Lavabit Briefly Allowing Users To Recover Their Data

← Back to Stories (view on slashdot.org)

Lavabit Briefly Allowing Users To Recover Their Data

Posted by Soulskill on Tuesday October 15, 2013 @08:22AM from the back-from-the-dead-for-a-few-days dept.

itwbennett writes "Former users of the Lavabit encrypted email service that was shut down in August have 72 hours (starting yesterday at 7 p.m. U.S. Central Time) to change their passwords and start recovering their data. 'Following the 72 hour period, Thursday, October 17th, the website will then allow users to access email archives and their personal account data so that it may be preserved by the user,' said Lavabit's founder and owner Ladar Levison."

52 comments

Min score:

Reason:

Sort:

It's a trap! by Kookus · 2013-10-15 08:24 · Score: 5, Informative

It must be encrypted and the only way for the nsa to get it is to have it unencrypted and sent over the wire via ssl!!!
1. Re:It's a trap! by K.+S.+Kyosuke · 2013-10-15 08:31 · Score: 2
  
  It's a trap!
  SNMP confirms.
  
  --
  Ezekiel 23:20
2. Re:It's a trap! by Havokmon · 2013-10-15 08:39 · Score: 1, Offtopic
  
  It must be encrypted and the only way for the nsa to get it is to have it unencrypted and sent over the wire via ssl!!!
  Exactly - cause when it was sent to the server unencrypted, and then encrypted ON the server itself with the password you sent - it's totally secure.
  I'll just give my lockbox key to the teller, watch her disappear into the vault, and she should reappear with all my stuff without having looking through it.
  
  --
  "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
3. Re:It's a trap! by Anonymous Coward · 2013-10-15 08:47 · Score: 0
  
  watch out I think the MIB is after you
4. Re:It's a trap! by Anonymous Coward · 2013-10-15 08:49 · Score: 0
  
  Interesting... More details, please.
5. Re:It's a trap! by Anonymous Coward · 2013-10-15 09:22 · Score: 0
  
  Just keep on walking.
6. Re:It's a trap! by heypete · 2013-10-15 09:32 · Score: 4, Insightful
  
  i consider my lavabit mail a lost cause
  Then you are not the user that the archive download service is intended for.
  Many users expressed a desire to download the contents of their mailbox even if it meant that the messages would be potentially snooped on, as they had important-but-not-private messages that they needed to recover. The archive download service is intended for those users, not those with high-security needs.
7. Re:It's a trap! by intermodal · 2013-10-15 09:38 · Score: 1
  
  Considering LavaBit is intended for the high-priority-needs user, I find it hard to suspect that this is a very large demographic.
  
  --
  In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
8. Re:It's a trap! by Anonymous Coward · 2013-10-15 09:44 · Score: 0
  
  This. Anyone using Lavabit trusting it to be secure is silly. If Lavabit had done the encryption/decryption 100% in browser than yes, sure.
9. Re:It's a trap! by Anonymous Coward · 2013-10-15 09:52 · Score: 0
  
  If Lavabit allowed users to download the *encrypted* data files from the server and provided some open-source utilities or instructions on how to decrypt them, this wouldn't be an issue. The user would never have to give Lavabit their password and no decryption would happen except on the user's own computer. Sounds pretty secure to me.
  The fact that they are not doing it this way makes me suspicious. The owner of Lavabit is obviously an intelligent guy.. Maybe he sees a show-stopper to this idea that I do not.
10. Re:It's a trap! by heypete · 2013-10-15 10:04 · Score: 2
  
  Considering LavaBit is intended for the high-priority-needs user, I find it hard to suspect that this is a very large demographic.
  Perhaps. I recall there being a rather substantial number of unhappy users who wanted access to their mail even if it could be snooped -- such users posted on various public fora, commented on articles, etc.
  I wouldn't be surprised if many users used Lavabit simply because it was a reasonably priced (for the paid plans) IMAP/POP3/SMTP service with a strong privacy policy, didn't do data-mining, etc. Such users may well want to recover the contents of their mailboxes even if it means that they might get snooped on. If so, they can do so. If they don't feel comfortable with that, nobody's twisting their arms. :)
11. Re:It's a trap! by Anonymous Coward · 2013-10-15 10:27 · Score: 0
  
  According to the news stories, he was forced to provide the PRIVATE KEYS of his TLS certificate (which was subsequently revoked). So, with the old certificate its a no go. But if they use a new one, they will likely be required to turn over the private keys as well. Best case, this means that only a DH exchange will protect the info from being decrypted right away (if you and the browser even negotiate one). Worst case, the FBI or whomever gets to MITM your connection and get your password (and subsequently your info) in plain text.
12. Re:It's a trap! by BrokenHalo · 2013-10-15 11:00 · Score: 1
  
  Considering LavaBit is intended for the high-priority-needs user, I find it hard to suspect that this is a very large demographic.
  Seems to me that this debacle serves to highlight another reason to take charge of your own mail via POP3. That way, you can manage your own backup routine, which of course means that if you fail to do so, you're SOL and deserve to be.
  
  I'm sometimes accused of being a troglodyte for my preference to POP3 over IMAP, but the latter offers nothing I really want, including an absolute dependence on the availability of an internet connection, which is not universally practicable where I live.
13. Re:It's a trap! by GameboyRMH · 2013-10-15 11:01 · Score: 1
  
  Or maybe he doesn't have that much say in the matter...
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
14. Re:It's a trap! by Anonymous Coward · 2013-10-15 11:41 · Score: 0
  
  Yes. It could be his get-out-of-jail-free card - in trade for daring to expose some of NSA's unmentionables.
15. Re:It's a trap! by Impy+the+Impiuos+Imp · 2013-10-15 11:44 · Score: 2
  
  They can't force him to say a damned thing. They can only force him to be silent.
  They could, of course, trump up some charge (or even use a real violation, the arguable real purpose to well over 60,000 laws -- having something you can lord over the head of everyone somehow) and let him off the hook if he lies out his ass.
  My god. How did we get to this cynical point in our own government?
  Oh yeah, studying all of human history.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
16. Re:It's a trap! by TheGratefulNet · 2013-10-15 18:23 · Score: 1
  
  maybe so, but its only a matter of time before the government decides who its going to GET-NEXT.
  
  --
  
  --
  "It is now safe to switch off your computer."
17. Re:It's a trap! by Anonymous Coward · 2013-10-15 23:11 · Score: 0
  
  I find it hard to suspect that this is a very large demographic.
  Regardless of how you find it hard to suspect that it's a large demographic, those actually part of said demographic do care about this and could probably not care less about what you think, not being a part of the demographic and all.
  But hey, if you find it entertaining to comment on things that do not concern you, have at it.
18. Re:It's a trap! by Anonymous Coward · 2013-10-16 00:40 · Score: 0
  
  You know I was a little left of pissed about the rapid shut down until a ./ poster pointed out that the guy actually did what he promised, and every bit of my anger at him evaporated. He was paid to do a job and he did it, and he did it well at that. I realized I'd outsmarted myself by keeping a local copy and had all my email anyways. It was a tiny bit inconvenient, but it was a fair burden to pay for the service to protect my privacy.
19. Re:It's a trap! by intermodal · 2013-10-16 01:22 · Score: 1
  
  I actually tend to agree with you on that. I just don't use email for much of anything at this point other than resetting passwords to various accounts online when necessary. Back when I did use it more, I did the same, and encrypted when available (signed when not).
  
  --
  In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
20. Re:It's a trap! by TheGratefulNet · 2013-10-16 03:57 · Score: 1
  
  funny. I guess no one understands the joke, but I thought it was a funny reply.
  
  --
  
  --
  "It is now safe to switch off your computer."
21. Re:It's a trap! by TheGratefulNet · 2013-10-16 03:59 · Score: 1
  
  also a funny reply. for those that don't get the joke, in SNMP you often do a 'walk' of the MIB tree. 'walking' is a frequently used term in this field.
  
  --
  
  --
  "It is now safe to switch off your computer."
Trap by Anonymous Coward · 2013-10-15 08:24 · Score: 0

So, NSA still wants more, eh?
It's a trap! by Anonymous Coward · 2013-10-15 08:25 · Score: 0

i consider my lavabit mail a lost cause
Dont Do It ! by Anonymous Coward · 2013-10-15 08:26 · Score: 0

Right .. just about enough time to get MITM setup.
1. Re:Dont Do It ! by Anonymous Coward · 2013-10-15 09:29 · Score: 0
  
  I knew the NSA wanted to get their hands on my pokemon training tips! Bastards! Now they'll sell it to some Brownnie to fund their black ops budget!
Suckers by Anonymous Coward · 2013-10-15 08:44 · Score: 0

Looks like an NSA honeypot to me.
1. Re:Suckers by noh8rz10 · 2013-10-15 08:59 · Score: 1
  
  I don't think you know what honeypot means... based on who I've met in govt, I think a NSA honeypot would be remarkably unsuccessful.
2. Re:Suckers by smash · 2013-10-15 17:50 · Score: 1
  
  Have read somewhere that the new setup does not use perfect forward secrecy any more. So yes, you're probably right.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I wonder what will replace LB... by mlts · 2013-10-15 08:48 · Score: 2

I wonder what will replace Lavabit for secure E-mail [1] these days. There is always the old standby Hushmail, but it would be nice to find something that can do other features (calendars and such.)
[1]: Others, it is different, but to me, a secure mail provider, where I am their paying customer and not their product, where they have innate intrusion resistance, and their mail service is designed so an attacker couldn't just grab Exchange mailboxes, or scp off /var/spool/mail/*. More assurance than "yes, we use 'encryption', 'passwords', and 'firewalls'."
1. Re:I wonder what will replace LB... by Hatta · 2013-10-15 09:17 · Score: 1
  
  Just use GPG with any email service you like. Nothing else is trustworthy.
  
  --
  Give me Classic Slashdot or give me death!
2. Re:I wonder what will replace LB... by Bill,+Shooter+of+Bul · 2013-10-15 09:30 · Score: 2
  
  What makes you think GPG is?
  
  --
  Well.. maybe. Or Maybe not. But Definitely not sort of.
3. Re:I wonder what will replace LB... by paskie · 2013-10-15 09:35 · Score: 1
  
  It's opensource and regularly audited?
  
  --
  It's not the fall that kills you. It's the sudden stop at the end. -Douglas Adams
4. Re:I wonder what will replace LB... by Anonymous Coward · 2013-10-15 09:49 · Score: 2, Interesting
  
  I started using https://mykolab.com
  They have calendar service too.
5. Re:I wonder what will replace LB... by mlts · 2013-10-15 10:15 · Score: 1
  
  GPG has had a number of eyeballs on it, as well as funding from more than one government (Germany in particular.)
  All and all, it is a good program, although trying to build 2.x on a number of platforms like AIX can be an exercise in frustration due to the sheer number of libraries it uses.
6. Re:I wonder what will replace LB... by Anonymous Coward · 2013-10-15 11:59 · Score: 0
  
  Mailpile is looking good:
  http://www.indiegogo.com/projects/mailpile-taking-e-mail-back
  but it is not ready yet.
7. Re:I wonder what will replace LB... by vlueboy · 2013-10-15 13:21 · Score: 1
  
  Good point. Most of us can't trust GPG anymore, due to having made those GPG keys under Windows.
  Dual-booting is my only real option since I can't completely abandon Windows. I thought of live USB booting, but found no trustworthy linux distribution anyway. Redhat has government ties, derivatives like Centos are not safe either. Ubuntu? It was the firs big disappointment with GUI decisions, so few would trust it with our security in face of NSL meddling. Mandrake and derivatives? Too dead, and fail to boot properly. Debian and Slackware? Don't feel like going in blind to a world where I don't know the package manager, or the compiling setups and so on.
  I got as far as setting up usb-stick persistence when I forced myself to choose a potentially compromised system. But persistance means that if I log in anywhere I'm tainting that USB setup forever, defeating the purpose of having a Live USB. Do I really want to go full tinfoil and use obscure browsers and untrustworthy extensions, disable JS and renounce all US search engines and services, when I still have to do my banking, check my US email address and watch the ocassional video playlist. Who am I kidding? my router and ISP know it's me going on Youtube, accessing my email accounts, and have nearly a decade of browsing logs, google searches and random stuff that flags us as slightly dissident geeks with potential for trouble.
  I2P died to me when I found it has no real exit nodes, so it's basically a black hole if you have nobody to talk to on the other end. Many of us have little use for GPG encryption besides feeling better about what would happen if someone stole our hard drives.
8. Re:I wonder what will replace LB... by EETech1 · 2013-10-15 16:18 · Score: 1
  
  I've been using PCLinuxOS, and it has many different encryption options incorporated in the right click menu.
  Encrypt, decrypt with various options and ciphers as well as gpg encrypt and mail.
  I'm finding it very well thought out, and user friendly, as well as everything just works. The control center, and system settings managers take care of everything I would ever need to configure, and there are many options to secure and verify the system.
  Their monthly magazine of tips and tricks is a nice read, and every question I had was already answered (correctly!) in the PCLinuxOS forums!
  The "Full Monty"' version has just about EVERYTHING already installed and working, and it has been much easier to try the many different programs available for Linux when they are included and installed correctly, then simply remove the ones I don't like / use, instead of installing a bunch of them to try after the fact, and potentially (usually) breaking the install.
  It is a rolling release as well.
  Ubuntu is dead to me, and finally gone! I wiped my 10.04 Gnome 2 partition I've been trying to replace for 3 years, and my Mint of the month, maybe this distro / desktop won't suck test partition, and installed PCLinuxOS. I've upgraded many of my friends as well. We are all loving it!
  (Thanks Tex)
9. Re:I wonder what will replace LB... by smash · 2013-10-15 17:51 · Score: 1
  
  Like the debian openSSL package from 2006-2008? Oh you generated your PGP key with a debian sourced version of openSSL in that time-frame? Oops.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
10. Re:I wonder what will replace LB... by Anonymous Coward · 2013-10-15 18:45 · Score: 0
  
  I recommend the church of the swimming elephant @ http://www.cotse.net/
  they provide secure email, proxy, SSH tunneling, and a number of other security and privacy conscious services.
11. Re:I wonder what will replace LB... by Anonymous Coward · 2013-10-15 19:12 · Score: 0
  
  I recommend the church of the swimming elephant @ http://www.cotse.net/
  I read that URL as goatse...
12. Re:I wonder what will replace LB... by Anonymous Coward · 2013-10-15 20:50 · Score: 0
  
  Do you really think the Swiss are worth more than dogshit right now? Didn't they roll over and give up a bunch of account information to the NWO? Do you think it will be any different when it comes to getting your email? Who do they have more loyalty to guys depositing a few hundred million bucks or you and your 10 dollar a month email account? They'll turn on you in a New York minute. Only expect privacy when you use end-to-end crypto and pay attention.
13. Re:I wonder what will replace LB... by vlueboy · 2013-10-16 11:44 · Score: 1
  
  Thanks
  I too stopped at Ubuntu 10. I'm not sure why I hadn't looked at this distro before. The full monty looks good from what I see on their page and wikipedia which includes printing, multimedia and liveusb support. I'm going to get it.
14. Re:I wonder what will replace LB... by EETech1 · 2013-10-16 15:34 · Score: 2
  
  I think you'll really enjoy it!
  There is also a script in the menu that allows you to make a live CD or live USB from your customized install, so you can get it how you like it, and then clone it to take with you. When you do a system update, just make new live media to take along, and if you do screw up your home install, just reinstall your custom version from your live media and be right back where you were in a few clicks.
  It's the most well thought out distro I've ever used, and I (used to until now) do a lot of distro hopping in search of something better.
  It includes lots of non-free wireless drivers and programs, but I'm not as concerned about purity as I am about having my computer do everything I need or want it to (but a bare bones version is available as well).
  If you look at what's included, it really is the full monty, and if you don't like the customized KDE theme based desktop, standard KDE is a click away from the menu, and most if not all other desktops are ready to install from synaptic.
  I really can't say enough about the forums and help / documentation that's included or available as well. Most settings have right-click "what's this" help available too.
  Have a look at the customized settings and configurations available on the system config desktop too, it's far beyond what I've found anywhere else, and makes doing anything (including locking it down and verifying the install) a snap (or click).
  They take the good parts of nearly every distro, and wrap them up in a well thought out and fully functional package.
  It's been in the top 10 distros on distrowatch as long as I can remember, I can easily see why. It's so much easier and safer IMHO to uninstall what you don't use, and gives new users something fully functional so you don't get nearly as many of the "how do I get it to do???" questions that normally come with ditching windows.
  There is also a menu that pops up when you put in media that shows you everything you can do, and with what program, so it's very simple to find your way around.
  Enjoy!
Balancing Act by heypete · 2013-10-15 09:16 · Score: 1

If one had enabled the secure storage functionality at Lavabit prior to the shutdown, the messages are inaccessible without the password. Naturally, with the password an adversary (say, the feds) could decrypt the messages (assuming they have a copy -- Ladar has stated in several public interviews that the feds did not make a copy of data on the servers).
Thus, one needs to balance the security of the messages stored with Lavabit with the desire to access old messages. Many users don't have any particular concern for privacy or security but have important messages in their mailbox that they would like to download (they might not have made local copies before the shutdown). This function is aimed at those people, not those that would prefer to keep messages encrypted even if they remain inaccessible to themselves.
Could be a trap but there is a solution by Anonymous Coward · 2013-10-15 09:45 · Score: 1

Lavabit should let it's ex-users with encrypted mailboxes download their data in the encrypted form that it's currently stored on the server. If they provide instructions on how to decrypt it properly, or even some utilities to help do so.
This way Lavabit doesn't have to be trusted. Download the data and decrypt it with your passphrase on your own computer!
1. Re:Could be a trap but there is a solution by Anonymous Coward · 2013-10-15 20:31 · Score: 0
  
  Agree. This smells bad to me.
2. Re:Could be a trap but there is a solution by Anonymous Coward · 2013-10-15 20:46 · Score: 0
  
  Even more to the point. If you have any archived data and you're stupid enough to go for this "change your password" ruse then they whoever "they" might be can then decrypt all the emails that ever flowed through Lavabit for that userid since presumably they have them archived somewhere. Just orphan your email accounts and be smart enough not to let your email sit on anybody's server unless they're encrypted by you with your own key. And stay out of trouble and don't piss the gov. off because as we all know they're here to help.
Honeypot by Anonymous Coward · 2013-10-15 09:49 · Score: 0

I'm guessing anyone who really needed encrypted mail services is sane enough not to log in any more.
To add to those that said TRAP! by Anonymous Coward · 2013-10-15 12:31 · Score: 0

I say, TRAP!!!!!
Sounds good for some people by davidwr · 2013-10-16 02:16 · Score: 1

But "walk up" service with a clone of the Lavabit server running on a private LAN would be better.
If I were Lavabit and wasn't prohibited by court order or economic reality, I would offer this service over a several-month period, but I would ask (not require) that the customers donate a "reasonable" amount to the EFF or another freedom-supporting organization, where "reasonable" is the amount of money I'm losing by providing this service.
If I (as Lavabit) had the funds, I would "take this on the road" to major cities and major events to raise public awareness.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.