Network Forensics Evasion: How to Exit the Matrix (Freenet Edition)

Click here first for details how and why this is on Freenet. Also click here to see whether there are new editions of this site!


Revision History
Revision 0.10.22006-3-15AE
Added a target audience section to the intro. Also added some offshore hosting updates, touched up the document scrubbing section a bit to add some basic DRM tips for whistleblowers and a section on image metadata. Updated DHCP information with specifics on blowing away old lease IPs. Validated and updated links throughout the document. Also realized I was setting a bad example by trusting mailvault (or anyone) with my GPG key. I have now created a new key that is fully under my control. Please use that and not my mailvault key if you have anything sensitive to say to me.
Revision 0.10.12006-2-13AE
Updated abstract to more properly reflect the scope and motivation of the document. Added information about Terminal Services to the Local Services section. Added the CookieCuller extension to recommendations for dealing with cookies. Added several new tools to the Rootkit detection section. Added several "self-destructing" email providers to the anonymous email section after learning that email is only protected for 180 days on 3rd party servers. Basic hosting updates, including mention of using offshore hosting providers when freedom of speech is threatened due to US law, as is increasingly common these days. Added a brief section on Guerrilla data exchange for those who do not wish to set up a full-fledged website or bother with P2P. Added information on scrubbing documents of personal metadata, which may come in handy to whistleblowers. Moved the Encrypted Filesystem information into its own subsection.
Revision 0.10.02006-1-23AE
Created a new Network Attributes subsection: Double Black Magic IP Wizardry which discusses ways of combining OpenVPN, SLiRP, HTTP Proxies, and Tor to accomplish various things. Improved OpenVPN section, especially for Mac OS. Ditto for SLiRP. Added a couple of ghost walker market ideas to the intro that were inspired by Towards a Private Digital Economy. Added information about easily changing your MAC address in Mac OS, and also information about DHCP leaks. Added more information about I2P, and also updates about risks of hosting websites on I2P and Tor. Added legal info to the Assuming an Identity section. Attempted to clarify and simplify rootkit material and also provided a Linux kernel auditor. Added some brief material about anonymous blogging. Also added a quiz section to help underscore important points that may be glossed over in a casual read of this text.
Revision 0.9.52005-9-07AE
Updated dm-crypt script for Linux to fsck the filesystem before mounting it (failure to do so risks filesystem corruption, which I had the misfortune to experience personally). Added brief writeup of TrueCrypt, which is an awesome encrypted filesystem/steganography solution for Windows and Linux. Added brief review of which popular browser plugins will obey proxy settings and how to determine this yourself. Added more information on printed document forensics. Other minor updates, including MAC address info and a cool snail mail hack stolen from Lucky225.
Revision 0.9.42005-8-21AE
WARNING: A new type of Java webbug was discovered recently that can trick the JVM into bypassing proxy settings using several different methods. Installation of Firefox+NoScript (which is pretty bad ass) is recommended. Also added very brief info about I2Phex, a gnutella network that runs over I2P. Refurl updates. Found several ebooks and archived them on the Tor site.
Revision 0.9.32005-8-06AE
Fixed bugs in openvpn cert generation. Updated legal info on 5th amendment rights to key protection (you actually might not have any rights if the prosecution is clever and the Judge is a fascist). Added some info about anonymous snail mail. Warned about print media surveillance. Added links to a couple of physical anonymity services that came recommended via email.
Revision 0.9.22005-7-23AE
Minor philosophical updates, including ideas from Usenet/IRC discussions. Added info on virtual offices and some keylogger info.
Revision 0.9.12005-7-2AE
Updated encrypted filesystem material and fixed scripts. Updated rootkit info. Updated intro, adding new section. Added SLIRP+SSH hopping script and clarifications, added social network info to anonymous telephony.
Revision 0.9.02005-6-20AE
Added Objectives and Goals section to philosophical material. Added section on anonymous telephony.
Revision 0.8.12005-6-07AE
Added info on using SLIRP, and some preliminary info on combining it with Tor to use UDP/non-socks apps.
Revision 0.82005-6-01AE
Moved philosophical material into its own chapter and broke it up into 3 sections with added material including numerous potential business ideas. Added more IP address obfuscation material, including I2P. Added more Phy interaction material including information about common scams and fraud. Added more throwaway computing info. Updated encrypted filesystem material. Other misc changes.
Revision 0.7.12005-5-05AE
Added SSH hopping, Social Network, VPN info, Usenet info, Mac OS updates, Phy Interaction updates, IRC, updated intro section, added SeizeD network connectivity tester.
Revision 0.72005-4-10AE
Added Throwaway Computing, Search and Seizure, Assuming an Identity, recommended reading, and other improvements/additions. Lots of work.
Revision 0.62005-4-04AE
Added "What is the Matrix" section, also added some Physical Interaction info.
Revision 0.52005-3-09AE
Updated some info on Physical Interaction. Found some Nym servers.
Revision 0.42005-3-04AE
Added a Physical Interaction section, cleaned up a few FIXMEs.
Revision 0.32005-1-11AE
All chapters and subsections now have text. A few FIXMEs still remain.
Revision 0.22004-12-16AE
OpenVPN config file fixes, Windows rootkit detection, added Makefile and linked tarball.
Revision 0.12004-12-08AE
First xml draft, many FIXMEs remain.


