Hosting Under Duress

by Milo Trujillo (illegaldaydream@ddosecrets.com)

On June 19 2020, Distributed Denial of Secrets published BlueLeaks, approximately 270 gigabytes of internal documents from U.S. local-LEA/federal agency fusion centers, municipal police departments, police training groups, and so on.

The documents have revealed a range of abuses of power, from tracking protesters and treating journalists and activists like enemies, to willful inaction against the alt-right, with additional BlueLeaks-based stories emerging each week.  Thank you, Anonymous, for leaking this data!

The retaliation against DDoSecrets has been significant.

Twitter promptly banned @ddosecrets, followed by Reddit's bans of /r/ddosecrets and /r/blueleaks, all for violating content policies regarding posting personal information and hacked material.  Both blocked the ddosecrets.com domain name in posts, and Twitter went as far as blocking it in DMs, and blocking URL-shortened links by following them with a web spider before approving the message.

German police seized a DDoSecrets server on behalf of U.S. authorities (our hosting providers are geographically scattered), and goons from Homeland Security Investigations paid a visit to some folks operating a mirror of DDoSecrets releases, asking questions about the BlueLeaks documents and the founder of DDoSecrets, ultimately attempting to recruit them as informants and offering money for info that led to arrests.

None of these actions have hindered distribution of the BlueLeaks documents, which were released by torrent, and all are directed at the publishers of the documents, not the hackers that leaked them.  WikiLeaks maintains an active Twitter account and has faced no such domain banning.  What we have is a warning: publishing information on U.S. law enforcement, even when clearly in the public interest, will not be tolerated.

So how do you design server infrastructure to operate in this hostile space, where third-party corporations will ban you and self-hosted servers are liable to be seized?  Distribution, redundancy, and misdirection.

All the documents published by DDoSecrets are distributed by torrent, so there is no central server to seize or account to ban to halt distribution, and data proliferates so long as there is public interest.  But leaking data is only half of the DDoSecrets mission statement: raw documents aren't valuable to the public; the ability to extract meaning from them is.

Therefore, DDoSecrets works closely with journalists and academics to help them access and analyze data, and runs a number of services to make analyzing leaks easier, like Whispers (whispers.ddosecrets.com), a search tool for so-called "Nazi" chat logs, or X-Ray (xray.ddosecrets.com), a crowd-sourced transcription tool for leaked business records with formats too challenging to OCR.  These services have to be hosted somewhere.

Static services like Whispers or the home page are easy: they're set up with backups and Docker containers and Ansible scripts.  If a server disappears, rent a new one from a different hosting provider and re-deploy with a couple of lines in a terminal.  A few services aren't quite so easy to replicate, though.  The data server maintains a copy of every leak, available over direct HTTPS, mostly so we can give a URL to less technical journalists that "just works" in their browser, without walking them through using a torrent client.

All the data is available by torrent and nothing unique is on the server, but finding a new hosting provider to spin up a 16-terabyte system (not counting redundant drives in the RAID) and then re-uploading all that data is, to say the least, inconvenient.  The same goes for Hunter, the document-ingesting cross-analyzing leak search engine.  It would be nice if we only had to migrate these servers infrequently.

The solution for these large servers is to hide them away forever, and make a repeat of the German seizure unlikely.  These servers are now hosted only as Tor onion sites, and are only connected to, even for administration, via Tor.

A tiny "front-end" virtual machine acts as a reverse-proxy, providing a public-facing "data.ddosecrets.com" that really connects via Tor to the much larger system.  The reverse-proxy can be replaced in minutes, and doesn't know anything about the source of the data it's providing.
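The two halves of that setup, written out as an added example rather than DDoSecrets' own configuration: shell functions that render the backend's torrc, the front-end's socat bridge unit, and the front-end nginx site.  The paths, the bridge port, the Let's Encrypt certificate location and the REPLACEME.onion address are assumptions.

```shell
BACKEND_ONION="${BACKEND_ONION:-REPLACEME.onion}"  # placeholder: use the address Tor generates
BRIDGE_PORT=8080                                    # local port the socat bridge listens on

# Backend (large data server): the web server and admin SSH are reachable
# only as a v3 onion service; nothing listens on a public interface.
render_backend_torrc() {
  cat <<'EOF'
SocksPort 0
HiddenServiceDir /var/lib/tor/data_service/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 22 127.0.0.1:22
# To restrict the onion to the front-end only, add authorized_clients/*.auth
# files under HiddenServiceDir (v3 client authorization).
EOF
}

# Front-end VM: socat accepts local TCP connections and hands each one to
# Tor's SOCKS port. SOCKS4A (not SOCKS4) so Tor, not the VM, resolves the
# .onion name; the VM never learns where the backend really is.
render_bridge_unit() {
  cat <<EOF
[Unit]
Description=Bridge 127.0.0.1:${BRIDGE_PORT} to the backend onion via Tor
After=tor.service
[Service]
ExecStart=/usr/bin/socat TCP-LISTEN:${BRIDGE_PORT},bind=127.0.0.1,fork,reuseaddr SOCKS4A:127.0.0.1:${BACKEND_ONION}:80,socksport=9050
Restart=always
[Install]
WantedBy=multi-user.target
EOF
}
# Front-end nginx: the public data.ddosecrets.com vhost whose only upstream
# is the local bridge. TLS termination lives here, not on the backend.
render_frontend_nginx() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name data.ddosecrets.com;
    ssl_certificate     /etc/letsencrypt/live/data.ddosecrets.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/data.ddosecrets.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:${BRIDGE_PORT};
        proxy_set_header Host ${BACKEND_ONION};
        proxy_buffering off;   # multi-gigabyte leak archives: stream them
    }
}
EOF
}
```

Redirect each function's output into the matching file (torrc on the backend, the unit and site file on the front-end), then `systemctl enable --now` the bridge before reloading nginx; if the front-end is seized, nothing on it points anywhere but 127.0.0.1 and a Tor address.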

We'll end with a call to action.  None of the design outlined above is terribly complex and, with the exception of the Tor reverse-proxy, is pretty common IT practice in mid-sized companies that have outgrown "a single production server" and want scalable and replaceable infrastructure.  The technical barrier for aiding the cause is low.

Hacking has always been about challenging authority and authoritarianism, and that mindset is needed now in abundance, at DDoSecrets and beyond.

No time to waste - Hack the Planet!