Bitcoin Forum

Hey fellow bitcoiners,

I am really a registered user in this forum since at least summer 2012. I set up this secondary, hopefully anonymous identity to give away some free bitcoins by ways of a challenge:

challenge:

I hereby challenge you to find the real me!

I set up a site on the net: http://findmeifyoucan.eu

I hereby promise to pay BTC 14 to anyone who provides one of the following pieces of information identifying the operator of findmeifyoucan.eu or (which is the same) the author of this post:

• forum account id of 'real me'
• my real name and (address or phone number or date of birth)
• any IP-address that could be traced to my real identity by authorities

rules:

• Rules are t14 BTC bountyo be interpreted by me, in case of dispute, I am right, you are wrong
• you must post here one of the above infos and a bitcoin address to which the bounty should be sent
• you must provide a credible story of how you obtained the info
• a 'hunch' is not enough, no guessing
• I can change these rules at any time and will do so in OP (Original Post, the one you're reading)
• the state of the OP at the time of claim is decisive for the rules, so please quote OP when claiming bounty

   
notes:
 

• I'll give away small amounts of bitcoin to people pointing out flaws/mistakes/possible improvements regarding my anonymity
• speculation in this thread is encouraged

additional info leaked:
 

• theymous publishes the IP I use to access bitcointalk: 188.165.73.235
• theymos publishes PM in which I ask MysteryMiner wether he was one of the german guys wearing masks at the Conference in London.
• it is discovered that joe uses lastpass
• "real me"s timezone has leaked: "it indicates timezone somewhere near UTC."

rewards payed for valuable feedback to:

• MysteryMiner
• Jasinlee
• Openyoureyes

feel free to ask any questions... I might be happy to answer... or not.

joe is dead, see this post by real me: https://bitcointalk.org/index.php?topic=120918.msg1304572#msg1304572

screenshot of my electrum wallet:

https://i.imgur.com/dsq3s.png

Matthew?

no guessing, but made me LOL

Scammer tags have been dole out for less. Do you realized that with your answer you've broken two rules in the OP?


Blazr asked a question in the form of a speculation. The correct answer would have been with a 'no', but you went with the 'no guessing' which translates to 'no speculation'.

I have reread your rules, and...

Okay. I figured out which user you are--someone703.

1EWRJ5BeibZxMguujPLzqM8WWiHpFJtLLx

since at least summer 2012 = January, 2012

You both use tormail.net

You both use https://i.imgur.com to post images.

The operators of Silk Road can find at least your SR username given time and amount of deposit. If it is a SR deposit address at all :D

All other steps seems to be secure if Tor was used all the time. Weakest link might be a VPS if you are using it for VPN.

Have not tried to follow coins in both directions with blockexplorer to see if they are linked with some known addresses here on forum. I'm too lazy to type the address from image lol I save this for some more BTC desperate members.

thanks for all your replies, I have not been identified yet.


true. BTC


thanks for checking man, this is reassuring so far.



you wouldn't have found anything about the "initial funding transaction", I think. I "cleaned" the funds using silkraod, that 10 BTC "initial load" is a silkroad withdrawl.

AndrewBUD.

I analyse your England. Derp.

BTC goes here 1H8uBfk6bw8kj3CWurjct5KHKe6NY3HAp4
Thanks.

he can speculate all he wants, but will not get an answer to a guess.

I didn't break my rules and even if I had: I'd just change them ;).

This is for fun (although I most definitel will pay the bounty when I get identified according to the rules)

I'm also not opposed to escrow.

Yes, I'm using the VPS that hosts the page as a proxy (through tor) to access bitcointalk because bitcointalk disallows tor ips.

Is that best practice?

The problem of staying hidden is not in the short term. In long run you get comfortable, relax on security, reuse the same address or e-mail or whatever and you have instantly linked yourself to some other person You.

Such periodic checks are great idea if your security is at stake. Better lose some bitchiness than lose anonymity and freedom.Chaining Socks proxy at the end of Tor? Yes it is how it's done!

Darn! I was just about to send you a PM with a transparent gif image in it to record your IP, in the off-chance you were browsing the forums without TOR or a proxy.

I'm thinking about giving you guys access to the server in the end (maybe I will lower the bounty then) to simulate "officials" gaining access to the machine.

Girls can't do that! Go back to kitchen and make me a hot meal!For LEA it will take at least few days to do this "officially" if both the source of offending IP address (Bitcointalk) and VPS are in the same country. More if some parts of chain is located overseas. So at least don't give access right now to keep this interesting.

UPDATE: someone manages to bribe theymos to give out the IP used to access bitcointalk as joe23: it's consistently 188.165.73.235

Just checked he cleared metadata on the pic if anyone was planning to look. I think maybe tradefortress.

just loaded more funds to joes wallet

https://i.imgur.com/iptLL.png

will increase bounty soon

ok, I will keep it realistic and wait for a couple of days.

wow. good idea. Didn't think of that. Got lucky my screenshot-tool (scrot) seems to not leak any info OR maybe imgur trims it. Will check that out.

Extremely good point, tough, jasinlee. I will award a 0.05 BTC special bonus for that, give me an address and I will send.

I am digging through the blockchain hold it for a few I may find you yet. Right now I am examining your Taint ewww.

Jazztel triple play service that your ISP?

nevermind I think that was a TOR routing.

yep, hopefully tor. Jazztel not my ISP.

The metadata would not helped much because the pic is made from screenshot not digital camera.

theymos is pissed at me and releases my PMs publicly.

In those PMs you can see me asking MysteryMiner wether he was one of the german guys wearing masks at the Conference in London.

well, who knows what screenshot tool puts in there? unix user info? could contain email-address, hostname, whatever.

"registration info" like MS Word does. But as long as the information is kept "generic" this will not help much. Some pedos were busted because they left metadata with GPS coordinates on homemade preteen pussy pictures and back in 90-ties some madman was caught because he sent floppy to police with word document that was registered to some church.

The metadata in electrum screenshot was a minor overlook but most likely it would not let us reveal who you are even if there was metadata.

well, I'm not using a separate client machine for this. Merely a separate user on my day-to-day system. To be safer, it'd probably make sense to use a seperate machine and also block all non-tor traffic from that machine to make sure I don't accidentally go through public net.

One thing for example might be a problem: I use lastpass to manage joe23s identities and passwords for the services. I'm not entirely sure the lastpass addon follow my browsers proxy settings. Anyone know?

Do you mine deepbit? So I can use that as a point of reference? Or can we ask questions?

yes, you can ask questions. This is to simulate the case where I run some anonymous service but I still want to interface with people on bitcointalk, so I engage in discussion and will reveal bits of info.

To answer your question: no, I don't mine at all.

I would not use Lastpass. I manage my passwords locally using KeePass software.

Satoshi did good job hiding his identity. Nobody suspects that he is Casascius :D

keepass seems to be windows-only :(.

I'm not currently doing this, but "for real", I would probably use an encrypted /home/joe folder anyway, so I could just put a text-file with the login pws there.

However: lastpass (or any other password store that has a browser addon) is very convenient.

What are the specific problems with using lastpass?

The classic 1.x version was tested on Wine and it worked. According the 2.x version works under Mono but I have not tested that. So it is not exclusive to Windows.Closed-source. You don't know if it works correctly or have no backdoors. It is suboptimal design for password storage. The synchronization is convenient but it is a tradeoff of security.

fuck wine ;). Does keepass help with filling login forms in the browser? If not, a text file is just as good, right?

Are there better alternatives to lastpass?

MysteryMiner, I would like to give you a little token of appreciation for your great input. So if you want that, give me an address.

Yes it have autofiller and such features. Take a look for KeePassX that is a Linux version. The plaintext file with passwords is usable but if someone gains access to computer it can steal all passwords.

Anyway this is not a scope of this thread. The thing we need to know is that Joe uses Lastpass to manage the logins for the VPS.

My address is 1Aiq9FYv12GQjM9LeBHoNq9c3FfFaA4GTA
Thank You!

sent you some.

lastpass of course I use not only for VPS, but also domain name service and tormail.

1B15JZGtHg4BvbzGdPGKZi7aunR4cpN5jE

Is mine, I checked through everything, the site has 2 open ports but it looks they are both on a host who takes btc so pretty fully anon there. Traces to it bring up ireland which means nothing really. You do however use "joe" which is a commonly used shortened name used in the USA so I would be inclined to think you are here. There is a way I think to find you through the block chain (but would be a huge pain in the ass) I started to do it but then I saw you mixed it more than once and said screw it not worth it. But I could total up the transactions received on the mix, add the % for the mix to that then look for the originator of that balance. (I think thats how the DEA is following people on SR)

sent some bitcents for your great effort so far.

Now for finding me through the blockchain: I cleaned the coins using SR. That means all inputs of transactions contributing positively to my balance are owned by SR.

I deposited a higher balance to SR from my private wallet than I withdrew to joes wallet to make same-amount-attacks a lot harder if not impossible. I waited between deposit and withdraw, making timing attacks harder, if not impossible. Safe?

The address in UK is address of VPS hosting service. Even if that server is compromised and monitored Joe will be connecting it with Tor.

DEA using blockexplorer to follow transactions on blockchain? I could train a monkey to click these addresses with equal success and receive government paycheck.

Probably using blockchain.info to see origination IP address of transaction can possibly lead at least to Electrum server. If the server is not running as .onion address.

Good point, and the electrum server should be pretty safe. Things I have done to remain anon in the past. Go to a cloud desktop site and download onto that desktop a copy of vm. Most cloud sites only store the info for a hour or 2 then overwrite it.

So you would be on your PC > Cloud Desktop > VM > VM > TOR.

If you have to post any pics use screenshot so you dont bleed metadata. Also, when typing information online, I would actively focus on what you are saying, you can analyze a persons way of speaking to relate to other posts. Many people use the same phrases or references when talking about trivial subjects. Also, use separate anon services in case the gov got bold and seized servers, they would have to raid more than 1 place.

Edit: I failed to mention the obvious, use someone elses internet in case all else fails :P

Joe of Joe's Data Center in KC. Reason is obvious, couple with Joe DC also joining in the summer. The address is 324 East 11th Street, hence you using Joe23.

joesdc ? that one? I thought that was a bit obvious and discarded it lol.

Administrative Contact:
Morgan, Joe joe@moccp.com
Joe's Datacenter, LLC
324 E. 11th St
Suite 2625
Kansas City, Missouri 64106
United States
+1.8167267615

thats what I found on that one, but that was a 2 second search.

Some information digged from findmeifyoucan.eu:
-IPaddress matches the address theymos releaved (188.165.73.235), ie he is running the www site on the computer he is using. Or he is using a proxy. Using a proxy would make the following go wrong:

-traceroute to that address would give a hint he might live in Frankfurth?
-http://www.iplocation.net/index.php says he lives in Dublin, Ireland. https://maps.google.com/maps?q=DUBLIN,,IE

Nite69
-----------------
xxx@xxxx:~$ dig findmeifyoucan.eu

; <<>> DiG 9.8.1-P1 <<>> findmeifyoucan.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20274
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 16

;; QUESTION SECTION:
;findmeifyoucan.eu.      IN   A

;; ANSWER SECTION:
findmeifyoucan.eu.   14241   IN   A   188.165.73.235

;; AUTHORITY SECTION:
findmeifyoucan.eu.   86240   IN   NS   ns1.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns2.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns3.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns4.domains4bitcoins.com.

;; ADDITIONAL SECTION:
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.173
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.174
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.229
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.230
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.96
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.97
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.44
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.45
ns3.domains4bitcoins.com. 28640   IN   A   67.15.47.188
ns3.domains4bitcoins.com. 28640   IN   A   67.15.47.189
ns3.domains4bitcoins.com. 28640   IN   A   67.15.253.219
ns3.domains4bitcoins.com. 28640   IN   A   67.15.253.220
ns4.domains4bitcoins.com. 28640   IN   A   184.173.150.58
ns4.domains4bitcoins.com. 28640   IN   A   184.173.149.221
ns4.domains4bitcoins.com. 28640   IN   A   184.173.149.222
ns4.domains4bitcoins.com. 28640   IN   A   184.173.150.57

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 08:30:11 2012
;; MSG SIZE  rcvd: 399
-----------------
xxx@xxx:~$ whois findmeifyoucan.eu
---clicketiclick---
Registrant:
   NOT DISCLOSED!
   Visit www.eurid.eu for webbased whois.

Registrar Technical Contacts:
   Name:   Domain Manager
   Organisation:   PublicDomainRegistry.com
   Language:   en
   Phone:   +1.2013775952
   Fax:   +1.3202105146
   Email:   domain.manager@publicdomainregistry.com


Registrar:
   Name:    PDR Ltd.
   Website: www.publicdomainregistry.com
------------------
xxx@xxxx:~$ traceroute 188.165.73.235
traceroute to 188.165.73.235 (188.165.73.235), 30 hops max, 60 byte packets
----clicketiclick------

 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * ae-63-63.csw1.Frankfurt1.Level3.net (4.69.163.2)  45.509 ms ae-83-83.csw3.Frankfurt1.Level3.net (4.69.163.10)  51.131 ms
14  ae-2-70.edge5.Frankfurt1.Level3.net (4.69.154.73)  46.881 ms * *
15  * * *
16  * * *
17  vss-6a-6k.fr.eu (91.121.128.40)  62.731 ms  62.911 ms *
18  * * *
19  188.165.73.235 (188.165.73.235)  58.420 ms  58.759 ms  60.247 ms

-------------------------------

Yeah there was a name on there too somewhere I ran across it Olav or something. Thats just the owner of the host though I think so kinda pointless.

Amazon has a big datacenter in Dublin, I guess he (she?) is using a virtual computer in a cloud to access net/keep the www-server up?  

Edit: Too new site for Wayback machine:
http://wayback.archive.org/web/*/http://findmeifyoucan.eu

On the screenshot he posted he has the payment he made for it. So yeah.

One more trivial thing to do when hunting someone:
(note: this should be run from a non-consumer network connection; some of the ports are filtered by my ISP)
-----------------
xxx@xxx:~$ nmap -v -A 188.165.73.235

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-28 09:13 EET
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 09:13
Scanning 188.165.73.235 [2 ports]
Completed Ping Scan at 09:13, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:13
Completed Parallel DNS resolution of 1 host. at 09:13, 0.01s elapsed
Initiating Connect Scan at 09:13
Scanning 188.165.73.235 [1000 ports]
Discovered open port 80/tcp on 188.165.73.235
Discovered open port 22/tcp on 188.165.73.235
Increasing send delay for 188.165.73.235 from 0 to 5 due to 13 out of 43 dropped probes since last increase.
Completed Connect Scan at 09:13, 16.00s elapsed (1000 total ports)
Initiating Service scan at 09:13
Scanning 2 services on 188.165.73.235
Completed Service scan at 09:13, 6.12s elapsed (2 services on 1 host)
NSE: Script scanning 188.165.73.235.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:13
Completed NSE at 09:13, 0.85s elapsed
NSE: Script Scanning completed.
Nmap scan report for 188.165.73.235
Host is up (0.056s latency).
Not shown: 988 closed ports
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 c9:7b:57:ea:06:c1:57:e6:51:ea:d5:8a:1a:aa:96:59 (DSA)
|_2048 22:d5:a9:44:18:b2:82:42:ef:58:57:07:1b:5d:d5:dd (RSA)
25/tcp   filtered smtp
80/tcp   open     http            nginx 1.1.19
|_html-title: find me if you can
445/tcp  filtered microsoft-ds
1723/tcp filtered pptp
6666/tcp filtered irc
6667/tcp filtered irc
7000/tcp filtered afs3-fileserver
7070/tcp filtered realserver
8000/tcp filtered http-alt
8001/tcp filtered unknown
8002/tcp filtered teradataordbms
Service Info: OS: Linux

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.21 seconds

----
Oh, I was a bit careless..
xxx@xxxx:~$ 188.165.73.235
-----------

Amazon has a big datacenter in Dublin, I guess he (she?) is using a virtual computer in a cloud to access net/keep the www-server up?  

[/quote]

Or, more likely, Ovh:
http://www.plotip.com/ip/188.165.73

https://www.ovh.co.uk/dedicated_servers/


But that does not lead us to him... unless we have an insider in ovh ;-)

All I need is a French-speaking lawyer?

Dear OVH France (http://www.ovh.com/fr/index.xml); Dear Patrick Strateman;

On or about 22:26 October 27 2012, my organization was slandered by a user connecting through IP address 188.165.73.235.
Please see the attached slander lawsuit and notice of pre-litigation subpoena for tortious activity demanding identification of and corroborating connections for any and all IP connections on or about this time originating from and connecting through the "Bitcoin Virtual Private Server" service momentovps.com corresponding with this access through your services.

Hey guys,

just got up (hint, hint). yawn.

You seem to have found some info on the VPS even I didn't know (couldn't care less where its located).

I think the basic concept is pretty sound: I'm using that VPS for everything: to host the page and as a proxy. I olny ever connected to it via tor (hopefully). So when the VPS is compromised, I should still be secure.

Things I've learned from you guys (and own thoughts) so far:

• reevaluate use of lastpass, it's a risk, lastpass inc. could be subpoenad or whatever into slipping me custom code or there already is a backdoor of sorts that could leak info, who knows
• isolate joe on the client system better (currently all I do is use a seperate user) and make sure the client can only connect through tor, maybe at the router or something. There's currently the chance that I might accidentally connect through the parent network and reveal my IP to the VPS. Maybe use a virtual machine. Protect it (or /home/joe at least) locally so your visitors or the people you live with don't accidentally find joe. Always unmount /home/joe, shutdown the Virtual Machine when leaving machine physically. Maybe put /home/joe or even a whole system on a usb stick or use an old laptop for joe so he's portable (some secure distro, suggestions?)
• Watch your language, always be very conscious who you are, don't post drunk, avoid using phrases/language the real me notoriously uses,...
• What MysteryMiner said: "The problem of staying hidden is not in the short term. In long run you get comfortable, relax on security, reuse the same address or e-mail or whatever [...]"

I'm upping the bounty to BTC 14 for now. I might lower it again at some point when I intentionally leak more info that'd make it easier.

Nop... not me.. Nice to see my name mentioned though...


I could care less if you guys know who I am IRL...............

Long and scattered post but here's my 2c.

How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

In either case, you need to watch out for DNS leaks. By default, SSH & Firefox (and most applications) will not do DNS lookups through a proxy.

So, if you browse to google.com, your web traffic will be encrypted and tunnelled as you expect, but the DNS request (i.e what is the IP of google) will come from your home internet connection. In firefox (don't know if it affects other browsers), this 'bug' is easily rectified. Go to about:config and set remote.dns to true.
If your connect to your server by running SSH over TOR then never specify the hostname (i.e. ssh findmeifyoucan.eu, or any other domain), as this, again, will force an non-tunnelled DNS lookup. Always use the IP.

A few other things:

• Watch out for any information you leave on the server through log files, etc. (Does a: grep xx.xx.xx.xx /var/log/* -R where xx is your real IP, come up with anything.)
  
• Install some sort of IDS on your server to monitor for new installtions/modifications. If this get compromised then so are you (regardless of if you connecting over TOR). What's to stop the hacker from spoofing the DNS record for tormail, SR, etc and sending your to another server.
  
• Take a look through your .bash_history, it will show all the commands you've executed: things you've done, files you've modified, etc. which could aid an attacker if they gain access. Disable it in your .bash_rc or just ln -s ~/.bash_history /dev/null
  
• Why are you tunnelling all your traffic from your server? As you said yourself, all your traffic originates from one IP address. Even if no body knows the true identity of the person behind this IP, your a leaving an easy trail for people to follow. One lapse in your security, which reveals who own this IP, and everything then can be linked back to you.
  Why not run TOR on your home machine, tunnel your traffic over SSH to the server, and then run TOR on the server aswell? Everything going in and out of the server is going through TOR, then if there is a break in the chain, you'll be protected by your servers IP.
  

