On Thu, Oct 11, 2012 at 07:49:00PM -0500, sungpae@gmail.com wrote:
On Thu, Oct 11, 2012 at 02:13:54PM -0400, Dave Reisner wrote:
Really, just add two-factor auth to a gmail account and be done with it. Google has no interest in singular people.
It should be noted that Gmail's two-factor authentication provides no extra security if you're planning on using it with a mail client. You will have to set up an "application specific password", which is a fixed-length alphanumeric password given to you by Google. Despite the name, it is simply another password that can be used to log in via IMAP/POP through any client (`openssl s_connect`, etc.), without the out-of-band verification.
Sure, what I had in mind was actually to take advantage of it. Disable POP/IMAP access and use OTP with webmail. This is true two-factor auth and *does* provide added security.
Moreover, Googlers who take an interest in data or logs belonging to singular people find themselves no longer working at Google.
This is true, but if you were really very paranoid, you would notice
No, if you were really very paranoid, you'd realize that you just need to stay off the Internet.
that you don't have any control over how long Google keeps "deleted" email on the server, and that any unencrypted emails on a server can be obtained by governments with relative ease.
Well, I happen to know the retention policies, so this doesn't apply to me. I'll further point out that Google in particular is extremely transparent about what they give out to the government: http://www.google.com/transparencyreport/removals/government/ I'm not sure what you're trying to imply about unencrypted email and government bodies, but it sounds rather silly. Perhaps I don't drink enough koolaid.
If you control the server and mailserver, you can encrypt your drive and also have all incoming email encrypted with your public key, so that your mail isn't just sitting around on a box for the taking.
Receive encrypted email? How are you going to ensure that this always happens? I suppose you could simply deny anyone who isn't relaying over TLS (and just accept that you're going to miss out on a lot of mail), but how do you control the sender's environment? There are equally many things on the sender's side (assuming they're vulnerable) that could potentially implicate you in whatever it is you're trying to hide. To expand on this, how do you control what happens to a message that you forward or write? You need equally paranoid friends.
Neither of these things would stop a truly determined government-level attacker (unencrypted mail is still vulnerable in-flight for instance), but it would be useful if you have not yet been identified as someone of interest.
Again, if you're really going to be paranoid, just stay off the Internet. What we have here is an OP who's merely "waking up" to the realization that the definition of freedom is a bit different between meatspace and cyberspace.

d