It’s Always Sunny in Reykjavik or How I NSA-Proofed My Email (2013) (27months.com)
95 points by charlieegan3 on Dec 21, 2015 | hide | past | favorite | 51 comments


Hi, Iceland checking in here. While we appreciate you hosting here, we're by no means any safer than other countries now. First I'll note that this posting is from 2013, so quite a bit has changed here since that time. IMMI (immi.is) is still being hashed out in parliaments and making slow progress. Meanwhile we've had some particularly ridiculous public spectacles regarding people hosting data here in Iceland thinking it was safe. Here are a few:

Silk Road Iceland http://www.wired.com/2014/09/the-fbi-finally-says-how-it-leg...

ISIS domain name take down http://english.alarabiya.net/en/media/digital/2014/10/18/In-...

Iceland ISPs block TPB http://grapevine.is/news/2015/09/16/icelandic-isps-will-bloc...

Iceland BGP route attack http://www.internetsociety.org/deploy360/blog/2014/02/bgp-hi...

Remember that Ashley Madison hack? Our prime minister had credentials on it! http://icelandmag.visir.is/article/icelandic-minister-financ...

Iceland seeks to ban porn http://www.theguardian.com/world/2013/feb/25/iceland-seeks-i...

I won't even get into our limited internet connectivity and resulting high IP transit rates. I'm not saying don't host here in Iceland, but do some research first.


Also from Iceland; can confirm that the Icelandic govt. has taken a 180 on online civil liberties and privacy since the early days of the IMMI, which also never really made it into law.


Well, it goes both ways with that one. The PPI (full disclosure here, I'm one of the founders) is keeping them under constant scrutiny, which is good, imho. IMMI status is a mixed bag; the parliamentary committee is still convened, however. As of today's date 5 out of 13 law proposals have succeeded. Like all law proposals it takes time and political will.


Thanks for the links. So, what's the word on how much they protect something that's not a crime in Iceland, not proven to be criminal in general (e.g. a crypto app site), and demanded highly by the FBI?


Same as any other country I would imagine. If anything we benefit a little further here, since we're so small (pop. 320,000 in total) we tend not to have enough people to do a thorough job of much. Everyone tends to wear several hats. You should be fine, just take necessary technical precautions too, like FDE.


I think the author is extremely misguided.

1) Iceland is not a safe harbor from the NSA. Iceland is fully within the U.S. orbit. Iceland actually does not maintain a standing army and its defense is the responsibility of the U.S. In addition, banking is a significant portion of Iceland's economy, and thus vulnerable to the U.S. cutting off access to SWIFT. Basically, if the U.S. really wants something from Iceland, it will be able to get it.

2) By making the front page of HN, the author is sure to have been noticed by somebody at the NSA. Because the NSA has pretty broad authorizations for intercepting and decrypting foreign messages (that is actually why they exist), there is a very good chance that they are probably reading the author's email right now. If the email server had been in the U.S., there would have been at least some political/legal considerations about reading the email. By being in Iceland, there are none, and I am sure the author's email presented a very easy challenge (and probably is the butt of an inside joke about how this naive person thought their setup was NSA-proof).


> Iceland is not a safe harbor from the NSA

A lot of crypto nerds have this fantasy of "NSA-proofing" themselves or their information.

That's near impossible. If the NSA cares enough about someone specifically to use, say, tools from the TAO catalog, they will be able to find out what they want to know. (See http://www.spiegel.de/international/world/a-941262.html ). The FBI also has powerful targeted surveillance tools.

Targeted surveillance is often legitimate, anyway. Authorities have suspicion that someone is, say, planning an attack or running a cartel, or someone is a suspect in a murder case. It's good that powerful tools exist to find the truth.

I think the right goal is to stop mass surveillance. Mass surveillance is the continuous monitoring of whole populations at a time. Mass surveillance is illegitimate and a threat to liberal democracy.

That leads to a totally different approach. Moving your own personal email server to Iceland does nothing at all to prevent mass surveillance (and honestly doesn't protect you from targeted surveillance either, as others have pointed out).

To roll back mass surveillance, both in the US and around the world, we need tools that are clean and simple and easy to use, even for people who have never heard of a "key" or a "cipher" and don't care what those are. We need to make things like end-to-end encryption, forward secrecy, and metadata security available by default.

Signal and WhatsApp are the biggest success stories so far. Moxie is the boss.


How do you prevent mail that you send from going to recipients whose mail is not hosted in your magical Icelandic data bunker?

End of the day, all of this stuff is nonsense. The only thing standing between your stuff and unauthorized access is your contract and the actions of the third party running the datacenter. The only way you can exert any meaningful control over your data is to host it yourself... as in have computers and storage that hold your stuff running in your home.

Even then, making a statement like "I NSA-Proofed my email" is either self-delusional or clueless.


Then you have to make sure all your hardware wasn't Carly Fiorina'd through an NSA shipment interception.


The idea that putting your server in Iceland somehow makes it NSA-proof seems questionable. If anything, Google's servers in the US are likely better protected both legally and by Google's resources.

The FBI had little trouble getting access to Robert Ulbricht's servers, with the help of the Reykjavik Metropolitan Police.


> The FBI had little trouble getting access to Robert Ulbricht's servers, with the help of the Reykjavik Metropolitan Police.

Notably in that case, the Icelandic police did not even seek a court order, as they didn't need to since the server was owned by a US citizen. They just got a letter from the US police and decided to perform a raid. So you're absolutely right.

I'd question the technical competency of anyone who would claim to have "NSA-proofed" anything without expounding further on the threat model.


> Notably in that case, the Icelandic police did not even seek a court order, as they didn't need to since the server was owned by a US citizen.

And the trial judge didn't allow Ulbricht's challenge to suppress that evidence[1] on fourth amendment grounds, as Ulbricht didn't claim or demonstrate ownership of the server[2].

Which is a shame, as it would have been an interesting case and could have changed a lot of that trial.

[1] and everything that followed per fruit of poisonous tree - which was most of the case

[2] http://www.wired.com/2014/10/silk-road-judge-technicality/


Europe is a safer place than Iceland to host data and it will be interesting to watch how the "Microsoft" case plays out in the Irish courts over the coming months.


Safer for whom, and from whom?

If your adversary is the NSA, you need to determine how interested they are in you. If you're on the shortlist, I doubt any national borders or legal frameworks will protect you - TAO doesn't respect them.

If it's law enforcement like in the Ulbricht case, some countries may have stricter requirements for a local search warrant to be issued. But I doubt you can make such a sweeping generalisation about "Europe".


"Server software and all packages are open source."

From what source and how were they validated, both from a secure checksum perspective and code audit? Was a full application pen-test done on each package after installation and configuration? Additionally, what controls are running server-side to audit memory execution and modifications on disk? Is Tripwire being used as an example? How about Wireshark? Is it being used to monitor all traffic from the host NICs with alerts sent out if it spots any non-encrypted traffic or traffic to IP addresses not explicitly white-listed? How about ongoing monitoring for zero-days for each of the packages used?

Nothing I read in the article leads me to believe there is any NSA-proofing here whatsoever. Making something secure isn't about finding a "secure" data center and hosting a solution yourself. In fact, self-hosted solutions can be some of the toughest to secure because you must have a broad and deep knowledge of security as it relates to the entire environment and then keep up with package changes in a way which results in auditing each and every future change. Honestly, no one has time for that and even if secure at point x in time, it won't be at point y, say when a Heartbleed-level vuln is announced for a package used while the author is on vacation and can't reach his servers to appropriately mitigate.


SMTP authentication is broken. Don't rely on it for confidentiality. There is no cert-pinning RFC for STARTTLS afaik, so stripping attacks on STARTTLS are still possible. And, by far the most important: most of the world uses a large e-mail provider. So, if you send a mail to someone using Gmail/Yahoo Mail/Outlook, your "confidential" data is leaked. And don't forget metadata leakage. Metadata is by far more interesting for the NSA than the content of your mails.

I use Gmail + GPG (almost nobody uses GPG) in Thunderbird. When I truly need confidentiality over internet communication, I use Signal.

SMTP is just plain broken in a sense of security.
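The fail-closed client behaviour the comment above implies, as an added example that is not from the original post, the linked article or any project named here: a missing STARTTLS in the EHLO reply is treated as an error instead of silently falling back to plaintext, and the server certificate is compared against a SHA-256 pin distributed out of band, a do-it-yourself stand-in for the pinning standard the commenter says is absent. The hostnames, EHLO transcripts and pin value are constructed; `connect_fail_closed` is a hypothetical wrapper around the standard-library `smtplib`.

```python
import hashlib
import hmac
import re
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
# A compliant server advertises STARTTLS; a path with an active
# interceptor stripping the extension yields the second form.
EHLO_WITH_STARTTLS = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_STRIPPED = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 52428800\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(response: bytes) -> set:
    """Return the upper-cased extension keywords of a multi-line EHLO reply.

    The first 250 line is the server greeting; each following
    '250-' / '250 ' line carries one extension keyword plus parameters.
    """
    lines = response.decode("ascii", errors="replace").splitlines()
    exts = set()
    for line in lines[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def starttls_offered(response: bytes) -> bool:
    """True only if the server explicitly advertised STARTTLS."""
    return "STARTTLS" in parse_ehlo(response)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cert_pin_matches(cert_der: bytes, expected_sha256_hex: str) -> bool:
    """Compare the hash of the presented DER certificate with the pin the
    operator handed out by another channel (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(cert_der), expected_sha256_hex.lower())


def connect_fail_closed(host: str, port: int, pinned_cert_sha256: str) -> smtplib.SMTP:
    """Open an SMTP session that refuses to continue without verified TLS.

    The usual 'if has_extn("starttls"): starttls()' pattern quietly sends
    plaintext when the extension is missing; this aborts instead, then
    checks the certificate against the out-of-band pin as well as the
    normal chain and hostname validation done by the default context.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    server = smtplib.SMTP(host, port, timeout=15)
    code, _ = server.ehlo()
    if code != 250 or not server.has_extn("starttls"):
        server.close()
        raise RuntimeError("STARTTLS not advertised; refusing plaintext fallback")
    server.starttls(context=ctx)
    server.ehlo()  # capabilities must be re-read after the TLS upgrade
    der = server.sock.getpeercert(binary_form=True)
    if not cert_pin_matches(der, pinned_cert_sha256):
        server.close()
        raise RuntimeError("server certificate does not match the pinned hash")
    return server
```

The pure parsing and pin functions run offline; `connect_fail_closed` needs a live submission server and a pin you recorded yourself from its certificate.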


No, e-mail was not originally designed for you to host it yourself. E-mail was designed for a system operator to maintain a server for many other users.

Aside from the many maintenance problems of hosting e-mail yourself, the biggest problem here is the distance: Iceland is far away from the user in the USA. Latency doesn't matter so much for e-mail, but connectivity does, and if there's a problem with a transatlantic link (which does happen on occasion) there goes your most important communications medium.

Finally, the biggest fallacy with e-mail is that it is ever secure. It's never secure. The mail on your client devices is unencrypted, and if you ever reply, forward, or send an e-mail to anyone it's very likely for the whole thread to go over an unencrypted relay and be stored temporarily, not to mention the logs, and the unencrypted storage on the destination, etc.

Your physical mail isn't secure in the postal service, and neither is your virtual mail in the e-mail service.


In marketing speak "NSA proof" is the new post-Snowden[1] "military grade encryption"

Email is hard to secure and identified personal accounts are difficult to keep private.

The "better" answer is to do what those on Wall St figured out after various scandals and Sarbanes-Oxley - if you want something to remain private keep it off email.

[1] Sorry.


While "NSA proof" might be marketing speak, there are new innovative solutions that make it easier to secure email data and harder for entities such as the NSA and others to hack into the email.

One such end-to-end email encryption solution can be found at www.jumble.io

The "better" answer of not putting sensitive information into email is true for all industries, however, more companies are installing end-to-end email encryption solutions to comply with SOX and mitigate risk in the event of a breach.


>Email is hard to secure

Email is trivial to secure. Just need to be able to exchange OOB one RSA key.

But being able to securely communicate with "[email protected]" doesn't give you much when LEO knows that you are communicating with each other.

Nowadays you need security, anonymity and usability, which often have contradicting requirements.


We're talking past the difference in email, the protocol, that can be secured - and email, the worldwide communication network, that is largely insecure[1] [2]

[1] https://www.nicta.com.au/pub-download/full/8943/

[2] https://www.google.com/transparencyreport/userdatarequests/?...


Seems like a pretty superficial take on the topic. In particular:

- No mention of reputation, the hardest part of self-hosting email

- Advises using StartSSL, so he hasn't purged his trust store of root CAs under the NSA's control (given Stuxnet and the relationship between the US and Israel, Israel isn't a country that's free from NSA influence)


> ... on vastly more secure servers with every connection under SSL/TLS for end-to-end encryption.

I wish people would stop using the term "end-to-end encryption" to simply mean using encrypted channels. It really does confuse people who have heard that end-to-end is great, but don't actually understand/appreciate the differences between the two.


The NSA used to certify systems as highly assured by exhaustively analyzing and pentesting them for years. Had to beat their pentesters to be approved. Then, they'd try to restrict their export. It was a whole system process that applied from bottom to top to minimize complexity, reduce leaks, and enforce security policies. Here's a description of a superset of that I used in private work:

http://pastebin.com/y3PufJ0V

So, let's just compare the author's email to that list. A strong TCB at OS/firmware/trusted-component level like with EROS, INTEGRITY-178B, or GenodeOS? Nope. Components or apps made in a manner to reduce complexity, be type/memory safe, use static analysis, analyzed for covert channels, and so on? Probably not given names I saw. Do the underlying projects use a subversion-resistant development process and SCM security that assumes a number of them are malicious w/ independent auditing? Virtually nobody does that despite Myers (1980) showing subversion the most powerful attack. Has the crypto and its implementation been tested by experts in that? Don't know. Has the overall system and configuration been pentested by TAO-grade hackers? No.

So, it's far from NSA-proof, as the underlying properties necessary for NSA-proof operation don't exist here. They exist only in a handful of defense-oriented products, with some traits existing in other security-focused projects (esp. in academia). This, at best, will slow down nation-state attackers who are probably uninterested in his system anyway. A good configuration and 0-day mitigation tech might make this build survive typical blackhats and snoops. A real threat profile along with a more reasonable goal.

Won't stop the NSA, though. You can put money on that. Assume it's true every time you hear it, too. You can't stop nation-state attackers until you know how (see framework) then apply that to every level and user/machine interfaces. Even then, it might work and might just be an obstacle. So, include monitoring & logging on top of it.


A former coworker of mine has made a lot of contributions to a project called sovereign: https://github.com/sovereign/sovereign

> "Sovereign is a set of Ansible playbooks that you can use to build and maintain your own personal cloud based entirely on open source software, so you’re in control."

It makes use of all the techniques described in the article for e-mail, including dovecot/postfix, DKIM, encfs.

I decided to give it a try a few weeks ago. I went and bought a $10/month linode instance and a domain name. By the end of the day I could send and receive e-mail. letsencrypt was a big help here, because it allowed me to get TLS for free.

I always assumed that hosting your own e-mail was virtually impossible but my friend has been hosting his personal e-mail and the e-mail for his company for around two years now, with linode and sovereign. He says that the server requires maintenance about once every six months.

This doesn't really protect you from the three-letter orgs, as other commenters here have mentioned. But it does put you in control of your own data, and prevents analytics of your own inbox by corporations like google.


I'm really surprised this could be NSA-Proofed without the use of true end-to-end encryption tech. There is no mention of PGP for instance.

Using PGP (with a locally stored private key) is one of the best options I'm aware of to secure emails and continue to use email cloud clients like Gmail or Yahoo.

The only caveat is that you lose search, which is one of the requirements in the article.


I have doubts about PGP but GPG is a great choice. One of the best, given it's specifically mentioned in the Snowden leaks as a problem for the NSA. Only a few tech like that, which didn't include the PGP/GPG alternatives everyone was crowing about. Apparently they weren't much of a problem for the NSA. ;)


On the other hand,

> Google has most of my email because it has all of yours

https://news.ycombinator.com/item?id=7731022

https://news.ycombinator.com/item?id=10229928


My biggest gripe is not the server (I run my own), it's the client(s). Currently I use Trojita on the desktop and K-9 on my mobile. I never managed to get PGP to play with Trojita, so for signing/encrypting/decrypting I have Claws installed as well. Trojita often randomly hangs and needs to be killed. K-9 is functional, but is to mail what Gimp is to painting..

Mailpile (I'm a backer) might be interesting, but is still unstable and the future isn't certain for happy reasons (i.e. 'paternity leave'). Stumbled upon Whiteout from the references in the mailpile blog, only to learn that the company behind that effort is dead. No clue if or how this project will continue.

I regularly see (new) mail clients mocked as 'unnecessary', but I'm still waiting for a decent one. Mail as a medium works incredibly well for me, but it feels unpolished to use wherever I am.


I'm curious: have you ever used a text/curses based email client? It's amazingly fast and you can forget all about browser security since you do it over SSH. It's an extremely efficient workflow (albeit with some hacks required to get modern functionality).

I switched to pine in ... 1993 ? I've never used anything else (except for brief stints of corporate email account and consulting, many years ago).

You'll note that in the "screenshots from famous developers"[1] that Brian Kernighan (Unix legend, the K in K&R and AWK) is using alpine in his 2015 screenshot...

[1] https://anders.unix.se/2015/12/10/screenshots-from-developer...


Yes. I was using (al)pine for a while. It's bearable, okay even.

But I guess I don't see how you could turn that into a 'mobile' client. For the time I used pine I was ssh-ing into a box of mine for most of the day, while I was in front of a computer. I didn't care much about mail notifications on the go.

Now I do. If there's some (reliable! I don't care about the initial one-off effort) way to make that work with emails on the go, I'd be glad to learn about that.


> But I guess I don't see how you could turn that into a 'mobile' client

Solution to this is to remember what the purpose of email actually is. It's supposed to be asynchronous communication, with the expectation that it may be checked, at most, 1-3 times daily. If you need communication immediately and in any location, instant messaging covers that use case much better.


We have to disagree about the purpose here.

For me mail is for async, coherent exchanges. IM is not a replacement: It is usually a conversation, usually short and short-lived and synchronous.

Async doesn't have to imply that I don't get a notification about your mail. It just means that I probably won't answer right away - or at least on my time.

Anyway: Mail plus ~instant~ notification is a thing for me and I don't want to give that up.


Founders are good friends of mine here, rest assured the one on paternity leave will keep going with it once again. I have no doubt in my mind, he cares passionately about providing this service and software to the community.


In his "overview of features" he is missing one very interesting and valuable security gain when you host your own mail server:

- local mail delivery does not traverse any network

So if you are user A on a mailserver and your wife/friend/uncle is user B, when you send mail to them that mail is simply a local copy operation (provided they don't POP or IMAP it to a local mailtool).

That's pretty interesting, I think.

It may interest you to know that no piece of rsync.net company email has ever traversed a network - everyone logs in via SSH and uses (al)pine and all internal mail is just local copy ...


Well, it's going over SSH, which uses networking. If you're viewing the email on a networked terminal connection, it's still traversing a network as it displays it in pine and that data gets sent over SSH. I don't see why using SSH suddenly makes you immune to these concerns. This is no different than using a rich webmail client over SSL.


Maybe SSH has better cryptographic properties (say, around forward secrecy and key management) than the common options for delivering e-mail remotely over the network. (You could choose the key types and key lengths yourself and choose how authentication keys are stored and when they need to be changed, and you don't have to rely on an external naming or CA mechanism if you distribute fingerprints and authentication keys directly to the users.)


This is a post from 2013, any pointer as to how this could be improved in this post-CISA world? The part about the location seems to still be relevant.

As for spooky23, while most of your email recipients might be NSA-accessible, maybe not _all_ of them are. If you manage to keep your email account confidential, then peeping toms only have a partial view of your social graph (the part that is in your compromised correspondent's inbox).


Most of the article is about his host in Iceland. That can't be working out very well for him these days:

https://www.greenqloud.com/greenqlouds-public-cloud-services...

Thor is no more


Greenqloud as a VPS provider is no more. Thor data centre, run by Advania, is still alive and well here. We also have a few more VPS providers like Orange, 1984, Icehost and Datacell.


Maybe you would like to fix your crypto a bit too? https://starttls.info/check/27months.com


So, your link led me down a rabbit hole to improve my score on a random site, until I came here [1] and read the Postfix opinion on starttls.info.

For anyone else trying to 'fix' unbroken things: Hold off for a minute, read the link here first.

1: http://postfix.1071664.n5.nabble.com/Disabling-Anonymous-Dif...


No advantage hosting in Iceland. Why not just encrypt all data on the VPS? If the VPS provider was required to provide a copy of the VPS, it would be useless to the requestor.


Encrypting data on a VPS, for example using LUKS encrypted volumes, does not provide any meaningful security if the host can take a memory dump of the running machine.


And just to clarify: taking a memory dump of a virtual machine is trivial. Just click on the 'snapshot' button.

On a physical machine, you have to plug in a dumping device into a DMA-capable port, cool down the RAM and move it to another machine as fast as possible, or reset the machine and boot it from another medium (hoping the BIOS didn't override anything useful). In many jurisdictions you also have better protections in regards to required warrants and such for your own hardware.


Excellent point. I highly doubt a VPS provider would volunteer a memory dump of a VM when presented with a search warrant for a copy of the VM. Most providers would likely just copy the VM files and call it a day.


Why isn't Switzerland on that list of "safe countries" ?


Ever since .ch violated their own bank secrecy laws to make Uncle Sam happy, they are the same as everyone else in their insatiable quest to please their American masters.


I feel like this title is kind of like waving a red flag in front of a bull.


You can do so with impunity, as a flea.


Adorable.
