theymos
Administrator
Legendary
 Offline
Activity: 5194
Merit: 12972
|
 |
October 28, 2012, 10:28:38 PM |
|
How can you possibly embed such code in a forum post?
It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology. |
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
|
|
|
|
|
|
|
"You Asked For Change, We Gave You Coins" -- casascius
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
October 28, 2012, 10:32:08 PM |
|
How can you possibly embed such code in a forum post?
It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology. eh, after all theymos has sense of humour. lol |
|
|
|
|
|
OpenYourEyes
|
|
October 28, 2012, 10:37:26 PM |
|
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software? One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box! As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it. |
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
October 28, 2012, 10:44:08 PM |
|
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software? One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box! As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it. If you wanted to catch only joe's IP you should've sent him a PM and not post in in this thread. BTW, joe is gweedo. Why? Because gweedo can't stand BitcoinINV lol |
|
|
|
|
|
OpenYourEyes
|
|
October 28, 2012, 10:50:39 PM |
|
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software? One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box! As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it. If you wanted to catch only joe's IP you should've sent him a PM and not post in in this thread. BTW, joe is gweedo. Why? Because gweedo can't stand BitcoinINV lol I thought of that, but if I was in his shoes I would have find it quite suspicious of being asked to click a link, especially with a strange free hosting domain name, but hey, I'm paranoid by nature. |
|
|
|
|
fergalish
|
|
October 28, 2012, 10:51:07 PM |
|
How can you possibly embed such code in a forum post?
It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology. Ah, I had looked at the "previous post", but there was no image. I guess he edited the post to remove the image so. Guess I'd better not take up a hacking career - I'd not get very far. Even took me a couple of minutes to figure out 1337est.  But wait, OpenYourEyes said he was using a flash beacon to catch the IPs. I found this which shows how to embed flash code into a forum post, and the first reply says "allowing users to embed flash is a security risk". So... what gives? OpenYourEyes can't have just used a regular image because that would have gone over joe23's TOR connection - he specifically tried flash which often ignores proxy settings. |
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
October 28, 2012, 10:55:13 PM |
|
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software? One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box! As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it. If you wanted to catch only joe's IP you should've sent him a PM and not post in in this thread. BTW, joe is gweedo. Why? Because gweedo can't stand BitcoinINV lol I thought of that, but if I was in his shoes I would have find it quite suspicious of being asked to click a link, especially with a strange free hosting domain name, but hey, I'm paranoid by nature. No need to click any link. You just embed it as an image on the PM just like you did in the thread reply. PM's can also use bbcode. As soon as he opened the Messages page, which has your latest 20 or so messages showing, it would call your script and you'd have the data you wanted, but without all the garbage  |
|
|
|
|
|
OpenYourEyes
|
|
October 28, 2012, 10:57:55 PM |
|
How can you possibly embed such code in a forum post?
It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology. Ah, I had looked at the "previous post", but there was no image. I guess he edited the post to remove the image so. Guess I'd better not take up a hacking career - I'd not get very far. Even took me a couple of minutes to figure out 1337est. But wait, OpenYourEyes said he was using a flash beacon to catch the IPs. I found this which shows how to embed flash code into a forum post, and the first reply says "allowing users to embed flash is a security risk". So... what gives? OpenYourEyes can't have just used a regular image because that would have gone over joe23's TOR connection - he specifically tried flash which often ignores proxy settings. You're right, you can't embed flash on here. I just posted an image, but I had also posted a link to a website which had the Flash video embedded. I have no idea any more as to whether Flash abides proxy settings, it never used to, but some are saying other wise now, plus my test failed so I'd be inclined to agree. No need to click any link. You just embed it as an image on the PM just like you did in the thread reply. PM's can also use bbcode.
As soon as he opened the Messages page, which has your latest 20 or so messages showing, it would call your script and you'd have the data you wanted, but without all the garbage True, but I don't have the ability to run PHP/JS/Flash code on here, hence why I had to ship him off to a point I control.  |
|
|
|
|
fergalish
|
|
October 28, 2012, 11:05:53 PM |
|
You're right, you can't embed flash on here. I just posted an image, but I had also posted a link to a website which had the Flash video embedded. I have no idea any more as to whether Flash abides proxy settings, it never used to, but some are saying other wise now, plus my test failed so I'd be inclined to agree. True, but I don't have the ability to run PHP/JS/Flash code on here, hence why I had to ship him off to a point I control. I feel less stupid now. The internets haven't suddenly changed the rules after all.  |
|
|
|
|
juggalodarkclow
Legendary
Offline
Activity: 980
Merit: 1000
|
|
October 29, 2012, 12:39:50 AM |
|
I bet it's Nefario making sure he can't be traced, and then if someone figures it out he'll cry and say he can't pay back GLBSE accounts until he gets the 14BTC back lol
|
|
|
|
deepceleron
Legendary
Offline
Activity: 1512
Merit: 1028
|
|
October 29, 2012, 01:37:57 AM
Last edit: October 29, 2012, 02:39:17 AM by deepceleron |
|
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software? One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box! If you browse here, you're not that anonymous (unless you turn off images, or connect so that your IP address being logged doesn't matter). Here's a web bug:  (it can be a blank image too) Here's where you can see email notifications of everybody that viewed the image, along with their IP address, reverse domain name, and browser user agent: http://spypig.mailinator.com/Update: spypig.com only sends information about the first five views, so the fun was over pretty quick. I'll leave this here to freak you out instead:  |
|
|
|
|
|
jasinlee
|
|
October 29, 2012, 01:55:37 AM |
|
Lol thats pretty funny they use a pig lmao  |
|
|
|
|
MelMan2002
|
|
October 29, 2012, 03:22:15 AM |
|
Hey fellow bitcoiners, I am really a registered user in this forum since at least summer 2012. I set up this secondary, hopefully anonymous identity to give away some free bitcoins by ways of a challenge: challenge:I hereby challenge you to find the real me!I set up a site on the net: http://findmeifyoucan.euI hereby promise to pay BTC 14 to anyone who provides one of the following pieces of information identifying the operator of findmeifyoucan.eu or (which is the same) the author of this post: - forum account id of 'real me'
- my real name and (address or phone number or date of birth)
- any IP-address that could be traced to my real identity by authorities
rules:- Rules are to be interpreted by me, in case of dispute, I am right, you are wrong
- you must post here one of the above infos and a bitcoin address to which the bounty should be sent
- you must provide a credible story of how you obtained the info
- a 'hunch' is not enough, no guessing
- I can change these rules at any time and will do so in OP (Original Post, the one you're reading)
- the state of the OP at the time of claim is decisive for the rules, so please quote OP when claiming bounty
notes: - I'll give away small amounts of bitcoin to people pointing out flaws/mistakes/possible improvements regarding my anonymity
- speculation in this thread is encouraged
additional info leaked: - theymous publishes the IP I use to access bitcointalk: 188.165.73.235
- theymos publishes PM in which I ask MysteryMiner wether he was one of the german guys wearing masks at the Conference in London.
- it is discovered that joe uses lastpass
- "real me"s timezone has leaked: "it indicates timezone somewhere near UTC."
rewards payed for valuable feedback to:- MysteryMiner
- Jasinlee
- Openyoureyes
feel free to ask any questions... I might be happy to answer... or not. you wouldn't have found anything about the "initial funding transaction", I think. I "cleaned" the funds using silkraod, that 10 BTC "initial load" is a silkroad withdrawl.
You are molecular. He is the only one who mistypes "silkraod" like that. 1FV1BnSMYKDiqYtBtxZEhiT5TKg4TcDAKq |
19F6veduCZcudwXuWoVosjmzziQz4EhBPS
|
|
|
|
Nite69
|
|
October 29, 2012, 06:09:37 AM |
|
Is your IP at all 24.143.xx.xx or 217.114.xx.xx (xx'd for privacy), or are you Smoothie, or someguy123. (Took a few stabs there).
I'm in the process of doing an explanation for my results.
My original intention was to try and use Flash to log your true IP:
Plugins such as Adobe Flash don't normally respect your browsers proxy settings (this must have changed recently, or I went about it the wrong way because it didn't work).
Good idea is to use NoScript and Flashblock on by default (firefox). Did you find my ip: 82.128.xxx.xx? However, I have enabled javascript in bitocointalk. |
Sync: ShiSKnx4W6zrp69YEFQyWk5TkpnfKLA8wx
Bitcoin: 17gNvfoD2FDqTfESUxNEmTukGbGVAiJhXp
Litecoin: LhbDew4s9wbV8xeNkrdFcLK5u78APSGLrR
AuroraCoin: AXVoGgYtSVkPv96JLL7CiwcyVvPxXHXRK9
|
|
|
joe23 (OP)
Newbie
Offline
Activity: 14
Merit: 1
|
|
October 29, 2012, 06:36:58 AM |
|
So if you ask him and he's ok with it, I will give him my consent to publish anything he has on me in this thread.
joe23@tormail.org188.165.73.235 Ignores BitcoinINV thanks, theymos. |
|
|
|
|
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
|
|
October 29, 2012, 06:49:06 AM
Last edit: October 29, 2012, 07:08:52 AM by molecular |
|
you wouldn't have found anything about the "initial funding transaction", I think. I "cleaned" the funds using silkraod, that 10 BTC "initial load" is a silkroad withdrawl.
You are molecular. He is the only one who mistypes "silkraod" like that. 1FV1BnSMYKDiqYtBtxZEhiT5TKg4TcDAKq holy FUCK!  We have a winner. Really, this is not how I thought it would end. Melman2002 found me. One could argue it was a guess, but I think it was according to the rules (credible story and he wasn't stabbing around a lot). Why did I only give 7 BTC so far? Because I would really like to know the flaw Sans-EXP caught me overlooking . What do you guys think. All 14 BTC to MelMan2002? MelMan2002, would you be ok with splitting the bounty with Sans-EXP if he presents the info on how he caught me? I must say, you guys are fucking awesome!EDIT: a fucking typing quirk of mine got me, I really can't get over it! EDIT2: domain for sale: findmeifyoucan.eu EDIT3: too bad I can't ever do this again, it's been so much fun! |
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
joe23 (OP)
Newbie
Offline
Activity: 14
Merit: 1
|
|
October 29, 2012, 07:13:56 AM |
|
Is your IP at all 24.143.xx.xx or 217.114.xx.xx (xx'd for privacy), or are you Smoothie, or someguy123. (Took a few stabs there).
I'm in the process of doing an explanation for my results.
My original intention was to try and use Flash to log your true IP:
Plugins such as Adobe Flash don't normally respect your browsers proxy settings (this must have changed recently, or I went about it the wrong way because it didn't work).
My post above contained a tracking beacon which was logging IPs & useragents; the link in
This could well have worked, I didn't protect against that. I'm not sure how you embedded flash, can you explain? just <img>blah.swf</img> or what? Do you see 85.17x.xxx.xxx in your logs? |
|
|
|
|
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
|
|
October 29, 2012, 07:42:58 AM |
|
It really is quite amazing:  I really am the only one who mistypes sr like that. |
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
|
fergalish
|
|
October 29, 2012, 09:54:33 AM |
|
I'll leave this here to freak you out instead: I suppose this is a dynamic image. The server grabs your IP address, writes the text into an image and serves that image. Still wouldn't get you a TOR user's real IP address. The thing that freaked me out was that I misunderstood OpenYourEyes' post to mean he could embed arbitrary flash or java code into a simple HTML forum post AND make it execute on the victim's computer automatically and so, through these systems' bypassing of proxy settings, learn joe23's real IP. This would be a very serious security flaw, I expect. Can anyone suggest a web page where the privacy of your web browser is tested? Like one that tries java, js, flash, html, php, other bug exploits to track an IP, even behind tor? I know panopticlick from the EFF. Anything else? |
|
|
|
|
|
fergalish
|
|
October 29, 2012, 10:04:32 AM |
|
I triedthe panopticlick service with a few browsers:
1. standard firefox profile, with tor proxy set (as OP did for this thread [with chrome])
2. torbrowser bundle
3. torified w3m
Results are:
1. unique browser fingerprint (in over 2.5million tested!)
2. 1 in 4400 browsers have the same fingerprint
3. 1 in 500000 browsers have the same fingerprint
So - like I suggested earlier - don't use w3m as an anonymous browser!
edit: just in case it's not clear - torbrowser bundle is the best of the bunch. Can anyone get better?
|
|
|
|
|
|
