Lavabit.com and Tormail Email Alternatives...

[Ente]

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis. 

What does The Pirate Bay have to do with this?
(at first I misread some Dread Pirate thingie here..)
Well isn't there (more) established solutions for end-to-end encrypted mobilephone messaging?
Redphone, Textsecure for example.
More on Android:
https://encrypteverything.ca/Cell_phone_privacy_guide_%28Android%29#Encrypting_communications_and_files

Setting up "anti-logging" is dead simple. NSA left this handy bash script for debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8  they also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.

Now that's a treat! Thank you! :-)


About the whole thread:
Different ideas, needs and concepts seem to be mixed here.
- Anonymous mail? Anonymous IM?
- End-to-end encrypted? Non-traceable?

I, personally, liked tormail for it's non-traceability. GPG and OTR is great and all, but simply doesn't work with 99% of the recipients. So I *assume* my mails will be intercepted and use onionland for doing stuff anonymously. This works with many regular mailproviders, obviously.
Now if you want to communicate encrypted, it all depends if it's a few, recurring contacts, or *any* contact.
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

Oh, maybe I should edit "I" to "a friend of mine"..

Ente

[1714866425]

1714866425

[smscotten]

And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?

So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.

The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicate that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.

Also, it's not just governments (or our own government) that we need to worry about.

Decentralization is not a silver bullet, but it is nevertheless desirable.

[bernard75]

The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?

They say:
http://online.wsj.com/article/SB10001424127887324108204579022874091732470.html

[Ente]

And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?

So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.

The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicate that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.

Also, it's not just governments (or our own government) that we need to worry about.

Decentralization is not a silver bullet, but it is nevertheless desirable.

I see your points!
My approach, however, comes from two directions:
- be paranoid, assume the worst
- playfully wrap your mind around it for beating an overwhelming thread or creating a 100% secure system (you see the "playful here, right?)

For the real situation, out there, you are right!

Ente

[MysteryMiner]

Self-hosting is a way to protect against court ordered censorship of users or protect the mail server from direct database access by NSA. The e-mail still can and will be read when it travels the internet in unencrypted form. The solution already exists and it is called PGP encryption. But almost nobody uses it.

They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of average computer user is unbelievable.

[The 4ner]

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.  

What does The Pirate Bay have to do with this?

Because a founder of The Pirate Bay is behind the creation of Hemlis.

[Pellefot]

I haven't seen anyone mention www.anonymousspeech.com so i will.
Its main selling point for me is that it requires no Javascript so no badman can hijack the site and insert funky code as we saw happend with tormail. Has some others neat features as well like time-delayed emails. I havent used that function but im guessing it uses a rnd delay before sending your message, very cool.
And yeah- Bitcoin accepted!
Enjoy.

[MysteryMiner]

Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.

[b!z]

Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.

I think he means the site still works if he disables JS in his browser

[2dogs]

They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of average computer user is unbelievable.

+1

[smscotten]

They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of average computer user is unbelievable.

I share your frustration with the difficulty in getting people to use PGP. Though I'm nowhere near as frustrated by the fact that average computer users won't use PGP as I am by the fact that getting liberty- and privacy-minded technically savvy and proficient people to use PGP is like pulling teeth.

"Yeah, I've been meaning to get around to it. It's really important, I agree." Wait two weeks, ask again for their key, get same answer. Rinse, lather, repeat.

I'm at the point where I won't talk about PRISM or any of the zillion surveillance scandals with anyone who won't generate a set of PGP keys. If all they want to do is complain and hope someone else does something about it, I've got no time.

Now back to the average user. Your analogy is flawed and unfair.

1) Most everyone around us already wears pants. Anyone who doesn't faces social (and probably legal) repercussions.
2) Most everyone has been taught to wear pants from a very young age. It has become habituated.
3) There are advertisements everywhere making most everyone think that they will be sexually desirable if they wear the right pants.
4) Most everyone already has a pretty good idea how to use pants.

[MysteryMiner]

1) Most everyone around us already wears pants. Anyone who doesn't faces social (and probably legal) repercussions.
2) Most everyone has been taught to wear pants from a very young age. It has become habituated.
3) There are advertisements everywhere making most everyone think that they will be sexually desirable if they wear the right pants.
4) Most everyone already has a pretty good idea how to use pants.

1) Some of them will find it in hard way that encryption is a must. Our president's adviser found it in hard way http://www.dzeltenais.lv/wp-content/uploads/2012/06/rgle.png and this is he most decent picture that was copied from her hacked e-mail.
2. Let's teach our children how to use encryption from very young age. Let us be the last generation of neanderthals who run around without pants!
3. Let's advertise that 4096-bit RSA keys are more sexy than 2048 ones!
4. Using PGP is not harder than squeezing into pants. At least for person with 130+ IQ

[marcus_of_augustus]

GPG PGP has it's shortcomings also ....

