Layers of Security: The dead drop email.

Here is a bit of electronic security that is not mentioned often and can be beneficial for people moving numbers.

The dead drop email is as simple as creating an email account. Find a service with servers outside of your country (preferably in countries like Taiwan, Thailand, etc...)

This email address is only ever accessed via TOR. The password is known by only the two people communicating with each other.

Instead of sending an email (which gets logged by both the sender and the recipient) you create your message in draft form. PGP still applies and preferably both parties use a separate key only for the email.

An additional layer can come in the form of a digital signal, this prevents unnecessary logins. The signal can be something simple, like a prearranged status on a social media site. In addition to the mail signal both parties can have a busy signal and a distress signal.

Signals should be simple and not obvious. Like, I ate pizza today.

Food for thought.


Comments


[15 Points] pingobingodingo:

If only prostitutes were game for this my wife wouldn't have found out.


[5 Points] whatisopsec:

The director of the CIA tried this with his mistress. It did not go so well for him. Many email providers will retain drafts. Just encrypt your shit.

https://www.usatoday.com/story/tech/2012/11/13/petraeus-broadwell-email/1702057/ https://www.techdirt.com/articles/20160722/08490035042/drug-dealers-lawyers-want-to-know-how-yahoo-is-recovering-communications-it-previously-said-were-unrecoverable.shtml


[3 Points] JelloCreationist:

Neat idea, if i understand correctly.


[3 Points] HeyItsMassacre:

Basically you create a PGP message and save it as a draft, then the other person logs onto the account and reads the PHP message?


[3 Points] intothestarz:

You sure have been eating a lot of pizza lately


[3 Points] BoxAddict:

WHAT IF ALL THESE SHIT POSTS LATELY ARE ACTUALLY COMMUNICATION IN CODE!! (Not saying yours is a poo-pop-post, either)


[3 Points] CookyDough:

This is how US general David Petraeus' career ended.

https://www.usatoday.com/story/tech/2012/11/13/petraeus-broadwell-email/1702057/

It's also something that investigators were able to discover about how, prior to her abduction, a school teacher communicated with the 14 year old student whom he kidnapped. They were able to read all the deleted drafts.

http://www.foxnews.com/us/2017/04/20/tad-cummins-elizabeth-thomas-found-in-california.html


[2 Points] EndlessMorning:

What's the point of only ever accessing the email over Tor if you're in contact on social media and know who each other are anyway?


[1 Points] 18_Farralon_Ave:

Just keep in mind this is not a new idea. Government is well aware of folks using a common email account and communicating via the drafts folder. This is one reason why government got really deep with email providers, to acquire access to servers - either directly or by hacking.

Always use pgp.


[1 Points] shillface:

I wouldn't use a large corporation's draft folder for anything sensitive.

A tor only email provider would be a better option. They're a lot less likely to be storing draft message data.


[1 Points] R245SA:

Sounds great. More work.


[1 Points] duraldo:

Emailing my accomplices using the same email? That's a bit much don't ya think? Besides my opsec is foolproof. I prefer to use the classical Caesar Cipher, written with invisible ink, naturally. I then shut my eyes and tie to one of the pigeons I have. The shutting of eyes is important, as to keep the identity of the pigeon completely anonymous.

One of my guys used PGP the other day....fuckin amateur.


[0 Points] slayed_:

yup, that's pretty classic. I recommend the email provider to be in Russia. So many other great ways of achieving the same though :)