Anonymous Email Review – Deadfake.com

Over the years I’ve seen a lot of sites that offer the visitor the ability to send emails that they promote as being anonymous.  Unfortunately, most of them offer very little if any actual anonymity at all.

Most of these sites tell the user that the recipient will not be able to find out who sent the email.  In fact, the email can be traced back to the server it came from, and from there it’s a simple matter of a subpoena to get the website server logs and discover when the website form sent the message to the mail server, the IP address of the user that filled out the form and the date & time the form was sent.

Given the IP address and the timestamp, it’s almost trivial for somebody’s lawyer to take the steps needed to get their ISP to give up what user account was assigned that IP address at that time.  From there the person responsible for that user account gets contacted by the attorney and things may or may not get legal depending on the situation.

The so-called anonymous email services that many sites offer are good for very little more than to be used as toys, joking back and forth with friends, family and acquaintances that aren’t going to decide to haul your carcass into court and get legal on you.

Therefore I’m going to start doing reviews of these sites and explaining why I believe their services to not be nearly as anonymous as they look at first glance.  The first of these is deadfake.com.

Deadfake has a simple introduction that tells the visitor that they can use the site to send anonymous emails and make it look like it came from somebody else.  It appears to be intended for the sole purpose of playing pranks on people and having some fun with them.  As a point in their favor they do have a warning:

Don’t send any spam or other illegal things from this site. Email is never really fully anonymous (check the FAQ for more info). It’s also bad karma, and I will track you down and bite you.

Their FAQ also explains that this isn’t *really* anonymous and that it does add both X-Mailer and X-Originating-Ip headers that contain all the information needed to identify the sender’s ISP and find the sender.
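To show how little work that tracing takes on the recipient's side, here is an added example (not code from deadfake.com or from the original post) that reads the identifying headers out of a message. The sample message, the hostnames and the mailer name are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. Hostnames are made up; IP addresses come from
# the RFC 5737 documentation ranges.
SAMPLE = """\
Received: from web01.formmailer.example (web01.formmailer.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id abc123
\tfor <me@recipient.example>; Tue, 04 Mar 2008 14:22:09 -0500
From: "Elvis" <elvis@graceland.example>
To: me@recipient.example
Subject: test
Date: Tue, 04 Mar 2008 14:22:07 -0500
X-Mailer: ExampleFormMailer 1.0
X-Originating-Ip: [203.0.113.45]

Thank you very much.
"""

def first_ipv4(text):
    """Return the first syntactically valid IPv4 address in text, or None."""
    for candidate in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", text or ""):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # e.g. 999.1.1.1
    return None

def trace(raw):
    """Collect what the headers disclose about where a message came from."""
    msg = message_from_string(raw)
    hops = []
    for received in msg.get_all("Received", []):
        info, _, stamp = received.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None  # malformed or missing timestamp
        hops.append((first_ipv4(info), when))
    return {
        "claimed_from": msg["From"],   # whatever the form was told to say
        "mailer": msg["X-Mailer"],     # identifies the sending service
        "origin_ip": first_ipv4(msg["X-Originating-Ip"]),  # the form user's address
        "hops": hops,                  # relay address and timestamp per hop
    }
```

The forged From line sits right next to the form user's real address and a relay timestamp, which is exactly the pair a subpoena to the ISP needs.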

As a test, I went on to the “send fake mail” page and filled in the form to send myself a test message.  Once the message was done I filled in the captcha and hit “send now”.  Instead of being told that the message was sent, I was greeted with an error message:

Oops!

Sorry, there was some sort of problem while sending your message – please try again in a few minutes!

I tried again a few minutes later and then again a few hours later, each time getting the same error message.  That’s when I noticed a block of stats in the sidebar:

Stats

Total emails sent: 223291

…in last 24 hours: 0

I never did get deadfake to work and perhaps it’s just as well.  While a site like this can be fun to play around with sending your kid sister emails from Elvis and such, they can also be all too easily used by somebody who needs to be really anonymous, only to find out that their anonymity was very thin indeed.

Another thing that the site offers is a two page walk through that explains how to use a very simple nslookup command to identify a mail server to use and how to use telnet to connect to that server and send email from it.

I strongly recommend AGAINST doing that.

For one thing, if you have a real need to be anonymous, you’ve blown it the second you open the telnet session.  The server logs will have your IP address and a timestamp of when you connected.  In short, you’re pwned before the message is even sent.

For another, while this technique CAN be used to send mail (I’ve done it myself with my own mail server just to prove I could), it requires that the mail server does not require authentication in order to send mail.  That kind of mail server is becoming a rare beast indeed these days as server admins take steps to keep from being an “open relay” that can be taken advantage of by spammers.

Another good reason not to use the telnet method is that there are plenty of sites whose legal departments will be all too glad to jump down your throat for unauthorized use of their servers and frankly, if such a case goes to court they’re going to win.  Save yourself the trouble and DON’T do it in the first place.

Yes, there ARE ways to have secure anonymity and send anonymous email that’s all but impossible to trace.  Deadfake.com isn’t one of them.


FBI Wants Authority To Snoop Internet Backbone Data

I think it’s pretty safe to say that there are government agencies doing a lot of snooping on all manner of Internet traffic.  It’s also safe to say that since 9-11 this snooping has escalated massively.  Now, the FBI is trying to get access to data that the NSA has been collecting from the Internet backbone (servers through which ALL Internet traffic passes) so that they can look for criminal activity.

The problem with this is that they’re apparently not just limiting this to justifiable searches and evidence gathering in the course of an ongoing investigation.  This is a lot more “Big Brother” in nature, scanning data looking for things that they can then investigate and prosecute as crimes.  As if they don’t already have enough active cases to work on.

The problems with this kind of thing are many, most of which have to do with the fact that it blows all sorts of holes in people’s right to privacy.  It also means that it becomes more and more necessary to watch what you say online because you never know when “Big Brother” is watching and what he may decide is a sign that you’re on the wrong side of the law.

It means that people need to take active steps to maintain privacy.  The first thing to remember is that the online world has always been subject to people being able to snoop.  While it’s generally a good practice to never write anything online that you wouldn’t want posted on a billboard where everyone in town can read it, it’s also sometimes necessary to communicate privately.

This is why I think that everybody should take a little bit of time to get and learn how to use some basic privacy tools.  For example, users of the Thunderbird mail client could get GnuPG and the Enigmail plugin and learn how to send encrypted and/or signed emails.  It also means maintaining safe browsing practices and never entering important passwords on untrusted computers (and untrusted means anything where you’re not in control of what’s on it).

As for the FBI’s quest for access to still more information about everybody and their habits, this needs to be stopped.  The problem is that too many people are either ignorant of or foolishly unconcerned about things like this until it’s too late.


Anonymous Email – Step Two: Jack B. Nymble

At this point I’m assuming that you have PGP 6.5.8 installed and have taken some time to become familiar with how to create keys and sign and/or encrypt text messages.

One way to send anonymous mail is to use the Cypherpunk remailer system.  The way it works is actually simple, it’s just cumbersome to do by hand.  Say for example you need to send a message to “user1@example.com” by way of a chain of 3 Cpunk remailers.  You would write out the message, then at the top of it put instructions telling remailer #3 to send it to “user1@example.com”.  Then you encrypt the whole thing to remailer #3’s key and put another instruction at the top telling remailer #2 to send it to #3, repeating this until you have built a chain of nested encrypted messages.

Each remailer decrypts the part that is for it, reads the instructions and sends it to the next step.  This process guarantees that no message headers from your original email to remailer #1 will remain.  As long as your message content doesn’t give you away, you are anonymous.
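The layering described above can be modelled in a few lines. This is an added example, not part of the original post and not JBN's or any remailer's code: the `Send-To:` instruction line, the remailer addresses and the keys are hypothetical, and the XOR keystream is a toy stand-in for encrypting to each remailer's PGP key.

```python
import base64
import hashlib

# Hypothetical remailers with toy keys (constructed for this example).
KEYS = {"r1@remailer.example": b"key-one",
        "r2@remailer.example": b"key-two",
        "r3@remailer.example": b"key-three"}

def _xor(key, data):
    """Toy keystream cipher. NOT real cryptography; it stands in for PGP."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(addr, text):
    """Stand-in for 'encrypt the whole thing to this remailer's key'."""
    return base64.b64encode(_xor(KEYS[addr], b"OK:" + text.encode())).decode()

def unseal(addr, blob):
    body = _xor(KEYS[addr], base64.b64decode(blob))
    if not body.startswith(b"OK:"):
        raise ValueError("layer is not encrypted to " + addr)
    return body[3:].decode()

def build_chain(message, recipient, chain):
    """Wrap innermost-first: only the last remailer's layer names the recipient."""
    packet, next_hop = message, recipient
    for addr in reversed(chain):
        # "Send-To:" is a made-up instruction label, not real remailer syntax.
        packet = seal(addr, "Send-To: " + next_hop + "\n\n" + packet)
        next_hop = addr
    return next_hop, packet  # address of remailer #1 and the outermost layer

def remailer_process(addr, blob):
    """One hop: decrypt own layer, read the instruction, pass the rest along."""
    header, _, rest = unseal(addr, blob).partition("\n\n")
    return header.split(": ", 1)[1], rest
```

Remailer #1 learns only the address of remailer #2, and everything it forwards is still sealed to keys it does not hold.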

Obviously, “hand rolling” like this is possible (I’ve done it myself with more complicated chains than this), but it’s cumbersome and it’s easy to make a single mistake that will cause your efforts to be wasted and your message not to arrive.

This is where software like Jack B. Nymble comes in.  JBN automates a lot of this work so that all you have to do is give it the address, type your message, choose the remailers in the chain and JBN handles all of the formatting and multiple layers of encryption and sends the result to the first remailer in the chain.  Once it’s set up right, JBN makes using remailers easy.

First you need the software.  If you just search “Jack B. Nymble” download you can find it in several places or you can download JBN and a detached signature from the Panta-Rhei website.

You can (and should) use PGP to verify the signature; this assures that setup_jbn214.exe hasn’t been altered.  (Of course, to verify the signature you’ll need to have PGP search keyservers for the author’s PGP key: User-id: RProcess, key-id: 0x9310EE89.)

Once you’re satisfied that you’ve got a good file you’re ready to install it.  When you install JBN and start it up, DO NOT have it update stats just yet.  This is because the stats urls that the program ships with are old and out of date.  Before you can allow it to update stats, you need to give it current urls to work with.

On its Window menu, choose ‘stats config’ and on the cypherpunk tab, replace the urls there with the ones on this page.  Once this is done, JBN can be allowed to get remailer keys and stats.

Once it has current stats it’s a simple matter of opening ‘Window | Send Profiles’ and putting in the information for the mail server it’s to use for sending mail.  (Note: this original version of JBN cannot perform SMTP Auth; for that, you will need a MOD that was created to add features to JBN.)

It does take some time, both in reading the documentation that comes with the program and in plain old fashioned trial and error to learn how to use it, but it’s worth the time.

More information and help can be found on the Pantawiki.  You can also ask questions (and sometimes find answers) in the Usenet group alt.privacy.anon-server (Beware of the trolls)

I’ve only just touched on the subject here.  But I think it’s enough to get you started learning how to use JBN.  In an upcoming post I’ll cover adding Mixmaster capability for stronger anonymity and a larger choice of remailers.



4th Amendment Protection Eliminated In E-mail

I just read something on Slashdot that should be a great big red flag to anyone that has any interest in email privacy at all.

The 11th Circuit court handed down a decision in Rehberg v. Paulk which severely limits how much fourth amendment protection there is for Email.  The decision was that constitutional protection in stored copies of e-mail held by third parties disappears as soon as any copy of the communication is delivered.

The problem with this is that because of how email works, just because a copy of the message was delivered to you when your email program downloaded it from the server, it doesn’t mean that the copy on the server instantly ceases to exist.  This means that the government or any Law Enforcement Agency can just wait until email is delivered and then snag a copy from the server it was delivered from.

If you’d like an in-depth look at why this decision is wrong I suggest you have a look at this article.  The author goes into the legal nuts and bolts of why the 11th circuit court is wrong.

Regardless of whether it’s ever overturned or not, this case serves as a reminder that even with fourth amendment protections, email is NOT very private at all unless you take steps to MAKE it private.

The only real answer to the problem of course is to use encryption.  And before you start going with the “If you haven’t got anything to hide then you have nothing to worry about” crap think about this.  For the average person (even law abiding people), it’s not a question of having “something to hide” so much as having privacy.  Back in the days when everybody used postal mail, if you didn’t want the contents of your message to be read then you would use a security envelope or perhaps even put it into a package that was much more difficult to open.

The same thing applies to email.  People send emails every day the contents of which they very much do NOT want to be read by anyone but the intended recipient.  Those emails can be literally anything from important business matters about a new secret project to your Aunt Jane’s secret collection of home remedies for acne.  The point is that you want them to be read only by the person that you’re sending them to and that anyone else reading them is an invasion of privacy.

This is where encryption comes in.  For example if you use Thunderbird as your email program it’s a small thing to get a plugin called Enigmail and a copy of GnuPG, take a few minutes to read some instructions about how to set them up and create a keypair, publish the public part of the key and you’re ready to begin encrypting your email.

OK, granted, it’s not much use to encrypt email unless the other party has the same kind of setup but that’s really easy.  All of the programs I just mentioned are free and take only minutes to set up.

I have personally been using encryption for years.  Even when I don’t encrypt emails I use Enigmail & GnuPG to digitally sign all of my emails so that the recipients can A, verify that it was me that sent it and B, they can tell if the message has been altered in any way.

If you want your email to be private the ONLY way to ensure this is to use encryption.  I think that it’s long overdue for encryption to come into mainstream use.  It’s not hard to do and does something that regular, unencrypted, email can’t do: It guarantees that you have an “Expectation of privacy” because you have taken extra steps to make it clear to anyone looking at the message that you don’t want anyone but the intended recipient to read it.


New Govt Policy Could Allow Feds Too Much Access

Something’s going on that needs to be stopped.  A new “Cyber-Security Policy” is being developed by National Intelligence Director Mike McConnell.  This policy will give the government sweeping authority to police the Internet and make it possible for them to get access to any email, web search or file transfer.

This is going to make Warrantless wiretapping look like a Sunday afternoon picnic at the beach.

Dangerous nonsense like this needs to be stopped.  Dangerous nonsense like this is yet another reason that EVERYBODY SHOULD USE ENCRYPTION.

You wouldn’t send private letters written on the back of a post card would you?  Email that is not encrypted is nothing but pure text and can be read by anyone who takes the time to find out where email is stored on a mail server.

It’s well worth the time to get GNU Privacy Guard, a freeware open source equivalent of PGP, and tools like the Enigmail add-on for the Thunderbird email program that make encrypting email easy for anyone.

