my friend and I are trying to make the most anonymous setup for a computer to do things across the internet without being known the location from which it came.
Our setup is as follows:
A windows machine, with linux running in virtualbox, with a spoofed mac address using tor to do internet things.
Will this setup provide anonymity on the internet?
Is any of it redundant, or useless?
What could we do better?
Tor does not always protect your ip fully when you need to interact with the end node. You can check your efforts with online checks like this.
What has worked for me on every check I've tried is JanusVM. It runs as a VM, which you use as a proxy for your hardened browser VM. Janus uses Tor, squid, dns-proxy-tor, and privoxy to cover your ip. It is very simple and easy to setup.
I use VirtualBox's 'Seamless mode' so that my browser (in a guest VM) looks and acts like a local app on the host. Very convenient as long as you still remember which window is in the protected environment. :)
You should use a live CD like BackTrack. This comes with Tor and software for breaking WEP and WPA2-PSK. Then you can go war driving... are you old enough to drive?
Also brush up on your OSI model, the MAC address is only needed by the data link layer and is there for scrubbed off by whatever router you are behind. However, some routers log what MAC addresses they have communicated with.
Legalities and ethics aside, the following could theoretically provide a reasonable level of anonymity:
Then it's just up to you to ensure you don't post or share information on the internet which could be used to identify you.
You should consider how your browser profile looks to the web servers on the net. Check out https://panopticlick.eff.org/ for a test of just how unique your setup might be. If you turn out to be one in a million unique like many you will need to consider what you actually mean by anonymous in this case.
with a spoofed mac address
This doesn't do anything for you. The IP address of your local gateway is what matters, which there's not much you can do about. Tor is better than nothing, but I wouldn't count on it for much.
So, how anonymous? Anonymous enough to counter your average passive monitoring, but certainly not a determined attacker.
You should think about footprint as well as thumbprint; i.e. one could change their browser user agent to disclose no info about browser build and so on, more anonymous but also more unique than the typical firefox or ie headers.
Depending on who your trying to hide from...
Your currently using systems all developed by the G man.
Tor is far from anonymous but, it does however provide a very good method of scrambling traffic, for a little while longer.
Its relatively easy to distinguish a virtual machines traffic.
Encrypting said VM might help ;-)
I believe there is something called Tails you'd be interested in.
Good luck.
One big thing I see you missing is blocking of cookies. Either block them in the browser or use do not track plus extension for chrome.
You should also read this: http://nmap.org/book/osdetect.html There was a hak5 episode about modifying IP settings in Windows to make your Windows PC look like a linux box.
I'd also add a foreign private proxy before you enter Tor, this should obviously not be registered under your details so you should look into hosts which will set up the host on your behalf (some will even take bitcoins). This will help mitigate the fact that a lot of Tor exit nodes are run by law enforcement agencies (some as honey pots of sorts, some for their own internal use).
I think lastly is the issue of web habits. All of this is pretty useless if you use the box to look at all your friend's Facebook profiles. Use one box for your Blackhat persona and another for your IRL persona. If you can even try to write differently ie using txtspk on your Blackhat persona and proper English on your IRL persona, I've been on forums where people would detect duplicate accounts by just their grammar.
