Internet anonymity for Windows power users

An advanced tutorial

Our previous article, "Do-it-yourself Internet anonymity" was targeted towards average Windows users. It generated a startling number of e-mail requests for some advanced tactics, which I'm happy to supply. However, power user or not, I'd recommend at least skimming the earlier article if you haven't read it, just to ensure that you're not forgetting something obvious and useful. I'm not going to re-cap much of it here.

Anonymous browsing

We've already discussed finding and using proxies and choosing more secure browser settings, but for those who wish to take control for themselves, it's easy to install James Marshall's free CGI Proxy if you have access to a server.

CGI Proxy supports SSL, and can be configured to filter images, ads, cookies and scripts. A group of people who know and trust each other can share the proxy. Best of all, it doesn't require an executable or a plug-in on the user's machine, which in some countries can in itself be incriminating. It's also handy because once running, users can access it from any computer they happen to be on.

It's a good choice for people in neurotic countries like Saudi Arabia, say, or China, where there are national firewalls. (If the local Feds discover it and ban it, it can be moved about whack-a-mole-wise.) Marshall says he started the project as a means of defeating firewalls, and that its anonymity features evolved later, in line with popular demand.

I rate this one as the best because it's free and gives admins control over all functions (including logs if you own the server), and requires no download to be accessed. But you do have to know what you're doing to make it work properly.

If you're unsure of your abilities, then you're better off with something like Anonymizer or Freedom or Java Anonymous Proxy (JAP) or Crowds, where the magic is performed by people who (we pray) know what they're doing and can be trusted.

The drawbacks here are:
-- JAP: Availability problems and requires a plug-in.
-- Freedom WebSecure: New and improved following the death of Freedom Net, with a free trial version available now. Requires a plug-in. Will cost money after 30 January 2001. Closed source. No idea about access logs.
-- Anonymizer: Costs money if you want speed, reliability and freedom from ads.
-- Crowds: Decent anonymity if you're in a large crowd, but problems with privacy. What you send and receive may be viewed by others.

HTTP & Socks proxy advanced tips

We've already discussed finding and using HTTP and Socks proxies, and using SocksCap with other clients such as e-mail, Telnet and FTP clients. Power users won't mind using a simple daisy chain of proxies to access Web sites. This is accomplished by constructing a URL thus and copying it into your browser's address field:

http://firstproxy:portnumber/http://secondproxy:portnumber/http://thirdproxy:portnumber/http://www.destination.com

This can be done in addition to any proxy you have loaded in your browser normally with its setup options. I don't recommend this for beginners because it won't work all the time, and because proxies have a way of dying suddenly. If you've got a dead proxy in there, you'll have to test them all until you find it.
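As an added illustration (not part of the original article), here is a small Python script that builds the chain URL shown above and locates the dead proxy in a chain by testing progressively longer prefixes of it, so at most one request per hop is needed instead of checking every proxy by hand. The hop addresses are constructed placeholders, the fetch routine is injected so the logic can be exercised offline, and the http_fetch helper is an assumption about how a real probe would be made.

```python
"""Proxy daisy-chain helper: build the chained URL and locate a dead hop.

Added example; the hop addresses used in the demo are constructed
placeholders (RFC 5737 documentation ranges), not real proxies.
"""
import urllib.request
from typing import Callable, Optional, Sequence


def chain_url(proxies: Sequence[str], destination: str) -> str:
    """Return http://hop1/http://hop2/.../http://destination.

    Each hop is "host:port"; the destination is a full http:// URL.
    """
    parts = ["http://%s" % hop.strip().rstrip("/") for hop in proxies]
    parts.append(destination)
    return "/".join(parts)


def http_fetch(url: str, timeout: float = 15.0) -> bool:
    """Real probe (assumed usage): True if the chained request returns 2xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except Exception:
        return False


def find_dead_hop(proxies: Sequence[str], probe_target: str,
                  fetch: Callable[[str], bool] = http_fetch) -> Optional[int]:
    """Return the index of the first proxy that breaks the chain, or None.

    Chain prefixes of length 1..n are tried in order: when the chain through
    the first k hops works but the chain through k+1 hops does not, hop k+1
    (index k) is the dead one. This costs at most n probes.
    """
    for k in range(1, len(proxies) + 1):
        if not fetch(chain_url(proxies[:k], probe_target)):
            return k - 1
    return None


# Constructed demo: an offline stand-in for http_fetch that treats the
# second hop as dead.
DEMO_HOPS = ["192.0.2.10:8080", "198.51.100.20:3128", "203.0.113.30:8000"]
DEMO_TARGET = "http://www.destination.com"


def demo_fetch(url: str) -> bool:
    return "198.51.100.20:3128" not in url


if __name__ == "__main__":
    print(chain_url(DEMO_HOPS, DEMO_TARGET))
    dead = find_dead_hop(DEMO_HOPS, DEMO_TARGET, demo_fetch)
    print("dead hop:", None if dead is None else DEMO_HOPS[dead])
```

Against live proxies, pass http_fetch (or your own probe) instead of demo_fetch and use a destination you know answers; a prefix that fails only tells you that hop is unreachable through the hops before it, so re-test a suspect hop on its own before discarding it.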

You should be maintaining lists of good Socks and HTTP proxies, using ProxyHunter to verify them occasionally and an env checker (a page that echoes back the request headers it received, so you can see whether a proxy adds Via or X-Forwarded-For headers that give away your real address) to determine their relative anonymity.

You should also use ProxyHunter to verify quickly the long lists of proxies you'll find on Web sites like Proxys4All. Often these are listed as domains, not IPs, and that's a problem since ProxyHunter needs a list of IP and port combos.

Often these Web sites will list proxies written as IPs and as domains in the same group, so you'll need to get them separated and organized. First copy and paste the whole list to a .txt file, and then cut and paste, using a second .txt file, to separate the domains from the IPs into two different files. The straight IP file can be imported to ProxyHunter for verification immediately, so long as it contains only HTTP proxies. If they're domains, or if they're Socks proxies, they'll need a bit more preparation.

To deal with a list of HTTP proxies written as domains, you'll have to confront a fine but awkward little command-line progie called Plookup, which will resolve long lists of domains to IPs (or vice versa, if you like), so you can verify them quickly with ProxyHunter and discard the dead ones.

The command line is counter-intuitive, with the output file entered before the input file: Plookup itself only prints to the screen, so its output is captured to a file by a second utility, Script.com, whose file name comes first. A minor inconvenience, but you can't resolve a long list faster. Another hassle is that Script.com won't create an output file, only write to one, so you'll have to create an empty output file before you start, and take care not to overwrite an existing one.

Let's call the output file plookout.txt, and the input file plookin.txt. The input file contains the list of domains with ports (the second file mentioned above) that we want to convert to IPs. Put both the input and output files in your C:\ directory, and install Plookup in C:\plookup, to save on typing at the command line.

Assuming you have Plookup and Script.com installed, and have your input file and empty output file ready to go, open a DOS window and enter: cd c:\plookup

Now enter: script -f c:\plookout.txt plookup -p -f c:\plookin.txt

This resolves all the domains to IPs with the default ending @HTTP attached to each, and writes the results to plookout.txt. This @HTTP ending is not actually necessary for HTTP proxies, because ProxyHunter defaults to checking all proxies as HTTP when there's no ending, but it does no harm. It's a minor problem for Socks proxies, as I will explain below.

First, remove all the comments and dead domains from the Plookup output file, and make sure there are no blank lines.

Now you can import the cleaned-up output file directly to ProxyHunter, and then run Verify All. (Just because Plookup was able to resolve a domain doesn't mean you necessarily had a working proxy there). ProxyHunter will verify them all pretty quickly.

Now you have to remove the garbage. I recommend that you tick every box except Good! in the ProxyHunter Remove command field. Do the remove, and you're left with a list of good proxies that you can copy and paste to a .txt file or automatically save with ProxyHunter. This is just what you would have done if you had imported a list of HTTP proxies listed as IP's.

ProxyHunter will default to checking all proxies as HTTP if there's no ending (and naturally if there's an @HTTP ending added by Plookup), so in those cases it would test all your Socks proxies as if they were HTTP, and the good ones will appear dead.

So, for those Socks you found listed as IPs (ending with port 1080) you need to open the .txt file you've collected them in and do a search/replace. Make two copies of the file: in one, replace 1080 with 1080@Socks4 throughout, and in the other, replace 1080 with 1080@Socks5. Verify the two files separately with ProxyHunter, and then merge all your good results into a final file. Some proxies will be 4, and some will be 5, but some will appear dead unless you test all for both Socks versions.

If you're going to convert a list of Socks proxies from domains to IP's with Plookup, there's one more step, because Plookup defaults to the ending @HTTP even though your proxies are all port 1080 and clearly Socks.

Once the Socks output file is created and cleaned up, open it with a text editor, and do a search/replace, changing @HTTP to @Socks4 and @Socks5 as described above, before you import the file to ProxyHunter. Add the @Socks4 and @Socks5 endings before you import the files, because from within ProxyHunter you have to use the Modify Results command, which only works on one IP at a time.
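The whole preparation routine above (splitting IPs from domains, resolving the domains, discarding the ones that don't resolve, and adding the @HTTP, @Socks4 and @Socks5 endings in separate files) can be done in one pass. The Python script below is an added example, not from the original article and not a Plookup or ProxyHunter feature; it treats port 1080 as Socks, following the article's own convention, and takes an injectable resolver so the sample list (which is constructed, with documentation-range addresses and example.net/org names) runs offline.

```python
"""Prepare pasted proxy lists for ProxyHunter import.

Added example, not from the original article. Separates IP entries from
domain entries, resolves the domains, drops the ones that do not resolve,
and writes ProxyHunter-style entries with the @HTTP, @Socks4 and @Socks5
endings. Port 1080 is treated as Socks, as in the article; extend
SOCKS_PORTS if your lists use others.
"""
import ipaddress
import os
import socket
from typing import Callable, Dict, List, Optional, Tuple

SOCKS_PORTS = {1080}


def parse_entry(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for 'host:port', or None for blanks/comments/junk."""
    line = line.strip()
    if not line or line.startswith(("#", ";")):
        return None
    host, sep, port = line.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip(), int(port)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def default_resolver(host: str) -> str:
    return socket.gethostbyname(host)


def prepare(text: str, resolver: Callable[[str], str] = default_resolver) -> Dict[str, List[str]]:
    """Classify, resolve and format one pasted list.

    Returns lists ready to save as separate import files:
      http   - ip:port@HTTP
      socks4 - ip:port@Socks4  (every Socks candidate, to be tested as v4)
      socks5 - ip:port@Socks5  (the same candidates, to be tested as v5)
      dead   - domain:port entries that failed to resolve
    """
    out: Dict[str, List[str]] = {"http": [], "socks4": [], "socks5": [], "dead": []}
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        host, port = entry
        if not is_ip(host):
            try:
                host = resolver(host)
            except OSError:  # socket.gaierror and friends: a dead domain
                out["dead"].append("%s:%d" % (entry[0], port))
                continue
        if port in SOCKS_PORTS:
            out["socks4"].append("%s:%d@Socks4" % (host, port))
            out["socks5"].append("%s:%d@Socks5" % (host, port))
        else:
            out["http"].append("%s:%d@HTTP" % (host, port))
    return out


def write_import_files(result: Dict[str, List[str]], directory: str) -> None:
    """Write http.txt, socks4.txt and socks5.txt with no comments or blank lines."""
    for kind in ("http", "socks4", "socks5"):
        with open(os.path.join(directory, kind + ".txt"), "w") as fh:
            fh.write("\n".join(result[kind]) + ("\n" if result[kind] else ""))


# Constructed sample, as it might be pasted from a proxy list page.
SAMPLE_LIST = """\
# constructed sample list
203.0.113.10:8080
proxy.example.net:3128
socks.example.org:1080
192.0.2.5:1080
dead.example.invalid:8080
"""

# Offline stand-in for DNS; unknown names fail like a dead domain.
DEMO_DNS = {"proxy.example.net": "198.51.100.7", "socks.example.org": "198.51.100.9"}


def demo_resolver(host: str) -> str:
    if host not in DEMO_DNS:
        raise socket.gaierror(host)
    return DEMO_DNS[host]


if __name__ == "__main__":
    for kind, entries in prepare(SAMPLE_LIST, demo_resolver).items():
        print(kind, entries)
```

Call prepare() with the default resolver on a real pasted list, then write_import_files() into a working directory, and import http.txt, socks4.txt and socks5.txt into ProxyHunter separately; the "dead" list is what Plookup would have left behind as unresolvable. As the article notes, a domain that resolves is not yet a working proxy, so Verify All is still the last word.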

Encryption and anonymous mail

We've already discussed using PGP in connection with an anonymous Web e-mail account. I recommend this because it enables ordinary users to send and receive anonymous, encrypted mail for free, and bandwidth restrictions can be circumvented by opening multiple accounts with fictitious personal data. Anonymous re-mailers are more secure, but they do have significant reliability problems, and can be extremely slow. And you obviously can't receive replies to your mail.

Another option is HushMail, which costs about $30.00 per year for the full service. Obviously, if you're paying with a credit card, it will be possible for the Feds, armed with a subpoena, to get at least some information about you. However, Hush accepts money orders and e-Gold, which can go a long way towards hiding your identity. The less they know about you, the less they can reveal about you.

A crypto product called BestCrypt will now encrypt your Windows swap file along with any other files you choose. This is quite important, as the swap file contains copies of all sorts of documents, especially ones created with Microsoft Office. The BestCrypt program isn't free, however.

Whatever you want to encrypt, whether it's a file or a partition or an e-mail message, the single most important security factor is your pass-phrase. You must never use a dictionary word, however obscure, or a proper name or a common phrase such as okeydokey.

You want at least ten characters with at least one number, one uppercase letter and one special character. Don't be afraid to use passes of up to twenty characters. Make it very difficult to guess or to brute-force, but reasonably easy to remember. Try for something a bit odd, yet meaningful, with substitute characters: 'bring on the nubiles!' becomes br!ng@nth3nUb1L3z. It's not hard to memorize (but for God's sake don't use it now).
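The rules above can be turned into a check. The Python below is an added example, not from the original article; its word list is a tiny constructed stand-in for a real dictionary plus common-phrase list, and the substitution table it undoes before looking a candidate up is an assumption about the substitutions people typically make.

```python
"""Pass-phrase check implementing the rules given above.

Added example, not from the original article. Before the dictionary
lookup the candidate is lower-cased, stripped of leading and trailing
digits and punctuation, and the usual character substitutions (3 for e,
@ for a, ...) are undone, so 'Password1!' is still recognised as the
word it is built on.
"""
import string
from typing import List

MIN_LENGTH = 10

# Constructed stand-in for a real dictionary plus common-phrase list.
WORDS = {"password", "letmein", "okeydokey", "bring", "nubile", "secret",
         "welcome", "qwerty", "monkey", "dragon"}

# Substitutions undone before the dictionary lookup (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def base_word(passphrase: str) -> str:
    """Reduce a pass-phrase to the word it is probably built on."""
    core = passphrase.lower().replace(" ", "")
    core = core.strip(string.digits + string.punctuation)
    return core.translate(LEET)


def check_passphrase(passphrase: str) -> List[str]:
    """Return the rules the pass-phrase breaks (an empty list means it passes)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digit")
    if not any(c.isupper() for c in passphrase):
        problems.append("no uppercase letter")
    if not any(c in string.punctuation for c in passphrase):
        problems.append("no special character")
    if base_word(passphrase) in WORDS:
        problems.append("built on a dictionary word or common phrase")
    return problems


if __name__ == "__main__":
    for candidate in ("okeydokey", "Password1!", "P@ssw0rd!!", "br!ng@nth3nUb1L3z"):
        print(candidate, "->", check_passphrase(candidate) or "ok")
```

Password-cracking tools apply substitution rules of exactly the kind undone here, which is why the checker strips them before the lookup: a single dictionary word dressed up with a digit and a symbol gains far less than its length suggests, and it is the odd, multi-word construction recommended above that actually buys resistance to a dictionary attack.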

If you're worried about your pass-phrase being captured by a key logger surreptitiously installed on your machine, see our Magic Lantern article for ways to defeat it.

PC hygiene

Every time your machine crashes, a vast heap of temporary files full of information is left behind. Your browser cache will be as well, even if you've set it to be deleted on closing.

Nosey government forensics specialists exploit system crashes most profitably. We already covered secure file wipes in our first anonymity article, and that's important to know for properly eliminating your swap file (if you're not going to encrypt it), your temporary files, your browser cache and your history and cookie directories.

But it's better if this data is never written to disk in the first place. I've been trying to hack an installation of Windows 98-SE so as to assign all of this data to RAM, from which a simple cold boot will eliminate it permanently. I've been only partly successful, and I'd welcome any reader who wishes to work with me in getting the last bits nailed down.

For now I've got part of it solved, and it's worth noting. RAM is so cheap nowadays that most users should be able to do without a swap file in Windows -- 256MB ought to be adequate for Win-9x; and 512 for NT, 2K and XP. This is not going to break you. So that's another solution to your swap file problem; just strap on some RAM and disable it.

As for your temporary files, if you're using Win-9x, these can be assigned to a RAM drive (we'll name it G:) in your autoexec.bat file thus:

REM Create the RAM drive as G: (size is in KB; switches as supplied with XMSDSK)
XMSDSK 86352 G: /C1 /T /Y
REM Create a TEMP directory on it and point both temp variables there
MD G:\TEMP
SET TMP=G:\TEMP
SET TEMP=G:\TEMP

Download the XMSDSK files needed to set up the RAM drive, and unzip them in your C:\ directory.

There is also a RAM disk driver for Win-2K, which ought to work with NT and XP. It's really meant as an example and requires some tweaking, if you're up to it. You'll have to get into the registry and alter its size to suit, but 30 MB is the maximum.

(Note: You should disable your RAM drive before you install an application. Once the installation is complete you can clean up any leftover temporary files and re-enable the drive.)

So, now you either have no swap file or an encrypted one, and all those annoying (and potentially incriminating) little temporary files are set to evaporate completely whenever your system crashes or you decide to re-boot. You no longer have to think about it.

As for your browser cache, simply open your browser settings and assign it to your RAM drive. This works perfectly.

But we're still stuck with History and Cookies being saved to disk, which is a huge security hole. It hardly matters that you don't have your cache saved if your history is available for inspection.

I've tried to assign cookies and history to a RAM drive, but it's hopeless in '98, which presumes to 'restore' several of my registry changes each time I re-boot. For now, you'll just have to remember to wipe both directories periodically, and properly. You can block cookies, but that's inconvenient for surfing. You can set your history to zero days, which actually has the effect of setting it to one day. Ideally, one should be able to accept cookies, but never have them, or the history, written to disk.

Cautions

There's no such thing as perfect anonymity if you're going to insist on connecting a computer to the Internet. But there is a lot you can do to make it extremely difficult for anyone to track you. When you use an Internet cafe or a library, for example, look for CCTV cameras inside, and in the neighborhood as well. These can jam you up seriously. You might consider trying to change the local time on the computer you're using for a small, added measure of distance.

Beware of anonymity honey pots run by the Feds. Apply good judgment when using any anonymity service or Web proxy. Do you know who's behind it? Do you trust them? Do they have a financial stake in protecting your anonymity and privacy? How much do they want to know about you? Do they require you to download and install anything?

Watch out also for privacy and anonymity advice offered in IRC channels and on BBS and in newsgroups, especially ones affecting hacker, warez, political resistance and forbidden-porn airs. These are always crawling with Feds.

So proxy up, encrypt, and don't forget to wipe those files. ®

Note I'm assuming that most Linux users are savvy about these matters. But if you'd like to see an article like the two we've done for Windows users adapted to Linux, e-mail me. If the demand is there, I'll gladly do it.
