Friendly reminder that NordVPN and ProtonMail are a honeypot; headquarters colocated with Tesonet, a Lithuanian data mining service. (whatever)

submitted ago by alele-opathic

Original page on the clearweb: http://vpnscam.com/tesonet-data-mining-company-owns-nordvpn-protonmail-protonvpn/

Offline archive (READ NOTES BELOW ON HOW TO OPEN): https://i.imgtc.com/FSzFXt6.png

TL;DR for those of you who won't bother reading:

NordVPN and Protonmail share a CEO. They claim to operate in Panama/Switzerland, but both companies are shell companies, owned fully by PROTONVPN LT, UAB, which is located in Lithuania, which has a law requiring 6 months of data retention (this matters, because, even though they tell you they keep no logs, they are legally required to maintain them). Finally, the headquarters of PROTONVPN LT, UAB, is in the very same building as TesoNet, a Lithuanian data mining service. ProtonVPN claims that the colocation is just happenstance, and they don't actually work with TesoNet, but researchers found NordVPN using privacy certificates signed by TesoNet in their official app binaries.

This also applies to DuckDuckGo as well, who was started by (((Gabriel Weinberg))) to capitalize on all of those wanting to jump ship from google, and does track clicks and links (though it claims not to). An article by the timesOfIsreal on Weinberg's site, which didn't have any traffic worth speaking of until the Snowden limited hangout, which pushed everyone even mildy privacy-aware straight into the dragnet.

 

Notes on "stealth archives": The archive is a zip file of the page as retrieved a few days ago by me via wget, renamed as a png so the imagehost would accept it. Rename to a zip file to view, or, if on linux, 7z can open it as is.

I call them "stealth archives" because the image host can't tell a download to view the content apart from a download by a browser to display the page, the ISP can only see the DNS resolves to an image host (which gives no hints), and it bypasses the (((internet Wayback Machine))), which watches who is interested in what sites and when, and will memoryhole 'dangerous' sites.

 

BTW, if the owner of imggoat sees this, your site crashes, showing a traceback, when uploading a not-png named as a png. Could be a security vulnerability, just throwing that out there.

Shoutout to @BloodAndHonour, whose recent recommendation of NordVPN prompted this post.

You are viewing a single comment's thread.

view the rest of the comments →

modsrcuntz ago

So what are truely the best email and search engines...any?

alele-opathic ago

This is the exact question which can't have any trustworthy answer. Although I expound on why here, the gist is that you have no way of discerning genuine replies from shill answers. Additionally, shills target these questions because they directly impact consumer decision making, meaning there is a very high likelihood noise will exceed signal in a question like that.

Just set aside 3 or 4 hours this upcoming weekend, and put the topic to rest for yourself.

modsrcuntz ago

Is signal a good app or is that not what we have been told either?

alele-opathic ago

I hadn't heard of Signal before you mentioned it, but decided to look into it. Here's what I found.

  • The front page is a substance-less advert heavy on rhetoric and testimonial -> minor suspicion
  • The first recommendation is by spook Edward Snowden, from the massive limited hangout that drove everyone into DDG in the first place. You should look more into his background if you are curious why this is a -> major suspicion
  • The owner, Moxie Marlinspike is really (((Moxie Rosenfield))). This will either be of major suspicion to you, or none at all. For me, it is of -> major suspicion
  • Supposedly they are entirely financed by 'charitable donations' and grants, which are funneled through foundations (the most common way money is laundered into these new ops) -> minor suspicion
  • The foundation supposedly started for Signal is never disclosed (Signal Foundation), and no information on it is given/can be found around the web -> minor suspicion
  • The IRS nonprofit search (all non-profit records are public records) returns 3 signal foundations. I searched the three respective states' business license registries and all are long dead (i.e. it doesn't exist) -> major suspicion

To me, this WAY fails the smell test. This ignores a number of other circumstantial problems with Signal.

1F4A9 ago

  • Design choices that are anti-anonimity. There is no good reason for an app like Signal to require that you register with your phone number, other than that is what it's meta-data collecting financiers want -> major suspicion
  • Receives financing from US goverment -> major suspicion
  • It's company and foundation are founded under American jurisdiction. That's like starting a platform comitted to free speech in North Korea. If you're serious about privacy you don't primarily operate from a country that is known for extensive data collection programs and a legal obligation to cooperate and shut up about it -> major suspicion
  • Initially Signal refused to provide an APK, basically encouraging you to use the Google Play store -> minor suspicion

t3soro ago

Run your own mail server. There are easy ways to do it without being a leet hacker. I won't list the names here so people can do their own research.

GlassSmith ago

Just set aside 3 or 4 hours this upcoming weekend, and put the topic to rest for yourself.

I tried that before (only I spent a lot more than 4 hours) and came up with nothing, I couldn't find any concrete evidence that pointed me in one direction or another. My conclusion was that short of having your own email server in some shithole country there is no way to ensure security... and even then it's useless because you would still be forced to communicate with people who haven't taken such measures so your efforts are in vain; this is on top of the fact that your private email is likely to be filtered out by just about every major email provider.

alele-opathic ago

I tried that before (only I spent a lot more than 4 hours) and came up with nothing

This is part of the problem - there really isn't an easy way to know whether or not some entity can be trusted anymore.

My conclusion was that short of having your own email server in some shithole country

The server doesn't need to be located elsewhere, if it is, then you are relying on trust and reputation again. It's easy enough to run your own with a domain (and an ISP that'll assign you a static IP), like what this reply describes.

there is no way to ensure security

The problem is twofold - the first is all of the email being stored on external servers (which you can mitigate by running your own), and the second is the protocols themselves, which have no ideal solution at the moment. The best idea would be to use PGP with your friends who will tolerate it, and look/wait for a solution/better protocol for those who won't (there are some ideas out there, if you feel like looking around).