Quote from: foxen624 on August 10, 2013, 04:43 am@Nightcrawler - that was quite a post you made there! As far as dial-up ... hate to admit it, but I do remember when I thought that was the only way to get to the Internet. For many years it was the only way to get online. Quote from: foxen624 on August 10, 2013, 04:43 amAlso, even way back when, I had the creepy feeling with no basis in any kind of real knowledge, that whatever was written in an email was being watched by... someone. Bad people who wanted to do harm in some way. Although at that time, the idea that those "bad people" who in fact were and are listening/reading/watching are none other than our own government :o Your impression, although correct, was the exact opposite of the more widely-held (although erroneous) impression that email was somehow 'private'. Quote from: foxen624 on August 10, 2013, 04:43 amBut, what I did not know until I just read your post was that the very basis of email was founded on the principal of saving money on long distance phone calls (basically). I never really questioned "why" it was "free" (aside from the monthly ISP bill) to communicate through the phone line to someone anywhere in the world. Though upon reading it the way you explained, it does make perfect sense.. for the age of dial-up at least. That part, I did find fascinating as a concept. For what it's worth, both email and Usenet use similar methods. Usenet, one of the oldest surviving technologies (along with email) uses a flooding algorithm to propagate news posts. Again, back in the day, I think that the idea was to reduce communications costs. Quote from: foxen624 on August 10, 2013, 04:43 amO.K. back to modern day... See, what it was/is that bothered me - even though I didn't read the archived paper that you posted anywhere except in your post, of the various articles that I did happen across earlier when I first made the post, was in part the fact that Silent-Mail did in fact offer - as stated in your posted archive:"Complete end-to-end encryption with you, the Silent Mail user, holding your own OpenPGP key or S/MIME certificate." Which sounds to me to be identical to the GnuGP PGP that we use here today... which is the PGP that I started to wonder if it really is still secure. Perhaps I'm missing something here? ??? Yes and no. The situation is exactly the same as the current one, in that by using GnuPG we are all controlling our own PGP keys. We are also using the same crypto algorithms, so in that sense it's the same. As best as I can tell, not having been a subscriber, it would appear that the situation would be closest to a hybrid of Hushmail and Tormail. Let me explain: You have to understand that there are several factors at play here. One factor that Hushmail and Tormail both have in common is the "one stop shopping" factor. Both Hushmail and Tormail attracted a large number of users with something to hide (not necessarily criminal activity, I should point out). In the case of Hushmail, it was being used by illegal steroid vendors, their customers, and even the vendors' Chinese bulk powered steroid suppliers. Silent Circle, by running their own mailservers, would have been in precisely the same position, in other words, a big, fat, juicy target for the Feds. Once a mailserver is seized, the Feds can see what email(s) have been sent and received by their targets of choice. They can also peruse address books. By its very nature, email is NOT anonymous -- there is lots of header information there to allow the Feds to conduct relationship/traffic analyses on the seized emails. Silent Circle aims its products/services at those with less security sophistication -- like Hushmail, that is their primary selling point. (I didn't subscribe because it would have been pointless for me, I simply have no need of it.) For those who use GnuPG (and thereby manage our own keys, as well as those of others) the situation would be more akin to that of GPG users who used Tormail. With the seizure of the server(s), the Feds can see who is writing to who, and glean what little information they can from the headers. One of the things that has to be emphasized is that neither Silent Circle nor Hushmail were anonymity services, unlike Tormail. Gleaning a user's real IP address from Tormail's email headers simply isn't going to happen, because Tormail was accessed solely through Tor. The idea was to prevent the operator from learning anyone's real IP address. In contrast, neither Hushmail nor Silent Circle would be routinely accessed through an anonymity network like Tor, thus the users'IP addresses would be available for capture (and would probably, to some extent, show up in the server logs and/or email headers). With users who used SIlent Circle to manage their keys, the service became more akin to Hushmail than anything else, and therefor subject to the same types of compromise. Quote from: foxen624 on August 10, 2013, 04:43 amThe other feature offered by Silent Mail which I'm also quoting from your posted archive:"Managed encryption using our PGP Universal encryption servers that manage keys and certificates for you." Which does sound a whole lot like Hush-mail as in that there was a central server or third party who would also know how to decrypt the user's messages and obviously would not be secure as no matter the good intentions of the server, they could still be compelled to hand over the info to the fbi/nsa/multiple government spy agencies. Though apparently Hush Mail didn't have the most honourable of intentions - but that's neither here nor there as I was not referring to this type of encryption. Precisely. Quote from: foxen624 on August 10, 2013, 04:43 amIt was the fact that as I read in various articles (I believe I have the url's to at least two of them in my OP) that both Lavabit and Silent Circle were closing down their email services because even with the heavy encryption (I don't know a whole lot about Lavabit, but assume they surely also offered the same kind of PGP that we use here - where the server has zero knowledge of what the messages contained or how to decrypt them), that had me concerned about just how secure PGP really is. Fair points. Let me give you my take on this...To the best of my knowledge (which may be far from complete), Lavabit used server-side encryption; if memory serves it was based on some type of elliptic key algorithm (ECC). While on the surface, this sounds extremely good (especially those looking for buzzword compliance) it still has a problem, namely: the data has to be decrypted in order for you to access it. It's very much like TrueCrypt -- the encrypted containers offer superb security -- when the computer is shut-down, or the containers are closed. However, as long as the containers are mounted, they are essentially in the clear. Hushmail made similar claims, that even their own administrators could not read your mail. Hushmail relied on a client-side Java applet to decrypt your private key -- that was the hole that the Feds exploited. Using a poisoned Java applet to grab your passphrase, they could trivially get access to your private key, and thus all your encrypted email. By the same token, even if the data in your Lavabit email account were ECC-encrypted, it would, of necessity, have to be decrypted in order for you to access it. Accordingly, all the Feds would have to do is snag whatever they needed to decrypt your data when you login to the service. Quote from: foxen624 on August 10, 2013, 04:43 amIf Silent-Mail was truly secure with using just the one option, then it seems they would be able to simply stop offering the other option that sounds like the same concept that Hush-mail used, and keep operating using just the one option where only the user has all the info and the server has none.... but, nothing I read on this over the past two days sounds as if those who created the concept of the PGP we use today feel it secure enough to "keep Uncle Sam from snooping" (I believe was the wording w/o being able to see it at the moment).  The reason that Silent Circle offered a managed key option (and why Hushmail exists) is because the average customer (especially business and professional-types) can't be bothered to learn about public key encryption. If I had to hazard a guess, I would guess that only 5-10% of their users self-managed their keys. Silent Circle's CIO/CEO has said that given the nature of their customers (including some very prominent people) the odds of a major breach of security is simply too high. Finally, there is another major difference between Lavabit/Silent Circle and the Hushmail debacle in 2007, which makes the current situation even worse or more omnious. Remember that in 2007, the DEA used the Mutual Law Enforcement Assistance Treaty (MLAT) to get a judge to sign a warrant -- Hushmail has always stated that they do not honour warrants issued outside of Canada. Using the MLAT treaty, the DEA was able to convince an American government official to approach his/her counterpart in the Canadian government, and have the Canadian Minister of Justice order the British Columbia courts to issue a warrant to get the data the DEA wanted. While this was bad enough, it was still a case of criminal law/law enforcement. The current situation with Lavabit/Silent Circle purportedly involves the issuance (or potential issuance) of National Security Letters (NSLs). These NSLs can be signed by any FBI supervisor, without ever having been presented before a judge. WHile the judicial level of protection was narrow, it was at least there. It provided at least _some_ guarantees against abuse. Not so with NSLs. Quote from: foxen624 on August 10, 2013, 04:43 amSooooooo.... apparently I'm still a bit confused on that..... :-\Hope that clears-up your confusion somewhat. Nightcrawler4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B   (MIT clearnet keyserver)PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B  (IndyMedia https: clearnet keyserver)PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090  (Silk Road Forums PGP Key Link)PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0