Hidden Services Hosting and DMCA

Mike Perry mikeperry at fscked.org
Sat Jun 12 20:28:03 UTC 2010

Thus spake Moritz Bartl (tor at wiredwings.com):

> On 12.06.2010 13:13, Marco Bonetti wrote:
> > On 12/giu/2010, at 12.49, Moritz Bartl <tor at wiredwings.com> wrote:
> >> The barrier to create hidden services is quite high.
> > I'm not too sure about this: you can run hidden services on tor clients
> > which do not relay any traffic for the network.
> > Starting a service is not that difficult: an home flat Internet
> > connection and a low power computer are ideal for a small personal
> > hidden service.
> That machine should be up 24/7, and you still need to maintain (ie.
> update) it.

Actually, the uptime problem is a rather good reason not to
consolidate hidden services with your exit node. An anonymous user on
the I2P network used to run a public intersection attack on I2P router
uptime vs eepsite (hidden service) uptime. It was rather easy to
correlate which I2P nodes were running which services with this data.

Of course, running hidden services in a separate VM might not have the
correlation that using the same Tor process will, but host OS
downtimes will still be correlated. If it is known that you are a
large provider of hidden services, it becomes useful for an adversary
to closely monitor your host OS for downtime to correlate to downtime
of hidden services.

As a related point, you need to be very careful about your opsec when
providing services like this. While US law protects you from
incriminating yourself by revealing your own encryption keys
(probably), it does not protect you from divulging encryption keys of
your users if you have them, nor does it protect you from court orders
requiring you to install monitoring software into your user's systems
to see what they are doing.

Add in the correlation properties for hidden services or other data
that may be available due to knowledge of your hosting setup (think
apache+php versions, etc), and there may be a sufficient level of
cause for such court orders to be binding.

Of course, you can try to simply ignore these orders due to the fact
that you're German and they're not likely to extradite you over them,
but you'll probably lose your server, and you might have trouble
entering the US at a later date then.

Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20100612/897c9c12/attachment.pgp>

More information about the tor-talk mailing list