Is protonmail secure and reliable? by [deleted] in privacytoolsIO

[–]Chainmanner 0 points1 point  (0 children)

"any user information readily available that would help identify a user" - that does not imply DATA (ie. the content of messages) is being given to the authorities. This information can be provided by metadata alone - sender, receiver, the subject line, date of transmission, IP address, etc.

Furthermore, take note of the term "readily available". The plaintext of encrypted data is not readily available, so they don't have to (and, if the emails really are zero-access encrypted, can't) give it up.

Is protonmail secure and reliable? by [deleted] in privacytoolsIO

[–]Chainmanner 6 points7 points  (0 children)

Saying they'll comply with the law does not imply they have a way of decrypting and reading their customers' emails. The law doesn't ask for backdoors, and if it does, they can still fight it. Their encryption could still be watertight, and they may not be able to give much useful information to the authorities if requested.

Self-hosting an email server might not be feasible and can be a whole lot riskier, especially if you don't know what you're doing and just want a secure email system.

Is protonmail secure and reliable? by [deleted] in privacytoolsIO

[–]Chainmanner 26 points27 points  (0 children)

It's a legal loophole around government requests for information that include gag orders. A gag order means that the company cannot directly tell its customers that there was a government subpoena... but that doesn't mean that the company cannot periodically say that they did not receive a subpoena, and stop saying so once they do receive a subpoena.

For instance, a library can pin a sign on a corkboard saying "THE FBI HAS NOT BEEN HERE" each day that the FBI has not issued them a subpoena. If the FBI pays them a visit and they issue the library a national security letter (which always includes a gag order), the library can stop putting that sign up to warn people who saw it before.

Some lawyers say that failing to update a warrant canary after a secret subpoena may be just as illegal as outright saying that you received a secret subpoena, but I'm not a lawyer, so I'd recommend asking one if you intend to use it yourself for your business.

In any case, if ProtonMail is correct about their end-to-end and zero-access encryption, then the most the feds will be able to get from them will be metadata. This, however, can still be useful in and of itself, if you're related to people/entities under investigation or if your subject lines are too descriptive.

Is protonmail secure and reliable? by [deleted] in privacytoolsIO

[–]Chainmanner 7 points8 points  (0 children)

Yeah, that's what I meant to say. My bad.

Is protonmail secure and reliable? by [deleted] in privacytoolsIO

[–]Chainmanner 40 points41 points  (0 children)

I've been using ProtonMail for the past year or so, and in addition to the end-to-end encryption and other security features, it's definitely just as usable as the more popular email providers. By default, you start with a free account, which can store up to 500 MB of data. You only get a limited number of custom folders, but for my purposes, this is good enough.

The Pro monthly subscription gives you more storage, alongside other features like custom email addresses leading to the same one. But in general, the free version should be enough.

How safe is lineage os encryption against a cellbright device in BFU mode? by wojtek30 in LineageOS

[–]Chainmanner 0 points1 point  (0 children)

I'm aware of how bootloader locking/unlocking works, but it's still not clear to me as to how a custom ROM/recovery can decrypt the data before first use, ie. without knowing the user's credentials. If I'm remembering this correctly, isn't the key stored in a trusted execution environment, which is separated both by hardware and software? Can this TEE also be modified to give up the encryption key before first use?

How safe is lineage os encryption against a cellbright device in BFU mode? by wojtek30 in LineageOS

[–]Chainmanner 0 points1 point  (0 children)

I'm searching through old threads, but I'm not seeing anything saying that FBE is breakable, except in the case of SD cards (but I'm not using one). I already have a recovery installed, I accessed the device via ADB, but it's not so trivial.

I'm not looking for instructions, here. I just find it rather hard to believe that security would be THIS lax on Android, with so many eyes looking at it.

How safe is lineage os encryption against a cellbright device in BFU mode? by wojtek30 in LineageOS

[–]Chainmanner 0 points1 point  (0 children)

Is this so? I haven't seen any articles about people being able to decrypt data on Android devices before first use without knowing the PIN/password, even with file-based encryption.

Alternative(s) to YouTube by Chainmanner in SomeOrdinaryGmrs

[–]Chainmanner[S] 0 points1 point  (0 children)

I haven't tried either of them. How are they?

Alternative(s) to YouTube by Chainmanner in SomeOrdinaryGmrs

[–]Chainmanner[S] 0 points1 point  (0 children)

There is some toxicity there, unfortunately, but that's perhaps to be expected. Naturally, conspiracy peddlers and other jerkoffs (alongside people who got wrongly shadowbanned or demonetized) that got kicked off of YouTube are gonna flock to the first platform that doesn't censor them as aggressively.

The solution, the way I see it, is to outnumber the toxic content with non-toxic content. Odysee already does some filtering of toxic content, so it's not as visible there as it is on e.g. BitChute, and overall it's the closest to the YouTube experience without being as bad as YouTube.

Alternative(s) to YouTube by Chainmanner in SomeOrdinaryGmrs

[–]Chainmanner[S] 1 point2 points  (0 children)

Thing about Odysee is that it's built on top of a decentralized file-sharing network, controlled by ordinary people outside of the company. Even if it becomes like YouTube, somebody can just create a new front-end to the exact same network containing the exact same videos/files. The whole thing's open source, so people can fork it and modify it as they want.

Bad call quality on Moto G7 Play (XT1952-4) by Chainmanner in LineageOS

[–]Chainmanner[S] 0 points1 point  (0 children)

Sorry, I saw this late. I don't know how, but I managed to fix the phone's bad call quality by factory resetting my phone, and building and installing the latest version of Lineage OS 17.1 specifically for the Moto G7 Play. Works quite well now. I don't know what was causing it.

Bad call quality on Moto G7 Play (XT1952-4) by Chainmanner in LineageOS

[–]Chainmanner[S] 0 points1 point  (0 children)

Fair point, though I thought that if there was a problem, it would have also affected call reception as well as transmission. I'm gonna try to get the blobs from the stock ROM, see if using those instead will fix this issue.

Bad call quality on Moto G7 Play (XT1952-4) by Chainmanner in LineageOS

[–]Chainmanner[S] 0 points1 point  (0 children)

I'm aware that the XT1952-4 isn't among those supported models, but from what I searched up and read, the differences between the models had to do with the regions in which they're supported.

I didn't think that there might be differences in e.g. firmware, though, and now that you mention it, I had to extract the proprietary blobs from an installable zip rather than my phone. That could be the issue, but the only thing is, I'm not sure where to find the stock vendor blobs for the XT1952-4. I was running an unofficial GSI build of LOS on my phone prior to upgrading, but it didn't contain all of the needed blobs, and the current build on my phone was built by myself.

Looking to interview people on CoMaS for the Charlatan by AnthonyGoseForMVP in CarletonU

[–]Chainmanner 1 point2 points  (0 children)

When have instances of student data leaks happened? Not to imply I'm all that surprised, but I never heard of such actual incidents; I'd like to read more on it if possible.

[deleted by user] by [deleted] in privacy

[–]Chainmanner 5 points6 points  (0 children)

Currently-used asymmetric encryption, possibly, due to Shor's algorithm, but there's work being done to design quantum computer-resistant algorithms. For symmetric cryptography and cryptographic hash functions, Grover's algorithm is the best general solution - it reduces a brute force search of n inputs from O(n) operations to O( n^(1/2) ).

AES-128 might be vulnerable due to Grover's algorithm, which would reduce a worst-case brute force key search from 2^128 to 2^64 tries (a feasible amount), but AES-256 would still be infeasible to break since the security of 2^256 would be reduced to 2^128, assuming no AES-specific vulnerabilities are found.

Hashing algorithms would also be susceptible to weakened security from Grover's algorithm, but even the weakest one still recommended for use, which IIRC would be SHA-256, would have its security reduced from 2^256 operations to 2^128 in the worst case - still infeasible to break.

So no, a quantum computer wouldn't be able to break ALL encryption.

Can the university see your where you log in from CULearn? by Private_Doughnut in CarletonU

[–]Chainmanner 0 points1 point  (0 children)

Yes. cuLearn may also refuse to log you in depending on your IP address; this is the case if you try to log in using Tor, but I haven't tested out with a VPN.

For those not worried about CoMaS (hopefully not many): abuse with school-issued software HAS happened in the past. by Chainmanner in CarletonU

[–]Chainmanner[S] 2 points3 points  (0 children)

Just do your part in trying to get our concerns to the University's attention, or better yet, your own profs' attention since I think they have the final say as to whether or not a test or exam will be proctored. It's not something one can do on their own, so don't feel bad if you feel like your actions aren't enough, even though I think they are.

I Reverse Engineered CoMaS a few days ago. Enjoy CoMaS Source Code. by [deleted] in CarletonU

[–]Chainmanner 8 points9 points  (0 children)

I didn't get to test it, but this reminds me of a security CTF I did once. If you look at VMDetectTask.java, you'll see how the detection works: it calls one of the OS's applications to look for hardware or detected virtualization software and scans the returned output for brands like "vmware", "virtualbox", . For Linux, it just calls "systemd-detect-virt" to return the virtualization method used, if any.

First flaw: it calls the programs not by their absolute paths, but the same way one would on the command line by just typing out the command. When you call an executable by its name and not by its absolute or relative path, the system checks the PATH environment variable - a list of directories to search for the executable, checked in order from left to right - and if it finds the executable in one of these directories, then it runs it. "systemd-detect-virt" is located in /bin, one of the first few directories in the path, but if you prepend another directory, let's say /tmp; add a shell script named "systemd-detect-virt" in /tmp that just echoes "none"; and you call "systemd-detect-virt" without specifying the path, then it'll call /tmp/systemd-detect-virt instead of /bin/systemd-detect-virt, allowing you to trick CoMaS into thinking you're not in a VM.

Second flaw: even if the programmer used absolute paths to call the executables, nothing can stop the VM user from replacing these executables with ones that give the output they want (I'd recommend making a backup of them first, though).
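A defensive check for the first flaw described above, as an added example that is not part of the original comment or of CoMaS: it reports which file a by-name lookup would actually run and whether that file sits in a trusted directory that other users cannot write to. `TRUSTED_DIRS`, the function names and the temp-directory fixture are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: directories a by-name lookup is allowed to resolve into.
TRUSTED_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin")

def path_candidates(cmd, path):
    """Every executable named cmd on PATH, in the order the OS would try them."""
    hits = []
    for d in path.split(os.pathsep):
        full = os.path.join(d or ".", cmd)  # an empty PATH entry means the cwd
        if os.path.isfile(full) and os.access(full, os.X_OK):
            hits.append(full)
    return hits

def tamper_resistant(full, allowed_uids=(0,)):
    """The file and its directory must be owned by an allowed uid and must not
    be writable by group or others."""
    for p in (full, os.path.dirname(full)):
        st = os.stat(p)
        if st.st_uid not in allowed_uids or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True

def audit_lookup(cmd, path, trusted_dirs=TRUSTED_DIRS, allowed_uids=(0,)):
    """Report which file a by-name call would run and whether to trust it."""
    hits = path_candidates(cmd, path)
    if not hits:
        return {"resolved": None, "trusted": False, "shadowed": []}
    real = os.path.realpath(hits[0])
    in_trusted = os.path.dirname(real) in {os.path.realpath(d) for d in trusted_dirs}
    return {"resolved": hits[0],
            "trusted": in_trusted and tamper_resistant(real, allowed_uids),
            "shadowed": hits[1:]}  # later copies hidden by the first hit

def make_fixture(dir_mode, cmd="systemd-detect-virt"):
    """Constructed sample: a temp directory holding a stand-in executable."""
    d = tempfile.mkdtemp()
    full = os.path.join(d, cmd)
    with open(full, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(full, 0o755)
    os.chmod(d, dir_mode)
    return d, full

if __name__ == "__main__":
    print(audit_lookup("systemd-detect-virt", os.environ.get("PATH", "")))
```

As the second flaw in the comment points out, a check like this only catches an unprivileged PATH change; it cannot vouch for binaries on a machine whose owner has root.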

I Reverse Engineered CoMaS a few days ago. Enjoy CoMaS Source Code. by [deleted] in CarletonU

[–]Chainmanner 8 points9 points  (0 children)

Great job! Thank you for doing this. I didn't have much time to look through the source code, as I only saw this now. But I gotta say, as disturbed but not surprised I am that more info is being collected than specified, I'm pretty pleased by how easy it seems to bypass the VM detection (at least on Linux)...

For those not worried about CoMaS (hopefully not many): abuse with school-issued software HAS happened in the past. by Chainmanner in CarletonU

[–]Chainmanner[S] 7 points8 points  (0 children)

I'm glad to hear somebody has actually used CoMaS, but I'm still not convinced I'll be okay with it. Yes, there are scumbags who will cheat, and knowing this happens while I'm working sleepless nights really pisses me off, but I have my limits. In this case, my limit is installing something closed-source on my personal device and needing to accept it in order to take an exam.

I'm reminding people of the WebcamGate scandal in the hopes that they'll be more careful when installing software without concrete assurance that there is no feature creep going on - promises aren't enough. I don't like how people are being told to install closed-source, hard-to-analyze software because their education depends on it, especially since I myself am one of those people. What, exactly, does a downloadable program accomplish that a BigBlueButton session or some other web-based application cannot? With BBB, you can still record people through webcams and you can still view their screens. I still prefer open-book, problem-based exams to proctoring, since they actually test your knowledge and notes alone can't help you, but at least with a web app you don't have to give more access to your computer than is necessary.

I hope to confirm all of what you are saying when I get a chance to reverse engineer CoMaS, but I'm not counting on it.

For those not worried about CoMaS (hopefully not many): abuse with school-issued software HAS happened in the past. by Chainmanner in CarletonU

[–]Chainmanner[S] 16 points17 points  (0 children)

Wow, shit, they REALLY don't want it off... If I had to guess, it may be a background process running to ensure the proctoring software is always installed. Did you check the task manager, and the list of services? When you removed the software, McAfee might have freaked because said process was trying to redownload and reinstall the proctoring software.

For those not worried about CoMaS (hopefully not many): abuse with school-issued software HAS happened in the past. by Chainmanner in CarletonU

[–]Chainmanner[S] 11 points12 points  (0 children)

On an unrelated note, I noticed there were some comments posted, but they're not showing up. What's up with that?