HOW TO POST ANYWHERE WITHOUT BEING TRACED BY COPS

Note to readers: protecting yourself from the pigs and the FBI is a field that always is changing. I try to keep this as up to date as I can, but remember: this is cyber-warfare. Always layer your defenses, never trust just one defense. When it really counts, verify that no new information has invalidated any component of your chosen defense before you use it! This is long, but that’s because you really could write a whole book about this subject.

Last Updated 7-22-2020
Update 2020: Posting to anywhere requiring an email account is becoming a serious nuisance due to so many email providers now requiring SMS verification to create an account. Best to post to places that do not require any kind of account formation, but there are still a few free email providers out there that offer SMS-verification free account formation. Tutanota (tutanota.com) for instance allows SMS verification, “donation” or just wait three days for the account to become active. Forget Gmail or even Hushmail these days due to the SMS issue, unless of course you are using a burnphone. Do NOT use any email account that was created from or ever accessed from an IP address associated with you for obvious reasons!

Site Warning:

This site is hosted on WordPress, which should be presumed cooperative with law enforcement. All precautions apply. It’s up to you to block ad agency tracking, IP logging, and law enforcement thugs. We have no resources to set up a semi-secure server. We do not sell ads on this (or any) site, but cannot stop WordPress from doing so without paying them, which would introduce new security risks as well as unfunded expense.

Special warning for cases where life and death are at stake:

If you have reason to believe identification of the source of a post could expose the poster to execution, torture, or decades in prison the four most important rules are:

1: Get rid of every last piece of equipment that had anything to do with writing or posting the article. Destroy it utterly and dispose of the pieces where they will never be connected to you. Some governments make criticizing the dictator a capitol offense, in those countries treat equipment disposal like getting rid of a murder weapon.

2: Do not post such an article from your home or any place you are known to frequent, no matter what your electronic defenses. Defenses such as Tor really do work most of the time, but this is an arms race and is ever-changing

3: Remember how Ted Kaczinski was caught: his brother recognized his writing and snitched him out. Be sure your writing cannot be recognized by any possible reader, and never boast. Snitches get a lot more people arrested than electronic investigations ever will.

4: Do NOT trust me or any other unverified source with your life! Study this but do your own research. Check and recheck EVERYTHING if you are up against a dictator’s executioners. One mistake can get you killed.

Use cases: levels of security

A “normal” case would be using Torbrowser on Linux for things like organizing walkouts from school against standardized testing or posting nasty reviews to Yelp without worrying about being sued, creating any accounts and all accounts needed to create them on the spot(or three days in advance for Tutanota) and not logging into anything else. This must be done in a coffeeshop or library if it’s cops and not just civil lawsuits that you are worried about. At home, accessing Google only through Tor can keep you from building an unwanted Google search history accessable to who knows who.

A “high” security case would be something like posting an anonymous call for a Black Bloc at the Counterinaugural against Trump, or while working for the government calling for a strike and walkout against his administration.

For this you need to usethe Tails live Tor-based Linux distro from a public wifi access point, making sure at boot time the option to spoof the MAC address is checked (the default). If serious jail time is possible, a disguise should be worn in case electronic defenses fail. This used to be a good example of a high security use case, a communique on Anarchist News taking credit for smashing up a Well Fargo bank (GEO Group/private prison investor) in solidarity with hunger striking prisoners, but no longer seems to be available on Anarchist News. Still, this remains a good example of a “high security” use case. Tails not only protects you from spyware (a rather uncommon threat on Linux) but also protects you from many common mistakes, such as connecting to the network before changing your MAC address. It’s not idiot-proof, but it’s the closest thing to idiot-proof posting security you will find. For “high” security always use a fresh download and always set “noscript” to block script globally (not the default). Tails won’t protect you from stupid mistakes like logging into your email and having that tied to your post by MAC address, however!

An “ultra-high” security case is the “national security”/state level situation. The most extreme possible case is something that could change the outcome of a war, such as the Snowden revelations, the Pentagon Papers or Chelsea Manning’s Wikileaks work In these cases you are up against the NSA, and need serious computer skills to get away with it. Insider revelations of Russian hacking into the 2016 election to put Trump over the top also rise to this level, as you then are up against the Russian FSB and whatever scratch team of hackers and thugs Chump can gather.

Things like posting government secrets to Wikileaks requires good research on your part first, again-this stuff changes all the time. Right now my recommendation where 10+ years in prison are on the line is a laptop that can boot TAILS(not Apple) bought randomly with cash (and not activating windows), the Tails live distro, a wifi acces point not requiring use of the non-Tor TAILS “unsafe browser” to set up the connection, using this from a place of concealment from all security cameras, then destroying and trashing all the hardware used. It costs less than one billable hour of a top lawyer’s time.

Snowden-level security also requires buying all that stuff not only with cash but without getting your face usably photographed at the cash register. Sunglasses and a good disguise are needed at the very least, a person was once convicted of murder after a UPC sticker left on the murder weapon (a crowbar) led to Home Depot cash register footage. Assume you are toast if the computer can be identified remotely, so never use smartphones, Apple, or Microsoft Windows unless you bought the computer on the street and covered any webcam before first boot. This is probably why overseas militias and insurgencies that can trust their operatives use couriers to move burn phones from buyers to field operators.

*****************

HISTORY OF THIS KIND OF ATTACK ON ACTIVISTS, AND HOW THIS KIND OF INVESTIGATION MIGHT WORK

It is trivially easy to find the poster of any internet story on a site that logs IP addresses, posted from a home internet connection without use of Tor or any other defense. Many arrests have come from such communications in ordinary life, but few activists are that stupid.

There has been to my knowledge one case where an ALF/ELF case was “solved” by identifying the poster of a communuque. The person involved used a library computer, but the library required student ID cards to enter. The post was traced to the library’s IP address easily enough, then all student ID’s that had entered the library around that time were read out, yielding someone they must have already suspected.

Had that poster used Tor or another proxy, the cops would not have found the library. Had the poster used wifi from outside the library or gone to a library not requiring ID documents, the cops would have found only the library and maybe the MAC address of the wireless card. If that was spoofed or the card was a throwaway, the electronic trail stops there. If the library copied all packets and sorted them by MAC address, a highly skilled computer forensics specialist might have been able to identify the poster anyway if s/he had logged into something. Security camera footage would have been checked, but would have been useless if the poster was a person unknown the those doing the checking or was in disguise. There was a known case of a right-wing militiaman being caught based on security camera footage after always posting communiques from the same Kinkos without Tor or other proxies. Had he used a different wifi access point each time, or been in disguise he would probably still not have been caught.

********************

COUNTERFORENSICS TACTICS AND METHODS FOR SECURE INTERNET POSTING:

First things first: securing the computer

It goes without saying that Microsoft Windows cannot be trusted now or ever with any information or activity that could potentially lead to criminal charges. If you use a Windows computer, never use it for this other than with “Tails” or another live linux disk unless you are only blowing the whistle on a “gropy” high school principal or something like that.

Unfortunately, ALL of the major browsers have also become privacy problems, even Firefox. By default they phone home with performance statistics and intergrate everything from ad-supported search engines like Google or Bing to online chat. Tor Browser is based on Firefox but gets an ever-increasing amount of work to secure it and remove the crapware.

Once you have Linux installed or are running from a linux live USB stick, you can now run Torbrowser without worrying about Windows exploits or spyware written for Windows.
Also if you use a live USB stick you don’t have to worry about spyware or policeware getting installed at home and following you to the library, coffeeshop, etc.

A big part of the advantage of using the Tor-based TAILS security/privacy live linux distro is you can leave most of the hacking to the pros. Once you have something booting it, your computer is far less likely to be trying to snitch on you and incredibly difficult to track, especially if it is not on your own internet connection. Even if someone planted supercookies or spyware, they are not on the TAILS drive and are not available or running. More on TAILS further down in this article:

General summary of available defenses against Internet tracking and forensics

1: Not using any Internet connection traceable to you by name or address. Remember that most websites log your IP address and that if you are connected to the Internet by IPv6 they may also get your router’s MAC address. If you are connected directly to the Internet with no router it will be your computer’s MAC (network card hardware) address that gets sent with an IPv6 connection.

2: Protecting the connection you are using with Tor to stop or delay any investigation there. The site you post to gets the IP address of a Tor exit node with no clues to your IP address. The connection you posted from cannot be found, so neither your MAC address nor security footage camera is available UNLESS someone finds a way around Tor. The NSA is on record as as saying they hate Tor and have trouble getting around it.

3: Not using a MAC address (network card hardware address) that can tie your computer to the posting. This protects you from someone getting past Tor. This is taken care of automatically in TAILS, othewise the link below will tell you how to change it:

https://wiki.archlinux.org/index.php/MAC_address_spoofing

Also, not using an IPv6 connection, though I’ve yet to have a wifi router give me one that I know of. PLEASE comment if you are getting IPv6 from wifi hotspots in your area! Tor does not support IPv6, so if you are using Torbrowser you are not sending your MAC address, the router’s MAC address, etc to any website. Install Macchanger on Ubuntu-based Linux distros and use it prior to connecting to your chosen wifi hotspot.

4: Protecting yourself from security cameras at the site you connect to the Internet from. Tor might keep them from ever finding what cameras to check, but if you sit where no camera can see you, you don’t have to bet your freedom on that.
Beware of facial recognition cameras, wear your sunglasses!

5: Protecting your computer from CIPAV or other law enforcement spyware. Never use Microsoft Windows! When it really counts, use a USB/CD live Linux system with Tor such as Tails. The big advantages of Tails is are twofold: with all the software ready to go you are less likely to make a dangerous mistake, and since it is a read-only operating system it is impossible to install persistant spyware that can identify you later.

6:Using https to prevent the wifi hotspot you are using or their ISP from keeping your unencrypted content and serving it up to the cops. Torbrowser does this by default-and thankfully the Snowden stuff has caused most of the Internet to abandon unencrypted http, a real improvement since this was first written. Keep in mind that https is NOT trusted against the NSA and maybe not the FBI directly, but should be more than enough to deny readable copies of your work to your ISP or to a cop-friendly wifi hotspot, and thus makes investigation via 3ed party copies of your content much more difficult.

6: Using the “NoScript” extension for Firefox and in Torbrowser. Both the security of Tor and your security against CIPAV type spyware are greatly helped by using the “Noscript” extension for Firefox (see below) to turn off Javascript by default and enable only when absolutely needed. Note that NoScript has become much easier to use since the Firefox 57 revisions of a while ago.

7:Ensuring your typing cadence are not used to identify you. Assume that if you ever have logged into any website on a browser that permits ads and trackers, your typing cadence is known and stored. Typing into a text editor, then cut and pasting the results will defeat this kind of tracking.

8: Ensuring your writng style is not used to identify you. If you have done a lot of writing, consider having someone else in your crew write the text altogether. Keep in mind, the Unabomber was caught when his brother recognized his writing in a print newspaper insert of his long communique, so this is not unique to electronic communication at all.

9: Neither using your normal phone for any part of this, nor carrying it while doing do. If you are not using a burnphone (unregistered phone bought with cash and activated with no name or personal information) to post or to arrange transportation/pickup, do not carry any phone at all. If you are posting from a laptop via public wifi, any phone is just another potential risk.

OK, on to some details:

1: TOR, TORBROWSER, AND TAILS:

Tor is an “Onion Routing” encrypted proxy system that routes traffic through (usually 3) multiple stops, in addition to the source and destination. Only the connection from the “exit node” to the remote website is unencrypted (since they are not running Tor), and only that connection’s IP address is visible to the remote website or anyone watching it. Tor does not support IPv6, so your MAC address does not go beyond the router. In the future this may change, but surely Tor will then force use of IPv6 privacy in some way to prevent the MAC address from being sent. Even if any one Tor node is malicious (and some certainly are), no one Tor node can see both the source and the destination at the same time. Only the exit node and final destination can read the contents of your traffic, and even the exit node can’t read or copy it when https is used. The NSA is reputed to save all Tor traffic, but it is all encrypted and apparently they can’t crack it, based on all those “we hate Tor” statements and the use by both FBI and NSA of plain old Windows viruses to go around Tor, implying even they cannot simply crack it.

Warnings needed due to limitations of Tor:

Do not rely on Tor to protect you from malicious Javascript on a website or any of its third party trackers. Turn javascript OFF unless you know for sure the site in question won’t try to use it to get your real IP address sent to a server somewhere. More on the “Noscript” plugin included with Torbrowser and how to use it below.

Do not rely on Tor to protect your home Internet service while communicating with a server that is being watched (like this one). Tor is not designed to protect communications when both ends are watched at once, and another bug like Heartbleed is always possible. This is the first layer of your defense, not the only layer.

Do not rely on Tor to keep you from building a Google search history if Google is also your internet service provider, as anyone controlling both ends at once can see around Tor entirely.

How to use Tor on an existing Linux install

https://www.torproject.org/

Tor is now easy to get working. Go to https://www.torproject.org/projects/torbrowser.html.en and download the Tor browser bundle that matches your operating system (which should never be Windows or Apple!) Follow the instructions to extract the folder inside to your desktop or somewhere else and click on the “start-tor-browser” script to run it. Torbrowser will take a while to start, but a Firefox browser window will open and automaticaly test itself to see if you are using Tor. Wait for that test to finish and if it says you are using Tor you are almost ready to proceed. You need to click on the circle-S “noscript” logo and set it to “block javascript globally” to prevent attacks using Javascript. Enable Javascript on a per-site basis, only if necessary, only if you trust the site not to attack your computer and then snitch.

Torbrowser will prevent websites from logging your true IP address unless the same company that owns the website also controls the internet connection on your end. It will also reliably block any ISP from logging anything you do for the cops, the FBI, or the NSA by themselves. Local investigations without top-level NSA support will go nowhere.

Pay attention to the Tor Project’s warnings about how to use Tor safely and block attacks

https://www.torproject.org/download/download.html.en#Warning

How to run Tor using the Tails USB operating system for maximum security

If you are using Windows, do not trust Torbrowser running inside Windows, although many do exactly that. If you are doing something really heavy, you might not want to expose your normal operating system no matter what it is. This is why the a Linux-based operating system called “Tails” exists. TAILS boots a Linux operating system from a flash drive or a CD, and runs Torbrowser very safely and saving nothing to any disk. You can run it without replacing Windows 7 or earlier. The “unsafe browser” which does not use Tor is used only to connect to “captive portal” wifi connections and for no other purpose.

First of all, from someplace other than where you intend to send anything important, download TAILS from:

https://tails.boum.org/
at this installer page:
https://tails.boum.org/install/index.en.html

The Tails website now has an “installation assistant” to make installing tails onto a USB stick or DVD much easier than before. Follow the instructions exactly, you will end up with a DVD or USB stick that can boot directly to a Linux desktop with Torbrowser ready to use and nothing ever saved to disk.

Reboot with that tails drive for each separate secure communication. A note concerning flash drives: never use one you found on the ground, as it was probably dropped there loaded with attack software on purpose.

Be sure to learn how to boot your new Tails CD or USB stick before you hit the road on a mission, as different computers invoke boot menus or boot from USB or CD different ways. At least Tails can now boot on UEFI laptops, though you may need to disable “secure boot” in the UEFI menu. Do this in advance, especially if you have to boot Windows to get into the UEFI menu at all. In any case, test all your hardware well away from any home Internet wifi connections and get yourself familiar with using it before you take it on the road. The stress of a mission can make you nervous and make troubleshooting difficult or impossible.

On pre-Windows 8 machines, F10 or F12 will usually bring up a boot menu, or you can go into setup and tell it to boot from CD or USB stick first. Procedures may vary on later UEFI machines but most still have boot menu options, again from F10 or F12. There are a number of oddball UEFI machines out there that cannot boot Linux at all without firmware updates due to bugs and only testing on Windows. If you download that firmware update to an IP address known to be connected to you it may have malicious modifications and cannot be trusted. Best bet is another laptop of a different brand. Lenovo for years was a known brand to avoid (though recently they have started selling machines with Linux pre-installed), somein the past with malicious UEFI code, some Wiondows 8-era machines even had code requiring the boot image be called “Windows 8” or “RHEL” and most recently some Windows 10 laptops that won’t boot any Linux (tails included) without a firmware update applied through Windows. The first two cases are no longer sold new but beware of them if buying used.

Some very old computers won’t boot from USB but boot easily from CD’s or DVD’s. Once you have done this once, using Tails becomes easy: plug in the stick or CD, select it in boot menu, and let everything come up. If you can connect to the wifi without having to “log in” to the hotspot, you are good to go with maximum security. A wifi hotspot that does not use a “captive portal” login should be used if one can be found, it’s one less point of attack. If you can’t find one with good security against cameras, see below for how to use the “unsafe browser” to get past the captive portal login:

https://tails.boum.org/contribute/design/Unsafe_Browser/

There is a “chicken and egg” issue with TAILS on hotspots with “checkbox” or “captive portal” login pages: Since everything is done over Tor, you need a Tor connection to talk to any landing page used by the wifi access point. The only thing is you won’t be able to make that Tor connection in TAILS’s secure Torbrowser without having already been to that page, meaning Torbrowser can’t connect without first making a non-Tor connection to the landing page. The TAILS team therefore includes an “unsafe browser” in TAILS to make a direct connection and get a login page wifi working, which should be used for absolutely NOTHING else. With this method of connection you certainly know your MAC address is being logged, fortunately TAILS uses a fake (spoofed) MAC address by default. To use it, go to something like http://www.startpage.com, not using https because some landing pages error out in https. Click through the agreement, then shut down the unsafe browser and fire up Torbrowser. Do your work, shut down and leave.

When you shut down any changes are erased. Even if the FBI got spyware into Tails (which would be something new for them), it won’t help if you are on the road, don’t log into anything tied to who you are, and avoid security cameras. When you go home and log into email from the same machine, even if you use Tails again it is a new session with all changes gone, if you use your normal operating system any saved data or malicious changes never reached it. This method of connection is far, far safer than exposing a normally used operating system that could contain policeware/spyware or pick it up during the secure session. Tails will protect you from any pre-existing attack on your computer except one attacking the BIOS or UEFI. It protects you from having one posting session tied to another by software installed during your session as well. Any determined attack on the unsafe browser could possibly see your Tor session but not that hard drive you are not using. For this and other reasons you must still not log into any email or other website not actually used for the secure post and then discarded.

Tor can protect you from being snitched on by your Google Search History, even at home

Using Tor for every Google search at home is a great idea. This way Google doesn’t get your “Google search history” by IP address. This is one of the few uses of Tor that might be safe from Windows. Even if the NSA can somehow find a way see what you are doing, Google cannot and therefore cannot give it to the police or FBI in response to a search warrant or subpeona. There is an exception to this: if you have Google fiber or are on any wifi connection provided by Google, they control both ends of the connection and can watch both ends at once. That allows the “confirmation attack” that can go around Tor. Either don’t buy Internet access from Google or don’t use Google for anything else.

Unlike the FBI, Google can only watch their own server and whatever you send them, they cannot watch your router, modem, or ISP unless you get them from Google. You can keep them from watching your browser by blocking Google Adsense and Google Analytics.

Whereever possible, use search engines that claim not to log your searches like startpage.com or duckduckgo.com. Beware of IP address based data retention orders, some research really does require Tor. Some regard Google as a private version of the NSA where you search them in return for being searched.

Tor is also great for bypassing censorship and getting to sites your ISP blocks, at home and everywhere!

Some websites have had real trouble with someone blocking them in between user’s connections and their server connections. Virgin Mobile, T-Mobile, DC Public Library, and even certain Verizon FIOS customer have reported difficulty reaching them some sites. Liveleak is blocked by some online filters used by public wifi hotspots for “work safe” reasons. Once connected, Torbrowser reliably cuts through all the blocking like a machete through an invasive, tree-choking vine. In this case you can ignore most security concerns and use it freely from home-you are just trying to connect. The Torproject themselves list bypassing censorship as just as important a reason for Tor to exist as defeating monitoring of Internet use.

There are also wifi providers who try to block Tor. The DC libraries did for a while but gave up. Tor is hard enough to block that censorship-minded wireless internet providers like T-Mobile simply block access to http://www.torproject.org, attempting to use “chicken-and-egg” to keep their users from getting Tor at all. The counter is to download Torbrowser, Tails, etc over a wifi connection that does not block, fire it up and you have just beaten their attempt to block Tor. Probably you are now free to surf all of the Internet without interference from Web Guard, though as I boycott T-Mobile’s internet service I cannot test and verify that directly.

Possible attacks against Tor, this is why you wore those sunglasses and that funny hat (you wore your mask so you would not catch COVID 19 and make anything the FBI did irrelevent)

The NSA is on record as hating Tor, a very strong endorsement of its security. None the less, Tor is not perfect and those who can’t see you through Tor can seek to find ways to go around Tor instead. The obvious way is to attack your computer and have it tell them directly what you are doing, as dicussed below in the CIPAV section. This is rare, so far only reported to work against Windows, and the FBI is known to avoid using it against “hackers” for fear of more of their code being captured. Short of that, there are other, much less effective ways.

Theoretically, the NSA or even the FBI could work around Tor if they already know both internet connections to watch and only want to prove something they already know. If you are at home, they are watching “www.stopsnitching.org” and watching your ISP at the same time, they need only execute a “timing attack” by watching exactly how many bits enter and emerge from the Tor network at exactly the same time. This is known as a “confirmation attack,” it produced no new information, only proves what they already suspected.

Of course, if you go to a coffeeshop to use Tor, any attacker now has to guess which coffeeshop to watch at the exact same time they are watching the target server on the other end. If you use that coffeeshop once only, this is even harder. Based on the fact that the FBI bothers to write CIPAV’s and even the NSA is relying on bugging endpoint computers, this might still be a theoretical mode of attack not being effectively used. On the other hand, the authors of Inspire probably never used the same connection twice, I’m surprised they ever used the same computer twice either. Of course, you have much bigger problems if your opponent already knows what coffeeshop to watch.

To defeat Tor outright and get IP addresses of everyone connecting to the destination server would require watching all Tor exit and guard nodes at once, something even the NSA cannot do. This is because many Tor exit nodes are located in countries hostile to each other. As a result, Tor effectively protects communications where at least one of the IP addresses involved cannot be guessed in advance. The NSA, like the FBI, has a LOT of trouble with Tor, it took them 8 months to find al-Qaeda’s “Inspire” magazine’s nasty theocratic posters by passing spyware from a compromised location through Tor. Even the NSA can’t easily bypass Tor, they have to work and work and rely on exploits against computers on either end.

WARNING-Turn off JavaScript when security is a factor

The recently captured sample of the FBI’s CIPAV or Computer IP Address Verifier used 3ed party Javascript to run its malicious code against a Firefox 17 (Torbrowser) memory vulnerability. The malicious code’s payload only worked in Windows, but could have been written to attack any operating system. The vulnerability was in Firefox 17 as formerly used by Torbrowser and was cross-platform.

Torbrowser comes with the NoScript plugin, without Flash or Javascript enabled this kind of attack is far more difficult. Always set NoScript to disable Javascript by default and enable Javascript only when you need to, in ALL Internet use. Never, ever allow an unknown or untrusted 3ed party site to run Javascript, whether using Tor or not.

Most of the ways of unmasking Tor users on Linux require Javascript, Java, or (in days gone by) Flash, as do many “zero-days” used to install spyware on Windows machines. Warning: Torbrower has NoScript installed by default but you need click on the onion in the toolbar, open “security settings” and set the “security level” slider to something other than minimum. Whenever possible, use “maximum,” and enable only the JS needed to use the site to accept your post by clicking on the NoScript icon and using the dialog to enable the necessary scripts. Note that “medium” and “maximum” Torbrowser security settings break video playback on sites that do not support click-to-play video, notably Twitter. Setting security level to “mimimum” keeps your Torbrowser configuration common but permits all 3ed party Javascript to run (trackers and malware included). If you use “minimum” and click on the NoScript icon to “turn off scripts globally” and re-enable only the ones you need, this is an uncommon configuration and could be used to tie multiple accesses to the same site together. On the other hand, that may be the only way to deal with video on sites like Twitter. I have no idea how to post video to Twitter though as I do not have nor want an account. Also note that Torbrowser never saves any per-site JS settings, and defaults to allowing sites to use “iframe” and “other” which could potentially load dangerous Facebook or Google content though not their Javascript. Consider turning those off before surfing unless you know for sure you will be using only sites free of social media content. Also note that Torbrowser by default does NOT turn on “tracking protection” that blocks communication with 3ed party trackers such as adservers and social media buttons. The most dangerous of all 3ed party content is probably the Facebook “like” button. It’s job is to build the most complete possible surfing histories on as many people as possible. Facebook is even suspected of building “shadow profiles” of those without Facebook accounts.

Browser Fingerprinting warning for browsers other than Torbrowser

Techniqes for harvesting browser and hardware information have existed for about a decade. They are commonly known as “browser fingerpringing,” and to defeat them you need to disable Javascript for any secure communications to commercial sites using a computer you do not intend to destroy afterwards. Most browser fingerprinting techniques require Javascript to gather enough information to uniquely identify a user. Most of the time, this is 3ed party Javascript from dedicated tracking servers, but unless you directly examine the code you don’t really know what the toplevel site is doing either.

Google (including Youtube) is strongly suspected of browser fingerprinting, their terms of service openly allow it under the name “Device ID” which could also refer to smartphone serial numbers being harvested. Banking sites are confirmed to do this, and all other commercial websites should be presumed to log browser and device information that could tie you to a posting. Browser fingerprinting, unlike IP logging, does not generate suspects unless you have an account with the server you are communicating with, but can tie you to a post after the fact. Facebook is worst of all, and should be presumed to use all available tracking tools unless proven otherwise. Browser fingerprinting is often too inaccurate for the courts, with advertisers estimate it gives only about an 80% probability that two transactions really came from one computer. Still, that is the kind of fact that prosecutors like to conceal from juries and judges.

Torbrowser is hard to fingerprint

According to the Electronic Freedom Foundation, Torbrowser “standardizes” a lot of browser data, weakening browser fingerprinting to the point that tracking one user by browser “fingerprint” should be impossible. This might make a common piece of hardware like a popular netbook impossible to prove is yours, but don’t rely on this alone to keep you out of jail until more is known. Instead, use Torbrowser as one part of a layered defense.

CIPAV: FBI “phone home” software as used in an attack on one hidden Tor webserver: One version of CIPAV has now been captured, reverse-engineered, and countermeasured by Torbrowser’s publishers

There have been cases where the FBI was totally unable to get past Tor or other proxies by normal means. These cases all concerned repeated communications consistant with each other, believed to be from the same user. In one reported case, a social networking page was used, and the FBI posted a malicious link where the administrator was sure to see it. It contained a Windows virus called “CIPAV” or Computer Internet Protocal Address Verifier.” CIPAV is probably a generic name for any program used by the FBI to hack into a target computer.

Back in 2013, a sample CIPAV set to collect only the system name and MAC address was captured. It relied on a Firefox memory vulnerability to get into Firefox 17 as used in Torbrowser. Although the danger was cross-platform, the exploit code was Windows-only. This vulnerability has been patched, but surely new ones will arise. Keep Torbrowser up to date, never trust Windows with Trobrowser or anything else. Remember, this cannot possilbly be last version of CIPAV, but it is unknown if they have ever succesfully written a CIPAV payload targetting Linux. No Linux CIPAV had ever been mentioned in open court when this was reported shortly before 10-12-2013.

The Tails live disk makes both CIPAV and browser fingerprinting useless

For any posting where a person might face serious charges because of the post, the “Tails” live disk or USB drive operating system is the way to go. Be sure to use only the newest version because this stuff is always an arms race.

If the server you are posting to is “hot” and a CIPAV uploader is on it, your session could still be infected if they write a version of CIPAV against Linux and therefore Tails. This gets them only the information from that one session. If you are on a public hotspot and spoof your MAC address they can’t prove the computer is yours, and you do nothing else in the session they can’t identify you. Avoid security cameras and they have nothing. Turn off Javascript and the recently captured exploit would fail entirely.

Needless to say, if the FBI and NSA had had much success in using confirmation attacks against Tor by watching all coffeeshops and libraries, they would not have bothered to write CIPAV. That says something about the real world effectiveness of Tor, about the unwillingness of the NSA to appear in court and be cross-examined (required to use their data for warrants and prosecutions) or both. Consider newer CIPAV versions to be more dangerous than PRISM, as their take is far more usable in court.

*****************

2: FREE PUBLIC WIRELESS ACCESS POINTS

You must use Internet access that is not connected to your name or address, even when using Tor, if you or another person could be arrested for what you are posting. It may be watched, but the watchers won’t know in time to correlate a random coffeeshop with a one-time post to a previously chosen target website.

Free wifi access is offered at some coffee shops, libraries, and even some fast food restaurants. A post from these cannot be traced past the wireless access point. Assume the wifi access point copies your transmitted data, data coming back, and your mac address. With https, they get gibberish for the data. With a spoofed MAC address, as is the default on TAILS, that too is useless.

If you are posting anything “arrestable” do not open your email or log into anything, Those logs the wifi access point or anyone watching it might keep must contain nothing but the post, and you should clear the area immediately if it concerns anything that could be construed as a felony. Also, do avoid legacy websites that require the use of unencrypted http content, though thankfully these are going extinct fast.

Your MAC address (wireless card ID number) is presumed to be logged, but doesn’t generate suspects unless you are later arrested with that computer or possibly if something you are known to be connected to has logged it. Your MAC address can be changed, or a throwaway USB wireless card can be used. Always assume that the original wireless card on any machine on which Windows was ever activated was logged by Microsoft and available to the cops, never use that wireless card without “spoofing” the MAC address. Again, this is taken care of automatically in TAILS. A program called “macchanger” can be installed in Ubuntu, Mint, etc to make changing your MAC address easy. Learn to do it every time for practice. The safest approach of all is to remove the original wireless card entirely and use a USB wireless card bought at a random shop with cash, used once, and then thrown away.

I do not know if any public wifi routers connect by (dangerous) IPv6 connections, but Tor does not support IPv6 addresses, and the design specs for Tails call for prohibiting IPv6 entirely. I’ve yet to encounter a refusal of Tor to start caused by an unsupported IPv6 connection, but assume that IPv6 wifi hotspots will eventually proliferate. Check your IP address when you connect, make sure it is the shorter IPv4 address.

Seek visual cover from indoor and outdoor security cameras if possible-especially if NOT using Tor

Warning: do not drive a car or any registered vehicle anywhere you might want to deny having been. Don’t use transit paid for by credit/debit card or anything linked to one either. Walk or ride your bike if possible. Use cash only if riding the bus. In fact, don’t use credit cards, debit cards, or ID within several blocks of the access point (urban) or several miles (suburban/rural).

You must protect yourself from the spread of facial recognition cameras. While “dazzle facepaint” in a coffeeshop would attract unwanted attention, dark sunglasses will not.
COVID-19 update: Masks are now required in many places and are probably now at least permitted in ALL indoor locations. WEAR ONE! Sunglasses deny facial recognition software two of the three most important reference points used to calculate the geometry of a human face: the centers of both pupils. Your mask takes away the tip of your nose too. Sunglasses alone make facial recognition software far less effective and can entirely stop some simpler programs from working. Adding a hat you don’t normally wear will make you harder for a human investigator to recognize as well. Put these on well away from where you intend to post, but also well away from your home, work, school, etc. Masks probably will be OK for years after COVID is gone, so long as any colds or flus are circulation. Many in Asia never stopped wearing masks after the original SARS epidemic.

Drawing a 3ed eye anywhere on your face with a magic marker has been reported to utterly confuse facial recognition software and looks like “new age” body art, so it won’t draw suspicion. It does look odd, however, and has the disadvantage that you will be more easily remembered by any person who is later questioned. Should not be needed anymore thanks to widely accepted wearing of face masks.

If you can find a place outdoors that is visually concealed from cameras owned by the target wireless access point, yet within range of a good quality wireless card, use it!

Consider using a “Pringles Can antenna” to extend your range and access a coffeeshop’s WiFi from the bushes out back, so there is no security camera footage at all. With this setup and a changed/throwaway MAC address, you can do things that Torbrowser makes difficult like uploading videos. Even if cops do show up, there’s no evidence other than whatever the wifi server copied from your work and the (spoofed) MAC address. If you used Tor as well, they get nothing at all.

*****************

3: PREPAID WIRELESS STICK/HOTSPOT/BURNPHONE used with/tethered to a laptop, or PREPAID SMARTPHONE by itself, cash only:

The main danger here is being photographed buying it and later traced by the connections’s device ID. In large organizations, those who buy burn phones do nothing else, and couriers deliver them for this reason. Do not use a smartphone or laptop bought on the street-it’s former owner might be recording your face when you use it, it is probably stolen and this is a known function of anti-theft software.

The best thing about this is you can now access the Internet from deep in the woods, miles from security cameras, so long as a cellphone connection is available and you can get out faster than the cops can read the post, call the cell company, and travel to the site. Tor still works for this, and can hide the cell provider from anyone watching the destination website. That can buy you days or weeks to hike out, maybe forever. Tor may also keep anyone from ever finding the cash register where the 4g hotspot or its activation card were purchased. If it does not, your disguise skills or the loyalty of your buyer might be tested. Be aware that it is much safer and easier to run TAILS on a real laptop and connect via a wifi hotspot than to get Tor installed and working on some smartphones, and safer in all cases.

Plain old IP address logging now gives only a GPS location at most. Assuming the device even has GPS, and assuming you can’t turn it off or they turn it back on, you can still control the GPS absolutely by only putting the battery in in the place you want the trace to lead to. It does not stop browser or hardware fingerprinting, only the IP address is affected. If you post to Google or some newspaper site with Javascript turned on, you will still need to get rid of the computer as well as the 3G/4G stick or hotspot. Again, be sure to use Tor, and if connecting to a 4G hotspot and not a USB stick (the 4G to wifi device is much better supported by Linux so recommended) be sure to spoof your MAC address. IPv4 or IPv6, the cellular company should be presumed to log it.

Find a prepaid provider that does not require ID to buy the hardware or set up the account. Pay with cash, never use credit cards for this! Warning: some stores snap a face picture at the cash register as each item is scanned, Home Depot is known to do this. Wear a disguise if jail time is possible. Self-serve registers are known for this, using a human-operated register and looking away from it as all items are scanned is probably safest if your apearance is not one likely to be remembered by the cashier. If for any reason you are asked for ID refuse, cancel all transactions, and leave the store.

Become familiar with setting up their accounts, perhaps by setting up a “practice” account for someone wanting cellular Internet access. You must be able to activate your device without calling tech support. You will probably have to fill in a name at activation online, give a fake one and no real information of any kind. Presume the cell provider logs everything by GPS, make sure this information is useless! Don’t use T-mobile if you need to use a site that might be censored by “web guard” which you can’t turn off without ID.

Setting up a burnphone

First, buy an unlocked Android phone, and separately buy a SIM card and airtime for it. Be sure you are familiar with setting up phones for that carrier. Set up a “practice” phone for someone very trustworthy if necessary. Beware of locked phones: they are cheaper but if activation fails you might never be able to activate them without calling customer service, which makes the phone no longer safe as a burnphone. Also beware of carrier-provided phones in general if you need to tether a laptop to it: many carriers attempt to prohibit tethering, and block it on the phones they sell. Buy an all-the-way unlocked phone if you need to tether. Avoid Verizon phones, as some “unlocked” Verizon-compatable phones were set up by Verizon and still contain their software.

Next, go some place well away from anywhere connected with you, and in which there are no security cameras. Tape over all cameras on the phone, put in the battery, start it up without a SIM card, and do NOT connect it to a Google Account (skip it) assuming this is an Android phone. Next, disable Google Play Services and the Google Play store. Turn off location, allow “installation of apps from untrusted sources” if you will be installing Orbot, and set all privacy settings to block sharing of information. Now activate the phone, and the carrier should not have access to GPS data and does not have their spyware apps on the phone as they did not provide it.

https://f-droid.org/en/packages/info.guardianproject.browser/

If you can get the Android version of Torbrowser working(issues have been reported with Tor on Android in the past, but Torbrowser seems more reliable), this burn phone becomes even safer as the website you are posting to now gets a Tor exit node instead of your real IP address. If the phone cannot be identified it can’t be tracked back to point of sale for security camera footage. You should still avoid using this phone where security cameras can see you, just in case.

There are so many ways of tracking phones that you must never have used this phone before, must never have turned it on near your home, and must destroy it afterwards. That is the definition of a burn phone.

Warning: I know more about computers than phones so double-check all of this

You can cache the device (only if the battery can be removed!) in a really good hiding place (like a sealed PVC pipe buried on public land) if you are running a press office for an underground organization and all your posts are tied together anyway. Be sure to wipe your fingerprints off it. Otherwise, remember: Each post made with the device should be presumed tied to all other Internet content originating in the same device by a standard good enough for a courtroom. Post from the phone itself, not a computer tethered to it unless you are going to trash them both or cache them both.

For really important shit, remember: You bought a $80 device and $50 worth of minutes at most. It is cheaper to smash it with a hammer and throw it in the trash than it is to pay $500 for the first hour of a lawyer’s time. If you smash both the computer and the phone you tethered to, bought both with cash out of town, and did your work in the woods, even someone getting past every other security tactic posted here would still get nothing unless he can find the store you bought it from and your undisguised/no sunglasses face in the security footage.

*******************

4: PUBLIC ACCESS COMPUTERS:

There are still a few public access computers left that do not require logging in with identity information. Security cameras are a danger here, but the electronic trail generates no suspects unles you log into something. If the poster is a person not known to the police, uses the computer for nothing else, and does not return they may be impossible to find.

Bring any content in by a newly-purchased flash drive, destroy the flash drive afterwards as these machines all use MS Windows. If you can, turn off history and clear cookies afterwards. Make SURE you do nothing else on the chosen machine and all others on the same network within 6 months of so before or after. In particular don’t check email or any other postings-do your secure task, do only that task, clean up, wipe your fingerprints and leave! If the library in question has semi-private cubicles, use one and take advantage of the extra privacy to wear latex gloves. Assume hidden monitoring software logs copies of everything you do, so make damned sure you don’t do anything that can be tied to your identity.

Never use a public computer you have to log onto with a library card or any kind of ID documents, or in a lcation you have to present ID to enter, as said before someone was once convicted of an ALF/ELF action based on having swiped a university ID to enter a library from with a claim of responsability originated. This was logged and the information presented to the cops and the courts.

Instead, go where local cops won’t recognize your face on grainy, low-quality security camera footage, post your work, wipe your fingerprints, leave immediately. A Kinkos card bought with cash, used once, and then destroyed will leave no records other than any local copies of your work (on the machine) or security camera footage. Interestingly, all Kinko’s outlets in DC shut these machines down, going credit-card only, for one day on Sep 11, 2002.

Note concerning public computers for Youtube posting: Youtube/Google will refuse to make an account for you from the library’s network, as more than 5 accounts will surely have already been made from it. They will demand “sms verification,” meaning they demand a phone number and replying to a text message to activate the account. It is better to refuse this and not do business with Google, but if you must use Youtube, you will need to use a web site that offers one-use “phone numbers” that accept an SMS message and provide a Web interface to read the message. Google might try to stay ahead of this but the phone numbers constantly change. If this does not work, burn phones are always an option, though that makes using Youtube instead of some other video host very expensive.

Best way to post video when security counts is probably to post it to http://www.archive.org. You can post files there without using Flash, and using only their own Javascript (no 3ed party Javascript). Archive.org works just fine through Torbrowser, unlike Youtube, Liveleak, et all. Send links to the Archive files instead of to Youtube videos. Make the account using a Tutanota or Protonmail account. Making both accounts at the same time from the same secure session if possible (e.g SMS verified email account ona burnphone, or for Tutanota without a burnphone make the account three days earlier with the same hardware but a different location. Do not use Gmail, Yahoo, or MSN, they are all part of PRISM and are known to collaborate with the cops.