I've read a few things about 'hiding' your IP address to protect your privacy. Does anyone have any tips about how to go about this? I use Firefox rather than IE.

Presumably this would give any sites you visit a dummy IP address, but your ISP would still know who you are and what you're doing?

Coincidentally I just received an email from Zone Alarm offering "Anonymiser" to hide my IP address for $19.95.
Do I need to hide my IP address?
If so can I do it without spending $19.95?
All comments welcome from those more computer literate than me (i.e all of you).

Thanks
Jeff

You cannot be anonymous on the internet. Just accept the fact and get over it !

(1) Your ISP is governed by the regulatory environment, if the Police ask them to cough up information then they will.
(2) Disgruntled/Insider engineers working for your ISP could see your traffic flows if they wanted to (even though this would be illegal with no suitable justification).
(3) Even if you use a third party service such as "Anonymiser" .... they are still subject to a/ the regulatory environment ... i.e. Police wanting to track you down, and b/ how do you know they are not watching you ?

Basically, if you've got nothing to hide, you've nothing to worry about.


Actually, there is one way you can be anonymous. Go to an internet café, but make sure it's one where you can pay in cash, there are no CCTV cameras and hope that the guy behind the counter is dumb enough not to remember your face, oh, and you had better find a lot of them, because you don't want to go back to the same one twice. That's anonymous, or at least it is until the forensics officers track you down ... :cool:

There is no privacy in this world. Tell me, how do you anonymise your phonecalls ..... the withold number feature is worthless you know !

You cannot be anonymous on the internet

You can get some of the way there for everyday use. Tunneling encrypted proxy service such as Guardster, Proxify, Shadowsurf, Anonymization, Anonymizer, Tor, Snoopblock, etc. Work with a service in a nominally secure country (i.e. not most of the US ones listed above). Sweden's got a couple. As long as the session is encrypted to the proxy, you're 90% done since most logging at the superficial level is done at your local ISP or maybe NIX.

Anyway, hiding your IP address only hides it from the web site logs, etc. Cookies and beacons will still follow you around unless you use a service that strips them out.

After the recent uproar in our neighbour country, I'm not sure I'd put my faith & fate in the Swedes' when it comes to internet privacy. ;)

Swedish law allows tapping of emails and phone. (http://www.guardian.co.uk/world/2008/jun/20/2)

As long as the session is encrypted to the proxy, you're 90% done since most logging at the superficial level is done at your local ISP or maybe NIX

You still leave that trail behind you .... they know you've been using the proxy even if they can't see the data without requesting it from the anonymising service.... therefore a means to track you down still exists.

proxy service

A proxy service exposes you to security issues for e-commerce/online banking ....man in the middle attack..... :ok:

I'm not sure I'd put my faith & fate in the Swedes' when it comes to internet privacy.

Think you'll find it's not only Sweden .... you can probably also forget privacy in the US and the UK to start with. Oh, and various countries in an Easterly direction too of course. :cool:

You think you’ve got problems! Proxy servers are also illegal.

As of August 23rd 2008 private firms, organisations and government agencies in Thailand will be required to store all internet traffic data for 90 days...


From the Nation

Beginning from August 23, all businesses and government agencies that provide computers and other related services must keep records of computer and Internet use and Internet traffic for the last 90 days.

This is a part of the 2007 Computer Crimes Act, which took effect on July 18 last year. Granted a grace period of one year, only local Internet Service Providers have so far compiled to the law. Now it is time for the remaining entities, designated as the so-called "third and last group", follow the law.
This includes all government agencies, private and government schools, apartments and residential complexes, online game shops and Internet cafes. Those who fail to comply with the law will face a Bt500,000 fine.

The Act indeed applies to operators of both mobile and fixed line telephone services, who have built data storage facilities to record their clients' usage.

Under this law, businesses, schools and government organizations have to provide data storage facilities to collect users' identification details such as names and addresses of people registered with websites or online applications, logs of Internet use and Internet Protocol addresses and URLs to websites surfed by those users.

Pol Colonel Yannaphol Yangyuen, a senior Department of Special Investigation official, said it would be a priority for organisations to prevent employees from harassing people by sending insulting or defamatory messages on web boards or forwarding pornographic material via email by setting up recording procedures for internal computer use. They must make the stored information available every 90 days

The 2007 Computer Crimes Act is the first Thai law that aims to tackle all types of electronic crime committed through the use of computers and information technology.

by setting up recording procedures for internal computer use. They must make the stored information available every 90 days.

Serious question. How would you go about complying with this law?

I run a company with approx 50 PCs attached to the net through a server. Massive amount of official traffic as well as ‘social’ use like this. Additionally there is a wireless router (unsecured) for customer use.

You still leave that trail behind you .... they know you've been using the proxy even if they can't see the data without requesting it from the anonymising service.... therefore a means to track you down still exists.


That might be true if you use a proxy in say UK or US, but if you are that paranoid you will use a proxy chain that uses at least 2 in places like Rumania or the Ukraine who are unlikely to co-operate with western police.

The discussion here seems to be about hiding dodgy activities from the authorities. The sales pitch from 'Anonymiser' is that you need to be protected from identity theft by hiding your IP address.

The sales pitch from 'Anonymiser' is that you need to be protected from identity theft by hiding your IP address.

Tell me Cunliffe. How does a proxy service (be it 'Anonymiser' or otherwise) protect an idiot from clicking on a link in a phishing spam ? How does a proxy service protect an idiot from entering their credit card details on a not so trustworthy website ?

Much like spammers. Criminals will (eventually) find a way around barriers. It's a vicious circle, you think you fix it, they break it ..... etc. etc.


P.S. Not calling anyone here an 'idiot' .... just incase anyone gets their k's in a twist :ok:

P.S.P.S. Identity theft doesn't happen with your IP address ..... it happens from what people put into forms that they shouldn't fill in on websites they shouldn't visit ! :ugh:

(yes, I know, it also happens when data goes missing from reputable websites, but that's becoming rarer now that the Visa & co. have become much more rigerous in their vetting process).

Serious question. How would you go about complying with this law?

I run a company with approx 50 PCs attached to the net through a server. Massive amount of official traffic as well as ‘social’ use like this. Additionally there is a wireless router (unsecured) for customer use.

Much the same ways that ISPs comply with the likes of RIPA.

One technique is port mirroring.

If you've got the right kit, it's easy as a quick change to configuration settings.

I don't think people are trying to hide something they should not be doing. The point is that the bloody Government or anyone else should but out and mind their collective business'. It has nothing to do with crime or Terrorism, It's about control of the people.
Anything that can possibly be done to thwart anyone nosing into my privacy will be taken as I see fit.
I know it's like pi$$ing in the wind but it makes me feel better. All this nonsense about ISP's keeping stuff is just smoke.
The Government and the US use 'Echelon' A super snooping system that snoops on all communication in the UK and US. B@st@rds...:*

Sorry......Rant Over..:O

mixture
I am aware of the dangers of responding to dodgy emails and iffy sellers and as such I have control over whether I publish my personal details. However, the implication from the people who are trying to sell me software is that my identity can be stolen simply because I am broadcasting my IP address. I take it that you are advising that this is untrue.

Cunliffe,

First, my apologies. Second time today I've spent too little time wording a response to a forum posting and making it sound like I'm having a dig at someone when I'm not. So sorry about that, unintentional, I'll spend a few more minutes typing next time ! :\

Generally speaking (and attempting to summarise a rather complex topic in a short post) :

IP addresses are there for the purposes of "routing", that is they provide a unique identifier for every possible destination on the internet. Depending on what service you have subscribed to, there are two ways in which you can be allocated an IP address, "dynamic" or "static".

With "dynamic", as is usually the default service for residential customers, your IP address is randomly selected by your ISP's equipment out of a large pool. There is no way for you or anyone else to predict what IP address you will be allocated, how long you will be allocated it for, and all the publicly available information relating to that IP address is in the ISPs name. Obviously the ISP keeps a log of who was allocated what when, so they can track you down if they receive a complaint or law enforcement warrant, but otherwise it's pretty much impossible for the average Joe to track you down.

With "static", your ISP allocates you a set of IP addresses, which remain yours as long as you remain a subscriber. For residential customers, most ISPs will respect the word of the Data Protection Act, and refer to you by simply your account reference number when registering your static IP address in the public databases, so only they and law enforcement can find out who you are.

If we asssume the worst case scenario that they put your name and address in the database, the only thing that can really happen is that a malicious website operator can see your static IP address has browsed their website and look up your name and adddress. But as I said earlier on, the real damage is done if you put your credit card or other information into a form on that site. Your name and address can be found in many other ways (e.g. directory enquiries, the government loosing a disk etc. etc.) and so on its own would not be much more of a risk than it would be if you were not on the internet at all.

That's my 2p worth anyway. I doubt I'm wrong, but willing to be proven wrong ! :cool:

Thanks mixture.
No apology necessary.:ok:

On the other hand Mixture I find it quite disconcerting when you go on to some "adult" sites to have adverts for escort/dating agencies in your local town appear on the screen, if you use a proxy it then puts the ads up for the proxies local town, so the site must be able to deduce your approximate location from your ip address.

green granite,

You are correct - but I believe that this depends on the reverse DNS entry for the IP addresses, and this is not always provided by the ISP.

In my case, my IP address resolves (ping -a address) to:

cable.ubr02.mort.blueyonder.co.uk

The "mort" is Mortlake in W London, so that's as close as I can be located (without asking my ISP)*. I assume that a whois on the RIPE database will provide similar information.

These details are compiled by various organizations and then they sell access to their databases, which is probably the way these sites "locate" you.

There is a resource record in DNS for specifying geolocation data for a host, where the latitude, longitude and altitude are specified. However, I do not believe that type of record is widely used - and again, this is the ISP location, not you!

SD

*Actually, my public PPRuNe profile locates me closer than that, but that is not relevant!

deduce your approximate location from your ip address.

Green granite, you've got it in one there. "Approximate" is the word.

The mobile phone companies can track you down much closer than that !

Deducing location from IP addresses, or "geolocation", as Saab points out, is (a) an artform, (b) not always accurate.

It is the holy grail. There are lots of companies out there that have a genuine need for accurate geolocation, and would pay millions for the data. Companies such as Akamai, who provide local hosting services for websites with heavy traffic such as large e-commerce sites. They would love to have a magic list that would be guaranteed to point you to their nearest server cluster so that you can browse the busy website of your choice at higher speeds, but instead, they have to take a best guess and hope for the best that they've sent you to the right place. Google too would love to do a better job of balancing search traffic around their global network. But it's just not possible to be that precise. I believe Akamai offer their clients a 99% guarantee on geolocation accuracy when using their technology, but the small print limits that guarantee to country code level, and they can only offer that guarantee because they have some very fancy algorithms that amalgamate data from their 34000 servers plus various other bits of kit spread around 70 countries !

Akamai will show you what they know about your location on this page :
How Our Personalization Works (http://www.akamai.com/html/technology/products/personalization.html)

Saab,

Bear in mind that the WHOIS data is not the stuff that's compiled, any non-authorised use of that (whether commercial or otherwise) is prohibited. What does get compiled is, for example, the lists of IP adddresses that the regional organisations such as RIPE have been allocated by IANA. This is then mixed with other scraps from elsewhere, but WHOIS itself is a no no.*
:cool:

* = won't stop spammers, I know :{

The only *true* way of remaining anonymous is to piggyback off of a neighbour's unsecured wireless connection.
Only works sometimes. You're taking a punt that your neighbour isn't recording the MAC addresses of people who do this ...

... or even recording all their traffic, including emails sent in the clear and that sort of thing.

Not sensible, basically. Setting up an unsecured wireless connection as a trap precisely so as to spy on any traffic from anyone daft enough to use it, with a view to committing identity theft, is hardly a new idea.

The only *true* way of remaining anonymous is to piggyback off of a neighbour's unsecured wireless connection.

Communications Act 2003
Computer Misuse Act 1990

Not a good idea. :=

And anyway, if you kept on using the same neighbor's connection, you would not stay anonymous for long !



precisely so as to spy on any traffic

Indeed.

It's known as a man in the middle attack.

And don't think just because you're visiting a "secure" page such as online banking you're safe. The man in the middle can intercept the secure communications, effectivley relaying on your behalf and capturing passwords and everything else in the process.

Mixture, to clarify (for the benefit and partial reassurance of others):

Communicating over an usecured wifi LAN does not mean that SSL traffic (HTTPS) is unencrypted, but there is the possibility of a MITM attack, even against SSL.

The MITM attack requires the ability to observe and capture traffic on the network as a preliminary to the attack, the observation of itself is not a MITM attack.

It is indeed dangerous, and this is why SSL connections to corporate VPNs or online banking (for example) have moved to two-factor and / or mutual authentication to defeat the MITM vulnerability.

In this case, the MITM cannot supply the correct certificate or password and cannot spoof the connections.

But all unencrypted traffic is visible on an unsecured LAN, and access to the PC itself also becomes possible, both from the local LAN and potentially from the internet as well.

SD

Saab Dastard,

I feel I should clarify your clarification. :cool:

Communicating over an usecured wifi LAN does not mean that SSL traffic (HTTPS) is unencrypted

Yes, that's the theory and reason why SSL was invented. To provide a secure means of data transfer over unsecure networks.

HOWEVER

If your immediate upstream router is, unknowingly to you, providing SSL proxy functionality. Then there is the theoretical possibility of a man in the middle attack because your upstream router could imitate the SSL website.

There are also theorectically DNS based and other ways to at least partially achieve the same goal.

As an example of a form of SSL Proxy that does exist today. Corporate quality firewalls, such as those used by banks, will frequently be configured to intercept SSL requests, decrypt them, do security checks or read packets for load balancing purposes, and then re-encrypt data and pass it on.

Always amazes me in airport lounges with free wi-fi access how many business-bods you see with their laptops merrily checking their emails

It's a theoretically lot harder to do MITM with IPSec VPNs back to the office, specially certificate+two-factor based IPSec, ....because there are fewer avenues than SSL.

However I would still encourage reasonable caution when using untrusted networks, even though arguably you are in a better position than going all the way down the security chain and using untrusted PCs (e.g. internet café), which should always assumed to be full of viruses and spyware and never used for sensitive data. :cool:




Anyway....all this is getting too complicated and boring for PPRune.... so I suggest we put this topic to rest ! :)

You think you’ve got problems! Proxy servers are also illegal.

Really?

In that case virtually every large or medium sized company in the world is breaking the law*

I do wonder at the assertions made on here from time to time....


*jurisdiction unknown

Then there is the theoretical possibility of a man in the middle attack because your upstream router could imitate the SSL website.


Not unless it can somehow forge the SSL certificate, as issued to the genuine site by a trusted public root CA.

Corporate quality firewalls, such as those used by banks, will frequently be configured to intercept SSL requests, decrypt them, do security checks or read packets for load balancing purposes, and then re-encrypt data and pass it on.

Absolutely right - I have implemented such solutions. But the point is that the proxy has the genuine certificate for the protected website!

SD

Saab,

Much as I'd love to mull over it and come up with a counter-argument, I'll stick to my original statement :

all this is getting too complicated and boring for PPRune

:ok:

(Hint: at least one counter-argument is that there's probably a partial reliance on the fact that the victim is naive in the ways of technology).

banana9999,

Quote:
Originally Posted by ZFT http://static.pprune.org/images/buttons/viewpost.gif (http://www.pprune.org/computer-internet-issues-troubleshooting/340555-hiding-your-ip-address-privacy-post4353473.html#post4353473)
You think you’ve got problems! Proxy servers are also illegal.

Really?

In that case virtually every large or medium sized company in the world is breaking the law*

I do wonder at the assertions made on here from time to time....



I can assure you that under the 2007 Computer Crimes Act, proxy servers are illegal in THAILAND.

Before hide your ip-address you can check the ip-address in the site IP-Details.com : Find your IP address Information (http://www.ip-details.com/) after hide your ip-address whether it was hide or not you can check out it that site you know the software working or not..

A while ago I tried a kind of "distributed anonymiser" system called Tor (https://www.torproject.org/overview.html.en). It splits your traffic across multiple proxy servers rather than a single proxy.
Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network.
...
Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination.
It works, but performance is a problem. Note that it doesn't remove the need to encrypt your traffic, that's up to the server you're talking to. So (for example) it doesn't make an electronic banking session any safer in itself, but it can hide knowledge of that session from 3rd parties such as governments.

Only if you are daft enough to walk around with your Bluetooth switched on. It's already happening.

bnt,

re: Tor
but it can hide knowledge of that session from 3rd parties such as governments.

It does have its weaknesses.

