GhostMail Closes in September, Leaves Users Searching For Secure Email Alternatives (zdnet.com) 158
On September 1, "GhostMail will no longer provide secure email services unless you are an enterprise client," reports ZDNet. "According to the company, it is 'simply not worth the risk.'" GhostMail provided a free and anonymous "military encrypted" e-mail service based in Switzerland, and collected "as little metadata" as possible. But this week on its home page, GhostMail told its users "Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people... In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment."
GhostMail is referring their users to other free services like Protonmail as an alternative, but an anonymous Slashdot reader asks: What options does an average person have for non-NSA-spied-on email? I am sure there are still some Ghostmail competitors out there but I'm wondering if it's better to coax friends and family to use encryption within their given client (Gmail, Yahoo, Outlook, whatever...) And are there any options for hosting a "private" email service: inviting friends and family to use it and have it kind of hosted locally. Ghostmail-in-a-box or some such?
GhostMail is referring their users to other free services like Protonmail as an alternative, but an anonymous Slashdot reader asks: What options does an average person have for non-NSA-spied-on email? I am sure there are still some Ghostmail competitors out there but I'm wondering if it's better to coax friends and family to use encryption within their given client (Gmail, Yahoo, Outlook, whatever...) And are there any options for hosting a "private" email service: inviting friends and family to use it and have it kind of hosted locally. Ghostmail-in-a-box or some such?
Privacy is dead (Score:3)
I'm at the point where I have to say that real privacy is truly dead.
Between the NSA, FBI, CIA, DHS, and the other untold number of government and non-government snoops and spies, I don't believe there is any real expectation of privacy left, period. If they want to read your stuff, they will.
Re: (Score:3)
Re: (Score:2)
No, real privacy is so private you will never hear about it.
Maybe I won't hear about, but then I don't have the resources available to me that the US government does. Maybe you think your privacy is really, truly private, but honestly, how would you know? The only way you'd know is if you somehow found out they were snooping, tapping, MITMing, source-capturing, etc etc etc.
By definition, you can't know that they've not managed to invade your privacy as long as they've done a good enough job of it.
Re: (Score:3)
To be fair, that's what the TLA's WANT you to think: that you have nowhere to hide, therefore you might as well give up trying. Computer security is hard, but some significant progress has been made recently. Compare the security of the latest iPhones to Windows XP, for example.
Re:Privacy is dead (Score:5, Insightful)
Indeed. In fact, every person that gives up on privacy makes the TLA's jobs easier and increases their power. So please do not give up. These people are not who you want to rule the world.
Re: (Score:2)
You are wondering whether I have a choice in giving up? Are you retarded?
Re: (Score:1)
The company that DID hack the 5C undertook the burden of an expensive and time consuming project so they could sell the hack to a government agency.
The world's biggest corporation chose NOT to ... showing them to be privacy advocates.
FTFY.
Re: (Score:2)
Well said; Apple appears to be the only major company interested in privacy of their users, and dare I say, even fighting for their users' privacy. Each iteration of iOS hardens their system further from gov surveillance. Case [idownloadblog.com] in [theinquirer.net] point [recode.net].
Although iOS and iPhones are fairly well protected against gov surveillance, I'm not sure what Apple is doing against commercial spying apps and advertisers, particularly the most evil of all: Google.
Re:Privacy is dead (Score:5, Informative)
It is not. It takes a little effort though. But if you encrypt email with PGP/GnuPG, use TOR or TAILS for sensitive browsing, don't post your life's story on social media and make sure your PC has reasonable security, then unless you are a priority to be spied on, you will not be.
Sure, they will still know who you did send email to, but that is about it. As far as I remember, the NSA TAO (the "hackers") has capacity for 100-1000 targets, but not much more. The rest is all mass-surveillance and that can be made much, much harder for them. And it should. Mass-surveillance has zero value to make society safer (remember all those spectacular recent failures ?) and a lot of potential to make everybody less safe and to reduce quality-of-life by eroding freedoms.
Re: (Score:2)
> But if you encrypt email with PGP/GnuPG
Stealing PGP keys is its own interesting security problem. It's quite intriguing how many people sill store them on unprotected media, especially on NFS shares without NFSv4 based Kerberized access, because "we trust the people we work with". Stealing them off of build servers for software packages is a particularly enlightening penetration test, or subverting the build servers themselves to publish false packages in a vendor's name.
The penetration of the RHEL and
Re: (Score:2)
If they are used right, it does take a bit more than just stealing the keyfile though as they will be protected by a good passphrase. Build-servers that sign by themselves (and hence the server either has the passphrase or the key is unprotected) are simply insecure on architecture-level. The way to do his right is to sign manually.
Re: (Score:2)
Stealing PGP keys is its own interesting security problem.
Why bother with stealing the keys when they can install malware on all your devices and get everything fresh from the keyboard?
Routers, phones, keyboards, NICs, etc etc....everything is susceptible and exploitable. They're probably giggling at the idea of people carefully protecting their PGP keys when they can capture every keystroke at the source.
Re: (Score:3)
It is not as simple as that. Every time they install such malware, they risk losing the vulnerability used. It just takes one person uploading something suspicious to https://www.virustotal.com/ [virustotal.com] and their $100'000 zero-day exploit may be gone. And the cost is not even the worst. There are at one time always only a small number of zero-day exploits. Hence in order to keep their capabilities intact, they can only ever use these against high-value targets. And they will try conventional hacking (which good sec
Re: (Score:2)
On any day, there are many known "zero day" exploits that are usable on most computers because the user has not updated their software.
Re: (Score:2)
And if you start ignoring the definition of even more terms, you can make even more nonsensical statements! Try it!
Re: (Score:2)
> So, no, they are not "giggling", they are very careful to use the limited resources they have only against targets that are high-priority.
I'm afraid this is a common but misleading belief in security circles. The idea that "we are not an important enough target for anyone to hack us" is widespread in industry, software development, and personal computing. Unfortunately, most attackers are not so elite and there are thousands of them active at any time. The script kiddies are _always_ attacking anywhere
Re: (Score:2)
I've taken a different approach to email. (See a previous post [slashdot.org] where I tried to explain my rationale.) ... it almost defeats the purpose!
However when so many people / organisations use Gmail
I don't disagree with what you wrote above. I can envisage a model similar to the way TextSecure / Signal handle text messaging:
where if one's contacts have a PGP key, then the client will obtain those keys and opportunistically encrypt emails to those contacts.
But can users be trusted to not lose their keys / forget the
Re: (Score:2)
But can users be trusted to not lose their keys / forget their passwords? (And therefore lose access to old emails.)
Those that want security can. The others are defenseless against attacks anyways.
Re: (Score:2)
"then unless you are a priority to be spied on, you will not be"
This is the only thing that matters. As I've said elsewhere, if they want to read your stuff, they will.
No amount of PGP or encrypted messaging will prevent them from reading or listening to everything you send or say if they decide they need/want to.
Re: (Score:2)
And, fail. Mass-surveillance still counts as "they want to read your stuff" and encryption used right will reliably prevent that.
Re: (Score:2)
Mass-surveillance still counts as "they want to read your stuff" and encryption used right will reliably prevent that.
Do you really believe that the NSA, FBI, or CIA couldn't read or monitor your communications if they wanted to?
Re: (Score:2)
They cannot if they want to do the same for 1'000'000 other people at the same time. And that is not a "belief".
Re: (Score:2)
They cannot if they want to do the same for 1'000'000 other people at the same time.
But what if for some odd reason they want to read your email and not the email of the other 999,9999 people?
Again, Do you really think that the NSA, FBI, or CIA couldn't read or monitor your communications if they wanted to?
Of course they could, but you're probably not on their radar. If by some odd circumstance* you do pop up on their radar, they'll read and listen to whatever they want of yours.
-
*Someone mis-enters a number, or you "appear" to be linked to someone else by some simple (yet innocent) circum
Re: (Score:2)
You sound like you already have. Go crawl in a cave instead of posting the same scare tactic shit over and over. "I can't guarantee my own security so I won't even try" that is exactly what you are saying.
Nope, if it sounds that way to you, you're mistaken. I do what I can to preserve my privacy within what I feel are reasonable boundaries.
If you read what I wrote, nowhere do I say I've "given up" or whatever. What I said (in one instance) was, "Do you really think that the NSA, FBI, or CIA couldn't read or monitor your communications if they wanted to?"
As far as privacy being "dead", yes, in most of the ways that matter it is, for all intents and purposes. It's not hard to keep stuff private from a casual o
Re: (Score:2)
They fail to understand the problem. That is the root-cause for most human problems these days. "Stupid" is prevalent and cannot be fixed.
Lavabit (Score:3)
It's ok just sign up with Lavabit.
Oh...
Re: (Score:2)
I suspect that using any encrypted or "high security" email service will probably get you noticed, or at least earn you a checkmark by your name in some database somewhere.
If I was the government and wanted to know who might be of interest to spy on, that's what I'd do. Or I'd provide some "high security" email service and watch who uses it.
Re: (Score:2)
Wouldn't work. Paranoid people who fear the government will find out that they know the TRUTH about their extra-terrestrial conspiracy, or that they're hoarding distilled water so that the mind-control chemicals aren't affecting their family, or that they're melting down pennies, outnumber people to ACTUALLY be concerned about by 100 to 1, if not 100,000 to 1. There isn't enough manpower to check up on all of these people, and when the govt. tries, they are usually dismissed as "not a credible threat" even
Re: (Score:2)
you don't think that, like the farm of foreign workers that work for pennies a day, that the bad guys in our government do not hire them for their human abilities?
I can easily imagine a distributed HUMAN system done in india, say, that harvests the power of people to do the evil work of the nsa, etc.
AI can do a lot. pattern matching in pure hardware (like DPI is in hardware these days) and occasional 'human assist' can get the job done.
I refuse to accept the BULLSHIT plea of 'too much data; you can just di
Similar happened with anon.penet.fi (Score:4, Interesting)
Those of us old enough to remember when Usenet was a critical online resource will remember when anon.penet.fi provided a helpful, pseudonymous email and NNTP service. It was invaluable for people discussing issues that were not work safe, ranging from dating services to gender identity to cancer fears to AIDS help to thoughts of suicide. Some typical coverage was done by Wired, quoting the Observer newspaper, at:
http://www.wired.com/1996/11/a... [wired.com]
What was amazing about most of the press reports at the time was how they failed to identify the incident that caused Julf Helsingius to shut down anon.penet.fi. The incident is better described at:
http://articles.latimes.com/19... [latimes.com]
Simply put, someone kept using anon.penet.fi to post court documents revealing Scientology's inner secrets. The documents are infamous and broadly available online, but 20 years ago they were not so broadly avaialble.
Why do I mention this? Partly because it points out that anonymous, and pseudonymous services, are always at risk from court ordered revelations about their clients. And I mention it partly because it's vital to see press coverage about the events as possibly skewed by fears of retaliation by powerful groups. 20 years ago, man reporters were justifiably _frightened_ of covering Scientology stories. They remembered what had happened to Paulette Cooper, who wrote about them and had bomb threats faked in her name by the cult. Today, press coverage that risks the ire of Fox News or of the Department of Homeland Security or run afoul of the so-called Patriot Act are at similar risks of abusive, extra-judicial censorship with little safe recourse.,
I'm afraid the desire to censor communications is always around. I do look forward to better details about what triggered the closing of GhostMail's free services. I hope it wasn't a similar abuse of authority, but see real reasons to be concerned that it _is_ about Patriot Act or other government enforced tracking of users.
Re:Similar happened with anon.penet.fi (Score:4, Insightful)
...Today, press coverage that risks the ire of Fox News or ... are at similar risks of abusive, extra-judicial censorship with little safe recourse.
Citation needed. Fox News is just somewhat silly partisan news, like NBC News. When/how did they ever commit "extra-judicial censorship"? Or are they merely guilty by association?
Re: (Score:1, Troll)
I think you misunderstand his concern. Fox News gets bent out of shape about something, and a Fox News watcher (perhaps several!) decides to "Do Something About It! (TM)". Fox News here is merely an example of the pulpit, it's the parishioners that you have to watch out for.
Re: (Score:3)
So just like anyone who ever voiced an opinion then? Let's not proclaim guilt by association. Innocent people are not guilty by association, even when they express an opinion you don't like.
Re:Similar happened with anon.penet.fi (Score:4, Interesting)
> Fox News gets bent out of shape about something,
Getting "bent out of shape" is not the problem. It's the fraudulent crusades against political, ethical, or ideological opponents. that are the problem.
Fox News repeatedly, and sadly effectively, misreports basic news to anger and mislead their viewers for ideological reasons. There were numerous examples during the conservative furor that led to the Iraq War. Such deceit was present during the "Black Lives Matter" protests, the "Occupy Wall Street" protests, and the Fox reporting on the fraudulent "abortion harvesting" videos about Planned Parenthood.
