Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

handling abuse #9

Open
elandorr opened this issue May 17, 2022 · 19 comments
Open

handling abuse #9

elandorr opened this issue May 17, 2022 · 19 comments

Comments

@elandorr
Copy link

This is the best quick upload tool I've ever seen, an admin's dream with the simple curl available.

How do you prevent abuse without ANY logs at all, though?
I'm no perl whiz and I haven't looked much at the code, but I can't find anything at first glance.

I'd be interested in setting one up as well, but completely limitless seems like it'd be abused to death. If you have some, as you say, '3rd world country hosting behind a gajillion proxies', alright, the usual is covered. What about storage and CPU for hashing trash though?

I'm curious how you handle this.

Thanks for this!

@somenonymous
Copy link
Owner

somenonymous commented May 17, 2022

Hey! It really depends on the use case thus there is no universal answer to this question.

Based on the oshi.at experience I can tell it's not much a problem here, since people use the abuse report form and we simply remove the reported elements, except for cases when reports go directly to frontend provider abuse-c boxes, because they usually give some time to remove the content before suspending the server, however even if a suspension happens, we have a monitoring script that switch DNS record to another frontend server that is used as backup for such situations. In any case, our backend server (one that hosts this repo) is never exposed and remains online independently of the frontend (reverse-proxy) servers and even if all of them go offline, we will still have onion address working and all the data fully accessible.

Also you may rely on some decent providers that don't suspend everything instantly without looking up. I also recommend to discuss your server's content and abuse handling scheme with a provider prior to making a purchase.

Moreover, I could say that it's mandatory to use a similar scheme we have here for the use case you described, in case it needs a clearnet address. This means using multiple reverse-proxy servers (vps or dedicated) and a bare-metal dedicated server for this repo. Connect them via VPN tunnel and use these docs for help https://github.com/somenonymous/OshiUpload/blob/master/doc/haproxy.txt#L39 https://github.com/somenonymous/OshiUpload/blob/master/doc/reverse_proxy_tcp.txt

Regarding logging - you are not required to log anything on your server and there are no such laws or regulations that require you to do so as an end-customer. Mandatory logging only applies to providers in some countries and law enforcement agencies usually handle criminal investigations directly with them, however there is always .onion to bypass ISP-level logging.

Also if you worry about some users uploading the same thing repeatedly and sharing publicly, we could implement hashsum blacklisting.

For avoiding malware abuse, this repo has recently implemented the extensions and MIME types that are enforced to be deleted after N downloads, this helps a lot to prevent spreading and being listed as a malicious site - https://github.com/somenonymous/OshiUpload/blob/master/app/config.example#L184 - this way we still let users to share executable files but don't let them spread

Regarding hardware - I'd recommend getting 4-8 cores, at least 8 GB RAM and SSD.

@elandorr
Copy link
Author

@somenonymous Thank you so much for this detailed response! Can't tell you how much I appreciate the thought that went into this. So many clones of clones out there, but this goes beyond.

What I'd be worried about mostly is a storage explosion - no ratelimits, no captchas, excellent access via curl - people can fill the disk in hours. We don't have much money, so no infinite NFS available.
Has nobody tried that yet? Like pirates? Apart from being convenient for CLI users, this is just convenient all around. 90d, 5GB, not even any ads. I can't even find a donation page. I suppose you are wealthy enough to handle it, but with zero ratelimits it still seems like it'd overwhelm anyone.
Even if you have a ton of storage, hashing large files over and over kills the i/o and CPU.

Or maybe the 90d limit is enough to not get DOS'd into submission.

I absolutely love your zero-log approach. I do keep temporary logs for rate-limiting mostly. Alone the trillion bots bombarding every possible login daily..

Some jurisdictions in modern day global dystopia are weird in that regard - you are forced to log to some extent, otherwise you are liable. Many have insane laws that are intended to murder every last bit of freedom, such as only giving you mere HOURS to handle abuse. (Or what they claim to be 'abuse' - these days politics already kill you for speaking online.)
Many also hold providers of open networks liable. If you want to be a nice guy and share your internet with the rest of the block, you go to prison.

I don't worry about abuse notices at this point as it's mostly private. But I really admire that you take a stand! Details like the 'fast Tor link' are also genius in their simplicity. Nice, clean software with a purpose is so rare, thank you.

@somenonymous
Copy link
Owner

somenonymous commented May 18, 2022

I am glad you find it useful @elandorr and appreciate your feedback.

The whole setup we have here wasn't expensive at all until this year, but this changed recently due to increased demand. For example the current reverse-proxy VPS we started with costed 3.50$/mo until this year, but recently we had to upgrade it to another plan due to increased bandwidth usage, so yeah, we will definitely start accepting donations soon. Me and my team weren't accepting them because this project started as something for private use primarily for a group of friends and since we always had unmetered bandwidth there was no major hesitance of providing the service to public too. The backend server was running on a HDD, so it wasn't expensive until we had to migrate to a newer setup exactly due to the concerns you described in your last reply, and since we have encrypted storage, the IOPS demand increased to the extent that we needed to upgrade to SSD. Anyway, to provide a public instance of this repo you don't really need to be wealthy or something, since it can start up on a 1GB RAM server randomly picked from lowendtalk.com offers (that's how this one started actually).

Storage overload attacks don't happen often and on oshi.at it happened only 1 time in last 3 years as I remember, but such attacks are quite pointless waste of resource from the perspective of attacker, since this service doesn't compete with anyone nor represent any commercial interest. oshi.at sometimes (rarely) runs out of storage naturally and to handle it we have this very basic script running every 15 minutes in crontab that purges older files in case usage is equal or above 95%:

#!/bin/bash

STORAGEDEVICE=/dev/mapper/enc_disk1
STORAGEPATH=/mnt/disk1/uploads/

cd $STORAGEPATH

# remove files uploaded more than 30 days ago if disk usage is >=95%

LOADPERC=$(df -h $STORAGEDEVICE  | awk '{print $5}' | tail -n1 | sed 's/%//')
if (( ${LOADPERC} >= 95 )); then
    find . -type f -mtime +30 -exec rm -f {} \;

# remove files uploaded more than 15 days ago if disk usage is still >=95%

LOADPERC=$(df -h $STORAGEDEVICE  | awk '{print $5}' | tail -n1 | sed 's/%//')
if (( ${LOADPERC} >= 95 )); then
    find . -type f -mtime +15 -exec rm -f {} \;

# remove files uploaded more than 5 days ago if disk usage is still >=95%

LOADPERC=$(df -h $STORAGEDEVICE  | awk '{print $5}' | tail -n1 | sed 's/%//')
if (( ${LOADPERC} >= 95 )); then
    find . -type f -mtime +5 -exec rm -f {} \;

# remove files uploaded more than 1 days ago if disk usage is still >=95%

LOADPERC=$(df -h $STORAGEDEVICE  | awk '{print $5}' | tail -n1 | sed 's/%//')
if (( ${LOADPERC} >= 95 )); then
    find . -type f -mtime +1 -exec rm -f {} \;

Given that the nature of this project is a temporary storage and users are aware that their stuff won't remain permanently here, this approach is acceptable for now. For a permanent storage mode I wouldn't run this as a public instance, unless there is some commercial interest covered by appropriate funding.

While the script above is just a temporary solution that was made in a few minutes without planning too much, this feature is yet TBD and it's in the TODO list here #7 and will be implemented in the engine itself with flexible settings, so I will be glad to hear any ideas that could improve it.

p.s. btw there is no guarantee the file will remain there for 90d, because this depends directly on the storage usage and ofc it's not limitless, but I think most users understand this. Regardless I might put a notice that warns about that in some form. I am just not sure if it's extremely necessary.
The retention time selection should be understood as an element of control only. We could've made it in a way 0x0.st did - "the file retention period depends on the disk load and you can't decide when it's deleted" - however it was more preferable to implement manual selection because this approach gives more flexibility of file control to users.

@elandorr
Copy link
Author

I'm sorry for the late response. I don't have more time right now, but I want to thank you for the thorough reply! I noticed you cannot set 90d via curl and do face a (simple, non google <3) CAPTCHA when trying to extend in the UI. Guess that helps.

By 'limitless' I meant that you don't log and can't ratelimit, using oshi 24/7 is possible. I love using it for quick CLI transfers right now. Simple and no bullsht. Feels great to see that still exists. Thanks for sharing the source too, might give it a shot when there's time.

@SkyLostTR
Copy link

Thank you for clarifying all the issues and providing this service to us without any ulterior motives or interests. @somenonymous

@kkarhan
Copy link

kkarhan commented Apr 12, 2023

Re: Abuse I do think that te same issues apply here

Obviously oshi.at isn't setup as a commercial filehoster since they'd already been forced to setup uploadfilters aka. Content-ID alike checksum matching systems due to the Copyrightmafia being bullish - espechally in Austria [which is likely why the surface web domain is dormant]...

That being said I wounder amidst the 7+ months of inactivity, which do hint to some developments...

@kkarhan
Copy link

kkarhan commented Apr 12, 2023

Apparently abuse of oshi.at for hosting & sharing of CSAM is a problem if the OSINT via commit messages is to be believed...
3c416d9

Which is not surprising given that 1fichier shut down it's services after being bombarded with thousands of reports re: CSAM being hosted on their site (YouTube video - in German)...

