pa
August 21, 2013, 09:31:16 PM
Countermail looks good. . . and they accept Bitcoin. . . any opinions as to whether they are secure?
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
August 21, 2013, 11:13:17 PM
Countermail looks good. . . and they accept Bitcoin. . . any opinions as to whether they are secure?

Look at these quotes from their webpage:

CounterMail is a secure and easy to use online it requires no specialized computer skills or knowledge

There is no real way to verify their claims about diskless servers (lol) or no IP logging. The first might be true, the second probably not. They are operating on clearnet. The owners can be traced by LEA, and they can still be forced by LEA cockheads to do nasty things to their users.
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
bernard75
Legendary
Offline
Activity: 1316
Merit: 1003
August 23, 2013, 02:07:41 PM Last edit: August 23, 2013, 03:24:10 PM by bernard75
Lavabit, Silent Circle, Tormail and now Bitmessage: it seems like all users received the following message today:

Bitmessage has several potential security issues including a broken proof of work function and potential private key leaks. Full details: http://secupost.net/*RefNumber/bitmessage-security

Somebody is collecting IPs, I wonder who?
The 4ner
aka newbitcoinqtuser
Hero Member
Offline
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
August 23, 2013, 03:21:52 PM
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.
bernard75
Legendary
Offline
Activity: 1316
Merit: 1003
August 23, 2013, 03:35:56 PM
http://www.chronicles.no/2013/08/bitmessage-crackdown.html

Mr "Robert White" was behind the "attack" (message from secupost.net and Bitmessage):

This message is also available at http://secupost.net

Alright, the messages sent out a few days ago are starting to expire now. It's time for everyone to learn what the purpose of secupost.net is. As many of you guessed, this is indeed a Bitmessage address to IP address mapper. Yes, the only thing that webserver would send was a 500 message. It did alright too, gathering nearly 500 Bitmessage users' information after sending 15000 messages. Double what I expected. I've included both a log of each address detected and the first thing to hit it, including IP, reverse DNS and user agent, as well as raw logs for every valid request. If you need to confirm this signature so you can verify messages from me when Bitmessage is down, please see the Bitmessage general chan for a copy from my Bitmessage address.

So, future lessons:

- Yes, all Bitmessage addresses are public and can be read from your messages.dat file using a small script.
- Don't click links. Even if it looks like a security-related site and uses some technical terms. I am not a nice person, I will publish any information I can gather about you and I don't care if you get lit on fire by terrorists because of it.
- Bitmessage does _not_ scale. It took me around 3.5 hours to send ~15k messages but it took the Bitmessage network over 18 hours to fully propagate them.

Some of you were smart enough to use Tor or VPN providers, but many of these are direct home or server IPs. The information below is more than enough for any government to come after you or any script kiddie to DDoS you. Be more careful next time. Some of you tried to use scripts to claim addresses which weren't yours and skew the data; of course, you didn't even change your user-agent. Even without accounting for that, your attacks were ineffective because the IDs were generated in a non-linear fashion using a cropped HMAC-SHA256. To find your id:

```python
import hmac, hashlib
from struct import unpack
def gen_mac(addr):
    # 32-bit id: first four bytes of HMAC-SHA256 over the address string, read big-endian
    mac = hmac.new(b"fuck you", addr.encode(), hashlib.sha256).digest()
    return unpack('>I', mac[0:4])[0]
```

This simple deterministic method means that you would have had to try... (2^32/15000)/2 = 143165 times on average just to get a single collision. Thanks for playing, but no luck this time. This service has been operated completely anonymously thanks to Tor and Bitcoin. I hope you enjoy the result.

Robert White (BM-2D8yr4fzoMzwndqPwLMVyzUcdfK9LWZXjY)
idev
August 23, 2013, 04:13:27 PM
ByteMail

ByteMail is a decentralized, P2P communication protocol for sending messages over a secure connection on the internet. ByteMail was created in order to provide people with a way to send messages without worrying about a third party intercepting and reading these messages. ByteMail ships with a webUI as well as a command-line UI. If you are a developer and would like to contribute to the ByteMail project, check out the project on Github here: http://github.com/ByteMail Official project home: bytemailproject.org

ByteMail seems interesting but the fact that the project seems to be in its infancy is a bit of a let down. It will definitely discourage many potential users from adopting it.

Yes, it's still in its infancy, but it's usable now, supports multiple OSes, and it's free and open source.
Lauda
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
August 23, 2013, 06:58:14 PM
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.

https://heml.is/ Soon™

For anyone curious and too lazy to google.
"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" 😼 Bitcoin Core ( onion)
bernard75
Legendary
Offline
Activity: 1316
Merit: 1003
August 23, 2013, 07:22:07 PM
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.

https://heml.is/ Soon™ For anyone curious and too lazy to google.

That's for sure a strange mix: end-to-end encrypted communication and posting your personal info on Facebook and Twitter.
smscotten
August 23, 2013, 07:42:57 PM
That's for sure a strange mix: end-to-end encrypted communication and posting your personal info on Facebook and Twitter.

As long as it's optional, I don't see a problem. It's good to be able to share personal information; privacy is about choosing which information to share and with whom to share it. My problem with Hemlis is this:

Your server only?
Yes! The way to make the system secure is that we can control the infrastructure. Distributing to other servers makes it impossible to give any guarantees about the security. We'll have audits from trusted third parties on our platforms regularly, in cooperation with our community.

As much as I applaud their effort, this shows that they simply don't get what "security" and "privacy" mean.
Lauda
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
August 23, 2013, 09:38:22 PM
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.

https://heml.is/ Soon™ For anyone curious and too lazy to google.

That's for sure a strange mix: end-to-end encrypted communication and posting your personal info on Facebook and Twitter.

Well, my Facebook not being private is not a concern, since it's constantly being cleaned up. What I send in messages, on the other hand, should be, as there tends to be valuable info there from time to time.
The 4ner
aka newbitcoinqtuser
Hero Member
Offline
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
August 23, 2013, 09:47:52 PM
Did anyone on here donate to their project?
stevegee58
Legendary
Offline
Activity: 916
Merit: 1003
August 24, 2013, 12:03:53 AM
I'm in the process of setting up my own email server. End-to-end encryption, including the server data itself. I'm the only one who has to trust it since I'm the only one using it. Come at me, bro.
You are in a maze of twisty little passages, all alike.
smscotten
August 24, 2013, 12:33:24 AM
I'm in the process of setting up my own email server. End-to-end encryption, including the server data itself. I'm the only one who has to trust it since I'm the only one using it. Come at me, bro.

I thought "end-to-end" referred to the sender and receiver. If you're not encrypting the contents of the emails with a key specific to your recipient, or if someone sends you mail in cleartext, that can be read in transit. But yeah, good for you. Hopefully we'll see more of that. I'm possibly returning to hosting my own mail again. I remember it being a hassle, but I suspect that with or without the root password my hosting service can paw through everything I've got on my VPS. I certainly trust them enough not to do it… unless they get pressure from the government. *sigh*
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
August 24, 2013, 12:40:35 AM
I run my own IMAP server (Dovecot) on a home server and use Fetchmail to download mail from my various email accounts.
It's nice because it lets me collect all kinds of mail into a single mailbox that can be read from my PC or phone. I've got a VM running a POP/SMTP-enabled version of Bitmessage that Fetchmail can poll, so that pulls any messages I receive via that network into my normal workflow.
joesmoe2012
August 24, 2013, 01:27:24 PM
I think setting up your own email solution is probably the least secure option. It's very difficult to properly set up a secure email solution with proper encryption and anti-logging.

Installing Ubuntu and some mail server on top of it doesn't provide any more security than using PGP with Gmail. Also, unless you're a Unix expert, securing your own Unix system can prove to be difficult, especially if you are ever targeted (and your mail server would stick out like a sore thumb in the headers of any email you send).
smscotten
August 24, 2013, 09:10:58 PM
I think setting up your own email solution is probably the least secure option. It's very difficult to properly set up a secure email solution with proper encryption and anti-logging.

Installing Ubuntu and some mail server on top of it doesn't provide any more security than using PGP with Gmail. Also, unless you're a Unix expert, securing your own Unix system can prove to be difficult, especially if you are ever targeted (and your mail server would stick out like a sore thumb in the headers of any email you send).

I'm not sure where you're getting this. No, as I pointed out earlier, if you aren't encrypting the messages before they get sent out into the wide world, that isn't any different than Gmail. And the complexities of securing a server against attack are probably wider than the scope of this post.

But what you know for sure is that if law enforcement has a warrant for the contents of your computer, there will be a knock at (or down) your door and you'll either have a warrant in your hand and an opportunity to call your lawyer, or else come home and find your computer missing. You at least know that the system is compromised. With Gmail, we pretty much have to assume that everything ever said in an email on Gmail is duplicated in close to real-time on the NSA's servers.

And what are you talking about regarding your mail server sticking out like a sore thumb? I'm imagining an NSA agent looking through logs and stopping, shocked. "Hold the phone, Joe, look! This email was sent from LINUX. That NEVER HAPPENS. Quick, send a SWAT team to that location!"

I'm also curious what you mean by anti-logging. The only interpretations I can come up with are either impossible or trivial. And googling the term just came up with a bunch of Earth First websites.
moni3z
August 24, 2013, 09:37:03 PM Last edit: August 24, 2013, 10:06:22 PM by moni3z
Just make your own, using a VPS in Iceland and either qmail + djbdns or OpenSMTPD. Look around for scripts that will encrypt all incoming mail to your public PGP key, or do it yourself:
https://grepular.com/Automatically_Encrypting_all_Incoming_Email

If you want, now make it a Tor hidden service and access it via .onion to download encrypted messages. Obviously this is just to prevent passive government spying and political blackmail, but it doesn't prevent targeted spying (they break into your VPS, capture traffic before it is encrypted) or NSA metadata traffic analysis seeing who you are talking to.

Countermail: I would expect that if you should ever be targeted by authorities, they will simply feed you a MITM login screen that captures your password so they can hand it over to whoever asks for it. This is exactly what Hushmail did numerous times.

Rayservers offer a pretty attractive package as well; servers are in Panama and I believe they have .onion access, but they are still a US-based company so open to government harassment and coercion.
http://www.rayservers.com/blog/rayservers-mail-server-features-and-faq

Apparently the guy who runs Torservers.net posted to the tor-talk mailing list that he was creating his own Tormail for free use:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029464.html
moni3z
August 24, 2013, 09:42:27 PM
With gmail, we pretty much have to assume that everything ever said in an email on gmail is duplicated in close to real-time on the NSA's servers.

Gmail, according to posts on Hacker News, will feed you a new TOS to agree to should they receive a national security letter to hand over your emails. If you find yourself logging into Gmail and having to agree to a new TOS, then ruh-roh.

Setting up "anti-logging" is dead simple. The NSA left this handy bash script for Debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8 They also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, it's not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.