Italian ISP Hides Data Acquisition by Police

jaromil writes "It happened recently in Italy: the provider Aruba lied to a customer calling "power loss" a police action to acquire all data contained in the harddisks of the AUT/INV collective, keeping it secret for a whole year, while more than 30.000 people used its encrypted services for private comunications."

Physical security is important

[Bishop]

We always suspected that they [the isp Aruba] weren't trustworthy...

Why did they think their system was secure?

This article highlights why physical security is so important. Cryptography is a work around for poor physical security. It is not a replacement. As the server held encryption keys the security of the system was completely dependant on the physical security of that server.

Unfortunately this group hasn't learned their lesson:

We will, as soon as possible, reactivate all the services on a new server, cleaned and sanitized, hosted by a different provider.

This service will still be susceptible to the very same attack.

ISP's answer was absolutely true

[kawika]

If that isn't a "power loss" I don't know what is. This is an answer worthy of the Oracle at Delphi.

Re:Summary is fine

[marcello_dl]

I am still trying to figure out waht this means: Aruba lied to a customer calling "power loss"

It appears the police raid was made and no one bothered to tell the responsible for the servers that an investigation/seizing of data was being made.

Disruption of service occurred, and the phone calls by costumers were answered with technical excuses, instead of telling the truth.

This is what italian webpress says.

Note also that 30000 accounts, personal data, crypto keys, was seized because one single hosted site was under investigation.