IE like Crypto AG:

In 2020, it was revealed that the Swiss company, Crypto AG, which provided secure communications services to ~120 governments throughout the 20th century, was secretly ran by the CIA and West German Intelligence. The CIA and later NSA were able to read encrypted communications for many countries such as Saudi Arabia, Iran, Italy, Indonesia, Iraq, Libya, Jordan and South Korea.

    • Korkki@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      26 days ago

      Most people only use vpn providers for streaming location hopping, torrenting, p*rn and on public networks. For day to day 24/7 use you are just trusting your VPN provider not to spy on your traffic instead of your ISP.

    • birdwing@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      0
      ·
      26 days ago

      Especially the ones aggressively marketed, or noted as independent when they cannot give concrete evidence for whence their finances come.

    • Dessalines@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      26 days ago

      I always assume the more popular it is, the more likely it is of being compromised.

      I have no idea if it’s the case, but I switched away from mullvad after seeing billboards and ads of it everywhere, even on city infrastructure like trains and buses.

      • marcie (she/her)@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        25 days ago

        if it makes you feel better i know an employee there and theyre a communist and say a lot of mullvad employees are lefties too, idk if they have a union or anything. nym vpn has chelsea manning backing it. not really a traditional vpn though its basically unfree tor that is not slow as balls, has the benefit of really good server coverage and few people blocking it. coolest thing is you can use a seedbox to route traffic to pay it down.

      • Tundra@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        26 days ago

        If the company is owned by “Kape” its ikely a Israeli honeypot:

        https://medium.com/illumination/vpns-the-privacy-trap-4aef67f39634

        Kape’s portfolio includes ExpressVPN, acquired in 2021 for $936 million; CyberGhost, purchased in 2017; Private Internet Access, bought in 2019 for $127 million; and ZenMate.

        Together, these services account for three of the six most popular VPN products globally, serving approximately 7.4 million paying subscribers.

        Kape also owns VPNMentor and Wizcase, review platforms that rank VPN services — including Kape’s own products — for consumers seeking expert guidance.

  • birdwing@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    0
    ·
    26 days ago

    Look what autocratic(ising) governments don’t do shit against. And what their opposing governments tell about the autocrat(ising) ones.

    Those are more likely to be honeypots imho.

    • davel@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      25 days ago

      DeepSeek the service censors, but you can run it yourself uncensored.

  • IratePirate@feddit.org
    link
    fedilink
    arrow-up
    0
    ·
    26 days ago

    Maybe not a honeypot, but definitely too large for my taste by now: Proton. With Mail, VPN, password manager, file storage, AI and whatnot, it’s one ginormous basket to put all of your eggs into, hopping it’ll hold.

  • HiddenLayer555@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    25 days ago

    All of the “delete my information from data brokers” services IMO, especially the ones that advertise on YouTube. Always smelled fishy to me.

    Either that or they’re just more data brokers trying to get exclusivity.

    • GaumBeist@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      25 days ago

      Reject Convenience did a pretty thorough rundown on what they’re doing: https://www.youtube.com/watch?v=iX3JT6q3AxA

      It’s been a minute since I watched, but my key takeaways were that they just reach out to one type of broker which barely scratches the surface of the Data Economy iceberg, and since there’s no legal precedent outside of California and the EU, it’s purely up to the brokers to decide whether or not they want to comply.

      So I think it’s probably more likely they really are just private companies preying on people’s anxieties about privacy and relative ignorance about the topic, rather than some kind of governmental conspiracy

  • GaumBeist@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    25 days ago

    Proxies and VPNs seem like the most obvious targets. They mostly prey on people who don’t understand the technical workings thereof (had my mom ask if she needed to get a VPN bc firefox opened on ad for theirs, claiming it enhanced privacy), and serve little benefit to people who are doing the kind of illegal activities that make governments take notice. They serve as a single point of compromise for anyone, and they work worldwide so that all your traffic can be monitored even when you’re on a different ISP/in a different country. It’s like the perfect MITM, and people are even willing to pay to have themselves monitored.

    The truth is that at best they benefit people who only don’t want their network-provider watching, but don’t care who else may be. It’s the perfect setup for a 3-letter agency to just sit and monitor everything anyone does, waiting for someone who’s just a little too careless to access illegal content thinking they’re anonymous.

    • AlteredEgo@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      24 days ago

      They are perfect for torrenting though. The kind of activity 3 letter agencies don’t want their spying to be disturbed for.

      • GaumBeist@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        24 days ago

        they benefit people who only don’t want their network-provider watching, but don’t care who else may be.

        • AlteredEgo@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          24 days ago

          Just FYI: It’s not the network provide we have to worry about in my country. That is specific to the USA I believe.

          Here they have “headhunters” that make a contract with a rights holder, torrent a file, write down the IP of someone who uploads a video to them, then legally request the name to the IP and send an invoice for about $2000. No three warnings or anything. And they are very good at sending legal officials to impound any of your valuable stuff in case you don’t pay.

