
Goodbye Lavabit

Shados

Professional Snake Miner
There's no valuable contribution that you can make to privacy unless you're willing to invent new forms of cryptography.  The heart of the intelligence beast is the gatekeeper for cryptographic standards.  And if you're inventing new forms of cryptography, you had best get them right, or your cryptography work is useless.

Building isolated infrastructure just means the beast will attack your infrastructure at the points you don't control.  So, for example, they will just tap your traffic upstream if you refuse to comply.  And, that may make your upstream disconnect you.  See, there's plenty of ways they can get in your head and mess with you, as a service provider.

There is certainly no way to have privacy from the beast on the modern Internet.
Inventing new forms of cryptography is far from the only way to make a valuable contribution to privacy as a 'cause', and really, it's not even the best one. You can build secure, distributed, infrastructure without centralized points of failure, control or observation, you can raise awareness about security & privacy issues, you can lower the barrier to entry for laymen interested in privacy/security, etc.

So start building city-wide wireless mesh networks and then figure out a way of interconnecting them long-distance... of course, even though your upstream is now not sanely controllable/compromisable, they'll still be able to find another way to fuck you, but this stuff is like any kind of security: It's not about making something 'unbreakable', it's about making it prohibitively difficult to break.

Thanks for posting about Bitmessage.  It is new to me.  Starting to get up to speed and knowledgeable about it.

P2P isn't any layer of security.  It just is kind of like everyone is a server.  Distributed many servers instead of fewer centralized servers.  

In regards to email, the entire hassle of reverse DNS, non moving server target, etc. poses a clear privacy and monitoring issue, so giving a server mobility, ability to change IP, etc. is a mass improvement --- but of course we are comparing email to something entirely different.
P2P/distributed systems design (if done right) does provide some level of extra security because it makes it significantly more difficult for any single organization to attack, control or monitor the entire system. If your infrastructure is federated (and why not, if you're building something distributed in the first place), then you also get 'trust agility'.

These are strange days considering modern history where the world's largest COMMUNIST nation is hip tied to the world's purported beacon of freedom and independence.  After all those decades of Cold War, all that money extorted from citizen sweat, and now we lay with the commies?!?!?  See, simple I say, reality isn't as it was advertised to us.
To be fair to communism, China is not particularly communist in their actions - more like some bizarre state-run capitalism. On the other hand, to be fair to capitalism, everywhere else isn't particularly capitalist (let alone actually good at being capitalist, as opposed to good at being short-sighted and stupid).
 

Aldryic C'boas

The Pony
buffalooed said:
But, prior to near recent times in the US, worst that could happen publicly is
Fixed that for ya.  Don't get me wrong, there were a lot of people publicly hauled off.  Speaking as someone who used to have partial access to a 'suspect' file repository.. yeah, the hauling off was only done to mask the people that simply vanished for good.
 

drmike

100% Tier-1 Gogent
So start building city-wide wireless mesh networks and then figure out a way of interconnecting them long-distance... of course, even though your upstream is now not sanely controllable/compromisable,
Yeppers, truly time for next generation semi-open wireless on local / regional basis.  Independent operations, not incumbent monopolies.

Still have the issue with anything destined for the other net --- the controlled internet --- and your upstreams which are all spying and complying with mass monitoring and recording of likely everything.  So that needs to enter and tunnel out to elsewhere and ideally multiple tunnels to multiple ends.

 Speaking as someone who used to have partial access to a 'suspect' file repository.. yeah, the hauling off was only done to mask the people that simply vanished for good.
Before the hauling away and being disappeared by truly CIA and related intelligence agencies (mainly) doing it + their contractors.   Now it could be any alphabet agency for any ridiculous reason or total lack of reason.

Killing people in almost every circumstance other than say self defense is criminal.   Government wants to watch, I say sure, now let's make all your "secret" stuff transparent and monitored too.   If we catch you doing as government criminal things, then life in prison and/or death penalty.   Violate rights, oh yeah, they've been doing that...  They should face the piper and pay up.

