Security Basics mailing list archives

Re: Anonymize internet access


From: "Michael Painter" <tvhawaii () shaka com>
Date: Tue, 27 Sep 2005 20:42:20 -1000

Good points all...and well taken.

> If you read the threads I pointed to above, you'll see that several people
> researched the locations of some specific servers and their governing laws.
> With disheartening results.

I was unable to find that thread and I'd really like to read it.  What do I do with:
Message-ID: <9f464ef2.0409060652.7b0113ee () posting google com> (?)

I did search google groups alt.privacy for 'findnot' in the msg subject and came up with a couple of hours of reading, but not the thread you're speaking of.

Some years back, I tested a beta program from Zero Knowledge Freedom which (I think) chained together their servers such that it was supposedly impossible to trace from the endpoint, even with logs. For whatever reasons, they folded up but I've always wondered if it was really true or if a hole was discovered.

> Pay your money if you want, and take your chances. That's entirely up to the
> individual. But before you do, consider the possibility that you can invest a
> little effort and most likely achieve a more real anonymity for free.

I'm all ears...can you point me to how/where to get started?

Thanks,

--Michael


----- Original Message ----- From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
To: "Michael Painter" <tvhawaii () shaka com>
Cc: <security-basics () securityfocus com>
Sent: Tuesday, September 27, 2005 12:26 PM
Subject: Re: Anonymize internet access


On Tuesday 27 September 2005 04:22 pm, Michael Painter wrote:

> There's some indication that they have made false claims in the past. A
> conversation in alt.privacy about a year ago brought to light the fact
> that at least some of their servers were located in Texas (I believe),
> while they play on potential customers' fear of "Big Brother" by claiming
> they're an offshore entity.

[snippage]

Since I'm a customer of findnot.com, I asked them for comments on the
above. They (quickly) replied with this:

I have no real desire to get into a long, protracted argument about any
service, so I'll respond to this once, and try to speak in generalities where
possible.

First of all, someone, possibly not even an agent of Findnot, made the claim
that their servers were located overseas. That claim was immediately
discovered to be false, and that person was never disclaimed by Findnot as
far as I know. In fact, someone claiming to be Findnot administration
eventually replied with a statement that they were setting up servers
overseas "this week". Draw your own conclusions.

Message-ID: <9f464ef2.0409060652.7b0113ee () posting google com>

This is also a good point to start looking through the twisted threads that
made up that dispute, and begin to realize why I care nothing about
duplicating it here. ;)

Findnot administration speaking:

We do not keep logs at all, and won't. Is it harder to keep servers up and
running that way? Sure it is, but it is possible we do it every day. Our

It's also possible to claim not to log, and log anyway.

Within the realm of anonymity and privacy, claims are never enough. When
you're dealing with security, you MUST be of the mindset that if some breach
is possible, it's a reality. To think any other way is utter foolishness.

If you saw a bare wire hanging from a tree, would you grab it simply because a
random stranger claimed it was dead? Would you hold on to it indefinitely
because that stranger said it always would be?

I hope not.

For this reason alone, no such "anonymity" service can be trusted. Their
actual logging policies are irrelevant. They have the ability, and that is
more than enough to negate any claim that they can provide any real
anonymity at all.

server location are not some big secret, you can check it out for yourself
here:

http://www.findnot.com/servers.html

Our company IS an offshore entity, and we are not in a jurisdiction that

The location of an "entity" is totally meaningless beyond how it affects the
security of its human owners. Their location might very well shield them from
some legal actions, but what about their customers?

The important thing for the consumer is where the company's servers are
located. Most anonymity providers realize this. I believe it's what led to
the false claims made concerning Findnot.

would compromise our privacy or yours. If we were forced to keep logs, we
would move our server to another location. We demand control of the servers
to suit our needs, and if we can't get it we move to another server
provider.

This raises the issue of control. Since a company might be located in one
place, and their servers located in another, it's absolutely impossible for
that company to know if anything on their servers is logged or not.

The people who actually own and administer the machines can, and most likely
do, log anything they want. In fact, servers might live in countries that
make logging mandatory as a matter of law. You'd be surprised at just how
many countries do things that way.

If you read the threads I pointed to above, you'll see that several people
researched the locations of some specific servers and their governing laws.
With disheartening results.

Some other points to consider...

A service provider knows who you are the second you connect.  If they know who
you are, you're not anonymous. That much is simple math. They will tell you
that you can sign up anonymously, and connect anonymously, but if you need to
be anonymous to use their services, how can they make the false claim that
you're anonymous with them alone?

And if you're anonymous before you get to their servers, why would you give
them any money for their anonymity services? ;)

Even if they don't log they can be forced to, or they can change their policy
on a whim and without notice. They have that ability. They could take offense
to something you do or say, or they could fall under the rule of law and be
forced to give you up. Moving the server may not even be an option at that
point. They could be under a gag order, or they could very well be
incarcerated with their server running apparently normally. Or their servers
could be compromised, and they might not even know it.

The bottom line here is that if a service provider claims they will make you
anonymous and/or untraceable, they're trying to sell you a big old industrial
sized jar of snake oil. They have NO sound basis on which to make this claim,
and you have NO concrete reason to place your trust in them. Quite to the
contrary, you have every reason not to trust these types of services.

Pay your money if you want, and take your chances. That's entirely up to the
individual. But before you do, consider the possibility that you can invest a
little effort and most likely achieve a more real anonymity for free. Or shop
around for a service provider with enough integrity to not try and mislead
you into believing they can provide you with something they obviously can
not. Those services are out there too...

Whatever you decide, remember that nothing is 100% foolproof. ;)

--
Hand crafted on September 27, 2005 at 16:42:01 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
                                 -Groucho Marx
