by alfiedotwtf 4003 days ago
FastMail isn't based in the US (we are in Melbourne, Australia).

For those who will point out that some of our servers are in the US, see:

    http://blog.fastmail.com/2014/12/15/security-confidentiality/
For those who will point out about the new Australian data retention laws:

    http://blog.fastmail.com/2015/04/09/fastmail-is-not-required-to-implement-the-australian-metadata-retention-laws/
Not just 'some' of your servers. Looks like infrastructure is US based.

https://www.fastmail.com/help/ourservice/security.html

   Physical location security
   Our main servers are located at New York Internet (NYI) in New York City, USA. Their facility is a high security, video monitored location; with backup power, air conditioning, fire systems, 24x7x365 monitoring, and onsite technical support.
I am familiar with NYI - they are a good datacenter - but I do not think they are in any way more or less secure than the Equinixes, Internaps, Telxs, etc.

The security of fastmail is really the security of end to end TLS with forward security. All good practices but industry standard, no?

Do you encrypt traffic between servers? i.e. http://www.forbes.com/sites/benkepes/2014/03/20/in-an-attemp...

What differentiates Fastmail sec practices?

> Our main servers

"main" servers. Most services are mastered at NYI, with replicas at other sites (currently Amsterdam, soon LA as well). Soon some services will have the option of being mastered elsewhere. Maybe I should reword that help doc a little bit.

Our security is about as good as is practicable. It might not be the absolute best but I'd wager it's better than most, especially when balanced with the usability and reliability guarantees we make. Obviously encasing your server in concrete and dropping it into the ocean is more secure, but that doesn't give you much of a service.

I don't think I can say NYI do better than every other datacentre, because I haven't used every other datacentre, but they certainly seem to be far above most other players. It also helps that we've worked with them for years and know most of the key staff personally.

We don't currently encrypt traffic between our servers within the same datacentre. We own all our servers and network equipment, so there's no inter-server traffic leaving our own equipment. Of course it's possible for some kind of network tap device to be installed, but at that point the attacker already has physical access to our servers so we've already lost. This point was addressed in the first blog post alfiedotwtf linked to.

We do encrypt between datacentres, of course.

So to your final question, what differentiates us from other services, it's hard to say exactly because I don't know which other services you're talking about. Our general approach is to use the best tools and techniques available, and to understand everything we use so we know what compromises we're making and what our attack surface looks like. Our ops staff know this stuff well, respond quickly (eg we patched Heartbleed before start-of-business in the US, when most of the mainstream media hadn't picked it up yet), we talk very openly about what we do and how we do it, and we offer a generous security bounty to anyone that finds an exploit.

If you think we could be doing more, let me know! I'm happy to be contacted directly (robn@fastmail.com or @robn on twitter) or you can open a support ticket or ping @fastmailfm.

Thank you for a comprehensive answer. Another final question if you find the time. Do you have any Americans on your team?

Not directly, though we collaborate with Americans on open source projects - one of the main contributors to Cyrus is based at CMU (which is where it came from in the first place) and of course we run plenty of other software developed by people all over the place!

Is this an OK question to ask? Should I value firms according to which nationalities they hire?

I don't think Numberwang is interested in our developers' nationalities because of any patriotism/racism. I think the question was more about if any of us can be compelled to compromise our users' privacy by either the PATRIOT Act (no), National Security Letters (no), or some other insane US law.