An anonymous content server

Posted in hygiene ssh bash apache http qr

Let's say you want to share files or contents with someone you don't know. And you don't want to reveal anything about yourself.

And let's say, being a concerned and responsible cyber-citizen, you will host the service yourself.

A few lines of bash script and a webserver is all you need.

Dis-blamer

Staying fully anonymous is out of scope of this post.

And as you've probably have heard, staying anonymous on the internet is really, really hard.

Correct that. Staying anonymous on the internet will demand inconveniences that you are most likely not prepared to endure.

We'll be getting into that some other time.

Meanwhile, I don't want you to blame me if you dis-, mis- and malinformation [1] Thought Police come knocking because of what you posted on your content server.content server.

So let's first be clear what we don't cover here.

Host registration

To register for a hosting provider, you still need an email. Everywhere. To my knowledge, at least [2].

To get an email, you may need to provide an email. Or a phonenumber. And so on...

Safe connection

Are you using VPN or overlay?

How did you pay for the service?

Are you sure they're not keeping logs?

Is your DNS leaking?

Remember: You need to use a safe connection whenever you are interacting with the server. Not only when you are setting up.

Payments

If you pay with card, privacy is out the window anyway.

So crypto is really the only way. And making sure the crypto cannot be traced back to you is tricky in itself.

The anonymous host

Now, let's pretend you got through all of these precautions, and you are ready to sign up for hosting for your content server.

There are options out there that will let you establish a VPS for a small amount of cryptocurrency per year. I have had luck with using 1984.is [3]. That is not an endorsement, and I'm sure there are other similar options out there.

Now that you have a VPS, you can set up a webserver.

The web server

Settings up a webserver is out of the scope of this post.

I use Apache Webserver myself. I've always used Apache Webserver. You can consider that an endorsement!

You don't really need to set it up much either. All you need is a vanilla server that serves any file in a given directory.

The posts

How do we get the content to the server?

First of all, remember that the same anonymity precautions are valid for any connection you make to the VPS.

Having established that, here's a small shell script [4] that will upload a file to a random identifier, while creating

  • A retrieval URI
  • A QR code for the retrieval URL
REMOTEPROTO=${REMOTEPROTO:-http}
REMOTESSHHOST=${REMOTESSHHOST:-localhost}
REMOTEHOST=${REMOTEHOST:-localhost}
REMOTESSHPATH=${REMOTESSHPATH:-/var/www}
# note this should handle missing start or end slash if exposed!
REMOTEPATH=/
TMPDIR=/tmp

fi=$1

if [ ! -f "$fi" ]; then
        exit 1
fi

uu=$(uuidgen)

d=$(mktemp -d)

ext=${fi##*.}

fn="$uu.$ext"

fo=$d/$fn

cp $fi $fo

scp -q $fo ${REMOTESSHHOST}:${REMOTESSHPATH}
ssh ${REMOTESSHHOST} chmod 644 ${REMOTESSHPATH}/$fn

url="${REMOTEPROTO}://${REMOTEHOST}${REMOTEPATH}$fn"

qrencodebin=$(which qrencode)
if [ ! -z "$qrencodebin" ]; then
        $qrencodebin "$url" -s 10 -m 6 -o $TMPDIR/${uu}_qr.png
fi

echo $url

Simply:

  1. Generate a random identifier as a file basename
  2. Attach the file extension to the filename
  3. Make a file copy through SSH to the public web folder of the VPS
  4. Share the URI (or qr code stored to $TMPDIR with the same name) to retrieve.

Get a way

So you have the link. You show the QR code. The other party scans it and all is good.

But, can it still be used if you share it digitally?

You just send it off to whoever is the recipient, right?

Not so fast.

If you send the link from an email address that is linked to you, that may also link the content server to you. Then all of the above may have been for naught.

And any other email address you send it from, will be linked to the recipient and the content when future emails are sent.

Remember, the recipient's email server (which is very likely to be G00gl€, Amaz0n or Micr0$0ft) can plainly read all your emails. Unless you are messing with PGP. Which you should. Which is very unlikely that you are.

Encrypted messengers? Well, they may not be as encrypted as you think. And the same problem applies: If you use one for something, then that something will create context for other things you use it for.

Proportional paranoia

There is scarcely any limit to how paranoid you can get when you start to decompose problems like this.

So only worry about what is reasonable to worry about.

In this case, the issue is to protect your identity from the recipient. Maybe you shouldn't worry about a third party listening in.

Worrying an knowing doesn't have to be the same thing, though. And one thing we do know is that something is listening. To everything. Always.

[1]You can't make this stuff up: "Malinformation is the intentional spreading of genuine information with the intent to cause harm." - [USA Homeland Security](https://www.dhs.gov/sites/default/files/2022-08/22_0824_ope_hsac-disinformation-subcommittee-final-report-08242022.pdf) ([copy](https://g33k.holbrook.no/1ff4b6a6ad8556884de6fc0bfe4756a1ade34cf32abe67c69dba9f16eeeef283))
[2]If you know of any that do not require an identifier in others' custody to sign up, please let me know: http://holbrook.no/msg.
[3]In general, Iceland seems a good territory for digital anonymity and sovereginty ever since they gave the middle finger to the global banking establishment after the 2008 crash, when they wanted to loot the country under the legal cover of utter fraud of the population.
[4]You will need the qrencode package for that