Your only option is to have it based in a country that doesn’t cooperate with the US and ensure MITM isn’t possible.
There is a wide scope of “cooperation with US”, from extradition treaties (so the US could demand the operator be legally extradited & jailed as opposed to kidnapped) to mutual legal assistance treaties (police collaboration), to “cybersecurity agreements”. And the US military/economic strength (such as their control of SWIFT or the widespread military and “intelligence” apparatus) means very few countries won’t cooperate. The US does not follow international law unless it wants to. US most often collaborates with EU & Anglosphere countries (UK “commonwealth” countries).
Comparison of NSA spying collaboration (known) https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/ NSA are also interested in undersea cable wiretapping: https://www.vice.com/en/article/wnnmv9/undersea-cable-surveillance-is-easy-its-just-a-matter-of-money https://www.theatlantic.com/international/archive/2013/07/the-creepy-long-standing-practice-of-undersea-cable-tapping/277855/
MLAT data: https://web.archive.org/web/20180325141949/https://www.mlat.info/
Extradition: https://qz.com/97428/map-how-to-stay-out-of-reach-of-us-extradition-treaties/ Note that they could probably use a third country that has treaties with both the US and the country where the operator is located.
The NSA also works to gather information before it is encrypted, or to weaken random number generators and encryption schemes. https://www.schneier.com/blog/archives/2013/09/good_summary_of.html https://www.zdnet.com/article/has-the-nsa-broken-ssl-tls-aes/ https://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html Intel ME is a good example, also keyloggers, hardware surveillance devices. https://news.softpedia.com/news/intel-x86-cpus-come-with-a-secret-backdoor-that-nobody-can-touch-or-disable-505347.shtml Intel ME can be set to disable (ironically thanks to NSA), but since it’s proprietary, you can’t be certain. AMD and other chip makers likely have similar subsystems. https://privacysos.org/blog/did-this-tor-developer-become-the-first-known-victim-of-the-nsas-laptop-interception-program/
Oh and NSA is allowed to share with FBI. https://www.rt.com/usa/373644-new-rules-access-nsa-data/
Hmm depends on which part you want to read more about.
Basically you want to avoid 14 eyes+ countries, basically any country that you think would be friendly to US requests for data. China might be the best option.
I personally just don’t put anything I wouldn’t want anyone to read in email.
For MITM that means you need e2e encryption. This way, your email sending service can’t read the contents of your emails even though you’re sending them to them to pass on to the recipients’ servers.
Been wondering lately if the folks who tell us shit like “we don’t log your IP” are instead keeping a hash of the IP, which a dedicated actor (like a state intelligence apparatus, or law enforcement) could probably combine with other sources to out you.
The IPv4 address space is small enough where hashing is effectively useless. Though a bigger concern IMO is DDOS mitigation services like Cloudflare. It doesn’t matter if websites log or not if half of the internet is using the same reverse-proxy service.
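An added illustration of the hashing point above (not code from this site or from any poster): assuming a service stores an unsalted SHA-256 of each client address, enumerating the candidate range recovers the address, while a keyed HMAC over the truncated address with a rotated, memory-only key does not fall to the same check. The function and class names and the 203.0.113.0/24 documentation range are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

def unsalted_token(ip: str) -> str:
    """Assumed 'we only keep a hash' scheme: plain SHA-256 of the address."""
    return hashlib.sha256(ip.encode()).hexdigest()

def recover_ip(token: str, candidates: str) -> Optional[str]:
    """Hash every address in a candidate range and compare with the stored token.
    The whole IPv4 space is only 2**32 inputs, so the same loop covers it."""
    for addr in ipaddress.ip_network(candidates):
        if unsalted_token(str(addr)) == token:
            return str(addr)
    return None

class RotatingPseudonymizer:
    """Keyed alternative: HMAC over the /24 prefix, key held in memory only."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def token(self, ip: str) -> str:
        # Drop the host bits first so the token never covers a single address.
        prefix = ipaddress.ip_network(f"{ip}/24", strict=False).network_address
        return hmac.new(self._key, str(prefix).encode(), hashlib.sha256).hexdigest()

    def rotate(self) -> None:
        # Replacing the key makes earlier tokens unlinkable to later ones.
        self._key = secrets.token_bytes(32)

if __name__ == "__main__":
    sample_ip = "203.0.113.77"  # constructed, RFC 5737 documentation range
    stored = unsalted_token(sample_ip)
    print("unsalted hash reversed to:", recover_ip(stored, "203.0.113.0/24"))
    p = RotatingPseudonymizer()
    keyed = p.token(sample_ip)
    print("keyed token reversed to:  ", recover_ip(keyed, "203.0.113.0/24"))
    p.rotate()
    print("same token after rotation:", p.token(sample_ip) == keyed)
```

The keyed form only helps if the key is never written to disk or handed over; a retained key reduces it to the unsalted case.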
DDOS mitigation services like Cloudflare
Hexbear using Cloudflare
:side-eye-1: :side-eye-2:
Lol if it makes you feel any better it’s basically impossible to be anonymous on the internet anymore, so we’re fucked anyway
Been wondering lately if the folks who tell us shit like “we don’t log your IP” are instead keeping a hash of the IP, which a dedicated actor (like a state intelligence apparatus, or law enforcement) could probably combine with other sources to out you.
Good thing this site is open source so we don’t have to wonder.
Well yeah, of course. Otherwise there’d be more of us here who could build cool shit. My point is that it’s all there for anyone to vet who has put in the time to learn how.
@LeninWeave linked to a good example of when we’ve noticed stuff and brought it to the devs / admins: https://hexbear.net/post/127316
If you’ve got any proof hexbear is hashing all the IPs of everyone and storing them, then please make a post about it because I think we’d all want to know.
Yeah, what’s weird is that they were advertising that they wouldn’t do something that they then went and did.
100% agree.
Rick Falkvinge, Pirate Party cofounder, had a good article making this point. https://falkvinge.net/2017/12/09/privacy-promises-company-worth-nothing-companies-cant-promise-anything/
Is there an alternative that is better?
doing everything in plain sight, and possibly getting some type of software that makes random internet activity to make even more cluttered data to sift through
it’s just common sense, using a VPN basically screams “hey I’m not a normie and I have something to hide”. Now you’ve cut down their work by 95%, because only 5% of people use VPNs at all
Trusting a company to be truly secure is, unfortunately, a terrible idea. They exist in a world where they can be compelled to cooperate or be shut down. They’ll make the choice that continues to make some money.
Also any claim of no logging may as well be marketing nonsense. There’s no way to verify it, logs have to be kept to some extent at least for a little while to allow functionality, and adversaries may compel or compromise and thus create logs.
:france-cool: