Feeds

back to article Lavabit founder: Feds ORDERED email providers to stay open

Lavabit's founder has claimed other secure webmail providers who threatened to shut themselves down in the wake of the NSA spying revelations had received court orders forcing them to stay up. Ladar Levison made the claim during a recent Reddit AMA (ask-me-anything) Q&A chat without going into details about the alleged strong- …

COMMENTS

This topic is closed for new posts.
Silver badge

"Forced" to stay open ..

I wonder who has to pay in these circumstances ?

15
0
Gav
Bronze badge

Re: "Forced" to stay open ..

It's an interesting idea. After being forced to stay open, can you effectively do what you want with the business? Run up massive bills, buy outrageously over specced kit, pay everyone double salary and produce a really crappy service that scares your customers away?

At which point the Feds bail you out to force you to remain in business?

Because that sounds like a fun business model.

13
1

Re: "Forced" to stay open ..

I'm guessing that it's not so much being forced to stay open as a running business, it's more to do with not being able to shut up shop and either shred your servers & disk arrays, or terminate the contract with your hosting supplier who then secure erases the disk array you were using and rents the server to someone else.

It's to stop the "Give us all your data now or else! " "What data guv', dunno what you mean? All perfectly legal, see, innit?" scenario that our beloved protectors dread so much.

5
1
Silver badge

Re: "Forced" to stay open .. running up masssive losses

Works for the banks.

5
1

Re: "Forced" to stay open ..

" beloved protectors" I smell a stoolie...

0
0
Gold badge
Unhappy

Re: "Forced" to stay open .. running up masssive losses

"Works for the banks."

Not quite.

They convinced the mugs politicians they were "Too big to fail." In some cases the senior managers of said bands were then hired to run the regulators (in the US).

1
0
Anonymous Coward

RE: "Forced" to stay open ..

Tax payer ?

0
0
Silver badge

How long before being forced to stay open comes as part of the court order to hand over the keys?

3
0
Bronze badge
Trollface

business is booming

Next time, create a separate business for each and every customer.

6
0
Thumb Down

Re: business is booming

Great idea !

Lavabit00000000000001

Lavabit00000000000002

Lavabit00000000000003

Etc...

The feds and the NSA would have to send a letter to each and every one seperately, and of course there's no way the taxpayer is going to foot the bill is there ?

11
0
Silver badge

Re: business is booming

Would be a nightmare to register them all.

2
0
Silver badge

Re: business is booming

"The feds and the NSA would have to send a letter to each and every one seperately"

Actually, the feds and NSA would in theory* have to justify each of those in an individual court order. They couldn't ask for the encryption keys of company Lavabituserx because they were interested in a user whose mail provider was a completely different company LavabitSnowdenEd

*In practice I'm sure their pet lawyers would find a way to twist the law to their desired end results. After all, they found lawyers who wrote official legal opinions saying that waterboarding, sleep deprivation etc etc were not torture, and all those lawyers are not only still free and practicing, they're f***ing celebrities

10
0
Silver badge

Re: business is booming

Has anyone else read Accerando by Charles Stross? A big part is around auto generated corporations and the fun that can be had with them.

0
0
Silver badge
IT Angle

I wonder if this can be tried under property rights clauses in U.S. constitution

I haven't read much on this, or whether receiving a warrant to disclose customer info counts as "due process" in relationship to the government being able to "take" Lavabit and force it to remain open.

0
0
Bronze badge
Gimp

Re: I wonder if this can be tried under property rights clauses in U.S. constitution

Hey, it has to be all legal - after all, Obama's a constitutional scholar, right? So he must know what he's doing.

Obama: "Right to privacy? HA!"

(I want to count the number of mindless Obama zombie fanbois by the number of downvotes this will get)

9
7
Anonymous Coward

Re:count the zombies

I downvoted you for a lack of logic.

0
0
Silver badge

You can't reveal what you don't know

I am at a loss as to why this stuff is so mysterious to people. Sure, people who don't have much exposure to security might be confused, but there must be all kinds of readers here who understand enough...

You can make things almost arbitrarily secure. You can't do that with vanilla Email infrastructure, but who says you have to use that?

You have to trust somebody, but you do not have to place all your trust with a single entity. Rather than design some commercial enterprise offering whatever, we need to design a co-operative protocol that causes data to be stored in a widely distributed fashion encrypted on keys not accessible without the co-operation of multiple parties.

The U.S. government may be able to obtain bogus overly broad warrants but they can't effectively rubber-hose decrypt huge portions of the Internet spread all over the world.

My expertise is somewhat limited when it comes to designing and implementing some of the arcane details, but I am pretty sure I could design and code a brute-force protocol that is extremely costly to attack.

Beyond technical measures, I would require anyone accessing the network to warrant that they will not, under *any* circumstances attempt to intercept communications that do not belong to them.

It has been exceedingly difficult to establish a web of trust to this point but that is because attempting to have security like that has been confined to a small cadre of hard-core geeks too thin on the ground to create critical mass ... and ... tools have been maddeningly difficult to install, configure and set up for inter-operation.

Now that most of us have become aware of the extent of our exposure and what that means, there may well be enough critical mass this time to put in place the secure communications we should have had all along.

10
0
Silver badge

@btrower Re: You can't reveal what you don't know

"You can make things almost arbitrarily secure. You can't do that with vanilla Email infrastructure, but who says you have to use that?"

Well you can*, but you need to exchange keys first.

* modulo the clear text not being intercepted somewhere between being typed into the keyboard and point the email is encrypted on your client machine/device prior to sending. If that's happening, you're pretty much hosed whatever you do mind.

1
0
Anonymous Coward

For Starters: USENET

The protocol is extremely simple:

1.) Publish your GNUpg public key on a number of different sites, worldwide. Make it politically diverse. Russia, US, UK, Japan, India etc.

2.) Ask people to post encrpypted messages to you on a set of USENET groups. Ask them to use a unique identifier plus a codeword. For example "TO_ED_SNOWDEN Haberdasher", "TO_ED_SNOWDEN LameLeviathan"

3.) Write a script to download said USENET groups and automatically decode all the messages addressed to you with your secret key.

Of course you can use pseudonyms. And you can secure all of it using TOR.

If that's too complicated for you, continue using NSAbook and NSAmail and hand them plaintext.

3
0
Bronze badge

Re: For Starters: USENET

Skip the unique identifier. Just decrypt every message posted - the ones not for you will result in a hash fail.

That way an observer can't even extract metadata. All they can tell is how many each person is sending, but not who to nor how many they receive.

4
0
Silver badge

Re: For Starters: USENET

You could do the same thing with a chan-type webpage where anyone can post a message without any kind of header information. Then the page is just downloaded wholesale.

Thing is, what about those with bandwidth restrictions? Trying to obfuscate your message has a price, and unlike with a Times advertisement that price may not be affordable to the paranoid.

And going back to trust, there's also the potential paranoia of the state, one of the most powerful and resourceful agencies around, cooperating or subverting OTHER states and creating a kind of MiniLuv that can subvert enough of a trust system (even a key exchange) to still be able to figure you out.

0
0

Silly people.

Privacy is dead.

Good job all the criminals are now behind bars..... oh wait.....

2
2
Anonymous Coward

all the criminals are now behind bars

In Wall Street? Plenty of bars there.

3
1
Silver badge
Boffin

Off the top of my head.

(Bearing in mind exchange of encrypted data is always vulnerable to the initial key exchange)

1) Choose a book*, obviously in digital form

2) Parse the book into a database. You need to be able to search for words and letters.

3) Encrypt your plaintext by matching words from your book, and noting the position. Obviously you will have many exemplars for common words, so your algorithm should try and use different word positions for repeated words (e.g. "The"). For words not in the book (technical, foreign) you escape and insert letter positions (again mixing them up).

4) You now have a text document which is meaningless without knowing which book was used. (And - see Sherlock Holmes - which edition).

Now you could just generate your own hash table. But then you'd have to distribute it. With the book system, you can distribute the DETAILS of the book by a separate, trusted channel. Say a face to face meeting.

However, my understanding is that the spooks are less interested in the contents of messages, as the sender and recipient relationship. In which case, posting to newsgroups would avoid the link.

*Magazine, newspaper, research paper.

1
3
tfb

Re: Off the top of my head.

I think this is fairly vulnerable to attack. If the bad guys have all the books you have, then they can index them the same way you can and use word/letter frequencies to try and guess which book it is. So for instance maybe "the" and "a" are common words, so they take your message and match it against all the books, selecting ones which look to have about the right density of "the" and "a". For those they then try and match the remaining text until they get something like English.

2
0
Silver badge

Re: Off the top of my head.

It'd also be something of a pain for anyone who needed to receive data from you and others. Storing a (relatively) small key isn't too big an issue, storing half a fecking library because everyone you know uses a different book is a bit of a hassle.

Feels like an appropriate thread to mention double ROT13......

0
0
Bronze badge

Re: Off the top of my head.

When you read that Sherlock Holmes story, did you miss the part where he cracked the crypto system you're proposing?

0
0
Silver badge

Re: Off the top of my head.

"(Bearing in mind exchange of encrypted data is always vulnerable to the initial key exchange)"

Not normally an issue, although you do have to be a little careful e.g. using a bog-standard public key cryptographic scheme the only obvious vulnerability in the initial exchange is associating the user ID with the public key, and there are ways to easily check that without needing a big PKI set-up.

0
0
Silver badge
Facepalm

<Yawn>

Asked to go into details, Levison responded: "I didn't ask and my source, who shall remain nameless, didn't tell.”

Translation = large pile of steaming brown stuff, generated whilst desperately trying to puff up his rep with the sheeple.

0
17
Bronze badge

Re: <Yawn>

Obviously you've neither appreciation nor experience of the wrath of a thwarted government authority ... most esp. a US authority that perceives its position as invincible and unassailable. Pray you never need know.

5
1
Silver badge

Re: <Yawn>

It's happened on a number of occasions. I've been privy to some of the mechanations.

Not just sites like Lavabit, Various owners of websites containing "discussions of interest" have had a knock on the door and been handed a court order.

And no, they don't reimburse. You keep it running on your own dime or you cool your heels in a cell.

3
0
Thumb Up

Re: <Yawn>

I got more time than money.

0
0
Silver badge
FAIL

Re: Gray Re: <Yawn>

Obviously you have a very limited appreciation of reality. Lavabit was selling a dud product yet still managed to turn a dime doing so because of the paranoid. He now wants to sell a new dud product, hence the sales pitch. I suggest you unwind your tinfoil headgear and get over yourself before your next post - you are of zero interest to anyone, let alone the authorities.

0
10
Bronze badge

Re: <Yawn> @Plump & Bleaty

> Translation = large pile of steaming brown stuff, generated whilst desperately trying to puff up his rep with the sheeple.

Hey ewe, I know you're going to struggle with this due to your inability to comprehend that other people are any more than text in your browser and might even have their own existence with views that (deep breath lambchop, this is going to hurt) aren't the same as yours but you are really pissing people off.

Keep calling people sheeple and I'll take an interest, and I have the time and you are entertainment enough for me to make the effort again.

Now, just to get things going here's my arse and doubtless you can find a plate to present back to me the one upon the other. You know, just like you do every time I pushed you into a corner and had you denying the colour of your own socks just so you could pretend you didn't get it wrong (lovely bit, that, about reading text through envelopes at high speed via the carbon in the ink via x-ray fluorescence. Even the paper you quoted showed you up).

Reminder: you are the biggest, fattest, bleatiest sheep here. And on linkedin, which you aren't a member of because yours is a nom-de-plum.

4
1
Silver badge
Happy

Re: Loser Re: <Yawn> @Plump & Bleaty

"....you are really pissing people off...." Stop whining and admit what really gets your goat is you know it's true, you desperately want to believe you matter, that you have a purpose in life other than being just a biological happening. News flash - you are not Neo. Grow up, get over yourself and try some independent thought for a change.

".....Keep calling people sheeple and I'll take an interest...." Obviously very little going on in your life then, haven't you got homework you should be doing? Or is it that you have a personal interest? Did you spend your pocket money on a Lavabit account so you could send your one equally sad friend "seekret messahjezs"? Or do you have some woolly scheme of copying Lavabit's "secure email" service and making some cash off your fellow sheeple? After all, all that Ritalin you must take probably can't be cheap.

".....just like you do every time I pushed you into a corner and had you denying the colour of your own socks just so you could pretend you didn't get it wrong...." Oh dear, you're still insisting all those times you've been shown up for a complete moron were somehow your "victories". But then I suppose without those fantasies of success to keep you going your whole life would just be o be long failure. And you're trying to relive those "victories" by going back to old topics (where you took a mental thrashing) instead of admitting that - once again - you cannot argue the the topic of the current thread. Keep on denying, it only makes others laugh the harder. All your posts do is reinforce the image of the whining, bleating, shrieking sheeple.

0
6
Bronze badge

Re: Loser <Yawn> @Plump & Bleaty

> Stop whining and admit ...

MBZCC

> Obviously very little going...

MBZCC

Oh dear, you're still insisting ...

MBZCC again! Hattrick from plumps, he does it again!

Smashed me into the ground again plumpo, I haven't got such a kicking since last time you ground my face into the grass. Truly you are a sheep with the heart of a lion. Overstating it a bit, perhaps a dog? Well, maybe a goat. Maybe not a goat but something clearly dangerous in skilled hands, like a sharp tool. Hmm, that could so easily and incorrectly interpreted as a cheap double entendre, perhaps more like a grape on the supermarket floor that you step on and so nearly go over? Less a grape, something more dried out, reduced... - a raisin? I think so. More sheep-dropping-ish.

Plumpy, you are the raisin of death. I lift my glass to you.

2
1
Silver badge
FAIL

Re: Loser Re: Loser <Yawn> @Plump & Bleaty

And once again, BlueGreen, you demonstrate you simply do not have the capability to discuss the topic of the thread, only that you don't want anyone to question the opinion you have been spoonfed as The Truth. I suppose it must really hurt you to even try to consider that Levison was happy to squeal long and loud about what he claims were Fed attempts to silence him, but suddenly goes all shy when asked to provide some evidence of his claims that others have been silenced. ROFLMAO! Your consistent failure provides nothing but amusement.

0
3

Lots of people coming up with solutions that suggest the NSA etc have to work within the law, recent events have clearly shown that they don't and that existing laws will be amended to suit them.

6
1

Security and Ethics

I think Marlinspike has some good points; however, I think that Lavabit (Levison) provided a reasonably secure service, and the fact that Levison was willing to shut it down instead of compromising his customers says a lot about him as a person. Yes, his service could have been more secure, such that even with his own keys, the lock could not be picked, but to my mind, that is beside the point of this exercise.

2
1
Bronze badge

Re: Security and Ethics

I don't fully understand the technicalities, but it seems to me that the key that he was compelled to surrender might not itself allow him to read his users' e-mail, but if he intended to crack that, using NSA-type resources, it would help, a lot.

How is it anything but creepy that they photograph every envelope that they deliver to anyone in the country? Including presumably lawyers and police and such.

1
0
Bronze badge

@Robert Carnegie Re: Security and Ethics

"How is it anything but creepy that they photograph every envelope that they deliver to anyone in the country? "

Now we know why US letters bear the sender's name and address on the envelope as well (metadata).

0
0
Big Brother

Not allowed to be secure

"DoJ attorneys also dismissed Lavabit's argument that disclosing its encryption keys was incompatible with offering a secure email service. Marketing a business as a "secure" service to consumers provides no legal obstacle to court orders"

Or in other words: you're not allowed to secure yourself against your own government.

Even if that government is basically a fascist regime, clearly in the wrong, and in serious violation of your human rights.

Which is exactly why you'd want to secure yourself against it in the first place.

Hmm.

2
1
Silver badge

Re: Not allowed to be secure

Whilst no fan of this, it does have to be pointed out that it has been like this probably since government began. The leader (this can include multi-party governance as well) thinks he is the right one to be leading, no matter how objectively correct that opinion is, and there are always functionaries who will garner information on his (their) enemies for a number of reasons. Let's not forget that Walsingham his a hero to a great many people* because he intercepted communications between private people - Catholics - who had a different point of view about how England should be run, and so probably contributed to a great change in the path of European history. The fact the Soviets (for example) did exactly the same makes them bad people ...

To me, the question is not "Should it be done?" but "What are the limitations and protections that should be placed on it?" Given that we are in an extremely low-risk world at the moment (religious nutters don't constitute a serious threat, and the number of countries we should worry about is small and most nominally constitute our friends), the limitations on internal surveillance should be high, and the level of spying on other countries should be at the usual background level for that country.

*Including me.

1
1
Big Brother

Re: Not allowed to be secure

The problem with your argument is that it assumes those in "power" represent themselves (and their associates), not the electorate, which isn't in fact supposed to be the case in a democracy. No democratic government has a mandate to do unto the people anything not sanctioned by the people, and I'm fairly sure very few of those people would sanction their government engaging in wholesale spying without probable cause and a warrant.

But then I keep forgetting that the US is not a democracy, and indeed wasn't even established as such, it's an elitist republic.

3
1
Bronze badge

O Rly...?

"DoJ attorneys also dismissed Lavabit's argument that disclosing its encryption keys was incompatible with offering a secure email service. Marketing a business as a "secure" service to consumers provides no legal obstacle to court orders"

Well in that case I also fully expect the police, firefighters and ambulances to give up their entirely baseless priority privileges over every other vehicle. After all, their need to reach their destination quickly provides no legal obstacle to obeying the same traffic laws as everyone else has to. </sarcasm>

3
1
Silver badge

Re: O Rly...?

Except THEIR services ARE under government mandate AND described as "life-saving". Providing a secure e-mail service doesn't have a direct effect on whether people live or die. Stopping a shooter, putting out a fire, or rushing a heart attack victim to the hospital DOES. Meanwhile, history has shown that private companies in such a service can "go mafia" and start protection rackets (once upon a time, fire services were private until THAT bit), so they made most life-saving services answerable to the government and thus the people.

Oh, and before you thing it went over my head...(Reveals the cricket ball that tried to go over his head, only it's too torn up to be worth using). I'm not responding to sarcasm but to BAD sarcasm that can easily be taken seriously.

2
0
This topic is closed for new posts.