Sometimes it's good to be an average Joe


By Standard security settings, or by “standard settings” in general, I mean default settings. Those that exist when the user downloads the browser and does not make any changes. I believe this is the most common. Agreed?
In those settings, Javascript will be active, no doubt. It’s even active with the default settings of Tor Browser…


Average Joe doesn’t use Tor browser. Average Joe doesn’t even know what is Tor, or maybe he heard about it but has no reason to think this is relevant for him. He uses Chrome or Firefox or IE or Safari.
Average Joe’s IP is certainly not a Tor exit node.

Average Joe does not think anonymity is very important. Most of the things he does online are not anonymous anyway, he willingly identifies himself even at places that don’t require real personal details. He shares a lot of his life to the public.
Average Joe could not even use his gmail or google translate or even yahoo or live email with Tor, without constantly getting elaborate captchas or phone verification requests again and again.
Average Joe probably cannot log into his bank account or make any credit card purchase or log in to many other places with the Tor Browser.


Of course. Average Joe is tracked and profiled, he may even think it is for his own benefit. Each Average Joe is unique in the eyes of FB, Google. But Average Joe isn’t me.

This isn’t partially anonymous vs. anonymous.
This is “an identity” vs “avoiding having an identity” (there are probably better terms for that conflict).


3 million is less than 0.1% of internet users. Still a small enough number for many places to either block access or make it difficult for you to access.
If it was, I don’t know, 300 million, they couldn’t afford giving such a hard time to Tor users.


Hi Chicken

Average Joe would is certainly all of these things but I don’t see the point in using Whonix configured in this manner regardless if using Tor Browser of not. It defeats the purpose and your not gaining anything. Many Tor users make use Firefox, Chrome etc. for normal browsing or when accessing banking websites etc. They know who the users is anyways so I guess it doesn’t matter. There are also many other sites that will block users if they show a Tor exit node IP. Unless its my bank or some important site I need to access I won’t even bother with them.

You are being tracked and profiled. You visit sites and forums that interest you. you buy stuff from e-commerce with your credit card etc. Average Joe is certainly you.

Why make it easy for them??


Joe can’t visit sites chicken is interested in, he has no idea who chicken is and what forums he visits. If he knew that, he wouldn’t be Joe. He would be chicken. And of course Joe can’t use chicken’s banking sites or credit cards.

Joe is a completely different identity and this setup is only used by Joe. Chicken will use the standard Whonix-Wrokstation for actions that don’t require identification and clearnet for actions that do.

Let’s take an imaginary example. Chicken is a member in the “Free the Eggs” organization. Most members of the organization are anonymous, but the organization itself, or its leadership, aren’t (kinda like Whonix when you think of it). The organization has an address, known representatives, bank accounts, credit cards and so on.
As part of his (volunteer) role, chicken helps to maintain the finances of the organization. He will need to use the credit cards and have access to bank accounts. Now the heads of the organization know chicken personally, but chicken would still like to maintain his anonymity from the public, Including his ISP and the services he uses.

How will chicken be able to do his work while maintaining anonymity? he needs to be Joe. But only when he’s working. His personal activities should be kept separate.


LOL. Thinking a handful of addons for a mainstream browser will save you in the age of high precision surveillance analytics and fingerprinting.

It seems parasitic power structures need Joe to survive. Enjoy being Joe but don’t expect us to agree with you.


Thank you for the constructive answer.


No problem amigo. Let us know if you have further questions.

  1. Why would you use windows instead of Whonix Workstation?
  2. How can an average joe create email addresses without phone verification in Whonix Workstation? I tried tutanota, and it sucks. Although yahoo japan mail and yandex allow me to create email addresses without phone verification, I’m not comfortable with yahoo japan and yandex. I hope gmail didn’t require phone verification.


I still need to test all this stuff. Linux by itself make you stand out to some extent. The signature of Tor-Browser shows Firefox with Windows 7 as far as I know, but I’m not sure if there are any traces of Linux left.

One thing that certainly affects how those sites treat you is the IP and especially the fact you’re changing IPs on each login. They are designed to recognize IP + OS + Browser + Cookies and trust you when you stick to the same settings, or suspect you otherwise.

Yandex will also start asking you for phone verification at some point if you change IPs. Outlook will allow you one month without phone verification or something similar. Gmail I believe will initially ask anyone for phone verification.

I’d say using a standard browser in Whonix-Workstation but with VPN after Tor solves 80%-90% of the issues (naturally you need to purchase that VPN anonymously). All those sites start to behave like really good boys when you have a constant, non Tor IP. And you get no issues even if you set firefox to “Never Remember History”. It’s still acceptable for them if cookies are cleared. Javascript is a must almost everywhere (even here).

The final 10%-20% are tricky. Those will be sites that have been heavily abused and have zero tolerance for anything fishy. They’re not going to take any anonymization monkey business from you. They are many things that easily give you away. Your time zone won’t match the VPN’s time zone unless it’s British so you need to change that. Linux traces perhaps. Maybe also WebRTC as I mentioned above. VPN servers are public knowledge and are sometime blacklisted too. That’s where proxies can be useful, of course if they’re not openly published and didn’t get abused. Now if the proxy has open ports 80 and 22 that’s isn’t exactly what you’d expect to see at a home user’s PC as well so another thing to worry about.

You can use proxies with Tor Browser, maybe that good as well. If you use Firefox in Whonix-Workstation it’s visible you’re a Linux user. Perhaps Windows isn’t required. Don’t think I’ll work with Windows more than I absolutely have to, I hate this thing.


Are you saying that I should purchase VPN anonymously and connect to VPN in Whonix Workstation to circumvent phone verification?
How can I purchase VPN anonymously? With bitcoins made anonymized through monero? I don’t know if I can anonymize bitcoins purchased on bitcoin exchanges through monero.


I not saying you should, I’m saying that’s a way that works for me.

Regarding bitcoin and anonymity - don’t purchase anything on an exchange. Don’t open an account on an exchange that needs your details. Get your bitcoins elsewhere. And if you want to anonymize them, change to monero and back to bitcoin. Not the same amount. Not at the same time. Not at the same service.


I don’t know a way to avoid phone verification other than connecting to VPN in Whonix Workstation.

Other than cryptocurrency exchanges, I only know local bitcoin exchanges. As far as I know, I would have to meet a person on street and exchange bitcoin with money. This reminds me of street drug dealers.

Do you know a more efficient way to buy bitcoin anonymously than local bitcoin exchange?


You could also use a proxy instead of a VPN, same principle.

You don’t have to meet anyone on the street although that’s also an option. In localbitcoins and paxful you have many ways to purchase bitcoin, for example a cash deposit to a bank account. No ID required. There are also Bitcoin ATMs. Depends on your country, you may be able to buy Debit / Gift card in a retail shop without an ID and use that.

When you’re talking VPN fees, they are pretty low. It’s not like you’re taking your nest egg and converting it into bitcoin. With such small amounts, even cash by mail can be a working method.

By the way some VPN providers also accept cash by mail so you won’t even need to buy bitcoin at all.


Usual Chrome and Firefox still reveals you are using a virtual machine through Webgl. Just check browserleaks website. There is no easy way to spoof these details.


Thanks. I’ll ask further questions elsewhere.


What about remote desktop on a VPS then?


check this research paper http://www.theses.fr/2017ISAR0016/abes

In short there is a possibility to detect the remote desktop with high probability


BTW phone verification is a pain but not a very big issue.
There are services online where you can rent a number for a few bucks (for say a month) and receive sms there.
There are also free ones but those will be recognized by some sites.

When there is a will there is a way :slight_smile: