New evidence reveals FBI demands companies secretly turn over crypto keys, allowing them to simultaneously wiretap all customers worldwide, and threatens to jail them if they violate the gag order : worldnews

liotier CC BY-SA 3/10/2013

Think Lavabit overreacted ? Think again: there is now proof that FBI extorts root certificates from companies. Cryptography is only as good as the PKI’s physical security and its political environment.

▻http://www.reddit.com/r/worldnews/comments/1nm8nr/new_evidence_reveals_fbi_demands_companies/ccjv26q

For those that don’t remember, Lavabit was Edward Snowden’s email provider, and they shut down their fucking business rather than cooperating with a court order they claimed “would make them complicit in crimes against the American people.” They were bound by a gag order and threatened with jail if they violated it.

Today they won a victory in court and were able to get the secret court order unsealed, and holy shit is it a doozy: the ACLU’s Chris Soghoian called it “the nuclear option.” The court order revealed the US government demanded Lavabit turn over their root SSL certificate, something that allows them to monitor the traffic of every user of the service. Security researchers have argued for years over whether the government would be so heavy-handed as to try this, but there has never been any proof that they actually do, as no one has ever challenged such an order in court.

If a government can force a company to turn over the SSL keys, it breaks the trust model for the entire internet. Everything from google to facebook to skype to your bank is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key, they can bet your ass they did the same thing to Google. People don’t understand how big this is from an internet trust model. This story changes everything. No US company that relies on SSL encryption can be trusted with sensitive data, which is what lavabit asserted in their “farewell address” and people thought was an overreaction."

liotier CC BY-SA

tbn @thibnton PUBLIC DOMAIN 3/10/2013

#Lavabit
Lavabit Founder Waged Privacy Fight as F.B.I. Pursued #Snowden
▻http://www.nytimes.com/2013/10/03/us/snowdens-e-mail-provider-discusses-pressure-from-fbi-to-disclose-data.html?
cf. ▻http://seenthis.net/messages/182835

tbn @thibnton PUBLIC DOMAIN
Simplicissimus @simplicissimus 3/10/2013

Explication détaillée dans les commentaires :
When you get an SSL key, what you actually get is a private key and a public key. The public key is what is signed by the certificate authority and is published.
You can have the CA generate the private/public key pair for you (which is honestly unwise) or you can generate the key pair yourself and provide just the public key to the CA.
What the FBI demanded, and the court required, and Lavabit provided in 4-point font, is the private key.
They wanted it because - and this is a strong guess - Snowden, being a competent and paranoid person, did not trust certificates that he had not previously vetted and trusted, so spoofing a certificate in a man in the middle attack wouldn’t fool him. The only way to intercept his traffic would be to use the original cert and the original key.
puis un peu plus bas, complément
This bears repeating since it is one of the most awesome things I’ve read concerning this awful mess:
In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”
“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.
The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.
On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter...
Lavabit has raised approximately $30,000 in an online fundraising drive1 to finance its appeal to the 4th Circuit. Today the appeals court extended the deadline for opening briefs to October 10.
11 pages in #4-point_font !

Simplicissimus @simplicissimus
Fil @fil 3/10/2013

reddit pointe vers l’article de Wired :
Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show
By Kevin Poulsen
▻http://www.wired.com/threatlevel/2013/10/lavabit_unsealed

Fil @fil
Simplicissimus @simplicissimus 3/10/2013

Merci @fil !

Simplicissimus @simplicissimus
severo @severo PUBLIC DOMAIN 3/10/2013

en passant merci aussi @fil pour autre chose : faire découvrir le lecteur PDF utilisé par Wired, et basé sur des outils opensource qui ont l’air de décoiffer :
– recherche : ▻http://www.documentcloud.org/public/search
– liste des outils libres : ▻http://www.documentcloud.org/opensource
– le viewer : ▻https://github.com/documentcloud/document-viewer
– extraction d’informations : ▻http://documentcloud.github.io/docsplit
– recherche à facettes : ▻http://documentcloud.github.io/visualsearch/#demo

severo @severo PUBLIC DOMAIN
liotier @liotier CC BY-SA 3/10/2013

L’ensemble de la plate-forme est à ▻https://github.com/documentcloud/documentcloud - quelqu’un connaît des instances publiques de ce système ? Pour entoiler des PDF ce serait beaucoup mieux que cette horreur de Scribd...

liotier @liotier CC BY-SA

Écrire un commentaire