
How Snowden's Email Provider Tried To Foil The FBI Using Tiny Font - bernardom
http://www.npr.org/blogs/thetwo-way/2013/10/03/228878659/how-snowdens-email-provider-tried-to-foil-the-fbi-using-tiny-font
======
spikels
How can you not love this guy? Please donate to his defense fund:

[http://tinyurl.com/m65n4ko](http://tinyurl.com/m65n4ko)

[http://lavabit.com/](http://lavabit.com/)

Lavabit Legal Defense Fund 10387 Main Street, Suite 205 Fairfax, VA 22030
(703) 291-1999

~~~
anologwintermut
Because, if this article is correct[0], his refusal to obey a court order is
the only reason the FBI made him hand over private keys.

The story is the FBI asked for Snowden's emails and correspondence. Lavabit
said they would not hand over the information(but admitted they had the
technical capability ... it was server side encryption after all). Only after
that refusal did the FBI start taking more drastic action.

This is, if that story is true, about on par with a Bank complaining that the
FBI ransacked the safe all their safety deposit boxes were stored in. Expect
the bank neglects to mention that the only reason the FBI had to break open
the safe and be put in the position of being able easily break open all the
safety deposit boxes was because the Bank failed to to hand over one box when
given a valid court order.

This is particularly problematic in Lavabit's case because a major cornerstone
of the argument against the NSA's warrantless surveillance is that there are
legal means to compel access to data when it is actually necessary and that
those means make it totally illegal to do what the NSA was doing. This is
really a hard point to argue when those means don't work because other's thumb
their nose at the law as well.

[0]
[http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/](http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/)

~~~
guelo
After studying the requirements Lavabit said they could write code to do it
for $3500. But the FBI said they didn't trust Lavabit to do it right and
thought it cost too much. They demanded direct access.
[http://imgur.com/A3RNQWY](http://imgur.com/A3RNQWY)

~~~
kudzoo
Why is scp redacted? And only partially so...

~~~
guelo
I think whoever created that imgur image had the word highlighted when they
captured it. If you look at the pdf it's not there. (page 100
[http://s3.documentcloud.org/documents/801182/redacted-
pleadi...](http://s3.documentcloud.org/documents/801182/redacted-pleadings-
exhibits-1-23.pdf))

------
DigitalSea
Wouldn't the FBI have the technical capability to use optical character
recognition to digitise the keys to actual text? Or maybe it's too small to be
legible to a high DPI scanner? I really admire Lavabit here, they're not
dealing with your average Joe, they're dealing with the American Government
and that costs money. Everyone has the chance to help potentially make history
by supporting Lavabit and donate to its legal fund.

Many would have just given up the moment things escalated, but Ladar Levison
never gave in and fought for the privacy of his users at the cost of his
profitable business and life. The cards are stacked against him, but he didn't
let it get in the way of trying to fight the case and have it made publicly.

How many other companies have secretly complied with similar requests we don't
know about? United States of America, the land of the free, right?

~~~
Xylakant
A simple character flip in a single letter would make the key unusable. ocr is
fairly good, but it's not uncommon that you get a handful of errors. That's
usually fine if the result is meant for humans, but here, 99.9% correct is not
enough, you need 100% correctness.

------
byroot
Not totally related:

It remind me of the case of "Free" a French ISP, they were forced like others
ISP to send to the government the customer information related to IPs caught
on P2P networks [0].

But the law did not specified how the data had to be sent, so to troll the
government they sent everything by fax. And the volume was around multiple
thousand queries a day.

[0]
[http://en.wikipedia.org/wiki/HADOPI_law](http://en.wikipedia.org/wiki/HADOPI_law)

~~~
enscr
The govt after receiving the fax : [http://thehacktory.org/wp-
content/uploads/2011/03/office-spa...](http://thehacktory.org/wp-
content/uploads/2011/03/office-space-employees-smashing-printer.jpeg)

------
pluies_public
Once again, if you want to support Lavabit, please donate to the defense fund
either at [http://lavabit.com/](http://lavabit.com/) or
[https://rally.org/lavabit](https://rally.org/lavabit).

------
kabdib
Other wonderful delivery methods:

\- Baked into cuneiform

\- Wax tablets. "Oh, sorry, it got hot in my car and they're a little
runny..."

\- In the form of a crossword puzzle.

\- Knitted into a scarf. "Perl one, skip two..."

Best to have hardware from which it is impossible to export a key.

~~~
lifeformed
In all seriousness, is it possible to design a system where it is simply
impossible to hand over data to a third party?

~~~
adrianb
I believe Julian Assange worked on a system that would make it impossible for
an external entity to determine if there is any useful information on a data
partition. Basically you would have a hard drive full of random numbers and it
would be unfeasible to determine if there is any actual information on it,
without the right keys and tools.

~~~
hyperbovine
I have never heard Assange's name in connection with this, but that's what
Truecrypt purports to do:
[http://www.truecrypt.org/hiddenvolume](http://www.truecrypt.org/hiddenvolume)

~~~
hamburglar
He did. It was a project called rubberhose.

------
anigbrowl
_Wired Magazine details the ordeal_

From the HN guidelines:

'Please submit the original source. If a blog post reports on something they
found on another site, submit the latter.'

------
eli
This was already discussed at length earlier today
[https://news.ycombinator.com/item?id=6487969](https://news.ycombinator.com/item?id=6487969)

~~~
brymaster
And first revealed here yesterday
[https://news.ycombinator.com/item?id=6485562](https://news.ycombinator.com/item?id=6485562)

------
Raphmedia
Small moves like that makes me proud to be on the internet at this day and age
of crisis. I hope I can tell my children or grand children that I actually
cared and that I made a small difference, even if it's only the smallest of
all.

I hope it will stay the way it is. Probably not, seeing how the public is
ignoring and/or is not caring about the issue at all.

~~~
saraid216
> I hope it will stay the way it is.

...this is the _Internet_ we're talking about. It's almost completely
unrecognizable from the way it was 5 years ago.

~~~
Raphmedia
I broadly meant that as in not controlled by any single state, entity or
corporation.

I for one welcome the new holographic internet cats shared by our minds and
made entirely of pastas that are shaped into code. So long as those pastas are
open.

------
praptak
See? Ridiculous key sizes do give additional protection (imagine scanning a
4MB key printout.) Eat that, Bruce Schneier!

------
eyeareque
If my understanding is correct, the FBI could decrypt historical traffic if
they had the keys. So, assuming the FBI/NSA has a huge archive of Lavabit's
customer traffic (would not surprise me), couldn't they decrypt it all now
since they have the SSL keys?

~~~
eli
Probably, but not necessarily [https://www.net-
security.org/article.php?id=1856](https://www.net-
security.org/article.php?id=1856)

------
sxp
>To make use of these keys, the FBI would have to manually input all 2,560
characters, and one incorrect keystroke in this laborious process would render
the FBI collection system incapable of collecting decrypted data

That would take an intern less than an hour to digitize. Maybe three interns
if you needed redundancy. This seems like a completely useless action on
Levison's part since it end up giving the FBI the information they wanted but
will still piss them off.

~~~
Ecio78
Probably he was confident that they were too lazy to do it, and infact they
didn't but just whined..

------
MayankGoyal
>>"To make use of these keys, the FBI would have to manually input all 2,560
characters, and one incorrect keystroke in this laborious process would render
the FBI collection system incapable of collecting decrypted data," prosecutors
complained.

That's pretty misleading - they make it sound like if they press the wrong key
once it'll destroy the FBI's entire system.

------
mcphilip
Off topic, but brings to mind another technique famously used by Goldman when
they dumped over a billion pages to the 50 staffers in the Federal Crisis
Inquiry Commission:

[http://money.msn.com/top-
stocks/post.aspx?post=00000065-0000...](http://money.msn.com/top-
stocks/post.aspx?post=00000065-0000-0000-6ef7-1a0000000000)

------
jgeraert
Clever. We did something similar for a friend getting married. Instead of
giving his present directly we created a text file encrypted with his public
pgp key. We printed out the ascii-armored cryptotext and handed it over. He
had lots of fun typing it back into his computer.

~~~
jzzskijj
I'm sure FBI didn't have as much fun.

Anyway, as he decided to give the SSL key, pulling this kind of prank seems
bit childish. On the other hand, he must have been under a heavy pressure, so
can't blame the guy for not thinking 100% straight.

Sad, that people are sidetracked to talking about the font size instead of
warrantless wiretapping.

------
devx
Upvoted because of the story, but I like NPR less and less these days. So far
they've been mainly pro-government than pro-Snowden.

~~~
NonEUCitizen
NPR is very pro-government and pro-war.

------
joe_computer
I'm just happy the FBI doesn't know how to run OCR. Hell they could have
mechanical turked segments, like captcha farms.

------
stretchwithme
I think he should have encrypted the key using itself. That way he can give
them the key. And they can decrypt it and send it back in time so they can
decrypt it.

