×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys

timothy posted about 7 months ago | from the c'mon-fellas-it's-for-the-greater-good dept.

Communications 527

jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

527 comments

https (5, Funny)

jobsagoodun (669748) | about 7 months ago | (#45024077)

Luckily I browse my favourite sites like /. using http so I'm not affected by this.

Re:https (5, Interesting)

Anonymous Coward | about 7 months ago | (#45024341)

Your favorite site also bans random TOR exit nodes from browsing it. I can understand banning posting to prevent spam and such, but browsing ? That's just moronic. It also craps when the IP of the user changes during editing/posting.

Slashdot, please get on with the times, you are probably the legal site most visited by TOR users. You need to add HTTPS and improve TOR support.

Re:https (2)

thevirtualcat (1071504) | about 7 months ago | (#45024663)

In Slashdot's defense, they are probably just repurposing a system to ban the IP addresses of abusive users. Why build a second, paralell system for TOR users when the system that's already in place does the job just fine?

Nothing left to do (5, Insightful)

Anonymous Coward | about 7 months ago | (#45024091)

Understandable that he shut down.
The USA is ruled by evil bastards that have no respect for the citizens.
Time to revolt is now.

Re:Nothing left to do (5, Funny)

Anonymous Coward | about 7 months ago | (#45024231)

That's the worst haiku I've ever read.

Re: Nothing left to do (2)

fizzer06 (1500649) | about 7 months ago | (#45024495)

Land of the free, home of the brave?

Re: Nothing left to do (3, Insightful)

Anonymous Coward | about 7 months ago | (#45024641)

Land of the cowards, home of the slaves.

Where else in the world can people be so cowed while simulatenously bragging about their right to go armed?

Re:Nothing left to do (3, Insightful)

Lunix Nutcase (1092239) | about 7 months ago | (#45024565)

You mean the time is now for others to revolt while you sit in the basement playing armchair general. Who about you actually di something rather than just make empty threats?

Why? (4, Insightful)

jbmartin6 (1232050) | about 7 months ago | (#45024097)

I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?

Re:Why? (5, Informative)

jareth-0205 (525594) | about 7 months ago | (#45024143)

I don't see why they would want the SSL key, when presumably they have easy access to the data on the servers under the laughable "due process" already in place. Why would they want to intercept the traffic when they could just read it off the server?

Because presumably the whole point of Lavabit is that the stored email was encrypted based on a key that only the user had, so in-transit is the only place they could see it.

Re:Why? (4, Informative)

Jose (15075) | about 7 months ago | (#45024149)

Why would they want to intercept the traffic when they could just read it off the server?

from TFA: ....But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

Re:Why? (3, Informative)

Anonymous Coward | about 7 months ago | (#45024465)

Why would they want to intercept the traffic when they could just read it off the server?

from TFA: ....But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

The message contents, yes. But the header information they did have access to, as it's necessary for delivery. And that information is what the FBI wanted, and that information is what was all protected by a single SSL cert.

Re:Why? (1)

Richard_at_work (517087) | about 7 months ago | (#45024545)

Having SSL key access means they can capture stuff in transit, which means that either the end user key or the plain text decrypted email must be in transit... So, where is it transiting to and from? Or we're the FBI injecting something onto the page during transit to capture stuff in the users browser?

Does Lavabit do the decryption on the client end, or does the client send their key to the server? What exactly is going on?

Re:Why? (2, Interesting)

cold fjord (826450) | about 7 months ago | (#45024259)

If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.

Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show [wired.com]

“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.

U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.

By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

Re:Why? (5, Insightful)

CanHasDIY (1672858) | about 7 months ago | (#45024419)

If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.

Yes, how dare the impudent bastards attempt to protect their customers from illegal surveillance!

Seriously, I think you just posited a digital variant of the 'skinny jeans defense' [google.com] rapists use.

Re:Why? (-1)

Anonymous Coward | about 7 months ago | (#45024505)

the FBI was investigating a case of espionage

go back to mommy's basement and encrypt all your porn from the FBI since they will come for you next

Re:Why? (2, Informative)

Anonymous Coward | about 7 months ago | (#45024673)

Lavabit has complied with warrant requests before, the FBI wanted more than just 1 users account, the warrant they had was only for a single user account, they demanded access to more. Did you even read the documents?

Re:Why? (5, Interesting)

Anonymous Coward | about 7 months ago | (#45024261)

Actually, they did not have access to the site (that would have been overly broad and unconstitutional), but lavabit was forced by the court to install a packet dumper. So FBI had the full encrypted streams of all user sessions. FBI then requested the SSL key that would unlock all stored streams. The court reasoned that because the site uses a single SSL key for all users, that's lavabit's fault and agreed that the request is not overly broad.

Luckily there's a simple technical fix for this: perfect forward secrecy in HTTPS, using RSA DiffieHellman or ECDH key exchange. The encryption key is ephemeral and the SSL private key cannot be used to perform a passive attack on the sniffed. FBI/NSA is forced to perform a MIM on the very sessions they target; if done on the scale of the whole internet, this would be easily detected.

All HTTPS servers should ship with this cypher suite as the default.

Re:Why? (2)

GameboyRMH (1153867) | about 7 months ago | (#45024629)

Luckily there's a simple technical fix for this: perfect forward secrecy in HTTPS, using RSA DiffieHellman or ECDH key exchange.

Did you know that ECDH stands for Elliptic Curve Diffie-Hellman? Yeah it would solve the problem of the NSA's request alright...

Re:Why? (4, Interesting)

bluefoxlucid (723572) | about 7 months ago | (#45024357)

The best part is they said here that they wanted the "Root Certificate", which would allow them to sign new keys. Caveat: that's just a trust model, allowing them to replace LavaBit's SSL key. What they wanted was LavaBit's site SSL private key.

Let's say that the NSA got the Verisign Root Certificate and started using it to sign Verisign CSRs. A CSR includes the public key (certificate), but not the private key. The public key is already known. The NSA gains ... nothing.

Now if they get the Google Gmail SSL private key, they can decrypt the SSL session handshake and key exchange. The key exchange exchanges a symmetric encryption key for AES or RC4 (yes RC4 is secure; yes I know it's used in WEP, which uses a new NONCE for every packet, and in their implementation they generate insecure NONCE/IV pairs and you can collect millions of these and crack it. Not applicable here). With Gmail's SSL private key, the NSA can decrypt the symmetric session key exchange and use that key to decrypt your session and read your e-mail.

That's the difference.

Re:Why? (2)

omnichad (1198475) | about 7 months ago | (#45024667)

The public key is already known.

I don't know about you, but I don't get any warning telling me that "The stored public key for secure.site.com does not match the one received. Continue to site?" Maybe I need to upgrade my browser.

So for most, a MITM attack would be completely undetected.

They wanted a man-in-the-middle box (5, Informative)

Anonymous Coward | about 7 months ago | (#45024385)

Firstly they wanted *all* meta data on every Lavabit user, not just Snowden. It was a blanket demand to get all of the data.
They also wanted man-in-the-middle box. A device which would have the root certificate under control of the government and would sit in Lavabits network able to man-in-the-middle attack emails (i.e. speech) of Lavabit users not connected to Snowden.

Lavabit are guardians of the customers data, how can they guard if a black-box is on their network? It can do anything, the judge has no way of telling, Lavabit has no way of telling. Google apparently refused these boxes and with good reason. There is no trust here, the Judge is not supposed to trust the FBI & NSA to do only what it says. He's supposed to be the guardian of the law, just as Lavabit are the guardians of the data.

An example, if I had such a box, I could spoof email convincingly in a way that would pass forensics. I could create fake evidence. I could spread disinformation (propaganda) again untraceably.

They also asserted that it filters out only the data they were allowed to have and throws away the rest. We know this has been proven to be false in many many leaks, even the President now pretends the data goes into a 'lockbox'. A lockbox isn't a lockbox if the NSA has the key and no judicial oversight stops them turning that key at will.

It seems, once again, the judicial branch has simply become a fawning sidekick to the executive branch.

Re:Why? (5, Interesting)

squiggleslash (241428) | about 7 months ago | (#45024621)

Well, I read the court documents and it appears the sequence of events went something like:

1. FBI asked for real time details of (Snowden? Everyone thinks Snowden, the request was one day after it was revealed he has an account with Lavabit) an account, specifically metadata relating to email exchanges.

2. Lavabit didn't respond.

3. FBI got pissed, involved courts

4. Lavabit made an offer to provide the information on a monthly basis, rather than a realtime basis, and asked for payment of $3,500 ($2,000 for labor and I can't remember what the other $1,500 was.)

5. FBI threw a fit, announced that instead they were now asking for a box to be installed to intercept communications. The box would be programmed to only transmit the required information about person-we-think-is-Snowden, but because of the way it's designed would require Lavabit's SSL keys.

5. Lavabit: Nu-uh.

6. Courts: Uh yeah, we're siding with the FBI on this one.

7. "But I don't trust the government to only intercept $PROBABLY_SNOWDEN's records. Also I want to talk about this case, first amendment and whatnot."

8. Courts: "Well the government doesn't trust you, has good reason not to trust you based on your history of non-cooperation, and I don't care whether you trust it, established precedent says you have to cooperate. Also I'm not going to let you tell anyone about anything so there."

At this point the courts started threatening fines. Lavabit gave up its key but in a way designed to piss off the FBI, which, of course, pissed off the court too. Court started imposing fines. Lavabit shut itself down.

My reading:

1. Lavabit wasn't as principled as claimed by Glenn Greenwald et al. They did actually plan (or told the courts and the FBI they would anyway) to release the records relating to $PROBABLY_SNOWDEN to the FBI. At best you can argue they were lying, but how's that showing integrity?

2. Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing. These mistakes made it easy for the FBI to argue that they couldn't trust Lavabit to do what Lavabit was offering to do. Lavabit should have contacted the FBI immediately, made it clear their concerns, and not made a clearly bad-faith offer to provide something useless to the FBI - I don't mean they should have offered something useful, they should have said instead "Look, this is a major problem for us, we have to investigate further and determine something that can satisfy the law and your requirements that does not damage the integrity of our system", and had a lawyer work with the courts on this.
3. Notwithstanding the above, the court's refusal to allow Lavabit to talk to politicians et al about the basic principles in the case seems absurd and completely unconstitutional. Given the circumstances, I have to assume that Snowden was the target - if $RANDOM_DRUGDEALER was the target, Lavabit going to a politician and saying "We've been told to hand over records of one of our 50,000 users" wouldn't tip anyone off.

This is a total fuck-up. The EFF and ACLU can get involved now, but so many mistakes were made early on it's going to be an uphill fight for everything except the free speech issue. In particular, if you're expecting this to end up with a judgement that it was wrong to demand access to Lavabit's data, you're going to be sorely disappointed.

What moron judge allowed this? (5, Insightful)

h4rr4r (612664) | about 7 months ago | (#45024103)

How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?

Re:What moron judge allowed this? (4, Informative)

loganljb (1424009) | about 7 months ago | (#45024199)

Things are a bit more involved than they seem from reading just the summary. The fed originally requested that LavaBit provide them with information regarding a single account (header information only, but on an ongoing basis), which they are allowed to obtain without probable cause. LavaBit refused the initial request, then stalled when given a court order to provide this information (I believe LavaBit was in the right in doing so -- I'm NOT supporting the fed's case, just providing information). The fed took LavaBit back to court, and obtained a court order requiring that LavaBit provide the SSL key, as the fed did not believe that LavaBit would comply with an order for information on a single account. The best part was when LavaBit sent them the SSL key, as a 4 point font printout :-)

In other words, when LavaBit wouldn't provide them information on a single account, the fed escalated to the nuclear option.

Re:What moron judge allowed this? (4, Insightful)

h4rr4r (612664) | about 7 months ago | (#45024245)

Stop right there. The fact that they are allowed this without probable cause is already too much.

They should have sent it 4 point one character per page.

The fact that the judge believed the FBI would only take the info the warrant allowed makes him either an accomplice or as naive as a child.

Re:What moron judge allowed this? (4, Insightful)

loganljb (1424009) | about 7 months ago | (#45024359)

Like I said, I don't disagree with how LavaBit handled this. In fact, I think EVERYONE should treat federal 'requests' for information the way that Ladar Levinson has, and greatly admire the stand he has taken. I was simply saying that it was more complicated than the summary made it out to be.

That being said, in my personal opinion the fact that the fed can request envelope information with no probably cause is a travesty. I see it as no different than pulling mail out of my mailbox to see who I write letters to and who writes to me. This should be illegal search and seizure

Re:What moron judge allowed this? (0)

Anonymous Coward | about 7 months ago | (#45024649)

I see it as no different than pulling mail out of my mailbox to see who I write letters to and who writes to me. This should be illegal search and seizure

They already scan and record every envelope that passes through the USPS.

Re:What moron judge allowed this? (0)

cold fjord (826450) | about 7 months ago | (#45024375)

Do you "stick it to the man" by defying court orders with any frequency? If not, I have another nomination for who is "naïve."

Re:What moron judge allowed this? (0)

h4rr4r (612664) | about 7 months ago | (#45024411)

No, I do not.
Would I rather lose my job than comply with that order? Sure.

English does not use pronunciation marks. This is why jalapeno does not have the ~ over the N for example.

Re:What moron judge allowed this? (0)

CRCulver (715279) | about 7 months ago | (#45024511)

English does not use pronunciation marks. This is why jalapeno does not have the ~ over the N for example.

Preserving diacritics in borrowed words or not varies from country to country and publisher to publisher. The use of a diaeresis in naïve is very well-established in the UK -- even the American dictionary Merriam-Webster lists it as a variant -- surely you've seen it somewhere in print.

I don't think that the OP was trying to correct you, but rather was writing the word according to his own way while quoting you.

Re:What moron judge allowed this? (1)

AHuxley (892839) | about 7 months ago | (#45024459)

They went back to challenge the order... If you keep reading..
'We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”"
The entire encryption system was up for total decryption long term.

Re:What moron judge allowed this? (0)

Anonymous Coward | about 7 months ago | (#45024639)

Just because a court issues an order neither makes it right or Constitutional. It's amazing how fast the "home of the brave" because the "home of the bootlickers".

Re:What moron judge allowed this? (5, Insightful)

Давид Чапел (3032005) | about 7 months ago | (#45024713)

Stop right there. The fact that they are allowed this without probable cause is already too much.

It is interesting that the prosecutor portrayed this as a pen trap. Courts have ruled that users do not have a reasonable expectation that the numbers they dial on their phone line will remain private (basicaly because they show up on the bill) but that they do have a reasonable expectation that nobody is listening in. That is why this information can be obtained without probable cause. But if Lavabit offered specific guarantees that this information would not be recorded except in the encryted e-mail boxes, then the users had a reasonable expectation of privacy. This might make the use of a pen trap without probable cause illegal.

Re:What moron judge allowed this? (4, Interesting)

FriendlyLurker (50431) | about 7 months ago | (#45024271)

Let's be clear, the single account was Edward Snowden's - and Lavabit's resistance was not futile, the so called nuclear option has backfired on the fed in terms of public sentiment.

Re:What moron judge allowed this? (0, Troll)

cold fjord (826450) | about 7 months ago | (#45024405)

Lavabit shut down. Their other customers have lost service. They are almost certainly going to lose in court. I doubt many in the public will support them when the fact emerge that they were defying court orders.

Re:What moron judge allowed this? (5, Funny)

Anonymous Coward | about 7 months ago | (#45024553)

I doubt many in the public will support them when the fact emerge that they were defying court orders.

Yeah, how dare they challenge authority! It's unamerican!

Re:What moron judge allowed this? (5, Insightful)

FriendlyLurker (50431) | about 7 months ago | (#45024635)

...when the fact emerge that they were defying [Secret, Unaccountable, Undemocratic] court orders.

Cold Fjords subservient cheerleading to power never ceases to entertain. Obviously the operators of the Cold Fjord account have learned absolutely nothing from history, or are on the wrong side. See: "Means Used by the Nazi Conspirators in Gaining Control of the German State" [nizkor.org]. Quote: "To make certain that cases with political ramifications would be dealt with acceptably and in conformity with Party principles, the Nazis granted designated areas of criminal jurisdiction to the so-called Special Courts (Sondergerhte)."

Re:What moron judge allowed this? (0)

Anonymous Coward | about 7 months ago | (#45024671)

That's because the public is full of sissy yokels like yourself. "Home of the brave"... That's a good joke...

Re:What moron judge allowed this? (5, Interesting)

towermac (752159) | about 7 months ago | (#45024595)

I got no mod points, but this is absolutely the takeaway.

The US depends on it's software industry; we shipped all our labor jobs overseas to trade them for office work (programming). That, and Hollywood, is why we're so mean to other countries over IP.

And now the US government has completely undermined them. It's probably a good time to be a programmer in Brazil and Germany. I wonder If our software industry will be able to recover from this.

Re:What moron judge allowed this? (5, Insightful)

silas_moeckel (234313) | about 7 months ago | (#45024431)

The header information blanket traces back to an idiotic ruling that the outside of a letter was not protected since everybody can and had to read it to get it there (the USPS digitizes and stores all of them now). The FBI then applied this to encrypted traffic which makes no sense since it's no longer data that anybody but them or there agent can read.

We need clear guidance, which a simple presidential order could give that prohibits all of these sorts of searches.

Re:What moron judge allowed this? (2)

c (8461) | about 7 months ago | (#45024699)

In other words, when LavaBit wouldn't provide them information on a single account, the fed escalated to the nuclear option.

It sounds like LavaBit's security was essentially an "all or nothing" situation, though. If they compromised just one of their users, then effectively none of their users were secure anymore.

Obviously, the feds weren't too keen on getting "nothing".

Not sure how LavaBit could have architected things to not be in this position. Maybe giving each individual user a subdomain with its own separate SSL server key would allow a specific user to be targeted without breaking everyone's encryption. But quite frankly, who in their right mind would depend on a secure e-mail provider who'd design things for their own legal convenience?

Re:What moron judge allowed this? (0)

Anonymous Coward | about 7 months ago | (#45024239)

I would think that the court judge must not understand the blanket approach the justice department is requesting... It does indeed invade the privacy of all the users on the network, not just the one that they are seeking information about (Snowden).

Re:What moron judge allowed this? (1)

MickyTheIdiot (1032226) | about 7 months ago | (#45024257)

Easy. The U.S. Court is filled with old farts that can't grok what an SSL key even is.

This is just another textbook case of NSA gaming a system that is far from equipped to adjudicate these modern problems.

Re:What moron judge allowed this? (1)

Anonymous Coward | about 7 months ago | (#45024527)

>NSA

At least read the fucking *headline*.

Re:What moron judge allowed this? (1)

cold fjord (826450) | about 7 months ago | (#45024281)

How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?

If you read TFA you'll see that it came about because Lavabit did not comply with the previous order. There is little mystery about it.

Re:What moron judge allowed this? (3, Insightful)

h4rr4r (612664) | about 7 months ago | (#45024335)

The previous order was a violation of due process.
Then the judge somehow believed the FBI would not take more data than they were allowed. So either he was in on it or incredibly foolish.

Re:What moron judge allowed this? (1)

cold fjord (826450) | about 7 months ago | (#45024423)

The other possibility is that your opinion is contrary to settled law.

Re:What moron judge allowed this? (3, Insightful)

AlphaWoIf_HK (3042365) | about 7 months ago | (#45024587)

While that's certainly a possibility (given how illogical the law often is), it has nothing to do with whether or not these actions were wrong.

Re:What moron judge allowed this? (3, Insightful)

bill_mcgonigle (4333) | about 7 months ago | (#45024477)

If you read TFA you'll see that it came about because Lavabit did not comply with the previous order. There is little mystery about it.

They could have gone for enforcement (pretty much "SWAT team" these days) of the previous order. But they used the situation as an excuse to get what they really wanted, 4th Amendment be damned.

Re:What moron judge allowed this? (3, Insightful)

the eric conspiracy (20178) | about 7 months ago | (#45024291)

It's not a warrant. Email headers are not protected information under the law so all you need is a subpoena. Since they are disclosed to third parties there is no expectation of privacy under current law.

It's the same idea that the outside of the envelope that you give the postman is not protected. Nor is a list of phone numbers that you call.

Re:What moron judge allowed this? (2)

h4rr4r (612664) | about 7 months ago | (#45024347)

All of those should not be up for mass inspection.
There is a huge difference between seeing the outside of one letter and running the data on all the letters I ever sent.

Re:What moron judge allowed this? (1)

AlphaWoIf_HK (3042365) | about 7 months ago | (#45024601)

Since they are disclosed to third parties there is no expectation of privacy under current law.

If that is the case, I believe current laws are morally wrong and should be changed and opposed.

Re:What moron judge allowed this? (0)

Anonymous Coward | about 7 months ago | (#45024339)

How is this legal? How do you get a warrant that broad? Are fishing expeditions now allowed by law enforcement?

They're protecting us from "them," so anything is acceptable. Pitiful isn't it? The USA is a plutocracy and we have to protect the "job creators" at any cost.

Re:What moron judge allowed this? (3, Funny)

Russ1642 (1087959) | about 7 months ago | (#45024417)

FBI guy: But Judge, I need to break these fifteen laws and the constitution to catch the bad guys!
Judge: Oh, gotta catch the bad guys. Is this where I sign?
FBI guy: Yes, thanks. Oh, and can you please nullify this parking ticket for me while you're at it?
Judge: Sure thing. Now go get 'em.

Re:What moron judge allowed this? (1)

crakbone (860662) | about 7 months ago | (#45024585)

Probably a bit more like. FBI - Hey, Judge we noticed what websites you have been going to and the emails to the Rent Boy you have on the side. Would you like me to tell your wife or would you like to sign right here?

Re:What moron judge allowed this? (0)

Anonymous Coward | about 7 months ago | (#45024707)

Or how about: only a tiny fraction of Americans actually think any of this is wrong.
There are those who interpret it as unconstitutional, but those whose job and authority it actually is to decide such questions don't.

Re:What moron judge allowed this? (0)

Anonymous Coward | about 7 months ago | (#45024547)

Are fishing expeditions now allowed by law enforcement?

Now allowed? Now? Bwa ha ha!

That doesn't follow (4, Informative)

swillden (191260) | about 7 months ago | (#45024127)

if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone.

I don't think so. There's a big difference between the legal firepower available to a small service provider like Lavabit and someone like Yahoo or Google -- and handing over the ability to read everything is definitely not something that a simple warrant can legally require. Nor even an NSL.

In fairness, in this case the FBI's original request did ask for just specific metadata about one user. I haven't read it closely enough to understand how the scope was broadened so dramatically, except that I understand that Lavabit refused to comply early on, and then eventually the FBI decided that they didn't trust Lavabit to comply correctly due to Lavabit's obstructionism, and so decided that they just wanted to be able to read all the traffic and extract the bits they needed themselves.

Lavabit, of course, decided to shut down instead. That way there would be no traffic to read.

Re:That doesn't follow (4, Insightful)

h4rr4r (612664) | about 7 months ago | (#45024159)

In all fairness their first request was horseshit. The idea that the metadata of email even encrypted email is not protected is already so outlandish as to be nearly unbelievable. We now know we live in a police state.

This judge is either willingly part of this bullshit or the most naive SOB that ever lived when he believed the FBI would only take the information the warrant allowed. If you give them the ability to get more they will take more.

Re:That doesn't follow (4, Insightful)

the eric conspiracy (20178) | about 7 months ago | (#45024241)

Umm in a police state Lavabit would have never existed in the first place.

We are in one of those times where the US government is over-reaching their powers under the Constitution. It isn't the first time.

Time to wake up folks. The price of freedom is eternal vigilance.

Re:That doesn't follow (3, Insightful)

h4rr4r (612664) | about 7 months ago | (#45024263)

All police states have to start somewhere and letting lavabit operate while holding the keys to it is one hell of an observation tool.

I am aware this is not the first time, but like before we will need something major to wake people up.

Re:That doesn't follow (1)

Anonymous Coward | about 7 months ago | (#45024373)

Vigilance is worth shit unless you actually stand up and do something.

Re:That doesn't follow (0)

Anonymous Coward | about 7 months ago | (#45024657)

In a police state the secret police would run Lavabit. Not exist? Give up all that juicy information flow? Bah, never.

Re:That doesn't follow (0)

Anonymous Coward | about 7 months ago | (#45024333)

I don't think so. There's a big difference between the legal firepower available to a small service provider like Lavabit and someone like Yahoo or Google -- and handing over the ability to read everything is definitely not something that a simple warrant can legally require. Nor even an NSL.

There's also a difference in the willingness to fight of someone like Yahoo or Google, as already well demonstrated. Neither company would shut down rather than comply if faced with such an order.

If (0)

cold fjord (826450) | about 7 months ago | (#45024133)

if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."

With a court order, yes. Is the situation really different anywhere else?

Re:If (1)

fustakrakich (1673220) | about 7 months ago | (#45024283)

Is the situation really different anywhere else?

Of course not. Therefore we have to do this.

Pssst, hey, buddy.. Wanna buy a court order? I gotta million of 'em, right here in my pocket.. Waddya need? I got your restraining orders, discovery, wiretap, asset forfeiture, arrest warrants, you name it...

Re:If (0)

Anonymous Coward | about 7 months ago | (#45024643)

Is the situation really different anywhere else?

Shouldn't matter if others do it or don't. Only question must be "is it the right thing for a court to order?"

Should the US still be in charge of the internet? (5, Interesting)

Anonymous Coward | about 7 months ago | (#45024167)

Go ahead, mod me troll. But given the recent revelations, how can we claim to be any better than even the fucking UN at this point? I've made a complete u-turn on this issue, and it scares the crap out of me that I would have continued to defend the US as the savior and guardian of the open and free internet if it wasn't for a single guy leaking some stuff. And we can't even push something as simple as net-neutrality regulations through without it becoming a horrible political mess.

Fuck this government and its institutions and fuck the people that support it.

Re:Should the US still be in charge of the interne (2, Insightful)

Anonymous Coward | about 7 months ago | (#45024521)

If we are to chose a single country, then probably US is the best option (at least if you are not a brown person). Nations are generally divided in two bunches: US sockpupets that can be used for things even the US does not want to be seen doing (hint: like Canada) and totalitarian dumps who's leaders would gladly murder just about anyone that threatens their access to power. So a common counterargument is that we either end up with US, or someone much worse.

But it does not have to be that way. An international agreement drafted by the major industrialized nations with an eye towards freedom of expression and democracy could be a much better deal than a single nation calling the shots. One important provision in such a treaty would be banning spying of international traffic passing though domestic lines. Nations would still be tempted but if caught it would justify international sanctions like a connectivity embargo. Imagine that, the first country with a closed internet would not be Iran, but USA. And the closure will come from the exterior. Quite a sensation on Nasdaq.

Anyway, don't get your hopes up, the way things work in the UN, there will never ever by a sanction against US, because it along with select few can veto any such action.

Contribute (5, Informative)

kajsocc (2955535) | about 7 months ago | (#45024171)

Lavabit is still in court over this. You can contribute to their legal defense fund here [rally.org].

Re:Contribute (2)

Mhtsos (586325) | about 7 months ago | (#45024315)

Mod parent up.
Also google, amazon and microsoft should be fighting on who will send the most lawyers over to lavabit if they have any sense in them, because of a thing called legal precedence.

