Category: Other

Other computing tips

List of the best free webmail privacy services

One of the most private email communication systems consists in using Tor or a VPN to connect to a free webmail service and encrypt the messages yourself with PGP, this method gives you privacy and anonymity. Thunderbird+Enigmail, or GPG4Win can do that and it won’t cost you a cent, the problem is the time and learning curbe it takes to do this.

Encryption built-into the webmail service might not as secure as doing it yourself but if the company claims are true, encryption secure and their privacy policy trustworthy, it is a really easy way to secure your email messages.

Atomic Mail: Free encrypted email service with aliases, zero access encryption and no advertising. Atomic Mail is a new privacy email service based in Estonia compliant with European GDRP privacy laws. You can use it to send password protected emails to people using an insecure email providers, when you send a password protected email only the link to the message hosted in a secure server is sent and not the content.

Proton Mail: Company keeps minimum logs and can not read your data as the inbox is encrypted. Servers are based in Switzerland. Communicating with other Protonmail users is end to end encrypted, and emailing other email providers is done in plain text, to make the best of this service your friends should ideally be using too. the company itself can’t read your data.

Tuta Email: Email privacy service based in Germany, messages are encrypted in your browser and nobody can access the encryption keys, Tuta staff has no decryption keys, they keep no login IPs and have no way to identify customers or decrypt data. They also publish transparency reports showing how many court orders they had and what it was done about it, like, handing over encrypted data.

Tuta free privacy email service

VFEmail: With support for PGP encrypted webmail using the interface and anonymous sign up using Tor, this service has a Tor hidden node from where you can access your account. Metadata is scrubbed from emails and your computer IP removed from the headers.

Mailfence: Email service hosted in Belgium that supports sending OpenPGP encrypted messages and two factor authentication. Seamless keystore integration. All encryption happens in the browser. Service includes a calendar and cloud document storage with paid for accounts giving you access to Android and iPhone apps to access your email using a portable device.

NOTICE: List only includes services with free option. If you are willing to pay for a privacy email service other companies you should look at are Posteo (Germany), Countermail (Sweden), StartMail (Netherlands), CodaMail (USA) and KolabNow (Switzerland).

Webmail services hiding your IP

The following email services do not encrypt your messages but hide your computer IP in the headers. I tested all of them and the sender’s IP is replaced with a neutral IANA (Internet Assigned Numbers Authority) private IP address, a range of IP addresses not linked to any country or person reserved for use in private networks, the only way to find out who sent the email is to contact the company and ask them.

Yandex: Russian email provider offering Email accounts in multiple languages, with huge storage space (10GB), beautiful interface of interchangeable themes, spam and virus filter and free storage for files and documents. Yandex strips your email from the headers but this is not a privacy service they keep internal logs of the real IP in case of abuse.

GMX Mail: Free German email provider with PGP encryption, large attachments, filter rules and mail collector as well as 10 free aliases to be able to compartmentalize different online identities. GMX finances the free email service with advertising being displayed on their page.

NOTE: Some email services will only strip your computer IP from the headers for webmail and include the computer IP in messages sent using SMTP.

25 June, 2018
Review Dutch free speech host LibertyVPS

LibertyVPS is a hosting provider that has been in business four years and they specialise in free speech. Their servers are located in the Netherlands, so your content will have to be compliant with Dutch law, the company provides hosting for those facing censorship but they also warn in their terms and conditions that they will work with law enforcement to prevent illicit activity.

I asked them if I could host pharmacy related products like Viagra or vitamin supplements and I was given a link to their terms and conditions where the only listed content restrictions are child porn, spam, malware and human and animal pain sites, the bottom line is that LibertyVPS doesn’t allow any activity which is illegal but will happily host whistle blowers and sites exposing government and corporations malpractice and abuse.

LibertyVPS control panel free speech hosting

Prices are reasonable, I did not feel I was being charged extra for privacy, but if you are after unlimited bandwidth you have to upgrade to a VPS, which can be set to CentOS, Ubuntu, Fedora, Debian or OpenSUSE, even if you pick one distribution you will not be stuck with it for ever, you can reinstall the VPS with a new distribution using the control panel.

For shared hosting LibertyVPS is using a standard cPanel that most people will be familiar with and you can back up your own site using it. They also offer Windows VPS which I did not test.

Uptime was fine, I have not been with them for long but so far all good and the backbone is provided by Dutch company Ecatel, with up to 1 Gigabit line speed. Support is only via ticket, LibertyVPS replied to the three tickets I opened in under 24 hours.

Overall I think that this company fills in a much needed niche, free speech hosting on a budget, reliable, with good support, standard industry hosting software and payment in Bitcoins. I can´t think of too many improvements for this company and even if you don´t need a free speech host, given their average prices, I would also recommend them for hosting mainstream content outside the US.

Visit LibertyVPS host

12 March, 2017
Fake ISP HM Customs And Excise HQ UK Network

I was looking at the server logs when I detected multiple visitors coming from the HM Customs And Excise HQ Network, the UK government agency in charge of collecting custom duties at the border. I became mistrustful of so many visits from the same government department, using IPs 163.172.209.46, 163.172.145.100, 163.175.5.218 and others in the same range.

The first thing I did was a traceroute and I found out that 163.172.209.46 was in fact not located in the UK but in France, I then looked at the host name, as you can see in the picture it reads watchme.tor-exit.network, at the URL there is a message displayed saying that they are Tor Exit Router.

Additionaly I reaserched open data with DuckDuckGo and I uncovered a customer of a VPN company complaining in a blog that his OpenVPN French node was being identified on the Internet as belonging to UK Customs and Excise. Futhermore, I have discovered numerous warez and porn websites like Yellowasians identifying themselves as being hosted by Her Majesty Customs and Excise HQ.

Fake ISP Customs And Excise UK

What happened here? I suspect the network administraror entered as an IP owner HM Customs and Excise HQ when in reality their hosting company is Online.net, a subsidiary of the Iliad Group, a French company renting dedicated servers in France, also being marketed as Dedibox.

Likely they are doing this to avoid being blocked, many data centers out there block Tor exit nodes and this way it makes them harder to spot, the hostname is not always labelled you would need a traceroute to know this is not a UK IP, another benefit is that with this French IP you should be able to watch online TV restricted to UK viewers like the BBC iPlayer, but malicious bots can also use the craft to gather information before a hacking attack or spam.

I don’t know if it is legal impersonating a government agency in the IP, that is for lawyers to say and it will likely differ from country to country. I am only posting the information to help out other webmasters seeing multiple visits from a UK government to their site, no, they are not monitoring you, it is a fake ID.

2 June, 2016
U.S. government funding encryption apps used by the Islamic State
Despite all the FBI talk against encryption software, public records show that Radio Free Asia, a broadcaster funded by the United States Congress to help advance their foreign policy in East Asia, in 2012 created the Open Technology Fund, which in turn gave over a million dollars to Open Whisper Systems, the company responsible for developing the iOS and Android encryption apps Signal, Redphone and TextSecure, apps recommended in Twitter by various Islamic State members.

It is very bizarre that American taxpayers are financing development of the same encryption software that American officials say are helping terrorists evade surveillance and supposedly threatening intelligence services of “going dark“.

Some cybersecurity experts suggest that the NSA could be behind the funding to try to stay one step ahead of the game, presumably by influencing the development of the apps or gaining internal knowledge.

Open Technology Fund diagram

Just because the USA government is funding a privacy project it doesn’t automatically mean that the technology is not safe, it is also the US taxpayer who is footing the bill for developing Tor. A network used by drug dealers, terrorists and Chinese dissidents alike, and so far, the only arrests in Tor have been the result of zero day browser vulnerabilities, FBI identity theft in forums, Bitcoin tracing or other user related mistake, like, using the same nickname in the open Internet and the darknet.

There isn’t any known arrest due to the Tor network being broken in the same way that Freenet has been infiltrated by law enforcement.

Email for the security paranoid

If you don’t wish the NSA and GCHQ to illegally read your communications, the method below should allow you to bypass Internet wiretapping from intelligence services:
1. Open an account with an email provider that has encrypted servers (Tutanota,ProtonMail,Countermail).
2. Share the password of that account with your contact.
3. Write an email and don’t send it, save it in the drafts folder.
4. Your contact reads the draft email, erases it and replies writing another email that is never sent, only saved in the drafts folder.
Method Weaknesses
1. Email provider you have chosen is not as secure as they claim to be. Fix: Encrypt the message with a second layer using PGP or 7zip.
2. ISP middle in the man attack, breaks SSL connection to the email account and sees anything you upload Fix: Same as above, apply second encryption layer.
3. ISP sees metadata, sites you visit. Fix: Use Tor or a no logs VPN to connect to the email account.
Islamic State member Twitter account

The downside of the method above is that it is only be useful to communicate with somebody you already know.

For an open chat where you can post your address in public, you can open a Tor Email account and access it in your smartphone using Orbot or any other mobile app that allows you to connect to the Tor network, or as advised by the Islamic State Twitter account above, ChatSecure is the best form of anonymous communication using a smartphone.

The country where these Islamic terrorists are based, Syria, doesn’t have wide Internet access, it makes sense that a smartphone app is their preferred method of communication.

Open Whisper Systems financial details:

https://www.opentech.fund/project/open-whisper-systems
28 November, 2015
Censorship resistant hosting platform Zeronet

Zeronet is an open source decentralized peer to peer webhosting platform using cryptographic hashes and torrents to distribute websites and files. Any computer with an Internet browser and the software installed can access websites hosted in Zeronet. When you first launch your browser you will not see any IP in the toolbar, a Zeronet website is served from your own computer after downloading the files, your browser toolbar will show localhost:43110 and a cryptic address, supporting .bit domains, a peer to peer top level domain name managed by a decentralized registrar called Namecoin.

To make a website available in Zeronet you only have to host it in a single machine, visitors to the site will help distribute the content from their own computers when they view the pages, the more nodes/visitors a website has, the quicker it will be for others to download it, scalability is easy, when a site becomes very popular files are available from multiple sources.

Decentralised P2P webhost Zeronet

Zeronet users can see in the interface what websites they are seeding, how many peers it has and right click on one of the sites to update, pause or delete it from their system. Cryptographic hashes verify the integrity of the files in the website, it tells Zeronet what to download and protects from man in the middle attacks. When you upload a website to the network you will be handed over a private encryption key for when you wish to modify and update the content, visitors automatically use the public encryption key to verify that the files have been changed by the rightful owner.

The network is not truly anonymous, but their websites are quicker to download than hidden Tor sites, optionally you can run Zeronet over Tor to hide your computer IP from anybody tracking file downloads although this will slow it down. Zeronet also comes with a guestbook and forum where to debate and post links to internal websites that are not accessible using the regular Internet, only people with the software installed can access websites.

Zeronet should work very well for Chinese surfers craving for information about the national liberation struggle in Tibet, but if the content is banned worldwide, this network isn’t going to cut it. Since it is possible to find out what computers are hosting the content, authorities can knock on the door of people distributing those files until not a single one of them is left.

Personally, I don’t believe in censorship resistant networks that don’t provide anonymity by default and I am skeptical of the need for this project when Iranian or Chinese users can download a VPN proxy to access banned information instead of using Zeronet with access to a limited range of websites.

Visit ZeroNet homepage

10 June, 2015
Sync multiple devices with open source tool Syncthing

Syncthing is a decentralized open source tool to synchronize files across multiple devices without using third party cloud servers like Dropbox, what should be an objective for people who care about privacy.

Data in Syncthing is transmitted peer to peer via TLS encryption with perfect forward secrecy directly to your other devices, it never touches the Internet where it could be intercepted, only nodes you have previously authenticated are able to connect.

Other advantages or running your own cluster are that there is no storage space restriction other than your own drive, you will not be reliant on a cloud service that could not be available when you need it and data transfer is speedy.

Dropbox alternative Syncthing

Syncthing is cross platform, it works in Windows, Mac, Linux, BSD, Solaris, Android, iPhone, it can be installed on any computer, server or mobile device you own. This tool is similar to Bittorrent Sync with the difference that everything is open source, including the protocol used to synchronize files, called Block Exchange Protocol.

Machines are identified with an ID, when you add a node ID to the network, any folder listed in the repository starts to synchronise downstream, files are split into blocks for easier transmission, the more devices are connected, the quicker everything will sync as more download sources are available.

There is one downside to running your own cloud, if you wish to publicly share files over the Internet, it can be done but you have to be tech knowledgeable, you will have to combine it with something like Cloudup or Freehold, it is not supported by the developers. If you often share files over the Internet, it is best to download to Owncloud, which needs a server, whereas Syncthing can be run on any desktop computer.

I liked the open source nature of this tool as well as the support it has for all operating systems, it is more complex to use than BT Sync but it gives you more control over how you share files on a network.

Visit Syncthing homepage

7 May, 2015
Review free anonymous surfing proxy Browsec

Browsec is an anonymous Internet surfing addon for your browser, this is not a real VPN, applications you have installed, like FTP, Bittorrent and the like will not be tunnelled, Browsec only hides your computer IP for Internet browsing and nothing else. I am always very cautious when something is provided for free, my logic is that if I am not paying for it, the company must be covering expenses some other way.

Browsec’s privacy policy discloses that they collect information about your surfing habits when the proxy is switched on and data can be used for monitoring and research, it is also disclosed that after anonymising the data, it can be shared with business partners, a standard way of funding for most unlimited VPN providers, you normally get hassled to upgrade the service to a paid package or, like in this case the company makes money selling your data to outsiders.

It was alarming to me that there is no physical office and no information about the company behind Browsec, all they have is a support email address, obviously this is not a privacy friendly company but I was willing to give them a go to be able to read the news and playing online games behind a firewall, evading visits to banking or email accounts to ward off opportunities of passwords being captured.

Browsec anonymous surfing Firefox addon

There are two ways to get Browsec, you can install a Chrome browser extension from the official Chrome store, which gave me some reassurance knowing that Google monitors extensions for viruses, and another way is to download a portable Firefox browser with Browsec embodied or you can find it in the official Mozilla Firefox addons website.

I decided to download the portable Firefox browser, the first thing I did before launching the browser was to scan it for viruses with Bitdefender, nothing dangerous was found, I ran the package and extracted the files inside a folder in my hard drive, initialising the Firefox portable browser clicking on FirefoxPortable.exe, the first thing I noticed was that surprisingly the addon was not enabled by default, I had to access the Firefox menu and start Browsec manually, when this is done a shield button appears on the browser toolbar and clicking on it activates or deactivates the proxy.

Only a single location in the Netherlands is provided, you can’t choose in between countries or servers, speed was decent, I am on a 10Mbps home connection and I was getting 9Mbps, perfectly acceptable but a single location is not going to help you stream online content from USA or UK online TV, you can’t even use this proxy to stream online content from the Netherlands where the proxy is located, when you visit Google services like YouTube, Google believes that you are in Russia, you can only watch online content available in Russia.

Browsec Bitdefender virus detection

After a minute of browsing the Internet with Browsec, Bitfender warns me that it has found a potentially malicious application and it has deletes a file named brwsc.exe from my drive alleging that “the application’s behaviour can harm your computer“, this is when it comes to my mind that Bitdenfer detected the virus after I activated the addon, when it first scanned Firefox Portable it gave me the all clear but Browsec ships disabled.

Bitdefender didn’t name an specific trojan horse or virus, the detection was based on the addon behaviour, probably because Browsec collects data about my browsing habits. It would be unfair to claim that Browsec contains a trojan horse, this would not be first time that my antivirus wrongly claims a VPN service behaviour can be harmful and it inspires me a little trust that the Browsec addon can be downloaded from the official Chrome and Firefox websites, but, the red flag from my antivirus put me off.

The number of days that it would take me to do a clean reinstall if my computer is infected, and the economical damage that I would incur in if a trojan horse captures my passwords, persuaded me that it works out cheaper paying $5/month for a trusted VPN that does not sell my data, than living with the uncertainty of not knowing what is going on with the proxy when I surf the Internet.

My conclusion is that, the addon works, and speed is fantastic, but you are selling your data to Browsec and the file is flagged as harmful by some antivirus, do you really want to take that risk? Your call.

Visit Browsec homepage

23 April, 2015