Cyber Ninjitsu - The Art of Invisibility Online


Networking, Cryptography

Cyber Ninjitsu
"The Art of Invisibility - Online"

I. Introduction
When discussing "computer security" anonymity is often avoided or 
simply forgotten. I believe the reason is because we always begin 
the thought of "computer security" assuming that we are a target.

The benefits of investing in computer security also only arise when 
we are actually targetted. My strict firewall is pretty pointless
if nothing out of the ordinary ever happens. 

Really, we always begin with the fundamental assumption -
"They have my IP Address. Now what?"

This is a perfectly valid starting point if you are already know.
For example, Google has every right to begin with this assumption.

However for you and me, this isn't necessarily true.

The only 'real' security
Government. Let's just say it. The government is the biggest/best
hacker of us all. Why? How?

I'm not going to ramble on about some mythical uber technology they 
may or may not have. The truth of it is quite simple:

If the government wants your computer, all they have to do is 
bust down your door and take it. If you try to stop them they just 
subdue you, either by force or by some other means. If you try to 
protest on some form of legal ground, they throw up a warrant in your
face and laugh.

It doesn't matter what kind of network security you have or physical 
security you have. They'll rip out your harddrive and mount the partitions 
to access your files without ever booting your computer. 

Government here is just the most obvious form. Really, anybody with a gun
can do the same thing. Government is just the only ones who do this quite 

So what do you do against this? My firewall doesn't mean jack shit here. 
My local system permissions are worthless. My useraccount is pointless. 
Deleted files can be recovered. Encrypted files are a little better but 
all they need to do is lay in some legal pressure to get the password. 
They do, afterall, have a warrant. God forbid it's really bad and 
they drug you with some kind of truth agent. Ok so that's unlikely, but 

God forbid you have anything incriminating in your deleted files - or 
swap memory - or your file system is a journaling file system that you 
can easily see the history of or "rewind" - or you have restore states
on your OS. Etc...

The only 'real' hope of keeping your ass out of this kind of situation is 
never get into it in the first place. 

In enters anonymity. The only 'real' security that you have.

Yea ok, so getting raided by FBI or worse is unlikely for most of us. We're 
not exactly international terrorists (or are we?).

That's not the point. We have a right to privacy. Maybe I don't want my 
ISP keeping a full history of my traffic. Maybe I don't want the good
people of to know where I'm from and be able google maps 
my ip address to find the exact address of my house. 

Perhaps I'm a well known member of the republican party and I want to 
make a donation to a democrat candidate that I believe is a good man? 

Who knows? Who cares? The point is, I have ever right NOT to tell 
someone my name, let alone my hobbies, interests, address, and credit 
card information.

II. How to be Anonymous
Anonymity is getting harder and harder. The more gifted people we have 
developing methods to track and trace end users, the more difficult it 
is to stay off the radar. I've been doing research for the last few months, 
truely trying to stay anonymous online. I've found that it takes a lot
more than just using the right tools.

The Mindset
We're all used to thinking about how we can be unhackable. It's much like 
securing a prison. We put up as many walls and alarms as we can. We have 
a guard constantly patrolling for "infestations". We have penetration testing
trying to break through the walls. Etc..

Computer Security really is Isolation - trying to be as isolated as possible. 
Then we control who comes in and who goes out. 

Anonymity is NOT isolation. Stop thinking about it the same way you normally 
think about computer security.

Take the old oriental tradition of the wise man on the mountain. Getting to 
the wise man was very difficult. You'd have to climb a mountain. But you always
know who the wise man was (because you never saw him) and where he lived 
(mountains are obvious).

Anonymity is different. You want to be normal. You want to be common. You 
want to look no different than everybody else. Essentially, you want to be a 
brainwashed drone in boot camp - just like everyone else.

But let's be realistic. 9 times out of 10 if you're going out of your way
to be anonymous, you usually have a good reason, and that reason alone 
causes you to not be like everyone else. So, you need to hide.

Marijuana Example
Take smuggling marijuana for example. You want the make the marijuana 
as anonymous as possible. So, before you take a drive, mow your yard and 
mix all the grass clippings in with the marijuana. I'm talking a 'lot' 
of grass. Then get a bucket full of garlic cloves and smash it all up. 
When thoroughly ground up - season and stir your grass/marijuana together
until you have the weirdest smelling trunk in the world.

At that point, finding the marijuana in your trunk is going to be literally
like finding a needle in a haystack. Of course.. this is going to be true 
for you as well as any authorities. ;-)

Rules when Hiding
1. Don't trust your software. 

When surfing online using a webbrowser you usually have javascript turned 
on by default. Client side scripts can be written to reveal your true 
identity. Ever heard of Ajax? Same with java, flash, etc. All this is 
on by default. Some browsers don't let you turn them off. 

2. Don't identify yourself

Duh right? This also goes for nicknames. I use the name Kayin here 
at SoldierX. If I then go and hack a website and write "Kayin was here"
all over the website, clearly that can be traced back to SX - which 
could potentially trace back to my real self a lot easier than the traces 
left over on the victim server.

3. Spoof what you can when you can

I use linux at home. If you were to log my Http Requests 
you would think I'm runing IE7 on windows vista. I do this by
spoofing my browser user-agent. There's an add-on in firefox to do this:

Take this idea and run with it. The following sections will discuss 
"spoofing your IP Address". I'll leave the rest up to you.

4. Clean up after yourself. 

Your local operating system caches a lot more than we think. I've been at 
this for probably 10 years now and I STILL learning about new caching 
mechanisms inside of Windows. If you're doing something extremely sensitive
then I wouldn't even bother with Windows. That's just my personal preference.

I'm not saying Windows isn't secure, but i am certainly saying it isn't 
anonymous - and i'm not just talking about clearing your browser cache. It'd 
be a 400 page book to describe everything that damn OS does. Doesn't help
they change their methods every new release. 

Side note: I don't believe the developers of the OS do this
intentionally. In software, verbosity is a side effect of complexity and
Windows is just damn complex.

You see, software doesn't intentionally try to trap you. It's just what 
accidentally happens. That's the real reason it's so damn hard to stay 

III. Tools for staying anonymous

When it comes to anonymity online (and your following the rules 
by not entering any personal information about yourself anywhere) then
the next biggest obstacle is your IP address.

I once downloaded a tool to "spoof my ip address" on my machine. At 
the time, I didn't really understand why that was a really stupid thing
to do. 

You can't 'really' spoof your IP address. To do so just doesn't make any 
sense. If I sent Rat a letter and I put a different return address on it, then
when he responds he'll send the response to the return address and not to me.

I'll never get his response letter. It's the same with computer networks. I'll
never be able to establish a TCP connection if I fake the source IP Address.

Side Note: You can change the IP source address of outgoing packets. This is often
useful for various types of attacks. However, for anonymity in everyday browsing,
it's not useful.

Fortunately, there are ways to "hide" your ip address.

Proxy Server
I'm assuming by now everybody's heard of a proxy server. A proxy server
is basicaly something you act through. It is the most basic tool when it comes 
to anonymity. 

For instance, I want to deliver a message to santa clause. I give my message to 
Mr. X and Mr. X relays that message to Santa Clause.

Likewise, I want to connect to an IRC server but still hide myself. I can use 
an IRC 'proxy'. 

Me => Proxy => IRC Server.

The trick with proxies is that they don't tell the destination who the source is.
For instance, Mr. X doesn't tell Santas Clause who I am. 

There are many proxies for various types of applications:


Web Proxy Failure
There is a problem with several web proxies due to the "crapiness" of 
HTTP 1.1

When you type in in your browser what happens is:
1. Your browser requests to fetch HTML from the path given.
2. The browser then receives the HTML from the web server and begins 
   to render this html. 
3. When the browser encounters an Image in the webpage, it'll make 
   A SEPARATE HTTP REQUEST for that image. The same with style sheets,
   javascripts, etc. Any extra file.

You see, when your browser receives the HTML from the 
connection is closed. That's the end of the transaction. Several web 
proxies (BUT NOT ALL) stop there. They let YOUR machine request 
any images, style sheets, etc.. This breaks the anonymity. 

The correct implementation would be for the web proxy to rewrite the 
image urls in the HTML so that YOUR MACHINE would request the image from 
the proxy server which would then request the image.

These types of failures exist in other application proxies, not just web. 
It's important to look closer at the proxy your using and test them out first.

Alternatively, you can use a Socks Proxy which avoids this problem entirely.

Socks Proxy Server
The above list was several proxies for different applications. This means the 
proxy was setup specifically for the applications.

From a technical standpoint:

Me ------------> Relay ------------> Destination Server
     Protocol            Protocol

The actual relaying that is done utilizes a SPECIFIC protocol. The above 
lists are lists of proxies that operate this way.

A Socks Proxy is a multi-application proxy server. It can technically 
work with any service. This is because it operates at lower network 

The standard proxy (like those in the above list) operate at the 
application layer of the OSI Model (
This makes them application specific.

Socks proxies operate at Layer 4 or arguably 5. In the TCP/IP model, 
they operate at the TCP layer. This means that it simply relays whatever 
communication comes in. It doesn't care about the type of communication.

The good thing about Socks proxies is that they're not susceptible to the 
type of problems found in application proxies such as the issue described
above with web proxies.  

A Socks Proxy operates in app transactions. Instead of protocols specific
transactions like the web problem described above, a socks proxy will 
be used by the application until you either close the application or tell 
it to stop using the socks proxy.

This is the safer bet of the 2. 

Dangers of Proxy Administration
A proxy server is a dangerous thing to own and adminster. Just think about it.
Do you really want someone to be able to control your machine? What could
they do with it?

What if they're using my proxy server to start a big f'kin fight on IRC. 
The result of such an act could get my machine attacked. Alternatively, the 
person could use my proxy to do something illegal. I could get a knock on 
my door by the FBI for something that I didn't even do. 

For these exact reasons, proxy servers keep logs of who uses them and who does 
what with them. In some places it's legally required that they keep logs. 

A proxy server logging things defeats the whole point of using them in 
the first place. Where's the anonymity in that? 

You may be thinking that the solution is to chain many proxies together.

For example:
Me -> Proxy 1 -> Proxy 2 -> Proxy 3 -> ... -> Destination.

This, aside from it being incredibly slow, doesn't solve the problem. The
problem isn't that 1 proxy is logging things. It's that they all
are. You can follow the chain backwards and still arrive at the source.

"Yea but who would do that"
- The government if they want you bad enough. :)

Relying on the laziness of people is not anonymity. So what's the solution then?

Well if all official proxy servers log (or potentially log) then we
can just use an unofficial proxy server right? :)

The idea here is to 'root'/'own'/'hack'/'some other buzzword'  someone's 
computer and then install proxy software on that.

Simple enough really and it seems like a safe idea, though illegal. There 
are a few potential problems with this. 

1. The zombie machine could disappear at any given time. 
   This is not that big of deal really.

2. Zombie machine could be logging things. Again, windows is nasty when 
   it comes to that. Make sure to take care of that ahead of time.

3. ISP - if that ISP is like mine, then they have extremely annoying 
   logging policies that could potentially lead back. Not likely but
   is a possibility.

Overall a zombie isn't that bad of an idea if they have the bandwidth for 
it and it can be stable.

Onion Routing
Onion routing is considered by some to be the final solution to anonymity. 
I only agree to an extent. It is, essentially, a super socks proxy. 

Onion routing works as follows:

Me ~> Entry Node ~> Onion Router ~> Onion Router ~> ... ~> Exit Node -> Destination

My machine sets up a unique encrypted channel to an entry node. 
The entry node setups a unique encrypted channel to another node
That node setups up an encrypted channel to another node
The last node (the exit node) setups an unencrypted channel to 
the destination.

At each router hop, a layer of encryption is performed on top 
of the previous layer. This layer of encryption hides the previous hop
to the router next in the path. 

For example:
NodeA ~> NodeB ~> NodeC

The encryption done at node B hides node A from node C. So, node C has 
no idea about node A. 	

Essentially, each node in the path ONLY knows about the next node and the
previous node. This is why it's called "Onion" routing, because each hop 
adds a layer of encryption. The result is what appears to be an "onion". 

The entire path from source to destination is hidden. The destination server
only knows the exit point. The source user/server only knows about the
entry point. Each node inbetween, only knows about its neighbors.

I want to point out, the initial connetion between my machine and the entry 
point is an encrypted channel. The ISP between my machine and the entry node 
has no way of knowing what I'm doing or where I'm going. In the same way, only
the entry node knows who I am - but not where I'm going.

The exit node is a standard unencrypted connection. It acts like the proxy 
server in this case but it has no idea who made the original request.

This technology hides a person extremely well and also is not illegal. It's
also free. I for one am a huge fan of using onion routing. So are the folks
in China as it allows them to get around the 'great firewall'.

There are some downsides to this:

1. You're connection is traveling across the world several times being 
encrypted at each step. Your bandwidth takes a HUGE hit. I have 
faster than T1 speeds and it reduces me to DSL times. Though this isn't 
that bad for me, but if you're on 56k, it's a major hit.

2. It's breakable by an attacker with a LARGE amount of resources. Onion 
routing, by design, can withstand several "bad nodes". Remember, each node 
only knows about its neighbors. So if there is a compromised node in 
the network it has limited effect. A party with a large amount of resources
could potentially flood the network with bad nodes. Again, they would 
have to have a LOT of resources.

Side Note: In experimentation with onion routing, I've stumbled onto several
nodes in an actual onion routing network that are government hosted. These 
nodes are actually set up in such a way that they are usually chosen "first" 
as entry nodes by onion routing clients. I don't know exactly what they're 
doing there, but it is clear to me that the gov't is watching. Message me 
if you have any questions on these findings. I won't get into too much 
detail here.

3. DNS. DNS requests are still sometimes made by applications outside of 
any proxies. This is basically just application flaws. Again, don't trust 
the software you use. Fortunately, the onion routing client implementations 
have taken this into account and have built in mechanisms to handle this.
Still - be aware that you could have DNS leaks.

4. Timing attacks. If I'm an entry node and I'm a honeypot server, I could 
potentially tell, simply based off the time a connection was requested 
and the time it was established, which user was connecting to the honey pot.
This could be resolved by client implementations that utilize throttling or 
even node relay implementations.

Overall - onion routing is a pretty nifty thing. There is currently an 
onion network available to use. It is called TOR.

Tor is a wonderful technology that is, unfortunately, abused quite often.
It's a spammer's paradise as well as a haven for pedofiles. If the scum
of the earth can survive on it, I suppose then that it is safe for more 
noble uses. Still, I don't believe any other technology has ever challenged
my beliefs in free information like this has. I strongly considered 
not even mentioning it in fear of leading others into this snake pit. 

What you do is your responsibility.

IV Staying Invisible on P2P
A friend of mine IRL recently got disconnected by his ISP for a 
bullshit DMCA violation. He was apparently caught downloading a CSI 
episode. Funny thing was he didn't watch CSI. 

He runs your typical Bit Torrent client on a windows platform. He 
also uses Peer Guardian. 

Disclaimer: So yea, he was doing something illegal. But what if you 
don't want to do something illegal and you still don't want people watching
you. Right? ;-)

Zombies are unreliable and can be difficult to obtain. 
Onion routing takes a significant hit on your bandwidth making it unsuitable
for p2p. What then?

On May 7th, 2009, Google donated $18,000 USD to the freenet project.

Freenet is one potential solution to the p2p problem of our age. I'm going 
to forgo the entire searching algorithm and just tell you how it keeps 
things anonymous. 

When you connect to freenet, you become a node. A large (10 gig for example) 
ENCRYPTED virtual partition gets setup on your harddrive. This is where files
get stored - not the files you download or you upload, just files in general
that travel the Freenet network. 

Freenet basically operates as one GIGANTIC Distributed Cache. Files are spread 
out throughout the entire network. No user actually knows what files he/she 
stores. Even if they wanted to find out, they can't because the files are 
encrypted and the names are hashed. To be really honest, 1 user doesn't 
even store the entire file, just pieces of it. 

When you search for a keyword, it is hashed and through some pretty cool 
algorithms, a file is quickly "located" and you begin downloading. All 
encrypted of course.

This allows for no single person being responsible for file distribution. 
At the same time, nobody knows what you're searching for. And though they're 
connected to you downloading "it" the machine doing the trasfering to the 
downloader has no idea what's being uploaded. Basically, the only person 
who knows what's going on is the downloader doing the downloading.

Of course the problem here is that you're still downloading something from 
someone else. If an attacker has a large amount of resources ;) they could 
potentially flood the network with known files of a certain type and track 
who downloads it.

There has come a recent solution to this. Freenet can operate now using a 
darknet. A darknet being a small network of people he knows and trusts. For 
example, soldierx could form it's own darknet and basically have it's own 
small freenet network. Eventually this could grow as members trust outwardly. 

Freenet (along with all these other anonymous p2p networks I'm going to be
talking about) is currently a fairly small network. It's therefore slow 
and kind of a pain. If the Bit Torrent crowd ever caught on, this could grow 
to extreme heights and become quite powerful.

It's good to note that Freenet does not really provide anonymity but 
rather resistance to being held responsible for contribution. This could 
be the underlying flaw of the whole system.


Gnunet is a fairly 'new' anonymous file sharing network. Unlike Freenet which 
provides legal deniability for file distribution, Gnunet provides actual anonymity
for the distributers. 

Gnunet's fundamental principle is described in 2 sentences on the homepage:

"Anonymity is provided by making messages originating from a peer indistinguishable 
from messages that the peer is routing. All peers act as routers and use 
link-encrypted connections with stable bandwidth utilization to communicate with 
each other."

I love the simplicity. The request to downloader and response distribution
is indistinguishable form routed requests. For example:

A -> B -> C -> D

A requests CSI episode. B Forwards the request to C.  C has no way of telling
whether the request was made by A or by B.  It's just that simple.

An advantage of GnuNet over Freenet is that you don't have to commit 10+ gigs of
harddrive space to a distributed cache... and there's a guarantee of anonymity outside
of a darknet.

Again, an attack with a large amount of resources could both be B and C and 
therefore notice who is doing the original request. This would require a VAST amount 
of resoures in comparison to the number of Gnunet contributers. 


I2P is a fascinating concept. It is not limited strictly to p2p communication 
but can work with any application. The only requirement is that both ends of 
line utilize I2P. This makes it an appropriate fit with p2p, but can also work 
with IRC if the IRC client and server both have I2P.

I2P is like a new encrypted IP layer on top of an encrypted routing layer. 
Client and server both have unique cryptographic addresses. Individual "router"
hops also have unique cryptographic identity. The 'routers' communicate using 
basic TCP/IP communication. The client and server communicate through these 
virtual I2P 'routers'.

It's very similar to taking the TCP/IP stack, building encryption into it, 
and putting it back on top of the existing TCP/IP stack. It's confusing at 
first but really cool when you get it.

A -> B 

Due to the cryptographic identities, A doesn't know who B is and B doen't know 
who A is. And due to the encrypted channel between them, nobody knows what 
they're saying to eachother.

I2P is actually designed to work in a hostile environment and was built to resist 
attackers with a large amount of resources. :)

A lot of time and effort has gone into preserving anonymity, even in this age of 
abundant technology. I find this refreshing that these technologies and networks 
are growing into something more prominent. I'm also disturbed by the abuse 
of such networks to accomplish evil ends. I find myself torn between wanting to
throw it out in hopes to prevent such things, and calling it the price of freedom.

Perhaps you can distinguish for yourselves. I hoped this helps. Enjoy.