Privacy and anonymity have been eroded to the point of non-existence in recent years. Our personal, private information is stockpiled and sold to the highest bidder like so much inventory at a warehouse. National Security Letters are written to make countless broad, non-specific requests for records from our search engines, libraries, and book stores with no court oversight. Email and especially searchable data is practically unprotected from anyone who might ask to have it. All our electronic communications are tapped. Massive governmental data mining schemes are being built to record everything we publish on the web. In many workplaces, employers spy on and control their employees' Internet access, and this practice is widely considered to be acceptable.

These are dark times. The Fourth Amendment has all but disappeared, thanks to the Wars on Drugs, Porn, and Terror. Any practicing trial lawyer will tell you that you can no longer rely on unreasonable search to be the basis for excluding evidence, especially for digital evidence in the hands of a third party. Likewise the First Amendment has been shredded with exceptions and provisos, and is only truly available to those with the money to fight costly (and usually frivolous) court battles against large corporations. In short, you can say what you want so long as it doesn't effect corporate profits.

How we got to a legal state where this all this activity is the accepted norm, I'm not quite sure. It seems to stem from an underlying assumption that our function at work and at home is that of a diligent slave - a single unit of economic output under the direct watch and total control of our superiors at all times; that we should accept this surveillance because we should have nothing to hide from our benevolent overlords who are watching us merely to protect us from evil.

I believe this view is wrong. Moreover, I believe it is time to reverse the tide. This document seeks to provide the means to protect your right to privacy, freedom of speech, and anonymous net access even under the most draconian of conditions - including, but not limited to, criminal investigation (which happens far more often to innocent people than one might like to think). "So what are you saying? That I can dodge bullets?" "No.. What I am trying to tell you is that when you're ready, you won't have to."

Table of Contents

Document Organization
Where to find this Document
Feedback and Assistance
The Matrix
What is the Matrix
Resisting the Matrix
Subverting the Matrix
Freedom Seekers are Not Terrorists
Spreading the Word
Target Audience
Network Attributes
MAC Address
802.11 "nickname"
DHCP Properties
IP Address
Double Black Magic IP Wizardry
Local Services
ident lookups
ftp logins
ssh keys
Terminal Services/rdesktop
mDNSResponder (Bounjour/Rendezvous/ZeroConf)
Web-based leaks
Browser User Agent And Capability Info
Referrer Url
Browser History
Web bugs
Firefox Extensions
Intrusive Surveillance
Root Kits
Keyloggers and Spyware
Watching Your Back
Throwaway Computing
Search and Seizure
Encrypted Filesystems
Generating Content
Anonymous Emails
Posting to Usenet
IRC/Instant Messaging
Creating Web Content
Scrubbing Document Formats
Bit Torrents/P2P apps
Guerrilla Data Exchange
The Vector of Information
The Social Network
Physical Interaction
Using Anonymous Money
Anonymous Snail Mail
Anonymous Telephony
Assuming an Identity
Protecting Yourself from Fraud
Key points to learn from this document
Anonymity Self-Quiz
Anonymity Self-Quiz Answers
Must-Have Firefox Extensions
Further Information
Books of Interest
Information on the Web


