Topic: Lavabit closes down (Read 2958 times)
It's coming back. Better than before (?): http://silentcircle.wordpress.com/2013/10/30/announcing-the-dark-mail-alliance-founded-by-silent-circle-lavabit/
http://www.chronicles.no/2013/08/bitmessage-crackdown.html
Quote
Mr "Robert White" was behind the "attack" (message from secupost.net and Bitmessage):
-- -- --
This message is also available at http://secupost.net
Alright, the messages sent out a few days ago are starting to expire now. It's time for everyone to learn what the purpose of secupost.net is.
As many of you guessed, this is indeed a Bitmessage address to IP address mapper. Yes, the only thing that webserver would send was a 500 message.
It did alright too, gathering nearly 500 bitmessage users information after sending 15000 messages. Double what I expected.
I've included both a log of each address detected and the first thing to hit it including IP, reverse DNS and useragent as well as raw logs for every valid request. If you need to confirm this signature so you can verify messages from me when bitmessage is down, please see the bitmessage general chan for a copy from my bitmessage address.
So, future lessons:
- - - Yes, all bitmessage addresses are public and can be read from your messages.dat file using a small script.
- - - Don't click links. Even if it looks like a security-related site and uses some technical terms. I am not a nice person, I will publish any information I can gather about you and I don't care if you get lit on fire by terrorists because of it.
- - - Bitmessage does _not_ scale. It took me around 3.5 hours to send ~15k messages but it took the bitmessage network over 18 hours to fully propogate them.
Some of you were smart enough to use tor or VPN providers, but many of these are direct home or server IPs. The information below is more than enough for any government to come after you or any script kiddie to DDoS you. Be more careful next time.
Some of you tried to use scripts to claim addresses which weren't yours and skew the data, of course, you didn't even change your user-agent.
Even without accouting for that your attacks were ineffective because the IDs were generated in a non-linear fashion using a cropped HMAC-SHA256. To find your id:
def gen_mac(addr):
mac = hmac.new("fuck you", addr, hashlib.sha256).digest()
return unpack('>I', mac[0:4])[0]
This simple deterministic method means that you would have had to try... (2^32/15000)/2 = 143165 times on average just to get a single collision. Thanks for playing, but no luck this time.
This service has been operated completely anonymously thanks to Tor and Bitcoin. I hope you enjoy the result.
Robert White (BM-2D8yr4fzoMzwndqPwLMVyzUcdfK9LWZXjY)
-- -- --
This message is also available at http://secupost.net
Alright, the messages sent out a few days ago are starting to expire now. It's time for everyone to learn what the purpose of secupost.net is.
As many of you guessed, this is indeed a Bitmessage address to IP address mapper. Yes, the only thing that webserver would send was a 500 message.
It did alright too, gathering nearly 500 bitmessage users information after sending 15000 messages. Double what I expected.
I've included both a log of each address detected and the first thing to hit it including IP, reverse DNS and useragent as well as raw logs for every valid request. If you need to confirm this signature so you can verify messages from me when bitmessage is down, please see the bitmessage general chan for a copy from my bitmessage address.
So, future lessons:
- - - Yes, all bitmessage addresses are public and can be read from your messages.dat file using a small script.
- - - Don't click links. Even if it looks like a security-related site and uses some technical terms. I am not a nice person, I will publish any information I can gather about you and I don't care if you get lit on fire by terrorists because of it.
- - - Bitmessage does _not_ scale. It took me around 3.5 hours to send ~15k messages but it took the bitmessage network over 18 hours to fully propogate them.
Some of you were smart enough to use tor or VPN providers, but many of these are direct home or server IPs. The information below is more than enough for any government to come after you or any script kiddie to DDoS you. Be more careful next time.
Some of you tried to use scripts to claim addresses which weren't yours and skew the data, of course, you didn't even change your user-agent.
Even without accouting for that your attacks were ineffective because the IDs were generated in a non-linear fashion using a cropped HMAC-SHA256. To find your id:
def gen_mac(addr):
mac = hmac.new("fuck you", addr, hashlib.sha256).digest()
return unpack('>I', mac[0:4])[0]
This simple deterministic method means that you would have had to try... (2^32/15000)/2 = 143165 times on average just to get a single collision. Thanks for playing, but no luck this time.
This service has been operated completely anonymously thanks to Tor and Bitcoin. I hope you enjoy the result.
Robert White (BM-2D8yr4fzoMzwndqPwLMVyzUcdfK9LWZXjY)
Lavabit, Silent Circle, Tormail and now Bitmessage:
It seems like all users received the following message today:
Somebody is collecting IPs, i wonder who?
It seems like all users received the following message today:
Quote
Bitmessage has several potential security issues including a broken proof of work function and potential private key leaks.
Full details:
http://secupost.net/*RefNumber/bitmessage-security
Full details:
http://secupost.net/*RefNumber/bitmessage-security
Somebody is collecting IPs, i wonder who?
Don't use Russian or Chinese e-mail providers at all! mail.ru is just as bad as gmail the only difference is that it have direct link to FSB and Russian oligarchs instead of FBI/NSA.
Self-hosted server is great but it have many points of failure. Then comes mail servers hosted in Latin America or Africa.
Self-hosted server is great but it have many points of failure. Then comes mail servers hosted in Latin America or Africa.
There was an article in our local newspaper today about a company called Privato which offers double encrypted email. It's not free - the article says they charge $100 / year, but I just thought I'd throw it out there as an option. Looks like they are geared more towards businesses than personal email, but I'd doubt they'd turn you down if you'd want to shell out the money.
Personally, I'd probably just stick with my Gmail account and encrypt the messages that I want to be secure. The government would still be able to tell who I'm sending things to, but not what's actually in the message. It's a shame more people don't use encryption - for me, that's the hard part about encryption, I know how to use it, but most people I'm communicating with don't use PGP / GPG.
Personally, I'd probably just stick with my Gmail account and encrypt the messages that I want to be secure. The government would still be able to tell who I'm sending things to, but not what's actually in the message. It's a shame more people don't use encryption - for me, that's the hard part about encryption, I know how to use it, but most people I'm communicating with don't use PGP / GPG.
There's a decent list of alternatives here:
http://www.dailydot.com/lifestyle/tor-tormail-dark-web-communication-pgp/
Looking forward to when Tox.im is fully developed
Plus an interesting interview with Lavabit boss here:
https://www.youtube.com/watch?v=Ui3KpztUzVg
http://www.dailydot.com/lifestyle/tor-tormail-dark-web-communication-pgp/
Looking forward to when Tox.im is fully developed
Plus an interesting interview with Lavabit boss here:
https://www.youtube.com/watch?v=Ui3KpztUzVg
There is still Riseup:
https://www.riseup.net/de/riseup-and-government-faq
Although they are US based they keep on fighting.
https://www.riseup.net/de/riseup-and-government-faq
Although they are US based they keep on fighting.
Also MEGA is setting up an encrypted email service, but it still several months before its finished.
http://www.zdnet.com/mega-to-fill-secure-email-gap-left-by-lavabit-7000019232/ or
http://www.techhive.com/article/2046445/kim-dotcoms-mega-vows-to-create-useable-encrypted-email-for-the-masses.html
.
soooo, I forgot my dropbox password great! 
since I have my lavabit account tied to it I cannot reset it 
Hopefully dropbox support gives me a positive answer.....
since I have my lavabit account tied to it I cannot reset it Hopefully dropbox support gives me a positive answer.....
There is still Riseup:
https://www.riseup.net/de/riseup-and-government-faq
Although they are US based they keep on fighting.
https://www.riseup.net/de/riseup-and-government-faq
Although they are US based they keep on fighting.
A word on hushmail:
https://en.wikipedia.org/wiki/Hushmail
https://en.wikipedia.org/wiki/Hushmail
Quote
However, developments in November 2007 led to doubts among security-conscious users about Hushmail's security and concern over a backdoor. Hushmail has turned over cleartext copies of private e-mail messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.
yeah, safe money and open a gmail or yahoo. still better than a fake privacy mail service
A word on hushmail:
https://en.wikipedia.org/wiki/Hushmail
https://en.wikipedia.org/wiki/Hushmail
Quote
However, developments in November 2007 led to doubts among security-conscious users about Hushmail's security and concern over a backdoor. Hushmail has turned over cleartext copies of private e-mail messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.
or just use bitmessage with pgp. 
seems like the only thing left
or just use bitmessage with pgp.
Ah one of those "I have nothing to hide".
Ive heard of your kind, you guys are very dangerous.
Ive heard of your kind, you guys are very dangerous.
I don't have any child porn to hide. I use torbrower for other things.
id stop digging XD he could have been referring to drugs not just child porn
anyhow onto more important things if i could get the interest and a couple of coders together i might be open to hosting a private encrypted email service...
id also refuse any information requests from any LEA and probably host it on the Tor network
id like to start off with something super simple like Tormail and work up to something a bit more complex.. and id make sure emails dont have a tiny 3mb limit maybe something like 10mb to start with
You can use Chinese/Russian email services. Like qqmail and mail.ru
I considered it, but I'm afraid that the language is going to be a problem. mail.ru doesn't even offer alternative language choices for their home page!Besides, I trust the Russians and Chinese even less than the U.S. government. The only good thing is that my own government is not a close ally of them.
Does anyone know whether this is worth its money?
https://www.trilightzone.org/securemail.html
The closest I'd be able to get to a site that meets your requirements is magnesium.net, which probably fits most of your requirements. Unfortunately, I can't really recommend it because it hasn't really been reliable lately. Most of the time it's up, but there are occasions when it's down for weeks at a time, so reliable it isn't.
If you can afford it, the easiest way to get something like this is to host your own website, then you can have an email address that you control more than you would otherwise since it's hosted on your own domain. I'm going to buy my own hosting eventually and would be happy to sell you an email address through it if you like, but I'm not planning on setting it up for a while so that doesn't really help you now.
Edited to add: Actually, I would be remiss if I didn't mention Hushmail here. They're based in Canada and I think they meet all your requirements: PGP based email, good support, no advertisements. I don't know how reliable they are, but I've heard good things about them, so that's what I'd go for if I were you.
If you can afford it, the easiest way to get something like this is to host your own website, then you can have an email address that you control more than you would otherwise since it's hosted on your own domain. I'm going to buy my own hosting eventually and would be happy to sell you an email address through it if you like, but I'm not planning on setting it up for a while so that doesn't really help you now.
Edited to add: Actually, I would be remiss if I didn't mention Hushmail here. They're based in Canada and I think they meet all your requirements: PGP based email, good support, no advertisements. I don't know how reliable they are, but I've heard good things about them, so that's what I'd go for if I were you.
Thanks for the advice. Hushmail looks good to me (even when taking into account the criticism they've received), except their free account has extremely little storage space and doesn't support POP/IMAP. For their paid accounts, they don't accept Bitcoin or other anonymous payment methods.
I already own a domain name, and I think I'm going to use it for the e-mail address I communicate to my (non-pseudonymous) contacts. Right now, my hosting account only supports redirecting, but I'll check whether it is possible to upgrade it to a POP/IMAP mail box.
I considered self-hosting on my home server, but since it has so many single points of failure (ISP, modem, server, power supply etc.) I don't think I can reach the reliability level I'm looking for without significant investments.
Does anyone have experience with the e-mail services that accept Bitcoin?
When it comes to privacy, I'm thinking in two categories of e-mail:
E-mail with peers who don't care enough about privacy to put effort in protecting it:
- This is, unfortunately, the huge majority of peers
- E-mail has to be sent/received as plaintext, so it can be wiretapped
- Temporary plaintext storage at an e-mail provider (few days at most, until I move it to my own computer) probably makes little difference
- That is, unless the provider spontaneously does freaky analysis stuff on the e-mail data (like gmail does)
- Therefore, I want a good privacy statement for non-authority privacy, and don't expect much privacy protection against authorities
- I need a secondary account if I don't want the other (non-authority) party to know who I am (for temporary contact I'll use mailinator).
E-mail with peers who care about privacy:
- We'll use end-to-end encryption (e.g. PGP)
- Might use the same account as other e-mail if I don't care that others know the 'meta-data' (who talks to who on what moments)
- When I do care about the meta-data, I need a fully pseudonymous account, accessed with something like TOR.
Ah one of those "I have nothing to hide".
Ive heard of your kind, you guys are very dangerous.
Ive heard of your kind, you guys are very dangerous.
I don't have any child porn to hide. I use torbrower for other things.
Ah one of those "I have nothing to hide".
Ive heard of your kind, you guys are very dangerous.
Ive heard of your kind, you guys are very dangerous.
And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.
So the government went after a hosting service that hosts child porn? Oh no!
LOL, thats all i got to say.
Quote
Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network
That's from the article you posted.
Think it out. What does this actually mean? That Tor actually is effective in hiding the identity of the surfers? Seems like otherwise, they would have wanted the site left open as a honeypot.
There's a story here, and it's not just a shrug and a laugh and....
So the government went after a hosting service that hosts child porn? Oh no!
It is a shrug and a laugh. I don't have to worry about my identity being compromised because I don't go to those kinds of sites... Yes, I suppose that now technically we are all at risk for our identities to be exposed. But the thing is, the government isn't doing one massive attack on every tor user. They're going after people associated with child porn, which is not something I disagree with. I don't have anything to worry about, so I am just going to shrug it off and laugh.
Jump to: