NSA-resistant email service Lavaboom goes BOOM! (we think)

Snowden-inspired crypto-email service Lavaboom has apparently gone titsup, according to several net sources. Rumours that the German encrypted mail service was no more surfaced through an ex contractor Piotr on the blog of rival ProtonMail, before getting picked up and discussed on Reddit. Attempts by El Reg to reach the firm …

  1. Pliny the Whiner

    Shit out a bucket of kittens

    That title should keep the security agencies out of this post.

    I sometimes wonder if the NSA and GCHQ put on these big disinformation productions (such as intense court battles for decryption keys) to assure the world that there's some encryption they can't break, even if they really can. If you never hear from me again, you'll know the answer is "Yes."

    1. streaky

      Re: Shit out a bucket of kittens

      Maybe you're the disinformation station making us all think that crypto doesn't work so we don't even bother. Ever thought of THAT?

      No kidding even arguing over this stuff is absurd, I imagine they can break a lot of stuff but we have a fair idea what's relatively weak and what's relatively strong. No doubt the NSA (and GCHQ) have smart people working for them but if they could break everything everywhere their capabilities (Snowden et al) wouldn't be such a shit-show around this stuff and they wouldn't be so focused on breaking into things and rootkitting things.

      1. Anonymous Coward

        Re: Shit out a bucket of kittens

        "Maybe you're the disinformation station making us all think that crypto doesn't work so we don't even bother. Ever thought of THAT?"

        Nope. There's some they cannot break. Anon for obvious reasons.

    2. Koconnor100

      Re: Shit out a bucket of kittens

      The theory of encryption isn't that hard to understand, and it is surprisingly easy for a single person to write an encryption routine that uses, say, a photograph you shot with your cell phone, as a key.

      So yes, there likely is a lot of "custom" encryption out there that the security agencies are trying very hard to keep from being passed around, because it would sink them.

      The only real problem is the masses don't know how to upload such a photo to their computer and then find it so they can use it as a key, though even minimally experienced computer techies will have no problem.

    3. as2003

      Re: Shit out a bucket of kittens

      I doubt encryption is a major concern of theirs. Especially when they'll have a library of zero-days for every major OS, many popular apps, programmes and firmware. And why use your valuable zero-days when you can just coerce Google/Apple/Microsoft/etc to just hand you the keys to the front door?

  2. alain williams Silver badge

    Code on github

    Well their source code is up on github, so if anyone wants to continue their work they can do so: https://github.com/lavab

    A sensible idea to make it open source -- who would trust anything like this if it were not. However: they were going to run it as a service, I don't know how they were intending to demonstrate that the code that they were running was the same as the code on github.

    1. Koconnor100

      Re: Code on github

      Running a service is a mistake, especially for a single individual.

      Building an email client that encrypts before it sends, and then sends garbage like

      kdso7 34ij2 ab,x3 kdso7 34ij2 ab,x3

      kdso7 34ij2 ab,x3 kdso7 34ij2 ab,x3

      kdso7 34ij2 ab,x3 kdso7 34ij2 ab,x3

      kdso7 34ij2 ab,x3 kdso7 34ij2 ab,x3

      would be easier. Just download the client and use it with your regular email service.

  3. streaky

    Can't Exist in a Bubble..

    The whole reason these services are doomed to fail is that they exist inside a little bubble. Focus should be on getting everybody using secured email by making it both stronger and easier for normal people to attain. Lava* services never did this (they mostly only appeal to people who already know how to secure their communications anyway) so even if nobody turns up with a warrant they're inevitably doomed to failure in the long-run.

    1. Anonymous Coward
      Holmes

      Re: Can't Exist in a Bubble..

      The way I see it, sending and receiving encrypted message/mail/files... needs to be as simple as what people do with paper mail and packages. It's not that people are id10ts, they aren't, it's just too damn easy to screw it up putting not only the sender and receiver's conversation at risk but the keys themselves too. Even the most thoughtful users can blow it. [That doesn't even take into account having different grades of keys and selecting the right one every time!]

      "Most problems are simple. Simple things are hard." [L. E. Modesitt in case you're interested.] Solve it and likely fame is yours. Then the TLA's will be mostly back to smaller scale compromises. With a lot of luck. Maybe?

  4. Anonymous Coward
    Unhappy

    Pluto Mail also

    I had a notification a couple of days ago that Pluto Mail was closing. At least it came with enough notice for me to change a whole bunch of subscription services.

    That's about the fourth decent free mail service that has closed now. It may be time to throw some cash at Protonmail in the hope they keep going.

  5. Henry Wertz 1 Gold badge

    Hmm...

    I guess it's a fair question... the warrant canary hasn't been updated. I'd guess it's due to funding but....

    On the one hand, you would HOPE that if they are in the process of closing up shop due to lack of funds, SOMEONE would be able to say "The warrant canary died of natural causes, we're simply closing up shop".

    On the other hand, I HAVE seen and heard of those businesses where, instead of wrapping up the business in an orderly fashion when it becomes clear they aren't going to pull through (or attempting a restructure if possible), they'll just run the accounts right to zero, no recovery plan, but assure the (now unpaid) employees that things'll work out if they stick with it. Needless to say in those circumstances, people tend to just walk off the job and things are NOT wrapped up in an orderly fashion. I would fully expect the warrant canary person to just walk off without so much as a post in these types of circumstances.

  6. Anonymous Coward
    Go

    Protonmail....

    ...there is hope in the form of Proton Mail.

    They've recently updated the site and it is easier to use than ever. Open source code if you want to check it out:

    https://protonmail.ch/

  7. mike acker

    special service not needed

    1. before any discussion of security can begin you have to have a secure operating system. a secure O/S is one which will not allow itself to be compromised by the activity of an application program and which prevents any one application from compromising another application.

    it is generally agreed we don't have such a system although it is also agreed some options are much better than others. Get LINUX.

    2. with LINUX you get the Thunderbird e/mail client, ENIGMAIL and the Gnu Privacy Guard -- GnuPG -- all included. and all this stuff is free.

    3. n.b. nobody is going to do this for you; nobody is going to give you security.

    4. generate your key-pair and start learning.

    1. John Tserkezis

      Re: special service not needed

      "2. with LINUX you get the Thunderbird e/mail client, ENIGMAIL and the Gnu Privacy Guard -- GnuPG -- all included. and all this stuff is free."

      There is a windows version too. Install and use procedures are basically the same, except for some of the code of course.

  8. tom dial Silver badge

    Every OS is likely to have vulnerabilities, and they will be zero day vulnerabilities until their existence is found and disclosed. While I prefer Linux for various reasons, provably better security is not one of them. In particular, I do not think it is reliably established that it is less subject to software vulnerabilities than Windows or MacOS; OpenBSD or FreeBSD may be more secure, but I do not think such a claim is provable.

    Thunderbird, Enigmail, and GnuPG are equally available for Windows as Linux, and seem also to be available for MacOS, FreeBSD, and OpenBSD. They take a bit of effort to set up and use, but no more than most ordinary users - if motivated - are capable of, and not much more, if any, than ProtonMail. In my experience, it is difficult to convince most people that email encryption is worth any effort at all.

    ProtonMail may provide easier to use public key management than GnuPG or PGP, but it seems to require users to trust them.

    For nearly everyone, the security of either ProtonMail (or similar services) or Thunderbird with Enigmail and GnuPG will be entirely adequate, as they are not, in fact, targets of any SIGINT or law enforcement agency.

    Anyone seriously concerned about intelligence and law enforcement agencies should use other methods than email, or should handle all email encryption or decryption on equipment built from rather old components; enclosed in a windowless, soundproofed, and electromagnetically shielded room and powered with a battery or generator within the room; and never connected to the internet. Encrypted messages should be transferred from and to that machine using media that cannot convey malware. CDs or degaussed and freshly formatted floppy disks probably are ok for outbound, but are a risk for inbound, for which, paper and typing may be the only safe way. For such cases, ProtonMail might be a good delivery vehicle for messages already encrypted using GnuPG, as it seems to provide metadata security that may exceed what is possible for Enigmail with GnuPG.

  9. Anonymous Coward

    Alternative to Lavaboom

    For the ones who now need a new encrypted e-mail provider. https://www.ghostmail.com They also have encrypted chat and storage.

  10. This post has been deleted by its author
