mike@glue:~$ wget -q -O - https://privacy.cryptoseal.com/ | gpg --verify
gpg: Signature made Mon 07 Oct 2013 12:38:07 BST using DSA key ID D2E0301F
gpg: BAD signature from "Ryan Lackey <email@example.com>"
it still meets the xkcd definition of a secure pgp message, at least.
cat my-aspergers-unformmatted-text-file.txt | fold -s > readable.txt
$ wget -q -O - https://privacy.cryptoseal.com/ | gpg --verify
gpg: Signature made Mon Oct 7 14:38:07 2013 EEST using DSA key ID D2E0301F
gpg: Good signature from "Ryan Lackey <firstname.lastname@example.org>"
Primary key fingerprint: B8B8 3D95 F940 9760 C64B DE90 07AD BE07 D2E0 301F
Amazon said they didn't want anything powered by FreeBSD in AWS. There are currently negotiations about running on a larger instance that supports the HVM, and avoids the 'Windows tax', but there are significant usage fees for that tier (today that's the cluster compute and M3 instances) as well.
We could release a variant of the AMI as a "public" AMI. It wouldn't be in AWS then, but it would be available. If your account is new enough, it would allow a completely free VPN service on Amazon's "free tier".
It would also allow people to set up their own VPN service (OpenVPN and IPSEC are both fully supported.) Hosting on top of EC2 isn't perfect (there are possible key recovery attacks from others hosted on the same infrastructure), but, correctly configured, Law Enforcement would need more than a pen register order to obtain anything beyond the enclosing IP packet data. Since, in theory, you would be your own provider, the FBI (or an equivalent in other EC2 zones) would have a higher burden to install even a pen register.
My question is: should we bother? Anyone with sufficient clue could set up a Linux instance to do the same thing.
You indeed could set up some basic stuff this way, but I wouldn't recommend it as a long term strategy. The way that our privacy product was built protected users from a variety of issues. I also wouldn't recommend using AWS for this till you can install your own trusted hypervisor and encrypt memory/disk/etc.
Incidentally, PrivateCore has a trusted, remotely-attested hypervisor that encrypts memory and runs on providers like SoftLayer: http://www.privatecore.com
We heard it directly from Amazon. To quote:
"After reviewing with our team and leadership, we will not be able to list the product in its current form. Only products built on supported file systems are allowed, and specifically we are not accepting any new FreeBSD products into Marketplace."
As I indicated above, we are continuing to work with them. The "supported file systems" is about the process used to build the AMI. (And yes, Colin uses exactly the same process.)
BTW, thanks for the work on pfSense, while I don't use it at the moment, it's been very useful in the past.
I guess the issue with needing a VPN is that you need one far away from where you are geographically.
Maybe I have misunderstood the whole thing.
0) Remote access to small business office
1) Connect to home router to access home network
2) To avoid ISP throttling of YouTube, etc
3) Download torrents, usenet
4) Commit crimes (routed through unallied nations)
5) To watch Netflix or Hulu from Europe
I ask because in a recent blog post from Silent Circle (a secure comms company), they explicitly state "we are not a U.S. firm". I'm beginning to think any company that wants to offer security products like this has to place their Global HQ outside the US's legal jurisdiction. I doubt it solves all the problems but it probably helps to some extent.
It does very little good to just "incorporate offshore" and still have US operations, US principals, etc.
If you're a US citizen doing something questionable in the US, you have basically three choices: try to do it in a compliant way, renounce your citizenship, or leave the US and/or operate underground and hope you never get caught.
While I have problems with the US Government's actions in the terrorism/cyberspace regulation/IP spheres (particularly in that the legislative branch has totally abdicated its role in oversight, as well as being generally incapable and obstructionist in general), I'm a loyal US citizen, respect the laws of the US and its political process, etc. So, all I'm willing to do is try to do things in a superior technical way, or to try to get the laws changed in the US.
The silent circle guys are basically all US citizens, and as far as I'm aware, equally wedded to the idea of US legal compliance.
I agree with the sentiment of trying to change the system, which won't happen if people (and companies) simply try and leave.
