PDA

View Full Version : Phasing out Google: alternatives to GMail



lads
April 3rd, 2013, 01:15 PM
Hello everyone.

Here's a topic not directly related to Ubuntu, but that I believe most folk in the community should be familiar with. Although I've been a Google user for over 15 years I've grown increasingly wary of their Big Brother functionalities. I've dropped Docs (in great measure due to U1), the search engine and the web sites. The most difficult has been to drop GMail, since there's nothing really quite like it. But my resolution is growing, I'll be testing an alternative pretty soon.

I thus would like to hear experiences from folk that has phased out GMail in the past, or that may have any advice on the alternatives I'm contemplating, namely:


Setting up my own mail server
Using an alternative "private" mail provider: Lavabit (https://lavabit.com/), Neomailbox (https://neomailbox.com/), RiseUp (https://mail.riseup.net/), Hushmail (http://www.hushmail.com/)


Thanks for sharing your thoughts.

mips
April 3rd, 2013, 01:26 PM
www.gmx.com (http://www.gmx.com/)

Elfy
April 3rd, 2013, 01:30 PM
Hi - there is a thread re gmail alternatives, if it's the same/similar to what you're after let me know and I'll merge them.

http://ubuntuforums.org/showthread.php?t=2125732&highlight=gmail

vasa1
April 3rd, 2013, 01:30 PM
http://ubuntuforums.org/showthread.php?t=2125732
Oops!

lads
April 3rd, 2013, 02:25 PM
www.gmx.com (http://www.gmx.com/)

Thanks for the suggestion, didn't know about this one. It sounds too good to be true, what's the catch?

lads
April 3rd, 2013, 02:43 PM
www.gmx.com (http://www.gmx.com/)

Loads of ads, no encryption, and many reports (http://www.reviewcentre.com/reviews169906.html) of usability problems. Apparently a downgrade from GMail.

mike acker
April 4th, 2013, 12:22 AM
Hello everyone.

Here's a topic not directly related to Ubuntu, but that I believe most folk in the community should be familiar with. Although I've been a Google user for over 15 years I've grown increasingly wary of their Big Brother functionalities. I've dropped Docs (in great measure due to U1), the search engine and the web sites. The most difficult has been to drop GMail, since there's nothing really quite like it. But my resolution is growing, I'll be testing an alternative pretty soon.

I thus would like to hear experiences from folk that has phased out GMail in the past, or that may have any advice on the alternatives I'm contemplating, namely:


Setting up my own mail server
Using an alternative "private" mail provider: Lavabit (https://lavabit.com/), Neomailbox (https://neomailbox.com/), RiseUp (https://mail.riseup.net/), Hushmail (http://www.hushmail.com/)


Thanks for sharing your thoughts.

contact CoreComm . you get your own domain and 5gb web area + 25 email addresses -- $15\quarter. the e/mail service is excellent and ou can ser the size of the mail boxes on each user . WORKS WITH THUNDERBIRD and IMAP servers.

lads
April 4th, 2013, 02:29 PM
contact CoreComm . you get your own domain and 5gb web area + 25 email addresses -- $15\quarter.

Thanks Mike for the hint. On this particular kind of service, RackSpace (https://www.rackspace.com/email-hosting/webmail/) seems the best around.

mike acker
April 4th, 2013, 02:52 PM
Thanks Mike for the hint. On this particular kind of service, RackSpace (https://www.rackspace.com/email-hosting/webmail/) seems the best around.

i'm not familiar with RackSpace. I have used CoreComm for years and been very satisfied. they have a whole library of PHP software you can incorporate into your website -- all of it at n/c

their privacy statement says they do not monitor what you do.

and there is no advertising .

to me though I find the performance better. their e/mail just works better and as i said -- you can set the capacity as you like

Lars Noodén
April 4th, 2013, 03:15 PM
www.gmx.com (http://www.gmx.com/)

That is Stateside There is also gmx.net in the EU. With either one you can use IMAP, then you are free to use the mail client of your choice and add encryption that way. For example, Thunderbird with Enigmail would work for that.

mike acker
April 4th, 2013, 04:05 PM
IMAP is the way to go. I use only IMAP on the CoreComm service.
and Thunderbird although you can access their e/mail with a web client

goghard
July 18th, 2013, 04:37 AM
My favorite is a Zimbra free hosting (1 GB): www.mrmail.com/free-zimbra-hosting/
I think it's awesome.
A promising alternative: www.mykolab.com

You can also configure a Lavabit account (8 usd yearly for the whole encryption) and use Thunderbird + Enigmail

mr john
July 18th, 2013, 05:12 AM
Yawn, another person on the Internet who is afraid of the Internet companies... If you don't like being spied on you might as well just turn your computer off and go do something else. Every internet company collects data about people. You can either accept that and be sensible about what you do online or you can put your tinfoil hat on and rant and rave all you want about how company X is evil. The rest of us are happy using whatever works best for us.

mastablasta
July 18th, 2013, 07:14 AM
whats the problem with gmail? just encrypt messages on thunderbird before sending them out.

lads
July 18th, 2013, 10:41 AM
Yawn, another person on the Internet who is afraid of the Internet companies... If you don't like being spied on you might as well just turn your computer off and go do something else. Every internet company collects data about people. You can either accept that and be sensible about what you do online or you can put your tinfoil hat on and rant and rave all you want about how company X is evil. The rest of us are happy using whatever works best for us.

What a useful comment! Thanks for dropping by.

lads
July 18th, 2013, 10:44 AM
whats the problem with gmail? just encrypt messages on thunderbird before sending them out.

Had you read the initial message you'd know what is wrong with GMail and that I don't use Thunderbird.

buzzingrobot
July 18th, 2013, 01:51 PM
You get what you pay for. If you don't pay for an email provider, the provider must find ways to make money off you. People don't do these sorts of things as charities.

I switched from Gmail to Fastmail. It's not free, just good.

mastablasta
July 18th, 2013, 03:43 PM
Had you read the initial message you'd know what is wrong with GMail and that I don't use Thunderbird.

oh i've read it. and you said abotu gmail:


I've grown increasingly wary of their Big Brother functionalities


And i've said just encrypt the email before you send it out.

What is wrong with Thunderbird? Anyway there are other email clients that support encryption.

even if you prefer web interface to dedicated e-mail program - no one is preventing you to encrpyt the message before sending it out on gmail.

then again - you can use your own email server (as you suggested yourself). depends how good your infrasctructure is and how much your travel arround the world while using email.

aysiu
July 18th, 2013, 05:42 PM
I wouldn't phrase it quite as bruskly as mr john has, but I agree with the principle. Pretty much anything you don't host yourself is not really that private. There are a few common sense things you can do not to overly advertise your private info. Unless you live in a cave, grow your own food, don't have a credit card, don't have a car, don't have student loans, don't have a bank account, never check out books at a library, and somehow manage to never have pictures taken by anyone you know who has a Facebook account... you're pretty much out there.

There is a reasonable middle ground between the extremes of "They can't get me" v. "Well, they know so much anyway, I might as well make everything public." Gmail is in that middle.

Even if you encrypt your messages, how do you know what the people you're sending those messages to are doing? Are you sending to a Gmail address? Well, then Google has your message anyway. Sending to Yahoo? Yahoo has it. Sending to Microsoft mail (Outlook? Hotmail? Whatever they call it?)? Microsoft has it. Not everyone you communicate is going to host her own mail server and encrypt everything and never forward your messages.

buzzingrobot
July 18th, 2013, 08:19 PM
Not everyone you communicate is going to host her own mail server and encrypt everything and never forward your messages.

Not if they have any sense. :)

Unless you setup your own hardware and buy your own personal internet node, the mail server anyone sets up is very likely going to be running in a rented virtual machine on a VPS somewhere and they're going to use it with an account rented from an ISP. Encrypted ot not, that person's email is going to sit on hardware someone else owns and controls. (And encryption is no good when the person on the other side isn't prepared to deal with it.)

Running your own mail server is a first class pain. A bit like running a restaurant to make sure you eat homecooked food.

The best way to ensure your privacy is to practice privacy. The web is a publishing medium, not a commo system, so don't publish personal info.

aysiu
July 19th, 2013, 12:14 AM
Encrypted ot not, that person's email is going to sit on hardware someone else owns and controls.

Running your own mail server is a first class pain. A bit like running a restaurant to make sure you eat homecooked food. These were the exact points I was trying to make.

vishal2
August 12th, 2013, 01:52 PM
Hi,

I found gmail alternative forum post here but that was closed so i start new thread here.I am shifting to my services to email.biz and see what kind of services i would get there.

Elfy
August 12th, 2013, 02:53 PM
you obviously didn't find this one then

merged

beacon-videotron
August 12th, 2013, 03:05 PM
Look, if Google/Fastmail/GMX/HOTMAIL/ whatever doesn't have a copy of your encrypted email, then the NSA does. Have you not heard about Snowden and PRISM? Relax. Commercialization has
ruined the Internet - they have turned it into something they can control, while keeping everyone dumb and happy :)

lads
August 12th, 2013, 04:07 PM
What just happened to Lavabit (http://ubuntuforums.org/showthread.php?t=2166284) is a sort of sad vindication to this thread.

Over the weekend there was also this announcement:



German email providers team up for anti-snooping bid (http://www.themalaymailonline.com/world/article/german-email-providers-team-up-for-anti-snooping-bid)

Germany's three biggest email providers announced Friday a partnership to bolster the security of messages sent between them in the wake of revelations of US online surveillance.

Telecommunications giant Deutsche Telekom as well as GMX and Web.de, both subsidiaries of Germany's United Internet, will automatically encrypt their email traffic from now on.

Email content as well as the identity of the sender and recipient and attachments will be encrypted, Deutsche Telekom and United Internet told reporters, presenting the "Email Made in Germany" initiative.
- See more at: http://www.themalaymailonline.com/world/article/german-email-providers-team-up-for-anti-snooping-bid#sthash.kzGsJai3.dpuf

I've signed up for GMX, that has an English interface, and am now assessing its capabilities. So far looks better than others I've tried.

1clue
August 12th, 2013, 05:40 PM
What just happened to Lavabit (http://ubuntuforums.org/showthread.php?t=2166284) is a sort of sad vindication to this thread.

