[HN Gopher] Z-Library Returns on the Clearnet in Full Hydra-Mode
___________________________________________________________________
Z-Library Returns on the Clearnet in Full Hydra-Mode
Author : bertman
Score : 283 points
Date : 2023-02-13 16:58 UTC (6 hours ago)
(HTM) web link (torrentfreak.com)
(TXT) w3m dump (torrentfreak.com)
| gwbrooks wrote:
| So where does one go to log in and be redirected to their
| personal domain?
| deedree wrote:
| Per the Torrenfreak article: https://singlelogin.me/ to login
| on Z-lib
| dkjaudyeqooe wrote:
| They give you your domains when you log in on Tor.
| politician wrote:
| This headline reads straight out of Cyberpunk. OK, now I will
| click the article.
| Lacerda69 wrote:
| I wonder what they use to build this Hydra feature...
| user3939382 wrote:
| Let's keep iterating on the takedown evasion strategies until
| they're impenetrable. It's the only hope the People have of
| actually being in control of anything important.
| unsupp0rted wrote:
| > It's the only hope the People have of actually being in
| control of anything important.
|
| Well I wouldn't go that far. There are more $5 wrenches than
| there are people.
|
| https://xkcd.com/538/
| xboxnolifes wrote:
| You can make systems that even the creator cannot take down.
| [deleted]
| user3939382 wrote:
| Yep, aka rubber-hose cryptanalysis.
|
| The real test here was Assange who embarrassed the U.S.
| military by publishing drone footage of them killing
| civilians not to mention everything else.
|
| They got him on an individual level (IMHO by blatantly
| discarding any remaining vestigial pretense of abiding by the
| law) but-- the site is up.
| DennisP wrote:
| That only works if you can track down who the people are.
| unsupp0rted wrote:
| It works if you can track down and wrench a tiny % of them,
| causing the rest to wonder if they're next.
|
| See: Belarus, 2020 or Iran, 2022 for recent examples
| Steltek wrote:
| That title is straight out of a cyberpunk novel.
| kristianp wrote:
| Where do these books come from in the first place? Have
| publishers systems been leaked/hacked?
| labster wrote:
| In the first place, the books come authors who write words
| based on what a muse or ChatGPT tells them.
| mardifoufs wrote:
| > Where do these books come from in the first place? Have
| publishers systems been leaked/hacked?
|
| Most of zlib is libgen, and I think libgen relies on user
| uploads and sourcing from their forums
| in_vestor wrote:
| ELI5 why the gov doesn't just seize the servers.
| dkjaudyeqooe wrote:
| Because you can buy an infinite number of globally located,
| cheap, disposable front end VPSes starting at $1 a month or
| less that hide your critical infrastructure.
| fulafel wrote:
| It seems the US Postal Inspection Service has some sort of
| judical powers over domains especially, possibly related to DNS
| root through ICANN being rooted in the US.
| thedaly wrote:
| Can you elaborate on this?
| fulafel wrote:
| I'm possibly wrong about the Postal, just searched for
| seizure news involving them and there seemed to be many and
| made more of a leap than seems warranted, I guess they just
| do ops and the seizures are via DoJ/FBI... But in any case
| ICANN is well known to control DNS and is a US org.
| thedaly wrote:
| Interesting. It does seem like they are involved, but I
| do not think the USPIS has jurisdiction over cyber crime
| unless it invoices mail, although they can participate in
| inter-agency operations.
|
| > Cybercrimes are crimes committed through the Internet
| or using computer devices. These crimes almost always
| intersect with the postal system. That's why the Postal
| Inspection Service is committed to protecting the public
| from criminals who steal digital information for
| financial gain, revenge, or even political advantage.
|
| > These crimes almost always intersect with the postal
| system.
|
| I don't understand this part at all.
|
| https://www.uspis.gov/tips-prevention/cybercrime
| sudosysgen wrote:
| They're not in a country that wants that to happen.
| irrational wrote:
| Which government? Where are the servers located? Whose
| jurisdiction? Are all the servers in the same place?
| dragonwriter wrote:
| > ELI5 why the gov doesn't just seize the servers.
|
| Because "the government" is not a single unitary global
| institution.
| Infernal wrote:
| ...yet
| [deleted]
| carlosjobim wrote:
| The servers can easily be duplicated in infinite numbers.
| gen3 wrote:
| You have to know where something is to seize it. Operations
| over international lines are hard to do. They likely have a
| series of bouncers/reverse proxies before the "main" back
| infrastructure. It is also likely that they rotate their
| bouncers regularly, different datacenters, countries, etc
| thedaly wrote:
| Don't the proxies just point back to the main infrastructure?
| How do the site operators deal with bandwidth usage and QOS
| and all the edge vps/proxies?
| gen3 wrote:
| Generally, something like a nginx reverse proxy is pretty
| performant. The opsec gains come by rotating the
| infrastructure you run on. If you had something like a
| ingress -> middle -> backend, and then regularly changed
| hosts, by the time someone is able to get a court order to
| seize the ingress, you've already moved on and they need to
| start the process over.
|
| In terms of system hardening, since the outer machines are
| almost bare, they are hard to hack. Attempting to attack
| the backend server isn't easy either (assuming the the
| webadmin knows what they are doing. Things like blocking
| outgoing traffic and configuring the system to not leak the
| backend server's IP)
| [deleted]
| oseityphelysiol wrote:
| How did they take it down the domain last time? Was it by picking
| on the registrar?
|
| In my country they so this by asking all the ISPs to block the
| domain from their DNS servers. This works for 90% of the
| population, but all you have to do is just change the DNS server
| to something other than what the ISP gives you and you're good to
| go.
|
| Also, I just don't get how current approach is any better. As far
| as I understand, there's still a single point of failure, i.e.
| the site you get your "personal" domain from.
| EarlKing wrote:
| I'm honestly shocked no one has openly laughed themselves silly
| at the idea of "personalized domains" for a site openly
| engaging in piracy... because surely that wouldn't be a way to
| build a stronger case against individual users engaged in
| piracy, riiiiiight?
| braingenious wrote:
| I have heard of people using throwaway emails and VPNs for
| this sort of stuff!
| jocaal wrote:
| you can get the personal domain from tor and then use the
| domain on the regular net.
| redtriumph wrote:
| Anyone has any links or good intro videos about what is Hydra-
| mode?
|
| Reading through the article, it seems the domain name is not
| publicly exposed and a new domain (?) is created on-the-fly? I am
| not sure if I understand how it works. But every user who logs in
| with a inter-mediator would get his own domain and that's their
| strategy to keep shop open for now.
| danaos wrote:
| > Anyone has any links or good intro videos about what is
| Hydra-mode?
|
| Probably just a reference of Greek mythology. You chop one
| head, two grow. An analogue of spawning multiple domains a site
| is taken down.
|
| https://en.wikipedia.org/wiki/Lernaean_Hydra
| jrochkind1 wrote:
| Are people making money off of z-library, or is it being run
| purely out of principle/generosity, or what?
| musicale wrote:
| I'd expect enterprising bad actors to upload malicious PDFs and
| rent out compromised machines.
|
| Site operators could potentially re-render uploads and inject
| their own exploits.
| super256 wrote:
| What's the difference between Library Genesis and Z-Library?
| Aren't they the same catalogue?
| pessimizer wrote:
| Z-Library is a superset of Libgen, if I remember correctly it
| has lots of files that haven't been cleaned up enough to put
| into Libgen.
| IronWolve wrote:
| z-library uses a freemium model, a for-profit model.
| droopyEyelids wrote:
| Do you have evidence they make a profit or are you smearing
| the way they accept donations into "a for-profit model"
| DoItToMe81 wrote:
| Z-library began as a Libgen mirror, but stopped mirroring
| uploads back. In some cases, it has documents that Libgen does
| not.
| grapesurgeon wrote:
| [dead]
| heywhatupboys wrote:
| wait, is this about zip compression or no?
| bhaney wrote:
| Z-Library the book/article piracy project, not zlib the
| compression library
| heywhatupboys wrote:
| my comment was a joke :(
| bhaney wrote:
| Haha, sorry. It's very hard to tell, since that's a real
| confusion a lot of people have.
| DougN7 wrote:
| I actually wondered the same thing since I've never heard
| of z-library
| helf wrote:
| Wow really? I used it for damn near a decade.
| loeg wrote:
| No, Z-library is not related to zip or compression.
| aborsy wrote:
| I don't know what's the solution to this problem, but this
| library is extremely useful. Most of the time, you don't want to
| read the books entirely, but mostly to check something, read a
| section or browse see if what you're looking for is there.
|
| Eventually, you may buy a book that you know is worth it. Right
| now even the table of contents may not be available before
| buying.
| pradn wrote:
| Current shadow libraries (zlib, libgen, scihub) suffer from
| centralized data hosting and opaque librarians/custodians (who
| modify metadata and gate inclusion/exclusion of content). We
| already have the tools to solve this.
|
| 1. Files are stored in a distributed fashion and referred to via
| their content hash. We already have IPFS for this.
|
| 2. Library metadata can be packaged up into a SQLite DB file. The
| DB would contain IPFS hashes, book names, authors, etc.
|
| 3. Teams of volunteers assemble and publish the library metadata
| DB files. There can be multiple teams, each with their own
| policies. The latest library files can be published via RSS. Each
| team can have their own upload portal.
|
| 4. A desktop app can pull multiple RSS feeds for multiple
| libraries. The libraries can be combined together and be searched
| easily on the client side. Users can search for content via the
| latest library metadata files, locally on their desktop. Content
| can be downloaded via IPFS.
|
| 5. The desktop app can also double as an IPFS host, allowing
| users to choose specific files to pin or simply allocate an
| amount of space for the purpose (100 GB, etc). There could also
| be servers that aggregate pinning info to make sure no gaps are
| there.
|
| 5. For ease of access, people can run websites that preclude the
| need to setup your own desktop app / download libraries.
|
| 6. Library teams can publish metadata DBs and content via
| torrents, too, for long-term/disaster-recovery/archival purposes.
|
| This would be a true hydra. No one centralized team, no reliance
| on DNS. If one team's library set up goes down, you can use
| another's.
| dark-star wrote:
| 1. yes, ipfs could solve that, but it relies on people hoting
| content. Previous examples of content-based addressing showed
| that little-accessed content tends to disappear as nodes go
| offline over the years. This would need to be solved, and I
| think the only way to solve it is to have a battery of
| centralized ipfs servers mirroring each other, which defeats
| the "fully distributed" setup
|
| 2. this would also need to be hosted and could be taken down.
| You'd need to mirror this too, but that's a simpler problem to
| solve (gigabytes instead of terabytes)
|
| 3. the upload portals and the RSS feeds would, again, be
| centralized or would have to change so regularly that they
| become impractical
|
| in the end you would end up with a dozen (a hundred? more?)
| different z-libraries, which would make it actually worse from
| a preservation standpoint, since only the most popular content
| would be shared, libraries that focused on rare/exotic/fringe
| material would be endangered of being lost since they have
| fewer volunteers/mirrors/seeds/...
|
| Also, freenet and other projects already showed that end-users
| allocating some storage and using that to spread data around is
| not an easy problem, the fluctuation in end-nodes is so big
| that it slows down the entire network to a crawl. I'm not sure
| this problem has been solved yet.
| mike_mg wrote:
| wait, aren't "they" going to gather evidence on user of "my
| account" and associate the downloads from this domain to "me" and
| come after me and ask hard questions?
| irrational wrote:
| I tried it. The url I got looked like guid.domain.net. At first I
| was thinking that the guid part must be unique for every user,
| but then the domain.net part is still susceptible to being
| seized. So... without being able to compare the url I got with
| other people, I'm left wondering how this actually works.
| [deleted]
| BHSPitMonkey wrote:
| FTA:
|
| "The domain names in question are subdomains of newly
| registered TLDs that rely on different domain name registries."
|
| There are multiple TLDs/SLDs involved (and the pool will likely
| grow over time)
| dkjaudyeqooe wrote:
| > domain.net part is still susceptible to being seized
|
| Yes it is, but how do you discover the domains? There could be
| just a few hundred users per domain. Then you have to expend
| substantial effort to seize each domain.
|
| Meanwhile any affected user just moves to their second domain.
| Even if the authorities got much better at taking down domains
| the only issue would be increasing the number of extra domains
| per user.
|
| I can't see how the authorities can beat this.
| stevenhuang wrote:
| I had to use https://singlelogin.me/ for it to generate the
| special domain, so can't the central https://singlelogin.me/
| domain be seized at some point?
| esposm03 wrote:
| From the article:
|
| > If users can't access the universal login page, Z-Library
| says they can log in through TOR or I2P and get their
| personal clearnet domains there.
| bogwog wrote:
| Yeah but that's only used for creating the unique domain,
| and it wouldn't affect user domains. So if that one goes
| down, they'll just have throw the registration page up on a
| new domain.
| ilaksh wrote:
| Dumb question.. how do I find the URL?
| braingenious wrote:
| I'm so happy to see this available to everybody! Z-lib is
| definitely in my top 5 favorite websites of all time.
| ChewFarceSkunk wrote:
| [dead]
| mikewarot wrote:
| Domain names turned out to be a weak point susceptible to attack
| by the statists. To route around this weakness, an array of names
| is used.
|
| However, there is still the matter of having an account to get to
| these names. Which was the original reason the statists went
| after them in the first place. The users themselves will thus
| become the next target, just like in the days of Napster.
| fudgefactorfive wrote:
| To me that was the real strength in IPv6. (I know I know
| innefficient protocol with complex upgrade path lead to near
| negligible adoption)
|
| NAT "fixed" the problem of address exhaustion, but it killed
| the old internet. You _cannot_ run your own network anymore. In
| the "old" times, I gave you a phone number or IP address and
| that's it, direct connection. All anyone could do was show up
| and take the computer to stop that. Sure there's a phone
| company or ISP involved, but they just powered the pump, you
| completely controlled what went through it.
|
| Now I can't do that. They ran out of addresses and I share an
| address with X unknown others. So I can't give you a home
| address, just to a bank of doors. I could give you an apartment
| number, but that's also shifting transparently, so num X to you
| is num Y to someone else.
|
| IPv6 would have solved the problem of exhaustion while
| preserving the right to an address. I could be some number
| permanently and you could reliably find a connection to my
| system using it. In that world I could set up a private DNS
| service in my house no one can alter without physically
| plugging in. Then have that store records to other addresses.
| Every part of that chain requires someone finding you and
| showing up at your door to disrupt.
|
| Instead now I have to pay digital ocean 5 bucks to keep an
| address for me so anything can find me via them. A bunch of
| servers in my home effectively an island without a coordinate
| until DO points me out on request. Like having all mail
| addresses be to the local town hall for them to forward to me.
| Sure maybe you trust your local town hall, but they are
| fundamentally beholden to someone else.
|
| With IPv6 support and adoption a whole network could be set up
| independent of any other authority besides BGP. Which requires
| nation-state levels of mobilization just to block an address,
| with fallout affecting literally thousands of others. They'd
| have to nuke a block to suppress any site, only for that site
| to find another address and be back to normal within minutes.
| Instead they do a WHOIS, send a scary email and boom, you're
| unknown, unfindable and disconnected. Hoping that word of mouth
| brings people to your new "address" exactly like losing your
| phone (and SIM) while abroad.
|
| I know it sucks as a protocol but v6 to me is a massive
| extremely important development that would change how the
| internet, and from that all communication, works.
| sitzkrieg wrote:
| your isp is sharing an IP with other customers? i have never,
| ever seen that in 3 countries worth of residential isps and
| doubt its possible and want to make sure its true (and
| concerning)
| simcop2387 wrote:
| you'll see it called CGNAT (aka Carrier Grade NAT) and it
| can be a really big annoyance for a lot of things, usually
| I see it on mobile/cell connections but I've heard of some
| DSL providers here in the states using it too.
| heywire wrote:
| Metronet in the US does CGNAT. I've had them for about a
| year and a half. Hasn't caused me any real issues other
| than the occasional captcha.
| WeylandYutani wrote:
| 4chan is a funny one. Apparently I had the IP of someone
| who posted "child models".
|
| I'm pretty sure that wasn't me unless I have an alter ego
| called mister Hyde.
| atahanacar wrote:
| If you have ever used mobile data, you've shared your IP
| address with other customers. Many residential ISPs around
| the world also use CGNAT. I had to call the customer
| support of mine to have a dedicated IP address. Other
| providers may force customers to pay for a static IP
| address if they want to avoid CGNAT.
| fudgefactorfive wrote:
| Having your own address in most places is a part of a
| "dedicated business line". My ISP in Switzerland literally
| refuses to issue so called "static" addresses at all,
| business or not.
| scarmig wrote:
| Can't they just send a scary email to the AS administrator
| who then removes the offending address block from its routing
| tables? Or are you imagining folks migrating to ones that
| don't respond to such requests?
| [deleted]
| dark-star wrote:
| > With IPv6 support and adoption a whole network could be set
| up independent of any other authority besides BGP. Which
| requires nation-state levels of mobilization just to block an
| address, with fallout affecting literally thousands of
| others.
|
| This is not how it works. Taking down a single IPv6 IP
| address (or whole AS) is a very simple thing and is done
| daily to combat spam and DDoS attacks, without requiring
| "nation-state levels of mobilization" (whatever that means).
| Also there is essentially no "fallout" at all in IPv6, and
| there wasn't any fallout in IPv4, too, since routes can be as
| specific as a single host
| mindslight wrote:
| IP addresses are just a different type of name, and also
| assigned by hierarchical entities. NAT isn't the issue,
| rather it's the incumbent power structures gradually
| tightening the identity/control screws. If you have a public
| IP on your physical connection and use that for banned
| publishing, they go after the account holder listed for the
| physical connection, which eventually gets back to you - the
| same as if you obtain that public IP from Digital Ocean or a
| tunnel broker.
|
| The only way around that is using naming systems that don't
| rely on centralized authorities, or at least can't be coerced
| by governments.
| fudgefactorfive wrote:
| I miss the days of sending someone a letter with some cash
| for them to associate address A with line B. All I'd have
| to do to stay essentially anonymous is finding a someone
| with bad record keeping.
|
| Suddenly someone shows up with address A and threats and
| then drowns trying to interpret that persons mappings.
| While that's happening I can find 5 other someones and
| suddenly I have 6 addresses all of which essentially
| ephemerally link to my system. Someone else does that for
| their mapping system and you get to Dijkstra levels of
| working out how to block connections.
|
| After like 3 levels of middlemen even centralized
| authorities just struggle to do the actual work of
| blocking, outside of just issuing the order.
| musicale wrote:
| I'm not sure how to deliver packets on the internet without
| destination IP addresses of some sort.
| 0xDEF wrote:
| Why did they go so hard after Z-Library when all of the other
| Library Genesis mirrors are still up and running? Is it because
| Z-Library have ads and paid subscriptions while the others are
| non-profit volunteers?
___________________________________________________________________
(page generated 2023-02-13 23:00 UTC)