back to article Go dark with the flow: Lavabit lives again

It's taken longer than first expected, but the first fruits of Lavabit founder Ladar Levison's Dark Mail Technical Alliance have landed with the relaunch of the encrypted mail service he closed in 2013. After shuttering Lavabit, Levison joined hands with Silent Circle to form the DMTA and promised Lavabit would flow again in …

  1. Nastybirdy

    ~Slow handclap~

    Well that's lovely and all, but given the abrupt shuttering of Lavabit.com back in the day is STILL causing me problems with recovering accounts, he can sod off if he thinks I'm giving him my business for a second time. His grand gesture was all well and good, but I bet I'm not the only customer it caused a shit ton of trouble for.

    1. Anonymous Coward
      Anonymous Coward

      Re: ~Slow handclap~

      That is what you bought last time, you are buying it this time too.

      If you are buying spook-resistant email, you have to account for it being shuttered to remain spookproof as one of the possible outcomes.

      Your inconvenience originated from you not fully understanding what are you buying. Can't help you with that one I am afraid.

      1. Ogi

        Re: ~Slow handclap~

        > Your inconvenience originated from you not fully understanding what are you buying.

        Indeed, one of the reasons I would download all my mail off lavabit to my own home via POP. In this world secure communications channels not backed by military power can be shut down, and I would rather lavabit shut down, then just open up a backdoor to all our mail. If I wanted that, I could just use Google.

        FWIW, I will be going to back to lavabit once up and running. He proved himself by shutting down his business and going through the courts for years rather than give up the keys.

        Also, they say they still have the old lavabit accounts for reactivation, so I am going to see if they can re-activate my old accounts there.

        In theory, they may have all the old mail too. I suspect that during the court case, deletion of emails would have been seen as tampering of evidence, so chances are they may still have your original data, as well as the original accounts.

    2. NoneSuch Silver badge
      WTF?

      Re: ~Slow handclap~

      He shuttered the business rather than risking a breach in your privacy. An ethical man challenging authoritarian decree. This is the sort of action that should drive business to his door.

      Only the most selfish would fail to see that.

  2. WaveyDavey
    Black Helicopters

    Groklaw

    I wonder if this will allow groklaw to resurface ? Would be nice to see it again.

    1. Zippy's Sausage Factory
      Thumb Up

      Re: Groklaw

      Yes, thank you. Exactly what I was going to say. Have an upvote.

  3. Charles 9 Silver badge

    Still can't help feeling there's still a way for the spooks to get in. The old First Contact Problem. What if the spooks got a way to infiltrate the chain of trust at the very beginning, enabling them to track the chains as they're being built?

    1. Anonymous Coward
      Anonymous Coward

      The biggest flaw is whether the client-side decryption code could be trojaned to ping a copy of your keys and passwords to an NSA server after you've entered them, then served selectively to targets of interest. Is there a way to sign a javascript file with a key, pin that key to a domain/file (so any variation gets reported and rejected), and have the browser reject any code that fails that signature check?

      Even so, that then assumes the provider is able to keep control of their signing key, won't be complicit with an NSL letter to sign a trojan. Perhaps keep the signing key offshore with a third party that won't sign any code he hasn't personally inspected, or use some kind of federated approach that requires x out of y third parties to inspect and sign the code.

      Tough nut to crack with the current web (in)security technology.

    2. Ogi

      > Still can't help feeling there's still a way for the spooks to get in.

      No system is 100% secure, there is always a way for spooks to get in, even if it is directly through you (i.e "5 dollar wrench" solution -- https://xkcd.com/538/).

      The point of this exercise is to make it harder and more expensive for them to do so. It means that they would only then do it if there is probable cause, or enough reason that it would justify the cost to rifle through your personal life.

      What we are trying to avoid is a situation where it is so easy and cheap for almost anyone to rifle through your personal life, that they can do it en masse and for almost nothing per person. That is where we are heading now, and IMO a very dystopic future.

      The alternative "secure" solutions don't have to be 100% secure, just secure enough to deter casual/automated spying.

      1. Charles 9 Silver badge

        "What we are trying to avoid is a situation where it is so easy and cheap for almost anyone to rifle through your personal life, that they can do it en masse and for almost nothing per person."

        And what I'm saying is that I don't think they did enough to raise that cost. For example, there's a point of trust in this new system. All the plods would have to do is subvert or duplicate this starting point, then they have ways to trace you and then just do highly-targeted attacks as needed.

        As for the $5 xkcd solution, I've always said it doesn't work against two types of people: wimps (who keep fainting at the mere sight) and masochists (who are turned on by the wrench and ask you to hit harder).

        1. Ogi

          > And what I'm saying is that I don't think they did enough to raise that cost. For example, there's a point of trust in this new system. All the plods would have to do is subvert or duplicate this starting point, then they have ways to trace you and then just do highly-targeted attacks as needed.

          Fair enough, I haven't read their paper just yet, so cannot provide constructive rebuttal or agreement. What would you change in the system to make it more secure, but still a palatable alternative to replace the widespread popularity of current email?

          At this point, it sounds like it is more secure than 95% of the systems up there, which is an improvement I will not complain about. If it can deter casual spying that is good.

          Targeted attacks are harder to counteract, and you may well find that this system will not be enough, you may need to consider multi-layered security systems, or perhaps something other than this.

          Still, I won't knock the guy for coming up with a proposal for something better than the unencrypted store-and-forward system we have now. It is all about convenience vs security, if we can get increased security for all, even if not perfect, it is better than what we have currently.

          Those who are at greater risk (or have increased paranoia) are free to use more secure and less convenient systems, as they see fit.

          > As for the $5 xkcd solution, I've always said it doesn't work against two types of people: wimps (who keep fainting at the mere sight) and masochists (who are turned on by the wrench and ask you to hit harder).

          Heh, natural selection working to increase the number of wimps and masochists then =)

          In seriousness though, the combined masochists and wimps are what? 5% of the population? more? Even if it was 25% (a bit optimistic I think), that leaves 75% that would be scared enough of the threat to reveal what is demanded, or they will give in not too long after the procedure has begun.

          1. Anonymous Coward
            Anonymous Coward

            "Still, I won't knock the guy for coming up with a proposal for something better than the unencrypted store-and-forward system we have now. It is all about convenience vs security, if we can get increased security for all, even if not perfect, it is better than what we have currently."

            Unless it becomes LESS convenient, turning the average person OFF to the idea. I sometimes wonder if we're going to find it's an UNhappy medium out there: too irksome to use yet not secure enough to be practical. Remember the unwashed masses control the market, and they're searching for unicorns at this point. And we REALLY need the herd effect for this to be really effective. Unless, of course, the State has the computational resources to still winnow this out, in which case we're at the Big Brother stage already, in which case we're pretty much screwed.

            "In seriousness though, the combined masochists and wimps are what? 5% of the population? more? Even if it was 25% (a bit optimistic I think), that leaves 75% that would be scared enough of the threat to reveal what is demanded, or they will give in not too long after the procedure has begun."

            But like you said, natural selection might result in security people hiring sociopathic masochistic loners since they can't be tortured: directly (wrench turns them on) or indirectly (don't care about anyone else enough for that to be an angle). And this is only in SEMI-jest, since it seems sociopathy is just about a requirement for ANY position of power.

            1. Ogi

              > Unless it becomes LESS convenient, turning the average person OFF to the idea. I sometimes wonder if we're going to find it's an UNhappy medium out there: too irksome to use yet not secure enough to be practical. Remember the unwashed masses control the market, and they're searching for unicorns at this point. And we REALLY need the herd effect for this to be really effective. Unless, of course, the State has the computational resources to still winnow this out, in which case we're at the Big Brother stage already, in which case we're pretty much screwed.

              I am willing to let them try. GPG has been around for donkeys years, and it never caught on beyond a few special industries and crypto nerds.

              If they can provide similar levels of security in a more convenient fashion, then I don't have a problem with letting them try. Even if the security is worse than GPG, it would be moving forward as long as it isn't unencryped email (which is the equivalent ot writing messages on a post card and sending that).

              Plus in theory I could GPG encrypt my mail myself before I send it through this system if I feel particularly paranoid, while for joe average it will be more secure than before, but with (in theory) similar levels of convenience.

              I still would class that as a win, because we have moved forward and improved an infrastructure that was designed back when the Internet was an academic utopia, rather than the modern day cesspit it has become.

              And yes, if the state can winnow it out anyway without much effort, then we are deeper down the rabbit hole then I expected. In which case, not much you can do. If you can't organise an effective opposition because all comm channels are under scrutiny/control, then you are done essentially. Individuals can either rage impotently against the machine, accept that is the world they live in, or attempt to leave for greener pastures.

              > But like you said, natural selection might result in security people hiring sociopathic masochistic loners since they can't be tortured: directly (wrench turns them on) or indirectly (don't care about anyone else enough for that to be an angle). And this is only in SEMI-jest, since it seems sociopathy is just about a requirement for ANY position of power.

              I thought they already hired sociopathic masochists? :-D Or at least a mixture of sociopathic sadists and masochists... (their Christmas parties must be fun)

              Well, this is a human condition, not something technology will control or remedy (nor am I sure it would be wise to do so). Either way, it is outside the scope of this project's goals :-)

              1. Charles 9 Silver badge

                "Plus in theory I could GPG encrypt my mail myself before I send it through this system if I feel particularly paranoid, while for joe average it will be more secure than before, but with (in theory) similar levels of convenience."

                Except PGP/GPG is pre-quantum. You may want to assume the data center in Utah is really a cover for a black-project (read: years if not decades ahead of its time AND deny it even exists) working quantum computer.

  4. Anonymous Coward
    Anonymous Coward

    I have the beat email security.

    I practice being an obnoxious bastard so as to disuade people from wanting to contact me.

    I have one email in my mailbox with the subject "GET OFF MY LAWN". I was going to send it to myself, for now its my drafts until I find time to hit send.

    1. Steve K

      GET OFF MY LAWN!

      It's "dissuade"

      Now GET OFF MY LAWN!

      1. Anonymous Coward
        Anonymous Coward

        Re: GET OFF MY LAWN!

        See? It works.

        1. Anonymous Coward
          Anonymous Coward

          Re: GET OFF MY LAWN!

          Until someone decides to defy you by bringing in a rugby team...

          1. Alistair
            Coat

            Re: GET OFF MY LAWN!

            @ac I see your rugby team and raise you a herd of sheep.

            1. Charles 9 Silver badge

              Re: GET OFF MY LAWN!

              I don't know. All the sheep would do is graze it and leave fertilizer. Meanwhile, rugby players wear cleats. Things get ugly, they can probably tear any lawn to shreds.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like