Slashdot Mirror


Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys

jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."

118 of 527 comments

  1. https by jobsagoodun · · Score: 5, Funny

    Luckily I browse my favourite sites like /. using http so I'm not affected by this.

    1. Re:https by Anonymous Coward · · Score: 5, Interesting

      Your favorite site also bans random TOR exit nodes from browsing it. I can understand banning posting to prevent spam and such, but browsing? That's just moronic. It also craps when the IP of the user changes during editing/posting.

      Slashdot, please get on with the times, you are probably the legal site most visited by TOR users. You need to add HTTPS and improve TOR support.

    2. Re:https by NatasRevol · · Score: 5, Funny

      I'm sure the beta will fix this.

      It's one of the areas they're working on.

      --
      There are two types of people in the world: Those who crave closure
    3. Re:https by thevirtualcat · · Score: 2

      In Slashdot's defense, they are probably just repurposing a system to ban the IP addresses of abusive users. Why build a second, parallel system for TOR users when the system that's already in place does the job just fine?

    4. Re:https by aliquis · · Score: 5, Funny

      Wait for your turn!

      They are still trying to figure out these non-ASCII char sets.

    5. Re:https by geekoid · · Score: 2

      Why would they need to add https? To encrypt the text you are posting publicly? What is the impact of a MITM attack for a /. user?

      Not very much, if anything.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    6. Re:https by AmiMoJo · · Score: 2

      If it is encrypted they can't see what page you are browsing, or trivially associate your IP address/subscriber details with your Slashdot UID. Of course they could do all that stuff with some effort anyway, but we need to make it as hard and computationally intensive as possible. That's one of the best ways to thwart mass surveillance.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:https by lgw · · Score: 5, Insightful

      Because I'd prefer my employer not to know my /. UID?

      Never ask "why do you want privacy"; that's always a stupid question. Privacy is simply an integral part of the two prime human goals: liberty and dignity.

      This is a fundamental mindset change that's needed in developers! We've learned to write software that uses the least possible privilege, as the core of security. We need to learn to write software that offers the most possible privacy, as the core of human rights.
       

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:https by geoskd · · Score: 2

      Why would they need to add https? To encrypt the text you are posting publicly? What is the impact of a MITM attack for a /. user?

      Might improve the quality of some of the posts...

      --
      I wish I had a good sig, but all the good ones are copyrighted
  2. Nothing left to do by Anonymous Coward · · Score: 5, Insightful

    Understandable that he shut down.
    The USA is ruled by evil bastards that have no respect for the citizens.
    Time to revolt is now.

    1. Re:Nothing left to do by fustakrakich · · Score: 5, Funny

      You already ARE revolting!

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Nothing left to do by Anonymous Coward · · Score: 5, Funny

      That's the worst haiku I've ever read.

    3. Re: Nothing left to do by fizzer06 · · Score: 2

      Land of the free, home of the brave?

    4. Re:Nothing left to do by Lunix+Nutcase · · Score: 3, Insightful

      You mean the time is now for others to revolt while you sit in the basement playing armchair general. How about you actually do something rather than just make empty threats?

    5. Re: Nothing left to do by Anonymous Coward · · Score: 3, Insightful

      Land of the cowards, home of the slaves.

      Where else in the world can people be so cowed while simultaneously bragging about their right to go armed?

    6. Re:Nothing left to do by wonkey_monkey · · Score: 5, Funny

      *facepalm* on my part.

      *facepalm* on your face like everyone else. Dirty boy.

      --
      systemd is Roko's Basilisk.
    7. Re:Nothing left to do by Anonymous Coward · · Score: 5, Funny

      You mean the time is now for others to revolt while you sit in the basement playing armchair general. How about you actually do something rather than just make empty threats?

      Surely you're not suggesting that this AC is some sort of...coward...are you?

    8. Re: Nothing left to do by jedidiah · · Score: 3, Insightful

      It's almost like there's more than one person wandering around.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    9. Re:Nothing left to do by NewWorldDan · · Score: 4, Interesting

      And if you get one of these national security letters or other absurd warrant from the feds, publish it. The right of the press to publish otherwise classified material was affirmed in the 1971 case New York Times Co. v. United States, although that was a pretty weak ruling. But unless you've agreed to keep something secret, you're theoretically free to do with it as you like. Also, I'm not a lawyer and you shouldn't take your legal advice from the internet.

    10. Re:Nothing left to do by sociocapitalist · · Score: 3, Insightful

      Understandable that he shut down.
      The USA is ruled by evil bastards that have no respect for the citizens.
      Time to revolt is now.

      It's basically your fault there will be no revolution because you decided not to put an exclamation point which, very appropriately, sums up the attitude of most Americans about anything other than sports, shitty beer and big tits.

      --
      blindly antisocialist = antisocial
    11. Re: Nothing left to do by lgw · · Score: 2

      We have this system of "checks and balances": as long as the government checks come every month, people are satisfied with the balance.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    12. Re:Nothing left to do by SteveFoerster · · Score: 3, Interesting

      Yes, the U.S. has the equivalent to parliamentary privilege, and it's been used in living memory rather famously. During the Vietnam War era, Mike Gravel, a Senator from Alaska, included the Pentagon Papers into the Congressional Record, meaning they were then publicly available. He was protected by Article I, Section 6 of the Constitution, which among other things says about members of Congress that "for any Speech or Debate in either House, they shall not be questioned in any other Place." ("Speech" includes inclusions into the Congressional Record.)

      --
      Space game using normal deck of cards: http://BattleCards.org
    13. Re:Nothing left to do by davester666 · · Score: 2

      While the press is free to publish it, you are not free to give it to them. The rubber-stamp judges say so.

      --
      Sleep your way to a whiter smile...date a dentist!
  3. Why? by jbmartin6 · · Score: 4, Insightful

    I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Why? by jareth-0205 · · Score: 5, Informative

      I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?

      Because presumably the whole point of Lavabit is that the stored email was encrypted based on a key that only the user had, so in-transit is the only place they could see it.

    2. Re:Why? by Jose · · Score: 4, Informative

      Why would they want to intercept the traffic when they could just read it off the server?

      from TFA: ....But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

      --
      The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
    3. Re:Why? by cold+fjord · · Score: 2, Interesting

      If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.

      Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show

      “The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.

      U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.

      By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

      A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re:Why? by Anonymous Coward · · Score: 5, Interesting

      Actually, they did not have access to the site (that would have been overly broad and unconstitutional), but lavabit was forced by the court to install a packet dumper. So FBI had the full encrypted streams of all user sessions. FBI then requested the SSL key that would unlock all stored streams. The court reasoned that because the site uses a single SSL key for all users, that's lavabit's fault and agreed that the request is not overly broad.

      Luckily there's a simple technical fix for this: perfect forward secrecy in HTTPS, using RSA DiffieHellman or ECDH key exchange. The encryption key is ephemeral and the SSL private key cannot be used to perform a passive attack on the sniffed. FBI/NSA is forced to perform a MIM on the very sessions they target; if done on the scale of the whole internet, this would be easily detected.

      All HTTPS servers should ship with this cypher suite as the default.

    5. Re:Why? by bluefoxlucid · · Score: 4, Interesting

      The best part is they said here that they wanted the "Root Certificate", which would allow them to sign new keys. Caveat: that's just a trust model, allowing them to replace LavaBit's SSL key. What they wanted was LavaBit's site SSL private key.

      Let's say that the NSA got the Verisign Root Certificate and started using it to sign Verisign CSRs. A CSR includes the public key (certificate), but not the private key. The public key is already known. The NSA gains ... nothing.

      Now if they get the Google Gmail SSL private key, they can decrypt the SSL session handshake and key exchange. The key exchange exchanges a symmetric encryption key for AES or RC4 (yes RC4 is secure; yes I know it's used in WEP, which uses a new NONCE for every packet, and in their implementation they generate insecure NONCE/IV pairs and you can collect millions of these and crack it. Not applicable here). With Gmail's SSL private key, the NSA can decrypt the symmetric session key exchange and use that key to decrypt your session and read your e-mail.

      That's the difference.
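
Added example (not part of any comment in this thread, and not code from Lavabit or any TLS library): a toy Python model of the point made in the two comments above, that a recorded session negotiated with static RSA key transport becomes readable once the server's long-term private key is disclosed, while a session negotiated with ephemeral Diffie-Hellman does not. The key sizes, the XOR keystream and every function name are assumptions made for the demonstration.

```python
"""Toy model of a recorded TLS-style session and a later key disclosure.

Constructed for illustration: textbook RSA, a small DH group and an XOR
keystream stand in for real TLS primitives. Not for production use.
"""
import hashlib
import secrets

# Toy long-term server RSA key from two Mersenne primes (demo sizes only).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # long-term private exponent

# Toy Diffie-Hellman group: Mersenne prime modulus, generator 3.
DH_P, DH_G = 2**127 - 1, 3


def session_key(secret: int) -> bytes:
    """Derive a symmetric session key from the negotiated secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with a SHA-256 counter keystream (toy cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def dh_signature_digest(server_public: int) -> int:
    """Hash of the server's ephemeral public value, reduced for toy RSA."""
    digest = hashlib.sha256(server_public.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % N


def rsa_key_transport(plaintext: bytes) -> dict:
    """Static RSA: the client encrypts the session secret to the long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    return {
        "kx": "RSA",
        "encrypted_premaster": pow(premaster, E, N),  # travels on the wire
        "ciphertext": keystream_xor(session_key(premaster), plaintext),
    }


def ephemeral_dh(plaintext: bytes) -> dict:
    """DHE: fresh exponents per session; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2  # client exponent, never sent
    b = secrets.randbelow(DH_P - 3) + 2  # server exponent, never sent
    client_public, server_public = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(client_public, b, DH_P)  # equals pow(server_public, a, DH_P)
    # a, b and shared are discarded on return; only public values are recorded.
    return {
        "kx": "DHE",
        "client_public": client_public,
        "server_public": server_public,
        "server_signature": pow(dh_signature_digest(server_public), D, N),
        "ciphertext": keystream_xor(session_key(shared), plaintext),
    }


def signature_valid(transcript: dict) -> bool:
    """Check the server's signature with the long-term public key."""
    expected = dh_signature_digest(transcript["server_public"])
    return pow(transcript["server_signature"], E, N) == expected


def decrypt_recording(transcript: dict, longterm_private: int):
    """Return the plaintext a recording yields once the long-term key is known."""
    if transcript["kx"] == "RSA":
        premaster = pow(transcript["encrypted_premaster"], longterm_private, N)
        return keystream_xor(session_key(premaster), transcript["ciphertext"])
    # DHE: the recording holds g^a, g^b and a signature. The long-term key
    # appears only in that signature, so it unlocks no session secret here.
    return None


if __name__ == "__main__":
    message = b"constructed sample message"
    for handshake in (rsa_key_transport, ephemeral_dh):
        recorded = handshake(message)
        print(recorded["kx"], "->", decrypt_recording(recorded, D))
```

The model covers recorded traffic only: in the DHE case the long-term key still authenticates the server, so its holder can sign fresh handshakes for future sessions, which is why the comment above speaks of a man-in-the-middle on targeted sessions.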

    6. Re:Why? by CanHasDIY · · Score: 5, Insightful

      If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.

      Yes, how dare the impudent bastards attempt to protect their customers from illegal surveillance!

      Seriously, I think you just posited a digital variant of the 'skinny jeans defense' rapists use.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    7. Re:Why? by Anonymous Coward · · Score: 3, Informative

      Why would they want to intercept the traffic when they could just read it off the server?

      from TFA: ....But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

      The message contents, yes. But the header information they did have access to, as it's necessary for delivery. And that information is what the FBI wanted, and that information is what was all protected by a single SSL cert.

    8. Re:Why? by squiggleslash · · Score: 5, Interesting

      Well, I read the court documents and it appears the sequence of events went something like:

      1. FBI asked for real time details of (Snowden? Everyone thinks Snowden, the request was one day after it was revealed he has an account with Lavabit) an account, specifically metadata relating to email exchanges.

      2. Lavabit didn't respond.

      3. FBI got pissed, involved courts

      4. Lavabit made an offer to provide the information on a monthly basis, rather than a realtime basis, and asked for payment of $3,500 ($2,000 for labor and I can't remember what the other $1,500 was.)

      5. FBI threw a fit, announced that instead they were now asking for a box to be installed to intercept communications. The box would be programmed to only transmit the required information about person-we-think-is-Snowden, but because of the way it's designed would require Lavabit's SSL keys.

      5. Lavabit: Nu-uh.

      6. Courts: Uh yeah, we're siding with the FBI on this one.

      7. "But I don't trust the government to only intercept $PROBABLY_SNOWDEN's records. Also I want to talk about this case, first amendment and whatnot."

      8. Courts: "Well the government doesn't trust you, has good reason not to trust you based on your history of non-cooperation, and I don't care whether you trust it, established precedent says you have to cooperate. Also I'm not going to let you tell anyone about anything so there."

      At this point the courts started threatening fines. Lavabit gave up its key but in a way designed to piss off the FBI, which, of course, pissed off the court too. Court started imposing fines. Lavabit shut itself down.

      My reading:

      1. Lavabit wasn't as principled as claimed by Glenn Greenwald et al. They did actually plan (or told the courts and the FBI they would anyway) to release the records relating to $PROBABLY_SNOWDEN to the FBI. At best you can argue they were lying, but how's that showing integrity?

      2. Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing. These mistakes made it easy for the FBI to argue that they couldn't trust Lavabit to do what Lavabit was offering to do. Lavabit should have contacted the FBI immediately, made it clear their concerns, and not made a clearly bad-faith offer to provide something useless to the FBI - I don't mean they should have offered something useful, they should have said instead "Look, this is a major problem for us, we have to investigate further and determine something that can satisfy the law and your requirements that does not damage the integrity of our system", and had a lawyer work with the courts on this.

      3. Notwithstanding the above, the court's refusal to allow Lavabit to talk to politicians et al about the basic principles in the case seems absurd and completely unconstitutional. Given the circumstances, I have to assume that Snowden was the target - if $RANDOM_DRUGDEALER was the target, Lavabit going to a politician and saying "We've been told to hand over records of one of our 50,000 users" wouldn't tip anyone off.

      This is a total fuck-up. The EFF and ACLU can get involved now, but so many mistakes were made early on it's going to be an uphill fight for everything except the free speech issue. In particular, if you're expecting this to end up with a judgement that it was wrong to demand access to Lavabit's data, you're going to be sorely disappointed.

      --
      You are not alone. This is not normal. None of this is normal.
    9. Re:Why? by GameboyRMH · · Score: 2

      Luckily there's a simple technical fix for this: perfect forward secrecy in HTTPS, using RSA DiffieHellman or ECDH key exchange.

      Did you know that ECDH stands for Elliptic Curve Diffie-Hellman? Yeah it would solve the problem of the NSA's request alright...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    10. Re:Why? by omnichad · · Score: 2

      The public key is already known.

      I don't know about you, but I don't get any warning telling me that "The stored public key for secure.site.com does not match the one received. Continue to site?" Maybe I need to upgrade my browser.

      So for most, a MITM attack would be completely undetected.

    11. Re:Why? by Anonymous Coward · · Score: 2, Informative

      Lavabit has complied with warrant requests before, the FBI wanted more than just 1 users account, the warrant they had was only for a single user account, they demanded access to more. Did you even read the documents?

    12. Re:Why? by ArsenneLupin · · Score: 2

      Maybe I need to upgrade my browser.

      You need the Certificate Patrol plugin, which warns you when a site's certificate changes unexpectedly, even when the new certificate has a "valid" signature.

      Unfortunately, this doesn't work with Google's servers, who rotate among a gazillion certificates "legitimately", and thus drown the user in false positives. But given Google's cooperation with Prism, maybe this effect is wanted?

    13. Re:Why? by whoever57 · · Score: 3, Interesting

      By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

      In my humble and non-judgely opinion, the fact that Lavabit would have had to defeat its own security means that the original decision that allowed collection of metadata without a warrant supported by facts (Smith v. Maryland) should not apply to this case and the government should have had to articulate facts that led to reasonable suspicion in order to obtain a warrant to get metadata from Lavabit.

      --
      The real "Libtards" are the Libertarians!
    14. Re:Why? by dwpro · · Score: 2

      When you say the FBI "asked" for real time metadata, did they have a warrant?

      Regardless, the jump from "you're not doing what we ask" to "we get to install a black box on your network and spoof as you, trust us not to abuse this" seems excessive if not absurd as lavabit's core business is centered around privacy. It would be like a safe company being required to issue a key to every safe they've ever made to the FBI because they wouldn't hand over a single purchaser's account information.

      --
      Millions long for immortality who do not know what to do with themselves on a rainy Sunday afternoon. -- Susan Ertz
    15. Re:Why? by LateArthurDent · · Score: 4, Insightful

      Lavabit wasn't as principled as claimed by Glenn Greenwald et al. They did actually plan (or told the courts and the FBI they would anyway) to release the records relating to $PROBABLY_SNOWDEN to the FBI. At best you can argue they were lying, but how's that showing integrity?

      Once they were given a proper warrant, complying is the principled thing to do. That's proper due process. The point is to prevent the government from gaining access to information while skipping said due process. So no, at best I can argue they were telling the truth, and doing the right thing.

      Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing. These mistakes made it easy for the FBI to argue that they couldn't trust Lavabit to do what Lavabit was offering to do. Lavabit should have contacted the FBI immediately, made it clear their concerns

      Assuming the facts are correct, agreed.

      and not made a clearly bad-faith offer to provide something useless to the FBI

      I don't think that's what they did. The first offer of providing the information on a monthly basis seems both useful and better targeted than the initial FBI request. Why is this a bad-faith offer?

      Notwithstanding the above, the court's refusal to allow Lavabit to talk to politicians et al about the basic principles in the case seems absurd and completely unconstitutional.

      Right. The whole thing was the government throwing a fit. "Oh, you want to fight us. We'll up the ante, and ask for something completely unreasonable then.." It was very principled on their part to not fold as a result, and to shut down instead of giving them what they wanted.

    16. Re:Why? by Anonymous Coward · · Score: 4, Insightful

      Lavabit could have provided that, but refused.

      Good on them!

      This is on Lavabit.

      And for that, they are to be viewed as heroes.

      As opposed to Fed apologists, such as yourself.

    17. Re:Why? by cold+fjord · · Score: 2

      Yes, how dare the impudent bastards attempt to protect their customers from illegal surveillance!

      The problem is that the law says what the investigators wanted in this case was legal, and it appears that the Supreme Court has previously said was legal. If you want to claim that it was "illegal surveillance," you're going to have to come up with some interesting magic since it apparently was for investigation of an actual specific crime.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    18. Re:Why? by r_naked · · Score: 2

      This is on Lavabit?!? YOU are what is wrong with this country. Get the FUCK out.

      --
      -- http://anonet.org -- The internet the way it was meant to be. Check it out, you may be surprised.
    19. Re:Why? by jedidiah · · Score: 5, Insightful

      Lavabit being "in contempt" regarding the first request in no way justifies the second.

      This is just more of this sort of post-factum argumentation that is so common everywhere lately. You even see it at the level of the SCOTUS. Some goal is declared supremely important and then the law is distorted to fit that objective rather than to actually honestly examine if that objective is even legal to begin with.

      "We must do X, therefore we will ignore the law"

      Same nonsense, different day.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    20. Re:Why? by goose-incarnated · · Score: 2

      1. Non-cooperation is neither illegal nor prejudicial to your case. You have a right, as a legal entity, to refuse to cooperate.

      2. Bad-faith cooperation is neither illegal nor prejudicial to your case. You have a right, as a legal entity, to place limits on the extent of your cooperation, if any

      The state can issue warrants for data, but until and unless they successfully do, they are entitled to sweet fuck-all from whoever they are requesting the data from. A court can go ahead and give a warrant for whatever it wants to, up to and including retrieving data that cannot possibly ever be retrieved: The respondent in such a case has to convince the court (not too hard with expert testimonies/affidavits) that such a request is not possible due to the laws of physics.

      --
      I'm a minority race. Save your vitriol for white people.
    21. Re:Why? by TheGratefulNet · · Score: 4, Insightful

      if the US gov asked a huge mega-corp to break its whole business model and trust, essentially going out of business (think big auto makers or sony or some huge corp like that) do you think it would happen? would the gov push around a huge company and try to ruin them, just to get some (cough) meta-data?

      small guys who can be made to look 'dodgy': yes

      big co's who donate to the election campaigns: certainly not!

      "business as usual" ;( might makes right. time and time again, the larger the government gets, the more power it gets and the more corrupt it gets until its main goal is just to keep itself going along the same trajectory. ethics and fair treatment be damned.

      --
      "It is now safe to switch off your computer."
    22. Re:Why? by IamTheRealMike · · Score: 2

      PFS would not help in this case. The FBI asserted that a pen register (which is not a warrant and merely requires the government to assert "relevance") is sufficient to obtain the SSL keys for an entire service, because they choose to implement it via an SSL interceptor. LavaBit argued the pen register does not grant such broad power, so then they went and got a search warrant for it instead.

      Obviously if the FBI has the SSL key, they can impersonate LavaBit and intercept everything at that point. It helps only to prevent the NSA reading their old packet logs.

      The news here is not change your crypto - it doesn't work in the face of the $5 wrench attack (more accurately, $1000 fine per day). The news is that the FBI believes (and the court agreed) that the only thing they have to do to obtain an SSL key is assert that it is "relevant" to an ongoing investigation, an extremely low standard that is almost meaningless.

    23. Re:Why? by HeckRuler · · Score: 3, Insightful

      Ah, the NSA lapdog comes in to try and wheedle and twist and squirm any way he can to apologize for the NSA.

      But no. You can't even do that correctly, can you? Listen, the FBI demanded something. Lavabits said no. The court said yes. Then the FBI came in with an even bigger demand.

      A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

      "Upping the ante" is pretty synonymous with bullying. They refused the request, and the court order, and then the FBI "ups the ante" and demands complete access to everything? That's bullying flat out. It's abuse of power. Comply with our demands or we'll throw the whole book at you and make you dance.

      This is on Lavabit

      You mean the blame for this shit? No. No I don't think the blame is on Lavabits. I think the FBI got miffed that their cock wasn't sucked hard enough so they decided to rape a business to death.

      Hey, the FBI came back with a warrant. Ok. That's not that bad. It's actually a lot better than this bullshit warrantless "pen register order". That the warrant includes COMPLETE control over ALL communication that your entire business is specifically sold as being secure? That's bad.

    24. Re:Why? by CanHasDIY · · Score: 4, Insightful

      It's not magic, it's the rule of law: Per the Constitution, it is the supreme law of the land, and cannot be superseded by anything except a Constitutional Amendment. As no one has, to date, amended the Constitution to nullify the 4th Amendment, any "law" that violates the right of the People to be free from unlawful search and seizure is, in fact, not a legitimate law, no matter how many political appointees scream that it is.

      If the government made a law that said it was required for every goyim to kill at least 1 Jew, and the SCOTUS supported it, would you say the murders are legitimate, legal acts?

      Well, OK, maybe not you, specifically, but a person of reasonable faculties who has not already proven themselves to be an ardent licker of federal boot.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    25. Re:Why? by wiredlogic · · Score: 4, Insightful

      Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing.

      You shouldn't have to use a lawyer to get justice in a free nation. It shouldn't be possible to use a defendant's naivete as a procedural trap to extort concessions and violate due process. Judges are supposed to be biased in favor of defendants to ensure this doesn't happen. The puppet FISA "judges" are so quick to lick the boots of their real master that they can't be bothered to maintain a believable charade.

      --
      I am becoming gerund, destroyer of verbs.
    26. Re:Why? by Fnord666 · · Score: 2

      from TFA: ....But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

      If this is true, then how could Lavabit also have done the following?

      Lavabit offered an alternative method to tap into the single user in question but ...

      Either they could access the data or they couldn't.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    27. Re:Why? by jkflying · · Score: 2

      Lavabit didn't provide access in the first place because the FBI didn't have a warrant. By co-operating with the FBI they would have been violating the contractual agreement with their customers, which would have been illegal. However, by the time the FBI got a warrant they weren't interested in what they had come looking for in the first place.

      It's like a cop asking if he can search your car, and when you say no, as is your right, he goes off and gets a warrant to have your house searched and your business frozen.

      --
      Help I am stuck in a signature factory!
    28. Re:Why? by suutar · · Score: 2

      Actually, the 4th amendment does not say "unlawful", it says "unreasonable". Which opens a different can of worms, but does mean that the whole "it's a law, so it's lawful" discussion can go away.

    29. Re:Why? by chill · · Score: 4, Informative

      The summary is wrong.

      The FBI originally wanted access to just Snowden's account and Lavabit refused. In order to get it, they demanded SSL keys to feed into their snoop machine so they could filter out just Snowden's info.

      At that point, Lavabit AGREED to provide a tap on just Snowden. The FBI basically said "too late, we don't trust you to do it properly".

      Not that they should get what they tried to -- the SSL private keys -- but the summary makes it out to be something different than what happened.

      --
      Learning HOW to think is more important than learning WHAT to think.
    30. Re:Why? by CanHasDIY · · Score: 2

      The Fourth Amendment:

      The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      As you see, there are multiple criteria that must be met before a warrant is considered legal per the Amendment: There must be probable cause, the probable cause must be supported "by Oath or affirmation," and the request must describe a particular place to search, and a particular person or thing to be seized.

      Feel free to post the evidence that supports the claim that all these criteria have been met.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    31. Re:Why? by chill · · Score: 4, Informative

      In 1979 the SCOTUS ruled that pen registers didn't require warrants.

      http://en.wikipedia.org/wiki/Pen_register#Background

      --
      Learning HOW to think is more important than learning WHAT to think.
    32. Re:Why? by LateArthurDent · · Score: 2

      That makes sense only if you assume the judge is impartial, and the suspect in question is not persecuted for political reasons. Those are bad assumptions in today's America. We already have a lawless society, as demonstrated by the complete lack of prosecutions against anyone involved in illegal surveillance, any bankers whose fraud destroyed the economy and thousands of lives, and against anyone who committed or authorized torture during the Bush regime.

      You have to decide which side you are on. The side who breaks the law for the greater good? Or the side who uses the law to commit evil? This is the reality in which we live.

      I agree with you completely that problems exist. I don't agree that arbitrarily ignoring the justice system is a solution, instead of an action that furthers the problem. It's hard to fight a lack of respect for justice by demonstrating your own lack of respect for justice.

      When a judge gives you a warrant to turn over information on one of your users, and you have absolutely no idea whatsoever who the user is or what information is contained in the messages (Lavabit itself couldn't decrypt the communication), you don't have a leg to stand on to deny them the request. How do you know you're not interfering with a proper investigation on someone who used your service to arrange an assassination? You're assuming that particular warrant is invalid, merely because unjust warrants have been issued in the past. I'm not sure how you can rationally defend that view, considering perfectly just warrants are also issued all the time.

      On the other hand, when you're given a warrant that says, "give me information on all your users," you know that's a fishing expedition. You can certainly take a principled stand there.

  4. Your move, NSA by Max_W · · Score: 5, Funny
  5. What moron judge allowed this? by h4rr4r · · Score: 5, Insightful

    How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?

    1. Re:What moron judge allowed this? by loganljb · · Score: 4, Informative

      Things are a bit more involved than they seem from reading just the summary. The fed originally requested that LavaBit provide them with information regarding a single account (header information only, but on an ongoing basis), which they are allowed to obtain without probable cause. LavaBit refused the initial request, then stalled when given a court order to provide this information (I believe LavaBit was in the right in doing so -- I'm NOT supporting the fed's case, just providing information). The fed took LavaBit back to court, and obtained a court order requiring that LavaBit provide the SSL key, as the fed did not believe that LavaBit would comply with an order for information on a single account. The best part was when LavaBit sent them the SSL key, as a 4 point font printout :-)

      In other words, when LavaBit wouldn't provide them information on a single account, the fed escalated to the nuclear option.

    2. Re:What moron judge allowed this? by h4rr4r · · Score: 4, Insightful

      Stop right there. The fact that they are allowed this without probable cause is already too much.

      They should have sent it 4 point one character per page.

      The fact that the judge believed the FBI would only take the info the warrant allowed makes him either an accomplice or as naive as a child.

    3. Re:What moron judge allowed this? by FriendlyLurker · · Score: 4, Interesting

      Let's be clear, the single account was Edward Snowden's - and Lavabit's resistance was not futile, the so called nuclear option has backfired on the fed in terms of public sentiment.

    4. Re:What moron judge allowed this? by the+eric+conspiracy · · Score: 3, Insightful

      It's not a warrant. Email headers are not protected information under the law so all you need is a subpoena. Since they are disclosed to third parties there is no expectation of privacy under current law.

      It's the same idea that the outside of the envelope that you give the postman is not protected. Nor is a list of phone numbers that you call.

    5. Re:What moron judge allowed this? by h4rr4r · · Score: 3, Insightful

      The previous order was a violation of due process.
      Then the judge somehow believed the FBI would not take more data than they were allowed. So either he was in on it or incredibly foolish.

    6. Re:What moron judge allowed this? by h4rr4r · · Score: 2

      All of those should not be up for mass inspection.
      There is a huge difference between seeing the outside of one letter and running the data on all the letters I ever sent.

    7. Re:What moron judge allowed this? by loganljb · · Score: 4, Insightful

      Like I said, I don't disagree with how LavaBit handled this. In fact, I think EVERYONE should treat federal 'requests' for information the way that Ladar Levinson has, and greatly admire the stand he has taken. I was simply saying that it was more complicated than the summary made it out to be.

      That being said, in my personal opinion the fact that the fed can request envelope information with no probable cause is a travesty. I see it as no different than pulling mail out of my mailbox to see who I write letters to and who writes to me. This should be illegal search and seizure.

    8. Re:What moron judge allowed this? by Russ1642 · · Score: 3, Funny

      FBI guy: But Judge, I need to break these fifteen laws and the constitution to catch the bad guys!
      Judge: Oh, gotta catch the bad guys. Is this where I sign?
      FBI guy: Yes, thanks. Oh, and can you please nullify this parking ticket for me while you're at it?
      Judge: Sure thing. Now go get 'em.

    9. Re:What moron judge allowed this? by silas_moeckel · · Score: 5, Insightful

      The header information blanket traces back to an idiotic ruling that the outside of a letter was not protected since everybody can and had to read it to get it there (the USPS digitizes and stores all of them now). The FBI then applied this to encrypted traffic which makes no sense since it's no longer data that anybody but them or their agent can read.

      We need clear guidance, which a simple presidential order could give that prohibits all of these sorts of searches.

      --
      No sir I dont like it.
    10. Re:What moron judge allowed this? by bill_mcgonigle · · Score: 3, Insightful

      If you read TFA you'll see that it came about because Lavabit did not comply with the previous order. There is little mystery about it.

      They could have gone for enforcement (pretty much "SWAT team" these days) of the previous order. But they used the situation as an excuse to get what they really wanted, 4th Amendment be damned.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    11. Re:What moron judge allowed this? by Anonymous Coward · · Score: 5, Funny

      I doubt many in the public will support them when the facts emerge that they were defying court orders.

      Yeah, how dare they challenge authority! It's unamerican!

    12. Re:What moron judge allowed this? by AlphaWoIf_HK · · Score: 3, Insightful

      While that's certainly a possibility (given how illogical the law often is), it has nothing to do with whether or not these actions were wrong.

      --
      Da derp dee derp da teedly derpee derpee dum. Rated PG-13.
    13. Re:What moron judge allowed this? by towermac · · Score: 5, Interesting

      I got no mod points, but this is absolutely the takeaway.

      The US depends on its software industry; we shipped all our labor jobs overseas to trade them for office work (programming). That, and Hollywood, is why we're so mean to other countries over IP.

      And now the US government has completely undermined them. It's probably a good time to be a programmer in Brazil and Germany. I wonder if our software industry will be able to recover from this.

    14. Re:What moron judge allowed this? by FriendlyLurker · · Score: 5, Insightful

      ...when the facts emerge that they were defying [Secret, Unaccountable, Undemocratic] court orders.

      Cold Fjord's subservient cheerleading to power never ceases to entertain. Obviously the operators of the Cold Fjord account have learned absolutely nothing from history, or are on the wrong side. See: "Means Used by the Nazi Conspirators in Gaining Control of the German State". Quote: "To make certain that cases with political ramifications would be dealt with acceptably and in conformity with Party principles, the Nazis granted designated areas of criminal jurisdiction to the so-called Special Courts (Sondergerichte)."

    15. Re:What moron judge allowed this? by c · · Score: 2

      In other words, when LavaBit wouldn't provide them information on a single account, the fed escalated to the nuclear option.

      It sounds like LavaBit's security was essentially an "all or nothing" situation, though. If they compromised just one of their users, then effectively none of their users were secure anymore.

      Obviously, the feds weren't too keen on getting "nothing".

      Not sure how LavaBit could have architected things to not be in this position. Maybe giving each individual user a subdomain with its own separate SSL server key would allow a specific user to be targeted without breaking everyone's encryption. But quite frankly, who in their right mind would depend on a secure e-mail provider who'd design things for their own legal convenience?

      --
      Log in or piss off.
    16. Re:What moron judge allowed this? by david672orford · · Score: 5, Insightful

      Stop right there. The fact that they are allowed this without probable cause is already too much.

      It is interesting that the prosecutor portrayed this as a pen trap. Courts have ruled that users do not have a reasonable expectation that the numbers they dial on their phone line will remain private (basically because they show up on the bill) but that they do have a reasonable expectation that nobody is listening in. That is why this information can be obtained without probable cause. But if Lavabit offered specific guarantees that this information would not be recorded except in the encrypted e-mail boxes, then the users had a reasonable expectation of privacy. This might make the use of a pen trap without probable cause illegal.

    17. Re:What moron judge allowed this? by david672orford · · Score: 2

      Lavabit shut down. Their other customers have lost service. They are almost certainly going to lose in court. I doubt many in the public will support them when the facts emerge that they were defying court orders.

      What if their appeal creates legal precedent which strengthens privacy protections? Presumably that is something the 400,000 users who lost service care about.

    18. Re:What moron judge allowed this? by Anonymous Coward · · Score: 2, Insightful

      Lavabit shut down. Their other customers have lost service.

      Their other customers retained their privacy and security in the face of a well-resourced attack from the US government and Lavabit even managed to make the attack, its tactics and its source publicly known. The owner sacrificed his business to do it. If there were a heaven for secure email services, Lavabit would be the ones getting to judge everyone else for whether they make the cut for getting in. I doubt you've ever been as successful at anything in your life as these people have in preserving their customers' privacy - which was exactly the service that they were providing.

    19. Re:What moron judge allowed this? by AHuxley · · Score: 2

      Re.."public will support them when the facts emerge that they were defying court orders."
      The public now understands that the totality of the encryption was at risk and not just for 'one' account.
      That basic insight is a great fact that has emerged and now it's public can be talked about :)

      --
      Domestic spying is now "Benign Information Gathering"
    20. Re:What moron judge allowed this? by mrBoB · · Score: 2

      Hmmm... wonder if LavaBit can sue the Justice Department and the FBI for illegally restricting their commerce? IANAL, but damn sure wish I was...

      True justice transcends "laws." There are unjust, unfair and unethical laws. Unfortunately, too many people believe that "the law is the law" and it cannot be changed. The civil rights movement wouldn't have (moved) if it weren't for the realization of the contrary (that some laws _should_ be changed).

    21. Re:What moron judge allowed this? by tnk1 · · Score: 4, Insightful

      More likely it is:

      FBI: The precedents handed down allow us to demand this.
      Judge: That sucks... unfortunately you are right.
      FBI: Tell them to hand over the goods or we'll appeal and you'll get slapped down and you'll still have to do it.
      Judge: Fine, assholes.
      Lavabit: We're going to comply in the least cooperative way.
      Judge: Don't fuck with me, I'm already in a bad mood from Special Agent Dickface over there.
      Lavabit: Nyaahhh
      Judge: Okay, fine. Which is to say, pay a fine, now.

    22. Re:What moron judge allowed this? by blueg3 · · Score: 4, Insightful

      They should have sent it 4 point one character per page.

      No. You should have a good reason for telling them "no", then you should tell them "no" with your reason, and get lawyers involved. Pretending to technically comply with a court order while making an obviously obstructive, bad-faith effort is a good way to ensure that things go rapidly downhill for you.

    23. Re:What moron judge allowed this? by TangoMargarine · · Score: 2

      Protecting *all* of your users or shutting down to avoid betraying one of them has a philosophical elegance about it in my mind. After all, what good is your service if it's basically "we'll protect your data...unless the government tells us they feel like reading yours. Then you're SOL"?

      Granted, it's debatable whether that was really the intent, but oh well.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    24. Re:What moron judge allowed this? by TangoMargarine · · Score: 2

      Back in grade school, with the random printer we had and my bare eyes, I could read font size 2 printouts with just a bit of squinting. And there's OCR.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    25. Re:What moron judge allowed this? by dcollins · · Score: 3, Insightful

      I wish I could agree but I don't. The US government has crushed some fairly small-time players. They have the big players well in control (MS, Google, Facebook), and they aren't going anywhere (too many stakeholders, can't be moved or shut down the same way). This particular skirmish is win-win for the US government -- fewer choices for citizens, more people forced onto the big centralized systems they have full access/control to, proven threats to use against any future outliers.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    26. Re:What moron judge allowed this? by sjames · · Score: 2

      Actually, it does. The 'expectation of privacy' is not based on a particular entity, but is based on who the information is already disclosed to. For example, you have no expectation of privacy in a park because total strangers can see what you're doing and you know it.

      The whole pen register deal was a bit of sophistry in the first place claiming that you already disclosed the number dialed to the phone company. Lavabit ups the ante by specifically agreeing that the headers are your private information and that they won't record them (unlike the phone company).

    27. Re:What moron judge allowed this? by david672orford · · Score: 2

      Then congress will quickly pass a new law to overrule that precedent. They can call it the... 'PATRIOT' is taken. Maybe the 'SAFE AMERICA' act. Something with an awkward backronym, anyway.

      Congress can "overrule" court precedent under two circumstances: 1) the law was ruled unconstitutional due to a correctable technical fault such as being too vague or 2) the court ruled that the law did not apply to the specific case and that if congress wants it to apply to such cases in the future it should rewrite it. But congress cannot overrule a court finding that a law violates the constitution by its intent. That requires a constitutional amendment.

    28. Re:What moron judge allowed this? by tlhIngan · · Score: 2

      Things are a bit more involved than they seem from reading just the summary. The fed originally requested that LavaBit provide them with information regarding a single account (header information only, but on an ongoing basis), which they are allowed to obtain without probable cause. LavaBit refused the initial request, then stalled when given a court order to provide this information (I believe LavaBit was in the right in doing so -- I'm NOT supporting the fed's case, just providing information). The fed took LavaBit back to court, and obtained a court order requiring that LavaBit provide the SSL key, as the fed did not believe that LavaBit would comply with an order for information on a single account. The best part was when LavaBit sent them the SSL key, as a 4 point font printout :-)

      In other words, when LavaBit wouldn't provide them information on a single account, the fed escalated to the nuclear option.

      Slight error.

      The Feds wanted a "pen register" put on an account (basically an account of destinations and origins). Lavabit refused, saying that even if they had that data, it'll be encrypted and thus useless.

      The feds then asked for a key to that information, which was also refused because that would reveal unrelated users' accounts.

      Then the feds asked for a wiretap warrant (which is actually a VERY hard thing to get and requires a ton of manpower because you're not allowed to record unrelated conversations).

      The judge granted the order because she was very unimpressed with Lavabit's responses - the first she accepted just fine (ok, it's encrypted). So she allowed the second order for the encryption key to decrypt just that account.

      When Lavabit refused because it would reveal more information than the warrant allowed, she got a bit testy - why would you do everything based on one key? Secure email indeed...

      So the feds got back with a wiretap warrant because if getting the requisite key was going to decrypt everything, then that's the only way it'll be allowed.

      Basically the nuclear option was taken because the precise strike option was blocked - Lavabit said they can't do the pen register (or rather, it would be useless as that information is encrypted). But to decrypt that would require using the global site key which would unlock more accounts than just the one, so the feds have no choice but to ask for said key.

      The judge couldn't see why there couldn't have been a per-account key used to guard the data per account, rather than locking it all up with one global key.

      Even worse, Lavabit's still on the hook for the information despite being shut down.

    29. Re:What moron judge allowed this? by CowTipperGore · · Score: 4, Informative

      The FISA courts were created by Congress, the same as any other Federal court besides the Supreme Court. The FISA court is accountable to both its appeal court and the Supreme Court like other Federal Courts, and the Judges can be removed by Congress as can other Judges. In fact, the Judges on the FISA court are ordinary Federal judges that rotate through the FISA court from other Federal courts.

      The FISA Court is accountable to no one. The FISA Court meets in secret and only one side is represented, so there is no possibility of appeal for those whose rights are trampled. The FISA Court has denied only 11 of 33,942 requests in its 33 years of operation and the FISA Court of Review has met a total of twice in that time period. The design and operation of the FISA Court provides no path for accountability to the Supreme Court. Even if the telecom companies that were required to provide customer data to the government wanted to appeal, there is no requirement that their arguments are considered (the FISA Court allowed Yahoo! to appeal in 2008 so that the law in question could be ruled okay and a heavily redacted ruling released to make sure no one else bothers to try). No FISA-related case has ever gone to the Supreme Court and it isn't clear how one could.

      Congress has no oversight of the judges. Each judge is appointed by the Supreme Court Chief Justice with no oversight or confirmation by anyone else, including Congress. In the 33 years of FISA, we've had three chief justices, all conservative Republicans. John Roberts appointed every single FISA Court judge currently serving.

      Your dishonesty regarding FISA is troubling. Either you are ignorant of something you strongly support or you are lying in hopes of deceiving others.

  6. That doesn't follow by swillden · · Score: 4, Informative

    if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone.

    I don't think so. There's a big difference between the legal firepower available to a small service provider like Lavabit and someone like Yahoo or Google -- and handing over the ability to read everything is definitely not something that a simple warrant can legally require. Nor even an NSL.

    In fairness, in this case the FBI's original request did ask for just specific metadata about one user. I haven't read it closely enough to understand how the scope was broadened so dramatically, except that I understand that Lavabit refused to comply early on, and then eventually the FBI decided that they didn't trust Lavabit to comply correctly due to Lavabit's obstructionism, and so decided that they just wanted to be able to read all the traffic and extract the bits they needed themselves.

    Lavabit, of course, decided to shut down instead. That way there would be no traffic to read.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:That doesn't follow by h4rr4r · · Score: 4, Insightful

      In all fairness their first request was horseshit. The idea that the metadata of email even encrypted email is not protected is already so outlandish as to be nearly unbelievable. We now know we live in a police state.

      This judge is either willingly part of this bullshit or the most naive SOB that ever lived when he believed the FBI would only take the information the warrant allowed. If you give them the ability to get more they will take more.

    2. Re:That doesn't follow by the+eric+conspiracy · · Score: 4, Insightful

      Umm in a police state Lavabit would have never existed in the first place.

      We are in one of those times where the US government is over-reaching their powers under the Constitution. It isn't the first time.

      Time to wake up folks. The price of freedom is eternal vigilance.

    3. Re:That doesn't follow by h4rr4r · · Score: 3, Insightful

      All police states have to start somewhere and letting lavabit operate while holding the keys to it is one hell of an observation tool.

      I am aware this is not the first time, but like before we will need something major to wake people up.

  7. Should the US still be in charge of the internet? by Anonymous Coward · · Score: 5, Interesting

    Go ahead, mod me troll. But given the recent revelations, how can we claim to be any better than even the fucking UN at this point? I've made a complete u-turn on this issue, and it scares the crap out of me that I would have continued to defend the US as the savior and guardian of the open and free internet if it wasn't for a single guy leaking some stuff. And we can't even push something as simple as net-neutrality regulations through without it becoming a horrible political mess.

    Fuck this government and its institutions and fuck the people that support it.

  8. Contribute by kajsocc · · Score: 5, Informative

    Lavabit is still in court over this. You can contribute to their legal defense fund here.

    1. Re:Contribute by Mhtsos · · Score: 2

      Mod parent up.
      Also Google, Amazon and Microsoft should be fighting on who will send the most lawyers over to Lavabit if they have any sense in them, because of a thing called legal precedence.

    2. Re:Contribute by DeathToBill · · Score: 5, Informative

      I'm blowing seven mod points I've already handed out on this story doing this, but meh, who cares. Pointing out someone has no idea what they're talking about is worth it. Sending the most lawyers has nothing to do with legal precedence. Lawyers can't influence legal precedence any more than any other person in the country. I'm not sure why you even care about legal precedence - it's not usually a very controversial subject. It's just how things are.

      A court has precedence because courts are set up in a hierarchy by the legislature.

      Some types of law have precedence over others, for instance the constitution over statute and statute over regulation.

      Of course, they may want to send lawyers because of things called legal precedents. It's something different. Go look it up.

      --
      Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
    3. Re:Contribute by Ragica · · Score: 3, Interesting

      It's interesting that Americans have a choice to contribute a few bucks to this defense... while having apparently no choice about the amount they are paying for the prosecution.

    4. Re:Contribute by ColdWetDog · · Score: 2

      You blew mod points because of spelling error?

      Kudos to you sir, a Slashdot pedant extraordinaire. It's what makes us great!

      --
      Faster! Faster! Faster would be better!
    5. Re:Contribute by dcollins · · Score: 2

      That's "a spelling error".

      I blew twenty-four mod points, came home from work, crashed my car, paid a thousand dollars, screamed at some people on the street, and made my girlfriend break up with me in order to fix that missing article.

      --
      We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
  9. So much for narrow scope by Supp0rtLinux · · Score: 3, Interesting

    I thought these and similar laws (wiretap, etc) were only allowed to act upon the entities being investigated and for which the warrant was issued. And it sounds like Lavabit tried to keep the scope narrowed to the one person being investigated, but the FBI wanted more. Isn't this overreaching the scope of the warrant and therefore any case developed would be tossed out? IANAL, but I thought the scope limitations were there for a reason. That idea TPB had to buy an island is sounding more and more convincing these days...

  10. misleading summary by schneidafunk · · Score: 3, Informative

    Lavabit did not offer an alternative solution, they offered to comply with the ORIGINAL search warrant that asked for just one user after prosecutors upped the ante when Lavabit refused the first search warrant.

    FTA:
    "By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested."

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
  11. Groklaw/PJ by Anonymous Coward · · Score: 2, Interesting

    Was this the thing PJ said she couldn't reveal but would cause anyone to distrust email?

  12. update by Anonymous Coward · · Score: 5, Interesting

    UPDATE 7:00pm CT: In a press release published on his Facebook page, Levison confirmed the unsealing and laid out his defense.

    "People using my service trusted me to safeguard their online identities and protect their information. I simply could not betray that trust," he said. "If the Obama administration feels compelled to continue violating the privacy rights of the masses just so they can conduct surveillance on the few then he should at least ask Congress for laws providing that authority instead of using the courts to force businesses into secretly becoming complicit in crimes against the American people."

    http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/

  13. They wanted a man-in-the-middle box by Anonymous Coward · · Score: 5, Informative

    Firstly they wanted *all* meta data on every Lavabit user, not just Snowden. It was a blanket demand to get all of the data.
    They also wanted a man-in-the-middle box. A device which would have the root certificate under control of the government and would sit in Lavabit's network able to man-in-the-middle attack emails (i.e. speech) of Lavabit users not connected to Snowden.

    Lavabit are guardians of the customers' data, how can they guard if a black-box is on their network? It can do anything, the judge has no way of telling, Lavabit has no way of telling. Google apparently refused these boxes and with good reason. There is no trust here, the Judge is not supposed to trust the FBI & NSA to do only what it says. He's supposed to be the guardian of the law, just as Lavabit are the guardians of the data.

    An example, if I had such a box, I could spoof email convincingly in a way that would pass forensics. I could create fake evidence. I could spread disinformation (propaganda) again untraceably.

    They also asserted that it filters out only the data they were allowed to have and throws away the rest. We know this has been proven to be false in many many leaks, even the President now pretends the data goes into a 'lockbox'. A lockbox isn't a lockbox if the NSA has the key and no judicial oversight stops them turning that key at will.

    It seems, once again, the judicial branch has simply become a fawning sidekick to the executive branch.
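
Added example, not part of the thread and not Lavabit's code: a toy model of what a device holding the site's long-term private key can get out of a recorded session, under RSA key transport versus an ephemeral Diffie-Hellman exchange. All parameters are constructed and far too small for real use, and the function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters: far too small for real use, chosen so the
# arithmetic runs instantly with the standard library only.
P, Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes
N, E = P * Q, 65537                    # server's long-term RSA public key
D = pow(E, -1, (P - 1) * (Q - 1))      # server's long-term RSA private exponent
DH_P, DH_G = 2**127 - 1, 3             # toy Diffie-Hellman group


def _kdf(secret: int) -> bytes:
    """Derive a session key from a shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def _digest_int(value: int) -> int:
    """Hash a value down to an integer below N so the toy RSA can sign it."""
    digest = hashlib.sha256(value.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % N


def rsa_key_transport_session():
    """Client encrypts a random premaster secret to the server's long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    transcript = {"kex": "RSA", "encrypted_premaster": pow(premaster, E, N)}
    return transcript, _kdf(premaster)


def ephemeral_dh_session():
    """Both sides use one-time DH secrets; the long-term key only signs."""
    a = secrets.randbelow(DH_P - 3) + 2          # client's one-time secret
    b = secrets.randbelow(DH_P - 3) + 2          # server's one-time secret
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {
        "kex": "DHE",
        "client_pub": client_pub,
        "server_pub": server_pub,
        "signature": pow(_digest_int(server_pub), D, N),
    }
    session_key = _kdf(pow(server_pub, a, DH_P))
    return transcript, session_key               # a and b are discarded here


def signature_is_valid(transcript) -> bool:
    """Check the server's signature over its ephemeral DH value."""
    return pow(transcript["signature"], E, N) == _digest_int(transcript["server_pub"])


def key_from_recording(transcript, private_exponent):
    """Session key recoverable from a recording plus the long-term private key.

    Returns None when the recording contains nothing encrypted under that key.
    """
    if transcript["kex"] == "RSA":
        premaster = pow(transcript["encrypted_premaster"], private_exponent, N)
        return _kdf(premaster)
    return None  # DHE: recovering the key means solving a discrete log instead


def run_demo():
    rsa_rec, rsa_key = rsa_key_transport_session()
    dhe_rec, _dhe_key = ephemeral_dh_session()
    return {
        "rsa_recording_decryptable": key_from_recording(rsa_rec, D) == rsa_key,
        "dhe_recording_decryptable": key_from_recording(dhe_rec, D) is not None,
        "dhe_signature_valid": signature_is_valid(dhe_rec),
    }


if __name__ == "__main__":
    print(run_demo())
```

In both modes the long-term key still authenticates the server, so the ephemeral exchange limits what already-recorded traffic exposes but does not address an in-path device that holds the key.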

  14. Certificate Authorities compromised? by kaalon · · Score: 5, Interesting

    Can we assume that all the major Certificate Authorities have been "compromised" by the FBI / NSA as well?

  15. Re:Should the US still be in charge of the interne by Anonymous Coward · · Score: 2, Insightful

    If we are to choose a single country, then probably US is the best option (at least if you are not a brown person). Nations are generally divided in two bunches: US sockpuppets that can be used for things even the US does not want to be seen doing (hint: like Canada) and totalitarian dumps whose leaders would gladly murder just about anyone that threatens their access to power. So a common counterargument is that we either end up with US, or someone much worse.

    But it does not have to be that way. An international agreement drafted by the major industrialized nations with an eye towards freedom of expression and democracy could be a much better deal than a single nation calling the shots. One important provision in such a treaty would be banning spying of international traffic passing through domestic lines. Nations would still be tempted but if caught it would justify international sanctions like a connectivity embargo. Imagine that, the first country with a closed internet would not be Iran, but USA. And the closure will come from the exterior. Quite a sensation on Nasdaq.

    Anyway, don't get your hopes up, the way things work in the UN, there will never ever be a sanction against US, because it along with select few can veto any such action.

  16. Summary is hogwash by Anonymous Coward · · Score: 2, Informative

    Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys

    That's nonsense, and in particular Lavabit encrypted the user data and communication using public key encryption methods. The problem is that the communication is SSL-encrypted. And that means the private SSL keys allow complete eavesdropping on the communication and man-in-the-middle attacks (insertion of malicious content). That allows getting a hook into key exchanges and ultimately compromising whatever you want that depends on ongoing trust of the service.

    If the service has been set up well, past data and communication are secure from decryption. The Lavabit owner had built a service ultimately relying on his personal integrity (and at some point in the process, you can't take that out of the equation) for its principal goal, secure mail, and the feds demanded he hand over his integrity. Any continued operation of the service would have been effectively fraud since its core tenet would no longer be provided.

    He might have to serve prison for refusing to defraud all of his customers regarding his sole product. The good news is that he shut down before they were able to turn his service into a trap.

    Fucking totalitarian injustice regime.
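
The difference comment 16 describes between exposed live traffic and protected past traffic depends on the key exchange in use. As an added example (not part of the original thread; toy-sized constructed parameters, all function names hypothetical), this Python sketch records one session with RSA key transport and one with ephemeral Diffie-Hellman, then shows what a later-disclosed long-term key recovers from each capture:

```python
import hashlib, secrets

# Constructed toy parameters; real deployments use 2048-bit+ RSA and standard groups.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537        # server's long-term RSA primes
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D is the private key an order would demand
DH_P, DH_G = 2**127 - 1, 3                   # group for the ephemeral exchange

def xor_stream(secret: int, data: bytes) -> bytes:
    """Stand-in record cipher: XOR with a SHA-256 keystream derived from the secret."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(f"{secret}:{i}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest(value: int) -> int:
    """Hash an integer into the RSA modulus range for signing."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N

def rsa_session(msg: bytes) -> dict:
    """Client encrypts the session secret to the server's long-term key."""
    secret = secrets.randbelow(N - 2) + 2
    return {"kx": "rsa", "wrapped": pow(secret, E, N), "record": xor_stream(secret, msg)}

def dhe_session(msg: bytes, signing_key: int = D) -> dict:
    """Both sides use throwaway exponents; the RSA key only signs the server share."""
    a, b = secrets.randbelow(DH_P - 3) + 2, secrets.randbelow(DH_P - 3) + 2
    share_c, share_s = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    sig = pow(digest(share_s), signing_key, N)
    secret = pow(share_s, a, DH_P)           # a and b are discarded on return
    return {"kx": "dhe", "shares": (share_c, share_s), "sig": sig,
            "record": xor_stream(secret, msg)}

def signature_valid(t: dict) -> bool:
    """Client-side check that the server share was signed by the holder of D."""
    return pow(t["sig"], E, N) == digest(t["shares"][1])

def decrypt_recording(t: dict, disclosed_d: int):
    """What a stored capture yields once the long-term key is handed over."""
    if t["kx"] == "rsa":
        return xor_stream(pow(t["wrapped"], disclosed_d, N), t["record"])
    return None  # nothing in a DHE capture was encrypted to the RSA key
```

`signature_valid` accepts any share signed with `D`, so whoever holds that key can still place themselves in the middle of future sessions; the ephemeral exchange protects only what was recorded before the key was disclosed.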

  17. Read-only vs. complete ban by tepples · · Score: 4, Insightful

    How is a user who just reads considered "abusive" to Slashdot? Treat Tor like any other open proxy, giving it read-only access.

  18. Re:Should the US still be in charge of the interne by AHuxley · · Score: 2

    The good thing about the US is:
    The 1st and 4th amendments make what most other countries can do less easy.
    The US press and lawyers now know more :)
    In other countries cleared bureaucrats or police would set up long term isp logging based on ip/ports/time found via their work laptops at home.
    Find, point, click you're in the system for years.
    Your automated isp logging might get a more senior bureaucrats or police review after many months. Some 'ministers'/'court' staff rushed review year/s later for an extension.
    The good thing about the rest of the world is:
    They can air gap, invest, design, export hardware and encrypt in new ways long term.

    --
    Domestic spying is now "Benign Information Gathering"
  19. Orwellian by mrflash818 · · Score: 3, Insightful

    The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested.

    When I was growing up (70s and early 80s), all the US propaganda about how bad the Soviet Union was, how bad East Germany was, in terms of privacy, citizen rights, and being police states.

    "Hypocrisy!", in my opinion.

    In my opinion laws should protect non-suspect citizen rights, and enforcement agencies (FBI in this case) should be legally required to only target and restrict their levels of privacy breach to only those individuals or organizations of inquiry. They should have no legal authority to make such demands, and if a company or citizen gets such a demand, the FBI should be able to be publicly sued for attempting to exceed their authority.

    AND, if the FBI currently is allowed to do such dragnets, the laws should be amended to remove such authority, and be enforced.

    --
    Uh, Linux geek since 1999.
  20. Re:The USA is ruled by TheGratefulNet · · Score: 5, Insightful

    the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.

    this is human nature. the dark side of human nature.

    at least its out in the open, now. what we do with it, as a species, is up to us. do we put our data thieves (ie, the government) behind bars or do we just say 'I have nothing to hide!' and let them continue along with their abuse and theft of our privacy?

    there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it. companies includes (your corp firewall and your corp provided laptop probably has built-in certs from the company)

    --
    "It is now safe to switch off your computer."
  21. Re:The USA is ruled by erikkemperman · · Score: 5, Insightful

    there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.

    Qualitatively, yes you're probably right. Quantitatively, not so much. It's like the military. Every country, or almost, has one. But only the USofA spends about as much on "defense" as the rest of the planet put together.

    PS Capitals, used with some restraint, go a long way to making heads and tails out of a sentence.

    --
    Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
  22. Not just SSL by Todd+Knarr · · Score: 3, Insightful

    It's not limited to just SSL. Any company that holds a copy of your encryption/decryption keys (a public certificate is OK, the matching private key that goes with it is the problem) can be ordered to turn them over. The only safe system is where the keys that secure the system never leave your possession.

    For e-mail that means using S/MIME or OpenPGP with a self-signed certificate and a private key you generate yourself. For encrypted documents, the same. The e-mail and documents need to be encrypted on your end before they leave your computer. Be aware that if you're encrypting messages to someone else the security will be controlled by their handling of their keys. You're encrypting using their public key, there's no security implications from disclosure there. However, if the recipient's using a service where the provider has a copy of their private key (used to decrypt messages to them) then messages can potentially be eavesdropped on by outsiders who've compromised the provider and gotten the key. Be aware of this aspect and make sure you know how recipients are handling their own security.

    Yes, the above means any and all web-based or hosted services are automatically vulnerable no matter how they're designed. The only secure systems are ones where you, or software running on your computer and that you control, does the encryption and decryption and the private keys are never disclosed to any other party.

    1. Re:Not just SSL by Todd+Knarr · · Score: 2

      Oh BTW, yes that means that public-key certificates issued by a certificate authority are also vulnerable. Not as vulnerable, but if you're depending on a CA to vouch for the validity of the certificate then the government can demand (and have demanded) that the CA turn over their root signing keys. At that point the government can issue themselves a certificate in your name, signing it with the CA's key, and their certificate will be accepted as valid by everyone allowing them to impersonate you. That's not quite as bad a compromise as them being able to eavesdrop on all your communications, but it's bad enough to be a problem.

  23. basically by Khashishi · · Score: 4, Insightful

    Basically, the government can force you to do anything it wants, and there's nothing you can do about it. Strange, I remember hearing about some document that spelled out certain limitations on the government's powers, and certain rights that people had, but I must have misremembered.

  24. Some actual facts by sjbe · · Score: 2

    The US depends on its software industry; we shipped all our labor jobs overseas to trade them for office work (programming).

    Really? Then how do you explain the fact that the US has a multi-Trillion manufacturing sector which employs around 12 million people?

    Bear in mind that the size of the global market for software is around $300 Billion and the number of US software developers is around 900,000.

  25. Re:The USA is ruled by erikkemperman · · Score: 2

    So, basically you're saying that the military spending isn't outrageous, but the GDP is?

    Anyway, when you end up comparing military expenditure in practice -- on the battlefield, or what passes for it these days -- it is still one army (etc) against another.

    And the US military accounts for 39% of the world total (so not entirely half, I stand corrected.)

    --
    Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
  26. Re:The USA is ruled by ObsessiveMathsFreak · · Score: 5, Insightful

    the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.

    I live in Ireland. I can pretty much guarantee you of three things.

    1) The state lacks the expertise to snoop on any communications.
    2) The state lacks the legal clout to force anyone to turn over their encryption keys.
    3) The government would likely not survive the closure of an IT SME such as Lavabit -- and loss of associated jobs -- which resulted from direct government interference in that company's ability to operate in Ireland.

    The rules that apply to the US government do not apply to every government. Some governments lack the skills, laws, and nerve to pull off what the White House/NSA is doing to US internet companies right now. More governments simply lack the money to pay for so extensive a network of surveillance and control.

    there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.

    That can includes more than simply being ABLE to do it. It includes being EMPOWERED to do it, being PERMITTED by the people to do it, and being able to AFFORD to do it. Right now the US government is able, empowered, but only just about permitted and certainly not able to afford to continue to finance a spying program of this magnitude.

    The Soviet Union exhausted both its finances and legitimacy in trying to keep its populace under control. Hopefully the US will not have to go through as painful a breakup in order to reverse its present trend.

    --
    May the Maths Be with you!
  27. Ok, get on that then by Sycraft-fu · · Score: 3, Insightful

    Go start your revolution. Do whatever you think that entails.

    Or, if you aren't willing to do that, because revolutions are messy and often as not end up worse than what you had, kindly shut the fuck up.

    I will not be joining you because while I feel the US has not been moving in a positive direction as of late, I feel that the solution to fixing it involves using the democratic process, not violent revolution, since I understand how nasty those are and also have a perspective on how good the US has it overall.

    I get really tired of whiny, usually anonymous, basement dwellers playing toughguy on the net, decrying the US and saying we need to "revolt" or "rise up" or some BS. You aren't going to do that and you know it. So you are just being a douchebag, whining and complaining, suggesting that others should do the dirty work.

    So put up or shut up. If revolution is really what you think is needed, get on that then. Though you might want to research a little as to what often happens to revolutionaries, and to countries after. If you don't, then STFU about it. Less whine, more action.

    In fact, you will probably find that if you and others like you spent less time whining and more time working to effect actual change in the country within the system we have, things might start getting better.