Hacker 10 – Security Hacker

Category: Anonymity

Internet anonymity

  • Windscribe vs. PIA VPN: Which Offers Better Privacy in 2025?

    Windscribe vs. PIA VPN: Which Offers Better Privacy in 2025?

    I have been using Private Internet Access VPN for three years, and I recently moved to WindScribe, now that I have used both companies I can make a fair comparison, I don´t use AI anywhere in this blog.

    Both companies PIA and WindScribe have strong no logs privacy policies and are based in countries involved with mass surveillance, The Five Eyes, this does not put me off if you trust their no logs claims but it concerns me that the UK free speech laws are some of the most limited in the Western world, the UK is know to arrest people posting nationalist British views in social media, this is the main reason why I moved to WindScribe but since I moved I also discovered that WindScribe not using virtual servers considerably reduced the number of captchas and wrong IP locations I get. It is also noteworthy that WindScribe engages with the community in Reddit, something PIA does not despite having an official subreddit too, and WindScribe does not have any affiliate program that could buy them good reviews like PIA VPN does.

    Even though WindScribe is more expensive than PIA, this is to be expected when you only use real servers and I decided to keep WindScribe as my VPN provider, but avoiding what I consider unsafe locations like India and Hong Kong (China), countries where unregistered VPNs are not legal or demand them to keep logs, that is the only regard where PIA VPN has done better by refusing to do business in those countries instead of renting a server and hoping for the best. On the other hand if you need a real VPN server in Russia, WindScribe is one of the few VPN providers able to provide it, what I consider a handicap could be a blessing for others, overall, so far I am really happy with WindScribe.

    PIA VPNWindScribe
    StrengthsVery cheap if you pay yearly

    Audited no logs    		They only use physical servers

    They engage with the community in Reddit

    They don´t own any other VPN company and are transparent about ownership

    They have real servers in exotic locations

    They have no affiliate program to pay VPN top lists and influencers

    Free generous plan to try the VPN without payment
    Drawbacks
    Owned by Kate Technologies with headquarters in the UK

    Parent company owns other big VPN companies like ExpressVPN and CyberGhostVPN

    Parent company owns VPN review site VPNMentor where they recommend their own VPN (conflict of interests)

    They have many virtual locations and it is difficult to find out where the real physical server is located

    There is no community engagement in Reddit or any other place

    There are lots of fake reviews in VPN top lists due to their affiliate program    		Headquarters in Canada

    Non serious marketing communications full of jokes for children

    They have servers in countries where no logs VPNs are not legal like India and Hong Kong (China)



  • Man using HideMyAss to harass ex-girlfriend arrested

    Man using HideMyAss to harass ex-girlfriend arrested

    A judge from Galveston County named Chris Dupuy has been forced out of office after being charged with online harassment for placing fake hooker advertisements with the photographs and phone numbers of two former girlfriends in the escorts section of a classifieds ads website.

    Harris County Sheriff’s investigator Scott Hardcastle subpoenad Backstage.com to find out who had placed the adverts and found out that the IP had been masked with offshore proxy servers. Houston Press reports that the affidavit of the lead detective says that he “had worked backwards from the ads to trace masked IP addresses in Venezuela, Colombia and Germany.” and the articles goes into making fun of the software name “hidemyass.com

    If Chris Dupuy was using software to hide his computer IP, it could not have been Hide My Ass free online proxy as it is web based and there is no need for software, the article also mentions masked IPs in Venezuela and Colombia, servers that are not available to free users, only somebody with a paid account can access those proxies. Based on this Chris Dupuy was possibly using HideMyAss VPN and not the online proxy.

    Chris Dupoy HideMyAss arrest
    Click to enlarge Chris Dupoy HideMyAss

    There are no further details on how the detective “traced masked IP addresses” from HideMyAss but the VPN provider logging policy page states that HideMyAss keeps logs of:

    • a time stamp when you connect and disconnect to our VPN service;
    • the amount data transmitted (upload and download) during your session;
    • the IP address used by you to connect to our VPN; and
    • the IP address of the individual VPN server used by you

    The data is more enough to identify a customer if necessary and it is stored for in “between 2 and 3 months“, or “longer if required by law”, HideMyAss parent company Privax LTD operates from England and was recently acquired by AVG Technologies.

    Futhermore, HMA terms and conditions do not allow using the VPN for filesharing, if you are found doing this “then we may store your VPN data for an extended period of time beyond the normal 3 month maximum“, and HMA online proxy is even more detailed than VPN logs, they record the address of every single website you visit and files you view, keeping it for 30 days.

    If HideMyAss has handed over the logs for one of his users, which is not confirmed as there are no specific details on how the detective traced back the IP, this would not be the first time they help out the law enforcement, in 2011 Cody Kretsinger, was arrested thanks to HideMyAss handing over logs proving that he was responsable for hacking Sony.

  • Police plants own computers in Freenet, log IPs, makes arrest

    Police plants own computers in Freenet, log IPs, makes arrest

    Freenet, a P2P network routing traffic across multiple nodes to hide people’s IP when filesharing, and often cited by the media as part of the dark web, appears to  have been broken by law enforcement.

    Court records related to Paul Bradley Meagher, a University of North Dakota police officer arrested for downloading child porn from the “anonymous” peer to peer network Freenet, reveal that the North Dakota Bureau of Criminal Investigation had been running an undercover operation in the network since 2011, planting their own nodes inside Freenet to be able to log people’s IPs and trace the final destination of users downloading illegal material.

    The Dakota student news site relates how Investigating Officer Jesse Smith managed to get hold of Paul Bradley’s laptop still switched on and running Freenet on the Wifi network, law enforcement discovered child porn images during the preview before seizing the laptop, arresting the suspect, whom, at that point refused to talk with the investigators. Paul Bradley has now been charged with 10 counts of possession of child pornography and can be sentenced to up to 5 years in prison for each count, facing a possible 50 years in jail.

    Freenet network jSite
    Freenet network jSite

    The Grand Forks Herald from North Dakota cites detective Jesse Smith in the affidavit as admitting to her department running nodes in Freenet to be able to track people downloading files included in a list of known child porn file hashes from the police database.

    Unsurprisingly, when a journalist contacted the Bureau of Criminal Investigation of North Dakota they declined to make any comment about the story, so little is known about how they track people. It could be because Freenet has far less nodes than Tor, or because Freenet code has some bug (it requires Java to run).

    With further research I found that the ICAC Internet Crimes Against Children Task Force, in 2014 ran a Freenet workshop for law enforcement to present what they called the “Black Ice Project“. Quoted on their website as “This session will describe the basic functioning of Freenet, how persons exchanging child abuse material, the system’s vulnerabilities and how the Black Ice project exploits them.

    References:

    Child predators use technology, but law enforcement does too

    http://www.grandforksherald.com/news/crime-and-courts/3885134-child-predators-use-technology-law-enforcement-does-too

    Bail set for UPD officer

    http://dakotastudent.com/7191/news/bail-set-for-upd-officer/

  • OnionMail an anonymous mail server running on Tor

    OnionMail an anonymous mail server running on Tor

    OnionMail is an open source mail server developed by hacktivists fighting mass surveillance, it runs on the Tor network and is able to communicate with the Internet as well as Tor hidden nodes.

    Running an OnionMail server and joining the federated network is open to everybody, connections in between servers are always encrypted with SSL, transition servers do not store any data, only in the final destination OnionMail server saves messages and it automatically erases them after reading or if they have not been picked up by the user in a period of days, using the wipe command (Linux) to make forensic recovery impossible.

    An OnionMail email inbox is encrypted with RSA/AES asymmetric encryption keys and user passwords, data is then hashed and scattered around multiple OnionMail servers in the network, if a server is seized no meaningful information or metadata can be obtained. Another security feature is the ability to remotely nuke a server’s digital certificate, this is useful if an administrator loses physical access to the server, OnionMail checks the legitimacy of digital certificates in the network and servers not using a valid one will be disconnected.

    OnionMail anonymous Tor email
    OnionMail anonymous Tor email

    In Tor you don’t have to worry about revealing your computer IP but a local email system clock can give away your approximate geographical location, to stop this, OnionMail spoofs your time zone, it will also spoof the PGP version you are using, helpful in case a vulnerability is discovered in a specific PGP release, an attacker would be unable to find out who is using it without testing everybody.

    For internal email communications inside the Tor network you are assigned a cryptic .onion address, this is automatically transformed into a a clearnet comprehensible address using the Virtual Mail Address Translation protocol to append the .com/.net/.info of your Tor exit node so that people on Yahoo or Gmail can reach you.

    For example, if you are using the onionmail.info exit node, your .onion email address will be transformed into test.serveraddress.onion@onionmail.info when you send an email message to the Internet. Spam is eliminated using custom blacklists that mail server operators can tweak.

    You can find a few Tor email providers but they are not chained and their addresses can’t be used to contact people outside Tor. OnionMail stands out from the crowd uniting all email servers in a single network and allowing users to send and receive email to the Internet from within Tor.

    More than a dozen OnionMail servers are listed in the homepage, to open an account you only need to select one of them with Tor installed in your computer, or download a python script that can be used in Tails to configure your email client. Windows users can download a beta version of OnionMail and the more technical advanced people can install OnionMail in a rooted Android device with Orbot, a free proxy app that runs Tor, the K9 Mail client, and APG, a PGP key manager.

    OnionMail anonymous email
    OnionMail anonymous email

    OnionMail does not hide that it has been specifically developed to stop the NSA and similar espionage agencies from following you. The developers know what they are up against and they make sure that their zero knowledge design will withstand rogue operators and mail server seizure, which leaves only a trojan horse or spear phishing attack as the only way to get into your email account.

    A very well designed, thought out email system with good documentation and help screenshots that has all a security paranoid person can wish for, anonymity, encryption, free and running on Tor.

    Visit OnionMail homepage

  • StegoTorus a camouflage tool to hide Tor traffic

    StegoTorus a camouflage tool to hide Tor traffic

    StegoTorus is an open source tool that disguises Tor traffic simulating it is an innocuous protocol, this foils packet analysis making Tor harder to monitor and block. A client and server are both available for download, the software is available for Linux, Mac and Windows but is is command line operated and it has to be compiled from source, you will have to be knowledgeable in computers to benefit from it. StegoTorus website has clear instructions on how to do this, it is not exceptionally challenging.

    Any Tor operator can run StegoTorus in their own bridge. Tor bridge relays not listed in the main directory, they are intended for people living in countries where public Tor nodes are blocked. Bridges can be acquired sending an email to bridges@torproject.org from Yahoo or Gmail accounts only.

    Tor network bridge configuration
    Tor network bridge configuration

    When you run StegoTorus with Tor an intermediate connection is created to an StegoTorus server acting as the first node to the network, the software running on that server will camouflage all traffic as PDF, JPEG or HTTP, a payload is introduced in the downstream data before passing it on to you with the real requested file or website visited hidden using steganography techniques. A StegoTorus proxy will make believe anybody watching network traffic that no Tor connection is taking place, your Internet browsing should not slow down noticeably, the payload injection is done within miliseconds.

    If you are worried about Deep Packet Inspection by your ISP, used by China and Iran in between others, your only choice to avoid blockage is what the Tor project calls Pluggable Transports, these are used together with secret Tor relays, aka bridges, and they transform traffic to hide that you are using Tor. A few supported transport type Tor bridges are Obfsproxy, ScrambleSuit and the Format-Transforming Encryption, other schemes like SkypeMorph and StegoTorus can be deployed but they are not officially assisted, although both projects are listed in the Bridges Tor project website, bridges of this type can not be requested by email.

    If you know of a bridge that is running StegoTorus, you can connect to that node going to the Tor browser network settings and entering the custom bridge address that leads to it.

    Visit StegoTorus homepage

  • Top anonymous digital currencies for untraceable payments

    Top anonymous digital currencies for untraceable payments

    The aim of the currencies below is to make it impossible for an investigator to analyze a public ledger, known as block chain in Bitcoin, and to hide the identities of those making and receiving payments. Other advantages are that the money can not be seized and transaction fees are very low or non existent.

    WARNING! The world of cryptocurrencies contain elaborate scams, pump and dump and pyramid schemes. I am not endorsing any of the currencies below, it is your duty to double check claims about anonymity and trust.

    Dash (DASH): One of the most popular, Digital Cash is a Bitcoin based electronic currency focused in privacy. The wallet contains a coin mixer, you have the choice to make your financial operations public or anonymous, using a decentralized network of servers called masternodes that anonymize the transaction, the level of anonymity can be configured to in between 2 or 8 node hops. Digital Cash coins can be earned if you help the network running a masternode but this is not necessary.

