"At approximately 1:30 p.m. EDT on August 2, 2013, Mr. Levison gave the FBI a printout of what he represented to be the encryption keys needed to operate the pen register. This printout, in what appears to be 4-point type, consists of 11 pages of largely illegible characters.
Moreover, each of the five encryption keys contains 512 individual characters - or a total of 2560 characters. To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."
> To make use of these keys, the FBI would have to manually input all 2560 characters...
My reaction to that was "oh boo hoo".
When people my age were kids (get off my lawn) we used to type pages of raw hexadecimal from the back of magazines into a machine prompt. We didn't cry about it, we were just careful.
I can't find a hexadecimal example at the moment, but look at some of these TRS-80 programs (pp. 110-111, 143) which have multiple pages of data/digits to transcribe:
And also... C64 programs. They were manually typed in by 10 year old kids. The programs were printed in the computer magazines (early 80s) that dealt specifically with C64's. These programs were far more than 2560 characters (in some cases).
If young, interested kids can do it, I'd hope that a nation state could figure it out.
Yep, I remember doing that with an Apple II back in '79 to get a simple lunar lander game. The process took more than a day, with two friends to help double check the values as we copied everything over. When it ran, and worked, we thought we were gods!
Yeah, in the grand scheme of things it's easier to get a few people to type that in (it's parallelizable, after all) than to wait for another court order. Though I'd still have brought it to the judge's attention as this is like the dictionary definition of "contempt of court". If someone tried to be GPL-compliant in this fashion they'd be laughed off the mailing list.
Keep reading: a couple of days later, he was then forced to send them in digital format under penalty of $5000 per day after the new deadline. So yeah, contempt was clearly detected, if not explicitly mentioned... your justice system works very quickly when it wants to.
Oh, I knew had presented it to the attention of the court, I was agreeing with their course of action in that regard bringing it to the judge's attention. A couple of days later is still too long of a wait though.
4 people can get this data entry done in an hour. One person reads out loud while the other person types and confirms each character. The second team does exactly the same work enabling a diff on the completed work to quickly find errors once everything is done. One character per second isn't unreasonable, so that's less than an hour. Or the same team does it twice in 2 hours.
It's not a big deal though. They subsequently specifically asked him to put it on a CD in PEM format and deliver it by 5 that day or be faced with a $5000 fine per day or something like that.
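Added example, not part of the thread: the two-team procedure described in the comment above, with the final diff done in Python. The sample block is a constructed 512-character stand-in (not a key), and the function names and the list of look-alike glyphs are assumptions made for illustration.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed 512-character stand-in for one printed key block (not a real key).
SAMPLE_BLOCK = "".join(hashlib.sha256(bytes([i])).hexdigest() for i in range(8))

# Glyphs that are easily mistaken for each other in very small print (assumed list).
CONFUSABLE_GROUPS = ("0Oo", "1lI", "5S", "8B", "2Z")


def _confusable(x: str, y: str) -> bool:
    """True when two single characters belong to the same look-alike group."""
    return len(x) == 1 and len(y) == 1 and any(
        x in group and y in group for group in CONFUSABLE_GROUPS
    )


def compare_transcriptions(first: str, second: str) -> list:
    """Diff two independent transcriptions of the same printout.

    Whitespace and line breaks are ignored. Each finding records where the
    teams disagree, so only those spots need to be re-read from the paper.
    """
    a = "".join(first.split())
    b = "".join(second.split())
    findings = []
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    for kind, a0, a1, b0, b1 in matcher.get_opcodes():
        if kind == "equal":
            continue
        findings.append({
            "offset": a0,                 # position in the first transcription
            "kind": kind,                 # replace / delete / insert
            "first": a[a0:a1],
            "second": b[b0:b1],
            "confusable": _confusable(a[a0:a1], b[b0:b1]),
        })
    return findings


def locate_on_paper(findings: list, chars_per_line: int = 64) -> list:
    """Convert offsets to 1-based (line, column) for a 64-column printout."""
    return [
        (f["offset"] // chars_per_line + 1, f["offset"] % chars_per_line + 1)
        for f in findings
    ]


if __name__ == "__main__":
    # Team A mistypes one glyph; team B's copy is treated as the other entry.
    team_a = SAMPLE_BLOCK[:100] + "O" + SAMPLE_BLOCK[101:]
    for finding in compare_transcriptions(team_a, SAMPLE_BLOCK):
        print(finding)
```

A position where both teams made the same mistake produces no finding, so the diff narrows the re-reading work but does not prove the result matches the paper.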
Single sided, double-spaced, abstract, appendices, title page, dedication page, headers, footers... still doesn't seem to be enough. Maybe the numbers were in Roman numerals?
They were to turn over the keys and all information required to decrypt everything. Presumably, they wrote a LOT of 4pt boilerplate on how to use the keys for decryption.
This is what happens when you try to "hack" the legal system as if it was a simple, deterministic computer program (it comes up here frequently as the "FBI wasn't here"-sign-in-library hack).
When a judge orders you to do something, you have to comply with the substance of the order, not evade it by sort-of technically complying while actually avoiding it.
I have all the respect in the world for Levison, he did the right thing and it takes guts. But trying to "hack" a judge's order is just silly.
I disagree. If the judge wanted an electronic copy then he or she could ask for that, which is indeed what the judge later did. Levison would have known that his initial 'compliance' wouldn't make the problem go away, but it did buy him some time while the judge figured out what to do next (or the FBI figured out that they needed to be more precise in what they were asking for). He didn't refuse to comply at any point - he complied with the original request, at which point the judge gave him fresh instructions and ordered him to comply with those or face a fine.
Consider it from another perspective - people often request data from governments or large corporations and, when ordered or pressured into providing it they often do so in the least helpful format available. They are rarely punished for this because the law doesn't really have a position on whether CSV is a better document format than PDFs of scanned printouts, or whether a 50-page printout is more useful than a CD-ROM or USB stick. Why should the rules be any different for someone like Levison?
There are specific terms in the GPL[1], and probably elsewhere, that address this issue:
[3(a)] Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;
It's still open to some interpretation, such as exactly what constitutes "customary media", but probably does rule out the printed on the side of a cow[2] approach taken here.
It's not entirely fair to call this "resisting evil". The Feds went through the appropriate, judge-authorized channels to get the information. Is every search warrant an act of evil? And is each person served with the warrant the arbiter of what is evil and what isn't?
I support what Snowden did. Yet we must admit that it was illegal, and the feds had every justification to get a warrant for his communications. This wasn't carte blanche monitoring, this was targeted data collection.
Of course I realize that, but we're not talking about abstract concepts here, we're talking about a narrow and specific set of circumstances.
Do you really think it was evil of the Feds to get a court order to inspect the communications of someone that was known to, without a shadow of a doubt, be leaking classified information? I do not.
I think Snowden was right to do what he did, I think the Feds were right to respond with a search warrant request to investigate him, and I think the judge was right to grant it.
Don't focus too much on Snowden. The rightness or wrongness of his behavior is not germane to this discussion. Levison provided a lawful service to willing consumers. Snowden was the pretext the FBI used, but it's clear in this case that they also wanted the ability to surveil other customers of Levison's besides Snowden. That's evil.
> Don't focus too much on Snowden. The rightness or wrongness of his behavior is not germane to this discussion.
Snowden is the context. Ignoring the context is rarely a good idea. And while I agree that the rightness or wrongness of his behavior is not germane to the discussion, his actual behavior is most certainly germane. If the Feds requested, and received, a court order because Snowden wrote a critical blog entry of the government that would be one thing. Requesting and having it granted because of his actual actions is another thing entirely.
> Snowden was the pretext the FBI used, but it's clear in this case that they also wanted the ability to surveil other customers of Levison's besides Snowden.
Is that absolutely clear to you? Because it isn't to me. The Feds gave Levison a chance to provide lawfully requested information on Snowden that did not require decryption and Levison refused. Okay, if they couldn't compel Levison to alter his code to provide the requested metadata, they could compel him to give up the keys to that information directly. What do you expect them to do? Give up and go home? Pout?
Levison stood up for his convictions and I applaud him for that. I'd like to think that I would have done the same thing in his shoes. That doesn't mean I vilify the Feds for doing what they did. I don't feel anyone acted unreasonably, much less evil, at least not with the information we have available to us right now.
> What do you expect them to do? Give up and go home?
When they determine there is no lawful or ethical way to prosecute someone, I absolutely wish they would give up and go somewhere. Unfortunately I'm not naïve enough to expect that. (I stipulate we don't agree on the facts in this case; I intend merely to contradict the idea that LEOs and prosecutors ever have to do anything.)
> Is that absolutely clear to you? Because it isn't to me.
From the "big announcement" earlier today:
> During an investigation into several Lavabit user accounts, the federal government demanded both unfettered access to all user communications and a copy of the Lavabit encryption keys used to secure web, instant message and email traffic.
Right, that's the same thing I just typed. They requested the encryption key that would give them access to everything after Levison refused to modify his code to give them access to only the one thing. If they're able to get a warrant for Snowden's data, and the only way they can lawfully obtain it is a method that also gives them access to everything, then that's what they are going to do.
Like I said, I don't find that evil. From their perspective, the only way to lawfully get Snowden's data incidentally required they get the keys to all of the data.
The entire point of Lavabit was keeping communications secure. It was in fact designed to have the property that you and the government would have liked to "modify" away. The government's position was akin to telling Ford Motors to sell dangerous vehicles to bad people, and then after they refuse forcing them to sell dangerous vehicles to everybody. If you want to outlaw safe vehicles, do that in an open session of Congress. Search warrant proceedings are not the proper fora in which to legislate what sorts of online services are legal.
It's clear that we have different thresholds for the concept of evil.
> The entire point of Lavabit was keeping communications secure. It was in fact designed to have the property that you and the government would have liked to "modify" away.
I truly don't see how that's pertinent. So because Lavabit designed a "secure" service and promised their customers secure communications, their customers, and by extension Lavabit, are shielded from the judicial process of the country Lavabit resides in? Even in cases when they have the technical capability to comply? Seems a bit much.
Lavabit claimed security, not shielding from the judicial process (they complied with other warrants in the past, supposedly). And if they did claim shielding from the judicial process, then their product did a shit job of backing it up. That they could even technically comply with a warrant makes them just as vulnerable to the judicial process as every other service. How is that the government's fault?
> If you want to outlaw safe vehicles, do that in an open session of Congress. Search warrant proceedings are not the proper fora in which to legislate what sorts of online services are legal.
This statement is ridiculous. The search warrant process is authorized by Congress and issued by the judicial branch. It's no secret. Should every search warrant be run through Congress?
> It's clear that we have different thresholds for the concept of evil.
At least we can agree on that. As I've said, I'm a Snowden supporter, and I've contributed to the Lavabit defense fund. But federal agents investigating a national security leak by issuing a search warrant to a provider located in the continental US whose only means of complying is unlocking their entire service (whose fault is that?) doesn't fit the bill of "evil" for me.
At this point we're probably talking in circles though, so I'll leave my thoughts there.
Levison's conduct in prior incidents shows that he had cooperated with the gov't when the scope was limited to a single account. It is only when the gov't pushed for the ability to decrypt all customers' data that he refused.
But remember, civil disobedience means you agree to the legal consequences of your actions. In the case of contempt of court, it means jail time until you comply.
Defenders of the status quo really don't get to define this term. Civil disobedience will be, whatever it must be. In a hundred years blowhards on the intermind will compare their political opponents unfavorably with Levison, Snowden, etc. It will be just as ridiculous and unseemly as it is now.
>>He didn't refuse to comply at any point - he complied with the original request
Just like the parent said, while he kind of technically complied. But, again, it's more than obvious to everyone that it's not what was expected/demanded from him.
>>Why should the rules be any different for someone like Levison?
Because it's related to Snowden. Again, it's quite obvious to everyone, that it's a hot issue and the government might go far to solve it.
Like it was said above, while I really support and respect Levison, it's not something you should be trying to fool - it's not a computer program...
When you have lost, the best you can do is to lose with dignity: he had lost (either by complying, whereby he would be failing to his clients or by not complying, whereby he would suffer a penalty). He took what looks to me the better option: comply "formally".
So that he cannot be said to have not obeyed the mandate and at the same time making it clear that he did not want to comply.
Against the Leviathan the only possible defense is foolishness. This gives you publicity (in a '''''free''''' society and the conscience of your own freedom).
> Just like the parent said, while he kind of technically complied. But, again, it's more than obvious to everyone that it's not what was expected/demanded from him.
Government and judicial institutions do this all the time, so to anyone with a common sense, it's more than obvious to everyone that it's exactly what was expected/demanded from him.
> Just like the parent said, while he kind of technically complied. But, again, it's more than obvious to everyone that it's not what was expected/demanded from him.
No, it really isn't. This is precisely why interactions between the law and technology are often quite confusing, because there's a mismatch between what the law says and the technological reality. It wasn't obvious what the law was demanding of him because such demands are rare and judges haven't figured out a boilerplate form of words to ask for the surrender of PGP keys or SSL certificates in particular file formats yet, and so they ask in general terms for 'encryption keys', leaving much open to interpretation. The existence of such ambiguities is why lawyers earn as much money as they do.
Levison wasn't 'fooling' the law at any point - he complied with the request as presented to him. The FBI wasn't happy with that response and went back to the judge for a more tightly-worded request, backed up by a threat of fines. At no point was the legal process subverted, 'hacked' or 'fooled'.
My point is that this is how the law works. If a judge wants you to do something then it is incumbent upon the judge to specify clearly what that is. You can't refuse without facing legal sanctions, but if the judge is vague or imprecise then you have at least some freedom to interpret the judge's instructions yourself. As I said earlier, corporate and government lawyers are experts in finding the most favourable interpretation of judicial rulings for their clients, and many legal cases revolve around reaching an interpretation of the law that is unambiguous enough to be enforceable.
> Because it's related to Snowden. Again, it's quite obvious to everyone, that it's a hot issue and the government might go far to solve it.
> Like it was said above, while I really support and respect Levison, it's not something you should be trying to fool - it's not a computer program...
What are you trying to say here? Sure, the government cares a lot about this case. But the judiciary and the government are not the same thing, and the law, as a matter of principle, is meant to apply equally in all cases. There are no special cases where the law should be applied differently because the case has the attention of senior government officials. You might say that I am being somewhat naive in that belief, but I think that most judges would agree that their role is as neutral arbiters of the law, not agents of the government of the day.
There is absolutely no sense in which it's possible to describe Levison's actions as incorrect. You can believe that he should have surrendered the keys in electronic format immediately, despite not being asked to do so, or you believe that he should have refused point blank to disclose them and thus disobey the judicial order, but those options are variously immoral or illegal, and the action of providing the printed copies of the keys was neither.
>When a judge orders you to do something, you have to comply with the substance of the order, not evade it by sort-of technically complying while actually avoiding it.
Attorneys do this kind of crap all of the time. Often, when ordered to provide docs for discovery, they will print pdfs and re-scan them in (sometimes over and over again, to make them barely legible) to make opposing counsel's task that much harder. The judge in this case may not have had much appreciation for Levison's wit, but it may not be as silly as you think. Perhaps Levison knew he was at the end-game and merely needed a brief delay to tidy up some loose end, in which case his tactic worked well.
Conscientious objections aren't silly. He's risking further abuse.
It takes guts, just as you say. It takes guts specifically because he's unwilling to gracefully comply. "Monkey-wrenching" usually appears silly to people who are defeatist or subservient to a particular order/agenda. I'm not saying you are. I appreciate your comment otherwise. I'm only suggesting that you reconsider your view on his tactic, if only a delaying tactic, as an act of courage rather than silliness.
> I have all the respect in the world for Levison, he did the right thing and it takes guts. But trying to "hack" a judge's order is just silly.
Perhaps he knew it was silly but just wanted something to show he's trying to resist the order. It's been a very popular move with people, and probably caused people to remember who he is, increasing customers for his next business.
It's a shame he's still got so little in the legal defence fund. $20,000 is nothing for a legal case.
There's plenty of examples of governments forced to comply with open data/FOIA doing precisely this. You can definitely hack the legal system, you just need to understand it fully and properly first, which tends to be where people, particularly hackers with high opinions of their own abilities fall down.
Civil disobedience can be a wonderful thing. If the Civil Rights movement followed every judge's instruction they would not have achieved what they did.
You're implying malicious intent, but he may have simply wanted to buy some time. The number of options to defer punitive measures will have been very limited and this one seems pretty straight-forward.
I disagree. "Hacking" the system by creatively interpreting the laws is what lawyers do! It's their job to hack the legal code to their clients' benefit.
Google is doing it in Brazil. They say it isn't necessary to comply to Brazilian laws because their servers aren't located in Brazil. BTW, it is a lie.
See:
ping google.com
PING google.com (201.17.31.88) 56(84) bytes of data.
64 bytes from c9111f58.virtua.com.br (201.17.31.88): icmp_req=1 ttl=60 time=11.8 ms
64 bytes from c9111f58.virtua.com.br (201.17.31.88): icmp_req=2 ttl=60 time=12.9 ms
64 bytes from c9111f58.virtua.com.br (201.17.31.88): icmp_req=3 ttl=60 time=11.5 ms
64 bytes from c9111f58.virtua.com.br (201.17.31.88): icmp_req=4 ttl=60 time=13.1 ms
I'm in Rio de Janeiro. In 6ms travelling at the speed of light, I'd travel 1800km. Florida (the nearest American state) is more than 7000km far from my city.
I don't know. It might've been worth a shot to send it in PDF format the second time, after he asked to deliver it digitally, just as a sign of protest. Didn't Twitter refuse to comply with a judge's order once, too?
THE POLICE HAVE REQUESTED ALL FILES UNDER DIRECTORY TITLE RAND.
"Dump it for them at 300 baud."
"Art! Are you sure?"
"We cleaned Rand's directory first thing. Took out everything not routine, then we added a few files. Old engineering catalogs. Maintenance schedules. Ratings of TV shows. Makes a pretty big file---" MILLIE, what is the total stored in Rand's directory?
23,567,892 BYTES
"Good Lord. Art, that will take hours to print out---"
"Yeah, that gives the cops a hobby." [1]
[1] Larry Niven and Jerry Pournelle. Oath of Fealty. New York: Pocket Books, 1981. ISBN 0-671-82802-9, pp. 287--8.
I really don't get why dude didn't respond to the requests for information with a totally straightfaced, and factual, "we do not have the technical capability to recover messages for a user using the encryption software". Not "we could possibly defeat our own system, but we don't want to." Just the "we do not have the technical capability to do that, but we're happy to turn over any other information which we can provide, pursuant to lawful order or warrant." Be polite, totally responsive, completely honest, but don't go into the "yes, we could possibly build something which would possibly do what you want, but we don't want to."
You don't get it. Emails were encrypted at rest with the user's password. This was publicly disclosed by Lavabit on their site. With the SSL key material the state could decrypt the user's password from network traffic. The encrypted emails and SSL key material are obtained through the courts, SSL encrypted passwords via surveillance, bob's your uncle they can read a user's email. Lavabit wouldn't need to "build" anything and couldn't argue they didn't have the technical capability to turn over SSL keys and encrypted email data. This is why he shut down, so that users wouldn't continue to submit their passwords over the wire using a compromised SSL key.
The only reason they got the SSL key search warrant was his aggressive noncompliance with the pen register/pen trap. I didn't realize pen register applied to non-CALEA entities (this is a PATRIOT 216 thing); if it didn't, there would have been no justification for 1) forcing his cooperation and 2) getting SSL keys from him.
With Patriot 216 pen trap, they can compel full cooperation to the same standard as a CALEA covered entity, which they knew he couldn't provide as well as their own pen trap device (at least without work; they found $2k unreasonable to implement it!), so they can get a warrant for SSL keys for their pen trap. With that they can do whatever.
There may be a solution in SSL keys which can't be exported (HSMs) into the pen trap; you'd potentially be able to require a secret compatriot offshore (or via a cutout) to assist in adding a new load balancer or front end, so you'd be technically unable to comply. They could require you generate and use new keys, but users could detect that, and you could warn of this when you first set up the system.
Yes, but it's not instant. He was asked for pen register, he wasn't 100% helpful (partially due to how the system was set up), so they went back in various ways to get what they wanted (threatening criminal or civil contempt charges, fines, and a warrant for ssl keys).
Then Ladar delayed on the warrant in a variety of ways (trying to quash a warrant, which I didn't know could be done before executing it; trying to claim it was invalid until after the pen trap was set up without it to actually observe it failing, the "little 4 points" trick.)
It would be absolutely factual. There's a difference between "we could build x, given months of engineering effort, possibly including outside experts" and "we can do x in response to a court order in our current system, on demand."
There is no prior requirement for an email provider to be CALEA compliant, so there doesn't need to be a particular LI function built into the system.
>"we could build x, given months of engineering effort, possibly including outside experts" and "we can do x in response to a court order in our current system, on demand."
That sounds almost like a solicitation for work, and I suspect that is the way that others (Google, MS, friendface, et al) replied.
Right, which is why you just answer with "we do not have that facility." Turn over your billing records and other material you do have, but don't turn over anything you don't have, and be unfailingly polite, prompt, and not a dick.
It was kind of game over once the search warrant for key came in, unless the keys were in an HSM. As long as you can prevent the search warrant from being issued, a regular pen register isn't going to be terribly onerous if it doesn't produce useful data due to everything being encrypted. If you don't have a system to do user logging, you can honestly respond "we do not have records of messages sent through our system". I don't know if they can even require you to turn logging on if it's not already on in that case; they could get a warrant for your whole system, possibly, but that's a much higher legal bar, and "fine, it's in fedex billed to USG account" might be a reasonable answer there.
It appears under USA-PATRIOT 216, virtually any information service provider is compelled to assist with a pen register implementation, which is bullshit. Prior to that, you could have not assisted, forcing the LEA to do it themselves, and if you had crypto and no technical ability to turn over the keys, it'd be at worst a shutdown. Now, you probably can be legally compelled to assist fully and subvert anything.
I assumed this stuff only applied to CALEA entities like PSTN, PSTN-interconnected-voip, and broadband ISPs; it appears it is actually patriot and means there's enough legal pretext to essentially always get keys:
1) Any non-CALEA entity probably does NOT have a system which can log every pen trap piece of data desired. If there's even a single thing which your system internally can't provide, LEA could argue that their own pen trap would be more effective, and could compel you to turn over keys to populate their device. They could compel you to generate new keys outside an HSM if you have technical controls to protect your existing keys from disclosure, too, and disguise that as "hsm failure" or something like that. It seems pretty open ended.
A non-charitable view of the entire Lavabit thing is that it was a roundabout way/pretext to compel key disclosure. It doesn't matter if USG uses the keys illegally for something which isn't used in a criminal prosecution; the data in Snowden's mail is of intelligence value where those rules don't apply.
2) Unless Patriot 216 is found unconstitutional, Ladar is fucked, as is the entire US IT/cloud industry. I don't believe in Lavabit's "keys are protected" argument -- the court presumes LEAs are trustworthy, and will accept just restrictions in policy on what they can do with keys. Only eliminating pen registers for "arbitrary Internet services" will work, and that probably won't happen.
> Turn over your billing records and other material you do have, but don't turn over anything you don't have, and be unfailingly polite, prompt, and not a dick.
No, in fact, when dealing with law enforcement you should be as uncooperative as possible. It is in your best interest. The expectation that if we are polite to some adversarial authority then they'll go easier on us seems quite widespread (seems to me it has some deep bio/psychological roots). Unfortunately, it's completely false. The police doesn't care the least bit if you are cooperative, polite, prompt, not a dick... In fact, they are trained to exploit one's urge to be polite, honest and helpful against you.
If law enforcement decides to come after you (for whatever reason), no politeness in the world is going to make them turn around and say: "Gee, what a nice fellow, we're sure sorry we wasted his time." They are there to get you, not to negotiate and make good first impressions. There is absolutely nothing you can say that can help you in any way.
It's different if you're the target of an investigation vs. a service provider. If you're the target, you just have your lawyer give them as little as possible. If you're a service provider, on the advice of your counsel, there is actually a lot of cooperation you're forced to give them. And they have a pretty broad amount of discretion on how much of a hassle to be to a third party service provider.
I've just sped through the court docs so may be recalling incorrectly but the judge says that as far as he's aware no-one has previously been paid to build something to enable pen/test devices
I think the judge is lying. Every telco in the USA has been paid for providing LEOs with call detail records, which are completely equivalent to the output of such a device. I'm sure the bigger telcos like VZN and ATT have been paid development costs as well, which speaks to either ignorance or deceit on the judge's part.
I don't know how the US court system works, but if companies have opposed the orders and have subsequently been paid costs then these court orders are usually "sealed" so the judge wouldn't know of them.
Some companies probably just rolled over and agreed costs directly with the agencies involved.
Historically, pen/trap is much less controversial than the "Room 641A" crap, so even if the legal department examines every request (which isn't true for every telco), nobody fights any of them. This was actually the source of the unfortunate "if the phone company knows who you call it isn't personal information" theory. Each telco treats this as just another line of business, and they send invoices to law enforcement agencies. "Modern" switches are smart enough to track called and calling numbers without the installation of actual old-fashioned "devices", so I wouldn't be surprised to learn that the price of this service has decreased. However, this is such common knowledge in telcos that I'd be shocked to find it isn't common knowledge in courthouses. So, the judge is either ignorant or dishonest.
Almost all providers want to comply with almost all orders, because 1) they generally like being friends with the law and 2) criminals using their service are bad customers, too. So it probably hasn't been an issue in a lot of cases.
There's OCR systems which work on the basis of internal font consistency. They break the page into a series of single character images, and because the same character repeated is close to identical it's trivial to match them up, so you can easily build a map of characters.
You then just need a human to label each character once. With a pixel image comparison 0 looks completely different from o.
If they're using a standard font then a regular OCR (you'd only need four nines accuracy to get it 100% correct) would be fine, even with a weird font it would still be easy to get that level of accuracy.
The obvious solution to this would be to cycle randomly between fonts every few characters (or keep a running total of the font used for each particular symbol, and ensure it stays below some threshold). For bonus points you could convert the key from base64/ascii to unicode or similar.
> The obvious solution to this would be to cycle randomly between fonts every few characters (or keep a running total of the font used for each particular symbol, and ensure it stays below some threshold).
This sounds like a useful defence in general against OCR re-use of particular things you might publish. I wonder if it could be done in a manner unobtrusive to the eye, but progressively more expensive to algorithms, either in terms of memory or time. This is really a neat idea you have.
Doesn't matter. A few wrong characters can easily be brute-forced. Once you have enough of the characters, you can just write a program to try modifying a few of them until you get a key that works.
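The point made in the comment above, as an added example that is not part of the original thread: a transcription with a few misread characters can be repaired by trying look-alike substitutions until a check passes. The key strings, the confusable-character groups and the SHA-256 fingerprint used as the "does this key work" check are all constructed assumptions; a real check would test the key against the matching public certificate.

```python
import hashlib
from itertools import combinations, product

# Characters that are easily confused in tiny print (constructed list).
CONFUSABLE = ["0OoQ", "1lI", "5S", "8B", "2Z", "6G"]
ALTS = {c: [d for d in group if d != c] for group in CONFUSABLE for c in group}

# Constructed sample data: a short stand-in "key" and a transcription of it
# with two misread characters ('0' read as 'O', 'S' read as '5').
TRUE_KEY = "Zk0l5Bq8xQ2mOIS6Gt1e9RwLpA"
TRANSCRIBED = "ZkOl5Bq8xQ2mOI56Gt1e9RwLpA"
FINGERPRINT = hashlib.sha256(TRUE_KEY.encode()).hexdigest()


def key_works(candidate, fingerprint):
    """Stand-in oracle: does the candidate hash to the known fingerprint?"""
    return hashlib.sha256(candidate.encode()).hexdigest() == fingerprint


def repair(transcribed, fingerprint, max_errors=2):
    """Try look-alike substitutions at up to max_errors positions.

    Returns (corrected_key, candidates_tried), or (None, candidates_tried)
    if no candidate within the error budget passes the check.
    """
    tries = 0
    # Only positions holding a confusable character are worth revisiting.
    suspect = [i for i, c in enumerate(transcribed) if c in ALTS]
    for k in range(max_errors + 1):
        for positions in combinations(suspect, k):
            options = (ALTS[transcribed[i]] for i in positions)
            for replacement in product(*options):
                chars = list(transcribed)
                for i, r in zip(positions, replacement):
                    chars[i] = r
                tries += 1
                candidate = "".join(chars)
                if key_works(candidate, fingerprint):
                    return candidate, tries
    return None, tries


if __name__ == "__main__":
    fixed, tries = repair(TRANSCRIBED, FINGERPRINT)
    print(f"recovered={fixed == TRUE_KEY} after {tries} candidates")
```

The candidate count grows with the number of suspect positions and the error budget, so small print or odd fonts add a modest amount of computation rather than any real protection for the key.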
Passive aggressive ftw. I would have used an excessively decorative script font and not numbered the pages or identified which keys. Perhaps even a typo or two, that'd buy some time.
On the size, 4 pt is generous. I remember printing an allowed note index card for high school final exams in 1 pt Times New Roman on a laser printer @ 600 dpi. At arm's length, it looked like a series of lines, but up-close the text was quite readable. Under magnification, the print quality was amazing.
Even if futile, beautiful example of civil disobedience. If only there were more people that at least tried as he did.
I'm supporting his rally[1] and hope more people will.
Isn't the key this sentence: "Wired reported the government as complaining that a Lavabit representative indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system.’"?
If they used something like Perfect Forward Secrecy, could they not legitimately have claimed to be unable to defeat their own system (as it is currently configured)?
Offtopic: scrolling through the printout by dragging the scrollbar handle slowly (~3 pages per sec) crashes the Chrome renderer (tried on 2 win7-32 boxes).
FYI, I would guess that Attachment A starting on page 144 is a reproduction of the keys in a very small font. If that is correct, they are indeed illegible.
The worst part about this is that it's not even that hard to fix. If you wanted to - you could hire a VA for $5/hour to digitize it (and hire another to QA). Total cost probably less than $100.
Technically speaking he did comply with the order. They never specified what format it should be in.
Plus companies shouldn't be required to beautify data for the government. They got what they asked for; it's up to them to figure out how to use it.
I know this is a bit sneaky this time but if they allow this to stand then soon companies will have to employ full time staff to beautify data for the government with pretty graphs and such because a database dump is incomprehensible.
It's like a kid asking you how to make a website and then complaining that HTML, CSS, JavaScript, etc. is incomprehensible.
Sorry, but I'm not a fan. Either comply with the order or don't, but don't play games.
This is the same nonsense the government pulls when they want to "technically" comply with a FOIA request, but want to make life as hard as possible for the requester.
Apparently double standards are wrong when the government does it, but are OK when "we" do it.
What I'm not a fan of, however, is that Levison had claimed that he'd be willing to comply with (indeed, has complied with) specific warrants. He left the impression that the FBI was asking him to ruin his security in general.
However the court filings show that the request for the SSL priv keys came only after Levison failed to comply with... a specific warrant relating to Snowden and Snowden alone. So if Levison wasn't lying, he was definitely leaving something major out of his story.
He was probably still working on a way to compromise Snowden while leaving all of the users still secure, and the FBI was probably just impatient. But that's pure speculation on my part.
From what I can gather in the released order, the FBI didn't actually ask for Snowden's communications to be compromised anyways, they wanted the "connection information" (i.e. IP addresses, any metadata). I don't understand why Levison didn't think he could comply with that, unless it was completely impossible for him to implement.
But he never told the FBI it was technically impossible, he told them that he would not (as opposed to "could not") do it.
Moreover, each of the five encryption keys contains 512 individual characters - or a total of 2560 characters. To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."