crud that one has to do to ship an app now. While I still get the urge to make a mobile game sometimes, there is little real life “reward” in it beyond making something beautiful and maybe showing it off to a couple friends. Gaining visibility on the AppStore is next to impossible without turning it into a full time job (which was never my end goal). I think if there was even a small but non negligible chance that say 50k people would download and play my game (as I had with some of my old games) I would get the motivation to turn some of my ideas into reality. However, the way things are now, I would be lucky to get 1000 downloads and that would require me developing for all the different interfaces, versions, etc. making it really difficult to focus on “just the game.”


Unfortunately, this is standard practice across schools (and most big employers). This is definitely not a problem unique to Brown, or even elite schools.

There was a scandal back in 2010 where a high school in Philadelphia was accused of spying on kids through school-issued laptop webcams [1], which is arguably more egregious.

[1] https://www.computerworld.com/article/2521075/pennsylvania-s...