And yes, sabotaging CSAM forums by crawling URLs and reporting them to filehosters is kinda considered a "noble scutwork" by some - espechally since it's highly automateable (same video, later timecode)...

So I'd not be surprised if Pedos are currently abusing the service...

@kkarhan
Copy link

kkarhan commented Apr 12, 2023

Considering the fact that I'm doing bona-fide - only stuff, I've pulled oshi.at from my onion.domains.list.tsv...

Whilst not legally obligated nor pressured into anything. It's just how the world is:
If you offer people a free parcel storage service, they'll inevitably abuse it to store all their nefarious shit.

The only option I'd see is to shift gears: Get it funded with Donations or selling accounts in Monero.
Cuz I can totally understand that at this point, @somenonymous is pissed off and chose to kill the cleanweb-site so all those pedos will be deterred by the low bandwith over Tor...

Just to repeat the obvious it's pretty clear noone here wants or defends CSAM - not even the people behind oshi.at...

Otherwise they'd not explicitly say that they take action...

@elandorr
Copy link
Author

What a messed up world. The EU is a dystopia like never before seen. The copyright nonsense is absurd on every level, it doesn't make sense whatsoever. I wonder where they got their 'expert advisors' from. Pack the file and circumvent it... It's just harassment and stops actual real normal non-rich people from starting anything.

Haven't heard the term 'CSAM' before, but since you mention pedos, I can guess.

Considering the fact that I'm doing bona-fide - only stuff,

As a victim of abuse myself, I can't let that stand.

That notion is insulting. I highly doubt the operator supports this shit in any way. What do you want him to do, require identity cards and social credit EU dystopia style? Should he watch every single file beginning-to-end? What about encrypted files? Want to go full EU and attempt to outlaw encryption?
How about 'smart'-CCTV-underpants?

Either you have 100% brain-dead robots, or you have freedom. The former is not an option, the latter is almost always perfectly fine. In places with literal anarchy there's usually much less abuse, even. It's time to figure out where the problem stems from, instead of increasing dystopia and universal harassment.

Pedo shit is really not a problem and the allegation exclusively exploited against free-thinkers by a self-declared 'elite', which ironically, is caught time and time again to be full of pedos and even ritualized abuse. There's more child abuse out there than ever, and it's less hidden than ever, harassing a microhost is unbelievably stupid.

It's terrible that it's so easy to harass free hosters, there really is no 'pedos using freehosters problem'. There's a pedo problem, and it's deliberately unsolved and even encouraged by the current political caste. Same with drugs. You try doing anything in private in the EU - almost impossible. Yet, magically, there are literally TONS of drugs coming in via giant containers. Magic, eh? If there's money involved, every politician scum will look away. They operate de facto as if they were officially permitted to. They don't need some tiny filehoster to distribute files. They use snail-mail and even straight up organize child-murder-parties. Not even very well hidden anymore. I'm too curious for my own good; if I see a term I don't know, I check it out. Bad idea. Certain words are openly used on all the degenerate social media sites (FB,SC,TT etc.) and directly lead to actual child abuse. Not even 'new normal' hormone-filled early-mature 12 year olds, you'll find literal babies... If you see some 'anime' people on the internet use terms you don't recognize, don't click for your own sanity!

If even billion dollar sites can't avoid it, how would a real human running a small site?

Given the temporary nature of oshi, if you have the motivation @somenonymous, I'd highly suggest making it a legal case. Someone has got to be the first to bring common sense back. This isn't even a public-public service like e.g. wordpress. There are zero arguments here, you'd just need a lawyer to wrap common sense up in a format for polsters.

Instead of harassing innocents, they ought to look at what hormone-laden politically-correct dystopia they created, and be honest about the reasons behind child abuse rates exploding. It's not coincidence.

Their arguments are just as much of a bullshit lie as knife laws in Germany. If you want to hurt someone, you grab a rock, a regular kitchen knife, or even a pencil. Sharpen a butter knife, if you must. Or you just feed him toxic EU-permitted food, and watch him wither away. Pedos have been operating long before the internet, and nothing ever changed. Look at the guy in the Philippines who lived until his 100s and was only 'caught' after doing this for decades. Every politician is scum and can be bought. I speak from local experience; it takes much less than people assume. You don't get into politics for being altruistic. Yes, 'western' 'proper' politicians routinely ruin peoples' lives for a few Euros on the side. From a little bit of bureaucratic harassment, to torture and death, anything goes. (Especially western polsters operate freely, since they're implicitly protected by their fantastic marketing manipulation. 'west=good' is still so embedded in peoples' minds, they don't have to fear anything.)

My original intent with this thread was more avoiding deliberate abuse of raw resources, particularly by the new 'internet trolls'. oshi's no-bullshit approach to privacy makes it theoretically easy to be a douche. Someone being dumb enough to harass an ephemeral filehoster for what a tiny fraction of users upload didn't cross my mind. With that logic, one has to ban absolutely everything that ever existed in the universe.

Do you consider water not 'bona-fide', because the Chinese used it for mental torture? I'd really like to know what you'd expect the operator to do.

Besides: If you use youtube, you will undoubtedly know about it being the biggest hoster of videos of naked kids. Not too long ago, before the wannabe 'left' normalized 'pedosexuality' and all that abuse, pedos were seen as the lowest form of life, and much less present. Families uploaded home videos without hesitation, nobody cared about little kids running around naked. They weren't seen as sexual objects. Some languages even express that by the word for 'child' being neutral gender. Today, you can't even upload a baby photo without having to consider where it may end up.

@somenonymous Your LE cert expired by the way.

@somenonymous is pissed off and chose to kill the cleanweb-site so all those pedos will be deterred by the low bandwith over Tor...

The clearnet site works fine, I just uploaded this image https://oshi.at/bnMw/roPY.jpg. The only thing that's changed is this toggle:
image

Now, some people who don't think ahead may accuse him of this benefiting pedos, but that's not the case. Pedos can already use other services, encrypt, or simply re-upload. There's no complex logic here. This does exactly what he mentioned in the commit - fewer annoying reports. I can see this being useful for sharing with less-techy or less-dystopia-aware friends who may use clearnet out of laziness. Although I'd strongly suggest encrypting in the first place, as you should not trust oshi, either. (He's been nothing but straight as far as I know, just general advice.)

I don't know, if the hit limitation was there a year ago, but in addition to the time limit, this makes oshi very unsuitable for pedos (or any other type of bigger-than-group-of-friends distribution). If you go down that rabbit-hole, and I suggest you don't, because you can't un-see it, you'll find that a ton of it is even on plain torrent. Unencrypted, not proxied, plain open. And guess what, the government doesn't give a shit about it.

As a real-human service provider that isn't rich you cannot handle abuse reports en masse. You already get enough just from trolls being trolls. It makes sense for him to want less of those.

Everyone who genuinely wants to fight child abuse has to reject the modern world. This will never end, unless society goes back in time. When there was more to life than shallow thrill, when people helped each other, when money wasn't God. The Philippine case was essentially public, neighbors knew. Most 'regular' perps are known, too. But people were more concerned with exploiting the situation for their own profit, rather than stepping in.

Cops are useless as always. Nothing but thugs of the state harassing innocents. If you see something, do something. Even, if you spend life in prison, due to unjust laws. These 'people' don't expect anyone to step in. Looking at past incidents, they typically don't even need to be subdued. You can tie them up for police or 'forget' and leave.
Someone has to start.

reporting them to filehosters is kinda considered a "noble scutwork" by some - espechally since it's highly automateable (same video, later timecode)...

These 'internet warriors' are laughable and completely useless. Haven't they learned anything from piratebay? The youtube scum makes more money in a month than a normal guy will in his lifetime, this is just for show and narcissism.

It takes a whopping 5 minutes to just use some other site. There are entire projects dedicated to mirroring automatically. If content distribution were a problem, and it isn't, there are easy fixes. Also consider the era we live in. Poverty and especially 'working-poor' poverty is higher than ever before, there are more homeless people than during WWII now, and most 'normal' people are one foot away from starvation. Run up to some random guy, ask to use his internet, or register a sim card via a homeless guy. These people obviously don't care about others, so they don't care about ruining some random guy's life, either. You don't even need complicated technical shit. There are enough poor out there who won't hesitate and are beyond asking what for.

This shit video is also hugely offensive to actual victims. Scary music, sensationalized bullshit. For a LINKCHECKER? REALLY? THAT'S THEIR MILLION VIEWS WORTHY 'EFFORT'?
The very first minute one-click-hosters came up twenty years ago every script kiddie had his own. The same ones, that then automated mirroring.
If they put as much energy into helping in real life as they do for internet-ego and money, we'd live in paradise.

@elandorr
Copy link
Author

Addendum: This is also just sensationalizing the 'dark web'. Total bullshit. Stop thinking like a spoiled rich western middle-class brat, and think practically. Pick any free platform out there, use it, create mirrors. When it gets banned, move on. Even with dystopian registration requirements, no big deal. Ask one of the more than 1 MILLION homeless in Germany alone. If someone is willing to hurt a baby, the one thing most mammals instinctively protect even, if it means its own demise, do you think they mind moving around?

People routinely find government IPs involved in this, and nothing happens.

There is no way to fight this digitally, the mere attempt shows a lack of understanding.

kkarhan referenced this issue Apr 18, 2023
…AL ONE AFTER IT'S FULLY TESTED ON oshi.at)

- Added DOWNLOAD_LIMIT_PER_FILE config option to limit total download hits per file
- Added "Onion only" option for downloads to disable clearnet access for them (so all those child porn abuse reports won't bother me again but files can continue to exist on a Tor domain since nobody can blacklist it)
- Enforce UTF-8 encoding for files on downloads
@kkarhan
Copy link

kkarhan commented Apr 18, 2023

@elandorr I don't deny the issues and AFAICT oshi.at as a service explicity went out of it's lenght to remove any kind of "Dashboard" functions.
I'm convinced the NIC that maintains the ccTLD of Austria [ .at ] got pesky, thus the surface web domain got killed.

OFC abuse of any service or system is inevitable. We don't ban public transport just because terrorists / wanted criminals are able to use it as well...
Thus the only effective means is to react to abuse reports - which oshi.at presumably does when it comes to said content.

I think we all can agree that we don't want tech-illiterate shitheads like Zensursula von der Leyen to make decisions or laws.
Y' know: The kind of facist asshole that literally insults everyone able to set custom DNS settings as "hardened pedo-criminal" to the point that abuse victims literally had to start their own nonprofit to debunk her bs...

Since I don't want any shitty "ContentID" or similar "Upload Filters" I think the only reasonable options would be to set strict quotas for non-authenticated users and implement at least some basic authentification.

Cuz if the latter one was implemented, I'd consider hosting an instance myself or at the very least setup a server in some capacity in future projects as it's pretty nifty as part of one's IT pentesting toolkit...

It's not the fault of any machine, tool, software/technology or law that it gets abused.
Regardless if guns, drugs, cryptograpy, filehosting, ...

The only reasonable approach can be to go after those that abuse those in violation of laws - and if human- and civil rights mean some people may get away with their crimes than that's considered an acceptable tradeoff for having freedoms in the first place...

After all, we don't jail guns but the people pulling triggers!

@elandorr
Copy link
Author

I don't want to spam his repo, but I always appreciate conversation:

@kkarhan I don't know why you think the clearnet domain has been touched. It's alive. The cert has also been renewed. Maybe your network censors it?

As Austria is not only ethnically German, but also de facto emulates whatever the BRD does legally, it's a terrible location. But I don't know, if location really matters much now, in a globalist-terrorist controlled world. A plain com might still be best, ICANN doesn't take stuff down easily, but all cc and new hedgefund tlds will sell you out in a heartbeat.

Thus the only effective means is to react to abuse reports - which oshi.at presumably does when it comes to said content.

It's physically impossible. Even giant trillion dollar corpos can't do it, so they use all kinds of more or less terrible automatic filters. Or simple 3 strike systems that auto-delete all reported files and auto-ban after x incidents.

I've never managed anything large scale, and I already barely keep up with regular maintenance. It quickly becomes far too much.

Go through the process. You must verify the validity of reports - so you have to click whatever links people send you, then watch God knows how much child porn. You can't start deleting files just because some troll sends a report. What looks like 1 click turns into many minutes of messing around each, especially since oshi does not abuse privacy. Without any sort of logs you must go one by one. If that's just one link a month okay why not, but even with modest publicity that quickly turns to hundreds.

Yes, I hate that we may have babyrape on our servers at any given time, but that's a symptom of the modern, 'liberal' world. In traditional, tribal societies, everyone knows everyone, responsibility is common, that's not the case today. We're far removed from each other and stuck behind screens.

I have to reiterate that, even, if you could physically react to reports, because you have an army of monkeys, it's not effective. Deleting content doesn't stop it, it's as pointless as it gets.

Any fool can use 7-zip, set a password, and distribute any content right in public on facebook/VK/tiktok/idontuseanyoftheseanddontknowwhichsitesletyouuploadfiles.

One could arguably even encrypt, create a torrent, and then share this torrent on clearnet. You can't legally be held liable for something you can't access. Keep the decrypted files only on encrypted storage offline, and nobody can say anything. You might have found a bunch of torrents and downloaded them just like you download Debian, be a good netizen and keep seeding anyway. That's very plausible. Some people still seed the very first knoppix. A babyraper would probably not have that in the title. And even, if, it could just be avantgarde music.

set strict quotas for non-authenticated users

That doesn't help at all. I don't know how old you are, or how involved you have been, if, in cough warez, but splitting files is routine.

Allowing bigger files is just a convenience for regular users. It's annoying to have to deal with split files, but it's not that big of a deal. Download managers exist and something as open as oshi has direct downloads, so you can even just curl it.

Authentication means data storage. The entire point of oshi is to not have that. But I agree that a user system would be useful anyway, to use oshi privately. But linking files to accounts leads to accumulation of metadata. We use a different tool since years and have it locked away to avoid having to deal with this.

But I've admired oshi since I first saw it, because it does (almost) not compromise on anything.

I can admit I'm personally not that brave (to handle zero-log public hosting), because I'm already under a lot of stress, and couldn't handle a possible raid. Police are known for destroying what little you have, never reimbursing you, never giving anything back. But everyone who has more money available should stand his ground and go to court, rather than give up. They will probably beat you a little bit, but stay calm and get a lawyer right away. If you have enough money to live and enough free time to deal with the slow bureaucracy, this is a good cause that helps establish precedent!

Cuz if the latter one was implemented, I'd consider hosting an instance myself

There are a bunch of tools like it out there. If you only want to use it for yourself or few people you could use httpauth and forget about it. Just pick any tool you like, oshi is just fine, slap httpauth in front.

if human- and civil rights mean some people may get away with their crimes than that's considered an acceptable tradeoff for having freedoms in the first place...

These terms unfortunately have always only been marketing tools, my friend. The globalist governments provably colluded to spread a dangerous 'vaccine' that murdered loved ones - guess what - there isn't even monetary compensation. They have some legal loophole that protects them from any responsibility. Not that money would undo death.

In the last few weeks several mainstream unis and media finally reported about the documents they tried to keep locked away for 70+ years (the FOIA request passed). Now suddenly everyone acts as if they 'always knew'. Bullshit. They are responsible for the torture and death of my loved ones because they wanted some quick profit. That's modern life. Since the end of WWII the entire western political class engaged in human experimentation, mass-murdered in places around the world they had no business in (Doesn't anyone remember NATO's genocide in eastern Europe? All the scandals and personal enrichment of a few that led to huge bloodshed? It's scary how few even remember that.). It's so common, even the ultra-system-compliant wikipedia has a page on it.

The value of a human life has never been lower in history. Even a slave of old had more value. People speak of the holocaust and forget that the US alone have killed orders of magnitude more for nothing but money, and still actively kill every single day. The US haven't stopped killing in decades. Even the liberal favorite Obama has been drone-killing children from the comfort of his luxury villa. But they have money, so it's okay. /s

How is it possible that normal humans are tracked and profiled 24/7 in the EU, when literal container ships full of heroin and fentanyl make it into the EU?

It's extremely hard for a normal non-rich guy to afford and even find healthy, really natural food. But drugs? Trivial! You can buy heroin for cheap without much effort, in the middle of Germany, France, no problem. System media stopped talking about it... cui bono?

How is it possible that Germany had more than 1 million homeless in 2019, probably far more now, when human rights declare:

Everyone has the right to life, liberty and security of person.

The homeless cannot even escape into the woods and build minimal shelter there and live primitively, that's illegal too.

How is it possible that people who work all their life barely have enough cash to eat, and pensioners routinely dig through trash to avoid starvation, when human rights declare:

No one shall be held in slavery or servitude; slavery and the slave trade shall be prohibited in all their forms.

Slavery is more common than ever before, especially in 2023, when food prices are so high, that even full-time white collars often barely have enough to eat. People degrade themselves, and worse, are willing to hurt their fellow brothers just for a few bucks. Human life has never been cheaper. Prostitution out of desperation is standard now, no limits.

How is it possible that I can have you arrested and violently forced to be injected with psychoactive drugs for uttering wrongthink in the EU, when human rights declare:

No one shall be subjected to torture or to cruel, inhuman or degrading treatment or punishment.

All I have to do is make up some story about how you said anything that is an evil 'hate crime' and insinuate you may be 'schizophrenic' and you lose all your rights, with zero chance of defending yourself. Every time you protest, they will declare that an act of 'aggression' and inject you with more brain-melting tranquilizers.

How is it possible that the outcome of a lawsuit is entirely defined by your social caste and the money you can dump on lawyers, when human rights declare:

All are equal before the law and are entitled without any discrimination to equal protection of the law.

Law is a joke in general, the Germans even have a word for that, the 'Gummiparagraph'. Law has not been related to justice in a century.

It's all a joke! And has been since day 1.

to the point that abuse victims literally had to start their own nonprofit to debunk her bs...

Reminds me of the CoC nonsense. As an abuse victim myself, I had rich, sheltered brats tell me which words I may or may not use. It's more profit and attention seeking.

Remember the EU idiot who praised China for their digital abuse a few years ago? I think the guy was even from 'Austria'.

Thanks for the chat and hope you find a fitting solution for yourself. Give plain httpauth a shot, peace of mind at zero cost. The entropy is limited there (the algos have limits in the most popular servers), but it should be decent enough.

While a lot of this is depressing, I believe it can also be highly beneficial. The sooner basic truths are out, the better. Then we can move on to fixing problems, such as looking for the reasons why sexualizing toddlers is becoming more and more acceptable. (cough mainstream 'liberals' have been teaching how babys and small kids are 'sexual' for the last 5 decades, and now we reap what we have sown...)

After all, we don't jail guns but the people pulling triggers!

In Europe you aren't allowed to defend yourself anyway. Had that happen in real life. Without leaking personal details since it was in the news: Major violent attack, people tried to defend, still a bloodbath. European 'law' ended up punishing the victims. Police did absolutely nothing, they can only beat innocents and docile people. Try calling the cops in a ghetto, if they even show up, they're deliberately so late, you're on your own. Europe has been creating a continent full of broken slaves since '45. The complete lack of family structures for many/most millennials led to more solitude than ever, and single people hardly want to fight the system. It's understandable, since you're minced meat, alone.

They want to extend that to the internet. Don't let them. It may just be the only thing we have left.

@kkarhan
Copy link

kkarhan commented May 17, 2023

@elandorr notwithstanding the excursions into how tech-illiterate politicians push cyberfacism, I still want to go back to the original question...

One thing that would be cool is a way to automate/ticket any abuse reports in a yes/no fashion but I guess that not a good option as it would basically mean one would've to build a ticketing system from scratch.

Instead I'm convinced it'll be easier to just shove it into some OTRS or similar ticket system via the contact form's webmailer and I'm convinced that's how @somenonymous actually does it...

At this point I'd like to ask a naive and stupid question:
How many abuse reports does oshi.at recieve per day/week/month/year on average?
OFC feel free to decline to answer that and/or coarsely guesstimate the amount.

@elandorr
Copy link
Author

elandorr commented May 17, 2023

@kkarhan We're going in circles. Please tell us your perfect idea!
I'll respond to your UI idea: It still leaves you with the elaborated physical impossibility of processing them, once your site is more than private-use. The UI part is trivial, your physical existence can't scale.

Every major site pays human censors and nowadays buys EU-style content auto-filters.

My original question you referenced was more about storage trolling/DDoS/pirates finding it too convenient/etc. And the summary to that is 'the ephemeral nature makes it work until someone really wants to hurt you specifically, which is rare enough'. The big pirates find it too inconvenient and have better options, and trolls would have to spend a lot of resources to keep being annoying. It checks out. (FYI the modern for-profit piracy simply does it in a non-DMCA country and earns money off ads)

Your options:

  • genuine humans with eyes watching the content -> does not scale, no matter a ticket system or not
  • outsourcing human censors to India and China like the big sites do -> who watches the watchers don't just click randomly, and who funds it (Also your DC won't care, they only see reports on their end. You need your own ASN, complete autonomy and a legal defense team for that scale.)
  • automatic deletions if x reports -> a common procedure, allowing any troll to mess with you
  • EU style content auto-filters -> no comment needed
  • logging and identifying the users -> standard procedure, though useless as the shady ones won't use their own clearnet obviously or pay with their own cards
  • recognizing the dichotomy and living with it

Pick your poison.

How many abuse reports

In my experience from running smallish public stuff for 10+ years, it varies wildly from dead silence to 50+ a day. Hosters usually kick you after max. of 3 unhandled ones, if they send it upstream. (many give you only 24h to respond, hence oshi's reverse setup I don't quite understand, but he clearly went through the pain before)

This is not about oshi or some specific number anyway. One day you get a troll that posts some nonsense on 'twitter'/'youtube' and you get 100,000. Then what? Please explain exactly how you would handle this. This happens every day. Your concept must be able to handle this, or it's faulty logic.

It's also not 1 report == 1 link. You'll get whole collections of links you have to click one by one. Even 1 report can have 1000 links, and commonly does, at least in case of copyright trolls. (They often blanket-copy paste everything they see.)

Since we're here speaking about oshi it's probably popular enough to be on the upper end.

I'm still interested in your solution. You're posting negatively about oshi elsewhere, but you have not suggested a fix either. A 1-click yes/no isn't helpful, as that's not what eats time.

Say you establish a standard protocol all reporters have to follow, all valid regex-able urls, then slap them in a yes/no interface. You still have to download/watch/view the content. What takes longer?

And when you're done for the day, someone who wants to spread the content goes and re-uploads it, as oshi does not log.

And even, if you log, someone who wants to spread the content will use VPNs/TOR/a random homeless guy's phone or identity.

If you start your own fingerprinting database you have 1. violated the 'do not log' principle and 2. increased resource usage that has no upper limit, as anyone with half a brain cell will circumvent it instantly at almost zero cost, but you have to keep the entire previous archive.

Please let us know your idea that solves this issue! Without starting to log or any of the listed issues.

And you never responded to the basic tech facts: encryption/re-uploading/my simple and likely legally viable torrent concept. All things that are much quicker than you clicking yes/no all day every day.

If techies don't understand this, it's no surprise EU bureaucrats don't. I don't mean to offend you, but please, think this through from A to Z and then let everyone know your concept. If you find some 4D chess move, I'll be the first to listen.

Edit: Besides, child porn is one thing, you watch it, click no, done. Copyright stuff? You have to actually verify the claim, if you want to be genuine. That takes a lot more effort and by all practical means, a lawyer that verifies the documents.

@kkarhan
Copy link

kkarhan commented May 17, 2023

I honestly want to find a good solution that actually works.

OFC there isn't a "magic bullet" / "one size fits all" solution.

  • Other providers do choose to paywall a lot of functionality and/or cripple free tiers for the sake of reducing them to a unlimited trial option in order to sell plans - obviously that's not the case with https://oshi.at ...
    • This is how wsend does it.
  • As discussed earlier, restricting access or rather crippling functionality would not work in deterring determined actors - where there's a will there's a way [as we all know from the age of splitted RAR archives]...
    • rather said mechanisms would only backfire against people using Tor or a VPN and not serial abusers.
  • Login-walling is not part of the plan as there ain't even logins in the sense but just a managment URL at most.
  • Checksumming will only work for the most blatant cases, as compressing and espechally encrypting and splitting files will render these useless...
  • Moderation can't be automated and
  • Human moderation is either too costly or not only ethically questionable

I'm not a lawyer but AFAIK based off DMCA & OCILLA the hosters have no mediation option whatsoever, and the fact is that they legally can't even protect their customers against notorious serial abusers.

That being said I'd propably VPN or loginwall or at least hide any server if I ever were to setup one.

Truth be told, I do owe you an apology @elandorr & @somenonymous in that regard, as there ain't many options to tackle this at all, without having to introduce new problems caused by the mitigation attempts...

I'll re-add oshi.at ...

@kkarhan
Copy link

kkarhan commented May 17, 2023

I assume geoblocking is partially used to deal with abuse, @somenonymous ?

See #25

@elandorr
Copy link
Author

Don't worry about it, this stuff is counterintuitive. Thanks for actually thinking it through!

Many sites block Germany as they're one of the worst dystopias, (well, besides Sweden). There have been countless providers that got raided with extreme brutality, had all their livelihood stolen and lives ruined. Germany is just not worth the trouble. But it works, here, I'll reply in the specific issue.

Technically it's also illegal, GDPR bans geofencing :D (the most useless set of laws ever made)

@somenonymous
Copy link
Owner

Thank you very much guys for making and keeping this discussion here, I find it very important. I am reading it from time to time but can't participate much at this time due to some other projects, however I will return to more activity at maintaining this repo once I got more time.

In fact HostSlick served pretty well for us for the last time because they seemed to completely ignore all the abuses that many activists send to our ISPs daily. We have also met an agreement with Incognet to not suspend our server on abuses and let us take action within 24 hours, which seemed a good idea, however I'm keeping them as a backup option for DNS for now because I have to switch from Tutanota to my own email server to keep an eye on the abuse reports and notifications, since there is no option to use Tutanota via a Tor proxy on Android and I don't want Tutanota to know my IP, so for now I could only access this project's email from my desktop.

Some issues happen to our server from time to time due to performance degradation at increased traffic and resource usage, but when I am available I just readjust database performance options or make some decision to disable some functionality of the Oshi engine so it can live again. I am still studying those cases which sometimes seem to be intentional abuse of our IOPS and other resources since the Oshi engine is not very limiting at all, but I will for sure deploy some update soon that would give a node operator to enforce some temporary policies to prevent abuse of resource usage.

@kkarhan
Copy link

kkarhan commented Nov 17, 2024

@somenonymous re: email, consider cock.li which works like a charm and can be setup and used completely over Tor and provides POP3, IMAP4 & SMTP access, so they never have any IP address (Espechally when you use it via their OnionService).

As for abuse (may it be checksum-based deletion of undesired files, limiting bandwith and IOPS to reasonable speeds,) I'm confident you'll come up with a solution (even if it's just some option in a config file).

Re: authentification and blocking of abuse, that can be done with layers above (i.e. reverse proxy).

As for funding, consider posting a Monero/XMR (sub)wallet address people can donate to.
I'd even list it public among others.

And yes, I still think Oshi is one of the best Onion Services out there.

Either way thanks to you and @elandorr so far.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants