
CryptoSeal (YC S11) Shutting Down Private VPN - Udo
https://privacy.cryptoseal.com/
======
mike-cardwell
If you're gonna publish something with a PGP signature, at least make sure
it's valid:

    mike@glue:~$ wget -q -O - https://privacy.cryptoseal.com/ | gpg --verify
    gpg: Signature made Mon 07 Oct 2013 12:38:07 BST using DSA key ID D2E0301F
    gpg: BAD signature from "Ryan Lackey <rdl@icloud.com>"
    mike@glue:~$

~~~
rdl
Sigh, I think it got screwed up when someone put it on the website. And I'm
currently in Asia for a conference and don't have my keys (intentionally...).

It still meets the xkcd definition of a secure PGP message, at least.

~~~
natch
I guess you didn't know about the fold command, either...

fold -s my-aspergers-unformatted-text-file.txt > readable.txt

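The BAD signature that `gpg --verify` reports above and the `fold -s` suggestion are two sides of the same thing: OpenPGP cleartext-signature canonicalization (RFC 4880) forgives trailing whitespace and line-ending changes, but not line breaks inserted after signing, which is what a CMS re-flowing long lines does. The Python below is an added example, not code from the thread or from CryptoSeal; it stands in for the real signature with a SHA-256 digest of the canonical text, and the announcement text and the `fold` helper are constructed approximations.

```python
import hashlib
import textwrap

# Constructed sample announcement (not the real page text): the second line is
# longer than 72 columns and carries trailing spaces, so it exercises both cases.
ORIGINAL = (
    "CryptoSeal Privacy Consumer VPN service terminated with immediate effect\n"
    "All cryptographic keys used in the operation of the service have been zerofilled.   \n"
    "No logs were produced (by design) during operation of the service.\n"
)


def canonicalize(text: str) -> bytes:
    """Approximate RFC 4880 section 7.1 canonicalization for cleartext signatures:
    trailing spaces/tabs are stripped from every line, line endings become CRLF,
    and the final line ending is not part of the signed text."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")


def text_digest(text: str) -> str:
    """SHA-256 over the canonical text: stand-in for what the signature commits to
    (the signing operation itself is left out, so gpg is not required)."""
    return hashlib.sha256(canonicalize(text)).hexdigest()


def verify(text: str, signed_digest: str) -> str:
    """Mimic the verdict of gpg --verify for a text against the digest that was signed."""
    return "Good signature" if text_digest(text) == signed_digest else "BAD signature"


def fold(text: str, width: int = 72) -> str:
    """Approximate `fold -s`: re-wrap each line at a space before `width` columns."""
    return "\n".join(
        textwrap.fill(line, width=width, break_long_words=False, break_on_hyphens=False)
        for line in text.split("\n")
    )


if __name__ == "__main__":
    signed = text_digest(ORIGINAL)  # what the author signed
    print("original:        ", verify(ORIGINAL, signed))
    # Trailing whitespace and CRLF endings are canonicalized away: still good.
    print("trailing spaces: ", verify(ORIGINAL.replace("\n", "  \r\n"), signed))
    # A CMS or `fold -s` that inserts line breaks changes the signed bytes: bad.
    print("re-wrapped at 72:", verify(fold(ORIGINAL), signed))
```

The lesson for publishing: run `fold` (or any re-flow) before signing, or publish the signed text in a `pre` block that the site will not touch.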
~~~
mike-cardwell
Useful to know. Thanks.

------
gonzo
We're currently sitting on a version of pfSense 2.1 that can run on EC2. (Ob
disclosure, I own over half of ESF, the company behind pfSense.)

Amazon said they didn't want anything powered by FreeBSD in AWS. There are
currently negotiations about running on a larger instance that supports the
HVM, and avoids the 'Windows tax', but there are significant usage fees for
that tier (today that's the cluster compute and M3 instances) as well.

We _could_ release a variant of the AMI as a "public" AMI. It wouldn't be in
AWS then, but it would be available. If your account is new enough, it would
allow a completely free VPN service on Amazon's "free tier".

It would also allow people to set up their own VPN service (OpenVPN and IPSEC
are both fully supported.) Hosting on top of EC2 isn't perfect (there are
possible key recovery attacks from others hosted on the same infrastructure),
but, correctly configured, Law Enforcement would need more than a pen register
order to obtain anything beyond the enclosing IP packet data. Since, in
theory, you would be your own provider, the FBI (or an equivalent in other EC2
zones) would have a higher burden to install even a pen register.

My question is: should we bother? Anyone with sufficient clue could set up a
Linux instance to do the same thing.

~~~
bifrost
> My question is: should we bother? Anyone with sufficient clue could setup a
> linux instance to do the same thing.

You indeed could set up some basic stuff this way, but I wouldn't recommend it
as a long term strategy. The way that our privacy product was built protected
users from a variety of issues. I also wouldn't recommend using AWS for this
till you can install your own trusted hypervisor and encrypt memory/disk/etc.

~~~
sweis
You can run on bare-metal providers like SoftLayer, which allows you to run
your own trusted hypervisor or OS. This, as you said, isn't currently possible
on AWS.

Incidentally, PrivateCore has a trusted, remotely-attested hypervisor that
encrypts memory and runs on providers like SoftLayer:
[http://www.privatecore.com](http://www.privatecore.com)

~~~
bifrost
PrivateCore has some very cool stuff, I think they're one of the only
solutions available right now.

------
amirmc
To the founders of CryptoSeal. When you first set up, did you consider _not_
being a US headquartered company? If so, what were the overriding factors that
made you stay US-based?

I ask because in a recent blog post from Silent Circle (a secure comms
company), they explicitly state "we are not a U.S. firm" [1]. I'm beginning to
think any company that wants to offer security products like this has to place
their Global HQ outside the US's legal jurisdiction. I doubt it solves all the
problems but it probably helps to some extent.

[1] [http://silentcircle.wordpress.com/2013/10/16/one-heck-of-a-year-silent-circles-first-anniversary/](http://silentcircle.wordpress.com/2013/10/16/one-heck-of-a-year-silent-circles-first-anniversary/)

~~~
rdl
There are multiple concepts of jurisdiction.

It does very little good to just "incorporate offshore" and still have US
operations, US principals, etc.

If you're a US citizen doing something questionable in the US, you have
basically three choices: try to do it in a compliant way, renounce your
citizenship, or leave the US and/or operate underground and hope you never get
caught.

While I have problems with the US Government's actions in the
terrorism/cyberspace regulation/IP spheres (particularly in that the
legislative branch has totally abdicated its role in oversight, as well as
being generally incapable and obstructionist in general), I'm a loyal US
citizen, respect the laws of the US and its political process, etc. So, all
I'm willing to do is try to do things in a superior technical way, or to try
to get the laws changed in the US.

The Silent Circle guys are basically _all_ US citizens, and as far as I'm
aware, equally wedded to the idea of US legal compliance.

~~~
hannibal5
As far as I know, US citizens can't be ordered to violate laws when they
operate in foreign countries. If they receive a compliance letter requesting
them to use a foreign company with servers located in that country to break
those laws, they can point out that it's outside US jurisdiction.

~~~
rdl
There would probably be an argument about "instrumentality", and the US person
sitting in the US would be in an exceptionally uncomfortable position.

------
Beltiras
Come to Iceland. Law is on your side here and the infrastructure is coming
along.

~~~
rdl
Iceland, Switzerland, New Zealand, Hong Kong, and a few other places do look
really interesting (and Switzerland and Hong Kong have pretty good
infrastructure). Investigating a few more as well.

One consideration, though, is that we're all US citizens, and so even if we
set up a Hong Kong company with Hong Kong servers, we'd be at risk to US court
orders or any civil/criminal action. So for US citizens, the only real
solution is technical controls, or legal/legislative reforms in the US.

~~~
bandushrew
I'm from NZ. NZ is not a good place to trust your private data.

The NZ government has no hesitation in breaking whatever laws it needs to in
order to satisfy US requests.

~~~
hrrsn
See also: Kim Dotcom raids, GCSB amendment bill.

------
Udo
I was just trying to sign in to my account, when I was greeted with this:

" _CryptoSeal Privacy Consumer VPN service terminated with immediate effect_

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN
service, is terminated. All cryptographic keys used in the operation of the
service have been zerofilled, and while no logs were produced (by design)
during operation of the service, all records created incidental to the
operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain
understanding of current US law, and that understanding may not currently be
valid. As we are a US company and comply fully with US law, but wish to
protect the privacy of our users, it is impossible for us to continue offering
the CryptoSeal Privacy consumer VPN product.

Specifically, the Lavabit case, with filings released by Kevin Poulsen of
Wired.com ([https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html](https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html))
reveals a Government theory that if a pen register order
is made on a provider, and the provider's systems do not readily facilitate
full monitoring of pen register information and delivery to the Government in
realtime, the Government can compel production of cryptographic keys via a
warrant to support a government-provided pen trap device. Our system does not
support recording any of the information commonly requested in a pen register
order, and it would be technically infeasible for us to add this in a prompt
manner. The consequence, being forced to turn over cryptographic keys to our
entire system on the strength of a pen register order, is unreasonable in our
opinion, and likely unconstitutional, but until this matter is settled, we are
unable to proceed with our service.

We encourage anyone interested in this issue to support Ladar Levison and
Lavabit in their ongoing legal battle. Donations can be made at
[https://rally.org/lavabit](https://rally.org/lavabit) We believe Lavabit is
an excellent test case for this issue.

We are actively investigating alternative technical ways to provide a consumer
privacy VPN service in the future, in compliance with the law (even the
Government's current interpretation of pen register orders and compelled key
disclosure) without compromising user privacy, but do not have an estimated
release date at this time.

To our affected users: we are sincerely sorry for any inconvenience. For any
users with positive account balances at the time of this action, we will
provide 1 year subscriptions to a non-US VPN service of mutual selection, as
well as a refund of your service balance, and free service for 1 year if/when
we relaunch a consumer privacy VPN service. Thank you for your support, and we
hope this will ease the inconvenience of our service terminating.

For anyone operating a VPN, mail, or other communications provider in the US,
we believe it would be prudent to evaluate whether a pen register order could
be used to compel you to divulge SSL keys protecting message contents, and if
so, to take appropriate action."

------
beaker52
With every shut down in a similar vein, I weep and fear for the future.

~~~
Udo
It may sound strange for me as a European to be saying this, but I worry that
the second stage of this will be a massive exodus of talent and startups out
of the US.

~~~
SeanDav
This would probably be a good thing. Right now the internet is way too US
driven and focused. A more balanced, global distribution of talent would be
far more beneficial.

~~~
chmars
I agree. And it might ease some of the pricing issue too. There are many plans
for cloud services outside the US but there's usually a lack of know-how and
competitive functionality/pricing.

A current example:

Clio, a cloud provider for lawyers, recently started to offer a server
location in Ireland in order to comply with European privacy laws [1]. The
price, however, is about 60% higher than in the US …

Price comparison:

US = 49 USD/month = about 36 EUR [2]
EU = 49 GBP/month = about 58 EUR [3]

[1] = [http://www.goclio.com/blog/2013/10/clio-online-practice-management-platform-launches-in-europe/](http://www.goclio.com/blog/2013/10/clio-online-practice-management-platform-launches-in-europe/)
[2] = [http://www.goclio.com/signup/](http://www.goclio.com/signup/)
[3] = [http://www.goclio.co.uk/signup/](http://www.goclio.co.uk/signup/)

~~~
toomuchtodo
The cost issue is probably because they're using Linode instead of AWS.

~~~
chmars
What could be the reason for using Linode instead of AWS's European data
center?

~~~
toomuchtodo
Just personal preference I'm guessing. They probably went live US side with
Linode, and their DevOps is probably already built around Linode's
API/environment, so it was easier to just spin up new gear in Linode EU vs AWS
EU.

------
peterwwillis
A VPN is just an access control mechanism for network services; it is for
network service privacy. If you're worried about the privacy of your data, you
should be using technology to protect your data at rest, such as PGP.

------
dingaling
Perhaps I'm being daft, but I'm struggling to see the connection between SSL
certs ( per the Lavabit scenario ) and a VPN service.

Didn't they have an IPSec cert for each individual subscriber?

If not... I wouldn't have wanted to go anywhere near them if they were using
one keypair for _all_ traffic.

Public-facing websites are usually dependent on a single server cert because
they can't easily provide a separate client cert for everyone who visits. A
private, subscription-based service should not be using that model and thus
should not have encountered the 'Lavabit Paradox'.

Neither should Lavabit, but I digress.

~~~
rdl
The problem is a pen trap order, which is a very low legal bar, far lower than
probable cause, can be applied to any single customer. Since we couldn't
implement that effectively, we would be forced to give all of that customer's
raw traffic to the government. It's entirely likely they would also compel an
entire node or even the entire system if they felt that was more effective for
their purposes in any way.

If the bar set to do this were at search warrant level (probable cause of
criminal activity), that would still kind of suck, but the bar for pen traps
being so low by comparison totally invalidates our security model.

All US providers (including "foreign" providers with US principals or US
operations) are vulnerable to this specific problem right now.

There are technical ways to deal with this, but it would take months to
implement, and no one has done it before. I've got a bunch of talks scheduled
for conferences over the next year on how to implement exactly this (and am
working on the tech for it), but it's not going to be instantaneous. We didn't
want to be in the position of screwing over even one customer in the interim.

Until that stuff is in place, my recommendation is to use a non-US VPN
provider. There, you're still at risk to local search warrants, but those are
a relatively high legal standard in some jurisdictions. The problem in the US
is that the Lavabit case implies a much lower legal standard to effectively
compel all traffic.

It'll probably be a year or two before this plays itself out in the courts.
Hopefully 6-9 months for a much stronger technical solution. I'm actually
working with some pretty kickass legal people on v2.

(as always, I Am Not A Lawyer; I Am Not Your Lawyer; This is not legal advice;
Consult an attorney licensed in your jurisdiction for specific legal advice in
your particular case.)

~~~
erichocean
_I'm actually working with some pretty kickass legal people on v2._

Can you say who they are? I'm looking for legal advice in this area as well
(and I'm not a competitor to CryptoSeal in any way). Our service is currently
in Australia (only), but I'm an owner, based in the US, and by design we also
aren't able to support a pen trap order without the same problems you've
encountered.

It sucks when crypto best-practices are, effectively, either illegal or
useless.

~~~
rdl
Law students and their professors; I don't think my "bro deal" with them is
transferable, sadly. (we're trying to get law review and/or conference papers
out of it, too)

The whole thing is quite unsettled right now, and unique to every case. I'd
probably contact EFF. If I were looking for someone to pay, Marcia Hofmann is
now a commercial option, and she's probably the best in the world.

~~~
agwa
Please consider also looking for a criminal defense attorney with significant
experience defending people in federal court. When it hits the fan and you get
a court order and are being threatened by federal prosecutors, lawprofs don't
do you much good. You need someone who has experience fighting back.

Here's a criminal defense attorney who makes the case for this better than I
could:
[http://blog.simplejustice.us/2013/10/03/lavabits-levisons-really-bad-call/](http://blog.simplejustice.us/2013/10/03/lavabits-levisons-really-bad-call/)
[http://blog.simplejustice.us/2013/08/31/why-hackers-dont-win-too-often/](http://blog.simplejustice.us/2013/08/31/why-hackers-dont-win-too-often/)

~~~
jessaustin
Ouch. The first post seems especially unfair.

_...they are screwing up the world for the rest of us, for everyone... Choices
being made by the tech-savvy and law ignorant are creating the precedents,
while destroying themselves, that form the foundation for computer law going
forward. We may be saddled with bad law for decades..._

The point seems to be: when a random computer person provides a service, and
that service is targeted by federal prosecutors, and idiotic judges use the
opportunity to cripple civil society, it's the random computer person's fault.
Are lawyers and judges simply vengeful automatons, whom any citizen should
expect to destroy civilization if given any opportunity? Maybe others in the
jurisprudential profession could help defend society from their colleagues?

~~~
agwa
You've missed the point big time. They screw things up when they pick
inexperienced lawyers whose inexperience costs them their cases. If they pick
experienced lawyers who lose despite their experience, then no one is blaming
them.

The context is important here: Levison was initially defended by a small
business lawyer who was only 4 years out of law school. That was truly a
boneheaded decision and may very well be why Lavabit crumbled so quickly.

~~~
jessaustin
Well sure I see that point: one should hire good attorneys. If one cannot
afford good attorneys, one is boned. That doesn't seem profound. (Not
particularly _just_ either, but whatever.)

My previous comment was thinking more generally. Society has in the past
successfully weathered innovations in technology and commerce without the
legal profession running amok. Often innovators were not "connected" enough to
hire the best legal representation, if they did so at all. What's different
this time?

~~~
agwa
> Well sure I see that point: one should hire good attorneys. If one cannot
> afford good attorneys, one is boned. That doesn't seem profound. (Not
> particularly just either, but whatever.)

The author addressed this ad nauseam in the comments. In particular, see:

[http://blog.simplejustice.us/2013/10/03/lavabits-levisons-really-bad-call/#comment-84105](http://blog.simplejustice.us/2013/10/03/lavabits-levisons-really-bad-call/#comment-84105)

> My previous comment was thinking more generally. Society has in the past
> successfully weathered innovations in technology and commerce without the
> legal profession running amok. Often innovators were not "connected" enough
> to hire the best legal representation, if they did so at all. What's
> different this time?

I don't think technological innovation has ever had the potential to disrupt
existing power structures as much as the Internet and cryptography. I'm not
sure what you mean by "legal profession running amok," but if you mean bad
court decisions and draconian government legal theories, that's nothing new.
We're only starting to see this in the context of technology because of the
aforementioned clash between technology and government power.

~~~
jessaustin
_I don't think technological innovation has ever had the potential to disrupt
existing power structures as much as the Internet and cryptography._

That's a bold statement. You don't think the cotton gin and improved looms
contributed to the numbers of people enslaved in the antebellum southern USA?
You don't think the railroads and telegraph contributed to the settling of the
West? You don't think the rise of manufacturing, which pulled multitudes of
(black and white) Southerners north, changed both the South and the Midwest?

_I'm not sure what you mean by "legal profession running amok," but if you
mean bad court decisions and draconian government legal theories, that's
nothing new._

Let me preface this by saying that I'm not comparing Lavabit to Dred Scott in
terms of the _degree_ of injustice the two parties suffered. Mostly I just
don't know a great deal of legal history and this historical "worst case ever"
is what came to mind. However, I have never seen the unfortunate Mr. Scott
_blamed_ for the infamous _Dred Scott v. Sandford_ decision. So, bad court
decisions: not new. Blaming the victims of those decisions: new.

Mostly it just speaks to an audacious sense of _entitlement_ on the part of
any attorney who upon news of a fresh new legal outrage, immediately
excoriates the victims of our federal Department of Injustice. When he says a
society without Lavabit is better than a society in which Lavabit doesn't have
him (or a similarly experienced and wise litigator) on retainer, that is self-
serving. He is fundamentally no different than the feds, because he also wants
the legal profession to act as a check on all innovation. The slight cosmetic
difference is that he wants to be the one running things, because his judgment
is better than that of the feds.

Of course we mustn't fall victim to the classic _is/ought_ confusion. When in
legal trouble, it's best to be well-represented. However, when any developer
who wants to help people maintain a modicum of privacy and dignity is
automatically in legal trouble, we all have legal trouble.

------
derstang
What I don't understand is why I didn't get a notification of the shutdown. As
a paying customer I shouldn't read about it on HN. I used the service
primarily to shield myself in hotels/coffeeshops, but I know the NSA can get
to me if they want to and I don't really care.

I appreciate the high ground CryptoSeal is coming from, but from a customer
standpoint I don't think this was done well.

~~~
Zelphyr
If they let you know then the government knows and CryptoSeal runs the risk of
the government compelling them by force of FISA court order to stay in
business, turn over all customer data, and not say anything about it.

~~~
oijaf888
Have any companies ever been compelled to stay in business? How does that even
work, especially if the company (not sure if it's applicable in this case) is
losing money at the time? Does the government subsidize all of the operations
at that point? Can they compel people not to quit their jobs in this case too?

~~~
atomatica
"'I could be arrested for this action,' Ladar Levison told NBC News about his
decision to shut down his company, Lavabit LLC, in protest over a secret court
order he had received from a federal court that is overseeing the
investigation into Snowden."

[http://investigations.nbcnews.com/_news/2013/08/13/20008036-lavabitcom-owner-i-could-be-arrested-for-resisting-surveillance-order](http://investigations.nbcnews.com/_news/2013/08/13/20008036-lavabitcom-owner-i-could-be-arrested-for-resisting-surveillance-order)

------
lnanek2
If they were serious about running a privacy startup, they would move out of
the US. Better luck next startup guys.

------
rnts08
https://simple-vpn.com, why deal with US companies for security services?

~~~
aluhut
[http://www.simplevpn.net/](http://www.simplevpn.net/) ?

~~~
rnts08
No, actually [https://simple-vpn.com](https://simple-vpn.com), it's paid for
with BTC for those who really care about anonymity and privacy. Seems like the
service got hackernewsed though. :)

~~~
aluhut
Ah that explains the 502 :)

