Embattled email guru Ladar Levison updates the DefCon crowd on encrypted email project DarkMail and asks for help from the hacker faithful to get what may be his final email project done.
LAS VEGAS — Email was not originally intended to be cryptographically hidden from prying eyes, but one-click, end-to-end email encryption is just what Ladar Levison is within six months of achieving.
Or it will be, he told a standing room-only audience of around 2,000 hackers and security experts at DefCon on Friday evening, if all goes according to plan.
Levison is the founder of the webmail service Lavabit that is widely believed to have been used by Edward Snowden. Levison shuttered it rather than hand over Lavabit’s encryption keys and source code to the US government.
He told the enthusiastic crowd that his DarkMail project has expanded.
Now called the Dark Internet Mail Environment, or DIME, it’s an ecosystem comprised of email transfer protocols DMAP and DMTP, the email server Magma, and a Mozilla Thunderbird-based desktop email client called Volcano.
“DarkMail combines all my knowledge of security and email into one last hurrah,” Levison said in a conversation with CNET following his DefCon presentation where he used DarkMail and DIME interchangeably.
“To a large extent, we’re re-architecting email with DIME. It’s a parallel system that’s completely encrypted,” Levison said, and added that one of the inventors of email, Dave Crocker, is working with him on documentation.
But encrypting email is technologically difficult, and currently only available to users willing to fiddle around with complicated procedures.
“In order for everyone to use end-to-end encryption, we have to make it auto-magical,” Levison said, meaning that it must be as easy and automatic as when a website uses encryption. “I work with email experts [on DIME] who still struggle to use PGP.”
DIME is a work in progress. From a six-bedroom “hacker house” in Dallas, Levison coordinates a small handful of developers. While Levison and one of his lead developers, Stephen Watt, showed pre-recorded video of the service working at DefCon — it “seemed suicidal” to attempt a live demo over the routinely hacked conference Wi-Fi, Watt said — there’s still a lot of work to be done to have the service ready by Levison’s deadline: December’s Chaos Communication Conference in Germany.
One of the goals of DIME is for others to implement it as the backend for their email servers, he said. But he’s not sure that includes resurrecting Lavabit with DIME at its heart.
This slide from Levison’s presentation diagrams how DarkMail works.
“Whether Lavabit reopens is an open question,” he said. If he does reopen it, he said he probably would have to leave the US.
He said that he founded Lavabit on April 1, 2004, the same day that Google opened Gmail, as a more privacy-protective alternative to Gmail. After 10 years of working on email, though, Levison says he’s almost sick of it. Physical ailments have worn him down, too, as he suffers from chronic back and knee injuries, and likely will have to have surgery next year.
Levison first mentioned DarkMail a few months after he shuttered Lavabit as a solution to encrypting email that does not involve the complicated public and private key requirements of current email encryption tools like Pretty Good Privacy. PGP, as it’s known, is cryptographic software that has until this point been one of the few ways to encrypt email. It’s hard to use because each user is responsible for managing their public and private keys, lengthy strings of alphanumeric characters necessary to encrypt and decrypt messages.
DIME works in part by breaking email headers into pieces and encrypting them separately. It’s technologically difficult to encrypt email headers and ensure that they reach their intended destination.
Along with basic email sending and receiving features, Levison showed that the desktop client Volcano will flag an email address recipient that is not using DIME with a red warning. It doesn’t prevent you from sending the email, but it does make it easy to tell when an email won’t be encrypted.
DIME is not the only email encryption project in the works. By Levison’s count, there are more than three dozen end-to-end email and webmail encryption projects in development. Two of them are under way from Silicon Valley powerhouses Google and Yahoo. User-friendly, easy-to-use end-to-end email encryption has been elusive thus far, but for people who want the contents of their emails hidden from spies, change appears to be on its way.
Levison argued his case by explaining his anger at the US government. He wasn’t, he said, upset because they “railroaded” his business and forced him to shut down.
“I’m upset because we need a milspec [military-grade defense specification] for the mail system for the entire planet, just to be able to talk to our friends and family without fear of government surveillance,” he said. “I’m upset because I thought we won this war in the ’90s, when we won the right to use cryptographic algorithms,” he said, referring to the repeal of laws at the end of the 1990s that considered cryptography a weapon.
He concluded with a plea for help.
“We need more people to help us. We took a year off from personal gain. If anyone’s interested in moving to Dallas and working for a subsistence wage on the DarkMail project, please come talk to me.”
Moments after stepping off the stage, Levison was surrounded by 30 people.