"Well," said Pooh, "what I like best," and then he had to stop and think. Because although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were, but he didn't know what it was called. - A. A. Milne
About the creators:
THC (The Hackers Choice) is a well known hacker group active since 1995. One of their most famous projects is Hydra[0].
> "We research and publish tools and academic papers to expose fishy IT security that just isn’t secure. We also develop and publish tools to help the IT Security movement."[1]
How could there possibly be assurance of that? People who get coerced and turned into being informants don't go around advertising it to everybody else.
A virtual root server is a cloud server giving you full access, root in Linux. As opposed to some web page hosting thing. I think it has been mainstream for more than 10 years. DNS root servers just work, nobody talks about them. Well, unless there were a major incident some day.
Was wondering what the limits are on this service - turns out they quite sensibly restrict the number of shells allowed per source IP address. This script shows it starts refusing new SSH sessions after a few connections back to itself:
```
[ERROR]
--> You (172.22.0.21) have to many servers running
--> Read https://www.thc.org/segfault/youcheapfuck
--> Contact us on Telegram: https://t.me/thorg
Connection to 127.31.33.7 closed.
```
Also their Tor hidden service currently seems to be inaccessible. Perhaps there's a hard limit on the number of connections via that route, given that one can't restrict per any individual source due to the design of Tor.
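The admission control the comment above describes, a cap on concurrent shells per source IP for clearnet SSH plus a single global cap for the Tor route where the server has no client address to key on, as an added Python sketch; this is not segfault.net's code, and the class name, limit values and messages are assumptions chosen for the illustration.

```python
"""Session admission control: per-source-IP cap for clearnet SSH, global cap
for the onion listener. Added illustration, not the service's own code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional, Tuple, List


@dataclass
class SessionLimiter:
    per_ip_limit: int = 3      # assumed cap on shells per source IP
    onion_limit: int = 50      # assumed global cap for connections via Tor
    _per_ip: dict = field(default_factory=lambda: defaultdict(int))
    _onion_active: int = 0

    def admit(self, source_ip: Optional[str]) -> Tuple[bool, str]:
        """Decide whether a new shell may start.

        source_ip is None for connections arriving via the hidden service:
        Tor delivers no client address, so only a global count is possible.
        """
        if source_ip is None:
            if self._onion_active >= self.onion_limit:
                return False, "[ERROR] onion ingress at capacity"
            self._onion_active += 1
            return True, "ok"
        if self._per_ip[source_ip] >= self.per_ip_limit:
            return False, f"[ERROR] You ({source_ip}) have too many servers running"
        self._per_ip[source_ip] += 1
        return True, "ok"

    def release(self, source_ip: Optional[str]) -> None:
        """Return the slot when a shell exits (clamped so a stray release
        from a crashed session cannot drive the count negative)."""
        if source_ip is None:
            self._onion_active = max(0, self._onion_active - 1)
        elif self._per_ip[source_ip] > 0:
            self._per_ip[source_ip] -= 1

    def active(self, source_ip: Optional[str]) -> int:
        return self._onion_active if source_ip is None else self._per_ip[source_ip]


def demo() -> List[bool]:
    """Constructed scenario: one IP opens shells until refused, frees one,
    gets back in; then the Tor route fills up independently of any IP."""
    lim = SessionLimiter(per_ip_limit=3, onion_limit=2)
    results = [lim.admit("172.22.0.21")[0] for _ in range(4)]   # T, T, T, F
    lim.release("172.22.0.21")
    results.append(lim.admit("172.22.0.21")[0])                  # T again
    results += [lim.admit(None)[0] for _ in range(3)]            # T, T, F
    return results
```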
Most places require payment, which is hard to do anonymously.
Here, you don't have to take many promises at face value. You do have to assume that everything you do on that server is monitored if you don't trust it, but you can connect to it via Tor and/or a VPN.
I can totally see the market for this. Imagine being a young person (let's say between 10 and 17), you read 2600 or something like it, you cannot pay for a server, you do not have your own Linux because the only family computer is running Windows and you're not an administrator on it. This is free and full of wonderful tools to try and explore.
Seems like this situation would have been common 25 years ago, but even poor families today have more than one computer at home. Indeed, every family member probably owns a smartphone, which is way more powerful than the “family computers” of decades past, and a quite capable Linux box if rooted and paired with a Bluetooth keyboard. If you’re a burgeoning hardware hacker, a Raspberry Pi is a few tens of dollars and a more than capable machine for that purpose.
For a teenager in a poor family, spending $60 on an Orange Pi (good luck finding a Raspberry Pi for cheaper) with power supply and keyboard is a substantial investment (and that assumes you can get an old monitor for free from somewhere, your family PC is likely a $300 laptop after all).
SSHing into a VPS from the family computer is definitely a lower barrier to entry. You can get dirt-cheap VPS for $3/month, but this free offer is even cheaper and comes without the hassle of payment methods (no explaining to your parents why you need to use their credit card for this).
Is dumpster diving for computers still viable? All the computers, monitors, etc I had when I was a teen were free, scavenged from dumpsters in commercial parks. Maybe this supply has dried up now that the pace of hardware obsolescence has slowed.
I'm sorry, it's sad, but that's just not how it works. Even "a few tens of dollars" is too much for some people, much more than you can imagine. I teach at university and every year I have students who never had a personal computer and are still not able to afford one. And mind that this in France (not your typical third-world country) and that I teach computer science…
Those can also be had for tens of dollars. But my general point was not about the Pi; it was that even poor teens likely already have access to their own Linux-capable machine.
At that point, you’ve spent well over a hundred bucks on a very basic machine, esp once factoring in shipping. A decent Chromebook with Linux support can be had for about 250-300.
Exactly, if I want to test my pf firewall with "triggers" then this is one way, test my IDS etc, and with installed Kali everything is possible ;) just perfect!
Agreed, I am not sure I understand the "how can you expect this to be secure" argument. I paid nothing, and it's sometimes fun to have a thing to play with that someone created. I am not using this to proxy a hack into Bank of America, nor am I storing my 20 page manifesto.
If you do such a thing through here, you deserve whatever happens to you.
`nmap` or pentesting from dedicated hosting or your home fiber may lead to permban from your service provider. Here you can experiment without much consequences.
Is it safe?
Nobody ever got arrested for choosing segfault.net.
Take a close look at how that question isn't answered. It's best not to do any work on these, where you need to trust the platform. You might even get blamed for people's actions on their box next to you.
Not much remains outside of this being a honeypot or for criminals.
I can’t see the easy way you mentioned - could you explain?
I agree that a target of interest could be located to this service, but to correlate activity of two users would seem to require detailed logs from the provider - the logs they claim not to keep.
Also, by visiting a bank, there’s a chance you could end up being mistaken for a bank robber; or by jogging through a neighborhood, there’s a chance you could be mistaken for a thief; etc. We don’t usually give much thought to these possibilities, although they do sometimes happen. Is there any reason to treat this differently?
Sure, it's perfectly reasonable from a privacy perspective but it raises questions: I don't run around showing my passport to everyone (except for my authoritarian government) and yet I drive around with an id that the authorities can link to my identity.
Don't get me wrong, I'm all for removing layers of surveillance, but I will still assume tor users on my website are either trying to hack it or have something to hide from their government.
Yes, a vpn is clandestine. However, it isn't correct to say that Tor's traffic is clandestine (which it is), but using it isn't clandestine. Hiding your traffic's contents is the same as hiding your traffic's contents.
The weaselworded non answer to “is it safe” is obviously technically true. Even if they’ve disclosed all activity and logs and user ip addresses to law enforcement, which resulted in hundreds of people going to jail, they went to jail for what they did with this, not for “using it”…
It’s a fun curiosity. But anyone relying on it to cover up illegal activity should be very very careful. If what you’re doing can improve a cop’s chance of promotion, you should assume they’ll take advantage of that. And for “lesser crimes”, you can bet that most things you want to do from there are already on blocklists. You’ll have as much chance of getting your spam runs out of there as you do from any cheap vps or tor exit…
It looks like they bind the Docker socket into the guest controller[1], but maybe not the guest itself. But yeah: unrestricted container root plus any capabilities means that they're only one low-effort bug away from a container escape.
Given how valuable 0-day container escape exploits are and how knowledgeable the people are who host this, it would seem to make sense economically to host this for free with the explicit hope that someone does in fact escape and pwn the box, assuming they can log enough to determine the method of exploit and be able to reproduce it.
That was my first thought. Shut down voluntarily in 2019 for no particular reason after 22 years? Mysteriously back and even better? Doesn't pass the smell test.
The page talks a big game about hating criminals, but these days if you don't put up a cookie banner RoboCop will shoot you in the dick. And if someone really isn't a criminal we've got a fix for that, too: Just ship them to a country where they are!
On the other hand maybe this post-HSA, post-Snowden world has made me jaded and the site really is just good clean fun.
> Your server will self-destruct on log out (and all data & traces will get wiped).
This does not seem to be entirely accurate (and it would also be very obnoxious, especially for use over Tor, if a dropped connection meant starting from scratch). The servers do allow reconnects, and data is preserved (presumably in encrypted form).
I had a play and created a file and logged in and out and the file persisted as did my ability to look at the /onion directory via Tor after the ssh session was stopped.
Pretty sure that mosh uses ssh initially and then the communication is over udp. Not sure if an ssh connection is even maintained then.
Tmux I guess you would run locally and put in the background when you want to work on something else. But then your ssh connection could still drop or tmux could crash on your local machine.
"Good purpose" is ambiguous. Even if you start with a "reasonableness standard" that is something like a "test particle" that is white, male, raised in Minnesota to vaguely Christian parents, born in the '80s, watched SpongeBob SquarePants, it's less ambiguous. It means respecting the law, including ones you don't agree with. Including the laws that you think it would be good to break.
This server sits there as a perfect vehicle from which to break the law. It's like someone leaving a fleet of getaway cars and guns, with tips on which banks are loaded right now left on the driver's side seat, and delivering it to a poor neighborhood, where it is rational to accept higher risk for a higher reward.
There may be some who use it out of intellectual curiosity, and who are careful not to run afoul of any laws. LEOs will be of this type, I assume. I'm curious to know what is in that 8GB of tools that is included in every shell, for example. So for me the appeal would be a "safe" place to play with tools that I may have concern about even installing myself and what lists that adds me to. So in that sense it's quite a good thing, it is freeing from risk of state involvement if your experiment/exploration goes wrong.
Presumably all serious hacking attempts originate from a remote process anyway, as only a very silly/young/foolish hacker would try certain tools from their actual home IP address and personal laptop. So one argument for this service is that it reduces the demand for (coerced) botnet nodes. If you squint your eyes it's a similar argument for providing clean needles and methadone to a community, no questions asked. No, it's ugly that people use, but it's even uglier that people use and reuse/share needles to avoid detection.
So while I agree it's probably a honeypot, there is also a sound argument for it to exist, legitimately, as a public service - a hacker's hamsterdam.
That wasn't really my point. It's clear from the feature-set what people are intended to use the service for.
My point was — without tracking users, how do you ensure quality of service for this system, when someone could just generate 10k distinct SSH keys (= distinct "accounts" in this system) to run their botnet with, and so consume all your resources with purely their traffic? (Where "a botnet" here is just standing in as an example of a use-case that requires as many nodes as possible, rather than being satisfied with just one. Could be a distributed web scraper; could be a crypto-mining pool; etc.)
If you're not requiring some kind of user registration that does enough KYC to deduplicate registration attempts — and you're not tracking usage with fine-enough granularity to be able to surface + ban people who are "taking more than their fair share" — then this isn't going to be of benefit to the entire hacker community, but rather the whole thing is going to be gobbled up by the first person willing to write a script to do so.
It's like making a large donation to a community in a war-torn developing nation, where as soon as you leave, the whole thing gets extracted out into the coffers of the largest local warlord.
IMHO doing this model correctly would necessitate something closer to the "a real person's going to manually verify your sign-up" process of e.g. https://www.nearlyfreespeech.net/signup/signup.
Oh, well by misunderstanding your point I stumbled on what is, IMHO, a more interesting point. In theory it's relatively straightforward to develop a "1 human per process" heuristic for a service like this, especially if you reserve the right to observe and interact with users at any time (which this service certainly does).
Doing any interactive external observation would put a lie to the claim that "all data & traces will get wiped" — since there would then be "traces" (in the sense of "trace evidence" — https://en.wikipedia.org/wiki/Locard%27s_exchange_principle) left on the sysadmin-observer's workstation, that would have to be wiped in turn. (And which are unlikely to be, because the sysadmin is likely also the developer, and a DevOps workstation is usually persistent.)
For that claim to actually be true, the system has to be hermetically sealed against outside observation by any other than the user themselves. (Compare/contrast: the claims of a few VPN service providers, that their service is implemented effectively statelessly, in diskless + memory-constrained ASICs on network switches, such that there's no ability even in theory for the machine itself to keep metrics on which user accounts are responsible for which kinds of upstream traffic flows; such that a state actor who wanted to know that would be stuck either replacing the hardware [and so extracting the credential store out of the TPM of the original hardware] or MITMing both sides of the VPN box and doing traffic analysis to match flows.)
IMHO, it's probably very unlikely that the claim is true — but it's interesting and fun to try to threat-model a service that does try to make that guarantee.
Also, separately:
> In theory it's relatively straightforward to develop a "1 human per process" heuristic for a service like this
You're forgetting that these accounts aren't strictly intended for use by humans, but rather scripting the system is an accepted (and encouraged!) use-case. Which means that you can't differentiate one user "botting" N accounts, running the same script (presumably bannable); from N users each "botting" their own single account by using the same popular open-source script (perfectly legitimate and protected!)
This, by the way, is the reason that most VPS providers outright ban the deployment of certain types of software, e.g. IRC bouncer bots: it's impossible to tell whether N deployments of such a bot are N users intentionally deploying the same open-source bot, or one user (with N stolen user credentials) deploying a botnet that uses IRC for command-and-control. So they just make the assumption that such deployments are always malicious, and refuse the business of anyone who has a non-malicious use-case for such deployments.
> Reverse Port Forwards (forget ngrok. This is free & better).
i assume this means the 'disposable root server' can send [whatever] encrypted data over the ssh tunnel to my machine (and my network if the machine is not properly segmented)?
That's what their website says, however I had a play and created a file and logged in and out and the file persisted as did my ability to look at the /onion directory via Tor after the ssh session was stopped.
It does shutdown when you log out, the only persisted data is on /sec and /everyone
Your home directory is in /sec/root.
If you install tools outside of /sec/usr they will be reset on your next visit. So if you want to install something that survives a session log out you need to install to /sec/usr
I read somewhere on their site or in GitHub that files in the home directory are encrypted when you disconnect and when you connect again the encrypted file is restored and so you have files back. If you were to install a program with apt however when you log in again that will be gone.
They've either been compromised or severely borked in an attempt to fight abuse. The entire? image is now read-only, or at least /tmp and the home directory both are. Their login script fails and errors out about read-only filesystems and you can't do anything useful with the machine without some extra hacking.
I got excited for a moment reading the title thinking it was referring to (disposable) DNS Root Servers, since that is the only context in which I have heard about “root servers” before.
I've seen the term used to mean dedicated servers or VMs, by European hosting companies. Possibly all German companies though that might not be a solid memory, but it does seem quite localised. I assume it is to differentiate between hosted servers where you have an account, multiple accounts, or a reseller account, but not full admin (root level) access.
Always struck me as a clunky term, but it was where my head went first on reading the title here (then I thought DNS servers, but that did not compute so the first thought "won").
A “root server” was a pre-cloud term for a rented server you had root on vs a mortal user account. The latter was typically for hosting a canned LAMP. Basically your own VM or physical instead of a user on a shared machine or a limited-use VM.
There’s a bunch of these comments. What would a disposable root DNS server mean? Stand up a DNS server and just claim authority for .?
You could do that here fine I imagine. You have root. Until you log out, of course.
If you can install stuff and listen on 53, you could make your own private DNS tree anywhere.
Now, managing delegations will get weird if you want to delegate outside of what you manage. I’m seeing a spiderweb of stub zones.
I didn’t realize that was a German thing - anyone who’s done much renting of bare metal servers is likely to have encountered the term, but that seems to be because some of the biggest global providers of those services are German, like Hetzner and 1&1/Ionos.
> Since 1995 we have had 3 of our members arrested (0 convicted), we have had visits by the BKA (Germany’s FBI) and BND (Germany’s NSA), we were blackmailed by the British GCHQ and harassed and intimidated by many others