Encrypted Email Services Shut Down to Avoid NSA Snooping
Two encrypted email services shut down on Thursday, citing concerns related to NSA surveillance and government requests for user data.
10 August, 2013
Private communications startup Silent Circle preemptively shut down its encrypted email service on Thursday evening, an unexpected move that came just a few hours after Lavabit, another encrypted email provider, allegedly used by Edward Snowden, decided to close its doors rather than comply with a national security-related investigation.
"We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now," wrote Silent Circle's CTO and cryptographer Jon Callas on the company's blog, after explicitly pointing to Lavabit's earlier decision. "We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."
Silent Circle, a startup founded by former U.S. Navy SEAL Mike Janke and well-known cryptographer Philip Zimmermann, provides encrypted phone calls, text messages and video calls for $10 a month.
In a phone interview with Mashable on Friday, Janke said they had been thinking about this decision for a while, but Lavabit's announcement gave them the final push to not only close down the service, but to also wipe the servers and destroy them, removing "every and all traces of email in the entire architecture," he said.
The main reason behind their decision, however, is that even encrypted email isn't completely safe, he said.
"Email is fundamentally broke," Janke said, explaining that even perfectly encrypted emails leak metadata — the sender's IP address, the subject of the email, the time it was sent and received. "All those things are really, really sensitive information that governments can use to pinpoint and track you, and know who you're communicating with and where you're at and what time."
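
The metadata leak described above, as an added example that is not part of the original article: it parses a constructed PGP/MIME message with Python's standard `email` module and returns every field an intermediary can read without a decryption key. The addresses, the IP (RFC 5737 documentation range) and the message itself are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not real traffic): a PGP/MIME message as a relay sees it.
# Addresses use example domains; the IP is from the RFC 5737 documentation range.
SAMPLE = """\
Received: from client.example.org (client.example.org [198.51.100.23])
\tby mx.example.net with ESMTPS; Fri, 09 Aug 2013 10:15:02 +0000
From: alice@example.org
To: bob@example.net
Subject: Meeting on Tuesday
Date: Fri, 09 Aug 2013 10:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder standing in for ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def exposed_metadata(raw: str) -> dict:
    """Return what an intermediary can read without any decryption key."""
    msg = message_from_string(raw)
    ips = []
    for hop in msg.get_all("Received", []):  # one header per relay hop
        ips += IP_IN_BRACKETS.findall(hop)
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],  # PGP/MIME encrypts the body, not headers
        "sent_utc": parsedate_to_datetime(msg["Date"]).isoformat(),
        "client_ips": ips,
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
        "leaf_parts": [p.get_content_type() for p in msg.walk()
                       if not p.is_multipart()],
    }

if __name__ == "__main__":
    for field, value in exposed_metadata(SAMPLE).items():
        print(f"{field}: {value}")
```
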
Janke said that 50% of Silent Circle's total users, though he declined to give a specific number, used the encrypted email service. Most of them, according to Janke, were supportive of the company's decision. And although Janke admits the action was abrupt and without prior warning, it had to be because many Silent Circle users are government employees around the world or people that might have been targets.
"If we send an email saying, 'in 12 hours we're shutting off email,'" Janke said, "it doesn't take but a half hour for a government agency to send you a National Security Letter."
Despite the current service being effectively destroyed, Janke revealed they're working on a fully encrypted and peer-to-peer email service which could be unveiled in the next few months.
A few hours before Silent Circle's decision, Lavabit had announced it was suspending its service.
"I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations," wrote Lavabit's founder Ladar Levison.
The reasons behind Levison's decision are as yet unclear, though his full statement hints that he is under a gag order following an unspecified request from the U.S. government. (Levison didn't respond to Mashable's requests for comment.)
CNET reporter Declan McCullagh speculated on his Google Plus page that the reason might have been that the FBI served Lavabit with an order to intercept Snowden's, or other users', passwords.
The two companies' surprising decisions do appear to be ideologically motivated, but they are business decisions as well. Both Lavabit's and Silent Circle's business models are built on the promise of private communications and their advertised inability to comply with surveillance orders. Hence, it makes a lot of sense from a business perspective to fight government snooping. "If we turned evil, then you're still covered," Phil Zimmermann told Mashable in a previous interview, alluding to the value of protecting user data at any cost.
"Lavabit and Silent Circle's extraordinary behavior demonstrate not only their principles, but that they understand the business they're in," wrote computer scientist Matt Blaze on Twitter.
CryptoCat, a browser-based encrypted chat service, also announced it would do the same if necessary.
"If we receive a surveillance or backdoor order that we are unable to legally fight, we will shut down Cryptocat rather than implement it."
In an email to The Guardian's Glenn Greenwald, Snowden praised Lavabit's decision, and warned about the dangers of forcing companies to shut down to protect their users.
"America cannot succeed as a country where individuals like Mr. Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our Internet titans must ask themselves why they aren't fighting for our interests the same way small businesses are."
Will other companies have to do the same thing Silent Circle and Lavabit did? In his statement, Levison finished with a dire warning.
"This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States."
Meshnet activists rebuilding the internet from scratch
Worried about the NSA snooping on your email? Maybe you need to start creating your own personal internet
8 August, 2013
The internet is neither neutral nor private, in case you were in any doubt. The US National Security Agency can reportedly collect nearly everything a user does on the net, while internet service providers (ISPs) move traffic according to business agreements, rather than what is best for their customers. So some people have decided to take matters into their own hands, and are building their own net from scratch.
Across the US, from Maryland to Seattle, work is underway to construct user-owned wireless networks that will permit secure communication without surveillance or any centralised organisation. They are known as meshnets and ultimately, if their designers get their way, they will span the country.
Dan Ryan is one of the leaders of the Seattle Meshnet project, where sparse coverage already exists thanks to radio links set up by fellow hackers. Those links mean that instead of communicating through commercial internet connections, meshnetters can talk to each other through a channel that they themselves control.
Each node in the mesh, consisting of a radio transceiver and a computer, relays messages from other parts of the network. If the data can't be passed by one route, the meshnet finds an alternative way through to its destination. Ryan says the plan is for the Seattle meshnet to extend its coverage by linking up two wireless nodes across Lake Union in downtown Seattle. And over the country at the University of Maryland, Baltimore County, student Alexander Bauer is hoping to build a campus meshnet later this year. That will give his fellow students an alternative communications infrastructure to the internet.
While these projects are just getting off the ground, a mesh network in Catalonia, Spain, is going from strength to strength. Guifi was started in the early 2000s by Ramon Roca, an Oracle employee who wanted broadband at his rural home. The local network now has more than 21,000 wireless nodes, spanning much of Catalonia. As well as allowing users to communicate with each other, Guifi also hosts web servers, videoconferencing services and internet radio broadcasts, all of which would work if the internet went down for the rest of the country.
So successful is the community model that Guifi is now building physical fibre-optic links to places like hospitals and town halls where it can help carry the heaviest traffic.
Earlier this month, the General Hospital in the Catalan town of Gurb was wired up to Guifi with a fibre-optic link, and cable is being rolled out into the nearby town of Calldetenes too.
In the US, people can generally already get online with relative ease, so meshnets there are less about facilitating access and more about security, privacy and net neutrality – the idea that ISPs should treat all traffic equally, and not charge more for certain types.
After the extent of the NSA's clandestine PRISM program was revealed, privacy advocates like the Electronic Frontier Foundation urged users to start using relatively simple email encryption programs like Pretty Good Privacy and GNU Privacy Guard. But even those can be daunting to set up. A better idea would be a decentralised network that relies on encryption by default.
This is the case with Hyperboria, the virtual layer that underpins meshnet efforts in the US. Hyperboria is a virtual meshnet because it runs through the existing internet, but is purely peer-to-peer. This means people who use it exchange information with others directly over a completely encrypted connection, with nothing readable by any centralised servers.
When physical meshnet nodes like those in Maryland and Seattle are set up, existing Hyperboria connections can simply be routed through them. At the moment, Hyperboria offers a blogging platform, email services, and even forums similar to reddit.
Encryption is the starting point. Computer researcher Caleb James DeLisle wrote software called cjdns which allows the Seattle Meshnet nodes to use Hyperboria and keep all communications between them encrypted. Instead of letting other computers connect to you through a shared IP address which anyone can use, cjdns only lets computers talk to one another after they have verified each other cryptographically. That means there is no way anyone can be intercepting your traffic.
The Seattle Meshnet has just completed a successful crowdfunding campaign for meshboxes – routers that come preloaded with the cjdns software needed to join Hyperboria. Users will just plug the routers into their existing internet connection and be ready to go on the virtual meshnet – or a local physical meshnet when one becomes available.
Some form of encryption is already in use across much of the internet, but to be useful it has to be ubiquitous. Web services like Gmail, for example, let you log in using an encrypted connection. But when you send an email it leaves Google's encrypted garden and hits the open web in clear text for anyone to read. With Hyperboria's peer-to-peer connections, every single link in the chain of communication is fully encrypted. Intermediaries that handle traffic cannot even see what kind of traffic it is, let alone read any email. Use the purpose-built hyperboria.name email service, and your communication becomes untraceable.
Instead of a few established players building network infrastructure, DeLisle wants anyone to be able to do it. For him, decentralised internet access in the hands of the people is just a start. The services they use must be decentralised, too. "If people continue to use Facebook, they will continue to be spied on, that's just the reality of the world."
This article appeared in print under the headline "Let's start the net again"
Into the darknet
Visions of a decentralised internet come with a seedier side – the darknet. One way to access it is through the anonymising routing service Tor, which lets a user find hidden web pages that have .onion addresses, rather than IP addresses. But anonymisation like this can facilitate otherwise unacceptable activities. The illegal drug market Silk Road can only be accessed using its .onion address. But Alexander Bauer, who works on a meshnet in Maryland, thinks meshnets are less likely to carry this content. Any website that can successfully run on a meshnet must be socially acceptable to every peer it connects with, making it less attractive for child pornographers or websites like Silk Road.
"That's why we don't think the network will be taken over by child porn. You have to have someone accept what's on your node in order for them to pass your traffic around," he says.