Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.
I think he means the site still works if he disables JS in his browser
Topic: Lavabit.com and Tormail Email Alternatives... - page 2. (Read 31109 times)
I think he means the site still works if he disables JS in his browser
Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.
I haven't seen anyone mention www.anonymousspeech.com so i will.
Its main selling point for me is that it requires no Javascript so no badman can hijack the site and insert funky code as we saw happend with tormail. Has some others neat features as well like time-delayed emails. I havent used that function but im guessing it uses a rnd delay before sending your message, very cool.
And yeah- Bitcoin accepted!
Enjoy.
Its main selling point for me is that it requires no Javascript so no badman can hijack the site and insert funky code as we saw happend with tormail. Has some others neat features as well like time-delayed emails. I havent used that function but im guessing it uses a rnd delay before sending your message, very cool.
And yeah- Bitcoin accepted!
Enjoy.
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis. 
What does The Pirate Bay have to do with this?
Because a founder of The Pirate Bay is behind the creation of Hemlis.
Self-hosting is a way to protect against court ordered censorship of users or protect the mail server from direct database access by NSA. The e-mail still can and will be read when it travels the internet in unencrypted form. The solution already exists and it is called PGP encryption. But almost nobody uses it.
They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of average computer user is unbelievable.
They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of average computer user is unbelievable.
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.
I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?
So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.
The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicate that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.
Also, it's not just governments (or our own government) that we need to worry about.
Decentralization is not a silver bullet, but it is nevertheless desirable.
I see your points!
My approach, however, comes from two directions:
- be paranoid, assume the worst
- playfully wrap your mind around it for beating an overwhelming thread or creating a 100% secure system (you see the "playful here, right?)
For the real situation, out there, you are right!
Ente
The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?
They say:http://online.wsj.com/article/SB10001424127887324108204579022874091732470.html
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.
I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?
So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.
The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicate that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.
Also, it's not just governments (or our own government) that we need to worry about.
Decentralization is not a silver bullet, but it is nevertheless desirable.
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.
What does The Pirate Bay have to do with this?
(at first I misread some Dread Pirate thingie here..)
Well isn't there (more) established solutions for end-to-end encrypted mobilephone messaging?
Redphone, Textsecure for example.
More on Android:
https://encrypteverything.ca/Cell_phone_privacy_guide_%28Android%29#Encrypting_communications_and_files
Setting up "anti-logging" is dead simple. NSA left this handy bash script for debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8 they also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.
Now that's a treat! Thank you! :-)
About the whole thread:
Different ideas, needs and concepts seem to be mixed here.
- Anonymous mail? Anonymous IM?
- End-to-end encrypted? Non-traceable?
I, personally, liked tormail for it's non-traceability. GPG and OTR is great and all, but simply doesn't work with 99% of the recipients. So I *assume* my mails will be intercepted and use onionland for doing stuff anonymously. This works with many regular mailproviders, obviously.
Now if you want to communicate encrypted, it all depends if it's a few, recurring contacts, or *any* contact.
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.
Oh, maybe I should edit "I" to "a friend of mine"..
Ente
Support http://www.mailpile.is/blog/ .Eventually it'll become a mail client-server, 100% Free and Open Source.
With gmail, we pretty much have to assume that everything ever said in an email on gmail is duplicated in close to real-time on the NSA's servers.
Gmail according to posts on Hacker News will feed you a new TOS to agree to should they receive a national security letter to hand over your emails. If you find yourself logging into gmail and having to agree with new TOS then ruh-roh.
Setting up "anti-logging" is dead simple. NSA left this handy bash script for debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8 they also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.
Just make your own, using a VPS in Iceland and either using qmail + djbdns or OpenSMTPD.
Look around for scripts that will encrypt all incoming mail to your public PGP key or do it yourself: https://grepular.com/Automatically_Encrypting_all_Incoming_Email if you want now make it a Tor hidden service and access it .onion to download encrypted messages
Obviously this is just to prevent passive government spying and political blackmail, but doesn't prevent targeted spying (they break into your VPS, capture traffic before it is encrypted) or NSA metadata traffic analysis seeing who you are talking to.
Countermail I would expect if you should ever be targeted by authorities they will simply feed you a MITM login screen that captures your password so they can hand it over to whoever asks for it. This is exactly what Hushmail did numerous times.
Rayservers offer a pretty attractive package as well, servers are in Panama and I believe they have .onion access but they are still a US based company so open to government harassment and coercion. http://www.rayservers.com/blog/rayservers-mail-server-features-and-faq
Apparently the guy who runs Torservers.net posted to tor-talk mailing list he was creating his own Tormail for free use https://lists.torproject.org/pipermail/tor-talk/2013-August/029464.html
Look around for scripts that will encrypt all incoming mail to your public PGP key or do it yourself: https://grepular.com/Automatically_Encrypting_all_Incoming_Email if you want now make it a Tor hidden service and access it .onion to download encrypted messages
Obviously this is just to prevent passive government spying and political blackmail, but doesn't prevent targeted spying (they break into your VPS, capture traffic before it is encrypted) or NSA metadata traffic analysis seeing who you are talking to.
Countermail I would expect if you should ever be targeted by authorities they will simply feed you a MITM login screen that captures your password so they can hand it over to whoever asks for it. This is exactly what Hushmail did numerous times.
Rayservers offer a pretty attractive package as well, servers are in Panama and I believe they have .onion access but they are still a US based company so open to government harassment and coercion. http://www.rayservers.com/blog/rayservers-mail-server-features-and-faq
Apparently the guy who runs Torservers.net posted to tor-talk mailing list he was creating his own Tormail for free use https://lists.torproject.org/pipermail/tor-talk/2013-August/029464.html
I think setting up your own email solution is probably the least secure option. It's very difficult to properly setup a secure email solution with proper encryption and anti-logging.
Installing Ubuntu and some mail server ontop of it doesn't provide any more security than using PGP with gmail. Also, unless your a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targetted (and your mail server would stick out like a sore thumb in the headers of any email you send).
Installing Ubuntu and some mail server ontop of it doesn't provide any more security than using PGP with gmail. Also, unless your a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targetted (and your mail server would stick out like a sore thumb in the headers of any email you send).
I'm not sure where you're getting this. No, as I pointed out earlier, if you aren't encrypting the messages before they get sent out into the wide world that isn't any different than gmail. And the complexities of securing a server against attack are probably wider than the scope of this post.
But what you know for sure is that if law enforcement has a warrant for the contents of your computer that there will be a knock at (or down) your door and you'll either have a warrant in your hand and an opportunity to call your lawyer or else come home and find your computer missing. You at least know that the system is compromised. With gmail, we pretty much have to assume that everything ever said in an email on gmail is duplicated in close to real-time on the NSA's servers.
And what are you talking about regarding your mail server sticking out like a sore thumb? I'm imagining an NSA agent looking through logs and stopping, shocked. "Hold the phone, Joe, look! This email was sent from LINUX. That NEVER HAPPENS. Quick, send a SWAT team to that location!"
I'm also curious what you mean by anti-logging. The only interpretations I can come up with are either impossible or trivial. And googling the term just came up with a bunch of Earth First websites.
I think setting up your own email solution is probably the least secure option. It's very difficult to properly setup a secure email solution with proper encryption and anti-logging.
Installing Ubuntu and some mail server ontop of it doesn't provide any more security than using PGP with gmail. Also, unless your a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targetted (and your mail server would stick out like a sore thumb in the headers of any email you send).
Installing Ubuntu and some mail server ontop of it doesn't provide any more security than using PGP with gmail. Also, unless your a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targetted (and your mail server would stick out like a sore thumb in the headers of any email you send).
I run my own IMAP server (Dovecot) on a home server and use Fetchmail to download mail from my various email accounts.
It's nice because it lets me collect all kinds of mail into a single mailbox that can be read from my PC or phone. I've got a VM running a POP/SMTP-enabled version of Bitmessage that Fetchmail can poll, so that pulls any messages I receive via that network into my normal workflow.
It's nice because it lets me collect all kinds of mail into a single mailbox that can be read from my PC or phone. I've got a VM running a POP/SMTP-enabled version of Bitmessage that Fetchmail can poll, so that pulls any messages I receive via that network into my normal workflow.
I'm in the process of setting up my own email server. End-to-end encryption, including the server data itself.
I'm the only one who has to trust it since I'm the only one using it. Come at me, bro.
I'm the only one who has to trust it since I'm the only one using it. Come at me, bro.
I thought "end-to-end" referred to the sender and receiver. If you're not encrypting the contents of the emails with a key specific to your recipient, or if someone send you mail in cleartext, that can be read in transit.
But yeah, good for you. Hopefully we'll see more of that. I'm possibly returning to hosting my own mail again. I remember it being a hassle, but I suspect that with or without the root password my hosting service can paw through everything I've got on my VPS. I certainly trust them enough not to do it… unless they get pressure from the government. *sigh*
I'm in the process of setting up my own email server. End-to-end encryption, including the server data itself.
I'm the only one who has to trust it since I'm the only one using it. Come at me, bro.
I'm the only one who has to trust it since I'm the only one using it. Come at me, bro.
Did anyone on here donate to their project?
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.
https://heml.is/Soon™
For anyone curious and lazy to google.
Thats for sure a strange mix, encrypted end to end communication and posting your personal infos on facebook and twitter.
Thats for sure a strange mix, encrypted end to end communication and posting your personal infos on facebook and twitter.
As long as it's optional, I don't see a problem. It's good to be able to share personal information, privacy is about choosing which information to share and with whom to share it.
My problem with Hemlis is this:
Quote
Your server only?
Yes! The way to make the system secure is that we can control the infrastructure. Distributing to other servers makes it impossible to give any guarantees about the security. We’ll have audits from trusted third parties on our platforms regularily, in cooperation with our community.
Yes! The way to make the system secure is that we can control the infrastructure. Distributing to other servers makes it impossible to give any guarantees about the security. We’ll have audits from trusted third parties on our platforms regularily, in cooperation with our community.
As much as I applaud their effort, this shows that they simply don't get what "security" and "privacy" mean.
Jump to: