Ask Slashdot: Best Country For Secure Online Hosting?

An anonymous reader writes: I've recently discovered that my hosting company is sending all login credentials unencrypted, prompting me to change providers. Additionally, I'm finally being forced to put some of my personal media library (songs, photos, etc.) on-line for ready access (though for my personal consumption only) from multiple devices and locations... But I simply can't bring myself to trust any cloud-service provider. So while it's been partially asked before, it hasn't yet been answered: Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information? And does anyone have a recommendation on which provider(s) are the best hosts for (legal) on-line storage there?

Ah, I see what you want.

[Anonymous Coward]

You need to go to Bir Tawil.

It is the only place in the world to get what you want.

the same question was asked before

[Anonymous Coward]

http://yro.slashdot.org/story/... [slashdot.org]

Which country is best to choose for hosting Internet services and locating VMs to avoid government surveillance (both NSA and local)? It should be a country with good connectivity to the US and Europe, but have strong legal protections from mass surveillance. People talk about Switzerland, Norway and Iceland (even Spain). Anyone worked through the pros and cons of each of these? I'm not concerned about legitimate (with court order) surveillance, just the un-targeted mass surveillance most governments seem to do. I don't believe this bad behavior should be rewarded or made easy.

Re:

[Anonymous Coward]

Whatever happened to Sealand? It was supposed to become the world's hotspot for unregulated internet.

Re:Ah, I see what you want.

[zidium]

Burned to the ground, I'm afraid ;-(

Get a contract.

[jellomizer]

Let's take it for wrote that the NSA will spy on us and the snowden leaks were only to show the NSA where they were holes in its operation that it closed down.
So no country is safe from the NSA.

They are not suppose to spy on citizens though. So I guess that still makes US the safest place.
However when shopping for online hosting, we rarely put the effort that is deserving for the cost of the information. If you want extra protection, then you need to work up a custom contract for work, and not their standa

Did we learn nothing from Snowden?

[PhrostyMcByte]

There is no safe place to put your data. If someone wants it they'll get it. If you want to keep something private, encrypt it.

Re:

[fyngyrz]

If you want to keep something private, store it somewhere that isn't connected to a network.

And encrypt it. And prevent others from physically accessing it. And never carry any media or printout from said that machine outside the physically secure area in which it is installed. And never, ever, mention any of this to anyone.

There's no such thing as a "secret" when two or more parties know. When one party knows, that's a secret. When two or more parties know, that's just gossip -- you have completely lost c

Re:

[alvinrod]

Even further, treat anything you post or put online as though it's public and everyone knows that it's you who posted it, even if you feel as though you have some expectation of privacy or anonymity. It's been shown time and again that if some group on 4chan dislikes you enough, they'll probably be able to find out who you really are and send pizzas to your house or worse.

Re:

[Gr8Apes]

Even further, treat anything you post or put online as though it's public and everyone knows that it's you who posted it

This, 1000 times over. Even this alias is known to be this me, by at least someone, somewhere, mainly because it's not anonymized by TOR nor HTTPS, and even then, there's no guarantee it's not another me, because who knows how many people have access to any given account? Sharing is the only true way to be anonymous anymore, because then it becomes particularly difficult to prove which person out of a pool of potentials actually posted any particular thing, and was it really one of the pool in the first pla

Re:

[allo]

Or as he said: Good encryption helps.

The whole "snowden showed, its pointless to secure myself" attitude is shitty and even he doesn't say this. It's the people who think "oh, security needs attention and work. So i better avoid it".

The great nation ...

[Anonymous Coward]

... of Flashdrivia.

Re:The great nation ...

[postbigbang]

There's Long Key, which is pretty good.

I otherwise am of the firm belief that so long as a machine is connected to the Internet, or we can hear the keyclicks nearby, that it's total folly to believe any data is safe, many air gaps included. There's a variant of Murphy's Law stated thusly: with a big enough hammer, you can break anything.

Perhaps your router was slipstreamed some code enroute to the data center. Maybe it was your little RAID 6 array. Perhaps the kernel has had a long dormant back door or nice stack overflow to hijack. Ever plugged in your smartphone to your machine to maybe, synch something?

My guess is that in one way or another, we're all already infected, it's just a matter of hassle to get what's needed by those desiring to smash you. You may believe this to be dystopian, but once you take a long look at the CVEs out there, multiply them by two for the probably-unknowns, and even machines living their life solely in Faraday cages become suspect.

Re:

[fyngyrz]

You don't even need a big hammer. The combination of some easily-obtained drugs, any solid surface, the secret-holder's fingers or other body parts, and just a small ball peen hammer will fully suffice to access any data, or the password to get at said data.

XKCD explains it in a nutshell. [xkcd.com]

Re:

[Qzukk]

That sounds like a lot of work. Why not just declare he's got kiddy porn and we can't show our proof because national security, trust us?

Re:

[RockDoctor]

Ever plugged in your smartphone to your machine to maybe, synch something?

Err, not as far as I know, no. I never did understand this "sync(h)" thing, or how it differs from copying the files I want from one storage device to another.

But the laptop does make a convenient charger for the phone. It's a pity that it is such an absolute bummer finding my data on the phone and getting it off. It completely destroys the potential utility of a smart phone.

Host it yourself

[wbr1]

If you do not trust cloud providers for whatever reason, then DIY. A business class account with a static IP works best, but it can by done with dyndns, etc. Set up your server, and and a VPN to your network. OpenVPN clients are available for just about any device, and then you can access anything you are running inside your lan, UPNP, SMB shares, whatever. You can pick up a crappy firebox on ebay and load an alternate firmware in it for cheap (I got one for 5 bucks at a church yardsale). Or you can just port forward and run your VPN software on some boxen inside your router.

My total cost is about $130 to comcast a month for a single static and business class 50/10, and my own time. This setup allows me to run whatever services I deem fit, and typically keeps me clear of ISP DCMA notices. I did get one, but once I pointed out that I repair random PCs that do not belong to may, and many may auto launch a torrent app, it was quickly dropped.

Add a chromecast or two, slingTV, and a good antenna, I do not need cable TV at all, and can stream all my services out.

Re: Host it yourself

[Anonymous Coward]

Yep, I would DIY with a $35 raspberry pi, $10 microSD card, $15 case, and a $5 micro USB cable. Then follow one of the many online guides for setting up a pi as a relatively secure/hardened nginx/mysql/owncloud server.

Re:

[rwa2]

This. I like the cloud as much as anyone, probably more. But can't fathom why, if you're already paying for home internet access, would anyone not just host everything on a leftover home shoebox server. It plugs into the same little UPS as the rest of my home networking equipment, and runs a little RAID, and does offsite backups to Glacier and whatever other shoebox servers my friends run in their basements. It's nice not having to worry about running the minimum amount of stuff to reduce billing, but r

Re:

[Anonymous Coward]

In the past, a major reason is that you don't have enough upstream bandwidth for this. DSL and cable are asymmetrical; the upload speed being much slower than the download. A second reason is that ISPs often forbid hosting servers of any kind.

Re:

[wbr1]

This is why I specifcally mentioned a business class, cable account. Business class so you can host without interference, and get a static ip, cable as is sccalable to usable upload speed.

Re:

[iggymanz]

So, you haven't solved the issue at all, in the sense your data is in hands that can be trusted as far as Glacier can be trusted. Maybe they are trustworthy, or maybe they are in country that makes that impossible.

Re:

[rwa2]

or maybe I just still remember my gnupg encryption key from decades ago

Re:

[DuckDodgers]

Right. Any cloud backup is reliable if you encrypt the data yourself before you give it to the service.

On the other hand, SpiderOak claims they encrypt everything before it leaves your computer, and if you lose your password they insist they can't help you recover your data. Big portions of their code are open source, but not all. You still risk that a hacker or government agency court order will release a revision to the SpiderOak software that transmits your password to their servers. There's also

Re:

[wootcat]

Dunno if this means anything anymore, but they also post a warrant canary [spideroak.com].

Re:

[iggymanz]

depends, do you have old encrypted files with weak encryption? best rotate the crop! and if the only place you have the key is your home, guess what happens if your home goes up in smoke?

Re:

[iggymanz]

oh, which algorithm did you use back then, might have a wee bit of an issue these days

Re:

[AHuxley]

+1 for that. In your own country with the real physical hardware at your own site. Expect and understand every in/out packet will be split at a regional site in your/any country and shared with a growing number of other nations every day, all day.
ie Collect it all.
Encrypt and fully understand any default or suggested settings with any hardware of software.
When buying any new international hardware under your own brand or company expect it to arrive with extra code, tame/junk encryption settings and ha

Don't forget to...

[l0n3s0m3phr34k]

Also line the inside of your main computer room with tannerite. You should also use some battery backup explosive triggers, in case They shut off the power when attempting to breach your Evil Lair. Always add a deadman's switch too on a 72 hour timer so if They do catch you it will all disappear anyway. I would also put a thermite block directly over the hard drives too just in case. Tannerite runs under $100 for 1-2lbs and it's available all over the internet.

Re:

[pnutjam]

My setup has two wireless networks, one that passes to my network, and one that passes directly to a vpn provider for geolocation, torrent protection, etc. I also have my server configured so it is reachable on my main network, but pushes everything out the vpn network.

Encryption

[mysidia]

Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information?

NONE. Zip. Zero. Nada.

If you wish to secure what you host, then use a solution that encrypts it on the client side.

I believe BitTorrent Sync is an example of that.

Some hosting and online backup providers also offer solutions where every file is encrypted on the client side, and the hosting provider never gains access to the plaintext files.... this is what you need.

Re:

[chihowa]

Some hosting and online backup providers also offer solutions where every file is encrypted on the client side, and the hosting provider never gains access to the plaintext files.... this is what you need.

Be careful with this, though. If you need to put trust in other people, then you should limit the amount of damage that any single untrustworthy actor can do.

Using a solution where a single company provides the hosting and the encryption software (especially if it's provided as a precompiled binary and/or autoupdates at the provider's desire) should command no more trust than a company that hosts your files and claims to encrypt them server-side. If they want access to your files or are acting on behalf of

Re:

[Solandri]

Boxcryptor does this and works with most of the popular cloud service providers. Really, this is the only way cloud or off-site storage should be handled. The company storing your data has no business being able to read it. The only risk is if you lose your encryption key. But you only have yourself to blame if that happens.

Iceland

[Anonymous Coward]

      Go with 1984.is [1984.is]. Shared-host web hosting with unlimited storage, or you can rent a full VPS. Throw OwnCloud on either, then put an encfs volume up and shared via OwnCloud, and you've got a reasonably secure system with very little effort at a reasonable price.

Re: Iceland

[Neil Boyd]

OP didn't say he wanted it to be cheap

Switzerland

[Anonymous Coward]

Quote from some company based there:

All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and entities. Only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.

Re:

[AHuxley]

Yes the US had trained and looked after generations of their top military staff. If your interesting your about as encrypted as in the US.

Re:midphase

[nospam007]

" I'd look for Icelandic hosting. They seem to appreciate privacy at a national and local level."

Yes, they're so private, they sold the DNA of all their citizens to a private company.
http://www.wired.com/2015/03/i... [wired.com]

Cuba

[Anonymous Coward]

The US Government has only just started re-normalization of relations with Cuba. They certainly don't have the bureaucratic relationships or procedures in place to get search warrants processed via INTERPOL or otherwise. Even the most trivial of requests will have to go through the state department making the prospect prohibitively expensive for anything but the most important of tasks.

Re:Cuba

[John.Banister]

I recently read that Huawei is supplying their infrastructure hardware, so I guess it's a matter of picking which government you don't want to have your info.

Re:

[Opportunist]

The one that can actually make my life miserable. Why the fuck should I care about China?

Re:

[Anonymous Coward]

Depends on whether you have any trade secrets worth stealing. If you're putting your personal files online, with little more than your recipe collection, your unfinished pirate-romance novels that in your youth you thought might make a name for you, pictures of the victims geotagged with where you buried them, and the cat pictures that you haven't yet uploaded to Facebook, then yes, you're fine going with the Chinese, who won't give a shit about you. On the other hand, if your hobby includes developing ne

Re:Cuba

[Zocalo]

You jest, but that's actually not a bad idea. Picking a country that you have absolutely no connection with and that has a less than friendly relationship with your own government is probably the best you can do in the current mass-surveillance climate - provided that you don't do anything that violates the local laws of your hosting country in a major way. Sure, they might well be monitoring your data, but they almost certainly won't care about it, and if your own country's law enforcement/copyright cartel/whatever comes knocking for any reason they'll almost certainly get nowhere.

Don't trust anyone

[dabadab]

Don't trust anyone, especially not cloud providers.
I think a more appropiate question would be to ask for some solution where the untrustworthiness of the cloud provider is a given and is accounted for (like storing everything encrypted and not handling the decryption key to the provider).

Fantasyland

[Anonymous Coward]

If you want your data secure, the last thing you do is put in on SOMEONE ELSE'S server.

Egypt

[ruir]

No hacking laws, and nobody gives a damn about piracy laws.

Tahoe-LAFS

[TechyImmigrant]

A small plug for Tahoe-LAFS.

It doesn't matter where it is. It uses cryptography to give you what you want. Mirror in many places including on your own machines for redundancy.

https://www.tahoe-lafs.org/tra... [tahoe-lafs.org]

Re:

[GameboyRMH]

Came here to recommend encryption over choosing "trustworthy" hosts - trust is for suckers.

Backblaze

[Anonymous Coward]

Not sure where they are, America probably. The software has an option to use your own key to encrypt the data with (in addition to user/pass).

There is no easy answer

[Anonymous Coward]

But I would go for this: if your country is X, then most hosting not being in X *and* the USA is likely to be more secure from snooping and breach.

DIY

[Anonymous Coward]

The only service online that you can secure to your satisfaction is your own. Get a business class connection, set up your server/OS of choice, implement your encryption scheme of choice, and manage/operate it yourself. If a government, for example the US, wants to get its hands on you, they will find a way, regardless of the laws of your host country. Example: Swiss banking clients that were dodging US tax laws.

At your home

[Lennie]

Keep the data at your home, they need a warrant to get into your home.

Eben Moglen was pretty clear about that (no I don't know at what minute exactly he said this):
https://www.youtube.com/watch?... [youtube.com]

If you are going to store your data with somebody else, encrypt it before you upload it and you keep the encryption key.

Nothing wrong with keeping a backup with someone else as long as you encrypt it:
http://duplicity.nongnu.org/ [nongnu.org]
http://www.duplicati.com/ [duplicati.com]

I'm forgetting about an other provider which also has an open source program with encryption.

Value for money.

[pigsycyberbully]

If its value for money then a Greek hosting company is what you will be looking for. You will need somebody who can read and speak the language to get the best deal a server for the lowest price which you control. The setup and control panel will have to be in English for yourself. You will get many companies advertising themselves in the English language and in reality they will be U.S. companies or large German company 1&1 / Fasthosts with U.S. links and U.S. hosting and so on. Avoid them if you don't

Re:

[AHuxley]

The UK had regional listening stations over generations.

wuala was perfect until the NSA shut them down

[Anonymous Coward]

wuala was perfect until the NSA shut them down. Now they're recommending we use Tressorit which seems like a pretty good solution as it's hosted in Switzerland where very few law enforcement agencies can access what Little data is actually available to the company since they use client-side encryption. They also have apps that work on most devices.

Iceland

[slimdave]

The good chaps at Clipperz moved to https://1984.is/# [1984.is] for reasons that they explained out in this blog: https://clipperz.is/blog/2013/... [clipperz.is]

Their logic seems compelling.

Do what the above guy is doing.

[AJWM]

Just break up your data into lots of little (encrypted) chunks and post them to web forums like Slashdot which never delete anything. You'll need some kind of map as to where all the pieces are, so do the same with that. Recurse until you have something small enough you can remember.

Re:

[TapeCutter]

...or just put your family photos in your wallet and sit on them, like normal people do.

Re:

[tomxor]

Good idea

YXNhZmc3YXNmZzczZ3IyNzNncjJmZGc3c2RnZmFia2piLHNka2ZoYWxpaDEyMTItNDEtMmhmOTM

Although slashdot seems to be limited to 75 chars of contiguous letters which makes it annoying.

Re: Probably...

[Anonymous Coward]

Switzerland gave up banking secrecy without a fight. What makes you think they'll protect your data?

Colocate and Encrypt

[drinkypoo]

You need to host, you haven't explained why, but let's take it as a given and not suggest you host from home. I don't have enough bandwidth to do that myself, so I wouldn't do it either.

You can't trust any service.

Whether you run your own server or use another server, you can encrypt data before you upload it.

Otherwise, you can run your own server, encrypt the storage volume and log in to supply the key so you can unlock and mount it. Disable all the ports on the machine. Have another machine at home, the c

Any

[ledow]

If you don't trust them, and know that, that it doesn't matter what you use.

Encrypt, and only use encrypted. You can do this in many different ways, but if you never reveal the encryption key to them, YOU CAN GIVE YOUR ADVERSARY ALL YOUR ENCRYPTED DATA. That's the whole point of encryption.

Encrypt, store in the cloud in any location you like. All they get is encrypted data that they can't do anything with. As only you need to access it (and not random general public, which is a much more difficult thing

The best way to have secret stuff ...

[CaptainDork]

... is don't.

Big jump

[namgge]

It seems to me a big leap to go from 'hosting company is sending all login credentials unencrypted' to a silo on a private island guarded by mercenaries, which seems to be what you are now looking for. Find a less idiotic host and stop worrying about govt agencies - if they want your data they'll get it, and the best you can hope for is that is all they want from you.

Re:

[Shoten]

It seems to me a big leap to go from 'hosting company is sending all login credentials unencrypted' to a silo on a private island guarded by mercenaries, which seems to be what you are now looking for. Find a less idiotic host and stop worrying about govt agencies - if they want your data they'll get it, and the best you can hope for is that is all they want from you.

Agreed. It seems the OP makes a jump from "I realized that my hosting provider has been going short-bus full retard with regard to even basic security" to "To what nation should I migrate my online assets to protect them from even the most highly-resourced nation state actors?" I don't see why the pendulum has to swing so far to the other side...and really, the odds are overwhelming that none of the nation-state actors that would be affected by going that far care about his stuff anyways.

And something els

You can only reduce likelihood.

[chaoskitty]

Assume that everything MIGHT be insecure. Your Internet connection is wide open. Your upstream routers may be controlled by governments. Hard drives might have malicious firmware payloads. Typical PC hardware might have a BIOS that does nefarious things and may have intentional back doors. Your OS and the software you run might have had backdoors introduced.

I personally don't trust anything with the word "cloud". It just means that a ton of people are responsible for it, so if anything goes wrong, there's n

Re:

[stebalo]

Sealand of course. That didn't work to well unfortunately.

http://arstechnica.com/tech-policy/2012/03/sealand-and-havenco/1/

HavenCo's failure—and make no mistake about it, HavenCo did fail—shows how hard it is to get out from under government's thumb. HavenCo built it, but no one came. For a host of reasons, ranging from its physical vulnerability to the fact that The Man doesn't care where you store your data if he can get his hands on you, Sealand was never able to offer the kind of immunity f

Encryption worthless!

[psb777]

(1) When quantum computing works they'll decrypt everything. They're storing everything now and they'll come back to it later with keyword searches etc in some unpredictable future political climate we may not like. [I don't like the present!]

(2) If quantum computing already worked they wouldn't let on. Turing etc was kept secret from us for decades, so who knows what their capabilities are now?

depends

[Tom]

Which country has the best on-line personal privacy laws that would made it patently illegal for any actor, state, or otherwise, to access my information?

Depends which country you want to protect yourself from.

If you are mostly afraid of US companies and the US government, put your server into Russia. They laugh in the face of US companies that make any demands.

For strong privacy laws, many european countries have laws in place much stronger than the US, but beware that they usually have a "if you agree to it, anything goes" clause (which is why these small "I agree to ..." checkboxes are so important there.

Re:

[stasike]

Russia? Host your files in Iran.
They are not very likely to respond to a take-down request or a police demand for identification of owner. Especially when such request comes from USA or EU country ;-)