Unsealed Lavabit docs show that Feds demanded SSL keys


#1

[Permalink]


#2

LOL, 11 pages of tiny printed keys. Ballsy!


#3

"11 pages of 4 point type...the court didnt' go for that" ...do you even Photoshop, Bro??


#4

"To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data"

Surely it would be trivial to OCR that?


#5

I dunno how good OCR is but when ONE character wrong makes the whole thing not work. Yea Still, ballsy move. Kindof like that one site way back when getting told to remove links and instead left the text up and just de-linkafied (meaning people could just copy the addresses in.)

The grand tradition continues.


#6

I would maybe have "accidentally" transcribed one wrong character before sending the print off out. Blame the key entry/OCR.


#7

Getting someone to spend the time carefully keying it in surely would have cost less time and money than litigating the whole thing out.


#8

Well, anything goes because terrorism.


#9

I guess I don't really understand what the point of Lavabit was, or why users were supposed to trust them in the first place, if the users depended on them to keep some key a secret which could maliciously be used to decrypt all their data.


#10

Because it's better than the alternative I suppose.


#11

Because it was a third party that two people who want to communicate through the internet could agree to trust as an intermediary. There could never be a guarantee that Lavabit was trustworthy, but the site claimed up front that everything was encrypted so that intruders wouldn't be able to steal anything.

Compare to something such as sending email from a gmail account to a hotmail account. You have no promises that the email on either end is encrypted (and in fact those messages are completely unencrypted and are data mined as a matter of habit), and unless the connection between gmail and hotmail is encrypted, anyone sitting on the wire between the two sites could capture it as well.

End result: Lavabit was a "least bad" option for sending communication over the internet. For anything truly important it's still not secure enough, say for a cache of classified NSA documents. But for organizing an in-person meeting to discuss those documents it's a lot better than many other methods.


#12

He wouldn't need to transcribe, he'd just have to make sure they use the 'correct' Xerox scanner.


#13

Given the advertising for Lavabit centered around security, wasn't this a court order effectively compelling Levison to commit fraud?

I didn't think a court could compel you to break the law.


#14

I suspect the point of spending the time/money litigating to get it in electronic format was less about efficiency, and more about asserting dominance and setting a precedent.

I find it telling that responses to FOIA requests are routinely delivered in formats that are intentionally difficult to digitize, copy, or proliferate, and I've yet to hear about a judge who has a problem with that.


#15

He should have printed one character per page, but without page numbers.


#16

Weeellll - it would 'only' require breaking a civil contract and undermining the product of his own business. So it doesn't really count.


#17

But that would mean all these civil services would have to actually serve We the People.


#18

Wow, what a face.


#19

For its premium (paid) customers, there was an option to provide Lavabit with a public key from a private - public key pair; it would drop all incoming mail to your account through the public key and delete the original plain text, leaving only an encrypted blob. Since Lavabit never had the private key, and deleted logs, if they were compromised on the server, there would be nothing to analyse.


#20

when ssl keys are outlawed , only outlaws will have ssl keys ?