Secure communications?

Secure communications?

Post by ezvasque » Tue, 01 Mar 2005 02:52:32



I am a 44 year old female who lives in a Third World Country, and I am
trying to establish a small export business. Because of the political
and business climate in my homeland I feel it absolutely necessary to
use encryption when I communicate with customers in other countries.

But few people use encryption at my level in the business world. I
find that exasperating. In fact it will kill my business if I don't
find a way around the problem. I simply cannot send and receive
messages in the clear. For me it is too dangersous.

My attempts to convince people to use PGP or GPG are falling on deaf
ears. All I get are reasons why THEY feel encryption is unnecessary and
therefore a waste of time for them. To me it is beginning to look as if
they refuse to encrypt their emails simply because they don't have the
brains for it.

Does anyone offer an email client that allows for an EASY and simple
way to communicate securely? Something that even an idiot can use? My
financial future depends on it.

E.Z Vasquez
 
 
 

Secure communications?

Post by Juergen Ni » Tue, 01 Mar 2005 04:37:09


That wouldn't help you, I'm afraid. People will still need to be forced
to use it.

Just about ANY decent email client will support S/MIME nowadays, and
that's secure - but you'll need to make your business partners accept
that THEY will have to spend a few minutes into generating
x.509-certificates, for example at Trustcenter.de or Thawte.com


Juergen Nieveler
--
famous last words: .....shure I'm shure!

 
 
 

Secure communications?

Post by Bruno Wolf » Tue, 01 Mar 2005 06:38:55


What are you actually trying to prevent? There are different strategies
you want to pursue depending on what you need to hide. This might for example
include that you are communicating with people outside of your country, that
you are communicating with specific people and the contents of your
communications.


A possible option is for you to get a shell account on a machine that you
think might be safe from snooping by whoever you are afraid of. There is
a good chance that your government won't be able to snoop traffic outside
of your country unless you are known to be a high value target in which case
you are probably hosed anyway. You should be able to communicate with that
remote computer without your government being able to read your traffic
unless they tamper with your computer. They will know that you are
communicating with a computer outside of the country and that still may cause
you problems. If you use that remote computer for sending and receiving
email, your government won't have easy access to the content of the email.
 
 
 

Secure communications?

Post by Tom McCun » Tue, 01 Mar 2005 07:08:33

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe you could use Hushmail http://www.yqcomputer.com/
and convince them to as well.

I don't know if your business is large enough to use PGP Universal,
and if that might take care of the situation for you. I really don't
know the details of what all it involves.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: My PGP Page & FAQ: http://www.yqcomputer.com/

iQEVAwUBQiJE5WDeI9apM77TAQLb+Af5AVixZ+XTm+gajdVogQeqjby4GEYabG0c
iPzVmlKFDvSeUMc79TEyzCke1skYYLSHxpoWHGVEwqrvOwpekeOUXy+eBhH2B+yy
+adA+ZOw6/BUsApT/btEoVhGaZlsiR+hBqYeuWgG44SLtyn7SjqVofoKXbIF081L
O0V1GNUTsfdtLusWx4AdJPo7/tmCpDNU8YHNL4tHNYFdaG5XnBxgMFditOUphNEx
r3M1fpf9iE/hmv0qbTFuqz3hLw+Bnc00lIc4vjg9JYhvAxJKjGNEaQD9f2UtUKq+
lT2+jE117C+W9CNFXYChD7kQZ1VT9J+baydouNfD3GZZKx9xt5Fflw==
=7ktB
-----END PGP SIGNATURE-----
 
 
 

Secure communications?

Post by William Ta » Tue, 01 Mar 2005 10:48:47


Have you considered storing your received mail on an IMAP server and using
a secure/encrypted webmail interface?

--
William Tasso
 
 
 

Secure communications?

Post by ezvasque » Wed, 02 Mar 2005 04:07:49

I thank each of you for taking the time to respond to my plea, but it
is obvious that none of you can help although I'm sure you want to do
that.

Mister Juergen Nieveler, You are apparently correct when you say that
S/MIME is secure. But how do I force my interlocutors to use it. With a
gun? And as far as obtaining and using an X509 certificate is
concerned, if my correspondents don't have brains enough to use PGP
they don't have brains enough to do what you suggest.

Bruno Wolff, you ask what I am trying to prevent. Before exposing your
lack of knowledge you should do a little research on what it is like to
live in a Third World country. Five minutes worth of education will
tell you that I am trying to prevent the kidnap and possible murder of
my loved ones by those who read my email and believe I am rich. Is that
clear enough for you?

You say that there is a GOOD chance that my government won't be able
to read my email once it is outside of my country. GOOD CHANCE? I'm
betting my daughter's life on the fact they can't read my mail. Tell me
how to make my chances GOOD enough to warrant a risk that large.

And how do I prevent the criminal element from reading my mail while
it travels "in the clear" over the phone lines within my own country?
No, they don't have to tap my phone, all they have to do is pay twenty
dollars a month to some employee at my ISP. The employee is as corrupt
as the government officials and he or she will record everything I put
through their system then pass that information on to whoever pays him.
It is very tempting because twenty dollars is thirty percent of his
monthly pay.

Tom McCune, I tried very hard to convince people to try Hushmail, but
all I get in return are arguments that THEY have no need to go to all
that trouble. Besides, I'm not willing to trust my future and the life
of my daughter to some unknown third party like Hushmail. How about
you? Will you place the life of your loved ones in the hands of a
stranger? I think not. I won't either. Money is important to me but not
as important as a life.

As far as PGP Universal is concerned, I cannot afford it, especially
while knowing that my business contacts will not work with me on the
project. I've found not one person in the First World who even tries to
understand my situation let alone work with me on a solution. They are
lazy and it is too easy for them to imagine that encryption is
unnecessary. I do wonder, though, if in the dead of night they ever
admit to themselves that the real reason for their failure is because
they lack the intelligence for it.

William Tasso, I have not considered an IMAP server and a secure link
to it. Talk to me about that. You are all invited to talk to me about
that.

Tell me a about the IMAP server and tell me a lot about the link to
it. I'm particularly interested in how easy it is to use a system like
that and how secure it truly is. And while talking to me about
security, keep in mind that in a Third World country the criminal
element will go to extraordinary lengths to extract money from those
who have it. Also remember that the largest and best organized criminal
element in a Third World country is almost always law enforcement
itself. It is they who commit most of the robberies, do the kidnappings
and execute the extortion plots. I cannot count on law enforcement for
help.

One other thing. I am presently in the United States and for t
 
 
 

Secure communications?

Post by Eric M » Wed, 02 Mar 2005 05:44:42

In article < XXXX@XXXXX.COM >,
XXXX@XXXXX.COM says...


Here's a reference link to IMAP4:
http://www.yqcomputer.com/

IMAP4 is for accessing incoming emails and SMTP is for sending outgoing
mails. You will want to encrypt both your access to incoming mails and
your sending off outgoing mails. Your mail clients will need to support
both (Eudora does) and you may want to use a software network sniffer to
make sure your communication (both receiving and sending mails) is
indeed encrypted.

I use http://www.yqcomputer.com/ and I believe it supports both secure
IMAP4 and SMTP. However, I use their secure IMAP4 but send emails with
my local ISP only. (I just tried secure SMTP with mailsnare and it
seemed to work.) Mailsnare.net also supports webmail access via SSL
(make sure you choose secure login; regular logon exposes your
communication). If you're so inclined, you can use my mailsnare
referral code AD6EEA0ANUU0000 .

In your situation, you may consider http://www.yqcomputer.com/ . In addition
to secure IMAP4 and secure SMTP, cotse also provides secure http
proxies. You can have your web accesses hidden from your ISP through
this service. Make sure you use secure login if you use their webmail.
I have not used cotse though.

You may wish to find an IMAP4 provider that allows procmail also. If
they let you install PGP software, you can then encrypt (with your
public key) sensitive emails once they reach your mail account but
before they pass through your local ISP. I am thinking of doing this
(just for fun) but haven't got a chance to research it further.

Despite all these, you are leaving one problem for yourself. You are
telling your local ISP that you are accessing information hidden from
them and they probably think the information could be valuable to them.

I hope this helps.

Eric --
 
 
 

Secure communications?

Post by Bruno Wolf » Wed, 02 Mar 2005 06:26:30

n article < XXXX@XXXXX.COM >, XXXX@XXXXX.COM wrote:

This is a nonsequitor. It seems like you may have construed my request
for your threat model as a dismissal of your concerns.


If you want a 100% chance to be safe, the answer is clear and that you
shouldn't try to do this.


I answered that part. You use a secure connection from your computer to
a computer in a safe haven and have email sent to and from that computer.


The question is are they likely to search your house or computer? Are you
already a recognized threat?


That is one variation on my suggestion.


I hope the name you used on this post is forged. You may have already
provided enough information for officials in your home country to
become interested in you which will make your job harder.

Also, have you considered how you are going to handle money? You mentioned
that you were conducting business and if you are planning to get money
going to you in your country that is likely to raise suspicions there.

From what I have seen in your posts so far, doing this kind of thing
seems unacceptably dangerous for you and you should probably give up
on the idea. The cost of failure is very high and your lack of training
in security is going to make for a signifcant chance of failure. You might
be betting off paying off people whatever is standard in your country
to "legitimize" your business than trying to go around them.
 
 
 

Secure communications?

Post by William Ta » Wed, 02 Mar 2005 07:01:44


Having read the rest of your posts I am no longer convinced that this
would give you the security you desire. Personally I cannot see that I
would wish to place life threatening information on a public server
anywhere. Anyway, here's the scheme:

o find a location (country?) you trust
o find a host/isp you trust that sells IMAP service with an SSL secured
webmail interface
o mail from your contacts is stored on the IMAP server
o you connect (maybe via proxy) using SSL to the webmail interface

Mail is stored on that server and you are in control of what, if anything,
is downloaded and stored on your local machine.

However there are risks:
o Server could be compromised
o mail between the server and your contacts is unencrypted

As I said that risk would be unacceptable to me. It's not just 3rd world
countries that should be wary of their own security services. This may be
of interest: http://www.yqcomputer.com/

If SSL is secure enough for you then here's an alternative plan.
o ditch the entire idea of email
o have your contacts communicate via a web based interface, much like an
'issue ticketing' system.

In any event, good luck.
--
William Tasso
 
 
 

Secure communications?

Post by Berett » Wed, 02 Mar 2005 14:55:05


<snip>

I'd highly recommend purchasing a Unix/Linux/BSD shell account, and then using
PINE via an SSH connection.

Heck, pleny of places give out free shell accounts if they aren't going to be
used for IRC stuff.

you could use PGP-PINE (compatible with GNUPG) if you want even more security.
 
 
 

Secure communications?

Post by Eric M » Wed, 02 Mar 2005 23:01:03

In article < XXXX@XXXXX.COM >, XXXX@XXXXX.COM
says...

Make sure that not only the link between the user PC and the server is
secure, but both the user PC and the server are themselves secure as
well. If your user PC is full of loopholes, they probably can _secure_
their own trojan or key logger to keep a *** of your activities.

Eric --
 
 
 

Secure communications?

Post by Christophe » Thu, 03 Mar 2005 12:42:59

In an attempt to throw the authorities off his trail, William Tasso < XXXX@XXXXX.COM > transmitted:


[much elided]

This approach is likely of _some_ value; it would mean that in order
for someone to obtain information from "ezvasquez's" mail account,
they would have to be able to tamper with servers in foreign
countries, and that that won't be as simple as bribing some local
person that only makes $50/month to whom an extra $20 is a lot.

However, it does not address the other side of the threat model.

If "ezvasquez," who lives in Dangeria, is sending commercial messages
containing dangerously sensitive information to other people that also
live in Dangeria but who don't care to secure their own mail, then
there's an additional unaddressable threat.

The "ezpvasquez" mail might be essentially unassailable based on the
resources available in Dangeria. But if sales (and communications)
are going to "Mr Pink" (who doesn't think crypto is important), then
the Dangerian criminal elements can bribe "Mr Pink"'s ISP to get
copies of what "ezpvasquez" sent him as well as his responses.

Based on this, I don't think there's any good news there for
"ezpvasquez." Communications can only be as secure as the measures
taken by BOTH sides, and if you can't trust the other side, you're
toast.
--
let name="cbbrowne" and tld="gmail.com" in name ^ "@" ^ tld;;
http://www.yqcomputer.com/
Rules of the Evil Overlord #45. "I will make sure I have a clear
understanding of who is responsible for what in my organization. For
example, if my general screws up I will not draw my weapon, point it
at him, say "And here is the price for failure," then suddenly turn
and kill some random underling." < http://www.yqcomputer.com/ ;
 
 
 

Secure communications?

Post by vedaa » Sat, 05 Mar 2005 00:39:11

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



able
I'm
Tell me
while
country?

from what you describe,

the only reasonable solution would be to have someone that 'you'
trust,
in a 'free' country abroad, act as your middle-person between you and
your contacts

[1] this person would communicate with you only in secure encrypted
communication with pgp

(btw, i would recommend gnupg instead, and use the throw-keyid
options,
and using hushmail as your mailer

(hushmail hides the origins in the headers and footers,
and allows for anonymous signup,

the throw-keyid option hides the keyid in the pgp message, so that if
the message is intercepted, it cannot be proven who it was encrypted
to,
without trying the 'real' key and passphrase,
so if the passphrase is suddenly 'forgotten', (and was a 'secure' one
to begin with, then there is no known way to link that pgp message to
its intended decrypting key )

[2] your chosen middle person, handles all the transaction with the
client
using ordinary acceptable business communication standards


now for the 'hard' part: 'finding' such a person

a reasonable place to start, might be to contact some of the
international human rights organizations,
explain your situation,
and ask for someone whom they trust as
'aware of the real dangers in the countries you describe, and deeply
committed to protecting the innocent against such human rights
abuses,
and who would also be interested in going into a business arrangement
with you.


good luck,

vedaal


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32) - WinPT 0.9.50
Comment: Acts of Kindness better the World, and protect the Soul

iQIVAwUBQicu3lqiDIZqWJqXAQhhnRAAtK21n2y70GplAuVT6NtRF6Pa1ixda0mz
hckZMAL/ZGCgbExY3MLzc/BzJmVXivxvC20m0UADth0FU6EZIzCl8jg1JqCrbU0u
pC/mJALr3xLGIuYXmD7jPfe6nouv+n1rOsXMeHVnMyvSdwjkutFqzR+epNCYNObR
TQWMDrB6qdnC4dlEkErMsb9379LbW/Vgfq9o5bkylsVA1qrsNTITO4Teq8RMYm5Y
kMJneTwgqyVdT8yLc5BxG0zA/GnXoGZn9zvdsw/vTdlTl9fBOJB7lY1pNOkU4FAV
IXpIQLBztfQvbZlOjfOLJ3ZYg+BEFZFDxd4ZmziA7rQg+oNjR2v3srDcEDnMFeRl
NQaq7sa7BSCZQi3xrqEDCOe1EJbHVQTBb0P4D2zXLdxQTq8k0XHm3SJO9d4kj8CE
tLMbRDCfb2RAPW9CJWpqDSTdi08mNQ4IpJ/NBLWRTuCLGtyIWnPemZblxMybzQI7
38p7WjHLyCa3dsel73YLer3fA6yQFFP6AxjCzY3putze/Qhs3goc8/1NbVAtoe2t
lCRBhIYjy1wcg2JBDSAvNblwlujez2cAvuSbZ0Ren2wkYJlpH7Ws15O3KzXuEXtv
rEXuNr7CC1KCQ59XrfieNWRYPD1BBfSDu5dG7QT/8FZX1bz0Xc3jSXmIlqm6MMLw
rwnr2x+SPPg=
=OWBy
-----END PGP SIGNATURE-----
 
 
 

Secure communications?

Post by John Wunde » Sun, 06 Mar 2005 05:40:29

"vedaal" < XXXX@XXXXX.COM > wrote in


[...]

Is it just me or is vedaal's signature not verifying?

-- John
 
 
 

Secure communications?

Post by Tom McCun » Sun, 06 Mar 2005 08:03:53

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Wunderlich < XXXX@XXXXX.COM > wrote in



It's bad here too - looks like there has been some wrapping.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: My PGP Page & FAQ: http://www.yqcomputer.com/

iQEVAwUBQijpWGDeI9apM77TAQIdtgf9FclbAl6khfVB2B/GklbUvTzzwe0L//5q
pEzx0xGaE9qFStfsIojABrrXEMEPRA8DKYI9tXtOCNPR6XglujJI6CRfvur+QyhX
JW9DNw+NI2dv7fWoVU2/0m0B3JIowDeF0wQjgyw1CMXdHkI1GXe//jWrG2JFSPz4
IkJKbdJWUaSIRD3+6Z0x4zMaRdjtclcG3TOL22bUUCt43xz69lT9xjsCSVAEcA7/
U+8tPw8zp3Jt411aa25+O21BSQ09nIso6cOAmUlKPSl/VOEJZJuTxYG+jf0tqKQZ
0QzklQ61GxwrzDiGhOiw9lVDQoA+LXVbYxwblqjN049P27nTAXe1fA==
=azL0
-----END PGP SIGNATURE-----