How do you read your personal e-mail when not at home?

9 replies [Last post]
hack and hack
Offline
Joined: 04/02/2015

The way I understand it,

The phone (smart or dumbphone), whether with Replicant or not, isn't really safe for stocking or consulting personal data such as e-mails.
Yes, there is encryption, but not all my recieved e-mails are encrypted.
Also, when decrypted on the recieiving device, since the firmware or bootloader aren't free, they're potentially exposed.
So it feels pointless.
But there's surely something I misunderstand about encryption since Replicant website states:
Is my data safe when stored on a device running Replicant?
While Replicant is a fully free system, some proprietary components that are not part of the system, such as bootloaders, may still be executed (the situation depends on each device). These proprietary pieces have access to the data stored on the device. Hence, they represent a risk for security.
On telephony-enabled devices, if the modem is poorly isolated from the rest of the device, it may also be able to compromise the data stored on the device and apply software changes.
Despite being fully free, Replicant may also be exposed to security issues that were not disclosed and/or fixed yet, like any operating system. Just as well, installing third party applications may bring security issues, especially if they come from untrusted sources. Of course, installing any proprietary application creates a risk for security.

but also states:
General good advice for freedom and privacy/security

Some general good advice to ensure the best possible respect of freedom and privacy/security on mobile devices includes:

Installing only free software applications, from trusted sources such as F-Droid on Replicant.
Encrypting the device's storage, to prevent some unauthorized access to the device's data.
Using software that provides secure peer-to-peer-encrypted communications such as ChatSecure for instant messaging and AGP with K-9 Mail for emails on Replicant.
Using Tor to achieve reliable anonymity, for instance with Orbot on Replicant.

I read this as a contradiction. I'm obviously wrong, but I don't understand why.

Checking e-mails at work: same issue, unless having my personal machine with me at all times, which isn't the most convenient but doable.
Actually, with the ability to share the connection with the phone, it can be worth it.

What do you think?

hack and hack
Offline
Joined: 04/02/2015

Expanding on the subject a bit more, removing the battery of the phone (or at least turn it off) can help getting off the grid, but then again there are other ways to track someone.

Using a car? Soon, all will be forced by law to be equipped with "spyware".
Public transportation? Single tickets cost much more then the monthly card that records your location every time you enter the network.

An alternative is biking, but most people cant afford it (like if you work very far from home).

What I'm seeing as I write is that there are alternatives, but not always possible or convenient enough. Yet they're doable.

Then I'm thinking out loud: why it's so important to be off the grid in terms of location? or, by extension, in terms of the people I meet? I'm speaking for the average citizen, not journalists for example.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>How do you read your personal e-mail when not at home?

I ask the friend if I can use their computer to read my mails. If they say yes, I install TorBB and go to riseups's mail website, put my login info and read my mail.
As simple as that.

hack and hack
Offline
Joined: 04/02/2015

Good one, didn't think of that. A webmail through TorBB.

Thanks!

hack and hack
Offline
Joined: 04/02/2015

I see, so it's safe until/unless proven otherwise.
Which is acceptable I suppose, regarding the unimportance of my e-mails content (but it's still MY content).

But here's something written by Replicant's author, that gives some more useful info:
We don't call firmware the software that runs on the CPU. See DeveloperGuide. With Replicant, the software that runs on the CPU is free, except for the bootrom and the bootloaders, that are loaded prior to the system and shouldn't be running anymore once the kernel is started (that would have to be verified).
Also, once there is proprietary software running the CPU, the modem becomes irrelevant as an attack vector, as any program can just spy and collect data on its own without the need of the modem. This is why the software running on the CPU is actually the most important attack vector, hence why we believe a fully free system such as Replicant is important for privacy/security.

But regarding your comment, isn't full disk encryption actually intended to protect the data against the phone being stolen? Sure, it needs to be turned off, but worst case, changing passwords ASAP should be enough, no?

onpon4
Offline
Joined: 05/30/2012

Your email is probably never safe from being read unless both you and the person you're talking to are using end-to-end encryption and do not have any proprietary software in your systems which can be used to snoop on you. Or alternatively, a computer that never connects to any network being used to encrypt and decrypt messages.

If the emails are unencrypted, I wouldn't be too concerned about the security risk of proprietary software in a phone being able to read it. For one, it can be read on the server as well. For another, most computers you tend to find these days, and this probably includes yours, are backdoored. If anything, a lot of phones are probably safer in general than modern x86 systems. It's just hard to tell which ones.

As for how I read emails on the go, well, I recently replaced the phone I had, which was just one of those basic phones with a proprietary OS, with a cheap Android phone, so I'm able to read email that way. When I have wifi, though, I prefer my OpenPandora. I imagine I'll probably get a Pyra at some point and replace both devices with it.

hack and hack
Offline
Joined: 04/02/2015

Your email is probably never safe from being read unless both you and the person you're talking to are using end-to-end encryption and do not have any proprietary software in your systems which can be used to snoop on you. Or alternatively, a computer that never connects to any network being used to encrypt and decrypt messages.
This is totally what I had in mind when thinking encryption feeling pointless.
Most of my contacts don't have a free OS to start with. So let's say I learn then teach them e-mail encryption. At least the mail provider (the server) won't be able to read a thing. But the hardware and/or OS maker most likely will, or could.
So even me having a free OS (either on the phone or a laptop/desktop) looks pointless. Yet it's useful for any other type of computing I can do besides e-mailing.

The Pyra looks so nice! Similarly, I was thinking of getting a cheap x200 and libreboot it (the hardest part). A bit heavier to take on the go, and it doesn't have gaming controls. But I'm tempted.

hack and hack
Offline
Joined: 04/02/2015
callmeclean
Offline
Joined: 03/31/2016

Read the 'Why is the latest Intel hardware unsupported in libreboot?' and 'Why is the latest AMD hardware unsupported in libreboot?' sections in the libreboot FAQ(https://libreboot.org/faq/) to see just how dire security is on the modern x86 platform. It seems to me the simple proprietary bootloaders & "well" isolated modems are a much better choice than management systems built into modern AMD & Intel CPUs, which are proven to be exploitable and can completely own your PC.

The best choice I guess would still be an older x86 system supported by libreboot. I hope to get my hands on one eventually.

hack and hack
Offline
Joined: 04/02/2015

I recently refurbished a Samsung NP-NC10 (the brand new battery failed on Windows, but worked on trisquel), even if the screen is still a bit unstable.

Sure it doesn't have Libreboot, but as a studying tool (no real personal data inside), I don't care that much.

It's also nice to have an "on the go" machine that could be stolen without me feeling completely down (though it would still suck).

I just hope I'll be able to make a netinstall on it with Trisquel 8 (32bits).