Slashdot Mirror
Silent Circle Follows Lavabit By Closing Encrypted E-mail Service
Okian Warrior writes "Silent Circle shuttered its encrypted e-mail service on Thursday, in an apparent attempt to avoid government scrutiny that may threaten its customers' privacy. The company announced that it could 'see the writing on the wall' and decided it would be best to shut down its Silent Mail feature. 'We’ve been debating this for weeks, and had changes planned starting next Monday. We’d considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that the worst decision is always no decision.' The company said it was inspired by the closure earlier Thursday of Lavabit, another encrypted e-mail service provider that alluded to a possible national security investigation."
Does anyone have replacement recommendations for people who used these services?
The US government is basically forcing technology firms to move else where.
In USA, if you google search specific terms will result a visit from the authority (hint pressure cooker and back pack). In China, if you want to find something the government does not want you to know, you just can't find it. I don't know which one I like best.
Does anyone have replacement recommendations for people who used these services?
The first rule of Fight Club is: You do not talk about Fight Club.
Encryption should be end-to-end. How can you trust someone else to do it for you?
Watch this Heartland Institute video
Does anyone have replacement recommendations for people who used these services?
I would say "something hosted outside the US", but as the international banking community has shown, Uncle Sam's jack-booted foot extends well outside our own borders.
So that really leaves "GPG" as you sole realistic option. End to end encryption, with no one but you and the recipient knowing what you wrote. Of course, "they" can compromise either end, but it deprives them of the ability to funnel everything on the wire into their data centers for 4th-amendment violating goodness.
Or, we could all go back to writing letters. Oddly enough, that still has more legal protections behind it than any other form of communication.
The same thing the Fourth Amendment is for. Keeping out people who have no business reading your mail.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Anyone who thinks their private communications should be just that... private
"Cursed is he who rises early in the morning..." Isiah 5:11
The customers of the company I work for do not like it when their blueprints are publicly available. Would you like to have your code and documentation searched by gmail to show ads? (What information do these ads leak to the company that pays for it?)
And any "alien" Amazon, Microsoft, Yahoo or Google cloud data is up for collection by the NSA. Sounds like a good reason to encrypt at least some of your mail.
extern warranty;
main()
{
(void)warranty;
}
The company announced that it could 'see the writing on the wall'
They were however not able to read it.....
---
political types who don't want their election strategies sent to the their opposition because someone at the NSA supports the other political party. political dissidents in "friendly" countries like Saudi Arabia who would be turned over at the drop of a hat. people who are negotiating contracts with the government and don't want their negotiating strategies revealed. whistleblowers.
Encrypted messages sent by pigeon carriers worked in the past!
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
So i guess, you didn't use envelopes for your mail before email?
Why use clothes even? What do you have to hide?
Why whisper?
That's right... it's called privacy.
I don't think Silent Circle would commit an effective suicide just preventively. Lavabit, while technically not saying a word about NSLs, told us very clearly what the request was. If the government criminals are not idiots, they learned and worded the Silent Circle order in a way that prevented such disclosure.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
So what'd be "encrypted email" for?
It's like the envelope in snail mail. You put your mail in an envelope to protect it until it arrives at its destination, don't you? Encryption accomplishes the same thing for e-mail.
Under "Technical Restrictions," they list
use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers
However, I don't think they go to the trouble of enforcing this very often.
Does anyone have replacement recommendations for people who used these services?
Citizen, we welcome you to use the new service at secure.nsamail.com. This will ensure that no terrorists, paedophiles, or drug dealiers co-opt your email account for their nefarious purposes.
Thank you for your cooperation.
Silence is a state of mime.
The issue that Silent Circle points out is that SMTP is inherently unable to provide security against traffic analysis. Even if the body of the email is encrypted, the headers cannot be.
So yes, you can run your own email server, and require that only gpg traffic pass through it. But that won't keep you secure against traffic analysis (aka "metadata collection") with collection performed at your ISP.
Open WhisperSystems (https://whispersystems.org) doesn't have encrypted e-mail, however they do have Android-based encrypted phone (RedPhone) and text (TextSecure) capabilities. They are working on iPhone releases in the near future of their products. Btw, all of it is open source and they DO release the source code as well.
Running a mail server from home is near impossible on most ISPs. The majority of ISPs block incoming traffic, and in some cases even outgoing traffic, on port 25 (SMTP). Even if you can get around this using alternate ports, chances are your ISPs IP range is blanket blacklisted by most anti-spam lists.
Your best bet for privacy and control of your e-mail would be to setup a collocated or rented server. You'll have to configure some sort of encryption for your e-mail messages in case the data center gets raided and the servers/hard drives confiscated.
In the end, your SMTP traffic can still be sniffed acrossed the network anyway, since most SMTP traffic is unencrypted.
Their statement about closing the service specifically said they hadn't been contacted so if they have been contacted then they didn't just make an ommission it would have been an outright lie.
Because Lavabit has been officially contacted they can't destroy any data, they can shutup shop to prevent anyone else falling into the net which is what they have done but for anyone who have already used the service and have any data already on the Lavabit servers, it's just a matter of time before their data is decrypted one way or another..
I suspect that Silent Circle are shutting up shop before any warrents arrives, that means that it's completely legal for them to destroy any and all data they have. I wouldn't be surprised if the data is already wiped at a software level and the hardware destruction is either in progress or getting planned.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
With that in mind, why do we put mail in lined envelopes? People do not seem to remember that email is sent plain text. Can be read by anyone. If you do not care who reads it, then why just have one recipient? CC everyone? CC the NSA and CIA? The conversation I share with people is not sensitive, not dangerous, does not contain anything that would cost a person their life. That conversation though, is between the person and myself. I feel uneasy using email due to this reason.
The customers of the company I work for do not like it when their blueprints are publicly available. Would you like to have your code and documentation searched by gmail to show ads? (What information do these ads leak to the company that pays for it?)
And any "alien" Amazon, Microsoft, Yahoo or Google cloud data is up for collection by the NSA. Sounds like a good reason to encrypt at least some of your mail.
Using SMTP to transmit that kind of info in the clear is a bad idea, even if the endpoints are credible. Interception is your biggest risk if you are two known parties trading in proprietary information, and probably doing so to/from fixed geographic locations as well. Why not encrypt the payload to guard against this?
What an encrypted email service does is different, they offer a quasi-anonymous way for people to send/receive email so that they can accept messages from unknown parties and trust that the contents will be a secret (if they arrived without being snooped). A person in Snowden's position is attracted to this because he can trade emails with otherwise uninvolved persons (who wouldn't necessarily be subject to scrutiny by the feds or "evil corp X") and the only real "link" between any of those parties is heavily encrypted on the server (and the provider doesnt even hold the keys) unless a snooper gets really lucky and intercepts enough of them to put the pieces together.
Does anyone remember when the press covered stuff like this? Before 2009, the Lavabit shutdown would have been national news. Everyone would have known the name of Lavabit's owner.
His name is Ladar Levison.
Lavabit and silent circle inspired me to think about some kind of peer to peer distributed email system.
Although currently everyone can install an email server (e.g. there are several available in debian). It is not what would solve the problem. Not just because it requires technical expertise, but also because it requires too much dedication on your side to maintain your freshly installed server. Also to make sure it has outside access with SMTP port, and so on. Not mentioning that it needs about 100% uptime. Such solution is too much centralized.
I was thinking about p2p email more like this one which I googled right after I had this initial idea. This is a proof of concept so it can work.
Key features would be:
1) uses p2p distributed encrypted file system, like tahoe
2) each p2p node can act as email receiver/sender
3) to send email to someone you use nick@1.2.3.4 where 1.2.3.4 is any IP that is running p2pemail. Simplest would be 127.0.0.1 if you just run a p2pemail node yourself.
4) everyone can have p2pemail account, just connect via https to nearest p2pemail node. It can be running on your computer or anywhere else. Doesn't matter. This just requires setting up an account name on your side, and a lenghty password, which is also used as a sha256 seed for private key for encryption of your emails and also as a PGP signature for you emails.
5) PGP signing emails would be so easy, that it would be a new standard.
6) all encryption and decryption is done locally on your computer either in javascript or in your email client. Just make sure that your browser and computer are not compromised.
7) if any of p2pemail nodes are running compromised code (eg. like compromised tor nodes) they still cannot read your email, because they have no acces to your private key. The only hope they can have is to monitor when you are accessing your data, but only if a request to the compromised node is made.
8) even if huge NSA datacenter decided to store all p2pemail data, they still cannot read it, and have nobody to file a warrant to.
If we combined that with bitcoins we would get additional (optional) features:
9) buy storage with bitcoins, while buying decide how many copies of your data you want to have (can change this anytime later). Offer any price you want, lower bids might not be taken.
10) provide encrypted storage space and get paid. If you store multiple copies of same data (might be possible before p2pemail gets popular) ensure that at least it is on different physical locations, otherwise you might be compromising security
11) create whitelists with people from whom you want to receive email, add mandatory bitcoin fees if anyone not on the whitelist wants to send you email.
12) You can create various stages if whitelisting, depending on domains you can define different prices to receive email. Or you can say that first email is free for everyone, and each next will be paid or not depending on if you received spam. Or configure spamassasin to decide for you.
PROBLEM: where do my friends send email to?
ANSWER: your_nick@p2pemail.org/net/com/info (we need to register many domains, and use many IPs to resolve those dns-es)
PROBLEM: Will my address still be the same after long time?
ANSWER: your nick in p2pemail will be the same, tell your friends that if they cant send email (eg. govt seized all p2pemail domain names), then they have to find some p2pemail node. Google it, or install one themselves. If they can't do that, you can solve this by installing a node yourself, and making sure it has the same domain name all the time. Services like dyndns can help you with that.
well maybe that's just a pipe dream. But the proof of concept implementation that I linked above gives some hope. What do you think?
#
#\ @ ? Colonize Mars
#
I'm on the verge of installing this Enigmail addon for Thunderbird, however as Thunderbird still uses my web based mail provider it will still show who it's too and from etc, does anyone know of a completely peer to peer e-mail system which could get around this?
In a cybernetic fit of rage she pissed off to another age...
This is the reason why the fourth and fifth amendments exist. The fourth/fifth amendments does not exist for the purpose of protecting criminals. The fourth/fith amendments exist to protect innocent citizens from otherwise accidentally incriminating themselves. If it's extremely dangerous (and often incriminating) to speak to the police for a few hours in an interrogation, imagine what the police could do with years worth of email conversation.
This is how it works:
1) The government suspects you of a crime (rightly or wrongly)
2) The government looks up your email history to try to find something with which to convict or embarass you (do you honestly think that if you have years of email conversations that there's not SOMETHING in there that could do this?)
3) The government uses that as leverage against you
Remember, most people "don't have anything to hide", and therefore don't care that much about their privacy. The problem is that most Americans commit 3 felonies a day, and therefore, by definition do have something to hide, even IF they've done nothing wrong intentionally.
If you think it can't happen to you, think again. They searched for years and eventually found something to prosecute him with.
Seriously, watch the first video. 15 minutes now could very well save you from a life of jail, if the police come knocking.
-=Lothsahn=-
It appears that what is happening is that the government is applying pressure to anyone who enables communication in a way where the government cannot detect who is talking to whom. This is a logical extension of the methods that Snowden leaked. He showed that they already have full coverage of the metadata of phone calls, texts, emails, and webpage views routed through the US. The leaks have pressured the US to close the loops. This is a very dangerous threat to our Constitutional rights. Secrecy does not equal guilt, and our founders went to great lengths to enshrine that principle in our Bill of Rights.
Both Lavabit and Silent Circle closed by their own will. What government agents did, or will do, is to force all secure mail providers to give them a backdoor for them to access all that "secure" mail (or else put them in prison). So, for that reason, will not be any secure/private mail in US, if someone claims that do, or is lying already or soon will face the choice to lie to its customers or close.
Does anyone remember when the press covered stuff like this?
It was second from the top on http://www.bbc.co.uk/news/ this morning:
http://www.bbc.co.uk/news/world-us-canada-23627656
The government wanted them to be open, but with a backdoor, not closed. And the enforcing of that backdoor was, for the case of Lavabit, giving them the chance to go to jail for helping Snowden or put their backdoor.
Not only that, many _other_ ISPs won't send mail to mail servers located in comcast space or accept mail coming from comcast space. It's why I set up my own colocated server. The problem with that is all the difficulties dealing with such a system including spam and attackers.
The last time I checked I was getting a bit over a million ssh break in attempts each month. I eventually blocked all of Taiwan at my firewall due to the majority of attempts coming from their address space.
The other issue is with the colocated site address space. Since I have no control over the other addresses they host, DNS blacklist sites that blacklist IP ranges prevent mail from my mail server from being delivered. There are some sites that will let me communicate with their NOC and get put on a white list but there are others, like shaw.ca, that have no way to communicate with them to get off their list. They want me to contact the DNS blackhole sites they use but the DNS blackhole site has no way to get off their list (it's been a while, I remember shaw.ca).
And Microsoft sucks. They have my server blocked with no way to clear it however I can pay a fee to Microsoft to open up my server to Hotmail (for example) so I can send advertising. And on the funny side, Microsoft only blocks me about 50% of the time.
[John]
Shit better not happen!
> Does anyone have replacement recommendations for people who used these services?
For those from outside the US, your best bet is probably to use small, local players who might not yet have had pressure applied to them. For those inside the US, I have one recommendation: run for Congress.
Yes, exactly. In today's world, everyone is probably a felon and doesn't even realize it. That's exactly why it behoves us all to jealously guard our privacy, even when we shouldn't have to. It's not paranoia, it's simple prudence. I don't lock my doors because I think I'll be robbed. I lock my doors because I'd be foolish not to.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
That will work. Right up to where law enforcement says anyone posting/downloading encrypted content from such forums is dealing in child porn. Guilty unless you prove your innocence.
Have gnu, will travel.
Can happen, has happened.
I can't find any name now, but there was an incident many years ago when police in the US charged a man with possession of child pornography after an internet investigation lead to his IP address. It turned out to be a mistake on their part - when the family were eventually able to get an independent examination of their computer (Which itsself took months, as the prosecution considered it evidence and refused to permit access) it was found to be infected with a trojan that was responsible for relaying the images around the internet. It was very embarrassing for the prosecutors - but during the investigation they noticed that the accused, while in high school, had once shown a Playboy issue to a friend. So they offered him a plea: They'd drop the possession of child pornography charge if he instead confessed to the lesser charge of 'distributing pornography to a minor' and registered as a sex offender. IIRC, he eventually got off by taking his story to the media - even had the story shown on a TV program (50-50?) about overzealous prosecutors, and all charges were drops to quell public outrage.
I can't find a name now though, because all google gives me is page after page after page of false results - a mixture of people discussing 'sexting' and news stories on unrelated events.
Last time we brought this up on here, some jagoff went berzerk about how he was a respectable family man with a job who had never committed a felony blah blah blah.
The government and public education system has already won the war on the Bill of Rights by confusing and corrupting what they mean and what they're for in the minds of those they've churned out into society.
Remember when the press in the USA covered stuff like this?
All the comments on that book about "3 felonies a day" say:
You can find more there, but in essence, there is no mention of what 3 felonies the "common man" is doing per day. Is there any? Is this not FUD?
Don't get me wrong, I think everyone should have privacy, and we do have "stuff" to hide, but I also believe in the truth, and it would seem you, and that book, are spreading FUD.
... SMTP is inherently unable to provide security against traffic analysis. Even if the body of the email is encrypted, the headers cannot be.
I2P-Bote is one alternative, an experimental distributed e-mail system which addresses the header issue. It's implemented as a distributed hash table with connectivity through I2P. The design allows senders and receivers to remain anonymous, in addition to encrypting the content of the messages.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
The likelihood is about 100%.
As seen on Slashdot. And if they're helping a much less powerful and reaching government than the U.S., what do you think the odds are of them helping the U.S. too?
Liberty in your lifetime
TLS and encrypted IMAP protect the path, not the content. Only if you deliver directly to and receive directly from the other endpoint is there known protection. Any relay in the system might not store the message encrypted on disk and might not relay on with TLS.
Encryption of the body itself is the only real way to protect the message completely. And that shouldn't need a third party like Lavabit or Silent Circle to do as it is a mail client function.
Trying to become famous by taking photos. Visit my homepage please.
That's precisely why, in today's society, exercising one's basic, constitutionally protected civil rights is called "probable cause".
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
If you have nothing to hide, you have nothing to fear. Freedom is Slavery. The government is here to help.
It sounds like we're trending towards not being allowed to encrypt our own stuff because that automatically means we're doing something shady. There's all sorts of reasons I might want to encrypt information that have nothing at all to do with American national security.
Hopefully some non-American company will step up to the plate and give us this, and we can send a big "Fuck You" to the NSA that says we'll encrypt if we want to, and you can eat shit. My rights aren't defined by your security interests.
Sorry, but the rest of the world doesn't give a crap about what you want, and want to retain our privacy without having to cede it to the US government.
Thanks America, you've now essentially broken the internet, and are only going to make computing less secure for all of us. Welcome to the new world, where industry and government demands full control over technology in order to enforce their will on us.
Lost at C:>. Found at C.
Who gives a damn?
I see no reason to defend the situations in which I could choose to encrypt something. I am not going to open my stuff up to you so that I can prove I'm not a terrorist unless you have something to suggest that I am. That's not how it works in a free society.
This "we'll assume everyone is guilty and ignore the ones we don't care about" mentality is crap, and in complete opposition to privacy, freedom, and everything else the US claims to hold so dear.
It doesn't matter if I'm discussing something I'd like to patent, my financial statements, my medical condition, having an affair, or planning to BASE jump off a building -- it's none of the governments business, and without evidence to suggest I'm doing something they need to be concerned about, they can fuck off.
This is just an undue control over your citizens, and sadly, everyone else on the planet since these guys are tapping pretty much everything.
That more an more people might choose to encrypt on general principles is something the NSA is just going to have to learn to deal with -- because I see no point in helping them any more than I can avoid.
America is rapidly becoming some of the same things they used to criticize the Soviets for. And that is sad.
Lost at C:>. Found at C.
The fourth/fith amendments exist to protect innocent citizens from otherwise accidentally incriminating themselves.
And even more specifically, the fourth and fifth amendment exist to protect innocent citizens from being forced into incriminating themselves by an overreaching government who is trying to silence dissidents.
People frequently overlook the historical context of the Bill of Rights. You have a bunch of people who had just fought a revolution against a government that they believed was oppressive, and they were trying to safeguard themselves against falling under another oppressive government. The Bill of Rights was created specifically for that reason. Essentially, you have a bunch of people who were recently rebels, who want to limit the government's ability to quash a rebellion, silence dissidents, or subvert a popular uprising.
