
Topic: [joe is dead] http://findmeifyoucan.eu - page 3. (Read 7043 times)

legendary
Activity: 1512
Merit: 1028
October 28, 2012, 09:37:57 PM
#91
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!
If you browse here, you're not that anonymous (unless you turn off images, or connect so that your IP address being logged doesn't matter).

Here's a web bug:
(it can be a blank image too)

Here's where you can see email notifications of everybody that viewed the image, along with their IP address, reverse domain name, and browser user agent: http://spypig.mailinator.com/
Update: spypig.com only sends information about the first five views, so the fun was over pretty quick.

I'll leave this here to freak you out instead:
legendary
Activity: 980
Merit: 1000
October 28, 2012, 08:39:50 PM
#90
I bet it's Nefario making sure he can't be traced, and then if someone figures it out he'll cry and say he can't pay back GLBSE accounts until he gets the 14BTC back lol
sr. member
Activity: 440
Merit: 250
October 28, 2012, 07:05:53 PM
#89
You're right, you can't embed flash on here. I just posted an image, but I had also posted a link to a website which had the Flash video embedded.
I have no idea any more as to whether Flash abides proxy settings, it never used to, but some are saying otherwise now, plus my test failed so I'd be inclined to agree.

True, but I don't have the ability to run PHP/JS/Flash code on here, hence why I had to ship him off to a point I control.
I feel less stupid now. The internets haven't suddenly changed the rules after all.
full member
Activity: 238
Merit: 100
October 28, 2012, 06:57:55 PM
#88
How can you possibly embed such code in a forum post?
It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology.
Ah, I had looked at the "previous post", but there was no image. I guess he edited the post to remove the image so. Guess I'd better not take up a hacking career - I'd not get very far. Even took me a couple of minutes to figure out 1337est.
But wait, OpenYourEyes said he was using a flash beacon to catch the IPs. I found this which shows how to embed flash code into a forum post, and the first reply says "allowing users to embed flash is a security risk". So... what gives?  OpenYourEyes can't have just used a regular image because that would have gone over joe23's TOR connection - he specifically tried flash which often ignores proxy settings.
You're right, you can't embed flash on here. I just posted an image, but I had also posted a link to a website which had the Flash video embedded.
I have no idea any more as to whether Flash abides proxy settings, it never used to, but some are saying otherwise now, plus my test failed so I'd be inclined to agree.

Quote
No need to click any link. You just embed it as an image on the PM just like you did in the thread reply. PM's can also use bbcode.
As soon as he opened the Messages page, which has your latest 20 or so messages showing, it would call your script and you'd have the data you wanted, but without all the garbage
True, but I don't have the ability to run PHP/JS/Flash code on here, hence why I had to ship him off to a point I control.
legendary
Activity: 1358
Merit: 1002
October 28, 2012, 06:55:13 PM
#87
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!
As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it.

If you wanted to catch only joe's IP you should've sent him a PM and not posted it in this thread.

BTW, joe is gweedo. Why? Because gweedo can't stand BitcoinINV lol
I thought of that, but if I was in his shoes I would have found it quite suspicious to be asked to click a link, especially with a strange free hosting domain name, but hey, I'm paranoid by nature.

No need to click any link. You just embed it as an image on the PM just like you did in the thread reply. PM's can also use bbcode.
As soon as he opened the Messages page, which has your latest 20 or so messages showing, it would call your script and you'd have the data you wanted, but without all the garbage
sr. member
Activity: 440
Merit: 250
October 28, 2012, 06:51:07 PM
#86
How can you possibly embed such code in a forum post?
It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology.
Ah, I had looked at the "previous post", but there was no image. I guess he edited the post to remove the image so. Guess I'd better not take up a hacking career - I'd not get very far. Even took me a couple of minutes to figure out 1337est.
But wait, OpenYourEyes said he was using a flash beacon to catch the IPs. I found this which shows how to embed flash code into a forum post, and the first reply says "allowing users to embed flash is a security risk". So... what gives?  OpenYourEyes can't have just used a regular image because that would have gone over joe23's TOR connection - he specifically tried flash which often ignores proxy settings.
full member
Activity: 238
Merit: 100
October 28, 2012, 06:50:39 PM
#85
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!
As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it.

If you wanted to catch only joe's IP you should've sent him a PM and not posted it in this thread.

BTW, joe is gweedo. Why? Because gweedo can't stand BitcoinINV lol
I thought of that, but if I was in his shoes I would have found it quite suspicious to be asked to click a link, especially with a strange free hosting domain name, but hey, I'm paranoid by nature.
legendary
Activity: 1358
Merit: 1002
October 28, 2012, 06:44:08 PM
#84
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!
As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it.

If you wanted to catch only joe's IP you should've sent him a PM and not posted it in this thread.

BTW, joe is gweedo. Why? Because gweedo can't stand BitcoinINV lol
full member
Activity: 238
Merit: 100
October 28, 2012, 06:37:26 PM
#83
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!
As theymos said, just an image: a simple 1px transparent gif hosted on a server which logs IPs of those who requested it.
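
A forum-side mitigation for the image beacon described in the posts above, as an added example that is not part of the thread and not SMF's own code: it rewrites third-party `[img]` URLs in a post so viewers fetch them through the forum's own proxy and the remote host never sees their IP or user agent. The proxy endpoint, signing key, trusted-host list and sample post are all constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: endpoint, key and trusted hosts are made up.
PROXY_BASE = "https://forum.example/imgproxy"
PROXY_KEY = b"constructed-demo-key"
TRUSTED_HOSTS = {"forum.example"}

# Matches [img]url[/img] and [img width=1 height=1]url[/img], any letter case.
IMG_TAG = re.compile(r"\[img([^\]]*)\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def proxied_url(url: str) -> str:
    """Build a signed proxy URL so the proxy can refuse URLs the forum did not issue."""
    sig = hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}/{sig}/{url.encode().hex()}"


def rewrite_remote_images(post: str):
    """Rewrite third-party [img] URLs; return (new_post, remote hosts seen)."""
    remote_hosts = []

    def repl(match):
        attrs, url = match.group(1), match.group(2).strip()
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "[removed image]"      # non-web schemes, relative junk
        host = parts.hostname.lower()
        if host in TRUSTED_HOSTS:
            return match.group(0)         # already served by the forum itself
        remote_hosts.append(host)
        return f"[img{attrs}]{proxied_url(url)}[/img]"

    return IMG_TAG.sub(repl, post), remote_hosts


# Constructed sample post: one third-party 1px image, one forum-hosted smiley.
SAMPLE_POST = (
    "Nice thread! [img width=1 height=1]http://tracker.example/pixel.gif?id=42[/img] "
    "[IMG]https://forum.example/smileys/wink.gif[/IMG]"
)

if __name__ == "__main__":
    rewritten, hosts = rewrite_remote_images(SAMPLE_POST)
    print(rewritten)
    print("remote image hosts:", hosts)
```

The same rewrite has to be applied to private messages, since they accept bbcode images too.
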
legendary
Activity: 1358
Merit: 1002
October 28, 2012, 06:32:08 PM
#82
How can you possibly embed such code in a forum post?

It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology.

eh, after all theymos has a sense of humour. lol
administrator
Activity: 5166
Merit: 12850
October 28, 2012, 06:28:38 PM
#81
How can you possibly embed such code in a forum post?

It's called an image. Thankfully, only the 1337est of hackers can master this arcane technology.
sr. member
Activity: 440
Merit: 250
October 28, 2012, 06:25:15 PM
#80
My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
Fascinating! How can you possibly embed such code in a forum post? Surely this indicates a serious bug in SMF, the forum software?

One of the IP addresses you mention is mine, and I'm not joe23. Thanks for doing the xx.xx'ing - I'd hate to have a bunch of you guys suddenly trying to hack my box!
administrator
Activity: 5166
Merit: 12850
October 28, 2012, 06:05:23 PM
#79
So if you ask him and he's ok with it, I will give him my consent to publish anything he has on me in this thread.

[email protected]
188.165.73.235
Ignores BitcoinINV
sr. member
Activity: 440
Merit: 250
October 28, 2012, 06:02:34 PM
#78
This is a great thread. If I had to make a suggestion, I would connect to some translation service over tor, translate what you want to write into some other language, then translate back to English, then post it (better would be to install a local translator). Your English is almost perfect - definitely better than any automatic translation - but that only narrows it down to, oh, maybe 400 million native English speakers. The few mistakes I noticed could either be genuine typos, or maybe deliberate. If I wanted to try, I'd ask you a question which requires an answer with a word such as "randomi(s/z)e" or "trunk/boot" (US & UK respectively for those with English as 2nd language). I just can't think of a suitable question right now.

To connect, I would use TAILS. It sets up two virtual machines within an OS running from a USB drive - one of the vm's runs a TOR server, the other vm's network card is routed through that TOR instance. The user interacts only with the 2nd so no need to worry about DNS, java, flash leaks etc - except if something breaks the vm enclosure I suppose. I haven't tried it out, but it seems really good.

Someone suggested running firefox through x11 forwarding in the torified ssh tunnel. I'd have to say that'd be really slow. You might get away with w3m or lynx maybe, but that might narrow you down even more - how many text-based browser users can there still be in the world?
full member
Activity: 238
Merit: 100
October 28, 2012, 05:32:07 PM
#77
Is your IP at all 24.143.xx.xx or 217.114.xx.xx (xx'd for privacy), or are you Smoothie, or someguy123. (Took a few stabs there).

I'm in the process of doing an explanation for my results.

My original intention was to try and use Flash to log your true IP:
Plugins such as Adobe Flash don't normally respect your browser's proxy settings (this must have changed recently, or I went about it the wrong way because it didn't work).

My post above contained a tracking beacon which was logging IPs & useragents; the link in my post went to a free hosting provider which I set up using a manner of techniques to log information about visitors (using JavaScript, PHP, and an embedded flash player which was requesting a video from my server), and then after a few seconds forwarded you to a legit blog post.
The Flash player method is the one I was relying on the most (the others were just a fallback in case you messed up somewhere - apparently not), but it doesn't seem to have worked.
Although, sifting through nearly 60 different IPs and browser information, and then doing lookups on them is quite cumbersome.

I had one visitor come to the site which was using a TOR connection (195.177.253.113), I took a stab in the dark in believing it was you. I know you use Linux, and the useragent matches up. Doing searches on this useragent from the last couple of days led me to two members here: Smoothie, and someguy123: quite confident it's not you though.

This IP (217.114.xx.xx) got me slightly excited as it originates from Dublin, and your server IP also gave references to Dublin. Plus, the useragent seems to be one of Ubuntu. I'm just linking random data here together, but there is not much else to go on.

I got suspicious with this IP (24.143.xx.xx) as one moment the data originated from a Windows box, but minutes later it was a Ubuntu one.

And finally, these two (85.127.xx.xx, 81.246.xx.xx) visited the website three times in total, all within 30 seconds of each other. Not implying these are you, but strange behaviour was noted in my logs.
newbie
Activity: 14
Merit: 1
October 28, 2012, 05:06:52 PM
#76
ok guys and girls, where to go from here?

It seems to me I'm pretty safe for now, right? Many possible flaws and improvements have been pointed out but none of them lead to you guys getting close to me.

That bitcointalk-posting-time-attack seems hard to pull off and will likely take weeks to deliver meaningful data.

I pretty much decided to "have the VPS compromised" at some point, but I think I should wait with that since it could be over pretty quickly after that and I must say I'm quite enjoying this and learning a lot.

So maybe I should try to do some more stuff that might endanger my anonymity to make it more interesting? Like pop up on irc and chat with you guys or something.

Open for any suggestions that don't involve me actually doing anything illegal.

Here's your chance to set up some trap
newbie
Activity: 14
Merit: 1
October 28, 2012, 04:56:21 PM
#75
As this thread is highly informative and entertaining I'd like to add 1 BTC to the bounty.

Joe23 please provide me with an address or an escrow where I can send it.



Awesome!

I could give you an address from joe's wallet, but would prefer someone to do escrow for us.
newbie
Activity: 30
Merit: 0
October 28, 2012, 04:26:49 PM
#74
As this thread is highly informative and entertaining I'd like to add 1 BTC to the bounty.

Joe23 please provide me with an address or an escrow where I can send it.

sr. member
Activity: 477
Merit: 500
October 28, 2012, 04:20:28 PM
#73
theymos is pissed at me and releases my PMs publicly.

In those PMs you can see me asking MysteryMiner whether he was one of the german guys wearing masks at the Conference in London.



Can we assume he was in that conference? Maybe he is in one of the videos here: http://bitcoin2012.com/
legendary
Activity: 1064
Merit: 1011
760930
October 28, 2012, 04:07:32 PM
#72
You seem to have most things covered; but, the more complex you make the chain, the easier it is to slip up and forget/misconfigure something.
Everything we're talking about here is what I'm specialising in at University at the moment: digital & anti forensics/security.

cool.

sent a little bit to your address as can be seen in this updated screenshot of joe's wallet:
(I had to use the VPS proxy to upload it, imgur disallows tor)



OOOPS! I accidentally had Electrum's connection setup dialog open when I took the screenshot.

Increase your Electrum anonymity by connecting to a Tor *hidden* service rather than
a regular server. This helps prevent server operators from connecting some dots...

More info:
https://bitcointalksearch.org/topic/electrum-tor-service-at-4lhnnupincd3gydaonion50001-113116