Why do you need physical security at all?
by Jamie Zawinski (email@example.com)
Lots of people are asking questions about physical security, and how you're going to repel missiles and commandos, but I've got the opposite question: why do you need physical security and a physical location at all? Would not the best way to protect your customers' data be to wrap it in hard crypto and distribute it far and wide across the whole of the net, ensuring that there is not a single point of failure or a single physical installation that can be isolated?
As we've seen again and again recently, the best protection against censorship and other legal attacks is massive redundancy and decentralization.
Ryan Lackey: This actually brings up several issues, which I will address in turn.
- Physical location vs. distributed presence
You seem to be suggesting a distributed data store, a la Eternity, by Ross Anderson. Basically, a federation of servers on the net, possibly hidden servers interfaced to the outside world through remailers (such as Blacknet) or ZKS Freedom. These servers would move data around among themselves, opaque to the outside world, and users would be able to store their data, manually or automatically, on as many servers as possible. There would presumably be some kind of payment system so users could anonymously pay for documents to be stored (as if you run the system for free, it will end up collapsing due to a flood of useless content; if you use a MRU/LRU scheme for your caches, script kiddies will just run scripts to keep their favorite documents in the cache, dropping real content out).
While this approach is interesting from a theoretical standpoint, there are no production-quality systems ready yet. Additionally, there are fundamental limits to distributed computation -- latency, as you add nodes, or threat of compromise, if you have very few nodes.
We're going to be incorporating some distributed cache technology which should provide our datacenters with some of the benefits of freenet/eternity type systems. Our system will, however, have a small number of very secure nodes, such as our facilities on Sealand, in which customers can conduct trusted transactions -- the intermediate results are guaranteed confidentiality and integrity in processing.
The distributed data serving systems are also not practical for any transaction oriented site, especially low-latency transaction oriented sites, at least without a small number of trusted nodes to do the processing. Due to security constraints, this means tamper-resistant hardware, and since this hardware is expensive, it needs to be purchased in limited quantity, and protected from theft/attack, meaning you want to put it in a small number of high security physical environments. Since it becomes a critical link in all of your transactions, you also need high quality bandwidth.
These distributed hosting systems are certainly interesting, but don't really meet all the needs of our customers. If we borrow 10% of the technology in building a secure distributed cache system, we'll be able to offer 95% of the benefits, as well.
- Secret physical location vs. single well-defended point
If you're going to have a physical location, there's no easy way to distribute to a very large number of physical locations; you have a base cost per site, and your security is incredibly low until you spend a substantial multiple of that. There are definite economies of scale in running larger datacenters.
Keeping physical locations secret is difficult. Keeping active physical sites, with actual servers connected to the net, secret, while still having decent ping times and large pipes, is almost impossible. You would need to go with hidden fiber cables laid through some kind of territory in which you could destroy anyone or anything looking for them, and your physical site would need to have the same density as the surrounding area, as well as no magnetic anomaly, or unusual power consumption, or whatever. Or, you could communicate by non-DFable HF SS radio, but that would severely limit your bitrates. I'd say this is basically hopeless.
- How much of our security is HavenCo, vs. Sealand
A fair bit of the security on Sealand is related to protecting the Principality of Sealand from the kind of takeover which was attempted in 1978, rather than strictly necessary for HavenCo itself. HavenCo's security is primarily due to tamper-resistant hardware and cryptography, not the site security of Sealand.
What will you do WHEN you get shut down?
by joshamania (firstname.lastname@example.org)
I haven't seen this question yet, so now I ask. In order to do the proper due diligence on this matter, I would like to know what you will do when you get shut down? I don't think it likely at all that the UK will not take a serious look at what you are doing and disagree with it. They are not going to allow you to operate within their territorial claim and not be subject to their laws. Period.
Ryan: We are not within the UK's territorial claim. In the event the UK were to illegally move against us, we would respond as appropriate; lawsuits would be the most likely course of action. It is highly unlikely the UK would intervene with military force, as they are a primarily law-abiding country with a strong tradition of respecting the law, due process, etc.
I've read that you have plans for other locations, but the information was very vague (as is this question ;). What do you plan to do when, either the UK invades, the U.S. invades (highly likely from where I sit, there are entirely too many people in this country that think that my business is their business), or some non-governmental organization invades? Why wouldn't some unscrupulous individual bent on corporate espionage and blackmail just hire some mercenaries and come steal your servers?
We intend to have multiple physical locations, with ideally the same level of physical security we have on Sealand, and as much bandwidth as possible, at the earliest possible opportunity. We have identified a set of sites around the world in various stages of development, and can set up more sites relatively rapidly. Certainly major moves by the UK or others against Sealand would accelerate this process dramatically.
It's almost impossible for anyone to steal a functional server, and I'd say it would be much more difficult than that (almost impossible, but nothing is really impossible) to extract useful data from that server. Certainly a well-funded terrorist could shut us down, at least temporarily, but a well-funded terrorist could cripple almost all Europe to U.S. connectivity by cutting a couple of cables, blowing up 4 cable landing stations, or taking out Telehouse in downtown London. Or doing the same kind of DDoS tricks done during the NANOG meeting earlier in 2000.
If one of our sites is taken down temporarily, we'll have sufficient spare capacity in others to allow customers who have wisely stored backups and hot-spares elsewhere to be online almost instantly. Some users will be particularly smart and purchase operational servers in multiple sites, using distributed technology to keep servers in sync, and may notice no outage at all even if multiple HavenCo sites are rendered nonfunctional.
I love the idea, but this is just ridiculous. Unless you've got unlimited capital coming out of your ears, this is not going to happen. Even if the governments leave the physical location alone, they are bound to shut off your land lines. Satellite bandwidth is beyond prohibitively expensive right now and will remain so for many years. Do you plan to launch your own satellite and man your own ground station in some secret location in order to maintain connectivity?
There are various legal obstacles to shutting off landlines running through a country.
You have apparently not priced satellite bandwidth recently, or have a high-bandwidth, low-value application in mind when you say "beyond prohibitively expensive." For many applications, satellite bandwidth is cheap enough to not matter; for a high-value financial transaction conducted in under 10 KB, it is insignificant how much it costs to move a megabyte of data. Even for relatively bulk data (not illegal mp3 archives, or pr0n, or warez, but original-content Web sites, etc.), satellite bandwidth is affordable today. Additionally, we will have distributed cache technology to avoid sending the same static data over satellite links. And we will obviously try hard to maintain landline connectivity.
Even that wouldn't be enough. Governments would find that and shut it down too...
by The Dodger (email@example.com)
What exactly is HavenCo offering? On the one hand, you refer to yourselves as "the world's most secure managed colocation facility" (setting aside for the moment the fact that HavenCo is not a co-location facility) and on the other, your Web site makes vague references to the fact that Sealand is a sovereign territory.
Ryan: We offer the ability for anyone in the world to come to us, pay for service, and have a host suitable for running ultra-high security e-business, ready in near-realtime, with the highest levels of reliability and performance, in a variety of jurisdictions/locations/replicated sites. We're picking locations based on proximity to users, proximity to major pieces of net infrastructure, and unique advantages of the location (regulatory, image, security, cost, etc.) We provide these hosts with support systems designed for how secure e-businesses need to operate; 24x7, anywhere in the world, and with the highest levels of security and professionalism.
Five years ago, when I first heard of Sealand and its alleged sovereignty, I looked into it as a potential site for a hosting facility. However, I concluded that Sealand's claim to sovereignty wasn't anywhere near strong enough to ensure that it could avoid being subjected to British law (in particular financial law). Given the fact that it exists, in my opinion, because its owners are viewed as relatively harmless eccentrics by the British authorities, and that it is not recognised as a bona fide principality by any other nation (notwithstanding the visit by a German diplomat), I concluded that if a hosting facility were to be established on Sealand from which, subsequently, actions were carried out or services provided, which sufficiently antagonised a bona fide government, steps would be taken to ensure that such actions or services ceased.
In short, whilst the idea of Sealand existing as the world's smallest independent nation is a good read in the newspapers, and makes for terrific brochure blurb for a company like HavenCo, I don't believe it to be a truly tenable position.
We feel the Sealand location is viable as a secure colocation facility regardless of the actions of the British government. In its current sovereign state, it is highly useful, but even if it were at some point in the future considered fully part of the UK, it would continue to be an ultra-high security colocation facility with very high speed links to the core of Europe's Internet (London and Amsterdam).
The strength of Sealand's claims to sovereignty has been repeatedly confirmed by academics and those in the legal profession; the only ones who downplay it are those who feel they have something to lose by Sealand's sovereignty.
Additionally, HavenCo has no intention at all of engaging in any business which would "sufficient[ly] antagonize a bona fide government" (including Sealand). Our AUP prohibits infrastructure-threatening content (spam, network terrorism), and Sealand's laws prohibit child pornography. HavenCo itself serves no objectionable data, and engages in no business which would be illegal in any major country of the world; we simply sell server colocation to users.
Security was something else I looked at. I looked at four methods of connectivity - fibre, microwave, satellite and packet radio. Any means of connectivity (except, perhaps, for packet radio), exposes a "Seahouse" to the prospect of its connectivity being shut off at the mainland (whether it be in the UK or the Continent). From a pure security point of view, fibre is obviously the best option. Microwave, satellite and radio can be snooped both from Earth and space. Satellite and radio links have their own problems with regard to latency.
I do not understand why you care about snooping on public IP links; this is data, encrypted and unencrypted, which is entering or leaving the facility via the public Internet, and could be just as easily monitored anywhere else. There is no problem for us in broadcasting this information. If you want your data in transit on the Internet to be private, everyone knows to encrypt it.
Satellite does not need to terminate in UK/Europe to reach Sealand.
There are specific laws in many countries regarding cutting communications to third-countries or isolated communities, so we are not as worried about cutting service on microwave/fiber links as you are.
The provision of traditional utilities to a "Seahouse" presents further problems - unless a cable could be installed to bring power from the mainland (which, again, leaves the facility open to being shut down by mainland authorities), such a facility must generate its own power. I dismissed wind and wave as too unreliable, leaving diesel-based generation. This would be expensive, with the possibility of being unable to resupply when bad weather arises (note that, at one point, Sealand was abandoned because of bad weather). Any interruption to power would result in disruption of environment control (AC, fire suppression systems).
We run entirely on locally-generated power, currently with reciprocating Diesel engines, and substantial onsite fuel storage. We are confident in our ability to ride out any storm, as far as fuel resupply. Generating power from Diesels is a well-tried technology on offshore platforms.
I've never actually heard the "Sealand abandoned due to bad weather" story, and the Royal Family of Sealand, who are involved in management, deny that such an event ever occurred. (I think another tower or radio ship from the pirate radio days may have been abandoned due to weather, but not Sealand.)
The actual environment itself was also a concern - I'm not sure how suitable a sea-tower is, as a facility for hosting sensitive computer equipment.
We have suitable environmental control systems to provide a superior environment for hosting machines, with high levels of redundancy in our engineering plant.
Finally the security of Sealand itself was a concern. I conducted an analysis aimed at examining what sort of operation would be required to attack, conquer or destroy Sealand. With the help of an individual with experience of this type of military operation, I determined that carrying out a professional operation designed to invade and seize temporary control of the tower would cost somewhere in the region of £200,000 (around $320,000). This would involve sourcing weapons and experienced personnel, as well as arranging for a suitable method of accessing the target.
Security is not my job, but two points to consider:
- Security has been upgraded, and continues to be upgraded. Presumably your estimate was based on the condition 5 years ago. Certainly at one point (1978), a semi-trusted group were able to conquer the fortress for less than $320,000 in today's money. I would definitely put my money on the defense if the same situation came up today.
- HavenCo's security does not depend crucially on the security of Sealand. We have tamper-resistance and cryptographic technology so as long as Sealand security serves its purpose as a "speedbump" to a major attacker, it will allow machines to be placed into a secure state prior to loss of control. Even in the event of a rapid attack, or compromised insider, customer data inside tamper-resistant processing devices would not be vulnerable at any point.
Conquering the tower would be a different matter, requiring a long-term commitment to both the security and logistics of the tower. Destroying it by UDT methods would not be easy or cheap, although severely disrupting its habitability by something like mortar attack would be a lot cheaper.
Placing a warship with mortar in the waters near the UK's major container port would be ... highly unpopular.
Placing mortars ashore for long enough to close on target would also inspire a very unfavorable response from the UK military. Any mortar which could hit Sealand from shore could also threaten hundreds of thousands of British citizens. British gun laws, being what they are, and the British experience with mortar attacks on Heathrow being what it is, I would not want to try it.
We don't promise customers protection from denial of service, of a physical or electronic kind, but we do try our hardest to prevent/stop DoS attempts.
In the end, I decided that Sealand sovereignty/legal position, security and suitability as a hosting location were not up to scratch.
I find it interesting that HavenCo have found otherwise. I note with interest that the HavenCo Web site indicates that they intend to open hosting facilities in other countries, and I find myself wondering whether the SeaLand thing is merely a publicity stunt/gimmick, purely for the purpose of impressing the press, potential clients and investors.
I am unclear on exactly why your analysis was so different than ours; we have a well-developed security model for global secure colocation, and Sealand fits into the model perfectly (admittedly, we're unlikely to need to buy drysuits for any of our future datacenters, but that's a minor issue). We are using only a very small number of novel or cutting edge technologies, and relying on standard best industry practice for most of our operations. I think we have addressed any of the engineering concerns you have; I don't understand why you feel the power situation is so complex, or the network situation so dire.
It may be that we have different target markets; we're providing a very specific product, global high-security colocation, rather than general-purpose server hosting for the average user.
As for your security concerns, I think our security model simplifies this dramatically, and our security team are responsible for dealing with the kind of threats you mention. I have complete faith in their ability to provide us with defense against all viable threats.
The jurisdictional issue is of course an open one, but we have substantially hedged our bets by ensuring Sealand is a viable colocation location regardless of any future change of sovereignty status.
Finally, addressing that issue of the definition of co-location. A co-location facility allows companies (typically telcos, ISPs) to locate equipment within the same building, to enable interconnect/exchange of IP traffic. HavenCo says that it will not allow clients to place their own equipment in the facility. If this is the case, then HavenCo's Sealand facility will be a hosting facility, where clients are constrained to choosing equipment which HavenCo can supply/support.
As for whether or not we provide true colocation, it depends (as for spelling, I prefer the shorter/European spelling "colocation"; some within HavenCo like "co-location", others like "collocation"). We will allow arbitrary equipment to be housed within our facility if we can be assured it will not interact poorly with other equipment, just like if you want to put your equipment in a cage at a local AT&T office. This means we need to know HVAC/power specs, inspect it to make sure it's not a bomb or monitoring device, etc. The easiest way for us to do this is say "we will not accept end-users, but will instead order to customer spec from known/reputable vendors". If you want a Juniper M160, we'll get one from Juniper for you and install it, giving you the ssh keys. If you want a Sun Ultra Enterprise 6500, same thing. If one wishes to have media shipped separately, we can x-ray/chemical sniff just the media, and pop in your drives into hardware which has been shipped separately, so you don't need to rely on us to do initial system setup and handoff. Or, you can ftp us a disk image, and we'll just write it to a standard drive and install it in the machine for you when it arrives.
We can do arbitrary cross-connects (fiber only), and can connect to telco circuits as required, in arbitrary locations. Many other true colo facilities require that all cross connects be done by facility staff (I don't actually know of any which allow customer-run crossconnects between cages). We also offer the standard complement of "remote hands" through full sysadmin service.
The one area where we prefer that our customers use standard hardware which we supply is x86 1U PCs. We'd prefer if all of our customers used our standard config 1U machine, which is sold at a very good price, as it simplifies our engineering, sparing, and logistics. We can get your server up in seconds, once our online ordering systems are up, by maintaining inventory. If we allowed people to colo arbitrary crappy $200 PCs, we'd face an endless cycle of dealing with broken power supplies, fans breaking and taking out the whole machine, etc., and I'd be happy to charge people 10x more than for our 1U servers to colo their own no-name 1U box. We can provide a free "if it breaks while it's with us, we'll fix/replace it" warranty on our standard 1U boxes, too, since we've got the spares onsite, and know they are top-notch hardware which should very rarely fail.
We'll even provide people with access to their own hardware. Compared to places which allow customers onsite, we've got very high latency for this; we need to ship the machine to either your own address, or to a neutral facility ashore, and you can screw with your machine, and then ship it back to us (at which point we'll go through the same security process to make sure nothing bad has been added to the machine).
I can't think of any service offered by other colos which we do not offer:
- Colo arbitrary equipment, provided it meets facility requirements
- User access to hardware, outside the secure hosting area
- Remote hands/config service
- Arbitrary crossconnects or telco connects.
possible questions for HavenCo
by leto (firstname.lastname@example.org)
1. The Web site displays a copyright logo. Did Sealand sign the Berne Convention, and thus does it respect copyright?
Ryan: We weren't supposed to have the copyright logo on our site; it has since been removed (the Web site was kind of rushed).
2. Explain who is the real owner, because outsiders are confused with havenco, principality-sealand.net and sealandgov.com.
HavenCo, Ltd. is a company doing global secure colocation. Our first (and presently only) site is in the Principality of Sealand. We hope to expand rapidly to other locations; secure colo in five jurisdictions is worth far more than five times as much as secure colo in one jurisdiction.
Principality-Sealand.net is run by criminals from Germany who formerly staged an invasion of Sealand, and were repelled through force of arms. More info about this incident is on sealandgov.com
Sealandgov.com is the official Web site of the Government of the Principality of Sealand. HavenCo is providing technical assistance. (fruitsofthesea.demon.co.uk/sealand is the former official Web site of the Government)
3. Will I be allowed to store encrypted files there that HavenCo can't possibly read, condone nor condemn?
We encourage customers to encrypt data so malicious attackers on the Internet cannot hack into your machine and read your data. We provide tools by default to do this on the machines; there are some tradeoffs between security and performance and security and convenience, and the user gets to turn the dial.
We encourage customers to use SSL or other transport-security when dealing with their end-users to keep end-user data safe from attackers who would snoop on the traffic, or malicious parties who would try to spoof/modify data in transit.
4. Why does HavenCo insist on policies that allow them to remove content based on their discretion? How many judges does Sealand have to deal with this, or will Joe random Sysadmin play judge?
It is mainly in the case of serious threat to HavenCo/Sealand. We want to always keep our promises to customers; the only promise we can reasonably make and always keep, as far as security, is that no one will be able to affect the confidentiality or integrity of your server. We have to reserve the right to shut off a given customer and anonymously refund payment, as if we didn't, and someone presented a serious threat to us (even if only just to see how we would react), we would be forced to either break a contract with a customer, or shut down all of our operations. We want to have a way to respond to such circumstances (and if you get your money refunded, it's just a minor inconvenience...truly controversial data should be backed up and replicated, and you can be back online relatively quickly after such an incident. And you can be sure we'll work to make sure we never have to exercise this ability to pull a given customer.)
5. How will HavenCo prevent their backbone ISP or that ISP's country from interfering with Sealand/HavenCo?
Our number one way of preventing people from cutting our links is by making sure we provide a net benefit to the world; we provide a place for secure e-commerce, privacy-protected internet services (do you really want people to be able to subpoena online psychiatric records in civil cases?), and uncensorable free speech (information about repressive regimes, corporate malfeasance, corrupt politicians, racial/ethnic/etc. discrimination), etc.
Even if a company or country is against a given piece of data one of our customer hosts, the company or country will benefit more by our continued availability than they would gain by censoring the data.
Additionally, we will have redundancy across network providers and countries so that even if one of them incorrectly decides to cut off service, we will not be substantially affected. We have lots of technical means for dealing with this kind of problem.
Additionally, various contracts and laws exist so countries and companies can't arbitrarily terminate backbone services; it's possible they would then become 'editors', rather than common carriers, and many countries have laws guaranteeing communications transit for third-countries.
Is this site permitted?
by broody (clue@localhost)
After reading your TOS I have become rather curious in regards to the following clause:
"Unacceptable publications include, but are not limited to:
1.Material that is ruled unlawful in the jurisdiction of the originating server (Such as child pornography, in the case of our flagship Sealand datacenter)"
In the case of the Sealand datacenter, what are some of the limitations?
Ryan: Aside from the HavenCo AUP (no spam, no network attacks), the only laws regarding content hosting in Sealand are those against child pornography.

Please note that in the following examples I am not equating one example with any other or implying that any of the following should be censored; rather they are examples of what I would consider sticky wickets when running a "data haven" and wonder how such things will be handled.
Imagine the following:
- I am a rabid anti-choice activist in the United States. I wish to post a site with a hit list of doctors performing abortions in the United States. After each "accident" I wish to mark them with a big red X. I publish detailed information on how to find each of these doctors. Is this site permitted?
This material being hosted on Sealand is legal. I am not a lawyer, but it is possible posting the site may be illegal if you live in the U.S. U.S. authorities will certainly investigate, and civil lawsuits may be filed if the site is linked to an identifiable U.S. person or organization.
We won't pull the site on Sealand, even if it is illegal to post in the U.S., but it is entirely possible the poster, if living in the U.S. and proven within the U.S. by U.S. authorities to be linked to the site, may suffer legal penalties until the site is pulled. (We will pull the site if the customer himself requests we pull the site, of course.)
(This is a case of data where even if you oppose it, censoring it leads you down the slippery slope to authoritarianism. We believe free speech will primarily serve as a tool for constructive public debate, commerce, and greater understanding between adversarial groups.
If someone set up a site such as the one above, more free speech, rather than less, would probably render it impotent -- those opposed to it could express their concern, and the groups who directly benefit from the site would probably lose more in public support/legislative power than they would gain from trying to create a culture of fear. And the same privacy/security technologies could be applied the other way -- keep the identities of doctors performing abortions in the United States confidential. Privacy can be a powerful tool for accountability as well as secrecy)
- I am a hacker who wants to play DVDs on my Linux box and I want to use free software. I want to place source code on my Web site. The United States says this violates some stupid law and some annoying people object. Is this site permitted?
