Anonymous, together with a group known as the Peoples Liberation Front, Tuesday announced the immediate availability of a new website for hacktivists to dump their stolen ("doxed") data.
Dubbed AnonPaste, the website has been created as an alternative to Pastebin and other websites that allow people to anonymously upload large amounts of text, the two groups said in a joint press release. Shared content can be set to expire after 10 minutes, an hour, a day, a month, a year, or never. In addition, the site promises to remain advertising-free and unmoderated, maintain no connection logs, and store only encrypted data.
AnonPaste, which accepts donations via WePay and BitCoins, was built using the open source ZeroBin software, which doesn't record the IP addresses of uploaders. In addition, the software encrypts and decrypts all text in the browser--before uploading it--using 256-bit AES encryption. The software also automatically converts URLs into clickable links.
[ Anonymous members don't always cover their own tracks. See Anonymous Hackers Not Smart On Anonymity, Feds Say. ]
But should would-be submitters of anonymous information trust the software on which AnonPaste is based? ZeroBin was created by, and is hosted on the personal website of, Sebastien Sauvage, a French developer with experience in developing online payment and authentication systems for French banks, which suggests he brings relevant knowledge to bear. Likewise, the software's tagline--"Because ignorance is bliss"--suggests that the software has been purpose-built to keep anonymous submissions anonymous.
But the ZeroBin software itself comes with numerous cautions: it's a "test service" and data may be deleted at the administrator's discretion. The ZeroBin site also warns, "Kittens will die if you abuse this service." That suggests that the server software hasn't been stress-tested against--or possibly, built to resist--the types of distributed denial-of-service attacks to which sites like Pastebin have been subjected.
Why the need for a new Pastebin? In part because Pastebin hasn't warmly embraced hacktivists who use it as a dox dumping ground. In fact, the site was created by Paul Dixon back in 2002 as a place for programmers to share snippets of source code. After 20,000 Hotmail account credentials were leaked via a Pastebin post in 2009, Dixon temporarily took the site offline while he added modifications to help prevent such data dumps.
Regardless, after the site was sold to Dutch entrepreneur and programmer Jeroen Vader in 2010, Pastebin became the go-to site for LulzSec to release dox or brag about attacks. By the middle of 2011, the site was recording its highest levels of traffic ever.
At the time, Vader told Social Media that the site had put a system in place to deal with takedown requests over sensitive data that ends up on the site, and said the site "always complies with requests from authorities."
But earlier this month, Vader apparently triggered hacktivists' ire with comments he made to the BBC when discussing the 1,200 daily abuse reports the site receives requesting that specific posts be erased. "I am looking to hire some extra people soon to monitor more of the website's content, not just the items that are reported," Vader told the BBC. He also noted that the site, which records the IP address of every uploader, tends to comply with requests from authorities for that IP information, provided they have a proper court order.
Vader's revelations led to a backlash from the Anonymous set, which took to Twitter to accuse him of practicing censorship. Many also began promoting alternatives to Pastebin for would-be document dumpers.
Interestingly, AnonPaste wasn't the only Anonymous version of a popular service to debut this month. Another service being talked up by Anonymous fans has been TalkOpen, which offers itself as an alternative to Twitter that will never share users' information with outsiders. The site runs on StatusNet, which is free, open source "microblogging" software that offers a Twitter-like, stream-oriented interface.
But the service offers some non-Twitter-like promises. "This service will NOT comply with court orders to turn over your private information," states the TalkOpen FAQ. "We aim to run a secure yet private service, and doing this would defeat the purpose of TalkOpen. In cases regarding child pornography or murder however, we will comply."
Of course, talk is cheap when it comes to promising to keep customers anonymous at all costs, since in the event of a court order, the site's administrators might be forced to share information with authorities or risk imprisonment, not to mention seeing their site forced offline. A whois lookup of the "TalkOpen" domain name reveals that the server running the site is hosted in France, by French ISP Ovh Systems. Notably, its terms of service state that it can discontinue service for any customer that doesn't comply with its code of conduct, which requires customers to abide by all applicable French laws and regulations, as well as the intellectual property rights of others.