
Encrypted eMail

Very interesting articles and thank you so much for sharing so I could read!

I should point out that a site like this seems to best be used for brief, temporary discreet exchanges.

I would never suggest using any encrypted email accounts for any sort of blatantly illegal activities that may draw unwanted attention. Always be skeptical of a company who claims NO ONE can access their info.

Unfortunately, we live in a time now where privacy is hardly an option and a simple court order can be used to literally get away with anything that LEO and Fed wants to get away with, for a time at least. They have a funny way of wording things and using technicalities to accomplish this.

And as much as I wish I was wrong, more and more countries are beginning to follow this trend. :(
 
Shaolin said:
Don't rely on others to do your encryption for you.

PGP + any email provider.

More or less this. Personally I use GPG and run my own mail server off a dedicated server.

EDIT: If anyone or their friends are too lazy to set up GPG or PGP (don't be!), bitmessage is good too imo.
 
Unfortunately, we live in a time now where privacy is hardly an option and a simple court order can be used to literally get away with anything that LEO and Fed wants to get away with

This is why you want an offshore service in a country that is not friendly with our government agencies. This seems to be the only free email service that seems trustworthy. I don't trust hushmail because of what's already been mentioned. And I forget why I don't trust Safe-Mail. I think more than one reason. The location of their servers I believe.


Need an email application to use.
I use Thunderbird with enigmail plug-in.
 
Someone told me that safe-mail allows police access to accounts if there is suspicion of any law breaking. I heard the same thing about hushmail; this is just hearsay though, obviously there's more to the hushmail thing.
 
Another interesting option is to use encrypted email including only a link to a self-destructing note. If you want, you can get a message when the note has been read (and therefore destroyed). If it wasn't read by the guy you sent the mail to, you know somebody else has read it.
 
Ancotar said:
My favorite is www.hushmail.com

You need to login once every 30 days to keep your free account active, or it'll deactive automatically.

Good place to go for a temporary, encrypted exchange.
Hushmail has turned over account encryption keys to LE in the past, so definitely encrypt. Under duress any provider might, or if their server gets seized the keys may be discovered.
Do not trust encryption to any provider. Encrypt your own communications with PGP so even if the server and all your mail is collected they cannot read it unless they get possession of your private key and password. For Mac users: gpgtools (dot) org. It is a great tool to have for anyone who might want to encrypt sensitive password lists, business and financial documents etc. to keep them safe in their own system from hackers and the like.

Forget privnote. Cute but not proven secure. There was also some nasty malware that was passed off to people as PGP upgrades from a 3rd party that installed keylogging bots hackers were using to steal passwords etc., so be careful what you download.
 
Another backdoor has been found:

Samsung Galaxy Back-door

This page contains a technical description of the back-door found in Samsung Galaxy devices.

[..]

This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.

Abstract

Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.
In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system.


So if you own a Galaxy device with still the original OS running, it's a good time to switch to Replicant.

Edit: or update your CyanogenMod

Alternatively, the kernel could block the incriminated RFS requests and keep a trace of them in the logs for the record. That option would work for CyanogenMod, where the incriminated proprietary blob is still used.

 
+1 for CyanogenMod.

I've been using CM since the original Dev Phone 1. I am currently running CM 10.2.1 on my Nexus 10 and can't praise the OS enough. Unfortunately, it is not available for my mobile... but that's OK. Rooting and applying various mods (like AdAway, SuperSU, etc) solves this problem. Still wish I could run CM though.

If privacy is a serious concern then you should probably avoid carrier-loaded ROMS -- and esp Samsung.

-----
Update: “Virtually no evidence” for claim of remote backdoor in Samsung phones
 
Any systems that do the encryption for you or rely on the browser doing the encryption for you are not secure.

If you rely on an OS by Microsoft or Apple, then you are not secure either (there are backdoors in place that will subvert any encryption before/after encryption/decryption, but I guess you'd have to be a high profile target - as far as I know this is not routinely done, it would be too obvious); not saying an open source system is foolproof, but you're lightyears ahead using Qubes or OpenBSD instead of Windows.

Unless you know what you're doing, secure communications on a mobile device is much harder to achieve. And as the recent Stagefright Android security advisory demonstrates, these devices are especially vulnerable. Also in no small part because in all but a few, the baseband processor essentially has free rein over your mobile device, rendering any app or OS-level protections essentially useless. This does a fairly good job of explaining this problem and some others, and it is, in my opinion, an interesting read.


Unfortunately, even on desktops or laptops the security put in place by the OS can potentially be bypassed in certain other ways (of which the linked one is but one among many). Your network card essentially has free rein over your whole computer memory, and any exploitable bug in the card's firmware means game over. The network card is connected to a global computer network. You see the problem.


The strength of your email encryption will only be as strong as the security of your whole system [weakest link]. For instance, if you have a keylogger installed, encryption is essentially useless. You need to secure your system to the best of your skill if you're going to do anything important with your encrypted communications; If your key passphrase is 'lol123', it won't be very hard to crack.


Regarding the security of email itself, it's simple: what you want is end-to-end encryption, like GnuPG. Use >=2048bit keys and make sure to confirm the fingerprints through another secure channel.

Also, if you can use Tor and a service which supports emailing to .onion addresses (like sigaint), then that is ideal, as there will be less metadata being generated - your email will never leave the Tor network then.

As a further step, you want to create different identities for different contact groups, and use something like The Tor Browser so that a) your browser fingerprint is the same as millions of others, and b) your location is concealed; the idea here is using the providers' webmail rather than directly sending over SMTP (even over Tor); less information to fingerprint and uniquely identify you this way.



To sum it up, ideally use an open-source operating system, prefer desktops/laptops to mobile, don't install any more software than you need to, prefer open source software to commercial software, use GPG (GnuPG), prefer emailing over the Tor network and using webmail rather than smtp/smtps, and make your key passphrase strong.

Additionally, encrypting your entire hard disk is almost never a bad idea. Just remember that it is easy to recover the encryption keys and thus bypass the protection that disk encryption offers if your laptop is seized while it's suspended or hibernating (there are some possible mitigations if you *hibernate*, but let's not go there here). I would recommend shutting down the laptop, for instance, while crossing borders.
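The post above recommends GnuPG with keys of at least 2048 bits and confirming fingerprints over a second channel. As an added example (not code from the original thread), the script below parses the machine-readable listing that `gpg --with-colons --list-keys` produces, flags RSA/DSA keys under that minimum, and compares a fingerprint read out over another channel with the one in the keyring. The listing, key ids and user ids are constructed sample data, not real keys.

```python
"""Audit a GnuPG keyring listing: flag weak keys and check a fingerprint
confirmed out-of-band against the keyring (added example, constructed data)."""
import re

# Constructed `gpg --with-colons --list-keys` output; the ids are not real keys.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:0::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::HASH1::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:89ABCDEF01234567:1700000000:0:::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
pub:-:1024:17:FEDCBA9876543210:1200000000:0::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1200000000::HASH2::Bob Legacy <bob@example.org>::::::::::0:
"""

# OpenPGP public-key algorithm ids as GnuPG reports them in field 4.
ALGO = {"1": "RSA", "17": "DSA", "18": "ECDH", "19": "ECDSA", "22": "EdDSA"}
MIN_BITS = 2048  # the thread's recommended minimum for RSA/DSA keys

def parse_listing(text):
    """Return primary keys as dicts: keyid, algo, bits, fpr, uids."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # field 3 = bits, field 4 = algo id, field 5 = key id
            current = {"keyid": f[4], "algo": ALGO.get(f[3], f[3]),
                       "bits": int(f[2]), "fpr": None, "uids": []}
            keys.append(current)
        elif f[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = f[9]  # first fpr after pub is the primary key's
        elif f[0] == "uid" and current:
            current["uids"].append(f[9])  # field 10 holds the user id
    return keys

def weak_keys(keys):
    """RSA/DSA keys below MIN_BITS; curve keys are judged by curve, not bits."""
    return [k for k in keys if k["algo"] in ("RSA", "DSA") and k["bits"] < MIN_BITS]

def normalize_fpr(s):
    """Drop spacing and case so a fingerprint read aloud compares correctly."""
    return re.sub(r"[^0-9A-F]", "", s.upper())

def fingerprint_matches(keys, keyid, confirmed):
    """True if the fingerprint confirmed over another channel equals the keyring's."""
    for k in keys:
        if k["keyid"] == keyid:
            return normalize_fpr(confirmed) == normalize_fpr(k["fpr"])
    return False
```

Against real output, feed the script `gpg --with-colons --list-keys` via a pipe; the 1024-bit DSA key in the sample is the kind of legacy key the post tells you to stop using.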
 
Please be aware that protonmail is no longer recommended for any communications requiring privacy. A few months back, they redid their policy to allow the logging of IPs. This followed compliance with authorities, resulting in an arrest.

Please be cautious of offers that seem too good to be true, especially regarding cyb-sec.


Stay safe out there.
 