Lavabit shut down due to U.S. government

62 replies [Last post]
BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

https://lavabit.com/

From the source:

>I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

If the service is in the U.S. or has some ties to it, consider it wiretapped. I'd be careful of Riseup as well.

ssdclickofdeath
Offline
Joined: 05/18/2013

Earlier today, the site claimed that they were performing maintenance. Too bad, because now I'll have to get a new email address.

BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

Yup, same here.

ssdclickofdeath
Offline
Joined: 05/18/2013

I'm guessing that the govt. wanted him to turn over the emails of his clients, and he refused.

ssdclickofdeath
Offline
Joined: 05/18/2013

Riseup is based in Seattle, so I wouldn't be surprised if they get shut down, too.

akirashinigami

I am a member!

I am a translator!

Offline
Joined: 02/25/2010

I was wondering why Thunderbird wouldn't connect to my inbox. Well, that sucks. I'll need to find a new email provider now.

BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

If you need a new provider take a look at this link http://libreplanet.org/wiki/Group:Free_Software_Webmail_Systems. I checked out OpenMailBox, but unless I misunderstood it is run by the government. It runs out of France, but it still made me cringe. Please post any other providers you guys know!

Christianity
Offline
Joined: 10/09/2012

This makes me angry, and I don't know where to find an alternate email account.

lynton
Offline
Joined: 12/17/2012

I use Riseup as my primary email account and most of my email comes via a User list run from Riseup.

Not had any perceivable problems today.

Have never been able to get my XMPP riseup account working on Pidgin, though that is probably down to my inexperience and lack of technical knowledge.

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ok people,

I've said it before and I'll say it again - you CAN'T TRUST any external provider with your sensitive emails.

The ONLY way to control what's going on is to run your own email server. It's not as hard as you think - you just have to have a machine that you can leave on 24/7, and preferably a static IP address. A Raspberry Pi or similar will do just fine.

I'm happy to provide help to anyone who wants to go down this route - I myself use a Debian GNU/Linux 7.0 system for my server, as I already used this as a NAS, but anything capable of running a free system should work. You can use Trisquel if you don't like Debian.

Also, use GPG whenever possible.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlIEDmMACgkQgijxUCZnvlskWgD9FjPoAGUvM5LYdN+0Y+Nxg17I
wW7a/GEl3gmIZp2bkcIBAJogVwhUPhYqZguDIXKKlc0c+dTOWobOQhvdKAsiL83I
=V4zL
-----END PGP SIGNATURE-----

ssdclickofdeath
Offline
Joined: 05/18/2013

What software is used for a mail server?

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I use Postfix for SMTP and Dovecot for IMAP. Dovecot can also handle POP3 if you prefer that.

Both are in the Trisquel repos. If you need Webmail, there are packages for that, too, though I personally prefer to access my mail via IMAP.

If you need any help with the configuration, just ask - happy to help!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlIEFVgACgkQgijxUCZnvlv/xgEAlXv7aHap+SmOXEDeYkQYe22B
RsTy4WzCNJ1Z//7QBw0A/2vuJuFvT0PvUbJdHHXJRQ/gbJQIUStUhGnluuHSQwVY
=DdmU
-----END PGP SIGNATURE-----

t3g
Offline
Joined: 05/15/2011

Have any of you used Roundcube with your personal mail servers? I haven't touched it in years and they seem to have a GPL dependent version available to download: http://roundcube.net/download

ssdclickofdeath
Offline
Joined: 05/18/2013

Which would be easiest for beginners to learn, that also keeps a local copy of the email on the client?

t3g
Offline
Joined: 05/15/2011

Roundcube is IMAP which means it loads from the server each time unless you delete it.

GNUser
Offline
Joined: 07/17/2013

I have been thinking: most people have a smartphone these days. That means a device that is connected to the internet 24/7, with an SD card inside.
How about we run a mail server in there??
I actually think it could be a good idea. I don't know about you guys, but I don't usually get so much email that a lot of bandwidth or storage would be necessary.

lloydsmart, could you maybe provide some ideas for this? You seem to know more about this than anyone else here, we would certainly appreciate it =)

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

What Internet connection does the smartphone use? Mobile providers
might not give public IP addresses or prevent running a mail server in
other ways. Sending might be blocked too (not all is: my server logs
connection attempts from mobile ISP users), servers might blacklist all
"consumer" IPs to reduce spam (Google and other big providers do this).

If you run GNU/Linux on your phone and have root access (e.g. a chroot
on an Android-compatible phone), it should be possible to run the mail
server.

Many phones have modems with access to all RAM and nearly all phones
have nonfree drivers running on the application CPU, they could read the
mails or keys from memory.

quantumgravity
Offline
Joined: 04/22/2013

Hello Lloydsmart,
you would do a great favor to many of us if you wrote a little tutorial or posted a tutorial which you can recommend.
The Raspberry Pi is down in the office and I would love to set up my own mail server if there remain enough resources for a simple cloud service.
I heard many bad things about running one's own mailserver, and I'm really worried about opening ports.

But I know you're right; one's own mailserver is the only solution.

ngawang
Offline
Joined: 08/05/2013

In addition to setting up your own mail server there is always the question of whether your emails are being intercepted. The best solution is to encrypt everything, but that is usually not possible with all my contacts. Aside from these options, MyKolab was suggested on www.prism-break.org and looks pretty good. The servers are in Switzerland and you have to pay for an account. Plans start at about 2 GB and run about 10 USD. https://www.mykolab.com/

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

While there's no specific reason to suspect that MyKolab would betray your data if asked, recent events have shown that you really cannot trust any external party with your cleartext emails.

So yes, encrypt whenever possible, and encourage others to do the same. This is vital. But even if you PGP everything, your email provider still sees WHO you're talking to, even if they can't read the content. That's why it's essential to run your own server for actual privacy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlIEFe4ACgkQgijxUCZnvlvZ6AD/fdqUHfvf/en9GZG/NYSI+XJ2
Qe1qyEssv+aqoC1Ajn0A/R+SlNj9ctlwiVJXE8eskBJ87fu/KsQ3TS1zY5mSj6NO
=kFaF
-----END PGP SIGNATURE-----

BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

Just wondering, wouldn't Big Brother still know who one is talking to even if each user runs his or her own e-mail server? I mean, the ISP that's connecting the machine to the Internet is probably already part of PRISM so does that not mean there's no way out?

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

I think there is an easier way: most of your friends probably use Google
servers for their mail, there is no need for the NSA to get packets from
your ISP to have these mails.

GPG keeps the text of your mails (i.e. usually some MIME parts) secret,
not the headers: the server knows the sender and receiver of the mail.
It's enough to learn the social network of the user, it does provide
some information about you. (See e.g. the MIT gaydar study, it had
similar data from Facebook users.)

If you trust the servers, TLS (technically, SMTP with STARTTLS) prevents
the ISPs from learning the text or headers of the mail, they know only
who sends to what server. It doesn't seem safe if the server usually
has only one user. It's not secure: TLS isn't enabled for many mail
servers and there is usually no verification of certificates: an ISP/NSA
can make a man-in-the-middle attack to get the mail. (Details:
http://www.postfix.org/TLS_README.html#client_tls_limits.)
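
An added example, not part of the post above and not Postfix's own code: one way to see how much of a self-hosted server's outbound mail actually went over authenticated TLS is to classify the Postfix SMTP client log. The log lines below are constructed samples in the format Postfix writes with `smtp_tls_loglevel = 1`; the host names, addresses and function names are assumptions.

```python
import re

# Constructed sample log (not real traffic): three outbound deliveries.
SAMPLE_LOG = """\
Aug 10 09:00:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.friend.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 10 09:00:02 mail postfix/smtp[2101]: 4F1A2C0: to=<alice@friend.example>, relay=mx.friend.example[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 10 09:05:10 mail postfix/smtp[2102]: 9B3D7E1: to=<bob@oldhost.example>, relay=mail.oldhost.example[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 Ok)
Aug 10 09:07:30 mail postfix/smtp[2103]: Verified TLS connection established to mx.partner.example[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 10 09:07:31 mail postfix/smtp[2103]: A7C55F2: to=<carol@partner.example>, relay=mx.partner.example[203.0.113.5]:25, delay=1.0, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# "<level> TLS connection established to host[ip]:port: ..." (smtp client side)
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (\S+?): "
)
# "QUEUEID: to=<rcpt>, relay=host[ip]:port, ... status=sent"
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: [0-9A-F]+: to=<([^>]+)>, relay=([^,]+),.*status=sent"
)


def classify_deliveries(log_text):
    """Return (recipient, relay, level) for every delivered message.

    level is the TLS status Postfix logged for that process and relay, or
    "Cleartext" when no TLS line was seen before the delivery. Simplification:
    the last TLS status seen for a (pid, relay) pair is reused for later
    deliveries by the same process to the same relay.
    """
    tls_state = {}
    deliveries = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, level, relay = m.groups()
            tls_state[(pid, relay)] = level
            continue
        m = SENT_RE.search(line)
        if m:
            pid, rcpt, relay = m.groups()
            deliveries.append((rcpt, relay, tls_state.get((pid, relay), "Cleartext")))
    return deliveries


def unauthenticated(deliveries):
    """Deliveries where the peer was not verified: cleartext, or TLS to a
    server whose certificate was absent, untrusted, or not matched."""
    return [d for d in deliveries if d[2] != "Verified"]


if __name__ == "__main__":
    for rcpt, relay, level in classify_deliveries(SAMPLE_LOG):
        print(f"{level:10} {rcpt:28} via {relay}")
```

Only the "Verified" delivery had its peer authenticated; the other two are the opportunistic or cleartext cases the post describes, where encryption, if any, does not stop an active man-in-the-middle.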

a_slacker_here
Offline
Joined: 06/29/2013

Dear Lloyd, you would help a lot if you could write a tutorial in the Trisquel wiki on how to make your own email server.

If you can't (understandable), please, share a link where they teach how to make it.

Thank you

Lemuriano

I am a member!

Offline
Joined: 04/20/2012

This is unfortunate. Mailoo is based in France: http://www.mailoo.org. Can this be a good alternative?

andermetalsh
Offline
Joined: 01/04/2013

I use https://www.openmailbox.org/ because it uses only free software. Well, it is hosted in France, but you can use Thunderbird and Enigmail to encrypt your mails :) .

Trisquel comes with a utility to create a public/private key pair.

GNUser
Offline
Joined: 07/17/2013

Thanks for the suggestion. From what little we can read in their website, it seems to be a good company, similar maybe to Lavabit. But these days, one can never be too confident in email providers...
Anyway, I might choose to use them for the time being.

BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

Do take note of part 2 of their Terms of Service. Link here: https://www.openmailbox.org/cgu.php. It states: "Les services sont proposés en l'état et sous réserve de disponibilité." Now, hopefully there's someone on here that's actually fluent in French and can verify but I think that roughly translates to: "The services are provided by the state and free of warranty."

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Your translation is wrong. A better translation would be:
The services are proposed as is and availability is not warranted

There is nothing wrong with this clause. I am less sure about what comes before:
The user will not use our services to send messages that are undesirable or to people who did not explicitly give their consent. She will not send either messages breaking the law. Consequently, no illegal, insulting, fraudulent, obscene, racist, xenophobic message.

BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

Okay, thanks for the correction. I was fairly certain it was wrong when I first read it so I put it through Google Translate and it came back out with what I wrote basically.

Edit: Why would the part you mention be a problem?

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Well, I tend to think nothing should limit the freedom of speech. That said:

  • Mails mainly support one-to-one communications and not public speech (just to be clear: I believe mail-based harassment should be punished);
  • I guess the laws that punish some speeches would apply whether the terms of service would specify it or not.

andrew
Offline
Joined: 04/19/2012

Ninthfloor were kind enough to give me an account over there (perhaps in
exchange for a small Bitcoin donation, which I promised on account request).

Their website:
http://ninthfloor.org/

It's hosted in Italy.

Andrew.

oldfolio
Offline
Joined: 06/20/2013

EricxDu
Offline
Joined: 02/02/2013

I found this out today, too. I was wondering why my email wouldn't send since Tuesday, and when I realized I hadn't received any in a long time, too, I checked [lavabit.com].

I'll probably just find another email provider, but at this point it feels like we're all being herded toward companies that cooperate with the government.

But, I'm interested in running my own services, and email might be the first/most important one. I have an old computer I could dust off and plug in for always-on service. My question -- and I'll ask for everyone else, too -- are there any Internet Service Providers that allow you to run your own server?

I've heard that many provider policies prohibit running your own webserver, and they routinely search for and block ports for people who try to run their own email server. Services in my area include COX, AT&T, and some satellite dish network.

BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

If you get the Business class you can run your own server. I've heard that some (don't really know about those, but a quick search should answer that) flat out block standard e-mail ports for regular consumers (presumably to stop junk mail).

EricxDu
Offline
Joined: 02/02/2013

I had never, ever thought of looking at Business class. No idea why! Thanks for the advice: it looks more expensive but could be worth it.

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Most "consumer" ISPs don't allow you to run your own servers at home, but remember that you don't need a web server to have an email server. They're two different applications - HTTP and SMTP. Webmail uses both, but that's different.

I use a "consumer" ISP but have been running my own email server for years now. I think basically so long as you're not providing services for others, they won't care too much. YMMV.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlIGMHcACgkQgijxUCZnvluxxgEAxl1I/CZS8ao7aB4quALn8TAy
khbRSJTcZuTFGY8lcQkBAL9wHGjzpngBtvHqYaaiIII01FqU4HrHQT8Kf9oAJHym
=8b5j
-----END PGP SIGNATURE-----

EricxDu
Offline
Joined: 02/02/2013

That's very good news. If I had to get business ISP service, it would be a long while before I made the switch. If it's relatively okay to run an email server on consumer, perhaps I'll actually try it soon. It would be quite beneficial!

Liberty
Offline
Joined: 08/05/2013

I cannot understand why any democratic, peace and freedom-loving people would host anything in that country at all.

Here is another one going down:

http://arstechnica.com/tech-policy/2013/08/in-wake-of-lavabit-shutdown-another-secure-e-mail-service-goes-offline/

GNUser
Offline
Joined: 07/17/2013

One of the saddest days for the freedom of people =(
Lavabit has been an important part of freedom for many people, as they always provided a good service, in a multitude of ways, and had some of the best prices anyone could ask for.
They had a great website, you could use it without cookies and JS...

well, I am happy that they showed us again that our trust was in good hands. They actually refused to collaborate with the NSA and they are going to fight them in court. That's some good in it I guess.

So... what next?
I know running my own webmail server would be the best, but I cannot at the moment, so, what good European email services do we have?

lembas
Offline
Joined: 05/13/2010

Hats off to them for doing the right thing!

Now let's see if google, apple, microsoft and facebook do the right thing and close shop as well.

GNUser
Offline
Joined: 07/17/2013

> Now let's see if google, apple, microsoft and facebook do the right thing and close shop as well.

I wouldn't hold my breath lembas ;)

onpon4
Offline
Joined: 05/30/2012

This is an inconvenience for me, but kudos to them for doing the right thing. It's terrible that they had to choose between two evils (shut down the service or give information to the government).

The worst part is that the government is able to do this in secret. Secret court orders are the kind of thing you expect in a totalitarian government, not in a free society.

ssdclickofdeath
Offline
Joined: 05/18/2013

They should have at least let users download any emails to their clients. (Perhaps they were legally restrained from doing so?) I'm glad I set the account up using POP instead of IMAP.

BlinkingArrow

I am a member!

Offline
Joined: 12/27/2011

From what I've read my understanding is that this is precisely what he was trying to prevent. If users logged in, and the servers were already bugged it would have compromised their data. If the users didn't log in, the mailbox should be encrypted, so it should take Big Brother longer to get to the data. This would explain why the initial response was to disable the servers (the day before the shutdown, the servers were down but the rest of the page was working).

EricxDu
Offline
Joined: 02/02/2013

I was using IMAP with Lavabit, mistakenly thinking that it downloaded copies of each message I read, but also left them on the server. Seems I was wrong, since I have only headers and no message bodies.

What are the advantages of using POP? I've heard it's a terrible relic from some people, but I want my mail downloaded AND available on the server.

andrew
Offline
Joined: 04/19/2012

On 22/08/13 16:45, virx61 wrote:
> I was using IMAP with Lavabit, mistakenly thinking that it downloaded
> copies of each message I read, but also left them on the server.
> Seems I was wrong, since I have only headers and no message bodies.

Depends on your email program. With Thunderbird you can occasionally do
File > Offline > Download/Sync Now and it will download all of the
messages. Alternatively, you could have moved your emails to "Local
Folders" to take it off IMAP.

> What are the advantages of using POP? I've heard it's a terrible
> relic from some people, but I want my mail downloaded AND available
> on the server.

It's good for most simple setups, e.g. single user, single device. More
complicated for multiple people or multiple devices. Many mail clients
have a "keep on server" feature which can be useful if you have multiple
devices. POP is probably better for privacy, as your email client should
only talk to the POP server when you tell it to, rather than every time
you read a message. And most email clients allow you to delete messages
off the server when the email is downloaded (although some servers, like
Outlook.com keep all email even when it is "deleted" over POP3 and then
make it available in the "Recover email" feature on their webmail).

Andrew.

ssdclickofdeath
Offline
Joined: 05/18/2013

Riseup.net may be a good email service, but if I must agree with them politically, then I can't join. They say they are anti-capitalism, but I'm not exactly sure what that means[0].

[0] http://xrl.us/bpnaxz (Link to distributedrepublic.net)

ssdclickofdeath
Offline
Joined: 05/18/2013

The URL shortening service Metamark is partially shutting down,

> Please note: Adding new links will be disabled around August 15th. More than a decade of this has been enough and there are plenty good services of this kind around now (and honestly much less need, email-, irc- and what have you clients all support long URLs just fine now). The existing short links will continue to work, most likely at least for several years -- maybe for another decade...

so I am posting the full link here.

http://www.distributedrepublic.net/archives/2006/03/14/capitalism-corporatism-mercantilism

4815162342
Offline
Joined: 08/10/2013

related

http://silentcircle.wordpress.com/2013/08/09/to-our-customers/

> Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Sorry for my late reply.

A few commenters here have asked me to write a tutorial on setting up your own mailserver. I'm happy to do this, and will get to work on it asap, and post it on the Trisquel wiki when complete.

However, it will take some time to write, due to work and family commitments. I'll post here again when it's done and uploaded.

In the mean time, duckduckgo is your friend. Search terms - postfix, dovecot, smtp, imap, pop3, dns, tls, gpg, firewall, email.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAlIGKqgACgkQgijxUCZnvls3iwEAhV2cjOLdW8PNoHfnU9nmWyAg
d1U9yjxfVfdCOhVWKAAA/3LjEdR5qMoX3jDiDUGYgnjV9so1wvRzNmEzMxiBON3M
=rDNh
-----END PGP SIGNATURE-----

GNUser
Offline
Joined: 07/17/2013

That would be nice of you!
I actually made that search you mentioned, but I am unsure if all the programs required are free.

Also: could you please think about my earlier suggestion? Using smartphone as email server? It's the only machine I have right now that is connected 24/7 to the internet =S

Thanks in advance ;)