AnonPaste: anything-goes, zero-knowledge version of PasteBin, hosted by some Anons

Jeroen Vader, the owner of PasteBin (a service that provides a simple way to share blobs of text, originally popular for sharing code-fragments and error messages, now also very popular as an anonymous repository for leaked documents and manifestos, especially those affiliated with Anonymous) has revealed that he sometimes shares his server logs with law enforcement agencies, and sometimes censors the material posted by Pastebin's users. People acting under the Anonymous banner and the People's Liberation Front have responded by creating a PasteBin clone called AnonPaste, running a free/open zero-knowledge PasteBin implementation called ZeroBin. AnonPaste's administrators claim that they will not censor or cooperate with law-enforcement, though as far as I can tell, there is no facility in ZeroBin for auditing the admins' adherence to these promises (that is, they could be censor-happy snitches and it wouldn't be easy to learn this fact or prove it to third parties). ZeroBin does have a facility for encrypting the data between the browser and ZeroBin, which means that to the extent that ZeroBin is free from defects, and the hosts of a ZeroBin instance have not added malicious (or incompetent) modifications, ZeroBin's administrators can't know what content is being hosted there.
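The zero-knowledge arrangement described above, sketched as an added example (this is not ZeroBin's or AnonPaste's code). It uses Node's built-in `crypto` module with AES-256-GCM as a stand-in for the browser-side cipher, and assumes the key travels in the URL fragment, which browsers do not send to the server. The host `paste.example`, the `serverStore` map and the function names are hypothetical.

```javascript
// Added illustration of a zero-knowledge paste flow; not ZeroBin's own code.
const nodeCrypto = require("node:crypto");

// Stand-in for the paste server: it stores only what the client uploads.
const serverStore = new Map();

// Client side: encrypt under a fresh 256-bit key and upload ciphertext only.
function createPaste(plaintext) {
  const key = nodeCrypto.randomBytes(32); // 256-bit AES key, never uploaded
  const iv = nodeCrypto.randomBytes(12);  // fresh nonce for every paste
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const id = nodeCrypto.randomBytes(8).toString("hex");
  serverStore.set(id, { iv, ct, tag: cipher.getAuthTag() });
  // Assumption: the key is carried after '#', so it stays on the client.
  return `https://paste.example/?${id}#${key.toString("base64url")}`;
}

// Client side: fetch the record by id, then decrypt and authenticate locally.
function readPaste(url) {
  const u = new URL(url);
  const rec = serverStore.get(u.search.slice(1));
  if (!rec) throw new Error("no such paste");
  const key = Buffer.from(u.hash.slice(1), "base64url");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, rec.iv);
  decipher.setAuthTag(rec.tag);
  // final() throws if the key is wrong or the stored ciphertext was altered.
  return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString("utf8");
}

// Everything the server operator (or whoever seizes the disk) gets to see.
function serverView(url) {
  const u = new URL(url);
  return {
    requestTarget: u.pathname + u.search, // the fragment is not part of the request
    stored: serverStore.get(u.search.slice(1)),
  };
}
```

Anyone holding the full URL can decrypt the paste, and the property holds only while the script the server delivers to the browser is the unmodified one.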

AnonPaste's admins expressed their intentions in a press-release posted to their own service (of course!):

And so the PLF and Anonymous have teamed up to offer a paste service truly free of all such nonsense. Here is a brief list of some of the features of AnonPaste:

1) No connection logs, period.

2) All pastes are encrypted BY THE BROWSER using 256 bit AES encryption. This means there is no usable paste data stored on the server for the authorities or anyone else to seize.

3) No moderation or censorship. Because the data on our servers is unreadable by us (or anyone), the responsibility for the legality or appropriateness of any paste is the sole responsibility of the person posting. So there will be no need for us to police this service, and in fact we don't even have the ability of deleting any particular paste.

4) No advertisements. This service will be totally user supported through donations. Links for this are available on the web site.

Paste services have become very popular, and many people want to post controversial material. This is especially so for those involved in Information Activism. We feel that it is essential that everyone, and especially those in the movement - have a safe and secure paste service that they can trust with their valuable and often politically sensitive material. As always, we believe in the radical notion that information should be free.

SIGNED -- Anonymous and the Staff of the Peoples Liberation Front

Megan Geuss of Ars Technica has more detail:

Indeed, without the possibility of deleting information, authorities might argue the site poses a threat to personal privacy and institutional operations. Vader told Ars, "Here at we think freedom of speech is very important, but we do think there should be some form of content moderation, because people do abuse paste websites, and if there is really no delete option, this could cause major harm." He added that yesterday his site released a "My Alerts" feature, which allows people to track names or keywords on Pastebin, so if illegal information shows up they can submit a takedown request to Pastebin in a timely manner.

And InfoWeek notes that ZeroBin has not been stress-tested against the kinds of DDOS and other attacks that might threaten AnonPaste's operation and philosophy of anonymity. As of this afternoon, access to AnonPaste has been on-and-off, suggesting there are still many hurdles for the endeavor to function at all.

Anonymous builds its own Pastebin-like site


  1. All pastes are encrypted BY THE BROWSER using 256 bit AES encryption. This means there is no usable paste data stored on the server for the authorities or anyone else to seize

    But if you want your paste to be public the decryption key has to be public too, so the pastes can still be grepped by anybody with the key.

    1. If you do not broadcast the URL, it’s kept secret.
      Anyway, the point is not to protect the user, but the server admin.

  2. “256 bit AES!”

    I see your double long word, and raise you 3840.

    256 bit AES … well, by 2025 a children’s SpeakNSpell will crack it.

    1. Go back and reread your cryptography books. 256-bit AES, for symmetric keys, is pretty bullet-proof. You may not realize just how big a 128-bit number is, let alone 256-bit numbers.

      128 bits (all 1s) works out to 340,282,366,920,938,463,463,374,607,431,768,211,455, or 3.4E+38 in decimal. 
      Assuming brute-forcing works within trying 50% of the keys, and overwhelming computing power, etc, etc, it still takes billions of years to crack.  It’s pretty safe.

      256 bits is 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,935. 
      That number is of the order of the number of atoms in the visible universe.

      Imagine the time it takes to brute force that 128-bit key. Now, repeat that 3.4E+38 times in a row. That’s how long it’ll take to brute force the 256-bit key.

  3. One more sweet pasty utility:  I’ve been using it to serve up some anonymous webpages.  Fun stuff!

  4. Woao… my little project on BoingBoing.  oO
    I feel a bit overwhelmed by the magnitude it has reached. All that for 700 lines of code.

    Thanks, Cory.
