Hacker 10 – Security Hacker

Category: Anonymity

Internet anonymity

  • Review anonymous file sharing P2P software Freenet

    Review anonymous file sharing P2P software Freenet

    UPDATE 2015: Read Police arrest Freenet user! This software is not safe!

    Freenet is a free P2P software designed from the ground up for anonymous file sharing, it is targeted at those who want to exercise free speech without fear of censorship or retribution, besides anonymous filesharing Freenet also lets you to publish websites and take part in online bulletin boards that are only accessible to those who use the software.

    The network is decentralized without any central hub, shared files are stored encrypted in different computers around the world, the default folder where shared files are stored is called “datastore“, the size of this folder, just like bandwidth made available, is determined by the user during installation and it can go from a few Megabytes up to dozens of Gigabytes. Because all the stored data is encrypted Freenet users do not know what they are sharing and have no saying on what is being shared, this allows for denial of knowledge, while some people will be sharing Linux distributions, others could be storing copyrighted work but they will not be aware of it because the contents in the disk are encrypted and the user can not see them, communications in between nodes is encrypted too.

    Files in Freenet are kept or deleted depending on popularity, if something isn’t downloaded for some days, Freenet will make way for new uploads.

    Freenet Linkageddon site directory
    Freenet Linkageddon site directory

     How to Install Freenet

    The software is a small 13MB download and it is recommended that you have 650MB of free disk space to store the files being shared, different languages can be chosen during installation, I would recommend you to change the default installation directory somewhere else easy to find, the default folders is set to install in between Windows system folders.

    Once you have installed Freenet, if you have a proper firewall blocking outgoing connections (ie not Windows firewall), you will get a few warnings about Java attempting to access the Internet, you will need to authorize this, after that your Internet browser will launch and a wizard will guide you during the set up of your Freenet node, it took me no more than 5 minutes altogether, Freenet has no fancy GUI it operates from inside your browser but it gets the job done easily.

    Note: Freenet website has been blocked by the Chinese Government for years.

    How to be Anonymous on Freenet

    It is strongly recommended that you do not use the same browser that you normally use to surf the Internet for Freenet (Freenet runs inside the browser), a malicious script while surfing the Internet could break with your anonymity and find out what Freenet sites you have visited, Freenet works well with all major browsers (except IE), just download any other. When you first get started with Freenet you will have to use the “connect to strangers” option in order to find something of value to download, as soon as you make 5 friends on Freenet choose the high security settings called “only connect to friends“, it needs a minimum of 5 friends for this to work and it makes tracing data back to you extremely difficult.

    This anonymous file sharing software include plugins to extend its anonymity service, like for example Freemail, a messaging system where mails are sent over Freenet encrypted and anonymously, Freemail makes it very difficult for others to learn who you are communicating with. Freenet plugins can be fetched over the network to get around ISP censorship (i.e. China), you should be careful about what plugins you install, these are not necessarily approved by Freenet developers and could endanger your P2P anonymity.

    I attempted to use Freenet while running a VPN and Freenet stopped working, I think this is due to the TUN/TAP drivers that OpenVPN uses and Freenet might also be using, I noticed that without the VPN active Freenet forged ahead, in my experience it is incompatible to run Freenet and a VPN at the same time, however Freenet FAQ does not say anything about this, I can’t guarantee 100% it was something else.

    Freenet anonymous file sharing
    Freenet anonymous file sharing

     Freenet advantadges

    • Decentralized filesharing, even if one server goes down the content will still exist
    • Files shared by users are stored encrypted nobody knows what they share (helps reduce legal liability)
    • Self regulated filesharing software keeps popular files and erases files that nobody downloads
    • Communications in between Freenet nodes is anonymous and encrypted
    • Anonymous discussion boards and website publishing can be done on top of P2P file sharing

    Freenet Disadvantages

    • There are lots of offensive material around
    • When using high anonymity settings filesharing is slow (data has to be routed around nodes)
    • It can daunting for newbies, the concepts are not easy to understand

    Conclusion on anonymous P2P over Freenet

    Freenet is as close as one can get to real P2P anonymity, the network can be slow at times due to the data being bounced around nodes but anonymous discussion boards, directories with links to find content, and anonymous email over the network make up for it. This is one of the best darknets that exist for anonymous file sharing in P2P, when used accurately, Freenet is for file sharing what the tor proxy is for anonymous Internet browsing.

    I only found two downsides, the software can be hard to understand and speed is slow, other than that this darknet is brilliant.

