Tuesday, September 23, 2008

Staff Privacy

Running a tracker can gather quite a bit of heat under your persona, especially if you live in a country that dislikes sharing the type of material on your site. It's good to insulate yourself as an admin from these types of things as much as possible, so be diligent and conscientious. Think ahead for the long term when exposing yourself. There was a good writeup on this sort of thing at TorrentFreak, so I'm going to expand from there.

Encryption is king, but nothing quite takes the crown like OTR messaging. For chatting between staff, running OTR offers encryption, authentication, deniability, and perfect forward secrecy. As a supplement and/or alternative, it's very convenient to run your own private XMPP chat server such as OpenFire or Jabberd. XMPP/Jabber allows greater control over configuration and supports SSL encryption.

Paranoia is a positive feeling as an admin, and nothing satiates that feeling quite like running your network connections over Tor, the encrypted onion routing software. This works well when you want to obscure your location or ISP. Practically, it's a difficult thing to put up with considering you'll likely see a significant drop in network speeds over Tor. Nevertheless, it's possible to run two browsers or their mobile package in order to not disturb your normal surfing. Using a VPN solution such as OpenVPN is another handy option to encrypt traffic or create a tunnel.

As a brief aside, never torrent over Tor. Despite the tempting alliteration in the names, they do not go well together. Tor is, by and large, extremely slow, and running BitTorrent through it is a gross abuse of the bandwidth donated by willing volunteers that believe in the free flow of information. Tor is slow for all of us, and if you're torrenting on it, that speed is your fault.

Anyway, if you're like me and don't trust a free email host with your information, set up an email server on your box with webmail. The most easily configured mail setup I've come across is Postfix with RoundCube Webmail, but be aware that the learning curve for the inexperienced is daunting. I still suffer headaches and driving pains to my geeky ego. :P At any rate, this allows you to send and receive site-related email without worrying about your origin or alias. Note that it wouldn't be wise to send email via your server's SMTP service as this could expose your IP in the mail headers.
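To see what a message really carries, send a test mail to an account you control and read its headers. The sketch below is an added example, not part of the original post: it lists every IP in the `Received` and `X-Originating-IP` headers that is not one of your own servers. The sample message, hostnames and addresses are constructed (documentation ranges), and `leaked_ips` is a hypothetical helper name.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a message handed to the server's SMTP service by a
# desktop mail client. All addresses are documentation/private ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTP id abc123;
\tTue, 23 Sep 2008 10:00:02 +0000
Received: from [192.168.1.20] (home.example.com [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTPSA id 4F2A1;
\tTue, 23 Sep 2008 10:00:01 +0000
X-Originating-IP: [203.0.113.45]
From: staff@example.net
To: user@example.org
Subject: test

body
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def leaked_ips(raw_message, own_server_ips):
    """Return (header, ip) pairs for addresses that are not our own servers."""
    msg = message_from_string(raw_message)
    known = {ipaddress.ip_address(ip) for ip in own_server_ips}
    found = []
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            for text in IP_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(text)
                except ValueError:
                    continue  # dotted number that is not a valid IPv4 address
                pair = (name, str(ip))
                if ip not in known and pair not in found:
                    found.append(pair)
    return found


if __name__ == "__main__":
    for header, ip in leaked_ips(SAMPLE, ["198.51.100.7"]):
        print(f"{header}: {ip}")
```

An empty result for a test message means only your own servers' addresses appear in those headers.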

If you've been good about obfuscating yourself, you won't need to delete server logs that might point to an IP you used, but it's reassuring to not log those things just in case. Scrutinize both Apache and SSH server logs as well as any other services you connect to.

I hope I've provided you with some options to protect your privacy. The best summary would be to quote the TorrentFreak article, "Identity is everything, If you never tell anyone, no-one will ever know."

2 comments:

Gian-Pa said...

In order not to send your IP address when you use an email client through an SMTP server, what is a smart solution? IMAP?
Thx for this blog
Keep it up

OnionRings said...

Actually, both POP3 and IMAP are incoming protocols. What you need to do is use a solution such as webmail to send the messages directly from another IP.
Alternatively, you can run your email client on Tor, and it will masquerade the origin IP address.
