The Hacker Mind Podcast: Hacking the Art of Invisibility
In the book The Art of Invisibility, I challenged my co author Kevin Mitnick to document the steps needed to become invisible online. There are a lot .
In this episode, I'm going to discuss how hard it is to be absolutely invisible online. How there are always breadcrumbs and fingerprints left behind that could potentially identify you. That said, there are some steps that you can take to obfuscate your online presence and to eliminate those breadcrumbs in the first place. And as for staying invisible, well, at some point, it's only human that we sometimes fail.
Vamosi: One sunny morning in 2013. In the very quiet science fiction section of the Glen Park Public Library in San Francisco. Ross William Ulbricht was arrested for, among other things, being the administrator of Silk Road. Perhaps you've heard about Silk Road, the online drug Emporium it was located on the dark web, meaning you had to use a special browser, the onion router or Tor to access it.
As you know, I don't really talk about criminal hackers on the hacker mind. I mean, there are so many positive stories about people who are hacking for a living and doing good things because of it. Why glorify the criminal hackers? I mean, they’re criminals, right?
SO I only mention Ross Ulbricht in talks because I use him as an example of an Operation Security, or OpSec failure. Operational Security is typically a military process. It was first used during the US Vietnam War in the late 1960s. It's a process of protecting critical information through encryption and being aware of the potential for eavesdropping on conversations.
US Army Video: Operations security or OpSec, preserves the effectiveness of military capabilities and keeps potential adversaries from discovering our critical information. Critical information must be protected to ensure the enemy does not gain a significant advantage over our soldiers. The elements of secrecy and surprise are vital to the accomplishment of our missions, and the protection of our soldiers. Soldiers, family members, civil servants and contractors should be aware that the enemy obtains sensitive information from a variety of sources, including casual conversations, publications, and even social media. Maintaining OpSec is everyone's responsibility.
Vamosi: Within InfoSec there's an informal use of AppSec as well. It's basic privacy hygiene. And some hackers have done a great job of keeping their private lives private, known online only as their handle or nickname. Such as Dread Pirate Roberts, a name taken from the movie The Princess Bride.
Dread Pirate Roberts: Roberts has grown so rich he wants to retire. So he told me to as Kevin told me see I'm not Dread Pirate Roberts. My name is Ryan. I inherited the ship from the previous strep II Robinson. This is you inherited from me that I inherited from was not real Dread Pirate Roberts he his name was come above. The real Roberts has been retired 15 years and living like a king and then he explained the names The important thing for inspiring, unnecessary. You see, no weapons rendered the Dread Pirate Westly sailed ashore toward an entirely new crew and he stayed aboard for wireless first mate for the time calling me Roberts once the crew believed he left the ship and I had been Roberts ever since.
Vamosi: Use of this nickname was clever. It implied that ownership of Silk Road could be transferred from one person to another. The administrator for the site would always be Dread Pirate Roberts, but different people could assume that identity over time. We know that wasn’t the case. Ulbricht was the only DPR; he neither inherited from others (which was his story to the feds) nor did he hand it off to another person (the Feds shut him down).
Actually, the real hero of this story wasn't within the FBI. In 2013, we only knew that someone calling themselves Dread Pirate Roberts was running the site. It took the curiosity of an IRS agent named Garry offered, who had been running some Advanced Google searches, to see if Dread Pirate Roberts had ever slipped up and revealed something of himself. And he had.
In 2011, there a was user in a chat room by the name of altoid, like the mint. Altoid asked a question and in his post mentioned the name Silk Road, only the site had not launched yet. Anyone talking about it in 2011 most likely had inside information. So Alford started his search for other references to this Altoid. And he found some.
Apparently, Altoid had posted another question to another chat group, but then deleted the original message. However, on the internet, nothing is truly deleted. And sure enough, Google pulled up the response to the now deleted query, and it contained the original message. And in that original message Altoid had asked if anyone could answer his question, to respond to firstname.lastname@example.org
The slip up was enough for law enforcement to unravel a carefully constructed web of deception. Had it worked, it might have been brilliant. Yet despite the meticulous care, invisibility is virtually impossible for anyone to maintain for any length of time. Or is it? In a moment we'll find out what steps you need to take to be truly anonymous online … and there are a lot of them.
Welcome to the hacker mind that original podcast from for all secure it's about challenging our expectations about the people who hack for a living. I'm Robert Vamosi. And in this episode, I'm going to discuss how hard it is to be absolutely invisible online. How there are always breadcrumbs and fingerprints left behind that could potentially identify you. That said, there are some steps that you can take to obfuscate your online presence and to eliminate those breadcrumbs in the first place. And as for staying invisible, well, at some point, it's only human that we sometimes fail.
When writing the book The Art of Invisibility, I challenged my co author Kevin Mitnick to document all the steps that you would need to become invisible online. And there are a lot of them. Kevin, you should know, spent years hiding from the FBI living under different names in different cities. This was before the commercial internet when it was easier to forge documents to create new identities today. Not so easy.
So in this episode, it's not really a handbook for criminal hackers or want to be terrorists, brother this is a purely academic exercise. I mean, how hard is it to be invisible online. A lot of the examples will be from drug lords if only because they represent the extreme -- they need to operate in the shadows. And they also demonstrate my point, that we’re only human, and at some point we’ll slip up and fail. And for these drug lords, failure means a life in prison.
And a lot of your own success or failure with anonymity will stem from your personal threat model. Everyone is different, and every circumstance is different as well. So privacy in my opinion, is on a sliding scale. I've known people who are very open about their social security numbers. Don't do that. And others who shred and hide as much as they can. So just who are you hiding from? Here?
I want to mention that if you're actively being stalked online, or if you're in an abusive personal relationship, I encourage you to go back and listen to episode 30, where Lodrina Cherne and Martjin Grooten offer resources available to mitigate those circumstances.
And I’m not talking about services that can quote remove your buddy’s Instagram photos where you are tagged doing something Not Safe For Work. Those reputation services basically help you push those images farther down in search results, and in some cases can help you get them removed as much as you can remove something from the internet.
What I’m talking about is making choices that help you become more anonymous line. Some would argue why bother, there's really so much out on line today. But I view internet privacy differently. It's like choosing to go organic to stop and think about the food we're eating every day where it came from. I'm thinking more about the long tail when I choose to do something online. Do I want this activity to be traced? Am I concerned that this will be logged somewhere or should I be concerned that it will be logged somewhere?
In my personal life, I'm not hiding from the law. But I am using DuckDuckGo as my searches aren't logged on that search engine. And as a writer, I think a lot of crazy searches so it's better that one doesn't keep track of all the places that I go for an article or a book. It's crazy. Additionally, my location is turned off and I only use location when it's absolutely necessary on my phone. I keep my Bluetooth off and again only when absolutely necessary. And I use a VPN that doesn't log my websites. I do this not because I'm hiding but for a degree of privacy. I know that in the greater scheme that I'm not capable of the due diligence required to be invisible, and I get that. But again, I feel some comfort in knowing that I can control but I can. Again, this is an academic look at all the steps that would be required to become invisible online.
In the book The Art of Invisibility, Kevin and I came up with some guiding principles such as:
You need to remove your true IP address. This is your point of connection on the internet, your fingerprint, it can reveal where you are down to the physical address where you are using the device. Which leads us to the second point.
Obscure your hardware and software. When you connect to any website online, a snapshot of the hardware and software being used is given to the website. And If someone were to scan or otherwise view a log from your router, they can tell whether you use a desktop, a laptop, a tablet, or mobile device or a TV or refrigerator. They can do so using the device media access control address or MAC address. That’s the hardware. The browser software tells the website what version of the operating system you're using, and sometimes what other software you have running on your desktop or mobile at that time.
Finally, attribution online is hard, don’t make it easy. What this means is that proving that you were at the keyboard when an event occurred. is often difficult. However, you can make that attribution easier. if you walk in front of a camera before going into that Starbucks or you just bought your latte at Starbucks with your credit card, these actions can all be linked back to you a few minutes later.
So it sounds easy to become anonymous online. Just observe those basic rules, right? Well, now it's a little more complicated than that. A lot more complicated in fact.
First, we're really going to have to eliminate any way to trace your activities back to who you are. And for that you're going to need new equipment. The laptop now the mobile you have in your hand. These are associated with you in a number of different ways. It's complex, and it's impossible to clean these devices. So we're going to start with a clean slate. You're going to need a new laptop and you're going to need a new mobile phone. We'll get to the email addresses and phone numbers in a moment. And it goes without saying that you also need tablets and other things if that's important to you. But at a minimum, let's agree that you're going to need a new laptop and a new phone so how do you go about doing that? Well, you can't order these online. Nor can you physically go in and buy these in the store. Wait, why? Well, there are cameras and there are witnesses and you can't just pay with your credit card. That's traceable. So you're going to need cash. And upfront, you're going to need lots of cash. So let's start with some cash. For the moment. This can be from your personal checking account or business account. I mean, it's a withdrawal. It could be for anything. And and a little bit. We'll talk about the need to convert your physical cash into something a bit more private. But for now, cash is good. So laptops are relatively easy to get. A plain laptop in the store can run you about $500 for the basic level. The Chromebook is about $200 Now, the Chromebook however, is going to require you to log into your Gmail account and hiding that is a bit beyond the skill level in this episode. So let's agree. Let's just get a plain laptop. Phones are trickier. You want what's called a burner phone. These are phones that don't require any long term contracts, and often no personal information at all. You pay for these with cash because they don't have a contract. You'll also need to purchase phone cards. Although the burner phone numbers are reported and known to law enforcement, they are relatively untraceable and we'll get to that in a moment. Okay, so how do you purchase these? So you'll need to find yourself what's called the cut out. A cut out is simply someone you don't know. You really don't even have a connection to in any way. Who will do the physical purchasing for you. Say you meet someone in a parking lot or a park and you say go around the corner and buy this burner phone for me. And then you give them the cash for the transaction and you promise them more when they return. Yes, there's a chance they won't come back. So this could prove to be a very costly first step. It's hard to trace back and that's the whole point. If you have one cut out getting you have cell phone then you'll need another cut out to go to the store and buy you a laptop
This is very important. I know that whenever I get a piece of new technology, I'm all excited. I unbox it and I want to power up as soon as I can. Don't. As soon as you turn on the laptop, it will try and connect to your local Wi Fi. And if you're at home, if you've just inadvertently associated your nice clean laptop with their home Wi-Fi, don't turn on your laptop anywhere near your home. Now, this won't necessarily identify you, say to the police. These logs are kept on the router itself physically on the router. But if the police ever suspect you for some reason of a crime, they can use your home Wi-Fi as an identifier to link you to the laptop that was doing some crime online. One of the pieces of information caught by your Wi Fi router is your MAC address. This is a string of hexadecimals that uniquely fingerprints your device. It's cool because the first eight architects are the manufacturer Samsung and the rest of them are unique for your particular device. Well guess what? You can change that. So remember, each time you go online to manually change your MAC address. I'm only suggesting you do that if you want to truly be invisible. You don't need to go that far. If you're not breaking the law. If you're just hiding another caveat do not power up your burner phone as well. Why? Well when you power of the phone, it immediately pings the local cell towers, just as your laptop as your MAC addresses your phone as an International Mobile Subscriber Identity or MC. And that is a 24 bit number that uniquely identifies every user of every self network. Now your MC for your new burner phone is logged and can be later geo located by looking for traces of it on the cell towers. I realized too that this occurs after the fact. I mean somebody would have to be looking for your specific burner phone. But unlike your home router, this can be done externally. It can become an issue if the police or someone are actively trying to identify you.
One of my favorite examples of OpSec failure using mobile phones is that of a known drug dealer, Pat Barbaro. One afternoon in 2007, a container loaded with drug ecstasy went missing from a port in Melbourne, Australia. It was worth about $500 million. Barbaro, the owner of the container, is said to have reached into his pocket and pulled out one of his 12 mobile phones to find out what happened to his shipment. As we will see, having twelve different burner phones didn't work very well for Barbaro.
Burner phones despite what many people think are not truly anonymous. Under a US law all Mzs connected with burner phones are reported just like those from major carriers; in other words, law enforcement could use this list to spot burner phones from a log file just as easily as a registered phone. Well it wouldn't necessarily identify who owned the burner phone. patterns of usage might reveal themselves later.
in Australia where law saw a set of burner phone numbers appear more often than not together with one personal phone, one that was registered and could lead authorities to the individual who owned it..
See the problem with Barbaro having so many mobile phones at its disposal was that no matter which phone he used, personal or burner, as long as he stayed in that same exact spot, it would hit the same exact set of cell towers so the burner phone calls will always appear next to the registered phone call on the cell tower log files. The one in his name with the carrier is entirely traceable, and later helped law enforcement identify the user. It would establish a solid case against Barbaro particularly if his pattern repeated in other locations, which it did. This helped Australian authorities to build a strong case and convict rebars of orchestrating one of the largest ecstasy shipments in Australia's history.
Alright, so pay someone to buy a laptop to pay someone to buy a burner phone, two different people. Do not power either of these on in your home or office. And do not bring your personal mobile wherever you plan to use your burner phone. All that seems like a lot to remember and it is and it requires very good hygiene day to day. You almost have to put on your new identity the minute you walk out of your home or office. Problem is we still haven't really gotten happy online. Alright, so what do we have? We have cash used to buy physical devices. And now we need virtual cash to obtain services online. As I said, cash is good at the start. So you could start with physical gift cards available at the convenience stores. Gift cards such as vanilla Visa cards are a great way to get cash online anonymously. Again, you will need to find someone in a public park or a parking lot. Who is willing to go to the store and make that purchase on your behalf. Start with a prepaid card, walk up to a cutout and say hey, I don't want my girlfriend or my ex boyfriend to see me. So here's 100 bucks, perhaps that person will do that. Now, have another person go in and do the same thing. For another 100 bucks and another 100 bucks. Do this a few times. The temptation is there but do not purchase refillable cards. Here's why. You'll have to provide your real identity per the US Patriot providing made up name, made up birthday and made up Social Security. Number is against the law and therefore it is not recommended. So get instead a plain vanilla Visa card for that you're going to pay a small penalty of 3% At the time of purchase if you're in the EU in the book Kevin has some suggestions on how to get your own anonymous gift cards outside of the United States. So we talked about not using your new laptop with your home Wi Fi. So you want to go someplace else. And we talked about your phone connecting to various cell towers. Again, you want to go someplace else and leave your personal cell phone behind. So you're going to seek out some free Wi Fi in a parking lot of a major store or coffee shop. A word of caution. Cameras, be sure your car isn't unkempt. Your license plate anything that's identifiable about you or the car that's a problem. And if you go into the cafe, just don't connect online. Maybe instead sit outside away from the windows or behind the cafe or the dumpsters are a lot of Wi Fi signals carry so you don't want to be on camera at Starbucks. Okay? So once again, we still
In most cases, when signing up for free Wi-Fi, you might be asked first for an email address as you accept their terms and conditions. So you can fake one like something calm. However, some systems are savvy now and they might require you to respond from that fake email address. Oops. Another thing you can do though, until you get a new anonymous email address is tether your burner phone, if that's even possible, although you might burn through all the data that you just purchased on a card. So once again, this would be something that you would do only until you get your new identity online. And then you can just use your email address to log into Starbucks.
Before you go and burn one of the gift cards in order to pay for a new email address service, you probably need to think about your new identity. End to End. How is the new identity going to get different from your real identity? Remember Dread Pirate Roberts? you’ll want to give your new identity some thought before signing up with your new laptop and mobile.
Often, undercover agents will use their real first name to change everything else. Think about that. If I were in a room and somebody shouted at Robert, I'd probably turn around and become a habit. So consider that. But with an email address, you can be more creative. So you don't have to do a variation of your own identity. And this isn’t a physical representation, so you could change your gender. You could change your ethnicity. You can be creative.
Now remember those Visa cards that you had the cut out to get? We’re going to use one of them to pay for an email service provider. What about Gmail, it’s free? Well, you don't want to be using Google because you've got to provide a lot of information. In the book Kevin has some really good suggestions for email alternatives.
Basically, you want an anonymous email service so you want to pay with your gift card. Find an email provider that allows you to sign up without SMS validation or sign up with a Skype number or your prepaid card first. In other words, Google isn't probably going to be anonymous, so you're going to need to pay another caveat. Don't use familiar passwords seriously. If you want nothing to connect back to you choose an entirely new set of passwords. In the book Kevin recommends using a password manager; that way your new identity has its own set of passwords.
So now each time you use your burner laptop or your burner phone, you have to become that person or that nickname. Here's where it starts to break down the muscle memory of going into your familiar email address. When slip and you have to start the process over again. That means a new burner phone, a new laptop. So you've really got to be diligent about not using your familiar email and social media. Oh man, you cannot use Instagram, you cannot use Tik Tok. Or if you do, you need to sign up with your new email address and your new persona. But then again, do not use either the email address or the social media to contact the real you. Really the whole point of this exercise, the whole point of getting the burner laptop and the burner phone was to distance you from who you really are. Sending an email to yourself or liking a particular post. Not a great idea. Not a great idea. All right, to go online. You're also not just going to go online, you're going to use a special browser you're going to use Tor. There's also ITP but we're going to use the onion router or Tor. Why use TOR instead of Firefox or chrome?
TOR: Right at this moment, if someone attempts to look you up, they will see your real identity, precise location, operating system. All this site you have visited the browser you used to surf the web, and so much more information about you and your life, which you probably didn't just share with unknown strangers who could easily use this data to exploit but not if you're using. Tor Browser protects our privacy and identity on the internet. Core secures your connection with relay or that encryption and passes it through three voluntary operated servers around which enables us to communicate anonymously over the internet. Tor also protects our data against corporate or government targeted and mass surveillance. Perhaps you live in a repressive country which tries to control and surveil the internet. Or perhaps you don't want big corporations taking advantage of your personal information.
Vamosi: So, to explain it a bit more detail, you use Tor to connect to the first proxy, which then uses Tor encrypted network to find a second proxy, and that finds a third proxy or the exit proxy. The proxy could be in a foreign country. So now when you use DuckDuckGo to reach out to a web address, that address sees the IP address for the third proxy and not you. And the TOR network periodically refreshes so you’re constantly obfuscating your true internet address.
There have been some stories about law enforcement successfully backing out exit proxies to find the original IP address. But again, this is an academic exercise. We're not trying to evade law enforcement only to see whether or not someone can be anonymous online. And for the moment, Tor will be sufficient to mask your identity online. For that you're going to need cryptocurrency. Remember those cash cards that your cutouts bought for you? Here's when you buy some cryptocurrency and set up a wallet. use Tor to set up the wallet
All right. Once you've set up an anonymous email account and you've set up your first cryptocurrency wallet, set up a secondary cryptocurrency account. This is yet another obstacle if someone wants to trace back your financial transactions. This is cryptocurrency laundering. And there are some services out there. They're known as tumblers. And well it's not impossible to decipher where those transactions on the blockchain came from. It would just take a long time because what tumblers do is they mix a lot of transactions together and artificially create noise. Okay, so you've got some cryptocurrency in your wallet, and you've got a non traceable email address. You need a VPN. You want a VPN that doesn't log transactions. There are some but they're hard to find. But once you find one that is anonymous enough for your purposes, then you're going to pay with your cryptocurrency or yet another Visa gift card. So you have an anonymous laptop, you have a burner phone, you're using open Wi Fi out of camera range, you have cryptocurrency accounts, your wallet and you have an anonymous email address. And you're using Tor as a VPN. That's a lot to juggle every time you want to go online. Now if you slip up say you type in your legitimate email address or you use an account that you send something to your legitimate email address or your burner phone to call your own home phone number. Check your messages. Well, something then under the rules here. You need to start over and I mean, start over. Like you're going to need cash. You're going to need new cutouts. You're going to need new hardware, you're going to need to start over. And in my experience, it seems people can only keep this straight up. Only so long. I mean, only human
Like Ross Ulbricht, drug lord Joaquín Archivaldo Guzmán Loera Joachim Ar-KEY-VALDO Guzman, aka El Chapo made some serious OpSec errors leading to his re arrest. In this case, El Chap physically escaped from jail and was on the run in Mexico. In order to hide from the law he put in layers of security that isolated him from the outside world. In infosec terms, he created an air gap for as part of his personal communications protocol.
If you wanted to contact El Chapo while he was on the run, you sent a text message to a mobile device. That device was not El Chapo, his personal Blackberry, but it intermediates a cut out. The cut out would be paid to be on call, so to speak, in various public Wi Fi locations, say cafe or a bar and he or she was available to transcribe any incoming or outgoing messages. This was because El Chapo had this need to keep using his Blackberry. I mean, he could have used the more anonymous burner phone, but this mirror that he set up made this need to keep his BlackBerry working. The mirror part of this operation is that the intermediary would type all the messages from one device into another where the original message was sent over a cellular network attack that could be read by the carrier. The retyped message would be sent to another human cutout this time via a Wi Fi enabled tablet. So there was no cellular connection, no cellular record. This was the air gap.
A second human then we take that Wi Fi enabled tablet and transcribe it to yet another cellular phone. That second BlackBerry mobile device then would actually send the message to our child. Even if the police were to watch the communication from El Chapo his Blackberry, they would only see one other connection. The one who was not actually communicating with him, but given the messages were encrypted, the messages themselves without revealing the identity of the people with whom.
So this air gap worked up until Sean Penn --yes, Sean Penn, the actor -- announced that he wanted to write a story about El Chapo.for Rolling Stone. Not only that, there was a potential for a movie deal. Well, what criminal fugitive doesn't want to have a movie made about his or her life?
So the Mexican authorities found out about this and as soon as Sean Penn arrived at the airport, he was followed. As much as chapters, men did their best to change cars and debate crazy routes toward their ultimate destination. This proved to be sloppy. A physical encounter with someone from the outside. Not a good idea when you set up such elaborate means to digitally distance yourself.
And this is all because El Chapo wanted a movie about himself. Long story short, the Mexican police guessed the location of El Chapo and his men just before Penn arrived, so they raided compound. Sure enough there was a shootout and the Mexican authorities rearrested El Chapo.
Bottom line is that becoming invisible online requires some hard and fast lifestyle changes. So once you've gone through the expense and labor of setting up your alternative, anonymous online presence is going to take a lifestyle change to maintain it. In other words, if you're expecting an important email from this anonymous presence, then you can't be logging in from your personal computer or mobile. You have to go to that Starbucks that you use or sit in an alley somewhere and check for updates.
Similarly, you can't be carrying around your anonymous burner phone alongside your registered phone. So this gets really complicated very quickly. And it goes back to what I said earlier about everyone having their own level of personal privacy. What are you really trying to achieve and doing all of this? So if you're harboring state secrets, you're going to need much more. And I'm thinking of a second episode where I talk about, say, a secure iOS and a few other details that can help get you even more privacy. And if you can’t wait, my book, The Art of Invisibility, with Kevin Mitnick, from Little Brown and Co, is available wherever books are sold, and it is full of information on how to become invisible online, along with some great stories from Kevin.
But for the moment, most of us are handling state secrets. So what can you take away? Well, start by using Duck Duck, go start by using a VPN and if you're not already, use Tor when you've got sensitive information access online, and really have more than one email address and keep them for different purposes. You know, innocuously you could use one email address for spam. You don't need to have your main email address getting all those solicitations. You just have one for signups. So there are a variety of things that you can take from this episode and use in your day to day life. And no, you don't have to be running from the law. You could just be a hacker who wants to have a little more privacy. I mean, who doesn’t want more privacy in their lives?
Let's keep this conversation going. DM me at Robert Vamosi on Twitter, or join me on subreddit or discord. You can find the deets at tthehackermind.com.
For The Hacker Mind I remain the enigma, Robert Vamosi.