I said it once I'll say it again "No mail is safe Period" It does not matter what you use, it is or can be monitored by LE. The servers can even be in a diffrent country.
With all due respect, I have to disagree. LE's ability to monitor email is quite limited, if proper precautions are taken.
The reason that LE was/is able to monitor Hushmail/Safe-Mail is due to two factors:
1) Both of these services violate one of the fundamental tenets of public key cryptography, that is, the strict separation of public and private halves of the keypair. The user should generate their own encryption keys, and under NO circumstances should the private half EVER leave their custody or control.
2) They kept records of the IP addresses of those who used their systems.
Frankly, both Hushmail/Safe-Mail not to mention other services of that ilk positively rely count on the ignorance of their users, as well as their users' preference for convenience over security. _Any_ service that generates/stores both halves of the encryption keys should be avoided like the proverbial
plague.
Any mail sent SMTP is just that, Simple Mail Transfer Protocal. Even if it is encrypted it is very easly un-encrypted with simple tools.
Easily unencrypted with simple tools??!! With all due respect, Sir, this is errant nonsense. If what you have stated were correct, then the U.S. Secret Service would not have had to construct a massive password-cracking network. You can read about their efforts at the following URL:
http://www.washingtonpost.com/ac2/wp-dyn/A6098-2005Mar28?language=printer
Essentially what the Secret Service's Distributed Network Attack (DNA) system does is to compile dictionaries of terms gleaned from web site bookmark found on a user's machine. These dictionaries are used to attempt to decrypt the information the authorities wish to decrypt.
Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords.
In each case in which DNA is used, the Secret Service has plenty of "plaintext" or unencrypted data resident on the suspect's computer hard drive that can provide important clues to that person's password. When that data is fed into DNA, the system can create lists of words and phrases specific to the individual who owned the computer, lists that are used to try to crack the suspect's password. DNA can glean word lists from documents and e-mails on the suspect's PC, and can scour the suspect's Web browser cache and extract words from Web sites that the individual may have frequented.
"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.
What the Secret Service, the FBI and virtually every other law enforcement agency counts on is that users are lazy and are unwilling to choose proper passwords/passphrases. Such attempts can be trivially defeated, using the right methods. One such method of choosing provably secure passphrases is Diceware.
If you read the above quoted Washington Post article, you can see that they claim that the Secret Service DNA network is capable of carrying out about a million cracking attempts per second, where the workload is spread over some 4,000 computers. They hoped to expand the system to 10,000 computers agency-wide, and eventually to the 100,000 computers in the Homeland Security network. For the purpose of the calculations shown below, I have assumed that the default capability of the DNA network is about 100,000 times that stated in the article.
In a nutshell, Diceware has two components: a 7,776 word list, and 5 dice.
To choose a passphrase, a user rolls the dice, and records the results, then looks-up the word related to the dice-rolls on the wordlist.
Example:
45654 plea
66151 666
34141 insect
16563 cilia
32232 haag
56414 tally
55154 spat
So, as you can see, we have seven words in our passphrase. Now the question remains, just how strong is it?
The total search space is 7776^7 = 1.71907079975e+27 combinations in total.
Assuming that the Secret Service's DNA network can process 100 billion passphrase attempts per second (or 100x10^9) this works out to:
1.71907079975x10^27 passwords / 100x10^9 passwords/second = 1.71907079975x10^16 seconds
1.71907079975e+16 seconds / 86,400 seconds/day = 198,966,527,749 days = 544,740,664 years.
It is a general rule of thumb that keys are found are searching approximately one-half of the total keyspace. That means that the time required to determine the key is now reduced to only a quarter of a billion years, instead of half-a-billion.
Even assuming that the DNA network (or any other similar network for that matter) were capable of carrying out operations 10,000 times faster, or 1,000 trillion (i.e. 10^18) attempts/second, this would still require 54,474 years to exhaustively search the entire space, or 27,237 years to go through half the space.
See:
http://www.diceware.com for details.
So, as you can see, brute-forcing a properly-chosen Diceware passphrase is simply NOT feasible, regardless of the resources thrown at the problem.
If one pays attention to court (and other) records, you can see just how much a problem cryptography is posing for law enforcement. One such case was that of Sebastien Boucher. Mr. Boucher was crossing the border from Canada into the U.S. at Derby Line, Vermont. A Customs and Border Patrol agent noticed a laptop in the vehicle Boucher was travelling in. Upon inspection, the agent allegedly observed numerous images of child pornography. Mr. Boucher was arrested, and his computer seized. Some time later, another CBP agent fired-up Mr. Boucher's laptop, and found to his dismay that the drive containing the alleged child pornography was encrypted with PGP Whole Disk Encryption. Mr. Boucher refused to give the agent the passphrase to decrypt the encrypted drive partition.
The reason all this came to light was that Boucher claimed that to give over the passphrase would constitute self-incrimination under the 5th Amendment. The U.S. government attempted to crack Mr. Boucher's encrypted partition for the better of part of two years, without success.
Furthermore, within the last few months, the LulzSec faction of Anonymous released the archived mailbox contents of an IACIS member, including the archived contents of the IACIS mailing list. IACIS is the International Association of Computer Investigative Specialists.
Most of the members of IACIS are sworn police officers responsible for computer forensic investigations. On this list, many members poured out their frustration at encountering encrypted data they were unable to access. Many of them advised their colleagues that if a suspect chose a good enough password, that cracking open encrypted files was simply not feasible.
Currently, the only known attack against systems like PGP (Pretty Good Privacy) is brute-force.
I myself have (being the work I do) got copies of mail as it moves from system to system you just have to have the right tool.
Indeed. That is why Phil Zimmermann, author of PGP, has been saying since the early 1990s that unencrypted email is like sending all your mail on postcards.
You are never safe with any mail system. People think they are safe with using the internet but if people only knew how much is monitored you would fall over.
Email can be used safely, but it takes knowledge of how to do so, as well as the discipline to use these methods consistently.
As far as being surveilled goes, you're absolutely correct. While one can take steps to avoid surveillance, it would be difficult, if not impossible to escape it entirely.
Mirrorshades
..... :wtf:
