Online privacy and anonymity are dead. Get over it!


Last updated: 1/9/2017

The problem 

After Edward Snowden's revelations about the NSA's indiscriminate snooping activities on any U.S.-based individual, a paranoid dread has started spreading around.

Most people started feeling threatened and deprived of their rights, afraid of something they helped create by handing over their lives to social media and big data collectors (government agencies included).

For this reason, an increasing number of blogs and websites have come up with tutorials about online anonymity and privacy, most of which discuss a subject their authors have no clue about and start from wrong premises.

Though this is a highly technical problem, I'll try to keep my explanation simple, as if I were speaking to a fifth grader.


Proposed (delusional) solutions

Some of my most tech-savvy readers have surely heard of Tor (The Onion Router) Browser.

It's a particular version of Firefox, promising to anonymize your connection by using a network of proxy servers.

Tor is what most people consider to be the hackers' browser of choice because it allows you to cover your tracks.

When you enter the Tor network, your original IP is masked and replaced by that of the last exit node.

Even better security can be achieved by combining a VPN and Tor.

Tor is the gateway to the so-called Deep Web, a microcosm of websites not indexed by Google.

These websites have a .onion extension and can't be opened with a normal browser.

Besides the Deep Web, Tor allows you to access the so-called Dark Web, a bunch of illegal websites where you can find pretty much anything (child porn, illegal drugs, weapons, explosives, hit-men, stolen iPhones, etc.).

Tor problems and flaws

Government actors and intelligence agencies can easily set up fake nodes within the Tor network.

Anyone with a certain level of technical skill can.

If law enforcement can (and they surely can) get hold of a sufficient number of nodes, they can perform a man-in-the-middle attack and analyze all communications taking place within that part of the network (1/9/2017 Update: Check this out: The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users).

Tor is also vulnerable to timing attacks. In other words, by sending certain queries to a system and analyzing how long it takes for them to be run, an attacker can understand what command was entered.

That allows the attacker to reverse-engineer what was going on on the victim's system.

Even if this scenario doesn't come true, the mere use of Tor could be considered a threat indicator (5/15/2016 Update: I'm not a prophet, but this prediction has sadly come true. Check out this Supreme Court ruling).

If authorities monitor someone's Internet traffic and the suspect suddenly starts using the Tor browser, this very fact could be enough to raise a red flag.

Moreover, even though Tor can be safer, it's awfully slow, precisely because your connection is redirected through a bunch of proxy servers.

The more proxies and bounces you use (VPNs, anonymizers on top of Tor and so on), the slower Tor gets.

Your browser can become as slow as it would be over an old dial-up modem, making your surfing totally pointless.

Besides, if you surf the Web this way, you should forget about social media, JavaScript, Flash, YouTube and all this stuff.

In other words, the Average Joe would have to give up the very comforts that make him use the Internet.


Other threats

But there's much more than electronic surveillance, or data collection:
  • Behavioral pattern analysis can reveal individual patterns through e-biometrics. Big data can be broken down to reveal specific patterns by city, by specific location (e.g. libraries), by block, down to a specific individual. For example, the way we use keyboard and mouse varies from one individual to another.
Even a keyboard layout can reveal useful information. In my case, using an Italian layout, I'd be easily recognized. 

For a quick example that can give you a little food for thought, check out Panopticlick and TypeWatch.

A handy add-on you can use to protect your privacy in this respect is User Agent Switcher.

  • Backdoors in operating systems: Edward Snowden revealed the NSA and other intelligence agencies have installed backdoors in all main operating systems, including Linux. Why's that?    
After the initial shock, people have started paying more attention to their online privacy by using encryption, something intelligence agencies don't like at all.          
Apple has recently implemented a new encryption algorithm that makes it impossible for law enforcement to break into Apple devices (5/15/2016 Update: The FBI could break it thanks to a third-party hacker, but I don't think this means they found a skeleton key. Very likely Apple will respond to that by hardening encryption).
         
The way law enforcement faced this new challenge was to insert backdoors in any major operating system, Linux included.
           
I know it sounds like a conspiracy theory, so I'm not asking you to take my word on this. You can check it out for yourself: Bruce Schneier's NSA surveillance: A guide to staying secure.
                   
Though the article could seem to contradict what I'm stating here, notice that its author talks about online security, not anonymity. In fact, while higher online security can surely be achieved, total online anonymity is but a delusion.

Citing my Quoran friend CJ Hardy, I'm calling myself out of these tinfoil hat delusional considerations.       
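The browser fingerprinting point made above with Panopticlick can be made concrete. The following is an added example, not code from the original post or from Panopticlick; the visitor records and attribute names are constructed. It computes how many identifying bits each browser attribute contributes and checks whether switching only the User-Agent changes the size of the visitor's anonymity set in this sample.

```javascript
// Constructed sample: eight visitors as a fingerprinting site might record them.
// All values are invented for illustration.
const visitors = [
  { ua: "Firefox/50 Windows", lang: "en-US", tz: "UTC-5", screen: "1920x1080" },
  { ua: "Firefox/50 Windows", lang: "en-US", tz: "UTC-5", screen: "1366x768" },
  { ua: "Chrome/55 Windows",  lang: "en-US", tz: "UTC-5", screen: "1920x1080" },
  { ua: "Chrome/55 Windows",  lang: "en-US", tz: "UTC-8", screen: "1920x1080" },
  { ua: "Chrome/55 Windows",  lang: "en-US", tz: "UTC-8", screen: "1366x768" },
  { ua: "Chrome/55 Windows",  lang: "en-GB", tz: "UTC+0", screen: "1920x1080" },
  { ua: "Safari/10 macOS",    lang: "en-US", tz: "UTC-8", screen: "1440x900" },
  { ua: "Firefox/50 Linux",   lang: "it-IT", tz: "UTC+1", screen: "1920x1080" },
];

// Surprisal in bits of a value shared by `matches` out of `total` visitors.
const bits = (matches, total) => Math.log2(total / matches);

// Per-attribute surprisal for one visitor, plus the size of the anonymity set
// (visitors whose every attribute equals the target's).
function fingerprintReport(target, population) {
  const keys = Object.keys(target);
  const perAttribute = {};
  for (const key of keys) {
    const same = population.filter((v) => v[key] === target[key]).length;
    perAttribute[key] = bits(same, population.length);
  }
  const anonymitySet = population.filter((v) =>
    keys.every((k) => v[k] === target[k])
  ).length;
  const combinedBits = bits(anonymitySet, population.length);
  return { perAttribute, anonymitySet, combinedBits };
}

// Copy of the population in which one visitor reports a different User-Agent,
// which is the only attribute a User-Agent switcher changes.
function withSpoofedUserAgent(population, index, spoofedUa) {
  return population.map((v, i) => (i === index ? { ...v, ua: spoofedUa } : v));
}

const italian = 7; // index of the visitor with the Italian locale
const before = fingerprintReport(visitors[italian], visitors);
const spoofed = withSpoofedUserAgent(visitors, italian, "Chrome/55 Windows");
const after = fingerprintReport(spoofed[italian], spoofed);

console.log("before:", before);
console.log("after User-Agent switch:", after);
```

In this sample the User-Agent's contribution drops below one bit after the switch, but language and time zone still single the visitor out, so the anonymity set stays at one.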
                         
Wrap up
           
You can harden your information and make it harder for you to get tracked.

However, if you think you can achieve total online anonymity, you're totally delusional.

Each packet going through the Internet has a source IP and a destination IP address and, though you can make it harder for someone to track you (by using 300 proxies/VPNs, virtual machines, etc.), in the end there's always a way to track it.

Just consider this: for you to connect to the Internet, you need a subscription to an ISP, which will assign you a source IP address.

You can obfuscate your source IP, but not remove it.

If a criminal investigation gets started and authorities recover your true IP address, they can subpoena your ISP for subscriber information and it's only a matter of time before they knock on your door (of course, if they have jurisdiction, but this is where problems arise, as most attackers live overseas).


What you could do for a higher online security

The only way for you to have a minimum of security would be to surf the Internet from a location not related to you, or not linked to you in any way.

You'd need to use (after wearing gloves) a brand new computer and throw it in the trash after that, preferably browsing through a virtual machine, which you destroy immediately after using it, or in Live CD mode.

Linux distros like Tails and Whonix, which use only Tor browser in a virtual machine, can be interesting in this respect.

Tails also has a camouflage mode that allows you to disguise its GUI as that of another operating system of your choice.

This feature can be useful if you use a public connection, such as at Starbucks, or other public open WiFi.

Is this a real solution?

Sadly, the NSA and other intelligence agencies have attacked the firmware, as well. Snowden said they intercepted trucks containing computers to infect their firmware with rootkits.

There's no way out, get over it.
