CryptoSeal VPN Goes Dark: More Dots To Connect

At Techdirt, Mike Masnick brings the sad news that CryptoSeal, another “secure” service, has shut its virtual doors.

CryptoSeal Privacy Consumer VPN service terminated with immediate effect

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

While details remain unclear, and possibly will never be made clear on purpose, they attribute the closure to the nexus between what United States law demands and what they promise their customers.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product. 

And they point directly to Lavabit. That didn’t take long.  The dots are growing, the dominoes falling, and all the rhetorical bravado in the world didn’t save CryptoSeal.  Some may argue that they’re just a bunch of cowards, not tough enough to outgun the United States government. Some may argue that they lacked the technological savvy to make it impossible for the government to beat them at their game (and let’s not go down that path again, please. It leads nowhere).

The arguments for creating privacy systems that are impenetrable by the government have obvious appeal. From the CryptoSeal statement, it appears they favor off-shoring privacy, at least for now:

To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating. 

Will that beat the system? In another post by Masnick, he writes about an identity theft ring

run out of Vietnam by a guy named Hieu Minh Ngo. Ngo was just arrested, after a grand jury indictment, and the feds luring him out of Vietnam to Guam over a supposed business deal.

Wait! How does the US get jurisdiction over some guy in Vietnam? That’s wrong! That’s against the rules! They’re cheating!  Welcome to the ugly side of the rules, which is that the government makes them.

“But the guy was stupid enough to go to Guam…”

Next, meet our old friend, extraordinary rendition.  That’s where they just snatch someone in the middle of the night and whisk them off to wherever they want. Maybe it’s the United States to stand trial. Maybe it’s a black ops prison in some desert to engage in enhanced interrogation techniques. Maybe it’s nowhere you will ever be found again.

If the government wants you badly enough, they will find a way to get you.  Remember this scene:

Guess who’s the guy with the scimitar?

It’s not that all hope is lost. The government can be overreaching, but only to the extent it reflects the will of the people to tolerate it, and the state of the law that permits it.  This is why the fight must be made before the law is lost to neglect and privacy dead in the age of whatever War we’re fighting today.

There are two points that need desperately to be made, and CryptoSeal does its part to make the points by closing down rather than operating a lie.  First, that there will be no privacy left once we’ve either given it away or allowed the government to take it from us. Second, that it’s not just the dreaded terrorists that are affected, but everyone.

The vehement arguments by hackers don’t resonate with moms in Peoria.  Not only don’t they care about you, but they are threatened by the crazy stuff they hear about Anonymous and Wikileaks. Whether it’s true or wholesale fiction isn’t important. They believe it to be true, and they don’t find hacker culture particularly alluring or persuasive.

You may not care much about how they feel, but there are a lot of them and relatively few of you. They go to League of Women Voters meetings and you go to comicon. Their influence dwarfs yours. Hard as it may be to imagine, you aren’t the center of the universe.

There are parallels here to what happened to asset forfeiture law in its earliest days, when it was only applied to crack dealers and, well, nobody gave a damn. So the law that developed was a nightmare, and is now being applied to non-drug dealers.  Suddenly, everyone is up in arms and wants to know how it happened, how it’s possible that such horrible law can be precedent.

It’s happening again with privacy. Connect the dots. Would you rather stay up all night writing about how somebody is wrong on the internet, or would you rather try to stop the end of privacy before it’s too late?



20 thoughts on “CryptoSeal VPN Goes Dark: More Dots To Connect”

  1. Ultraviolet admin

    The scary thing is encouraging off shoring makes things worse unless your crypto method is completely foolproof. The NSA isn’t supposed to operate on domestic companies like CryptoSeal, as the FBI and pen register laws are supposed to be enough. However, an offshore VPN is allowed a full court press by the NSA without pesky concerns like the law.

    I’m thinking they figured out they had a similar flaw like Lavabit, no way to allow the feds to conduct the equivalent of a wiretap without giving the keys to everything.

    1. SHG Post author

      I think that’s correct, they are facing a Lavabit-type problem and are being up front about the fact that they can’t meet their promises.

    2. Jack

      The thing is, contrary to what every news story is saying, if Lavabit wanted to, they could have easily complied with court orders to allow the government access to a single person’s data without compromising the entire system.

      For example, with LavaBit, even though everything is encrypted via a key not stored by Lavabit (they know the key’s hash for authentication) and transmitted over SSL, there are still unique user ids and the server sees the un-hashed key before authentication. If they wanted to tap Snowden, all they needed to do was add the logic to the authentication code to store the un-hashed password when his specific ID (e-mail address) was used. They could have given the FBI unrestricted instant access to his account without handing over the SSL key. Servers behind SSL don’t see data any differently than non-SSL servers – they still had access to his plain-text password. SSL simply encrypts the communication channel between the user and server.

      The service endpoint always has access (at least some) to the plain data. It simply couldn’t function otherwise. Of course privacy comes in because they don’t store the information needed to decrypt (be it the key or the initialization vector), but they have access to it. Adding in the ability to store that information for a specific user id, IP address, e-mail address, etc. is extremely simple and doesn’t require handing over things like SSL keys.

      The government doesn’t need SSL Keys to tap a single user with services like this and privacy conscious companies don’t have to give up the keys to the castle to comply with a court order. An hour of a developer’s time can achieve the same thing far more easily. However, when stupidity mixed with stubbornness come into play, bad things happen.

      1. pj_cryptostorm

        This explanation evinces a tragic, albeit common, fundamental misunderstanding of asymmetric cryptography.

        The only relevant issue wrt Lavabit – and now CryptoSeal – is the absence of properly-implemented ephemeral key exchange methodologies. That, and the failure in the former case to provide client-side symmetric encipherment once the key exchange itself was completed. That’s, as a clueless troll recently tried to reference, known colloquially as “the Hushmail problem.”

        HTTPS is provisioned via the use of the TLS framework (not actually SSL, whose use has been deprecated for nearly a decade). TLS can be used for many other things; it’s extensible. For example, CryptoSeal was making use of a TLS-based (control channel) VPN protocol – which has nothing to do with secure web pages. Lavabit’s use of TLS-based ciphers (actually, use of the OpenSSL cipher library itself, which in turn is called during TLS-framed session negotiations) was not directly related to providing “secure” web pages; rather, it was intended to encrypt the contents of email messages, end-to-end… including during server transit/storage.

        Their failure to deploy against that model is mysterious given the (near) ubiquitous availability of DHE/ECDHE via the aforementioned libraries. It seems almost inexplicable, but such things happen. Certainly the replacement services stepping in to fill that void all know to make use of such tools. Lessons learned, etc.

        Naturally, this “hackerspeak” is likely unwelcome here – all these bits and bytes, and not a word about what is “allowed” or not. Still, it’s painful to watch these basic cryptographic concepts get mangled so badly during a conversation (putatively) concerning this very topic.

        There’s a story behind these two shutdowns, but the absence of competent technical expertise in this discussion obviates an accurate understanding of the real fundamentals at play here. Oh well… ignorance always has a price.

        1. SHG Post author

          Since Jack is a computer guy, and has offered technical information in his comment, your technical explanation in response is appropriate. It won’t mean much to the rest of us, but that doesn’t make it unwelcome. It doesn’t address the nexus between tech issues and the law, which is your blind spot, but it’s appropriate in response to Jack.

          If you want to be persuasive on a subject, you might want to tone down your rhetoric, stop sounding like such a whiny child and make a greater effort to realize where your knowledge ends and others’ begins. You probably have much to add to the discussion once you realize that you are clueless when it comes to the nexus between law and tech. And you might even learn enough to protect yourself.

        2. Jack

          PJ – I understand how public-private key encryption works just fine and understand the shortfalls LavaBit had – however this is the United States and companies that provide “privacy services” have to be able to comply with court orders. Yes, using DHE/ECDHE LavaBit could have given up access to the server and the communication channel and the FBI wouldn’t have been able to decrypt the communications. It could have also forced the government to “trust them” with the decryption. But, a static DH wasn’t their only weak point – LavaBit themselves had the ability to decrypt any user messages. There are a dozen things LavaBit could have done that would have forced the FBI to pound sand – but in every one of those cases, they wouldn’t be able to comply with court orders.

          My explanation wasn’t meant to be at the level someone would use at an InfoSec conference, but to dumb down a complex topic using terms and concepts people have heard before while getting the big picture. How many people know, that TLS is the predecessor to SSL or even heard the term TLS? Not many – but everyone has heard of SSL before. Nobody on here is going to understand ephemeral vs static cryptography. Did it get mangled a bit – of course it did, but it’s also readable. I am correct that LavaBit could have written into their code-base the ability to bypass all encryption for the FBI since they offered to do that, but the court rejected it since it required trust between FBI and Levison – which at that point was all gone. It’s pretty clear that LavaBit wasn’t set up to beat the government.

          None of what I said was related to CryptoSeal.
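The DHE/ECDHE point raised in the two comments above, as an added example (not part of any comment, and not Lavabit's or CryptoSeal's code): a toy Python model of what a disclosed long-term server key recovers from recorded sessions under static-RSA key transport versus ephemeral Diffie-Hellman. The primes, the DH group and every function name are constructed for illustration and are far too small for real use.

```python
"""Toy model: what a disclosed long-term server key recovers from recorded
traffic under static-RSA key transport versus ephemeral Diffie-Hellman.
All parameters are constructed toy values, far too small for real use."""
import hashlib
import secrets

# Long-term server RSA key built from two Mersenne primes (toy size).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # long-term private exponent
# Toy Diffie-Hellman group: Mersenne prime modulus, small base.
DH_P, DH_G = 2**127 - 1, 3

def kdf(secret: int) -> bytes:
    """Derive a session key from a shared integer secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()

def share_digest(A: int, B: int) -> int:
    """Hash both DH shares into an integer the toy RSA key can sign."""
    return int.from_bytes(hashlib.sha256(f"{A}|{B}".encode()).digest(), "big") % N

def rsa_transport_session():
    """Client encrypts a premaster secret to the server's long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"enc_premaster": pow(premaster, E, N)}  # all an observer records
    return wire, kdf(premaster)

def dhe_session():
    """Both sides use one-time exponents; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2  # client ephemeral, never stored
    b = secrets.randbelow(DH_P - 3) + 2  # server ephemeral, never stored
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"A": A, "B": B, "sig": pow(share_digest(A, B), D, N)}
    return wire, kdf(pow(A, b, DH_P))  # same value as kdf(pow(B, a, DH_P))

def signature_ok(wire) -> bool:
    """Check the server's signature over the shares with the public key."""
    return pow(wire["sig"], E, N) == share_digest(wire["A"], wire["B"])

def recover_with_long_term_key(wire, d: int):
    """Return the session key if recorded wire data plus d determine it."""
    if "enc_premaster" in wire:  # static RSA: d undoes the key transport
        return kdf(pow(wire["enc_premaster"], d, N))
    # DHE: the key is g^(ab) and d is not an input to it; a and b are gone.
    return None

def replay(n: int = 5):
    """Record n sessions of each kind, disclose D, count keys recovered."""
    rsa = [rsa_transport_session() for _ in range(n)]
    dhe = [dhe_session() for _ in range(n)]
    rsa_hits = sum(recover_with_long_term_key(w, D) == k for w, k in rsa)
    dhe_hits = sum(recover_with_long_term_key(w, D) == k for w, k in dhe)
    return rsa_hits, dhe_hits

if __name__ == "__main__":
    print("sessions recovered after key disclosure (RSA, DHE):", replay())
```

In the DHE case the long-term key still authenticates the server (`signature_ok` passes), which is why disclosing it affects impersonation of future sessions but not the confidentiality of recorded ones.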

          1. SHG Post author

            This goes to the “when you’re a hacker, everything looks like code” point. PJ believes that it’s all about, and only about, the code, and neither law nor anything else can trump what hackers are capable of doing. As you say, it’s an inability to see the big picture because of the unfortunate (I would add arrogant, but don’t want to incite PJ) myopic focus on the minutiae of tech rather than how it intersects with law. But as PJ has already made clear, he’s smarter than me and has no need to concern himself with law. Then again, he keeps returning to SJ to read.

  2. Jack

    I understand where the government is coming from on this to a degree – but it seems so asinine to be completely taking out these US-based privacy-conscious companies in a global marketplace. With both Lavabit and now CryptoSeal, the government could easily get what they wanted without demanding the keys to the castle. From a security or control standpoint, having bad guys using US based services within the reach of the law should be a good thing. What makes it more absurd is that the “real” bad guys won’t and don’t even use these services.

    An impenetrable system that the government can’t access is all too easy to create and extraordinarily inexpensive. A typical VPS server in an unfriendly country is around $15-$30/month and most of those providers readily take BitCoins. Simply run an encrypted VPN through that server and route everything over Tor. Why the government shuts down these companies when it knows about this I simply don’t understand.

    What is the point of harming US business and making our country less free when the end result is far worse off for law enforcement and the intelligence community? Is it supposed to be lip-service to the moms in Peoria who demand the government to “do something”? Even as a way to score political points as tough on crime, it seems weak since those moms really don’t give two shits about hacker culture and are more afraid of crack dealers. This seems like a very, very poor road to go down since it hurts business, hurts privacy, makes criminals harder to catch, and doesn’t even score a lot of political points in the process…

    1. SHG Post author

      An InfoSec friend of mine tells me that there is no such thing as an impenetrable system. I dunno. But what I do know is that anybody taken into a dark room by a couple of goon-types and told he’s about to learn a thing or two about cooperation won’t be thinking about codes.

      1. Jack

        Theoretically, it is true there is no such thing as a usable “impenetrable system” (there has to be a way in somehow, otherwise it’s useless), but for all intents and purposes, from the government’s point of view, a cheap server outside of US jurisdiction, properly configured, that is running a VPN over SSL and connecting out through TOR is impenetrable.

        If the government can somehow take over the entry and exit points the server is using on TOR it can track back to the server that is hosting the VPN. The problem is, they have no access to this server and it tells them nothing. If it was paid for with BitCoin, there is no name to connect this to and even if they trace back the BitCoins used to pay for it, if they were tumbled properly there is nowhere to go back to. They couldn’t hack that server because anyone doing this is only going to allow access to the server from a single IP address that the investigator wouldn’t know. They would need physical access to the machine to possibly do anything and they aren’t going to get that in Iran or China.

        The only way to break a system like that is profiling and hoping to catch someone making a mistake or being sloppy. Logging into a secure e-mail account from an insecure computer, using your real name to reference something secure, getting an informant, etc. Same kind of stuff they used to get Ross Ulbricht.

        My fiancee’s father is a computer forensics specialist who works for one of the government agencies we are talking about gathering evidence after warrants are issued and we have had many conversations about what the government can and can’t crack. Obviously, that didn’t include the classified stuff the NSA and CIA can do.

        1. SHG Post author

          Again, I’m giving only the end result, since I’m not a hacker and have no clue how to connect the doodads. That said, today’s hacktivists will be working for the government when they have a mortgage to pay, so whatever the govt can or can’t do today doesn’t limit the future. I’m not in a position to dispute anything you’ve said, other than to say that I’m told by others they can do it. And if they can, eventually the govt can too.

        2. Jack

          Of course, none of this matters if you are sitting in a dark room, naked, and tied to a chair. On the lighter side, they even have encryption specifically designed for situations like this: it’s called “Rubber Hose Cryptography”.

          However, normal law enforcement that is going through the courts, presumably the type that caused LavaBit and now CryptoSeal to shut down, don’t do that kind of stuff. Of course if the NSA or CIA are after you and they want you bad enough, what I described above probably isn’t going to stop them – but that is outside the scope of what I am talking about.

          If my solution is able to be cracked by the NSA and CIA, LavaBit or CryptoSeal would have been down for the count long before that.

          1. SHG Post author

            Dangerous speculation about what the govt will or won’t do. Remember, Lavabit was all about Ed Snowden. They wanted Snowden, and wanted to stop him, very badly. He beat them out of here before they had a chance to beat him. Are you really that sure they wouldn’t have engaged in, ahem, serious interrogation if necessary? Would you bet your life on it?

            As for what the govt can do, one of the great joys of the govt is turf. Each agency has its own turf, which it protects from the others with every dime in its budget. Just because the agency doing one thing doesn’t have the mechanics capable of doing something doesn’t mean another agency doesn’t. Also, sometimes they need to manufacture a legally acceptable basis for evidence. They can get it in other ways, but just can’t admit they did. Think DPR.

            All this is to say don’t assume. It can lead to very dangerous mistakes.

            1. Jack

              I have absolutely no doubt if the government wants you bad enough, they will stop at nothing to get you – torture and murder included.

              I am sure the government has capability beyond what I can even imagine and beyond even what government law enforcement can dream up – however for the time being, I would certainly trust my life on a properly set up secure channel as I described, just as criminals, spies, and dissidents do on a daily basis.

              I think that Snowden and Ulbricht go to show that even modest encryption can foil the government – to a point. Ulbricht was sloppy as hell and look at what it took to get at LavaBit to fold.

            2. SHG Post author

              Well, as for Lavabit, he was giving it up for free until they demanded the private encryption key. Snowden was number 13, and he gave them Snowden, just not as much as they ultimately wanted. Some criminals, spies and dissidents get away with it. Some don’t. Some get away with it until they don’t. And they’re always shocked when they get caught.

            3. Jack

              As is the nature of the game they play.

              I totally agree with everything you have said – I just think what the government is doing is really stupid because they are making it harder to catch criminals, curtailing privacy, and not even scoring any political points in the process.

              At least with asset forfeiture for crack dealers, they scored a bunch of political points with the “tough on crime” crowd and made it easier to punish dealers more harshly. But, with this they lose on all fronts.

    2. Ultraviolet admin

      My guess is the fear more dangerous criminals will use these services to avoid regular wiretaps. Back in the 60’s the mob knew about wiretaps on their phones so they used payphones. Now the Cartels know their Skype is monitored, so they likely moved on to trying encryption.

      The problem is if you’re running a communications system, you need to be able to allow wiretapping somehow. And bringing out a case where the encrypted or anonymous email sending kidnapping demands is all that’s needed to make people ok with it.

  3. Fubar

    My inner Cassandra spoke to me in the 1970s, after ordering and reading a small tome from the Government Printing Office. In those days you filled out a form, sent a check, and they sent you the publications.

    The report, authored by I forget who, maybe the GAO or somebody like them, addressed a perceived problem: the possibility of interlinking government databases becoming a threat to civil liberties. The conclusion, quite correct for the time and well hedged, was that current processor and storage media technologies limited the threat at the moment, but that technological developments could change that. But it was less than sanguine about those future technological developments actually happening.

    Those were the days when mainframe processors were hardly as fast as the first Pentium would be, and mag tape and disks required large rooms to house them.

    My inner Cassandra invoked Moore’s law, hardly news at the time, and the likelihood that a similar phenomenon would occur with storage media. She said “the threat will arrive in your lifetime.” She was right.

    1. SHG Post author

      If there is any flaw in Moore’s law today, it’s that two years may be a year and a half more than necessary. And you don’t look at all like Cassandra.
