Lavabit founder: Feds ORDERED email providers to stay open

Plus: Moxie labels shuttered service's crypto no better than 'a promise not to peek'

Top three mobile application threats

Lavabit's founder has claimed other secure webmail providers who threatened to shut themselves down in the wake of the NSA spying revelations had received court orders forcing them to stay up.

Ladar Levison made the claim during a recent Reddit AMA (ask-me-anything) Q&A chat without going into details about the alleged strong-arm tactics.

When I was deciding whether to shut down the decision really boiled down to whether users would prefer to have their emails secretly snooped, or simply lose their service altogether. Since the court prevented me from telling anyone the situation, I had to make that choice for everyone. I had to decide on behalf of everyone without the benefit of their feedback. In the end I chose to shut down.

Why didn't I warn anyone? Because if the feds had known I was planning to shut down they would have gotten a court order requiring me to continue operating the service. If I had shut down the service after receiving such an order I would have almost certainly been charged with obstruction of justice. I've been told that other service providers have threatened a shut down and received such orders.

Asked to go into details, Levison responded: "I didn't ask and my source, who shall remain nameless, didn't tell.”

The exchange occurred in the midst of an ongoing appeal to overturn a contempt-of-court ruling against Lavabit and its owner Levison for resisting a government subpoena and search warrant that would have put the private communications of Lavabit's 410,000 customers at direct risk of government snooping.

Levison brought down the shutters on Lavabit's encrypted email service in August, rather than play ball with court orders that initially demanded metadata about an undisclosed user. Whistleblower Edward Snowden was among the paid-up users of Lavabit and it is widely assumed the court actions were the result of attempts by the National Security Agency (NSA) to get at Snowden through Lavabit.

Edward Snowden reportedly used the Lavabit email address edsnowden@lavabit.com to send invites to human rights lawyers and activists to a press conference during his confinement at Moscow's Sheremetyevo International Airport back in July.

The Feds targeted Snowden’s email provider more than a month before this in a legal action that started the day after the NSA whistleblower went public, Wired reports.

A PGP key reportedly attached to the Lavabit account suggests he'd been using the service since 2010, although security experts reckon he must have used a more secure methodology for anything sensitive.

The government's move against Lavabit was resisted tenaciously by Levison. After much wrangling, Levison eventually handed over Lavabit's cryptographic key in digital form, after earlier trying to satisfy a court order by printing out and handing over a copy of the key in 4-point type, a move that irked the judge handling the case.

After Lavabit resisted complying with government demands, it was held in contempt of court and fined $5,000 a day until it turned a machine-readable version of the key over.

Days after handing over the encryption key, a move that would have made it much easier for the NSA or other federal agencies to run man-in-the-middle attacks against Lavabit, Levison pulled down the shutters on the service, which he had been running for 10 years prior to its closure.

The contempt of court order become the subject of an appeal, which argues that forcing Lavabit to hand over its encryption keys violated the US Constitution's Fourth Amendment that prohibits unreasonable searches and seizures. In the course of the latest legal exchanges, government lawyers disputed arguments by Lavabit's lawyers (PDF) that handing over the encryption key would enable the government to spy on every user of the service, not just those that they had obtained a warrant against.

That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap order and the search warrant. All other data would be filtered electronically, without reaching any human eye.

Government lawyers argue that "just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems".

DoJ attorneys also dismissed Lavabit's argument that disclosing its encryption keys was incompatible with offering a secure email service. Marketing a business as a "secure" service to consumers provides no legal obstacle to court orders, US government lawyers state in the conclusion to their argument (PDF).

Lavabit claims the right to ignore those courts and thwart such investigations simply by offering for sale, to the general public, encrypted email. Because there is no reason to treat a business that offers encrypted email services differently from any other business, this court should affirm the district court’s order for sanctions.

An informed discussion of the latest legal broadsides in this landmark privacy rights case can be found in a post on the Sophos Naked Security blog.

In the wake of the Lavabit shut-down, Silent Circle closed its Silent Mail email service days afterwards. The security firm, which boasts Phil Zimmermann as a co-founder, made the move with an eye on potential trouble ahead and not in response to any "subpoenas, warrants, security letters, or anything else by any government".

Silent Circle has since allied with Lavabit's Levison to create the Dark Mail Alliance, which aims to build an email system that provides end-to-end encryption. Jon Callas, CTO of Silent Circle and cofounder of the Dark Mail Alliance, a long time collaborator with Zimmerman stretching back to their PGP days, outlined the project in an interview with El Reg here.

Was Lavabit a house built of straw?

Cryptographer Moxie Marlinspike put together a damning critique of Lavabit's claims which concluded that its security was little more than a “promise not to peek”. Marlinspike pitched into the Reddit AMA with Levison to take him to task for pre-takedown claims that Lavabit was "so secure even we can't read your email". The exchanges are recorded there and are well worth reviewing for anybody with an interest in the technical challenges ahead for anyone hoping to develop a truly secure "NSA proof" email service.

Marlinspike raised the issue because he remains concerned over how reliable any future claims Levison might make about offering bulletproof email security might be, as he explains in his opening remarks.

Yes it is completely true that there was nothing Lavabit could have done within the configuration of a standard SMTP/POP/IMAP server to be secure in the way that it advertised, without dedicated client support.

It's not Ladar's fault that the e-mail infrastructure doesn't natively support end-to-end security, but I do think that we should hold him accountable for advertising that his system provided a false level of security.

When people knowingly sell snake oil, I think we should hesitate to support their future security endeavours, particularly endeavours with virtually no technical information available in advance. What if it puts users at risk all over again?

An independent take on the daunting challenges that come with putting together a secure email system can be found in guest article by Matthew Green, a cryptographer and research professor at Johns Hopkins University, in the New Yorker here. ®

High performance access to file storage

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
AMD's 'Seattle' 64-bit ARM server chips now sampling, set to launch in late 2014
But they won't appear in SeaMicro Fabric Compute Systems anytime soon
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.