Slashdot Mirror
Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys
jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."
Luckily I browse my favourite sites like /. using http so I'm not affected by this.
Understandable that he shut down.
The USA is ruled by evil bastards that have no respect for the citizens.
Time to revolt is now.
I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
http://i.imgur.com/Xp2q6up.jpg
How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?
if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone.
I don't think so. There's a big difference between the legal firepower available to a small service provider like Lavabit and someone like Yahoo or Google -- and handing over the ability to read everything is definitely not something that a simple warrant can legally require. Nor even an NSL.
In fairness, in this case the FBI's original request did ask for just specific metadata about one user. I haven't read it closely enough to understand how the scope was broadened so dramatically, except that I understand that Lavabit refused to comply early on, and then eventually the FBI decided that they didn't trust Lavabit to comply correctly due to Lavabit's obstructionism, and so decided that they just wanted to be able to read all the traffic and extract the bits they needed themselves.
Lavabit, of course, decided to shut down instead. That way there would be no traffic to read.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Go ahead, mod me troll. But given the recent revelations, how can we claim to be any better than even the fucking UN at this point? I've made a complete u-turn on this issue, and it scares the crap out of me that I would have continued to defend the US as the savior and guardian of the open and free internet if it wasn't for a single guy leaking some stuff. And we can't even push something as simple as net-neutrality regulations through without it becoming a horrible political mess.
Fuck this government and its institutions and fuck the people that support it.
Lavabit is still in court over this. You can contribute to their legal defense fund here.
I thought these and similar laws (wiretap, etc) were only allowed to act upon the entities being investigated and for which the warranty was issued. And it sounds like Lavabit tried to keep the scope narrowed to the one person being investigated, but the FBI wanted more. Isn't this over reaching the scope of the warrant and therefore any case developed would be tossed out? IANAL, but I thought the scope limitations were there for a reason. That idea TPB had to buy an island is sounding more and more convincing these days...
Lavabit did not offer an alternative solution, they offered to comply with the ORIGINAL search warrant that asked for just one user after prosecutors upped the ante when Lavabit refused the first search warrant.
FTA:
"By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested."
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
UPDATE 7:00pm CT: In a press release published on his Facebook page, Levison confirmed the unsealing and laid out his defense.
“People using my service trusted me to safeguard their online identities and protect their information. I simply could not betray that trust," he said. "If the Obama administration feels compelled to continue violating the privacy rights of the masses just so they can conduct surveillance on the few then he should at least ask Congress for laws providing that authority instead of using the courts to force businesses into secretly becoming complicit in crimes against the American people. http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/
Firstly they wanted *all* meta data on every Lavabit user, not just Snowden. It was a blanket demand to get all of the data.
They also wanted man-in-the-middle box. A device which would have the root certificate under control of the government and would sit in Lavabits network able to man-in-the-middle attack emails (i.e. speech) of Lavabit users not connected to Snowden.
Lavabit are guardians of the customers data, how can they guard if a black-box is on their network? It can do anything, the judge has no way of telling, Lavabit has no way of telling. Google apparently refused these boxes and with good reason. There is no trust here, the Judge is not supposed to trust the FBI & NSA to do only what it says. He's supposed to be the guardian of the law, just as Lavabit are the guardians of the data.
An example, if I had such a box, I could spoof email convincingly in a way that would pass forensics. I could create fake evidence. I could spread disinformation (propaganda) again untraceably.
They also asserted that it filters out only the data they were allowed to have and throws away the rest. We know this has been proven to be false in many many leaks, even the President now pretends the data goes into a 'lockbox'. A lockbox isn't a lockbox if the NSA has the key and no judicial oversight stops them turning that key at will.
It seems, once again, the judicial branch has simply become a fawning sidekick to the executive branch.
Can we assume that all the major Certificate Authorities have been "compromised" by the FBI / NSA as well.
How is a user who just reads considered "abusive" to Slashdot? Treat Tor like any other open proxy, giving it read-only access.
When I was growing up (70s and early 80s), all the US propaganda about how bad the Soviet Union was, how bad East Germany was, in terms of privacy, citizen rights, and being police states.
"Hypocrisy!", in my opinion.
In my opinion laws should protect non-suspect citizen rights, and enforcement agencies (FBI in this case) should be legally required to only target and restrict their levels of privacy breach to only those individuals or organizations of inquiry. They should have no legal authority to make such demands, and if a company or citizen gets such a demand, the FBI should be able to be publicly sued for attempting to exceed their authority.
AND, if the FBI currently is allowed to do such dragnets, the laws should be amended to remove such authority, and be enforced.
Uh, Linux geek since 1999.
the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.
this is human nature. the dark side of human nature.
at least its out in the open, now. what we do with it, as a species, is up to us. do we put our data thieves (ie, the government) behind bars or do we just say 'I have nothing to hide!' and let them continue along with their abuse and theft of our privacy?
there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it. companies includes (your corp firewall and your corp provided laptop probably has built-in certs from the company)
--
"It is now safe to switch off your computer."
there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.
Qualitatively, yes you're probably right. Quantitatively, not so much. It's like the military. Every country, or almost, has one. But only the USofA spends about as much on "defense" as the rest of the planet put together.
PS Capitals, used with some restraint, go a long way to making heads and tails out of a sentence.
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
It's not limited to just SSL. Any company that holds a copy of your encryption/decryption keys (a public certificate is OK, the matching private key that goes with it is the problem) can be ordered to turn them over. The only safe system is where the keys that secure the system never leave your possession.
For e-mail that means using S/MIME or OpenPGP with a self-signed certificate and a private key you generate yourself. For encrypted documents, the same. The e-mail and documents need to be encrypted on your end before they leave your computer. Be aware that if you're encrypting messages to someone else the security will be controlled by their handling of their keys. You're encrypting using their public key, there's no security implications from disclosure there. However, if the recipient's using a service where the provider has a copy of their private key (used to decrypt messages to them) then messages can potentially be eavesdropped on by outsiders who've compromised the provider and gotten the key. Be aware of this aspect and make sure you know how recipients are handling their own security.
Yes, the above means any and all web-based or hosted services are automatically vulnerable no matter how they're designed. The only secure systems are ones where you, or software running on your computer and that you control, does the encryption and decryption and the private keys are never disclosed to any other party.
Basically, the government can force you to do anything it wants, and there's nothing you can do about it. Strange, I remember hearing about some document that spelled out certain limitations on the governments powers, and certain rights that people had, but I must have misremembered.
I live in Ireland. I can pretty much guarantee you of three things.
1) The state lacks the expertise to snoop on any communications.
2) The state lacks the legal clout to force anyone to turn over their encryption keys.
3) The government would likely not survive the closure of an IT SME such as Lavabit -- and loss of associated jobs -- which resulted from direct government interference in that company's ability to operate in Ireland.
The rules that apply to the US government do not apply to every government. Some governments lack the skills, laws, and nerve to pull off what the White House/NSA is doing to US internet companies right now. More governments simply lack the money to pay for so extensive a network of surveillance and control.
That can includes more than simply being ABLE to do it. It includes being EMPOWERED to do it, being PERMITTED by the people to do it, and to being able to AFFORD to do it. Right now the US government is able, empowered, but only just about permitted and certainly not able to afford to continue to finance a spying program of this magnitude.
The Soviet Union exhausted both its finances and legitimacy in trying to keep its populace under control. Hopefully the US will not have to go through as painful a breakup in order to reverse its present trend.
May the Maths Be with you!
Go start your revolution. Do whatever you think that entails.
Or, if you aren't willing to do that, because revolutions are messy and often as not end up worse than what you had, kindly shut the fuck up.
I will not be joining you because while I feel the US has not been moving in a positive direction as of late, I feel that the solution to fixing it involves using the democratic process, not violent revolution, since I understand how nasty those are and also have a perspective on how good the US has it overall.
I get really tired of whiny, usually anonymous, basement dwellers playing toughguy on the net, decrying the US and saying we need to "revolt" or "rise up" or some BS. You aren't going to do that and you know it. So you are just being a douchebag, whining and complaining, suggesting that others should do the dirty work.
So put up or shut up. If revolution is really what you think is needed, get on that then. Though you might want to research a little as to what often happens to revolutionaries, and to countries after. If you don't, then STFU about it. Less whine, more action.
In fact, you will probably find that if you and other like you spent less time whining and more time working to affect actual change in the country within the system we have, things might start getting better.