[smscotten]

1) Most everyone around us already wears pants. Anyone who doesn't faces social (and probably legal) repercussions.
2) Most everyone has been taught to wear pants from a very young age. It has become habituated.
3) There are advertisements everywhere making most everyone think that they will be sexually desirable if they wear the right pants.
4) Most everyone already has a pretty good idea how to use pants.

1) Some of them will find it in hard way that encryption is a must. Our president's adviser found it in hard way http://www.dzeltenais.lv/wp-content/uploads/2012/06/rgle.png and this is he most decent picture that was copied from her hacked e-mail.
2. Let's teach our children how to use encryption from very young age. Let us be the last generation of neanderthals who run around without pants!
3. Let's advertise that 4096-bit RSA keys are more sexy than 2048 ones!
4. Using PGP is not harder than squeezing into pants. At least for person with 130+ IQ

1) You don't have to convince me of that. (Although, actually, that's a great reason that everyone else shouldn't use encryption. More pics for the rest of us.) Still, the social repercussions are relatively rare so far, at least compared to not wearing pants in public.
2) Yes, but that teaching starts now or at most 20 years ago. Don't go around blaming the people that didn't get taught from a young age for not having been taught.
3) Yes, lets! And that advertising starts now. Don't go saying nasty things about the people who haven't gotten the message yet.
4) I disagree. It's a whole new vocabulary. I've been using PGP (or I ought to say I've been making PGP keys for myself; it's only recently that I've had anyone to exchange keys and emails with) for nearly 20 years and I still feel like I'm just barely getting the hang of things like managing circles of trust. Granted, you don't have to learn all that right away just to encrypt a message but there are a lot of ideas that are important that go along with just encrypting messages. And 130+ IQ is what, 3.5% of the population? Depends on what scale you use, but no matter what you are a long way from "most people."

Really. Sit down with a reasonably smart person who wasn't either a math or computer science major and try to show them how PGP works. If they are indeed reasonably smart and don't have some kind of mental block about it they will get it, but it will take some time and effort on both your parts. It will be time and effort well-spent, but don't pretend it's trivial.

My point is only that we have a task of educating others ahead of us. Calling people 'unbelievably ignorant' for not yet having learned about PGP doesn't help.

marcus_of_augustus: to what shortcomings are you referring?

[MysteryMiner]

PGP Web of Trust is for preventing use of "fake" keys. It is unnecessary for end-to-end encryption as long as the key fingerprints are verified offline or some other reasonably safe method.

Basics of GPG is no so difficult to understand. The problem is lack of software that uses it by default. To use it one need to install Thunderbird, configure POP3 access, then install GPG and then Enigmail. And configure all of this and store the e-mails on his own computer's harddrive. This process filters out large portion of users who don't care about maintenance of his computer or only use webmail from random computers.

GPG PGP has it's shortcomings also ....

Everything has it's shortcomings. When used properly GPG will protect the contents of the message. The sender and recipient still be known to NSA.

[joesmoe2012]

PGP Web of Trust is for preventing use of "fake" keys. It is unnecessary for end-to-end encryption as long as the key fingerprints are verified offline or some other reasonably safe method.

Basics of GPG is no so difficult to understand. The problem is lack of software that uses it by default. To use it one need to install Thunderbird, configure POP3 access, then install GPG and then Enigmail. And configure all of this and store the e-mails on his own computer's harddrive. This process filters out large portion of users who don't care about maintenance of his computer or only use webmail from random computers.

GPG PGP has it's shortcomings also ....

Everything has it's shortcomings. When used properly GPG will protect the contents of the message. The sender and recipient still be known to NSA.

And since multiple messages are encrypted with the same static key, if the key is ever compromised, all prior communications are compromised.

[MysteryMiner]

PGP Web of Trust is for preventing use of "fake" keys. It is unnecessary for end-to-end encryption as long as the key fingerprints are verified offline or some other reasonably safe method.

Basics of GPG is no so difficult to understand. The problem is lack of software that uses it by default. To use it one need to install Thunderbird, configure POP3 access, then install GPG and then Enigmail. And configure all of this and store the e-mails on his own computer's harddrive. This process filters out large portion of users who don't care about maintenance of his computer or only use webmail from random computers.

GPG PGP has it's shortcomings also ....

Everything has it's shortcomings. When used properly GPG will protect the contents of the message. The sender and recipient still be known to NSA.

And since multiple messages are encrypted with the same static key, if the key is ever compromised, all prior communications are compromised.

It have easy solution - don't let the private key to be compromised! Seriously, if encryption secret key is compromised then it is game over.

[bernard75]

Another attack on the Tor network or "just" bots:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029582.html

[Ente]

Another attack on the Tor network or "just" bots:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029582.html

uh, wtf?
Real attack, or a huge botnet switching to tor maybe?

Ente

[NewLiberty]

I'd guess some cloud service is being utilized to spawn a bunch of clients for some legitimate privacy concern purpose.
Sure, it could be a bot-net, but that would be... wrong.