# Thought Experiment: A Completely Anonymous Web Site



## raindog308 (Sep 9, 2013)

I was talking with someone at lunch today about anonymity on the Internet and it sparked the question of whether it is possible to setup a completely anonymous web site.

By this I mean that nothing in the creation or ownership of the site can be traced to a person.  

1. You need a domain name.  I think you can register a .tk without much self-identification, and perhaps there are others.  Otherwise, I think the only way would be to buy a pre-paid Visa/Mastercard and use a fake name with a registrar.  I've heard .tk domains have periodically been snatched by the registrar in the past when they got popular but that might be myth.

2. You need internet service.  A VPS would give you control over logs and such, though ultimately I don't think VPS vs. dedicated matters because you don't have physical security no matter what you do.  So you'd need a VPS/dedi provider, presumably one who takes Bitcoin or use your prepaid card.

It's disappointing to me that it's impossible to achieve a truly anonymous presence without resorting to some level of fraud.  Of course, I understand why (crime, spam, etc.)

Before you ask...no, I don't really have a need for this level of anonymity.  I'm not a criminal, hacktivist, spammer, or underground agent.  Just thinking about anonymity.


----------



## Aldryic C'boas (Sep 9, 2013)

Sadly enough, lack of personal responsibility ruins any such endeavour before it could begin, thanks to the GIFT.

Now.. as far as practically possible - you should look into Jester (th3j35t3r , his Twitter account, is the best way to find him).  The man has made a profession of not only remaining anonymous (insofar as his personal identity), but has waged a constant blackhat campaign against various "lulz" groups and jiihadist groups for years now, and nobody has managed to track this guy down.


----------



## RiotSecurity (Sep 9, 2013)

Aldryic C said:


> Sadly enough, lack of personal responsibility ruins any such endeavour before it could begin, thanks to the GIFT.
> 
> Now.. as far as practically possible - you should look into Jester (th3j35t3r , his Twitter account, is the best way to find him).  The man has made a profession of not only remaining anonymous (insofar as his personal identity), but has waged a constant blackhat campaign against various "lulz" groups and jiihadist groups for years now, and nobody has managed to track this guy down.


I beg to differ.

His name is Thomas Ryan (Tom Ryan), here's the facts:

Do some research. Same wiritng styles, same locations, same tweet times, both were at defcon, both wearing exact same shirt, etc.


----------



## Aldryic C'boas (Sep 9, 2013)

Ineffective troll is ineffective.  For starters, I highly suggest you look up the actual definition of _fact_.  A fact is _not_ telling someone "do the research" when you obviously have not done so yourself.  And no, blithely repeating the butthurt claims of the people pissed off at him is not 'proof', and never will be 

Now, instead of trying to derail the topic with your own agenda, how about addressing the question at hand.


----------



## HalfEatenPie (Sep 9, 2013)

Simply just thinking about it I'd have to agree with you.  Without going into fraud there's no truly "anonymous" way to run a website.  While idealistically it'd be awesome if this was possible, I feel that there are too many people in the world who would use it for malicious intent for it to actually be useful.  

Probably the best/only way for you to be anonymous on the internet is just to be a user and not a content provider (site owner).


----------



## WebSearchingPro (Sep 9, 2013)

Very interesting thought - one that I have toyed around with in my mind. It is extremely hard to stay completely anonymous in this information and log rich world we live in. 

I guess it depends the level of anonymity your are looking for though - I'm thinking secret agent type stuff 

As for a website you could (in the past) get free subdomains from certain places with no account data needed - you could then proceed to sign up with certain free webhosting platforms that also did not require identification.

I assume it would not require PHP or anything advanced like that, just a few .html files - this was definitely viable in the past.

You would need to secure yourself with an anonymous tunnel, as well as have completely clean email accounts (and a few other things) in-case an account gets hacked or someone attempts to trace you from the hosting company or your email provider.

As you you use the internet - you leave a trail of crumbs. As insignificant as those "crumbs" may seem, its usually very easy to let your identity slip if someone wants to take the time to actually collect all the relative information and process it.


----------



## KuJoe (Sep 9, 2013)

I've come up with a nice plan to become completely anonymous online but there is a key ingredient that only a few of us have. While I won't divulge this info, I am interested in testing it out somehow.


----------



## raindog308 (Sep 9, 2013)

So getting an reasonably anonymous email is still possible, I think - though Yahoo now requires a mobile phone number to sign up for email.  Sheesh!

From there, you can get some sort of free web hosting shell account.

Assuming you do everything over VPN/TOR (well, TOR to VPN actually), ssh, etc., then I suppose that's as anonymous as one can get.


----------



## Aldryic C'boas (Sep 9, 2013)

raindog308 said:


> So getting an reasonably anonymous email is still possible, I think - though Yahoo now requires a mobile phone number to sign up for email.  Sheesh!
> 
> From there, you can get some sort of free web hosting shell account.
> 
> Assuming you do everything over VPN/TOR (well, TOR to VPN actually), ssh, etc., then I suppose that's as anonymous as one can get.


Well.. while in theory it's possible to obtain a public email account that won't be traced back to you - Lavabit has already shown us that email should no longer be considered secure.  If you really wanted to drop off the radar, you'd want to consider single-use throwaways.


----------



## tchen (Sep 9, 2013)

Does it still count as anonymous if you get a bona fide person to do it for you?  A blind maildrop sort of system.  Once you get root and a vpn setup, open cafe wifi's are your oyster.


----------



## wlanboy (Sep 9, 2013)

Hidden service protocol of Tor might do the trick:

If we still trust Tor.

Freenode is using this protocol too.


----------



## WebSearchingPro (Sep 10, 2013)

tchen said:


> Does it still count as anonymous if you get a bona fide person to do it for you?  A blind maildrop sort of system.  Once you get root and a vpn setup, open cafe wifi's are your oyster.


Idk, if they were able to find that person that initially signed up for the system and torture him he is likely to talk so I wouldn't bet on it. It really needs to be at a point where it cant be pinned on a particular person.


----------



## raindog308 (Sep 10, 2013)

That's interesting, wlanboy, but I was speculating more about speaking anonymous in the public forum (Internet), rather than speaking secretly.  Well, true, a TOR hidden service need not be secret...I guess it's a different path.  I hadn't really thought of that.

I'm getting the sense the best path is free/fake/disposable email + free hosting, presumably mirrored around the net.

Now if only I had something to say...


----------



## nunim (Sep 10, 2013)

I've thought about this kind of thing before, doesn't seem to difficult.

Step 1. 

Buy a prepaid visa gift card that you can use for online purchases with cash.  A better idea is to get a strawbuyer to buy it for you, someone you do not know, i.e. homeless guy out front who wants to make a quick buck. 

Step 2.

Head to a nearby Library/Starbucks or other open Wifi.  I would pick one that's not too close your residence and that you've never been to before.  Boot off a live cd/live USB to ensure no cookies or viruses are present, you can also change your Mac just to be safe. 

It would be better to use the wifi as far away as possible, i.e. the parking lot so that you and your screen cannot be seen on camera.

Step 3.

Use prepaid visa to obtain a VPS or AWS account, pick a provider with Instant Setup and make sure your GeoIP is reasonably close to the address you put for the gift card to avoid flagging MaxMind.  Use a disposable mailbox service such as Mailinator or you can always sign up for a new Gmail.

Step 4. 

Either buy a domain using the same method as above or grab a free one from a service such as dot.cf or dot.ga.

Step 5. 

Setup your website with whatever content you desire.

Step 6.

????

Step 7.

Profit!!!

When you want to make changes only do so via open Wifi and don't use the same one frequently, I would also recommend TOR or an open proxy on top.  An alternative to open wifi, would be to buy a prepaid cellphone and prepaid data, ensure you remove the battery from the phone after use and don't use it from anywhere near your home.


----------



## HalfEatenPie (Sep 10, 2013)

See the issue with that though nunim is that I feel that's borderline fraud.  Assuming the address you're using isn't yours, I feel like that's 100% fraud.


----------



## rm_ (Sep 10, 2013)

> That's interesting, wlanboy, but I was speculating more about speaking anonymous in the public forum (Internet), rather than speaking secretly.  Well, true, a TOR hidden service need not be secret...I guess it's a different path.  I hadn't really thought of that.


Not sure what you're getting at, and what a _forum_ has to do with this. Didn't you first want a domain and a VPS.

Tor hidden services are absolutely *the* solution, you can host a web (or any other server) and no one will know who's running it or where it's hosted.

Admittedly you will not have a very pretty domain name, but people still can read you either via the Tor Browser or any of the myriad of Tor2web gateways. E.g. a Hidden service via onion.to: https://kpvz7ki2v5agwt35.onion.to/wiki/index.php/Main_Page


----------



## peterw (Sep 10, 2013)

HalfEatenPie said:


> See the issue with that though nunim is that I feel that's borderline fraud.  Assuming the address you're using isn't yours, I feel like that's 100% fraud.


And you are using the address of someone else. So they will be f*cked up because of someone's actions.



rm_ said:


> Tor hidden services are absolutely *the* solution, you can host a web (or any other server) and no one will know who's running it or where it's hosted.
> 
> Admittedly you will not have a very pretty domain name, but people still can read you either via the Tor Browser or any of the myriad of Tor2web gateways. E.g. a Hidden service via onion.to: https://kpvz7ki2v5agwt35.onion.to/wiki/index.php/Main_Page


Onion.to is a great service!