          Even other “illegal” activity like calling Israel an apartheid regime or supporting palestine or insulting your head of state might get you flagged by a three letter agency, but they won’t use official legal channels. There is a protection of the herd with VPN.

  • electric_nan@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    26 days ago

    Be careful of accepting some of the criticism of Signal in this thread. For most of us, we have to make choices about secure comms from subject matter experts. Almost all the criticism I see of Signal comes from anonymous or otherwise random users online. If you believe in such a thing as expertise, please seek it out when evaluating something like this.

    • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      25 days ago

      It is absolutely irrelevant who makes the criticism, what needs to be addressed is the criticism itself. If somebody gives you advice to simply trust people blindly then you should be very suspicious of their motivations.

      • hirihit640@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        25 days ago

        Most issues are complex enough that we have to delegate trust. It’s not feasible to verify every claim yourself. And trust vs “blind trust” is an arbitrary line.

        • ☆ Yσɠƚԋσʂ ☆@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          25 days ago

          The issues people bring up with Signal are very easy for anybody with a minimally functioning brain to understand, and none of these experts are able to provide a credible answer to them.

          The key issues people point out over and over is that Signal is a central server hosted in the US that harvests people’s phone numbers on sign up. The users are trusting server operators with their privacy at that point because there is no way to verify how this data is used. Since the server associates real identity with the account, it is in position to map out networks of people communicating. And if this data is shared with intelligence agencies, which they wouldn’t be allowed to disclose, then those can trivially correlate the personally identifiable information with all the other data they have access to.

          If there’s a person of interest, and you map out whom that person wants to have private conversations with, that’s very useful data. Once you know that, then you can start tracking all the activities of their associates, and map out a whole network of people. Say, people organizing unions, or coordinating labor strikes, and so on.

          This is an obvious problem with Signal, one that doesn’t take any significant expertise to understand, and one that has never been fully addressed. People talk about things like sealed sender, but that doesn’t address the problem I just outlined.

          The core issue is that you have to trust the physical infrastructure rather than just the cryptography. The protocol design for sealed sender assumes the server behaves exactly as the published open source code dictates. A malicious operator can simply run modified server software that entirely ignores those privacy protections. Even if the cryptographic payload lacks a sender ID, the server still receives the raw network request and all the metadata attached to it. Your client has to talk to the server and identify itself before any messages are even sent.

          When your device connects to send that sealed message, it inevitably reveals your IP address and connection timing to the server. The server also knows your IP address from when you initially registered your phone number or when you requested those temporary rate limiting tokens. By logging the raw incoming requests at the network level, a malicious server can easily correlate the IP address sending the sealed message with the IP address tied to the phone number.

          Since the server must know the destination to route the message, it just links your incoming IP address to the recipient ID. Over time this builds a complete social graph of who is talking to whom. The cryptographic token merely proves you are allowed to send a message without explicitly stating who you are inside the payload. It does absolutely nothing to hide the metadata of the network connection itself from the machine receiving the data.

          This once again makes it very suspicious that Signal insists on running a single centralized server.

    • davel@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      25 days ago

      Who are the experts, and who pays their salaries? Crypto AG wasn’t lacking in experts.

      • electric_nan@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        25 days ago

        You’ll have to make your own determinations I guess, but be careful if you find yourself dismissing expertise in favor of opinion or motivated reasoning.

  • hexagonwin@lemmy.today
    link
    fedilink
    arrow-up
    0
    ·
    24 days ago

    i don’t think anyone here considers it a private service at all, but i’m almost certain cloudflare is a honeypot

      • hexagonwin@lemmy.today
        link
        fedilink
        arrow-up
        0
        ·
        22 days ago

        the biggest part is they’re doing way too much of the internet while being quite opaque. and their service is “too generous”, with free tiers, no ads. and the whole MITMing every traffic and serving from CDN architecture seems ideal for a honeypot to me.

        even if cloudflare themselves don’t intend to be one, i’m pretty sure some three letter agency has backdoors to their systems.

  • NihilsineNefas@slrpnk.net
    link
    fedilink
    arrow-up
    0
    ·
    25 days ago

    Any VPN that isn’t actively being sued by world gov/agencies to try and get their data is suspicious.

    Alternatively any VPN company with the ability to store data is untrustworthy.

    Also every cryptocurrency that exsts.

      • AzuraTheSpellkissed@lemmy.blahaj.zone
        link
        fedilink
        arrow-up
        0
        ·
        25 days ago

        they were talking about proxy VPNs, whereas tailscale is for building actual virtual networks to connect your devices, which is a completely different thing (besides sharing the same approval foundation).

        If you were to distrust tailscale (and you’re not simply self hosting headscale), an attacker might be able to access for otherwise non-public devices(’ ports), reroute/MitM your traffic and monitor which device connects to which.

  • 45o3b@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    25 days ago

    This thread basically illustrates the challenges for a beginner, such as myself.

    I’ve been locked into the Google ecosystem for nearly two decades and am now trying to free myself.

    I’d like to migrate to a hybrid solution that involves self-hosted NextCloud synchronized with a cloud provider that I can trust more than Google.

    However:

    Proton apparently makes false, or at least misleading, marketing claims and doesn’t fight a vast majority of its inbound government requests.

    Tuta has been publicly accused by a member of the intelligence community of being a honeypot.

    The rest of the email providers seem to implement even fewer protections, relative to these two.

    So, what’s a guy to do?

    Now, to be clear, I’m not saying that either of these companies are bad or that I believe that they’re actually honeypots. I’m just trying to illustrate the challenges faced by newcomers (and probably all of us).

    While I’d prefer to absolutely maximize privacy and security on all fronts, given that my first goal is de-googling, I will probably start with Proton and NextCloud and re-evaluate from there, but I’m open to suggestions.

    Thank you all – I really appreciate this community.

    • Dessalines@lemmy.mlOP
      link
      fedilink
      arrow-up
      0
      ·
      25 days ago

      Email is a really tough one especially, because it wasn’t designed with security in mind, and of course even if you’re on a secure email service, 99% of the emails you send and receive are going to be with non-secure services hoovered up by google or AWS.

      Anything is better than google at least.

    • hexagonwin@lemmy.today
      link
      fedilink
      arrow-up
      0
      ·
      24 days ago

      for email, the protocol itself is insecure by design. if using it for actual communication you should use something like pgp encryption on top. even proton receives your mails in plaintext, though they claim to store it encrypted afterwards.

      get your own domain and use it instead of the provider’s domain, this way you can easily change email providers later on.

      also btw, proton doesn’t support imap/pop (afaik)

    • whatiswrongwithyou@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      25 days ago

      No company is in a position to resist lawful orders from government (not good orders, lawful).

      It’s why every company that sells security makes a big show about planning to leave some western country when they say they’re gonna do mass surveillance. It’s all they can do.

      Email is not secure and cannot be made secure.

      Do not ever send anything through email that you rely on being private.

      • 45o3b@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        25 days ago

        I’m certainly not suggesting that email providers should resist lawful orders, but if Proton complies with 89% of requests while Tuta complies with 25%, it suggests a difference in methodology, no?

        It could, of course, be the case that the Swiss are just much more skilled at sending lawful requests relative to the Germans, but that seems unlikely.

    • communism@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      25 days ago

      Tbh for email I’d say don’t bother with privacy as it wasn’t meant to be private, as Dessalines said. If you care about data sovereignty (which is different to privacy, though often hand-in-hand), you can self-host email—it’s not as hard as it’s reputed to be. I’ve self-hosted my main email address for a couple years now and not had major hiccups. For the most part, after initial setup, it just runs. And if you’re daunted by configuring it, there are out-of-the-box solutions like Mailcow you can use. I’d only really recommend it if you already have a VPS/home lab/etc where you already self-host things.

      • 45o3b@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        25 days ago

        I intend to do that but basically wanted to have an off site copy, for both backup and deliverability purposes.

        I don’t have much in the way of privacy expectations for email, but I figure that Proton or Tuta are probably still safer than Google.

        • communism@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          25 days ago

          I self-host on a VPS, so my off-site copy is the VPS, and my on-site copy is the emails downloaded to my email clients.

          I figure that Proton or Tuta are probably still safer than Google.

          Define “safer”. If you are receiving unencrypted emails (which is the case in the vast majority of cases), there is nothing stopping Proton or Tuta from reading them. Fundamentally, if something arrives at a server unencrypted, the server can read it—nothing can be done about that.

          If you’re exchanging e2ee emails, then it doesn’t matter if you use Google, because the body of the email can’t be read by Google. A lot of metadata is required to be unencrypted though (this is the case for Proton and Tuta too).

          I don’t really see the benefit to using an email service like Proton or Tuta from a perspective of meaningful data privacy. If it were between e.g. Proton and Google I’d probably pick Proton to avoid my emails being used to serve me ads from Google, but I wouldn’t have any illusions about Proton being able to read unencrypted incoming mail.

          • 45o3b@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            25 days ago

            Yes, I know and agree that the mail providers can read unencrypted email. I’d just rather use a provider that probably isn’t intentionally using it to build profiles about myself and others.

      • sudoer777@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        ·
        25 days ago

        VPS/home lab

        VPS is probably fine, hosting something this important on your own hardware sounds like a recipe for disaster though

    • vapor_body@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      24 days ago

      Tuta would make sense to me as a honeypot. Who called them out? Add it to the list of free providers I use that are just the CIA… In order to “anonymize” my social media profiles on their other sites lol

    • eldavi@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      25 days ago

      the worse part is that; by the time security professionals’ tribal knowledge is known to the general public; it’s already outdated enough to keep you ensnared.

      they say that you have to become your own lawyer to protect yourself and you have to become your own dentist/doctor to heal yourself; now you have to be your own secops to guard your information.