As for the $10 reward, yes it is small, but the point is to see whether people can breach any of security, not to offer lots of cash (which I don't have anyway).
Of course the details are a bit tricky. I will accept voidnull's judgement as to whether the reward is due (which begs the question of which identity is voidnull in a philosophically interesting way). Also voidnull could claim this reward, but then I would have unmasked her by simply buying her off (a perfectly valid offensive security technique).
This also allows for password recovery in the opposite direction: the site can publish passwords signed with users' public keys and then users can decrypt their own using their private keys.
The difference seems to be that he doesn't want to have to trust anybody, whereas you'd be happy trusting organizations such as Wordpress and the US legal system.
1. We have a little bit of text we can be reasonably sure voidnull wrote -- some sort of text-likeness algorithm might be able to give us some candidates -- pointed at newsgroups/forums/etc where SDF users might hang out.
2. Using the above, I would note that there are some grammar/typos/mistakes from possibly careless writing. That might be something to specifically try to isolate
3. The HTML on the page is very simple, but malformed -- perhaps look for pages like that (some missing </p> tags)
4. adnam made a comment that showed some familiarity with voidnull and SDF -- adnam might be easier to locate and an association might be discovered.
5. If I believe #4, voidnull is possibly a handle that has been used before (seems really dumb, though) -- perhaps it's a very recognizable alteration.
Second, the command `ssh -o ProxyCommand="nc -X 4 -x localhost:9050 %h %p" sdf.org` seems to be unique (to Google), and may be in a script he has written previously.
Related to the issue of the postmark, there is also the issue of (potential) fingerprints on the envelope and money. The point is, even if the public cannot find identities, the authorities (almost) always can.
Anyways, anonymity is an odd thing: in the US, anonymous speech is allowed (by court decision), but not guaranteed. The government isn't obligated to facilitate it and businesses aren't forced to allow it. voidnull's access to anonymity rests solely on SDF's goodwill and solvency. And the government could easily harass them, even if they are overseas.
Which brings up an interesting thought experiment: what would it look like if anonymity were guaranteed by law, how could it be implemented reliably and verifiably, and what would the counter-balance be against illegal activity?
Unless they got someone to remail it from the other side of the country.
When the morning mail came around on Valentine's day, he had a ton of mail from women he'd never heard from from half the towns in the USA with any kind of romantic name.
When the afternoon mail came around, he got the same from the half that didn't arrive in the morning.
For the rest of his stay, he had an unassailable reputation as a super stud. Not a particularly bad thing for a marine in a military hospital!
Edit: Here we go: http://i.imgur.com/ZAXzlT8.jpg
Daisy-chain the remails a couple of times and it gets ridiculously complicated for all but highest security purposes. Get the accomplices to each wait some semi-random amount of days before remailing to help improve chances that one of the CCTVs will roll-over and write over footage of a remailer...
Or mail it yourself while travelling without connecting to the server while in the area. Sure, you can technically cross-check CCTV from mailbox with transport centres footage with transport records, but...
Do U.S. stamps have identifying features like printers these days? Shown a stamp or three stamps, can you tell e.g. which store chain sold them?
Make sure your friend isn't going to rat you out.
Make sure your friend isn't going to just take the money and tell you he mailed it.
Make sure your friend doesn't get caught.
Make sure your friend can resist NYPD torture (cough, I mean Enhanced Interrogation) because how do they know it's not ricin in the envelope, so they can't take any chances.
Make sure your friend understands that if you're doing something shady, something that could be considered Postal Fraud, that he could then be prosecuted as an accomplice. Make sure he understands that he could spend years in jail for blindly remailing something of yours.
For someone willing to take those risks based on your friendship, that would be some really close friend! (or an FBI informant).
I think it's safer to just not mail the letter if you really want to be anonymous.
Think of your friend's safety!
People call me extremely paranoid for this, but I've seen how effective author-analyzing software is.
I would almost certainly try to learn a new language if I want to stay anonymous, and only use that language for my anonymous alter-ego.
There are plenty of non-English communities out there, and if your data is sufficiently interesting, people will translate it for you.
Additionally, I would assume if he is to write something going "find me" he will likely purposefully change his styling or attempt to remove any styles he uses. Such a simple page devoid of any CSS or unique traits really shows that it could be written by a seasoned vet or a highschool kid with a good idea. It's the HTML equivalent of a notepad file if you ask me.
Sure, but it's a hint that the person might have written it in vi. Only some people would write HTML in vi. Sure that group overlaps quite strongly with group of people that would put out such a challenge, but it's still a couple bits of information.
The w3.org validator says it's okay.
It can fit in with word choice, indentation, line length, etc as part of a personal pattern. But by itself it is as meaningful as saying "and".
It saddens me that this needed to be clarified, that anyone would wonder whether putting a page on the internet without going through the "proper channels" was legal. Not surprising, but sad.
I don't have a reference in English, but http://de.wikipedia.org/wiki/Impressumspflicht (in German)
is very clear about it.
As follows from § 55 para. 1 RStV,
a provider is thus exempt from the imprint obligation, and
can put their website on the internet completely anonymously,
only if their offering serves exclusively personal or
family purposes.
The problem with this law is that it says something about a page with some baby pictures (so that grandma can see her grandchildren), and something about media corporations. However, it simply does not address the case of a private blog, where the audience is not personally related to the author, but the author does also not try to make money with it.
A blog, a portfolio, bookmarks, dotfiles or even a simple memorial (if it's for someone outside of family) is enough.
I have not added one to anything I have ever put online nor do I intend to. I neither host in my country nor do I publish in my mother tongue. I think it is ridiculous to be forced to divulge information that allows people to knock on my door.
For example, what if a corporation set up the page? Oh, we can't let corporations have free speech, according to popular sentiment (which is packaged up as "campaign finance laws"). So, we had better make sure we know who says everything, to make sure it's not a corporation.
In a society that hates freedom, freedom dies. We live in that society.
I have never heard of a campaign finance law that would prevent a corporation from putting up a web page. Have you? If so, please post a link to the text of the law. I'd be fascinated to read it. Heck, even if it's just a proposed law, that'd be interesting, so you can just put up a link to the bill.
The infamous McCain-Feingold Act made it unlawful to, among other things, publicly criticize a politician within months of an election, unless you were on a list of exceptions that did not include ordinary corporations. It was the law for nearly a decade until recently being declared unconstitutional by the Supreme Court.
It's a little ambiguous if a mere webpage would count because the rules for internet communications are even less clear than those for traditional media.
As far as I could tell, it only outlawed broadcast advertising, which is a very different thing.
I'm quite surprised that, as a brother/sister comment to this one pointed out, a law such as the one you described actually did (does?) exist.
Also, I think you don't understand free speech.
The reason democracies are universally big on free speech is that the citizenry must be able to freely discuss how to run their country.
You appear to be a free-speech fundamentalist. Which is an opinion you're entitled to hold. But personally, I strongly disagree that free speech should privilege those spending millions or billions manipulating the opinion of the voters, especially when that's an attempt to line their own pockets.
If any Fortune 500 CEO would like to stand on the streetcorner and explain his views on an issue, I believe no law should stop him. But I believe the current system is just a fancy form of corruption, and does significant harm to the goals that led to the adoption of the first amendment.
Why do you think we have over 11 million illegal aliens living here and over a million people who gained citizenship last year?
Clearly, they must think that freedom is alive and well in the United States my friend.
If I were running for president, my #1 campaign promise and the first thing I'd do upon election would be to shroud the Statue of Liberty, which is currently the greatest symbol of hypocrisy in the world. 99.999% of American citizens' ancestors came here from other countries, which is now regulatory hell, i.e., practically illegal.
> Clearly, they must think that freedom is alive and well in the United States my friend.
May be better than where they came from. But anyway, what anybody thinks is not evidence for what's true.
> the greatest symbol of hypocrisy in the world
Really? The single greatest signal in the whole world? You can't think of anything that better exemplifies hypocrisy?
Your basic point, which I agree with, would carry a lot more weight if you cut down on the rhetoric.
Oh, hang on, which jurisdictions does he fall under? And sdf.org? And the various Tor relays? And, dear reader, you?
2. Use the credit card to buy hosting with whomever you wish to use.
3. Enjoy your anonymity.
I realize it may be possible for law enforcement to find you through tracking down the location the card was purchased at but in reality no one else can find who you are. Even then you could go out of your way to purchase the card outside your home area at a grocery store since they often have minimal / poor camera coverage.
Edit - Responses to some of the comments:
In the USA SSNs are only required for customized reloadable cards with your name on them which is obviously not the type you'd want.
As for AVS / name verification, most prepaid cards now have websites which allow you to set a name and address for use online. Others will pass AVS checks with any address. The packaging will often say if they can be used for online purchases.
Well then it's not fucking well anonymous, is it?
For saying things that won't piss off the cops, we can just sign up on Tumblr from our residential ISP IP.
The whole point of having anonymity is for safely exercising the right to unpopular speech. If the cops can track you down, then it's not anonymous.
Imagine if Wikileaks had been fully pseudonymous, and then tried what you suggest. They'd be just as fucked as they are now (for being non-anonymous).
Sure, you could lie, but you would probably be breaking the law (which the method advocated in the article doesn't do).
You can also find any Russian host you wish, then plug in Bitcoins to a Russian exchange such as btc-e and then withdraw straight to their WMZ account to fund your hosting
Having signatures match is just one straightforward kind of evidence that you agreed to the contract.
I am curious though which biometrics will eventually replace the signature, especially with so many transactions online where I can spend thousands of dollars without signing anything.
HN has a button for that, you know.
(and anon.penet.fi was mostly NOT a cypherpunks type thing, it had very little technical security; it was all policy and jurisdiction, which worked well until Scientology.)
Diaz Gonzalez, Ruben
C/ Angosta de los Mancebos 5
Madrid, ma 28005
Oh and if you say "he asked for it", well yes but you got the wrong person, so that's kinda screwed up for whoever happened to own that domain.
Google cache to the rescue: http://webcache.googleusercontent.com/search?q=cache:ivvU0sx...
There are any number of free web hosts who require nothing more than an email verification.
Some may say that free web hosting is inferior to paid, and I will agree, however my content hosted on free web hosts is still not tied to my real identity.
It's difficult, and I've noticed recently that it's getting worse.
It used to be you could open a hotmail (or gmail) account pretty trivially without using any real personal info.
But lately these email services have started requiring you to link a phone number, and/or an alternative email address... in theory these are to reduce lockouts, account hacking, etc. -- and they really can help -- but they also mean it's far easier to connect those email addresses with a real person.
I had a gmail address that was "anonymous", linked to some content I was hosting on Google Pages and participation in discussion lists, etc..
Then one day YouTube accounts were merged into Google accounts; and I happened to be logged into the anon google account (and youtube) simultaneously. There was one prompt that I didn't read carefully... and then my public YouTube account that was obviously me was permanently, irrevocably linked to the anon gmail account.
I don't have any pressing need nowadays for an anonymous persona online, but I'm inclined to try again at some point, just because it's something I feel should be still possible.
Tor2web and the other gateways will remove service to a hidden service if they receive DMCA or other complaints/takedown notices so if your hidden server was about how you haxx0red the government they would have it shut down, unless of course you hosted in Russia or Egypt where they wouldn't care about western govt.
Don't ever forget that...
but even despite the health issues, having one spreading body fluids around is not very acceptable where i came from.
Text/source matching is a no go, if you search for specific words used in the text maybe he has posted elsewhere on the subject of SSH/TOR/SDF, I came up with 2 names (last name withheld since this is a wild guess) Doug and Patrick.
Snooping around SDF shows very little, no gopher setup or usage by username voidnull.
Name: Void Null
New Mail received: May 1 19:21 2013
Unread mail Since: Apr 22 08:17 2013
The mail might allude to the fact that he set this account up a week + ago and tested this out before he posted it. So the best bet would be to figure out what was mailed to SDF during the week of April 22nd.
1. Find a security hole in SDF
2. Stake out and pay off someone at Post Office Box 17355
Seattle, WA 98127
I recall a few Iceland hosting services that do the same. As long as you aren't doing something incredibly illegal they won't care what you are hosting
You need a great deal of fore-planning, but it's certainly doable and there is probably no bigger unspoken bounty on an anonymous user's head than Satoshi's, to prove the point.
Also, for those thinking of finding out his identity through text analysis of his writings (you can view about 500 posts of his in the forums archive, iirc), from my experience reading them (though not actually analyzing through proper tools), he seems to deliberately always use the simplest words and short sentences.
Didn't Satoshi have email conversations with other developers or interested users? What about forum or wiki accounts for the bitcoin sites? Domain name registration? Web hosting account?
Why is the ability to post something in complete anonymity onto the internet a worthwhile goal?
There's been actual demand for anonymous message boards for folks in Syria / friends/relatives of those living there to discuss matters, to understand what the hell is going on. I can't quote sources, though. And there've been incidents of 'facebook message -> whoops, body cut to parts', discussed in some CCC talks, though I haven't tried to follow up and find anything more conclusive. (could dig up the CCC video in question maybe.) In any case, a mere illustration.
Tor usage spikes up during Iran elections (next one's in June).
Folks in cartel-controlled places, or places where public uprising is happening, wanting to understand what is truly happening, or to organise something, etc. are afraid to post to FB etc., and sometimes they are very right to be afraid.
TL;DR This is for real.
Oh but it does! See, if I were to reside in Syria and to simply post antigovernmental sentiments online, I very well might end up dead. I would not end up dead (not necessarily) were I to succeed in posting anonymously (let's simply say, 'under a pseudo + (somehow) hidden IP address'). 'Anonymous' here for me simply means 'my online identity [which can post things, read things, whatever] is not connected to my real identity', where 'real' can usually simply be evaluated to 'my real name' and/or 'my physical location'. I would be too afraid to (merely) invent fake pseudonyms on FB - what if Syrian gov't were to succeed and subpoena FB (who knows) and acquire my IP address? Anonymity would matter very much to me!
However, at the same time I see what you mean. In this case, anonymity is a free speech obstruction circumvention tool, in a (limited) sense. Perhaps I'm a pessimist who does not really believe in free speech really being possible. (The regimes are simply extreme cases/illustrations of this.) :)
It's nothing more than rumour and stories - precisely because it is anonymous! There is no way to verify it is anything: A true account, a biased account, a popular opinion or the ravings of a lunatic.
In areas where free speech does not exist, anonymous free speech adds nothing at all. It's basically the propaganda the reader wishes to hear. You may as well toe the government line.
Free speech only exists with attribution. Fiction and stories without. While I appreciate the struggles of those in the situation you describe, you advance nothing in an environment of anonymity.
If a new space for anonymous speech comes up, things will be chaotic at first, trust chains and circles - 'web(s) of trust' (not sure of terminology heh) do emerge, and I've seen it happen [citation needed]. Consider the Bitcoin over-the-counter marketplace (#bitcoin-otc on Freenode), where a web of trust (based on (potentially) anonymous PGP identities/keypairs) does function quite well (not without failures). Actually, if the identities are tied to something like a PGP keypair, it obviously works across (e.g.) forum boards (cough (Tor, etc.) underground forum scene cough). You could actually use PGP signature chaining, etc. (it does work very nicely!)
Of course, in my (vague) illustration, it'd be much more chaotic and nasty. The thing is though that in the end, people do sense a need to have a medium to coordinate efforts, exchange info, etc. (Consider also e.g. the idea that I can disclose my real identity to a select party (pre-arranged IRL, e.g.), but not necessarily to the whole forum. However, if that party is trusted by other nodes, then those nodes can trust me without knowing who I am. Lots of human factors and points of failure here, though. But it is not always futile!) At the very least, one could coordinate an IRL meeting (you would of course say, what if the organizers are covert government agents, etc.) In the end, a system connected to IRL matters and lives will have IRL-bound points of failure. That does not mean that it could (or does) not work, or that it would be as fallible as a non-(quasi-)anonymous solution.
But I agree that it's usually a lot of effort; not necessarily futile though, and that's my only point really.
The issue is to create the right of free speech, however difficult that is.
It's important to note that anonymous posting does not mean that the content is illegal, only that the publisher wishes to remain unknown. I'm sure SDF takes down any copyright infringement or other illegal content promptly.
That's because it's not legitimate for the government to use non consensual physical force against us.
Unless we've given up my right to not consent by using or threatening to use non consensual physical force against someone else.
As a sidenote, the point where you have to use violence to advocate for political goals instead of persuasion is when free speech is disallowed.
One could argue that the ability of anyone to know what and with whom they are dealing with in everyday life is essential, and therefore the role of the government to attribute an action to a source is paramount. We place a tremendous value on reputation and authenticity. I highly doubt you would send an anonymous source a large sum of money, for example.
As an aside, we already do this with our legal systems (assuming western ideals). Everyone has the right to face their accuser in a public court. (I appreciate that right has been degraded in certain cases over the last 20 years or so.)
Only in some cases, so that's not a very good argument.
> the role of the government to attribute an action to a source is paramount
It is paramount in, say, the case of a crime. It is not paramount when it's outside the scope of crime or threat of a crime (i.e., outside the scope of initiated violence).
> I highly doubt you would send an anonymous source a large sum of money, for example.
That's true. If I want to send a large sum of money to someone, I know who they are. That's not something I need the government to adjudicate. (I do think the government should prosecute fraud as an initiation of force, though.)
I'd argue in every case where you aren't completely gullible to everything you read or hear.
Anonymous speech is nothing more than rumour. It has little to no positive value.
If you require the identity of a person you would give money to, why then do you not require the same standards of the person whose thought you would entertain?
In practice, you may have things to say that could be damaging to your career, or that may anger powerful interests, or even your government. That doesn't mean these things aren't worth saying. So anonymity allows you to say them without being prosecuted.
(Unless of course you're making a distinction between anonymity and pseudonymity. Pseudonymity is a special case of anonymity, and requires anonymity as a base condition.)
Many things that need to be said for a society to remain free are things that many people really don't want to hear.
Inducing mass cognitive dissonance can be physically dangerous.
Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical minority views . . . Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.
For very good reason, I might add.
In fact, most anonymous speech can safely be discounted as nonsense.
"A defendant in a defamation lawsuit attempted to use this case as a precedent that "sources have the right of anonymous speech under the First Amendment", but in 2011, the New Jersey Supreme Court rejected the argument, distinguishing that case from McIntyre."
Your second link doesn't really pertain to the topic at hand.
Nonetheless, it's an interesting concept that I'm not sure I particularly agree with.
Go on localbitcoins and find people who mail cash for bitcoins, or find somebody on IRC to do it.
Sell them bitcoins, have them mail the cash to SDF for your payment. Now you avoid all the problems of physically mailing something from where you live. It's actually common for people to ask for single US bills in the mail too, for collecting.
I also would edit Torrc file to use semi trusted exit nodes from torservers.net so you aren't using a malicious exit node.
Assuming all transactions will go to one address or come from "traceable" sender addresses is a bit presumptive.
Why not let the users sign up for the service (over Tor or whatever), then generate a bitcoin address for them to send BTC to? Then every transaction has a new address.
Besides that, there are a ton of ways to keep it anonymous using bitcoin.
You could buy BTC with cash of course, but then why not just send the cash direct?
I suppose you could also use washers but I'm not sure how reliable those are.
..I guess what I'm saying is that, lo and behold, Bitcoin might actually eventually work as an 'exchanger asset'; I've already discussed with a friend in the UK the possibility / advantages of using BTC to send cash  to them (bank transfer from this place would cost >= 15 pounds otherwise). They could then use a UK-based BTC exchanger, or -- find a local bitcoin trader (and yes there are some)!
(Also see: ) :)
In any case, I root for SDF, Godspeed you awesome people.
 Well, effectively cash: if both of us were to use local miners/traders, I would be effectively depositing cash, and my friend would be taking the cash out of the system. (See illustration in ) The process could be further abstracted away if my wallet were set up to automatically send all incoming coins to a pre-specified address; that address could be my friend's trader's address where they would be sitting, sipping tea and waiting for the incoming coins, or (if my friend were not to care about anonymity at all) an exchanger's address; the exchanger could be set up to automatically make a local wire transfer (so free / very cheap) to a local UK bank account upon incoming coins; et cetera, et cetera.
 http://en.wikipedia.org/wiki/Hawala ; & a simple image: http://en.wikipedia.org/wiki/File:Hawala.png
edit expanded footnote1, etc.
The easy answer to your question is, Banksy represents that domain. But perhaps he's not so easy to pin down? Still, I'd think the crew involved in Exit Through the Gift Shop might have some leads. Seems solvable, that is.
The real question is whether authorities can find the postal address. They're not going to try of course.
edit: well, unless he was not born in a territory under the authority of the authorities in question, and is an undocumented resident of the territory in question...
Also, for just how imprecise that location would be, see: http://www.fastcoexist.com/1681677/a-new-map-of-the-us-creat...
But the anonymity of the poster and the inviolability of the content are two separate concerns.
Since we only get 1 batch of mail per day, I wonder how ties will be resolved. :)
I wonder what would happen if an international postcard arrives after the winner has been declared with a postmark dated before the winner's date.
Has the person never heard of pastebins and other services that don't require you to sign up in order to post content? If you are concerned about them tracing your IP, that's a different story. You might go to a public computer and hide from all the cameras. In 5 years, when cameras might be more ubiquitous, you will still be able to post via proxies.
At the end of the day, for his claim to be true, EVERY site that lets users post anonymously would have to record the IP of every transaction, maintain a whitelist of IPs from networks that have at least some identity checking or cameras, and ban everyone else. Unlikely!
On a related note, I remember being affected by The Digital Imprimatur document, and doing some serious thinking about the questions of Security, Privacy, Identity and Censorship:
Just a wild guess based on some quick searching
Were you wearing gloves when you handled the dollar bill and the envelope? Did you lick the envelope to seal it?
Also read the comments, there are some nice tips.
Sorry Zimbabwe, you were at the bottom of the "Freedom Index" I looked at.
For parts of the above, she could have been anywhere in Africa, the Middle East or, indeed, the first world.
On top of all that, she also didn't want her parents to know she's got a tattoo and was concerned that her colleagues would be upset that she'd negotiated a higher pay package than them.