
this really smarts



V.T. Eric Layton

Interesting...

 

http://www.theguardian.com/technology/2013/aug/08/lavabit-email-shut-down-edward-snowden

 

http://www.techdirt.com/articles/20130808/13092724113/ed-snowdens-email-provider-lavabit-shuts-down-to-fight-us-govt-intrusion.shtml

 

This is probably only the beginning of things like this. I see TOR and Hushmail and others going down under the pressure of U.S. Federal legal attacks. Not many will have the $$$ to fight it, either.

Link to comment
Share on other sites

I'm disappointed he didn't find someplace where the emails could be parked and picked up by users like me.

Also, some 2nd authentications are sent to my lavabit account and since they don't accept a change without confirmation that it is ok to change from the lavabit account ...

Link to comment
Share on other sites

Guest LilBambi

Lavabit, email service Snowden reportedly used, abruptly shuts down - BoingBoing

 

Remember when word circulated that Edward Snowden was using Lavabit, an email service that purports to provide better privacy and security for users than popular web-based free services like Gmail? Lavabit's owner has shut down the service, and posted a message on the lavabit.com home page today about wanting to avoid "being complicit in crimes against the American people."

 

According to the statement, it appears he rejected a US court order to cooperate with the government in spying on users.

 

More in the article.

Edited by LilBambi
Link to comment
Share on other sites

Guest LilBambi

Well, I know it is hard on the people who used Lavabit to have it shut down, but is it better to do what Hushmail was just reported to have done, or what Lavabit did?

 

Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer."

 

But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

 

A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.

 

 

I have no love for Big Pharma, but that's not the point. It is that the impression was that Hushmail claimed the encryption was such that even they couldn't read the mail.

 

Now that was their 'less secure' offering, but according to the article:

 

A subsequent and refreshingly frank e-mail interview with Hushmail’s CTO seems to indicate that government agencies can also order their way into individual accounts on Hushmail’s ultra-secure web-based e-mail service, which relies on a browser-based Java encryption engine.

 

Although the more secure Hushmail never has an unencrypted copy of the email on their servers or in transit, since it decrypts the message on the user's computer via a Java applet, they can still be required to turn over the encrypted emails from any account.

 

It's more the difference between what they said about their services, and what they can be required to do....I guess.

Edited by LilBambi
Link to comment
Share on other sites

Guest LilBambi

To help differentiate between the Hushmail offerings:

 

However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via an SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages.

 

It was good that Hushmail gave refreshingly frank answers on the Cryptography Mailing List. They didn't have to. So have to give points to Hushmail for that.

 

NOTE: The Hushmail item was from 2007 but very timely as it's been happening for a while.

Edited by LilBambi
Link to comment
Share on other sites

Guest LilBambi

Yep, posted about that on my blog today: Silent Mail from Silent Circle shut down:

 

Silent Circle has shut down Silent Mail.

 

After what happened with Lavabit which led to Lavabit shuttering their email service, I can’t say I blame Silent Circle for preemptively shutting down Silent Mail too.

 

From their Silent Circle Blog posting entitled To Our Customers:

However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

 

We’ve been debating this for weeks, and had changes planned starting next Monday. We’d considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that the worst decision is always no decision.

 

Silent Phone and Silent Text, along with their cousin Silent Eyes are end-to-end secure. We don’t have the encrypted data and we don’t collect metadata about your conversations.
They’re continuing as they have been. We are still working on innovative ways to do truly secure communications.
Silent Mail was a good idea at the time, and that time is past.

BOLD emphasis mine.

 

Much more in Silent Circle's blog posting.

Edited by LilBambi
Link to comment
Share on other sites

  • 2 weeks later...
Cluttermagnet

Or Yahoo...

 

No point worrying about any of this.

 

Snowden has made clear that many who were accused of wearing tinfoil hats were actually just swathed in righteous moral indignation - and were right all along...

Link to comment
Share on other sites

Let's all just use Gmail so the GOV can have easy access and Google can make a buck or two. ;)

Or go back to "good old days" when you sent email from host to host to host and everyone ran an open relay email server (before the www and "the" Internet).

Add in some nasty encryption and send email without going through any one gathering point.

Then they have to get access to and monitor every single computer on the Internet.

A much more difficult task and impossible to keep secret.

 

Eric and all of us pessimistic, conspiracy theorists

You have to admit that no matter how bad the political/spying situation really is, we aren't quite to the point where everyone will accept complete and universal lack of privacy and worldwide government monitoring.

  • Like 1
Link to comment
Share on other sites

Guest LilBambi

But then there is always ePOST Serverless Email which was reviewed on WindowsSecrets.com back in 2005 (note: it is paid content, but they give you the ability to read it if you answer a few survey questions; you can skip any question you don't like).

 

 

INTRODUCTION

 

 

ePOST is a cooperative, serverless email system. Each user contributes a small amount of storage and network bandwidth in exchange for access to email service. ePOST provides

 

  • A serverless, peer-to-peer email service
  • Secure email among ePOST users
  • An organically scaling service that requires no dedicated hardware
  • Very high availability and data durability
  • Compatibility with POP/IMAP clients, SMTP mail servers

 

WHY DID WE BUILD EPOST?

 

Peer-to-peer systems have gained wide popularity, partially due to their self-scaling properties and their resilience to failures. However, most existing peer-to-peer systems provide best-effort services, whose availability is not critical to their users. A question is whether peer-to-peer systems can provide service that users depend on in their daily lives and work. We deployed ePOST to show that a cooperative peer-to-peer system can provide availability, reliability and security that matches or exceeds that of server-based solutions, while reducing hardware cost and administrative overhead.

 

HOW CAN I USE EPOST?

 

The ePOST project is no longer under active development. You can still download the ePOST sources and set up your own ring by following the directions on the Download page. ePOST supports Microsoft Windows, Mac OS X, and Linux running on Java versions 1.4.2 or greater.

 

Not sure if it's safe since it's no longer under active development, but there have to be others out there.

Link to comment
Share on other sites

Guest LilBambi

But if you were going to go that far, I would want to have secure end to end encryption as well as peer to peer email.

 

There are other ways to communicate real time that are likely much safer, such as PGP's Phil and friends', Silent Circle realtime communications, and other secure realtime clients that trade keys in person, etc.

 

Silent Circle on secure electronic communications: 'You may wish to avoid email altogether...'

 

Louis Kowolowski explains that while it's possible to encrypt the body of messages, the metadata can be 'just as damaging'

 

When American firm Silent Circle shut down its Silent Mail encrypted-email service earlier this month, it claimed that "e-mail as we know it today is fundamentally broken from a privacy perspective".

 

Now the company has been elaborating on the claim in response to questions about why it couldn't just use an asymmetric key cryptography plug-in for email applications to secure communications between its users.

 

In short, it's all about the metadata.

Link to comment
Share on other sites

Thanks for all these posts/links LilBambi!

And I think you are right, someone else is working on peer-to-peer fully encrypted email, we just don't know who yet.

It won't be long though.

Link to comment
Share on other sites

open relay was fine before the spammers came

the program for doing peer-to-peer on Unix (before it was bundled in Unix) was called ? (answer below)

 

If you want a frustrating laugh on how silly the patent process can be, check out a search result for 'google peer to peer patents'

 

For my lavabit replacement, I'm leaning to combining https://www.privateinternetaccess.com/ and http://xfsmail.com/

 

Answer: mail, I remember getting the 8" floppy and wondering why would I want this when there is chat.

Link to comment
Share on other sites

V.T. Eric Layton

Hmmm... this is the reason I like northwestern New Mexico so much; no history of any type of natural disasters going back to its volcanic era when it was at the bottom of an inland sea. That was a few million years ago. Of course, there have been a few manmade disasters there, like the A and H bomb testing down near Los Alamos. :(

 

I guess I could always go live in a plywood shack in Montana somewhere. I could write my manifesto on my old Dell laptop (if the batt holds out). ;)

Link to comment
Share on other sites

But if you were going to go that far, I would want to have secure end to end encryption as well as peer to peer email.

 

There are other ways to communicate real time that are likely much safer, such as PGP's Phil and friends', Silent Circle realtime communications, and other secure realtime clients that trade keys in person, etc.

 

Silent Circle on secure electronic communications: 'You may wish to avoid email altogether...'

 

Didn't Silent Circle shut their email service down recently?

 

Adam

Link to comment
Share on other sites

Didn't Silent Circle shut their email service down recently?

 

Adam

Yes, they shut down their Silent Mail email service.

But they offer other types of private communication service.

Silent Phone and Silent Text

Link to comment
Share on other sites

Thanks for all these posts/links LilBambi!

And I think you are right, someone else is working on peer-to-peer fully encrypted email, we just don't know who yet.

It won't be long though.

And here is the first of many at least a few.

 

MailPile, open source, fully encrypted email for the real world user.

Lots of info about what they are doing.

 

Here's the reality parts

Einarsson, an ex-Googler, points out that one of the biggest problems with e-mail is that large providers like Gmail make tempting targets for both malicious hackers and overzealous governments. A government service or a hacker with “direct access” to Google could tap thousands, perhaps millions, of e-mail boxes. But if no single e-mail provider had such a large user base, government and attackers would have a much harder time.

“It’s more expensive to subpoena hundreds or thousands of [e-mail providers] all over the world than it is to subpoena one big target like Gmail,” Einarsson says.

“If you’re actually concerned that someone will know who you’re communicating with, that’s not something that PGP can help,” Reitman says. She says secure real-time chat tools — like the Off-the-Record plugin for the Pidgin and Adium instant message clients, or an anonymous file uploading system like the New Yorker’s open source project DeadDrop — might be better under some circumstances.
Link to comment
Share on other sites
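
What the Silent Circle and Reitman quotes above mean in practice, as an added example that is not part of any post in this thread: with PGP/MIME the body is ciphertext, but the headers a mail provider stores stay readable, and they are enough to build a who-talks-to-whom map. The message, addresses and function names below are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (made-up addresses, placeholder ciphertext): a PGP/MIME message as a provider stores it.
SAMPLE = """\
Received: from mx.example.net by mail.example.org; Thu, 8 Aug 2013 10:00:00 -0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>, carol@example.com
Subject: meeting notes
Date: Thu, 8 Aug 2013 10:00:00 -0000
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def provider_view(raw):
    """Return what a server holding this message can read without any key."""
    msg = message_from_string(raw)
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return {
        "body_encrypted": encrypted,
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipients": rcpts,
        "subject": msg.get("Subject"),  # PGP/MIME leaves Subject in the clear
        "date": msg.get("Date"),
        "hops": len(msg.get_all("Received", [])),
    }

def contact_graph(raw_messages):
    """Count sender -> recipient pairs using headers only; no body is decrypted."""
    edges = Counter()
    for raw in raw_messages:
        view = provider_view(raw)
        for rcpt in view["recipients"]:
            edges[(view["sender"], rcpt)] += 1
    return edges
```
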

V.T. Eric Layton

Eric, I don't think you have the correct sexual preferences to be a Pitcairn islander.

 

Oh, did I miss something on that Wikipedia article about Pitcairn? ;)

Link to comment
Share on other sites
