Re: [Fsuk-manchester] Manchester Geek Nights - Pixelated Hack Night
From: Bob Mottram
Subject: Re: [Fsuk-manchester] Manchester Geek Nights - Pixelated Hack Night
Date: Thu, 13 Nov 2014 09:44:33 +0000
User-agent: Mutt/1.5.23 (2014-03-12)

On Wed, Nov 12, 2014 at 07:24:47PM +0000, Mircea Moise wrote:
> On Thursday, 20th of November we will host a hack night on Pixelated
> (https://pixelated-project.org) in the ThoughtWorks office in
> Manchester.
>
> Pixelated is a secure Open Source email solution. It aims to help
> organisations to implement secure solutions. It addresses two key
> problems: mass surveillance and centralisation. More info about the
> event can be found here:
> http://www.meetup.com/manchester-geek-nights/events/218619965/ . The
> code is on github: https://github.com/pixelated-project
>
> The session is hands-on and its aim is to get people started on the
> project. It will be great if we will be able to address a couple of the
> project's issues.
>
> I hope to see you there,
> Mircea

I think that attempts to increase the security of email are useful simply
because email protocols are so ubiquitous but that ultimately those protocols
can't be made secure. Instead it might be worth putting effort into something
like Bitmessage with an email bridge (so that you can still use conventional
email clients) or have a look at whatever the Darkmail people are doing.

The threat model for conventional email - even if the body and subject of the
message are encrypted - is kind of disturbing if you consider what a pervasive
adversary can do to obtain the social graph.

https://github.com/pixelated-project/pixelated-platform/blob/master/threatmodel.md

IMHO the main threat comes from passive surveillance either by states or
corporations. Both of those adversaries are primarily interested in the social
graph, not the content. From the state perspective via email you can easily
find hubs, "key influencers" and sources of what they refer to as "social
contagion". From the corporate perspective they're mainly interested in who
your current or prospective customers and suppliers are, and they don't need to
know the content to guess what you're buying or selling.

I have made my own attempts to run a secure email server with the Freedombone
project. There is a mailbox variant, so you can install an email server in
isolation with only email ports open, and that minimises the attack surface and
ensures that there isn't any possible web/database compromise pathway into the
mailbox. Also, I'd advise against using STARTTLS because it gets downgraded.
Use SSL/TLS instead.

If you use an email to Bitmessage bridge installed on the client machines then
that mitigates a lot of the metadata leakage (although not entirely).
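
Added example, not part of the original message or of any project mentioned in it: the STARTTLS advice above, seen from the client side. It shows how a client that treats STARTTLS as optional ends up in plaintext when the capability line is missing from the EHLO reply, while a strict client refuses and an implicit-TLS connection never negotiates in the clear. The host `mail.example.org`, the sample replies and all function names are constructed for illustration.

```python
import smtplib
import ssl

# Constructed EHLO reply from a hypothetical server that offers STARTTLS.
HONEST_REPLY = (
    "250-mail.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same reply with the STARTTLS line removed in transit. The capability list
# travels in plaintext, before any TLS, so nothing authenticates it.
STRIPPED_REPLY = "".join(
    line for line in HONEST_REPLY.splitlines(keepends=True) if "STARTTLS" not in line
)


def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 EHLO reply."""
    extensions = set()
    for line in reply.strip().splitlines()[1:]:  # first line is the server name
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if rest.strip():
            extensions.add(rest.split()[0].upper())
    return extensions


def choose_transport(ehlo_reply, require_tls):
    """Decide what a client does after EHLO on a plaintext-first port."""
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    # No STARTTLS on offer: a strict client stops, an opportunistic one
    # carries on and sends credentials and mail in the clear.
    return "abort" if require_tls else "plaintext"


def connect_implicit_tls(host, port=465):
    """Implicit TLS: the handshake happens before any SMTP command is sent."""
    context = ssl.create_default_context()  # verifies certificate and hostname
    return smtplib.SMTP_SSL(host, port, context=context, timeout=10)


if __name__ == "__main__":
    for name, reply in (("honest", HONEST_REPLY), ("stripped", STRIPPED_REPLY)):
        print(name, choose_transport(reply, False), choose_transport(reply, True))
```

A mail client set to "use TLS if available" corresponds to `require_tls=False` here; checking that setting on each client is the practical follow-up.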