With ever more Supreme Court fuckery going on I’d like to help comrades in my local org be better secured against potential breaches.

Ideally I’d like to recommend 1-3 options that meet these needs:

  • Easy to use
  • Can be used on phones as well as mobile devices
  • Doesn’t retain any network traffic data

Any ideas on what options we have?

  • imogen_underscore [it/its, she/her]@hexbear.net
    link
    fedilink
    English
    arrow-up
    22
    ·
    edit-2
    4 months ago

    mullvad

    insert spiel about how VPNs are generally pretty overhyped as a privacy tool but if you’re in US you want one that’s not american owned, mullvad is swedish and does actually have very good protection policies for customer data. https://mullvad.net/de/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised they got raided by swedish authorities and due to their no logging policy the data that was sought after simply didn’t exist. you can also pay them in various anonymous ways including cash in a postal envelope lol. also it’s only 5 euro

  • hello_hello [comrade/them]@hexbear.net
    link
    fedilink
    English
    arrow-up
    21
    ·
    edit-2
    4 months ago

    A lot of VPNs are owned or connected to Israeli intelligence agencies or other assorted shell companies.

    Mullvad is your best bet but VPNs don’t make you private. In fact they should just be called Virtual LAN networks. Most of your traffic on the clearnet is encrypted already via HTTPS and VPNs only obfuscate your IP address from the website you’re connecting to. A lot of the fuckery comes from the nonfree clientside JS code that is executed on a lot of websites that can track you as well as nonfree web browsers.

    VPNs won’t protect you against bad digital practices.

    A much better approach to digital privacy is to make sure that your org can function entirely on free software that respects your freedoms. Example: instead of organizing via Discord, Social Media, etc. you can organize via XMPP or Matrix which can be deployed by your org if needed. Instead of creating documents via M$ Office or Google Docs you can use a office suite like LibreOffice and store everything locally and only share copies when needed. Instead of meeting over Zoom you can meet over Jitsi Meet.

    This in my opinion, is far more impressive and worthwhile task than asking your members to pay for a VPN. It actually educates your org on good computing practices rather than security theatre that you’ll have to pay into.

    There’s a big fucking reason why YouTubers can sponsor VPNs but no one seems to be aware of FOSS.

    • sovietknuckles [they/them]@hexbear.net
      link
      fedilink
      English
      arrow-up
      14
      ·
      4 months ago

      and VPNs only obfuscate your IP address from the website you’re connecting to.

      If you’re in the US, ISPs can legally sell your data since 2017, so another purpose of VPNs is to obfuscate what sites you are visiting from your ISP.

      • silent_water [she/her]@hexbear.net
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        4 months ago

        under most cases, they only have this data via DNS. it’s encrypted once the actual https request is made - only the destination ip address is available at that point. so encrypting DNS and securing that is probably more important than the protection a VPN provides. if you use a VPN without some form of DNS encryption, you’re trading one ISP you don’t trust for a second you shouldn’t trust but inappropriately are. DNS anonymization is an extra step you can and should take to ensure you’re not trusting your DNS provider, either - it works by tunneling encrypted DNS requests through shared, public relays.

        what you actually need a VPN for is to mask your ip address to the website you’re visiting and to mask the ip address you’re visiting from your ISP. these are important considerations but it’s useless if you don’t first protect DNS, ensure you can’t be tracked via cookies/be fingerprinted, and ensure you’re only connecting to websites over https.

        VPNs are an important and useful tool but they’re not the first or best tool for digital hygiene. you have to tackle each layer, one at a time. start at the top and work down the hierarchy.

        • sovietknuckles [they/them]@hexbear.net
          link
          fedilink
          English
          arrow-up
          7
          ·
          4 months ago

          it’s encrypted once the actual https request is made - only the destination ip address is available at that point.

          HTTPS includes the domain of the site you’re visiting in plaintext, and your ISP will get that information about every request you make unless you’re using a VPN/a proxy/Tor, DNS aside.

  • dead [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    20
    ·
    4 months ago

    You’re asking the wrong question. VPNs are cool and all, it won’t really protect your communication, especially not from a government actor. A VPN can sort of trick a website into thinking you are at a different location and in some ways can mask what you are doing from your ISP. It won’t protect you from the government.

    What you want is GPG encryption of your communications. GPG can be used in 2 main ways, you can encrypt files/text or you can sign files/text. Each person has a private key and a public key. In the case where you encrypt a message, you would take the public key of the person that you want to receive the message to encrypt the message and then the encrypted message can only be decrypted by the recipients private key. In the case where you sign a message, you use your private key to generate a “signature” string and then other people can take your public key and the signature to confirm that you wrote the message that you signed.

    You can set this up with an email client like Thunderbird (equivalent to firefox).

  • Feinsteins_Ghost [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    8
    ·
    4 months ago

    Mullvad.

    No US based. Actual decent Swedish protection laws, which is where they’re based. No logging of anything. Accepts cash in the mail anonymously.

  • CO5MO ✨@midwest.social
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    4 months ago

    m u l l v a d

    Mullvad is paid, tho.

    ProtonVPN has a free subscription so maybe that would help less tech-savvy comrades dip their toes 🤷🏼‍♀️ it’s very limited, but might just be what gets them into online privacy. Good luck & be safe out there ☮️

  • Aradina [She/They]@lemmy.ml
    link
    fedilink
    English
    arrow-up
    7
    ·
    4 months ago

    Proton or Mullvad.

    Proton has the benefit that you can also get their google replacements in the same package.

    Though as said, vpns are overhyped for security.

  • wtypstanaccount04 [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    5
    ·
    4 months ago

    I suggest the high tech of a pencil and a piece of paper. The NSA can’t read shit. If they want to spy on you, they have to pay some guy to do it, and that costs money.

    • wtypstanaccount04 [he/him]@hexbear.net
      link
      fedilink
      English
      arrow-up
      4
      ·
      4 months ago

      If you mail stuff then they have to pay someone to tamper with your mail and it should be kind of easy to tell if that’s happened. Use codes. I kinda wonder if the lemon juice thing still works.

      • Preflight_Tomato@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        Pack rice around packages extremely tightly using clear packaging (tape). Send a photo to the recipient. If it was opened, then the rice orientations won’t match the image.

  • macerated_baby_presidents [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    4
    ·
    4 months ago

    Mullvad fits your criteria. Proton is annoying to use on phones I think but they do have a free VPN.

    Really there’s very little that a VPN is suitable for over TOR. Probably, if you can’t run it over TOR it’s not secure over a VPN either.

  • farting_weedman [none/use name]@hexbear.net
    link
    fedilink
    English
    arrow-up
    3
    ·
    4 months ago

    There’s two ways to do this:

    The online organizing way is to use a paid vpn to prevent local WiFi attacks and isp snooping, harden all devices and computers that will be used, only use encrypted communications and develop data security practices compatible with the possibility of being jammed up.

    You gotta have real knowledge and awareness to pull this off as an individual, or a huge point of trust/failure in one person who does it for you.

    If you do all that then the cops will just use metadata and inference to get warrants or just have someone infiltrate you or turn a trusted member.

    The other way, the way the bolsheviks used, is to only organize in person and develop a no-trust framework for interacting with your community.

    Then the cops will infiltrate or turn members but you have at least prepared for it and expect it.

    • MayoPete [he/him, comrade/them]@hexbear.netOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      IDK if we’re at this level of need right now. But I want to start people on the path to doing these things as a habit.

      I could see our org doing mutual aid to help undocumented immigrants hide, help women cross state lines for abortions, etc. in the near future. I want us to be ready to cover our tracks before we need to.

      • farting_weedman [none/use name]@hexbear.net
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        I’m saying this not to belittle or hurt you, but to make my point clear:

        You are not capable of what you’re saying. It is not possible to safely include people in your group while doing what you’re saying.

        If that sounds like too much of an assumption, if it sounds like I’m being hyperbolic, think of this completely not yanked from the local headlines amalgamation of cop activities in the surrounding handful of rural counties over the last year:

        You’re doing something, an opponent shows up to agitate. There is violence, the police show up. Did everyone leave their phones at home? Does everyone’s phone have biometrics turned off? Is everyone trained to resist interrogation? Has everyone changed login credentials from data breaches? If their phones are Apple, do they have lockdown and advanced data protection turned on? are they not carrying the recovery code on their person? If they’re using an android phone, is it running a trustworthy non manufacturer install? Are they capable of figuring out if an android version is trustworthy? If they’re all in some trustworthy encrypted chat, are they treating it like there’s someone screenshotting?

        A vpn wouldn’t help at all if any one of those things were wrong.

        Just recently, a peaceful talk about Palestinian resistance was interrupted by Zionists and violence broke out. Are all your people 100% prepared even when it’s a seemingly friendly environment?

        Don’t organize online. In person or bust. Don’t take computers with you unless they’re wiped clean except for the bare minimum that is needed to do the job they’re gonna be used for. A phone is a computer.

        • MayoPete [he/him, comrade/them]@hexbear.netOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          I understand completely and I am aware that there are levels of security my little org is not going to realistically meet.

          For anyone reading this planning more “sensitive” things: loose lips sink ships, and follow the advice above!

          My org is what I would consider more of a pipeline for disaffected Democrats to become baby leftists and eventually, maybe, do something cool for the community. As such the threat is more from right-wing activists disrupting events or trying to doxx members, get people fired, etc. So I want folks to start getting the basics locked in now so that if they radicalize more it will be easier going from “I have a password manager and VPN” level secure to “drop the phones in this Faraday bag before entering this meeting”.