Author: Cthulhu

A VAT MOSS Victory!

by

I’d just like to take a moment to share a recent victory of mine. Before 2015, EU companies used to charge VAT at the rate of where the business was, leading to companies like Amazon setting up in in low VAT jurisdictions and making sales from there to lower the overall cost of an item, irrespective of where the customer resided in the EU. On the 1st January 2015 however, the VAT MOSS system was introduced which mandated VAT for online sales should be charged in the country of the customer, in an alleged reasoning to make the VAT system fair. However, this imposed a very problematic situation: a requirement for the company to know where the customer is located.

The VAT MOSS guidance added further headaches, especially to one of my upcoming business projects by requiring “proofs” of customer location information, as detailed within the explanatory notes to the legislation. After hours of reading through the document, the main issues arising were that for an anonymous web hosting service, any information being collection would not only breach the breach the privacy of customers, but negates the entire point of the business. As the guidance offers no advice as to how to handle anonymous online transactions, I consulted with HMRC, the UK’s tax authority which is where my company is registered.

Throughout a series of exchanges, HMRC repeated to me the need for 2 proofs to be in line with the VAT MOSS system. However, I have always rejected that happening as I would rather close my business than break the promises I offer. I made various offers to the tax authority on how to reach a middle ground, such as assuming the UK rate is payable on global sales, and to also possibly switch to another VAT scheme even if it costed my business more money.

The deadlock has finally been broken! I received this email from HMRC recently which has now been verified by an accountant to be binding for my business. This means unless there is a law change or the EU courts come to a different conclusion, I may now process transactions anonymously without being required to know the address or any other information about a customer and still charge the required VAT on transactions. Hip hip hooray!

———————————————

Dear Mr White

Thank you for your email and I apologise for the delay you have experienced in getting a reply to your question, which presents an unusual and difficult situation.

As you collect no information on where your customers belong, and therefore cannot evidence a different place of supply, we will expect you to charge and account for UK VAT on your supplies on the basis that the supply of services are made in the UK.

If a customer contacts you to say that they belong outside the UK, we will expect you to retain the evidence to support the non-application of UK VAT. A simple assertion that they do not belong in the UK will not suffice. If the customer does not provide you with a VAT number, you will be liable to register in the customer’s Member State. If the records presented by the customer enable you to meet the record keeping requirements you may be able to use MOSS to bring the VAT to account.

I hope this is helpful but if you have any further questions please do not hesitate to ask.

Yours sincerely
[HMRC Rep name redacted]

———————————————

The Legality of Sharing Dumped Data

by

Note: The below does contain information as indirect quotes or paraphrasing of legally privileged communications with my solicitor. I have not authorised the disclosure of legally privileged material and the below disclosures, therefore, do not constitute a right for law enforcement to snoop further privileged communications.

Over the last few months, as per my other posts, I have tried to explain my reasoning for posting leaked data. Some have claimed I haven’t thought it through, others have said I am simply reckless. I want to assure everyone that I am neither reckless nor naive in the consequences for my actions.

Having spoken to my legal team, who have already demonstrated to me their exceptional legal knowledge in defending me from legal charges, they have assured me that my position from a legal perspective is just. I have explained openly what I am doing and have made no attempts to mislead people in my actions and have also posted plenty of warnings on where my responsibility ends for anything downloaded from my mirrors.

Some possible legislation any charges could be brought up are the following:

 

The Data Protection Act 1998: As I am not covered under the definition of a data controller or handler, I am exempt from regulation under the act.

 

Computer Misuse Act 1990: This Act of Parliament introduced three offences within the scope of the act that are as follows:
1. unauthorised access to computer material, punishable by 12 months’ imprisonment and/or a fine “not exceeding level 5 on the standard scale” (since 2015, unlimited);
2. unauthorised access with intent to commit or facilitate commission of further offences, punishable by 12 months/maximum fine on summary conviction and/or 5 years/fine on indictment;
3. unauthorised modification of computer material, punishable by 12 months/maximum fine on summary conviction and/or 10 years/fine on indictment;

My initial impression was that under offences 1 and 2, I may be liable as I did not have authorisation to access or provide access to the material. However, the offences above apply only to those who took the initial data and that is where the breach of proper authority to access it took place. Subsequently, when I download data from the open internet (even if said material has been stolen when unauthorised), I am not accessing that material unlawfully. If I was to download the material from the source (i.e., directly from the Patreon or Ashley Madison servers) then that would constitute an offence.

