On this page, you will find a listing of various email service providers.
Visit here for specific information about their security and privacy (the site is refreshed every 30 minutes).
The following email providers are privacy-friendly and offer secure SSL encryption for POP3 and SMTP. The HTTPS configuration of some web interfaces is not genuinely secure, and email tracking features are not blocked at all if you use the web interface. We recommend using an email client like Mozilla Thunderbird for email communication to avoid these flaws. (The random order of the list is not an assessment.)
| Provider | Comment |
|---|---|
| neomailbox.com | offers secure, anonymous e-mail accounts hosted in Switzerland, sender IP hiding, for $3.33 per month, anonymous payment with Pecunix, secure HTTPS encryption for the web interface |
| Posteo and aikQ | German mail providers, servers located in Germany, accounts from 1 € per month, anonymous accounts possible, anonymous payment by letter, secure HTTPS encryption |
| Mailbox.org | German mail provider, servers located in Germany, anonymous accounts from 1 € per month with calendar, address book, file sharing, OpenPGP-encrypted mailbox and mail delivery only over SSL/TLS possible, sender IP hiding, anonymous payment by letter and Bitcoin, secure HTTPS encryption |
| JPBerlin | German mail provider, politically committed, servers located in Germany, accounts from 1 € per month, the user address is used only for the bill and fake addresses are accepted as well, anonymous payment possible by letter and Bitcoin, secure HTTPS encryption |
| runbox.com | Runbox Solutions AS is a Norwegian limited company, servers located in Norway, accounts for $1.66 per month, anonymous payment by postal letter possible, secure HTTPS encryption |
| VFEmail | anonymous mail provider, free and premium, sender IP hiding for premium users, use a temporary e-mail address for registration and choose hosting in the Netherlands, disposable addresses, secure HTTPS encryption |
| ETHICmail | offshore corporation (Seychelles), operators located in Gibraltar, servers located in Japan and Switzerland, two accounts from $11.90 per month, emergency wipe of the mailbox by SMS possible, secure HTTPS encryption |
| CryptoHeaven | anonymous accounts from $60 per year, offshore corporation, servers located in Canada, flaws in HTTPS encryption |
| Private DE Mail | supported by donations (not free as in free beer), free anonymous email accounts with POP3/IMAP/SMTP, operator unknown(!) and NOT listed on the website, Tor hidden services for all protocols |
| XMAIL.net | operated by Aaex Corp, registered in the British Virgin Islands, servers located in Canada, free version with POP3 but without SMTP, premium accounts from $10 per year, flaws in HTTPS encryption |
| MyKolab.com | Swiss-hosted groupware with address book, calendar and email, email accounts for 4.41 CHF per month with SMTP/IMAP/POP3, groupware accounts for 10 CHF per month, no third-party ads in the web interface, secure HTTPS encryption |
| Associazione-Investici, Nadir.org, AktiviX.org | services for political activists, also offer blogs and mailing lists, you have to give proof of your political activities but a real name is not required |
Due to the US PATRIOT Act (especially p. 215ff) and the fourth amendment to the FISA Amendments Act it is possible for US authorities to eavesdrop on the communication of non-US citizens without a warrant. According to the US authorities it is enough that the servers are located in the US. In the EC study Fighting cyber crime and protecting privacy in the cloud the authors warn about political surveillance. That is why we can recommend the following email providers only partially.
Security notes: Information about long-term communication partners can be used to figure out your real identity! If you need a highly anonymous e-mail account to do something, maybe for whistleblowing, create a new mail account and use it only for this one job. Delete the account when the job is done and never use it for other communication partners.
Users of GMail accounts may have problems using TorBirdy and anonymisation services like JonDonym. The Google account security team wrote an answer in response to questions from the Tor community:
Hello,
I work for Google as TL of the account security system that is blocking your access.
Access to Google accounts via Tor (or any anonymizing proxy service) is not allowed unless you have established a track record of using those services beforehand. You have several ways to do that:
- With Tor active, log in via the web and answer a security quiz, if any is presented. You may need to receive a code on your phone. If you don’t have a phone number on the account the access may be denied.
- Log in via the web without Tor, then activate Tor and log in again WITHOUT clearing cookies. The GAPS cookie on your browser is a large random number that acts as a second factor and will whitelist your access.
Once we see that your account has a track record of being successfully accessed via Tor the security checks are relaxed and you should be able to use TorBirdy.
Hope that helps,
Google account security team
Office documents and pictures contain lots of information in their meta tags that may deanonymize their author. Before uploading them to the Internet you should remove this metadata.
Meta tags in pictures and image files may be deleted in the file manager with a right-click. Choose the option “Remove meta tags” in the context menu. You may select and clean several files at once if you hold the <CTRL> key while selecting. In the properties dialog of the file manager you can check whether deleting the meta information succeeded.
You can use the Metadata Anonymisation Toolkit (MAT) to clean OpenOffice documents, Microsoft Office documents, PDFs, and MP3 and FLAC sound files. Archives are supported too. Simply right-click the file in the file manager and choose the entry “Metadata Anonymisation (MAT)”.
Alternatively you may open the GUI of MAT. You will find a menu entry in the applications menu in the group “Utilities”. Add the files you want to clean to the list and then clean the list. The cleaned files are stored in the same directory as the original files, with “.cleaned” added to the name.
MAT for documents and “exiv2” for photos are useful tools to remove metadata from your own, self-created files. Neither can anonymise the content, nor handle watermarking, steganography, or any overly customized metadata field/system from an unknown source. You have to clean such documents more aggressively:
You may print the document at low resolution and scan it afterwards. For scanning text documents you may use a black/white colour scheme and a low resolution too. Clean the scanned images as described above.
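To show what a tool like exiv2 or MAT actually does to a photo, and how "checking the success" can be done on the raw bytes, here is an added example (not part of the original page and not MAT's or exiv2's code) that walks a JPEG's marker structure and drops the APP1..APP15 and COM segments where Exif, XMP, IPTC and free-text comments live. The sample file is constructed inline and is not a decodable picture; only the segment framing matters. APP0 (JFIF) is kept on purpose, since it carries only pixel-density information and some decoders need it.

```python
"""Strip metadata segments from a JPEG by walking its marker structure (added example)."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0 = 0xE0
# Segments that commonly carry identifying metadata: APP1 (Exif/XMP), APP2..APP15
# (ICC, Photoshop/IPTC, ...) and COM (free-text comments). APP0 (JFIF) is kept.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment after SOI.

    The SOS segment is yielded together with everything that follows it
    (entropy-coded data and EOI), because metadata cannot appear there.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:  # skip fill bytes between segments
            pos += 1
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG without APPn (n >= 1) and COM segments."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


def segment_markers(data: bytes) -> list:
    """List the marker codes present, so the result of cleaning can be checked."""
    return [marker for marker, _, _ in iter_segments(data)]


def build_sample_jpeg() -> bytes:
    """Constructed sample (not a real picture): JFIF, Exif, COM, DQT, SOF0, SOS, EOI."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    exif = b"Exif\x00\x00" + b"<constructed GPS and camera serial payload>"
    return (bytes([0xFF, SOI])
            + seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, exif)                                   # APP1 Exif
            + seg(0xFE, b"author: constructed-name")            # COM
            + seg(0xDB, b"\x00" + bytes(64))                    # DQT
            + seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00")             # SOS header
            + b"\x12\x34\xff\x00\x56"     # entropy-coded data with a stuffed 0xFF00
            + bytes([0xFF, EOI]))


if __name__ == "__main__":
    sample = build_sample_jpeg()
    cleaned = strip_metadata(sample)
    print("before:", [hex(m) for m in segment_markers(sample)])
    print("after: ", [hex(m) for m in segment_markers(cleaned)])
```

Run it on a real photo by replacing `build_sample_jpeg()` with the file's bytes; `segment_markers()` on the output is the byte-level equivalent of looking at the properties dialog afterwards. As the page notes, this removes tags only: watermarks, steganography or identifying content in the pixels themselves survive.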
Reportedly based on Edward Snowden NSA documents provided to Glenn Greenwald who co-authored an article for Brazil’s O Globo newspaper.
Source of four slides:
http://oglobo.globo.com/infograficos/volume-rastreamento-governo-americano/
Translation from Portuguese to English by Google, slides by Cryptome.
Original in Portuguese
[In reverse chronological order.]
Date: Sun, 11 Aug 2013 08:55:42 -0700
From: Andy Isaacson <adi[at]hexapodia.org>
To: cypherpunks[at]cpunks.org
Subject: Re: Lavabit and End-point Security
On Sun, Aug 11, 2013 at 10:39:55AM -0400, Sean Alexandre wrote [full email not received]:
> your more typical sys admin could find
> and use. They might not have everything, but enough to make their services
> 99.99% secure. Those that provide the info would probably still have some
> things to their own and be 99.9999% secure.
Security doesn’t work that way. Keeping your system secure is like walking a tightrope across a gorge filled with ravenous tigers every morning. There are a billion ways to fuck up and get owned/eaten by the tigers, and asking someone who’s successfully walked the tightrope every day for 40 years “tell me your secret?” completely misses the point.
The expert can share advice and point out when you’re about to step off the tightrope, but no kind of advice can substitute for your own caution and experience. Pretending that a magic balance bar, or a magic technique that can be applied without careful thought, or a magic shoe that will make you stick to the rope, will save you is the kind of thing that works in a fairy tale but not in real life.
The analogy breaks down, though, because in fact you can get totally owned, through and through; exfiltrated, impersonated, and strung up by a prosecutor before a secret grand jury before you even learn that your security has failed. At least the tiger has the courtesy of giving you pain when you fail.
-andy
Date: Sun, 11 Aug 2013 05:45:02 -0700
Subject: Re: Lavabit and End-point Security
From: coderman <coderman[at]gmail.com>
To: cypherpunks[at]cpunks.org
some questions, some answers, …
On Sun, Aug 11, 2013 at 2:27 AM, coderman <coderman[at]gmail.com> wrote:
> …
> 1. use a common distro, but rebuild critical components – bootloader,
> initramfs, openssl, openssh, the kernel, gnutls, libgmp, use 64bit,
> etc.
this means rebuild hardened versions of these libraries from source; excluding insecure cipher suites in an OpenSSL build for example, altering architecture optimizations, supported features, in others, the goal being that an exploit targeted to a vanilla distribution will more likely fail with observable error or crash, rather than succeed silently.
many exploits are very brittle in this respect, with any change in symbol offsets or capabilities rendering them completely ineffective.
> 2. use isolation and RBAC, Qubes, VirtualBox, VMWare, Parallels,
> remember that VM escapes are available and expected. defense in depth
> can never be too deep.
virtualization implies chained exploits for full compromise. combined with the above you’ve drastically increased the cost of a successful attack with modest effort. the likelihood of detection (by appearing vulnerable yet not being so) is also increased.
remember that VMMs and hypervisors are themselves potentially vulnerable software systems suitable for hardening and customization.
> 3. use constrained network access – identify anomalies, control
> bandwidth, firewall ingress and egress aggressively. this implies
> constant monitoring to detect such events. (another exercise left to
> the reader)
data exfiltration can be very visible via network behavior if you’re paying attention. cross referencing connection state in your upstream router vs. local OS view of sockets can identify discrepancies where compromise has concealed covert connections. malware communicating directly on an ethernet or wireless adapter outside of the OS is also visible at this junction.
> 4. rootkit and backdoor your own systems – use the dirty tricks to
> observe and constrain your system before someone else uses dirty
> tricks to compromise your system.
this is mostly a variant of #1 at a kernel / system level. like notepad.exe connecting to the internet, there are some syscall, file access, and network requests which are clearly anomalous and indicators of compromise.
> 5. don’t forget physical security – this is the universal oversight
> and most effective end run around all other operational and technical
> security measures. there is a reason physical access so often implies
> “game over” and why black bag jobs are still and will continue to be
> effective against all targets.
this is a storied tangent unto itself…
last but not least: you must develop a routine of continuous hardening and improvement. these steps are not done once and finished; they are elements within a larger strategy of operational rigor defending against motivated and capable attackers. asking for my “hardened linux build” is missing the point entirely!
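The cross-referencing coderman describes under point 3 (the upstream router's connection table against the host's own socket list) can be automated. The following is an added example, not code from the thread: it parses constructed, simplified conntrack-style lines from a router and `ss`-style lines from the host, and reports flows the router sees from the host that the host does not report itself, which is the discrepancy a concealed connection or NIC-level communication would produce. The addresses and line layouts are constructed for the example.

```python
"""Cross-reference router-observed flows with the host's socket table (added example)."""

HOST_IP = "192.0.2.10"  # constructed: the monitored host's LAN address

# Constructed, simplified router view: "proto src:sport -> dst:dport"
ROUTER_FLOWS = """\
tcp 192.0.2.10:51234 -> 198.51.100.20:443
tcp 192.0.2.10:51240 -> 198.51.100.21:443
tcp 192.0.2.10:60001 -> 203.0.113.99:6667
udp 192.0.2.10:40000 -> 192.0.2.1:53
tcp 192.0.2.11:52000 -> 198.51.100.22:443
"""

# Constructed, simplified host view in an `ss -tun`-like layout: "proto state local peer"
HOST_SOCKETS = """\
tcp ESTAB 192.0.2.10:51234 198.51.100.20:443
tcp ESTAB 192.0.2.10:51240 198.51.100.21:443
udp ESTAB 192.0.2.10:40000 192.0.2.1:53
tcp ESTAB 192.0.2.10:51300 198.51.100.23:443
"""


def parse_endpoint(text: str):
    """Split 'host:port' into (host, int port); rsplit keeps IPv6-style colons intact."""
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_router(text: str, host_ip: str) -> set:
    """Return the set of 5-tuples the router attributes to host_ip."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # skip anything that is not a flow line
        proto, src, _, dst = parts
        src_host, src_port = parse_endpoint(src)
        dst_host, dst_port = parse_endpoint(dst)
        if src_host == host_ip:
            flows.add((proto, src_host, src_port, dst_host, dst_port))
    return flows


def parse_host(text: str) -> set:
    """Return the set of 5-tuples the host's own socket table reports."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, _state, local, peer = parts
        local_host, local_port = parse_endpoint(local)
        peer_host, peer_port = parse_endpoint(peer)
        flows.add((proto, local_host, local_port, peer_host, peer_port))
    return flows


def compare(router_flows: set, host_flows: set) -> dict:
    """Flows seen upstream but not locally are the suspicious ones.

    Flows seen only locally are usually snapshot timing (a socket opened after
    the router sample) and are reported separately so they can be re-checked.
    """
    return {
        "hidden": sorted(router_flows - host_flows),
        "local_only": sorted(host_flows - router_flows),
    }


if __name__ == "__main__":
    report = compare(parse_router(ROUTER_FLOWS, HOST_IP), parse_host(HOST_SOCKETS))
    for flow in report["hidden"]:
        print("router sees, host does not:", flow)
    for flow in report["local_only"]:
        print("host sees, router does not (re-sample):", flow)
```

In the constructed data the router reports a TCP flow to 203.0.113.99:6667 that the host's socket table lacks; that is exactly the kind of discrepancy the message says "compromise has concealed covert connections" would produce, and the place to start an investigation. Take both snapshots as close together in time as possible to keep the "local only" list small.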
Date: Sun, 11 Aug 2013 06:51:32 -0400
Subject: Re: Lavabit and End-point Security
From: Steve Furlong <demonfighter[at]gmail.com>
To: coderman <coderman[at]gmail.com>
Cc: cypherpunks[at]cpunks.org
On Sun, Aug 11, 2013 at 5:27 AM, coderman <coderman[at]gmail.com> wrote:
> if i were to summarize what i have found effective against dedicated
> and resourceful attackers (again, i can’t go into details 🙂 this
> would be the top 5:
> 1. use a common distro, but rebuild critical components – bootloader, initramfs, openssl, openssh, the kernel, gnutls, libgmp, use 64bit, etc.
By “rebuild” do you mean compile it yourself or are you talking full-up review and rewrite? The former should be no problem for anyone capable of setting up a secure hosting service. The latter is probably beyond the means of small teams in any commercially reasonable timeframe.
—
Neca eos omnes. Deus suos agnoscet. — Arnaud-Amaury, 1209
Date: Sun, 11 Aug 2013 02:27:54 -0700
Subject: Re: Lavabit and End-point Security
From: coderman <coderman[at]gmail.com>
To: cypherpunks[at]cpunks.org
On Fri, Aug 9, 2013 at 7:43 AM, Sean Alexandre <sean[at]alexan.org> wrote:
> … this says Lavabit’s security was so good they
> couldn’t back door his machines….
>
> I’d love to see some kind of write-up by Ladar about how he did this…maybe
> even a book.
i’ve been contemplating a write up about this, but the problem is once you advertise your methods they become less effective.
there really is “security through obscurity” in this sense; when at a resource disadvantage, every little bit counts…
if i were to summarize what i have found effective against dedicated and resourceful attackers (again, i can’t go into details 🙂 this would be the top 5:
1. use a common distro, but rebuild critical components – bootloader, initramfs, openssl, openssh, the kernel, gnutls, libgmp, use 64bit, etc.
2. use isolation and RBAC, Qubes, VirtualBox, VMWare, Parallels, remember that VM escapes are available and expected. defense in depth can never be too deep.
3. use constrained network access – identify anomalies, control bandwidth, firewall ingress and egress aggressively. this implies constant monitoring to detect such events. (another exercise left to the reader)
4. rootkit and backdoor your own systems – use the dirty tricks to observe and constrain your system before someone else uses dirty tricks to compromise your system.
5. don’t forget physical security – this is the universal oversight and most effective end run around all other operational and technical security measures. there is a reason physical access so often implies “game over” and why black bag jobs are still and will continue to be effective against all targets.
Follow discussion thread: http://cpunks.org/pipermail/cypherpunks/
Last week the email provider Lavabit.com was closed. It was one of the few secure email providers. It was used by Edward Snowden along with other privacy-sensitive users. Ladar Levison (founder of Lavabit.com) did not say what he had been asked to do, only that he was legally prohibited from sharing the events leading to his decision. He doesn't want to “become complicit in crimes against the American people.” In an interview he said:
If you knew what I know about email, you might not use it either.
A second secure email service was closed last week too. Lavabit's note has led to Silent Circle dropping its email service, saying “We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now.” In the opinion of Phil Zimmermann and other privacy activists working for Silent Circle there is no way to make email secure:
Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.
Through publications by NSA whistleblowers like Snowden, Binney, Bamford or Drake we have learned about vast surveillance programs. Email is one of the first targets for communication surveillance. It seems there is no email privacy any more. You may want to rethink your communication behaviour and avoid email as far as possible in future. Think about Jabber (XMPP), private messages in forums, TorChat… More ideas are welcome.
The Internet is and has always been a space where participants battle for control. The two core protocols that define the Internet – TCP and IP – are both designed to allow separate networks to connect to each other easily, so that networks that differ not only in hardware implementation (wired vs. satellite vs. radio networks) but also in their politics of control (consumer vs. research vs. military networks) can interoperate easily. It is a feature of the Internet, not a bug, that China – with its extensive, explicit censorship infrastructure – can interact with the rest of the Internet.
In the following collection, published as an open access collection here and also in a special issue of IEEE Internet Computing, we present five peer-reviewed papers on the topic of Internet censorship and control. The topics of the papers include a broad look at information controls, censorship of microblogs in China, new modes of online censorship, the balance of power in Internet governance, and control in the certificate authority model. These papers make it clear that there is no global consensus on what mechanisms of control are best suited for managing conflicts on the Internet, just as there is none for other fields of human endeavour. That said, there is optimism that with vigilance and continuing efforts to maintain transparency the Internet can remain a force for increasing freedom rather than a tool for more efficient repression.
This collection was edited by Steven J. Murdoch of the University of Cambridge Computer Laboratory and Hal Roberts of the Berkman Center for Internet & Society at Harvard University.
The Guardian and The Washington Post recently published slides about the PRISM project of the US government’s National Security Agency (NSA). The agency is engaged in mass surveillance of users around the world. I assume, the topic is well known to readers of our blog. International protests against PRISM are mostly focusing on US spying by NSA and FBI only. But other countries have projects like PRISM too.
The NSA counterpart in Canada is the CSEC (Communications Security Establishment Canada). Like NSA the CSEC has far-reaching national security powers to monitor and map electronic communication signals around the globe. Defense Minister Peter MacKay spoke about the spying activities only: “We don’t target Canadians, okay.”
The British counterpart of the NSA is called GCHQ (Government Communications Headquarters). It operates in partnership with the NSA, CSEC and other spying agencies, uses its own worldwide network of monitoring stations and is part of ECHELON.
The DSD (Defence Signals Directorate, Australia) and GCSB (Government Communications Security Bureau, New Zealand) cooperate with the NSA, CSEC and GCHQ too (UKUSA Agreement). Both are ECHELON partners with their own monitoring stations. The cooperation includes information sharing. According to Fairfax Media's sources, intelligence agencies in Australia have been receiving a high volume of valuable data from the NSA, with some even coming from the PRISM program itself.
The NSA counterpart in Sweden is called FRA (Försvarets radioanstalt). In June 2008 it got the power to warrantlessly wiretap all telephone and Internet traffic that crosses Sweden's borders. Swedish people are targets of FRA espionage too.
France has its own spying network called Frenchelon. Like the US counterpart Echelon it is used not only for counter-terrorism but for economic espionage and spying on political activists too.
The secret Onyx interception system is the Swiss intelligence gathering system for espionage and is maintained by the NDB (Federal Intelligence Service). It is used to monitor telephone, fax and Internet communications worldwide. In 2006 a secret document sent by the Egyptian department of Foreign Affairs to the Egyptian Embassy in London and intercepted by Onyx was made public.
The NSA counterpart in Russia is the SSSI (formerly FAPSI). It was set up in 2003 by a reorganization of intelligence agencies in Russia and has unlimited power to warrantlessly wiretap all Internet communications. The FBI counterpart in Russia is the FSB. The interception system SORM offers the FSB unlimited, direct access to the servers of almost all Russian ISPs (Wired). Intercepted e-mails and phone calls were published by Russian media in 2011 to discredit opposition members. The largest social network in Russia is Vkontakte.ru with 200 million members. It cooperates with the FSB and has handed over data of opposition members.
In Germany warrantless wiretapping and espionage is done by the BND (Federal Intelligence Service). It is scanning 20% of all emails routed over German AS for 16,400 keywords. In 2010 the keyword scanners sent copies of 37,000,000 emails to the BND for more detailed analysis. In 2008 W. Schäuble (formerly minister of the interior) recommended setting up a spying agency like the NSA or the British GCHQ for Germany. The project was cancelled in 2010 but the recommendation was renewed by R. Wendt in recent days.
Minister of the interior Friedrich confirmed that German intelligence services get valuable data from the NSA, but he didn't know anything about a program called PRISM.
Virtual Private Networks (VPN) are typically used to connect remote workers to the main office network. The A/I VPNs are different: they send all your Internet traffic through an encrypted connection to our servers, from where it then goes out onto the public Internet. This type of VPN is sometimes called a “Personal VPN”. The goal of a personal VPN is not to securely connect you to a private network, but to securely connect you to the Internet as a whole.
A personal VPN can be used for many different reasons. A/I chose to provide this service for time-limited emergency situations, such as a journey, the coverage of an event or a demo. A/I VPNs are not available for permanent home use: if you need to anonymize your BitTorrent traffic you should look for different solutions.
A/I Collective believes that providing its users with safe and anonymous channels to connect to the Internet is a very important step against censorship and against institutions', governments' and police forces' dreams of total control over Internet access. That is why we have been suggesting that our supporters use Tor, and that is why we are releasing this new A/I VPN project.
Around the world, governments are using the internet for social control, through both surveillance and censorship. While many people are familiar with the censorship of the internet by governments in China and Iran (just to mention a couple of examples), you may not realize that the US practices active surveillance of internet users’ relationships and the European Union countries require all ISPs and website operators to record and retain personal data on your behavior. With three-strikes laws, many countries now deny citizens access to the internet if accused of file sharing. Some countries (like Egypt during Tahrir square unrest in 2011) forbid the use of new communication technologies, like skype.
That’s why A/I VPNs can help those who feel the need for a safe, encrypted channel to communicate free of the prying eyes and ears of governments, ISPs and repression or control institutions. A/I VPNs aim to:
A/I VPNs share some limitations common to all “personal” VPNs, and their use is further limited by some choices we made as A/I Collective.
From a technical standpoint VPNs are not a panacea: although VPNs accomplish a lot, they can't fix everything. You should in any case use SSL/TLS connections (https to surf, pop-ssl/imaps/smtp-tls for mail exchange, and so on). Furthermore, once your data is securely routed through our servers it will go out on the Internet as it normally would; A/I VPNs will only anonymize your location. And A/I VPNs cannot increase your security if your computer is already compromised with viruses or spyware. If you give personal information to a website, there is little that a VPN can do to maintain your anonymity with that website or its partners. Last but not least, the Internet might get slower: the A/I VPNs route all your traffic through an encrypted connection to our servers before it goes out onto the normal Internet. This extra step can slow things down: this does not matter if your main aim is to communicate safely and privately, but it is of course a big pain in the neck if you are using A/I VPNs for leisure (the wrong reason to use our resources).
A/I Collective resources are limited, which is why the package we offer you with A/I VPNs will work for 7 days, after which you will have to renew all the configurations. This is not due to our sadistic nature, but simply to the need to be sure that you are using A/I VPNs for actual needs and to struggle against censorship and control.
To activate an A/I VPN you have to browse to the vpn.autistici.org website and download a zip file containing an SSL certificate (and private key) used to authenticate to the VPN network. This file is very sensitive, so keep it in a safe place; with it you can configure one of the many different programs created to set up personal VPNs. In the zip file you will find a README.txt file with specific instructions to install the VPN connection on your device, depending on your OS. Once the A/I VPN has been established all your Internet traffic will be routed through an encrypted connection to our server before reaching any other target.
Remember: to download the zip file and use A/I VPNs you have to be one of our users, i.e. you have to own a mailbox on our servers and its password. If you don't have one, get one!
A/I VPN uses OpenVPN. You can use a lot of different clients to connect to it. We have written some manuals for the most widespread systems. If the information in the README.txt files is not enough for you, read one of the following howtos:
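To make the procedure above concrete, here is an added illustration of what a full-tunnel, certificate-authenticated OpenVPN client configuration looks like. It is not A/I's own configuration or the content of their README.txt; the server hostname, port and file names are placeholders to be replaced with what the downloaded zip provides.

```conf
# Added example: OpenVPN client configuration for a "personal VPN" that tunnels
# all traffic. Placeholders: VPN_SERVER_HOSTNAME, port, and the three file names.
client
dev tun
proto udp
remote VPN_SERVER_HOSTNAME 1194
resolv-retry infinite
nobind

# Credentials from the downloaded zip: CA certificate, client certificate and
# the private key. The key is what makes the zip file sensitive.
ca ca.crt
cert client.crt
key client.key

# Only accept a peer whose certificate was issued for the server role, so a
# client certificate from another user cannot impersonate the server.
remote-cert-tls server

# "Personal VPN" behaviour: replace the default route so that all traffic,
# not just traffic to a private network, leaves through the tunnel.
redirect-gateway def1

persist-key
persist-tun
verb 3
```

The `redirect-gateway def1` line is what turns an ordinary site-to-site style connection into the "all your traffic" setup the text describes; without it only traffic for routes the server pushes would use the tunnel. It also illustrates the caveat above: the route changes, but traffic leaving the server towards the rest of the Internet is still only as protected as the TLS the application itself uses.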
We wish to thank a thousand times Riseup for inspiring this document