Staying anonymous in the internet jungle

Is it possible?

The opening passage to True Names, a novella written by noted science fiction author Vernor Vinge nearly 25 years ago, delivers an eerily prescient summary of modern Internet usage.

"In the once upon a time days of the First Age of Magic, the prudent sorcerer regarded his own true name as his most valued possession but also the greatest threat to his continued good health, for - the stories go - once an enemy, even a weak unskilled enemy, learned the sorcerer's true name, then routine and widely known spells could destroy or enslave even the most powerful."

Criminals pursuing identity theft, phishing scams, and spam rings are running rampant on the internet. Just a few years ago our major concerns were more to do with securing servers and avoiding virus outbreaks. Now anonymity and protecting one's information have become paramount.

Anonymity on the Internet is a heated subject. The cross section of interested parties is amazing, too. We have the old-school cypherpunks, and the hacker community on both sides of the law. There are teams of lawyers, and of course, governments everywhere trying to protect the average person's anonymity and privacy. And then we have the average internet user himself, bombarded with alerts and warnings but unsure what he should do.

If you ask me, the problem started with Caller ID. All joking aside, this now ubiquitous technology really opened our eyes at the time to the concepts of identity and location. Fast forward past all the war-dialing and the insecure, open networks of yesteryear. With pervasive broadband access, one's IP address is virtually his Caller ID. It begs the question: is anonymous internet usage even possible? The answer of course is, it depends.

IP spoofing

I wrote a SecurityFocus article on IP spoofing over two years ago, and to this day I still get many emails about it. It causes a lot of confusion, especially for non-technical users because the casual term "IP spoofing" seems to imply a technique that hides one's IP address. As we know, this isn't the case. It's relatively easy to modify the bits of an IP packet encapsulating some other protocol, specifically the source address. However, this also means the modifier cannot receive a response, since a fake source address is used. Therefore, IP spoofing cannot be used to effectively protect one's identity on the Internet. It works wonders for attacks like Denial of Service floods and passive fingerprinting techniques during network scans, but doesn't add much to our debate on anonymity.

Proxies and chaining

One of the most popular methods for protecting an identity would be the use of a proxy. A proxy is something that acts as a buffer for communications between two machines. Many companies use web proxies to monitor employee access, filter restricted content, improve performance via caching and protect the internal network. These might be transparent proxies, where the user does not even know their content is being watched.

Virtually any network application, such as the web, FTP, SSH or email, can communicate through a proxy. Several companies sell anonymous proxy services, primarily for web surfing, aimed at people looking to obscure their identity without the hassle of setting up and maintaining a server. There are also several free proxies open to the public, generally geared towards privacy groups. However, these machines tend to be unstable and slow, and they are constantly changing.

The catch-22 with any proxy is the log files. While the destination machine never sees the client it is truly interacting with, the proxy certainly does and records this interaction in a log file. Several commercial companies and the public proxies promise anonymity and claim to destroy log files; however, it's nearly impossible to guarantee or verify such claims. And there have been multiple instances of court orders issued for proxy logs that were supposedly destroyed.

Taking this approach further, many people employ proxy chains, using multiple proxies that further obscure their identity. Instead of a single proxy, they might use six, each one making it increasingly more complex to trace back. This approach is as old as the Internet itself, but it's still quite effective. It's very similar to a cracker who might have shell accounts on a dozen compromised machines. He logs into machine 1, then connects to machine 2 and so on, until he is using a shell 12 links down the chain. Such chaining techniques make it extremely difficult for investigators to determine the true identity of an end user. Malicious hackers often employ chains spanning several countries, using the differing legal complexities of various nations to create an impenetrable wall of red tape. Even with a legal army and the government on your side, tracing an attack through such a maze is a nearly impossible task.

Onion routing

The next generation of privacy and anonymous services lies in a concept known as onion routing. Combining aspects of proxies, peer-to-peer networking and encryption, onion routing looks to create a method for virtually any application to communicate securely and anonymously via the internet.

Conceived in 1996 and now in its second generation of design, the most popular implementation of the onion routing concept is Tor. Initially funded by the US Navy, it works as follows. An initiator obtains a list of nodes via a centralized server. A path to the destination is randomly generated, and each server in the path only knows where the request came from and where it is going. Individual encryption keys are negotiated at each point.

The beauty of the Tor design is that the content, source and destination of a message are protected at all points in the link. No single machine can see beyond where it received a message from and where it is forwarding it to; it can only peel away one layer, hence the term 'onion' routing. Someone analyzing the traffic could only acknowledge that communication is taking place, but what or between whom remains completely protected. It's extremely difficult to track someone using Tor.
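The layering described above can be simulated in a few lines. This is an added example, not code from the article or from the Tor project: it assumes the per-hop keys have already been negotiated, uses a toy SHA-256 keystream with an HMAC tag in place of Tor's real cryptography, and the relay names, destination and message are made up.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Toy stream cipher (SHA-256 in counter mode), standing in for a real cipher.
    out = b""
    for ctr in range(n // 32 + 1):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def seal(key, plaintext):
    """Encrypt and authenticate one layer: nonce | tag | ciphertext."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, key, nonce)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered layer")
    return _xor(ct, key, nonce)

def wrap(path, destination, message):
    """Initiator: build the onion, innermost (exit) layer first."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    blob = message
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        blob = seal(key, nxt.encode() + b"\n" + blob)
    return blob

def peel(key, blob):
    """Relay: remove exactly one layer, learning only the next hop."""
    nxt, _, inner = unseal(key, blob).partition(b"\n")
    return nxt.decode(), inner

def route(path, onion, sender):
    """Forward the onion along the path, recording what each relay can observe."""
    seen, prev, blob = [], sender, onion
    for name, key in path:
        nxt, blob = peel(key, blob)
        seen.append({"relay": name, "from": prev, "to": nxt, "payload": blob})
        prev = name
    return seen

# Constructed sample circuit: relay names and keys are made up for this example.
PATH = [(name, os.urandom(32)) for name in ("entry", "middle", "exit")]
VIEWS = route(PATH, wrap(PATH, "example.org:80", b"GET / HTTP/1.0"), "client")
```

Each entry in `VIEWS` holds only the previous hop, the next hop and a payload; the payload is still encrypted for every relay except the last, which sees the destination and the innermost message but not the originating client.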

The problem with Tor is that complaints about performance are common. I'm not sure how usable it is for regular surfing because of this, and of course it might be rendered ineffective by sites that use free IP-to-country filtering, if the site is extensively filtering by country and the final node in the routing list is in a banned country. But this is unlikely for most sites, and since the project is still relatively new it should scale to handle increased bandwidth as more people offer up their computer resources so that nodes come online. Unfortunately, many ISPs would seek to restrict such usage from their customer accounts.

Wireless access

My favorite way to stay anonymous is also one of the easiest – simply by using unsecured wireless hotspots. They're everywhere. They're useful and convenient in coffee shops and restaurants for people doing legitimate work, but honestly if someone wanted to attack a network or communicate anonymously (although not necessarily securely), this is the easiest way. A quick drive through virtually any metropolitan area will reveal hundreds of open networks, some by design, others by negligence. The majority of these networks operate using inexpensive SOHO routers with minimal logging capabilities, and they are virtually never monitored. The only real identifying component would be a MAC address.

Why is privacy important?

A vocal minority always claims that one must be doing something wrong if he prefers to remain anonymous. That's most often not the case and it troubles me when people employ such reasoning. There will always be those who abuse certain privileges or liberties, but those few cannot ruin an entitlement for the rest.

There are many reasons why privacy is important. First there are repressive governments that forbid access to certain sites, censor the internet, and then track users who show interest in particular topics. There are people who want to tell the truth without fear of repercussion, such as corporate whistleblowers and bloggers. There are intelligence needs, in both corporate and government sectors. But most importantly, we live in an age where our names, social security numbers, phone numbers, dates of birth, buying habits, credit reports, demographics and surfing tendencies are traded like commodities amongst big companies. We all knew this day was coming; the information age has been upon us for some time. But even in these digital times, it remains our right to protect our privacy, our identities, our true names.

Copyright © 2005, SecurityFocus

Matthew Tanase is president of Qaddisin, a services company providing nationwide security consulting.
