
Cock.li server seized again by German prosecutor, service moves to Romania - Koahku
http://arstechnica.com/tech-policy/2016/01/cock-li-server-seized-again-by-german-prosecutor-service-moves-to-iceland/
======
striking
Mr. Canfield's thoughts on the matter:

>> Of course, though the facts of the case are yet to be seen since no one in
Germany is talking to us, I will definitely never host anything in Germany
ever again

He was trusting of authorities and purposely did not use TLS (beyond STARTTLS)
or encrypt his hard drives. And this is what happens. They take his hard
drives immediately and seize his entire service.

How are we supposed to trust the authorities when they make themselves
untrustable?

How are we, as server admins, supposed to stand down and backdoor our servers
for law enforcement when this happens, when we know we can't trust them to use
their powers responsibly?

Every time some big NSA exposé is unveiled, every time someone gets raided for
no particular reason, I get to reaffirm my distrust of the Internet police, in
whatever form they choose to take.

Policing the Internet is untenable and useless. Don't help the authorities
attack your users, because oftentimes...

you're their last defense.

~~~
belorn
I wish that Debian installer (and other distributions) would have encryption
on as default, especially if the installer ask you if you intend to install it
as a mail server. Users are entrusting their communication to the server which
means that the sane defaults should address their need for privacy and
control.

Law enforcement always operate on what is easiest and cheapest. A common
practice seem to have been established to raid a data center and take anything
that could be valuable and then have it put on the backlog to be sorted in the
next 5 years or until statute of limitations. By adding encryption to the
situation, its possible to change the economics so its more economical to go
through a judge and compel the service provider to provide the specific record
that is being requested.

~~~
jlgaddis
IMO, "sane defaults" are missing from pretty much every operating system out
there -- both in their installers and the resulting installed system.

It all comes down to that "convenience versus security" trade-off and, for
better or worse, those implementing these systems tend to lean more towards
the "convenience" side. It's going to take some major changes before we start
seeing systems that are "(mostly) secure by default".

------
darklajid
Ignoring the childish domain name, hopefully the discussion won't go down that
route again - that guy seems quite sincere and explains the situation quite
well.

My take away: Don't (blindly) trust Germany, and certainly don't use Hetzner.
If he's correct ("Hetzner didn't provide a copy of the confiscation order to
me or my lawyer") I'm glad to be the first in this community that runs around,
arms flailing, shouting "Hetzner is bad, Hetzner is the devil".

~~~
ryanlol
Yeah, Hetzner also has this strange habit of spitting out SQL errors when you
put apostrophes into forms on their website.

I'd avoid them.

~~~
dawnbreez
As someone who just applied for (and failed to get) a job at a DB company:

Not sanitizing your inputs is unacceptable, _even for a newbie_. These guys
must be _really_ stupid.

~~~
herbst
They are to big to fail at this point. And based on their price the servers
are amazing. (If you dont care about a perfect uptime.)

------
teddyh
Running a server containing users’ data (especially an e-mail server) in 2016
_without full-disk encryption_ is like running a web server _without HTTPS_.
Just _don’t_. It’s a privacy disaster waiting to happen.

This can happen in any country, even to a silly cock joke site like this, and
your users _will_ be hurt by it, possibly for many years to come. There is no
longer any excuse not to do it.

~~~
nonninz
Excuse my ignorance, but how does full-disk encryption work if you don't have
console access to it?

How do you enter the password after, say, a hard reset/power outage?

~~~
teddyh
For Debian and Ubuntu servers: Mandos
([http://www.recompile.se/mandos](http://www.recompile.se/mandos))

Introduction here:
[http://www.recompile.se/mandos/man/intro.8mandos](http://www.recompile.se/mandos/man/intro.8mandos)

Disclosure: I am a co-author. (Yeah, yeah, we _will_ switch our certificate
from CACert to LetsEncrypt. Soon. Ish.)

------
rdl
His video statement is pretty funny; I wish they were all this funny.
[https://u.pomf.is/imrkjv.webm](https://u.pomf.is/imrkjv.webm) "Steadfast
commitment to a cock joke".

I'm kind of surprised Hetzner didn't replace a hard drive after the first
raid; it was apparently operating in degraded RAID-1.

~~~
darklajid
I'm surprised that they give out your drive(s) without handing out a document
that explains why they had to do that.

As far as I'm aware (not a lawyer, a complete layman) there's no 'gag order'
here. So, my limited understanding so far is that this is either a complete
fuck-up ("Nah, we don't care to provide that document") or malicious. Even if
I follow the 'probably stupid, not malicious' argument: Why would you want to
pay Hetzner if this video is correct and you won't even be able to get the
documentation for them handing out your data?

~~~
necessity
Why do you assume there's no gag order? From what I understand it's either
that or what you suggest.

~~~
detaro
If there were a gag order, why would they have told him at all? Grab the disk,
blame a hardware failure, done.

------
Koahku
Previous discussion on HN after the first time it was seized

[https://news.ycombinator.com/item?id=10774152](https://news.ycombinator.com/item?id=10774152)

------
glasz
since people seem surprised, let me reiterate on those laughable german data
protection laws:

[http://glasz.org/sheeplog/2015/02/data-privacy-
regulations-i...](http://glasz.org/sheeplog/2015/02/data-privacy-regulations-
in-the-eu-are-among-the-strictest.html)

DO NOT trust any government or company. everything is full of submissive
sheep. particularly so in germany.

~~~
bitwize
One of the remarkable things about the U.S. constitution is that it
theoretically allows no escape rope from protection of rights; by contrast the
constitutions of many European democracies as well as Canada contain
"notwithstanding clauses" that allow free rein to the government when they
deem it necessary for any reason to trample on your rights.

Not saying the USA is particularly good about upholding those rights... pur
government has been looking for loopholes in the Bill of Rights since it was
ratified.

~~~
345218435
i have to admit i'm quite jealous of the u.s. constitution as it is very
restrictive and works by the assumption that the state has no rights except
those explicitely granted therein. really a beautiful document.

though there are some stupid loopholes it heavily depends on the people to
defend it. but meanwhile, everybody is whining, brainwashed, focussing on the
2nd amendmend. unable to see its purpose.

other shit is more important, i guess. like what the gas price is and if
silicon valley is eating money.

sheep have just lost their way.

~~~
cmurf
It was rather uncommon at the time of its writing to have a written
constitution. It's something to point to and say, "no that's not what it says,
look here, it says this." I think the founders would have said nothing's
perfect, there is no magic, of course the people have to decide, including by
arguing a lot, whether to defend it and what detailed policy that translates
into. If they don't defend it, they're f'd no matter what anyway.

