8/9/2013
09:57 AM

Lavabit, Silent Circle Shut Down: Crypto In Spotlight

Two encrypted email services shut their doors; gag order clouds details of apparent U.S. government interest related to Snowden case.

Encrypted email service provider Lavabit is shutting down, but a gag order prevents the company from detailing exactly what triggered that business decision.

Ladar Levison, the owner and operator of Texas-based Lavabit, said in a statement that his hand was forced after six weeks of legal wrangling and two attempts by him to quash the gag order, both of which were rejected by a judge. As a result, he's not at liberty to publicly reveal exactly what's going on.

"I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit," he said. "After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot."

Lavabit had promised that it would be an "e-mail service that never sacrifices privacy for profits" and "only release private information if legally compelled by the courts in accordance with the U.S. Constitution." The service backed up those claims by storing only encrypted versions of emails on its servers. Those emails could then be decrypted only with the user's passphrase, which the service didn't store.

Lavabit's closure led startup company Silent Circle to announce Thursday that it would shutter Silent Mail, which is its encrypted email service. "We see the writing [on] the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now," said Silent Circle CTO Jon Callas in a blog post.

Privacy rights advocates slammed the secret legal maneuvers by the government that led to the closures. "We need more transparency so the public can know and understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity," said Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation (EFF), in a blog post.

In response to the two services being shuttered, the team behind the free, open source GPG Suite offered their software as an alternative. "We're sorry to hear that lavabit and silent mail shutdown [sic]. OS X users wanting to protect your mails, have a look at https://gpgtools.org," they tweeted.

But in his blog post, Silent Circle's Callas suggested that technologically speaking, any type of crypto email may offer less security than it seems. "Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves," he said. "Email as we know it with SMTP, POP3, and IMAP cannot be secure."

Furthermore, leaked National Security Agency (NSA) operating guidelines suggest that simply using encryption tools draws extra scrutiny from the agency's analysts. Encrypted communications, when intercepted, are also exempt from protections afforded to Americans' regular communications. While ordinary communications can legally only be retained by the NSA for six months, unless they contain evidence of a crime, encrypted communications may be retained indefinitely.

Lavabit's Levison sounded a further ominous note for anyone storing any type of sensitive data with a third party. "This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States," he said.

What led to the U.S. government -- or intelligence services -- taking an apparent interest in Lavabit? The most likely answer is that NSA whistleblower Edward Snowden used the service. That was revealed last month when Tanya Lokshina, a senior Russia researcher for Human Rights Watch in Moscow, published a copy of an emailed invitation asking her to attend a meeting at the local Sheremetyevo airport to discuss Snowden's bid for asylum, sent from "edsnowden@lavabit.com." Snowden also used Hushmail and PGP encryption.

The closure of two well-regarded crypto email services is the latest chapter in the ongoing saga kicked off by Snowden's leaking of documents -- not all of which have been published -- that detail secret NSA programs, including the agency's wide-ranging digital dragnet that captures and stores the everyday communications of millions of Americans. That state of massive surveillance is aided by a secretive Foreign Intelligence Surveillance Court that in recent years has apparently compelled technology providers -- including Facebook, Google and Microsoft -- to provide the NSA with easy access to their users' communications.

Comments
Michael Endler
User Rank: Apprentice
8/12/2013 | 9:00:08 PM
re: Lavabit, Silent Circle Shut Down: Crypto In Spotlight
I think it would be appropriate. Here's one thing accomplished by the Internet blackout during SOPA debates: It made people who were unaware of SOPA, and who blithely tried to log onto Wikipedia or whatever, stop and think about the interaction between technology and government. The relationship is trending very rapidly in a certain direction, and the social conversation is several years behind. With these most recent stories, it will be good for more people to stop and think again.
JosephB344
User Rank: Apprentice
8/9/2013 | 9:56:12 PM
re: Lavabit, Silent Circle Shut Down: Crypto In Spotlight
"There is a very small window here, for something to occur to shut down this thing.

That window is closing rapidly; you can bet that any meetings being held, are being held for "EVERY" reason other than to "engage in a national debate", such as this charade with Apple, Google, and AT&T, all subterfuge, designed to get the people believing something will occur...

They will seek to buy time with numerous meaningless meetings, and toothless investigations, while behind the scenes they will be busy little sociopaths, burying the entire program ever deeper within society, honing their abilities, and furiously developing ways to make it all more and more invisible to everyone...

If we want to see real change occur, we need to demand that a verification process be set up, throughout the country, with offices set up in every state, staffed by individuals who are vetted and proven to have no ties of any kind with any governmental agency or subcontractor of any governmental agency...

These individuals will be equipped with state of the art audio and video recording equipment, and just like the NSA did after Snowden blew the whistle, teams of two or more individuals will record the removal and total destruction of surveillance equipment that is being used against law abiding Americans and others throughout the world...

Recordings will be made of the destruction of all private records of whomever has been subjected to such collection, and individual letters will be sent to all, attesting that all illegally held surveillance records have been destroyed, and apologizing for the invasion of privacy.

With respect to damages, which are yet to be determined, a special multi-billion dollar fund will be set up to make people whole, again, under the control of totally independent individuals or entities, subject to public verification as well...

Out of time, but essentially, what I'm proposing here is that process that, someone suggested, during the Nuclear Reduction Treaty with Russia, be employed to establish compliance, referred to as "Trust But Verify".

At this stage in this game, No one in their right mind could possibly trust anything anyone in our government or any of its agencies does, or indicates they will do...

One last thing, the perpetrators need to be publicly charged with crimes against the American people and other Nations, arrested, tried and jailed, no exceptions...

Treat these b8stards as was done during the Nuremberg Trials... That will teach all those out there who might consider attacking our Constitution and our Bill of Rights, in the future, that there will be consequences...

I'm so bl**dy upset I can hardly think coherently..."
Thomas Claburn
User Rank: Moderator
8/9/2013 | 9:43:26 PM
re: Lavabit, Silent Circle Shut Down: Crypto In Spotlight
The entire U.S. Internet community ought to shut down temporarily to protest secret law and gag orders.
Drew Conry-Murray
User Rank: Ninja
8/9/2013 | 9:24:26 PM
re: Lavabit, Silent Circle Shut Down: Crypto In Spotlight
I think this is an unfortunate outcome. I've been very unhappy with the NSA's data collection of Americans' communications. Terrorism is a serious and significant problem, but it's not carte blanche to subject citizens to life in a surveillance state.