Link to Original Source
Link to Original Source
Lavabit is supposed to be a zero knowledge mail provider.
If you believe that, I have a bridge I'd like to sell you. It is perfectly possible to make a email system where the provider knows very little, but you need to change the basic email protocols to do that. Even PGP isn't sufficient, since it doesn't protect key portions of the mail (To:, From:, Subject:, message length, etc) from observation.
Clearly the operator of Lavabit received a national security letter or warrant which he objected to.
Now since Lavabit is based on normal mail protocols, the operator has the ability to see all the data when it comes in, and obviously with a warrant or NSL, the provider can be compelled to provide the information to the feds. But I suspect that the request was not just something mild ("This sleazebag's mail account") but something broader, given the reaction was to close down the service completely.
In any case, this is also a great reminder of why the cloud, especially US cloud providers, can't be trusted. Companies who care about security are going to have to abandon the cloud and go back to insourcing their infrastructure.
Which is being pointed out by others on twitter: Some random neighbor called in "these people are suspicious".
No comment yet reported from the local PD which sent the investigators.
The Atlantic article is BAD. Not only is it a summary with no additional information (and information removed), but uses a bad and unrelated photograph!
Read the original article on Medium, and I strongly suggest that a Slashdot editor change the article link.
Although circumstantial, this implies one of two possibilities. Either Google is voluntarily looking for "suspicious" searches and reporting them to law enforcement, or law enforcement (using a warrant, a wiretap, a NSL, or similar) is either forcing Google to look for such suspicious searches or simply wiretapping Google.
The problem is the credible fear of a lifecycle attack is sufficient to require that such hardware be avoided. There is a reasonable fear that the chinese might try something using Lenovo kit, therefore the classified networks need to avoid it. Its the same reason why Huawei networking hardware is avoided in some circles.
Of course, with the NSA now clearly off the leash, US IT equipment is now in the same position. Microsoft clearly backdoored Skype to enable easy wiretapping, the NSA is reportedly hacking foreign networks to introduce monitoring (who knows, perhaps it was the NSA responsible for the Athens Affair?), and with any US Cloud service provider subject to PRISM-style requirements, US IT infrastructure is now in the same boat that the Chinese have been struggling with for years now.
Strongbox technically is very strong, without a doubt. But, being TOR based, it will be hard to use. Worse, a potential leaker not only must use their own computer (ideally a throwaway computer), but they can never have VISITED the Strongbox information page from work, because otherwise any leak to the New Yorker will be suspicious.
And Strongbox's information page drives Ghostery crazy! Not a good sign for a privacy tool.
Probably more important is general Operational Security, including burner phones and/or burner computers.
Julia Angwin has an excellent additional point: Physical mail (dropped in a random post-box with a bogus return address) is perhaps the best way for anonymous one-way communication. The USPS will record address information when asked by law enforcement, but (currently) doesn't record this on all mail. Thus there is no history and, even if there was, this can only be traced to the processing post office. Perhaps the best use of the mail is simply to send the reporter a burner phone preprogrammed so that the reporter can call your burner.
Yes, send your unwanted bitcoins here: 1FuckBTCqwBQexxs9jiuWTiZeoKfSo9Vyi
Overall, a general problem with BitCoin mining is that it is a classic "Red Queen's Race". The fixed rate of bitcoin addition means you can only get ahead at the cost of someone else. Which means, IF bitcoin succeeded, mining is effectively non-profit as the rather low barrier to entry (even ASIC rigs are only $2K) and no monopoly power means that the profit from mining gets, well, stripped out.
Its someone stupid enough to think a Senator opens his own mail. (Shamelessly stolen from Twitter)
Oh, and thanks to @SteveBellovin for the suggestion on how Apple could (but does not seem) to do things in a secure manner.
iMessage keeps messages secret from the carrier, but it can't keep the messages secret from the feds.
Apple has to be able to know the user's private key to allow them to log in new devices, at least when the user logs into Apple using their Apple password. And therefore, with a warrant, so can the police.
Now Apple could use a technique where your password is hashed one way to create your iMessage key, and hashed a different way to be sent to Apple for logging in. But this doen't seem likely, as a login to iCloud (using a user's apple Password) on the web interface sends the password to Apple where its hashed on their end for login validation. So unless the iPhone/Mac iCloud login uses a different technique, Apple must (at a minimum) be able to access the user's iMessage key when the user logs into Apple.
And its far more likely that Apple (and therefore the police with a search warrant) can get the user's iMessage key whenever they want.
Rather than having a phone that's designed to spill everything I do to Google, I get a phone designed to spill everything I do to both Google AND Facebook. Geez, loverly.
It's all a simple matter of area: With an electric vehicle my entire transportation energy usage can pretty much be covered with a small rooftop solar system. To do it with biofuels would require acres of space.
The problem is simple: Photosynthesis is just vastly less efficient than photo voltaic solar
a: An FFL7 (which is what Defense Distributed got), once they complete some additional tax paperwork, allows them to make and sell semiautomatic rifles like any other manufacturer. And there are lots of small manufacturers these days. Heck, there is one in Napa, CA, if you want a fine, vintage 2013 AR-15 with "Made in Napa, CA" printed on the side.
b: Plastic AR lower receivers are old news. There is a lot of panic buying of AR rifle components thanks to Dianne Feinstein's salesmanship, but the plastic lowers are readily available.
You can even get a 5-pack for $400!.
Distributed Defense's sales, if any, are going to be those wanting to support their R&D, as there is no way they can compete with the existing aluminum lowers, let alone existing plastic ones, on price or quality for a given price.
c: There are a lot of businesses which legally help you make your own gun. EG, you buy an 80% lower (a not completed lower receiver) which the ATF does not consider to be a gun and then you finish it yourself by renting some milling machine time and doing it yourself. Until its finished by the purchaser, its a paperweight, not a gun.
d: Some guy has even managed to do a home-made polymer lower using molding techniques.