Re:Contribute (5, Informative)

DeathToBill (601486) | about 7 months ago | (#45024617)

I'm blowing seven mod points I've already handed out on this story doing this, but meh, who cares. Pointing out someone has no idea what they're talking about is worth it. Sending the most lawyers has nothing to do with legal precedence. Lawyers can't influence legal precedence any more than any other person in the country. I'm not sure why you even care about legal precedence - it's not usually a very controversial subject. It's just how things are.

A court has precedence because courts are set up in a hierarchy by the legislature.

Some types of law have precedence over others, for instance the constitution over statute and statute over regulation.

Of course, they may want to send lawyers because of things called legal precedents. It's something different. Go look it up.

So much for narrow scope (3, Interesting)

Supp0rtLinux (594509) | about 7 months ago | (#45024205)

I thought these and similar laws (wiretap, etc) were only allowed to act upon the entities being investigated and for which the warranty was issued. And it sounds like Lavabit tried to keep the scope narrowed to the one person being investigated, but the FBI wanted more. Isn't this over reaching the scope of the warrant and therefore any case developed would be tossed out? IANAL, but I thought the scope limitations were there for a reason. That idea TPB had to buy an island is sounding more and more convincing these days...

Re:So much for narrow scope (1)

cold fjord (826450) | about 7 months ago | (#45024481)

I thought these and similar laws (wiretap, etc) were only allowed to act upon the entities being investigated and for which the warranty was issued. And it sounds like Lavabit tried to keep the scope narrowed to the one person being investigated, but the FBI wanted more.

The Feds originally just wanted metadata for one account, which Lavabit could have provided. They didn't comply with court orders so now they are facing the consequences.

Re:So much for narrow scope (1)

Anonymous Coward | about 7 months ago | (#45024677)

they didn't comply with FBI orders they went to court ti fight it since they were fighting it the FBI wanted complete access. Sounds to me like a kangaroo court. You are not allowed to talk to anyone and if you refuse we will go after everyone.

misleading summary (3, Informative)

schneidafunk (795759) | about 7 months ago | (#45024209)

Lavabit did not offer an alternative solution, they offered to comply with the ORIGINAL search warrant that asked for just one user after prosecutors upped the ante when Lavabit refused the first search warrant.

FTA:
"By this point, Levison was evidently willing to comply with the original order, and modify his code to intercept the metadata on one user. But the government was no longer interested."

Groklaw/PJ (2, Interesting)

Anonymous Coward | about 7 months ago | (#45024235)

Was this the thing PJ said she couldn't reveal but would cause anyone to distrust email?

update (5, Interesting)

Anonymous Coward | about 7 months ago | (#45024319)

UPDATE 7:00pm CT: In a press release published on his Facebook page, Levison confirmed the unsealing and laid out his defense.

“People using my service trusted me to safeguard their online identities and protect their information. I simply could not betray that trust," he said. "If the Obama administration feels compelled to continue violating the privacy rights of the masses just so they can conduct surveillance on the few then he should at least ask Congress for laws providing that authority instead of using the courts to force businesses into secretly becoming complicit in crimes against the American people. http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/

simple: if it goes over the internet, it's public (1)

Anonymous Coward | about 7 months ago | (#45024325)

act accordingly.

Re:simple: if it goes over the internet, it's publ (1)

AlphaWoIf_HK (3042365) | about 7 months ago | (#45024653)

It's not public and you should always oppose surveillance, but exercising caution would still do you well.

Certificate Authorities compromised? (5, Interesting)

kaalon (2861517) | about 7 months ago | (#45024421)

Can we assume that all the major Certificate Authorities have been "compromised" by the FBI / NSA as well.

Re:Certificate Authorities compromised? (0)

Anonymous Coward | about 7 months ago | (#45024483)

Yes.

Re:Certificate Authorities compromised? (0)

Anonymous Coward | about 7 months ago | (#45024607)

Well, maybe for the NSA, but not necessarily for the FBI. Otherwise, why would the FBI need to compel Lavabit to turn over their keys in order to read its customers' emails when they could just set up a MITM device to intercept them?

Re:Certificate Authorities compromised? (1)

lucag (24231) | about 7 months ago | (#45024615)

So what?
A SSL certificate is used just to provide end-to-end encryption, not to protect the storage.
As such, it is sort of pointless to wonder if the root certificate used by any major provider has been or is known by some federal agency or not... it is much easier to ask the owner of the server for its contents than to intercept communication.

This being said, it appears that lavabit used encrypted storage as well but there is something amiss in the way the protocol was implemented, I fear.
(I have never been using their service, so it might be I am grossly misreading things: corrections would be very welcome!)

