Lavabit Tried Giving The Feds Its SSL Key In 11 Pages Of 4-Point Type; Feds Complained That It Was Illegible

from the kudos-to-ladar dept

We already wrote about the basics of Lavabit's Ladar Levison standing up to the feds. However, the full filing has now been released and, on top of that, Kevin Poulsen has updated his story with more details, so it's worth digging in a bit. Lavabit was hit with an initial pen register, which it refused, leading to the order to hand over the SSL keys. The new details show that Lavabit explained to the judge that giving up Lavabit's SSL keys wouldn't just let the feds spy on Snowden, but on all of Lavabit's customers, and for obvious reasons, the company had a huge problem with that:
“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”
And it becomes clear that Levison then was actually willing to abide by the initial pen register, to basically figure out a way to just tap Snowden, but at this point the government was no longer willing to stop there. The government pushed for getting the SSL key, basically promising not to abuse it:
“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” [Prosecutor James] Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”

“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”

“All right,” said [Judge Claude] Hilton. “Well, I think that’s reasonable.”
The judge then made a ruling that should cast a massive chill over anyone setting up private communications services:
"[The government's] clearly entitled to the information that they're seeking and just because you-all have set up a system that makes that difficult, that doesn't in any way lessen the government's right to receive that information just as they could from any telephone company or any other e-mail source that could provide it easily."
Yikes. So, even if you set up a secure communication system, this judge says that you have to let the feds wiretap it.

Somewhat amusingly, Lavabit tried to comply "by turning over the private SSL keys as an 11 page printout in 4-point type." The feds complained that "the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data." Poor, poor FBI. The judge has no problem putting a massive burden on Lavabit, but asking the FBI to actually do some data entry is too onerous? Yup. Apparently. The court then ordered Levison to provide a more useful electronic copy, which then resulted in the $5,000/day fine for failing to live up to that, and then the closure of the site.


Reader Comments

  1.  
    Rabbit80 (profile), Oct 3rd, 2013 @ 1:49am

    11 pages of 4pt text is significantly more than 2560 characters.. A typical page would be around 36000 characters.

     

  2.  
    Anonymous Coward, Oct 3rd, 2013 @ 2:27am

    Here's your problem

    Governments don't have rights, people do.

     

  3.  
    That One Guy (profile), Oct 3rd, 2013 @ 2:29am

    Talk about deja vu...

    “We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” [Prosecutor James] Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”

    “So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that(1), no one stores it(2), no one has access to it(3).”


    'No see, just because we could go over all the data, looking for interesting bits of information on people who had nothing to do with our investigation, of course we'd never do something like that, as we've only got authorization to monitor one account, and doing otherwise would be wrong.'

    Hmm, now where have I heard that kind of argument before?

    (1) Until we get around to it.
    (2) Honest, we pinky-swear we'd never store data after saying we wouldn't.
    (3) Well, except anyone with access to a computer and enough clearance, or any other agency that would love to get their hands on the data stream as well...

     

  4.  
    Anonymous Coward, Oct 3rd, 2013 @ 2:35am

    Re:

    >Somewhat amusingly, Lavabit tried to comply "by turning over the private SSL keys as an 11 page printout in 4-point type."
    >SSL keys
    >keys
    >s

    More than one bub.

     

  5.  
    Anonymous Coward, Oct 3rd, 2013 @ 2:49am

    Here is an alternative:

    Quote:
    RetroShare is free software for encrypted, filesharing, serverless email, instant messaging, chatrooms, and BBS, based on a friend-to-friend network built on GPG (GNU Privacy Guard). It is not strictly a darknet since optionally, peers may communicate certificates and IP addresses from and to their friends.

    Retroshare

    Maybe someone should contact Groklaw and ask them to do a search for SERVERLESS mail clients, which will allow them to restart Groklaw with more privacy guarantees.

    Reddit also is on top of it, following all the developments.
    http://www.reddit.com/r/retroshare/

    Other options:

    ePOST SERVERLESS EMAIL SYSTEM

    GNUNet

    Bittorrent Chat

    FlowingMail

    Lavabit founder could contact one of those projects or all of them to see how he could build an email service on top of those anonymous secure platforms in a business like environment, using his servers to just speed up the process instead of handling the encryption and delivery and performing non critical services for clients wink, wink :)

    Remember the Napster!

     

  6.  
    Anonymous Coward, Oct 3rd, 2013 @ 2:54am

    Re: Talk about deja vu...

    The very first question you should ask is how do they know that the system is working correctly if nobody verifies the data.

    It is obvious that someone looks at the data to at the very least make sure it is collecting the right stuff, that person is the next Snowden portal.

     

  7.  
    Capt ICE Enforcer, Oct 3rd, 2013 @ 3:27am

    Government

    God I miss the days when I could say the US government was made by the people, for the people. How I hang my head low.

     

  8.  
    Rikuo (profile), Oct 3rd, 2013 @ 3:28am

    Re:

    Didn't Groklaw shut down?

     

  9.  
    Kaemaril (profile), Oct 3rd, 2013 @ 3:36am

    Re: Re:

    It's still up (for now, at least ...) but no longer appears to be updating.

    Which is a damn shame, as I found it one of the most useful and informative sites on the entire worldwide web.

     

  10.  
    Ninja (profile), Oct 3rd, 2013 @ 3:48am

    Plain epic win for this guy. There's a certain Nobel prize deep buried in rotten shit that could be awarded to Mr Ladar. Maybe peace has nothing to do with what he did but then again the holder is doing stuff that are the polar opposite of peace so why bother with specifics?

     

  11.  
    Anonymous Coward, Oct 3rd, 2013 @ 3:49am

    Re: Government

    No, it was made by the nobility, for the nobility. Always has been, always will be, lamentable as it is.

     

  12.  
    lfroen (profile), Oct 3rd, 2013 @ 3:57am

    Judge is right

    Basically, what the judge said is correct: "just because you-all have set up a system ..., that doesn't in any way lessen the government's right to receive that information".

    In other words, US have laws which explicitly allow wiretapping. Nothing extraordinary about it. Remember, this government official gave sword testimony, and judge have no reason to think he's lying. If this official says "we're not looking", what do you think judge will do, say: "nah, don't believe you"?

    That's not how (any) functional government works.

     

  13.  
    beech, Oct 3rd, 2013 @ 4:10am

    Excuse my ignorance, but why would encryption "master keys" even exist? Why even have something the government ask for? "You want to tap our servers? Go for it, everything on there is heavily encrypted. You want the key? Sorry, never had one/it was destroyed as soon as we were done with it"

     

  14.  
    Anonymous Coward, Oct 3rd, 2013 @ 4:18am

    Re: Here's your problem

    Governments grant rights. Shut up and do what they say or you lose the rights you use to complain!

     

  15.  
    Spaceman Spiff (profile), Oct 3rd, 2013 @ 4:32am

    Where is a scanner w/ OCR when you need one?

    I guess the NSA only had a Xerox WorkCenter scanner/printer, set to the default (faulty) resolution... :-)

     

  16.  
    Anonymous Coward, Oct 3rd, 2013 @ 4:42am

    Re: Judge is right

    Wrong, judges have an obligation to be distrustful of any statements issued in his court, the law deals with facts not statements, if the government can't prove what they say it is a fact then there is no reason to believe it now is there?

     

  17.  
    Anonymous Coward, Oct 3rd, 2013 @ 4:49am

    Re: Re: Re:

    From what I heard the originator trying to get out from under of the site but unwilling for anyone else to take it over.

     

  18.  
    Anonymous Coward, Oct 3rd, 2013 @ 4:51am

    Re: Judge is right

    You know whom else gives sworn testimonies?
    Liars, people who lie to congress also give sworn testimonies, isn't that glorious.

    Is unfortunate that we need to have an entire bureaucracy which its whole purpose is to lie and deceive to conceal its working, but there it is paid and bought with public funds, now you are saying that we should trust professional liars?

     

  19.  
    Anonymous Coward, Oct 3rd, 2013 @ 4:56am

    Re:

    The quick answer to your question is convenience. Keeping Email content private requires that people manage their own keys. This includes ob This requires effort to set up and use.

     

  20.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:00am

    Re: Re: Re: Re:

    Suicide bomber mentality?

    That would be sad, I miss Groklaw.

     

  21.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:04am

    Re: Re: Judge is right

    You mean "Sword" testimonies like the OP. I think you give the testimony under threat of your head being lopped off!

     

  22.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:05am

    Re:

    For something like gMail- mail comes in under one SSL key, is decoded, stored and goes out under a second SSL key. The SSL is to secure the data in the pipes not the server. Lavabit kept security on mail differently but still needed a way to decode the mail to make it useful.

    SSL keys are business records. Business records are not all that protected and can be requested without much more than a Subpoena and I'm not that clear if they need that much. Business records tend to get turned over by business without much of a fuss- Just like phone, bank, credit card transaction records...

    The really scary thing here is that the NSA seemed to expect them to be turned over. Does that mean other services (Google, Yahoo!, Verizon....) have been honoring these requests? The evidence indicates that the NSA may be storing data going into and out of sites so they don't need to bother with the companies beyond getting a key to read the mail later.

     

  23.  
    Rabbit80 (profile), Oct 3rd, 2013 @ 5:12am

    Re: Where is a scanner w/ OCR when you need one?

    OCR is not a perfect technology. Especially on 4pt text with mixed characters and no "dictionary" words it can check against. It would be just as quick to have the data typed in as it would be to manually check it after OCR.

     

  24.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:13am

    Re: Re:

    Oops
    'This includes ob'
    should be deleted

     

  25.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:13am

    Re: Judge is right

    Then the laws are anti-democratic and should be nuked from orbit.

    Moreover, the government has no rights - it has privileges.

     

  26.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:30am

    Take this to a higher level of abstraction the biggest growth industry in the US for the last 20 years has been information technology in the form of companies like Microsoft, Apple, Google, Yahoo, Face Book etc.

    All of the above companies are known to have provided all US government and many foreign government alphabet soup agencies with backdoors to any and all information.

    We have also heard that most of the major back bone teleco companies are also providing equal access.

    Translate the one and only major economic bright spot in the world economy has been and is governments' establishment in world wide spy networks on private citizens.

     

  27.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:32am

    give it to them

    i say give them what they want no one said you had to give it to them in order make it a fun 10000 character puzzle print one 72 pt letter per page and turn it in by dumping it on the desk of the @sshat whom requested it

     

  28.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:33am

    print each page on a print out of the laws they are breaking one big letter of requested data per page like they do when we ask

     

  29.  
    New Mexico Mark, Oct 3rd, 2013 @ 5:35am

    Counter argument?

    Your honor, sometimes you deem it necessary to seal certain records or transcripts. Assume for a moment that a law has been passed and under that law a large organization may have access to one any of those sealed records for another case.

    Because there is only one key to the vault where all records are stored, it is difficult to perform this without compromising everything and you have severe misgivings about this in the first place, but if push comes to shove, you are willing to work with them to make that happen.

    However, the argument is made that that is not good enough. You must provide access to every record, *including all future records*, and do it in such a way that it is completely unverifiable whether one record, a few records, or all records have been copied, stored, viewed, or shared with other organizations. Would you be satisfied with that ruling or with an unaccountable and unenforceable statement from one person that none of this will ever happen, despite all evidence to the contrary?

    1. Would you be willing to trust that organization to this degree?
    2. Would your order to "seal" a record have any real meaning at that point?
    3. Could the people that come into your court trust any promises of discretion that you made or would you be effectively lying to them?

    As a judge, we presume truth matters to you. Yet you are about to force a private company to not only compromise their entire business model, which is founded on trust, but then to lie about it to their customers through silence or denial.

    You must decide whether you will cynically and unquestioningly enforce laws that are moving us farther and farther from "the great experiment" in freedom and representative government that are the foundation of this nation, or whether you will push back against this precipitous descent toward a police state founded on lies and lack of government accountability. As part of the judicial branch of government, this is not only your privilege, it is your sworn duty.

     

  30.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:39am

    Re: Where is a scanner w/ OCR when you need one?

    I wonder if he used a nice textured paper, 4pt body height is about an 18th of an inch high or about 1.4 mm high.

     

  31.  
    Brazenly anonymous, Oct 3rd, 2013 @ 5:39am

    Re: Judge is right

    Actually, the judge isn't right. The statement itself is not in contradiction with the constitution (even the idea of the government having been granted rights, see the tenth amendment). The statement is incorrect only with regard to the scope it is being applied to, but in context, it is incorrect.

    The government can, through a warrant that specifically targets certain data, force you to hand over that data unencrypted. However, the keys themselves along with the entire data stream is no longer "particularly describing the place to be searched, and the ... things to be seized."

    Basically, the government can demand:
    Decryption of sessions carried out with certain target IPs within a certain date range and the seizure of email bearing certain addresses as headers from among that data. Just as they cannot demand a key to your house or the combination of your safe, they also cannot demand SSL keys. They are, however, free to demand that you unlock these things with a properly targeted warranty.

    The government will complain that it can't compile the necessary information and thus can't prosecute dangerous criminals. Oh well, the system has never been balanced under the idea of maximal enforcement. American ideals place the rights and protection of innocents above enforcing crimes, except those rights specifically reserved to government and enumerated in the constitution as allowed.

     

  32.  
    Brazenly anonymous, Oct 3rd, 2013 @ 5:42am

    typo correction

    They are, however, free to demand that you unlock these things with a properly targeted warranty.


    Should be:

    They are, however, free to demand that you unlock these things with a properly targeted warrant.

     

  33.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:44am

    Re:

    Translate the one and only major economic bright spot in the world economy has been and is governments' establishment in world wide spy networks on private citizens.

    That is not a bright spot, but a parasitic growth, the private citizen pays for all of this spying.
    Note any cost and taxes levied on companies get passed up the chain of customers until it arrives at the private citizen.

     

  34.  
    Brazenly anonymous, Oct 3rd, 2013 @ 5:49am

    Re: Re:

    Is the code to the bank vault also a business record?

    Keys, of any kind, are not records. Further, the word "papers" in the fourth amendment has always included mail and thus naturally extends to email, thus requiring warrants and not subpoenas in at least this instance.

     

  35.  
    The Real Michael, Oct 3rd, 2013 @ 5:56am

    “So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”

    Then why demand access for it in the first place?

     

  36.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:57am

    Re: Re:

    SSL keys are business records.

    Whose bright idea was it to make that classification?

     

  37.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:00am

    “All right,” said [Judge Claude] Hilton. “Well, I think that’s reasonable.”

    No it's not. When is it reasonable to say "I need access to item C and only C, so give me items A-Z."?

     

  38.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:01am

    Re: Re:

    heh - using more than one key?
    must be a trrrrrist

     

  39.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:01am

    Re: Re: Here's your problem

    Governments are people my friend

     

  40.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:04am

    Re: Re: Here's your problem

    I hope you're being sarcastic.

     

  41.  
    anonymouse (profile), Oct 3rd, 2013 @ 6:04am

    Re: Here's your problem

    amen. let that be heard again please. governments don't have rights, people do.

     

  42.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:06am

    Re: Re: Re: Judge is right

    Just what type of sword is used in taking testimony?
    Has this ever appeared on NCIS?

     

  43.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:07am

    Re: Judge is right

    That's exactly how the judiciary is supposed to view the executive branch. When the judiciary takes the executive branch at the word no questions asked there can be no meaningful checks on executive power.

     

  44.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:29am

    Re: Re: Re: Here's your problem

    Probably is being sarcastic, but at the same time it is inline with government double speak.

     

  45.  
    anonymouse (profile), Oct 3rd, 2013 @ 6:32am

    Re: Govt "right" vs. Govt propensity

    here's a quote from a Thomas Jefferson letter to John Adams:

    If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be. The functionaries of every government have propensities to command at will the liberty & property of their constituents. There is no safe deposit for these but with the people themselves; nor can they be safe with them without information. Where the press is free and every man able to read, all is safe.

    Because the government holds your items, whatever they may be, has always meant that those items are not safe nor secure.

     

  46.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:35am

    The narrative about Lavabit takes a bit of a hit in light of providing even 'obfuscated' copies of the key.

    OCR does exist and is quite feasible, so there's a period of a few days? where Lavabit was vulnerable, and not shuttered. This makes me wonder about a plausible deniability effort by Levison, only dealing with the issue when that became infeasible. And only closing when there were financial penalties?

    It's still admirable, but that fighting image takes a bit of a knock I think.

     

  47.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:37am

    Re:

    When nobody there gives a fuck that is when.

     

  48.  
    Anonymous Coward, Oct 3rd, 2013 @ 6:45am

    Re: Re: Re: Here's your problem

    He is paraphrasing Mitt Romney.

     

  49.  
    Anonymous Anonymous Coward, Oct 3rd, 2013 @ 6:55am

    Re: Talk about deja vu...

    Man, those pinky-swears are sooooo restrictive that I just KNOW that the participating parties would NEVER violate such a oath. Take our elected, appointed, and hired officials, and how seriously they take THEIR oaths of office.............................................................................................. .................................................................................................... ..................................................................oh wait...

     

  50.  
    Haudenosaun, Oct 3rd, 2013 @ 6:56am

    The peeps are looking for others involved. Hopefully Lavabit bought them sufficient time.

     

  51.  
    Anonymous Coward, Oct 3rd, 2013 @ 7:02am

    Decentralization is the only answer

    The vulnerability here is that there was a trusted third-party (Lavabit).

    It is much better when the only entities who can give access to the information are the sender and the recipient. The incentives align in this case: the only ones who can access the information are also the ones who are interested in protecting it.

    Increasing the use of encryption (HTTPS everywhere) is an important first step, but the goal should be to avoid depending on trusted third-parties in the first place.

     

  52.  
    Cerberus, Oct 3rd, 2013 @ 7:09am

    Re:

    But he *did* agree to let the NSA snoop on Snowden, says the article. That's still pretty bad, isn't it? Not as bad as letting them spy on all your users, but still.

     

  53.  
    Anonymous Coward, Oct 3rd, 2013 @ 7:10am

    Re: Re: Re: Re: Judge is right

    A Templar longsword probably.

     

  54.  
    Cerberus, Oct 3rd, 2013 @ 7:13am

    Re: Re:

    Wait, I (and the article) stand corrected. From Ars Technica:

    "The new 162-page set of documents shows that Lavabit was first served with a “pen register” and "trap and trace device" order, which would require the handover of one of its user’s login details. As Lavabit encrypts those details, that wouldn't have done much good for the government's case. Indeed, Levison told the court in a July 16 hearing that he had "always agreed to the installation of the pen register devices," as they would have yielded almost zero useful data."
    http://arstechnica.com/tech-policy/2013/10/lavabit-defied-order-for-snowdens-login-info-then-govt-asked-for-sites-ssl-key/

     

  55.  
    John Fenderson (profile), Oct 3rd, 2013 @ 7:22am

    Re: Judge is right

    In other words, US have laws which explicitly allow wiretapping


    As I understand it, there are laws that compel telephone companies to provide a means to easily wiretap telephone calls, but no equivalent law for email.

     

  56.  
    Rabbit80 (profile), Oct 3rd, 2013 @ 7:22am

    Re:

    "OCR does exist and is quite feasible..."

    Unless you know of some magical new OCR technology then OCR is NOT feasible for this type of job. For it to work with 4pt text the OCR software would be very inaccurate. Modern OCR software uses predictive technologies such as dictionary checking, grammar checking, near-neighbor analysis etc in order to get good results. It expects text within certain size constraints in certain fonts and of a certain quality. A SSL key printed at 4pt might get 30-40% accuracy at best. Then you would have to compare each and every character by hand - that means looking at two separate images to make sure the OCR is correct.

    Much quicker to have it blown up and have a typist copy it by hand. A good typist could get 98% or above accuracy at a fair speed - and they would not need to look at two separate images.

    Disclaimer: I work on the development of a document management system with OCR capabilities and have studied many OCR technologies as part of my work.

     

  57.  
    Anonymous Coward, Oct 3rd, 2013 @ 7:23am

    Re: Decentralization is the only answer

    Yup. Secure webmail is an oxymoron.

     

  58.  
    Rabbit80 (profile), Oct 3rd, 2013 @ 7:25am

    Re: Re:

    In fact, the quickest way to do this would be to have multiple typists copy the text and perform a test for differences across the produced text.

     

  59.  
    Anonymous Coward, Oct 3rd, 2013 @ 7:30am

    Re: Re: Re:

    Sure, I'll accept that, I don't use OCR at those scales much ;)

    My main point was about the narrative and period of vulnerability really.

     

  60.  
    Anonymous Coward, Oct 3rd, 2013 @ 7:49am

    HSM

    Just thought of another thing.

    Most people do not use a HSM (Hardware Security Module) with SSL/TLS. Without a HSM, you can be forced to provide the key, like happened with Lavabit.

    With a HSM, it is next to impossible. The key never leaves the HSM. And the HSM is designed to erase the key if any attempt is made to tamper with it; usually, the key is kept in RAM, and the HSM has a built-in battery. Cut the battery power, lower the temperature (to increase the RAM retention), drill into the case, all these are actions which a high-quality HSM will detect and erase the key.

    They would have to either change the key (detectable with the Certificate Patrol browser extension), plug the HSM into their interceptor (which would become a man-in-the-middle attack), or compromise the server. In any of these situations, they still could not decrypt older traffic, even without forward secrecy.

     

    reply to this | link to this | view in thread ]
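
The concern raised in the thread about stored traffic being read later once a key is obtained, and the forward secrecy remark in the HSM comment above, shown as a toy model. This is an added example, not part of any comment and not Lavabit's code; textbook RSA, a small Diffie-Hellman group and all names are constructed for illustration and are not real TLS.

```python
"""Toy model of the key-disclosure problem discussed in this thread.

Textbook RSA and a small Diffie-Hellman group stand in for the TLS key
exchange. All parameters are constructed for illustration; none of this is
real TLS and none of it is safe to deploy.
"""
import hashlib
import secrets

# Constructed long-term server RSA key (two Mersenne primes, far too small).
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # the key a court order could demand

# Constructed ephemeral Diffie-Hellman group (prime modulus 2**127 - 1).
DH_P, DH_G = 2**127 - 1, 3


def keystream_xor(secret: int, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with a SHA-256 counter keystream (toy cipher)."""
    seed = secret.to_bytes(32, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(seed + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def record_rsa_session(plaintext: bytes) -> dict:
    """RSA key transport: the client encrypts the session secret to the
    server's long-term public key. Returns what a passive tap would capture."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    return {
        "kex": "RSA",
        "enc_premaster": pow(premaster, RSA_E, RSA_N),
        "ciphertext": keystream_xor(premaster, plaintext),
    }


def record_dhe_session(plaintext: bytes) -> dict:
    """Ephemeral Diffie-Hellman: each side uses a throwaway exponent that is
    discarded after the session. In real TLS the long-term key only signs the
    handshake (signature omitted here). Returns what a passive tap captures."""
    a = secrets.randbelow(DH_P - 3) + 2   # client ephemeral secret
    b = secrets.randbelow(DH_P - 3) + 2   # server ephemeral secret
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(server_pub, a, DH_P)     # equals pow(client_pub, b, DH_P)
    return {
        "kex": "DHE",
        "client_pub": client_pub,
        "server_pub": server_pub,
        "ciphertext": keystream_xor(shared, plaintext),
    }


def read_capture_with_long_term_key(capture: dict, rsa_d: int):
    """Return the plaintext recoverable from a recorded session by someone
    who later obtains the server's long-term private key, or None."""
    if capture["kex"] == "RSA":
        premaster = pow(capture["enc_premaster"], rsa_d, RSA_N)
        return keystream_xor(premaster, capture["ciphertext"])
    # DHE: the session secret came from a and b, which no longer exist;
    # the long-term key never entered the computation.
    return None


if __name__ == "__main__":
    mail = b"constructed sample message body"
    for record in (record_rsa_session, record_dhe_session):
        capture = record(mail)
        print(capture["kex"], "->", read_capture_with_long_term_key(capture, RSA_D))
```

The model covers recorded traffic only: whoever holds the long-term key can still impersonate the server in new sessions, which is the man-in-the-middle case the HSM comment mentions.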

  61.  
    Anonymous Coward, Oct 3rd, 2013 @ 8:01am

    Good one, LavaBit. Stay Classy!

     

  62.  
    alternatives(), Oct 3rd, 2013 @ 8:18am

    Valid submission - font size and spacing

    Many courts have rules about the font, the size and the spacing for it to be a valid document.

    A request for sanctions for the lawyer should have 'solved' the font issue.

     

  63.  
    Internet Zen Master (profile), Oct 3rd, 2013 @ 8:22am

    Re: Re: Judge is right

    Please don't give Congress any ideas John. They'll probably pass a law allowing that (and odds are it'll be championed by none other than Sen. Feinstein in the name of "national security").

     

  64.  
    Arthur Moore (profile), Oct 3rd, 2013 @ 8:26am

    Re: HSM

    You have a good point, but there are problems with HSMs.

    First, they're expensive. A good HSM easily can run into the hundred thousand dollar range. Second, you can only have one server terminating all SSL connections. Since the HSM won't let anyone get the key, then the server with the HSM must be able to handle everyone. Then there's the downtime that occurs if the server or HSM ever breaks. They'd need to get a whole new Cert issued.

    The big reason why companies don't use Hardware Security Modules to store their SSL keys is the way that HSMs work. In order to make sure the keys never leave the HSM, the HSM itself decrypts all the data. Something that just isn't feasible when dealing with multiple SSL connections.

     

  65.  
    Anonymous Coward, Oct 3rd, 2013 @ 8:30am

    Re: Re: Re:

    Probably an NSA stooge. Saves effort thinking that way.

     

  66.  
    Anonymous Coward, Oct 3rd, 2013 @ 8:32am

    Re: HSM

    Still, it's theoretically possible to inject faulty code into a HSM's RNG, thus making it infinitely weaker than expected.

     

  67.  
    Anonymous Coward, Oct 3rd, 2013 @ 8:33am

    So....apparently no one makes scanners and OCR software anymore?

     

  68.  
    Rabbit80 (profile), Oct 3rd, 2013 @ 8:55am

    Re:

    I guess you don't read through the comments then?

     

  69.  
    Anonymous Coward, Oct 3rd, 2013 @ 8:57am

    Re: Re: Govt "right" vs. Govt propensity

    Where the press is free and every man able to read, all is safe.

    What Jefferson is missing there is that every man must not just be able to read, but must actively exercise that skill. The ability is meaningless otherwise.

     

  70.  
    Anonymous Coward, Oct 3rd, 2013 @ 8:59am

    Re: Re:

    Nope. When someone wants to pay me to read through 65 prior comments, I'll consider it. Until then, piss off.

     

  71.  
    PRMan, Oct 3rd, 2013 @ 9:02am

    Re: Re:

    But didn't they have a warrant for Snowden? I don't find that bad if they had that.

     

  72.  
    PRMan, Oct 3rd, 2013 @ 9:03am

    Re: Re: Re: Re: Judge is right

    "the sword of the Spirit, the Word of God"

    You know, that book they put their hand on right before they start lying...

     

  73.  
    PRMan, Oct 3rd, 2013 @ 9:07am

    Re: give it to them

    I think that's what he did, hence the $5000 fine.

     

  74.  
    PRMan, Oct 3rd, 2013 @ 9:08am

    Re:

    Because they seized a copy of the servers and now are asking for the master SSL key.

     

  75.  
    Anonymous Coward, Oct 3rd, 2013 @ 9:09am

    Re: Re: Re: Here's your problem

    you just keep thinking that and live in your happy little world.

     

  76.  
    Anonymous Coward, Oct 3rd, 2013 @ 9:46am

    Re: Re: Re:

    When they rotate keys they become records.

     

  77.  
    John Fenderson (profile), Oct 3rd, 2013 @ 9:58am

    Re: Re: Re: Re:

    This makes no sense. That's like saying that the key to a business' front door is a business record.

     

  78.  
    william (profile), Oct 3rd, 2013 @ 10:15am

    So... with all the massive millions and billions of dollars, they could figure out how to scan a page, put it through OCR and then proofread it.

    I mean, even the Harry Potter scan-a-thon was able to reproduce an electronic copy for 795 pages within 24 hours with relatively small errors.

    Now you lazy ass really done it. Instead of putting on a little bit of elbow grease, you get nothing for being lazy.

    Life Lessons. :P

     

  79.  
    Thomas (profile), Oct 3rd, 2013 @ 11:13am

    Sounds reasonable

    "Yikes. So, even if you set up a secure communication system, this judge says that you have to let the feds wiretap it."

    That sounds reasonable to me. The government does need the right to wire tap potential criminals and threats to the US. What's not reasonable is them doing so without a warrant. That's where the checks and balances are. That's what's wrong with what the NSA is doing.

    If law enforcement can show probable cause, they should be allowed to wiretap a "target".

    What's scary about this case is that the Judge just let them wiretap 400k people for which they don't have warrants.

     

  80.  
    Anonymous Coward, Oct 3rd, 2013 @ 11:25am

    Re: Re: Re: Re: Re:

    A door key is mostly a simple physical object. A cryptographic key is a list of numbers and other characters. It becomes a record in a file.

    FWIW A physical key can be represented by a short series of numbers for the depth of the cuts on the key and the blank number. You can get a new car key cut from records easily enough. You could do it with a house key but that record is less likely to be kept.

    I'm not agreeing with the logic but this is what is being used.

     

  81.  
    Anonymous Coward, Oct 3rd, 2013 @ 11:28am

    Re:

    4pt characters and random data are effectively impossible to transcribe accurately, or read via an OCR. Note there is nothing within the text to help spot mistakes, as it is a random stream of characters. Also being 4pt, the characters will be subject to blurs and breaks causing misreads. Unlike real text, there is no surrounding context to resolve such issues.
    That printout qualifies for a 10 out of 10 for complying without giving them what they wanted.

     

  82.  
    Anonymous Coward, Oct 3rd, 2013 @ 11:40am

    Re: Re: Re:

    Papers and records held by a second party lose protection. It is the result of a bunch of court decisions.

    They have been discussing these sorts of privacy problems all week on NPR: All Things Considered. http://www.npr.org/blogs/alltechconsidered/2013/10/02/228134269/your-digital-trail-does-the-fourth-amendment-protect-us

     

  83.  
    Sunhawk (profile), Oct 3rd, 2013 @ 11:52am

    As a bonus, I would hope that there are two or three characters in each key that are 'misprinted' ^_~

     

  84.  
    Anonymous Coward, Oct 3rd, 2013 @ 11:56am

    Re: Re: Where is a scanner w/ OCR when you need one?

    Output on newsprint with ink jet before steam texturizing it on top of watercolor paper. That should do the trick.

     

  85.  
    Anonymous Coward, Oct 3rd, 2013 @ 12:00pm

    Re: give it to them

    THAT should have been the next response when they rejected the 11 pages of 4pt type. 1 page per character stacked in order such that if they happened to get accidentally out of order while going through them they became absolutely worthless.

     

  86.  
    Anonymous Coward, Oct 3rd, 2013 @ 12:05pm

    The proper response...

    to the court's claiming that it was the right of the government to acquire the information regardless of whether the system had been set up to make it difficult would be to then point out that it is also the PUBLIC'S right to acquire the information about the decisions made in its courts and therefore the court's own argument precludes them from issuing a gag order on the matter.

     

  87.  
    Anonymous Coward, Oct 3rd, 2013 @ 12:08pm

    Re: Re:

    More like they have a copy of all the traffic from PRISM.

     

  88.  
    John Fenderson (profile), Oct 3rd, 2013 @ 12:52pm

    Re: Re: Re: Re: Re: Re:

    Hmmm, so then if the SSL keys were stored on a punched card and had to be entered into a reader to use, then that would make it no longer a business record?

    I think the logic by which it's considered a "business record" is deeply flawed.

     

  89.  
    The Mighty Buzzard (profile), Oct 3rd, 2013 @ 2:16pm

    Re: Re: Re: Here's your problem

    Never forget this. Next time you wonder how they could be such utter rat bastards, you have your answer.

     

  90.  
    Sheogorath (profile), Oct 3rd, 2013 @ 4:56pm

    Re: Re: Here's your problem

    Actually, the government is the people. You are all just the plebs put here to support us with your taxes.
    Altogether now: NSA! NSA! NSA!

     

  91.  
    Anonymous Coward, Oct 3rd, 2013 @ 5:28pm

    Re: Re: Re: Re: Here's your problem

    You look funny

     

  92.  
    Bergman (profile), Oct 3rd, 2013 @ 9:53pm

    Re: Re: Re: Here's your problem

    Doesn't it then follow that governments are made of Soylent Green?

     

  93.  
    Me, Oct 7th, 2013 @ 5:24pm

    Why are we even honoring the premise, let alone the argument

    We embolden the liberties taken against the Constitutional protection accorded our privacy through years of sacrifice by even discussing the "merits" of such requests. The request had no merit and the judge should be ashamed of a ruling that makes such inroads into personal privacy. These are not his/her opinions that should be written up but the law and how the request is either valid or not valid. Comparing the request submitted to a phone company ROI as opposed to the scattershot request for all traffic traversing a wire is ridiculous and shows how incapably the judges have been prepared to listen to these cases. Uninformed jurists are notoriously easy to sway especially by the doom and gloom the prosecutors cast before them.

    A pity that our liberties are being taken away piecemeal by judges and prosecutors paid for with our own taxes. Who stands for our liberty if the folks we pay taxes to are all on the other side of this constitutional debate ??

     

  94.  
    Me, Oct 7th, 2013 @ 5:54pm

    Judge is absolutely wrong and exceeded his/her mandate

    One need only look at New Mexico Mark's arguments and understand how the records in this instance span political and jurisdictional boundaries to understand the danger this ruling puts all future US dealings (individual or otherwise) to foreign government seizure. Lavabit probably saved them from having to find out what it would feel like for China making a parallel "finding" in the case of some company under its territorial jurisdiction (Hong Kong) to hand over ssl keys because of 1 suspicious money transfer and being able to henceforth read all communications say from dissidents or activists. There are things I understand them needing access to and then there is the other stuff that I just don't think they think through regarding precedent, both in the US and internationally.

     

  95.  
    Joe2, Feb 3rd, 2014 @ 8:30am

    Re: Here's your problem

    President Lincoln (and the governors of the confederate states) would have disagreed with you on that one. ;) Millions of US and CS soldiers died over that concept. States refusing to (likely/potentially) give up a way of life, versus a federal government that was literally facing extinction and (likely/potential) foreign invasion. Industrialization ironically would make the very concept of plantations obsolete. You'd still have 'wage slaves' though, where people get stuck buying from the company store, paying company rent... Coal miners and loggers rioted over this, but that's another story.

    Not saying it's "right" to have absolute monarc-I mean slav- err I mean national socialism. Just that it's been established for over a century in the USA that the constitution as much protects the government as it does the citizens, in this republic. Go and openly make threats against that judge just because you disagree and see what happens. You'll be arrested as quickly as you can say "intimidating government official". The fact that the government itself made the decision to give themselves more power is like a kid in a candy store saying they can have more... It's their job and prerogative/self-interest to do so. In the long term, you're trading stability, safety, and security for power, though.

    Caveat: (USA) Southerner with individualist leanings

     

  96.  
    Joe2, Feb 3rd, 2014 @ 8:36am

    Re:

    They've likely known about Freenet+FMS, for years. You don't even need to worry about traffic analysis, AFAIK. It would still be wise to use PGP or similar program's clipboard functionality. I assume they're not incompetent as attorneys in this field. They pretty much HAVE to know about it!

     

  97.  
    Joe2, Feb 3rd, 2014 @ 8:50am

    Re: Re:

    Depends on the system. It's quite possible to have a P2P server ('cloud') arrangement where each peer ('node') broadcasts its public key and the sender's node sends that. Also, this can be layered so that you can have say, 10 servers hand off the message and just unpeel the 11 layers. This wouldn't protect you against timing attacks or traffic analysis, though. For that, you need randomized onion routing instead of an optimal-path algorithm, and some kind of traffic delay. As in, Freenet. I2P and TOR have the onion routing part, but you have to run a secondary protocol on top, to support random delays at each node. There's always big arguments between developers and their cliques over whether it's better to bake it in to make it noob-proof, or to make it an OSI-style layer, to make it less buggy.

     

  98.  
    Joe2, Feb 3rd, 2014 @ 9:04am

    Re: Counter argument?

    "However, the argument is made that that is not good enough. You must provide access to every record, *including all future records*, and do it in such a way that it is completely unverifiable whether one record, a few records, or all records have been copied, stored, viewed, modified, or shared with other organizations." FTFY
    Clerics: We put the doctored in doctrine!

     

  99.  
    Joe2, Feb 3rd, 2014 @ 9:12am

    Re: Re: Re: Govt "right" vs. Govt propensity

    Well, he lived before Mr. Orwell... It's interesting how "independent" AKA noncompliant methods of problem-solving are punished in class, now. No wonder homeschoolers often are way ahead of their peers. You almost couldn't do worse! Of course, they have the occasional 'special' parents that place religion over academics or practical experience. Also, one of the most ironic things about critical thinking, is that as soon as you have an official class for it, it's almost certainly sabotaged.

     

  100.  
    Joe2, Feb 3rd, 2014 @ 9:19am

    Re: Re: HSM

    Begs for an "IBM-compatibilization" of the HSMs. It also seems like you could get 'good enough' capability, with off-the-shelf parts and an open-source design.

    It would need sufficient randomness.
    It would need tamper resistance.
    It would need to be reviewed for exploits.
    It would need reliability (might have to use redundant HSM's).
    It would need to be less than current HSM's (including TCO).
    It would need massive storage and processing power.
    It would need overtly-silent tamper evidence.

    This would obviously be a very intensive project with lots of security pitfalls. :/

     

  101.  
    Joe2, Feb 3rd, 2014 @ 9:23am

    Re: Re:

    Hmm, doesn't PGP have some kind of checksums on each line? We're talking some kind of Base64-based format, right? If it's hexadecimal and in only one font, then there's only 16 'shapes' for the OCR to know. I wouldn't need better OCR, I'd need better noise filtering to remove gray levels, if I was the one scanning it.

     

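Comments 58, 81 and 101 turn on whether a retyped key can be checked for mistakes. As an added example (not part of any comment above): OpenPGP ASCII armor carries one CRC-24 over the whole block (RFC 4880, section 6.1), not a checksum per line, and the sketch below combines that check with the multiple-typist comparison. The sample bytes, the typo model and all function names are constructed for illustration, and only substitution errors are assumed.

```python
import base64
import hashlib
from collections import Counter

def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE                      # initial value from the RFC
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB        # generator polynomial from the RFC
    return crc & 0xFFFFFF

def armor_checksum(raw: bytes) -> str:
    """The '=XXXX' line that closes an armored block: base64 of the 3 CRC bytes."""
    return "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()

def consensus(copies):
    """Majority vote per character; also report where the typists disagreed."""
    merged, disputed = [], []
    for pos, column in enumerate(zip(*copies)):
        char, votes = Counter(column).most_common(1)[0]
        merged.append(char)
        if votes < len(copies):
            disputed.append(pos)
    return "".join(merged), disputed

def verify(body_b64: str, checksum: str) -> bool:
    """True only if the transcribed body decodes and matches the printed CRC."""
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except ValueError:
        return False
    return armor_checksum(raw) == checksum

def mistype(text: str, positions) -> str:
    """Constructed typo model: substitute one wrong character per position."""
    chars = list(text)
    for pos in positions:
        chars[pos] = "A" if chars[pos] != "A" else "B"
    return "".join(chars)

# Constructed stand-in for key material: 128 pseudo-random bytes, not a real key.
SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
BODY = base64.b64encode(SAMPLE).decode()
CHECKSUM = armor_checksum(SAMPLE)

if __name__ == "__main__":
    # Case 1: each typist slips somewhere different, so the vote repairs both.
    merged, disputed = consensus([mistype(BODY, [5]), mistype(BODY, [90]), BODY])
    print("independent slips:", disputed, "checksum ok:", verify(merged, CHECKSUM))
    # Case 2: two typists misread the same glyph the same way; the vote picks
    # the wrong character, and only the checksum reveals it.
    merged, disputed = consensus([mistype(BODY, [40]), mistype(BODY, [40]), BODY])
    print("shared misreading:", disputed, "checksum ok:", verify(merged, CHECKSUM))
```
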

  102.  
    snowden, Mar 15th, 2014 @ 1:02pm

    Re:

    "11 pages of 4pt text is significantly more than 2560 characters.. A typical page would be around 36000 characters."

    even 12-point text (regular size) is just over a page long.

    i think he did it that way to make it more cumbersome. that is, it's *conceivable* that they could scan a single-page document with a hi-res scanner, blow it up, and then try their luck at deciphering the characters. he probably spread it out over many pages and they weren't numbered, so you don't know which character comes next. plus, it's just a bit more ass-holey. that's my guess.

     
