[tor-talk] Email provider for privacy-minded folk

[Joe Btfsplk]

On 2/19/2013 7:07 PM, Mysterious Flyer wrote:
> OK, more information on the circumstances:
>
> 1.  The whole reason I started up with all this "privacy" and "anonymous" stuff was because someone had hacked my gmail account, and was trying to ruin my life.  I happen to know from their IP address that they work at Google in San Jose.
> 2.  I used a dedicated Tor Mail account to open the anonymous "Torrified" Yahoo account, and then only ever used the Yahoo account to post to this forum.
> 3.  I have to admit that I got lazy with my passwords.
> 4.  I only use Google through https, but you know that gets unencrypted at the exit node, right?  Or am I wrong about that?
> 5. I use Keyscrambler whenever I'm online, and I have AdAware.  I sometimes download free trials of other anti-malware programs, just to make sure that AdAware is doing a good job.
> 6. I use an unsecured wireless network at home because we're too lazy to set up a password.  We set one up once, but then got new computers and it was hard, K?  We live in a very spaced-out area, so our nearest neighbor is too far away to hop on our connection.  Our nearest neighbor has TWO secured connections at his own house.  One of them is named "Black Ops", which is funny.  I doubt the neighbor with two connections is hopping on to mine.
>
> I have my suspicions about Tor Mail.  Do any of you think that someone got access to my Yahoo account by hacking into the Tor Mail account that was used to set it up?  I was using this little algorithm to make passwords, which probably would have easily been guessed if a person had my user name and password from the one Tor Mail account.
>
> I noticed that my back-up account to the Yahoo account had been changed from "xxxx at tormail.org" to "xxx at tormail.com".  I also can't for the life of me seem to remember my password to the dedicated Tor Mail account that was used to set up the dedicated Yahoo account.  Was the password changed at Tor Mail, or did I just plumb forget it?
>
> I have gotten conflicting information on whether or not it is EVER safe to access e-mail through Tor.  I have read that your Google cookie can be stolen through Tor, even when you aren't on Google.  Is that true?
>
> So I am thinking there are two possibilities:
> 1.  My hater has been spying on my this whole time, even though I thought they were gone, and they are good at spying.
> 2.  This is a new person (not the hater) who got at me through Tor Mail, and they just posted the posing post as way to make fun of me because they think it's funny.
>
> I doubt the debit card thing is related.  Someone probably stole my numbers through a swipe-logging device at a gas station.
>
> Based on the information above, can anyone provide any further insight that has not already been given?
>
> Signed,
> The REAL mysterious flyer.
>
OK, much of this has nothing to do w/ Tor or Tor browser, per se.  I 
don't run "this joint," so I can't tell you what / what not to discuss 
here.  Much of the situation would perhaps be better discussed on a 
privacy forum. Wilder's Security forum has a good section.  Another is 
on Neowin - the internet security forum.

But, several things you describe *could* be the root of some of your 
problems.
1) As mentioned, Tor Mail isn't associated w/ Tor Project.  Beside, JUST 
using tor mail, by itself, has little to do w/ anonymity, AFAIK - from 
reading about them.
2) From what you describe, Tor probably isn't your problem.  It's your 
security practices (or lack there of). :(
It also sounds like you might open an email attachment (when NOT 
expecting it), click on links in email - even just to "unsubscribe."  
All those can load malware on your system. Sometimes, it's very 
difficult to detect, once on your system.
To be anonymous w/ email, you must open an acct using Tor & NEVER use 
anything else to access it.  You can use their webmail & it should be 
fine, if you're not doing stupid things w/ Tor / TBB.

If you used a BU email acct (for PW reset or what ever) w/ the Tor - 
Yahoo acct, & if you EVER accessed the BU (tor mail) acct from your real 
IP address, then the anonymity of the Tor Yahoo acct was blown.

No one can get lazy w/ PWs & not have problems, sooner or later (I 
assume you meant: not strong, not completely random, not very long).  
Especially on high traffic / high target sites like google or email 
providers.  If that's the case, your former hacker probably knew things 
about you.  That & good PW cracking software is likely how he got your 
PW.  Use a PW manager & generate STRONG, random PWs, not something that 
involves any of your personal data, email acct names, etc.

I get the feeling that there's more to "your hater" story than you let 
on (& more than ANYone here wants to hear). ;)

Unless you're using a GOOD method to replace all characters.  All the 
simple, easy ways to replace say, letters of your email acct, are used 
in PW cracking software.  If you feel you MUST memorize it, use methods 
endorsed by security experts.  Just best NOT to start w/ personal data, 
that someone could know / guess / search for.  It still needs to be > or 
= 15 chars: upper / lower case letter, #s, special characters.  Twenty 
to 25 chars is MUCH better, for safety from PW cracking software.  Use a 
PW mgr that autotypes - like Password Safe or Keepass - both free, open 
source.  Have portable versions.  Get them on Sourceforge.net

3) NO!  If using an https connection, that security / encryption has 
NOTHING to do w/ Tor.  TOR ENCRYPTION ends at the exit relay.  HTTPS 
(SSL / TLS) encryption does not.  Unless, someone / some site imitates 
or hacks the site you were trying to reach, & then usually you'd see a 
"Security Warning" from the browser, about being unable to verify the 
security certificate.  Most people just ignore those, w/o checking out 
the situation.

Even if someone stole an email provider's cookie, it wouldn't do them 
any good because they're not using it on the same machine (AFAIK).  
That's the least of your worries.

If someone hacked you before & knows something about you (or knows you), 
you need to COMPLETELY beef up your security methods on ALL online accts.
Now, if you have more questions about email safety, PWs, general 
security, I suggest going to sites like I mentioned, or others. Most of 
your questions / issues have already been answered there.