Also can anyone point me to resources on preventing doxing while hosting a website? I want a checklist of things that can possibly leak my identity. For example:
- Some basic stuff is use WhoisGuard and don't reuse any existing hosting / cloud infrastructure or even Google Analytics accounts
- But for new accounts, does using real credit card information matter? I am not sure how easily a company will give that information up. For example how hard is it to social engineer or get a court order/subpoena for it?
- Even then you can still be fingerprinted by IP, browser agent, hardware if you ever even log in with the same computer. For example HN certainly knows who my alts are just by checking request log IPs.
- What about sharing similar coding style / code base? Or even just speech/writing patterns? Is NLP sufficiently advanced to fingerprint you by that yet?
Are some of these too paranoid? I really think there's no way to fully prevent doxing for anyone sufficiently motivated. What's actually good enough in practice?
Use Tails or Whonix. Buy Bitcoin with cash via mail on Localbitcoins.com. Depending on your level of paranoia, don't use bills directly withdrawn from the bank/ATM.[1] Be careful to not get fingerprints/hair/traceable writing on the envelope. What I've done is ask someone at the store (buy a card/envelope at CVS or something) to write the address for you. With BTC-via-mail, the only thing you leak is a rough physical location. Running the coins through Monero or something should blind things and render all this moot, but hey just in case?
With anonymized currency, then you're free to start signing up for stuff. If a site doesn't accept Bitcoin, use Localbitcoins.com to buy a prepaid debit card (Visa/Mastercard). If a site insists on a phone number for confirmation, use a darknet market to buy a pre-made Google Voice account. You can't access it over Tor or it'll get blocked, so use darknet markets to rent a Windows client box ($10-20 a month) so you have a "clean" IP and Google won't block you.
Then it's a matter of not giving away your info. You should adopt an entire persona when you're doing anything related to your site. Come up with a backstory (name, location, etc.). Ideally, none of this would matter: You're over Tor and using an entirely separate system for everything related to the site. But from the indictments I've read, it seems like a lot of first steps in finding someone's ID are just going off small hints. The way they write, mentioning the weather, etc. I would assume it to be very effective to fake these things. (For instance, notice a flood in a part of the country. Stay offline during the flood. When you get back on, write a small note that you had to be away due to flooding.)
None of this will protect you from an adversary that can correlate your home-connected-to-Tor times with site-gets-updated-times. But it'll stop people without that access, even if they're willing to fake a subpoena/warrant/etc. to your registrar/hosting provider (easier than you'd think). And hell, it doesn't always take a legal order to get those details; social engineering can do it just fine.
1: I asked Wells Fargo and they claimed they don't keep track of serial numbers and have no way to do so, but it seems so trivial I wouldn't believe it.