Slashdot Mirror
Ask Slashdot: Best Country For Secure Online Hosting?
An anonymous reader writes: I've recently discovered that my hosting company is sending all login credentials unencrypted, prompting me to change providers. Additionally, I'm finally being forced to put some of my personal media library (songs, photos, etc.) on-line for ready access (though for my personal consumption only) from multiple devices and locations... But I simply can't bring myself to trust any cloud-service provider. So while it's been partially asked before, it hasn't yet been answered: Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information? And does anyone have a recommendation on which provider(s) are the best hosts for (legal) on-line storage there?
You need to go to Bir Tawil.
It is the only place in the world to get what you want.
There is no safe place to put your data. If someone wants it they'll get it. If you want to keep something private, encrypt it.
... of Flashdrivia.
My total cost is about $130 to comcast a month for a single static and business class 50/10, and my own time. This setup allows me to run whatever services I deem fit, and typically keeps me clear of ISP DCMA notices. I did get one, but once I pointed out that I repair random PCs that do not belong to may, and many may auto launch a torrent app, it was quickly dropped.
Add a chromecast or two, slingTV, and a good antenna, I do not need cable TV at all, and can stream all my services out.
Silence is a state of mime.
Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information?
NONE. Zip. Zero. Nada.
If you wish to secure what you host, then use a solution that encrypts it on the client side.
I believe BitTorrent Sync is an example of that.
Some hosting and online backup providers also offer solutions where every file is encrypted on the client side, and the hosting provider never gains access to the plaintext files.... this is what you need.
Go with 1984.is. Shared-host web hosting with unlimited storage, or you can rent a full VPS. Throw OwnCloud on either, then put an encfs volume up and shared via OwnCloud, and you've got a reasonably secure system with very little effort at a reasonable price.
Quote from some company based there:
All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and entities. Only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.
I had good experience with midphase, but I'm not sure they'd meet your expectations and they're in the US. I'd look for Icelandic hosting. They seem to appreciate privacy at a national and local level.
The US Government has only just started re-normalization of relations with Cuba. They certainly don't have the bureaucratic relationships or procedures in place to get search warrants processed via INTERPOL or otherwise. Even the most trivial of requests will have to go through the state department making the prospect prohibitively expensive for anything but the most important of tasks.
Don't trust anyone, especially not cloud providers.
I think a more appropiate question would be to ask for some solution where the untrustworthiness of the cloud provider is a given and is accounted for (like storing everything encrypted and not handling the decryption key to the provider).
Real life is overrated.
If you want your data secure, the last thing you do is put in on SOMEONE ELSE'S server.
All the lovely piracy sites out there love using OVH, and throw cloudflare in front and Cloudflare will not do jack shit about DMCA's.
No hacking laws, and nobody gives a damn about piracy laws.
http://yro.slashdot.org/story/...
Which country is best to choose for hosting Internet services and locating VMs to avoid government surveillance (both NSA and local)? It should be a country with good connectivity to the US and Europe, but have strong legal protections from mass surveillance. People talk about Switzerland, Norway and Iceland (even Spain). Anyone worked through the pros and cons of each of these? I'm not concerned about legitimate (with court order) surveillance, just the un-targeted mass surveillance most governments seem to do. I don't believe this bad behavior should be rewarded or made easy.
A small plug for Tahoe-LAFS.
It doesn't matter where it is. It uses cryptography to give you what you want. Mirror in many places including on your own machines for redundancy.
https://www.tahoe-lafs.org/tra...
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Stop running. Stop bending over and letting your own military spy on you. Fix your fucking country, and then host at home.
Not sure where they are, America probably. The software has an option to use your own key to encrypt the data with (in addition to user/pass).
But I would go for this: if your country is X, then most hosting not being in X *and* the USA is likely to be more secure from snooping and breach.
There simply isn't any.
The US government (and I'm sure all corrupt governments) have granted themselves the power to snoop anywhere in the world, even outside their legal jurisdictions. See the recent Slashdot News on Microsoft vs the Justice Dept who are demanding access to Emails stored on a server in Ireland. They have no evidence or probable cause and are just on a fishing expedition so the Irish government won't help them and they are trying to force Microsoft to give them a backdoor past EEC privacy laws.
http://yro.slashdot.org/story/14/09/10/0517224/microsoft-agrees-to-contempt-order-so-it-can-appeal-email-privacy-case
http://yro.slashdot.org/story/14/08/30/220255/microsoft-defies-court-order-will-not-give-emails-to-us-government
http://yro.slashdot.org/story/14/08/01/1320218/judge-us-search-warrants-apply-to-overseas-computers
http://yro.slashdot.org/story/14/04/26/1447202/american-judge-claims-jurisdiction-over-data-stored-in-other-countries
The only service online that you can secure to your satisfaction is your own. Get a business class connection, set up your server/OS of choice, implement your encryption scheme of choice, and manage/operate it yourself. If a government, for example the US, wants to get its hands on you, they will find a way, regardless of the laws of your host country. Example: Swiss banking clients that were dodging US tax laws.
Apple seems to be annoying authorities the most and with the least blast back, possibly because they have a former Vice President on the board. I wonder if you can ask Apple to store your cloud content in a particular region that adds a layer safety. Perhaps a feature request. I expect the ironic answer to be Russia of course.
JJ
Keep the data at your home, they need a warrant to get into your home.
Eben Moglen was pretty clear about that (no I don't know at what minute exactly he said this):
https://www.youtube.com/watch?...
If you are going to store your data with somebody else, encrypt it before you upload it and you keep the encryption key.
Nothing wrong with keeping a backup with someone else as long as you encrypt it:
http://duplicity.nongnu.org/
http://www.duplicati.com/
I'm forgetting about an other provider which also has an open source program with encryption.
New things are always on the horizon
If its value for money then a Greek hosting company is what you will be looking for. You will need somebody who can read and speak the language to get the best deal a server for the lowest price which you control. The setup and control panel will have to be in English for yourself. You will get many companies advertising themselves in the English language and in reality they will be U.S. companies or large German company 1&1 / Fasthosts with U.S. links and U.S. hosting and so on. Avoid them if you don't want state spying. The most important thing is not to get carried away with the price difference and purchased too much because you will be paying every year usually. When you first setup your log files will be filled with malicious scans this always happens when you first start up under a new domain name. If all is good it should settle down within two weeks or so. P.S. Linux is best for web hosting. Even if you know most of this already perhaps somebody else does not.
wuala was perfect until the NSA shut them down. Now they're recommending we use Tressorit which seems like a pretty good solution as it's hosted in Switzerland where very few law enforcement agencies can access what Little data is actually available to the company since they use client-side encryption. They also have apps that work on most devices.
The good chaps at Clipperz moved to https://1984.is/# for reasons that they explained out in this blog: https://clipperz.is/blog/2013/...
Their logic seems compelling.
1dd5 17cd 4a83 2cf0
9a73 a2ac bfdd 399b
eab5 1fd8 ef09 8e94
e2ac 2923 5876 04e8
dbb2 246d 6507 3627
e204 3cc5 3a13 8630
e536 a878 ce59 2c3c
6a1a 6718 7f37 0271
Just use SSL encryption and host it yourself from home on a raspberry pi or a laptop, or a server. If your traffic is just regular and not super amazing this is an entirely viable option and should not be dismissed favoring the popular cloud based system for the perceived benefit. Realistically you don't see those benefits very often unless your traffic hits a lottery jackpot sized user count, but the reality is often much more mundane but also much more manageable on a personal level. The security mostly comes from your own control over all of these matters, real security means you understand and built these items rather than you trust someone in some remote location with all of these things.
...Switzerland.
You need to host, you haven't explained why, but let's take it as a given and not suggest you host from home. I don't have enough bandwidth to do that myself, so I wouldn't do it either.
You can't trust any service.
Whether you run your own server or use another server, you can encrypt data before you upload it.
Otherwise, you can run your own server, encrypt the storage volume and log in to supply the key so you can unlock and mount it. Disable all the ports on the machine. Have another machine at home, the colo facility can mail you the disks for maintenance if something goes wrong if you're not close enough to go pick them up. It would take someone with a substantial clue to compromise that even with physical access, especially if you use the built-in full-disk encryption. Assuming you trust that :)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you don't trust them, and know that, that it doesn't matter what you use.
