Protonmail Secure? Not So Fast.

From The Hacker News,

ProtonMail Logs Activist’s IP Address With Authorities After Swiss Court Order

Yes, the Swiss email provider that many activists use on all sides of the political spectrum has exposed itself. This is coming on the heels of a German court putting Tutanota in the same boat.

On its website, ProtonMail advertises that: “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”

Yeah, ok. First problem here is that people tend to want to rely on technology to supplement tradecraft. Doesn’t work that way. Nothing in the electronic realm should be considered 100% secure unless you physically own the protocol by which it operates (and to that end, built it). This means physical encryption via analog. You can get it, but you can’t make any sense of it.
The second problem, which dovetails with the first, is that if something of a sensitive nature needs passing, it's done in person. It's called compartmentalization. This is, of course, an alien concept in the era of social media groups supplanting physical human contact. When everyone only lives online they reap the results. There's a reason groups like the Taliban and the old moonshiner network in Appalachia are notoriously hard to infiltrate, and it's because they primarily operate in the human domain.
The third issue is that by their nature the tools used in online tradecraft do not remain in stasis. It's a constantly evolving game, and we evolve with it. When it comes to surveillance, everything revolves around patterns of life. If you have any doubt, there is no doubt. Assume it's compromised and work within those parameters.

About the Author: NC Scout

NC Scout is the nom de guerre of a former Infantry Scout and Sergeant in one of the Army’s best Reconnaissance Units. He has combat tours in both Iraq and Afghanistan. He teaches a series of courses focusing on small unit skills rarely if ever taught anywhere else in the prepping and survival field, including his RTO Course which focuses on small unit communications. In his free time he is an avid hunter, bushcrafter, writer, long range shooter, prepper, amateur radio operator and Libertarian activist. He can be contacted at [email protected] or via his blog at brushbeater.wordpress.com.

21 Comments

  1. Anonymous September 8, 2021 at 11:59

    5

  2. Madman_Actual September 8, 2021 at 12:15

    Scout, what are your thoughts on mailing password protected USB drives with trusted associates? Type up a message (that can also be coded) in Notepad from a device with zero wifi or internet. Obviously the mail system is a giant security risk. But, you could hide it in a package with some other innocent material that masks the USB in the scanning devices, so even if the package was compromised in transit it lowers the risk of the drive actually being found? Layered security.
    Just spitballing ideas. Because short of hosting our own email domain, ‘over the net’ electronic communications always become compromised.

    • NC Scout September 8, 2021 at 12:22

      It can be done, but understand the points of exploitation with thumb drives as well if they’re intercepted.

      • Johnny Paratrooper September 8, 2021 at 13:09

        LockpickingLawyer has a video on this. I will locate and post later.
        Thumb drives can mimic Keyboard or mouse driver protocols and subvert security settings.
        Thumb drives can also contain capacitors in series that will charge and fry your computer. Best case scenario they fry your USB port.
        I assume this can be used to open search queries, which would obviously be helpful to backtrack a computer logged into the net.

        • NC Scout September 8, 2021 at 15:03

          It’s how Stuxnet made its way into Iran’s nuclear facilities.

      • BePrepared September 8, 2021 at 17:08

        If you want a Hollywood interpretation of USB exploits… see also ‘Blackhat’
        Then think outside the box.

        • NC Scout September 8, 2021 at 17:17

          That was a decent flick.

      • From the Mist September 8, 2021 at 22:54

        “understand the points of exploitation…” is the key. There is a way to compromise anything. Knowing how a particular method can be compromised allows us to make a proper risk assessment and also establish canaries, where possible, to provide an alert of the compromise if it occurs.
        OTP is a good example. People think it is unbreakable – and it is. Unless someone gets a copy of the OTP. The OTP has to be held by both parties and one party can be compromised with a gun pointed at their spouse. Doesn’t mean it isn’t valuable for protecting valuable info under certain circumstances.

    • no September 8, 2021 at 12:35

      Steganography with out-of-band sharing of decrypt / encrypt keys. A sophisticated attacker can detect that stego is involved but they’d have a hell of a time getting at the plain-text.
      Some fieldcraft here…you know image sharing sites like Imgur and even Twitter? A lot of stego happening on those sites. To the point where they will often re-encode uploaded files to spoil the stego. But you get the idea and not every site is that sophisticated.
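As an added illustration of the point about hosts re-encoding uploads (example code written for this page, not from the comment author), a toy LSB embed/extract over a constructed grayscale carrier, with a quantisation step standing in for a lossy re-encode:

```python
import random
from typing import List, Tuple

def bits_of(data: bytes) -> List[int]:
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def embed_lsb(pixels: List[int], payload: bytes) -> List[int]:
    """Hide a 2-byte length prefix plus payload in the LSB of each 8-bit sample."""
    bits = bits_of(len(payload).to_bytes(2, "big") + payload)
    if len(bits) > len(pixels):
        raise ValueError("payload too large for carrier")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out

def extract_lsb(pixels: List[int]) -> bytes:
    """Read the length prefix, then that many bytes, from the LSB plane."""
    def read_bytes(start: int, n: int) -> bytes:
        lsbs = [p & 1 for p in pixels[start:start + 8 * n]]
        return bytes(int("".join(map(str, lsbs[j * 8:(j + 1) * 8])), 2) for j in range(n))
    length = int.from_bytes(read_bytes(0, 2), "big")
    length = min(length, (len(pixels) - 16) // 8)  # never read past the carrier
    return read_bytes(16, length)

def lossy_reencode(pixels: List[int], step: int = 4) -> List[int]:
    """Crude stand-in (an assumption, not a real codec) for a host's lossy re-encode:
    quantise each sample to a multiple of `step`, which discards the LSB plane."""
    return [(p // step) * step for p in pixels]

def demo() -> Tuple[bytes, bytes, int]:
    """Returns (payload read directly, payload read after re-encode, max pixel change)."""
    rng = random.Random(1)  # constructed 32x32 grayscale carrier, flattened
    carrier = [rng.randrange(256) for _ in range(32 * 32)]
    stego = embed_lsb(carrier, b"meet at noon")
    distortion = max(abs(a - b) for a, b in zip(carrier, stego))
    return extract_lsb(stego), extract_lsb(lossy_reencode(stego)), distortion

if __name__ == "__main__":
    print(demo())  # (b'meet at noon', b'', 1)
```

A real JPEG re-encode perturbs DCT coefficients rather than quantising pixels, but the outcome for naive LSB embedding is the same: the hidden bits are scrambled while the image changes by at most a level or two, so a platform can spoil this kind of stego without ever detecting it.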

    • No September 8, 2021 at 12:37

      Sorry, piling on my previous….
      Hosting your own email doesn’t solve the problem. The underlying protocols for moving email across the Internet were never designed with security in mind. It’s a lost cause. NC is right. Assume anything involving the Internet is compromised.
      There are some peer-to-peer and web3 technologies arriving now which could help with some of that but it’ll be years before they get mass adoption barring some really big lever pushing people to them in accelerated fashion.

      • BePrepared September 8, 2021 at 17:12

        “The underlying protocols for moving email across the Internet were never designed with security in mind. It’s a lost cause. NC is right. Assume anything involving the Internet is compromised.”
        https://www.amazon.com/Takedown-Pursuit-Capture-Americas-Computer/dp/0786889136
        Best book on internet security I never got back… Packets don’t care, they tell all.

        • Ralph k September 8, 2021 at 19:25

          The best advice I ever read was just to assume anything you post on the internet is like sending a postcard, everyone can read it.

  3. Ralph k September 8, 2021 at 13:22

    At least they had to obtain a court order (not sure how legitimate their judicial system is of course) instead of doing it on the sly. Too bad about ProtonMail, I use it, and I know you use Tutanota. Your observation that the best way is in person is the real kernel of truth here. Thanks for the update.

  4. JHM September 8, 2021 at 14:13

    The emails themselves were not read, merely location information of the endpoint. Which could have been masked with a simple VPN. Even ProtonVPN would work according to the company since VPN traffic is treated differently under Swiss law.
    Given that ProtonMail can easily be accessed over Tor, you could at least do that.
    Bottom line is this dude wasn’t as smart as he thought and now he’ll pay for his hubris. But we can learn from his mistakes.

  5. Captain Mike September 8, 2021 at 16:31

    I knew a guy whose protonmail was not secure back around 2006 and he got his ass shot 17 times by sheriff for homicide and he stole research notes from a friend. His choice. Protonmail open to homicide division to say the least.

  6. boss21 September 8, 2021 at 18:49

    5 EYES to become 9 EYES – maybe https://www.voltairenet.org/article213959.html

  7. GenEarly September 9, 2021 at 08:10

    At some point the “John Hancock” moment arrives with consequences known and confronted.

  8. Live Free In The Field September 9, 2021 at 19:12

    The only safe machine is one that is not connected and unplugged at night for lights out.
    Trust no Big Tech Bolsheviks no matter where they are located or what blather they prattle on about.
    Just like Brave browser is a big fraud, they are all in on the global soviet control grid matrix.
    As for cellphones, never had one and never will, no that doesn’t mean I’m untraceable as I type from an IP address right now.
    Look up keystroke loggers, and some way to detect the gov spyware, there was a program for journalists that got memory holed.
    It is on a build disc somewhere and always keep “controversial” files away from any shared or online machine.
    Obviously, never use the evil browser/searcher that starts with a G, and when you type in WRSA in that monstrosity it comes up with pages of results with nothing to do with the real page.

  9. Jlr87105 September 11, 2021 at 13:57

    Re https://www.americanpartisan.org/2021/09/protonmail-secure-not-so-fast
    As a Protonmail user this directly affects me – so I asked Protonmail about this – sent on Thursday, 9 September 2021 21:30 – here is my reply rcd on 11 September 2021 0301hrs (-7Tango)
    Hello,
    Thank you for your message. We are also deeply concerned about this case.
    In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. Details about how we handle Swiss law enforcement requests can be found in our transparency report:
    https://protonmail.com/blog/transparency-report/
    Transparency with the user community is extremely important to us and we have been publishing a transparency report since 2015.
    As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed.
    What does this mean for users?
    First, unlike other providers, ProtonMail does fight on behalf of users. Few people know this (it’s in our transparency report), but we actually fought over 700 cases in 2020 alone, which is a huge amount. This particular case however could not be fought.
    Second, ProtonMail is one of the only email providers that provides a Tor onion site for anonymous access. This allows users to connect to ProtonMail through the Tor anonymity network. You can find more information here:
    protonmail.com/tor
    Third, no matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. This case does illustrate one benefit of ProtonMail’s Swiss jurisdiction, as no less than 3 authorities in 2 countries were required to approve the request, which is a much higher bar than most other jurisdictions. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested.
    We hope this gives additional clarification about the situation. This incident is also deeply concerning for us, but unfortunately Swiss law gives us no possibility to appeal or refuse this particular request. Thanks to the support of the Proton user community, we are actively campaigning to strengthen Swiss law to provide even stronger privacy protections for all users.
    https://protonmail.com/blog/climate-activist-arrest/
    Furthermore, our overriding policy is to collect as little user information as possible to ensure a completely private and anonymous user experience when using the Services. We have no technical means to access the content of your encrypted emails, files, and calendar events. For more information on data collection, and how that data can be used, please refer to our Privacy Policy:
    https://protonmail.com/privacy-policy
    Thank you for your patience and understanding.
    Have a nice weekend!
    Best Regards,
    The ProtonMail Team

    • NC Scout September 11, 2021 at 16:46

      “This particular case however could not be fought.”
      And why is that?
