%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

		Maintaining Your Anonymity on the Internet

			By Opic [CodeBreakers 1999]

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
           
"Everyone has the right to freedom of opinion and expression; this right 
 includes freedom to hold opinions without interference and to seek, receive 
 and impart information and ideas through any media and regardless of 
 frontiers."  
               -The United Nations' Universal Declaration of Human Rights
                                 (http://www.unhchr.ch/udhr/lang/eng.htm)

Disclaimer: 

The following article should be used as a primer to internet anonymity. 
While this article has been written primarily for the VX community, it may 
be implemented by anyone interested in heightening their personal privacy, 
and not having their online activities monitored. You should understand
simple remailer operations and the tracing capabilities associated with IP 
addresses before approaching this article. 

Some foundational philosophy:

Rather than reiterate some of the main points and arguments for the right
to privacy and anonymity I have decided to include one of my favorite
pieces of writing on the subject: "A Cypherpunk's Manifesto" by Eric Hughes:

 Privacy is necessary for an open society in the electronic age.
 Privacy is not secrecy.  A private matter is something one doesn't
 want the whole world to know, but a secret matter is something one
 doesn't want anybody to know. Privacy is the power to selectively
 reveal oneself to the world.

 If two parties have some sort of dealings, then each has a memory of
 their interaction.  Each party can speak about their own memory of
 this; how could anyone prevent it?  One could pass laws against it,
 but the freedom of speech, even more than privacy, is fundamental to
 an open society; we seek not to restrict any speech at all.  If many
 parties speak together in the same forum, each can speak to all the
 others and aggregate together knowledge about individuals and other
 parties.  The power of electronic communications has enabled such
 group speech, and it will not go away merely because we might want it
 to.

 Since we desire privacy, we must ensure that each party to a
 transaction have knowledge only of that which is directly necessary
 for that transaction.  Since any information can be spoken of, we
 must ensure that we reveal as little as possible.  In most cases
 personal identity is not salient. When I purchase a magazine at a
 store and hand cash to the clerk, there is no need to know who I am.
 When I ask my electronic mail provider to send and receive messages,
 my provider need not know to whom I am speaking or what I am saying
 or what others are saying to me;  my provider only need know how to
 get the message there and how much I owe them in fees.  When my
 identity is revealed by the underlying mechanism of the transaction,
 I have no privacy.  I cannot here selectively reveal myself; I must
 _always_ reveal myself.

 Therefore, privacy in an open society requires anonymous transaction
 systems.  Until now, cash has been the primary such system.  An
 anonymous transaction system is not a secret transaction system.  An
 anonymous system empowers individuals to reveal their identity when
 desired and only when desired; this is the essence of privacy.

 Privacy in an open society also requires cryptography.  If I say
 something, I want it heard only by those for whom I intend it.  If
 the content of my speech is available to the world, I have no
 privacy.  To encrypt is to indicate the desire for privacy, and to
 encrypt with weak cryptography is to indicate not too much desire for
 privacy.  Furthermore, to reveal one's identity with assurance when
 the default is anonymity requires the cryptographic signature.

 We cannot expect governments, corporations, or other large, faceless
 organizations to grant us privacy out of their beneficence.  It is to
 their advantage to speak of us, and  we should expect that they will
 speak.  To try to prevent their speech is to fight against the
 realities of information. Information does not just want to be free,
 it longs to be free.  Information expands to fill the available
 storage space.  Information is Rumor's younger, stronger cousin;
 Information is fleeter of foot, has more eyes, knows more, and
 understands less than Rumor.

 We must defend our own privacy if we expect to have any.  We must
 come together and create systems which allow anonymous transactions
 to take place.  People have been defending their own privacy for
 centuries with whispers, darkness, envelopes, closed doors, secret
 handshakes, and couriers.  The technologies of the past did not
 allow for strong privacy, but electronic technologies do.

 We the Cypherpunks are dedicated to building anonymous systems. We
 are defending our privacy with cryptography, with anonymous mail
 forwarding systems, with digital signatures, and with electronic
 money.

 Cypherpunks write code.  We know that someone has to write software
 to defend privacy, and since we can't get privacy unless we all do,
 we're going to write it. We publish our code so that our fellow
 Cypherpunks may practice and play with it. Our code is free for all
 to use, worldwide.  We don't much care if you don't approve of the
 software we write.  We know that software can't be destroyed and that
 a widely dispersed system can't be shut down.

 Cypherpunks deplore regulations on cryptography, for encryption is
 fundamentally a private act.  The act of encryption, in fact, removes
 information from the public realm.  Even laws against cryptography
 reach only so far as a nation's border and the arm of its violence.
 Cryptography will ineluctably spread over the whole globe, and with
 it the anonymous transactions systems that it makes possible.

 For privacy to be widespread it must be part of a social contract.
 People must come and together deploy these systems for the common
 good.  Privacy only extends so far as the cooperation of one's
 fellows in society.  We the Cypherpunks seek your questions and your
 concerns and hope we may engage you so that we do not deceive
 ourselves.  We will not, however, be moved out of our course because
 some may disagree with our goals.

 The Cypherpunks are actively engaged in making the networks safer
 for privacy.  Let us proceed together apace.

 Onward.

 Eric Hughes
 (hughes@soda.berkeley.edu)
 9 March 1993

If you'd like to read more about the Cypherpunks' goals, works, and 
philosophies you might want to check out the Cyphernomicon at:

http://www.kender.es/~alday/english/cyphernomicon/

The Problem With Secrecy; Openness As A Weapon(?):

"The best weapon of a dictatorship is secrecy, but the best weapon of a 
 democracy should be the weapon of openness." -Niels Bohr

"What is the 'weapon of openness' and why is it the best weapon of a 
democracy? Openness here means public access to the information needed for 
the making of public decisions. Increased public access (i.e. less secrecy) 
also gives information to adversaries, thereby increasing their strength. 
The 'weapon of openness' is the net contribution that increased openness
(i.e. less secrecy) makes to the survival of a society. Bohr believed that 
the gain in strength from openness in a democracy exceeded the gains of its 
adversaries, and thus openness was a weapon."
(Gleaned from: The Weapon of Openness by Arthur Kantrowitz)

Introduction:

Privacy and anonymity may very well be necessary evils, as many of their
adversaries argue. Secrecy (i.e. concealing information which directly affects
the public) is certainly controversial and I would not peddle it to you, as
it can be (and often is) implemented as a tool for corruption. By giving
people the tools to utilize their choice of privacy, anonymity, and
secrecy we give them the power to do very good or very bad deeds. It seems
to me a better bet to give these capabilities to the general public than
to reserve them for the chosen elite. We must take bad deeds along with the
good ones, and hope that a general humanity prevails. All of this is
done in the name of democracy, human rights, and the protection of freedom.

It has become quite obvious how the Vx community has taken the issue of
their privacy and anonymity for granted. And now, some persons are paying
*dearly* for their lack of initiative when it comes to being "proactive" in
regards to protecting their identity and anonymity from those who may wish
to "expose" them or ruin their lives due to the beliefs they hold or rights
they choose to exercise.

So here is my own response to what I see as a potentially lethal failure in
judgement and under-estimation of our "opponents" on the part of the entire
Vx world. I have put a lot of time and energy into putting together this
paper which will walk you through step by step processes which you can take
to ensure your anonymity and still utilize all the internet has to offer in
way of communicating with the rest of the Vx underground. It's all here for
you, there are no more excuses, and in light of all the unfortunate
incidents that have occurred pertaining to the Vx underground in the last
few months I think you'd have to be a fool not to take me up on it ;-) 99%
of your homework is already done for you here...just sit back, read, and
prepare to disappear into more secure shadows...

The article is split up into two different sections. Part One deals with
the use of Proxy servers for http/ftp/irc privacy, and Part Two deals with
remailers, PGP encryption and the use of Nym servers and creating your own
Nym email address.

*Warning: Remember, nothing is 100%. There is always human error and "luck
of the draw". In other words; nothing is 100% secure or 100% anonymous 100%
of the time. The odds of your identity being compromised are greatly 
decreased by using many of these methods (do you want to wear a t-shirt or
a bullet proof vest?)*. 

*** PART ONE: PROXIES ***

-Using Proxy Servers-

With few exceptions it is a good idea to use proxy servers whenever possible.
I won't go into the technical details of how proxies work in this article as
there is A LOT of literature out there which adequately explains how proxies
work, and quite frankly, it isn't entirely necessary for you to understand
every detail of each proxy you use (though for anonymity's sake it might be
advisable). Instead I'll simply tell you how to use them for your different
internet needs. For more information on proxies, and on testing their level
of anonymity, I recommend visiting these sites:

http://home.clear.net.nz/pages/research/sorm.htm
http://www.bikkel.com/~proxy/
http://www.lightspeed.de/irc4all/index.htm
http://natasha.warezbbs.com/contributors/morality/bncingwingates.html
http://www.anonymizer.com

When you use a proxy, essentially what you are doing is gaining access to
the internet through another "host" computer. It is important to preface
this by noting that the use of "public" or "misconfigured" proxies is in
NO way entirely anonymous (unlike Nym servers which I will get into later).
By this I mean that the proper authorities could quite easily go to the
administrator of the proxy you use and ask who has connected and done this
or that, upon which the administrator would hand over his logfiles (which
nearly ANY proxy keeps) and that would be that. However, proxies are good for
not allowing other users to collect your IP address or other information
about you. They are also useful for sending / uploading data via http or ftp,
and can be used on IRC as well, where many Vxers expose their true identities
and IP addresses to whomever wishes to find them.

-Finding Proxies-

Finding reliable proxies is almost always a daunting task. It will take some
time but consider it a worthwhile investment in the undertaking of the
protection of your freedom. There is no sense in making an elaborate nym
email account and then showing your nick on IRC every day - you defeat your
own purpose, so take the time and do it right. There is a lot of different
software for finding open proxies and wingates by scanning IP masks. Perhaps
the best one is "Proxy Hunter" which you can find at:

http://www.netease.com/~windzh/software/proxyht/download.htm

It is easy to use and very flexible. There are also many sites (which often 
go up and down on a daily basis) which will provide you with new and open 
proxys. Again a little legwork will go a long way. The main ports (usually 
but not limited to) for proxies are as follows:

8080 = http/ftp
1080 = irc (SOCKS) 

Common Wingate Ports:

21 = FTP Proxy Server
23 = Telnet Proxy Server
53 = DNS Proxy Server
80 = WWW Proxy Server
110 = POP3 Proxy Server
808 = Remote Control Service
1080 = SOCKS Proxy Server
1090 = Real Audio Proxy Server
7000 = VDOlive Proxy Server
8000 = XDMA Proxy Server
8010 = Log Service

-HTTP / FTP-

Using a proxy server via http is a very easy process with most of today's
browsers. It may even at times speed up your connection. Also, logfiles taken
by www sites will collect the proxy's IP address and not your own.

In Netscape:

edit | preferences | advanced | proxies | manual configuration | view

will bring you to the field in which you will want to enter the proxy you
have found and wish to use. Simply fill in the "http" and "ftp" fields with
"proxy.someserver.com" with port "8080" and you're good to go. Could it be
made any easier?

M$IE probably has something similar to it, but if you are using M$ products
then you probably don't care about your security/privacy anyhow ;-)

-IRC-

Using proxies in IRC is also quite simple. If you are using mIRC (as most do)
then you can simply go to:

file | options | connect | firewall 

check the "use SOCKS firewall" box, choose "Socks 4" protocol, enter your 
proxy in the "hostname" field (leaving userID and password blank), and enter
port "1080". Hit OK and you're done, again: simple. It's worth noting that
there are also many misconfigured "wingates" running on personal PCs which 
will allow you access on port 1080 which are worth scanning for.

-Footnotes on Proxy Use-

Some proxies are not anonymous, as they will show not only their IP but yours
as well. For this reason you'll want to test your proxy's headers before using
them on http/ftp/irc. Many cgi scripts are available to help you in this
matter; again, check http://home.clear.net.nz/pages/research/sorm.htm for a
list of links to some. Chaining proxies together is highly recommended as
it makes the task of finding the end user (yourself) much more difficult. Using
proxies in linguistically, geographically, and culturally different countries
further complicates and sometimes even defeats tracking efforts. The
price to be paid for this security is a good/reliable/fast connection.
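
The header test described above can be sketched as follows. This is an added
example, not one of the cgi scripts the article links to; the sample requests,
the address 203.0.113.7 and the function names are constructed for
illustration, and only IPv4 addresses are matched.

```python
import ipaddress
import re

# Headers a forwarding proxy commonly adds. Their presence alone tells the
# destination site that a proxy is in use, even when no client IP is included.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "client-ip")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_headers(raw_request):
    """Return {lowercased header name: [values]} from a raw HTTP request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:    # skip the request line
        if not line:                               # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_proxy(raw_request, real_ip):
    """Classify what the destination server learns from the request it received."""
    real = ipaddress.ip_address(real_ip)
    headers = parse_headers(raw_request)
    leaking = []
    for name, values in headers.items():
        # Look in every header, not only the well-known ones.
        for candidate in IPV4_RE.findall(" ".join(values)):
            try:
                if ipaddress.ip_address(candidate) == real and name not in leaking:
                    leaking.append(name)
            except ValueError:                     # e.g. 999.1.1.1 is not an address
                continue
    revealing = [h for h in PROXY_HEADERS if h in headers]
    if leaking:
        verdict = "leaks-ip"           # the site's logfile still gets your address
    elif revealing:
        verdict = "reveals-proxy"      # address hidden, proxy use is visible
    else:
        verdict = "no-proxy-headers"   # request looks like it came from the proxy
    return {"verdict": verdict, "leaking": leaking, "revealing": revealing}


# Constructed sample requests, as a test page behind three different proxies
# would receive them. 203.0.113.7 plays the part of the user's own address.
REAL_IP = "203.0.113.7"
SAMPLES = {
    "transparent": "GET / HTTP/1.0\r\nHost: test.example\r\n"
                   "Via: 1.0 proxy.someserver.com\r\n"
                   "X-Forwarded-For: 203.0.113.7\r\n\r\n",
    "anonymous": "GET / HTTP/1.0\r\nHost: test.example\r\n"
                 "Via: 1.0 proxy.someserver.com\r\n\r\n",
    "clean": "GET / HTTP/1.0\r\nHost: test.example\r\n"
             "User-Agent: Mozilla/4.5\r\n\r\n",
    # A different client's address that merely starts with the same digits.
    "near-miss": "GET / HTTP/1.0\r\nHost: test.example\r\n"
                 "X-Forwarded-For: 203.0.113.70\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, check_proxy(request, REAL_IP))
```

A "no-proxy-headers" result only describes the headers; the proxy's own
logfiles still record the connection, as noted earlier.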



*** PART TWO: NYMS ***

-Understanding, Creating, and managing Nym Accounts-

*Note: You should have a working knowledge of how anonymous remailers are
used and function before attempting to set up a nym account. If you don't,
Lord Natas has written a good tutorial on it called "Intro to e-mail and
usenet anonymity" which is located in Codbrk#4. A working understanding of
PGP's public/private key system is also needed. This tutorial is a "next
step" as I'll be showing you step-by-step how to set up and use your nym
account with client software.*

-What is a nym account?-

A nym account is essentially an anonymous pseudonym email account. It is the
absolute best way to send and receive email anonymously. It's by far the most
secure way to remain anonymous while communicating with others. Below is
a description from the nym.alias.net helpfile (to receive it in its entirety
send an email to help@nym.alias.net):

<-snip->

    The nym.alias.net server allows you to send and receive E-mail
    pseudonymously through a username of your choice on nym.alias.net. If,
    for instance, you choose username <yournym@nym.alias.net>, you will be
    able to send and receive E-mail at that address, and even get fingered
    at that address.

    The system is designed to prevent anyone, even the administrators of
    nym.alias.net, from finding out the real person behind any mail alias.
    If you use this service properly, an adversary will have to compromise
    multiple remailers operated by different people in order to find out
    your real identity.

    For each mail alias or "nym" (short for pseudonym) on nym.alias.net, the
    server has on file a PGP public key, a reply block, and a few
    configuration parameters. The PGP public key is used to authenticate
    both configuration requests for your nym and outgoing messages you wish
    to send from your nym.alias.net address. Such messages should be sent to
    nym.alias.net anonymously, to avoid any connection between your real E-
    mail address and your pseudonym. The PGP key can also be used to encrypt
    any mail received for <yournym@nym.alias.net> before that mail is
    forwarded to you through the remailer network.

    The reply block contains instructions for sending mail to your real E-
    mail address (or to a newsgroup such as alt.anonymous.messages if you
    want your mail delivered there). These instructions are successively
    encrypted for a series of so-called Type-1 remailers in such a way that
    each remailer can only see the identity of the next hop. To send you an
    E-mail message (after optionally encrypting it with your nym's PGP key),
    the server will prepend your reply-block to that message and feed the
    result directly to the Type-1 remailer <remail@anon.lcs.mit.edu>. [Note
    that this remailer is reserved for use by nym.alias.net aliases and
    people debugging their reply-blocks, so you shouldn't see it listed in
    any of the standard remailer lists.]

    Thus, mail you send to nym.alias.net arrives anonymously through the
    remailer network. Mail you receive from nym.alias.net leaves the server
    with an encrypted reply block, and can be sent either directly to you or
    to a message pool such as the newsgroup alt.anonymous.messages. When
    used properly, therefore, nym.alias.net provides the convenience of an
    ordinary E-mail address with a strong assurance that your true identity
    will remain a secret.

<-snip->

OK, so that might be too much jargon for some, let's break it all down.

-How do nym accounts work and why are they so secure?-

Nym accounts use a combination of anonymous remailers, a main (nym) server,
and PGP encryption in order to maintain your anonymity. The reason nym
servers are so secure is due to the fact that even the administrators of
your nym account and the remailers you use never know your true identity. 

First let me show you a small chart illustrating how an email is sent from a 
plain old anonymous remailer:

  your email    --->    remailer   --->     recipient

|-----------|        |-----------|       |------------|
|headers    |        |xxxxxxxxxxx|       |remailer    |
|-----------|        |-----------|       |header      |
|your       |  --->  |your       | --->  |------------|
|message    |        |message    |       |your        |
|-----------|        |-----------|       |message     |
                                         |------------|

Essentially what occurs when you send an email through an anonymous remailer
is this: 

1)You send an email from your email account to the anonymous remailer.

2)The remailer first strips your headers from the email (the headers from
your email give vital information by which you can be identified, such
as your true email address, SMTP server, and IP address).

3)The remailer then resends the email to the person to whom you addressed
it, along with its headers.

When the mail is received it looks something like this:
-----------------------------------------------------------------------
X-From_: remailer@mail.replay.com Sat Apr 03 03:03:03 1999

Date: Sun, 13 Apr 1999 03:13:13 +0200 (EST)

From: Anonymous <nobody@replay.com>

Comments: This message did not originate from the Sender address above.
	It was remailed automatically by anonymizing remailer software.
	Please report problems or inappropriate use to the
	remailer administrator at <abuse@replay.com>.

Subject: Yer secret admirer

To: GillBates@Micro$ux.com

Your OS sucks rocks. Please stick it where the sun don't shine.
Love,
Some guy who got stuck with a win box.
-----------------------------------------------------------------------

Now when you are using a nym server you are (generally) chaining remailers
together, using PGP encryption for each remailer "hop", as well as to/from
your nym server. This adds increasing safety, anonymity, and privacy to the
above example. The added safety of a nym account comes from the fact that:

1)the ISP on which your POP3 email account is located can no longer
read/monitor your email since all incoming and outgoing email is PGP 
encrypted either before it is sent to your SMTP or by the nym server 
before delivery to your POP3.

2)People you send email to can no longer check the header of your email
to find out your IP address or other information about you as all headers
will lead back to your nym address and the nym server (more on why this is
safe later).

Here is a chart showing how an email is sent from your nym account:

(Remember: all remailers remove headers from recipient)

    You       -->  Remailer #1  --> Remailer #2   -->  Nym server

|-----------|     |-----------|     |-----------|     |-----------|
|Mail from  |     |Decrypts   |     |Decrypts   |     |Decrypts   |
|you (PGP   |     |mail which |     |mail which |     |mail which |
|encrypted) | --> |reveals    | --> |reveals    | --> |reveals    | --|
|           |     |encrypted  |     |encrypted  |     |original   |   |
|           |     |mail to    |     |mail to    |     |email to   |   |
|           |     |remailer #2|     |nym server |     |recipient  |   |
|-----------|     |-----------|     |-----------|     |-----------|   |
                                                                      |
  Recipient                                                           |
|-----------|                                                         |
|Your email |                                                         |
|from your  |                                                         |
|nym with   |  <------------------------------------------------------|
|nym headers|
|(anonymous)|
|           |
|-----------|

When you send a nym mail, it is encrypted with the PGP public key of each
remailer in your chain as well as the nym server. You can use as many or
as few remailers as you like; the more remailers you use the more anonymous
you become but the less likely it is that your mail will be sent properly. 
The fewer remailers you use the more likely your mail is to be delivered
properly, but the "easier" it becomes to compromise your anonymity.

If you were to send the above email it would be packaged (encrypted) like 
this:

|-------------------------------------|
|            REMAILER 1               |
|  |------------------------------|   |
|  |         REMAILER 2           |   |
|  |  |------------------------|  |   |
|  |  |      NYM SERVER        |  |   |
|  |  |  |------------------|  |  |   |
|  |  |  |     MESSAGE      |  |  |   |
|  |  |  |------------------|  |  |   |
|  |  |      NYM SERVER        |  |   |
|  |  |------------------------|  |   |
|  |         REMAILER 2           |   |
|  |------------------------------|   |
|            REMAILER 1               | 
|-------------------------------------|    

Each layer in the above chart is a layer of encryption (except for the
final message to be delivered). As you can see from the above charts,
remailer #1 never knows where the email's final destination is (i.e. who the
final recipient is), nor the contents of the message being sent. It only
knows that it must forward the encrypted email to the next "hop". When
remailer #2 receives the email it doesn't know where the email originated
(i.e. from you) as all original headers have been stripped from it by
remailer #1. Furthermore, it doesn't know the contents of the message nor
the final recipient; it only knows it must forward the encrypted email to
the nym server. Once the nym server receives the email it decrypts it, and
forwards it to the final recipient under your nym address's name
(i.e. you@nym.alias.net). However, the nym server doesn't know where the email
originated or how many remailers it had gone through before being delivered
to the nym server (as each remailer strips the headers from the previous one),
making it virtually impossible to link the original sender with his or her
nym account. The way the nym server knows to send under your nym address is
by matching the signed message with your public key which is stored on the
nym server. Your tracks can be further obscured by using remailer options
such as adding "junk" to each message so the email size cannot be monitored
and compared to email sent by you, or latency could be added to each hop
so your email is sent while you are offline.

As you can see, this is probably the most secure system available.
To compromise a nym account user one would have to:

1)compromise the nym server (to obtain the nym's PGP private key and your 
  reply-block).

2)Decrypt your reply block to find the next remailer in your chain,

3)compromise each following remailer by obtaining its PGP secret key until 
  the last one storing your real email address is found.

In other words, each hop and nym server used would have to be compromised in
order to reveal your true identity, which, as long as you use good, trusted
remailers in good chains, should never happen (i.e. you are relying on the
integrity of the remailers for your anonymity more than the nym server. As
long as the remailers don't compromise you, the nym server could offer up no
information leading to you). It is feasible to say that it would be unlikely
that even people of great authority (i.e. government agencies etc.) could trace
a nym account back to its originator/owner if properly used, and for the
"common man" it is virtually impossible to trace. In short: no better system
to ensure anonymity exists to date.

*However it is worth noting that there is much speculation as to the
ability, or lack thereof, of such organizations as the NSA and other
governments' cryptography agencies to crack PGP and/or other strong encryption
algorithms. To date no public demonstration of this has been seen or
heard of though. Also, there is speculation (some factual, most rumor) that
governments oftentimes run remailers themselves to monitor remailer traffic.
While they may not be able to read the encrypted data sent through the
remailers, it certainly helps analysis of certain people, events, etc. In
other words: investigate and use trusted public remailers.*

In either case the most "likely" attack would be that of "mail traffic
monitoring" on remailers and your ISP's connection. These are highly
technical, and cost a great deal of money to conduct, so it is unlikely
unless you are involved in some crazed international conspiracies or whatnot.
Again, using remailers in several different countries is quite advisable, as
it further complicates the process and in most cases halts any government's
jurisdiction. To read more on mixmaster and remailer attacks check out:

http://www.obscura.com/~loki/remailer/remailer-essay.html


-Alright, now what about receiving email?- 

Well, when you set up a nym account you send the nym server 3 things:

1)your PGP public key which will be used to encrypt your mail.

2)the configurations which you wish your nym account to use.

3)a reply-block with which to deliver your mail.

Your PGP public key is used by the nym server in encrypting the mail sent
to you. Your configurations are the options which you want the nym server 
to use. And your reply block is what is used by the nym server to forward
your email to you (anonymously). 

Here's a chart showing how an email sent to you works with a nym account: 

         (Numbers "[ ]" in each box coincide with numbers below)

|-----------|     |-----------|     |-----------|     |-----------|
|           |     |           |     |           |     |           |
|  Sender   | --> |Nym Server | --> |Remailer #1| --> |Remailer #2| --|
|   [1]     |     |    [2]    |     |    [3]    |     |    [4]    |   |
|           |     |           |     |           |     |           |   |
|-----------|     |-----------|     |-----------|     |-----------|   |
                                                                      |
|-----------|                                                         |
|           |                                                         |
|   You     |  <------------------------------------------------------|
|   [5]     |
|           |
|-----------|

1)A plain old email addressed to you @ your nym address.

2)The Nym server encrypts the email to your PGP key, and additionally 
conventionally encrypts it using a 128 bit IDEA encryption passphrase, 
decrypts the 1st layer of your reply block and sends it to the next remailer.

3)Remailer #1 encrypts the received email using another conventional 
encryption passphrase, and then decrypts the 2nd layer of the reply block 
and sends it on to the next remailer.

4)Remailer #2 adds another layer of conventional encryption (with yet another
passphrase), decrypts the final layer of your reply block and sends it to 
your real email address.

5)When you receive the email it has 3 layers of conventional encryption plus
one layer of PGP public key encryption.

*Note: You can receive your email without having each remailer conventionally
encrypt it (i.e. only encrypted by the nym server with your public key) but it
is senseless to do so since you would be sacrificing a great deal of security
for no particular reason. It is much more secure to have each remailer use
conventional encryption (i.e. 128 bit IDEA encryption) and there are no
drawbacks other than the time it takes to decrypt by hand (this is of no
concern to us since we will be using client software which automates the
entire process).*

Make sense? I hope so. The real strength in this system is, again, in the
chain of remailers. The nym server never knows your final delivery address;
it can only see the next hop in the chain, and the remailers can only see the
previous hop. This is accomplished by the fact that each hop in your reply
block can only read ITS portion of your reply block, and therefore never is
allowed access to the entire chain. This makes NYM accounts a VERY secure
system which would take a lot more money, energy, and luck to compromise than
most gov't agencies have available to them or are willing to spend on you
(i.e. mission accomplished!).
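
The reply-block delivery steps [1]-[5] above, and the layered packaging shown
earlier for outgoing mail, modelled as an added example (not code from
nym.alias.net, JBN or the author). The hash-based stream cipher is a toy
stand-in for PGP and IDEA, each hop's single key stands in for its PGP key
pair, and all hop names, keys, passphrases and addresses are constructed.

```python
import hashlib
import hmac
import json


def _stream(key, n):
    """SHA-256 counter keystream. Toy stand-in for PGP/IDEA, NOT real crypto."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, data):
    """Encrypt and tag one layer so that only the holder of `key` can open it."""
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct


def unseal(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key for this layer")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))


# Constructed sample values; none of these are real hosts, keys or addresses.
HOP_KEYS = {
    "nym-server": b"key-of-nym-server",
    "remailer-1": b"key-of-remailer-1",
    "remailer-2": b"key-of-remailer-2",
}
NYM_KEY = b"users-nym-key"            # stands in for the nym's PGP key
REAL_ADDRESS = "user@pop3.example"    # known only to the user and the last hop
CHAIN = ["nym-server", "remailer-1", "remailer-2"]
PASSPHRASES = ["phrase-zero", "phrase-one", "phrase-two"]   # chosen by the user


def build_reply_block(chain, final_address, passphrases):
    """Wrap the routing innermost-first; each layer is readable by one hop only."""
    next_hops = chain[1:] + [final_address]
    inner = b""
    for hop, nxt, phrase in reversed(list(zip(chain, next_hops, passphrases))):
        layer = {"next": nxt, "encrypt_key": phrase, "inner": inner.hex()}
        inner = seal(HOP_KEYS[hop], json.dumps(layer).encode())
    return inner


def deliver(reply_block, first_hop, message):
    """Walk the chain. Returns (final address, layered body, what each hop saw)."""
    views = {}
    body = seal(NYM_KEY, message)            # [2] encrypted to the user's key
    hop, block = first_hop, reply_block
    while hop in HOP_KEYS:
        layer = json.loads(unseal(HOP_KEYS[hop], block))    # peel own layer only
        views[hop] = layer
        body = seal(layer["encrypt_key"].encode(), body)    # add one body layer
        hop, block = layer["next"], bytes.fromhex(layer["inner"])
    return hop, body, views


def open_mail(body, passphrases):
    """[5] The user strips the conventional layers, outermost first, then the key layer."""
    for phrase in reversed(passphrases):
        body = unseal(phrase.encode(), body)
    return unseal(NYM_KEY, body)


if __name__ == "__main__":
    block = build_reply_block(CHAIN, REAL_ADDRESS, PASSPHRASES)
    dest, body, views = deliver(block, CHAIN[0], b"mail for the nym")
    for hop in CHAIN:
        print(hop, "forwards to", views[hop]["next"])
    print("delivered to", dest, "->", open_mail(body, PASSPHRASES))
```

The only layer that contains the real address is the one sealed for the last
remailer, which is why an attacker has to work through every hop in turn.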

-What you will need-

Now, as you can see from my above charts and explanation, sending and
receiving email via a nym account is quite complicated and would be very
time consuming to do entirely by hand (though it IS possible to do so). But
why break your back on your nym account when there is client software
available to make using a nym address almost as easy as using eudora and a
regular pop3? Exactly! So here's what you will need to use and manage a nym
account on a win3.x, win9.x, or win.NT box (there is client software for
managing nym accounts available for *nix boxes as well, but that is beyond
the scope of this article; "premail" is one, however):

1) PGP 2.6.2 (for DOS), also 2.6.2i, or 2.6.3 will work. Pretty much any
DOS version of PGP will do, but I would not use anything earlier than 2.6.2.
Also, please check the export/import laws of your country regarding
cryptography before downloading PGP (there are also international versions
for those outside of the USA). Here is one reliable location you can
download PGP 2.6.2 from:

ftp://ftp.replay.com/pub/crypto/pgp/OLD/pc/dos/pgp262.zip

2) Jack B Nymble 1.3.6 (aka JBN). This is your nym client software. It is an 
AMAZING program, and is, of course, freeware. You can download it from:

ftp://ftp.efga.org/privacy/potato/jbn136.zip

or

ftp://ftp.skuz.net/pub/potato/jbn136.zip
 
There is, at this time, a JBN v2.0 beta which is compatible with versions of 
PGP for Windows. HOWEVER; I do not recommend using it as it has limited 
capabilities and has not been as thoroughly tested as JBN 1.3.6. More info
about JBN and other help on setting up a nym account with it can be found at: 

http://www.skuz.net/potatoware/jbn/index.html.

That's all you'll need! Now it's worth mentioning that you'll be using an RSA
key with PGP 2.6.2 and your nym account rather than a Diffie-Hellman/DSS so 
it's really worth getting a windows version of PGP that supports RSA (ie: PGP 
for personal privacy RSA 6.0.2 also available at ftp.replay.com) if you wish 
to have a windows version of PGP on your system as well.

3) A pop3 email account. This is not entirely necessary, as you can get your
mail forwarded to a usenet newsgroup, such as alt.anonymous.messages so even
if each remailer and your nym server were to be compromised, your mail would
only lead to a usenet newsgroup. This is a bit more inconvenient though,
and I recommend you get a pop3 email account used ONLY for sending and
receiving your nym email (keep a separate one for other purposes if you 
like). Many free pop3 email accounts are available on the net. Just do a
search for "free pop3 email" and you should find a variety of choices.

-Installing the software-

OK, now I'm gonna quickly walk you through the installation of your PGP and
JBN just to make sure we are on the same page. First, unzip PGP26.zip. If you
are using my PGP26.zip there will be a setup.txt file, a pgp262i.asc (for 
verifying that pgp has not been tampered with) as well as another zip
file named PGP262i.zip. Unzip the contents of this file and place them in a 
dir named: C:\pgp262i. Next you will need to add a few lines to your 
autoexec.bat. These are the lines you want to add:

SET PGPPATH=C:\PGP262i
SET PATH=C:\PGP262i;%PATH%

You will also want to set your timezone in autoexec.bat; pick the line for
the location closest to you and add that line to your autoexec.bat:

For Los Angeles:  SET TZ=PST8PDT
For Denver:       SET TZ=MST7MDT
For Arizona:      SET TZ=MST7 (Arizona never uses daylight savings time)
For Chicago:      SET TZ=CST6CDT
For New York:     SET TZ=EST5EDT
For London:       SET TZ=GMT0BST
For Amsterdam:    SET TZ=MET-1DST
For Moscow:       SET TZ=MSK-3MSD
For Auckland:     SET TZ=NZT-13

*Don't forget to save your changes to autoexec.bat once you are through*

Now PGP is installed. Next you can unzip JBN136.zip and install it. 
JBN has a nice little automated setup as do most windows programs. Just
sit back and let it install itself. I would recommend that you install JBN
into its default path C:\JBN (to avoid confusion). Now go ahead and reboot
your system to let the changes to autoexec.bat kick in.

-Setting up JBN and your Nym-

Ok there are a number of preparatory steps we must make before the actual
setting up and use of your nym account. 

-Choosing Your Nym Server and Email Address-

The first thing you'll need to do is decide which nym server you want to use 
and what you want your email account to be named. There are only 3 nym 
servers that are available to the public at this time. 

The following is vital info about each nym server:
------------

NYM.ALIAS.NET -Located at MIT university in Massachusetts, USA.
URL:                    http://www.publius.net
Helpfile:               help@nym.alias.net
List of used nyms:      list@nym.alias.net
Send config file to:    config@nym.alias.net 
                 or:    send@nym.alias.net

------------

REDNECK.EFGA.ORG -Located at Electronic Frontiers Georgia in Georgia, USA.
URL:                    http://anon.efga.org/ or www.efga.org
Helpfile:               help@redneck.efga.org
List of used nyms:      list@redneck.efga.org
Send config file to:    config@redneck.efga.org

------------

DONGCO.HYPERREAL.ART.PL -Located in Poland.
URL:                    http://www.hyperreal.art.pl/cypher/remailer/nym.html
Helpfile:               help@dongco.hyperreal.art.pl
List of used nyms:      list@dongco.hyperreal.art.pl
Send config file to:    config@dongco.hyperreal.art.pl 
                 or:    send@dongco.hyperreal.art.pl

------------

Of these 3 nym servers I have used both nym.alias.net and redneck.efga.org.
Both of these nym servers are quite reputable within the crypto/anon 
community. I have never used dongco.hyperreal.art.pl as it seems to go down
quite often. Either one, nym.alias.net or redneck.efga.org, seems to be a 
good choice. Pick the nym server you want to use and then the full name of
your email address (example: YourName@nym.alias.net). Next send a blank email
to list@nym.alias.net (or the list address of whichever nym server you 
choose), and check the list of used nym names sent back by the nym server to
make sure your nym name isn't already used.

-Making Your PGP Key-

The second thing we will do is make a PGP key to be used with your nym 
account using JBN.  Go ahead and open up JBN and goto: Window | Nym Accounts
and click on the button on the right side of the box which says "Create Key" 
(duh). This will open up a PGP Dos box to create your key. You probably want 
to make the strongest key possible, so at the prompt type: "2048" and press
enter. *Note: on international versions of PGP (PGP 262i) you will actually
end up with a 2047 bit key; don't ask me why (it is rumored to be a "bug"), 
but it's really of little consequence as it would take an enormous amount of 
time/money/energy for even a government facility to crack 2047 bit key 
encryption (ie: you shouldn't sweat it too much).* Next PGP will ask you for 
an ID for your public key. This should be your name and your intended nym 
account address in brackets. Example: Joe Blow <JoeBlow@nym.alias.net>
Next PGP will prompt you for a passphrase. I will only say this once:
MAKE YOUR PASSPHRASE AS STRONG, LONG, AND VARIABLE AS POSSIBLE! This means
combinations of numbers, letters, words, special characters etc. etc. If 
your passphrase is strong enough even if every remailer, nym server, and
your computer itself were to be compromised your email would remain 
uncrackable. But, I'm not your mother so that's the last I'll say about it.
After entering your passphrase PGP will ask you to supply a large number of 
random bytes by typing random text on your keyboard. Do so (duh). After
you finish PGP will generate your key.

-Getting Remailer public keys-

The third thing we need to do is to get all the remailers' PGP public keys 
using JBN. Now goto: Options | Global Settings | Remailers Tab. 

For the space that has "Cypherpunk Keys URL" enter:
http://anon.efga.org/~rlist/pubring.asc

For "Cypherpunk Statistics URLs" enter these three:
Finger: rlist@anon.efga.org
Finger: rlist@publius.net
Finger: rlist@anon.lcs.mit.edu

Then hit the "update" button. The "Cypherpunk Keys URL" is the address from
which we will be collecting all the current remailer public keys. The 
"Cypherpunk Statistics URLs" are the addresses where we will collect
statistics on remailer reliability, options, lag-time, etc on a regular basis
when using our nym account (keeping updated stats helps to insure us against
losing mail to troubled remailers). The addresses listed above have been
the most reliable in my experience, but in case one or more of them fail
you in the future JBN has a list of alternatives which you can choose from on
the scroll down menu.

Next goto: Window | Stat Book | Tools | Update Cpunk Keys. This will bring 
up a PGP Dos session which will ask you: "Do you want to add this keyfile
to your keyring 'C:\PGP262i\pubring.pgp' <y/N>?" Say Yes. Next PGP will come
up with a user ID for a remailer and ask you if you want to: "Add this user
ID <y/N>?" Again say yes. Then PGP will ask you how much you trust this key's
authenticity. You can choose whichever answer you want but I would suggest
you choose "1= I dont know" since you don't. After which PGP will ask you
if you want to sign each key with your key. Each time you will want to say
"yes" and sign each individual key (this is important to do now). It will 
take a bit of time, but is necessary, and you will only have to go through
the process once. Each time a new key is brought up it will ask you your
trust level, if you want to sign the key, and then for your passphrase so
you may sign the key. Once this process is done you can update your remailer
stats by going to: Window | Stat Book | Update just so we have everything 
in JBN updated and ready to go.

-Giving JBN your Info-

Next we need to tell JBN how we want to send/receive email. Goto: 
Options | User Profile. In the "SMTP-1" tab enter your real email address, 
and SMTP server; just as you would in any other mail client. The rest of the 
fields on this tab are optional and can be left blank. Next goto the "POP3-1"
tab. Enter your POP3 server, username, and password. Also there is the option
of deleting mail from the server on retrieval and checking email every X 
minutes. Now press the "Active" button in, and press the "Update" button.

-Making your nym configuration file-

O.K, now we have everything we need in place to make your nym configuration
file (your actual nym request to the nym server). Goto the main window in
JBN, click the "Nym Folder" Tab, then in the "Nym Books" double-click 
"Default.nbk". This will open up the default notebook in another window which 
we will be making our Nym account with. In the "Default -Nym Book" window
goto Edit | Clear Book | OK, which clears the book so we can make our new
nym account configurations. 

-In the "From:" field type your nym address (example: JoeBlow@nym.alias.net). 

-Click the "*" button next to the "UserID" field and choose your PGP key
 from the list. Then make sure that the "send key" box is checked (this is 
 very important).

-Make sure the "Nym-Commands" box is checked as well as the boxes:
 "Create?", "Acksend", and "Cryptrecv"

-Now fill in the "Name:" field with your nym address name (example: joeblow)
 NOT your full address, only your nym name (ie: everything before the "@").

-Making your reply block-

Next thing to do is make your reply block/blocks which the nym server will
use to send mail to you.  For this we will have to choose certain remailers
to use and give the conventional encryption keys we want them to use as 
well. You can have more than 1 reply block, which ensures that if one of 
the remailers in your reply block goes down you will still receive your 
email from the other reply block (unless a remailer in each reply block 
goes down). However you will receive 2 copies of each email (if you use 2 
reply blocks). I'd suggest using 2 reply blocks in order to prevent loss of
mail.

-Make sure "Reply-Block" box is checked and make certain "block" field is
 "1*" and that the "Active" button is pushed in and highlighted in red.  
 
-In the green box "nym server" should be listed. We want to create a random
 conventional encryption key for the nym server to use. So first click on 
 "Nym-Server" so it is highlighted blue.

-Now click the "R" button to the right of the "Encrypt-Key" field to 
 generate a random 128 bit key. You may be prompted for some random 
 keystrokes. If you are, enter some. Once some text enters into the  
 "Encrypt-Key" field (such as: "IlO0+8FYcvLpNqBT6Mzv6G") press the "Add"
 button, which adds the key to the nym server portion of the reply block.

-Now we will add a remailer to our reply block (I will only show you how to
 add one, but you may choose however many you like repeating this exact step 
 for each remailer). In the "Remailers" field press the down arrow which will 
 give you a list of current remailers and their stats. The more reliable will
 be listed at the top with the least at the bottom. Select the most reliable 
 one from the list and then press "Add". Now press the "R" button again to 
 generate another random key. Then press "Set" to add the key to that 
 remailer. Repeat this process for each remailer you want to add to your 
 chain.

-Making Additional Reply Blocks-

 To add another reply block simply goto the "Block" field in the 
 "Reply-Block" section and choose "2" (or appropriate number), press the
 "activate" button in, and repeat the above process of adding remailers.

-Final Headers-

 Once you're completely done adding remailers to your reply block(s) you 
 need to add the final address which you want your mail delivered to (ie: 
 your real email address). You can do this by making sure the line in the 
 "Final Headers" section says "Request-Remailing-To:" and enter your real 
 email address (ie: joeblow@MyRealEmail.com). You also have the option of 
 getting your email delivered to a newsgroup (such as alt.anonymous.messages) 
 with a certain subject line of your choosing (subject: My Secret Mail). 
 This can be done by using "Anon-Post-To" and "Post-To:" in the "Final Headers" 
 section and entering the needed information (more info on this in the JBN 
 help file and knowledge base). *Note: Be sure you fill out the "Final 
 Headers" section for EACH reply block you make.*
 
-Saving Your Nym Book-

 Now that all the information you need has been entered in, it is time to 
 save your nym book. Simply goto: File | Save Book As | and enter: MyNym.NBK

-Running Your Nym Book-

 Running your Nym book will open up the actual email which you will send
 to the nym server to request your nym address (ie: your config request). 
 To run your nym book press the "& Open" button. This will open a dos box 
 for a moment and then open another JBN window. It will be addressed to
 config@nym.alias.net (or whichever nym you chose). And it will contain your
 Nym request, including your pgp public key, your configurations, and your
 encrypted reply block. The message will look something like this:

-------------------------------------------------------------------------- 
Config:
From: JoeBlow
Nym-Commands: create? +acksend -signsend +cryptrecv -fixedsize -fingerkey 
              -nobcc -disable 
              name="JoeBlow"
Public-Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

GYUNYTBu5688y9hi88798GN567rt87Og65N4746RFGTYIUN455Wuytnrttftfyuykhi
JKHNtyfy6tg78NOUPpm8Mgi65ir8768yu9=MuNUBD4t4VY56tfybjuihnUryh5r56B67
HIUyug65G85tg989PU87n5r6G4r58T678Y887j867j88JMyT7UliJIMUJ
UHGby545
-----END PGP PUBLIC KEY BLOCK-----
Reply-Block:
::
Request-Remailing-To: remailer@someplace.net
Encrypt-Key: hiuLhhu656jjhN67ljm;Klg7jy                    

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

TGhvInjlM;K0[m89Y678fBJYJhp880-o],[PMUIMNtygyuBUinbUN7b89UnMTFvgbiIJN9I
UJYGbyjHKjjiollmyiuftgyh7809TN56gbih87UINJPM89MO;JHNYBERtrfG67BIUBNH7
jhnuJNGHtytuGU8NH88o546teD5TrvGHYHKjm;p'""?.PPLo9k8jUHYuggT677yh78HU
nbyue45gf4685GT8I6GYUKBfg567tYBG UF6VYTgbbnhbYg8bv463s5YTFg87h7nN9
gvbhvTYBTGbkuHNuniNHBg7T68e645YUhtgyn
=yu8i67INhni
-----END PGP MESSAGE-----

**

Reply-Block:
::
Request-Remailing-To: remailer@somewhere.org
Encrypt-Key: NKJ87y5r6dtyrgh89p78Om
                     
::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

KHJNGyjuhbjtYN9ny6789Tgf8n7NUIJu97uj98Y8h97ti6GVYhbwgzyw4f35G6T6yhnih
UHNynNJIULynomPU98n86548G657yhN67T6Hg7458G67Y87hngh568797n8n96YU
munhyITIG87iybB88g768ybG56845R8i867btFGB645g7v685rt7iGUYNHb6gV54E76R
hknbgTYVDT45754465Itv6yF787b968UHNIgbygvtfcQA3WC4ERtgyjykuhJMU8hm6n9
JGT5BIG56FVtc345F6YTGB67G685T7IYbftvyFEU5ut6f6G756t7uuyGHiy8NHIYH8hgj
BGvb5uyYTUBYIn89mMN8u8j9NHYTHgi7RF5ED6f75G8tiur8GIt87yBGF45FGR5
,jhkuimNYJUGYBH9
=NLKt6yj
-----END PGP MESSAGE-----

**
--------------------------------------------------------------------------

This is the critical point at which we will be sending our request. So
DON'T change anything in the opened book. Simply pick 2 (minimum) remailers 
from the "remailer" pull down menu and press the "add" button to add them 
(there is no need to add crypt keys as you did with your reply block, JBN 
will automatically encrypt your message to each remailer you choose). After 
you have added a few remailers to send your configuration request through 
(so the nym server won't know where the request really came from) press the 
"& Send" button. This will open up a DOS session and you will be prompted 
for your PGP secret passphrase. After entering it the message will be
completed and you can watch the progress of JBN connecting to your SMTP and
sending your message at the bottom of the nym book window. Now the hardest 
part is over. You can now sit back and wait for a reply from the nym server.
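
A check you could run over the plaintext request before it is encrypted and
sent, as an added example (not part of the original article and not a JBN
feature): a Python parser for the layout shown above that reports missing
pieces. The function names and the sample addresses and keys are made up for
illustration; the checks are limited to what the sample message shows.

```python
import re

def sample_block(addr, key):
    # Constructed reply block in the layout shown above; the PGP body is a placeholder.
    return ("Reply-Block:\n::\n"
            f"Request-Remailing-To: {addr}\nEncrypt-Key: {key}\n\n"
            "::\nEncrypted: PGP\n\n-----BEGIN PGP MESSAGE-----\n(placeholder)\n"
            "-----END PGP MESSAGE-----\n\n**\n")

# Constructed sample request (addresses and keys are made up).
SAMPLE = ("Config:\nFrom: JoeBlow\n"
          "Nym-Commands: create? +acksend -signsend +cryptrecv -fixedsize\n"
          '              -nobcc -disable\n              name="JoeBlow"\n'
          "Public-Key:\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n"
          "-----END PGP PUBLIC KEY BLOCK-----\n"
          + sample_block("remailer@someplace.example", "constructed-key-one") + "\n"
          + sample_block("remailer@somewhere.example", "constructed-key-two"))

def parse_config(text):
    """Split a config request into its Nym-Commands and its reply blocks."""
    head, *rest = re.split(r"^Reply-Block:[ \t]*\n", text, flags=re.M)
    m = re.search(r"^Nym-Commands:(.*?)^Public-Key:", head, flags=re.M | re.S)
    blocks = []
    for raw in rest:
        # Everything before the "**" line belongs to this reply block.
        parts = re.split(r"^\*\*[ \t]*$", raw, maxsplit=1, flags=re.M)
        # The first "::" section holds the headers the nym server itself reads.
        first = re.split(r"\n[ \t]*\n", parts[0], maxsplit=1)[0]
        hdrs = dict(re.findall(r"^([A-Za-z-]+):[ \t]*(\S.*?)[ \t]*$", first, flags=re.M))
        blocks.append({
            "next_hop": hdrs.get("Request-Remailing-To"),
            "key": hdrs.get("Encrypt-Key"),
            "has_pgp": "-----BEGIN PGP MESSAGE-----" in parts[0],
            "terminated": len(parts) == 2,
        })
    return {
        "commands": m.group(1).split() if m else [],
        "has_public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----" in head,
        "blocks": blocks,
    }

def lint_config(text):
    """Return the problems found; an empty list means the request looks complete."""
    cfg, problems = parse_config(text), []
    if "+cryptrecv" not in cfg["commands"]:
        problems.append("cryptrecv is not enabled")
    if not cfg["has_public_key"]:
        problems.append("no PGP public key block")
    if not cfg["blocks"]:
        problems.append("no reply block")
    for n, blk in enumerate(cfg["blocks"], 1):
        if not blk["next_hop"]:
            problems.append(f"reply block {n}: no Request-Remailing-To")
        if not blk["key"]:
            problems.append(f"reply block {n}: no Encrypt-Key for the nym server")
        if not blk["has_pgp"]:
            # Without an encrypted portion the first header is the last hop,
            # so the nym server would be holding the delivery address itself.
            problems.append(f"reply block {n}: no PGP-encrypted portion")
        if not blk["terminated"]:
            problems.append(f"reply block {n}: missing ** terminator")
    return problems

if __name__ == "__main__":
    print(lint_config(SAMPLE) or "request looks complete")
```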

Once the nym server receives your configuration request you will receive
an email which looks something like this:

--------------------------------------------------------------------------
To: joeblow@nym.alias.net
Date: Sun Apr 13 13:13:13 1999 EST
From: config@nym.alias.net

Your configuration request completed successfully.

A new reply block has been received for your mail alias, but has not
yet been activated.  In order to start receiving mail with your new
reply block, you must confirm it by sending an (anonymous) E-mail
message to the following address:

   confirm+a4ba2b13bc8934ab@nym.alias.net

The contents of the message can be anything.  Any message delivered to
this address will activate your reply block.

=====END PGP MESSAGE=====
--------------------------------------------------------------------------

Next you will send an email to the address given (in this case: 
confirm+a4ba2b13bc8934ab@nym.alias.net), which will activate your nym account.
You can send an anonymous email from JBN by opening the default.bk message
book, filling in the recipient headers, adding your remailers and pressing
"& Send".

Once the nym server receives your confirmation email you will be sent a 
message which looks similar to this:

--------------------------------------------------------------------------
To: joeblow@nym.alias.net
Date: Mon Apr 13 13:13:13 1999 EST
From: confirm@nym.alias.net

Your new reply block has been confirmed and installed.  Your mail
alias is currently active.

=====END PGP MESSAGE=====
--------------------------------------------------------------------------

This indicates that your nym address is active and functional. You now have
a new email address (and the most secure type in the world no less). 

-Receiving, Decrypting, and Viewing Email with JBN-

I highly recommend that you use JBN for all sending and receiving of your
nym mail as it will make your life much easier. To check your mail with
JBN simply goto: Tools | Check Email (or Ctrl+E). To view your mail goto:
Window | View Mail (or Ctrl+M). When you receive mail it will be encrypted
(not only to your PGP key but also with several layers of conventional 
encryption). To decrypt your mail highlight the message in the "inbox" and
"right-click" on the mouse and choose "decrypt" from the menu that appears.
The layers of conventional encryption will be decrypted and you will be
prompted for your PGP secret passphrase (unless you have saved it in the
registry, which I DON'T recommend). You have a lot of options on how to store
your mail, such as wiping the decrypt (so you only store encrypted emails),
and the nice option of secure wiping entire messages.

-Sending Email From Your Nym Account-

To send mail from your nym account open your "MyNym.NBK" and press the
"& Open" button. Next goto: Edit | Clear All Text. Now in the "From:" field
enter your nym address or choose it from the pull-down menu. Now clear the
"To:" field. Then goto: File | Save As | and enter: "MyNym.BK". Now 
whenever you want to send mail you can simply open MyNym.BK and enter the 
recipient in the "To:" field and send mail as you would with any other email
client. However, each time you send mail you want to update your stats 
(Window | Stats Book | Update) and choose a few reliable remailers and
add them to your chain (as you did when you sent your configuration request).
When you finish adding remailers and your message just press the "& send" 
button and your message is sent. Simple! *Note: It is also quite simple to
post to usenet with JBN by choosing a "mail2news" remailer in the "To:"
field and entering the subject and newsgroup in the fields below it.*

-Nym Conclusions-

At first using a nym account can be confusing. There are many options you
have and it can get overwhelming. But just play around with a practice Nym
or two and you will soon get the hang of it. There are some great options
like -acksend and other functions which you can learn about by referring to
the JBN help file. Also it is quite easy to change your reply blocks (which
you will probably need to do on a semi-regular basis due to the 
inconsistency of most remailers); you can do this in the same manner you made 
and sent your first nym request (again, refer to the JBN help file and 
knowledge base). Once you have mastered the use of remailers and nym 
accounts I highly recommend investigating, using, and installing Mixmaster
which will heighten your secure email transactions even further (as it is
even more secure than the cypherpunk type remailers we have been 
using/discussing in this paper).

-Important Footnotes On Concealing Your Identity-

Aside from Nym accounts and proxy servers the thing that most often leaves
"tracks" to be followed is human error. If you are shooting to be a truly
anonymous figure you must give as little information about yourself as 
possible. The more you say, the more they know. Also you want to 
disassociate yourself from the ISP/ISP's which you choose to use. Never let
your nick be connected to any specific ISP (and if it is necessary then never
allow it to be more than a generic service for a short period of time).
Guest accounts are your friend. Large commercial ISP's can be used to your
advantage, but you should *never* trust any one person with your privacy 
and/or your identity; this is the core theory which allows nym servers to be
so secure.

-Final Thoughts-

It is a somewhat mixed blessing that using and managing proxies,
nym accounts and hiding your identity is as complicated as it is because it 
hinders immature individuals from abusing these wonderful public services 
which are some of the most secure and anonymous types of mass communication 
available ever in history; so learn them well. They will allow you to speak 
and act as only a person with true freedom can. Also be responsible with this 
freedom and what you choose to do with it. The best way to enslave yourself 
(and others) is by abusing your freedoms rather than using them to speak 
your mind.

Opic [CodeBreakers 1999] 
opic@redneck.efga.org