Anonymous is not anonymous

At this point, most of us would welcome shelter from the gaze of government cyber spies. Here are six reasons why that may be unattainable

1 2 Page 2
Page 2 of 2

Unfortunately, most users choose relatively weak passwords. Even those who enter what they think are strong passwords are fooling themselves -- and it's inherently easier to guess a user's password than it is to try and crack the private key that does the protecting. I have to assume that organizations like the NSA have specialized hardware-only chips that are adept at cracking the passwords to particular programs. Heck, they probably just extract the relevant parts of the program, along with the key pair, and crack away. I'm guessing their bank of crypto-cracking computers will make short work of most users' allegedly "strong" passwords, and I'll bet the designers of such hardware chuckle at our gullibility.

Reason No. 4: You don't really know where your packets are
Services like Tor work by randomly rerouting encrypted packets of information between varying participating hosts. The bad guy would have to know which Tor computers were used by you end to end, compromise those, then tackle the other encryption issues. Sounds like a pretty high bar to overcome, doesn't it?

Except that Tor software has vulnerabilities just like any other software. In one recent example, it was speculated that law enforcement agents used a privately known vulnerability to track and locate child pornographers. Moreover, I think the entire premise of Tor's anonymity through router obscurity is flawed.

The biggest advantage of using Tor is that your packets are randomly routed through "volunteer" computers all over the Internet. But Tor can't really guarantee that. Who's to say most of Tor's volunteer computers aren't owned by governments that want to keep a hand in?

If I was interested in invading Tor's privacy, I would create a very large cloud of computers that would make up most of Tor's network. They could even ensure that your traffic would only be routed on owned Tor computers by manipulating where future Tor packets go once they enter the owned segment. Even if Tor's software hasn't been manipulated, you can't trust it if the volunteer computers are owned and manipulated. They could make participating Tor clients do anything. (Tor experts, if you think I'm wrong, please message me and explain how Tor would prevent this.)

Of course, it's probably far easier just to break into the originating endpoint client, and government hackers are already very capable of that.

Reason No. 5: People make mistakes
A lot of people who think they've hidden themselves stumble sooner or later. Antimalware hunters have a pretty successful record of tracking malware writers back to their personal accounts, usually due to one small mistake that links account A to account Z. One friend, Brian Krebs, tells entertaining stories about following trails between private and public accounts. He's talking about guys who are making millions of dollars stealing money online and have every incentive to keep their private lives private.

Reason No. 6: You don't really know who you're talking to
Lastly, the person you're communicating with may already have been caught in some cyber sting and is using you as his ticket to a lesser sentence. A perfect example is Hector Monsegur, an Anonymous leader who lured several high-profile members to capture and incarceration. Monsegur not only helped the FBI nail Anonymous members, but he actively encouraged them to do more criminal hacking. Heck, one of the best arguments against guaranteed anonymity is how many of the Anonymous group's members have been arrested since law enforcement authorities started concentrating on them. You could build a new Wikipedia entry on it. At least half of them fell because of the reasons I've listed on this page.

If you want anonymity, that's great. Just don't think that you'll have guaranteed anonymity. Because you won't. My advice: If you need absolute anonymity, don't use the Internet. You're far better off using just about any other method of communication.

This story, "Anonymous is not anonymous," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at For the latest business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Microsoft's very bad year for security: A timeline