thunderbird with enigmail and openpgp with tormail not good enough?

Discussion in 'privacy technology' started by happyyarou666, Jan 29, 2012.

Thread Status:
Not open for further replies.
  1. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    so heard about all this encryption business and how it supposedly sux, for sending general emails to people around the globe, atm im a hotmail user
    just wanna stay safe and not have the government snooping my private info, its none of their business what i do including my email traffic :mad:

    any insight would be appreciated, thanks :ninja:

    p.s: wilders security forums ftw! aint nothing that comes close in experienced members on the webz not even the deep webz xD
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    It doesn't work to send encrypted messages to people unless they can decrypt them ;) And most people won't bother. Some hosting providers, for example, will send root login passwords in plain text messages (because using encryption would require too much support)! So, unless you have friends who already use gpg, that's not a good place to start.

    To prevent snooping by your ISP and government, you could use VPN "anonymity" services or Tor. Your ISP etc will see whichever you're connecting through, but not the content (only throughput magnitude over time).

    Tor by itself probably provides enough anonymity. But there are issues to consider. It's slow. And proper setup is complicated, so it's best to use the TAILS LiveCD, or the Tor Browser Bundle (TBB). Exit node operators can see your traffic, and can mount MITM attacks, so you want to use encrypted connections (HTTPS, SSL, etc). Also, you may not want your government to know that you use Tor.

    VPN "anonymity" services just provide pseudonymity, because providers know your IP address and payment information. Tor entry nodes also see your IP address, but they don't share that with other nodes. VPNs are much faster. Although VPN exit nodes can see and manipulate your traffic, you at least know who they are. And you can use encrypted connections. Using VPNs probably attracts less attention from governments than using Tor, and there will be more VPN users per capita.

    Routing Tor through a VPN is easy using TBB. You just start the VPN, verify that your IP address has changed to the provider's exit node, and start Tor. For extra protection, you can use a firewall to block non-VPN traffic. You can also route Tor through a VPN using TAILS, but you need to run TAILS as a VM.
     
  3. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    im already routing tor and any other net traffic through my vpn perhaps i wasnt clear enough -.-'

    thats not what i meant, what i wanted was a way to have some sort of security from people being able to snoop info from my emails containing personal info like my one hotmail email with fake information containing my ebay transactions or paypal payments etc which have my real info of course, and since ive heard tormail isnt a good thing for using for such things id need a solution, i hope you understand now what i meant, thanks in advance

    p.s: ive never said anything bout tor browser bundle xD, please read before replying thanks

    p.s.s: any merits using thunderbird in combination of pop3, since this approach would remove emails from being possibly read by uninvited guests or should i just use the hotmail website as per usual?

    p.s.s.s: im using a firewall the best out there Comodo firewall, its a software firewall but strong as a hardware one imo and yes i run a router too with hardware firewall xD
     
    Last edited: Jan 29, 2012
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I didn't get that. I do now :)

    Yes. You can set up a GMX account, and access it with Thunderbird using SSL/TLS. You can install Enigmail, and add a gpg key pair. But you have the problem that eBay and PayPal won't accept or send encrypted messages. Without message encryption, GMX and maybe other intermediaries see your plaintext, although traffic between you and GMX is encrypted.

    How are you using Tor? If you're not using TAILS or TBB, you had better know what you're doing!

    I don't think that it matters. Just because messages can be "deleted" after download with POP3, you can't be sure that they're not stored somewhere.

    Do you have exit rules that block non-VPN traffic?
     
  5. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    xD im using tor through the browser bundle nduh xD, what i was talking about was tormail xD, though after some research tormail isnt what i was looking for in terms of privacy towards personal info emails, ill check out gmx as youve mentioned and the thunderbird combo ive mentioned is a good decision then after all ey? minus the tormail and pop3 xD, thanks

    even better instead of exit rules my vpn software cuts off any connection to the internet should there be a problem, btw there isnt no non vpn traffic on my pc due to full openvpn

    p.s: coming back on the gmx suggestion, this is the best? heard about safemail, hushmail etc hmmmm.... c'mon yall i know you can do better than that, have i joined in at a bad time? xD, wheres all em specialists here? xD
     
    Last edited: Jan 30, 2012
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Hushmail will give you up!

    Countermail is secure between you and it, but I doubt that they can secure all upstream traffic. Countermail has a Wilders account, so you could PM and ask.
     
  7. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    http://email.about.com/u/reviews/gmxmail/Gmx-Mail-User-Reviews-Free-Email-Service/

    this dont sound too good for gmx, i think ill pass on gmx -.-'

    and countermail.. one month and afterwards pay? anything in the free section? yeah i know im cheap xD

    p.s: i can understand paying for a vpn but for email c'mon its enough having to pay to have peace of mind of not being tracked but email service too?

    http://www.hacker10.com/email-encryption/

    want the best free secure email with unlimited storage and maximum file attachment possibility, thanks in advance
     
    Last edited: Jan 30, 2012
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
  9. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Well unfortunately you can't have your cake and eat it too. You are going to have some risks with any free email provider. The only way to be sure of what is happening on the back end is to set up your own server for email and register a domain. The best free email service out there currently is gmail, you may cringe at privacy with them, though they do provide an excellent email service. Not to mention two factor authentication over ssl. You may also want to look into your ISP offerings as well.
     
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    lmao my isp offerings? hell no that would be even worse using an email from my isp that has all my personal data -.-'

    but i guess i shall give gmx a whirl after the positive things being said here, and gmail? are you serious!? why dont i just hand my address over to the feds instead -.-', thanks

    perhaps you should read the updated privacy policy google released a few days ago that should change your mind if what google has been doing in the past hasnt already raised red flags

    i use duckduckgo as my main search engine nowadays unlike google they dont hoard your personal information for their own corrupted reasons, and it still lets you use google maps etc but google wont know who searched what since it reroutes your searches


    btw keep em comments coming im always open for new ideas and what others use, youd think more people were interested in this topic or have i perhaps really joined in at a bad time? hmmm....



    p.s: set up an own server for email? thats about as secure as setting up my own vpn server.... which is not at all -.-', correct me if im wrong


    update: i really aint too sure with gmx sorry but all those negative reviews left a VERY bad taste in my mouth, cant believe tormail is the ONLY one that provides security for free, even though its not a solution for private info use -.-'
     
    Last edited: Jan 30, 2012
  11. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Well going off what you asked for "free", it would be free to you given you are a customer. It is simply another avenue to explore.

    Again going off what you asked for and offered another suggestion. You can review other offerings here:

    http://en.wikipedia.org/wiki/Comparison_of_webmail_providers
    http://email.about.com/od/freeemailreviews/tp/free_email.htm

    Well again it is up to you, buying some cheap domain and hosting can give you what you want.


    I would say Tor mail provides anonymity not security. Email by default is sent in the clear without encryption. With tor mail you are still trusting the tormail servers which deliver your mail are doing what they claim. I would not use tormail for personal/sensitive mail with a 10-foot pole. Tor is used to keep someone anonymous not secure their data.
     
    Last edited: Jan 30, 2012
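
Added example (not written by anyone in this thread): the point made in posts 4 and 11, that SSL/TLS only protects each hop while the provider and every relay still see plaintext unless the message itself is gpg-encrypted, can be checked on a received message. This sketch reads the `Received` trace for the RFC 3848 TLS keywords and looks for OpenPGP protection of the body; the hosts, addresses and message text are constructed sample data.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords meaning the hop was delivered over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample (hosts, addresses and times are invented): an order
# receipt relayed over three hops, the middle one without TLS.
HEADERS = """\
Received: from mx.mailhost.example (mx.mailhost.example [203.0.113.10])
    by imap.mailhost.example with ESMTPS id c3 (version=TLS1_2);
    Mon, 30 Jan 2012 10:00:03 +0000
Received: from relay.shop.example (relay.shop.example [198.51.100.7])
    by mx.mailhost.example with ESMTP id b2;
    Mon, 30 Jan 2012 10:00:02 +0000
Received: from app.shop.example (app.shop.example [198.51.100.5])
    by relay.shop.example with ESMTPS id a1;
    Mon, 30 Jan 2012 10:00:01 +0000
From: orders@shop.example
To: buyer@mailhost.example
Subject: Your order 1001
Content-Type: text/plain; charset=us-ascii

"""
PLAIN = HEADERS + "Ship to: 1 Example Street\n"
ARMORED = HEADERS + ("-----BEGIN PGP MESSAGE-----\n\n"
                     "(constructed placeholder, not real ciphertext)\n"
                     "-----END PGP MESSAGE-----\n")

def hop_report(msg):
    """Return [(receiving_host, protocol, tls_seen)], oldest hop first."""
    hops = []
    # Each relay prepends its own Received line, so reverse for delivery order.
    # Lines added before your own provider's servers can be forged or missing.
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())  # unfold the header
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        name = proto.group(1).upper() if proto else "?"
        tls = name in TLS_PROTOCOLS or bool(re.search(r"\bTLS", text, re.I))
        hops.append((by.group(1) if by else "?", name, tls))
    return hops

def body_protection(msg):
    """Classify the content as 'pgp-mime', 'pgp-inline' or 'plaintext'."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in payload:
                return "pgp-inline"
    return "plaintext"

def audit(raw):
    """Summarise transport (per hop) and end-to-end protection of one message."""
    msg = message_from_string(raw)
    hops = hop_report(msg)
    return {"hops": hops,
            "cleartext_hops": [host for host, _, tls in hops if not tls],
            "body": body_protection(msg)}

if __name__ == "__main__":
    for label, raw in (("plain receipt", PLAIN), ("gpg message", ARMORED)):
        print(label, audit(raw))
```

Even in the armored case the `From`, `To` and `Subject` headers stay readable at every hop; OpenPGP covers the body only.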
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    What do you have to lose? I doubt that they'd bother to hunt you down. You post at Wilders, after all ;)

    I have friends who have Gmail accounts, which they've confirmed by cellphone (anonymous) and use with debit cards (anonymous). They use real addresses, just not theirs ;)

    You'd need a VPS, rented anonymously. That will cost you about 30 USD per month, plus about 13 USD for domain registration. Hosting services may also want telephone confirmation, by the way. And you'll need other users, for crowding.

    Most of the bad reviews are from users who accessed it from too many different IP addresses, I think. That and bad support. You want support with your free email account?

    Tormail is OK if you use gpg encrypted messages. You need to trust the provider, but that's the case for any account. It's a hidden service, so you're not vulnerable to evil exit nodes.
     
  13. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    hmmm well even using gmail with a fake address as i do with hotmail, still wont help them once someone checks their emails containing their real info and sadly google uses lots of info from you not to mention we dont know about their email checking habits when asked by feds -.-', i hope you understand this isnt even bout covering up "shady" activities which i dont even partake in its keeping all my personal info such as transactions, orders etc etc from spying eyes, paranoid? hell no its sad facts

    and i see setting up your own email server will cost you more than using services like countermail , has nobody found a reasonable way to not get ones personal info leaked and still being free


    p.s: sure i want support with my free email provider lolz xD, and using an email address your isp provides is a big no no fyi

    p.s.s: "I doubt that they'd bother to hunt you down. You post at Wilders, after all " you trying to say something with that? xD, not everything has to be questioned over tor .onion boards xD
     
    Last edited: Jan 30, 2012
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    You should never send or get email using your pseudonymous accounts that contains real information. And you should never send or get email using your real accounts that contains pseudonymous information. Real and pseudonymous information should never exist on the same machine, or even on the same LAN, and you should never use USB drives for both.
     
  15. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    never use usb drives for both? please elaborate on that yeah im a bit of a noob in this area so forgive me ive been catching up all week long ok xD, never bothered in the past but with recent events and all the talk goin around you sure want to do something

    so you say for real information use a real account with your address etc? and thats good? hmmmm....


    ive usually done it like this i got no real info linked to my accounts but use 2 for my regular web adventures and one for real private info such as mentioned all hotmail, guess im doing it wrong? of course i never used them with tor, for that theres tormail the only use for it after all the talk ive heard it would seem xD

    btw before i forget i heard somebody mention using the random free email accounts approach is better than a paid service , due to way less suspicion bout you doing anything that could be of interest, its all about staying under the radar
     
    Last edited: Jan 30, 2012
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Each pseudonym has its own VM(s) and its own USB flash drive(s). Whenever anything leaves a VM, even to the host machine, it's encrypted (using Truecrypt for serious stuff, and tarred folder inside encrypted zip for casual stuff).

    Sure. Why not? Anything else would attract attention. Have a Facebook page, a Google account, and so on. Just be a normal person. You can maintain some interest in privacy etc, because abrupt change would attract attention. Right?
     
  17. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    good one, though tbh wouldnt use facebook or twitter the rest sounds good though, guess im gonna go and update some account info for my private emails then xD

    and so i guess using a truecrypt encrypted vm on a fully encrypted drive with truecrypt is ok then and advisable? how many vms should i have to run, isnt one enough? with the real sensitive stuff being in a truecrypt hidden volume of course within the vm aforementioned, tbh im using a regular os install atm on my system, never used encryption or vms perhaps due to me being more of a relaxed user you could say, as said im bout to change all that to the better, so any advice would be appreciated and experiences from others
     
    Last edited: Jan 30, 2012
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    My hosts run Ubuntu with RAID1 (or RAID 10) and encrypted LVM (so everything except /boot is encrypted). I don't routinely bother encrypting VMs, because VM-host leakage might occur anyway. Both encrypted /home and encrypted LVM do work on VMs, though. Sometimes I keep really private stuff in Truecrypt file volumes on VMs. Also, I use different hosts for real and pseudonymous stuff.

    Remember to encrypt your backups, at least as well as the source. Tahoe-LAFS is probably the way to go. If you have several machines, you can put a share on each, plus shares on friends' machines and/or in the cloud. Tahoe-LAFS works well over VPNs. It also works over I2P, but it's S-L-O-W. You need at least ten shares total.
     
  19. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    i see, any way for a comfortable windows user to implement this? xD

    would doing a simple full disk encryption suffice? or is a vm required on top of that? btw never asked this but does the encryption slow down anything with truecrypt?

    since ive heard lots of different things from different people, some dont use a vm at all, they just do a full encryption of their disk and make one visible encrypted container and one hidden encrypted container inside that regular encrypted container, so that when you give up the pass all you get is the outer encrypted container but they dont know theres another encrypted hidden container there, any thoughts?

    i know this is a difficult subject, lots of people have gotten headaches while in the process like me -.-'

    http://4sysops.com/archives/dont-use-truecrypt-drive-encryption-bitlocker-is-better/

    so is it true that bitlocker is the best choice then? or what? first i hear truecrypt is the holy grail of software encryption but then, this guy sez otherwise? -.-'
     
    Last edited: Jan 30, 2012
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    There are many on Wilders who can better answer your questions about Windows.

    Setting up a Ubuntu VM host with encrypted LVM isn't that hard. It was my first Linux project :) See https://www.wilderssecurity.com/showthread.php?t=315680 and, if you want deniability, PaulyDefran's comment about putting /boot on an SD card. Without the SD card, the machine just boots Windows :)
     
  21. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Encrypted LVM is also vulnerable to recovering passphrases from memory. One workaround is using a binary keyfile in addition to the passphrase. You can store it on a CD. For example, you could have a CD that contains a large collection of device drivers, one of which is your keyfile. Even if you lose it, you can get another copy online. Having it on a CD is good, because it's read only, and the last accessed date can't change.
     
  23. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    i see id rather use something like

    i know im going on about ironkey xD but i mean if not for anything else id use it for highly sensitive passwords, after 10 tries its kabooom!!! xD, all you do is give them a random password of course not the right one and tell them you're not sure if it was upper or lower case or mixed

    btw ive checked their main site here http://imationmobilesecurity.com/en/...l-flash-drives

    wish their external hdds were self-destructible too then id get me 4 of em and tell the feds all the passwords for the drives are on the ironkey they just destroyed, rubber hose cryptanalysis wont even save them then and voila you got yourself your plausible deniability

    no lvm with possible holes no nothing though it requires a bit of extra cash but not overly expensive imo, just another solution and this one dont require you to be an IT expert xD, but if anybody got more insight and feedback please bring it and ive heard about a pay program called drivecrypt plus pack, supposedly has the ability to hide your second os in a hidden volume and not be detected while you just use your decoy os


    check it out


    http://www.securstar.com/products_drivecryptpp.php

    p.s: cd's are too suspicious and unprotected? not quite sure thats a good idea putting your binary keyfile on a cd, for such things you need something like yes gonna say it again, and ive been impressed by it namely ironkey, wish they wouldve thought of that earlier xD
     
    Last edited: Jan 30, 2012
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    According to the Passware press release that you cited:

    According to Torbjörn Pettersson (2007) Cryptographic key recovery from Linux memory dumps:

    So, make sure that Firewire is disabled.
     
  25. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Yes what they fail to mention is you need to have the drive mounted for their magical fairy dust to work. :rolleyes: Full disk encryption is only good when used correctly, when a drive is mounted it is no longer encrypted and can be examined, that is when this tool will be used. That tool can be useful only if you ignore the security requirements for using TrueCrypt that are listed in the TrueCrypt User's Guide.

    Specifically:

    http://www.truecrypt.org/docs/?s=unencrypted-data-in-ram

    http://www.truecrypt.org/docs/?s=physical-security

    See also: http://www.truecrypt.org/docs/?s=security-model

    FDE with a strong password ensures that anyone attempting to brute force their way into your laptop is going to have a fun time. Weak passwords, evil maid attacks, or using FDE improperly will not protect the end user. If you ever lose physical access to your machine you should consider it compromised and not use it. In conclusion Truecrypt is plenty secure and does what it promises to do. ;)
     