Avoid Hushmail, Safe-mail, and Cyber-rights!

  • Fayde
    Registered User
    • Aug 2003
    • 448

    #16
    Originally posted by Dinitro
    Gee, that seems to confirm EXACTLY what I said. It says right there that Safe-mail WILL access accounts at any time to comply with legal obligations, and they will transmit your IP address (*Granted, some smart users would use a VPN or proxy, but that only masks IP--it doesn't prevent messages from being leaked by S-M if they decide to). It's right there in the portion DRVJ pasted in, under the "Privacy" section.

    I'm trying to provide PROTECTIVE information for you guys.
    If you surf anonymously you have nothing to fear. Masked IP's are as safe as it gets.

    Yes I agree there is nothing 100% safe.

    I have said this MANY times. I am plugging no one. Get an email service run in a country with no coop with US.
    ~Pain heals, Glory is Forever!
    ~There is no try; there is only do or do not...

    Comment

    • jboldman
      VET
      • Feb 2007
      • 239

      #17
      an anonymizer would solve the ip issue but as pointed out, when push comes to shove, safe-mail will give it up just like cyber. i really like the idea of using whatever you want and encrypting sensitive emails. of course then you need the anonymizer to mask your ip. <sigh> and of course you need a secure backup of information that you do not want to lose when your provider shuts down your acct.

      does anyone know of a free "iron curtain" email provider?

      jb
      Admin CuttingEdgeMuscle.com

      Comment

      • Rajincajun
        Vet
        • May 2007
        • 383

        #18
        Originally posted by jboldman
        an anonymizer would solve the ip issue but as pointed out, when push comes to shove, safe-mail will give it up just like cyber. i really like the idea of using whatever you want and encrypting sensitive emails. of course then you need the anonymizer to mask your ip. <sigh> and of course you need a secure backup of information that you do not want to lose when your provider shuts down your acct.

        does anyone know of a free "iron curtain" email provider?

        jb

        +1 When the Feds Bring you to court and you have to pay all the large lawyer fees I bet my House they would roll like a dog..
        48? It's only the beginning.
        In life I fail and fail again, that's why I succeed..

        Comment

        • young guns
          VET
          • Jan 2008
          • 57

          #19
          has anyone tried anonymousspeech?

          Comment

          • Jester
            VET
            • May 2004
            • 650

            #20
            yes... it's a paid service hosted out of Japan... I think

            Comment

            • mnm
              Registered User
              • Jan 2008
              • 77

              #21
              The great thing about using an anonymous proxy or an SSH Client, is that most servers used for this type of "tunneling" don't keep logs for more than 12-24hrs. So in essence even if they do get a court order to get information from them, by the time they turn it over there isn't any on you..

              Again, utilizing a server outside of the country is even better, will buy you more time, *IF* they can even get to them and apply pressure.

              Comment

              • horizonchemical

                #22
                Originally posted by Fayde
                If you surf anonymously you have nothing to fear. Masked IP's are as safe as it gets.

                Yes I agree there is nothing 100% safe.

                I have said this MANY times. I am plugging no one. Get an email service run in a country with no coop with US.
                still can't hide from ISP unless you use XXXX I will state more once i get a pm bout becoming a sponsor.ok shit for the community

                look into web n walk it is a prepaid usb 3g network modem, which works at all tmobile hotspots for free, since it is not here in usa you will pay roaming fees but you will never have a static ip as long as you are using a laptop and don't pay to top up with a credit or debit in your name....how can they find you?

                vodafone has something similar. their modems the size of a thumbdrive with a sim chip and you just buy more minutes when ready. or use a green dot card to top up. easy to get info for GD card

                oh and almost all have signed on to the MLAT treaty so will you not have any luck there, the flaw in hushmail wasn't the algorithm it was the java applet that allowed them a back door to see the password. it still can't be cracked so don't believe all that i net jazz about how they can crack pgp, no they went in with warrant and got passwords. then did ip checks and went from there.

                hush.ai and cyber rights may give you a better chance since their servers are in Anguilla but they are still part of the MLAT treaty. and no i don't believe they are the same owner two brothers own cyber rights. which is off the coast of the uk i think. i'm not too sure about hushmail but the article i read mentioned nothing about them being affiliated, don't quote me though

                Comment

                • horizonchemical

                  #23
                  Originally posted by Rajincajun

                  +1 When the Feds Bring you to court and you have to pay all the large lawyer fees I bet my House they would roll like a dog..
                  anonspeech wording is deceiving. a brilliant marketing ploy.

                  they state they will not cooperate with any le agency without court order. Well shit no one will. all they need to do is get one from japan. i guess the plus is that by law they are allowed not to log ip's, not too sure how true this is.

                  SWIM someone who isn't me would get a fake prepaid card for an anonymous service to pay for which ever provider he chooses, use either anonymizer or steganos, go with the vpn and steganos, along with web n walk and i think as long as you don't sell in gym like a fool you'll be alright, I SAID ALRIGHT NOT ARREST PROOF

                  Comment

                  • Mirrorshades
                    Registered User
                    • Sep 2010
                    • 39

                    #24
                    Originally posted by Rajincajun
                    I said it once I'll say it again "No mail is safe Period" It does not matter what you use, it is or can be monitored by LE. The servers can even be in a different country.
                    With all due respect, I have to disagree. LE's ability to monitor email is quite limited, if proper precautions are taken.

                    The reason that LE was/is able to monitor Hushmail/Safe-Mail is due to two factors:

                    1) Both of these services violate one of the fundamental tenets of public key cryptography, that is, the strict separation of public and private halves of the keypair. The user should generate their own encryption keys, and under NO circumstances should the private half EVER leave their custody or control.

                    2) They kept records of the IP addresses of those who used their systems.

                    Frankly, both Hushmail/Safe-Mail, not to mention other services of that ilk, positively count on the ignorance of their users, as well as their users' preference for convenience over security. _Any_ service that generates/stores both halves of the encryption keys should be avoided like the proverbial plague.

                    Originally posted by Rajincajun
                    Any mail sent SMTP is just that, Simple Mail Transfer Protocol. Even if it is encrypted it is very easily un-encrypted with simple tools.
                    Easily unencrypted with simple tools??!! With all due respect, Sir, this is arrant nonsense. If what you have stated were correct, then the U.S. Secret Service would not have had to construct a massive password-cracking network. You can read about their efforts at the following URL:

                    Essentially what the Secret Service's Distributed Network Attack (DNA) system does is to compile dictionaries of terms gleaned from web site bookmarks found on a user's machine. These dictionaries are used to attempt to decrypt the information the authorities wish to decrypt.

                    Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords.

                    In each case in which DNA is used, the Secret Service has plenty of "plaintext" or unencrypted data resident on the suspect's computer hard drive that can provide important clues to that person's password. When that data is fed into DNA, the system can create lists of words and phrases specific to the individual who owned the computer, lists that are used to try to crack the suspect's password. DNA can glean word lists from documents and e-mails on the suspect's PC, and can scour the suspect's Web browser cache and extract words from Web sites that the individual may have frequented.

                    "If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.
                    What the Secret Service, the FBI and virtually every other law enforcement agency counts on is that users are lazy and are unwilling to choose proper passwords/passphrases. Such attempts can be trivially defeated, using the right methods. One such method of choosing provably secure passphrases is Diceware.

                    If you read the above quoted Washington Post article, you can see that they claim that the Secret Service DNA network is capable of carrying out about a million cracking attempts per second, where the workload is spread over some 4,000 computers. They hoped to expand the system to 10,000 computers agency-wide, and eventually to the 100,000 computers in the Homeland Security network. For the purpose of the calculations shown below, I have assumed that the default capability of the DNA network is about 100,000 times that stated in the article.

                    In a nutshell, Diceware has two components: a 7,776 word list, and 5 dice.

                    To choose a passphrase, a user rolls the dice, and records the results, then looks-up the word related to the dice-rolls on the wordlist.

                    Example:

                    45654 plea

                    66151 666

                    34141 insect

                    16563 cilia

                    32232 haag

                    56414 tally

                    55154 spat

                    So, as you can see, we have seven words in our passphrase. Now the question remains, just how strong is it?

                    The total search space is 7776^7 = 1.71907079975e+27 combinations in total.

                    Assuming that the Secret Service's DNA network can process 100 billion passphrase attempts per second (or 100x10^9) this works out to:

                    1.71907079975x10^27 passwords / 100x10^9 passwords/second = 1.71907079975x10^16 seconds

                    1.71907079975e+16 seconds / 86,400 seconds/day = 198,966,527,749 days = 544,740,664 years.

                    It is a general rule of thumb that keys are found after searching approximately one-half of the total keyspace. That means that the time required to determine the key is now reduced to only a quarter of a billion years, instead of half-a-billion.

                    Even assuming that the DNA network (or any other similar network for that matter) were capable of carrying out operations 10,000 times faster, or 1,000 trillion (i.e. 10^18) attempts/second, this would still require 54,474 years to exhaustively search the entire space, or 27,237 years to go through half the space.

                    See: http://www.diceware.com for details.

                    So, as you can see, brute-forcing a properly-chosen Diceware passphrase is simply NOT feasible, regardless of the resources thrown at the problem.

                    If one pays attention to court (and other) records, you can see just how much a problem cryptography is posing for law enforcement. One such case was that of Sebastien Boucher. Mr. Boucher was crossing the border from Canada into the U.S. at Derby Line, Vermont. A Customs and Border Patrol agent noticed a laptop in the vehicle Boucher was travelling in. Upon inspection, the agent allegedly observed numerous images of child pornography. Mr. Boucher was arrested, and his computer seized. Some time later, another CBP agent fired-up Mr. Boucher's laptop, and found to his dismay that the drive containing the alleged child pornography was encrypted with PGP Whole Disk Encryption. Mr. Boucher refused to give the agent the passphrase to decrypt the encrypted drive partition.

                    The reason all this came to light was that Boucher claimed that to give over the passphrase would constitute self-incrimination under the 5th Amendment. The U.S. government attempted to crack Mr. Boucher's encrypted partition for the better part of two years, without success.

                    Furthermore, within the last few months, the LulzSec faction of Anonymous released the archived mailbox contents of an IACIS member, including the archived contents of the IACIS mailing list. IACIS is the International Association of Computer Investigative Specialists.

                    Most of the members of IACIS are sworn police officers responsible for computer forensic investigations. On this list, many members poured out their frustration at encountering encrypted data they were unable to access. Many of them advised their colleagues that if a suspect chose a good enough password, that cracking open encrypted files was simply not feasible.

                    Currently, the only known attack against systems like PGP (Pretty Good Privacy) is brute-force.

                    Originally posted by Rajincajun
                    I myself have (being the work I do) got copies of mail as it moves from system to system you just have to have the right tool.
                    Indeed. That is why Phil Zimmermann, author of PGP, has been saying since the early 1990s that unencrypted email is like sending all your mail on postcards.

                    Originally posted by Rajincajun
                    You are never safe with any mail system. People think they are safe with using the internet but if people only knew how much is monitored you would fall over.
                    Email can be used safely, but it takes knowledge of how to do so, as well as the discipline to use these methods consistently.

                    As far as being surveilled goes, you're absolutely correct. While one can take steps to avoid surveillance, it would be difficult, if not impossible to escape it entirely.

                    Mirrorshades

                    Comment
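The arithmetic in the post above, as an added Python example (not part of the original post or of the Diceware project): it maps a five-dice roll to a wordlist index, draws rolls from the OS CSPRNG, and recomputes the search times. The 365.25-day year is inferred from the post's figures, and the stand-in wordlist in the demo is constructed; a real run would load the 7,776-word list from diceware.com.

```python
import math
import secrets

WORDLIST_SIZE = 6 ** 5               # 7,776: every outcome of five six-sided dice
SECONDS_PER_YEAR = 86_400 * 365.25   # assumption: the post's year counts imply 365.25 days


def roll_to_index(roll: str) -> int:
    """Map a roll such as '45654' to a 0-based wordlist index (base-6 digits)."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def random_roll() -> str:
    """Simulate five fair dice with the operating system's CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_passphrase(wordlist, words: int):
    """Pick `words` entries uniformly; reject lists that would skew the odds."""
    if len(wordlist) != WORDLIST_SIZE or len(set(wordlist)) != WORDLIST_SIZE:
        raise ValueError("wordlist must hold exactly 7,776 distinct entries")
    return [wordlist[roll_to_index(random_roll())] for _ in range(words)]


def entropy_bits(words: int) -> float:
    """Entropy of a passphrase whose words were all chosen by dice."""
    return words * math.log2(WORDLIST_SIZE)


def years_to_search(words: int, guesses_per_second: float, fraction: float = 1.0) -> float:
    """Years needed to try `fraction` of the 7776**words search space."""
    return fraction * WORDLIST_SIZE ** words / guesses_per_second / SECONDS_PER_YEAR


def min_words(guesses_per_second: float, target_years: float, fraction: float = 0.5) -> int:
    """Smallest word count whose expected (half-space) search exceeds target_years."""
    words = 1
    while years_to_search(words, guesses_per_second, fraction) < target_years:
        words += 1
    return words


if __name__ == "__main__":
    # Constructed stand-in list so the demo runs offline; not real Diceware words.
    stand_in = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]
    print("sample passphrase:", " ".join(generate_passphrase(stand_in, 7)))
    print(f"7 words = {entropy_bits(7):.1f} bits")
    # 100e9 guesses/s is the post's assumed rate; 1e15 is that rate times 10,000.
    for rate in (100e9, 1e15):
        full = years_to_search(7, rate)
        half = years_to_search(7, rate, fraction=0.5)
        print(f"{rate:.0e} guesses/s: {full:,.0f} years full, {half:,.0f} years half")
    print("words needed for 1,000,000 years at 1e15/s:", min_words(1e15, 1_000_000))
```

The strength figures hold only when every word comes from the dice or a CSPRNG; a phrase chosen by hand from the same list does not have this entropy.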

                    • Mirrorshades
                      Registered User
                      • Sep 2010
                      • 39

                      #25
                      Originally posted by mnm
                      Seems they are located in Israel. Big Plus...

                      And anyone who knows a thing or two about the internet and computers can easily get their hands on a SSH VPN client. They are offered for a very small fee throughout the world. Which will allow you to conceal your true IP address.

                      (there are some free ones out there aswell)

                      That in combination with good encryption used on both ends of the communique results in a near fool-proof situation for secure exchange of information.
                      With all due respect, I couldn't disagree with you more. If push comes to shove, any VPN provider is going to roll over on you.
                      This was brought home very clearly earlier this year, when a member of Anonymous unwisely revealed the fact that he used HideMyAss, a British VPN provider. Before you know it, HideMyAss was presented with a British court order compelling them to turn over the identities of the users in question.

                      When you boil it down, a VPN is essentially an encrypted, single-hop proxy. It can't be stressed enough: VPNs are for privacy -- they are NOT for anonymity -- ideally, you want both.

                      You're far better off using Tor, and a hidden service like Tormail. Combine that with PGP encryption, and you've got a much better solution.

                      Mirrorshades

                      Comment

                      • MindlessWork
                        Moderator
                        • Aug 2011
                        • 1186

                        #26
                        What about sending messages that have been encrypted beforehand thru a service like hotmail? To most casual users such encrypted messages would look like a wall of gibberish. To decrypt the message usually you copy and paste it into a document then run document thru some decryption utility to view it
                        “You take the blue pill — the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill — you stay in Wonderland, and I show you how deep the rabbit-hole goes.” - Morpheus (from the Matrix)

                        Comment

                        • Shovel
                          VET
                          • Jul 2011
                          • 2772

                          #27
                          Mirrorshades, you kinda make me uneasy with your knowledge... I'm not sure if that's good or bad.
                          Semper Fi

                          Comment

                          • Mirrorshades
                            Registered User
                            • Sep 2010
                            • 39

                            #28
                            Originally posted by Shovel
                            Mirrorshades, you kinda make me uneasy with your knowledge... I'm not sure if that's good or bad.
                            Could you elaborate a little more, please? It's kinda hard to know how to respond, when I don't know what it is, precisely, that's making you uneasy.

                            If you'd prefer, you can PM me with your concerns, instead of making it public, and I'll respond in kind.

                            Mirrorshades

                            Comment

                            • Mirrorshades
                              Registered User
                              • Sep 2010
                              • 39

                              #29
                              Originally posted by MindlessWork
                              What about sending messages that have been encrypted beforehand thru a service like hotmail?
                              Encrypting a message prior to it being sent and leaving your machine is almost always the best solution. Encryption alone, however, is NOT enough.

                              Being anonymous is FAR MORE IMPORTANT than using encryption. Why? Consider the following 4 scenarios, ordered from worst to best outcomes.

                              Scenario #1: The authorities CAN read (decrypt) your mail and they CAN locate you

                              If the person you're writing to -- let's call him Bob -- is a cop, or has been busted and turned informer -- the fact that you've used PGP isn't going to protect you, as they will have the PGP key to decrypt your messages (if they didn't, Bob could never have read them in the first place.)

                              So, encryption provides you with NO PROTECTION WHATSOEVER in this case.

                              If they can read your email, and you are NOT anonymous, then essentially, it's game over. They will have all the details of what you've written about, and they can potentially locate you in order to carry out a raid.

                              Depending on the content of the emails, these could be used as the basis for conspiracy charges; the contents might prove sufficient to convict you of possession and perhaps even trafficking.

                              Remember, you may be very careful about your security, but there is absolutely nothing you can do about the other guys, the ones you're corresponding with. If they're sloppy about security, it also puts you at risk.

                              Scenario #2: The authorities CANNOT read (decrypt) your mail and they CAN locate you

                              Let's assume for a moment that the person you've been writing to (Bob) with is somewhat crypto-savvy; furthermore, Bob has refused to cooperate with the authorities.

                              As a result, the authorities have Bob's email, which is encrypted, and they cannot induce Bob to cooperate. Accordingly, the authorities have only two alternatives:

                              i) Assuming the authorities came into possession of Bob's PGP keyrings, they can attempt to brute-force his passphrase on his private key, enabling them to decrypt Bob's messages; or

                              ii) They can attempt to locate you to induce you to cooperate.

                              Whether option i) will succeed or not depends on whether Bob has chosen a strong passphrase. If Bob made use of Diceware, and used 8-10 Diceware words for his passphrase, then it simply cannot be brute-forced.

                              On the other hand, if Bob chose a weak passphrase, it will likely fall to a brute-force attack. (This assumes, of course, that Bob did not make the fatal mistake of writing down his passphrase, where it could be discovered in a raid, or otherwise stored it unprotected on his computer, where it could be discovered.)

                              Remember, the authorities can be very persuasive; once someone is in custody, they usually give-in to the pressure placed upon them.

                              It's a bit like defensive driving -- it's the other guy you've gotta watch out for. As a fundamental principle, as a matter of safety, you have to assume:

                              1) That the other guy is a cop or an informant; or

                              2) If they're not a cop or informant, that they're sloppy about security.

                              If you've used Yahoo! mail, Hotmail, Gmail, or (frankly) most others, it's almost a certainty that you can be traced, as your mail provider has kept a record of your IP address.

                              Copies of the law enforcement guides for Yahoo!, Gmail and others have been leaked onto the Net -- you can learn what types of information they store, how long they store it, and even how much they charge the cops to provide it.

                              Scenario #3: They CAN read (decrypt) your mail, but they CANNOT locate you

                              This is the basic fallback position. If the authorities somehow manage to break/bypass your encryption (usually by using the methods outlined above), the only thing that will save your bacon is their inability to locate you. All the conditions in Scenario #2 can apply, except that they don't have a clue as to your real identity/location.

                              Even though you're using encryption, you simply must assume that anything you say, even in an encrypted email, will eventually come to light. Don't say anything, even in an encrypted email, that you wouldn't mind seeing published in your local newspaper.

                              In a similar vein, be careful who you trust. Remember the old French proverb, "Three people can keep a secret only if two of them are dead."

                              If anyone is interested, I can list examples of cases where people have been undone because they trusted the wrong people.

                              Scenario #4: They CANNOT read (decrypt) your mail and they CANNOT locate you

                              This is the ideal scenario -- this is what you're hoping for.

                              If there is only one lesson you can take away from what I've said, it's that anonymity is more important than encryption -- if you cannot be identified and/or located, you cannot be raided/arrested.


                              Originally posted by MindlessWork
                              To most casual users such encrypted messages would look like a wall of gibberish.
                              Not only to casual users -- even major governments have trouble dealing with PGP-encrypted messages.

                              Originally posted by MindlessWork
                              To decrypt the message usually you copy and paste it into a document then run document thru some decryption utility to view it
                              That's pretty much how it's done.

                              Mirrorshades

                              Comment

                              • Shovel
                                VET
                                • Jul 2011
                                • 2772

                                #30
                                Originally posted by Mirrorshades
                                Could you elaborate a little more, please? It's kinda hard to know how to respond, when I don't know what it is, precisely, that's making you uneasy.

                                If you'd prefer, you can PM me with your concerns, instead of making it public, and I'll respond in kind.

                                Mirrorshades
                                Are you serious? I'm not talking about your bodybuilding knowledge...
                                It's guys like you that make me think twice about being on the Internet. No need to get offended.
                                Last edited by Shovel; 01-16-2012, 09:02 AM.
                                Semper Fi

                                Comment
