Submit Your Article Forum Rules

Results 1 to 6 of 6

Thread: Not quite anonymous e-mail

  1. #1
    Junior Member mbutler755's Avatar
    Join Date
    Jul 2013
    Location
    Peoria, AZ
    Posts
    10

    Not quite anonymous e-mail

    There has been a lot of talk lately of the NSA's PRISM program. I'm not going to get into particulars because I'm not trying to start an argument. I'm not interested in how you feel about the NSA PRISM program or your interpretation of its limitations (if any).

    What I am interested in is what it could lead to. To my knowledge, PRISM has nothing to do with e-mail at this point. However, there has been chat about different e-mail providers reading your e-mail in order to display targeted ads and larger companies handing over data when subpoenas are involved. That's all fine and dandy, but what if you didn't want that? What if there was nothing to turn over if the Government came knocking on your door with a subpoena for somebody's e-mails?

    I purchased the domain npmail.us. The idea behind it is to supply e-mail addresses and allow people to exchange e-mails and such without any type of logging. Therefore, if somebody came to me and asked for the logs, I would have nothing to provide them with because logging isn't turned on for that service. Of course, if I start hearing complaints of mail not reaching its destination it would be pretty difficult to troubleshoot, but I haven't had that issue yet.

    Right now, it's just a small box out in the cloud, but it could be scaled as necessary. Does anybody have any opinions on this post? Do you think it's something people would care about? I know of at least one person on this forum who is pretty passionate about PRISM and I think he might like it, but would a lot of people want it? I'm just trying to gauge the "general public" point of view on the issue?
    Please read the
    Hidden Content

  2. #2
    Moderator SteveGerencser's Avatar
    Join Date
    Jan 2005
    Location
    Small town Tennessee
    Posts
    2,242
    As has been discussed elsewhere, the vast majority of collected data is not done at the server level, but rather on the upstream point. So, while you may not keep a log, an email sent from me to some one else can still be tracked. At this point, the NSA and others appear to be collecting meta data. Not so much what you sent, but who you sent it to. So again, a log free server doesn't really help. And finally, to be sure that there is no logging, not only would you not have to log traffic, but your provider and their provider, etc. would also not have to log and track.

    I better offering might be an encrypted mail service. The meta data would still be available, but barring gaining access to the decryption keys, no one could read it very easily.
    You can't create artful marketing with color by number seo

  3. The following user agrees with SteveGerencser:
  4. #3
    Junior Member mbutler755's Avatar
    Join Date
    Jul 2013
    Location
    Peoria, AZ
    Posts
    10
    That's true, I couldn't do anything about the actual providers. All the e-mail is encrypted and all SSL ports are opened up and functioning. I do have regular ports open as well, but hopefully nobody uses them. Thanks Steve!

    - - - Updated - - -

    Quote Originally Posted by SteveGerencser View Post
    As has been discussed elsewhere, the vast majority of collected data is not done at the server level, but rather on the upstream point. So, while you may not keep a log, an email sent from me to some one else can still be tracked. At this point, the NSA and others appear to be collecting meta data. Not so much what you sent, but who you sent it to. So again, a log free server doesn't really help. And finally, to be sure that there is no logging, not only would you not have to log traffic, but your provider and their provider, etc. would also not have to log and track.

    I better offering might be an encrypted mail service. The meta data would still be available, but barring gaining access to the decryption keys, no one could read it very easily.
    It seems the most protection would be from one person within npmail.us to another person within npmail.us. The e-mail would never leave the server because the software I am using is smart enough to know it should just stay within the localhost. In that particular instance, the e-mail never existed.

    Outside of that though, sending an e-mail to gmail.com would have the mail go outside of the system and therefore it would be trackable. Nice post!
    Please read the
    Hidden Content

  5. #4
    Senior Member alphaomega's Avatar
    Join Date
    Apr 2004
    Location
    Sunshine Coast, Australia
    Posts
    566
    My understanding of PRISM is that it connects to the major telecommunication cables directly. At least this is the case between Australia and the US. Totally independent from any provider. In fact Telstra, which is the largest telco in this country signed agreement with the US now to allow this to happen and connect to the fiber cable directly. PRISM has its own equipment and does not rely on Telstra. As for encryption, they are able to read any encrypted data. It would be naive to think that the US service will be stopped by encryption. As your legal standing on what you provide, I can't comment since the US law is not known to me. But I think you should consult on this to protect yourself.

