National Security

Story: FU Yahoo!
Total Replies: 8
dotmatrix

Oct 06, 2016
10:20 AM EDT
I understand the anger and frustration at Yahoo. However, there are a few things to keep in mind...

  1. These government requests are issued through secret court order.
  2. The companies that receive these requests are under a gag order to not tell the public.
  3. Any company that receives a similar request will follow through on the request because if they do not, some high level company officer will probably end up in prison.
  4. All US companies are actually extensions of government power. And are required to abide by the law or lose the ability to do business.
  5. So, any statement from any US company that goes something like, "If we received such a request, we would not comply" is not trustworthy and might even be a blatant lie... since that company may be complying with such an order at the moment the statement is made.
So, the anger at Yahoo for compliance with a government request for what amounts to wiretapping... is rather misplaced. I am much more outraged at Yahoo for the late disclosure of compromised databases. The compromised database itself is understandable. However, Yahoo has full control over the public disclosure of such attacks. It was not under any government order to remain quiet. It had every obligation to its customers to inform them of the problem, and failed to do so.

I've written something like the following before:

On the government ordered data collection, it's important to view all companies as potential government agents. If you use an email service provided by a US company, you should treat that email service as already compromised and watched and recorded by the US government. And, it's through no fault of the company.
penguinist

Oct 06, 2016
10:27 AM EDT
... and the same comments could be made for cloud services in general.

Any data you store on "the cloud" is available to a secret government request, and most likely you will never know it. That goes for personal data and for company data as well. Your (unencrypted) cloud data is fully exposed to prying eyes, not just your Yahoo email.
gary_newell

Oct 06, 2016
11:26 AM EDT
People still use Yahoo? What for?
skelband

Oct 06, 2016
12:01 PM EDT
My understanding from the news that I have read is that this operation was a fishing operation through all emails.

Wasn't it ruled unconstitutional for the US government to blanket trawl emails of Americans ages ago and therefore any "secret orders" are de facto unenforceable?

I still use Yahoo for my email, for legacy reasons, but I've reactivated my Proton Mail account and am trialling that at the moment. The only downer for me as yet is that they don't have an option for offline viewing through something like Thunderbird, although they do promise that they are working on it.
seatex

Oct 06, 2016
1:21 PM EDT
People need to direct their anger at our out-of-control police-state government. Yahoo was the victim here, but I left them many years ago because their email security is lousy.
penguinist

Oct 06, 2016
1:31 PM EDT
I don't understand why people are so enamored by cloud email services.

sendmail and postfix are both not difficult to set up, and then YOU are in control.
dotmatrix

Oct 06, 2016
1:51 PM EDT
>sendmail and postfix are both not difficult to set up, and then YOU are in control.

I agree and I disagree.

I've set up postfix with courier as my imap service. It was easy to set up. However, it was not easy to secure. Email security seems to be misunderstood by most experts, let alone most non-experts. It took a long while before I understood the ins and outs of email security, and I'm sure I've just brushed the surface.

However, once everything is in place and working well, the control is truly wonderful. I will never go back to using a 'regular' email service. It just seems insane to use anything other than my own server. Many of my technical friends (including CISOs) think I'm insane for running my own email. They continually complain about how my solution doesn't 'scale', and I simply reply that my scale is 1.0.

The entire setup is also not free, as in it costs cash upfront rather than being paid in Personally Identifiable Information (PII).

However, I still have a Yahoo email account... because I have family who post 'news' items to a 'groups' list. So, even though I run my own services, I am still directly affected by the 'big guys'.

***

So... my proposal for the 'best' email practices would be to gather together several 'users' of friends and family. Each 'user' contributes a small portion of the monthly Internet access fees (either a business static IP line with an in-house server or a rented server). Then one of the group becomes the technical person who runs the server and updates it, etc...

However, there was an apropos post by someone somewhere regarding running your own email vs. the data collecting warehouses of Google, Yahoo, Hotmail...

Something like this:

https://mako.cc/copyrighteous/google-has-most-of-my-email-because-it-has-all-of-yours
jdixon

Oct 06, 2016
1:53 PM EDT
> Wasn't it ruled unconstitutional for the US government to blanket trawl emails of Americans ages ago and therefore any "secret orders" are de facto unenforceable?

How long has it been since our government cared about what's constitutional and what isn't? I'd say at least 25 years.

> sendmail and postfix are both not difficult to set up, and then YOU are in control.

And Squirrelmail isn't hard either if you have to have webmail.
dotmatrix

Oct 06, 2016
2:31 PM EDT
On Email Security:

I used to make drawings of what I was doing while learning how to run my own email server.

Here's a fun one:



In order to operate with TLS running throughout, you need two separate certificates. Both of these can be self-signed. I suppose they can be the same cert, but then you should be careful because compromise of the non-critical SMTP cert will compromise your email account login credentials.

If you don't have the SMTP cert installed and configured as 'may' along with opening the submission port (587)... gmail receivers will get a warning and a red 'open' lock. It's actually quite funny. The TLS on the server to server side is unauthenticated. This means there is no protection against MITM... which also means that the server to server TLS protection is essentially meaningless. The only protection you get is if someone is listening on the wire. However, a targeted attack on your traffic is not prevented. And for that very minor lack of protection, Google presents a 'scary' warning to its gmail users.
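
An added example, not part of the post above and not Postfix's own tooling: a small Python audit of the layout the post describes, with opportunistic TLS (`may`) on port 25 and a separate certificate in front of the login-facing submission port (587). The sample `main.cf` and `master.cf` text and every file path are constructed, and applying the second certificate to the submission service through `-o` overrides is an assumption about how such a setup would be wired.

```python
import re

# Constructed sample files for illustration; every path is a placeholder.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/example/mx.pem
smtpd_tls_key_file = /etc/ssl/example/mx.key
"""
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_cert_file=/etc/ssl/example/login.pem
  -o smtpd_tls_key_file=/etc/ssl/example/login.key
"""

def _lines(text):  # skip blank lines and '#' comment lines
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def parse_main(text):
    """main.cf 'name = value' lines as a dict (continuation lines are not joined)."""
    pairs = (l.split("=", 1) for l in _lines(text) if "=" in l and not l[0].isspace())
    return {k.strip(): v.strip() for k, v in pairs}

def parse_master(text):
    """master.cf as {service: {param: value}}; reads only '-o name=value' overrides."""
    services, current = {}, None
    for line in _lines(text):
        if not line[0].isspace():          # unindented line starts a new service
            current = services.setdefault(line.split()[0], {})
        if current is not None:
            current.update(re.findall(r"-o\s+(\w+)=(\S+)", line))
    return services

def audit(main_text, master_text):
    """Findings for: STARTTLS offered on 25, TLS required and own cert on 587."""
    main, services = parse_main(main_text), parse_master(master_text)
    if "submission" not in services:
        return ["submission (587) is not enabled"]
    sub = {**main, **services["submission"]}   # per-service overrides win
    findings = []
    if main.get("smtpd_tls_security_level") not in ("may", "encrypt"):
        findings.append("port 25 does not offer STARTTLS")
    if sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission does not require TLS")
    if sub.get("smtpd_tls_cert_file") == main.get("smtpd_tls_cert_file"):
        findings.append("submission shares the port-25 certificate")
    return findings
```

The audit covers Postfix only; the certificate configured for Courier IMAP is not checked here.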
