Anonymous Surfing?

Just Alex asks: "I just got Comcast High-Speed Internet service, and found out that just up to a few months ago they were recording the actions of all of their users and saving it for who knows what. Now I'm thinking about getting an 'anonymous' service like anonymizer.com, but I wonder what other folks are using. Are all of these services the same? What should I be looking for? And what people recommend given their experience with them? Also, which ones play better with Linux?"

Remembering anon.penet.fi...

[prisonernumber7]

Remembering anon.penet.fi, the world famous anonymous remailer and news posting service, I can only *stress* that your anonymity will be guaranteed only as long as nobody sues to resolve it.

Re:Remembering anon.penet.fi...

[AtariDatacenter]

Assuming that the 'anonymous site' keeps logs or otherwise tracks userids and relates them to an identity somewhere else. In the case of anon.penet.fi, they had to store which anonymous ID remails to which email address.

However, something like FuckedCompany is completely different. If you post anonymously there, they don't keep server logs, and as Pud would tell you, "Sue me all you want. There aren't any logs to get your hands on."

Re:Remembering anon.penet.fi...

[prisonernumber7]

However, something like FuckedCompany is completely different. If you post anonymously there, they don't keep server logs, and as Pud would tell you, "Sue me all you want. There aren't any logs to get your hands on."

If I may, there is a strong concern rising inside me in regards to this method aswell. Once the entity that offers such a valuable and privacy protecting service has their pants down, your privacy is in jeopardy again.

Logs are something that can be generated at a future point - if the user in question would be gone after due to repetitive action of his side then logs could be installed at any point of time and have merit for the suing party.

Not expecting that he would be monitored and certainly not informed about it, the user's anonymity would be broken. And as pitiful as it sounds, history has proven that exactly these things happen.

As much as I respect people who grow services like these to protect the innocent (for god's sake, there are countries in this world where free speech is a crime!), my trust in them would be very limited. You simply cannot expect anybody to suffer all his life due to a frivolous lawsuit simply to protect *you*.

Re:Remembering anon.penet.fi...

[AtariDatacenter]

Point taken.

As much as I respect people who grow services like these to protect the innocent (for god's sake, there are countries in this world where free speech is a crime!), my trust in them would be very limited. You simply cannot expect anybody to suffer all his life due to a frivolous lawsuit simply to protect *you*.

There are cases in THIS COUNTRY where free speech is a crime! (Don't worry. They've redefined "free speech" to only include legal things, thus decriminalizing free speech.) ;)

uh

[tps12]

If your ISP is monitoring you, you're out of luck. All your packets are going down a wire to Comcast before they go to whatever "anonymizer" you use. Encryption would help, but if you're doing anything in plaintext then there's not much you can do to prevent them from looking in on it.

(Note to the good folks at Verizon: I'll get my bill in the mail today, I promise.)

Re:uh

[roachmotel3]

Did you read the article that was cross referenced in this original article? Comcast was watching people's browsing habits through an anonymous proxy. If you configure your browser to not go through the proxy, they will no longer be monitoring you. Now, if they said that they were using distributed IDS's to monitor the packet flow, that would be a different story.

Re:uh

[kableh]

And if they are doing that, they are most likely redirecting requests to port 80 through their proxy, thus negating any settings your browser is using. This is trvially simple to do in any ipfw/chains/tables firewall, as well as a commercial unit like a PIX.

Though I'm impressed you managed to get the word "distributed IDS" in your post. 100% buzzword compliant! =)

Re:uh

[roachmotel3]

Actually, I'm a comcast user. They do proxy by configuring your browser to send all requests through their proxy. Once you install their software, that is. Oh, and the software also makes it such that the entry for their proxy is stored in a windows registry entry, so even if you remove it from IE, next time you reboot it's back. I know they use Cisco gear, but I'm not sure about PIX'es. I know that the modem itself is in 10 space on the WAN end and on the LAN end it's 192.168 space, but it's doing some kind of NATing. And, the 10 space WAN address is routed within their network, so if you're really bored you can do SNMP gets on the modems other folks use (assuming you know their address). Lots of fun. Back before comcast was running their own ISP and it was still @home, I had a bunch of tech calls, and I ended up getting logins to their NMS. For some reason, you could hit it anywhere too. It would tell you if your modem was capped, how many bits you were pushing per day, etc. Read only, unfortunately, as otherwise I wouldn't have been capped!

Re:uh

[Anonymous Coward]

What are you talking about? If you are going through an anonymizer, EVERY PACKET you send should go there. Comcast won't have a clue unless they analyze the contents of the packet. Comcast would only see your packets going to the anonymizer.

And the rest is easy to take care of. If you have a decent proxy service, they should use crypto, otherwise Comcast could identify the contents of the packets you send and construct where you were going anyways. With adequate crypto, Comcast would only know that you use some anonymizer, but won't know where the packets thereafter were being directed to. They can't decrypt your packets, and your anonymizer should be off their network anyways and shaping their traffic intelligently (otherwise, if they download a 2 meg file, and send you a 2 meg file, folks sniffing will know who downloaded what).

Multiproxy

[Truckle]

Multiproxy [multiproxy.org] is good for windows. It changes annonymous proxie every 20 seconds or so...

Why not drop the service?

[dasunt]

Sure this will be the more expensive route, but drop cable (and explain that the reason you are dropping them is that they are monitoring your surfing habits), and get DSL.

If enough people did this, the company will what they are doing or go out of business.

After all, why pay for an inferior service?

Re:Why not drop the service?

[m_evanchik]

Can't a DSL provider monitor your traffic just as easily as a cable-based provider?

Re:Why not drop the service?

[zsmooth]

Sure, but generally they don't. And that's the point. Any ISP can monitor your traffic but so far cable providers are the only ones that do.

Re:Why not drop the service?

[stefanlasiewski]

Why do cable providers monitor your traffic, but not DSL providers?

Re:Why not drop the service?

[Anonymous Coward]

Because telephone wire laws are much much much stricter (and older) than cable wire laws. There is some protection in DSL not offered in cable.

Re:Why not drop the service?

[Rick the Red]

Some of us have no real option. In my case, the local phone monopoly provides such a crappy circuit that we can only get 24,000 bps on a dialup, and NOBODY offers DSL here -- too far from the switch. We're damn lucky AT&T Broadband offers internet service (although if they raise our rates again we're gonna seriously consider going back to dialup) -- friends of ours further down the road can't even get cable TV (they're closer to TPC's switch, but still no DSL).

who am us anyway?

[boowax]

Well despite what someone else said, though comcast is looking at your traffic, it will simply show up as you repeatedly going to whatever site (probably anonymizer.com) that the software sends to before it redirects the traffic. The web-based ones like the late, great safeweb.com seem to be gone now, so you may end up having to pay for this service :(

Re:who am us anyway?

[Yottabyte84]

Is it able to keep up with your line? how fast is your line?

Which anon sites are honeypots?

[Anonymous Coward]

How does one know that the anonymizer and or
proxy sites are not honeypots run whatever
corps or agencies that are especially
interested in tracking users who *want* to
be anonymous?

Re:Which anon sites are honeypots?

[DNAGuy]

Whoever modded parent down is nuts. This is an excellent point. When everyone uses postcards, only criminals will have envelopes.

Anonymous proxies

[ralphus]

Anonymizer [anonymizer.com] works ok as long as you are not trying to hide from the government. Use SSH to tunnel your traffic to anonymizer proxy and you are safe from your ISP monitoring and the site you are going to knowing where you are coming from. Go get a bunch of kiddie porn or terrorist stuff and Anonymizer will have to give you up when the FBI comes knocking on their door.

Someone already mentioned multiproxy [multiproxy.org]. Also check out Java Anonymous Proxy [tu-dresden.de] and Peekabooty [peek-a-booty.org]. You seem kind of new to the game of paranoia. Why not just start here [dmoz.org] and do some reading.

It's important to understand exactly what these anonymous services get you and who and what they are protecting against so take some time and realistically educate yourself to the risks and threats.