  6. #5
    Senior Member ron angel's Avatar
    Join Date
    Jan 2004
    Posts
    343

    Cool

    There is a way I believe that the powers to be do not want widely known (tough because here it is) and has been used by( terrorists or freedom fighters depending on your point of view). A free email account is set up from an internet café then the password is given to two or more people. One person writes a draft email and saves draft but does not send it. The second person logs into site from another location and reads mail then deletes and leaves their own message. this goes on ect. If more than one person is in contact with each other then the message is marked with letter or number until the group knows has been read by all and deleted by last to read or designated member. No email is ever sent to anybody so were they to be read by an outside source would not be able to trace although it is not lightly that draft mails are read in real time. A further security would be to encrypt messages. These messages are only used for short term communications such as giving the number of a prepaid cell phone and a time within 12 hours once call is made during which further contact information is given the number not used again. One stage further is to leave phone in public place men’s room or bar so somebody will take and use and the persons checking the emails will have to check all the numbers called which could be anything from his mother girlfriend boy friend or drug deals! This Information is only for academic purposes or writing movie scripts and must not be used for illegal reasons.
    historical information links re uk and usa
    Hidden Content

  7. #6
    Junior Member
    Join Date
    Jul 2013
    Posts
    2
    There's a lot of dancing around semantics of how PRISM operates (and far from the only such program, noting the CALEA et al mandates for us to fund remote wiretapping without traditional process for LEO's to present a court order to a telco). It sounds to me as if NSA has remote control of custom API's on major net service servers, and not insert or tap boxes as it apparently has on AT&T and other major routing switch systems ("deliver to the door", not sniff/directly monitor language in now public reports). Functionally, there's little difference there, and spooks and LEO kooks are known to interpret law and rules as broadly as they can rationalize, even if by some pretty warped stretches of the Bill of Rights.

    As to protected mail, there's a need for Tor or at least VPN tunnels, to limit metadata and user traffic pattern tracking, on top of users not interacting with people who'd be sniffed in the open on the other end. That includes MiTM attacks on Google or MSN server to user HTTPS/SSL with open content in between on servers with NSA remote controlled API's, absent use of PGP or similar that few users seem to care to use. That could be partially anonymized going through such servers if the NP system used obfuscation of any mapping of usernames to accounts, or had some kind of rolling table of variable addresses for users, like rolling code car or garage opener remotes, or second key corporate VPN login credentials systems.

    If it never left some server that was low profile and isolated from clouds that might be bugged, and content was encrypted end to end, plus VPN's or Tor used to limit traffic tracking externally, that might limit attack modes. That'd require generic or proprietary clients on either end though to handle encryption, plus one or more modes of secure tunnels on both ends.

    There are music and movie file sharing sites hosted in countries known for a FOAD attitude towards DMCA, that appear to be operated for reasons other than file sharing. That kind of traffic from random public users with various small and large file transfers all over the world could serve as cover for traffic patterns, and not security but creating a big haystack in which needles aren't invisible, but difficult to notice. Add stego to mp3's or video, and encrypt the content within the stego coding, and hide traffic patterns in a sea of noise, and spook sniffing is still possible, but difficult to sort out target info.

    OTOH, how many net users install a MiTM hook like Fiddler, or Wireshark and PCAP or similar, and inspect their own traffic patterns for weak configs or poor use of only partial TLS or SSL on logins or transfers, for various POP, IMAP, or Web mail accounts, etc?

    Contrary to some rumors, it appears there are VOIP or XMPP Android clients in the Google Play Store with SRTP or ZRTP, which some claim are subject to ITAR or similar export controls, or others claim were lifted 2 years ago (and some compile and serve from outside the HSA, the Hypocritical States of Amerika). How many people could compare Android, iOS, Win, OSX, and *nix, versions of Google Talk, Voice, and Hangouts, Skype, MizuDroid, SipDroid, Lumicall, SIP Dialer, Nimbuzz, Ekiga, Jitsi, Pidgin, and Linphone, as to the uniform or platform specific security features or weaknesses, and overall security including server or endpoint direct connect routing? How about Team Viewer and similar free or pay remote login tools, many of which have voice or IM or video conference modes, sometimes including white boards or file transfer? How about running secure VOIP/XMPP servers, that deal with the issues of lookup discrimination and security that make Ekiga numbers often incompatible with other OpenSIP? Did I miss any important ones?

    If there were any single, strong, highly popular system for secure private communications, that'd likely become high priority to break for LEO's and spooks. It's tricky to create an actual end to end secure system, that's not too costly or annoying to use for that minority who think it's an ethical issue even if not a safety need. Systems like NP mail sound more like a political statement with a few niche features, than seriously secured mail, unless more of those issues could be addressed. (Such political statements, and the chaos added to larger tech deployments, DO serve a valuable and useful purpose.)

    A good test of literacy in our society would be to hand someone a locked Cisco Vonage router, and instruct the subject to unlock it using a local TFTP server, browser plugin capable of unlocking a length-limited Java user interface script command box (eg, FF Web Developer), generic firmware flash, and then provision one or more each FX0 and FXS ports. Were such tests used to qualify Congresscritters for voting on telecom policy Bills, we'd likely remove the vast majority of corrupt DC officials, without even asking about comparative backbone designs for AT&T, Verizon, and DoD.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •