Tonight I made an appearance on the EMS Garage, and boy did I pick a big one. (As of this writing, it is the not yet published episode 65.) Dr. Wesley decided to throw down and take on all bloggers. One of his main beefs seemed to be that he didn’t think that anonymous blogging was productive or an appropriate tool for anything. He was very careful about how he worded his arguments, so I do not want to misrepresent him or put words in his mouth. Nevertheless, he made it clear that he didn’t think it should be happening, and that he hoped that we lived in a world where people would not have to remain anonymous to right the wrongs of humanity.
I’m sorry Dr. Wesley, I couldn’t disagree more. You are a well paid, (Yes, believe it or not M.D.s are paid quite a bit more than EMTs and paramedics. You know what, I didn’t look up those specific statistics, but I have been living them for the last few years and I know of what I speak.) well known physician whose advice is sought and admired. I imagine that for quite some time you have not felt the need to hide your opinions from your employer at the threat of not being able to feed your daughter or pay your mortgage. If one of us lowly EMTs or paramedics has witnessed horrible safety violations, patient abuse, or unethical business practices there is really no safety net for us. Confronting our employer means falling, failing, and financial ruin.
So I have decided to publish this guide to anonymous blogging. Yes, you too can blog anonymously without fear of reprisal from your employer. What can one do with an anonymous blog you ask? You could organize a union, form petitions, collect eye witness accounts of misconduct, and generally be the all seeing, all knowing eye over your employer’s shoulder that may make them straighten up and fly right. But, just like anything, this set of tools can be used for evil. So don’t be an idiot. Use this new knowledge wisely.
Disclaimer: Use some sense people. Blogging is technically difficult in itself. Podcasting is like blogging on steroids and crack. Anonymous blogging is just plain ninja shit, and you should not play here if you don’t know what you are doing. If you are not very good with computers and you find yourself doing everything you find in this post step by step and don’t really understand much of it then QUIT WHAT YOU ARE DOING RIGHT NOW. YOU WILL MAKE A MISTAKE AND GET CAUGHT. Who is the intended audience of this post? If you are a fairly computer savvy person who has done a little blogging and has a good rudimentary knowledge of HTML and how packets move around on the internet, then you may proceed IF YOU ARE REALLY FREAKING CAREFUL. I take absolutely no responsibility for the reader’s abject stupidity in playing with fire and I accept no responsibility for your ill fate whether or not you follow these instructions. Something else to be considered is that this post was written in December of 2009. If you are reading this post in October of 2016 you may wish to rethink this. Do yourself a favor and seek more up to date information. Make no mistake about it, YOU ARE ON YOUR OWN. The internet is cold and dark and no one can hear your electrons scream, so BE RESPONSIBLE. Okay, off my soapbox now. On to the good stuff.
Your Rig
You will need a computer with which to do all your dirty work. Unless you are a super ninja master, do not try this on your home desktop. Most of the safety techniques you are about to learn rely on the fact that you are not working from your home, or your ISP account. This means you need a laptop or a notebook. The way to stay truly anonymous is to use a many layered technique that will take a rocket scientist and a Hollywood budget to plow through. At the end of it they will find out that the IP address belongs to the local coffee shop or the library. So it is pivotal that you be able to take this show on the road.
But to be truly secure and paranoid you should assume that your laptop will someday be seized and scrutinized by a third party. So here are some techniques for setting up your hacking laptop to be seizure proof. By the way, all of these things are free. The best things in life are, aren’t they?
1. Whole Drive Encryption
The first step in keeping the man from seeing what you have done is to encrypt your entire hard drive. If your computer is seized in a legal battle it will be a brick unless you give them the password, and in the United States people cannot be made to incriminate themselves. Therefore you will be able to hold out for a long time without giving up your password. Truecrypt is my weapon of choice here. This is an absolutely free and open source program that will scramble your hard drive well past the ability of any government agency to descramble it, rendering it a paperweight unless the password is provided at start up. In order to use this fantastic tool correctly, please read up on it very carefully.
2. Never Blog With Your Main OS
What are you trying to do, leave evidence behind? Never ever do any anonymous blogging with your regular setup. You can go a few routes with this. You can do this with Windows or Linux quite easily:
A. Emulate another version of Windows inside the version of Windows you are currently using. Believe it or not, Windows provides a virtual emulation environment as a free download to all Windows users. If you run Windows XP, Vista, or Windows 7, and you have hefty enough hardware, you can go here to download everything you will need to run a virtual XP environment inside your current OS. You can emulate other things, but XP is what I recommend if you go the Microsoft route. The neat thing about this is that you will be able to delete the file that functions as the saved state of your hardware and software, completely obliterating your tracks. You can also encrypt this file with Truecrypt and another password. If you wish, you may restore it to a fresh backed up copy every time you do a clandestine blogging session. Think of it like this: instead of trying to erase the history and links from your browsing session, simply nuke the whole computer. Yes, it is overkill, but it is super effective.
B. Another method if you are using an older computer without enough power to emulate another OS is to use a bootable copy of Linux. There are a couple of options here. Knoppix is a great standby that will allow you to create a bootable CD of Linux that will give you a basic OS with internet access. By using Knoppix you are guaranteeing that nothing from this blogging session will remain on your hard drive to be found later. Nothing will be written to the CD either so when your computer wakes up, it will be none the wiser. Alternately, you may wish to use one of the many USB drive versions of linux found at pendrivelinux.com. To be honest though, this may leave some evidence on the stick, so you will want to use Truecrypt to encrypt your USB drive for an added safety measure. Yet another option is to install Wubi which will emulate a linux environment inside of Windows. Again, there will be a file that contains all the saved state information about your emulated hardware and software. Nuke this and you have also nuked your tracks. Replace it with a fresh clean copy every time you have a blogging session.
C. Hide your MAC address. And no, this doesn’t mean Macintosh. Uhhhggggg. That gave me the creeps. Apple computers are for girly men who cry while they watch Steel Magnolias. A MAC address is the Media Access Control address. By law, every network device in the United States is assigned an individual MAC address. There are various ways to monitor a network and get the MAC address of origin of a certain piece of sent traffic. This can be used as evidence. There are ways to hide or spoof a MAC address, but a simpler route is just to simply use a removable wireless network card that you bought for cash. In other words, turn the wifi switch off on the side of your computer and use this network card with the alternate MAC address when you blog. Don’t keep the card with that laptop. Keep it in your sock drawer or some other place that is safe. If the feds come knocking and want your laptop, give it to them and the MAC address won’t match the traffic they monitored. Sneaky, eh?
D. Special note: don’t simply erase anything you do with one of these emulators. Really and truly erase it for good with a professional open source eraser program like Eraser. This program can be set to not just rewrite the file allocation table to make it look like the data is not there. Eraser can be set to write pseudo random binary noise over those data sectors a set number of times. Seven times should thwart the efforts of even a well equipped government hard drive forensics lab. Whatever you do, just don’t drag it to your trashcan. That’s just asking for trouble.
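The multi-pass overwrite described in item D, written out as an added example (this is not Eraser's code and not from the original post; the function names `overwrite_file` and `wipe_and_remove` are hypothetical). It overwrites a file in place with random bytes, forces each pass to disk, then renames and deletes it. It assumes storage that writes in place: SSD wear leveling, copy-on-write or journaling filesystems, and virtual machine snapshots can all keep older copies that an in-place overwrite never touches.

```python
import os
import tempfile


def overwrite_file(path: str, passes: int = 7, chunk: int = 64 * 1024) -> int:
    """Overwrite the file's existing bytes in place with random data.

    Returns the total number of bytes written across all passes.
    The file keeps its original length, so no new blocks are allocated.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:          # r+b: modify in place, do not truncate
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(os.urandom(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())          # push this pass out of the OS cache
    return written


def wipe_and_remove(path: str, passes: int = 7) -> int:
    """Overwrite, rename to a random name, then unlink.

    The rename replaces the original filename in the directory entry before
    the entry is freed. Returns the number of bytes overwritten.
    """
    written = overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, os.urandom(8).hex())
    os.rename(path, anonymous)
    os.remove(anonymous)
    return written


if __name__ == "__main__":
    # Constructed sample: a small file standing in for a saved VM state file.
    marker = b"CONSTRUCTED-SAMPLE-SESSION-DATA"
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "session.img")
        with open(target, "wb") as fh:
            fh.write(marker * 1000)
        total = wipe_and_remove(target, passes=7)
        print("bytes overwritten:", total)
        print("file still present:", os.path.exists(target))
```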
The final word on your rig is this: Use your laptop, but don’t really use your laptop. Do you know what I’m saying? Let’s say someone suspects you of being the author of something that made a big company mad. They started a lawsuit, and have subpoenaed your machine. Hand it to them happily. Meanwhile throw that network card in the river, and throw that Linux bootable CD away, or throw that pendrive in the fireplace…you get the idea. When they call back asking for the password to your whole drive encryption scheme, be a dick and hold out for as long as possible. If they threaten you with jail time, then give it to them. Then they will call back asking for the password to the encrypted file that contains the saved state of the emulated OS you were using while surfing. Be a dick and don’t give it to them. Hold out on that until they threaten jail time and then give it to them. They will find a clean and pristine copy of Windows or Linux that you replaced your last session with and nothing will incriminate you. If you really want to be a dick you can call them every couple of days asking if they are done with your computer yet. By the time this is over they will have no evidence against you and your accuser will have thousands of dollars worth of hard drive forensics bills that got them nowhere. You’ll never get your laptop back, but this will be fun.
3. Use The Right Browser With The Right Add-Ons
This is absolutely crucial to the success of your mission. My weapon of choice is Firefox for many reasons. Many add-ons to Firefox make this browser a hacker’s paradise. There are two add-ons that will be discussed in detail here. You may wish to use more in your quest to remain anonymous, but these are the bare minimum.
A. The first add-on you will install is No Script. As a matter of fact I do not recommend getting on the internet for even regular business without this fantastic free bit of software blocking for you. No Script does exactly what the name implies. It will not allow any script to run in your browser without your informed consent. Many free blogging sites run scripts in the background which may give away your identity. This will block them from running in your browser.
B. The Torbutton add-on for Firefox will be your first line of obfuscation from people discovering your origin IP address. Tor networks are complicated, and some people have written whole books and series of blog posts about them. So study up before you jump in. Basically, what it does is this: you will be able to set your browser to run encrypted traffic through a proxy on the Tor network. The Tor network will be a series of computers all over the world that bounce your encrypted traffic through many nodes located all over the globe before arriving at the last node. The last node will decrypt your traffic and send it on to its destination IP address stripped of all identifying headers that would point back to its origin. That node waits for a reply. When it comes, it grabs the packets, encrypts them and sends them back through a crazy twisted route of servers all over the world until it gets to the end again where the still encrypted traffic is sent to your computer where it is decrypted for your use. This specific zig-zag connection will not last long before the tor configuration you are using resets and the server logs are erased from old sessions to hide every user’s tracks. The beauty of this setup is simple: there is no government agency that has the manpower to have agents waiting in strategic places all over the globe so that they can converge on every server and secure the logs the next time little ol’ you decides to make a blog post. It’s just not going to happen. Don’t be fooled though. Tor is not perfect and does have its weaknesses, but it should be safe for blogging. The weaknesses of Tor are the subject of many security papers and tests. Most of it hinges on the fact that it is an open source project and so the government would be able to seed its own servers in the mix, keeping server logs that could be analyzed. If you were a large evil doer with a lot of traffic, a government seeded Tor network might be a dangerous place to be.
The rogue servers may be able to piece the puzzle together to identify a mass email spammer or the like. But one or two blog posts a week have virtually no chance of being discovered in this way. Still, the other safety measures you have in place should prevent you from being discovered should the Tor network fail you.
C. The Firefox browser itself should have the default settings of a paranoid person. There are many places where you can find this information as well. But at a very minimum you should have the browser set to not accept third party cookies, not record browser history, not save passwords, etc. Don’t discount the browser itself as a danger.
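The layered relay encryption described in item B, as an added example that is not from the original post and is not Tor's code. It wraps a message in one layer per relay and records what each relay can observe as it peels its layer. The XOR keystream is a toy stand-in for a real cipher, and the relay names, keys and `blog.example` are constructed.

```python
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode, XORed). Illustration only, not secure."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def build_onion(message: bytes, destination: str, path: list, keys: dict) -> bytes:
    """Client side: wrap the message in one encrypted layer per relay, innermost first."""
    next_hops = path[1:] + [destination]
    onion = message
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": onion.hex()}).encode()
        onion = keystream_xor(keys[relay], layer)
    return onion


def route(client: str, onion: bytes, path: list, keys: dict):
    """Relay side: each relay removes its own layer and logs what it could see."""
    observations = []
    sender = client
    for relay in path:
        layer = json.loads(keystream_xor(keys[relay], onion))
        onion = bytes.fromhex(layer["data"])
        observations.append(
            {"relay": relay, "from": sender, "to": layer["next"], "payload": onion}
        )
        sender = relay
    return observations, onion


def relays_linking_both_ends(observations, client: str, destination: str) -> list:
    """Relays whose own view contains both the client and the destination."""
    return [o["relay"] for o in observations
            if o["from"] == client and o["to"] == destination]


# Constructed sample values.
CLIENT = "client-laptop"
DESTINATION = "blog.example"
PATH = ["relay-A", "relay-B", "relay-C"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}
MESSAGE = b"POST /new-entry (constructed sample request)"

if __name__ == "__main__":
    obs, delivered = route(CLIENT, build_onion(MESSAGE, DESTINATION, PATH, KEYS), PATH, KEYS)
    for o in obs:
        readable = o["payload"] == MESSAGE
        print(f'{o["relay"]}: from={o["from"]} to={o["to"]} plaintext_visible={readable}')
    # The last relay sees the request in the clear unless the site itself uses HTTPS.
    print("relays that see both ends:", relays_linking_both_ends(obs, CLIENT, DESTINATION))
    # A single-hop proxy, by contrast, sees both ends.
    one_hop, _ = route(CLIENT, build_onion(MESSAGE, DESTINATION, PATH[:1], KEYS), PATH[:1], KEYS)
    print("single proxy sees both ends:", relays_linking_both_ends(one_hop, CLIENT, DESTINATION))
```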
Alright. So now we have the perfect rig set up. We have the whole drive encrypted, and we have a removable network card. We are using an emulated OS that is encrypted and erased with a professional program after each session. We are using a browser within that emulated OS that has the right settings and we have tested our tor network and are sure that our IP address is hidden. Now it is time to blog.
The Deed
1. You Need An Anonymous Email Address
Every blogging solution out there asks for an email address at minimum. So we need to find an anonymous email address. Hushmail is a good solution, but you might find them asking for a good email address when you first register. “What?” you may ask. “What good is an anonymous email address if they have your real one?” What good is it indeed? That’s why we have to secure our anonymous email address with a disposable email address. Don’t worry, just follow me. Mailinator is a fantastic service that lets you give out a fake address. Let’s use my old standby, buckman@mailinator.com. If I sign up for something and give this address, the mailinator server will keep the message for about 10 minutes. If I go to mailinator.com and ask if anything has come for buckman@mailinator.com in the last few minutes they will serve up that message to me. So, go over to Hushmail, and when they ask you for your real address, give them your mailinator address. Go to mailinator and click the activation link, and before you know it you will have a completely anonymous and permanent email address at Hushmail. If you did this from your tor network no one will be the wiser.
2. Pick A Blog
Alright, now that you have an anonymous email address, you can provide that to the blog of your choice. Most of these blogs will have you up and running in no time as long as you can confirm your email address. Now that you have an anonymous one, this becomes pretty easy. WordPress or Live Journal should be fine. Pick any of them. Just make sure you give them all fake information and a fake email address. If you took a few precautions and covered your tracks you will now have a blog that cannot be traced to you. Have fun.
3. Pick A Message Board
You may wish to start a message board as well. Most blogging sites don’t allow you to do this, but this is a cool way to build a community. Just remember that if your users are not tech savvy, their IP addresses may be obtained and used against them for posting to the site. Same thing goes for comments on your blog. Just be careful. Pro Boards and Free Power Boards should be acceptable for this purpose. Many others will do as well.
Best Practices
All of this technology will get you nowhere if you slip up and do something stupid. Get a routine going, and keep your guard up at all times. Never let it down for a second. What follows are some practices that are a must for this to succeed:
1. Never Do This From Home
Let me say that again. NEVER DO THIS FROM HOME. Always go to a local coffee shop or restaurant that has free wifi that does not require registration. Use your head with this. Do not go to Starbucks, register on their network with a credit card, and then try to anonymously blog. I can lead a horse to water, but I can’t train stupid. The best practice is to rotate a number of known sites randomly. It doesn’t take long to do this. Write your post at home if you feel like it. Then drive to the nearest hospital, local library, or bar that has free wifi. Set up shop in the parking lot for a few minutes, check your email, upload your post, and drive away. If you get about 5 to 10 local sites that fit your quick needs, what are they going to do? Stake out every site 24/7 just in the hopes you will show up for a few seconds in the parking lot? No one, and I mean no one has that kind of budget. Also, if they brought out the big guns or had friends in high places that could piece together a tor jigsaw puzzle, the IP address still leads to an open coffee shop. They still have nothing.
2. Loose Lips Sink Ships
This should go without saying, but be careful what you post. Most anonymous bloggers do not get ousted by technology. They get caught by saying something stupid that identifies them. Don’t let this be you. If you are starting a union site, don’t talk about the call you made yesterday. Think about it.
3. Tiny Man Syndrome
Don’t get too big for your britches. If you don’t break the terms of service of the blogging network you have joined, then they won’t have any reason to pull your site down at the request of the offended company or service. That having been said, almost all blogging sites have a rule in their policies that states that if a company is offended by the content, then the site can be brought down. This can be fun in and of itself though. Sign up for multiple accounts and have the next one ready and waiting for when the current one gets shut down. Send out emails letting everyone know where the new one is and let them play whack a mole for the next couple of months. This game costs you nothing. It will cost your opponent thousands of dollars trying to keep up with you. They will grow tired of it quick. It’s fun to watch lawyers dance.
4. Fun With Timers
Don’t post immediately. Use a timer. Almost all blog platforms allow you to post an item but not make it public until a date and time that you chose. This is not easily discerned from the outside site. Make all your posts go up at 4am to drive management mad trying to be up when your next rant hits the airwaves.
The Final Analysis
You want to be paranoid. Depending on your goal with this blog, and the policies of your employer, this might be an offense worthy of instant termination. Mouths to feed and mortgage companies could care less about your crusade to change healthcare. They want a check. Your employer knows this, and this is the first place they will strike. Also, most services have lawyers on retainer who sit around waiting for something interesting like this to happen. It will cost the company absolutely nothing to get this guy out of his chair and file a few papers to make your life a living hell. It will cost you thousands upon thousands of dollars to defend yourself. Don’t just assume that the Electronic Frontier Foundation is going to come running to your defense. If they are busy that day or their budget is tapped you are boned. Plan accordingly. Be paranoid. Don’t get caught.
The many layered approach looks like this: Let’s say they want to find you. They go to the blogging site and lean on them for the IP address. They follow the IP address to Tajikistan and many angry people in cubicles at the company you hate will learn what a Tor network is. The search may stop there, and they may go the route of shutting your blog down, in which case you introduce them to the very expensive game of whack-a-mole. If they have a lot of influence and shady people on the payroll, they might be able to get through the Tor network and find the 5-10 local IP addresses that you have been using. They have to contact each one only to find out that they are all public wifi spots. Then they are at a complete loss unless they stake out each individual wifi spot 24/7 to try and catch you posting something. That is, if they never take a break and are watching the parking lot for ANYONE who may be driving by. If by some miracle, or more likely a mistake of yours, they manage to convince a judge that the blogger is you and they subpoena your machine or confiscate it, simply turn it off. Hand it to them, and play the “I’m going to be a dick game” described above until they figure out that spending tens of thousands of dollars on hard drive forensics gets them nowhere and they give up.
In the end, no single blogger is worth that amount of trouble. There is no CSI for bloggers. Most companies will make a few phone calls and find out that this is going to be expensive and quit. No one has the resources to tackle this level of obfuscation. Blog away.
In case the above approach seems a bit too much for your level of expertise, you may want to try something simpler. There is a product called Ironkey. The purchase of an Ironkey will remove many of the steps outlined above. But be forewarned. I wouldn’t use one unless I could find one in a retail store and buy it for cash. Don’t tie the damn thing to your credit card. Once you found one for cash, you would be able to go to some internet cafes or libraries that allow you to use USB devices and blog from behind the ironkey’s built in tor network. You could also simply go commando and use library computers, or internet café computers. There are drawbacks to every idea, just make sure you don’t do this at home with your own email address hoping that nothing will happen to you.
Again, I would urge all of my readers to NOT JACK WITH THIS UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING. If you are familiar with technology, and the above post connected a lot of knowledge in your head in a way you hadn’t thought of before…and you thought to yourself, “Oh man, that would work…” then feel free to proceed with caution. If you read the above post and decided to print this out and spent the next two days trying to figure out what a tor network was, THIS IS NOT FOR YOU. Back away from the computer before you get fired. This is my last warning.
And if you are going to be a thorn in the side of corporate America and you have dreams of sticking it to the man responsibly, then proceed. If you want to just post fake facebook profiles of your management staff, don’t bother. If you must though, at least send me the links before you get caught. To Dr. Wesley I will say that any attempt to make people behave on the internet is simply a waste of time. It may be a bigger waste of time than putting copy protection on DVD’s. Some kid is just going to break it in five minutes from his mom’s basement. Resistance is futile. The internet is what it is. And as Princess Leia once said, “The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.” I was looking for something even nerdier than that to end this blog post, but I couldn’t find any applicable quotes from Shatner.


First off, I do think there is a definite value in anonymous blogging.
I do however think a lot of this is overkill, because you now need to assume that an EMS Agency has the knowledge to be able to track you if you don’t do any of these things when the truth is the majority of them think their free website on Geocities is technologically advanced.
The most important thing to know about anonymous blogging isn’t on the technical side. It is on the content side, meaning that even though you are anonymous you need to own your own words.
I hate to see a comment like this actually. I have seen people identified and fired for what they have put online. The vast majority of them have done something stupid, but one or two were investigated, found, and fired.
It is true that what I have written above is overkill in most circumstances, you never know when a national company is going to wig out and try to make an example of someone. It also depends on what you have found out. Never assume your opponent is too dumb to figure it out, they can hire someone who is not dumb if they see the risk of a large company going union or a full scale Medicare investigation.
The techniques above are utilized for hacker stuff that is a bit beyond the usual anonymous blog. And if you are young and single, maybe you don’t care. However, if you have kids and a mortgage and you want to start a union and you are afraid of losing that house, or the 15 years you have put into your retirement…you will want to cover your tracks a bit.
So please don’t flippantly just say that most employers are stupid, go ahead and blog. That guy may find himself without a job and starting over again with his retirement. The stakes are higher for some people than you might think.
I understand what you’re saying. Really, I do. I know plenty of bloggers who have been affected negatively for their actions online.
The common thread? They were irresponsible.
Whether it be naming their company, writing libelous content, copyright infringement, etc. they were all guilty of that. They were wrong… and they knew it.
Blogger (Google really) will not just drop IP Addresses or e-mail Addresses to your company. Even with a subpoena, if your content is not any of the above, they will cite their privacy policy, allow your company to spend thousands of dollars just to have it thrown out. If you do post content that is the above, then they’ll hand that information over, and rightfully so.
People have been losing their jobs not just for blogging (such as Dooce) but also what they do on networking sites like Facebook and MySpace. I’d rather see guidance and education on how to post good content without infringing on the above issues.
Maybe if we educated our Responders, agencies wouldn’t be so paranoid about Social Media.
The internet is cold and dark and no one can hear your electrons scream,
I thought that Schrodinger could hear my electrons scream, but he couldn’t tell what language they were screaming in, or something like that.
Apple computers are for girly men who cry while they watch Steel Magnolias.
I cry at the thought of paying for anything by Apple . . . and when watching The Spitfire Grill.
You’ll never get your laptop back, but this will be fun.
You obviously have an overdeveloped schadenfreude gene. Or is it Overkilled? BaDumpBump. Have you tried some veal?
It’s fun to watch lawyers dance.
You must know some attractive lawyers.
Good advice. I would also recommend that they work on masking their writing style. This is not easy to do. When you write about things you care about, it is hard to write in someone else’s style. Unless you have a lot of practice writing in the style of someone else.
[...] Ferris gave some step-by-step instructions on how to blog anonymously. I will admit, I think alot of what he is saying is complete overkill and more than slightly black [...]
[...] Fellow bloggers take note: The EMS Guide to Anonymous Blogging. (Gomerville) [...]