Terms of Service

Know Your Rights

This page strives to include all relevant details to transparently inform you of your rights, protections, and expectations when using this blog.

The purpose of this blog is to encourage liberty, security, and privacy in tech. These Terms of Service intend to provide users the same liberties, security, and privacy that are promoted throughout this blog.

ByteCache components

Server

Owner, me: Clark Henry

This server is currently rented from: DigitalOcean

Data Center: San Francisco, CA

All of the following components are entirely self-hosted using Docker on this DigitalOcean server:

  • Commento comments section
  • GitLab
  • Nextcloud
  • Matrix homeserver
  • Riot.im

More details coming soon.

License

This blog is published under the GNU General Public License v3.

Web Front End Components

  • MathJax - Apache 2.0
  • jQuery - MIT
  • popperjs - MIT
  • Bootstrap - MIT
  • Tocify - MIT

Server Side Components

  • Debian - Various free software
  • Docker - Apache 2.0
  • Traefik - MIT
  • Apache HTTPD - Apache 2.0

Acceptable use

4 freedoms:

  • the freedom to use the software for any purpose,
  • the freedom to change the software to suit your needs,
  • the freedom to share the software with your friends and neighbors, and
  • the freedom to share the changes you make.

Free as in Freedom.

TODO Data

More details on the following soon:

  • Server
  • Blog
  • Commento
  • GitLab
  • Nextcloud
  • Matrix homeserver
  • Riot.im

Cookies

I do not use cookies to track you. Commento, the commenting solution for this blog, embeds some cookies. These are entirely self-hosted.

Web storage

Web storage [sessionStorage] is used to store theme preferences.

Privacy policy

I do not share data with any third parties.

I do track IPs accessing my Traefik reverse proxy via access logs, as well as SSH access attempts. This is to investigate brute force attempts, potential threats, incidents, and unauthorized access. 10 MB of access log data is stored on a rolling basis. I do not forward these investigation results to any third parties.

I do not filter access to this website based on geolocation, routing method (e.g., Tor), user agents, or other filters. I will filter access based on results of an investigation, or based on known lists of dangerous IPs.

Safe harbor

CFAA DMCA security research safe harbor.

You are protected and encouraged to provide Full Disclosure of discovered vulnerabilities.

Table 1: Recommended Disclosure Methods

| Location | Preference | Recommended Use Case |
|---|---|---|
| Comment section of https://blog.bytecache.io | Recommended | To provide vulnerability feedback about content provided on that page of the blog. |

If you prefer, you may Responsibly Disclose the vulnerability to me first, in which case, please email me at sentry@bytecache.io.

Summary

  • I want you to fully disclose vulnerabilities, and don't want researchers in fear of legal consequences because of good faith attempts to comply with this policy. I cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask me before engaging in any specific action you think might go outside the bounds of this policy.
  • If your security research as part of this policy violates certain restrictions elsewhere in my site, these safe harbor terms permit a limited exemption.

Safe Harbor Terms

To encourage research and responsible disclosure of security vulnerabilities, I will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of this policy. I consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). I waive any potential DMCA claim against you for circumventing the technological measures I have used to protect the applications in the scope of this policy.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not me), I cannot bind that third party, and they may pursue legal action or law enforcement notice. I cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this policy permits.

Please contact me before engaging in conduct that may be inconsistent with or unaddressed by this policy. I reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactively contacting me before engaging in any action is a significant factor in that decision. If in doubt, ask first!

Third party safe harbor

If you submit a report which affects a third party service, I will limit what I share with any affected third party. I may share non-identifying content from your report with an affected third party, but only after notifying you that I intend to do so and getting the third party's written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report. I will not share your identifying information with any affected third party without first getting your written permission to do so.

Please note that I cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of this policy. Refer to that third party's policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on my part to defend, indemnify, or otherwise protect you from any third party action based on your actions.

That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in this policy, and you have sufficiently complied with this policy (i.e. have not made intentional or bad faith violations), I will take steps to make it known that your actions were conducted in compliance with this policy.

Limited waiver of other site policies

To the extent your security research activities are inconsistent with certain restrictions in other policies in these sites but are consistent with the terms of this policy, I waive those restrictions for the sole and limited purpose of permitting your security research under this policy. Just like above, if in doubt, ask me first!

Legal

I am not a lawyer. This policy has not been reviewed by a lawyer. I cannot guarantee you legal protection.

Warrant Canary

  • The date of issue of this canary is July 8, 2020.
  • No warrants have ever been served to me with regard to the data or traffic served by any subdomains to the bytecache.io domain.
  • I plan to publish the next of these canary statements in the first month of 2021. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.

Proof of freshness

date -R -u
Wed 08 Jul 2020 05:30:02 +0000
curl -s 'https://blockchain.info/blocks/?format=json' |\
  python3 -c 'import sys, json; print(json.load(sys.stdin)['\''blocks'\''][10]['\''hash'\''])'
0000000000000000000663a777c01fb41285194b8549b9c175d5951df5ef6e04