
Lavabit SSL Cert Revoked - jambo
https://lavabit.com/?8-oct-2013
======
brian_cloutier
Lavabit has revealed something incredibly important.

The US Government has no problem with seizing your _private keys_. It claims
the right to impersonate you without your permission.

It no longer matters which system you use, Sovereign Keys, PGP web-of-trust,
traditional PKI, they're all the same. Services based in the US can be MITM'd
without leaving any traces.

If this is allowed to continue uncontested there will no be no way to stay
secure online. The _only_ solution is a partial solution, to create
decentralized services. This, at least, will require the government to seize
the private keys of each individual they want to track.

~~~
abalone
Ok, let's keep this in perspective. The problem here is Lavabit was
_specifically designed to disallow lawful intercepts of individuals._

Targeting individuals is absolutely the right way to go about a lawful
intercept. Sucking up all traffic like the NSA has been doing is totally
overbroad and invasive.

But the whole point of the asymmetric encryption feature of Lavabit was to
make it impossible for _anyone but the account holder_ to access their email.
This is obviously why Snowden used the service. Duh. And this is why the
government resorted to threatening to seize the keys and trying to impersonate
the service.

What actually happened is, in the court proceedings Lavabit responded to this
by offering to make modifications to the service to essentially wiretap an
individual account without handing over the keys. Thus confirming the problem
the government faced. But by this point the government didn't trust him to act
as a spy on their behalf (which frankly is not an unreasonable assumption).

To be absolutely clear, I am taking no position on the _justness_ of the
government's targeting of Snowden. Personally I think he's a hero.

But surely we can all agree there exist circumstances under which some lawful
intercepts are justified: child pornographers, terrorists actively planning
murders, missing persons, etc.

The problem is Lavabit was not designed to facilitate intercepts _under any
circumstances._ That is why the keys were seized.

Source:
[http://www.newyorker.com/online/blogs/elements/2013/10/how-l...](http://www.newyorker.com/online/blogs/elements/2013/10/how-
lavabit-edward-snowden-email-service-melted-down.html)

~~~
kelnos
I disagree with the premise. I don't believe that a service should be required
by law to provide the possibility for the government to intercept the activity
of its users.

You can always say "but the child pornographers!" or, "but the terrorists!"...
but... no, sorry. I believe that people should have the ability to engage in
total privacy. The fact that the US gov't is doing this because of Snowden (a
person I admire) just reinforces my belief.

~~~
jasonlotito
> I believe that people should have the ability to engage total privacy.

They already have the ability to do this.

That's not what you are asking for. What you are really asking for is:

"I believe that people should have the ability to engage total privacy through
any means of communication they so choose."

~~~
ds9
So according to you, if people can still communicate secretly by meeting in
person and whispering in a forest or such, then it's no impairment of their
rights to destroy their ability to do the equivalent with electronics.

Kinda like Bush's "free speech zones", where protesters are kept in a little
cage far from the public to whom they would like to express their opinions -
as long as they're free to speak in this one little place, they're not totally
silenced and there is no invasion of their rights, according to the clever
lawyers.

The right of communicating confidentially with persons of one's choice, and
not with others, is a robust right which is not to be reduced to a formality.

The fascist mentality is strong in the US right now, but citizens are going to
work around the police state until it's reformed or overthrown, and they are
on the right side of history.

~~~
abalone
Not equivalent. It's at least possible to tail someone to the forest (private
house, etc.) and surveil them, with proper judicial oversight. Not so with
systems designed to defeat lawful intercept.

There is no "robust right" to defeat lawful intercept. The right to privacy
has always been subject to a body of law governing lawful surveillance and
policework. Example: mobsters meeting in a private home can be bugged with a
warrant.

~~~
marssaxman
I don't agree that there should be any robust right to "lawful" interception.

------
l33tbro
I'm so sick of being sickened. I hate that this is becoming the norm and we
can't do anything about it. I hate to spit cliches, but is this where my tax
dollars go?

For me, govt and internet should almost be like church and state. Where is the
data around foiled terrorist plots? I just can't stomach the obtuse logic that
we need to pay our taxes to employ these virtual minders. This is not what the
internet is about. It just seems so incredibly difficult to mobilise and take
action against this shit ...

Btw, Ladar ... you've been incredible in all of this (tips Stetson)

~~~
thangalin
I have mocked-up a system for policy creation. The project is open; please
contribute your thoughts. People say "it has flaws" but never explain the
flaws, nor how to address them.

[https://bitbucket.org/djarvis/world-
politics/](https://bitbucket.org/djarvis/world-politics/)

Would greatly appreciate constructive criticism. The system serves to educate
everyone (openly and transparently) on implications of existing and upcoming
policies.

If the idea intrigues you, check out what other people are doing along the
same lines:

[https://bitbucket.org/djarvis/world-
politics/wiki/Related%20...](https://bitbucket.org/djarvis/world-
politics/wiki/Related%20Links)

Rather than getting to the point where citizens have to "mobilize against" the
current government, we should be seeking to self-govern in such a way that
mobilization is not necessary.

~~~
gregw134
I love the idea, but I don't think people should be allowed to have unlimited
up or down votes. That would encourage whimsical opinions, and would make the
site reflect the opinions of the most active and opinionated users instead of
the average person. I think there needs to be a way to limit the voice of each
user so each person has the same amount of influence.

One idea I like is to give each user 100 points to distribute among topics.
Once the user has assigned a certain number of points for or against a
position, they could then distribute those points amongst the comments that
best represent their position. So if a user votes 20 points for gun control,
gun control would get 20 points, and the user would have to choose which
comments best support their position--5 points to this comment, 7 points for
this comment, etc.

I think this would solve two problems: it would encourage thoughtful opinions
to rise to the top, and it would give voice to the minority of voters that
care passionately about a topic that the majority disagrees with or doesn't
care about.

~~~
bshanks
This sort of scheme can cause problems with vote splitting and 'spoilers'; see
[https://en.wikipedia.org/wiki/Spoiler_effect#Bush.2C_Gore.2C...](https://en.wikipedia.org/wiki/Spoiler_effect#Bush.2C_Gore.2C_and_Nader_.282000_U.S._presidential_election.29)
, and also
[https://en.wikipedia.org/wiki/Independence_of_clones_criteri...](https://en.wikipedia.org/wiki/Independence_of_clones_criterion)
.

For example, if 50% of voters are "for" gun control, and 50% are "against" gun
control, but there are 2 very popular, well-written posts supporting gun
control, and only one very popular, well-written post opposing it, then the
gun control supporters will "split the vote" and their best comments will only
be ranked about half as highly as the opposition.

Which may or may not matter depending on how people interpret comment scores.

One alternative that i like is reweighted score voting:
[http://rangevoting.org/RRV.html](http://rangevoting.org/RRV.html)

~~~
gregw134
Interesting post on reweighted score voting. How would that work in practice
for sorting comments? Would you have people rank the top-level comments in the
order they agree with?

The strategy I had in mind for comments was to create a column of arguments
for and against, and to only allow users to vote on comments in the column
where they've placed their opinion. That way the strongest arguments from both
sides would be shown.

------
orclev
To my understanding this is what I would expect to happen. He handed over the
cert to the FBI, so from a security standpoint it's useless now and should be
considered compromised.

~~~
enaeseth
Will having the private key allow the decryption of ciphertext that was
previously intercepted (while the service was active) and stored? Lavabit was
already shut down, so this revocation is equally useless for user security. :(

~~~
bcoates
If the connection was using a forward-secret key exchange (like DHE or ECDHE),
then no. Unfortunately it's common not to and browsers don't do anything to
warn people that they're using a low-security mode.

~~~
Amadou
FWIW, just now I went looking for a firefox plugin that reports (in a human-
friendly way) whether or not the SSL connection for a page is using perfect
forward secrecy (PFS).

I found "Calomel SSL Validation," which I am about to install. The PFS
reporting only works with Firefox 25 and up.

[https://addons.mozilla.org/en-US/firefox/addon/calomel-
ssl-v...](https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-
validation/)

~~~
mstrem
Also the Netcraft Extension gives you this information:
[http://news.netcraft.com/archives/2013/09/06/perfect-
forward...](http://news.netcraft.com/archives/2013/09/06/perfect-forward-
secrecy-in-the-netcraft-extension.html)

~~~
sdfjkl
Sadly it comes with an awful toolbar.

------
anologwintermut
Anyone using Safari or IE apparently isn't getting a forward secure connection
to [https://Lavabit.com](https://Lavabit.com) . They end up with
TLS_RSA_WITH_AES_256_CBC_SHA according to SSLLabs[0].

Since things escalated to the point where Lavabit had to hand over it's key
rather than the data on one account the FBI obtained an initial court order
for [1], anyone with a transcript of those sessions and access to the key can
read them.

The resulting cipher suites:

IE 6 / XP No FS * SSL 3 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168

IE 7 / Vista TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256

IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168

IE 8-10 / Win 7 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256

IE 11 / Win 8.1 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256

Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS
256

Safari 6 / iOS 6.0.1 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256

Safari 6.0.4 / OS X 10.8.4 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS
256

Safari 7 / OS X 10.9 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256

[0][https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2...](https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Flavabit.com)
[1][http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/](http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/)

------
rebelidealist
Consider donating to [https://rally.org/lavabit](https://rally.org/lavabit).
Lavabit needs at least 250k to continue fighting in the supreme court.

See his last update on the rally page.

~~~
interstitial
And our contribution becomes part of our "permanent record" with the NSA? So
glad I'm a US citizen and need not fear about such things.

~~~
scott_karana
That just sounds like fearmongering. I can't see any way that helping to fund
someone's _court case_ can be considering a crime, even if he were completely
in the wrong.

I strongly suspect that there are favourable legal precedents, even.

~~~
kyboren
Non-citizens can be turned away at the US border for any reason, or no reason
at all.

Considering that a person's ability to travel to the US is so professionally
important in this industry (for conferences, business meetings, etc.), I do
not believe this is fearmongering.

Remember the case of the man refused entry after a misinterpreted Tweet about
'destroying America'? [1] It seems clear NSA surveillance informs CBP's entry
decisions in at least some cases. Credit card payments are surely surveilled
by NSA, so this actually sounds like a pretty well-grounded fear.

[1]: [http://www.nbclosangeles.com/news/local/British-Tourists-
Den...](http://www.nbclosangeles.com/news/local/British-Tourists-Denied-US-
Entry-Twitter-Comments-Customs-Border-Protection-138364904.html)

~~~
PeterisP
If such donations really cause problems at borders, then it will be a sign
that the place is FUBAR and you (and everyone else) should avoid traveling
there.

~~~
kyboren
As posted in this same thread, David House discovered that donations to legal
defense funds can indeed cause problems (even for citizens) at the US border.

I do not think the US is FUBAR: FU, certainly, but not BAR. And although I
refuse to be frightened into Appelbaum-esque total exile from my own country,
I do take appropriate precautions before crossing the US border (CBP take note
before sending me to secondary screening next time...).

------
alextingle
And this is exactly why perfect forward secrecy is so important.

~~~
anologwintermut
Did he actually use forward secure SSL cipher suites for everything?

~~~
jtdowney
The site currently negotiates for DHE-RSA-AES256-SHA, which is forward secure.

~~~
anologwintermut
Right. But if you connect with a browser that doesn't support that? And what
about SMTP connections?

~~~
jamesaguilar
Presumably if you care about security you are using a browser that does PFS
and have personally verified that it is working.

~~~
sillysaurus2
You mean browsers _actually fall back_ to non-perfect-forward-secrecy? They
even have the option of doing that? That's interesting if true. Ideally it
should be enforced by the server, and if the browser can't support it, then
the browser can't see the webpage.

~~~
harshreality
They have to, because many sites don't support any PFS ciphersuites. For
instance, banks.

