Hacker News new | ask | show | jobs
by phantom_oracle 1673 days ago
I will add add a disclaimer to this comment that it is tinfoil-hat and just speculation(bordering on conspiracy) but many of these "we are a privacy-first company" might actually just be honeypots and fronts for 3-letter agencies.

The comment is not wholly conspiratorial, considering the CIA owned Swiss crypto company: Crypto AG [1]

It's within the realm of possibility that most of these privacy services could be owned by 3-letter agencies or small enough to be coerced into cooperation.

[1] https://www.scmp.com/news/world/europe/article/3050193/crypt...
7 comments
jqpabc123 1673 days ago
Haven't you heard? The CIA has gone open source. They don't need to own a company anymore.

They can just download the Searx source code; modify it as they see fit, and make it available on a server someplace.

Can you prove that searx.be isn't run by a "3 letter agency"? Can you prove that the source code running at searx.be is the same as on Github?

The point being --- unless you have full access to the server, open source means nothing with regard to privacy and security of any service. It actually means less than nothing --- it means it is super easy to build into a honeypot.

link
marc_abonce 1673 days ago
Of course, there's no fool-proof solution to knowing what code is running in the server side, but https://searx.space at least shows if an instance modified their client-side code, which you can see in the HTMl column.

To mitigate server-side code from identifying you, you can consume an instance from Tor. Of course, you could try to do that with any other search engine, but most of the other search engines either block exit nodes or provide incomplete functionality if you disable JS.

It's not perfect, but it may be good enough depending on your threat model.

link
jqpabc123 1673 days ago
Note to the CIA --- don't modify the client side code when building your honeypots.

Personally, I just use a VPN with the "lite" version of DuckDuckGo --- no JS.

https://lite.duckduckgo.com/lite

link
ColinHayhurst 1673 days ago
SearX is a project which we respect and a positive contribution to improving search choice. Consideration of how it might be being used is wise.

It's also wise to do due diligence on any company/service where you are revealing sensitive personal information. Traffic coming from Google in 2006, for sensitive medical search queries was a catalysts for us going public in 2006 on our strict no-tracking policy and we maintained that position.

We have yet to be contacted by authorities, but you'll have to trust us on that one for now. Since we don't log any personal or identifying data at all, we would have nothing to share [0]. You can read about our investors on our blog.

Building and maintaining a search engine with independent infrastructure has a huge challenge and has meant building proprietary IP over many years. Since we refuse to use techniques used in growth hacking such as analytics from you know who, and all tools involving any tracking, marketing is a bigger challenge than it is for companies without strong principles. It has been a mammoth effort, by mostly our founder whose story you can read here [1].

[0] https://www.mojeek.com/about/privacy/ [1] https://blog.mojeek.com/2021/03/to-track-or-not-to-track.htm...

link
phantom_oracle 1673 days ago
I should have added that my comment implied as much to do with DDG as it does with cheap-VPN-provider-35 with a shell company in Belize.

The original comment was in reference to DDG proudly making claims of not getting requests from .gov and marketing themselves as a company who "cannot see what you search for".

link
marginalia_nu 1673 days ago
I do think it's a bit of a red flag.

Sort of like how most anti-tracking browser extensions eventually turn out to actually be tracking extensions. Or like how used car dealers that have a name like "honest bob's cheap luxury cars" often turn out to neither be honest, cheap nor luxurious.

link
GhettoComputers 1673 days ago
Isn’t that confirmation bias? uMatrix and uBlock are reliable, the opposite being PrivacyBadger. The EFF has lost my trust before but I never assume maliciousness before incompetence. https://old.reddit.com/r/privacytoolsIO/comments/l2dges/why_...
link
marginalia_nu 1673 days ago
The list of browser extensions that in some form has backpedaled from their central premise and main function, the list is pretty long. Ghostery, Adblock, AdblockPlus, ...
link
GhettoComputers 1673 days ago
I don’t disagree it’s a lot, NoScript was another example, uBlock and uMatrix by no fault of themselves were also hijacked being open source, Ghostery was sold, and Adblock Plus with acceptable ads wasn’t bad as they said. It was widely reported, I continued installing ABP, since it was easy, wasn’t hard to turn off acceptable ads, and I think that direction they tried to move the industry in wasn’t harmful. I might have moved back to Adblock or learned about hosts but if they were successful we’d have less resource hungry ads, a net benefit for everyone, especially when using public computers or helping someone with IT.

Ghostery was more widely reported as Audacity adding telemetry. Everyone who cared knew long before to leave or uninstall it.

Hosts blocking is reliable and I’ve never had a single malicious one with the wide assortment I used. PiHole hasn’t been hijacked either and I think it’s unreasonable to think that no group can make mistakes, faltering can’t ever happen, I really don’t think Adblock Plus was that bad.

If the market wasn’t saturated with methods to block, I would have stuck with them if they were remorseful.

-Sent from my not private Apple device I’ll still use since it’s got a huge userbase on messaging in the US

link
no_time 1672 days ago
Same goes for VPN companies. I do feel bad for all the journalists and whistleblowers who will fall for these scams but as far as I'm concerned, as long as I can avoid for profit data collection companies like Google, it's good enough for me.

If I can't avoid my data being collected, I will still try my best to make it as worthless as possible just out of spite.

link
sleepysysadmin 1673 days ago
The thing is... lets say the CIA/NSA are tapping searx wholely or just instances. What exactly are the ramifications? I feel like they are going to be largely missing the target. A bunch of techsavvy nerds trying different search engines aren't going to be terrorists.

And even if they are? As a Canadian or someone who isnt in the USA. What exactly is the point? Wouldn't this effectively be the safest host? CIA/NSA wont be selling your private infos. They wont be sending me to a blacksite because i look at python documentation and youtube chill music.

link
kwhitefoot 1673 days ago
> CIA/NSA wont be selling your private infos.

Why not? They used to sell cocaine after all and your info is probably rather less risky.

link
sleepysysadmin 1673 days ago
>Why not? They used to sell cocaine after all and your info is probably rather less risky.

It will reveal the operation busting any potential for catching terrorists.

link
sweetbitter 1673 days ago
The purpose of government SIGINT (Signals Intelligence) is certainly not to catch terrorists/pedophiles/money-launderers. Those activities are generally tolerated/endorsed by intelligence agencies, as they are not heinous enough to garner their ire, even helping them whenever they coerce someone into committing a terrorist attack. The true purpose of all of those data is to create a metadata map and to assess who is up to what and who can do what, such that the powers of their nations over the world can be maintained as long as possible.
link
yosito 1672 days ago
While I don't like the idea of a three letter agency honeypot, I'd be even more concerned with ad-tech and surveillance capitalism companies setting up honeypots.
link