Slashdot Mirror
After Lavabit Shut-Down, Dotcom's Mega Promises Secure Mail
Lavabit may no longer be an option, but recent events have driven interest in email and other ways to communicate without exposing quite so much, quite so fast, to organizations like the NSA (and DEA, and other agencies). Kim Dotcom as usual enjoys filling the spotlight, when it comes to shuttling bits around in ways that don't please the U.S. government, and Dotcom's privacy-oriented Mega has disclosed plans to serve as an email provider with an emphasis on encryption. ZDNet features an interview with Mega's CEO Vikram Kumar about the complications of keeping email relatively secure; it's not so much the encryption itself, as keeping bits encrypted while still providing the kind of features that users have come to expect from modern webmail providers like Gmail:
"'The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side,' Kumar said. 'If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible but very, very hard. That’s why even Silent Circle didn’t go there.'"
The latency is really bad, but at least your information will be secure!
Heh heh, secure. Heh.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
How does searching work for this kind of tranport/storage?
Kumar? Are him and Harold gonna get baked and go to White Castle?
I think you need a new new plan
http://news.yahoo.com/ap-interview-usps-takes-photos-mail-072949079.html
Are those actual links, or just the <a> tags?
Learning HOW to think is more important than learning WHAT to think.
Mail sorting equipment will take photographs of every letter that is passed through there system.
http://torrentfreak.com/dotcoms-mega-debuts-spy-proof-messaging-this-summer-email-follows-130711/
A link to an actual article.
Learning HOW to think is more important than learning WHAT to think.
I am thinking it is time to start a restaurant, ditch my smartphone and internet connection and crawl into a hole until 2+2=5.
Thanks for destroying the internet you neo-con proto-facists.
Meet the new boss, pawn of the same old bosses...
The should be developed an international mechanism of verifications of the Article #12 of The Universal Declaration of Human Rights. Many countries have signed it. The should be international inspections of data centers, telephone companies, etc.
http://www.un.org/en/documents/udhr/index.shtml#a12
Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Ok I actually tried to read the article and those links don't work. A low day for Slashdot editors.
Check out the new Slashdot iPad app
http://www.zdnet.com/mega-to-fill-secure-email-gap-left-by-lavabit-7000019232/
We already know they are storing all senders and receivers for traffic analysis there too.
The best thing to do is replace email with posting encrypted messages on Usenet.
I find this farcical, so the NSA is going to start playing whack-a-mole with a what will be in the near future, a plethora of alternative secure email providers. Ask the RIAA how well that works out.
AC.. because I can.
I think you need a new new plan
http://news.yahoo.com/ap-interview-usps-takes-photos-mail-072949079.html
(selectively) Quoting the article:
...the photos of the exterior of mail pieces are used primarily for the sorting process..
See, that's just _metadata_. No worries.
It is dangerous to be right when the government is wrong.
According to Security Now/Steve Gibson, the encryption/security on the MEGA file site is not very sound
https://www.grc.com/sn/sn-390.htm (search for "Java Crypto" to get about 3/4 way through the show) or listen to the podcast..
MEGA is well intentioned Im sure, but the Javascript code in MEGA does not cut it for serious security, and they need to dp waaay better for an email service.
Remember that ALL THE DATA is being retained now, so one crack in the system and there is a way in.
Air tight security is do-able, but needs to be serious - I wish Mega lots of luck.
Move along... there is no sig here.
Actually, there's a product in there.
Envelopes for the paranoid. Made of extra-thick paper, with an aluminium foil lining. Each pack comes with very, very thin stickers bearing a pack-unique printing that can be placed over the seal, making it impossible to open the envelope without tearing.
The problem is that private key, in server solution, are available on the server. Even in Mega, the private key is located server side and the password/passphrase is supplied by the end user over SSL. So, the weakpoints are SSL and the domestic machine, as well as an intercept placed on a server at Mega.
What we require is a private key that a person hold, on a smartcard type arrangement. From this we derive a personal certificate authority and a public key. We issue certificates through our personal CA for particular roles and upload them to our provider. This then acts as our transport encryption, digital signatures, email encryption and so forth. The private key never enters the network and everyone has a unique encrypted layer, rather than a common SSL certificate.
Decryption is performed by streaming the contents through the smartcard. We can add additional factors to this authentication such as biometrics, pin, etc. In fact, the user should be able to determine the amount of factors, their order, etc. The decrypted output can either be sent back into the machine (if you feel it is secure), or forwarded to a secure offline machine.
We only need to make sure that this forwarding eliminates the possibility of an exploit and that means a limited stack that only provides certain features. Such as text and/or video.
There is no reason that a standard mobile phone could not have two physical portions, one connected to the web and another for secure comms.
Jabba Dotcom protecting us from the empire? Sign me up!
Oh, the rights exist already, it's just that the US and other nations are infringing on the rights of citizens of other countries. What does it matter if my country actually has these laws, when the US "invades" our local systems?
You know you can send ciphertext in well you know, paper text format? ;) If you are going the physical route with encryption, one time pads become increasingly more appealing and if done correctly(no pad reuse etc) is truly secure.
Or you could go to DEFCON and learn how to remove tamper seals without leaving traces. :)
I DO suspect there's a product in there, but it's a lot more complex than that
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
This only works if the recipient knows you are sending it in your special high security envelop. If not dear old Uncle Sam can open the letter read it, and put it back in a regular secure envelope to send on to the recipient.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Don't all email clients do this?
Are those people so infatuated with web applications that they don't realize true applications do everything on the client?
Or you could go to DEFCON and learn how to remove tamper seals without leaving traces. :)
I DO suspect there's a product in there, but it's a lot more complex than that
Use the old method of a wax seal. 100% tamper proof.
Just don't put the correct returtn address on the envelope!
I forsee a large rise in the use of M Mouse, Disneyworld, Florida as the return address.
Of course, the truly devious would make the return address the message itself.
A code that is in plain sight and virtually unbreakable.
Kim Schmitz has a history of ratting people out.
Not so much:
http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?pagewanted=all&_r=0
Taxation is legalized theft, no more, no less.
I've been wanting to get away from GMail for a long time, and my hotmail expired itself long ago and since started asking for a phone number.
This sounds good. Sad that 'pirates' are more trustworthy than law enforcement but I guess it's because they have their own morals instead of ones that are payed for.
No, it works. Uncle Sam can't read it. You just print your document, then scan it on a Xerox printer/scanner like the Workcenter 7335. http://arstechnica.com/information-technology/2013/08/confused-photocopiers-randomly-rewriting-scanned-documents/. If your document is carefully crafted, your message will be obfuscated by the scanner. Print and send that. The receiving party must then send it through another Xerox to get your actual message back.
Not at all.
1. Press soft clay up to the seal to get an impression..
2. Open envelope, read, close.
3. Fire clay. Smooth it down a little carefully.
4. Melt wax, apply clay stamp.
Oh, it doesn't have to actually work. So long as the suckers believe it will work, and will fork over money for it. Because really, the government isn't going to care what the typical conspiracy-theorist paranoid is writing to his friends about.
The problem is that email is managed from a central location.
If email clients opereated as fully encrypted standalone, "peer to peer" entities, the central mail server would be eliminated, and snoops would only be able to grab the encrypted content, and perhaps the locations of sender and receiver.
I've said it before and I'll say it again, this concentration on encryption is fiddling while the house burns. Encryption is sexy, and easy, and kewl, and l33t... but it won't protect against the real threat - traffic analysis.
Uhhh...dude? yeah kinda hate to be the bearer of bad news and all but they don't even have to do the old "steam the letter open" trick anymore, not with envelopes being so...well paper thin now and with multispectral scanners being so good.
So unless you are hand delivering the email i really don't think your way is gonna be any kind of improvement, hell if USPS wanted they could go "Whoops, don't know where that went" as after all it wouldn't be the first time it was lost in transmission.
ACs don't waste your time replying, your posts are never seen by me.
The amazing thing to me is that using any of these encrypted mail services will automatically flag you as a suspect for the NSA. Just like when detect patterns used by Tor and store all of the traffic in a special place.
How long until the FBI and NSA keep files on everyone that they can identify using these services? Like a new era of McCarthyism but instead of a public trial you have a secret trial where the government has all of the cards. This is essentially what the guy Aaron Swartz and the Lavabit guy ran into right? At some point if you run afoul of these "public" agencies you are taken out of circulation.
This reminds me of the movie "Firefox" in the 80s directed by Clint Eastwood. There was a scene where some english chap was telling Clint Eastwood's character about the KGB, he was comparing it to a monster. He was saying that your only real hope for safety was to sneak carefully by it and not awaken it. That is what I am thinking the "security" services of this country (and many other western countries) is becoming on an unprecedented scale. With more people in prison than ever and people (ohh sorry "terrorists") in jails all over the world without due process (or any judicial representation for that matter) how is this any different?
Of course, a technical solution is best, but, (and IANAL), but these companies should plan ahead for an NSA gag-order, and have a public policy on how they will shut down if their arm gets twisted too hard, or in a way they did not expect, by anyone. If possible, it should be part of a binding EULA, one that places them in a such a position that they cannot legally conspire with wiretappers.
Your uncle sam scans both sides of the envelope capturing the metadata!
May be all the worlds email traffic should go through (and stay at) archive.org this way one would at least know where ones emails end up,...
By court order your mail can be opened and read. It can also be read after opening when you get hit with a search warrant.
---- Booth was a patriot ----
Just use mail on FreeNet,
Sure, FreeNet, which would be the more secure option we have currently, doesn't have any outside gateways, but if you are concerned about security, you don't want one anyway.
---- Booth was a patriot ----
The matter of protecting your e-mail is a simple one - there are standards (S/MIME). What you need to look in a provider is:
(1) They SHOULD NEVER have copies of your private keys
(2) They should follow published standards
(3) Allow S/MIME e-mails
For example, if you want to use your Gmail account with military-grade security that neither NSA can read, just install Penango in your browser and send messages encrypted - this solution is also used by US military and corporations. Penango does not hold any of your private information and/or your keys - so they can not be forced by anybody to give out your secret.. simply because they do not have it!!!! For more info, go to http://www.penango.com/
Look at it this way: everyone's all "we gotta have email encryption" and we've completely lost interest in "OMG 99% of all email is spam and we can't get rid of it." It's the NSA's way of encouraging Internet Businesses.
(please please PLEASE don't make me bring out the whoosh or sarcasm tags m'kay?)
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
Which is amusing, because this is what the government believes too.
This whole thing about privacy will be a non-issue in about 2 years.
There's currently a mass-exodus away from US-based cloud services, and (within the US) away from all cloud services.
Cloud services will have to provide privacy or go out of business. The only way to ensure privacy is client-based encryption keys and open-source software. Since it's impossible to control the distribution of open-source software, the client-side package will end up being free.
This is a good thing, IMHO. Cloud services will focus on the actual service, they won't be able to rummage around in our lives (both corporate and personal), they won't be able to "monetize" their customers as products to advertisers, and the NSA will be shut out of much illegal snooping.
People are already thinking about how to encrypt existing web-based mail services, and I'm even hearing rumors about replacing SMTP altogether with a more secure protocol.
Expect a lot of wailing and gnashing-of-teeth from the government, proposals to make this or that protocol "illegal" or to require government backdoor access, but in the end it will come down to simple economics.
There is an enormous market-driven push towards more privacy. Edward Snowden has had a measurable effect on the world, and probably deserves the Nobel peace prize he was nominated for.
This is just advertisement. Since the product isn't finished yet there is nothing to back this information, it seems necessary to keep them in the spotlight of weekly news even if it means creating a story without a story.
When you rely on a third party for security, you are placing an enormous amount of trust in them. You're trusting that they have not installed backdoors, that they do not copy your encryption keys and that they really are doing all the things they say they are. There are also external factors that may be beyond their control, like government demands, as we saw with Lavabit.
Now, if Mega is going to do something like build plugins, extensions or local proxies for popular web and local mail clients that makes end-to-end encryption easy and commonplace -- and will release all the relevant source code -- then we'll talk.
I would assume the decryption would be performed on login. The data would likely be stored locally in a format like JSON and you would use js to apply your searching algorithm. The locally stored files (temp) would have to be removed at the end of the login session.
The whole concept of searching emails client side could be solved by having a searchable key=value store locally pointing to message id's, so when the user searches for something, the search is conducted locally and only returns pointers to actual messageid's, which themselves are encrypted (either on server or locally). So the search never happens remotely, it happens locally. This does give up a bit of privacy, but only locally. The keys themsevles could be md5 hashes of the true search keywords to make it even more difficult to deduce local words pointing to messageids.
There is indeed something to consider here, a secure email service is (mostly) stupid: The casual conversation with your friends has moved to social networking or other chat clients, (almost) no one uses email for that kind of communication today. At companies you could not use the Mega email for obvious reasons. There you would use GPG/PGP here when it makes sense and host on your companies servers. If you take part in discussions on mailing lists encryption is unnecessary too. The few occasions where you still need email today isn't that special that you would move it to Kim Dotcom.
Email is great for business, but then it is handled by your company. Apart from that, email usage continues to drop as it is replaced by other services. Of course this isn't true for everyone, but it is true for anyone who doesn't care about secure email. Everyone who really cares would not use 'just another service provider'.
If you want secure email, don't put it in the cloud. People who try to set up new cloud services to get attacked aren't helping, and can't deliver on what they want to make people believe they can.
It's not hard to set up a mail server. It's not hard to use PGP. Be at least a little harder target.
Just say no to the goddamn cloud, already.
Only the outside of the envelope. They can't see contents unless they open the envelope, which requires a warrant. They can't retroactively open your letter once it has been delivered. If you want to encrypt the contents, you can do that too, but you can't encrypt the routing information.
With encrypted email, the header is unencrypted because it's needed for routing, so the government can record every entire message that passes through a cooperating server. With encrypted email, you could copy every message that passes through a server and decide later which ones you want to try and decrypt.
If you want to add real anonymity, you can use anonymous email accounts. But that's thin security. A government really interested in who's getting and sending anonymous emails can figure it out by tracing packet routing.
For harder-to-crack anonymity, you can upload encrypted files anonymously to a server and download all the messages periodically. Whichever ones you can decrypt with your keys are addressed to you. It's very inefficient, but there's no way to figure out who got your messages without either seizing your computer or hacking it. They can still identify who sent it and what set or receivers might have gotten it by tracing packets.
I'll tell you how I plan to solve it with my solution: fumail.me
I will use a local dictionary to match subjects/nouns in the email, hash it using md5, then when a user goes to search, hash the same words they type in again and compare against the database of hashes.
Thing is, they aren't too interested in the contents of the envelope at all, at least until you're a person of interest. What they really want is use all that juicy metadata (outside of the envelope, i.e. headers) to establish ties between everyone.
Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
PGP encrypted snail mail, then.
Send emails through USPS!
Using modern technology we can print an email, put it in an encapsulation method that's called an envelope, attach an easy to use header "stamp" protocol, and drop it off at any USPS "mailbox" upload hotspot.
The latency is really bad, but at least your information will be secure!
First class mail, in sealed envelope.
http://supreme.justia.com/cases/federal/us/96/727/case.html
2. In the enforcement of regulations excluding matter from the mail, a distinction is to be made between what is intended to be kept free from inspection, such as letters and sealed packages subject to letter postage, and what is open to inspection, such as newspapers, magazines, pamphlets, and other printed matter purposefully left in a condition to be examined.
If the body of an email doesn't need to be visible for inspection for email service to work reasonably, but you send it that way anyway, well.. I really don't understand why anyone has an expectation of privacy there. All free email providers AFAIK read your emails to build a targeted advertising profile on you, and tell you such.
All this "But But the NSAs SIGINT is worse than corporate marketing intelligence" bullshit is just that, complete and utter bull shit unless you'd genuinely feel better if the NSA just privatized their collection efforts. Until someone can specifically tell me which US law a US email service provider is violating by picking up someone's email account and sharing it with someone else, accidentally or purposefully, sit down and shut up.
But But MY country has strong privacy laws...
if American health records were sent legally to a German company, would they be subject to _HIPAA_ rules? Thank you, come again.
