
When you self-host, the government has to come to you for your data.

When you use third-party services, the government can go to them. The third party might not fight the request the same way you would. And, you might not even know it happened. The third party might be expressly forbidden from telling you it happened, in fact.

This was why Hillary Clinton wanted to host her personal email in her basement. A physical server that she owned, on property she owned; there was no legal way to request that data without going to her personally. If she had used the State Dept server for her personal email, Congress could have accessed all her personal emails simply by asking State to send them over.

That’s a controversial example, but the same principle is followed by many companies and organizations who have kept some portion of their data self-hosted. It’s often email or some core of file storage that they consider legally sensitive.

This is getting harder to do, though. Look at the recent revelation that the government tried to get newspaper email metadata from Proofpoint, a spam filter provider. Self-hosting a good spam/phishing filter seems almost impossible in 2021, because of the huge amounts of data needed to train filters well.



Spam filtering on your own mail server is easy. 99% of spam is generic automated e-mail that is sent in bulk with lots of spoofed metadata (domain, sending address, date, etc.). I have an address on a domain that used to be hosted by a third party and it got tons of spam. At some point I moved the domain to my own server with mailcow, and it blocked the vast majority of spam out of the box with no false positives. It uses rspamd; not sure if they have a tweaked config for it or something.

Generally I really like mailcow. It makes dealing with all the ugly parts of hosting e-mail fairly simple.


I'm using mailinabox, very similar to mailcow. Before that, did all the config myself.

Incoming spam is hardly a problem. SpamAssassin, rspamd and the like catch most. Greylisting the rest. Once a year I see an uptick in spam, spend a few minutes diligently marking everything as spam/not spam, which the server then uses to retrain itself a little.

Spam filtering when self-hosting is hardly more work than on Gmail, Live, Proton and such.

Your outgoing mail, in combination with spam filtering, however, is an entirely different and tough problem.


In the country I live in, Brazil, the federal police have been breaking into people's homes/offices and taking away all digital devices at once: laptops, phones, thumb drives etc.

That makes me think about what type of contingency I should have in place to stay minimally operational after such an event happens to me. A VPS somewhere with my work toolkit installed and files synced via Syncthing, for example? Maybe... but what if the police could get to the same VM via the confiscated devices? I don't know...


You can make an authentication method strong enough on the VPS, multiple factors, even IP block lists so they'd have to do it from your home.

Secondly, your local machine should encrypt itself if that's your threat model. They can take it while it's still on, but if that's actually a concern for you, you can figure out a way to trigger a lock or a shutdown if things change. If it's a stationary machine, it can be easy to notice your environment changing: maybe you can't find the MAC addresses of your switch any more, maybe all 10 of your neighbors' SSIDs are no longer visible. Perhaps lack of internet is good enough.

Phones are a lot harder because their environment changes a lot more, but you can still check things like whether your computer has decided to lock itself. In the end, if your threat model involves that kind of risk, you can set your devices up to brick themselves or at least shut down and encrypt themselves.

Last, you'd probably want a device so that you can do the things. A phone and/or old laptop with an OS already installed that you can retrieve.


That's an interesting opsec problem. Here is the solution that requires writing more software:

1. Find some friends or people you trust to not sell you out to the police. Ideally, these people should be in another country.

2. Place a server box on their property. This box will be a replica of your every-day home-server and devices.

3. However, in order to stop law enforcement from technically [1] finding this replica-box, you will need to use Tor. This ensures your home-server does not store the ip address or the physical location of the replica-box.

4. If your home-server is taken by law enforcement, you can buy another home-server and use memorized details (or call your friends on a burner phone) to restore a backup from the remote device [2].

[1] Please note that law enforcement can legally compel you with threats of jail time to reveal where these replica boxes are.

[2] Since you will probably be under surveillance, it's unlikely law enforcement will allow you to freely communicate on the internet with new devices and servers.


Regarding [1], do you know Brazilian law? I don't. In any case, the right to not incriminate yourself has been widely adopted, and in principle, could perhaps be invoked here, too.


> but what if the police could get to the same VM via the confiscated devices? I don't know...

This is usually what passwords are for: something you know that cannot be stolen (short of rubber-hose cryptography).


Yes. For that I've been thinking of using VeraCrypt's hidden volumes. A volume inside another volume where an adversary cannot see their boundaries, which could allow some plausible deniability for passwords. I guess.


Manually rotated offline backups. Copy all your stuff to an external hard drive and stash it at your least technical friend's place. Go visit them once a week and swap the drive while you're there. You might lose up to a week's work but the bulk of your data will be safe.


If your server has full disk encryption it should be relatively safe against attacks where they just take the device, and so whatever you use to sync should be safe too?


It depends whether you want to preserve your work somewhere so that it cannot be wiped, or if you want to secure it so nobody has access.

In the first case I would set up an "append-only" system where you cannot delete anything, just append information. This could simply be an incremental backup system.

Have it managed by someone outside your country, you would just be a user.

In that case, if they grab everything they cannot delete what you have there, and they cannot access it as administrator either.

If you want to protect against the second case, it gets much more complicated.

You need to encrypt the systems that hold the data and make it so that the encryption key is wiped from the systems if they are in a panic state. This can go as far as you want: no more Internet (the machine was disconnected), or the trigger on the door of your basement starts a countdown of a few seconds you can only stop by logging in - otherwise the system shuts down (or better, cuts the power).

An extra complication is if you fear that you can be forced to provide decryption keys. In such a case you could go for dynamic keys that are provided to you by someone else outside your country, through a process that ensures that you are safe.


"you want to preserve your work somewhere so that it cannot be wiped"

This is my biggest concern. Confiscated devices are never returned to their owners.


Pick a VPS from a hosting provider outside of your home country (Brazil in this case). Use it to hold encrypted backups. Either a Syncthing instance configured as untrusted, or just btrfs send incremental snapshots and filter the stream through gpg on the way out.

I suppose your other issue is making sure that payments still get made in a timely manner if for some reason your home country freezes your assets or you get arrested. I guess it just depends on what you're up to and how paranoid you are. Personally I wouldn't worry about it too much. You could probably just deposit a portable hard drive with a friend or relative periodically if you're that concerned.


> When you use third-party services, the government can go to them. The third party might not fight the request the same way you would. And, you might not even know it happened. The third party might be expressly forbidden from telling you it happened, in fact.

I just read the LinkedIn Incident [1] from the Darknet Diaries, and it's scary how the FBI managed to get all that information about the Russian hacker.

[1] https://darknetdiaries.com/transcript/86/


I'm a bit astonished that LinkedIn's IT[0] needed the FBI to figure out that the person had a unique useragent. And that they don't have alerts for unknown IPs SSH'ing into their server.

[0] though this is before Microsoft acquiring them, so it was probably just the usual startup reckless abandon.
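The second point above (alerting on SSH logins from sources outside the expected set) is easy to check from the sshd log itself. This is an added example, not code from the thread or from LinkedIn; the log lines, host name and the allow-listed networks are constructed:

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines in the usual syslog format (sample data, not real logs).
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:07 bastion sshd[1201]: Accepted publickey for deploy from 10.0.4.12 port 51234 ssh2: ED25519 SHA256:AAAA
Jun 12 03:15:40 bastion sshd[1220]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jun 12 03:15:42 bastion sshd[1220]: Failed password for invalid user admin from 198.51.100.23 port 40023 ssh2
Jun 12 03:15:44 bastion sshd[1220]: Failed password for root from 198.51.100.23 port 40024 ssh2
Jun 12 03:16:01 bastion sshd[1231]: Accepted publickey for deploy from 10.0.4.13 port 51240 ssh2: ED25519 SHA256:BBBB
Jun 12 03:21:09 bastion sshd[1250]: Accepted password for deploy from 203.0.113.77 port 60001 ssh2
"""

# Assumption: administrators only ever connect from these networks (an office range and a VPN pool).
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.4.0/24"), ipaddress.ip_network("192.0.2.0/24")]

# Matches "Accepted <method> for <user> from <ip>" and "Failed <method> for [invalid user] <user> from <ip>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict with result/method/user/ip for an sshd auth line, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_known_source(ip, networks=KNOWN_NETWORKS):
    """True if ip falls inside one of the allow-listed networks; unparsable addresses count as unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def analyse(log_text, networks=KNOWN_NETWORKS, fail_threshold=3):
    """Walk the log once and emit alerts: successful logins from unknown sources, repeated failures per IP."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        event = parse_sshd_line(line)
        if event is None:
            continue
        if event["result"] == "Accepted" and not is_known_source(event["ip"], networks):
            alerts.append({"type": "login_from_unknown_ip", "ip": event["ip"],
                           "user": event["user"], "method": event["method"]})
        elif event["result"] == "Failed":
            failures[event["ip"]] += 1
            if failures[event["ip"]] == fail_threshold:  # alert once, when the threshold is first reached
                alerts.append({"type": "repeated_failures", "ip": event["ip"], "count": fail_threshold})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUTH_LOG):
        print(alert)
```

On a real host the same routine would be fed by `journalctl -u ssh` or `/var/log/auth.log`, and the unknown-source alert is the one that catches the case the comment describes.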


I recently had to hand over a ton of data for a police investigation. The data had to come from off-site backups, and I had to write manual SQL queries because of unique data requests that required cross references. All in all a lot of work that would be hard and time consuming to get if they bypassed me and accessed the raw data from my VPS provider. It would have saved me a ton of time, though, had they bypassed me.


Did you charge them fees? It can be possible to reasonably recover costs associated with these efforts.


No, I didn't. Not sure this is possible in the Netherlands. I had an hour long Teams call for them to know what data they could request. After the formal request came in it took a good part of the day to get everything they requested. Received some follow up requests so probably a full day "lost". If nothing else it was a good test of the backup system.


If it happens again, it may be worth asking. I don’t think this is the kind of thing agencies offer cash for out of hand.

I don’t know how law-enforcement is funded there, but presumably they do use contractors and service providers.

If their alternative is to pay a contractor who has no familiarity with your system, it would be preferable to simply pay the person who knows what they’re doing and be done with it.


It doesn't work that way. Government forces us to use their service for a fee, and forces us to provide services for free. Tax filing, and handling authorities requests are prime examples.


It does sometimes in the US.

Some agencies will pay companies to perform digital forensic work necessary to offer data. Even administration of the job of forensic work, i.e. PM-level assistance, can be compensated.

This includes if a company is served a subpoena and a warrant to provide certain data.

Billing can be good, certainly valley-competitive.

IIRC, this has been well covered as a thing that happens at big tech companies, including Facebook, but it also can apply to small ones.


> When you self-host, the government has to come to you for your data.

Right, and your example of a literal server in a basement supports that, but if you are colocating or using a VPS they will almost definitely go to your provider first and probably won't even tell you.


Nope. If you colocate hardware which you own (which is what colocation means), then they can't just go get your hardware. Even if they break the law and nab your hardware, you'll know because it's down.

With VPSes, they can get your data and you might never know. It's an extremely important distinction.


To clarify this, the government has to go through certain procedures to seize your private property. If you own a hardware server, it is your property, even if it is sitting in someone else’s data center.


Supposedly they have to do that for safety deposit boxes too, but as recent events have shown in LA, that doesn't stop them from seizing everything including those boxes and then opening them up to take inventory. A judge objects, but it's too late. Now people are having to prove that they own whatever was in those boxes to get their stuff back, and if they can't -- everything is gone.


If you encrypt the disk, is a VPS provider going to bother going to the effort of trying to hook into the running machine via their hypervisor in a way that won't be evident to the owner of the server?

I'm not saying they can't; I just don't see that they would spend their time doing this when they can send the request to the server's owner and then it's no longer their problem to deal with.


Unless you’re in an environment where you literally have to type or provide the decrypting key on each start, you are dealing with a situation where your provider has both the encrypted data and the encryption key.


> Unless you in an environment where you literally have to type or provide the decrypting key on each start

The OS may boot up, but one could have the data on a separate volume. Services won't start until that volume is mounted, which could be manual-only. Either LUKS-on-any-FS or encrypted ZFS would work.

With encrypted (Open)ZFS you can actually send encrypted bits remotely: the destination does not need the key to save the bit stream to disk, so you can have a secure cold storage copy of your data.

> There's an even more compelling reason to choose OpenZFS native encryption, though—something called "raw send." ZFS replication is ridiculously fast and efficient—frequently several orders of magnitude faster than filesystem-neutral tools like rsync—and raw send makes it possible not only to replicate encrypted datasets and zvols, but to do so without exposing the key to the remote system.

> This means that you can use ZFS replication to back up your data to an untrusted location, without concerns about your private data being read. With raw send, your data is replicated without ever being decrypted—and without the backup target ever being able to decrypt it at all. This means you can replicate your offsite backups to a friend's house or at a commercial service like rsync.net or zfs.rent without compromising your privacy, even if the service (or friend) is itself compromised.

* https://arstechnica.com/gadgets/2021/06/a-quick-start-guide-...


Nobody is arguing that it's not possible. We're just saying it's a huge hassle and that even being willing to go through the hassle on every boot is itself a red flag.


It's not a huge hassle, it's a mild hassle. I'm no ZFS expert, but LUKS is trivial.


How many times do your systems reboot?


But typing in the key at boot / mount time is the only setup when disk encryption makes any sense at all.


Full disk encryption with the key stored in a TPM or something makes sense as a way to enable a quick secure erase. If you clear the key from the TPM, the storage is useless; or if the storage gets removed for decommissioning, it's going to be hard to match it back up to the TPM, even if the TPM isn't cleared.


Dumping VM memory contents is pretty trivial.


AMD's SEV and Intel's SGX should protect from this. Of course, you still have to take the VPS provider's word that they've enabled them on their CPUs.


...which is approximately zero VPS providers. I haven't seen them advertised outside of specialty azure/aws instance types.


> you still have to take the VPS provider's word that they've enabled them

No, you don't. Both of those implementations provide hardware attestation via vendor keys securely embedded in the CPU. I have no idea if any providers currently make such features available though.


That is for applications specifically written to compute on the secure element, no?


The parent poster probably got his terminology confused. AFAIK SGX runs on the secure element, SEV is for isolating the VM from the host.


> Self-hosting a good spam/phishing filter seems almost impossible in 2021

No, it's very easy to filter spam locally. You don't need huge amounts of data, just your regular email. Which makes it much better on your data.

Having run my own email infrastructure for a long time, I find filtering spam is a non-issue.


I self-host my personal mail server with stock Debian / Exim / SpamAssassin without any tweaking on a tiny A20 Olimex server. Spam filtering works better than that of the professional posteo.de service which I also use for a club.


How is your email deliverability though? My main issue was having my mail sent to spam even if my IP was clean. I resigned and moved to O365 and haven’t had issues. But I hate that I had to do that.


Not OP, but I have had deliverability problems with only one provider, and that is outlook.com. They seem to not care at all whether you have set up everything correctly (I pass all checks for reverse DNS, SPF, DKIM, etc., and I am not on any blacklists) but just have their own shitty whitelist of senders and throw everything else in spam. I had to throw in the towel and send through an SMTP proxy hosted by my VPS provider which solved all issues.

Please try to avoid using O365 as they literally are the main culprits that make self-hosting email a pain in the butt.


Wanted to say exactly the same thing.

I've set up everything according to best practices (SPF, DKIM, TLS, static IP for almost a year, reverse DNS, blacklist removal, spam checks).

I've also repeatedly contacted Microsoft support to get unblocked. All my requests to whitelist the IP in the last year or so have been ignored.

Microsoft is the sole bad actor I've encountered in more than a decade of self-hosting email.

On principle, I've decided not to use a different provider, and users on Microsoft services will not get emails from me or from my websites.

This will only change if enough people complain. As a paying O365 customer, I'd encourage you to open support tickets that you're not receiving emails from some of the smaller email servers, e.g. those hosted on DigitalOcean.
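The two posts above list SPF among the checks a self-hosted sender has to pass. A minimal SPF evaluator, added here as an example and not taken from the thread, shows what a receiving server actually does with the record; the zone data, domain names and addresses are constructed, only the ip4/ip6/a/include/all mechanisms are modelled (mx, ptr, exists and the redirect= modifier are not), and a real check would query DNS instead of the dictionary:

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups (sample values, not real domains).
FAKE_DNS = {
    "txt": {
        "example.org": ["v=spf1 ip4:203.0.113.10 a:mail.example.org include:_spf.relay.example -all"],
        "_spf.relay.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
        "weak.example": ["v=spf1 ip4:203.0.113.10 +all"],  # common misconfiguration: +all authorises everyone
    },
    "a": {"mail.example.org": ["203.0.113.11"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, dns=FAKE_DNS):
    """Return the domain's v=spf1 TXT record, or None when it publishes none."""
    for txt in dns["txt"].get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate whether `ip` may send mail for `domain`: pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # guard against include loops (RFC 7208 caps DNS-querying terms at 10)
        return "permerror"
    record = get_spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not modelled here
            return "permerror"
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network containment is False across address families, so an ip4 term never matches IPv6
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            matched = str(addr) in dns["a"].get((value or domain).lower(), [])
        elif name == "include":
            matched = check_spf(ip, value, dns, depth + 1) == "pass"
        else:
            return "permerror"  # mx, ptr, exists are not modelled
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def record_is_too_permissive(domain, dns=FAKE_DNS):
    """Flag a record whose final 'all' carries '+': it authorises any host on the internet to send as the domain."""
    record = get_spf_record(domain, dns)
    if record is None:
        return False
    terms = record.lower().split()[1:]
    return bool(terms) and terms[-1] in ("all", "+all")


if __name__ == "__main__":
    for sender in ("203.0.113.10", "203.0.113.11", "198.51.100.5", "192.0.2.9"):
        print(sender, check_spf(sender, "example.org"))
```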


I've had Outlook suddenly start sending family member's Gmail addresses to spam on multiple occasions. I truly don't understand what's going on there.


Same experience. I run a small ISP. We only take paid clients so no one is a spammer (other than lost passwords). No delivery issues elsewhere, yet Microsoft filters absolutely everything into spam. Emails to support just get a "your request has been denied as not applicable" or some such junk.


No problem at all. I do not host from home, because the IPs of private cable providers are blacklisted in spam lists, but from a colocation in a small data center.


Not the OP but I have a similar environment, and do not know of any deliverability problems. Early on I found mails to one or two providers, like Yahoo and some Canadian ISP were bouncing, but I got a new IP and those troubles went away.


> When you self-host, the government has to come to you for your data.

And better, if you catch wind they're after you, you can format your HD to zeroes, or (if you don't want even the physical drive around) throw it in a fire or something :).


Friendly reminder that if law enforcement asks you for data, you can fight it in court, but they can require you to preserve the data while you fight. Deleting data under such protection could end with you facing an obstruction of justice charge.


Better yet is for the government to not even know the data existed, non? (Of course, you'd better make damn sure that they had no way of knowing before.)


And when you do this they go ahead and convict you for that instead, which is often much easier than whatever they were trying to get you for in the first place.


The person in the example got to use any criteria she wanted to distinguish personal from work email (which seemed to be sorting on keywords and phrases), do all this privately before turning the work emails over, and IIRC charge the government for the time it took. If she had co-located, I bet they could have carted that server away, and her people would have had to do the same process in some office with officials in and out of the room and over their shoulder.


I agree keeping all or some portion of data self-hosted should be an important aspect of data storage for everyone, but the same does not hold true for email. You see, the problem with emails is that unless you are sending emails just within your organization and controlling where it lands (landing server), you cannot guarantee where it lands.

Email is communication with other people; if you are sending an email to a person using Gmail, your basement server for email gives you no protection over your email data as such. The government can easily request email data from Google for the recipient's account.


> if you are sending an email to a person using Gmail your basement server for email gives you no protection over your email data as such. Govt. can easily request email data from Google of the recipient's account.

It does give you protection in that they then need to know the recipients' emails and obtain multiple warrants to gather them if they are spread over multiple providers, which may or may not go through. For sure it's easier considering that most people use a few US providers, but it's not always the case (even less so for government matters, which involve foreign countries, and thus foreign providers too).


Another great reason for self hosting if you or an organization you work for will ever be at odds with a governmental power structure:

https://en.wikipedia.org/wiki/Trump_administration_data_seiz...

The most notable example of self-hosting going right is CNN: they self-hosted their emails and were therefore able to fight the court order until it was narrowed and there was a change of leadership in the White House & DoJ.

If you aren't going to self-host, write it into the contract that you must be informed (Google pushed back on the court order because it would have violated the contract with the NYT).

Instances of data seizure that went unimpeded: phone records (both work and personal) for all orgs. Emails for Politico, BuzzFeed, the Times, a congressional staffer, and more. iCloud metadata for at least a dozen individuals associated with the House Intelligence Committee, and more.


Mail-in-a-box [0] has a very good mail filter. Junk mail is about at Gmail levels for me, with almost zero false positives and almost zero false negatives. Some of my accounts are fairly high volume and I have found its performance to be very acceptable.

The fact that I can host as many domains and accounts as I want with all kinds of filters and rules and forward them all to my main account as needed with rules is just gravy.

[0] https://mailinabox.email/


Hillary Clinton was being investigated for using her personal basement server to handle official emails containing classified or confidential information. Something which, if I had done it when I had a security clearance, I would have been not only fired on the spot, but escorted off the facility in handcuffs for doing.


Anyone can put classified information into your email account by forwarding the right news story or Wikipedia page to you in an email. There is a lot of classified information that is also publicly known. Federal law enforcement understands this and takes it into account when deciding to prosecute.

Note that Hillary Clinton was not prosecuted despite the subsequent administration basically running on a promise to do so.

Official business with classified information is never done via email, even if everyone is using the government email servers. There are separate networks, devices, and protocols for storing and operating with classified information.


Also, as has been said repeatedly, the US government doesn’t have a binary “classified” or “not classified”. There are many different levels and administrations introduce/adapt them as necessary[1], and there is a practice of retroactive classification.

[1] https://en.wikipedia.org/wiki/Classified_information_in_the_...


Though with TPM/full drive encryption you can have a box you own hosted by a third party but that third party cannot "open".


What was the most popular TPM chip for many years had a broken RSA key generator. It produced private keys that could be cracked with $76 worth of computing power:

https://www.bleepingcomputer.com/news/security/tpm-chipsets-...

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

It is really hard to see this as anything other than a bugdoor.

My laptop has this TPM chip. I am really glad I never used it, and even went so far as to disable support for it when I built my coreboot image.

Products sold with the buzzword "trusted" are a magnet for this sort of garbage. They've painted a "please bugdoor me" target on their back. The only thing you can hope to trust is general-purpose computing devices, with a large market, that obey their owner. Unfortunately it is increasingly difficult to find those.


As long as it's running, anyone can exfiltrate your key material from SDRAM. And even for a few minutes after it's running, if they can dump them in LN2 quickly enough. There are kludgy schemes to make this harder, like Schneier's Boojum, but in the end your attacker just needs enough resources and patience.

Most FDE schemes don't run crypto ops on the TPM itself - key derivation occurs there, then the results are cached in RAM ( or sometimes, protected CPU registers, in which case they may be able to inject privileged code into the kernel address space? ).

LUKS on a colo will probably protect you if you're a fentanyl distributor or movie pirate. Probably not if you're a terrorist or a high-value nation-state target.


> When you self-host, the government has to come to you for your data.

Sure, but my ability to stop them is probably substantially smaller than, say, Amazon's legal department's capabilities.


What incentive does Amazon have to fight against the government on your behalf?


I left open a proxy by mistake on an OVH server years ago, for 4 days. People found it and used it for fraud.

A few months later, all my personal Gmail accounts were seized and I received an email (that I could read after changing my password) from a police department in god fuck knows where middle of nowhere countryside asking me for data on the proxy usage.

Sadly I had cancelled the server subscription since I didn't need it anymore (and probably hadn't kept any logs anyway since I was just playing around with a server), but I really really wanted to help.

I mean, it's rare the police would call you for a legitimate usage and political suppression. They call you for fraud with damage, and it's awful being responsible in small part but unable to help... I was not mad they read all my emails, I was sorry someone lost money because of my mistake.


> left open a proxy .. People found it and used it for fraud

Maybe I haven't had enough coffee, but I'm failing to connect how leaving a proxy open was a major enabler for fraud. What kind of fraud?


The trust of their customers?


Afaik the US Government is a big Amazon customer.


I would imagine that particular customer would rather Amazon not quietly honor, say, a Russian subpoena for their data.


does it mean you have to put your data into Yandex or Alibaba Cloud if you wanna avoid USG quietly getting it?


The problem for an Amazon hosted server is US subpoenas, not Russian or European or whatever...


Amazon has AWS regions in six continents.


Ha ha ha ha ha...

Amazon? Trust? People trust Amazon to exist and to bill. Providing services to those who pay the bills is almost incidental.


Any company's legal department is like HR: its role is to protect the company, not the employees and certainly not the customers.


Even more so for non-paying users, as in gmail or facebook.

Especially when the companies are already happily selling account metadata.


Getting a reputation for handing customer data over to the government without a fight seems like the sort of thing that would damage a hosting company.



>It didn't effect Experian.

You, as a consumer don't really get to choose experian or not.

>It didn't effect Yahoo.

Who says it didn't?

>It didn't effect Sony.

So a bunch of internal business documents got leaked. As a consumer I couldn't care less.

>It didn't effect AT&T.

If every provider was mandated to do this, then I wouldn't call it "poor data security reputation".


It’s probably better than you think. You’ll need a competent lawyer but beyond that you’ll depend on the court system, which attempts to put you and the government on equal footing.

Depending on the legal issue at stake, it might also be possible to access additional legal expertise pro bono, or through an organization like the ACLU.


Amazon probably won’t even try.


They’ve clearly and openly committed to trying for years. https://www.computerworld.com/article/2705826/amazon-web-ser...

Even Twitter doesn’t like to roll over, and they’ve got a lot less at stake. https://www.latimes.com/politics/story/2021-05-17/twitter-fi...


But your ability to delete the data is substantially higher than your ability to get Amazon to delete it.


If you are hosted on AWS, it is really easy to delete your data.

Also, you can encrypt it with keys that they will NOT use to decrypt.

The data will also NOT leave the region (or country) that you specify


What guarantee do you have that Amazon will delete it when you tell them to, though? It doesn't even necessarily come down to whether you trust Amazon ethically and legally, but also whether you trust their internal processes.

Shredding the data on your own hard drive gives you a pretty good guarantee. Drilling a big gaping hole through it afterwards gives you an even better one.


Is the "NOT" due to process, or technical constraints? Because it's very easy to make an exception to normal process if the right people are asking.


Quite the opposite.


Ability and willingness are two different things.


> When you self-host, the government has to come to you for your data.

Yes, and rather than sending a letter to the hosting company, they can come to your house and confiscate all electronic equipment. (That's not a joke, btw: when local LE comes to your house, you can lose anything electronic from laptop/server down to backup drives and iPod, possibly taking years to recover.) For me that doesn't sound like a good potential tradeoff.

> This was why Hillary Clinton wanted to host her personal email in her basement.

[citation needed]



