Ideas about perfect anonymity

The worm of misunderstanding between people is born due to different needs and different models of threats. Suppose you want to leave the most anonymous comment in the world on a social network. What do you need for this? VPN? Tor? Ssh tunnel Not at all, it is enough to buy an “empty” SIM card on the near collapse and there is also a used smartphone. Move away from your place of residence, insert one into another, write a message and drown the phone. You have coped with the task with an excellent rating.

But what if you need to not just leave a one-time comment, not just hide your IP address from some site? What if you need to have such a level of anonymity, which will constitute the most difficult puzzle and practically will not give the opportunity for disclosure at any level? And also to ensure the secrecy and to some extent the fact of the use of anonymization tools. That's what I wanted to talk about.
')


Ideal anonymity, like everything perfect - is rather a dream, but it is quite possible to get close to it, and this happens at the expense of many different layers of protection. When one technology begins to complement and strengthen another, and even when fingerprints of system parameters and other methods are used for your identification, you still remain indistinguishable from the general mass of network users. In this article I will try to tell how to achieve this.

This material is not a guide to action, the author does not even urge categorically against the violation of any laws or states of any kind. This material should be taken solely as the author's fantasies on the topic: "If I were a scout."

Basic security level

The basic level of protection and anonymity looks like this: client → VPN / TOR / SSH-tunnel → target.

In fact, this is only an advanced proxy alternative that allows you to simply replace the IP. There is no need to speak about any real and qualitative anonymity. No longer necessary. One incorrect or default setting of the notorious WebRTC and your real IP is already known. This type of protection is vulnerable both to the compromise of the node, and before fingerprints and before a simple analysis of the logs at the provider and in the ds.

By the way, the same opinion is often found that a private VPN is better than a public one, since A person is confident in his system setup. Let's imagine for a second, someone knows your external IP, respectively, and the data center is known, respectively, the data center knows which server this IP belongs to. And now we will think whether it is difficult on the spot, to establish from which real IP they were connected to this server? If you're one customer there, huh? But when there are 100 customers, for example, everything is much more complicated.

It doesn’t even touch upon the aspects that a rare person would get confused on encrypted disks and protection from dredging, they would even hardly notice if their server was rebooted from init level 1 and enabled logs on VPN, describing it as “minor technical problems in the data center”. And is it really necessary if all the incoming addresses to the server and outgoing ones are known?

As for Tor, firstly, its use can directly cause suspicion, and secondly, the output nodes, of which about 1000 pieces are known and many of them are banned, for many sites it is like a red rag. For example, in Cloudflare, it is possible in Firewall to allow or accept connections from the Tor network. T1 should be used as a country. In addition, the use of Tor is much slower than VPN (The speed of the Tor network at the moment does not exceed 10 Mbps, and is often at a level of 1-3 Mbps).

Bottom line: If you just don’t need to carry your open passport around the world and bypass the simplest website bans, have a good connection speed and the ability to completely allow all traffic through another node, then you should choose VPN. And for this role, paid service is better suited, for the same money that you would give for your VPS, in the 1st country, which still needs to be set up and, after all, supported, you will receive dozens of countries and hundreds or even thousands of weekend IPs.

In this case, it makes no sense to use Tor, but in some cases Tor is a good solution, especially if there is an additional layer of security, such as a VPN or SSH tunnel. But more about that further.

Medium level of protection

The average level of protection looks like a further development of the initial, basic level. Client → VPN → Thor → purpose and variations on the topic. This is an optimal and working tool, for anyone who is not indifferent to changing a person's IP address, this is the case when a combination of technologies has strengthened each of them. But you should not have illusions, yes, it will be difficult to find out your real address, but you are still subject to all the same attacks as above. Your weak point is your physical place of work, your computer.

High level of protection

Client → VPN → Remote workstation (via RDP / VNC) → VPN

The work computer should not be yours, but deleted, for example, on Windows 8, with Firefox, a couple of plugins like Flash, a pair of codecs, no unique fonts and other plugins. Boring and indistinguishable from millions of others on the net. And even in the event of any leakage or compromise of your system, you still remain covered by another VPN

It used to be thought that a high level of anonymity was achieved by using Tor / VPN / SSH / Socks, but today I would recommend adding the use of a remote workstation to this scheme.

Ideal

Client → Double VPN (in different data centers, but next to each other) → Remote workstation + Virtual machine → VPN

The scheme offered to you is a primary connection to a VPN and a secondary connection to a VPN (in case the 1st VPN is compromised through any leak) to hide the traffic from the provider and in order not to issue your real IP address in the data center with a remote workplace. Next, the installed virtual machine on this server. Why do I need a virtual machine, I think it is clear? To make every download rollback to the most standard and banal system, with a standard set of plug-ins. It is on a machine with a remote workplace, not locally, because people who used a virtual machine locally, and from under it TripleVPN on elliptic curves, once going to whoer.net , were very surprised to see their real and real IP in WebRTC. address. What "mulku" they implement tomorrow and without asking you, they will update your browser, I don’t know and don’t want to think about it, and you don’t think, do not hold anything locally. Kevin Mitnick already knew this 30 years ago.

This scheme has been tested by us, the brakes are very decent, even if geographically the whole scheme is correct. But it is quite possible and tolerable. In this case, it means that a person does not spread the server on the way across different continents. Suppose you are physically located in Moscow, and build a scheme so that the first VPN is also in Moscow, the second for example in Monaco, etc., a remote workplace, for example in the Netherlands and the final VPN, for example, in Ukraine. The build logic should be such that you should not use all the servers inside, for example, the eurozone, because there is a well-established cooperation and interaction of various structures, but it is not necessary to distribute them far from each other. Neighboring states hating each other - this is the key to the success of your chain! ;)

You can also add an automatic visit to websites in the background, from your real machine as an imitation of surfing, so that there is no suspicion that you are using some kind of anonymization tool. As the traffic goes only to one IP address and through one port. You can add the use of Whonix / Tails, access the Internet through a public Wi-Fi in a cafe, while changing the data of the network adapter, which can also lead to de-anonymization. Even to change the appearance, not to be identified by the person in the same cafe, this is the future and it is already here - https://cvdazzle.com/ . You can be identified as by the location coordinates, in the photo file taken by your phone ( https://news.ycombinator.com/item?id=4868170 ) before diagnosing a specific writing style. Just remember this.

On the other hand, most people are quite anonymizer, but even ours, in a real attempt to make it convenient, it is still not very convenient for surfing. Yes, a normal VPN is a normal and competent solution to bypass simple locks and work on the network at a good speed, do you want more anonymity, though in speed gaps? Add Thor here as well. Want even more? Do as written above.

Fingerprints, as well as attempts to determine the use of VPN, by the means of measuring the time of departure of the package from the user to the website and from the website to the user's IP address (we do not take into account such a “crutch” as blocking only incoming requests of a certain type) is not so easy to get around. Something is possible to deceive, one or two checks, but there are no guarantees that another “evil” will not appear tomorrow. That is why you need a remote workplace, that is why you need a clean virtual machine, that is why this is the best advice that can be given at the moment. The cost of such a decision can start from as little as $ 40 per month. But note that for payment, Bitcoins should be used exclusively.

Instead of an afterword. The most important part and the most important key to success in protecting anonymity is the separation of work with personal data and with secret data that are of some value. All these tunnels and lined schemes will be absolutely useless if you log on from it, for example, to your personal Google account.

Be anonymous!