
Privacy Tools: Encryption against global mass surveillance - DyslexicAtheist
https://www.privacytools.io/
======
tptacek
It's fine if you don't want to use privacy tools run from the US. I wouldn't
use a privacy tool run from the People's Republic of China, for a bunch of
reasons.

But the logic this post uses to make the case against US privacy tools is
specious.

The United States Government didn't ruin Lavabit. Lavabit did that to itself.
Lavabit was a "secure" email system whose servers kept the keys to your email.
There is no safe way to design such a system, and Lavabit didn't even
approximate safety.

Lavabit didn't make this terrible decision to help the DOJ (although they did
help the DOJ, multiple times, before the Snowden case). Rather, they did it
because they wanted users. Building a better security system would mean
prospective users would need to download and install software on their
computer, and nobody wants to do that anymore. Lavabit chose user adoption
over security. We all see what that cost, not just them, but all their users.

So I'd submit that while making it's legit to make political statements by
carefully choosing the country of origin of your privacy tools, your first
priority is to select tools that are _actually secure_. It does you no good to
adopt a crypto tool from Iceland if it's using unauthenticated AES-CBC,
unpadded RSA, or bad elliptic curves --- and there are tools, probably some of
them quite popular, that make these kinds of mistakes.

If you're talking about how a chat tool comes from Switzerland before you're
talking in detail about how its security works, your priorities are out of
whack.

~~~
nickpsecurity
I've called out both Lavabit and jurisdiction-first claims on Schneiers blog
repeatedly with similar points. I totally agree with this comment. That other
companies were actively selling secure messaging or email services that
avoided Lavabit's foolish design just supports it further.

------
JohnStrange
Not choosing US-based hosting providers is sound advice for various reasons,
if not only for the reason that the US has invented crimes that do not exist
in other countries or the sentences for existing crimes are 10 x higher than
anywhere else. (I do not want to defend criminals but some of those "crimes"
also affect people who e.g. write p2p programs or decompilers. You get what I
mean.)

As for the value of encryption to keep governments from snooping -- no way,
that's not going to work ever. Endpoint security is a joke, PC and mobile
phone are insecure on all levels, from applications over OS to firmware and
microcode. And if Snowden's educational slide show leaks have shown anything,
then certainly that the guys at NSA know what they are doing in terms of side-
channel attacks.

Government snooping and privacy decay is a social and political problem and
should primarily be addressed at that level.

~~~
mindslight
> _Government snooping and privacy decay is a social and political problem and
> should primarily be addressed at that level._

Please don't attempt to bolster support for one approach by discouraging
another. There is no "primarily". _None_ of the approaches have worked so far,
so it's premature to say that fewer approaches are necessary.

Personally, I don't see how the NSA (never mind Google) would ever be
politically prevented from most mechanisms of surveillance. To the extent that
political power could be used to categorically end surveillance, it can just
be used to constrain the _application_ of surveillance. We can encourage
people to value privacy, but it's another thing to convince them to completely
dismantle the capabilities against everyone, including say child
pornographers.

But I'll still applaud you for trying.

~~~
chii
A social mechanism can work to prevent privacy invasion. It requires that
societal attitude change. Imagine how big a scandal it would be to have
bribery or corruption in the govt'. If we give these privacy issues the same
weight, then problems can get fixed

~~~
mindslight
My point is you've got to overcome the attraction to "only processed by a
computer or under lawful process".

For example, _NSA surveillance has no direct effects on the average US
citizen_. It is a setup for bad things to happen, has possible political meta-
effects, and is a worrying trend. But if the process is successfully
constrained by law, then to your average person it represents a _capability_
rather than a vulnerability. This has little to do with your average person
not understanding technology, but instead with their feeling safe as part of a
majority.

------
banku_brougham
whenever i turn on my VPN i imagine it was secretly set up as a honeypot by
the NSA. it would be a perfect strategy for them: implement a low-cost, high
quality VPN with great service and bandwidth, from a country with legal
privacy protections. how would anyone find out?

~~~
BurungHantu
"Never trust any company with your privacy, always encrypt." Source:
[https://www.privacytools.io/](https://www.privacytools.io/)

------
unstatusthequo
[https://github.com/jlund/streisand](https://github.com/jlund/streisand)

------
thinkMOAR
Nice list, knew many, but didn't really knew of their 'canary' files.

Though when checking a few i found,

"Statement VPNSecure has not been silenced by legal and or anti-democratic
law. Last updated Thur Jul 30 00:57:30 EDT 2016

If there is no statement, please proceed with caution"

It doesn't state how often/recent it should be updated, its august 2nd now,
did this canary choke in the mine?

~~~
nxzero
Canaries have no legal meaning as far as I know:
[https://en.m.wikipedia.org/wiki/Warrant_canary](https://en.m.wikipedia.org/wiki/Warrant_canary)

Archive of the page your looking at maybe found here:
[https://web.archive.org/web/*/https://www.vpnsecure.me/files...](https://web.archive.org/web/*/https://www.vpnsecure.me/files/canary.txt)

(Given the pull date noted by the archive and the date listed in the related
cache of the canary are off in some cases by months, may guess is it is
meaningless that the current canary is off by a few days.)

------
matrixanger
A similar list: [https://prism-break.org](https://prism-break.org)

------
iuguy
IVPN are based in Gibraltar and should be considered to be on the UK list.
While they have separate courts and legal systems, their defence, including
intelligence gathering is run by the UK.

I'd also suggest striking anyone from the 14 eyes off the list too.

------
mk89
All great tools (ghostery is missing, although there is Disconnect), but the
lack of a _great_ search engine like Google _is_ a big deal. I don't use
DuckDuckGo regularly because, although I believe it's a great search engine
that works mostly fine, sometimes the results are somewhat unexpected, and you
need to be fast and focused. The rest is okay, there seems to be a good amount
of email providers, but Search Engines? :(

~~~
keeganjw
DuckDuckGo can still help somewhat here. You can search pretty much anywhere
via DuckDuckGo and it strips out some of your personal data when it redirects
you. It's not perfect but it helps. Also, the bang syntax (i.e. search google
with !g, google images with !gi, wikipedia with !w, etc.) is so damn helpful.
Whenever I'm using a browser without DDG as the default I find it so much
slower to search something.

~~~
mk89
I know, I have used and I still use DuckDuckGo. However, I have found that for
many queries I need, I end up typing continuously "!g query". So, I just don't
see the point. Many of the results are just not relevant - of course, I send
the feedback. It's not a criticism, it's just that in my case I don't want to
open 4-5 tabs, lose focus trying to understand whether the content is relevant
or not, and then use Google.

~~~
keeganjw
To be fair, I pretty much never go to the home page or use their actual search
engine except for unit conversions. It's pretty good at that. I end up
searching everything through !g for regular search results. But I'm constantly
searching other websites via DDG. It's just so much quicker.

------
mhogomchungu
Linux has a bunch of security tools that can be used to encrypt files locally
before they are uploaded to the cloud and cryfs-gui[1] provides a
single,simple to use GUI frontend to a range of fuse based tools that stores
data in encrypted folders.

[1] [http://mhogomchungu.github.io/cryfs-
gui/](http://mhogomchungu.github.io/cryfs-gui/)

------
emblem21
Securely share small files/folders via AES from CLI

6 lines of Bash

[https://github.com/codeotter/sharenow](https://github.com/codeotter/sharenow)

