Clash of the titans
Google, Microsoft, Yahoo! and Facebook are still fighting for permission to warn people who are under online surveillance, after their campaign for transparency was derailed by the US Department of Justice. The web giants had asked the DoJ to lift restrictions on alerting users when they are being snooped on by intelligence …
Lavabit was required to hand over the keys while they went after 1 account, Snowden's, and required to have a box on their network. The Judge was told the box would only record Snowden's account and everyone else's would be discarded, which might well be true... of the box.
i.e. Lavabit's transparency report would say "1 request about 1 account".
But the NSA has the backbone tapped, and it keeps all encrypted traffic for when it can get the keys. The NSA also is the technical center for this tapping. So it *would* get the keys.
So in reality, by giving them the keys, you gave them every past and present Lavabit user's account. The box isn't needed because the backbone tap provides the data and they have all the encrypted emails on file.
So suppose the Fed did agree to release the warrants, there would be large blacked out bits to hide the key requests (Lavabit could hardly have been the first, they have the boxes already, so there must be a system of grabbing the keys for these boxes and many boxes on many US networks).
So the release would shed more light on this practice, which is enlightening for the judges I think, because I suspect they've been duped as to the 'narrow' nature of these taps. As well as enlightening Congress and Senate.
I wonder what the NSA would have done had Lavabit provided Snowden's key in clear (digitally I mean - not the paper trick :) ) and included all the others but redacted them?
What's good for the goose etc.
NSA, you are a bunch of <redacted> <redacted>.
or perhaps that would read better as..
NSA, <redacted> <redacted> <redacted> <redacted> <redacted> fucking cunts.
If the NSA created "corporate profiles" for each of these companies and treated those the way that these companies treat user profiles.
"We've changed our corporate profile privacy settings. You can change these settings, but different privacy aspects are controlled by three different spots on our website. In the meantime, we've changed your profile settings to our default levels--full government access." :)
(More seriously though, I hope these companies can make some headway.)
I got my email today that the StartMail beta is about to launch. Should be interesting, the email says:
"The revelations this summer of NSA spying through the PRISM program prompted us to add even more features to our already rock-solid privacy."
Features of StartMail are supposed to be:
- fully-encrypted user vault,
- protection of perfect forward secrecy and transport layer security,
- state-of-the-art SSL encryption,
- email provider based in the Netherlands, outside of US jurisdiction
To each point, I challenge:
- Who keeps the keys to the user vault? You and you alone? Remember, a master key was what nailed Lavabit.
- Neither forward secrecy nor TLS can do much against cryptanalysis: attacks on the PROTOCOLS using side-channel techniques. That's what led to BEAST and all the other secure-channel attacks.
- Again, the spooks are targeting the protocols, not the keys. IOW, they're not trying to get a key to copy; they're trying to secretly cut a way through the wall.
- May not be good enough. As noted, the NSA can already possess international shared-secret agreements with other nations. That can include the EU at large, of which the Netherlands is a member. Either that or the NSA can compromise those countries even against their wishes. I'm inclined to think the ONLY countries the NSA can't tap in some way are countries that are in turn beholden to ANOTHER, anti-Western state spook authority like the Russians or the Chinese.
To each point, I challenge:
- They have their core DNS records in the US (GoDaddy registration, DNS geo-locates to Manchester, US). In other words, if anyone wants to grab that traffic they're already set up for a MITM attack.
- The company appears to be in the Netherlands, which is not exactly the most benevolent country when it comes to wiretapping. I found their national security services to be rather aggressive - no idea how they behave in relation to following the law, though (haven't had time to dig deeper).
- Storage encryption is actually a problem rather than a solution. If a company supplies the means to encrypt, it can be legally forced to undo that (which makes it pointless), or be told to close shop (which then hurts every client they have) - it's only if the CLIENTS encrypt (like you'd do before you go near any cloud service) that you're home free as a provider. An alternative route to that is to use software which the clients can get from anywhere, like Open Source derived code, so being forced to supply a version with a backdoor would be pointless. The UK Regulation of Investigatory Powers Act is in that respect actually clearest, but I would suspect the Netherlands has an equivalent as it is derived from EU provided models.
In this last context, trying to bypass local laws or telling people they don't apply (which is really what Lavabit and Silent Circle were doing - it's not like US intercept laws have only sprung up in the last few years) means that you're quite simply lying to your clients. Call me picky, but I don't consider that the best starting point for selling protection.
The only way that gets changed is if the law FISA operates under gets changed, as (IIRC) it was changed a lot by various clauses in the PATRIOT Act.
Americans. How does this equate to the principles of democracy you are familiar with?
Ironically, that seems to be the exact attitude. In the US, they have indeed managed to frame the debate so that every time you question these laws you're automatically ranked as a bad guy. They really, really have come off the rails there.
Why do you assume we Americans are familiar with the principles of democracy?
We've not practiced it since the days of the smoke-filled back rooms and the truck (lorry) loads of cash passing through the back doors. America has long lived by the golden rule*.
If you think it is fun now, just wait until that big-eared, dark-complected person who currently resides in the White House is replaced by a more extreme, fascist-leaning chap with Tea Party affiliations. Several candidates come to mind. Ted Cruz is one. (A pity that he'll never be able to travel abroad; he still believes the 'round earth' theory is so much scientific deception. Those 'photos from space' were filmed in a secret warehouse in the Nevada desert.)
NSA/CIA violations of the Constitution and their Congressional mandate are really nothing new. J. Edgar and his FBI set the standard many years ago; we're just seeing the extension of that practice. To oppose the NSA/CIA intelligence gathering mission is to weaken America's national security. So reads the Gospel of St. Vigilant.
Trust US. We're the good guys.
(* He who has the gold, rules.)
"they have only just realised they have been using black highlighters on documents for years…"
Every Parent can sympathize ... but apparently the NSA and the CIA did not even know they had a two year old in the House (let alone 435 of them), a hundred more in the Senate and one in the White House.
You didn't see Mary Poppins letting the little monsters play with black highlighters, did you ? A spoonful of sugar makes the Laudanum go down, sing it with me ....
Wow. May you live in interesting times.... The privacy issue is definitely becoming overshadowed by the only thing America truly cares about... the bottom line. The whistle-blowing privacy war has morphed into a hotbed credibility war, with the creditability of US corps now open to question. So Google, Facebook, Yahoo, MS et al are worried that their tech empires are threatened. There'll be some heated conversations going on behind closed doors I imagine.... After all politicians set policy and policy sets NSA behaviour. But Lobby groups set policy too by buying their own politicians. This could lead to a bloodbath...
Biting the hand that feeds IT © 1998–2019