IE like Crypto AG:
In 2020, it was revealed that the Swiss company, Crypto AG, which provided secure communications services to ~120 governments throughout the 20th century, was secretly ran by the CIA and West German Intelligence. The CIA and later NSA were able to read encrypted communications for many countries such as Saudi Arabia, Iran, Italy, Indonesia, Iraq, Libya, Jordan and South Korea.
Signal and Tor have both received huge amounts of US government funding, very suspicious.
DNS4EU and WiFi4EU.
i don’t think anyone here considers it a private service at all, but i’m almost certain cloudflare is a honeypot
Why are you so certain?
the biggest part is they’re doing way too much of the internet while being quite opaque. and their service is “too generous”, with free tiers, no ads. and the whole MITMing every traffic and serving from CDN architecture seems ideal for a honeypot to me.
even if cloudflare themselves don’t intend to be one, i’m pretty sure some three letter agency has backdoors to their systems.
Proxies and VPNs seem like the most obvious targets. They mostly prey on people who don’t understand the technical workings thereof (had my mom ask if she needed to get a VPN bc firefox opened on ad for theirs, claiming it enhanced privacy), and serve little benefit to people who are doing the kind of illegal activities that make governments take notice. They serve as a single point of compromise for anyone, and they work worldwide so that all your traffic can be monitored even when you’re on a different ISP/in a different country. It’s like the perfect MITM, and people are even willing to pay to have themselves monitored.
The truth is that at best they benefit people who only don’t want their network-provider watching, but don’t care who else may be. It’s the perfect setup for a 3-letter agency to just sit and monitor everything anyone does, waiting for someone who’s just a little too careless to access illegal content thinking they’re anonymous.
They are perfect for torrenting though. The kind of activity 3 letter agencies don’t want their spying to be disturbed for.
they benefit people who only don’t want their network-provider watching, but don’t care who else may be.
Just FYI: It’s not the network provide we have to worry about in my country. That is specific to the USA I believe.
Here they have “headhunters” that make a contract with a rights holder, torrent a file, write down the IP of someone who uploads a video to them, then legally request the name to the IP and send an invoice for about $2000. No three warnings or anything. And they are very good at sending legal officials to impound any of your valuable stuff in case you don’t pay.
Even other “illegal” activity like calling Israel an apartheid regime or supporting palestine or insulting your head of state might get you flagged by a three letter agency, but they won’t use official legal channels. There is a protection of the herd with VPN.
All of the “delete my information from data brokers” services IMO, especially the ones that advertise on YouTube. Always smelled fishy to me.
Either that or they’re just more data brokers trying to get exclusivity.
Reject Convenience did a pretty thorough rundown on what they’re doing: https://www.youtube.com/watch?v=iX3JT6q3AxA
It’s been a minute since I watched, but my key takeaways were that they just reach out to one type of broker which barely scratches the surface of the Data Economy iceberg, and since there’s no legal precedent outside of California and the EU, it’s purely up to the brokers to decide whether or not they want to comply.
So I think it’s probably more likely they really are just private companies preying on people’s anxieties about privacy and relative ignorance about the topic, rather than some kind of governmental conspiracy
The Crypto AG story shows that the location of a company doesn’t matter that much. The US simply made legal what they were already doing behind the scenes. Intelligence services have always been and stilla are above the law.
Absolutely! Location does not guaranteed anything. The only case against US, four eyes… etc is that they have the power to shut it down easily so they can use it as a threat. Switzerland has, for years now, showed the same drive as any other country to do just that.
Now, I have seen very principled individuals in the US, I would say even more than in the Europe! It is not surprise that we see cases like Lavabit where a right owner chooses to close shop rather than compromise its customers. I hope GrapheneOS will do the same.
I know your example is the opposite, but any service that is run and hosted in the US.
It’s one of the major issues with Signal.
Not to mention Graphite and Pegasus, Israeli spyware.
You got that right.
Probably various VPNs on the market
Especially Israeli owned VPNs. Which seems to be most of them lately.
Oh yeah definitely
Most people only use vpn providers for streaming location hopping, torrenting, p*rn and on public networks. For day to day 24/7 use you are just trusting your VPN provider not to spy on your traffic instead of your ISP.
Especially the ones aggressively marketed, or noted as independent when they cannot give concrete evidence for whence their finances come.
I always assume the more popular it is, the more likely it is of being compromised.
I have no idea if it’s the case, but I switched away from mullvad after seeing billboards and ads of it everywhere, even on city infrastructure like trains and buses.
Mullvad is very likely one of the few good ones. I’d suggest reevaluating it.
My trust in them was definitely shaken after the recent news about fingerprinting exit IPs: https://tmctmt.com/posts/mullvad-exit-ips-as-a-fingerprinting-vector/
They were very responsive but this seemed like a huge fuck-up to me, to the extent that I question whether it was purposeful.
Not sure who else to trust because other providers like Proton seem even worse
If the company is owned by “Kape” its ikely a Israeli honeypot:
https://medium.com/illumination/vpns-the-privacy-trap-4aef67f39634
Kape’s portfolio includes ExpressVPN, acquired in 2021 for $936 million; CyberGhost, purchased in 2017; Private Internet Access, bought in 2019 for $127 million; and ZenMate.
Together, these services account for three of the six most popular VPN products globally, serving approximately 7.4 million paying subscribers.
Kape also owns VPNMentor and Wizcase, review platforms that rank VPN services — including Kape’s own products — for consumers seeking expert guidance.
if it makes you feel better i know an employee there and theyre a communist and say a lot of mullvad employees are lefties too, idk if they have a union or anything. nym vpn has chelsea manning backing it. not really a traditional vpn though its basically unfree tor that is not slow as balls, has the benefit of really good server coverage and few people blocking it. coolest thing is you can use a seedbox to route traffic to pay it down.
Bluesky
Bluesky is like the furthest thing from a privacy app, which it doesn’t even claim to be.
Signal I think. I don’t mean that the end2end algorithm or messaging itself are itself unsafe, the algo has been shown to be secure. This is what people usually rebuke this with, with the reminder of Signal’s OSS nature.
The issue the servers and the social networking data that can be harvested. The server code only partially exists in public and we just have to trust that that is actually what is running on whatever AWS server without tampering and self hosting is nearly impossible in practice if technically possible and nobody does it. The social network data (who talks to who) is more valuable than the actual messages logs, which give a massive, but mainly useless datasets. Until LLMs, like 10-15 years ago they were basically impossible to parse for any useful info without using large quantities of eye pairs. Basically if you are an organizer, criminal, government, part of a hunted opposition, you will leak the whole core group structure of your org with attached phone numbers. Whoever with that data can then target their devices and persons with other means. Plus it’s literally built on top of CIA money. I think signal is totally safe and adequate for friends and family type of use, but not much else, but then all in all so is whatsapp, mostly since signal and Whattsapp share the same end to end algorithm.
It’s funny how every poster who criticizes Signal inevitably makes a technical error. In your case, the claim that “Basically if you are an organizer, criminal, government, part of a hunted opposition, you will leak the whole core group structure of your org with attached phone numbers” entirely lacks basis. The Signal client - the OSS part we can and do control - does not divulge phone numbers.
You have this theory that Signal’s servers are storing communication records. (While there is no evidence to support this, it’s valuable to consider what they could do.) So the data that would be captured here is a network of hashed phone numbers and literally undecryptable messages. It’s impossible for the adversary to determine any phone numbers they don’t already know this way.
And since you can make a Signal account with a burner phone and create a “username”, even a known phone number becomes useless against targets who don’t want to be identified.
The US government could easily force google to put a compromised binary of signal on the google play store.
Good thing you don’t have to get the client app from the Google Store, then!
The point is that they could. We are discussing honeypots here. They don’t advertise the fact if they are.
Be the phone numbers hashed/encrypted or not they will still get your ip. They are not routing anybody’s messages otherwise. Phone number is just more directly tied to a personal details, unless it’s a burner, but with burners you lose the account if you need to log in. Also you can set your phone number public, so it probably can be seen by the signal servers at some point. And what about discovery through phone number? How is that suppose to work if the servers don’t know your actual phone number and it’s on by default. And your anonymity trick only works if everybody you talk to does it, which they don’t. If they want to profile you they can profile you directly or through the people you talk with. If the people you are trying to hide from don’t care about getting message logs and just association with some group is punishable or can lead to punishment or death then tough luck.
And you miss the main point. practically speaking you cant self host a signal server, therefore you can’t trust it fully (in a way ‘fully’ matters anyway). if you do it’s unsupported and not recommended and you probably need a custom client to access it. That added with it being under American jurisdictions, and Signal starting as a spook project should really set off alarm bells.
Signal doesn’t run in a vacuum. It’s main distribution platforms are app stores from Google and Apple. And most people are going to use stock smartphones from these two companies to sign up to Signal. But with them being under the same US jurisdiction, matching the two identities isn’t that far-fetched.
The parent companies of both OS platforms are well known to funnel data and notifications to the US government. It too had no evidence to support it, until there was. There’s a setting for it now, but the person you’re talking to might not be doing the same, so it’s still out for cross-identification.
Other thing, they vehemently oppose F-Droid because “f-droid security flaws” bs, even though they can literally host their own repo for it without anyone else building their app. They would control every aspect of building and supply but they didn’t.
Besides that, they make it very inconvenient to get it from elsewhere, even though they did the bare minimum to provide a standalone installer, after an outcry. And with those stripped down installers, you have to deal with inconsistent notifications, because no apple/google. And they never ever gave unified push a look. I wonder why? Are they a small indie company with just a couple of devs?
Signal protocol may be “secure”, but it’s only a part of a bigger picture.
It’s forced reliance on phone numbers, privacy averted platforms and unwillingness to work with opensource platforms and standards that lets it become decentralized and out of the hands of authoritarian government, leaves a lot to be desired.
Facebook’s whatsapp also uses the signal protocol, but would you call it private or secure after all that zuck has shown to do? Signal creator literally helped them implement it too. I wouldn’t touch a Facebook product with a 10 feet pole.
And now he’s helping them again encrypt Meta AI, whatever that means. Why is he working with one of the worst offenders of privacy?
If that doesn’t tell you these things are concerning, you do you.
The phone numbers being hashed doesn’t matter because of how small the input space is. A standard phone number is a country code plus 9 digits. If we assume that anybody looking at this information already knows what country the people they’re targeting is from, that means there is 1000 000 000 possible phone numbers to check for any hash. Even if the hash is extremely slow, and takes 1 second to compute on a strong CPU, that still only takes 1000 000 000 / (60 * 60 * 24) = 11574 days, or 31 years to compute on a single core. For any large organization (like, say, any government or any large tech company), getting 1000 cores to run the hashes in parallel would be quite simple, reducing the time it takes to have a complete hash list down to 11 days to get a complete database of all possible hashes. Hashing phone numbers is literally just a mild inconvenience.
Edit: Actually looking it up phone number formats vary quite a lot by country, but the point still stands.
All speculation. You gave them your phone number (which also means your real identity), so you should assume they have it. And because its a US-based company, it must adhere to US laws including key disclosure laws, which make it illegal for any signal employee to tell you that any US government has asked for this information.
https://en.wikipedia.org/wiki/National_security_letter
So the data that would be captured here is a network of hashed phone numbers and literally undecryptable messages
With this data you can build social networking graphs: who is talking to who, and when.
Also this is all the more suspect when you consider that US military / government agencies like OTF fund signal, and constantly try to push signal in privacy spaces.
which make it illegal for any signal employee to tell you that any US government agency has asked for this information.
That’s funny so this list of government data requests is just meaningless.
Yep it does. The Obama admin issued ~60 NSLs every single day, and I’m sure the number hasn’t decreased since then.
Signal is def one, otherwise US government orgs like RFA and OTS wouldn’t be defending and pushing for it so hard in western privacy spaces, nor fund it.
Have a look at Deltachat
Its starting to make headway: FOSS, Decentralised and anyone who is tech inclined can setup their own Relay.
Bitcoin.
Hell, monero is the only crypto I think isn’t a honeypot, since so many exchanges refuse to list it. That could just be how the government wants us to think though 🤔
It’s not even that Bitcoin is a honeypot, it’s that it isn’t actually private at all, and through good ol detective work a wallet can be connected to a person, as well as their inflows and outflows and what wallets they’re sending or receiving money from.
yeah, the whole point of Bitcoin is literally everyone sees your transaction on there. not very cryptic if you ask me
Sometimes I think that DNS providers could be, like NextDNS (I use them).
DNS providers can only see which sites you are visiting but not the actual content right?
I briefly used NextDNS but decided against using a DNS server tied to my email.
I wish there was a possible way to run an authoritative DNS yourself. The best I can do is a recursive server blah.
Yeah, that would be perfect. I thought some time ago about doing a DoT port -> nginx -> pihole -> unbound inside a cloud VM for the outside world , like this, but that would be too much work and maybe insecure.
You can tunnel your DNS requests via wireguard to your pihole server. If it has good bandwidth even the full traffic. Why would that be insecure?
Yeah, using a VPN would be good enough, but I want it to be open to the internet, without any port/config restriction, so I can access it from any device and anywhere, so the only remaining thing would be to host and open the port on a VM, only DoT and DoH, no :53 open (that would really be insecure, as DDoS insecure).
Dating apps.
Maybe not a honeypot, but definitely too large for my taste by now: Proton. With Mail, VPN, password manager, file storage, AI and whatnot, it’s one ginormous basket to put all of your eggs into, hopping it’ll hold.
the owner is fine with fascism because fascism makes his product more lucrative
Did he say that? :o
not exactly. the more nuanced inspection of what he said was that donald trump’s plans to deregulate the tech industry he expected to benefit his company. however, that deregulation is in service of allowing more surveillance capitalism, environmental degredation, and worker mistreatment. the wording i provided is what that ultimately means as an analysis of how and why proton would make more money in that type of environment
