Another US 'Secure' Service Shuts Down: CryptoSeal VPN Goes Dark To Protect Against US Surveillance
from the chilling-effects dept
The full details here aren’t clear, but it looks like another “secure” service based in the US has felt the need to shut down over fears about US surveillance efforts compromising actual security. VPN provider CryptoSeal has announced that it’s shuttered the service (via Hacker News):
CryptoSeal Privacy Consumer VPN service terminated with immediate effect
With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.
Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.
Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) reveals a Government theory that if a pen register order is made on a provider, and the provider’s systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.
We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit We believe Lavabit is an excellent test case for this issue.
We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government’s current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.
To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.
For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.
From this it doesn’t sound like the company had been approached by the feds yet, but is doing this in a proactive manner, highlighting the chilling effects of the US government’s overreach into online security services.
Filed Under: cryptography, nsa surveillance, privacy, private keys, surveillance, vpn
Companies: cryptoseal, lavabit
Comments on “Another US 'Secure' Service Shuts Down: CryptoSeal VPN Goes Dark To Protect Against US Surveillance”
-1 for humanity
I do not trust any US hosted VPN or email service no matter how secure they claim to be. I suspect many living in Europe feel the same way.
Re: Re:
I do not trust any US hosted VPN or email service no matter how secure they claim to be. I suspect many feel the same way.
FTFY
some people are questioning why they keep the business service open but closed the personal service.
My guess is that business portion is more profitable and personal service is more likely to get them served. If that’s the case, by handing over the key, it would compromise their business service…
so they had to shut down personal service because of this risk.
Good job America, the land of the pseudo-free!
Re: Re:
you can thank barry and his criminal cohorts
Re: Re: Re:
It started well before Obama, but if by “criminal cohorts” you mean Congress and the Judiciary, then I agree with you.
Re: Re: Re: Re:
Re: Re: Re:2 Re:
War is peace. Freedom is slavery. Ignorance is strength.
And thanks to Obama, we have another: Secrecy is transparency.
Re: Re:
It’s partially that, but it’s also that the business system has full monitoring built in (so owners can monitor employees, automatically, with DLP and such).
It’s used in regulated industries which already are subject to much more monitoring than court-ordered pen traps, so the monitoring from pen traps is irrelevant to them.
We’re working on some better solutions to both sets of customers, but it’ll be 2014 before they’re ready. Privacy-conscious consumers should use non-US services for now.
Well done, US gov! Tech companies are fleeing the US. This will get worse after tonight’s EU vote on data protection. So, besides pumping ludicrous amounts of money into NSA e.a., you lose more money on businesses fleeing the country. And all of this helped to catch how many terrorists exactly?
We are on the threshold of a chain reaction. Entire industries will pack up and move overseas, all due to our government’s ongoing efforts to emulate third-world dictatorships; their desperate seizure of power under the quixotic (when not blatantly fraudulent) banner of “fighting terrorism”.
For all their clamoring about “job creation”, it’s clear that they care far more about preserving their own power than improving the economy. (As if that hadn’t already been proven by over two weeks of petty bickering during a government shutdown and nearly defaulting on the national debt because neither side was mature enough to put the entire nation’s wellbeing above their own political maneuverings until the last possible moment.)
Re: Re:
Absolutely, this is all too evident. The whole thing is a disaster. Once the boomers pass on if we do not change fundamentally how campaign finance, lobbying, financial regulation and patent/copyright law works we are totally fucked.
We will also need to strike down the Patriot Act and the CFAA and any ACTA/CISPA like bills in the future.
Re: Re: Re:
you forgot the NDAA and barry
Re: Re: Re: Re:
to strike down the Patriot Act and the CFAA and any ACTA/CISPA like bills … you forgot barry
What is this “barry” bill?
Re: Re: Re:
Got news for you. It isn’t the boomers cause they are not listening to us any more than you.
It’s the politicians.
Re: Re: Re: Re:
“Got news for you. It isn’t the boomers cause they are not listening to us any more than you.
It’s the politicians.”
qft
Used to be, the Chamber of Commerce would be leaning on Gov’t. in this type of situation.
william: the land of the pseudo-free
. . . and home of the sort-of brave. Our forefathers and foremothers would be so proud of us.
A lot of VPN services are simply pulling their U.S. servers, to avoid US law. As long as they have no servers in U.S. datacenters, they are not subject to U.S. wiretap orders.
I know this because I had to move, the only Internet I had for a while was through my 4G cell provider, and I had to use a VPN to bypass the part of the system that detects and blocks any “tethering”. However, none of the VPN providers I was using have U.S. servers. Some VPN services are solving the problem by pulling all servers from U.S. datacenters.
Because of this, I could not watch Netflix, or access U.S.-only web sites for quite a while, since the VPN services I was using pulled all their U.S. servers, to avoid U.S. laws.
I could not watch Netflix, access my bank accounts. I could not even cancel service from my old ISP, because they block access to certain parts of their network to non-US IP addresses to protect their customers. They are very privacy minded.
I cannot even find a VPN provider now that does have any servers in U.S. datacenters. I guess the Lavabit case means that VPN providers will soon no longer have servers in U.S. datacenters, so they can avoid U.S. wiretapping orders.
One would think that Cryptoseal would just simply pull their servers out of U.S datacenters, like a few other VPN providers had, and that solved the problem for them. The other VPN providers out there that pulled their US servers made themselves no longer subject to U.S. laws.
To me, it seems that what Cryptoseal did was a little overkill. They could have just simply pulled all their servers from U.S. datacenters, and that would have been enough. If other VPN providers can do that and avoid U.S. laws, why not Cryptoseal?
Re: Re:
We’re all US citizens, working and living in the US, and just setting up our servers offshore wouldn’t have protected us from personal jurisdiction for things like civil or criminal contempt. We could potentially have owned/licensed an offshore operator to run the whole thing, but at that point, there’s not much value we could add — just use an entirely offshore business run by non-US-citizens.
I am not a lawyer, of course.
Re: Re:
http://www.hidemyass.com/vpn/servers/#us
Did it? Has this been tested yet? Could be that they only think their problem is solved when it isn’t.
Re: Re: Re:
The experience with LulzSec two years ago shows that a VPN service can be subject to a court order (in the UK) or other legal subpoena or warrant despite not having servers, or any presence, in the U.S.
http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/
Law enforcement cooperation between countries may mean you are not necessarily protected although you might be more protected than being subject to U.S. law enforcement (or CIA etc.) activities directly.
Re: Re:
[To me, it seems that what Cryptoseal did was a little overkill. They could have just simply pulled all their servers from U.S. datacenters, and that would have been enough. If other VPN providers can do that and avoid U.S. laws, why not Cryptoseal?]
That’s not enough. As long as their company has U.S. based entities, they have to obey U.S. court orders.
So while non-U.S. based VPN providers can evade by moving their assets out, native U.S. based VPN providers cannot. They have to shut down their company and re-register in other countries that are considered “safe”.
StrongVPN
I ditched StrongVPN post PRISM. One of the leaks, XKEYSCORE, mentioned you could query for users in a country that had just started a VPN link.
If you’re in a militarized country, speaking out can get you shot, so VPNs like CryptoSeal are essential.
One of the other big leaks of that data is msftncsi.com, the Microsoft network awareness URL.
Your PC queries this & its DNS, on each network startup to report if you have a network connection. I notice it reports outside of the VPN and inside the VPN to see if a connection exists without the VPN and via VPN, which lets an observer of that URL unmask the VPN’s alternate IP.
131.107.255.255 dns.msftncsi.com
127.0.0.1 www.msftncsi.com
One of the software packages could report if a new device appears or disappears off the net, and I suspect it’s watching the network awareness URLs.
Re: StrongVPN
Mine doesn’t.
Offshore it
Close the service down, and move it and the company offshore to a country that values privacy.
Of course, that’s basically what will happen over the next five to ten years – and hopefully countries will fall over themselves to show how conscious they are of the need for individual privacy protection.
Re: Offshore it
Like I said in one other comment, many VPN companies are now pulling out servers from US datacenters, and that, alone, is good enough for most VPN companies to avoid U.S. laws.
So if you like to watch Netflix, Hulu, or any other U.S.-only site, by way of a proxy or VPN, that soon may not be an option.
Re: Offshore it
The USA could still try and make US laws apply. A few years ago, one VPN company, based outside the USA, was bullied into pulling its Cuba, Iran, and North Korea servers. They decided that since the owner was a US citizen, he was still subject to OFAC regulations prohibiting him from operating servers in those countries.
So if you are going to offshore your VPN service, be sure to move it to a country that will tell the US government to get lost, and not cooperate with the US government in any way.
Re: Re: Offshore it
Brazil seems to be the next capital of internet. Ironic, isn’t it?
US Government invasion of privacy
How many people realise though that many of the ‘free’ email services offered around the world are actually all hosted by the same company in California and the company that owns the hosting company is 45% owned by the US Federal Government? I had two, seemingly separate, email accounts some years back but it turns out they were both hosted by this one company. When I expressed too much interest in the HAARP facility my main account was closed down. I then used my backup account to complain about this and it too was closed down. I believe the Federal involvement in this email hosting company was deliberate in an attempt to offer easy access to and control of worldwide email traffic.
USA and Canada are losing the VPN business.
as it’s only the public, basically, that are affected here, no one will give a toss. the whole aim of all this stuff is to stop the public from having any secrets, anywhere. if there were some/one business/es affected, there would be all sorts of backlash going on!
Keep ’em coming. When you hit where it hurts the most (the pockets) things will start changing.
Individual SSL keys per customer?
Could a privacy service use a separate subdomain for each customer (or group of customers) with a separate SSL key, allowing them to comply with a pen register order for one customer without revealing all customers’ traffic?
Yes, the price of SSL keys could be a factor, but perhaps a different CA would be appropriate for this.
vpn
I personally recommend https://www.waselpro.com/en/ Service. I always have a good experience with it VPN because some time VPN causes on wifi but this VPN support team is available 24/7 for customers assistance.
Top VPN service that rises in USA
I have been using VPN for 2 years and now I got good understanding about the nature of VPN. In my opinion people have two major concerns with VPN specially in USA and these are connectivity and speed. Therefore now I only recommend Hidemyass, ipvanish and Purevpn, because all of them provide excellent services with fast connectivity and speed. Though I still recommend you to go through some other top services for USA that are getting more strong in USA. Source: http://www.vpnranks.com/usa-vpn/
USA fastest VPN is helpful to secure your identity
I always prefer to use Fast VPN connection to secure my identity while, I used many VPN providers but they sucks my internet speed and based on my experience in USA VPN connectivity and speed is a major concern, I always use Hidemyass it superb on all VPN services as it offers high speed connection. You can also have a look at Fast VPN Service site http://www.fastvpnservice.com/ they keep updated their site and only list the fastest VPN Providers from all over the world.
I was looking for a fast speed USA VPN to bypass the geo-restrictions as well and provide me full security also I searched my VPN services but found the best one here http://goo.gl/yiiRCO
Before Snowden we would have laughed at the tinfoil crowd. Now we know that for the average user it is nearly impossible to keep their information secret from the US government if the computer is connected to the Internet. System backdoors from Apple and Microsoft, internet and phone companies handing over data sharing the source with the NSA. VPN and Crypto services compromised, even international crypto standards.
Amerika is not free
1. Before America was associated with freedom particularly as regards freedom of action and privacy. Now the situation has changed completely. The new laws are ordained for imposing restrictions on human activity. In the case mentioned above CryptoSeal VPN coped with the problem successfully. What could they do? The proposal concerning their users is also great.
Nowadays everything changes and the same law has been adopted in Russia https://www.bestvpnrating.com/news/dire-consequences-passed-law according to which the services containing the private data should reveal it if the government asks it. Moreover, some vpn services located in Russia also shut down. Who will be the next?
More will follow...
More and more services will have the same fate; only honeypots and agency controlled services will remain. I would be wary about purchasing any of the more mainstream ones https://vpntrends.com as they may probably be state controlled.
VPN a must
A VPN is a must have in this day and age. While most pay for Netflix or Hulu the amount of content on Kodi and a good Build is hard to ignore. http://whyingo.org/the-top-best-kodi-17-krypton-builds-2017/
Great https://abcd.com
Best VPNs for USA
In our time, it's not even worthwhile to use a public wi-fi without a virtual private network. So, please, be careful and secure while surfing the web. I can advise you the list of VPNs that can be used in USA –
https://topvpnchoice.com/best-vpns-for-usa/, attentively read reviews and only then make a decision which VPN perfectly meets your requirements.
Best VPN for Australia
Get the Australia VPN service to unblock geo-blocked knowledge from Australia. With military-grade security, users in Australia or any place around the world will surf the net restriction-free! Make a choice from 70+ servers and obtain IPs to relish native content from various countries.
https://fastestvpn.com/australia-vpn