If you want privacy laws, fight for privacy laws, and get off these retarded 'NSA is illegal' and 'gubmint is untrustworthy' tracks while letting the private sector have carte blanche access to your "private" information. You know, or encrypt your fucking email like you were told.
+1 Nothing has really changed post-Snowden, we've all always known that emails have the privacy expectation of a postcard-- how many of use were putting "Echelon Food" on out emails a decade ago. It's just, like the Nazis and Enigma, we always assumed the government would never put the brute force resources into collecting everything, so emails were basically "safe." And you're right, in that once you share information with any commercial entity, and there's no bailment, contract or NDA, you've got not privacy. Just accept it, and fight for change-- don't get hung up on some kind of phony "betrayal" narrative that just doesn't stand up to scrutiny. We need privacy on the Internet, strong legal protection. It has not existed up until this point, it will require new laws, the existing ones simply do not work, they're based on assumptions which no longer hold. Fight for new laws, not stupid rearguard actions over what the Constitution Really Means(tm). Courts interpret that, not us, and courts follow laws, not blogs.
Don't blame me, I voted for Baltar.
How does searching work for this kind of tranport/storage?
If you have a bevy of beautiful, friendly, young scantily-clad Polynesian girls that you can sit and watch go through the envelopes searching, who cares how long a search takes?
Now *that's* what I call an upgraded mail service!
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
From a novel I read called "Sedition Awakening" (Cushman) where the charactors are discussing putting messages in the least significant bits of photos:
“So that's where you hide the message!”
“Right! But it's not quite that simple. If you put the information there in the open nobody seeing the photo would notice, that's for sure. But anyone looking for a code would find it in no time at all by scanning it electronically. So you have to make those bits look random, which they usually are in real photos anyway, without them being so random that your message isn't there. There's a very effective and simple way to do that. It's called ‘exclusively or-ing with a one-time pad.’ What that means is, you first get a long string of random bits, say by recording some static off of a radio. Then you take this big long random number and at every bit position do a logical exclusive-or with the same bit position in your message. The exclusive-or operation is a single instruction in the computer, usually called XOR, but the actual operation is this. Each bit of the message is sequentially compared with each bit of the random noise. If both bits are zeros, then the output of the comparison is zero. If both bits are ones, then the output of the comparison is zero. If either of the bits being compared is a one, and the other is a zero, then the output is a one. That exclusive-or operation makes your message as random as the original static, or whatever you use for your one-time pad. Then, at the other end you use the same one-time pad, your long random number that is, compared to the encoded message with the same logical exclusive-or to decode the message back to the original form from the least significant bits of the photo to the original message. This is a completely secure way to pass a message that can't be cracked, but it requires both ends of the communication to have the same one-time pad, or random string of bits.”
“Fantastic! I think I get it! Or, anyway I think I understand the end result. So we could have two CDs with the same string of random bits on them, plus a little program to extract the least significant bits from a photo, or add them, and exclusive-or them to add or extract a message. . . and you say this is completely uncrackable?”
“Yup. As long as the random string is as long as the message, or longer, and the random bits you use are actually random it's perfectly secure and cannot be cracked or even detected as a message.”
typical conspiracy-theorist paranoid
friends
There's a fatal flaw in your thinking right there...
"Little does he know, but there is no 'I' in 'Idiot'!"
Paper mail is not opened or scanned unless there is an actual warrant. Yes, they will "log" your mail and possibly take a picture of the envelope, but you don't have to put a "valid" senders address on the envelope and you can post away from home. As far as drag net "security" from the NSA and such, paper mail is more or less left alone. You can still encrypt the contents and sign it with a private key. Even if they open up the envelope, they won't be able to decrypt if they don't have the key and your encryption is sound.
I was promised a flying car. Where is my flying car?
I'm a Canadian living in the middle east. Canada's spooks simply just rip my mail open and seal it again with red tape when they feel like it. The funniest thing is that they *always* rip open my tax envelopes. That makes zero sense, since they can just open my tax file and read all about it, they really don't need to rip open their own mail, yet they do.
Actually it makes perfect sense AC, you see who are you most likely to send something nasty like a poisoned letter to? The taxman.
