LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
Search this Thread
Old 06-12-2011, 10:38 PM   #1
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Odd claim in Lavabit's pitch for their encrypted email service


In the OP in this LQ thread, gnuweenie asked about an encrypted email service offered by Lavabit LLC, which appears to be based in Texas, USA. gnuweenie cited the rather murky "technical description" offered by Lavabit. Comments on that should go the original thread, I think.

Meanwhile, I noticed this
Quote:
Originally Posted by Lavabit page cited by gnuweenie
In an era where Microsoft and Yahoo’s e-mail services sell access past their spam filters, Google profiles user’s inboxes for targeted advertising, and AT&T allows the government to tap phone calls without a court warrant; we decided to take a stand.
...
In safer times, a strict Privacy Policy would have been enough to protect the rights of honest Internet citizens. But everything changed when the United States Congress passed the Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act in 2001. If you’re currently unaware of the PATRIOT Act, we highly recommend you visit the Electronic Frontier Foundation (EFF) website.

The key element of the PATRIOT Act is that it allows the FBI to issue National Security Letters (NSLs). NSLs are used to force an Internet Service Provider, like Lavabit, to surrender all private information related to a particular user. The problem is that NSLs come without the oversight of a court and can be issued in secret. Issuing an NSL in secret effectively denies the accused an opportunity to defend himself in court. Fortunately, the courts ruled NSLs unconstitutional in 2005; but not before illustrating the need for a technological guarantee of privacy.
I believe that the claim that a US "court ruled NSL's unconstitutional" is misleading. As far as I know, NSL's are still being used in the USA to bully American ISPs; in fact I think I saw about six months ago a study suggesting that they are more common than ever in the US. Can any American clarify the current status/usage of NSLs in the US?

If I understand win32sux's instructions correctly, I should ask this question in this LQ forum rather than in the original thread.
 
Old 06-13-2011, 03:09 AM   #2
Latios
Member
 
Registered: Dec 2010
Distribution: Arch
Posts: 115

Rep: Reputation: 21
I dont see why you cant encrypt the mail locally, and use any service (MSN / Yahoo / Google) to submit the encrypted content
 
Old 06-13-2011, 08:03 AM   #3
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
You can make a completely secure communication system using gpg public/private keys. So, they can do whatever they want, including beat you with a wrench (which they probably will, except they have more sophisticated wrenches), but they won't be able to unencrypt your communication. Except, maybe they have a supercomputer that can crack it ...
 
Old 06-13-2011, 09:28 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Ping Peufelon: I thought you would find this treat to be read worthy. The comment about NSL letters caught my attention as the article claims that the "problem" with them has been addressed while at the same time says that the agents can now 'investigate' without even having to make a record log indicating that they did so. So, show me your papers Comrade, no, wait, they can get them from your trash.
 
Old 06-14-2011, 12:50 AM   #5
rob.rice
Member
 
Registered: Apr 2004
Distribution: slack what ever
Posts: 784

Rep: Reputation: 99
Quote:
Originally Posted by H_TeXMeX_H View Post
You can make a completely secure communication system using gpg public/private keys. So, they can do whatever they want, including beat you with a wrench (which they probably will, except they have more sophisticated wrenches), but they won't be able to unencrypt your communication. Except, maybe they have a supercomputer that can crack it ...
ya beat me to it on gpgp
our government is a bully they never pick a fight they have even the slightest chance of losing just look at the shit the big banks get away with
I doubt they would tie up super computer time to read anybody's email even known terrorist
gpgp was cracked but it took 6months of about 16 hours every day on 10,000 computers to decode a 100 word message
so even if they tried any message would be outdated before it could be read
 
Old 06-14-2011, 11:48 PM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,263

Rep: Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085
Actually, there are several public standards for encrypted email. One of them is S/MIME. Another uses PGP (or GPG).

Most e-mail programs ... KMail, OS/X Mail, Microsoft Outlook, and so on and on and on, are capable of handling digitally-signed and encrypted mail and to do so quite transparently. If you like, all of the mail that you send to a particular person will "simply be encrypted," and every message that you receive from that person will be decrypted on-the-fly. It's every bit as easy to use as an "https:" encrypted web-site.

