Compromising the Services

16 replies [Last post]
oralfloss
Offline
Joined: 06/20/2013

Many services claim they will never give backdoors or release any information to governments or companies. Unfortunately, they eventually are subject to such mishaps, and despoil their distinction in return. With the rise in contemporary surveillance, such problems have been occurring even more, for example hushmail and now even Startpage/ixquick.

My question to all of you is:
What e-mail services and search engines do you use, and how do you avoid these government and commercial breaches in our freedom and privacy? Do you ever feel these services will fail to keep your searches/mail private?

quantumgravity
Offline
Joined: 04/22/2013

If you use the email service of a company, you have to trust those guys.
I switched recently from gmail to lavabit and I think this is a step up, but it's not the perfect solution.
Of course it's better to use an email provider which claims to respect your privacy than just a service like gmail.
The chance of becoming a victim of a privacy violation is lower;
nevertheless, a good digital society should not need to trust a company with closed eyes.
Therefore, I would really love to see projects like "freedombox" succeed. It's the plan of a simple and easy-to-use device which allows non-technical persons without great effort to host most services on their own;
We need such a thing, and everyone should have one:
own mail server, own cloud server and so on.

At the moment I use duckduckgo and startpage as a search engine.
You mentioned concerns about the last one. What are these concerns? Can you explain / give more links?

oralfloss
Offline
Joined: 06/20/2013

>At the moment I use duckduckgo and startpage as a search engine.
>You mentioned concerns about last one. What are these concerns?

While Startpage/Ixquick has not knowingly been tracking its users, there is still much suspicion to have over it, just as there is with duckduckgo. Here are my main concerns with Ixquick:

They are a proprietary service, which shows that albeit the fact that they have many claims to not track users, it can still be doing so in private. However it is not considered an attack to our freedom because it is a service and not a software. It is just something to consider.

Ixquick also admits to tracking the user's other information that they say "does not qualify as personal data." They don't mention this AT ALL on their website, however they made it clear through their public report for EuroPriSe, which gave them the "seal of privacy".

You can read the exact text here:
https://www.european-privacy-seal.eu/awarded-seals/de-110022/

Now that I have shown you some of the few problems with Ixquick, I should probably show a few problems with the popular DuckDuckGo.

Rather than fully proprietary like Ixquick, DuckDuckGo is partly proprietary, and has released most of their source code via github. However, due to the parts that they haven't released, it is still impossible to know whether they do or not track you.
You can read on that here:
http://help.dukgo.com/customer/portal/articles/216390-open-source

DuckDuckGo is also a service based in America, rather than Ixquick which is based in the Netherlands. This means that they can be compromised by the government to hand over any logs they might have, which could potentially identify the users. However, like Ixquick, it ultimately depends on how much you trust their services, and should just be something to consider.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

The server owner using free software is good for her. Not for the users of her service. Even if she distributes, under a free license, all the software the service is supposed to run, the user cannot know if this really is the software that is executed on the server side. There necessarily is "trust" involved at some point... or you run the software by yourself (a viable solution for e-mailing, not really for Web crawling).

quantumgravity
Offline
Joined: 04/22/2013

Well, most users run precompiled software packaged by the distributor and they aren't capable of compiling the whole system by themselves. So actually, this is quite a similar problem.
The question is: who deserves our trust more?
Definitely the distributor;
But one does not know.

ssdclickofdeath
Offline
Joined: 05/19/2013

"DuckDuckGo is partly proprietary, and has released most of their source code via github. However, due to the parts that they haven't released, it is still impossible to know whether they do or not track you."

Even if all the code was released, you have no way of knowing if that is really what runs on their server.

ssdclickofdeath
Offline
Joined: 05/19/2013

I use Lavabit and DuckDuckGo, but hope to switch to a personally owned mail server and YaCy.

coerciblegerm
Offline
Joined: 06/28/2013

"With the rise in contemporary surveillance, such problems have been occurring even more, for example hushmail and now even Startpage/ixquick."

What are the issues with Ixquick and Startpage?

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

I am in the process of setting up my own mailserver. The webserver is already online and I'm testing it and filling it with interesting stuff, etc.

The cost is minimal if you manage to get a cheap domain name like I did (like up to 10 EUR per year, in some cases below that). Just a bit of phantasy is required for that. Also, there are lots of domain registrars out there, some are (way) cheaper than others. As long as you are going to run your own server, I think it makes sense to opt for the cheapest domain registrar (the quality of their webhosting is irrelevant).

Electricity can be a non-issue if you use the Raspberry Pi. It will cost somewhat more though than just the R. Pi itself - you need an SD card, possibly an SD-card reader for your computer (for installation purposes) and the power adapter costs extra too. The R. Pi basically does not affect your electricity bill, I don't think it needs even 10 watts under load.

I had a computer suitable for this task and it doesn't "eat" more than 7 Euros per month in electricity. Remember that no high-end PC is needed, 500 MHz are probably fully sufficient (underclocking and undervolting are really great for conserving power and reducing heat), one HDD is sufficient, no disk-drive is needed after installation, no fancy GPU is needed (use a mainboard with graphics on-board), soundcard and many other peripherals are useless.

Setting up a personal mail server will solve the privacy and surveillance issues, but can cause new issues altogether: spammers trying to use your server for their needs. I have to find a way to deal with it yet, there has to be some way of preventing that.

If I find a way of securely running my own mail server, I'll post a step-by-step how-to.

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

Thanks for the info. I too run my own email server at home, but the electricity wasn't an issue for me because I already had a machine running Debian 24/7 acting as a media server.

I definitely think the Freedombox is the way forward, and it deserves our full support. It's a fantastic idea, and if the team can pull off the feat of making it both stable and user-friendly (noob-friendly), I can see it becoming a great success.

If you do find a solution to the SMTP-hijacking problem, please let me know. Currently, I have mine set to refuse connections from outside my local subnet, but that's not great for when I'm using my Android mobile on the go, and want to reply to an email. Is there something we can do with public/private keys here? Just a thought.

If it helps I'm using Postfix for SMTP and Dovecot for IMAP. As I said I use them on Debian (only free repos!) but they are available in the Trisquel repos, too.

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

^Blank post.

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

Known and reported mail to forum bug, http://listas.trisquel.info/pipermail/trisquel-users/2013-July/023092.html should have the same text.

andrew
Offline
Joined: 04/19/2012

I think the blank message problem on the forum might be caused by
MIME/PGP (I could be wrong though).

Michał's post, for the forum:

-------- Original Message --------
Subject: Re: [Trisquel-users] Compromising the Services
Date: Wed, 3 Jul 2013 12:44:37 +0200
From: Michał Masłowski
To: User help and discussion <name at domain>

> If you do find a solution to the SMTP-hijacking problem, please let me know.
> Currently, I have mine set to refuse connections from outside my local
> subnet, but that's not great for when I'm using my Android mobile on the go,
> and want to reply to an email. Is there something we can do with
> public/private keys here? Just a thought.

Isn't it solved by SMTP-AUTH? Postfix can use Dovecot SASL for
authentication. My server accepts relay only on 587 (requires STARTTLS
and authentication), I don't see many failures in the logs (unlike
zombies trying to relay on port 25).
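
The relay policy described in the post above (relay only on 587, with STARTTLS and authentication through Dovecot SASL), as an added example that is not part of the thread or anyone's actual configuration: a small audit of Postfix settings against that policy. The sample `main.cf` and `master.cf` text is constructed, the function names are hypothetical, and the check only looks at `smtpd_recipient_restrictions`, so a setup that uses `smtpd_relay_restrictions` would need that parameter checked as well.

```python
# Constructed sample configs (not from the thread); parameter names are real
# Postfix settings, the values are an assumed relay-relevant subset.
MAIN_CF = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def effective(main_text, master_text):
    """Per-service settings: main.cf values overlaid with master.cf -o overrides."""
    main = {k.strip(): v.strip() for k, v in
            (l.split("=", 1) for l in main_text.splitlines() if "=" in l and l[0] != "#")}
    services, current = {}, None
    for line in master_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if not line[0].isspace():              # a new service entry
            current = tokens[0]
            services[current] = dict(main)
        elif current and tokens[0] == "-o" and "=" in tokens[-1]:
            key, value = tokens[-1].split("=", 1)
            services[current][key] = value     # override applies to this service only
    return services

def audit(main_text, master_text):
    """Return findings; an empty list means every check below passed."""
    svc = effective(main_text, master_text)
    sub, mta = svc.get("submission"), svc.get("smtp", {})
    if sub is None:
        return ["no submission (587) service"]
    rules = sub.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    checks = [
        (sub.get("smtpd_tls_security_level") == "encrypt", "submission: STARTTLS not mandatory"),
        (sub.get("smtpd_sasl_auth_enable") == "yes", "submission: SASL auth disabled"),
        ("permit_sasl_authenticated" in rules and rules[-1:] == ["reject"],
         "submission: relay not limited to authenticated users"),
        ("0.0.0.0/0" not in mta.get("mynetworks", ""), "port 25: mynetworks trusts every client"),
    ]
    return [message for ok, message in checks if not ok]
```

On the Dovecot side, the `private/auth` path corresponds to a `unix_listener` under `service auth` that the postfix user can reach.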

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

Thanks, SMTP-AUTH was the solution to this. It was a PITA to set up, but I eventually got it working with Dovecot SASL over TLS on port 587.

Thanks for the hint!

GNUUUU
Offline
Joined: 02/22/2011

Although yet incomplete, I think this can be of great help:

http://jxself.org/your-own-server.shtml

Fernando_Negro
Offline
Joined: 06/17/2012

Besides only using Free (and "Open Source") Software operating systems...

I use *Mail.ru* for e-mail (which has an English and Spanish interface, for those of you who don't know it) and the *Yandex.com* search engine, whenever possible - which is an English language implementation of the well-known Yandex (.ru) search engine.

Seriously corrupt as our Western society is, and knowing how all the big companies are (behind the scenes) allied with each other and their puppet governments, I don't trust any big company in the West.

At least the Russian government and Russian companies, I know, are not something (that, for a lot of reasons) I have to worry about.

Concerning "Startpage"... It is (to me, at least) an obvious example of "controlled opposition" - https://trisquel.info/en/forum/ixquickstartpage-launching-new-privacy-aware-email-service#comment-36230.