Silk Road forums
Discussion => Security => Topic started by: Turkey for Breakfast on August 06, 2013, 09:26 pm
-
I am looking for someplace in the onion world that is still operating for hosting digital goods? Does anyone know any sites that are still up and running?
-
Run your own. I have two. But I'm doing it wrong. I use Apache2, MySQL and phpMyAdmin. It works, but it's not "ready for primetime", yet.
http://torforum.org/viewtopic.php?f=5&t=18268&sid=250c50ecdc8189fc8746a96e180bd043
-
I believe, though can't say for certain: Torhost http://torhostg5s7pa2sn.onion
goblin
-
TorHost has been down for a long time. The only hosting provider I could find with a working link is AnonHosting, although I've never heard of anyone using it. It could be a scam. More importantly, there's no way to purchase an account, since their two contact methods are SimplePM, which is down, and -- you guessed -- Tormail!
Anyway, here's the address: http://wevuysiyescilvc7.onion
-
Wow, what a bitch that torhost no longer exists. Man, are the fuckers actually winning?
-
Make your own hidden service.
Follow the instructions here to set up a relay, except make it a hidden service instead of a relay
https://www.torservers.net/wiki/setup/server
Follow Torproject.org instructions to edit Torrc file to enable hidden service, then copy the private key it generates and save it. Edit lighttpd error pages to not reveal information, even better build it from source and rip out any identifying marks like version numbers ect. Remove binaries like ping, telnet, anything an attacker would use. Bind lighttpd to localhost (Tor). For a tiny information site good enough security
-
I setup a hidden service for image hosting a few days ago. It had security features to prevent IP leaks and entry guard identification, though I won't mention the specific features for obvious security reasons. I still took it down though. Honestly, I'm not comfortable running a hidden service until we find out how Marques was identified. I also don't have the resources to host the entire Tor or even SR community's images if it became the default image host. I also don't have the time or energy to police it for the massive amounts of CP it would get if it became the default image host.
Most people here are not technically savvy enough to run their own hidden services safely. Honestly comsec, it's a bad idea to suggest it to random people. They are going to get themselves into trouble. However, there are technically savvy users here who could consult anyone who has the resources to take on the challenge of running (potentially large) hidden services.
-
comsec, we need to have a talk.
You are a smart guy, but I've noticed a pattern with you, that you vastly overestimate the competence of the average SR user. I'm not knocking them, not everyone can be a tech expert. Weeks ago you recommended against using Tails, when it's pretty much the safest out of the box way random newbs who know nothing about technology can use Tor. Instead you recommended rolling your own hardened Gentoo build. Now you are recommending to random newbs that they should run a hidden service, when they've probably never worked with a web hosting provider, much less configured a web server or a Tor client, especially to security harden it.
People here need advice that makes them safe at the level of knowledge that they have. They shouldn't be persuaded into getting way over their heads, because it's going to get them in a lot of trouble.
-
You are a smart guy, but I've noticed a pattern with you, that you vastly overestimate the competence of the average SR user. I'm not knocking them, not everyone can be a tech expert. [...] Now you are recommending to random newbs that they should run a hidden service, when they've probably never worked with a web hosting provider, much less configured a web server or a Tor client, especially to security harden it.
I think in response to the OP's question, his comment about running your own hidden service is very appropriate. If you are going to host a .onion site, you should damn well know what you are doing... at least IMO.
People here need advice that makes them safe at the level of knowledge that they have. They shouldn't be persuaded into getting way over their heads, because it's going to get them in a lot of trouble.
Definitely tho. Nail on the head there. And that is why solutions like tails are good. Sure, the hardened gentoo build is better - I run a full open source gentoo system on a few of my systems. But these days, most people open their browser and use "the internet". So, partitioning a hard drive with fdisk is going to be more then a challenge to most, let alone building an X11 system from source (albeit emerge is the coolest thing ever).
-
comsec, we need to have a talk.
