"One alternative is of course SSL", said the expert.
No it's not. SSL offers security for data in transit but not for data at rest.
Internet service provider GMX claims to have overcome the notorious usability problems of PGP with the launch of a new email service that offers end-to-end encryption. The new email security works across all devices and platforms: including laptops, tablets, smartphones and web browsers, according to GMX, which says that the …
...the recent change, last month or so, when they moved their email operation from the US back to Germany (where GMX originally started).
This would stop them from getting hit with a subpoena a la Hushmail, as there is no remotely legal way you can pull that off in Germany.
I've been a GMX user for close to 20 years now and I've been entirely satisfied with them all along the way thus far.
I'm genuinely happy for you if you are. Just let me mention as an anecdotal data point that after years of use, they simply locked me out of my account, and when I inquired as to why, using a different account from a different provider, they only replied "yep, it was not an error, the decision was justified", failing again to offer any clue regarding the reason. And I'd like to note I've never, ever, ever done anything sketchy with that or any other mail account I ever had - to this day it's a complete mystery to me what they were smoking when they did that. So I sincerely hope you have a local copy of your mail and never, ever end up needing to rely on their fucked-up idea of customer support. Oh, and by the way - fuck those uncle-molesting fuckers with a @%$^## &U%^ @#$# &U*&* @#$#$ *)(#$ #$%^^& @$ #$% ^&...!!!
> Just let me mention as an anecdotal data point that after years of use, they simply locked me out of my account
Were you using a gmx.net, gmx.de, or gmx.at account without having German or Austrian residence? I don't know if that's still the case, but those are subject to different conditions than other addresses, and in that case you would not have had a leg to stand on.
In any event, if there were no ongoing legal proceedings or blatant abuse on your part, they should at least have allowed access to your account to retrieve your emails, as I recall from their T&Cs. Failing that you could have sent them a (paper) letter or requested assistance from the relevant consumer organisation.
I agree with always backing up your emails. Personally I have three online (as in, real time) copies, and two off-line ones. Redundancy is key with anything computer related.
Not sure. Seems like crypto is illegal now...
He has additionally been charged with being in possession of a "Universal Serial Bus (USB) cufflink that had an operating system loaded on to it for a purpose connected with the commission, preparation, or instigation of terrorism."
They have made possessing an operating system (shock! horror!) on a USB stick (more shock! more horror!) a "terrorist" offence too???? What the hell OS was it? Windows 10?
I suddenly feel compelled to burn anything that might ever have had Qubes, Tails, Whonix, BSD or Linux on it before I get "rendered"
The police state's gone completely stark-staring 100% certifiably MAD. Didn't take long, did it? :(
Well that should have been a red flag right away. If he'd called himself Da'i Ullah he might have got away with it. I guess 'Land of my Fathers' should now be re-titled "Land of my 'alaba" :)
@ Dan 55: 'Cops charge Cardiff man with “training, researching” how to use crypto software' ref.
...you're never going to go mainstream. Encryption is too difficult for the average user to understand, so "going it alone" is not an option. By your standards, if the only way to do it right is too hard for the average person, no wonder encrypted e-mail never takes off. You're basically saying it's a bridge too far. And that's bad for ALL of us.
Besides, what's to say the program you use to create your own keys isn't backdoored in some clever way or is already broken by the TLAs without your knowledge. And you can't code encryption from scratch because doing it right is HARD. Meaning you can't trust YOURSELF to do it, nor can you trust ANYONE ELSE to do it, either. Logically, that means you can't trust ANYONE to do it right. IOW, we're screwed.
"...you're never going to go mainstream."
Even if you have it working turnkey that won't be enough to go mainstream because it's still an add-on. Few people know anyone who uses encrypted email because the people they know don't know anybody who uses encrypted email because...so it's not worth using encrypted email. It needs to be incorporated in email standards as the default mode of operation. As it also makes provision for signing it should have a major part to play in preventing phishing and other email scams.
But then the keys get STOLEN. I recall Realtek's driver signing key (a private key) got stolen and used to make signed malware that couldn't be revoked easily (because so many PCs use Realtek chips on their motherboards for audio).
OK, it's a fair cop, I'll put my hands up to it !
About twenty years ago I had a copy of 'The Anarchist's Cookbook' on a hard drive - briefly - and right now I think I have two memory sticks with different versions of Linux on them on my desk.
What if public keys were put in email headers and once you had someone's public key you could send them encrypted email? Otherwise it goes out plain-text.
You still have the problem of email systems without plugins - web-based for example.
What if you also automatically web-hosted all your *sent* email and included an https URL with your correspondent's public key automatically added to your web-server and associated with their identity? With any web client in which they have installed their certificate, they can read the mail you sent them. Maybe after the certificate exchange there could be an automated password exchange so that your mail server can accept passwords for those using non-certificate-capable platforms. You might want that for friends, but disable all encryption for non-sensitive commercial email, circulars etc. Identity management is, er, key.
Since you hold the data, if they lose their key that isn't too bad and there is no reason why a mail client can't decrypt email and store the plain-text if you want. They can generate a new key-pair and send you the new public key. Your mail client can do a three-way handshake to confirm the identity isn't just spam and flag you to check with the person manually that they haven't had their account compromised.
Key distribution, multi-application key management and graceful fallback is the key to success.
The problem is you're supposed to already have the public key, not the message, because you don't know if you can trust the message. You may also want to send a message to them first, but you can't encrypt it because you don't know their public key.
Maybe putting the public key in a header is okay, if they all match from that sender then the mail client can assume it's safe to go ahead. Something like SSH's first connection certificate - it makes things easier and it's probably okay to use.
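What the "SSH-style first connection" idea in the comments above amounts to in practice is trust-on-first-use pinning: remember the key the first time a sender advertises one, treat later messages that carry the same key as routine, and flag (but never silently accept) a changed key. The following is an added example for this thread, not code from any mail client or from the commenters. It assumes a hypothetical header name, "X-PublicKey", carrying a base64 key with no particular key type (a real scheme would also need the key type, a signature over the message, and a persistent store), and the sample messages at the bottom are constructed for the demo.

```python
"""Trust-on-first-use pinning for a public key carried in an email header.

Added example for the thread above; it is not code from any mail client.
Assumes a hypothetical header "X-PublicKey" holding the sender's base64 key
(any real scheme would also need the key type and a signature). The messages
at the bottom are constructed for the demo.
"""
import base64
import hashlib
from email import message_from_string
from email.utils import parseaddr

HEADER = "X-PublicKey"   # hypothetical header name, not a standard one
MIN_SIGHTINGS = 3        # consistent sightings before we auto-encrypt to a pin


def fingerprint(key_b64: str) -> str:
    """SHA-256 of the raw key bytes, hex. We pin the digest, not the key text."""
    return hashlib.sha256(base64.b64decode(key_b64, validate=True)).hexdigest()


class PinStore:
    """Maps a sender address to (pinned fingerprint, sightings). A dict stands
    in for the on-disk store a real client would keep (like ~/.ssh/known_hosts)."""

    def __init__(self):
        self.pins = {}

    def check(self, raw_message: str) -> str:
        """Classify an incoming message against the pin for its sender."""
        msg = message_from_string(raw_message)
        _, sender = parseaddr(msg.get("From", ""))
        sender = sender.lower()
        if not sender:
            return "reject"            # no usable sender: nothing to pin against
        key = msg.get(HEADER)
        if key is None:
            return "plaintext"         # sender advertises no key: fall back
        try:
            fp = fingerprint(key)
        except ValueError:             # binascii.Error is a ValueError subclass
            return "reject"            # malformed key header
        pinned = self.pins.get(sender)
        if pinned is None:
            self.pins[sender] = (fp, 1)
            return "tofu"              # first sighting: pin it, SSH-style
        if pinned[0] == fp:
            self.pins[sender] = (fp, pinned[1] + 1)
            return "match"
        return "mismatch"              # key changed: do NOT overwrite, flag it

    def ready_to_encrypt(self, sender: str) -> bool:
        """Only encrypt automatically once the same key has been seen repeatedly."""
        pinned = self.pins.get(sender.lower())
        return pinned is not None and pinned[1] >= MIN_SIGHTINGS

    def accept_new_key(self, sender: str, key_b64: str) -> None:
        """Manual re-pin after the user has confirmed out of band that the
        correspondent really did generate a new key pair (lost key case)."""
        self.pins[sender.lower()] = (fingerprint(key_b64), 1)


def _msg(sender, key=None):
    """Constructed sample message (not a real capture)."""
    lines = [f"From: {sender}", "To: bob@example.net", "Subject: hello"]
    if key is not None:
        lines.append(f"{HEADER}: {key}")
    return "\r\n".join(lines) + "\r\n\r\nbody\r\n"


KEY_A = base64.b64encode(b"\x01" * 32).decode()   # stand-in key bytes
KEY_B = base64.b64encode(b"\x02" * 32).decode()   # a different key

SAMPLE = [
    _msg("Alice <alice@example.org>", KEY_A),
    _msg("alice@example.org", KEY_A),
    _msg("ALICE@example.org", KEY_A),
    _msg("alice@example.org", KEY_B),          # key changed: MITM or a new key?
    _msg("carol@example.org"),                 # no key header at all
    _msg("mallory@example.org", "not base64!"),
]


def demo():
    """Run the constructed messages through a fresh store."""
    store = PinStore()
    statuses = [store.check(m) for m in SAMPLE]
    return statuses, store.ready_to_encrypt("alice@example.org")


if __name__ == "__main__":
    print(demo())
```

The "mismatch" branch is the whole point of the design: a changed key is exactly what a man-in-the-middle looks like, so the client keeps the old pin and asks the user to confirm the new key out of band (accept_new_key) rather than learning the new one automatically, and auto-encryption only switches on after the same key has been seen a few times.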
The browser itself is a security hole.
With that attitude and a Don't Trust Anyone world, ANYTHING could be a security hole, even the CPU used to run your OS and everything on top of it. IOW, you're basically saying NOTHING is safe. At which point, you're left with a choice. Do you take the chance or abandon everything and go live in the mountains somewhere?
American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.
The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.
Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).
Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.
That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.
The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.
Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday by challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave, to a degree, Microsoft Bing and LinkedIn trackers a pass versus other trackers.
Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway.
"For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."
Period- and fertility-tracking apps have become weapons in Friday's post-Roe America.
These seemingly innocuous trackers contain tons of data about sexual history, menstruation and pregnancy dates, all of which could now be used to prosecute women seeking abortions — or incite digital witch hunts in states that offer abortion bounties.
Under a law passed last year in Texas, any citizen who successfully sues an abortion provider, a health center worker, or anyone who helps someone access an abortion after six weeks can claim at least $10,000, and other US states are following that example.
A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.
In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence."
A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well as mass shootings.
Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.
Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.
"Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."
Apple's Intelligent Tracking Protection (ITP) in Safari has implemented privacy through forgetfulness, and the result is that users of Twitter may have to remind Safari of their preferences.
Apple's privacy technology has been designed to block third-party cookies in its Safari browser. But according to software developer Jeff Johnson, it keeps such a tight lid on browser-based storage that if the user hasn't visited Twitter for a week, ITP will delete user set preferences.
So instead of seeing "Latest Tweets" – a chronological timeline – Safari users returning to Twitter after seven days can expect to see Twitter's algorithmically curated tweets under its "Home" setting.
A group of senators wants to make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.
A bill filed this week by five senators, led by Senator Elizabeth Warren (D-MA), comes in anticipation of the Supreme Court's upcoming ruling that could overturn the 49-year-old Roe v. Wade ruling legalizing access to abortion for women in the US.
The worry is that if the Supreme Court strikes down Roe v. Wade – as is anticipated following the leak in May of a majority draft ruling authored by Justice Samuel Alito – such sensitive data can be used against women.
Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.
EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.
In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice of the EU (CJEU) decisions that prohibit blanket data retention.
Messaging app Telegram, which came to prominence for offering end-to-end encryption that irritated governments, has celebrated passing 700 million active monthly users with a pastel-hued announcement: a paid Premium tier of service.
A Sunday post celebrates the 700 million user milestone by announcing a $4.99/month tier. The Premium tier distinguishes itself from the freebie plebeian tier with the ability to upload 4GB files, unthrottled downloads that come as fast as users' carriers will allow, and the chance to follow up to 1000 channels, create up to 20 chat folders each containing up to 200 chats, and to run four accounts in the Telegram app.
Paying punters will also get exclusive stickers and reactions and won't see ads once they sign up to hand over coin each month.
Biting the hand that feeds IT © 1998–2022