Anonymous posting in blogs
This guide to Anonymous Blogging was written by Global Voices.
Global Voices provides the following disclaimer;
"If you follow these directions exactly, you’ll sharply reduce the chances that your identity will be linked to your online writing through technical means - i.e., through a government or law enforcement agency obtaining records from an Internet Service Provider. Unfortunately, I cannot guarantee that they work in all circumstances, including your circumstances, nor can I accept liability, criminal or civil, should use or misuse of these directions get you into legal, civil or personal trouble."
"These directions do nothing to prevent you from being linked through other technical means, like keystroke logging (the installation of a program on your computer to record your keystrokes) or traditional surveillance (watching the screen of your computer using a camera or telescope). The truth is, most people get linked to their writing through non-technical means: they write something that leaves clues to their identity, or they share their identity with someone who turns out not to be trustworthy. I can’t help you on those fronts except to tell you to be careful and smart. For a better guide to the “careful and smart” side of things, I recommend EFF’s “ How to Blog Safely ” guide."
Disguise your IP
Every computer on the internet has or shares an IP address. These addresses aren’t the same thing as a physical address, but they can lead a smart system administrator to your physical address. In particular, if you work for an ISP, you can often associate an IP address with the phone number that requested that IP at a specific time. So before we do anything anonymous on the Internet, we need to disguise our IP.
What to do if you want to blog from your home or work machine: visit torproject.org website and download TOR browser bundle, which is complete ready-made Firefox browser with in-build security settings. TorButton for Firefox is no longer supported. Of course, you can use your other favorite browser with TOR, however, browser settings and doorways in browsers may compromise your security.
You may find that Tor slows down your web use - this is a result of the fact that Tor requests are routed through three proxies before reaching the web server. Some folks - me included - use Tor only in situations where it’s important to disguise identity and turn it off otherwise -
Turn Tor on in Firefox and test it out
Otherwise you will get this message telling you "Sorry. You are not using Tor. If you are attempting to use a Tor client, please refer to the Tor website and specifically the instructions for configuring your Tor client ."
What if Tor never connects?
" Bridge relays (or "bridges" for short) are Tor replays that aren't listed in the main Tor directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor replays, they probably won't be able to block all the bridges. If you suspect your access to the Tor network is being blocked, yo umay want to use the bridge feature of Tor."
You can get bridged by sending an email, from a gmail account, containing "get bridges" in the body of the email to the following email address [email protected]. After this, you will receive an automatic message with the bridges. It is also possible to acquire bridges from the following url : https://bridges.torproject.org/
Open Vidalia's control panel, go to settings > network and click "My ISP blocks connections to the Tor network". Add each bridge address one at a time by pasting it into the "Add a Bridge" window and then clicking the "+" sign.
Generate a new email account
Most web services - including blog hosting services - require an email address so that they communicate with their users. For our purposes, this email address can’t connect to any personally identifiable information, including the IP address we used to sign up for the service. This means we need a new account which we sign up for using Tor, and we need to ensure that none of the data we use - name, address, etc. - can be linked to us. You should NOT use an existing email account - it’s very likely that you signed up for the account from an undisguised IP, and most webmail providers store the IP address you signed up under.
a) Choose a webmail provider - we recommend Riseup.net and Gmail , but as long as you’re using Tor, you could use Yahoo or Hotmail as well. Also, you can easily register a free and quick webmail account with fastmail.fm .
Hotmail and Yahoo mail both have a “security feature” that makes privacy advocates very unhappy. Both include the IP address of the computer used to send any email. This isn’t relavent when you’re accessing those services through Tor, since the IP address will be a Tor IP address, rather than your IP address. Also, Hotmail and Yahoo don’t offer secure HTTP (https) interfaces to webmail - again, this doesn’t matter so long as you use Tor every time you use these mail services. But many users will want to check their mail in circumstances where they don’t have Tor installed - for your main webmail account, it’s worth choosing a provider that has an https interface to mail.
Riseup.net provides webmail with a very high degree of security. They support PGP encryption (Pretty Good Privacy) - which is very useful if you correspond with people who also use PGP. You can sign up for a free account at www.riseup.net and ask your correspondents (recipients) to register a free account as well.
Gmail, while it doesn’t advertise itself as a secure mail service, has some nice security features built in. If you visit this special URL , your entire session with Gmail will be encrypted via https. (I recommend bookmarking that URL and using it for all your Gmail sessions.) Gmail doesn’t include the originating IP in mail headers, and you can add PGP support to Gmail by using the FireGPG , a Firefox extension that adds strong crypto to Gmail. FireGPG brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.
