Forgot your password?
typodupeerror
Encryption Government The Internet

CryptoSeal Shuts Down Consumer VPN Service To Avoid Fighting NSA 361

Posted by Soulskill
from the another-one-bites-the-dust dept.
sl4shd0rk writes "CryptoSeal Privacy, a VPN provider, has closed down its consumer VPN service. The company says it has zeroed its crypto keys, adding, 'Essentially, the service was created and operated under a certain understanding of current U.S. law, and that understanding may not currently be valid. As we are a US company and comply fully with U.S. law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.' The announcement ends with a warning: 'For anyone operating a VPN, mail, or other communications provider in the U.S., we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.' Sounds like another victim of FISA-endorsed NSA activity."
This discussion has been archived. No new comments can be posted.

CryptoSeal Shuts Down Consumer VPN Service To Avoid Fighting NSA

Comments Filter:
  • by Austrian Anarchy (3010653) on Monday October 21, 2013 @07:20PM (#45195317) Homepage Journal
    Back in the old spy days, the gentlemanly thing to do was crack the other guy's encryption, NOT beat his keys out of him. This is just cheating, pure and simple.
  • Time to start (Score:5, Interesting)

    by ugen (93902) on Monday October 21, 2013 @07:20PM (#45195319)

    Sounds like it's high time time to start a VPN provider in SeaLand (or what do we have left that's not firmly in jurisdiction of governments with grubby hands and long noses)?

    • Re:Time to start (Score:4, Informative)

      by Austrian Anarchy (3010653) on Monday October 21, 2013 @07:27PM (#45195405) Homepage Journal

      Sounds like it's high time time to start a VPN provider in SeaLand (or what do we have left that's not firmly in jurisdiction of governments with grubby hands and long noses)?

      Perhaps your solution lies on a "pirate" data boat on the high seas?

    • by dmbasso (1052166) on Monday October 21, 2013 @07:41PM (#45195537)

      Will you let the Seamen manage your VPN? Be careful of backdoors!

    • Re:Time to start (Score:5, Insightful)

      by PopeRatzo (965947) on Monday October 21, 2013 @08:45PM (#45196043) Homepage Journal

      Sounds like it's high time time to start a VPN provider in SeaLand

      This, though maybe not in SeaLand.

      The first country that offers verifiably secure email and VPN services to the world will enjoy an economic boom and the love of billions. And if it's a country like Iceland, it could go a long way toward making them wealthy. And if the US decides to invade Iceland, then at least the gloves can come off and the world can declare the United States a rogue state. But I don't see that happening, because at some point, if the rest of the world really starts to turn sour on the US, you'll start to see things change over here. But as long as we have to cover of the EU and Asia as our allies, the US spymasters can pretend that all is well. But with every week there's a new revelation about a president of a free country having their email hacked by the NSA, maybe we're closer to a worldwide shunning than we think.

      I'd gladly pay for secure email that I knew was beyond the reach of the upskirting creeps in the NSA. And I would love to be able to pay a place like Iceland, Finland, etc for that privilege.

      No one who values freedom, economic, social or just the freedom to not be watched, should be quiet about this. Me, I've become a one-issue voter thanks to the revelations about what the NSA is up to. Any legislator who voted against reining in those bastards is now on my list to support any opponent who will vote to put a stop to ubiquitous surveillance in the US.

      • by icebike (68054)

        I'd gladly pay for secure email that I knew was beyond the reach of the upskirting creeps in the NSA.

        Would you?

        How much would you pay? It seems the going price is around $10/Month.

        http://gizmodo.com/why-kolab-might-be-the-best-secure-email-service-still-1171618005 [gizmodo.com]

      • Re:Time to start (Score:5, Insightful)

        by Shavano (2541114) on Monday October 21, 2013 @10:03PM (#45196535)

        What the hell? Why would I trust ANY country, or for that matter ANY third party with my encryption codes? I generate them myself, keep them to myself and never disclose them to the government or to any business.

        • An email system requires the recipient to be able to read the email. That requires them having a valid key. The simple way is to have each user have a key to give secure communications with the email provider, who decodes the messages then recodes them with the recipients codes for delivery. And that makes a single point of failure, the email provider has all the codes.
          • Re:Time to start (Score:5, Insightful)

            by chihowa (366380) on Monday October 21, 2013 @11:22PM (#45197029)

            If you're going to move yourself and your contacts to a system incompatible with plain old email, why not just start using GPG (or even S/MIME)? Why choose a "solution" where you have no choice but to trust a third party (who you've never even met, in a foreign country, with opaque practices and facilities)?

            With GPG, nobody but you and your contact can decrypt the messages. If you add in a third party, they can now decrypt the messages too. You're adding points of failure this way, not making fewer of them! Why on earth would you even trust the provider? Why would you choose a system where you have to?

      • Re: (Score:2, Insightful)

        by viperidaenz (2515578)

        The first country that offers verifiably secure email and VPN services to the world will enjoy an economic boom and the love of hundreds, maybe thousands.

        FTFY, because billions of people just don't really care that much to do anything about it.

  • Sorry... (Score:4, Insightful)

    by Anonymous Coward on Monday October 21, 2013 @07:21PM (#45195325)

    You are not going to have much advanced IT business left over there soon if this goes on.

    • Re:Sorry... (Score:5, Interesting)

      by ObsessiveMathsFreak (773371) <obsessivemathsfreakNO@SPAMeircom.net> on Monday October 21, 2013 @07:43PM (#45195567) Homepage Journal

      You are not going to have much advanced IT business left over there soon if this goes on.

      I think we are witnessing the (not very) slow disintegration of the principals and reality of the American Internet. Whether the internet itself will survive this is another matter.

      • Re:Sorry... (Score:5, Interesting)

        by ColdWetDog (752185) on Monday October 21, 2013 @08:00PM (#45195679) Homepage

        We all knew this would happen. As soon as the government saw that the Internet was an opportunity and / or threat, they would work to get it under their control. Actually took them a bit longer than I expected, although the NSA-style snooping has likely gone on longer than we realize.

        Nothing to see here, move along.

        • Re:Sorry... (Score:5, Insightful)

          by houstonbofh (602064) on Monday October 21, 2013 @08:17PM (#45195827)

          Nothing to see here, move along.

          Plenty to see here. Mainly, that businesses now have yet another reason to offshore.

        • It wouldn't be NSA style if you realized it was going on....

      • The internet was designed to survive a nuclear war, and the flame war going on because of the NSA surely counts as the next closest thing. Given that most of the "great" achievements of the USA were done by foreigners, I think it's time to import the next generation.
  • by lesincompetent (2836253) on Monday October 21, 2013 @07:23PM (#45195349)
    I hope that when american corporations start seeing their customers scared away by this 1984 crap they'll turn their lobbying powers to reverse the trend.
    Isn't this how politics work in the US, the country that legalized bribery?
    • Re: (Score:2, Troll)

      by icebike (68054)

      I hope that when american corporations start seeing their customers scared away by this 1984 crap they'll turn their lobbying powers to reverse the trend. Isn't this how politics work in the US, the country that legalized bribery?

      Would someone please hurry up and start scaring them away?!!

      Because I'm not seeing any rush to forbid Facebook or Google or restrict use of American Cloud providers.
      In fact they are growing faster than their off-shore competition.

      Oh, yes, we've seen the boastful threats of EU legislation, but the EU can't even agree that Tuesday follows Monday,
      let alone do any thing to inflict a penalty on anyone using American services.

      And in spite of the indignant bashing of all things American (and there is no doubt a gr

  • I wonder what the public reaction would be if some pro-democracy dissident who is operating covertly in their own hostile country is murdered and the country gives a press release saying that they couldn't have found their criminal if it wasn't for the help of the NSA compromising internet security...

