341 points hlandau | 9 comments
manxman ◴[] No.37963542[source]
A quick warning on Hetzner. I needed a personal bare metal machine so signed up.

I was travelling and on an IP in a distant land so their sign up asked for secondary verification via PayPal. All passed and now I should get a server?

Nope - next day their support emailed telling me they would not approve my account without… no word of a lie here… either 1: a fax of my passport info page or 2: a scan and email containing the same.

I refused reminding them of GDPR and that email is at best opportunistically encrypted and at worst open to interception.

They replied stating they believed they were GDPR compliant because all they do is use the passport to verify the account and delete the document. They also said I could hide anything sensitive other than my name and date of birth!!

I suggested the process is not GDPR compliant as anyone could intercept unencrypted emails and that they should talk to a lawyer if they did not believe my assertion.

Within a short time the server was approved and online. I queried if they would revise their process in light of our interaction. They did not address the question.

replies(8): >>37963761 #>>37964297 #>>37964364 #>>37964823 #>>37965391 #>>37968710 #>>37970183 #>>37974389 #
1. petre ◴[] No.37964297[source]
They had the option to send it encrypted with PGP. But yes, this reminds me of communist countries where you had to leave your ID at the hotel upon check in. The Stasi mentality lingers on and accomplishes nothing.
replies(4): >>37964394 #>>37964616 #>>37964665 #>>37968756 #
2. orhmeh09 ◴[] No.37964394[source]
What does this have to do with lingering Stasi mentality? Gunzenhausen was in West Germany.
3. schleck8 ◴[] No.37964616[source]
You don't seem to know anything about VPS administration.
4. OmarAssadi ◴[] No.37964665[source]
I think it is less Stasi and more so 30 euro dedicated servers with unmetered gigabit lines are ripe for bad clients.

You've got the general issue of abuse and fraud that all providers face. But I think there are two issues that make it worse for companies like Hetzner, OVH, and other low-cost providers:

1. Chargebacks are a big deal, both in terms of being cut off from payment networks but also the fees imposed, which are especially harsh if your margins are likely razor thin sometimes; looking at the server auctions right now, it's kind of wild that Hetzner manages to give you a place in a datacenter, 3700X, 64GB RAM, 2x1TB enterprise SSDs, and unmetered gigabit on a decent network for 33 euros while still making a profit.

2. I would imagine that attempting the proper credit-card theft kind of fraud is also more of an issue for low-cost providers, not only because of #1, but because I think you'd manage to keep and abuse servers bought with stolen money for a lot longer; I think legitimate owners of said cards are less likely to notice 30 euro charges every month compared to being robbed blind by unexpected AWS fees.

I've had to deal with anti-fraud paranoia from OVH, BuyVM, Hetzner, and many others, likely all for the same reasons as Hetzner.

Both Hetzner and OVH refused to provide me service without photo ID or a passport. BuyVM refused one of my Jordanian friends entirely unless he paid in crypto. And while minor in comparison, I've had to change my PayPal email to match my account email on BuyVM despite it literally previously being paypal@myfirstandlastname.tld.

Not meant to be a dig at BuyVM, btw, even though the crypto bit may seem harsh. I really like them; freedom to host pretty much anything that isn't straight-up illegal, even Tor exit nodes, the support is good, they're often around and transparent in the community chat, and it's hard to beat free BGP announces, up to 10Gbps speeds, anycasted VMs across Europe and the US for <$10/month, and optional $3/month DDoS mitigation -- especially since it's the kind of small enough, tight-ship type of thing to where you can moan about poor routing or custom mitigation filters and potentially have someone actually try to take care of it (and it's also hard to beat for abusive or awful clients too, hence the trouble).

They provide great service, even if only to use as a DDoS-mitigated tunnel for more powerful servers elsewhere, or as a CDN, etc.

replies(1): >>37974425 #
5. chatmasta ◴[] No.37968756[source]
Plenty of modern hotels in Western countries require you to submit your passport to reception, who then scans it and keeps a copy of it. In fact Marriott recently suffered a data breach where the attacker obtained the photos of these passports.

Of course, that's not mutually exclusive with Western nations having "The Stasi Mentality..."

replies(1): >>37970238 #
6. petre ◴[] No.37970238[source]
I know. Most of them have a fill-in-the-blanks sheet with name, address and document s/n.

I can understand scanning documents if one rents a vehicle, although for hotels I fail to see why the form shouldn't be enough. It's not like they don't have cameras at the reception desk and I don't pay with a card under my name, they can also check my ID and fill in the form themselves if they don't trust the customer. Why should I trust them to properly handle copies of my ID? They are not a bank operating under strict regulation.

The thing is back then they were physically keeping your ID until you've paid in full and checked out. Last time it happened to us in Serbia, in 2019. The receptionist regarded us with suspicion. Brought back memories from the '80s. If you've played Papers Please you know what I mean. Now about 8 Schengen Area states have introduced border checks. Great.

https://www.euractiv.com/section/justice-home-affairs/news/s...

replies(1): >>37970368 #
7. chatmasta ◴[] No.37970368{3}[source]
Interesting. That didn't happen to me when I stayed a month in an Airbnb in Serbia, although the host did ask me for a copy of my passport. (Not that I'd expect it from an Airbnb host even if hotels were doing it... just an additional data point).

For renting a vehicle (or more likely, something like a bike or moped), I can understand why they take your ID as a form of collateral in exchange for the material goods they're lending you. But for a hotel there's no real reason to hold onto it.

Out of curiosity, did you acquiesce and leave your passport with them?

replies(1): >>37970537 #
8. ◴[] No.37970537{4}[source]
9. immibis ◴[] No.37974425[source]
BuyVM comes off as one of those sites that's explicitly set up to host illegal content, but with plausible deniability. I don't understand how they're still allowed to remain operating. Governments usually err on the side of arresting innocent people.

P.S. Hetzner gigabit is not actually unmetered, but the limits are vague, but high (>100TB/month)