How to hide your IP address (educatedguesswork.org)
260 points by r422 on Oct 17, 2022 | hide | past | favorite | 78 comments



Passionate write up, very well put and beautifully presented.

However, I think that worrying about your IP address and encouraging the same as a major "Security Thing" is missing way more important aspects of IT security. For many people who follow your line of thinking via your blog and say the ads for VPNs and the like, they might feel they have achieved "security" by obfuscating or hiding one small aspect of their on-line life.

Online profiling is generally way more detailed than an IP and will include browser finger printing (agent string) and fonts loading, and much much more with some pretty impressive Javascript tricks.

I live at 1 Eldonthingie Road, BendInARiverTown, Summersetshire - I have obfuscated that lot quite a bit but not too much that a determined person could work it out and see where I live. Back in the day it would be published in the phone book for all to see.

There are way more important security enhancements that you can deploy before you worry about VPNs and that. I only use a VPN when off site and need to get back to the office or home.

Today, I was working on a customer site and they have a TLS man-in-the-middle box which buggered up my VPN (OpenVPN on 443/tcp). That cost them an additional four hours of my time at my rate!


You turn on a VPN; meanwhile your OS, Adobe CC, Office, etc. are busy phoning home with all kinds of fingerprintable, if not personally identifiable, data. Even Firefox phones home with tons of data at launch and exit with telemetry off.

Getting real anonymity online is way more complicated than I think most people realize. Then again maybe that’s fine, it depends on your threat model.


> Even Firefox phones home with tons of data at launch and exit with telemetry off.

Firefox drove me nuts with this. This article helped:

https://support.mozilla.org/en-US/kb/how-stop-firefox-making...

That won't stop the OS or a bunch of other apps from making a bunch of connections, but at least you can beat Firefox into submission.


Cracked Office works great if you deny 100% of all network connectivity via Little Snitch. Same for cracked Adobe CC. If you don't want to fly the black flag, buy a dongle for Davinci Resolve Studio and download LibreOffice; both also work fine with 100% of all network connectivity denied.

You can disable all of the built-in LS rules for macOS services and never make/use an Apple ID (so, no App Store, no iCloud, no FaceTime, no iMessage, no Apple Music, etc) and your mac will still work to launch local apps just like it did in 1999. This is how I use mine.

Note well that you must install LS on a fresh boot offline, before you connect the mac to the network, otherwise APNS will phone home from your IP with client certs that are linked to your hardware serial number.

I give friends cash to order the new/fast BTO macs to their addresses on their payment cards, then go pick them up from them; you can't usually get the max-spec apple stuff for cash at the store.


You can actually at some stores get almost maxed out models, they have specific 'ultimate' configurations. Use the inventorywatch app to figure out whatever a store has in stock.

Like the 16" M1 Max with 64GB & 4TB SSD is the 'ultimate' retail config for that model for example.

https://worthbak.github.io/inventory-checker-app/


I have just been using alternative firewall software such as simplewall (Windows) and Little Snitch (Mac). You can configure them such that you are alerted every time any process makes any form of network request, and either temporarily or permanently blacklist/whitelist, as well as even have fine-grained control over specific hosts/domains/etc.

Really a must have, for me.


Do those firewalls block all network activity? Would a DNS lookup trigger an alert?

I had an application that was phoning home and after some digging I found that it was doing so through DNS. It would look up something like $KEY.some.domain.com and the response would decode to the value.
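A per-process firewall will alert on the lookup but will not tell you that the hostname itself is the payload. The detector below, an added example that is not from the thread or from simplewall/Little Snitch, runs over a constructed resolver log and flags a parent domain once a client has queried several distinct, long, high-entropy leftmost labels under it, which is the pattern of the $KEY.some.domain.com scheme described above. The log format and all hostnames are made up.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log in the form "<timestamp> <client> <qtype> <qname>".
# It is not the output of any real tool; the encoded labels are invented.
SAMPLE_LOG = """\
2022-10-17T10:00:01 192.0.2.10 A www.example.com
2022-10-17T10:00:02 192.0.2.10 A a9f3k2lq7x0b4mzt.telemetry.example.net
2022-10-17T10:00:03 192.0.2.10 A mail.example.com
2022-10-17T10:00:04 192.0.2.10 A b8e2j1ko6w9c5nys.telemetry.example.net
2022-10-17T10:00:05 192.0.2.10 A api.vendor.example.org
2022-10-17T10:00:06 192.0.2.10 A api.vendor.example.org
2022-10-17T10:00:07 192.0.2.10 A c7d1i0jn5v8e6mxr.telemetry.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded keys score far higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        rows.append((ts, client, qtype, qname.rstrip(".").lower()))
    return rows


def looks_encoded(label: str, min_len: int = 12, min_entropy: float = 3.0) -> bool:
    """A leftmost label that is both long and high-entropy is a candidate payload.
    Thresholds are assumptions chosen for this sample, not tuned values."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def flag_dns_beacons(text: str, min_distinct: int = 3):
    """Return {(client, parent_domain): [labels]} for every client/parent pair
    under which the client queried at least min_distinct distinct encoded labels.
    Repeated queries for one ordinary hostname (api.vendor.example.org) never
    accumulate, so normal caching behaviour does not trip the rule."""
    seen = defaultdict(set)
    for _, client, _, qname in parse_log(text):
        first, _, parent = qname.partition(".")
        if parent and looks_encoded(first):
            seen[(client, parent)].add(first)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


if __name__ == "__main__":
    for (client, parent), labels in flag_dns_beacons(SAMPLE_LOG).items():
        print(f"{client} sent {len(labels)} encoded labels under {parent}: {labels}")
```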


As far as I can tell it’s any and every network lookup or request. Frankly, ever since I started using them (several years ago) I’ve only been feeling more and more that it may be the only way forward.

My data isn’t up for grabs for profiteering/aggregating/snooping on, sorry.

EDIT: Your comment made me curious so I will do more due diligence and return with an update.

EDIT2: So after not that much investigation--mostly just rereading what's shown on their project page (https://github.com/henrypp/simplewall) -- it confirms my belief that this adequately shields me from any and all networks without my knowledge or consent. In my opinion, it's kind of dystopian that The Industry basically operates on the assumption that most people will in fact just not care, but maybe more would care if it was presented as more of a choice than a concession.

Like, I don't mind sharing for the purpose of analytics. I read through privacy policies (is this being an adult?) kind of frequently these days, and as much as I hate to say it, Apple is still probably what I consider the poster child for big tech data privacy, they are doing the absolute bare minimum by clearly and plainly disclosing what data is used for what and how, and it allows my mind some rest.

EDIT3: Proof shown here https://github.com/henrypp/simplewall/issues/980


Very cool. Thanks for digging in to this.


Little Snitch catches a lot but gives a blank check to large parts of macOS so as not to cause weird behavior of the OS. Some of macOS's phone-home calls don't use DNS and instead directly use random IP ranges belonging to Apple, so that the only way to block them is to blackhole their ranges at the router. Unless you do that per interface, that means now iOS iMessage won't work and a bunch of other things break when your phone is on WiFi. Really fixing this problem is a complete PITA.


You can disable these "blank check" rules; I do.

You can't use iMessage if you want privacy from Apple; trying to block phone-home to Apple while still using their hardware-serial-number-linked-services is silly. You have to give up iMessage, FaceTime, Handoff, iCloud, App Store, Apple Music, all of it if you want privacy from Apple (obviously).


I can't really speak to this because I no longer own or can afford a Mac, I just know it did the trick for me in the past.

The reality of our tangled mess that is data privacy issues is really almost grotesque at this point.


Lulu is a great alternative also.

https://objective-see.org/products/lulu.html


You are right.

But the OP doesn't state anything to the contrary.

You are what-abouting a completely sound, thoughtful, and helpful article about one small piece of the privacy puzzle.


I disagree. Your IP can group you with at most a few million other people. The bits of entropy needed to identify you are very small if you know the IP.


Any script kiddie can DoS a residential connection for however long they like. It's a common "attack" people do in games that leak IPs.

The culture of internet celebrities is growing significantly with twitch/YouTube streaming. People are dangerous, and will harass and stalk.

Swatting is also still very real, it's a common occurrence for major content creators.

Yes you should do more, a good VPN is essential if you interact with other people online.


> Back in the day it would be published in the phone book for all to see.

What do you mean with "back in the day"? Is this not common practice anymore? In my country all this data is public information, including your social security number and tax records. The only way to obfuscate it is to get a "protected identity" court order but even then I think it will only hide a small fraction of your PII.


Whilst single hop proxies are great at stopping IP level tracking, they are just that: single hop. They can be trivially torn apart to uncover the real person behind it, much like a VPN.

Multi hop makes it more difficult. You could chain a bunch of proxies together to make trivial correlation attacks much harder, just like Tor does.

As for Apple's private relay: it's a cute idea, but Apple has other telemetry endpoints it can use to see what you're doing on a device. Whilst private relay does the job, you are surveilled in other ways by Apple, so it's really a marketing ploy and 'privacy washing' on the part of Apple.

Then there's extreme steps you can take like booting a Whonix workstation coupled with a gateway if your threat model requires it and you really don't want to be decloaked.

Most are happy buying a few SOCKS5 proxies and calling it a day. You can mess with AD tech by regularly changing your IP and surfing in isolated sessions to stop cookies correlating your old IP with your new IP.


> As for Apple's private relay: it's a cute idea, but Apple has other telemetry endpoints it can use to see what you're doing on a device.

For Apple, it is a privacy breach only if it's 3p services tracking users on iDevices. 1p is perfectly fine. 2p is kind of okay.


Multi hop makes it more difficult. You could chain a bunch of proxies together to make trivial correlation attacks much harder, just like Tor does.

That's fine if you don't mind sites either not loading, loading really slow, or tons of captchas and loss of functionality.

Virtual desktops with AWS via disposable credit card is pretty good, imho.


>Virtual desktops with AWS via disposable credit card is pretty good, imho.

There's zero chance that you can create an AWS account with disposable credit cards, presumably for fraud/spam related reasons. Even many VPS providers will reject prepaid cards for the same reason.


Who said anything about fraud/spam?


You misread my comment. I'm simply pointing out that:

1. you can't create AWS accounts with prepaid cards

2. the reason why is that AWS doesn't accept prepaid cards, because people use them for fraud/spam and they want to stop them.


AWS is the only provider who accepts prepaid cards and your name doesn't even have to be on the card. Just make sure you know the card's billing address.


With Microsoft and the ads in the start menu, you now get tracking right out of the box!

If you think that a VPN protects you from anything, I have a bridge to sell you. Oh, and let's not get started about a lot of proprietary software that does exactly the same. Or how apps that you use once a month need background updates.

I have a customer that uses a 10-year-old inventory system, who came to me with the problem that it "sometimes freezes" for a couple of seconds. It does that when their "tracking server" takes a couple of seconds to process the request, and once that is done, he has peace for 15 minutes. Guess what the software is not doing in those 15 minutes?

Also, please don't get me started on IP cams; I'm convinced that if there is a tech I like to use, someone already installed some ridiculous metrics system into it and calls that "customer insight".


> If you think that a VPN protects you from anything, I have a bridge to sell you.

What is the thing with the "I have a bridge to sell you" meme going on? Is that a new synonym for "you're wrong but I don't feel like explaining why"?


I don't think that VPNs are any good at protecting privacy nowadays... Maybe Tor or I2P just might work.

Team Cymru are collecting flow records from backbone routers worldwide, with the permission of the ISPs. They claim to be able to trace through VPNs by simply looking at the timing of flows. https://www.team-cymru.com/pure-signal-recon-threat-hunting-...

Perhaps we should try experimenting with satellite or radio data broadcasting? Just send highly compressed text to make it low bandwidth? Then anyone can receive the stream without intelligence agencies finding out. Ever. Assuming it's a receiver that cannot physically be connected to a network. Bye bye NSA and GCHQ surveillance... For good this time.

By the way, here's an example of a satellite data broadcasting system that's actually in operation: https://blocksat-reader.herokuapp.com/


Thank you for that! In my younger days I imagined a system like this would come sooner rather than later.

I also don't believe that there is really an incentive for corporations to keep the web "free" (as in freedom), and while A LOT of people are hyping the crypto scene or Tor as solutions, I have come to think that we will soon simply have identity tokens (on cards or phones or USB sticks) and that identity will be provided, not requested.

It's what the movie studios have wanted since the 90s; it's actually what your government wants too!

I finish with the thought that blocking the API for ad blockers on Chrome is only the beginning. And yeah, Firefox also sends home a lot of data. We as programmers need to find solutions to this. It would be organized open source, but without proper funding, no one is going to be organized.


The other commenter is correct; I was referring to George C. Parker selling the Brooklyn Bridge =) Also, I picked this up in my circles; I'm sorry if it was not clear right away.

I also feel like "you're wrong but I don't feel like explaining why" is a bit harsh, because what I mean is that your IP address is not even used in most high-end tracking software anymore. There are much more elaborate ways to track you and everything you use.


It’s not a new saying. It means “you are stupid, and clearly gullible”.

https://en.m.wikipedia.org/wiki/George_C._Parker



I always heard it as "some swampland in Florida to sell you". Given recent events, the statement has proven true but probably should be retired as it feels a bit insensitive now.


Don't. That's backwards thinking. Go the other way. Host your website and other services from your home IP (and syndicate elsewhere). Participate in the internet as an equal. It's not going to significantly change the chance you'll ever get DoS'd or otherwise "attacked" or your vulnerability to such things. By far the biggest attack surface on any end-user computer is the browser automatically running untrusted code from anywhere.


I am intrigued, please explain further :D

So what you are suggesting is to host software on my private IP (which changes) in order to have the trackers interpret this as "ohh this is hurrudurr's webserver making requests and therefore not an individual!"?

I can see how this helps when someone is actively profiling me, like listening in to my connection, but does it help me further?


By self hosting you don't have to depend on others and their perverse profit incentives. I'm saying that hiding your IP is missing the point entirely. When you give up your ability to participate as a peer in the internet and go through 3rd party services you have no expectation of privacy.

Someone knowing your IP address does not matter. It is not private information.


While true, it's still cheaper and greener (at least in Europe) to go rent a VM somewhere instead of hosting it yourself. Not to speak of availability or failover. Or the risk of allowing foreign traffic on your network. Or bandwidth caps. Or a whole lot of other downsides, no?

I mean sure, not everybody needs an AKS supercluster, but so far I'm still seeing the advantage of self hosting besides the point that "my users made those requests to the illicit servers, your honor", which at least in phase two means strict logging for you.

I did the math recently and abandoned the "bare metal k8s at home" theorem simply because the energy cost at 30 Eurocents an hour is already more than the VM I'm renting with limitless traffic.

I'm also not a Tor end node, because, at least in Europe, you are responsible for the traffic that leaves your home connection too.


A personal website does not care about availability, failover, green-ness, "deployment", or issues of massive available bandwidth. Those are cargo cult concepts and they don't matter at all for a personal website hosted from home. It's okay to be down for a few days. It is okay to throttle your upload to 200 KB/s. It's okay to install nginx from your distro's repository and serve files from a regular ~/www/ directory. It's just for you! You don't have to work with a dozen other people on a team or all that that implies.

The electrical cost is extremely marginal. But I guess I was just assuming if you're going to host your website from home you're a geek and you already have computers running.


While I appreciate the effort, this is just your opinion, man! I'm sorry that this is going to sound like a rant, because I disagree with almost everything you said.

Of course high availability matters to me, because I can be proud of what I build. No, it's 2022; it's not enough to just make your /var/html/ folder public and call it a day. While creating my rootless container builds I learn about the software that I am putting onto my servers.

No, it's not okay for my site to be down for a couple of days, because if I didn't assume someone would be using it, why do I bother to create content in the first place?

Finally, talking about electrical costs: 3 Pis with k3s is about as much power as some people put into their IDLING graphics card.


You're not talking about a personal website. You're talking about your profit motivated resume for work. Of course work stuff has to use stupid technologies and do cargo cult stuff. You're trying to show you can do the things that for-profit contexts require.


"profit motivated resume for work"

Sure, come to my site, learn about all the awesome stuff I did as a resume; that's totally not what my blog is about :D

My blog literally headlines that I want to give back to the people that taught me tech over the last 20 years, nothing more and nothing less. There is also no cargo cult, because I have not told a single soul besides you how this runs and is hosted :D

Stupid technologies and cargo cult stuff; you seem bitter, my friend. I come from a time when you didn't have websites but shared folders; that worked too! Just as going to the library did.

Please don't get me wrong, I can set up a nice HTTP server from bash scripts that runs on an egg timer for you too; I just don't believe that it is appropriate, and usually I am actually hired to get rid of the stuff that "has worked for the last 15 years, we don't need no updates" ;)


> Host your website and other services from your home IP (and syndicate elsewhere).

DO NOT do this if anything on your website might make other people want to kill you while you sleep, or if you anticipate becoming prominent enough to be read by the criminally insane percentage of the general human population.

Your home IP address (along with a timestamp) is a single cash bribe away from the physical location where you and your family sleep unguarded at night.

If you wouldn't put your home address on the website, don't host it on your home IP. It's the same thing in the hands of a motivated attacker.


If the above is your actual threat model I'd suggest getting off the internet entirely. You have more serious, life threatening, problems to deal with.


This aliases to “just stop publishing”.


IPv6 temporary addresses solve this problem and are part of the IP standard. An IPv6 temporary address is a public facing address composed from your actual IPv6 address using a standard algorithm like a routable hash. If your locally connected switch (WiFi router) doesn’t support IPv6 there are various standard tunneling techniques for pushing IPv6 traffic over IPv4 end points. This won’t work though if the destination provides no IPv6 interface, but otherwise these are the best bets as they are closest to the network standards.


Not really. I have a /56 at home and /48 at work. Despite having zillions or rather more IP addresses available to me, my prefixes will lock me down, or a few people down. At home me and the wife and at work me and my colleagues.

My wife is a massive FB user (inter alia). She and I (I have one too but I don't use it much) have been sold on many, many times. Our data will have sifted down into all sorts of places. Nothing personal, it's just data.

We have Android phones - Samsung, UK: O2. Oh, so now Microsoft (preloaded and enforced), O2, Google and who knows who else are in scope and wanking over our data.

Now, I'm an IT bod and I know that I've allowed things to work instead of breaking the cycle completely. I'm not quite sure what is a healthy data grab yet. Do we go all in or not?

I do know that you don't fiddle with third party VPNs if you are worried about privacy - that's just daft. If you VPN - then you should do your own VPN.


What exactly is "daft" about using a 3rd-party VPN service? Yes, you're trusting that service to protect your privacy, but why would you distrust them over, for instance, your ISP or your government? If you live in Iran or something, trusting your own government over an ISP service in the US would be utterly stupid. The whole reason these services exist is to protect privacy; if they didn't do that, they wouldn't stay in business long. Of course, there's limits to how much they really can protect your privacy, but still there's been no evidence that any of the major services have not done so.


It depends on your threat actors. If you’re trying to make sure dang can’t find where you’re posting from, a VPN is probably good enough - especially if you go through one outside the country.

If you’re worried about committing crimes, then a VPN is relatively pointless; it slows down the law a bit and some may be difficult to penetrate, but if you keep using it they can be.

And if you have a nation state you will want to layer things and almost certainly use tor.


>It depends on your threat actors.

This is my whole point. Most VPN customers aren't trying to commit high crimes, they're doing things like getting around region blocks (e.g. Netflix doesn't allow viewers in the USA to watch show X, but it is available for viewers in Canada for some stupid reason), torrenting (much safer legally if your traffic is going through a different country), or trying to obscure their IP address and/or location for some reason. Offhand, I'd say the region block thing is probably the #1 reason these days.


> What exactly is "daft" about using a 3rd-party VPN service?

Generally speaking, when push comes to shove, their “no logs” policy lets them turn over whatever information $law_enforcement_agency asks for.

I have a super-cheap VPS which I set up WireGuard on, but that’s 100% to get around whatever safety filters the random free Wi-Fi networks I connect to throw up. One of them blocks YouTube’s videos, not YouTube itself but just the videos — which actually makes it pretty speedy since I don’t have to compete with other YouTube watchers.


> Generally speaking, when push comes to shove, their “no logs” policy lets them turn over whatever information $law_enforcement_agency asks for.

Not really, no. No company is required to cooperate with law enforcement from foreign countries.

So if you're trying to hide activity from government X, and you use a VPN in country Y, you don't have much to worry about. A US-based VPN, for instance, is going to laugh at demands from the Chinese police for their logs. Similarly, a Hong Kong-based VPN is going to laugh at demands from American police.


> their “no logs” policy lets them turn over whatever information $law_enforcement_agency asks for

You're treating this as a "black and white" scenario, which is wrong in my opinion. There are also a few trustworthy VPN services which don't log, and do respect privacy.

However, obviously they can be forced to log your connection, in case a government wants to solve some crime/threat. But this is just the same for VPS providers, so there's no advantage there.


> If you live in Iran or something, trusting your own government over an ISP service in the US would be utterly stupid.

https://news.ycombinator.com/item?id=21071632


Assuming you're talking about RFC 8981, then I don't think this actually helps as much as you would like, because typically you would have an assigned /64 and then just randomize the low order bits, but the /64 would be static and usable as a tracking identifier, as noted in the Security Considerations. And if you're in an environment where you can have randomized prefixes, you can probably also have randomized v4 addresses.


Post author here. Happy to answer questions, take criticisms, etc.


It's invaluable that someone with expertise is providing the public with this knowledge; thank you. There is too much misinformation out there.

I wonder if a tl;dr with concrete advice in non-technical language would reach a much wider audience. I know the technology professionally, I already understand almost everything in the article (that I read), and I'm not sure what you are recommending - Tor? Apple's proxy service (whatever they call it)? I think Brave offers something now? Firefox VPN?

Also, another reason "even the best system provides only limited protection" is that there are many other ways to track people. I know the article is about IP addresses, but a non-technical reader might not grasp that IPs are only one piece of a larger puzzle.


Not the original author, but my blog post from last year sounds like it might be along the lines of what you're looking for. It includes some specific recommendations for different use cases.

https://ivymike.dev/vpn-advice-november-2021-edition.html


Hi Eric, thanks for this brilliant write-up.

I see you touched on Private Relay and QUIC but chose not to discuss the IETF MASQUE working group's standardization of it. In general, as oblivious HTTP, IP over QUIC, Private Proxies over QUIC etc. continue to gather pace (surprisingly, it is Google alongside Cloudflare and Apple leading the charge), do you think browsers bundling in tech (relays, proxies based on blind tokens etc.) to mask IPs would be the default and free going forward? How do you see trackers adapt to this new reality, in that case?

Thanks.


To be honest, I meant to mention MASQUE as an aside, and it's in my notes somewhere to put in but it seems to have gotten lost. Anyway, I think it's great that we're seeing some new tech here, but it's of course been possible to do proxying in the browser using HTTP CONNECT for some time. The MASQUE piece is an incremental improvement over that. I think at some level the change is an increased awareness of the problem and more interest in doing something about it.

It seems to me that the main obstacle to having really widespread proxying is financial: there are substantial incremental costs to proxying the traffic, and someone needs to bear that. I expect this is why Private Relay is part of iCloud+ rather than free for everyone. So, I'm not sure how that's going to shake out.


Why do you sometimes post your educatedguesswork.org blog posts via the r422 user?


It's not me.


Nord VPN? Seriously?


Question out of mostly ignorance: why are the network interfaces (is this the right terminology?) set up so that your IP gets set randomly all the time? It seems crazy that we have to treat our IP address as if it's a secret in order to avoid nefarious and commercial actors from correlating our activities and it seems like for casual and consumer computing, changing the IP of the client shouldn't be a problem. I guess I'm asking whether operating systems could/should be configured to randomly change your IP instead of having to rely on a VPN. Am I thinking about this incorrectly?


IP address is analogous to your house/apartment address. Which you "randomly" send out as your return address, whenever you mail a letter. You probably even put your real name above the return address.

Which gets at the problem: anonymity. Your physical mail habits are not completely collected and retained. And your electronic footprint has FAR surpassed your snail mail equivalent in the 50 years since the invention of IP. Your electronic footprint can reveal your minute-by-minute location (maps), your buying habits, interests (searches, reddit subs), and a whole lot more (especially over time).


They need to find your computer to send data back to it. So an IP address needs to provide that route.


Good question.

IP addresses are used for routing, which requires them to be structured.

The basic idea here is that your ISP advertises a route that consists of a "prefix", i.e., a block of addresses it controls. So, for instance it might advertise 192.0.2/24 which means "Every address which starts with 192.0.2". That means it can only give its customers addresses in that block. So, it could randomize which customers have which addresses, but it can't give them anything in 192.0.3 because that's in some other block.

The question of why it doesn't shuffle the addresses is more complicated, but the TL;DR is that it's a pain for the ISP to do.

I'm using IPv4 addresses as an example here, but similar concepts apply to longer IPv6 addresses, except that customers are given a block of addresses themselves that they can allocate internally. They can randomize the low order bits but the customer's block (prefix) is routed the same way as I described earlier, and so that can be used for tracking if you just ignore those bits.
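The tracking point made in this reply (and in the RFC 8981 comment earlier in the thread) is easy to see with a few lines of code. This is an added example, not from the post author or from any RFC implementation: it forms RFC 8981 style temporary addresses by randomising only the low 64 bits of a routed /64, then shows that a tracker who keeps just the prefix still groups all of a customer's sessions together, for the /24 from the example above and for the /64 (or a wider /56) in IPv6. The prefixes and sample addresses are constructed documentation-range values.

```python
import ipaddress
import secrets
from collections import defaultdict


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 8981 style temporary address: keep the routed /64 prefix the ISP
    advertises and replace the 64-bit interface identifier with random bits.
    Only the low 64 bits change; the routed part must stay as advertised."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed inside a /64")
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))


def tracking_key(addr: str, v4_prefixlen: int = 24, v6_prefixlen: int = 64) -> str:
    """What a tracker keeps after discarding the bits a host can randomise:
    the ISP's /24 for IPv4 (the 192.0.2/24 example in the reply) or the
    customer's routed /64 for IPv6. Pass v6_prefixlen=56 to key on the whole
    customer delegation when the ISP rotates /64s inside it."""
    ip = ipaddress.ip_address(addr)
    plen = v6_prefixlen if ip.version == 6 else v4_prefixlen
    return str(ipaddress.ip_network((str(ip), plen), strict=False))


def group_sessions(addrs, **kw):
    """Bucket observed client addresses by tracking key; every bucket is one
    customer (or a handful of them) no matter how the low bits were chosen."""
    groups = defaultdict(list)
    for a in addrs:
        groups[tracking_key(a, **kw)].append(a)
    return dict(groups)


# Constructed sample: a home /64 and a work /64 from the documentation range,
# three sessions from home and two from work, each with a fresh random IID.
HOME = "2001:db8:1234:5600::/64"
WORK = "2001:db8:abcd:1::/64"

if __name__ == "__main__":
    sessions = [str(temporary_address(HOME)) for _ in range(3)]
    sessions += [str(temporary_address(WORK)) for _ in range(2)]
    sessions += ["192.0.2.17", "192.0.2.200"]  # two IPv4 customers in one /24
    for key, addrs in group_sessions(sessions).items():
        print(f"{key}: {len(addrs)} session(s) -> {addrs}")
```

Five visibly different IPv6 addresses collapse into two keys, and the two IPv4 addresses into one; randomising the interface identifier defeats per-address tracking only, not per-prefix tracking.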


Thanks for the thorough reply! So I knew the ISP wouldn't be able to give you an IP outside of the CIDR block, but was wondering why not shuffle within it... but I understand your point about it being a pain for them to shuffle even within that block.


Some can, and do, although not usually with privacy in mind.

https://en.wikipedia.org/wiki/Carrier-grade_NAT for the main example, although even in cases where IPv4 exhaustion is not as imminent, you might be assigned a dynamic IP address. (Whether that dynamic IP address rotates on a regular basis is another question... but it's really just the ISP reserving the right to do so.)

In general, you need some stable identifier for a connection. Traditionally (namely with TCP) that's been the "5-tuple" (source IP address, dest IP address, protocol, source port, dest port). This provides network routability and dispatch to the appropriate application within a host. Your ISP can't just rotate your IP address without breaking all of your existing TCP connections.

With QUIC, that identifier is now the QUIC connection ID (although you still have the 5-tuple). Connection migration (if supported by the application) could allow you to persist a connection across lower-level protocol events (even something as drastic as switching from WiFi to 4G, where you might not even have the same ISP).
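The difference between a 5-tuple and a QUIC connection ID as the connection's identifier, as an added example that is not from the thread or from any QUIC implementation: one table is keyed on the 5-tuple and loses the connection when the client's address changes, the other is keyed on the Destination Connection ID parsed from a QUIC v1 short header (RFC 9000 section 17.3) and finds it again. The connection ID length, addresses and payload are constructed; a real server would also path-validate the new address before trusting it (RFC 9000 section 9), which this demo does not do.

```python
SERVER = ("203.0.113.5", 443)
CID_LEN = 8  # assumption: the server issued 8-byte connection IDs in the handshake


def five_tuple(src_ip, src_port, dst_ip, dst_port, proto):
    """The classic TCP identifier: both endpoints' addresses, ports and the protocol."""
    return (src_ip, src_port, dst_ip, dst_port, proto)


def short_header_dcid(datagram: bytes, cid_len: int = CID_LEN) -> bytes:
    """Extract the Destination Connection ID from a QUIC v1 1-RTT packet.
    The short header has no CID length field: the receiver knows the length
    of the IDs it handed out, which is why cid_len is a parameter here."""
    if not datagram:
        raise ValueError("empty datagram")
    first = datagram[0]
    if first & 0x80:
        raise ValueError("long header packet; handshake packets carry explicit CID lengths")
    if not first & 0x40:
        raise ValueError("fixed bit clear; not a QUIC v1 packet")
    if len(datagram) < 1 + cid_len:
        raise ValueError("truncated header")
    return datagram[1:1 + cid_len]


def build_short_header(dcid: bytes, payload: bytes) -> bytes:
    """Constructed 1-RTT packet: first byte 0x40 (short form, fixed bit set,
    1-byte packet number), then the DCID, a packet number and the payload.
    Real packets are encrypted; this only models the header layout."""
    return bytes([0x40]) + dcid + b"\x01" + payload


class TcpStyleTable:
    """Dispatch keyed on the 5-tuple; any address or port change is a miss."""
    def __init__(self):
        self.conns = {}

    def add(self, tup, conn):
        self.conns[tup] = conn

    def lookup(self, tup):
        return self.conns.get(tup)


class QuicTable:
    """Dispatch keyed on the connection ID carried inside the datagram."""
    def __init__(self):
        self.conns = {}

    def add(self, dcid: bytes, conn):
        self.conns[dcid] = conn

    def lookup(self, datagram: bytes):
        return self.conns.get(short_header_dcid(datagram))


def migration_demo():
    """Client moves from WiFi to 4G: new source IP and port, same connection ID.
    Returns (tcp_style_result, quic_result)."""
    dcid = bytes.fromhex("1122334455667788")
    tcp, quic = TcpStyleTable(), QuicTable()
    tcp.add(five_tuple("192.0.2.10", 40000, *SERVER, "tcp"), "session-42")
    quic.add(dcid, "session-42")
    moved_tuple = five_tuple("198.51.100.7", 51000, *SERVER, "udp")
    moved_packet = build_short_header(dcid, b"GET /")
    return tcp.lookup(moved_tuple), quic.lookup(moved_packet)


if __name__ == "__main__":
    print(migration_demo())  # the 5-tuple lookup misses, the CID lookup hits
```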


Ugh "why aren't"


Even multi-hop is not enough to hide your IP. There are timing correlation attacks, you need to build a system with jitter and randomness to somewhat hide your IP. It is a very complicated topic. You cannot hide your IP by just chaining two VPNs.

Tor isn't adequate either; far too many state actors maintain the nodes.

Only option is to use a public WiFi. There are still issues with public WiFi usage but it is still far better than other options listed.

That being said, Multi-Hop VPN is more secure than single hop as the article claims.


Hiding your IP, although essential, is far from enough if you want to achieve online privacy. And since VPN providers might disclose your real IP to interested parties, relying on a VPN to hide your IP might not be the best idea always.


You can set up your own VPN pretty easily. I use a Stardust instance at Scaleway on which I installed WireGuard. I was just curious and learned a lot in the process.


Has anyone been concerned about the inverse problem—hiding your IP address as a server instead of as a client? If so, what approaches have you considered for addressing that concern?


First thing that comes to mind is using a Tor hidden service.



This is a pretty common use case. Folks often use a CDN like Cloudflare or Google Project Shield to hide behind vast networks and IP ranges.

Personally, I run a public DoH resolver behind Cloudflare for a similar purpose. "IP-fronting" as I like to call it.


Something I’ve been thinking about lately is setting up a VPS with wireguard kind of like a Tor gateway but without having the “incriminating” Tor traffic being interesting to the NSA or whoever cares about those sorts of things. All the traffic between me and the VPS is wireguard while everything leaving is tor.

Not that I need it but it sounds like an interesting way to spend an afternoon.


I'm really impressed at how this article uses exactly the right amount of detail to illustrate the points it's trying to make. I've read too many that either have too much or (more typically) too little. That's a really difficult balance to achieve.


Just don’t open ipconfig



