In this guide I will go through how to anonymously host the continued development of youtube-dl offshore using companies that have a track record of being very resilient to DMCA takedowns. As a general disclaimer, youtube-dl is not illegal, no matter how much the RIAA wants it to be. Hosting it is not illegal, but the RIAA doesn't care about what's legal, so we'll have to act accordingly and not rely on companies that will bend over backwards for them. This post is basically my way of flipping the bird to the RIAA.
DMCA ignored hosting providers
RIAA report including DMCA ignored hosting providers
United States Trade Representative report including DMCA ignored hosting providers
ESA report including DMCA ignored hosting providers
MPAA report including DMCA ignored hosting providers
Europol report including DMCA ignored hosting providers
Former bulletproof hosting reseller reviews offshore hosting providers
Former bulletproof hosting reseller on what the most warez friendly hosting provider is
(Novogara aka Ecatel recently got busted for tax evasion and are shady as hell in general, allowing anything to be hosted on their servers, so its probably best to stay away from them.)
Some countries like Ukraine, Kazakhstan, and Korea force hosting providers to use government SSL certificates, meaning that they can MITM the connection.
If anyone here is serious about hosting the continuation of the youtube-dl project, PM me and I'll give you a more specific recommendation. Keeping the hosting provider secret makes it a lot harder to take down.
CDNs and proxies to hide the real hosting provider:
DDoS-Guard - Highly recommended. Based in Russia. Doesn't care about DMCA at all. Currently provides protection to Nyaa (the world's largest public torrent tracker for anime and manga) and Sci-Hub (the world's largest piracy site for academic papers which under constant legal pressure from big US publishers). Has a free plan and accepts Bitcoin for paid plans While I recommend DDoS-Guard, I'll list some other alternatives in case something happens: CloudFlare - Might be a honeypot, especially since I'm not sure how they'd be able to get away with this otherwise, but CloudFlare works for now. Just don't expect privacy from them. They're a US based company so they'll probably be reigned in eventually, but for now they're having their Wild West days. If CloudFlare is not configured properly when set up, the real hosting provider will be leaked. More info about that here: 1, 2, 3, 3, 4, 5, 6
It's a myth that Cloudflare does not forward DMCA complaints, they forward everything. However, Cloudflare does not store any "sensitive data", which means forwarding "useless" information is similar like ignoring the DMCA request. A general advice is that whenever you use Cloudflare you should use a bulletproof backend server as well to avoid DMCA takedown request in the first place, so less or nothing gets forwarded (less "leakage risk").
Source: CHEF-KOCH / Warez / Bulletproof Hosting.md
OVPN's public IPv4 proxy (the Switzerland proxy) - Swedish company that provided a proxy for The Pirate Bay for a while, went to court because of it, and won. The two advantages with their Switzerland proxy is that it's hosted by Interxion - the same Netherlands based company that is hosting Feral Hosting's DMCA ignored seedboxes - and that Switzerland is a pretty good jurisdiction. OVPN also scores well on That One Privacy Site. Accepts Bitcoin.
Before we go into registering a domain, I think it's worth thinking about if it's really worth keeping the name youtube-dl or if it could be spun off into a more accurate and less trademark infringing name like media-dl, for example. It downloads video and audio from a lot more websites than just YouTube, after all.
Resilient TLDs (there are more options than just these)
.is - As of a few years ago ISNIC had only ever suspended one domain and it was connected to ISIS.
When we asked whether ISNIC would follow Greenland’s lead and move for a proactive suspension, we got a clear answer.
“The short answer is no. Such an action would require a formal order from an Icelandic court. ISNIC is not responsible for a registrant’s usage of their domains,” ISNIC’s Marius Olafsson told TorrentFreak.
“This policy applies equally to any .is domain,” Olafsson says, adding that it’s the domain owner’s responsibility to abide by the law, not theirs.
Source: https://torrentfreak.com/torrent-domain-suspensions-damage-credibility-registrar-says-140617/
“Domains can hardly be considered illegal any more than a street address. A street address is not illegal even if there is illegal activity in one apartment at the address,” ISNIC says.
Source: https://torrentfreak.com/torrent-domain-suspensions-damage-credibility-registrar-says-140617/
.to - Used by a lot of torrent and other filesharing sites. I have never seen one suspended. .ru / .su - Good for anything that doesn't affect Russia or go against Russian interests. In case you want cheaper options that are available on Njalla, .ch and .ws are said to be pretty good. .cr is a resilient TLD according to the International Intellectual Property Alliance's (IIAP) report:
thepiratebay.cr domain is still online despite actions against it from the Internet Corporation for Assigned Names and Numbers (ICANN) and the U.S. Embassy in Costa Rica. Other notorious infringing sites are following the trend of using .cr domains as a safe haven (e.g., kickasstorrents.cr). Costa Rica’s failure to deal effectively with its obligations regarding online infringement, more than eight years after they came into force under DR-CAFTA, is a serious concern.
.ec is also looking pretty solid as Library Genesis (the world's largest book piracy website, which is under constant legal pressure) have been using it for some time without getting suspended.
Vulnerable TLDs
.com, .net, .name, .gov, .cc, and .tv are operated by VeriSign, a Washington DC based company that is controlled by the US government.
.info, .mobi, .org, .asia, .aero, .ag, .bz, .gi, .hgn, .in, .lc, .me, .mn, .sc and .vc are operated by Afilias, a company that blocked one of the domains of WikiLeaks.
Resilient domain registrars/resellers
Recommended: Njalla - The most anonymous way to register a domain name. They buy the more common domains from Canada based Tucows, which is pretty abuse friendly and some TLDs like .is they buy from the registry directly. They then lease it to you while legally speaking they own the domain. This means that you don't have to give them any personal information to register it, they take Monero, and they have a Tor Hidden Service. Njalla is run by one of the Pirate Bay founders and they kept the Pirate Bay sense of humor alive when dealing with DMCA. Njalla is registered in Nevis.
Other: Openprovider aka Hosting Concepts B.V. - Netherlands based domain registrar that is one of the most used registrars of rogue pharma sites. Doesn't suspend domains without a WIPO decision or court order. Has a full section dedicated to it in the United States Trade Representative 2019 report and a brief mention in the 2020 report. easyDNS - Canada based registrar that has a big focus on due process. The current registrar of The Pirate Bay's .org domain, which it defended against the RIAA. Wouldn't suspend a domain domain for a video downloader like youtube-dl unless ordered by ICANN, CIRA, or the courts in the Province of Ontario, Canada (or) according to their takedown policy. Accepts Bitcoin. NiceVPS - Dominican Republic based reseller of easyDNS that accepts Monero and other cryptocurrencies. Has a Tor Hidden Service, PGP key, and warrant canary. I've seen NiceVPS recommended on some websites, but I'm not sure how solid is is. To be honest, I'd just get the domain directly from easyDNS if that's the registrar you want and then anonymize the Bitcoin via Monero as described later in this guide. Doesn't seem to offer all TLDs that easyDNS offers either, including some of the more resilient TLDs.
There are a few resellers of bulletproof Russian and Chinese registrars that accept cryptocurrency, but because those are pretty much only used by cybercriminals they would not be a good look for this project. And there's also the risk that they'll just be gone one day without a word and no way to transfer domain and not much recourse. Because of those reasons I'm omitting them from this list. I think the above mentioned registrars and resellers will be good enough, the project is legal after all.
Worth considering:
In order to register a domain at any of the other services than Njalla you'd have to fake the WHOIS information, which violates ICANN rules and registrars usually suspend domains because of that. I could especially imagine easyDNS doing this. Not sure how the other registrars would react to that, but ICANN does have the power to withdraw their accreditation - meaning that the registrars would lose the ability to issue domains - if they don't follow ICANN's rules. In the case of Njalla they aren't a registrar, they just fill in their own details for you when you register a domain for you from a registrar or registry.
SSL
Let's Encrypt - Free, open source, backed by EFF, Mozilla and others. Easy to set up and easy to maintain with auto-renewal script. If you're using CloudFlare, you'll have to use their phony SSL certificate.
Keeping your server secure and other technical advice
Check your server, and how reliable it is in terms of security and privacy, online services like https://centminmod.com can test your server and it's configuration to ensure nothing is "leaking".
Check if someone can see your hidden backend server IP via https://dnsdumpster.com. In general you should block every IP connection to your backend server, only allow your own connection, VPN's or reverse proxies. You quickly can check if someone has an "open" backend IP service via services like https://censys.io.
Source: CHEF-KOCH / Warez / Bulletproof Hosting.md
If you use CloudFlare, also check that your backend doesn't leak using CrimeFlare.
If you set up email with your domain, use SMPT and a custom mail server so it doesn't leak your origin server IP. Email is the easiest way to leak origin server IP addresses.
If you get a VPS, make sure it's KVM. KVM is much more secure than OpenVZ as OpenVZ doesn't have much separation between different customers on the same server. OpenVZ is also easy to oversell. Xen is also secure, but has worse performance than KVM. Use nginx, it has a lot better performance than Apache. Use MariaDB. It's a more up to date fork of MySQL developed by MySQL's original developer after he sold MySQL to Oracle. Contains bugfixes that sometimes have not gotten into MySQL yet. It is of course fully compatible with MySQL databases. Basic security hardening (I'd probably use OSSEC + Shorewall instead of fail2ban and ufw, but I'm not an expert at this ¯_(ツ)_/¯ ) nginx SSL/TLS hardening Let's Encrypt auto-renewal script Disable password access for administration, require login using SSH key, and limit the amount of login attempts. Change default ports, like SSH. If anyone tries to access the default SSH port, have the firewall block them for a few hours. Disable root login Disable nginx logging once everything is set up to protect user privacy and improve performance Don't use analytics. If you have to, self-host Matomo (formerly known as Piwik). It's open source.
Anonymous payments
Bitcoin is fully traceable nowadays and tumbling/mixing your Bitcoin won't make any difference.
Tumblers are useless Against my better judgement, I’m going with this click bait heading, but the premise is correct. Due to the software running real time analysis on the ledger, simply avoiding taint and breaking up coins is now entirely ineffective, as it matches the full bitcoin amount to be received over a period of time, as the software is built around a neural net of sorts (talking out of school here, I’m not a programmer) it appears to self-correct in real time as a more "likely" or "accurate" owner conclusion is reached.
Source: Blockchain Analysis and Anti-Money Laundering (X-post from /r/DarknetmarketsOz)
Meanwhile Monero was the only major cryptocurrency that that the US government couldn't track when they took down one of one of the biggest darknet drug markets and seized the site operator's cryptocurrencies. This is because Monero is the only major cryptocurrency designed to be truely private. Either get cryptocurrency donations or use a peer-to-peer exchange that doesn't enforce KYC (Know Your Customer) to buy Monero or Bitcoin. Some private sellers on those exchanges won't require IDs, while some might require it. If nothing is mentioned, it's worth asking the seller before you send them any money. A few even accept cash meetups and cash by mail (watch out for being scammed or mugged though). LocalCoinSwap, LocalCryptos, and LocalMonero even has sellers that accept gift cards (which you could buy with cash in a physical store). However, most gift cards are only redeemable in the country they were bought in, making this an option that won't work outside of the countries the sellers are based in. The one exception I know to this are Steam Wallet gift cards, which work internationally. From what I've read there are some centralized exchanges that don't require KYC, but at least some of them freeze funds if they think it seems suspicious and they refuse to release the funds until they have been provided with an ID. If you decide to buy cryptocurrency using a normal payment method, a wire transfer would be the option that involves the least amount of companies getting the transaction info, though I don't think you'd have much recourse with getting your money back if you got scammed and paid via wire transfer. Bitcoin ATMs may require ID and usually have surveillance cameras around them, but this may vary depending on where you live. If you bought Bitcoin, use XMR.to to exchange it to Monero. If the service provider only accepts Bitcoin and not Monero, exchange the Monero back to Bitcoin so that the Bitcoin has been anonymized. Don't pay in Bitcoin without exchanging it to Monero and back first. Prepaid cards usually require SMS verification and are sometimes limited to purchases within the country they were sold in, so be sure to read up on whatever card you're considering using. Vanilla Visa gift cards used to be the go to for VPN buyers back in the day, but things change, so read up about activation requirements and international purchases for the card in your country before buying anything and if you get information from an unofficial source, try and make sure that it's at least somewhat recent. And expect it to almost certainly get rozen if you try to pay with it over Tor. The risk is lower when paying over a VPN connection, but it's still a notable risk, especially if it's a VPN server with lots of users. A self-hosted VPN on a dedicated IP address in the same country that you bought the prepaid card would less likely to cause the card to get frozen. You could use the prepaid card on public WiFi, but that will give out your general location and will give the WiFi network your IP address. It will also give the WiFi network your MAC address, so be sure to set the MAC address to be random (just search something like "[operating system] random MAC address on WiFi" on DuckDuckGo). Then there's the issue that most browsers other than Tor Browser, SecBrowser, and Bromite are bad combating browser fingerprinting. Sure you could also customize Firefox with arkenfox user.js (formerly known as ghacks-user.js) and a bunch of extensions to combat all the different kinds of tracking, but you'll just make your browser more unique the more you modify it.
Anonymous Internet browsing
Use Tor Browser when doing anything in connection with the site. Never run Tor Browser in full screen. That makes you more easily trackable as websites can detect the real resolution of your screen. Don't install any add-ons or plugins, that makes you a lot easier to track. Block JavaScript when the website doesn't require it, that's the closest thing you'll come to an ad blocker. Keep your operating system up to date. If you don't want your ISP/government to see that you're using Tor you can run it on top of a good, logless VPN. PrivacyTools.io has a great page about it. IVPN is essentially under UK jurisdiction though, which is bad, so don't use that one. However, there is no guarantee that your VPN provider isn't logging, so take that into account. Another option is self-hosting a WireGuard VPN using Algo on a hosting provider that is located outside of Five Eyes, Enemies of the Internet and countries under surveillance, and Germany, has stood up against mass surveillance, and accepts cryptocurrency, but you'd have to make sure it doesn't leak IP addresses. You also lose the advantage of being one in a crowd of many people using a VPN server when you roll your own VPN server, so you'd have to connect to it using a publically available VPN service in order to hide the self-hosted VPN's IP address from your ISP since you would be the only user of the self-hosted VPN. Using a bridge is another option if you trust a Tor volunteer more than a VPN service. If you want to run something like PuTTY or FileZilla via VPN + Tor you'd have to either configure a router with it via OpenWrt or run it inside of a VM, preferably using a open source software like VirtualBox, KVM, or QEMU. There's some debate that running Tor on top of a VPN makes users easier to track though. I'm not really qualified to judge if that's true though, so read up on it and make your own decision if you're thinking about using VPN + Tor. Just running a software over Tor can be done more easily on the host computer. This section is for if you use Windows 10 and don't want to switch to Linux (even though you can set up dual boot or just boot it from a USB without even having to install it on your computer). You can use a tool like W10Privacy to decrease the amount of tracking in Windows 10, just be sure that the tool you use is updated to match the latest version of Windows 10 or you might brick your OS. If you use Windows and don't want to switch to Linux, use a non-admin user account and have an admin account that you only use to authorize trusted software to run, that will mitigate 94% of critical Windows vulnerabilities.
Use an end-to-end encrypted no logs email provider located outside of Five Eyes, Germany, Enemies of the Internet, and countries under surveillance - preferably ProtonMail - when signing up for all of those services.Use a different email address for public communications and anything else not related to the administration of the website. ProtonMail has a Tor Hidden Service, but signing up for ProtonMail is only possible on the clearnet address. And yes, it is possible to sign up for ProtonMail via Tor. It's not easy findind an exit node that hasn't gotten blocked yet, and you will most likely need a secondary email to send a verification code to, but it is possible. ProtonMail bans pretty much all temporary email inbox services, so you'd have to get another account anonymous email account first to recieve the verification code to. If you go for a email provider other than ProtonMail, keep in mind that it has to be there for the long haul in order to be usable. If it suddenly shuts down without notice, you're pretty much shit out of luck. So try and go for one that seems like it will stick around.
Comparison of alternatives:
https://privacytools.io/providers/email/
https://thatoneprivacysite.net/email-comparison/#detailed-email-comparison
Other
Use a new username that you haven't used before. Use a password generator and have it set to the max amount of characters. Use DuckDuckGo instead of Google. At least when doing work related to the site. It has a Tor Hidden Service that you can easily find by searching "duckduckgo onion" or "duckduckgo hidden service" on DuckDuckGo. Rely on open source software and privacy respecting services when it comes to processing and storing data related to the site. PrivacyTools.io, AlternativeTo, and GitHub makes it easy to find privacy respecting alternatives.
And yeah, I probably went pretty deep on some of the less relevant sections, but I thought it was best to just leave it in.
No comments:
Post a Comment