Last October, a startup called Helm announced a $500, plug-and-play home email server that was designed to be a secure, decentralized, privacy-oriented alternative to using one of Big Tech’s email systems like Gmail. It was potentially even more robust than using email from a privacy-oriented provider like Riseup or Protonmail, because your metadata would not be stored anywhere except in your home.
Micah Lee is a computer security engineer who was formerly a staff technologist at EFF; now he works at The Intercept. For several months, he’s been hosting his personal email on a Helm device in his living room. He’s just published an excellent, in-depth review of Helm, including a preliminary security audit.
His conclusion: largely positive. Helm’s biggest security gap is the lack of an intrusion detection system that can warn you if someone is trying to hack it (this is in the works); but it has a “proximity-based authentication” setup that makes it much harder to phish an account (it also means that any time you set up a new account or a new mobile device to manage an existing account, you have to be within Bluetooth range of your Helm device, which might be a problem if your phone breaks while you’re traveling).
The service itself works just like you’d expect a traditional, POP-based email service to work. Using a program like Thunderbird, you fetch your email and it just shows up in your inbox. The Helm doesn’t support server-side filtering (a feature that power-users who already run their own mail-servers might miss), but it is otherwise functionally identical to a managed, data-center-based mail server, except that it lives in your house. Helm provides DNS and other back-end services, and even includes a domain with the hardware (you can also use an existing domain).
I don’t think I’ll be getting a Helm, but only because I have a better “self-hosted” solution that most people don’t have access to (Ken Snider, Boing Boing’s amazing sysadmin, hosts my mail for me on a server he personally manages). If I didn’t have access to this kind of one-off, non-scaleable solution, I’d definitely be willing to pay $100/year to get email from Helm, especially in light of Micah’s positive review.
I believe that Helm’s technical infrastructure is well-engineered from a security perspective. It uses best practices (I go into greater detail in the “under the hood” section below), I don’t see any obvious flaws, and, though I haven’t made a thorough comparison, it appears to offer similar security as most small, well-run email providers. Basically, the only attackers who can get in are those armed with expensive zero-day exploits — exploits that rely on bugs that the software-makers themselves don’t even know exist and thus have not been able to release security updates for. An attacker would need to find a zero day for software Helm is known to run, like Dovecot, the open-source email server. The vast majority of attackers will remain locked out.
That said, there are some security tradeoffs involved with using Helm and some areas in which the system’s security could be improved.
If someone does manage to hack your Helm, you probably won’t notice, unfortunately. Sreenivas told me that Helm doesn’t have an intrusion detection system at this time. “We plan to summarize failed attempts in a weekly digest email,” he told me, “but alerting on actual intrusion is something we haven’t defined yet.”
Avoid Surveillance with Helm, a Home Server Anyone Can Use to Keep Emails Truly Private [Micah Lee/The Intercept]