SECRECY: How to be anonymous online?

Discussion in 'Networking, Telephony & Internet' started by NitroGuy, May 19, 2016.

  1. OP
    OP
    NitroGuy

    NitroGuy Member

    Joined:
    Jun 9, 2007
    Messages:
    1,202
    Location:
    Melbourne
    I'm trying to choose a VPN service to use, but I don't know how I can check for their quality and reliability?
     
  2. @kernelhack

    @kernelhack Member

    Joined:
    Feb 9, 2013
    Messages:
    60
    Location:
    Brisbane, QLD
    I have two suggestions for the OP:

    1. Tor Browser - Why? Because regardless of the misinformation that consistently gets thrown around about its security etc. it still remains the best form of net privacy available to date. I wrote about it here:
    http://tecseek.com/2016/03/21/the-truth-about-the-onion-router-tor/

    2. Opera Browser (developer edition) - Why? It comes with a free built-in VPN which makes it so darn easy to use for basically all your web browsing. I also wrote about it on the following links:
    http://tecseek.com/2016/05/01/opera-browser-now-vpn-contains-webrtc-vulnerability/
    http://tecseek.com/2016/06/02/opera-browser-fixes-webrtc-vulnerability/

    I am more than happy to talk about either of them more, but I hope this information helps the OP.
     
  3. GoneFishin22

    GoneFishin22 Member

    Joined:
    Jun 28, 2008
    Messages:
    0
    Out of those two potential options you reviewed (TOR and Opera) I think TOR is far superior as Opera only lists the four VPN services which could thus be targeted and or exploited?

    Whereas TOR relies on a complex network of volunteers which number in the thousands (4.5K +) and it will readily randomise the pathway each time you connect and or readily create a "New Identity".

    Using https://ipleak.net/ from one of your links and I do like what outputs TOR produces:

    Latitude & Longitude: 0.0000 , 0.0000

    and it plots me in the middle of the ocean "somewhere".......




    As expected I couldn't do a speedtest unless I expose the system's IP address via NoScript.

    Doing Tracerts to and it was noted there were 15 hops, running it again and the pathway changes each time at the 8th - 10th hop:
    IP: 109.163.234.7
     
    Last edited: Jun 2, 2016
  4. xlot

    xlot Member

    Joined:
    Dec 26, 2005
    Messages:
    441
    Location:
    Northern Beaches, NSW
    Check out the Firefox plugin "self destructing cookies", another goodie to add to your list.
     
  5. james150

    james150 Member

    Joined:
    May 14, 2011
    Messages:
    62
    Location:
    Melbourne
    Very rarely are people identified once using VPN/Tor by tracing VPNs.

    Normally they make a mistake like use an alias, email, tracking cookie still active or sign into an account such as social media which can tie their identity together.

    My advice would be to buy a 100% different computer strictly for 'naughty' work which is stripped down to essentially just a locked down Firefox environment.
     
  6. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    11,498
    Location:
    Melbourne
    my advice is not to do dumb shit on the internet.
     
  7. GoneFishin22

    GoneFishin22 Member

    Joined:
    Jun 28, 2008
    Messages:
    0
    Nice thanks for the tip - just added that.
     
  8. Rezin

    Rezin Member

    Joined:
    Oct 27, 2002
    Messages:
    9,490
    Where's the fun in that.
     
  9. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    No. TOR still has its uses. But people need to remember privacy and security are achieved through the use of multiple tools, and there is no silver bullet, and nothing is impenetrable. Anyone saying otherwise is selling something.

    This advice extends to the OP as well. TOR isn't enough. A VPN isn't enough. A combination of these tools, and others, is preferred.

    Most of all, education and common sense play a big part. All the anonymity/privacy tools in the world won't help you if you're still going to post everything to Facebook or use a GMail account. Also, understand that a VPN doesn't magically grant you anonymity. You're simply gambling on the fact that the remote government/ISP/whatever are "more trustworthy" than your local one. There's a good write-up here:

    http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/

    Just some of the tools worth looking at if you're interested:

    * Already covered, but various VPN providers. There are sites like these that attempt to rate these on a number of factors

    * TOR - https://www.torproject.org/

    * A read-only operating system like Tails with TOR and other tools built in.

    * PGP, or the open source equivalent, GnuPG (aka GPG). This is good quality encryption for your email contents. Lots of ways to use this with your email client. Thunderbird + Enigmail, Outlook + GPG4Win or Outlook Privacy Plugin, Webmail + WebPG or Mailvelope, Apple Mail + GPGTools GPGSuite, and many more.

    * Good quality webmail providers like ProtonMail, who include PGP tools built in.

    * More trustworthy mobile phones like Silent Circle's BlackPhone. (Although as much as I don't trust Apple, their recent public resistance to law enforcement demanding back doors has shown great promise).

    * Full disk encryption tools (built in to the OS - BitLocker for Windows, FileVault for Mac, LUKS for Linux, and built in tools for Android and iOS) or external tools like VeraCrypt (fork of TrueCrypt).

    * Privacy-focused messaging apps like Wickr, Ricochet, WhatsApp, Telegram, Open Whisper Systems Signal, and many more. Pay particular attention to new projects like Matrix that are serverless/decentralised.

    Please remember that every single one of these tools and systems needs to be looked at with your own personal scrutiny. By using any of them you're putting your trust in someone else. Real security is in education - read up on security news, keep an eye out for anything that suggests a provider is doing the wrong thing, and have a way to switch tools quickly if you need to.

    Privacy, security and anonymity is a moving target, and as such requires ongoing effort on behalf of the individual.
     
    Last edited: Jun 5, 2016
  10. OP
    OP
    NitroGuy

    NitroGuy Member

    Joined:
    Jun 9, 2007
    Messages:
    1,202
    Location:
    Melbourne
    Wow, I really appreciate all the detailed replies!

    My son uses an iPad Mini so he needs to stream all of the video he watches from my PC to his iPad Mini wirelessly. I just wanted to know how I could make it so that his apps aren't able to contact the internet?
     
  11. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    Repeating this. I recommended "Telegram" above. Today, I read this:

    https://cpj.org/blog/2016/05/why-telegrams-security-flaws-may-put-irans-journal.php

    Stay informed!

    Your choice to either block him at the device, or at the gateway. There are a number of parental control apps for iPad that you can use, or you can stop his device from getting to the Internet at your router, depending on the make/model/features it offers.
     
  12. OP
    OP
    NitroGuy

    NitroGuy Member

    Joined:
    Jun 9, 2007
    Messages:
    1,202
    Location:
    Melbourne
    Would I be correct in saying that the best way to maintain my anonymity and PC/tablet/smartphone security is by keeping myself educated?

    There just seems to be so much for me to learn in this area.

    Thanks!

    EDIT:
    I just read that I.T security is all about "layers" but I'm not sure what it means. Does "layers" mean this:

    Layer 1 = using strong passwords
    Layer 2 = being careful not to install apps that contact the author via the internet
    Layer 3 = using a reliable VPN service
     
    Last edited: Jun 16, 2016
  13. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    Yes.

    Yes. If it was trivial, we wouldn't have security problems. (In the same breath, if you want to earn good money, go work in technical security, because it's hard and not many people can do it well).

    Human nature is to trivialise things we don't understand. Our psyches are a fine balance between having chronic anxiety over everything we can't control, and not caring about dangerous things. Sadly most people err on the side of not caring, which is a problem.

    A kind OCAUer linked to this the other day:
    https://en.wikipedia.org/wiki/Four_stages_of_competence

    You're transitioning from Phase 1: Unconscious incompetence to Phase 2: Conscious incompetence. You're finding out exactly how much you don't know, and it can be scary. But don't give up. Putting your head in the sand doesn't solve anything. You're asking the right questions, so keep persisting and learning.

    That's a good example, but it's not everything. The list of layers is virtually endless, and part of it is choosing a practical limit to things.

    A computer that is powered off, encased in concrete and thrown into a river is pretty secure from the Internet. It's also quite unusable. Usability is often inversely proportional to security, and as such balance is needed.

    Having said that, there is simply no such thing as a silver bullet in security. Layers of protection and fallback plans are absolutely critical. Relying on any one tool will leave you at risk. But similarly spending all your time locking things down won't let you get on with your life and work.

    Difficult, isn't it? :)
     
    Last edited: Jun 16, 2016
  14. HSV_Enigma

    HSV_Enigma Member

    Joined:
    Jul 21, 2003
    Messages:
    492
    Location:
    Adelaide
    Layer 4 - Encrypt downloaded youtube MP3s
    Layer 5 - Encrypt PDFs downloaded via bittorrent
    Layer 6 - Encrypt your son's friends.

    I think you need to stop worrying so much, unless you are doing something wrong or are a person of interest what do you have to worry about? What makes you so important that you think people want to know what you are doing?
     
  15. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    65,275
    Location:
    brisbane
    Best advice here, super secret.

    Also use encrypted concrete.
     
  16. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    Very short-sighted outlook. Your privacy online is not about hiding from lawmakers.

    Identities are stolen and sold in the thousands by organised crime. Email accounts and social media are used as the first points of attack to getting into people's personal details and stealing credit card information. You as an individual aren't very exciting, but large volumes of personal information in the wrong hands are. Avoiding that is definitely desirable.

    Not to mention that sometimes we just want our privacy!

    When people ask why privacy matters, I ask them why they wear clothes, or bother to put up curtains in the house, or only have sex in the privacy of their own homes. It's the same concept online - just because I want to keep some things private, doesn't mean I'm doing something wrong.

    People who say "if you've done nothing wrong, you've got nothing to hide" are missing the point.

    And if you still think that's wrong, let's play a game - you give me the username and password to all of your personal accounts - all of your emails, social media, voicemail, and everything. I'll guarantee you not to abuse any of that data (in any way you like, sign any legal document you like, agree to any terms you like). But I'll just read it all. Every single private message you've ever written or recorded electronically to anyone, ever. Would you be comfortable with that? If not, why not?

    Privacy matters, even when you've done nothing wrong.

    Encrypted data looks like random noise. What would encrypted concrete look like?

    Is that like when people put that shitty vinyl flooring down that's been painted to look like timber?
     
  17. callan

    callan Member

    Joined:
    Aug 16, 2001
    Messages:
    4,971
    Location:
    melbourne
    Simplest but most drastic way is just to set a static IP address in the wireless settings (within the same subnet, but outside of the DHCP scope of the DHCP server on your router), and delete the default route (that blocks the iPad entirely from the Internet).

    Callan
     
  18. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    268
    Location:
    ACT
    It looks nothing like random noise. It looks like encrypted data.
     
  19. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,136
    Location:
    Brisbane
    https://en.wikipedia.org/wiki/Ciphertext_indistinguishability

    If encrypted data looks like something, you're doing it wrong. Patterns and distinguishing features are clues to attack vectors, and are poor practice in cryptography.
     
  20. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    268
    Location:
    ACT
    Indistinguishability and randomness are not the same thing.
    If you need your cyphertext to look random then you need to XOR the data 1 to 1 with random data.
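
The point argued in the last few posts can be measured. This is an added example, not part of the thread: it XORs a constructed plaintext with a short repeating key and with a random pad as long as the data (the 1-to-1 XOR mentioned above), then compares byte entropy and visible repetition. The sample text, the key and all function names are constructed for illustration.

```python
import math
import os
from collections import Counter

# Constructed sample plaintext: lowercase letters and spaces only.
SENTENCE = b"privacy matters even when you have done nothing wrong "
PLAINTEXT = SENTENCE * 1200


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (max 8.0)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key; the key repeats if it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def repeats_every(data: bytes, period: int) -> bool:
    """True if data is one block of `period` bytes repeated end to end."""
    return data[period:] == data[:-period]


def compare() -> dict:
    short_key = b"\x13\x37\xc0\xde"      # constructed 4-byte repeating key
    pad = os.urandom(len(PLAINTEXT))     # random pad, one pad byte per data byte
    weak = xor_bytes(PLAINTEXT, short_key)
    otp = xor_bytes(PLAINTEXT, pad)
    # Plaintext repeats every 54 bytes and the key every 4, so any pattern
    # that survives the short key shows up at their least common multiple.
    a, b = len(SENTENCE), len(short_key)
    period = a * b // math.gcd(a, b)
    return {
        "plain_entropy": byte_entropy(PLAINTEXT),
        "weak_entropy": byte_entropy(weak),
        "otp_entropy": byte_entropy(otp),
        "weak_repeats": repeats_every(weak, period),
        "otp_repeats": repeats_every(otp, period),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:14} {value}")
```

Byte entropy is a single statistic: a low value shows that structure has leaked into the output, but a high value on its own does not show that a scheme is secure.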
     