[https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofame...](https://www.ssllabs.com/ssltest/analyze.html?d=www.bankofamerica.com&s=171.161.207.100)

[https://www.ssllabs.com/ssltest/analyze.html?d=chaseonline.c...](https://www.ssllabs.com/ssltest/analyze.html?d=chaseonline.chase.com)

[https://www.ssllabs.com/ssltest/analyze.html?d=online.citiba...](https://www.ssllabs.com/ssltest/analyze.html?d=online.citibank.com)

[https://www.ssllabs.com/ssltest/analyze.html?d=us.hsbc.com&s...](https://www.ssllabs.com/ssltest/analyze.html?d=us.hsbc.com&s=161.113.4.5)

[https://www.ssllabs.com/ssltest/analyze.html?d=online.wellsf...](https://www.ssllabs.com/ssltest/analyze.html?d=online.wellsfargo.com&s=159.45.2.70)

Ideally, Microsoft, Google, Apple, and Firefox would gang up and all disable
ciphersuites lacking DHE/ECDHE in their current browsers. Short of that, one
browser disabling them would be viewed as "broken" and would lose marketshare.

~~~
hrjet
Well, the browsers could disable non PFS ciphers by default. When a site
doesn't match any PFS cipher list, show a pop-up with a way to add an
exception for the site.

Much more graceful than a complete switch-over and doesn't require co-
ordination from other vendors.

------
lettergram
I've read quite a few complaints about the government on this post. My
suggestion is to simply do something. You have (a) the ability to vote, so
stop voting in Republicans OR Democrats (both equally as bad) OR even run
yourselves. (b) send a letter to your representative, they occasionally will
read the mail, plus you at least can vent your frustration at someone who CAN
do something.

~~~
MustBeAShill
Or run for office yourself. I would vote for a centrist candidate that offered
a bill that declared email as sacrosanct as a telephone call or postal mail.

~~~
balabaster
The only issue with running yourself is that you need enough funding to
generate more propaganda and PR than the cartel you're up against... and you
forget that lobbyists run your country anyway. Don't delude yourself into
thinking that your vote actually means anything. That "democracy" you think
you live in is theatre designed to make you feel cosy and warm, just like the
TSA does when they "protect" your air travel. It's all just a sham to keep you
and everyone else from rocking the boat too much.

------
powertower
Can this be classified as -
[http://en.wikipedia.org/wiki/Obstruction_of_justice](http://en.wikipedia.org/wiki/Obstruction_of_justice)
?

That is, I'm sure he understands that this action might be interfering with an
investigation, and that it's reasonable to believe it was a willful act on his
part.

Can you get into trouble for doing something like this?

~~~
shmerl
When did unconstitutional massive surveillance become justice?

~~~
notdonspaulding
The same day that everyone agreed "Roadside Safety Checks" (police looking for
drunk drivers under the auspices of checking children's carseats at 1AM) was
the lesser of two evils (Drunk drivers killing innocent people is a greater
evil than everyone's 4th amendment rights being violated).

To a lesser extent, anytime that politicians frame an issue with the two
phrases "it's for the good of the public" and "it's not a problem if you
aren't guilty", they're generally trouncing a constitutional right, or
greasing the tracks for it to inevitably happen.

~~~
sixothree
I'm hoping driverless cars begin to make people realize how intrusive these
types of stops really are.

~~~
interstitial
When it comes to public safety, the American people stand ready for intrusions
of all kinds, it is truly for our own good. Government agents are privy to
secret information unknown to the public, therefore we have no choice but to
submit.

~~~
shmerl
That's an excuse which can be abused for anything up to making a police state.
It's all about how far is acceptable. Surely not "all kinds".

------
7402
I wondered why Safari (running on an older OS X 10.6 system) didn't report the
certificate as revoked, although Firefox on the same system did.

The answer appears to be as described here: [http://www.intego.com/mac-
security-blog/protect-safari-from-...](http://www.intego.com/mac-security-
blog/protect-safari-from-fraudulent-digital-certificates/)

After setting the proper options in Keychain Access, Safari reported the
revocation correctly.

~~~
pkteison
FYI, this was enabled by default in Lion (10.7.2).

------
WestCoastJustin
Can someone weight in on what this means or why it is an issue?

~~~
miketucker
Today the owner, Ladar Levison, had to hand over the SSL certificates by court
order. It marks the ending of a long battle in court, with unfortunately it
ending in the govenment's favor. I'm assuming the post is just a hacker way of
acknowledging the event.

Related article:

[http://www.newyorker.com/online/blogs/elements/2013/10/how-l...](http://www.newyorker.com/online/blogs/elements/2013/10/how-
lavabit-edward-snowden-email-service-melted-down.html)

~~~
mpyne
Interesting link, and much more informative than the other Lavabit news
articles.

It's a shame the government didn't work with Levison to either allow Levison
to add the requested intercept himself (which, yes, would have required Uncle
Sam to trust him) or to allow a third-party (or even a third party requested
from both sides) to audit the proposed interception code.

The judge is correct in stating that if Levison doesn't trust the government,
then why should the government trust Levison, but Levison is clearly correct
when he notes that giving up his SSL private keys would destroy the security
of his whole infrastructure.

The government would have been far better off by allowing a service like
Lavabit to exist with the cooperation of an activist citizen than to force him
to either harm all of his customers or shutdown the service. Somehow I don't
think the D.A. here realized how serious many civil libertarians are.

Props on Levison for trying to stick it out in the U.S. and make things better
from within!

~~~
quadlock
> The judge is correct in stating that if Levison doesn't trust the
> government, then why should the government trust Levison

The judge is incorrect. The U.S. Government was designed to not completely
trust itself. That's why there are checks and balances. Giving the FBI the
private key lets them have unchecked access to data encrypted with it. It is
wrong to asked to not be checked.

[edited for format]

~~~
Zoepfli
Also, we have ample proof that the US Government cannot be trusted period. An
entity that cannot be trusted can still reflect on itself, realize it has done
lots of wrongs, and trust others that are reaching for higher standards.

------
zmmmmm
So I wonder, if he has been banned from revealing that he has handed over the
key, does revoking it count as such a revelation?

At this point, the authorities have Streisand'ed their own case - anybody they
were interested in would have stopped using Lavabit months ago. So they seem
to be pursuing it out of pure belligerence at this point.

~~~
beedogs
which isn't all that surprising. The feds act like spoiled children when they
don't get their way.

------
jpinkerton88
That's awesome that the certificate authority is being proactive.

~~~
Fzzr
Is it clear that's the case? Or is it possible that this was upon request from
Levison?

~~~
jpinkerton88
good question. not sure

------
ihsw
It would be interesting to see it be re-instated at the behest of the FBI.

~~~
jevinskie
It would be pointless, everyone knows by now that it is burned.

~~~
recursive
Perhaps there is some automated robot that uses it that doesn't follow the
news headlines.

~~~
michaelmior
Hopefully if such a robot really cares about security, it is checking for
revoked certificates. Although this is admittedly a pain to set up.

------
huslage
This is not new people! We've known for many years that MiTM was "normal" in
surveillance circles. We've been saying for years that CAs are probably
compromised as well. Why does it take some "revelation" to make people PAY
ATTENTION?

This is not a technical issue. It's a rights issue. Solving it by technical
means only kicks the can down the road by an exceedingly small amount of time.
Fix the system first.

~~~
MustBeAShill
Isn't the fact the cert was revoked showing that the CA system works? The FBI
would love for it to be still chained back to a valid CA.

You were only seconds away from calling folks "sheeple", weren't you ;)

------
schrodinger
Safari on my iPhone is capable of accessing it with no warning. Anyone else
seeing this?

~~~
thefreeman
same with chrome on my android

------
interstitial
I'm sure this comment will be buried, but I sleep better at night knowing HN
can still get its panties in a wad over tramplings of freedom and the abuse of
the system -- long after the main stream media has lost interest. The young
and old hackers reading these posts will no doubt start spending frontal lobe
CPU cycles on solutions that will find their agile way into the public sphere
in months, not years.

------
spindritf
I cannot ignore this warning in Firefox 24 from official repository on Ubuntu
13.04. Actually, I cannot ignore outdated certificates, or those with unknown
OCSP status (for example freshly issued certs) either.

Was there some change in Firefox's security model or is it my config? It's
rather annoying.

~~~
briansmith
Firefox treats an explicit "unknown" OCSP status as equivalent to being
revoked, except we don't cache the "unknown" status.

Firefox doesn't allow the user to override "revoked." The thinking behind our
cert error override strategy is that cert error overrides are intended mostly
to allow the user to fix something that is probably supposed to work, but a
revocation is a very explicit signal that the certificate isn't supposed to
work.

Also, ensure Options -> Advanced -> Certificates -> Validation -> When an OCSP
server connection fails, treat the certificate as invalid is unchecked.

~~~
spindritf
Thanks for answering.

Yes, I have it unchecked. Is there some about:config magic or "kamikaze mode"
that I could enable that would allow me to ignore at least outdated certs?

Last night I locked myself out of my own website. The old cert expired and the
OCSP server didn't know about the new one yet.

~~~
conductor
You can disable querying OCSP servers by setting the "security.OCSP.enabled"
to false. This adds some privacy (otherwise OCSP servers can know and collect
what SSL enabled sites you visit). Combined with the Certificate Patrol add-on
[0] (to track certificate changes) this must be pretty secure, except when a
certificate is being revoked you will not know about it automatically.

[0] - [http://patrol.psyced.org](http://patrol.psyced.org)

~~~
newman314
Which begs the question: "Better to enable OSCP and leak info or run the risk
of a bad cert and disable OSCP?"

------
jervisfm
When I viewed this page running Chrome (Version 30.0.1599.88 beta) on a
ChromeOS device I did not get any warnings.

Interestingly, when I used chrome on my Win8 PC (version 29.0.1547.76 m), I
did see the warning pop up.

Doing some quick searching online revealed that chrome does not appear to do
online revocation checks any longer by default[1]. You can still manually turn
it back on with the "Check for server certificate revocation"[2] option which
is what I did.

[1] -
[http://www.macworld.com/article/1165273/google_chrome_will_n...](http://www.macworld.com/article/1165273/google_chrome_will_no_longer_check_for_revoked_ssl_certificates_online.html)

[2] - chrome://settings/search#revocation

------
rektide
Almost on display: heavy-handed web-browsers that won't let us visit a site,
for our own good.

~~~
bcoates
Unfortunately the way cookies, etc. work it's nontrivial for a browser to just
visit a site that's offering a compromised certificate without undermining
past and future security.

A revoked certificate being offered doesn't have any innocent explanations,
you would want to use a specialized tool not a general-purpose web browser to
analyze it.

------
balabaster
Am I reading into this right? The court declared he must hand over the private
key to the SSL encryption on his server so the government could do as they
wished with the traffic... and then Levison revoked the key, thus making it
useless to everyone?

~~~
scintill76
He shut down the site, so unless they've been capturing all the encrypted data
and the sessions didn't have forward secrecy, the key was already useless.

------
SCAQTony
This is both chilling and depressing. The only reason why the general public
is barely phased or even cares about this nonsense is that they don't even
understand what a SSL Cert is or what it means to have it taken away.

------
malandrew
The lavabit case highlights something interesting that we need. We need that
not only individuals have privacy, but that businesses have privacy of who
their users are. The same way we provide anonymity to users through
centralized means, is there not a way to provide a way for service provider to
have a sufficient level of opaqueness of who their customers are. You can't
subpeona Service Provider A if you don't know whether Person of Interest X is
using the services of A, B, C, or D, etc.

~~~
Pitarou
Customer: I wish to make a complaint.

Shopkeeper: Go away. I don't know you.

Dead parrot problem solved.

~~~
malandrew
Not exactly the same. The company can know that I am a customer. What I'm
talking about is a third party not knowing that I am a customer of the
company.

------
general_failure
Android 4.3 cm shows page with no problems. CRL not working?

~~~
flux_w42
Here to with 2.3.7-CM. If you explicitly check the certificate it even says:
"This certificate is valid" with a reassuring green check mark. Seems legit
... These things really makes me pull out my hair.

------
tonyplee
The rebel's force is weaken. Feel the power of the Empire.

:-)

------
tomphoolery
Well this is annoying.

~~~
robmcm1982
They are still down today.

