~ Anonymity lore for beginners ~
Last updated: March 2004
[Elementary anonymity steps for beginners]
[When posting on Usenet]
[When they dare to spam you (and you have some spare time)]
[When you search]
[Anonymity essays]
"Recently, I've changed the way I connect to the net. I was in a highly unsafe LAN, with many potential sniffers doing their job. As you see, the problem was a big one, since proxies are not a solution (sniffers get the traffic anyway), obscuring was too crude and painful for the amount of traffic I generate and I couldn't get NNTP proxies to work. The tool that actually made me feel so very happy is Tectia SSH Server/Connector.
I installed the server on a trusted PC outside the LAN, and the connector on my PC. So, what happens is that the connector transparently encrypts ALL traffic and sends it to the server. Then data come back in a similar way. And as a bonus, you can keep using your proxies :)
Anyway, I am too happy with this. I hope it helps people out there!!"
Kriton
Elementary anonymity steps for beginners
How d'you begin a "crash-course" in anonymity lores for beginners?
Ah! Parum tuta per se ipsa probitas est!
Let's just be frank and direct... let's use a lore... sort of...
"Yep!" - said fravia+ - "so you want to understand why anonymity is important? Easy, just read on:... I believe that each time ANYBODY asks you for some personal info you should by all means do a mix from the following":-
- You NEVER give real info, no matter how pressing they are - unless you really - and I mean REALLY - know what you are doing. You can bet they are going to use those data / sell them / throw them to the wolves.
- You should ALWAYS lie so much that your falsehood cannot possibly be outdone. It's great fun and, as you will see, it is pretty useful - surfing to-day's web.
- To begin with, you should already have found some "alternate" personalities - it should possibly be somebody that 'almost' really exists: fetch data from any personal pages on the web... see geocities and fortunecity for hundreds of ready made "dull" lives, you'll have "visited schools", "year of birth", name of the beloved one, everything... those pages are real goldmines in order to fetch valuable lusers' info. I personally found all those "bride for sales" pages very useful as well for 'identity gathering' purposes. They give photos, biographies, cities of birth and whatever else you need to get a faked bank account in Greenland...
- Should you need a false name, here they are in order of frequency (taken from http://www.lifesmith.com/comnames.html, thanks Nemo :-)
50 Most Common American Surnames (US Census 1990)
| 1. Smith | 11. Anderson | 21. Clark | 31. Wright | 41. Mitchell |
| 2. Johnson | 12. Thomas | 22. Rodriguez | 32. Lopez | 42. Perez |
| 3. Williams | 13. Jackson | 23. Lewis | 33. Hill | 43. Roberts |
| 4. Jones | 14. White | 24. Lee | 34. Scott | 44. Turner |
| 5. Brown | 15. Harris | 25. Walker | 35. Green | 45. Phillips |
| 6. Davis | 16. Martin | 26. Hall | 36. Adams | 46. Campbell |
| 7. Miller | 17. Thompson | 27. Allen | 37. Baker | 47. Parker |
| 8. Wilson | 18. Garcia | 28. Young | 38. Gonzalez | 48. Evans |
| 9. Moore | 19. Martinez | 29. Hernandez | 39. Nelson | 49. Edwards |
| 10. Taylor | 20. Robinson | 30. King | 40. Carter | 50. Collins |
25 Most Popular American Male Names (first three columns) and 25 Most Popular American Female Names (last three columns)
| 1. James | 11. Christopher | 21. Ronald | | 1. Mary | 11. Lisa | 21. Michelle |
| 2. John | 12. Daniel | 22. Anthony | | 2. Patricia | 12. Nancy | 22. Laura |
| 3. Robert | 13. Paul | 23. Kevin | | 3. Linda | 13. Karen | 23. Sarah |
| 4. Michael | 14. Mark | 24. Jason | | 4. Barbara | 14. Betty | 24. Kimberly |
| 5. William | 15. Donald | 25. Jeff | | 5. Elizabeth | 15. Helen | 25. Deborah |
| 6. David | 16. George | | | 6. Jennifer | 16. Sandra | |
| 7. Richard | 17. Kenneth | | | 7. Maria | 17. Donna | |
| 8. Charles | 18. Steven | | | 8. Susan | 18. Carol | |
| 9. Joseph | 19. Edward | | | 9. Margaret | 19. Ruth | |
| 10. Thomas | 20. Brian | | | 10. Dorothy | 20. Sharon | |
(Note that "Mendacem memorem esse oportet", though :-)
Yet the oldest trick is indeed quite effective: just take a book from your library and have a look at the data there. Let's say you are working and accessing the web from the States... I could fetch - here behind me - "Using assembly language" by Allen L. Wyatt. Let's see: look! This book is published by Que corporation (on a side note I think this is about the only book worth buying from this crappy publisher :-). And see here, on page 2: Bingo! Que corporation: 11711, North College Avenue, Carmel, Indiana, 46032. You are done: let's say your new identity is - Nescio N. Nomine, 11711, North College Avenue, Carmel, Indiana, 46032, United States (that's a country in North America, duh).
You can keep the "Nescio N. Nomine" part, but if you are accessing the web from - say - Germany, you better use a German book of course (and so on mutatis mutandis). Let's see what's here behind me... a nice one: Joachim Schildt & Hartmut Schmidt, Berlinisch, published by the Akademie Verlag Berlin in 1986, which has the added advantage of being a "disappeared" geographical location: see: Berlin, 1086, Leipzigerstrasse 3, GDR (German Democratic Republic: gone for good, I'm afraid :-)
Great fun to tease data-collectors feeding them such "disappeared" places: Czechoslovakia, Yugoslavia, GDR... It will take some time before they come clear with that.
Now you surely dig it: wherever you live find three-four LOCAL COMPLETE REAL EXISTING ADDRESSES (unless you want to tease :-) and learn them by heart. You'll use them from now on for EVERYTHING on the web, unless you are really compelled to give out your real name (which should NEVER happen if you are clever enough :-)
First thing you do with your new "faked" identity: you open half a dozen addresses on yahoo.com and other "free" email providers. You'll not need to give much info away (you'll give the faked one, access them from a proxy) but they will find out who you are nevertheless THROUGH THE EMAIL YOU WRITE. Of course no one here is so naïve as to believe that 'free' email providers provide email possibilities for altruistic reasons... eh?
So what? This is not - by far - "real" anonymity, it is just a "preparation phase". You'll learn more advanced techniques in due time. To begin with, just play with them. Use those "free" email addresses (chained or through the autoresponders / autoforwarders) as feedback for page providers or sites that require you to have a "working" email address. Finally note that some "free" email addresses have the "org" suffix. These may be useful for those cases where they may require you to sign using an email address without any "com" suffix.
You should ALWAYS give completely faked credit card numbers, when asked without sound reason (and I would be careful in giving my real data even when asked for some apparently valid reason). Use a credit card number generator if you don't know how to fake credit card numbers on the fly by yourself (the algos are very easy to crack, centered on divisibility by 10: in fact all numbers are based on an underlying algorithm originally designed to simply prevent key-punch errors by store clerks. You just simply need to create a number using that algorithm, which makes it easy to come up with a legit account). Note also that it is VERY EASY to find REAL credit card numbers on the web (especially now that Google indexes excel files :-)
Of course I do not condone practising credit card scams on the web. Note that the TIME and LOCATION of access are (at least should be: few people use proxies) relevant for the sites requiring such data when checking the validity of an order (I would not trust too much an order made at 2:00 in the night from Moldavia with a credit card number that resolves to Florida :-) Always remember that if they want they CAN catch you, so do not ever do stupid things.
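The "divisibility by 10" check mentioned above is the Luhn (mod 10) checksum. As an added example (not from the original page), this validator measures what the check actually detects on a constructed, non-card sample string: every single-digit keying error and every adjacent swap except 0/9, which is all it was designed for, so passing it says nothing about whether an account exists. The function names and SAMPLE are assumptions of this example.

```python
# Added example: the Luhn ("mod 10") checksum as an error-detecting code.
# SAMPLE is a constructed 11-digit string, not a card or account number.

SAMPLE = "12345678903"


def luhn_valid(number: str) -> bool:
    """Return True if `number` (spaces/hyphens allowed) passes the Luhn check."""
    cleaned = number.replace(" ", "").replace("-", "")
    if len(cleaned) < 2 or not (cleaned.isascii() and cleaned.isdigit()):
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # fold two-digit products back into one digit (18 -> 9, 16 -> 7, ...).
    for pos, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def single_digit_errors(number: str):
    """Every string that differs from `number` in exactly one digit."""
    for i, ch in enumerate(number):
        for other in "0123456789":
            if other != ch:
                yield number[:i] + other + number[i + 1:]


def adjacent_swaps(number: str):
    """Every string made by swapping two different neighbouring digits."""
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b:
            yield number[:i] + b + a + number[i + 2:]


def undetected(mutations) -> list:
    """Corrupted strings that still pass the check (the blind spots)."""
    return [m for m in mutations if luhn_valid(m)]


if __name__ == "__main__":
    print("sample valid:", luhn_valid(SAMPLE))
    print("missed typos:", undetected(single_digit_errors(SAMPLE)))
    print("missed swaps:", undetected(adjacent_swaps(SAMPLE)))
```

For anyone validating orders, the takeaway is that this check belongs in form-input sanity checking only; whether a number is real has to come from the issuer's authorisation and from signals such as the time and location mismatch described above.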
You should NOT feel bad in the least to lie like a madman to anyone who dares asking your data: such people are just scum that will use EVERYTHING you will tell them for profit the very moment you do, and they don't even have the decency of admitting it. Screw them black and blue, such clowns deserve far worse than that: never believe for a minute that their 'privacy-pleads' about how they will "never use your data" are anything else than cheap sarcasm.
Alternatively, when you (have to) "choose" some options from a menu ("Your income", "Your profession", "Your State" and so on) ALWAYS choose the first option you encounter, whatever it is: State=Afghanistan, Income=less than 15 USD per year and so on. Screw them. If you want to play with them, there are some funny logistical options like "American Samoa", "Fortune and Wallys Islands" and so on... the possible option "other" that you may find on these menus is also great, because you will get these idiots thinking hard about updating their options' palette, adding even more idiotic crap to the possible choices.
An exception to the above: when you decide to use a bogus 'predetermined' identity (i.e. for instance Nescio N. Nomine, 11711, North College Avenue, Carmel, Indiana, 46032, United States), then stay COHERENT with the (faked) data you give, stick to them. This will make things even more difficult for those that want to steal and sell your data.
But you don't need to be pseudoanonymous at all if you are really nasty. Quite the contrary: remember that in the frenzy to put up an "e-commerce" most commercial sites don't have any provision whatsoever to check the real order flows. Errors are not only possible, but frequent. Chances are that if you point out that you never ordered some of the useful goods you have somehow received (ordered by someone you don't happen to know through an ad hoc account - which has been accessed through proxies and will never be reused again - yet sent to your real address with your real card numbers) they won't be able to prove that you actually really did order them. They will ask for a restitution, of course, whereby you just sit on those goods and wait until they will send you over enough money to cover the costs of sending back the goods you "so wrongly" received. Any publicity about this would harm the new holy e-business, so you'll soon notice how they will bend backwards to help you 'sort things out'.
Anyway don't try this, it is not ethical, it would enable you to use that PC, watch that TV, read (and scan) those books, burn those games on your cd-roms in the meantime ("Of course I opened the packet... I wanted to see what was inside it!"). So don't do this: such an attitude would not be very correct vis-à-vis the growing new branch of our smart e-business entrepreneurs.
"Yep!" - said fravia+ - "this is but the beginning..."
When posting on Usenet
by fravia+
Never, never, never use a working email address. When posting news items use a From: or Reply-To: address like the following ones:
- bounce@[127.0.0.1]
- bounce@localhost
- postmaster@[127.0.0.1]
- postmaster@localhost
This will frustrate spammer programs that are actively grepping email addresses on usenet. There are LISTS of grepped email addresses that are sold by the spammers' masters to the stupid zombies that really believe they can make money that way.
[127.0.0.1] and localhost are synonyms for "the current
host". If you're lucky the first two addresses will cause a bounce
on the sender's machine as it tries to deliver to the non-existent
user bounce. The last two addresses will cause the spam to be
delivered to the email administrator of the machine sending the
spam. If you're lucky that will be the ISP and not the spammer
themselves.
In general use different email addresses for different activities (one for real life, one for posting on usenet group A, another one for posting on usenet group B and so on). There are so many "free" email providers that you can have an infinite number of addresses, using the real one to 'pick' from those that you are using on the web - through pop for instance - and never using it directly. Note however that ALL 'free' email providers do use the data and the content of your mail for 'insider trading' and statistical building purposes (that's the real reason they offer you email for "free", duh) so never use these email addresses for sensitive data (never use the web for sensitive data, for that matter), and learn to use pretty good privacy just in case (version 5 is the last one without backdoors and works fine on windoze).
So that you can be contacted, make sure your posting body includes a signature that gives a working email address, in an encoded form - to confuse automated address collectors that scan news article bodies as well as article headers. Here are some good examples:
- fravia(at)searchlores(dot)org (WARNING: this is now 'deprecated', since some new grepping bots translate it into a working email address)
- fraviaATsearchlores!org (note the "!")
- fraviaNIRGENDSsearchloresNIRGENDSorg
- fraviafravia@searchlores.org adding, on the line below, Cut a "fravia" to answer
- fravia__A@T__searchlores.org adding, on the line below, To reply by email, use "@" not "__A@T__"
- fravia(ThatfunnycharacteryougetwhenyouuseALT+64)searchlores(thekeybeneaththe3)org
And so on... use your fantasy, screw the spammers.
When they dare to spam you (and you have some spare time)
by fravia+
Another good technique with commercial spammers if you have time enough is to retaliate, wasting as much of their time and resources as you manage to do. This won't help you much, but it is great fun. Use their toll-free telephone number and tell them you want to buy whatever goods / tits / cars they are selling. Chat a lot, let them call you back, let them send you a representative. Then just change your mind.
If you are good at social engineering you can get some real email addresses out of them ("...mmm, hey Liza, how can I reach you in a hurry if I decide to buy another item - just like the one I'll now buy for myself - for my buddy Charlie?"). If you manage to get a spammer's real working email address it's the jackpot! You can then slowbomb him for eternity.
Alternatively just flood them with orders made using bogus credit card numbers and faked identities: let them deliver their goods to a big house full of people that barely speak English and where at least 200 individuals have the name - say - "Chan" you purposely used to reserve the goods (or whatever name/immigrant combination applies to your country). They'll go nuts because they will never be able even to understand that somebody simply retaliated.
There are a lot of tricks you can devise to drive the commercial spammers nuts if you have enough time, fantasy and dedication, but imo the best approach (the same you should use when commercial bastards dare to phonecall you) is to immediately look like you are falling for the trick ("...mmm, well, yes, thanks a lot, come to think of it I desperately need a new mortgage-insurance special packet..."), luring them into sending you a representative, if possible carrying all the way a very heavy or very cumbersome box / catalogue / documentation of whatever useless crap he's selling (choose accordingly when you order), that you of course won't buy once he finally arrives (you won't even appear at the meeting place for that matter) because you have simply "changed your mind". Don't laugh at them, don't curse them, don't let them understand you are playing with them: just let them convince you to fix a second rendez-vous: drive them nuts (and try once more to get some real & working email addresses out of them :-).
Believe me, they will hate this approach, especially if you ordered the "megabigasupraoption" of whatever crap they are selling and thus lulled them into being all excited for their "commercial kill", thinking they had finally managed to fish a zombie. Ça va sans dire that you should choose for these meetings the most inconvenient time for the spammers, picking weird or far away located places (or expensive restaurants :-) where you will anyway never show up.
In practice, when you search
A good idea would be to chain proxies. See the anonymity lore section. See also Anonymous surfing through other services and especially Corto's bag of web-tricks.
Use (and study) Anonykid's "proxy chaining" forms, which encompass all the above.
[Staying Anonymous in 2002] (by Woodmann ~ January 2002)
[Wolf in sheep's clothing] (by Oh Yeah ~ June 2002)
[How to walk the 'net without kicking yourself later...] (by Angela Natiash ~ January 2003)
[Internet Relay Chat Anonymity] (by Kane ~ February 2003)
[shino_an.htm]: Anonymous E-mail using remailers (by shinohara ~ March 2003)
"A person should learn how to use remailers to send E-mail anonymously. If you just want to send simple E-mail anonymously (no attachments, only text) and not expect an answer, you can do that by using free Web based remailers"
part of the [Anonymity lore for beginners] section.
in fieri, of course... what about helping instead of just leeching? :-)

(c) 1952-2032: [fravia+], all rights
reserved, reversed, reviled, revised, revoked and reverted