ISPs providing "warrant canaries"
Someone wrote here in the recent past about libraries bypassing secret warrants by updating their boards every X days/months with a "nobody has served us a secret warrant" type message.

I am using a new offsite storage vendor, rsync.net, which publishes what they call a "warrant canary":

http://www.rsync.net/resources/notices/canary.txt

Which I found interesting. Is this what they have been called, or did they make up the term "warrant canary"? How large of a grain of salt should I take this with?

It seems (and always did when I read of the libraries doing it) like a reasonable idea, and their implementation (signing the message, including a non-forgeable date stamp) is thoughtful.

It's an interesting time we live in ...

__________________________________________________
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
On 5/16/06, Jason Arnaute <non_secure@yahoo.com> wrote:
... I am using a new offsite storage vendor, rsync.net, which publishes what they call a "warrant canary": ... Is this what they have been called, or did they make up the term "warrant canary" ?
i've never heard of it before and google seems to think they coined it.
How large of a grain of salt should I take this with ?
doesn't seem too useful. if a warrant/NSL is served, was it for your system? do you now switch providers? assume all secrets are compromised? if you are concerned then a hosting facility is probably the wrong place to keep your data / servers.
--- coderman <coderman@gmail.com> wrote:
I am using a new offsite storage vendor, rsync.net, which publishes what they call a "warrant canary":
(snip)
How large of a grain of salt should I take this with ?
doesn't seem too useful. if a warrant/NSL is served, was it for your system? do you now switch providers? assume all secrets are compromised?
Well, no it's not useful in _avoiding_ the warrant, but nothing really is. It seems useful in defeating the secrecy of the warrant. I'd rather know than not know, all else being equal ...
if you are concerned then a hosting facility is probably the wrong place to keep your data / servers.
This is less of an ISP and more of a "filesystem in the sky" ... an offsite filesystem. I encrypt all of the data I send there, so it's not an issue, but it is an issue to know when things like this happen, and I like their stance.
On 5/16/06, Jason Arnaute <non_secure@yahoo.com> wrote:
... It seems useful in defeating the secrecy of the warrant.
this part i like! i'm waiting for some judge to rule that these tricks effectively disclose the reception of an NSL and are thus illegal. judges don't like technical hair splitting when the intent is clear: to disclose what you are forbidden from disclosing. (of course, Doug Thompson was able to skate by disclosure carefully so perhaps this isn't much of a concern[1] :)
This is less of an ISP and more of a "filesystem in the sky" ... an offsite filesystem. I encrypt all of the data I send there, so it's not an issue
no keys are stored at the remote location? or the traffic is encrypted before the files are stored to disk plaintext? keeping remote secrets secure is hard (usually requires hardware tokens with tamper resistance)

1. http://www.capitolhillblue.com/blog/2006/03/telling_the_approved_story.html
--- coderman <coderman@gmail.com> wrote:
This is less of an ISP and more of a "filesystem in the sky" ... an offsite filesystem. I encrypt all of the data I send there, so it's not an issue
no keys are stored at the remote location? or the traffic is encrypted before the files are stored to disk plaintext?
Yes, that's right. Unlike Iron Mountain and the other commercial offsite data storage providers, rsync.net is open to the entire SSH suite. So what I do is mount my offsite filesystem over sshfs, so i can use it as a local filesystem, and then create a FreeBSD GBDE image on it, which I then also mount. So it is a remote encrypted filesystem over ssh. If my data is ever seized or a search warrant is ever served, all they will see is a 4 gigabyte file of random bits. So in the end, the "warrant canary" doesn't concern me much practically, because I don't really care if rsync.net gets served ... it's still nice to see though. YMMV.
At 06:44 AM 5/16/2006, Jason Arnaute wrote:
Someone wrote here in the recent past about libraries bypassing secret warrants by updating their boards every X days/months with a "nobody has served us a secret warrant" type message.
That might have been me. I did post about apparently legal ways to circumvent such secret warrants but I did not use a BB method but rather provide a service where clients can request if a warrant has been served on the library or ISP for their account or any account. The service provider is free to reply if no warrant has been received but is muzzled if one has. This failure to reply, which is not a positive action, is what reveals the warrant. rsync's approach appears consistent with mine. Steve
Hum. Would there be value in a (TOR?) service whereby, if the key is beaten out of someone (whether that key leads to the real data or not), then a flag is sent up somewhere saying, "If you are reading this then the key for Data X has been beaten out of me, or they are attempting to beat it out of me." The nice thing about TOR-stored data and services is that it would be well-nigh impossible for interrogators to know in advance that they won't be making the canary sing. In fact, depending on the nature of the data stored, it could be set up to be irretrievable without a message going off. -TD
From: Steve Schear <s.schear@comcast.net>
To: cypherpunks@jfet.org
Subject: Re: ISPs providing "warrant canaries"
Date: Sat, 20 May 2006 13:30:53 -0700
At 06:44 AM 5/16/2006, Jason Arnaute wrote:
Someone wrote here in the recent past about libraries bypassing secret warrants by updating their boards every X days/months with a "nobody has served us a secret warrant" type message.
That might have been me. I did post about apparently legal ways to circumvent such secret warrants but I did not use a BB method but rather provide a service where clients can request if a warrant has been served on the library or ISP for their account or any account. The service provider is free to reply if no warrant has been received but is muzzled if one has. This failure to reply, which is not a positive action, is what reveals the warrant. rsync's approach appears consistent with mine.
Steve
On 2006-05-20T13:30:53-0700, Steve Schear wrote:
At 06:44 AM 5/16/2006, Jason Arnaute wrote:
Someone wrote here in the recent past about libraries bypassing secret warrants by updating their boards every X days/months with a "nobody has served us a secret warrant" type message.
That might have been me. I did post about apparently legal ways to circumvent such secret warrants but I did not use a BB method but rather provide a service where clients can request if a warrant has been served on the library or ISP for their account or any account. The service provider is free to reply if no warrant has been received but is muzzled if one has. This failure to reply, which is not a positive action, is what reveals the warrant. rsync's approach appears consistent with mine.
I think this is entirely too clever, and while I don't agree with sneak-and-peek warrants in general, as long as they exist, these countermeasures clearly violate the non-disclosure terms.

A "warrant canary" does in fact disclose sneak-and-peek warrant service. Anyone arguing otherwise must rely on some limited, naive definition of "disclose." Not even Webster's, the clearinghouse of shallow and narrow definitions, defines "disclose" as "communicate something to something through positive action."

Does anyone have a link to a sample sneak-and-peek warrant no-disclosure clause?

--
The six phases of a project:
I. Enthusiasm. IV. Search for the Guilty.
II. Disillusionment. V. Punishment of the Innocent.
III. Panic. VI. Praise & Honor for the Nonparticipants.
On 5/20/06, Justin <justin-cypherpunks@soze.net> wrote:
... Does anyone have a link to a sample sneak-and-peek warrant no-disclosure clause?
http://www.aclu.org/nsl/legal/NSL_formletter_080404.pdf

"""
You are further advised that Title 18, U.S.C., Section 2709(c), prohibits any officer, employee or agent of yours from disclosing to any person that the FBI has sought or obtained access to information or records under these provisions.
"""
At 02:25 PM 5/20/2006, Justin wrote:
On 2006-05-20T13:30:53-0700, Steve Schear wrote:
That might have been me. I did post about apparently legal ways to circumvent such secret warrants but I did not use a BB method but rather provide a service where clients can request if a warrant has been served on the library or ISP for their account or any account. The service provider is free to reply if no warrant has been received but is muzzled if one has. This failure to reply, which is not a positive action, is what reveals the warrant. rsync's approach appears consistent with mine.
I think this is entirely too clever, and while I don't agree with sneak-and-peek warrants in general, as long as they exist, these countermeasures clearly violate the non-disclosure terms.
I don't see how not saying anything to an inquiry violates the terms of the warrant. Before the inquiry there is no warrant. So how can you violate an order which had not been given and you could not know ever would be given?
A "warrant canary" does in fact disclose sneak-and-peek warrant service. Anyone arguing otherwise must rely on some limited, naive definition of "disclose." Not even Webster's, the clearinghouse of shallow and narrow definitions, defines "disclose" as "communicate something to something through positive action."
Does anyone have a link to a sample sneak-and-peek warrant no-disclosure clause?
It does not matter what the warrant says unless it says you must give false information regarding an inquiry. I have not ever heard of a court ordering a person to lie. Have you? Steve
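A client-side monitor for the scheme discussed in this thread, as an added example that is not part of any poster's message or of rsync.net's own code: it treats a missing, unverifiable, undated or stale statement as the canary having gone silent. The `Date:` line layout, the sample text and the function names are assumptions; signature checking shells out to a local `gpg`.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Assumed layout (hypothetical): the signed text has one "Date: YYYY-MM-DD" line.
DATE_RE = re.compile(r"^Date:\s*(\d{4}-\d{2}-\d{2})\s*$", re.MULTILINE)

# Constructed sample of what the signed payload might contain.
SAMPLE_PAYLOAD = "Date: 2006-05-15\nNo warrants have been served on example-host.\n"


def gpg_signed_payload(signed_text):
    """Return only the text covered by a good signature, or None.

    Uses the local GnuPG keyring, which must hold just the publisher's key;
    text outside the signed region never reaches the date parser.
    """
    try:
        proc = subprocess.run(["gpg", "--batch", "--decrypt"], input=signed_text,
                              capture_output=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.decode("utf-8", "replace") if proc.returncode == 0 else None


def check_canary(signed_text, now, max_age, verify=gpg_signed_payload):
    """Classify one fetch of the canary; anything but 'ok' means it is silent."""
    if signed_text is None:               # fetch failed or page withdrawn
        return "unreachable"
    payload = verify(signed_text)
    if payload is None:
        return "bad-signature"
    match = DATE_RE.search(payload)
    if match is None:
        return "undated"
    try:
        issued = datetime.strptime(match.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return "undated"
    if issued - now > timedelta(days=1):  # future-dated statements prove nothing
        return "undated"
    if now - issued > max_age:            # an old statement replayed still verifies
        return "stale"
    return "ok"


def canary_alive(status):
    """Silence of any kind is the signal, so only 'ok' counts as alive."""
    return status == "ok"
```

The `max_age` passed in should match the publisher's stated update interval plus a small grace period, so that a validly signed but replayed old statement is reported as `stale`.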
participants (5): coderman, Jason Arnaute, Justin, Steve Schear, Tyler Durden