Privacy Communications EU Encryption Security The Internet

GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) 158

On September 1, "GhostMail will no longer provide secure email services unless you are an enterprise client," reports ZDNet. "According to the company, it is 'simply not worth the risk.'" GhostMail provided a free and anonymous "military encrypted" e-mail service based in Switzerland, and collected "as little metadata" as possible. But this week on its home page, GhostMail told its users "Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people... In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment."

GhostMail is referring their users to other free services like Protonmail as an alternative, but an anonymous Slashdot reader asks: What options does an average person have for non-NSA-spied-on email? I am sure there are still some Ghostmail competitors out there but I'm wondering if it's better to coax friends and family to use encryption within their given client (Gmail, Yahoo, Outlook, whatever...) And are there any options for hosting a "private" email service: inviting friends and family to use it and have it kind of hosted locally. Ghostmail-in-a-box or some such?

  • by JustAnotherOldGuy ( 4145623 ) on Saturday August 06, 2016 @10:49PM (#52658143) Journal

    I'm at the point where I have to say that real privacy is truly dead.

    Between the NSA, FBI, CIA, DHS, and the other untold number of government and non-government snoops and spies, I don't believe there is any real expectation of privacy left, period. If they want to read your stuff, they will.

    • by Dunbal ( 464142 ) *
      No, real privacy is so private you will never hear about it.
      • No, real privacy is so private you will never hear about it.

        Maybe I won't hear about it, but then I don't have the resources available to me that the US government does. Maybe you think your privacy is really, truly private, but honestly, how would you know? The only way you'd know is if you somehow found out they were snooping, tapping, MITMing, source-capturing, etc etc etc.

        By definition, you can't know that they've not managed to invade your privacy as long as they've done a good enough job of it.

    • by mentil ( 1748130 )

      To be fair, that's what the TLA's WANT you to think: that you have nowhere to hide, therefore you might as well give up trying. Computer security is hard, but some significant progress has been made recently. Compare the security of the latest iPhones to Windows XP, for example.

      • Re:Privacy is dead (Score:5, Insightful)

        by gweihir ( 88907 ) on Saturday August 06, 2016 @11:37PM (#52658323)

        Indeed. In fact, every person that gives up on privacy makes the TLA's jobs easier and increases their power. So please do not give up. These people are not who you want to rule the world.

    • Re:Privacy is dead (Score:5, Informative)

      by gweihir ( 88907 ) on Saturday August 06, 2016 @11:36PM (#52658311)

      It is not. It takes a little effort though. But if you encrypt email with PGP/GnuPG, use TOR or TAILS for sensitive browsing, don't post your life's story on social media and make sure your PC has reasonable security, then unless you are a priority to be spied on, you will not be.

      Sure, they will still know who you did send email to, but that is about it. As far as I remember, the NSA TAO (the "hackers") has capacity for 100-1000 targets, but not much more. The rest is all mass-surveillance and that can be made much, much harder for them. And it should. Mass-surveillance has zero value to make society safer (remember all those spectacular recent failures ?) and a lot of potential to make everybody less safe and to reduce quality-of-life by eroding freedoms.

      • > But if you encrypt email with PGP/GnuPG

        Stealing PGP keys is its own interesting security problem. It's quite intriguing how many people still store them on unprotected media, especially on NFS shares without NFSv4 based Kerberized access, because "we trust the people we work with". Stealing them off of build servers for software packages is a particularly enlightening penetration test, or subverting the build servers themselves to publish false packages in a vendor's name.

        The penetration of the RHEL and

        • by gweihir ( 88907 )

          If they are used right, it does take a bit more than just stealing the keyfile though as they will be protected by a good passphrase. Build-servers that sign by themselves (and hence the server either has the passphrase or the key is unprotected) are simply insecure on architecture-level. The way to do this right is to sign manually.

        • Stealing PGP keys is its own interesting security problem.

          Why bother with stealing the keys when they can install malware on all your devices and get everything fresh from the keyboard?

          Routers, phones, keyboards, NICs, etc etc....everything is susceptible and exploitable. They're probably giggling at the idea of people carefully protecting their PGP keys when they can capture every keystroke at the source.

          • by gweihir ( 88907 )

            It is not as simple as that. Every time they install such malware, they risk losing the vulnerability used. It just takes one person uploading something suspicious to https://www.virustotal.com/ [virustotal.com] and their $100'000 zero-day exploit may be gone. And the cost is not even the worst. There are at one time always only a small number of zero-day exploits. Hence in order to keep their capabilities intact, they can only ever use these against high-value targets. And they will try conventional hacking (which good sec

            • On any day, there are many known "zero day" exploits that are usable on most computers because the user has not updated their software.

              • by gweihir ( 88907 )

                And if you start ignoring the definition of even more terms, you can make even more nonsensical statements! Try it!

            • > So, no, they are not "giggling", they are very careful to use the limited resources they have only against targets that are high-priority.

              I'm afraid this is a common but misleading belief in security circles. The idea that "we are not an important enough target for anyone to hack us" is widespread in industry, software development, and personal computing. Unfortunately, most attackers are not so elite and there are thousands of them active at any time. The script kiddies are _always_ attacking anywhere

      • by skegg ( 666571 )

        I've taken a different approach to email. (See a previous post [slashdot.org] where I tried to explain my rationale.)
        However when so many people / organisations use Gmail ... it almost defeats the purpose!

        I don't disagree with what you wrote above. I can envisage a model similar to the way TextSecure / Signal handle text messaging:
        where if one's contacts have a PGP key, then the client will obtain those keys and opportunistically encrypt emails to those contacts.

        But can users be trusted to not lose their keys / forget the

        • by gweihir ( 88907 )

          But can users be trusted to not lose their keys / forget their passwords? (And therefore lose access to old emails.)

          Those that want security can. The others are defenseless against attacks anyways.

      • "then unless you are a priority to be spied on, you will not be"

        This is the only thing that matters. As I've said elsewhere, if they want to read your stuff, they will.

        No amount of PGP or encrypted messaging will prevent them from reading or listening to everything you send or say if they decide they need/want to.

        • by gweihir ( 88907 )

          And, fail. Mass-surveillance still counts as "they want to read your stuff" and encryption used right will reliably prevent that.

          • Mass-surveillance still counts as "they want to read your stuff" and encryption used right will reliably prevent that.

            Do you really believe that the NSA, FBI, or CIA couldn't read or monitor your communications if they wanted to?

            • by gweihir ( 88907 )

              They cannot if they want to do the same for 1'000'000 other people at the same time. And that is not a "belief".

              • They cannot if they want to do the same for 1'000'000 other people at the same time.

                But what if for some odd reason they want to read your email and not the email of the other 999,9999 people?

                Again, Do you really think that the NSA, FBI, or CIA couldn't read or monitor your communications if they wanted to?

                Of course they could, but you're probably not on their radar. If by some odd circumstance* you do pop up on their radar, they'll read and listen to whatever they want of yours.

                -

                *Someone mis-enters a number, or you "appear" to be linked to someone else by some simple (yet innocent) circum

  • by mentil ( 1748130 ) on Saturday August 06, 2016 @10:52PM (#52658157)

    It's ok just sign up with Lavabit.

    Oh...

    • I suspect that using any encrypted or "high security" email service will probably get you noticed, or at least earn you a checkmark by your name in some database somewhere.

      If I was the government and wanted to know who might be of interest to spy on, that's what I'd do. Or I'd provide some "high security" email service and watch who uses it.

      • by mentil ( 1748130 )

        Wouldn't work. Paranoid people who fear the government will find out that they know the TRUTH about their extra-terrestrial conspiracy, or that they're hoarding distilled water so that the mind-control chemicals aren't affecting their family, or that they're melting down pennies, outnumber people to ACTUALLY be concerned about by 100 to 1, if not 100,000 to 1. There isn't enough manpower to check up on all of these people, and when the govt. tries, they are usually dismissed as "not a credible threat" even

        • you don't think that, like the farm of foreign workers that work for pennies a day, that the bad guys in our government do not hire them for their human abilities?

          I can easily imagine a distributed HUMAN system done in india, say, that harvests the power of people to do the evil work of the nsa, etc.

          AI can do a lot. pattern matching in pure hardware (like DPI is in hardware these days) and occasional 'human assist' can get the job done.

          I refuse to accept the BULLSHIT plea of 'too much data; you can just di

  • by Antique Geekmeister ( 740220 ) on Saturday August 06, 2016 @10:57PM (#52658187)

    Those of us old enough to remember when Usenet was a critical online resource will remember when anon.penet.fi provided a helpful, pseudonymous email and NNTP service. It was invaluable for people discussing issues that were not work safe, ranging from dating services to gender identity to cancer fears to AIDS help to thoughts of suicide. Some typical coverage was done by Wired, quoting the Observer newspaper, at:

            http://www.wired.com/1996/11/a... [wired.com]

    What was amazing about most of the press reports at the time was how they failed to identify the incident that caused Julf Helsingius to shut down anon.penet.fi. The incident is better described at:

          http://articles.latimes.com/19... [latimes.com]

    Simply put, someone kept using anon.penet.fi to post court documents revealing Scientology's inner secrets. The documents are infamous and broadly available online, but 20 years ago they were not so broadly available.

    Why do I mention this? Partly because it points out that anonymous, and pseudonymous services, are always at risk from court ordered revelations about their clients. And I mention it partly because it's vital to see press coverage about the events as possibly skewed by fears of retaliation by powerful groups. 20 years ago, many reporters were justifiably _frightened_ of covering Scientology stories. They remembered what had happened to Paulette Cooper, who wrote about them and had bomb threats faked in her name by the cult. Today, press coverage that risks the ire of Fox News or of the Department of Homeland Security or run afoul of the so-called Patriot Act are at similar risks of abusive, extra-judicial censorship with little safe recourse.

    I'm afraid the desire to censor communications is always around. I do look forward to better details about what triggered the closing of GhostMail's free services. I hope it wasn't a similar abuse of authority, but see real reasons to be concerned that it _is_ about Patriot Act or other government enforced tracking of users.

    • by Kohath ( 38547 ) on Saturday August 06, 2016 @11:23PM (#52658279)

      ...Today, press coverage that risks the ire of Fox News or ... are at similar risks of abusive, extra-judicial censorship with little safe recourse.

      Citation needed. Fox News is just somewhat silly partisan news, like NBC News. When/how did they ever commit "extra-judicial censorship"? Or are they merely guilty by association?

      • Re: (Score:1, Troll)

        by mhotchin ( 791085 )

        I think you misunderstand his concern. Fox News gets bent out of shape about something, and a Fox News watcher (perhaps several!) decides to "Do Something About It! (TM)". Fox News here is merely an example of the pulpit, it's the parishioners that you have to watch out for.
         

        • by Kohath ( 38547 )

          So just like anyone who ever voiced an opinion then? Let's not proclaim guilt by association. Innocent people are not guilty by association, even when they express an opinion you don't like.

        • by Antique Geekmeister ( 740220 ) on Sunday August 07, 2016 @01:51AM (#52658643)

          > Fox News gets bent out of shape about something,

          Getting "bent out of shape" is not the problem. It's the fraudulent crusades against political, ethical, or ideological opponents that are the problem.

          Fox News repeatedly, and sadly effectively, misreports basic news to anger and mislead their viewers for ideological reasons. There were numerous examples during the conservative furor that led to the Iraq War. Such deceit was present during the "Black Lives Matter" protests, the "Occupy Wall Street" protests, and the Fox reporting on the fraudulent "abortion harvesting" videos about Planned Parenthood.

          > Fox News here is merely an example of the pulpit,

          The danger is that they represent themselves as a news organization, not a political pulpit. This means that their fraudulent attacks are taken more seriously than those from a more openly political spokesperson.

          • Fox News repeatedly, and sadly effectively, misreports basic news to anger and mislead their viewers for ideological reasons.

            That sounds like Nancy Grace on CNN. Are you certain you have your facts correct?

            • by Anonymous Coward

              ^^Sounds like MOST major news sources.

              FTFY.

            • I'm sad to say, yes, I'm personally convinced by having watched it. They consistently rate the worst for truthfulness of any national news publisher.

              If it's worth your time, check any level of Fox news reporting about _anything_ where you personally know anyone involved or know the subject matter. It's true even for scientifically verifiable subjects. See http://mediamatters.org/blog/2... [mediamatters.org] as a good example of the problem.

    • Ennetcom (Score:4, Informative)

      by Anonymous Coward on Saturday August 06, 2016 @11:38PM (#52658325)

      A more recent and closer example is surely Ennetcom. The Dutch provider of encrypted messaging. The Dutch police raided the owner, admitting that encrypted comms is not illegal, but that the communications were being used by criminals.

      The actual charges though, did not reflect the PR. There was no such 'illegal because it could be used by criminals' charge. They did a 'possession of an unlicensed weapon', against the owner and a 'money laundering' charge.

      That second charge, the Dutch press expanded on, saying the company was assisting laundering money by selling the phones which could/were resold by criminals to other criminals to launder criminal money. i.e. a nonsensical vague claim. How would selling a phone to another criminal be laundering? You'd receive criminal money as payment!

      It was timed shortly after the failure by the FBI to force Apple to backdoor their phones and it was by the drug police, a unit trained by the FBI, so it appeared to be related to lobbying from external back actors.

      So be careful what you say.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        You miss a bigger irony! Dutch SIM company Gemalto, employees started using Ennetcom phones after Gemalto was found to be hacked by GCHQ to steal all the SIM card keys. So the secure phones issued to defend a Dutch company against foreign government hackers were blocked by their own Dutch police force.

        Another thing you missed: Ennetcom's servers were in Switzerland, the money laundering charge was how they were able to get the Swiss to confiscate the servers, which a simple gun license charge wouldn't have

    • by mentil ( 1748130 )

      we do not want to take the risk of supplying our extremely secure service to the wrong people

      Taking GhostMail at their word, that would mean that they think their service is TOO secure, and are deathly afraid that the evil terrists will do evil things with it, but are unwilling to compromise their own security. Therefore, only for-profit businesses and other organizations which are never corrupt and put society's welfare at the forefront (pshaw!) will be allowed to use it.

      • by wvmarle ( 1070040 ) on Sunday August 07, 2016 @12:13AM (#52658431)

        More likely: they are afraid that they will be suspected of helping suspected people that may be suspected terrorists that may in the future blow the whistle about secret invasive government programmes. Because just that tiny air of suspicion is nowadays more than enough to get the whole world against you (just being called "suspected terrorist" or "suspected terrorist associate" is in certain countries enough to take away any legal rights a normal suspect has, and put people in jail for months without even a formal charge against them).

        By targeting corporate clients only, they can even brush away that risk of suspicion.

    • by johanw ( 1001493 )

      Ghostmail is based in Swiss so I doubt very much that the patriot act was involved.

      • May I assume you mean they are "based in Switzerland"? I don't wish to mock your spelling, I just don't wish to echo that typo.

        That is why I mentioned "other government enforced tracking of users". Every hosted service is vulnerable to local government orders. And like anon.penet.fi, they're vulnerable even if the orders are based on fraudulent claims from a criminal or political entity in another nation. Even the Swiss are vulnerable to exposure: their infamous privacy for banking records has been profoun

    • by julf ( 323835 )

      Thanks - happy to see a reminder about the right version of the story!

  • Don't panic - it's homegrown and organic!
    • by Bert64 ( 520050 )

      This, run your own service at home... There are many ISPs out there that will give you static ips these days, modern home connections are more than fast enough for a moderately loaded email server and if the server is at your home you have physical control over it and can monitor it, you can also ensure the disk is fully encrypted since you'll be physically present to re-enter the key on bootup.

      You don't even need a powerful, expensive and noisy server, a raspberry pi is more than adequate for running a mai

      • by swb ( 14022 )

        I think it's generally more secure to have a personal email server at home than to rely on a third party system. It does raise the question as to how physically secure your home is, though.

        And of course it raises the question as to who you exchange email with and how secure they treat your emails.

  • Either these guys are dorks or they were threatened.

    Oh well, it has been said many times before, we are on our own. Best of luck

  • I have had a very secure overseas email service for the last decade and a half. I don't want other people to start using it, however.
  • we do not want to take the risk of supplying our extremely secure service to the wrong people... we have taken a strategic decision to only supply our platform and services to the enterprise segment

    Because of course, and so obviously that no explanation is needed, "the enterprise segment" of the market couldn't possibly comprise "the wrong people", could it? Why, I bet there's not a single large criminal organization or shady financial corporation among GhostMail's enterprise clients!

    • by Etcetera ( 14711 )

      To be fair, it's a different kind of riff-raff. Corporate shenanigans might be of a different type of shenanigans than an ISIS user who got told by his buddy to use the service. Let's not pretend that the differences can't lead to a different moral determination.

      At the very least, having only enterprise contracts leaves them with someone very easy to sue if something is misused.

    • by Burz ( 138833 )

      Because "enterprise" people are, by definition, "the right people". Just ask the Saudi government! [motherjones.com]

  • Until we know how deleted emails on yahoo were recovered (seen on Slashdot here: https://news.slashdot.org/stor... [slashdot.org]) can we know if using encryption on any webmail service is safe? The answers in this might go a long way but with both Google (GMail) and Yahoo saving "draft" emails for you (are THOSE encrypted?) any encryption added around it might not be necessary. Of course, you can use your own email client and send through Yahoo (or others), but how many non-technical people can do that safely?
  • Try ProtonMail [protonmail.com]

    Based in Switzerland. End-to-end encryption. Even the admins cannot access their users' e-mail. And it's free.

    Falls under strict Swiss privacy laws, out of the reach of other governments.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Only problem is you'll end up "vendor locked" due to no support for standard protocols such as IMAP or POP3. :-(.

      Thus, if you ever want to change providers, you'll lose all your emails first.

      • Indeed!
        This is the only thing that stops me from migrating over to ProtonMail; I'd even be happy to pay for their service, but the biggest problem is not having ultimate control over your own email and data - no ability to download emails to your local device.

        It would be cool if they could build an addon for Thunderbird which is able to download and unencrypt the data to be stored locally, i.e. every time you open Thunderbird, it would ask for the decryption password, similar to their web interface.

  • Until a critical mass of users choose to encrypt their messages, it will be inconvenient and ineffective for anyone to do so. For some reason half of Americans, and Europeans too, trust their government to some extent. They protest 'I've got nothing to hide' and continue their lackadaisical ways.

    You may convince your circle of friends to encrypt, but it's Joe Average that needs to join in. And Maria Average. Women and young people especially will resist the inconvenience.

    But why encrypt when really there is

    • Until a critical mass of users choose to encrypt their messages, it will be inconvenient and ineffective for anyone to do so

      That critical mass has to be really big. It's a hard thing to get done, and may not be able to work at all, ever.

      First of all, there has to be a universal encryption protocol, that is supported by all e-mail clients. If there is a need for multiple protocols, they all have to be supported by all e-mail clients. This alone is a massive hurdle to pass.

      Then the encryption/decryption part. For a local e-mail client this can work securely and fairly conveniently and transparently, with your keys unlocked when yo

      • Somehow, somewhere the e-mail has to be decrypted, and both the key and the result have to be kept secure. I don't see how that can be done.

        Erm, with public/private key pairs [wikipedia.org]?
        This is a solved problem: you exchange public keys, then encrypt all your mail to person X with the public key of person X.
        Only they have the private key that can decrypt it.
        When X replies to you, they encrypt with your public key.
        To authenticate your email, you can even sign it with your private key, and the other side can verify it with your public key.

        • You conveniently left out the rest of my e-mail - the comments about how to (not) keep the secret key secure!

          I know the encryption itself is a solved problem. That's the easy part. Now keeping those keys secure, that's the hard part - lots of e-mailing is done using web clients and even shared computers. Securely exchanging public keys with everyone you want to talk to, that's another hard part (how can you be sure that you get the correct key, and that the key server is not performing a MiM on you?).

          • Well yeah, like I said in my other reply (sent 20 min before yours), I misread what you meant.
            Sometimes you read something, and your mind just runs off with it, I guess. No "convenience" intended...

          • lots of e-mailing is done using web clients and even shared computers.

            Which is totally unnecessary in 2016.

            Securely exchanging public keys with everyone you want to talk to, that's another hard part (how can you be sure that you get the correct key, and that the key server is not performing a MiM on you?).

            Compare the key as acquired from different sources? Make sure the key matches the email address you want to encrypt to? Check the fingerprint confirmed out-of-band?

            And besides, if you encrypt to the wrong pubkey, the "right" receiver won't be able to decrypt
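
The three checks listed in the comment above (compare copies of the key from different sources, match the e-mail address, confirm the fingerprint out-of-band), as an added example that is not part of the original thread. The function names and the key bytes are constructed for illustration; the fingerprint rule is the OpenPGP v4 one (SHA-1 over `0x99`, a two-octet length, and the public-key packet body), and the sketch assumes new-format packet headers and does not verify the self-signature that binds a user ID to the key.

```python
import hashlib
import struct


def build_packet(tag: int, body: bytes) -> bytes:
    """Serialise one OpenPGP packet with a new-format header (sample data only)."""
    if len(body) >= 192:
        raise ValueError("sample builder only handles one-octet lengths")
    return bytes([0xC0 | tag, len(body)]) + body


def parse_packets(data: bytes):
    """Yield (tag, body) for new-format packets with one- or two-octet lengths."""
    i = 0
    while i < len(data):
        if data[i] & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled here")
        tag = data[i] & 0x3F
        if i + 1 >= len(data):
            raise ValueError("truncated packet header")
        first = data[i + 1]
        if first < 192:
            length, i = first, i + 2
        elif first < 224 and i + 2 < len(data):
            length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
        else:
            raise ValueError("unsupported or truncated length encoding")
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        yield tag, body
        i += length


def v4_fingerprint(pubkey_body: bytes) -> str:
    """Fingerprint of a version 4 public-key packet body, as upper-case hex."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("not a version 4 public-key packet")
    material = b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body
    return hashlib.sha1(material).hexdigest().upper()


def describe_key(data: bytes):
    """Return (fingerprint, [user IDs]) from the primary key and user ID packets."""
    fpr, uids = None, []
    for tag, body in parse_packets(data):
        if tag == 6 and fpr is None:        # tag 6: public-key packet
            fpr = v4_fingerprint(body)
        elif tag == 13:                     # tag 13: user ID packet
            uids.append(body.decode("utf-8", "replace"))
    if fpr is None:
        raise ValueError("no public-key packet found")
    return fpr, uids


def uid_email(uid: str) -> str:
    """Address between the last <...> of a user ID; exact match, not substring."""
    start, end = uid.rfind("<"), uid.rfind(">")
    return (uid[start + 1:end] if 0 <= start < end else uid).strip().lower()


def check_key(copies: dict, email: str, oob_fingerprint: str) -> list:
    """Run the three checks; an empty list means no problem was found."""
    problems, seen = [], {}
    expected = "".join(oob_fingerprint.split()).upper()
    for source, data in copies.items():
        fpr, uids = describe_key(data)
        seen[source] = fpr
        if email.lower() not in {uid_email(u) for u in uids}:
            problems.append(f"{source}: no user ID for {email}")
        if fpr != expected:
            problems.append(f"{source}: fingerprint differs from out-of-band value")
    if len(set(seen.values())) > 1:
        problems.append("sources disagree on the fingerprint")
    return problems


def sample_key(key_material: bytes, uid: str) -> bytes:
    """Constructed key: version 4, fixed creation time, algorithm id 22, filler bytes."""
    body = bytes([4]) + struct.pack(">I", 1470000000) + bytes([22]) + key_material
    return build_packet(6, body) + build_packet(13, uid.encode())


# Constructed samples: GOOD is the intended key, SWAPPED a substituted one
# carrying the same user ID, as a tampering key server could hand out.
GOOD = sample_key(b"\x11" * 32, "Alice Example <alice@example.org>")
SWAPPED = sample_key(b"\x22" * 32, "Alice Example <alice@example.org>")

if __name__ == "__main__":
    oob = describe_key(GOOD)[0]             # stands in for a value read over the phone
    print(check_key({"keyserver": SWAPPED, "website": GOOD}, "alice@example.org", oob))
```

A substituted key with a copied user ID passes the address check, which is why the out-of-band fingerprint comparison is the check that carries the weight.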

      • Ok, I think I misread what you meant, which was the private key and the decrypted email.
        So long as the decryption is done server side, there is no way to ensure the server doesn't leak this data to third parties.
        So to make webmail secure, it would need to send you the message encrypted, and let you decrypt it locally with a trusted client.
        It could be a plugin in your browser, or some local JavaScript that is under your control, or some local app on your phone that lets you scan the text and decrypt it on th

      • by Burz ( 138833 )

        Other types of messaging clients are doing this conveniently. Signal and Ring.cx come to mind. I think email itself may be obsolete, since it relies on servers and makes hiding metadata difficult.

        • Such messaging services (WhatsApp is also end to end encrypted) rely on a single company. That company has to make money off the service somehow, or it will end, sooner or later. Those companies have an incentive to read your messages and sell your personal data (either direct or indirect in the form of targeted advertising), and they ARE the MiM, so we have to trust them to not decrypt our messages with their own keys, pretending it's end to end encrypted. A government that wants to spy has to go to one an

      • by Kjella ( 173770 )

        Then the encryption/decryption part. For a local e-mail client this can work securely and fairly conveniently and transparently, with your keys unlocked when you log in to your computer, just like encrypted hard disks.

        And this basically means hardware support. There's no way ordinary user passwords like "luggage12345" will be cryptographically strong, it takes hardware that will give you a limited number of attempts to translate this to a private key. Pure software solutions like Truecrypt or dm-crypt on Linux require you to type a very long and complex key so they're not convenient. And so if you need hardware, they won't be universal and it won't work for webmail. Honestly if you don't view it on a personal trusted devi

      • But how could this ever work securely for webmail clients?

        Simple, don't use webmail via a web browser. Access it with a REAL e-mail client (either desktop or mobile) via IMAP or POP3. For example, I can access gmail via IMAP and send/receive encrypted messages on either my desktop or phone/tablet.

    • The problem is not with "joe average".

      The problem is with technical geeks, who don't feel it is necessary to provide support for industry standard encryption by default in popular email clients.

  • I wouldn't be surprised if Free World police killed more innocent, unarmed civilians over the last couple of years than terrorists.

    Like so many of us, GhostMail's owners have lost track of where the real threat lies.

  • by Anonymous Coward

    The terrorists have won 10-0. Thank you for submitting to the fear. Ordinary people will keep losing their rights, privacy, independence and possibilities.

    • The terrorists have won 10-0. Thank you for submitting to the fear. Ordinary people will keep losing their rights, privacy, independence and possibilities.

      During the Cold War, governments justified the same bullshit with other kinds of fear mongering. And while NSA spying on US citizens is certainly some cause for concern, economic and social policies represent far bigger infringements on our liberties: high taxes, regulations, restrictions on freedom of association, regulation of political speech, governmen

  • If you want privacy then randomly pick a motel, turn on the taps in the bathroom and have your meeting there. As soon as you write anything down you leave a trail. All this nonsense about privacy and email is daft.

  • This situation will get better when President Trump takes over....
  • Poor brainwashed intimidated scared Ghostmail: THERE ARE NO "wrong users". Freedom of personal life against spying is a HUMAN RIGHT. If you only allow cheery apple pie free speech that you agree with, then it's not free speech. And if you deny freedom from spying to random people because, heavens to murgatroyd, they MIGHT POSSIBLY be "bad" people, then you don't believe in freedom, and if you don't believe in freedom then you believe in subjugation.

    One man's terrorist is another man's freedom fighter. The e

  • Your E-mail isn't secure in transit anyway, so using a "secure provider" really only helps with where your data is permanently archived; if you don't want it to be permanently archived on Google/Yahoo/Microsoft/Apple, just download it. Most clients can be set up to do that. If you really think GhostMail-like models give you something, you can always host an E-mail server on a virtual machine, or even more securely, on a RaspberryPi at home ("E-mail server in a closet", popularized by someone recently).
