I like history, current events, privacy and security as subjects for reading and thought. An interesting subject at the intersection of these is that of honeypots. I thought it might be a good subject for off-topic discussion.
I’ll throw out the famous Crypto AG honeypot as a historical example and the FBI’s Anom network as another.
A recent piece of news along these lines was Tutanota being fingered last month as a honeypot by a Canadian official on trial for espionage crimes, and then issuing a spirited denial.
Probably all of them, if you broaden the definition a little bit. Everything that is not 100% open source cannot be 100% trusted.
I’ll give you examples: Bitwarden offers zero-knowledge vaults. Meaning the server doesn’t know your password; it’s used locally to decrypt the content downloaded from the server, and you can verify that by looking at the client’s source code. But that “sign up” page where you create your account probably isn’t open source, and even if it is you can’t really be sure the server is running the open-sourced code.
Same goes for Proton. And Tuta. And all services where you input your password online.
“Oh, but it’s audited,” you may say. Yes, audited by those cybersecurity companies/researchers that keep finding lots of activity by Russian hackers, Chinese hackers, etc., but never anything done by our hackers in the West. No reason to believe they haven’t all received a visit by a man in a suit telling them to look the other way or else…
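As an added illustration of the zero-knowledge split this post describes (not code from Bitwarden, Proton or Tuta, and not from the original thread): a toy client/server model in Python. The master-key/auth-hash split is the general shape of such designs, but the iteration count, the HMAC-based stream cipher, and the `tampered_signup` page are assumptions made here for demonstration. The point it shows is that an honest client never sends anything the server can decrypt with, while a sign-up page that quietly adds the password to the payload leaves the server-side data model looking identical.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of a client-side-encrypted ("zero-knowledge")
# vault. The master-key / auth-hash split mirrors the design the post talks
# about; the iteration count and the HMAC-based stream cipher are illustrative
# assumptions, not any vendor's real parameters.

KDF_ITERS = 100_000  # assumption; production services use much higher counts
NONCE_LEN = 16
TAG_LEN = 32


def master_key(password: str, email: str) -> bytes:
    """Client side: stretch the password, salted with the account email."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.strip().lower().encode(), KDF_ITERS
    )


def auth_hash(master: bytes, password: str) -> bytes:
    """Client side: the only password-derived value sent to the server.
    One extra PBKDF2 pass, so holding it does not yield the master key."""
    return hashlib.pbkdf2_hmac("sha256", master, password.encode(), 1)


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    """Independent encryption and MAC keys derived from the master key."""
    enc = hmac.new(master, b"vault-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"vault-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stdlib only, illustrative)."""
    blocks = [
        hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        for ctr in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt_vault(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client; the server only ever stores the result."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails loudly, not silently."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def honest_signup(email: str, password: str, vault: bytes) -> dict:
    """What an honest client sends at sign-up: no raw password, no master key."""
    master = master_key(password, email)
    return {
        "email": email,
        "auth_hash": auth_hash(master, password).hex(),
        "vault": encrypt_vault(master, vault),
    }


def tampered_signup(email: str, password: str, vault: bytes) -> dict:
    """The post's worry (assumed scenario): a served sign-up page that quietly
    adds the password. Everything else it sends is identical to the honest client."""
    payload = honest_signup(email, password, vault)
    payload["password"] = password  # the exfiltration the post is concerned with
    return payload


def server_can_decrypt(stored: dict) -> bool:
    """Server's view: try to open the vault with everything it received."""
    candidates = [bytes.fromhex(stored["auth_hash"])]
    if "password" in stored:  # only present if the client leaked it
        candidates.append(master_key(stored["password"], stored["email"]))
    for key in candidates:
        try:
            decrypt_vault(key, stored["vault"])
            return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    secret = b"github: hunter2"  # constructed sample vault content
    honest = honest_signup("alice@example.com", "correct horse battery", secret)
    print("server can decrypt honest upload:", server_can_decrypt(honest))
    leaked = tampered_signup("alice@example.com", "correct horse battery", secret)
    print("server can decrypt after tampered page:", server_can_decrypt(leaked))
```

Reading the client source tells you what `honest_signup` does; it tells you nothing about whether the page the server actually served you was `honest_signup` or `tampered_signup`, which is exactly the gap the post is pointing at.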
That’s an interesting point. I had never considered it in that manner. I’m used to seeing banks being reported as solid by auditors only to collapse a few weeks or months later, but I tend to trust software audits, taking them for an honest appraisal. Maybe that’s not necessarily the case.
Exactly. And you can bet small cybersecurity auditing firms are cheaper to buy than the billion-dollar accounting auditors that were complicit in all the major accounting scandals (Enron, WorldCom, Lehman, FTX, etc.).
Like others have noted, answers to this question are primarily based on speculation (by definition, a honeypot is designed to look and feel like a legitimate server/service/etc).
That being said, many of the big services (email providers, vpns, and others) have had run-ins with the authorities before, so a statement that a government attempted to subpoena a user’s information but wasn’t able to, is a pretty good indicator. (Mullvad, for example.)
But there’s gonna be the folks that call it staged and insist that these things are indeed honeypots. And the only way to have a 100% secure email provider, for example, is to not have an email account. It’s all about your threat model.
“Authorities” includes both “the law”, which is stuff that needs to be proven in court, and what’s outside the law. That includes spy agencies, political persecution, etc.
Want to see an interesting example? If you look it up, you can find multiple news stories of the FBI recovering ransomware money but not arresting anyone or taking any other action. That means they couldn’t get through any service through the legal means (probably didn’t even try), but were able to hack VPNs, Tails, Tor, cold wallets, whatever technology criminals were using to get to the money and transfer it back.
The source is their own Twitter feeds. If you spend 5 minutes there you’ll see half are little more than fake NGOs weaponized against the US government external and internal enemies.
But I’m not telling you to “read Twitter”. I’m telling you to read what the companies say about themselves. And then connect the dots for yourself. It’s not hard, they’re not trying to hide anything.