[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Hidden Service Shared Hosting Platform

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Hidden Service Shared Hosting Platform
From: Thomas White <thomaswhite@xxxxxxxxxx>
Date: Thu, 28 May 2015 16:10:41 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 28 May 2015 11:36:30 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1432825852; bh=VRuW8uwWcm2JXPQkdkGHR6p2AiSjG26pxp9uHeaZVM4=; h=Date:From:To:Subject:References:In-Reply-To:From; b=LUGCehuC9ej+qyRQgKSNSnVZqYOFnvpTOH1jcj5LYLtz10w9YQGX+LG7gqZZfu7Si Cr5MHOQVwh0smNj79D+vb9g88ZdywrRsinjI67pyj3HVuE2asRsBQAWn7gj7eesIdw yAHJRiPudkSKvn186wQ6PDldUYSJM0ibBjxG6JUw=
In-reply-to: <55672BF5.10009@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <55667F67.8040101@xxxxxxxxxx> <55672BF5.10009@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Moritz,

Payments are already covered. Accepting bitcoin is the first platform
to look to, as well as Darkcoin possibly, but that only provides a
pseudo-anonymous means of security. Instead payments will be
tokenised, so that a person without needing to login may purchase a
token, which is stored as a hash on the database. A user can then
redeem any token to add credit to their account, but no log of whom
the token was redeemed by would be kept, nor would I be able to see
what tokens any individual account has used, therefore even using a
tracable means of payment like a debit card, I could not associate
that payment to a particular account or person using the system.

Regarding what is hosted, I feel getting too complex on the matter
will open up insecurities in some ways and would require significantly
more investment (thus more cost) and probably confuse the heck out of
people wanting to use it. My personal policy, which will be
transferred into the business policy, is never to hand over data
unless I am legally obliged to. For a warrant to be served in the UK,
there must be a degree of proof that I host the site concerned. As I
will not be publishing how many customers I will have, or what sites I
serve, I owe no obligation to monitor or report domains under my
control without a court order to do so. I feel good technology will
solve this problem, but I feel it is beyond my current capabilities to
design. So for now I am sticking to the one method I can rely on
against intrusive surveillance and law enforcement bullying: standing
my ground against every adversary and hold as little information on
customers as possible.

The big problem right now is the dispute I am having with tax
authorities. Under new EU VAT rules (VAT MOSS) I am required as a VAT
registered business to obtain 2 "proofs" of which country a client is
located in, so I can charge the correct rate of VAT. This is not a
privacy friendly regulation and whereas you can usually use just an IP
if no other source is available, I will not even have access to that
as a hidden service portal. Thus I am in the process of negotiating
and getting legal clarifications on the situation from the UK's
professional representing body for accountants.

So many battles to fight in this project, not to mention a new Tory
government to keep an eye on.

Tom

On 28/05/2015 15:53, Moritz Bartl wrote:
> Hi Thomas,
> 
> Great! I've been toying with the idea for quite a while now, too.
> Glad that someone is picking it up. :-) It would be ideal to find a
> way to make it hard even for yourself to find out whether a
> particular hidden service is hosted by you. I didn't really spend
> too much time thinking about it, but one idea I've had is to spin
> up and bootstrap 'remote' VM instances (on servers maintained by
> third parties) that you than hand over to individuals, complete
> with an interface for users to easily generate more
> hostnames/virtual hosts on 'their' VM. Apart from some update
> channels you could lock down the systems so you don't have easy 
> access. You could still check whether a certain VM has been paid
> for, but you don't have to know about the hostnames generated on
> the VMs.
> 
> I don't see a good way to achieve this if you maintain the VM
> hosts yourself. Maybe one can built it so users decrypt their
> hidden services (keys) on reboot so they're only available in RAM.
> 
> If we think hard enough, there's probably a nice way to keep the 
> relationship of users (and their payments) and running hidden
> services separate (or at least hard/expensive to recover).
> 
> Good luck!
> 

- -- 
Activist, anarchist and a bit of a dreamer.
Keybase: https://keybase.io/thomaswhite

PGP Keys: https://www.thecthulhu.com/pgp-keys/
Current Fingerprint: BA81 407C BD61 CD15 E5D9 ADA9 5FA2 426F F34E 0FD4
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0

Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 77E6C8C6 95FDE863 1172A1E1 8C114C01 691398AC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJVZy/vAAoJEF+iQm/zTg/UYz0QAI4tPJNbBbeBzFfdDqHJPOPG
JA6M1aVBOF2gFw7myp0AW4D8+KD+xcr2oKw6SHn4GcBdiMo/virDOKhMLFO4WwNn
NGC5dyxV+bdLO0Z4Ydv5XmhPktz9cX7Il9aUzF7kTsbI2GYL5RJIdg+oPemh7b86
QgfNNN9vXeSI97ZYjM5jgDP6A4Pex+fbe93d8mRnQPK5T89cx5+BasHyRiqd/DKb
wVqz1gajS0dBopBk3zbge+y5yvAxcjjZYddYlqrUI6wSlcHcMmzqDXuqSDcravMz
6Zmi9Q5YQNwRzPeMvQ0anIvmDCUt9yL7bnWwo4hdrlC1Lqc15JPQs6JJXlmiCE5r
wZIQGc3RsbDRbFlzLLiYRwDufcWt1q4EFYOeCQBCFn/Ah7AjYVLBkEabD3B02ZFl
/6qrM852jLdwglhzFLikPSfPs1w5Qxo/62qmZbY4AiYoJVsrEdR8PnUfSKtyZHmE
pQBio5/4/lp3UfqW1dEqnBHEqZEZ0a++jUqqZG7d7zTR83m/4sCH2q8aRONOd42Q
dNBi1JpvfdQlZP923kCiHGdw8EpnCOJJ7Z7NhX7XJeyr1TD68Ki1L7hvH5v8ppBt
AWQ0jiA1yrE2ZfPP4Bl3jcPMXyrUozImCypdJSo0f/Yepagb4SBSjOyXRRuywD+7
r19LnQctuyAsSY+ReY0t
=y2iR
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Hidden Service Shared Hosting Platform
  - From: Thomas White
- Re: [tor-talk] Hidden Service Shared Hosting Platform
  - From: Moritz Bartl

Prev by Author: [tor-talk] Hidden Service Shared Hosting Platform
Next by Author: Re: [tor-talk] Work needing done, volunteer / comp'd [was: T-shirts]
Previous by thread: Re: [tor-talk] Hidden Service Shared Hosting Platform
Next by thread: [tor-talk] Tor Weekly News â May 28th, 2015
Index(es):
- Author
- Thread