Another Secure Email Service Shuts Down To Avoid Having To Do So Later
from the us-government-destroying-american-businesses dept
When Lavabit announced its sudden decision to shut down yesterday, many of its customers were actually fairly perturbed that they were given no notice, and no way to retrieve their mail before it went away. While I can certainly understand that emotional response to losing your email account like that, it seems rather obvious that there was no real choice here. If Lavabit had alerted customers that they had a day or a week or whatever before the service shut down, it seems quite likely from the hints given that the government would have stepped in with an order to preserve the information it was clearly seeking access to.Given that, it's noteworthy that another secure email provider, Silent Circle, chose to announce its own plans to close down its secure email service hours later. Silent Circle isn't facing the same hidden court orders/government demands, but it recognized that it would likely come some day soon -- and thus it was better to shut down ahead of time, before the government forced it to make the same decision. I'm somewhat surprised that Silent Circle didn't at least give its customers a day or whatever to close out their email, but rather the company flat out destroyed its servers, noting:
"Gone. Can't get it back. Nobody can."The company is still offering other secure tools that feature end-to-end encryption such that there's nothing they can hand over to the government.
In discussing this, I saw some people point out that another service, CryptoCloud, has actually had it as a part of its privacy policy for over five years that it would shut down rather than let the government get direct access to accounts:
If a court orders us to allow them to secretly place surveillance "sniffers" on a specific account, we will fight this order to the highest judicial authority possible. If we lose, we will shut down the business and call it a day. End of story.Still, this kind of thing is showing how these ridiculous surveillance policies from the US government are doing massive harm to US businesses, basically making them either lie to their customers and violate their privacy, or to shut down completely. It's going to drive many, many users to overseas services. Is that really worth it?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: email, secure email, shutting down, surveillance
Companies: lavabit, silent circle
Reader Comments
Subscribe: RSS
View by: Time | Thread
It's imploding
What are you going to do Obama? Insist that there's nothing to worry about?
[ link to this | view in chronology ]
Re: It's imploding
[ link to this | view in chronology ]
Re: Re: It's imploding
Unlikely.
Google is too big to just pack up and leave. Plus, they don't want to burn bridges (the US is such a huge market, after all). As it stands, Google's best move (form their point of view) is to stay put, shut up and do as they are told. They have no incentive to act otherwise.
I mean, why would they sacrifice some market share and lucrative connections in the US just for some geek cred?
"...and only offer SSL connections."
Haven't you been paying attention? All it takes is a few scary man in suits to show up at a Google office and say "Hand over your SSL keys", and Google will just hand them over, because - frankly - they have no other choice, and no incentive to push back. From then on, your "secure connection" is compromised.
[ link to this | view in chronology ]
Re: Re: Re: It's imploding
[ link to this | view in chronology ]
Re: Re: Re: It's imploding
They probably won't go beyond a few token gestures as a sop to public opinion, of course, but they do have the option.
[ link to this | view in chronology ]
Re: Re: Re: It's imploding
Which is why Google has been using perfect forward secrecy ciphersuites. As long as both the server (Google's servers do) and the client (Google's Chrome browser do) support ECDH ciphersuites, a passive attacker cannot decrypt the connection, even if the attacker has the server's SSL keys.
An active MITM attacker with the server's SSL keys can still decrypt the connection. However, active attacks are more costly, risk detection (with huge repercussions if detected), and from what we know, NSA's XKeyscore is completely passive.
[ link to this | view in chronology ]
Re: Re: Re: Re: It's imploding
Oh, you've fallen for the oldest flaw in security: assuming that you can trust ANYONE. When applied to an amoral mega-corporation, already known to give NSA "direct access" to its servers, it's worse than naive to trust Google. -- You have NO effective way of auditing actual code run or ruling out backdoors! So don't bother trying to point me to this algorithm or that, because you don't know what's actually in use.
Here's something known that should make any reasonable non-shill question Google:
http://refreshingnews99.blogspot.in/2013/07/nsa-is-quietly-writing-code-for-googles.html
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: It's imploding
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: It's imploding
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: It's imploding
No, he hasn't, at least not in the way you're talking about. There is no need to trust Google (or anyone) for perfect forward secrecy. That's the point of perfect forward secrecy. It is easy to confirm the protocol is being used by looking at the data being sent and received from Google.
Where the "trust Google" part comes in is with what happens to the data once it's left the pipe and entered Google's servers, and you're absolutely right. At that point, there is no way of knowing what happens to that data.
But his approach to reducing the risk of MITM attacks is correct and helpful.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: It's imploding
[ link to this | view in chronology ]
Re: It's imploding
Non-US companies are quickly abandoning US-based cloud services and email providers. Businesses are dropping US-based software solutions and are rolling out their own solutions developed in-house instead.
Personal anecdote time: my company is even dropping Windows in favour of an open-source alternative for everything, end-users included (much to the delight of the geeks, myself included). And from what I've been hearing around the water cooler, we aren't the only ones in the business shifting very quickly away form Microsoft.
The credibility of all software companies in the US has been irreparably damaged. Time will tell how extensive the economic damage will be.
[ link to this | view in chronology ]
Re: Re: It's imploding
[ link to this | view in chronology ]
Re: Re: Re: It's imploding
The US already has high unemployment, and no other countries are stepping up to employ US workers.
The US might be only 5% of the world's population, but it's the largest contributer to the GDP. A collapse of the US economy *will* bring down economies the world over.
The rest of the world is still feeling the effects of a small economic collapse five years ago. You want that again? Or worse even?
[ link to this | view in chronology ]
Re: Re: Re: Re: It's imploding
Act ually, the rest of the world is quickly figuring out how to mitigate the effects of another such collapse.
[ link to this | view in chronology ]
Think about what they're doing: going around to e-mail service providers, demanding that they hand over all user data, acting more the order of a mafia cartel. These people truly do not represent the American people.
[ link to this | view in chronology ]
Re:
Next, they will make people use the internet with expensive virtual reality gear, and implement those 3D visuals of Willian Gibson Cyberpunk novels, just so that people trying to copy files get also charged with trespassing, since that in order to do that you had to enter the virtual building - and if you do copyright infringiment, it automaticaly becomes theft.
Sorry, i just couldn't help myself.
[ link to this | view in chronology ]
Of course it is worth it
[ link to this | view in chronology ]
By Design
[ link to this | view in chronology ]
Re: Of course it is worth it
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Well, just use Gmail!
[ link to this | view in chronology ]
Kudos to these services for shutting down rather than compromising their values by bending over and accepting a shafting from the US government. Pity Google, Microsoft, Apple et al could not club together and tell the government where to stick it.
[ link to this | view in chronology ]
Bitmessage
https://bitmessage.org/wiki/Main_Page
[ link to this | view in chronology ]
Not quite
Yes, they're offering tools. No, those tools are not open source, therefore they haven't been independently audited for functionality and security. Therefore, they shouldn't be trusted any more than any other piece of closed-source code or third-party service. The promises and assurances of Silent Circle are meaningless self-promoting hype until/unless they publish ALL the source code.
[ link to this | view in chronology ]
Re: Not quite
It's a lot better than most.
[ link to this | view in chronology ]
gmail 70%+ of users are outside the US
Numbers from the forthcoming article by Orin Kerr (Volokh Conspiracy) in University of Pennsylvania Law Review pp.36-38
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2302891
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Lavabit was a US company to
[ link to this | view in chronology ]
[ link to this | view in chronology ]
If you believe that all of those eyeballs are honorable, honest, folks with a need to know, you're very naive. There'll be all kinds of breeches. Cabals sharing "interesting" sexting images with each other, folks playing the stock market on the strength of insider information gleaned on the net, etc. Open season.
[ link to this | view in chronology ]
This gives them 'easy mode' access to the data... They don't even need to spend CPU cycles cracking.
The problem is that backdoors can be exploited by bad people, be they outside criminals or corrupt employees of the people.
Pen and paper, hand delivery and lock and key are the best available techs for privacy.
[ link to this | view in chronology ]
Re:
There is no single "best" type of tech for privacy. It's very situation-dependent. In some cases, you're right, the old-school is the best school. In other cases, it's the least secure choice. It all depends.
Case in point: one time pads. These are very old-school, and require nothing more than pen and paper and a way to generate random numbers (during WW2, they used bingo balls to do this). Properly done, encrypting with one-time pads is 100% unbreakable encryption.
Despite this, they are far from the most common kind of encryption, because in most cases, they are one of the most vulnerable for a single reason: you have to transmit the "key" (the OTP itself) to the other end of the communication channel in a secure fashion. And most of the time if you can accomplish that, you could just send the massage itself the same way and don't need to use the OTP at all.
On the other hand, if you're fielding an army, you can just give everyone their pads in advance before sending them out into the battlefield. Their use makes a lot of sense in that context (ignoring the possibility that the enemy might be able to obtain the pads by searching bodies.)
[ link to this | view in chronology ]
Re: Re:
One 'soft' factor favoring old fashioned, analog encryption and retention is that these days is that every one has gotten lazy! Govt has the digital firehose and go straight to that every time. I'm not not even sure most of them know how to read cursive....
Anyway they make way fewer housecalls than they used to until the SWAT team comes. Best place to keep something safe is where very few will bother to look.
[ link to this | view in chronology ]
Re:
Oh wait. I forgot. They're trying to kill the USPS too. Then we'll all have to send "mail" through FedEx and UPS, who uphold no expectation of privacy for their customers...
[ link to this | view in chronology ]
Re: Re:
Not so much, really. For a long, long time, the post office has had a secret program where mail of interest is diverted and steamed open by spies, the contents recorded, then resealed and delivered as normal. All without a warrant.
[ link to this | view in chronology ]
Coming Soon
Includes tips such as: ...and many others.
....
Sigh. What started as a joke would probably make a pretty successful book.
[ link to this | view in chronology ]
Re: Coming Soon
Right now, Kim Dotcom is smelling like roses near the kind of things that are coming to surface. I'm half expecting that something of the leaked documents from Snowden relates to the Mega Case. And i'm very irritated about the WCIT conference last year in Dubai. Because right now, our worst fears about what would have come to pass are already confirmed.
[ link to this | view in chronology ]
Re: Coming Soon
Right now, Kim Dotcom is smelling like roses near the kind of things that are coming to surface. I'm half expecting that something of the leaked documents from Snowden relates to the Mega Case. And i'm very irritated about the WCIT conference last year in Dubai. Because right now, our worst fears about what would have come to pass are already confirmed.
[ link to this | view in chronology ]
I'm rather upset by all of this. Zero trust, zero integrity, zero value.
Escalation is inevitable.
[ link to this | view in chronology ]
Sounds Good to Me
http://luciusonsecurity.blogspot.co.uk/2012/01/cybercrime-state-of-online-piracy.html
[ link to this | view in chronology ]
Re: Sounds Good to Me
[ link to this | view in chronology ]
Only if you want to have secure services.
Here in the USA that will not be allowed.
Turn Key Tyranny, it's already happened here in the USA.
[ link to this | view in chronology ]
It's obvious...
Contacting foreign personnel and services overseas on an encrypted network connection = Terrorist.
It's like the government isn't even trying anymore.
[ link to this | view in chronology ]
Cutting the cord
The Supreme Court or the President has that power. Not Congress, and not any business. Even then it's a touch and go situation because the NSA's best friends will push back hard.
It will take mandated shut downs of the programs to do it. Nothing else. Budget cutting won't, because the 'black bag' operation budget for the military is always accessible.
Throw in the TSA while they're at it, plus the DEA, the FBI, and a few other alphabet agencies that have been plundering the public's private information.
Until that happens, watch the sinking of small businesses and destruction of people's lives.
Brought to you by those who believe that your privacy isn't worth preserving.
Oh, one note though: the government can do this invasion of privacy stuff without facing penalties. Don't you try it or else you'll be in prison pronto. Justice is only for some.
[ link to this | view in chronology ]
Re: Cutting the cord
SCOTUS can't do anything until a case is brought to it... After working its way up through all the lower courts for ten years.
[ link to this | view in chronology ]
Welfare, socially manipulative and heavy-handed programs have been using that excuse for decades. It immunizes them from the lazy grubs currently working in mainstream news. "We meant well!" is their best defense and they're using it because it works.
If the NSA just says "we mean well," the press will shrug and look for another rabbit to chase.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
WHAT?
[ link to this | view in chronology ]
what about non-US based servers
[ link to this | view in chronology ]
[ link to this | view in chronology ]
the odd life of timothy green^exit been made^.
[ link to this | view in chronology ]
Some Freelance/Firm Idea's Guru Will Think a Loop-Hole
SORRY FOR THE RAMBLE and thanks 4 ur guys patience.
I Design for United Worldwide Collaboration to do my part against the 'splitting' agenda...Well & to meet like minded individuals from all over, make life long friends and project partners, and of course increase our PORTFOLIO'S ;) @Code_Collective - Jay (2nd Project Manager)
[ link to this | view in chronology ]
toko obat kuat herbal
[ link to this | view in chronology ]
mainan seks wanita
[ link to this | view in chronology ]