by notsoanonynous 1581 days ago
Tor is amateur hour. The Feds can easily deanomymize things where a server is up 24/7 servicing requests.

The author of this article is also very wrong: Anonymity is not on a spectrum. It’s all or nothing. Like a Mario game where any mistaken encounter makes you start over (and that’s if you don’t get in trouble for what you did).

First step is to understand that any system could be bugged. Every IRL confidant could sell you out. Every keyboard could have a keylogger, etc. Every store could have a security camera. Phones are giving out their MAC numbers to every cell tower and wifi radio. They now have chips you can’t turn off, and so forth.

You should also assume there is no such thing as an “anonymous” account and that every service COULD sell out whatever information you gave it. (Yes, even Telegram or ProtonMail, however unlikely that may be.)

The below is a playbook for how to become truly anonymous. Continue to live your everyday life but the below is only for your “anonymous” identities, which you can gradually bootstrap as a hobby:

The first thing you do, therefore, is bootstrap your identity by taking advantage of unlinkability that is available to you. Buy a bunch of Android phones on Craigslist for cash, for example. (Or pay a homeless guy to buy a phone in a store for you.) Do not use SIM cards at all, only WiFi. Never take photos, etc. Keep your phone off or in a faraday cage until you use it. For extra points, always use it through a VPN on WiFi at home, which you purchased using the accounts below:

Then make an anonymous google account on the Android phone. Make some ProtonMail accoung usinf such an anonymous Google account. Now you can bootstrap from email addresses.

Buy some Google Play gift cards and download some apps to get a second number. Now you can bootstrap from a phone number. Sign up to Telegram, Signal and other accounts using this. Now you have end to end encrypted messaging.

Frankly, though, realtime messaging is a bit of a luxury to continue to stay in normie world. To stay truly anonymous, you should continue to:

1. Schedule posts and mail send/receive at random times. Do not ever use realtime audio or video because it might be recorded. You might make an exception for early days of your projects when people would have no reason to go out of their way to record you — just to give them confidence you’re a real person. But afterwarss, stop doing that. Let the people build your movement for you.

2. Never mention your anonymous identity or projects from your real one, and vice versa. This means your anonymous identity MUST NEVER have confidants or colleagues IRL. Build up a network of colleagues who are “fronts” for what you do. Eventually you can step back and let the movement do things for you.

3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).

4. You will only ever be able to spend the crypto on paying people for services and DeFi protocols. You can never cash out to fiat, because the IRL purchases catch up with you when they follow the money. There is a surprising amount of online services you can spend $97 million dollars on, while staying anonymous ;-) If you really do need to spend money IRL (because you went broke somehow in your everyday life) then you can cashout using cross-chain bridges and Monero to pay for goods. But still, never get ostentatious wealth IRL!

5. The weakest link then becomes your writing or coding style. Never publish any code or writing, let others do it for you. Make your communication to others from your anonymous identity sufficiently different than anything saved later would not identify you (this is the weakest link, but you can consider “playing a character” when speaking to others).

6. Any private keys that you used to sign your messages can be periodically published in some conspicuous place, effectively giving you plausible deniability about all your previous and future posts. It’s hard to prove a negative (that no one else has access to your private keys before your public disclosure.)

Alright, Hacker News. I have given away the non-amateur anonymity playbook using https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Go ahead and try to deanonymize this in the comments below. Assume you are a state actor with all tools at your disposal.

9 comments

>Anonymity is not on a spectrum

Is it not, for the non-criminal user? My HN, Reddit and Twitter accounts are "anonymous" (pseudonymous would be more accurate), and it matters to me to the extent I share thoughts I would not on Facebook or if Googling my name led straight to it - not that I'm ashamed of them, I try to be decent (tho I slip at times and am more brash than I would IRL), it's just that they hold some personal opinions and matters, kind of like that lady in OP's post (except I wouldn't reuse pseudonyms, especially not openly cross-linked to identified accounts). Obviously, a governmental agency that had any reason to look for me would link them in the blink of an eye, but it is "anonymous" enough for my needs: people who matter to me or people like prospective employers do not know of them and hardly could. Even if they leaked to some dark corners of the Internet like my SSN (screw you, Equifax), that hardly doxes me as far as regular humans are concerned. If someone emailed me with my online usernames, it would creep the fuck out of me, but ultimately be inconsequential, at worst it would threaten to shame me for my opinions.

So how's that not on a spectrum of anonymity? OP's post obviously does not say your anonymity when it comes to three letter US agencies is on a spectrum, that is black and white and s-he recognizes it, but rather the link-ability of your online presence(s) to your real life identity. With that Tinder lady at the "IDGAF"-end of it, your paranoid (or criminal) Jane Doe on the other end and me somewhere in between (but much closer to the former).

Changing the definition of anonymous to include pseudonymous is not a compelling argument that anonymity is the same as pseudonymity.
So, you know who I am or how to reach me? Send me an e-mail (or, better yet, dox Satoshi) and I'll take your point. I don't see how pseudonymity can't be a flavor of anonymity, even cyber-criminals who have every reason to remain truly anonymous online - as in hidden from FBI and gang - can pick some form of pseudonym so people can address them, Dread Pirate Roberts would be an obvious example (tho he failed to be anonymous to govs).

Per Wikipedia:

>Anonymity describes situations where the acting person's identity is unknown. [...] The important idea here is that a person be non-identifiable, unreachable, or untrackable.

Just some suggestions for the connection part.

Using a phone is probably the first mistake. If you are going to use your home network you are better off using a machine you control and an operating system that is open source.

I suggest these steps:

Step 1: Connect to a popular vpn.

Step 2: Connect to tor

Step 3: Get free vps or pay with crypto you trade for gift cards purchased or some other method

Step 4: Connect to vps with desktop running. Use virtual desktop.

Step 5: Use vpn. This time use vpn with best rep to be accepted as regular traffic.

Step 6: Signup for services

Step 1 solves the k issue. Many people using that vpn will connect to tor

Step 4: Seems slow but at the virtual desktop level out things are fast from that machine to new hosts. Using scripts could help.

Iirc phones will broadcast previously connected access point MAC addresses. I doubt gp truly understands what it takes to be anonymous (imo it’s probably impossible).
So what if they find that you used a phone?

They still had to somehow link your online identity to your phone. And how would they do that? The phone is simply a computer that you use, through VPNs, to send and receive mail and post messages to groups etc. They’d have to approach ProtonMail, then your VPNs in order, and then get security footage from the place where you were accessing the VPN at that time. And then cross-reference your gait etc. to a database. Maybe in 10 years they would have such coordination, and we will need better tactics.

What’s far more interesting is what to do if VPNs are banned in a country. You can’t be using one there. You’d have to have set up anonymous hosting and port forward stuff yourself.

Again, it’s possible that all anonymous hosting, VPN etc. is shut down and requires KYC by say 2050. That is why you must bootstrap from what are valid but essentially “compromised” accounts now while you still can, and hope they are grandfathered into the new totalitarian surveillance system. Buying phones on craigslist is one example.

Another example is those eyes Anderton installs in Minority Report, but security in that movie is like a bad joke, IRL he’d be outed instantly by his gait, heart patterns via wifi and so on. In fact they didn’t even change the access keys after he ran LMAO

>>Buying phones on craigslist is one example.

It seems that this would work for a while, but if we're trying to bootstrap well into the future, a shiny new phone of the hour Samsung S22 showing up new on the network only 15 years out in 2037 would stick out like a beacon, and that's assuming it would even connect to the then-current comms protocols.

This is nontrivial

You're going to call out someone for being uninformed,

but you can't find the "Don't automatically connect to this network" flag that stops a device from doing what you described?

Don't tell people what is and isn't possible unless you're sure.

Your opinion is purely speculation, and only true for people of your skillset.

Not nearly on the level as what is being suggested but my company has had several anonymous surveys and I started thinking about writing style when taking them. If you're prone to certain phrases, words, use of contractions or lack thereof, especially when the pool of people is small and you're providing critical (but needed) criticisms, you could potentially be identified by your immediate supervisor. Introducing typos and avoiding phrases you commonly say, adjusting your "tone" is a lot of effort when you can just disengage entirely and/or behave like everything is public (which it may as well be at this point).
Most "anonymous" surveys I've been asked to take through work require listing more than enough information for unique identity. One assured I would be anonymous, then asked me to fill in the name of my manager, my team, and job title.
Fortunately mine have not but at a certain point they're useless because no matter how low the scores go nobody in their right mind wants to provide long-form feedback to identify actionable fixes because product teams are usually small even if there are a lot of developers in the pool your pain points will be unique to what you're working on.
Yes, this is usually my experience as well. What makes sense for you to bring up identifies who you are. Hardly anonymous. But sometimes I've also been asked to explicitly identify myself as mentioned yet it's still supposedly anonymous.
We can give anonymous feedback about others where I work. We can submit it at any time about anything, positive or negative. I have never touched it despite knowing that HR doesn't get my name. It's not hard to figure out who's submitted a piece of feedback from their writing style and the specific situation you're writing about. Like if I were to give feedback related to working on a project with one other person, any sort of specifics about the project would make it very obvious that it was me writing the feedback.
I am open to ideas for how to mitigate this remaining vulnerability even further
One idea I've seen is running through translation services. IE, convert to Spanish and then back to English. But unless we have good offline services, it defeats the point.
Maybe not very practical, but to combat targeted writing analysis on the internet you could try running such analysis software on your own writing to find out what makes it stand out. Work to make the writing as "bland" as possible, perhaps with aid of software translators or filters.
Maybe you could run all your communications through a translator twice (e.g. English -> French, French -> English), and fix any typos?

It would hopefully keep the sentiment while changing the words.
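
The self-audit suggested above (running analysis software on your own writing to see what makes it stand out), as an added example that is not part of any comment in this thread. The marker list, the sample texts and the function names are constructed for illustration; real stylometry uses far larger feature sets and corpora.

```python
import re
from statistics import mean, pstdev

# Small illustrative marker set (an assumption, not a standard list).
FUNCTION_WORDS = ["the", "of", "and", "that", "which", "however",
                  "but", "just", "really", "also"]

def features(text):
    """Per-token rates of style markers that survive a change of topic."""
    tokens = re.findall(r"[a-z]+(?:'[a-z]+)?", text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n = max(len(tokens), 1)
    f = {f"word:{w}": tokens.count(w) / n for w in FUNCTION_WORDS}
    f["contractions"] = sum("'" in t for t in tokens) / n
    f["commas"] = text.count(",") / n
    f["sentence_length"] = len(tokens) / max(len(sentences), 1)
    return f

def standout(mine, reference_texts, top=3):
    """Rank features by how far `mine` sits from the reference pool (z-score)."""
    mine_f = features(mine)
    ref = [features(t) for t in reference_texts]
    scored = []
    for name, value in mine_f.items():
        pool = [r[name] for r in ref]
        # Floor the spread so a marker nobody else uses gives a large,
        # finite score instead of a division by zero.
        sigma = max(pstdev(pool), 1e-3)
        scored.append((name, round((value - mean(pool)) / sigma, 2)))
    return sorted(scored, key=lambda p: abs(p[1]), reverse=True)[:top]

# Constructed sample: one writer's text against three other writers.
MINE = ("However, the report is not complete. The data, however, does not "
        "support that claim. However, I will not sign it.")
REFERENCE = [
    "I don't think the report is done. It's just missing the data, "
    "and that's a problem.",
    "We can't ship this. The tests really aren't passing, "
    "but the fix is small.",
    "That plan won't work. I also doubt that the budget covers it, "
    "and we're late.",
]

if __name__ == "__main__":
    for name, z in standout(MINE, REFERENCE):
        print(f"{name:16} z={z:+.2f}")
```

A positive score means the marker is over-used relative to the pool and a negative one means it is under-used; here the repeated "however", the heavy comma use and the absence of contractions are what set the sample apart.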

You thought this through too well. Probably should be traced back, put in a list and investigated just for this comment.
And what would they find?

The hardest investigation to defend against is the rubber hose investigation. Gotta give them what they want, without them even suspecting you could be that mysterious founder. The only way people suspect you’re someone is if your k is small, eg how many people could be Satoshi?

If you’re efficient, you can retire the mysterious founder identity and simply have multiple “early adopter” addresses that generated rewards early, among actual adopters. Make an exit from your projects as early as you can after they gain momentum with the wider crowd.

There is no way to stop people from starting open source projects, accruing the early rewards and then selling those rewards to others in a decentralized exchange or async OTC deal. If every country worldwide ever closes down all such anonymous mechanisms (maybe by 2050) and makes you register in order to sell your rewards, you simply sell your private keys to the wallet in an async OTC deal. The buyer will have to trust that you won’t move the money after they register the address and before they move it.

Don't worry, we're all on the list already.
Kind of makes the concept of lists pointless, doesn't it?
~150 people commenting on this post is a manageable number. Narrow it down by sophistication in the topic.
Maybe I already did this and maybe I didn’t. Maybe it’s all armchair theorizing. Then again…

https://m.youtube.com/watch?v=wUJccK4lV74

https://m.youtube.com/watch?v=SYZqC7EGMfM

To not share how you secure anonymity is to rely on security by obscurity. Now I think it’s better to lay out the playbook using Kerckhoffs’s principle so k will become far larger than 150. Remember… to improve anonymity, at some point you have to publish your private keys. And where better than Hacker News?

The playbook is yours. Improve it!

Step 1: try to break it. Post how you’d defeat the anonymization scheme. The threat model is that you’re all state level actors combined. I’d love to see what you come up with.

> I’d love to see what you come up with.

Nice try, Feds! :P

It does indeed. Dragnet surveillance is dumb and expensive.
Awesome writeup thanks. That said, anonymity might literally be binary as you point out so eloquently, but the point of the article is that most people only need to think about it as a spectrum and be somewhere on it to be safe. Most people aren't running OmegaBay and need 14 burners handy and always be on the move. Boy would that be tough on one's social life. That said, a little bit of care and attention to the everyday shit we leave out there is a good idea. Bad actors will likely go to the lowest hanging fruit.
> 3. Pay and get paid in cryptocurrency. Have smart contracts send you the money (think Richard Heart’s Hex origin address, but actually anonymous).

My first question about this plan is "what are you getting paid for and how do you advertise your services"? You need to never meet the people paying you in person, and ideally you are selling some purely digital good. So, something like underground illegal programming or hacking or such? Is there anything else that would work?

I thought it was obvious, but I guess not.

No, you don’t do work for money. You start an open source project and get many people to run your software. You meanwhile generate as many early rewards as you can (you can even do it under multiple accounts) and when the ecosystem is up and running, you’ll be the mysterious founder, generating millions (or billions) in passive income.

Sounds familiar? It should…

Simply never move money using your first few accounts, and whoever early people you pay, have them stake your currency for a long time, and borrow against it on decentralized lending marketplaces, to avoid spooking people that the mysterious founder has moved their money.

So lemme spell it out: This is what you're claiming Satoshi did / is doing.
Well that's not interesting at all, then. How repeatable do you think that is?

That's one of the problems with trying to stay anonymous, right? The playbook constantly goes out of date.

Some blockchain projects offer grants for (completely legal) programming work, and some of them won't require real world identification.
I would also add:

Living in no-extradition countries, using GrapheneOS on an Android phone, using Jabber/OTR chat for communication.

To comment on point 5. The three spelling errors I caught tell me you are using a phone with autocorrect turned off.
How do you pay for Google Play gift cards (which you mentioned before Step 1) without creating a link to yourself?
Buy on Craigslist. Go to a store. Or, as mentioned previously, pay a homeless guy to go into the store and buy it.

It’s a modular system. The key is Kerckhoffs’s principle — I can describe it to you all day long, but as long as I don’t reveal each identity from the other, you all won’t know what projects I am doing, even if they earned $97 million already.