> Fox News here is merely an example of the pulpit,
The danger is that they represent themselves as a news organization, not a political pulpit. This means that their fraudulent attacks are taken more seriously than those from a more openly political spokesperson.
Re: (Score:2)
That sounds like Nancy Grace on CNN. Are you certain you have your facts correct?
Re: Similar happened with anon.penet.fi (Score:1)
^^Sounds like MOST major new sources.
FTFY.
Re: (Score:3)
I'm sad to say, yes, I'm personally convinced by having watched it. They consistently rate the worst for truthfulness of any national news publisher.
If it's worth your time, check any level of Fox news reporting about _anything_ where you personally know anyone involved or know the subject matter. It's true even for scientifically verifiable subjects. See http://mediamatters.org/blog/2... [mediamatters.org] as a good example of the problem.
Re: (Score:2, Informative)
Fox News already went to court over this. They successfully argued that they are an entertainment channel and therefor are allowed to lie and make up stories.
Ennetcom (Score:4, Informative)
A more recent and closer example is surely Ennetcom. The dutch provider of encrypted messaging. The dutch police raided the owner, admitting that encrypted comms is not illegal, but that the communications were being used by criminals.
The actual charges though, did not reflect the PR. There was no such 'illegal because it could be used by criminals' charge. They did a 'possession of an unlicensed weapon', against the owner and a 'money laundering' charge.
That second charge, the Dutch press expanded on, saying the company was assisting laundering money by selling the phones which could/were resold by criminals to other criminals to launder criminal money. i.e. a nonsensical vague claim. How would selling a phone to another criminal be laundering? You'd receive criminal money as payment!
It was timed shortly after the failure by the FBI to force Apple to backdoor their phones and it was by the drug police, a unit trained by the FBI, so it appeared to be related to lobbying from external back actors.
So be careful what you say.
Re: (Score:2, Informative)
You miss a bigger irony! Dutch SIM company Gemalto, employees started using Ennetcom phones after Gemalto was found to be hacked by GCHQ to steal all the SIM card keys. So the secure phones issued to defend a dutch company against foreign government hackers were blocked by their own dutch police force.
Another thing you missed: Ennetcom's servers were in Switzerland, the money laundering charge was how they were able to get the Swiss to confiscate the servers, which a simple gun license charge wouldn't have
Re: (Score:2)
we do not want to take the risk of supplying our extremely secure service to the wrong people
Taking GhostMail at their word, that would mean that they think their service is TOO secure, and are deathly afraid that the evil terrists will do evil things with it, but are unwilling to compromise their own security. Therefore, only for-profit businesses and other organizations which are never corrupt and put society's welfare at the forefront (pshaw!) will be allowed to use it.
Re:Similar happened with anon.penet.fi (Score:4, Insightful)
More likely: they are afraid that they will be suspected of helping suspected people that may be suspected terrorists that may in the future blow the whistle about secret invasive government programmes. Because just that tiny air of suspicion is nowadays more than enough to get the whole world against you (just being called "suspected terrorist" or "suspected terrorist associate" is in certain countries enough to take away any legal rights a normal suspect has, and put people in jail for months without even a formal charge against them).
By targeting corporate clients only, they can even brush away that risk of suspicion.
Re: (Score:2)
Ghostmail is based in Swiss so I doubt very much that the patriot act was involved.
Re: (Score:2)
May I assume you mean they are "based in Switzerland"? I don't wish to mock your spelling, I just don't wish to echo that typo.
That is why I mentioned "other government enforced tracking of users". Every hosted service is vulnerable to local government orders. And like anon.penet.fi, they're vulnerable even if the orders are based on fraudulent claims from a criminal or political entity in another nation. Even the Swiss are vulnerable to exposure: their infamous privacy for banking records has been profoun
Re: (Score:1)
Thanks - happy to see a reminder about the right version of the story!
BYO Dovecot + Exim with TLS on both sides (Score:2)
Re: (Score:2)
This, run your own service at home... There are many ISPs out there that will give you static ips these days, modern home connections are more than fast enough for a moderately loaded email server and if the server is at your home you have physical control over it and can monitor it, you can also ensure the disk is fully encrypted since you'll be physically present to re-enter the key on bootup.
You don't even need a powerful, expensive and noisy server, a raspberry pi is more than adequate for running a mai
Re: (Score:3)
I think it's generally more secure to have a personal email server at home than to rely on a third party system. It does raise the question as to how physically secure your home is, though.
And of course it raises the question as to who you exchange email with and how secure they treat your emails.
Re: (Score:2)
If you don't have a static ip with appropriate reverse dns, you will have major trouble sending any email (most spam filters will flag a dynamic or nonresolving ip as suspicious).
Re: (Score:1)
The "wrong people"? (Score:2)
Either these guys are dorks or they were threatened.
Oh well, it has been said many times before, we are on our own. Best of luck
Secure overseas email (Score:2, Interesting)
Re: (Score:2)
Weeding out the riff-raff? (Score:2)
we do not want to take the risk of supplying our extremely secure service to the wrong people... we have taken a strategic decision to only supply our platform and services to the enterprise segment
Because of course, and so obviously that no explanation is needed, "the enterprise segment" of the market couldn't possibly comprise "the wrong people", could it? Why, I bet there's not a single large criminal organization or shady financial corporation among GhostMail's enterprise clients!
Re: (Score:2)
To be fair, it's a different kind of riff-raff. Corporate shennanigans might be of a different type of shennanigans than an ISIS user who got told by his buddy to use the service. Let's not pretend that the differences can't lead to a different moral determination.
At the very least, having only enterprise contracts leaves them with someone very easy to sue if something is misused.
Re: (Score:2)
Because "enterprise" people are, by definition, "the right people". Just ask the Saudi government! [motherjones.com]
Is Hosted Email Really Secure? (Score:1)
ProtonMail (Score:1)
Try ProtonMail [protonmail.com]
Based in Switzerland. End-to-end encryption. Even the admins cannot access their user's e-mail. and it's free.
Falls under strict Swiss privacy laws, out of the reach of other governments.
Re: (Score:3, Informative)
Only problem is you'll end up "vendor locked" due to no support for standard protocols such as IMAP or POP3. :-(.
Thus, if you ever want to change providers, you'll loose all your emails first.
Re: (Score:2)
Indeed!
This is the only thing that stops me from migrating over to ProtonMail; I'd even be happy to pay for their service, but the biggest problem is not having ultimate control over your own email and data - no ability to download emails to your local device.
It would be cool if they could build an addon for Thunderbird which is able to download and unencrypt the data to be stored locally, i.e. every time you open Thunderbird, it would ask for the decryption password, similar to their web interface.
critical mass (Score:2)
Until a critical mass of users choose to encrypt their messages, it will be inconvenient and ineffective for anyone to do so. For some reason half of Americans, and Europeans too, trust their government to some extent. They protest 'I've got nothing to hide' and continue their lackadaisical ways.
You may convince your circle of friends to encrypt, but it's Joe Average that needs to join in. And Maria Average. Women and young people especially will resist the inconvenience.
But why encrypt when really there is
Re: (Score:3)
Until a critical mass of users choose to encrypt their messages, it will be inconvenient and ineffective for anyone to do so
That critical mass has to be really big. It's a hard thing to get done, and may not be able to work at all, ever.
First of all, there has to be a universal encryption protocol, that is supported by all e-mail clients. If there is a need for multiple protocols, they all have to be supported by all e-mail clients. This alone is a massive hurdle to pass.
Then the encryption/decryption part. For a local e-mail client this can work securely and fairly conveniently and transparently, with your keys unlocked when yo
Re: (Score:2)
Somehow, somewhere the e-mail has to be decrypted, and both the key and the result have to be kept secure. I don't see how that can be done.
Erm, with public/private key pairs [wikipedia.org]?
This is a solved problem: you exchange public keys, then encrypt all your mail to person X with the public key of person X.
Only they have the private key that can decrypt it.
When X replies tou you, they encrypt with your public key.
To authenticate your email, you can even sign it with your private key, and the other side can verify it with your public key.
Re: (Score:2)
You conveniently left out the rest of my e-mail - the comments about how to (not) keep the secret key secure!
I know the encryption itself is a solved problem. That's the easy part. Now keeping those keys secure, that's the hard part - lots of e-mailing is done using web clients and even shared computers. Securely exchanging public keys with everyone you want to talk to, that's another hard part (how can you be sure that you get the correct key, and that the key server is not performing a MiM on you?).
Re: (Score:2)
Well yeah, like I said in my other reply (sent 20 min before yours), I misread what you meant.
Sometimes you read something, and your mind just runs off with it, I guess. No "convenience" intended...
Re: (Score:2)
Saw the other reply only later :-)
Re: (Score:2)
lots of e-mailing is done using web clients and even shared computers.
Which is totally unnecessary in 2016.
Securely exchanging public keys with everyone you want to talk to, that's another hard part (how can you be sure that you get the correct key, and that the key server is not performing a MiM on you?).
Compare the key as acquired from different sources? Make sure the key matches the email address you want to encrypt to? Check the fingerprint confirmed out-of-band?
And besides, if you encrypt to the wrong pubkey, the "right" receiver won't be able to decrypt
Re: (Score:2)
Ok, I think I misread what you meant, which was the private key and the decrypted email.
So long as the decryption is done server side, there is no way to ensure the server doesn't leak this data to third parties.
So to make webmail secure, it would need to send you the message encrypted, and let you decrypt it locally with a trusted client.
It could be a plugin in your browser, or some local JavaScript that is under your control, or some local app on your phone that lets you scan the text and decrypt it on th
Re: (Score:2)
That's why I added the phone idea. You need a trusted client to do the decryption.
Don't trust your browser? Then use a dedicated device that is 100% under your control.
Or use pen and paper, since your device contains silicon you didn't create.
But make sure to close all curtains and sweep for bugs first.
If they *really* want your secrets, they'll just use the $5 wrench method [xkcd.com] anyway...
Re: (Score:2)
Other types of messaging clients are doing this conveniently. Signal and Ring.cx come to mind. I think email itself may be obsolete, since it relies on servers and makes hiding metadata difficult.
Re: (Score:2)
Such messaging services (WhatsApp is also end to end encrypted) rely on a single company. That company has to make money off the service somehow, or it will end, sooner or later. Those companies have an incentive to read your messages and sell your personal data (either direct or indirect in the form of targeted advertising), and they ARE the MiM, so we have to trust them to not decrypt our messages with their own keys, pretending it's end to end encrypted. A government that wants to spy has to go to one an
Re: (Score:2)
Ring.cx uses DHT not "a company". Clients connect directly to each other.
Re: (Score:2)
Then the encryption/decryption part. For a local e-mail client this can work securely and fairly conveniently and transparently, with your keys unlocked when you log in to your computer, just like encrypted hard disks.
And this basically means hardware support. There's no way ordinary user passwords like "luggage12345" will be cryptographically strong, it takes hardware that will give you a limited number of attempts to translate this to a private key. Pure software solutions like Truecrypt or dm-crypt on Linux require you to type a very long and comple key so they're not convenient. And so if you need hardware, they won't be universal and it won't work for webmail. Honestly if you don't view it on a personal trusted devi
Re: (Score:2)
But how could this ever work securely for webmail clients?
Simple, don't use webmail via a webrowser. Access it with a REAL e-mail client (either desktop or mobile) via IMAP or POP3. For example, I can access gmail via IMAP and send/receive encrypted messages on either my desktop or phone/tablet.
Re: (Score:2)
The problem is not with "joe average".
The problem is with technical geeks, who don't feel it is necessary to provide support for industry standard encryption by default in popular email clients.
Anybody got numbers? (Score:2)
I wouldn't be surprised if Free World police killed more innocent, unarmed civilians over the last couple of years than terrorists.
Like so many of us, GhostMail's owners have lost track of where the real threat lies.
So, it has come to this (Score:1)
The terrorists have won 10-0. Thank you for submitting to the fear. Ordinary people will keep losig their rights, privacy, independence and possibilities.
Re: (Score:2)
During the Cold War, governments justified the same bullshit with other kinds of fear mongering. And while NSA spying on US citizens is certainly some cause for concern, economic and social policies represent far bigger infringements on our liberties: high taxes, regulations, restrictions on freedom of association, regulation of political speech, governmen
I wish people would just stop with this (Score:2)
If you want privacy then randomly pick a motel, turn on the taps in the bathroom and have your meeting there. As soon as you write anything down you leave a trial. All this nonsense about privacy and email is daft.
Re: (Score:2)
Don't forget to draw the blinds LOL
Not to worry (Score:2)
"Wrong" user?! (Score:2)
Poor brainwashed intimidated scared Ghostmail: THERE ARE NO "wrong users". Freedom of personal life against spying is a HUMAN RIGHT. If you only allow cheery apple pie free speech that you agree with, then it's not free speech. And if you deny freedom from spying to random people because, heavens to murgatroyd, they MIGHT POSSIBLY be "bad" people, then you don't believe in freedom, and if you don't believe in freedom then you believe in subjugation.
One man's terrorist is another man's freedom fighter. The e
client encryption (Score:2)
Your E-mail isn't secure in transit anyway, so using a "secure provider" really only helps with where your data is permanently archived; if you don't want it to be permanently archived on Google/Yahoo/Microsoft/Apple, just download it. Most clients can be set up to do that. If you really think GhostMail-like models give you something, you can always host an E-mail server on a virtual machine, or even more securely, on a RaspberryPi at home ("E-mail server in a closet", popularized by someone recently).
None
Re: (Score:3)
I think the servers are in NY.
Re: (Score:2)
Replying to myself... I've recommend Fastmail to several small business owners. They are happy. Fastmail is a great service.
Re: (Score:2)
So...
Where would a a secure place to place the servers?
Is any country a gold model for Internet privacy and will be willing to stand up to governments who will demand that the release information?
Re: (Score:1)
Australia law don't mean squat. Mega was New Zealand, with servers in Canada, and they still got busted. Anything hosted in the US should be considered hostile due to PRISM.
Re: (Score:3, Informative)
anything in Canada that anybody in the RCMP and/or CSIS even thinks someone in US law enforcement might like to look at gets fedexed there by 9am the next day.
Re: (Score:2)
Re: (Score:2)
Oops, that was me - I managed to get logged out through not posting here for so long.
Re: (Score:2)
I use FastMail, it doesn't scan your emails for advertisement purposes and it doesn't send all your data to Google, Microsoft or NSA.
That you know of. Or maybe that they know of, or believe, but I wouldn't bet my life on the notion that using FastMail (or any other email service) is safe from prying eyes. If they really want to spy on you, they will. And if they want to read your email or SMS or Skype messages, they'll do that too.
-
But even so, still a lot more private/secure than Gmail or Hotmail...
Maybe, but like I said, if they really want to read your stuff, they will.
Re: (Score:3)
We run encrypted channels between our datacentres - we're not trusting telco pipes to be private.
Re: (Score:2)
We run encrypted channels between our datacentres - we're not trusting telco pipes to be private.
And maybe your datacenters have been compromised. How would you know? You wouldn't, basically.
The only way you'd know is if they fucked up and you noticed, but I'd bet that they're pretty good at what they do. After all, if they can install backdoors in the firmware of Cisco devices, how do you know they haven't done that to whatever brand you're using?
Maybe they have, maybe they haven't....but these days it's damn near impossible to know, even with deep audits and best security practices.
Re: (Score:2)
Well, yes. Obviously. If "they" compromise at a level below what we are capable of seeing - for example baseband controllers on every brand of motherboard that we own, then there's nothing we can do about it. There's nothing anyone can do about that, including the theoretical "run my own email server from home".
So I don't waste much sleep worrying about that case, because there's nothing I could about it. We do everything we can to ensure security - for example airgapped internal networks with physically
Re: (Score:2)
We do everything we can to ensure security - for example airgapped internal networks with physically separate switching hardware rather than VLANs to avoid the risk of compromised switch firmware.
Exactly. We do the best we can, but we can never really know for certain if it's sufficient. That's basically the situation we're in today.
So while I don't think my communications are being monitored or intercepted, I have to accept the fact that it's certainly possible, and that if I was a "person of interest" then there's really nothing I could do that would ensure the privacy of my communications.
Re:FastMail (Score:5, Informative)
Thanks for the plug. We definitely recommend that users who are concerned about security use GPG with our servers via the standard IMAP/SMTP protocols. We have very good standards support, and as others have pointed out in this thread - if we ran GPG server-side, you'd be delegating the security to us anyway, because we would see plaintext versions of your communication.
For the best security, you should definitely be running the encryption on equipment under your control (and not 0wned under you... which is your own lookout in that scenario)
Re: (Score:2)
Web based email is not secure.
Re: (Score:1)
Re: (Score:1)
Metadata will still give you away. The better alternative is still through the newspapers' classified ads. Transmitter and receiver remain unknown.
Re: (Score:1)
The post mark will suffice, gives the date and the city. That's a start. And you do need to put the address of your intended recipient on the front, amirite?