    Freenet speed improves a lot after a few hours! Do not give up on it due to speed, the longer you run it, the quicker downloading files over Freenet will be.

    UPDATE 2015: Link to Freenet removed, this software has been cracked by law enforcement. Avoid!

  • List of free programs to edit digital images Exif data

    List of free programs to edit digital images Exif data

    When you take a photograph with a digital camera or edit it with a graphical editor, there will be data embedded in the image file, most smartphones also embed metadata in the pictures they take, this semi hidden data it is called Exif (EXchangeable Image File Format) data, Exif data is not exclusive of image files, it can also be found in audio and video files.

    In images, Exif data typically includes the date and time the picture was taken, type of camera and model, software used to edit the image, picture resolution, and if the device used to take the photograph has GPS capabilities, like the iPhone, it will also include the geographic coordinates of where the photograph was taken.

    How to view image data in Windows

    You can access image file Exif data in Windows locating the image file, right clicking on it and selecting “Properties” from the menu that appears, the “Advanced” tab of “Properties” shows further details, Windows does not show all of the embedded metadata on a file, a proper Exif data viewer will do.

    Digital photographs metadata, aka Exif data, can be read by software programs, if you open, edit and then save an image file with software that does not support metadata you risk losing it altogether.

    Exif data viewers

    Free Photo Viewer: Lightweight Exif data viewer that shows aperture, shutter speed, ISO value, camera model, focal length, time and date, flash settings, etc. IPTC comments are also supported and displayed, you can view all of that in full screen if you wish.

    InfanView: This small free photo viewer show Exif/IPTC/comments information from JPG files, the Exif data can not be edited but the IPTC and comments can, IrfanView plugins are available for download extending the photo viewer capabilities.

    Programs to edit and modify Exif data

    GeoSetter: Image utility that can read and most digital cameras RAW images, it shows existing geo coordinates and tracks on embedded Google Maps, Internet access needed. GeoSetter can change a digital image GPS coordinates, the date it was taken, IPTC data and much more.

    GeoSetter GPS Exif data
    GeoSetter GPS Exif data

    ExifDateChanger: It can change a digital image Exif date indicating when it was taken, the changes include minutes and seconds, it can rename files and captions. Exif Date Changer free version is  limited to JPG files, if you upgrade to the Pro version many other file extensions are supported for Exif editing.

    ExifEraser: Free lightweight software to erase all of your images Exif data, useful if you plan on posting them to the Internet and would like to erase personal details from your photos. Easy to use, lightweight, with no installation needed, it erases digital images EXIF/IPTC/XMP information.

    ExifPilot: It views images metadata directly in Windows explorer, you can edit and create digital images Exif, Exif GPS, and IPTC data. It can export and import EXIF and IPTC data to MS Excel, the free version can only edit one photograph at a time, to batch processing digital images Exif data you need to upgrade ExifPilot with a paid for plug-in.

    ExifPilot Exif image data editing
    ExifPilot Exif image data editing

    ExifTool: Platform independent command-line application for reading, writing, and editing meta information contained in digital images, audio and video files, it supports supports many different types of metadata including Exif, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3.

    PhotoME: Multilingual free metadata editor supporting all of the dominant digital camera brands, it shows information that the camera writes to the image file as well as information that can be calculated from the meta data, it can read ICC profile data, IPTC-NAA tags, Exif tags, GPS data, etc.

    PhotoME digital images Exif data editor
    PhotoME digital images Exif data editor
  • Anonymous web surfing with The Amnesic Incognito Live System

    Anonymous web surfing with The Amnesic Incognito Live System

    Tails, short for The Amnesic Incognito Live System, has Ad-block preinstalled on its Iceweasel (Firefox based) browser, it comes with many other privacy enhancing tools to stop companies and repressive Governments tracking down Internet users.

    This Debian based Linux live CD enables you to hide your IP address while surfing the Internet, it comes preconfigured to use the anonymous tor network for all outgoing connections, this will hide your IP at all times, you do not need to know anything about Linux to use it, just download the ISO file burn it to a CD, reboot your computer, MAC or PC, and it will work straight out of the box.

    Anonymous live CD features

    • Supports mobile broadband devices like 3G USB dongles
    • Can be booted up from a USB thumbdrive instead of a live CD
    • Multilingual support including Arabic, Chinese and Spanish in between other languages
    • Firewall drops incoming packets by default
    • Instant Messenger Pidgin comes with the OTF messaging plugin to proxy communications through tor
    • Internet browser comes with the HTTPS Everywhere, FireGPG and Ad-block extensions
    • Stops cold boot attacks by wiping RAM memory on shutdown
    • Virtual keyboard available to stop keyloggers
    • Support for i2p eepsites, hidden websites hosted anonymously
    • Email client ClawsMail comes with GnuPG support to encrypt email messages
    The Amnesic Incognito Live System
    The Amnesic Incognito Live System

    Live CD with encryption & file deletion

    The Amnesic Incognito Live System includes secure-delete integrated on its file manager, a program to wipe free disk space and sensitive files, a front end encryption key manager called SeaHorse will take care of digital signatures and GPG encryption keys.

    If you are comfortable with Linux command line you can take advantage of cryptsetup to encrypt files and macchanger to change your computer MAC address. Those are only the security features, open source everyday software for production purposes includes OpenOffice.org to edit documents, The Gimp to edit photos, Audacity to edit sound files and many others.

    This operating system to hide your IP address has two preconfigured users: amnesia and root, the password is the same for both of them, amnesia.

    Visit The Amnesic Incognito Live System

  • Hide My Ass VPN service one year review

    Hide My Ass VPN service one year review

    I have been using Hide My Ass VPN service for a year now, during all this time I have seen some servers come and go, mostly come, there has been a considerable increase on server locations. One thing that makes HMA premium VPN service stand out from the crowd it is their vast number of servers and IPs available.

    I am based in Europe using a 10MB ADSL pipe and most of HMA VPN European, USA and Canadian servers almost match my original ISP speed, only the Singapore servers seem to be considerably slower all the time as well as having a huge ping rate (ie. lag). But your results will likely be different depending on where you live, choosing the location of your VPN as close as possible to your home considerably improves VPN speed and ping rate, if you are in Western Europe for example, and want to use a USA VPN, choosing a server on the East Coast of the US should improve performance a great deal.

    The only place where I have found some of Hide My Ass USA VPNs blocked is while watching Hulu, you can easily get around this block by choosing a different US server of the many others available.

    Hide My Ass company headquarters

    My biggest grudge against HMA VPN it is the way they hide where their headquarters are, they don’t seem willing to reveal in what country they are based and this is pretty important because when you use a VPN three country laws must be abide for, the laws of the country where the VPN server physically is, the laws of the country where the VPN company headquarters are and your own (user) local laws.

    The user local laws don’t really matter much because nobody knows where you are unless the VPN company reveals it, but the first two matter much more because it is trivial for a law enforcement agency or RIAA outlet to find that out and if HMA headquarters are located in, for example, China, then they must abide by Chinese law, it is not good enough to keep this secret. Users should be informed of where the VPN company headquarters are located.

    For all that is worth, I would place my bets that Hide My Ass company headquarters are in the United Kingdom because HMA website DNS servers are using ns1.zymic.com Zymic being a hosting company that uses the tagline UK/US on its Twitter account and contains a link to HMA VPN service on its homepage footer. The Zymic domain is also registered in the UK by Netco Solutions but it appears to be a privacy registration.

    The biggest give away is that HMA VPN affiliate program pays out using a British bank account, draw your own conclusions from that. I guess they must be paying their taxes somewhere.

    Hide My Ass Virtual Private Network service
    Hide My Ass Virtual Private Network service

     Hide My Ass VPN receives DMCA complaint

    Various people at HMA forums have posted that Hide My Ass sends out warnings when a complaint is filled due to illegal filesharing activities, HMA as it is their legal duty, complies with the law and hands out a notice so that the copyright infringing torrent is removed. This is a good example that if necessary Hide My Ass will track you down, like any other VPN service will, at least HMA will give you a chance to remove the offending file and not terminate your account straight away.

    You can still use HMA for filesharing as it is not against their terms and conditions but using a USA server for doing that is not too clever, specially since HMA has a server in Russia where filesharing of copyrighted movies does not break any local law, to be safe, make sure that whatever activity you do is legal in the server you are using so that no complaint can be filled.

    If you think that you can carry out illegal activities and get away with it because you are using Hide My Ass VPN, think again, according to their privacy policy, HMA keeps connection logs for up to two years, ,more than enough time to track you down.

    Many VPN services claim to not store any logs, but they will actually produce them when pressured by the authorities because all of the VPN activities get traced back to them. Using a VPN makes the job of tracking you down harder but not impossible, to make it impossible use a tor proxy.

    Hide My Ass VPN service advantages

    Hide My Ass has dozens of VPN servers and thousands of IP available all over the world, there is no bandwidth limit you can download as much as you like, torrents are allowed, their VPN speed is more than reasonable for the average user and it gets through geolocation based online TV blocks.

    Their email support has normally replied to all my queries  in around 24 hours, normally concerning servers that have stopped working, they eventually get fixed, not a big deal.

    Forget about the forums for support, you will not get real tech support there, in case of problems use Hide My Ass VPN export the logs and send them via email to HMA support.

    Hide My Ass VPN service disadvantages

    Your IP can be exposed if your VPN connection drops and you get no clear warning whatsoever, you can be surfing the Internet with your real IP after a VPN disconnection and you will not be aware of this. There is a secure IP binding feature in HMA VPN client but it did not work for me and even if it worked that feature does not support all Internet applications.

    Paying HMA VPN monthly is on the high side of prices and Hide My Ass homepage advert of a 60% discount saying “offer expires soon” is a total lie, that offer was there one year ago when I signed up for it and it is still there now, it has never gone offline at any moment, this does not say too much about HMA honesty.

    I am not a big fan of Hide My Ass VPN management software either, it seems clunky to me, but you can put that down to personal taste if you like, I am not into fancy graphics, I rather have simplicity.

    Conclusion Hide My Ass VPN review

    Assuming you pay yearly their VPN service is great value for money, you have numerous server locations to choose from, coverage is a little scarce for Asia but that is the norm at most VPN providers, something to do with bandwidth availability and expensive server prices in that part of the planet.

    HMA VPN support is fine and server reliability pretty good, with so many servers if one does not work just choose a different one, I am just not too happy the way they seem to hide where their headquarters are, I  like to know where my VPN provider company is and if possible who is behind it, and I am not too enthusiastic about a yearly commitment either, which is when HMA VPN prices become affordable, that is why I am not going to renew my yearly subscription when is up, I would like to try something else and see how it goes, I am always on time to go back to HMA, it hasn’t been a bad experience, they just have a little room for improvement.

    Visit Hide My Ass VPN homepage

  • List of privacy search engines for anonymous Internet search

    List of privacy search engines for anonymous Internet search

    Every time you use a search engine to look something up on the Internet personally identifiable information will be collected by all major search engines. The search terms submitted to the search engine, as well as the time, date, and geographical location of the computer carrying out the search will be logged and stored.

    The search words you enter are often stored within search boxes in your browser, your computer will normally cache those words and pages you visit, your searched for terms can be retrieved by anyone with access to the hard disk.

    Do you really want search engines like Google or Bing to know everything you search for on the internet?

    What information do search engines keep?

    1) IP Address: Your personal computer IP address can be traced back to you through a reverse DNS lookup with tools finding out not only your ISP but also your approximate location such as State or Province.

    2) Date & Time: The exact date and time you were searching for a certain keyword will be logged. The browser you use is normally also stored in search engines logs.

    3) Query Terms: The terms your searched for will be stored.

    4) Cookie ID: A unique code is embedded into the cookie and assigned to a particular computer by the search engine. It allows a search engine to learn if requests came from a particular computer, as long as that identifiable cookie is still stored in the browser Internet searches can be linked and traced back to you independently of what computer IP you use.

    Notice that after some pressure from privacy groups some major search engines have begun to mask the computer user IP address on their search logs but this does not make your search history anonymous.

    What information do search engines send to webmasters?

    After you click on one of the results given by the search engine, your search terms are passed to the website server logs, that webmaster will know what search terms you used to find that site, the referring URL and your IP address, as well as other data like your Internet browser and operating system you are using and even your default browser language, all of this can help to identify you.

    Google maps search
    Google maps search

    Privacy search engine Duck Duck Go

    Your web browser automatically sends information about your user agent and IP address to the search engine but Duck Duck Go will not store it at all. This information could be used to link you to your searches and other search engines will use it to show you more targeted advertising. Duck Duck Go will go out of its way to delete that data.

    At Duck Duck Go no cookies are used by default and they do not work with any affiliate program that will share personally identifiable information like name and address. Feedback at Duck Duck Go can also be given anonymous not having to enter an email address in the form (it can be left blank). This privacy search engine also allows searching via its SSL website and lots of customization options.

    Duck Duck Go pulls results from Microsoft’s Bing and Google search APIs, a lot of what you’re getting are results you could find on those search engines with the added advantage that your personal privacy is respected while searching the Internet. Duck Duck Go also has its own web crawler and web index.

    https://www.duckduckgo.com

    Duck Duck Go no logs search engine
    Duck Duck Go no logs search engine

    Privacy search engine IxQuick & Startpage

     IxQuick was awarded the first European Privacy Seal, IxQuick privacy search engine will not record your IP address, other data like the search queries are deleted from the log files within a maximum of 48 hours, often sooner.

    IxQuick uses the POST method to keep your search terms out of the logs of webmasters of sites that you reach from their results, the major search engines on the other hand, use the GET method which allows web servers to log what search terms you used to reach them.

    You can use encrypted Secure Socket Layer (SSL) connections to carry out your search stopping your ISP from snooping on you, this is of vital importance if you are using a public computer in an internet cafe, library or at work where the network administrator can easily spy on your search terms.

    IxQuick uses a single anonymous cookie to remember the search preferences you saved for your next visit, it will not use cookies with a unique ID like many other websites do.

    IxQuick also allows for advanced syntax search and being a Metasearcher, it pulls some of it results from other major search engines like Bing, Ask or the Open Directory. IxQuick also lets you visit the chosen page with a built in proxy,  the webmaster server logs will only see/log IxQuick IP address and not yours.

    I tested IxQuick search proxy on my server and it also spoofs your agent ID and operating system, identifying itself as Google Chrome and Windows 7, this is a good practice as it makes even more difficult to pin you down.

    The Dutch IP IxQuick search proxy gives once reversed identified itself as Webhosting customers, making it obvious it is not an ISP but a hosted proxy, the URL entry was presented as blank in the server logs, overall, their proxy for searching in privacy does a good job at keeping your privacy online.

    https://www.ixquick.com or https://www.startpage.com

    IxQuick privacy search engine
    IxQuick privacy search engine

     Search engine Findx

     This search engine from Denmark can be used to find webpages, images, videos and shopping, results are crawled by its own bot and it does not rely on Google or Bing, users can contribute to improve search results by rating them.

    In Findx your search history is not saved anywhere, you are not tracked, and no identifiable information is kept, the company has a clear privacy policy easy to find. Findx claims that if required by law to share personal data they will have to comply with it, but since they do not hold anything identifiable, it is impossible for the company to provide data.

    They also plan to release an Internet browser for private browsing, called Privafox in the future.

    https://www.findx.com

    Findx privacy search engine
    Findx privacy search engine

     Usenet search engine BinSearch

     This is not an anonymous Internet searcher but it is included on the list because it carries results that nobody else does. BinSearch specialises in crawling binary Usenet newsgroups results that are ignored by all major search engines. You can search for Usenet posts subject, filenames or .nfo and limit your search to certain newsgroup or timeframe.

    Due to the huge amount of data that Usenet carries, results are refreshed every few weeks and old ones dropped, Binsearch crawls thousands of groups but it is not possible to index all of them, only the major newsgroups.

    http://www.binsearch.info

    BinSearch binaries Unsenet search engine
    BinSearch binaries Unsenet search engine

    Privacy search engine Qwant

    A search engine based in France that promises not to collect your data, they do not even put a cookie in your browser, if you want your settings to be remembered you have the option of opening an account with Qwant anonymously, otherwise the search engine does not remember anything. They have a data protection staff member and their privacy policy is very well explained and clear.

    Search results come from its own crawling bot complemented with Bing, you might see advertising but it is not targeted since Qwant does not track its users. You can use this search engine to find webpages, images, videos, news, shopping, music and social. There are two versions of Qwant you can access, one of them where the search engine displays results from across multiple sources, including social media, and one light URL that only displays results for webpages without pictures, this saves bandwidth.

    https://www.qwant.com

    Qwant privacy search engine
    Qwant privacy search engine

     Tips to search the Internet with privacy

    Do not accept any of the major search engines cookies, they might use them to identify you later on, if you already have a Google or Bing search engine cookie on your computer, delete them.

    Do not sign up for email at the same search engine where you regularly search, your personal email address can potentially be tied up to your search terms. Using Google and Gmail (both Google products) or Bing and Hotmail (both Microsoft products) together is not a good idea.

    Mix up a variety of search engines, this will spread all of your searched terms across different companies and servers. Varying the physical location you search from can also be helpful, you can use a VPN to change your computer and country IP and delete all of your search engine cookies before starting a new private searching session.