I would advice against hosting servers in Russia, though. Police raids on datacenters, where they literally rip servers out from the racks, are, unfortunately, a common occurence.
IANAL, but, from a purely technical standpoint, Netherlands is a big hub of east-west Eurasian communications, so the latency, on average, is at least decent from everywhere on the continent. Germany seems to be popular option too, with lots of hosting companies just selling shares of Hetzner nodes. I myself host all my crap in the US because all the good stuff is over there. If you’re asking about the pirate stuff… I don’t know, maybe consider India? They seem to be struggling with cybercriminals over there
The info is a bit buried under the news of Ukraine’s police apparently raiding lots of data-center since 2014 (mofos got their own language but still post news in Russian, smh), but I’m pretty sure that rghost, rutracker, rutor, RAMP, zaycev and the likes were also raided this way at some point - the police just came to the data-center, out of the blue, and literally just ripped the servers out. There was also some drama with some major hosting I don’t quite remember the name of, where police got involved at some point, prevented the staff from entering and caused a massive outage back in the day, I’ll update if I remember which one was it.
Overall, though, there’s not as many sources as I expected. Feels like either my memory is giving up or I’ve travelled dimensions… or it’s just roskomnadzor being at it again. I’ll check with my sysadmin friends, who personally had to deal with those situations, to check what is up and why there’s so little coverage on this.
This is good evidence. Thank you for finding and linking these. Though I’d still object to ‘common occurrence’ if there aren’t a lot more; the most recent one is still 8 years old and all the examples are for sure guilty of breaking laws while having properly registered offices with their own data centre – high profile targets. Rather than a scenario where my VPS might randomly go offline because I hosted Invidious or Lemmy on it.
That’s about the time they’ve figured what they’re really after - personal data. In 2015 they’ve expanded the 152-FZ(Russian GDPR) to force everyone who operates in Russian market to store all user data in Russia, and forced operators to provide it on request. Completely blocked linkedin as an example of non-compliance outcomes. They’ve also put a shit ton of spy-boxes everywhere that can inspect and block any traffic on the fly, so the need to physically confiscate servers is significantly reduced. Recently they’ve also started to force everyone to install their root certificate so that not even encryption is of help there. Yeah… should’ve mentioned all that in the first comment too
because I hosted Invidious or Lemmy on it
That could land you (or the person who paid for or owns the server) straight in jail
This time I must say your evidence and reasoning is much weaker. I disagree strongly with how you interpret this. Demanding foreign companies keep data on your citizens in your country is a good thing. The alternative is foreign spy agencies and governments having control over it. The fact that they have laws requiring companies to dox users is a completely separate issue. It’s bad, but it’s in-line with many EU nations. The NY Times article is especially bad because the tool they’re talking about, whois, is included standard with Mac and Linux. It’s not scary spy software. Inspecting and blocking traffic on the fly isn’t supported by the article as far as I can tell. And finally, having someone’s root certificate does not at all stop you from encrypting data. It lets websites that have been verified by the issuer have a green check mark in Firefox. You likely have tens or hundreds of root certificates installed on your computer. You can still keep data hidden from their issuers. It doesn’t affect your ability to encrypt.
In the case of that last link. He did go to jail for 20 days, but on the other hand, running Tor did literally save him from prison. This isn’t from that article but looking up his name, it seems he was cleared of all charges a week after he got out of jail and the judge’s reasoning was that because of Tor there wasn’t undeniable evidence. He wasn’t asked to stop hosting Tor either. Not defending the Russian justice system allowing them to jail you with only probable cause and not an actual conviction, that’s still bad, but where I live, I would get convicted instead, which is worse. This case sounds like positive confirmation that if I rent a Russia VPS and use it for Tor, I’m not breaking any laws and don’t need to worry about regular downtime, which was the original premise.
The NY Times article is especially bad because the tool they’re talking about, whois, is included standard with Mac and Linux. It’s not scary spy software. Inspecting and blocking traffic on the fly isn’t supported by the article as far as I can tell
Sorry, the article is terrible but I couldn’t find better English articles. Here are couple of auto-translated articles with some technical details on said spy-boxes. I remember there was a great combined push of state-owned market majority ISP Rostelecom along with state’s truth agency Roskomnadzor to implement all of this, for the first it was to push out independent ISP’s who couldn’t afford any of it, and for latter to erase and block out any info that the government doesn’t like, e.g. protest movements. The pretense was that it was for protection against foreign threats and autonomous operation of Russian side of the internet in case of hostile actions from the west, which has a grain of sense - e.g. of the 13 root DNS servers, 10 are operated by US and the rest by it’s allies. But the fact that this was not a joint initiative with other countries who are not on good terms with the US, and that those tools were used to combat political opposition, tells that this was not at all the real reason for it.
In the case of that last link. He did go to jail for 20 days, but on the other hand, running Tor did literally save him from prison. This isn’t from that article but looking up his name, it seems he was cleared of all charges a week after he got out of jail and the judge’s reasoning was that because of Tor there wasn’t undeniable evidence
That’s a dangerous precedent though, that a person can be arrested and held for indefinite amount of time without any significant evidence - just based on IP address. And in Russia, the laws are often written backwards, like the religious people feelings law in response to pussy riot case, the veteran feelings law for Navalny, the meme laws… for everyone… and…
This case sounds like positive confirmation that if I rent a Russia VPS and use it for Tor, I’m not breaking any laws and don’t need to worry about regular downtime, which was the original premise.
If you are not located in Russia, and you are not a figure in Russian politics, you indeed have nothing to worry about, except for the downtime, and certain protocols and endpoints being unreachable… and having your business ruined, but I figure if you’re not planning on doing any if you don’t care about downtime.
Though, if you are a political figure, the advice would still be to not touch anything Russian even with a 10-foot pole
And finally, having someone’s root certificate does not at all stop you from encrypting data. It lets websites that have been verified by the issuer have a green check mark in Firefox. You likely have tens or hundreds of root certificates installed on your computer
This allows them to perform MITM attacks by connecting to the website on your behalf, decrypting it, then re-encrypting it with their own cert and you’d still get the checkmark. Do you ever click on it to see who issued the certificate? They can, and most definitely will use it to attack their political enemies. Currently, they’re still forcing users to install it by holding online payments hostage, but even if you don’t pay online, nothing stops them from forcing it on all outbound communications in the future.
Here are couple of auto-translated articles with some technical details on said spy-boxes.
I found the technical exploration interesting, even if the translation I read might not have been completely accurate. But at least 8 years ago, they didn’t seem to have any ability to analyse and modify content, instead relying on a simple domain block-list. There’s domain blocking where I live too. I imagine it’s handled similarly on a technical level. Seems more of a concern for home users, I don’t think one of these boxes sitting outside a data-centre would affect you at all. Your hosted web application would have proper encryption and they’d only see the destination of one leg of the journey. Even for 8 years ago, this doesn’t really seem like a level of technical sophistication that trumps even non-rigorous general best practices.
That’s a dangerous precedent though, that a person can be arrested and held for indefinite amount of time without any significant evidence - just based on IP address.
Absolutely.
the entire Tor network was outlawed in Russia, so it won’t work as a defense any further.
This just says blocked, not outlawed. I also couldn’t find any other articles about Tor being outlawed. As long as it’s not illegal it’s no practical problem for me/you. According to this article, Tor and someone else is suing, which they wouldn’t do if they didn’t have a legal basis for operating. It even says it’s unconstitutional.
The decision violates the constitutional right to freely provide, receive and disseminate information and protect privacy.
Assuming that’s true, then that’s a pretty easy win for any data centre hosting my blackbox VPN-routed seedbox or whatever it would be.
you indeed have nothing to worry about, except for the downtime, and certain protocols and endpoints being unreachable
Yeah but I don’t feel you’ve demonstrated that at all. There were a few high profile raids, but they were decades ago. If my cheaper than average hosting has average downtime then I’m still getting a good deal. Based on what you’ve provided, it sounds like the anonymous computer in a cave scenario in the meme would go completely unnoticed by an averagely aggressive and averagely competent police state.
Though, if you are a political figure, the advice would still be to not touch anything Russian even with a 10-foot pole
assassination attempt to poison Sergei Skripal, a former Russian military officer and double agent for the British intelligence agencies
Come on. I’m not planning to spy on the Russian military for the MI6! That’s several levels of shady beyond ‘anti-establishment website’.
This allows them to perform MITM attacks by connecting to the website on your behalf, decrypting it, then re-encrypting it with their own cert and you’d still get the checkmark.
In theory that is true. And not particularly hard. But it’s not invisible, and so it would get discovered quickly. And it can also be mitigated with a VPN and not using the state’s DNS. Users of Russian e-banking are be susceptible to MITM, but my VPS isn’t, because I don’t have that certificate. And the Russian banking public isn’t being spied on because they’d burn the card when they use it. Is it being deployed to discretely and sparingly MITM-attack specific individuals? I mean maybe. But I think it’s being deployed so they can have a green check.
relying on a simple domain block-list. There’s domain blocking where I live too. I imagine it’s handled similarly on a technical level
To block a domain, it requires looking at the HTTP headers, though. So the only ways to do this with HTTPS is by either somehow breaking SSL or blocking based on domain’s IP, which causes high collateral damage due to cohosting, especially if the infringing domain is behing clourflare or is on amazon/azure/google infra. Oh and you can’t just block whatever IP’s the DNS is responding with, they got burned by it already when someone intentionally got their domain into blocklist and made DNS server resolve to 127.0.0.1. If your place also does this and it has a working democratic and judicial systems, I would suggest starting to raise questions about it.
This just says blocked, not outlawed. I also couldn’t find any other articles about Tor being outlawed. As long as it’s not illegal it’s no practical problem for me/you. According to this article, Tor and someone else is suing, which they wouldn’t do if they didn’t have a legal basis for operating. It even says it’s unconstitutional.
You’re right. I’ve looked into it and it seems that the reasoning behind the ban isn’t that it allows anonymity but the fact that exit nodes don’t restrict access to blocked sites, which is not at all possible for Tor. So I imagine they will soon, if not already, start going after it using DPI methods like they do with VPN’s already.
Based on what you’ve provided, it sounds like the anonymous computer in a cave scenario in the meme would go completely unnoticed by an averagely aggressive and averagely competent police state.
Well, based on what this computer is actually doing, it’s going to get cut off from all communications the moment anyone in that police state notices it. If it’s just pirate stuff then it’ll happen fairly quickly based on the amount and the obscurity of the sites in the blocklist. If it’s political - the owner of the server will be called for questioning. They’ll throw some of the bullshit laws at them to stack up (Got camera on your phone? Spy equipment! $2000 fine + confiscation! Liked any racist meme at any point in time? bam, extremism, 6 years in prison!) possible fines and jail time, but it’s all just to coerce them into cooperation.
Come on. I’m not planning to spy on the Russian military for the MI6! That’s several levels of shady beyond ‘anti-establishment website’.
Who knows what you might want to do with that server in the cave. This was just to show that they can and do reach outside the country in some cases. It’s not just for spies, though, they tried to do the same with Navalny and Kara-Murza, and a bunch of other less prominent figures. Also note, that all of those are botched attempts. In case of success, there will be no signs of poisoning as those chemicals are designed to break down quickly and leave no traces.
It can also be mitigated with a VPN and not using the state’s DNS
True, if your VPN protocol of choice isn’t banned already. But then, renting a box in Russia just to break out of it using a VPN kind of defeats the whole purpose.
Overall, you put it fairly accurate at “averagely aggressive and averagely competent police state”, we’re just going back and forth over specific details, but the point is that if you’re dealing with anything in Russia, you’re basically dealing with said police state, and the more you get involved with it, the harder you’ll eventually get rolled over by it. That’s why I suggest not getting involved with it at all in the first place. Having said that, I myself have certain obligations to visit Russia at some point in the future and I honestly dread of that moment. Wish me luck, I guess, but do you happen to know any good “dead hand” kind of software?
That may all be correct but I don’t think that the Russian authorities are going to target me, a foreigner because I downloaded some movie. They will also not share data with law enforcement in my country in any effective way.
Exactly this can happen in some western countries.
Russia is bad and all but they might be busier shutting down VPNs and censorship of their own people than with piracy.
They are probably doing a nonfantastic job with that too.
I would advice against hosting servers in Russia, though. Police raids on datacenters, where they literally rip servers out from the racks, are, unfortunately, a common occurence.
It’s required to have literally zero knowledge of worldwide piracy and its current state to post or upvote such things.
Where would you recommend?
IANAL, but, from a purely technical standpoint, Netherlands is a big hub of east-west Eurasian communications, so the latency, on average, is at least decent from everywhere on the continent. Germany seems to be popular option too, with lots of hosting companies just selling shares of Hetzner nodes. I myself host all my crap in the US because all the good stuff is over there. If you’re asking about the pirate stuff… I don’t know, maybe consider India? They seem to be struggling with cybercriminals over there
are you absolutely insane recommending hosting piracy in Germany those fuckers will take your house as Pfand
Sweden? I know VPNs tend to like Sweden from a privacy standpoint
Depends on what you are hosting I guess. My website is hosted in Finland but there isn’t anything illegal on it.
I’m sure you can corroborate this with evidence.
Sure
https://torrentfreak.com/vpn-provider-pia-exits-russia-server-seizures-160712/
https://www-comnews-ru.translate.goog/content/38669?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
https://newsland-com.translate.goog/post/4016630-sotrudniki-mvd-iziali-servery-piratskoi-onlain-igry?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
https://habr-com.translate.goog/ru/articles/87933/?_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
The info is a bit buried under the news of Ukraine’s police apparently raiding lots of data-center since 2014 (mofos got their own language but still post news in Russian, smh), but I’m pretty sure that rghost, rutracker, rutor, RAMP, zaycev and the likes were also raided this way at some point - the police just came to the data-center, out of the blue, and literally just ripped the servers out. There was also some drama with some major hosting I don’t quite remember the name of, where police got involved at some point, prevented the staff from entering and caused a massive outage back in the day, I’ll update if I remember which one was it.
Overall, though, there’s not as many sources as I expected. Feels like either my memory is giving up or I’ve travelled dimensions… or it’s just roskomnadzor being at it again. I’ll check with my sysadmin friends, who personally had to deal with those situations, to check what is up and why there’s so little coverage on this.
This is good evidence. Thank you for finding and linking these. Though I’d still object to ‘common occurrence’ if there aren’t a lot more; the most recent one is still 8 years old and all the examples are for sure guilty of breaking laws while having properly registered offices with their own data centre – high profile targets. Rather than a scenario where my VPS might randomly go offline because I hosted Invidious or Lemmy on it.
That’s about the time they’ve figured what they’re really after - personal data. In 2015 they’ve expanded the 152-FZ(Russian GDPR) to force everyone who operates in Russian market to store all user data in Russia, and forced operators to provide it on request. Completely blocked linkedin as an example of non-compliance outcomes. They’ve also put a shit ton of spy-boxes everywhere that can inspect and block any traffic on the fly, so the need to physically confiscate servers is significantly reduced. Recently they’ve also started to force everyone to install their root certificate so that not even encryption is of help there. Yeah… should’ve mentioned all that in the first comment too
That could land you (or the person who paid for or owns the server) straight in jail
This time I must say your evidence and reasoning is much weaker. I disagree strongly with how you interpret this. Demanding foreign companies keep data on your citizens in your country is a good thing. The alternative is foreign spy agencies and governments having control over it. The fact that they have laws requiring companies to dox users is a completely separate issue. It’s bad, but it’s in-line with many EU nations. The NY Times article is especially bad because the tool they’re talking about, whois, is included standard with Mac and Linux. It’s not scary spy software. Inspecting and blocking traffic on the fly isn’t supported by the article as far as I can tell. And finally, having someone’s root certificate does not at all stop you from encrypting data. It lets websites that have been verified by the issuer have a green check mark in Firefox. You likely have tens or hundreds of root certificates installed on your computer. You can still keep data hidden from their issuers. It doesn’t affect your ability to encrypt.
In the case of that last link. He did go to jail for 20 days, but on the other hand, running Tor did literally save him from prison. This isn’t from that article but looking up his name, it seems he was cleared of all charges a week after he got out of jail and the judge’s reasoning was that because of Tor there wasn’t undeniable evidence. He wasn’t asked to stop hosting Tor either. Not defending the Russian justice system allowing them to jail you with only probable cause and not an actual conviction, that’s still bad, but where I live, I would get convicted instead, which is worse. This case sounds like positive confirmation that if I rent a Russia VPS and use it for Tor, I’m not breaking any laws and don’t need to worry about regular downtime, which was the original premise.
Sorry, the article is terrible but I couldn’t find better English articles. Here are couple of auto-translated articles with some technical details on said spy-boxes. I remember there was a great combined push of state-owned market majority ISP Rostelecom along with state’s truth agency Roskomnadzor to implement all of this, for the first it was to push out independent ISP’s who couldn’t afford any of it, and for latter to erase and block out any info that the government doesn’t like, e.g. protest movements. The pretense was that it was for protection against foreign threats and autonomous operation of Russian side of the internet in case of hostile actions from the west, which has a grain of sense - e.g. of the 13 root DNS servers, 10 are operated by US and the rest by it’s allies. But the fact that this was not a joint initiative with other countries who are not on good terms with the US, and that those tools were used to combat political opposition, tells that this was not at all the real reason for it.
That’s a dangerous precedent though, that a person can be arrested and held for indefinite amount of time without any significant evidence - just based on IP address. And in Russia, the laws are often written backwards, like the religious people feelings law in response to pussy riot case, the veteran feelings law for Navalny, the meme laws… for everyone… and…
the entire Tor network was outlawed in Russia, so it won’t work as a defense any further.
If you are not located in Russia, and you are not a figure in Russian politics, you indeed have nothing to worry about, except for the downtime, and certain protocols and endpoints being unreachable… and having your business ruined, but I figure if you’re not planning on doing any if you don’t care about downtime.
Though, if you are a political figure, the advice would still be to not touch anything Russian even with a 10-foot pole
This allows them to perform MITM attacks by connecting to the website on your behalf, decrypting it, then re-encrypting it with their own cert and you’d still get the checkmark. Do you ever click on it to see who issued the certificate? They can, and most definitely will use it to attack their political enemies. Currently, they’re still forcing users to install it by holding online payments hostage, but even if you don’t pay online, nothing stops them from forcing it on all outbound communications in the future.
I found the technical exploration interesting, even if the translation I read might not have been completely accurate. But at least 8 years ago, they didn’t seem to have any ability to analyse and modify content, instead relying on a simple domain block-list. There’s domain blocking where I live too. I imagine it’s handled similarly on a technical level. Seems more of a concern for home users, I don’t think one of these boxes sitting outside a data-centre would affect you at all. Your hosted web application would have proper encryption and they’d only see the destination of one leg of the journey. Even for 8 years ago, this doesn’t really seem like a level of technical sophistication that trumps even non-rigorous general best practices.
Absolutely.
This just says blocked, not outlawed. I also couldn’t find any other articles about Tor being outlawed. As long as it’s not illegal it’s no practical problem for me/you. According to this article, Tor and someone else is suing, which they wouldn’t do if they didn’t have a legal basis for operating. It even says it’s unconstitutional.
Assuming that’s true, then that’s a pretty easy win for any data centre hosting my blackbox VPN-routed seedbox or whatever it would be.
Yeah but I don’t feel you’ve demonstrated that at all. There were a few high profile raids, but they were decades ago. If my cheaper than average hosting has average downtime then I’m still getting a good deal. Based on what you’ve provided, it sounds like the anonymous computer in a cave scenario in the meme would go completely unnoticed by an averagely aggressive and averagely competent police state.
Come on. I’m not planning to spy on the Russian military for the MI6! That’s several levels of shady beyond ‘anti-establishment website’.
In theory that is true. And not particularly hard. But it’s not invisible, and so it would get discovered quickly. And it can also be mitigated with a VPN and not using the state’s DNS. Users of Russian e-banking are be susceptible to MITM, but my VPS isn’t, because I don’t have that certificate. And the Russian banking public isn’t being spied on because they’d burn the card when they use it. Is it being deployed to discretely and sparingly MITM-attack specific individuals? I mean maybe. But I think it’s being deployed so they can have a green check.
To block a domain, it requires looking at the HTTP headers, though. So the only ways to do this with HTTPS is by either somehow breaking SSL or blocking based on domain’s IP, which causes high collateral damage due to cohosting, especially if the infringing domain is behing clourflare or is on amazon/azure/google infra. Oh and you can’t just block whatever IP’s the DNS is responding with, they got burned by it already when someone intentionally got their domain into blocklist and made DNS server resolve to 127.0.0.1. If your place also does this and it has a working democratic and judicial systems, I would suggest starting to raise questions about it.
You’re right. I’ve looked into it and it seems that the reasoning behind the ban isn’t that it allows anonymity but the fact that exit nodes don’t restrict access to blocked sites, which is not at all possible for Tor. So I imagine they will soon, if not already, start going after it using DPI methods like they do with VPN’s already.
Well, based on what this computer is actually doing, it’s going to get cut off from all communications the moment anyone in that police state notices it. If it’s just pirate stuff then it’ll happen fairly quickly based on the amount and the obscurity of the sites in the blocklist. If it’s political - the owner of the server will be called for questioning. They’ll throw some of the bullshit laws at them to stack up (Got camera on your phone? Spy equipment! $2000 fine + confiscation! Liked any racist meme at any point in time? bam, extremism, 6 years in prison!) possible fines and jail time, but it’s all just to coerce them into cooperation.
Who knows what you might want to do with that server in the cave. This was just to show that they can and do reach outside the country in some cases. It’s not just for spies, though, they tried to do the same with Navalny and Kara-Murza, and a bunch of other less prominent figures. Also note, that all of those are botched attempts. In case of success, there will be no signs of poisoning as those chemicals are designed to break down quickly and leave no traces.
True, if your VPN protocol of choice isn’t banned already. But then, renting a box in Russia just to break out of it using a VPN kind of defeats the whole purpose.
Overall, you put it fairly accurate at “averagely aggressive and averagely competent police state”, we’re just going back and forth over specific details, but the point is that if you’re dealing with anything in Russia, you’re basically dealing with said police state, and the more you get involved with it, the harder you’ll eventually get rolled over by it. That’s why I suggest not getting involved with it at all in the first place. Having said that, I myself have certain obligations to visit Russia at some point in the future and I honestly dread of that moment. Wish me luck, I guess, but do you happen to know any good “dead hand” kind of software?
That may all be correct but I don’t think that the Russian authorities are going to target me, a foreigner because I downloaded some movie. They will also not share data with law enforcement in my country in any effective way.
Exactly this can happen in some western countries. Russia is bad and all but they might be busier shutting down VPNs and censorship of their own people than with piracy.
They are probably doing a nonfantastic job with that too.