247 comments

[ 3.9 ms ] story [ 349 ms ] thread
Or you could use a pastebin and sign your messages with a private key.
You'd still need to use tor though.
Ofc, as for any internet access
pastebin doesn't work over tor, most of the exit nodes appear to be blocked.
Only $10 for finding out who you are? Its sounds like you don't have very much confidence in your anonymity scheme.
It's about the challenge, not the money.
I think bitcoin would be perfect for these guys...
Why would you go through the hassle of trying to anonymously buy bitcoins with cash so it's not traceable when you could just send the cash? Unless you have mined your own coins there's no anonymity to be had via bitcoin. In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.
> In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.

Assuming all transactions will go to one address or come from "traceable" sender addresses is a bit presumptive.

Why not let the users sign up for the service (over Tor or whatever), then generate a bitcoin address for them to send BTC to? Then every transaction has a new address.

Besides that, there are a ton of ways to keep it anonymous using bitcoin.

There are ways, but I feel you're gilding the lily here. A ten dollar bill in the mail is a pretty decent way of staying anonymous.
Even if every transaction has a new address, you have to get BTC in to the wallet somehow, and the most common method to do this is to buy BTC online with a credit card.

You could buy BTC with cash of course, but then why not just send the cash direct?

I suppose you could also use washers but I'm not sure how reliable those are.

as far as I know most exchanges and gambling sites pay out from a different wallet that you pay in to, so washing coins this way may be possible depending on how long each company keeps track of internal transactions.
As a matter of fact :) : for me, it would actually be more easy to ping one of the local miners in my online contacts (I've traded coins before via localbitcoins), meet with them, hand them the cash, get the coins to a bitcoin wallet, and send them to SDF, were they to accept bitcoins. (The verification could also be automated that way, and would be real quick.) The alternative would be to go to a local exchanger or bank, probably hand in ID even though I'm only buying $1 for local currency, then go to the PO to buy an envelope and stamps, make sure the dollar bill is not visible from the inside, and actually send the letter out.. oh, and wait for 2-3 weeks because outgoing overseas mail originating from here is slow.

..I guess what I'm saying is that, lo and behold, Bitcoin might actually eventually work as an 'exchanger asset'; I've already discussed with a friend in the UK the possibility / advantages of using BTC to send cash [1] to them (bank transfer from this place would cost >= 15 pounds otherwise). They could then use a UK-based BTC exchanger, or -- find a local bitcoin trader (and yes there are some)!

(Also see: [2]) :)

Just saying!

In any case, I root for SDF, Godspeed you awesome people.

[1] Well, effectively cash: if both of us were to use local miners/traders, I would be effectively depositing cash, and my friend would be taking the cash out of the system. (See illustration in [2]) The process could be further abstracted away if my wallet were set up to automatically send all incoming coins to a pre-specified address; that address could my friend's trader's address where they would be sitting, sipping tea and waiting for the incoming coins, or (if my friend were not to care about anonymity at all) an exchanger's address; the exchanger could be set up to automatically make a local wire transfer (so free / very cheap) to a local UK bank account upon incoming coins; et cetera, et cetera.

[2] http://en.wikipedia.org/wiki/Hawala ; & a simple image: http://en.wikipedia.org/wiki/File:Hawala.png

edit expanded footnote1, etc.

Reminded a bit of anon.penet.fi, from the long long ago in the time that was before the Internet took off as a consumer thing. http://en.wikipedia.org/wiki/Anon.penet.fi
Tor was essentially an evolution of these remailers. Probably a lot of the same people involved to this day.
With the notable exception of Len, obviously.

(and anon.penet.fi was mostly NOT a cypherpunks type thing, it had very little technical security; it was all policy and jurisdiction, which worked well until Scientology.)

Thing is: to post this link on HN you probably had to give your e-mail address :/
SDF seems to provide an email account. At least it talks about webmail and Unix mail utilities (Mutt etc.).
A mail address is not required to create a HN account, as far as I can tell. It's been a while though, and I don't want to create a random dummy account to find out for sure.
Whoever that guy is, he is going to be getting a lot of postcards.
LoL

    Diaz Gonzalez, Ruben  
    ruben7583@msn.com
    C/ Angosta de los Mancebos 5
    Madrid, ma  28005
    IT
    677417085
Do you really need to post personally identifiable information in a public place? In the Netherlands it's not even legal, not sure about where you live. And regardless of whether it's legal, it's not done. I wouldn't want my information to be posted like that.

Oh and if you say "he asked for it", well yes but you got the wrong person, so that's kinda screwed up for whoever happened to own that domain.

That's the output of whois voidnull.com. Too obvious to be the guy making the challenge, of course, but it's not exactly classified information, and has already been "posted" in a public place (the whois records).
Stephen M Jones, is that you?
To give some context, I did this as a publicity stunt for SDF and the Tor project. I have no affiliation with either of these, other than being a grateful user. SDF especially can always use more money and users. As opposed to pastebin, SDF lets you have an email account, message other SDF users, use IRC, etc.

As for the $10 reward, yes it is small, but the point is to see whether people can breach any of security, not to offer lots of cash (which I don't have anyway).

And now this is a test of how secure HN is as well.
I'm not sure about that. I mean, he can register with HN with just about any anonymous e-mail address, no money needs to change hands so as far as I can tell it's perfectly anonymous.
HN doesn't require an email at signup. You only need to give one if you want password recovery to work.
No, because it's a new account only associated with this thing. Granted, access logs on HN could be used to crack the problem, but getting to those is non-trivial.
I'm guessing he is using HN over tor, as well.
Looking out for HN users (other than voidnull) that write about Internet privacy a lot will give some candidates.
Of course we have no way of telling that the voidnull website is by the same person as the voidnull HN account used to start this thread. Thats one problem with being anonymous, anyone can impersonate you, I can't think of any way to have a 'verified' account which is also anonymous.
PGP signed messages.
a challenge based on public key crypto, user has a known public key and can sign a specified message with his private key to prove he owns that public key while remaining anonymous.

This also allows for password recovery in the opposite direction, site can publish passwords signed with users public keys and then users can decrypt their own using their private keys.

Just in case someone finds $10 too little, I will add 1 bitcoin to the pot for anyone who finds the identity.

Of course the details are a bit tricky. I will accept voidnull's judgement as to whether the reward is due (which begs the question of which identity is voidnull in a philosophically interesting way). Also voidnull could claim this reward, but then I would have unmasked her by simply buying her off (a perfectly valid offensive security technique).

Hey voidnull, long time no see! Welcome to HN :) Great to see SDF being promoted here, I've been a member for over 13 years
So publishing content is anonymous, but ultimately SFT is responsible for hosting? Will they, for example, stop hosting your content if the MPAA/RIAA make copyright claims?
Probably. But you'd be safe from litigation.

But the anonymity of the poster and the inviolability of the content are two separate concerns.

If I open a paid Wordpress.com account using my real e-mail address and a credit card registered to my home, and post a $10 reward for revealing my identity, the fact that I strongly doubt anyone will claim the reward is not proof of Wordpress.com's perfect safeguarding of my identity, just that their systems are secure enough to not be trivially hackable and that nobody cared enough to find a way to obtain a court order to compel WP.com to hand over my info.
voidnull is trying to prove that SDF is NOT a perfect safeguard.
I don't think he's trying to prove anything, just providing a fun game of wit and a challenge. He will surely be delighted if he gets a postcard.
It also helps SDF to know about possible vulnerabilities. And, there's also the stated reason: to get Tor and SDF some publicity.
There's no proof here maybe just an experiment. To see if SDF is truly secure or can he still be tracked. I would wager as long he doesn't use that handle anywhere else he is safe.
He'd probably even send $10 to SDF if they could find him. It would be somewhat more trivial for a Wordpress employee if the site was at voidnull.wordpress.com.

The difference seems to be that he doesn't want to have trust anybody, whereas you'd be happy trusting organizations such as Wordpress and the US legal system.

Actually, I think mseebach's point was the opposite: that this challenge, even if nobody claims the prize, does not prove that tor + sdf-shell-paid-by-mail is secure against leaking your identity.
Oh, I see. Yeah, I think you're right. Actually, the $10 cash prize matches Bruce Schneier's Security Snake Oil Warning Sign #9: Cracking contests.

https://www.schneier.com/crypto-gram-9902.html

Well then if you want you can say that Keccak/SHA-3 matches snake oil in the same way. They were giving away chocolates for crypto results!
It's worth mentioning SDF still (IIRC) provides dialup service. So a USB modem, telecoupler and payphone are all required to really truly publish without leaving much trace.
Linking a time to a physical location is not optimal, with the number of cameras around.
1. Buy a prepaid credit card at a store with cash.

2. Use the credit card to buy hosting with whomever you wish to use.

3. Enjoy your anonymity.

I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are. Even then you could go out of your way to purchase the card outside your home area at a grocery store since they often have minimal / poor camera coverage.

Edit - Responses to some of the comments:

In the USA SSNs are only required for customized reloadable cards with your name on them which is obviously not the type you'd want.

As for AVS / name verification, most prepaid cards now have websites which allow you to set a name and address for use online. Others will pass AVS checks with any address. The packaging will often say if they can be used for online purchases.

Because of the Patriot Act, don't prepaid credit cards now require Social Security numbers and other identifiable information to activate (I would imagine including your name, which you would provide with the credit card when you buy hosting)?

Sure, you could lie, but you would probably be breaking the law (which the method advocated in the article doesn't do).

Only reloadable prepaid cards require SSN. Non-reloadable (Gift) prepaid cards don't require an SSN. Some even allow you to set an address for AVS purposes.
So don't do it in the USA
(comment deleted)
Most online services, in my experience at least, will reject credit cards that are not associated with a name.
Most payment gateways provide no name-based authorization - a fake name will work just fine.
Kind of like electronic signatures at stores. You can draw a cat face at one place and a penis in another. Never really understood the point of them.
Same with paper signatures. A signature isn't supposed to rigidly identify you, it is supposed to provide evidence that you signed the document / agreed to the contract. It's a subtle distinction.

Having signatures match is just one straightforward kind of evidence that you agreed to the contract.

Yea, but they reduce to saying that someone was present and agreed to the contract. I've ordered things online, don't receive them, and the courier tells me it was delivered and signed for. I don't know who agreed. Nobody is going to investigate the curves on the signature.

I am curious though which biometrics will eventually replace the signature, especially with so many transactions online where I can spend thousands of dollars without signing anything.

Then why the farce of matching your signature with the signature on the back of the credit card? Or if you don't sign the credit card, asking for an ID? It always makes me laugh when the high school student making minimum wage checks my signature. Do they all need to be certified signature experts before getting a job as a cashier?
Do people still check the signature? I haven't had one on any of my cards for at least five years nor do I sign receipts with my name; nobody has ever questioned me or asked for ID.
Alive and well in my home town, admittedly outside of the city.
Me neither - in 10 years, only one girl in a mall validated my sig with the one on the card. It was in a huge outlet "village".
Cashiers are not supposed to check that the signatures match, they are supposed to check that the card is signed. A credit card is not a valid form of payment unless it is signed on the back. "See ID" is not a valid signature BTW. Cashiers who see that are supposed to direct the cardholder to actually sign the card before charging it.
Strange, I believe I tried that after receiving a bunch of gift cards for Christmas -- I even tried entering in the exact title that's below the CC number on the card, but had no luck.
I have had the opposite experience. I just put in John Smith for the name and I have never had any issues.
2.5. watch as the prepaid credit card gets declined
But you still get to do step 3!
What about cameras at the place you bought the card?
You can read about someone who is a bit obsesses (in a pragmatic way) about that here: http://snarfed.org/privacy_through_prepaid_credit_cards
Simon Malls was one of the first companies to offer prepaid credit cards at a retail location. They started selling them 10 or 11 years ago. I used to re-encode them with stolen magnetic stripe data back when I was into credit card fraud.
Instead you can buy virtual visa with bitcoins, and then you aren't on camera buying a prepaid card. Even better use bitcoins for hosting payment directly and avoid credit cards completely.

You can also find any Russian host you wish, then plug in Bitcoins to a Russian exchange such at btc-e and then withdraw straight to their WMZ account to fund your hosting

(comment deleted)
> I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are.

Well then it's not fucking well anonymous, is it?

For saying things that won't piss off the cops, we can just sign up on Tumblr from our residential ISP IP.

The whole point of having anonymity is for safely exercising the right to unpopular speech. If the cops can track you down, then it's not anonymous.

Imagine if Wikileaks had been fully pseudonymous, and then tried what you suggest. They'd be just as fucked as they are now (for being non-anonymous).

> Edit - Responses to some of the comments:

HN has a button for that, you know.

Although I like SDF, a physical letter is a lot more evidence and perhaps hassle than what you'd incur with Tor and some boring free shared hosting service, or running a Tor hidden service if you want interactivity and don't mind slowness, or even joining a Bitcoin mining pool and using the (minimal) payout to anonymously pay for hosting.
I wonder how hard it is to mail Yuan to Seattle?
Isn't the way to get through this is to start running a lot of Tor nodes and hope to trap voidnull? If so, don't we think that those that care about breaking Tor are doing this?
If Wordpress.com accepts BitCoin, couldn't you just acquire some BitCoins not tied to your personal ID (you can use Moneygram with fake information and route it through mixers, buy them offline, etc.), and utilize Tor/Tor Services to set up the account, and give them fake information?
Possibly, but it wouldn't have the benefit of being 100% legal, as voidnull's solution appears to be. Also if Wordpress were to discover your fake info they might take your site down.
Why is that not 100% legal?
Providing false information to WordPress is probably not legal.
This is what I had in mind; good old CFAA. Ditto for entering false info in moneygram. (Not commenting on whether these things should be illegal.)
Well, it also touches on fraud and impersonation, old, long established crimes, not just computer hacking.
(comment deleted)
Giving them fake information would be illegal and probably be breaching their ToS.
New question: does it matter if it's illegal if it's 1) moral and 2) you're anonymous?
If its illegal, then it's much more likely to be shut down. Do you want to release some information once off, or do you want a reliable Web host.
I can see this breaching their ToS and would probably be shut down by them if brought to their attention. However, what law would you be breaking when you give a private company a fake name.
Regretably, in the US the "Computer Fraud and Abuse Act" (CFAA) makes it illegal to access a computer without "authorization". Courts have interpreted that to mean that accessing a site when you are in violation of their terms and conditions (for instance, with a fake name) is a violation of this law and thus a felony. Learn more: https://www.eff.org/ja/issues/cfaa
Today, to host a piece of content on the Internet, you must link your identity to the content on some level

Completely incorrect.

There are any number of free web hosts who require nothing more than an email verification.

Some may say that free web hosting is inferior to paid, and I will agree, however my content hosted on free web hosts is still not tied to my real identity.

Makes me wonder, what have you got to hide?
She's a gay, transgender, atheist, member of the very wrong political party who once stole a loaf of bread while starving and who slept with her boy/girlfriend (who was white) at an age where, although there was only a day between them, she was an "adult" while the other was a "child" in Zimbabwe.

Sorry Zimbabwe, you were at the bottom of the "Freedom Index" I looked at.

For parts of the above, she could have been anywhere in Africa, the Middle East or, indeed, the first world.

On top of all that, she also didn't want her parents to know she's got a tattoo and was concerned that her colleagues would be upset that she'd negotiated a higher pay package than them.

Or, in the flip side, a white male who says stuff that embarrasses or offends people who have US Attorney cellphone numbers on speed-dial. Examples include Assange, Weev, the two girls one cup guy, etc.
Question for voidnull:

Were you wearing gloves when you handled the dollar bill and the envelope? Did you lick the envelope to seal it?

I wonder if one could train a cat to lick envelopes. The FBI DNA testing people would have some interesting meetings with the agents.
That sounds like one of the harder ways to get cat DNA on an envelope.
Of course you are voidnull. We could tell by the scratches on your forearms.
If they are already suspicious of you, then you've already lost. In the above scenario, voidnull's dna or fingerprints would have to be cataloged for them to find him.
If the rest of the internet is presumed to be linkable with a specific identity, I challenge someone to figure out who represents http://www.banksy.co.uk/. And Pest Control doesn't count. And if it does, then that's a pretty easy way to hide your identity.
This is a good question. Most of the comments here seem to be concerned with figuring out voidnull's identity, rather than the motivating idea of whether such a thing is possible.

The easy answer to your question is, Banksy represents that domain. But perhaps he's not so easy to pin down? Still, I'd think the crew involved in Exit Through the Gift Shop[1] might have some leads. Seems solvable, that is.

[1]: http://www.banksyfilm.com/

Please lick some of your DNA onto an envelope containing $1 to use our anonymous service.
So don't lick it. And unless your DNA is in a database somewhere (are you a sex offender?), it wouldn't matter anyway.
Or have you been arrested? Or have you undergone a security clearance investigation in the united states?
I don't think you have to give DNA for a security clearance
Most military/contractor DNA is now in a "personnel recovery" database with the government, too.
Actually, that's not true. There's a new technique called familial searching that can locate relatives that have had their DNA taken. The cops can then ask a brother, sister, parent, or cousin if they have a particular kind of male or female relative.
I get very uneasy when i see people actually licking the dry glue from envelops. maybe it's just a different culture. but for me it's weird as hell.
It is actually made non-toxic with the notion of people licking it in mind. It's not like it is just regular glue or a toxic adhesive. But I get what you mean. I don't lick them either. I don't get why people are even bothering with the point about DNA on the envelope though. Anyone who has ever mailed out lots of handwritten letters has used a moisture pen. You can go buy them for a few dollars at any office supply store. I use one to seal close to a hundred envelopes for the stamps every Monday at work.
asbestos were first advertised as non-toxic :)

but even despite the health issues, having one spreading body fluids around is not very acceptable where i came from.