Lavabit Tried Giving The Feds Its SSL Key In 11 Pages Of 4-Point Type; Feds Complained That It Was Illegible
from the kudos-to-ladar dept
We already wrote about the basics of Lavabit’s Ladar Levison standing up to the feds, however, the full filing has now been released, and (on top of that), Kevin Poulsen has updated his story with more details, so it’s worth digging in a bit. Lavabit was hit with an initial pen register, which it refused, leading to the order to hand over the SSL keys. The new details show that Lavabit explained to the judge that giving up Lavabit’s SSL keys wouldn’t just let the feds spy on Snowden, but all of Lavabit’s customers, and for obvious reasons, the company had a huge problem with that:
“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”
And it becomes clear that Levison then was actually willing to abide by the initial pen register, to basically figure out a way to just tap Snowden, but at this point the government was no longer willing to stop there. The government pushed for getting the SSL key, basically promising not to abuse it:
“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” [Prosecutor James] Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”
“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”
“All right,” said [Judge Claude] Hilton. “Well, I think that’s reasonable.”
The judge then made a ruling that should cast a massive chill over anyone setting up private communications services:
[The government’s] clearly entitled to the information that they’re seeking and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that information just as they could from any telephone company or any other e-mail source that could provide it easily.”
Yikes. So, even if you set up a secure communication system, this judge says that you have to let the feds wiretap it.
Somewhat amusingly, Lavabit tried to comply “by turning over the private SSL keys as an 11 page printout in 4-point type.” The feds complained that “the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data.” Poor, poor FBI. The judge has no problem putting a massive burden on Lavabit, but asking the FBI to actually do some data entry is too onerous? Yup. Apparently. The court then ordered Levison to provide a more useful electronic copy, which then resulted in the $5,000/day fine for failing to live up to that, and then the closure of the site.
Filed Under: doj, ed snowden, fbi, feds, ladar levison, ssl
Companies: lavabit
Comments on “Lavabit Tried Giving The Feds Its SSL Key In 11 Pages Of 4-Point Type; Feds Complained That It Was Illegible”
11 pages of 4pt text is significantly more than 2560 characters.. A typical page would be around 36000 characters.
Re: Re:
Re: Re: Re:
heh – using more than one key?
must be a trrrrrist
Re: Re:
“11 pages of 4pt text is significantly more than 2560 characters.. A typical page would be around 36000 characters.”
even 12-point text (regular size) is just over a page long.
i think he did it that way to make it more cumbersome. that is, it’s conceivable that they could scan a single-page document with a hi-res scanner, blow it up, and then try their luck at deciphering the characters. he probably spread it out over many pages and they weren’t numbered, so you don’t know which character comes next. plus, it’s just a bit more ass-holey. that’s my guess.
Here's your problem
Governments don’t have rights, people do.
Re: Here's your problem
Governments grants rights. Shut up and do what they say or you lose the rights you use to complain!
Re: Re: Here's your problem
Governments are people my friend
Re: Re: Re: Here's your problem
you just keep thinking that and live in your happy little world.
Re: Re: Re:2 Here's your problem
You look funny
Re: Re: Re: Here's your problem
Never forget this. Next time you wonder how they could be such utter rat bastards, you have your answer.
Re: Re: Re: Here's your problem
Doesn’t it then follow that governments are made of Soylent Green?
Re: Re: Here's your problem
I hope you’re being sarcastic.
Re: Re: Re: Here's your problem
Probably is being sarcastic, but at the same time it is inline with government double speak.
Re: Re: Re: Here's your problem
He is paraphrasing Mitt Romney.
Re: Here's your problem
amen. let that be heard again please. governments don’t have rights, people do.
Re: Re: Here's your problem
Actually, the government is the people. You are all just the plebs put here to support us with your taxes.
Altogether now: NSA! NSA! NSA!
Re: Here's your problem
President Lincoln (and the governors of the confederate states) would have disagreed with you on that one. 😉 Millions of US and CS soldiers died over that concept. States refusing to (likely/potentially) give up a way of life, versus a federal government that was literally facing extinction and (likely/potential) foreign invasion. Industrialization ironically would make the very concept of plantations obsolete. You’d still have ‘wage slaves’ though, where people get stuck buying from the company store, paying company rent… Coal miners and loggers rioted over this, but that’s another story.
Not saying it’s “right” to have absolute monarc-I mean slav- err I mean national socialism. Just that it’s been established for over a century in the USA that the constitution as much protects the government as it does the citizens, in this republic. Go and openly make threats against that judge just because you disagree and see what happens. You’ll be arrested as quickly as you can say “intimidating government official”. The fact that the government itself made the decision to give themselves more power is like a kid in a candy store saying they can have more… It’s their job and perogative/self-interest to do so. In the long term, you’re trading stability, safety, and security for power, though.
Caveat: (USA) Southerner with individualist leanings
Talk about deja vu...
?We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,? [Prosecutor James] Trump said. ?It filters everything, and at the back end of the filter, we get what we?re required to get under the order.?
?So there?s no agents looking through the 400,000 other bits of information, customers, whatever,? Trump added. ?No one looks at that(1), no one stores it(2), no one has access to it(3).?
‘No see, just because we could go over all the data, looking for interesting bits of information on people who had nothing to do with our investigation, of course we’d never do something like that, as we’ve only got authorization to monitor one account, and doing otherwise would be wrong.’
Hmm, now where have I heard that kind of argument before?
(1) Until we get around to it.
(2) Honest, we pinky-swear we’d never store data after saying we wouldn’t.
(3) Well, except anyone with access to a computer and enough clearance, or any other agency that would love to get their hands on the data stream as well…
Re: Talk about deja vu...
The very first question you should ask is how do they know that the system is working correctly if nobody verifies the data.
It is obviously that someone looks at the data to at the very least make sure it is collecting the right stuff, that person is the next Snowden portal.
Re: Talk about deja vu...
Man, those pinky-swears are sooooo restrictive that I just KNOW that the participating parties would NEVER violate such a oath. Take our elected, appointed, and hired officials, and how seriously they take THEIR oaths of office……………………………………………………………………………………………………………………………………………………………………………………………………………………………………..oh wait…
Here is an alternative:
Quote:
Retroshare
Maybe someone should contact Groklaw and ask them to do a search for SERVERLESS mail clients, which will allow them to restart Groklaw with more privacy guarantees.
Reddit also is on top of it, following all the developments.
http://www.reddit.com/r/retroshare/
Other options:
ePOST SERVERLESS EMAIL SYSTEM
GNUNet
Bittorrent Chat
FlowingMail
Lavabit founder could contact one of those projects or all of them to see how he could build an email service on top of those anonymous secure platforms in a business like environment, using his servers to just speed up the process instead of handling the encryption and delivery and performing non critical services for clients wink, wink 🙂
Remember the Napster!
Re: Re:
Didn’t Groklaw shut down?
Re: Re: Re:
It’s still up (for now, at least …) but no longer appears to be updating.
Which is a damn shame, as I found it one of the most useful and informative sites on the entire worldwide web.
Re: Re: Re: Re:
From what I heard the originator trying to get out from under of the site but unwilling for anyone else to take it over.
Re: Re: Re:2 Re:
Suicide bomber mentality?
That would be sad, I miss Groklaw.
Re: Re:
They’ve likely known about Freenet+FMS, for years. You don’t even need to worry about traffic analysis, AFAIK. It would still be wise to use PGP or similar program’s clipboard functionality. I assume they’re not incompetent as attorneys in this field. They pretty much HAVE to know about it!
Government
God I miss the days when I could say the US government was made by the people, for the people. How I hang my head low.
Re: Government
No, it was made by the nobility, for the nobility. Always has been, always will be, lamentable as it is.
Plain epic win for this guy. There’s a certain Nobel prize deep buried in rotten shit that could be awarded to Mr Ladar. Maybe peace has nothing to do with what he did but then again the holder is doing stuff that are the polar opposite of peace so why bother with specifics?