The ultimate solution is providers which can prove their operational security to end users continuously, through technical controls.
If the courts decide that you can't be compelled to give away master keys, then the US is a good choice. If not, no amount of governmental honesty can protect you.
There's still a few safe places out there to do business legally and protect your data. The Bahamas comes to mind.
They have software engineers in "Silicon Valley".
What makes you think they're "outside the US' legal jurisdiction"?
Perhaps this is a question I should direct at the other company but I wondered if it was something that the CryptoSeal folks had considered.
(I'm also not a lawyer)
One consideration, though, is that we're all US citizens, and so even if we set up a Hong Kong company with Hong Kong servers, we'd be at risk to US court orders or any civil/criminal action. So for US citizens, the only real solution is technical controls, or legal/legislative reforms in the US.
The NZ government has no hesitation in breaking whatever laws it needs to in order to satisfy US requests.
They would, however, need highly trusted agents in several legal jurisdictions. Agents who they trusted with the ability to bring the company down. Still... I think I might pay for a service like that, if some of the principal participants were people I trusted so I was sure it wasn't a honeypot.
If you need advice from experts at setting up a legal foreign business, LMK, and I'll send you a few referrals.
The Swiss SIGINT equivalent is called PTSS:
And don't get me started on HK, NZ or Iceland. If you really want to protect Osama's IRC server and worse with your VPN service, you require specific political protection from the host country.
Essentially from lavabit it appears if you don't have technical capabilities inside the service already in place to provide pen trap level realtime reporting, they can compel you to install a pen trap device, and provide all keying/etc. required to make it work.
On June 10, the federal government served a court order on Lavabit issued under 18 USC 2703(d), a 1994 amendment of the Stored Communications Act.
The Stored Communications Act (SCA, codified at 18 U.S.C. Chapter 121 §§ 2701–2712) is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs). It was enacted as Title II of the Electronic Communications Privacy Act (ECPA, Pub.L. 99–508, 100 Stat. 1848, enacted October 21, 1986).
Users generally entrust the security of online information to a third party, an ISP. In many cases, Fourth Amendment doctrine has held that, in so doing, users relinquish any expectation of privacy. The Third-Party Doctrine holds "…that knowingly revealing information to a third party relinquishes Fourth Amendment protection in that information."
It doesn't follow that a private individual can be compelled to install a pen register on his/her own infrastructure.
Are you kidding!?
Hahahaha. NZ bent over backwards to let the US decimate mega. Let's be honest, we have/had basically each of those countries be complicit in extraordinary rendition, extradition, or compliance with US IP-law.
What do you honestly think will happen when we, in the name of international security and terrorism prevention, ask them to hand over a few computers instead of, well, people?
Advertised cryptography/anonymizing services really can't exist in a climate where all rules are thrown out the window because terrorists.
Of course a party of 3 out of 63 is not going to make big waves legislatively, but the center-right coalition wouldn't touch this issue. Hell, the previous administration didn't want to touch the issue either. Noise, that's all.
Although, for the most part, it has good intentions.
I wonder how broadly that could be interpreted. The UK doesn't give me hope.
Isn't it likely that Iceland has – as all functioning countries – a surveillance apparatus and is cooperating with the US? For the latter, the usual legal trick is not to spy on your own citizens but to ask a partner service for data about your own citizens …
Strict privacy laws can be great, however, they are no protection from surveillance. Surveillance is usually excluded from privacy laws as far as countries are snoopy and not 'just' private entities.
There is no spy agency in Iceland. We are a nation of roughly 350k people. Last interior minister actually sent the FBI packing when they came to investigate something.
Spying electronically on Icelanders is a useless and expensive pursuit, if you want to know anything you go downtown and sit around while your average Joe or Jane talk about it.
Seriously though, it is amazing how much information can be gleaned from someone (rightly or wrongly) if you just sit down and talk with them for a bit. And even more information about someone's true feelings can be determined from their non-verbal communication, something that electronic surveillance (like email snooping) can do nothing about.
"CryptoSeal Privacy Consumer VPN service terminated with immediate effect
With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.
Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.
Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-plea...) reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.
We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit. We believe Lavabit is an excellent test case for this issue.
We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.
To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.
For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action."
A current example:
Clio, a cloud provider for lawyers, recently started to offer a server location in Ireland in order to comply with European privacy laws. The price, however, is about 60% higher than in the US …
US: 49 USD/month (about 36 EUR)
EU: 49 GBP/month (about 58 EUR)
Sources:
http://www.goclio.com/blog/2013/10/clio-online-practice-mana...
http://www.goclio.com/signup/
http://www.goclio.co.uk/signup/
Didn't they have an IPSec cert for each individual subscriber?
If not... I wouldn't have wanted to go anywhere near them if they were using one keypair for all traffic.
Public-facing websites are usually dependent on a single server cert because they can't easily provide a separate client cert for everyone who visits. A private, subscription-based service should not be using that model and thus should not have encountered the 'Lavabit Paradox'.
Neither should Lavabit, but I digress.
If the bar set to do this were at search warrant level (probable cause of criminal activity), that would still kind of suck, but the bar for pen traps being so low by comparison totally invalidates our security model.
All US providers (including "foreign" providers with US principals or US operations) are vulnerable to this specific problem right now.
There are technical ways to deal with this, but it would take months to implement, and no one has done it before. I've got a bunch of talks scheduled for conferences over the next year on how to implement exactly this (and am working on the tech for it), but it's not going to be instantaneous. We didn't want to be in the position of screwing over even one customer in the interim.
Until that stuff is in place, my recommendation is to use a non-US VPN provider. There, you're still at risk to local search warrants, but those are a relatively high legal standard in some jurisdictions. The problem in the US is that the lavabit case implies a much lower legal standard to effectively compel all traffic.
It'll probably be a year or two before this plays itself out in the courts. Hopefully 6-9 months for a much stronger technical solution. I'm actually working with some pretty kickass legal people on v2.
(as always, I Am Not A Lawyer; I Am Not Your Lawyer; This is not legal advice; Consult an attorney licensed in your jurisdiction for specific legal advice in your particular case.)
Can you say who they are? I'm looking for legal advice in this area as well (and I'm not a competitor to CryptoSeal in any way). Our service is currently in Australia (only), but I'm an owner, based in the US, and by design we also aren't able to support a pen trap order without the same problems you've encountered.
It sucks when crypto best-practices are, effectively, either illegal or useless.
The whole thing is quite unsettled right now, and unique to every case. I'd probably contact EFF. If I were looking for someone to pay, Marcia Hofmann is now a commercial option, and she's probably the best in the world.
Here's a criminal defense attorney who makes the case for this better than I could:
...they are screwing up the world for the rest of us, for everyone.. Choices being made by the tech-savvy and law ignorant are creating the precedents, while destroying themselves, that form the foundation for computer law going forward. We may be saddled with bad law for decades...
The point seems to be: when a random computer person provides a service, and that service is targeted by federal prosecutors, and idiotic judges use the opportunity to cripple civil society, it's the random computer person's fault. Are lawyers and judges simply vengeful automatons, whom any citizen should expect to destroy civilization if given any opportunity? Maybe others in the jurisprudential profession could help defend society from their colleagues?
The context is important here: Levison was initially defended by a small business lawyer who was only 4 years out of law school. That was truly a boneheaded decision and may very well be why Lavabit crumbled so quickly.
My previous comment was thinking more generally. Society has in the past successfully weathered innovations in technology and commerce without the legal profession running amok. Often innovators were not "connected" enough to hire the best legal representation, if they did so at all. What's different this time?
The author addressed this ad nauseam in the comments. In particular, see:
> My previous comment was thinking more generally. Society has in the past successfully weathered innovations in technology and commerce without the legal profession running amok. Often innovators were not "connected" enough to hire the best legal representation, if they did so at all. What's different this time?
I don't think technological innovation has ever had the potential to disrupt existing power structures as much as the Internet and cryptography. I'm not sure what you mean by "legal profession running amok," but if you mean bad court decisions and draconian government legal theories, that's nothing new. We're only starting to see this in the context of technology because of the aforementioned clash between technology and government power.
That's a bold statement. You don't think the cotton gin and improved looms contributed to the numbers of people enslaved in the antebellum southern USA? You don't think the railroads and telegraph contributed to the settling of the West? You don't think the rise of manufacturing, which pulled multitudes of (black and white) Southerners north, changed both the South and the Midwest?
I'm not sure what you mean by "legal profession running amok," but if you mean bad court decisions and draconian government legal theories, that's nothing new.
Let me preface this by saying that I'm not comparing Lavabit to Dred Scott in terms of the degree of injustice the two parties suffered. Mostly I just don't know a great deal of legal history and this historical "worst case ever" is what came to mind. However, I have never seen the unfortunate Mr. Scott blamed for the infamous Dred Scott v. Sandford decision. So, bad court decisions: not new. Blaming the victims of those decisions: new.
Mostly it just speaks to an audacious sense of entitlement on the part of any attorney who upon news of a fresh new legal outrage, immediately excoriates the victims of our federal Department of Injustice. When he says a society without Lavabit is better than a society in which Lavabit doesn't have him (or a similarly experienced and wise litigator) on retainer, that is self-serving. He is fundamentally no different than the feds, because he also wants the legal profession to act as a check on all innovation. The slight cosmetic difference is that he wants to be the one running things, because his judgment is better than that of the feds.
Of course we mustn't fall victim to the classic is/ought confusion. When in legal trouble, it's best to be well-represented. However, when any developer who wants to help people maintain a modicum of privacy and dignity is automatically in legal trouble, we all have legal trouble.
I appreciate the high ground CryptoSeal is coming from, but from a customer standpoint I don't think this was done well.
The financial issue was the potentially huge liability due to a legal action or battle, not the (small) costs of operating the service; my cofounder and I are both not really able to take a lavabit-style stand (I do DoD/USG consulting work, so I have additional special considerations in doing anything which isn't absolutely legally compliant in every appearance which Ladar et al didn't have...).
We're still working on similar things, now without the revenue from the privacy vpn service.
I'm very pleased that there are people working in this area, and I look forward to seeing what happens.
(There's a new group trying to re-launch "HavenCo", although it has no real connection to Sealand; it's a VPN service and some mail and stuff run out of non-Sealand colos. I wouldn't touch it, myself.)
There is no solution to any of this other than pure technology. You want something where even the operators can't do worse than shut the service down, even if you have a gun to their heads. That's not technically feasible given current technology, but is 6-24 months of development from being practical. And even with better technology, you end up having to worry about the entire stack, all the time -- constant vigilance is expensive.
> decent profits to cover costs
Do you mean it was meeting costs and growing in a way which would have led to profit in the absence of a legal tangle with the FBI or whatever?
If we were the legally best VPN option, I would probably have pushed to keep it going anyway and just shut down when/if that happened, but as it is, non-us providers run by non-US people (there are several good ones) are an objectively better option, so in good conscience there's no reason to continue running a US privacy VPN service without technical controls to prevent being compelled to screw over a user.
And regarding the actual content, it doesn't really make sense to me why a startup would lose face if they shut down a service that wasn't viable. They are expected to experiment. It happens all the time and nobody minds. Sure, it probably makes the decision easier to shut down if there aren't a lot of users, but let's not jump to conclusions.
I did not make this claim, so feel no need to answer your question.
> It's very sad that these kinds of drive-by accounts are so successful (he got at least two upvotes) for what seems like a personal attack without any data to back up the claims.
I don't think he meant to express it as a statement of fact, but meant to suggest it as his strong opinion. I just think it was worded badly. Lots of people don't sign up until they decide to make their first comment.
> And it doesn't really make sense to me why a startup would lose face if they shut down a service that wasn't viable. They are expected to experiment. It happens all the time and nobody minds. Sure, it probably makes the decision easier to shut down if there aren't a lot of users, but let's not jump to conclusions.
Many people are embarrassed when their companies fail.
In this case it was just one product getting shut down (and only until we can do something better); there's clearly a demand in the market for it, maybe stronger than ever.
I'm actually much more embarrassed by the horrible formatting of my PGP message (I never really did PGP stuff on Mac before, and forgot about the newline issues.)