Great news of the gag order being lifted, and to hear from Levison himself.
Although in regard to the post title (which has since been changed) indicating Snowden was the Lavabit investigation target, here's original discussion from March: https://news.ycombinator.com/item?id=11308160
When the court forced him to turn over the SSL private key for lavabit's servers, Ladar submitted the private key in miniscule font on like 30 printed pages. The gov was not pleased. Mad respect for Mr. Levison. Glad to hear the gag was lifted.
I think the attack vector (getting ssl/tls keys) the government was going after was a surprise. I had thought they would have requested access to the servers.
Either they had captured packets from Lavabit that they wanted to decrypt, or they wanted to be able to decrypt all traffic to/from Lavabit.
With how much traffic the NSA was collecting and archiving during that time, it is very likely that they had captured traffic that they thought might contain messages to/from Snowden.
> The original case concerned law enforcement’s authority to compel the disclosure of an SSL/TLS private key, which belonged to Lavabit, and was used to protect the communications of all 410,000 customers, when only one of those customers was the subject of a criminal investigation.
No, not completely true. From what I recall about the case, law enforcement asked Lavabit to eavesdrop on his communications. I recall law enforcement claiming that Lavabit had done this before, previously, when asked. Lavabit balked this time for some particular reason, and ineffectively attempted to fight the request in immature ways. When asked for digital data, printed out a bunch of hex or base64 on many reams of paper. Courts frown on this kind of shenanigans. In this and other ways, Levison engaged with the court in naive, immature, and ineffectual ways, including by appearing in court without representation. By failing to make a number of arguments in his defense at trial, he was consequently unable to revisit most issues on appeal. (You usually cannot raise new issues on appeal.)
It was only after Lavabit refused to eavesdrop, after receiving a lawful order to do so, that law enforcement demanded the TLS keys in order to do it themselves. Lavabit's ineffectual handling of the issue alone was what put the privacy of the rest of their users at risk.
Lavabit was not a secure service. The site could easily eavesdrop on your communications at will and decrypt your data. The site simply made a promise not to store a key based on the user password (if I'm recalling correctly), but had the technical ability to do so upon each login. Quote from their site: "Lavabit has developed a system so secure that it prevents everyone, even us, from reading the email of the people that use it."
The site was not actually secure in the ways that it claimed, specifically the claims that it was secure against site operators reading your data, and as a consequence obviously against law enforcement. Lavabit was poorly designed and dangerously close to snake oil, and I don't think they should be hailed as having done something venerable by privacy or security advocates. They were essentially a regular webmail service with a gimmick that allowed them to claim they were doing something different, without actually doing something that provided a meaningful security guarantee. This critique by Moxie Marlinspike includes a detailed substantiation of my statements above: https://moxie.org/blog/lavabit-critique/
> The cryptography was nothing more than a lot of overhead and some shorthand for a promise not to peek. Even though they advertised that they “can’t” read your email, what they meant was that they would choose not to.
(Moxie is behind Open Whisper Systems, the end-to-end encryption system that was recently integrated into WhatsApp)
There is no way for a webmail provider to ever handle your email in the clear (such as while sending or receiving it) while claiming not to be able to read it. The only way for this to be true is with end-to-end encryption with keys that reside exclusively on client machines.
DarkMail, however, which Levison started contributing to after the shutdown of Lavabit, does appear to attempt to provide true end-to-end security for email participants. https://darkmail.info/
> It took a week for me to identify an attorney who could adequately represent me given the complex issues involved – and we were in contact for less than a day when agents served me with a summons ordering me to appear in a Virginia courtroom (over 1,000 miles from home). Two days later, after admitting their demand to my lawyer, I was served a subpoena for the encryption keys – also marking the first time they put their demand in writing.
With such short notice, my first attorney was unable to appear alongside me in court. Because the whole case was under seal, I couldn't admit to anyone who wasn't a lawyer that I needed help, let alone why. In the days before my appearance I would spend hours repeating the facts of the case to a dozen attorneys, as I sought someone else that was qualified to represent me. I also discovered that as a third party in a federal criminal indictment, I had no right to counsel. Thus my pleas for more time were denied. After all, only my property was in jeopardy – not my liberty. My right to a “fair hearing” was treated as a nuisance, easily trampled by a team of determined prosecutors. In the end, I was forced to choose between appearing alone, or face a bench warrant for my arrest.
A person who is running a business focused on this kind of privacy should have counsel for their company set up and ready to go. The fact that they didn't was another sign that the company was unprepared for the business that they were handling.
I'd expect someone running this sort of business to have an attorney on retainer who has advised the company of its rights and responsibilities, and who is ready to provide at least emergency counsel if not trial counsel.
I don't think Lavabit was that big of a bussiness. They had to shutdown just because of a $10,000 contempt fee.
And even if they didn't have enough foresight to have regular attorney, it seems very bullish for the government to try to overwhelm the guy with seven different court orders in about 30 days. Just because I do not have the foresight to have an attorney before something like this stars, it doesn't mean I don't have the right to run my bussiness and neither does it make any more acceptable for the government to close it down just because they didn't get their way.
The original discussion was if the owner of Lavabit is to be blamed for being at court without representation, any it was established that he probably didn't have enough resources/foresight to keep an attorney on call (and should not be "blamed" IMO). How things are/should be is off-topic in that matter.
Agreed. Makes one suddenly long for a Ceta-styloe Company-Court, such a company-court might recognize your companys now or future value for acquisitions, and thus allow you to continue to exist instead of being traitor-trampled.
> without actually doing something that provided a meaningful security guarantee.
Indeed there was considerable discussion at the time that determined that Lavabit only used one SSL keypair, even for internal communication between servers, and therefore by disclosing it enabled eavesdropping on all users.
Unfortunately Mr Levison's awkward situation, unpleasant as it was, was the result of poor architectural choices and too much hype. Perhaps it was best for the security of all users of the service that it closed down.
"...Lavabit only used one SSL keypair ... poor architectural choices..."
Thanks for mentioning this. I was just now wondering if its practical, useful to use multiple keypairs.
What do you recommend? I don't know enough about CAs and SSL to how to partition risk. For instance, if Lavabit used their "parent" pairs to self issue "child" pairs, wouldn't the govt just ask for the parent keypairs?
Being a casual user, implementer, reader of crypto stuff. It seems to me the technically correct answer is for everyone everywhere to uses unique keypairs per relationship. If true, then I'm not understanding what practical mitigation an email service provider can do.
Levison's follow-up project DarkMail also works in a similar way while focusing on email: https://darkmail.info/
Although I don't have a great opinion of Lavabit, I have skimmed the technical documentation for DarkMail and it does appear to solve the problem properly and to make up for the deficiencies in Lavabit. It's not backwards-compatible with existing email, while being secure, though, so it wouldn't automatically upgrade the security of webmail. It's very difficult to secure web-based email any better than the major name-brand providers already do. DarkMail will work, but it requires a new protocol layered on top of email that handles key exchange and opportunistic end-to-end encryption.
Was their algorithm to turn your password into a private key? They _could_ store that key, but if they didn't, then they would not be able to comply with law-enforcement requests as long as you didn't log in.
Seems like a reasonable compromise in a world where nobody knows what PGP is anymore.
The problem with linking to Facebook posts is that non-Facebook users are now greeted with a "sign in or sign up" pop-over that cannot be removed and obstructs the page. This is a relatively recent change. Facebook do not want to be part of the open web, so don't link to them as if they are.
This is a public wall post by the creator of Lavabit himself. Would you rather a random third party news site pick it up first before it is reposted here?
I see no problem with Facebook posts if they were created by an authoritative representative of the discussion and that was the primary point of publication (i.e. not a Facebook post pointing to their blog, in which case their blog would be a better place to link to.)
Yep and there is nothing wrong with a public wall post up until 2016 when Facebook decided to restrict read-access to those public pages by way of the annoying nag prompt. Clicking "not now" doesn't hide the nag prompt enough to call the page 'publicly accessible'. Sorry to be off-topic on this, but I feel Facebook is quite arrogant with this behavior, as their users should be in control of the public status of their posts, not Facebook.
I don't see it as shitty. It is simply not complying with the modus operandi of the owner of the original source (facebook).
I'd rather see http://archive.is/ffjTe or even an image than to be reminded that facebook wants to be the gatekeeper of content.
I do block these pop ups when I can (ublock). But that means you want the average user (not using blacklists, not using whitelists, not even using adblockers) to be reminded that he should login so as not to feel like a criminal.
Oh wait. The average user has a facebook account and is always logged in.
I am not the average user, I am a specific person.
> It is simply not complying with the modus operandi of the owner of the original source (facebook).
The authors intent is irrelevant. They are a monetized product sold to advertisers. Facebook will never act against its own interest of maximizing the size and salability of its graph network.
> Facebook will never act against its own interest of maximizing the size and salability of its graph network.
Agreed.
What I meant to say is, if we don't like the agressive behaviour of "facebook acting in its own interest to maximize the size and salability of its graph network", we shouldn't link to facebook URLs.
Blocking content deliberately is an accessibility issue, solved only by signing up to Facebook. Not cool when all I wanted to do was read some words, not "use Facebook".
Yeah probably, but then again "entirely readable" is generous considering on my laptop screen 30+% of the page is covered needlessly by a panel with no dismiss button. "Public post" redefined to mean 30% less screen layout than only a few months ago.
You could look at it that way... 2016 rolls in and quietly, Facebook reduces your web publish layout area by 30% without word. If member I'd be asking what's up with that. Answer might be that you are not CEO of your own contributions on fb.
Yes I know there are ways to technically work around their walled garden annoyances, but the principle is more important. The fundamental function of a web link from one page to another should not involve nagging to register or sign in for a service which boasts "free and always will be". I don't think most FB users and business pages are aware that their "public" posts and pages are now obscured by sign-up nag sliders.
> I don't think most FB users and business pages are aware that their "public" posts and pages are now obscured by sign-up nag sliders.
Unfortunately, I guess most FB users would be more surprised that some people don’t have a Facebook account, not that they are greeted with a signup window.
Copy-paste for people who do not wish to visit facebook:
Press Release
Gag Order on Lavabit’s Levison Lifted After Three-Year Battle
For Immediate Release: June 24, 2016
Alexandria, VA--Lavabit founder Ladar Levison can finally confirm that Edward Snowden was the target of the 2013 investigation, which led to the shutdown of the Lavabit email service. The original case concerned law enforcement’s authority to compel the disclosure of an SSL/TLS private key, which belonged to Lavabit, and was used to protect the communications of all 410,000 customers, when only one of those customers was the subject of a criminal investigation. After three years, and five separate attempts, the federal judge overseeing the case has granted Mr. Levison permission to speak freely about investigation. The recently delivered court decision unseals the vast majority of the court filings, and releases Mr. Levison from the gag order, which has limited his ability to discuss the proceedings until now.
Mr. Levison has consistently relied on the First Amendment in his court filings, which sought to remove the gag orders entered against him. He argued that such orders are an unconstitutional restraint against speech, and an afront to the democratic process. He plans to use his newfound freedom to discuss the case during a planned presentation on Compelled Decryption at DEF CON 24 in Las Vegas, NV.
“One of the rights guaranteed to Americans, and a cornerstone for a
functional democracy, is the freedom to speak the truth,” stated Mr. Levison in announcing the court decision. “The First Amendment protects opinions, including those unfavorable to government, from injunctions against speech. The gag orders in this case were a violation of that inalienable right. No American should have to live for three years, gagged, with every word carefully weighed, when such opinions are concerned with such a public and controversial issue as state surveillance. I believe the public only grants permission to be governed when it knows the means and methods its government uses to protect the body politic. While I'm pleased that I can finally speak freely about the target of the investigation, I also know the fight to protect our collective freedom is far from over. That is why I will continue to do everything within my power to protect our right to speak freely and privately.We must decide when speech is necessary. Our rights must never be subject to the whims of those officials we seek to criticize.”
In order to continue the fight, Mr. Levison is forming the Lavabit Legal Defense Foundation (or “LavaLegal”), a non-profit organization founded to, among other things, protect service providers from becoming complicit in unconstitutional activities, and fight secret attempts aimed circumventing digital privacy or impinging upon the right of those involved to speak of the experience. The foundation will be funded by donations from people and organizations all over the world that want to help protect digital privacy and bolster our collective defense against government overreach. Donations can be accepted at the foundation’s rally.org page or through bitcoin donations at 1Bqqy3SxZ27ZUogEeiKHYqPsmFwuRTErMu.
For more information contact Lavabit founder Ladar Levison
or Lavabit’s counsel, Jesse Binnall.
For those who dont want to read blog posts on Facebook, here is a well written piece on this: https://techcrunch.com/2016/06/24/ladar-levison-finally-conf...