New safe email (http://www.countermail.com)

I know its not open yet but looking at the features it will be offering i wonder if there is any other service like this already out there?

http://www.countermail.com

* Full anonymity and no IP logging
* Diskless login servers
* Double protection, using SSL and OpenPGP
* Private keyfile storage on USB memory

 

Been a beta the website does give alot of information it. Its hosted in Sweden, so its legally pretty sound, Sweden is very resistant to outside pressure how its known to engage in inspecting international traffic that passes through its internet connections. If that doesn't worry you then it could be a good provider, see how the beta goes, others have done this but are either in the US or have been compromised in the past (ie hushmail).

 

Beware, In the very first line is a lie: "Full Anonymity"

Sweden is a heavy surveillance and data-retention country, how are they defeating sweden's surveillance program to hide the identity of the person who is accessing their server? That they don't do "IP Logging" is immaterial and is not the same as anonymity either, as sweden already logs your IP if that is where their servers are.

Diskless login servers, that could be good or bad. If they are storing the mail on the login servers, diskless means that if someone does a buffer overflow or the machine loses power, it permanently loses your messages. If they are not storing the email on the login servers, why diskless unless they can't properly implement encryption? Would like to understand their implementation.

"Using SSL and OpenPGP" ... How are they applying it? They are using SSL on their log files they send to the police, and OpenPGP on the copies they are emailing to the IFPI? If they are using OpenPGP properly and caching pub/priv keys how is this different than mailvault which has been around for 5+ years? I don't know and they don't say.

 

You know, I honestly don't think we need any more proof of the "Big Brother" effect taking hold world-wide. If the concept was truly in the mind of the tin foil hat wearers and "mountain people", these services would not be cropping up left and right like they have been. But, opinion aside, Steve once again "reads the fine print" for those who just see the big flashing sign and think "yay!".

 

What is this mailvault and is it free?

 

And why would IFPI be interested in people's mail?
Otherwise you're darn right. Anybody worried about privacy should stay away from Sweden-based services. Anything passing in or out of or through the country is monitored. It's also very likely that the security police will get full access to the monitoring system soon, and they're well known to cooperate with intelligence agencies like CIA, Mossad and MIT, besides being political morons with a racist bias.

 

Anti-piracy lawsuits are big business. Anything that could help them in court would be of interest to them. This organisation wouldn't be actively sending information to the IFPI, though. Perhaps Steve was implying that they would be immediately complicit with subpoenas served on behalf of the IFPI

MIT are an intelligence agency now?

 

Yep - they have a little room out the back.

Noone talks about it.

Ssshhhh...

 

I will ask the makers of this service.

But i dont think the server will be in Sweden anyway.
And with diskless i still think is good, even if i lose my emails if the server is attacked its fine by me, i just dont want any law be able to re create my emails.

 

u working for xerobank?

 

MailVault, try it out for free.

 

Milli Istihbarat Teskilati, the Turkish "National Intelligence Organization". The political police of Sweden will probably cooperate with any intelligence agency as long as it's okayed by the US - and please believe me, I'm not being paranoid here.

 

Sweden does not have any more privacy law, they log & sniff all the traffic which pass thought,
as far as internet goes there's no such things as anonymity

 

no update from him....

 

You ain't frum around here, are ya boy?

 

You shore got a purdy mouth...

Squeal for me, piggy!

 

And all readers should be aware that SteveTX is working for Xerobank, and he is therefore biased in his judgement.

I would say that all countries is under "heavy surveillance and data-retention", do you really think that NSA skip small offshore countries?
I don't think so.

When we are talking about "Anonymity" we are talking about our email accounts, no one can prove that "John Smith" is the real person behind the account "joe@countermail.com".

So far, 2048 bits OpenPGP is considered secure, even for government agencies (and if that changes we can increase to 4096 bits).

Our encryption is done on the client, before anything leaves your computer, government spying won't lead to much. When you login to our web server your loginname is encrypted with our public key, it's only our web server that can decrypt your loginname, and our diskless login server do not store IP-addresses, so it's impossible to trace IP-addresses to a certain account. It does'nt matter if someone see's that your IP is connected to our web server, because the loginname is still heavily protected.

The email body is of course not encrypted with our public key, it's only readable by the recipients that you selected.

We also have other unique features to increase the security:
- Hardware authentication with USB-stick, to help protect against key loggers and bruteforce-attacks
- We don't use cookies, cookies are evil
- Time delayed sending, to prevent "time logging"

This is wrong, it's important to skip IP logging. If you keep IP-logs on the servers it could help if someone want to go back in time and backtrace the identity of users.

The diskless web server is a unique security feature, it will prevent any IP leaking to any harddrive or swapareas, if someone "steals" it they will find nothing. The diskless login server is used as a "filter" to our database server, which of course have harddrives, how should we otherwise store the encrypted messages?? All messages stored on our database server is already encrypted at the client side.

The end-users never have any contact with our database/mail servers, only with our diskless web servers.

See the simplified sketch on the picture below.

That comment is just ridiculous, you don't know us at all.
First, we don't have any log files to send second, if we betray customers our company would die. We would never invest 400k in a service who betray their customers. Hushmail's betrayal was one reason that we started our service.

I don't know MailVault, and I only get Internal error when I try to register an account, doesn't seem promising...

I do recommend people to read the privacy policy for every security service they're using, it's the only way to know what the company can do, and can not do, for example: https://xerobank.com/company/privacy-policy/

Best Regards
CounterMail Staff

 

my simple qns for him is ...... is he working for xb?
and when he give comment(s)... is he acting as an individual?
no need rocket science knowledge to answer that...

 

Why all the questions about Steve's connection with Xerobank?
Everybody know he is connected to Xerobank.

But why suddenly pointing fingers about his affiliation with Xerobank?

Besides, his comments are appropriate.
Is this going to be one of those "let's shoot the messenger"-topics, because we don't like the questions being raised?

Countermail, unfortunately I can't get into every point that you are raising.
Some are valid, but most are very roughly put.
You are right on some points...to a certain extent.

First example: hardware-keyloggers:
- You simply can't protect your customers (or anybody else for that matter) from a good implemented hardware-keylogger.
What are you going to do about it?
Encrypt their keystrokes? Hardware-keyloggers can circumvent all that.
Having a hardware-keylogger in, or connect to your systems is "game over".
The strategy to follow is to never let a hardware-keylogger get in your laptop, desktop or between keyboard-connection in the fist place.
Software-keylogger is, again, a slightly different matter.
I can certainly see solutions to solve that problem, albeit extremly difficult being used from just a USB-token only.
Bu I love to see more info on that, if you wish to share that.

The second example is about the data-retention part:
No, NSA doens't listen to every bit of traffic on the internet.
But because alot of the world's internet-traffic goes though the USA, the NSA has a lot of internettraffic within reach for analisys.
But even with the proper measures even that can be circumvented.

See this graphic:
http://www.wired.com/images/article/full/2007/10/nsa_2005_traffic_flows_630px.jpg
Or the whole article:
http://www.wired.com/politics/security/news/2007/10/domestic_taps

The fact of the matter is that you raise some issues in such an uninformed manner that questions your credibility in total.

But to not come across to much as a sour grapefruit: I do like it that you are atleast trying to come up with a solution for this problem.
Look at it like it's lockpicking....keep jiggling that keyhole, eventually you'll be getting where you want to be.

 

are you steve?

 

this thread is about countermail.com

why direct others to another site?
whats your intention?

 

No, I'm not.
But I've communicated with him before in some 1-on-1 contact, I'm very open about that.

 

I am not Steve T., but I do play him on TV.

 

LOL, which series?

But seriously, how about going back ontopic.
I still haven't seen a proper response to my first reply in this topic.

 

No, everybody don't know that he's connected to Xerobank, even if Wildersecurity forum seems to be good, it's not that huge.

Yes, questions is good, but not false accusations.

Hmm, you must have missunderstood our goal with the USB authentication completely. I have been working with development of anti-keylogger software, so I know exactly how they work, probably 99% of all keyloggers only read the keyboard input, and sometimes they take screen dumps.

We're using the USB memory as a keyfile:
http://www.truecrypt.org/docs/?s=keyfiles

Mr Joe enter his password as usual, and if he bought the USB-memory option it must be inserted before he can access his account. The keyfile is combined with his password. This will definitely increase the security a lot, since the attacker need both the password and the keyfile.

You don't know exactly what NSA is listening on, and I don't, and no other on this forum. So it's impossible to discuss it in a meaningful way. But I do know that almost every country have their own surveillance and data-retention computers, the big thing that differs between countries is if it's official or not. Countries like USA, UK, Sweden, France, etc. have acknowledged that they do collect information, while others don't acknowledge it. And Yes, I do have some inside information about this.

Most cryptographers believe that OpenPGP is secure enough, even against government agencies. By protecting the loginname and other things with OpenPGP they can't map the IP to your account. It's does not matter if someone is listening on the traffic, if you protected it well.

However, there are some other good things with offshore countries, it's the laws that affect the internet/email providers. If the law changes in Sweden we will immediately move to another country, we have already prepared for that.

We have invested a lot of time and money on this, and we are trying really hard to not do the same mistakes that other security providers do.

We are going live within 3-4 weeks, beta invites will be released earlier.