Re: Hidden Services Hosting and DMCA

2010-06-12 Thread Moritz Bartl
Hi Mike,

Thanks for your valuable input. What you are saying implies that
there might be forces interested in investigating what I am hosting. In
a way, you need to compare it to any ISP hosting illegal content without
knowledge. In the case of hidden services it might be harder to
determine the ISP, in the Internet today it is trivial. Regardless of
that, in the end I am just an ISP. If they put so much work in finding
the source, and the source turns out to be me - as in an ISP -, what
else is there to do other than contacting me? I will do everything I can
to shut down illegal services, not only because I am forced to by law,
but because I feel it is the right thing to do. The hosters I deal with
all agreed to forward abuse to me based on DMCA (or the appropriate
country specific equivalent), and I approached them with a commercial
partnership background.

If I were to defend the idea, I could say that if you tried to find the
source of a hidden service, personal servers with worse/less regular
uptime on a residential line would be much easier to track down.

> Of course, you can try to simply ignore these orders due to the fact
> that you're German and they're not likely to extradite you over them,
> but you'll probably lose your server, and you might have trouble
> entering the US at a later date then.

Sad as it is, if that's what it takes, I'm up to it. My education spans
carefully crafted rights, and if these rights are no longer guaranteed,
I will, I want to, stand up for them. I will never *ignore* any orders,
but I will carefully examine the legal basis of the inquiry. I've been
maintaining a fairly high bandwidth Tor exit for years now, and I know
how to deal with abuse. The worst thing that happened was a murder case
investigation, but it was no problem to clear it up without any
interruptions of my Tor node.

I have contacted enough cooperating ISPs outside the US if that turns
out to be necessary (and I hope to find more through this project). This
specific server at Softlayer is paid for on a monthly basis. I will not
provide decryption keys, and luckily I am not forced to do so. If I
were, I would not consider doing this. I have closely looked at
(somewhat) related incidents in Germany, and all charges have been
dropped for lack of evidence if the respective disks were encrypted, in
all cases.

I feel that this discussion is on the brink of something off topic, but
the implications are something that definitely need to be clarified in
any case, no matter how I decide.

Speaking to the list: I understand that most of you are skeptical about
this venture, and you have all the right to be. You should be. But don't
just give up on me, tell me about it. Especially with the current
political situation, I see a market around Tor, and you should not
misconceive that. Commerce is not all bad.

Moritz
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/


Re: webdav as hidden service?

2010-06-12 Thread Kyle Williams
Yes, you can use WebDAV as a hidden service. FYI, Windows also has its
"Web Client", aka WebDAV, built into most newer Windows OSes.

Security Note: If you're using Windows and a shitty browser like Internet
Explorer, then it's possible for your Username, Domain/Workgroup, and
various other little tidbits of information to be leaked out using WebDAV.

Best regards,

Kyle

startx wrote:
> hi.
>
> i was wondering if anybody has tried to set up a webdav 
> directory as a hidden service?
>
> on the server side this should be relatively straight forward:
> webdav is technically nothing else than a http service
> and apache/mod_webdav would handle that probably the same way
> it would handle the vhost for a hidden service.
>
> however, is there any webdav client which could be used for that?
> firefox does afaik not support webdav (at least not on linux)
> and i would have no idea how to torify nautilus (gnome).
>
> or are there other objections why this would not work?
>
> startx



Re: Hidden Services Hosting and DMCA

2010-06-12 Thread Mike Perry
Thus spake Moritz Bartl (t...@wiredwings.com):

> On 12.06.2010 13:13, Marco Bonetti wrote:
> > On 12/giu/2010, at 12.49, Moritz Bartl  wrote:
> >> The barrier to create hidden services is quite high.
> > I'm not too sure about this: you can run hidden services on tor clients
> > which do not relay any traffic for the network.
> > Starting a service is not that difficult: a home flat Internet
> > connection and a low power computer are ideal for a small personal
> > hidden service.
> 
> That machine should be up 24/7, and you still need to maintain (ie.
> update) it.

Actually, the uptime problem is a rather good reason not to
consolidate hidden services with your exit node. An anonymous user on
the I2P network used to run a public intersection attack on I2P router
uptime vs eepsite (hidden service) uptime. It was rather easy to
correlate which I2P nodes were running which services with this data.

Of course, running hidden services in a separate VM might not have the
correlation that using the same Tor process will, but host OS
downtimes will still be correlated. If it is known that you are a
large provider of hidden services, it becomes useful for an adversary
to closely monitor your host OS for downtime to correlate to downtime
of hidden services.


As a related point, you need to be very careful about your opsec when
providing services like this. While US law protects you from
incriminating yourself by revealing your own encryption keys
(probably), it does not protect you from divulging encryption keys of
your users if you have them, nor does it protect you from court orders
requiring you to install monitoring software into your user's systems
to see what they are doing.

Add in the correlation properties for hidden services or other data
that may be available due to knowledge of your hosting setup (think
apache+php versions, etc), and there may be a sufficient level of
cause for such court orders to be binding.

Of course, you can try to simply ignore these orders due to the fact
that you're German and they're not likely to extradite you over them,
but you'll probably lose your server, and you might have trouble
entering the US at a later date then.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
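
Added example, not part of Mike Perry's message: a self-check an operator can run on their own uptime records to see how the uptime correlation described above narrows the set of hosts that could be running a hidden service. Host names and timelines are constructed, and the one-sample-per-probe-interval model is an assumption.

```python
# Added example: how quickly shared downtime singles out a co-hosted service.
# All names and timelines are constructed sample data, not measurements.

def timeline(bits):
    """'1101' -> [True, True, False, True]; one up/down sample per interval."""
    return [c == "1" for c in bits]

def surviving_candidates(host_up, service_up):
    """Rule a host out at the first interval where it was down while the
    service was still reachable. Returns (survivors, set size per interval)."""
    candidates = set(host_up)
    sizes = []
    for t, svc in enumerate(service_up):
        if svc:
            candidates = {h for h in candidates if host_up[h][t]}
        sizes.append(len(candidates))
    return candidates, sizes

def outage_overlap(host_up, service_up):
    """Fraction of service outages during which each host was also down."""
    outages = [t for t, svc in enumerate(service_up) if not svc]
    if not outages:
        return {h: 0.0 for h in host_up}
    return {h: sum(not up[t] for t in outages) / len(outages)
            for h, up in host_up.items()}

def singled_out(host_up, service_up, min_overlap=1.0):
    """Hosts never contradicted AND down for at least min_overlap of outages."""
    survivors, _ = surviving_candidates(host_up, service_up)
    overlap = outage_overlap(host_up, service_up)
    return sorted(h for h in survivors if overlap[h] >= min_overlap)

# Constructed: the service shares a host OS with exit-A (reboots at t=3, t=8).
SERVICE = timeline("111011110111")
HOSTS = {
    "exit-A":  timeline("111011110111"),  # same host OS as the service
    "relay-B": timeline("110111111111"),  # down at t=2 while service was up
    "relay-C": timeline("111111101111"),  # down at t=7 while service was up
    "relay-D": timeline("111011111101"),  # one coinciding outage, then t=10
    "relay-E": timeline("111111111111"),  # never down, so never explains outages
}

if __name__ == "__main__":
    print(surviving_candidates(HOSTS, SERVICE)[1])
    print(outage_overlap(HOSTS, SERVICE))
    print(singled_out(HOSTS, SERVICE))
```

Two host OS reboots are enough here to leave a single host that explains every outage, which is why moving the service into a separate VM on the same machine does not remove the signal.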




Re: Hidden Services Hosting and DMCA

2010-06-12 Thread Moritz Bartl
On 12.06.2010 22:15, Moritz Bartl wrote:
> I sorry you're right.

LOL now that was a typo. :)


Re: Hidden Services Hosting and DMCA

2010-06-12 Thread Moritz Bartl
Hi Scott,

On 12.06.2010 21:10, Scott Bennett wrote:
>> That machine should be up 24/7, and you still need to maintain (ie.
>> update) it.
>  What a strange thing to say!  How can you credibly claim to know the
> availability requirements for other persons' hidden services?

I sorry you're right. Being not a native speaker, you shouldn't take all
my phrases literally. ;-)
Let me rephrase that: I see a group of people who might want to provide
hidden services, but don't have the resources and/or expertise and/or
will to do it all by themselves.

Cheers,
Moritz


Re: Hidden Services Hosting and DMCA

2010-06-12 Thread Scott Bennett
On Sat, 12 Jun 2010 13:15:47 +0200 Moritz Bartl wrote:
>On 12.06.2010 13:13, Marco Bonetti wrote:
>> On 12/giu/2010, at 12.49, Moritz Bartl  wrote:
>>> The barrier to create hidden services is quite high.
>> I'm not too sure about this: you can run hidden services on tor clients
>> which do not relay any traffic for the network.
>> Starting a service is not that difficult: a home flat Internet
>> connection and a low power computer are ideal for a small personal
>> hidden service.
>
>That machine should be up 24/7, and you still need to maintain (ie.
>update) it.
>
 What a strange thing to say!  How can you credibly claim to know the
availability requirements for other persons' hidden services?


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


webdav as hidden service?

2010-06-12 Thread startx
hi.

i was wondering if anybody has tried to set up a webdav 
directory as a hidden service?

on the server side this should be relatively straight forward:
webdav is technically nothing else than a http service
and apache/mod_webdav would handle that probably the same way
it would handle the vhost for a hidden service.

however, is there any webdav client which could be used for that?
firefox does afaik not support webdav (at least not on linux)
and i would have no idea how to torify nautilus (gnome).

or are there other objections why this would not work?

startx



Re: Hidden Services Hosting and DMCA

2010-06-12 Thread Moritz Bartl
Hi,

On 12.06.2010 13:13, Marco Bonetti wrote:
> On 12/giu/2010, at 12.49, Moritz Bartl  wrote:
>> The barrier to create hidden services is quite high.
> I'm not too sure about this: you can run hidden services on tor clients
> which do not relay any traffic for the network.
> Starting a service is not that difficult: a home flat Internet
> connection and a low power computer are ideal for a small personal
> hidden service.

That machine should be up 24/7, and you still need to maintain (ie.
update) it.

-- 
Moritz Bartl
http://www.torservers.net/


Re: Hidden Services Hosting and DMCA

2010-06-12 Thread Marco Bonetti

On 12/giu/2010, at 12.49, Moritz Bartl  wrote:

> The barrier to create hidden services is quite high.

I'm not too sure about this: you can run hidden services on tor
clients which do not relay any traffic for the network.
Starting a service is not that difficult: a home flat Internet
connection and a low power computer are ideal for a small personal
hidden service.


--
Sent from my iPwn


Hidden Services Hosting and DMCA

2010-06-12 Thread Moritz Bartl
Hi,

We are currently having a discussion over at torservers.net on whether
it is wise to offer hidden service hosting.
Most people don't have a server, they use free email or pay for cheap
webhosting. The barrier to create hidden services is quite high. I feel
that the Tor network could definitely use an ISP who offers hidden
services hosting. My idea was to use a separate, disk encrypted virtual
machine for hosting hidden services, and only open it towards the Tor
network. Regular, non-anonymous donators should then be able to open
their files towards the Internet, too.

>> If you use that server for other things beside Tor you will have a
>> hard time to explain and argue when abuse requests arrive - in fact
>> you can't.
>> It is quite easy to differentiate between a client (tor-exit) or a
>> server (hosted content) also for authorities.

Thank you. You're right, this has to be investigated further. I don't
think that hosting content - on a logically different machine -
influences the forwarding argument for the Tor nodes.
Also, I don't see how it is "quite easy" for authorities to
differentiate between middle node traffic and hidden services - that's
what they are there for after all.

>> You will not be able to use the response template if you get abuse
>> requests because it does apply for Tor only.

Then it will still apply for the IP addresses of the nodes.

>> [...] "We further recommend that you not keep any potentially illegal
>> files on the same machine you use for Tor, nor use that machine for
>> any illegal purpose. Although no Tor relay in the US has ever been
>> seized, nor any relay operator sued, the future possibility cannot
>> be ruled out.
>> If that happens, you will want your machine to be clean." [...]

The Tor machine will be clean. If I rent a virtual machine, I also don't
know what happens on other VMs, and this is how I interpret this.

I'm not even so sure if DMCA applies for me, a German hoster offering
services, even when using US servers. Internet law isn't easy.

Moritz Bartl
http://www.torservers.net/