Oh, and don't forget to check out Freenet [freenetproject.org]

One more data point and question

[vegetablespork]

It truly pales in comparison to the old freedom.net, which securely tunneled http, telnet, and IRC (but died in the post-9/11 hysteria for "lack of market"), but ZKS also sells an (IE only) anonymizing proxy, WebSecure [freedom.net]. Note well, though, that ZKS are not who they once were: with the old freedom.net, they couldn't give you up if they wanted to, provided you chose a route with servers not under their control. Now, their privacy policy [freedom.net] says (in usual flowery legalese) that they pretty much give themselves carte blanche to log, monitor, and report:

To securely browse the Internet, Freedom WebSecure customers must login with their usernames and passwords. This is always done in a secure manner, e.g. using encrypted SSL connections, to prevent unauthorized interception.

nice

To ensure the fastest service and minimal performance degradation, Zero-Knowledge does not collect or store any information about WebSecure customers' online browsing activities.

the above paragraph giveth

Please note that, in some exceptional instances, we may need to log certain traffic data, for example, in order to detect and diagnose technical problems, prevent network abuse, or if compelled to do so by law

while that one taketh away--emphasis mine

"Compelled to do so by law" could mean anything from an airtight subpoena to some random LEO flashing a badge and asking nicely. Thus, this service is only useful for protecting against casual snooping. It's strong point is that it uses an ActiveX control and can easily be used on (non-locked down) public machines.

The-cloak

[doofsmack]

I rarely have to, but when I need to surf anonymously, I use The-Cloak [the-cloak.com].

Also forgetting the little guy

[portwojc]

Look in the phone book and find the local "been there since the dawn of time" ISP and call them up. See what they can offer you for DSL access.

Everyone has forgotten the small ISPs that cleared the trail for the big companies. Those usually take the "common carrier" stance and don't go all big brother.

Of course if you need an anonomizer then you have troubles on your own. Take a page from Chris Tresco's interview as seen here on slashdot.
"My advice: get out of the scene"

Unless your just paranoid.

DSL providers usually don't offer their own servic

[pardasaniman]

You see, it does not matter whether DSL providers are small or big, they usually buy DSL equipment and rent infrastructure from a larger company. If that large company wants to monitor you, it does not matter if the puny DSL company monitors you or not.

the-cloak.com

[first axiom]

The-Cloak is by far the best service out there. It is not a proxy, but rather an SSL connection. This means your ISP can't see the URL of webpage nor it's content: only that you're surfing through the-cloak. They have a free trial service with every feature the real service has, and they're pretty cheap. They also have special rates for people on broadband (they charge per MB).

Check them out: the-cloak [the-cloak.com].

Re: anonymisers?

[blibbleblobble]

/Links/Dir/Privacy/Anonymisers/ [blibbleblobble.co.uk]

Just a list from my site.

There is no such thing as anonymous surfing...

[Hyped01]

Everyone considering "anonymous" surfing should first consider their reasons for doing so or more appropriately what their fears are of being monitored.

We run a web based newsgroup service called BinFeeds [binfeeds.com] and sometimes have users who are concerned about anonymous surfing.

First point we often tell them is this. We dont care what service you use, we know who you are. Like any subscription service... you have to log in, and thus we know who we are sending the data to - unless someone stole your account. Many of our customers think that services like the anonymizer will protect them from that. In our experience, webmasters running protected sites more often run into "anonymizer-like" users actually being people with stolen accounts or who are using it for other purposes (site mirroring, etc). 75% of Anonymizer users on our service have been of that type and they (The Anonymizer owners) refuse to act (disable the account, block the user, assist in the credit fraud investifation, etc) or take months (thus we currently block all Anonymizer users). On signups, 95% of Anonymizer users are those trying to fraudulently use a credit card. We expect both from noting the increase of such errors on Anonymizer and from our own decisions, that many webmasters will be blocking such services on an increasing basis, because for us to track anonymous users is very difficult (even though I learned it is trivial from my time at a very very large ISP/Telco).