And even if we were to assume it was perfect.... there are a multitude of other options available to those who really want to keep an eye on what you are up to. Many of them are not particularly high-tech or complex either. :cool:

I therefore repeat my original statement from August 2008....

You cannot be anonymous on the internet. Just accept the fact and get over it !

Yes, you can make yourself a lot harder to track down. But those with enough weapons at their disposal will make light work of any obstacles you set.

mixture:

Absolutely no issue with having a SPAN/mirror port collect traffic.

The issue is the sheer volume - keeping 90 days worth of traffic in our office in the UK would mean terabytes of storage to be managed. We've not got enough room for all the disks. The only winners are the storage vendors :)

.........those more computer literate than me (i.e all of you).


No, you're more literate than me, you even know what an I.P.address is !

The Nr Fairy:

Slightly confused about the context of your reply....

I assume you are referring to "Data Retention (EC Directive) Regulations 2008", if so I'll PM you ....:cool:

Actually, no - the post from end of August 2008 I was replying to, but didn't realise that till just now :O

Either way the point was that even though technically it's straightforward to comply with regulation requiring the retention of 90 days worth of data from a collection point of view, the storage of the data is nigh on impossible, unless someone comes up with a REALLY dense storage medium.

Going even more off the original point, my view is that if the government wants stuff intercepted then it should damn well have to go to a court to get it organised. Random trawling is ineffectual, the cost falls eventually on the consumer rather than those who want the data in the first place, and the potential for abuse is rife.

The Nr Fairy,

the post from end of August 2008 I was replying to, but didn't realise that till just now

Yes, I was quite surprised to see this thread rise from the dead ! Quite curious that probationer jeeva chose to make a post to this thread his first one on PPRuNe ..... (welcome jeeva ! :ok:)

I'll resist your dangling carrot in relation to having a rant .... :E

Before hide your ip-address you can check the ip-address in the site IP-Details.com : Find your IP address Information (http://www.ip-details.com/) after hide your ip-address whether it was hide or not you can check out it that site you know the software working or not..
Well according to that (and all the other sites that make the same claims) I'm about 200 miles away from my house.
All the sites give a guess and a bad one at that. The closest one has ever got to mine is about 80 miles......:}

The only *true* way of remaining anonymous is to piggyback off of a neighbour's unsecured wireless connection.

There is always the possibility of this (http://xkcd.com/341/) happening to you.

ASFKAP,

could this be seen as breaking the law....?

Depends on the jurisdiction .... but I would guess in your average Westernised country it would probably not be seen as breaking the law if they were not connecting to the other WiFi dishonestly or with the intent of avoiding paying for their own connection.

I'd imagine the reason we can log on to this network is because whoever owns it is not savvy enough to secure it, but if they were savvy enough could they monitor the information thats been sent through their connection...?

Aaah.... but assuming the person who operates the network is a moron, how do you know a savvy individual is not logged into or tampered with the network. It's not exactly difficult to monitor information transmission, and requires even less savvy if unencrypted transmissions are taking place from your browser.


Would suggest you look for ways of changing which network is used by default.

I would hope your PC is using HTTPS connection to the Bank, and that the security on that is sufficient that the bloke watching stuff going through his router can't decipher it anyway.

My laptop and my phone know they aren't allowed to connect to any WiFi network that they haven't been officially introduced to.

Ref. Keef.....
I would hope your PC is using HTTPS connection to the Bank, and that the security on that is sufficient that the bloke watching stuff going through his router can't decipher it anyway.

Oh how nice it is to be in a cloud of innocence.... :cool:

SSL is indeed secure.... as long as you keep your wits about you.

Have a little think about how your average Phishing attack works.

Think about the extra options control over the local router gives you, especially against computers running DHCP to get their IP/DNS details. There is a lot of scope for very realistic looking attacks.

With encrypted communications, it's not necessarily about communications interception (although that of course is the jackpot) .... it's about finding ways to gain keys to the castle. Once you have the keys, you can go take a look around at your own leisure. :cool:

Even with SSL / WPA on there are ways to infer stuff - Your health, tax, and search data siphoned ? The Register (http://www.theregister.co.uk/2010/03/23/side_channel_attacks_web_apps/)

Some people I know of use a clean virtual machine image for anything sensitive, and always revert to the clean snapshot when done.