Re: [tor-talk] Email provider for privacy-minded folk
[set where, how is it stored, for how long?]

Specific location will depend on the browser and implementation. There may be guidance in the RFC but I can't remember the specifics. You could check https://tools.ietf.org/html/rfc6797 and the chrome/firefox implementations to get the exact details.

*because you must catch the very first connection on an _empty browser store_.*

This is referring to the blackhat's perspective. If you want to do a cert replacement mitm attack against a client for an hsts site, you'd have to perform it (catch the victim's request) the very first time they ever visit that hsts site (because otherwise a long-lived authentication token is set in the browser's data store that says "hey, this is the specific ssl certificate this site should have, and if it doesn't match this, it's bullshit"). Basically, if you try to swap the cert and the browser knows that's not the right cert, it should hard-fail (not just give you a "hey, are you sure this is the right cert?" dummy box) because it knows there are shenanigans afoot.

*as an inherent consequence of his fresh root* blah blah

This is explaining that since you can't easily downgrade https (encrypted) connections to http (unencrypted) for HSTS sites as a bad exit by modifying the connection requests themselves (which is how ssl stripping works), you would use a different vector. It's a little less convenient, but still pretty easy for a reasonably sophisticated actor.

Basically, instead of trying to mess with the https connections, you poison the content of any requested http pages proxied through your exit node with browser exploits (you can drop in any you choose on the fly) targeting the fingerprint of that particular browser (or just shotgunning it if you don't care about being noisy, but that's lazy). Since the idea of a browser exploit is to execute arbitrary code (i.e. whatever the attacker wants), the bad guy can basically give himself persistent root (administrator) access to the victim's machine. This is obviously a way more reliable approach than the blackhat simply crossing his fingers and hoping he catches somebody's first access to an HSTS site.

Once he has root, he gets the plaintext of the victim's https connections (since he owns your machine... he can see your tx/rx data before you've encrypted it to the server and after you've decrypted it from the server). As a fringe benefit, this now works for him regardless of whether or not you're connected to Tor, because he owns your machine basically until you reformat.

Make sense?

On 2/21/2013 3:44 PM, Joe Btfsplk wrote:
On 2/21/2013 4:58 PM, survivd wrote:

Seems like there's a bit of confusion regarding what a bad exit node can and can't do here. For many sites, you can trivially strip the SSL connection request as the exit node, downgrading it to vulnerable plaintext just by using ssl-strip. There'd be no cert warning, but smart users will notice the connection is http instead of https. Gmail is not one of those sites.

Gmail forces HSTS, so he couldn't ignore the certificate warning even if he wanted to because the HSTS req is pinned in the browser itself (with any reasonably modern browser) and if you've EVER securely visited gmail, an HSTS token indicating the proper cert for the site is set that should prevent MITM replacement cert attacks. Bottom line: an exit node simply can't SSL-strip an HSTS site, and MITM is practically impossible, because you must catch the very first connection on an empty browser store.

That said, it's still basically effortless for an exit node to exploit its clients by injecting fingerprint-based iframe-style attacks into whatever lowsec http pages you've requested, which gives abu al-badguy, as an inherent consequence of his fresh root, access to the plaintext of your https connections.
Basically, trojaning your box and snagging your un/pw fields clientside is much more reliable for HSTS sites. Torproject doesn't currently do very much to detect this kind of attack (imo they should at least have an agent automatically comparing known-good site requests with what they actually receive from each exit and flagging unusual variations), and the bad exit vector is unlikely to go away soon. In fairness, there are only so many devs, and most of them pooh-pooh realistic (paranoid) threat models. I know what most of the words mean. I understand much of the context. Some things I don't understand: In more simple terms, what do *an HSTS token indicating the proper cert for the site is set*... and *because you must catch the very first connection on an _empty browser store_.* mean? This paragraph is confusing, in relation to its preceding paragraph: That said, it's still basically effortless for an exit node to exploit it clients by injecting fingerprint-based iframe-style attacks into whatever lowsec http pages you've requested, which gives abu al-badguy, *as an inherent consequence
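
Added example, not part of the original thread or any browser's code: a simplified Python model of the host store that RFC 6797 (linked in the reply above) describes, covering the "set where, how is it stored, for how long?" question and the first-visit window. In the RFC each entry holds a host name, an expiry computed from max-age and an includeSubDomains flag, and is learned only from an error-free HTTPS response; the class and function names and the mail.example host are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

YEAR = 31536000  # seconds; a typical max-age value


@dataclass
class HstsEntry:
    expires_at: float         # absolute time: when noted + max-age seconds
    include_subdomains: bool  # policy also covers every subdomain


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a header that must be ignored: max-age missing or not
    a plain integer, or a directive repeated.
    """
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Simplified model of a browser's HSTS store (real browsers persist it on disk)."""

    def __init__(self):
        self._hosts = {}  # host name -> HstsEntry

    def note_response(self, url, sts_value, now, tls_ok=True):
        """Record the policy from one response; return True if it was accepted."""
        parts = urlsplit(url)
        # The header only counts on an error-free HTTPS connection, so a
        # plaintext hop can neither plant nor delete an entry.
        if parts.scheme != "https" or not tls_ok or not parts.hostname:
            return False
        parsed = parse_sts(sts_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._hosts.pop(parts.hostname, None)  # max-age=0 removes the host
        else:
            self._hosts[parts.hostname] = HstsEntry(now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry.expires_at > now and (i == 0 or entry.include_subdomains):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url  # first visit or expired entry: request goes out in plaintext
        port = "" if parts.port in (None, 80) else ":%d" % parts.port
        return urlunsplit(("https", parts.hostname + port) + tuple(parts)[2:])

    def may_override_cert_error(self, host, now):
        """Certificate errors on a known HSTS host are fatal, with no click-through."""
        return not self.is_known(host, now)


def demo():
    """Constructed timeline for one host: empty store, noted policy, expiry."""
    store = HstsStore()
    first = store.rewrite("http://mail.example/inbox", now=0)
    planted = store.note_response("http://mail.example/", "max-age=%d" % YEAR, now=0)
    store.note_response("https://mail.example/", "max-age=%d; includeSubDomains" % YEAR, now=0)
    later = store.rewrite("http://mail.example/inbox", now=60)
    expired = store.rewrite("http://mail.example/inbox", now=YEAR)
    return first, planted, later, expired
```

The `first` and `expired` results are the window the thread calls an empty browser store: with no live entry the browser still sends the plaintext request, which is what preload lists shipped with browsers are meant to close.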
Re: [tor-talk] Email provider for privacy-minded folk
Seems like there's a bit of confusion regarding what a bad exit node can and can't do here. For many sites, you can trivially strip the SSL connection request as the exit node, downgrading it to vulnerable plaintext just by using ssl-strip. There'd be no cert warning, but smart users will notice the connection is http instead of https. Gmail is not one of those sites.

Gmail forces HSTS, so he couldn't ignore the certificate warning even if he wanted to because the HSTS req is pinned in the browser itself (with any reasonably modern browser) and if you've EVER securely visited gmail, an HSTS token indicating the proper cert for the site is set that should prevent MITM replacement cert attacks. Bottom line: an exit node simply can't SSL-strip an HSTS site, and MITM is practically impossible, because you must catch the very first connection on an empty browser store.

That said, it's still basically effortless for an exit node to exploit its clients by injecting fingerprint-based iframe-style attacks into whatever lowsec http pages you've requested, which gives abu al-badguy, as an inherent consequence of his fresh root, access to the plaintext of your https connections. Basically, trojaning your box and snagging your un/pw fields clientside is much more reliable for HSTS sites.

Torproject doesn't currently do very much to detect this kind of attack (imo they should at least have an agent automatically comparing known-good site requests with what they actually receive from each exit and flagging unusual variations), and the bad exit vector is unlikely to go away soon. In fairness, there are only so many devs, and most of them pooh-pooh realistic (paranoid) threat models.

On 2/19/2013 5:41 AM, Joe Btfsplk wrote:
On 2/19/2013 2:11 AM, adrelanos wrote:
scarp:
On 2/18/2013 9:01 PM, Mysterious Flyer wrote:

Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server? I certainly never made any online purchases through Tor.

Or he just ignored the SSL warning like so many people do.

All the replies make good points. Question - how do we know which is the real Mysteriousflyer, or if there are even 2? The latest one hasn't responded how or w/ what he was accessing his Gmail acct. Sometimes from public wifi? There are too many unanswered questions variables. Has he checked for key loggers or trojans, that could capture his PW? One simple way hackers get a PW. He didn't answer if always used encrypted connection to Gmail, or - as mentioned - if ever got a security warning ignored it. Don't know about Gmail, but some providers still allow clients to use unencrypted connections. If uses a laptop / phone, has he ever left it alone, while logged into Gmail, or PWs are unsecured? If uses an email client, are stored login / SMTP PWs secured w/ reasonably strong PW, or are they stored unprotected? Many other factors.

___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
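
Added example, not part of the original thread and not Tor Project code: one way the agent suggested in the message above could compare a trusted copy of a plain-http page with what each exit returns. Because dynamic pages rarely match byte for byte, it compares the set of scripts, frames and form targets instead of raw bytes; the exit names, hosts and page bodies are constructed sample data.

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser

# Elements that can run code, frame another origin, or receive credentials.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "form"}
URL_ATTRS = ("src", "action", "data")


class _ActiveContent(HTMLParser):
    """Collect (tag, target) pairs; inline scripts are recorded by body hash."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items = []
        self._inline = None  # text chunks of the inline <script> being read

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        values = dict(attrs)
        target = next((values[k] for k in URL_ATTRS if values.get(k)), None)
        if tag == "script" and target is None:
            self._inline = []
        else:
            self.items.append((tag, target or ""))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode("utf-8")
            digest = hashlib.sha256(body).hexdigest()[:16]
            self.items.append(("script", "inline:" + digest))
            self._inline = None


def active_content(html):
    """Return a Counter of the active elements found in one HTML document."""
    parser = _ActiveContent()
    parser.feed(html)
    parser.close()
    return Counter(parser.items)


def compare_exits(baseline, responses):
    """Return {exit_id: finding} for every exit whose body differs from baseline."""
    base_digest = hashlib.sha256(baseline.encode("utf-8")).hexdigest()
    base_items = active_content(baseline)
    findings = {}
    for exit_id, body in sorted(responses.items()):
        if hashlib.sha256(body.encode("utf-8")).hexdigest() == base_digest:
            continue  # byte-identical to the trusted copy
        items = active_content(body)
        added = sorted((items - base_items).elements())
        removed = sorted((base_items - items).elements())
        findings[exit_id] = {
            # Text-only differences (counters, dates) are reported but ranked low.
            "verdict": "active-content-changed" if added or removed else "text-only-diff",
            "added": added,
            "removed": removed,
        }
    return findings


# Constructed sample data: a trusted copy of one plain-http page, fetched over
# a path that does not involve the exits under test, and what four
# hypothetical exits returned for the same request.
BASELINE = (
    '<html><body><h1>News</h1><script src="/static/app.js"></script>'
    '<form action="https://login.example.invalid/auth"><input name="pw"></form>'
    '<p>Visitors: 1041</p></body></html>'
)
RESPONSES = {
    "exit-A": BASELINE,
    "exit-B": BASELINE.replace("1041", "1042"),
    "exit-C": BASELINE.replace(
        "</body>", '<iframe src="http://injected.invalid/f" width="0"></iframe></body>'
    ),
    "exit-D": BASELINE.replace("https://login", "http://login"),
}

if __name__ == "__main__":
    for exit_id, finding in compare_exits(BASELINE, RESPONSES).items():
        print(exit_id, finding)
```

The exit-D case is the downgrade discussed earlier in the message: the form target changes from https to http, so it shows up as one removed and one added form entry.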
Re: [tor-talk] Email provider for privacy-minded folk
On 2/21/2013 4:58 PM, survivd wrote:

Seems like there's a bit of confusion regarding what a bad exit node can and can't do here. For many sites, you can trivially strip the SSL connection request as the exit node, downgrading it to vulnerable plaintext just by using ssl-strip. There'd be no cert warning, but smart users will notice the connection is http instead of https. Gmail is not one of those sites.

Gmail forces HSTS, so he couldn't ignore the certificate warning even if he wanted to because the HSTS req is pinned in the browser itself (with any reasonably modern browser) and if you've EVER securely visited gmail, an HSTS token indicating the proper cert for the site is set that should prevent MITM replacement cert attacks. Bottom line: an exit node simply can't SSL-strip an HSTS site, and MITM is practically impossible, because you must catch the very first connection on an empty browser store.

That said, it's still basically effortless for an exit node to exploit its clients by injecting fingerprint-based iframe-style attacks into whatever lowsec http pages you've requested, which gives abu al-badguy, as an inherent consequence of his fresh root, access to the plaintext of your https connections. Basically, trojaning your box and snagging your un/pw fields clientside is much more reliable for HSTS sites.

Torproject doesn't currently do very much to detect this kind of attack (imo they should at least have an agent automatically comparing known-good site requests with what they actually receive from each exit and flagging unusual variations), and the bad exit vector is unlikely to go away soon. In fairness, there are only so many devs, and most of them pooh-pooh realistic (paranoid) threat models.

I know what most of the words mean. I understand much of the context. Some things I don't understand:

In more simple terms, what do *an HSTS token indicating the proper cert for the site is set*... [set where, how is it stored, for how long?] and *because you must catch the very first connection on an _empty browser store_.* mean?

This paragraph is confusing, in relation to its preceding paragraph:

That said, it's still basically effortless for an exit node to exploit its clients by injecting fingerprint-based iframe-style attacks into whatever lowsec http pages you've requested, which gives abu al-badguy, *as an inherent consequence of his fresh root*, access to the *plaintext of your https* connections. Basically, trojaning your box and snagging your un/pw fields clientside *is much more reliable _for HSTS_ sites*.

Can you explain the last paragraph / statements? Thanks.
Re: [tor-talk] Email provider for privacy-minded folk
On Tue, 19 Feb 2013 18:51:55 -0800 (PST) Mysterious Flyer mysteriousfl...@yahoo.com wrote:

Yes, thank you. That is EXACTLY what I was looking for. I was thinking that the Tor Project ought to have a list of super-trusted hidden services, as well as a list of known violators.

We're not going to become a directory of hidden services. I will delete any page which tries to become a hidden wiki. There are already 20+ hidden wikis out there, use one of them please. If someone wants to start a service like stopbadware.org or mywot.com for hidden services, more power to them. The Tor Project isn't going to do this.

What the TorIPViolators page lists is public domains which try to trick users into thinking the domain/company/organization is associated with the Tor Project. A growing number of people around the world are getting really angry at us for their tormail, tor-browser-download, and similar experiences. We're receiving emails and phone calls from global law enforcement about tormail, specifically. They are surprised to learn tormail isn't run by the Tor Project.

In the grand scheme, none of these domains have anything to do with us. From a trademark perspective, this is the definition of confusion in the marketplace. Unfortunately in US laws, if we don't address the confusion, we lose our trademark. And then it's open season on the Tor name. It's a totally stupid and crappy situation to be in, but alas here we are. Trademark lawyers tell us this is a sign of success.

--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
Re: [tor-talk] Email provider for privacy-minded folk
On 2/11/2013 9:51 PM, Griffin Boyce wrote:

There are some good ones out there, but if you're using Tor to create the account and login, you should know that many have started blocking Tor users (or deactivating their accounts in the case of Yahoo). Size could also be an issue, but if you're deleting them off the server on download, then that problem goes away. ~Griffin

FWIW, I logged into my Tor Yahoo email acct using TBB. I got in fairly easily, but it didn't like the 1st captcha, even though it was easily read. It gave another easy one after entering, it said you're logging in from a computer we don't recognize. (duh). So it asked me a security question. Then it let me in - in German language. So, I guess the exit relay was in Germany. But, they had an American flag icon.

So, they haven't deactivated my acct, yet. It's entirely possible if you don't log in the time period before they inactivate an acct (I have gotten a regular, inactive acct re activated on Yahoo), they might not reactivate it, if they know you're using Tor.

Even if I wasn't using Tor or a German IP address, how do they know if you're a traveling sales person? I guess that's good security effort on their part, but a poorly worded, canned reason to ask for the security question.

Yahoo.de front page seemed a little racier than U.S. My Deutsch is a bit rusty, but the picture was a young woman (clothed) laying on a young man. Forgot the actual caption - something about, mädchen küssen und schleifen junge. No clue.
Re: [tor-talk] Email provider for privacy-minded folk
On Mon, 18 Feb 2013 23:51:58 -0700 Jim jimmy...@copper.net wrote:

Mysterious Flyer wrote:

Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server?

Joe Btfsplk already discussed the ability of exit nodes to sniff unencrypted traffic. I would also point that the attacker didn't necessarily use Tor to crack your email account(s).

Just as a data point which may or may not be relevant for your case, last year I advised *two* friends that I suspected their email accts had been compromised. I was getting spam under their user names. While I am aware that it is trivial to spoof From addresses, in both cases there were details about the emails that made me suspect they came from the actual accts rather than merely spoofed headers. In both cases my friends checked and indeed their accts. had been compromised. Neither person had any idea how their acct. got compromised and I am reasonably sure neither had ever used Tor. Both swore they had not been phished. One had a Hotmail acct. and I think the other used mail.com.

Both Hotmail and Yahoo have had worms circulating for a year or so that propagate via their logged in account; it is triggered by opening a malicious email. Also, many passwords are easy to guess based on info in people's linked social media accounts or even just commonly used passwords. In all cases it is advisable to change the account password, ensure your operating system and browser are up to date, and engage some sort of javascript safety checks (such as NoScript). Sadly, there are few HTML-only javascript-free webmail sites anymore.

Yahoo's answer page if your account is sending spam: http://help.yahoo.com/kb/index?locale=en_US&page=content&y=PROD_MAIL_ML&id=SLN3417

My point is that attacks against email accts. w/o using Tor to do it is apparently commonplace, something that seems to be confirmed in that Abuse at Scale PDF that a Google employee linked to from this list a while back.
Re: [tor-talk] Email provider for privacy-minded folk
Joe Btfsplk:

On 2/18/2013 9:01 PM, Mysterious Flyer wrote:

Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server? I certainly never made any online purchases through Tor.

On 2/11/2013 9:51 PM, Griffin Boyce wrote:

There are some good ones out there, but if you're using Tor to create the account and login, you should know that many have started blocking Tor users (or deactivating their accounts in the case of Yahoo). Size could also be an issue, but if you're deleting them off the server on download, then that problem goes away. ~Griffin

On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote:

Will the real Mysteriousflyer please stand up? Maybe the list admins can trace the 1st mysteriousflyer your emails, back to the origin gain some knowledge.

I don't know about the dual use / acct hacking, but if you send unencrypted data through a Tor exit, a malicious relay operator could capture it. This has been well documented for ages. DON'T send any critical data, if not using secure connection (or encrypted file) through Tor. Treat it like you would dealing w/ your bank - you wouldn't do business on a non secure connection (with the destination site).

Do you use gmail's https connection - both w/ Tor w/out? You should. If you don't, they could have gotten your PW, if using a regular browser or Tor Browser. If you use gmail's (or any) https connection, it's no easier for an exit relay to steal your PW than anyone else, AFAIK. It's still an encrypted connection.

But, as news stories point out, there are many ways for hackers / con men to get your PW other than running a Tor relay. If your PW wasn't that strong, they could easily hack it using software. I assume they didn't have your PW reset, but that's another way hackers do it - if they can guess security question answers, or they know you or something about you (or can look it up).

How would they make a copy of a debit card through Tor or your Gmail acct? Do you keep a picture or all data of the card, unencrypted in your email acct? Also, using a credit card is generally safer than debit cards. You're better protected by the contract of most CC companies.

___

When I read this I was thinking hmm, if he was using https then it's unlikely that this could occur. I'm pretty sure that's the default nowadays anyway, especially for authentication. You can further tighten security by using two-factor authentication. My guess would be they got the password some other way other than posing as a malicious tor exit node.
-- scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [tor-talk] Email provider for privacy-minded folk
scarp:
Joe Btfsplk:

On 2/18/2013 9:01 PM, Mysterious Flyer wrote:

Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server? I certainly never made any online purchases through Tor.

On 2/11/2013 9:51 PM, Griffin Boyce wrote:

There are some good ones out there, but if you're using Tor to create the account and login, you should know that many have started blocking Tor users (or deactivating their accounts in the case of Yahoo). Size could also be an issue, but if you're deleting them off the server on download, then that problem goes away. ~Griffin

On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote:

Will the real Mysteriousflyer please stand up? Maybe the list admins can trace the 1st mysteriousflyer your emails, back to the origin gain some knowledge.

I don't know about the dual use / acct hacking, but if you send unencrypted data through a Tor exit, a malicious relay operator could capture it. This has been well documented for ages. DON'T send any critical data, if not using secure connection (or encrypted file) through Tor. Treat it like you would dealing w/ your bank - you wouldn't do business on a non secure connection (with the destination site).

Do you use gmail's https connection - both w/ Tor w/out? You should. If you don't, they could have gotten your PW, if using a regular browser or Tor Browser. If you use gmail's (or any) https connection, it's no easier for an exit relay to steal your PW than anyone else, AFAIK. It's still an encrypted connection.

But, as news stories point out, there are many ways for hackers / con men to get your PW other than running a Tor relay. If your PW wasn't that strong, they could easily hack it using software. I assume they didn't have your PW reset, but that's another way hackers do it - if they can guess security question answers, or they know you or something about you (or can look it up).

How would they make a copy of a debit card through Tor or your Gmail acct? Do you keep a picture or all data of the card, unencrypted in your email acct? Also, using a credit card is generally safer than debit cards. You're better protected by the contract of most CC companies.

___

When I read this I was thinking hmm, if he was using https then it's unlikely that this could occur. I'm pretty sure that's the default nowadays anyway, especially for authentication. You can further tighten security by using two-factor authentication. My guess would be they got the password some other way other than posing as a malicious tor exit node.

Or he just ignored the SSL warning like so many people do.
Re: [tor-talk] Email provider for privacy-minded folk
On Mon, Feb 18, 2013 at 10:01 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote:

Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again.

I hate to call shenanigans on this, but it seems extremely unlikely that someone would hack your email account and then use it to post to the Tor mailing list. Or any mailing list.

~Griffin
Re: [tor-talk] Email provider for privacy-minded folk
On 2/19/2013 2:11 AM, adrelanos wrote:
scarp:
On 2/18/2013 9:01 PM, Mysterious Flyer wrote:

Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server? I certainly never made any online purchases through Tor.

Or he just ignored the SSL warning like so many people do.

All the replies make good points. Question - how do we know which is the real Mysteriousflyer, or if there are even 2? The latest one hasn't responded how or w/ what he was accessing his Gmail acct. Sometimes from public wifi? There are too many unanswered questions variables. Has he checked for key loggers or trojans, that could capture his PW? One simple way hackers get a PW. He didn't answer if always used encrypted connection to Gmail, or - as mentioned - if ever got a security warning ignored it. Don't know about Gmail, but some providers still allow clients to use unencrypted connections. If uses a laptop / phone, has he ever left it alone, while logged into Gmail, or PWs are unsecured? If uses an email client, are stored login / SMTP PWs secured w/ reasonably strong PW, or are they stored unprotected? Many other factors.
Re: [tor-talk] Email provider for privacy-minded folk
IMO, only stupid idiot doesn't use https with gmail. That's why I think all talkings about gmail and being hacked is useless. Let him set Use always https in the gmail settings, then log out, log in, change password and secure q/answer and that's all. This should be about Tor and Tor close stuff... Game's over.

https://www.torproject.org
https://www.eff.org
http://www.linuxfoundation.org

-Original Message-

Or he just ignored the SSL warning like so many people do.

All the replies make good points. Question - how do we know which is the real Mysteriousflyer, or if there are even 2? The latest one hasn't responded how or w/ what he was accessing his Gmail acct. Sometimes from public wifi? There are too many unanswered questions variables. Has he checked for key loggers or trojans, that could capture his PW? One simple way hackers get a PW. He didn't answer if always used encrypted connection to Gmail, or - as mentioned - if ever got a security warning ignored it. Don't know about Gmail, but some providers still allow clients to use unencrypted connections. If uses a laptop / phone, has he ever left it alone, while logged into Gmail, or PWs are unsecured? If uses an email client, are stored login / SMTP PWs secured w/ reasonably strong PW, or are they stored unprotected? Many other factors.
Re: [tor-talk] Email provider for privacy-minded folk
Griffin Boyce:

On Mon, Feb 18, 2013 at 10:01 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote:

Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again.

I hate to call shenanigans on this, but it seems extremely unlikely that someone would hack your email account and then use it to post to the Tor mailing list. Or any mailing list.

Confirmed.
Re: [tor-talk] Email provider for privacy-minded folk
IMO, only stupid idiot doesn't use https with gmail. That's why I think all talkings about gmail and being hacked is useless. Let him set Use always https in the gmail settings, then log out, log in, change password and secure q/answer and that's all. This should be about Tor and Tor close stuff... Game's over.

Indeed! I also employ one additional measure, which, admittedly, may not be to everyone's taste - I have all my browser/system/email/everything-else-you-care-to-name root certificate store wiped out clean!

If I have to access a specific (https) site or access a new email account (by using secure pop/starttls, secure smtp or secure imap) I tend to get the site's certificate well in advance via other means (not through tor, obviously) and store it manually on my system for use by these programs.

That way, I know that if the certificate unrecognised error pops up there is either 1) a new site I have never accessed before (most likely); or 2) someone is trying to use spoof certificates. The latter doesn't occur very often, though I've had this on a number of (rare) occasions when a tor exit node for example (prior to being banned in my torrc file and banished forever) tries to pretend to be my email server and gets caught out with its pants down, quite literally...

This measure also prevents the likes of hacked/rogue CA's out there leaking certificates to people/organisations who use them for various criminal/unsavoury purposes.
Re: [tor-talk] Email provider for privacy-minded folk
In all the multiplicity of good ideas here, here's a A Tutorial on Anonymous Email Accounts from the Electronic Frontier Foundation - https://www.eff.org/deeplinks/2012/11/tutorial-how-create-anonymous-email-accounts and two, related, wiki subject pages at World University and School, which is like Wikipedia with MIT OCW, with plans to be in all 7,413 + languages: Privacy - http://worlduniversity.wikia.com/wiki/Privacy Security - http://worlduniversity.wikia.com/wiki/Security Is there a way to check or prove that Tor / Vidalia / Firefox etc., is actually working? Regards, Scott On Tue, Feb 19, 2013 at 11:08 AM, Mr Dash Four mr.dash.f...@googlemail.com wrote: IMO, only stupid idiot doesn't use https with gmail. That's why I think all talkings about gmail and beeing hacked is useless. Let him set Use always https in the gmail settings, then log out, log in, change password and secure q/answer and that's all. This should be about Tor and Tor close stuff... Game's over. Indeed! I also employ one additional measure, which, admittedly, may not be to everyone's taste - I have all my browser/system/email/everything-else-you-care-to-name root certificate store wiped out clean! If I have to access a specific (https) site or access a new email account (by using secure pop/starttls, secure smtp or secure imap) I tend to get the site's certificate well in advance via other means (not through tor, obviously) and store it manually on my system for use by these programs. That way, I know that if the certificate unrecognised error pops up there is either 1) a new site I have never accessed before (most likely); or 2) someone is trying to use spoof certificates. The latter doesn't occur very often, though I've had this on a number of (rare) occasions when a tor exit node for example (prior to being banned in my torrc file and banished forever) tries to pretend to be my email server and gets caught out with its pants down, quite literally... 
This measure also prevents the likes of hacked/rogue CA's out there leaking certificates to people/organisations who use them for various criminal/unsavoury purposes. -- http://scottmacleod.com/worlduniversityandschool.htm
Re: [tor-talk] Email provider for privacy-minded folk
OK, more information on the circumstances: 1. The whole reason I started up with all this privacy and anonymous stuff was because someone had hacked my gmail account, and was trying to ruin my life. I happen to know from their IP address that they work at Google in San Jose. 2. I used a dedicated Tor Mail account to open the anonymous Torrified Yahoo account, and then only ever used the Yahoo account to post to this forum. 3. I have to admit that I got lazy with my passwords. 4. I only use Google through https, but you know that gets unencrypted at the exit node, right? Or am I wrong about that? 5. I use Keyscrambler whenever I'm online, and I have AdAware. I sometimes download free trials of other anti-malware programs, just to make sure that AdAware is doing a good job. 6. I use an unsecured wireless network at home because we're too lazy to set up a password. We set one up once, but then got new computers and it was hard, K? We live in a very spaced-out area, so our nearest neighbor is too far away to hop on our connection. Our nearest neighbor has TWO secured connections at his own house. One of them is named Black Ops, which is funny. I doubt the neighbor with two connections is hopping on to mine. I have my suspicions about Tor Mail. Do any of you think that someone got access to my Yahoo account by hacking into the Tor Mail account that was used to set it up? I was using this little algorithm to make passwords, which probably would have easily been guessed if a person had my user name and password from the one Tor Mail account. I noticed that my back-up account to the Yahoo account had been changed from x...@tormail.org to x...@tormail.com. I also can't for the life of me seem to remember my password to the dedicated Tor Mail account that was used to set up the dedicated Yahoo account. Was the password changed at Tor Mail, or did I just plumb forget it? I have gotten conflicting information on whether or not it is EVER safe to access e-mail through Tor. 
I have read that your Google cookie can be stolen through Tor, even when you aren't on Google. Is that true? So I am thinking there are two possibilities: 1. My hater has been spying on me this whole time, even though I thought they were gone, and they are good at spying. 2. This is a new person (not the hater) who got at me through Tor Mail, and they just posted the posing post as a way to make fun of me because they think it's funny. I doubt the debit card thing is related. Someone probably stole my numbers through a swipe-logging device at a gas station. Based on the information above, can anyone provide any further insight that has not already been given? Signed, The REAL mysterious flyer. From: Joe Btfsplk joebtfs...@gmx.com To: tor-talk@lists.torproject.org Sent: Tuesday, February 19, 2013 12:36 PM Subject: Re: [tor-talk] Email provider for privacy-minded folk On 2/19/2013 12:21 PM, adrelanos wrote: Griffin Boyce: I hate to call shenanigans on this, but it seems extremely unlikely that someone would hack your email account and then use it to post to the Tor mailing list. Or any mailing list. Confirmed. What do you mean by confirmed? In King's English :) confirmed would mean - in this context - Boyce's statement about it possibly being a hoax / prank, had somehow actually been proven true. Like running down IP addresses, email message keys, etc. I'd be interested in that. Or did you mean, I agree?
Re: [tor-talk] Email provider for privacy-minded folk
On Tue, 19 Feb 2013 17:07:54 -0800 (PST) Mysterious Flyer mysteriousfl...@yahoo.com wrote: [...] 2. I used a dedicated Tor Mail account to open the anonymous Torrified Yahoo account, and then only ever used the Yahoo account to post to this forum. [...] I have my suspicions about Tor Mail. Do any of you think that someone got access to my Yahoo account by hacking into the Tor Mail account that was used to set it up? I was using this little algorithm to make passwords, which probably would have easily been guessed if a person had my user name and password from the one Tor Mail account. I noticed that my back-up account to the Yahoo account had been changed from x...@tormail.org to x...@tormail.com. I also can't for the life of me seem to remember my password to the dedicated Tor Mail account that was used to set up the dedicated Yahoo account. Was the password changed at Tor Mail, or did I just plumb forget it? [...] Only to comment on the Tor Mail points, and i think Andrew mentioned it on this list before, Tormail.org is not affiliated with Tor Project. Furthermore, they are listed on this page: https://trac.torproject.org/projects/tor/wiki/LikelyTMViolators So Tormail.org is merely another potential email provider. It would be offtopic to discuss Tormail.org-specific support issues here.
Re: [tor-talk] Email provider for privacy-minded folk
Joe Btfsplk: On 2/19/2013 12:21 PM, adrelanos wrote: Griffin Boyce: I hate to call shenanigans on this, but it seems extremely unlikely that someone would hack your email account and then use it to post to the Tor mailing list. Or any mailing list. Confirmed. What do you mean by confirmed? In King's English :) confirmed would mean - in this context - Boyce's statement about it possibly being a hoax / prank, had somehow actually been proven true. Like running down IP addresses, email message keys, etc. I'd be interested in that. Or did you mean, I agree? Yes.
Re: [tor-talk] Email provider for privacy-minded folk
Mysterious Flyer: OK, more information on the circumstances: 1. The whole reason I started up with all this privacy and anonymous stuff was because someone had hacked my gmail account, and was trying to ruin my life. I happen to know from their IP address that they work at Google in San Jose. 2. I used a dedicated Tor Mail account to open the anonymous Torrified Yahoo account, and then only ever used the Yahoo account to post to this forum. 3. I have to admit that I got lazy with my passwords. 4. I only use Google through https, but you know that gets unencrypted at the exit node, right? Or am I wrong about that? 5. I use Keyscrambler whenever I'm online, and I have AdAware. I sometimes download free trials of other anti-malware programs, just to make sure that AdAware is doing a good job. 6. I use an unsecured wireless network at home because we're too lazy to set up a password. We set one up once, but then got new computers and it was hard, K? We live in a very spaced-out area, so our nearest neighbor is too far away to hop on our connection. Our nearest neighbor has TWO secured connections at his own house. One of them is named Black Ops, which is funny. I doubt the neighbor with two connections is hopping on to mine. I have my suspicions about Tor Mail. Do any of you think that someone got access to my Yahoo account by hacking into the Tor Mail account that was used to set it up? I was using this little algorithm to make passwords, which probably would have easily been guessed if a person had my user name and password from the one Tor Mail account. I noticed that my back-up account to the Yahoo account had been changed from x...@tormail.org to x...@tormail.com. I also can't for the life of me seem to remember my password to the dedicated Tor Mail account that was used to set up the dedicated Yahoo account. Was the password changed at Tor Mail, or did I just plumb forget it? 
I have gotten conflicting information on whether or not it is EVER safe to access e-mail through Tor. I have read that your Google cookie can be stolen through Tor, even when you aren't on Google. Is that true? So I am thinking there are two possibilities: 1. My hater has been spying on me this whole time, even though I thought they were gone, and they are good at spying. 2. This is a new person (not the hater) who got at me through Tor Mail, and they just posted the posing post as a way to make fun of me because they think it's funny. I doubt the debit card thing is related. Someone probably stole my numbers through a swipe-logging device at a gas station. Based on the information above, can anyone provide any further insight that has not already been given? Signed, The REAL mysterious flyer. I think Mysterious Flyer is either an idiot or a troll, the fact that he accuses Google of changing his password, and Tormail, and isn't even sure whether he forgot his password or not is laughable. -- scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [tor-talk] Email provider for privacy-minded folk
k e bera: On Tue, 19 Feb 2013 17:07:54 -0800 (PST) Mysterious Flyer mysteriousfl...@yahoo.com wrote: [...] 2. I used a dedicated Tor Mail account to open the anonymous Torrified Yahoo account, and then only ever used the Yahoo account to post to this forum. [...] I have my suspicions about Tor Mail. Do any of you think that someone got access to my Yahoo account by hacking into the Tor Mail account that was used to set it up? I was using this little algorithm to make passwords, which probably would have easily been guessed if a person had my user name and password from the one Tor Mail account. I noticed that my back-up account to the Yahoo account had been changed from x...@tormail.org to x...@tormail.com. I also can't for the life of me seem to remember my password to the dedicated Tor Mail account that was used to set up the dedicated Yahoo account. Was the password changed at Tor Mail, or did I just plumb forget it? [...] Only to comment on the Tor Mail points, and i think Andrew mentioned it on this list before, Tormail.org is not affiliated with Tor Project. Furthermore, they are listed on this page: https://trac.torproject.org/projects/tor/wiki/LikelyTMViolators I actually think that list is a joke, because it combines people that provide legitimate services with obvious scammers. It does actually say on tormail.org/tormail.net: Tor Mail is a Tor Hidden Service that allows anyone to send and receive email anonymously. This product is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else. The reason it is called Tormail is because you need to access a .onion to get to it. Probably not the best name as I guess some people could interpret this as inferred affiliation. They do fully disclose they have nothing to do with the torproject.org group. 
You'll also notice http://torfone.org/ says: This product is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project. as well. I have not used torfone, but I assume it is called that because it requires the Tor software. As for torguard.net I'm not quite sure what they are inferring by the usage of 'tor' in the name, as I don't believe it would use Tor for anything. To me it just looks like an anonymous VPN provider, one which was reviewed by TorrentFreak: https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/ On the other hand you have other entries on that list such as: download-tor-browser.com which is an obvious scam to get you to download an altered copy of Tor Browser with a load of toolbars. Also http://sourceforge.net/projects/torbrowser/ looks dodgy, not complete source, 1 ancient binary. So Tormail.org is merely another potential email provider. It would be offtopic to discuss Tormail.org-specific support issues here. Agreed -- scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [tor-talk] Email provider for privacy-minded folk
Mysterious Flyer: From k e bera keb at cyblings.on.ca : Only to comment on the Tor Mail points, and i think Andrew mentioned it on this list before, Tormail.org is not affiliated with Tor Project. Furthermore, they are listed on this page: https://trac.torproject.org/projects/tor/wiki/LikelyTMViolators Yes, thank you. That is EXACTLY what I was looking for. I was thinking that the Tor Project ought to have a list of super-trusted hidden services, as well as a list of known violators. I couldn't find such a list anywhere. The link you gave me is perfect. I now know that Tor Mail not safe to use. It's just another shady hidden service. I'm glad I tried the experiment before going off and using it for anything important. Lesson learned: Do not use Tor Mail in a quest for free private e-mail! I think I will buy an e-mail account. - Mysterious And how exactly would you propose that TorProject verify such a list? Keep in mind anything on the trac is _not_ necessarily endorsed by torproject or official in any way. It is just one user's opinion. That particular list is unsubstantiated and does not provide any evidence for its claims. On the other hand, you should assume any email provider can read your mail, so if it is sensitive use client side encryption such as pgp. Then you will know for certain only the recipient can decrypt it. If it is an account used on a mailing list such as this one, it is going to be public anyway. It is probably a good practice to sign your emails too, this makes impersonation virtually impossible. (Assuming you keep your private keys secure). 
-- scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [tor-talk] Email provider for privacy-minded folk
scarp: As for torguard.net I'm not quite sure what they are inferring by the usage of 'tor' in the name, as I don't believe it would use Tor for anything. To me it just looks like an anonymous VPN provider, one which was reviewed by TorrentFreak: https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/ Now I think about it I'm pretty sure the 'tor' comes from 'torrent'. It makes sense if you say 'torrent guard'. -- scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [tor-talk] Email provider for privacy-minded folk
On 2/19/2013 7:07 PM, Mysterious Flyer wrote: OK, more information on the circumstances: 1. The whole reason I started up with all this privacy and anonymous stuff was because someone had hacked my gmail account, and was trying to ruin my life. I happen to know from their IP address that they work at Google in San Jose. 2. I used a dedicated Tor Mail account to open the anonymous Torrified Yahoo account, and then only ever used the Yahoo account to post to this forum. 3. I have to admit that I got lazy with my passwords. 4. I only use Google through https, but you know that gets unencrypted at the exit node, right? Or am I wrong about that? 5. I use Keyscrambler whenever I'm online, and I have AdAware. I sometimes download free trials of other anti-malware programs, just to make sure that AdAware is doing a good job. 6. I use an unsecured wireless network at home because we're too lazy to set up a password. We set one up once, but then got new computers and it was hard, K? We live in a very spaced-out area, so our nearest neighbor is too far away to hop on our connection. Our nearest neighbor has TWO secured connections at his own house. One of them is named Black Ops, which is funny. I doubt the neighbor with two connections is hopping on to mine. I have my suspicions about Tor Mail. Do any of you think that someone got access to my Yahoo account by hacking into the Tor Mail account that was used to set it up? I was using this little algorithm to make passwords, which probably would have easily been guessed if a person had my user name and password from the one Tor Mail account. I noticed that my back-up account to the Yahoo account had been changed from x...@tormail.org to x...@tormail.com. I also can't for the life of me seem to remember my password to the dedicated Tor Mail account that was used to set up the dedicated Yahoo account. Was the password changed at Tor Mail, or did I just plumb forget it? 
I have gotten conflicting information on whether or not it is EVER safe to access e-mail through Tor. I have read that your Google cookie can be stolen through Tor, even when you aren't on Google. Is that true? So I am thinking there are two possibilities: 1. My hater has been spying on my this whole time, even though I thought they were gone, and they are good at spying. 2. This is a new person (not the hater) who got at me through Tor Mail, and they just posted the posing post as way to make fun of me because they think it's funny. I doubt the debit card thing is related. Someone probably stole my numbers through a swipe-logging device at a gas station. Based on the information above, can anyone provide any further insight that has not already been given? Signed, The REAL mysterious flyer. OK, much of this has nothing to do w/ Tor or Tor browser, per se. I don't run this joint, so I can't tell you what / what not to discuss here. Much of the situation would perhaps be better discussed on a privacy forum. Wilder's Security forum has a good section. Another is on Neowin - the internet security forum. But, several things you describe *could* be the root of some of your problems. 1) As mentioned, Tor Mail isn't associated w/ Tor Project. Beside, JUST using tor mail, by itself, has little to do w/ anonymity, AFAIK - from reading about them. 2) From what you describe, Tor probably isn't your problem. It's your security practices (or lack there of). :( It also sounds like you might open an email attachment (when NOT expecting it), click on links in email - even just to unsubscribe. All those can load malware on your system. Sometimes, it's very difficult to detect, once on your system. To be anonymous w/ email, you must open an acct using Tor NEVER use anything else to access it. You can use their webmail it should be fine, if you're not doing stupid things w/ Tor / TBB. 
If you used a BU email acct (for PW reset or what ever) w/ the Tor - Yahoo acct, if you EVER accessed the BU (tor mail) acct from your real IP address, then the anonymity of the Tor Yahoo acct was blown. No one can get lazy w/ PWs not have problems, sooner or later (I assume you meant: not strong, not completely random, not very long). Especially on high traffic / high target sites like google or email providers. If that's the case, your former hacker probably knew things about you. That good PW cracking software is likely how he got your PW. Use a PW manager generate STRONG, random PWs, not something that involves any of your personal data, email acct names, etc. I get the feeling that there's more to your hater story than you let on ( more than ANYone here wants to hear). ;) Unless you're using a GOOD method to replace all characters. All the simple, easy ways to replace say, letters of your email acct, are used in PW cracking software. If you feel you MUST memorize it, use methods endorsed by security experts. Just best NOT to
Re: [tor-talk] Email provider for privacy-minded folk
Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server? I certainly never made any online purchases through Tor. From: Joe Btfsplk joebtfs...@gmx.com To: tor-talk@lists.torproject.org Sent: Tuesday, February 12, 2013 5:46 AM Subject: Re: [tor-talk] Email provider for privacy-minded folk On 2/11/2013 9:51 PM, Griffin Boyce wrote: There are some good ones out there, but if you're using Tor to create the account and login, you should know that many have started blocking Tor users (or deactivating their accounts in the case of Yahoo). Size could also be an issue, but if you're deleting them off the server on download, then that problem goes away. ~Griffin On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote: Interesting. I haven't logged into my Tor / Yahoo acct in a week or so - I may be surprised.
Re: [tor-talk] Email provider for privacy-minded folk
On 2/18/2013 9:01 PM, Mysterious Flyer wrote: Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server? I certainly never made any online purchases through Tor. On 2/11/2013 9:51 PM, Griffin Boyce wrote: There are some good ones out there, but if you're using Tor to create the account and login, you should know that many have started blocking Tor users (or deactivating their accounts in the case of Yahoo). Size could also be an issue, but if you're deleting them off the server on download, then that problem goes away. ~Griffin On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote: Will the real Mysteriousflyer please stand up? Maybe the list admins can trace the 1st mysteriousflyer your emails, back to the origin gain some knowledge. I don't know about the dual use / acct hacking, but if you send unencrypted data through a Tor exit, a malicious relay operator could capture it. This is has been well documented for ages. DON'T send any critical data, if not using secure connection (or encrypted file) through Tor. Treat it like you would dealing w/ your bank - you wouldn't do business on a non secure connection (with the destination site). Do you use gmail's https connection - both w/ Tor w/out? You should. If you don't, they could have gotten your PW, if using a regular browser or Tor Browser. If you use gmail's (or any) https connection, it's no easier for an exit relay to steal your PW than anyone else, AFAIK. It's still an encrypted connection. 
But, as news stories point out, there are many ways for hackers / con men to get your PW other than running a Tor relay. If your PW wasn't that strong, they could easily hack it using software. I assume they didn't have your PW reset, but that's another way hackers do it - if they can guess security question answers, or they know you or something about you (or can look it up). How would they make a copy of a debit card through Tor or your Gmail acct? Do you keep a picture or all data of the card, unencrypted in your email acct? Also, using a credit card is generally safer than debit cards. You're better protected by the contract of most CC companies.
Re: [tor-talk] Email provider for privacy-minded folk
Mysterious Flyer wrote: Um. I am the REAL mysteriousfl...@yahoo.com. I guess it's super-duper easy for a person's user names and passwords to get hacked when accessing e-mail over Tor. I also noticed that someone has been reading my gmails (since they were marked as read), so I changed my password over there and will never access gmail through Tor again. Someone ALSO made a copy of my debit card and tried to use it in another state, but that may be coincidence. Does anyone have any knowledge as to HOW a hacker may get this information? Is it through an exit server? Joe Btfsplk already discussed the ability of exit nodes to sniff unencrypted traffic. I would also point that the attacker didn't necessarily use Tor to crack your email account(s). Just as a data point which may or may not be relevant for your case, last year I advised *two* friends that I suspected their email accts had been compromised. I was getting spam under their user names. While I am aware that it is trivial to spoof From addresses, in both cases there were details about the emails that made me suspect they came from the actual accts rather than merely spoofed headers. In both cases my friends checked and indeed their accts. had been compromised. Neither person had any idea how their acct. got compromised and I am reasonably sure neither had ever used Tor. Both swore they had not been phished. One had a Hotmail acct. and I think the other used mail.com. My point is that attacks against email accts. w/o using Tor to do it is apparently commonplace, something that seems to be confirmed in that Abuse at Scale PDF that a Google employee linked to from this list a while back. Jim
Re: [tor-talk] Email provider for privacy-minded folk
Hi, On 13.02.2013 22:47, Joe Btfsplk wrote: One item is how long providers retain mail, after you delete it. Some don't store at all; - to hrs / days / months / indefinitely. It is unlikely that any mail provider wipes/shreds mails on deletion and while they go through the various processing stages. [1] Even if they use an encrypted file system (another doubt there, why should they; probably not even encrypted swap), as long as the system is up and running the mail could be recovered from various places. A big problem also is backups: Most of us do want backups. It is quite hard to design a backup system that allows you to remove files selectively later. If that is even what you want, since it is a backup and you might have deleted the file by mistake. I don't know of any mail provider that offers to selectively exclude accounts/aliases from backup. Same for IP logs. Are they stored on a tmpfs, shredded on deletion? How long are they kept? Even Autistici and Riseup will keep some IP/user logs to kill spamming accounts? I doubt 24hours is enough... Another neat feature would be accounts where the Maildir completely live on a tmpfs -- including spool etc. If there was any money in this, at least to cover costs, I would have started a mail provider myself long time ago. Another showstopper is that in Germany, every mail provider is required to install a law enforcement blackbox and retain shitloads of logs if they have more than customers. [1] http://moblog.wiredwings.com/archives/20130206/Linux-Automatically-shredding-files-before-deletion.html -- Moritz Bartl https://www.torservers.net/
Re: [tor-talk] Email provider for privacy-minded folk
On 13.02.2013 22:47, Joe Btfsplk wrote:

> I suppose even providers offering encryption of files while on their server (like Lavabit), could read the mail just before it was encrypted / decrypted, since they are doing the encrypting.

Even if they encrypt maildirs on their servers and unlock only while you are logged in, they can sniff your login/encryption password and poof. That's what Hushmail was forced to do on request by law enforcement.

The only way to do this properly is to encrypt all incoming mails using your public key. That way, existing mails are protected. New incoming mails can still be intercepted when they are coming in, of course, that's why the provider should offer an option to drop non-PGP mail directly at MTA level for selective aliases/accounts. [1]

Webmail will become mostly useless for these accounts. To be able to do fulltext search etc. one could add a local (!) imapproxy that decrypts all mails before putting them into the mail application's inbox. Is there anything like that?

Similar thoughts for outgoing mails.

> I believe one or 2 offer end to end encryption.

Every provider supports this, just use PGP for everything. No provider can offer it, that is impossible.

[1] https://github.com/moba/pgpmilter

--
Moritz Bartl
https://www.torservers.net/
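The "drop non-PGP mail at MTA level for selective aliases" idea from the message above, sketched as an accept/reject decision. This is an added example, not part of the original post and not code from pgpmilter; the alias names, sample messages and the `decide` / `is_pgp_encrypted` helpers are assumptions made for illustration.

```python
"""Accept-or-reject decision for aliases that only take PGP-encrypted mail."""
import email
from email import policy

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"


def is_pgp_encrypted(msg):
    """True only if the whole body is OpenPGP ciphertext (PGP/MIME or inline)."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        # PGP/MIME (RFC 3156): a control part followed by one ciphertext part.
        if (msg.get_param("protocol") or "").lower() != "application/pgp-encrypted":
            return False
        parts = list(msg.iter_parts())
        if len(parts) != 2:
            return False
        control, data = parts
        if control.get_content_type() != "application/pgp-encrypted":
            return False
        if data.get_content_type() != "application/octet-stream":
            return False
        payload = data.get_payload(decode=True) or b""
        return payload.lstrip().startswith(ARMOR_BEGIN.encode())
    if ctype == "text/plain" and not msg.is_multipart():
        # Inline PGP: the armored block must be the entire body, so a plaintext
        # mail that merely quotes an armored block does not pass.
        try:
            body = msg.get_content().strip()
        except LookupError:  # unknown charset label
            return False
        return body.startswith(ARMOR_BEGIN) and body.endswith(ARMOR_END)
    return False


def decide(raw_message, rcpt, pgp_only_aliases):
    """Return (action, reason) for one recipient of one incoming message."""
    if rcpt.strip().lower() not in pgp_only_aliases:
        return ("accept", "alias is not PGP-only")
    msg = email.message_from_string(raw_message, policy=policy.default)
    if is_pgp_encrypted(msg):
        return ("accept", "body is OpenPGP ciphertext")
    return ("reject", "550 5.7.1 this address only accepts PGP-encrypted mail")


# Constructed sample data (hypothetical addresses, placeholder ciphertext).
ALIASES = {"secure@example.net"}
_ARMOR = ARMOR_BEGIN + "\n\n(constructed placeholder, not real ciphertext)\n" + ARMOR_END + "\n"
_HDR = "From: alice@example.org\nTo: secure@example.net\nSubject: hello\n"
PGP_MIME = (
    _HDR + "MIME-Version: 1.0\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n" + _ARMOR + "--b1--\n"
)
INLINE = _HDR + "\n" + _ARMOR
PLAINTEXT = _HDR + "\nSee you at 8, the door code is 1234.\n"
MIXED = _HDR + "\nForwarding this, the door code is 1234:\n\n" + _ARMOR

if __name__ == "__main__":
    for name, raw in [("pgp-mime", PGP_MIME), ("inline", INLINE),
                      ("plaintext", PLAINTEXT), ("mixed", MIXED)]:
        print(name, decide(raw, "secure@example.net", ALIASES))
```

The check looks only at the message structure; the headers (sender, recipient, subject) stay readable to the provider either way.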
Re: [tor-talk] Email provider for privacy-minded folk
Moritz Bartl:

> On 13.02.2013 22:47, Joe Btfsplk wrote:
>
>> I suppose even providers offering encryption of files while on their server (like Lavabit), could read the mail just before it was encrypted / decrypted, since they are doing the encrypting.
>
> Even if they encrypt maildirs on their servers and unlock only while you are logged in, they can sniff your login/encryption password and poof. That's what Hushmail was forced to do on request by law enforcement.

What if Hushmail (or any other mail provider) had recommended the user to install a browser add-on to do encryption locally? Could they get forced to convince the user to install a malicious browser add on, on request by law enforcement?
Re: [tor-talk] Email provider for privacy-minded folk
k e bera wrote:

> Hoping to be helpful, i transcribed that PDF to the tor wiki: https://trac.torproject.org/projects/tor/wiki/doc/EmailProviderComparison

Thanks for transcribing that! I realize you are only the transcriber, but if I understand the table correctly I see some errors/ambiguities for Hushmail. Note that I have a free acct. and so have no personal knowledge of their paid accounts.

-- My understanding of that table is that Hushmail can only receive email. That is not true. It is perfectly possible to use Hushmail as a normal email acct. (receive *and* send) via their web interface. I do not know if SMTP is available on a paid acct.

-- IMAP and POP3 are only available for paid accts. Hushmail's business model is selling email accts and they impose quite a number of restrictions on the free accts. to persuade you to pay. This includes requiring you to log in at least every 3 weeks to keep the account available.

-- This was left blank in the table but I am pretty sure that Hushmail provides aliases with its paid accts.

-- This was also left blank in the table but according to a reply from Hushmail to a question of mine, messages between Hushmail users which are marked for encryption are stored on the server encrypted. Emails with non-Hushmail users that are sent/received as plain text are stored as plain text.

HTH

Jim
Re: [tor-talk] Email provider for privacy-minded folk
Hi,

On 14.02.2013 11:42, adrelanos wrote:

> What if Hushmail (or any other mail provider) had recommended the user to install a browser add-on to do encryption locally? Could they get forced to convince the user to install a malicious browser add on, on request by law enforcement?

Most likely. Why not?

My way would be to produce the browser addon independently from offering mail services. The mail provider would then just be recommending the third-party addon -- even if the addon is made specifically for that service (or web interface).

Browser plugins for en/decryption were often discussed here and you should be aware of their issues. In short, you cannot create a safe en/decryption plugin and at the same time have high usability.

--
Moritz Bartl
https://www.torservers.net/
Re: [tor-talk] Email provider for privacy-minded folk
Moritz Bartl:

> Hi,
>
> On 14.02.2013 11:42, adrelanos wrote:
>
>> What if Hushmail (or any other mail provider) had recommended the user to install a browser add-on to do encryption locally? Could they get forced to convince the user to install a malicious browser add on, on request by law enforcement?
>
> Most likely. Why not?

I was actually thinking exactly this myself.

> My way would be to produce the browser addon independently from offering mail services. The mail provider would then just be recommending the third-party addon -- even if the addon is made specifically for that service (or web interface).
>
> Browser plugins for en/decryption were often discussed here and you should be aware of their issues. In short, you cannot create a safe en/decryption plugin and at the same time have high usability.

I don't see any point in a browser extension; if you're going to go to the extent of installing that, why not just use an email client? It would use a lot less bandwidth to use an email client like Thunderbird and use POP/IMAPS than a web interface anyway. I'd also argue that it's a lot more secure too, given that implementations like FireGPG always had issues.

Also, the source code for the extension would need to be available, and then it would be bound to particular browsers, not a good move in my opinion. It would also be only available then on particular platforms. I know for example with PGP I can decrypt emails on Android using K9/Kaiten with APG.

Also as it would only be used with one provider, the code would have a lot less widespread usage in comparison to something like Enigmail and Thunderbird or Sylpheed etc.

I also think hushmail's Java requiring extension is a lot less usable than a decent mail client with pgp support, even inexperienced users detest horribly slow java applets. Then there's also the fact that Oracle can be kinda slow to fix 0day Java exploits, and those nearly always revolve around the web browser.

--
scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [tor-talk] Email provider for privacy-minded folk
On 2/14/2013 4:42 AM, adrelanos wrote:

> Moritz Bartl:
>
>> On 13.02.2013 22:47, Joe Btfsplk wrote:
>>
>>> I suppose even providers offering encryption of files while on their server (like Lavabit), could read the mail just before it was encrypted / decrypted, since they are doing the encrypting.
>>
>> Even if they encrypt maildirs on their servers and unlock only while you are logged in, they can sniff your login/encryption password and poof. That's what Hushmail was forced to do on request by law enforcement.
>
> What if Hushmail (or any other mail provider) had recommended the user to install a browser add-on to do encryption locally? Could they get forced to convince the user to install a malicious browser add on, on request by law enforcement?

That concept of feds forcing Hushmail to send targeted users a modified Java applet (that does the encrypting on client side), so their pass phrase could be captured, is discussed here: http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

But can the feds force Hushmail to modify the Java applet sent to a particular user,

I don't know if Hushmail still offers a method to encrypt email locally, before sent to Hushmail servers. But for any that do offer such a feature, it's possible w/ a court order, or something such as a National Security Letter - NSL https://en.wikipedia.org/wiki/National_security_letter - they could be forced / coerced into doing something like that. That wouldn't affect majority of users, who aren't direct targets of investigation.

That said, BEFORE the Patriot Act in U.S. (& now similar acts / laws in other countries), no one would've dreamed it would be so easy for LEAs to get private email - even encrypted ones. So what's next?

Interesting fact: I've read documented correspondence (issued by an ISP) that ISPs & probably email providers, get paid QUITE a bit, to gather & turn over data requested in NSLs maybe ? for other LEA requests. We're not just talking chump change. Big providers get LOTS of requests to turn over data each yr.
Re: [tor-talk] Email provider for privacy-minded folk
On Tue, Feb 12, 2013 at 11:41 PM, Maxim Kammerer m...@dee.su wrote:

> On Wed, Feb 13, 2013 at 6:05 AM, Griffin Boyce griffinbo...@gmail.com wrote:
>
>> This is an oft-overlooked point about Riseup. They never did approve me for an account. I'm sketchy. ;P
>
> Don't say... Do you approve of “a vanguard strategy for revolution”? Or support “the idea that class oppression supersedes race or gender oppression”? This is serious stuff!
>
> https://help.riseup.net/en/social-contract

No, but I would definitely be considered a capitalist. After reading their social contract, yeah, I'm probably not what they're looking for. Having said that, lots of people seem very happy using their services, and it's frequently recommended that I make the switch.

~Griffin
Re: [tor-talk] Email provider for privacy-minded folk
On 12/02/2013 21:21, Joe Btfsplk wrote:

> I went & read a LOT on their site. One problem is, they say it may take 1 day or 10 to answer a support request. They're all volunteers. That's fine. Except if the support issue is your acct is locked, not because of your actions, 10 days is a long time to wait.

When you open an email account you set your password (obvious) and a security question (optional). That would keep your account safe and you should not need support, hopefully. That said, I did not have a single support issue in years.

> I didn't see if they offer aliases (or disposable addresses). I assume not?

They offer half a dozen email aliases that point to your account and can be configured and deleted on the fly.

Jan
Re: [tor-talk] Email provider for privacy-minded folk
Hi tor-talk,

Thanks for the information about email providers.

Obviously, I currently use Lavabit but this email, and activity it's used with, is kept separate from my real life. My real life email has been on GMail for a long time, which is what needs to change.

Two things I really like about Lavabit: that they've published their infrastructure setup, and the simplicity of signing up. Two things I don't like about Lavabit: location is in USA (I may have missed more location details, though), and the email sender's IP is in the headers. Because of the latter, I'm not convinced to use them as my personal email provider just yet.

I really like everything I read about Autistici. I applied for an email account but regardless if they approve of me/my reasons, I'm happy to donate to support them. Those guys have a great message.

I'll check out the providers mentioned and report back on my experiences in case anyone's interested.

bvvq.
Re: [tor-talk] Email provider for privacy-minded folk
On 12/02/2013 3:04 PM, grarpamp wrote:

> The rest are just shopping items, but when you do find one, consider sending them a donation and a note about why you chose them once in while.

I hope I didn't sound as though I was looking for a free meal in my original posting when I said that a free service would be nice; I really would be concerned that if I no longer had a job that I wouldn't be able to keep my email account.

You do make a good point, however, and I'd like to give an anecdote to support your message. It wasn't until I volunteered for local activist and atheist groups that I realised how important donations are to some causes. These guys were surviving solely on donations from the public. As a result, I happily donate to groups that I think are doing a great service, and I encourage others to do the same (because really, who can't spare $20 for a good cause that can spare $20 a week for overpriced coffee?)
Re: [tor-talk] Email provider for privacy-minded folk
On 12/02/2013 3:15 PM, Joe Btfsplk wrote:

> Here's an article someone pointed out on email providers privacy; if allow signing up w/ Tor, etc.: the_simple_computer http://www.thesimplecomputer.info/articles/email-for-privacy.html They all have + & -, depending on needs. For many, if read TOS & Privacy Policy closely, they may be better than gmail, but not as private as their hype says.

Great link. Interesting site. (It's amazing that the web is so vast that after 15 years online, there are still websites tucked away that I haven't seen.)

> I took the info from The Simple Computer article & made a chart, plus current data (some not in the article) from several providers' sites. If anyone was interested & if I knew how to (easily) get it uploaded - somewhere - I could do that. It's not the be all end all, but has current info on several providers, including how long they retain data. It's now in pdf and / or .ODT format. I don't know if it's possible to attach small files to tor-talk emails.

I would be interested in your data. Do you have any problems uploading it to mainstream file sharing sites? You could encrypt it and send tor-talk the passphrase. Or perhaps upload it to a .onion (I don't know any off-hand).
Re: [tor-talk] Email provider for privacy-minded folk
On 13/02/2013 7:21 AM, Joe Btfsplk wrote:

> I didn't see if they offer aliases (or disposable addresses).

The link you provided in your first response (http://www.thesimplecomputer.info/articles/email-for-privacy.html) says Autistici offer 5 aliases. I didn't read any confirmation of this on their website, so it may or may not be accurate. If I'm approved for email, I'll let tor-talk know.
Re: [tor-talk] Email provider for privacy-minded folk
For my email privacy I elected to run my own server. I use SmarterMail by SmarterTools. It has a really nice web interface as well as IMAP and POP3. There is a free version where you can run a personal server with 10 email accounts and 1 domain.

John Perry - WX5JP
http://www.jpunix.net
http://blog.jpunix.net

From: Ted Smith te...@riseup.net
Sent: Tuesday, February 12, 2013 11:11 PM
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Email provider for privacy-minded folk

On Tue, 2013-02-12 at 11:23 -0600, Joe Btfsplk wrote:

> On 2/12/2013 8:41 AM, Ted Smith wrote:
>
>> I use riseup.net -- I trust their promise not to store any logs, I know they'll never block Tor, and they don't have any ads in their web interface. That said, if you're financially stable in a first-world country, you should probably throw some bitcoins their way to cover the cost of your email account (they recommend you donate three hours' worth of pay per year IIRC, which is pretty trivial for most people).
>
> How difficult is it to get an acct w/ riseup if you apply, rather than have 2 recommendations from members? I don't know any riseup members & forgot how you get the recommendations from members, to riseup. I don't have a problem w/ their political & social stance - it's a free country. I'm not sure what they look for in the application to approve or reject an acct.

Probably some sort of social/political goal that they agree with, though if you said you were mostly interested in privacy and were willing to donate more than they recommend, I somewhat doubt they'd turn you down. I don't know how difficult it is; I got this account a long time ago, and when I did I knew people using Riseup. The way you get recommendations is by generating an invite code on user.riseup.net.

> How well do they handle support issues? Only by email? Typical response time for serious issues?

I rarely need support, but when I have a question for the Riseup people they're always in IRC.

> Due to their low storage limit, I guess you just immediately delete msgs when d/l w/ a client? Attachment size limit is very small.

I immediately delete messages from the server anyway; but before I did that I raised my quota (you can do it from their user page). I justified that to myself by giving them more support, as they mention on the page where you can raise your quota.

--
Sent from Ubuntu
Re: [tor-talk] Email provider for privacy-minded folk
On 12.02.2013 01:47, bvvq wrote:

> * Privacy-conscious (don't parse my emails to target advertisements to users)

Email was not born in an era when privacy was any concern. In a way, privacy was using the email as only few knew how to use it. That means plain text connections. That means a lot of data is tracked, including the entry point and the traject of the email. The errors disclose a lot of private data. And the whole thing is passed around in plain text. Given that, not only your provider, but any server passed along the way, can parse emails for any imaginable purpose, not just target advertising.

As a rule of the thumb, when I read one service that promises a lot I just move to the next as they are liars.

Beware that the US has the nasty habit of recording and analysing any email passing through their space. So an Italian server sending mail to a Dutch server, if it ever passes through a US server, then it is parsed and stored for an indefinite period of time.

Privacy should be by design and not by policy anyway.

> * Reasonable storage space (I currently have 418 emails using ~100MB in my personal GMail account)

I don't know any server that would give less than 1G and will not upgrade if asked nicely or for a few USD. So you'd be safe.

> * Don't close the account if I don't log in with the web interface in {X} days

Take a look at wikipedia in your own language. There is a webmail server comparison or something like that. In that table you will find the days before automatic closing of the account. If paid, usually is the last pay day, unless they have a free plan.

> * IMAP preferred but POP will suffice

Some give IMAP4. Some give POP3. Sourceforge has a couple of small apps that can convert any other webmail into a POP3 source. SMTP would be the thing to look for. And the SMTP restrictions too.

> * Free would be nice (I don't want to lose my email account if I lose my job)

I think email is the cheapest service you can get online by far. The problem for some of the tor users is associating a credit card with an account. Otherwise, the most expensive personal accounts are still below 20 USD a year. For someone in an Indian village would be a 6-month pay. For someone in the industrialised world is one, two cheap meals at most.

Cheers!
Re: [tor-talk] Email provider for privacy-minded folk
I use riseup as well. They have always been great for me, including when I've had a minor problem or two -- such as when emails from a list for freelance writers were accidentally marked as spam. That ticket was fixed right away.

The only trouble I have with riseup is the 2 MB limit for outbound email attachments. I sometimes have to send large documents (PDFs, DOCs) to clients, and a larger limit would be convenient. I should ask riseup about raising it; I would be willing to pay for that.

If you use riseup, be sure to donate. You can donate to them through Flattr.

On 02/12/2013 08:41 AM, Ted Smith wrote:

> On Tue, 2013-02-12 at 10:13 +0100, Karsten N. wrote:
>
>> On 02/12/2013 01:47 AM, bvvq wrote:
>>
>>> I would like to change.
>>
>> You may try VFEmail https://www.vfemail.net/
>>
>> For a one-time payment of $15 you get a good service. Use an anonymous prepaid credit card to stay anonymous. Free service works well with SMTP, POP and IMAP too but contains ads and taglines.
>>
>> Best regards
>> Karsten N.
>
> I use riseup.net -- I trust their promise not to store any logs, I know they'll never block Tor, and they don't have any ads in their web interface. That said, if you're financially stable in a first-world country, you should probably throw some bitcoins their way to cover the cost of your email account (they recommend you donate three hours' worth of pay per year IIRC, which is pretty trivial for most people).
Re: [tor-talk] Email provider for privacy-minded folk
Hi guys & girls,

I'm the person behind /the_simple_computer/, nice to see the site making the rounds here. To address a few concerns some people brought up, Autistici took 2 days to approve my account. I sent them some questions after the account was made and the replies were always in my inbox the next morning. At the time I had the account, there were 5 aliases you could make from the single email address you signed up for. You also have the choice of a bunch of different domains if you didn't like @autistici.org.

The best thing to do with Riseup is just go for it. If they don't approve you...meh, not much you can do at that point and there are alternatives. Give it a shot if you think it's your best choice. I would try to steer clear of mentioning politics though, and pitch your request from the privacy standpoint. Just my $0.02.

The biggest points I try to make to the people who ask me about email addresses are

1. Find something that doesn't show your ip address in the mail headers.
2. Stay away from targeted advertising, (though browser cookies can blur that 'targeted' definition now) and
3. Autistici and Riseup are two companies worth donating to, imo but especially if you're using their service.

If anyone spots any errors in the email article or something that doesn't align with their observations (grammar nazis also welcome), let me know and I'll look into it asap. If anyone knows any services which aren't listed but should be, please share here. I'm sure there are some I've missed. Thanks.

-tSc

--
www.thesimplecomputer.info
Research for Digital Privacy and Security
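Point 1 in the message above (and the earlier complaint in this thread that a provider puts the sender's IP in the headers) can be checked by sending yourself a message and inspecting its raw source. The sketch below is an added example, not part of the original post; it assumes the submitting client shows up in the "from" clause of the earliest `Received` header or in an `X-Originating-IP` header, and the sample messages, hostnames and addresses are constructed.

```python
"""Check a raw message for headers that record the sender's own IP address."""
import email
import ipaddress
import re
from email import policy

_CANDIDATE = re.compile(r"[0-9A-Fa-f:.]{3,}")
_FROM_CLAUSE = re.compile(r"\s*from\s+(.*?)(?:\s+by\s+|;|$)", re.S)


def _ips(text):
    """Valid, non-loopback IP literals found in a header fragment."""
    found = []
    # Drop the "IPv6:" tag used in address literals so it cannot glue onto the address.
    for token in _CANDIDATE.findall(text.replace("IPv6:", " ")):
        try:
            ip = ipaddress.ip_address(token.strip("."))
        except ValueError:
            continue  # timestamps, hostname fragments, version numbers
        if not ip.is_loopback and str(ip) not in found:
            found.append(str(ip))
    return found


def audit_headers(raw_message):
    """Return the IPs recorded for the first hop and in X-Originating-IP."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    first_hop = []
    if received:
        # Received headers are prepended by each server, so the last one in
        # the message is the earliest hop: the provider taking the mail from
        # the sender's client.
        match = _FROM_CLAUSE.match(str(received[-1]))
        if match:
            first_hop = _ips(match.group(1))
    x_orig = []
    for value in msg.get_all("X-Originating-IP") or []:
        x_orig.extend(_ips(str(value)))
    return {"first_hop": first_hop, "x_originating_ip": x_orig}


def exposes_sender_ip(raw_message):
    result = audit_headers(raw_message)
    return bool(result["first_hop"] or result["x_originating_ip"])


# Constructed samples using documentation address ranges.
LEAKY = (
    "Received: from mx.example.net (mx.example.net [198.51.100.20])\n"
    "\tby mx.example.org with esmtps; Wed, 13 Feb 2013 13:14:05 -0700\n"
    "Received: from [203.0.113.7] (helo=laptop)\n"
    "\tby smtp.example.net with esmtpsa; Wed, 13 Feb 2013 13:14:00 -0700\n"
    "X-Originating-IP: [203.0.113.7]\n"
    "From: user@example.net\nTo: friend@example.org\nSubject: test\n\nhi\n"
)
SCRUBBED = (
    "Received: from mx.example.net (mx.example.net [198.51.100.20])\n"
    "\tby mx.example.org with esmtps; Wed, 13 Feb 2013 13:14:05 -0700\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby smtp.example.net with esmtpsa; Wed, 13 Feb 2013 13:14:00 -0700\n"
    "From: user@example.net\nTo: friend@example.org\nSubject: test\n\nhi\n"
)

if __name__ == "__main__":
    print("leaky   :", audit_headers(LEAKY))
    print("scrubbed:", audit_headers(SCRUBBED))
```

Later hops (the provider's own relay at 198.51.100.20 in the samples) are ignored on purpose, since they identify the mail servers rather than the person who sent the message.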
Re: [tor-talk] Email provider for privacy-minded folk
On Wed, 2013-02-13 at 13:14 -0700, the_simple_computer wrote:

> 3. Autistici and Riseup are two companies worth donating to, imo but especially if you're using their service.

This is a nitpick, but riseup.net isn't a company. Riseup Labs (http://riseuplabs.org/) is a registered (donations tax-deductible!) non-profit in the US, and Riseup Networks (riseup.net) is an activist collective (with no formal legal structure of which I am aware).

(I should also maybe point out that I'm in no way affiliated with riseup.net other than using their services and donating regularly.)

--
Sent from Ubuntu
Re: [tor-talk] Email provider for privacy-minded folk
How truly important is webmail for you all? Can you use your client and survive with a provider that only offers:

- IMAP over SSL
- Submission with STARTTLS
- (and maybe legacy SMTP over SSL)
- (and maybe legacy POP3 over SSL)

If the server enforces message expiry and deletes oldest messages, what timeframe you survive with? Weeks? One month? Three Months? Six? A year?

And how long to maintain an account that hasn't authenticated in X time?

Max mailbox size? Max message size?

You know, basic minimums that you actually need. Not free dreams at other's expense (ultimately your own).
Re: [tor-talk] Email provider for privacy-minded folk
On 2/13/2013 3:58 AM, bvvq wrote:

> On 12/02/2013 3:15 PM, Joe Btfsplk wrote:
>
>> Here's an article someone pointed out on email providers privacy; if allow signing up w/ Tor, etc.: the_simple_computer http://www.thesimplecomputer.info/articles/email-for-privacy.html They all have + & -, depending on needs. For many, if read TOS & Privacy Policy closely, they may be better than gmail, but not as private as their hype says.
>
> Great link. Interesting site. (It's amazing that the web is so vast that after 15 years online, there are still websites tucked away that I haven't seen.)
>
>> I took the info from The Simple Computer article & made a chart, plus current data (some not in the article) from several providers' sites. If anyone was interested & if I knew how to (easily) get it uploaded - somewhere - I could do that. It's not the be all end all, but has current info on several providers, including how long they retain data. It's now in pdf and / or .ODT format. I don't know if it's possible to attach small files to tor-talk emails.
>
> I would be interested in your data. Do you have any problems uploading it to mainstream file sharing sites? You could encrypt it and send tor-talk the passphrase. Or perhaps upload it to a .onion (I don't know any off-hand).

Sure - there's nothing private about it. Most data I took right off the provider's TOS & Privacy Policy (or verified The Simple Computer site's data). I didn't fill in all items on all the providers. Some policy specs weren't mentioned by some providers. You can ask CS if they don't have some privacy issue in writing, but a verbal / email reply probably doesn't mean much (legally, at least), if it's not in their official TOS / Privacy Policy.

One item is how long providers retain mail, after you delete it. Some don't store at all; - to hrs / days / months / indefinitely. VFEmail's storage falls into indefinitely category (though not on my chart).

I've never had a need to u/l a file to a free server, so if someone could give suggestion of a simple, free one (file's only 100 KB). I see no need to encrypt it - unless I'm overlooking a reason. Nothing private, sensitive.

Had an interesting response from VFEmail CS. Though I've researched more privacy conscious email providers a while, I'd overlooked one thing. Unless you encrypt the email - yourself - BEFORE it hits their server, ANY provider can & does read (scan) the email, *at least for spam checking* - at minimum. Many of you know this & probably many don't. What else they say they do / don't do with scanning results (or anything to do w/ privacy), like any other agreement / contract, is only as good as the company that wrote it. And if they violate an agreement, only recourse is to ask them to stop or sue them.

I asked about this one sentence, out of VFEmail's - ONE - paragraph privacy policy:

> 7. VFEmail.net PRIVACY POLICY
> VFEmail.net will not monitor, edit or disclose the contents of a User's email or any other communication based on VFEmail.net, except that User agrees VFEmail.net may do so: (a) as part of the TECHNICAL PROCESSING of the VFEmail.net communication;

Joe: That's fairly vague. Monitor could mean anything or nothing. Do you scan or look at email contents - ESPECIALLY the message body or attachment contents, in any manner, except for data in the header needed to send & receive mail, to scan for viruses or when legally compelled to monitor email? I suggest that vfemail clarify & expand this part of the privacy policy.

VFEmail responded:

> Of course the message body is viewed. If you send out 200 emails and cause the free outgoing queue to stop with your 'flood', would you prefer if we verified you were just sending an address change, or should we just block your account for spamming? You're welcome, and encouraged, to use PGP from your local PC to ensure no middle man can read your emails. Any provider who claims they can not and will not read your mail are full of it.

As I said, wrote that before thinking, all providers scan unencrypted mail for spam, at minimum. That may not violate privacy, if that's ALL they do. If you really want privacy, use encryption. BUT... you have to convince a lot of people to do the same. Not easy, in my experience - outside of a crowd like this list.

I suppose even providers offering encryption of files while on their server (like Lavabit), could read the mail just before it was encrypted / decrypted, since they are doing the encrypting. I believe one or 2 offer end to end encryption.
Re: [tor-talk] Email provider for privacy-minded folk
On 2/13/2013 2:14 PM, the_simple_computer wrote:

> Hi guys & girls,
>
> I'm the person behind /the_simple_computer/, nice to see the site making the rounds here. ... ... If anyone spots any errors in the email article or something that doesn't align with their observations (grammar nazis also welcome), let me know and I'll look into it asap. If anyone knows any services which aren't listed but should be, please share here. I'm sure there are some I've missed. Thanks.
>
> -tSc

Yes, appreciated the info. As I replied to bvvq, I made a chart - starting w/ your info & updated / clarified some. They indicated interest in me uploading it to some free file server. Haven't published it, but made it clear where I got the idea, w/ a link.

Technically, all I got from your article was provider names. I went to all the providers (that I was interested in) & dug the data straight from current TOS / Privacy Policies - ignoring hype. Most of your data matched what I saw. Some I didn't find mentioned in TOS / Privacy Policies, so didn't include it. Some providers may have been revised data.
Re: [tor-talk] Email provider for privacy-minded folk
On 2/13/2013 3:47 PM, Joe Btfsplk wrote:

On 2/13/2013 3:58 AM, bvvq wrote:

On 12/02/2013 3:15 PM, Joe Btfsplk wrote:

Here's an article someone pointed out on email providers privacy; if allow signing up w/ Tor, etc.: the_simple_computer http://www.thesimplecomputer.info/articles/email-for-privacy.html They all have + & -, depending on needs. For many, if read TOS & Privacy Policy closely, they may be better than gmail, but not as private as their hype says.

Great link. Interesting site. (It's amazing that the web is so vast that after 15 years online, there are still websites tucked away that I haven't seen.)

I took the info from The Simple Computer article & made a chart, plus current data (some not in the article) from several providers' sites. If anyone was interested & if I knew how to (easily) get it uploaded - somewhere - I could do that. It's not the be all end all, but has current info on several providers, including how long they retain data. It's now in pdf and / or .ODT format. I don't know if it's possible to attach small files to tor-talk emails.

I would be interested in your data. Do you have any problems uploading it to mainstream file sharing sites? You could encrypt it and send tor-talk the passphrase. Or perhaps upload it to a .onion (I don't know any off-hand).

Sure - there's nothing private about it. Most data I took right off the provider's TOS & Privacy Policy (or verified The Simple Computer site's data). I didn't fill in all items on all the providers. Some policy specs weren't mentioned by some providers. You can ask CS if they don't have some privacy issue in writing, but a verbal / email reply probably doesn't mean much (legally, at least), if it's not in their official TOS / Privacy Policy.

Here's link to the email provider comparison chart. I didn't cover all that were on The Simple Computer list, because wasn't interested / didn't think private enough / some policy not acceptable to me, etc. If I couldn't find the info in TOS or Privacy Policy, I didn't include it, even if some users say it was a provider's policy. Simply because, policies change & I was using official TOS & Privacy Policies. There may be features (or practices) not mentioned in some TOS or Privacy Policies.

http://bayfiles.com/file/F4Ix/TI09mE/Email_provider_comparison.pdf
Re: [tor-talk] Email provider for privacy-minded folk
On Wed, 13 Feb 2013 22:22:22 -0600 Joe Btfsplk joebtfs...@gmx.com wrote:

Sorry, but when I tried the download from Bayfiles, clicking on the big, orange download button, it tries to d/l iLividSetupV1.exe instead (I can't seem to get around it). It actually transferred me to another site - for the free download manager. Here: http://lp.ilivid.com/?appid=362lpid=513subid=322014151 I had no idea it would do that, as I was just using the suggestion from someone here, to use Bayfiles as a free u/l site. I apologize. Don't know if it does this all the time. When I clicked on the MUCH smaller gray d/l button, near middle of page, it starts the d/l count down, but when waiting time's up & click d/l - it goes back into another 120 sec count down (using Tor, for me). So, maybe I'll use another site, if someone has a better suggestion. Again, sorry.

On 2/13/2013 7:57 PM, Joe Btfsplk wrote:

http://bayfiles.com/file/F4Ix/TI09mE/Email_provider_comparison.pdf

I had none of those problems, but my browser has Adblock Plus ;)

Hoping to be helpful, I transcribed that PDF to the tor wiki: https://trac.torproject.org/projects/tor/wiki/doc/EmailProviderComparison
Re: [tor-talk] Email provider for privacy-minded folk
On 02/12/2013 01:47 AM, bvvq wrote:

I would like to change.

You may try VFEmail https://www.vfemail.net/ For a one-time payment of $15 you get a good service. Use an anonymous prepaid credit card to stay anonymous. Free service works well with SMTP, POP and IMAP too but contains ads and taglines.

Best regards
Karsten N.
Re: [tor-talk] Email provider for privacy-minded folk
On Tue, 12 Feb 2013 11:47:53 +1100 bvvq beveryveryqu...@lavabit.com wrote:

Hi tor-talk, I'm not sure where else to ask this question so I give my apologies if this is off-topic. Please feel free to suggest a better list/forum/website. I've had a personal email account with GMail since it was invite-only, but lately I've read a few stories about Google's use of our emails to provide better targeted advertising to its users. These stories make me uncomfortable and, continuing with my (slow) changeover from Google services and products, I would like to change. In no particular order, what I would like from the email provider is:

* Privacy-conscious (don't parse my emails to target advertisements to users)
* Reasonable storage space (I currently have 418 emails using ~100MB in my personal GMail account)
* Don't close the account if I don't log in with the web interface in {X} days
* IMAP preferred but POP will suffice
* Free would be nice (I don't want to lose my email account if I lose my job)

In the past I used http://www.autistici.org/en/services/mail.html

But really, it is not very difficult to just register a domain and run your own Postfix/Dovecot setup, and doable even on residential dynamic IPs (with low TTL on MX records). Sending from a dynamic IP is more complicated due to everyone's spam-filtering; but you can send via your ISP's SMTP server (chances are they do provide one), or via some free webmail service's SMTP, or via the above-mentioned autistici.

-- With respect, Roman
Re: [tor-talk] Email provider for privacy-minded folk
I rather like tormail, because the provider can't hand over any information even if they wanted to. You access it via a .onion so the actual locations of the remailers is unknown.

None of Tor Mail's mail systems are hosted on this server, or on any server that you can find the IP address. Seizing or shutting down this web site will have no effect on Tor Mail's services. Tor Mail consists of several servers, a Tor hidden service, and an incoming and outgoing internet facing mail servers. These internet facing mail servers are relays, they relay mail in and out of the Tor network, the relays are purchased anonymously and not traceable to us. The only thing stored on the hard drive of those servers is the Exim mail server, and the Tor software. No emails or logs or anything important are stored on those servers, thus it doesn't matter if they are seized or shut down. We are prepared to quickly replace any relay that is taken offline for any reason. Tor Mail's goal is to provide completely anonymous and private communications to anyone who needs it. We are anonymous and cannot be forced to reveal anything about a Tor Mail user. You can only sign up and access Tor Mail via our Tor Hidden Service, we do not ask for any identifying information such as name or address, our service is free so we do not have billing information and tor hidden services cannot see your IP so we have no way to identify any user.

Sensitive or private communication, should be encrypted with pgp, and this must be at the user's end, ie with enigmail+thunderbird for example. Any web-mail provider that does 'pgp' or stores your pgp keys isn't beyond handing those keys over. I think in the past hushmail has done so. http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

Unfortunately I've found a couple of problems, sometimes I get a message from the tor-talk mailing list like: Your membership in the mailing list tor-talk has been disabled due to excessive bounces The last bounce received from you was dated DD-MMM-. However clicking the link in the email seems to fix it. I'm on some other mailing lists like liberationtech I haven't had any issues.

-- scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313
Re: [tor-talk] Email provider for privacy-minded folk
On Tue, 2013-02-12 at 10:13 +0100, Karsten N. wrote:

On 02/12/2013 01:47 AM, bvvq wrote:

I would like to change.

You may try VFEmail https://www.vfemail.net/ For a one-time payment of $15 you get a good service. Use an anonymous prepaid credit card to stay anonymous. Free service works well with SMTP, POP and IMAP too but contains ads and taglines. Best regards Karsten N.

I use riseup.net -- I trust their promise not to store any logs, I know they'll never block Tor, and they don't have any ads in their web interface. That said, if you're financially stable in a first-world country, you should probably throw some bitcoins their way to cover the cost of your email account (they recommend you donate three hours' worth of pay per year IIRC, which is pretty trivial for most people).

-- Sent from Ubuntu
Re: [tor-talk] Email provider for privacy-minded folk
On 12/02/2013 10:42, Roman Mamedov wrote:

In the past I used http://www.autistici.org/en/services/mail.html

I recommend autistici.org if you are in Europe, it's based in Italy. Reliable service with strong privacy mind, good Italian/English communication with users in case of outages and other issues.

Jan
Re: [tor-talk] Email provider for privacy-minded folk
On 2/12/2013 8:41 AM, Ted Smith wrote:

I use riseup.net -- I trust their promise not to store any logs, I know they'll never block Tor, and they don't have any ads in their web interface. That said, if you're financially stable in a first-world country, you should probably throw some bitcoins their way to cover the cost of your email account (they recommend you donate three hours' worth of pay per year IIRC, which is pretty trivial for most people).

How difficult is it to get an acct w/ riseup if you apply, rather than have 2 recommendations from members? I don't know any riseup members & forgot how you get the recommendations from members, to riseup. I don't have a problem w/ their political & social stance - it's a free country. I'm not sure what they look for in the application to approve or reject an acct.

How well do they handle support issues? Only by email? Typical response time for serious issues?

Due to their low storage limit, I guess you just immediately delete msgs when d/l w/ a client? Attachment size limit is very small.
Re: [tor-talk] Email provider for privacy-minded folk
On 12.02.2013 17:09, Jan Reister wrote:

On 12/02/2013 10:42, Roman Mamedov wrote:

In the past I used http://www.autistici.org/en/services/mail.html

I recommend autistici.org if you are in Europe, it's based in Italy. Reliable service with strong privacy mind, good Italian/English communication with users in case of outages and other issues.

I can also vouch for the guys at autistici. The server though is not in Italy, but at XS4ALL in the Netherlands - which I think is good, Italy isn't exactly the privacy friendliest place on earth...

-- Moritz Bartl https://www.torservers.net/
Re: [tor-talk] Email provider for privacy-minded folk
On 2/12/2013 12:47 PM, Moritz Bartl wrote:

On 12.02.2013 17:09, Jan Reister wrote:

On 12/02/2013 10:42, Roman Mamedov wrote:

In the past I used http://www.autistici.org/en/services/mail.html

I recommend autistici.org if you are in Europe, it's based in Italy. Reliable service with strong privacy mind, good Italian/English communication with users in case of outages and other issues.

I can also vouch for the guys at autistici. The server though is not in Italy, but at XS4ALL in the Netherlands - which I think is good, Italy isn't exactly the privacy friendliest place on earth...

I went & read a LOT on their site. One problem is, they say it may take 1 day or 10 to answer a support request. They're all volunteers. That's fine. Except if the support issue is your acct is locked, not because of your actions, 10 days is a long time to wait. I didn't see if they offer aliases (or disposable addresses). I assume not?

I've never had an email acct get hacked (yet). Either lucky or because use strong PWs & nonsensical security answers (if used) that no one could guess or even friends would know. But, I've read a good way to increase security (as hackers ramp up their game) is w/ provider that offers alias addresses, open an acct w/ a real address. Immediately, create an alias address (maybe a name you wanted, anyway) - that links to the real (main) address. Don't ever use the real address, so no one ever sees it. Would make it much harder to hack when no one has the *real address*, that's needed to login to the acct to make acct changes, or even request by phone to reset the PW.
Re: [tor-talk] Email provider for privacy-minded folk
Joe Btfsplk joebtfs...@gmx.com wrote:

Hello, Though I don't use them - yet, Lavabit is more serious about privacy, has reasonable storage (nothing as large as gmail).

I have had good luck with Lavabit as well, but according to people on another list, they've started restricting accounts for Tor users because of abuse.

Riseup.net is VERY serious about privacy. In fact, you have to apply for an acct. They have fairly small storage limits. But w/ any provider, you can always d/l & store important msgs.

This is an oft-overlooked point about Riseup. They never did approve me for an account. I'm sketchy. ;P My only real concern about Riseup is that with so many activists moving to one provider, it makes an attractive target for both law enforcement and infrastructure attacks.

~Griffin
Re: [tor-talk] Email provider for privacy-minded folk
On Tue, 2013-02-12 at 11:23 -0600, Joe Btfsplk wrote:

On 2/12/2013 8:41 AM, Ted Smith wrote:

I use riseup.net -- I trust their promise not to store any logs, I know they'll never block Tor, and they don't have any ads in their web interface. That said, if you're financially stable in a first-world country, you should probably throw some bitcoins their way to cover the cost of your email account (they recommend you donate three hours' worth of pay per year IIRC, which is pretty trivial for most people).

How difficult is it to get an acct w/ riseup if you apply, rather than have 2 recommendations from members? I don't know any riseup members & forgot how you get the recommendations from members, to riseup. I don't have a problem w/ their political & social stance - it's a free country. I'm not sure what they look for in the application to approve or reject an acct.

Probably some sort of social/political goal that they agree with, though if you said you were mostly interested in privacy and were willing to donate more than they recommend, I somewhat doubt they'd turn you down. I don't know how difficult it is; I got this account a long time ago, and when I did I knew people using Riseup. The way you get recommendations is by generating an invite code on user.riseup.net.

How well do they handle support issues? Only by email? Typical response time for serious issues?

I rarely need support, but when I have a question for the Riseup people they're always in IRC.

Due to their low storage limit, I guess you just immediately delete msgs when d/l w/ a client? Attachment size limit is very small.

I immediately delete messages from the server anyway; but before I did that I raised my quota (you can do it from their user page). I justified that to myself by giving them more support, as they mention on the page where you can raise your quota.

-- Sent from Ubuntu
Re: [tor-talk] Email provider for privacy-minded folk
Hello bvvq: Gmail is horrid. The only way I can think of to get Google off my path is to encrypt all the e-mails I send through them. The only problem is that I can't get anyone I know to download the software they would need to decrypt. I'm pretty sure the only way around all that is to get a paid type of account. I think the next-best thing might be to delete the e-mails off your server after you download them to your computer.

-Mysterious Flyer

On Tue, 12 Feb 2013 11:47:53 +1100 bvvq beveryveryqu...@lavabit.com wrote:

Hi tor-talk, I'm not sure where else to ask this question so I give my apologies if this is off-topic. Please feel free to suggest a better list/forum/website. I've had a personal email account with GMail since it was invite-only, but lately I've read a few stories about Google's use of our emails to provide better targeted advertising to its users. These stories make me uncomfortable and, continuing with my (slow) changeover from Google services and products, I would like to change. In no particular order, what I would like from the email provider is:

* Privacy-conscious (don't parse my emails to target advertisements to users)
* Reasonable storage space (I currently have 418 emails using ~100MB in my personal GMail account)
* Don't close the account if I don't log in with the web interface in {X} days
* IMAP preferred but POP will suffice
* Free would be nice (I don't want to lose my email account if I lose my job)

Anonymous-/encryption-type services offered by HushMail or Safe-Mail aren't a priority for me; I mostly want something reliable, long-lasting, and not doing a Google on my emails. I appreciate your advice.
Re: [tor-talk] Email provider for privacy-minded folk
There are some good ones out there, but if you're using Tor to create the account and login, you should know that many have started blocking Tor users (or deactivating their accounts in the case of Yahoo). Size could also be an issue, but if you're deleting them off the server on download, then that problem goes away.

~Griffin

On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote:

Hello bvvq: Gmail is horrid. The only way I can think of to get Google off my path is to encrypt all the e-mails I send through them. The only problem is that I can't get anyone I know to download the software they would need to decrypt. I'm pretty sure the only way around all that is to get a paid type of account. I think the next-best thing might be to delete the e-mails off your server after you download them to your computer.

-Mysterious Flyer

On Tue, 12 Feb 2013 11:47:53 +1100 bvvq beveryveryqu...@lavabit.com wrote:

Hi tor-talk, I'm not sure where else to ask this question so I give my apologies if this is off-topic. Please feel free to suggest a better list/forum/website. I've had a personal email account with GMail since it was invite-only, but lately I've read a few stories about Google's use of our emails to provide better targeted advertising to its users. These stories make me uncomfortable and, continuing with my (slow) changeover from Google services and products, I would like to change. In no particular order, what I would like from the email provider is:

* Privacy-conscious (don't parse my emails to target advertisements to users)
* Reasonable storage space (I currently have 418 emails using ~100MB in my personal GMail account)
* Don't close the account if I don't log in with the web interface in {X} days
* IMAP preferred but POP will suffice
* Free would be nice (I don't want to lose my email account if I lose my job)

Anonymous-/encryption-type services offered by HushMail or Safe-Mail aren't a priority for me; I mostly want something reliable, long-lasting, and not doing a Google on my emails. I appreciate your advice.

-- What do you think Indians are supposed to look like? What's the real difference between an eagle feather fan and a pink necktie? Not much. ~Sherman Alexie
PGP Key etc: https://www.noisebridge.net/wiki/User:Fontaine
Re: [tor-talk] Email provider for privacy-minded folk
* Privacy-conscious (don't parse my emails to target advertisements to
Anonymous-/encryption-type services offered by HushMail or Safe-Mail

That rules out gmail, yahoo, hotmail/live. Few services will state they don't, and statements are no guarantee. Privacy (OpenPGP, etc) is your responsibility, there is no trust. There are activist mail providers out there, you will have to look for them. They probably won't willingly shovel your data to the mine, but still.

* Free would be nice (I don't want to lose my email account if I lose my

The rest are just shopping items, but when you do find one, consider sending them a donation and a note about why you chose them once in a while. Because with no ads and no selling and mining you, they need to make their money the normal way. Try giving $5/yr to fastmail and don't abuse them in return. Since you don't seem to have a major issue with paying, that should work, as does their mail.
Re: [tor-talk] Email provider for privacy-minded folk
On 2/11/2013 6:47 PM, bvvq wrote:

Hi tor-talk, I'm not sure where else to ask this question so I give my apologies if this is off-topic. Please feel free to suggest a better list/forum/website. I've had a personal email account with GMail since it was invite-only, but lately I've read a few stories about Google's use of our emails to provide better targeted advertising to its users. These stories make me uncomfortable and, continuing with my (slow) changeover from Google services and products, I would like to change. In no particular order, what I would like from the email provider is:

* Privacy-conscious (don't parse my emails to target advertisements to users)
* Reasonable storage space (I currently have 418 emails using ~100MB in my personal GMail account)
* Don't close the account if I don't log in with the web interface in {X} days
* IMAP preferred but POP will suffice
* Free would be nice (I don't want to lose my email account if I lose my job)

Anonymous-/encryption-type services offered by HushMail or Safe-Mail aren't a priority for me; I mostly want something reliable, long-lasting, and not doing a Google on my emails. I appreciate your advice.

Hello, Though I don't use them - yet, Lavabit is more serious about privacy, has reasonable storage (nothing as large as gmail). Riseup.net is VERY serious about privacy. In fact, you have to apply for an acct. They have fairly small storage limits. But w/ any provider, you can always d/l & store important msgs.

Here's an article someone pointed out on email providers privacy; if allow signing up w/ Tor, etc.: the_simple_computer http://www.thesimplecomputer.info/articles/email-for-privacy.html They all have + & -, depending on needs. For many, if read TOS & Privacy Policy closely, they may be better than gmail, but not as private as their hype says.

I took the info from The Simple Computer article & made a chart, plus current data (some not in the article) from several providers' sites. If anyone was interested & if I knew how to (easily) get it uploaded - somewhere - I could do that. It's not the be all end all, but has current info on several providers, including how long they retain data. It's now in pdf and / or .ODT format. I don't know if it's possible to attach small files to tor-talk emails.
Re: [tor-talk] Email provider for privacy-minded folk
On 2/11/2013 9:51 PM, Griffin Boyce wrote:

There are some good ones out there, but if you're using Tor to create the account and login, you should know that many have started blocking Tor users (or deactivating their accounts in the case of Yahoo). Size could also be an issue, but if you're deleting them off the server on download, then that problem goes away. ~Griffin

On Mon, Feb 11, 2013 at 10:10 PM, Mysterious Flyer mysteriousfl...@yahoo.com wrote:

Interesting. I haven't logged into my Tor / Yahoo acct in a week or so - I may be surprised.
Re: [tor-talk] Email provider for privacy-minded folk
On 2/11/2013 10:04 PM, grarpamp wrote:

* Privacy-conscious (don't parse my emails to target advertisements to
Anonymous-/encryption-type services offered by HushMail or Safe-Mail

That rules out gmail, yahoo, hotmail/live. Few services will state they don't, and statements are no guarantee. Privacy (OpenPGP, etc) is your responsibility, there is no trust. There are activist mail providers out there, you will have to look for them. They probably won't willingly shovel your data to the mine, but still.

* Free would be nice (I don't want to lose my email account if I lose my

The rest are just shopping items, but when you do find one, consider sending them a donation and a note about why you chose them once in a while. Because with no ads and no selling and mining you, they need to make their money the normal way. Try giving $5/yr to fastmail and don't abuse them in return. Since you don't seem to have a major issue with paying, that should work, as does their mail.

Whether a provider is good depends partly on one's expectations. For $5 you can get a Fastmail.fm acct w/ no ads. But if you're looking for your mail to be deleted from logs quickly (or possibly ever), after you delete it from their server, look elsewhere. Their official policy is it may not be practical for it to be deleted from all logs. It depends on what one wants / needs, in terms of privacy. Other providers rarely keep backup logs, some like Lavabit, usually delete logs of incoming mail within 7 days. Records of outgoing mail are deleted as soon as they are delivered. Like you said, (true) privacy is the user's responsibility.