Cock.li server seized again by German prosecutor, service moves to Romania

Cock.li server seized again by German prosecutor, service moves to Romania(arstechnica.com)

39 points by Koahku 10 years ago | 29 comments

striking 10 years ago |

Mr. Canfield's thoughts on the matter:

>> Of course, though the facts of the case are yet to be seen since no one in Germany is talking to us, I will definitely never host anything in Germany ever again

He was trusting of authorities and purposely did not use TLS (beyond STARTTLS) or encrypt his hard drives. And this is what happens. They take his hard drives immediately and seize his entire service.

How are we supposed to trust the authorities when they make themselves untrustable?

How are we, as server admins, supposed to stand down and backdoor our servers for law enforcement when this happens, when we know we can't trust them to use their powers responsibly?

Every time some big NSA exposé is unveiled, every time someone gets raided for no particular reason, I get to reaffirm my distrust of the Internet police, in whatever form they choose to take.

Policing the Internet is untenable and useless. Don't help the authorities attack your users, because oftentimes...

you're their last defense.

gexcolo 10 years ago | |

"Mr. Canfield" here,

I don't know if I would say I was "trusting of authorities" but I'm definitely distrusting now. I didn't bother with FDE because I figured it was more trouble than it was worth for a server that I ultimately don't own and can't control or protect against the oodles of key recovery attacks I'd have to worry about. In the event of a seizure I don't want to be like "hey uh they might have gotten everything maybe not!" so it's just not something I bothered with.

The situation is different now though as the service is being colocated instead of hosted on a rented server, which gives me a lot more freedom what can be done to secure the server against data theft. I'm also hosting with a privacy-conscious host (FlokiNET) I know will cooperate with me and fight bullshit government requests if/when they arrive (not saying what happened with Germany is bullshit, it's yet to be seen and I've been advised not to speculate).

Data theft aside, the service is in a more secure position it's ever been in. There's comfort in that, at least...

belorn 10 years ago | |

I wish that Debian installer (and other distributions) would have encryption on as default, especially if the installer ask you if you intend to install it as a mail server. Users are entrusting their communication to the server which means that the sane defaults should address their need for privacy and control.

Law enforcement always operate on what is easiest and cheapest. A common practice seem to have been established to raid a data center and take anything that could be valuable and then have it put on the backlog to be sorted in the next 5 years or until statute of limitations. By adding encryption to the situation, its possible to change the economics so its more economical to go through a judge and compel the service provider to provide the specific record that is being requested.

jlgaddis 10 years ago | | |

IMO, "sane defaults" are missing from pretty much every operating system out there -- both in their installers and the resulting installed system.

It all comes down to that "convenience versus security" trade-off and, for better or worse, those implementing these systems tend to lean more towards the "convenience" side. It's going to take some major changes before we start seeing systems that are "(mostly) secure by default".

darklajid 10 years ago |

Ignoring the childish domain name, hopefully the discussion won't go down that route again - that guy seems quite sincere and explains the situation quite well.

My take away: Don't (blindly) trust Germany, and certainly don't use Hetzner. If he's correct ("Hetzner didn't provide a copy of the confiscation order to me or my lawyer") I'm glad to be the first in this community that runs around, arms flailing, shouting "Hetzner is bad, Hetzner is the devil".

kybernetyk 10 years ago | |

About 10 years ago I've been running a popular German blog with a lively comments/discussion area. It didn't take long till the police showed up and took the server hard drives.

To my misfortune the procurator in charge didn't know much about how blogs worked so not only did the police confiscate the server drives but also my private computer.

Turns out someone liked Hitler too much and some other user notified the police.

Since then I haven't hosted anything in Germany. It's just too much trouble because German law regarding insults/forbidden symbols/hate speech is very strict. Policing user comments on a popular site would be a full time job.

ryanlol 10 years ago | |

Yeah, Hetzner also has this strange habit of spitting out SQL errors when you put apostrophes into forms on their website.