Encrypt, and only use encrypted. You can do this in many different ways, but if you never reveal the encryption key to them, YOU CAN GIVE YOUR ADVERSARY ALL YOUR ENCRYPTED DATA. That's the whole point of encryption.
Encrypt, store in the cloud in any location you like. All they get is encrypted data that they can't do anything with. As only you need to access it (and not random general public, which is a much more difficult thing to secure), only you need the key.
Problem solved.
Just break up your data into lots of little (encrypted) chunks and post them to web forums like Slashdot which never delete anything. You'll need some kind of map as to where all the pieces are, so do the same with that. Recurse until you have something small enough you can remember.
-- Alastair
... is don't.
It little behooves the best of us to comment on the rest of us.
It seems to me a big leap to go from 'hosting company is sending all login credentials unencrypted' to a silo on a private island guarded by mercenaries, which seems to be what you are now looking for. Find a less idiotic host and stop worrying about govt agencies - if they want your data they'll get it, and the best you can hope for is that is all they want from you.
The cloud company doesn't matter. If you aren't encrypting the data with your own key before you send it across the net then it's not secure. Basically any data crossing international borders is subject to those countries search laws and you have no control over how your data is routed to its destination. Any computer that touches it can be legally compromised.
Laws change on a whim, are enforced on a whim, don't matter when no one knows about the breakage, are meaningless with retroactive immunity, are interpreted differently by different people, and do nothing against social harm once data is leaked legally or not. Expecting a law to protect you, especially internationally, is foolish. Choose an easy enough hosting company and do all the encryption yourself. Loss of log-in details shouldn't comprise the hosted data in any way, except in potential deletion or corruption of it.
Assume that everything MIGHT be insecure. Your Internet connection is wide open. Your upstream routers may be controlled by governments. Hard drives might have malicious firmware payloads. Typical PC hardware might have a BIOS that does nefarious things and may have intentional back doors. Your OS and the software you run might have had backdoors introduced.
I personally don't trust anything with the word "cloud". It just means that a ton of people are responsible for it, so if anything goes wrong, there's no specific person to blame. The NSA could and probably does have people working at any given "cloud" provider.
Virtual server hosting is also completely insecure. Hypervisors can be manipulated without you knowing, so even if your OS is 100% secure (obviously nothing is, but for argument's sake), people can read your OS' memory and access your data without you knowing.
If you want to try to keep your data secure, you need your own hardware. Using something completely different helps - a hard drive infected with some form of firmware Trojan won't do any harm to an UltraSPARC or PowerPC machine, for instance. Next, you need to use a minimal OS without the proverbial kitchen sink, which rules out most GNU/Linux distros since they want to include everything. Try a nice BSD where you can compile the entire OS yourself from a local copy of the source tree. Then, compile the OS itself again on the newly compiled and running OS. This reduces the chance that any given toolchain has been compromised. Make sure it's stable and colocate it somewhere that has excellent privacy laws.
Encrypt everything.
While someone could pull a drive (or drives) from your machine and can image them, it's hard to fake uptime on non-mainstream machines, so you'll definitely notice if someone is playing with the hardware.
Don't log in to it from a Windows machine or from any machines you don't control.
If some state actor wanted to spend virtually limitless resources, there's nothing they can't fake, but you can feel pretty secure knowing that your data is most likely safe unless someone cares so much about your data that they're willing to spend a heck of a lot of money and resources.
Additionally, I'm finally being forced to put some of my personal media library (songs, photos, etc.) on-line for ready access
No, you aren't being forced to do anything.
you cannot store data online and be 100% secure. How much trouble you have to go through is a function of how valuable your information will be to others. Are you backing up your own financial information? You should encrypt it with your preferred tool and store it on a shared host. Personal stuff like photos, music, etc? The same will probably work fine. Both? Why don't you rent a cheap dedicated server? Are you protecting national security type secrets? You should it even be storing those online.
At the end of the day this decision is a function of risk. What's the worst that can happen if this stuff gets leaked? If anyone, government included, wants it badly enough, they will get it. See XKCD #538
Read the question. It is what COUNTRY provides for the data to be kept private. He did not ask about encryption, ... they are prone to do that from time to time ...
or keeping keys safe. He just wants the host country to simply no release the data. He did not even say his data
is illegal, or dubious. I think a country like North Korea, maybe Iran, would be the way to go. Provided the USA
doesn't bomb them flat into the stone age
(1) When quantum computing works they'll decrypt everything. They're storing everything now and they'll come back to it later with keyword searches etc in some unpredictable future political climate we may not like. [I don't like the present!]
(2) If quantum computing already worked they wouldn't let on. Turing etc was kept secret from us for decades, so who knows what their capabilities are now?
Paul Beardsell
1. Encrypt
2. Base64 encode
3. Break it at ~2k boundaries
4. Search for each chunk.
Later go to history.google.com and reverse the process.
The old joke for a material, often a metal, with near miraculous properties is: unobtanium.
You want the country version of that.
===
I suggest the OP, and, um, everyone else, rethink our possibly insane reliance on computers. Example:
circa 2000 I took my car to the dealer for a repair (I've since learned to avoid car dealers repair shops if at all possible...). When I went in to pick it up there was pandemonium. Their computer system was down. A few dozen customers waited about 2-3 hours before it got back up, and then they could process our billing.
I suggested to one of the worker there to skip the computer, figure out my bill with a pencil and paper, I would leave, and if they needed to they could stick it in the computer when it got back up.
He was truly mystified, shocked, and maybe even horrified to suggest not using their computers.
I wonder what they would have done if the computer outage lasted past 6 or 7 o'clock (it lasted to about 4:30 PM).
Oh, I never went back.
Let's take it for wrote that the NSA will spy on us and the snowden leaks were only to show the NSA where they were holes in its operation that it closed down.
So no country is safe from the NSA.
They are not suppose to spy on citizens though. So I guess that still makes US the safest place.
However when shopping for online hosting, we rarely put the effort that is deserving for the cost of the information. If you want extra protection, then you need to work up a custom contract for work, and not their standard terms of services. That will cover all the holes you want to be sure is covered. You may end up paying a lot more for it too. But if your data is that valuable then you need to go threw the extra effort.
I work in a Mid-Large size Hospital and we take HIPAA and your personal health records very seriously, sometimes we need to work with an outside vendor who will host some systems, the contracting will take months to insure the data is secure, and if there is a breach they will legally on the line for their mistake not us, and they will have to face nearly all the burden including paying us back for any work on our end, for their damage. Now in generally I tend to really hate this, because it takes months, and I have to explain to the vendor's Project Managers, our end users and upper management, that it is still in contracting and they get frustrated as there is no movement, I get frustrated too, because this may take an unexpected amount of time so it is hard to prioritize my work. However the data is extremely important and we need to be sure that we have covered all the holes that we can think of.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Also line the inside of your main computer room with tannerite. You should also use some battery backup explosive triggers, in case They shut off the power when attempting to breach your Evil Lair. Always add a deadman's switch too on a 72 hour timer so if They do catch you it will all disappear anyway. I would also put a thermite block directly over the hard drives too just in case. Tannerite runs under $100 for 1-2lbs and it's available all over the internet.
Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information?
Depends which country you want to protect yourself from.
If you are mostly afraid of US companies and the US government, put your server into Russia. They laugh in the face of US companies that make any demands.
For strong privacy laws, many european countries have laws in place much stronger than the US, but beware that they usually have a "if you agree to it, anything goes" clause (which is why these small "I agree to ..." checkboxes are so important there.
Assorted stuff I do sometimes: Lemuria.org
Seriously use a one time pad for encryption at the bit level and only decrypt it on your machine. Of corse you will have to generate a otp as large as your data set and tag the offset, and maintain security of said otp, but it will be theoretically unbreakable for anyone without access to the pad. At some point you just have to accept that things not in your possession can be seen by others. They do have the ability to see the traffic and by taking the kind of steps you seem to be wanting to take, you are raising a giant red flag saying"please look at me". So rather than being private you are issuing a challenge. Be careful what you wish for.
If you're unimportant to the US government (which is who you'd be worried about accessing your data through legal means), they don't care about your data.
If you're important to the US government, the only hope you have of another country's government refusing to hand over your data when pressured is if you are more important to them than you are to the US government.
If you expect some foreign country to stand up for your data rights in their country, I'd guess that you'll be sorely disappointed. They have no incentive to reject a request other than as a middle finger to the US. If they get pressured at all, they'll look at you, go "he's not useful to our interests" and hand over your data.