If the owner of the standard notes will now be a proton, doesn’t that contradict this principle? I have a proton email account but I don’t want it linked to my standard notes account. I don’t strongly trust companies that offer packaged services like google or Microsoft. I prefer to have one service from one company. I am afraid that now I will have to change where I save my notes. What do you guys think about this?

  • gamedeviancyOP
    link
    fedilink
    English
    arrow-up
    14
    ·
    8 months ago

    Ok, but what does it mean, is that, when proton will be compromised, all of your data also can be compromised. When we have our data divided between different independent services, compromising one does not mean violating the others.

    • Imprint9816@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      2
      ·
      edit-2
      8 months ago

      This whole line of thinking seems to be based on FUD more then anything else.

      There is no evidence or reason to believe some major compromise of proton will happen.

      If your that worried about proton you probably should just not use the service at all.

      Also using the 3-2-1 backup rules should help mitigate this fear of having everything with one service.

      • gamedeviancyOP
        link
        fedilink
        English
        arrow-up
        13
        ·
        8 months ago

        No, I’m not saying that I don’t trust proton at all. I think that they have great services but as I wrote in the title - don’t put all eggs in one basket.

        I think I won’t trust any company with holding ALL my data.

        • Imprint9816@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          8 months ago

          If all your eggs are encrypted, having those eggs in one basket or five doesn’t matter from a security perspective. Its the same reason you wouldn’t split up your passwords to multiple password managers.

          That being said the much more likely scenario is that at some point in your lifetime Protons values change (either by being purchased or new leadership) and you have to move on. That’s why, regardless of how good a providers security is, its good to have backups elsewhere.

          • LWD@lemm.ee
            link
            fedilink
            English
            arrow-up
            6
            ·
            8 months ago

            There’s a lot of metadata Proton passes around, and two of their oldest flagship products (email and VPN) require you to put a lot of trust in one company. For email, you trust them to encrypt them without snooping. For VPN, you trust them to not collect logs about where you’re going.

            And in the former case, they were compelled to give up at least a little data in the not-so-distant past.

            • Imprint9816@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              1
              ·
              edit-2
              8 months ago

              It doesn’t matter what is being discussed, if its about proton the email incident gets brought up.

              Here is the deal. No major company is going to break the law for its users. Had the activist been using proton vpn to create and access their email, Proton would not have had the info they were forced to give up. The takeaway from the story is bad opsec is usually what gets people caught whether its activists or hackers.

              Whether you use Proton or someone else you will need to trust that service. If you don’t trust them, don’t use them. Its that simple, no need for conjured up FUD excuses.

              • LWD@lemm.ee
                link
                fedilink
                English
                arrow-up
                7
                ·
                8 months ago

                I bring up “the email incident” because it’s a reminder that Proton may record stuff that’s not encrypted, which includes the vast majority of emails.

                And it’s not to say that you wouldn’t trust it with one individual service, but whether it’s wise to trust it with so many services at once, from a security, privacy, and even monetary perspective.

                Not every concern is FUD, and I think you’ll start seeing diminishing returns every time you repeat it.

                • Imprint9816@lemmy.dbzer0.com
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  8 months ago

                  Not every concern is but ones where concern is based solely on fear and hypotheticals are. This all eggs in one basket line of reasoning is FUD and has no real bearing in reality.

                  Even this email issue, it really has nothing to do with if you should trust proton in terms of OPs post. If you really believe Proton is going to sell you out, you wouldn’t use them anyway and Proton following the laws is something every legit business is going to do, not something specific to Proton. If you have the threat model of an activist you need to careful about your opsec as i explained in a previous comment.

              • gamedeviancyOP
                link
                fedilink
                English
                arrow-up
                4
                ·
                edit-2
                8 months ago

                Had the activist been using proton vpn to create and access their email, Proton would not have had the info they were forced to give up.

                What? If protonmail collects any metadata, why do you assume protonVPN doesn’t?

                • Imprint9816@lemmy.dbzer0.com
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  8 months ago

                  Proton can see my traffic. I already know that. Any vpn provider you use could. Its not that i trust proton implicitly its that i trust them more then my ISP that would be able to see it if i did not use a vpn. Couple that with their record of audits and im not sure what else you could expect from them.

                  • gamedeviancyOP
                    link
                    fedilink
                    English
                    arrow-up
                    5
                    ·
                    8 months ago

                    You wrote that if the activists used proton VPN to register their mail account, proton would not have the information he needed to pass on. It’s not true cause they would probably have the same metadata about them.

      • flatbield@beehaw.org
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        8 months ago

        All security is porous. So there is every reason to believe that Proton or any other org will have a major breach at some point.

        Edit: Just think of the LastPass debacle.

        • Imprint9816@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          edit-2
          8 months ago

          “All security is porous” is pure FUD reasoning and, completely disregards the security audits Proton does to make sure its not anything like LastPass.

          Using LastPass as a strawman is not a compelling argument.

          OP and You are also assuming if Proton was breached that it means all the user encrypted data would somehow be available to the malicious party which is also extremely unlikely.

          • flatbield@beehaw.org
            link
            fedilink
            English
            arrow-up
            4
            ·
            8 months ago

            Security audits do not guarantee security. They are just the best we have. Just as code reviews do not guarantee good and trustworthy code. In the end, we do not know what we do not know. In the end, every system has its weaknesses.

            Sure I believe Proton is a reasonable supplier. Even with that Proton for example is on the record of giving out user info to governments. I am sure they did not meet the expectations of that activist.

            • Imprint9816@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              8 months ago

              My point is Proton did something every legit business would do.

              If your threat model is such that governments are going after you, you should be aware enough to not create an email with an IP that identifies you. That email issue was bad opsec not some specific problem with Proton.

              • flatbield@beehaw.org
                link
                fedilink
                English
                arrow-up
                1
                ·
                8 months ago

                Well that is the point isn’t it. Companies are not very reliable. The only thing they can be relied on to do is whatever butters their bread and that can change at any time. There is also a PR component and a fact component and they do not always agree.

                Proton is really no different. I seem to remember they changed what they said on their website after outing that activist. Presumably to be a little less misleading. Again, I am impressed with Proton but not infinitely impressed.

                • Imprint9816@lemmy.dbzer0.com
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  8 months ago

                  You seem to be avoiding the fact component, which is they have proven through audits, yearly, their security is what you would want in a service that holds your data and have decided to instead rely on one instance (in 10 years of that service being around), that has nothing to do with the issue and your own feeling of how companies operate (FUD).

    • Cyborganism@lemmy.ca
      link
      fedilink
      English
      arrow-up
      3
      ·
      8 months ago

      I don’t know about that. If I use Google to sign in to different separate services, if my Google account is compromised, then so are all the other services, no?

      If they’re all independent services then it becomes a hassle. Having to have multiple apps or accounts to manage.

      You make a valid point, but I think there should be some kind of middle ground between the two.