33

I was searching for methods or tools to remain completely anonymous on the Internet. Tor came up, but it seems that it is far from perfect. Are there any 100% foolproof ways, or approximately 100% foolproof ways? I suspect that 100% may be possible. How else do some cyber criminals behind big crimes never get caught?

This is what I've read about Tor so far:
Tor Weaknesses (Wikipedia)
Is Tor actually anonymous, and how to use it

My main goal is to prevent detection of my IP.

forest
FirstName LastName
  • 2
    The best way to stay anonymous must be if you look like you're someone else. – Henning Klevjer Jan 17 '13 at 07:24
  • @HenningKlevjer - what does that mean ? – FirstName LastName Jan 17 '13 at 07:36
  • Say you use someone else's computer and hang out on cafeteria Wifi, **you**'re anonymous. At least network-wise. – Henning Klevjer Jan 17 '13 at 07:44
  • 27
    Nobody else has mentioned the obvious way: never using the Internet. – Deer Hunter Jan 17 '13 at 08:18
  • @DeerHunter - ok... I see where this is going. I am not interested in harming anyone. I want to discuss (legal) methods that can be used, without the details of course. You did not see the sarcasm in my old comment. I deleted the comment. – FirstName LastName Jan 17 '13 at 08:36
  • 1
    Purely in the interest of staying anonymous, I'd say TOR is actually fairly close to perfect for this. Most of the weaknesses boil down to the user voluntarily but unintentionally revealing his identity, but then again, no security software can withstand a determined end user. – Marcks Thomas Jan 17 '13 at 09:50
  • 1
    Why worry about your IP, that's not a reliable indicator of anything - person, computer/device, location... – John U Jan 17 '13 at 16:06
  • 1
    VPN providers like BlackVPN or Hide My Ass "do" that for you. You establish a secure connection to their servers and everything you do is supposed to be anonymized. Some of them keep logs (here is the risk) and others don't. I disagree with @JohnU that IPs are not indicators of anything, you can get a lot of info from them. – Bertrand Jan 17 '13 at 18:48
  • 3
    @JohnU this is not correct. An IP address can be very significant. Check this http://security.stackexchange.com/questions/29087/why-say-ip-addresses-are-harmless – Jan Koester Jan 18 '13 at 10:41
  • 1
    See [Law #9](http://technet.microsoft.com/en-us/library/cc722487.aspx). – Iszi Jan 18 '13 at 16:18
  • @JohnU is right. Sensitive information is not obtained from IPs, but from databases containing private data. In itself, an IP address is just a number that indicates nothing worth worrying about. – Marcks Thomas Jan 19 '13 at 00:28
  • @JanKoester, I was meaning something half way between the example you cite and Marcks' comment - IP address can be an _indicator_ (EG of geographical location) but is by no means a _reliable_ proof of anything. It depends which end you're coming from really - IP address can give some people clues about you, which you may not want to give them, but if you are worried about it being used against you in a court of law it isn't really worth anything. – John U Jan 21 '13 at 12:59
  • 100% anonymity cannot be achieved. 99%, maybe. You can only achieve 100% if you send/receive data from your own network of computers. – Dax Feb 02 '14 at 18:23

13 Answers

18
  1. There is a geeky possibility to use a prepaid card (SIM) and connect it with a mobile HSDPA dongle, i.e. Huawei_E220, and also you can check the section Privacy rights and prepaid mobile phones for Prepaid Mobile Phone. If you buy everything without registering you can have access to the world wide web anonymously. Because this is a known problem against cyber crime and other criminal activities it is not allowed in some countries to use such an unregistered prepaid card.
  2. Another possibility is to use an open Wi-Fi, for example in an internet café. The operating system must be available without any registration, like Linux. The MAC address of the Wi-Fi network card in the computer, which is visible in the Wi-Fi network, must be changed (this is easily possible in Linux).
  3. If you want to do some research about the Tor network you can try the Linux distribution Tails, where everything is set up right (for example, the Flash player would use another channel which does not go through the Tor network). This means that if you are using the Flash player while browsing with Tor, the data packages for the Flash player will communicate with your real IP address and do not go through the Tor nodes. Tails Website
forest
Jan Koester
  • 2
    +1 for anonymous prepaid SIM. If you pay this in cash you're untraceable. Oh, and use gloves when handling the phone, or if they find it they can trace you by your fingerprints. Of course the phone should also be bought cash. – gerrit Jan 18 '13 at 11:02
  • 12
    cash and gloves. sounds like some really bad *Mission: Impossible* parody on a budget. – jrg Jan 18 '13 at 16:05
  • 1
    @jan koester - how do i change the MAC address on a linux distro ? Is it a fool proof method ? – FirstName LastName Jan 19 '13 at 08:01
  • 1
    http://www.alobbs.com/macchanger – Adam McKissock Jan 19 '13 at 16:19
  • @AdamMcKissock link helps, also you can check http://en.wikibooks.org/wiki/Changing_Your_MAC_Address/Linux – Jan Koester Jan 19 '13 at 22:57
  • 2
    @JanKoester You would also want to make sure you do not login to any site using any identifiable information, like your online banking for example. Also, because of triangulation techniques, you don't want to stay on the same spot for too long when using your Mi-Fi or the open internet; the ideal places are the crowded ones. Still, after triangulating a possible location, it is also possible to analyse local CCTV footage. – Lex May 30 '13 at 08:51
  • Also don't forget to change your mobile device regularly, because otherwise you can be triangulated later with your IMSI – Uwe Plonus Jun 06 '13 at 07:58
12

With the current state of the internet and how it works (in my opinion) I do not think that it is possible at the moment. While Tor (among other onion-routing services) is a good idea in theory, there are issues with exit nodes being compromised etc. Essentially, anything that accesses the 'normal' internet at any point could theoretically be traced back to you. Systems such as I2P, while inherently more anonymous, only allow access to material that is stored on the I2P network itself, so you would be a bit stuffed if you wanted to access a random website.

With regards to cyber-criminals, a couple of things can happen with regards to them not being caught:

  • They could be living in another country that has no extradition treaty with the country that the crime is being committed in (or countries that have little/nothing in the way of cybercrime law).
  • If they have a reasonable level of computer knowledge, chances are they will be encrypting their disks, so even if they can be extradited/investigated/whatever, the chances of actually recovering any evidence from their machine(s) are next to nil.
forest
Adam McKissock
  • I understand that factors such as extradition treaties and enormity of the crime affect the chances of getting caught. But, I would like to focus more on the technical side of the question. Any more insights on that welcome. – FirstName LastName Jan 17 '13 at 07:40
  • It is worth noting that TOR exit node issues are irrelevant if anonymity is the only concern and the information you are transmitting does not disclose your identity. The bigger problem would be if you randomly choose a controlled path of onion routers. But yes, the basic conclusion that 100% fool proof anonymity is spot on. Nothing in security is ever or will ever be 100%. – AJ Henderson Jan 17 '13 at 14:36
  • All it takes is that one twitter/facebook or whatever widget to connect over that connection, and then you're screwed. – Adam McKissock Jan 18 '13 at 18:40
  • @AdamMcKissock - please explain what you said. I am unable to understand it because I am not a security professional..rather I am an enthusiast. – FirstName LastName Jan 19 '13 at 07:52
  • 1
    Okay. When using TOR, it is *technically* 100% anonymous, meaning that no-one could find out who you are. However, if the exit node is compromised and you log in to a service that would give away who you are (having a facebook widget on your machine for example), then whoever has compromised that exit node could potentially read your traffic, thus finding out who you are. – Adam McKissock Jan 19 '13 at 16:18
  • A mighty agency could tap at all the entrance points of e.g. TOR and thus get the IP address of the sender. I have some (admittedly non-perfect) ideas of how e.g. activists of non-democratic countries could achieve sender anonymity in the Epilogue of s13.zetaboards.com/Crypto/topic/7234475/1/ – Mok-Kong Shen Jul 10 '16 at 11:39
8

I think Tor is probably the closest thing you can get to anonymity, but there is indeed a small risk to get exposed. Also don't forget that some criminals don't get caught because they route their traffic through multiple countries. When choosing the countries to route through they make sure they aren't friends with each other. This makes it very difficult and will increase the time for the police to get information. (it's not because they have access to some special anonymity network)

Lucas Kauffman
6

There are no absolutes when it comes to security. You can not achieve 100% anything. The proficient security practitioner calculates risk and applies resources proportionately. So the question becomes anonymous to who, while doing what, and for what length of time. I can be anonymous to an adversary who relies on tracking my internet footprints by not using the internet for weeks. Of course most people would not consider any abstinence tactics even for a day or two.

So, if you are using the internet how could you prevent someone from finding the IP address that you are using, and for how long?

The first tactic is to change IP addresses, and do it frequently. Depending on the kit you use, most IP capable devices have the ability to set their own IP address. This tactic does come with a penalty, because the frequent changing of IP addresses is highly anomalous. Depending on the internet service you are using at the time it may be quickly or slowly noted.

The second tactic is to spoof and twin an IP address. With the first method you are using IP addresses that are valid for your local node, but are currently unused. For spoof and twin you want to use an IP address that another node is currently using. This method only works when your network adapter can be put into promiscuous mode and read traffic destined for other IP addresses. It requires that your device time transmission so as not to interfere with the target device, and that it continue reading open traffic until the target device receives a reply from whatever server you sent to.

Even if I provide you with the best available anonymity methods, if you are doing something that would attract the attention of a national government, those methods will only delay your eventual deanonymization. Anyone with the capability of enlisting the help of large national or international telecommunication companies will find you in hours.

this.josh
5

Nothing in security is ever 100%. Even a 1 time pad (the most secure code ever) is only secure if the key is able to be kept secure and never reused. Even if we think something is secure today, there is no guarantee that it will be tomorrow or that someone hasn't already figured out some issue they haven't released. Onion routing is just about your best hope of getting anonymity. Using Onion routing and an encrypted connection to your trusted end point is even better. Ultimately though, there is still a chance of it failing for any number of technical or even non-technical reasons.

AJ Henderson
  • 1
    The whole point of a one time pad is that the key is never reused. If someone is reusing a key, then it's NOT a "one time" pad by definition. – Kenzo Jan 19 '13 at 02:02
  • @Kenzo - that is true, but that still doesn't prevent it from being an early question for many people since the threat of analyzing the differences in the two streams isn't necessarily immediately obvious to the casual observer. – AJ Henderson Jan 21 '13 at 13:58
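
An added illustration of the key-reuse point made in the answer and comments above (not part of the original posts): when one pad encrypts two messages, XORing the two ciphertexts cancels the pad, and a guessed word then exposes text from the other message. The two messages and the guessed word are constructed for this example.

```python
import secrets
import string

# Constructed sample messages (not from the page).
P1 = b"meet at the north gate at nine"
P2 = b"send the report to the office"

READABLE = set((string.ascii_letters + " ").encode())


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: the pad must be at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message")
    return xor_bytes(plaintext, pad)


def crib_drag(c1: bytes, c2: bytes, crib: bytes):
    """Slide a guessed word over c1 XOR c2.

    Where the guess really occurs in one message, the XOR yields the
    matching slice of the other message; keep offsets whose result is
    made only of letters and spaces.
    """
    mixed = xor_bytes(c1, c2)  # equals P1 XOR P2: the pad has cancelled out
    hits = []
    for off in range(len(mixed) - len(crib) + 1):
        revealed = xor_bytes(mixed[off:off + len(crib)], crib)
        if all(ch in READABLE for ch in revealed):
            hits.append((off, revealed.decode("ascii")))
    return hits


if __name__ == "__main__":
    pad = secrets.token_bytes(32)          # random pad, then wrongly used twice
    c1, c2 = otp_encrypt(P1, pad), otp_encrypt(P2, pad)
    print("pad cancelled:", xor_bytes(c1, c2) == xor_bytes(P1, P2))
    for off, text in crib_drag(c1, c2, b" the "):
        print(off, repr(text))
```

Some offsets printed by the script are chance matches that merely look readable; a longer guessed word filters those out.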
3

A burner laptop, someone else's wireless connection (when you have an alibi to not be within 1,000 kilometers of that connection), Aircrack-ng, and gloves. Works every time, but you must be sure that you will torch that laptop after the mission is over.

Kenzo
2

In my opinion it is impossible to stay anonymous on Internet.

If you send some request to any server (and that's what the Internet is all about) this server must be able to send you a response. So the server must be able to send his answer somewhere and this is traceable.

Even with TOR the answer reaches you in some way and this is traceable. It could be very difficult to trace it but it is possible.

Therefore a 100% anonymity is impossible.

Uwe Plonus
1

Care!

Buy a mantle, a hat and black glasses, take the train, go to another town, enter in a cybercafe, connect via anonymizers and have a good alibi.

Big brother stay watching you!!

1

Regarding the use of pre-paid SIMs that don't require registration:

If you are using a mobile network, the location of your SIM can be detected to within a few hundred feet. This means that if you live in a block of flats, you are just one in several hundred people. BUT if you then use that same SIM at work or in a hotel, LEA just need to compare a list of workers or guests with a list of residents in a block of flats. Then they can pinpoint you.

In other words, for a SIM to be anonymous, use it ONLY at home and if there are lots of people there.

Having said that, LEA can still only identify Internet usage with a SIM, not with a person. So deny everything and encrypt everything.

1

There are three key aspects: 1) your Internet connection; 2) who you communicate with; and 3) what you say and do. Regarding the first aspect, you can thoroughly obscure your ISP-assigned IP address, or anonymously use another IP address, such as an open WiFi access point.

However, it's very hard to "remain 100% anonymous" once you start communicating and acting. Once you're communicating with others, your anonymity and theirs become linked. It's especially problematic when you communicate with people who know your true name. Clichés such as "Loose lips sink ships." and "[N] can keep a secret, if [N-1] of them are dead." come to mind ;) And if one of them gets busted, all bets are off.

Once you start acting, you establish patterns. Consider how well Google, for example, can find what you're looking for. TLAs apply similar methods to datasets that are far more comprehensive. Browsing patterns alone can say a lot about you.

mirimir
1

Using a non-local IP address is easy enough as others have mentioned, but what you do and when you do it can still lead investigators to your door given results of search traffic, forum posts and other data. Searching for "how to wash my new turtle", "replacement pontiac headlamps in Kansas", "best cure of baldness", "WOW cheats" would help narrow down your gender, location and age, and give a suggestion for possible "door to door" enquiries. Given a wider corpus of information, identity could be narrowed further. Research on de-anonymising anonymous Internet data has been successful in the past and is something to be aware of. Changing IP often should help, and performing Internet activity that was designed to introduce misleading search traffic into databases ought to assist. As another example, a Romanian hacker that I was interested in a while back posted a video on YouTube reviewing a phone. In the review there were a few seconds of footage where they hit a screen with a map that from the street names revealed their likely location at the time.

Nick
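
An added toy model of the narrowing effect described in the answer above (not part of the original post): each search query is treated as one attribute clue, and the set of people still consistent with all clues shrinks with each one. The population is constructed and uniform (one person per attribute combination), and the mapping from queries to attributes is an assumption made for the example.

```python
from itertools import product

# Constructed attribute space; one synthetic person per combination.
ATTRS = {
    "region": ["Kansas", "Ohio", "Texas", "Iowa", "Utah",
               "Maine", "Idaho", "Nevada", "Oregon", "Alaska"],
    "age": ["<20", "20-39", "40-59", "60-79", "80+"],
    "gender": ["male", "female"],
    "pet": ["turtle", "dog", "cat", "none"],
    "game": ["wow", "chess", "other", "none"],
}

# Assumed inferences from the queries quoted in the answer.
CLUES = [
    ("pet", "turtle"),      # "how to wash my new turtle"
    ("region", "Kansas"),   # "replacement pontiac headlamps in Kansas"
    ("gender", "male"),     # "best cure of baldness"
    ("age", "40-59"),       # "best cure of baldness"
    ("game", "wow"),        # "WOW cheats"
]


def build_population():
    """Every combination of attribute values, as a list of dicts."""
    keys = list(ATTRS)
    return [dict(zip(keys, combo)) for combo in product(*ATTRS.values())]


def candidates(population, clues, max_mismatch=0):
    """People who contradict at most max_mismatch of the observed clues."""
    return [p for p in population
            if sum(p[attr] != value for attr, value in clues) <= max_mismatch]


def narrowing(population, clues):
    """Anonymity-set size before any clue and after each successive clue."""
    return [len(population)] + [
        len(candidates(population, clues[:i]))
        for i in range(1, len(clues) + 1)
    ]


if __name__ == "__main__":
    pop = build_population()
    print(narrowing(pop, CLUES))
    # A misleading query adds a contradictory clue: strict matching finds
    # nobody, and an observer who tolerates one wrong clue gets a larger set.
    noisy = CLUES + [("region", "Ohio")]
    print(len(candidates(pop, noisy)), len(candidates(pop, noisy, 1)))
```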
0

I may gravely err due to misunderstanding, but, if the essential purpose is to enable a pair (and even a group) of communication partners (who know each other) to communicate entirely anonymously, then IMHO an email system of the following kind presumably should work well:

Assumptions:

(A) Someone (hereafter designated provider) in a democratic country with comparatively liberal policy with respect to IT surveillance has the resources and the right to run a server.

(B) Ordinary mails by post from the users to the provider are not intercepted.

Mode of operation:

(a) Anyone can via an anonymous ordinary mail inform the provider of a pseudonym and a corresponding password.

(b) The provider publishes on his webpage a list of the pseudonyms and the allotted serial numbers of the accounts.

(c) The user can have at any time a limited number (say 10) of posts of limited length (say 25 lines of 80 bytes) sent to him by his partner (who knows his password and who uses a neutral computer, e.g. one in an Internet-cafe) via an input window in the webpage of the provider and stored in his account in a FIFO manner.

(d) Anyone is free to view the content of any account via the account serial number or the pseudonym of the sender.

Some comments of my own:

(1) Concerning (B): A user from a highly non-democratic country may be able to let a friend living somewhere else to register for him.

(2) If the posts are well encrypted and with authentication (containing date and message serial number), even the provider couldn't do anything evil. For the worst case would be bogus posts, from which the communication partners would very soon learn of the defect. It is of course assumed that the password system is ok such that no outsider can post into a foreign account.

(3) Possible financial problems for the provider could be solved via free donations from sponsors or users (including banknotes sent via ordinary mail) or allowing some commercial stuffs in the webpage of the provider.

(4) An attack through large amounts of bogus registrations is unlikely, for that is not done electronically but via ordinary mails, which costs something. I am not sure that server capacity exhaustion absolutely couldn't occur eventually but surmise that's in any case sufficiently satisfactorily solvable, e.g. through an expiration date of the accounts, raising a small amount of registration fees or yearly fees (with banknotes sent via ordinary mail), etc.

(5) Of course a provider with goodwill is assumed. Hopefully there would also be more than one such provider for any user to choose from.

(6) Mirror sites at different geographical locations may be considered in order to somewhat enhance the availability of the service in unexpected adverse situations. Surely the system would fail to function under the attack of an opponent who is mighty enough to break even certain fundamental security components of the Internet communication, in particular the digital signatures. (Nevertheless no secret will be lost, as long as the encryption done by the user is strong enough.)

(7) In the "degenerate" case, the provider may serve only a single group of anonymous communication partners and he himself may be a member of it.

(8) It is intuitively clear that the scheme described satisfactorily provides anonymity, unobservability, pseudonymity and unlinkability.

Mok-Kong Shen
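
An added sketch of items (c) and (2) of the scheme above (not part of the original answer): a public FIFO account with the stated limits, and posts that carry a date, a serial number and an authentication tag so the reader can spot bogus or missing posts. The class and function names are hypothetical, HMAC-SHA256 under a key shared by the partners is an assumed choice of authentication, and the payload is taken to be already encrypted by the sender.

```python
import base64
import hashlib
import hmac
import textwrap
from collections import deque

MAX_POSTS, MAX_LINES, MAX_LINE_BYTES = 10, 25, 80   # limits from item (c)


class Account:
    """Provider side: a readable FIFO that only checks the posting password."""

    def __init__(self, password: bytes):
        self._password = password
        self.posts = deque(maxlen=MAX_POSTS)        # oldest post drops out first

    def post(self, password: bytes, body: str) -> None:
        if not hmac.compare_digest(password, self._password):
            raise PermissionError("wrong account password")
        lines = body.split("\n")
        if len(lines) > MAX_LINES or any(
                len(line.encode()) > MAX_LINE_BYTES for line in lines):
            raise ValueError("post exceeds the size limit")
        self.posts.append(body)


def seal(key: bytes, serial: int, date: str, ciphertext: bytes) -> str:
    """Sender side: header line, base64 payload lines, then the HMAC tag."""
    payload = "\n".join(
        textwrap.wrap(base64.b64encode(ciphertext).decode(), 76))
    signed = f"{serial} {date}\n{payload}"
    tag = hmac.new(key, signed.encode(), hashlib.sha256).hexdigest()
    return f"{signed}\n{tag}"


def check_feed(key: bytes, posts, expected_serial: int):
    """Reader side: label each post ok, bogus or out-of-sequence."""
    report = []
    for body in posts:
        signed, _, tag = body.rpartition("\n")
        good = hmac.new(key, signed.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), good.encode()):
            report.append("bogus")                   # not written by the partner
            continue
        serial = int(signed.split(" ", 1)[0])        # safe: header is authenticated
        report.append("ok" if serial == expected_serial else "out-of-sequence")
        expected_serial = serial + 1
    return report
```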
0

Use TAILS on a throwaway laptop in an internet cafe without cameras, and never log in to anything related to you, use different spelling when you type (don't make the same spelling errors) never use javascript, java, flash, etc.

Steve Sether
gasko peter