Silk Road forums
Discussion => Security => Topic started by: elementaryskool on July 31, 2011, 08:53 pm
-
I have been recommended to not use Hushmail. I'm just curious on everyone's opinion here since you guys obviously know what you're doing.
Also this is off topic and I don't want to make it a full topic unless I absolutely have to. But if anyone is savvy with PGP on Macs, please PM me or check out the thread in the Security forum here that I've posted in.
My posts start toward the middle of the thread.
Here is the link:
http://dkn255hz262ypmii.onion/index.php?topic=845.0
-
So someone else can see the answers, and it'll be available via the search function of the site:
Most email services are the same. All (most?) of them can read any email you write with little to no reason at all.
Hushmail is not recommended because they actively cooperate with LE. This means that if LE asks them for your emails, they will hand them over.
Some places will require a warrant, but those aren't hard to get, and a lot will just hand your info over. Your IP address, your passwords, and the text of your emails will all be in the hands of LE.
If you use email to talk about things, encrypt. GPG will work very nicely. Then all LE gets is your IP address and your password, and probably your public key.
With that in mind, pretty much all email providers are shitty.
Lavabit claims to not be able to read your emails, and I doubt they would give your info over without a warrant. I cannot see any way that they would not be able to see plain text emails, but whatever.
Get whatever you want, and be sure that you use encryption.
Some providers will block Tor. It's best to get one that doesn't. That way, you aren't even giving up your real IP.
Don't reuse passwords. Ever. Remember Mt Gox?
With this in mind, the specifics do not matter so much.
-
I'm actually new here, so I don't remember Mt. Gox? What happened with that, someone got caught reusing passwords?
Thanks for your advice though - I think encrypted emails are the way to go, as well as very long and random passwords that "exponentially" reduce the risk of them being decrypted.
I'm still struggling to learn PGP encryption on my Mac :(
Hopefully I'll have that figured out soon with the help of joe blow and can actually safely buy something with a little peace of mind.
-
I may be wrong on the details, but here is the general idea.
Mt Gox is a bitcoin exchange.
Someone hacked Mt Gox, and got a bunch of usernames and passwords.
The users and passes were leaked on the internet, and some other sites have frozen accounts that have the same info.
Still, quite a few users lost quite a bit of money.
There have been a few reports of people having accounts on other sites hacked because they used the exact same usernames and passwords.
I used to know the location of an 'official' email but it was on Mybitcoin, which has been down for quite some time now.
There is speculation that they have been hacked, or that they have simply stolen everyone's coins.
Anyways, the moral of the story is: don't trust anyone, and never reuse names and passwords.
-
PGP makes sense when you figure it out. (Kinda, it's a little counter-intuitive.)
If any of this BEGINS to confuse you, just stop. There are better teachers out there.
Here is my public key; send me a test message and I'll send you one back, if you want a little practice.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
mQENBE4nVf0BCADH5BR0vXxS1k25fRs+nSkU9XB3bhUJBBgclNtntN5bDVtqXHS+
K3WvnMQnakiDUMHy+kj2m5Meum3jCnmXwPfH20ImDv8vW2+oBtzbfxzh6pYocRXr
abEO4QgSZtJ2VEUTvmiZ7jHmF33rhPXgZVrvSkYwIrlQBsruGvvfeCtHHpwSEDlP
umBE7SrDwUSUF4hRDobueyVkEfm0s7sEOyVdflGgiz/LHMLE+gGizQ2LkcGX2PI/
88Sbd7709b5jIt4j2icN7erSb7Hqr9b/I34Nz5EhL8NNj/DkOkngViiJn1sBBld4
5+k7+EZxkBhndp8+NlcIraDm8J7RbCbuhwArABEBAAG0NXRoZW9sZG9uZSAoc2Vj
cmV0c2VydmljZSkgPE04Ui1sOTB1dGRAbWFpbGluYXRvci5jb20+iQE4BBMBAgAi
BQJOJ1X9AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAApfB1GkMafN9i
B/4iXO+qlI50dFZVseb3w7hlkG0qWOJVZ+0oj8j2OgtcTBIV1U9brysyd9x6WMhk
FR7g8dYC4Qnqg1lT/0920pdftNfXDKiOGMyI60JBiQCb5FHQNo6pROg95f+0BFgG
M99CPHavDT0grWRRX9pgTIRY32kz7Ix88O+8ucWpfKuKdPjbpReStYOUyzjyDrcx
rzB16UEmq+BK4sD0RnB1IdiTV4em0TCU4BYoiDSia/L8B5AVtWV1czRhbRBtGyEn
2q8hp2oHtvW3phwYWAbcPZwshitA2TQJ1fCAvSKJHa4yND2ARjK3IQ5nM9qSwlZX
TvDmV4+2reZHvHTb69JodUyiuQENBE4nVf0BCAC/2WYLEUi0lEBp9tFc7YsG6TQn
sqGTSv35lfz2sSQ3HSQWXJC1GKHqEatH4vHVBLklP7ZZwVFvRSx+HhQ2o/L2X6mj
eucicZE007e1H8VTHXOOggLNzYmgDkcm8DaYvr0YApi8E9rJucjUgpB3jzZp8bjL
8GV8mAKSTjucVU5vMgNBmQegU3qZLkZwQIaBrI+Z5zrHzAl/VRQP7s5Kx2e6l/GV
DbEEGnH/vIYU7MpjLpRYEIcSD5fksi+kTmUMlAr24N5YU3Pf2NCmuWivHU01y0Af
hVAG1HBxloi2KU9/B/PK8/YHNEACiXIJocnDMLNwUUIxgs3NHg5F7MvWaS9nABEB
AAGJAR8EGAECAAkFAk4nVf0CGwwACgkQAKXwdRpDGnzRjgf/WzeWVgo3G1yftsl2
5dJNaGxx0siUSoVW0WJVkIgHXLDIs3aAk8Qc/5tEy+gr0h0djVUj7lLd2CPX+zO4
0uj9psPafI12do+O8GJ6DJkaiFR+17lP88I5T9GbtvQgpaOp06WiSRx5j8NZZJ+m
VUSNf9LpzWaKGINqwaaaNQLUEKDzQn5xEN1JK4elH12u4j+TKKWDR99hyw0WwfNw
d2Ul/9/bvlBN+3gReDlgZ157rjxIgON/FGMW1pm0uc48gYjZB2Um5axJC+JBNn75
frS7wl7cbs8vrb85FNZGpGzGTHEc2aHQUXo5bA82oS3Tm/zuYaWtnmY9jLbB09nD
+igA7A==
=C9+f
-----END PGP PUBLIC KEY BLOCK-----
My email is encryptioniskey@lavabit.com
I check it daily.
This'll probably just confuse you, I'm no teacher, but:
There are three parts.
A public key, a private key, and a password.
You may give the public key to anyone. Messages encrypted with the public key can only be decrypted with the private key and the password.
If you look at the forum, there are threads listing every seller's public key. This is safe and normal.
The rest is in the details.
Let's say you want to send a message to someone.
Get their public key, write your message and put YOUR public key in the message, in plain text.
Meaning:
hello this is a test.
--GPG public key--
blah blah blah bunch of numbers...
--end--
Encrypt the message with THEIR public key.
They can use their private key to read the message, and they now have your public key to send a message back.
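The round trip described in the post above, as an added editor's example rather than the poster's own instructions: two throwaway GnuPG keyrings stand in for the two parties, the recipient's public key is exported to a public.asc text file and imported on the sender's side, the message (with the sender's own public key appended in plain text) is encrypted to the recipient's public key, and only the keyring holding the recipient's private key can decrypt it. It assumes gpg 2.1 or newer is installed; the names, addresses and message text are constructed for the demo, and the empty passphrase exists only so it runs unattended.

```shell
#!/bin/sh
# Added editor's example (not from the forum post): a full PGP round trip with
# GnuPG, showing the three parts the post names: public key, private key, passphrase.
# Assumes gpg 2.1+; names, addresses and the message are constructed.
set -e

# Run gpg against one party's private keyring, never prompting interactively
gpg_in() {  # gpg_in <homedir> <gpg args...>
  home_dir="$1"; shift
  gpg --homedir "$home_dir" --batch --yes --quiet --pinentry-mode loopback "$@"
}

# Generate a keypair. The empty passphrase is for the unattended demo only;
# a real private key should always be protected by a passphrase.
gen_key() {  # gen_key <homedir> <user id>
  gpg_in "$1" --passphrase '' --quick-gen-key "$2" default default never
}

# Export a public key as an ASCII-armored text file (the public.asc idea)
export_public() {  # export_public <homedir> <uid> <outfile>
  gpg_in "$1" --armor --export "$2" > "$3"
}

# Import someone else's public key block from a text file
import_public() {  # import_public <homedir> <file>
  gpg_in "$1" --import "$2"
}

# Encrypt a file to a recipient's public key; output is ASCII-armored text
encrypt_to() {  # encrypt_to <homedir> <recipient uid> <plaintext> <ciphertext>
  gpg_in "$1" --trust-model always --armor --recipient "$2" \
    --output "$4" --encrypt "$3"
}

# Decrypt with the private key held in this keyring; plaintext goes to stdout
decrypt_with() {  # decrypt_with <homedir> <ciphertext>
  gpg_in "$1" --passphrase '' --decrypt "$2"
}

# Alice encrypts to Bob's public key, including her own public key in the
# plaintext so Bob can reply. Fresh temporary keyrings are created each call.
round_trip() {
  WORK=$(mktemp -d)
  ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"
  mkdir -p "$ALICE_HOME" "$BOB_HOME"
  chmod 700 "$ALICE_HOME" "$BOB_HOME"

  gen_key "$ALICE_HOME" "Alice <alice@example.invalid>"
  gen_key "$BOB_HOME" "Bob <bob@example.invalid>"

  # Bob publishes his public key; Alice imports it into her keyring
  export_public "$BOB_HOME" bob "$WORK/bob_public.asc"
  import_public "$ALICE_HOME" "$WORK/bob_public.asc"

  # Alice's message: greeting plus her own public key block, in plain text
  export_public "$ALICE_HOME" alice "$WORK/alice_public.asc"
  {
    echo "hello this is a test."
    cat "$WORK/alice_public.asc"
  } > "$WORK/message.txt"

  encrypt_to "$ALICE_HOME" bob "$WORK/message.txt" "$WORK/message.asc"

  # The ciphertext reveals nothing of the greeting
  if grep -q "hello this is a test" "$WORK/message.asc"; then return 1; fi

  # Only Bob's keyring (holding his private key) can recover the plaintext
  decrypt_with "$BOB_HOME" "$WORK/message.asc" > "$WORK/decrypted.txt"
  cmp -s "$WORK/message.txt" "$WORK/decrypted.txt"
}

round_trip && echo "Bob decrypted Alice's message and now holds her public key"
```

Trying to run `decrypt_with "$ALICE_HOME" "$WORK/message.asc"` after the round trip fails, because Alice's keyring holds only Bob's public key, which is the property the post is pointing at: the public key can be handed to anyone, and only the matching private key (plus its passphrase) opens what was encrypted to it.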
-
I'm having trouble importing people's public key blocks using GPG Keychain Access and GPG drop thing only on a Mac. Any advice on how to do that?
-
Can you create a file called public.asc, open it as a text file and copy the public key inside. Close the text editor and try right-clicking the file and seeing what your options are.
I don't know anything about Macs, but that is what I'd try. Shrug.
-
As long as your text in the email is encrypted, you can use any service that you want.
I like to use a simple service, one that doesn't have any frills, just plain and simple text. It has no ads or any of that crap.
ENCRYPT.
-
I have noticed that Hushmail now tells me that my computer is banned every time I try to log in using Tor. I don't try to log in without using Tor but wondered if anyone else has noticed the same thing. I am wondering because I put a Hushmail account in my public cert. If I log in without using Tor then LE can ultimately trace it back to a specific location and time. I have used new identities multiple times so I doubt that this is really tied to a specific computer that Hushmail has identified.
Lavabit is not accepting new account creation now either.
This strikes me as a technique that LE might be using to try to tie Tor activity to non-Tor activity.
Any thoughts by others?
ecm
-
Paranoia can be an asset but, if you encrypt everything, an intercepted transmission will only reveal that you are sending encrypted text.
Yes, it does mean that they know your IP and the recipient but, what do they have on you? That is, unless you are already being watched and they have an ongoing investigation on you.
Public wifi use is a layer of anonymity. Use several different emails along with encryption (make use of multiple public keys).
-
Don't use e-mail if you can avoid it. SMTP is inherently unsafe. PGP can remedy this, but you have to trust the sender and the e-mail provider will still have your IP address. The only way to really be safe is to own the servers and domain and connect via VPN. Oh, and don't trust anyone based in the US/Canada. It's been a while since any company in NA put up a fight against warrantless searches.
-
I agree pcgamer. My question was whether others had seen the same behavior by email providers - I'm trying to see if Hushmail has turned off access for Tor users.
Encryption is good but I suspect that having any email at all is bad. Webmail wouldn't generate SMTP traffic but that's not my concern. If one puts an email account in their public key then uses email without Tor then LE can tie that user to a specific IP (or set of IPs) and times. If that is a home IP address (Cox, Comcast, AT&T, etc.) then things are pretty clear pretty quickly. If it is a wifi cafe then it's slightly more complicated but still more pieces in a puzzle.
Have others seen this behavior by Hushmail, Lavabit, etc.?
-
Well, you'd have to be crazy to log in to your public email without protection... A lot of email services will block Tor, mainly due to spam. It's not unusual that you can't use them with Tor.
Using email servers hosted outside of your country adds jurisdiction complications; they can still get a warrant for it but it will be a way bigger pain in the ass. That combined with encrypting anything sensitive should be fairly safe.
You can make a new mail account at Mail.ru via Tor; keep all sensitive communication encrypted, and it should be relatively safe for what this site deals with.
-
There are a lot of sites that allow Tor.
Lavabit is a decently reputable company that is accessible through Tor.
Tormail is another. I cannot vouch for either company, but as long as it's through Tor, and you encrypt everything important, it shouldn't matter.
Either way, I like the fact that Tormail has a .onion address that you can connect to.