The VAT MOSS guidance added further headaches, especially to one of my upcoming business projects by requiring “proofs” of customer location information, as detailed within the explanatory notes to the legislation. After hours of reading through the document, the main issues arising were that for an anonymous web hosting service, any information being collection would not only breach the breach the privacy of customers, but negates the entire point of the business. As the guidance offers no advice as to how to handle anonymous online transactions, I consulted with HMRC, the UK’s tax authority which is where my company is registered.

Throughout a series of exchanges, HMRC repeated to me the need for 2 proofs to be in line with the VAT MOSS system. However, I have always rejected that happening as I would rather close my business than break the promises I offer. I made various offers to the tax authority on how to reach a middle ground, such as assuming the UK rate is payable on global sales, and to also possibly switch to another VAT scheme even if it costed my business more money.

The deadlock has finally been broken! I received this email from HMRC recently which has now been verified by an accountant to be binding for my business. This means unless there is a law change or the EU courts come to a different conclusion, I may now process transactions anonymously without being required to know the address or any other information about a customer and still charge the required VAT on transactions. Hip hip hooray!

———————————————

Dear Mr White

Thank you for your email and I apologise for the delay you have experienced in getting a reply to your question, which presents an unusual and difficult situation.

As you collect no information on where your customers belong, and therefore cannot evidence a different place of supply, we will expect you to charge and account for UK VAT on your supplies on the basis that the supply of services are made in the UK.

If a customer contacts you to say that they belong outside the UK, we will expect you to retain the evidence to support the non-application of UK VAT. A simple assertion that they do not belong in the UK will not suffice. If the customer does not provide you with a VAT number, you will be liable to register in the customer’s Member State. If the records presented by the customer enable you to meet the record keeping requirements you may be able to use MOSS to bring the VAT to account.

I hope this is helpful but if you have any further questions please do not hesitate to ask.

Yours sincerely
[HMRC Rep name redacted]

———————————————

Over the last few months, as per my other posts, I have tried to explain my reasoning for posting leaked data. Some have claimed I haven’t thought it through, others have said I am simply reckless. I want to assure everyone that I am neither reckless nor naive in the consequences for my actions.

Having spoken to my legal team, who have already demonstrated to me their exceptional legal knowledge in defending me from legal charges, they have assured me that my position from a legal perspective is just. I have explained openly what I am doing and have made no attempts to mislead people in my actions and have also posted plenty of warnings on where my responsibility ends for anything downloaded from my mirrors.

Some possible legislation any charges could be brought up are the following:

The Data Protection Act 1998: As I am not covered under the definition of a data controller or handler, I am exempt from regulation under the act.

Computer Misuse Act 1990: This Act of Parliament introduced three offences within the scope of the act that are as follows:
1. unauthorised access to computer material, punishable by 12 months’ imprisonment and/or a fine “not exceeding level 5 on the standard scale” (since 2015, unlimited);
2. unauthorised access with intent to commit or facilitate commission of further offences, punishable by 12 months/maximum fine on summary conviction and/or 5 years/fine on indictment;
3. unauthorised modification of computer material, punishable by 12 months/maximum fine on summary conviction and/or 10 years/fine on indictment;

My initial impression was that under offences 1 and 2, I may be liable as I did not have authorisation to access or provide access to the material. However, the offences above apply only to those who took the initial data and that is where the breach of proper authority to access it took place. Subsequently, when I download data from the open internet (even if said material has been stolen when unauthorised), I am not accessing that material unlawfully. If I was to download the material from the source (i.e., directly from the Patreon or Ashley Madison servers) then that would constitute an offence.

Theft Act 1968: Section 22(1) provides the scope for an offence usually associated to shoplifting or buying stolen goods, usually referred to as “Handling stolen goods”. The actual offence is as follows:
“A person handles stolen goods if (otherwise than in the course of the stealing) knowing or believing them to be stolen goods he dishonestly receives the goods, or dishonestly undertakes or assists in their retention, removal, disposal or realisation by or for the benefit of another person, or if he arranges to do so.”
There is an element of me making the data available to the public being construed as the retention of stolen goods for the benefit of another person, however as I have not paid for the data or otherwise encouraged the original offence of stealing the data, and that I accessed such data through legitimate means (downloading from a public source), I have been assured that it is highly unlikely a prosecution can be brought forward under these charges.

I believe most angles to prosecute are covered in the above and most have good case law to back me up in the event criminal investigations are ever launched into my conduct. That said, I have been warned by my legal team of the potential repercussions in other jurisdictions. For example, he has acknowledged that while US law is not his area, he believes my actions would constitute an offence under the Computer Fraud and Abuse Act (CFAA) which is a US law. Fortunately, I am not a US citizen, nor do I ever plan to visit the US or use US infrastructure (I make a point of boycotting US products where possible). Therefore, their laws do not apply to me and they never shall, so as far as I am concerned their level of authority over me matches the authority of Ghana’s legal system or North Korea even.

All in all, I still stand by my comments on why I am willing to host the data even when it is highly controversial. In extreme circumstances, I would be willing to omit some sections of the data or even remove the data. If that ever does need to happen I will clearly explain why and what sections of data were removed. Until that day though, my work shall continue.

echo “You may have just seen the takedown notice on https://patreon.thecthulhu.com. This notice was put up by myself and was not a real takedown thankfully. It is, I hope, a reminder to everyone of the importance of decentralisation and that just because somebody like myself posts a resource, does not mean it will be there forever. I encourage everyone to repost the magnet URI on their sites or setup their own mirrors to prevent such a single point of failure in the future. I included the SHA1 and SHA256 sums of the file for a very good reason too if you wish to verify the integrity of data downloaded from other sources before executing or opening it.” | sha1sum | awk ‘{print $1}’

Produces: 63300df2199f61822fef6c440014359f052ffe61

The hash should match here: https://twitter.com/CthulhuSec/status/650451139473862656

The problem we face is that since the Patreon leak, I have been the only known mirror out there offering the full file, as well as a magnet URI. Many people have been downloading and investigating the data, but no new mirrors have popped up, not even simple magnet URI reposts. This causes a dangerous centralisation problem if I become the only mirror, thus heightening the chance of law enforcement targeting me, but also means there are fewer sources for people to verify the integrity of the data.

Mirroring the data is not hard. The magnet link I provided on the page ensures just linking to that data, is sufficient to mirror it (magnets are a modern replacement for torrents to minimize the need to host a file) securely, but very few have done so. I would like to encourage everybody to make mirrors somewhere of the magnet URI at least, and if possible a full download available over TLS. This not only helps me but improves the security of everyone seeking the files.

I understand not everyone has the resources to put up a mirror, but for those that do and have downloaded the data, remember to give back to the cause in some way. Mirroring data, donations to organisations like Tor Project, or teaching others how to improve their security are all great ways we can make a positive impact on our societies, and I encourage everyone to get involved to do so.

Hosting the leaked data is a risky business. I accept the fact that one day I may be arrested for handling the data if it is alleged to have been stolen. As a result, my legal team are aware of my actions and we already have legal challenges to such an arrest should it be made. However, my reason for doing so is that there is a public interest whenever such data is leaked, both from journalists in established outlets and independent forms of media.

The alternative of not sharing the data is also rather grim. Frankly whether or not I make it available, that data will still be on the internet, and it only takes a quick Google search to reveal this. Most of the other places to obtain the data, however, are from unknown sources and are very difficult to verify the authenticity of the data. Not to mention, I have come across plenty of these sources where said files have malware attached to them, designed to work as people scramble to fulfill their curiosity and download the material without any form of scrutiny as to their origin. So regardless of who hosts it, that data shall always be available. By taking the responsibility to host a copy, it allows journalists and others to focus on the work of analysing the data and leaving the management of that source to me.

The exposure of the information further allows the public to vet what procedures are in place at companies to protect data. The unfortunate reality is that their security is already bypassed at the point of the leak, but that isn’t the end of the story. Passwords for example in the Patreon leak used bcrypt, a hashing algorithm designed to be extraordinarily difficult to brute force and reveal a user’s true password. This is an example of a very good security measure that other organisations and businesses should take note of, especially the many who still store passwords in plain text. It also allows people to identify vulnerabilities, such as how although Ashley Madison employed bcrypt as well, but this was negated thanks to them cutting corners and using MD5 in the process of storing the login tokens (see Joseph’s article on Motherboard here).

Using leaked data allows us an understanding of the true state of affairs of how companies handle your personal data and emphasises to the corporations that personal data is not just another commodity. An organisation with strong password hashing policies like LastPass or indeed Patreon, means they have plenty of time to warn users to change their login credentials. Furthermore, a timely disclosure can repair the company image much better than trying to ignore the problem, as HackingTeam found out (and who still hold a grudge against me to this day for). All in all, the only way to avoid a major catastrophe is for companies to start adopting better ways they collect, use and dispose of data. If they do not need to store some information, then it should be disposed of, a fatal flaw in the operations of Ashley Madison. One of the reasons I support the use of bitcoin is that with no fraud risk from chargebacks, personal information does not need to be collected in the very first place.

Like many of the data breaches this year, it is not what happens once the data is leaked that is a problem, but what you do before it that matters. Taking the proper precautions and maintaining minimal user information, is the only way to safeguard against misuse either from the legal forces in play, or the rogue hackers looking for their next victim.

As you may have noticed, Jabber.ccc.de has been down for over 24 hours now for reasons at this time, are unknown. As a result of constant downtime over the past year on the service, and the rather sobering fact so many of us in the tech community use Jabber.ccc.de, I have decided to launch my own XMPP server that anyone can sign up to and use.

OpenXMPP.com is now open for registrations. I will be making improvements over the coming weeks that would guarantee 99.99% to 100% uptime. It has upstream DDOS protection, fast connectivity and works perfectly in tandem with existing XMPP servers so you can add contacts who are using any federated service.

As with everything I do, maintaining privacy for users is very important, and, as a result, we will always be trimming back on the amount of data logged. Furthermore, we will regularly clear the system of all but the bare necessities to stay online. Even with this, I still recommend using OTR and Tor for your conversations to guarantee end-to-end encryption.

I foresee this server growing considerably in the coming 12 months and hope everyone uses the service responsibly!

-Cthulhu

I have known Lauri for a while now, and we have both talked at length of our own struggles, shared some comforting advice and helped one another progress through difficulties as they arise. Today it deeply saddened and enraged me to hear his extradition has been demanded by the United States of Assholes.

Lauri Love is a British citizen. He lives in the UK. Therefore following this assumption, any alleged wrongdoing must fall within British laws. I, therefore, question why the need for extradition must exist when the frameworks for his prosecution in the UK are already in place if he was indeed guilty of any offense. Should he be found guilty of any offence then he should also be punished under British law, which is where he resides.

The only thoughts that cross my mind on why an extradition would be necessary are as follows; the US knows what evidence it has will not stand up to scrutiny in British courts. Protocols exist where evidence gathered overseas can be used against citizens in a UK court, and so it would seem logical to prosecute a person in their home country as it would be quicker, easier and cheaper for everyone involved. Furthermore, to prosecute Lauri in the UK would at least show some respect to British sovereignty and that British laws must rule the actions of it’s citizens.

Instead, the US has again sought to bring a person into their own territory for prosecution. I find this deeply insulting. Unlike many countries in the world, the US attempts to force the laws of its nation upon all people, irrespective of where they reside and assume their laws reign supreme over all others. If the UK or any other country where to make such an assumption, it is likely that the US would refuse to comply or kick up a fuss about the matter seeing it as an insult to them, without regard to their hypocrisy.

So I feel it is time to use this phrase, despite my hatred of it: If the US has nothing to hide in prosecuting Mr Love, why are they not using established protocols for the presentation of evidence in British courts? “Nothing to hide nothing to fear” huh? If the US has material that they feel is in some way privileged and thus cannot be handed over the UK, then this would be a clear violation of Article 6 of the EU Convention on Human Rights. In that case, the extradition request should be denied immediately.

On this matter, I stand firmly by Lauri’s side. So to the US government I would like to remind you that I am not a member of Anonymous, nor do I agree with many things that they do. But I do not forgive or forget either. You should perhaps look into your sins very deeply because new alliances are forming against you daily, and I am firmly within their ranks on this matter.

I first met Caspar a few years ago and talked to him on many occasions. One conversation that stood out to me is during the Tor Project summer developer meeting in Paris in mid-2014. Little did I know what started as a small matter would soon turn into a pattern of me becoming a surveillance target of the UK government, followed by a campaign of intimidation and bullying. Throughout my ordeal, Caspar was there for me with his vast reserves of expert knowledge, patience and care, like a father to us all. He never cared for what somebody stood accused of or who they were, he was willing to stand there for everybody equally.

He was a friend, a mentor, a teacher. If the time ever came where you had lost all hope in the fight against tyranny and injustice, along Caspar came to pick you up with a new found drive to continue.

RIP Caspar Bowden. You will be missed.

I should point out that I am not a good person to threaten. The idea of a threat is to subdue or otherwise intimidate another to your will. As somebody acting on their own identity and with the capability to de-anonymise a lot of the sites out there, I am a pretty poor target for such threats.

So here we go. The Russian market/classified area onion address is:
http://map2rampqm6qxbvz.onion/

I feel obliged to point out I have no idea if this was the market making the threat, nor do I care. I hope this serves as a gentle reminder that as somebody doing research and trying to remind people about vulnerabilities in their sites, I am not against the “dark net” sites. I can’t use magic and thus if you have no vulnerabilities, you are safe from me. If I can find your server, so can a capable state agency, and who would you prefer sent you this reminder?

So, here is some of the information on the site:

IP: 188.32.214.154
Document root: /home/map2ramp/www/
Server admin: root@work.local3
Internal IP: 10.0.0.13
OS: Gentoo

Unmasking this server was rather straightforward and again is down to a misconfiguration on their behalf. This time, however, it was a poorly configured PHP module with the web server. Another reason not to use PHP.

http://thecthulhu.com/wp-content/uploads/article_biuk/index.html

The original can be found here:

http://uk.businessinsider.com/dark-web-researcher-discovers-ip-addresses-in-plain-sight-2015-6?r=US

A few days ago I complained that part of the “dark web” problem is that we often see sensationalist claims from media outlets who don’t put the time into proper research. Well, I have one excellent example of this that I was to dissect for some quite key errors.

“This specific forum, called the Tor Carding Forum v2, was quietly shut down, but White was still able to uncover its hosting address even though the forum currently appears to be completely shut down. “

The article on Motherboard, along the with the accompanying information on my blog and Twitter, made clear that I seized the unmasking information many months prior to publication. I intentionally placed emphasis on this fact through the use of hashes and including the original tweet, which is dated. I have not in any way been able to recover the IP address of the service since it shut down. The reason that it is published now is precisely due to the fact it is now offline.

“Additionally, White found another dark web marketplace’s IP address: A site called Kiss Marketplace, which reportedly offered goods like illegal drugs. The IP address White posted on his website still works if you put it in any browser, meaning that the servers powering this site have ostensibly been unmasked.”

No. Again, this marketplace is now offline and has been for a few weeks according to DeepDotWeb before I published, this was an intentional action. The IP address, therefore, does not work and at this point, is obvious to me you haven’t even tried. The screenshot included on Motherboard was taken by @josephfcox several months back when I first showed him the information. We sat on the information until we deemed it safe to release.

“With the IP addresses of these dark web marketplaces becoming public knowledge thanks to White’s recent discoveries, the police will also be able to use this knowledge to shut down the websites if they decide to follow up on White’s findings.”

The police might be able to chase up who rented the server associated with the IP address, but at this point it is questionably useful since it is unlikely there will be remaining forensic data to extract. Furthermore, for it to stand it court it is likely they would need my testimony on how the evidence was obtained. I have made clear that I am totally unwilling to assist law enforcement at this point for how they have treated me in recent months/years.

“It appears that criminals are scrambling online to use these new ways to create black markets, but their lack of diligence shows.”

Speak for yourself.

cthulhu@cthulhu:~$ echo -n “The Tor Carding Forum V2 at hidden service address ba6i2qxajcioadj4.onion and IP address 185.10.57.138 will be seized by the British or Dutch police in the very near future. They have used no magic or special technical ability and Tor is not broken.” | sha1sum | awk ‘{print $1}’
ba993b4a132df12537aab9fde4b297197b92a45a

From 3rd February 2015: https://twitter.com/CthulhuSec/status/562549685802774528

Information was still correct up until the time of closure. This fuck-up was thanks to them not routing their external lookups through Tor. They also must not check the logs of their webserver given how often I performed this to validate it and it was never fixed.