There are whistle blower laws that would have protected him if he'd played by the rules. He chose to make a martyr out of himself.
Fool. That isn't how whistleblower laws work, not even in theory, let alone practice, especially in the intelligence industry.
And he did try to play by the rules; his superiors made it abundantly clear to him (repeatedly so) that his opinion on the matter was not solicited, and furthermore, endangered his career.
It's getting old hearing the same story day after day.
Until naive, delusional fools like yourself can't see the problem we're facing, it should be repeated constantly and continuously until you get the fucking message.
I agree with both of you - but my beef is with Lavabit. People are supporting that guy left and right, when he could have simply CCd (archived) incoming/outgoing mail for the FBI target. That target, which we assume to be Snowden, is a single person, who was sheltered and protected by a business owner who has now taken in at least half a million dollars in donations and Kickstarter campaign funds. And his service was never as secure as he claimed in the first place.
IMHO, you cannot be a trustworthy person when you cannot follow the law of the land (recall, these are normal subpoenas, not NSL, not FISA, not NSA related in any way other than the probable target). I think he's a Digital Madoff - refusing to duplicate email (which is not encrypted), then trying to milk the government for thousands to do it.
I'm tired of hearing his 'woe is me' crap, and until the naive, delusional fools see that he's full of shit, it won't stop - so I'm repeating it as often as possible to let people know that guy is doing nothing but riding on Snowden's coattails to simply make more money for himself.
Those protocols are there to protect the vendors, not you.
Of course they are, they're meant to protect the Card Issuers. Having implemented PCI at a credit card processor, I'm not even sure it applies to debit transactions - and it surely doesn't apply to private label cards.
If you want to be protected as a card holder, use CREDIT not DEBIT. Credit card transactions are protected by Visa/MC regulations - you as the user are not liable for ANY loss. If you use debit, you are subject to your bank's regulations, which aren't in the best interests of the cardholder. Mine would limit the bank's liability to $500; anything higher I would be on the hook for.
Just as an aside - I also worked InfoSec at Kohls - we had multiple subnets in all the stores. Kohls is not built like Target.
You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to it) is beyond me; it's a bad security model to begin with.
Will they ever learn?
So you think they were able to access card readers, and NOT plant a 3g device on the same network?
Other than lies, lies and more damn lies, what else can NSA come up with ?
No matter how slick or how polished their lies may be, NSA's lies are still LIES.
NSA has betrayed America.
NSA has betrayed the Constitution.
NSA is a rogue organization within the government of the United States of America.
And yet I have a feeling you're completely behind Ladar Levison - whose entire business model was built upon a lie, and who is now exploiting Snowden and his own incompetence for more money.
I was skeptical about our nation in the past, but this entire episode has revealed to me the full breadth of lies, deceit, and gullibility of our nation.
Were you asked for a password for accessing the data? If not, then you really shouldn't be surprised. What did you think it was doing? It can't meaningfully encrypt it without a key.
A session ID would tell the server you were already, or previously, authenticated. It's up to the server to determine if you are still authenticated between browser sessions.
Saving the password, encrypted or not, is not necessary.
Of course, we're assuming the researcher didn't check the "save password" box, and then go "OMG! My password is in clear text but the site is HTTPS!". If that were true, then he's a moron. I hope they peer review their releases.
I think if they get enough people up there, and things go to hell, all of a sudden we'll have an 'emergency disaster relief' effort to get supplies to Mars - and all of a sudden many of those hurdles we're fretting over (including costs) will become speed bumps.
It's like a Trial by Fire combined with forced capitulation. Like when a (real) hurricane strikes and (justified) conservative concerns about welfare are overridden by the (relatively) immediate need for support.
My company prides itself on an office environment that follows a modern design aesthetic: open floor plan, bold colors on the walls, cool lamps in the corners.
My lame company only prides itself on stupid shit like making good products and pleasing its customers.
No it isn't. It is only partially wrong. ADHD is a real disorder. My brother suffered from it. I know it when I see it. I regularly volunteer to help out in my son's elementary school classroom for two hours every Friday morning. I know all his classmates, and work with all of them regularly. They are all normal kids. None of them are even close to ADHD. Yet, since I started working with them, several of the boys have been put on medication. That is insane. But I can see how it happens. Shoving pills into the kids makes the teacher's job easier. The parents are happy because they can continue to let the kid sit in front of the TV and munch potato chips, which is much easier than being a responsible parent. And the doctor is guaranteed a steady income stream. All the incentives are in the wrong direction.
And those parents don't know what they're getting their kids into. Years from now, even after they discover they were sold a load of bullshit, they'll find out that all those 'psych rejects' who are now teachers have been busily inspecting their children's files and will be treating them decidedly differently from the rest of the students.
They'll be lucky if one of them slips up and lets the parents know that's happening. Though you can be sure it'll be discussed in the teacher's lounge.
While I agree with your point, I have to also agree with a few of the points Gartner's analyst made. Ever try to implement OpenStack? Some things are okay (Virtual Machines), but other things are horribly convoluted (Virtual Routing). Version upgrades break previous functionality, and documentation is lacking, so finding what actually broke requires lots of time and effort. Waiting for the documentation to catch up is fine until you need a feature or bug fix in the latest version.
I'm not claiming that it's horrible mind you, but rather pointing out that it needs some time to mature. Gartner's opinion does not mention the fact that OpenSource products like this can do very well (Apache, Linux, MariaDB/MySQL). At the same time, enough OpenSource projects fall off the Earth to have some concerns.
"A lie is best placed between two truths."
Gartner always makes some valid points. They are masters of manipulation.
While it sounds like you're well-informed, the majority of their followers are not and I would go so far as to say those people, even when reading the details presented within, rarely truly understand the content.
Keep in mind, the cost of the pharmaceutical company's studies used to verify the accuracy of the test and gain FDA approval likely pushes the cost-per-test up quite a bit.
FTFY. Preclinical, phase 1, phase 2, and phase 3 at a minimum
And then of course there needs to be someone licensed in reading the results, and prescribing a treatment.
My foot is killing me from gout, but I'm not dropping $200 for a doctor's visit to get $10 in meds.
The article mentions "Dark Friday" but links to a wiki page called "Black Friday". What is that about?
Many people refused to support the shopping event "Black Friday" on the grounds that it is racist towards people of other skin tones. The politically correct term is "Dark Friday", which is on the eve of "Darkie Weekend" during which most people don't have to work and can just laze about on their porches like monkeys.
ROFL. That's the most appropriate explanation I've ever seen.
> reliable UDP protocol
You want a reliable *unreliable* datagram protocol protocol?
Sounds like something guaranteed to fail.
Everyone tries to reinvent TCP. Almost always they make something significantly worse. This is no exception.
I once worked at a company that made Parking Meters - and accepted credit cards at them. They sent their data over https, and had random issues with timeouts.
It turns out they would format their data in (very descriptive) XML, and discovered that an excessively large file combined with an SSL handshake over a crappy 2g connection took too long to transfer the data (it didn't help that the programmers 'forgot' they had hardcoded a timeout, so if the comms were just slow, it would throw a generic error and they blamed Apache for it).
In any case, the offshore dev team's solution was to create a UDP client/server protocol of their own.
It was working nicely when I left, and was PCI Compliant, but at that point we had no way to reliably monitor communications from the perspective of the meter, because we (SysAdmins in charge of the backend systems) would have had to write proprietary code from non-existent documentation just to replicate what used to be a simple HTTP POST.
Some things look great, but aren't thought out all the way...
Completely against PCI Compliance, they were using your 'account number' (full card number) as your identifier when downloading your statement in PDF form. So their web server logs would have been chock full of credit card numbers in clear text. Doh!
The biggest problem was finding someone to report it to. Customer Service doesn't know dick about Compliance - I had to cross my fingers that it would get escalated properly. It took about 6 months for that to change.
When I did this 'search test', most of my hits were PDFs of credit card statements.
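The leak described in this comment (a full card number used as the statement identifier, so every PAN ends up in the web server access log) is something a defender can check for directly. The following is an added example, not code from the original comment or from any service it mentions: it scans constructed Apache-style access-log lines for digit runs that pass the Luhn checksum, reports them masked, and treats an opaque statement id and a timestamp-like digit run as the non-matches they should be. The log lines and card numbers are constructed test values.

```python
"""Scan web-server access logs for primary account numbers (PANs)
leaking through request paths.

Added example: the log lines below are constructed, and the card
numbers in them are test-card values that satisfy the Luhn check.
Nothing here comes from the original page or from a real service.
"""
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return every Luhn-valid PAN candidate found in one log line, unmasked."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines) -> List[dict]:
    """Report (line number, masked PAN) per finding; never emit the full PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append({"line": n, "pan": mask_pan(pan)})
    return findings


# Constructed access-log lines in Apache combined format. Lines 1 and 2 use
# the full card number as the statement identifier (the leak); line 3 uses an
# opaque statement id (the fix); line 4 is a 17-digit timestamp that fails Luhn.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2013:10:12:01 +0000] "GET /statements/4111111111111111.pdf HTTP/1.1" 200 51234',
    '203.0.113.9 - - [01/Dec/2013:10:13:44 +0000] "GET /statements/5500000000000004.pdf HTTP/1.1" 200 49871',
    '203.0.113.9 - - [01/Dec/2013:10:14:02 +0000] "GET /statements/a81f3c9e-2d1b-4b77-9c8e-5f0d2a6b1e44.pdf HTTP/1.1" 200 49871',
    '198.51.100.2 - - [01/Dec/2013:10:15:30 +0000] "GET /export?since=20131201101530124 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PAN in request path ({f['pan']})")
```

Run against a real access log, this is the same 'search test' the comment describes, but with the Luhn filter to cut down on false positives from timestamps and order numbers, and with output masked so the report itself does not become another copy of the card data.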
What does "a community" have to do with whether the tools work or not?
To Quote - "I'd rather use some tools with more of a community than just the 4 of us."
He also never said that there were shortcomings in the toolset they created. It sounds like he may not like the database, maybe he wants a nicer front-end for managing the tables? But it's not described as 'the problem'.
Therefore, if they create a community around their own toolset, then the only problem actually described in the OP is resolved.
In p 31 he is asked to hand over the SSL and TLS keys for his service, which in practical terms would allow the FBI to eavesdrop on the communications of *everybody* at will. This, with all certainty, would have meant a breach of contract with his users, and lawsuits would have ensued. Would the FBI have paid for the damages?
Most importantly Lavabit was willing to comply with the original request, which was limited to a single email account.
You'll have to try harder if you want to dispel the positive aura around Ladar.
Of course he was asked to hand over the SSL keys; he refused to hand over the requested information in the first place.
Duplicating incoming and outgoing email, on a server you own and apparently WROTE THE CODE FOR, is trivial. Even Exchange can do it. Page 7 is the request for mailbox contents, but a separate device is NOT REQUIRED. It should be obvious that using SMTP means the data is in clear text until it's encrypted - at rest.
At best, he's an incompetent admin, and you want him to secure your email?
I didn't expect to get modded up - but Ladar's not the white knight that's being presented in the media (if anyone would actually read the documents, they'd see he brought it on himself), and I'm damn tired of it.
It's going to be called 'LavaCircle'. And the whitepaper that's produced to explain it will include a lot of busy work and confusion, and the result will be locally encrypted/decrypted files.
Then, when someone asks how that can actually be secure, Ladar will throw a tizzy and claim all our constitutional rights are being trampled on.
Well - public/private key encryption comes to mind. Your users would just need a local client, either plugged into a fat client, run as Java (like the CA provider), or using OpenPGP's JavaScript or Chrome plugins. The solutions exist; Lavabit just created an overly complex 'paper shuffling' process to hide the fact it's not really secure.
I believe the content of the email was encrypted at all times. But a mail server has to have information on sending and receiving the mail, so not all data can be encrypted by the user's key.
It can't be encrypted at all times if a normal client is able to view it. It was merely encrypted at rest, with a single encryption/decryption key stored on the same server.
So what's the problem with providing account information and log data for a single account, requested by court order? If Snowden's a whistleblower, then there's nothing to be afraid of. If he's sending highly classified data to the Russians... uhm, my age is showing... Chinese, and using 'whistleblower' as a cover for his actions, then we have a problem. That's not Ladar's call to make. That's why there are professional investigators involved, a 'Federal Bureau', as it were.
It's a problem when all of the reporters on that list end up going missing a short time afterwards. You are far too trusting of the government here. Think of this situation as if it were reversed, and a Russian or Chinese operative was exposing their dirty laundry to the world in the US. Think of the things that these regimes would do. Now, realize that the US would do all of the same things if they could manage to keep it quiet.
Assuming every corner of the government was in on it. Most of those people are just doing their jobs. Trails of bodies tend to attract attention.
Also, the theory that he was very publicly a whistleblower as a cover to give foreign governments intel is ridiculous. That's about the worst way to try and accomplish that.
We are talking about the genius who, upon deciding to commit treason, used an account with his name on it - not even an alias.
So either he's incredibly stupid, or incredibly intelligent. It would be incredibly intelligent to save your ass from the fire by making yourself appear to be a folk hero.
'Clearly'. I disagree. He was being an ass, and the operation didn't have the security he touted in the first place - it's like buying a lockbox at a bank, but giving your stuff to the teller to put in the box. That's not secure.
The system was about as secure as an email service you don't personally host can be, at least as far as the general model goes.
As an email service provider, I can attest these orders are not executed by the NSA, they're part of investigations performed by the FBI. They DO NOT want any more info than is listed on the court order. Are you kidding me? Using evidence gained illegally as part of a prosecution? A defense lawyer would have a field day with that.
They were searching for information on Snowden. They weren't looking for information for a trial. They were trying to find out who he was in contact with and exactly what he had so they could control the situation.
Reading a little bit further into the docs, it would appear that they initially wanted a bit more access than he was comfortable giving. They wouldn't let him just give the info after 60 days and wanted a trace device that would let them intercept information unencrypted in real time. The court order only gave them permission to intercept certain information, but they would have had access to much more, and it would have compromised the security of their entire operation. Given the information we have available right now about US spy agencies' utter disrespect for the rule of law, he clearly made the right choice.
If you mean that he made the right choice in talking with the media about the abuse of the government taking his SSL keys, instead of talking about his lack of cooperation, then yeah, I agree he made the choice that was in his best interests. No publicity is bad publicity they say.
Me too. I don't like gold, but I like Bitcoin. I guess we've split the party 50/50.
Right. What stock should I be selling?
And the pun in the last sentence of the Slashdot summary is why there are not more.
Why do you say that? She's kinda hot.
It is also completely wrong.
Gartner is nothing more than a PR company for whoever pays for their 'analysis'.
Sounds like a thinly disguised military dictatorship to me.
Agreed! It's not unlike the elderly dictatorship of only allowing adults to vote.
If you published your tools, you might find you're not the only ones who need the flexibility you've written into your toolset.