Original page on the clearweb: http://vpnscam.com/tesonet-data-mining-company-owns-nordvpn-protonmail-protonvpn/
Offline archive (READ NOTES BELOW ON HOW TO OPEN): https://i.imgtc.com/FSzFXt6.png
TL;DR for those of you who won't bother reading:
NordVPN and Protonmail share a CEO. They claim to operate in Panama/Switzerland, but both companies are shell companies, owned fully by PROTONVPN LT, UAB, which is located in Lithuania, which has a law requiring 6 months of data retention (this matters, because, even though they tell you they keep no logs, they are legally required to maintain them). Finally, the headquarters of PROTONVPN LT, UAB, is in the very same building as TesoNet, a Lithuanian data mining service. ProtonVPN claims that the colocation is just happenstance, and they don't actually work with TesoNet, but researchers found NordVPN using privacy certificates signed by TesoNet in their official app binaries.
This also applies to DuckDuckGo as well, who was started by (((Gabriel Weinberg))) to capitalize on all of those wanting to jump ship from google, and does track clicks and links (though it claims not to). An article by the timesOfIsreal on Weinberg's site, which didn't have any traffic worth speaking of until the Snowden limited hangout, which pushed everyone even mildly privacy-aware straight into the dragnet.
Notes on "stealth archives": The archive is a zip file of the page as retrieved a few days ago by me via wget, renamed as a png so the imagehost would accept it. Rename to a zip file to view, or, if on linux, 7z can open it as is.
I call them "stealth archives" because the image host can't tell a download to view the content apart from a download by a browser to display the page, the ISP can only see the DNS resolves to an image host (which gives no hints), and it bypasses the (((internet Wayback Machine))), which watches who is interested in what sites and when, and will memoryhole 'dangerous' sites.
BTW, if the owner of imggoat sees this, your site crashes, showing a traceback, when uploading a not-png named as a png. Could be a security vulnerability, just throwing that out there.
Shoutout to @BloodAndHonour, whose recent recommendation of NordVPN prompted this post.
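The renamed archive and the upload traceback mentioned in the post above both come down to a host trusting a file's extension. As an added example (not part of the original post; the function names and sample files are constructed here), an upload check that inspects the content itself and rejects mismatches without raising:

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Leading magic bytes of a few common formats.
SIGNATURES = {
    PNG_SIG: "png",
    b"PK\x03\x04": "zip",
    b"PK\x05\x06": "zip",          # empty archive
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def png_header_ok(data):
    """True if the PNG signature is followed by a well-formed IHDR chunk."""
    if len(data) < 33 or not data.startswith(PNG_SIG):
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    (crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(data[12:29]) == crc   # CRC covers chunk type + data

def check_upload(filename, data):
    """Return (accepted, reason); malformed input is rejected, never raised."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "png":
        return False, "extension not allowed"
    kind = sniff(data)
    if kind != "png":
        return False, f"content is {kind}, not png"
    if not png_header_ok(data):
        return False, "png signature present but IHDR is malformed"
    return True, "ok"

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png():
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def make_zip():
    """Constructed sample: a small zip archive like a saved web page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("index.html", "<html>constructed sample</html>")
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("photo.png", make_png()), ("page.png", make_zip()),
                       ("cut.png", PNG_SIG + b"\x00" * 10)]:
        print(name, check_upload(name, blob))
```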
alele-opathic ago
Then you didn't look. The provided source cites his sources, which are all publicly and freely accessible. You can run the whois lookups, review the binary certs for the droid apk, review the Lithuania business directories, as well as review the thread where the CEO was called out on hackernews (Ycombinator's forum) and all of his misdirecting responses.
Every claim is cited and freely provided as publicly available information on the internet. You can doublecheck everything stated for free easily.
I'm helping make it common knowledge. It is accurate to say it is more common knowledge now. This will only improve in the future; as I said, these claims are easily verifiable.
GlassSmith ago
It's based out of Germany, if you have been following just how repressive the regime is there then you would be hard pressed to say anything in that country is secure other than the "rights" of the Muslim invaders to do whatever they want.
coinphrase ago
This seems like astroturfing folks. Nobody is curious why a wordpress site is the only source. In true fake news fashion refers to itself as proof and hackernews, which is notoriously liberal, worse than reddit imo? If you go to the post on hackernews you can see that this claim was refuted and is definitely not proven.
Read the hackernews thread: https://news.ycombinator.com/item?id=17258203 [http://archive.is/yrtp1]
alele-opathic ago
Classic misdirection. The site refers to four business registries in 3 countries (which you can verify yourself), the official APK data (which you can also verify yourself), a few whois lookups, and the CEO's own misdirection in a comment thread.
If you actually went to the thread, you'd see the guy is talking through his teeth, contradicting himself multiple times ("we don't work with Tesonet" -> "we only outsourced some HR tasks" [poor excuse] -> "we outsource everywhere" -> both companies have the same CEO). The whole exchange is enough to break any credibility the companies had.
Your response seems like weak damage control.
boekanier ago
In other words, don't trust the internet.
meaoaoaoaoa ago
If company A is established in country A (has headquarters and is paying taxes there), and company B owns it (holds 100% of shares) but is established in country B, the B laws apply to only company B. That's because company A is operating from country A.
Turn_Coat ago
You may be right, but I could also see this as a blackpill campaign. The original article, posted on vpnscam http://vpnscam.com is detailed. However, the website only has a total of 6 articles all targeting the vpns that people frequently own.
Easiest idea; someone proxy an email address from a .gov email, contact tesonet, and see if they'd be willing to sell you access to their data. If they are, then there's a problem. If they aren't, then there isn't. This creation of political uncertainty can serve our enemies' ends.
This feels like a 10 xanatos pileup.
oc_taov ago
tl;dr: i avoid "the cloud" as much as possible and try to limit my options to foss.
i come from the position of not trusting anybody. i try to avoid corporations and businesses with corporate ties. i don't use email for anything but work, financials, and junk mail. i constantly push client to client messaging on my contacts. i use a vpn when necessary. seedboxes may be useful for me if i can find the right host and want to pony up for the cost. i try not to leave a trail, be it, handles, emails, ip addy, etc. i like the approach of AdNauseam and TrackMeNot that spams big brother, though i'm not sure of the effectiveness.
without these, i use gray man theory and blend in.
i2p and zeronet or something similar would be a more anonymous internet but the entry-level is higher than opening a browser. they offer similar services but they must remain in their respective networks to keep their level of anonymity. also, because they are p2p, the speeds vary depending on the traffic and your ip addy might be at risk. also, there isn't much activity on these networks yet.
modsrcuntz ago
Thanks for that Info! I would never have thought of any of that. Do u have network security background or something?
Do u know any good private phone apps, or are they all a bust too?
alele-opathic ago
This isn't original research - I stumbled upon this whilst researching VPNs for my own personal use.
modsrcuntz ago
Cool dude thanks for the info. You are very helpful.
HulkInformation ago
What are they going to do with all that encrypted data until the new crypto-breaking quantum computers come into vogue.
GlassSmith ago
You are assuming they have to break the encryption, the companies that provide the service have the keys so no crypto-cracking is required if the source is what's compromised.
whatisbestinlife ago
do you run background checks on all the sites that correspond with voat?
boredTech ago
I run bgc's on a couple. Usually when looking for spammers.
heygeorge ago
@discoball there is a note to you at almost the bottom of OP
mattsixteen24 ago
Good find. I always suspected protonmail due to its popular push.
mrnicegoy ago
if you don't pay for it, how do they make money to stay operating? I use hushmail, not sure how great it is either but I at least have to pay a modest amount for it yearly, passes the sniff test.
meaoaoaoaoa ago
nord vpn is not free and you have to pay for it
BlackOwl ago
Could anyone give us a list of proven viable alternatives?
GlassSmith ago
Good post, saving this for later. Thank you, alele-opathic.
Now the only question is where the fuck do I go for a non-compromised email?
The big problem is that any email provider that has any power will be inevitably compromised either by the state or (((internal forces))), while any email provider that could stay off the radar of the (((powers that be))) would likely be small and thus easy to be pushed around by larger companies with fat wallets, squadrons of lawyers, and government support.
alele-opathic ago
Again, this is the same question that attracts astroturfing (which I'm trying to encourage people not to ask), but I've been looking into this myself, and I think the problem is twofold. Any email 'provider' provides a central point of failure, and thus a trust issue, regardless of their fancy encryption schemes. Additionally, the protocols themselves (IMAP/POP) are in no way secure at all, even if the provider is trustworthy.
I think that it may turn out to be most practical/secure/cost effective just to buy your own domain, run your own web-facing email server on a pi variant, and use PGP until someone comes out with a better protocol. This sounds like it requires a lot of effort (it's easier than it sounds), which makes it less likely people will do it - most people would rather just switch providers.
Turn_Coat ago
Where does someone who isn't quite that tech literate, and doesn't have the time, go for a non-compromised email?
Kill-Commies ago
someone once told me as a rule of thumb: the "E" in e-mail stands for evidence.
ShineShooter ago
Yep, their sales were too good to be true.
Syndicalism ago
I might forward this thread to the staff and see if I get a response. Just to see if they come back with anything substantial.
Goathole ago
Does anyone have that article posted a couple of months ago about VPN and which ones actually keep no logs? Avast, which is weird to me, scored number three or something.
The article sort of said the same thing as you but not quite. Dammit, I wish I would have saved it.
Syndicalism ago
Dang it. Well, it's still gotta be better than the 11 year-old yahoo account I moved to Proton from. If I ever decide to communicate something nefarious I'll get a pigeon I guess. I don't even want to ask for alternatives at this point.
modsrcuntz ago
So what are truly the best email and search engines...any?
alele-opathic ago
This is the exact question which can't have any trustworthy answer. Although I expound on why here, the gist is that you have no way of discerning genuine replies from shill answers. Additionally, shills target these questions because they directly impact consumer decision making, meaning there is a very high likelihood noise will exceed signal in a question like that.
Just set aside 3 or 4 hours this upcoming weekend, and put the topic to rest for yourself.
modsrcuntz ago
Is signal a good app or is that not what we have been told either?
alele-opathic ago
I hadn't heard of Signal before you mentioned it, but decided to look into it. Here's what I found.
To me, this WAY fails the smell test. This ignores a number of other circumstantial problems with Signal.
1F4A9 ago
t3soro ago
Run your own mail server. There are easy ways to do it without being a leet hacker. I won't list the names here so people can do their own research.
GlassSmith ago
I tried that before (only I spent a lot more than 4 hours) and came up with nothing, I couldn't find any concrete evidence that pointed me in one direction or another. My conclusion was that short of having your own email server in some shithole country there is no way to ensure security... and even then it's useless because you would still be forced to communicate with people who haven't taken such measures so your efforts are in vain; this is on top of the fact that your private email is likely to be filtered out by just about every major email provider.
alele-opathic ago
This is part of the problem - there really isn't an easy way to know whether or not some entity can be trusted anymore.
The server doesn't need to be located elsewhere, if it is, then you are relying on trust and reputation again. It's easy enough to run your own with a domain (and an ISP that'll assign you a static IP), like what this reply describes.
The problem is twofold - the first is all of the email being stored on external servers (which you can mitigate by running your own), and the second is the protocols themselves, which have no ideal solution at the moment. The best idea would be to use PGP with your friends who will tolerate it, and look/wait for a solution/better protocol for those who won't (there are some ideas out there, if you feel like looking around).
draaaak ago
That is the longest TL;DR I've ever seen, so, feeling misled, I didn't read it.
RugerLCP_2 ago
Any email service, where you don't encrypt the email before it leaves your computer is a honey pot.
white_male30 ago
AFAIK their IMAP "bridge" still blocks emails that are PGP-encrypted by you, i.e. not encrypted by protonmail itself.
ribble ago
son of a bitch
jewd_law ago
that's what I'm saying. what's the alternatives then? I moved all my Jewmail to Proton.
HulkInformation ago
There is no way to know one way or the other, could be just as likely op is trying to dissuade you from using these services because they're a jew trying to confuse. They don't know anything about it same as you or me. The email is encrypted, in fact they were struggling for a while with a bug that would encrypt it twice. So that the message that was sent and decrypted was gobbledygook. If they're going through that much trouble just to collect data for the Lithuanian government then they earned it.
At least your email isn't being outright read by google anymore, analysed, and catalogued so that they can build an AI assisted human profile of you.
Turn_Coat ago
You make an excellent point. If this company is operating as a Lithuanian company and not a proxy, i'm ok with that government gaining access to my data. If, on the other hand, they're a proxy for a western conglomerate, we may have a problem. I am suspicious of OP's motives due to the url posted not actually showing up; https://i.imgtc.com/FSzFXt6.png
... however some of my own research does indicate that-
... and your account is 1 month old, roughly as old as it was that first information on this subject began coming out. Fantastic.
HulkInformation ago
I nuke my accounts. :) At the cost of credibility, because I'm overall fairly paranoid like that.
Turn_Coat ago
It doesn't help tho I do understand the motivation.
jewd_law ago
Hulkinformation is a 1 month old shill account
bothrubberandgum ago
Tesonet is a data mining company, the last line is not true.
Flour ago
Conspiracy hat: this is an astroturfing post used to discredit secure services
Conspiracy aside, looks pretty legit that they are both compromised. Also, always wondered whether or not it’d be better to just use the big tech services and attempt to be lost in the web of traffic using coded language and such.
RugerLCP_2 ago
might be better to use competing country's email service that would never let the cia spy on it.
Flour ago
To be honest, if you wanted to beat the snooping agencies, why don’t people just communicate in an online moba game or something in a coded language?
Runescape always comes to mind that it would be easy to do. VPN your connection to the game and yea?
alele-opathic ago
They thought of that - a half decade back or so, they claimed terrorists were using COD lobbies to shoot messages into the walls to each other. Given that this was raised as a national security threat, I am all but sure there is monitoring for this sort of thing now.
See also: https://duo.com/decipher/debunking-myths-do-terrorists-use-game-consoles-to-communicate-with-each-other Btw notice that they call it 'debunking', when all that they do is show it to be hard, vis a vis impossible. Some interesting info in the comments on their article.
alele-opathic ago
Well, this is why I advocate you do your research. Astroturfing only works if your recipients only plan to skim the surface.
IMO, blending in assumes that they expend equal resources monitoring each person, which can only be true if you can enforce anonymity. If you can, as Google/Facebook has, make everyone use their 'Real Name' online, then you can profile-build and triage them, and watch only the 'maybes' intensely for key words or key phrases. Look into an AI natural language concept called 'Sentiment Analysis', it is this triage I speak of, by a different name.
There isn't any way out except widespread forced anonymity.
Turn_Coat ago
That'd mean war...
Empire_of_the_mind ago
it's important to always consider astroturfing but the answer is revealed by the evidence. In the case of both DDG and ProtonMail there is real evidence connecting them to shady operators. The biggest piece of evidence is of course media attention and resources. Both managed to get major media press and both managed to handle huge growth without a hiccup. They were established as "brands" intentionally by people who had access to media hype and access to resources to backstop their technical operations.
No mail service you're not paying for is secure.
For internet searches, there are a number of options. My recommendation is to spread out your searches across them all. You don't really care that they know someone, even you, once searched for "Hitler did nothing wrong." What you care about is that they know you searched that as well as other unrelated interests that allow them to figure out what topics people with certain political views are also interested in.
Conspirologist ago
Thanks. They said ProtonMail was a serious company run by Swiss scientists. They can be sued for false advertising.
alele-opathic ago
How? According to Wikipedia, only the UK, US, Australia, and NZ have laws forbidding deceptive advertising. The only reason Google is about to go down over lying about location tracking is because they are headquartered here. Usually these guys run with impunity.
alele-opathic ago
Cheers pal.
alele-opathic ago
It's also worth pointing out that the growth of both Proton/VPN and DDG can be attributed to very successful astroturfing campaigns. Very little conventional marketing was used - it was mainly shills sitting on imageboards/forums/social media that would respond to "are there any good VPNs/Emails/Search engines?" with "Idk, but my buddy has NordVPN/ProtonMail/DDG and he says it's pretty good". After some time, an artificial reputation is built that is indistinguishable from companies actually having a good reputation.
In other words, don't ask questions like these - they are flawed in a way that makes it impossible for you to tell whether or not you are getting genuine information back, especially considering astroturfing shills specifically target questions like this. The only way is to do the research yourself (or at least parts of it).
Empire_of_the_mind ago
this was the single biggest red flag - ALWAYS pay attention to this. if it's a household name, chances are it's crap.