Let me explain: as long as encryption and decryption are being performed by a remote server there is no guarantee that data might not be captured (ok ... homomorphic encryption might be going to change part of the scenario; unfortunately is far from practical nowadays and so it will be in the next 5/10 years).
There are basically three approaches I might be thinking about
  1. perform decryption with a custom program on the client: the key is never sent "in clear" and the server just owns a public key to encrypt data as soon as they are received; however there is a window in which the server knows the plaintext (i.e. before writing it down to permanent storage) and might copy it.
[the sensible option is to ask people to use gpg and then rely on public servers, trusting the cryptography]
  2. perform decryption locally in a javascript client in the browser. This might actually work, and with the proper setup it is also possible to use public key algorithms
  (basically the user has to upload a copy of her private key encrypted with a symmetric algorithm to the server, together with a public key; upon a decryption request the server downloads the packet in the javascript app and locally decrypt it; then, once the private key is recovered it moves on to locally decrypt every single datum as stored remotely). There is the same disadvantage as in 1 here, in the sense that the server can copy the data while they are "in clear", but no special client is required. I point out, however, that in this scenario it is possible for the server to offer a compromised javascript page which also uploads the secret key as soon as decryption is required; as such the surface of attack is larger.
3. perform decryption remotely by providing a symmetric (and/or private) key. Here it is just a matter of trust between the user and the server in that the administrators are not going to either clone the data (yet this they could have done also in scenarios 1 and 2) or keep a copy of the key as provided. This is the simplest solution, but also the least safe of them all.

In summary: do not trust anybody to do cryptography in your own stead (unless you work on homomorphic encryption, of course ;-) ) and least of all to do decryption of any data; if you need secure (in the sense of 'secret') mail require all parties to use client applications providing the encryption on their own machines and not to delegate to any third party (third parties might be used to store encrypted data, though).

Re:Certificate Authorities compromised? (0)

Anonymous Coward | about 7 months ago | (#45024697)

Without question.

"no U.S. company" (1)

stenvar (2789879) | about 7 months ago | (#45024499)

The phrase "no U.S. company can be trusted" may erroneously suggest that you might still be able to trust non-U.S. companies. But serious and offensive as this is, don't assume that you're safe anywhere else. The only reason we know about this is because the US legal system at least allowed the order to be unsealed (and probably only because it was the FBI rather than the NSA). Legal systems and spy agencies in other nations have powers that are at least as broad, and often far broader, than their US equivalents, and often have even less government supervision.

Diffie-Hellman would at least force an MTM-attack (0)

Anonymous Coward | about 7 months ago | (#45024535)

From the source:

With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau still trying only to capture metadata on one user.

If lavabit had used Diffie-Hellman key exchange, then the private ssl-key is still not enough to eavesdrop on the communication. The interceptors would have needed to perform a full blown man in the middle attack.

Best part of that wired article (1)

Anonymous Coward | about 7 months ago | (#45024579)

"In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.
The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.
On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter."

Reading this makes my day

Summary is hogwash (2, Informative)

Anonymous Coward | about 7 months ago | (#45024593)

Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys

That's nonsense, and in particular Javabit encrypted the user data and communication using public key encryption methods. The problem is that the communication is SSL-encrypted. And that means the private SSL keys allow complete eavesdropping on the communcation and man-in-the-middle attacks (insertion of malicious content). That allows getting a hook into key exchanges and ultimately compromising whatever you want that depends on ongoing trust of the service.

If the service has been set up well, past data and communication are secure from decryption. The Lavabit owner had built a service ultimately relying on his personal integrity (and at some point in the process, you can't take that out of the equation) for its principal goal, secure mail, and the feds demanded he hand over his integrity. Any continued operation of the service would have been effectively fraud since its core tenet would no longer be provided.

He might have to serve prison for refusing to defraud all of his customers regarding his sole product. The good news is that he shut down before they were able to turn his service into a trap.

Fucking totalitarian injustice regime.

How's that working out for you? (0, Insightful)

Anonymous Coward | about 7 months ago | (#45024611)

How's that "land of the free, home of the brave" thing working out for you guys?

At some point, America is going to have to learn to reconcile their beliefs about themselves with reality.

You're not free. You're not in favor of freedom. And you've become a country whose government which is actively working against the things you claim to stand for.

So when the rest of the world stops buying your products, putting up with your shit, or giving a damn about your business interests ... you can own that. All of your industry has been rendered as not trustworthy by your government spying.

There's no reason for any other country to trust America any more than they would Iran.

Face it guys, the terrorists won, because they've more or less destroyed the last illusions you had about your way of life.

Not so long ago if someone had said "papers please, comrade", and "if you have nothing to hide you have nothing to fear" would apply to America many of us would have laughed. Instead, we now see that America stopped being free a very long time ago.

You're like the Roman empire -- in decline and oblivious to it. The only question is how long before you do, and if you can fix it. At this point, I seriously doubt you can.

Manifest douchebags.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...