This is exactly what I was going to do if he gave us (or I managed to get) access to his server. He's using Linux so this doesn't apply, but some commonly installed Windows applications check for updates without forcing the use of https. It isn't too hard to trick the software into running your own "update" which would give you pretty much unrestricted access to do whatever you like on the victims machine.

He only need one ssh connection to the server and then use the remote just as standalone pc to do all Joe's jobs. The only connection from his own computer to anything which has anything to do with Joe, is that single ssh connection to that server throught tor. And after what you told, it is most likely made directly with the IP address.

Ie; rent a server in a cloud, install linux and X2Go or freeNX or whatever, then never do anything as Joe anywhere else but by using that computer on the cloud.


But he has to pay for DNS and the server. Can these payments be tracked?

He paid for the VPS using BTC.

This obvious hint; either intentionally misleading or correct information, but it indicates timezone somewhere near UTC. Well, it's weekend, so might also be more to east ;-)

Anyway, Europe, not US. If we can trust that.

These posting times could lead to something. He cannot post two posts at the same time (well,could, but most likely not). But Joe and the actual person are, for example, awake at the same time. Would need some statistics.

thanks, OpenYourEyes for chipping in. That's some valuable info.

Let me answer some of your questions:


I use

  #> ssh -D 0.0.0.0:55555 joe23@188.165.73.235 -o ProxyCommand="~/bin/connect -4 -S localhost:9050 %h %p"

to ssh to the VPS and at the same time setup the proxy, which I connect to using

  #> chromium-browser --proxy-server="socks5://localhost:55555"

I only use chrome through that VPS proxy for bitcointalk. All other browsing activity I do with firefox through tor (use localhost:9050 as proxy).

Very good point about the DNS leaks! Officials could probably evesdrop on the dns server and identify my IP through timing, right?

Would my idea of ensuring at my home router that the box can only go out through tor (drop all other pakets, is that even possible?) help against such "accidental" leaking? Any ideas on how to protect against such accidents in a fool-proof way?


I sure as hell wont enter my real IP in the VPS shell at any time. You sneaky guys might have compromised the machine already and are likely keylogging ;). I might look through the logs manually, though.


I use onion url http://jhiwjjlqpyawmpjx.onion to access tormail using firefox. As said before, I only use the VPS as proxy for bitcointalk.org because they disallow tor.


I might've said that wrong before. I don't tunnel all traffic through the VPS, just when I need to access sites that don't allow tor connections. Sorry about that misinformation, it was not intentional. I will not try to mislead you guys, at least not at this point, only when you're getting close ;)


Problem is I need a non-tor exit point somewhere for bitcointalk.org. Any other ideas on how to post to bitcointalk?

OpenYourEyes, I'd like to reward your effort if you give me an address, I will.

I think this could be a viable attack.

It would involve some serious page-scraping of bitcointalk. Assuming you guys do that and then have the posting times of all bitcointalk users you could compute a likelyhood of each user being "real me" using various heuristics. Especially over a long period of time, combined with my roughly known timezone info and maybe some manual language analysis in the end, this could potentially boil it down to maybe a handful of users that would then be suspects.

I would consider that to be a pretty dangerous development for my anonymity.

I thought you were dailyanarchist for a while, but couldnt find anything connecting it to your profile.

You seem to have most things covered; but, the more complex you make the chain, the easier it is to slip up and forget/misconfigure something.
Everything were talking about here is what I'm specialising in at University at the moment: digital & anti forensics/security.


:) Thanks.
1HUnQSAEto29XC5PeHUbaWkPUhec7W7DJN

I'm off to grab a bite to eat; I'll rack my brains when I come back to see what else can be done/is being missed. Hopefully we can get even more input from people on this aswell.

I've done things like that in the past, but as you say he's using linux (debian, so nmap says) so it's package manager will check the signature of all packages.

Here's something else which I was intending to do:

If he's using bash, then create an alias within .bash_rc, and link sudo calls to a simple password capturing script.
e.g.
within .bash_rc:
alias sudo="passwordCapture.sh"

Now any time sudo is called (e.g. sudo apt-get update); sudo calls the following 'fake sudo' script which logs the password to a file, tells the user it is wrong, and calls the legit sudo program with the arguments originally passed.



I done this many years ago to my old IT technician, but made the script more fancy by deleting any references once it had complete: he was none the wiser.

--
Thanks joe23, got your transfer.

cool.

sent a little bit to you address as can be seen in this updated screenshot of joes wallet:
(I had to use the VPS proxy to upload it, imgur disallows tor)

https://i.imgur.com/fJdtu.png

OOOPS! I accidentally had electrums connection setup dialog open when I took the screenshot.

If I remember correctly, only signing up using TOR is banned, you can actually login and post using TOR no problem.

Ah, good to know.

I think you also deserve some payment for your effort if you share an address. I hope I didn't miss anyone else? afaik I so far gave some monetary incentives to:

• MysteryMiner
• Jasinlee
• Openyoureyes

Curious if Theymos has a sign up IP which is different than the current IP used...

Maybe he's open to helping you guys by releasing any info he has on joe23 (with my consent)?

So if you ask him and he's ok with it, I will give him my consent to publish anything he has on me in this thread.

-

Would it be safe to add -X to the ssh command and then run firefox (or other browser, bitcoin client etc) on the VPS (or rent another VPS) to do all Joe's jobs? Also, would it be more secure to use certificate on a smartcard for the connection, not passwords.

wow, this bounty keeps climbing, huh?

If you are going to pull a heist, its good to know your prepared :P

Increase your Electrum anonymity by connecting to a Tor *hidden* service rather than
a regular server. This helps prevent server operators from connecting some dots... :)

More info:
https://bitcointalk.org/index.php?topic=113116.0

Can we assume he was in that conference? Maybe he is in one of the videos here: http://bitcoin2012.com/

As this thread is highly informative and entertaining I'd like to add 1 BTC to the bounty.

Joe23 please provide me with an address or an escrow where I can send it.

Awesome!

I could give you an address from joes wallet, but would prefer someone to do escrow for us.

ok guys and girls, where to go from here?

It seems to me I'm pretty safe for now, right? Many possible flaws and improvements have been pointed out but none of them lead to you guys getting close to me.

That bitcointalk-posting-time-attack seems hard to pull off and will likely take weeks to deliver meaningful data.

I pretty much decided to "have the VPS compromised" at some point, but I think I should wait with that since it could be over pretty quickly after that and I must say I'm quite enjoying this and learning a lot.

So maybe I should try to do some more stuff that might endanger my anonymity to make it more interesting? Like pop up on irc and chat with you guys or something.

Open for any suggestions that don't involve me actually doing anything illegal.

Heres your chance to set up some trap ;)

Is your IP at all 24.143.xx.xx or 217.114.xx.xx (xx'd for privacy), or are you Smoothie, or someguy123. (Took a few stabs there).

I'm in the process of doing an explanation for my results.

My original intention was to try and use Flash to log your true IP:
Plugins such as Adobe Flash don't normally respect your browsers proxy settings (this must have changed recently, or I went about it the wrong way because it didn't work).

My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
The Flash player method is the one I was relying on the most (the others were just a fallback in case you messed up somewhere - apparently not), but it doesn't seemed to have worked.
Although, sifting through nearly 60 different IPs and browser information, and then doing lookups on them is quite cumbersome.

I had one visitor come to the site which was using a TOR connection (195.177.253.113), I took a stab in the dark in believing it was you. I know you use Linux, and the useragent matches up. Doing searches on this useragent from the last couple of days lead me to two members here: Smoothie, and someguy123: quite confident it's not you though.

This IP (217.114.xx.xx) got me slightly excited as it originates from Dublin, and your server IP also gave references to Dublin. Plus, the useragent seems to be one of Ubuntu. I'm just linking random data here together, but there is not much else to go on.

I got suspicious with this IP (24.143.xx.xx) as one moment the data originated from a Windows box, but minutes later it was a Ubuntu one.

And finally, these two (85.127.xx.xx, 81.246.xx.xx) visited the website three times in total, all within 30seconds of each other. Not implying these are you, but strange behaviour was noted in my logs.

This is a great thread. If I had to make a suggestion, I would connect to some translation service over tor, translate what you want to write into some other language, then translate back to English, then post it (better would be to install a local translator). Your English is almost perfect - definitely better than any automatic translation - but that only narrows it down to, oh, maybe 400 million native English speakers. The few mistakes I noticed could either be genuine typos, or maybe deliberate. If I wanted to try, I'd ask you a question which requires an answer with a word such as "randomi(s/z)e" or "trunk/boot" (US & UK respectively for those with English as 2nd language). I just can't think of a suitable question right now.

To connect, I would use TAILS. It sets up two virtual machines within an OS running from an USB drive - one of the vm's runs a TOR server, the other vm's network card is routed through that TOR instance. The user interacts only with the 2nd so no need to worry about DNS, java, flash leaks etc - except if something breaks the vm enclosure I suppose. I haven't tried it out, but it seems really good.

Someone suggested running firefox through x11 forwarding in the torified ssh tunnel. I'd have to say that'd be really slow. You might get away with w3m or lynx maybe, but that might narrow you down even more - how many text-based browser users can there still be in the world?

joe23@tormail.org
188.165.73.235
Ignores BitcoinINV

Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!

It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology.

eh, after all theymos has sense of humour. lol

As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it.

If you wanted to catch only joe's IP you should've sent him a PM and not post in in this thread.

BTW, joe is gweedo. Why? Because gweedo can't stand BitcoinINV lol

I thought of that, but if I was in his shoes I would have find it quite suspicious of being asked to click a link, especially with a strange free hosting domain name, but hey, I'm paranoid by nature.

Ah, I had looked at the "previous post", but there was no image. I guess he edited the post to remove the image so. Guess I'd better not take up a hacking career - I'd not get very far.   Even took me a couple of minutes to figure out 1337est.  :'(
But wait, OpenYourEyes said he was using a flash beacon to catch the IPs. I found this (https://www.vbulletin.com/forum/showthread.php/92250-Flash-BBCODE-that-works) which shows how to embed flash code into a forum post, and the first reply says "allowing users to embed flash is a security risk". So... what gives?  OpenYourEyes can't have just used a regular image because that would have gone over joe23's TOR connection - he specifically tried flash which often ignores proxy settings.

No need to click any link. You just embed it as an image on the PM just like you did in the thread reply. PM's can also use bbcode.
As soon as he opened the Messages page, which has your latest 20 or so messages showing, it would call your script and you'd have the data you wanted, but without all the garbage ;)

You're right, you can't embed flash on here. I just posted an image, but I had also posted a link to a website which had the Flash video embedded.
I have no idea any more as to whether Flash abides proxy settings, it never used to, but some are saying other wise now, plus my test failed so I'd be inclined to agree.

True, but I don't have the ability to run PHP/JS/Flash code on here, hence why I had to ship him off to a point I control. :D

I feel less stupid now. The internets haven't suddenly changed the rules after all.  :)

I bet it's Nefario making sure he can't be traced, and then if someone figures it out he'll cry and say he can't pay back GLBSE accounts until he gets the 14BTC back lol

If you browse here, you're not that anonymous (unless you turn off images, or connect so that your IP address being logged doesn't matter).

Here's a web bug: http://www.spypig.com/e405d106-216b-11e2-bfeb-ec84cf83211c/pig.gif
(it can be a blank image too)

Here's where you can see email notifications of everybody that viewed the image, along with their IP address, reverse domain name, and browser user agent: http://spypig.mailinator.com/
Update: spypig.com only sends information about the first five views, so the fun was over pretty quick.

I'll leave this here to freak you out instead: http://www.myspace-compilation.com/ip/white.php

Lol thats pretty funny they use a pig lmao
http://www.spypig.com/581b00c6-216b-11e2-bfeb-ec84cf83211c/pig.png

You are molecular.  He is the only one who mistypes "silkraod" like that.

1FV1BnSMYKDiqYtBtxZEhiT5TKg4TcDAKq

Good idea is to use NoScript and Flashblock on by default (firefox). Did you find my ip: 82.128.xxx.xx?
However, I have enabled javascript in bitocointalk.

thanks, theymos.

holy FUCK!

https://i.imgur.com/plbxy.png

We have a winner.

Really, this is not how I thought it would end.

Melman2002 found me. One could argue it was a guess, but I think it was according to the rules (credible story and he wasn't stabbing around a lot).

Why did I only give 7 BTC so far?

Because I would really like to know the flaw Sans-EXP caught me overlooking ;).

What do you guys think. All 14 BTC to MelMan2002?

MelMan2002, would you be ok with splitting the bounty with Sans-EXP if he presents the info on how he caught me?

I must say, you guys are fucking awesome!

EDIT: a fucking typing quirk of mine got me, I really can't get over it!

EDIT2: domain for sale: findmeifyoucan.eu ;)

EDIT3: too bad I can't ever do this again, it's been so much fun!

This could well have worked, I didn't protect against that.

I'm not sure how you embedded flash, can you explain? just <img>blah.swf</img> or what?

Do you see 85.17x.xxx.xxx in your logs?

It really is quite amazing:

https://i.imgur.com/Gv8rQ.png

I really am the only one who mistypes sr like that.

I suppose this is a dynamic image. The server grabs your IP address, writes the text into an image and serves that image. Still wouldn't get you a TOR user's real IP address.
The thing that freaked me out was that I misunderstood OpenYourEyes' post to mean he could embed arbitrary flash or java code into a simple HTML forum post AND make it execute on the victim's computer automatically and so, through these systems' bypassing of proxy settings, learn joe23's real IP. This would be a very serious security flaw, I expect.
Can anyone suggest a web page where the privacy of your web browser is tested? Like one that tries java, js, flash, html, php, other bug exploits to track an IP, even behind tor?  I know panopticlick (https://panopticlick.eff.org/) from the EFF. Anything else?

I triedthe panopticlick service with a few browsers:

1. standard firefox profile, with tor proxy set (as OP did for this thread [with chrome])
2. torbrowser bundle
3. torified w3m

Results are:

1. unique browser fingerprint (in over 2.5million tested!)
2. 1 in 4400 browsers have the same fingerprint
3. 1 in 500000 browsers have the same fingerprint

So - like I suggested earlier - don't use w3m as an anonymous browser!

edit: just in case it's not clear - torbrowser bundle is the best of the bunch. Can anyone get better?

Once again the human element is the softest part...

Toldja the way you type will be your undoing :P

This was a great idea..... too bad your damn typing error got ya :)

Would be more interesting if it showed the IP of the last person that viewed it.

Like you said before, you make the rules.  I'm perfectly happy with 7btc.

If it makes you happier, it was more than a stab in the dark.  I went through all of joe's posts looking for spelling/grammar oddities and kept searching the forum to look for trends.  It took me a few hours actually.  And when I found a pretty good match with molecular I went through many of his posts to see if anything seemed to convincingly disprove my theory.

I almost gave up a couple hours into it because I wasn't sure that I was getting anywhere...

Anyway - it was a lot of fun.  Thank you very much!

I had a hunch it would not be specifically spring or summer of this year. This thread just goes to prove: Words mean things!

http://dailyrushbo.com/wp-content/uploads/2012/02/RushLimbaughYearbookPhoto.jpg

I think MelMan2002 should get the full bounty, that was a good job by him.

I'm not really clear from reading the post about what technical issue you were supposed to have missed that wasn't covered by people already.

More interesting:
http://amibehindnat.com

If I can get you to follow a similar link to my server, I can see your real IP address regardless of VPS, and I could log it and show it to everybody. That uses Java, which could even send traceroutes out from the user and report back their full IP route to the server. Of course if you have Java and follow a link, you are now PwnD (http://blogs.computerworld.com/malware-and-vulnerabilities/21056/another-critical-java-vulnerability-puts-1-billion-users-risk) anyway.


It was a bulanula-style con trying to claim credit for the previous discovery and get free BTC, posts now deleted.

There is also a user on Silkroad forums that mistypes the SR like that. :D

Well done MelMan2002! I found a few grammatical errors, but didn't spend much time on them thinking I'd find him going the technical route.


If you use Tor, you should disable JavaScript, and certainly disable plugins (such as Flash, QuickTime, DivX, ActiveX, etc).
I didn't embed the Flash into my post (just a tracking image), I had a link in my post to a blog post (don't know whether you clicked it), and it was that page that hosted the Flash.

I didn't see 85.17.* but there was 85.127,* and 85.28*

I need a life, I spent far too long on this :D

We should do that again some time.

Yes, this was awesome. I think it would be cool to have this as a regular thing.

What posts where deleted? The one where SANS-Exp claims I made a serious flaw is still there: https://bitcointalk.org/index.php?topic=120921.msg1304530#msg1304530

Let's give it some more time. If he can show I made a serious mistake and that makes it plausible enough that he could've found me that way I think he'd deserve half the bounty. If not, it will go to MelMan2002.

Oh definitely! Anyone be sure to post in this thread once someone puts up a challenge so we don't miss out.

Unfortunately, I can't be Mr. X any more now ;(.

Looking forward to be on the other side, though.

Maybe someone want to find my other profiles on Bitcointalk?

Yeah, and my heart stopped when I saw 85! I checked my logs (dynamic ip here) and the ones I got always start with 85.176 or 85.177. Started with 85.176 on saturday and sunday.

I didn't click through to your blog page. I'm not sure I even saw the post with the link? You deleted that? I think you could've got me that way, I actually didn't do any securing of my browser other then set the proxy and was naively assuming everything would be forced through the proxy (which is false as I now know thanks to you and others).

Thanks for your effort, anyway.

Are you willing to see that info revealed?

Maybe that 1 BTC someone wanted to chip in could be used as a bounty to find your puppets (or master).

It is not a problem for me. This will be fun! The same thing but in reverse! Have not decided about reward as I don't know how easy or difficult it will be to find my puppets. It should be extremely hard as I have taken every precaution for it.Tor Browser Bundle have plugins and java scripts neutralized. Alternatively you can create separate profile for permanent Firefox installation and install Torbutton and other add-ons that TBB have. Changing just proxy in Firefox to 127.0.0.1:9050 is very dangerous.

Same way I tried to find you, but didn't notice that particular spelling error. Nice work.

Concur. Even use the same domain name.

It's for sale to the highest bidder ;)

should I put it on bitmit.net?

It looks like you sent me the rest of the bounty.  I thank you again.

(oops, the following post was sitting in edit mode for a day, submitting now):

PMed with SANS-Exp, he didn't have anything that would earn him the bounty, so I sent the other 7 BTC to melman2002.

b067aca35f9cdc53df20889b5195a0b2dff19bb79f58b48a39f178c8a62b3989

Congrats again and thanks to you all for participating!

I'm looking forward to be part of the next challenge someone puts up ;)

Oh, and joe wrote from jail: he says he's now pretty poor and he regrets publishing that radical talk on his web-page.
He's holding up allright, though and he hopes his BTC 0.3 will be worth enough to allow him a fresh start by the time he gets out.

There's some other sites that test it. Search "browser footprint test" on google.

Basicly a variant of bayesian filter would have found joe also. Of course, you should be able to import all messages to it.

I would not be surpriced if someone already are using such tools.

what kind of variant of bayesian filter?

https://en.wikipedia.org/wiki/Bayesian_spam_filtering

I am offering a new challenge like this one. https://bitcointalk.org/index.php?topic=168317.0 (https://bitcointalk.org/index.php?topic=168317.0)

lol really?

nope. That was a "simulation". Had theymos done that in reality, the answer would've still been 188.165.73.235, though. Joe23 was giving a hint. He was pretty sure that hint wouldn't help people because it's the IP of the proxy he anonymously bought with bitcoin and only accessed through tor.

Awesome, we have someone doing the same thing: https://bitcointalk.org/index.php?topic=168317. 2.5 BTC reward.