Topic: Lavabit.com and Tormail Email Alternatives...
Ente
August 26, 2013, 12:43:19 PM
 #141

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.

What does The Pirate Bay have to do with this?
(at first I misread some Dread Pirate thingie here..)
Well, aren't there (more) established solutions for end-to-end encrypted mobile phone messaging?
Redphone, Textsecure for example.
More on Android:
https://encrypteverything.ca/Cell_phone_privacy_guide_%28Android%29#Encrypting_communications_and_files

Setting up "anti-logging" is dead simple. NSA left this handy bash script for Debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8. They also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.

Now that's a treat! Thank you! :-)


About the whole thread:
Different ideas, needs and concepts seem to be mixed here.
- Anonymous mail? Anonymous IM?
- End-to-end encrypted? Non-traceable?

I, personally, liked tormail for its non-traceability. GPG and OTR are great and all, but simply don't work with 99% of the recipients. So I *assume* my mails will be intercepted and use onionland for doing stuff anonymously. This works with many regular mail providers, obviously.
Now if you want to communicate encrypted, it all depends if it's a few, recurring contacts, or *any* contact.
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

Oh, maybe I should edit "I" to "a friend of mine"..

Ente
smscotten
August 26, 2013, 07:04:47 PM
 #142

And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?

So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.

The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicates that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.

Also, it's not just governments (or our own government) that we need to worry about.

Decentralization is not a silver bullet, but it is nevertheless desirable.

bernard75
August 26, 2013, 08:05:00 PM
 #143

The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?
They say:
http://online.wsj.com/article/SB10001424127887324108204579022874091732470.html
Ente
August 26, 2013, 08:55:47 PM
 #144

And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?

So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.

The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicates that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.

Also, it's not just governments (or our own government) that we need to worry about.

Decentralization is not a silver bullet, but it is nevertheless desirable.

I see your points!
My approach, however, comes from two directions:
- be paranoid, assume the worst
- playfully wrap your mind around it for beating an overwhelming threat or creating a 100% secure system (you see the "playful" here, right?)

For the real situation, out there, you are right!

Ente
MysteryMiner
August 26, 2013, 11:26:45 PM
 #145

Self-hosting is a way to protect against court ordered censorship of users or protect the mail server from direct database access by NSA. The e-mail still can and will be read when it travels the internet in unencrypted form. The solution already exists and it is called PGP encryption. But almost nobody uses it.

They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of the average computer user is unbelievable.

The 4ner
August 27, 2013, 05:34:14 AM
 #146

Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.

What does The Pirate Bay have to do with this?



Because a founder of The Pirate Bay is behind the creation of Hemlis.
Pellefot
August 27, 2013, 06:24:56 AM
 #147

I haven't seen anyone mention www.anonymousspeech.com so I will.
Its main selling point for me is that it requires no JavaScript, so no badman can hijack the site and insert funky code as we saw happen with Tormail. It has some other neat features as well, like time-delayed emails. I haven't used that function but I'm guessing it uses a random delay before sending your message, very cool.
And yeah- Bitcoin accepted!
Enjoy.
MysteryMiner
August 27, 2013, 01:24:41 PM
 #148

Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.

b!z
August 27, 2013, 01:56:57 PM
 #149

Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.

I think he means the site still works if he disables JS in his browser.
2dogs
August 28, 2013, 03:47:00 PM
 #150


They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of the average computer user is unbelievable.

+1
smscotten
August 28, 2013, 09:27:51 PM
 #151

They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of the average computer user is unbelievable.

I share your frustration with the difficulty in getting people to use PGP. Though I'm nowhere near as frustrated by the fact that average computer users won't use PGP as I am by the fact that getting liberty- and privacy-minded technically savvy and proficient people to use PGP is like pulling teeth.

"Yeah, I've been meaning to get around to it. It's really important, I agree." Wait two weeks, ask again for their key, get same answer. Rinse, lather, repeat.

I'm at the point where I won't talk about PRISM or any of the zillion surveillance scandals with anyone who won't generate a set of PGP keys. If all they want to do is complain and hope someone else does something about it, I've got no time.

Now back to the average user. Your analogy is flawed and unfair.

1) Most everyone around us already wears pants. Anyone who doesn't faces social (and probably legal) repercussions.
2) Most everyone has been taught to wear pants from a very young age. It has become habituated.
3) There are advertisements everywhere making most everyone think that they will be sexually desirable if they wear the right pants.
4) Most everyone already has a pretty good idea how to use pants.

MysteryMiner
August 28, 2013, 11:50:42 PM
 #152

Quote
1) Most everyone around us already wears pants. Anyone who doesn't faces social (and probably legal) repercussions.
2) Most everyone has been taught to wear pants from a very young age. It has become habituated.
3) There are advertisements everywhere making most everyone think that they will be sexually desirable if they wear the right pants.
4) Most everyone already has a pretty good idea how to use pants.
1) Some of them will find out the hard way that encryption is a must. Our president's adviser found out the hard way http://www.dzeltenais.lv/wp-content/uploads/2012/06/rgle.png and this is the most decent picture that was copied from her hacked e-mail.
2) Let's teach our children how to use encryption from a very young age. Let us be the last generation of neanderthals who run around without pants!
3) Let's advertise that 4096-bit RSA keys are more sexy than 2048 ones!
4) Using PGP is not harder than squeezing into pants. At least for a person with 130+ IQ

marcus_of_augustus
August 29, 2013, 12:05:18 AM
 #153

GPG PGP has its shortcomings also ....

smscotten
August 29, 2013, 02:25:58 AM
 #154

Quote
1) Most everyone around us already wears pants. Anyone who doesn't faces social (and probably legal) repercussions.
2) Most everyone has been taught to wear pants from a very young age. It has become habituated.
3) There are advertisements everywhere making most everyone think that they will be sexually desirable if they wear the right pants.
4) Most everyone already has a pretty good idea how to use pants.
1) Some of them will find out the hard way that encryption is a must. Our president's adviser found out the hard way http://www.dzeltenais.lv/wp-content/uploads/2012/06/rgle.png and this is the most decent picture that was copied from her hacked e-mail.
2) Let's teach our children how to use encryption from a very young age. Let us be the last generation of neanderthals who run around without pants!
3) Let's advertise that 4096-bit RSA keys are more sexy than 2048 ones!
4) Using PGP is not harder than squeezing into pants. At least for a person with 130+ IQ

1) You don't have to convince me of that. (Although, actually, that's a great reason that everyone else shouldn't use encryption. More pics for the rest of us.) Still, the social repercussions are relatively rare so far, at least compared to not wearing pants in public.
2) Yes, but that teaching starts now or at most 20 years ago. Don't go around blaming the people that didn't get taught from a young age for not having been taught.
3) Yes, let's! And that advertising starts now. Don't go saying nasty things about the people who haven't gotten the message yet.
4) I disagree. It's a whole new vocabulary. I've been using PGP (or I ought to say I've been making PGP keys for myself; it's only recently that I've had anyone to exchange keys and emails with) for nearly 20 years and I still feel like I'm just barely getting the hang of things like managing circles of trust. Granted, you don't have to learn all that right away just to encrypt a message but there are a lot of ideas that are important that go along with just encrypting messages. And 130+ IQ is what, 3.5% of the population? Depends on what scale you use, but no matter what you are a long way from "most people."

Really. Sit down with a reasonably smart person who wasn't either a math or computer science major and try to show them how PGP works. If they are indeed reasonably smart and don't have some kind of mental block about it they will get it, but it will take some time and effort on both your parts. It will be time and effort well-spent, but don't pretend it's trivial.

My point is only that we have a task of educating others ahead of us. Calling people 'unbelievably ignorant' for not yet having learned about PGP doesn't help.

marcus_of_augustus: to what shortcomings are you referring?

MysteryMiner
August 29, 2013, 03:10:31 PM
 #155

PGP Web of Trust is for preventing use of "fake" keys. It is unnecessary for end-to-end encryption as long as the key fingerprints are verified offline or by some other reasonably safe method.

The basics of GPG are not so difficult to understand. The problem is the lack of software that uses it by default. To use it one needs to install Thunderbird, configure POP3 access, then install GPG and then Enigmail. And configure all of this and store the e-mails on one's own computer's hard drive. This process filters out a large portion of users who don't care about maintenance of their computer or only use webmail from random computers.
GPG PGP has its shortcomings also ....
Everything has its shortcomings. When used properly GPG will protect the contents of the message. The sender and recipient will still be known to NSA.

joesmoe2012
August 29, 2013, 03:39:37 PM
 #156

PGP Web of Trust is for preventing use of "fake" keys. It is unnecessary for end-to-end encryption as long as the key fingerprints are verified offline or by some other reasonably safe method.

The basics of GPG are not so difficult to understand. The problem is the lack of software that uses it by default. To use it one needs to install Thunderbird, configure POP3 access, then install GPG and then Enigmail. And configure all of this and store the e-mails on one's own computer's hard drive. This process filters out a large portion of users who don't care about maintenance of their computer or only use webmail from random computers.
GPG PGP has its shortcomings also ....
Everything has its shortcomings. When used properly GPG will protect the contents of the message. The sender and recipient will still be known to NSA.

And since multiple messages are encrypted with the same static key, if the key is ever compromised, all prior communications are compromised.


MysteryMiner
August 29, 2013, 05:02:53 PM
 #157

PGP Web of Trust is for preventing use of "fake" keys. It is unnecessary for end-to-end encryption as long as the key fingerprints are verified offline or by some other reasonably safe method.

The basics of GPG are not so difficult to understand. The problem is the lack of software that uses it by default. To use it one needs to install Thunderbird, configure POP3 access, then install GPG and then Enigmail. And configure all of this and store the e-mails on one's own computer's hard drive. This process filters out a large portion of users who don't care about maintenance of their computer or only use webmail from random computers.
GPG PGP has its shortcomings also ....
Everything has its shortcomings. When used properly GPG will protect the contents of the message. The sender and recipient will still be known to NSA.

And since multiple messages are encrypted with the same static key, if the key is ever compromised, all prior communications are compromised.


It has an easy solution - don't let the private key be compromised! Seriously, if the encryption secret key is compromised then it is game over.

bernard75
August 30, 2013, 01:20:45 PM
 #158

Another attack on the Tor network or "just" bots:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029582.html
Ente
August 30, 2013, 02:13:18 PM
 #159

Another attack on the Tor network or "just" bots:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029582.html

uh, wtf?
Real attack, or a huge botnet switching to tor maybe?

Ente
NewLiberty
August 30, 2013, 04:46:40 PM
 #160

I'd guess some cloud service is being utilized to spawn a bunch of clients for some legitimate privacy concern purpose.
Sure, it could be a bot-net, but that would be... wrong.
