Which leads to
(Web Developer and Computer Science Student)
Which leads to the homepage of
Who doesn't design website templates.
Edit: It is wrong, Github search finds the `turkeltaub`
Though here is the github repo link
The repo: https://github.com/elisehein/Pageturner
The file that URL comes from: https://github.com/elisehein/Pageturner/blob/master/source/_...
Theme demo: http://www.fivetonine.eu/
I made an Octopress theme a long time ago, and it looks like someone forked/used that theme to make their own theme. Source of that specific Feedburner tag is here: https://github.com/eturk/ethan-archive/tree/55a01aaa03398a57...
Whoever first forked it probably just commented out, and then someone used that and so on.
I did see this article, I just didn't read the comments. No idea that this would be here had it not been for that tweet.
So, I just found it not so much an "Aha! Busted!" moment, as much as it was noteworthy.
Using anonymity techniques and then intentionally but subtly leaking information that points toward someone you want to frame would likely be tremendously successful.
The target would scream "I'm innocent" as they're dragged off to jail.
Why would he do that? Untraceable?
EDIT: He just used someone else's source code, that explains it.
Edit: Here is the ssh pubkey: https://github.com/untraceableblog.keys
And he/she was using Debian Live to do this as well.
Alright, wasted enough time on this. I'm gonna say it's Turk in Vic.
No matter how small the mistake, if you made it, the cat is out of the bag and you're screwed. No matter whether you notice and correct it - in light of the current spying climate, you can be certain that your mistake was logged somewhere.
There's so many things to keep in mind in order to avoid mistakes, I can't even imagine them all.
Misconfigured your browser to not use tor when posting? Sending the bitcoins donated to you to somebody who gets compromised later? Disconnecting from tor without first logging out of StatCounter and then checking your stats? Plugging your USB-stick into a machine infected with some BIOS malware?
The possibilities are endless and you don't get even a single "extra life" (to use a gaming term). Screw up only once and you're screwed forever.
It's kinda like software security: It has to be perfect. Even if it's mostly perfect and only one single vulnerability exists and is known, you're as screwed as if your software was open like a sieve.
The days of anonymity on the internet are over. Yes, you can build sufficiently high hurdles to guard against most people, but those that really want to know, will know in time.
Perfect anonymity: 1 in 7e9
Fluent English speaker: 1 in 7e8
Tor user: 1 in 3e6
Tor user today: 1 in 1e5
Fluent English speaker and Tor user today: 2 in 10,000
Fluent English speaker and Tor user today and accessed both Google Translate and Outlook.com outside Tor today (because Google and Microsoft block Tor exit nodes): 1 in 1,000
All of the above and purchased a Kingston Digital DataTraveler from Amazon in the last year: 1 in 10
Your logic may have found that needle in the haystack, but we don't even know which haystacks to look in.
And probably bad analogy, b/c not a heavy computer user, but if it took so long to find bin Laden, I'm sure many others (even heavy computer users) could hide for much, much longer.
The real risk, like others have said on this board, is one slip up can ruin you.
That's how the Harvard bomb threat guy got busted, because his Tor usage was a big flashing red light among non-Tor users.
That's how law enforcement knows what haystacks to search.
And since the OP used his own IP address (didn't go to a coffee shop), that narrows the search by 3 or 4 orders of magnitude.
Does anyone have a reasonable estimate on what per cent of Tor entry nodes are known to ISPs, law enforcement, and the NSA?
Tor is designed to hide who you are talking to, not the fact that you are using Tor. IPs and other metadata about normal Tor relays are published publicly by the network and are used by the client to build circuits through the network.
There is a special form of hidden entry node called a bridge that is designed for use in censorship-happy countries like China, but using them is a manual process that isn't the default. Traffic through bridges is a very low percentage of overall Tor usage.
The "one slip up" does appear to be the more common risk today, but I think the reason the NSA wants to archive everything for later analysis is precisely panarky's scenario.
You are right that today it remains a bit difficult, but as time goes on, sheer engineering effort will give us a better set of tools to do this kind of "show me TOR + Outlook + Kingston buyers + Mozilla user agent" queries.
For example instead of everyone having a unique email address, why not have shared email accounts with many hundreds of thousands of people, but where messages meant for you are encrypted with your public key. Your email client will attempt to decrypt all messages the account receives but will only succeed with yours.
Or for making a blog post, rather than publishing on one single server / blog domain, why not post to hundreds or thousands of different blogs at once, using all kinds of different IP addresses. Perhaps even have other people that blindly post for you (mechanical turk/crowd sourcing)
Perhaps the meta level idea here is if we want to restore privacy, we need to sacrifice our individual identity (my email address, my blog, my phone) and lose ourselves in the crowd
But yes, I fucked up and posted a USB drive similar to the one that I've ordered from Amazon in the last year.
I take issue with the second point. It reflects a common post-NSA scandal sentiment, which is that we should throw up our hands and give up because security is hard and spy agencies are brazen.
Like invasions of privacy, rape, murder, bank robberies and traffic accidents will inevitably occur, no matter how hard we and our communities establish defenses against them.
Yet we keep trying to confront these serious societal problems, year after year, and if we can help or save just one individual, the effort has been worthwhile.
So, let's focus on gradually improving our security through action and education. It's time to do away with the spirit of apathy and hopelessness that is starting to pervade discussions about online privacy.
The crucial difference between invasions of privacy and the rest of your list is that strong deterrents exist for the latter part of your list. Even if you ignore the legal consequences of rape, murder, and bank robberies, all expose you to the risk of violence in response to your actions. Traffic accidents are by definition both unintentional and unexpected, whereas most invasions of privacy are not.
These things have all been minimized to societally acceptable levels because of specific deterrents that are in play. Presently, there are few deterrents to both public and private invasions of privacy by large companies or institutions. Until strong deterrents exist, the violations will continue. This is why a few changed rules at the NSA and a slap on the wrist for senior intelligence officials won't prevent privacy violations in the long term. Until jail sentences start getting handed out that are comparable to those for robbing banks, large institutions will continue collecting troves of data and using it to rob people of their privacy.
A look back in time reveals that the deterrents against these violent crimes have been established gradually, through education, civil organizing and political lobbying. For example, contrast the perceived consequences of rape in the 1940s with those in 2014.
The United States has also made considerable strides toward the right to privacy. For example:
- Weeks vs. United States, establishing Americans' right against unreasonable search and seizure
- Lawrence vs. Virginia, which reinforced couples' rights to privacy concerning sexual conduct
- Griswold vs. Connecticut, which solidified the right to marital privacy.
I don't dispute that protecting personal privacy is hard. Nor do I dispute the fact that agencies such as the NSA have cast an ominous shadow on the United States' hard-won victories in the privacy arena.
But American history is full of victories concerning privacy, some of which seemed far-fetched in their times. The silver lining of the NSA scandal is that it made everyday Americans more aware of privacy issues. That awareness should be leveraged in a positive way, to demand accountability and build on deterrents against snooping.
If there were a successful way to protect information, it'd be known and used.
But there isn't. All you can do is make it harder. It's not apathy, it's reality.
This is not to say that a government agency couldn't crack my encryption, or break into my car, but I take small reasonable steps to protect my property and information.
Protecting and guaranteeing beyond a doubt are two distinct concepts. When people create a false dichotomy between these things, they give themselves a license to not even try.
Are they over for the NSA? No. That's what should change.
Simple isn't the same thing as easy.
It turns out that it's really fucking difficult. Also, it kind of sucks that I couldn't talk to any of my coworkers about being on the front page of Hacker News!
If you're doing something illegal that will attract serious attention from competent police, you are dumb for using electronic communication to do it. Smart mobsters did their business face to face in the 1950's. Smart street-level drug dealers use proxies (kids, grandparents, etc) to conduct transactions.
If it's just an exercise in screwing around looking for theoretical security, nobody cares. Best case, you're wasting time better spent elsewhere. Worst case, you're going to get in trouble for laundering money via bitcoin.
If you're a leaker, etc., you'd have better security printing and mailing cash to people. Mail content is protected legally and requires a warrant to open. If you insist on using technology, print a GPG-encrypted letter in an easily OCRable font.
..Make Obama, and any "Obama", wear a cam and mic, open all the time, connected to the inet. Make all bank accounts and transfers of everybody (corps included, of course), open to see to anyone.
..The above of course is extreme and won't happen. But that's the direction we should aim for. Not protect ourselves. We lost already. Open up the opponent.
You think a free market is efficient at allocating resources? what about a free market with perfect information for all players. It changes from poker to chess, deception is no longer a valid strategy.
I'm all for that.
When Facebook pushes privacy concerns, it's actually just reflecting our new reality and trying to stay relevant.
The "issue" that we will be coming up against is that people need time to adjust and to be honest, people aren't used to knowing everything about each other.
To give an absurd example for the purposes of illustration: If your boss finds out that you like to cross dress on the weekend it may reflect poorly on you. In reality this is simply b/c he knows something unusual about you and your coworkers continue to look "normal" in his eyes. If he knows that you crossdress, Jeff likes to be tied up, and Bob's wife is a tranny then it no longer becomes a big deal.
The same goes for more sensitive things, like the amount of women that have abortions, or miscarriages, or people that have mental disabilities or are on antidepressants, or do hard drugs in their spare time. We shield ourselves from certain things to the point where when we get exposed to them we don't react appropriately b/c we have no reference point.
The reason Obama wouldn't be okay with a mic is mostly because no president before him has had a mic. So if he cusses out other world leaders on the daily, he'll look like a grade A asshole - regardless of whether or not other presidents have done it.
The degree at which they oppose me or protect me is unknown by me, but for the most part I believe they are protecting me, not for me, but because I naturally align with them.
Now, if you are not an American, their interests are much less aligned with yours. In that case, I agree.
For example, I would appreciate if all foreign government officials had all their emails, phone calls etc. open, but would like to protect my officials.
Hypocritical? I don't think so, it's basically a matter of wanting the people with alignment to me to continue having power.
Citation needed? If you were, e.g., a Google employee at the time of wage fixing, would you think it cared about you, 'cause "you had aligned interests"? Maybe you should question what your interests are, and what of the politicians and mega corps.
Call me cynical, but they care for your protection, as much, and for the same reasons, as the kings used to "care" about their serfs.
"The degree at which they oppose me or protect me is unknown by me, but for the most part I believe they are protecting me"
Stockholm syndrome? Sad love story? You (us) being played, manipulated and exploited?
1) Forget USB drives, they are a nightmare. In fact, forget any writable medium. Get an old laptop and take out the HD. Boot it from a live CD. Use only this machine to edit your blog.
2) Make your passwords complex and write them down on a piece of paper hidden somewhere. Don't host them in any digital form anywhere. You're much more likely to screw up the digital stuff than get pipe-wrenched.
3) Forget bitcoin or any other funding mechanism. Just pay for your computer yourself and use a free blog hosting company. Don't buy a domain, just use domain.wordpress.com or whatever. Don't let money touch the blog at all ever.
4) Don't collect stats on your blog. What do you need them for?
5) Do all your posting from public WiFi points like coffee shops. (Buy your coffee with cash.)
To go deeper, consider the pattern of your traceable activities. Don't deny who you obviously are. For instance if you see one of your blog posts on Reddit, HN, Facebook, etc., click through and read it from your regular computer. After all it is probably a topic that you're demonstrably interested in, and the point is to pretend that you've never seen that post before.
7) On the way there do not fill up at a gas station, do not use the subway with an identifying pass.
8) Thwart cameras, try to disguise yourself, but in an inconspicuous manner.
1, 2, 3 agree absolutely. As popular as computers are becoming, just keeping data in a physical form makes it a less obvious target, and easier to hide/dispose of.
But the convenience of Tails persistence is really tempting. I can just unlock it with a really long master password, and have access to my SSH keys, passwords (Keepass), Electrum bitcoin wallet, packages, source code, etc.
But yes indeed, a live CD, a simple blog hosted on Wordpress or Tumblr, random MAC address, and Tor on coffee shop Wifi over a long-range antenna would provide almost guaranteed security.
P.S. It's no fun without stats. 25,000 page views is a success, I think! And $25 USD in bitcoin donations. Now I just need to work on anonymously converting or spending them.
When I set up a pseudonym GitHub, I was shocked to find a script that linked the two accounts. The first giveaway is using the same languages. Not as much of a problem with a blog. The second was commit patterns and timestamps.
This is the blog's commits, where you can find an e-mail and timestamps: https://github.com/untraceableblog/untraceableblog.github.io... You know the timestamps are accurate because Tor needs a valid system clock to keep a good connection.
Solution: I developed a gem 'GitFog' to randomly backdate my commits up to 48 hours in the past. More about that here: https://github.com/msjoinder/gitfog/
No, you suspect they're accurate, but you have no way of knowing whether the author was connected to Tor when the commits were made.
That said, GitFog sounds like a useful tool!
I actually think the combination of a custom domain and Github makes it much more likely he'll be discovered. Buying a domain means transacting bitcoin, which as others have pointed out, is not foolproof. And Github actually provide plots which make estimating the timezone easy... https://github.com/untraceableblog/untraceableblog.github.io...
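What the commit metadata discussed in the comments above gives away, and the backdating mitigation GitFog is described as applying, as an added example that is not part of the thread and is not GitFog's code. The sample log is constructed, `audit`, `fogged_env` and `commit_fogged` are hypothetical names, and the 48-hour window is taken from the comment above.

```python
import os
import random
import subprocess
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed output of: git log --format='%ae|%aI'   (not real data)
SAMPLE_LOG = """\
anon@example.invalid|2014-01-20T23:14:05+11:00
anon@example.invalid|2014-01-21T22:47:31+11:00
anon@example.invalid|2014-01-23T00:02:10+11:00
me@example.invalid|2014-01-25T21:30:00+11:00
"""


def audit(log_text):
    """Summarise what your own repo's commit metadata reveals about you."""
    offsets, hours, emails = Counter(), Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        email, stamp = line.rsplit("|", 1)
        when = datetime.fromisoformat(stamp.strip())
        # The UTC offset recorded by git is the author's local timezone.
        offsets[when.strftime("%z")] += 1
        # Hour of day (normalised to UTC) shows the working pattern.
        hours[when.astimezone(timezone.utc).hour] += 1
        emails.add(email)
    return {
        "utc_offsets": dict(offsets),
        "utc_hours": sorted(hours),
        "emails": sorted(emails),
    }


def fogged_env(now=None, max_hours=48, rng=None):
    """Environment for `git commit` with dates moved back by a random
    amount (0..max_hours) and the timezone offset forced to +0000."""
    now = now or datetime.now(timezone.utc)
    rng = rng or random.SystemRandom()
    shifted = now - timedelta(seconds=rng.randint(0, max_hours * 3600))
    # Git's raw date format: "<unix timestamp> <timezone offset>"
    stamp = f"{int(shifted.timestamp())} +0000"
    return {"GIT_AUTHOR_DATE": stamp, "GIT_COMMITTER_DATE": stamp}


def commit_fogged(message):
    """Commit staged changes with fogged author and committer dates."""
    subprocess.run(
        ["git", "commit", "-m", message],
        env={**os.environ, **fogged_env()},
        check=True,
    )


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))   # what the constructed history leaks
    print(fogged_env())        # dates a fogged commit would carry
```

Backdating only changes the dates stored in the commit object; the hosting service still sees when the push arrives.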
Everybody will see addresses where you spend your donated bitcoins:
Similarly anybody who receives bitcoins spent by IT Itch will be able to see addresses where they got bitcoins from, and that may include bitcoin address of the person you bought bitcoins from.
I guess that mass blockchain de-anonymization may be a big business (or NSA side-project) in the future, so I suggest "laundering" bitcoins for anonymity too (find somebody who will swap wallets with you, so you get coins with completely irrelevant history and no trace of that swap in the blockchain).
You could just buy a prepaid visa in cash at the grocery store, for a similar amount of anonymity. Wear a hat and a scarf.
Or use a BTC mixer.
But even if they did all that, they'd learn that the author of Untraceableblog.com uses Tor which is what he wrote he does.
Then, if you really cared, you could set up malicious Tor nodes in hopes of getting traffic from that particular user. I only have a superficial knowledge of the Tor protocol, but I imagine if you set up a malicious first Tor node (a node that takes the initial incoming request from a Tor browser), you could track all the IP addresses, and mark any of them coming from that particular city. You wouldn't know what the person was seeing, but I imagine you could tell if there was activity on that particular IP address.
From there, you could do some sort of analysis on the blog, and see if any updates correlate to traffic you see from that city based in the IP addresses that had activity at that particular time. Since the US has about 400k users in total, I would harbor a guess that maybe the top city might have 100k users max, and then if you could whittle down based on time, you should be able to narrow it down to 100 users. Then you start knocking on doors.
The luxury organizations like the government have is that they can take their time and wait for you to make a mistake.
So you can go from:
Domain seller -> "Anonymous persons bitcoin address" -> Bitcoin address of the person who sold him those BTC.
You then find that person (as I'm pretty sure they're not so focused on anonymity) and wrench-attack a description of this guy and location + time of the meet from him (and also the e-mail he sent to arrange it -- tone, etc).
CCTV camera footage of the meet/people in that area at the time, etc. Home and dry.
Blockchain.info has a fantastic almost-free one.
Wouldn't this then make it almost trivial for Google or the NSA to find you with textual analysis by matching what is pasted in translate with any other writing sample you've done? So the OP isn't really concerned about anonymity from Google or NSA at all... amiright?
One important step towards real anonymity would be to completely anonymize your writing style. Make sure the distribution of stop words in your writing is absolutely banal. Make sure to not use your favorite expressions, that can be found in your previous writing. Etc. Algorithmically measure your style before posting, and make sure it is non-identifiable.
The analysis added weight to that revelation but it wasn't enough in itself to confirm it for sure.
Actually, that's incorrect. Nick Szabo is a candidate to be Satoshi Nakamoto, but the post claiming to use stylometry to out him is garbage. Gwern (who is no stranger to stylometry) explains: http://www.reddit.com/r/Bitcoin/comments/1ruluz/satoshi_naka...
Stylometry was only used on JK Rowling after a tip-off from an anonymous source. Even then, it's not clear how useful it was in outing the author. Tools and algorithms are getting better, but even modern stylometric methods will give you false positives on a large corpus. People simply aren't that unique.
Seems possible, although the textual analysis seems a bit weak. Combined with everything else it's quite convincing.
I think better protection is simply not to publish much under any alias. If there isn't a large body of text, an alias writing a few thoughts on one or two issues can't really be mined.
edit: oops, should have read the whole post.
Then use Tor to register and manage it.
The only catch - you'd have to use their domain, like:
But who cares - you can get your free, fully anon place to throw up :)
All of them accept it.
If so, it's also found on this forum, posted by "turk", in reference to a different USB drive make/model.
(Looks like the comment was edited to use a different link, but the original was quoted in the next comment down)
They'll just keep hitting you with the wrench until you give them the second password. Sucks if you don't actually have a second encrypted partition.
You can't have this sort of thing because it is easily circumvented by opening the encrypted volume on a read-only disk.
- buy a new laptop that has never been used to sign into any services that know your true identity
- get rid of the camera and microphone
- never connect to the internet from your own network or locations you frequent
- rotate randomly through public wifi spots and use a long range wifi antenna whenever possible
- obsessively monitor your network traffic so you know if your true IP is ever compromised so you can change your behavior in time
This is smart, except... Google presumably records your translations, likely linking them with your Google account (and - even if not - could easily look up which translations led to your blog).
So, textual analysis is not quite dead, and you may have given away your anonymity by taking this measure.
Question 2): Can't you buy a domain name and hosting using https://www.nearlyfreespeech.net/about/mailing and mailing in an anonymous cashier's check / postal money order?
Question 3): Why not just (using Tor/VPN/Proxy) sign up for a Tumblr or Wordpress Blog anonymously and only logging in or editing the blog when using Tor/Proxy/VPN?
Where there is a need and a poor solution, there is an opportunity for a startup. Anyone want to join up and contemplate starting "TABlog" Truly Anonymous Blogging platform?
2) Looks like a good suggestion, I'll have to check that out if I ever start a Tor hidden service.
3) The main factors are having control over the HTML, and differentiating the site from just another wordpress blog. Anyone can start a Wordpress blog using Tor, and that wouldn't make a very interesting blog post.
This was done mostly as an exercise and experiment. If the goal were just to publish sensitive articles, I would use a free blogging platform.
Just don't add a return address and you're solid.
Whilst this may be nothing and I'm sure he/she wouldn't leave a trail like this, I thought it worth noting. This tumblr user has gone out of their way recently to delete all of their past posts (even those made last month) and leave just one.
Just like if you're the only person in a country using Tor, writing about stuff internal to that country, yeah, they might notice.
In the Harvard case, as far as we know, they went to everyone running Tor and this kid freaked out immediately and it was case closed. If he had insisted on his rights and not talked about it, or provided another plausible reason (assuming he didn't leave evidence on his computer), they'd have had no solid leads. Or if he had used another network that wasn't Harvard's.
Personally, I hope his/her posting sparks a conversation about internet anonymity, or the lack thereof.
There are no public grounds on the Internet. Even if there were, there aren't any public ways to get to those public grounds.
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '22.214.171.124 - 126.96.36.199'
% Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com'
inetnum: 220.127.116.11 - 18.104.22.168
descr: Fastly Frankfurt 1 Operations
status: ASSIGNED PA
source: RIPE # Filtered
person: Artur Bergman
address: 501 Folsom St.
address: San Francisco CA
% This query was served by the RIPE Database Query Service version 1.70.1 (WHOIS1)
For example, if you cannot access http://explorer.bit then you can just add .pe to the URL and access http://explorer.bit.pe
And they just have a server running that passes the requests through?
1) get access to the request logs of third-party includes on his page
2) look for requests made just before the page is published publicly
Random guess based on "couldn't be fucked" and "you might have assumed that English was my second language".
Also, the guy the author met could ID the author.