I once worked at a company that made Parking Meters - and accepted credit cards at them. They sent their data over https, and had random issues with timeouts.
It turns out they would format their data in (very descriptive) XML, and discovered an excessively large file combined with an SSL handshake over crappy 2g connection took too long to transfer the data (it didn't help the programmers 'forgot' they hardcoded a timeout, so if the comms was just slow, it would throw a generic error and they blamed Apache for it).

In any case, the offshore dev team's solution was to create a UDP client/server protocol of their own.

It was working nicely when I left, and was PCI Compliant, but at that point we had no way to reliably monitor communications from the perspective of the meter because we (SysAdmins in charge of the backend systems) would have had to write proprietary code from non-existing documentation just to replicate what used to be a simple HTTP POST.

Some things look great, but aren't thought out all the way ...

Agreed! It's not unlike the elderly dictatorship of only allowing adults to vote.

The biggest problem was finding someone to report it to. Customer Service doesn't know dick about Compliance - I had to to cross my fingers that it would get escalated properly. It took about 6 months for that to change.

When I did this 'search test', Most of my hits were PDFs of credit card statements.

To Quote - " I'd rather use some tools with more of a community than just the 4 of us."
He also never said that there were shortcomings in the toolset they created. It sounds like he may not like the database, maybe he wants a nicer front-end for managing the tables? But it's not described as 'the problem'.

Therefore, if they create a community around their own toolset, then the only problem actually described in the OP is resolved.

Of course he was asked to hand over the SSL keys, he refused to hand over the requested information in the first place.

Duplicating incoming and outgoing email, on a server you own and apparently WROTE THE CODE FOR, is trivial. Even Exchange can do it. Page 7 is the request for mailbox contents, but a separate device is NOT REQUIRED . It should be obvious that using SMTP means the data is in clear text until it's encrypted - at rest.

At best, he's an incompetent admin, and you want him to secure your email?

It's going to be called 'LavaCircle'. And the whitepaper that's produced to explain it will include a lot of busy work and confusion, and the result will be locally encrypted/decrypted files.

Then, when someone asks how that can actually be secure, Ladar will throw a tizzy and claim all our constitutional rights are being trampled on.

It can't be encrypted at all times if a normal client is able to view it. It was merely encrypted at rest, with a single encryption/decryption key stored on the same server.

Assuming every corner of the government was in on it. Most of those people are just doing their jobs. Trails of bodies tend to attract attention

We are talking about the genius who, upon deciding to commit treason, used an account with his name on it - not even an alias.
So either he's incredibly stupid, or incredibly intelligent. It would be incredibly intelligent to save your ass from the fire by making yourself appear to be a folk hero.

Well - public/private key encryption comes to mind. Your users would just need a local client, either plugged into a fat client, run as Java (like the CA provider), or using opengpg's javascript or Chrome plugins. The solutions exist, Lavabit just created an overly complex 'paper shuffling' process to hide the fact it's not really secure.

So what's the problem with providing account information and log data for a single account, requested by court order? If Snowden's a whistleblower, then there's nothing to be afraid of. If he's sending highly classified data to the Russians... uhm, my age is showing... Chinese, and using 'whistleblower' as a cover for his actions, then we have a problem. That's not Ladar's call to make. That's why there are professional investigators involved, a 'Federal Bureau', as it were.

'Clearly'. I disagree. He was being an ass, and the operation didn't have the security he touted in the first place - it's like buying a lockbox at a bank, but giving your stuff to the teller to put in the box. That's not secure.

As an email service provider, I can attest these orders are not executed by the NSA, they're part of investigations performed by the FBI. They DO NOT want any more info than is listed on the court order. Are you kidding me? Using evidence gained illegally as part of a prosecution? A defense lawyer would have a field day with that.

If you mean that he made the right choice in talking with the media about the abuse of the government taking his SSL keys, instead of talking about his lack of cooperation, then yeah, I agree he made the choice that was in his best interests. No publicity is bad publicity they say.

The encryption key was encrypted by the user's password. Merely intercepting the user's password would decrypt the mailbox. Since they wrote the software, it would be trivial to log the password for any or all user's accounts. It was not much more than 'security by obscurity'.

The contempt part should relate to his all out lack of cooperation, as the original request wasn't even for mailbox data - it was for metadata. He escalated it to requiring SSL keys, because the government didn't trust him. Unless you want the government to charge people with crimes without a proper investigation, there's no reason to ignore a signed metadata request (from a non-FISA court for that matter).

Read the first document Only metadata was requested, Ladar refused, and the government escalated.

It's not reported that way because 'company ignores warrant for user account information' isn't anywhere near as flashy as 'ZOMG GUBERMENT SPYING ON US!'

The NSA isn't even involved in this. This is a company owner refusing to provide BASIC information, and the government taking logical steps in order to attain the information a non-FISA court agreed was needed in their investigation. One particular person is benefiting immensely from media manipulation, and it's the same person who claimed he could encrypt and decrypt data, and not have access to it.

Ladar destroyed his 'business' (Secure storage where the storing party holds the keys? Not possible) by not handing over the requested METADATA in the first place. By not handing over data that a judge deemed was necessary in an ongoing investigation, the government escalated to the point of pentrap / SSL keys.

There was no FISA court involved in this issue. It was a standard warrant.

Read the first document - there's nothing in that request that should be objected to - unless you want people to be charged with a crime without a proper investigation. Feel free to compare that court with the list of FISA courts at Wikipedia.

Ladar is playing you all - and you're all falling for it. The NSA spying is most definitely an issue, but this has nothing to do with NSA spying.

Right. There was nothing wrong with the initial request Lavabit received. It requested metadata for a single account, and was signed off by a judge. By ignoring that request, Ladar escalated the issue into one of epic proportions. From one perspective, an investigator is requesting the steps that need to be taken in order to fulfill the initial request. From another perspective, the government is taking the 'keys to the kingdom'.

There was no reason for Lavabit to not turn over metadata other than Ladar didn't want to. He should be in jail.