6

Countries That Don't Retain Data. sofiaglobe.com

Submitted by aiwendil in security_culture (edited )

So far it looks like Sweden and Switzerland have adopted the EU's policy on data retention. I finding it pretty difficult to find countries that don't mass collect data. Bulgaria seems like the best bet at the current juncture. As such I am configuring tor to only use exit nodes located in Bulgaria at the moment, but would like to dig up some information on other countries that respect privacy.

Here is a list of tor country codes that you can use to either whitelist or blacklist certain countries: https://b3rn3d.herokuapp.com/blog/2014/03/05/tor-country-codes/

You can edit your /etc/tor/torrc to include the following lines to force tor to use exit nodes in bulgaria:

ExitNodes  	{bg}
StrictNodes 1

You can also exclude nodes of any type from any country, which I do for nodes in the US, UK and EU member states and other countries that are involved in the 14 eyes agreement:

ExcludeNodes {us}, {au}, {at}, {be}, {ca}, {cz}, {cy}, {dk}, {ee}, {fi}, {fr}, {fx}, {gf}, {pf}, {tf}, {ge}, {de}, {gr}, {gl}, {hu}, {is}, {ie}, {il}, {it}, {jp}, {lv}, {li}, {lt}, {lu}, {nl}, {an}, {nc}, {nz}, {no}, {pl}, {pt}, {pr}, {ru}, {uk}, {sg}, {sk}, {si}, {gs}, {es}, {se}, {ch}, {tr}, {ua}, {gb}, {um}, {uz}, {cn}, {kp}, {kr}

This is by no means exhaustive, but will help to make your connection a little more secure.

Comments

You must log in or register to comment.

4

aiwendil wrote

I'm already noticing that Bulgaria seems to block tor hidden services. Anybody know of a list of reliable exit nodes?

3

BlackFlagged wrote (edited )

For reference:

5 eyes: United Kingdom, United States, Australia, Canada, New Zealand

9 eyes: Denmark, France, the Netherlands, Norway

14 eyes: Germany, Belgium, Italy, Spain, Sweden

2

aiwendil wrote

Alright, I am pretty sure I got all of those in the country codes. At the moment I have to remove StrictNodes part of the settings because it was seemingly causing issues getting to hidden services. Not sure why that would be. My confidence is really going down with tor lately, given everything going on with it.

1

ziq wrote

What's going on with tor?

2

aiwendil wrote (edited )

Well, there is the whole Jacob Applebaum sex scandal thing. Also all the darknet market busts that happened. Seemed like people were careless about letting personal information slip, but really when running a project like that you don't have to be that careless. With all the attention you will get running a darknet site, where ever it happens to be that you slipped up is going to come out eventually. However, Sessions made some cryptic claims about people not being as anonymous as they think they are with tor and shortly there after Lucky green quit saying something along the lines of having to step down for ethical reasons. It seems like a lot of attacks on the credibility of tor all at once. I think it is time for some serious community auditing, because between Lucky's cryptic statements and Sessions' cryptic statements, I am starting to think the is some FISA gag order shit happening. Obviously that is just my impression, I have absolutely no proof, but it just seems like a lot of bad press lately.

In addition to what I covered in this post, I've also been running a script I wrote similar to needl from a few vm's to try to create a lot of dummy traffic through various entry and exit nodes as well as from the computer I typically browse through, so usage meta data theoretically becomes more difficult to collect, but I don't recommend others do this yet as running this code could be potentially identifying in and of itself.

I would like to see tor adopt something like i2p's system for combining multiple packets into one, so it becomes impossible to tell which, if any packet originated from your computer. Also having all computers on the network routing packets seems like another good idea... Also having separate tunnels for inbound and outbound taffic seems like a good idea. Ultimately I think I2P would be the future if there were more outproxy/exit nodes.

All that said, if tor has been infiltrated or compromised from the inside, none of this matters. So I2P's system of keeping the developers pseudonymous is probably a something tor should adopt as well. We don't need to know who the developers are in order to accurately audit the code...

I know that is a lot, but the darknet world is a kind of scary place right now. I could only find one country with favorable laws regarding data retention and they block hidden services somehow, so there are a lot of problems to address.

2

TonySoprano wrote (edited )

Let's hope it stays put at 14.

2

aiwendil wrote

It's hard to really know until we get the next Snowden level leak, which is like a twice a century thing at this point. Most government employees are totally cool with what they are being asked to do in the name of "National Security," So since the modern intelligence community was formed during WWII, there have only been two leaks on that level, including the Snowden leak, but then there was the Pentagon Papers released by Daniel Ellsberg. It would be nice if we could get this kind of information out of the government every couple of years, but since we can't, let's just assume that they are constantly expanding the scope of data collection to the best of their modern abilities. A 5-6 years ago, those abilities were startling and now they should be assumed to be even more startling.

1

Ape wrote

The moment you believe you're secure because of "thing X" you're fucked.

1

aiwendil wrote

I generally agree, but the moment you stop giving a shit about security because it is a lot to keep up with, you and all your comrades are fucked.