Bitcoin Forum
Author Topic: Lavabit.com and Tormail Email Alternatives...  (Read 31137 times)
pa
August 21, 2013, 09:31:16 PM
 #121

Countermail looks good. . . and they accept Bitcoin. . . any opinions as to whether they are secure?
MysteryMiner
August 21, 2013, 11:13:17 PM
 #122

Countermail looks good. . . and they accept Bitcoin. . . any opinions as to whether they are secure?
Look at these quotes from their webpage:
Quote
CounterMail is a secure and easy to use online
Quote
it requires no specialized computer skills or knowledge
There is no real way to verify their claims about diskless servers (lol) or no IP logging. First might be true, the second probably not. They are operating on clearnet. The owners can be traced by LEA and they still can be forced to do nasty things to their users by LEA cockheads.

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
NewLiberty
August 21, 2013, 11:32:14 PM
 #123

http://www.cbsnews.com/8301-201_162-57599579/nsa-gathered-thousands-of-americans-emails-fisa-court-records-show/

Looks like one surveillance step backward (after countless steps forward).

If only trust was so easy to regain, once lost.

bernard75
August 23, 2013, 02:07:41 PM
Last edit: August 23, 2013, 03:24:10 PM by bernard75
 #124

Lavabit, Silent Circle, Tormail and now Bitmessage:

It seems like all users received the following message today:

Quote
Bitmessage has several potential security issues including a broken proof of work function and potential private key leaks.

 Full details:
 http://secupost.net/*RefNumber/bitmessage-security

Somebody is collecting IPs, I wonder who? ;)

The 4ner
aka newbitcoinqtuser
August 23, 2013, 03:21:52 PM
 #125

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis. ;)
bernard75
August 23, 2013, 03:35:56 PM
 #126

http://www.chronicles.no/2013/08/bitmessage-crackdown.html

Quote
Mr "Robert White" was behind the "attack" (message from secupost.net and Bitmessage):
-- -- --
This message is also available at http://secupost.net

Alright, the messages sent out a few days ago are starting to expire now. It's time for everyone to learn what the purpose of secupost.net is.

As many of you guessed, this is indeed a Bitmessage address to IP address mapper. Yes, the only thing that webserver would send was a 500 message.

It did alright too, gathering nearly 500 bitmessage users' information after sending 15000 messages. Double what I expected.

I've included both a log of each address detected and the first thing to hit it including IP, reverse DNS and useragent as well as raw logs for every valid request. If you need to confirm this signature so you can verify messages from me when bitmessage is down, please see the bitmessage general chan for a copy from my bitmessage address.

So, future lessons:
- Yes, all bitmessage addresses are public and can be read from your messages.dat file using a small script.
- Don't click links. Even if it looks like a security-related site and uses some technical terms. I am not a nice person, I will publish any information I can gather about you and I don't care if you get lit on fire by terrorists because of it.
- Bitmessage does _not_ scale. It took me around 3.5 hours to send ~15k messages but it took the bitmessage network over 18 hours to fully propagate them.

Some of you were smart enough to use tor or VPN providers, but many of these are direct home or server IPs. The information below is more than enough for any government to come after you or any script kiddie to DDoS you. Be more careful next time.

Some of you tried to use scripts to claim addresses which weren't yours and skew the data, of course, you didn't even change your user-agent.

Even without accounting for that, your attacks were ineffective because the IDs were generated in a non-linear fashion using a cropped HMAC-SHA256. To find your id:

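import hashlib, hmac
from struct import unpack
def gen_mac(addr):
    # addr: Bitmessage address as a byte string; the result is a 32-bit ID
    mac = hmac.new(b"fuck you", addr, hashlib.sha256).digest()
    return unpack('>I', mac[0:4])[0]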

This simple deterministic method means that you would have had to try... (2^32/15000)/2 = 143165 times on average just to get a single collision. Thanks for playing, but no luck this time.

This service has been operated completely anonymously thanks to Tor and Bitcoin. I hope you enjoy the result.

Robert White (BM-2D8yr4fzoMzwndqPwLMVyzUcdfK9LWZXjY)
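
A defensive check that follows from the quoted message, as an added example that is not part of the original post or of Bitmessage: when recipients compare their copies of the same mass message, any URL component that differs per recipient is an identifier of the kind described above. The addresses, the tracker.example host and the reference numbers are constructed, and find_recipient_tokens is a hypothetical helper.

```python
import re
from urllib.parse import urlsplit, parse_qsl

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def url_parts(url):
    """Split a URL into (host, [(component name, value), ...])."""
    u = urlsplit(url)
    parts = [("path[%d]" % i, seg)
             for i, seg in enumerate(u.path.strip("/").split("/"))]
    parts += [("query:" + k, v)
              for k, v in parse_qsl(u.query, keep_blank_values=True)]
    return u.hostname, parts

def find_recipient_tokens(copies):
    """copies maps recipient address -> body of the same mass message.

    Returns {(host, component): {recipient: value}} for every URL component
    whose value is not identical across recipients, i.e. a component that
    lets the web server tell which recipient followed the link.
    """
    seen = {}  # (url position, host, component) -> {recipient: value}
    for rcpt, body in copies.items():
        for pos, url in enumerate(URL_RE.findall(body)):
            host, parts = url_parts(url)
            for name, value in parts:
                seen.setdefault((pos, host, name), {})[rcpt] = value
    findings = {}
    for (pos, host, name), values in seen.items():
        # Needs at least two copies to compare, and at least two values.
        if len(values) > 1 and len(set(values.values())) > 1:
            findings[(host, name)] = values
    return findings

# Constructed sample: two copies of one message, same path shape as the
# link quoted in this thread, with made-up reference numbers.
SAMPLE_COPIES = {
    "BM-EXAMPLE-A": "Full details:\n http://tracker.example/3735928559/bitmessage-security\n",
    "BM-EXAMPLE-B": "Full details:\n http://tracker.example/1122334455/bitmessage-security\n",
}

if __name__ == "__main__":
    for (host, comp), values in find_recipient_tokens(SAMPLE_COPIES).items():
        print("per-recipient value in", host, comp, values)
```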
idev
August 23, 2013, 04:13:27 PM
 #127

ByteMail

Quote
ByteMail is a decentralized, P2P, communication protocol for sending messages over a secure connection on the internet. ByteMail was created in order to provide people with a way to send messages without worrying about a third party intercepting and reading these messages. ByteMail ships with a webUI as well as a command-line UI.

If you are a developer and would like to contribute to the ByteMail project, check out the project on Github here: http://github.com/ByteMail

Official project home: bytemailproject.org

ByteMail seems interesting but the fact that the project seems to be at its infancy is a bit of let down.
It will definitely discourage many potential users from adopting it.

Yes it's still in its infancy but it's usable now and supports multiple OS and it's free and opensource.
Lauda
August 23, 2013, 06:58:14 PM
 #128

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis. ;)
https://heml.is/

Soon™
For anyone curious and lazy to google.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
bernard75
August 23, 2013, 07:22:07 PM
 #129

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis. ;)
https://heml.is/

Soon™
For anyone curious and lazy to google.

That's for sure a strange mix, encrypted end to end communication and posting your personal infos on facebook and twitter.
smscotten
August 23, 2013, 07:42:57 PM
 #130

That's for sure a strange mix, encrypted end to end communication and posting your personal infos on facebook and twitter.

As long as it's optional, I don't see a problem. It's good to be able to share personal information, privacy is about choosing which information to share and with whom to share it.

My problem with Hemlis is this:

Quote
Your server only?

Yes! The way to make the system secure is that we can control the infrastructure. Distributing to other servers makes it impossible to give any guarantees about the security. We’ll have audits from trusted third parties on our platforms regularly, in cooperation with our community.

As much as I applaud their effort, this shows that they simply don't get what "security" and "privacy" mean.

Lauda
August 23, 2013, 09:38:22 PM
 #131

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis. ;)
https://heml.is/

Soon™
For anyone curious and lazy to google.

That's for sure a strange mix, encrypted end to end communication and posting your personal infos on facebook and twitter.
Well my facebook not being private is not a concern, since it's constantly being cleaned up. What I send in messages on the other hand, should be, as there tends to be valuable info there from time to time.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
The 4ner
aka newbitcoinqtuser
August 23, 2013, 09:47:52 PM
 #132

Did anyone on here donate to their project?
stevegee58
August 24, 2013, 12:03:53 AM
 #133

I'm in the process of setting up my own email server.  End-to-end encryption, including the server data itself.
I'm the only one who has to trust it since I'm the only one using it.  Come at me, bro.

You are in a maze of twisty little passages, all alike.
smscotten
August 24, 2013, 12:33:24 AM
 #134

I'm in the process of setting up my own email server.  End-to-end encryption, including the server data itself.
I'm the only one who has to trust it since I'm the only one using it.  Come at me, bro.

I thought "end-to-end" referred to the sender and receiver. If you're not encrypting the contents of the emails with a key specific to your recipient, or if someone sends you mail in cleartext, that can be read in transit.

But yeah, good for you. Hopefully we'll see more of that. I'm possibly returning to hosting my own mail again. I remember it being a hassle, but I suspect that with or without the root password my hosting service can paw through everything I've got on my VPS. I certainly trust them enough not to do it… unless they get pressure from the government. *sigh*

justusranvier
August 24, 2013, 12:40:35 AM
 #135

I run my own IMAP server (Dovecot) on a home server and use Fetchmail to download mail from my various email accounts.

It's nice because it lets me collect all kinds of mail into a single mailbox that can be read from my PC or phone. I've got a VM running a POP/SMTP-enabled version of Bitmessage that Fetchmail can poll, so that pulls any messages I receive via that network into my normal workflow.
joesmoe2012
August 24, 2013, 01:27:24 PM
 #136

I think setting up your own email solution is probably the least secure option. It's very difficult to properly set up a secure email solution with proper encryption and anti-logging.

Installing Ubuntu and some mail server on top of it doesn't provide any more security than using PGP with gmail. Also, unless you're a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targeted (and your mail server would stick out like a sore thumb in the headers of any email you send).


smscotten
August 24, 2013, 09:10:58 PM
 #137

I think setting up your own email solution is probably the least secure option. It's very difficult to properly set up a secure email solution with proper encryption and anti-logging.

Installing Ubuntu and some mail server on top of it doesn't provide any more security than using PGP with gmail. Also, unless you're a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targeted (and your mail server would stick out like a sore thumb in the headers of any email you send).

I'm not sure where you're getting this. No, as I pointed out earlier, if you aren't encrypting the messages before they get sent out into the wide world that isn't any different than gmail. And the complexities of securing a server against attack are probably wider than the scope of this post.

But what you know for sure is that if law enforcement has a warrant for the contents of your computer that there will be a knock at (or down) your door and you'll either have a warrant in your hand and an opportunity to call your lawyer or else come home and find your computer missing. You at least know that the system is compromised. With gmail, we pretty much have to assume that everything ever said in an email on gmail is duplicated in close to real-time on the NSA's servers.

And what are you talking about regarding your mail server sticking out like a sore thumb? I'm imagining an NSA agent looking through logs and stopping, shocked. "Hold the phone, Joe, look! This email was sent from LINUX. That NEVER HAPPENS. Quick, send a SWAT team to that location!"

I'm also curious what you mean by anti-logging. The only interpretations I can come up with are either impossible or trivial. And googling the term just came up with a bunch of Earth First websites.

moni3z
August 24, 2013, 09:37:03 PM
Last edit: August 24, 2013, 10:06:22 PM by moni3z
 #138

Just make your own, using a VPS in Iceland and either using qmail + djbdns or OpenSMTPD.
Look around for scripts that will encrypt all incoming mail to your public PGP key or do it yourself: https://grepular.com/Automatically_Encrypting_all_Incoming_Email  If you want, now make it a Tor hidden service and access it via .onion to download encrypted messages.

Obviously this is just to prevent passive government spying and political blackmail, but doesn't prevent targeted spying (they break into your VPS, capture traffic before it is encrypted) or NSA metadata traffic analysis seeing who you are talking to.

Countermail I would expect if you should ever be targeted by authorities they will simply feed you a MITM login screen that captures your password so they can hand it over to whoever asks for it. This is exactly what Hushmail did numerous times.

Rayservers offer a pretty attractive package as well, servers are in Panama and I believe they have .onion access but they are still a US based company so open to government harassment and coercion. http://www.rayservers.com/blog/rayservers-mail-server-features-and-faq

Apparently the guy who runs Torservers.net posted to tor-talk mailing list he was creating his own Tormail for free use https://lists.torproject.org/pipermail/tor-talk/2013-August/029464.html



moni3z
August 24, 2013, 09:42:27 PM
 #139

With gmail, we pretty much have to assume that everything ever said in an email on gmail is duplicated in close to real-time on the NSA's servers.

Gmail according to posts on Hacker News will feed you a new TOS to agree to should they receive a national security letter to hand over your emails. If you find yourself logging into gmail and having to agree with new TOS then ruh-roh.

Setting up "anti-logging" is dead simple. NSA left this handy bash script for debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8  they also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.

testconpastas2
August 25, 2013, 06:24:54 PM
 #140

Support http://www.mailpile.is/blog/. Eventually it'll become a mail client-server, 100% Free and Open Source.

Bitmessage: BM-2DAetLWJBKWHZoPbNCgg5z8jwaPpDYWwd4
gpg key id:C6EF5CE3