A warning on all webmail accounts - you’re trusting the company that runs the service with all your email. If that company gets hacked, or if they are pressured by other governments to reveal information, they’ve got access to the text of all the mails you’ve received and sent. The only way around this is to write your mails in a text editor, encrypt them on your own machine using PGP and send them to someone also using PGP. This is way beyond the level of secrecy most of us want and need, but it’s important to remember that you’re trusting a company that might or might not have your best interests at heart. Yahoo, in particular, has a nasty habit of turning over information to the Chinese government - Chinese dissidents are now suing the company for illegal release of their data. Just something to think about when you decide who to trust…
b) Turn Tor on in your browser, or start XeroBank. Visit the mail site of your choice and sign up for a new account. Don’t use any personally identifiable information - consider becoming a boringly named individual in a country with a lot of web users, like the US or the UK. Set a good, strong password (at least eight characters, include at least one number or special character) for the account and choose a username similar to what you’re going to name your blog.
c) Make sure you’re able to log onto the mail service and send mail while Tor is enabled. It is most likely that Tor changes its circuit every 10 minutes and this could disrupt your webmail operations, so you should consider limiting the process of writing a new email to 10 minutes.
Register and post
Register your blog
b) Wordpress will send an activation link to your webmail account. Use your Tor-enabled browser to retrieve the mail and follow that activation link. This lets Wordpress know you’ve used a live email account and that they can reach you with updates to their service - as a result, they’ll make your blog publicly viewable and send you your password. You’ll need to check your webmail again to retrieve this password.
c) Still using Tor, log into your new blog using your username and password. Click on “My Dashboard”, then on “Update your profile or change your password.” Change your password to a strong password that you can remember. Feel free to add information to your profile as well… just make sure none of that information is linked to you!
Post to your blog
b) Turn on Tor, or use Tor Browser from your portable media drive, and log onto Wordpress.com. Click the “write” button to write a new post. Cut and paste the post from your text file to the post window. Give the post a title and put it into whatever categories you want to use.
c) Before you hit “Publish”, there’s one key step. Click on the blue bar on the right of the screen that says “Post Timestamp.” Click the checkbox that says “Edit Timestamp”. Choose a time a few minutes in the future - ideally, pick a random interval and use a different number each time. This will put a variable delay on the time your post will actually appear on the site - Wordpress won’t put the post up until it reaches the time you’ve specified.
They start recording the times a post was made on downwithetc.wordpress.com and check these timestamps against their logs. They discover that a few seconds before each post was made over the series of a month, one of their customers was accessing one or another Tor node. They conclude that their user is using Tor to post to the blog and turn this information over to the police.
By changing the timestamp of the posts, we make this attack more difficult for the internet service provider . Now they’d need access to the logs of the Wordpress server as well, which are much harder to get than their own logs. It’s a very easy step to take that increases your security.
Cover your tracks
a) Securely erase the rough drafts of the post you made from your laptop or home machine. If you used a USB key to bring the post to the cybercafe, you’ll need to erase that, too. It’s not sufficient to move the file to the trash and empty the trash - you need to use a secure erasing tool like Eraser or Ccleaner which overwrites the old file with data that makes it impossible to retrieve. On a Macintosh, this functionality is built it - bring a file to the trash and choose “Secure Empty Trash” from the Finder Menu.
b) Clear your browser history, cookies and passwords from Firefox. Under the Tools menu, select “Clear Private Data”. Check all the checkboxes and hit “okay”. You might want to set up Firefox so that it automatically clears your data when you quit - you can do this under “Firefox -> Preferences -> Privacy -> Settings”. Choose the checkbox that says “Clear private data when closing Firefox”. In case you cannot install programs on the computer, use the IE Privacy Cleaner tool from the USB stick to wipe temp browser data.
- Just because you’re anonymous doesn’t mean you shouldn’t make your blog pretty. The “Presentation” tab in Wordpress has lots of options to play with - you can pick different templates, even upload photos to customize some of them. But be very, very careful in using your own photos - you give a lot of information about yourself in posting a photo (if the photo was taken in Zambia, for instance, it’s evidence that you are or were in Zambia.)
- If you’re really worried about your security, you might want to go a step further in setting up your Firefox browser and turn off Java. There’s a nasty security bug in the most recent release of Java that allows a malicious script author to figure out what IP address your computer has been assigned EVEN IF YOU ARE USING TOR. We don’t worry too much about this because we don’t think that Wordpress.com or Google are running these malicious scripts… but it’s something to seriously consider if you’re using Tor for other reasons. To turn off Java, go to “Firefox -> Preferences -> Content” and uncheck the box for Enable Java.
- If you’re the only person in your country using Tor, it becomes pretty obvious - the same user is the only one who accesses the IP addresses associated with Tor nodes. If you’re going to use Tor and you’re worried that an ISP might be investigating Tor use, you might want to encourage other friends to use Tor - this creates what cryptographers call “cover traffic”. You also might want to use Tor to read various websites, not just to post to your blog. In both cases, this means that Tor is being used for reasons other than just posting to your anonymous blog, which means that a user accessing Tor in an ISP’s server logs doesn’t automatically make the ISP think something bad is taking place.
A final thought on anonymity: If you don’t really need to be anonymous, don’t be. If your name is associated with your words, people are likely to take your words seriously. But some people are going to need to be anonymous, and that’s why this guide exists. Just please don’t use these techniques unless you really need to.