[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Hidden Service Shared Hosting Platform

Hash: SHA1

Hi Moritz,

Payments are already covered. Accepting bitcoin is the first platform
to look to, as well as Darkcoin possibly, but that only provides a
pseudo-anonymous means of security. Instead payments will be
tokenised, so that a person without needing to login may purchase a
token, which is stored as a hash on the database. A user can then
redeem any token to add credit to their account, but no log of whom
the token was redeemed by would be kept, nor would I be able to see
what tokens any individual account has used, therefore even using a
tracable means of payment like a debit card, I could not associate
that payment to a particular account or person using the system.

Regarding what is hosted, I feel getting too complex on the matter
will open up insecurities in some ways and would require significantly
more investment (thus more cost) and probably confuse the heck out of
people wanting to use it. My personal policy, which will be
transferred into the business policy, is never to hand over data
unless I am legally obliged to. For a warrant to be served in the UK,
there must be a degree of proof that I host the site concerned. As I
will not be publishing how many customers I will have, or what sites I
serve, I owe no obligation to monitor or report domains under my
control without a court order to do so. I feel good technology will
solve this problem, but I feel it is beyond my current capabilities to
design. So for now I am sticking to the one method I can rely on
against intrusive surveillance and law enforcement bullying: standing
my ground against every adversary and hold as little information on
customers as possible.

The big problem right now is the dispute I am having with tax
authorities. Under new EU VAT rules (VAT MOSS) I am required as a VAT
registered business to obtain 2 "proofs" of which country a client is
located in, so I can charge the correct rate of VAT. This is not a
privacy friendly regulation and whereas you can usually use just an IP
if no other source is available, I will not even have access to that
as a hidden service portal. Thus I am in the process of negotiating
and getting legal clarifications on the situation from the UK's
professional representing body for accountants.

So many battles to fight in this project, not to mention a new Tory
government to keep an eye on.


On 28/05/2015 15:53, Moritz Bartl wrote:
> Hi Thomas,
> Great! I've been toying with the idea for quite a while now, too.
> Glad that someone is picking it up. :-) It would be ideal to find a
> way to make it hard even for yourself to find out whether a
> particular hidden service is hosted by you. I didn't really spend
> too much time thinking about it, but one idea I've had is to spin
> up and bootstrap 'remote' VM instances (on servers maintained by
> third parties) that you than hand over to individuals, complete
> with an interface for users to easily generate more
> hostnames/virtual hosts on 'their' VM. Apart from some update
> channels you could lock down the systems so you don't have easy 
> access. You could still check whether a certain VM has been paid
> for, but you don't have to know about the hostnames generated on
> the VMs.
> I don't see a good way to achieve this if you maintain the VM
> hosts yourself. Maybe one can built it so users decrypt their
> hidden services (keys) on reboot so they're only available in RAM.
> If we think hard enough, there's probably a nice way to keep the 
> relationship of users (and their payments) and running hidden
> services separate (or at least hard/expensive to recover).
> Good luck!

- -- 
Activist, anarchist and a bit of a dreamer.
Keybase: https://keybase.io/thomaswhite

PGP Keys: https://www.thecthulhu.com/pgp-keys/
Current Fingerprint: BA81 407C BD61 CD15 E5D9 ADA9 5FA2 426F F34E 0FD4
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0

Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 77E6C8C6 95FDE863 1172A1E1 8C114C01 691398AC
Version: GnuPG v2

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to