Slashdot Mirror
Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys
jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."
Luckily I browse my favourite sites like /. using http so I'm not affected by this.
Understandable that he shut down.
The USA is ruled by evil bastards that have no respect for the citizens.
Time to revolt is now.
http://i.imgur.com/Xp2q6up.jpg
How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?
I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?
Because presumably the whole point of Lavabit is that the stored email was encrypted based on a key that only the user had, so in-transit is the only place they could see it.
Go ahead, mod me troll. But given the recent revelations, how can we claim to be any better than even the fucking UN at this point? I've made a complete u-turn on this issue, and it scares the crap out of me that I would have continued to defend the US as the savior and guardian of the open and free internet if it wasn't for a single guy leaking some stuff. And we can't even push something as simple as net-neutrality regulations through without it becoming a horrible political mess.
Fuck this government and its institutions and fuck the people that support it.
Lavabit is still in court over this. You can contribute to their legal defense fund here.
Actually, they did not have access to the site (that would have been overly broad and unconstitutional), but lavabit was forced by the court to install a packet dumper. So FBI had the full encrypted streams of all user sessions. FBI then requested the SSL key that would unlock all stored streams. The court reasoned that because the site uses a single SSL key for all users, that's lavabit's fault and agreed that the request is not overly broad.
Luckily there's a simple technical fix for this: perfect forward secrecy in HTTPS, using RSA DiffieHellman or ECDH key exchange. The encryption key is ephemeral and the SSL private key cannot be used to perform a passive attack on the sniffed. FBI/NSA is forced to perform a MIM on the very sessions they target; if done on the scale of the whole internet, this would be easily detected.
All HTTPS servers should ship with this cypher suite as the default.
UPDATE 7:00pm CT: In a press release published on his Facebook page, Levison confirmed the unsealing and laid out his defense.
“People using my service trusted me to safeguard their online identities and protect their information. I simply could not betray that trust," he said. "If the Obama administration feels compelled to continue violating the privacy rights of the masses just so they can conduct surveillance on the few then he should at least ask Congress for laws providing that authority instead of using the courts to force businesses into secretly becoming complicit in crimes against the American people. http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/
Firstly they wanted *all* meta data on every Lavabit user, not just Snowden. It was a blanket demand to get all of the data.
They also wanted man-in-the-middle box. A device which would have the root certificate under control of the government and would sit in Lavabits network able to man-in-the-middle attack emails (i.e. speech) of Lavabit users not connected to Snowden.
Lavabit are guardians of the customers data, how can they guard if a black-box is on their network? It can do anything, the judge has no way of telling, Lavabit has no way of telling. Google apparently refused these boxes and with good reason. There is no trust here, the Judge is not supposed to trust the FBI & NSA to do only what it says. He's supposed to be the guardian of the law, just as Lavabit are the guardians of the data.
An example, if I had such a box, I could spoof email convincingly in a way that would pass forensics. I could create fake evidence. I could spread disinformation (propaganda) again untraceably.
They also asserted that it filters out only the data they were allowed to have and throws away the rest. We know this has been proven to be false in many many leaks, even the President now pretends the data goes into a 'lockbox'. A lockbox isn't a lockbox if the NSA has the key and no judicial oversight stops them turning that key at will.
It seems, once again, the judicial branch has simply become a fawning sidekick to the executive branch.
If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.
Yes, how dare the impudent bastards attempt to protect their customers from illegal surveillance!
Seriously, I think you just posited a digital variant of the 'skinny jeans defense' rapists use.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Can we assume that all the major Certificate Authorities have been "compromised" by the FBI / NSA as well.
Well, I read the court documents and it appears the sequence of events went something like:
1. FBI asked for real time details of (Snowden? Everyone thinks Snowden, the request was one day after it was revealed he has an account with Lavabit) an account, specifically metadata relating to email exchanges.
2. Lavabit didn't respond.
3. FBI got pissed, involved courts
4. Lavabit made an offer to provide the information on a monthly basis, rather than a realtime basis, and asked for payment of $3,500 ($2,000 for labor and I can't remember what the other $1,500 was.)
5. FBI threw a fit, announced that instead they were now asking for a box to be installed to intercept communications. The box would be programmed to only transmit the required information about person-we-think-is-Snowden, but because of the way it's designed would require Lavabit's SSL keys.
