How to Start an Anonymous Blog (untraceableblog.com)
153 points by lewisajackson on Jan 28, 2014 | 171 comments

Are you sure you didn't leave your feedburner url in the index source?


Which leads to


(Web Developer and Computer Science Student)

Which leads to the homepage of


Who doesn't design website templates.

Edit: It is wrong, Github search finds the `turkeltaub`


Though here is the github repo link


No, you haven't found him, the blog is using an open source theme and that theme contains the commented out feedburner URL.

The repo: https://github.com/elisehein/Pageturner

The file that URL comes from: https://github.com/elisehein/Pageturner/blob/master/source/_...

Theme demo: http://www.fivetonine.eu/

Hi all, owner of that Feedburner link here.

I made an Octopress theme a long time ago, and it looks like someone forked/used that theme to make their own theme. Source of that specific Feedburner tag is here: https://github.com/eturk/ethan-archive/tree/55a01aaa03398a57...

Whoever first forked it probably just commented out, and then someone used that and so on.

I have to say that it's interesting that you so quickly found that a reference to your theme had made its way on to HN, and on this particular thread. Unless I am missing something obvious?

He has been using HN over 900 days, and this is on the front page -- it's quite possible he simply saw the article and comments just like you and I did.

Nope, got a tweet from @epaga: https://twitter.com/epaga/status/428182592895328256

I did see this article, I just didn't read the comments. No idea that this would be here had it not been for that tweet.

Sure it's possible. But, given that he hadn't commented or submitted on HN in 20+ days 'til now, it just seemed unlikely that he's currently actively delving into submissions/comments to the extent that he'd catch this so quickly.

So, I just found it not so much an "Aha! Busted!" moment, as much as it was noteworthy.

Your comments bring up an amazing point for someone that is wanting to respect their anonymity.

Using anonymity techniques and then intentionally but subtly leaking information that points toward someone you want to frame would likely be tremendously successful.

The target would scream "I'm innocent" as they're dragged off to jail.

<!--<link href="http://feeds.feedburner.com/turkeltaub" rel="alternate" title="Untraceable" type="application/rss+xml" />-->

Why would he do that? Untraceable? EDIT: He just used someone else's source code, that explains it.

You might be on to something, at least both domains are using the same registrar and whois privacy protection service.

Edit: Here is the ssh pubkey: https://github.com/untraceableblog.keys

Yep, that's my SSH public key. And here's my PGP public key: https://gist.github.com/untraceableblog/8683769

Whoops, I should apologize to that guy. Didn't notice the link in the source.

You can skip straight to the Github repo if you searched for the string 'sc_project=9570855' from the stat counter code near the bottom of the html source. First thing I did.

And he/she was using Debian Live to do this as well.

Alright, wasted enough time on this. I'm gonna say it's Turk in Vic.
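A pre-publish check for the two leaks found in this sub-thread (a commented-out feed URL inherited from a theme, and the StatCounter project number in the page source), added here as an illustration and not written by anyone in the thread. The host names, the sample page and the `scan` helper are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# StatCounter's snippet carries the account's project number as sc_project=<digits>.
SC_PROJECT_RE = re.compile(r"\bsc_project\s*=\s*(\d+)")


class LeakScanner(HTMLParser):
    """Collect strings in generated HTML that tie the page to an outside account."""

    def __init__(self, own_hosts):
        super().__init__(convert_charrefs=True)
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (kind, value, line number)
        self._in_script = False

    def _external(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host not in self.own_hosts

    def handle_comment(self, data):
        # Commented-out markup is invisible in the browser but ships to every reader.
        for url in URL_RE.findall(data):
            if self._external(url):
                self.findings.append(("comment-url", url, self.getpos()[0]))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()
        if tag == "link" and "alternate" in rel:
            href = attr.get("href") or ""
            if self._external(href):
                self.findings.append(("feed-link", href, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return  # links in visible text are intentional, not leaks
        start_line = self.getpos()[0]
        for m in SC_PROJECT_RE.finditer(data):
            line = start_line + data.count("\n", 0, m.start())
            self.findings.append(("statcounter-id", m.group(1), line))


def scan(html, own_hosts):
    """Return findings for one generated page; own_hosts are hosts you expect to see."""
    scanner = LeakScanner(own_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a theme's leftover feed link plus an analytics snippet.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
<title>Example blog</title>
<link href="/atom.xml" rel="alternate" type="application/atom+xml">
<!--<link href="http://feeds.example.net/previous-owner" rel="alternate" type="application/rss+xml" />-->
</head>
<body>
<p>Post body. See http://other.example.org/ for details.</p>
<script type="text/javascript">
var sc_project=1234567;
var sc_invisible=1;
</script>
</body>
</html>
"""

if __name__ == "__main__":
    for kind, value, line in scan(SAMPLE_PAGE, {"blog.example"}):
        print(f"line {line}: {kind}: {value}")
```

Run it over every file the static site generator emits, not over the templates, since themes and plugins add markup of their own.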

That is hilarious, and also sad. As in, sad that someone can be so confident but also wrong about their secrecy. Imagine how bad it is for non-technical people with actual things to hide.

While OP's reasoning is sound (though the question of tracing how they spend their donations still remains open), the thing is that however well you started, you don't even get afforded one single mistake you can make.

No matter how small the mistake, if you made it, the cat is out of the bag and you're screwed. No matter whether you notice and correct it - in light of the current spying climate, you can be certain that your mistake was logged somewhere.

There's so many things to keep in mind in order to avoid mistakes, I can't even imagine them all.

Misconfigured your browser to not use tor when posting? Sending the bitcoins donated to you to somebody who gets compromised later? Disconnecting from tor without first logging out of StatCounter and then checking your stats? Plugging your USB-stick into a machine infected with some BIOS malware?

The possibilities are endless and you don't get even a single "extra life" (to use a gaming term). Screw up only once and you're screwed forever.

It's kinda like software security: It has to be perfect. Even if it's mostly perfect and only one single vulnerability exists and is known, you're as screwed as if your software was open like a sieve.

The days of anonymity on the internet are over. Yes, you can build sufficiently high hurdles to guard against most people, but those that really want to know, will know in time.

It's not like your anonymity is one in a billion. In fact, your security habits make you stick out like a flashing red light.

Perfect anonymity: 1 in 7e9

Fluent English speaker: 1 in 7e8

Tor user: 1 in 3e6

Tor user today: 1 in 1e5

Fluent English speaker and Tor user today: 2 in 10,000

Fluent English speaker and Tor user today and accessed both Google Translate and Outlook.com outside Tor today (because Google and Microsoft block Tor exit nodes): 1 in 1,000

All of the above and purchased a Kingston Digital DataTraveler from Amazon in the last year: 1 in 10

sure, there may only be 5,000 fluent English speakers who used Tor today (number seems low, btw), but you and the NSA have no idea (per NSA docs--away from Firefox users) who those people are.

Your logic may have found that needle in the haystack, but we don't even know which haystacks to look in.

And probably bad analogy, b/c not a heavy computer user, but if it took so long to find bin Laden, I'm sure many others (even heavy computer users) could hide for much, much longer.

The real risk, like others have said on this board, is one slip up can ruin you.

Your ISP and law enforcement know what IP addresses are using Tor.


That's how the Harvard bomb threat guy got busted, because his Tor usage was a big flashing red light among non-Tor users.


That's how law enforcement knows what haystacks to search.

And since the OP used his own IP address (didn't go to a coffee shop), that narrows the search by 3 or 4 orders of magnitude.

> Your ISP and law enforcement know what IP addresses are using Tor.

Does anyone have a reasonable estimate on what per cent of Tor entry nodes are known to ISPs, law enforcement, and the NSA?

Around 100% for anyone using the normal Tor browser bundle.

Tor is designed to hide who you are talking to, not the fact that you are using Tor. IPs and other metadata about normal Tor relays are published publicly by the network and are used by the client to build circuits through the network.

There is a special form of hidden entry node called a bridge that is designed for use in censorship-happy countries like China, but using them is a manual process that isn't the default. Traffic through bridges is a very low percentage of overall Tor usage.

Really interesting conversation.

The "one slip up" does appear to be the more common risk today, but I think the reason the NSA wants to archive everything for later analysis is precisely panarky's scenario.

You are right that today it remains a bit difficult, but as time goes on, sheer engineering effort will give us a better set of tools to do this kind of "show me TOR + Outlook + Kingston buyers + Mozilla user agent" queries.

Perhaps we're looking at this problem the wrong way. What if, instead of trying to hide our activity online we drown our signal in noise; make activity logs worthless.

For example instead of everyone having a unique email address, why not have shared email accounts with many hundreds of thousands of people, but where messages meant for you are encrypted with your public key. Your email client will attempt to decrypt all messages the account receives but will only succeed with yours.

Or for making a blog post, rather than publishing on one single server / blog domain, why not post to hundreds or thousands of different blogs at once, using all kinds of different IP addresses. Perhaps even have other people that blindly post for you (mechanical turk/crowd sourcing)

Perhaps the meta level idea here is if we want to restore privacy, we need to sacrifice our individual identity (my email address, my blog, my phone) and lose ourselves in the crowd

I did not have any problems accessing Google Translate and Outlook.com while connected to Tor.

But yes, I fucked up and posted a USB drive similar to the one that I've ordered from Amazon in the last year.

You're calculating as if these are independent.

Your argument has two parts: 1. Ensuring one's online privacy is hard. Very hard. 2. Because of this premise, the days of anonymity are over.

I take issue with the second point. It reflects a common post-NSA scandal sentiment, which is that we should throw up our hands and give up because security is hard and spy agencies are brazen.

Like invasions of privacy, rape, murder, bank robberies and traffic accidents will inevitably occur, no matter how hard we and our communities establish defenses against them.

Yet we keep trying to confront these serious societal problems, year after year, and if we can help or save just one individual, the effort has been worthwhile.

So, let's focus on gradually improving our security through action and education. It's time to do away with the spirit of apathy and hopelessness that is starting to pervade discussions about online privacy.

> "Like invasions of privacy, rape, murder, bank robberies and traffic accidents will inevitably occur, no matter how hard we and our communities establish defenses against them."

The crucial difference between invasions of privacy and the rest of your list is that strong deterrents exist for the latter part of your list. Even if you ignore the legal consequences of rape, murder, and bank robberies, all expose you to the risk of violence in response to your actions. Traffic accidents are by definition both unintentional and unexpected, whereas most invasions of privacy are not.

These things have all been minimized to societally acceptable levels because of specific deterrents that are in play. Presently, there are few deterrents to both public and private invasions of privacy by large companies or institutions. Until strong deterrents exist, the violations will continue. This is why a few changed rules at the NSA and a slap on the wrist for senior intelligence officials won't prevent privacy violations in the long term. Until jail sentences start getting handed out that are comparable to those for robbing banks, large institutions will continue collecting troves of data and using it to rob people of their privacy.

The main point I take away from your comment is that the fights against rape, murder and bank robberies are more mature than the fight against invasion of privacy.

A look back in time reveals that the deterrents against these violent crimes have been established gradually, through education, civil organizing and political lobbying. For example, contrast the perceived consequences of rape in the 1940s with those in 2014.

The United States has also made considerable strides toward the right to privacy. For example:

- Weeks vs. United States, establishing Americans' right against unreasonable search and seizure
- Lawrence vs. Virginia, which reinforced couples' rights to privacy concerning sexual conduct
- Griswold vs. Connecticut, which solidified the right to marital privacy.

I don't dispute that protecting personal privacy is hard. Nor do I dispute the fact that agencies such as the NSA have cast an ominous shadow on the United States' hard-won victories in the privacy arena.

But American history is full of victories concerning privacy, some of which seemed far-fetched in their times. The silver lining of the NSA scandal is that it made everyday Americans more aware of privacy issues. That awareness should be leveraged in a positive way, to demand accountability and build on deterrents against snooping.

Protecting your privacy is literally impossible. People will squirm, people will say they do it, but none of it is true. People just hate to not be in control, and so they'll justify their inane behaviors as "protecting my privacy!" when in reality, there is literally no successful known way to do such a thing.

If there were a successful way to protect information, it'd be known and used.

But there isn't. All you can do is make it harder. It's not apathy, it's reality.

I protect my privacy dozens of times every day: closing my blinds, signing out my email account, encrypting some personal documents, locking my car doors.

This is not to say that a government agency couldn't crack my encryption, or break into my car, but I take small reasonable steps to protect my property and information.

Protecting and guaranteeing beyond a doubt are two distinct concepts. When people create a false dichotomy between these things, they give themselves a license to not even try.

That's, almost literally, what I just said.

From a technical perspective, if you were lurking just inside a black hole's event horizon you would be completely anonymous. :)

"the days of anonymity are over"

Are they over for the NSA? No. That's what should change.

So it's simple... Don't screw up and the days of anonymity on the internet are not over. The fact that it's possible should make us all happy: now we have a very low-level techy-only solution to anonymity. Like all low-level techy-only solutions, this can be built upon to make more general-purpose solutions and hey-presto - we're back in the game!

> So it's simple... Don't screw up and the days of anonymity on the internet are not over

Simple isn't the same thing as easy.

It is if you automate it.

Tl;Dr. OpSec is hard. Like really hard. So hard you'll mess it up given enough chances.

That's what really excited me about this challenge. I heard about how DPR got caught from a StackOverflow login, and I wanted to see how difficult it would be to maintain anonymity.

It turns out that it's really fucking difficult. Also, it kind of sucks that I couldn't talk to any of my coworkers about being on the front page of Hacker News!

It's not about being perfect. It's about costs. If de-anonymizing you is prohibitively expensive, no one will do it without a very good reason. Problem is, it's becoming increasingly cheap, because most technologies we use these days are built with blatant disregard for privacy issues. Modern Web is designed to track you and it leaks your personal information left and right in the process of tracking. If we improve the technologies, the costs will shift.

It's a waste of time.

If you're doing something illegal that will attract serious attention from competent police, you are dumb for using electronic communication to do it. Smart mobsters did their business face to face in the 1950's. Smart street-level drug dealers use proxies (kids, grandparents, etc) to conduct transactions.

If it's just an exercise in screwing around looking for theoretical security, nobody cares. Best case, you're wasting time better spent elsewhere. Worst case, you're going to get in trouble for laundering money via bitcoin.

If you're a leaker, etc. You'd have better security printing and mailing cash to people. Mail content is protected legally and requires a warrant to open. If you insist on using technology, print a GPG-encrypted letter in an easily OCRable font.

The answer is not trying to protect ourselves. That's a losing and lost battle. We should try to tear down anonymity, hiding and protection of the powers that be.

..Make Obama, and any "Obama", wear a cam and mic, open all the time, connected to the inet. Make all bank accounts and transfers of everybody (corps included, of course), open to see to anyone.

..The above of course is extreme and won't happen. But that's the direction we should aim for. Not protect ourselves. We lost already. Open up the opponent.

I know you're being hyperbolic, but an economy where every transaction is public and searchable would be AMAZING.

You think a free market is efficient at allocating resources? What about a free market with perfect information for all players? It changes from poker to chess, deception is no longer a valid strategy.

I'm all for that.

Finally someone who gets it! I've been saying this for ever. Our society is moving to one with fewer and fewer secrets.

When Facebook pushes privacy concerns, it's actually just reflecting our new reality and trying to stay relevant.

The "issue" that we will be coming up against is that people need time to adjust and to be honest, people aren't used to knowing everything about each other.

To give an absurd example for the purposes of illustration: If your boss finds out that you like to cross dress on the weekend it may reflect poorly on you. In reality this is simply b/c he knows something unusual about you and your coworkers continue to look "normal" in his eyes. If he knows that you crossdress, Jeff likes to be tied up, and Bob's wife is a tranny then it no longer becomes a big deal.

The same goes for more sensitive things, like the amount of women that have abortions, or miscarriages, or people that have mental disabilities or are on antidepressants, or do hard drugs in their spare time. We shield ourselves from certain things to the point where when we get exposed to them we don't react appropriately b/c we have no reference point.

The reason Obama wouldn't be okay with a mic is mostly because no president before him has had a mic. So if he cusses out other world leaders on the daily, he'll look like a grade A asshole - regardless of whether or not other presidents have done it.

While I believe that any presidential person in power including his staff is mainly interested in their own protection, they are also partially aligned with my protection.

The degree at which they oppose me or protect me is unknown by me, but for the most part I believe they are protecting me, not for me, but because I naturally align with them.

Now, if you are not an American, their interests are much less aligned with yours. In that case, I agree.

For example, I would appreciate if all foreign government officials had all their emails, phone calls etc. open, but would like to protect my officials.

Hypocritical? I don't think so, it's basically a matter of wanting the people with alignment to me to continue having power.

"I believe that any presidential person in power [..] they are also partially aligned with my protection"

Citation needed? If you were, e.g., a Google employee at the time of wage fixing, would you think it cared about you, 'cause "you had aligned interests"? Maybe you should question what your interests are, and what those of the politicians and mega corps are.

Call me cynical, but they care for your protection, as much, and for the same reasons, as the kings used to "care" about their serfs.

"The degree at which they oppose me or protect me is unknown by me, but for the most part I believe they are protecting me"

Stockholm syndrome? Sad love story? You (us) being played, manipulated and exploited?

Here's how I'd improve the security.

1) Forget USB drives, they are a nightmare. In fact, forget any writable medium. Get an old laptop and take out the HD. Boot it from a live CD. Use only this machine to edit your blog.

2) Make your passwords complex and write them down on a piece of paper hidden somewhere. Don't host them in any digital form anywhere. You're much more likely to screw up the digital stuff than get pipe-wrenched.

3) Forget bitcoin or any other funding mechanism. Just pay for your computer yourself and use a free blog hosting company. Don't buy a domain, just use domain.wordpress.com or whatever. Don't let money touch the blog at all ever.

4) Don't collect stats on your blog. What do you need them for?

5) Do all your posting from public WiFi points like coffee shops. (Buy your coffee with cash.)

To go deeper, consider the pattern of your traceable activities. Don't deny who you obviously are. For instance if you see one of your blog posts on Reddit, HN, Facebook, etc., click through and read it from your regular computer. After all it is probably a topic that you're demonstrably interested in, and the point is to pretend that you've never seen that post before.

6) if you go to a public WiFi point, leave your phone at home.

7) On the way there do not fill up at a gas station, do not use the subway with an identifying pass.

8) Thwart cameras, try to disguise yourself, but in an inconspicuous manner.

I'd amend 5 to use a Pringles wifi antenna, so you don't even have to go in the shop to use their wifi.

1, 2, 3 agree absolutely. As popular as computers are becoming, just keeping data in a physical form makes it a less obvious target, and easier to hide/dispose of.

Great points. I would definitely do something like this if my life were on the line, or I needed to leak something about my government, for example.

But the convenience of Tails persistence is really tempting. I can just unlock it with a really long master password, and have access to my SSH keys, passwords (Keepass), Electrum bitcoin wallet, packages, source code, etc.

But yes indeed, a live CD, a simple blog hosted on Wordpress or Tumblr, random MAC address, and Tor on coffee shop Wifi over a long-range antenna would provide almost guaranteed security.

P.S. It's no fun without stats. 25,000 page views is a success, I think! And $25 USD in bitcoin donations. Now I just need to work on anonymously converting or spending them.

Wouldn't #5 let attackers narrow you down to your city?

This is probably where Tor would come in handy. Onion route to somewhere in Thailand or somewhere.

Yup, I did not mean to exclude Tor with my suggestions above.

mac address changer, or else you're broadcasting to every other wifi enabled device the machine you're using. I'd say a laptop that has a physical switch to disengage the antenna, but I have no idea if those actually work.

> if I wrote a series of blog posts in the coming years, you could maybe analyze timestamps to determine my time zone. However, the compiled site shows only the date

When I set up a pseudonym GitHub, I was shocked to find a script that linked the two accounts. The first giveaway is using the same languages. Not as much of a problem with a blog. The second was commit patterns and timestamps.

This is the blog's commits, where you can find an e-mail and timestamps: https://github.com/untraceableblog/untraceableblog.github.io... You know the timestamps are accurate because Tor needs a valid system clock to keep a good connection.

Solution: I developed a gem 'GitFog' to randomly backdate my commits up to 48 hours in the past. More about that here: https://github.com/msjoinder/gitfog/

> You know the timestamps are accurate because Tor needs a valid system clock to keep a good connection.

No, you suspect they're accurate, but you have no way of knowing whether the author was connected to Tor when the commits were made.

That said, GitFog sounds like a useful tool!

I came here to say basically the same thing. If the author uses your gem, the timezone/active timeperiod identification route is greatly lessened.

I actually think the combination of a custom domain and Github makes it much more likely he'll be discovered. Buying a domain means transacting bitcoin, which as others have pointed out, is not foolproof. And Github actually provide plots which make estimating the timezone easy... https://github.com/untraceableblog/untraceableblog.github.io...
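A self-audit of what commit metadata gives away, covering the points raised in this sub-thread (recorded UTC offsets and the hours in which commits cluster). This is an added example, not code from GitFog or from any commenter; the commit ids and timestamps are constructed, and the input format assumed is the output of `git log --format='%h %aI'` run on your own repository before pushing.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def parse_log(lines):
    """Parse '<id> <ISO 8601 author date>' lines into (id, aware datetime) pairs."""
    commits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        commit_id, stamp = line.split(maxsplit=1)
        commits.append((commit_id, datetime.fromisoformat(stamp)))
    return commits


def longest_quiet_window(active_hours):
    """Return (start_hour, length) of the longest circular run of UTC hours
    in which no commit was made. A long, stable gap hints at sleeping hours."""
    if not active_hours:
        return (0, 24)
    best = (0, 0)
    for start in range(24):
        # A run begins at an idle hour that directly follows an active one.
        if start in active_hours or (start - 1) % 24 not in active_hours:
            continue
        length = 0
        while (start + length) % 24 not in active_hours:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def audit(lines):
    commits = parse_log(lines)
    # The offset is stored verbatim in every commit: a direct time-zone disclosure.
    offsets = Counter(dt.strftime("%z") for _, dt in commits)
    non_utc = [cid for cid, dt in commits if dt.utcoffset() != timedelta(0)]
    # Even with the offset forced to +0000, the hour-of-day pattern remains.
    utc_hours = Counter(dt.astimezone(timezone.utc).hour for _, dt in commits)
    return {
        "offsets": dict(offsets),
        "non_utc_commits": non_utc,
        "active_utc_hours": sorted(utc_hours),
        "quiet_window": longest_quiet_window(set(utc_hours)),
    }


# Constructed sample log: two early commits carry a local +01:00 offset.
SAMPLE_LOG = """\
1a2b3c4 2014-01-20T19:05:11+01:00
2b3c4d5 2014-01-21T20:40:02+01:00
3c4d5e6 2014-01-23T20:15:40+00:00
4d5e6f7 2014-01-25T21:55:09+00:00
5e6f7a8 2014-01-26T22:30:00+00:00
6f7a8b9 2014-01-27T07:10:27+00:00
""".splitlines()

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Git also records a separate committer date (`%cI`), which needs the same check; both dates can be set explicitly through the `GIT_AUTHOR_DATE` and `GIT_COMMITTER_DATE` environment variables.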

Bitcoin blockchain is public and can be partially de-anonymized.

Everybody will see addresses where you spend your donated bitcoins:


Similarly anybody who receives bitcoins spent by IT Itch will be able to see addresses where they got bitcoins from, and that may include bitcoin address of the person you bought bitcoins from.

I guess that mass blockchain de-anonymization may be a big business (or NSA side-project) in the future, so I suggest "laundering" bitcoins for anonymity too (find somebody who will swap wallets with you, so you get coins with completely irrelevant history and no trace of that swap in the blockchain).

I don't think bitcoin is a good choice for anonymity when you're only paying $15. The anonymity comes from the in-person cash transaction, hoping that they don't remember you if pressed.

You could just buy a prepaid visa in cash at the grocery store, for a similar amount of anonymity. Wear a hat and a scarf.

Not true. That purchase will lead back to the store you bought it from. Which could be a problem.

>find somebody who will swap wallets with you, so you get coins with completely irrelevant history and no trace of that swap in the blockchain

Or use a BTC mixer.

True, but allowing people to use BTC mixers is probably illegal. Even using one is probably illegal.

Yeah, exactly what jurisdiction are you talking about?

As he said in the post he got his bitcoins face to face. Unless the person he met knew him, knowing the blockchain is useless.

You are never leaking less than you think. There is information in the bitcoin chain. It is not likely to be useful without pairing it with other information (and there are ways to make that harder), but I'd be more than hesitant to say "useless" - and certainly leery of betting my freedom or significant amounts of my privacy on it. That said, it is clearly better against at least some threats than other available payment systems, in terms of anonymity.

For that side of the transaction, sure. But one day he'll probably move those coins around, and he'll have to be careful not to be traced there too.

What stops him from selling his bitcoins for cash the same way he got them, face-to-face?

If you're referencing a CDN for your javascript, chances are somebody at your CDN provider can match your identity up against other data. For instance, since he's serving jquery from a Google CDN, couldn't Google match the call to load JQuery from an administrative page on his blog with an IP address to his GMail account (assuming he has one)?

It's a static blog so I'm guessing no administrative page? Either way, when interacting with the blog, he uses Tails which means all outside connections go through Tor. And he explicitly writes about not creating a GMail account because Google requires phone verification.

But even if they did all that, they'd learn that the author of Untraceableblog.com uses Tor which is what he wrote he does.

No that wouldn't work at all. You could thwart this just with an incognito browser and plugins disabled.

How does an incognito browser hide your IP address?

I thought tor was assumed. I meant with an incognito/private browser while using tor.

What about your browser's "signature"? I know this tool's veracity has been debated, but your web browser is still very "leaky" even in incognito mode.


I would probably try to track down the bitcoin used to purchase the URL. It might be anonymous to buy, but certainly the seller might not be as careful as the blog author. If the seller could be tracked down, then you would have a good idea of which city the person lived in.

Then, if you really cared, you could set up malicious Tor nodes in hopes of getting traffic from that particular user. I only have a superficial knowledge of the Tor protocol, but I imagine if you set up a malicious first Tor node (a node that takes the initial incoming request from a Tor browser), you could track all the IP addresses, and mark any of them coming from that particular city. You wouldn't know what the person was seeing, but I imagine you could tell if there was activity on that particular IP address.

From there, you could do some sort of analysis on the blog, and see if any updates correlate to traffic you see from that city based in the IP addresses that had activity at that particular time. Since the US has about 400k users in total, I would harbor a guess that maybe the top city might have 100k users max, and then if you could whittle down based on time, you should be able to narrow it down to 100 users. Then you start knocking on doors.

The luxury organizations like the government have is that they can take their time and wait for you to make a mistake.

Forgive me for being potentially obvious, but can't you trace every single bitcoin transaction ever?

So you can go from:

Domain seller -> "Anonymous persons bitcoin address" -> Bitcoin address of the person who sold him those BTC.

You then find that person (as i'm pretty sure they're not so focused on anonymity) and wrench-attack a description of this guy and location + time of the meet from him (and also the e-mail he sent to arrange it -- tone, etc).

CCTV camera footage of the meet/people in that area at the time, etc. Home and dry.

Not if he uses a mixer to pay you the bitcoins, no.

Blockchain.info has a fantastic almost-free one.

Yeah, maybe he should buy the BTC when vacationing in Venezuela.

> One problem is that Google can see my original messages, and the NSA can probably see them too. If I wanted to avoid it, I could post some anonymous translation jobs and pay the translators via Bitcoin.

Wouldn't this then make it almost trivial for Google or the NSA to find you with textual analysis by matching what is pasted in translate with any other writing sample you've done? So the OP isn't really concerned about anonymity from Google or NSA at all... amiright?

I don't think identifying someone via textual analysis of a few hundred words is "almost trivial". In fact it seems really, really difficult...suppose you were the NSA and had obtained this sample from Google. Where would you start?

I'd ask Google what the IP address was that accessed the analytic page

The author of the 2008 Bitcoin whitepaper was identified through textual analysis of his writing. JK Rowling was also identified as the author of a pseudonymously published novel using the same methods.

One important step towards real anonymity would be to completely anonymize your writing style. Make sure the distribution of stop words in your writing is absolutely banal. Make sure to not use your favorite expressions, that can be found in your previous writing. Etc. Algorithmically measure your style before posting, and make sure it is non-identifiable.

JK Rowling analysis was post-facto, she wasn't outed by the analysis, the leak came from her lawyer's wife [1].

The analysis added weight to that revelation but it wasn't enough in itself to confirm it for sure.


I'm guessing it's now her ex-lawyer's wife.

> The author of the 2008 Bitcoin whitepaper was identified through textual analysis of his writing.

Actually, that's incorrect. Nick Szabo is a candidate to be Satoshi Nakamoto, but the post claiming to use stylometry to out him is garbage. Gwern (who is no stranger to stylometry[1]) explains: http://www.reddit.com/r/Bitcoin/comments/1ruluz/satoshi_naka...

Stylometry was only used on JK Rowling after a tip-off from an anonymous source. Even then, it's not clear how useful it was in outing the author. Tools and algorithms are getting better, but even modern stylometric methods will give you false positives on a large corpus. People simply aren't that unique.

1. http://www.gwern.net/Death%20Note%20script#stylometrics

"The author of the 2008 Bitcoin whitepaper was identified through textual analysis of his writing."

wait, what?

> https://likeinamirror.wordpress.com/2013/12/01/satoshi-nakam...

Seems possible, although the textual analysis seems a bit weak. Combined with everything else it's quite convincing.

No. The analysis is complete bullshit, although you'd never know because he still hasn't approved any of the many critical comments left on the post. For example, http://www.reddit.com/r/Bitcoin/comments/1ruluz/satoshi_naka...

I don't think that your suggestions are reasonable. The most memorable phrases we use are also linked to our understanding of certain specific concepts, on a quite personal level. Essentially, you would be forced to generalize everything, and could be left only writing banal youtube-style comments rather than anything reflecting your best attempt at getting your thoughts down. At that rate, why bother writing?

I think better protection is simply not to publish much under any alias. If there isn't a large body of text, an alias writing a few thoughts on one or two issues can't really be mined.

He says he uses google translate to cycle through two languages and then spellcheck the result in order to avoid that.

That means Google Translate has a copy of his original and modified texts. Long shot, but still a liability.

Nick Szabo is probably also a pseudonym. There is no reference to him on the net made by a reliable known person. I couldn't find anything about Nick Szabo apart from what he posted himself. Also, no pictures or connection to his George Washington University.

The author briefly touches upon this under the section 'Word and character frequency analysis', but I'm not sure this would really help with writing style?

I had a thought for if I ever wanted to write something completely anonymously: run the text through google translate and back. That should hopefully butcher all identifying features of the text.

edit: oops, should have read the whole post.

That's exactly what the author did here...

Use Jstylo/Anonymouth instead, they know all about the translate trick plus google had the original

Oh, do we know who Satoshi is? Because I missed that.

Too complicated. Just search for hosting companies that offer free plans with basic wordpress hosting.

Then use Tor to register and manage it. The only catch - you'd have to use their domain, like:


But who cares - you can get your free, fully anon place to throw up :)

But do any of them take bitcoin?

"Free hosting plan" means it will cost zero (0.00000000) bitcoins.

All of them accept it.

This is fascinating, and rather scary that it's this hard to publish something on the internet anonymously, and not even be guaranteed that the NSA couldn't find you if they really wanted to.

It's not though. Anyone can fire up Tor and create a pastebin document.

It's only this hard if you want to pay for publishing things online. You can just paste to pastebin or a github gist over tor for free and not have to do any of this.

Is the "ref" portion of the Amazon url for the USB drive traceable?

If so, it's also found on this forum, posted by "turk", in reference to a different USB drive make/model.


(Looks like the comment was edited to use a different link, but the original was quoted in the next comment down)

You're probably thinking of "tag". The "ref" parameter doesn't have anything to do with Amazon's affiliate program (which is what I understand you're talking about).

Yup. zgbs is the correlator for "Best Sellers", and 3151491 seems to be thumb drives.


The fact that he admits to providing false domain registration information on a .com domain is enough to have his domain revoked by ICANN if I am not mistaken.

The hidden encrypted partition might make things worse for everyone: https://defuse.ca/truecrypt-plausible-deniability-useless-by...

They'll just keep hitting you with the wrench until you give them the second password. Sucks if you don't actually have a second encrypted partition.

Does Truecrypt have the capability to provide a password that ruins the secret? You could give your tormentors a password that once used deletes or makes the protected content permanently inaccessible and yeah they'll still beat you to death, but now they can never have what they wanted from you.

If it had, the tormentors would just back up the drive before attempting to access the data.

Good point, that would totally circumvent this, and a read-only system would too.

No, only if they then put a load of files into the opened partition. Which would be stupid.

You can't have this sort of thing because it is easily circumvented by opening the encrypted volume on a read-only disk.

While such a scheme would be possible using quantum cryptography, it is not possible with truecrypt, no.

Or alternately, unencrypts only portions of the drive leaving the rest hidden.

I don't think that's possible.

Contrary to the downvote and claim of implausibility, steganography does exactly that. A partition could easily contain extraneous data which could be used to hide and encrypt a message.

What they neglect to consider is that for the vast majority of truecrypt users, the government will not investigate their computer at all. In this case, it is a better strategy not to use a hidden volume, since it is more work. And most people will always choose the easy way.

Actually, even if you don't want to use a hidden volume, according to game theory the correct solution is for the user to always have a second volume and for law enforcement to continue torturing the user until they divulge their second volume (or die)

I haven't used Truecrypt, but couldn't you create a hidden volume within the hidden volume within the hidden volume?

Truecrypt is limited to one hidden volume, but maybe there's other software that can do more.

The key things I would add are:

- buy a new laptop that has never been used to sign into any services that know your true identity

- get rid of the camera and microphone

- never connect to the internet from your own network or locations you frequent

- rotate randomly through public wifi spots and use a long range wifi antenna whenever possible

- obsessively monitor your network traffic so you know if your true IP is ever compromised so you can change your behavior in time

> counter this by running all my posts through Google Translate.

This is smart, except... Google presumably records your translations, likely linking them with your Google account (and - even if not - could easily look up which translations led to your blog).

So, textual analysis is not quite dead, and you may have given away your anonymity by taking this measure.

What if, instead, you limited yourself to some number of the most common English words?

One idea might be to spell check your writing using a modified English (simple) dictionary. This modified dictionary would only contain the most common and simplest English words, allowing you to easily prune out words that would reveal your fluency in the language.

Question 1): What's the difference between using Tor and http://www.hidemyass.com/proxy/ 's Pro VPN option?

Question 2): Can't you buy a domain name and hosting using https://www.nearlyfreespeech.net/about/mailing and mailing in an anonymous cashier's check / postal money order?

Question 3): Why not just (using Tor/VPN/Proxy) sign up for a Tumblr or Wordpress Blog anonymously and only logging in or editing the blog when using Tor/Proxy/VPN?

Where there is a need and a poor solution, there is an opportunity for a startup. Anyone want to join up and contemplate starting "TABlog" Truly Anonymous Blogging platform?

1) Trust. I trust the Tor developers and nodes much more than HideMyAss, which is a single point of failure.

2) Looks like a good suggestion, I'll have to check that out if I ever start a Tor hidden service.

3) The main factors are having control over the HTML, and differentiating the site from just another wordpress blog. Anyone can start a Wordpress blog using Tor, and that wouldn't make a very interesting blog post.

This was done mostly as an exercise and experiment. If the goal were just to publish sensitive articles, I would use a free blogging platform.

PS: I agree with blockchain bummer - it's actually much harder to anonymize the fact of your bitcoin ownership and much easier to trace illicit bitcoin purchase back to you, than most people think.

Another idea would be to start a service which accepts blog posts through snail mail. The service asks that you add a unique string of numbers and letters to identify yourself to the service. Someone on the other end simply OCRs your blog post letter and posts it under the requested pseudonym which also matches the secret unique identifier. It's a simple username/password authentication via mail in each post.

Just don't add a return address and you're solid.

Googling "untraceableblog" shows there is a tumblr with the same name:


Whilst this may be nothing and I'm sure he/she wouldn't leave a trail like this, I thought it worth noting. This tumblr user has gone out of their way recently to delete all of their past posts (even those made last month) and leave just one.

problem is your local isp sees you using Tor, so have to run tails in a VM and on the host tunnel all traffic through Jondo or something.

Lots of people use Tor, that doesn't tell them much.

The student who made a fake bomb threat at Harvard was tracked down because he used Tor on campus.

He was what, one of six who was using Tor at the time and cracked almost instantly when questioned.

One of six is pretty damn good, and that is before you even consider other factors (such as, how many of those six had a final in one of those buildings at that time.)

That was a lucky guess on Harvard/Police's part. If his local ISP suspected the admin of the blog was on their network (why would they?) then Tor access might help narrow down.

Just like if you're the only person in a country using Tor, writing about stuff internal to that country, yeah, they might notice.

In the Harvard case, as far as we know, they went to everyone running Tor and this kid freaked out immediately and it was case closed. If he had insisted on his rights and not talked about it, or provided another plausible reason (assuming he didn't leave evidence on his computer), they'd have had no solid leads. Or if he had used another network that wasn't Harvard's.

got you! Mr Lewis A Jackson!

Hah, I was thinking the exact same thing. Hopefully he didn't mess up the easiest part.

It wasn't me haha, I just found the article interesting

More relevant: where did you find the article?

What is this a reference to?

The user that submitted the article.

Oh funny.

why not a 2 part blog - accept scanned or mailed in documents. Scan it in and post as blog. Now you will be truly anonymous.

I tried building something similar with http://valleyanon.com/ but for whatever reason, it never caught on. I don't know if people _really_ care about anonymity enough to consider it as a separate service.

It's definitely an interesting case. There's a general problem online nowadays, of enabling people to host truly anonymous information - allowing them to be free to protest.

Personally, I hope his/her posting sparks a conversation about internet anonymity, or the lack thereof.

Protest where?

There are no public grounds on the Internet. Even if there were, there aren't any public ways to get to those public grounds.


% This is the RIPE Database query service.

% The objects are in RPSL format.

% % The RIPE Database is subject to Terms and Conditions.

% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.

% To receive output for a database update, use the "-B" flag.

% Information related to ' -'

% Abuse contact for ' -' is 'abuse@fastly.com'

inetnum: -

netname: FASTLY-EU-IPV4-2

descr: Fastly Frankfurt 1 Operations

country: de

admin-c: AB28187-RIPE

tech-c: AB28187-RIPE


mnt-by: FASTLY

source: RIPE # Filtered

person: Artur Bergman

address: 501 Folsom St.

address: San Francisco CA

phone: +1.415.568.8829

nic-hdl: AB28187-RIPE

mnt-by: FASTLY

source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.70.1 (WHOIS1)

Dave's always doing this, and he always gets uncovered. Knock it off, Dave.


I think you could run through translation software (like English -> French -> English) in order to 'anonymise' your style. You'd still have to correct where the translator went wrong (which could leak some information on your style), and the writing style would be awkward, but it should protect you from textual analysis I guess. EDIT: well, there is a section about it in the post. That will learn me to read the comment first ;)

Did you read the article? He claims to have run it through a translator to and from a few languages to protect against this.

http://www.darklogs.com which uses bitmessage may be a significantly safer anonymous blogging service.

I hope you bought your laptop with cash, far away from home.

Would it be better to use namecoin for the domain name?

Probably, and since untraceableblog.bit already points to his host's IP address, all that's needed is for him to configure that domain on the github side (and probably also untraceableblog.bit.pe for folks without .bit resolution).

What does the .bit.pe address do?

It's just a proxy for the .bit domain since most users cannot access .bit sites directly (not yet anyway).

For example, if you cannot access http://explorer.bit then you can just add .pe to the URL and access http://explorer.bit.pe

So someone in the namecoin project registered bit.pe?

And they just have a server running that passes the requests through?

Not sure who did it, but yes.

Here's how I'd trace him:

1) get access to the request logs of third-party includes on his page

2) look for requests made just before the page is published publicly

All requests are made through Tor. The Tails OS is configured to allow absolutely nothing through the clear internet.

I can't imagine that using Microsoft's outlook.com email service is the best avenue to anonymize one's blog posts.

Interestingly enough, outlook.com is the only free email service that let me sign up over Tor. I access it securely, and it's just for verification purposes. Every service needs an email address.

At least, his email is visible in every commit:

> untraceableblog@outlook.com

Aren't the NSA a huge investor in TOR? ... I get what OP is trying to do, but in reality, since you're still using other people's pipes and fibre, you will never reach true anonymity, no matter what you try...

Unless your name actually is Lewis A. Jackson

Jason, I know it's you.

Your username on HN is not so anonymous, Jackson Lewis.

why not just post to github pages with github.io domain?

He/She/They are actually using github pages, but with a custom domain.

af3's point is that you can avoid the risk of assuming bitcoin is anonymous by not buying a domain name at all...


Or pastebin...

Guy's European, possibly British.

Random guess based on "couldn't be fucked" and "you might have assumed that English was my second language".

Also, the guy the author met could ID the author.
