Hacker News new | past | comments | ask | show | jobs | submit login
Two Providers of Secure E-Mail Shut Down (bits.blogs.nytimes.com)
244 points by jrochkind1 on Aug 9, 2013 | hide | past | web | favorite | 69 comments



" Mike Janke, Silent Circle’s chief executive, said in a telephone interview late Thursday that his company had destroyed its server. “Gone. Can’t get it back. Nobody can,” he said. “We thought it was better to take flak from customers than be forced to turn it over.”

That guy has brass balls. It may very well be that this will be interpreted as obstruction of justice, there is a specific element in there about destroying evidence.

http://en.wikipedia.org/wiki/Obstruction_of_justice


The reason why he destroyed it now is so that he doesn't face obstruction of justice charges later. He realized they were coming, one way or another.

A lot of lawyers advise that the only and best time to destroy evidence is before it becomes evidence.


I wouldn't put it past the DOJ to conjure up claims that there are always investigations into every company at all times, so any destruction of property at any time could be construed as destruction of evidence.

Then again I'm a bit more paranoid than most.


They've done it in the past, to the auditing firm involved in the Enron scandal. They actually indicted and convicted them of destroying audit records according to their standard procedures prior to them being investigated by the SEC.

http://en.wikipedia.org/wiki/Arthur_Andersen_LLP_v._United_S...


Jayzus. That would be as close as possible to actual implementation of the concept of 'thoughtcrime'. Thanks for the shiver.


What I thought you said, at first read, was "That would be close to impossible..." which would be a more correct statement.


I wonder if they destroyed it before it was part of an investigation? It may have been preemptive to avoid that scenario when the Feds eventually did come knocking on the door.

Edit - yes that looks to be the case. From their blog: We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.


Although if they had received a FISA subpoena, isn't that what they would be obliged to say?


except for "that is why we are acting now" and the rest of the text, yes


What he did was equally an act of heroism (in face of Internet history) and stupidity (in face of his own life). Perhaps, he should just have wiped and destroyed the disks, and have it "seemed like a system crash at a bad timing" caused it :)


Isn't it fucked up when someone suggests that someone's life might be at risk because of some data he had (and completely had the right to delete) and it doesn't sound utterly ridiculous?

This is now the world we live in.


People 'suggest' the government is going to kill people all the time, it doesn't make it true. That is the world you live in. You do not live in a James Bond film.

This guy didn't risk his life. His livelihood perhaps, but not his life.


Snowden's life is probably in danger, and Manning isn't having a swell time, just for coming out and saying that the US is involved in unsavory activities. Sure, this isn't at that level, but it's not inconceivable any more.

This isn't a James Bond film. It's 1984.


he risked his life in in the way that he may be placed in jail for a while. I don't think anyone is suggesting that he may be killed over a destroyed server.


I would probably argue that being imprisoned for an undetermined time is fairly comparable to "losing your life" for most people.


Lying under oath (or even when questioned by the police) is rarely a great idea. Because even if they can't prove you did anything illegal, that can still use your lie to hang you.


Why would it be if there was no on going investigation that they were made aware of (officially)? I think they are smarter than that. This seems like a pre-emptive move.


But they weren't being prosecuted, how is that obstruction? How would they prove that it was "evidence"?


You're asking this of a government with a growing record of retroactively rewriting laws in its own favour?


Retroactive law for warrantless wiretapping, I am aware of. What other laws can you add to that list?


Perhaps, the secret laws in secret courts that you (we) are neither aware of now, nor ever will.


woah! ex post facto laws are illegal according to the constitution... oh wait... they don't follow that thing anymore do they?


This is officially Iran level of government-busdiness interaction guys.

US seems to have state religion now, that is State Security. Sin and get destroyed. Reminds me of USSR in that regard.


"State Security" as defined by a handful of war-mongers living in the past and bent upon visiting its ghosts on the present, and sadly, the future generation.


Related but I just checked the USPTO, and the trademark for "State Secrets" is available.


So long as they are doing this to target legitimate national security threats, it isn't. There is no filter on free speech nor any hint that one might be coming. Right now it's just overzealous prosecution that is nipping at the 4th amendment. The 1st amendment is secure for now.


A slashdot commenter put this up a few weeks ago, it's worthwhile viewing for an hour - you can get an idea of what the providers are going through. There's a good interview with an archive.org employee around who also received one, and tried to resist in his capacity as a librarian.

https://www.youtube.com/watch?v=C25EkdWLU1k


I remember that guy. I think he was the first to fight an NSL, and to make it so you can tell your lawyer about NSL's.

He also tried to crowdfund a very privacy-oriented ISP a while ago, but he could only do it on IndieGoGo, and it was very new at the time, and I don't think he completed the goal.

http://news.cnet.com/8301-31921_3-57412225-281/this-internet...



In response to these email shutdowns, I propose a PGP key signing party in SOMA tomorrow.


Reminds me of when they took Megaupload down. There was a domino effect where a lot of torrent and file sharing sites decided to pack their things and go home.

First the file sharers, then the secure emails. I wonder who's going to be next? The reddits? The HNs?


I think it's just going to lead to decentralization. More, smaller fish.


I think you're absolutely right. The only effect that NSA/... (and let's be honest, any other country is just jealous they don't have the capabilities of an NSA :p) has on the Internet community is going to be a wider and further proliferation of darknets, P2P and F2F services.


It's funny I think that's one of the primary results of the internet. I think of movie and music production, software, bitcoin, bittorrent and so on. I would argue they have been decentralised by the internet. I think centralised services are against the 'spirit of the internet'.


How did Silent Circle become a "major secure email service provider?" Lavabit launched in 2004. Silent Circle launched "Silent Mail" four months ago.

I don't see how SC's action belongs in the same sentence as what Lavabit was forced to do.


Lavabit was a much more "under the radar" provider. Silent circle has gained huge traction since they started and provide secure Phone, SMS and mail services. They may not be "equal" but silent circle is certainly more of a high profile target.


What evidence is there of the huge traction? Have they announced actual numbers?


This is why I setup my own email server...

Here is a great guide for anyone interested: https://www.exratione.com/2012/05/a-mailserver-on-ubuntu-120...

I set mine up on CentOS 5 using this guide. I would recommend you also look at DKIM signing and SPF records to improve deliverability! :)


email is not encrypted... they'll just have your hosting provider or ISP copy your email when it's received/sent


My e-mail system is set to prefer TLS wherever possible. Spot-checks of headers incoming from other sources show that, at the minimum, a TLS session is successfully negotiated approximately 85% of the time so messages from those sources are presumed to be encrypted while in transit. All clients must connect using TLS (either IMAP-S or HTTPS). Yes, unencrypted copies likely exist on the sending side (the data storage disks for my e-mail servers are encrypted) and the client storage for some of my users is in the clear but it's not possible for my ISP to read the bits in flight.


so the nsa gets a list of IP addresses of mail servers that sent you mail, and sends a subpoena to each of those providers instead.


If they want to get you they're gonna get you. The point is that takes a lot more work than the analyst sitting at his desk typing in friggin Google searches on your Gmail.


And the odds you'll know it has happened is much higher.


And if the other side happens to be self-hosted as well or an provider based outside the US?


The NSA is primarily concerned with communication outside of the US. You would have less protection with a foreign provider.


Given that I am not an US-citizen I would argue that I am better of an provider outside.. namely myself. Have fun puzzling together a complete picture from dozens of providers.


Since when did the American government care about things being outside the US?


Since it's more work to coerce the mail provider into providing them the data, by finding something dirty about them or something like that.

If they just send their subpoena without any of that, it will just end up in /dev/null and that's the end of the story.


Right, but my email service is not likely to suddenly disappear overnight (like post) and also isn't owned and controlled by a large corporations in the same pocket as the US government (which isn't even my government... but seemingly still has access to my emails...).


It seems like there's an opportunity for a PGP mail forwarder, a service that encrypts all incoming mail and then forwards it without saving anything in the process. I'd pay bitcoins for that.


This sounds totally useless as a 3rd party service due to how obvious a target it would be but a simple encrypting proxy or MTA config would be pretty useful for self hosted setups.


It'd be much less of a target than any encrypted hosted mail since it wouldn't store anything, just be a pass-through filter.

Yeah, ideally we would all have our own encrypted, self hosted setup, but that's just not realistic.


It's a victory of NSA-US govt. over the efforts of EFF and similar organizations. We must continue this fight to safeguard our future.

Here are two free and secure email providers who keep themselves up only by donations:

1. https://openmailbox.org

2. https://autistici.org


Previous discussion on OpenMailbox: http://news.ycombinator.com/item?id=6174603


There's also: https://www.cotse.net/


SSL errors on the 2nd... seems... worrisome.


I'm but a layman but browser-side SSL verification is essentially 3rd-party centralized validation of the authenticity of one side of an encryption mechanism - predetermined vendors tell the browser whether a SSL cert is as claimed and an SSL cert is only an encryption key.

This service doesn't care whether a browser-maker thinks its cert is real; they also provide a means to validate that their downloadable cert is as claimed - the cert is valid encryption between you and them, from anyone not you and them, despite whatever errors a browser throws up.


Obama is willing to deprive his constituents of their bread and butter to enforce surveillance. Un. Fucking. Believable.

This is in no way Schadenfreude, but it does provide an opportunity for countries with more transparency, or less appetite for strong-arming their people.


The question is, why is this "secure email" safer? Apparently, not as safe as some people assumed.

Focus on security on the ends, not on the middle.


Interesting to see talk about what is legal and what is not. Think about this: Everything Hitler did in the Nazi Germany was legal.

How about a law that classifies tracking or stalking on the internet is the same as in person, therefore illegal?


> Taken together, the closures signal that e-mails, even if they are encrypted, can be accessed by government authorities and that the only way to prevent turning over the data is to obliterate the servers that the data sits on.

Can someone explain to me how this is possible? Or is this inaccurate?


That's probably inaccurate. It is likely that the problem Lavabit faced was being required to transmit malware to their customers.


I think it is inaccurate. The concerns of lavabit and silent circle seemed to be about unencrypted email.


Their concerns are not about unencrypted email, they refuse to install eavesdropping equipment in their server rack.

You can encrypt your email all you want but it's not encrypted in the space between your load balancer and your app server.


I think in general "encrypted email" refers to end-to-end encrypted email which of course does not have that problem.


Hm, i wonder why Silent Circle just went ahead and shutdown their relativly young and unknown mailservice without any clear reason other than to use the opportunity to do get some publicity for their other secure services.

Lavabit was alot bigger than Silent Circle and this announcement seems a bit suspicious to me. I might me totally wrong, but going ahead and shutting down the service on the same day a popular competitor does without any clear reason while at the same time embracing their other still running services seems a bit strange to me.


I don't think 'any news is good news' applies to secure services providers. It will not make other offerings more appealing. Why bother with a provider that has to resort to this kind of behaviour to protect its customers?


as someone who (wisely or unwisely) depends on my email account as an online datastore, the prospect of it just shutting down overnight and my losing everything is terrifying. which probably means it's time to start some sort of active backup mechanism, but more to the point i do wonder if any of lavabit's or silent circle's clients ran into the same predicament.


snowden used lavabit?

it shouldn't, but it makes me more confident in my choice of lavabit.

good thing I didnt use webmail.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: