Re: [ubuntu-uk] OT - secure email?
On 4 September 2013 12:28, Nigel Verity nigelver...@hotmail.com wrote:
> [SNIP]
> I suspect that the solution fundamentally relies on denying access to encryption keys to anybody other than the sender and the intended recipient. The system based on page, line numbers and word positions in a commonly available book worked well for the SOE during WW2. With so much digital media available today, perhaps an updated version of that approach might provide a pointer.

Thank you for the mail as a whole, you've succinctly wrapped up the issues in a much clearer way than I could!

With regards to your last comment (included above), just bear in mind that in the UK, should you be arrested and requested to hand over your decryption keys, you are required to comply with that request, by law, under RIPA (http://wiki.openrightsgroup.org/wiki/Regulation_of_Investigatory_Powers_Act_2000/Part_III). For many that won't be an issue, but just bear it in mind.

Regards,
--
Jon "The Nice Guy" Spriggs

--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/
Re: [ubuntu-uk] OT - secure email?
On 05/09/13 12:57, Jon Spriggs wrote:
> On 4 September 2013 12:28, Nigel Verity nigelver...@hotmail.com wrote:
>> [SNIP]
>> I suspect that the solution fundamentally relies on denying access to encryption keys to anybody other than the sender and the intended recipient. The system based on page, line numbers and word positions in a commonly available book worked well for the SOE during WW2. With so much digital media available today, perhaps an updated version of that approach might provide a pointer.
>
> Thank you for the mail as a whole, you've succinctly wrapped up the issues in a much clearer way than I could!
>
> With regards to your last comment (included above), just bear in mind that in the UK, should you be arrested and requested to hand over your decryption keys, you are required to comply with that request, by law, under RIPA (http://wiki.openrightsgroup.org/wiki/Regulation_of_Investigatory_Powers_Act_2000/Part_III). For many that won't be an issue, but just bear it in mind.
>
> Regards,
> --
> Jon "The Nice Guy" Spriggs

It gets worse?
http://falkvinge.net/2012/07/12/in-the-uk-you-will-go-to-jail-not-just-for-encryption-but-for-astronomical-noise-too/

--
alan cocks
Re: [ubuntu-uk] OT - secure email?
I think that The Nice Guy and Liam Proven make excellent points which illustrate both ends of the security/interception issue.

Most people are not involved in radical politics, crime or anything else which could prove, at the very least, embarrassing if made public. For them the notion "you have nothing to fear if you are not doing anything wrong" probably hits the mark. That is the luxury of living in a country with a relatively benign system of government.

There are, however, plenty of places where things we take to be perfectly acceptable, such as moaning about the government, watching a bit of adult entertainment or encouraging friends to go to church, can land someone in seriously hot water. Helping those people should be the driver behind finding ways of defeating interception. Everyone will subsequently benefit, whether they see email security as an issue or not. As with any issue, it's for the people who do understand the problem to do something about it. Waiting for the mainstream to call for action probably means leaving it too late.

The analogy of an email being a postcard rather than a letter makes the point really well. I am convinced that total security and anonymity on the internet is impossible, but if the communication process involves a sufficiently large number of chain links then, due to the vast number of messages, routine interception becomes impractical. It's a product of permutations and probabilities.

I suspect that the solution fundamentally relies on denying access to encryption keys to anybody other than the sender and the intended recipient. The system based on page, line numbers and word positions in a commonly available book worked well for the SOE during WW2. With so much digital media available today, perhaps an updated version of that approach might provide a pointer.

Regards
Nige
Re: [ubuntu-uk] OT - secure email?
> Most people are not involved in radical politics, crime or anything else which could prove, at the very least, embarrassing if made public. For them the notion "you have nothing to fear if you are not doing anything wrong" probably hits the mark. That is the luxury of living in a country with a relatively benign system of government.
>
> There are, however, plenty of places where things we take to be perfectly acceptable, such as moaning about the government, watching a bit of adult entertainment or encouraging friends to go to church, can land someone in seriously hot water. Helping those people should be the driver behind finding ways of defeating interception. Everyone will subsequently benefit, whether they see email security as an issue or not. As with any issue, it's for the people who do understand the problem to do something about it. Waiting for the mainstream to call for action probably means leaving it too late.
>
> I suspect that the solution fundamentally relies on denying access to encryption keys to anybody other than the sender and the intended recipient. The system based on page, line numbers and word positions in a commonly available book worked well for the SOE during WW2. With so much digital media available today, perhaps an updated version of that approach might provide a pointer.

Hello,

Thanks for this conversation. I finally think I understood mail encryption thanks to Cory Doctorow's "Little Brother".

How about as a starting point we all sign our emails with the public key? That will get people curious. The K-9 email client for Android seems to have some support for it. I seem to recall that before the Snowden stuff someone in this mailing list did this and made me think about it a bit.
[ubuntu-uk] OT - secure email?
Given the revelations about PRISM, I now use an encrypted cloud service, but am concerned about using the usual suspects for email. Does anyone have any thoughts about a free or minimal cost secure email? (Must support IMAP).

Ta!

--
Sent from my Kindle
Re: [ubuntu-uk] OT - secure email?
http://hak5.org/episodes/hak5-1410

Worth a look.

On Tue, Sep 3, 2013 at 10:18 AM, Gordon C Burgess-Parker gbpli...@gmail.com wrote:
> Given the revelations about PRISM, I now use an encrypted cloud service, but am concerned about using the usual suspects for email. Does anyone have any thoughts about a free or minimal cost secure email? (Must support IMAP).
>
> Ta!
>
> --
> Sent from my Kindle
Re: [ubuntu-uk] OT - secure email?
On 3 September 2013 10:18, Gordon C Burgess-Parker gbpli...@gmail.com wrote:
> Given the revelations about PRISM, I now use an encrypted cloud service, but am concerned about using the usual suspects for email. Does anyone have any thoughts about a free or minimal cost secure email? (Must support IMAP).

https://mykolab.com/

Cheers,
Al.
Re: [ubuntu-uk] OT - secure email?
Gordon,

On 03/09/13 10:18, Gordon C Burgess-Parker wrote:
> Given the revelations about PRISM, I now use an encrypted cloud service, but am concerned about using the usual suspects for email. Does anyone have any thoughts about a free or minimal cost secure email? (Must support IMAP).

What do you mean by "secure"? Comms between your client and the server is encrypted? Individual messages encrypted in transit and stored encrypted? The best way to achieve the latter is to use PGP, but that requires your recipients to use PGP.

Of course, however secure your e-mail system is, as soon as you send something to an insecure system you've exposed everything!

Regards,
Tony.
--
Tony Arnold, Tel: +44 (0) 161 275 6093
Head of IT Security, Fax: +44 (0) 705 344 3082
University of Manchester, Mob: +44 (0) 773 330 0039
Manchester M13 9PL. Email: tony.arn...@manchester.ac.uk
Re: [ubuntu-uk] OT - secure email?
Sadly, even MyKolab isn't really secure [0]

Realistically, what are you looking for? It's like the famous "Easy, cheap or secure, pick 2" statement...

If it's protecting the messages you have sent from inspection (casual or otherwise on the server), use something like GPG/PGP. Consider backing MailPile [1], which is a mail client which bakes GPG into the UI; it's not an afterthought. Bear in mind however, that GPG doesn't protect the metadata of your e-mail, so all the headers are still there. You may be able to circumvent that by going via Tor, but still...

If it's protecting the messages in transit between your client and your server (in case of someone running a packet capture between you and your mail server), ensure they're running TLS-encrypted SMTP and TLS-encrypted IMAP.

If you want to completely harden your mails, look at BitMessage [2], which, as a benefit, doesn't require a mail server, as your client is a P2P node, in a very similar way to how bitcoin works. Bear in mind though, it's a very new technology, has a small number of users, has limited client support (nothing on Android/iOS etc), and hasn't even had a security audit yet.

Out of interest though, please let us know how you get on, and where you decided to go next.

[0] https://twitter.com/SGgrc/statuses/370210611411423232
[1] http://www.indiegogo.com/projects/mailpile-taking-e-mail-back
[2] https://bitmessage.org

Regards,
--
Jon "The Nice Guy" Spriggs

On 3 September 2013 10:32, Alan Pope a...@popey.com wrote:
> On 3 September 2013 10:18, Gordon C Burgess-Parker gbpli...@gmail.com wrote:
>> Given the revelations about PRISM, I now use an encrypted cloud service, but am concerned about using the usual suspects for email. Does anyone have any thoughts about a free or minimal cost secure email? (Must support IMAP).
>
> https://mykolab.com/
>
> Cheers,
> Al.
Re: [ubuntu-uk] OT - secure email?
On 3 September 2013 11:55, Jon Spriggs j...@sprig.gs wrote:
> Sadly, even MyKolab isn't really secure [0]

Got anything better than a single tweet from Steve "RAW SOCKETS!" Gibson? I have a hard time taking anything he says seriously.

Cheers,
Al.
Re: [ubuntu-uk] OT - secure email?
OK, there's a longer form version of it on a recent Security Now podcast (again, Steve Gibson), but the long and short of it is that the NSA (and GCHQ, and I'm sure there are many many more) are (in theory) inspecting traffic upstream of the various data centres that Google, Yahoo, et al are using, and therefore, unless your S2S (server to server) connections are also using TLS (only Google supports that, I believe), then no matter how secure your C2S (client to server) connection is, no matter how much your ISP promises not to inspect the content, whenever the resultant mail leaves that server and crosses an interception point, it will be parsed by government agencies.

There are rumours (although I don't recall the source) that the NSA etc. are requesting the expired TLS certificates from companies such as Google, so they can decrypt the stored-for-later-decryption collection of packets.

Ultimately, we should have moved off SMTP as a communication method many years ago (in the same way we moved away from telnet and FTP), but it's an easily understood and implemented protocol that non-techies can grasp. The move from HTTP to HTTPS was prompted by the financial industries worried about the risks of interception, but this is easily controlled because the focal point of an HTTPS connection is the same as the focal point of an HTTP connection, and so it's relatively simple to redirect that HTTP (insecure) connection to an HTTPS (secured) connection, just by saying "Don't ask here, ask over there..."; there's nothing inherent in the SMTP protocols (as far as I can tell) that would do the same thing, plus the decentralized and S2S nature of SMTP makes it much harder to say "Don't use plain text with this host".

Just to clarify, I'm not saying MyKolab is particularly a bad actor here (I don't really know much about them, beyond the fact that PJ promoted them and Steve suggested that wasn't a great idea), but by suggesting it is a secure host you are ignoring the underlying problems in SMTP as a whole, especially as the initial question was started with "Given the revelations about PRISM".

Personally, I'd prefer to see something on an always-on device such as an Android or iOS phone that is physically local to you, which provides your mail services, either using something like BitMessage, or SMTP which has forced GPG encryption before relaying (ideally over Tor), so that the communications are always managed by you... but this won't happen until more people get concerned about this stuff.

Regards,
--
Jon "The Nice Guy" Spriggs

On 3 September 2013 12:09, Alan Pope a...@popey.com wrote:
> On 3 September 2013 11:55, Jon Spriggs j...@sprig.gs wrote:
>> Sadly, even MyKolab isn't really secure [0]
>
> Got anything better than a single tweet from Steve "RAW SOCKETS!" Gibson? I have a hard time taking anything he says seriously.
>
> Cheers,
> Al.
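Jon's point that SMTP has no built-in way to say "Don't use plain text with this host" comes down to how a sending server treats the next hop's EHLO reply: STARTTLS (RFC 3207) is only offered as an extension in that reply, and nothing in the protocol forces the sender to insist on it. The Python below is an added illustration, not code from anyone in the thread; it parses constructed EHLO replies (hostnames and sizes are made up) and shows that an opportunistic policy silently falls back to plaintext when the STARTTLS line is absent, while a mandatory policy refuses the hop instead.

```python
"""Opportunistic vs. mandatory TLS on one SMTP hop, simulated offline.

A sending server only learns whether the next hop offers TLS from the
multi-line 250 reply to EHLO (RFC 5321) and the STARTTLS extension
(RFC 3207). Whether it then refuses to send in the clear is purely a
local policy decision. The replies below are constructed samples.
"""
from enum import Enum

# Constructed: a server that advertises STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# Constructed: the same server as seen when the STARTTLS line never
# arrives (a server that does not offer TLS, or an on-path device that
# removed the line). The sender cannot tell these two cases apart.
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # use TLS if offered, else plaintext
    MANDATORY = "mandatory"          # never deliver this hop in the clear


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Return {EXTENSION: [params]} from a multi-line EHLO reply.

    The first line is the greeting, not an extension. Any line whose
    reply code is not 250 means EHLO failed, so no extensions are known.
    """
    lines = [line for line in reply.split("\r\n") if line]
    extensions: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        fields = line[4:].split()  # skip the '250-' or '250 ' prefix
        if fields:
            extensions[fields[0].upper()] = fields[1:]
    return extensions


def next_hop_decision(reply: str, policy: Policy) -> str:
    """Decide how to deliver on this hop: 'tls', 'plaintext' or 'refuse'."""
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    if policy is Policy.MANDATORY:
        return "refuse"  # keep the message queued rather than expose it
    return "plaintext"   # the default SMTP behaviour the thread warns about


if __name__ == "__main__":
    for name, reply in (("advertised", EHLO_WITH_STARTTLS),
                        ("absent", EHLO_WITHOUT_STARTTLS)):
        for policy in Policy:
            print(f"STARTTLS {name:10} {policy.value:13} -> "
                  f"{next_hop_decision(reply, policy)}")
```

The cost of the mandatory policy is that mail to a host that genuinely lacks TLS sits in the queue until it times out, which is why most servers default to opportunistic and why the hop Jon describes is so often plaintext.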
Re: [ubuntu-uk] OT - secure email?
On 3 September 2013 13:51, Jon Spriggs j...@sprig.gs wrote:
> unless your [...] Server to Server [...] connections are also [encrypted] then no matter how secure your [...] client to server [...] connection is, [...] whenever the resultant mail leaves that server and crosses an interception point, it will be parsed

Doesn't everyone with 0.5 of a clue know this?

The Internet is a public place. It doesn't matter how many passwords you put on anything, what ticky-boxes you enable, /all internet communications are public./

Emails do not have an envelope. They are not letters, they are postcards. Anyone can grab one as they go past and read what it says.

This is why email encryption exists. It is why we have PGP and Enigmail and all that sort of thing. It is why people bother with codes and cyphers and encryption.

Scott McNealy said it in about 1996: "You *have* no privacy on the Internet. Get over it."

Facebook, Twitter, blogs, fora, it doesn't matter. Once you hit send, it's public.

--
Liam Proven • Profile: http://lproven.livejournal.com/profile
Email: lpro...@cix.co.uk • GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lpro...@hotmail.com • Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 • Cell: +44 7939-087884
Re: [ubuntu-uk] OT - secure email?
On 3 September 2013 15:38, Jon Spriggs j...@sprig.gs wrote:
> On 3 September 2013 14:51, Liam Proven lpro...@gmail.com wrote:
>> Doesn't everyone with 0.5 of a clue know this?
>
> Frankly, no. As soon as (if not before) the "NSA whistleblower is in Hong Kong" headlines dropped off the BBC front page, outside of those of us who actually care about this stuff stopped being interested, and went back to sharing cat photos with my family. My wife doesn't care, and frankly is bored witless of me waffling on about it.
>
> [SNIP]
>
>> Scott McNealy said it in about 1996: "You *have* no privacy on the Internet. Get over it."
>
> It doesn't have to be like this. In code we can solve this; the problem is getting a usable interface, a compelling reason and a good marketing team to solve the last 5%. Mailpile might be able to do it, bitmessage could also, but all the time it's just the Tin Foil Hat Wearers Brigade (mine just covers the tips of my ears) and the Free-as-in-Freedom crowd banging on about it, the rest of the world won't give a flying "Ooo, You're a kitty!" (http://xkcd.com/231/)

Exactly. Your wife doesn't know and, as you yourself said, *doesn't care*.

The thing to do is not try to build more little isolated secure bits of the Internet. There is absolutely no use or point to a "secure email service" because as soon as you use it to email anyone else it /ceases/ to be secure. In other words, the selling point of the tool immediately stops applying the instant that you use it.

Summary: chocolate teapot. Completely and utterly useless.

So the smart thing to do is to get the message out there and make sure that people know that the Internet is public, what they are doing can be observed and tracked, and if you don't want people to know or see what you're doing online then don't do it online in the first place.

That is the /only/ real solution.

If you like, sure, start a secure email service in some jurisdiction that permits you - i.e. not N America, the EU or much of the world - and make it dead easy to send and receive full round-trip encrypted email. But if the other end isn't using it too, it's useless. It'll cost a lot to do it, and since email is now as free as air, you won't make a penny from it unless you come up with a remarkable, fascinating new spin on the Freemium model.

Meantime, next best thing, given we're on an Ubuntu forum? Make it super stupid easy to do PGP email in Thunderbird. I've done it before, for an employer who insisted on it. I'm a skilled techie with over 2 decades' experience. It took me days of research and hours of work. It was horrid, a nightmare.

That's the problem to fix. Not introducing new secure email protocols, which won't do a damned bit of good. Because http://xkcd.com/927/

You cannot fix the insecurity of email for unskilled users with new tools. All the tools *already exist,* they're just too hard to use.

http://xkcd.com/1200/
http://xkcd.com/538/
http://xkcd.com/1181/

--
Liam Proven • Profile: http://lproven.livejournal.com/profile
Email: lpro...@cix.co.uk • GMail/G+/Twitter/Flickr/Facebook: lproven
MSN: lpro...@hotmail.com • Skype/AIM/Yahoo/LinkedIn: liamproven
Tel: +44 20-8685-0498 • Cell: +44 7939-087884
Re: [ubuntu-uk] OT - secure email?
On 3 September 2013 14:51, Liam Proven lpro...@gmail.com wrote:
> Doesn't everyone with 0.5 of a clue know this?

Frankly, no. As soon as (if not before) the "NSA whistleblower is in Hong Kong" headlines dropped off the BBC front page, outside of those of us who actually care about this stuff stopped being interested, and went back to sharing cat photos with my family. My wife doesn't care, and frankly is bored witless of me waffling on about it.

[SNIP]

> Scott McNealy said it in about 1996: "You *have* no privacy on the Internet. Get over it."

It doesn't have to be like this. In code we can solve this; the problem is getting a usable interface, a compelling reason and a good marketing team to solve the last 5%. Mailpile might be able to do it, bitmessage could also, but all the time it's just the Tin Foil Hat Wearers Brigade (mine just covers the tips of my ears) and the Free-as-in-Freedom crowd banging on about it, the rest of the world won't give a flying "Ooo, You're a kitty!" (http://xkcd.com/231/)

--
Jon "The Nice Guy" Spriggs