Forgot your password?
typodupeerror
Encryption Communications Government United States

Silent Circle Follows Lavabit By Closing Encrypted E-mail Service 470

Posted by Soulskill
from the privacy-hostile-environment dept.
Okian Warrior writes "Silent Circle shuttered its encrypted e-mail service on Thursday, in an apparent attempt to avoid government scrutiny that may threaten its customers' privacy. The company announced that it could 'see the writing on the wall' and decided it would be best to shut down its Silent Mail feature. 'We’ve been debating this for weeks, and had changes planned starting next Monday. We’d considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that the worst decision is always no decision.' The company said it was inspired by the closure earlier Thursday of Lavabit, another encrypted e-mail service provider that alluded to a possible national security investigation." Does anyone have replacement recommendations for people who used these services?
This discussion has been archived. No new comments can be posted.

Silent Circle Follows Lavabit By Closing Encrypted E-mail Service

Comments Filter:
  • Nicely done (Score:5, Insightful)

    by beefoot (2250164) on Friday August 09, 2013 @09:32AM (#44519341)
    The US government is basically forcing technology firms to move else where.
    • Re:Nicely done (Score:5, Insightful)

      by flitty (981864) on Friday August 09, 2013 @09:54AM (#44519609)
      1. Force shutdown of US based communications companies for non-compliance with PRISM.
      2. Suddenly, all commucation is "foreign".
      3. All communications are now collectible without any oversight.
      • by gmuslera (3436) on Friday August 09, 2013 @10:09AM (#44519799) Homepage Journal
        If is encrypted is collected anyway. So, or you have it in a way easy to collect (and no guarantee that is not collected anyway, still a lot to be disclosed), or you have it in a hard way to collect (and there they will try to get it). Your best bet is still hard to break encryption, and if by law you can't have it inside US, you must have it outside. And if is important (i.e. concerned about the intellectual property of what you discuss), move yourself outside too, at least your communication with the server have less chances to be intercepted.
      • Re:Nicely done (Score:4, Interesting)

        by Bill, Shooter of Bul (629286) on Friday August 09, 2013 @10:14AM (#44519843) Journal

        Brilliant!
        I think the idea in this case was that lavabit and silent circle didn't have any way to decrypt your email. If this was true, then it wouldn't matter where it was as long as that remained true and email was between two users of the service ( obviously the NSA could read your sent and received email by just hacking the recipient/ sender of each email) .

        • Re:Nicely done (Score:5, Interesting)

          by Charliemopps (1157495) on Friday August 09, 2013 @11:14AM (#44520643)

          No I think the way lavabit stored the keys was faulty. They were stored on their own servers and unlocked by the users password when they logged in. So the NSA couldn't crack your email unless they watched you log in, then they would have your password. I suspect the NSA ordered them to allow the NSA to do this very thing and the owners realized that the only way to prevent them from gaining access was to shut down the service so no-one could log-in and give the NSA access to their accounts. Someone in the Lavabit thread suggested that they should have had a client side app that generated keys for you, then there would have been no-way for anyone to crack it unless your local machine was key-logged.

    • What the government is doing is repugnant, but only because most people are stupid and take the wrong lessons from it. If people had their shit together, then it would actually cause a positive effect, and we'd be talking about how US government's thuggery inadvertently did everyone a favor.

      I never even heard of these encrypted email services until yesterday (except for hushmail about a decade ago but that was an even dumber beast) and the more I look into them, the more apparent it is that they sell .. we

  • by beefoot (2250164) on Friday August 09, 2013 @09:34AM (#44519357)
    In USA, if you google search specific terms will result a visit from the authority (hint pressure cooker and back pack). In China, if you want to find something the government does not want you to know, you just can't find it. I don't know which one I like best.
    • by therealkevinkretz (1585825) * on Friday August 09, 2013 @09:37AM (#44519403)

      It turned out that the visit from Homeland Security after the "pressure cooker" and "backpack" searches weren't a result of Google monitoring but of a report from the guy's employer after finding the search on his work computer.

      • by sacrilicious (316896) on Friday August 09, 2013 @09:53AM (#44519599) Homepage
        Yes, that's what the official story may be... but who knows? Just two or three days ago was the whole exposing of how the government admitted that they have been coming up with "alternate explanations" of how they get various pieces of intelligence so that the official explanations don't point to prism/etc. So truly, how can we possibly know?
        • Well, why don't you test the official story? It's easy, go to your computer and google search "pressure cooker" and a few minutes later "back pack". Make sure to let us know if the MIB go visit you. Here on /., we like to know.

        • Re: (Score:3, Insightful)

          by thoth (7907)

          Surely the Streisand effect would have already happened - some percentage of people (especially Slashdot readers) would have read that and immediately searched for "pressure cooker backpacks" - and we'd hear about hundreds/thousands of people suddenly gone missing or being detained for questioning.

          I mean come on, there's legit concern, there's paranoia, and there's all out tin-foil-nutjob behavior with layered conspiracies hiding deeper multi-level conspiracies. The story about the employer reporting his em

      • In capitalist America, employer IS government!
      • Re: (Score:3, Insightful)

        by Dunbal (464142) *
        No that was the bullshit damage control. You know how I know? Don't you remember the guy in England who said he was going to "have a blast" (or something to that effect) in Los Angeles, and was turned around at the US border? They are reading everything. They just don't want you to think that they are.
  • by Anonymous Coward on Friday August 09, 2013 @09:35AM (#44519379)

    Does anyone have replacement recommendations for people who used these services?

    The first rule of Fight Club is: You do not talk about Fight Club.

  • enigmail/pgp/gpg (Score:4, Insightful)

    by Eunuchswear (210685) on Friday August 09, 2013 @09:35AM (#44519381) Journal

    Encryption should be end-to-end. How can you trust someone else to do it for you?

    • Re:enigmail/pgp/gpg (Score:5, Interesting)

      by doconnor (134648) on Friday August 09, 2013 @09:39AM (#44519443) Homepage

      One advantage of these 3rd party email services is that you can't tell who is emailing who without getting access to their servers. It seems some of them are willing to go out of business to prevent that.

      • Re:enigmail/pgp/gpg (Score:5, Interesting)

        by Hatta (162192) on Friday August 09, 2013 @10:50AM (#44520295) Journal

        Can't you do the same thing on a public forum? e.g. I generate a public key with no personally identifable information, and give it to you. To contact me, you encrypt your message with my public key, and post it to e.g. USENET. I then connect to USENET, download a bunch of posts, try to decrypt everything with my private key, and keep the ones that are successful.

        • I did that. I only get messages that say "Drink more ovaltine".

    • Re:enigmail/pgp/gpg (Score:4, Informative)

      by PetiePooo (606423) on Friday August 09, 2013 @10:04AM (#44519733)

      Encryption should be end-to-end. How can you trust someone else to do it for you?

      I was thinking the same thing; Phil Zimmerman [wikipedia.org] had it figured out decades ago. As long as both ends keep the snoops out of their computers, with PGP or GnuPG, [wikipedia.org] all they can read is the envelope information between SMTP relays. As far as we know, anyway...

      That method requires a little more technical skill than having some SaaS provider do it, but if you've got secrets to protect, that's a small price to pay. Use big keys and EC to help future-proof.

      And for keeping even the envelope info private, just run a private email service of your own (with no external mail gateway), and keep the snoops off of it. Allow access only via VPN or SSH tunnels.

  • Simple option(s)... (Score:5, Interesting)

    by pla (258480) on Friday August 09, 2013 @09:39AM (#44519427) Journal
    Does anyone have replacement recommendations for people who used these services?

    I would say "something hosted outside the US", but as the international banking community has shown, Uncle Sam's jack-booted foot extends well outside our own borders.

    So that really leaves "GPG" as you sole realistic option. End to end encryption, with no one but you and the recipient knowing what you wrote. Of course, "they" can compromise either end, but it deprives them of the ability to funnel everything on the wire into their data centers for 4th-amendment violating goodness.

    Or, we could all go back to writing letters. Oddly enough, that still has more legal protections behind it than any other form of communication.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      There is one flaw...they may not know what the message says, but they can still tell WHO you are emailing

    • by JeanCroix (99825) on Friday August 09, 2013 @09:44AM (#44519505) Journal

      Or, we could all go back to writing letters. Oddly enough, that still has more legal protections behind it than any other form of communication.

      Well, except for that whole thing about USPS photographing and storing images of every envelope it processes. They've resorted to actually opening and reading them in the past; I don't think, given the current state of affairs, that they're beyond that now.

    • by Anonymous Coward on Friday August 09, 2013 @09:48AM (#44519537)

      https://www.neomailbox.net/

      Neomailbox is a good one. Hosted in Switzerland, also provides VPN services.

      They have stronger privacy laws than we do, which helps on the non-technical end.

    • by Type44Q (1233630) on Friday August 09, 2013 @10:32AM (#44520067)

      Or, we could all go back to writing letters. Oddly enough, that still has more legal protections behind it than any other form of communication.

      The entire point of all these [not necessarily so recent] revelations is that legal protections are no protection.

  • To me, the takeaway message from all of this is that, if you value privacy above all else in your email exchanges, you can't trust a company, because either they'll sell you up the river for a song, or they'll shutter themselves to avoid government pressure. So here's my question: why don't more people simply run their own mail servers? It's certainly not difficult. [ubuntu.com] There are a few problems, of course, namely, needing an always-on computer, sorting out the issue of dynamic IP (dyndns [dyn.com] is a great, free soluti
    • Found it! [comcast.com]

      Under "Technical Restrictions," they list

      use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers

      However, I don't think they go to the trouble of enforcing this very often.

      • The Comcast quote says "public services". If I have a mail server that only has accounts for my family living at this residence, I'm not providing "services to anyone outside of [my] Premises local area network". Wouldn't that be an allowed server?

        Of course, Comcast could change the contract without me having any say in the matter.
      • by thaylin (555395)
        This does not stop it. You just cant give access to anyone outside your network. If the server is just for your personal email you are good.
    • Re: (Score:3, Insightful)

      by ahadsell (248479)

      The issue that Silent Circle points out is that SMTP is inherently unable to provide security against traffic analysis. Even if the body of the email is encrypted, the headers cannot be.

      So yes, you can run your own email server, and require that only gpg traffic pass through it. But that won't keep you secure against traffic analysis (aka "metadata collection") with collection performed at your ISP.

      • ... SMTP is inherently unable to provide security against traffic analysis. Even if the body of the email is encrypted, the headers cannot be.

        I2P-Bote is one alternative, an experimental distributed e-mail system which addresses the header issue. It's implemented as a distributed hash table with connectivity through I2P. The design allows senders and receivers to remain anonymous, in addition to encrypting the content of the messages.

    • Running a mail server from home is near impossible on most ISPs. The majority of ISPs block incoming traffic, and in some cases even outgoing traffic, on port 25 (SMTP). Even if you can get around this using alternate ports, chances are your ISPs IP range is blanket blacklisted by most anti-spam lists.

      Your best bet for privacy and control of your e-mail would be to setup a collocated or rented server. You'll have to configure some sort of encryption for your e-mail messages in case the data center gets raid

      • Re:Distributed Mail (Score:4, Interesting)

        by Bigbutt (65939) on Friday August 09, 2013 @10:34AM (#44520093) Homepage Journal

        Not only that, many _other_ ISPs won't send mail to mail servers located in comcast space or accept mail coming from comcast space. It's why I set up my own colocated server. The problem with that is all the difficulties dealing with such a system including spam and attackers.

        The last time I checked I was getting a bit over a million ssh break in attempts each month. I eventually blocked all of Taiwan at my firewall due to the majority of attempts coming from their address space.

        The other issue is with the colocated site address space. Since I have no control over the other addresses they host, DNS blacklist sites that blacklist IP ranges prevent mail from my mail server from being delivered. There are some sites that will let me communicate with their NOC and get put on a white list but there are others, like shaw.ca, that have no way to communicate with them to get off their list. They want me to contact the DNS blackhole sites they use but the DNS blackhole site has no way to get off their list (it's been a while, I remember shaw.ca).

        And Microsoft sucks. They have my server blocked with no way to clear it however I can pay a fee to Microsoft to open up my server to Hotmail (for example) so I can send advertising. And on the funny side, Microsoft only blocks me about 50% of the time.

        [John]

  • Encrypted (Score:5, Funny)

    by DeBaas (470886) on Friday August 09, 2013 @09:47AM (#44519527) Homepage

    The company announced that it could 'see the writing on the wall'

    They were however not able to read it.....

  • Just this time it's not Scientology sect, but governments.

    http://en.wikipedia.org/wiki/Penet_remailer [wikipedia.org]

    The only lesson learned is that there is no such thing as fully anonymous email service, it's always just a certain degree, especially when it comes to USA power play.

  • by schneidafunk (795759) on Friday August 09, 2013 @09:49AM (#44519557)
    Encrypted messages sent by pigeon carriers [nytimes.com] worked in the past!
  • by KiloByte (825081) on Friday August 09, 2013 @09:50AM (#44519565)

    I don't think Silent Circle would commit an effective suicide just preventively. Lavabit, while technically not saying a word about NSLs, told us very clearly what the request was. If the government criminals are not idiots, they learned and worded the Silent Circle order in a way that prevented such disclosure.

  • What the heck is going on over there?

    Do you really have running governmant agents around closing shops at will?

    That's not a good sign.

    • by gmuslera (3436) on Friday August 09, 2013 @10:31AM (#44520055) Homepage Journal
      Both Lavabit and Silent Circle closed by their own will. What government agents did, or will do, is to force all secure mail providers to give them a backdoor for them to access all that "secure" mail (or else put them in prison). So, for that reason, will not be any secure/private mail in US, if someone claims that do, or is lying already or soon will face the choice to lie to its customers or close.
  • Okay, playing devil's advocate here.

    LavaBit shuts down "citing" pressure they have received from gov't agencies. No evidence is provided to indicate that reason behind the shutdown...just they guy's word.

    Given how everybody is rallying against the gov't at this time - could this actually just be an action of protest rather than a true, official, take-down? Everybody will just assume that the gov't forced the take down "just because". Who would be the wiser? Right? Makes their point, right?

    Now, we have

    • by gmuslera (3436)
      The government wanted them to be open, but with a backdoor, not closed. And the enforcing of that backdoor was, for the case of Lavabit, giving them the chance to go to jail for helping Snowden or put their backdoor.
  • Security investigations lead to closures of secure services.

  • Citizen... (Score:5, Funny)

    by wbr1 (2538558) on Friday August 09, 2013 @09:56AM (#44519657)

    Does anyone have replacement recommendations for people who used these services?

    Citizen, we welcome you to use the new service at secure.nsamail.com. This will ensure that no terrorists, paedophiles, or drug dealiers co-opt your email account for their nefarious purposes.

    Thank you for your cooperation.

    • by wbr1 (2538558)
      In addition, if you are one of the first 100,000 to sign up, we will give you an expedited TSA search pass to use when you travel. (Good for a single one-way trip only, limit one per citizen.)
  • Open WhisperSystems (Score:4, Informative)

    by Anonymous Coward on Friday August 09, 2013 @10:02AM (#44519715)

    Open WhisperSystems (https://whispersystems.org) doesn't have encrypted e-mail, however they do have Android-based encrypted phone (RedPhone) and text (TextSecure) capabilities. They are working on iPhone releases in the near future of their products. Btw, all of it is open source and they DO release the source code as well.

  • by Kohath (38547) on Friday August 09, 2013 @10:20AM (#44519915)

    Does anyone remember when the press covered stuff like this? Before 2009, the Lavabit shutdown would have been national news. Everyone would have known the name of Lavabit's owner.

    His name is Ladar Levison.

  • by Janek Kozicki (722688) on Friday August 09, 2013 @10:24AM (#44519965) Journal
    Lavabit and silent circle inspired me to think about some kind of peer to peer distributed email system.

    Although currently everyone can install an email server (e.g. there are several available in debian). It is not what would solve the problem. Not just because it requires technical expertise, but also because it requires too much dedication on your side to maintain your freshly installed server. Also to make sure it has outside access with SMTP port, and so on. Not mentioning that it needs about 100% uptime. Such solution is too much centralized.

    I was thinking about p2p email more like this one [psu.edu] which I googled right after I had this initial idea. This is a proof of concept so it can work.

    Key features would be:
    1) uses p2p distributed encrypted file system, like tahoe [tahoe-lafs.org]
    2) each p2p node can act as email receiver/sender
    3) to send email to someone you use nick@1.2.3.4 where 1.2.3.4 is any IP that is running p2pemail. Simplest would be 127.0.0.1 if you just run a p2pemail node yourself.
    4) everyone can have p2pemail account, just connect via https to nearest p2pemail node. It can be running on your computer or anywhere else. Doesn't matter. This just requires setting up an account name on your side, and a lenghty password, which is also used as a sha256 seed for private key for encryption of your emails and also as a PGP signature for you emails.
    5) PGP signing emails would be so easy, that it would be a new standard.
    6) all encryption and decryption is done locally on your computer either in javascript or in your email client. Just make sure that your browser and computer are not compromised.
    7) if any of p2pemail nodes are running compromised code (eg. like compromised tor nodes) they still cannot read your email, because they have no acces to your private key. The only hope they can have is to monitor when you are accessing your data, but only if a request to the compromised node is made.
    8) even if huge NSA datacenter decided to store all p2pemail data, they still cannot read it, and have nobody to file a warrant to.

    If we combined that with bitcoins we would get additional (optional) features:
    9) buy storage with bitcoins, while buying decide how many copies of your data you want to have (can change this anytime later). Offer any price you want, lower bids might not be taken.
    10) provide encrypted storage space and get paid. If you store multiple copies of same data (might be possible before p2pemail gets popular) ensure that at least it is on different physical locations, otherwise you might be compromising security
    11) create whitelists with people from whom you want to receive email, add mandatory bitcoin fees if anyone not on the whitelist wants to send you email.
    12) You can create various stages if whitelisting, depending on domains you can define different prices to receive email. Or you can say that first email is free for everyone, and each next will be paid or not depending on if you received spam. Or configure spamassasin to decide for you.

    PROBLEM: where do my friends send email to?
    ANSWER: your_nick@p2pemail.org/net/com/info (we need to register many domains, and use many IPs to resolve those dns-es)

    PROBLEM: Will my address still be the same after long time?
    ANSWER: your nick in p2pemail will be the same, tell your friends that if they cant send email (eg. govt seized all p2pemail domain names), then they have to find some p2pemail node. Google it, or install one themselves. If they can't do that, you can solve this by installing a node yourself, and making sure it has the same domain name all the time. Services like dyndns can help you with that.

    well maybe that's just a pipe dream. But the proof of concept implementation that I linked above gives some hope. What do you think?
  • by Spottywot (1910658) on Friday August 09, 2013 @10:24AM (#44519967)
    I'm on the verge of installing this Enigmail addon for Thunderbird [mozilla.org], however as Thunderbird still uses my web based mail provider it will still show who it's too and from etc, does anyone know of a completely peer to peer e-mail system which could get around this?
  • what's happening (Score:4, Informative)

    by rlwhite (219604) <rogerwh@gmaMONETil.com minus painter> on Friday August 09, 2013 @10:28AM (#44520009)

    It appears that what is happening is that the government is applying pressure to anyone who enables communication in a way where the government cannot detect who is talking to whom. This is a logical extension of the methods that Snowden leaked. He showed that they already have full coverage of the metadata of phone calls, texts, emails, and webpage views routed through the US. The leaks have pressured the US to close the loops. This is a very dangerous threat to our Constitutional rights. Secrecy does not equal guilt, and our founders went to great lengths to enshrine that principle in our Bill of Rights.

  • > Does anyone have replacement recommendations for people who used these services?

    For those from outside the US, your best bet is probably to use small, local players who might not yet have had pressure applied to them. For those inside the US, I have one recommendation: run for Congress.

  • by gstoddart (321705) on Friday August 09, 2013 @11:13AM (#44520635) Homepage

    If you have nothing to hide, you have nothing to fear. Freedom is Slavery. The government is here to help.

    It sounds like we're trending towards not being allowed to encrypt our own stuff because that automatically means we're doing something shady. There's all sorts of reasons I might want to encrypt information that have nothing at all to do with American national security.

    Hopefully some non-American company will step up to the plate and give us this, and we can send a big "Fuck You" to the NSA that says we'll encrypt if we want to, and you can eat shit. My rights aren't defined by your security interests.

    Sorry, but the rest of the world doesn't give a crap about what you want, and want to retain our privacy without having to cede it to the US government.

    Thanks America, you've now essentially broken the internet, and are only going to make computing less secure for all of us. Welcome to the new world, where industry and government demands full control over technology in order to enforce their will on us.

  • by Xicor (2738029) on Friday August 09, 2013 @11:43AM (#44521055)
    just do the smart thing and encrypt everything on your computer before you send it to other ppl. give ppl you trust the means to decrypt, then send everything totally encrypted through unsecure email. even if the NSA forces the email company to give up your emails, they still cant read them.
  • by ThatsNotPudding (1045640) on Friday August 09, 2013 @01:46PM (#44522849)
    http://www.schneier.com/blog/archives/2013/08/lavabit_e-mail.html [schneier.com]

    Last para:

    "When the small companies can no longer operate, it's another step in the consolidation of the surveillance society."

    Game. Set. Match.

Any given program, when running, is obsolete.

Working...