%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
              Maintaining Your Anonymity on the Internet
                     By Opic [CodeBreakers 1999]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

"Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."
-The United Nations' Universal Declaration of Human Rights (http://www.unhchr.ch/udhr/lang/eng.htm)

Disclaimer: The following article should be used as a primer to internet anonymity. While this article has been written primarily for the VX community, it may be implemented by anyone interested in heightening their personal privacy, and not having their online activities monitored. You should understand simple remailer operations and the tracing capabilities associated with IP addresses before approaching this article.

Some foundational philosophy:

Rather than reiterate some of the main points and arguments for the right to privacy and anonymity I have decided to include one of my favorite pieces of writing on the subject; "A Cypherpunk's Manifesto" by Eric Hughes:

Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world.

If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all.
If many parties speak together in the same forum, each can speak to all the others and aggregate together knowledge about individuals and other parties. The power of electronic communications has enabled such group speech, and it will not go away merely because we might want it to. Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction. Since any information can be spoken of, we must ensure that we reveal as little as possible. In most cases personal identity is not salient. When I purchase a magazine at a store and hand cash to the clerk, there is no need to know who I am. When I ask my electronic mail provider to send and receive messages, my provider need not know to whom I am speaking or what I am saying or what others are saying to me; my provider only need know how to get the message there and how much I owe them in fees. When my identity is revealed by the underlying mechanism of the transaction, I have no privacy. I cannot here selectively reveal myself; I must _always_ reveal myself. Therefore, privacy in an open society requires anonymous transaction systems. Until now, cash has been the primary such system. An anonymous transaction system is not a secret transaction system. An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy. Privacy in an open society also requires cryptography. If I say something, I want it heard only by those for whom I intend it. If the content of my speech is available to the world, I have no privacy. To encrypt is to indicate the desire for privacy, and to encrypt with weak cryptography is to indicate not too much desire for privacy. Furthermore, to reveal one's identity with assurance when the default is anonymity requires the cryptographic signature. 
We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. To try to prevent their speech is to fight against the realities of information. Information does not just want to be free, it longs to be free. Information expands to fill the available storage space. Information is Rumor's younger, stronger cousin; Information is fleeter of foot, has more eyes, knows more, and understands less than Rumor. We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do. We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money. Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down. Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. The act of encryption, in fact, removes information from the public realm. Even laws against cryptography reach only so far as a nation's border and the arm of its violence. Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible. 
For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. Privacy only extends so far as the cooperation of one's fellows in society. We the Cypherpunks seek your questions and your concerns and hope we may engage you so that we do not deceive ourselves. We will not, however, be moved out of our course because some may disagree with our goals.

The Cypherpunks are actively engaged in making the networks safer for privacy. Let us proceed together apace.

Onward.

Eric Hughes (hughes@soda.berkeley.edu)
9 March 1993

If you'd like to read more about the Cypherpunks' goals, works, and philosophies you might want to check out the Cyphernomicon at: http://www.kender.es/~alday/english/cyphernomicon/

The Problem With Secrecy; Openness As A Weapon(?):

"The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness."
-Niels Bohr

"What is the 'weapon of openness' and why is it the best weapon of a democracy? Openness here means public access to the information needed for the making of public decisions. Increased public access (i.e. less secrecy) also gives information to adversaries, thereby increasing their strength. The 'weapon of openness' is the net contribution that increased openness (i.e. less secrecy) makes to the survival of a society. Bohr believed that the gain in strength from openness in a democracy exceeded the gains of its adversaries, and thus openness was a weapon."
(Gleaned from: The Weapon of Openness by Arthur Kantrowitz)

Introduction:

Privacy and Anonymity may very well be necessary evils, as many of their adversaries argue. Secrecy (ie: concealing information which directly affects the public) is certainly controversial and I would not peddle it to you, as it can be (and often is) implemented as a tool for corruption.
By giving people the tools to utilize their choice of privacy, anonymity, and secrecy we give them the power to do very good or very bad deeds. It seems to me a better bet to give these capabilities to the general public than to covet them for the chosen elite. We must take bad deeds along with the good ones, and hope that a general humanity prevails. All of this is done in the name of democracy, human rights, and the protection of freedom.

It has become quite obvious how the Vx community has taken the issue of their privacy and anonymity for granted. And now, some persons are paying *dearly* for their lack of initiative when it comes to being "proactive" in regards to protecting their identity and anonymity from those who may wish to "expose" them or ruin their lives due to the beliefs they hold or rights they choose to exercise.

So here is my own response to what I see as a potentially lethal failure in judgement and under-estimation of our "opponents" on the part of the entire Vx world. I have put a lot of time and energy into putting together this paper, which will walk you through step-by-step processes which you can take to ensure your anonymity and still utilize all the internet has to offer in the way of communicating with the rest of the Vx underground. It's all here for you, there are no more excuses, and in light of all the unfortunate incidents that have occurred pertaining to the Vx underground in the last few months I think you'd have to be a fool not to take me up on it ;-) 99% of your homework is already done for you here...just sit back, read, and prepare to disappear into more secure shadows...

The article is split up into two different sections. Part One deals with the use of Proxy servers for http/ftp/irc privacy, and Part Two deals with remailers, PGP encryption and the use of Nym servers and creating your own Nym email address.

*Warning: Remember, nothing is 100%. There is always human error and "luck of the draw".
In other words; nothing is 100% secure or 100% anonymous 100% of the time. The odds of your identity being compromised are greatly decreased by using many of these methods (do you want to wear a t-shirt or a bullet proof vest?)*.

*** PART ONE: PROXIES ***

-Using Proxy Servers-

With few exceptions it is a good idea to use proxy servers whenever possible. I won't go into the technical details of how proxies work in this article as there is A LOT of literature out there which adequately explains how proxies work, and quite frankly; it isn't entirely necessary for you to understand every detail of each proxy you use (though for anonymity's sake it might be advisable). Instead I'll simply tell you how to use them for your different internet needs. For more information on proxies, and on testing their level of anonymity I recommend visiting these sites:

http://home.clear.net.nz/pages/research/sorm.htm
http://www.bikkel.com/~proxy/
http://www.lightspeed.de/irc4all/index.htm
http://natasha.warezbbs.com/contributors/morality/bncingwingates.html
http://www.anonymizer.com

When you use a proxy essentially what you are doing is gaining access to the internet through another "host" computer. It is important to preface this by noting that the use of "public" or "misconfigured" proxies is in NO way entirely anonymous (unlike Nym servers which I will get into later). By this I mean that the proper authorities could quite easily go to the administrator of the proxy you use and ask who has connected and done this or that, upon which the administrator would hand over his logfiles (which nearly ANY proxy keeps) and that would be that. However, proxies are good for not allowing other users to collect your IP or other information about you. They are also useful for sending / uploading data via http or ftp, and can be used on IRC as well, where many Vxers expose their true identities and IP numbers to whomever wishes to find them.
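
One way to do the anonymity test mentioned above, as an added example that is not part of the original article: let the proxied request arrive at a server you control and look at the headers it actually received. The header lists and the three labels ("transparent", "anonymous", "high") are assumptions of this sketch, and the sample requests are constructed.

```python
"""Classify how much a proxied HTTP request reveals about the client."""
import ipaddress
import re

# Assumption of this sketch: headers a forwarding proxy commonly adds.
CLIENT_ADDR_HEADERS = {"x-forwarded-for", "forwarded", "client-ip", "x-real-ip"}
PROXY_MARKER_HEADERS = {"via", "proxy-connection"}


def parse_headers(raw_request):
    """Return [(lowercased name, value)] from a raw HTTP request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:              # skip the request line
        if line[:1] in (" ", "\t") and headers:    # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def addresses_in(value):
    """Extract IPv4/IPv6 addresses (with or without a port) from a header value."""
    found = []
    for token in re.findall(r"[0-9A-Fa-f:.]{3,}", value):
        # Try the token as-is, then with a trailing ":port" removed.
        for candidate in (token, token.rsplit(":", 1)[0]):
            try:
                found.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                continue
            break
    return found


def classify(raw_request, real_client_ip):
    """Return (level, headers responsible) for one request seen by the server."""
    real = str(ipaddress.ip_address(real_client_ip))
    leaks, markers = [], []
    for name, value in parse_headers(raw_request):
        if real in addresses_in(value):
            leaks.append(name)          # the client's own address got through
        elif name in CLIENT_ADDR_HEADERS or name in PROXY_MARKER_HEADERS:
            markers.append(name)        # a proxy is visible, the client is not
    if leaks:
        return "transparent", leaks
    if markers:
        return "anonymous", markers
    return "high", []


# Constructed sample requests (documentation address ranges, made-up hosts).
TRANSPARENT = ("GET /env HTTP/1.0\r\nHost: test.example\r\n"
               "Via: 1.0 cache.example:8080\r\nX-Forwarded-For: 203.0.113.7\r\n\r\n")
ANONYMOUS = ("GET /env HTTP/1.0\r\nHost: test.example\r\n"
             "Via: 1.0 cache.example:8080\r\nX-Forwarded-For: unknown\r\n\r\n")
HIGH = "GET /env HTTP/1.0\r\nHost: test.example\r\nUser-Agent: Mozilla/4.5\r\n\r\n"
FORWARDED = ("GET /env HTTP/1.1\r\nHost: test.example\r\n"
             'Forwarded: for="203.0.113.7:51234";proto=http\r\n\r\n')

if __name__ == "__main__":
    for label, sample in (("transparent", TRANSPARENT), ("anonymous", ANONYMOUS),
                          ("high", HIGH), ("forwarded", FORWARDED)):
        print(label, classify(sample, "203.0.113.7"))
```

A "high" result only means the request carried no proxy-added headers; as noted above, the proxy's own logfiles still record who connected.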

-Finding Proxies-

Finding reliable proxies is almost always a daunting task. It will take some time but consider it a worthwhile investment in the undertaking of the protection of your freedom. There is no sense in making an elaborate nym email account and then showing your nick on IRC every day -you defeat your own purpose, so take the time and do it right.

There is a lot of different software for finding open proxies and wingates by scanning IP masks. Perhaps the best one is "Proxy Hunter" which you can find at:

http://www.netease.com/~windzh/software/proxyht/download.htm

It is easy to use and very flexible. There are also many sites (which often go up and down on a daily basis) which will provide you with new and open proxies. Again a little legwork will go a long way.

The main ports (usually but not limited to) for proxies are as follows:

8080 = http/ftp
1080 = irc (SOCKS)

Common Wingate Ports:

21   = FTP Proxy Server
23   = Telnet Proxy Server
53   = DNS Proxy Server
80   = WWW Proxy Server
110  = POP3 Proxy Server
808  = Remote Control Service
1080 = SOCKS Proxy Server
1090 = Real Audio Proxy Server
7000 = VDOlive Proxy Server
8000 = XDMA Proxy Server
8010 = Log Service

-HTTP / FTP-

Using a proxy server via http is a very easy process with most of today's browsers. It may even at times speed up your connection. Also, logfiles taken by www sites will collect the proxy's IP address and not your own.

In Netscape:

edit | preferences | advanced | proxies | manual configuration | view

will bring you to the field in which you will want to enter the proxy you have found and wish to use. Simply fill in the "http" and "ftp" fields with "proxy.someserver.com" with port "8080" and you're good to go. Could it be made any easier? M$IE probably has something similar to it, but if you are using M$ products then you probably don't care about your security/privacy anyhow ;-)

-IRC-

Using proxies in IRC is also quite simple.
If you are using mIRC (as most do) then you can simply go to:

file | options | connect | firewall

check the "use SOCKS firewall" box, choose "Socks 4" protocol, enter your proxy in the "hostname" field (leaving userID and password blank), and enter port "1080". Hit OK and you're done, again: simple. It's worth noting that there are also many misconfigured "wingates" running on personal PCs which will allow you access on port 1080 which are worth scanning for.

-Footnotes on Proxy Use-

Some proxies are not anonymous as they will show not only their IP but yours as well. For this reason you'll want to test your proxy's headers b4 using them on http/ftp/irc. Many cgi scripts are available to help you in this matter; again check http://home.clear.net.nz/pages/research/sorm.htm for a list of links to some.

Chaining proxies together is highly recommended as it makes the task of finding the end user (yourself) much more difficult. Using proxies in linguistically, geographically, and culturally different countries further complicates and sometimes even defeats tracking efforts. The price to be paid for this security is the loss of a good/reliable/fast connection.

*** PART TWO: NYM's ***

-Understanding, Creating, and managing Nym Accounts-

*Note: You should have a working knowledge of how anonymous remailers are used and function before attempting to set up a nym account. If you don't, Lord Natas has written a good tutorial on it called "Intro to e-mail and usenet anonymity" which is located in Codbrk#4. A working understanding of PGP's public/private key system is also needed. This tutorial is a "next step" as I'll be showing you step-by-step how to set up and use your nym account with client software.*

-What is a nym account?-

A nym account is essentially an anonymous pseudonym email account. It is absolutely the best way to send and receive email anonymously. It's by far the most secure way to remain anonymous while communicating with others.
Below is a description from the nym.alias.net helpfile (to receive it in its entirety send an email to help@nym.alias.net):

<-snip->

The nym.alias.net server allows you to send and receive E-mail pseudonymously through a username of your choice on nym.alias.net. If, for instance, you choose username , you will be able to send and receive E-mail at that address, and even get fingered at that address.

The system is designed to prevent anyone, even the administrators of nym.alias.net, from finding out the real person behind any mail alias. If you use this service properly, an adversary will have to compromise multiple remailers operated by different people in order to find out your real identity.

For each mail alias or "nym" (short for pseudonym) on nym.alias.net, the server has on file a PGP public key, a reply block, and a few configuration parameters. The PGP public key is used to authenticate both configuration requests for your nym and outgoing messages you wish to send from your nym.alias.net address. Such messages should be sent to nym.alias.net anonymously, to avoid any connection between your real E-mail address and your pseudonym. The PGP key can also be used to encrypt any mail received for before that mail is forwarded to you through the remailer network.

The reply block contains instructions for sending mail to your real E-mail address (or to a newsgroup such as alt.anonymous.messages if you want your mail delivered there). These instructions are successively encrypted for a series of so-called Type-1 remailers in such a way that each remailer can only see the identity of the next hop. To send you an E-mail message (after optionally encrypting it with your nym's PGP key), the server will prepend your reply-block to that message and feed the result directly to the Type-1 remailer .
[Note that this remailer is reserved for use by nym.alias.net aliases and people debugging their reply-blocks, so you shouldn't see it listed in any of the standard remailer lists.]

Thus, mail you send to nym.alias.net arrives anonymously through the remailer network. Mail you receive from nym.alias.net leaves the server with an encrypted reply block, and can be sent either directly to you or to a message pool such as the newsgroup alt.anonymous.messages. When used properly, therefore, nym.alias.net provides the convenience of an ordinary E-mail address with a strong assurance that your true identity will remain a secret.

<-snip->

OK, so that might be too much jargon for some, let's break it all down.

-How do nym accounts work and why are they so secure?-

Nym accounts use a combination of anonymous remailers, a main (nym) server, and PGP encryption in order to maintain your anonymity. The reason nym servers are so secure is due to the fact that even the administrators of your nym account and the remailers you use never know your true identity.

First let me show you a small chart illustrating how an email is sent from a plain old anonymous remailer:

 your email   --->   remailer    --->   recipient
|-----------|      |-----------|      |------------|
|headers    |      |xxxxxxxxxxx|      |remailer    |
|-----------|      |-----------|      |header      |
|your       | ---> |your       | ---> |------------|
|message    |      |message    |      |your        |
|-----------|      |-----------|      |message     |
                                      |------------|

Essentially what occurs when you send an email through an anonymous remailer is this:

1) You send an email from your email account to the anonymous remailer.
2) The remailer first strips your headers from the email (the headers from your email give vital information by which you can be identified, such as your true email address, SMTP, and IP address).
3) The remailer then resends the email to the person to whom you addressed it, along with its own headers.

When the mail is received it looks something like this:

-----------------------------------------------------------------------
X-From_: remailer@mail.replay.com Sat Apr 03 03:03:03 1999
Date: Sun, 13 Apr 1999 03:13:13 +0200 (EST)
From: Anonymous
Comments: This message did not originate from the Sender address above.
        It was remailed automatically by anonymizing remailer software.
        Please report problems or inappropriate use to the
        remailer administrator at .
Subject: Yer secret admirer
To: GillBates@Micro$ux.com

Your OS sucks rocks. Please stick it where the sun don't shine.

Love,
Some guy who got stuck with a win box.
-----------------------------------------------------------------------

Now when you are using a nym server you are (generally) chaining remailers together, using PGP encryption for each remailer "hop", as well as to/from your nym server. This adds increasing safety, anonymity, and privacy to the above example. The added safety of a nym account comes from the fact that:

1) The ISP on which your POP3 email account is located can no longer read/monitor your email, since all incoming and outgoing email is PGP encrypted either before it is sent to your SMTP or by the nym server before delivery to your POP3.
2) People you send email to can no longer check the header of your email to find out your IP address or other information about you, as all headers will lead back to your nym address and the nym server (more on why this is safe later).
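
The chaining just described (each hop drops the headers it received and removes one layer of encryption), as an added example that is not part of the original article. A toy keyed cipher from the Python standard library stands in for PGP, and the hop addresses, keys and the "To:" layer format are constructed for this sketch rather than taken from any real remailer.

```python
"""Layered remailer chain, with a toy cipher standing in for PGP."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return blocks[:length]


def seal(key, plaintext):
    """Stand-in for 'encrypt to this hop's PGP public key' (NOT real crypto)."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def unseal(key, blob):
    """Stand-in for a hop decrypting with its own secret key."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not addressed to this hop")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def wrap(message, recipient, chain):
    """Build the nested packet. chain is [(address, key), ...] in travel order."""
    next_hop, payload = recipient, message
    for address, key in reversed(chain):       # innermost layer first
        payload = seal(key, b"To: " + next_hop.encode() + b"\n\n" + payload)
        next_hop = address
    return next_hop, payload   # where to mail it, and the outermost layer


def hop(own_address, key, mail):
    """One hop: peel one layer, drop the incoming headers, forward the rest."""
    layer = unseal(key, mail["body"])
    header, _, inner = layer.partition(b"\n\n")
    next_hop = header[len(b"To: "):].decode()
    # Simplification: a real nym server would send under the nym address
    # after checking the PGP signature; here every hop uses its own address.
    return next_hop, {"headers": {"From": own_address}, "body": inner}


def deliver(sender_headers, first_hop, packet, keys):
    """Route the packet; record (hop, sender it saw, next hop it learned)."""
    mail = {"headers": dict(sender_headers), "body": packet}
    address, views = first_hop, []
    while address in keys:
        seen_from = mail["headers"]["From"]
        next_hop, mail = hop(address, keys[address], mail)
        views.append((address, seen_from, next_hop))
        address = next_hop
    return address, mail["body"], views


# Constructed sample data (example domains, random per-run keys).
CHAIN = [
    ("remailer1@mix-a.example", secrets.token_bytes(32)),
    ("remailer2@mix-b.example", secrets.token_bytes(32)),
    ("send@nym.example", secrets.token_bytes(32)),
]
SENDER_HEADERS = {"From": "realname@isp.example", "X-Originating-IP": "203.0.113.7"}

if __name__ == "__main__":
    first, packet = wrap(b"see you at the meeting", "friend@mail.example", CHAIN)
    final, body, views = deliver(SENDER_HEADERS, first, packet, dict(CHAIN))
    for address, seen_from, next_hop in views:
        print(f"{address}: mail came from {seen_from}, forward to {next_hop}")
    print(final, body)
```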

Here is a chart showing how an email is sent from your nym account:
(Remember: all remailers remove headers before the mail reaches the recipient)

     You          Remailer #1       Remailer #2        Nym server
|-----------|     |-----------|     |-----------|     |-----------|
|Mail from  |     |Decrypts   |     |Decrypts   |     |Decrypts   |
|you (PGP   |     |mail which |     |mail which |     |mail which |
|encrypted) | --> |reveals    | --> |reveals    | --> |reveals    | --|
|           |     |encrypted  |     |encrypted  |     |original   |   |
|           |     |mail to    |     |mail to    |     |email to   |   |
|           |     |remailer #2|     |nym server |     |recipient  |   |
|-----------|     |-----------|     |-----------|     |-----------|   |
                                                                      |
  Recipient                                                           |
|-----------|                                                         |
|Your email |                                                         |
|from your  |                                                         |
|nym with   | <-------------------------------------------------------|
|nym headers|
|(anonymous)|
|           |
|-----------|

When you send a nym mail, it is encrypted with the PGP public key of each remailer in your chain as well as the nym server. You can use as many or as few remailers as you like; the more remailers you use the more anonymous you become but the less likely it is that your mail will be sent properly. The fewer remailers you use the more likely your mail is to be delivered properly, but the "easier" it becomes to compromise your anonymity. If you were to send the above email it would be packaged (encrypted) like this:

|-------------------------------------|
|             REMAILER 1              |
|  |------------------------------|   |
|  |          REMAILER 2          |   |
|  |  |------------------------|  |   |
|  |  |       NYM SERVER       |  |   |
|  |  |  |------------------|  |  |   |
|  |  |  |     MESSAGE      |  |  |   |
|  |  |  |------------------|  |  |   |
|  |  |       NYM SERVER       |  |   |
|  |  |------------------------|  |   |
|  |          REMAILER 2          |   |
|  |------------------------------|   |
|             REMAILER 1              |
|-------------------------------------|

Each layer in the above chart is a layer of encryption (except for the final message to be delivered).

As you can see from the above charts remailer #1 never knows where the email's final destination is (ie: who the final recipient is), nor the contents of the message being sent.
It only knows that it must forward the encrypted email to the next "hop". When remailer #2 receives the email it doesn't know where the email originated (ie: from you) as all original headers have been stripped from it by remailer #1. Furthermore, it doesn't know the contents of the message nor the final recipient; it only knows it must forward the encrypted email to the nym server.

Once the nym server receives the email it decrypts it and forwards it to the final recipient under your nym address's name (ie: you@nym.alias.net). However, the nym server doesn't know where the email originated or how many remailers it had gone through before being delivered to the nym server (as each remailer strips the headers from the previous one), making it virtually impossible to link the original sender with his or her nym account. The way the nym server knows to send under your nym address is by matching the signed message with your public key which is stored on the nym server.

Your tracks can be further obscured by using remailer options such as adding "junk" to each message so the email size cannot be monitored and compared to email sent by you, or latency could be added to each hop so your email is sent while you are offline.

As you can see, this is probably the most secure system available. To compromise a nym account user one would have to:

1) compromise the nym server (to obtain the nym's PGP private key and your reply-block),
2) decrypt your reply block to find the next remailer in your chain,
3) compromise each following remailer by obtaining its PGP secret key until the last one storing your real email address is found.

In other words each hop and nym server used would have to be compromised in order to reveal your true identity. Which, as long as you use good, trusted remailers in good chains, should never happen (ie: you are relying on the integrity of the remailers for your anonymity more than the nym server.
As long as the remailers don't compromise you, the nym server could offer up no information leading to you).

It is feasible to say that it would be unlikely that even people of great authority (ie: government agencies etc) could trace a nym account back to its originator/owner if properly used, and for the "common man" it is virtually impossible to trace. In short; no better system to ensure anonymity exists to date.

*However it is worth noting that there is much speculation as to the ability, or lack thereof, of organizations such as the NSA and other governments' cryptography agencies to crack PGP and/or other strong encryption algorithms. To date no public demonstration of this has been seen or heard of though. Also, there is speculation (some factual, most rumor) that governments often run remailers themselves to monitor remailer traffic. While they may not be able to read the encrypted data sent through the remailers it certainly helps analysis of certain people, events, etc. In other words: investigate and use trusted public remailers.*

In either case the most "likely" attack would be that of "mail traffic monitoring" on remailers and your ISP's connection. These are highly technical, and cost a great deal of money to conduct, so it is unlikely unless you are involved in some crazed international conspiracies or whatnot. Again, using remailers in several different countries is quite advisable, as it further complicates the process and in most cases halts any government's jurisdiction. To read more on mixmaster and remailer attacks check out:

http://www.obscura.com/~loki/remailer/remailer-essay.html

-Alright, now what about receiving email?-

Well, when you set up a nym account you send the nym server 3 things:

1) your PGP public key, which will be used to encrypt your mail.
2) the configurations which you wish your nym account to use.
3) a reply-block with which to deliver your mail.

Your PGP public key is used by the nym server in encrypting the mail sent to you. Your configurations are the options which you want the nym server to use. And your reply block is what is used by the nym server to forward your email to you (anonymously).

Here's a chart showing how an email sent to you works with a nym account:
(Numbers "[ ]" in each box coincide with numbers below)

|-----------|     |-----------|     |-----------|     |-----------|
|           |     |           |     |           |     |           |
|  Sender   | --> |Nym Server | --> |Remailer #1| --> |Remailer #2| --|
|    [1]    |     |    [2]    |     |    [3]    |     |    [4]    |   |
|           |     |           |     |           |     |           |   |
|-----------|     |-----------|     |-----------|     |-----------|   |
                                                                      |
|-----------|                                                         |
|           |                                                         |
|    You    | <-------------------------------------------------------|
|    [5]    |
|           |
|-----------|

1) A plain old email addressed to you @ your nym address.
2) The Nym server encrypts the email to your PGP key, and additionally conventionally encrypts it using a 128 bit IDEA encryption passphrase, decrypts the 1st layer of your reply block and sends it to the next remailer.
3) Remailer #1 encrypts the received email using another conventional encryption passphrase, and then decrypts the 2nd layer of the reply block and sends it on to the next remailer.
4) Remailer #2 adds another layer of conventional encryption (with yet another passphrase), decrypts the final layer of your reply block and sends it to your real email address.
5) When you receive the email it has 3 layers of conventional encryption plus one layer of PGP public key encryption.

*Note: You can receive your email without having each remailer conventionally encrypt it (ie: only encrypted by the nym server with your public key) but it is senseless to do so since you would be sacrificing a great deal of security for no particular reason.
It is much more secure to have each remailer use conventional encryption (ie: 128 bit IDEA encryption) and there are no drawbacks other than the time it takes to decrypt by hand (this is of no concern to us since we will be using client software which automates the entire process).*

Make sense? I hope so. The real strength in this system is, again, in the chain of remailers. The nym server never knows your final delivery address; it can only see the next hop in the chain, and the remailers can only see the previous hop. This is accomplished by the fact that each hop in your reply block can only read ITS portion of your reply block, and therefore never is allowed access to the entire chain. This makes NYM accounts a VERY secure system which would take a lot more money, energy, and luck to compromise than most gov't agencies have available to them or are willing to spend on you (ie: mission accomplished!).

-What you will need-

Now, as you can see from my above charts and explanation, sending and receiving email via a nym account is quite complicated and would be very time consuming to do entirely by hand (though it IS possible to do so). But why break your back on your nym account when there is client software available to make using a nym address almost as easy as using eudora and a regular pop3? Exactly! So here's what you will need to use and manage a nym account on a win3.x, win9.x, or win.NT box (there is client software for managing nym accounts available for *nix boxes as well, but that is beyond the scope of this article: "premail" is one however):

1) PGP 2.6.2 (for DOS), also 2.6.2i, or 2.6.3 will work. Pretty much any DOS version of PGP will do, but I would not use anything earlier than 2.6.2. Also, please check the export/import laws of your country regarding cryptography before downloading PGP (there are also international versions for those outside of the USA).
Here is one reliable location you can download PGP 2.6.2 from:

ftp://ftp.replay.com/pub/crypto/pgp/OLD/pc/dos/pgp262.zip

2) Jack B Nymble 1.3.6 (aka JBN). This is your nym client software. It is an AMAZING program, and is, of course, freeware. You can download it from:

ftp://ftp.efga.org/privacy/potato/jbn136.zip
or
ftp://ftp.skuz.net/pub/potato/jbn136.zip

There is, at this time, a JBN v2.0 beta which is compatible with versions of PGP for Windows. HOWEVER; I do not recommend using it as it has limited capabilities and has not been as thoroughly tested as JBN 1.3.6. More info about JBN and other help on setting up a nym account with it can be found at: http://www.skuz.net/potatoware/jbn/index.html.

That's all you'll need! Now it's worth mentioning that you'll be using an RSA key with PGP 2.6.2 and your nym account rather than a Diffie-Hellman/DSS key, so it's really worth getting a windows version of PGP that supports RSA (ie: PGP for personal privacy RSA 6.0.2, also available at ftp.replay.com) if you wish to have a windows version of PGP on your system as well.

3) A pop3 email account. This is not entirely necessary, as you can get your mail forwarded to a usenet newsgroup, such as alt.anonymous.messages, so even if each remailer and your nym server were to be compromised, your mail would only lead to a usenet newsgroup. This is a bit more inconvenient though, and I recommend you get a pop3 email account used ONLY for sending and receiving your nym email (keep a separate one for other purposes if you like). Many free pop3 email accounts are available on the net. Just do a search for "free pop3 email" and you should find a variety of choices.

-Installing the software-

OK, now I'm gunna quickly walk you through the installation of your PGP and JBN just to make sure we are on the same page. First, unzip PGP26.zip.
If you are using my PGP26.zip there will be a setup.txt file, a pgp262i.asc (for verifying that pgp has not been tampered with) as well as another zip file named PGP262i.zip. Unzip the contents of this file and place them in a dir named: C:\pgp262i. Next you will need to add a few lines to your autoexec.bat. These are the lines you wish to add:

SET PGPPATH=C:\PGP262i
SET PATH=C:\PGP262i;%PATH%

You will also want to set your timezone in autoexec.bat; pick the line whose location is closest to you and add that line to your autoexec.bat:

For Los Angeles:  SET TZ=PST8PDT
For Denver:       SET TZ=MST7MDT
For Arizona:      SET TZ=MST7       (Arizona never uses daylight savings time)
For Chicago:      SET TZ=CST6CDT
For New York:     SET TZ=EST5EDT
For London:       SET TZ=GMT0BST
For Amsterdam:    SET TZ=MET-1DST
For Moscow:       SET TZ=MSK-3MSD
For Auckland:     SET TZ=NZT-13

*Don't forget to save your changes to autoexec.bat once you are through*

Now PGP is installed. Next you can unzip JBN136.zip and install it. JBN has a nice little automated setup as do most windows programs. Just sit back and let it install itself. I would recommend that you install JBN into its default path C:\JBN (to avoid confusion). Now go ahead and reboot your system to let the changes to autoexec.bat kick in.

-Setting up JBN and your Nym-

Ok, there are a number of preparatory steps we must make before the actual setting up and use of your nym account.

-Choosing Your Nym Server and Email Address-

The first thing you'll need to do is decide which nym server you want to use and what you want your email account to be named. There are only 3 nym servers that are available to the public at this time. The following is vital info about each nym server:

------------
NYM.ALIAS.NET
-Located at MIT university in Massachusetts, USA.
URL: http://www.publius.net
Helpfile: help@nym.alias.net
List of used nyms: list@nym.alias.net
Send config file to: config@nym.alias.net or: send@nym.alias.net
------------
REDNECK.EFGA.ORG -Located at Electronic Frontiers Georgia in Georgia, USA.
URL: http://anon.efga.org/ or www.efga.org
Helpfile: help@redneck.efga.org
List of used nyms: list@redneck.efga.org
Send config file to: config@redneck.efga.org
------------
DONGCO.HYPERREAL.ART.PL -Located in Poland.
URL: http://www.hyperreal.art.pl/cypher/remailer/nym.html
Helpfile: help@dongco.hyperreal.art.pl
List of used nyms: list@dongco.hyperreal.art.pl
Send config file to: config@dongco.hyperreal.art.pl or: send@dongco.hyperreal.art.pl
------------

Of these 3 nym servers I have used both nym.alias.net and redneck.efga.org. Both of these nym servers are quite reputable within the crypto/anon community. I have never used dongco.hyperreal.art.pl as it seems to go down quite often. Either one: nym.alias.net or redneck.efga.org seems to be a good choice. Pick the nym server you want to use and then the full name of your email address (example: YourName@nym.alias.net). Next send a blank email to list@nym.alias.net (or whichever nym server you choose), and check the list of used nym names sent back by the nym server to make sure your nym name isn't already used.

-Making Your PGP Key-

The second thing we will do is make a PGP key to be used with your nym account using JBN. Go ahead and open up JBN and go to: Window | Nym Accounts and click on the button on the right side of the box which says "Create Key" (duh). This will open up a PGP DOS box to create your key. You probably want to make the strongest key possible, so at the prompt type: "2048" and press enter.
*Note: on international versions of PGP (PGP 262i) you will actually end up with a 2047-bit key; don't ask me why (it is rumored to be a "bug"), but it's really of little consequence, as it would take an enormous amount of time/money/energy for even a government facility to crack 2047-bit key encryption (ie: you shouldn't sweat it too much).

Next PGP will ask you for an ID for your public key. This should be your name and your intended nym account address in brackets. Example: Joe Blow

Next PGP will prompt you for a passphrase. I will only say this once: MAKE YOUR PASSPHRASE AS STRONG, LONG, AND VARIABLE AS POSSIBLE! This means combinations of numbers, letters, words, special characters etc. etc. If your passphrase is strong enough, even if every remailer, nym server, and your computer itself were to be compromised, your email would remain uncrackable. But I'm not your mother, so that's the last I'll say about it. After entering your passphrase PGP will prompt you for a large number of random bytes, which you supply by typing random text on your keyboard. Do so (duh). After you finish, PGP will generate your key.

-Getting Remailer public keys-

The third thing we need to do is to get all the remailers' PGP public keys using JBN. Now go to: Options | Global Settings | Remailers Tab. For the space that has "Cypherpunk Keys URL" enter:

    http://anon.efga.org/~rlist/pubring.asc

For "Cypherpunk Statistics URLs" enter these three:

    Finger: rlist@anon.efga.org
    Finger: rlist@publius.net
    Finger: rlist@anon.lcs.mit.edu

Then hit the "update" button. The "Cypherpunk Keys URL" is the address from which we will be collecting all the current remailer public keys. The "Cypherpunk Statistics URLs" are the addresses where we will collect statistics on remailer reliability, options, lag-time, etc. on a regular basis when using our nym account (keeping updated stats helps to insure us against losing mail to troubled remailers).
The addresses listed above have been the most reliable in my experience, but in case one or more of them fail you in the future, JBN has a list of alternatives which you can choose from on the scroll-down menu.

Next go to: Window | Stat Book | Tools | Update Cpunk Keys. This will bring up a PGP DOS session which will ask you: "Do you want to add this keyfile to your keyring 'C:\PGP262i\pubring.pgp' ?" Say Yes. Next PGP will come up with a user ID for a remailer and ask you if you want to: "Add this user ID ?" Again say yes. Then PGP will ask you how much you trust this key's authenticity. You can choose whichever answer you want, but I would suggest you choose "1= I dont know" since you don't. After this PGP will ask you if you want to sign each key with your key. Each time you will want to say "yes" and sign each individual key (this is important to do now). It will take a bit of time, but is necessary, and you will only have to go through the process once. Each time a new key is brought up it will ask you your trust level, whether you want to sign the key, and then for your passphrase so you may sign the key.

Once this process is done you can update your remailer stats by going to: Window | Stat Book | Update, just so we have everything in JBN updated and ready to go.

-Giving JBN your Info-

Next we need to tell JBN how we want to send/receive email. Go to: Options | User Profile. In the "SMTP-1" tab enter your real email address and SMTP server, just as you would in any other mail client. The rest of the fields on this tab are optional and can be left blank. Next go to the "POP3-1" tab. Enter your POP3 server, username, and password. There is also the option of deleting mail from the server on retrieval and checking email every X minutes. Now press the "Active" button in, and press the "Update" button.

-Making your nym configuration file-

OK, now we have everything we need in place to make your nym configuration file (your actual nym request to the nym server).
Go to the main window in JBN, click the "Nym Folder" tab, then in the "Nym Books" double-click "Default.nbk". This will open up the default notebook in another window, which we will be making our nym account with. In the "Default -Nym Book" window go to Edit | Clear Book | OK, which clears the book so we can make our new nym account configurations.

-In the "From:" field type your nym address (example: JoeBlow@nym.alias.net).

-Click the "*" button next to the "UserID" field and choose your PGP key from the list. Then make sure that the "send key" box is checked (this is very important).

-Make sure the "Nym-Commands" box is checked as well as the boxes: "Create?", "Acksend", and "Cryptrecv".

-Now fill in the "Name:" field with your nym address name (example: joeblow), NOT your full address, only your nym name (ie: everything before the "@").

-Making your reply block-

The next thing to do is make your reply block/blocks, which the nym server will use to send mail to you. For this we will have to choose certain remailers to use and give the conventional encryption keys we want them to use as well. You can have more than 1 reply block, which ensures that if one of the remailers in your reply block goes down you will still receive your email from the other reply block (unless a remailer in each reply block goes down). However, you will receive 2 copies of each email (if you use 2 reply blocks). I'd suggest using 2 reply blocks in order to prevent loss of mail.

-Make sure the "Reply-Block" box is checked, make certain the "block" field is "1*", and check that the "Active" button is pushed in and highlighted in red.

-In the green box "nym server" should be listed. We want to create a random conventional encryption key for the nym server to use. So first click on "Nym-Server" so it is highlighted blue.

-Now click the "R" button to the right of the "Encrypt-Key" field to generate a random 128 bit key. You may be prompted for some random keystrokes. If you are, enter some.
Once some text enters into the "Encrypt-Key" field (such as: "IlO0+8FYcvLpNqBT6Mzv6G") press the "Add" button, which adds the key to the nym server portion of the reply block.

-Now we will add a remailer to our reply block (I will only show you how to add one, but you may choose however many you like, repeating this exact step for each remailer). In the "Remailers" field press the down arrow, which will give you a list of current remailers and their stats. The more reliable will be listed at the top, with the least reliable at the bottom. Select the most reliable one from the list and then press "Add". Now press the "R" button again to generate another random key. Then press "Set" to add the key to that remailer. Repeat this process for each remailer you want to add to your chain.

-Making Additional Reply Blocks-

To add another reply block simply go to the "Block" field in the "Reply-Block" section and choose "2" (or the appropriate number), press the "activate" button in, and repeat the above process of adding remailers.

-Final Headers-

Once you're completely done adding remailers to your reply block(s) you need to add the final address which you want your mail delivered to (ie: your real email address). You can do this by making sure the line in the "Final Headers" section says "Request-Remailing-To:" and entering your real email address (ie: joeblow@MyRealEmail.com). You also have the option of getting your email delivered to a newsgroup (such as alt.anonymous.messages) with a certain subject line of your choosing (subject: My Secret Mail). This can be done with "Anon-Post-To" and "Post-To:" in the "Final Headers" section and entering the needed information (more info on this in the JBN help file and knowledge base).

*Note: Be sure you fill out the "Final Headers" section for EACH reply block you make.*

-Saving Your Nym Book-

Now that all the information you need has been entered in, it is time to save your nym book.
Simply go to: File | Save Book As | and enter: MyNym.NBK

-Running Your Nym Book-

Running your nym book will open up the actual email which you will send to the nym server to request your nym address (ie: your config request). To run your nym book press the "& Open" button. This will open a DOS box for a moment and then open another JBN window. It will be addressed to config@nym.alias.net (or whichever nym server you chose), and it will contain your nym request, including your PGP public key, your configurations, and your encrypted reply block. The message looks something like this:

--------------------------------------------------------------------------
Config:
From: JoeBlow
Nym-Commands: create? +acksend -signsend +cryptrecv -fixedsize -fingerkey -nobcc -disable name="JoeBlow"
Public-Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

GYUNYTBu5688y9hi88798GN567rt87Og65N4746RFGTYIUN455Wuytnrttftfyuykhi
JKHNtyfy6tg78NOUPpm8Mgi65ir8768yu9=MuNUBD4t4VY56tfybjuihnUryh5r56B67
HIUyug65G85tg989PU87n5r6G4r58T678Y887j867j88JMyT7UliJIMUJ UHGby545
-----END PGP PUBLIC KEY BLOCK-----
Reply-Block:
::
Request-Remailing-To: remailer@someplace.net
Encrypt-Key: hiuLhhu656jjhN67ljm;Klg7jy

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

TGhvInjlM;K0[m89Y678fBJYJhp880-o],[PMUIMNtygyuBUinbUN7b89UnMTFvgbiIJN9I
UJYGbyjHKjjiollmyiuftgyh7809TN56gbih87UINJPM89MO;JHNYBERtrfG67BIUBNH7
jhnuJNGHtytuGU8NH88o546teD5TrvGHYHKjm;p'""?.PPLo9k8jUHYuggT677yh78HU
nbyue45gf4685GT8I6GYUKBfg567tYBG UF6VYTgbbnhbYg8bv463s5YTFg87h7nN9
gvbhvTYBTGbkuHNuniNHBg7T68e645YUhtgyn =yu8i67INhni
-----END PGP MESSAGE-----
**
Reply-Block:
::
Request-Remailing-To: remailer@somewhere.org
Encrypt-Key: NKJ87y5r6dtyrgh89p78Om

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

KHJNGyjuhbjtYN9ny6789Tgf8n7NUIJu97uj98Y8h97ti6GVYhbwgzyw4f35G6T6yhnih
UHNynNJIULynomPU98n86548G657yhN67T6Hg7458G67Y87hngh568797n8n96YU
munhyITIG87iybB88g768ybG56845R8i867btFGB645g7v685rt7iGUYNHb6gV54E76R
hknbgTYVDT45754465Itv6yF787b968UHNIgbygvtfcQA3WC4ERtgyjykuhJMU8hm6n9
JGT5BIG56FVtc345F6YTGB67G685T7IYbftvyFEU5ut6f6G756t7uuyGHiy8NHIYH8hgj
BGvb5uyYTUBYIn89mMN8u8j9NHYTHgi7RF5ED6f75G8tiur8GIt87yBGF45FGR5
,jhkuimNYJUGYBH9 =NLKt6yj
-----END PGP MESSAGE-----
**
--------------------------------------------------------------------------

This is the critical point at which we will be sending our request. So DON'T change anything in the opened book. Simply pick 2 (minimum) remailers from the "remailer" pull-down menu and press the "add" button to add them (there is no need to add crypt keys as you did with your reply block; JBN will automatically encrypt your message to each remailer you choose). After you have added a few remailers to send your configuration request through (so the nym server won't know where the request really came from) press the "& Send" button. This will open up a DOS session and you will be prompted for your PGP secret passphrase. After entering it the message will be completed, and you can watch the progress of JBN connecting to your SMTP server and sending your message at the bottom of the nym book window.

Now the hardest part is over. You can now sit back and wait for a reply from the nym server. Once the nym server receives your configuration request you will receive an email which looks something like this:

--------------------------------------------------------------------------
To: joeblow@nym.alias.net
Date: Sun Apr 13 13:13:13 1999 EST
From: config@nym.alias.net

Your configuration request completed successfully.

A new reply block has been received for your mail alias, but has not yet been activated. In order to start receiving mail with your new reply block, you must confirm it by sending an (anonymous) E-mail message to the following address:

confirm+a4ba2b13bc8934ab@nym.alias.net

The contents of the message can be anything. Any message delivered to this address will activate your reply block.
=====END PGP MESSAGE=====
--------------------------------------------------------------------------

Next you will send an email to the address given (in this case: confirm+a4ba2b13bc8934ab@nym.alias.net), which will activate your nym account. You can send an anonymous email from JBN by opening the default.bk message book, filling in the recipient headers, adding your remailers and pressing "& Send". Once the nym server receives your confirmation email you will be sent a message which looks similar to this:

--------------------------------------------------------------------------
To: joeblow@nym.alias.net
Date: Mon Apr 13 13:13:13 1999 EST
From: confirm@nym.alias.net

Your new reply block has been confirmed and installed. Your mail alias is currently active.

=====END PGP MESSAGE=====
--------------------------------------------------------------------------

This indicates that your nym address is active and functional. You now have a new email address (and the most secure type in the world no less).

-Receiving, Decrypting, and Viewing Email with JBN-

I highly recommend that you use JBN for all sending and receiving of your nym mail, as it will make your life much easier. To check your mail with JBN simply go to: Tools | Check Email (or Ctrl+E). To view your mail go to: Window | View Mail (or Ctrl+M). When you receive mail it will be encrypted (not only to your PGP key but also with several layers of conventional encryption). To decrypt your mail, highlight the message in the "inbox", right-click with the mouse and choose "decrypt" from the menu that appears. The layers of conventional encryption will be decrypted and you will be prompted for your PGP secret passphrase (unless you have saved it in the registry, which I DON'T recommend). You have a lot of options on how to store your mail, such as wiping the decrypt (so you only store encrypted emails), and the nice option of secure wiping entire messages.
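
The layering described under "Making your reply block" and in the decryption step above, as an added example (not JBN's or the nym server's code): each hop in the reply block encrypts whatever it is handed with its own Encrypt-Key, so the recipient has to peel the layers in reverse path order and must keep every key. The cipher here is a stand-in built from Python's standard library, not PGP's conventional encryption, and the hop names, keys and message body are constructed.

```python
import hashlib
import hmac
import os

def _derive(passphrase, salt):
    # Derive separate cipher and MAC keys from one Encrypt-Key passphrase.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, dklen=64)
    return km[:32], km[32:]

def _xor_stream(key, data):
    # SHA-256 in counter mode as a keystream (stand-in for PGP's cipher).
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def add_layer(passphrase, data):
    """What one hop does: conventionally encrypt everything it was handed."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    body = _xor_stream(enc_key, data)
    tag = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    return salt + tag + body

def peel_layer(passphrase, blob):
    """Remove one layer; fails loudly if the key does not match the outer layer."""
    salt, tag, body = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("Encrypt-Key does not match the outermost layer")
    return _xor_stream(enc_key, body)

def deliver(reply_block, pgp_message):
    """Apply each hop's Encrypt-Key in path order, nym server first."""
    data = pgp_message
    for _hop, key in reply_block:
        data = add_layer(key, data)
    return data

def recover(reply_block, received):
    """Recipient side: peel in reverse path order (last remailer's layer first)."""
    data = received
    for _hop, key in reversed(reply_block):
        data = peel_layer(key, data)
    return data

# Constructed sample data: hop names and keys are hypothetical.
REPLY_BLOCK = [
    ("nym server", "constructed-key-0"),
    ("remailer-a.example", "constructed-key-1"),
    ("remailer-b.example", "constructed-key-2"),
]
PGP_MESSAGE = b"(constructed stand-in for the PGP-encrypted mail body)"

if __name__ == "__main__":
    received = deliver(REPLY_BLOCK, PGP_MESSAGE)
    assert recover(REPLY_BLOCK, received) == PGP_MESSAGE
    try:
        peel_layer(REPLY_BLOCK[0][1], received)  # wrong order: inner key first
    except ValueError as err:
        print("out-of-order peel rejected:", err)
```

Losing any one Encrypt-Key from a reply block makes every message sent through that block unrecoverable, which is one more reason to keep the saved nym book backed up somewhere safe.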
-Sending Email From Your Nym Account-

To send mail from your nym account open your "MyNym.NBK" and press the "& Open" button. Next go to: Edit | Clear All Text. Now in the "From:" field enter your nym address or choose it from the pull-down menu. Now clear the "To:" field. Then go to: File | Save As | and enter: "MyNym.BK". Now whenever you want to send mail you can simply open MyNym.BK, enter the recipient in the "To:" field and send mail as you would with any other email client. However, each time you send mail you want to update your stats (Window | Stats Book | Update) and choose a few reliable remailers and add them to your chain (as you did when you sent your configuration request). When you finish adding remailers and your message just press the "& send" button and your message is sent. Simple!

*Note: It is also quite simple to post to usenet with JBN by choosing a "mail2news" remailer in the "To:" field and entering the subject and newsgroup in the fields below it.*

-Nym Conclusions-

At first using a nym account can be confusing. There are many options you have and it can get overwhelming. But just play around with a practice nym or two and you will soon get the hang of it. There are some great options like -acksend and other functions which you can learn about by referring to the JBN help file. Also, it is quite easy to change your reply blocks (which you will probably need to do on a semi-regular basis due to the inconsistency of most remailers); you can do this in the same manner you made and sent your first nym request (again, refer to the JBN help file and knowledge base). Once you have mastered the use of remailers and nym accounts I highly recommend investigating, installing, and using Mixmaster, which will heighten the security of your email transactions even further (as it is even more secure than the cypherpunk type remailers we have been using/discussing in this paper).
-Important Footnotes On Concealing Your Identity-

Aside from nym accounts and proxy servers, the thing that most often leaves "tracks" to be followed is human error. If you are shooting to be a truly anonymous figure you must give as little information about yourself as possible. The more you say, the more they know. Also, you want to disassociate yourself from the ISP/ISPs which you choose to use. Never let your nick be connected to any specific ISP (and if it is necessary, then never allow it to be more than a generic service for a short period of time). Guest accounts are your friend. Large commercial ISPs can be used to your advantage, but you should *never* trust any one person with your privacy and/or your identity; this is the core theory which allows nym servers to be so secure.

-Final Thoughts-

It is a somewhat mixed blessing that using and managing proxies and nym accounts and hiding your identity is as complicated as it is, because it hinders immature individuals from abusing these wonderful public services, which are some of the most secure and anonymous types of mass communication available ever in history; so learn them well. They will allow you to speak and act as only a person with true freedom can. Also be responsible with this freedom and what you choose to do with it. The best way to enslave yourself (and others) is by abusing your freedoms rather than using them to speak your mind.

Opic [CodeBreakers 1999]
opic@redneck.efga.org