* Posts by Baneki

4 posts • joined 3 Jun 2013

OpenVPN plugs DoS hole

Thanks for noticing.

NSA tactics no better than a CYBERCRIME GANG, says infosec'er

keeping up appearances

Are we still pretending that the early-August "torsploit" injection attack on Freedom Hosting hidden services visitors was somehow enabled by the FBI, rather than being an NSA-driven expansion of cyber-military offensive tech against a massively increased target population? I know that's the lame-ass story the U.S. Feds are churlishly peddling to the unwashed masses, but since now we have confirming documents (courtesy Snowden) that it's all NSA tech, can we stop acting like it's an open question now?

Oh, and when are all those journos who printed the "FBI behind torsploit" disinfo as "fact" going to put out formal corrections (not the Reg, just to be clear, who characteristically never entirely swallowed the whole fantasy FBI story nor printed it as "fact")? That'd be nice to see, since spreading police state disinformation really doesn't help create a better future... unless you're the police state, I suppose.

Waiting expectantly...

NSA Prism: Why I'm boycotting US cloud tech - and you should too

Beyond the Borders

Cryptocloud VPN set up shop outside the United Police States of America back in 2007, expressly to protect against the obviously expanding dragnet surveillance it has so disastrously come to love, having learned the lessons of Echelon and Carnivore.

At the time, the "cool kids" laughed about how silly and paranoid such decisions were. After all, "the law" prevented that kind of thing from happening so only tinfoil-hatted nerds worried about such things. They claimed "America" was the safe place to be - that or some American ally like Sweden.

We decided we didn't trust any government that much, and we set up so that no one country had jurisdiction over enough of the network to do anything to compromise the whole thing. And we vowed to fight like wildcats if some government tried to get us to backdoor our systems. We said we'd go to prison if they threatened us, and if that didn't work we'd erase the entire system and every bit of data on it before we'd turn on our customers.

Turns out one of our founders went to prison after the Feds tried to force access to the network. Nobody had to wipe the servers, because the Feds realized the company would never backdoor itself under threat or pressure.

The story wasn't cool enough for the "cool kids" to report on truthfully, so it got swept up in a wave of Fed disinformation and press lackey smears. That's what happens to companies who have the balls to tell the Feds to fuck right off: they get smeared, tarred, ripped up in the mainstream press. Oh, and the little girls at Wilder's forum jump right on board - carrying water for the Fed Gestapo.

But you know what? Not a single customer had a single bit of data exposed to the surveillance monster. Not one customer. Nobody ever reported on that - because something not happening doesn't make a sexy story, I guess. It sure mattered to those customers who got the protection they were promised. It still matters.

So, yeah, some companies were astute enough to see it all coming - and strong enough to resist the extra-legal pressures brought to bear even on those with infrastructure and corporate existence outside its borders. The cost paid by those who stand against the surveillance state is high: it's not like in the movies, where the heroes get a rose petal parade.

But right is right, and in the end it's the courage to stand against oppression that matters most. No technology can substitute for that, nor can choosing the "right" country protect against nation-states gone bad. To do that you need courage. Real courage.

Spamhaus-style DDoS attacks: All the hackers are doing it

Career advancement through imaginary success

We're aware of a case in which a company's sysadmin generated a bunch of fake reports of "DDoS attacks" that never happened, scaring non-technical executives silly with dire warnings of pending Armageddon.

Then he hired a whole raft of "anti-DDoS" firms to protect against these fake attacks.

Then he convinced the aforementioned executives he was invaluable for defending against attacks that never happened, by spending money on services that never did anything but sit idle.

The whole thing fell apart when an exec with some technical competence requested excerpts from the logfiles to do some analysis of the DDoS attacks, purely out of curiosity to see the raw data. Only there were no logfiles because there were no DDoS attacks. And of course the anti-DDoS companies couldn't be bothered to make fake reports on the fake attacks... so the jig was up.

So, yes, protecting companies from nonexistent threats can be not only a good business model... it can even be a short-term career boost. At the expense of one's integrity, of course. There's that...

Biting the hand that feeds IT © 1998–2017