Topic: Proton Secure Email Club (Read 5697 times)

Offline g

  • Golden Oxen
  • Contrarian
  • Master Chef
Re: Proton Secure Email Club
« Reply #15 on: October 17, 2015, 03:13:41 PM »
Quote
I am in the process of changing over many of my online accounts to my kollapsnik@protonmail.com account.  It will take some time, as I have dozens if not hundreds of different accounts on various servers.  Overall I am not all that worried about it, I already got my main bank account info secured and the numerous vendor accounts do not worry me that much.  Over time though, I will secure those as well as best I can.

RE

Thanks, just went to the site and it looks pretty classy. Like the fact they don't want to know a thing about you to set up an account.

Going to do it in the morning, looks like they know what they're doing alright.

Should I cancel my old e-mail accounts after joining? I get a lot of subscriber blog stuff, and notifying everybody would be a big time hassle since they are not in my address book.

Thanks again for good info, has to be better than normal e-mail services it would appear.

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Re: Proton Secure Email Club
« Reply #16 on: October 17, 2015, 03:30:58 PM »
Quote
I am in the process of changing over many of my online accounts to my kollapsnik@protonmail.com account.  It will take some time, as I have dozens if not hundreds of different accounts on various servers.  Overall I am not all that worried about it, I already got my main bank account info secured and the numerous vendor accounts do not worry me that much.  Over time though, I will secure those as well as best I can.

RE

Thanks, just went to the site and it looks pretty classy. Like the fact they don't want to know a thing about you to set up an account.

Going to do it in the morning, looks like they know what they're doing alright.

Should I cancel my old e-mail accounts after joining? I get a lot of subscriber blog stuff, and notifying everybody would be a big time hassle since they are not in my address book.

Thanks again for good info, has to be better than normal e-mail services it would appear.

No, don't cancel old accounts, no reason to do that.  Lots of old friends and old accounts have that email addy, so you don't want to lose access to that stuff.

Once set up, you can set your Proton mail account to Notify your more usual Email account of any messages you receive there.

The main thing to use the Proton Email Account for is your highly sensitive and secure information, which for most people would be their financial stuff.  For most communications via email, your Yahoo or Gmail account is fine.

RE
Save As Many As You Can

Offline g

  • Golden Oxen
  • Contrarian
  • Master Chef
Re: Proton Secure Email Club
« Reply #17 on: October 17, 2015, 03:49:40 PM »
Quote
No, don't cancel old accounts, no reason to do that.  Lots of old friends and old accounts have that email addy, so you don't want to lose access to that stuff.

Once set up, you can set your Proton mail account to Notify your more usual Email account of any messages you receive there.

The main thing to use the Proton Email Account for is your highly sensitive and secure information, which for most people would be their financial stuff.  For most communications via email, your Yahoo or Gmail account is fine.

RE

Thanks again RE, you are a fount of knowledge on these topics.

Being computer illiterate, I am paranoid of traps and pitfalls in new things, always scared of getting conned by a hacker wizard offering goods.

Wish I had talked to you before going Apple instead of Samsung with android. Locked into that friggin Apple now and can't leave or escape. Bastards even forced me to give them my credit card info without even buying anything. They suck big time and you have to do things their way.

You can bet they know everything about all their members and share info with anyone they can to make a buck. Much too big and powerful now.  :-\


Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Re: Proton Secure Email Club
« Reply #18 on: October 17, 2015, 04:15:07 PM »
Quote
No, don't cancel old accounts, no reason to do that.  Lots of old friends and old accounts have that email addy, so you don't want to lose access to that stuff.

Once set up, you can set your Proton mail account to Notify your more usual Email account of any messages you receive there.

The main thing to use the Proton Email Account for is your highly sensitive and secure information, which for most people would be their financial stuff.  For most communications via email, your Yahoo or Gmail account is fine.

RE

Thanks again RE, you are a fount of knowledge on these topics.

Being computer illiterate, I am paranoid of traps and pitfalls in new things, always scared of getting conned by a hacker wizard offering goods.

Wish I had talked to you before going Apple instead of Samsung with android. Locked into that friggin Apple now and can't leave or escape. Bastards even forced me to give them my credit card info without even buying anything. They suck big time and you have to do things their way.

You can bet they know everything about all their members and share info with anyone they can to make a buck. Much too big and powerful now.  :-\

I understand the Paranoia, since I have it myself when being sold something.  LOL.

However, there is no vested interest for me here, I have nothing to do with the CERN Physicists and there is no financial benefit to me at all if you set up an email account on their server.  In fact, there is no financial benefit to them either!

I am just pitching out the best stuff I know about this, and I do know quite a bit about it.  I am a long time Internet Junkie and have run through the Security Issues many times over the years, and they get tougher to negotiate all the time.  For someone like myself who puts up as much as I do every day on the net, it is an important consideration, so I think about it all the time.

RE
Save As Many As You Can

Offline Palloy

  • Moderator
  • Sous Chef
Re: Proton Secure Email Club
« Reply #19 on: October 17, 2015, 08:09:22 PM »
Glad to see people are starting to take this more seriously.

NSA has already got everything you have done on-line this century.  They haven't had time to look at everyone's history, and they probably never will.  But they can do it to important targets and their correspondents.  What you may not realise is how closely connected you are to some target - perhaps you have received an email from someone who later turned out to be a "terrorist" like an Animal Rights activist, or an Anti-Coal activist, or an Anti-Nukes activist.  Have you ever signed up to an Anti-Empire blog like Noam Chomsky, William Blum, Occupy, etc?  Do you think DD counts? - I do.

The article says some internet accounts store their passwords in clear text, and names Netflix as one.  This is very bad practice.  The proper way to store passwords is by storing the hash of the password (a hash is non-decryptable encryption, or one-way encryption).  But it also says cracking hashes is easy, which it is not.

Palloy Bank stores passwords hashed with sha-512 (1-way), so brute force will take a VERY long time.  Then the file of hashed passwords is itself encrypted with AES-256 (2-way encryption), as are the individual statement files.  Then the drive holding the website files is itself encrypted with LUKS.  Then all the drives on the computer are NOT automatically mounted at start up, and are therefore invisible unless you know the password to the application that does the mounting.  All of this is standard practice, with no excuse for not doing it.

You should have a password manager, like KeePass2, to create and keep all your passwords in an AES-256 encrypted file.  You can set it to generate passwords of various strengths.  Using all the printable and typeable characters and 20 chars long gives 92^20 = 1.8 x 10^39 possible combinations, which I reckon is enough for most purposes.  GPG4USB with a 4096-bit key gives 10^1233 combinations.

Key-loggers being introduced by viruses are a problem for Windows OSes, but there is a piece of software that plugs in to the key-logging point and blocks them, I forget the name now.  Linux OSes (Ubuntu, Lubuntu, Mint, Fedora, etc) are much safer than Windows.

Using a VPN service is a cheap and easy way to have ALL your internet traffic encrypted, and your IP address anonymised.  The encryption should be OpenVPN as the other common ones (L2TP, PPTP, IPSec) are reputedly crackable due to weaknesses in the coding.  I have tried a few and use PIA.

Switching from Windows to Linux is probably the best thing you can do security-wise, although it is a big step.  You can practice at Linux by first installing in Windows the free software package VirtualBox, and then running Ubuntu inside it.  This is called "Windows Host - VB - Lubuntu Guest" configuration.  Then once you feel comfortable with that, you can set up "Lubuntu Host - VB - Windows Guest" configuration.  That's what I have, as it allows me to still use Excel 2000 and PaintShopPro - 2 Windows-only applications which Linux cannot match for certain tasks.  GoogleEarth renders better in Windows too.  If you want to try that, you can PM me for more assistance.
The State is a body of armed men
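The post above describes a password file stored as SHA-512 hashes. The following is an added example, not code from the post or from any real site: it shows the store-and-verify routine a practitioner would write today (a random per-user salt, an iterated PBKDF2-HMAC-SHA512 derivation, a constant-time compare) next to the single unsalted SHA-512 it replaces, and a small check showing why the unsalted form matters: one hash per candidate word tests that word against every user in the file at once, and users who share a password share a hash. The record format, iteration count, user names and wordlist are all constructed for the example.

```python
"""Password storage: salted, iterated PBKDF2-HMAC-SHA512 versus one unsalted SHA-512.

Added example. The record format, iteration count, users and wordlist are
assumptions constructed for illustration, not anything from the post.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumption: pick so one verify costs tens of ms on your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$derived_hex."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha512":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_sha512(password: str) -> str:
    """The scheme to avoid: a single fast hash with no salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict, candidates: list) -> dict:
    """With no salt, hashing each candidate once tests it against every user in the file."""
    table = {unsalted_sha512(c): c for c in candidates}
    return {user: table[h] for user, h in stored.items() if h in table}


# Constructed sample data (not real accounts)
USERS = {"alice": "correct horse", "bob": "Passw0rd!", "carol": "Passw0rd!"}
WORDLIST = ["123456", "Passw0rd!", "letmein"]


def demo(iterations: int = 1000) -> dict:
    """Run both schemes over the sample users; a low iteration count keeps the demo quick."""
    unsalted = {u: unsalted_sha512(p) for u, p in USERS.items()}
    salted = {u: hash_password(p, iterations=iterations) for u, p in USERS.items()}
    return {
        "found_by_wordlist": crack_unsalted(unsalted, WORDLIST),
        "bob_carol_same_unsalted": unsalted["bob"] == unsalted["carol"],
        "bob_carol_same_salted": salted["bob"] == salted["carol"],
        "all_verify": all(verify_password(USERS[u], salted[u]) for u in USERS),
        "wrong_password_verifies": verify_password("Passw0rd", salted["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats the shared lookup table in `crack_unsalted`, and the iteration count is what makes each guess expensive; raise `ITERATIONS` until a verify costs as much time as your login path can afford.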

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Proton Secure Email Club: How to construct a REALLY Hard Password to Break
« Reply #20 on: October 18, 2015, 05:41:48 AM »
As I indicated, the weakest link in your online Accounts is the email you use to set up those accounts in the first place.  So the password to this email account is the WEAK LINK in the chain; if it is not as good as you can make it, everything else is compromised because of that.

You have a BIG PROBLEM here though, which is that first off the Character String for this password must be quite long to make it uncrackable by even the fastest of Supercomputers, and second you have to be able to REMEMBER this character string without storing it on the computer or even writing it down in a notebook either.  The ONLY place this password can exist is INSIDE YOUR HEAD, and the only way for it to be discovered is for you to be TORTURED into giving it up.

I will not tell you precisely how I constructed my character string for my Primary Password on Proton Mail.  To do so would give parameters to anyone trying to crack it.

However, here are the basic principles for creating a very long character string you can remember.  You can for example use the full address of someplace you lived at some time in the past, then follow that with your birthdate, then follow that with your favorite TV Show then follow that with your most Hated Politician, etc.  You can get incredibly long character strings this way and they are not hard to remember.  In the example here, I could use:

3709CherryStreet-NYNY-19047-8-31-57-ItTakesAThief-Nixon.

Needless to say, I have never used that character string for a password and never will now.  LOL.  Palloy can fill you in on the number of possibilities here for a character string of this length, I am pretty sure it is past 105 though.

Regardless of the length and complexity of the character string though, your weak link is in using it and the possibility your keystrokes can be recorded when you do.  This is what you have to guard against as best you can, which is why I suggest shutting down EVERYTHING on your computer other than your email when you need to access it.  NOTHING else should be running in the background at this time.

Your OP system (windows, apple even linux) can undermine all of this, although since Linux is Open Source it is the best for the Security Paranoid people out there.  LOL.

We are Diners and we KNOW what is going on.  We KNOW how to prepare.  Let's be CAREFUL out there.



RE
Save As Many As You Can
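Two posts above put numbers on password strength: Palloy's 92^20 figure for a generated 20-character password, and RE's long string assembled from an address, a birthdate, a TV show and a politician. The following is an added example, not code from either post: it computes the uniform search space for a generator password, and then scores the composed string two ways, by the naive length-times-charset count and by a component model in which an attacker guesses each memorable piece from a pool of plausible values, including the case where the address and birthdate are already known to the attacker. The pool sizes in `COMPONENTS` are rough assumptions for illustration, not measurements.

```python
"""Password search space: uniform random output vs. a passphrase built from memorable facts.

Added example. The component pool sizes are assumptions chosen for illustration;
the sample string is the one quoted in the thread.
"""
import math
import secrets
import string

# 94 printable non-space ASCII characters: letters, digits, punctuation
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def generate(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Password-manager style generation: a CSPRNG draw, independent per position."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def naive_bits(password: str, alphabet: str = ALPHABET) -> float:
    """What a length-times-charset estimate claims for any string of this length."""
    return uniform_bits(len(alphabet), len(password))


# Component model for a string shaped like
#   3709CherryStreet-NYNY-19047-8-31-57-ItTakesAThief-Nixon
# Each entry is (component, size of the pool an attacker would enumerate). Assumed values.
COMPONENTS = [
    ("street number", 10_000),
    ("street name", 5_000),
    ("city/state token", 500),
    ("ZIP code", 100_000),
    ("birth date", 36_525),        # 100 years of days
    ("TV show title", 10_000),
    ("politician surname", 1_000),
]

PERSONAL_FACTS = {"street number", "street name", "city/state token", "ZIP code", "birth date"}


def component_bits(components=COMPONENTS, known=frozenset()) -> float:
    """Entropy if the attacker guesses component by component.

    Components in `known` (facts findable about the target) contribute nothing.
    """
    return sum(math.log2(size) for name, size in components if name not in known)


def compare(passphrase: str) -> dict:
    """Side-by-side estimates for the composed string and a generated 20-char password."""
    return {
        "naive_bits": round(naive_bits(passphrase), 1),
        "component_bits": round(component_bits(), 1),
        "component_bits_if_personal_facts_known": round(
            component_bits(known=PERSONAL_FACTS), 1),
        "random_20_chars_94_alphabet_bits": round(uniform_bits(len(ALPHABET), 20), 1),
        "random_20_chars_92_alphabet_bits": round(uniform_bits(92, 20), 1),
    }


if __name__ == "__main__":
    for key, value in compare("3709CherryStreet-NYNY-19047-8-31-57-ItTakesAThief-Nixon").items():
        print(f"{key}: {value}")
    print("generated:", generate())
```

The component figure is the one to plan around: the string is long, but an attacker who models it as "address, date, show, name" searches a space measured in tens of bits, not hundreds, and the pieces tied to the owner's life are the ones most likely to be public already.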

Offline Palloy

  • Moderator
  • Sous Chef
Re: Proton Secure Email Club
« Reply #21 on: October 30, 2015, 04:59:13 PM »
Quote
3709CherryStreet-NYNY-19047-8-31-57-ItTakesAThief-Nixon

That password is good, but it could be better.  A brute force attack has to start with something as its first try, "aaaaa...." for example, and work its way through every combination, and it only has to go as far as the target.  So if your password starts with "aaaaa" then it is going to find it fairly quickly whatever the rest of it is.  Of course the brute force algorithm might start with "AAAAA...", or "00000..." but it is very unlikely to start with "{{{{{..." so starting with that is likely to make the attack take longer.

Quote
The ONLY place this password can exist is INSIDE YOUR HEAD

Yes, but then it can only open one account, because you don't want to use the same password on lots of different accounts.  The solution is to use it to open your Password Manager, and then let your PM generate and remember all your individual account passwords.

You then copy-paste the username and password into your login form or whatever, without using the keyboard.  Then keyboard loggers won't record anything other than Control+C and Control+V.
The State is a body of armed men

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Re: Proton Secure Email Club
« Reply #22 on: November 06, 2015, 04:38:40 PM »
The Proton Email Server has been down since last night.

Hang on to your copies of GPG4USB.

RE
Save As Many As You Can

Offline Palloy

  • Moderator
  • Sous Chef
Re: Proton Secure Email Club
« Reply #23 on: November 07, 2015, 12:51:23 AM »
http://www.eweek.com/blogs/security-watch/protonmail-learns-that-paying-ransom-doesnt-stop-attacks.html
ProtonMail Learns That Paying Ransom Doesn't Stop Attacks
By Sean Michael Kerner
2015-11-06

When confronted by a cyber-extortionist, do you pay the ransom or do you stand firm and not negotiate? It's both an ethical and a procedural dilemma.

By paying the ransom, in some respects, the victim is enabling and perhaps encouraging the extortionist to commit future acts since after all, if it worked once, it might well work again. In giving extortionists what they want, the general idea is that the victim will get back what they want and it could well be the quickest route to resolving a ransom situation.

But what if the victims pay the ransom, but still don't get what they want back?

That's what happened this week with Switzerland-based email service ProtonMail, which was hit by a distributed denial-of-service (DDoS) attack starting on Nov. 3. The attack was preceded by a blackmail email that warned of the attack. According to ProtonMail, the email came from criminals allegedly tied to multiple DDoS attacks across Switzerland.

The initial attack against ProtonMail took the site offline for 15 minutes, while the second attack, which started on Nov. 4, was more intense and sophisticated.

"The coordinated assault on our ISP exceeded 100 Gbps and attacked not only the data center, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes," ProtonMail wrote in a blog post. "This coordinated assault on key infrastructure eventually managed to bring down both the data center and the ISP, which impacted hundreds of other companies, not just ProtonMail."

At 3:30 Geneva time on Nov. 4, ProtonMail decided that enough was enough, it was suffering and so were others on its service provider. As such, ProtonMail paid the ransom (approximately $6,000) in Bitcoin.

"We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless," ProtonMail wrote. "This was clearly a wrong decision, so let us be clear to all future attackers—ProtonMail will NEVER pay another ransom."

So to recap, ProtonMail was extorted to pay a ransom to stop a DDoS attack; they paid and then they continued to be attacked.

I understand the imperative and the pressure that an organization would be under just to settle a situation and move on. It makes some sense from a straight line business perspective to just be done with the threat and move on, rather than continuing to be offline.

Then again, paying a digital ransom is only ever truly a short-term solution, isn't it? Even if the ProtonMail attackers had stopped the attack, what would have stopped them from doing it again a week, a month or a year later?

The best course of action is to have multiple layers of defense to mitigate the risk of DDoS in the first place. There are multiple providers—including VeriSign, Akamai and CloudFlare—that offer commercial DDoS protection services that can scale up to the largest attacks ever seen on the Internet. Having highly available back-ups also is crucial in cases where some form of ransomware encrypts data.

Hindsight, of course, is always 20/20, so it's easy to say what should have been done at this point. What's harder is to be prepared.

So let's hope that ProtonMail's story is a cautionary tale and inspires others to invest in DDoS protection and highly available backups, rather than paying protection fees to attackers.
The State is a body of armed men

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Re: Proton Secure Email Club
« Reply #24 on: November 07, 2015, 03:23:35 AM »
Paying ransom definitely not a good idea, unless you can use it to somehow catch the extortionist.

Proton is still down last I checked.  They're getting hit hard obviously.

RE
Save As Many As You Can

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Re: Proton Secure Email Club
« Reply #25 on: November 08, 2015, 02:10:38 PM »
Proton mail server is back up.

RE
Save As Many As You Can

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Proton Email: Note from Proton on the Cyber Attack that took them down
« Reply #26 on: November 16, 2015, 09:39:16 PM »
From Proton:

Dear ProtonMail Community,

As many of you know, last week ProtonMail came under a massive distributed denial-of-service (DDoS) attack which knocked our service offline for several days. Unfortunately, we were initially unable to defend against such a massive attack and suffered downtime as a result. Despite the ferocity of the attack, our server security measures and end-to-end encryption meant we were able to keep user data secure.

This incident was one of the largest cyberattacks ever in Switzerland and caused enough damage to knock an entire datacenter offline. In an attempt to keep ProtonMail offline, upstream ISPs were also attacked, knocking hundreds of other businesses offline in countries as far away as Russia. The main attack began on Wednesday, November 4th, and it was not until the evening of Saturday, November 7th that we were able to bring the situation under control. Full details about the attack can be found on our blog here.

There is no doubt that the purpose of the attack was to keep ProtonMail offline for as long as possible. In doing so, the attackers wanted to deny email privacy to nearly a million people worldwide. The attackers hoped to destroy our community, but this attack has only served to bring us all together, united by a common cause and vision for the future. Our vision for an Internet that respects privacy and freedom can be assaulted, but it will never be destroyed.

Instead of weakening ProtonMail, these attacks have only made us stronger, and rallied more people to our cause. Collectively, the ProtonMail community raised $50,000 for the ProtonMail Defense Fund in just three days, giving us the resources to defeat the current attack and protect against future ones. In defending ProtonMail, we were joined by Radware, one of the world's premier DDoS protection companies. We also redesigned our network infrastructure to have a dedicated link to a Tier 1 carrier in Zurich. In addition to the privacy benefits of controlling all traffic in and out of our datacenter, this also makes our network far more difficult to attack.

Our cause is also joined by IP-Max, the best network experts in Switzerland. The IP-Max team worked extremely long hours for several days in a row to bring us back up. And they did it entirely on a volunteer basis, simply to support our community. Building an entire network from scratch and bringing it online in a few days requires an incredible effort, and it was only with their assistance that we were able to come back online as quickly as we did.

The result is that ProtonMail is now stronger than ever. Not only did we mitigate the largest DDoS attack in Switzerland in a couple days, we also gained the ability to resist such attacks in the future. We would like to thank the entire ProtonMail community for your many kind words of encouragement and support during this difficult time. We built ProtonMail for you, and it is truly an honor to have you standing behind us, in both good times and bad times. We look forward to continuing on this journey towards a more private and free Internet with all of you.

Best Regards,

The Entire ProtonMail Team
Save As Many As You Can

Offline Eddie

  • Master Chef
Re: Proton Secure Email Club
« Reply #27 on: November 17, 2015, 06:37:10 AM »
Speculation as to who was behind the attack? Government? NSA? China? Other?
What makes the desert beautiful is that somewhere it hides a well.

Offline RE

  • Administrator
  • Chief Cook & Bottlewasher
Re: Proton Secure Email Club
« Reply #28 on: November 17, 2015, 12:21:52 PM »
Speculation as to who was behind the attack? Government? NSA? China? Other?

A DDoS of that magnitude could only come from a few places, and you mentioned 3 of them.  I believe the North Koreans could do this and the Indians also probably.  Also, Anonymous could pull it off, they have done some very big DDoS attacks.  However, I discount Anonymous as responsible for this.  Anonymous uses secure systems like Proton for communications.

If I had to place a bet on this, it was the NSA.  I have no evidence of that though.

RE
Save As Many As You Can

Offline Palloy

  • Moderator
  • Sous Chef
Re: Proton Secure Email Club
« Reply #29 on: November 17, 2015, 01:55:37 PM »
DDoS attacks of this record-breaking magnitude need lots of seriously big computers or millions of small ones.  When it is sustained over such a long period of time, it's hard to believe that no one could work out what was going on, at least at the wider network level.  The silence on this from the major players is strange, unless they have even bigger problems that they are trying to deal with.

http://map.ipviking.com is currently showing the National Computer Centre in Riyadh is attacking itself via the Samba file-sharing system - they must have been hacked.  Microsoft Corp in Silicon Valley is also launching attacks (they wouldn't do that, would they?) so they have probably been hacked too.  There's also a big attack from Beijing to Chicago via Los Angeles, although sometimes the reverse is winning.

It's mayhem out there.
The State is a body of armed men
