On 08/06/2015 11:22 AM, Bob Bernstein wrote:
On Thu, 6 Aug 2015, Jape Person wrote:
I could jump through all the hoops I wanted to, but using my
ISP-provided e-mail account (even with encrypted contents and
directed through a VPN) for communications with people at risk
would be laughable.
How much of that particular POV, expressed in the above-cited
paragraph, did you adopt only AFTER the Lavabit experience?
Just about none of it. I've been involved in sensitive political
communications since the 60s. We didn't trust regular mail then, and we
don't trust "regular" Internet now. We used "poor man's encryption"
(messages compressed in encrypted archives with special arrangements for
figuring out the passwords) in the Fido-NET days. Actually the gimmicks
used to get around physical mail services were far more torturous than
anything I use now.
Using encrypted contents on an e-mail server that doesn't keep the
messages after delivery which is hosted by the VPN provider or by
a third trusted party who doesn't log IP addresses begins to
improve the safety of the communicators.
Again, I am struck by how much of this advice (and it's good advice,
_if_ you can find such a server) seems to point directly back to
Lavabit and its fate.
I think that a great many people who were burned were well-aware of the
dangers of trusting a single source for security. The more cautious
people didn't do that if they had the knowledge and means to avoid it. I
know that among those burned were some solid citizens of the planet and
also some folks you wouldn't want hanging around the local school yard
in a white van.
The more cautious people these days use multiple VPN hops with hosted
virtual machines created and run on-demand in volatile memory to create
and send messages. Job done, machine eradicated. Each VPN and VM located
in a different country -- preferably none of these countries bing
particularly close allies. It's easy enough to do from where I live, but
hard to learn about and do from many locations.
In any case, I don't think most of us are fooled into thinking that it's
safe to cross Big Brother (or Big Business). The weak point is often at
one end or another of the communications chain. Moles in the activist
communities have always been a huge problem. But, nothing risked,
nothing gained.
The primary safeguards that help when communications are compromised are
to compartmentalize activities until it makes you bleed, vary your
communications styles over extreme ranges, and make use of plausible
deniability (a tactic actually made easier sometimes by deliberate use
of insecure methods).
But I can tell ya this: if they want my lotion 'n tissues they'll
have to pry them out of my cold dead hands!
Ugh, now there's a mental image! I may have to go pour Drain-O on my brain.
Brings up another point. I've always wondered how the sticky fingers
crowd could manage all the key-presses necessary for arranging proper
security.
Jape
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/55c38d27.7090...@comcast.net