Re: Re:
But he did agree to let the NSA snoop on Snowden, says the article. That’s still pretty bad, isn’t it? Not as bad as letting them spy on all your users, but still.
Re: Re: Re:
Wait, I (and the article) stand corrected. From Ars Technica:
“The new 162-page set of documents shows that Lavabit was first served with a ?pen register? and “trap and trace device” order, which would require the handover of one of its user?s login details. As Lavabit encrypts those details, that wouldn’t have done much good for the government’s case. Indeed, Levison told the court in a July 16 hearing that he had “always agreed to the installation of the pen register devices,” as they would have yielded almost zero useful data.”
? http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/
Re: Re: Re:
But didn’t they have a warrant for Snowden? I don’t find that bad if they had that.
Judge is right
Basically, what the judge said is correct: “just because you-all have set up a system …, that doesn’t in any way lessen the government’s right to receive that information”.
In other words, US have laws which explicitly allow wiretapping. Nothing extraordinary about it. Remember, this government official gave sword testimony, and judge have no reason to think he’s lying. If this official says “we’re not looking”, what do you thing judge will do, say: “nah, don’t believe you”?
That’s not how (any) functional government works.
Re: Judge is right
Wrong, judges have an obligation to be distrustful of any statements issued in his court, the law deals with facts not statements, if the government can’t prove what they say it is a fact then there is no reason to believe it now is there?
Re: Judge is right
You know whom else gives sworn testimonies?
Liars, people who lie to congress also give sworn testimonies, isn’t that glorious.
Is unfortunate that we need to have an entire bureaucracy which its whole purpose is to lie and deceive to conceal its working, but there it is paid and bought with public funds, now you are saying that we should trust professional liars?
Re: Re: Judge is right
You mean “Sword” testimonies like the OP. I think you give the testimony under threat of your head being lopped off!
Re: Re: Re: Judge is right
Just what type of sword is used in taking testimony?
Has this ever appeared on NCIS?
Re: Re: Re:2 Judge is right
A Templar longsword probably.
Re: Re: Re:2 Judge is right
“the sword of the Spirit, the Word of God”
You know, that book they put their hand on right before they start lying…
Re: Judge is right
Then the laws are anti-democratic and should be nuked from orbit.
Moreover, the government has no rights – it has privileges.
Re: Judge is right
Actually, the judge isn’t right. The statement itself is not in contradiction with the constitution (even the idea of the government having been granted rights, see the tenth amendment). The statement is incorrect only with regard to the scope it is being applied to, but in context, it is incorrect.
The government can, through a warrant that specifically targets certain data, force you to hand over that data unencrypted. However, the keys themselves along with the entire data stream is no longer “particularly describing the place to be searched, and the … things to be siezed.”
Basically, the government can demand:
Decryption of sessions carried out with certain target IPs within a certain date range and the seizure of email bearing certain addresses as headers from among that data. Just as they cannot demand a key to your house or the combination of your safe, they also cannot demand SSL keys. They are, however, free to demand that you unlock these things with a properly targeted warranty.
The government will complain that it can’t compile the necessary information and thus can’t prosecute dangerous criminals. Oh well, the system has never been balanced under the idea of maximal enforcement. American ideals place the rights and protection of innocents above enforcing crimes, except those rights specifically reserved to government and enumerated in the constitution as allowed.
Re: Re: typo correction
Should be:
They are, however, free to demand that you unlock these things with a properly targeted warrant.
Re: Judge is right
That’s exactly how the judiciary is supposed to view the executive branch. When the judiciary takes the executive branch at the word no questions asked there can be no meaningful checks on executive power.
Re: Judge is right
As I understand it, there are laws that compel telephone companies to provide a means to easily wiretap telephone calls, but no equivalent law for email.
Re: Re: Judge is right
Please don’t give Congress any ideas John. They’ll probably pass a law allowing that (and odds are it’ll be championed by none other than Sen. Feinstein in the name of “national security”).
Excuse my ignorance, but why would encryption “master keys” even exist? Why even have something the government ask for? “You want to tap our servers? Go for it, everything on there is heavily encrypted. You want the key? Sorry, never had one/it was destroyed as soon as we were done with it”
Re: Re:
The quick answer to your question is convenience. Keeping Email content private requires that people manage their own keys. This includes ob This requires effort to set up and use.
Re: Re: Re:
Oops
‘This includes ob’
should be deleted
Re: Re: Re:
Depends on the system. It’s quite possible to have a P2P server (‘cloud’) arrangement where each peer (‘node’) broadcasts it’s public key and the sender’s node sends that. Also, this can be layered so that you can have say, 10 servers hand off the message and just unpeel the 11 layers. This wouldn’t protect you against timing attacks or traffic analysis, though. For that, you need randomized onion routing instead of an optimal-path algorithm, and some kind of traffic delay. As in, Freenet. I2P and TOR have the onion routing part, but you have to run a secondary protocol on top, to support random delays at each node. There’s always big arguments between developers and their cliques over rather it’s better to bake it in to make it noob-proof, or to make it an OSI-style layer, to make it less buggy.
Re: Re:
For some thing like gMail- mail comes in under one SSL key, is decoded, stored and goes out under a second SSL key. The SSL is to secure the data in the pipes not the server. Lavabit kept security on mail differently but still needed away to decode the mail to make it useful.
SSL keys are business records. Business records are not all that protected and can be requested without much more than a Subpoena and I’m not that clear if they need that much. Business records tend to get turned over by business without much of a fuss- Just like phone, bank, credit card transaction records…
The really scary thing here is that the NSA seemed to expect them to be turned over. Does that mean other services (Google, Yahoo!, Verizon….) have been honoring these requests? The evidence indicates that the NSA may be storing data going into and out of sites so they don’t need to bother with the companies beyond getting a key to read the mail later.
Re: Re: Re:
Is the code to the bank vault also a business record?
Keys, of any kind, are not records. Further, the word “papers” in the fourth amendment has always included mail and thus naturally extends to email, thus requiring warrants and not subpoenas in at least this instance.
Re: Re: Re: Re:
When they rotate keys they become records.
Re: Re: Re:2 Re:
This makes no sense. That’s like saying that the key to a business’ front door is a business record.
Re: Re: Re:3 Re:
A door key is mostly a simple physical object. A cryptographic key is a list of numbers and other characters. It becomes a record in a file.
FWIW A physical key can be represented by a short series of numbers for the depth of the cuts on the key and the blank number. You can get a new car key cut from records easily enough. You could do it with a house key but that record is less likely to be kept.
I’m not agreeing with the logic but this is what is being used.
Re: Re: Re:4 Re:
Hmmm, so then if the SSL keys were stored on a punched card and had to be entered into a reader to use, then that would make it no longer a business record?
I think the logic by which it’s considered a “business record” is deeply flawed.
Re: Re: Re: Re:
Papers and records held by a second party lose protection. It is the result of a bunch of court decisions.
They have been discussing these sorts of privacy problems all week on NPR:All things considered. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us
Re: Re: Re:
SSL keys are business records.
Whose bright idea was it to make that classification?
Re: Re: Re: Re:
Probably an NSA stooge. Saves effort thinking that way.
Where is a scanner w/ OCR when you need one?
I guess the NSA only had a Xerox WorkCenter scanner/printer, set to the default (faulty) resolution… 🙂
Re: Where is a scanner w/ OCR when you need one?
OCR is not a perfect technology. Especially on 4pt text with mixed characters and no “dictionary” words it can check against. It would be just as quick to have the data typed in as it would be to manually check it after OCR.
Re: Where is a scanner w/ OCR when you need one?
I wonder if he used a nice textured paper, 4pt body height is about an 18th of an inch high or about 1.4 mm high.
Re: Re: Where is a scanner w/ OCR when you need one?
Output on newsprint with ink jet before steam texturizing it on top of watercolor paper. That should do the trick.
Take this to a higher level of abstraction the biggest growth industry in the US for the last 20 years has been information technology in the form of companies like Microsoft, Apple, Google, Yahoo, Face Book et.
All of the above companies are known to have provides all US government and many foreign government alphabet soop agencies with backdoors to any and all information.
We have also heard that most of the major back bone teleco companies are also providing equal access.
Translate the one and only major economic bright spot in the world economy has been and is governments’ establishment in world wide spy networks on private citizens.
Re: Re:
That is not a bright spot, but a parasitic growth, the private citizen pays for all of this spying.
Note any cost and taxes levied on companies get passed up the chain of customers until it arrives at the private citizen.
give it to them
i say give them what they want no one said you had to give it to them in order make it a fun 10000 charater puzzle print one 72 pt letter per page and turn it in by dumping it on the desk of the @sshat whom requested it
Re: give it to them
I think that’s what he did, hence the $5000 fine.
Re: give it to them
THAT should have been the next response when the rejected the 11 pages of 4pt type. 1 page per character stacked in order such that if they happened to get accidentally out of order while going through them they became absolutely worthless.
print each page on a print out of the laws they are breaking one big letter of requested data per page like they do when we ask
Counter argument?
Your honor, sometimes you deem it necessary to seal certain records or transcripts. Assume for a moment that a law has been passed and under that law a large organization may have access to one any of those sealed records for another case.
Because there is only one key to the vault where all records are stored, it is difficult to perform this without compromising everything and you have severe misgivings about this in the first place, but if push comes to shove, you are willing to work with them to make that happen.
However, the argument is made that that is not good enough. You must provide access to every record, *including all future records*, and do it in such a way that it is completely unverifiable whether one record, a few records, or all records have been copied, stored, viewed, or shared with other organizations. Would you be satisfied with that ruling or with an unaccountable and unenforceable statement from one person that none of this will ever happen, despite all evidence to the contrary?
1. Would you be willing to trust that organization to this degree?
2. Would your order to “seal” a record have any real meaning at that point?
3. Could the people that come into your court trust any promises of discretion that you made or would you be effectively lying to them?
As a judge, we presume truth matters to you. Yet you are about to force a private company to not only compromise their entire business model, which is founded on trust, but then to lie about it to their customers through silence or denial.
You must decide whether you will cynically and unquestioningly enforce laws that are moving us farther and farther from “the great experiment” in freedom and representative government that are the foundation of this nation, or whether you will push back against this precipitous descent toward a police state founded on lies and lack of government accountability. As part of the judicial branch of government, this is not only your privilege, it is your sworn duty.
Re: Counter argument?
“However, the argument is made that that is not good enough. You must provide access to every record, including all future records, and do it in such a way that it is completely unverifiable whether one record, a few records, or all records have been copied, stored, viewed, modified, or shared with other organizations.” FTFY
Clerics: We put the doctored in doctrine!
?So there?s no agents looking through the 400,000 other bits of information, customers, whatever,? Trump added. ?No one looks at that, no one stores it, no one has access to it.?
Then why demand access for it in the first place?
Re: Re:
Because they seized a copy of the servers and now are asking for the master SSL key.
Re: Re: Re:
More like they have a copy of all the traffic from PRISM.
?All right,? said [Judge Claude] Hilton. ?Well, I think that?s reasonable.?
No it’s not. When is it reasonable to say “I need access to item C and only C, so give me items A-Z.”?
Re: Re:
When nobody there gives a fuck that is when.
Govt "right" vs. Govt propensity
here’s a quote from a Thomas Jefferson letter to John Adams:
If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be. The functionaries of every government have propensities to command at will the liberty & property of their constituents. There is no safe deposit for these but with the people themselves; nor can they be safe with them without information.Where the press is free and every man able to read, all is safe.
Because the government holds your items, whatever they may be, has always meant that those items are not safe nor secure.
Re: Govt "right" vs. Govt propensity
Where the press is free and every man able to read, all is safe.
What Jefferson is missing there is that every man must not just be able to read, but must actively exercise that skill. The ability is meaningless otherwise.
Re: Re: Govt "right" vs. Govt propensity
Well, he lived before Mr. Orwell… It’s interesting how “independent” AKA noncompliant methods of problem-solving are punished in class, now. No wonder homeschoolers often are way ahead of their peers. You almost couldn’t do worse! Of course, they have the occasional ‘special’ parents that place religion over academics or practical experience. Also, one of the most ironic things about critical thinking, is that as soon as you have an official class for it, it’s almost certainly sabotaged.
The narrative about Lavabit takes a bit of a hit in light of providing even ‘obfuscated’ copies of the key.
OCR does exist and is quite feasible, so there’s a period of a few days? where Lavabit was vulnerable, and not shuttered. This makes me wonder about a plausible deniability effort by Levison, only dealing with the issue when that became infeasible. And only closing when there were financial penalties?
It’s still admirable, but that fighting image takes a bit of a knock I think.
Re: Re:
“OCR does exist and is quite feasible…”
Unless you know of some magical new OCR technology then OCR is NOT feasible for this type of job. For it to work with 4pt text the OCR software would be very inaccurate. Modern OCR software uses predictive technologies such as dictionary checking, grammar checking, near-neighbor analysis etc in order to get good results. It expects text within certain size constraints in certain fonts and of a certain quality. A SSL key printed at 4pt might get 30-40% accuracy at best. Then you would have to compare each and every character by hand – that means looking at two separate images to make sure the OCR is correct.
Much quicker to have it blown up and have a typist copy it by hand. A good typist could get 98% or above accuracy at a fair speed – and they would not need to look at two separate images.
Disclaimer: I work on the development of a document management system with OCR capabilities and have studied many OCR technologies as part of my work.
Re: Re: Re:
In fact, the quickest way to do this would be to have multiple typists copy the text and perform a test for differences across the produced text.
Re: Re: Re: Re:
Sure, I’ll accept that, I don’t use OCR at those scales much 😉
My main point was about the narrative and period of vulnerability really.
The peeps are looking for others involved. Hopefully Lavabit bought them sufficient time.
Decentralization is the only answer
The vulnerability here is that there was a trusted third-party (Lavabit).
It is much better when the only entities who can give access to the information are the sender and the recipient. The incentives align in this case: the only ones who can access the information are also the ones who are interested in protecting it.
Increasing the use of encryption (HTTPS everywhere) is an important first step, but the goal should be to avoid depending on trusted third-parties in the first place.
Re: Decentralization is the only answer
Yup. Secure webmail is an oxymoron.
HSM
Just thought of another thing.
Most people do not use a HSM (Hardware Security Module) with SSL/TLS. Without a HSM, you can be forced to provide the key, like happened with Lavabit.
With a HSM, it is next to impossible. The key never leaves the HSM. And the HSM is designed to erase the key if any attempt is made to tamper with it; usually, the key is kept in RAM, and the HSM has a built-in battery. Cut the battery power, lower the temperature (to increase the RAM retention), drill into the case, all these are actions which a high-quality HSM will detect and erase the key.
They would have to either change the key (detectable with the Certificate Patrol browser extension), plug the HSM into their interceptor (which would become a man-in-the-middle attack), or compromise the server. In any of these situations, they still could not decrypt older traffic, even without forward secrecy.
Re: HSM
You have a good point, but there are problems with HSMs.
First, they’re expensive. A good HSM easily can run into the hundred thousand dollar range. Second, you can only have one server terminating all SSL connections. Since the HSM wont let anyone get the key, then the server with the HSM must be able to handle everyone. Then there’s the downtime that occurs if the server or HSM ever breaks. They’d need to get a whole new Cert issued.
The big reason why companies don’t use Hardware Security Modules to store their SSL keys is the way that HSMs work. In order to make sure the keys never leave the HSM, the HSM itself decrypts all the data. Something that just isn’t feasible when dealing with multiple SSL connections.
Re: Re: HSM
Begs for an “IBM-compatibilization” of the HSMs. It also seems like you could get ‘good enough’ capability, with off-the-shelf parts and an open-source design.
It would need sufficient randomness.
It would need tamper resistance.
It would need to be reviewed for exploits.
It would need reliability (might have to use redundant HSM’s).
It would need to be less than current HSM’s (including TCO).
It would need massive storage and processing power.
It would need overtly-silent tamper evidence.
This would obviously be a very intensive project with lots of security pitfalls. :/
Re: HSM
Still, it’s theoretically possible to inject faulty code into a HSM’s RNG, thus making it infinitely weaker than expected.
Good one, LavaBit. Stay Classy!
Valid submission - font size and spacing
Many courts have rules about the font, the size and the spacing for it to be a valid document.
A request for sanctions for the lawyer should have ‘solved’ the font issue.
So….apparently no one makes scanners and OCR software anymore?
Re: Re:
I guess you don’t read through the comments then?
Re: Re: Re:
Nope. When someone wants to pay me to read through 65 prior comments, I’ll consider it. Until then, piss off.
So… with all the massive millions and billions of dollars, they could figure out how to scan a page, put it through OCR and then proof read it.
I mean, even the Harry Potter scan-a-thon was able to reproduce an electronic copy for 795 pages within 24 hours with relatively small errors.
Now you lazy ass really done it. Instead of putting on a little bit of elbow grease, you get nothing for being lazy.
Life Lessons. 😛
Re: Re:
4pt characters and random data are effectively impossible to transcribe accurately, or read via an OCR. Note there is nothing within the text to help spot mistakes, as it is a random stream of characters. Also being 4pt, the characters will be subject to blurs and breaks causing misreads. Unlike real text, there is no surrounding context to resolve such issues.
That print out qualifies for a 10 out of 10 for for complying without giving them what they wanted.
Re: Re: Re:
Hmm, doesn’t PGP have some kind of checksums on each line? We’re talking some kind of Base64-based format, right? If it’s hexadecimal and in only one font, then there’s only 16 ‘shapes’ for the OCR to know. I wouldn’t need better OCR, I’d need better noise filtering to remove gray levels, if I was the one scanning it.
Sounds reasonable
“Yikes. So, even if you set up a secure communication system, this judge says that you have to let the feds wiretap it.”
That sounds reasonable to me. The government does need the right to wire tap potential criminals and threats to the US. What’s not reasonable is them doing so without a warrant. That’s where the checks and balances are. That’s what’s wrong with what the NSA is doing.
If law enforcement can show probably cause, they should be allowed to wiretap a “target”.
What’s scary about this case is that the Judge just let them wiretap 400k people for which they don’t have warrants for.
As a bonus, I would hope that there are two or three characters in each key that are ‘misprinted’ ^_~
The proper response...
to the court’s claiming that it was the right of the government to acquire the information regardless of whether the system had been setup to make it difficult would be to then point out that it is also the PUBLIC’S right to acquire the information about the decisions made in it’s courts and therefore the court’s own argument precludes them from issuing a gag order on the matter.
Why are we even honoring the premise, let alone the argument
We embolden the liberties taken against the Constitutional protection accorded our privacy through years of sacrifice by even discussing the “merits” of such requests. The request had no merit and the judge should be ashamed of a ruling that makes such inroads into personal privacy. These are not his/her opinions that should be written up but the law and how the request is either valid or not valid. Comparing the request submitted to a phone company ROI as opposed to the scattershot request for all traffic traversing a wire is ridiculous and shows how incapably the judges have been prepared to listen to these cases. Uninformed jurists are notoriously easy to sway especially by the doom and gloom the prosecutors cast before them.
A pity that our liberties are being taken away piecemeal by judges and prosecutors paid for with our own taxes. Who stands for our liberty if the folks we pay taxes to are all on the other side of this constitutional debate ??
Judge is absolutely wrong and exceeded his/her mandate
One need only look at New Mexico Mark’s arguments and understand how the records in this instance span political and jurisdictional boundaries to understand the danger this ruling puts all future US dealings(individual or otherwise) to foreign government seizure. Lavabits probably saved them from having to find out what it would feel like for China making a parallel “finding” in the case of some company under its territorial jurisdiction(Hong Kong) to hand over ssl keys because of 1 suspicious money transfer and being able to henceforth read all communications say from dissidents or activists. There are things I understand them needing access to and then there is the other stuff that I just don’t think they think through regarding precedent, both in the US and internationally.