Remember our common social saying of don't shoot the messenger?  In times of war and desperate retaliation, those bearing gifts, the messengers should be sent back gifted.  Only a matter of time before this all escalates into physical conflict.  Seems to be what Uncle Scam wants, sadly.
 

jarland

The ocean is digital
Remember that not every task in a war is about immediate victory. They may shut down what we do, circumvent it, adapt, all those great things. We just keep on. There have always been people who oppose the idea of freedom, there will always be. A call to arms or a call to keyboards? Start coding!
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Pretty sure Lavabit was hosting some Tor related stuff, including FreedomHosting and TorMail.

Court records show that, in March, Lavabit complied readily with a search warrant targeting a child pornography suspect in a Maryland case. That suggests that Levison isn’t a privacy absolutist. Whatever compelled him to shut down now must have been exceptiona
Lavabit ordered to (1) let FBI take over Snowden's account? (2) Send Snowden a 0-day? (3) Something to do with Freedom Hosting? Lavabit was also a hosting company. I missed one obvious possibility. Freedom Hosting may have run its hidden services there.
Source: http://www.reddit.com/r/technology/comments/1jyzpl/i_have_been_forced_to_make_a_difficult_decision/

Do you guys feel safer now?
 

texteditor

Premium Buffalo-based Hosting
These are strange days considering modern history where the world's largest COMMUNIST nation is hip tied to the world's purported beacon of freedom and independence.  After all those decades of Cold War, all that money extorted from citizen sweat, and now we lay with the commies?!?!?  See, simple I say, reality isn't as it was advertised to us.
China has never really been communist, even in Mao's day
 

texteditor

Premium Buffalo-based Hosting
You'd have figured after the whole Hushmail thing the people who were truly paranoid about email would have learned that self-hosting is the only real option
 

MannDude

Just a dude
vpsBoard Founder
Moderator
You'd have figured after the whole Hushmail thing the people who were truly paranoid about email would have learned that self-hosting is the only real option
But is it? I mean, what's to stop your average VPS provider from complying and giving some agency access to their machines? Not hard to see what's going on in VPSes once you have access to the host node with OpenVZ. Unsure what the process is for KVM and Xen, but that's just because I've not dealt with either. Sure it's not difficult if someone wanted or 'needed' to.

Internet sucks anyways. I'd rather just have a city-wide meshnet so I can see what's going on in my local community and communicate with my friends. "Oh nice, this restaurant is having a great deal. They've got the best rubens!"

I've always said that I work from home and use the internet so that one day I can live without it. Need to make that happen sooner than later now. :p
 

drmike

100% Tier-1 Gogent
Kevin Poulsen has some interesting thoughts on the subject:

Court records show that, in March, Lavabit complied readily with a search warrant targeting a child pornography suspect in a Maryland case. That suggests that Levison isn’t a privacy absolutist. Whatever compelled him to shut down now must have been exceptional.

and from his Twitter account:

Lavabit ordered to (1) let FBI take over Snowden's account? (2) Send Snowden a 0-day? (3) Something to do with Freedom Hosting? Lavabit was also a hosting company. I missed one obvious possibility. Freedom Hosting may have run its hidden services there.

Really frightening stuff. I feel bad now complaining to their support service about the frequent downtime in the last few weeks.

http://www.wired.com/threatlevel/2013/08/lavabit-snowden/

Lavabit ordered to (1) let FBI take over Snowden's account? (2) Send Snowden a 0-day? (3) Something to do with Freedom Hosting? #speculation

— Kevin Poulsen (@kpoulsen)

August 8, 2013
(Edit: added links)
 

jarland

The ocean is digital
He said all this that he can't talk about took place in the last 6 weeks. While the freedom hosting thing is possible, it just seems like we've got more clear lines to draw to Snowden as the likely cause that put Lavabit under the microscope. I had just paid for a year of service too. Not much money, don't want it back, wish I had more to give to their legal fund. No matter the circumstance, I highly doubt that a gag order is necessary for any short term risk to American citizens by the release of this information. More likely it's bad PR for the government. Speculation is all we have I suppose.
 

drmike

100% Tier-1 Gogent
No doubt Snowden brought the creep heat.   Hopefully these bureaucrats don't believe in hell and are right, cause I am certain they are headed for hot sulfur baths.   Then again, I think we can emulate hell and give them proper sulfur beforehand. Bahahahah!

Snowden while admirable, isn't a reason to go taking down legitimate businesses and disrupting commerce.  Obama has done quite good at killing legitimate businesses.  Add Lavabit to the list.  Screw it, let's set Lavabit part 2 up in Iceland and shoot them the bird.
 

Tux

DigitialOcean? lel
But is it? I mean, what's to stop your average VPS provider from complying and giving some agency access to their machines? Not hard to see what's going on in VPSes once you have access to the host node with OpenVZ. Unsure what the process is for KVM and Xen, but that's just because I've not dealt with either. Sure it's not difficult if someone wanted or 'needed' to.

Internet sucks anyways. I'd rather just have a city-wide meshnet so I can see what's going on in my local community and communicate with my friends. "Oh nice, this restaurant is having a great deal. They've got the best rubens!"

I've always said that I work from home and use the internet so that one day I can live without it. Need to make that happen sooner than later now. :p
KVM can be dealt with easily. Just attach gdb to it and force a memory dump.
 

perennate

New Member
Verified Provider
But is it? I mean, what's to stop your average VPS provider from complying and giving some agency access to their machines? Not hard to see what's going on in VPSes once you have access to the host node with OpenVZ. Unsure what the process is for KVM and Xen, but that's just because I've not dealt with either. Sure it's not difficult if someone wanted or 'needed' to.
Automatically encrypt all incoming emails with OpenPGP. And to avoid tampering, host it on your own computer. (And reinstall every two weeks... just kidding... maybe :)
 

drmike

100% Tier-1 Gogent
If someone has full server access regardless of platform, there is always total packet dumps as well as reading the raw disk files.

It is in part why shared environments are unsecured unknowns.

Securing such an environment for virtualized customer, well, can it actually be done?  Would require full cryptoed packet traffic and cryptoed disk.  The disk part is a puzzle I've never figured out since the OS would need to have credentials to read and write and that would require full access to the volume.
 

drmike

100% Tier-1 Gogent
Automatically encrypt all incoming emails with OpenPGP. And to avoid tampering, host it on your own computer. (And reinstall every two weeks... just kidding... maybe :)
Well, this isn't too far off of a semi solution that only hides the actual body of the message.  It still exposes the sender and recipient info.  So they know A and B interacted on this date and the subject.  That's leaking, but better than nothing.

If you use OpenPGP or equivalent on remote device, the message should be fully crypted along the way.  So no hazard there.

In that model could use absolutely any email server.  Secure, unsecure, etc.
 

GVH-Jon

Banned
Guys this is totally off topic but I met a guy the other day that looked like a 20 year old version of Snowden ..
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Someone should write-up some good tutorials... Just sayin'.

Been wanting to set up my own mail stuff for a long while, more as a learning project than for privacy reasons, but it can be both now.
 

perennate

New Member
Verified Provider
Someone should write-up some good tutorials... Just sayin'.

Been wanting to set up my own mail stuff for a long while, more as a learning project than for privacy reasons, but it can be both now.
There are good tutorials, but you have to use Google to find them :(

DuckDuckGo doesn't work so well yet.
 

drmike

100% Tier-1 Gogent
DuckDuckGo doesn't work so well yet.
Really?  While it isn't perfect (had issues looking for a local hardware store a city + state + hardware style search --- where the store showed up about 10th in results) it is pretty alright generally.  

When I have a search snafu I run the same on StartPage.com which is another supposedly secure search engine that does pull from Google.

I've found Google's results to be increasingly worse for most of my queries than they used to be.
 

drmike

100% Tier-1 Gogent
Someone should write-up some good tutorials... Just sayin'.
I might cobble together a DNS tutorial for end DNS users.  That's the first layer for some of these general security issues.

Since my interests and designs revolve around SSH tunnels, will probably mix that into the DNS piece.

Dawned on me today how much snooping, spying, watching, profiling and intelligence info is gathered just from passively recording DNS requests (domain + request IP).  All those DNS requests fly around fully plaintext in the wide open. Not for long soldiers.

As for email server roll your own, @jarland continues to swear by iRedMail as working currently with the Ubuntu environment.  It's short listed in my world.
 