DeCSS does not violate Sealand laws in any way. DeCSS can be posted freely on Sealand. Again, caveat emptor if you are a known person in the U.S. who can be provably linked to posting it outside the U.S.
- I am a devoted Iron Chef fan and Fuji TV has just sent me a cease and desist order. I wish to move my materials to Sealand. Is this site
It is permitted on Sealand. It may be legally risky to move data to another jurisdiction if you've already received a cease and desist order yourself, but that risk is confined to your own jurisdiction, not Sealand.
- I am a regular guy in the UK creating a Web site about my daily life. Some people don't like the way I talk about them and my site is pulled. Is this site permitted?
I do not see how this could possibly be against our AUP on Sealand, so it would be acceptable. Your own risk in your own jurisdiction is up to you.
- Will you allow sites advocating the overthrow of rival governments, challenged uses of intellectual property, bomb making instructions, and other information that will get other nation-states' panties in a twist?
If you don't violate our AUP, we don't care. We don't have time/staff to monitor what you're doing, anyway. Buy a box, keep up to date on the bills, and we will keep it up on our net; any hassles you have in your own jurisdiction are your own problem, but you don't need to fear us doing anything to you or your box, except in the extreme circumstance in which our continued survival is threatened, in which case we may decide from a pragmatic basis to discontinue service and anonymously refund the balance in your account.
According to the Sealand Government web site, Havenco "will now take over operations of the government of Sealand." As I understand the other text on the same page, it is generally believed that the government of the UK would not interfere in any acts of piracy, terrorism, or assault on your "territory."
Since you are now within the limits of the territorial waters claimed by the UK, you probably won't have to worry about a full-out assault from a sovereign nation, but another attack like that of 1978 could happen again. Of course, there is nothing but a few court rulings to protect you from Her Majesty's Armed Forces.
Ryan: Two minor points:
- We're not within UK territorial waters, due to the fact that Sealand was occupied and declared sovereignty prior to the action by the UK to extend territorial waters. Sealand's territory and territorial waters are not diminished by actions taken by the UK after Sealand's sovereignty was declared. If the UK decides to declare 200km territorial waters next year, it will not affect the sovereignty or territorial waters of France, Belgium, Sealand, Ireland, etc.
- The UK would have been very reluctant to allow a fully fitted out warship from some remote power to even pass through the Channel, let alone get within 7nm of her major container port, even if it only had 3nm territorial waters, if the UK believed that warship was coming to attack near the UK. Missiles have sufficiently long range, and ease of targeting, that anything which threatens Sealand also threatens Felixstowe, and even London, so a threat warship appearing near Sealand would probably be responded to by the Royal Navy regardless.
In addition [to] "a few court rulings", we have international law on our side. Several legal authorities have confirmed over the years that Sealand meets all the requirements for a sovereign state. There's also the complete PR catastrophe that would befall a major country which invaded the world's smallest country over a free-speech issue; I can't imagine any elected government taking that risk.
Given the precarious nature of the "sovereignty" of Sealand, will you be seeking international recognition and treaties to guarantee your physical security from such attacks? Will you be joining any of the international protocols for cooperation in law enforcement or other areas? I would think that joining these would go a long way to cementing your viability.
I'm not responsible for the actions of the Government of the Principality of Sealand, but from what they've done in the past, and what I've heard discussed, they have every intention of being a responsible international citizen. Sealand is likely to seek recognition or enter into treaties whenever it is in the best interest of Sealand. Particularly relevant to Sealand are international telecommunications treaties and organizations.
Compared to the average state, however, Sealand has very limited resources, both in personnel and money, so I wouldn't expect Sealand to open embassies with every country in the world, sponsor major international aid organizations, or spend huge amounts of money on nationalistic extravagance.
by laborit (email@example.com)
Let's say that you do manage to completely secure your clients' hardware and data. Do you think you can also completely obscure the fact that said client is doing business with HavenCo?
If so, may we have more details on how?
Ryan: Yes, this is a major issue. We believe we can do this.
There are several issues:
- Anonymize initial contact and decision to buy
This is simple; browse our Web site from a Web cafe, or use ZKS Freedom, or just hide in the crowd (we get a lot of hits, and if every one of those hits was a server sale, I would already have my toy (C-17 fitted out as a corporate jet/cargo carrier)).
- Anonymize initial setup communications
We can accept a service order through an anonymous remailer system, or through ZKS Freedom to an SSL Web site. This service order should include cryptographic authentication information so we can authenticate you in the future. We'll have this ready for review in advance of commercial sales. It will also be broadcast, so if you trust us, you can just pick up a signed copy from a newsgroup or mailing list, rather than going to our Web site and downloading.
- Anonymize initial and continuing payment
This is perhaps the trickiest part. We can be rather flexible on this. There are some effectively-pseudonymous payment systems out there, and there is always cash. We can certainly come up with a solution in almost any case; it just adds complication. This situation will, I'm sure, improve in the future, as it's only a matter of time before someone develops and deploys truly payer/payee anonymous electronic cash, now that there is a large and credible potential market.
- Anonymize future administrative interactions
Again, ZKS Freedom browsed SSL pages, or remailers. You'll need to authenticate yourself to us, be it by client cert, PGP signature, magic token, one time password list, or something else.
- Anonymize systems administration connections
ssh through ZKS Freedom is what I would personally use, but you can probably do something tricky with a shell interfaced to email and pgp, run through remailers (high latency, though), or Web-based administration, or something novel. If your server accepts lots of SSL connections from users, you could masquerade as a regular user, and then tunnel ssh/telnet through SSL.
- Anonymize end-user connections to the server
This is not strictly necessary in all applications. End-users can always use something like Freedom, or crowds, or anonymizer.com. Maybe your server interacts with users through email/remailer nets, like Tim May's Blacknet.
I think it is highly unlikely this will happen, but we've certainly considered it, and want to make sure we have a credible plan in case it does happen; by having such a plan, we can remove any value in making doing business with Sealand illegal, after all, so maybe it won't happen.
I think any country which starts restricting what countries its citizens can do business with is headed down a slippery slope. The U.S. certainly does this already, with the "seven evil countries", but we're not going to be supporting state-sponsored terrorism, or expropriating property from influential Florida voters, so I think we're sufficiently benign to not be at much risk. Certainly there are countries in the world where conducting commercial transactions with a non-local business, in dollars, is illegal for the average citizen; those are some of the countries to which HavenCo's service can bring the greatest benefits.
Do you need any help?
by BoLean (TLowing.firstname.lastname@example.org)
Is there any way that we Internet users or the Open Source Community could help with HavenCo? Are there any specific software/software security needs that you have? Have you considered working with individuals/groups from other countries to help politically support your operations from their native soil?
I'm working on preparing a list, but there are several areas where we could use help.
In general, I'd prefer to work with the existing authors of existing packages to incorporate new features into the mainline. We don't have a huge number of programmers, and our requirements are not terribly unique; mainly we can assist with some requirements definition and design, and would want the teams to handle deciding if it's worthwhile, design integration into their future plans, implementation, and support/maintenance.
- We're working with the OpenSSL people to get better support for OpenSSL using some more obscure crypto adapters. We'll probably do the same with GnuPG for OpenPGP.
- I'd like a security-audited subset release of Debian GNU/Linux, with some additional cryptographic signing of packages by auditors. I'd also like to get Debian support for some more esoteric hardware platforms we might use (without revealing too much info :). My personal favorite platforms are Debian and FreeBSD; there are lots of nice automated systems management/upgrade tools one can do with ports and debs.
- I'd like a Web-based application, using applets or tamper-resistant hardware, which can send/receive OpenPGP-compliant messages.
- Various enhancements to NOC management, network monitoring, etc. open source tools (rrd, nocol, etc.).
- A decent SMS-to-email (and reverse) gateway for the Orange cellphone network in the UK :)
- Various enhancements to networking tools, practices, etc. for increased DDoS resistance.
- Some cache and SSL enhancements, probably to be presented at IETF.
- Secure time that doesn't suck (there's a wg, but I want tools).
- People developing for tamper-resistance, using a common-across-all-tamper-resistant-devices API, such as JavaCard. I'll speak about this at Defcon this summer.
- Good open-source SQL databases; I like PostgreSQL, others like MySQL, and having good open-source SQL db alternatives is always good.
- A Web-based time management/scheduler/etc. I've looked at Xen, for Zope, and it looks promising. I don't want to use MS Project. UNIX clients would be great too.
- Web-based general ledger/accounting tools; again, I don't want to be stuck using Quickbooks/MS Excel. UNIX/Gnome clients would be great too.
by Julian Morrison (email@example.com)
What motivates you to set up a data haven? Are you motivated primarily by libertarian principle, or do you intend it mostly as a way to make money from Sealand's sovereign status? Or both?
Ryan: Initially, we were motivated primarily by libertarian principle, but that includes a desire to make money. The business would not be possible, nor would we pursue it, if it did not hold the promise of being wildly profitable if successful.
Will you allow data that does any of the following:
- evades taxes or excise?
Sealand has no taxes nor customs duties, so it would be impossible to evade Sealand taxes or excise. It would be even harder to do so with an Internet server. :) We have no responsibility to assist in enforcing tax or customs regulations of arbitrary other countries, within Sealand.
- breaks local morality and legislated morality (including where oppressive, e.g. Iran)?
Again, Sealand has no local morality or legislated morality, at least as applies to Internet servers on Sealand. No content would be rejected due to this, in the Sealand datacenter. We regulate based on location of the server. If a country, such as Iran, decides content hosted in Sealand is inappropriate for Iranians, they can make it illegal within Iran, and then Iranians accessing HavenCo colo'd servers in Sealand would be violating Iranian law in Iran, and potentially subject to Iranian prosecution. Not Our Problem.
- belongs to political dissidents?
As far as I know, Sealand has no political dissidents; it's too small. No content would be rejected due to belonging to political dissidents in other countries (and I'm sure Sealand would happily allow content belonging to dissident Sealanders to be hosted in Sealand as well).
We have no real way of knowing if a user setting up a server is a political dissident in another country, anyway. It's not one of the questions on our account creation form :)
- belongs to terrorists, organised-crime, etc.?
We certainly don't support terrorism or organized crime, but anyone can set up a server. We do not screen customers as they set up servers, nor do we conduct four week background checks prior to beginning service. Think "cash and carry."
- is uploaded and maintained completely anonymously?
We encourage users to upload/maintain content/servers as anonymously as possible, for security reasons -- if people don't know who the admins of a server are, they won't try rubber-hose tactics, nor will they try to steal your laptop, install BO2k on your machine, etc.
- is maintained with absolutely no access granted to anyone trying to prosecute on grounds of its content?
Users are welcome to keep information private and restricted to any group they choose. In general, we think most users will be publishing data to be visible to as many users (at least paying users) as possible.
Do you perceive what you're doing as moral? If so why?
Yes. We provide a valuable service to customers, promising a certain level of quality, security, and privacy, and work very hard to keep those promises. We do not mislead or coerce anyone into being our customers, and do not engage in anticompetitive or illegal practices against anyone.
by dingbat_hp (firstname.lastname@example.org)
Sealand will inevitably have thin comms links and so will be more exposed than most to a DoS attack. Recent cases have involved ISPs pulling user sites simply for being attacked in this way - they accept the target site is blameless, but pulled it "for the good of the majority of users" and the restoration of their own comms.
Ryan: Our network architecture is actually going to be relatively advanced. Basically, private peering in insane quantities at nexuses of Internet traffic around the world, quality cache/filtering at those sites, and then encrypted tunnels over private links back to our datacenters. In the short term, these pipes back to the datacenters will be a bit undersized (10-200mbps), but we're planning to have gigabits of connectivity all the way to our datacenters in the medium term.
Resistance to DoS and DDoS is sort of the age-old battle of arms vs. armor; the newest arms will always win, but slightly older arms will lose against the newest armor.
We're in a better position than most w.r.t. DDoS; because we're on the side of individual liberty and privacy, it's unlikely any actual hackers/packet warriors/etc. would *want* to attack our network; if they did, they'd be suppressing free speech, exactly the thing many of them say they're for. And of course the people developing all the cutting edge stuff are the internet community, not governments and corporations; if we can resist several-month-old tools, we'll probably be able to resist most government or corporate sponsored DoS attempts.
DoS attempts are against terms of service, and the law, in most jurisdictions and networks. We'll work with companies and authorities in other countries to eliminate any sources of DoS against our networks, and will work with other service providers to eliminate the pathetic configurations which are used to effect most DoS attempts. If you look at how rabidly people go after spammers, multiply that by 100 and that's how hard people go after DoS.
How would Havenco respond to such an attack ? Taking the moral highground, or the pragmatic approach of letting individual users be picked off?
I don't think we'd shut off a customer simply for being the target of a DoS attempt, provided the customer was not violating our AUP. We may as needed take pragmatic steps to ensure maximal connectivity and fulfillment of our SLAs for the maximum number of customers, such as partitioning our network during heavy DoS attempts, etc.
Disconnected Living in a Connected Business
by Amoeba Protozoa (email@example.com)
Setting up a company on a remote island, even one that doesn't require a lot of on-site workers, was undoubtedly difficult.
Ryan: Yes. We actually delayed a lot of the onsite work, which we could have started as early as November, until March/April, due to inclement winter North Sea weather and negotiations with the Royal Family.
What were the major challenges of setting up on the island? How many people, and what sort of equipment did it take? Is there more left to do?
The single biggest challenge in setting this up has been scheduling; certain items have really long lead times, and there are long critical paths. For instance, you need power to operate tools/computers/etc. during buildout, but installing a major power system requires quite a bit of engineering already be completed onsite. We were lucky that a lot of facilities were already in place, including a small generator, housing, kitchen, and a winch.
We have learned a LOT about how to do this in the future; we should be able to create a new datacenter on a green-field site in a matter of a few weeks! Hint: use technologies and procedures with more in common with military logistics than traditional datacenter buildout. (anyone with a nice site in a country with favorable laws and/or government partnership? Email me, firstname.lastname@example.org!)
We had to do a bunch of interim steps in order to install larger equipment; for a while, I was using a laptop and portable phone for IP connectivity, then geosync satellite transponder, and finally a combination of multiple technologies.
Our power system is still under construction; we've got small UPSes and generator power, but the production system, with a set of large UPSes, 3-phase PDUs, etc., is still in progress.
We've used a variety of transportation technologies; various helicopters, boats and ships, containerized transport, etc. (I must say I prefer the helicopter to the boats, even if it's less exciting)
I'd say that in total, there have been up to 40 people involved so far, within HavenCo, the Sealand Government, and key vendors.
Some of the most useful tools are exactly the same ones you'd use in setting up any kind of techie venture anywhere in the world:
- relocatable power taps (i.e. power strips)
- Gerber Multitools/leatherman, pocket knives
- De Walt power drill/screwdrivers
- Duct tape
- Cat 5 UTP for temporary 100baseTX runs
- Free OSes, on CD and off the net
- Quality generic PC clone hardware
- Linux, *BSD
- VMware (yes!)
- ssh (quite possibly the single most useful piece of network software ever invented)
- thttpd (otherwise, we'd have a hard time standing up to slashdot effect, combined with media effect, on random webservers)
- laptops running UNIX, to make temporary servers, do NAT, etc.
- email-to-fax, fax-to-email services
- cellphones (yes, we can get cell coverage on Sealand, at least on deck; this has saved us quite a bit of hassle)
- drysuits (like in my photo in Wired...if you don't wear one, and you're going along at 30 kts in a small boat, you will freeze)
- Rigid Inflatable Boat (the 22' thing in a lot of the pictures)
- canned goods (although eating some variant on corned beef hash, or rice pudding, gets kind of old after a few days)
- winches and list motors, angle grinders, oxy-acetylene torches
- 1 ton plastic pallet tanks, for water, diesel, etc.
- Our best friend, a 25 gallon/hour reverse-osmosis watermaker, without which one would be unable to shower (a very recent addition to the Sealand family ...)
What are some of your day-to-day facilities like (food, shelter, perhaps even recreation)?
We have a small kitchen, and make two meals a day (breakfast is generic cereal and stuff). For housing, people have from 50 to 150 square feet of space each; it's not great, but is totally passable. We have one room dedicated to recreation, the lounge, with a TV and a bunch of books. You can also go out on deck and admire the view. My favorite room for recreation is the NOC, though, since I'd probably spend my spare time hacking on new tools or webpages, reading online books or Web sites, or playing computer games.
We have a professional cook/housekeeper onsite (a recent addition), which greatly improves quality of life -- I have better food when I'm on Sealand than I ever did when I cooked for myself (that it's free is nice too).
(FYI, last night I slept on my desk in the NOC because I was too lazy to walk 300' to my bedroom...it was surprisingly comfortable. Antistatic foam makes a good pillow, too.)
We're planning to improve the food/shelter/recreation situation, but it's sufficiently good now that it's not a priority. People have discussed getting a DVD library, video projectors, satellite TV system, better books, putting computers throughout the recreation spaces so we can play networked video games against each other (and others on the net), a hot tub, nice commercial kitchen, professional chef, etc.
The most impressive thing is that the Sealand Royal Guards (mainly ex-British soldiers who provide security, physical maintenance, and logistics support), many of whom had never used a computer before, have started using the PC we left in the lounge, and now want me to get them laptops. (Sadly, it's a win98 box, so the GNOME/KDE people should hurry up and produce a viable alternative so I can give them Linux laptops...) IRC, the Web (ok, mostly porn), etc. seem like the best way to introduce people to the net -- in less than a week, they've become pretty self-sufficient on the Internet.
What is your daily cash burn rate? Are there ways to cut it?
I don't know what the daily cash burn rate is; we don't have the kind of absurd burn rate common in Silicon Valley, though, even though we have substantial physical construction involvement.
We could almost certainly cut burn rate if we needed to, but we'd rather focus on increasing revenue, which is potentially infinite, than decreasing costs, which becomes exponentially harder as you get closer to $0, and is finite.
Are you making a profit now? If not, when do you plan to be able to?
This I don't know; I do techie stuff. I don't think the financial people would share this information at this point, either.
Do you have a plan in case of a hostile takeover?
Our stock is closely held, so a stock-based hostile takeover is unlikely.
If you mean a military takeover, yes, we have comprehensive security plans, but this is handled by our onsite security people, and I have little involvement. My personal plan is "don't get shot", and "stay away from where people might potentially be shooting." While people may focus on the extreme possibilities where we get raided by some corporate mercenary team or religious fundamentalists or something, in reality, our security concerns are much more likely to be "someone falls down a ladder and breaks a leg; how do we deal with this" or "minor electrical fire in the kitchen"; that kind of thing is handled quite well.
Where can I send my resume? :)
email@example.com. Include a description of what kind of job you would *want*, along with a resume. Please please please only use .txt or URLs, not .doc! (guess which resumes I don't even bother reading...)
Interesting concept...I wish you luck!
Web Email (was: Re:Disconnected Living)
Ooo! The more interesting question to ask is: Can I get (either for free, or since this is a business, for pay) an e-mail address at havenco.com, or some other domain hosted at Sealand?
Ryan: You can definitely not have a havenco.com e-mail address, unless you work for us.
If anyone with a server at HavenCo/Sealand sets up a mail server on Sealand, you are welcome to contract with that person to buy an account. I imagine Web-based and non-Web based outsourced e-mail provided from Sealand will be a major market, for the reasons you mention.
You could set this up yourself, too. $1500/month for the box, you should be able to get a few thousand accounts, and if people paid $10/month each for non-subpoenable e-mail, you'd be profitable quickly. Dedicated machines per major user would also work; if a company wanted to outsource their Intranet/Extranet and e-mail servers, you probably would want to just resell one or more machines per customer.
In reality, the most important data any person or organization has is their e-mail! It can be read, spied on, subpoenaed, etc. I'd pay MONEY for this service.
I agree. You'd definitely want Web-based via SSL or applet security for viewing, or PGP in/out relaying, though; it would be silly to just put the mail server on Sealand and not protect the messages in transit.
Will Sealand be getting a top-level country code? If so, you could also sell domains, but let me say that I think the hottest idea is selling Web-based e-mail accounts.
You're welcome to point .com/.net/.org domains at HavenCo IP addresses. Same goes for country codes.
We'd really like our own country code, but getting one is a really long and involved process, so don't hold your breath. .com is still the most respected commercial domain, so I think it will be a really long time before any serious commercial business relies on non-.com domains.
Dibs on "firstname.lastname@example.org" :-)
Points of Contact to the Internet
by gregor_b_dramkin (gregor_b_dramkin@my-Deja.com)
What will you do when pressure is exerted on your landlubber ISP to shutdown your connection? Move to another ISP? What happens when no one else will give you bandwidth? A renegade server farm doesn't do any good if no router will accept its traffic.
Don't say it can't/won't happen. Unfortunately, it can and probably will.
Ryan: We don't buy transit from ISPs. We only buy transit from tier 1 and 2 network providers, and arrange peering with as many as possible.
We are relying on having a very high quality, very well run network, with a large amount of desired content, as well as a top-notch well-known network administration team, to encourage as many networks as possible to privately peer with us at our major points of presence.
I certainly agree that if no one will carry our traffic, we're in bad shape, but luckily this is the Internet, and most of the people making those decisions are still fundamentally pro-freedom and individual liberty, with a technical background. We're going to be a very good internet citizen, participating in a variety of infrastructure development programs with pro-internet organizations, and peering with us is good for everyone.
Many countries have third-country communications laws which would make it unlawful for the government to exert pressure on ISPs to drop routes for given customers in other countries. Additionally, the value of the Internet will fall dramatically if major governments get involved in censoring traffic at that level; we've already seen examples of countries which try to block all potentially offensive or subversive traffic at their borders; not a lot of net startups moving there, eh?