    CloakCoin (CLOAK): Every CloakCoin user becomes part of the network which increases anonymity, in exchange for keeping your wallet open and helping others be anonymous, you earn interest on the CloakCoins you hold. A built in decentralized market called OneMarket can be used to spend your currency anonymously, anybody can advertise and buy services or goods in OneMarket, or you can exchange your coins in CloackTrade.

    anonymous cryptocurrency cloakcoin
    anonymous cryptocurrency cloakcoin

    ShadowCash (SDC): Decentralised cryptocurrency with the choice of making public or private anonymous payments. When you open your wallet it will help run the peer to peer network and you will be compensated with electronic cash. ShadowCash comes with an embedded private messenger that encrypts communications and allows you to talk with other users on the network.

    LEOCoin (LEO): The Learning Enterprise Organisation coin has a focus on being user friendly, it has a decentralized peer to peer payment system with proof of work and proof of stake validation. The public ledger is encrypted. An article in Coindesk has scam accusations against the developers of this currency, I would be very careful with it, the accusations are somehow substantiated with real facts.

    AnonCoin (ANC): Anonymous cryptocurrency with native support for the I2P network, it can also be used over Tor, AnonCoin will not only decentralized operations but it also anonymizes computer IPs when you connect to a client. This currency has been around for two years and development is very active, with good documentation, a Wiki and discussion forum, it can be traded in various exchanges.

    Anoncoin wallet
    Anoncoin wallet

    Monero (XMR): Open source untraceable currency using peer to peer transactions and a distributed public ledger, receipts and money transfers remain private by default. Ring signatures add a degree of ambiguity to make it harder to link a transaction with an individual computer. This currency can be integrated in the I2P anonymous network and you can run a full node if you want to, another choice is to use a web based Monero account.

    BitcoinDark (BTCD): It has a very novel unproven approach to currency anonymity, BitcoinDark uses what they call Teleport to clone and exchange currency denominations out of the block chain. A hard to understand technology, first generation cryptocurrency. BitcoinDark is part of SuperNET, a decentralized currency exchange that makes it very difficult to steal digital currency by storing it in multiple nodes.

  • Anonymous online payments with Shadow Cash

    Anonymous online payments with Shadow Cash

    ShadowCash (SDC) is a decentralised crypto currency with a focus on privacy and anonymity, one of the beautiful things of ShadowCash is that you can have two addresses, one that works like Bitcoin, with the operation recorded on a public blockchain called shadowchain, and a second stealth address for anonymous payments where the cryptographic transactions are untraceable to the source.

    A P2P encrypted messenger called ShadowChat comes integrated with the software, conversations are secured with AES256 bit without any central server that could be compromised. The existance of ShadowChat gets rid of the need for email or phone calls outside de client, you don’t have to learn PGP or beg the other part to use encrypted means of communication, ShadowCash software is all that is needed to negotiate deals and send money securely. The messenger is text only but audio, video and sending of attachments are in the road map for the next version.

    I can’t see myself using video chat not knowing who is at the other end of an anonymous payment but the attachments option is definitely welcome. Even if you don’t make any financial transaction, ShadowChat could be used for day to day chatting and anonymously trading of files.

    anonymous electronic currency ShadowCash
    anonymous electronic currency ShadowCash

    There are dozens of alternative currencies out there but ShadowCash offers something that is in high demand and very few can fulfil, real anonymous payments. The software is well documented, available for Windows, Mac, Linux and mobile device wallet (ShadowGo). Initially ShadowCash has to be bought with Bitcoins, after that it can be traded in major exchanges like Cryptsy and Poloniex. A fairly active community using ShadowCash provides you with support, this currency looks like it is here to stay.

    You can get free SDC coins running the ShadowCash client contributing to process parts of the P2P shadowchain. If you do you will see a message saying “Staking expected time” this let’s you know when and how many SDC coins will be awarded to you.

    A marketplace software called ShadyBay (sbay) is also being developed, currently in alpha, when fully completed you will be able to set up your own online shop to sell goods and services with anonymity.

    After seeing all that ShadowCash has to offer, I have decided that I will make payments with it whenever possible. I have used Bitcoin before and without a bitcoin tumbling service, that takes a commission and carries risk of the bitcoins going missing, anonymity does not exist.

    I believe ShadowCash to be superior to Bitcoin in many aspects, my favourite feature being the included encrypted messenger that saves me of having to send insecure emails, which is often necessary when selling and buying. I loved this project, however, the Windows version crashed a couple of times in my computer, since ShadowCash is still new, I will be giving them another try soon.

    Visit Shadow homepage