Bitcoin Forum
May 04, 2024, 01:43:29 PM
Topic: Data privacy and this forum (cloudflare) (Read 241 times)
bluefirecorp_ (OP)
March 25, 2018, 03:19:09 AM
Merited by Vod (3), theyoungmillionaire (1)
#1
Alright, we understand the need to cower behind Cloudflare against the mighty DDoSes of today. No sysadmin can single-handedly build a mitigation system (it takes a team and piles of burning cash).

Given that the US will pass the CLOUD Act, Cloudflare won't have any rights to defend our privacy; I guess no cloud provider really will.

Does anyone have any technical solutions (because politics ain't gonna work) in mind for this problem?

DarkStar_
March 25, 2018, 03:39:50 AM
#2

It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.

taking a break - expect delayed responses
bluefirecorp_ (OP)
March 25, 2018, 03:43:51 AM
#3

Quote from: DarkStar_ on March 25, 2018, 03:39:50 AM
It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.

Any idea of their pricing or services? Cause that sounds like a reasonable solution, even more so if there's a way to post "this data may be monitored" when DDoS attacks are happening?

DarkStar_
March 25, 2018, 04:12:38 AM
#4

Quote from: bluefirecorp_ on March 25, 2018, 03:43:51 AM
Quote from: DarkStar_ on March 25, 2018, 03:39:50 AM
It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.

Any idea of their pricing or services? Cause that sounds like a reasonable solution, even more so if there's a way to post "this data may be monitored" when DDoS attacks are happening?

It's with Radware. I'm not sure about the specific plan/set up, but ProtonMail said it was cheaper than the other companies who offered to help. You can read a bit about it here, though it doesn't go into much detail: https://protonmail.com/blog/ddos-protection-guide/

Not sure if it would be possible for this forum as ProtonMail set up their own ISP which certainly would give them more freedom. They do say that the SSL keys don't need to be handed over though, which is the way that Cloudflare gets our data.

I've never dealt with much DDoS protection, but it should be reasonable to have a warning if it's enabled.

Quickseller
March 25, 2018, 04:13:53 AM
#5

Quote from: bluefirecorp_ on March 25, 2018, 03:43:51 AM
Any idea of their pricing or services?
DDoS protection services are generally very expensive. Large companies/providers enjoy great advantages via economies of scale.

I agree that additional steps should be taken to ensure privacy, although this may be a lost cause at this point. A better use of resources might be to fund the cost of fighting the acceptance of evidence obtained via this law.
bluefirecorp_ (OP)
March 25, 2018, 04:15:15 AM
#6

Quote from: Quickseller on March 25, 2018, 04:13:53 AM
Quote from: bluefirecorp_ on March 25, 2018, 03:43:51 AM
Any idea of their pricing or services?
DDoS protection services are generally very expensive. Large companies/providers enjoy great advantages via economies of scale.

I agree that additional steps should be taken to ensure privacy, although this may be a lost cause at this point. A better use of resources might be to fund the cost of fighting the acceptance of evidence obtained via this law.

So, donate to the ACLU? Seems like a monetary, non-technical solution to the problem at hand.

Quickseller
March 25, 2018, 04:20:30 AM
#7

Quote from: bluefirecorp_ on March 25, 2018, 04:15:15 AM
Quote from: Quickseller on March 25, 2018, 04:13:53 AM
Quote from: bluefirecorp_ on March 25, 2018, 03:43:51 AM
Any idea of their pricing or services?
DDoS protection services are generally very expensive. Large companies/providers enjoy great advantages via economies of scale.

I agree that additional steps should be taken to ensure privacy, although this may be a lost cause at this point. A better use of resources might be to fund the cost of fighting the acceptance of evidence obtained via this law.

So, donate to the ACLU? Seems like a monetary, non-technical solution to the problem at hand.
That might not even be necessary. Theymos can simply be on the lookout for a bitcoin related case in which the law was used and fund the appeal of a ruling allowing the use of the law to obtain information.

The alternative would be to set up your own DDoS protection, which theymos previously tried, without a lot of success. Even with cloudflare, the forum still appears to be under DDoS attack.
sud
March 25, 2018, 09:23:09 AM
#8

Wouldn't blockchain be perfect for a DDoS prevention system? Seriously, by now we should have at least a few projects with cheap, crypto-based solutions for such problems. I only know Gladius is working on something like this.
Jet Cash
March 25, 2018, 10:01:01 AM
#9

What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?

Offgrid campers allow you to enjoy life and preserve your health and wealth.
Save old Cars - my project to save old cars from scrapage schemes, and to reduce the sale of new cars.
My new Bitcoin transfer address is - bc1q9gtz8e40en6glgxwk4eujuau2fk5wxrprs6fys
bluefirecorp_ (OP)
March 25, 2018, 02:43:50 PM
#10

Quote from: Jet Cash on March 25, 2018, 10:01:01 AM
What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?

https://en.wikipedia.org/wiki/Nothing_to_hide_argument

The idea is we're giving up data privacy for "security" while in reality it's just giving up our rights with due process.

The fact that any govt can now request records from sites without warrants is scary. Remember when China hacked the Gmail accounts of political activists? Now they just need to submit a formal request and the data is there.

Jet Cash
March 25, 2018, 03:38:52 PM
#11

It seems to me that the real issues aren't privacy, but the lack of information available on the activities of the puppet masters who are controlling the governments. We should remove the privacy from their communications and actions.

Quickseller
March 25, 2018, 04:15:32 PM
#12

Quote from: Jet Cash on March 25, 2018, 10:01:01 AM
What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?
It could result in private information about you, such as your IP address being released to the government. It could also result in your PMs being released to the government.

The lack of needing a warrant means the process is ripe for abuse by the government. If, for example, you are speaking out against the sheriff, the sheriff could go on a fishing expedition to look for illegal activity and then arrest you on a small technical violation of the law.
FFrankie
March 25, 2018, 04:31:04 PM
#13

Quote from: Jet Cash on March 25, 2018, 10:01:01 AM
What's the big issue with privacy? All the posts are public, and if you are doing something illegal through PMs, you should be doing it away from a public forum. Is it just that people want to post without accepting responsibility for their opinions?

Our emails and passwords are not public, nor are our IPs (unless we embed a pixel-size image in a post to track that info); our shipping info that we send via PM or Privnote is not public either.

What is the big issue with privacy? Isn't that one of the reasons why bitcoin was created in order for a fast and private way to send bitcoins?
jackg
March 25, 2018, 04:32:05 PM
#14

To clarify, do cloudflare hold the certificate for this site or does the actual site's server possess that? If cloudflare hold it then that's a great issue for anyone in the US (for people outside, it's an issue but not as big a problem), though the US intelligence agencies seem even worse than places like the UK for keeping their secrets secret.

Quote from: Quickseller on March 25, 2018, 04:15:32 PM
It could result in private information about you, such as your IP address being released to the government. It could also result in your PMs being released to the government.

The lack of needing a warrant means the process is ripe for abuse by the government. If, for example, you are speaking out against the sheriff, the sheriff could go on a fishing expedition to look for illegal activity and then arrest you on a small technical violation of the law.

You could always switch to a service like tor but that is immensely slow at loading (not sure if there are any good fast and free services that you can use for a vpn/proxy).

Quote from: DarkStar_ on March 25, 2018, 03:39:50 AM
It might be worth it for the forum to consider other DDoS protection services. Not all of them are in the US (EU actually cares about privacy!), and some have different methods of DDoS protection. It might be worth it to consider whatever ProtonMail uses (don't recall the exact company, and too annoying to find on mobile), as I believe everything is still encrypted when they're under DDoS. ProtonMail also only forwards traffic to their DDoS defense when they are under DDoS; it's a direct connection to their servers otherwise.

There's a London based cloudflare and other cloudflare offices in mainland EU I think those could be used (not London though due to the IP act).

A direct connection to the server is also a good idea but I don't think theymos would particularly like that idea as it has a likelihood of being abused and the Bitcointalk server isn't as powerful as the ProtonMail datacentre.
It's a shame none of the admins/moderators have a mining pool that we could hide behind (gigabytes of data being transmitted per second would be a nice thing to hide behind as no one is going to want to screen all of that just to pull out the packets for this server).

There have been multiple suggestions of having paid-for direct access to the servers, which I wouldn't be opposed to, paying say 0.01BTC a month to access the server directly from my own private socket into the server (possibly make it so that transmission has to be encrypted with a sort of private key/public key pair that each user randomly generates every month - unless that's too much of an advanced thing to try to incorporate).
DarkStar_
March 25, 2018, 05:34:40 PM
#15

Quote from: jackg on March 25, 2018, 04:32:05 PM
To clarify, do cloudflare hold the certificate for this site or does the actual site's server possess that? If cloudflare hold it then that's a great issue for anyone in the US (for people outside, it's an issue but not as big a problem), though the US intelligence agencies seem even worse than places like the UK for keeping their secrets secret.

Cloudflare generated and holds the SSL certificate for Bitcointalk. I believe all protection through Cloudflare requires the certificate.

bluefirecorp_ (OP)
September 19, 2018, 01:11:47 AM
#16

Quote from: DarkStar_ on March 25, 2018, 05:34:40 PM
Quote from: jackg on March 25, 2018, 04:32:05 PM
To clarify, do cloudflare hold the certificate for this site or does the actual site's server possess that? If cloudflare hold it then that's a great issue for anyone in the US (for people outside, it's an issue but not as big a problem), though the US intelligence agencies seem even worse than places like the UK for keeping their secrets secret.

Cloudflare generated and holds the SSL certificate for Bitcointalk. I believe all protection through Cloudflare requires the certificate.

Right. This is still a problem.

So, with cloudflare doing the TLS termination, every PM can be logged by that third-party entity. Not only can they read, but they can also modify messages in transmission.

jackg
September 19, 2018, 08:31:57 AM
#17

Quote from: bluefirecorp_ on September 19, 2018, 01:11:47 AM
Right. This is still a problem.

So, with cloudflare doing the TLS termination, every PM can be logged by that third-party entity. Not only can they read, but they can also modify messages in transmission.

Theymos can edit what your PMs say and send new PMs. He can't do as much as cloudflare in getting username and password combinations, however he can do quite a bit on that front.

If you have something significant to say, stake your address somewhere on this forum and sign your message so people can verify it's you (you can also use a PGP key for this).
bluefirecorp_ (OP)
September 20, 2018, 02:00:28 PM
#18

Quote from: jackg on September 19, 2018, 08:31:57 AM
Quote from: bluefirecorp_ on September 19, 2018, 01:11:47 AM
Right. This is still a problem.

So, with cloudflare doing the TLS termination, every PM can be logged by that third-party entity. Not only can they read, but they can also modify messages in transmission.

Theymos can edit what your PMs say and send new PMs. He can't do as much as cloudflare in getting username and password combinations, however he can do quite a bit on that front.

If you have something significant to say, stake your address somewhere on this forum and sign your message so people can verify it's you (you can also use a PGP key for this).

Theymos is a trusted source. He could easily get our passwords by adding two to three lines of code to the login function (just log the passwords to plain-text file).

Valid point on the securing communication; I was thinking moving entirely to GPG for communications and signing messages to ensure the integrity. However, just because they can't read my message doesn't mean it's secured. They'd still have the metadata available (bluefirecorp sent message to jackg at this time, on this date).
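The two points made in posts #16 through #18, that a TLS-terminating edge holds every PM in plaintext and can both log and rewrite it, and that signing a message with a staked key lets the recipient detect the rewrite while the sender, recipient and body stay readable to the edge, as an added example in Go. This is not code from the forum, from SMF or from Cloudflare. Everything below is assumed for the demo: the PM wire format and its separator, the sample message text, the user names taken from this thread, Ed25519 standing in for PGP or bitcoin-address signing, and plain HTTP between client, edge and origin so that it runs offline (with TLS terminated at the proxy, the plaintext the proxy handles is exactly what the `edge` handler receives here).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sep is an assumed separator for this demo's PM wire format (from, to, body,
// signature); the forum's real PM encoding is not shown in the thread.
const sep = "\x1f"

// signPM returns "from<sep>to<sep>body<sep>base64(sig)". The signature covers
// from, to and body: a middlebox holding the plaintext can still read all three
// (signing gives integrity, not secrecy) but cannot alter them unnoticed.
func signPM(priv ed25519.PrivateKey, from, to, body string) string {
	msg := strings.Join([]string{from, to, body}, sep)
	return msg + sep + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// verifyPM checks the wire form against the sender's staked public key and
// returns the fields only when the signature is valid.
func verifyPM(pub ed25519.PublicKey, wire string) (from, to, body string, err error) {
	parts := strings.Split(wire, sep)
	if len(parts) != 4 {
		return "", "", "", errors.New("malformed PM")
	}
	sig, err := base64.StdEncoding.DecodeString(parts[3])
	if err != nil {
		return "", "", "", err
	}
	if !ed25519.Verify(pub, []byte(strings.Join(parts[:3], sep)), sig) {
		return "", "", "", errors.New("bad signature: altered in transit or not from this key")
	}
	return parts[0], parts[1], parts[2], nil
}

// edge models the CDN reverse proxy after TLS termination: it holds the
// plaintext request, logs it, optionally rewrites it, and forwards it to the
// origin. Plain HTTP is used only so the demo runs offline.
func edge(originURL string, seen *[]string, tamper bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		*seen = append(*seen, string(b)) // read: every PM is loggable here
		if tamper {                       // modify: rewrite part of the PM in flight
			b = []byte(strings.Replace(string(b), "meet at noon", "meet at midnight", 1))
		}
		resp, err := http.Post(originURL, "text/plain", strings.NewReader(string(b)))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
	})
}

// runScenario sends one signed PM through the edge to an origin that stores it,
// then reports whether the edge saw the plaintext, whether the recipient's
// signature check on the stored copy passes, and which body the origin holds.
func runScenario(tamper bool) (edgeSaw, verified bool, body string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	const sent = "meet at noon, bring the hardware wallet" // constructed sample PM
	var stored string
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		stored = string(b) // the origin keeps whatever the edge forwarded
	}))
	defer origin.Close()
	var seen []string
	proxy := httptest.NewServer(edge(origin.URL, &seen, tamper))
	defer proxy.Close()
	resp, err := http.Post(proxy.URL, "text/plain", strings.NewReader(signPM(priv, "bluefirecorp_", "jackg", sent)))
	if err != nil {
		return
	}
	resp.Body.Close()
	edgeSaw = len(seen) == 1 && strings.Contains(seen[0], sent)
	_, _, _, verr := verifyPM(pub, stored)
	if parts := strings.Split(stored, sep); len(parts) == 4 {
		body = parts[2] // what the origin holds, whether or not it verified
	}
	return edgeSaw, verr == nil, body, nil
}

func main() {
	for _, tamper := range []bool{false, true} {
		saw, ok, body, err := runScenario(tamper)
		fmt.Printf("tamper=%-5v edge saw plaintext=%v signature valid=%v body=%q err=%v\n", tamper, saw, ok, body, err)
	}
}
```

Running it prints one line per scenario: with an honest edge the signature verifies, with a tampering edge the rewritten body reaches the origin and the recipient's check fails. In both runs the edge's log contains the sender, recipient and full body, which is the metadata and confidentiality point of post #18: signing only catches modification; hiding the content from the terminating proxy needs end-to-end encryption, and even then who wrote to whom, and when, is still visible at the edge.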

Powered by MySQL, PHP and SMF 1.1.19 | SMF © 2006-2009, Simple Machines