
Re: [tor-talk] Anonymous Publishing Is Dead.

Apologies and Thank You for reading even though the line breaks were lost. Apparently even 7bit ASCII is difficult to publish in. In case it happens again, I will include paragraph breaks at the #, and repeat the initial email between ==='s.

============================================================

I know it is dead, because I have tried to do it, and I can assure you - it is dead.

Text is easy of course - I can still blast a simple email out to a mailing list, I can lay my claims out in 7bit ASCII and let the world judge the merits solely on this simple medium. But media - publishing a story with supporting images, scans, video or audio - it is dead, left only to the elites. And perhaps worst of all is the promise made by all of you that if you just.... try a little harder, if you just use this service over here, if you just think about it another way - that it is still possible.

It is not.

Some time ago as an experiment I began the process to publish material fully anonymously - no compromises. I obtained a prepaid line of credit, paid in cash, verified with a prepaid telephone, also paid in cash, and only turned on in an ambiguous physical location. And I set about to find a Virtual Private Server I could run a Tor Hidden Service on. My requirements throughout all of this were simple: use Tor for everything, pay cash or cash-equivalent for everything, leave no account on a service run by a US/UK/AUS/NZ/CA company, have the VPS hosted outside the same, pay a reasonable sum.

I needed an email of course. Nymservers like http://isnotmy.name/ or http://mixnym.net should have been the solution - but of course they didn't work. No amount of guesswork or trial and error got me a nym. Free webmail became the next goal. The more trustworthy (gmail), the less satisfactorily anonymous it was. The easier it was to register (in.com) - the less trustworthy it was deemed.

After signing up for a low-trust but easy-to-get email, I narrowed down my hosting options to a group of VPS in the price range, hosted outside the 'bad' countries, and whose company itself was also outside. There aren't a lot.

The next problem became finding a VPS I could pay for. You see, most VPS sellers are small resellers and don't process their own credit cards - they outsource it to a payment processor, usually Paypal. Paypal doesn't work. Paypal or AlertPay - too stringent verification; Liberty Reserve - blocks Tor; CashU - no easily found online merchant able to convert from a prepaid Credit Card; one after another all online payment methods fell by the wayside.

You might think 'Bitcoin'. You would be wrong. No bitcoin service accepts any anonymous funding source - most only accept bank transfers. Apparently people performed chargebacks on credit cards to defraud the merchants. I can't blame them for this, but it certainly kills the idea of 'anonymity'. And I don't trust the blockchain to provide anonymity.

After finding one of three or four VPS' I thought I could pay for, I encountered the next obstacle: MaxMind. MaxMind is a fraud detector built into WHMCompleteSolution which in turn is the VPS management tool used by every budget VPS. I set off every detector it had: proxy software, low trust email account, strange addresses, no valid phone number, etc etc. When I inquired to one company about this, I was laughed off. Even though I was willing to let them charge my card and sit on it for a month before providing service - no such luck.

At this point, I needed to find a company large enough they processed their own credit cards, didn't block Tor, and didn't use fraud detectors. I found one, a competitor to Amazon EC2, that I thought I could fall through the cracks of. It didn't like my low trust email address, but after enough searching, I found an ISP I could get an account on without paying. After getting that, creating and verifying an account, and finally set up to make my payment... the prepaid card is declined. There's no explanation, it just didn't work.

I thought at this point, perhaps there was a service that could be used. There was an announcement recently: http://karelbilek.com/anontorrent/ Supposedly this guy will seed anything until it has 20 seeders of its own. Except the file limit is 50MB. And you can't upload copyrighted material. How about any of the much-acclaimed 'leak sites' that spun up after Wikileaks shuttered their wiki and submission system? Well, I went through all of these: leakdirectory.org/index.php/LeakSiteDirectory and all of them seemed to be either wannabes who had never published a thing or news organizations who were security illiterate and had no way to accept content.

Anonymous Publishing Is Dead.

You may seek to respond with the 'right way' to do it, the company you know will let me fall through the cracks, the trick you use to white-lie your way through the process. Don't bother. If there is a way through, and I'm not convinced there is, it is so difficult to find that a technically unsavvy user would never be able to; and even technically savvy users like myself - who understand all the tricks of firewalling off my machine so nothing but Tor escapes - are groping blindly for it, unlikely to find it.

What can be done about this? What compromises are 'safe'? Is a Hidden Service sufficiently trustworthy to host any material, and have it stand up to investigation when the server running it is in your name? Is the correct approach not to publish anonymously at all, as cryptome.org does? Should we rely on the Streisand effect, bittorrent, newsgroups, something else?

These are mostly rhetorical questions. My purpose in this email is to tell you that anonymous publishing is an unsolved problem. Any solution available today is not robust: it falls down in some situation: content, capacity, anonymity, or something else. What can be done about it? What will be done about it?

============================================================

To address specific points:

- Bitcoin Mixing is promising, but infantile at this stage. Tor disables options like optimistic data initially because it reduces the anonymity set. I'd consider bitcoin, but having to link my bank account to get them in the first place? Or meet someone in person? A strongly-non-anonymous link followed by a maybe-anonymous link makes a weak chain.

- VPS. Part of the exercise is also takedown-resistance. The only affordable service I would consider takedown-resistant today is Tor Hidden Services. Other providers, dedicated hosts, may be takedown-resistant - but they are not cheap. Their monthly cost was my yearly budget. AFAIK there is no Hidden Service hosting provider willing to host content rather than text.

- tor2web. This is nice, and enables ordinary people to reach Hidden Services, but doesn't solve my problem of deploying a Hidden Service anonymously. I think it's an important question to ask: Are Tor Hidden Services trustworthy enough to run on a box in your own name? The level of exploitation necessary to root a box is much higher than the level of exploitation required to trick a server (web server, SSL library, or application code) into revealing its IP address. At that point, the anonymity is dead. Perhaps APAF problem will solve that to the point where a Tor Hidden Service is safe enough.

tor-talk mailing list