Welcome to the first day of the rest of your life.

Document Organization

This document is organized into seven chapters. The first chapter is an introductory philosophical discussion, and the next six are based on the six main ways you can leak information about who you are onto your network connection, or to an attentive individual.

  1. The Matrix

    A discussion of what the Matrix is, how it functions, and how to resist and subvert it. This forms the philosophical underpinnings of this HOWTO and the driving force behind the author's motivation to work ceaselessly on this document for over a year, and then proceed to give it away for free. Not required reading, but strongly recommended.

  2. Network Attributes of your computer

    This includes your network hardware (MAC) address, your IP address, and your 802.11 nickname. This section describes ways of obfuscating each of these attributes, as well as your network data itself.

  3. Local Programs and Services

    Various programs you run can leak information about you to the network. This section describes how to turn them off.

  4. Web related leakage

    Even after you have taken steps to obfuscate your network attributes, it is still possible to leak a surprisingly large amount of information about who you are through your web browser. It is even possible for websites to determine your original IP after routing through a proxy (or even Tor), if you are not careful.

  5. Intrusive Surveillance

    In some environments (public computers, labs, oppressive work places), your computer may be bugged and under direct deliberate surveillance from a third party. This section describes what to look for, and also describes how to use these same tools to your advantage to conceal your activities. It also covers measures you can take to mitigate information disclosure in the case of equipment seizure.

  6. Generating Content

    The previous 4 sections have dealt with how to access Internet resources without fear of divulging your identity. But what if you have something to say? This section discusses the ins and outs of publishing data and communicating anonymously.

  7. Physical Interaction

    The ultimate goal in anonymity over the Internet is to carry it over into the physical world: to use money, and to be able to buy and sell items and otherwise conduct business without fear of surveillance. The means for doing this exist, yet most are prohibitively expensive for the average individual. In most cases, low cost, "good enough" alternatives are available with some extra effort, however. Hopefully, as the Underground Economy continues to grow, tools to aid in interacting with it safely will become profitable commodities themselves.

Where to find this Document

The latest version of this document can be found at http://n4ez7vf37i2yvz5g.onion/howtos/ExitTheMatrix or at The Anonymity Portal also provides a mirror, along with several other documents. Those wishing to mirror or build their own copy can download this web tarball. This instance was built with xmlto html ExitTheMatrix.xml.


This work is licensed under the Creative Commons Share Alike v2.5 license.


This document exists because of the hard work of literally millions of individuals working in concert to build a free, open world where all can meet, trade and converse without fear. One day The Man will burn.

At the same time, I would also like to thank The Man, because without him, the millions of individuals working in concert to build a free, open world where all can meet, trade and converse without fear would not have such a fascinating hobby.

Furthermore, I would like to thank the dozens of (mostly) anonymous contributors who have tipped me off to various news articles, software, FIXME solutions, etc. Your help is much appreciated!

Feedback and Assistance

If I missed anything you feel is important, or if anything is unclear, please contact me via email at . Particularly if you have any material to cover any of the FIXMEs found in the text, please email me. If you are someone who needs confidential anonymity advice or assistance, do NOT use my mailvault GPG key, since I have no control over preventing leakage of the passphrase. Instead, use this key. While mailvault is not located inside the USA (and thus not subject to the most likely form of assault: a National Security Letter), it is not outside the question that they could be coerced in some other manner.