Linode take on Prism
thank you.
18 Replies
This pretty much answers the US Law question.
PRISM seems to primarily target data being stored by particularly large and widely-used companies; I wouldn't expect Linode to be within scope. Other mechanisms exist for monitoring data on the move well upstream of Linode (e.g. Room 641A
Also, for what it's worth, if Linode were a part of this program (or targeted by other things, such as NSLs
@zunzun:
The US Government cannot legally force a Russian citizen who physically lives in Mongolia and is a a company officer for a Swedish corporation to give them data from servers in South Africa, because they cannot directly threaten such people.
The US can and does wreak economic damage on foreign companies all the time. That's what the Denied Persons List (
But I'd be more scared about the CIA program of rendition and torture if I was pissing off the US in any serious way.
Maybe you also want look up the My Lai massacre before judging what the US is and is not prepared to do.
@fimdomeio:
As a costumer I would love to ear where you stand in relation to PRISM and whether your datacenters outside US are also under US law.
Just make sure your SuperVillain costumes don't have toooo many superpowers and you should be left alone.
@fimdomeio:
As a costumer I would love to ear where you stand in relation to PRISM and whether your datacenters outside US are also under US law.
thank you.
Linode have actually said before that they don't hand over any data without a court order, but if they do get such an order they have to follow it. I think Caker also suggested that you can encrypt your disk image if it makes you feel safer.
PRISM isn't meant to get data from companies like Linode, it's meant to get data from the likes of Skype and Google where the data is in a predictable format and therefore useful without having to burn man-days working out what the hell it is.
If you really want a serious answer from Linode you might want to open a support ticket.
Not that hosting with a non-US company is guaranteed to be different since many countries have similar laws and intelligence sharing relationships. If you value privacy keep off the Internet and if you are likely to be a persecuted minority at some point in the future and must communicate online then you probably need end to end encryption.
I imagine lots of companies already avoid US based cloud and VPS services to comply with local privacy laws and to avoid commercially sensitive information being given to US competitors so I imagine the impact of Prism on Linode business will be minimal.
I wouldn't assume my Linode mail server is any more protected than gmail. Incoming smtp is all plain text and likely captured on the backbone. I talk to it over TLS or ssh but with the keys in my VPS and its backup it probably wouldn't be hard to MITM.
@shirro:
Incoming smtp is all plain text and likely captured on the backbone.
Some? Yes.
All? No.
All the major MTAs and many of the large email providers support STARTTLS, and that will be used to encrypt SMTP between compatible MTAs.
Now, I'm not saying that this encryption is un-breakable, but it's certainly not plain-text.
@vonskippy:
Just make sure your SuperVillain costumes don't have toooo many superpowers and you should be left alone.
How to name your SuperVillian:http://www.smbc-comics.com/index.php?db … 3006#comic">http://www.smbc-comics.com/index.php?db=comics&id=3006#comic
@anderiv:
@shirro:Incoming smtp is all plain text and likely captured on the backbone.
Some? Yes.
All? No.
All the major MTAs and many of the large email providers support STARTTLS, and that will be used to encrypt SMTP between compatible MTAs.
Now, I'm not saying that this encryption is un-breakable, but it's certainly not plain-text.
Where SMTP is encrypted practically no-one sets up the certificates right to detect the other side is who they claim to be and even if they do the whole SSL certificate system is screwed in such a way most governments, and some criminals, could get a certificate to claim they are anyone at all.
SMTP level TLS can't be trusted but yes, it's better than plain-text.
PGP can be trusted but it's a pain to use in practice.
I'm expecting PRISM to prompt a renewed call in our organization to move our server from Linode to OVH's North American datacentre, since there is no US involvement there (French company, Canadian datacentre).