Ortis said the foreign ally, who he is not at liberty to name, spoke of a plan to encourage criminal targets to begin using an online encryption service called Tutanota - a "storefront" operation created by intelligence agents to snoop on adversaries.
Telling no one, Ortis decided to act, drafting a list of four possible recipients as part of Operation Nudge - as in nudging them to adopt the new email service.
That's when Ortis says he began enticing investigative targets with promises of secret information - including tantalizing portions of documents - with the actual aim of getting them to communicate with him via Tutanota.
He's not exactly a reliable source. However, if you wanted to go about collecting data from people with something to hide, you would likely set up an encrypted email service - right?
I wouldn't be surprised in the slightest, because the whole idea of private e-mail is absurd.
E-mail by its nature is a honeypot that CANNOT be secure / private.
I don't use Tutanota (or any "secure/private" mail service really, I treat them all as "mail open to the postman") but I thought their service is supposedly client-side E2EE, with the client being open-source.
Bearing in mind your disclaimer that the source is not reliable, I wouldn't pay that much attention to that article.
Especially in today's day and age when clickbait is (sadly) king…
If you do find a reliable source though, please do update us; sounds like an interesting topic.
Client to server is probably encrypted, but server to server is usually not encrypted. So all you would need to do is intercept packets between servers and voilà, you can read the entire email (or at least the email headers).
Is this an assumption or do you have some source that states that as a fact?
Because the service claims E2EE? Which would mean client-to-client (if the implementation is correct, then I'd say that server code is irrelevant, but I haven't audited the implementation, nor will I ever, because I don't care enough since I don't use such services).
That said, as I said I'm not too familiar with the service, but if what you are saying is indeed the case…
Anyone using "client to server" encryption as "secure communication" is well deserving of no security at all, to be fair…
I believe Tutanota only claims to encrypt emails sent from Tutanota to Tutanota domains. They can totally promise this and it's technically feasible to do. However, email architecture does not allow email headers to be encrypted, so if you send emails to anyone outside Tutanota, your email headers are sent in plain text. Also, unlike Protonmail, they do not allow you to import/export public PGP keys. I would therefore expect that all emails sent from a Tutanota server to a Gmail server would be sent in plain text. Please feel free to correct me if I'm wrong - it's been a few years since I decided against subscribing to Tutanota.
Edit: they allow you to set a password for your emails to non-Tutanota users. So your emails to non-Tutanota recipients are password protected, but any replies from that contact are not. Also the email headers are not encrypted.
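The point above about headers staying in the clear (and the earlier one about intercepting traffic between servers) can be shown with a constructed PGP/MIME message as a relay would see it. This is an added example, not code from the thread or from Tutanota; the addresses, Received line and ciphertext are all constructed placeholders.

```python
from email import message_from_string
from email.policy import default

# Constructed sample of a PGP/MIME (RFC 3156) message as it sits on a relay
# between two mail servers. The ciphertext is a placeholder, not real PGP data.
SAMPLE_MESSAGE = """\
Received: from mail.example.org by mx.example.net; Tue, 1 Jan 2030 10:00:00 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Re: meeting location
Message-ID: <constructed-1234@example.org>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext, constructed for this example)
-----END PGP MESSAGE-----

--b1--
"""

# Header fields a relay, or anyone watching the wire, can read in full.
METADATA_HEADERS = ("Received", "From", "To", "Subject", "Message-ID")

def exposed_metadata(raw: str) -> dict:
    """What can be learned from the message without any decryption key:
    PGP/MIME (like S/MIME) encrypts only the body part, never the headers."""
    msg = message_from_string(raw, policy=default)
    visible = {}
    for name in METADATA_HEADERS:
        values = [str(v) for v in msg.get_all(name, [])]
        if values:
            visible[name] = values
    body_is_ciphertext = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    return {"visible_headers": visible, "body_is_ciphertext": body_is_ciphertext}

if __name__ == "__main__":
    print(exposed_metadata(SAMPLE_MESSAGE))
```

Everything in `visible_headers` (sender, recipient, subject, relay hops) is what a password-protected or PGP body still leaks to every server on the path.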
If whatever you are saying in your email is sensitive enough to get you arrested or exclusively watched by the government, you shouldn't rely on emails for your conversations and messages.
Encrypt your own messages, send them on a platform that is less of a honeypot, then send the (very strong) password through another somewhat trustable platform; that fragmentation makes it much harder for a third party to decrypt your message. Once the other person gets the message and password, delete both from the platforms. We assume their servers truly delete what you sent to spare disk space.
Besides this case, Protonmail is pretty alright for daily use and the most private public email service for anything that isn't illegal or borderline.
I use it with a custom domain for the simple reason that it has no ads and allows me to set a separate user and mailbox password (which I prefer to 2FA).
Ah, then you are totally right and thanks for taking the time to explain.
I must have misunderstood the claims of Tutanota.
Then again I'm dumbfounded that people would consider the process you described as private and secure communications…
That's absurd!!! Edit: Honestly, I thought the whole "we encrypt your emails" would be based on PGP. Why on earth would someone that wants encrypted emails not use PGP?
I would even argue further that nothing is actually really secure. For example, Tucker Carlson recently revealed that his messages on "Signal Private Messenger" were compromised, and he specifically said "don't trust Signal, it's not as private as you think". Now I'm not saying it's the software per se, because it very well could be the OS it's being used on, but just the idea of completely secure digital communications to me is a joke. Governments always have vastly more powerful tech within their reach and likely can break that encryption if they desire.
I'm old school. If I want to tell you a secret, it'll be in a room where we are the only two, and I will whisper it in your ear. Anything else is a risk for compromise.
I wouldn't go that far; you need to have a lot of knowledge and stellar OPSEC.
Great example, because he's clearly very naive. There were other red flags about Signal before, but the main one is so obvious… anything that asks for your phone number certainly cannot be secure by definition, it's absurd.
He should have used Session instead.
As well as his OS or even the keyboard on his phone (I'm sure he doesn't use Linux or de-Googled Android).
Also, since he's very high profile and obviously targeted - I wouldn't use anything with a SIM card inserted if I were him.
If the NSA has quantum computing capabilities, which I'm sure they do, surely they can crack most encryption, no?
I still wouldn't trust technology for extremely sensitive comms. Sure, it's generally user error or a security vulnerability that's exploited, but you even have crooks using "Tails OS" with Tor and PGP who end up getting caught. I just don't think it's worth the risk.
I'm pretty sure if the Mafia were at its peak of activity right now, they would have a rule not to talk business on digital comms, as they did in the past for not speaking on phones or out in public without covering their mouths.
Maybe I'm getting cynical, but I just have the mindset that if something can be made, it can also be broken, and we've seen this time and time again with software. When freedom is at stake, that's a tough one.
Edit: I don't think phone numbers on Signal are exactly what is compromising their messages. That is only useful for metadata. There's something larger going on.
Edit 2: You are right though, Tucker should at the minimum use GrapheneOS with Session.
No, they're not idiots - nobody in their right mind would spend insane amounts of money to decrypt some encryption as strong as Signal, which has quantum-resistant cryptography.
They'll use methods to compromise the OS (backdoors, Pegasus), hijack / swap the SIM, etc.
It's much easier and costs nothing.
Carlson's OPSEC is clearly not even near Edward Snowden's for them to use quantum computers on it, for crying out loud.
Signal is fine for discussing topics you don't want everyone and anyone to know about. It's the virtual equivalent of inviting your friend over to your house for tea and letting them in through the front door. Your nosey neighbour knows you're talking to your friend and for how long, but not what's been said. The convenience of Signal is that it's based on shared phone numbers. However, this is the biggest vulnerability.
I'm not a celebrity, criminal, terrorist or spy, so I really don't worry about metadata as a vulnerability. If I needed total privacy, that would be a lot more challenging and I probably wouldn't have any friends.