from 0807@lemmy.world to privacy@lemmy.ml on 18 Jun 19:19
https://lemmy.world/post/48335808
I run 0807, a file host I host myself.
You drop a file, you get a short link, and you choose when it disappears.
I am posting it here because the whole thing is built around privacy, and because I would rather lay out the real threat model than call it “secure” and let you find the gaps later.
The privacy side:
- No account, no sign up. An upload is not tied to any identity.
- No ads, no third party trackers, no analytics. Nothing is loaded from outside domains, so no fonts or scripts phoning home.
- The server does not log IP addresses or requests. The rate limiter holds an IP in memory for a few minutes to count requests, then forgets it. Nothing is written to disk.
- Reachable over Tor through an onion service.
- Auto delete by time (one hour to thirty days, or never) or after a chosen number of downloads.
- Optional password on files and on text notes.
- Files up to 20 GB.
- Executable types like exe, bat and scripts are blocked so it cannot be used as a malware drop.
The honest part, which this community will and should ask about:
it is not end to end encrypted. The server can read what is stored, on purpose.
I want to be able to remove illegal uploads when they get reported, child sexual abuse material above all. A server that cannot see its own contents cannot act on those reports, and I am not willing to run one that cannot.
So I gave up that form of secrecy in exchange for being able to take that content down.
What that means for you in practice the password is casual access control, not protection from me as the operator or from anyone who breaks into the server.
If you need real confidentiality, encrypt the file on your own machine before uploading and share the key separately.
Treat 0807 as a way to move files around with self destructing links and no account, not as a vault for secrets you cannot afford to expose.
It is open source, and I host the code on my own server instead of GitHub, so there is no third party in that loop either.
You can read every line check the no logging claim yourself suggest a change, or open an issue all without an account:
Questions and criticism welcome. If you think the encryption tradeoff is the wrong call, I will read the argument
threaded - newest
Wouldn’t people looking to host illegal content also just do this?
With that in mind, wouldn’t it be better to implement E2EE and have that user trust?
I get where you’re coming from, but that’s the unfortunate dilemma of file hosting, I’m afraid.
You’re right, and I won’t pretend otherwise. Someone determined to host illegal content can encrypt it client-side and I’d never see it.
But that isn’t where most of the abuse on an open drop host comes from. The whole point of dumping that content somewhere is that the link is easy to click and the file just opens.
Client-side encryption breaks that the recipient needs the key, nothing previews or streams so the lazy and opportunistic uploads which are the bulk of it stay in plaintext.
Being able to remove what I can actually see is real harm reduction even if it never catches the careful ones. Locks don’t stop a determined burglar either, we still fit them.
The deciding factor for me is reports. With plaintext, when someone flags a file I can look and pull it. With E2EE I’m structurally incapable of acting on any report even when I want to.
I’m not willing to run a server where, if you show me there’s CSAM sitting on my disk, I cannot take it down. That’s the line and it’s not a technical one
As for the trust E2EE would buy, anyone who genuinely needs confidentiality already has it they can encrypt before uploading to any host, mine included.
So adding E2EE here would cost me all of that moderation ability in exchange for convenience my privacy-minded users can already get themselves. For a casual share-with-expiry tool, that trade isn’t worth it to me. You’re not wrong that it’s the dilemma of file hosting.
I just landed on the side of being able to answer a report, and I’d rather be honest that the password is casual privacy than sell E2EE I’d then be helpless behind.
I was going to say as I started to read through this, it’s either brave or foolhardy, especially with the TOR integration. That sounds ripe for abuse. Even with your precautions that sounds like a risk I personally wouldn’t want to take, but good luck to you!
As for TOR, that’s my biggest concern right now especially regarding abuse. So far everything’s going well, and if things get out of hand, I’ll remove the onion.
Thank you. I hope to keep the project going for as long as possible
Why? “Yes” to all the possible subjects that question could be applied to.
Is this a repost? I’m sure I saw a post like this already a few days ago.
Yes, I took the liberty of reposting it (by creating a domain specifically for the source code) and adding some major improvements
I see, is there a reason why you don’t just link to the GitHub repository (or better yet, use Codeberg)? Seems a bit strange to have the logo there when it goes to a different domain. This project looks like it could be useful.
Edit: I found the contribute pages, I’m assuming you did it this way for those that wish to stay anonymous (e.g: Tor visitors).
Hi, yes, everything is hosted on my own servers. And I’m not a big fan for several reasons, including this one:
Copilot was trained on publicly available code without consent and in violation of open-source licenses githubcopilotlitigation.com
The source code is available here: src.0807.st, viewable without an account or registration. And you can push commits anonymously.
Do you see any lack of wisdom in providing and describing a way for people to anonymously share encrypted CSAM on your servers, politely asking them not to do it after explicitly telling them how to do it, and then making your logo a Japanese schoolgirl?
./honeypot.sh
Criticizing just for the sake of criticizing is all you know how to do constantly shouting honeypot even though the src is available.
And I even recommend that people run it locally if they don’t trust me (which is understandable).
it’s not for the sake of criticism. as a sw eng myself, it’s about realizing the source may be available but the implementation is sketchy as fuck. this is glowie if there ever was one.
You really need to start waking up, man. The hosting service that would actually be suitable for this type of content is one with end-to-end encryption, which I chose not to implement.
As for the part where I explain to them “how to do it,” it seems pretty logical to me that anyone including me who runs a file-hosting service and responds to reports can see your files. So this “tip” that I “suggested” (in quotes) to encrypt your files is just common sense.
People didn’t wait for me to upload CSAM, and malicious actors didn’t wait for me to figure out how to encrypt their files. I won’t even address the comment about the logo, which is childish and irrelevant to the discussion
My comment is literally only about the logo. Your choice of it is the thing that highlights literally everything else I said.
If it weren’t for the logo, there would be no comment. Would I want to know whether people were hosting encrypted CSAM on my servers? Yes. You are free to take risks that you want to take. But the public image you choose is your own doing.
Very cool. Glad you’re still working on it.
You can implement end-to-end encryption and simply delete anything that was flagged as csam, even without validating that it is. Do you really want to see that shit? No. So are you really going to spend the time validating before deleting? I know I wouldn’t.
The worst that would happen is you’d end up deleting someone’s actual file because someone else maliciously reported it. And it would have to be someone who knew the link was even there to find it and report it. That’s a pretty unlikely scenario for a temporary file share.
Why are only some executable and source code file formats blocked? Wouldn’t it make sense to also block Python, Pascal, Fortran, MatLab, JS, TS, BF, ELF, A, B, C, C++, C#, D files?
Malware distributors would find another way, and broad restrictions would only frustrate legitimate users.