 

Theft Act 1968: Section 22(1) provides the scope for an offence usually associated to shoplifting or buying stolen goods, usually referred to as “Handling stolen goods”. The actual offence is as follows:
“A person handles stolen goods if (otherwise than in the course of the stealing) knowing or believing them to be stolen goods he dishonestly receives the goods, or dishonestly undertakes or assists in their retention, removal, disposal or realisation by or for the benefit of another person, or if he arranges to do so.”
There is an element of me making the data available to the public being construed as the retention of stolen goods for the benefit of another person, however as I have not paid for the data or otherwise encouraged the original offence of stealing the data, and that I accessed such data through legitimate means (downloading from a public source), I have been assured that it is highly unlikely a prosecution can be brought forward under these charges.

 

I believe most angles to prosecute are covered in the above and most have good case law to back me up in the event criminal investigations are ever launched into my conduct. That said, I have been warned by my legal team of the potential repercussions in other jurisdictions. For example, he has acknowledged that while US law is not his area, he believes my actions would constitute an offence under the Computer Fraud and Abuse Act (CFAA) which is a US law. Fortunately, I am not a US citizen, nor do I ever plan to visit the US or use US infrastructure (I make a point of boycotting US products where possible). Therefore, their laws do not apply to me and they never shall, so as far as I am concerned their level of authority over me matches the authority of Ghana’s legal system or North Korea even.

All in all, I still stand by my comments on why I am willing to host the data even when it is highly controversial. In extreme circumstances, I would be willing to omit some sections of the data or even remove the data. If that ever does need to happen I will clearly explain why and what sections of data were removed. Until that day though, my work shall continue.

On the importance of decentralisation

by

As many of you have noticed, there was an FBI seizure page on some of my mirrors earlier tonight. Thankfully, these were fake, and I put them there, intending to ensure this message reaches as many people as possible and to draw attention to the problem that we face. Firstly, for verification though:

echo “You may have just seen the takedown notice on https://patreon.thecthulhu.com. This notice was put up by myself and was not a real takedown thankfully. It is, I hope, a reminder to everyone of the importance of decentralisation and that just because somebody like myself posts a resource, does not mean it will be there forever. I encourage everyone to repost the magnet URI on their sites or setup their own mirrors to prevent such a single point of failure in the future. I included the SHA1 and SHA256 sums of the file for a very good reason too if you wish to verify the integrity of data downloaded from other sources before executing or opening it.” | sha1sum | awk ‘{print $1}’

Produces: 63300df2199f61822fef6c440014359f052ffe61

The hash should match here: https://twitter.com/CthulhuSec/status/650451139473862656

The problem we face is that since the Patreon leak, I have been the only known mirror out there offering the full file, as well as a magnet URI. Many people have been downloading and investigating the data, but no new mirrors have popped up, not even simple magnet URI reposts. This causes a dangerous centralisation problem if I become the only mirror, thus heightening the chance of law enforcement targeting me, but also means there are fewer sources for people to verify the integrity of the data.

Mirroring the data is not hard. The magnet link I provided on the page ensures just linking to that data, is sufficient to mirror it (magnets are a modern replacement for torrents to minimize the need to host a file) securely, but very few have done so. I would like to encourage everybody to make mirrors somewhere of the magnet URI at least, and if possible a full download available over TLS. This not only helps me but improves the security of everyone seeking the files.

