So what's the best way to browse anonymously these days? Is it running a hypervised OS (some hardened GNU Linux/BSD Unix variant?) with a randomly changed LAN MAC upon every boot, connected to a VPN operating outside US with OpenVPN & 4k PK (e.g. in Romania), browsing using TorBrowser with NoScript and WebGL turned off? Or even two VPNs at the same time, one in the base OS, the other in the hypervised one?
Drive to a state you don't live in, boot Tails from CD-ROM, connect to a hacked VPN account through someone else's wifi, then run everything through Tor. Then make sure you're using default browser configuration and resolution so as not to be foiled à la Panopticlick. Even then I wouldn't be so sure you're anonymous.
And all of the above while avoiding security cameras that will capture your license plate, and using a $200 thinkpad you bought for cash. Oh, and you drove to another state, you DID leave your tracking device (LTE smartphone) at home, right?
And you paid for gas and everything else in cash only, right? It's trivially easy to track a person's movements if they use credit/debit for most payments.
Cash? Those bills have serial numbers on them! I'm not sure exactly how frequently they're checked or scanned by banks, but a scanner in the ATM you withdrew from + scanning the daily deposits by the gas station would paint a pretty clear map, even if a few of them get tendered back out as change, and a few more aren't tracked due to OCR failures.
Best stick to bills tendered as change only. Although who knows what red flags someone trying to hide their spending habits might be able to trip, alerting the feds that someone frequenting your favorite restaurant is trying to hide their trail...
Suppose you did all that. And maybe you even pulled it off, and left no tracks. Something else happens, and this is what many fail to realize - human nature kicks in and you get high on your own success. Therein lies your downfall. Name one relatively successful person who's done something wrong or criminal who hasn't been caught by the most insanely stupid mistake, even after not being caught for days, months, years even.
This is why privacy, while it is a legitimate need to shield things like personal info, bank accounts, bills, your own home or communication with coworkers, friends, family, etc, when it is used to shield illegal activities, almost always, if not always, it is to the detriment of the person.
Now, some will cry foul to what I said... "If you're careful enough, you will never get caught"... or the best one, "If you've a group of people to support you (i.e. mafia style :), organized efforts are harder to break"... or "if smart people who are wicked join you..." etc.
Go ahead, try it, I double dog dare you. Come post on HN how it went. Or maybe we'll read about you on Ars or HN, but not from your direct reporting.
The point is to avoid a Stasi-like spying future and to CYA. What if the official "PC" public opinion changes in 5 years dramatically and a witch hunt starts on anyone expressing a certain opinion that was considered normal in the past? Look at what happened to Brendan Eich. So officially you can generate "approved" traffic by visiting "safe", publicly endorsed and usual established sites and in private you can browse whatever you wish, e.g. discuss political issues without a fear of repercussions, invent a new science that would pose problems to established ones and group with similarly-minded people as much as you wish without blowing your cover. Frankly, what I am doing is none of your business if I try to adhere to the golden principle as much as I am capable of; I don't need my biometrics taken by Facebook, stylometry learned by Google, coding style footprint generated by GitHub, my online history stored by my ISP, my opinions revealed by Reddit etc.
And for your point - I am sure we hear only about the "stupid" ones that made a silly mistake; we would never hear about the clever ones that can restrict themselves when they don't have 100% control of the situation. They do exist. And most men can't even spot clear signals when their wife is cheating on them, not mentioning the ones that can blend in perfectly... Often the balance of power is achieved by secrets the ones in power know on each other via MAD, so when there is no deviating data, there is no secret to crucify you for.
I know lots of criminals that are still free even with shitty OPSEC. Many do their stuff openly. Some are clearly CI's given they get busted regularly but are always free and operating. FBI says for every one they convict there's almost 10 times as many they miss due to lack of evidence or resources.
So, between all that, I think you're dramatically overestimating how effective both police and surveillance dragnets are. ;)
I want to expand on your point about privacy by pointing out that arrests are often entirely up to police discretion. A suspended license could result in a warning, a ticket, or an arrest; ultimately, it comes down to whether an officer is in a good mood when he stops me or whether he likes my face. Allowing surveillance dragnets just makes it easier for law enforcement to have something to charge you with if they don't like you.
More in my area or classified as missing persons to make murder rate look lower. Common trick in a lot of places, esp small towns. Yeah, clearance rate is a great measurement showing how often crooks get away with stuff. I didn't think of that now obvious piece of data. :)
"it comes down to whether an officer is in a good mood when he stops me or whether he likes my face. Allowing surveillance dragnets just makes it easier for law enforcement to have something to charge you with if they don't like you."
This is true. We already see that in some U.S. states and European countries. There are all kinds of BS laws on the books. The cops or courts want money. So, some percentage of people are pulled over with an assortment of "violations" to use against them. Troublemakers might be hit with a more serious version of it. Especially can be used to squelch dissent or activism.
Aaron Swartz is a perfect example of the power prosecutors hold in a given situation. Because of who he was and his crime, they decided to go all out to set an example of him rather than keep charges lower or ignore it given students were supposed to have access. Discretion can make or break a person's life.
> Name one relatively successful person who's done something wrong or criminal who hasn't been caught by the most insanely stupid mistake, even after not being caught for days, months, years even.
This is an extremely fallacious argument. How are you supposed to know who they are before they've been caught?
MACs are a unique hardware ID and there are various ways they can leak over L3, such as software that uses your MAC to compute its own ID that can be reversed.
IPv6 auto-configuration can encode the ethernet hardware address into the IPv6 address. Then anything that advertises that IPv6 address is advertising your hardware address. Even if you don't use IPv6 -- or especially then since that's when auto-config most commonly happens.
"In the OSF-specified algorithm for generating new (V1) GUIDs, the user's network card MAC address is used as a base for the last group of GUID digits, which means, for example, that a document can be tracked back to the computer that created it. This privacy hole was used when locating the creator of the Melissa virus." from https://en.m.wikipedia.org/wiki/Globally_unique_identifier
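An added illustration of the two leaks described in the comments above (EUI-64 IPv6 auto-configuration and version-1 GUIDs); it is not part of any poster's comment. The Python below checks your own addresses and document IDs for an embedded MAC. The function names and all sample values are constructed for this example.

```python
import ipaddress
import uuid

def _fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def mac_from_eui64(addr: str):
    """Return the MAC embedded in a modified-EUI-64 interface ID, or None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    iid = ip.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":         # marker SLAAC inserts in the middle of the MAC
        return None                     # (a random IID matches by chance ~1 in 65536)
    # Undo the universal/local bit flip on the first octet, drop the ff:fe filler.
    return _fmt(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])

def mac_from_uuid1(text: str):
    """Return the node MAC of a version-1 UUID, or None."""
    u = uuid.UUID(text)
    if u.version != 1:                  # v4 and others carry no node field
        return None
    node = u.node.to_bytes(6, "big")
    if node[0] & 0x01:                  # multicast bit set: random node, not a NIC
        return None
    return _fmt(node)

def audit(values):
    """Map each IPv6 address or UUID string that exposes a MAC to that MAC."""
    findings = {}
    for v in values:
        try:
            mac = mac_from_eui64(v) if ":" in v else mac_from_uuid1(v)
        except ValueError:              # not a parseable address or UUID
            continue
        if mac:
            findings[v] = mac
    return findings

# Constructed sample data; the MAC 00:11:22:33:44:55 is made up.
SAMPLE = [
    "fe80::211:22ff:fe33:4455%eth0",         # EUI-64 link-local: leaks the MAC
    "2001:db8::1c2d:3e4f:5a6b:7c8d",         # randomized interface ID: clean
    "6ba7b810-9dad-11d1-80b4-001122334455",  # v1 UUID with hardware node: leaks
    "6ba7b810-9dad-11d1-80b4-011122334455",  # v1 UUID with random node: clean
    "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b",  # v4 UUID: clean
]

if __name__ == "__main__":
    for value, mac in audit(SAMPLE).items():
        print(f"{value} exposes {mac}")
```

A hit on an IPv6 address means the interface is using EUI-64 auto-configuration rather than randomized (privacy) interface identifiers; a hit on a UUID means the software that generated it used the version-1 algorithm with the real network card address.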
iOS randomizes MAC addresses when not connected to wireless networks. The stated goal is to lower the probability of being tracked by third parties in, e.g., convenience stores. http://www.imore.com/closer-look-ios-8s-mac-randomization
Apple device uDIDs are generated by concatenating the serial number, the MAC address, and some other things, then running the result through a hash function. (I don't have a source at the moment, sorry).
I have heard of HTML5/WebRTC API browser fingerprinting that can expose a user's RFC1918 private IP address (10.x.x.x whatever...) on their client device, but not MAC address.
If you're running a hypervised OS and don't want to run another OpenVPN program within it, make sure that the settings of the program (e.g. VirtualBox) don't treat the hypervised VM as a separate machine. Some people might not realize that the VM can actually establish a connection directly to the router, thus escaping the OpenVPN tunnel.
You can browse with Tor but most sites (including this one and Twitter) won't let you sign up/post with Tor. Very dubious practice by the site operators IMO.
How do you differentiate between legitimate new users with no record, and a returning shitposter's 10000th spam account with no record?
How do you differentiate between legitimate new users with a bunch of existing users vouching for them, and a returning shitposter's 10000th spam account with a bunch of existing stealth-mode accounts vouching for them?
I think you're using an extremely weak definition of "solve".
That's actually what I've noticed too, I believe even Facebook at one point didn't let me log in because it kept asking me to verify who I was (granted I was using a VPN at a local Starbucks).
It's interesting that Twitter made a name for itself as a platform that could "cause a revolution" (Arab Spring), but there is no way they can claim that now that they block Tor. Who's going to start a revolution when you're not anonymous?
I don't know what the justification for Hacker News not allowing Tor is since there's no economic incentive to track users.
Hopefully more people will be made aware of this and start asking the question: Why do you need to know who I am?