
Re: [tor-talk] Anonymous Publishing Is Dead.

Dear Anonymous Person,

I have to admit, it was a very interesting read, even though I am not
too sure I agree completely. It seems as if your threat model has
encompassed every single tiny thing that could possibly (theoretically)
go wrong, without much thought given to real-world randomness and
incompetence... so I thought I'd make a few observations.

1. Your use of Tor. If you were to run, say, an instance of TAILS with
tor set up to act as a relay, that would increase your anonymity greatly
(in fact, I have yet to hear of a case where someone running a tor relay
was identified and/or arrested solely based on that fact). If you wanted
to add an additional step, you could run your whole connection through a
good VPN server that allows anon payments (with bitcoin) and doesn't
keep logs, like Mullvad.net, THEN run a tor relay... I'm not saying it'd
be the fastest option imaginable, but it would throw a lot of obstacles
in the way of anyone trying to trace your location.

2. Email. I signed up for mailoo.org through Tor, I believe. But for all
practical purposes, you could easily get a disposable e-mail address
through a Firefox plugin called Bloody Vikings. Otherwise, pretty much
any web mail will do... just war drive and sign up through the first
open wi-fi connection you find ;)

3. Bitcoins. Yes, block chains are not that anonymous, especially
considering the difficulty of buying them legitimately in the first
place. How about a coin mixing service like www.bitcoinfog.com? Their
methodology is very interesting, and it seems like you'd be able to
'launder' ordinary coins, bought legitimately through an exchange...
There are a few other sites like this one: http://vzpzbfwsrvhfuzop.onion.to

4. Do you really need your own dedicated VPS?! And only in developed
Western countries? Have you checked out this list of BTC-friendly
https://en.bitcoin.it/wiki/Trade#Dedicated.2FVirtual_Server_Hosting ?
This guy, for example, will register a wide range of domains, with fees
starting from 1 BTC per year, and you can provide pretty much any e-mail
address you want: http://jetstarforever.com/hosting/ In other words,
it's never in your name... His hosting costs 0.5 BTC/month, though he is
dependent on his provider's T&C...

Anyway, my point is that there are ways to acquire BTC, randomised
enough not to be a concern, after which you can buy all the hosting (and
related) services your heart desires. And if your threat model
encompasses an organisation with vast resources, like the NSA for
example, consider that they haven't yet managed to track down the guys
running the Silk Road drug site (http://silkroadvb5piz3r.onion)... ;)

That's my 0.001 BTC worth :)

> I know it is dead, because I have tried to do it, and I can assure you - it is dead.
>
> Text is easy of course - I can still blast a simple email out to a mailing list, I can lay my claims out in 7-bit ASCII and let the world judge the merits solely on this simple medium.
>
> But media - publishing a story with supporting images, scans, video or audio - it is dead, left only to the elites. And perhaps worst of all is the promise made by all of you that if you just.... try a little harder, if you just use this service over here, if you just think about it another way - that it is still possible.
>
> It is not.
>
> Some time ago as an experiment I began the process to publish material fully anonymously - no compromises.
>
> I obtained a prepaid line of credit, paid in cash, verified with a prepaid telephone, also paid in cash, and only turned on in an ambiguous physical location.
>
> And I set about to find a Virtual Private Server I could run a Tor Hidden Service on.
>
> My requirements throughout all of this were simple: use Tor for everything, pay cash or cash-equivalent for everything, leave no account on a service run by a US/UK/AUS/NZ/CA company, have the VPS hosted outside the same, pay a reasonable sum.
>
> I needed an email of course. Nymservers like http://isnotmy.name/ or http://mixnym.net should have been the solution - but of course they didn't work. No amount of guesswork or trial and error got me a nym.
>
> Free webmail became the next goal. The more trustworthy (gmail), the less satisfactorily anonymous it was. The easier it was to register (in.com) - the less trustworthy it was deemed.
>
> After signing up for a low-trust but easy-to-get email, I narrowed down my hosting options to a group of VPS in the price range, hosted outside the 'bad' countries, and whose company itself was also outside. There aren't a lot.
>
> The next problem became finding a VPS I could pay for. You see, most VPS sellers are small resellers and don't process their own credit cards - they outsource it to a payment processor, usually Paypal. Paypal doesn't work.
>
> Paypal or AlertPay - too stringent verification; Liberty Reserve - blocks Tor; CashU - no easily found online merchant able to convert from a prepaid Credit Card; one after another all online payment methods fell by the wayside.
>
> You might think 'Bitcoin'. You would be wrong. No bitcoin service accepts any anonymous funding source - most only accept bank transfers. Apparently people performed chargebacks on credit cards to defraud the merchants. I can't blame them for this, but it certainly kills the idea of 'anonymity'. And I don't trust the blockchain to provide anonymity.
>
> After finding one of three or four VPS' I thought I could pay for, I encountered the next obstacle: MaxMind. MaxMind is a fraud detector built into WHMCompleteSolution which in turn is the VPS management tool used by every budget VPS. I set off every detector it had: proxy software, low trust email account, strange addresses, no valid phone number, etc etc.
>
> When I inquired to one company about this, I was laughed off. Even though I was willing to let them charge my card and sit on it for a month before providing service - no such luck.
>
> At this point, I needed to find a company large enough they processed their own credit cards, didn't block Tor, and didn't use fraud detectors. I found one, a competitor to Amazon EC2, that I thought I could fall through the cracks of. It didn't like my low trust email address, but after enough searching, I found an ISP I could get an account on without paying. After getting that, creating and verifying an account, and finally set up to make my payment... the prepaid card is declined. There's no explanation, it just didn't work.
>
> I thought at this point, perhaps there was a service that could be used. There was an announcement recently: http://karelbilek.com/anontorrent/ Supposedly this guy will seed anything until it has 20 seeders of its own. Except the file limit is 50MB. And you can't upload copyrighted material.
>
> How about any of the much-acclaimed 'leak sites' that spun up after Wikileaks shuttered their wiki and submission system? Well, I went through all of these: leakdirectory.org/index.php/LeakSiteDirectory and all of them seemed to be either wannabes who had never published a thing or news organizations who were security illiterate and had no way to accept content.
>
> Anonymous Publishing Is Dead.
>
> You may seek to respond with the 'right way' to do it, the company you know will let me fall through the cracks, the trick you use to white-lie your way through the process. Don't bother. If there is a way through, and I'm not convinced there is, it is so difficult to find that a technically unsavvy user would never be able to; and even technically savvy users like myself - who understand all the tricks of firewalling off my machine so nothing but Tor escapes - are groping blindly for it, unlikely to find it.
>
> What can be done about this? What compromises are 'safe'? Is a Hidden Service sufficiently trustworthy to host any material, and have it stand up to investigation when the server running it is in your name? Is the correct approach not to publish anonymously at all, as cryptome.org does? Should we rely on the Streisand effect, bittorrent, newsgroups, something else?
>
> These are mostly rhetorical questions. My purpose in this email is to tell you that anonymous publishing is an unsolved problem. Any solution available today is not robust: it falls down in some situation: content, capacity, anonymity, or something else.
>
> What can be done about it? What will be done about it?
>
> Dear tor-talk! Get Yourself a cool, short @in.com Email ID now!
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
