Surfing Posting Blogging


About this Surfing Posting Blogging Page
Support Status: stable
Difficulty: easy
Maintainer: HulaHoop

Introduction

Tor Browser is installed in Whonix by default to browse the Internet anonymously. Tor Browser is optimized for safe browsing via pre-configured security and anonymity settings that are quite restrictive. Users are recommended to read the Tor Browser chapter for tips on basic usage before undertaking any high-risk activities.

Anonymous File Sharing

Audio Recordings

It is possible for adversaries to link audio recordings to the specific hardware (microphone) that is used. It is also trivial to fingerprint the embedded audio acoustics associated with the particular speaker device; for example, consider ringtones and video playback in public spaces. [1] For these reasons it is recommended to follow the operational security measures in the Photographs section when sharing audio files.

This recommendation equally applies to any data that is recorded by each and every other sensor component, such as accelerometers. [2] The best way to defend against this threat is to deny all access to the hardware in question, while also avoiding the sharing of unencrypted data recorded by sensors. Similarly, it is inadvisable to share audio with third parties who have limited technical ability or who are potentially malicious.

Documents

Digital watermarks are a subset of the science of steganography and can be applied to any type of digital media, including audio, pictures, video, texts or 3D models. [3] In basic terms, covert markers are embedded into the "noise" of data which are imperceptible to humans: [4]

Digital watermarking is defined as inserted bits into a digital image, audio or video file that identify the copyright information; the digital watermarking is intended to be totally invisible unlike the printed ones, bits are scattered in different areas of the digital file in such a way that they cannot be identified and reproduced, otherwise the whole goal of watermarking is compromised.

A digital watermark is said to be robust if it remains intact even if modifications are made to the files. [5] [6] In addition to protecting copyright, another watermarking goal is to trace back information leaks to the specific source. A good countermeasure to this threat is to run documents through an optical character recognition (OCR) reader and share the output instead.

According to a talk by Sarah Harrison from WikiLeaks, [7] source tracing can also happen through much simpler techniques such as inspecting the access lists for the materials that have been leaked. For example, if only three people have access to a set of documents then the hunt is narrowed down considerably.

Redacting identifying information in electronic documents by means of image transformation (blurring or pixelization) has proven inadequate for concealing the intended text; the words can be reconstructed by machine learning algorithms. Solid bars are sufficient but they must be large enough to fully cover the original text. Otherwise, clues are left about the length of underlying word(s) which makes it easier to infer the censored text based on the sentence remainder. [8]

Photographs

Every camera's sensor has a unique noise signature because of subtle hardware differences. The sensor noise is detectable in the pixels of every image and video shot with the camera and could be fingerprinted. In the same way ballistics forensics can trace a bullet to the barrel it came from, the same can be accomplished with adversarial digital forensics for all images and videos. [9] [10] Note this effect is different from file Metadata that is easily sanitized with the Metadata Anonymization Toolkit.

Photo-Response NonUniformity

A camera fingerprint arises for the following reason: [11]

Photo-Response NonUniformity (PRNU) is an intrinsic property of all digital imaging sensors due to slight variations among individual pixels in their ability to convert photons to electrons. Consequently every sensor casts a weak noise-like pattern onto every image it takes and this pattern plays the role of a sensor fingerprint.

The reason for this phenomenon is all devices have manufacturing imperfections that lead to small variation in camera sensors, causing some pixels to project colors a little brighter or darker than normal. When extracted by filters, this leads to a unique pattern. [12] Simply put, the type of sensor being used, along with shot and pattern noise leads to a specific fingerprint.

The threat to privacy is obvious: if the camera reference pattern can be determined and the noise of an image is calculated, a correlation between the two can be formed. For example, recent research suggests that only one image is necessary to uniquely identify a smartphone based on the particular PRNU of the built-in camera's image sensor. [13] Major data mining corporations are starting to use this technique to associate identities of camera owners with everything or everyone else they shoot. [14] It follows that governments have had the same capabilities for some time now and can apply them to their vast troves of data.

There are methods to destroy, forge or remove PRNU, but these should only be used with caution. The reason is that, according to related research, spoofing sensor fingerprints in image files has proven non-trivial and easily defeated. [15] [16]

Operational Security Advice

This advice assumes the user wants to preserve their anonymity, even when publicly sharing media on networks that are monitored by the most sophisticated adversaries on the Internet. Always conduct a realistic threat assessment before proceeding. These steps do not apply for communications that never leave anonymous encrypted channels between trusted and technically competent parties.

Current Devices

  • It is almost a certainty that photos and videos have been shared from your current devices through non-anonymous channels. Do not use any of these devices to shoot media that will be shared anonymously.

Suitable Devices

  • Most users will probably want to avoid phones altogether and use tablets instead, but for most situations phones are a reasonable choice:
    • Buy a new Android phone with cash if possible.
    • Avoid other choices because a proprietary operating system is a nonstarter.
    • Users must flash a freedom and privacy-respecting ROM before using the camera. Be aware that the glorified corporate malware that comes pre-installed on the phone will leak a range of data to the cloud.

Safe Use

  • The camera must only be reserved for anonymous media.
  • Do not commit serious mistakes like taking "selfies" or photographing places or people associated with you.
  • Sanitize metadata with MAT before sharing photographs anonymously online.
  • Completely obscure faces with solid fills using an image manipulation program. Advancements in neural nets and deep machine learning make pixelated or gaussian blurred faces reconstructable. [17] [18]
  • Consider using the ObscuraCam app from The Guardian Project to protect the identities of protestors: [19]
    • It pixelates images using a technique resistant to facial reconstruction.
    • ObscuraCam also offers a full pixel removal "black bar" option.

Keystroke Fingerprinting

Keystroke biometric algorithms have advanced to the point where it is viable to fingerprint users based on soft biometric traits. This is a privacy risk because masking spatial information -- such as the IP address via Tor -- is insufficient to anonymize users. [20]

Users can be uniquely fingerprinted based on: [21]

  • Typing speed.
  • Exactly when each key is located and pressed (seek time), how long it is held down before release (hold time), and when the next key is pressed (flight time).
  • How long the breaks/pauses are in typing.
  • How many errors are made and the most common errors produced.
  • How errors are corrected during the drafting of material.
  • The type of local keyboard that is being used.
  • Whether they are likely right or left-handed.
  • Rapidity of letter sequencing indicating the user's likely native language.


A unique neural algorithm generates a primary pattern for future comparison. It is thought that most individuals produce keystrokes that are as unique as handwriting or signatures. This technique is imperfect; typing styles can vary during the day and between different days depending on the user's emotional state and energy level. [21]

Unless protective steps are taken to obfuscate the time intervals between key press and release events, it is likely most users can be deanonymized based on their keystroke manner and rhythm biometrics. Adversaries are likely to have samples of clearnet keystroke fingerprinting which they can compare with "anonymous" Tor samples. At a minimum, users should not type into browsers with JavaScript enabled, since this opens up this deanonymization vector. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.
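The following Python sketch is an added example, not code from this page or from any Whonix tool. It computes the hold and flight times described above from a constructed key log, then shows how re-timing each event with a random delay changes them. The delay model, the sample data and all function names are assumptions made for illustration.

```python
import random

# Constructed sample: (key, press_ms, release_ms) for someone typing "whonix".
SAMPLE = [("w", 0, 95), ("h", 180, 260), ("o", 330, 430),
          ("n", 520, 590), ("i", 700, 805), ("x", 860, 940)]


def timing_features(events):
    """Hold time = release - press of a key; flight time = next press - this release."""
    holds = [release - press for _, press, release in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds, flights


def delay_events(events, max_delay_ms, rng):
    """Re-time every press/release with a random delay of 0..max_delay_ms.

    Assumed model for illustration: an event is never emitted before the
    previously emitted event, so the order of key events is preserved.
    """
    flat = []
    for idx, (_, press, release) in enumerate(events):
        flat.append((press, idx, 0))    # kind 0 = press
        flat.append((release, idx, 1))  # kind 1 = release
    flat.sort()
    emitted = [[key, None, None] for key, _, _ in events]
    last_out = 0
    for t, idx, kind in flat:
        low = max(t, last_out)          # keep ordering
        out = rng.randint(low, t + max_delay_ms)
        emitted[idx][1 + kind] = out
        last_out = out
    return [tuple(e) for e in emitted]


def mean_abs_change(before, after):
    return sum(abs(a - b) for a, b in zip(before, after)) / len(before)


def timing_audit(events, max_delay_ms, seed=1):
    """Mean change (ms) in hold and flight times as seen by an observer."""
    delayed = delay_events(events, max_delay_ms, random.Random(seed))
    holds_0, flights_0 = timing_features(events)
    holds_1, flights_1 = timing_features(delayed)
    return (mean_abs_change(holds_0, holds_1),
            mean_abs_change(flights_0, flights_1))


if __name__ == "__main__":
    print("true holds/flights:", timing_features(SAMPLE))
    for max_delay in (0, 20, 100):
        print(max_delay, "ms max delay ->", timing_audit(SAMPLE, max_delay))
```

With a maximum delay of 0 the observer sees the true rhythm. Text pasted from an offline editor produces no per-key events at all, which is why the page recommends it.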

In addition, users must also disguise their linguistic style to combat stylometric analysis and be aware of mouse tracking techniques available to adversaries.

Mouse Fingerprinting

Mouse or cursor tracking occurs when software collects the positions of the mouse cursor and click data on the computer. While this can have benefits for web designers, it also poses a privacy (profiling) threat. Without explicit user consent or awareness, a range of data can be leaked via JavaScript, plug-ins or other software: [22]

  • JavaScript readily allows developers to track users' mouse movements by simply entering relevant code on the webpage. This has already been employed on high-traffic websites, such as search engines.
  • Similar to JavaScript, installed and enabled software modules (plug-ins) can track mouse movements.
  • Specific mouse tracking software can reveal:
    • Mouse location.
    • Time stamps.
    • Mouse clicks.
    • A mouse cursor hovering over embedded links and its duration.
    • The amount of time spent in certain webpage areas.
    • Heat maps.
    • Full playbacks which retrace the mouse's trajectory.

For a practical example of deanonymization, consider a user who regularly uses both clearnet and Tor with JavaScript enabled. Individuals have distinctly unique characteristics associated with mouse movements and mouse clicks. Therefore, if these research methods are used in the public domain, supervised learning methods are likely to "learn" the typical behavior of individuals. Over time, it may be possible to link "anonymous" activities with the known profile of a clearnet user with a high degree of probability. [22] [23]

Stylometry

Whonix does not obfuscate a user's writing style. Consequently, unless precautions are taken (see below), users are at risk from stylometric analysis based on their linguistic style. Research suggests only a few thousand words (or less) may be enough to positively identify an author and there are a host of software tools available to conduct this analysis.

This technique is used by advanced adversaries to attribute authorship to anonymous documents, online texts (web pages, blogs etc.), electronic messages (emails, tweets, posts etc.) and more. The field is dominated by A.I. techniques like neural networks and statistical pattern recognition, and is critical to privacy and security. Current anonymity and circumvention systems are focused on location-based privacy, but ignore leakage of identification via the content of data which has a high accuracy in authorship recognition (90%+ probability). [24]

There are multiple ways to conduct statistical analysis on "anonymous" texts, including: [24] [25]

  • Keystroke fingerprinting, for example in conjunction with Javascript.
  • Stylistic flourishes.
  • Abbreviations.
  • Spelling preferences and misspellings.
  • Language preferences.
  • Word frequency.
  • Number of unique words.
  • Regional linguistic preferences in slang, idioms and so on.
  • Sentence/phrasing patterns.
  • Word co-location (pairs).
  • Use of formal/informal language.
  • Function words.
  • Vocabulary usage and lexical density.
  • Character count with white space.
  • Average sentence length.
  • Average syllables per word.
  • Synonym choice.
  • Expressive elements like colors, layout, fonts, graphics, emoticons and so on.
  • Analysis of grammatical structure and syntax.


Fortunately, research suggests that if users purposefully obfuscate their linguistic style or imitate the style of other known authors, this is largely successful in defeating all stylometric analysis methods, so that they are no better than randomly guessing the correct author of a document. However, automated methods like machine translation services do not appear to be a viable method of circumvention. [24]
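As an added example (not part of the original page and not taken from any stylometry tool), the Python sketch below lets an author self-check a draft against their own known writing using a few of the features listed above. The function-word list, the three texts and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Short illustrative list (an assumption); real analyses use far more words.
FUNCTION_WORDS = ("the", "of", "and", "to", "a", "in", "that", "is", "it", "but")

# Constructed texts: known public writing, the same style on a new topic,
# and a draft with deliberately restructured sentences.
KNOWN = ("I think that the router is fine, but the firewall is not. "
         "It is the logging that worries me.")
DRAFT_NEW_TOPIC = ("I think that the proxy is slow, but the bridge is not. "
                   "It is the latency that bothers me.")
DRAFT_REWRITTEN = ("Proxy speed seems poor. Bridge speed seems okay. "
                   "Latency remains my main concern.")


def features(text):
    """Extract a handful of the stylometric features named in the list above."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[a-z']+", text.lower())
    counts = Counter(words)
    total = max(len(words), 1)
    feats = {
        "chars_with_whitespace": len(text),
        "avg_sentence_length": len(words) / max(len(sentences), 1),
        "unique_words": len(counts),
        "type_token_ratio": len(counts) / total,
    }
    for word in FUNCTION_WORDS:
        # Relative frequency, so texts of different length are comparable.
        feats["fw:" + word] = counts[word] / total
    return feats


def function_word_distance(text_a, text_b):
    """Sum of absolute differences between function-word frequencies."""
    fa, fb = features(text_a), features(text_b)
    return sum(abs(fa["fw:" + w] - fb["fw:" + w]) for w in FUNCTION_WORDS)


def style_audit(known, draft):
    """How far a draft sits from the author's known writing (0 = identical)."""
    fk, fd = features(known), features(draft)
    return {
        "function_word_distance": function_word_distance(known, draft),
        "sentence_length_gap": abs(fk["avg_sentence_length"]
                                   - fd["avg_sentence_length"]),
        "type_token_gap": abs(fk["type_token_ratio"] - fd["type_token_ratio"]),
    }


if __name__ == "__main__":
    print("new topic :", style_audit(KNOWN, DRAFT_NEW_TOPIC))
    print("rewritten :", style_audit(KNOWN, DRAFT_REWRITTEN))
```

Changing only the topic words leaves the function-word profile and sentence length identical, while the restructured draft moves on every measured feature.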

Tips for Anonymous Posting and Blogging

Whonix-Workstation contains all necessary tools to run a blog anonymously. Some hints:

  • Step 0. Before doing anything make sure you understand and exercise a healthy dose of Operational Security (OpSec). Even the best anonymity tech in existence cannot save you if you mess this up.
  • For an anonymous blog hosted on third-party services, you will usually need a new and anonymous e-mail address (see separate E-Mail article) for registration. Partition your activities and use this address only for your blog. Always use Tor to log in to this e-mail account.
  • You may register your blog at different providers anonymously. For example, you could use https://wordpress.com/. Always keep in mind the option to pay anonymously (e.g. via Bitcoin or cash cards such as Paysafecard) if you are using a premium product. (See Money page.) Note that cash card codes differ by country and could theoretically also contain an ID that specifies the shop in which they were bought. Usually you can administer your blog using a web interface only. Always use Tor for all activities concerning your blog.
  • A browser is not a safe environment for writing text such as forum posts or e-mails, webmail or IMAP.
    • You could accidentally paste things you don't want to paste, for example into the search or URL bar, which could trigger a search for text that you did not intend to send to the public internet.
    • With JavaScript enabled, user behavior can be tracked and profiled. Tor Browser defenses are based on skewing JavaScript's perception of time. [26] [27] Kloak, a system-wide solution for keystroke and mouse profiling, is currently in progress.
      • It reveals how fast you type, how long your breaks are, [28] which mistakes you make and how you correct them while writing the draft, and also which type of local keyboard you are using.
      • Mouse tracking [29] analyzes your click speed and the position and speed of cursor movement, which are unique to each person as they interact with webpages. [27]
    • Combined with stylometry, which works with less data (final text only), keystroke fingerprinting will completely de-anonymize you. An adversary can collect statistics about a user's typing over clearnet and then compare them to texts composed over Tor in real time.
    • Write the text in an offline text editor such as KWrite and copy and paste the text into the web interface once you are done.
    • This is a variation of an older attack perfected during the Cold War, in which recording typewriter sounds gives enough information to accurately reconstruct what was typed. This still applies today and you should avoid typing in places where open mics are used. [30] [31]
  • Mouse movements are potentially another biometric fingerprint. High accuracy is achieved only in limited situations, namely active authentication during log-on. It does not meet EU false positive requirements, however, so it is recommended for combining with keystroke dynamics as extra confirmation. [32] [33] [34] It is good practice to keep JS disabled.
  • Mind your cookies! Remember to empty your browser's cookie and history cache periodically. When you are using Tor Browser, which is recommended for many reasons anyway, simply close Tor Browser after you are done working on your blog, then restart it. For more advanced separation use Multiple Whonix-Workstations.
  • Attention should be given to the password-retention policy of the browser. If the browser supports a master password that encrypts every password it saves, use that feature. It is however best not to save your blog password in the browser.
  • Every blog software offers the option to select the point in time when new postings shall be published. Do not publish a new posting "at once" but rather choose a point in time when you are not online anymore. [35]
    • Over time, pseudonymous activity can be profiled to give an accurate estimate of your timezone and reduce your anonymity set. Try to restrict your posting activity to a fixed time that fits the daily activity pattern of people across many places.
  • Stylometry (deanonymization using your spelling style) is a powerful tool long used by intelligence services. It is possible to automatically analyze and attribute anonymous postings to an author. Countermeasures such as faking one's authorship style can work.
  • Use a spell checker to confuse Stylometry a bit. You could use KWrite. To start it, use Start menu button -> Applications -> Utilities -> Text Editor (KWrite). Once KWrite is open, click on Tools -> Automatic spell checking. Mistyped words will be underlined with red color.
  • Use random usernames and passwords for anonymous accounts. The pwgen tool included in Whonix produces output whose length, capitalization, special symbols and numbers you can customize. It is reliable enough that it is used by the Debian Installer to recommend stronger passwords.
  • Generally, pictures and other documents must be anonymized before they are uploaded to the blog. Usually, pictures contain a unique camera ID in the meta tags, which may deanonymize you, and perhaps GPS (location) coordinates. See Metadata for more information. See also #Anonymous Photo Sharing below.
  • Avoid places where people are likely to shoulder surf or where CCTV cameras are deployed.
  • Though less of a threat in the real world, thermal imaging can capture the body heat that remains on keys touched to input passwords, up to one minute after the fact. [36]
  • Depending on your situation, you are advised to keep your speakers and microphone shut off at all times, as newer methods of ad tracking can link multiple devices via ultrasound covert channels. This works by playing a unique sound inaudible to human ears which is picked up by the microphones of untrusted devices, deanonymizing you completely. Watermarked audible sounds are equally dangerous, so hardware incapable of ultrasound is ineffective protection. To decrease risks, it is recommended to play video/audio from untrusted sources with headphones connected and adjusted at a low volume. [37] [38] [39]
    • For higher computing assurance you are advised to move all phones, tablets etc. out of the room to avoid them issuing watermarked sounds as well as listening to keystroke sounds and watermarked sounds.
  • Another keystroke snooping technique involves a WiFi signal emitter (router) and malicious receiver (laptop) that detects changes in the signal that correspond to movements of the victim's hands on their keyboard. [40] The attack has many limitations in the real world that make it impractical and susceptible to noise, but it is important to keep in mind that public places are generally more risky computing environments. An attack variant using USRP (cellphone radio ranges) has performed poorly because of background energy interference.
  • Energy leaks that reveal sensitive information are a long studied area of cryptography research. There is no need for alarm as all attacks were foiled by software countermeasures in crypto libs and GPG. Side-channel research: Extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle.[41] Another involves measuring acoustic emanations. [42] A poor man's implementation of TEMPEST attacks (recovering crypto keys by measuring EM emissions) using $3000 worth of equipment was proven possible from an adjacent room across a 15cm wall. These attacks were only possible for adversaries with nation-state resources for the past 50 years.[43] Keep in mind this is still a highly targeted attack that requires dedicated and skilled attackers and not a drag-net surveillance threat.
  • The coil whining of LCD screens is unique enough to give away the information on your screen as reconstructed by machine learning applied on wiretapped data.[44] Don't make/take calls in a room where you're doing anonymous surfing. Close Orfox and other sensitive docs open on your phone before calls.
  • Google's CAPTCHAs fingerprint your behavior. Disable JS if you absolutely must solve one. [45] CAPTCHAs also directly enhance militant drone strike capabilities. [46]
  • In most cases you can bypass Tor blocks by destination servers using simple proxies.
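The posting-time advice in the list above can be checked against your own publishing history. The Python sketch below is an added example, not part of the original page; it finds the longest daily window with no posts, which is the pattern that narrows down a timezone. The timestamps and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed publication times (UTC) of posts published right after writing.
IMMEDIATE = [
    "2024-03-01T06:40:00+00:00", "2024-03-01T19:12:00+00:00",
    "2024-03-02T21:55:00+00:00", "2024-03-03T12:30:00+00:00",
    "2024-03-04T07:05:00+00:00", "2024-03-05T20:41:00+00:00",
    "2024-03-06T18:20:00+00:00", "2024-03-07T13:02:00+00:00",
]
# Constructed: the same posts scheduled for one fixed time of day.
SCHEDULED = ["2024-03-0%dT14:00:00+00:00" % day for day in range(1, 9)]


def hour_histogram(timestamps):
    """Count posts per UTC hour of day."""
    return Counter(
        datetime.fromisoformat(t).astimezone(timezone.utc).hour
        for t in timestamps
    )


def active_hours(timestamps):
    return sorted(hour_histogram(timestamps))


def longest_quiet_window(timestamps):
    """Return (start_hour_utc, length_in_hours) of the longest run of hours
    with no posts, treating the day as circular (23:00 wraps to 00:00)."""
    hist = hour_histogram(timestamps)
    active = [hist.get(h, 0) > 0 for h in range(24)]
    if not any(active):
        return (0, 24)
    best_start, best_len = 0, 0
    run_start, run_len = None, 0
    for i in range(48):              # two laps cover runs that cross midnight
        hour = i % 24
        if active[hour]:
            run_start, run_len = None, 0
            continue
        if run_start is None:
            run_start = hour
        run_len += 1
        if run_len > best_len:
            best_start, best_len = run_start, run_len
    return (best_start, best_len)


if __name__ == "__main__":
    for name, data in (("immediate", IMMEDIATE), ("scheduled", SCHEDULED)):
        print(name, "active hours:", active_hours(data),
              "quiet window:", longest_quiet_window(data))
```

In the constructed immediate-posting history the quiet window (22:00 to 06:00 UTC) looks like a sleep pattern, while the scheduled history shows only the one hour that was chosen.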

Footnotes

  1. Do You Hear What I Hear? Fingerprinting Smart Devices Through Embedded Acoustic Components
  2. Mobile Device Identification via Sensor Fingerprinting.
  3. For detailed information on this topic, see: Steganography and Digital Watermarking.
  4. https://www.daoudisamir.com/steganography-and-watermarking/
  5. https://en.wikipedia.org/wiki/Digital_watermarking
  6. Notably the watermark does not change the size of the carrier signal.
  7. Missing footnote.
  8. On the (In)effectiveness of Mosaicing and Blurring as Tools for Document Redaction
  9. http://dde.binghamton.edu/download/camera_fingerprint/
  10. Fingerprintable Camera Anomalies
  11. https://www.slideshare.net/justestadipera/digital-image-forensics-camera-fingerprint-and-its-robustness
  12. https://www.futurity.org/smartphones-cameras-prnu-1634712-2/
  13. The error rate is less than 0.5%.
  14. https://www.google.com/patents/US20150124107
  15. Sensor Noise Camera Identification: Countering Counter-Forensics
  16. Anonymizing the PRNU noise pattern of pictures remains a promising area of research.
  17. https://github.com/david-gpu/srez/blob/master/README.md
  18. Defeating Image Obfuscation with Deep Learning
  19. https://lists.mayfirst.org/pipermail/guardian-dev/2016-September/004895.html
  20. https://github.com/vmonaco/keystroke-obfuscation
  21. https://en.wikipedia.org/wiki/Keystroke_dynamics
  22. https://en.wikipedia.org/wiki/Mouse_tracking
  23. This deanonymization technique is likely to succeed, since it is already used to lock persons out of secure accounts (pending identity verification) when their monitored behavior significantly deviates from behavior that has been learned.
  24. https://www.cs.drexel.edu/~sa499/papers/adversarial_stylometry.pdf
  25. https://en.wikipedia.org/wiki/Stylometry
  26. https://trac.torproject.org/projects/tor/ticket/19186
  27. User Behavior

    While somewhat outside the scope of browser fingerprinting, for completeness it is important to mention that users themselves theoretically might be fingerprinted through their behavior while interacting with a website. This behavior includes e.g. keystrokes, mouse movements, click speed, and writing style. Basic vectors such as keystroke and mouse usage fingerprinting can be mitigated by altering Javascript's notion of time. More advanced issues like writing style fingerprinting are the domain of other tools.

  28. https://en.wikipedia.org/wiki/Keystroke_dynamics
  29. https://en.wikipedia.org/wiki/Mouse_tracking
  30. https://freedom-to-tinker.com/2005/09/09/acoustic-snooping-typed-information/
  31. https://www.schneier.com/blog/archives/2016/10/eavesdropping_o_6.html
  32. User re-authentication via mouse movements
  33. On Using Mouse Movements as a Biometric
  34. http://www.cs.wm.edu/~hnw/paper/ccs11.pdf
  35. This will trick smaller adversaries, who can not force the blog service provider to reveal the fact, when and for how long you log in. It won't trick the blog service provider nor someone recording all internet traffic.
  36. https://www.schneier.com/blog/archives/2018/07/recovering_keyb.html
  37. https://www.schneier.com/blog/archives/2015/11/ads_surreptitio.html
  38. https://www.newscientist.com/article/2110762-your-homes-online-gadgets-could-be-hacked-by-ultrasound/
  39. https://trac.torproject.org/projects/tor/ticket/20214
  40. Keystroke Recognition Using WiFi Signals
  41. Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation
  42. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
  43. CDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
  44. https://arstechnica.com/information-technology/2018/08/researchers-find-way-to-spy-on-remote-screens-through-the-webcam-mic/
  45. http://scraping.pro/no-captcha-recaptcha-challenge/
  46. https://joeyh.name/blog/entry/prove_you_are_not_an_Evil_corporate_person/

License

Gratitude is expressed to JonDos for permission to use material from their website. The Surfing, Posting, Blogging page contains content from the JonDonym documentation Surfing and Blogging page.



Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.