Forgot your password?
typodupeerror
Communications Encryption Government Privacy The Courts United States

Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys 527

Posted by timothy
from the c'mon-fellas-it's-for-the-greater-good dept.
jest3r writes "Lavabit won a victory in court and were able to get the secret court order [which led to the site's closure] unsealed. The ACLU's Chris Soghoian called it the nuclear option: The court order revealed the FBI demanded Lavabit turn over their root SSL certificate, something that would allow them to monitor the traffic of every user of the service. Lavabit offered an alternative method to tap into the single user in question but the FBI wasn't interested. Lavabit could either comply or shut down. As such, no U.S. company that relies on SSL encryption can be trusted with sensitive data. Everything from Google to Facebook to Skype to your bank account is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key or face shutdown, they can do it to anyone."
This discussion has been archived. No new comments can be posted.

Lavabit Case Unsealed: FBI Demands Companies Secretly Turn Over Crypto Keys

Comments Filter:
  • by Anonymous Coward on Thursday October 03, 2013 @08:36AM (#45024167)

    Go ahead, mod me troll. But given the recent revelations, how can we claim to be any better than even the fucking UN at this point? I've made a complete u-turn on this issue, and it scares the crap out of me that I would have continued to defend the US as the savior and guardian of the open and free internet if it wasn't for a single guy leaking some stuff. And we can't even push something as simple as net-neutrality regulations through without it becoming a horrible political mess.

    Fuck this government and its institutions and fuck the people that support it.

  • by Supp0rtLinux (594509) <Supp0rtLinux@yahoo.com> on Thursday October 03, 2013 @08:39AM (#45024205)
    I thought these and similar laws (wiretap, etc) were only allowed to act upon the entities being investigated and for which the warranty was issued. And it sounds like Lavabit tried to keep the scope narrowed to the one person being investigated, but the FBI wanted more. Isn't this over reaching the scope of the warrant and therefore any case developed would be tossed out? IANAL, but I thought the scope limitations were there for a reason. That idea TPB had to buy an island is sounding more and more convincing these days...
  • Groklaw/PJ (Score:2, Interesting)

    by Anonymous Coward on Thursday October 03, 2013 @08:42AM (#45024235)

    Was this the thing PJ said she couldn't reveal but would cause anyone to distrust email?

  • Re:Why? (Score:2, Interesting)

    by cold fjord (826450) on Thursday October 03, 2013 @08:43AM (#45024259)

    If you read the article, they demanded the SSL key since Lavabit did not comply with the earlier order. All the Feds originally wanted was metadata for one user. Lavabit could have provided that, but refused. The prosecutors asked they be held in contempt of court, and then asked for the SSL keys. This is on Lavabit.

    Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show [wired.com]

    “The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.

    U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.

    By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

    A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”

  • Re:Why? (Score:5, Interesting)

    by Anonymous Coward on Thursday October 03, 2013 @08:43AM (#45024261)

    Actually, they did not have access to the site (that would have been overly broad and unconstitutional), but lavabit was forced by the court to install a packet dumper. So FBI had the full encrypted streams of all user sessions. FBI then requested the SSL key that would unlock all stored streams. The court reasoned that because the site uses a single SSL key for all users, that's lavabit's fault and agreed that the request is not overly broad.

    Luckily there's a simple technical fix for this: perfect forward secrecy in HTTPS, using RSA DiffieHellman or ECDH key exchange. The encryption key is ephemeral and the SSL private key cannot be used to perform a passive attack on the sniffed. FBI/NSA is forced to perform a MIM on the very sessions they target; if done on the scale of the whole internet, this would be easily detected.

    All HTTPS servers should ship with this cypher suite as the default.

  • by FriendlyLurker (50431) on Thursday October 03, 2013 @08:44AM (#45024271)
    Let's be clear, the single account was Edward Snowden's - and Lavabit's resistance was not futile, the so called nuclear option has backfired on the fed in terms of public sentiment.
  • update (Score:5, Interesting)

    by Anonymous Coward on Thursday October 03, 2013 @08:48AM (#45024319)

    UPDATE 7:00pm CT: In a press release published on his Facebook page, Levison confirmed the unsealing and laid out his defense.

    “People using my service trusted me to safeguard their online identities and protect their information. I simply could not betray that trust," he said. "If the Obama administration feels compelled to continue violating the privacy rights of the masses just so they can conduct surveillance on the few then he should at least ask Congress for laws providing that authority instead of using the courts to force businesses into secretly becoming complicit in crimes against the American people. http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/

  • Re:https (Score:5, Interesting)

    by Anonymous Coward on Thursday October 03, 2013 @08:51AM (#45024341)

    Your favorite site also bans random TOR exit nodes from browsing it. I can understand banning posting to prevent spam and such, but browsing ? That's just moronic. It also craps when the IP of the user changes during editing/posting.

    Slashdot, please get on with the times, you are probably the legal site most visited by TOR users. You need to add HTTPS and improve TOR support.

  • Re:Why? (Score:5, Interesting)

    by bluefoxlucid (723572) on Thursday October 03, 2013 @08:52AM (#45024357) Journal

    The best part is they said here that they wanted the "Root Certificate", which would allow them to sign new keys. Caveat: that's just a trust model, allowing them to replace LavaBit's SSL key. What they wanted was LavaBit's site SSL private key.

    Let's say that the NSA got the Verisign Root Certificate and started using it to sign Verisign CSRs. A CSR includes the public key (certificate), but not the private key. The public key is already known. The NSA gains ... nothing.

    Now if they get the Google Gmail SSL private key, they can decrypt the SSL session handshake and key exchange. The key exchange exchanges a symmetric encryption key for AES or RC4 (yes RC4 is secure; yes I know it's used in WEP, which uses a new NONCE for every packet, and in their implementation they generate insecure NONCE/IV pairs and you can collect millions of these and crack it. Not applicable here). With Gmail's SSL private key, the NSA can decrypt the symmetric session key exchange and use that key to decrypt your session and read your e-mail.

    That's the difference.

  • by kaalon (2861517) on Thursday October 03, 2013 @08:57AM (#45024421)
    Can we assume that all the major Certificate Authorities have been "compromised" by the FBI / NSA as well.
  • by towermac (752159) on Thursday October 03, 2013 @09:14AM (#45024595)

    I got no mod points, but this is absolutely the takeaway.

    The US depends on it's software industry; we shipped all our labor jobs overseas to trade them for office work (programming). That, and Hollywood, is why we're so mean to other countries over IP.

    And now the US government has completely undermined them. It's probably a good time to be a programmer in Brazil and Germany. I wonder If our software industry will be able to recover from this.

  • Re:Why? (Score:5, Interesting)

    by squiggleslash (241428) on Thursday October 03, 2013 @09:16AM (#45024621) Homepage Journal

    Well, I read the court documents and it appears the sequence of events went something like:

    1. FBI asked for real time details of (Snowden? Everyone thinks Snowden, the request was one day after it was revealed he has an account with Lavabit) an account, specifically metadata relating to email exchanges.

    2. Lavabit didn't respond.

    3. FBI got pissed, involved courts

    4. Lavabit made an offer to provide the information on a monthly basis, rather than a realtime basis, and asked for payment of $3,500 ($2,000 for labor and I can't remember what the other $1,500 was.)

    5. FBI threw a fit, announced that instead they were now asking for a box to be installed to intercept communications. The box would be programmed to only transmit the required information about person-we-think-is-Snowden, but because of the way it's designed would require Lavabit's SSL keys.

    5. Lavabit: Nu-uh.

    6. Courts: Uh yeah, we're siding with the FBI on this one.

    7. "But I don't trust the government to only intercept $PROBABLY_SNOWDEN's records. Also I want to talk about this case, first amendment and whatnot."

    8. Courts: "Well the government doesn't trust you, has good reason not to trust you based on your history of non-cooperation, and I don't care whether you trust it, established precedent says you have to cooperate. Also I'm not going to let you tell anyone about anything so there."

    At this point the courts started threatening fines. Lavabit gave up its key but in a way designed to piss off the FBI, which, of course, pissed off the court too. Court started imposing fines. Lavabit shut itself down.

    My reading:

    1. Lavabit wasn't as principled as claimed by Glenn Greenwald et al. They did actually plan (or told the courts and the FBI they would anyway) to release the records relating to $PROBABLY_SNOWDEN to the FBI. At best you can argue they were lying, but how's that showing integrity?

    2. Lavabit made a number of elementary legal mistakes from the beginning, even avoiding using a lawyer in the first hearing. These mistakes made it easy for the FBI to argue that they couldn't trust Lavabit to do what Lavabit was offering to do. Lavabit should have contacted the FBI immediately, made it clear their concerns, and not made a clearly bad-faith offer to provide something useless to the FBI - I don't mean they should have offered something useful, they should have said instead "Look, this is a major problem for us, we have to investigate further and determine something that can satisfy the law and your requirements that does not damage the integrity of our system", and had a lawyer work with the courts on this.
    3. Notwithstanding the above, the court's refusal to allow Lavabit to talk to politicians et al about the basic principles in the case seems absurd and completely unconstitutional. Given the circumstances, I have to assume that Snowden was the target - if $RANDOM_DRUGDEALER was the target, Lavabit going to a politician and saying "We've been told to hand over records of one of our 50,000 users" wouldn't tip anyone off.

    This is a total fuck-up. The EFF and ACLU can get involved now, but so many mistakes were made early on it's going to be an uphill fight for everything except the free speech issue. In particular, if you're expecting this to end up with a judgement that it was wrong to demand access to Lavabit's data, you're going to be sorely disappointed.

  • Re:Contribute (Score:4, Interesting)

    by Ragica (552891) on Thursday October 03, 2013 @09:36AM (#45024871) Homepage

    It's interesting that Americans have a choice to contribute a few bucks to this defense... while having apparently no choice about the amount they are paying for the prosecution.

  • Re:Why? (Score:4, Interesting)

    by whoever57 (658626) on Thursday October 03, 2013 @09:39AM (#45024919) Journal

    By July 9, Lavabit still hadnâ(TM)t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt âoefor its disobedience and resistance to these lawful orders.â

    In my humble and non-judgely opinion, the fact that Lavabit would have had to defeat its own security means that the original decision that allowed collection of metadata without a warrant supported by facts (Smith v. Maryland) should not apply to this case and the government should have had to articulate facts that led to reasonable suspicion in order to obtain a warrant to get metadata from Lavabit.

  • by NewWorldDan (899800) <dan@gen-tracker.com> on Thursday October 03, 2013 @10:13AM (#45025339) Homepage Journal

    And if you get one of these national security letters or other absurd warrant from the feds, publish it. The right of the press to publish otherwise classified material was affirmed in the 1971 case New York Times Co. v. United States, although that was a pretty weak ruling. But unless you've agreed to keep something secret, you're theoretically free to do with it as you like. Also, I'm not a lawyer and you shouldn't take your legal advice from the internet.

  • by SteveFoerster (136027) <steve@noSPaM.stevefoerster.com> on Thursday October 03, 2013 @12:52PM (#45027265) Homepage

    Yes, the U.S. has the equivalent to parliamentary privilege, and it's been used in living memory rather famously. During the Vietnam War era, Mike Gravel, a Senator from Alaska, included the Pentagon Papers [wikipedia.org] into the Congressional Record, meaning they were then publicly available. He was protected by Article I, Section 6 of the Constitution, which among other things says about members of Congress that "for any Speech or Debate in either House, they shall not be questioned in any other Place." ("Speech" includes inclusions into the Congressional Record.)

Life would be so much easier if we could just look at the source code. -- Dave Olson

Working...