To guide them, they look through their recent history for the tools employed by the power they had just thrown off. The British had limited speech, forbidden ownership of guns, stationed military personnel in people's homes, performed searches without cause, etc. In order to prevent a new oppressive government from using those tools, the authors of the Bill of Rights made them illegal.
So it's not really a defense to say, "This should be ok, because we're only trying to catch dissidents, terrorists, and enemies of the state!" The founding fathers were dissidents, terrorists, and enemies of the state. The Bill of Rights was written to protect exactly those kinds of people.
just do the smart thing and encrypt everything on your computer before you send it to other ppl. give ppl you trust the means to decrypt, then send everything totally encrypted through unsecure email. even if the NSA forces the email company to give up your emails, they still cant read them.
What the government is doing is repugnant, but only because most people are stupid and take the wrong lessons from it. If people had their shit together, then it would actually cause a positive effect, and we'd be talking about how US government's thuggery inadvertently did everyone a favor.
I never even heard of these encrypted email services until yesterday (except for hushmail about a decade ago but that was an even dumber beast) and the more I look into them, the more apparent it is that they sell .. well .. "snakeoil" is maybe too harsh, but I guess I'd have to say they sell the service of closing barn doors after horses escape. If I had to put it really nicely, to the point of sickening insincere sweetness, I suppose I could say they help you deploy "defense in depth" and I might be able to avoid making any gagging sounds as I did it.
Either the sender encrypts your email with your key, or they don't.
If they do it (i.e. if people do things right), then you don't need any service's special help with anything. All you want from your service are reliability, performance, and low prices -- a commodity, just like ISP's service of packet-passing.
If the sender doesn't encrypt the email with your key, then you're fucked. This is the common scenario, and the fact that people are basically fucked but still want to somehow mitigate it, is how this market emerged. Fair enough, I get it: when life hands you lemons, you make lemonaide. But you're taking it way too seriously, expecting far too much from a lossy premise. Your lemonaide is never going to be Dogfish Head 90 Minute IPA, ever, period. You should lament that, that people don't encrypt. You don't know who all read your PLAINTEXT before it got to Silent Circle or Lavabit and then they encrypted the storage of it.
(Worse, from what people are hinting about how lavabit worked, it sounds like they did the storage wrong, and that everyone always knew they would be able to decrypt things under certain circumstances, if forced.)
Users and their endpoint software must provide security. Other people's media and services running on other people's computers, can't really help you. Everything in between the endpoints is untrusted. Gag orders, CALEA-like laws, etc will make even the best-meaning services untrustworthy.
So. If it makes users feel better to move their hosting to other jurisdictions, fine. But for fuck's sake, go beyond just trying to make yourself feel better, and actually do something to make things really better: have a keysigning party. Help webmail users find and upgrade to decent (i.e. openpgp-compatible) mailreaders. And so on. Every time you see an unencrypted email come in, think about WTF went wrong and how that could have been prevented. And if you really do this, then you'll find that you can still host in America.
BTW, we've been through all this before. It's not like anything truly new is happening. All the same issues were coming up ten years ago, and ten years before that. (And probably ten years before that but I missed out on that round.) It always comes down to jurisdiction-shopping being a waste of time. You have the ultimate weapon which makes it all obsolete: 1970s PK tech. The only time you need jurisdiction-shopping is if your government outlaws the tech (France still? Not sure.).
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
http://www.schneier.com/blog/archives/2013/08/lavabit_e-mail.html
Last para:
"When the small companies can no longer operate, it's another step in the consolidation of the surveillance society."
Game. Set. Match.
12.12pm ET
Question:
http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower
Q&A with Mr. Snowden himself:
---cut---
Mathius1
17 June 2013 2:54pm
Is encrypting my email any good at defeating the NSA survelielance? Id my data protected by standard encryption?
Answer:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
---cut---
Spread the word. FUD does not help if we agree on the fact that we must "remember, remember the 5th of november".
We should not curl down in a fetal position. We should act - as much as we could.