Lavabit to Briefly Reinstate Services for Data Recovery

Lavabit to Briefly Reinstate Services for Data Recovery.

-- Tom

 

Ladar Levison can stick his email service up his bum after leaving me high and dry with no email service when he cut it off before. He won't be getting a penny out of me ever again!

 

I would never guess that he is asking for $ to do the right thing - even though he does need contributions to continue the good-fight for all of us in his court case.

Hard feelings won't make you feel any better about not giving him any more $, but if you have any archives worth saving, you should certainly try to recover what you value while you still can.

-- Tom

 

Why not be angry at the FBI who put Levinson in an impossible position, forcing him either to let them spy on all of his users or shut the service down? I think it took a lot of courage to do what Levinson did, knowing it would make users angry and giving up his livelihood that he had spent a decade building.

And it's not like he did this for no small reason. If you read the article from D Magazine about him recently posted in this part of the Wilders forum, a prominent constitutional lawyer says Levinson's case will probably go the the Supreme court and be the defining privacy case of our era. The lawyer Bruce Fein says, “It is to the Fourth Amendment what Brown v. Board of Education was to the equal protection clause. It draws the line."

People who care about privacy should be donating money to Levinson's legal defense fund, not getting angry at him because the government is engaging in unprecedented abuses of power that force people to make hard decisions.

 

By the way, the link in this quote from the OP is wrong. It leads to a blank page. You need "https" for it to work correctly. https://liberty.lavabit.com

 

My gripe is that one day it was there, the next it was gone. No access, no warning. If he had given me 24 hours to recover my emails I would have understood, but 4 months down the line is no good to anyone. What would you think if Gmail did the same, or yahoo etc.
I paid for the premium service, expecting a service in return..............not being cut off with no warning. You can compare this to any service you want, but if you pay for something then you expect it to be there. My two cents

 

Do you really think if that had been an option he wouldn't have done it?

He provided a service that promised to users it was not possible for anyone to see their email, including himself. The FBI was asking him to break that system and barring him legally from telling anyone. A 24 hour warning would have probably broken the gag order (landing him in jail) and tipped off the FBI to what he was going to do giving them a chance to stop him.

He took huge risk to himself, gave up his entire business and livelihood, and now will be embroiled in years of legal battles, all so that he could keep his promise to his users that no one could see their email.

Of course what happened sucked for users of Lavabit. But blaming Levinson the way you are is totally misunderstanding the situation and criticizing someone who took huge risks to protect you and the rest of his users. Sometimes there are only hard choices and you don't get what you want.

And Frankly, the reason Google or Yahoo wouldn't do this is because 1) They have already sold you out to the NSA, et al. 2) They don't want to fight the government, because they have too many things they want from Congress (via their lobbying) to get in a big fight with them. So you're prefectly free to trade privacy for that kind of "reliability" if you want it.

And at the end of the day, if you have personal data that's important to you and the only place that it's stored is in the cloud, you don't really have anyone to blame but yourself. This is hardly the first highly publicized example of people losing everything they had, because it was all online (sometimes through technical glitches, sometimes through hacking). Anything that's important should always be backed up in redundant ways. If it's only in a single place, in the cloud, you should be prepared to lose it.

 

I take your point, but it just goes to show that its not worth investing in secure email anymore as there is now always a chance that any service will go the same way as Lavabit.
I used it as I didn't like the way google trawled through my emails sending me adverts relating to their content. I have nothing to hide from the authorities, if they need to have a look then they are welcome.

 

Nothing to hide? When you get all your email back, zip it all up and send it to me. I won't do anything with it...trust me.

PD

 

Haha, nothing to hide from the authorities..........but you are not the authorities
Unfortunately all the details I needed are no longer needed as deadlines have now passed and I had to re gather all my important info. Heyho, lesson learned, if it looks too good to be true it probably is......

 

We all have good reason to hide our personal files, emails, etc from those who don't have a legitimate need to know what is in them. The only case where the authorities may have a legitimate need to know what is in them is when you are violating the law. Ergo, if you are a law abiding citizen you have good reason to hide things from the authorities.

 

Smart investors always assess the risk before making the investment. They leave no stone unturned in knowing all the risks. However, despite setbacks, some investments are like Lazarus. Don't discount Levison's case going to the Supreme Court at this point in time. As a former user, you may yet reap an unexpected reward. Hopefully, the rest of us as well.

-- Tom

 

Its a good job I've never dabbled in shares then

 

You would rather he kept the service up while NSA read all your emails?

I don't know if you are a kid or just not very smart, but you really.... really..... really....... want to throw insults at a man that almost sacrificed his whole life in jail to protect his users just because your butt hurt about not having your emails? Guess what Einstein, that's why we use Thunderbird/outlook so when this happens we don't loose all our emails, I guess nobody gave you the memo.

 

I was not a Lavabit subscriber, but my answer would be yes (though I really, really doubt they would be interested in me at all).
If I woke up to find >a decade of communications were gone, I'd be a bit miffed.
A "heads up" from Ladar would have been nice so that clients could have at least had a chance to download their emails.

 

You don't understand, if he even said a thing it would be done. He would be in jail and every 3 letter agency of the USA would be your emails and his servers. He did what he could, and if you were a subscriber why would you not use Thunderbird / Outlook to download and save your mails to your computer? Lavabit was not just an email service it was a privacy service, that is why you pay the premium, if you did not want a privacy service you should not use one. Its like using a VPN service and being mad when they take a server offline claiming "I PAY TO USE MY INTERNETS".

 

Hi Taliscicero,

How secure is/was your connection between Lavabit using Thunderbird / Outlook to download and save your mails to your computer? Would NSA have been able to intercept them, and were they still encrypted between Lavabit to your computer?

Just asking, not disagreeing with you about the issue of saving your emails.

-- Tom

 

My emails were encrypted on the lavabit servers, I used the strongest SSL protocol to downloads them to my computer over a blowfish encrypted VPN onto my twofish full disc encrypted hard drive using Thunderbird.

 

I do sympathize with how much it must have sucked to suddenly not have access to your email. (I had a Lavabit account too, although it doesn't sound like I was using for crucial things in the way you were.) And I can see that many people may have signed up for Lavabit wanting privacy from Google, et al, and not really understood how dead serious Levinson was about privacy (hence the choice he made, when he had no other way to protect his users' privacy). The information was there, but you would have had to read a lot of complicated, often pretty technical, stuff on the Lavabit site, about how the system worked and what Levinson's intentions were.

So I see how circumstances arose, in which a lot of users suddenly found themselves without access to their email, in a way that they did not anticipate (did any of us really see the whole NSA, FBI, Snowden debacle coming?). And I can see in retrospect how some people might have chosen the downsides of Gmail over what happened (although only because in retrospect they finally understood what Lavabit and Levinson were really about). So I really sympathize with that. I just don't blame Levinson. He did a courageous, principled, thing, not for lazy or selfish reasons, but instead taking huge risk to himself to protect his users and keep a promise he made to them (whether or not all of them fully understood it).

That aside, as Taliscicero points out, you could use a private email service like Lavabit (while it still existed) or Countermail, with a client like Thunderbird on your own system that downloads the emails to your computer and then you would have the privacy and not the risk of losing your email if the system gets shut down. You could also set it up to leave copies of your email on the server, so that you can still use the webmail client also, if you don't have access to your computer at a particular time (although any emails sent or received while on the webmail client would not be on your own computer). You could also periodically just download your whole mailbox somewhere to back it up. So it is possible to have privacy, without the risk of losing all your email if the system gets shut down. In addition, as well run as Gmail is, I wouldn't one hundred percent count on it being impossible to lose your email. As long as you're trusting it to all be stored in only in one place, by one service, the risk of losing everything is real.

*

Taliscicero already answered your question, describing his complex highly secure method. But I think the simpler, and perhaps more generally relevant, answer is that if you're using Thunderbird and it's connecting to an email service via SSL, then it is exactly as secure as it is if you use the service's webmail client over SSL. The connection occurs in the same way using the same technology, what's the difference?

Perhaps people are unclear on the fact that when you log into email via an webmail client in a browser, you are still establishing a remote connection to the email service to effectively download your email to your system. It's just not stored anywhere persistently by the webmail client, other than perhaps temporarily in the browser's cache.

I'd also guess that using Thunderbird over SSL in some ways is probably intrinciscally more secure than accessing email through a webmail client over SSL, because browsers are so insecure, subject to javascript exploits, cross-site scripting attacks from other websites you might still be connected to, etc.

 

What cb474 said.

Basically, it's foolish to use any email provider in webmail or full-on IMAP mode, with no local copy. Stuff happens, and blame doesn't help when your email's gone. Yahoo! lost a bunch of email some years ago, as I recall.

 

Some people are using the wrong service since privacy isn't a priority over availability for them. Then they blame others for their own incompetence of not backing up of such important emails (or buying a service that specialize in archiving). End of story.

 

Note that it isn't just about backing up email. For maximum security/privacy you shouldn't leave messages on your email provider's server to begin with. You should download messages to properly secured local storage and then delete them from the server. Frequently. Same for logs as well, where possible.

Even if someone doesn't care about that for their own messages, that someone surely has received emails from others. Others who might want/expect the recipient to handle things in the most secure and private way.

 

We know Ladar didn't give up the SSL keys, so an SSL/TLS connection to them should have been safe (extra points for Forward Secrecy being used), to download the mail to Thunderbird. Also, if there was a crack anywhere in that chain, the FBI wouldn't have had to ask for the SSL/TLS keys - To the gov, Snowden would have warranted all tools in the tool box to be used. Schneier was right - trust the math.

PD

 

Good point, but I'd add a caveat:

If you have a *good* provider (and I'm thinking Countermail, Austici, or RiseUp! here) - the mail may be safer on the server. A raid on them would be publicly noisy, and they have the $$$ for lawyers. If 'they' can get to you (they know who you are because you're the target) - a raid on *you* could be kept hidden from the world pretty much. I know I don't have money for a lawyer either.

Now, proper local encryption can throw a wrench in there, but it's much easier to get an individual to roll over, than an activist oriented privacy provider.

I do both - some local, some on the server. I removed my Private Key from Countermail's server, so there is no way to decrypt any email anyway. All cleartext incoming, gets encrypted every hour. The only thing they *might* be forced to do, is add themselves as a decrypting party. That is easily detectable, and it would be for clear text emails only - which contain nothing I care about, LOL. The private stuff is encrypted already, between me and my correspondent.

PD

 

Well you don't sound very mature