So you want to interact with the less “white hat” types of security professionals but you don’t want to hang your balls out there and allow people to track back to you? Looking to not put your name which might be attached to your company into the limelight if you just happen to get noticed and on the wrong side of some punk kid who decides to have some fun at the possible expense of your career? Or you are just a rightfully paranoid security guy looking to rub shoulders and learn new things without the possible collateral damage of having to defend your own network at home? Well, here are some tips on staying anonymous online.
For this series of posts, I will try not to get fancy and technically challenging. I know you can leverage even better means of anonymity online by routing through SSH connections and shells, scrubbing packets and information, “borrowing” other computers in disparate parts of the world and using them to bounce your connections, or fancy P2P nets and encryption. Some of that is just not as practical for quick approaches. Of note, not all of the stuff mentioned here is technically legal, although the illegality may still be pretty grey. Open mail relays, web proxies, and nearby wireless networks may not necessarily be freely open, so just be aware of that.
Keep in mind that this guide is not meant to protect you if you want to do illegal and bad things. This guide is meant for non-criminals to add an extra layer or two of protection between yourself and other nosy persons. If you already live in the darker corners of the Internet, this guide will not give you any additional information. I also am not entirely encouraging people to push the lines of legality with some of these ideas and steps. Common sense is your friend.
This series is not meant to protect your identity from credit card thieves or allow you to live out your life in places the IRS cannot find you. This is not about hiding your search queries in Google because you think they and the DHS are tracking you. This is simply about being anonymous on the Internet in regards to how other people find or interact with you and you with them.
I’ll start off with some ground rules.
First, don’t be stupid and immature and pick fights. What some newbies do in communities is pick fights and/or act stupid in an effort to quickly get noticed. This is not the way to go. If you have something useful and novel to offer the community, go for it. But most people new to these communities are better served by sitting back and offering tidbits and discussion as they have an opportunity to do so. Be positive, supportive, friendly, and outgoing when it appears to be welcomed. Learn the tone, the names, and what goes on. That’s really the biggest bit of advice for interacting in a community outside the white hats and office cubicles: don’t be a dumbass. And if someone pounces on you trying to be a pest, just let it slide. This isn’t prison where you need to offer a beatdown to the first person who challenges you or forever be branded easy pickings.
Second, pick a nickname (screename, handle, nick…). If you want to maintain a distance between yourself and the community (which is sometimes prudent considering the curious nature of many crackers), you definitely need to not be known by your real name. Pick a nickname and stick to it. Better yet, pick a fully fake name. I go by Michael Dickey pretty much everywhere in life. But what if I picked Wally Harrison as my name online? I could hide in the noise of Google searches for other people. If you pick something really unique, you’ll be a bit more easily searchable and one slip-up could ruin all of this work. Of course, don’t pick a name that someone else is already using. Using StankDawg might not be kosher with StankDawg.
Third, be aware that staying anonymous is a heck of a lot of work. It is not easy. The more you want to be involved and known, the more you will leak information and screw up. True, full anonymity is not easy at all; in fact, I couldn’t do it, myself. And if you want to make a go of it, be prepared for hard work, lots of time spent troubleshooting your own tactics, and prepare for your failures and slip-ups. True anonymity might not mean making absolutely zero mistakes, but it should be your goal to never show up in any logs with data that might be tied to you. Be aware of your information.
As a general rule, don’t communicate or browse from home as much as is convenient to you. If you have nearby hotspots and open wireless, use them. If a neighbor has wireless, “borrow” their connection if you are feeling too paranoid (I didn’t encourage that…right?).
Lastly, as part of this series of posts (a first for me), I encourage feedback, both in the form of suggestions, corrections, or even challenges saying my advice is crap. And even if you aren’t looking to be anonymous, at least be aware of the ways some of your own users might be trying to stay anonymous.