Our interview series has featured a wide range of opinions and views. Today’s interview is no exception – and it’s a real treat to read! Curtis from IncogNET joins us to discuss privacy, free speech hosting, warrant canaries, vpsBoard, and backpacking. I thoroughly enjoyed reading this interview and I think you will, too!
Be sure to check out their latest offer on LowEndTalk.
Where in the world do you live?
I’m currently enjoying life in the American midwest. It’s not always where I want to be, but anytime I’ve lived elsewhere in the country I somehow always find myself coming back this way.
How did you get involved in the hosting industry?
Oh man. Well, let’s see… When I was younger and a teenager, think early 2000s, I always had little project websites. This was back in the Angelfire, Tripod, GeoCities days. Basically little sites that had some BMX or skateboarding content. As a teen I would make skateboarding and BMX videos with friends or just film dumb skits and wanted a place to showcase them. This was pre-YouTube days if some of you younger ones can imagine. So I sort of always had project websites and loved webhosting from an early age.
Fast forward to 2010 or so, I was living and working on an organic pomegranate orchard / wildlife bird refuge in Nevada and parted ways with the business and decided to come back home. While helping manage the orchard, I had done some things like develop an online marketplace where we could sell our fruit direct to customers and was very much into managing our online presence at the time.
After leaving that job and finding myself back in the midwest, I started Surmounted.NET – And I’m not even for sure why, exactly. In Nevada I was managing a business, a fruit orchard. I guess I wanted to continue to do something business related, while involving another thing I was interested in: Web Hosting. It actually went pretty well, we didn’t deadpool or anything, but it was probably about 18-20 months after starting it that we got bought by GigaTux. As far as I know there are still customers of the brand however the website remains as I have left it in 2011.
So, even though my first dive into the industry as a provider didn’t last forever, I learned a lot. After that I spent years in other industry roles with various companies, everything from front line support and sales for larger companies to some management level stuff for smaller ones.
Let’s step back in time and talk about vpsBoard. As many of our readers know, it was a VPS discussion site using IPB. What led you to its creation?
Well, I think at the time I, as well as many community members of this very site, (LowEndBox / LowEndTalk) were unhappy with the management of this community. And although this community ultimately stood the test of time and is managed better than it previously was, there was a time when many were unhappy. Unhappy enough to turn a brand new forum into a pretty active and happening spot online for a while, at least. I can honestly say I never really anticipated it becoming as popular as it did at its peak, but when comparing the two forums today – LowEndTalk definitely came out the victor and is far superior today.
You put a ton of time, effort, and money into vpsBoard – what happened? Any lessons learned? (Best logo ever, btw)
What happened? Things fizzled out. While we had a ton of community members and daily activity, as well as some unique projects, in the end… “things just fizzled out.” I’m not sure if there was any particular single instance that was a turning point, I’d like to think it was a combination of several small things that added up. Everything from software updates and a new UI to things I hesitated on like better mobile functionality as well as battling user input of, “Too much industry drama” or “Not enough industry drama” depending on who you asked. Anyone who has run a community knows what I’m talking about, you can’t please everyone and you try to find good common middle ground to accommodate both sides and sometimes you end up with no one happy.
I tried so hard to keep things alive, introduced things like our article bounty program, ran DailyServerDeals which was a unique and fair platform, and more… but in the end things just slowed down to the point where, combined with “life”, I decided to just shut the site down. I was working 6 days a week at the time at a job outside of my home, in an environment where I wasn’t able to have a phone on me to check on things, and it didn’t make sense to leave it without someone babysitting it.
The original plan was just going to consolidate all of our servers (we rented a lot of servers from community members to power different aspects of the site and related projects) and then do a HTML archive of everything as it was at the time. I wanted the content to live on and continue to be available. There was some public discussion about what I wanted to do. I didn’t want to sell it and was pretty publicly against the idea and I still get some grief for it today, but ultimately in the end sold it to KnownHost. I convinced myself that it’d be better to keep it alive and available under the management of a large enough company that could keep it online without much concern for the cost of keeping the lights on. To this day it remains online, and it appears to be more or less unmoderated. But at least the original content that made it great at its prime still lives. I still get vpsBoard in my search results all the time.
Mind you, prior to all of this I had been offered a much larger sum of money for the site from an “industry competitor” and declined the sale without hesitation. The folks at KnownHost are good people, and even though the forum today is nowhere near what it once was and isn’t where I’d hope it’d be under new management, in its prime it was something pretty great. I learned a lot and met some great people, many of whom I remain in contact with to this day and have fond memories of it.
Now you’re working for IncogNET. Tell us about them.
Towards the end of 2020 I was really itching to do something different and started working on IncogNET. I guess it had something to do with how politicized the internet has become, how freedom of expression didn’t really exist with big tech, and how online privacy has been relatively disregarded by many. I was annoyed at how much personal information companies required for relatively basic online things. I was concerned by how often even big companies had that information leaked. Hell, just the other week T-Mobile had a huge data breach. Things like that aren’t relatively uncommon, y’know? But more importantly I wanted to do something that encouraged the publishing of regular, normal use content to alternative networks like Tor and I2P.
So yeah, I just wanted to do something different. I asked, “What information is even required to provide a service? What purpose does it really serve the company to have all of this data?” – In the end, I determined that we just don’t want to know all that much about our customers. I mean, we’re not calling them to tell them happy birthday. I’m not mailing Christmas cards to them. Why collect this information to begin with?
Having a background in this industry, both from small companies and big, I can tell you that the vast majority of these companies have horrendous management of your personal details. The ID you submit as a ticket attachment to verify your cheap purchase? Guess what? It’s usually going to stay there indefinitely. It can be seen by most members of that company’s staff or outsourced help. The common software most of these companies use to manage their customers doesn’t really have any privacy specific features that would purge verification attachments. It remains accessible to anyone with helpdesk access for the most part, and that is absolutely insane. If you’re a customer of various hosting providers, do you know how many people within their organization have access to your personal information? Are you really comfortable with that? I guess I just don’t want to collect information that I don’t really need.
But yeah, I decided to do something that was privacy focused. It’s more than just not wanting to collect personal details. I want to normalize privacy for regular people. It boggles my mind that average people think that privacy is only for those who are trying to hide something or that those who seek it are ‘up to no good’. Privacy is definitely something everyone needs to be concerned with regardless if you’re a service provider or an end user.
I’m always on people to find something that differentiates their company from others so their services are not just a copy of a copy of a copy. I’d say IncogNET’s differentiator is your extreme focus on privacy. How do you see your position in the market?
Ha! Yeah we definitely do things a bit different. The thing with other companies is that they’re mostly using the same off-shelf commercial products to sell their service, from similar hardware configurations, network setups or geographic locations. This means there are a ton of providers using the same control panels and technologies, using the same billing / portals and more. And that’s not a bad thing really, many use what works and works well and it’s things customers come to expect and things customers are familiar with. But it leaves little room to differentiate between two separate companies, so it’s not uncommon to see providers compete on price alone or other value added features like software licensing or support.
So, aside from privacy, one aspect of our business is our plans are more sustainable. We’re a small business, bootstrapped from the ground up. It’s easier to manage a smaller number of higher paying clients and provide them with an excellent service versus managing a larger number of clients who pay a lower price. Although we do some deals for this website, we get plenty of sales at our normal, non-discounted pricing as shown on our website. If the revenue at the end of the month remains the same, it makes more business sense to operate in a way that requires less manpower to manage effectively. To put it in perspective, although we’re new with our business being formed in April, only our first month of operation was ‘in the red’ with each month after being green. We’re in a good place where we’re able to leverage some of the great relationships we’ve formed in the industry over the years to get good deals on what we need to take care of our customers.
When I posted your recent offer, I noticed you are heavy into crypto payments. Do you find the exchange rate volatility there difficult to manage, or do you intend for those funds to be “crypto forever”?
It’s still very much too early to really say. I’ve found the crypto payments, so far, have been far more worthwhile than PayPal but we’ve talked about starting to accept additional methods as well such as Stripe and more localized / regional processors that some of our customers outside of the US and Europe may enjoy. The customers who pay with crypto have seemingly been ‘better’ so far as well, meaning less tickets opened by them and no instances of abuse that I can think of. Some of our upstream providers accept crypto so our biggest operational costs are actually paid with it towards the end of the month. The only things we’ve been paying in fiat recently are licensing costs and our bill with Hetzner, which as you know will increase dramatically next year.
Oh yeah, that’s right. You guys use Hetzner in Finland. Hetzner recently announced a huge increase in their IP pricing, an increase so large many providers and customers are leaving Hetzner. What are your plans with that?
I mean, I get why they’re doing it but the rate of increase is absolute insanity. It’s such a financial burden that I see why people are dropping them. Luckily, we don’t have a huge presence in Finland and the cost of the IP addresses that we do lease there won’t be too much of a burden on us and we can absorb the cost and make up for it elsewhere. For now, we’re planning on staying and keeping everyone online on the nodes we already have, but have no plans in the immediate future to deploy any new nodes with Hetzner. For example, some of our own dev boxes and internal stuff that we had there we’re moving to our location in the Netherlands to free up those IP addresses and resources for paying customers, and we’re not accepting orders in Finland for our smallest packages. We’ll only accept orders on the remaining space for packages that are larger, to help recoup the cost of the price increase and have already reserved a large chunk of one node to be used for our own Shared Hosting customers since we have more resources than IPs there.
Now, we do plan on hopefully shipping some hardware to a different provider in Finland at some point in the future, but have no real plans beyond it just being a thought and something we want to do. No one has been contacted yet, but it’s all on the drawing board. Finland is a great location for privacy and it’ll be nice to grow our presence there. We’ll be working on acquiring our own ASN and some additional IP space soon to accommodate future growth like that, then we’ll start trying to source a datacenter there that can better accommodate us. If we can’t find a home there, we’d like to find something very similar in terms of location uniqueness and privacy laws from a company that is local to whatever location we ultimately settle on.
How do you like using DirectAdmin as your shared hosting platform, compared to the typical alternative cPanel?
My opinion of DirectAdmin is that it’s an excellent panel for the end-user. If you’re a customer of a hosting company and they use DirectAdmin, then the panel works pretty great and it’s going to feel pretty familiar to cPanel. My opinion of DirectAdmin from the perspective of someone who has to use the admin side of things and setup servers with it is that it’s “pretty okay”.
I guess it’s not bad. I spent years working for companies that utilized cPanel so my main experience is with that so perhaps I’ve just gotten used to WHM and what not, but DirectAdmin just seems harder to navigate and clunkier on the admin side of things.
With that said, I have found the documentation to be pretty on point and a great help for when it’s needed. Setup of a new DirectAdmin server seems to take more work than I recall setting up a new cPanel server, but in the end I’m really only concerned about customer experience, and DirectAdmin provides a great end-user customer experience, and cost: DirectAdmin is simply more affordable and offers the same features that your average end-user customer would want. This in turn has allowed us to adopt some commercial value added products like CloudLinuxPro to the mix and things like Softaculous for script installations without having to charge too much for a crazy good service.
I see you offer the option to have shared hosting customer’s sites mirrored to the Tor and I2P network. Do you get a lot of people wanting to host .onion and i2p sites, or is that still somewhat exotic?
It’s pretty rare so far, honestly. I sort of thought it may be a bit more popular but at the same time it’s still very much a beta service that we’re not pushing super hard. It’s not that difficult to offer, but one of these days I’ll be able to mark, “automate TOR / I2P webserver configs with DA” off my to-do list.
The goal behind even offering this is to publish and make available normal, everyday content on these networks. So you have a customer wanting to showcase their artwork, or some dude’s blog about old cars, or whatever. Just normal, everyday internet content. These networks need that type of content in mass to be adopted by your normal everyday internet user. Tor and I2P are great networks and part of normalizing online privacy is publishing ‘normal’ content to these networks that regular people may enjoy. It doesn’t all have to be tech blogs and 4chan style image boards or some of the random sketchy stuff that people often associate with these networks. And for the handful of our users who have opted in, their sites are just as normal as you’d find anywhere else.
You guys have a warrant canary on your site. There’s been some debate about the legality of those – i.e., if posting and then removing it when served with a request is the same as breaking the court-ordered silence. What are your views on this?
You’re not the first to ask this. Well, at this point if I were to remove it if I felt it’s pointless then it will spook those who think it’s meaningful and it’d be used as some indication of something being off. If we’re given a lawful order and it was loose enough that it didn’t specifically state I couldn’t say anything, then I’m going to state what details I can with respect to the customer in question’s privacy.
I’m actually working on a public transparency portal, something that would serve a few purposes. I want a place to showcase any subpoena or communication between us and law enforcement with private information redacted and quarterly stats as well as place to show off things like bandwidth graphs of resources we donate to anonymity networks or anything else relevant like donations we may have made to pro-privacy causes we care about.
The same portal would also include information on abuse report stats, how we handled them, etc. It’ll probably come at a time when we have more information and data to draw from but ultimately it’ll be a place where people will get a feel for how we manage our network and how we respond to lawful requests, of which we’ve received none so far.
Remember, “We can’t share what we do not know”, and because we don’t require much information and allow access to key areas of our site via alternative networks, there isn’t much we could share even if forced to.
This reminds me of the big news about ProtonMail releasing the details of one of their users who was an activist who drew some law enforcement attention. Everyone wants to blame ProtonMail for abiding by the law, but no one seemingly wants to blame the user who failed to use the tools made available to them such as ProtonMail’s Onion service or even doing simple things like just checking your email at a local coffee shop instead of home. A service provider can only share what they know about you, they’re not investigative units and aren’t going to waste time trying to connect dots for law enforcement. That’s not their job.
You offer a “BS Blocking” VPN service which is designed to block ads, trackers, etc. Is this similar in theory to Pi-Hole, only better? In my experience, so many of the major sites are now pushing ads through their main domain that DNS blocking doesn’t always work. For example, to block Facebook ads, you have to block facebook.com. What’s been your experience?
Yeah, it’s very similar actually and our blocklists that we maintain were actually originally designed for Pi-Hole and are available on our GitHub page and can be used with Pi-Hole, AdGuard, Technitium, etc. While it’s true that many sites are pushing ads through their main domain, it still gets a good majority of them while also blocking the tracking elements and known malicious scam, phishing and other sites from resolving. The real benefit I think is on mobile, where apps ping a lot of different servers to transmit telemetry and analytic data. I’m not saying it’s the perfect solution, it’s not, but it’s still a very good tool in the toolbox. On desktop, using our ad-block VPN to catch all that it can at the DNS level combined with in-browser plugins will prevent the ads that stem from the main domain of the site in question. Combined with our no-logging policy and no data-caps, it’s a pretty good service as long as you’re okay with our limited six locations in which we offer it from.
Interestingly enough, while working on rolling this service out publicly and watching our own requests be made in real time, it was noted that the Brave Browser was leaking DNS requests for Tor Onion sites. They have a “privacy feature” that allows users to access .onion domains and we kept seeing .onion domains coming through the network and couldn’t figure out why at first. I posted the details of our finding on a community project of mine, and it picked up steam fast. The news was picked up by ZDNet, MSN, CoinDesk, TheRegister and more tech specific sites. This was a huge mishap on Brave’s part as they put a countless number of their users at risk for a very long time by allowing their Onion requests to be logged by their ISPs since it was showing their real IP address associated with their request. Unfortunately this was before IncogNET officially launched, because it would have been great press for the company to release this information but it is what it is. Glad it was fixed and patched by Brave even though they knew about it for a while prior to fixing it.
Tools to enhance privacy have been around for decades. PGP dates from the 90s, but I can count on one hand the number of PGP-encrypted emails I’ve received in the last 10 years. What is your take on the future of privacy?
Ha! Yeah, PGP isn’t used nearly as much as it should be. I attach my public key to all my emails and I can count on one hand how many times it’s initiated an encrypted back-and-forth. One of our upstream providers is the only one I communicate with regularly using PGP, and by regularly I mean they send us our invoice once per month now, but it was nice having a normal pre-sales exchange between potential customer and provider towards the beginning of us choosing them as one of our VPN locations. All of our communication was via PGP-encrypted email.
Heck, we offer PGP encrypted webmail for our shared hosting clients. The Enigma PGP Encryption plugin is pretty popular on desktop clients, but it’s also a stock plugin for RoundCube, one of the most commonly used webmail clients that comes pre-packaged on any modern control panel software. So really it was no effort at all to enable, it’s just not enabled by default. So we’re not really doing anything in that regard that no one else can do. All of your favorite web hosting providers could take a few minutes per server to enable this. The downside to this is that it requires the customer’s key to be stored on the server which will be a turn-off for some. It’s still a good way to get someone who hasn’t used it before to start using PGP and getting a feel for it and how it works.
But you asked what my take is on the future of online privacy. Well, I foresee it being eroded more and more while your average internet user doesn’t really seem to mind. Even if you have ‘nothing to hide’, you should be concerned about where your data exists, who has access to it, and how big of a pain it is to clean up after a company, big or small, has a security breach that reveals your data to the world. Do you want your data, your clicks and online habits to be used to manipulate you in a way that makes you spend more time staring at a screen instead of spending your time in a more productive way? How do you feel about the potential of a joke or sarcastic comment you posted online three years ago being the reason that you’re sitting in front of HR tomorrow? These should be the concerns that regular, “not privacy oriented” type of people should consider more, I think.
You’re a backpacker, which has to be the polar opposite of the Mountain-Dew-and-Cheetos sysadmin stereotype. Been any place great? Any place recent?
Man wasn’t made to sit in front of computer screens for 12+ hours a day without feeling the sun on his face or the breeze in his hair, that’s for sure. With that said, I’ve been so incredibly busy this year that I’ve not gotten to enjoy the outdoors as much as I’d like beyond hitting up some local trails for some short jaunts in the woods.
Last year I actually set out to complete the entire 2,100 mile Appalachian Trail. I was going to hike and live in the woods, on trail, for about 120 days that I had set as a goal for myself. I had a lot of training, spent countless nights under the stars, in the woods for days at a time. I felt pretty comfortable and confident as a lightweight / minimalist backpacker that I could actually complete this.
So, I fly to Maine in the middle of a pandemic knowing damn well sections of the trail would be hard to resupply on. Knowing that many hostels in my guide book were closed. I quit my job to do this, y’know? So, long story short I get to Maine, I climb Mount Katahdin, the northern terminus of the trail, and no one is there. No one else was up there. It’s not a super crazy mountain but if you’re into backpacking then you know most of the east coast trails are old and super rugged whereas out west, despite being taller mountains, they’re better maintained and they utilize switchbacks to climb a mountain instead of just going up straight and over, ha! Katahdin is pretty iconic and definitely not an easy mountain to climb, there is a lot of bouldering and areas I ran into where I wondered how I’d get back down.
I’m all alone and I keep getting drizzled on for a little bit at a time, then it’d clear up. I was trying to rush down because I wasn’t for sure what the weather had in store and getting caught on a mountain during a storm isn’t particularly safe. On my way down, I obtained a mild foot injury. At the time it just sort of hurt, but wasn’t too major of an annoyance and I didn’t think much of it and kept on truckin’. I hobbled back into camp after dark and didn’t think too much of it at the time. That was my “day 1” on the trail. Day 2, I get up before the sun, filter some water from a stream, make my breakfast drink and hit the trail. By lunch time my foot just wasn’t having it. It felt like I had sprained some toes somehow, it was odd. I just knew that I couldn’t hike the next section of the trail on just the ball of my foot… The next section being the “100 Mile Wilderness”, the longest unsupported and most desolate section of the entire 2,100 mile trail.
So I used the one bar of cell service I was finally able to obtain to request a pickup and ride into a nearby town to rest for a few days. While there, I ultimately convinced myself my foot wasn’t up for the task and got spooked about the next section. Seemed like the longer I waited the more doubt I began to have. I considered flying to DC and starting off at Harper’s Ferry, the halfway point, and doing the southern half of the trail since it was easier, but I wasn’t happy with the idea of not doing it all in one long shot. In hindsight this is likely what I should have done, just gone to DC and did the second, much easier half of the trail going southbound.
Anyhow, my friend was doing the Tahoe Rim Trail at the time, and after talking to her I decided to come home and make plans to do that after my foot was better. The Tahoe Rim Trail is a 170 mile loop trail that circles Lake Tahoe in Nevada and California and has some amazing scenery. It’s also closer to towns for resupply and more populated than the Maine wilderness which seemed like a bonus for a guy coming off a foot injury and unsure if I’d need help or not at some point.
About two weeks before I was scheduled to leave, small wildfires were dangerously close to the trail. The week before I was to leave, sections of the trail were closed due to the now large wildfires in the area and air quality conditions. So I canceled my flight. And luckily so, really, as by the time I would be on trail certain large sections of trail remained closed and the air quality was so bad that you often had no views and would just be in a constant fog of smoke and ash. Haven’t rescheduled, but man I wish it would have worked out as it’s a beautiful part of America.
Luckily I’m not alone with IncogNET. I feel like when the time is right, likely next year, I can start disappearing for a few days or a week here and there again and be confident that everything is in good hands while I enjoy the great outdoors. I definitely want to tackle the Appalachian Trail in its entirety someday. I thought 2020 was going to be my year, but maybe I’ll wait a few years and give it a go again. Who knows?
Q. Looking at your AUP, as far as content goes, it seems your limitations are pretty small: no spam, no hacking, no child pornography, no offering services as a hitman or fentanyl auctions, etc. When you say “pro free speech,” where are your limits? Is it strictly “everything that’s legal in the US”?
Ha! Honestly our Acceptable Use Policy isn’t much different than other provider’s, it’s just made to be easy to read.
We disallow all the normal stuff that any sane provider disallows, we have zero tolerance against spam and network abuse. We allow adult content like many other providers, but if the legality of the content is questionable then it’s not allowed. It’s all pretty standard and consistent industry rules up to that point. The only things we do allow that many others don’t are anonymity projects like Tor relays, I2P routers, VPNs, etc. Tor Exits must run a strict exit policy to reduce abuse, of course.
Regarding free speech, we’re big supporters of it. We believe freedom of expression is a fundamental human right, and even those we strongly disagree with still deserve a voice. With that said, we’re an American based business with two live service locations right now in Netherlands and Finland. Those two locations are great for data privacy but not the best locations for true free speech. We’re looking at some Dallas, Texas based datacenters for expanding into the US so those who actually need free speech can have it. The US gets a lot of flak, but when it comes down to it, it still has the best speech laws. You can certainly say and publish things in America that you couldn’t elsewhere.
Regardless of the personal political beliefs or worldview of any particular customer, as much as I may agree with it or as much as I may find it misguided or repulsive, their money spends the same as anyone else’s. We’re a service provider, we’re a business. I didn’t start a business so I could pass judgment on others or pick and choose who has the right to speak freely.
Q. I have to imagine that hosting a website that is offensive/controversial would become a DDOS magnet. Even some relatively popular viewpoints can result in attacks if some technologically sophisticated group decides they don’t like them. If someone signed up and hosted a site that was then bombarded, do you view that as resource abuse? I have to imagine your policies are intended more to say “we will host anything legal” than “we will keep your site up at all costs”. How do you resolve that sort of thing?
That’s a good question, and something we’re still figuring out how best to address.
Although we do offer DDoS protection in all locations it’s not what I would personally consider to be optimal for high risk targets or those who are constantly getting slammed. It’s good general use protection, but that’s not what we specialize in, so utilizing a 3rd party protection service may be needed for some. I’ve briefly looked into 3rd party protection services that we may be able to resell or offer as an addon for those who may need it, but it’s not anything we’ve moved forward on just yet.
To put it simply: With the current size of our company and our price point we’re simply not capable of moving hell and earth to put a ton of additional resources behind keeping a site online that has gained some sort of widespread negative attention. As with any provider, you can only do what is within your ability and outside of that you can consult and make some recommendations. I think that as we grow we’ll be able to better position ourselves to respond to situations like that.
Anything else you’d like to add? What are the plans for the future of IncogNET?
Yeah, buy web hosting from us! Ha. But seriously, we’ve got some good things planned for our future.
Right now we’re planning on spreading our Shared Hosting offering to Finland where we already offer Virtual Servers from, as well as in Dallas, Texas with a provider that we’re wanting to test out as a future home for some colo gear where we can also offer Virtual Servers from.
We also are working on some updates to our anycast DNS over Tor setup that the VPN network uses. This is to increase the capacity and capability of the setup as well as offering domain names with built-in DNS management through WHMCS. Private registration with DNS management under one roof. ETA, end of year or early next year.