Nitter.net has disappeared (github.com/zedeus)
217 points by rrherr 9 months ago | 87 comments



Someone filed a complaint to Njalla about unconsensual nudity being hosted on nitter.net, with a link that actually came from another instance.

https://github.com/zedeus/nitter/issues/1150#issuecomment-18...

Extremely not-encouraging.

I didn't think much of it when I got an email with the subject "Njalla: New Message", and the body just being a link, while traveling.

This is not what I would call professional behavior by Njalla. Apparently everything they send you, including "hey try our new iOS app in the app store!", comes in the form of "Njalla: New Message <hyperlink>". So you have to click-login-read every one of those "new app in the app store!" spams in order to not miss the "hey we might suspend your domain" messages. And of course you can't write spam filtering rules for any of this since it's all forced through a browser flow instead of your mail client. Great.

And this login-to-read-the-link is with the credentials that control transfers of your domain -- heaven forbid you might not want to keep those on every machine from which you read email...


Wow, I don't think I'll be doing business with Njalla then.

I've always wanted to own my domain anonymously and considered moving it to Njalla, but the idea that they could evaporate and I'd lose control of my domain forever put me off. Now I have another reason.


Maybe check out epik.com


I would not recommend Epik after their data breach 2 years ago where all their customer info got leaked because it was all sitting unencrypted on their servers.


Njalla is, sadly, garbage. It is a disgrace to the legacy of The Pirate Bay. I've heard horror stories of domains being stolen, without possibility of transfer, over fake reports.


This is no different from Amazon though. All their emails, including the “we won’t refund you if you don’t respond” ones come with exactly the same “about your order” subject.


It is completely different.

You seem to have selectively ignored everything about this discussion except "unhelpful subject line". All of Amazon's emails have a complete body with all the important text instead of just a "click link to read". Spamfiltering against this works very well.

Compare apples to apples: what do Amazon's account suspension emails look like?


The point in the original message on GitHub was that you see an email in your inbox and ignore it because it looks like the other 100 emails you get every day.

Maybe their account suspension emails are different, maybe not. I wouldn’t bet on it anyway.


This would be an even further step. Reminds me of how Cable/Xfinity won't let you cancel sports package over chat... they send you a link to your phone that you must click, log in (password verification, captcha etc...) and then change the terms of your account.

Even on phone they make you respond to a text to confirm. If anything happens (internet is not working, whatever, your bill will not be reduced).

Every extra link you must click to a third party source will remove half of your people.

It's an egregious step, imo


nitter.net is unavailable because Njalla (domain vendor) suspended my account. I'm waiting for them to respond.

https://github.com/zedeus/nitter/issues/1150#issuecomment-18...

That is extremely disturbing. Njalla is the owner-of-record (i.e. nominee) for all domains registered through them, rather than merely the registrar. If they run off with your domain you have significantly fewer options for dealing with it than with any other registrar.

I expected better than "shoot first ask questions later" from them. At least shoot while asking the questions; the owner should've had an explanation for the suspension waiting in their inbox.


Njalla is a misunderstood company. You can buy domains and VPCs with monero over VPN / Tor and be totally anonymous. However they will immediately roll over and give everything away to LEO. If you are conducting activity and a valid legal request comes to end that activity, they will. It is on you, the customer, to ensure you are operating privately and not conducting activity in a way that attracts valid legal requests.

Nitter should have anticipated this and planned accordingly. The law is the law. Njalla is a wonderful service but they are not outlaws. They are structured in such a way to make it more difficult to stop their customers, and they hold less data about them. But they operate within the law.

If you use their service and don’t take the adequate steps to protect your privacy, they will give away your data in accordance with the laws of the domicile they operate under.


Dude how do we know the legal request was valid? Or that there even was a legal request?

You're jumping the gun here. The primary concern is the absurd radio silence from Njalla. Not acceptable. Once they rectify that maybe there will be other problems revealed, but at the moment them being AWOL is the issue.


It’s the weekend, maybe give them a few days. Njalla is not going to destroy their reputation over Nitter. Likely they didn’t even know anyone cared about this service.


> Njalla is not going to destroy their reputation over Nitter

They're doing a decent job so far.


That's exactly my point: if the reason for suspending the domain was SO URGENT that it had to be done on a Saturday, then they can find time to explain their actions on the same day they took them.

> Likely they didn’t even know anyone cared about this service.

Er, you do know that both Njalla and Nitter cater to the surveillance-disliking crowd, right? I would be shocked (shocked!) if there aren't multiple Njalla employees who use nitter instances daily.

Can't tell if trolling or...


> Njalla is not going to destroy their reputation over Nitter

What exactly is this supposed to mean?

Building your product on top of a domain that someone else owns (by design) is an inherently risky proposition. The only type of customer Njalla would attract in the first place are fringe privacy-conscious customers who begrudgingly accept this risk.

This is exactly the type of nightmare scenario their customers don't want to run into. If they don't treat these issues as a matter of urgency and don't support their customers as much as they're legally allowed to by fighting BS requests, they'll very quickly find themselves out of business. I suppose the irony of this is lost on you, "monero-xmr".


Doubt it was a legal request. Njalla shoots first and asks questions later if there's any risk of controversy.


I'm pretty sure Tor is not anonymous. I read a while back that the US gov controls most of the exit nodes (or something like that) + can do some decrypting monkey business


Anything that can be produced without evidence can be dismissed without evidence.

In our case, the evidence we do have is that Tor is a hotbed for crime. That indicates Tor is not some captive tool of the US government.


Apply the same logic to your assertion. There could be many legitimate reasons for Gov intelligence to control exit nodes without prosecuting every illegal activity. Same as with local police not prosecuting every crime openly committed in nightlife districts of every major city.


Have you heard of parallel construction? LEOs use it to hide how they actually cracked the case and can get away with using inadmissible evidence.


I’m not sure this follows. Intelligence and federal police services routinely “manage” crime to various ends. Go read Tim Weiner’s Legacy of Ashes or Enemies for myriad examples.


Unless it’s the government doing the crime.


Please don't just vaguely say you're pretty sure of something because of a half remembered fact


Whether they can or can’t isn’t really the question. Tor is publicly believed to be private and the government has never tipped its hand that it’s not. In cases where maybe they could compromise Tor, they would have had to use parallel construction, because in court they have never stated they can compromise Tor.

So from an opsec perspective, the question is if the level of your activity rises to the point such that a government entity would take the effort to create parallel construction. If you are not doing something that would anger the government so much, then Tor is a good smoke screen in front of your activity.

Everything is effort and probability. Given enough time and resources you will always be unmasked - always!


Even if the government controls all of the Tor exit nodes, that does not give them omniscient knowledge. Presumably the wrapped communication protocols are still going to be encrypted. There would have to be a different information leakage to completely compromise you. So, not great if you're interested in maintaining total secrecy, but better than nothing.

That being said, if the government was really interested in correlating timestamps with Tor activity, it is reasonable to assume they have that power. I assume Tor activity stands out, and every ISP might already be logging such connection events.


As a thought experiment, assume the government has perfect knowledge of Tor activity, yet chooses not to reveal this fact. I would say government compromise is the perennial anxiety of Tor enthusiasts.

My point is that even if it’s true that Tor is compromised, the value of Tor as a honeypot is so great that the government has thus far refused to acknowledge they can. Because if they did, Tor would die overnight and something even stronger would replace it.

So even if you operate under the theory that Tor is compromised, it’s still vastly superior to clearnet because the value of Tor as a honeypot means most people using it for anonymity will remain anonymous.


One thing to remember is that Tor was created by the government, specifically to encrypt the communication of CIA spies. They released it to the public specifically to provide plausible deniability to those spies. So backdooring the protocol right out of the gate would be an own goal.

That being said, I have no clue if they still use it. Presumably if the US government found a vulnerability in Tor, they'd either stop using it, or run some other layer of encryption on top.


Same reason the US didn't reveal they had an Enigma machine. If word got out, the Germans would've changed the codes or made a new process practically overnight.

You just use the information to plan "random" "oopsie we spotted you" missions


Was this about that time the US govt paid CMU $1m?

From memory that attack involved running a huge number of exit/relay nodes and someone was able to show a massive spike in online nodes as evidence, but I can't remember who.


this misinformation and nonsense gets mentioned so often

it is in no way true


Wow, really surprising that Njal.la is the registrar and suspended zedeus, given they advertise themselves as resilient to government requests (not as trigger-happy when it comes to legal threats as other hosters). Their about page says:

> The idea behind Njalla is to make sure that your visibility to the public is minimised if you need it to be. We're not going to give your customer data out easily. However, we will help if there are legal merits to any formal government requests to our system. If you use our service in a way that affects anyones health or safety, we reserve the right to suspend your service.

Does this mean Twitter gave a very valid legal threat? Or worse, is there some Twitter content that is being mirrored that is unsavory and triggered an immediate suspension from Njalla? This is unfortunately very common for Nitter in particular [0] [1].

[0]: https://github.com/zedeus/nitter/wiki/DMCA-templates

[1]: https://github.com/zedeus/nitter/issues/482


What's interesting about this is when you use Njalla you give your domain to them. So it seems in the worst case they could just keep the domain with no legal recourse too? Given from my understanding nitter is simply a proxy service too this makes it odd.


> Or worse, is there some Twitter content that is being mirrored that is unsavory and triggered an immediate suspension from Njalla?

Since it mirrors all twitter content that seems almost a given.


> given they advertise themselves as resilient to government requests (not as trigger-happy when it comes to legal threats as other hosters)

That does not mean they're ok with illegal things... such as CSAM which was the case here. They're not a bullet proof registrar, they're meant to be private, they're not even a registrar


Of course, but presumably they would look into these requests to investigate for validity. According to the thread, zedeus says the URLs reported are not even valid and don't work.


> zedeus says the URLs reported are not even valid and don't work

I don't see him saying that.

He said

> A funny thing to note here is that the image link, which first points at nitter.it, is a /enc/ link which only gets created by Nitter if the instance admin enables base64 link encoding for media proxying. This is not enabled for nitter.net, so I know for a fact someone copied an image from another instance (presumably nitter.it), changed the domain, and sent a complaint to Njalla.

nitter.net returns images from tweets as something like "/pic/orig/media/DP5UreOXcAEz6EI.jpg"

another instance with "base64 link encoding for media proxying" returns images from tweets as "/pic/enc/bWVkaWEvRFA1VXJlT1hjQUV6NkVJLmpwZw=="

That just means whoever got the link went to another instance first, copied the path and replaced it with nitter.net

I tried this myself, I went to another nitter instance which had "base64 link encoding for media proxying", copied the link, replaced the domain with nitter.net and it loaded the image just fine.
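
Added example (not part of the comment above and not Nitter's own code): a triage check for a reported media URL that decodes the `/pic/enc/` form, reduces both link shapes to the same media path, and reports whether the link style matches what the instance is configured to emit. The two path prefixes and the sample values come from the comment; the function names, the `instance_uses_enc` flag, and the handling of stripped padding and the URL-safe alphabet are assumptions.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

# Path prefixes taken from the two URL shapes quoted in the comment above.
PLAIN_PREFIX = "/pic/orig/"
ENC_PREFIX = "/pic/enc/"


def classify_media_link(url):
    """Return (style, media_key) for a reported media URL.

    style is "plain", "enc", or None when the path has neither shape or the
    base64 part does not decode. media_key is the decoded upstream media path.
    """
    path = unquote(urlsplit(url).path)
    if path.startswith(PLAIN_PREFIX):
        return "plain", path[len(PLAIN_PREFIX):]
    if path.startswith(ENC_PREFIX):
        token = path[len(ENC_PREFIX):]
        # Assumption: tolerate the URL-safe alphabet and restore padding that
        # a mail client or web form may have stripped from the report.
        token = token.replace("-", "+").replace("_", "/")
        token += "=" * (-len(token) % 4)
        try:
            key = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None, None
        return "enc", key
    return None, None


def triage_report(url, instance_host, instance_uses_enc):
    """Summarise what a reported URL says about where the link was produced."""
    host = (urlsplit(url).hostname or "").lower()
    style, key = classify_media_link(url)
    expected = "enc" if instance_uses_enc else "plain"
    return {
        "host_matches": host == instance_host,
        "style": style,
        "media_key": key,
        # A link in a style this instance never emits was not copied from its
        # own pages, even if the instance would still serve it on request.
        "consistent_with_instance": host == instance_host and style == expected,
    }


# Constructed sample: the encoded path from the comment with the domain
# swapped to nitter.net, as the complaint is described.
REPORTED = "https://nitter.net/pic/enc/bWVkaWEvRFA1VXJlT1hjQUV6NkVJLmpwZw=="
NATIVE = "https://nitter.net/pic/orig/media/DP5UreOXcAEz6EI.jpg"

if __name__ == "__main__":
    for link in (REPORTED, NATIVE):
        print(link)
        print("  ", triage_report(link, "nitter.net", instance_uses_enc=False))
```

Both sample links reduce to the same `media_key`, which is why the copied link still loads, while only the `/pic/orig/` one is consistent with an instance that has encoding disabled.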


Ah, I stand corrected. Thanks!


They are clearly not resilient. They serve no purpose to the market.


A list of Nitter mirrors and their uptime status for those looking for alternatives: https://status.d420.de/


Worth noting this page also includes which Nitter instances support RSS.

I've replaced 99 percent of my Twitter use with RSS now and oh my is it a more pleasant experience.


> add 185.246.188.57 nitter.net to your hosts file

Good workaround, but not so helpful for iOS.


You just need a DNS server that does that, I guess?


So I was thinking it would be kind of nice if there was a way to write a url like

https://nitter.net(c/o 185.246.188.57)/something/other

I guess links would still be broken though. Maybe a browser feature for a hosts file?


That's basically what a HTTP client does. It connects to the server (, does some TLS stuff) and sends a request like

  GET / HTTP/2
  Host: nitter.net
  […other headers]

This would just need to be exposed in a browser.


Is that yet another thing the mothership won’t let you do with an iPhone?


I don't think this limitation is exclusive to Apple though.

As far as I know, there is no way to edit a hosts file on Android either. Is there?


I still consider it an Android bug that it isn't possible, even after all these years. The permission model on Android is pure nonsense.


Well... not directly without root, but you can host a DNS Server on Android and use it if you wanted to


You can do it on a GNU/Linux phone though (sent from my Librem 5).


Not without root


Theoretically if you set up something like nextdns on the iPhone you could set an override


This so called Njalla's website screams scam. No contacts, no people. Just a mention of some 1337 LLC in the depths of pages and a lot of attention to "what Njalla means ... From the dictionary ... /ˈɲalla/ (Sami)" on every page as if someone gives a shit. And, of course, it's overpriced, too. No wonder, the account has been suspended.


You should check their history. They are deeply connected with pirate bay


The original one, or the present one that can't even order the search results by date correctly? ;)


Original one, and I think some of them worked on IPredator


Yeah, Peter Sunde (one of the TPB founders) founded both IPredator and Njalla and then merged IPredator into Njalla


That's what a typical bulletproof service looks like.


Nothing bulletproof about shutting down your whole account for 1 complaint for a proxy service, which Njalla isn't even hosting.

A mainstream provider will handle this better.


"Felt a bit shitty to have my domain taken down over something I'm not responsible for. The content is only available through Nitter because Twitter makes it available."

He totally is responsible, the argument "i only serve it because twitter serves it" is bad in my opinion, he's still serving it, just because Twitter does it too doesn't absolve him of all responsibility


If someone views child porn using Mozilla Firefox, is Mozilla responsible for it?


That's not the same at all?


Yes, it is. Nitter is just a front end for Twitter, doesn't host anything, doesn't have anything to do with what's posted on Twitter, it just shows it.


It proxies it through their servers. You are connecting to Nitter, not Twitter. They are serving the content to you (the user), not Twitter.


Alright. If someone sends child porn to someone by physical mail, is the mail company responsible for it?


Twitter would be the party mailing the letter to Nitter, and Nitter is mailing it to the end user. Nitter is responsible for mailing it to the end user. It doesn't matter that they originally got it from Twitter or aliens from Uranus. The mail company is Firefox browser.


Tangential, but Firefox's error message "Hmm. We’re having trouble finding that site. An error occurred during a connection to nitter.net." is so user-friendly it is useless.

Is the certificate invalid? Is the DNS record missing? Was the IP address found, but is returning malformed answers? Is it returning nothing at all? Can I even reach any DNS servers, or is my connection to the internet itself dead?

The browser isn't telling, not even behind a "show details" button. There's only "trouble" and "an error", and some patronizing anthropomorphism with the "Hmm."


- Is the certificate invalid?

- Was the IP address found, but is returning malformed answers?

- Is it returning nothing at all?

Firefox returns "Your connection is not secure" for the first, and the raw data from the HTTP request for the others. (Or Secure Connection Failed for the second if you try to use HTTPS)

"We’re having trouble finding that site." is only ever given if the browser tries to do a DNS lookup and does not get an answer.


Having to first get an error message for every other error condition first, to find what this error is about by process of elimination, is not reasonable or informative.


“Finding” is dns. The rest of those scenarios mention connection issues


njal.la restored nitter.net, and replied with their reasons: https://github.com/zedeus/nitter/issues/1150#issuecomment-18...

tbh I can totally understand why they acted this way.


How would you know any nudity on twitter was unconsensual? How would you prove it to the service you are asking to block it? Do they just assume it is if anything nude shows up?


You can know it's nonconsensual if, say, the subject of the photo complains about it. Presumably they're the ones sending the notice to Njalla, who then sent the complaint on to the wrong subscriber, and thus here we are.


Shouldn't the subject complain to the police instead? How can Njalla even validate whom the request comes from and why should they?


Remember, you own a copyright to your image*. If someone posts a private photo or video of you that you don’t like, whether there’s nudity or not, you can DMCA the hell out of that post while you are waiting for police to do something (which they still often don’t**).

* https://en.m.wikipedia.org/wiki/Model_release

** https://podcasts.apple.com/us/podcast/darknet-diaries/id1296...


How do you prove it is you on the image? And that you didn't sign a model release?

More importantly, is a random registrar or a hosting provider capable of handling such cases? And should they? Maybe police is better equipped for that?


That’s the beauty of it: the hoster is required to take it down ASAP. If it turns out you filed a frivolous claim and someone bothers to follow through, they are always allowed to sue you within a couple of following weeks, and that is not hoster’s concern.

Hoster’s concern is that if they do nothing then they are going to feel the hammer of respective infrastructure providers, none of whom want to be fined or jailed because of some small fish like Nitter.

I would not count on police in such cases, even in a developed country. If someone, say, doxxed you with an address and a photo, what you want is for that to go away before a predator sees it. Police may not act until it is way too late.


Nitter is hobbyist-run, it is not some big tech company with an army of lawyers who can sue you anywhere in the world. Allowing randos to arbitrarily and capriciously shut down any resource on the small web with such a "guilty until proven innocent" mechanism is not sustainable in my opinion. This has already happened with videos when anything with sound in it can be (and is) harassed by DMCA-wielding bad actors, now we are allowing to do the same with any web page with an image in it.


First, a platform with millions of posts from millions of users could not be further from small Web with its self-published, crafted websites.

Second, this law is precisely what makes it possible to run a social platform and not have an army of lawyers.

Without DMCA safe harbor protection, Nitter could be sued to oblivion the first time they are caught distributing infringing material. Big corporations with armies of lawyers and moderators could maybe afford the legal costs, but if you are just a few guys… you’d never run a website where people can post freely.

Under safe harbor, however, copyright owners can’t sue you, and in return you promise to timely hide content when you are notified. If you can’t be bothered to even do that, perhaps you should not run a platform focused on UGC in the first place. Everyone does it, even 4chan.


I imagine you’d have to prove you are the subject in question.


Safe harbor law means that website operators can waive responsibility for infringing UGC they host, but in exchange they will remove it timely when notified. If operators were manually verifying every takedown request, no one would get anywhere—how do you prove that it is you on the photo without literally arriving in person? What if you are 20 years older now? And so on.


Could this be Twitter paying or forcing Njalla to shut down Nitter?


How to kill any Twitter clone:

1. Twitter posts something infringing and waits for it to sync to the clone.

2. Twitter removes the infringing post.

3. Copyright owner DMCAs the clone. Some little bird tells it about the infringing post.

4. After the clone does nothing, copyright owner DMCAs its infrastructure providers (ISP, DNS), who promptly kill the clone.

Given sufficiently big copyright owner (Warner Bros, etc.), providers will probably ban clone’s billing account permanently for good measure.

To avoid this scenario, all the clone needs to do is be a good citizen and respect DMCA takedown notices.


So what are the alternatives to Njalla?


IncogNet if you want a similar "we own it for you and let you manage it" service.


Tor hidden service.


I hope that's the last straw needed to switch away from this unprofessional registrar run from a basement.



