POLICY SUGGESTION: E-Mail Requests From The Religious

In the current sociopolitical climate, I would be extremely suspicious of requests for E-mail addresses from newcomers, especially given the manner in which US Christian Nationalists have effectively been given the green light to launch their long-awaited Inquisitional theocracy. Right now, if you’re an atheist and a US resident, these people are an existential threat to you. Who knows what activity they’re gearing up for, and to what nefarious ends they will use any information on US members they happen to glean from here?

For reasons of personal safety, I would suggest that as a matter of board policy, any request for ‘personal’ communication on the part of any religious newcomer here be treated as a potential ICE intelligence operation, with a view to ‘disappearing’ anyone foolish enough to reply. The US climate is now that dangerous.

I suggest in addition that the admins act accordingly to protect US board members, or members of other nationalities posting from US locations, from the very real threat of an unpleasant fate.

Clearly, the US is now headed not by a ‘government’ or an ‘administration’ in the normal sense, as understood in regular jurisdictions, but instead is now run by a junta. One whose rhetoric is explicit - namely, that said junta considers anyone outside the Christian Nationalist pale as an enemy to be extirpated. Not only atheists will be affected by this, but people of faiths other than Christianity, and indeed progressive and socially concerned Christians who disagree with the hijacking of their religion by fascists.

We live, sadly, in extraordinary times, and extraordinary measures are called for. I suspect the admins are aware of this, and if so, I am not going to aid and abet the enemy by asking for a public statement on this. Instead, I will urge that they take whatever sanguine measures are required in a suitably silent manner.

Our forum could become, quite literally, a lifeboat for many. Let’s make it a secure one.

4 Likes

Although no guarantee, electronic prophylactics and adequate opsec (operations security; preventing sensitive information from getting into the wrong hands) get you a long way.

Today, it is extremely easy to make new and anonymous email accounts. That is, they would in practice be as anonymous as your own opsec. And key for opsec in such circumstances is, among other things, to use a pseudonym or a nondescript generic word when registering it. And also to register at a place where your real name and the content of your mails will be protected. Among the email providers I am aware of that fulfill these requirements is ProtonMail(*), located in Switzerland. It will deliver adequate security for consumers.

Combine this with a decent VPN (ProtonMail also has VPN) and possibly also an additional email forwarder that gets rid of email trackers, and you should be adequately protected.

But first and foremost: opsec is the most important step. Don’t give away personal information that can identify you, directly or indirectly. Be intentionally vague about personal details, and never mention details that can identify you.

(*) For the record, I am not affiliated with ProtonMail in any way, I’m just a happy user of their services.

1 Like

This scares me. I sure hope they don’t start a Salem Witch trials on Atheists in the states. If so, it was good knowing all of you. :face_exhaling:

1 Like

Same here. I use both their email and their VPN.

The VPN is a bit of a PITA, as all VPNs are. I have to remember to turn it off when sending business emails because my client’s email server rejects foreign IP addresses. Once in a while, I have to cycle it on & off to get access to a particular web site un-stuck. That is just enough that my non-techie wife finds it unusable; I take it in stride, but she can’t. This is a problem for some users and there’s no easy way around it. Adding more moving parts to a system creates opportunity for more edge cases.

I think such requests are more likely to be for personal reasons such as a desire to directly proselytize. It’s going to be very inefficient in the context of an at-scale surveillance state. The greater threat IMO is this site being subpoenaed for logs and things of that nature. I’d feel better if its servers were physically located outside the US. My concern is about logs of connections and IP addresses more so than access to posts, which anyone can read by browsing the site anyway.

If people in the U.S. government really want to find you because of your posts in this tiny corner of internet, I don’t think a vpn is going to prevent it. If it gets so bad that they want to hunt down atheists or folks who are not magats, they will, whether you’re paying for a vpn or not.

VPNs obfuscate one’s real IP address, rendering the traffic untraceable. With Proton VPN up, one will generally appear to be posting from Switzerland or Finland, sometimes even a different IP in the US from your actual one, depending on various factors.

Many here don’t use the extra protection of a VPN. That is why I do not want your logs being subpoenaed. Also, the site has my “real” email address and I don’t want that outed, either. Which is why being beyond the reach of the US regime is desirable.

Now if I let slip some detail of my personal life that could be cross referenced or used to narrow down where I live with some accuracy, that’s on me, and could happen no matter where the servers were. I’m responsible for that piece.

All that said, I am aware that physically moving the site to Canada or whatever is a lot to ask for a site that is run by volunteers and probably paid for by one or two people and the occasional donation. So a halfway measure might be to have very narrow retention policy on your logs – just enough to support identifying sock puppets, etc., maybe truncating log entries older than a month or a couple of weeks or whatever you think you can get by with. If you need to retain data longer, it could be downloaded to the admin’s local drive for reference – it would be harder for the surveillance state to find, or know to ask for.

Of course all of this isn’t important, until it is. I have a lot of hedges in my personal life, lacking a crystal ball to know how badly supply chains or the economy itself will falter. So a deep pantry, some basic power backup, water filter and rain catchment, a garden, stuff like that that isn’t a big investment but might smooth out the speed bumps. I think everyone, including site operators, should be thinking about similar hedges. It’s not fun, it’s just another blasted thing to have to do, but the day may come when you’re glad you spent some time on it.

My $0.02 plus inflation – do with it what you will.
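An added example (not part of the post above, and not this site's code) of the narrow log retention policy it suggests: entries past a hard limit are dropped, and the example goes one step further by replacing the raw IP of older entries with a keyed hash, so repeat addresses can still be matched for sock-puppet checks. The log format, the 14 and 30 day windows, the `anon-` prefix and all function names are assumptions.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Combined-log-style prefix: client, ident, user, [timestamp], rest of line.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) \[([^\]]+)\] (.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def pseudonymize(ip, key):
    """Stable keyed token: equal IPs still match, the raw address is gone."""
    return "anon-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def apply_retention(lines, now, key, raw_days=14, max_days=30):
    """Drop entries older than max_days; hash the IP of those older than raw_days."""
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable: drop rather than keep data we cannot age
        client, ident, user, ts, rest = m.groups()
        try:
            age = now - datetime.strptime(ts, TS_FORMAT)
        except ValueError:
            continue  # bad timestamp: same reasoning, drop it
        if age > timedelta(days=max_days):
            continue
        if age > timedelta(days=raw_days) and not client.startswith("anon-"):
            client = pseudonymize(client, key)
        kept.append(f"{client} {ident} {user} [{ts}] {rest}")
    return kept

# Constructed sample entries (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Feb/2025:10:00:00 +0000] "GET /t/1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2025:09:30:00 +0000] "POST /posts HTTP/1.1" 200 90',
    '198.51.100.7 - - [12/Feb/2025:21:05:00 +0000] "POST /posts HTTP/1.1" 200 77',
    '203.0.113.5 - - [01/Jan/2025:00:00:00 +0000] "GET / HTTP/1.1" 200 1024',
    "corrupted line without a timestamp",
]
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEY = b"constructed-demo-key"  # placeholder; a real key lives apart from the logs

if __name__ == "__main__":
    for entry in apply_retention(SAMPLE_LOG, SAMPLE_NOW, SAMPLE_KEY):
        print(entry)
```

The keyed hash only helps if the key is stored apart from the logs and rotated, since IPv4 addresses are few enough that anyone holding the key can recompute the mapping.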

I don’t think that’s true. I don’t think anything renders internet traffic untraceable.
Please provide a source that supports this assertion.

1 Like

There was a case of piracy years & years ago. This guy was going on Torrents and the feds got involved so his VPN providers turned his IP over to the feds.

So whenever someone likes to argue that they’re untraceable, nope…sorry. If you break the law using one, the VPN providers aren’t going to jail for you. They see everything you look at on their servers whenever you use one.

Proxy servers like Tor used to be safer than VPN up until those were compromised back in 2014.

2 Likes

Fuck me, they must have seen some freaky shit then… :smirk: :wink:

1 Like

A poor quality VPN can leak information. A good one (Proton, or one of the other 2 or 3 typically at the top of review lists) does a far better job.

In particular, a VPN provider can still see your traffic while you are using it. So the main way a VPN can “leak” is to keep traffic logs, which can be subject to subpoena. Proton, in particular, has a strict “no logs” policy, plus Swiss law is such that they aren’t required to keep logs and can’t be required to produce them even if they did.

There are things web sites track, like cookies, that in some circumstances could identify you. There is a protocol called WebRTC that can be leaky, but I don’t use it and Proton has a protection feature for that, should I wish to use it.

It’s possible for DNS requests to go outside the VPN “tunnel” but here again, Proton routes all requests through its own encrypted VPN channel.

So when I talk about a VPN I mean a real one, not one of the free ones that are mostly smoke and mirrors. Due diligence is always necessary when it comes to tech.

I would say that some entity who was truly interested in me specifically could probably cross reference my user names, which are shared between some sites, analyze the corpus of my past postings, and deduce the region I live in, and possibly who my clients are. I have been less careful at times in the past about such discussions. However … I have never made it particularly easy and I certainly am very careful in the past couple of years.

So yeah nothing is utterly foolproof but a good VPN is a LOT safer than no VPN (or a crummy one).

Traceability or untraceability is relative. Given enough resources, everything can be traced. But using a VPN controlled by a company in another country with strong privacy protection laws (such as Switzerland, and to a somewhat lesser degree EU countries), and choosing exit nodes in another country, you should in practice be untraceable for private persons and even quite resourceful adversaries. Any VPN worth their salt operates with a no-logs policy, such as ProtonVPN (Does Proton VPN keep logs? | Proton VPN), to frustrate (or even make impossible) the identification of users retroactively, even by law enforcement.

That’s precisely why I challenged the statement that VPNs render traffic untraceable.

Please help me understand this. Something is either traceable or not. How is it relative?

It is relative to the resources you have available for

  • the ways and means for the technical capability to monitor the (global) network
  • asking law enforcement or intelligence agencies of other governments to monitor, trace, or get the logs
  • accessing insiders that can get you what you want(*)
  • putting enough pressure on companies to deliver what you want
  • surreptitiously inserting technical monitoring equipment at strategic places and/or insert back doors(*)
  • paying lawyers to do the legal work for you

Depending on the situation, on who is asking, and who is being monitored, just one may be enough, but you might need more. A regular, disgruntled individual will most probably not have the resources, so it will be untraceable for him/her. Government agencies with highly technical capabilities and government-funded resources (NSA, CIA, FSB, GRU, Mossad, MI6, BND, and other big and influential intelligence agencies, as well as law enforcement cooperating through e.g. Interpol) will be at the other end of the scale, if the target is important enough. In between these two extremes, you will have persons with shitloads of money (like Musk, Bezos, or Gates) and sufficiently big corporations.

In short, if you are important enough, and persons, corporations, and/or agencies with enough funding and resources want to trace you, there is a chance you will be. If you’re not, and/or you have sufficient opsec and own technical capabilities at your disposal, you can hide so well that even the top dogs don’t want or need to trace you, cannot trace you, or will at least be struggling while trying.

(*) The Crypto AG affair demonstrates this quite neatly.

1 Like

Exactly. Operational security is an arms race basically. But it isn’t a question of, “VPNs can in theory in limited circumstances be breached, therefore they are useless to anyone for any purpose at all”.

In practice, a quality VPN is highly protective for a typical user and most people should add it to their opsec environment. Even if an added measure just makes hacking or doxxing you more difficult (and VPNs go a LOT further than that), it’s a good thing. Hackers have limited resources and tend to go for the low-hanging fruit. Don’t be the low-hanging fruit.

So, it’s not a matter of being un/traceable, rather it is a matter of the tracing entity’s skill and tool set.
Therefore, I stand by my initial challenge of the assertion “rendering the traffic untraceable.”

Not quite. It’s an arms race. Sometimes the tracers will have the upper hand, until suitable counter measures arrive, and the tracee will have the advantage again. It’s like with physical security - you can, in principle and theoretically, break into even the most physically secure vault, even if it is protected by state of the art locks, alarms, and hardened buildings, and protected by a military army with modern weapons. But in practice it will be impenetrable if sound security protocols are followed. Same with cyber security and VPNs - it is in principle and theoretically breakable, but if you apply security measures that are above and beyond your need for protection, you are an unattractive target.

On a semi-related note, it is entirely possible that you will be hit in the head by a meteor tomorrow. But it is so unlikely that you in practice can conclude that it will not happen. And it will be overkill to secure your house and your life on the assumption that it will happen.

1 Like

Given that this started with a discussion about user information being at risk on this forum for U.S. citizens and given the assertion that a VPN would render a user untraceable, I still stand by my challenge. I would hate for folks to feel safe and secure by using a VPN only to find out, the hard way, that they are not.

You can buy the best safe there is to store your valuables or your secrets. But if you write the code for the lock on a sticky note taped to the back of your safe, you effectively leave your stuff without protection. Likewise, a good VPN gives you good and adequate protection, given that you otherwise use relevant precautions. But if you neglect your online opsec and don’t follow good protocols and digital hygiene, you risk that it becomes just security theater.

1 Like

An appropriate analogy here is cryptography versus cryptanalysis.

The former is concerned with devising coding schemes that make life extremely difficult for interlopers, even if they succeed in intercepting a message. The latter is concerned with overcoming the difficulties generated by cryptographers, in order to reveal the contents of intercepted messages.

The only genuinely secure cipher is the one-time pad, and even that has its issues. The former Soviet Union relied heavily on this, and upon the conventions of immunity to search of diplomatic baggage, which was used to transmit one time pads to Soviet embassies worldwide. Break that convention, however, and even one-time pads become effectively useless, unless you can find another means of sending the one-time pads that avoids interception.

Ciphers that involve reversible encryption are always in principle amenable to being deciphered by interlopers, but the aim here is to make that effort so onerous as to be practically useless. If cracking your cipher means that even the fastest supercomputer you can buy will take longer than the age of the known universe to succeed, you can regard that cipher as secure for the time being, until of course quantum computing with large memories becomes an affordable reality.

That development, of course, will mean we’re all fucked. It will mean none of us have secrets any more. But, I suspect the principal first users thereof - namely governments - will be relishing the unprecedented opportunities for espionage that this presents, before moving on to surveillance state usage. Affordable (to governments at least) quantum computing (especially if it includes in-memory processing) will launch a race to be the first to hoover up rival governments’ secrets, including their military technology and military policymaking. Which, after all, is the holy grail of any intelligence operation.

Of course, gathering the data is simply one aspect of running a surveillance state. Managing that data effectively is another, and the one that’s going to concentrate minds wonderfully if, all of a sudden, exabytes of hitherto unavailable data becomes freely available to any government with a quantum computing operation. Even a properly trained AI operation is going to have its work cut out sorting out the wheat from the chaff, so to speak, and of course, an improperly trained AI is going to be a civil liberties and human rights nightmare, even in a sane and properly concerned jurisdiction.

Then, of course, there’s the little matter of what’s likely to happen the moment corporations acquire such a facility. Big, fat corporations have a lurid history of rampant technology abuse even now, and frankly they are the last group of actors in this arena I would trust, for good reason.

But, even in a non-quantum present, we face a combination of rapacious corporations being handed free gifts by bought and sold politicians, and a frankly deranged ersatz for government in the USA. One that’s hell bent on turning The Man in the High Castle into a nightmare documentary - with added religious lunacy as icing on the rotting cake.

There’s no such thing as perfect security. But making it as difficult as possible to breach your defences is always a good idea.

1 Like