The Non-Attrib Starterpack!

Jordan Drysdale //

Let’s start this post at Walmart. Yes, the visit may be attributable against the purchaser via security camera footage retrieved by warrant, so hand your wife/husband/confidant/whomever a stack of untraceable cash. The first thing to snag is a new burner phone. This one seems acceptable for our purposes:

Wait though, did we define our purposes? Do we need to? Are we hiding from a tyrannical regime? Check. Are we hiding from ad networks trying to group us under demographic profiles that allow injected web responses hijacked through advanced techniques and directed marketing? Check. Are we trying to hide from a customer contractual engagement where attribution is a goal of their SOC? Check. If you happen to be interested in any of these things, this write-up might be for you.

The next purchase item is an activation card. The data inclusion is important because you may need a hotspot in a pinch for internet access.

The last physical purchase item will be your Visa gift cards, small denomination. $25 works well because Digital Ocean’s costs are low. A server is around five bucks a month for a lightweight one with minimal hardware (these make perfect tunnel proxy servers).

Next up, head to your favorite local coffee shop and order something. Wear a hoodie, because it is required, or not. Jump on the wireless from your burnable laptop. Seriously, perma-cookies are easy to track. If you have used this laptop for anything associated with you, your new non-attrib accounts are hosed.

Check out, they will allow new phone activations without an account. You may be concerned that the coffee shop could be attributable… and it might be. McDonald’s has this weird thing where their backbone connections may drop you out of one of their primary datacenters. You could get lucky there too and not even be on your local city carrier networks.

The first account required will be a new email account for activation and two-factor purposes. Google’s mail product, “Gmail” if you will, is a fantastic platform. If you haven’t seen this product, I recommend checking it out!

At this point, you also need to consider where on earth you want your new identity to reside. Another interesting note here is that the ad-networks behave differently depending on where you purchase your Digital Ocean node. For example, you do not have direct access to Acxiom, BeenVerified and various other “human data” aggregators in the European Union because of their privacy laws.

Either way, head over to Fake Name Generator! This site will give you a pre-packaged identity for non-attributable use.

Next, let’s head over to PayPal, because the lovely people at PayPal will process payments ( <3 ) for you against your prepaid Visa gift cards. You will need a new account, your Gmail account logged in for verification, and your gift cards in hand.

Last on my must-have list for the non-attribution starterpack is a Digital Ocean account. They will allow you to deploy servers in London, Singapore, Amsterdam, Toronto, et cetera. Guess what? Now, with your coffee shop wi-fi connection, you can disappear! Be sure your browser is configured for a proxy. With the standard SSH tunnel command, you can drop on to the internet wherever your node was deployed:

<command syntax>

ssh -D 9999 -fCqNp 8228 [email protected]

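(-D sets up a local listening socket, here on port 9999, that ssh serves as a SOCKS proxy; -f sends ssh to the background, -C compresses, -q keeps it quiet, -N runs no remote command, and -p is your remote SSH port)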
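
An added illustration, not part of the original post: the socket that -D opens speaks SOCKS, and the code below builds the SOCKS5 messages (RFC 1928) a proxy-configured client sends to it, showing that a hostname is only looked up at the far end of the tunnel when the client sends it as a name. The function names and the sample targets are assumptions made for this example.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def build_greeting() -> bytes:
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, 0])

def build_connect(host: str, port: int) -> bytes:
    """CONNECT request; a hostname is sent as ATYP_DOMAIN, an IP literal as raw bytes."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1-255 bytes")
        # Length-prefixed name: the proxy end performs the DNS lookup.
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0, atyp]) + addr + struct.pack("!H", port)

def resolved_by(request: bytes) -> str:
    """'proxy' if the request carries a name, 'client' if it carries an address."""
    if len(request) < 4 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    return "proxy" if request[3] == ATYP_DOMAIN else "client"

def parse_reply(reply: bytes) -> bool:
    """True when the proxy reports success (REP field == 0)."""
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return reply[1] == 0

if __name__ == "__main__":
    # Constructed sample inputs: example.com and 192.0.2.10 are documentation values.
    for target in ("example.com", "192.0.2.10"):
        req = build_connect(target, 443)
        print(target, req.hex(), "resolved by", resolved_by(req))
```

A request that carries an address instead of a name means the client already resolved it outside the tunnel, which is why the browser's proxy setting matters as much as the tunnel itself.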

Did I mention GoDaddy allows domain purchases via non-attrib? No? They do, though this is a bit advanced for the starterpack.

Cheers, and safe transit!!!!


Follow Jordan on Twitter @rev10d
