5

My goal is to build a perfect stationary workstation from which I can work anonymously.

Most instructions on being anonymous usually involve, at some point, moving around and switching from coffee shop to coffee shop. Is there any way around this?

Currently, my best-possible imagined setup involves tails OS plugged into an android device (anonymous second-hand cash purchase, no cameras) with a pre-paid 3g SIM (anonymous second-hand cash purchase, no cameras) and then everything goes through Tor (because Tails). But I expect that all ISPs are geolocating (via cell towers?) all cellular devices all of the time and storing this data, timestamped, alongside the device ID/SIM numbers and the IP they are allocated.

So if Tor can be compromised via some malicious third party with government-sized resources, perhaps by them owning significant numbers of entry and exit nodes which I unfortunately use simultaniously, allowing them to link end-to-end the original 3g IP with my web activity, then this malicious third party could then query my ISP for the geolocation data associated with the relevant IP address at that specific time and find out where I was.

Over time, they could profile my location and look for patterns. In the case of a stationary workstation, my cover is blown. In the case of a going to a new coffee shop every day, in the case that this malicious third-party has live monitoring of the TOR network and can instantly query the ISP in question, then the could litterally watch you as you work, totally destroying all anonymity.

Now, I am split on whether or not I believe a malicious third party has compromised Tor as such. On one hand, it seems quite doable, many research papers point to entry/exit vulnerabilities, and we have the recently pulled conference talk. On the other hand, Schiener, Snowden, and others still recommend Tails/Tor as sufficient to protect anonymity, and surely they know better than I. But it would be prudent to act in a manner, if possible, which allows me to be wrong without reprocussions.

What is the ideal anonymous workstation setup?

user52987
  • 59
  • 1
  • 3
    "_My goal is to build a perfect **stationary** workstation from which I can work anonymously._" This way there will always be a way to locate and find out who you are as described [here](http://security.stackexchange.com/questions/16467/how-to-be-completely-anonymous-online) – BadSkillz Jul 31 '14 at 07:52
  • 2
    Can you explain why you have a requirement to be stationary? – Graham Hill Jul 31 '14 at 09:04
  • Perhaps this should become a community wiki as it is likely to change over time. – Matthew Peters Aug 27 '14 at 21:31
  • Recommend to break this down into multiple specific questions on theory rather then a product recommendation or setup description. – Eric G Aug 28 '14 at 01:12

2 Answers2

1

Just some ideas:

  1. Using a radio broadcasting device of any sort will allow signal finding to identify the source location. I would not use a cell phone regardless of its origin.

  2. By implementing a private VPN service prior to entering the TOR network you can shift point of origin and further muddy the path.

  3. Make sure you update Tails to get the fix to the latest compromise. This compromise is just a famous one, there are security holes detected very often. Update Tails regularly.

user10008
  • 4,355
  • 21
  • 33
Polymath
  • 121
  • 2
  • Against a state-level attacker like the FBI, a VPN provides no protection beyond what TOR does. Once the attacker discovers the VPN, they can find out who's using it just by asking, and it creates a money trail leading to you. That same money trail will *reduce* security if you use public wireless: the attacker no longer needs to figure out who the wireless user is. – Mark Aug 01 '14 at 20:13
1

The compromised tor you were mentioning was tor-browser, which was a browser a couple of version older than its bleeding edge counterpart but came with some privacy plugins installed. Always use updated browser and software if you want to be more safe. Regarding rogue exit nodes, it would require a lot of luck (there are way more exit nodes than what they can control) and they should be able to fingerprint you to identify any pattern (easier one would be browser fingerprint IMHO).

Using a VPN which may seems a good idea, in my opinion just introduce another untrusted party like the 3G IPS over you do not have any control and which will be unlikely to go to jail to protect you privacy.

Francesco Manzoni
  • 21
  • 1