Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] PRISM Re: TLD for Personal Use - Email

Regarding PRISM:  "Just because you're paranoid doesn't mean they /aren't/ out
to get you."  If you remember the 2002 Tom Cruise film "Minority Report", you
can get a sense of what the gov't can do with a permanent record of all your
personal associations.  Today's kids, and apparently those born the past
several years, can expect that every interaction they ever had or ever will
make is going into a government hard-drive someplace.  Their political and
personal opponents, if given access to this searchable database, will find it
hard to resist going all the way back.  Public knowledge that this is actually
happening, and isn't just the stuff of paranoid science fiction, will impinge
on the 1st-amendment right of association: conscious of such monitoring,
people will either associate differently, or not associate at all.

I have associated with criminals, only knowing this fact later; many of us
associate with them knowingly, as family members or other acquaintances. I've
even been a John-Doe defendant in a federal case involving one of them.  So
it's not just a hypothetical:  even if you have "nothing to hide", those
around you do.

The next shoe to drop in this case, or some future one, that I expect to see: 
content (as well as pen-register metadata) of SMS text messages is probably
visible on the wire that attaches government servers at the big telco data
centers.  Chances are, it's being recorded in full; Verizon has been quoted in
public saying they don't record SMS but they have plausible deniability even
if the gov't is keeping such records.  And even if Congress were to try to
limit duration of such record-keeping, expect that it will be kept for life
unless the practice is banned as it is in European countries.

The "real criminals" have more motivation than the rest of us to evade this
type of monitoring and most already do.  So PRISM and other programs are a
pointless dragnet that will be usurped for dangerous/corrupt political
purposes and repression.

I still self-host my email (ever since setting it up in 1993) and relay it
through Europe and other places but here are the problems:

- Most ISPs block port 25. If that's the case, you need an inbound (and likely an
outbound) relay setup. I use separate commercial services for those, and while
it's possible to create your own relay site, you'd have to solve the other

- Your outbound email will get tagged as spam unless you can establish a positive
reputation for your sending IP address(es). Dynamic addresses won't work, and
static ones will only work if they aren't already associated with the types of
services that spammers can readily subscribe to (such as cloud services like
Amazon EC2).

- Spam-control software isn't perfect and requires some care & feeding; if you
drop your expectations a bit, it turns out SpamAssassin with a daily rules
cronjob is good enough to keep about 99% of spam out without any other updates
for years at a time.

I use EasyDNS to relay my inbound mail and MailJet to relay most of my
outbound on ports other than 25.  A slightly-customized postfix and
spamassassin installation is all I need for software, and I also use haproxy
to make the thing fault-tolerant across two virtual machines.

P.S. One court case I have followed at the state level is "People v. Diaz" in
the California Supreme Court.  If this is upheld at the federal level (which
it likely will), it means your mobile devices are subject to warrantless
searches and can be monitored by law enforcement.  If you happen to be
incarcerated at the time, you probably won't be able to activate a remote
erase or deactivation command, so inbound communications can be monitored
until you regain freedom (possibly long after, if you didn't install a
remote-erase app).  This applies to everyone regardless of whether they broke
the law or are dismissed later.  The obvious protection would be device-level
encryption but this is unavailable on iPhone and can only protect old data
(vs. new data coming in) on Android.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /