Original sources of this guide (might be more up to date in case you're viewing a mirror of it):
In this guide I will go through how to anonymously host the continued development of youtube-dl offshore using companies that have a track record of being very resilient to DMCA takedowns. As a general disclaimer, youtube-dl is not illegal, no matter how much the RIAA wants it to be. Hosting it is not illegal, but the RIAA doesn't care about what's legal, so we'll have to act accordingly and not rely on companies that will bend over backwards for them. This post is basically my way of flipping the bird to the RIAA.
DMCA ignored hosting providers
RIAA report including DMCA ignored hosting providers
United States Trade Representative report including DMCA ignored hosting providers
ESA report including DMCA ignored hosting providers
MPAA report including DMCA ignored hosting providers
Europol report including DMCA ignored hosting providers
Former bulletproof hosting reseller reviews offshore hosting providers
Former bulletproof hosting reseller on what the most warez friendly hosting provider is
(Novogara aka Ecatel recently got busted for tax evasion and are shady as hell in general, allowing anything to be hosted on their servers, so its probably best to stay away from them.)
Take into account what data center the hosting provider uses. If they don't run their their own data center the company running the data center can shut down the server if the data center isn't DMCA ignored. That isn't to say that resellers can't be resilient, but it depends on how resilient the data center they use is.
Some countries like Ukraine, Kazakhstan, and Korea force hosting providers to use government SSL certificates, meaning that they can MITM the connection.
If anyone here is serious about hosting the continuation of the youtube-dl project, PM me and I'll give you a more specific recommendation. Keeping the hosting provider secret makes it a lot harder to take down.
CDNs and proxies to hide the real hosting provider
DDoS-Guard - Highly recommended. Based in Russia. Doesn't care about DMCA at all. Currently provides protection for Nyaa (the world's largest public torrent tracker for anime and manga) and Sci-Hub (the world's largest piracy website for academic papers which is under constant legal pressure from big US publishers). Has a free plan and accepts Bitcoin for paid plans.
While I recommend DDoS-Guard, I'll list some other alternatives in case something happens:
CloudFlare - Might be a honeypot, especially since I'm not sure how they'd be able to get away with this otherwise, but CloudFlare works for now. Just don't expect privacy from them. They're a US based company so they'll probably be reigned in eventually, but for now they're having their Wild West days. CloudFlare has a free plan. If CloudFlare is not configured properly when set up the real hosting provider will be leaked. More info about that here: 1, 2, 3, 4, 5, 6, 7
It's a myth that Cloudflare does not forward DMCA complaints, they forward everything. However, Cloudflare does not store any "sensitive data", which means forwarding "useless" information is similar like ignoring the DMCA request. A general advice is that whenever you use Cloudflare you should use a bulletproof backend server as well to avoid DMCA takedown request in the first place, so less or nothing gets forwarded (less "leakage risk").
Source: CHEF-KOCH / Warez / Bulletproof Hosting.md
OVPN's public IPv4 proxy (the Switzerland proxy) - Swedish company that provided a proxy for The Pirate Bay for a while, went to court because of it, and won. The two advantages with their Switzerland proxy in particular is that it's hosted by Interxion - the same Netherlands based company that is hosting Feral Hosting's DMCA ignored seedboxes - and that Switzerland is a pretty good jurisdiction. OVPN also scores well on That One Privacy Site. Accepts Bitcoin.
Before we go into registering a domain, I think it's worth considering if it's really worth keeping the name youtube-dl or if it could be spun off into a more accurate and less trademark infringing name like media-dl, for example. It downloads video and audio from a lot more sites than just YouTube, after all.
Resilient TLDs (there are more options than just these)
.is - As of a few years ago ISNIC had only ever suspended one domain and it was connected to ISIS.
When we asked whether ISNIC would follow Greenland’s lead and move for a proactive suspension, we got a clear answer.
“The short answer is no. Such an action would require a formal order from an Icelandic court. ISNIC is not responsible for a registrant’s usage of their domains,” ISNIC’s Marius Olafsson told TorrentFreak.
“This policy applies equally to any .is domain,” Olafsson says, adding that it’s the domain owner’s responsibility to abide by the law, not theirs.
Source: https://torrentfreak.com/pirate-bay-finds-safe-haven-in-iceland-switches-to-is-domain-130425/
“Domains can hardly be considered illegal any more than a street address. A street address is not illegal even if there is illegal activity in one apartment at the address,” ISNIC says.
Source: https://torrentfreak.com/torrent-domain-suspensions-damage-credibility-registrar-says-140617/
.to - Used by a lot of torrent and other filesharing websites. I have never seen one get suspended.
.ru / .su - Good for anything that doesn't affect Russia or go against Russian interests.
In case you want cheaper options that are available on Njalla, .ch and .ws are said to be pretty good.
.cr is a resilient TLD according to the International Intellectual Property Alliance's (IIAP) report:
thepiratebay.cr domain is still online despite actions against it from the Internet Corporation for Assigned Names and Numbers (ICANN) and the U.S. Embassy in Costa Rica. Other notorious infringing sites are following the trend of using .cr domains as a safe haven (e.g., kickasstorrents.cr). Costa Rica’s failure to deal effectively with its obligations regarding online infringement, more than eight years after they came into force under DR-CAFTA, is a serious concern.
.ec is also looking pretty solid as Library Genesis (the world's largest book piracy website, which is under constant legal pressure from big US publishers) have been using it for some time without getting suspended.
Vulnerable TLDs
.com, .net, .name, .cc, and .tv are operated by VeriSign, a Washington DC based company that is controlled by the US government.
.info, .mobi, .org, .asia, .aero, .ag, .bz, .gi, .hgn, .in, .lc, .me, .mn, .sc and .vc are operated by Afilias, a company that blocked one of WikiLeaks' domains.
Resilient domain registrars/resellers
Recommended:
Njalla - As anonymous as you can get when buying a domain. Njalla is a Nevis registered company that buys the more common domains from Canada based Tucows, which is pretty abuse friendly and some TLDs like .is they buy from the registry directly. They then lease it to you while legally speaking they own the domain. This means that you don't have to give them any personal information to register it and they take Monero. Njalla has a Tor Hidden Service, PGP key, and has support for registration via XMPP with OTR. Njalla is run by one of the Pirate Bay founders and they kept the Pirate Bay sense of humor alive when dealing with DMCA.
Other:
NiceVPS - As anonymous as you can get when buying a domain. NiceVPS is a domain reseller based in the Dominican Republic that buys the domain from easyDNS and then leases it to you, meaning that you don't have to provide any personal information since they own the domain on paper. Accepts Monero. Has a Tor Hidden Service, PGP key, and warrant canary. I've seen NiceVPS recommended on some websites, but I'm not sure how solid it is. Doesn't seem to offer all of the TLDs that Njalla, Openprovider, and easyDNS offer, including a lot of the more resilient ones.
Openprovider aka Hosting Concepts B.V. - Netherlands based registrar that is one of the most abused registrars by rogue pharma sites. Doesn't suspend domains without a WIPO decision or court order. Has a full section dedicated to it in the United States Trade Representative's 2019 report and a brief mention in the 2020 report.
easyDNS - Canada based registrar that has a big focus on due process. The current registrar of The Pirate Bay's .org domain, which it defended against the RIAA. Wouldn't suspend a domain for a video downloader like youtube-dl unless ordered by ICANN, CIRA, or a court according to their takedown policy. Accepts Bitcoin.
There are a few resellers of bulletproof Russian and Chinese registrars that accept cryptocurrency, but because those are pretty much only used by cyber criminals they would not be a good look for this project. And there's also the risk that they'll just be gone one day without a word and no way to transfer domain and not much recourse. Because of those reasons I'm omitting them from this list. I think the above mentioned registrars and resellers will be good enough, the project is legal after all.
Worth considering:
In order to anonymously directly register a domain at any of the other mentioned services than Njalla and NiceVPS you'd have to fake the WHOIS information, which violates ICANN's rules and registrars usually suspend domains because of that. I could especially imagine easyDNS doing this. Not sure how the other registrars would react to that, but ICANN does have the power to withdraw their accreditation - meaning that the registrars would lose the ability to issue domains - if they don't follow ICANN's rules. In the cases of Njalla and NiceVPS they aren't a registrar, they just fill in their own details and buy the domain for you from a registry/registrar when you register a domain using them.
If you use Njalla or NiceVPS you're handing over control of the domain to somebody else and have to take their word for it that you'll always have access to the domain. It's easier to trust Njalla than NiceVPS in this case since it's known who owns Njalla and they have more of a track record than NiceVPS, which is fairly unknown.
TLS/SSL
Let's Encrypt - Free, uses open source software, backed by EFF, Mozilla, and others. Easy to set up and easy to maintain with an auto-renewal script.
If you're using CloudFlare, you'll have to use their phony SSL certificate.
Keeping your server secure and other technical advice
Check your server, and how reliable it is in terms of security and privacy, online services like https://centminmod.com can test your server and it's configuration to ensure nothing is "leaking".
Check if someone can see your hidden backend server IP via https://dnsdumpster.com. In general you should block every IP connection to your backend server, only allow your own connection, VPN's or reverse proxies. You quickly can check if someone has an "open" backend IP service via services like https://censys.io.
Source: CHEF-KOCH / Warez / Bulletproof Hosting.md
If you use CloudFlare, also check that your backend isn't leaking using CrimeFlare.
If you have set up email with your domain, use SMPT and a custom mail server so it doesn't leak your origin server IP. Email is the easiest way to leak origin server IP addresses.
Use a password generator for all accounts and have it set to the max number of characters. Don't put the login information into a proprietary password manager or an online password manager. Make sure to back up the login information to multiple hard drives/SSDs/USBs/etc.
If possible, try and make the site portable so that all software and all configurations can be saved to an ISO that can be spun up at any hosting provider at a moment's notice in case the site has to move at some point.
If you get a VPS, make sure it's KVM. KVM is much more secure than OpenVZ since OpenVZ doesn't have much separation between different customers on the same server. OpenVZ is also easy to oversell. Xen is also secure, but has worse performance than KVM.
Use nginx, it has a lot better performance than Apache.
Use MariaDB. It's a more up to date fork of MySQL developed by MySQL's original developer after he sold MySQL to Oracle. Contains bug fixes that sometimes have not gotten into MySQL yet. It is of course fully compatible with MySQL databases.
Basic security hardening (I'd probably use OSSEC + Shorewall instead of fail2ban and ufw, but I'm not an expert at this ¯\_(ツ)_/¯ )
Let's Encrypt auto-renewal script
Disable password access for administration, require login using SSH key, and limit the amount of login attempts.
Change default ports, like SSH. If anyone tries to access the default SSH port, have the firewall block them for a few hours.
Disable root login.
Disable nginx logging once everything is set up to protect user privacy and improve performance.
Don't use analytics. If you have to, self-host Matomo (formerly known as Piwik). It's open source.
Keep up to date backups of the site on multiple hard drives/SSDs/etc.
Anonymous payments
Bitcoin is fully traceable nowadays and tumbling/mixing your Bitcoin won't make any difference.
Tumblers are useless
Against my better judgement, I’m going with this click bait heading, but the premise is correct. Due to the software running real time analysis on the ledger, simply avoiding taint and breaking up coins is now entirely ineffective, as it matches the full bitcoin amount to be received over a period of time, as the software is built around a neural net of sorts (talking out of school here, I’m not a programmer) it appears to self-correct in real time as a more "likely" or "accurate" owner conclusion is reached.
Source: Blockchain Analysis and Anti-Money Laundering (X-post from /r/DarknetmarketsOz)
Meanwhile Monero was the only cryptocurrency that that the US government couldn't track when they took down one of one of the biggest darknet drug markets and seized the site operator's cryptocurrencies. This is because Monero is the only major cryptocurrency designed to be truely private.
Either get cryptocurrency donations or use a peer-to-peer exchange that doesn't enforce KYC (Know Your Customer) to buy Monero or Bitcoin. Even if you get all of the cryptocurrency via donations and it therefore has no connection to your real identity at all you should still anonymize it via Monero so that it can't be traced from the donation wallet to the hosting provider which you want to keep hidden.
Some private sellers on peer-to-peer exchanges won't require IDs, while some might require it. If nothing is mentioned, it's worth asking the seller before you send them any money. A few even accept cash meetups and cash by mail (watch out for being scammed or mugged though). LocalCoinSwap, LocalCryptos, and LocalMonero even has sellers that accept gift cards (which you could buy with cash in a physical store). However, most gift cards are only redeemable in the country they were bought in, making this an option that won't work outside of the countries the sellers are based in. The one exception to this that I know of are Steam Wallet gift cards, which work internationally.
From what I've read there are some centralized exchanges that don't require KYC, but at least some of them freeze funds if they think it seems suspicious (which I would imagine a Tor IP would fall under) and they refuse to release the funds until they have been provided with an ID.
If you decide to buy cryptocurrency using a normal payment method, a wire transfer would be the option that involves the least amount of companies getting the transaction info, though I don't think you'd have much recourse with getting your money back if you got scammed and paid via wire transfer.
Bitcoin ATMs may require ID and usually have surveillance cameras around them, but this may vary depending on where you live.
If you bought Bitcoin, use XMR.to to exchange it to Monero. If the service provider only accepts Bitcoin and not Monero, exchange the Monero back to Bitcoin so that the Bitcoin has been anonymized. Don't pay in Bitcoin without exchanging it to Monero and back first.
Prepaid cards usually require SMS verification and are sometimes limited to purchases within the country they were sold in, so be sure to read up on whatever card you're considering using. Vanilla Visa gift cards used to be the go to for VPN buyers back in the day since they only required putting a zip code into a website, but things change, so read up about activation requirements and international purchases for the card in your country before buying anything and if you get information from an unofficial source, try and make sure that it's at least somewhat recent. If SMS activation is required there are two options. One option is buying a push-button burner phone and a prepaid SIM card at a physical store using cash, activate it at a major public place and then once the prepaid card is activated shut off the phone and take out the SIM card and the battery. Another option is buying access to a dedicated number in the same country that you bought the card in at an online SMS inbox site using cryptocurrency (the free SMS inboxes that have shared phone number might be used up already). The catch 22 there is that you wouldn't have any cryptocurrency yet at this stage, so it's not really an option unless you figure something out that I wasn't able to think of. Expect the prepaid card to almost certainly get frozen if you try to pay with it over Tor. The risk is lower when paying via a VPN IP, but it's still a notable risk, especially if it's a VPN server with lots of users and you can never verify that the VPN provider isn't logging you. An anonymously paid for self-hosted VPN on a dedicated IP address in the same country that you bought the prepaid card would be less likely to cause the card to get frozen. Just don't connect to that self-hosted VPN directly using your real IP address since your ISP would see that and since you would be the only user of that self-hosted VPN it would be directly identifying. You could use the prepaid card on public WiFi, but that will give out your general location and will give the WiFi network your IP address. It will also give the WiFi network your MAC address, so be sure to set the MAC address to be random (just search something like "[operating system] random mac address on wifi" on DuckDuckGo). Then there's the issue that most browsers other than Tor Browser, SecBrowser, and Bromite are bad combating browser fingerprinting. Sure you could also customize Firefox with arkenfox user.js (formerly known as ghacks-user.js) and a bunch of add-ons to combat all the different kinds of tracking, but you'll just make your browser more unique the more you modify it.
Anonymous Internet browsing
Use Tor when doing anything in connection with the site. Verify the integrity of the Tor Browser installer using PGP before running it so that you know that it hasn't been tampered with. Use a bridge if you don't want your ISP/government to see that you're using Tor. Running Tor over a VPN may seem like a good idea, but even if the VPN provider really doesn't keep logs (which is impossible to verify) using Tor over VPN can make you easier to track since that makes the VPN service a permanent entry node [1][2][3][4] and there's also VPN fingerprinting. If Deep Packet Inspection (DPI) is a concern you can use Pluggable Transports [1][2] to disguise the Tor traffic. Keep Tor Browser up to date. Never run Tor Browser in full screen. That makes you more easily trackable as websites can detect the real resolution of your screen. Don't install any add-ons or plugins, that makes you a lot easier to track. If you have logged in and then logged out of a site it can link you to other accounts you have on the same site using session cookies if you login to those accounts without hitting the "New Identity" button to relaunch Tor Browser with a clean slate. Block JavaScript when the website doesn't require it, that's the closest thing you'll come to an ad blocker. Use the Hidden Service version of sites when available, that way your Internet traffic never goes onto the clearnet and it also adds three more proxies between you and the site's server for a total of six proxies.
Since you shouldn't use an ad blocker with Tor Browser it's important that you keep your operating system up to date to minimize the risk of getting infected in case you come across some malicious JavaScript via for example malvertising when you have JavaScript activated.
If you use Windows and don't want to switch to Linux (even though you can set up dual boot or just boot it from a USB without even having to install it on your computer), use a non-admin user account and have an admin account that you only use to authorize trusted software to run, that will mitigate 94% of critical Windows vulnerabilities. You can use a tool like W10Privacy to decrease the amount of tracking in Windows 10, just be sure that the tool you use is updated to match the latest version of Windows 10 or you might brick your OS.
Use an end-to-end encrypted no logs email provider located outside of Five Eyes, Germany, Enemies of the Internet, and countries under surveillance - preferably ProtonMail - when signing up for all of those services. Use a different email address for anything not related to the administration of the website. ProtonMail has a Tor Hidden Service, but signing up for ProtonMail is only possible on the clearnet address, so you'd have to go into Tor Browser's privacy settings and change "Prioritize .onion sites when known" from "Always" to "Ask every time" when you register the ProtonMail account. Change it back to "always" once the registration is complete. And yes, it is possible to sign up for ProtonMail via Tor. It's not easy finding an exit node that hasn't gotten blocked yet, and you will most likely need a secondary anonymous email account on another email provider to send a verification code to, but it is possible. Don't try using a disposable email service, ProtonMail blocks pretty much all of them so you'll just waste time and will probably get your account frozen. Once you have made an account, go into Settings > Security and then wipe and disable the authentication logs. Once that's done - before you sign up for anything - log out and wait a while then log back in, just to see if their anti-fraud system decides to freeze your account or not.
If you go for a email provider other than ProtonMail, keep in mind that it has to be there for the long haul in order to be usable. If it suddenly shuts down without notice, you're pretty much shit out of luck. So try and go for one that has been around for a while and seems like it will continue to stick around.
Comparison of alternatives:
https://privacytools.io/providers/email/
https://thatoneprivacysite.net/email-comparison/#detailed-email-comparison
Other
Use a new username that you haven't used before.
Use DuckDuckGo instead of Google. At least when doing work related to the site. It has a Tor Hidden Service that you can easily find by searching "duckduckgo onion" or "duckduckgo hidden service" on DuckDuckGo.
Use end-to-end encryption for all private communications. ProtonMail has built-in end-to-end encryption between ProtonMail accounts. If you want to encrypt email with PGP when communicating with non-ProtonMail users you can ask them to attach their public PGP key to their email. That will allow you to import it into ProtonMail. Just remember that the subject line will not be encrypted by PGP. PGP/MIME gives out less metadata than PGP inline and is just better in general, so use PGP/MIME. For file transfers you can also use OnionShare if the receipient also uses Tor Browser or put the file(s) into a password protected .7z file using 7-Zip with the "Encrypt file names" option enabled + a password generator set to the max number of characters that you then upload to Disroot Upload. Be aware that the lufi software that Disroot Upload runs on keeps the filename visible after the file has been deleted. If you need an end-to-end encrypted pastebin, self-host PrivateBin or use Disroot's PrivateBin. Disroot uses a privacy respecting hosting provider and claim that they don't keep logs for services that don't require an account, such as Disroot Upload and Disroot's PrivateBin.
Rely on open source software and privacy respecting services when it comes to processing and storing data related to the site. PrivacyTools.io, awesome-privacy, AlternativeTo, and GitHub makes it easy to find privacy respecting alternatives.
And yeah, I probably went pretty deep on some of the less relevant sections, but I thought it was best to include everything.