And when should you use it? My rule of thumb is ... "under the same circumstances where you would want to use an 'https:' encrypted web site." Or, "under the same circumstances where you would choose to put your letter into an envelope instead of writing it on a postcard." If the message is "nobody else's business but yours," then you probably should encrypt it as a matter of routine ... and software makes it routine. "It Just Works."

You very quickly get used to the idea that a message really did come from the person you thought it did, and that it contains exactly what that user sent, and, heh, that Google probably didn't mine it for marketing purposes.

As for "what this-or-that guv'mint is doing," I personally think that it is entirely safe to assume that every message you send, every text, every phone call, every post to a forum like this one, every Facebook, every "Tweet," everything, is being recorded and will be kept forever. Why? "Because it can be done." "Because people want to cover their backsides." "Because it sells tons of disk drives and cameras." Fill in the blanks. And, this is the environment that you have to live and work in. It might not be optimal, or legal, or cheap, or fair. But that is quite beside the point.

Last edited by sundialsvcs; 06-14-2011 at 11:55 PM.
 
Old 06-15-2011, 04:41 AM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Quote:
As for "what this-or-that guv'mint is doing," I personally think that it is entirely safe to assume that every message you send, every text, every phone call, every post to a forum like this one, every Facebook, every "Tweet," everything, is being recorded and will be kept forever. Why? "Because it can be done."
Very wise and probably very true statement. The problem is that this can quickly devolve into an Orwellian nightmare and it is clearly the beginning of the "thought police." Do you ever behave differently because of this? I think anyone with more than two neurons does.

I hear a lot of people talk of fearing the "gov'mint" and maybe I am being naive, but I think for the average citizen the threats are a lot closer to home. Right now there are a near record number of job seekers. How many of them won't get hired because of something that they have said in a forum, posted on Facebook, or even the fact that they spend traceable time in a forum or on Facebook, or whatever?

Have you pulled up a web page on a "popular" site like MSN recently without ad and script blocking or using Internet Explorer? Try it. You will see all sorts of ads that are targeted directly towards you for products and services in your area. Granted some of that is easy to obtain by geo-ip location, but by combining the pieces it is possible to get a lot more precise.

And when should you use GPG? I think more often than when it is required. If all of your mail is on a postcard and you send something in an envelope, it stands out. If all your mail, or better yet, if all mail were in an envelope it wouldn't stand out. However, on the flip side, one could argue that as long as a very small percentage of mail is encrypted the need to focus on breaking the encrypted stuff could be lesser because there is plenty of data that isn't encrypted to get "the job", whatever that may be, done. The problem I have is with things like allowing agents, of any organization, to search, seize, detain, question, or any such action, anybody without the checks and oversight of due process. There is just too much potential for abuse and it is clearly being abused. It used to be reasoned that it was better for one guilty party to get away than for one innocent party to suffer. We seem to have forgotten that. This is also one of the reasons why I run my own email server. The SCOTUS has already ruled that email contained on your ISP's server is public domain, unlike paper mail in the post office, and any police officer is allowed to walk in and demand access to it. With the server being in my home and not my ISP's office, this becomes a little harder to pull off at least on one end. With the email encrypted, it becomes A LOT harder to pull off.

For at least the last 100 years, there has been some form of surveillance and ill action in the name of security, in most nations around the world. The face of the enemy changes with the society, but the premise is still the same. The difference is that technology has made the ability engage in active search on the common citizen a lot less expensive and more automated. This has lead to an expansion of the scope and use of surveillance for other purposes. While most of those purposes may be fairly benign, such as putting an ad on your web browser advertising a restaurant down the road, the safeguards are clearly lacking that prevent this information from being used not only by "the gov'mint", but companies and even individual criminals.

What would be even worse is if and when "the people" decide they want a change that the establishment could or would use such technologies to try and prevent said change. Personally, I think they are starting to. I think they are starting to wake up from the stupor. Why? Because they are becoming uncomfortable. Their perception of their wealth is diminishing, the fears over their own futures, not to mention that of their children is growing, they see the crumbling infrastructure, they see their health declining, they see the nation as a whole heading towards a financial train wreck. This is not a recent development, it has been at least 30 years in the making. While for 95% of the populace, things have gotten worse, for approximately 5% things have gotten better, a hell of a lot better and this 5% isn't going to want to give it up. So what do they do? They put political candidates in front of the public stating things like "they have Christian, or Catholic, or Family Values", or the big trump card, "they want to ban abortion", or "they oppose gay marriage", and in response the idiot but voting masses sing the praise, thump their bibles like chimps banging rocks, send money to the campaigns and run to the polls to vote for the "candidate who shares their values." All the while they do not even look at what that candidate really stands for, but not that it matters because the choice of candidate is currently irrelevant as long as you pick from those that have been presented to you. Then what happens? Here is a prime and very current example from my home state: once elected these candidates slash spending on schools (need more non thinking, voting, idiots right?) and give their staff (supporters) a 30% pay raise while stating the need to take services and benefits away from the public. And what state am I from? I bet you could take your pick from just about any of them.
 
Old 06-15-2011, 08:29 AM   #8
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
@Noway2:

Yes, very interesting. Some quick comments:
  • the secret police in all the "democratic" nations keep arrogating to themselves even more power to snoop on anyone at any time without oversight, with emphasis on not alerting the target of the intrusions
  • not just changes giving more leeway in assessments, but giving them the freedom to apply unlimited repeat assessments to any citizen, without oversight
  • not just more leeway to break into computers, homes, sift trash, but to administer lie detector tests
  • that last doesn't scan: what kind of "lie detector test" can be administered without the "target"'s knowledge? while the FBI is searching his trash and considering trying to "turn" him for exploitation as a snitch? answer: "voice stress analysis", which academic speech analysts denounce as pseudoscience, and which the UK government recently abandoned after extensive trials, saying it works no better than chance... but the American secret police have a worldwide reputation for placing great faith in it and other "lie detector" technology

Quote:
I personally think that it is entirely safe to assume that every message you send, every text, every phone call, every post to a forum like this one, every Facebook, every "Tweet," everything, is being recorded and will be kept forever.
...
For at least the last 100 years, there has been some form of surveillance and ill action in the name of security, in most nations around the world.
Yes, but the scope, scale, and detailed nature of current surveillance is unprecedented.

Look into the datacenters the American Surveillance State has recently built. Hard to find but its public information. They each draw as much power as a mid-sized American city. You can estimate how much memory and processing would be required to store and sift a minute-by-minute record of the activity of everyone in the world, how much would be required to store and sift all the speech uttered anywhere in the world, and compare with the NSA's estimated processing power to assess the extent of their mad ambition to watch absolutely everyone all the time... they still fall short, but clearly this is their intention. Read Mayer, "The Dark Side", and Bamford, "The Shadow Factory".

Julian Assange has drawn attention to two particularly interestings facts:
  • the American Surveillance State depends crucially upon the technical skill and expertise of entire professions, and has largely "captured" the cybersecurity professionals and the mathematicians (whose talents they exploit in order to try to process on the fly the torrents of data they are continuously snarfing), yet the secret police deeply distrust these professions, feeling that they tend to... well, basically, the problem is that smart and creative people think for themselves, and that terrifies the secret police.
  • in the rush to set up "fusion centers" all across a America, one of the most important hiring criteria was apparently whether or not private spycos applying to provide contract analysts to work in these centers could show that their employees had recent overseas military intelligence experience; two selling points were of particular interest as shown in one of the largest document sets ever posted at Wikileaks:
    • "our employees have operational experience directing killer drone strikes"
    • "our employees have earned the waterboarding certificate"--- no joke, there is a certificate interrogators can frame and hang on their wall, certifying that they have been trained in applying enhanced interrogation techniques.
    Many police forces around the world (but especially in American cities) are scrambling to buy microdrones which are modified to carry and drop gas canisters, flashbangs, and other nonlethal weaponry, but the "Judge Dredd" sniper rifle is said to be on their list of desiderata. One has the impression that American Swat teams want their very own killer drones, and the only US government agency standing in their way has been... the FAA! But the FAA is apparently giving in.

To elaborate on the first point: the American Surveillance State leaks like a sieve, which is good because this is the most capable and ambitious model, the one which sets the standard for similar (but less lavishly funded) efforts by other governments. So no matter where you live, study the American model, then try to infer how it is being applied in your location.

The secret police worldwide, but especially the American secret police, face a conundrum: they need more and more people to operate their vast surveillance machinery, to run all those surveillance teams, but the population is finite. So they need to keep hiring more and more unvetted people and giving them security clearances. But they can't trust their own minions, because who knows which one of them might not react like Manning when they are confronted with the utter insanity of it all?

Everyone in America is guilty until proven innocent, until the next "assessment", oh joy. The irony: the very people running this evil espionage empire are the very ones which the Surveillance State trusts the least. With good reason.

Is that an incoming Hellfire missile I hear? Or only the sound of someone trying to "turn" me?

Read Orwell's novel, "1984", or reread it if you haven't read it in decades. I am astonished at just how prescient he really was: Truthspeak, hidden microphones in every room...

Last edited by Peufelon; 06-15-2011 at 09:15 AM.
 
Old 06-15-2011, 08:43 AM   #9
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,263

Rep: Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085Reputation: 1085
You can be sure that "the secret police" are out there, but you can also be sure that "the secret criminals" are out there, too. In both cases, secrecy is a large and very necessary part of how they do what they do.

(Hint... back in the days when you could use a police scanner to eavesdrop on the patrol cars... you quickly discovered that you really didn't want to know. The fiction of the "nice, quiet neighborhood" is comforting, even when it isn't real. You don't want their job. You don't want it.)

(P.S. ... you know who you are ... "Thanks, folks.")

(The kid over there pounding away on his keyboard and slurping another latte looks up and gives you the very faintest nod...)

Realistically, if you encrypt your mail, you're not going to stop the folks at the mysterious government agencies with three-letter acronym names. (If you can, then they're all fired, and I want my billions of dollars back.) If you're committing a crime, you're going to be found and you probably won't know that you have been found ... and you damn well deserve what you get! But the act of encrypting an e-mail really does not "stand out" these days, any more than "using an https web-site" stands out. If the nature of the communique is such that it needs protection, from tampering or from forgery or from casual disclosure or all of the above, then, "well, that is what you do, and this is how you do it."

I personally don't like my mail-carrier to "data mine" my messages. It's none of their business. Their job is to carry the mail, not to read it, and not to sell data about the content of the messages they carry, even in the aggregate. I also like to know that, when a message of any importance is coming to me, I know, without having to look, that the message is probably authentic and probably untouched. Existing e-mail security technologies can accomplish this as effortlessly and as unobtrusively as "https." And the highly-paid "spooks," well, they can do whatever they want, and I hope they have a nice day.

Last edited by sundialsvcs; 06-15-2011 at 08:47 AM.
 
Old 06-15-2011, 09:05 AM   #10
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Quote:
You can be sure that "the secret police" are out there, but you can also be sure that "the secret criminals" are out there, too.

...you really [don't] want to know.
Yes, you do. If you are a sysadmin, you have a responsibility to know who is messing with your network, your communications. Traditional for-profit-cybercriminal? "Rogue" spycos like HBGary Federal? Cyberwarriors foreign or domestic? "Hacktivists"?

(I would argue that the spycos are all "rogue", that the principal reasoning behind the creation of the American style public-private partnership structure of the modern Surveillance State is that the private spycos assume the risk of breaking all the laws in the nations where they operate.)

Some of us have been using Tor for years for all our websurfing, mainly to try to duck under the All-Seeing-Eye-O'Sauron, AKA Google and friends. But the ties between Google and the Surveillance State have long been closer than Google has liked to admit (e.g., the ole revolving door). It is not hard and rather interesting to watch the Surveillance State watching Tor traffic. In your /etc/torrc, try adjusting the parameters to find the spycos in various nations. Compare your results with sites like InspecTor.

The script "listips" could be useful in processing lists of known Tor nodes:
Code:
#!/bin/bash
# Find and list any numerical IP occurring as words in a text file
# syntax        listips filename
cat $1 | grep '\<[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\>' | tr -c '.[:digit:]' '\n' | grep '^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$'
# 1. extract lines containing words which look like numerical IPs
# 2. change any string not of form "char, digit" to a newline
# 3. show only the lines containing words which look like numerical IPs
# Can pipe output like this
#       listips filename | sort -n | uniq
You can write the output to a file and feed it back to drill down to identify entities doing monitoring. Often not on just one subnet, and of course they change IPs over time, even move entire domains.

Things to look for include:
  • nodes which never deliver packets, apparently because they forward them to a spy server
  • nodes which inject content such as RESET packets (censorship by another name) or worse
  • nodes which degrade or remove encryption
  • nodes with strange configurations (which is public information in the Tor network)
What percentage of nodes appear to be hostile? It matters very much where you live. The American Surveillance State is the wealthiest, so no surprise that nodes hosted by American based ISPs are more likely to be bad nodes. But there seems to be quite a bit of variation even among American ISPs; some (comcast.net) seem to have about 10% bad nodes, others much less. Some domains are entirely bad (krypt.com). There is quite a bit of nudge, nudge, wink, wink, as you will see if you explore. The really interesting ones are the ones which start messing with you if you cut out the obvious ones.

@Noway2: did you notice that the odious Team Themis and the respected Team Cymru seem to share some common personnel? See Mayer, "The Dark Side", for more about the utterly appalling legal advice upon which the American Surveillance State has been built. This made me change my attitude towards Team Cymru, which for years I regarded as "friendly".

This comes back to the point raised above, the old "if you aren't doing anything wrong, you have nothing to fear" argument. That is so wrong, for so many reasons. Life would be much easier if it were true, but it just ain't, and everyone needs to recognize this. Because I am more and more convinced that there is no-one looking out for your interests but you yourself. So get smart and educate yourself about your enemies.

sundial, one point you may not have considered is that as the American Surveillance State continues to expand (some estimates already but the number of its employees in the US at some two million!), chances increase that someone with complete access to your calling circle, your phone calls, your emails, your banking records, your travel records, your family history, your medical records, will have acquired a personal grudge against you. Since there is no effective oversight of their activity behind the curtain of secrecy, they are free to use all that against you.

To mention just one recent news item:
[code]
http://www.expressandstar.com/news/2011/05/30/police-officers-disciplined-over-private-snooping/
[code]
Express and Star, "Police officers disciplined over private snooping", 30 May 2011
Quote:
More than 50 police officers in the West Midlands have been disciplined for using police computer systems to check up on people for personal reasons.

Some officers have been sacked, fined, or handed written warnings, and others have been reduced in rank after being caught obtaining information for private use between 2005 and 2010, or for passing information on to unauthorised people.
Then there is the question "what is a crime"?

Is whistleblowing a crime or a public service? Everyone has a different answer for that one, but whatever you think you think, you should read this by Jane Mayer (author of a book I cited above): "The Secret Sharer", Jane Mayer, The New Yorker, 23 May 2011

So what is a "crime"? Is reading the news a crime? In some places it is, and maybe soon where you live also.

Some argue that this is unknowable: the law is too far behind the technology to have any relevance, and in any case, governments have abandoned any pretense of trying to obey their own laws: "Post-legal America and the national security complex", Tom Engelhardt, Mother Jones, 31 May 2011

Quote:
Realistically, if you encrypt your mail, you're not going to stop the folks at the mysterious government agencies with three-letter acronym names. (If you can, then they're all fired, and I want my billions of dollars back.)
I'd like to see you try to fire them, but FYI, they claim that cryptanalyzing everyone's encrypted emails requires so much work that they "need" permission to perform an end run around cryptography, for example by a warrantless secret remote intrusion into your computer, hoping you left your keyring "in plain sight" in an uncrypted area of your hard drive.

GPG consists of several parts:
  • DSA authentication scheme
  • El Gamal cipher (used to encrypt the session key)
  • CAST-5, AES-256, or some other choice of block cipher
It is noteworthy that the first of these is an NSA product.

Last edited by Peufelon; 06-15-2011 at 10:14 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Accessing IMAP folders using mutt with Lavabit. 108134865 Linux - Software 3 12-12-2011 09:37 AM
Email server - solution - encrypted email filesystem dlugasx Linux - Server 1 02-12-2010 11:02 PM
public key encrypted email via command line? hank43 Linux - Software 4 04-21-2007 08:03 PM
Odd email every day namit Linux - Software 4 12-20-2005 04:12 AM
first time for Encrypted email mohapi Linux - General 4 09-19-2004 11:25 AM


All times are GMT -5. The time now is 02:48 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration