1. 27

  2. 16

    If getting found out is high risk, you should think about stylometry as well.

    1. 4

      You may find that this is also an important consideration when releasing source code, not only text: https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-caliskan-islam.pdf

    2. 6

      Make sure you don’t mention the blog or the pen name to anyone. This is most likely the hardest step.

      There’s another issue there, and that’s if at least one person is on to you. Perhaps, in the process of writing the blog posts, you learned something interesting. You must drop the exciting information from all other identities until it is brought back to you (e.g. third parties linking the sites to you).

      Another pro tip: If your goal is only to get information out and not to build a reputation, it might be easier to just make and discard identities for just a single post.

      1. 5

        That’s the key, right? If we learn anything from infosec in the last 10 years it’s that maintaining utterly rock solid operational security is VERY hard for most people.

        1. 4

          That seems to be a spot where going through a journalist might serve you well. That layer of indirection can paper over some opsec indiscretions for someone who’s generally OK at it unless the journalist is also trying to expose them.

        2. 3

          Another pro tip: If your goal is only to get information out and not to build a reputation, it might be easier to just make and discard identities for just a single post.

          I think that’s very obviously correct, to a point. If you don’t care about reputation and don’t care about attention, just drop an anonymous pastebin over tor and be done.

          The problem comes when your goal is not just to “get information out” but to “draw attention to some information you just published”. You might not want a reputation in general terms, but you might want to make sure people who are positioned to take action in response to your pastebin dump actually see it. To effectively do that, you might really want a pseudonym whose postings can be collated but not attributed to you. And then you’re back in the tough opsec problem space again.

          1. 1

            I mean, again it all depends upon the goals of the anonymous poster.

            If the goal is simply to get the information published at all on the internet, going through a journalist is probably a patently BAD idea.

            It’s more potential exposure for both you and them, even with things like SecureDrop and the like.

            On the other hand, if the goal is to have as large/wide an audience as possible, then a journalist is indeed a wise choice, provided you can find one that will represent your ideas well. A lot happens on the editor’s desk. Ask anyone who gets misrepresented in an interview.

        3. 5

          Why not just use a paste bin instance. Links to the other posts can be given inside the paste bin.

          1. 1

            Depends upon the goals of the blogger, right?

            1. 1

              What blogger goals this wouldn’t cover?

              1. 1

                The goal of ‘owning your own printing press’.

                What if you’re trying to anonymously blog in a context where you want to own the site you’re blogging from? What if it’s part of a larger franchise, maybe forums or chat or whatever.

                1. 1

                  If you own it (and others know about it) it is not anonymous anymore. Or am I missing something?

                  1. 1

                    You’re missing something.

                    Plenty of ways to anonymously host a site on the intertubes. People elsewhere in this read gave some hints.

                    Tor, I2P, etc etc.

                    1. 1

                      I don’t see how it is different compared to paste bin.

          2. 4

            What’s your threat model? A lot of these things only matter if your hosting platform is untrusted. For example, if you buy a VM from some provider, they know who you are, but that information is typically not publicly visible. Similarly, if you’ve registered a domain name, your registrar will know who you are, but can hide this from whois.

            If your threat model is your government finding that you are a dissident, then they can probably lean on these providers (maybe not if it’s a foreign host, but then your interactions with them may be easy to track, especially your payments). You need to do more than is listed in this article. In contrast, if your threat model is a curious individual or company who is not part of your hosting platform finding out who you are, then several of the things that this article is suggesting aren’t required.

            1. 6

              Getting a VM anonymously isn’t that difficult. Here’s a recipe.

              1. Get a paysafecard from a shop somewhere.
              2. Wait two months for any camera footage to be overwritten,
              3. Go to some café with free wlan, but don’t enter. Sit nearby, in case there are cameras.
              4. Search for something like “gameserver rootserver vhost” and find a provider that accepts paysafecard.
              5. Make a freemail address.
              6. Order a VM, and give the VM provider a plausible street address and the freemail address from step 5.

              Getting a domain is more of a challenge. EDIT: Oops, no, “register domain paysafecard” returns possibilities now. That’s what I call progress.

              1. 1

                For domains, https://njal.la/

                EDIT: looks like they do VPSes now too.

                1. 2

                  Don’t name anyone like that please… if someone gets a reputation for serving those pesky inconvenient anonymous people instead of gamers (and whoever else comes along and pays using the gamers’ preferred payment systems), they may stop.

            2. 3

              Let’s say that you do everything that is outlined in the post to set up the blog, what protects you from forensic linguistic analysis that can be used to identify you? For example, let’s say that you start an anonymous blog leaking information that just a few people have access to? It should be fairly easy to cross-reference other known writings from that group of people to the blog.

              1. 3

                translate it to German in Google, translate that German back into English via Bing. Or something like that.

                1. 1

                  Back and forth conversion doesn’t seem to be all that efficient it seems. What appears to be more efficient is copycatting someone else’s writing style. You can always do the conversion thing on top of this.

                  1. 1

                    Then maybe the translations have their own unique patterns derived from the writer’s unique patterns.

                    1. 2

                      Almost certainly. One technique perhaps would be to break your sentences into slightly smaller parts, and compare them to a corpus from a prolific known writer, with clever enough software it could suggest patterns extracted from that and let you select from a few generated outputs that which you think most closely matches your original intention.

                      Hard software to write though, without access to the kinds of tools people use to actually compare writers and attempt attribution. Also, I’m not sure how many courts actually accept such evidence in criminal trials, so it might be only really useful to put the work in against private antagonists.