Lavabit Briefly Allowing Users To Recover Their Data
itwbennett writes "Former users of the Lavabit encrypted email service that was shut down in August have 72 hours (starting yesterday at 7 p.m. U.S. Central Time) to change their passwords and start recovering their data. 'Following the 72 hour period, Thursday, October 17th, the website will then allow users to access email archives and their personal account data so that it may be preserved by the user,' said Lavabit's founder and owner Ladar Levison."
It's a trap! (Score:5, Informative)
It must be encrypted and the only way for the nsa to get it is to have it unencrypted and sent over the wire via ssl!!!
Re: (Score:2, Offtopic)
It must be encrypted and the only way for the nsa to get it is to have it unencrypted and sent over the wire via ssl!!!
Exactly - cause when it was sent to the server unencrypted, and then encrypted ON the server itself with the password you sent - it's totally secure.
I'll just give my lockbox key to the teller, watch her disappear into the vault, and she should reappear with all my stuff without having looked through it.
Re: (Score:2)
Or maybe he doesn't have that much say in the matter...
Re: (Score:2)
They can't force him to say a damned thing. They can only force him to be silent.
They could, of course, trump up some charge (or even use a real violation, the arguable real purpose to well over 60,000 laws -- having something you can lord over the head of everyone somehow) and let him off the hook if he lies out his ass.
My god. How did we get to this cynical point in our own government?
Oh yeah, studying all of human history.
Re: (Score:3)
It's a trap!
SNMP confirms.
Re: (Score:2)
also a funny reply. for those that don't get the joke, in SNMP you often do a 'walk' of the MIB tree. 'walking' is a frequently used term in this field.
Re: (Score:2)
funny. I guess no one understands the joke, but I thought it was a funny reply.
Re: (Score:2)
maybe so, but it's only a matter of time before the government decides who it's going to GET-NEXT.
Re:It's a trap! (Score:5, Insightful)
i consider my lavabit mail a lost cause
Then you are not the user that the archive download service is intended for.
Many users expressed a desire to download the contents of their mailbox even if it meant that the messages would be potentially snooped on, as they had important-but-not-private messages that they needed to recover. The archive download service is intended for those users, not those with high-security needs.
Re: (Score:1)
Considering LavaBit is intended for the high-priority-needs user, I find it hard to suspect that this is a very large demographic.
Re: (Score:3)
Considering LavaBit is intended for the high-priority-needs user, I find it hard to suspect that this is a very large demographic.
Perhaps. I recall there being a rather substantial number of unhappy users who wanted access to their mail even if it could be snooped -- such users posted on various public fora, commented on articles, etc.
I wouldn't be surprised if many users used Lavabit simply because it was a reasonably priced (for the paid plans) IMAP/POP3/SMTP service with a strong privacy policy, didn't do data-mining, etc. Such users may well want to recover the contents of their mailboxes even if it means that they might get snoop
Re: (Score:1)
Considering LavaBit is intended for the high-priority-needs user, I find it hard to suspect that this is a very large demographic.
Seems to me that this debacle serves to highlight another reason to take charge of your own mail via POP3. That way, you can manage your own backup routine, which of course means that if you fail to do so, you're SOL and deserve to be.
I'm sometimes accused of being a troglodyte for my preference to POP3 over IMAP, but the latter offers nothing I really want, including an absolute dependence on the availability of an internet connection, which is not universally practicable where I live.
Re: (Score:1)
I actually tend to agree with you on that. I just don't use email for much of anything at this point other than resetting passwords to various accounts online when necessary. Back when I did use it more, I did the same, and encrypted when available (signed when not).
Re: (Score:2)
I don't think you know what honeypot means... based on who I've met in govt, I think a NSA honeypot would be remarkably unsuccessful.
I wonder what will replace LB... (Score:3)
I wonder what will replace Lavabit for secure E-mail [1] these days. There is always the old standby Hushmail, but it would be nice to find something that can do other features (calendars and such.)
[1]: Others, it is different, but to me, a secure mail provider, where I am their paying customer and not their product, where they have innate intrusion resistance, and their mail service is designed so an attacker couldn't just grab Exchange mailboxes, or scp off /var/spool/mail/*. More assurance than "yes, we use 'encryption', 'passwords', and 'firewalls'."
Re: (Score:2)
Just use GPG with any email service you like. Nothing else is trustworthy.
Re: (Score:3)
What makes you think GPG is?
Re: (Score:2)
It's opensource and regularly audited?
Re: (Score:2)
GPG has had a number of eyeballs on it, as well as funding from more than one government (Germany in particular.)
All in all, it is a good program, although trying to build 2.x on a number of platforms like AIX can be an exercise in frustration due to the sheer number of libraries it uses.
Re: (Score:2)
Good point. Most of us can't trust GPG anymore, due to having made those GPG keys under Windows.
Dual-booting is my only real option since I can't completely abandon Windows. I thought of live USB booting, but found no trustworthy linux distribution anyway. Redhat has government ties, derivatives like Centos are not safe either. Ubuntu? It was the first big disappointment with GUI decisions, so few would trust it with our security in face of NSL meddling. Mandrake and derivatives? Too dead, and fail to boot p
Re: (Score:2)
I've been using PCLinuxOS, and it has many different encryption options incorporated in the right click menu.
Encrypt, decrypt with various options and ciphers as well as gpg encrypt and mail.
I'm finding it very well thought out, and user friendly, as well as everything just works. The control center, and system settings managers take care of everything I would ever need to configure, and there are many options to secure and verify the system.
Their monthly magazine of tips and tricks is a nice read, and ever
Re: (Score:2)
Thanks
I too stopped at Ubuntu 10. I'm not sure why I hadn't looked at this distro before. The full monty looks good from what I see on their page and wikipedia which includes printing, multimedia and liveusb support. I'm going to get it.
Re: (Score:3)
I think you'll really enjoy it!
There is also a script in the menu that allows you to make a live CD or live USB from your customized install, so you can get it how you like it, and then clone it to take with you. When you do a system update, just make new live media to take along, and if you do screw up your home install, just reinstall your custom version from your live media and be right back where you were in a few clicks.
It's the most well thought out distro I've ever used, and I (used to until now) do
Re: (Score:2, Interesting)
I started using https://mykolab.com
They have calendar service too.
Balancing Act (Score:2)
If one had enabled the secure storage functionality at Lavabit prior to the shutdown, the messages are inaccessible without the password. Naturally, with the password an adversary (say, the feds) could decrypt the messages (assuming they have a copy -- Ladar has stated in several public interviews that the feds did not make a copy of data on the servers).
Thus, one needs to balance the security of the messages stored with Lavabit with the desire to access old messages. Many users don't have any particular co
Could be a trap but there is a solution (Score:1)
Lavabit should let its ex-users with encrypted mailboxes download their data in the encrypted form that it's currently stored on the server. If they provide instructions on how to decrypt it properly, or even some utilities to help do so.
This way Lavabit doesn't have to be trusted. Download the data and decrypt it with your passphrase on your own computer!
Sounds good for some people (Score:1)
But "walk up" service with a clone of the Lavabit server running on a private LAN would be better.
If I were Lavabit and wasn't prohibited by court order or economic reality, I would offer this service over a several-month period, but I would ask (not require) that the customers donate a "reasonable" amount to the EFF or another freedom-supporting organization, where "reasonable" is the amount of money I'm losing by providing this service.
If I (as Lavabit) had the funds, I would "take this on the road" to ma