Slashdot Mirror


'World's Most Secure' Email Service Is Easily Hackable (vice.com)

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out.

From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone into visiting a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat.

A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."

15 of 77 comments

  1. First HOSTS by Anonymous Coward · · Score: 2, Insightful

    My hosts file protects me and my email from hackers. Thanks APK!

  2. "world's most secure" = "hack me, I'm yours" by evolutionary · · Score: 2

    Claims like that are just hacker bait. First point of security, don't broadcast the strength of your security.

    --
    "Imagination is more important than knowledge" - Einstein

  3. Re:How about Proton mail? by wardrich86 · · Score: 4, Informative

    I use it, and I haven't had any issue. It's not as nice as gmail, but if you're looking for a relatively simplistic layout, and encrypted email - Proton is solid.

  4. Re:Sure...if I had physical access to the device.. by evolutionary · · Score: 2, Insightful

    Uh, this feels like something posted by a Nomx employee...

    --
    "Imagination is more important than knowledge" - Einstein

  5. Nomx has a reply on their site by zerofoo · · Score: 2, Interesting

    It appears the "hack" requires local hardware access to accomplish:

    https://nomx.com/

    The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

    1. Re:Nomx has a reply on their site by Anonymous Coward · · Score: 5, Informative

      The statement on nomx's website is horribly misleading. None of the attacks described require physical access or rooting; the security researcher just did those things to help find things. The CSRF attacks he was performing would work on any out-of-the-box nomx device.

  6. Re:Sure...if I had physical access to the device.. by whitlocktj · · Score: 2, Insightful

    You fail to realize why this response is inadequate, fallacious, and utterly garbage.
    1) Of course no nomx data was compromised, it was a test machine
    2) How do they know that no nomx account has been compromised? They don't. They aren't a web service. This is a physical device, managed by individuals, not monitored by the company
    3) Even if no one has been compromised, that doesn't negate the real, high risk vulnerabilities
    4) Statistics don't tell a compelling story. Nomx is not used by billions of people, as such, the attack vector is statistically insignificant to warrant anyone's time to attempt to hack it. Furthermore, I highly doubt they can hold up to the same standards as Google/Yahoo, or any other company they list on their website as being hacked in recent years. Typical apples to oranges.
    5) 'In the last two years alone, every major email service provider was hacked' & 'world's most secure email service' are unsubstantiated hasty generalizations. What's the criteria they're using exactly?
    6) 'nomx ensures absolute security and privacy when communicating online by resolving issues with the Transmission, Routing, Acceptance, Communication header data, Encryption and Storage (TRACES) vulnerabilities that have been present in email since its creation.' How convenient. A snakeoil promise for problems that are extremely vague. Sounds like a strawman to me. Never even heard of the term T.R.A.C.E.S. And what exactly is it resolving with routing? Is this a router? Did they provide a new routing protocol? RIPv2 or OSPF isn't good enough for them? The BS meter is full.

  7. Re:Sure...if I had physical access to the device.. by networkBoy · · Score: 2

    nevermind this:

    future devices would be built around different chips that would also be able to encrypt messages as they travelled.

    So it's a fail right off the bat if it doesn't encrypt the mail in the first place.

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump

  8. Re:Sure...if I had physical access to the device.. by IMightB · · Score: 3, Interesting

    What exactly does that mean... encrypt as they travel? As someone that spent nearly a decade at a SaaS email security firm, SMTPS is only PtoP. If there are points in between, there's a chance that your email will have an unencrypted hop. Otherwise you're looking at GPG/SMIME solutions... based on the info provided, I don't see what they are doing any different other than providing a "dedicated" box....
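
Added example, not part of the comment above or of the original page: SMTP TLS is negotiated hop by hop, and each relay records the protocol it accepted the message with in its Received header (RFC 3848 keywords such as ESMTPS). This Python code walks those headers on a constructed sample message and reports the hops with no TLS recorded; all hostnames, addresses and ids are made up.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop used TLS (RFC 3848 registrations).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
COMMENT = re.compile(r"\([^()]*\)")
CLAUSE = re.compile(r"\b(from|by|with)\s+(\S+)", re.IGNORECASE)

# Constructed sample message; hosts and ids are made up.
SAMPLE = """\
Received: from relay.middle.example (relay.middle.example [203.0.113.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.recipient.example (Postfix) with ESMTPS id 4F1A2B3C
\tfor <bob@recipient.example>; Fri, 28 Apr 2017 10:00:03 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
\tby relay.middle.example (Postfix) with ESMTP id 9D8E7F6A
\tfor <bob@recipient.example>; Fri, 28 Apr 2017 10:00:02 +0000
Received: from [192.0.2.10] (laptop.sender.example [192.0.2.10])
\tby mail.sender.example (Postfix) with ESMTPSA id 1A2B3C4D;
\tFri, 28 Apr 2017 10:00:01 +0000
From: alice@sender.example
Subject: constructed sample

body
"""

def hops(raw_message):
    """Return relay hops in travel order, each marked TLS or not."""
    msg = message_from_string(raw_message)
    out = []
    # Each relay prepends its header, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        trace = " ".join(value.split())
        # Remove (comments), innermost first, so "with cipher" is ignored.
        while COMMENT.search(trace):
            trace = COMMENT.sub(" ", trace)
        trace = trace.rsplit(";", 1)[0]  # drop the timestamp
        fields = {}
        for key, val in CLAUSE.findall(trace):
            fields.setdefault(key.lower(), val)
        proto = fields.get("with", "").upper()
        out.append({"from": fields.get("from"), "by": fields.get("by"),
                    "with": proto, "tls": proto in TLS_PROTOCOLS})
    return out

def plaintext_hops(raw_message):
    """(from, by) pairs for hops whose relay did not record TLS."""
    return [(h["from"], h["by"]) for h in hops(raw_message) if not h["tls"]]
```

Received headers are written by the relays themselves, so a hop marked as TLS is only as trustworthy as the relay that recorded it, and the message is still readable on every relay unless it is encrypted end to end.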

  9. Re:How about Proton mail? by Holi · · Score: 2

    How do you get around the blacklists, reverse dns issues, and port blocks?

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.

  10. Re:Who can use this? by Anonymous Coward · · Score: 3, Funny

    Hillary?

  11. Re:How about Proton mail? by Anonymous Coward · · Score: 5, Informative

    I use protonmail too and it seems to be about as secure as webmail could possibly be.

    The good:
    -hosted in Switzerland at CERN, away from the "five eyes".
    -Switzerland has data privacy in its constitution.
    -unfortunately sometimes the authorities in Switzerland will ask information about a user and protonmail has to cooperate. but this happens rarely and always shows up on their quarterly transparency report. and they /don't/ have access to old messages on your account
    -your account logs every sign-in attempt and if it succeeded or failed, so you can tell if someone is trying to guess your password
    -your emails are symmetrically encrypted against your password, so they can't access your old emails without you even if they tried. (and a side effect of that is if you forget your password, they can recover your account, but not your old emails)
    -when two protonmail accounts email each other, it uses end-to-end encryption straight from one browser to the other
    -they have a work-around for emailing insecure accounts: you can choose to just send them clear text OR you tell someone a password in advance then instead of sending them your email message, it emails them a link to an encrypted protonmail webpage with your message in it. It's awkward but it's an option.

    The bad:
    -They put a signature in every email "sent from protonmail secure email". If you want to delete it you need to do it manually. Disabling it is a premium feature you have to pay for. ...IMO, beats NSA spying.

  12. Clever claim by BlackPignouf · · Score: 2

    "Everything else is insecure" is actually a pretty clever claim. It doesn't tell anything about their security.

  13. Re:NoMX's Response by sbrown7792 · · Score: 4, Informative

    The old software's vulnerability were few and you needed physical access to exploit

    The researcher/blogger needed physical access to discover the exploits, but the CSRF attacks can be embedded onto any webpage, he even provides the code in his blog post.

    Side note: I'd suggest watching the nomx videos about "How it Works". Quality.

  14. Re:A few points: by unrtst · · Score: 2

    1. Most ISPs don't allow residential customers to run an email service of their own.

    Wrong. Sometimes, you may have to ask to have the port opened, but most allow it.

    many domains will reject any email out-of-hand that's sent from just some random IP address

    Set it up correctly. Set up the various SPF records and other such stuff. That'll greatly reduce the impact of this.
    Furthermore, you *can* get your own static IPv4 IP that isn't in those blocks, and/or you can use a virtual server and forward that stuff, and/or you can use IPv6 to route around it, and/or you can use a different outbound SMTP server or forward through one. There are lots of ways around this trivial issue.

    Why even bother with this when there's something like Proton Mail out there ...

    Using a common service/server is one of the primary things this product is trying to avoid, as is using hardware/storage someone else owns (virtual servers / hosting / cloud / etc). There's nothing wrong with that part of the theory.

    If you don't want to use a service like Proton Mail, what's wrong with using your own end-to-end encryption?

    It relies on accessible and verifiable public keys and integration with the client software. That works within protonmail because all users get keys and can share public keys (AFAICT). Doing it yourself means pgp/gpg or s/mime, and both parties must have that, and there's no encryption of email headers (including TO, FROM, and SUBJECT) with those, so they won't be protected once they leave your server.

    If you're really so worried about someone hacking into your communications over the Internet, then why are you even bothering with email in the first place?

    What type of argument is that? Probably shouldn't use http either, nor facebook, nor any instant messenger, nor any search engine, nor the internet... heck, you should probably completely disconnect from every external line and seal yourself in a faraday cage within a bunker underground.
    Email has loads of benefits and is still the most widely used (head count) communication platform. It's certainly capable of sending an encrypted payload and the delivery mechanism is very well established... why not use it?

    None of this means this product is good or worthwhile, but a secure communication appliance *could* be done right.