[lvh]

I mean, sure? You can use encryption to get security and privacy features but "FDE" isn't it. FDE is more important for Helm but that's a problem of their own design: suddenly the e-mail is in a box in my kitchen and it's a lot easier to walk out with a box in my kitchen than it is to walk out with a drive from us-east-2a :-) For anything in the cloud it's a belt-and-suspenders/compliance thing.

[lolc]

How many people have access to drives in us-east-2a? Do you know? Can you verify?

Assuming the software works flawlessly (if it doesn't, it doesn't matter where it runs) you'll need RAM and storage access to recover the keys and the data. If you're in the cloud, you won't notice when insiders or state agencies take a peek. If the device is in your home, you can set it up so you notice.

It all depends on the threat model.

[lvh]

> How many people have access to drives in us-east-2a? Do you know? Can you verify?

AWS, like every non-clownshoes provider, is transparent about the security controls on its datacenters. It has those verified by independent third parties and auditors (for relevant compliance standards). They have published whitepapers and compliance/audit reports, and continue to.

The odds that someone compromises a Helm update and the odds that someone walks out of us-east2a with a drive are not in the same ballpark.

To reiterate, because somehow I'm in the "FDE is an important threat model!" corner: it is not. Walking away with a Helm is not the easiest way to read e-mail on that thing, especially not for an organization capable of dragnet surveillance in general.

[lolc]

> The odds that someone compromises a Helm update and the odds that someone walks out of us-east2a with a drive are not in the same ballpark.

Sure, but why are you comparing a software compromise against physical access? There are attacks that work against cloud providers which don't work against Helm. If somebody can compromise a Helm update they essentially got root. And that is a step up from just read access to storage.

Here's how I see it: There is a provider that runs my mail infrastructure. They can either run it on AWS, or host it at my home. If the data is in my home I don't have to trust Amazon. I still have to trust my mail provider ultimately, but using AWS doesn't improve on that.

[lvh]

Because we started talking about FDE specifically?

[lolc]

I don't get why you're so hung up about physical access. But at least I think I understand how we got there:

gsreenivas: Most cloud-based email services hold email in the clear

lvh: are you suggesting cloud e-mail services don't use FDE?

lolc: They may but they also hold the keys.

lvh: it's a lot easier to walk out with a box in my kitchen than it is to walk out with a drive from us-east-2a

lolc: How many people have access to drives in us-east-2a?

In that last quote I should have said "storage", because I didn't mean physical access only. So apologies if that set you on the wrong track.

[gsreenivas]

I'm curious about how you arrived at the conclusion that we are capable of dragnet surveillance. Connections to/from the Helm server use TLS end to end.

[lvh]

That (organizations) was in reference to state level actors, which is what GP was talking about.

EDIT: removed bit about 993/587 because you're answering that elsewhere.

[gsreenivas]

gotcha - thanks for clarifying