I understand not everyone has the resources to put up a mirror, but for those that do and have downloaded the data, remember to give back to the cause in some way. Mirroring data, donations to organisations like Tor Project, or teaching others how to improve their security are all great ways we can make a positive impact on our societies, and I encourage everyone to get involved to do so.

A short reasoning for sharing leaked data

by

There have been plenty of times I have received personal abuse, deaths threats and other forms of harassment online in response to my efforts hosting leaked data, most recently in the case of Patreon. As a result, I thought I would take some time out of the day to explain why I do what I do, and what I hope to accomplish with it.

Hosting the leaked data is a risky business. I accept the fact that one day I may be arrested for handling the data if it is alleged to have been stolen. As a result, my legal team are aware of my actions and we already have legal challenges to such an arrest should it be made. However, my reason for doing so is that there is a public interest whenever such data is leaked, both from journalists in established outlets and independent forms of media.

The alternative of not sharing the data is also rather grim. Frankly whether or not I make it available, that data will still be on the internet, and it only takes a quick Google search to reveal this. Most of the other places to obtain the data, however, are from unknown sources and are very difficult to verify the authenticity of the data. Not to mention, I have come across plenty of these sources where said files have malware attached to them, designed to work as people scramble to fulfill their curiosity and download the material without any form of scrutiny as to their origin. So regardless of who hosts it, that data shall always be available. By taking the responsibility to host a copy, it allows journalists and others to focus on the work of analysing the data and leaving the management of that source to me.

The exposure of the information further allows the public to vet what procedures are in place at companies to protect data. The unfortunate reality is that their security is already bypassed at the point of the leak, but that isn’t the end of the story. Passwords for example in the Patreon leak used bcrypt, a hashing algorithm designed to be extraordinarily difficult to brute force and reveal a user’s true password. This is an example of a very good security measure that other organisations and businesses should take note of, especially the many who still store passwords in plain text. It also allows people to identify vulnerabilities, such as how although Ashley Madison employed bcrypt as well, but this was negated thanks to them cutting corners and using MD5 in the process of storing the login tokens (see Joseph’s article on Motherboard here).

Using leaked data allows us an understanding of the true state of affairs of how companies handle your personal data and emphasises to the corporations that personal data is not just another commodity. An organisation with strong password hashing policies like LastPass or indeed Patreon, means they have plenty of time to warn users to change their login credentials. Furthermore, a timely disclosure can repair the company image much better than trying to ignore the problem, as HackingTeam found out (and who still hold a grudge against me to this day for). All in all, the only way to avoid a major catastrophe is for companies to start adopting better ways they collect, use and dispose of data. If they do not need to store some information, then it should be disposed of, a fatal flaw in the operations of Ashley Madison. One of the reasons I support the use of bitcoin is that with no fraud risk from chargebacks, personal information does not need to be collected in the very first place.

Like many of the data breaches this year, it is not what happens once the data is leaked that is a problem, but what you do before it that matters. Taking the proper precautions and maintaining minimal user information, is the only way to safeguard against misuse either from the legal forces in play, or the rogue hackers looking for their next victim.

Goodbye Jabber.ccc.de, Hello OpenXMPP.com

by

Hello all,

As you may have noticed, Jabber.ccc.de has been down for over 24 hours now for reasons at this time, are unknown. As a result of constant downtime over the past year on the service, and the rather sobering fact so many of us in the tech community use Jabber.ccc.de, I have decided to launch my own XMPP server that anyone can sign up to and use.

OpenXMPP.com is now open for registrations. I will be making improvements over the coming weeks that would guarantee 99.99% to 100% uptime. It has upstream DDOS protection, fast connectivity and works perfectly in tandem with existing XMPP servers so you can add contacts who are using any federated service.

As with everything I do, maintaining privacy for users is very important, and, as a result, we will always be trimming back on the amount of data logged. Furthermore, we will regularly clear the system of all but the bare necessities to stay online. Even with this, I still recommend using OTR and Tor for your conversations to guarantee end-to-end encryption.

I foresee this server growing considerably in the coming 12 months and hope everyone uses the service responsibly!

-Cthulhu