The paranoid #! Security Guide

A pretty comprehensive guide to harden your Linux box http://crunchbang.org/forums/viewtopic.php?id=24722

 

Wow, that is an awesome source of information. Thanks.

 

Looks pretty good aside from the email section. Obviously hushmail is terrible and lavabit isn't an option anymore.

 

Yeah, I didn't see what was so special about vfemail.net, either, which was the third service is his top three services.

Anyway, nothing's perfect. But there is a huge amount of useful information in that guide.

 

VFEmail creates new addresses without asking for any information, even an existing email address. Also, it's accessible via Tor.

 

I see. But it does nothing to secure your email on their servers, correct? And they are based, it looks like, in Wisconsin. So they provide zero protection from court orders, etc.

Also, looking at their privacy policy it doesn't seem so great:

Maybe this is common place in email privacy policies, but I find the part of agreeing that they can look at my email to enforce intellectual proprety rights (d), pretty weird for an email service. I would understand it for a file sharing service or an ISP. But for email? How does that even work, who complains about email containing intellectual property? And we all know how incredibly abusive the defenders of intellectual property can be, even when they have no claim.

Also in their member conduct part of their TOS, they write:

I get most of those categories, but why should I agree not to transmit something obscene? Does this apply to communication with friends? Shouldn't I be able to say anything I want? Obscenity, obviously, is in the eye of the beholder and if I was sending unwanted communications to someone I don't know, that would fall under harrassment anyway, so the nature of the content is really not relevant in and of itself. "Libelous" is also a little weird along these lines. And once they've proscribed "threatening" and "harassing," what exactly is "harmful" about? And, what would be a "privacy invading" email transmission? And then the last category, users agree not to transmit "otherwise objectionable material of any kind." That pretty much covers anything, since there's always someone who will object to anything. It seems like a catch all phrase to let VFEmail justify any sort of incursion into a users email they deem necessary for any reason. Which I interpret to mean, we will roll over on you the first second we feel any kind of pressure, justified or not.

I realize this stuff is written just to cover their butt. But it's pretty broad and obviously not written with the protection of the user's privacy in mind. In fact, it's pretty much the opposite of a privacy policy. It's about creating the opening necessary to read the users email, should any sort of sticky situation arise. It says, we agree not to look at your email as long as no one objects to anything you do ever, but once there's an objection all bets are off. Of course, communications that no one would ever object to don't need to be protected by definition.

Anyway, to me it seems like they are just a regular email service, with a very nominal intent to show some regard for their users' privacy, and a focus on scanning email for spam and viruses. But pretty much not that different from any old email service you might pay for. Mostly it just gets you out of the Google, etc., matrix. So I'm not sure I see why it appears in a list of secure email providers like Hushmail (whatever their issues) or Lavabit (still in operation at the time the list was made).

 

@cb474

All that you say about VFEmail may be true.

But if you're, for example, using Tor and need an email address to sign up for some forum, they're a useful resource. There are one-time-use email services, but there aren't many ask-no-questions email providers left.

Edit: I suspect that the warnings are mostly directed at spammers.

 

I agree they seem useful for that purpose and preferable to Google or Yahoo.

But they were listed in a list of three "secure" email providers with Hushmail and Lavabit. To me I don't see any reason they belong in that list. In fact, I was surprised when I went to check them out. I was expecting some kind of service doing encryption or making strong claims about privacy. I just seemed out of place and a bit (unintentionally) misleading.

And I agree, as I said, the privacy policy disclaimers are just there to cover their butt or about spammers, as you suggest. But the general tenor of the privacy policy, while lacking any strong (more than generic) statment about protecting the privacy of the users, to me suggests this is an organization that has zero interest in resisting the pressures of the powers that be, justified or not.

It seems worthwhile being aware of that, given that the security guide suggested they offer some sort of secure email service.

 

I've never played much with Yahoo. But Google is a total pain. Although some of their staff are Tor-friendly, Gmail isn't usable via Tor. They block many exits, they freeze accounts if your IP changes too often, and they demand cellphone numbers to unfreeze accounts. I've looked pretty hard for Tor-friendly email providers, with little success.

Indeed. That alone leads me to distrust this "security guide".

Right. They aren't a privacy-centric email provider. They're a we-won't-ask-too-many-questions-but-don't-be-a-jerk email provider

Well, if both parties create anonymous email addresses on VFEmail using Tor, and if all messages are encrypted, there really isn't anything left that needs protected. Right?

But I agree that it's bad to recommend them without making that clear.

 

But any email service used through Tor and with users doing their own encryption would be just as good. So I still don't see what's especially great about VFEmail, versus many many other options out there. I'm not saying they're not prefectly fine. They just don't seem particulary special, except for being a step above Google and Yahoo, which isn't saying much. But they don't seem like they belong in a list of secure or private email providers either.

For what it's worth, the guide does suggest that people encrypt their email. I think other information in the guide looked pretty useful and well done. I don't know how closely you looked at it. And at least a good starting place for a lot of ideas. But I'm not an expert, so perhaps I'm missing shortcoming of other parts of the guide. And they do also mention autistici, mailoo, riseup, and countermail, as email providers. It's just that whoever wrote the guide had no personal experience with them and was repeating someone else suggestions, separate from their own hushmail, lavabit, vfemail list.

 

@cb474

I haven't looked very carefully

Do you know other Tor-friendly email providers that offer instant signup, and don't require providing an email address? Knowing more than one would be cool. It seems that vmail.me is totally dead

 

What's in the guide may all be stuff you already know, given my sense of your pretty large level of knowledge. It was just informative to me.

I guess I wasn't aware that accessing email through Tor was generally a problem, so again, perhaps you know more than me. I'm assuming any paid email service, with a modicum of respect for privacy, will let you do it. Gmail obviously has reasonable security reasons to be suspicious of IP address changes for the average everyday user.

On a brief search it sounds like Zoho email will work with Tor. Also fastmail. Found that in an Ubuntu guide to anonymous email: http://ubuntuguide.org/wiki/Anonymous_email.

The Ubuntu guide also provides this link to a Tor hidden service wiki, that reviews Tor compatible email services: http://kpvz7ki2v5agwt35.onion/wiki/index.php/Email. The wiki entry is a bit of a jumble, but there are some interesting services mentioned towards the bottom that I'd never heard of. Hope that helps.

 

@cb474

Thanks

I'll check those out.

I'm usually just in a hurry to find something that works

 

Do you mean vfmail has a hidden service? If so please post the .onion.

 

No, it doesn't.

I mean that it doesn't seem to block Tor exits, as Gmail (for example) does.

But I haven't tested that exhaustively.

 

thanks gitmo for the link

I optimised and ran the about config for my ff and it improved my overall rating under https://panopticlick.eff.org/

I also used Firegloves addon and now hit 3.5 million unique browser with 21.8 bits of id info.

Not sure its a good figure to have under Panopticlick but its 10x better then the score coming up before !

What are others Panopticlick scores ?

 

I know this should be obvious and incredibly simple, but I keep having trouble wrapping my head around which is better on panopticlick and higher or lower number? A lower number is better, right, because it means my browser fingerprint is very common and not easily distinguished from others?

Sadly, right now, panopticlick says my browsers appears to be unique.

 

Would a higher number not indicate your browser finger print is the same as the millions around you?

If its say showing 8000 people, then it means 8000 people out there look just like you are on the internet. So a higher number say 3.5million means your even less unique.

When I ran thru the paranoid guide linked here I went from 800 to 2000 then I installed firegloves addon and it made my browser even more unique since it switched off people seeing what addons/extensions and what fonts etc I used to the point it put me in the 3 million range.

hopefully someone else can confirm this!

 

Yes, as you supposed a lower number is better.

Exactly.

You are pointing out the problems with the countermeasures. They (very) often do the exact opposite of what they're supposed to do.

Someone posted an interesting link to a lecture on browser fingerprinting here on this forum not long ago. For me it's been very enlightening especially the facts about proxies (should apply for VPNs as well) Flash and that it's very hard to minimize your browser fingerprint.

Code:

http://www.securitytube.net/video/8943

Noscript is always a good option. You will notice that with scripts disallowed your fingerprint shouldn't be unique. So in order to be a little less visible you should only allow scripts on websites that won't work without them. But I guess everyone on this forum is using noscript.

 

Still confused you said a lower number is better yet agreed my higher number ie 3 million is better?

So after spending 2 hrs tweaking my firefox and following the paranoid guide I made my browser even less unique then it was before ?

 

I think there's a little misunderstanding. A lower number (no matter in what regard on this website) is better because the lower the number the smaller the bits of identifying information. I think that is logical.

I didn't say your example of 3 million is "better". I agreed to you saying that it makes you more unique, which is a bad thing.
1 in a 100.000 is better than one in a million because the latter is just saying that less people are having the same browser fingerprint.


You can be happy making your browser less unique because it won't stand out as much as before.

 

Thx for the clarification think I meant to say less unique not more

I 100% agree with cb474 on panopticlick its a mind bender one

 

I wasn't quite sure if I got what you meant either (especially the first part with the 8000 people). But the 2nd part sounded right so I thought you meant what I thought.

Another thing: I think we should call it more or less identifiable instead of unique. It is either unique or it is not. There is no comparative degree for unique. I don't mean to sound pedantic but I just think it sounds a little weird talking about more or less unique. (Just read my own stuff again and it felt wrong).

 

less identifiable sounds better

I use noscript and request policy... its incredible what stuff gets through

Java and Flash only on the websites I require, I hear some people switch off firefox addon's and extensions and flash and java so so they do not leak your real IP while online (even under a VPN) but from what I recall on a thread I posted not so long ago as long as your using a secure and configured VPN and fixed any leaks/disconnections and DNS leaks you should be more secure.

Or use Tor naturally.

I still enjoy https://prism-break.org/ for latest info on addons for browsers and other software its always nice and updated.

 

Adding to the confusion, I get different results, when I check at different times, even though I've changed nothing about my browser. Anyway, at this moment I get this result:

I now think the higher the number, the worse. If only 1 out of every 1.2 million browsers look like mine, then my browser is very unique, and therefore easily identifiable.

On the other hand, just to make it easy, if it said "one in 2" browsers have the same fingerprint, that would mean every other browser looks just like mine (or 50% of all browsers tested look exactly like mine), that would not be very unique, and that would mean my browser is not easily identifiable from all the other browsers that look just like it.

In other words, the more unique the worse. But the wording is confusing because the "only" in "only one in 1,219,465 browsers" has a kind of positive ring to it, like I'm a needle in the haystack. When in fact I'm more of a brightly shinning and unusual color light in the darkness, amongst a lot of other people who are dark and well cloaked and all look like each other.

It really is poorly worded.