Ortis said the foreign ally, who he is not at liberty to name, spoke of a plan to encourage criminal targets to begin using an online encryption service called Tutanota — a "storefront" operation created by intelligence agents to snoop on adversaries.
Telling no one, Ortis decided to act, drafting a list of four possible recipients as part of Operation Nudge — as in nudging them to adopt the new email service.
That's when Ortis says he began enticing investigative targets with promises of secret information — including tantalizing portions of documents — with the actual aim of getting them to communicate with him via Tutanota.
He's not exactly a reliable source. However, if you wanted to go about collecting data from people with something to hide, you would likely set up an encrypted email service - right?
I wouldn't be surprised in the slightest, because the whole idea of private e-mail is absurd.
E-mail by its nature is a honeypot that CAN NOT be secure / private.
I don't use Tutanota (or any "secure/private" mail service really, I treat them all as "mail open to the postman") but I thought their service is supposedly client-side E2EE, with the client being open-source.
Bearing in mind your disclaimer that the source is not reliable, I wouldn't pay that much attention to that article.
Especially in today's day and age, when clickbait is (sadly) king…
If you do find a reliable source though, please do update us, sounds like an interesting topic
Client to server is probably encrypted, but server to server is usually not encrypted. So all you would need to do is intercept packets between servers and voilà, you can read the entire email (or at least the email headers).
Is this an assumption or do you have some source that states that as a fact?
Because the service claims E2EE? Which would mean client-to-client (if the implementation is correct, then I'd say that server code is irrelevant, but I haven't audited the implementation, nor will I ever, because I don't care enough since I don't use such services)
That said, as I said I'm not too familiar with the service, but if what you are saying is indeed the case…
Anyone using "client to server" encryption as "secure communication" is well deserving of no security at all, to be fair…
I believe Tutanota only claims to encrypt emails sent from Tutanota to Tutanota domains. They can totally promise this and it's technically feasible to do. However, email architecture does not allow email headers to be encrypted, so if you send emails to anyone outside Tutanota, your email headers are sent in plain text. Also, unlike Protonmail, they do not allow you to import/export public PGP keys. I would therefore expect that all emails sent from a Tutanota server to a Gmail server would be sent in plain text. Please feel free to correct me if I'm wrong - it's been a few years since I decided against subscribing to Tutanota.
Edit: they allow you to set a password for your emails to non-Tutanota users. So your emails to non-Tutanota recipients are password protected, but any replies from that contact are not. Also the email headers are not encrypted.
If whatever you are saying in your email is sensitive enough to get you arrested or exclusively watched by the government, you shouldn't rely on emails for your conversations and messages.
Encrypt your own messages, send them on a platform that is less of a honeypot, then send the (very strong) password through another somewhat trustable platform, that fragmentation makes it much harder for a third party to decrypt your message. Once the other person gets the message and password, delete both from the platforms. We assume their servers truly delete what you sent to spare disk space.
Besides this case, Protonmail is pretty alright for daily use and the most private public email service for anything that isn't illegal or borderline.
I use it with a custom domain for the simple reason that it has no ads and allows me to set a separate user and mailbox password (which I prefer to 2FA).
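The header-leak point raised earlier (only the body can be protected, never From/To/Subject) and the encrypt-then-share-the-password-elsewhere procedure described above, as an added example that is not code from any post in this thread or from any mail provider. The addresses, subject and password are constructed, and the body cipher is a standard-library HMAC construction standing in for a real AEAD such as AES-GCM.

```python
# Added example, not code from the thread or from any mail provider. It shows
# that with a password-encrypted body, a relaying server (or a tap on an
# unencrypted server-to-server hop) still reads every header.
# Standard library only; the body cipher (HMAC-SHA256 counter-mode keystream
# plus an HMAC tag, keys from PBKDF2) is a stand-in for a real AEAD (AES-GCM).
import email
import hashlib
import hmac
import os

def _derive_keys(password: str, salt: bytes):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]  # encryption key, MAC key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def encrypt_body(password: str, plaintext: str) -> str:
    """Returns hex(salt || nonce || ciphertext || tag)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _derive_keys(password, salt)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    tag = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    return (salt + nonce + ct + tag).hex()

def decrypt_body(password: str, blob: str) -> str:
    raw = bytes.fromhex(blob)
    salt, nonce, ct, tag = raw[:16], raw[16:32], raw[32:-32], raw[-32:]
    ek, mk = _derive_keys(password, salt)
    expected = hmac.new(mk, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("wrong password or message tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct)))).decode()

def build_message(sender: str, recipient: str, subject: str, password: str, body: str) -> str:
    # Minimal RFC 5322 message: only the body is encrypted, the headers never are.
    return (f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n"
            f"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
            f"{encrypt_body(password, body)}\r\n")

def visible_in_transit(raw_message: str) -> dict:
    """What the 'postman' (any relaying MTA) can read without the password."""
    msg = email.message_from_string(raw_message)
    return {"headers": dict(msg.items()), "body": msg.get_payload().strip()}
```

The password must travel over a different channel than the message; anyone who sees both has everything, and the headers are readable regardless.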
Ah, then you are totally right and thanks for taking the time to explain.
I must have misunderstood the claims of Tutanota.
Then again I'm dumbfounded that people would consider the process you described as private and secure communications…
That's absurd!!! Edit: Honestly, I thought the whole "we encrypt your emails" would be based on PGP. Why on earth would someone that wants encrypted emails not use PGP?
I would even argue further that nothing is actually really secure. For example, Tucker Carlson recently revealed that his messages on "Signal Private Messenger" were compromised, and he specifically said "don't trust Signal, it's not as private as you think". Now I'm not saying it's the software per se because it very well could be the OS it's being used on, but just the idea of completely secure digital communications to me is a joke. Governments always have vastly more powerful tech within their reach and likely can break that encryption if they desire.
I'm old school. If I want to tell you a secret, it'll be in a room where we are the only two, and I will whisper it in your ear. Anything else is a risk for compromise.
I wouldn't go that far, you need to have a lot of knowledge and stellar OPSEC.
Great example, because he's clearly very naive. There were other red flags about Signal before, but the main one is so obvious… anything that asks for your phone number certainly can not be secure by definition, it's absurd.
He should have used Session instead.
As well as his OS or even the keyboard on his phone (I'm sure he doesn't use Linux or DeGoogled Android)
Also, since he's very high profile and obviously targeted - I wouldn't use anything with a SIM card inserted if I were him
If the NSA has quantum computing capabilities, which I'm sure they do, surely they can crack most encryption, no?
I still wouldn't trust technology for extremely sensitive comms. Sure, it's generally user error or a security vulnerability that's exploited, but you even have crooks using "Tails OS" with Tor and PGP who end up getting caught. I just don't think it's worth the risk.
I'm pretty sure if the Mafia were at its peak of activity right now, they would have a rule not to talk business on digital comms, as they did in the past for not speaking on phones or out in public without covering their mouths.
Maybe I'm getting cynical, but I just have the mindset that if something can be made, it can also be broken, and we've seen this time and time again with software. When freedom is at stake, that's a tough one.
Edit: I don't think phone numbers on Signal are exactly what is compromising their messages. That is only useful for metadata. There's something larger going on.
Edit 2: You are right though, Tucker should at the minimum use GrapheneOS with session.
No, they're not idiots - nobody in their right mind would spend insane amounts of money to decrypt some encryption as strong as Signal, which has quantum-resistant cryptography.
They'll use methods to compromise the OS (backdoors, Pegasus) / hijack / swap SIM etc.
It's much easier and costs nothing.
Carlson's OPSEC is clearly not even near Edward Snowden's for them to use quantum computers on it, for crying out loud.
Signal is fine for discussing topics you don't want everyone and anyone to know about. It's the virtual equivalent of inviting your friend over to your house for tea and letting them in through the front door. Your nosey neighbour knows you're talking to your friend and for how long but not what's been said. The convenience of Signal is that it's based on shared phone numbers. However, this is the biggest vulnerability.
I'm not a celebrity, criminal, terrorist or spy so I really don't worry about metadata as a vulnerability. If I needed total privacy, that would be a lot more challenging and I probably wouldn't have any friends.