Anonymity and Privacy Question

[Privacynut]

Mods, please feel free to move this thread to any other suitable forum.

Hi guys, first of all this is not my first post here, I first registered here to clean my pc of spyware some 7 months back. I was helped by couple of people who seemed very knowledgeable . Unfortunately I have forgotten my user name so I could not login now. Anyways happy new year to all.

Recently i got interested in privacy and anonymity when surfing and generally when online. Now my questions are
Is it really possible to become anonymous (hide yourself) in the web.
What is the difference between privacy and anonymity.
What is a anoymous proxy, a secure proxy ,a public and a private proxy
Can any of you shed some light on anonymity programs like anonymizer, ghotsurf, tor etc
what are the other recommended programs, free if possible, to use for becoming completely anonymous. I realise that google would provide information but I would like to hear the actual user experiences and advice. Thank you.

[Paul Komski]

You can only be relatively anonymous on the net and really only if you send out packets of information but never receive any. That means you cannot surf anonymously because the pages have to be sent back to you. Sure, proxies can muddy the water but the proxies themselves will have an audit back to you and you can be sure that in the post 9/11 era only criminal or terrorist proxies will entertain guarding your anonymity.

You or your proxy can firewall themselves to keep others out and protect "the privacy of your pc" from the uninvited but this is not the same as guarding your anonymity any more than it would be guarded if you sent a request for information by snail mail - somebody would need to know where to send the requested information back to.

[Variable]

I have anonymizer tool bar. I pay the money and I never use it. It is as anonymous as you can be on the web and still use your computer at home. To be truly anonymous you need to surf from locations out side the home and vary your routine.

If you want to use the internet to its full extent you have to give up some anonymity. It is after all, the information superhighway. Information flows both ways like any stretch of road. You cannot have one without the other in real time. It is not possible.

If you do something illegal from home you can be traced, tracked and monitored. Assume that your traffic could be watched and act accordingly.

The greatest strength of the internet, privacy wise, is the sheer volume of packets sent across the web. One friend of mine said, he makes a small footprint on the web and hopes the spiders never notice he's there. This is good advice. In a mass of people, you can become almost invisible by not doing anything out of the ordinary. I think the two most profitable and often used uses of the internet may be porn and gambling. Millions of people are doing things, most would never admit in public, on the web every second of every day. It doesn't seem to be slowing down either.... I should think, in this sea of chaos, it is relatively easy for a normal person to wear tiny shoes and walk willy-nilly all over the silk and never draw a single glance from the eight-eyed watchers.

Variable

[shanmuga]

Quote:

Is it really possible to become anonymous (hide yourself) in the web

There's no absolute anonymity. You can do many things with right tools to make it very difficult to monitor you, but you cannot get absolutely invisible - it's just as impossible in the internet as it is in 'real life'.

Quote:

What is the difference between privacy and anonymity

Privacy is keeping what you do in private...secret
Anonymity is keeping your identity secret when interacting with others

Quote:

What is a anoymous proxy, a secure proxy ,a public and a private proxy

Anonymous proxy - Hides your IP
Secure Proxy - Encrypts the data to prevent others including your ISP from seeing where you are surfing
Public Proxy - Free proxy, mostly not anonymous.
Private Proxy - In this context, proxy services provided for paid subscribers.

Quote:

Can any of you shed some light on anonymity programs like anonymizer, ghotsurf, tor etc what are the other recommended programs, free if possible, to use for becoming completely anonymous.

I am not familiar with Tor, I believe the latest versions are for Linux OS. The latest version of Ghostsurf comes with many features. If you want to try a free software, JAP is the one recommended.

[rahulkothari]

This is turning out to be a very informative thread.

Quote:

Originally Posted by Paul Komski

You can only be relatively anonymous on the net and really only if you send out packets of information but never receive any.

Does that mean, if you only upload data (say) on a TCP/IP network, you cannot be traced back? I am a little confused here, as the IP datagram has a 'Source Address' field which is ofcourse necessary to know who sent or requested the data. So even, if the client only uploads data, the server can determine it's IP address, right?

[Privacynut]

A very informative thread indeed, thanks guys, especially to shanmuga for his specific reply. It was really useful.
Shanmuga, how does anonymizer compare with ghostsurf. is it also true that the anonymizing programs are backdoored by Fbi or by other government agencies. I am also going through the link you provided JAP, looks very promising.

[Paul Komski]

Quote:

Does that mean, if you only upload data...

There's a distinct difference between uploading (which isn't what I was referring to) and transmitting different types of networking protocols/packets. If I remember correctly UDP is broadcast only and there is no acknowledgement required from the receiver. It should, unlike TCP, thus be possible to spoof the IP component of such transmissions (that the UDP would sit on) so that the true source address is obscured.

This may just be theoretical and not practical but I guess a networking guru would know a definitive answer.

[Variable]

UDP isn't a broadcast, it is a best effort protocol and uses IP for routing. It sends its packet with the destination address and has no error checking. It is connectionless. However, the networking is based on TCP/IP. IP is concerned with addressing and routes, TCP establishes sessions and makes sure of reliable delivery of packets. They both (TCP and UDP) use IP to get where they're going, the TCP and UDP packets are wrapped inside an IP packet.. Unless you specifically craft the packet to have a bogus sender, it has the ip of the sender and the destination in every packet. Routers can identify spoofing if configured to do so. It's called IP Spoofing.

There is no free lunch here fellas. You may encrypt the DATA part of the packet but it is simple to see where the data is coming and going from. Commercial cypher programs are all crackable by Big Brother, bet on it. If you want true privacy you can encrypt data with one time pads. But realistically were talking about emails here. If however, where you are going or coming from, is under suspicion for some reason, you must understand that sending encrypted data back and forth from this point will bring you under suspicion. How encrypted is your hard drive?

Did you know email usernames and passwords for SMTP authentication are almost always sent in the clear? Anyone who is sniffing your packets can see them. Your ISP can see all traffic coming and going to you if they want to. I work for one, if your doing anything illegal and the cops come in with a warrant your data is going to be scrutinized and if it looks suspicious enough they will get a warrant for your home and your computers will be taken.

Worried about people knowing where your going on the web? It's wide open unless you use an encrypted proxy server. If you want good protection you have to pay for it. Free services can't afford good lawyers when it comes to crunch time with the law.

[Privacynut]

Ok, what programs like proxomitron, webwasher do, are they also used for anonymous surfing ? If yes, how?

[shanmuga]

Anonymizer and Ghostsurf offer similar features. Anonymizer asks for a high annual fee whereas Ghostsurf comes at a moderate one-time fee. You can read a review/comparison here and choose.

http://www.pcmag.com/article2/0,1759,1706782,00.asp
http://www.anonymizer.com/learn/3steps/sec_3.shtml
http://www.tenebril.com/products/ghostsurf/

Quote:

is it also true that the anonymizing programs are backdoored by Fbi or by other government agencies.

What are you afraid of ? Any number of anonymous chained proxies would not make you invisible if the law enforcement agencies set upon to expose you. These anonymity programs are only useful to protect your identity and privacy during normal browsing...not for masking any criminal or socially unacceptable activity....you can anonymously surf porn sites or sites that are banned by oppressive govts if you belong to one, make anonymous NG postings or have anonymous IRC chats etc., probably nobody will notice you or bother you.

Traditionally the enforcement agencies had the powers to requisition the available information from any service provider...several ISPs eliminate the logs within 48 hours after logging. FBI's 'Carnivore' packet sniffer is another that comes to mind, if asked to do so, any ISP must implement that on particular customers. If Anonymizer or Ghostsurf were to be asked they would also have to obey the laws of the land. But to get a carnivore request you probably need to be in seriously nasty business.

Webwasher, Privoxy, Proxomitron and their ilk are more related to privacy than to anonymity. They can be chained to anonymity programs to add another layer.

[Privacynut]

It's not my intention to indulge in any criminal activity. Rest assured. I just got interested in this couple of days back and trying to get first hand information on the recommended setup.

Shanmuga, I have visited all the links provided by you. Thanks, that was informative. Just one more question before I finally decide on my setup, How does Ghostsurf compare with JAP? oifcourse otherthan the price.

[Paul Komski]

Thanks Variable. Broadcast was used in the sense of "UDP does not establish connections before sending data. It just packages it and… off it goes" so transmitted, or simply sent, would have been better 'networking terminology'.

So the routers would reject spoofed ips; guess that makes sense really or it would be too easy to initiate an "attack" that way without using a drone.

I also suppose that either tapping physically into the internet backbone or the telephone line of another user would be other ways of illegally hiding one's own identity and a little bell rings that this approach has on occasion been used by some spammers.

Privacynut. As has been essentially pointed-out already you can cloak yourself to some degree from the internet by using webwasher, proxomitron, etc and even by daisy-chaining them but the proxies themselves will obviously know where the requests came from so although you are initially 'invisible' to the internet you are not anonymous and there is nowhere that you can really hide if law enforcement come looking for the origin of such surfing access. The very fact that you try to conceal yourself may also increase the likelihood of such traffic coming under suspicion.

[shanmuga]

JAP compares very well with Ghostsurf as a encrypted anonymizer. Please do remember that it is a research project and open source, it has its own quirks, also at times it can slow things down to a crawl. The interface is clunky when compared to Ghostsurf.

JAP when chained with Webwasher is the best compromise between security and usability...IMO.

[FastLearner]

Paul said: "Thanks Variable. Broadcast was used in the sense of "UDP does not establish connections before sending data. It just packages it and… off it goes" so transmitted, or simply sent, would have been better 'networking terminology'."

Paul K: Actually the exact terms (networking terminology) you're looking for are as follows:

TCP is "connection-oriented" and UDP is "connectionless." Just thought I'd throw that in there--proves I was paying attention in class...

This has really been a great thread to read through, by the way.

Shanmuga--welcome back and I wish you a very speedy recovery!

[rahulkothari]

Thanks for replying, all. So, there is no easy way to surf completely anonymously. And I think, that's a very good thing given the way things are going.

[Privacynut]

paul komaski, Sorry, but I think the guy said webwasher, privozy and proxomitron "can be chained to anonymity
programs to add another layer.", not daisy-chaining webwasher and proxomitron which is what your link is about.
[wuote]JAP when chained with Webwasher is the best compromise between security and usability...IMO.[/quote]
no offense, i may have misunderstood

I have downloaded jap and installed it without a problem,
now how do i configure it for anonymous surfing.
I have gone through the jap page and it is way over my head, mixes, cascades
Is there a simple explanation on what jap does to assure anonymity? The only thing that struck in my dull head is Jap = Java anonymous proxy

Leaving for work now, I will check back in the evening.

[Privacynut]

Ok, I have downloaded, installed and configured Jap, but i am still seeing my real ip at the test sites ? Its in the configuration i am sure, but where and how?

[Privacynut]

i am also not sure how this jap works. It seems different when compared to normal proxy servers.

[shanmuga]

Quote:

Is there a simple explanation on what jap does to assure anonymity? i am also not sure how this jap works. It seems different when compared to normal proxy servers.

It goes something like this,

Browser >> JAP client >> Internet (encrypted by jap) >> JAP Servers (mixed with other's requests) >> Internet (Destination)


"JAP uses a single static address which is shared by many JAP users. That way neither the visited website, nor an eavesdropper can determine which user visited which website.

Instead of connecting directly to a webserver, users take a detour, connecting with encryption through several intermediaries, so-called mixes.

Since many users use these intermediaries at the same time, the internet connection of any one single user is hidden among the connections of all the other users. No one, not anyone from outside, not any of the other users, not even the provider of the intermediary service can determine which connection belongs to which user."

More technical info can be had from their architecture page.

On configuration issues, details about your browser, firewall etc,. would help.

Many thanks FastLearner

[Privacynut]

Thanks shamuga for the explanation, I think its a bit clearer now.
Downloaded, installed and configured jap, but i am not still not getting the anonymity right, must be my mistake. Everywhere I check i get my real ip.

OS and other details: xp sp 2, ie, but mostly firefox, zonealarm pro, nod32 and other recommended anti-spyware apps. Hope this helps.

[shanmuga]

It could be due to active content or Java. Please go through the following steps and post back:

1. Download and install the Sun version of Java.
2.

Quote:

ie, but mostly firefox

In IE, disable Active content, Java, Javascript, In Fx disable Java and Javascript.
3. In Zonealarm allow access to internet and also give permission for javaw.exe to act as a server.
4. Where are you checking your IP?

[Privacynut]

i already have sun java installed. Is it really necessary to disable java and javascript, wont that affect the correct rendering of web pages, also isn't java necessary for the running of jap. ? You know better i guess.

I have also given access permission for javaw.exe, should i also do the same
for jap.exe.

[shanmuga]

When you disable Java in your browser, it will affect only the applets, Java that is...embedded in web pages, it's unlikely to affect installed applications like JAP. If you want to be anonymous with JAP, you should atleast disable Java. If you use IE, you should definitely disable active x....it can easily grab your local IP and send it to the server...you are not anonymous anymore.

Javascript is another matter, though it can't grab your IP directly, it can lower your anonymity level, because it can collect environmental information about your browser, OS and more importantly your local time. But it's often needed for displaying websites correctly. There are other work arounds once you get the basics right, if you can live with the possibility of a lower level of anonymity, leave it enabled.

Try again after disabling ActiveX and Java.

[Privacynut]

shamuga,. thanks for your time, i will do as you have suggested
and post back later.

[Privacynut]

Well....Java disabled, Javascript disabled, all cookies cleared in firefox, but I am still seeing my real ip at grc.com

GRC.com

everywhere else the anonymity is working as is should. Do they have someother way of finding the real ip?