Untraceable

How to Start an Anonymous Blog

Introduction

I believe that by following the steps I outlined in this post, no one will ever be able to reveal my identity. My domain may be seized and my blog can be closed, but I am confident that my identity will remain a mystery.

I can say these things mainly because I believe in a very important tool called Tor. Developers and operators of Tor nodes work to ensure that anyone can be anonymous on the internet. Tor is a great pain to the NSA, and any other organization or country that wants to spy on internet activity.

The Tor network makes it very difficult to track down IP addresses, and domain registration is now available via Bitcoin, so I never needed to provide any personal information when setting up this blog.

Tools and Resources

Tails / Tor

Tails is started from a USB disk, which also includes an encrypted partition. The encrypted partition holds a Bitcoin wallet, blog source code and Keepass database. My passwords for third-party services are randomly generated, and very strong. Tails makes it very hard to go wrong, because all network connections are forced through Tor. For example, to develop this blog locally, I must add some firewall rules to allow local connections on port 4000, download a different browser (Midori), and then tell it to skip using a proxy server. The firewall rules block all external requests in Midori, but I can access http://localhost:4000.

So unless I do some nonsense like log in to StackOverflow using my real Google account and use the “untraceableblog” username, I believe it will be almost impossible to track me.

I make a backup of the USB flash drive on my primary computer and save it to a TrueCrypt hidden volume. I like the idea of hidden volumes, I feel like a fucking spy. The idea is that you can have a fake password that unlocks the encrypted fake folder, and a real password that unlocks the real encrypted folder, and there is absolutely no way to know which one you unlocked. In my fake encrypted folder, I keep my personal Keepass database, credit cards, and scans of my passport and driving license. So if someone forces me to enter my password to unlock my computer, and finds that in their opinion, I have a volume of TrueCrypt, then there is no way of knowing if I entered the real or fake password.

This feature allows even a little protection from “wrench attacks”:

Most of the time I hide the stick in a secret location in the house. When I need to go somewhere and want to be able to update this blog, I’ll back it up to the hidden volume, and then securely erase the USB disk, so I can take it with me without fear. This is what I must do until the Tails adds its own function for ‘hidden volumes’.

E-mail

I signed up for a free email account from Outlook.com, and used anonymousspeech.com account as a verification and backup.

I tried Gmail first, but Google makes it very difficult to sign up for accounts, when you use Tor, because they require phone verification. This is fair enough, because people like to create a huge number of fake accounts Gmail to send spam.

Blog

This blog is free on GitHub Pages. It uses Octopress to create a static site, and I installed the Page Turner theme. I push to GitHub with an SSH key, which is, of course, encrypted and stored on my USB stick.

I can think of two vectors, which can give out information about my identity:

Message Timestamps

The Tails operating system has a good policy of forcing the system time to always be UTC. But if I wrote a series of blog posts in the coming years, you could maybe analyize timestamps to determine my time zone. However, the compiled site shows only the date. Also, I travel a lot. (Or do I?) ;)

Word and character frequency analysis

You may be able to find out my country of origin or identity by my words and phrases. You might even be able to find a match with the other content that I posted online under my real identity. I counter this by running all my posts through Google Translate. I translate into another language, then to English, and then correct the errors. It’s great for mixing up my vocabulary, but I wish it didn’t fuck up Markdown and HTML so much. Until this point, you might have assumed that English was my second language. But let me assure you, I will neither confirm nor deny it.

One problem is that Google can see my original messages, and the NSA can probably see them too. If I wanted to avoid it, I could post some anonymous translation jobs and pay the translaters via Bitcoin.

Analytics

See the email section for reasons why Google Analytics was unavailable. I signed up for StatCounter instead.

But even if Google Analytics were available, I wouldn’t use a tracking ID linked to my real identity. Many anonymous bloggers have been busted by Google’s Reverse ID Lookup tool.

Buying Bitcoins with maximum anonymity

I bought the Bitcoins from local Bitcoins, using an anonymous account that I set up over Tor. I found a seller who was willing to meet in person, and we agreed on a time and place. We met, I gave them money, and they released the Bitcoins from escrow using their phone.

Buying a domain name with Bitcoins

IT Itch is a domain registrar that accepts payments via BitPay. Their domains are quite expensive at $15 USD each, but worth it for completely anonymous registration. This was an easy process, but it took a long time for the domain to become active (over an hour). Once it had been activated, I configured the DNS records for GitHub Pages, and then my blog was live at http://untraceableblog.com

One thing that IT Itch did terribly wrong was to e-mail me my password in plain text after I signed up. NO GOOD! If someone got access to my outlook email, they could have signed in and ruined my domain. So I deleted the message and changed my password, and luckily they did not email me a new password.

How I could get busted, Part One

Tracing the Bitcoins

In theory, you could follow the trail of Bitcoin transactions and discover my identity. However, in this case, it is very unlikely that even the most sophisticated and well-funded organizations would be able to find me.

See, I bought these Bitcoins using an anonymous account on localbitcoins.com (created using Tor). The seller and I agreed on the spot to meet in person, and I paid cash. To reveal my identity, you would need to break or work for every service that I used. Like this:

1) Get access to the ititch.com database, and find the BitPay transaction identifier for untraceableblog.com

2) Get access to the BitPay database, and find the Bitcoin address that sent Bitcoins for this transaction

3) Get access to the localbitcoins.com database. Find the Bitcoin address which sent the coins to BitPay, trace the transactions back until you find a localbitcoins escrow address.

4) From the escrow address, you might be able to find the localbitcoins accounts, and then you can read the messages that we exchanged about meeting up.

5) You would need to visit this location, and hope that there are some surveillance cameras that might have captured us on the day.

6) You’d finally need access to the security company that has security camera footage archives, get a clear picture of my face, and somehow run a facial recognition scan to find my identity. Working for Facebook or the NSA may help if you get that far.

How I could get busted, Part Two

Everything is hacked. All of it.

The Internet is a machine based on trust, and there are many ways that this trust can be broken. Someone may be able to generate trusted SSL certificates for any domain, demand that ISPs route all traffic through them, or control a huge amount of Tor nodes and perform traffic analysis attacks. I will not go into details, but if you’re interested, you can read more about Tor attacks:

Conclusion

This blog was just a fun exercise in anonymity, although I might use it to post some things in the future. I am just using the tools built by people much smarter than me, and I’m certainly not the first anonymous blogger, but I hope you learned something new.

Of course, the rabbit hole can go much deeper than this. I could have hosted this blog on a VPS that I rented with Bitcoins, and set up the server as a Tor hidden service. The server’s IP address would be fully protected, but then you could have only read the blog by connecting to the Tor network, and onion links just don’t make it to the front page. I could have also done all my activities from a coffee shop, just in case Tor was compromised, but I couldn’t be fucked. Finally, I could have chosen an “.se” domain if I was scared about U.S. government intervention. That’s what The Pirate Bay is using now, and the Swedes are just letting them do their thing.

Please feel free to send me some spare Satoshis if you enjoyed the post: 146g3vSB64KxxnjWbb2vnjeaom6WYevcQb.

And if you can find me, I’ll be very impressed.

Discuss this post on Hacker News.