Steroids In The News: Discuss Safe Mail in the Steroid forums. Originally Posted by webster: I could see a paid email fighting a little harder to keep your information private...because if ...
|
#26
MOFA: Signing of a Mutual Legal Assistance Treaty between Japan and the United States of America
Mirrorshades
#27
The only difference is that Hushmail uses OpenPGP, while Safe-Mail uses the other standard for public key encryption, S/MIME. Safe-Mail generates the public key certificate for you; this means that they have control over the private key, or can get it, just as Hushmail did. When you're dealing with a service that promises encryption, the essential thing to remember is, "Who controls the keys?" The ONLY person who should have a copy of the private key is YOU. If anyone else has access to it, your security is non-existent.
Mirrorshades
#28
This service is probably the closest in terms of operation to the currently-operating nymservers designed by the Cypherpunks. The main difference between the two types of nymserver is that Securenym stores your email for you to retrieve after encryption, while the Cypherpunk nymservers merely forward the email (after encryption) to a destination specified by an encrypted reply-block. I have seen a copy of an email purportedly from the Admin of Securenym, where he stated that Securenym was subpoenaed as part of Operation Raw Deal, but their lawyer managed somehow to have the subpoenas quashed. He further goes on to describe in his email how it is their philosophy to not collect information that can be subpoenaed -- he states, quite correctly, that one cannot be forced to surrender that which one does not have. The only caveat I would offer is that if one wishes to use this service, it should be accessed through Tor, to prevent the harvesting of IP addresses.
Mirrorshades
#29
Police powers to demand information from ISPs without a warrant will be put in place, giving them the authority to demand -- without a warrant or any other court oversight -- subscriber name, address, IP address, device address, email address, etc. So, say you were using steroids-r-us@hush.com -- the police could demand all the information Hushmail has on that user without a warrant, including their IP address, as Hushmail logs all IP addresses that access each account. Even if Hushmail doesn't have your real name, given an email address, they can provide the police with the IP address that, coupled with the dates/times of access, could lead to the ISP subscriber being revealed. From there, getting a warrant to search the email and/or the customer's premises is a no-brainer. Remember, they don't need to show probable cause to get this information.
Mirrorshades
#30
In a nutshell, their provisions are as follows:
* Any piece of email, less than 180 days old, is considered as "in transit" and requires a warrant to access.
* Any piece of email, over 180 days old, is considered as "stored" and does NOT require a warrant to access -- the ISP can simply hand it over at the flash of a badge.
Now, there is one additional proviso to this -- email fields such as From:, To:, Subject:, Date:, Time:, and other header fields are considered as "transactional" in nature, and can be accessed by law enforcement at any time without a warrant, regardless of the age of the email(s).
Mirrorshades
#31
Mirrorshades
What would you use? Or are we fucked either way we go?
#32
Good info Mirror.
__________________
All my answers should be used for pretend purposes only.
#33
Trouble is, if they really want your info they're going to get it. I personally never keep the same email address for very long.
#34
That's where Tor comes in. They won't be able to trace your IP with Tor. They would have to get a court order for the whole chain, and I'm not even sure if it's possible if the peers are not keeping logs. Not worth the time and effort for an AAS user (but you never know with the low-hanging fruit LEO likes to grab).
__________________
All my answers should be used for pretend purposes only. Last edited by prime; 10-24-2011 at 11:20 PM.
#35
I have heard that you aren't safe with Tor for those who pirate music though. How would it make this case any different?
#36
I was under the impression that only the exit points were at risk with Tor.
__________________
All my answers should be used for pretend purposes only.
#37
My paranoia just went up 1000%. I just wanna get a little bigger, but great info, thanks. Starting to grow eyes in the back of my head.
#38
1) Did Securenym log your IP address at the time of setup? Some email providers do that, and retain this information for the life of the account plus as long as another year.

2) What I am going to describe next is a theoretical attack -- I am not aware that such an attack has even been attempted, much less successfully carried out. That said, you should still be aware of the possibility. As we're all aware, Hushmail was forced to modify its software so as to provide a modified Java applet to those customers under investigation. Accordingly, it is not beyond the realm of possibility that SecureNym might also be forced to modify its email encryption scripts, so as to preserve the plaintext of any email that comes in to a targeted account. Moreover, the incoming email could still be encrypted, just as before, leaving the target none the wiser. Although Securenym simply cannot decrypt any email once encrypted with your public key, since they do not possess the private half of the keypair, nor the passphrase, there is little to stop them from capturing the plaintext email prior to encryption with your public key. To reiterate, this is a theoretical attack, which I am not aware has ever been attempted, much less successfully carried out. The only countermeasure you can employ in this type of threat scenario is to make use of end-to-end encryption; i.e. any messages sent to you must be encrypted before they leave the sender's machine on their way to you.

Glad you liked it. Hope it helps.
Mirrorshades
#39
Much of this stuff has come about because of the Patriot Act introduced during the George W administration. It should be called what it really is, "the repeal of the 4th Amendment". Our liberties are being eroded; what is this country becoming, Communist China?
__________________
-when you are born you are weak and small, when you get old and near death you are weak and small, what you are in the mean time is up to you!
#40
1) You are using Secure Sockets Layer (SSL) or
2) You have encrypted your traffic (e.g. with PGP/GPG.) or
3) You use a Tor Hidden Service (e.g. TorMail) in which case your traffic never leaves the Tor network, and therefore remains encrypted.
Mirrorshades
#41
DEFCON 18: Your ISP and the Government: Best Friends Forever
Defcon 2010 - Your ISP and the Government Best Friends Forever - Christopher Soghoian.mov - YouTube
This video is the basis for my statements about cellphones being the most heavily surveilled devices currently deployed. It's about 45 minutes long, and well worth the time to watch.
Mirrorshades
#42
Hushmail is rubbish; they lied and said not even the employees have access to the encrypted user files and emails. But the very second the NSA tossed them a letter, Hushmail folded up like a house of cards and spilled their information to the spooks.
»www.wired.com/threatlevel/2007/1···d-e-mai/ Encrypted E-Mail Company Hushmail Spills to Feds

For private and secure email, you generally want a few conditions to be met (and I require them all for any service I use):
1) They use SSL/TLS encryption.
2) They encrypt your database on their servers, and it wipes when you download/delete all of your mail.
3) They scrub headers, so basically all your 'stuff' is removed from the headers before the email ships off.
4) Strong privacy policy, that basically says they can't share anything because they can't read anything!

I do recommend offshore email hosting providers for obvious reasons. Unfortunately, not a whole lot of companies meet all of the above criteria. You can find some obscure, high quality ones if you search using a lot of different search terms. Some good ones...
»mutemail.com/
»neomailbox.com/services/secure-email
»keptprivate.com/
Do some searches, plenty more out there. Again, I recommend 'Offshore' hosting/email services. There are small Indonesian islands loaded with incredible servers that do this as well. If the spooks send them a letter, they tell them to kiss off. Just the way it should be.

I have not checked these email providers and the locations or any updates of MLAT, but this looks like the best bet for starting more thorough research regarding current laws and email security/privacy. This information gets more technical with running your own server from home. Run your own email server, locally hosted (like, in your house) and then the FBI will need to knock down your door, er, show you the warrant before they confiscate your server and read your mail.

Of course, your email is sent all over the place, and unless you encrypt it (as others point out) then it doesn't matter where it's stored, as anyone can read the packets if they have access to the pipes. Access to the pipes is easy. Oh, and be sure to tell everyone who sends you email to encrypt their email too.

--

I have my own domain with a very good host located in a top-tier datacenter. I create my own accounts, and use my own choice of mail scripts on my own server. All SSL, no .JS allowed. I also have custom SpamAssassin rules, use DomainKeys, SPF records, and the host uses enterprise-level filtering hardware. It's good enough for normal email. If need be I can send encrypted as well using my own 256 bit AES (1024 bit RSA/SHA) SSL cert. I don't need much more. I could use GnuPG....but considering I don't know anyone who'd know how to receive that sort of mail...it's kinda useless. I haven't even used an email client on a computer since about 2007. No worries here.

My source: top 5 safest and most secure email providers? - Security | DSLReports Forums
I would read all pages, for they contain a lot of hardy information.
__________________
http://www.youtube.com/watch?v=Sk56V...eature=related http://www.youtube.com/watch?v=KPOU-yPGbpY http://www.youtube.com/watch?v=RsvHCQxjMhg http://www.youtube.com/watch?v=b4OdH2JoKMs http://www.youtube.com/watch?v=WsxO1...eature=related http://www.youtube.com/watch?v=PJKz0...watch_response
The Iron is the best antidepressant I have ever found. There is no better way to fight weakness than with strength. Once the mind and body have been awakened to their true potential, it's impossible to turn back. The Iron never lies to you. You can walk outside and listen to all kinds of talk, get told that you're a god or a total bastard. The Iron will always kick you the real deal. The Iron is the great reference point, the all-knowing perspective giver. Always there like a beacon in the pitch black. I have found the Iron to be my greatest friend. It never freaks out on me, never runs. Friends may come and go. But two hundred pounds is always two hundred pounds. – Henry Rollins.
My prelude is never ending in the gym. It is my own private world, my own sanctuary of iron and steel, a place of reckoning, where I can get lost in my mind and better find myself through my soul.
BEAST
#43
So I said "A'ight. No thanks." I then spent my money at a nearby liquor store where I doubt that they would have asked for ID had I purchased a $10.000 money order. Piss on banks.
__________________
"People need to find ways of defining happiness that do not include unhealthy diets."
#44
You're absolutely right about the fact that Hushmail lied to their customers. That said, once a search warrant from a court of competent jurisdiction was issued, Hush had no other choice but to comply. The same would be true for any provider, not just Hush. No provider is going to deny a court order just to protect one of their customers. Where Hush screwed the pooch was in two areas:

1) Lying to their customers. Their own FAQs, archived by the Internet Wayback Machine, clearly show they were lying: see below for details.

2) Designing their system for convenience, as opposed to security. Hush violated one of the primary tenets of public key cryptography, in that they stored both halves of the users' PGP keys. The entire idea behind public key cryptography was to separate the (public) encryption key from the (private) decryption key.

From my point of view, the ONLY acceptable service is one where the user generates their own PGP/GPG key, using a local copy of PGP/GPG (i.e. on their own machine), and supplies the public half of that key to the service provider. It may be less convenient, sure, but I'll take security over convenience any day.

Quote:
1) They use SSL/TLS encryption.
The various notary hacks over the last year or so (e.g. DigiNotar and/or Comodo, to name just two) have rather shaken my faith in the system. Furthermore, there has been some evidence that the Iranian government has used man-in-the-middle (MITM) attacks using forged SSL certificates to access the Gmail accounts of people in that country, despite the fact that SSL encryption is supposed to protect individuals from such scrutiny. Frankly, if the Iranians can do it, so can other governments. Even using a certificate-checking browser plugin like Certificate Patrol for Firefox, how is one supposed to determine whether a changed site certificate is valid or the result of a MITM attack?

Quote:
2) They encrypt your database on their servers, and it wipes when you download/delete all of your mail.
Nymservers do not store email; rather, they forward it to a destination specified in an encrypted reply-block. Depending on how the reply block is structured, the messages can be sent to an email address (e.g. TorMail) or, for the highest security, they can be directed to an anonymous message pool (i.e. the Usenet newsgroup alt.anonymous.messages).

Quote:
3) They scrub headers, so basically all your 'stuff' is removed from the headers before the email ships off.
Nymservers do this by default. Your email is automatically both encrypted and anonymized.

Quote:
4) Strong privacy policy, that basically says they can't share anything because they can't read anything!
With all due respect, privacy policies aren't worth the paper they're written on. Essentially, they involve contract law, as the privacy policy is incorporated as part of the contract between you and the particular service provider. Most privacy policies have boilerplate exclusions, which state that they will give up information upon receipt of a valid court order or (sometimes) a request by law enforcement.

Hushmail had a strong privacy policy, as can be seen from their FAQs published before Operation Raw Deal went down in 2007. While Hushmail did state that their staff did not have access to a customer's email, the wording of their original FAQs went much further than that, as you can see from the following reproductions. The original FAQs can still be seen on the Internet WayBack Machine, even though Hushmail scrubbed them as soon as they could after ORD went down.

From Hushmail's FAQ in 2001:
Quote:

From Hushmail's FAQ in 2002 -- note the change in wording to make their claims more explicit:
Quote:

Part of the reason I recommend the nymservers that I do is:

a) The nymservers do not store email, but rather forward it on to its destination; thus there is NO stored email for the authorities to seize.

b) All email is encrypted upon receipt with a PGP public key supplied by the account holder; once encrypted, the service operator cannot decrypt the email as they do not possess the private half of the PGP keypair. Now, in theory it might be possible for the authorities to arrange to have an email to a nymserver account holder intercepted prior to its being encrypted with the recipient's public key. Such a potential attack is only theoretical; in the almost 20 years that nymservers have been operational, I have never heard of such a thing even being attempted, much less successfully carried out. Part of the reason for that is outlined in the next paragraph; the authorities would have to break the encrypted filesystem on the server to even attempt such a thing.

c) All original headers are removed, especially the From: lines. Subject: lines can be encrypted using an appropriate remailer directive. (See below for sample output.)

d) The server itself is hosted in a secure datacentre, and the server filesystem is encrypted using LUKS (Linux Unified Key System), which is analogous to TrueCrypt. Accordingly, if the authorities attempt to seize the server, they will not be able to access any of the data on it without the operator's knowledge or consent.

There has been a documented case in the United States, where the operators of the nym.alias.net (NAN) nymserver were approached by the FBI. It appears that the FBI suspected one of the nymserver's users of involvement in child pornography. The operators were asked to produce what information they had on the user in question, and the FBI were duly supplied with the user's PGP public key and a copy of their encrypted reply block. The operators said they never heard from the FBI again.

See: The Design, Implementation and Operation of an Email Pseudonym Server http://www.cs.unibo.it/~babaoglu/cou...m%20Server.pdf

One of the basic tenets of information security is that one cannot surrender that which one does not possess. The entire point of using a nymserver is to set things up such that the operator has little or no information which they can surrender to the authorities. As I stated, what is typically going to be surrendered by the nymserver operator are:
a) A PGP public key; and
b) An encrypted reply block.

Using myself as an example, this is what the authorities would get if they approached the nymserver operator:
Quote:

Decrypted Reply Block:
Quote:

Quote:

The idea here is that you still have access to all the original information, but the authorities do not. Now, what I've shown above is the most secure method of using reply blocks; i.e. having them point to an anonymous message pool, i.e. the Usenet newsgroup alt.anonymous.messages. Newsgroup messages can be accessed from dozens, if not hundreds, of services, many of which do not require a user account to read/download Usenet messages. Thus, there is no way to track where these messages are accessed/downloaded from. To put it in non-geeky terms, this is the equivalent of publishing your encrypted message traffic in a newspaper; it would be impossible to know who is reading/accessing these messages as they are so widely available. In order to retrieve your message traffic from alt.anonymous.messages, it is necessary to run a small script, written in Java, which will fetch the messages from alt.anonymous.messages, and keep those intended for you, while discarding the rest. Alt.anonymous.messages gets several hundred new encrypted messages per day; any messages intended for you are mixed in to a literal torrent of encrypted message traffic.

Directing Messages to An Email Account

Now using an anonymous message pool is probably overkill for most users here; if one changes a few lines in the reply block, the email can be directed to, say, a TorMail account:
Quote:

In either case, whether I use TorMail or an anonymous message pool, the authorities cannot locate me, nor can they read my emails -- stalemate.

Quote:

Mutemail.com is headquartered in the U.K. -- their servers are allegedly housed in the Bahamas. From Mutemail's FAQ:
Quote:

Quote:
The Bahamas: Meeting International Standards
The Bahamas Financial Services Board, Thursday April 23rd, 2009
The Bahamas: Meeting International Standards - BFSB Releases - Bahamas Financial Services Board

Neomailbox.com
According to Neomailbox's privacy policy,
Quote:

Keptprivate is an American-based company. My understanding of the current legislation is that the FBI (or the DEA) can request records using an administrative subpoena. An administrative subpoena does not require a hearing before a judge, and can be signed off by an agency supervisor. The only good news is that, as far as I can determine, as of January 2012, Indonesia still has not signed on to MLAT.

Quote:

The difference between our two approaches is that your approach is not easily duplicatable, whereas my approach can be taught to people in an afternoon, or at worst, in a day or two. All that is needed is for people to be able to follow instructions. Your approach, while excellent, even superb, cannot be taught to an arbitrary number of people in any reasonable time frame.
Mirrorshades
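The header scrubbing described in point c) above, as an added example (not code from this thread and not any nymserver's own implementation): every header that identifies the sender's account, host, IP or client is dropped, the From: and To: lines are replaced by the pseudonym, and the Subject: can be withheld. The sample message, the addresses and the nym.example domain are constructed for the demo; the PGP encryption step that a real nymserver applies afterwards is left out.

```python
"""Nymserver-style header scrubbing (added example, not code from the thread).

Assumptions, all ours: a plain-text RFC 5322 message as input, a pseudonym
address on a made-up nym.example domain, and a sample message constructed for
this demo. Real nymservers also encrypt the body with the account holder's
PGP key; that step is out of scope here.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: what the nymserver receives from the public Internet.
# Every header except Subject names the sender's account, host, IP or client.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by nymserver.example (Postfix) with ESMTP id ABC123
Received: from [192.0.2.55] (sender-home.example [192.0.2.55])
    by mail.example.net with ESMTPSA
Message-ID: <20120418.001@sender-home.example>
X-Originating-IP: 192.0.2.55
User-Agent: Thunderbird/10.0
Date: Wed, 18 Apr 2012 08:04:00 +0000
From: Real Name <realname@example.net>
To: alice@nym.example
Subject: lab results

meet at the usual place
"""


def scrub_message(raw: str, nym_address: str, hide_subject: bool = False):
    """Rebuild the message with only a Subject and the plain-text body.

    Allow-list rather than deny-list: anything not explicitly copied is gone,
    so a new tracking header (X-Whatever) cannot slip through. From: and To:
    are replaced with the pseudonym so replies route back through the server.
    No Date: is added; the delivering MTA supplies one, so the original
    sending time is not carried along either.

    Returns (scrubbed EmailMessage, sorted list of header names dropped).
    """
    src = message_from_string(raw, policy=policy.default)
    out = EmailMessage(policy=policy.default)
    # Subject: is the one header the thread says may be kept (or encrypted
    # with a remailer directive); here it can be withheld instead.
    subject = str(src.get("Subject", ""))
    out["Subject"] = "(withheld)" if hide_subject else subject
    out["From"] = nym_address
    out["To"] = nym_address
    # Take only the text/plain body (for a non-multipart message that is the
    # message itself). HTML-only messages and attachments are refused rather
    # than forwarded, since they can carry their own tracking material.
    body_part = src.get_body(preferencelist=("plain",))
    if body_part is None or body_part.get_content_maintype() != "text":
        raise ValueError("only a text/plain body is forwarded")
    out.set_content(body_part.get_content())
    dropped = sorted({name for name in src.keys() if name.lower() != "subject"})
    return out, dropped


if __name__ == "__main__":
    msg, dropped = scrub_message(SAMPLE_MESSAGE, "alice@nym.example")
    print("dropped headers:", ", ".join(dropped))
    print(msg.as_string())
```

Running it prints the rebuilt message with only From:, To:, Subject: and the MIME headers that `set_content` adds; the two Received: lines, the Message-ID, the originating IP and the client User-Agent are all gone. The returned `dropped` list exists so a caller can check exactly what would have leaked, not so the server can log it.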
#45
Securenym has always operated on "we do not want to know". They have never logged traffic. They have their system monitored for hacking attempts.
Safemail has an interesting method of tagging the To and From lines on accounts of about 10% of gear users. Do a mailing to 100 Safemail accounts of gear customers and about 10% of them will have a message sent back saying the user account does not exist. Keptprivate merely reports back that it's banned content if you send a list. Real private. Privacyharbor does not keep their server certificates up to date and so dealing with them is no longer worth doing. AOL just has you targeted as a spammer even though you are responding to a request from a customer for a list, and if you do not know that, it will get anyone's provider uncomfortable. The game goes on without them today for us.
IPG
__________________
IPGEAR@SECURENYM.NET WE DO NOT RESPOND TO EMAILS FROM AOL, KEPTPRIVATE, SAFEMAIL, AND PRIVACYHARBOR ACCOUNTS! WE DO NOT CHECK PMS!
#46
My email was sent on a Sunday, and I received a response about 4 hours later. Considering that, 1) I'm not a customer of theirs, and 2) that I asked some fairly pointed questions, I expected to receive an answer in a few days, if I received one at all. I have seen remarks made to the effect that SecureNym's responses to email queries were very quick, and my own experience proves this was no exaggeration. I most certainly did not expect a reply within 4 hours on a Sunday; that in and of itself was impressive. The admin's responses to my questions were guarded, which comes as no surprise, as they don't know me from Adam (nor should they). That said, what did come through loud and clear in their response was their passion for privacy.
Mirrorshades
#47
Mirrorshades,
Your responses lead us to believe you are one of the most credible people to be advising people on the subject. Usually after 12 years of hanging with Securenym we still get hit with stuff like "anyone with servers in USA".... blah blah blah. You got what we have always gotten from them, where we honestly stand in regards to our anonymity and security in regards to their program. If you knew them like we did earlier on you would know that these guys were a core group of bad ass renegades who were some of the most computer savvy people in the world. They could rock someone's world in a heartbeat. They set it up so they would not know and therefore did not have to care. Over the years there have been court battles with the powers that be arguing that Securenym should be collecting more information on people, have access to accounts etc. But Securenym has always won their right to maintain what they initiated pretty much from the beginning. They give you accurate advice about how to maintain complete anonymity from the point of setting up the account. We have never heard of anyone getting into a Securenym account who did not have the password, and they do not have it. The system is monitored for hacking attempts and will shut down the account until the owner surfaces. They recognize that with a password access can be gained, and warn about using PGP for sensitive information if you are worried about that. Today they have to play the game somewhat when it comes to trying to avoid blacklisting created by asshole providers who do care what you do. They are not criminal, and they do not support criminal activity, but they do fight for your right to be anonymous and secure because that's the kind of guys they are. They have always been forthcoming, and they have nothing to hide in our opinion. Over the years you get a sense of who are the leaders in this business and in our book they are among those.

Thanks again for your excellent responses, not because we are pretty close on perspectives, but because you are bringing good things to the community.
IPG
__________________
IPGEAR@SECURENYM.NET WE DO NOT RESPOND TO EMAILS FROM AOL, KEPTPRIVATE, SAFEMAIL, AND PRIVACYHARBOR ACCOUNTS! WE DO NOT CHECK PMS! Last edited by IPGEAR; 04-18-2012 at 08:04 AM.