Apologies and Thank You for reading even though the line breaks were
lost.Apparently even 7bit ASCII is difficult to publish in.In case it happens
again, I will include paragraph breaks at the #, and repeat the initial email
between ==='s.#============================================================#I
know it is dead, because I have tried to do it, and I can assure you it is
dead.#Text is easy of course I can still blast a simple email out to a mailing
list, I can lay my claims out in 7bit ASCII and let the world judge the merits
solely on this simple medium.But media publishing a story with supporting
images, scans, video or audio it is dead, left only to the elites. And perhaps
worst of all is the promise made by all of you that if you just.... try a
little harder, if you just use this service over here, if you just think about
it another way that it is still possible.#It is not.#Some time ago as an
experiment I began the process to publish material fully anonymously
no compromises.I obtained a prepaid line of credit, paid in cash, verified
with a prepaid telephone, also paid in cash, and only turned on in an ambiguous
physical location.And I set about to find a Virtual Private Server I could run
a Tor Hidden Service on.My requirements throughout all of this were simple: use
Tor for everything, pay cash or cashequivalent for everything, leave no account
on a service run by a US/UK/AUS/NZ/CA company, have the VPS hosted outside the
same, pay a reasonable sum.#I needed an email of course.Nymservers like
http://isnotmy.name/ or http://mixnym.net should have been the solution but of
course they didn't work.No amount of guesswork or trial and error got me a
nym.Free webmail became the next goal.The more trustworthy (gmail), the less
satisfactorily anonymous it was.The easier it was to register (in.com) the
less trustworthy it was deemed.#After signing up for a lowtrust but easytoget
email, I narrowed down my hosting options to a group of VP
S in the price range, hosted outside the 'bad' countries, and whose company
itself was also outside.There aren't a lot.#The next problem became finding a
VPS I could pay for.You see, most VPS sellers are small resellers and don't
process their own credit cards they outsource it to a payment processor,
usually Paypal. Paypal doesn't work.Paypal or AlertPay too stringent
verification; Liberty Reserve blocks Tor; CashU no easily found online
merchant able to convert from a prepaid Credit Card; one after another all
online payment methods fell by the wayside.#You might think 'Bitcoin'.You would
be wrong.No bitcoin service accepts any anonymous funding source most only
accept bank transfers.Apparently people performed chargebacks on credit cards
to defraud the merchants.I can't blame them for this, but it certainly kills
the idea of 'anonymity'.And I don't trust the blockchain to provide
anonymity.#After finding one of three or four VPS' I thought I could pay for, I
encounte
red the next obstacle: MaxMind.MaxMind is a fraud detector built into
WHMCompleteSolution which in turn is the VPS management tool used by every
budget VPS.I set off every detector it had: proxy software, low trust email
account, strange addresses, no valid phone number, etc etc.When I inquired to
one company about this, I was laughed off.Even though I was willing to let them
charge my card and sit on it for a month before providing service no such
luck.#At this point, I needed to find a company large enough they processed
their own credit cards, didn't block Tor, and didn't use fraud detectors.I
found one, a competitor to Amazon EC2, that I thought I could fall through the
cracks of.It didn't like my low trust email address, but after enough
searching, I found an ISP I could get an account on without paying.After
getting that, creating and verifying an account, and finally set up to make my
payment... the prepaid card is declined.There's no explanation, it just didn't
work
.#I thought at this point, perhaps there was a service that could be
used.There was an announcement recently: http://karelbilek.com/anontorrent/
Supposedly this guy will seed anything until it has 20 seeders of its
own.Except the file limit is 50MB.And you can't upload copyrighted material.How
about any of the muchacclaimed 'leak sites' that spun up after Wikileaks
shuttered their wiki and submission system?Well, I went through all of these:
leakdirectory.org/index.php/LeakSiteDirectory and all of them seemed to be
either wannabes who had never published a thing or news organizations who were
security illiterate and had no way to accept content.#Anonymous Publishing Is
Dead.#You may seek to respond with the 'right way' to do it, the company you
know will let me fall through the cracks, the trick you use to whitelie your
way through the process.Don't bother.If there is a way through, and I'm not
convinced there is, it is so difficult to find that a technically unsavvy user
wo
uld never be able to; and even technically savvy users like myself who
understand all the tricks of firewalling off my machine so nothing but Tor
escapes are groping blindly for it, unlikely to find it.#What can be done
about this?What compromises are 'safe'?Is a Hidden Service sufficiently
trustworthy to host any material, and have it stand up to investigation when
the server running it is in your name?Is the correct approach not to publish
anonymously at all, as cryptome.org does?Should we rely on the Streisand
effect, bittorrent, newsgroups, something else?#These are mostly rhetorical
questions.My purpose in this email is to tell you that anonymous publishing is
an unsolved problem.Any solution available today is not robust: it falls down
in some situation: content, capacity, anonymity, or something else.What can be
done about it? What will be done about
it?#============================================================#To address
specific points:# Bitcoin Mixing is promi
sing, but infantile at this stage.Tor disables options like optimistic data
initially because it reduces the anonymity set.I'd consider bitcoin, but having
to link my bank account to get them in the first place?Or meet someone in
person?A stronglynonanonymous link followed by a maybeanonymous link makes a
weak chain.# VPS. Part of the exercise is also takedownresistance. The only
affordable service I would consider takedownresistant today is Tor Hidden
Services.Other providers, dedicated hosts, may be takedownresistant but they
are not cheap.Their monthly cost was my yearly budget.AFAIK there is no Hidden
Service hosting provider willing to host content rather than text.#
tor2web.This is nice, and enables ordinary people to reach Hidden Services, but
doesn't solve my problem of deploying a Hidden Service anonymously.I think it's
an important question to ask: Are Tor Hidden Services trustworthy enough to run
on a box in your own name?The level of exploitation necessary to ro
ot a box is much higher than the level of exploitation required to trick a
server (web server, SSL library, or application code) into revealing its IP
address.At that point, the anonymity is dead.Perhaps APAF problem will solve
that to the point where a Tor Hidden Service is safe enough.#
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
