Slashdot Mirror
Ask Slashdot: Best Country For Secure Online Hosting?
An anonymous reader writes: I've recently discovered that my hosting company is sending all login credentials unencrypted, prompting me to change providers. Additionally, I'm finally being forced to put some of my personal media library (songs, photos, etc.) on-line for ready access (though for my personal consumption only) from multiple devices and locations... But I simply can't bring myself to trust any cloud-service provider. So while it's been partially asked before, it hasn't yet been answered: Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information? And does anyone have a recommendation on which provider(s) are the best hosts for (legal) on-line storage there?
You need to go to Bir Tawil.
It is the only place in the world to get what you want.
There is no safe place to put your data. If someone wants it they'll get it. If you want to keep something private, encrypt it.
... of Flashdrivia.
My total cost is about $130 to comcast a month for a single static and business class 50/10, and my own time. This setup allows me to run whatever services I deem fit, and typically keeps me clear of ISP DCMA notices. I did get one, but once I pointed out that I repair random PCs that do not belong to may, and many may auto launch a torrent app, it was quickly dropped.
Add a chromecast or two, slingTV, and a good antenna, I do not need cable TV at all, and can stream all my services out.
Silence is a state of mime.
Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information?
NONE. Zip. Zero. Nada.
If you wish to secure what you host, then use a solution that encrypts it on the client side.
I believe BitTorrent Sync is an example of that.
Some hosting and online backup providers also offer solutions where every file is encrypted on the client side, and the hosting provider never gains access to the plaintext files.... this is what you need.
Go with 1984.is. Shared-host web hosting with unlimited storage, or you can rent a full VPS. Throw OwnCloud on either, then put an encfs volume up and shared via OwnCloud, and you've got a reasonably secure system with very little effort at a reasonable price.
Quote from some company based there:
All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and entities. Only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.
The US Government has only just started re-normalization of relations with Cuba. They certainly don't have the bureaucratic relationships or procedures in place to get search warrants processed via INTERPOL or otherwise. Even the most trivial of requests will have to go through the state department making the prospect prohibitively expensive for anything but the most important of tasks.
Don't trust anyone, especially not cloud providers.
I think a more appropiate question would be to ask for some solution where the untrustworthiness of the cloud provider is a given and is accounted for (like storing everything encrypted and not handling the decryption key to the provider).
Real life is overrated.
If you want your data secure, the last thing you do is put in on SOMEONE ELSE'S server.
No hacking laws, and nobody gives a damn about piracy laws.
http://yro.slashdot.org/story/...
Which country is best to choose for hosting Internet services and locating VMs to avoid government surveillance (both NSA and local)? It should be a country with good connectivity to the US and Europe, but have strong legal protections from mass surveillance. People talk about Switzerland, Norway and Iceland (even Spain). Anyone worked through the pros and cons of each of these? I'm not concerned about legitimate (with court order) surveillance, just the un-targeted mass surveillance most governments seem to do. I don't believe this bad behavior should be rewarded or made easy.
A small plug for Tahoe-LAFS.
It doesn't matter where it is. It uses cryptography to give you what you want. Mirror in many places including on your own machines for redundancy.
https://www.tahoe-lafs.org/tra...
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Not sure where they are, America probably. The software has an option to use your own key to encrypt the data with (in addition to user/pass).
But I would go for this: if your country is X, then most hosting not being in X *and* the USA is likely to be more secure from snooping and breach.
The only service online that you can secure to your satisfaction is your own. Get a business class connection, set up your server/OS of choice, implement your encryption scheme of choice, and manage/operate it yourself. If a government, for example the US, wants to get its hands on you, they will find a way, regardless of the laws of your host country. Example: Swiss banking clients that were dodging US tax laws.
Keep the data at your home, they need a warrant to get into your home.
Eben Moglen was pretty clear about that (no I don't know at what minute exactly he said this):
https://www.youtube.com/watch?...
If you are going to store your data with somebody else, encrypt it before you upload it and you keep the encryption key.
Nothing wrong with keeping a backup with someone else as long as you encrypt it:
http://duplicity.nongnu.org/
http://www.duplicati.com/
I'm forgetting about an other provider which also has an open source program with encryption.
New things are always on the horizon
If its value for money then a Greek hosting company is what you will be looking for. You will need somebody who can read and speak the language to get the best deal a server for the lowest price which you control. The setup and control panel will have to be in English for yourself. You will get many companies advertising themselves in the English language and in reality they will be U.S. companies or large German company 1&1 / Fasthosts with U.S. links and U.S. hosting and so on. Avoid them if you don't want state spying. The most important thing is not to get carried away with the price difference and purchased too much because you will be paying every year usually. When you first setup your log files will be filled with malicious scans this always happens when you first start up under a new domain name. If all is good it should settle down within two weeks or so. P.S. Linux is best for web hosting. Even if you know most of this already perhaps somebody else does not.
wuala was perfect until the NSA shut them down. Now they're recommending we use Tressorit which seems like a pretty good solution as it's hosted in Switzerland where very few law enforcement agencies can access what Little data is actually available to the company since they use client-side encryption. They also have apps that work on most devices.
The good chaps at Clipperz moved to https://1984.is/# for reasons that they explained out in this blog: https://clipperz.is/blog/2013/...
Their logic seems compelling.
You need to host, you haven't explained why, but let's take it as a given and not suggest you host from home. I don't have enough bandwidth to do that myself, so I wouldn't do it either.
You can't trust any service.
Whether you run your own server or use another server, you can encrypt data before you upload it.
Otherwise, you can run your own server, encrypt the storage volume and log in to supply the key so you can unlock and mount it. Disable all the ports on the machine. Have another machine at home, the colo facility can mail you the disks for maintenance if something goes wrong if you're not close enough to go pick them up. It would take someone with a substantial clue to compromise that even with physical access, especially if you use the built-in full-disk encryption. Assuming you trust that :)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Switzerland gave up banking secrecy without a fight. What makes you think they'll protect your data?
" I'd look for Icelandic hosting. They seem to appreciate privacy at a national and local level."
Yes, they're so private, they sold the DNA of all their citizens to a private company.
http://www.wired.com/2015/03/i...
If you don't trust them, and know that, that it doesn't matter what you use.
Encrypt, and only use encrypted. You can do this in many different ways, but if you never reveal the encryption key to them, YOU CAN GIVE YOUR ADVERSARY ALL YOUR ENCRYPTED DATA. That's the whole point of encryption.
Encrypt, store in the cloud in any location you like. All they get is encrypted data that they can't do anything with. As only you need to access it (and not random general public, which is a much more difficult thing to secure), only you need the key.
Problem solved.
Just break up your data into lots of little (encrypted) chunks and post them to web forums like Slashdot which never delete anything. You'll need some kind of map as to where all the pieces are, so do the same with that. Recurse until you have something small enough you can remember.
-- Alastair
... is don't.
It little behooves the best of us to comment on the rest of us.
It seems to me a big leap to go from 'hosting company is sending all login credentials unencrypted' to a silo on a private island guarded by mercenaries, which seems to be what you are now looking for. Find a less idiotic host and stop worrying about govt agencies - if they want your data they'll get it, and the best you can hope for is that is all they want from you.
Assume that everything MIGHT be insecure. Your Internet connection is wide open. Your upstream routers may be controlled by governments. Hard drives might have malicious firmware payloads. Typical PC hardware might have a BIOS that does nefarious things and may have intentional back doors. Your OS and the software you run might have had backdoors introduced.
I personally don't trust anything with the word "cloud". It just means that a ton of people are responsible for it, so if anything goes wrong, there's no specific person to blame. The NSA could and probably does have people working at any given "cloud" provider.
Virtual server hosting is also completely insecure. Hypervisors can be manipulated without you knowing, so even if your OS is 100% secure (obviously nothing is, but for argument's sake), people can read your OS' memory and access your data without you knowing.
