Why would you go through the hassle of trying to anonymously buy bitcoins with cash so it's not traceable when you could just send the cash? Unless you have mined your own coins there's no anonymity to be had via bitcoin. In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.
> In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.
Assuming all transactions will go to one address or come from "traceable" sender addresses is a bit presumptive.
Why not let the users sign up for the service (over Tor or whatever), then generate a bitcoin address for them to send BTC to? Then every transaction has a new address.
Besides that, there are a ton of ways to keep it anonymous using bitcoin.
Even if every transaction has a new address, you have to get BTC in to the wallet somehow, and the most common method to do this is to buy BTC online with a credit card.
You could buy BTC with cash of course, but then why not just send the cash direct?
I suppose you could also use washers but I'm not sure how reliable those are.
as far as I know most exchanges and gambling sites pay out from a different wallet that you pay in to, so washing coins this way may be possible depending on how long each company keeps track of internal transactions.
As a matter of fact :) : for me, it would actually be more easy to ping one of the local miners in my online contacts (I've traded coins before via localbitcoins), meet with them, hand them the cash, get the coins to a bitcoin wallet, and send them to SDF, were they to accept bitcoins. (The verification could also be automated that way, and would be real quick.) The alternative would be to go to a local exchanger or bank, probably hand in ID even though I'm only buying $1 for local currency, then go to the PO to buy an envelope and stamps, make sure the dollar bill is not visible from the inside, and actually send the letter out.. oh, and wait for 2-3 weeks because outgoing overseas mail originating from here is slow.
..I guess what I'm saying is that, lo and behold, Bitcoin might actually eventually work as an 'exchanger asset'; I've already discussed with a friend in the UK the possibility / advantages of using BTC to send cash [1] to them (bank transfer from this place would cost >= 15 pounds otherwise). They could then use a UK-based BTC exchanger, or -- find a local bitcoin trader (and yes there are some)!
(Also see: [2]) :)
Just saying!
In any case, I root for SDF, Godspeed you awesome people.
[1] Well, effectively cash: if both of us were to use local miners/traders, I would be effectively depositing cash, and my friend would be taking the cash out of the system. (See illustration in [2]) The process could be further abstracted away if my wallet were set up to automatically send all incoming coins to a pre-specified address; that address could my friend's trader's address where they would be sitting, sipping tea and waiting for the incoming coins, or (if my friend were not to care about anonymity at all) an exchanger's address; the exchanger could be set up to automatically make a local wire transfer (so free / very cheap) to a local UK bank account upon incoming coins; et cetera, et cetera.
Reminded a bit of anon.penet.fi, from the long long ago in the time that was before the Internet took off as a consumer thing. http://en.wikipedia.org/wiki/Anon.penet.fi
(and anon.penet.fi was mostly NOT a cypherpunks type thing, it had very little technical security; it was all policy and jurisdiction, which worked well until Scientology.)
A mail address is not required to create a HN account, as far as I can tell. It's been a while though, and I don't want to create a random dummy account to find out for sure.
Do you really need to post personally identifiable information in a public place? In the Netherlands it's not even legal, not sure about where you live. And regardless of whether it's legal, it's not done. I wouldn't want my information to be posted like that.
Oh and if you say "he asked for it", well yes but you got the wrong person, so that's kinda screwed up for whoever happened to own that domain.
That's the output of whois voidnull.com. Too obvious to be the guy making the challenge, of course, but it's not exactly classified information, and has already been "posted" in a public place (the whois records).
To give some context, I did this as a publicity stunt for SDF and the Tor project. I have no affiliation with either of these, other than being a grateful user. SDF especially can always use more money and users. As opposed to pastebin, SDF lets you have an email account, message other SDF users, use IRC, etc.
As for the $10 reward, yes it is small, but the point is to see whether people can breach any of security, not to offer lots of cash (which I don't have anyway).
I'm not sure about that. I mean, he can register with HN with just about any anonymous e-mail address, no money needs to change hands so as far as I can tell it's perfectly anonymous.
No, because it's a new account only associated with this thing. Granted, access logs on HN could be used to crack the problem, but getting to those is non-trivial.
Of course we have no way of telling that the voidnull website is by the same person as the voidnull HN account used to start this thread.
Thats one problem with being anonymous, anyone can impersonate you, I can't think of any way to have a 'verified' account which is also anonymous.
a challenge based on public key crypto, user has a known public key and can sign a specified message with his private key to prove he owns that public key while remaining anonymous.
This also allows for password recovery in the opposite direction, site can publish passwords signed with users public keys and then users can decrypt their own using their private keys.
Just in case someone finds $10 too little, I will add 1 bitcoin to the pot for anyone who finds the identity.
Of course the details are a bit tricky. I will accept voidnull's judgement as to whether the reward is due (which begs the question of which identity is voidnull in a philosophically interesting way). Also voidnull could claim this reward, but then I would have unmasked her by simply buying her off (a perfectly valid offensive security technique).
So publishing content is anonymous, but ultimately SFT is responsible for hosting? Will they, for example, stop hosting your content if the MPAA/RIAA make copyright claims?
If I open a paid Wordpress.com account using my real e-mail address and a credit card registered to my home, and post a $10 reward for revealing my identity, the fact that I strongly doubt anyone will claim the reward is not proof of Wordpress.com's perfect safeguarding of my identity, just that their systems are secure enough to not be trivially hackable and that nobody cared enough to find a way to obtain a court order to compel WP.com to hand over my info.
There's no proof here maybe just an experiment. To see if SDF is truly secure or can he still be tracked.
I would wager as long he doesn't use that handle anywhere else he is safe.
He'd probably even send $10 to SDF if they could find him. It would be somewhat more trivial for a Wordpress employee if the site was at voidnull.wordpress.com.
The difference seems to be that he doesn't want to have trust anybody, whereas you'd be happy trusting organizations such as Wordpress and the US legal system.
Actually, I think mseebach's point was the opposite: that this challenge, even if nobody claims the prize, does not prove that tor + sdf-shell-paid-by-mail is secure against leaking your identity.
It's worth mentioning SDF still (IIRC) provides dialup service. So a USB modem, telecoupler and payphone are all required to really truly publish without leaving much trace.
1. Buy a prepaid credit card at a store with cash.
2. Use the credit card to buy hosting with whomever you wish to use.
3. Enjoy your anonymity.
I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are. Even then you could go out of your way to purchase the card outside your home area at a grocery store since they often have minimal / poor camera coverage.
Edit - Responses to some of the comments:
In the USA SSNs are only required for customized reloadable cards with your name on them which is obviously not the type you'd want.
As for AVS / name verification, most prepaid cards now have websites which allow you to set a name and address for use online. Others will pass AVS checks with any address. The packaging will often say if they can be used for online purchases.
Because of the Patriot Act, don't prepaid credit cards now require Social Security numbers and other identifiable information to activate (I would imagine including your name, which you would provide with the credit card when you buy hosting)?
Sure, you could lie, but you would probably be breaking the law (which the method advocated in the article doesn't do).
Only reloadable prepaid cards require SSN. Non-reloadable (Gift) prepaid cards don't require an SSN. Some even allow you to set an address for AVS purposes.
Same with paper signatures. A signature isn't supposed to rigidly identify you, it is supposed to provide evidence that you signed the document / agreed to the contract. It's a subtle distinction.
Having signatures match is just one straightforward kind of evidence that you agreed to the contract.
Yea, but they reduce to saying that someone was present and agreed to the contract. I've ordered things online, don't receive them, and the courier tells me it was delivered and signed for. I don't know who agreed. Nobody is going to investigate the curves on the signature.
I am curious though which biometrics will eventually replace the signature, especially with so many transactions online where I can spend thousands of dollars without signing anything.
Then why the farce of matching your signature with the signature on the back of the credit card? Or if you don't sign the credit card, asking for an ID? It always makes me laugh when the high school student making minimum wage checks my signature. Do they all need to be certified signature experts before getting a job as a cashier?
Do people still check the signature? I haven't had one on any of my cards for at least five years nor do I sign receipts with my name; nobody has ever questioned me or asked for ID.
Cashiers are not supposed to check that the signatures match, they are supposed to check that the card is signed. A credit card is not a valid form of payment unless it is signed on the back. "See ID" is not a valid signature BTW. Cashiers who see that are supposed to direct the cardholder to actually sign the card before charging it.
Strange, I believe I tried that after receiving a bunch of gift cards for Christmas -- I even tried entering in the exact title that's below the CC number on the card, but had no luck.
That's a different issue, namely address verification. You can sometimes log-in to the issuers site or call and give an address (can be fake, just needs to be something you remember) and then use that address on whatever online form you're trying to use. It will pass AVS and you're good to go.
Simon Malls was one of the first companies to offer prepaid credit cards at a retail location. They started selling them 10 or 11 years ago. I used to re-encode them with stolen magnetic stripe data back when I was into credit card fraud.
Instead you can buy virtual visa with bitcoins, and then you aren't on camera buying a prepaid card. Even better use bitcoins for hosting payment directly and avoid credit cards completely.
You can also find any Russian host you wish, then plug in Bitcoins to a Russian exchange such at btc-e and then withdraw straight to their WMZ account to fund your hosting
> I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are.
Well then it's not fucking well anonymous, is it?
For saying things that won't piss off the cops, we can just sign up on Tumblr from our residential ISP IP.
The whole point of having anonymity is for safely exercising the right to unpopular speech. If the cops can track you down, then it's not anonymous.
Imagine if Wikileaks had been fully pseudonymous, and then tried what you suggest. They'd be just as fucked as they are now (for being non-anonymous).
Although I like SDF, a physical letter is a lot more evidence and perhaps hassle than what you'd incur with Tor and some boring free shared hosting service, or running a Tor hidden service if you want interactivity and don't mind slowness, or even joining a Bitcoin mining pool and using the (minimal) payout to anonymously pay for hosting.
Isn't the way to get through this is to start running a lot of Tor nodes and hope to trap voidnull? If so, don't we think that those that care about breaking Tor are doing this?
If Wordpress.com accepts BitCoin, couldn't you just acquire some BitCoins not tied to your personal ID (you can use Moneygram with fake information and route it through mixers, buy them offline, etc.), and utilize Tor/Tor Services to set up the account, and give them fake information?
Possibly, but it wouldn't have the benefit of being 100% legal, as voidnull's solution appears to be. Also if Wordpress were to discover your fake info they might take your site down.
I can see this breaching their ToS and would probably be shut down by them if brought to their attention. However, what law would you be breaking when you give a private company a fake name.
Regretably, in the US the "Computer Fraud and Abuse Act" (CFAA) makes it illegal to access a computer without "authorization". Courts have interpreted that to mean that accessing a site when you are in violation of their terms and conditions (for instance, with a fake name) is a violation of this law and thus a felony. Learn more: https://www.eff.org/ja/issues/cfaa
Today, to host a piece of content on the Internet, you must link your identity to the content on some level
Completely incorrect.
There are any number of free web hosts who require nothing more than an email verification.
Some may say that free web hosting is inferior to paid, and I will agree, however my content hosted on free web hosts is still not tied to my real identity.
She's a gay, transgender, atheist, member of the very wrong political party who once stole a loaf of bread while starving and who slept with her boy/girlfriend (who was white) at an age where, although there was only a day between them, she was an "adult" while the other was a "child" in Zimbabwe.
Sorry Zimbabwe, you were at the bottom of the "Freedom Index" I looked at.
For parts of the above, she could have been anywhere in Africa, the Middle East or, indeed, the first world.
On top of all that, she also didn't want her parents to know she's got a tattoo and was concerned that her colleagues would be upset that she'd negotiated a higher pay package than them.
Or, in the flip side, a white male who says stuff that embarrasses or offends people who have US Attorney cellphone numbers on speed-dial. Examples include Assange, Weev, the two girls one cup guy, etc.
If they are already suspicious of you, then you've already lost. In the above scenario, voidnull's dna or fingerprints would have to be cataloged for them to find him.
If the rest of the internet is presumed to be linkable with a specific identity, I challenge someone to figure out who represents http://www.banksy.co.uk/. And Pest Control doesn't count. And if it does, then that's a pretty easy way to hide your identity.
This is a good question. Most of the comments here seem to be concerned with figuring out voidnull's identity, rather than the motivating idea of whether such a thing is possible.
The easy answer to your question is, Banksy represents that domain. But perhaps he's not so easy to pin down? Still, I'd think the crew involved in Exit Through the Gift Shop[1] might have some leads. Seems solvable, that is.
Actually, that's not true. There's a new technique called familial searching that can locate relatives that have had their DNA taken. The cops can then ask a brother, sister, parent, or cousin if they have a particular kind of male or female relative.
It is actually made non-toxic with the notion of people licking it in mind. It's not like it is just regular glue or a toxic adhesive. But I get what you mean. I don't lick them either. I don't get why people are even bothering with the point about DNA on the envelope though. Anyone who has ever mailed out lots of handwritten letters has used a moisture pen. You can go buy them for a few dollars at any office supply store. I use one to seal close to a hundred envelopes for the stamps every Monday at work.
247 comments
[ 3.9 ms ] story [ 349 ms ] threadAssuming all transactions will go to one address or come from "traceable" sender addresses is a bit presumptive.
Why not let the users sign up for the service (over Tor or whatever), then generate a bitcoin address for them to send BTC to? Then every transaction has a new address.
Besides that, there are a ton of ways to keep it anonymous using bitcoin.
You could buy BTC with cash of course, but then why not just send the cash direct?
I suppose you could also use washers but I'm not sure how reliable those are.
..I guess what I'm saying is that, lo and behold, Bitcoin might actually eventually work as an 'exchanger asset'; I've already discussed with a friend in the UK the possibility / advantages of using BTC to send cash [1] to them (bank transfer from this place would cost >= 15 pounds otherwise). They could then use a UK-based BTC exchanger, or -- find a local bitcoin trader (and yes there are some)!
(Also see: [2]) :)
Just saying!
In any case, I root for SDF, Godspeed you awesome people.
[1] Well, effectively cash: if both of us were to use local miners/traders, I would be effectively depositing cash, and my friend would be taking the cash out of the system. (See illustration in [2]) The process could be further abstracted away if my wallet were set up to automatically send all incoming coins to a pre-specified address; that address could my friend's trader's address where they would be sitting, sipping tea and waiting for the incoming coins, or (if my friend were not to care about anonymity at all) an exchanger's address; the exchanger could be set up to automatically make a local wire transfer (so free / very cheap) to a local UK bank account upon incoming coins; et cetera, et cetera.
[2] http://en.wikipedia.org/wiki/Hawala ; & a simple image: http://en.wikipedia.org/wiki/File:Hawala.png
edit expanded footnote1, etc.
(and anon.penet.fi was mostly NOT a cypherpunks type thing, it had very little technical security; it was all policy and jurisdiction, which worked well until Scientology.)
http://www.20minutemail.com/TemporaryEmail/TemporaryEmail.as...
:)
Oh and if you say "he asked for it", well yes but you got the wrong person, so that's kinda screwed up for whoever happened to own that domain.
As for the $10 reward, yes it is small, but the point is to see whether people can breach any of security, not to offer lots of cash (which I don't have anyway).
This also allows for password recovery in the opposite direction, site can publish passwords signed with users public keys and then users can decrypt their own using their private keys.
Of course the details are a bit tricky. I will accept voidnull's judgement as to whether the reward is due (which begs the question of which identity is voidnull in a philosophically interesting way). Also voidnull could claim this reward, but then I would have unmasked her by simply buying her off (a perfectly valid offensive security technique).
[1] https://en.wikipedia.org/wiki/The_Super_Dimension_Fortress_M...
[2] http://en.wikipedia.org/wiki/Japan_Self-Defense_Forces
But the anonymity of the poster and the inviolability of the content are two separate concerns.
The difference seems to be that he doesn't want to have trust anybody, whereas you'd be happy trusting organizations such as Wordpress and the US legal system.
https://www.schneier.com/crypto-gram-9902.html
2. Use the credit card to buy hosting with whomever you wish to use.
3. Enjoy your anonymity.
I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are. Even then you could go out of your way to purchase the card outside your home area at a grocery store since they often have minimal / poor camera coverage.
Edit - Responses to some of the comments:
In the USA SSNs are only required for customized reloadable cards with your name on them which is obviously not the type you'd want.
As for AVS / name verification, most prepaid cards now have websites which allow you to set a name and address for use online. Others will pass AVS checks with any address. The packaging will often say if they can be used for online purchases.
Sure, you could lie, but you would probably be breaking the law (which the method advocated in the article doesn't do).
Having signatures match is just one straightforward kind of evidence that you agreed to the contract.
I am curious though which biometrics will eventually replace the signature, especially with so many transactions online where I can spend thousands of dollars without signing anything.
http://www.americanexpress.com/us/content/prepaid/gift-cards... http://usa.visa.com/personal/cards/prepaid/gift_card_faq.htm...
You can also find any Russian host you wish, then plug in Bitcoins to a Russian exchange such at btc-e and then withdraw straight to their WMZ account to fund your hosting
Well then it's not fucking well anonymous, is it?
For saying things that won't piss off the cops, we can just sign up on Tumblr from our residential ISP IP.
The whole point of having anonymity is for safely exercising the right to unpopular speech. If the cops can track you down, then it's not anonymous.
Imagine if Wikileaks had been fully pseudonymous, and then tried what you suggest. They'd be just as fucked as they are now (for being non-anonymous).
HN has a button for that, you know.
http://www.law.cornell.edu/uscode/text/18/1957
Completely incorrect.
There are any number of free web hosts who require nothing more than an email verification.
Some may say that free web hosting is inferior to paid, and I will agree, however my content hosted on free web hosts is still not tied to my real identity.
Sorry Zimbabwe, you were at the bottom of the "Freedom Index" I looked at.
For parts of the above, she could have been anywhere in Africa, the Middle East or, indeed, the first world.
On top of all that, she also didn't want her parents to know she's got a tattoo and was concerned that her colleagues would be upset that she'd negotiated a higher pay package than them.
Were you wearing gloves when you handled the dollar bill and the envelope? Did you lick the envelope to seal it?
The easy answer to your question is, Banksy represents that domain. But perhaps he's not so easy to pin down? Still, I'd think the crew involved in Exit Through the Gift Shop[1] might have some leads. Seems solvable, that is.
[1]: http://www.banksyfilm.com/
but even despite the health issues, having one spreading body fluids around is not very acceptable where i came from.