
Hi, I'm posting this through Tor. The reason I'm able to do this is because this account is more than two weeks old. I also created this account through Tor, so HN's operators should have no idea who I am.

For example, you have done an experiment below of posting comments through Tor using the newly-created account "throughtor": https://news.ycombinator.com/threads?id=throughtor

If you turn on "showdead" in your profile, you'll see that account has a bunch of dead comments. Those comments are dead because the "throughtor" account is less than two weeks old, so HN's system automatically kills them since they're posted through Tor. Once two weeks elapse, you'll be able to post comments and they won't be struck down. (Two weeks is the time it takes for the "new account" status to wear off.)

This is a spam prevention technique, and it's necessary in order to drastically reduce the amount of work moderators have to do to filter spam.

So, anyone who wants to post anonymously on HN should open up Tor Browser and create an account right now, and save it for a rainy day sometime in the future.

Remember not to use the same password as your regular HN account, because you'll give your identity away if you do. In addition to the fact that there's nothing stopping any server from logging every password across every service, HN also stores passwords as unsalted SHA-1, so two identical passwords on two different HN accounts will be stored as the same hash in the database, making it trivial to detect your real identity.

At least, unsalted SHA-1 was the case as of arc3.1, which is now several years old. Kogir probably changed it to something more sane in the meantime. But I highly doubt anyone will be able to break into HN's server running BSD anyway, so the unsalted SHA-1 isn't really a concern. This is just a reminder that every piece of information you provide is a piece of information that can be used to determine your identity.

And if you use this information to create more work for HN's operators, then I will ssh into your macbook and scare the crap out of you in the middle of the night by setting your volume to 100% and using text-to-speech. But seriously, don't be lame. It's valuable that we are permitted any anonymity at all.
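
The linkage described in the comment above, as an added example that is not part of the thread or of HN's code: with unsalted SHA-1, two accounts sharing a password store the same string, while a per-account salt removes that signal. The standard-library scrypt stands in for a salted scheme such as bcrypt; account names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts: two of them reuse one password.
ACCOUNTS = {
    "main_account": "correct horse battery",
    "tor_throwaway": "correct horse battery",
    "someone_else": "a-different-passphrase",
}

def sha1_unsalted(password):
    """Bare SHA-1 with no salt, the scheme the comment attributes to arc3.1."""
    return hashlib.sha1(password.encode()).hexdigest()

def scrypt_salted(password, salt=None):
    """Salted, memory-hard hash; a fresh 16-byte salt is drawn per account."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + dk.hex()

def verify_scrypt(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    candidate = scrypt_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def build_table(hash_fn):
    """Simulate the credential column of a user table for a given scheme."""
    return {user: hash_fn(pw) for user, pw in ACCOUNTS.items()}

def linked_accounts(table):
    """Group usernames whose stored credential strings are byte-identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print("unsalted SHA-1:", linked_accounts(build_table(sha1_unsalted)))
    print("salted scrypt: ", linked_accounts(build_table(scrypt_salted)))
```
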




We switched to bcrypt several years ago.


That's great to hear - thanks for doing so.


I floated the idea on bitcointalk.org of a fully anonymous distributed message board that used small bitcoin payments as the cost to post messages ... possibly softened by having a newbie/spam forum where "free" posts are possible but don't get much attention.

It didn't get much traction. (I can understand why bitcointalk.org is staying where they are. It was when theymos was openly asking what to do with all the donated BTC.)

I would, however, be happy to join a public github repo if there's serious interest.


Something like this? http://www.btcmessenger.com/?page=send just filter it for spam like we do with normal email, maybe an application anyone can run instead of a website that can be taken down.

Also, is there a provable way to generate a public bitcoin address without learning the private key? As a way to keep it fair.


To what you said: yes. Except to not store the messages in the blockchain, which removes the need to generate a bitcoin address.

However, there are some implementation issues that need to be resolved, e.g. on github.


Thank you for correcting me. We have all learned from you.



