It doesn't sound to me like the author is as technically inept as you're making it sound here. Perhaps a little ignorant of some legal details of the court orders, but someone who has done a bit more than "toyed around" with SMTP. In fact, obviously so -- making your assertions about his intelligence appear more ideologically motivated than reasonable.
The system design for VFEmail is apparently available here: https://www.vfemail.net/design.php
It appears to have occurred to him to think about how to build custom email systems with SMTP support.
The privacy FAQ for VFEmail is here: https://www.vfemail.net/privacyandsecurity.php
It's not true that he claims on the blog that VFEmail is a secure service in the same sense that Lavabit claimed to be, and his FAQ answers for people concerned about privacy are essentially:
1) Use their web interface to PGP. He's transparent about the fact that with this option your encrypted email could be read, if your password were intercepted.
2) Better yet use client side PGP.
> ...using the Webmail interface for PGP stores your private key on the server, and requires you to send your key password to VFEmail. That subjects your encryption key to interception by a third party.
> ... Most importantly - Use PGP with your own email client. You should store your key on your device(s), under your control. Again, illegal access by a 3rd party could compromise your key, so be very careful of what you open and where you surf.
Lavabit marketed a claim to be so secure that even their administrators couldn't read your email. This was untrue, and curious in juxtaposition to the spam/content filtering features it had. VFEmail is pretty upfront -- unless you're encrypting everything client side, someone can read it.
So basically if one reads beyond the first few paragraphs, or visits the email service that he "claims" to own, it's clear that all these "he's a moron, has only toyed around with email, doesn't understand Lavabit's encryption, etc." claims being made are simply character assassination.
Furthermore, the FBI didn't "call" or "ask for" the pen register or SSL keys. They subpoenaed Lavabit and served them with a search warrant for a criminal case. One which they eventually complied with.[1]
[1] http://archive.is/Tdneo: "Since the SSL certificates formerly used to protect access to Lavabit have been compromised..."