This page is anonymous (voidnull.sdf.org)
450 points by voidnull on May 1, 2013 | 243 comments

Looks like the HN account is working again.

There have been a couple of quick updates I posted on the linked page. First, SDF does accept Bitcoin for validation.

Second, SMJ is personally upping the prize to $100. See the link for details.

I am very happy with the result of this stunt. So far this page has gotten over 100,000 which works nicely towards the goal of driving more users towards Tor and SDF.

To give some context, I did this as a publicity stunt for SDF and the Tor project. I have no affiliation with either of these, other than being a grateful user. SDF especially can always use more money and users. As opposed to pastebin, SDF lets you have an email account, message other SDF users, use IRC, etc.

As for the $10 reward, yes it is small, but the point is to see whether people can breach any of security, not to offer lots of cash (which I don't have anyway).

Just in case someone finds $10 too little, I will add 1 bitcoin to the pot for anyone who finds the identity.

Of course the details are a bit tricky. I will accept voidnull's judgement as to whether the reward is due (which begs the question of which identity is voidnull in a philosophically interesting way). Also voidnull could claim this reward, but then I would have unmasked her by simply buying her off (a perfectly valid offensive security technique).

And now this is a test of how secure HN is as well.

No, because it's a new account only associated with this thing. Granted, access logs on HN could be used to crack the problem, but getting to those is non-trivial.

I'm guessing he is using HN over tor, as well.

Looking out for HN users (other than voidnull) that write about Internet privacy a lot will give some candidates.

I'm not sure about that. I mean, he can register with HN with just about any anonymous e-mail address, no money needs to change hands so as far as I can tell it's perfectly anonymous.

HN doesn't require an email at signup. You only need to give one if you want password recovery to work.

Of course we have no way of telling that the voidnull website is by the same person as the voidnull HN account used to start this thread. That's one problem with being anonymous: anyone can impersonate you. I can't think of any way to have a 'verified' account which is also anonymous.

PGP signed messages.

A challenge based on public key crypto: the user has a known public key and can sign a specified message with his private key to prove he owns that public key while remaining anonymous.

This also allows for password recovery in the opposite direction: the site can publish passwords signed with users' public keys and then users can decrypt their own using their private keys.
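The signed-challenge idea from the comments above, as an added example (not code from this thread, HN or SDF): a site proves that whoever is posting controls the key published under a handle, without learning who that is. It uses Ed25519 from Go's standard library in place of PGP; the site name `news.example`, the `Challenge` layout and all function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is what a verifier (a forum, say) asks the pseudonym to sign.
type Challenge struct {
	Verifier string    // who is asking: a signature is useless at any other site
	Handle   string    // pseudonym being claimed
	Nonce    string    // random and single use: a captured answer cannot be replayed
	Expires  time.Time // short validity window
}

// bytes is the exact message that gets signed; %q keeps the fields unambiguous.
func (c Challenge) bytes() []byte {
	return []byte(fmt.Sprintf("pseudonym-proof-v1|%q|%q|%q|%d",
		c.Verifier, c.Handle, c.Nonce, c.Expires.Unix()))
}

var (
	ErrUnknownChallenge = errors.New("challenge not issued here or already used")
	ErrExpired          = errors.New("challenge expired")
	ErrBadSignature     = errors.New("signature does not match the published key")
)

// Verifier knows only handle -> published public key, never who holds the key.
type Verifier struct {
	Name    string
	keys    map[string]ed25519.PublicKey
	pending map[string]Challenge // outstanding challenges, by nonce
}

func NewVerifier(name string, keys map[string]ed25519.PublicKey) *Verifier {
	return &Verifier{Name: name, keys: keys, pending: map[string]Challenge{}}
}

// Issue creates a fresh challenge for the claimed handle.
func (v *Verifier) Issue(handle string, now time.Time) (Challenge, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Challenge{}, err
	}
	c := Challenge{v.Name, handle, hex.EncodeToString(raw), now.Add(5 * time.Minute)}
	v.pending[c.Nonce] = c
	return c, nil
}

// Check consumes the nonce, then checks expiry and signature.
func (v *Verifier) Check(nonce string, sig []byte, now time.Time) error {
	c, ok := v.pending[nonce]
	if !ok {
		return ErrUnknownChallenge
	}
	delete(v.pending, nonce) // one attempt per challenge, pass or fail
	if now.After(c.Expires) {
		return ErrExpired
	}
	pub, ok := v.keys[c.Handle]
	if !ok || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, c.bytes(), sig) {
		return ErrBadSignature
	}
	return nil
}

// Respond is the key holder's side: sign only a challenge for the expected context.
func Respond(priv ed25519.PrivateKey, c Challenge, verifier, handle string) ([]byte, error) {
	if c.Verifier != verifier || c.Handle != handle {
		return nil, errors.New("refusing to sign: challenge names another site or handle")
	}
	return ed25519.Sign(priv, c.bytes()), nil
}

// Demo returns the outcome of: key holder, replayed answer, impostor key, late answer.
func Demo() [4]error {
	now := time.Unix(1367366400, 0) // constructed clock value
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // someone else's key
	site := NewVerifier("news.example", map[string]ed25519.PublicKey{"voidnull": pub})
	try := func(key ed25519.PrivateKey, delay time.Duration) (Challenge, []byte, error) {
		c, _ := site.Issue("voidnull", now)
		sig, _ := Respond(key, c, "news.example", "voidnull")
		return c, sig, site.Check(c.Nonce, sig, now.Add(delay))
	}
	var out [4]error
	c, sig, err := try(priv, time.Minute)
	out[0] = err
	out[1] = site.Check(c.Nonce, sig, now.Add(2*time.Minute)) // same answer again
	_, _, out[2] = try(otherPriv, time.Minute)
	_, _, out[3] = try(priv, 10*time.Minute)
	return out
}

func main() { fmt.Println(Demo()) }
```

The proof only links a post to a key: it is as trustworthy as the channel over which the public key was first published, and every signature made with that key is linkable to the same pseudonym.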

If I open a paid Wordpress.com account using my real e-mail address and a credit card registered to my home, and post a $10 reward for revealing my identity, the fact that I strongly doubt anyone will claim the reward is not proof of Wordpress.com's perfect safeguarding of my identity, just that their systems are secure enough to not be trivially hackable and that nobody cared enough to find a way to obtain a court order to compel WP.com to hand over my info.

He'd probably even send $10 to SDF if they could find him. It would be somewhat more trivial for a Wordpress employee if the site was at voidnull.wordpress.com.

The difference seems to be that he doesn't want to have to trust anybody, whereas you'd be happy trusting organizations such as Wordpress and the US legal system.

Actually, I think mseebach's point was the opposite: that this challenge, even if nobody claims the prize, does not prove that tor + sdf-shell-paid-by-mail is secure against leaking your identity.

Oh, I see. Yeah, I think you're right. Actually, the $10 cash prize matches Bruce Schneier's Security Snake Oil Warning Sign #9: Cracking contests.


Well then if you want you can say that Keccak/SHA-3 matches snake oil in the same way. They were giving away chocolates for crypto results!

voidnull is trying to prove that SDF is NOT a perfect safeguard.

I don't think he's trying to prove anything, just providing a fun game of wit and a challenge. He will surely be delighted if he gets a postcard.

It also helps SDF to know about possible vulnerabilities. And, there's also the stated reason: to get Tor and SDF some publicity.

There's no proof here, maybe just an experiment. To see if SDF is truly secure or can he still be tracked. I would wager as long as he doesn't use that handle anywhere else he is safe.

I have no intention of trying to find out voidnull, but here are some thoughts on what we know:

1. We have a little bit of text we can be reasonably sure voidnull wrote -- some sort of text-likeness algorithm might be able to give us some candidates -- pointed at newsgroups/forums/etc where SDF users might hang out.

2. Using the above, I would note that there are some grammar/typos/mistakes from possibly careless writing. That might be something to specifically try to isolate

3. The HTML on the page is very simple, but malformed -- perhaps look for pages like that (some missing </p> tags)

4. adnam made a comment that showed some familiarity with voidnull and SDF -- adnam might be easier to locate and an association might be discovered.

5. If I believe #4, voidnull is possibly a handle that has been used before (seems really dumb, though) -- perhaps it's a very recognizable alteration.

Anything else?

Assuming malicious intent on the part of the provider, the envelope sent to SDF will have a post office stamp from the city from which he sent it. Intersect the IP subnets for the area with the IPs used to connect to SDF to find a connection he made to a non-anonymous account.

Second, the command `ssh -o ProxyCommand="nc -X 4 -x localhost:9050 %h %p" sdf.org` seems to be unique (to Google), and may be in a script he has written previously.

This type of pattern recognition is a very interesting approach to fingering people, even anonymous ones. I've often thought that perfect anonymity is essentially impossible, mostly because nobody wants to enable it, and nobody is smart enough to pull it off for long enough (essentially have a split personality, from even before the time of beginning the anonymous side). As benmanns points out, that ssh command is unique so far. If voidnull has been talking IRL with people about this, they would be able to associate him with it.

Related to the issue of the postmark, there is also the issue of (potential) fingerprints on the envelope and money. The point is, even if the public cannot find identities, the authorities (almost) always can.

Anyways, anonymity is an odd thing: in the US, anonymous speech is allowed (by court decision), but not guaranteed. The government isn't obligated to facilitate it and businesses aren't forced to allow it. voidnull's access to anonymity rests solely on SDF's goodwill and solvency. And the government could easily harass them, even if they are overseas.

Which brings up an interesting thought experiment: what would it look like if anonymity were guaranteed by law, how could it be implemented reliably and verifiably, and what would the counter-balance be against illegal activity?

The IP method won't work since he's using Tor to access SDF.

> Assuming malicious intent on the part of the provider, the envelope sent to SDF will have a post office stamp from the city from which he sent it.

Unless they got someone to remail it from the other side of the country.

Then there is an accomplice. Two people are easier to find than one.

The postal service will cheerfully act as that accomplice:


My mother took advantage of that when my brother was in the hospital for several months.

When the morning mail came around on Valentine's day, he had a ton of mail from women he'd never heard from from half the towns in the USA with any kind of romantic name.

When the afternoon mail came around, he got the same from the half that didn't arrive in the morning.

For the rest of his stay, he had an unassailable reputation as a super stud. Not a particularly bad thing for a marine in a military hospital!

I'm going to bounce a letter off of Bridal Veil, OR and Lovejoy, GA. I'll follow up if/when it gets back to me.

Edit: Here we go: http://i.imgur.com/ZAXzlT8.jpg

Mail something to a friend in New York, ask them to remail via a super-busy mail box and destroy the original envelope. Sure it'll technically be possible to review CCTV around the mail box, but then the investigators have to find out who asked the remailer to do this. More difficult than just cross-checking IP addresses to find potential matches for one person.

Daisy-chain the remails a couple of times and it gets ridiculously complicated for all but highest security purposes. Get the accomplices to each wait some semi-random amount of days before remailing to help improve chances that one of the CCTVs will roll-over and write over footage of a remailer...

Or mail it yourself while travelling without connecting to the server while in the area. Sure, you can technically cross-check CCTV from mailbox with transport centres footage with transport records, but...

Do U.S. stamps have identifying features like printers these days? Shown a stamp or three stamps, can you tell e.g. which store chain sold them?

Make sure your friend isn't FBI, or FBI, Police, or other informant.

Make sure your friend isn't going to rat you out.

Make sure your friend isn't going to just take the money and tell you he mailed it.

Make sure your friend doesn't get caught.

Make sure your friend can resist NYPD torture (cough, I mean Enhanced Interrogation) because how do they know it's not ricin in the envelope, so they can't take any chances.

Make sure your friend understands that if you're doing something shady, something that could be considered Postal Fraud, that he could then be prosecuted as an accomplice. Make sure he understands that he could spend years in jail for blindly remailing something of yours.

For someone willing to take those risks based on your friendship, that would be some really close friend! (or an FBI informant).

I think it's safer to just not mail the letter if you really want to be anonymous.

Think of your friend's safety!

I think you just send the SDF a dollar bill, that's it. You could just call a friend at the other side of the country and ask them to send it.

> 1. We have a little bit of text we can be reasonably sure voidnull wrote -- some sort of text-likeness algorithm might be able to give us some candidates -- pointed at newsgroups/forums/etc where SDF users might hang out.

People call me extremely paranoid for this, but I've seen how effective author-analyzing software is.

I would almost certainly try to learn a new language if I want to stay anonymous, and only use that language for my anonymous alter-ego.

There are plenty of non-English communities out there, and if your data is sufficiently interesting, people will translate it for you.

3a. The HTML is formatted in a specific way, with indents and white space.

Just going to point out that matching HTML code style to a person that shares traits with "voidnull" means nothing. Silly HTML pages I've written in vi over puTTY terminals look practically identical to that page.

Additionally, I would assume if he is to write something going "find me" he will likely purposefully change his styling or attempt to remove any styles he uses. Such a simple page devoid of any CSS or unique traits really shows that it could be written by a seasoned vet or a high school kid with a good idea. It's the HTML equivalent of a notepad file if you ask me.

> Silly HTML pages I've written in vi over puTTY terminals look practically identical to that page.

Sure, but it's a hint that the person might have written it in vi. Only some people would write HTML in vi. Sure that group overlaps quite strongly with group of people that would put out such a challenge, but it's still a couple bits of information.

Regarding #5, I doubt that the name is a useful lead. It seems to me that "voidnull" is just a play on the concept of anonymity and not something that you could tie personally to the OP.

It was adnam's recognition that made me think it was used before. Also voidnull appears to have a long standing interest in this concept, and so might have used a variant of it before. Again, just a data-point -- the idea is to sort a giant list, not necessarily filter it.

> 3. The HTML on the page is very simple, but malformed -- perhaps look for pages like that (some missing </p> tags)

The w3.org validator says it's okay.


That might be so, but it's still a possibly identifying fingerprint.

Sorry, but only people who have never written HTML by hand could think that omitted </p> tags are a useful identifying fingerprint.

It can fit in with word choice, indentation, line length, etc as part of a personal pattern. But by itself it is as meaningful as saying "and".

I have 4 errors, 5 warnings...

So, do I, now. But it's the ISP's over-quote page, not the page originally posted.

Ok, my bad.

voidnull claimed the page was legal, but it is not legal in Germany (according to other comments here). voidnull appears to be a native English writer and uses $ when referring to monetary amounts in a few contexts.

Omitted </p> tags have always been perfectly conforming in HTML, just not XHTML. The same goes for </li> tags. It's more common than you think for people to omit closing tags for those elements.

> Yes, it is legal.

It saddens me that this needed to be clarified, that anyone would wonder whether putting a page on the internet without going through the "proper channels" was legal. Not surprising, but sad.

This depends on your jurisdiction. It might surprise you that even in western countries like Germany it is not possible to legally have an anonymous web page.

I don't have a reference in English, but http://de.wikipedia.org/wiki/Impressumspflicht (in German) is very clear about it.

  As follows from § 55 para. 1 RStV, a provider is
  therefore only exempt from the imprint obligation, and
  can put his website on the Internet completely anonymously,
  if his offering serves exclusively personal or
  family purposes.

Doesn't this say it is allowed to anonymously put a website online, if it is a purely personal/family page? I don't think she is running a business or has any commercial goals.

IANAL, but perhaps. The following paragraph actually states that if all your content is password protected and you only give this password to personal acquaintances, then you clearly don't need an impressum. (Along with two other examples, which are also not very helpful.)

The problem with this law is that it says something about a page with some baby pictures (so that grandma can see her grandchildren), and something about media corporations. However, it simply does not address the case of a private blog, where the audience is not personally related to the author, but the author does also not try to make money with it.

If you publish anything that might concern anyone outside of your family you are already required to add an imprint. A complete address is required information.

A blog, a portfolio, bookmarks, dotfiles or even a simple memorial (if it's for someone outside of family) is enough.

I have not added one to anything I have ever put online nor do I intend to. I neither host in my country nor do I publish in my mother tongue. I think it is ridiculous to be forced to divulge information that allows people to knock on my door.

That it is actually illegal in some jurisdictions doesn't make it any less sad that people have to wonder about it.

There's a short description in English here: http://en.wikipedia.org/wiki/Impressum

No, it is not clear as you present it. It says that for personal use this is not required. However, what is personal is hard to say.

It may be illegal, but it's impossible to prevent. It forever will be and always has been difficult, but not impossible, to publish to the Internet in a manner that is approaching pure anonymity. The reason people will wonder if it is legal is because of the negative connotations that anonymity itself brings (ie. the mindset that people with something to hide are usually doing something wrong). Nations may try to outlaw such a thing, however, it will forever be a stop-gap measure, doomed to perpetual failure. The Internet knows no legal jurisdictions. The very idea that posting something 100% anonymously is illegal is oxymoronic anyway. How can you charge someone with posting something anonymously on the Internet if you were able to figure out who they were in order to charge them? Obviously their method wasn't very anonymous.

The law and courts can specify, recognize, and decide things based on judgements of intent.

Not for long.

For example, what if a corporation set up the page? Oh, we can't let corporations have free speech, according to popular sentiment (which is packaged up as "campaign finance laws"). So, we had better make sure we know who says everything, to make sure it's not a corporation.

In a society that hates freedom, freedom dies. We live in that society.

I can't tell if your comment is subtle parody. But on the theory that you're really not kidding:

I have never heard of a campaign finance law that would prevent a corporation from putting up a web page. Have you? If so, please post a link to the text of the law. I'd be fascinated to read it. Heck, even if it's just a proposed law, that'd be interesting, so you can just put up a link to the bill.


The infamous McCain-Feingold Act made it unlawful to, among other things, publicly criticize a politician within months of an election, unless you were on a list of exceptions that did not include ordinary corporations. It was the law for nearly a decade until recently being declared unconstitutional by the Supreme Court.

It's a little ambiguous if a mere webpage would count because the rules for internet communications are even less clear than those for traditional media.

Could you point me to the specific section that you believe outlaws publishing a web page?

As far as I could tell, it only outlawed broadcast advertising, which is a very different thing.

My point isn't about specific legal "switch statements" (to use programming terminology). It's about the fact that the _principle_ of free speech is being actively attacked in this country.

I'm quite surprised that, as a brother/sister comment to this one pointed out, a law such as the one you described actually did (does?) exist.

I think the other poster is wrong.

Also, I think you don't understand free speech.

The reason democracies are universally big on free speech is that the citizenry must be able to freely discuss how to run their country.

You appear to be a free-speech fundamentalist. Which is an opinion you're entitled to hold. But personally, I strongly disagree that free speech should privilege those spending millions or billions manipulating the opinion of the voters, especially when that's an attempt to line their own pockets.

If any Fortune 500 CEO would like to stand on the streetcorner and explain his views on an issue, I believe no law should stop him. But I believe the current system is just a fancy form of corruption, and does significant harm to the goals that led to the adoption of the first amendment.

> In a society that hates freedom, freedom dies. We live in that society.

Why do you think we have over 11 million illegal aliens living here and over a million people who gained citizenship last year?

Clearly, they must think that freedom is alive and well in the United States my friend.

> 11 million illegal aliens

If I were running for president, my #1 campaign promise and the first thing I'd do upon election would be to shroud the Statue of Liberty, which is currently the greatest symbol of hypocrisy in the world. 99.999% of American citizens' ancestors came here from other countries, which is now regulatory hell, i.e., practically illegal.

> Clearly, they must think that freedom is alive and well in the United States my friend.

May be better than where they came from. But anyway, what anybody thinks is not evidence for what's true.

I don't disagree with your point, but your hyperbole does you no credit. 99.999% implies there are about 3000 American Indians in the US. There are closer to 3 million (depending on exactly what you count), or about 1%. The US census has the number at 1.2%.

> the greatest symbol of hypocrisy in the world

Really? The single greatest signal in the whole world? You can't think of anything that better exemplifies hypocrisy?

Your basic point, which I agree with, would carry a lot more weight if you cut down on the rhetoric.

He's also wrong - it is illegal.

Oh, hang on, which jurisdictions does he fall under? And sdf.org? And the various Tor relays? And, dear reader, you?

Who cares if it's legal? Laws can be wrong. Hell, they usually are. (They are made by people to control other people most of the time.) Is it right? Yes!

1. Buy a prepaid credit card at a store with cash.

2. Use the credit card to buy hosting with whomever you wish to use.

3. Enjoy your anonymity.

I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are. Even then you could go out of your way to purchase the card outside your home area at a grocery store since they often have minimal / poor camera coverage.

Edit - Responses to some of the comments:

In the USA SSNs are only required for customized reloadable cards with your name on them which is obviously not the type you'd want.

As for AVS / name verification, most prepaid cards now have websites which allow you to set a name and address for use online. Others will pass AVS checks with any address. The packaging will often say if they can be used for online purchases.

> I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are.

Well then it's not fucking well anonymous, is it?

For saying things that won't piss off the cops, we can just sign up on Tumblr from our residential ISP IP.

The whole point of having anonymity is for safely exercising the right to unpopular speech. If the cops can track you down, then it's not anonymous.

Imagine if Wikileaks had been fully pseudonymous, and then tried what you suggest. They'd be just as fucked as they are now (for being non-anonymous).

Because of the Patriot Act, don't prepaid credit cards now require Social Security numbers and other identifiable information to activate (I would imagine including your name, which you would provide with the credit card when you buy hosting)?

Sure, you could lie, but you would probably be breaking the law (which the method advocated in the article doesn't do).

Only reloadable prepaid cards require SSN. Non-reloadable (Gift) prepaid cards don't require an SSN. Some even allow you to set an address for AVS purposes.

So don't do it in the USA

Instead you can buy virtual visa with bitcoins, and then you aren't on camera buying a prepaid card. Even better use bitcoins for hosting payment directly and avoid credit cards completely.

You can also find any Russian host you wish, then plug in Bitcoins to a Russian exchange such as btc-e and then withdraw straight to their WMZ account to fund your hosting.

No need to find a Russian host. WordPress accepts Bitcoin! http://en.support.wordpress.com/bitcoin/

Most online services, in my experience at least, will reject credit cards that are not associated with a name.

Most payment gateways provide no name-based authorization - a fake name will work just fine.

Kind of like electronic signatures at stores. You can draw a cat face at one place and a penis in another. Never really understood the point of them.

Same with paper signatures. A signature isn't supposed to rigidly identify you, it is supposed to provide evidence that you signed the document / agreed to the contract. It's a subtle distinction.

Having signatures match is just one straightforward kind of evidence that you agreed to the contract.

Then why the farce of matching your signature with the signature on the back of the credit card? Or if you don't sign the credit card, asking for an ID? It always makes me laugh when the high school student making minimum wage checks my signature. Do they all need to be certified signature experts before getting a job as a cashier?

Do people still check the signature? I haven't had one on any of my cards for at least five years nor do I sign receipts with my name; nobody has ever questioned me or asked for ID.

Me neither - in 10 years, only one girl in a mall validated my sig with the one on the card. It was in a huge outlet "village".

Alive and well in my home town, admittedly outside of the city.

Cashiers are not supposed to check that the signatures match, they are supposed to check that the card is signed. A credit card is not a valid form of payment unless it is signed on the back. "See ID" is not a valid signature BTW. Cashiers who see that are supposed to direct the cardholder to actually sign the card before charging it.

Yea, but they reduce to saying that someone was present and agreed to the contract. I've ordered things online, don't receive them, and the courier tells me it was delivered and signed for. I don't know who agreed. Nobody is going to investigate the curves on the signature.

I am curious though which biometrics will eventually replace the signature, especially with so many transactions online where I can spend thousands of dollars without signing anything.

Strange, I believe I tried that after receiving a bunch of gift cards for Christmas -- I even tried entering in the exact title that's below the CC number on the card, but had no luck.

That's a different issue, namely address verification. You can sometimes log in to the issuer's site or call and give an address (can be fake, just needs to be something you remember) and then use that address on whatever online form you're trying to use. It will pass AVS and you're good to go.

http://www.americanexpress.com/us/content/prepaid/gift-cards... http://usa.visa.com/personal/cards/prepaid/gift_card_faq.htm...

I have had the opposite experience. I just put in John Smith for the name and I have never had any issues.

You can read about someone who is a bit obsessed (in a pragmatic way) about that here: http://snarfed.org/privacy_through_prepaid_credit_cards

Simon Malls was one of the first companies to offer prepaid credit cards at a retail location. They started selling them 10 or 11 years ago. I used to re-encode them with stolen magnetic stripe data back when I was into credit card fraud.

What about cameras at the place you bought the card?

2.5. watch as the prepaid credit card gets declined

But you still get to do step 3!

> Edit - Responses to some of the comments:

HN has a button for that, you know.

The article received unofficial HN post of the week award. @voidnull please post contact details, so the prize can be sent to you.

Sneaky social engineering at work.

Reminded a bit of anon.penet.fi, from the long long ago in the time that was before the Internet took off as a consumer thing. http://en.wikipedia.org/wiki/Anon.penet.fi

Tor was essentially an evolution of these remailers. Probably a lot of the same people involved to this day.

With the notable exception of Len, obviously.

(and anon.penet.fi was mostly NOT a cypherpunks type thing, it had very little technical security; it was all policy and jurisdiction, which worked well until Scientology.)

Strangely fitting, SDF is the French word for homeless: https://fr.wikipedia.org/wiki/Sans_domicile_fixe.

It's a reference to Macross[1], though I wonder if the SDF abbreviation (in Macross) has any relation to the Japanese Self-Defense Force[2].

[1] https://en.wikipedia.org/wiki/The_Super_Dimension_Fortress_M...

[2] http://en.wikipedia.org/wiki/Japan_Self-Defense_Forces

I've tried before to set up even somewhat anonymous identities online before -- not for law-evasion purposes, just for things like working on anti-spam tools.

It's difficult, and I've noticed recently that it's getting worse.

It used to be you could open a hotmail (or gmail) account pretty trivially without using any real personal info.

But lately these email services have started requiring you to link a phone number, and/or an alternative email address... in theory these are to reduce lockouts, account hacking, etc. -- and they really can help -- but they also mean it's far easier to connect those email addresses with a real person.

I had a gmail address that was "anonymous", linked to some content I was hosting on Google Pages and participation in discussion lists, etc..

Then one day YouTube accounts were merged into Google accounts; and I happened to be logged into the anon google account (and youtube) simultaneously. There was one prompt that I didn't read carefully... and then my public YouTube account that was obviously me was permanently, irrevocably linked to the anon gmail account.


I don't have any pressing need nowadays for an anonymous persona online, but I'm inclined to try again at some point, just because it's something I feel should be still possible.

Whoever that guy is, he is going to be getting a lot of postcards.


    Diaz Gonzalez, Ruben  
    C/ Angosta de los Mancebos 5
    Madrid, ma  28005

Do you really need to post personally identifiable information in a public place? In the Netherlands it's not even legal, not sure about where you live. And regardless of whether it's legal, it's not done. I wouldn't want my information to be posted like that.

Oh and if you say "he asked for it", well yes but you got the wrong person, so that's kinda screwed up for whoever happened to own that domain.

That's the output of whois voidnull.com. Too obvious to be the guy making the challenge, of course, but it's not exactly classified information, and has already been "posted" in a public place (the whois records).

There has been highly sensitive data published on pastebin which have led to intense FBI witchhunts but I've never heard of the pastebin user being revealed.

Yes, well I doubt the FBI is quick to publish its snitches unless it has to.

Although I like SDF, a physical letter is a lot more evidence and perhaps hassle than what you'd incur with Tor and some boring free shared hosting service, or running a Tor hidden service if you want interactivity and don't mind slowness, or even joining a Bitcoin mining pool and using the (minimal) payout to anonymously pay for hosting.

Hey voidnull, long time no see! Welcome to HN :) Great to see SDF being promoted here, I've been a member for over 13 years

This page is anonymous... and it also seems to be down.

Google cache to the rescue: http://webcache.googleusercontent.com/search?q=cache:ivvU0sx...

If keeping your identity anonymous is your goal, there is no better example than Satoshi Nakamoto, who managed to create Bitcoin, run and manage the project for almost a couple of years, mine a bunch of coins and still remain completely anonymous.

You need a great deal of fore-planning, but it's certainly doable and there is probably no bigger unspoken bounty on an anonymous user's head than Satoshi's, to prove the point.

Also, for those thinking of finding out his identity through text analysis of his writings (you can view about 500 posts of his in the forums archive, iirc), from my experience reading them (though not actually analyzing through proper tools), he seems to deliberately always use the simplest words and short sentences.

His/her/their story is very interesting.

Didn't Satoshi have email conversations with other developers or interested users? What about forum or wiki accounts for the bitcoin sites? Domain name registration? Web hosting account?

Today, to host a piece of content on the Internet, you must link your identity to the content on some level

Completely incorrect.

There are any number of free web hosts who require nothing more than an email verification.

Some may say that free web hosting is inferior to paid, and I will agree, however my content hosted on free web hosts is still not tied to my real identity.

If Wordpress.com accepts BitCoin, couldn't you just acquire some BitCoins not tied to your personal ID (you can use Moneygram with fake information and route it through mixers, buy them offline, etc.), and utilize Tor/Tor Services to set up the account, and give them fake information?

Possibly, but it wouldn't have the benefit of being 100% legal, as voidnull's solution appears to be. Also if Wordpress were to discover your fake info they might take your site down.

However, because you can't delete your Wordpress.com account http://www.accountkiller.com/en/delete-wordpress-account && http://tosdr.org/#wordpress-com providing false information is the only viable option in case you want to get rid of it.

Why is that not 100% legal?

Providing false information to WordPress is probably not legal.

This is what I had in mind; good old CFAA. Ditto for entering false info in moneygram. (Not commenting on whether these things should be illegal.)

Well, it also touches on fraud and impersonation, old, long established crimes, not just computer hacking.

Is laundering legal money and then using it for legal purposes illegal?

If the money was obtained legally to begin with, concealing the source is not illegal.


If the laundering method is illegal, then yes.

Giving them fake information would be illegal and probably be breaching their ToS.

I can see this breaching their ToS and would probably be shut down by them if brought to their attention. However, what law would you be breaking when you give a private company a fake name?

Regrettably, in the US the "Computer Fraud and Abuse Act" (CFAA) makes it illegal to access a computer without "authorization". Courts have interpreted that to mean that accessing a site when you are in violation of their terms and conditions (for instance, with a fake name) is a violation of this law and thus a felony. Learn more: https://www.eff.org/ja/issues/cfaa

New question: does it matter if it's illegal if it's 1) moral and 2) you're anonymous?

If it's illegal, then it's much more likely to be shut down. Do you want to release some information once off, or do you want a reliable Web host?

Or you could use a pastebin and sign your messages with a private key.

You'd still need to use tor though.

Ofc, as for any internet access

pastebin doesn't work over tor, most of the exit nodes appear to be blocked.

Another good way of setting up an anonymous website is to set up a Tor hidden service, and then allow non-Tor users to access it by handing them a tor2web.org URL: http://tor2web.org/

It would be better to set up your own Tor2web service anonymously, then only have it host your hidden service.

Tor2web and the other gateways will remove service to a hidden service if they receive DMCA or other complaints/takedown notices so if your hidden server was about how you haxx0red the government they would have it shut down, unless of course you hosted in Russia or Egypt where they wouldn't care about western govt.

Is there something like a prebuilt tor2web-like-gateway server image? The best response to takedowns would seem to me not to be to create your own gateway (just moving your Single Point of Failure), but rather for lots of people to run "open proxy" tor2web servers, so that no individual server can enforce any takedown policy (because they'll just switch to a different server in the pool, run by someone else.)

ToR is funded by the US government.

Don't ever forget that...

The design of the protocol (the spec for which is public and open) was funded by the government. What you said was akin to a mathematical discovery being made by a university with federal funding and not trusting the math because of that.

It's also open source. Why does the source of the funding for the research matter? We have the code if we wish to audit it.

Better not use SELinux either then! Or Linux in general for that matter!


Please lick some of your DNA onto an envelope containing $1 to use our anonymous service.

So don't lick it. And unless your DNA is in a database somewhere (are you a sex offender?), it wouldn't matter anyway.

Or have you been arrested? Or have you undergone a security clearance investigation in the united states?

I don't think you have to give DNA for a security clearance

Actually, that's not true. There's a new technique called familial searching that can locate relatives that have had their DNA taken. The cops can then ask a brother, sister, parent, or cousin if they have a particular kind of male or female relative.

Most military/contractor DNA is now in a "personnel recovery" database with the government, too.

I get very uneasy when I see people actually licking the dry glue from envelopes. Maybe it's just a different culture, but for me it's weird as hell.

It is actually made non-toxic with the notion of people licking it in mind. It's not like it is just regular glue or a toxic adhesive. But I get what you mean. I don't lick them either. I don't get why people are even bothering with the point about DNA on the envelope though. Anyone who has ever mailed out lots of handwritten letters has used a moisture pen. You can go buy them for a few dollars at any office supply store. I use one to seal close to a hundred envelopes for the stamps every Monday at work.

Asbestos was first advertised as non-toxic :)

But even despite the health issues, having one spreading body fluids around is not very acceptable where I came from.

If the rest of the internet is presumed to be linkable with a specific identity, I challenge someone to figure out who represents http://www.banksy.co.uk/. And Pest Control doesn't count. And if it does, then that's a pretty easy way to hide your identity.

This is a good question. Most of the comments here seem to be concerned with figuring out voidnull's identity, rather than the motivating idea of whether such a thing is possible.

The easy answer to your question is, Banksy represents that domain. But perhaps he's not so easy to pin down? Still, I'd think the crew involved in Exit Through the Gift Shop[1] might have some leads. Seems solvable, that is.

[1]: http://www.banksyfilm.com/

Only $10 for finding out who you are? It sounds like you don't have very much confidence in your anonymity scheme.

It's about the challenge, not the money.

This is tough without voidnull leaving some sort of clue, or the involvement of SDF (access logs and mail) and the post office, and/or a very detailed tor exit node analysis. Or of course finding an exploit in SDF's system.

Text/source matching is a no go, if you search for specific words used in the text maybe he has posted elsewhere on the subject of SSH/TOR/SDF, I came up with 2 names (last name withheld since this is a wild guess) Doug and Patrick.

Snooping around SDF shows very little, no gopher setup or usage by username voidnull.



Name: Void Null
Directory: /udd/v/voidnull
Shell: /usr/pkg/bin/bash
New Mail received: May 1 19:21 2013
Unread mail Since: Apr 22 08:17 2013

The mail might allude to the fact that he set this account up a week + ago and tested this out before he posted it. So the best bet would be to figure out what was mailed to SDF during the week of April 22nd.

Best bet:

1. Find a security hole in SDF

2. Stake out and pay off someone at Post Office Box 17355 Seattle, WA 98127

You can always just buy hosting in Russia with bitcoins and use ssh through Tor to set it up. Russia doesn't care about names, email addresses or anything else.

I recall a few Iceland hosting services that do the same. As long as you aren't doing something incredibly illegal they won't care what you are hosting

Question for you all:

Why is the ability to post something in complete anonymity onto the internet a worthwhile goal?

Say you live in Syria and one of these days wake up to find the other side of the street where you live completely smashed down by shelling. Oh, there's been a civil war going on (or so the media calls it; "public uprising" maybe?) for some time now alright, but you could be dead tomorrow, you need to understand.. what is truly happening? what's the prognosis? Better ask everyone around. Oh, it's the government, targeting rebels. Ok. Well, what's next? While at it: what's the rebellion up to now? Nobody among your acquaintances wants to talk about it, or knows anything certain. The official news is a joke and is of no help in any case. You've heard there are facebook groups for that, and you have internet.. better log on and post a message. Whoops, apparently somebody did not like your 'too neutral => pro-rebellion' point of view, and now various body parts of yours are being sent out to your relatives, as a message, or just because.

There's been actual demand for anonymous message boards for folks in Syria / friends/relatives of those living there to discuss matters, to understand what the hell is going on. I can't quote sources, though. And there've been incidents of 'facebook message -> whoops, body cut to parts', discussed in some CCC talks, though I haven't tried to follow up and find anything more conclusive. (could dig up the CCC video in question maybe.) In any case, a mere illustration.

Tor usage spikes up during Iran elections (next one's in June).

Folks in cartel-controlled places, or places where public uprising is happening, wanting to understand what is truly happening, or to organise something, etc. are afraid to post to FB etc., and sometimes they are very right to be afraid.

TL;DR This is for real.

[/drama mode]

None of what you say answers the question posed. Your concerns seem to be with the right of free speech, which is valid, but has nothing to do with being anonymous.

> Your concerns seem to be with the right of free speech, which is valid, but has nothing to do with being anonymous.

Oh but it does! See, if I were to reside in Syria and to simply post antigovernmental sentiments online, I very well might end up dead. I would not end up dead (not necessarily) were I to succeed in posting anonymously (let's simply say, 'under a pseudo + (somehow) hidden IP address'). 'Anonymous' here for me simply means 'my online identity [which can post things, read things, whatever] is not connected to my real identity', where 'real' can usually simply be evaluated to 'my real name' and/or 'my physical location'. I would be too afraid to (merely) invent fake pseudonyms on FB - what if Syrian gov't were to succeed and subpoena FB (who knows) and acquire my IP address? Anonymity would matter very much to me!

However, at the same time I see what you mean. In this case, anonymity is a free speech obstruction circumvention tool, in a (limited) sense. Perhaps I'm a pessimist who does not really believe in free speech really being possible. (The regimes are simply extreme cases/illustrations of this.) :)

The value of anonymous free speech in the situation you describe (eg, Syria) should never be taken at anywhere close to face value.

It's nothing more than rumour and stories - precisely because it is anonymous! There is no way to verify it is anything: A true account, a biased account, a popular opinion or the ravings of a lunatic.

In areas where free speech does not exist, anonymous free speech adds nothing at all. It's basically the propaganda the reader wishes to hear. You may as well toe the government line.

Free speech only exists with attribution. Fiction and stories without. While I appreciate the struggles of those in the situation you describe, you advance nothing in an environment of anonymity.

While I see the gist of what you are saying, and the rumour / credibility thing is realistically always an issue in such cases AFAIK, I do not think it is true that "Free speech only exists with attribution [...] you advance nothing in an environment of anonymity."

If a new space for anonymous speech comes up, things will be chaotic at first, trust chains and circles - 'web(s) of trust' (not sure of terminology heh) do emerge, and I've seen it happen [citation needed]. Consider the Bitcoin over-the-counter marketplace (#bitcoin-otc on Freenode), where a web of trust (based on (potentially) anonymous PGP identities/keypairs) does function quite well (not without failures). Actually, if the identities are tied to something like a PGP keypair, it obviously works across (e.g.) forum boards (cough (Tor, etc.) underground forum scene cough). You could actually use PGP signature chaining, etc. (it does work very nicely!)

Of course, in my (vague) illustration, it'd be much more chaotic and nasty. The thing is though that in the end, people do sense a need to have a medium to coordinate efforts, exchange info, etc. (Consider also e.g. the idea that I can disclose my real identity to a select party (pre-arranged IRL, e.g.), but not necessarily to the whole forum. However, if that party is trusted by other nodes, then those nodes can trust me without knowing who I am. Lots of human factors and points of failure here, though. But it is not always futile!) At the very least, one could coordinate an IRL meeting (you would of course say, what if the organizers are covert government agents, etc.) In the end, a system connected to IRL matters and lives will have IRL-bound points of failure. That does not mean that it could (or does) not work, or that it would be as fallible as a non-(quasi-)anonymous solution.

But I agree that it's usually a lot of effort; not necessarily futile though, and that's my only point really.

In a country where government is not protecting the right of free speech, or where its protection is not enough to protect you from powerful organisations seeking to stifle it (which is pretty much every country in existence, since the government can not control everything everywhere) anonymous speech may be the only way to achieve free speech.

Anonymous speech has no value.

The issue is to create the right of free speech, however difficult that is.

Anonymous speech has a lot of value, which can be obvious from the fact that so many efforts are taken to stifle it. If it were ineffectual, nobody would bother to inhibit it. So it is obviously effective in influencing people. If it is effective, it has value.

You apparently didn't read his post? Sadly, there are places where the only free speech is anonymous speech.

Anonymity is very helpful to whistleblowers in various fields of life - and the importance of whistleblowers has even been recognised by laws protecting them.

It's important to note that anonymous posting does not mean that the content is illegal, only that the publisher wishes to remain unknown. I'm sure SDF takes down any copyright infringement or other illegal content promptly.

Anonymity is not a concept to whistleblower protection; in fact, the opposite - whistleblower protection is a protection of your non-anonymous actions.

This is an interesting concept. I would have first logically arrived at the conclusion that whistleblower protection would exist for anonymous releases of sensitive information. Makes sense though that these are put in place to protect people who come forward with information publicly.

In theory, the rule of law will protect your right to say what needs to be said.

In practice, you may have things to say that could be damaging to your career, or that may anger powerful interests, or even your government. That doesn't mean these things aren't worth saying. So anonymity allows you to say them without being prosecuted.

(Unless of course you're making a distinction between anonymity and pseudonymity. Pseudonymity is a special case of anonymity, and requires anonymity as a base condition.)

Because it would be _not_ legitimate for the government to _stop_ us from doing so.

That's because it's not legitimate for the government to use non consensual physical force against us.

Unless we've given up my right to not consent by using or threatening to use non consensual physical force against someone else.

As a sidenote, the point where you have to use violence to advocate for political goals instead of persuasion is when free speech is disallowed.

Because it would be _not_ legitimate for the government to _stop_ us from doing so.

One could argue that the ability of anyone to know what and with whom they are dealing with in everyday life is essential, and therefore the role of the government to attribute an action to a source is paramount. We place a tremendous value on reputation and authenticity. I highly doubt you would send an anonymous source a large sum of money, for example.

As an aside, we already do this with our legal systems (assuming western ideals). Everyone has the right to face their accuser in a public court. (I appreciate that right has been degraded in certain cases over the last 20 years or so.)

> One could argue that the ability of anyone to know what and with whom they are dealing with in everyday life is essential

Only in some cases, so that's not a very good argument.

> the role of the government to attribute an action to a source is paramount

It is paramount in, say, the case of a crime. It is not paramount when it's outside the scope of crime or threat of a crime (i.e., outside the scope of initiated violence).

> I highly doubt you would send an anonymous source a large sum of money, for example.

That's true. If I want to send a large sum of money to someone, I know who they are. That's not something I need the government to adjudicate. (I do think the government should prosecute fraud as an initiation of force, though.)

>Only in some cases,

I'd argue in every case where you aren't completely gullible to everything you read or hear.

Anonymous speech is nothing more than rumour. It has little to no positive value.

If you require the identity of a person you would give money to, why then do you not require the same standards of the person whose thought you would entertain?

Because if we don't have the right to incredibly unpopular, witchhunt-inducing speech, then we don't have free speech at all.

Many things that need to be said for a society to remain free are things that many people really don't want to hear.

Inducing mass cognitive dissonance can be physically dangerous.

I'm not arguing against free speech, nor is free speech in any way related to non-attributed speech.

The US Supreme Court, in 1995:

Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical minority views . . . Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.

Because while freedom of speech is (in some places?) considered an inalienable right, speaking on the internet (writing/publishing) is nearly impossible to do anonymously. I guess one could argue that speaking in person in any context is impossible to do anonymously, but it's still an interesting technical challenge to figure out whether we even can publish anonymously. It's interesting because on the one hand, it's easy to get wrong, and because on the other hand, perhaps it's provably possible, in a manner such as this.

Freedom of anonymous speech is not a right in any jurisdiction or country that I'm aware of.

For very good reason, I might add.

In fact, most anonymous speech can safely be discounted as nonsense.

Keep reading, it's a little more complex than simply suggesting anonymity is guaranteed:

"A defendant in a defamation lawsuit attempted to use this case as a precedent that "sources have the right of anonymous speech under the First Amendment", but in 2011, the New Jersey Supreme Court rejected the argument, distinguishing that case from McIntyre."

Your second link doesn't really pertain to the topic at hand.

Nonetheless, it's an interesting concept that I'm not sure I particularly agree with.

It may not be a right, but it can help protect that freedom of speech and I think that is a pretty worthwhile goal. Also, I agree most anonymous writings don't amount to much of anything, but it doesn't mean they don't have their uses.

Even if nobody manages to identify him (and probably nobody will), this says nothing about what a resourceful organization (such as an intelligence agency or a criminal organization) can do.

Better way to do this:

Go on localbitcoins and find people who mail cash for bitcoins, or find somebody on IRC to do it.

Sell them bitcoins, have them mail the cash to SDF for your payment. Now you avoid all the problems of physically mailing something from where you live. It's actually common for people to ask for single US bills in the mail too, for collecting.

I also would edit Torrc file to use semi trusted exit nodes from torservers.net so you aren't using a malicious exit node.

Then they get investigated, then give the investigators your contact info that they used to transact with you.

Oh noes, then they get a Tor exit node where you contacted them on IRC or Bitcointalk forums, or a JonDonym free proxy you will never use again

It's also hard to get any significant amount of bitcoins anonymously in the first place to begin this process.

Even easier, SDF accept bitcoins.

I think bitcoin would be perfect for these guys...

Why would you go through the hassle of trying to anonymously buy bitcoins with cash so it's not traceable when you could just send the cash? Unless you have mined your own coins there's no anonymity to be had via bitcoin. In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.

> In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.

Assuming all transactions will go to one address or come from "traceable" sender addresses is a bit presumptive.

Why not let the users sign up for the service (over Tor or whatever), then generate a bitcoin address for them to send BTC to? Then every transaction has a new address.

Besides that, there are a ton of ways to keep it anonymous using bitcoin.

Even if every transaction has a new address, you have to get BTC in to the wallet somehow, and the most common method to do this is to buy BTC online with a credit card.

You could buy BTC with cash of course, but then why not just send the cash direct?

I suppose you could also use washers but I'm not sure how reliable those are.

As far as I know most exchanges and gambling sites pay out from a different wallet than you pay in to, so washing coins this way may be possible depending on how long each company keeps track of internal transactions.

There are ways, but I feel you're gilding the lily here. A ten dollar bill in the mail is a pretty decent way of staying anonymous.

As a matter of fact :) : for me, it would actually be easier to ping one of the local miners in my online contacts (I've traded coins before via localbitcoins), meet with them, hand them the cash, get the coins to a bitcoin wallet, and send them to SDF, were they to accept bitcoins. (The verification could also be automated that way, and would be real quick.) The alternative would be to go to a local exchanger or bank, probably hand in ID even though I'm only buying $1 for local currency, then go to the PO to buy an envelope and stamps, make sure the dollar bill is not visible from the inside, and actually send the letter out.. oh, and wait for 2-3 weeks because outgoing overseas mail originating from here is slow.

..I guess what I'm saying is that, lo and behold, Bitcoin might actually eventually work as an 'exchanger asset'; I've already discussed with a friend in the UK the possibility / advantages of using BTC to send cash [1] to them (bank transfer from this place would cost >= 15 pounds otherwise). They could then use a UK-based BTC exchanger, or -- find a local bitcoin trader (and yes there are some)!

(Also see: [2]) :)

Just saying!

In any case, I root for SDF, Godspeed you awesome people.

[1] Well, effectively cash: if both of us were to use local miners/traders, I would be effectively depositing cash, and my friend would be taking the cash out of the system. (See illustration in [2]) The process could be further abstracted away if my wallet were set up to automatically send all incoming coins to a pre-specified address; that address could be my friend's trader's address where they would be sitting, sipping tea and waiting for the incoming coins, or (if my friend were not to care about anonymity at all) an exchanger's address; the exchanger could be set up to automatically make a local wire transfer (so free / very cheap) to a local UK bank account upon incoming coins; et cetera, et cetera.

[2] http://en.wikipedia.org/wiki/Hawala ; & a simple image: http://en.wikipedia.org/wiki/File:Hawala.png

edit: expanded footnote 1, etc.

My vote would be thomask@sdf http://sdf.org/tour/sdfers/gen.cgi?thomask@sdf. Searched around the internet archive for versioning of SDF tutorial pages, and matched language in the voidnull page to his contributions to the various tutorials.

It's not very hard to be anonymous like this. Similarly, can you find the postal address of lucb1e.com, which points directly to my home IP address? (Social engineering my ISP is an option.)

The real question is whether authorities can find the postal address. They're not going to try of course.

The page apparently has the IP address, with it being hosted by Xs4All Internet Bv, Postbus 1848, 1000Bv Amsterdam, The Netherlands. According to google plus, your name is Luc Jansen, where the last name is fake, which really doesn't help. I guess I could send you an email with an image sent from a server, which then reads your IP address out of the request, but I guess you have html embedded images disabled in all your email accounts. There are some photos of you on G+, but then you only share them with some of your friends, which means I'd need to find a less computer savvy friend of yours and see whether I can access his account. Depending on how many, and what kind of photos there are, I might be able to narrow down roughly where you live and how you look or where you go to school (you're 19, so that's kinda hit or miss). You don't look like a picture person from your twitter though. So there'd be multiple avenues for SE. I'm pretty sure authorities could find you quite easily given only that link.

Given first name and birth date (from age down to seconds), any authorities worth their salt can find him in a minute.

edit: well, unless he was not born in a territory under the authority of the authorities in question, and is an undocumented resident of the territory in question...
