There have been a couple of quick updates I posted on the linked page. First, SDF does accept Bitcoin for validation.
Second, SMJ is personally upping the prize to $100. See the link for details.
I am very happy with the result of this stunt. So far this page has gotten over 100,000 which works nicely towards the goal of driving more users towards Tor and SDF.
To give some context, I did this as a publicity stunt for SDF and the Tor project. I have no affiliation with either of these, other than being a grateful user. SDF especially can always use more money and users. As opposed to pastebin, SDF lets you have an email account, message other SDF users, use IRC, etc.
As for the $10 reward, yes it is small, but the point is to see whether people can breach any of security, not to offer lots of cash (which I don't have anyway).
Just in case someone finds $10 too little, I will add 1 bitcoin to the pot for anyone who finds the identity.
Of course the details are a bit tricky. I will accept voidnull's judgement as to whether the reward is due (which begs the question of which identity is voidnull in a philosophically interesting way). Also voidnull could claim this reward, but then I would have unmasked her by simply buying her off (a perfectly valid offensive security technique).
No, because it's a new account only associated with this thing. Granted, access logs on HN could be used to crack the problem, but getting to those is non-trivial.
I'm not sure about that. I mean, he can register with HN with just about any anonymous e-mail address, no money needs to change hands so as far as I can tell it's perfectly anonymous.
Of course we have no way of telling that the voidnull website is by the same person as the voidnull HN account used to start this thread.
Thats one problem with being anonymous, anyone can impersonate you, I can't think of any way to have a 'verified' account which is also anonymous.
a challenge based on public key crypto, user has a known public key and can sign a specified message with his private key to prove he owns that public key while remaining anonymous.
This also allows for password recovery in the opposite direction, site can publish passwords signed with users public keys and then users can decrypt their own using their private keys.
If I open a paid Wordpress.com account using my real e-mail address and a credit card registered to my home, and post a $10 reward for revealing my identity, the fact that I strongly doubt anyone will claim the reward is not proof of Wordpress.com's perfect safeguarding of my identity, just that their systems are secure enough to not be trivially hackable and that nobody cared enough to find a way to obtain a court order to compel WP.com to hand over my info.
He'd probably even send $10 to SDF if they could find him. It would be somewhat more trivial for a Wordpress employee if the site was at voidnull.wordpress.com.
The difference seems to be that he doesn't want to have trust anybody, whereas you'd be happy trusting organizations such as Wordpress and the US legal system.
Actually, I think mseebach's point was the opposite: that this challenge, even if nobody claims the prize, does not prove that tor + sdf-shell-paid-by-mail is secure against leaking your identity.
There's no proof here maybe just an experiment. To see if SDF is truly secure or can he still be tracked.
I would wager as long he doesn't use that handle anywhere else he is safe.
I have no intention of trying to find out voidnull, but here are some thoughts on what we know:
1. We have a little bit of text we can be reasonably sure voidnull wrote -- some sort of text-likeness algorithm might be able to give us some candidates -- pointed at newsgroups/forums/etc where SDF users might hang out.
2. Using the above, I would note that there are some grammar/typos/mistakes from possibly careless writing. That might be something to specifically try to isolate
3. The HTML on the page is very simple, but malformed -- perhaps look for pages like that (some missing </p> tags)
4. adnam made a comment that showed some familiarity with voidnull and SDF -- adnam might be easier to locate and an association might be discovered.
5. If I believe #4, voidnull is possibly a handle that has been used before (seems really dumb, though) -- perhaps it's a very recognizable alteration.
Assuming malicious intent on the part of the provider, the envelope sent to SDF will have a post office stamp from the city from which he sent it. Intersect the IP subnets for the area with the IPs used to connect to SDF to find a connection he made to a non-anonymous account.
Second, the command `ssh -o ProxyCommand="nc -X 4 -x localhost:9050 %h %p" sdf.org` seems to be unique (to Google), and may be in a script he has written previously.
This type of pattern recognition is a very interesting approach to fingering people, even anonymous ones. I've often thought that perfect anonymity is essentially impossible, mostly because nobody wants to enable it, and nobody is smart enough to pull it off for long enough (essentially have a split personality, from even before the time of beginning the anonymous side). As benmanns points out, that ssh command is unique so far. If voidnull has been talking IRL with people about this, they would be able to associate him with it.
Related to the issue of the postmark, there is also the issue of (potential) fingerprints on the envelope and money. The point is, even if the public cannot find identities, the authorities (almost) always can.
Anyways, anonymity is an odd thing: in the US, anonymous speech is allowed (by court decision), but not guaranteed. The government isn't obligated to facilitate it and businesses aren't forced to allow it. voidnull's access to anonymity rests solely on SDF's goodwill and solvency. And the government could easily harrass them, even if they are overseas.
Which brings up an interesting thought experiment: what would it look like if anonymity were guaranteed by law, how could it be implemented reliably and verifiably, and what would the counter-balance be against illegal activity?
My mother took advantage of that when my brother was in the hospital for several months.
When the morning mail came around on Valentine's day, he had a ton of mail from women he'd never heard from from half the towns in the USA with any kind of romantic name.
When the afternoon mail came around, he got the same from the half that didn't arrive in the morning.
For the rest of his stay, he had an unassailable reputation as a super stud. Not a particularly bad thing for a marine in a military hospital!
Mail something to a friend in New York, ask them to remail via a super-busy mail box and destroy the original envelope. Sure it'll technically be possible to review CCTV around the mail box, but then the investigators have to find out who asked the remailer to do this. More difficult than just cross-checking IP addresses to find potential matches for one person.
Daisy-chain the remails a couple of times and it gets ridiculously complicated for all but highest security purposes. Get the accomplices to each wait some semi-random amount of days before remailing to help improve chances that one of the CCTVs will roll-over and write over footage of a remailer...
Or mail it yourself while travelling without connecting to the server while in the area. Sure, you can technically cross-check CCTV from mailbox with transport centres footage with transport records, but...
Do U.S. stamps have identifying features like printers these days? Shown a stamp or three stamps, can you tell e.g. which store chain sold them?
Make sure your friend isn't FBI, or FBI, Police, or other informant.
Make sure your friend isn't going to rat you out.
Make sure your friend isn't going to just take the money and tell you he mailed it.
Make sure your friend doesn't get caught.
Make sure your friend can resist NYPD torture (cough, I mean Enhanced Interrogation) because how do they know it's not ricin in the envelope, so they can't take any chances.
Make sure your friend understands that if you're doing something shady, something that could be considered Postal Fraud, that he could then be prosecuted as an accomplice. Make sure he understands that he could spend years in jail for blindly remailing something of yours.
For someone willing to take those risks based on your friendship, that would be some really close friend! (or an FBI informant).
I think it's safer to just not mail the letter if you really want to be anonymous.
> 1. We have a little bit of text we can be reasonably sure voidnull wrote -- some sort of text-likeness algorithm might be able to give us some candidates -- pointed at newsgroups/forums/etc where SDF users might hang out.
People call me extremely paranoid for this, but I've seen how effective author-analyzing software is.
I would almost certainly try to learn a new language if I want to stay anonymous, and only use that language for my anonymous alter-ego.
There are plenty of non-English communities out there, and if you're data is sufficiently interesting, people will translate it for you.
Just going to point out that matches HTML code style to a person that shares traits with "voidnull" means nothing. Silly HTML pages I've written in vi over puTTY terminals look practically identical to that page.
Additionally, I would assume if he is to write something going "find me" he will likely purposefully change his styling or attempt to remove any styles he uses. Such a simple page devoid of any CSS or unique traits really shows that it could be written by a seasoned vet or a highschool kid with a good idea. Its the html equivalent of notepad file if you ask me.
> Silly HTML pages I've written in vi over puTTY terminals look practically identical to that page.
Sure, but it's a hint that the person might have written it in vi. Only some people would write HTML in vi. Sure that group overlaps quite strongly with group of people that would put out such a challenge, but it's still a couple bits of information.
Regarding #5, I doubt that the name is a useful lead. It seems to me that "voidnull" is just a play on the concept of anonymity and not something that you could tie personally to the OP.
It was adnam's recognition that made me think it was used before. Also voidnull appears to have a long standing interest in this concept, and so might have used a variant of it before. Again, just a data-point -- the idea is to sort a giant list, not necessarily filter it.
voidnull claimed the page was legal, but it is not legal in Germany (according to other comments here). voidnull appears to be a native English writer and uses $ when referring to monetary amounts in a few contexts.
Omitted </p> tags have always been perfectly conforming in HTML, just not XHTML. The same goes for </li> tags. It's more common than you think for people to omit closing tags for those elements.
It saddens me that this needed to be clarified, that anyone would wonder whether putting a page on the internet without going through the "proper channels" was legal. Not surprising, but sad.
This depends on your jurisdiction. It might surprise you that even in western countries like Germany it is not possible to legally have an anonymous web page.
Wie sich aus § 55 Abs. 1 RStV ergibt, trifft
einen Anbieter somit nur dann keine Impressumspflicht, und
er kann seine Webseite völlig anonym ins Internet stellen,
wenn sein Angebot ausschließlich persönlichen oder
familiären Zwecken dient.
Doesn't this say it is allowed to anonymously put a website online, if it is a purely personal/family page? I don't think she is running a business or has any commercial goals.
IANAL, but perhaps. The following paragraph actually states, that if all your content is password protected and you only give this password to personal acquaintances, then you clearly don't need an impressum. ( Along with two other examples, which also not very helpfill.)
The problem with this law is, that is says something about a page with some baby pictures ( so that grandma can see her grandchildren), and something about media corporations. However it simply does not address the case of a private blog, were the audience is not personally related to the author, but the author does also not try to make money with it.
If you publish anything that might concern anyone outside of your family you are already required to add an imprint. A complete address is required information.
A blog, a portfolio, bookmarks, dotfiles or even a simple memorial (if it's for someone outside of family) is enough.
I have not added one to anything I have ever put online nor do I intent to. I neither host in my country nor do I publish in my mother tongue. I think it is ridiculous to be forced to divulge information that allows people to knock on my door.
It may be illegal, but it's impossible to prevent. It forever will be and always has been difficult, but not impossible, to publish to the Internet in a manner that is approaching pure anonymity. The reason people will wonder if it is legal is because of the negative connotations that anonymity itself brings (ie. the mindset that people with something to hide are usually doing something wrong). Nations may try to outlaw such a thing, however, it will forever be a stop-gap measure, doomed to perpetual failure. The Internet knows no legal jurisdictions. The very idea that posting something 100% anonymously is illegal is oxymoronic anyway. How can you charge someone with posting something anonymously on the Internet if you were able to figure out who they were in order to charge them? Obviously their method wasn't very anonymous.
For example, what if a corporation set up the page? Oh, we can't let corporations have free speech, according to popular sentiment (which is packaged up as "campaign finance laws"). So, we had better make sure we know who says everything, to make sure it's not a corporation.
In a society that hates freedom, freedom dies. We live in that society.
I can't tell if your comment is subtle parody. But on the theory that you're really not kidding:
I have never heard of a campaign finance law that would prevent a corporation from putting up a web page. Have you? If so, please post a link to the text of the law. I'd be fascinated to read it. Heck, even if it's just a proposed law, that'd be interesting, so you can just put up a link to the bill.
The infamous McCain-Feingold Act made it unlawful to, among other things, publicly criticize a politician within months of an election, unless you were on a list of exceptions that did not include ordinary corporations. It was the law for nearly a decade until recently being declared unconstitutional by the Supreme Court.
It's a little ambiguous if a mere webpage would count because the rules for internet communications are even less clear than those for traditional media.
My point isn't about specific legal "switch statements" (to use programming terminology). It's about the fact that the _principle_ of free speech is being actively attacked in this country.
I'm quite surprised that, as a brother/sister comment to this one pointed out, a law such as the one you described actually did (does?) exist.
The reason democracies are universally big on free speech is that the citizenry must be able to freely discuss how to run their country.
You appear to be a free-speech fundamentalist. Which is an opinion you're entitled to hold. But personally, I strongly disagree that free speech should privilege those spending millions or billions manipulating the opinion of the voters, especially when that's an attempt to line their own pockets.
If any Fortune 500 CEO would like to stand on the streetcorner and explain his views on an issue, I believe no law should stop him. But I believe the current system is just a fancy form of corruption, and does significant harm to the goals that led to the adoption of the first amendment.
If I were running for president, my #1 campaign promise and the first thing I'd do upon election would be to shroud the Statue of Liberty, which is currently the greatest symbol of hypocrisy in the world. 99.999% of American citizens' ancestors came here from other countries, which is now regulatory hell, i.e., practically illegal.
> Clearly, they must think that freedom is alive and well in the United States my friend.
May be better than where they came from. But anyway, what anybody thinks is not evidence for what's true.
I don't disagree with your point, but your hyperbole does you no credit. 99.999% implies there about 3000 American Indians in the US. There are closer to 3 million (depending on exactly what you count), or about 1%. The US census has the number at 1.2%.
> the greatest symbol of hypocrisy in the world
Really? The single greatest signal in the whole world? You can't think of anything that better exemplifies hypocrisy?
Your basic point, which I agree with, would carry a lot more weight if you cut down on the rhetoric.
Who care's if it's legal laws can be wrong. Hell they usually are. (they are made by people to control other people most of the time)
Is it right? Yes!
1. Buy a prepaid credit card at a store with cash.
2. Use the credit card to buy hosting with whomever you wish to use.
3. Enjoy your anonymity.
I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are. Even then you could go out of your way to purchase the card outside your home area at a grocery store since they often have minimal / poor camera coverage.
Edit - Responses to some of the comments:
In the USA SSNs are only required for customized reloadable cards with your name on them which is obviously not the type you'd want.
As for AVS / name verification, most prepaid cards now have websites which allow you to set a name and address for use online. Others will pass AVS checks with any address. The packaging will often say if they can be used for online purchases.
> I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are.
Well then it's not fucking well anonymous, is it?
For saying things that won't piss off the cops, we can just sign up on Tumblr from our residential ISP IP.
The whole point of having anonymity is for safely exercising the right to unpopular speech. If the cops can track you down, then it's not anonymous.
Imagine if Wikileaks had been fully pseudonymous, and then tried what you suggest. They'd be just as fucked as they are now (for being non-anonymous).
Because of the Patriot Act, don't prepaid credit cards now require Social Security numbers and other identifiable information to activate (I would imagine including your name, which you would provide with the credit card when you buy hosting)?
Sure, you could lie, but you would probably be breaking the law (which the method advocated in the article doesn't do).
Only reloadable prepaid cards require SSN. Non-reloadable (Gift) prepaid cards don't require an SSN. Some even allow you to set an address for AVS purposes.
Instead you can buy virtual visa with bitcoins, and then you aren't on camera buying a prepaid card. Even better use bitcoins for hosting payment directly and avoid credit cards completely.
You can also find any Russian host you wish, then plug in Bitcoins to a Russian exchange such at btc-e and then withdraw straight to their WMZ account to fund your hosting
Same with paper signatures. A signature isn't supposed to rigidly identify you, it is supposed to provide evidence that you signed the document / agreed to the contract. It's a subtle distinction.
Having signatures match is just one straightforward kind of evidence that you agreed to the contract.
Then why the farce of matching your signature with the signature on the back of the credit card? Or if you don't sign the credit card, asking for an ID? It always makes me laugh when the high school student making minimum wage checks my signature. Do they all need to be certified signature experts before getting a job as a cashier?
Do people still check the signature? I haven't had one on any of my cards for at least five years nor do I sign receipts with my name; nobody has ever questioned me or asked for ID.
Cashiers are not supposed to check that the signatures match, they are supposed to check that the card is signed. A credit card is not a valid form of payment unless it is signed on the back. "See ID" is not a valid signature BTW. Cashiers who see that are supposed to direct the cardholder to actually sign the card before charging it.
Yea, but they reduce to saying that someone was present and agreed to the contract. I've ordered things online, don't receive them, and the courier tells me it was delivered and signed for. I don't know who agreed. Nobody is going to investigate the curves on the signature.
I am curious though which biometrics will eventually replace the signature, especially with so many transactions online where I can spend thousands of dollars without signing anything.
Strange, I believe I tried that after receiving a bunch of gift cards for Christmas -- I even tried entering in the exact title that's below the CC number on the card, but had no luck.
That's a different issue, namely address verification. You can sometimes log-in to the issuers site or call and give an address (can be fake, just needs to be something you remember) and then use that address on whatever online form you're trying to use. It will pass AVS and you're good to go.
Simon Malls was one of the first companies to offer prepaid credit cards at a retail location. They started selling them 10 or 11 years ago. I used to re-encode them with stolen magnetic stripe data back when I was into credit card fraud.
Reminded a bit of anon.penet.fi, from the long long ago in the time that was before the Internet took off as a consumer thing. http://en.wikipedia.org/wiki/Anon.penet.fi
(and anon.penet.fi was mostly NOT a cypherpunks type thing, it had very little technical security; it was all policy and jurisdiction, which worked well until Scientology.)
I've tried before to set up even somewhat anonymous identities online before -- not for law-evasion purposes, just for things like working on anti-spam tools.
It's difficult, and I've noticed recently that it's getting worse.
It used to be you could open a hotmail (or gmail) account pretty trivially without using any real personal info.
But lately these email services have started requiring you to link a phone number, and/or an alternative email address... in theory these are to reduce lockouts, account hacking, etc. -- and they really can help -- but they also mean it's far easier to connect those email addresses with a real person.
I had a gmail address that was "anonymous", linked to some content I was hosting on Google Pages and participation in discussion lists, etc..
Then one day YouTube accounts were merged into Google accounts; and I happened to be logged into the anon google account (and youtube) simultaneously. The was one prompt that I didn't read carefully... and then my public YouTube account that was obviously me was permanently, irrevocably linked to the anon gmail account.
Whoops.
I don't have any pressing need nowadays for an anonymous persona online, but I'm inclined to try again at some point, just because it's something I feel should be still possible.
Do you really need to post personally identifiable information in a public place? In the Netherlands it's not even legal, not sure about where you live. And regardless of whether it's legal, it's not done. I wouldn't want my information to be posted like that.
Oh and if you say "he asked for it", well yes but you got the wrong person, so that's kinda screwed up for whoever happened to own that domain.
That's the output of whois voidnull.com. Too obvious to be the guy making the challenge, of course, but it's not exactly classified information, and has already been "posted" in a public place (the whois records).
There has been highly sensitive data published on pastebin which have led to intense FBI witchhunts but I've never heard of the pastebin user being revealed.
Although I like SDF, a physical letter is a lot more evidence and perhaps hassle than what you'd incur with Tor and some boring free shared hosting service, or running a Tor hidden service if you want interactivity and don't mind slowness, or even joining a Bitcoin mining pool and using the (minimal) payout to anonymously pay for hosting.
If keeping your identity anonymous is your goal, there is no better example than Satoshi Nakamoto, that managed to create Bitcoin, run and manage the project for almost couple years, mine a bunch of coins and still remain completely anonymous.
You need a great deal of fore-planning, but it's certainly doable and there is probably no bigger unspoken bounty on an anonymous user's head than Satoshi's, to prove the point.
Also, for those thinking of finding out his identity through text analysis of his writings (you can view about 500 posts of his in the forums archive, iirc), from my experience reading them (though not actually analyzing through proper tools), he seems to deliberately always use the simplest words and short sentences.
Didn't Satoshi have email conversations with other developers or interested users? What about forum or wiki accounts for the bitcoin sites? Domain name registration? Web hosting account?
Today, to host a piece of content on the Internet, you must link your identity to the content on some level
Completely incorrect.
There are any number of free web hosts who require nothing more than an email verification.
Some may say that free web hosting is inferior to paid, and I will agree, however my content hosted on free web hosts is still not tied to my real identity.
If Wordpress.com accepts BitCoin, couldn't you just acquire some BitCoins not tied to your personal ID (you can use Moneygram with fake information and route it through mixers, buy them offline, etc.), and utilize Tor/Tor Services to set up the account, and give them fake information?
Possibly, but it wouldn't have the benefit of being 100% legal, as voidnull's solution appears to be. Also if Wordpress were to discover your fake info they might take your site down.
I can see this breaching their ToS and would probably be shut down by them if brought to their attention. However, what law would you be breaking when you give a private company a fake name.
Regretably, in the US the "Computer Fraud and Abuse Act" (CFAA) makes it illegal to access a computer without "authorization". Courts have interpreted that to mean that accessing a site when you are in violation of their terms and conditions (for instance, with a fake name) is a violation of this law and thus a felony. Learn more: https://www.eff.org/ja/issues/cfaa
Another good way of setting up an anonymous website is to set up a Tor hidden service, and then allow non-Tor users to access it by handing them a tor2web.org URL: http://tor2web.org/
It would be better to set up your own Tor2web service anonymously, then only have it host your hidden service.
Tor2web and the other gateways will remove service to a hidden service if they receive DMCA or other complaints/takedown notices so if your hidden server was about how you haxx0red the government they would have it shut down, unless of course you hosted in Russia or Egypt where they wouldn't care about western govt.
Is there something like a prebuilt tor2web-like-gateway server image? The best response to takedowns would seem to me not to be to create your own gateway (just moving your Single Point of Failure), but rather for lots of people to run "open proxy" tor2web servers, so that no individual server can enforce any takedown policy (because they'll just switch to a different server in the pool, run by someone else.)
The design of the protocol (the spec for which is public and open) was funded by the government. What you said was akin to a mathematical discovery being made by a university with federal funding and not trusting the math because of that.
Actually, that's not true. There's a new technique called familial searching that can locate relatives that have had their DNA taken. The cops can then ask a brother, sister, parent, or cousin if they have a particular kind of male or female relative.
It is actually made non-toxic with the notion of people licking it in mind. It's not like it is just regular glue or a toxic adhesive. But I get what you mean. I don't lick them either. I don't get why people are even bothering with the point about DNA on the envelope though. Anyone who has ever mailed out lots of handwritten letters has used a moisture pen. You can go buy them for a few dollars at any office supply store. I use one to seal close to a hundred envelopes for the stamps every Monday at work.
If the rest of the internet is presumed to be linkable with a specific identity, I challenge someone to figure out who represents http://www.banksy.co.uk/. And Pest Control doesn't count. And if it does, then that's a pretty easy way to hide your identity.
This is a good question. Most of the comments here seem to be concerned with figuring out voidnull's identity, rather than the motivating idea of whether such a thing is possible.
The easy answer to your question is, Banksy represents that domain. But perhaps he's not so easy to pin down? Still, I'd think the crew involved in Exit Through the Gift Shop[1] might have some leads. Seems solvable, that is.
This is tough without voidnull leaving some sort of clue, or the involvement of SDF ( access logs and mail) and the post office , and/or an very detailed tor exit node analysis. Or of course finding an exploit in SDF's system.
Text/source matching is a no go, if you search for specific words used in the text maybe he has posted elsewhere on the subject of SSH/TOR/SDF, I came up with 2 names (last name withheld since this is a wild guess) Doug and Patrick.
Snooping around SDF shows very little, no gopher setup or usage by username voidnull.
Finger:
Login:voidnull
Name: Void Null
Directory: /udd/v/voidnull
Shell: /usr/pkg/bin/bash
New Mail received: May 1 19:21 2013
Unread mail Since: Apr 22 08:17 2013
The mail might elude to the fact that he set this account up a week + ago and tested this out before he posted it. So the best bet would be to figure out what was mailed to SDF during the week of April 22nd.
Best bet:
1. Find a security hole in SDF
2. Stake out an pay off someone at Post Office Box 17355
Seattle, WA 98127
You can always just buy hosting in Russia with bitcoins and use ssh through Tor to set it up. Russia doesn't care about names, email addresses or anything else.
I recall a few Iceland hosting services that do the same. As long as you aren't doing something incredibly illegal they won't care what you are hosting
Say you live in Syria and one of these days wake up to find the other side of the street where you live completely smashed down by shelling. Oh, there's been a civil war going on (or so the media calls it; "public uprising" maybe?) for some time now alright, but you could be dead tomorrow, you need to understand.. what is truly happening? what's the prognosis? Better ask everyone around. Oh, it's the government, targeting rebels. Ok. Well, what's next? While at it: what's the rebellion up to now? Nobody among your acquaintances wants to talk about it, or knows anything certain. The official news is a joke and is of no help in any case. You've heard there are facebook groups for that, and you have internet.. better log on and post a message. Whoops, apparently somebody did not like your 'too neutral => pro-rebellion' point of view, and now various body parts of yours are being sent out to your relatives, as a message, or just because.
There's been actual demand for anonymous message boards for folks in Syria / friends/relatives of those living there to discuss matters, to understand what the hell is going on. I can't quote sources, though. And there've been incidents of 'facebook message -> whoops, body cut to parts', discussed in some CCC talks, though I haven't tried to follow up and find anything more conclusive. (could dig up the CCC video in question maybe.) In any case, a mere illustration.
Tor usage spikes up during Iran elections (next one's in June).
Folks in cartel-controlled places, or places where public uprising is happening, wanting to understand what is truly happening, or to organise something, etc. are afraid to post to FB etc., and sometimes they are very right to be afraid.
None of what you say answers the question posed. Your concerns seems to be with the right of free speech, which is valid, but has nothing to do with being anonymous.
> Your concerns seems to be with the right of free speech, which is valid, but has nothing to do with being anonymous.
Oh but it does! See, if I were to reside in Syria and to simply post antigovernmental sentiments online, I very well might end up dead. I would not end up dead (not necessarily) were I to succeed in posting anonymously (let's simply say, 'under a pseudo + (somehow) hidden IP address'). 'Anonymous' here for me simply means 'my online identity [which can post things, read things, whatever] is not connected to my real identity', where 'real' can usually be simply be evaluated to 'my real name' and/or 'my physical location'. I would be too afraid to (merely) invent fake pseudonyms on FB - what if Syrian gov't were to succeed and subpoena FB (who knows) and acquire my IP address? Anonymity would matter very much to me!
However, at the same time I see what you mean. In this case, anonymity is a free speech obstruction circumvention tool, in a (limited) sense. Perhaps I'm a pessimist who does not really believe in free speech really being possible. (The regimes are simply extreme cases/illustrations of this.) :)
The value of anonymous free speech in the situation you describe (eg, Syria) should never be taken at anywhere close to face value.
It's nothing more than rumour and stories - precisely because it is anonymous! There is no way to verify it is anything: A true account, a biased account, a popular opinion or the ravings of a lunatic.
In areas where free speech does not exist, anonymous free speech adds nothing at all. It's basically the propaganda the reader wishes to hear. You may as well toe the government line.
Free speech only exists with attribution. Fiction and stories without. While I appreciate the struggles of those in the situation you describe, you advance nothing in an environment of anonymity.
While I see the gist of what you are saying, and the rumour / credibility thing is realistically always an issue in such cases AFAIK, I do not think it is true that "Free speech only exists with attribution [...] you advance nothing in an environment of anonymity."
If a new space for anonymous speech comes up, things will be chaotic at first, trust chains and circles - 'web(s) of trust' (not sure of terminology heh) do emerge, and I've seen it happen [citation neeeded]. Consider the Bitcoin over-the-counter marketplace (#bitcoin-otc on Freenode), where a web of trust (based on (potentially) anonymous PGP identities/keypairs) does function quite well (not without failures). Actually, if the identities are tied to something like a PGP keypair, it obviously works across (e.g.) forum boards (cough (Tor, etc.) underground forum scene cough). You could actually use PGP signature chaining, etc. (it does work very nicely!)
Of course, in my (vague) illustration, it'd be much more chaotic and nasty. The thing is though that in the end, people do sense a need to have a medium to coordinate efforts, exchange info, etc. (Consider also e.g. the idea that I can disclose my real identity to a select party (pre-arranged IRL, e.g.), but not necessarily to the whole forum. However, if that party is trusted by other nodes, then those nodes can trust me without knowing who I am. Lots of human factors and points of failure here, though. But it is not always futile!) At the very least, one could coordinate an IRL meeting (you would of course say, what if the organizers are covert government agents, etc.) In the end, a system connected to IRL matters and lives will have IRL-bound points of failure. That does not mean that it could (or does) not work, or that it would be as fallible as a non-(quasi-)anonymous solution.
But I agree that it's usually a lot of effort; not necessarily futile though, and that's my only point really.
In a country where government is not protecting the right of free speech, or where its protection is not enough to protect you from powerful organisations seeking to stifle it (which is pretty much every country in existence, since the government can not control everything everywhere) anonymous speech may be the only way to achieve free speech.
Anonymous speech has a lot of value, which can be obvious from the fact that so many efforts are taken to stifle it. If it were ineffectual, nobody would bother to inhibit it. So it is obviously effective in influencing people. If it is effective, it has value.
Anonymity is very helpful to whistleblowers in various fields of life - and the importance of whistleblowers has even been recognised by laws protecting them.
It's important to note that anonymous posting does not mean that the content is illegal, only that the publisher wishes to remain unknown. I'm sure SDF takes down any copyright infringement or other illegal content promptly.
Anonymity is not a concept to whistleblower protection; in fact, the opposite - whistleblower protection is a protection of your non-anonymous actions.
This is an interesting concept. I would have first logically arrived at the conclusion that whistleblower protection would exist for anonymous releases of sensitive information. Makes sense though that these are put in place to protect people who come forward with information publicly.
In theory, the rule of law will protect your right to say what needs to be said.
In practice, you may have things to say that could be damaging to your career, or that may anger powerful interests, or even your government. That doesn't mean these things aren't worth saying. So anonymity allows you to say them without being prosecuted.
(Unless of course you're making a distinction between anonymity and pseudonymity. Pseudonymity is a special case of anonymity, and requires anonymity as a base condition.)
Because it would be _not_ legitimate for the government to _stop_ us from doing so.
One could argue that the ability of anyone to know what and with whom they are dealing with in everyday life is essential, and therefore the role of the government to attribute an action to a source is paramount. We place a tremendous value on reputation and authenticity. I highly doubt you would send an anonymous source a large sum of money, for example.
As an aside, we already do this with our legal systems (assuming western ideals). Everyone has the right to face their accuser in a public court. (I appreciate that right has been degraded in certain cases over the last 20 years or so.)
> One could argue that the ability of anyone to know what and with whom they are dealing with in everyday life is essential
Only in some cases, so that's not a very good argument.
> the role of the government to attribute an action to a source is paramount
It is paramount in, say, the case of a crime. It is not paramount when it's outside the scope of crime or threat of a crime (i.e., outside the scope of initiated violence).
> I highly doubt you would send an anonymous source a large sum of money, for example.
That's true. If I want to send a large sum of money to someone, I know who they are. That's not something I need the government to adjudicate. (I do think the government should prosecute fraud as an initiation of force, though.)
I'd argue in every case where you aren't completely gullible to everything you read or hear.
Anonymous speech is nothing more than rumour. It has little to no positive value.
If you require the identity of a person you would give money to, why then to you not require the same standards of the person who's thought you would entertain?
Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical minority views . . . Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.
Because while freedom of speech is (in some places?) considered an inalienable right, speaking on the internet (writing/publishing) is nearly impossible to do anonymously. I guess one could argue that speaking in person in any context is impossible to do anonymously, but it's still an interesting technical challenge to figure out whether we even can publish anonymously. It's interesting because on the one hand, it's easy to get wrong, and because on the other hand, perhaps it's provably possible, in a manner such as this.
Keep reading, it's a little more complex then simply suggesting anonymity is guaranteed:
"A defendant in a defamation lawsuit attempted to use this case as a precedent that "sources have the right of anonymous speech under the First Amendment", but in 2011, the New Jersey Supreme Court rejected the argument, distinguishing that case from McIntyre."
Your second link doesn't really pertain to the topic at hand.
Nonetheless, it's an interesting concept that I'm not sure I particularly agree with.
It may not be a right, but it can help protect that freedom of speech and I think that is a pretty worthwhile goal. Also, I agree most anonymous writings don't amount to much of anything, but it doesn't mean they don't have their uses.
Even if nobody manages to identify him (and probably nobody will), this says nothing about what a resourceful organization (such as an intelligence agency or a criminal organization) can do.
Go on localbitcoins and find people who mail cash for bitcoins, or find somebody on IRC to do it.
Sell them bitcoins, have them mail the cash to SDF for your payment. Now you avoid all the problems of physically mailing something from where you live. It's actually common for people to ask for single US bills in the mail too, for collecting.
I also would edit Torrc file to use semi trusted exit nodes from torservers.net so you aren't using a malicious exit node.
Why would you go through the hassle of trying to anonymously buy bitcoins with cash so it's not traceable when you could just send the cash? Unless you have mined your own coins there's no anonymity to be had via bitcoin. In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.
> In fact using bitcoin would make it far easier for someone to start tracking anyone who used the service by tracing back the transaction chain from the wallet of the hosting provider.
Assuming all transactions will go to one address or come from "traceable" sender addresses is a bit presumptive.
Why not let the users sign up for the service (over Tor or whatever), then generate a bitcoin address for them to send BTC to? Then every transaction has a new address.
Besides that, there are a ton of ways to keep it anonymous using bitcoin.
Even if every transaction has a new address, you have to get BTC in to the wallet somehow, and the most common method to do this is to buy BTC online with a credit card.
You could buy BTC with cash of course, but then why not just send the cash direct?
I suppose you could also use washers but I'm not sure how reliable those are.
as far as I know most exchanges and gambling sites pay out from a different wallet that you pay in to, so washing coins this way may be possible depending on how long each company keeps track of internal transactions.
As a matter of fact :) : for me, it would actually be more easy to ping one of the local miners in my online contacts (I've traded coins before via localbitcoins), meet with them, hand them the cash, get the coins to a bitcoin wallet, and send them to SDF, were they to accept bitcoins. (The verification could also be automated that way, and would be real quick.) The alternative would be to go to a local exchanger or bank, probably hand in ID even though I'm only buying $1 for local currency, then go to the PO to buy an envelope and stamps, make sure the dollar bill is not visible from the inside, and actually send the letter out.. oh, and wait for 2-3 weeks because outgoing overseas mail originating from here is slow.
..I guess what I'm saying is that, lo and behold, Bitcoin might actually eventually work as an 'exchanger asset'; I've already discussed with a friend in the UK the possibility / advantages of using BTC to send cash [1] to them (bank transfer from this place would cost >= 15 pounds otherwise). They could then use a UK-based BTC exchanger, or -- find a local bitcoin trader (and yes there are some)!
(Also see: [2]) :)
Just saying!
In any case, I root for SDF, Godspeed you awesome people.
[1] Well, effectively cash: if both of us were to use local miners/traders, I would be effectively depositing cash, and my friend would be taking the cash out of the system. (See illustration in [2]) The process could be further abstracted away if my wallet were set up to automatically send all incoming coins to a pre-specified address; that address could my friend's trader's address where they would be sitting, sipping tea and waiting for the incoming coins, or (if my friend were not to care about anonymity at all) an exchanger's address; the exchanger could be set up to automatically make a local wire transfer (so free / very cheap) to a local UK bank account upon incoming coins; et cetera, et cetera.
My vote would be thomask@sdf http://sdf.org/tour/sdfers/gen.cgi?thomask@sdf. Searched around the internet archive for versioning of SDF tutorial pages, and matched language in the voidnull page to his contributions to the various tutorials.
It's not very hard to be anonymous like this. Similarly, can you find the postal address lucb1e.com, which points directly to my home IP address? (Social engineering my ISP is an option.)
The real question is whether authorities can find the postal address. They're not going to try of course.
The page appearently has the IP adress
83.161.210.237, with it being hosted by Xs4All Internet Bv, Postbus 1848, 1000Bv Amsterdam, The Netherlands.
According to google plus, your name is Luc Jansen, where the last name is fake, which really doesn't help. I guess I could send you an email with an image sent from a server, which then reads you ip adress out of the request, but i guess you have html embedded images disabled in all your email accounts. There is some photos of you on G+, but then you only share them with some of your friends, which means I'd need to find a less computer savy friend of yours and see whether I can acess his account. Depending on how many, and what kind of photos there are, I might be able to narrow down roughly where you live and how you look or where you go to school (you're 19, so that's kinda hit or miss). You don't look like a picture person from your twitter though. So there'd be multiple avenues for SE. I'm pretty sure Authorities could find you quite easily given only that link.
Given first name and birth date (from age down to seconds), any authorities worth their salt can find him in a minute.
edit: well, unless he was not born in a territory under the authority of the authorities in question, and is an undocumented resident of the territory in question...
If the $1 bill was marked in any way (eg. http://en.wikipedia.org/wiki/Wheres_George%3F), SDF might have some clues. If the post office keeps any logs of mail (eg. letter posted from box on X street to Y address) then that might also provide some useful information. Particularly so if the postbox had any security cameras watching it. Of course, these approaches require a few organizations to be working cooperatively to find voidnull.
Can't the serial number on a dollar bill be traced back to the last bank it was located? Not very accurate, but it's a lead if someone, for example, in the government wanted to find you.
I'm sure it could be traced back to the last bank the Federal Reserve gave it to, but I seriously doubt they scan in every bill that passes through their hands every day.
Isn't the way to get through this is to start running a lot of Tor nodes and hope to trap voidnull? If so, don't we think that those that care about breaking Tor are doing this?
It's worth mentioning SDF still (IIRC) provides dialup service. So a USB modem, telecoupler and payphone are all required to really truly publish without leaving much trace.
So publishing content is anonymous, but ultimately SFT is responsible for hosting? Will they, for example, stop hosting your content if the MPAA/RIAA make copyright claims?
There have been quite a few free speech hosts around. A while ago I tested out MediaOn(.com). Straight forward process. You just need some free email host and snailmail the fees in as cash.
I've seen this kind of post before, and I simply don't get it.
Has the person never heard of pastebins and other services that don't require you to sign up in order to post content? If you are concerned about them tracing your IP, that's a different story. You might go to a public computer and hide from all the cameras. In 5 years, when cameras might be more ubiquitous, you will still be able to post via proxies.
At the end of the day, for his claim to be true, EVERY site that lets users post anonymously would have to record the IP of every transaction, maintain a whitelist of IPs from networks that have at least some identity checking or cameras, and ban everyone else. Unlikely!
A more interesting question would be, how to post anonymously and untraceably on blogs? Well, if the blog owner has a whitelist policy, it might be difficult to fool them into thinking you are someone they trust to post. But if all they rely on is Wordpress' default blacklist of "mailinator" type email providers, then it's a never-ending game of cat and mouse. I doubt the email providers are held liable for not verifying the identity of a user before providing an email address, especially since the email account is often publicly viewable by everyone.
On a related note, I remember being affected by The Digital Imprimatur document, and doing some serious thinking about the questions of Security, Privacy, Identity and Censorship:
If you post on Pastebin via a proxy chain through as many different countries as you can (Home > Chinese Proxy > Russian Proxy > UK Proxy > USA Proxy > Japanese Proxy) I don't see how anyone could ever trace it back to you without total cooperation from every link in the chain.
If they are already suspicious of you, then you've already lost. In the above scenario, voidnull's dna or fingerprints would have to be cataloged for them to find him.
But then can't you trace him based on the hacker news account? Why not just post the text itself on hacker news, is it because HN can take it down while the source should be relatively stable?
How will you trace him based on the HN account? All that's required to sign up is a username/password combination. Looks like reddit is the same. Generate a random password and access them via tor to not get your IP logged and there isn't much to go on.
why go through so much trouble, just host your anonymous content using www.boopoohoo.org they also have an iphone and android app for those who are keen
A mail address is not required to create a HN account, as far as I can tell. It's been a while though, and I don't want to create a random dummy account to find out for sure.
She's a gay, transgender, atheist, member of the very wrong political party who once stole a loaf of bread while starving and who slept with her boy/girlfriend (who was white) at an age where, although there was only a day between them, she was an "adult" while the other was a "child" in Zimbabwe.
Sorry Zimbabwe, you were at the bottom of the "Freedom Index" I looked at.
For parts of the above, she could have been anywhere in Africa, the Middle East or, indeed, the first world.
On top of all that, she also didn't want her parents to know she's got a tattoo and was concerned that her colleagues would be upset that she'd negotiated a higher pay package than them.
Or, in the flip side, a white male who says stuff that embarrasses or offends people who have US Attorney cellphone numbers on speed-dial. Examples include Assange, Weev, the two girls one cup guy, etc.
There have been a couple of quick updates I posted on the linked page. First, SDF does accept Bitcoin for validation.
Second, SMJ is personally upping the prize to $100. See the link for details.
I am very happy with the result of this stunt. So far this page has gotten over 100,000 which works nicely towards the goal of driving more users towards Tor and SDF.