The Intercept's top security expert reviews Helm, a standalone home email server that keeps your comms out of Big Tech's data-centers

Originally published at: https://boingboing.net/2019/04/30/threat-models-r-us.html

Managing my own email server? No, thank you. I did enough of that in the 90s and aughts. And POP? Don’t make me laugh.

11 Likes

Snort and Barnyard. Come on people.

I don’t understand why people keep designing these “living room friendly” tech appliances. Is there some reason they can’t just pack it in a nice flat package that’ll tuck away out of sight without wasting space? If I want living room art I’ll buy art.

7 Likes

Waiting for an open source clone of Gmail. Google as a whole sucks, but their mail UI is great.

After RTFAing, a couple of observations. What the fuck is with the shape of the device? Why can’t it be flat (I know the likely answer: cooling). I want my network appliances shoved in a closet, not out on display thank you very much. $500 for the device plus $100 per year? That’s… a lot. And this also means you’re beholden to Helm to protect your information – whether it’s stored on your device or not.

The first thing that stood out in the privacy policy is that, like Google, Mail.ru, and all other companies everywhere in the world, Helm must comply with lawful government requests for data. “We may disclose your information if required to do so by law, in response to a court order, judicial or other government subpoena or warrant,” the privacy policy reads.
[snip]
This is a ban on reverse engineering, preventing a type of close examination of computer hardware and code that can help uncover defects and add new functionality.

So, they design the thing as a black box; you cannot ssh into it or customize it beyond what the web UI allows you to do. You just have to trust them.

So, yeah…

I have to wonder who Helm’s target audience is here. Anybody likely to spend $500 plus $100 a year for a subscription for an appliance like this is probably more likely to just build and run their own server for considerably cheaper that they can actually customize and truly control.

14 Likes

I think that email (SMTP, POP, IMAP, etc…) is not going to work for secure communication. Signal is looking very good. I think it would be better to develop distributed web and social media solutions. Email needs to go away, crazy as that sounds.

The larger internet network, communication, and app providers have utterly failed the user community. It is time to put them down.

I’m done with the Intercept and Glenn Greenwald. They are dinosaurs of a past age. The Intercept is so detached from the threats and reality that we face that their reporting and focus is counterproductive. They are a detriment.

3 Likes

Not sure how much of a qualification “The Intercept’s top security expert” is… https://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

7 Likes

sure. imagine if hillary clinton had been using POP.

1 Like

My first thought as well on reading this. You can build something like this on a $50 Raspberry Pi as long as your residential ISP isn’t blocking mail ports (which would also be a problem for Helm) or your IP address isn’t being flagged as a source of spam:

https://www.raspberrypi.org/forums/viewtopic.php?t=210084

5 Likes

I use the Helm for my personal email. I switched when the company that bought the company that bought the company that was hosting my email discontinued support for emails through their domain name after 21 years! With Helm, your cost of service includes domain registration fees, so you can choose any one you like and you can take it with you if you leave. They fully administer the server. They don’t even provide a way for you to get a terminal session on it. The device tunnels traffic through an Amazon AWS cloud server with a public IP address.

Overall, it’s fast and easy and mostly just works. They are working on other useful features, like a VPN server, so it is becoming more useful over time. It is not perfect, but their support team is highly responsive. IMO, it is well worth it if you would otherwise consider paying to have your email hosted (and if you are growing wary of the centralized private control of all of your personal data, private hosting of email is a fairly easy step you should consider). The drawbacks are:

Their admin app (on your cell phone), which connects to the device via Bluetooth, is balky and can be opaque (on Android at least), but it does work.

Every email account needs a separate copy of the app to configure the account options. The app sets up a unique password for every separate device you use to access the server, so the separate app for each user provides protection for those credentials and self-service updates, but it is a pain in the butt to require every person whose email you want to host to install and use the app (and inevitably ask you for support) and, at least in my family, some people have opted out of using smart phones for reasons of cost or simplicity. Overall, everyone would rather that I did all the account admin, but I can’t. It’s also easy to think of annoying scenarios like lost phones that require a return to the user’s manual or tech support.

There are times when the device needs to be restarted, which requires physical access to it.

In the modern landscape of fighting illegitimate emails, the public IP associated with your email server and domain name needs to build up trust before some providers stop marking it as spam. This “burn in” period requires cooperative recipients to fish your messages out of spam and reply to them.

If you can tolerate the above drawbacks and would otherwise go in for private hosting, you might want to see if there’s room for their pointy white triangular email thing in your life.

7 Likes

I run my own email server, which is a great solution for me, even if it’s not ultra-secure. I can receive email from anyone just fine, but if I want to send mail, I have to use a remailer service. Email from my residential IP address will be blocked as spam by the vast majority of decent email services. So, this hideous, unstackable “Helm” appliance is going to have to hand your email off to another service, perhaps hosted by Helm, which will produce a fountain of insight into your personal business for industrial and state spies. If you want a secure product, you need to kick out the middlemen and place the server where your country and your ISP can’t intercept it undetectably.

I can’t get my head around why the fugly helm costs $500 plus $100/yr. My email server is practically an off-the-shelf free product, runs on any old PC or VM, and it comes with all the goodies this Helm product seems to be still valiantly promising to work on. It cost nothing to buy, and the cost to run it, with dozens of domains and hundreds of email addresses, is so negligible that it’s nothing next to the mere $50/year that PC itself costs in electricity.

My server can’t tell me when my emails are being intercepted, but if this is a feature Helm is “working on”, then they have an alpha product and ought to be paying people to use it rather than charging them.

Go home, Helm.

4 Likes

I’m a fan of Synology servers. They are sold as NAS, but that’s the least of what they can do. VPN, cloud storage, email, web server, etc. Just download and turn on whatever features you need. For as little as $100 plus a hard drive you add yourself.
https://www.synology.com/en-us/dsm/packages

1 Like

Micah Lee is legit. He was at EFF before the Intercept, and is well respected in the privacy and data security world. I’ve never seen an account of what role, if any, he played in the mistakes that outed Reality Winner, but the Intercept responded constructively to those mistakes, with new practices and training, contributions to her defense, and ongoing coverage of her situation. Although they failed to protect their source (full stop), it would be hopelessly naive to assume that she wouldn’t have been caught anyway.

If you are actually interested in the topic of his article on Helm (i.e. not just trolling the Intercept), but are legitimately concerned about Micah’s credentials, you can find a similarly positive-with-caveats review from Lee Hutchinson at Ars Technica. https://arstechnica.com/gadgets/2018/12/review-helm-personal-server-gets-email-self-hosting-almost-exactly-right/

2 Likes

wait, $100/year? who owns this thingie?

1 Like

Email is 2-sided - so what if you keep YOUR emails on your own Helm, or whatever.

I remember a blog by a Prof. who used to run his own mail server, and then saw ~70% of his emails were to or from gmail alone. So at that point Big Tech has your emails…

7 Likes

Me too, but it is interesting how much privacy we’ve (well, I’ve) ceded to big tech. Like lots of people I’ve been using Gmail since it required a referral to get an account, and they’ve been mining my personal info that whole time. (Insert quote about “if you don’t know what the product is, you’re the product”).

Can you think of a good alternative to that other than hosting your own server somewhere? Oddly I can’t. I think this product fills a much needed niche, and draws attention to something far more privacy invasive than Amazon Alexa.

Love the idea above about a privacy friendly Gmail clone. I’ll pay for it of course. I’m already paying for Gmail anyway, for the extra storage.

The privacy benefits are largely illusory as most people you communicate with will be hosting their email with Gmail or some equally privacy-infringing outfit.

POP3 and no IMAP4 is ridiculous in 2019.

I run my own email server, with TLS encryption for the SMTP connections, which is almost universally supported so Google Fiber can’t read my emails at least. It’s really not that hard. I wonder if someone can package building something like Helm using Ansible scripts the way Streisand and Algo automated running your own VPN.

4 Likes

So… How hosed are you if Helm suddenly disappears?

3 Likes