ACs don't waste your time replying, your posts are never seen by me.
It would be interesting to see what they are finding -- in a meta-metadata sort of way. How many degrees of separation between the average person and a known or suspected terrorist? Are there dense networks of association? How many degrees of separation do you have to go out before a terrorist's association look like everyone else's? One? Three?
'If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That’s] not quite impossible but very, very hard."
Why not let user the compromise on security in order to search, etc., by giving the server permission to decrypt for N minutes or seconds? Then client software sends the key, Mega promises to destroy the key and the unencrypted text at the allowed time. Standard legal advice in advance explains the resulting exposure risk (if the sovereign requires Mega to silently betray the user). But even then previous email stays secure, despite past permissions, provided there is no future permission.
Most users won't need to encrypt a large volume of email anyway. So they could search locally by eye, and maintain full security.
I know this idea won't work but ... What about a encrypted virtual machine? Just like a hard drive can be encrypted I wonder if it would be possible to run an encrypted virtual machine on a real machine such that the real machine can not observe what the virtual machine is doing.
Well, some people, and by some people I mean the people who have been pushing the panic button for the last decade, say the spooks are routinely looking out for up to three degrees of separation. Three sounds like an entirely plausible optimal number.
There was a relevant facebook study about the small world theory a couple years ago, and IIRC, the average distance between any two people (globally) on the network was 4.6 or some such. Of course, you have the people who have to friend anyone and everything even if they don't know them; probably skews the idea somewhat.
The idea that you and I could be as few as 1.6 additional degrees of separation from some suspected individual is...unsettling. How much longer until the lidless eye wanders further?
Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
Cut off the seal with a hot knife. When you're done violating someone's confidentiality, stick it back on.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Even easier, have the delivery service remove every wax seal. No more communication.
Kim Dotcom as usual enjoys filling the spotlight,
you can put a period there, that's all there is to say about it.
If you trust an e-mail service run by Kim, you are a stupid idiot. The guy ratted out people to the authorities before, when it served him.
One thing is right about this idea, though: If you want a secure e-mail provider, it absolutely has to be located outside the USA. Nothing on US grounds can be considered secure anymore.
Assorted stuff I do sometimes: Lemuria.org
Truly anonymous email needs to be both encrypted and efficiently hide communication patterns.
If the system is based on a central server that maps addresses and you have the ability to listen to inbound and outbound mail you can fairly easy generate a map that will link real and anonymous email addresses if the system runs in real time. Mails to be relayed should be delayed a random time and sent out in random sized pools. That would hide the link.
An alternative would be a private bulletin board system where no messages ever leave the server and both sender and recipient must log in to send or receive mail. It will also hide the patterns provided the database is completely encrypted, including relations.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
What do you mean secure?
USPS scans the front and back of every envelope that goes through their processing centers. They then use these images and OCR to create the same metadata they are capturing on phone records.
you can upload encrypted files anonymously to a server and download all the messages periodically. Whichever ones you can decrypt with your keys are addressed to you. It's very inefficient, but there's no way to figure out who got your messages without either seizing your computer or hacking it..
I like this idea, and think it can be made plenty efficient by decreasing the number of recipients that "share" a given inbox -- say 1000 users or so.
Yes, please secure email me at 3013@mailinator.com using my public key.
I'd give my right arm to be ambidextrous...
Wow. All these brilliant ideas on encrypting communication like snail mailed rubber envelopes wax seals etc Nothing screams "I have a secret" as loud as obvious encryption attempts. And nothing is as tempting for CIA or DHS operatives to try and circumvent. Security services in *other* countries don't waste their time trying to crack "encrypted email" or rubber envelopes in snail mail. Why? Becaus professional agents don't ever use an *obvious* encryption method at all!. A REAl spy's email might look like "H mom how are you.. yadayada" Instead if, say, looking for foreign spies, they uase psychology to try and discern odd behavior.. and once they have a solid target THEN they try to see if the correspondence looks suspicious. If the US tries to crack MEGA's new encrypted email service, it'll be sour grapes and not any hope of success in catching a "spy". After all they didn't think to start checking Snowden's emails until AFTER he came out ;-)