Knowing that the internet is not all cute and cuddly, and that the line between real and virtual sometimes gets kind of blurry, it is important to think a bit before acting; it could save you from getting into trouble.
What I meant by “blurry line between real world and virtual one” is that what happens on the internet does not always stay on the internet. If you read the news, you may have noticed articles about police raids on network-based service providers or their servers, governments asking communication service providers (e-mail, IM, others) to hand over private conversations to help in their investigations, or network access being blocked and donations being disrupted.
While some “shady” network services were started by paranoid people (in a good sense), who think a lot about their security and anonymity, most others don’t realise how important it could be or just don’t care.
Who should care about this? People who call themselves media, political organisations, internet pirates and people who want to stay anonymous.
Here are some quick tips that could be of some use to you:
1. Domain name
Since most visitors reach your service through a domain name, make sure you use domain name(s) that can’t be easily taken away by your country’s government and won’t get you into trouble for using them.
2.1. Choosing country
Make sure your files are hosted on servers outside of your government’s reach. In case of piracy, countries that don’t care about piracy or anti-piracy are best suited for this (Canada?).
Also make sure that your country doesn’t have official international investigation agreements with the hosting country.
2.2. Choosing data center
It would not hurt if the data center were located deep underground in some fortress that was previously used as a bomb shelter. Most countries probably have those.
2.3. Don’t bring your work home
If there is something physical that can’t be encrypted and hidden, don’t keep it at home. Hell, don’t keep it at home even if it is encrypted!
3. Laws of your country
In certain cases, make sure that you can’t be extradited to another country. If necessary, move to a new home. If you are dealing with some really powerful people, this could be really tricky (Wikileaks case).
4. Inability to reach users after takedown
Nothing scares away users more than leaving them wondering what is going on. Make sure you have a social messaging account, hosted on safe ground, that all your users know about. In case of problems, inform them using those tools.
Keep your data encrypted and don’t give the key to anyone. Also recommend this to your clients.
Since computers are getting more powerful all the time, complaining about CPU power needed to use data encryption is silly.
Also make sure that your encryption key can’t be accessed using a cold boot attack. If needed, glue the RAM to the motherboard! Seriously, this could help.
5.2. Connection encryption
Use connection encryption between your server and clients.
If you don’t trust your government and certificates given out by some companies, make your own and make sure your clients recognize it.
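An added example (not from the original post) of the "make your own and make sure your clients recognize it" step: the client trusts only your own certificate and also checks its SHA-256 fingerprint, instead of switching verification off. The function names, and the assumption that you hand the PEM and the fingerprint to clients out of band, are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_pin(pin: str) -> bytes:
    """Accept 'AA:BB:...' or plain hex and return the raw SHA-256 digest."""
    raw = bytes.fromhex(pin.replace(":", "").replace(" ", ""))
    if len(raw) != 32:
        raise ValueError("pin must be a SHA-256 fingerprint (32 bytes)")
    return raw


def cert_matches_pin(der_cert: bytes, pin: str) -> bool:
    """Compare the certificate's SHA-256 fingerprint with the pinned one."""
    digest = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(digest, normalize_pin(pin))


def private_trust_context(ca_pem: str = "") -> ssl.SSLContext:
    """TLS client context that trusts only the PEM passed in.

    PROTOCOL_TLS_CLIENT already enables CERT_REQUIRED and hostname checks;
    the system CA bundle is never loaded, so public CAs are not trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def connect_pinned(host: str, port: int, ca_pem: str, pin: str) -> str:
    """Connect, verify against the private trust store, then check the pin."""
    ctx = private_trust_context(ca_pem)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not cert_matches_pin(der, pin):
                raise ssl.SSLCertVerificationError("certificate does not match pin")
            return tls.version()
```

The certificate has to name the host your clients connect to, otherwise the hostname check fails before the pin is ever compared.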
7. Data loss and downtime
The good old saying “Real men don’t make backups” is meant as a joke and should not be taken seriously. Do make backups! Keep them far away from your main server, hide them, encrypt them, but make sure you have them (and try not to lose the key).
Having not only your data but also server configuration backed up could help reduce downtime in case of server change.
8.1. Fake identities for fake servers
Hiding your super powerful server behind a cheap, anonymous VPS could help you stay unidentified by less powerful people. There are some hosting companies that provide cheap VPS hosting and allow you to enter fake owner data for a small fee. If you can then hide your payment account and fake your domain name owner data, you could stay anonymous as long as your proxy hoster doesn’t give out your real server address. In this case, even if your proxy is taken down, reopening is just a matter of getting a new proxy server in some other part of the world.
8.2. Anonymous administration
There is always some risk that your server could be taken and data searched for leads.
If possible, leave no log files about your clients and administrators or make up some fake ones.
Use a proxy! The Tor Project should help you hide yourself.
8.3. Don’t use Skype
Since Skype was bought by Micro$oft, it can’t provide anonymous communication anymore. As an extra, they probably added the famous “generic crash library” to it. OK, to be serious, most of the public IM and e-mail networks should be considered unsafe. Set up your own private encrypted IM network and don’t log stuff.
But if we keep talking about Micro$oft, try to stay away from it. You never know what is hiding in their lame binaries, and “security through obscurity” (M$’s motto?) is stupid. Open source software is the future, go with it, explore how “security by design” works.
It is hard to write a universal hiding guide for every project, and each case is different. If you think it is necessary, get someone to give you good advice.
Remember that it takes only one small mistake to fail completely.
Most importantly, keep your conscience clean and be good! If you are doing it for the right reasons (and have a good PR campaign), people will support you (shouldn’t they?).
P.S. Feel free to add more tips or point out errors in the comment section. I’ll try to keep this post up to date.