

Lavabit – There's a sucker born every minute - tujv
http://havokmon.blogspot.com/2013/12/lavabit-theres-sucker-born-every-minute.html

======
MagicWishMonkey
Holy shit, I've read some ignorant "internet expert" posts about Lavabit but
this one is, by a wide margin, the dumbest one yet.

If the moron who wrote this article had bothered to spend 2 seconds to scan
over the whitepaper (and other security details that have been published
since) he would realize that the email files were stored in encrypted form in
the Lavabit database, and decrypting those records would require the password
for the relevant account. Lavabit DID provide the FBI with a dump of the
records they requested, but without Snowdens personal password the records
were useless. To retrieve his password they would need to snarf it of the wire
as he logged in, which would require specific code written by the server
administrator or access to the SSL keys and a listening device installed
between the router and server. Ladar offered to do the former, the FBI refused
to pay him for his work and demanded his SSL keys instead.

I don't know what this guy is talking about SMTP archiving, that has nothing
to do with any of this.

~~~
tomrod
My thoughts too. I get the feeling this guy is pretty incompetent since he
spends so much of his initial paragraphs complaining about lavabit.

~~~
MagicWishMonkey
He sounds like someone who has probably toyed around with SMTP software at
some point or another and it never occurred to him that you can design a
custom system from the ground up to handle email and still implement SMTP
functionality just fine.

I guess he thinks Ladar installed some off the shelf SMTP software and didn't
bother to configure it correctly? Really weird.

~~~
fnordfnordfnord
He claims to have his own free email service (linked from his blog). He also
claims (remarkably) that it is a "secure" email service, right next to where
he complains about Levison's failure to kowtow fast enough to the FBI.

~~~
MagicWishMonkey
He doesn't sound like the kind of guy who would have a problem handing the
feds his SSL keys or whatever else they ask for, so even if his system is
reasonably secure I wouldn't trust him as a steward of my information.

~~~
tomrod
Bingo.

------
Perseids
The article confuses two things: 1. Live interception of SMTP communication
going in and out of Lavabit and 2. Interception of the encryption key to
access the stored emails.

The first would be relatively easy, in that the post is correct. But what the
warrants actually requested was the stored data of an account. Lavabit
provided these, but they were encrypted (as per design of the service). The
FBI then wanted the keys for the stored account data. And for that Lavabit
asked for 3500USD which is reasonable, because there is no off the shelf
software to grab the POP3 or IMAP password in the handshake. Especially as the
TLS endpoint and the software decrypting the stored account data with the POP3
or IMAP password was probably the same, so there is no plain TCP traffic in
the internal network containing the key.

You can see that the FBI asked for (2) and not (1) in the transcript of the
court hearing, page 50 of the cited pdf [http://cryptome.org/2013/10/lavabit-
orders.pdf](http://cryptome.org/2013/10/lavabit-orders.pdf) . It is a really
entertaining read btw.: The FBI agent and the judge bicker about whether or
not Levison should be asked right there in court if he would comply with a
warrant (about the TLS key) they haven't even served him yet.

> THE COURT: I don't know, Mr. Trump. I don't think I want to get involved in
> asking him. You can talk with him and see whether he's going to produce them
> or not and let him tell you. But I don't think I ought to go asking what
> he's going to do and what he's not going to do because I can't take any
> action about it anyway. If he does not comply with the subpoena, there are
> remedies for that one way or another.

------
viseztrance
The entire episode was CAUSED by Levison's failure, and flat-out incompetence,
to implement a simple SMTP archive feature and then his attempted fleecing of
the American taxpayer by charging $2000 to provide that information.

Why does this feel like a personal attack?

~~~
dhoulb
Yeah, the author seems to be coming at this from completely the wrong angle.

I don't think anyone, the FBI, Lavabit, the NSA, or the non-technical public,
is under any illusion that it's fairly simple to route around the at-rest
encryption. We all KNOW Levison was just stalling with his 'technical reasons'
arguments.

He didn't want to give information over to the NSA, and bluffed for as long as
he could, then finally shut the service down in protest. That's obvious right?
The author of the article doesn't seem to have figured that out.

He also seems to accept government intrusion into private email as a fact of
life, and doesn't seem to comprehend why that might be a bad thing. I can't
tell if he's just trying to make a point, or he genuinely doesn't understand
people's outrage.

