Pages:
Author

Topic: Lavabit.com and Tormail Email Alternatives... - page 2. (Read 31158 times)

b!z
legendary
Activity: 1582
Merit: 1010
Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.

I think he means the site still works if he disables JS in his browser
legendary
Activity: 1512
Merit: 1049
Death to enemies!
Not entirely true about JavaScript and hijacking. If the server is rooted or seized by pigs they can add anything to it. Tormail also did not require JavaScript.
newbie
Activity: 16
Merit: 0
I haven't seen anyone mention www.anonymousspeech.com so i will.
Its main selling point for me is that it requires no Javascript so no badman can hijack the site and insert funky code as we saw happend with tormail. Has some others neat features as well like time-delayed emails. I havent used that function but im guessing it uses a rnd delay before sending your message, very cool.
And yeah- Bitcoin accepted!
Enjoy.
hero member
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.  Wink

What does The Pirate Bay have to do with this?



Because a founder of The Pirate Bay is behind the creation of Hemlis.
legendary
Activity: 1512
Merit: 1049
Death to enemies!
Self-hosting is a way to protect against court ordered censorship of users or protect the mail server from direct database access by NSA. The e-mail still can and will be read when it travels the internet in unencrypted form. The solution already exists and it is called PGP encryption. But almost nobody uses it.

They say that they don't commit crimes so they don't need encryption. But most people still wear pants in public even if they don't hide crimes under them. The ignorance of average computer user is unbelievable.
legendary
Activity: 2126
Merit: 1001
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?

So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.

The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicate that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.

Also, it's not just governments (or our own government) that we need to worry about.

Decentralization is not a silver bullet, but it is nevertheless desirable.

I see your points!
My approach, however, comes from two directions:
- be paranoid, assume the worst
- playfully wrap your mind around it for beating an overwhelming thread or creating a 100% secure system (you see the "playful here, right?)

For the real situation, out there, you are right!

Ente
legendary
Activity: 1316
Merit: 1003
The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?
They say:
http://online.wsj.com/article/SB10001424127887324108204579022874091732470.html Cheesy
full member
Activity: 140
Merit: 100
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

I believe (and obviously can't support this) that intercepting packets in flight is still too massive a job for any of the three-letter-agencies to be able to do effectively. That doesn't mean that they aren't trying, but the variables involved in how network packets get routed, the amount of traffic, and the difficulty involved in putting all that data together and building a coherent picture from it on a nanosecond by nanosecond basis are most likely still beyond the capability of any organization. That said, of course that doesn't mean that they aren't trying. The question is: how much of the traffic are they able to "read?" Is it 10%? 1%? 0.0001%?

So I agree that anything not encrypted should be *considered* intercepted, but that doesn't mean that other measures shouldn't be put into place as well.

The fact that the TLAs are still issuing orders to companies like Google and Facebook—and Lavamail—indicate that they still need to read email at the endpoints in order for them to reliably get what they want. The advantage to having mail served by a local server is twofold: first, it makes it necessary for them to show up at my location and serve the warrant (or Security Letter) directly to me, so I know that it is happening. Second, it makes that kind of surveillance much more expensive and difficult to keep secret. You might be able to keep Google and Facebook and Apple shut up about what you're doing, but the more people/companies they order to surrender system passwords, the more some of those people will be squawking about it.

Also, it's not just governments (or our own government) that we need to worry about.

Decentralization is not a silver bullet, but it is nevertheless desirable.
legendary
Activity: 2126
Merit: 1001
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.  Wink

What does The Pirate Bay have to do with this?
(at first I misread some Dread Pirate thingie here..)
Well isn't there (more) established solutions for end-to-end encrypted mobilephone messaging?
Redphone, Textsecure for example.
More on Android:
https://encrypteverything.ca/Cell_phone_privacy_guide_%28Android%29#Encrypting_communications_and_files

Setting up "anti-logging" is dead simple. NSA left this handy bash script for debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8  they also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.

Now that's a treat! Thank you! :-)


About the whole thread:
Different ideas, needs and concepts seem to be mixed here.
- Anonymous mail? Anonymous IM?
- End-to-end encrypted? Non-traceable?

I, personally, liked tormail for it's non-traceability. GPG and OTR is great and all, but simply doesn't work with 99% of the recipients. So I *assume* my mails will be intercepted and use onionland for doing stuff anonymously. This works with many regular mailproviders, obviously.
Now if you want to communicate encrypted, it all depends if it's a few, recurring contacts, or *any* contact.
And, honestly, I don't see a place for a self-hosted mailserver in this discussion. If your mail is (GPG-)encrypted, a regular mailservice works. If it's not encrypted, consider your mail intercepted, analyzed and manipulated. Right behind your mailserver.

Oh, maybe I should edit "I" to "a friend of mine"..

Ente
full member
Activity: 199
Merit: 100
Support http://www.mailpile.is/blog/ .Eventually  it'll become a mail client-server, 100% Free and Open Source.
hero member
Activity: 899
Merit: 1002
With gmail, we pretty much have to assume that everything ever said in an email on gmail is duplicated in close to real-time on the NSA's servers.

Gmail according to posts on Hacker News will feed you a new TOS to agree to should they receive a national security letter to hand over your emails. If you find yourself logging into gmail and having to agree with new TOS then ruh-roh.

Setting up "anti-logging" is dead simple. NSA left this handy bash script for debian lying around one of their command & control servers: http://pastebin.com/vyfwkXm8  they also used OpenVZ because apparently forensics on their virtual drives are much more difficult. Doesn't really matter though, not like there won't be logs from the ISP/host of every email that was relayed to you or every ssh login.

hero member
Activity: 899
Merit: 1002
Just make your own, using a VPS in Iceland and either using qmail + djbdns or OpenSMTPD.
Look around for scripts that will encrypt all incoming mail to your public PGP key or do it yourself: https://grepular.com/Automatically_Encrypting_all_Incoming_Email  if you want now make it a Tor hidden service and access it .onion to download encrypted messages

Obviously this is just to prevent passive government spying and political blackmail, but doesn't prevent targeted spying (they break into your VPS, capture traffic before it is encrypted) or NSA metadata traffic analysis seeing who you are talking to.

Countermail I would expect if you should ever be targeted by authorities they will simply feed you a MITM login screen that captures your password so they can hand it over to whoever asks for it. This is exactly what Hushmail did numerous times.

Rayservers offer a pretty attractive package as well, servers are in Panama and I believe they have .onion access but they are still a US based company so open to government harassment and coercion. http://www.rayservers.com/blog/rayservers-mail-server-features-and-faq

Apparently the guy who runs Torservers.net posted to tor-talk mailing list he was creating his own Tormail for free use https://lists.torproject.org/pipermail/tor-talk/2013-August/029464.html



full member
Activity: 140
Merit: 100
I think setting up your own email solution is probably the least secure option. It's very difficult to properly setup a secure email solution with proper encryption and anti-logging.

Installing Ubuntu and some mail server ontop of it doesn't provide any more security than using PGP with gmail. Also, unless your a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targetted (and your mail server would stick out like a sore thumb in the headers of any email you send).

I'm not sure where you're getting this. No, as I pointed out earlier, if you aren't encrypting the messages before they get sent out into the wide world that isn't any different than gmail. And the complexities of securing a server against attack are probably wider than the scope of this post.

But what you know for sure is that if law enforcement has a warrant for the contents of your computer that there will be a knock at (or down) your door and you'll either have a warrant in your hand and an opportunity to call your lawyer or else come home and find your computer missing. You at least know that the system is compromised. With gmail, we pretty much have to assume that everything ever said in an email on gmail is duplicated in close to real-time on the NSA's servers.

And what are you talking about regarding your mail server sticking out like a sore thumb? I'm imagining an NSA agent looking through logs and stopping, shocked. "Hold the phone, Joe, look! This email was sent from LINUX. That NEVER HAPPENS. Quick, send a SWAT team to that location!"

I'm also curious what you mean by anti-logging. The only interpretations I can come up with are either impossible or trivial. And googling the term just came up with a bunch of Earth First websites.
hero member
Activity: 882
Merit: 501
Ching-Chang;Ding-Dong
I think setting up your own email solution is probably the least secure option. It's very difficult to properly setup a secure email solution with proper encryption and anti-logging.

Installing Ubuntu and some mail server ontop of it doesn't provide any more security than using PGP with gmail. Also, unless your a unix expert, securing your own unix system can prove to be difficult, especially if you are ever targetted (and your mail server would stick out like a sore thumb in the headers of any email you send).

legendary
Activity: 1400
Merit: 1013
I run my own IMAP server (Dovecot) on a home server and use Fetchmail to download mail from my various email accounts.

It's nice because it lets me collect all kinds of mail into a single mailbox that can be read from my PC or phone. I've got a VM running a POP/SMTP-enabled version of Bitmessage that Fetchmail can poll, so that pulls any messages I receive via that network into my normal workflow.
full member
Activity: 140
Merit: 100
I'm in the process of setting up my own email server.  End-to-end encryption, including the server data itself.
I'm the only one who has to trust it since I'm the only one using it.  Come at me, bro.

I thought "end-to-end" referred to the sender and receiver. If you're not encrypting the contents of the emails with a key specific to your recipient, or if someone send you mail in cleartext, that can be read in transit.

But yeah, good for you. Hopefully we'll see more of that. I'm possibly returning to hosting my own mail again. I remember it being a hassle, but I suspect that with or without the root password my hosting service can paw through everything I've got on my VPS. I certainly trust them enough not to do it… unless they get pressure from the government. *sigh*
legendary
Activity: 916
Merit: 1003
I'm in the process of setting up my own email server.  End-to-end encryption, including the server data itself.
I'm the only one who has to trust it since I'm the only one using it.  Come at me, bro.
hero member
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
Did anyone on here donate to their project?
legendary
Activity: 2674
Merit: 3000
Terminated.
Looks like we're all screwed. At least until The Pirate Bay releases Hemlis.  Wink
https://heml.is/

Soon™
For anyone curious and lazy to google.

Thats for sure a strange mix, encrypted end to end communication and posting your personal infos on facebook and twitter.
Well my facebook not being private is not a concern, since it's constantly being cleaned up. What i send in messages on the other hand, should be, as there tends to be valuable info there from time to time.
full member
Activity: 140
Merit: 100
Thats for sure a strange mix, encrypted end to end communication and posting your personal infos on facebook and twitter.

As long as it's optional, I don't see a problem. It's good to be able to share personal information, privacy is about choosing which information to share and with whom to share it.

My problem with Hemlis is this:

Quote
Your server only?

Yes! The way to make the system secure is that we can control the infrastructure. Distributing to other servers makes it impossible to give any guarantees about the security. We’ll have audits from trusted third parties on our platforms regularily, in cooperation with our community.

As much as I applaud their effort, this shows that they simply don't get what "security" and "privacy" mean.
Pages:
Jump to: