# Completely anonymous?

## Hell-Razor

I know nothing is 100% but is there anything out there that is damn near 100% anonymous for hiding / encrypting a signal? say going from here to the gentoo torrent or a cvs repo? i am just starting to get more and more anal after my parents somehow had their online cc (only used for online purchases) "hacked" so to speak and me getting hacked (or what i think was hacked) before i built my new machine. i mean im getting to the point now where i don't even want my isp to be able to read what is going in and coming out. i have switched to hardened - everything that i can. i am currently using tor and privoxy, will this be enough? or is there a better program out there?

----------

## UberLord

Don't confuse the two issues.

Anonymous internet just prevents what you're downloading/uploading being traced directly to you.

It does not stop you from being hacked / socially engineered.

----------

## champ

I agree with Uberlord. Tor does encrypt everything inside the tor network, but the link from your computer to the first tor server and back is NOT encrypted.

I very good article about tor, anonymity, and privacy can be found here: http://www.schneier.com/blog/archives/2007/09/anonymity_and_t_1.html

----------

## fangorn

If you wanna be ultimately safe, don't plugin the network cable.   :Twisted Evil: 

There are solutions that more or less "protect" your intended network traffic from being tracked to you or read by third party (Tor, Freenetproject.org, i2p, ...). Nonetheless a third party could monitor your second part in data transfer directly, so that encryption of data sent will not help. Also none of these solutions prevents your machine from being attacked from the internet, to which you still have to be connected in some way to use those services. If someone installs a monitoring program on your machine, the encryption is useless also. 

Security and Anonymity are "work in progress" where YOU have to stay up-to-date all the time. And you never can be sure. If someone _really_ wants to hack your machine - for what reason ever - you can only increase the effort needed to get in.   :Rolling Eyes: 

----------

## Hell-Razor

Yeah thanks I should have been more precise. I know the whole thing about encryption is simply that it should take long enough to de-crypt so that the information should be useless / irrelevant. Anyway whats the best way to encrypt my traffic from (example) my machine to the tor server. I do understand that it is a difficult and still a work in progress but I would like to hide myself from others.

And yes I understand the most safe thing is to not even use the net but whats the fun in that?

----------

## fangorn

If you don't want to run a TOR node on your local machine - which would eliminate the problem to connect to the first server - you have to have access to a TOR node via ssh and tunnel the TOR port through it. That mostly means you have to run a TOR node somewhere else than your local machine.   :Rolling Eyes: 

----------

## Tekeli Li

To protect yourself from CC data theft: Well, you can't have 100% absolute protection, but you can minimize damage, in case your CC gets compromised.

Get a debit card, not a credit card, and keep only minimum amount of money on it, to keep it alive. And by minimum I mean the bank minimum which is usually a couple of bucks or euros, depending on where you are. Then, when you want to purchase something, put some money on the account first, and then use the card to pay online.

Also, combine this with PayPal so vendors don't have your CC data, and if PayPal is compromised, who cares, the card can't be charged for more than there is money on it, meaning a couple of bucks, unless you are so unlucky to become hacked right between putting money on the account and attempting to purchase something with it, which is possible, but unlikely.

I use Visa Electron for that, it's a debit card accepted almost anywhere -- I have yet to find an online store that accepts Visa, but not Visa Electron.

----------

## cazort

Honestly?  I think computer security is good, and it's good to use as many precautions as possible for other reasons--but if you're worried about your credit card information, all these security measures may be a waste of effort because they're not focusing on the weakest link.

People don't want to admit this but you simply can't prevent credit card theft in any other way than never using a credit card.  I know many people who never use a computer, and have had their card numbers stolen.  I have known people who have had card information stolen in restaurants and stores where an employee writes down or memorizes the information on a customer (including the number and enough information--address and phone) to make purchases themselves.  I've read articles about people attaching card-readers to the outside of machines in a gas-station or other auto-card-swipe and retrieving numbers that way too.

Often, the person will record the numbers, and in order to avoid being caught (and losing their job) will often only start making purchases months later, when they may be at a different job and maybe even in a different state.  Often, if they don't have enough information to make large purchases, they will make small (<$20) purchases at gas stations, supermarket auto-checkout counters, and other places where the transaction is approved automatically.

I think the best course of action is to keep track of your purchases, and watch your credit card statement.  If you catch a purchase on the statement it occurs, you will not be held liable for paying it.  Also, there are many ways credit cards can screw you other than being stolen.  I've had banks deliberately send out my statement late, and I've had corporations overcharge my credit card NUMEROUS times.  Watching your account is necessary to do these things.  So...yeah, focus on computer security--but not as a means of preventing credit card fraud.  To do that, all you need to do is watch your statement--which you should be doing even if you never use a computer.

----------

## Hell-Razor

Well this CC was only for online purchases ie it never left the house. The other main thing would be so that my data is safe when i send it and retrieve it from the net. I understand this may be difficult.

fangorn - If i start up a tor node on my machine, does that mean then everything will be encrypted / decrypted from this machine so i don't have to cross my fingers that nobody reads my info (ie my isp)?

----------

## Carnildo

 *champ wrote:*   

> I agree with Uberlord. Tor does encrypt everything inside the tor network, but the link from your computer to the first tor server and back is NOT encrypted.

 

Wrong: it's the last link, the one between the TOR exit node and the server, that isn't encrypted.  If the link between your computer and the TOR network wasn't encrypted, the whole thing would be pointless.

----------

## Hell-Razor

Alright well, how hard is it to "decrypt" / "trace" the traffic going into/coming out of the first tor node to/from my machine?

----------

## alistair

 *Hell-Razor wrote:*   

> Alright well, how hard is it to "decrypt" / "trace" the traffic going into/coming out of the first tor node to/from my machine?

 

I believe it is just as vulnerable to dnspoisoning, "man-in-the-middle" attacks as any encrypted link.

----------

## Hu

 *Hell-Razor wrote:*   

> Well this CC was only for online purchases ie it never left the house. The other main thing would be so that my data is safe when i send it and retrieve it from the net. I understand this may be difficult.

 

It is possible that the card in question was compromised through negligence on the part of a vendor with whom your parents initiated a legitimate transaction, rather than through a weakness in your local computer security.  There have been many news stories about vendors who retained credit card information long after they no longer had a legitimate need to have it on hand, leading to an unnecessarily large group of people being affected when the vendor was compromised.

----------

## Hell-Razor

 *Hu wrote:*   

> It is possible that the card in question was compromised through negligence on the part of a vendor with whom your parents initiated a legitimate transaction, rather than through a weakness in your local computer security.  There have been many news stories about vendors who retained credit card information long after they no longer had a legitimate need to have it on hand, leading to an unnecessarily large group of people being affected when the vendor was compromised.

 Yeah. I am more worried now though about my traffic. Once I get that nailed down as secure as possible I will then worry about my CC / Debit card.

I know somebody said get a debit card intead of a CC but its hard to live in America (not sure about the rest of the world, though) without lots and lots and lots and lots of credit.

----------

## tuber

With regards to cleartext private data, using Tor can be more dangerous than not as many Tor exit nodes are used as sniffers. A while ago, a group ran an exit node and managed to retrieve many passwords because people were retrieving mail using an unencrypted protocol over Tor.

As for credit cards, some credit cards have a feature in which you can generate a one-time credit card number. If that gets hacked, no problem. To be honest, I don't understand people's concern with credit card numbers. If you find a fraudulent charge in a timely manner, a quick call and letter to the credit card company and you're done. I've had several fraudulent charges before and it's not a big hassle to deal with.

----------

## Carnildo

 *tuber wrote:*   

> As for credit cards, some credit cards have a feature in which you can generate a one-time credit card number. If that gets hacked, no problem. To be honest, I don't understand people's concern with credit card numbers. If you find a fraudulent charge in a timely manner, a quick call and letter to the credit card company and you're done.

 

No, you're not done.  Now you're without a credit card until the new one arrives, and when it does, you need to update the billing information for any automatic payments you've got set up.

----------

## ScarletPimpFromHell

If your seriously interested, check out the SASL or ISAKMP or IPSEC frameworks.

SASL or Simple Authentication and Security Layer is avalable to all of us, you have the option of Cyrus-SASL or Dovecoat-SASL, do an emerge and have a read.

Personally, I'm becomming more and more anal about security (I have had similar ID theft experiences in the past) so I have just spent the last week setting up SASL authentication and TLS (Transport Layer Security) between the company's POSTFIX SMTP relay server and the Cyrus IMAP mail store. Purely academic of course ... both systems are on the same LAN. But none the less its been a hell of a learning curve.

Once you get your head around the SASL/TLS framework the benefits are obvious and the potenial installation base is HUGE. All in all, I reackon the SASL/TLS model for inter-application security is the way to go.

----------

