Slashdot Mirror
Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys
jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."
Luckily I browse my favourite sites like /. using http so I'm not affected by this.
Understandable that he shut down.
The USA is ruled by evil bastards that have no respect for the citizens.
Time to revolt is now.
I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
http://i.imgur.com/Xp2q6up.jpg
How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?
if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone.
I don't think so. There's a big difference between the legal firepower available to a small service provider like Lavabit and someone like Yahoo or Google -- and handing over the ability to read everything is definitely not something that a simple warrant can legally require. Nor even an NSL.
In fairness, in this case the FBI's original request did ask for just specific metadata about one user. I haven't read it closely enough to understand how the scope was broadened so dramatically, except that I understand that Lavabit refused to comply early on, and then eventually the FBI decided that they didn't trust Lavabit to comply correctly due to Lavabit's obstructionism, and so decided that they just wanted to be able to read all the traffic and extract the bits they needed themselves.
Lavabit, of course, decided to shut down instead. That way there would be no traffic to read.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Go ahead, mod me troll. But given the recent revelations, how can we claim to be any better than even the fucking UN at this point? I've made a complete u-turn on this issue, and it scares the crap out of me that I would have continued to defend the US as the savior and guardian of the open and free internet if it wasn't for a single guy leaking some stuff. And we can't even push something as simple as net-neutrality regulations through without it becoming a horrible political mess.
Fuck this government and its institutions and fuck the people that support it.
Lavabit is still in court over this. You can contribute to their legal defense fund here.
I thought these and similar laws (wiretap, etc) were only allowed to act upon the entities being investigated and for which the warranty was issued. And it sounds like Lavabit tried to keep the scope narrowed to the one person being investigated, but the FBI wanted more. Isn't this over reaching the scope of the warrant and therefore any case developed would be tossed out? IANAL, but I thought the scope limitations were there for a reason. That idea TPB had to buy an island is sounding more and more convincing these days...
Lavabit did not offer an alternative solution, they offered to comply with the ORIGINAL search warrant that asked for just one user after prosecutors upped the ante when Lavabit refused the first search warrant.
FTA:
"By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested."
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Was this the thing PJ said she couldn't reveal but would cause anyone to distrust email?
Is the situation really different anywhere else?
Of course not. Therefore we have to do this.
Pssst, hey, buddy.. Wanna buy a court order? I gotta million of 'em, right here in my pocket.. Waddya need? I got your restraining orders, discovery, wiretap, asset forfeiture, arrest warrants, you name it...
“He’s not deformed, he’s just drunk!”
UPDATE 7:00pm CT: In a press release published on his Facebook page, Levison confirmed the unsealing and laid out his defense.
“People using my service trusted me to safeguard their online identities and protect their information. I simply could not betray that trust," he said. "If the Obama administration feels compelled to continue violating the privacy rights of the masses just so they can conduct surveillance on the few then he should at least ask Congress for laws providing that authority instead of using the courts to force businesses into secretly becoming complicit in crimes against the American people. http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/
act accordingly.
Firstly they wanted *all* meta data on every Lavabit user, not just Snowden. It was a blanket demand to get all of the data.
They also wanted man-in-the-middle box. A device which would have the root certificate under control of the government and would sit in Lavabits network able to man-in-the-middle attack emails (i.e. speech) of Lavabit users not connected to Snowden.
Lavabit are guardians of the customers data, how can they guard if a black-box is on their network? It can do anything, the judge has no way of telling, Lavabit has no way of telling. Google apparently refused these boxes and with good reason. There is no trust here, the Judge is not supposed to trust the FBI & NSA to do only what it says. He's supposed to be the guardian of the law, just as Lavabit are the guardians of the data.
An example, if I had such a box, I could spoof email convincingly in a way that would pass forensics. I could create fake evidence. I could spread disinformation (propaganda) again untraceably.
They also asserted that it filters out only the data they were allowed to have and throws away the rest. We know this has been proven to be false in many many leaks, even the President now pretends the data goes into a 'lockbox'. A lockbox isn't a lockbox if the NSA has the key and no judicial oversight stops them turning that key at will.
It seems, once again, the judicial branch has simply become a fawning sidekick to the executive branch.
Can we assume that all the major Certificate Authorities have been "compromised" by the FBI / NSA as well.
The phrase "no U.S. company can be trusted" may erroneously suggest that you might still be able to trust non-U.S. companies. But serious and offensive as this is, don't assume that you're safe anywhere else. The only reason we know about this is because the US legal system at least allowed the order to be unsealed (and probably only because it was the FBI rather than the NSA). Legal systems and spy agencies in other nations have powers that are at least as broad, and often far broader, than their US equivalents, and often have even less government supervision.
If we are to chose a single country, then probably US is the best option (at least if you are not a brown person). Nations are generally divided in two bunches: US sockpupets that can be used for things even the US does not want to be seen doing (hint: like Canada) and totalitarian dumps who's leaders would gladly murder just about anyone that threatens their access to power. So a common counterargument is that we either end up with US, or someone much worse.
But it does not have to be that way. An international agreement drafted by the major industrialized nations with an eye towards freedom of expression and democracy could be a much better deal than a single nation calling the shots. One important provision in such a treaty would be banning spying of international traffic passing though domestic lines. Nations would still be tempted but if caught it would justify international sanctions like a connectivity embargo. Imagine that, the first country with a closed internet would not be Iran, but USA. And the closure will come from the exterior. Quite a sensation on Nasdaq.
Anyway, don't get your hopes up, the way things work in the UN, there will never ever by a sanction against US, because it along with select few can veto any such action.
"In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.
The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.
On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter."
Reading this makes my day
That's nonsense, and in particular Javabit encrypted the user data and communication using public key encryption methods. The problem is that the communication is SSL-encrypted. And that means the private SSL keys allow complete eavesdropping on the communcation and man-in-the-middle attacks (insertion of malicious content). That allows getting a hook into key exchanges and ultimately compromising whatever you want that depends on ongoing trust of the service.
If the service has been set up well, past data and communication are secure from decryption. The Lavabit owner had built a service ultimately relying on his personal integrity (and at some point in the process, you can't take that out of the equation) for its principal goal, secure mail, and the feds demanded he hand over his integrity. Any continued operation of the service would have been effectively fraud since its core tenet would no longer be provided.
He might have to serve prison for refusing to defraud all of his customers regarding his sole product. The good news is that he shut down before they were able to turn his service into a trap.
Fucking totalitarian injustice regime.
It's not public and you should always oppose surveillance, but exercising caution would still do you well.
Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
I'd say, my banking is still reasonably safe even if FBI can see, what I'm doing. There is simply nothing there, that they (or the IRS) can't get through traditional means. My banking secrets haven't been secrets for the government (unless the banks are abroad) for a long time — but smaller-time crooks are still kept away by SSL.
When/if the national healthcare is implemented — despite our fiercest opposition — medical history will be similarly "safe".
E-mails and like communications are a different story — for now...
Finally, what this also means, is that the government still does not have the means of breaking SSL — they wouldn't be needing the keys otherwise. Which is comforting...
In Soviet Washington the swamp drains you.
1) Some idiot makes an illegal request
2) You say no
Why does this not seem to be happening?
I wonder if this makes more a case for using self signed certificates for email. Of course It wouldn't help eCommerce, https:, or many other client server type applications.
Roman empire fell apart not because the government was monitoring the citizenry too closely — exactly the opposite. The broke into two (the Eastern half surviving for another thousand years, BTW), because the means of communications and control then available simply weren't sufficient for a country of that size.
Their government structure, unlike ours, also was not up to the task of running such a big country and could only work, if all rulers were wise and benevolent. Ours, on the other hand, expects no outstanding qualities from the people in charge...
So, while I share your dissatisfaction with America's recent developments, I don't think, we are anywhere near collapse.
In Soviet Washington the swamp drains you.
How is a user who just reads considered "abusive" to Slashdot? Treat Tor like any other open proxy, giving it read-only access.
The good think about the US is: :)
The 1st and 4th amendments make what most other countries can do less easy.
The US press and lawyers now know more
In other countries cleared bureaucrats or police would set up long term isp logging based on ip/ports/time found via their work laptops at home.
Find, point, click your in the system for years.
Your automated isp logging might get a more senior bureaucrats or police review after many months. Some 'ministers'/'court' staff rushed review year/s later for an extension.
The good think about the rest of the world is:
They can air gap, invest, design, export hardware and encrypt in new ways long term.
Domestic spying is now "Benign Information Gathering"
When I was growing up (70s and early 80s), all the US propaganda about how bad the Soviet Union was, how bad East Germany was, in terms of privacy, citizen rights, and being police states.
"Hypocrisy!", in my opinion.
In my opinion laws should protect non-suspect citizen rights, and enforcement agencies (FBI in this case) should be legally required to only target and restrict their levels of privacy breach to only those individuals or organizations of inquiry. They should have no legal authority to make such demands, and if a company or citizen gets such a demand, the FBI should be able to be publicly sued for attempting to exceed their authority.
AND, if the FBI currently is allowed to do such dragnets, the laws should be amended to remove such authority, and be enforced.
Uh, Linux geek since 1999.
Its not exclusive to the US. All governments are like this.
---- Booth was a patriot ----
I've been saying this for over a decade. We are living in complete and utter denial. The average American is more concerned with what's happening on their favorite TV show than they are about what's happening in their own government - and it is made obvious by the fact that we keep electing a Congress that only 10% of us approve of.
And to answer your question: No, I do not think it can be fixed at this point. There is too much debt, too much oppression, too much corruption, and above all too much apathy to ever be able to recover.
Perfect Forward Secrecy can block the NSA from secure web pages, but no one uses it
...and our justice system has demonstrated they will sign a warrant for anything the men in black ask for. 'MURICA!
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
So few people know it happened that its sort of funny to hear that. The real (voting ) public has no clue this ever happened. Nor would they understand it if they did.
Besides that, those that do know what happened and matter will soon have a squirrel event and forget all about it anyway.
---- Booth was a patriot ----
Seems I did not know enough of the story, per this "Wired" article, so, um, 'nevermind' :
http://www.wired.com/threatlevel/2013/10/lavabit_unsealed?ref=cm
Uh, Linux geek since 1999.
It seems a lot of the recent NSA activity is about metadata mining. Is it possible to trash the metadata?
I have experimented with randon searches, for example, to see the effect on targeted advertising.
Would random searches, and phone calls, for example, make the metadata less useful?
Imagine I am a frequent visitor to whitehouse.gov, but each time I visit, I also visit gop.com, and click a few random things.
Democrat, rebpublican, libertarian, green, social justice, reddit, facebook, my little pony, new your times.
"if the FBI can force Lavabit to hand over their SSL key or face shutdown, they have done it to everyone."
FTFY
Prove anything by multiplying Huge Number times Tiny Number
It's not limited to just SSL. Any company that holds a copy of your encryption/decryption keys (a public certificate is OK, the matching private key that goes with it is the problem) can be ordered to turn them over. The only safe system is where the keys that secure the system never leave your possession.
For e-mail that means using S/MIME or OpenPGP with a self-signed certificate and a private key you generate yourself. For encrypted documents, the same. The e-mail and documents need to be encrypted on your end before they leave your computer. Be aware that if you're encrypting messages to someone else the security will be controlled by their handling of their keys. You're encrypting using their public key, there's no security implications from disclosure there. However, if the recipient's using a service where the provider has a copy of their private key (used to decrypt messages to them) then messages can potentially be eavesdropped on by outsiders who've compromised the provider and gotten the key. Be aware of this aspect and make sure you know how recipients are handling their own security.
Yes, the above means any and all web-based or hosted services are automatically vulnerable no matter how they're designed. The only secure systems are ones where you, or software running on your computer and that you control, does the encryption and decryption and the private keys are never disclosed to any other party.
Basically, the government can force you to do anything it wants, and there's nothing you can do about it. Strange, I remember hearing about some document that spelled out certain limitations on the governments powers, and certain rights that people had, but I must have misremembered.
Mr Levingston: "I've been ready to do that since Agent howard spoke to me the first time"
"In light of the conference call on July 10th and after subsequently reviewing the requirements of the June 28th order I now believe it would be possible to capture the required data ourselves and provide it to the FBI." ...
"because all other options for installing then pen-trap have failed. In a typical case, a provider is capable of implementing a pen-trap by using its own software or device, or by using a technical solution provided by the investigating agency; when such a solution is possible, a provider need not disclose its key" ...
Lavabits said they would change their system to do it for $2k or whatever it was yet government did not accept the offer cuz $2k was too much and they wanted faster/realtime updates. Seriously? How much did it cost taxpayers to quibble over $2k and update frequency? A lot more than $2k I assume.
The FBI knows full well lavabits is done if it hands over private keys yet they are militantly unwilling to work with Lavabits in good faith to get the information Lavabits has always agreed it would help them provide. The FBI is acting like a spoiled little brat and it got what all spoiled little brats deserve (NOTHING). The unwillingness to work together in this case is unprofessional and ridiculous. I feel comfortable assuming either extreme FBI incompetence/BSD or a conspiracy to possess private keys in an effort to continue this countries systematic overreach and circumvention of limits to power.
I've never understood why Firefox makes it so difficult for web site users to use unsigned keys. Now it makes sense, the "authorities" probably have a back-door into the companies that sell "authenticated" keys and can access those keys "when necessary" (and with what counts as "due process" nowadays).
Did the spy agencies infiltrate the crypto system in Firefox and put these scary warnings in place to prevent a proliferation of self-signed keys that they can't access? The Wired article mentioned the FBI was "entitled" to the Lavabit SSL key - how many other SSL keys are they "entitled" to?
n an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout "illegible."
Well played. Futile, but well played anyway.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Is Ax-crypt safe? f not what encryption software is?
Jack of all trades,master of none
Would these help? If TLS depends on both a client and a server certificate, then the FBI/NSA acquiring a web servers' certificates wouldn't give them access to connection content. For them to intercept a particular individual's connection, they would have to obtain the client key as well as the server key. In most cases (idiots who store their client keys in the cloud aside), this means physical access to the client system.
Physical access means either having to serve an individual with a search warrant or attempting to sneak in and grab it. I don't think there are too many FBI agents that would survive sneaking in to peak at my system.
Have gnu, will travel.
From the average user's point of view, this makes sense. Who can be bothered to authenticate a site's certificate through some alternate channel? Like a key fingerprint printed on your snail mail delivered bank statement. Or in a print advertisement. So all a self signed certificate indicates is that some unknown entity generated a certificate and is vouching for themselves.
Trust me. Have I ever lied to you before?
Have gnu, will travel.
We now have plausible denyability of ever posting certain stuff on the internet. It might just be some NSA employee that, with help of some neat tricks, can hijack your account.
nosig today
The US depends on it's software industry; we shipped all our labor jobs overseas to trade them for office work (programming).
Really? Then how do you explain the fact that the US has a multi-Trillion manufacturing sector which employs around 12 million people?
Bear in mind that the size of the global market for software is around $300 Billion and the number of US software developers is around 900,000.
Land of the free, home of the brave?
O say does that scar-strangled banner yet wave,
O'er the land of the sheep, and the home of the slaves...
"What in the name of Fats Waller is that?"
"A four-foot prune."
i'd vote switzerland.
The guy who said the election was rigged won the presidency with the second-most votes.
There's a big difference between the legal firepower available to a small service provider like Lavabit and someone like Yahoo or Google
But, while Lavabit apparently can afford to close down before yielding, can you imagine GMail or Yahoo or Facebook choosing to close? I can't.
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
May take a little more work, but just encrypt the text file yourself and send via regular email. Regular email will have less eyes looking at it. For added security modify the extension to a common one such as .jpg (from .7z or whatever format you chose). Unless they dedicated processing time to look at each individual file attached in an emal and analyze it further than reading the extension (computationally costly) you're gonna be just fine sending, "Dude, let's watch The Matrix tonight. Shhhhhhh. Bring booze. My mom's out of town."
Go start your revolution. Do whatever you think that entails.
Or, if you aren't willing to do that, because revolutions are messy and often as not end up worse than what you had, kindly shut the fuck up.
I will not be joining you because while I feel the US has not been moving in a positive direction as of late, I feel that the solution to fixing it involves using the democratic process, not violent revolution, since I understand how nasty those are and also have a perspective on how good the US has it overall.
I get really tired of whiny, usually anonymous, basement dwellers playing toughguy on the net, decrying the US and saying we need to "revolt" or "rise up" or some BS. You aren't going to do that and you know it. So you are just being a douchebag, whining and complaining, suggesting that others should do the dirty work.
So put up or shut up. If revolution is really what you think is needed, get on that then. Though you might want to research a little as to what often happens to revolutionaries, and to countries after. If you don't, then STFU about it. Less whine, more action.
In fact, you will probably find that if you and other like you spent less time whining and more time working to affect actual change in the country within the system we have, things might start getting better.
The good think about the US is:
The 1st and 4th amendments make what most other countries can do less easy.
While true, most other countries that depend upon the Internet for commerce have robust privacy laws that the US lacks.
So these privacy laws make what the US does less easy as well. That is to say, in both situations, the government has to work to weasel around established laws.
Well then you were INCREDIBLY uninformed and a DECADE behind, because the US government's mass surveillance has been made public several times in the previous years.
* In December 2005, U.S. District and FISA court judge James Robertson resigned in protest over warrant-less wiretapping on US citizens. -- http://abcnews.go.com/Politics/story?id=1429647
* "News reports in December 2005 first revealed that the National Security Agency (NSA) has been intercepting Americansâ(TM) phone calls and Internet communications."
* "a USA Today story in May 2006 and the statements of several members of Congress, revealed that the NSA is also receiving wholesale copies of American's telephone and other communications records."
* "In early 2006, EFF obtained whistleblower evidence from former AT&T technician Mark Klein showing that AT&T [...] makes copies of all emails web browsing and other Internet traffic to and from AT&T customers and provides those copies to the NSA."
-- https://www.eff.org/nsa-spying
There were well-publicized lawsuits over this issue:
-- http://news.cnet.com/ATT-sued-over-NSA-spy-program/2100-1028_3-6033501.html
And even if you missed all of that:
* "In 2008, [the US] Congress granted telecoms immunity for cooperating with the government's intelligence-gathering activities." Obviously, you only need "immunity" from prosecution if you were complicit in committing criminal acts.
--http://www.cryptogon.com/?p=26717
Hell, what did you think Barak Obama's 2008 presidential campaign promises about surveillance and government secrecy reforms were all about? -- http://news.cnet.com/8301-10784_3-9845595-7.html
If you only found out about all of this recently, you'd have to been locked in a cave, or be a drooling moron.
I really didn't get the point of Snowden's leaks, or the public outcry after the fact, since this stuff has been public knowledge for many years now. I will say he had a decidedly positive impact, as the EFF's lawsuit (above) that was halted on national security grounds, was allowed to proceed after Snowden made enough of the program public knowledge that the state secrets excuse was laughable.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Why did the FBI not just raid the location, take the physical servers and storage assets, clone them and then let the courts sort it out? That way they could go and fetch the keys themselves, MiTM the traffic to the host through his ISP, masquerading as Lavabit, and snarf whatever they needed. They're already doing it in other cases.
What I'm wondering, is that when someone comes to your door with a warrant, and you say "No" and close the door, why would they allow you to go back and manipulate the bits and digital information that comprises the portion the warrant asked for?
In this case, how was Lavabit even allowed to shut down their services, if the FBI was at the door asking for the keys?
Something doesn't add up here.
because after this it's clear that their tech companies will be automatically deleted from applying for contracts in most of the world. And that, ladies and gentlemen, boys and girls, is why the NSA will be reigned in, NOT because the courts or the politicians will do anything about it.
FBI would have been happy with this condition - all they wanted was the metadata (headers) showing who this one guy was sending emails to or receiving them from. They never asked for the actual data.
Is it just my observation, or are there way too many stupid people in the world?
Yeah, that must be why Soviet Union and other Socialist/Communist governments, which could only function with omniscient and benevolent rulers, did so well...
In Soviet Washington the swamp drains you.
Don't want to trust me? Ok, let's go to plain text http then.
Anybody know how the Dutch company "Lavabyte" is coming along? When can I sign up?
It's crap like this that is causing U.S. technology to flee overseas.
Spread it around!
Other countries may have great laws on privacy or not like entrapment or fast track appeals to high courts.
They may also have concepts historically based on http://en.wikipedia.org/wiki/Inquisitorial_system
You also risk long term bureaucratic or police tracking or the domestic telco system been legally close to gov tracking efforts.
Domestic spying is now "Benign Information Gathering"
I wouldn't get too worked up about it. Analysis: Despite fears, NSA revelations helping U.S. tech industry
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Though I suspect a one line summary would be 'Too early to say'. Politically speaking, it's those tech companies that have the clout to achieve real change at the NSA, and are probably the best hope for it. We shall see!