Topic: [ANNOUNCE] Bitcoin Fog: Secure Bitcoin Anonymization - page 30. (Read 301618 times)

member
Activity: 84
Merit: 13
Quote
Also, I think you guys need a news section or a Twitter account. It would make you seem more professional, and it would keep users in the loop. For example, you could let us know when you lower the minimum withdrawal, or when the site goes down.

There is already a Twitter account: https://twitter.com/BitcoinFog

But we try not to spam it with small changes.
Also, and we are sorry for this from the usability point of view, but we are very careful with publishing info about when the site might be down, to make it harder to connect these times with real world events/outages afterwards, to try and find us. This way someone looking to do that must either happen to notice we are down by chance, which is unlikely, or actively try to keep track of that, which given the inherent Tor instability should create many false positives.

Quote
Exactly, I am speaking only of deposits. My withdrawals come out fine,

but why does it matter how long I leave my bitcoins in the fog if they don't move anywhere for weeks to a month after deposit anyway? 0% taint is 0% taint, is it not?

I imagine that by now, someone somewhere has sniffed enough information about fog addresses for being able to tell when a transaction goes in or out of the Fog. (For a deposit transaction this is harder, since an address can be completely new and unseen on the network, but it would be possible to make that connection afterwards.)

So it is not only a question of which addresses do transactions go to and come out of, it is also about timing. If someone sees two transactions, in and out of the fog, approximately for the same amount at the same time, there the connection can be made as well. It is still difficult and they couldn't prove it was your transaction without finding us anyway, but the simple truth is that timing gives a lot of information. Of course in some way, we already combat this by having the lowest withdrawal time period of 6 hours, which given the current deposit rate at around 10x per hour gives enough obscurity for small deposits.
member
Activity: 81
Merit: 1002
It was only the wind.
Quote
I am curious, every deposit I've ever made has never gone anywhere in the last month. Is that normal? Or is it magic?

What do you mean not gone anywhere? Did you withdraw it? Or it didn't get registered to your account?
The system is fully operational, there are around 10 deposits per hour registering without any problems...
Also why didn't you open a ticket on the service itself? We do answer all the tickets, but if you rather discuss your usage of an anonymizing service on a public forum, please Smiley

I think he means he checked on a block explorer, and the actual coins he sent haven't moved.

Also, I think you guys need a news section or a Twitter account. It would make you seem more professional, and it would keep users in the loop. For example, you could let us know when you lower the minimum withdrawal, or when the site goes down.
sr. member
Activity: 322
Merit: 250
Quote
I am curious, every deposit I've ever made has never gone anywhere in the last month. Is that normal? Or is it magic?

What do you mean not gone anywhere? Did you withdraw it? Or it didn't get registered to your account?
The system is fully operational, there are around 10 deposits per hour registering without any problems...
Also why didn't you open a ticket on the service itself? We do answer all the tickets, but if you rather discuss your usage of an anonymizing service on a public forum, please Smiley

I think he means he checked on a block explorer, and the actual coins he sent haven't moved.

Also, I think you guys need a news section or a Twitter account. It would make you seem more professional, and it would keep users in the loop. For example, you could let us know when you lower the minimum withdrawal, or when the site goes down.
Exactly, I am speaking only of deposits. My withdrawals come out fine,

but why does it matter how long I leave my bitcoins in the fog if they don't move anywhere for weeks to a month after deposit anyway? 0% taint is 0% taint, is it not?
member
Activity: 84
Merit: 13
Quote
I am curious, every deposit I've ever made has never gone anywhere in the last month. Is that normal? Or is it magic?

What do you mean not gone anywhere? Did you withdraw it? Or it didn't get registered to your account?
The system is fully operational, there are around 10 deposits per hour registering without any problems...
Also why didn't you open a ticket on the service itself? We do answer all the tickets, but if you rather discuss your usage of an anonymizing service on a public forum, please Smiley
sr. member
Activity: 322
Merit: 250
I am curious, every deposit I've ever made has never gone anywhere in the last month. Is that normal? Or is it magic?
newbie
Activity: 14
Merit: 0
I find it strange that only casascius is voicing these concerns over your service. I'd like to state some thoughts that came to mind reading this thread.

The last 4 or 5 bytes of every bitcoin address is a checksum, you should be able to check that an address is valid the same way that the client does. Anything less would mean you're lazy. Wink
Fair enough, this goes into the TODO-pile.
Really? Really?
This is such a common and trivial thing to do, any developer who has worked with bitcoin for 3 days will code it as an afterthought to his base58 decode function. It is literally the difference between

Code:
def DecodeAddress(address):
    hex = b58ToHex(address)
    address = hex[0:-4]
    return address
and
Code:
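def DecodeAddress(address):
    # b58ToHex and hash stand for a Base58 decoder and the address hash function
    hex = b58ToHex(address)
    address = hex[0:-4]
    checksum = hex[-4:]  # the trailing 4 bytes are the checksum
    if hash(address)[0:4] != checksum:
        raise ValueError("This is not a valid address")
    return address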

I've been a web app developer for years and I've worked at shops at all levels of, uh, evolution in the software development as engineering vs "code it, wrap it, ship it."  This is also what raised the biggest red flag for me.

In any shop/group with a solid software development and quality assurance process, the revelation of the checksum thing would have been met (assuming embarrassment wasn't being concealed) with an "oh shit, I have NO idea how we could've overlooked that, but my partner himself just committed a fix, we all code reviewed it on Skype 30 min ago, and it'll be live by tonight" type response.

I'm not trying to be a pain, and I don't think casascius is either, it's that sites like Bitcoin Fog are really important and we want you to get them right. Thanks for even trying, BTW.

as of now, all payouts are mostly done from the same address
That seems strange, for an anonymizing service, but you plan on fixing that, so it should be okay.

"It should be okay."  ...what.  Those are not words you should be saying as a developer on BitcoinFog.

There is no hard logic to what you are proposing. If you or anyone else has any hard math on this, please provide it. We couldn't find any. And your answer only suggests that it "feels" secure to you, and you don't have any actual models of this.
I haven't seen you post any hard math, or hard logic. For example, you "feel" 28 addresses is more secure than 3. Maybe this is the case. Maybe it's bullshit. Did you do any calculations?

I'm gonna step up and say that I hope to fucking $deity that somebody running some of these services has done some of the shit you see in your discrete math / state machines / logic class in an undergrad CS curriculum, but beyond that: mathematical proofs.  I can't do that, I retook that fucking class twice, but I'd raise BTC and pay somebody who can if I were launching a coin mixer.

It's ironic - all this runs over Tor - have y'all read any of the papers these guys write?  About the holes in their own system?  There's very little "thinking it should be okay."  Again - not to be mean - but be aware of the complexity of the problem you are trying to solve and that you need mathematical assurance that you're selling something other than snake oil, if you give two shits about your users thinking they're anonymous by using your service, and then getting jailed, tortured, or killed because they were not.

[1] http://hal.inria.fr/docs/00/47/15/56/PDF/TorBT.pdf
[2] http://swiki.cc.gatech.edu:8080/ugResearch/uploads/7/ImprovingTor.pdf
[3] http://archives.seul.org/or/dev/Jul-2010/msg00021.html
[4] http://dl.acm.org/citation.cfm?doid=1029179.1029199
[5] http://link.springer.com/chapter/10.1007%2F978-3-642-14527-8_10
[6] http://link.springer.com/chapter/10.1007%2F978-3-642-14527-8_11
[7] https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise (hell, even the blog posts involve a ton of thought about security)

For further light reading, here is a bibliography on the topic of digital anonymity which starts in 1977: http://freehaven.net/anonbib/#DBLP:conf/ccs/EdmanS09

Quote from: BTCurious
In summary: I think your service does some things right (e.g. the having no public IP, only connecting through tor), while other things seem a bit strange. The core though remains, that you've shattered all my trust in your skills at the very beginning, when you didn't implement a core safety mechanism, which is trivial to implement but paramount to prevent mistakes. This mistake, along with your attitude about it the ~5 posts after that, leads me to question a lot of other things about your service, which I might normally assume to be secure/obvious. I can see that casascius's reasoning is similar. (casascius: correct me if I'm wrong)

+1.  Thank you, thank you, thank you for trying.

Now throw it away and write it again, with proofs, and open source the fucker so there are a million coin mixers.
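Added example (not part of the thread and not Bitcoin Fog's code): a self-contained version of the checksum check discussed in the post above, using the standard Base58Check layout of 1 version byte, a 20-byte hash, and the first 4 bytes of a double SHA-256 as checksum. The helper names and the sample address are constructed for this illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is written as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text):
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("invalid Base58 character %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def decode_address(address):
    """Return (version, hash160) or raise ValueError."""
    raw = b58decode(address)
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        raise ValueError("wrong length for a Base58Check address")
    payload, checksum = raw[:-4], raw[-4:]
    if double_sha256(payload)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]

def is_valid_address(address):
    try:
        decode_address(address)
        return True
    except ValueError:
        return False

def make_address(version, hash160):
    """Build an address for the demo (constructed sample data)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + double_sha256(payload)[:4])

if __name__ == "__main__":
    good = make_address(0, bytes(range(20)))   # constructed sample address
    swap = "2" if good[-1] != "2" else "3"
    typo = good[:-1] + swap                    # one mistyped character
    print(good, is_valid_address(good))
    print(typo, is_valid_address(typo))
```

A service that accepts withdrawal addresses would call `is_valid_address` before queuing a payout, so a mistyped address is rejected instead of receiving funds that cannot be recovered.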
member
Activity: 84
Merit: 13
We have the support form on the website which we have been using for all customer contacts. We trust that form much more than any other external service, forum or mail server, since that way we don't have another link in the compromization chain that could become the weakest.
To access the form you must be logged in which usually works, since it's very easy to register. (No other way really to know who the messages are from, for a Tor HS...)

About your request about not being able to login, we shall check some things and contact you more and PERHAPS help you get back the money, but generally our policy is to not help users in these cases.
As we warn on the registration page, our service does not do e-mails and so you have to be VERY careful with your password. We have been in operation for more than a year and are in no business of stealing random accounts. Otherwise there would be plenty of reports of this on various forums.
The policy basically makes the assumption that if someone has any money to consider, they will remember their password, it's not very hard, our service uses no JavaScript or any other things that might tangle with the login form, and we provide some extra information about the login to make sure we don't intervene with entering proper data.
Any attempts to help any users with such requests are very shady for us, since we have no actual way to verify or identify the user, since we are an anonymous service. We might just be helping someone trying to get other user's account... This simply does not send any good message about the integrity of our service to other legitimate users, if they would find out that someone who somehow would obtain any piece of information about an account could persuade us to give him/her the account itself.
Our primary concerns are anonymity, security and integrity, and every one of our users must know this, and that is the reason for this policy.
newbie
Activity: 3
Merit: 0
Well, it's been 3 days and no responses. 
newbie
Activity: 3
Merit: 0
I'd advise you not to use this service right now.

I registered an account and transferred BTC into it. Now I can't log into my account. There's no support option at the page. I'll try to contact Akemashite via pm and keep you updated.
member
Activity: 84
Merit: 13
The service is in no way down. We have had some software problems today which resulted in some deposits being delayed, but that's about it; we have warned about this on the deposit page. It should be working fast now again.

If the website is not opening for you, you might want to try to use the "get new identity" Tor function, which will relay you through a different node, or try the clearnet gate: http://gate.bitcoinfog.com

Also please be aware of the copycats, of which there are now a number of: http://idg2wioimyjaekih.onion/, http://ecf5dppffhim3faw.onion/, http://kfdrua2bjbz7h243.onion, etc. (That's only the ones we could find.)
We are NOT AFFILIATED WITH THEM IN ANY WAY, use them at your own risk!
The only real link is http://fogcore5n3ov3tui.onion/
newbie
Activity: 14
Merit: 0
Website down. Another failed bitbiz. Mods any way to flag these it would be nice to only have active businesses on the threads. Otherwise I'll let people know so they don't waste their time clicking on dead links.
newbie
Activity: 8
Merit: 0
Is the website functioning well right now?  Undecided
member
Activity: 84
Merit: 13
Correct!
The actual link to the modification should be
https://en.bitcoin.it/w/index.php?title=Trade&diff=prev&oldid=32931

Sorry, it's kind of funny that we make these kinds of mistakes when you've just noticed our "attention to detail" Smiley
legendary
Activity: 4760
Merit: 1283

Yes, the service is operational, alive and well!

your persistence and attention to detail (snipped) is causing increased credibility in my mind.  Had I a need I would certainly be making partial use of your services by this time.  (I would always select multiple services and a carefully chosen scheme since as long as one of them were not a honeypot it would make the washing much more reliable.)

Some news then:
It has come to our attention that user “Jefferson1” (https://en.bitcoin.it/wiki/Special:Contributions/Jefferson1) on the Bitcoin Wiki has changed addresses to both our service and Bitcoin Laundry to supposedly an address of a scamming website. The scammer's link has been there for a little more than a week, we just hope that not many users have sent money there. We are not affiliated with that link in any way, our hidden service address has not changed from the start, you should always use the address http://fogcore5n3ov3tui.onion to access the real Bitcoin Fog.

What a dirtbag.  In this circumstance and very few others, I think it would be kind of amusing if whoever had any info (ip addresses and such) about this guy to 'accidentally' make it public so if anyone had the time and interest he might be able to be identified and shamed, or at least tied to any other ventures that would best be avoided.


In a cursory glance, it looks to me like the link should be to his only other mod.

member
Activity: 84
Merit: 13
Yes, the service is operational, alive and well!
We have been handling all the support through the secure contact form on the hidden service, so we haven't been checking this thread. It is nice to see that people haven't forgotten about it Smiley

Some news then:
It has come to our attention that user “Jefferson1” (https://en.bitcoin.it/wiki/Special:Contributions/Jefferson1) on the Bitcoin Wiki has changed addresses to both our service and Bitcoin Laundry to supposedly an address of a scamming website. The scammer's link has been there for a little more than a week, we just hope that not many users have sent money there. We are not affiliated with that link in any way, our hidden service address has not changed from the start, you should always use the address http://fogcore5n3ov3tui.onion to access the real Bitcoin Fog.

You can see the malicious modification here:
https://en.bitcoin.it/w/index.php?title=Trade&diff=prev&oldid=32931

We have of course rolled back the changes, both for our address and for Bitcoin Laundry.

Now for some good news: we have launched a Tor gate so that the service can be accessed even without tor: https://gate.bitcoinfog.com

This is less secure than going through tor itself, but all connections are going through SSL so information leaks are minimal (basically, only the fact itself that you are accessing the website could be observed by an adversary). Still, if you have Tor installed you should be going to the hidden service link directly.

If you are using the Tor gate, make sure to keep an eye on the SSL indicator. The real bitcoinfog service should always have a valid certificate for “gate.bitcoinfog.com”, you should not receive any SSL warnings!
The Tor gate is operating in testing mode, and since it is in Clearnet, it could be shut down at any time, the hidden service is still the primary access point for Bitcoin Fog. But if the site loads and the SSL looks fine, you can use it relatively safely.
legendary
Activity: 1078
Merit: 1003
+1 Hazek
It was MY stupid mistake in excel sheet ...  please remove my post from yours(quote) too ... i recommend this service and will use it again for sure

I'm glad to hear it! Wink
newbie
Activity: 11
Merit: 0
+1 Hazek
It was MY stupid mistake in excel sheet ...  please remove my post from yours(quote) too ... i recommend this service and will use it again for sure
legendary
Activity: 1078
Merit: 1003
Is this service still working?
Seems to be not working.

The site opened for me just now, although I don't have an account so I couldn't test if it's actually functional.
newbie
Activity: 32
Merit: 0
Is this service still working?
Seems to be not working.
hero member
Activity: 588
Merit: 500
firstbits.com/1kznfw
Is this service still working?