Lots of minor upgrades to sporestack-python. It's now typed (more or less), CLI argument underscores have been replaced with dashes, and the executable is `sporestack` instead of `sporestackv2`. The package now follows semver.
We are out of lockdown. Cryptocurrency builds are back. Hopefully this lasts. Settlement token minimum buy in is now $20 instea dof $100. It used to be $10, but especially if paying in Bitcoin, $20 makes more sense.
We are back in lockdown mode, unfortunately. We have one customer who continually builds botnet control servers. Digital Ocean has generally been pretty gracious, but this appears to be impacting them now and we have to put a stop to this.
New builds will have to come from a settlement token. Minimum buy in now is $100. Maximum buy in is now $10,000.
I hate to do this, but unfortunately we have to do something and options are limited with a malicious user.
For some time, we offered some Torified flavors. tor-1024, tor-2048, tor-3072, and tor-4096. These were servers only accessible through a .onion, and all traffic was routed out through Tor.
Almost no one used it, it never made us any money, the code and infrastructure to handle it was significantly more complicated than the rest, and it was becoming neglected as a result. If there's enough demand, we could consider bringing back a refactored Torified hosting service.
In the meanwhile, if you wish to run a Tor hidden service, I recommend you setup your own hidden service with Tor (as you had to do with Torified hosting, anyway), and lock it down appropriately. Make sure your web server or what not is listening on localhost and not globally. You can also manually torify your outbound traffic if you desire.
Over the next minutes, hours, days, or however long I feel like it, it'll start to be disabled. That said, the last server will be able to renew for the time being. Eventually, we may retire the host entirely and disable renewals, so keep that in mind.
SporeStack is in desperate need of a simplification and overhaul, and the Torified codebase is holding us back quite a bit from that. I know that it's disappointing to remove a really cool feature, but it could've been better in the first place and it's literally a drop in the bucket usage wise. I do appreciate all who used it and gave it a try, though. Just not worth the hassle at this time. Maybe again in the future.
I had received some feedback about this. It was an issue I've known about for a while, and I guess slipped under the rug. It got worse with putting the estimated price on the website and CLI.
While I've done part of the work to make the issue more clear, it's still not in. I've been busy with things and not giving SporeStack as much time as I should. At a minimum, to explain the issue, if you buy a 1 day, 1GB server, it's going to be something like 39 cents. 39 cents, if paying with Bitcoin with today's $35k~ prices, is such a low value that it hits the "floor" of network transactions. This is something like 10,000 Satoshis. You can't send transactions smaller. And realistically, the actual floor of transactions that confirm with reasonable fees is quite a bit higher than that. 10,000 Satoshis is much higher than 39 cents. So if you want to pay with Bitcoin, get a server for a longer time period. It'll actually cost you the same as one day, in effect. Ideally though, consider a Settlement Token or any currency other than Bitcoin to get away from the fees and such.
More work needs to be done here. Even the smallest Bitcoin transaction you can send will cost me more money than it's worth in transaction fees. Just the nature of the beast at the moment.
Update: The USD price now reflects a much more accurate price.
I received an email from someone who claims to be (hopefully) the culrpit. They were very sincere and honestly it was probably one of the nicest things to read in a very long time. They didn't know port scanning wasn't allowed. I realize now that I have not done an effective job of communicating that and certainly contributed to the problem.
Pretty often I feel done with SporeStack. I feel it gives me a fair amount of liability and I take the service seriously in general, I don't want to deliver something lackluster.
The truth is that I ended up moving my own blog elsewhere -- I made a personal account at Vultr and Digital Ocean. For me, it's no longer a requirement to pay in cryptocurrency. And yet at the same time, it's stupid at at Vultr I have to put down a name, email, credit card number, etc, even if I want to make crypto payments. Digital Ocean doesn't even take crypto payments.
I guess SporeStack is really for a niche market. If you don't mind having a card number on file and your name/info, Vultr is way better than SporeStack. If you can pay in fiat, then you might as well pay with that. You'll pay almost half at Vultr or Digital Ocean. But generally speaking, I'm a huge proponent of self-hosting and recommend everyone do that if possible.
I guess for every use case, self-hosting isn't possible or desirable, and sometimes you really do need to be somewhat anonymous and pay with crypto. Then maybe SporeStack is useful for you.
I don't know what the future of SporeStack is. How long it will keep going. If it can grow into something amazing and extremely self-sustaining. I have a lot of other priorities in life, so working full time and juggling live plus SporeStack can be a bit much. I do have some help with SporeStack from a really great guy -- but it's a hard thing to design it so I can just step away and take a breather if I want.
Somehow though, that email I got today renewed my hope a bit. I guess I was feeling like whoever was doing this just didn't care that this was harming me and giving me real anxiety about SporeStack ultimately getting shut down. But I was wrong, they did care afterall and didn't understand. I just didn't explain it properly.
So I will have to make some adjustments. No promises yet and I have other work (my "real job") to get back to. But I'm very happy. I'm really touched to have the customers I do. I remember someone in the early days of SporeStack saying they'd tell people at parties about it. I never knew I'd make something like that. SporeStack really isn't much, but I guess it means something to me. I appreciate that to many of you it means something to you as well.
In the past couple days I have deleted over 50 servers for suspicious behavior (port scanning, DDoS, brute force login, etc). These are from reports I've gotten from Digital Ocean. Each report, presumably, puts the entire Digital Ocean account at risk. SporeStack isn't big enough to host its own clearnet servers and manage the risk more effectively. And financially for the past two years it's been barely worth the time I've put into it. That's not to say that I'm not extremely grateful for my customers. The fact is that I'm very fond of most of them. But given the mostly anonymous nature of SporeStack, it is ripe for abuse. And that is what it's been getting.
It seems that most of these issues have been coming from one user as of late. He or she never wrote in. I could delete 20 servers and not get a single email. There would just be more servers coming up doing more nefarious things which will get you flagged on *any* mainstream VPS host. I've not been able to contact the user, I suspect they know what they are doing and that it's causing me grief.
As such, my only control other than pulling the plug on SporeStack altogether, is to raise the financial barrier to entry. Settlement tokens will now be the only supported payment method for new servers on clearnet (Digital Ocean -- non-Torified). You can still topup as you have been if you already have one.
If you pay $100 for a settlement token and you make servers that are getting complaints over and over, if the server is up for an hour and is already using an insane amount of bandwidth nefariously, your server will be deleted. If you keep it up, all servers on the token will be deleted and the token revoked with no refund on the remaining credit.
I know this is harsh. I don't want to do it. The thing is that I'm working full time and have a lot else on my plate. Even if I wasn't, I'd be tempted to do this because the risk to the Digital Ocean account is too high. All of my good customers don't deserve having their servers lost because of one bad apple.
I'm sorry to do this. I know it isn't what SporeStack is about. I just don't have the time to make SporeStack all it can be right now. Especially not with this going on.
If this change doesn't solve this problem and existing customers are still at risk, more drastic measures will be taken.
PS: CockBox states that they allow port scanning, up to 40k packets per second. If you're going to do it, might as well go there.
Greatly simplifying SporeStack internally and externally, I'm deprecating cores/memory/disk/ipv4/ipv6 in favor of --flavor. Web users won't notice a difference, but CLI users will. The default --flavor is vps-1vcpu-1gb. More flavor "slugs" can be found on the pricing page.
--flavor is the default way to work with the Python SporeStack 1.4.0 CLI. Library use and eventually API use will be phased out in time.
To tell you the truth, I actually haven't been on Bitmessage for a couple of months. I switched away from Debian to FreeBSD and there were no packages for Python QT4 support available as far as I could tell. I tried for a while to get it going, but eventually gave it up.
PyBitmessage is the reference implementation of Bitmessage. It's still Python 2 only. Python 2 has been end-of-lifed. While I like Bitmessage very much, it feels a bit like a dead project. I hope the developers can update it to Python 3 and QT 5 so I can use it once more. Until then, it's probably best if I don't advertise it as a way that you can reach me, as it isn't. I am planning to get PyBitmessage going on a Debian instance to check and respond to final messages but for the time being email is your best bet.
In case you were cheering that another loathsome business was going under, I hate to disappoint you but it's not yet so. A friend of mine has stepped forward to continue with SporeStack's support and operations. One of the few I'd trust to help run it. It'll be some time before I get SporeStack ready for someone else to have access to, but I'll inch towards it as I can. At least I know I can get to a point where I can breathe a bit if I want to go off the grid for a while.
He's actually the administrator of one of the servers on SporeStack, I've been communicating with him for a while. He liked that he could email me with "Heil Hitler!" and get a response. So, I think (when I finally give him access) he'll be the man for the job.
While I am now working full time and can't devote nearly as much time to SporeStack, it's not going away just yet. As always though, backup your servers, plan for failures, and know that nothing lasts forever. So learn how to fish, farm, and ride out the upcoming apocalypse. Till then, let your servers buy servers with Magic Internet Money and participate in the Holy Orgy of Skynet: SporeStack.
PS: Ubuntu 20.04 has been added to clearnet (Digital Ocean) servers.
For now, this only affects Torified servers. You'll need to update to the latest SporeStack pip and do --flavor tor-1024 instead of --cores 1 --memory 1 --disk 5 --ipv4 tor --ipv6 tor, etc. If you set --flavor, --cores, --memory, --ipv4, etc, will be ignored silently.
The price went up just a hair, but you get 8GB of disk (instead of 5GB) on the 1GB memory server. I designed it to have a tor-512 flavor, but am having issues with iPXE installing Debian at that size. I will likely need to make more changes before I can add tor-512. At which point, it'll be under $4/28 days. There's also 2GB, 3GB, and 4GB flavors if you need bigger servers. Still all just 1 core, at least for now. Existing servers don't have any upgrade path yet, but will likely be billed at the slightly higher price. Feel free to contact me if you have any issues with this, want the larger disk, etc.
This may come as a bit of a surprise. And first off, I don't have a buyer. It might be in two years. It might be in two months.
I love SporeStack and the customers I've had along the way. It's kind of funny how much I've gotten to interact with some of you, on a anonymous hosting platform of all places. Of course, I get some bad apples. But on the whole, you all are really awesome and I like hearing from you.
In time though, I've found I can never really unplug. I try to check in every 24 hours at a minimum. This has been going on for over 3 years now. And while most of the time everything is fine, sometimes it isn't. It may be an email I need to reply to. A bug to fix. A payment issue. It isn't much time on the whole, but it's always there. And I simply can't have SporeStack and pretend it's okay for me to go away for a week while someone might be having an issue with something I made.
Ideally, SporeStack would grow to the point where it can sustain me. That would help. Then it would grow to the point where I could hire someone to run it. At least for when I feel like going away for a while. Right now, it isn't making me much at all. I can't live on it. Maybe if I already had a house paid off, it might barely be enough for the bare essentials. But it isn't, and I don't have a house paid off.
As it is, I'm not burned out yet but I am starting to get to that point. I see the writing on the wall. I can't run SporeStack by myself for the rest of my life. And I know the odds of it growing to a size where I could hire an operations team are really slim. As much as possible, I want to honor all of the commitments I've made to my customers. Topup dates, settlement tokens, etc. And to be clear, I'm not turning anything off anytime soon (nor do I have any plans to do so). I just need to be honest with all of you and say that this can't last forever. Maybe somehow I keep it going another 5 years. But honestly, I don't think that will happen.
If SporeStack can't grow to a size where it can be self-sustaining, I need to hand it off for someone (or some group) who's looking for a new adventure. But only someone who I can seriously trust my customers with. I may never find that, but I hope I do.
I hope you can understand. I know I might be shooting myself in the foot writing this, but you all deserve the truth. If you happen to want to buy SporeStack, send me an email and we can talk. But I don't want to sell to just anyone. I trust relatively few people with something like this. I'm proud of what I've made.
Thank you for reading. And thank you for your support over the past three years.
The sporestack pip installable version 1.2.3 has settlement token management, so you can generate, enable, topup, and query balance on settlement tokens without using your browser.
The CLI and web interface have both been updated to show whether the server is running and expiration is fetched from the API. This way the expiration is always correct. It's also made more clear if a server is deleted but not expired, etc.
I will be making changes soon to server expiration. It will no longer be a 24 hour window but something more dynamic. Always pay before expiry if you don't want to lose the server, of course. So use a calendar or what have you. But if the server was launched for one day, I lose money keeping it up for two and I need to fix that.
In general, lots of little tweaks. The web interface now uses the fetch API and await for info. It is so, so much easier to write and I wish I had started that way. I will likely convert more of it to a fetch-based API. But please let me know if you run into any problems.
I've started work on improving the situation with expiration times. If you save a server's JSON, renew the server, and paste the original JSON in later, it would show the old date unless you copied the updated JSON. Now, it will query for the correct expiration and set that regardless of what's there. This is the start of cleaning up that mess, it should be able to get better from here.
The "status" and "exists" endpoints have been removed from the API, being replaced with an enhanced "info" API which is powering the above. Note that the output differs between clearnet and Torified servers, the only stable keys (at present) are "expiration" and "running." Though it's possible "running" may become "status," so let me know first if you want to rely on that.
I caught a user doing double spends with a settlement token and taking advantage of another bug as well. The bug has been fixed and SporeStack may require confirmations on all transactions now. At least certainly for settlement tokens. So building a server and paying from a 10 minute confirmation cryptocurrency like Bitcoin might take a while, but it should still work as it did before.
Hidden Hosting has had more users, but it's still eating a hole in my pocket. So I will reserve the option to shift off the host that was separated from SporeStack LLC and designed to run if I still had a heartbeat and an internet connection, whether or not SporeStack LLC was legally permitted. The new host will still use one time filesystem encryption, so if I'm raided and the server is found it won't do much good if they pull the power. That said, *please* don't host anything on it that would get me raided. It's still possible for me to host on infrastructure entirely separate from SporeStack, but I've been losing money on it as it is so have no plans to do so unless demand picks up enough to justify it.
The power off before expiry thing has worked out great except when people build one day servers, since I end up paying for two and losing money on them. I'll likely adjust this, maybe to be a number of hours times days the server has been up, up to 24. Note that this still is not yet enabled on Hidden Hosting and is confusing when using the CLI.
You said nothing, and we listened. No one was using the Torified hidden hosting, making it quite expensive for us. We've decided to drop the prices substantially, from $17.92~ per 28 days to $7.00~ per 28 days. This is for a 1GB memory, 1 vCPU, 5GB SSD VM. If we get enough adoption this should still be profitable. So yes, our cheapest torified hosting is now cheaper than our cheapest clearnet hosting.
I've been wanting to add this for a while. Servers, at least launched on Digital Ocean, will be powered off when they expire and only deleted 24 hours later. This gives you a signal that your renewal has failed before the server is deleted, assuming you wanted to keep it. This may be adjusted in the future or be an API opt-in feature, but I'd like it to be the default for servers launched via the website.
I made a pretty big mistake and lost the server handling settlement tokens. The last database backup was before the one person who purchased a settlement token came in.
If that's you, please contact me and tell me what you paid with and how much it was. I'll do what I can to make it right. It will be easiest to make you a new token, but I can reenable your old one if you have any difficulty changing it on your end, and fix the balance. I know what the balance should be because of my graphs, which are hosted separately.
A few mistakes happened together to make this possible.
I didn't automate the backups, so they didn't happen. I started with a single command to back it up to my laptop. I forgot to run it after the first token was bought.
I saw missing data in my graphs and it didn't occur to me that the server had died until a few hours later. Granted, it is a Sunday and I'm trying to relax a bit.
The server it was on was set to use the API to automatically renew itself. My renewal code was really old and used at, which doesn't show up as a failed service. Something in the renewal failed but I wasn't alerted in any way, not even in my graphs.
Because this is a critical server, I will do my usual hack of setting expiry to 0, manually so it never expires and doesn't have to top itself up. But, I do need to do live testing of topups, so will make an unimportant server (probably a Monero miner + Tor relay) which will top itself up daily. If it dies, it's my canary and I know something needs to be fixed.
I will also automate database backups and credit the user who lost his/her settlement token to make up for my mistake and for wasting their time.
Thank you. I'm sorry. I would like to make this right.
This was mostly a feature for one exceptional customer, but I'd like to announce it for anyone as well. You can use a settlement token to prepay a balance with SporeStack and then draw on that balance. It can be a single server renewing itself from the token or any number of server builds using that token. Right now, token creation and payments are a manual process. But this enables the ability for you to pay with Bitcoin Cash, potentially other cryptocurrencies, gold, silver, etc, if you really wanted to. While it's kind of anti-SporeStack in nature, I believe it will be useful enough for some of you to warrant using it.
If interest in this is notable, I will automate the process and have an easy way to create a token, add to it, and check the balance.
Bitcoin Cash support has been broken for a couple days now. Worse yet, it'll give you an address and an amount to send. The one still working backend API for Bitcoin Cash as used by bitcash is down, but sends 200s. If it had failed "properly", at least SporeStack would throw some error and not give you anything to pay. Anyways, while I want to fix this, I have a bit on my plate and Bitcoin Cash payments account for something like $10 over the last 90 days if my graphs are correct. If you would like it fixed faster, contact me or submit a pull request. In the meanwhile, you might see it removed in some way from the API to try to keep the (very rare) user from not getting a server for their payment.
For an update to the previous post, business has actually gone up a bit since then. I don't really know why. But to sound cheesy, thank you all for your business.
When I started SporeStack back in January of 2017, I knew I was ahead of the rest of the market. Hosting without having to sign up is the future. Especially compared to those awful cart-style VPS hosts that let you get one server at a time. I think they're still in the Dark Ages, relatively speaking.
Recently, I found out about a second competitor. I talked about the first one a while back. It was a pretty sad knock off of SporeStack called Faceless Cloud. What upset me the most was that the guy had the nerve to advertize it on one of my Youtube videos about SporeStack in a comment, acting like he didn't make it and just found it. What didn't upset me about it is that the CLI didn't work (I opened a bug report) and the English on the website was horrible. It's actually quite a bit better now and I'm not sure if the CLI was fixed or not. I never did hear back on that bug report. It was mostly a copy of SporeStack v1. Now my open source code is released into the public domain, so anyone is free to take it and compete with it if they like. But still, I think it was pretty lame to not even contact me about it.
Now this second competitor is much less of a knock off in terms of code. I can't tell in the API that any of it is mine. Certainly probably inspired in parts, and the language on the website is, but it isn't like a rebranded SporeStack. Now, I think it has a lot more potential. It's cheaper than SporeStack and the web interface is maybe a bit easier.
I have to admit that I was pretty upset when I first saw it. But later realized I had kind of authorized it. A few month back, I heard from the owner of the bitvps.com domain on Reddit. We exchanged a few PMs. He asked if I would sell SporeStack or rent out some backend. I was interested in doing some kind of affiliate system, but still haven't for a number of reasons (and yes, one of them is just not taking the time to do it). I offered some exorbitant amount for SporeStack and told him I wasn't even sure if I'd sell it then. We didn't come to an agreement. He did ask if SporeStack was open source and if he could use it. I pointed him to the code and said he could. So really, I got upset over something that I was at least somewhat okay with back then. I shouldn't be changing my mind over this kind of stuff. I guess I felt pretty bitter as it actually looked like it had potential. And I am, maybe legitimately a bit upset that I wasn't let know when it went live. We're talking about a market (accountless VPS hosting) that has (to my knowledge) three companies in it and mine was the first. Is it really that hard not to say hi?
Now, this got me thinking. Two of my favorite companies are Backblaze and Go Ruck. The reason I like both of them is because they are honest and open. Go Ruck tells you how they make their backpacks, why they started using "batwings" where the strap attaches at the bottom, and so forth. I find it fascinating and I know in reading their blog that they are serious about their backpacks and are actually trying to make something that is meant to hold up through just about anything. I did buy one of their ridiculously expensive backpacks for $400 and do not regret it at all, for the record. Now Backblaze, I've never used. But going through their blog, it's like an engineering treasure chest of data. They have data on drive statistics, their enclosures are open source, and they talk about how they do just about everything. I like those companies. And I probably haven't been running SporeStack as openly as I should. I guess, maybe it has been open, but what it is lacking (from news posts and such) is actually going into detail and telling a story. I just write obnoxious ad-like news posts. Maybe because when I'm writing one of those, I spent a few solid days on a feature and just want to get it out there.
So looking at BitVPS, their interface is better and their pricing is cheaper. Why would anyone use SporeStack?
I could just lower my prices to match but I don't want to. I think SporeStack is better because I made it. SporeStack is not your typical consumer project. It is an engineering experiment that has never been done before. Before SporeStack, have you ever heard of a service that replaced its own API nodes automatically? It is the pinacle of dogfooding, which I encourage everyone to do if they offer a product.
After reading that ego trip, what does it mean for you? Possibly nothing. Nothing at all. You may not care about how many 9's of uptime your Bitcoin VPS API has. You probably just want a VPS server for cheap and without giving up any info. And you probably want the interface to not give you a migraine while using it. This is what I have to conclude. Most people don't care about ephemeral hosting. They just want easy and maybe anonymous. Almost the whole time I made SporeStack, I've been slaving away working on things that most people will never care about. This is the sad truth. I'm very good at systems/backend. My frontend sucks, and it's what people care more about. It took me two years to release a web launcher and it's still not all that easy to use.
For all I think I know, there's a lot I don't know. And it may well be that BitVPS or Faceless Cloud are better hosts for you. Or maybe, you don't care about anonymity and you can provide a credit card number to put on file. In that case, go host with Vultr. They accept Bitcoin and for most people it's just going to be better than SporeStack. For reference, at the moment a typical 1GiB memory/1vCPU/25 GiB disk/1TiB transfer VM will run you $5 on Vultr, $7.50 on BitVPS, and $9 on SporeStack a month. And actually, SporeStack is slightly higher yet because that's not for a month, but 28 days.
Last year I got really lucky and had one huge customer where I peaked out at 2,600 servers. And yes, that was a ton of money and I was making a killing. It didn't last long. You want to know how many servers I have right now? I'll tell you. I have 17 on Digital Ocean. I have 3 on a laptop for Hidden Hosting because my one Hidden Hosting server crashed (which is fatal, by design). And 2 on the new replacement host. (The laptop is set to drain now and no customer builds went there.)
To make matters worse, how many of those servers are customer's? All of the hidden ones are mine (I know because I have 5 hidden servers right now) and about half of the ones on Digital Ocean are mine. It's not enough to live off at all. So I don't know, maybe it will stay that way, maybe it won't. And while it's pretty humiliating to spend so much time on something like this and to have so few customers, I don't want to give up, either. SporeStack is my baby, whether it shines or not. I have worked my butt off to get it to where it is today and there's still tons to do. Knowing what I do now, I could have written BitVPS in a week. But I didn't. I made SporeStack. And for most people, it's completely irrelevant. Maybe I'm shooting myself in the foot by telling you the truth, but so be it.
I don't want to hide from anyone who they're paying. I'm so politically incorrect that I think many places would never want to hire me. But when it comes down to it, I have a really hard time wanting anything other than free speech and a free market. My main philosophy is that I don't want to be told what to do. I'd like to be a free man, especially if that means living in the mountains and living by the skin of my teeth. Now regardless of that, I want you to know so that you're not sending your money off to some faceless corporation that's donating money behind your back to things you find vile. You know pretty darn well what I'm up to and what I do. If it isn't for you, that's fine. If it is, that's great.
So how do I differentiate SporeStack? I don't really know. I still think the API is the best out there if you want that. I'd even be open to providing managed services if people really wanted that. If you're a SporeStack customer now, thank you. If there's another host that's better for you, you should go there. But if I can take care of you, please send an email and let me know what you need if it isn't obvious already (which, it probably isn't).
I'd like to give one last shoutout to CockBox. I'd call it gross for most, hilarious, and authentic. Not the same thing as SporeStack as you have to login, but it's cool. I like to see someone, or some people, making something that isn't just another product made solely for the market with no personal touch.
Hosting can become a utility very quickly. One thing I learned from working at Rackspace is that people will pay double or way over that if you actually connect with them, care about their lives and their business. We had possibly the best customer support in the market. Our products were out of date and way, way, overpriced. But when something broke, you called in and got someone wearing cargo shorts, riding around in gokarts on off hours, covering up the light sensors so the lights would finally go out on second shift, and put everything aside if you actually had a problem. You knew when you called in that you were going to be taken care of. If you ever didn't get that impression, you weren't talking to a Racker. Unfortunately, I think Rackspace hasn't been that way in years, but I am proud to have worked there for a while when it was the case. My first boss told me to make the customer happy and gave me no further instructions. That, to me, is a job.
Now SporeStack isn't currently a managed service. It's just some guy who eats potatoes and travels around. But it is pretty reliable, can scale if needed to, and actually has an API and a library to go with it. Maybe you don't want to hand off your hosting to the lowest bidder. Maybe, for a moment, you might think there's value in the unknown. I mean, maybe SporeStack is like the Flat Earth of hosting. Maybe you just have to believe, even if it's retarded. Or maybe you really do need to have your own customers pay for their servers, you configure them, and take a profit. Automatically. And you want them to pay in Monero over a hidden service. And not some old fashioned V2 hidden service, a V3 because it's new and cool. And when all is said and done, and it all breaks, you get to send in an email to some crazy guy who might be getting eaten by a grizzly bear in Idaho while your servers burn in flames. Or maybe, if you're lucky, you'll hear back and get things fixed.
Too many people give too many fucks. SporeStack doesn't give a fuck.
You can now launch a hidden server (all traffic in/out through Tor) just as easily as a clearnet server using the web launcher. Just select Tor from the networking mode dropdown. Preferably, use the web launcher over our Tor Hidden Service.
It's more expensive. I have seen no service like this on the market. It is a premium service for those who want the best possible anonymity. This is designed that I could continue to run it even if SporeStack was shut down through the legal system.
Using the web launcher or --operating_system (some OS) --ssh_key_file ~/.ssh/id_rsa.pub on the SporeStack Python 3 CLI, your operating systems are much more limited.
It's going to be less reliable.
Given the nature of the hosting, while you can use top up on some hidden hosts, preferably create new ones to replace your own old ones. They may be destroyed for any number of instances. For instance, our hidden hosts use a one time encryption that if the power is pulled on the host or it kernel panics, data is gone for good.
Sizes are very limited.
OS installs may fail, especially because they're running over Tor which is less reliable.
OS installs will probably take 20-30 minutes
All of these things aside, if you're accessing this site through our .onion, it's using one of two servers that automatically replace and configure themselves every week. Does it require some poking? Yes. Does it work most of the time? Yes.
Size limitations (as of right now)
5GiB of disk.
2GiB of memory.
1 core (for security reasons).
OS limitations (last updated 2019-08-28)
If you are not using iPXE and want the easiest way possible, your OS numbers are limited.
Debian 10: debian-10
Debian 9: debian-9
CoreOS Stable (requires 2GiB of memory): coreos-stable
If you want to watch the progress of the install, you'll need to install the SporeStack CLI. Then run sporestackv2 serialconsole yourhostname after you've launched your server through the CLI. Or, copy/paste the JSON provided from the web launcher output to ~/.sporestackv2/(your hostname).json and then run the serialconsole command. Ideally, start it earlier rather than later. If it fails, you will likely have to run cat youripxescript.ipxe | sporestackv2 ipxescript (your hostname); sporestackv2 stop (your hostname); sporestackv2 start (your hostname).
Full CLI launch example without directly using iPXE: sporestackv2 launch Your_Internal_Hostname --api_endpoint http://spore64i5sofqlfz5gq2ju4msgzojjwifls7rok2cti624zyq3fcelad.onion --ipv4 tor --ipv6 tor --disk 5 --days 1 --currency XYZ --operating_system debian-9 --ssh_key_file ~/.ssh/id_rsa.pub
If you want to use Hidden Hosting with bigger servers, or a whole bunch of them, contact us first and we will see if we can tailor the product to you depending on your expected demand.
Delete action is only on Digital Ocean for now. It's not likely something you want as you're deleting you server with no refund on unused credit. But, it may be more useful in the future. The CLI has been updated with a list feature and a remove to remove expired servers. Additionally, the launch output has been cleaned up a fair bit to be easier on the eyes.
Odds are, your servers are hosted on Digital Ocean. Before today, you couldn't start/stop (power on/off) the VM on that backend. Now, you can. Even in the web launcher. Web launcher also has an optional hostname field for you to help know which server is which.
Finally, I spotted a competing service to SporeStack. Not a Bitcoin VPS service, but something with an API. This one is quite interesting in that it uses some SporeStack client code (exact copy of the SSH key validation function). This is completely fine, that code is in the public domain. Although the README says "Originally written by Faceless Cloud" under "Authors and maintainers". The code structure is quite similar and also uses aaargh.
It appears to be written using the SporeStackv2 client code as a basic reference, however is more similar to SporeStackv1, using Vultr's API.
I found this service reviewing my Youtube channel comments. For some reason, the comment does not show up publicly.
I'm happy to announce that SporeStack now offers truly hidden hosting. Hosting where a VM's traffic is entirely pushed in/out of Tor, access is over a hidden service, and the VM does not even know where it is hosted.
Further, this has been designed in such a way that the hidden infrastructure is independent of the "clearnet" business. If a government agency or other group managed to "shut down" SporeStack LLC, the hidden hosting could still function. At the moment, there is a different endpoint for Tor hosting than for clearnet hosting -- they may be "combined" at some point as long as the halves can function independently of each other. What this means is that the hidden endpoint must be used for launching Tor servers and the clearnet endpoint must be used for launching clearnet servers.
There are numerous caveats. iPXE is the only supported boot option. Renewal is not supported at this time (which is fairly intentional). It's expensive (about $24/month for a 1GiB VM with 1 core and 5 GiB of disk). It basically has one flavor which maxes out at 5GiB of disk. With demand we can adjust these things, but I'm not sure if such a service has been launched before. The upstream hosting for our Tor hidden service is kept separate from the rest and should not be easily identified as being from SporeStack. Funds send to the upstream hosts are "mixed", as needed. The dedicated server(s) hosting the VMs store data in disposable encrypted mount points. Meaning, the host won't survive a reboot, but this means that if the host were pulled for examination the disk contents would be worthless. The SporeStack Tor API nodes are hosted on this infrastructure and don't even know where the physical hosts reside.
All of this said, this could be the most secure and advanced API driven hosting that exists on Tor. It is a premium service at a premium price.
If you want to give it a try, use sporestackv2 as usual, but be sure to set --ipv4 tor, --ipv6 tor, and --api_endpoint http://spore64i5sofqlfz5gq2ju4msgzojjwifls7rok2cti624zyq3fcelad.onion.
Our V2 Hidden Service is spore64zke3ofvbp.onion. To help protect our customer's privacy and security, it is being replaced with a V3 Hidden Service: spore64i5sofqlfz5gq2ju4msgzojjwifls7rok2cti624zyq3fcelad.onion. spore64zke3ofvbp.onion will redirect to spore64i5sofqlfz5gq2ju4msgzojjwifls7rok2cti624zyq3fcelad.onion, but please update your links. API functionality to this endpoint will be slightly "different," and is not yet recommended at this time.
On an unrelated note that has nothing to do with Tor, SporeStack V1 has been terminated. Remaining servers should run 6 months past their expiry date but will be deleted in the future.
SporeStack V1 has been deprecated in favor of V2. If you use the SporeStack pip installable, you'll want to use `sporestackv2` instead of `sporestack`.
We do not have a phase out deadline in place yet for V1. For the foreseeable future, V1 topups will be allowed but migrating entirely to V2 is preferable. Expect launching on V1 to be disabled sooner than later, however.
Feature wise, we are still not at parity. If you're finding an important feature missing in V2, please contact us and let us know. Development is driven largely by demand.
SporeStack V2 API is now in public beta. It's quite different, now very provider agnostic. It's been used for a couple months now in private beta. API documentation can be found on any 404 page on the new endpoint, sporestack-python (sporestack on pip) will now install with a sporestackv2 binary side by side. It's very different, without launch profiles, QR codes for payment, and Vultr's IDs have been replaced with requested amounts of disk, memory, text operating system names, etc. Can pay straight from a Walking Liberty wallet. More news to come. V1 API will be deprecated but not yet.
If ipxescript and operating_system/ssh_key is specified, you will have a greater capacity of backends to be provisioned into. There are less features in some ways, and more in others (start, stop, serialconsole on baremetal hosted VMs, IPXE only). While this is not much of an immediate improvement in ease of use, the backend is significantly more flexible and should improve in time. Open to suggestions. For the time being, there is no Tor discount for V2. That may or may not come back, however there will be more news on the Tor front in the future.
SporeStack is now a Wyoming LLC. Regarding the previously mentioned capacity issues, we have been scaling rapidly and have some room, but not lots. More is on the way.
Update: SporeStack has changed to a Texas LLC.
We had immense growth over the past couple of months and have been scrambling to keep up. We've ran into limits with our current hosting and work is nearly complete for a revised system that will allow us to keep scaling, while adding making SporeStack more like a traditional VPS host in terms of start/stop/console features. Still as anonymous as you make it, with Bitcoin and Bitcoin Cash payments, and at a similar price point.
At the moment, we are cutting things pretty close but the end is in sight. However, please contact us before making any large deployments on SporeStack over the next few weeks. Stay tuned for updates.
We are starting a shift away from hostnames in SporeStack. It's best if you use the IPv4 and IPv6 addresses provided directly. If you can, use the IPv6 as a default.
Initially, all servers were setup with a resolvable hostname of uuid.node.sporestack.com. That is being phased out. Now, the hostname returned will look unusual, having a prefix with the IPv6 and IPv4 addresses of the server on a aaaaplusa.hostnameomatic.com suffix. This is primarily for backwards compatibility. Hostnameomatic server and "client" are both open source.
For now, uuid.node.sporetack.com is still being created. That will be phased out, along with the reverse DNS records. Older SporeStack client implementations explicitly used uuid + '.node.sporestack.com' explicitly and should be upgraded to the latest version.
