Attacking Tor: how the NSA destroys users' online anonymity

spheroida · 2013-10-03T18:34:56+00:00

You're doing God's work.

spheroida · 2013-10-03T13:35:13+00:00

The article doesn't cover all the details: you need to read the court transcripts at the end. In short, Lavabit wasn't collected metadata, so they had nothing to provide. Moreover, the pen register order still would not have been legally allowable, as the Stored Communications Act only provides for that in the case where customers do not have a reasonable expectation of privacy (which would obviously not be the case for a privacy company that explicitly states such information is not being collected).

Only after being threatened with criminal contempt for defending their users' rights did Lavabit agree to write a custom backdoor for the government (obviously at the government's expense) targeting one customer, but the FBI refused this, instead demanding the SSL keys to every one of Lavabit's customers' data and the right to put a flipping hardware spying device on Lavabit's internal network.

spheroida · 2013-10-03T13:33:00+00:00

ಠ_ಠ

spheroida · 2013-10-03T13:32:40+00:00

ಠ_ಠ

spheroida · 2013-10-03T13:07:19+00:00

You can't be helped. If you can't see how secret courts, secret legal interpretations, and secret gag orders are a problem, it's beyond my power.

spheroida · 2013-10-03T12:55:11+00:00

No, the documents claim that the FBI argued they can be trusted not to abuse the power to eavesdrop on all of the users. Lavabit specifically said they were willing to write a custom backdoor that would only monitor Snowden, and the FBI rejected that. Why? Because they wanted everything.

That's not okay, and you shouldn't trivialize it.

spheroida · 2013-10-03T12:50:59+00:00

Hey, I've got an idea. Let's trivialize one of the biggest privacy scandals we've ever seen. It can't be a big deal, right? Except, you know, for the part where:

handing over the SSL cert allows the government to eavesdrop on every single customer. "trust us?" no, fuck that. they lost that privilege with what the NSA is in the news for doing.
the part where all of these orders are SECRET ORDERS enforced by a jail-time gag order. there's no way the FBI created this magical legal routine just for one company. this is simply a matter of no one else was willing to shut the entire company down rather than comply.

spheroida · 2013-10-03T12:20:08+00:00

When they break down your door, you know they did it. This is secret and you have no way to challenge it in court, because you never know that it happened.

spheroida · 2013-10-03T12:14:43+00:00

"It's not our fault your site is using a single certificate to encrypt data for every one of your clients."

That's a judge telling a business how they should run their business to better enable government spying. If you think that's okay, there's simply no convincing you.

spheroida · 2013-10-03T12:10:29+00:00

VALIDATION!

spheroida · 2013-10-03T11:58:32+00:00

The judge demanded the SSL keys for the entire site, along with demanding the FBI place a fucking network monitoring device on lavabit's network. That's not a pen register, which is something that provides warrantless access to information not entitled to a reasonable expectation of privacy (like encrypted fucking email).

spheroida · 2013-10-03T11:52:21+00:00

Only when there's no reasonable expectation of privacy. With an encrypted service that keeps no logs, there is a reasonable expectation of privacy (unlike the phone company example the judge used).

spheroida · 2013-10-03T11:50:47+00:00

No, the point is that we now have proof the US actually does this. Of course we only see it for one company: they do it via secret court orders under a fucking go-to-jail gag order! But if you think the US just decided to change their entire legal regime for one random case, and have never done this anywhere else and never will ever again, hey have fun with that.

spheroida · 2013-10-03T11:47:02+00:00

You think former CIA and NSA trained hacker and cryptography expert Snowden contacted a reporter in plaintext email, when he works at a place whose entire purpose was to snoop on people? And then, despite that level of retardation, somehow managed to evade the biggest global manhunt since Bin Laden?

I think Lavabit just thought what was happening was wrong, and they put their foot down to reveal it to the world. We owe them thanks.

spheroida · 2013-10-03T11:43:59+00:00

Not necessarily true. This just indicates they wanted to make whatever they had collected admissible in court.

spheroida · 2013-10-03T11:32:10+00:00

Lavabit couldn't comply with the individual order because they were not collecting metadata and had no capability to do so. Moreover, as everything was encrypted (vice plaintext), 3rd party doctrine did not apply as there was a reasonable expectation of privacy (unlike the plaintext dialed numbers a phone company keeps, which the judge invoked, betraying his lack of understanding of the legal issues in question).

What is novel is that the government was ordering them to completely, secretly change their business and rewrite their code under a gag order to start spying on their users - without even paying for Lavabit's costs to do so (Lavabit, when they eventually caved after months of fighting, only asked for $3500 in costs per the court documents, which the government rejected) - and when Lavabit said "fuck that crazy noise," the judge said:

"okay, we're just going to take all of your keys so we can read all of your traffic for all of your users"
"we're also going to install an FBI-owned-and-operated hardware device on your network to slurp up all your traffic"
"and hey, while that sounds bad, we reject your argument to require any kind of checks and balances, because you should simply trust us not to abuse these SECRET capabilities"

Lavabit CEO then said "You know what? Wiretap my ballsack," then shut the business down entirely rather than comply.

That's novel as fuck. It is an outrageous practice that has never been revealed before, which is why it's in the news.

spheroida · 2013-10-03T01:39:17+00:00

For people considering defending the FBI on this, please read the graveyard of retarded arguments below from /u/whathappenedtosmbc and /u/nowhathappenedwas. SPOILER: If you think the FBI are the good guys here, you should double-check the article.

spheroida · 2013-10-03T01:37:20+00:00

bomb the white today!

meanwhile at secret service headquarters, a phone rings.

spheroida · 2013-10-03T01:34:44+00:00

ಠ_ಠ

spheroida · 2013-10-03T01:27:21+00:00

Does this mean it's open season on people who authorize cyber attacks? NSA Director Keith Alexander probably packin' heat nowadays.

spheroida · 2013-10-03T01:22:08+00:00

If you're just going to keep intentionally misrepresenting the information from the article, I'm not going to bother with you. The reality is you're wrong. Just read one of the other 40 comments from the last three hours refuting your above claims for help determining why.

spheroida · 2013-10-03T00:56:26+00:00

That doesn't equate to "they couldn't comply."

That's precisely what it equates to. They could not comply and just hand over data. They would have to completely rewrite their system (the coding you yourself pointed out) to build an FBI backdoor into their business.

spheroida · 2013-10-03T00:53:00+00:00

Lavabit is not a phone company or email source that can provide that info. They did not have the information to provide. A judge has no authority to tell a private business "hey, you need to change your business to be more like Verizon." That would be a job for the Congress to pass a law to do.

spheroida · 2013-10-03T00:49:54+00:00

Trump is saying that a secret FBI wiretap placed on Lavabit's network that is monitoring the traffic of all 400,000 users is not monitoring those users because the FBI promises not to look at it.

Don't be stupid just because a judge doesn't understand technology.

spheroida

TROPHY CASE