Bitcoin Forum
Pages: « 1 2 [3] 4 5 6 7 »  All
Author Topic: [joe is dead] http://findmeifyoucan.eu  (Read 7046 times)
jasinlee
October 28, 2012, 03:54:54 AM
Last edit: October 28, 2012, 04:05:42 AM by jasinlee
#41

Good point, and the electrum server should be pretty safe. Things I have done to remain anon in the past: go to a cloud desktop site and download onto that desktop a copy of a VM. Most cloud sites only store the info for an hour or two, then overwrite it.

So you would be on your PC > Cloud Desktop > VM > VM > TOR.

If you have to post any pics, use a screenshot so you don't bleed metadata. Also, when typing information online, I would actively focus on what you are saying; you can analyze a person's way of speaking to relate it to other posts. Many people use the same phrases or references when talking about trivial subjects. Also, use separate anon services in case the gov got bold and seized servers; they would have to raid more than one place.

Edit: I failed to mention the obvious: use someone else's internet in case all else fails.

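On the "use a screenshot so you don't bleed metadata" point: the metadata in question lives in the JPEG's APP1 (EXIF, which can hold a GPS fix and the camera serial), APP13 (IPTC/Photoshop) and COM segments, and a screenshot normally has none of them. The following is an added example, not code from the post, that walks the JPEG marker structure, reports which metadata segments a file carries, and strips them. The sample bytes are constructed by hand to exercise the parser and are not a decodable picture; the editor name in the comment segment is hypothetical.

```python
"""Strip the metadata segments out of a JPEG before posting it.

Added example, not from the forum post. Drops every APP1..APP15 and COM
segment, keeps APP0 (JFIF) and everything from SOS onward. SAMPLE_JPEG is
hand-built to exercise the parser and is not a decodable picture.
"""
import struct

SOI, EOI, SOS, APP0, APP1, APP15, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xEF, 0xFE
METADATA_MARKERS = set(range(APP1, APP15 + 1)) | {COM}
NAMES = {0xE1: "APP1 (EXIF/XMP)", 0xE2: "APP2 (ICC)", 0xED: "APP13 (IPTC)", COM: "COM"}


def segments(data: bytes):
    """Yield (marker, payload) for each header segment through SOS, then
    (None, rest) for the entropy-coded scan data and EOI that follow."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        while data[i + 1] == 0xFF:      # fill bytes are allowed before a marker
            i += 1
        marker = data[i + 1]
        (length,) = struct.unpack(">H", data[i + 2:i + 4])  # length includes its own 2 bytes
        payload = data[i + 4:i + 2 + length]
        yield marker, payload
        i += 2 + length
        if marker == SOS:
            yield None, data[i:]        # scan data is not segmented; copy it verbatim
            return
    raise ValueError("truncated JPEG: no SOS segment")


def metadata_segments(data: bytes):
    """Names of the metadata-carrying segments present, in file order."""
    return [NAMES.get(m, f"APP{m - APP0}") for m, _ in segments(data)
            if m in METADATA_MARKERS]


def strip_metadata(data: bytes) -> bytes:
    out = bytearray([0xFF, SOI])
    for marker, payload in segments(data):
        if marker is None:
            out += payload                      # scan data and EOI, untouched
        elif marker in METADATA_MARKERS:
            continue                            # dropped: EXIF, XMP, ICC, IPTC, comments
        else:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, an EXIF stub (fake TIFF header standing in
# for camera/GPS tags), an editor comment, one quantisation table, then a scan
# containing a stuffed 0xFF00 byte pair.
SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"\x00\x00")
    + _seg(COM, b"Edited with HypotheticalEditor 1.0")
    + _seg(0xDB, bytes(65))
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"
    + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    print("before:", metadata_segments(SAMPLE_JPEG))
    print("after: ", metadata_segments(strip_metadata(SAMPLE_JPEG)))
```

Run `metadata_segments()` on a real photo before posting it; if the list is not empty, either post a screenshot as the poster suggests or pass the file through `strip_metadata()`. Dropping APP2 (the ICC profile) can shift colours slightly, but the profile also identifies the device or software that wrote it, so it goes too.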
Phinnaeus Gage
October 28, 2012, 04:10:35 AM
#42

Joe of Joe's Data Center in KC. The reason is obvious, coupled with Joe DC also joining in the summer. The address is 324 East 11th Street, hence you using Joe23.
jasinlee
October 28, 2012, 04:12:51 AM
#43

Joe of Joe's Data Center in KC. The reason is obvious, coupled with Joe DC also joining in the summer. The address is 324 East 11th Street, hence you using Joe23.

joesdc? That one? I thought that was a bit obvious and discarded it, lol.

Administrative Contact:
Morgan, Joe joe@moccp.com
Joe's Datacenter, LLC
324 E. 11th St
Suite 2625
Kansas City, Missouri 64106
United States
+1.8167267615

That's what I found on that one, but that was a 2-second search.

Nite69
October 28, 2012, 06:46:27 AM
#44

Some information dug up from findmeifyoucan.eu:
- The IP address matches the address theymos revealed (188.165.73.235), i.e. he is running the www site on the computer he is using. Or he is using a proxy. Using a proxy would make the following go wrong:

- A traceroute to that address gives a hint he might live in Frankfurt?
- http://www.iplocation.net/index.php says he lives in Dublin, Ireland. https://maps.google.com/maps?q=DUBLIN,,IE

Nite69
-----------------
xxx@xxxx:~$ dig findmeifyoucan.eu

; <<>> DiG 9.8.1-P1 <<>> findmeifyoucan.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20274
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 16

;; QUESTION SECTION:
;findmeifyoucan.eu.      IN   A

;; ANSWER SECTION:
findmeifyoucan.eu.   14241   IN   A   188.165.73.235

;; AUTHORITY SECTION:
findmeifyoucan.eu.   86240   IN   NS   ns1.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns2.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns3.domains4bitcoins.com.
findmeifyoucan.eu.   86240   IN   NS   ns4.domains4bitcoins.com.

;; ADDITIONAL SECTION:
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.173
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.174
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.229
ns1.domains4bitcoins.com. 28640   IN   A   50.23.136.230
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.96
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.97
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.44
ns2.domains4bitcoins.com. 28640   IN   A   50.23.75.45
ns3.domains4bitcoins.com. 28640   IN   A   67.15.47.188
ns3.domains4bitcoins.com. 28640   IN   A   67.15.47.189
ns3.domains4bitcoins.com. 28640   IN   A   67.15.253.219
ns3.domains4bitcoins.com. 28640   IN   A   67.15.253.220
ns4.domains4bitcoins.com. 28640   IN   A   184.173.150.58
ns4.domains4bitcoins.com. 28640   IN   A   184.173.149.221
ns4.domains4bitcoins.com. 28640   IN   A   184.173.149.222
ns4.domains4bitcoins.com. 28640   IN   A   184.173.150.57

;; Query time: 9 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 28 08:30:11 2012
;; MSG SIZE  rcvd: 399
-----------------
xxx@xxx:~$ whois findmeifyoucan.eu
---clicketiclick---
Registrant:
   NOT DISCLOSED!
   Visit www.eurid.eu for webbased whois.

Registrar Technical Contacts:
   Name:   Domain Manager
   Organisation:   PublicDomainRegistry.com
   Language:   en
   Phone:   +1.2013775952
   Fax:   +1.3202105146
   Email:   domain.manager@publicdomainregistry.com


Registrar:
   Name:    PDR Ltd.
   Website: www.publicdomainregistry.com
------------------
xxx@xxxx:~$ traceroute 188.165.73.235
traceroute to 188.165.73.235 (188.165.73.235), 30 hops max, 60 byte packets
----clicketiclick------

 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * ae-63-63.csw1.Frankfurt1.Level3.net (4.69.163.2)  45.509 ms ae-83-83.csw3.Frankfurt1.Level3.net (4.69.163.10)  51.131 ms
14  ae-2-70.edge5.Frankfurt1.Level3.net (4.69.154.73)  46.881 ms * *
15  * * *
16  * * *
17  vss-6a-6k.fr.eu (91.121.128.40)  62.731 ms  62.911 ms *
18  * * *
19  188.165.73.235 (188.165.73.235)  58.420 ms  58.759 ms  60.247 ms

-------------------------------

jasinlee
October 28, 2012, 06:49:18 AM
#45

Yeah, there was a name on there too somewhere; I ran across it, Olav or something. That's just the owner of the host though, I think, so kinda pointless.

Nite69
October 28, 2012, 07:00:35 AM
#46

- http://www.iplocation.net/index.php says he lives in Dublin, Ireland. https://maps.google.com/maps?q=DUBLIN,,IE

Amazon has a big datacenter in Dublin; I guess he (she?) is using a virtual computer in a cloud to access the net/keep the www server up?

Edit: The site is too new for the Wayback Machine:
http://wayback.archive.org/web/*/http://findmeifyoucan.eu

jasinlee
October 28, 2012, 07:11:10 AM
#47

- http://www.iplocation.net/index.php says he lives in Dublin, Ireland. https://maps.google.com/maps?q=DUBLIN,,IE

Amazon has a big datacenter in Dublin; I guess he (she?) is using a virtual computer in a cloud to access the net/keep the www server up?

Edit: The site is too new for the Wayback Machine:
http://wayback.archive.org/web/*/http://findmeifyoucan.eu

On the screenshot he posted he has the payment he made for it. So yeah.

Nite69
October 28, 2012, 07:16:47 AM
Last edit: October 28, 2012, 07:45:41 AM by Nite69
#48

One more trivial thing to do when hunting someone:
(note: this should be run from a non-consumer network connection; some of the ports are filtered by my ISP)
-----------------
xxx@xxx:~$ nmap -v -A 188.165.73.235

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-28 09:13 EET
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 09:13
Scanning 188.165.73.235 [2 ports]
Completed Ping Scan at 09:13, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:13
Completed Parallel DNS resolution of 1 host. at 09:13, 0.01s elapsed
Initiating Connect Scan at 09:13
Scanning 188.165.73.235 [1000 ports]
Discovered open port 80/tcp on 188.165.73.235
Discovered open port 22/tcp on 188.165.73.235
Increasing send delay for 188.165.73.235 from 0 to 5 due to 13 out of 43 dropped probes since last increase.
Completed Connect Scan at 09:13, 16.00s elapsed (1000 total ports)
Initiating Service scan at 09:13
Scanning 2 services on 188.165.73.235
Completed Service scan at 09:13, 6.12s elapsed (2 services on 1 host)
NSE: Script scanning 188.165.73.235.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:13
Completed NSE at 09:13, 0.85s elapsed
NSE: Script Scanning completed.
Nmap scan report for 188.165.73.235
Host is up (0.056s latency).
Not shown: 988 closed ports
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 c9:7b:57:ea:06:c1:57:e6:51:ea:d5:8a:1a:aa:96:59 (DSA)
|_2048 22:d5:a9:44:18:b2:82:42:ef:58:57:07:1b:5d:d5:dd (RSA)
25/tcp   filtered smtp
80/tcp   open     http            nginx 1.1.19
|_html-title: find me if you can
445/tcp  filtered microsoft-ds
1723/tcp filtered pptp
6666/tcp filtered irc
6667/tcp filtered irc
7000/tcp filtered afs3-fileserver
7070/tcp filtered realserver
8000/tcp filtered http-alt
8001/tcp filtered unknown
8002/tcp filtered teradataordbms
Service Info: OS: Linux

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.21 seconds

----
Oh, I was a bit careless..
xxx@xxxx:~$ 188.165.73.235
-----------

Nite69
October 28, 2012, 08:19:52 AM
#49

Amazon has a big datacenter in Dublin; I guess he (she?) is using a virtual computer in a cloud to access the net/keep the www server up?


Or, more likely, Ovh:
http://www.plotip.com/ip/188.165.73

https://www.ovh.co.uk/dedicated_servers/


But that does not lead us to him... unless we have an insider in ovh ;-)

deepceleron
October 28, 2012, 09:29:15 AM
#50

All I need is a French-speaking lawyer?

Dear OVH France; Dear Patrick Strateman;

On or about 22:26 October 27 2012, my organization was slandered by a user connecting through IP address 188.165.73.235.
Please see the attached slander lawsuit and notice of pre-litigation subpoena for tortious activity demanding identification of and corroborating connections for any and all IP connections on or about this time originating from and connecting through the "Bitcoin Virtual Private Server" service momentovps.com corresponding with this access through your services.

joe23 (OP)
October 28, 2012, 11:39:46 AM
#51

Hey guys,

just got up (hint, hint). yawn.

You seem to have found some info on the VPS even I didn't know (couldn't care less where it's located).

I think the basic concept is pretty sound: I'm using that VPS for everything: to host the page and as a proxy. I only ever connected to it via tor (hopefully). So when the VPS is compromised, I should still be secure.

Things I've learned from you guys (and own thoughts) so far:

  • reevaluate use of lastpass, it's a risk; lastpass inc. could be subpoenaed or whatever into slipping me custom code, or there already is a backdoor of sorts that could leak info, who knows
  • isolate joe on the client system better (currently all I do is use a separate user) and make sure the client can only connect through tor, maybe at the router or something. There's currently the chance that I might accidentally connect through the parent network and reveal my IP to the VPS. Maybe use a virtual machine. Protect it (or /home/joe at least) locally so your visitors or the people you live with don't accidentally find joe. Always unmount /home/joe and shut down the virtual machine when leaving the machine physically. Maybe put /home/joe or even a whole system on a USB stick, or use an old laptop for joe so he's portable (some secure distro; suggestions?)
  • Watch your language, always be very conscious who you are, don't post drunk, avoid using phrases/language the real me notoriously uses,...
  • What MysteryMiner said: "The problem of staying hidden is not in the short term. In long run you get comfortable, relax on security, reuse the same address or e-mail or whatever [...]"

I'm upping the bounty to BTC 14 for now. I might lower it again at some point when I intentionally leak more info that'd make it easier.

AndrewBUD
October 28, 2012, 01:56:25 PM
#52

AndrewBUD.

I analyse your England. Derp.

BTC goes here 1H8uBfk6bw8kj3CWurjct5KHKe6NY3HAp4
Thanks.

Nope... not me.. Nice to see my name mentioned though...


I could care less if you guys know who I am IRL...............


OpenYourEyes
October 28, 2012, 01:56:47 PM
#53

Long and scattered post but here's my 2c.

How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

In either case, you need to watch out for DNS leaks. By default, SSH & Firefox (and most applications) will not do DNS lookups through a proxy.

So, if you browse to google.com, your web traffic will be encrypted and tunnelled as you expect, but the DNS request (i.e. what is the IP of google) will come from your home internet connection. In Firefox (don't know if it affects other browsers), this 'bug' is easily rectified. Go to about:config and set remote.dns to true.
If you connect to your server by running SSH over TOR then never specify the hostname (i.e. ssh findmeifyoucan.eu, or any other domain), as this, again, will force a non-tunnelled DNS lookup. Always use the IP.

A few other things:
  • Watch out for any information you leave on the server through log files, etc. (Does a: grep xx.xx.xx.xx /var/log/* -R, where xx is your real IP, come up with anything?)
  • Install some sort of IDS on your server to monitor for new installations/modifications. If this gets compromised then so are you (regardless of whether you connect over TOR). What's to stop the hacker from spoofing the DNS record for tormail, SR, etc. and sending you to another server?
  • Take a look through your .bash_history; it will show all the commands you've executed: things you've done, files you've modified, etc., which could aid an attacker if they gain access. Disable it in your .bashrc or just ln -s /dev/null ~/.bash_history
  • Why are you tunnelling all your traffic from your server? As you said yourself, all your traffic originates from one IP address. Even if nobody knows the true identity of the person behind this IP, you're leaving an easy trail for people to follow. One lapse in your security which reveals who owns this IP, and everything can then be linked back to you.
    Why not run TOR on your home machine, tunnel your traffic over SSH to the server, and then run TOR on the server as well? Everything going in and out of the server is going through TOR, then if there is a break in the chain, you'll be protected by your server's IP.

Blazr
October 28, 2012, 02:02:37 PM
Last edit: October 28, 2012, 02:37:29 PM by Blazr
#54

What's to stop the hacker from spoofing the DNS record for tormail, SR, etc. and sending you to another server?

This is exactly what I was going to do if he gave us (or I managed to get) access to his server. He's using Linux so this doesn't apply, but some commonly installed Windows applications check for updates without forcing the use of https. It isn't too hard to trick the software into running your own "update" which would give you pretty much unrestricted access to do whatever you like on the victims machine.

Nite69
October 28, 2012, 03:12:37 PM
#55

How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

He only needs one ssh connection to the server and then uses the remote just as a standalone PC to do all Joe's jobs. The only connection from his own computer to anything which has anything to do with Joe is that single ssh connection to that server through tor. And after what you told, it is most likely made directly with the IP address.

I.e. rent a server in a cloud, install Linux and X2Go or FreeNX or whatever, then never do anything as Joe anywhere else but by using that computer in the cloud.


But he has to pay for DNS and the server. Can these payments be tracked?

Blazr
October 28, 2012, 03:18:18 PM
#56

But he has to pay for DNS and the server. Can these payments be tracked?

He paid for the VPS using BTC.

Nite69
October 28, 2012, 03:25:45 PM
#57

Hey guys,

just got up (hint, hint). yawn.



This obvious hint is either intentionally misleading or correct information, but it indicates a timezone somewhere near UTC. Well, it's the weekend, so it might also be more to the east ;-)

Anyway, Europe, not US. If we can trust that.

These posting times could lead to something. He cannot post two posts at the same time (well, could, but most likely not). But Joe and the actual person are, for example, awake at the same time. Would need some statistics.

joe23 (OP)
October 28, 2012, 04:24:58 PM
#58

thanks, OpenYourEyes for chipping in. That's some valuable info.

Let me answer some of your questions:

Long and scattered post but here's my 2c.

How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

I use


  #> ssh -D 0.0.0.0:55555 joe23@188.165.73.235 -o ProxyCommand="~/bin/connect -4 -S localhost:9050 %h %p"


to ssh to the VPS and at the same time setup the proxy, which I connect to using


  #> chromium-browser --proxy-server="socks5://localhost:55555"


I only use Chrome through that VPS proxy for bitcointalk. All other browsing activity I do with Firefox through tor (using localhost:9050 as proxy).

Very good point about the DNS leaks! Officials could probably eavesdrop on the DNS server and identify my IP through timing, right?

Would my idea of ensuring at my home router that the box can only go out through tor (drop all other packets; is that even possible?) help against such "accidental" leaking? Any ideas on how to protect against such accidents in a fool-proof way?

In either case, you need to watch out for DNS leaks. By default, SSH & Firefox (and most applications) will not do DNS lookups through a proxy.

So, if you browse to google.com, your web traffic will be encrypted and tunnelled as you expect, but the DNS request (i.e. what is the IP of google) will come from your home internet connection. In Firefox (don't know if it affects other browsers), this 'bug' is easily rectified. Go to about:config and set remote.dns to true.
If you connect to your server by running SSH over TOR then never specify the hostname (i.e. ssh findmeifyoucan.eu, or any other domain), as this, again, will force a non-tunnelled DNS lookup. Always use the IP.

A few other things:
  • Watch out for any information you leave on the server through log files, etc. (Does a: grep xx.xx.xx.xx /var/log/* -R, where xx is your real IP, come up with anything?)

I sure as hell won't enter my real IP in the VPS shell at any time. You sneaky guys might have compromised the machine already and are likely keylogging. I might look through the logs manually, though.

  • Install some sort of IDS on your server to monitor for new installations/modifications. If this gets compromised then so are you (regardless of whether you connect over TOR). What's to stop the hacker from spoofing the DNS record for tormail, SR, etc. and sending you to another server?

I use onion url http://jhiwjjlqpyawmpjx.onion to access tormail using firefox. As said before, I only use the VPS as proxy for bitcointalk.org because they disallow tor.

  • Take a look through your .bash_history; it will show all the commands you've executed: things you've done, files you've modified, etc., which could aid an attacker if they gain access. Disable it in your .bashrc or just ln -s /dev/null ~/.bash_history
  • Why are you tunnelling all your traffic from your server? As you said yourself, all your traffic originates from one IP address.

I might've said that wrong before. I don't tunnel all traffic through the VPS, just when I need to access sites that don't allow tor connections. Sorry about that misinformation, it was not intentional. I will not try to mislead you guys, at least not at this point, only when you're getting close.

  • Even if nobody knows the true identity of the person behind this IP, you're leaving an easy trail for people to follow. One lapse in your security which reveals who owns this IP, and everything can then be linked back to you.
    Why not run TOR on your home machine, tunnel your traffic over SSH to the server, and then run TOR on the server as well? Everything going in and out of the server is going through TOR, then if there is a break in the chain, you'll be protected by your server's IP.

Problem is I need a non-tor exit point somewhere for bitcointalk.org. Any other ideas on how to post to bitcointalk?

OpenYourEyes, I'd like to reward your effort if you give me an address, I will.
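The DNS-leak point OpenYourEyes raised in #53 and the `ssh -D` plus `--proxy-server="socks5://localhost:55555"` setup joe23 describes above come down to one byte in the SOCKS5 request (RFC 1928): whether the client sends the proxy a hostname (ATYP 0x03, resolved at the far end of the tunnel) or an IP it has already resolved itself (ATYP 0x01/0x04, so the DNS query went out over the home connection). `ssh -D` forwards whatever the client hands it, so the behaviour is the client's. The following is an added example, not code from the thread, that encodes both kinds of request and decodes a captured one so you can check what a browser actually sends to the loopback SOCKS port rather than trust its defaults. The hostnames and ports are only illustrative.

```python
"""SOCKS5 CONNECT requests with and without remote DNS (RFC 1928).

Added example, not code from the thread. connect_request() builds the
request a client sends after method negotiation; parse_connect_request()
decodes a captured one and flags targets the client resolved locally.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def connect_request(host: str, port: int, remote_dns: bool = True) -> bytes:
    """Encode a SOCKS5 CONNECT request for host:port.

    remote_dns=True  -> a hostname goes to the proxy verbatim (ATYP 0x03) and
                        is resolved on the proxy's side of the tunnel.
    remote_dns=False -> the client resolves first and sends the IP; that
                        gethostbyname() is a cleartext UDP/53 query from the
                        local resolver, i.e. the leak.
    """
    try:
        ip = ipaddress.ip_address(host)      # caller passed an IP literal
    except ValueError:
        ip = None
    if ip is None and not remote_dns:
        ip = ipaddress.ip_address(socket.gethostbyname(host))  # local lookup: leaks
    if ip is None:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        addr = bytes([ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a captured CONNECT request.

    resolved_locally is True when the client sent an IP literal; for a site
    the user reached by name, that means the lookup happened outside the
    tunnel.
    """
    if len(data) < 8 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        target, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV4:
        target, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        target, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    if len(rest) != 2:
        raise ValueError("trailing bytes or truncated port")
    (port,) = struct.unpack("!H", rest)
    return {"target": target, "port": port, "resolved_locally": atyp != ATYP_DOMAIN}


if __name__ == "__main__":
    good = connect_request("bitcointalk.org", 443)
    print(good.hex(), parse_connect_request(good))
    # An IP literal, as a client with local resolution would send it (no
    # network needed here because the IP is given directly).
    leak = connect_request("188.165.73.235", 22)
    print(leak.hex(), parse_connect_request(leak))
```

Capture the loopback SOCKS port while browsing by name and run the captured request bytes through `parse_connect_request()`; any `resolved_locally: True` entry for a site you typed as a hostname is a leak. For the record, the Firefox preference that switches it to hostname mode is `network.proxy.socks_remote_dns` (set to true), and curl needs a `socks5h://` rather than `socks5://` proxy URL; in both cases the check above is how to confirm the setting took effect.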
joe23 (OP)
October 28, 2012, 04:32:41 PM
#59

These posting times could lead to something. He cannot post two posts at the same time (well,could, but most likely not). But Joe and the actual person are, for example, awake at the same time. Would need some statistics.

I think this could be a viable attack.

It would involve some serious page-scraping of bitcointalk. Assuming you guys do that and then have the posting times of all bitcointalk users, you could compute a likelihood of each user being "real me" using various heuristics. Especially over a long period of time, combined with my roughly known timezone info and maybe some manual language analysis in the end, this could potentially boil it down to maybe a handful of users that would then be suspects.

I would consider that to be a pretty dangerous development for my anonymity.
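The attack Nite69 sketched in #57 and joe23 accepts above needs two things from scraped post times: a hard exclusion (the persona and the real account cannot be typing two posts at the same moment) and a soft ranking (the persona's hour-of-day activity profile should resemble the real account's). The following is an added example, not from the thread, that implements both on constructed timestamps; the account names and posting times are hypothetical, and the collision window and cosine similarity are choices made here, not something the posters specified.

```python
"""Posting-time correlation between a persona and candidate accounts.

Added example, not from the thread. Signal 1: an account that posts
within a few seconds of the persona is not the same person (one
keyboard). Signal 2: among the rest, rank by how closely the UTC
hour-of-day profiles match. Timestamps are constructed.
"""
import bisect
import math
from collections import Counter
from datetime import datetime, timedelta


def hour_profile(times):
    """Fraction of posts falling in each UTC hour, as a 24-vector."""
    counts = Counter(t.hour for t in times)
    total = sum(counts.values())
    return [counts[h] / total for h in range(24)] if total else [0.0] * 24


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def collisions(persona, other, window_s=60):
    """Count persona posts that have an `other` post within window_s seconds."""
    other = sorted(other)
    hits = 0
    for t in persona:
        i = bisect.bisect_left(other, t)
        neighbours = [other[j] for j in (i - 1, i) if 0 <= j < len(other)]
        if any(abs((u - t).total_seconds()) <= window_s for u in neighbours):
            hits += 1
    return hits


def score_candidates(persona, candidates, window_s=60):
    """Per-account hour-profile similarity and collision count."""
    p = hour_profile(persona)
    scores = {}
    for name, times in candidates.items():
        c = collisions(persona, times, window_s)
        scores[name] = {
            "similarity": cosine(p, hour_profile(times)),
            "collisions": c,
            "excluded": c > 0,          # one collision is enough to rule out
        }
    return scores


def rank_candidates(scores):
    """Accounts that survive the collision filter, most similar first."""
    live = [n for n, s in scores.items() if not s["excluded"]]
    return sorted(live, key=lambda n: scores[n]["similarity"], reverse=True)


# Constructed data: three days of posts, hours in UTC, names hypothetical.
_BASE = datetime(2012, 10, 27)


def _posts(hours, minute=0, shift_s=0):
    return [_BASE + timedelta(days=d, hours=h, minutes=minute, seconds=shift_s)
            for d in range(3) for h in hours]


PERSONA = _posts([9, 11, 13, 16])
CANDIDATES = {
    "alice": _posts([9, 10, 13, 16, 18], minute=30),  # same waking hours, never overlaps
    "bob": _posts([9, 11, 13, 16], shift_s=20),       # 20 s after every persona post
    "carol": _posts([1, 3, 5, 22]),                   # a different timezone entirely
}

if __name__ == "__main__":
    scores = score_candidates(PERSONA, CANDIDATES)
    for name in rank_candidates(scores):
        print(name, scores[name])
```

With real data the profiles come from months of posts, not three days, and a shared waking window only narrows the pool to a timezone's worth of users; the collision filter is the part that actually removes candidates, and its window has to be wider than the few seconds a forum takes to accept a post. Posting while a scheduled post goes out under the other name is the obvious countermeasure, and the opposite trick (never posting as both within the same hour) is what makes a persona and its owner look like one pattern.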
jasinlee
October 28, 2012, 04:34:08 PM
#60

I thought you were dailyanarchist for a while, but couldn't find anything connecting it to your profile.