5. Lavabit: Nu-uh.
6. Courts: Uh yeah, we're siding with the FBI on this one.
7. "But I don't trust the government to only intercept $PROBABLY_SNOWDEN's records. Also I want to talk about this case, first amendment and whatnot."
8. Courts: "Well the government doesn't trust you, has good reason not to trust you based on your history of non-cooperation, and I don't care whether you trust it, established precedent says you have to cooperate. Also I'm not going to let you tell anyone about anything so there."
At this point the courts started threatening fines. Lavabit gave up its key but in a way designed to piss off the FBI, which, of course, pissed off the court too. Court started imposing fines. Lavabit shut itself down.
My reading:
1. Lavabit wasn't as principled as claimed by Glenn Greenwald et al. They did actually plan (or told the courts and the FBI they would anyway) to release the records relating to $PROBABLY_SNOWDEN to the FBI. At best you can argue they were lying, but how's that showing integrity?
2. Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing. These mistakes made it easy for the FBI to argue that they couldn't trust Lavabit to do what Lavabit was offering to do. Lavabit should have contacted the FBI immediately, made it clear their concerns, and not made a clearly bad-faith offer to provide something useless to the FBI - I don't mean they should have offered something useful, they should have said instead "Look, this is a major problem for us, we have to investigate further and determine something that can satisfy the law and your requirements that does not damage the integrity of our system", and had a lawyer work with the courts on this.
3. Notwithstanding the above, the court's refusal to allow Lavabit to talk to politicians et al about the basic principles in the case seems absurd and completely unconstitutional. Given the circumstances, I have to assume that Snowden was the target - if $RANDOM_DRUGDEALER was the target, Lavabit going to a politician and saying "We've been told to hand over records of one of our 50,000 users" wouldn't tip anyone off.
This is a total fuck-up. The EFF and ACLU can get involved now, but so many mistakes were made early on it's going to be an uphill fight for everything except the free speech issue. In particular, if you're expecting this to end up with a judgement that it was wrong to demand access to Lavabit's data, you're going to be sorely disappointed.
You are not alone. This is not normal. None of this is normal.
the US gets the press, but every country is doing as much as they can (and are able to) with the money and network taps they have in place.
this is human nature. the dark side of human nature.
at least its out in the open, now. what we do with it, as a species, is up to us. do we put our data thieves (ie, the government) behind bars or do we just say 'I have nothing to hide!' and let them continue along with their abuse and theft of our privacy?
there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it. companies includes (your corp firewall and your corp provided laptop probably has built-in certs from the company)
--
"It is now safe to switch off your computer."
Lavabit being "in contempt" regarding the first request in no way justifies the second.
This is just more of this sort of post-factum argumentation that is so common everywhere lately. You even see it at the level of the SCOTUS. Some goal is declared supremely important and then the law is distorted to fit that objective rather than to actually honestly examine if that objective is even legal to begin with.
"We must do X, therefore we will ignore the law"
Same nonsense, different day.
A Pirate and a Puritan look the same on a balance sheet.
there is no country that won't do this, no matter what they say. so stop thinking its the big bad old USA. its everyone, everywhere, who CAN do it.
Qualitatively, yes you're probably right. Quantitatively, not so much. It's like the military. Every country, or almost, has one. But only the USofA spends about as much on "defense" as the rest of the planet put together.
PS Capitals, used with some restraint, go a long way to making heads and tails out of a sentence.
Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
I live in Ireland. I can pretty much guarantee you of three things.
1) The state lacks the expertise to snoop on any communications.
2) The state lacks the legal clout to force anyone to turn over their encryption keys.
3) The government would likely not survive the closure of an IT SME such as Lavabit -- and loss of associated jobs -- which resulted from direct government interference in that company's ability to operate in Ireland.
The rules that apply to the US government do not apply to every government. Some governments lack the skills, laws, and nerve to pull off what the White House/NSA is doing to US internet companies right now. More governments simply lack the money to pay for so extensive a network of surveillance and control.
That can includes more than simply being ABLE to do it. It includes being EMPOWERED to do it, being PERMITTED by the people to do it, and to being able to AFFORD to do it. Right now the US government is able, empowered, but only just about permitted and certainly not able to afford to continue to finance a spying program of this magnitude.
The Soviet Union exhausted both its finances and legitimacy in trying to keep its populace under control. Hopefully the US will not have to go through as painful a breakup in order to reverse its present trend.
May the Maths Be with you!