Basically, if you just dont want your ISP to have a log of where you are surfing and what you are doing, then great! Look into one and sign up for whichever service best meets those needs.

If you are worrying about law enforcement officials or a big ISP tracking usage then just surf normally.

Though they will never admit it the telcos (or fiber providers of similar technology) know exactly what you are looking at and more importantly, where you are. By "where you are" I mean that literally. Your physical address.

On CableModems as in the initial post, it may be more difficult, but under DSL, T3, T1 (DS1, which is often dual sDSL circuits nowadays) and dialup, etc, there are multiple networking protocols and layers not ever discussed. The telcos run their own network protocols and layers on their hardware that route the data for the ISP's data layer over the telco equipment.

In the past, while working for a major ISP (who owns a very large chunk of the Internet backbone and their own fiber network and telco), a person was seriously breaching our AUP terms and the law for actions he was doing using one of our customer's accounts. He THOUGHT he was anonymous, but since we owned our telco arm (and since they are all interconnected) we did a network (circuit) trace on the connection and viola! Through that we end up with the physical address (street address and number) of the loser.

Most people forget or dont realize that in order for your local telco to be able to route internet data to you, they needed your physical address to bring the wires to your house. The network hardware isnt computer based in the sense we all think and runs different protocols in a transparent fashion that doesnt make the end user think of it as anything more than a wire going to a router someplace else (like on an internal ethernet/TCPIP network), but it is not. It is it's own network on different hardware that transports the signals to "standard" network routers (Cisco, Ascend, etc). Much like NetBIOS over TCP/IP. To the user once configured, it's "Windows file sharing" and that's it, but the reality is it is running through TCPIP.

Since "we" (my former employer) ran such a large telco, a simple call to the NOC (telco) got us the info in under 5 minutes. This can be done to an active connection or to a past connection via the activity logs. Also easy to coordinate with the other telcos for cooperation since they needed us/we needed them for the telco services to work.

If you as a user or owner of a small ISP try to get that info you will get a dozen different "I dont think that's possible" or "There is no way of doing that" or "I dont know what you are talking about" answers. Just the way it works. No one is supposed to know it works that way, and few people actually seem to think nowadays - even the technical ones - about how such a system would work - or half the world would realize that any entity with enough "power" or authority can determine exactly where you are at what you are connected to, anonymous surfing, encryption and proxying aside.

Just the sad truth... even if you are on a cell phone (btw, the logs for your location when your cell phone is ON (and in some phone's cases, off as well as long as it has power) are kept for decades and have been since the late 80's at least... right down to a few hundred foot circle.

- Rob

Local Library

[jhunsake]

Wander down to the local library (that doesn't have surveillance cameras) and wear gloves. Of course this only works for those rare, absolute-privacy-needed situations.

Re:Local Library

[vegetablespork]

And only for those libraries that don't require a library card and a written log for use of the machines, as is done in my locale.

JAP

[Danta]

Try JAP [tu-dresden.de], it's a Java proxy program that you run on your system, which connects to a network of anonymizer servers. It is a breeze to setup and use, even your grandmother could use it. It is also more secure than many other systems, because it makes use of a network of anonymizing servers in a way that if one server owner went evil and decided to log your traffic, he couldn't. One would need to have control of all the nodes of the anonymizing network in order to successfully track you, which is much more difficult and unlikely. BTW, the project is sponsored by the German government (!) and FREE (for the moment at least).

Re:JAP

[vegetablespork]

Granted, if you're a USian, it's less likely the German government would care what you're doing, but aren't you at all cynical of any kind of government sponsored anonymizing service?

but why?

[fattybob]

I have to admit that its a lot of fun surfing around anonymously, and keeping all that neat encryption software handy, but if and when the men in the dark suits turn up, I would be the first to furnish them with a full suite of passwords - otherwise - what exactly is it I am hiding???
- assuming I am not a huge corporation with super secrets - and we all know that they use lousy encryption and insecure mail systems, with holes in their data management setups - called mail rooms!