Lavabit shut down due to U.S. government
From the source:
>I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
If the service is in the U.S. or has some ties to it consider it wiretapped. I'd be careful of Riseup as well.
Earlier today, the site claimed that they were performing maintainance, too bad, because now I'll have to get a new email address.
Yup, same here.
I'm guessing that the govt. wanted him to turn over the emails of his clients, and he refused.
Riseup is based in Seattle, so I wouldn't be surprised if they get shut down, too.
I was wondering why Thunderbird wouldn't connect to my inbox. Well, that sucks. I'll need to find a new email provider now.
If you need a new provider take a look at this link http://libreplanet.org/wiki/Group:Free_Software_Webmail_Systems. I checked out OpenMailBox, but unless I misunderstood it is run by the government. It runs out of France, but it still made me cringe. Please post any other providers you guys know!
This makes me angry, and I don't know where to find an alternate email account.
I use Rise.up as my primary email account and most of my email comes via a User list run from Riseup.
Not had any perceivable problems today.
Have never been able to get my XMPP riseup account working on Pidgen, though that is probably down to my inexperience and lack of technical knowledge.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Ok people,
I've said it before and I'll say it again - you CAN'T TRUST any external provider with your sensitive emails.
The ONLY way to control what's going on is to run your own email server. It's not as hard as you think - you just have to have a machine that you can leave on 24/7, and preferably a static IP address. A Raspberry Pi or similar will do just fine.
I'm happy to provide help to anyone who wants to go down this route - I myself use a Debian GNU/Linux 7.0 system for my server, as I already used this as a NAS, but anything capable of running a free system should work. You can use Trisquel if you don't like Debian.
Also, use GPG whenever possible.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAlIEDmMACgkQgijxUCZnvlskWgD9FjPoAGUvM5LYdN+0Y+Nxg17I
wW7a/GEl3gmIZp2bkcIBAJogVwhUPhYqZguDIXKKlc0c+dTOWobOQhvdKAsiL83I
=V4zL
-----END PGP SIGNATURE-----
What software is used for a mail server?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
I use Postfix for SMTP and Dovecot for IMAP. Dovecot can also handle POP3 if you prefer that.
Both are in the Trisquel repos. If you need Webmail, there are packages for that, too, though I personally prefer to access my mail via IMAP.
If you need any help with the configuration, just ask - happy to help!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAlIEFVgACgkQgijxUCZnvlv/xgEAlXv7aHap+SmOXEDeYkQYe22B
RsTy4WzCNJ1Z//7QBw0A/2vuJuFvT0PvUbJdHHXJRQ/gbJQIUStUhGnluuHSQwVY
=DdmU
-----END PGP SIGNATURE-----
Have any of you used Roundcube with your personal mail servers? I haven't touched it in years and they seem to have a GPL dependent version available to download: http://roundcube.net/download
Which would be easiest for beginners to learn, that also keeps a local copy of the email on the client?
Roundcube is IMAP which means it loads from the server each time unless you delete it.
I have been thinking, most people have a smartphone these days. That means a device that is connected to the internet 24/7, with a SD card inside.
How about we run a mail server in there??
I actually think it could be a good idea. I don't know about you guys, but I don't usually get that much email that would be necessary a lot of bandwidth or storage.
lloydsmart, could you maybe provide some ideas for this? You seem to know more about this than anyone else here, we would certainly appreciate =)
What Internet connection does the smartphone use? Mobile providers
might not give public IP addresses or prevent running a mail servers in
other ways. Sending might be blocked too (not all is: my server logs
connection attempts from mobile ISP users), servers might blacklist all
"consumer" IPs to reduce spam (Google and other big providers do this).
If you run GNU/Linux on your phone and have root access (e.g. a chroot
on an Android-compatible phone), it should be possible to run the mail
server.
Many phones have modems with access to all RAM and nearly all phones
have nonfree drivers running on the application CPU, they could read the
mails or keys from memory.
Hello Lloydsmart,
you do a great favor to many of us if you write a little tutorial or post a tutorial which you can recommend.
The raspberry pi is down in the office and I would love to set up an own mail server if there remain enough resources for a simple cloud service.
I heard many bad things about running an own mailserver, and I'm really worried about opening ports;
But I know you're right; an own mailserver is the only solution.
In addition to setting up your own mail server there is always the question of whether your emails is being intercepted. The best solution is to encrpyt everything but usually no possible with all my contacts. Aside from these options MyKolab was suggested on www.prism-break.org and looks pretty good. The servers are in Switzerland and you have to pay for an account. Plans start at about 2 GB and run about 10 USD. https://www.mykolab.com/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
While there's no specific reason to suspect that MyKolab would betray your data if asked, recent events have shown that you really cannot trust any external party with your cleartext emails.
So yes, encrypt whenever possible, and encourage others to do the same. This is vital. But even if you PGP everything, your email provider still sees WHO you're talking to, even if they can't read the content. That's why it's essential to run your own server for actual privacy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAlIEFe4ACgkQgijxUCZnvlvZ6AD/fdqUHfvf/en9GZG/NYSI+XJ2
Qe1qyEssv+aqoC1Ajn0A/R+SlNj9ctlwiVJXE8eskBJ87fu/KsQ3TS1zY5mSj6NO
=kFaF
-----END PGP SIGNATURE-----
Just wondering, wouldn't Big Brother still know who one is talking even if each user runs his or her own e-mail server? I mean, the ISP that's connecting the machine to the Internet is probably already part of PRISM so does that not mean there's no way out?
I think there is an easier way: most of your friends probably use Google
servers for their mail, there is no need for the NSA to get packets from
your ISP to have these mails.
GPG keeps the text of your mails (i.e. usually some MIME parts) secret,
not the headers: the server knows the sender and receiver of the mail.
It's enough to learn the social network of the user, it does provide
some information about you. (See e.g. the MIT gaydar study, it had
similar data from Facebook users.)
If you trust the servers, TLS (technically, SMTP with STARTTLS) prevents
the ISPs from learning the text or headers of the mail, they know only
who sends to what server. It doesn't seem safe if the server usually
has only one user. It's not secure: TLS isn't enabled for many mail
servers and there is usually no verification of certificates: an ISP/NSA
can make a man-in-the-middle attack to get the mail. (Details:
http://www.postfix.org/TLS_README.html#client_tls_limits.)
Dear Lloyd, You would help a lot if you could could write a tutorial in the Trisquel wiki on how to make your own email server.
If you can't (understandable), please, share a link where they teach how to make it.
Thank you
This is unfortunate. Mailoo is base in France http://www.mailoo.org Can this be a good alternative.
I use https://www.openmailbox.org/ because it uses only free software. Well, is hosted on France, but you can use Thunderbird and Enigmail to encrypt your mails :) .
Trisquel comes with an utility to create a public/private key pair.
Thanks for the suggestion. From what little we can read in their website, it seems to be a good company, similar maybe to Lavabit. But these days, one can never be too confident in email providers...
Anyway, I might choose to use them for the time being.
Do take note of part 2 of their Terms of Service. Link here: https://www.openmailbox.org/cgu.php. It states: "Les services sont proposés en l'état et sous réserve de disponibilité." Now, hopefully there's someone on here that's actually fluent in French and can verify but I think that roughly translates to: "The services are provided by the state and free of warranty."
Your translation is wrong. A better translation would be:
The services are proposed as is and availability is not warranted
There is nothing wrong with this clause. I am less sure about what comes before:
The user will not use our services to send messages that are undesirable or to people who did not explicitly give their consent. She will not send either messages breaking the law. Consequently, no illegal, insulting, fraudulent, obscene, racist, xenophobic message.
Okay, thanks for the correction. I was fairly certain it was wrong when I first read it so I put it through Google Translate and it came back out with what I wrote basically.
Edit: Why would the part you mention be a problem?
Well, I tend to think nothing should limit the freedom of speech. That said:
- Mails mainly support one-to-one communications and not public speech (just to be clear: I believe mail-based harassment should be punished);
- I guess the laws that punish some speeches would apply whether the terms of service would specify it or not.
Ninthfloor were kind enough to give me an account over there (perhaps in
exchange for a small Bitcoin donation, which I promised on account request).
Their website:
http://ninthfloor.org/
It's hosted in Italy.
Andrew.
The Guardian has an article about the Lavabit shutdown:
http://www.theguardian.com/technology/2013/aug/08/lavabit-email-shut-down-edward-snowden
I found this out today, too. I was wondering why my email wouldn't send since Tuesday, and when I realized I hadn't received any in a long time, too, I checked [lavabit.com].
I'll probably just find another email provider, but at this point it feels like were all being herded toward companies that cooperate with the government.
But, I'm interested in running my own services, and email might be the first/most important one. I have an old computer I could dust off and plug in for always-on service. My question -- and I'll ask for everyone else, too -- [b]are there any Internet Service Providers that allow you to run your own server?[/b]
I've heard that many provider policies prohibit running your own webserver, and they routinely search for and block ports for people who try to run their own email server. Services in my area include COX, AT&T, and some setellite dish network.
If you get the Business class you can run your own server. I've heard that some (don't really know about those, but a quick search should answer that) flat out block standard e-mail ports for regular consumers (presumably to stop junk mail).
I had never, ever thought of looking at Business class. No idea why! Thanks for the advice: it looks more expensive but could be worth it.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Most "consumer" ISPs don't allow you to run your own servers at home, but remember that you don't need a web server to have an email server. They're two different applications - HTTP and SMTP. Webmail uses both, but that's different.
I use a "consumer" ISP but have been running my own email server for years now. I think basically so long as you're not providing services for others, they won't care too much. YMMV.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAlIGMHcACgkQgijxUCZnvluxxgEAxl1I/CZS8ao7aB4quALn8TAy
khbRSJTcZuTFGY8lcQkBAL9wHGjzpngBtvHqYaaiIII01FqU4HrHQT8Kf9oAJHym
=8b5j
-----END PGP SIGNATURE-----
That's very good news. If I had to get business ISP service, it would be a long while before I made the switch. If it's relatively okay to run an email server on consumer, perhaps I'll actually try it soon. It would be quite beneficial!
I cannot understand why any democratic, peace and freedom-loving people would host anything in that country at all.
Here is another one going down:
One of the saddest days for the freedom of people =(
Lavabit has been an important part of freedom for many people, as they always provided a good service, in a multitude of ways, and had some of the best prices anyone could ask for.
They had a great website, you could use it without cookies and JS...
well, I am happy that they showed us again that our trust was in good hands. They actually refused to collaborate with the NSA and they are going to fight them in court. That's some good in it I guess.
So... what next?
I know running my own webmail server would be the best, but I cannot at the moment, so, what good european email services we have?
Hats off for them for doing the right thing!
Now let's see if google, apple, microsoft and facebook do the right thing and close shop as well.
> Now let's see if google, apple, microsoft and facebook do the right thing and close shop as well.
I wouldn't hold my breath lembas ;)
This is an inconvenience for me, but kudos to them for doing the right thing. It's terrible that they had to choose between two evils (shut down the service or give information to the government).
The worst part is that the government is able to do this in secret. Secret court orders are the kind of thing you expect in a totalitarian government, not in a free society.
They should have at least let users download any emails to their clients. (Perhaps they were legally restrained from doing so?) I'm glad I set the account up using POP instead of IMAP.
From what I've read my understanding is that this is precisely what he was trying to prevent. If users logged in, and the servers were already bugged it would have compromised their data. If the users didn't log in, the mailbox should be encrypted, so it should take Big Brother longer to get to the data. This would explain why the initial response was to disable the servers (the day before the shutdown, the servers were down but the rest of the page was working).
I was using IMAP with Lavabit, mistakenly thinking that it downloaded copies of each message I read, but also left them on the server. Seems I was wrong, since I have only headers and no message bodies.
What are the advantages of using POP? I've heard it's a terrible relic from some people, but I wan't my mail downloaded AND available on the server.
On 22/08/13 16:45, virx61 wrote:
> I was using IMAP with Lavabit, mistakenly thinking that it downloaded
> copies of each message I read, but also left them on the server.
> Seems I was wrong, since I have only headers and no message bodies.
Depends on your email program. With Thunderbird you can occasionally do
File > Offline > Download/Sync Now and it will download all of the
messages. Alternatively, you could have moved your emails to "Local
Folders" to take it off IMAP.
> What are the advantages of using POP? I've heard it's a terrible
> relic from some people, but I wan't my mail downloaded AND available
> on the server.
It's good for most simple setups, e.g. single user, single device. More
complicated for multiple people or multiple devices. Many mail clients
have a "keep on server" feature which can be useful if you have multiple
devices. POP is probably better for privacy, as your email client should
only talk to the POP server when you tell it to, rather than every time
you read a message. And most email clients allow you to delete messages
off the server when the email is downloaded (although some servers, like
Outlook.com keep all email even when it is "deleted" over POP3 and then
make it available in the "Recover email" feature on their webmail).
Andrew.
Riseup.net may be a good email service, but if I must agree with them politically, then I can't join. They say they are anti-capitalism, but I'm not exactly sure what that means[0].
[0] http://xrl.us/bpnaxz (Link to distributedrepublic.net)
The URL shortening service Metamark is partially shutting down,
> Please note: Adding new links will be disabled around August 15th. More than a decade of this has been enough and there are plenty good services of this kind around now (and honestly much less need, email-, irc- and what have you clients all support long URLs just fine now). The existing short links will continue to work, most likely at least for several years -- maybe for another decade...
so I am posting the full link here.
http://www.distributedrepublic.net/archives/2006/03/14/capitalism-corporatism-mercantilism
related
http://silentcircle.wordpress.com/2013/08/09/to-our-customers/
Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sorry for my late reply.
A few commenters here have asked me to write a tutorial on setting up your own mailserver. I'm happy to do this, and will get to work on it asap, and post it on the Trisquel wiki when complete.
However, it will take some time to write, due to work and family commitments. I'll post here again when it's done and uploaded.
In the mean time, duckduckgo is your friend. Search terms - postfix, dovecot, smtp, imap, pop3, dns, tls, gpg, firewall, email.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iF4EAREIAAYFAlIGKqgACgkQgijxUCZnvls3iwEAhV2cjOLdW8PNoHfnU9nmWyAg
d1U9yjxfVfdCOhVWKAAA/3LjEdR5qMoX3jDiDUGYgnjV9so1wvRzNmEzMxiBON3M
=rDNh
-----END PGP SIGNATURE-----
That would be nice of you!
I actually made that search you mentioned, but I am unsure if all the programs required are free.
Also: could you please think about my earlier suggestion? Using smartphone as email server? It's the only machine I have right now that is connected 24/7 to the internet =S
Thanks in advance ;)