(Given the pull date noted by the archive and the date listed in the related cache of the canary are off in some cases by months, may guess is it is meaningless that the current canary is off by a few days.)
Not choosing US-based hosting providers is sound advice for various reasons, if not only for the reason that the US has invented crimes that do not exist in other countries or the sentences for existing crimes are 10 x higher than anywhere else. (I do not want to defend criminals but some of those "crimes" also affect people who e.g. write p2p programs or decompilers. You get what I mean.)
As for the value of encryption to keep governments from snooping -- no way, that's not going to work ever. Endpoint security is a joke, PC and mobile phone are insecure on all levels, from applications over OS to firmware and microcode. And if Snowden's educational slide show leaks have shown anything, then certainly that the guys at NSA know what they are doing in terms of side-channel attacks.
Government snooping and privacy decay is a social and political problem and should primarily be addressed at that level.
> Government snooping and privacy decay is a social and political problem and should primarily be addressed at that level.
Please don't attempt to bolster support for one approach by discouraging another. There is no "primarily". None of the approaches have worked so far, so it's premature to say that fewer approaches are necessary.
Personally, I don't see how the NSA (never mind Google) would ever be politically prevented from most mechanisms of surveillance. To the extent that political power could be used to categorically end surveillance, it can just be used to constrain the application of surveillance. We can encourage people to value privacy, but it's another thing to convince them to completely dismantle the capabilities against everyone, including say child pornographers.
A social mechanism can work to prevent privacy invasion. It requires that societal attitude change. Imagine how big a scandal it would be to have bribery or corruption in the govt'. If we give these privacy issues the same weight, then problems can get fixed
My point is you've got to overcome the attraction to "only processed by a computer or under lawful process".
For example, NSA surveillance has no direct effects on the average US citizen. It is a setup for bad things to happen, has possible political meta-effects, and is a worrying trend. But if the process is successfully constrained by law, then to your average person it represents a capability rather than a vulnerability. This has little to do with your average person not understanding technology, but instead with their feeling safe as part of a majority.
IVPN are based in Gibraltar and should be considered to be on the UK list. While they have separate courts and legal systems, their defence, including intelligence gathering is run by the UK.
I'd also suggest striking anyone from the 14 eyes off the list too.
All great tools (ghostery is missing, although there is Disconnect), but the lack of a great search engine like Google is a big deal. I don't use DuckDuckGo regularly because, although I believe it's a great search engine that works mostly fine, sometimes the results are somewhat unexpected, and you need to be fast and focused. The rest is okay, there seems to be a good amount of email providers, but Search Engines? :(
DuckDuckGo can still help somewhat here. You can search pretty much anywhere via DuckDuckGo and it strips out some of your personal data when it redirects you. It's not perfect but it helps. Also, the bang syntax (i.e. search google with !g, google images with !gi, wikipedia with !w, etc.) is so damn helpful. Whenever I'm using a browser without DDG as the default I find it so much slower to search something.
I know, I have used and I still use DuckDuckGo. However, I have found that for many queries I need, I end up typing continuously "!g query". So, I just don't see the point. Many of the results are just not relevant - of course, I send the feedback. It's not a criticism, it's just that in my case I don't want to open 4-5 tabs, lose focus trying to understand whether the content is relevant or not, and then use Google.
To be fair, I pretty much never go to the home page or use their actual search engine except for unit conversions. It's pretty good at that. I end up searching everything through !g for regular search results. But I'm constantly searching other websites via DDG. It's just so much quicker.
Does this happen when you opt-out the GhostRank feature? My understanding is that if you decide to support them, then they'll use such data. However, I think I will start using Disconnect. Thanks for your hint!
Linux has a bunch of security tools that can be used to encrypt files locally before they are uploaded to the cloud and cryfs-gui[1] provides a single,simple to use GUI frontend to a range of fuse based tools that stores data in encrypted folders.
whenever i turn on my VPN i imagine it was secretly set up as a honeypot by the NSA. it would be a perfect strategy for them: implement a low-cost, high quality VPN with great service and bandwidth, from a country with legal privacy protections. how would anyone find out?
Exactly. You have to trust the owners, management, admins, any maintenance staff, hardware, OS, VPN, and distribution of it & updates to you. Oh yeah, the jurisdiction matters too. ;)
It's fine if you don't want to use privacy tools run from the US. I wouldn't use a privacy tool run from the People's Republic of China, for a bunch of reasons.
But the logic this post uses to make the case against US privacy tools is specious.
The United States Government didn't ruin Lavabit. Lavabit did that to itself. Lavabit was a "secure" email system whose servers kept the keys to your email. There is no safe way to design such a system, and Lavabit didn't even approximate safety.
Lavabit didn't make this terrible decision to help the DOJ (although they did help the DOJ, multiple times, before the Snowden case). Rather, they did it because they wanted users. Building a better security system would mean prospective users would need to download and install software on their computer, and nobody wants to do that anymore. Lavabit chose user adoption over security. We all see what that cost, not just them, but all their users.
So I'd submit that while making it's legit to make political statements by carefully choosing the country of origin of your privacy tools, your first priority is to select tools that are actually secure. It does you no good to adopt a crypto tool from Iceland if it's using unauthenticated AES-CBC, unpadded RSA, or bad elliptic curves --- and there are tools, probably some of them quite popular, that make these kinds of mistakes.
If you're talking about how a chat tool comes from Switzerland before you're talking in detail about how its security works, your priorities are out of whack.
I've called out both Lavabit and jurisdiction-first claims on Schneiers blog repeatedly with similar points. I totally agree with this comment. That other companies were actively selling secure messaging or email services that avoided Lavabit's foolish design just supports it further.
25 comments
[ 3.7 ms ] story [ 83.5 ms ] threadThough when checking a few i found,
"Statement VPNSecure has not been silenced by legal and or anti-democratic law. Last updated Thur Jul 30 00:57:30 EDT 2016
If there is no statement, please proceed with caution"
It doesn't state how often/recent it should be updated, its august 2nd now, did this canary choke in the mine?
Archive of the page your looking at maybe found here: https://web.archive.org/web/*/https://www.vpnsecure.me/files...
(Given the pull date noted by the archive and the date listed in the related cache of the canary are off in some cases by months, may guess is it is meaningless that the current canary is off by a few days.)
As for the value of encryption to keep governments from snooping -- no way, that's not going to work ever. Endpoint security is a joke, PC and mobile phone are insecure on all levels, from applications over OS to firmware and microcode. And if Snowden's educational slide show leaks have shown anything, then certainly that the guys at NSA know what they are doing in terms of side-channel attacks.
Government snooping and privacy decay is a social and political problem and should primarily be addressed at that level.
Please don't attempt to bolster support for one approach by discouraging another. There is no "primarily". None of the approaches have worked so far, so it's premature to say that fewer approaches are necessary.
Personally, I don't see how the NSA (never mind Google) would ever be politically prevented from most mechanisms of surveillance. To the extent that political power could be used to categorically end surveillance, it can just be used to constrain the application of surveillance. We can encourage people to value privacy, but it's another thing to convince them to completely dismantle the capabilities against everyone, including say child pornographers.
But I'll still applaud you for trying.
For example, NSA surveillance has no direct effects on the average US citizen. It is a setup for bad things to happen, has possible political meta-effects, and is a worrying trend. But if the process is successfully constrained by law, then to your average person it represents a capability rather than a vulnerability. This has little to do with your average person not understanding technology, but instead with their feeling safe as part of a majority.
I'd also suggest striking anyone from the 14 eyes off the list too.
[1] http://mhogomchungu.github.io/cryfs-gui/
But the logic this post uses to make the case against US privacy tools is specious.
The United States Government didn't ruin Lavabit. Lavabit did that to itself. Lavabit was a "secure" email system whose servers kept the keys to your email. There is no safe way to design such a system, and Lavabit didn't even approximate safety.
Lavabit didn't make this terrible decision to help the DOJ (although they did help the DOJ, multiple times, before the Snowden case). Rather, they did it because they wanted users. Building a better security system would mean prospective users would need to download and install software on their computer, and nobody wants to do that anymore. Lavabit chose user adoption over security. We all see what that cost, not just them, but all their users.
So I'd submit that while making it's legit to make political statements by carefully choosing the country of origin of your privacy tools, your first priority is to select tools that are actually secure. It does you no good to adopt a crypto tool from Iceland if it's using unauthenticated AES-CBC, unpadded RSA, or bad elliptic curves --- and there are tools, probably some of them quite popular, that make these kinds of mistakes.
If you're talking about how a chat tool comes from Switzerland before you're talking in detail about how its security works, your priorities are out of whack.
6 lines of Bash
https://github.com/codeotter/sharenow