This may seem like a step backwards, but it is not. This will help increase the reliability and performance of the SporeStack API and allows for future growth. And in general, DNS servers are some of the most common failure points due to DDoS attacks. It's fairly straight forward to run your own nameservers (or use existing ones that are designed for high traffic) and can eliminate a fairly easy target. Say you were using CNAME or NS records to point to uuid.node.sporestack.com instead of adding A/AAAA records on your own domain. Someone might not like another customer's content hosted at SporeStack using similar DNS tactics. They send a 20Gbit/sec attack to the nameservers and now even though your server is likely fine and online, it can't resolve. We believe this is a more sensible and stable long term approach.
If you have any questions, please reach out: support at sporestack dot com
When Bitcoin Cash first came out, it was customary to use the same address format as Bitcoin (the 1-prefixed addresses with base58 encoding). The community has now settled on "CashAddr" which uses bech32 and has some advantages with QR code size and error detection. It also helps keep people from sending money to the wrong place as Bitcoin and Bitcoin Cash are two distinct currencies.
Unfortunately, any new change can be tricky to maintain backwards compatibility. And there get to be a lot of chicken and egg problems, very, very quickly. On Valentine's Day (Wednesday, the 14th of February) I will switch SporeStack's Bitcoin Cash payment address to CashAddr. Make sure that your tooling supports both formats. If you need to convert back and forth, this Python library can be handy.
In anticipation of this, I have added CashAddr support to bitcash, and with it, WalkingLiberty, and bitcoinacceptor. As well as to sporestack-python 0.7.2 (the 'sporestack' pip installable package).
If you have any questions, please reach out: support at sporestack dot com
I launched SporeStack just over a year ago, unsure of what would happen. It pretty immediately had customers and compared to my earlier services, it was a clear success. Usage has slowly but steadily gained since then.
I'm very grateful to my customers who have decided to host with me. All in all, it's been a really good year.
Now on a not so great note, I've had my second abuse report and have had to delete a server. It was pretty blatant, multiple reports (Spamhaus, scanning, etc), and the server hadn't even been up 24 hours. Had a 6 hour window pushing 106GiB with almost nothing inbound. As I discussed before, if you create a server that's just spamming and such, my only course of action is to delete it. And no, there's no refunds.
The first abuse ticket I got was a few weeks ago. It was actually completely my fault. I was setting up Tor relays to try and help the network. I accidentally disabled the exit policy and the server acted as an exit node long enough to be noticed (a few hours).
Even though I have PTR records set in place and an abuse policy written on the front page, people still go through Vultr for abuse reports. I'm guessing they go by whois data on the IP block.
This does challenge my earlier assumption that this would be too expensive to be worth buying servers for blatant malicious use. If it continues I may have to set a higher price floor where you only end up with a decent rate buying a week at a time. I'm also thinking about adding an optional Bitmessage Address field in the spawn call. That way I can at least notify someone/something about what's happened. I think that will matter more in the less blatant cases (server's been up for two weeks, had one trivial complaint, maybe was compromised or playing too much with nmap).
Of course I think it'd be unfortunate to make the day-long servers more expensive. There's lots of possibilities like paying into a redeemable services card of sorts, where you use --paycard XXXXXXXXX and then top up one "card" in particular. That would help a lot with 1 day servers where fees often cost more than the transaction itself. I also do not want to sacrifice the potential anonymity of SporeStack as that's one of its most important traits (paycodes and Bitmessage can be done with no risk to anonymity).
Anyway. Thanks for reading and Happy New Year!
Update: I started work on mitigation features for malicious users. I want to keep a good reputation with Vultr so they don't pull the plug on my account and impact both myself and all of my problem-free customers (which has been all of them until today). The first mitigation is a "cents floor", which you can see in the /node/options endpoint. The floor only comes into effect on the cheapest servers. So say the "cents floor" is 50 cents and you order a 1GiB server for a day, which comes out to 44 cents. The price will be rounded up to 50 cents. If you bought that same server for two days, the price would still be 2*44=88 cents. Keep in mind that the "cents" calculation is before converting to cryptocurrency which has its own payment floor so that only spendable amounts are sent. For now I will be setting a "cents floor" of 50 cents so I can watch the code's behavior and output in the graphs. I'll be able to see how often it's hit. And if this user does prove to be malicious, I will raise the value until they give up. Most likely to 200 cents and then 500 cents if I absolutely have to. If the coast is clear, I'll lower it back down. While I hate to impact my good users, in the end I have no "users" from a technical standpoint since all API requests don't have any mandatory data which associates them. While I dislike randomly raising prices, this is most commonly a 6 cent increase for single-day servers. At the end of the day, refer to the API's output for how much your server will cost. If it's too much, you don't have to pay it.
Mitigation 2 is if double spends start to become a problem, I may set a minimum confirmation (most likely of 1) to avoid such attempts at "free" servers.
If you have any questions, please reach out: support at sporetack dot com
SporeStack has now deprecated Bitcoin (BTC) payments given the unspendability of small inputs in the Bitcoin blockchain. Today, the recommended fee has hovered over 900 Satoshis per byte. At current rates, this has meant even the most basic single input, output, return output payment (226 bytes~) costs $27 to send and have confirmed in a short amount of time. Thus, SporeStack loses money on any Bitcoin transaction under quite a large amount. Break even might be on a very large server for 28 days where we are not even profiting. Anything less than that and we have to cover the cost of the server while you pay an exorbitant amount in transaction fees. And the money sent our way is literally unspendable at the amount of most of SporeStack's transactions. This is unfortunate and we hoped it wouldn't come to this so soon, but it has. Bitcoin is not functional as a currency for any "small" denominations anymore.
Bitcoin Cash has none of these problems and is cheaper for you and sustainable for us. Why would you want to launch a 1GiB server for 28 days, paying $14, to then pay an additional $27 in transaction fees?
We will be updating libraries and utilities to select Bitcoin Cash as default. This will break those not explicitly specifying Bitcoin who wish to pay with it. The next course of action will be to either set an enormous Bitcoin price floor or remove the option entirely.
SporeStack now accepts Bitcoin Cash. Paying in Bitcoin Cash will likely be cheaper as the price floor is not yet being hit and transaction fees are substantially less. Buying a server for 28 days with Bitcoin might cost $14 normally and with another $14 in fees. If you bought that same server with Bitcoin Cash it'd be $14 and fees could be $0.50 or less. Of course, fee algorithms are highly variable but you should easily come out ahead.
We highly recommend switching over to Bitcoin Cash as soon as possible for SporeStack use. We have been losing money on most Bitcoin transactions as a server for a week might cost $4, but spending that input can easily cost $5 as part of a larger transaction. If this congestion trend continues with Bitcoin we may set a very large price floor, likely 100,000 Satoshis, so that we can still afford to accept Bitcoin. Bitcoin Cash will be able to have a much lower price floor given the much higher transaction handling rate of the network. You may already have BitcoinCash if you held Bitcoins at the time of the hard fork on 2017-08-01. If not, converting Bitcoin to Bitcoin Cash with ShapeShift should be straight forward, of course there are numerous other exchange options.
In preparation for this, we have forked the Python 3 bit library to bitcash, upgraded WalkingLiberty with Bitcoin Cash support, and refactored bitcoinacceptor to also accept Bitcoin Cash. This was a large undertaking but we believe the Bitcoin Cash community as a whole can benefit. If you've previously had the SporeStack cli installed, upgrade it with pip install -U sporestack. Python 3 is now recommended and Python 2 support for the SporeStack Python library and CLI may be removed in the future.
Update: Unfortunately, this is no longer the case. However, we have more in the works as far as Tor goes.
SporeStack now gives a 10% discount to users connecting to its Hidden Services endpoint of spore64zke3ofvbp.onion. Keep in mind the price floor mentioned here, and the "security Satoshis" used to identify the transaction. In effect, it should be roughly 10% less for servers that are more than 3 days in life at current BTC/USD rates. Tor is a valuable tool for protecting privacy and we would like to encourage its use.
SporeStack (finally!) has prices pinned to the US dollar. The incredible rise in th Bitcoin price made this even more important than it was before. This breaks the "SATOSHIS_PER_DAY" feature in the API, library, and CLI client. But, you should get consistently much more reasonable prices. If the fiat US dollar proves unstable, we may pin to gold grams. Note that there is a price floor around 10,000 Satoshis, so 1-2 day 1GiB servers may seem quite expensive whereas the same server for a week or a month should be more reasonable. There can be issues transacting with less than 10,000 Satoshis, so it's generally not advised.
With self-spawning infrastructure it can be dangerous to pin to just one datacenter and have you respawning script fail because the datacenter was out of capacity. Now you can specify AUTO, AUTO-EU, or AUTO-NA to give you a random datacenter with capacity. AUTO is the new default if you specify null. But setting --dcid with any of the AUTO options will require the SporeStack Python CLI 0.6.8.
We've dropped prices by 25%. Well, sort of. Prices have always been pinned to Bitcoin and not the US dollar. As the US dollar has climbed we've not been adjusting automatically. This is something we may do in the future, especially if there is demand for it. But for
now, you can now buy 25% more nodes for your coin.
Since launch, SporeStack has never required a single personal detail to launch a server. No credit card, name, email address, phone number, or date of birth. We only require non-reversable payment up front with Bitcoin.
While fraud, spam, or Denial Of Service has not been an issue for us (most spammers don't have high enough margins to afford servers that aren't part of botnets), we see the value in the fight against serial pirates, casual tor users, non-mainstream opinions, and convenience.
As of today you will need the latest SporeStack client, so run pip install sporestack --upgrade if you're out of date.
In the past, you could launch a server in this fashion:
Once payment has been processed your information will be validated, logged, and then your server will be launched.
While we've been traditionally a Bitcoin-only shop, the credit card requirement will help reduce fraud. You will be liable for any "damages" caused by your server. This greatly simplifies copyright violation reports.
Such an inquiry might look like:
127.0.0.1 has been caught seeding SAVING PRIVATE RYAN over Bit Torrent. Please pay a fine of $3,000 for the three complete seeds we logged.
Unfortunately, in the past we had no personal information to give such inquiries. Now, we can simply reply with your personal information. Due process would involve too much overhead. While some innocent users will be affected, we trust in the thoroughness and certainty of anti-piracy requests.
SporeStack now supports topping up server lifetime. While SporeStack is intended for ephemeral use (replacing your server frequently), under current circumstances it is now possible to top up your node balance and extend its lifetime. This makes SporeStack an alternative to existing VPS hosts in the fashion that most users are used to using.
This will require the latest SporeStack client, so run pip install sporestack --upgrade if you're out of date.
Be prepared for this to not always work. Always back up your data and have a plan in case the server's life cannot be extended, or if there is a failure and the machine is terminated. But, it is a best-effort convenience feature. In the future, not all providers may support this. For instance there may be a case where a physical host machine is scheduled for an upgrade. Top ups beyond a certain point will not be allowed for servers on that host so that the maintenance can be performed when all servers have expired. Certain maintenance may not be so ideal, but hopefully most can be done with no live nodes on the machine.
It is possible for anyone to top up any server. If for your particular use case it is an issue for someone to top up your server and have it live longer than expected, please contact us. Your best bet may be to force a scheduled shutdown with at.
SporeStack now supports iPXE scripts and basic chain URL loading. This allows you to use netboot.xyz, boot.rackspace.com, and others.
For a basic example, we'll use CoreOS. Already supported by an image with our Vultr provider, but this should give you an idea. This will require the latest SporeStack client, so run pip install sporestack --upgrade if you're out of date.