You are a smart guy, but I've noticed a pattern with you, that you vastly overestimate the competence of the average SR user. I'm not knocking them, not everyone can be a tech expert. Weeks ago you recommended against using Tails, when it's pretty much the safest out of the box way random newbs who know nothing about technology can use Tor. Instead you recommended rolling your own hardened Gentoo build. Now you are recommending to random newbs that they should run a hidden service, when they've probably never worked with a web hosting provider, much less configured a web server or a Tor client, especially to security harden it.
People here need advice that makes them safe at the level of knowledge that they have. They shouldn't be persuaded into getting way over their heads, because it's going to get them in a lot of trouble.
I don't have this philosophy of feudal security, and not everybody reading these forums is totally clueless. Said random newbs can now research how to build lighttpd, or gentoo. Not like Arch linux doesn't have spoonfeeding instructions on their wiki either how to build with PaX. You have to learn somehow. Not like anybody else couldn't have found those same torserver instructions and done it themselves.
I think offering feudal security services like Tormail and FH are far more dangerous. Those were centralized law enforcement magnets that drew the ire of the FBI and their sophisticated heap spraying decloaking payload delivery due to being a highly illegal CP distribution network. I bet if every recommendation for Tormail here to the totally clueless was also followed by "btw: server is full of CP" nobody would've used it. I would rather set up my own tiny hidden service that doesn't attract FBI 0day poorly over tor than use an email service or space on a server that's hosting CP, attracting all the resources of federal LE which ends up with my MAC, IP and hostname (and all my emails) stolen and added to a list beside sex offenders. Information is never bad
-
Was SR having its own image server discussed or shot down by DPR?
After this whole FH fiasco, it might be more attractive to have this community a bit more self contained or insulated from the 'dangers' lurking about the deep web.
I'm still pretty upset with myself for my ignorance and lack of awareness that following image links might be taking me to places I wouldn't want to go, and in the process, potentially exposing myself to an utterly different type of criminality to which I have not subscribed, nor am willing, to be personally, morally or criminally liable for. (Yes, I'm a fucking pothead, and pretty proud of it...online, at least.)
-
I don't have this philosophy of feudal security, and not everybody reading these forums is totally clueless. Said random newbs can now research how to build lighttpd, or gentoo.
You are clearly new here and have a poorly calibrated sense of their competence. People have a hard enough time with extremely basic things like getting NoScript turned on, let alone getting Tails setup. If you stick around, you will see in time how ridiculous this suggestion is.
They are a tiny minority of people here who can do this, but they already know how.
I think offering feudal security services like Tormail and FH are far more dangerous. Those were centralized law enforcement magnets that drew the ire of the FBI and their sophisticated heap spraying decloaking payload delivery due to being a highly illegal CP distribution network. I bet if every recommendation for Tormail here to the totally clueless was also followed by "btw: server is full of CP" nobody would've used it. I would rather set up my own tiny hidden service that doesn't attract FBI 0day poorly over tor than use an email service or space on a server that's hosting CP, attracting all the resources of federal LE which ends up with my MAC, IP and hostname (and all my emails) stolen and added to a list beside sex offenders. Information is never bad
I agree that services need to be decentralized, but that should happen through frameworks that are developed by competent individuals. I'm not saying Torchat and Bitmessage are safe, but they are examples of what I'd like to see in more secure forms. I have mentioned before that I'd love to see a Qubes Server Edition, which would be an out of the box solution for VM isolated servers, like a Whonix version of hidden services. It would be developed by security professionals and could be rolled out by a larger number of users. However, telling people to run and harden their own hidden services is extremely dangerous.
If everyone was running their own hidden service, a lot of people would have been pwned a lot sooner than this FH bust. If those pedo sites had been individually run by their administrators, some of them would have been taken down much longer ago. Same goes for vendors who would have hosted their own drug sites.
BTW, the reason so many people may have been pwned by the FH exploit is they didn't know to disable JavaScript and update their browser bundle in a timely manner, but you expect them to run hidden services. Think about it.
-
I have to say I agree with Astor here. I'm no idiot, but I am far from technically savvy enough to do some of the things being discussed. I freely admit I have a lot to learn yet, even though I managed to set up reply blocks for sending encrypted email through ermailers (with a little help from some friends) and a few other things.
But to set up a hidden service using a VM or something like that, well, that just flies well over my head.
goblin
-
It seems like this is a huge market opportunity for some tech oriented person.
-
It seems like this is a huge market opportunity for some tech oriented person.
It's also a huge risk. This is why noone else has really picked up the slack in regards to .onion hosting. Unless you operate fully out of a country that will not cooperate with other countries law enforcement. But even then, there is still a large risk.
To all thinking about setting up a hidden service. I would first create a server on the clearnet, then after getting comfortable with setup and troubleshooting the service, only then publish it as a hidden service. I see all too often people that barely understand apache or httpd setting up hidden services and thinking "Tor will protect me".
-
"Tor will protect me"
Yeah, famous last words.
-
It seems like this is a huge market opportunity for some tech oriented person.
It's also a huge risk. This is why noone else has really picked up the slack in regards to .onion hosting.
You hit the nail on the head. Unless there is a big financial incentive in it, who wants to risk decades in prison because idiots upload millions of CP images to their free image hosting site and the admin is incapable of controlling it?
-
You hit the nail on the head. Unless there is a big financial incentive in it, who wants to risk decades in prison because idiots upload millions of CP images to their free image hosting site and the admin is incapable of controlling it?
Well an idiot might... but then again an idiot probably couldn't setup a server, let alone hosting infrastructure.
@OP The only current .onion host I could find was Hidden Hosting. Here is the link: hostzdcvmuqacom4.onion
-
TBH, it's easy to set up a hidden service. You can copy-paste commands from a tutorial to install a web server + PHP + MySQL, then install Tor and uncomment a couple lines in torrc. You can be up and running with a hidden service in under 10 minutes.
It's much harder to set up a *secure* hidden service.
-
It's much harder to set up a *secure* hidden service.
Ah, that last line! For a minute I thought Astor had turned over.
-
I am working on something very similar myself, but for obvious reasons, nutting down on the security to make things fusion bomb tight is taking time and I hadn't expected to launch into this field for a good month or two but with FH being taken offline I've got the engines running as fast as I can for image uploaders, file uploaders and more, but web hosting like FH done is still a while out (for now) because each new service opened is another attack angle for hackers or LE.
I agree with astor above - nobody will do it without massive financial incentive, which I do have an incentive and will also be far stricter than FH on what can/can't be hosted there. Any idiot can setup a hidden service, but it is something you don't want to do willy-nilly as when you look into it more deeply, you realise there are cracks which can very easily expose you, and this isn't something you want to make a complete bollocks of.
-
Signed up for hidden host....paid but have not received access info yet. Will post here to let you all know how it goes.
mm
-
24 hours and no response from hidden host...possibly yet another .onion scam. I feel very naive when it comes to the .onion world. I like to bring value to the world in exchange for money and I find it very lucrative to give people good products and good service. I just can't relate to all of the sociopaths out here who think nothing of stealing money.....it's just plain shitty.
mm
-
I have announced upcoming VPNs (shared, dedicated) and SFTP servers and application hosting (forums, imageboards, image hosting, ect).
http://dkn255hz262ypmii.onion/index.php?topic=201319.msg1445277#msg1445277
-
I have announced upcoming VPNs (shared, dedicated) and SFTP servers and application hosting (forums, imageboards, image hosting, ect).
http://dkn255hz262ypmii.onion/index.php?topic=201319.msg1445277#msg1445277
How can we know that you're doing this with great security? Because if it's just middle of the road, there's great danger.
-
I have announced upcoming VPNs (shared, dedicated) and SFTP servers and application hosting (forums, imageboards, image hosting, ect).
http://dkn255hz262ypmii.onion/index.php?topic=201319.msg1445277#msg1445277
You're selling VPN access through SR? This should be interesting.