Over the weekend there was also this announcement:



I've signed up for GMX, that has an English interface, and am now assessing its capabilities. So far looks better than others I've tried.

What happened to Lavabit is what you have to worry about, only a thousand fold.

Speaking as somebody who has managed a mail server for years, there are a lot of issues most of you don't seem to want to consider, most of which has been mentioned on this thread already.

If the mail server is not on your hardware on a network you personally have the entire contract on, then somebody else is in control and you can be monitored without your knowledge.
If your ISP is subpoena'd then you can be monitored without your knowledge.
Comcast and Midcontinent and AT&T are on that list of companies who let the US government put hooks in, which covers the lion's share of high speed US connections to homes and small businesses I think.
Small office/home office (SOHO) routers are notoriously buggy, if you're using one then probably your security isn't as good as you were hoping.


Now, about the whole stream:

If you encrypt at the desktop-style client (not webmail) then, assuming you're using an encryption mode that's not cracked you can gain a certain measure of privacy.
That said, in order for this to work you need both ends of the chain to be encrypted, which means whoever you're talking to needs to be encrypted and careful as well.
By encryption I don't mean using ssl to get to the server. Encryption means that you have an encryption key with a public and private part, you've shared the public part with your friends, and they've done likewise with you. Encryption means that sending an email to Bob, I've encrypted my message such that only Bob can decrypt it without going through a cracking process. Not even you can read that message anymore.
Encrypting the body does not mean the entire communication is secure. They still know who mailed whom because that's in plain text, by definition.
Picture your brothers and sisters, and your parents in light of the above statement. How about your kids?
Picture your coworkers. While almost all of my coworkers could figure out encryption, absolutely none of them wants anything to do with it.
Using encryption to a webmail-style place does not in any way mean the entire chain is encrypted. Almost certainly not.
Any point where your data crosses a national boundary, you are probably going to have your email scanned. Again, if you didn't encrypt it with a key aimed specifically at the recipient it's probably plain text by the time it gets to the national boundary.


I went through the trouble to set this up awhile back, and absolutely nobody was interested. Absolutely nobody would go further than say they got an unreadable email from me, please send it in plain text.

So, everyone who wants 'secure' email needs:

Their own physical server, on their own physical hardware with a properly configured secure mail server on it, inside of a secure building which limits physical access.
A non-trivial firewall and the expertise to use it. This is an understatement, you need defense in depth.
An obsessive fascination with CERT and other security-based institutions.
An ISP who won't cave to whatever the equivalent of a federal subpoena is in your country. (Meaning they're willing to go to prison to protect your privacy)
Friends who are just as obsessive and careful about this as you are.



Online monitoring sucks, but the only way to fix it is overwhelmingly difficult. Skip one part and the whole thing is nothing. It's a house of cards.

Gilad_Pellaeon
August 12th, 2013, 08:26 PM
Or you could wait until Kim Dot Com sets up an email alternative

From http://yro.slashdot.org/story/13/08/11/1244209/after-lavabit-shut-down-dotcoms-mega-promises-secure-mail



Lavabit may no longer be an option (http://yro.slashdot.org/story/13/08/08/1956215/encrypted-email-provider-lavabit-shuts-down-blames-us-govt), but recent events have driven interest in email and other ways to communicate without exposing quite so much, quite so fast, to organizations like the NSA (and DEA, and other agencies). Kim Dotcom as usual enjoys filling the spotlight, when it comes to shuttling bits around in ways that don't please the U.S. government, and Dotcom's privacy-oriented Mega (https://mega.co.nz/) has disclosed plans to serve as an email provider with an emphasis on encryption (http://www.zdnet.com/mega-to-fill-secure-email-gap-left-by-lavabit-7000019232/). ZDNet features an interview with Mega's CEO Vikram Kumar about the complications of keeping email relatively secure; it's not so much the encryption itself, as keeping bits encrypted while still providing the kind of features that users have come to expect from modern webmail providers like Gmail:

"'The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side,' Kumar said. 'If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible but very, very hard. That’s why even Silent Circle didn’t go there.'"

lads
August 13th, 2013, 01:18 PM
What happened to Lavabit is what you have to worry about, only a thousand fold.

Speaking as somebody who has managed a mail server for years, there are a lot of issues most of you don't seem to want to consider, most of which has been mentioned on this thread already.

Thank you 1clue, this is the kind of detailed information I was looking for when I started this thread. Just to add: I found out recently that a colleague of mine ran his own mail server for a few years; in his case what eventually overwhelmed him was spam, at some point it was just too much work to keep it running.

Understanding the risks of having one's email stored at someone else's server, having it in a foreign country where individual privacy seems not to be a civil right, such as the US, only increases that risk further. As someone who values privacy, keeping my e-mail stored at the US by a US company seems at this stage idiotic (even if GMail actually has the best GUI out there).

E-mail secrecy is a business in the making. Just like some countries live off banking secrecy.

buzzingrobot
August 13th, 2013, 02:05 PM
Since email, like everything else about the web, is, by intent and design, a public publishing protocol, not a private communication tool, it's always seemed to me to be naive and ill-informed to expect privacy in that environment. That so many people seem to be taken aback to find their email is not private speaks to a wide and deep ignorance of how, and why, the internet works. Getting that kind of privacy as a matter of course would mean modifying the internet to a degree most of us would not like.

Encryption can deliver a degree of privacy as long as both parties in an email exchange opt in. I doubt it will see wide acceptance in the mainstream market. People can't keep passwords straight, much less the paraphenelia of encryption. Courts will certainly require the turning over of keys in criminal cases. After a serious terror incident in which the participants conspired via encrypted email, legislation banning it will stand a good chance of passage.

kurt18947
August 13th, 2013, 02:06 PM
What just happened to Lavabit (http://ubuntuforums.org/showthread.php?t=2166284) is a sort of sad vindication to this thread.

Over the weekend there was also this announcement:



I've signed up for GMX, that has an English interface, and am now assessing its capabilities. So far looks better than others I've tried.

I wonder if this is true of GMX.com as well. GMX.com appears to be hosted by 1+1 in the U.S. I've signed up for it after the demise of lavabit.com. I'm not terribly concerned about privacy on this account but it'd be nice if it's at least secure enough that it'd take the resources of an state sponsored organization to read my mail. The things I receive there Uncle can find from other sources with little effort if he's interested.

lads
August 13th, 2013, 02:44 PM
I wonder if this is true of GMX.com as well. GMX.com appears to be hosted by 1+1 in the U.S. I've signed up for it after the demise of lavabit.com.

I turns out that mail boxes of US users are stored in Kansas (http://download.cnet.com/GMX-Webmail/3000-2369_4-75452680.html). I've sent an e-mail to costumer support asking where my mail box is being stored.

1clue
August 13th, 2013, 02:49 PM
Actually buzzingrobot has a good point, maybe not the one he intended but anyway I'll stop babbling and tell you about it.

If you know the IP address of your recipient, it seems to me much simpler to communicate directly host to host in a relatively secure fashion.

Again you would need collaboration and a certain amount of education on both ends, and you'd need to secure your own systems, but it would be a whole lot easier than securing email.

You could do it just by having a 'shared' folder and scp files back and forth. Or, you could use some sort of skype-like video conferencing service, or telephone app. I say Skype-like because it's peer to peer once you've made the connection, however making the connection is NOT peer to peer so it wouldn't be all that helpful that way.

This obviously doesn't work for a replacement for general email, but if you have one or two people or servers you want to secure this sort of thing would work. Here you'd only need to make sure your system is secure, and that you have a good encryption key in both directions.

ukripper
August 13th, 2013, 05:08 PM
Running your own mail server is a first class pain. A bit like running a restaurant to make sure you eat homecooked food.


lol Agree from my personal experiences

kurt18947
August 13th, 2013, 09:42 PM
I turns out that mail boxes of US users are stored in Kansas (http://download.cnet.com/GMX-Webmail/3000-2369_4-75452680.html). I've sent an e-mail to costumer support asking where my mail box is being stored.

I'm not terribly fond of GMX.com's web site. It's quite persistent about my using it's service to check multiple email accounts which I don't want to do and don't know how to stop it asking. I'll check with them. It does seem to work quite well on T'bird using IMAP. I have no illusions about privacy from the 3-letter organizations but for what I use this account, my information would be available to them via other sources over which I have control anyway.

buzzingrobot
August 13th, 2013, 11:06 PM
If you know the IP address of your recipient, it seems to me much simpler to communicate directly host to host in a relatively secure fashion.

Again you would need collaboration and a certain amount of education on both ends, and you'd need to secure your own systems...

Yes, but...

Most people have no concept of what an IP address is. And do not want to have a concept.

You might get collaboration and willingness to endure some "education" between people we call "enthusiasts", not among normal people. Besides, if you know someone well enough, and you also know that you will need to communicate with them frequently, it's a magnitude easier to just pick up your phone and call them.

If the kind of privacy being proffered by the encryption-based products that we've seen hyped since Snowden are really to make an impact, they need to be made as easy, as accessible, as universal, and as braindead as current email. I don't think you can sustain a universal and secure email architecture if you depend on the skills and knowledge of users to make it work.

So, we're likely to see ourselves in a situation where people who use encryption techniques simply attract attention from the folks they are trying to hide from.

1clue
August 13th, 2013, 11:30 PM
Yes, but...

Most people have no concept of what an IP address is. And do not want to have a concept.

You might get collaboration and willingness to endure some "education" between people we call "enthusiasts", not among normal people. Besides, if you know someone well enough, and you also know that you will need to communicate with them frequently, it's a magnitude easier to just pick up your phone and call them.

If the kind of privacy being proffered by the encryption-based products that we've seen hyped since Snowden are really to make an impact, they need to be made as easy, as accessible, as universal, and as braindead as current email. I don't think you can sustain a universal and secure email architecture if you depend on the skills and knowledge of users to make it work.

So, we're likely to see ourselves in a situation where people who use encryption techniques simply attract attention from the folks they are trying to hide from.

That's exactly what I've been saying. Except that if you don't do it yourself on your own hardware, on your own network, then your data can be subpoena'd without your knowledge. If you own and maintain everything, then you at least KNOW when it's been subpoena'd, although you can't prevent it. Of course if anyone knows how to break through your security then you'll never know anyway.

What I'm saying is that nobody else is going to go to jail in order to protect your privacy. I'm saying that even if they do, if somebody really really wants your data they'll get it, and I'm not talking about just governments.

Also regarding the phone, I don't know how much you know about phones. At some level all phone traffic becomes digital, which means it is VOIP. Once it's VOIP it's a network switch, which is exactly the same as a data switch except different software. Police and therefore other government officials can tap that at least as well as they can tap your data. If you're afraid of your government then using a phone is not secure.

Personally I think that most governments are a lot more benign than the other guys who would be interested in this sort of thing. Some notable exceptions of course, like China and Russia and Iran. In the USA (where I'm from) you might be implicated in some crime, but they won't just come over and burn your house down, or more appropriately bomb it. And the other bad guys out there might just steal your house from you, and the entire contents of every bank account you have. And buy a few other houses with your credit rating. Or turn on your webcam when you're not looking and use whatever shows up however they see fit.

So really what it comes down to, what I'm saying is that if you aren't an expert you don't get secure communications that you can rely on, period. If you ARE an expert, AND your friend is an expert, then MAYBE you can devise secure communications, IF it's on your hardware.

PS: You might be able to get something better than GMail, meaning your ISP doesn't actively cooperate with the government or maybe even private inquiries, but you won't be able to rely on privacy as much as if you went through it the hard way.

buzzingrobot
August 14th, 2013, 12:34 AM
I'm actually not convinced anything we publish on the net, including mail, needs to be subject to subpoena to be acquired. It's a public space. We like to think it's private, but it isn't. It's a big wall where we tape things for everyone else to see.


Cellphones are radios that transmit and receive on the public airwaves. No promise of privacy there.

in both instances -- mail and phones -- people are looking to technology to deliver the kind of privacy that can only be provided if people agree not to look at the stuff other people do and say in public. That won't happen.

And, even with encryption on both ends of a conversation, I still need to trust that the other person won't disseminate my correspondence after decrypting it.

monkeybrain20122
August 14th, 2013, 08:29 AM
Kim Dotcom?

http://www.huffingtonpost.com/2013/08/12/kim-dotcom-encrypted-email_n_3745199.html

philinux
August 14th, 2013, 04:08 PM
This article is in the Daily Mail uk. Personally I like google calendar and use gmail rarely. I suppose my hotmail account is also not very private.

http://www.dailymail.co.uk/sciencetech/article-2392773/Gmail-email-users-NOT-expect-privacy-Google-claims-stunning-admission.html

monkeybrain20122
August 14th, 2013, 08:04 PM
This article is in the Daily Mail uk. Personally I like google calendar and use gmail rarely. I suppose my hotmail account is also not very private.

http://www.dailymail.co.uk/sciencetech/article-2392773/Gmail-email-users-NOT-expect-privacy-Google-claims-stunning-admission.html

Well hotmail (outlook) and all MicroSoft services have built-in NSA backdoor, I suppose this is worse piracy violation than google showing you ads by matching keywords.

http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

MasterNetra
August 14th, 2013, 10:25 PM
mail.com is another good one it seems even have quite a select of @ endings when you setup account and can connect other email accounts to it if you wanted. Dunno about encryption for messages with it as I've never tried it.

There are ads though, but there is a premium account to which of course are no ads. Prem Upgrade ad claims you get SSL Encryption as well with prem.

1clue
August 15th, 2013, 02:32 AM
Come on you guys. If it's a web site then any encryption you put on it is in the hands of someone else. If they're bent then it just as well not be encrypted.

lads
August 16th, 2013, 02:41 PM
Got this in my GMX mail box:


Dear GMX Customer,

We thank you for your inquiry. Please note that GMX as a German and international company operates in different countries. As such we have data stored in both European countries and the U.S.A. Therefore and for security reasons, we cannot provide you with a definite answer as to where your data might be stored.


With kind regards,
Your GMX Support Team.

buzzingrobot
August 16th, 2013, 08:19 PM
Got this in my GMX mail box:

Email sits on the servers of the providers all your *recipients* use, too.

Email is plain text on publicly available servers. It is not private, cannot be private, and was never intended to be private. Your email is published to a server, not sent to a single individual.

No one needs backdoors to look at email. Only a few passwords and the integrity of the admins running your mail servers are keeping your mail "private".

If you don't want it known, don't put it on the net. Period.

codingman
August 18th, 2013, 03:34 AM
*Sigh*
You really can't set up your email to be secure unless you have a group of friends that all have their own servers and only send it to the other people in the group, therefore making the entire operation near impossible.

But let's say you want to send a letter to your boss, and he uses GMX because he doesn't have the time to maintain the server, and then your mail is then public. Aaaaaahhhhhh.... public. Meaning that an admin at GMX can easily read your letter to your boss.

There is no way to keep your stuff secure on the internet.

RichardET
August 18th, 2013, 04:17 PM
Hello everyone.

Here's a topic not directly related to Ubuntu, but that I believe most folk in the community should be familiar with. Although I've been a Google user for over 15 years I've grown increasingly wary of their Big Brother functionalities. I've dropped Docs (in great measure due to U1), the search engine and the web sites. The most difficult has been to drop GMail, since there's nothing really quite like it. But my resolution is growing, I'll be testing an alternative pretty soon.

I thus would like to hear experiences from folk that has phased out GMail in the past, or that may have any advice on the alternatives I'm contemplating, namely:


Setting up my own mail server
Using an alternative "private" mail provider: Lavabit (https://lavabit.com/), Neomailbox (https://neomailbox.com/), RiseUp (https://mail.riseup.net/), Hushmail (http://www.hushmail.com/)


Thanks for sharing your thoughts.

I doubt that you have been a google user for over 15 years....

bra|10n
August 18th, 2013, 04:49 PM
https://beta.startmail.com/

RichardET
August 18th, 2013, 05:22 PM
That startmail seems very interesting - thanks for the tip. But other secure systems have recently stopped doing business; Why, in your opinion, is startmail any different?

RichardET
August 18th, 2013, 05:31 PM
Well hotmail (outlook) and all MicroSoft services have built-in NSA backdoor, I suppose this is worse piracy violation than google showing you ads by matching keywords.

http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

How do you know that you can "trust" "The Guardian"? Why do you assume that Glenn G. has no personal agenda in this matter beyond investigative journalism? I find journalists to be a curious lot - they expose top secrets for the thrill of it, but would most likely go crazy if their own private sources were ever exposed. It's the ultimate double standard.

RichardET
August 18th, 2013, 05:38 PM
What happened to Lavabit is what you have to worry about, only a thousand fold.

Speaking as somebody who has managed a mail server for years, there are a lot of issues most of you don't seem to want to consider, most of which has been mentioned on this thread already.

If the mail server is not on your hardware on a network you personally have the entire contract on, then somebody else is in control and you can be monitored without your knowledge.
If your ISP is subpoena'd then you can be monitored without your knowledge.
Comcast and Midcontinent and AT&T are on that list of companies who let the US government put hooks in, which covers the lion's share of high speed US connections to homes and small businesses I think.
Small office/home office (SOHO) routers are notoriously buggy, if you're using one then probably your security isn't as good as you were hoping.


Now, about the whole stream:

If you encrypt at the desktop-style client (not webmail) then, assuming you're using an encryption mode that's not cracked you can gain a certain measure of privacy.
That said, in order for this to work you need both ends of the chain to be encrypted, which means whoever you're talking to needs to be encrypted and careful as well.
By encryption I don't mean using ssl to get to the server. Encryption means that you have an encryption key with a public and private part, you've shared the public part with your friends, and they've done likewise with you. Encryption means that sending an email to Bob, I've encrypted my message such that only Bob can decrypt it without going through a cracking process. Not even you can read that message anymore.
Encrypting the body does not mean the entire communication is secure. They still know who mailed whom because that's in plain text, by definition.
Picture your brothers and sisters, and your parents in light of the above statement. How about your kids?
Picture your coworkers. While almost all of my coworkers could figure out encryption, absolutely none of them wants anything to do with it.
Using encryption to a webmail-style place does not in any way mean the entire chain is encrypted. Almost certainly not.
Any point where your data crosses a national boundary, you are probably going to have your email scanned. Again, if you didn't encrypt it with a key aimed specifically at the recipient it's probably plain text by the time it gets to the national boundary.


I went through the trouble to set this up awhile back, and absolutely nobody was interested. Absolutely nobody would go further than say they got an unreadable email from me, please send it in plain text.

So, everyone who wants 'secure' email needs:

Their own physical server, on their own physical hardware with a properly configured secure mail server on it, inside of a secure building which limits physical access.
A non-trivial firewall and the expertise to use it. This is an understatement, you need defense in depth.
An obsessive fascination with CERT and other security-based institutions.
An ISP who won't cave to whatever the equivalent of a federal subpoena is in your country. (Meaning they're willing to go to prison to protect your privacy)
Friends who are just as obsessive and careful about this as you are.



Online monitoring sucks, but the only way to fix it is overwhelmingly difficult. Skip one part and the whole thing is nothing. It's a house of cards.

Thats a great online post, very educational. Finally, someone with some sense, in the GNU/Linux world.

lads
August 20th, 2013, 02:04 PM
I doubt that you have been a google user for over 15 years....

I doubt you intend to be any useful to this discussion.

monkeybrain20122
August 20th, 2013, 05:26 PM
How do you know that you can "trust" "The Guardian"? Why do you assume that Glenn G. has no personal agenda in this matter beyond investigative journalism? I find journalists to be a curious lot - they expose top secrets for the thrill of it, but would most likely go crazy if their own private sources were ever exposed. It's the ultimate double standard.

MicroSoft has pretty much admitted to it. Why do you think the Guardian would make it up to frame MS? Don't you think they would get sued? Why is it so incredible?

slw210
August 20th, 2013, 07:35 PM
So, everyone who wants 'secure' email needs:


Their own physical server, on their own physical hardware with a properly configured secure mail server on it, inside of a secure building which limits physical access.
A non-trivial firewall and the expertise to use it. This is an understatement, you need defense in depth.
An obsessive fascination with CERT and other security-based institutions.
An ISP who won't cave to whatever the equivalent of a federal subpoena is in your country. (Meaning they're willing to go to prison to protect your privacy)
Friends who are just as obsessive and careful about this as you are.




Best bet is to stop using internet and email, use a Mission Impossible style self-destructing tape for communication that you want to stay private and no record.

I'm cautious, but have nothing to hide, I just use Yahoo and Comcast, even though I do have my own as well.




MicroSoft has pretty much admitted to it. Why do you think the Guardian would make it up to frame MS? Don't you think they would get sued? Why is it so incredible?

Show where MicroSoft has admitted to it. (Spoiler Alert: They haven't) NSA Backdoor (https://en.wikipedia.org/wiki/Criticism_of_Microsoft_Windows#Secret_backdoor_con spiracy_theory)

buzzingrobot
August 20th, 2013, 11:16 PM
Whether Microsoft has "admitted" anything doesn't matter.

Plain text files sitting on publicly accessible servers -- that's what email is -- are not private. If they were private, email wouldn't work.

Anything that's protecting the privacy of your email can be undone by the server's admin.

Encryption? Sure. But, you have to decrypt mail before you can read it. How many people copy encrypted files to another machine with no network access for decryption?

Publishing on the net -- that's what email is -- is like talking in a shopping maill or a busy airport. Both places are completely public. Still, odds are no one is listening to you. But, if they want to, they can, and nothing you can do can stop them.

1clue
August 21st, 2013, 01:30 AM
Let's be clear here:

Email itself is unencrypted.
Anyone who has read access to the directory the data is stored in can read all of the header information and any unencrypted attachments.
An email attachment could be encrypted, in which case that attachment could not be read easily; you would need to crack it.


If anyone is curious, you can search on "email rfc' and see the spec yourself. The fact of interoperability between email servers means that the header information MUST BE unencrypted across the network. It's possible that a company could cook up their own protocol for internal documents, or make a VPN such that the two servers are inaccessible from outside the secure channel, but that's semantics.

Every mail server I've used stores its email exactly the same way. It's unencrypted unless there's an encrypted attachment. To encrypt or decrypt on the fly takes a lot of CPU power, and email servers tend to be struggling for all the resources they can get, especially something big.

slw210
August 21st, 2013, 05:06 PM
Whether Microsoft has "admitted" anything doesn't matter.

Matter to what?

monkeybrain20122, claims they admitted to it, so yes, it does matter.

Opinions are one thing, but, you are not entitled to your own FACTS.

Camuflage
August 24th, 2013, 11:08 AM
Well i'm also looking to know alternatives to Gmail, i don't want any based american service but one based in a country like Iceland, Norway or Switzerland does anyone know free or paid email from that countries?

buzzingrobot
August 24th, 2013, 12:52 PM
Matter to what?

monkeybrain20122, claims they admitted to it, so yes, it does matter.

Opinions are one thing, but, you are not entitled to your own FACTS.

Because you don't need a "back door" to read plain text files on public servers.

No opinion there.

People can be upset about other people snooping in their email. But, to think email is, or was ever intended to be, a securely private technology, is naive. As with traditional mail, our privacy depends on the unwillingness of other people to look at our mail.

Email is thoroughly unprivate by virtue of the way it is designed and works. If we want email that is actually private -- readable only by sender and recipient(s), with headers and other associated metadata that cannot be read by anyone else -- then we need to reengineer email to do that, including figuring out how to make software that can read metadata that is unreadable.

Have at it.

sammiev
May 31st, 2014, 04:58 PM
I never read all 6 pages but if you use a free email service you could only assume the info or emails may not be private.

beameup
May 31st, 2014, 08:40 PM
Just to add a note: Mail.com uses GMX, same interface; which has just recently been updated.

My 2 cents. I have Gmail, Yahoo, Outlook, Zoho, GMX, Mail.com(my old "@linuxmail.org" addy), Icloud, and even AOL(my old "@netscape.net" addy).

Use them all for various functions. Don't expect privacy from any of them. They'll just have a little bit of work to track me :)

All set up IMAP in Geary. Only one that gives me issues is Yahoo, asks for password from time to time.

IMHO: Best web interface is Icloud, although a little sluggish for me, GMX new interface not bad, the old one wasn't too keen looking. Zoho reminds me of Outlook windows software.

Tar_Ni
May 31st, 2014, 11:47 PM
There is also Yandex, a Russian web based email service.

https://mail.yandex.com/

sam-c
June 6th, 2014, 08:19 PM
Try Yahoo Mail I use yahoo and gmail but prefer yahoo anyday.
Uncle Sam
Hope it helps you

sam-c
June 6th, 2014, 08:44 PM
ps I will also try gmx

echotech2
June 7th, 2014, 09:27 AM
In the GMX Privacy Policy:

GMX may use the personally identifiable information collected by GMX to contact customers regarding products and services offered by GMX and, to the extent the user has agreed to it, by its trusted affiliates, independent contractors and business partners.

The red section you have agreed to just signing up for GMX. "Business partners" are anyone we sell the information to.

buzzingrobot
June 7th, 2014, 12:54 PM
In the GMX Privacy Policy:

GMX may use the personally identifiable information collected by GMX to contact customers regarding products and services offered by GMX and, to the extent the user has agreed to it, by its trusted affiliates, independent contractors and business partners.

The red section you have agreed to just signing up for GMX. "Business partners" are anyone we sell the information to.

Unless the law in their jurisdiction prohibits it, nothing prevents anyone running a site or a server from selling user-generated data. Terms and Services statements exist to demonstrate that businesses acted to inform customers.

PondPuppy
June 7th, 2014, 10:46 PM
For me it's about perception. Today I went to OfficeMax and bought packing materials, and while there I talked to my wife about our hike the day before. Those purchases, and that conversation, were "private" in that they reveal details of my personal life. But of course anyone watching and listening has those details. I think of email the same way. Most of the respondents in this thread say much the same thing.

I figure that mostly what Google will do is send me targeted ads. I don't care. Or the guvermint will figure out that I donated to GHacks and the Nature Conservancy. Again, not important. Or Microsoft will find out I don't update my Win 7 installation very often :D, or whatever. Most peoples' communications are mostly mundane, I think. Certainly mine are. So, like the conversation in OfficeMax, I don't worry much about being overheard.

BUT if you need to hide something -- because you are fighting tyranny in a police state, for instance -- then you might be able to do stuff with Linux Liberte or TAILS or LPS, and TOR, and using artificial identities and encrypted communication drops. Pain in the tuchis. And as everyone has mentioned, the people you're communicating with will need to play ball at that level as well.

PartisanEntity
June 10th, 2014, 10:46 AM
Just some feedback from me:

Some years ago I was on a path of war against invasions of privacy and wanted to ensure that I am not snooped and spied upon by web services providers because I cherish my privacy. It has now become apparent to me that privacy online is broken, this has to do with how the entire system is built so nothing that can be fixed quickly.

But what you can do is make it harder for data mining companies to get information about you. This is what I do, and granted it's nothing special to write home about, but it works for me:

1. I use my domain hosted email mainly.
2. I use a gmail account for things like forum access or any low level service I think is bound to spam me.
3. I use a hosted Linux node to manage my contacts, calendars and files (owncloud).
4. I personally don't use social media.
5. I do not keep any sensitive or important data/files online anywhere.
6. I use opendns to try and limit how much data my ISP collects about me.
7. I use a paid VPN service for obscurity and some privacy when needed.
8. On my smartphone I use cyanogenmod with things like Privacy Guard enabled by default.

Yes, all of these can by bypassed at some point and in some way I am sure. But as a whole, this footprint is much harder to compile as a whole compared to not doing it this way.

My main aim is to make it harder for someone to compile a surfer/user/consumer profile about me. I am fully aware that in order to use the internet, I will naturally have to give up some privacy because at the moment that is how the system is built.

But I do not want to give up everything (I am careful about what I share and post online), and I do not want to make it easy for anyone to collect data about me.

Some say, why go through all the trouble, if you have nothing to hide then you should not care. Well that misses the point sorely. Rights must be defended or they are no longer respected. I have nothing to hide, but I don't leave my home door open and unlocked, I don't leave my car doors open, I don't leave my financial data and passwords lying around on the street.

Having nothing to hide and caring about ones privacy are not diametrically opposed values as some seem to think.

Because by the same token I can ask, if you have nothing to hide, why lock your doors, why lock your car, why not blurt out your pin codes and passwords in public, why enable Facebook privacy settings, why keep your passwords secret and hidden?

buzzingrobot
June 10th, 2014, 12:26 PM
It has now become apparent to me that privacy online is broken, this has to do with how the entire system is built so nothing that can be fixed quickly.


Yor're right that the net was designed to protect privacy. It was designed as a space for public exchanges between academics and others.

Because the net is a public space, my operating metaphor for using it is that I'm on a busy downtown street posting plain text messages on a giant bulletin board, and each post has a magic number that can identify me. It's not like my house, where I have a reason to expect privcy.

I tried one of those so-called secure mail providers but cancelled when I realized that mail I send also sits on the servers of the recipients' providers. E.g., every time I send mail to someone using Gmail, my mail is on a Google server.

mastablasta
June 10th, 2014, 03:10 PM
I tried one of those so-called secure mail providers but cancelled when I realized that mail I send also sits on the servers of the recipients' providers. E.g., every time I send mail to someone using Gmail, my mail is on a Google server.

exactly so you might as well encrypt it on your end. the trouble is that receiver needs the key to unlock it.

otherwise thunderbird addon Will do it nicely and Google itself won't get much use from those emails.

buzzingrobot
June 10th, 2014, 05:58 PM
exactly so you might as well encrypt it on your end. the trouble is that receiver needs the key to unlock it.

otherwise thunderbird addon Will do it nicely and Google itself won't get much use from those emails.

Yeah, the people I send mail to don't have a clue about encryption and I'm not inclined to persuade them to use it. Way too much hassle.

The most revealing mail I get is probably order confirmations from Amazon. If that interests anyone, they can have it.

If I want to convey something personal/private to someone, I usually just phone them. (Of course, that's just radio...;))

Habitual
June 10th, 2014, 07:48 PM
https://runbox.com/