Lavabit closes down

[herzmeister]

wtf what a mess, it was almost my main account these days  

http://lavabit.com/

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

probably because it has been found out that Snowden used Lavabit.

[1715311622]

1715311622

[cjp]

Does anybody know a good alternative for Lavabit?

I'd like a free (or cheap Bitcoin-paid   ) e-mail service which is
* reliable (running for at least a couple of years with very little downtime)
* has reasonable support
* is dedicated to privacy
* has no ties to the United States
* is preferably operated by people who are part of geek / free software / crypto culture
* has preferably only a low level of advertisement annoyance

[favdesu]

Does anybody know a good alternative for Lavabit?

I'd like a free (or cheap Bitcoin-paid   ) e-mail service which is
* reliable (running for at least a couple of years with very little downtime)
* has reasonable support
* is dedicated to privacy
* has no ties to the United States
* is preferably operated by people who are part of geek / free software / crypto culture
* has preferably only a low level of advertisement annoyance

I don't think there is one. Use PGP, so you don't have to worry about this kind of things. https://prism-break.org/ is a good site to look for privacy related stuff, btw.

[escrow.ms]

Does anybody know a good alternative for Lavabit?

I'd like a free (or cheap Bitcoin-paid  ) e-mail service which is
* reliable (running for at least a couple of years with very little downtime)
* has reasonable support
* is dedicated to privacy
* has no ties to the United States
* is preferably operated by people who are part of geek / free software / crypto culture
* has preferably only a low level of advertisement annoyance

You can use Chinese/Russian email services. Like qqmail and mail.ru

[HeroC]

What was lavabit again?

[herzmeister]

stories:

http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html

http://arstechnica.com/tech-policy/2013/08/ed-snowdens-encrypted-e-mail-service-shuts-down-leaving-cryptic-message/

[halfawake]

Does anybody know a good alternative for Lavabit?

I'd like a free (or cheap Bitcoin-paid   ) e-mail service which is
* reliable (running for at least a couple of years with very little downtime)
* has reasonable support
* is dedicated to privacy
* has no ties to the United States
* is preferably operated by people who are part of geek / free software / crypto culture
* has preferably only a low level of advertisement annoyance

The closest I'd be able to get to a site that meets your requirements is magnesium.net, which probably fits most of your requirements.  Unfortunately, I can't really recommend it because it hasn't really been reliable lately.  Most of the time it's up, but there are occasions when it's down for weeks at a time, so reliable it isn't.  

If you can afford it, the easiest way to get something like this is to host your own website, then you can have an email address that you control more than you would otherwise since it's hosted on your own domain.  I'm going to buy my own hosting eventually and would be happy to sell you an email address through it if you like, but I'm not planning on setting it up for a while so that doesn't really help you now.

Edited to add: Actually, I would be remiss if I didn't mention Hushmail here.  They're based in Canada and I think they meet all your requirements: PGP based email, good support, no advertisements.  I don't know how reliable they are, but I've heard good things about them, so that's what I'd go for if I were you.

[ccl]

yeah...most of my accounts is tied up to my lavabit email  Privacy again....dang  

[aigeezer]

Looks like Silent Circle is down too: http://techcrunch.com/2013/08/08/silent-circle-preemptively-shuts-down-encrypted-email-service-to-prevent-nsa-spying/

[narayan]

It sucks that Lavabit has closed down. It was my favorite email service. However, I'd rather have them shut down instead of comply with the NSA/DoJ and insert a backdoor into their service.

I think running your own mail server would be a good idea.

[bernard75]

And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.

[Spendulus]

Does anybody know a good alternative for Lavabit?

I'd like a free (or cheap Bitcoin-paid  ) e-mail service which is
* reliable (running for at least a couple of years with very little downtime)
* has reasonable support
* is dedicated to privacy
* has no ties to the United States
* is preferably operated by people who are part of geek / free software / crypto culture
* has preferably only a low level of advertisement annoyance

You can use Chinese/Russian email services. Like qqmail and mail.ru

Any centralized site can be the victim of attacks and shutdowns.  

[ccl]

And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.

freaking crazy man...

[chipug]

A minority of commenters were more supportive. “Holy shit, you guys are crying over your Steam accounts,” wrote one. “Just change your email to something else. Lavabit either had to roll over for the government, compromising our privacy, or shut down service. Be happy Ladar shut it down instead of rolling over.”

^ I think that's also a fair point.

[J603]

And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.

So the government went after a hosting service that hosts child porn? Oh no!

[bernard75]

And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.

So the government went after a hosting service that hosts child porn? Oh no!

LOL, thats all i got to say.

[BitCoiner2012]

It is happening quickly.

[J603]

And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.

So the government went after a hosting service that hosts child porn? Oh no!

LOL, thats all i got to say.

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network

That's from the article you posted.

[bernard75]

They also hosted 95% of freedom and liberty sites on the tor network.
Please educate yourself, before you jump on the bandwagon yelling "Child molesters, lets burn it down!".

[Spendulus]

And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.

So the government went after a hosting service that hosts child porn? Oh no!

LOL, thats all i got to say.

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network

That's from the article you posted.

Think it out.  What does this actually mean?  That Tor actually is effective in hiding the identity of the surfers?  Seems like otherwise, they would have wanted the site left open as a honeypot.

There's a story here, and it's not just a shrug and a laugh and....

So the government went after a hosting service that hosts child porn? Oh no!

[J603]

And Tormail taken down too:
http://www.wired.com/threatlevel/2013/08/freedom-hosting/
This is becoming crazy.

So the government went after a hosting service that hosts child porn? Oh no!

LOL, thats all i got to say.

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hactivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network

That's from the article you posted.

Think it out.  What does this actually mean?  That Tor actually is effective in hiding the identity of the surfers?  Seems like otherwise, they would have wanted the site left open as a honeypot.

There's a story here, and it's not just a shrug and a laugh and....

So the government went after a hosting service that hosts child porn? Oh no!

It is a shrug and a laugh. I don't have to worry about my identity being compromised because I don't go to those kinds of sites... Yes, I suppose that now technically we are all at risk for our identities to be exposed. But the thing is, the government isn't doing one massive attack on every tor user. They're going after people associated with child porn, which is not something I disagree with. I don't have anything to worry about, so I am just going to shrug it off and laugh.

[bernard75]

Ah one of those "I have nothing to hide".
Ive heard of your kind, you guys are very dangerous.

[J603]

Ah one of those "I have nothing to hide".
Ive heard of your kind, you guys are very dangerous.

I don't have any child porn to hide. I use torbrower for other things.

[cjp]

The closest I'd be able to get to a site that meets your requirements is magnesium.net, which probably fits most of your requirements.  Unfortunately, I can't really recommend it because it hasn't really been reliable lately.  Most of the time it's up, but there are occasions when it's down for weeks at a time, so reliable it isn't.  

If you can afford it, the easiest way to get something like this is to host your own website, then you can have an email address that you control more than you would otherwise since it's hosted on your own domain.  I'm going to buy my own hosting eventually and would be happy to sell you an email address through it if you like, but I'm not planning on setting it up for a while so that doesn't really help you now.

Edited to add: Actually, I would be remiss if I didn't mention Hushmail here.  They're based in Canada and I think they meet all your requirements: PGP based email, good support, no advertisements.  I don't know how reliable they are, but I've heard good things about them, so that's what I'd go for if I were you.

Thanks for the advice. Hushmail looks good to me (even when taking into account the criticism they've received), except their free account has extremely little storage space and doesn't support POP/IMAP. For their paid accounts, they don't accept Bitcoin or other anonymous payment methods.

I already own a domain name, and I think I'm going to use it for the e-mail address I communicate to my (non-pseudonymous) contacts. Right now, my hosting account only supports redirecting, but I'll check whether it is possible to upgrade it to a POP/IMAP mail box.

I considered self-hosting on my home server, but since it has so many single points of failure (ISP, modem, server, power supply etc.) I don't think I can reach the reliability level I'm looking for without significant investments.

Does anyone have experience with the e-mail services that accept Bitcoin?

When it comes to privacy, I'm thinking in two categories of e-mail:

E-mail with peers who don't care enough about privacy to put effort in protecting it:

• This is, unfortunately, the huge majority of peers
• E-mail has to be sent/received as plaintext, so it can be wiretapped
• Temporary plaintext storage at an e-mail provider (few days at most, until I move it to my own computer) probably makes little difference
• That is, unless the provider spontaneously does freaky analysis stuff on the e-mail data (like gmail does)
• Therefore, I want a good privacy statement for non-authority privacy, and don't expect much privacy protection against authorities
• I need a secondary account if I don't want the other (non-authority) party to know who I am (for temporary contact I'll use mailinator).

E-mail with peers who care about privacy:

• We'll use end-to-end encryption (e.g. PGP)
• Might use the same account as other e-mail if I don't care that others know the 'meta-data' (who talks to who on what moments)
• When I do care about the meta-data, I need a fully pseudonymous account, accessed with something like TOR.

[cjp]

You can use Chinese/Russian email services. Like qqmail and mail.ru

I considered it, but I'm afraid that the language is going to be a problem. mail.ru doesn't even offer alternative language choices for their home page!

Besides, I trust the Russians and Chinese even less than the U.S. government. The only good thing is that my own government is not a close ally of them.

Does anyone know whether this is worth its money?
https://www.trilightzone.org/securemail.html

[vm1990]

Ah one of those "I have nothing to hide".
Ive heard of your kind, you guys are very dangerous.

I don't have any child porn to hide. I use torbrower for other things.

id stop digging XD he could have been referring to drugs not just child porn

anyhow onto more important things if i could get the interest and a couple of coders together i might be open to hosting a private encrypted email service...
id also refuse any information requests from any LEA and probably host it on the Tor network

id like to start off with something super simple like Tormail and work up to something a bit more complex.. and id make sure emails dont have a tiny 3mb limit maybe something like 10mb to start with

[favdesu]

or just use bitmessage with pgp.

[bernard75]

or just use bitmessage with pgp.

seems like the only thing left

[grandinvestments]

A word on hushmail:

https://en.wikipedia.org/wiki/Hushmail

However, developments in November 2007 led to doubts among security-conscious users about Hushmail's security and concern over a backdoor. Hushmail has turned over cleartext copies of private e-mail messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.

[favdesu]

A word on hushmail:

https://en.wikipedia.org/wiki/Hushmail

However, developments in November 2007 led to doubts among security-conscious users about Hushmail's security and concern over a backdoor. Hushmail has turned over cleartext copies of private e-mail messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.

yeah, safe money and open a gmail or yahoo. still better than a fake privacy mail service

[bernard75]

There is still Riseup:
https://www.riseup.net/de/riseup-and-government-faq
Although they are US based they keep on fighting.

[ccl]

soooo, I forgot my dropbox password great!  since I have my lavabit account tied to it I cannot reset it  Hopefully dropbox support gives me a positive answer.....

[manfred]

There is still Riseup:
https://www.riseup.net/de/riseup-and-government-faq
Although they are US based they keep on fighting.

Also MEGA is setting up an encrypted email service, but it still several months before its finished.
http://www.zdnet.com/mega-to-fill-secure-email-gap-left-by-lavabit-7000019232/ or
http://www.techhive.com/article/2046445/kim-dotcoms-mega-vows-to-create-useable-encrypted-email-for-the-masses.html
.

[cryptasm]

There's a decent list of alternatives here:

http://www.dailydot.com/lifestyle/tor-tormail-dark-web-communication-pgp/

Looking forward to when Tox.im is fully developed

Plus an interesting interview with Lavabit boss here:

https://www.youtube.com/watch?v=Ui3KpztUzVg

[halfawake]

There was an article in our local newspaper today about a company called Privato which offers double encrypted email.  It's not free - the article says they charge $100 / year, but I just thought I'd throw it out there as an option.  Looks like they are geared more towards businesses than personal email, but I'd doubt they'd turn you down if you'd want to shell out the money.

Personally, I'd probably just stick with my Gmail account and encrypt the messages that I want to be secure.  The government would still be able to tell who I'm sending things to, but not what's actually in the message.  It's a shame more people don't use encryption - for me, that's the hard part about encryption, I know how to use it, but most people I'm communicating with don't use PGP / GPG.

[MysteryMiner]

Don't use Russian or Chinese e-mail providers at all! mail.ru is just as bad as gmail the only difference is that it have direct link to FSB and Russian oligarchs instead of FBI/NSA.

Self-hosted server is great but it have many points of failure. Then comes mail servers hosted in Latin America or Africa.

[chipug]

https://bitcointalk.org/index.php?topic=279981.msg2991953#msg2991953

[bernard75]

Lavabit, Silent Circle, Tormail and now Bitmessage:

It seems like all users received the following message today:

Bitmessage has several potential security issues including a broken proof of work function and potential private key leaks.

 Full details:
 http://secupost.net/*RefNumber/bitmessage-security

Somebody is collecting IPs, i wonder who?

[bernard75]

http://www.chronicles.no/2013/08/bitmessage-crackdown.html

Mr "Robert White" was behind the "attack" (message from secupost.net and Bitmessage):
-- -- --
This message is also available at http://secupost.net

Alright, the messages sent out a few days ago are starting to expire now. It's time for everyone to learn what the purpose of secupost.net is.

As many of you guessed, this is indeed a Bitmessage address to IP address mapper. Yes, the only thing that webserver would send was a 500 message.

It did alright too, gathering nearly 500 bitmessage users information after sending 15000 messages. Double what I expected.

I've included both a log of each address detected and the first thing to hit it including IP, reverse DNS and useragent as well as raw logs for every valid request. If you need to confirm this signature so you can verify messages from me when bitmessage is down, please see the bitmessage general chan for a copy from my bitmessage address.

So, future lessons:
- - - Yes, all bitmessage addresses are public and can be read from your messages.dat file using a small script.
- - - Don't click links. Even if it looks like a security-related site and uses some technical terms. I am not a nice person, I will publish any information I can gather about you and I don't care if you get lit on fire by terrorists because of it.
- - - Bitmessage does _not_ scale. It took me around 3.5 hours to send ~15k messages but it took the bitmessage network over 18 hours to fully propogate them.

Some of you were smart enough to use tor or VPN providers, but many of these are direct home or server IPs. The information below is more than enough for any government to come after you or any script kiddie to DDoS you. Be more careful next time.

Some of you tried to use scripts to claim addresses which weren't yours and skew the data, of course, you didn't even change your user-agent.

Even without accouting for that your attacks were ineffective because the IDs were generated in a non-linear fashion using a cropped HMAC-SHA256. To find your id:

def gen_mac(addr):
mac = hmac.new("fuck you", addr, hashlib.sha256).digest()
return unpack('>I', mac[0:4])[0]

This simple deterministic method means that you would have had to try... (2^32/15000)/2 = 143165 times on average just to get a single collision. Thanks for playing, but no luck this time.

This service has been operated completely anonymously thanks to Tor and Bitcoin. I hope you enjoy the result.

Robert White (BM-2D8yr4fzoMzwndqPwLMVyzUcdfK9LWZXjY)

[Akka]

It's coming back. Better than before (?): http://silentcircle.wordpress.com/2013/10/30/announcing-the-dark-mail-alliance-founded-by-silent-circle-lavabit/