Lavabit To Release Code As Open Source, As It Creates Dark Mail Alliance To Create Even More Secure Email

from the it's-needed dept

This whole morning, while all these stories of the NSA hacking directly into Google's and Yahoo's networks have been popping up, I've been at the Inbox Love conference, all about the future of email. The "keynote" that just concluded was Ladar Levison from Lavabit (with an assist from Mike Janke from Silent Circle), talking about the just-announced Dark Mail Alliance between Lavabit and Silent Circle -- the other "security"-focused communications company, which shut down its email offering after Lavabit was forced to shut down. Levison joked that they went with "Dark Mail" because "Black Mail" might have negative connotations. Perhaps just as interesting, Levison is going to be releasing the Lavabit source code (and doing a Kickstarter project to support this), with the hope that many others can set up their own secure email using Lavabit's code, combined with the new Dark Mail Alliance secure technology, which will be available next year.

As noted, the Alliance is working on trying to create truly secure and surveillance-proof email. Of course, nothing is ever 100% surveillance proof -- and both members of the alliance have previously claimed that it was almost impossible to do surveillance-proof email. However, they're claiming they've had a "breakthrough" that will help.
The newly developed technology has been designed to look just like ordinary email, with an interface that includes all the usual folders—inbox, sent mail, and drafts. But where it differs is that it will automatically deploy peer-to-peer encryption, so that users of the Dark Mail technology will be able to communicate securely. The encryption, based on a Silent Circle instant messaging protocol called SCIMP, will apply to both content and metadata of the message and attachments. And the secret keys generated to encrypt the communications will be ephemeral, meaning they are deleted after each exchange of messages.

For the NSA and similar surveillance agencies across the world, it will sound like a nightmare. The technology will thwart attempts to sift emails directly from Internet cables as part of so-called “upstream” collection programs and limit the ability to collect messages directly from Internet companies through court orders. Covertly monitoring encrypted Dark Mail emails would likely have to be done by deploying Trojan spyware on a targeted user. If every email provider in the world adopted this technology for all their users, it would render dragnet interception of email messages and email metadata virtually impossible.
Importantly, they're not asking everyone to just trust them to be secure -- even though both companies have the right pedigree to deserve some level of trust. Instead, they're going to release the source code for public scrutiny and audits, and they're hoping that other email providers will join the alliance.
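The quoted description above rests on three properties: a fresh key for each exchange, encryption that covers the message's metadata as well as its content, and deletion of the secrets once the exchange is over. The Python below is an added illustration of those properties, not Lavabit's or Silent Circle's code and not SCIMP itself: it uses finite-field Diffie-Hellman over the RFC 3526 group 14 prime, a readable HMAC-based stream cipher with encrypt-then-MAC in place of a vetted AEAD, and a `darkmail-demo` label of my own as key-derivation context.

```python
import hashlib, hmac, json, secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (hex transcribed from the RFC).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def ephemeral_keypair():
    """Fresh DH pair for a single exchange; the private half never leaves memory."""
    priv = secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(my_priv, their_pub):
    """Hash the shared secret into a 256-bit key; reject degenerate peer values."""
    if not 1 < their_pub < P - 1:
        raise ValueError("invalid public value")
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(b"darkmail-demo|" + shared.to_bytes(256, "big")).digest()

def _keystream(key, n):
    # HMAC-SHA256 in counter mode: a demo construction chosen for readability, not a vetted AEAD.
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, headers, body):
    """Encrypt headers and body as ONE envelope (metadata is not left in the clear), then MAC it."""
    plain = json.dumps({"headers": headers, "body": body}).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_envelope(key, blob):
    """Return (headers, body), or None when the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    obj = json.loads(plain)
    return obj["headers"], obj["body"]

def exchange(headers, body):
    """One message with throwaway keys on both sides. In a real system the
    recipient's ephemeral public value would be fetched ahead of time."""
    s_priv, s_pub = ephemeral_keypair()
    r_priv, r_pub = ephemeral_keypair()
    blob = seal(session_key(s_priv, r_pub), headers, body)  # sender side
    got = open_envelope(session_key(r_priv, s_pub), blob)   # recipient side
    del s_priv, r_priv  # models key deletion (Python ints cannot be zeroed in place)
    return blob, got
```

Once `exchange` returns, no key that can open `blob` exists anywhere, so a later compromise of either party yields nothing about that message; what the sketch leaves open is how the sender learns whose public value is whose, which is the key-distribution question comment 34 below raises.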

At the conference, Levison recounted much of what's happened over the last few months (with quite a bit of humor), joking about how he tried to be "nice" in giving the feds Lavabit's private keys printed out, by noting that he included line numbers to help (leaving unsaid that this would make OCR'ing the keys even more difficult). He also admitted that giving them the paper version was really just a way to buy time to shut down Lavabit.

Janke came up on stage to talk about the importance of changing the 40-year-old architecture of email, because it's just not designed for secure communications. The hope is that as many other email providers as possible will join the Alliance and that this new setup becomes the de facto standard for end-to-end secure email, which is where Levison's open sourcing of his code gets more interesting. In theory, if it all works out, it could be a lot easier for lots of companies to set up their own "dark mail" email providers.

Either way, I would imagine that this development can't make the NSA all that happy.


Reader Comments

  1. PRMan, Oct 30th, 2013 @ 12:37pm

    As a bonus...

    As a bonus, would this kill off some spam by the encryption slowing messages enough to make it unprofitable?

  2. Anonymous Coward, Oct 30th, 2013 @ 12:39pm

    "Lavabit To Release Code As Open Source, As It Creates Dark Mail Alliance To Create Even More Secure Email"

    Join the dark side of the force?

    Darth Vader would approve!

  3. Anonymous Coward, Oct 30th, 2013 @ 12:44pm

    It's good to see new private communication technologies are coming out. They're badly needed. Legislation alone won't be enough to ensure our fundamental human right to private conversations.

  4. Anonymous Coward, Oct 30th, 2013 @ 12:48pm

    https://github.com/kripken/emscripten/wiki

    Could people port SCIMP to JavaScript?

    So everyone could use it anywhere that there is a browser?

  5. Anonymous Coward, Oct 30th, 2013 @ 12:48pm

    Just look at all the damage Snowden has done to US interests

  6. coward (anon), Oct 30th, 2013 @ 1:05pm

    Ban encryption

    This will just provide more reason for the NSA/Congress to outlaw (or criminalize) encryption code. The fact that this would likely destroy the Internet and kill off some of the US's largest companies is of little concern to the NSA and their mouthpieces.

  7. Anonymous Coward, Oct 30th, 2013 @ 1:10pm

    I suspect there is going to be a lot the NSA doesn't particularly like coming in the future.

  8. Not an Electronic Rodent (profile), Oct 30th, 2013 @ 1:10pm

    Re:

    "Just look at all the damage Snowden has done to US interests"

    Did you mean the US government's interests or the US people's interests?
    Theoretically, I know, those should be the same, but reality is so far removed that the distinction is important.

  9. Not an Electronic Rodent (profile), Oct 30th, 2013 @ 1:14pm

    Re: Ban encryption

    "The fact that this would likely destroy the Internet"

    Or, with a lot of luck and on the bright side, might just destroy the disproportionate leverage the US has on the internet instead.

  10. Anonymous Coward, Oct 30th, 2013 @ 1:15pm

    I'm loving this. I knew that after all the revelations a lot of developers and cryptographers would be pissed off with the NSA and would try to find solutions against their mass surveillance. I think we're going to see a lot more great stuff like this in the future.

  11. silverscarcat (profile), Oct 30th, 2013 @ 1:15pm

    Re:

    Hmm...

    Just look at all the damage the NSA has done to US interests.

    MUCH more accurate!

  12. Anonymous Coward, Oct 30th, 2013 @ 1:18pm

    Re:

    That's right, blame the messenger. The US government is the root cause of damage to US business interests in this case.

  13. out_of_the_blue, Oct 30th, 2013 @ 1:20pm

    Couldn't make Google very happy, either!

    BUT so long as the masses of dolts go along with Google and nearly every other email "service" spying on them, this isn't going to bother NSA. -- Heck, waving flags that say "I'm hiding something!" is actually of high value to spies: it's the needle popping out of the haystack.

    So long as "The Market" (if not NSA directly) rewards Google for spying, do you expect it to do LESS of it?

  14. Anonymous Coward, Oct 30th, 2013 @ 1:23pm

    "Either way, I would imagine that this development can't make the NSA all that happy"

    Well, we wouldn't want that.

    - I have always thought of this as a technical problem. It won't be solved by new laws or new oversight or politicians. It's simply a set of technical problems we will address; part of the reason it's been so ignored is because of laziness. I think this will give us our edge back and we will be creating secure mail/messaging/P2P websites w/no traditional DNS, lots of good stuff in the pipe.

  15. Me, Oct 30th, 2013 @ 1:32pm

    Re:

    "I have always thought of this as a technical problem. It won't be solved by new laws or new oversight or Politicians."

    I agree with you, although we need both. There must be a legal prohibition on certain activities as well (to provide accountability), but having tech-minded folks applying their skills to engineered solutions is essential as well.

  16. Russ (profile), Oct 30th, 2013 @ 1:46pm

    As it ever is

    Coders and decrypters have been going back and forth since the middle ages and it will continue forever.

    Although the NSA won't be happy, they would be naive to assume there would be no reaction. It does put the NSA's reaction in a different context: although it was embarrassing and the terrorists a red herring, the exposure of widespread email monitoring will impact the ease with which they spy as programs such as dark mail are developed.

  17. Anonymous Coward, Oct 30th, 2013 @ 1:50pm

    'If every email provider in the world adopted this technology for all their users, it would render dragnet interception of email messages and email metadata virtually impossible.'

    So why are email companies not doing it then? I can see very soon that those that don't will be losing customers, and so they should!

  18. Ed Allen, Oct 30th, 2013 @ 2:14pm

    Re: As a bonus...

    Since every message goes between two boxes, not hundreds on a mailing list, then spam costs the sender more for each added recipient, both time and CPU cycles, so spam becomes less attractive to send to lots of recipients.

    So yes, spam volume ought to go down and spammer profits will fall or the cost for the senders will go up.

    Eventually they might figure a way to work around holes in this but once we encrypt all email then tweaks to the protocols will be easier next time.

  19. PopeRatzo (profile), Oct 30th, 2013 @ 2:20pm

    Hooray

    Good for Lavabit. Man, there's nothing that engenders trust in consumers like a company that actually cares about their well-being and proves it.

    Take my money, please.

  20. Mr Big Content, Oct 30th, 2013 @ 3:36pm

    Very Clever Deception

    Their not fooling anyone by releasing this so-called "source code". Who pretends to understand this stuff, anyway? We've all seen the movies: the best place to hide something is in plain sight, because that's the last place the so-called "experts" will look!

  21. Anonymous Coward, Oct 30th, 2013 @ 4:36pm

    Re: Very Clever Deception

    You're an idiot.

  22. That One Guy (profile), Oct 30th, 2013 @ 5:26pm

    Re: Re: Very Clever Deception

    And you just got 'whooshed'. Look at the name, then re-read the comment with the view of sarcasm/joking and you'll get it.

  23. That One Guy (profile), Oct 30th, 2013 @ 5:28pm

    Re: Ban encryption

    They would have to do it on the sly; companies like banks and others that do business online know full well that banning encryption would mean the death of them, so they would be sure to throw their considerable influence to stop any attempt at doing so.

  24. Anonymous Coward, Oct 30th, 2013 @ 5:34pm

    Black Ops Mail

    Dark Mail, WTF does that mean? Black background? Used by Darth Vader and Dark Helmet?

    Black Ops Mail, now that is a name that not only sounds cool but does a great job describing what they want to build.

    They could register the Spanish domain bom.es which would really freak out the NSA as an added bonus!

  25. Atkray (profile), Oct 30th, 2013 @ 6:00pm

    Re:

    I'm stunned that Mike didn't let Dark Helmet write this.

  26. ahow628 (profile), Oct 30th, 2013 @ 6:45pm

    Cut by their own sword...

    "Either way, I would imagine that this development can't make the NSA all that happy."

    Haha, no shit. It is definitely worth pointing out though that all of this is of the NSA's own making. If they wouldn't have been so cavalier about sucking up data, something like Dark Mail would never have been necessary and they could have continued - status quo.

  27.

    Talking about which, why not adopt a similar protocol for chat?

    XMPP providers ought to adopt the Off-The-Record standard for encrypted chat, by the way: https://otr.cypherpunks.ca/

  28. AC Unknown (profile), Oct 30th, 2013 @ 8:05pm

    Re: Black Ops Mail

    It's a mail server that's "in the dark", or hidden from sight.

  29. Anonymous Coward, Oct 30th, 2013 @ 9:01pm

    Re: Re: Very Clever Deception

    right over your pointy little head. WHOOSH!!!

  30. spodula, Oct 31st, 2013 @ 1:46am

    Re: Re: As a bonus...

    Isn't most spam sent by botnets these days? In which case the cost of sending email by the spammer would be multiplied from Nothing to Nothing.

  31. Anonymous Coward, Oct 31st, 2013 @ 2:47am

    Re: Ban encryption

    > This will just provide more reason for the NSA/Congress to outlaw (or criminalize) encryption code.

    They tried (Google for "Clipper chip"). We fought. We won.

    Too much depends on encryption now, and it is too widespread. The negative reaction to any attempt to ban encryption would be very strong.

  32. Anonymous Coward, Oct 31st, 2013 @ 2:49am

    Re: Talking about which, why not adopt a similar protocol for chat?

    OTR works on the clients. XMPP providers do not need to do anything. It is the client developers who do all the work with OTR.

  33. me@me.net, Oct 31st, 2013 @ 4:20am

    Re:

    The backlash has already begun and this is their own fault. They have proven they are the enemy and there is no reason whatever to trust them or anything they say. Reap what you sow....

  34. JustMe (profile), Oct 31st, 2013 @ 4:33am

    Key management

    Has always been the problem when scaling these things beyond very small groups of people. How are keys exchanged between strangers (new vendor wants a quote, someone asking for support) or even non-techies like dear old grandma, ahead of time? Is there instead a central repository for the public keys, and if so, who controls it?

  35. gezzerx, Oct 31st, 2013 @ 5:49am

    Re:

    Don't blame Snowden or the Press for the actions of NSA & GCHQ & our Governments; they are the ONLY ones responsible for the crimes they have committed ! ! ! See USC Title 18 Sec. 241 & 242. So why no arrest warrants for high crimes, but only for misdemeanors ? ? ?

    High crimes = NSA + GCHQ + PUBLIC OFFICIALS OF THE UK & US ! ! !

    Misdemeanors = Snowden, Manning, Assange, Lavabit

    REMEMBER: POLITICIANS, BUREAUCRATS AND DIAPERS SHOULD BE CHANGED OFTEN AND FOR THE SAME REASON.

  36. Dave, Oct 31st, 2013 @ 12:07pm

    Wish 'em well

    Damn' good show, chaps - and bloody good luck with this. NSA needs a good slapping.

