Silk Road forums
Discussion => Security => Topic started by: ImTylerDurden on August 16, 2013, 09:44 am
-
Tormail is gone forever and I need an email to buy bitcoins. What is the next email provider in line that is simple to use for people like myself that are not balls deep in security knowledge? I'm not moving heavy weight, but if I wound up in jail because I used gmail then I would feel pretty stupid. My knowledge goes about as deep as PGP and no further. I have done a few searches and most providers that are listed end up getting shot down by someone that knows what they are talking about.
TL;DR: What do newbs use now, since Tormail is gone?
SEND HELP. SOS.
-
Any email service you can access over Tor and that doesn't require JavaScript. Safe-mail.net for example.
Realize that anything you send or receive may be reviewed by law enforcement so use PGP and/or don't identify yourself. Nothing is safe.
-
bitmailendavkbec.onion (clearnet; bitmessage.ch ) seems like an acceptable option. You should use PGP with any sensitive information, but bitmessage seems like a relatively safe replacement for tormail (you DID always use PGP with tormail right?).
-
I use safe-mail.net
Only 3MB of space though, but no problem, you just delete the mails after a while :)
-
But safe-mail.net isn't a hidden service is it?
-
But safe-mail.net isn't a hidden service is it?
I don't know that for sure. But I have been told it is pretty safe to use.
Many people that lost the TORmail, have gone over to safe-mail
-
But safe-mail.net isn't a hidden service is it?
It is not a hidden service.
Tormail isn't a hidden service anymore either.
Makes no difference if you are using Tor and PGP (other than timing attacks I suppose).
Email sucks. Nothing is safe.
-
You're not finding what you want because it doesn't exist.
Consider this, Phil Zimmermann, the inventor of PGP, just pre-emptively shut down his much-hyped Silent Circle email service. The father of encryption said it's no longer worth it, you'll just end up fighting the gov until they bleed you dry in the courts.
Lavabit, tormail, hushmail, you name it, the Feds are bringing their A game now and the new name of the game is whack-a-mole. As in, as soon as a new "privacy-oriented" mail service emerges, the Feds whack it. The Lavabit founder is so scared of the Feds that he won't even say why he's shutting it down because of a gag order.
And to make matters worse, the next Tormail 2.0 service is probably going to be a Fed honeypot. It's an easy sell on their part. Low-hanging fruit for LE.
Email is dead, find another method.
-
I just swapped over to the bitmail service. Seems ok, just gotta use encryption!
-
I just heard of (clearnet) http://bitmessage.org . Its motivation is to operate in a way similar to bitcoin. Everyone receives everyone's emails, but only the person with the private key can actually decrypt it. Also it uses a proof of work similar to bitcoin but nowhere near as ridiculous. For example sending a message takes about 3 minutes of "work" on my machine. Once it does its initial sync (can take a few hours) then messages are typically delivered within a few minutes. It also supports portable mode and can go through a proxy so it should be able to be run in a self-contained way. Uses python so it should run just about anywhere. Currently they seem to just offer a Windows client on the front page but there's instructions on getting it to work in Linux. As they even say on the front page they're looking for an independent security audit to verify everything is good but it could well be the replacement for emails.
In the meantime though, just pm and use pgp.
-
Has anyone considered buying a vps or dedicated server in russia with bitcoins and running your own mail server?
As long as you encrypt every message there really shouldn't be any problems.
-
Hushmail!
Sorry, bad joke. :-\
-
Has anyone considered buying a vps or dedicated server in russia with bitcoins and running your own mail server?
As long as you encrypt every message there really shouldn't be any problems.
Would you also be able to use this vps to run a tor relay?
-
www.cryptoheaven.com
It encrypts your email with AES256 bit, LE can't do shit about it. And it's 100% anonymous. Just use the free trial, you don't need to put down your name. Use VPN or Tor for extra security. That's it.
-
Somebody needs to create a mail service that basically allows users to upload their public keys to their emails, and have all emails auto-encrypted. Nobody would need to pre-emptively exchange anybody's public key, but each person trying to access their mail would need their private key to read each email.
That way anybody can send anybody an email and have it be encrypted, and that person could also respond to the other person via encryption, since uploading a public key would be required to have an account.
This would be fairly safe but the only risk I see is if LE took over the site, they could basically replace a person's key without their knowledge and read all their future emails (but then the user would not be able to decrypt the mail he receives). Someone should make this.
-
Somebody needs to create a mail service that basically allows users to upload their public keys to their emails, and have all emails auto-encrypted. Nobody would need to pre-emptively exchange anybody's public key, but each person trying to access their mail would need their private key to read each email.
That way anybody can send anybody an email and have it be encrypted, and that person could also respond to the other person via encryption, since uploading a public key would be required to have an account.
This would be fairly safe but the only risk I see is if LE took over the site, they could basically replace a person's key without their knowledge and read all their future emails (but then the user would not be able to decrypt the mail he receives). Someone should make this.
This service already exists, and has for almost 20 years now -- it's called a nymserver. Over the time I've been here, I've tried to interest people in using them, but I've only had a handful of takers. They can be tricky to set up and use, but the security they provide is still about the best available.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
Somebody needs to create a mail service that basically allows users to upload their public keys to their emails, and have all emails auto-encrypted. Nobody would need to pre-emptively exchange anybody's public key, but each person trying to access their mail would need their private key to read each email.
That way anybody can send anybody an email and have it be encrypted, and that person could also respond to the other person via encryption, since uploading a public key would be required to have an account.
This would be fairly safe but the only risk I see is if LE took over the site, they could basically replace a person's key without their knowledge and read all their future emails (but then the user would not be able to decrypt the mail he receives). Someone should make this.
I thought that was basically how lavabit worked? Message comes in (either externally or from another lavabit user) and it gets encrypted with that user's public key which was generated on account generation. The user retrieves their mail by supplying the password that not only grants them access to their account but unlocks the private key to decrypt the mail for them. Problem there was it wasn't REALLY secure as sending an email to someone@yahoo.com would be traversing the internet unencrypted. Also it's a single point of failure as evidenced by LE pretty much pressuring the guy to the point he closed up shop (I feel sorry for the guy but also commend him for not giving in to whatever demands LE was making).
I've looked more into bitmessage ((clearnet) https://bitmessage.org/wiki/Main_Page) and it looks like it could solve this. It works a lot like bitcoin's infrastructure works. Everyone receives everyone else's email but only if you have the private key can you decrypt it. Benefit here is all data is encrypted. Using pgp or s/mime you're just encrypting the contents but things like to, from, subject, and servers it goes through are in the clear. With bitmessage nothing is known other than it's for some long string that represents a bitmessage id. The Windows client makes it painless to create multiple identities for the same benefits as always sending to new bitcoin addresses.
There's also bitmessage.ch. It can be accessed on clearnet at bitmessage.ch but also has a tor address of http://bitmailendavkbec.onion/ and it acts as a gateway between regular mail and bitmessage mail. So your email address is something like BM-asdfasdfadfasdfasdfasdfsdfadf@bitmessage.ch; people with normal email addresses can send to that, people with bitmessage can just send to BM-asdfasdfadfasdfasdfasdfsdfadf. Likewise you can send to BM-1341341234123412341234@bitmessage.ch and if that account doesn't exist at bitmessage.ch it will forward it into the bitmessage network. Also supports configuring standard mail clients. The problem with bitmessage.ch is you're now relying on a single point to host mail. So if LE (I did some initial verification and it does seem the servers are located in Switzerland) came by and shut down the server your email there would no longer work. Also you can't make multiple aliases as far as I can tell, instead you create a whole new account which can get a little crazy. The native bitmessage client supports running portably and that way you have control over the keys and it keeps it decentralized. Also has a broadcast option which for example a merchant could set up and say "hey, if you want updates on when I add stuff subscribe to this broadcast" and the merchant could then send stuff out privately.
TL;DR: email is fundamentally broken from a security standpoint, look into bitmessage.
-
riseup.net
-
I'm pretty sure countermail, hushmail, and safe mail are well known to work closely with LE.
In the steroid selling business, they are a big no no.
-
One time email good for website activation, other temp. things.
https://www.guerrillamail.com/
-
I'm sorry I can't give a more in depth reply at the moment - I'm trying to get my vendor profile set up and get some listings up.
I think that looking for a secure/private/anonymous email provider is about pointless right now. Yes, you can use Safe-mail.net and others, but DEFINITELY encrypt EVERYTHING! I am currently looking into offshore secure/private/anonymous/crazy-encrypted email providers that offer subscription-based pay plans only. If you find a server in a country that doesn't cooperate with the US for this sort of thing, I doubt it matters, but I'd like to think it helps a LITTLE, y'know? Some of the countries off the top of my head that would be great locations for email hosting are Switzerland, Panama, Sweden, Philippines, Hong Kong, and Cyprus... *Don't quote me on that!*
Random, but I think I remember reading something about subscription-based pay service email providers are exempt from the backdoor access policies... AGAIN - Don't mark my words!
The best email services will keep no logs what-so-ever, and will not retain copies of your messages, both in and out. This is obvious, but I'm setting up for something... try looking for a service that only stores unread emails and such on the servers' RAM! This is undoubtedly the most promising in my opinion, as far as the record keeping aspect of email privacy goes. As soon as you've read a message, the allotted amount of space on the RAM is freed and the tracks will be completely covered by the next person to login (I GUESS - haha, I don't know exactly how the RAM storage works, but when I read about it, it sounded very secure. I simply didn't retain the information I read!).
Anyway, wanted to post something as this is a GREAT topic. I'm sorry I couldn't give better information or examples. When I'm not as busy, I'll def. come back and share some of my notes! ;D ;D
Take care friends!
-
Here's a resource that I'm sure most of you are aware of:
https://prism-break.org - Great privacy solutions for everything from web browsers, to phones, to email.
https://epic.org/privacy/tools.html - More great privacy solutions from email to secure disk & file erasing, secure instant messaging, voice encryption, and disk encryption. Lots of good links. Worth a look.
https://www.securenym.net - Email... haven't looked into it too much, but they offer server side PGP and everything is SSL encrypted.
http://www.trilightzone.org/securemail.html - Email... looks promising. Servers in Netherlands, Luxembourg, Hong Kong, and Malaysia. Server systems are completely realtime encrypted including your email, IP is never visible, all communication is SSL/TLS encrypted, SSL/TLS POP3/SMTP/IMAP protocols, SSL webmail to further enhance your privacy. Included webmail features: encrypted file storage with 125MB upgradable space, fetching email from third-party accounts using POP3, full (Open)PGP support with up to 4096 bit keys, no logs kept - no Java or JavaScript required, email from accountholders to other accountholders is automatically encrypted, 125MB upgradable email storage - 250MB total capacity to start with. Only 45 Euro per 12 months - I just converted it to USD... $46.76/year.
They also include the above email with any of these SSH privacy tunnels:
http://www.trilightzone.org/trishell.html - Only $86.85/year and you get the email mentioned above, bandwidth that supposedly exceeds what most ISPs offer, MYSQL databases, PHP, Perl, etc. (I'm def. getting this! I'm a web/app/graphic designer and I could use the shit out of the MYSQL, PHP, Perl, and so on like crazy!). Then it says, "Got Requests? Contact Us!" - It seems like these cats might be down for some hagglin' :D
-
I switched to countermail....happy with it so far...based in Sweden.
-
I just think email just isn't a good way to securely converse with people. If everyone was on one service so all traffic is kept within the provider's network then maybe but it just seems fundamentally not secure. Really the only way to secure it is by using pgp on your computer to encrypt a message and send it to someone. But that will show that you sent an encrypted blob of stuff to someone so that can be used to link the two of you. Also if you do something stupid like put "Here's my address to ship all that crack to" as the subject line it's going to cause some suspicion. That said I would like to get to the point where local encryption is as ubiquitous for email as it is for the web and https. If everyone is always encrypting every message then it becomes this large pool to make weeding out things difficult. Although I'm more a fan of PGP I think S/MIME has been winning that. For example s/mime is built in to most email clients and at least on iphone. PGP isn't.
What I would do if I had a need to discuss some things in secrecy is first just try to meet up in person. You can go somewhere secluded, lock the doors, and discuss what you need. Second I'd use something like bitmessage. It's very easy to set up and although it takes a few hours to do the initial sync, messages then happen in a couple minutes. Another option is something like cryptocat and secure IM. I'm sure there's a client out there that supports pgp keys transparently. But yeah, it's not easy to really hide everything.
As for mail servers, the good news is I'm hosting the mail myself so I have full control over the server. Bad news is I didn't bother with any sort of full disk encryption. But I also know that if I do get something inappropriate or sensitive I know I can delete it and even where I can delete it from backups.
-
Hushmail and cyber-rights are horrible. Google Operation Raw Deal (ORD). A bunch of steroid dealers were taken down and most were using those email providers. You can still use them, but if you type in certain key words, your account gets frozen.
Safe-mail.net is also bad.. it's easily hacked..
Don't use privatdemail.net either. My account was hacked by someone in the Russian Federation according to Admin Support at this escrow service website. Only emails that were hacked were privatdemail.net accounts.
You need to use PGP, and find an email provider that does not allow bruteforce, meaning they lock you out after a fixed number of unsuccessful attempts at login.
Make sure you are using the max digit password allowed. Use numbers/letters/characters/numbers/etc.. everything you can to make it impossible
best out there right now is anonymousspeech.com
-
Make sure you are using the max digit password allowed. Use numbers/letters/characters/numbers/etc.. everything you can to make it impossible
I'd argue if they impose some weird restrictions on passwords (like can only be between 6-8 characters, letters and numbers only, no special characters) that would typically raise a huge red flag. Unfortunately with the way email works and the protocols (POP/IMAP/SMTP) and login methods (PLAIN, CRAM-MD5, and so on) most of those methods have a trade off. Either store the password locally in the clear or encrypt in a way that can get the clear text on command (i.e. not using hashing) but support various authentication methods to scramble the password on the internet like CRAM-MD5. Other option is to store the password locally hashed in such a fashion that you can make your password whatever the heck you want and it gets reduced to 256 bits or something and can't get the password from the result (e.g. SHA256) but then the password has to be sent in the clear. Now if they enforce SSL connections where the services aren't even listening on non-SSL ports then SSL will protect the password.
On my server I opted for storing on local server plain text and then support things like CRAM-MD5 for login. Also have ssl running. I've also taken great steps to secure my server like it blocking you after I think 12 failed attempts to connect. Try to connect to my server as root just once and you're permabanned.
...But anyway getting back to the first sentence, if they have some limits on the length and complexity of password you can assume it's being stored in the clear. Thus make sure to use a unique password. I use lastpass in my "real internet life" but for "underground" identities I have a keepass so everything is contained in one location.
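The trade-off described in the last post, as an added example that is not code from this thread or from any provider named in it: a CRAM-MD5 verifier, which can only work if the server holds the password itself, next to a PLAIN-style verifier against a salted PBKDF2-SHA256 record (used here instead of the bare SHA256 the post mentions), which never needs the password at rest but only works if the client sends it, so TLS has to cover the wire. The challenge format, the sample password and the round count are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample credential for the demo (not from the thread).
PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 200_000

# --- Option 1: CRAM-MD5 (RFC 2195). The password never crosses the wire,
# but the server must keep it in the clear (or reversibly encrypted), since
# verifying means recomputing HMAC-MD5(password, challenge) itself.
def cram_md5_challenge() -> bytes:
    """Server side: a unique, unpredictable challenge in msg-id style."""
    return f"<{secrets.token_hex(8)}@example.invalid>".encode()

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: 'username hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

def cram_md5_verify(stored_secret: str, challenge: bytes, response: str) -> bool:
    """Server side: only succeeds if stored_secret is the real password."""
    _username, _, digest = response.partition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# --- Option 2: PLAIN over TLS with a salted, slow hash at rest. The server
# cannot recover the password, but the client has to send it, so the
# transport (TLS only, no plaintext ports listening) protects it instead.
def make_record(password: str) -> dict:
    """Store salt + PBKDF2-SHA256; nothing here can be replayed as a login."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def plain_verify(record: dict, password: str) -> bool:
    """Server side for PLAIN: rehash the submitted password and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])

# --- The trade-off itself: a server holding only the hash cannot validate a
# CRAM-MD5 login, because the client keyed its HMAC with the real password.
def demo() -> dict:
    chal = cram_md5_challenge()
    resp = cram_md5_response("alice", PASSWORD, chal)
    record = make_record(PASSWORD)
    return {
        "cram_with_plaintext": cram_md5_verify(PASSWORD, chal, resp),
        "cram_with_hash_only": cram_md5_verify(record["hash"].hex(), chal, resp),
        "plain_with_hash": plain_verify(record, PASSWORD),
        "plain_wrong_password": plain_verify(record, "hunter2"),
    }
```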