> onion.to Tor Hidden Services Gateway
> This gateway to Tor hidden services provides convenient access to Tor hidden services. It is a pure proxy that forwards requests to the respective hidden service. We do not store any data and are not liable for the content.
> 
> No anonymity!
> Onion.to as a gateway *cannot offer any anonymity for the visitor*. For example, both onion.to and the hidden service itself can see the visitor's IP address, and use browser fingerprinting to track users across different sessions. In _all cases_, it is better to download the Tor Browser Bundle and access the hidden service using Tor (don't forget to remove the .to from the URL!).


----------



## rm_ (Sep 10, 2013)

> Onion.to as a gateway *cannot offer any anonymity for the visitor*


That's correct, you can:1. Publish anonymously

2. Read anonymously

3. do both

4. do neither

And the question of this thread is how to do #1.

There are still lots of cases when you do not care about being anonymous as a reader, but want to access information that was anonymously published. For that, services like onion.to are useful.


----------



## stim (Sep 10, 2013)

Thinking outside the box, what if you were to do away with the weakest link - hosting - and instead publish your content using Bittorrent Sync and a one-way secret?


----------



## raindog308 (Sep 10, 2013)

rm_ said:


> Not sure what you're getting at, and what a _forum_ has to do with this. Didn't you first want a domain and a VPS.


"Forum" in the generic sense of the word - a place to speak.


----------



## drmike (Sep 10, 2013)

Good thread.  Keep it going.

Big catch points here as I see it:

1. Free services like free shells and VPS are bound to evaporate at any time.

2. Retail VISA and Mastercard prepaids - don't they ID folks for those? Someone know?

3. Internet access --- must be a clean terminal/machine only for this purpose and never should connect to anything else and especially not a network connected to you.  And, access should be out of your proximity physically and you unknown by owner/operator.


----------



## Aldryic C'boas (Sep 10, 2013)

buffalooed said:


> 2. Retail VISA and Mastercard prepaids - don't they ID folks for those? Someone know?


Not as long as you pay cash for them.  When I did HUMINT we'd use multiple prepaids to keep from being tracked based on purchase habits/etc.  It's actually more difficult to track prepaid users than people using cash due to the bill/coinage patterns involved.


----------



## nunim (Sep 10, 2013)

HalfEatenPie said:


> See the issue with that though nunim is that I feel that's borderline fraud.  Assuming the address you're using isn't yours, I feel like that's 100% fraud.


 

Well, you can use the address of a public facility, such as homeless shelter, library, government facility, etc.. or you can just use an entirely fictional address so that no one can be blamed for your actions.  I don't think it's fraud as you're not personally gaining anything, would probably be more of a hoax but I'm not a lawyer.

 

 Either way, I wouldn't feel bad about using a fictional address or the address of a government institution, one of my .EU domains is using the address of parliament.

 

Bottom line if you want to be completely anonymous on the Internet you're going to have to lie about who you are at some point otherwise why bother being anonymous?  Do you think it's wrong to put a fake name on the signup form for an email provider?





buffalooed said:


> 3. Internet access --- must be a clean terminal/machine only for this purpose and never should connect to anything else and especially not a network connected to you.  And, access should be out of your proximity physically and you unknown by owner/operator.





That's why I would suggest booting off a live cd/usb and changing the MAC address.  Simpler then having a dedicated machine and leaves no trace behind in case the machine is later compromised. You could also use a public terminal such as at a library or internet cafe just ensure there are no cameras covering that terminal.

The hardest part in my opinion would be to keep your writing sufficiently different from your normal writing style to avoid identification.  I would suggest using a group of authors to combat this but it would be hard to maintain complete anonymity from each other, even then with enough sample data it is likely that someone would be able to identify who wrote which article.  See - http://en.wikipedia.org/wiki/Forensic_linguistics#Author_identification

A lot of this stuff depends on who you're trying to keep your identity hidden from, if it's just internet users and the like (lulzsec etc..) then it's not very difficult but national intelligence agencies are likely going to be able to find you eventually no matter what precautions are taken.


----------



## HalfEatenPie (Sep 10, 2013)

nunim said:


> Bottom line if you want to be completely anonymous on the Internet you're going to have to lie about who you are at some point otherwise why bother being anonymous?  Do you think it's wrong to put a fake name on the signup form for an email provider?


That's the thing though. We're trying to find ways to be anonymous and not lie. You're assuming that being anonymous == having to lie but I think we can probably find a way around it (or hopefully). I personally see this as an issue.


----------



## drmike (Sep 10, 2013)

The age old question you run into as a moral person is that lying is nearly inevitable in life, unless you want to voluntarily be dragged off and hung on a cross.

Self preservation is a right and expectation like all others.  Who loses if you lie about who a domain is registered to or who is spending cash to buy a legal good?  No one.   You are feeding them bad data and nothing more.  It should be a common exercise in civil disobedience.   Make the data collection pool so utterly useless that they stop collecting the data.


----------



## nunim (Sep 10, 2013)

HalfEatenPie said:


> That's the thing though. We're trying to find ways to be anonymous and not lie. You're assuming that being anonymous == having to lie but I think we can probably find a way around it (or hopefully). I personally see this as an issue.


I don't see how you can be anonymous and not lie about who you are, I mean, if you do get a website together using free resources are you going to post in your real name?  No?  Then aren't you lying about who you are?

If you want to use your real name your only options are to use an open mailbox, i.e. Mailinator to register for a free hosting service and use the same mail to get a free domain (dot.tk).  Although most free hosting services are going to want at least a name from you.


----------



## rm_ (Sep 10, 2013)

> if you do get a website together using free resources are you going to post in your real name?  No?  Then aren't you lying about who you are?


Nope, he's going to honestly say "sorry guys I am not telling you my real name", or in a shorter form, "I am anonymous".


----------



## nunim (Sep 10, 2013)

I've found a couple free hosting platforms that you can signup with just an email address and no name, but they require you to use their shitty website builder.

http://vpsboard.tk - My completely anonymous site, created without entering any personal information whatsoever.

So if you don't want to lie about your name for some odd reason and buy a proper VPS and domain, you're limited to crap like that but it is possible.  You could also probably do a post-to-host scheme to get a free VPS/site hosting with just a forum username.


----------



## raindog308 (Sep 11, 2013)

HalfEatenPie said:


> That's the thing though. We're trying to find ways to be anonymous and not lie. You're assuming that being anonymous == having to lie but I think we can probably find a way around it (or hopefully). I personally see this as an issue.


Right.  Ideally, no deception is needed.  Because ideally, it shouldn't be needed.

Now if I was working in some dissident movement under a repressive government, would I think twice about using a fake name to sign up for Gmail?  No.


----------



## nunim (Sep 11, 2013)

raindog308 said:


> Right.  Ideally, no deception is needed.  Because ideally, it shouldn't be needed.
> 
> Now if I was working iorn some dissident movement under a repressive government, would I think twice about using a fake name to sign up for Gmail?  No.


I don't live under a repressive [SIZE=10.5pt]government [/SIZE]anymore (I've moved from the USA to Canada ) , but only one out of the 5 email accounts I frequently use has my real name attached to it  and it is strictly used for work related correspondence.

[SIZE=10.5pt]I’m not sure what has happened during the last ten or so years, but when the internet was younger everyone was cautioned about posting their information online lest they be found by an “internet stalker”.  These days it’s trivial to learn someone’s personal information by following their Facebook or Twitter accounts. [/SIZE]

[SIZE=10.5pt]I would like to know why people have become more willing to post their personal information on the internet. Am I one of only ones who still use fake names and other information whenever possible?  [/SIZE]


----------



## peterw (Sep 11, 2013)

nunim said:


> [SIZE=10.5pt]These days it’s trivial to learn someone’s personal information by following their Facebook or Twitter accounts. [/SIZE]


You talk about the people using vpn and tor only to login into their facebook account anonymously :lol:


----------



## Aldryic C'boas (Sep 11, 2013)

HalfEatenPie said:


> That's the thing though. We're trying to find ways to be anonymous and not lie. You're assuming that being anonymous == having to lie but I think we can probably find a way around it (or hopefully). I personally see this as an issue.


I've known legitimate, non-skid hosts that would occasionally allow someone to sign up anonymously, after they explained the situation, what they planned on doing, etc.  It's rare, but trust does still exist in places.



nunim said:


> [SIZE=10.5pt]I would like to know why people have become more willing to post their personal information on the internet. Am I one of only ones who still use fake names and other information whenever possible?  [/SIZE]


You'll notice the majority of those people have next to no experience with the net.  Years back, tons of people fell for ponzi/pyramid schemes because it was a 'new' thing they knew nothing about, and had no inkling of the danger/scam.  Same thing with the net - it's 'cool' to have a Facebook/etc (and even worse, convenient).  They willingly believe that Facebook is the product, and the ads/games provide the capital - completely unaware that Facebook is merely a broker, with their personal information/pics/posts/etc being the commodity to be sold.


----------



## wlanboy (Sep 11, 2013)

Aldryic C said:


> I've known legitimate, non-skid hosts that would occasionally allow someone to sign up anonymously, after they explained the situation, what they planned on doing, etc.  It's rare, but trust does still exist in places.


Yup there are some providers left that give someone a hand if they need support.

Even if they know that it might get burned by public authority.


----------

