Lavabit and its closure
I needed to research the Lavabit closure story and I found these links:
- http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html, the original story and the first to press.
- http://arstechnica.com/tech-policy/2013/08/ed-snowdens-encrypted-e-mail-service-shuts-down-leaving-cryptic-message/, followed by Ars Technica, who repeat Levison’s goodbye statement, then go to the Google cache and find and quote details of the encryption solution, including the use of ECC 512 to encrypt the payload and AES 256 for password exchange.
- An honest man, my post-facto documentation of the closure
- http://arstechnica.com/tech-policy/2013/08/in-wake-of-lavabit-shutdown-another-secure-e-mail-service-goes-offline/, Ars Technica covers Silent Circle’s decision to follow Lavabit and turn off their mail services, although they also have phone and text, which they claim are secure; they have end-to-end security… tell that to BlackBerry.
- Cory Doctorow also covers the Silent Circle decision at BoingBoing.
- http://www.theguardian.com/technology/2013/aug/08/lavabit-email-shut-down-edward-snowden, the Guardian reports on the Lavabit closure and the legal attempts to open up the courts, currently sitting in secret and issuing gagging orders. The new fans of openness are led noisily by Yahoo!
- http://arstechnica.com/tech-policy/2013/08/lavabit-founder-under-gag-order-speaks-out-about-shut-down-decision/ Still under the secrecy terms of the court and warrant, Levison starts to talk about why he closed down his company, describing the FBI’s actions and the warrants as unconstitutional. The page embeds a video and includes a quote from Ed Snowden from Russia.
- El Reg predicts that the Feds will take Levison to court, as his closure, rather than compliance, breaches the secrecy elements of the warrant and court rulings; in actual fact, it would seem he was already in contempt of court, so timely reporting again.
- http://arstechnica.com/tech-policy/2013/08/how-might-the-feds-have-snooped-on-lavabit/ This one is quite cool; it explains how to break open the Lavabit security solution. It suggests that this requires either source code engineering to insert traps that capture client encryption keys, or that Lavabit surrender their private key and thus open the content for all of Lavabit’s customers, some of whom will be US citizens and thus have 4th Amendment rights and protection from arbitrary search.
- Techdirt reports that once the certificate provider, GoDaddy, came to know that the certificate/encryption key had been compromised, they revoked it. It took a while and Lavabit is now gone, so it’s only a gesture, but at least it’s the right gesture. It’s also an interesting precedent: GoDaddy took the view that even a court-ordered seizure of a certificate violates the terms of issue.
- https://freedom-to-tinker.com/blog/felten/a-court-order-is-an-insider-attack/ Ed Felten argues that a court order is an insider attack. Felten starts from the Judge’s criticisms of Lavabit, when he questioned why it was so hard for them to comply with the original orders. (The reason is that they do not have individual account decryption keys and do not keep the data required to comply.) They did, however, have the master key. This would be the site certificate key, which would allow the capture of the passwords/private keys, and this is what they refused to surrender. Felten argues that the next generation of providers will need to build better protection against insider attacks, and that these will be more resistant to court orders.
- https://www.eff.org/press/releases/eff-has-lavabits-back-contempt-court-appeal – as we can see, it seems that Levison’s actions incurred the wrath of the FBI and he is up before the beak for contempt of court; in fact he’s been found guilty and the EFF are with him on appeal. The EFF bring up the argument that without trustworthy encryption, the internet breaks, or at least e-commerce does.
- PCWorld also cover this story about the EFF and its defence of Levison, or more accurately its desire to have the warrants declared unconstitutional, http://www.pcworld.com/article/2058000/lavabit-encryption-key-ruling-threatens-internet-privacy-eff-argues.html
- http://www.pcworld.com/article/2051860/us-demanded-access-to-encryption-keys-of-email-provider-lavabit.html – outlines the story up to the contempt ruling. The timing of this story suggests that the secrecy surrounding the execution of these legal powers meant that the story couldn’t be told until it reached the Court of Appeal. Levison rejected the warrants until he couldn’t, then he offered the key in an unusable format; the Judge was not amused and fined him $5,000/day. At this point he closed the company and found himself threatened with more contempt hearings. The author of this piece, Jeremy Kirk, was also syndicated in ComputerWorld.
- Silent Circle and Lavabit announce the launch of the “DarkMail Alliance” to thwart e-mail spying, reported by Ars Technica here. They plan to start from XMPP and replace SMTP; the code will be open source and based on Silent Circle’s current chat product. In this article, Levison makes clear that the use of Diffie-Hellman at Lavabit, i.e. PKI solutions, was not pervasive.