Any hacker? Actually, it's a lot more exploitable than you think. Here's what I'd do if I was actually a bad guy:
Step 1: Have evil app on your lappie forge responses to DNS queries. Everything goes through you. Super easy.
Step 2: Run a simple socket-level proxy on port 80 and 443. Watch traffic on any given device over port 80 until you see a user-agent go by (or just guess off the MAC address). Once you identify an Apple device, forge all SSL connections with a bogus cert. Log all headers and POST data. Maybe HTML returned from remote servers, too.
Sit in Starbucks or Paradise Bakery for a couple hours. Go home, analyze logs, mayhem ensues.
I could easily code this myself. The actual bad guys could certainly do it as well.
Such as the DMCA being used as a tool to prevent people from automating a video game? ;)
This is the true root of the evil that is DRM. It has nothing to do with being ineffective or inconvenient. It's all about creating control over something where it does not legally exist.
In the situation with Adobe's recent announcement, the focus has been too much on the annoyance to the end-user. But looking for the control aspect, it's plain to see how Adobe can change their DRM to create a ton of new licenses. Obsoleting old devices generates a bunch of new purchases, and even existing devices that can be "upgraded" will almost certainly result in more revenue from the device maker to Adobe.
Just rev that DRM every few years to keep the cash flowing. It all comes from the consumer indirectly, anyway.
Of course you have less to fear from the US government's authority outside of the US. Mind you, I'm not saying that hosting something outside of the US is a panacea that somehow makes you safe from government overreaches. I'm sure there are many countries and situations, in general, where they can apply pressure.
But security is always about doing the best possible thing, not simply discarding options because they are imperfect.
It's kind of a question of which is worse: the enemy you know, or the enemy you don't know? What we know of the NSA and the US government is that it is an *extremely* serious enemy.
The NSA has far more technical resources than any other country I can think of. And the US government's ability to strongarm its citizens into doing bad things in the US is among the highest I can imagine, right up there with China and North Korea. We've all seen it and to pretend otherwise is foolish.
Given that, I'd expect anyone interested in privacy to try and get as much physical (and corporate) distance from the US. It might not be perfect, but hosting here is just fucking stupid.
Ninja is right: the primary benefit to having your data live outside the US is you escape the US government.
The NSA itself is not the problem to be avoided for your hypothetical. It's safe to assume that the technical capabilities of the NSA are the same everywhere. It's also fairly safe to assume that the "limitations" imposed on the NSA with regards to US citizens are about as effective as a cheese grater at holding water.
Given that you face the same technical challenges anywhere in the globe, being outside of the US is a huge, huge benefit in that you have less to fear from NSL's and court orders. Those are the tools that the government uses to bypass what technology it cannot.
It's quite simple: without a warrant, a technique can be applied in bulk. There's no such thing (technically) as a "general warrant", so when a method of surveillance requires one, then it can only be used as tool once an investigation is underway.
On the other hand, something that is "warrantless" can be applied to everyone, all the time.
My general rule of thumb when I see a method of surveillance that does not require a warrant is to assume that it is already being used on everyone, all the time. That assumption has proven to be conclusively true many times in the last six months or so.
Ed Felten is a "policy wonk" by his own words. He is exactly the guy that needs to be there.
He's also (or was a few years ago) the administrators of the wireless network in Princeton's main comp sci building. I met him in 2007 when there talking to an expert witness about the Glider case. I had to get on the wifi because my crappy first-gen iPhone couldn't get any of T-Mobile's crappy EDGE in the building.
He said, "Did you do the GeoHot hack on that where you have to jumper the pins on the memory controller while running a program?"
Keep in mind, I wasn't calling for outright refusal, but I still believe it must be done when the time is right.
We don't know what the Lavabit founder got in terms of the NSL. If it is something that the government can reasonably ask for (turn over these records, answer these interrogatories) with a gag order, then I agree it would be stupid and counterproductive to post it. It seems fairly likely that there may possibly be situations where that kind of gag order might be necessary for imminent threats against the country.
But if the NSL contains orders that a normal citizen does not believe is allowed under the Constitution, then someone must fight. I'm thinking "install this device on your network between these two servers, and don't consult an attorney, and don't talk about it" kind of level. If that is being sent to people, as we suspect it might, then it must come out.
Maybe they are never that evil. But if they are, the only way we'll find out is when someone risks life and livelihood to protect our freedom. We'll definitely never get to the bottom of those letters from the other end of the gun through Clapper and the rest of the liars.
Mike: what about the money that the NSA itself is actually spending? It's easy to get caught up in the privacy issues and the financial impact on American business. Those are real and very serious.
But what's being overlooked, probably because it's classified, is how much the program is costing US taxpayers directly. Data centers don't build themselves. Huge checks to telcos to turn over a shitload of data don't appear from thin air. Litigating the hell out of all these indefensible positions takes a lot of effort.
So we're all paying quite possibly a substantial amount for this nothing.