If you want to try to keep your data secure, you need your own hardware. Using something completely different helps - a hard drive infected with some form of firmware Trojan won't do any harm to an UltraSPARC or PowerPC machine, for instance. Next, you need to use a minimal OS without the proverbial kitchen sink, which rules out most GNU/Linux distros since they want to include everything. Try a nice BSD where you can compile the entire OS yourself from a local copy of the source tree. Then, compile the OS itself again on the newly compiled and running OS. This reduces the chance that any given toolchain has been compromised. Make sure it's stable and colocate it somewhere that has excellent privacy laws.
Encrypt everything.
While someone could pull a drive (or drives) from your machine and can image them, it's hard to fake uptime on non-mainstream machines, so you'll definitely notice if someone is playing with the hardware.
Don't log in to it from a Windows machine or from any machines you don't control.
If some state actor wanted to spend virtually limitless resources, there's nothing they can't fake, but you can feel pretty secure knowing that your data is most likely safe unless someone cares so much about your data that they're willing to spend a heck of a lot of money and resources.
(1) When quantum computing works they'll decrypt everything. They're storing everything now and they'll come back to it later with keyword searches etc in some unpredictable future political climate we may not like. [I don't like the present!]
(2) If quantum computing already worked they wouldn't let on. Turing etc was kept secret from us for decades, so who knows what their capabilities are now?
Paul Beardsell
Let's take it for wrote that the NSA will spy on us and the snowden leaks were only to show the NSA where they were holes in its operation that it closed down.
So no country is safe from the NSA.
They are not suppose to spy on citizens though. So I guess that still makes US the safest place.
However when shopping for online hosting, we rarely put the effort that is deserving for the cost of the information. If you want extra protection, then you need to work up a custom contract for work, and not their standard terms of services. That will cover all the holes you want to be sure is covered. You may end up paying a lot more for it too. But if your data is that valuable then you need to go threw the extra effort.
I work in a Mid-Large size Hospital and we take HIPAA and your personal health records very seriously, sometimes we need to work with an outside vendor who will host some systems, the contracting will take months to insure the data is secure, and if there is a breach they will legally on the line for their mistake not us, and they will have to face nearly all the burden including paying us back for any work on our end, for their damage. Now in generally I tend to really hate this, because it takes months, and I have to explain to the vendor's Project Managers, our end users and upper management, that it is still in contracting and they get frustrated as there is no movement, I get frustrated too, because this may take an unexpected amount of time so it is hard to prioritize my work. However the data is extremely important and we need to be sure that we have covered all the holes that we can think of.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Also line the inside of your main computer room with tannerite. You should also use some battery backup explosive triggers, in case They shut off the power when attempting to breach your Evil Lair. Always add a deadman's switch too on a 72 hour timer so if They do catch you it will all disappear anyway. I would also put a thermite block directly over the hard drives too just in case. Tannerite runs under $100 for 1-2lbs and it's available all over the internet.
Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information?
Depends which country you want to protect yourself from.
If you are mostly afraid of US companies and the US government, put your server into Russia. They laugh in the face of US companies that make any demands.
For strong privacy laws, many european countries have laws in place much stronger than the US, but beware that they usually have a "if you agree to it, anything goes" clause (which is why these small "I agree to ..." checkboxes are so important there.
Assorted stuff I do sometimes: Lemuria.org
Sealand of course. That didn't work to well unfortunately.
http://arstechnica.com/tech-policy/2012/03/sealand-and-havenco/1/
HavenCo's failure—and make no mistake about it, HavenCo did fail—shows how hard it is to get out from under government's thumb. HavenCo built it, but no one came. For a host of reasons, ranging from its physical vulnerability to the fact that The Man doesn't care where you store your data if he can get his hands on you, Sealand was never able to offer the kind of immunity from law that digital rebels sought. And, paradoxically, by seeking to avoid government, HavenCo made itself exquisitely vulnerable to one government in particular: Sealand's. It found that out the hard way in 2003 when Sealand "nationalized" the company.
"I drank what?" - Socrates