    Does that put the NSA/FISA on the side of dictatorships and other anti-freedom nations?

    • by AHuxley (892839)
      Re side of dictatorships and other anti-freedom nations?
      http://www.zerohedge.com/contributed/2013-10-17/apologist-assassination-americans-be-named-new-homeland-security-chief [zerohedge.com]
      Guess your may find out that the terms "pro-democracy", "dissident" and "internet security" means legally speaking soon :)
    • by eyegone (644831)

      I wonder what the public reaction would be if some pro-democracy dissident who is operating covertly in their own hostile country is murdered and the country gives a press release saying that they couldn't have found their criminal if it wasn't for the help of the NSA compromising internet security...

      It depends. Is American Idol on that night?

    • by gl4ss (559668)

      well usa has already done bombing of dissidents on behalf of foreign nations. that's what the the drone strikes are, technically. the host nation doesn't want to send in cops so they can ask for them to be hellfired from the sky.

      (not pro democracy dissidents but dissidents none the less)

  • DoS? (Score:5, Interesting)

    by dex22 (239643) <plasticuser@gma[ ]com ['il.' in gap]> on Monday October 21, 2013 @07:26PM (#45195381) Homepage

    What is to stop the NSA doing a form of DoS attack on these types of services by demanding keys, and giving the services little option but to shut down?

    The effect of this is to remove secure competitors from the market and force users onto pre-compromised services.

    • Re:DoS? (Score:5, Insightful)

      by LordLucless (582312) on Monday October 21, 2013 @07:34PM (#45195477)

      The effect of this is to remove secure competitors from the market and force users onto overseas services.

      Fixed that for you.

      • by PPH (736903)

        That will work until the US Congress passes a law similar to FATCA [wikipedia.org] which compels foreign businesses to turn over financial records involving US persons. So far, few if any foreign countries have attempted to defend their sovereignty to protect Americans. I doubt much will change when it comes to data.

        It matters very little anyway. Because the 'big money' is in corporate accounts and corporate data. You and I, as individuals, can't wave a magic legal wand and move ourselves offshore. Corporations can. And t

        • Re:DoS? (Score:4, Interesting)

          by myowntrueself (607117) on Monday October 21, 2013 @09:26PM (#45196303)

          That will work until the US Congress passes a law similar to FATCA [wikipedia.org] which compels foreign businesses to turn over financial records involving US persons. So far, few if any foreign countries have attempted to defend their sovereignty to protect Americans. I doubt much will change when it comes to data.

          It matters very little anyway. Because the 'big money' is in corporate accounts and corporate data. You and I, as individuals, can't wave a magic legal wand and move ourselves offshore. Corporations can. And that's who the people running offshore banks or data services cater to.

          What FATCA is achieving is that many non-US financial institutions are turning away customers who are US citizens; they won't have their money, don't want their custom. And many of these US citizens are giving up their US citizenship because of this. There are millions of US citizens around the world who are experiencing this financial blacklisting because of FATCA, especially in the EU.

    • And even if you go with Brand-X VPN service that is all over the world, what's to say that because they might have servers in the USA their key isn't already compromised? Or that someone at Brand-X wasn't paid off by the NSA for the key? Or that they obtained the key directly from the key right when it was signed?

      Let's go all out on this. I'm really curious to see what others think of these conspiracy theories. Because lately they could just as easily be believed because of some of the stuff that has co

    • Re:DoS? (Score:5, Interesting)

      by Teckla (630646) on Monday October 21, 2013 @07:48PM (#45195607)

      The effect of this is to remove secure competitors from the market and force users onto pre-compromised services.

      I know this is going to sound mighty odd, but hear me out...

      I kind of wish the NSA sold things like consumer routers, for which they wrote all the firmware, user interface, etc.

      The NSA employs Really Ridiculously Smart People, so then I could count on my router being really, really secure against everyone and everything... except the NSA.

      Which would be an OK trade-off for me, and I think would be an OK trade-off for a lot of people...

      • by noh8rz10 (2716597)

        The NSA employs Really Ridiculously Smart People, so then I could count on my router being really, really secure against everyone and everything... except the NSA.

        Which would be an OK trade-off for me, and I think would be an OK trade-off for a lot of people...

        oh, totes. if the nsa gave you a router with a 100% backdoor for them, then you would be golden against all other threats. except... obv the nsa can be infiltrated cf snowden. and others could engineer your router backdoor. and if the nsa has a router backdoor they could potentially get access to your computer and all your bizness, not to mention the computers and bizness of everybody you communicate with.

        So, perhaps you would rethink your hypothetical statement?

        • by Teckla (630646)

          oh, totes. if the nsa gave you a router with a 100% backdoor for them, then you would be golden against all other threats. except... obv the nsa can be infiltrated cf snowden. and others could engineer your router backdoor. and if the nsa has a router backdoor they could potentially get access to your computer and all your bizness, not to mention the computers and bizness of everybody you communicate with.

          I would trust the NSA's security guys to get security better than any for-profit company with strong economic incentive to cut corners.

          And I realize I'd be handing the NSA the keys to get inside my network -- that's the trade-off I think many people would find worthwhile -- giving the NSA access in exchange for them writing the most secure firmware they possibly could.

          • by Urza9814 (883915)

            What exactly makes you think the NSA would have any incentive to do a better job than the existing producers? My guess would be the NSA's products would be *worse*. They don't need you to trust them. They don't need to turn a profit. Things are easier for them if you shit is not secured. And they don't give a damn if anyone else reads your traffic. Exactly what incentive would they have to make things secure?

      • Re: (Score:3, Insightful)

        In Italy we call that "mafia". That is, paying criminals against your will, to protect you from themselves and other bad guys.
    • What is to stop the NSA doing a form of DoS attack on these types of services by demanding keys, and giving the services little option but to shut down?

      Nothing, seemingly. The NSA seem to act completely in secret, US citizens aren't privy to their actions or any court rulings except those disclosed months or years after the ruling. It's like playing a game where no-one but one player knows the rules, you are certain to lose.

      The choice seems to be either compromise your service, or shut down your business. I really feel for anyone who is having to give up their livlihood on account of their actions.

      One thing is certain. This is the antithesis of democracy.

      • by eyegone (644831)

        One thing is certain. This is the antithesis of democracy.

        Bullshit.

        It may be illiberal; it may be unconstitutional; but it is very, very democratic.

        A large majority of human beings have always been (and presumably always will be) perfectly happy to trade something as abstract as "privacy" or "liberty" for the comforting illusion of protection from the bogeyman de jour.

    • by Shavano (2541114)

      It SHOULD force you onto servers where you alone hold the key to your data, which is the only way to do business in the first place.

  • Sad (Score:5, Insightful)

    by Anonymous Coward on Monday October 21, 2013 @07:26PM (#45195387)

    We've got technology businesses shutting down their services because they are now afraid of (i.e.: terrorized by) their own government?
    Did the terrorists actually win this war on terror?

    • by game kid (805301)

      Won this war, and started this war.

    • Re:Sad (Score:5, Insightful)

      by adolf (21054) <flodadolf@gmail.com> on Monday October 21, 2013 @07:50PM (#45195625) Journal

      We've got technology businesses shutting down their services because they are now afraid of (i.e.: terrorized by) their own government?
      Did the terrorists actually win this war on terror?

      The terrorists won as soon as we had to take off our shoes and throw away our nail files in order to get on an airplane, starting around 12 years ago.

      It's been an easy slide down the slippery slope since then.

    • by jschrod (172610)

      Did the terrorists actually win this war on terror?

      Yes, for sure, in the USA they did. It was a full-fledged, all-around victory, without any substantial opposition. That the terrorist's victory also helped companies like Halliburton to enormous profits was not inconvenient, either. Haven't you left your mother's basement in the last 13 years?

    • Re:Sad (Score:5, Insightful)

      by couchslug (175151) on Monday October 21, 2013 @09:37PM (#45196367)

      "Did the terrorists actually win this war on terror?"

      Yes, but there were multiple winners.

      AQ inflicted trivial numbers of casualties compared to conventional wars, did that with minimal assets and personnel, and triggered/excused the US elites doing what they'd been working at anyway. The team damaged the US + world.

      The terrorists won by getting their adversary to make toxic structural changes, and the elites won by obtaining the excuse to make those changes! The American public and other Star Trek Red Shirts of the world lost. AQ and the Elites can both claim victory BUT also claim the battle is not over. Obvious to see where this will go...

  • anyone anywhere (Score:5, Insightful)

    by YesIAmAScript (886271) on Monday October 21, 2013 @07:36PM (#45195497)

    For anyone operating a VPN mail or other communications in any country you should consider that your government can compel you to produce information.

    This intellectual exercise has been done a long time ago by those who looked a little deeper than you. It's why there were crazy ideas such as offshore data havens.

    In the end, you can't really do anything about it. The government your company is under (at the very least, maybe other entities too) can compel you. So now it's just a matter of which government you're least worried about.

    • by BitterOak (537666)

      For anyone operating a VPN mail or other communications in any country you should consider that your government can compel you to produce information.

      True. Is anyone here old enough to remember anon.penet.fi?

    • In the end, you can't really do anything about it. The government your company is under (at the very least, maybe other entities too) can compel you. So now it's just a matter of which government you're least worried about.

      In the end the problem is bigger than that. The government of the countries you do business in can tell you to do certain things too, as many Europeans are fond of pointing out to Americans.

  • by arthurpaliden (939626) on Monday October 21, 2013 @08:04PM (#45195701)
    So the NSA is supposed to be covertly gathering intelligence. Yet they use high pressure tactics that force these sites to shut down therefore tipping off their users that something may be amiss. Leading them to change their procedures there by wasting all the time an effort the NSA put into thin initial investigation.
  • by duke_cheetah2003 (862933) on Monday October 21, 2013 @08:33PM (#45195963) Homepage

    Maybe the US Government's objective here is not collect data from these types of services like LavaBit, SilentCircle or whoever else has shuttered in fears (or actual) of being tapped by the NSA.

    It's starting to feel like to me the objective isn't the data, the objective is the services. This is denial of service. Denial of crypto services by the US Govt.

    I just can't really see why they would put the pressure on so blatantly. It's like they're sending a clear message to all of us, no more crypto services, we're going to find you and tap you so you're are ineffective, or shut down.

  • by Heretic2 (117767) on Monday October 21, 2013 @09:31PM (#45196339)

    Donate to Lavabit legal fund [rally.org]

    The legal briefs filed so far [wired.com] look like they are about to hand the government its own ass in respect to seizing SSL keys.

    • by greenbird (859670)

      look like they are about to hand the government its own ass in respect to seizing SSL keys.

      Never gonna happen. And neither you nor anyone else will ever know why. Cause, you know, national security all.

  • Okay, this whole synopsis is off base here. While CryptoSeal is shutting down it's over the ramifications of the Lavabit case...

    With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

    Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

    Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.

    We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit [rally.org] We believe Lavabit is an excellent test case for this issue.

    We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.

    To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.

    For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.

    What you have is a Federal Judge, the regular unleaded variety not the leaded FISA guys ordering that since Lavabit can't give the government what they're asking for, give us your SSL keys so we can go ahead and dig however we want with whatever traffic we choose to monitor or have already stored. It's an interesting legal theory and there's probably no precedent that the judge i

  • Right, now just wait until as a cost saving measure the NSA starts using 'advanced' software analysis programs to not only tag but also to vet all your emails and chats instead of people and then you end up automatically being put on a watch list.

    Now try to get off of it.

    That is the problem.

Never trust an operating system.

Working...