Firstly, it has been a while since I’ve updated anything here. I have updated the Links page to clean out the stale links and, most importantly, to add David Cowen’s blog “Hacking Exposed – Computer Forensics Blog”. David has been putting up a tremendous number of articles and hosts a lunch webcast every Friday at noon central. Guest speakers are encouraged to respond and give a brief talk, but David Cowen and Matt Seyer hold their own just fine when interaction drops.

Now for the book review. I am a bit of a sucker for cheap and short books on staying anonymous. The latest disaster is “How to be Anonymous Online”. The book really does not live up to its name, but that’s expected for a $5 purchase weighing in at 35 pages. If it had a table of contents, it would look like this:

  • Obtaining TAILS
  • Burning TAILS
  • Configuring TAILS
  • Installing TAILS to USB
  • Anonymous Email
  • Setting Up PGP
  • Using PGP
  • Updating TAILS
  • Bitcoins

Upon closer inspection, the majority of the book revolves around TAILS. The Amnesic Incognito Live System (“TAILS”) is a TOR-enabled Linux LiveCD. Their download page covers everything that the book covers, even setting up persistent volumes. The page also links over to a documentation page. It’s at this point that the author starts laying down “fact” without any references to support their claims.

The first issue lies in persistent volumes. If one is attempting to be as anonymous as possible, as the book leans towards, then having persistent data is far from ideal. The author does acknowledge that the volume is encrypted, but seems to be satisfied with “it’s encrypted.” TrueCrypt is not mentioned at all; only the magical and unnamed system (LUKS in this case).

The coverage of PGP is nice, but PGP has been covered many times and the TAILS documentation page does an adequate job. Webmail was mentioned and a link provided to the author’s blog, which lists webmail services that do not require confirmations, use no Javascript, and allow TOR connections. This is nice, but there is no mention of the Claws mail client. Using a standalone client has its own issues, but it does avoid the Javascript issue after the account has been created. In fact, in the author’s checklist for creating a persistent volume, they include having Claws store emails to that volume.

Javascript is its own issue. Iceweasel (Firefox), the default browser, makes use of the NoScript addon. TAILS mentions that the use of Javascript is a compromise between functionality and security. Since many sites require Javascript to render, it is a decision that should be left to the user and not a mandate from an author without explanation. The author disables Javascript in the browser, which will impact the toggling of features via NoScript and the TOR Button. This will be problematic for some users. No mention is made of offline caching, such as that used by HTML5. This is why education, not checklists, is key to security and anonymity books.

And that’s where the book falls hard. The re-publishing of the TAILS documentation, the mention of Plop Boot Manager without any discussion of Plop, and the flat statement that Bitcoin is not anonymous are bad. But anonymity is not about being absent and leaving no trace, as the book suggests. It is about not revealing the true identity. Learning to minimize one’s tracks and to misrepresent what is left is key. The book does not delve into this point with any recognition or authority.

In short, use TAILS. Use their documentation to get up and running. But follow up with more education and know that software cannot fix wetware (your thinking and habits) mistakes. Anonymity requires conscious actions that deviate from our typical human interactions.