I'd avoid them.

currysausage 10 years ago | | |

At least a few years ago, shared hosting with Hetzner used to be a complete security mess. By default, every user could access many other users' www directories via SFTP, including loads of PHP config files with MySQL access data inside. No SFTP jails in place, no automated process to prevent 775 (or 777!) permissions. (Yes, you could delete other users' whole www directories.) Real names of all users on the same server world-readable in /etc/passwd. Didn't exactly increase my trust in their products.

dawnbreez 10 years ago | | |

As someone who just applied for (and failed to get) a job at a DB company:

Not sanitizing your inputs is unacceptable, even for a newbie. These guys must be really stupid.

teddyh 10 years ago |

Running a server containing users’ data (especially an e-mail server) in 2016 without full-disk encryption is like running a web server without HTTPS. Just don’t. It’s a privacy disaster waiting to happen.

This can happen in any country, even to a silly cock joke site like this, and your users will be hurt by it, possibly for many years to come. There is no longer any excuse not to do it.

nonninz 10 years ago | |

Excuse my ignorance, but how does full-disk encryption work if you don't have console access to it?

How do you enter the password after, say, a hard reset/power outage?

teddyh 10 years ago | | |

For Debian and Ubuntu servers: Mandos (http://www.recompile.se/mandos)

Introduction here: http://www.recompile.se/mandos/man/intro.8mandos

Disclosure: I am a co-author. (Yeah, yeah, we will switch our certificate from CACert to LetsEncrypt. Soon. Ish.)

ryanlol 10 years ago | | |

SSH?

rdl 10 years ago |

His video statement is pretty funny; I wish they were all this funny. https://u.pomf.is/imrkjv.webm "Steadfast commitment to a cock joke".

I'm kind of surprised Hetzner didn't replace a hard drive after the first raid; it was apparently operating in degraded RAID-1.

darklajid 10 years ago | |

I'm surprised that they give out your drive(s) without handing out a document that explains why they had to do that.

As far as I'm aware (not a lawyer, a complete layman) there's no 'gag order' here. So, my limited understanding so far is that this is either a complete fuck-up ("Nah, we don't care to provide that document") or malicious. Even if I follow the 'probably stupid, not malicious' argument: Why would you want to pay Hetzner if this video is correct and you won't even be able to get the documentation for them handing out your data?

necessity 10 years ago | | |

Why do you assume there's no gag order? From what I understand it's either that or what you suggest.

Koahku 10 years ago |

Previous discussion on HN after the first time it was seized

https://news.ycombinator.com/item?id=10774152

glasz 10 years ago |

since people seem surprised, let me reiterate on those laughable german data protection laws:

http://glasz.org/sheeplog/2015/02/data-privacy-regulations-i...

DO NOT trust any government or company. everything is full of submissive sheep. particularly so in germany.

bitwize 10 years ago | |

One of the remarkable things about the U.S. constitution is that it theoretically allows no escape rope from protection of rights; by contrast the constitutions of many European democracies as well as Canada contain "notwithstanding clauses" that allow free rein to the government when they deem it necessary for any reason to trample on your rights.

Not saying the USA is particularly good about upholding those rights... pur government has been looking for loopholes in the Bill of Rights since it was ratified.

345218435 10 years ago | | |

i have to admit i'm quite jealous of the u.s. constitution as it is very restrictive and works by the assumption that the state has no rights except those explicitely granted therein. really a beautiful document.

though there are some stupid loopholes it heavily depends on the people to defend it. but meanwhile, everybody is whining, brainwashed, focussing on the 2nd amendmend. unable to see its purpose.

other shit is more important, i guess. like what the gas price is and if silicon valley is eating money.

sheep have just lost their way.

herbst 10 years ago | | |

There have been more legit services destroyed trough uncompetent lawyers in the U.S. than anywhere else. (afaik)

herbst 10 years ago | |

Same goes for the U.S. and other five eye countries, even if of other reasons partially.

But to be safe make sure to never use any company to do anything privacy related which is in: U.S., Germany, England, Australia and the one i am missing.

If a gov of any of these decides your privacy is worth nothing anymore, they will just proceed to do so.

jlgaddis 10 years ago | | |

> "... and the one i am missing."

New Zealand.