On Sat, Aug 10, 2013 at 12:42:16PM +0200, Lodewijk andré de la porte wrote:
2013/8/9 Sean Alexandre <sean@alexan.org>
Or, maybe it was cover-up, to get the information "legally." But I'm guessing they really couldn't get what they wanted.
This. They don't want to show people what power they have. So they use the "most public method", letters. They are very, very, very aware of what you might guess. You have to remember they could legally prevent him from saying he even received letters, they have done so in the past.
Why haven't they now? Might it have to do with your assumptions? Or is it as innocent as genuinely not wanting to cause more harm than needed?
Do you think the NSA is innocent?
I can't really argue with that. I think it's very possible this is just "parallel construction" where they want to cover their tracks and say they got things "legally." Still, I have to hope it's possible to run a service such as Lavabit and have it be so locked down that it can't be backdoored. Nothing can be 100% secure, but secure enough that it's very, very unlikely. I'd like to see a github project that has scripts (puppet?) to take a fresh Debian box and lock it down as much as possible, running only ssh. Those scripts could be used to create a CTF box sitting out on the open Internet, for others to try and hack into. Pen test it to death. Update the scripts. Make the config as perfect as possible. Then others could take those scripts and add more modules to them, for other services: exim, dovecot, apache, roundcube. People could pick and choose which they want to run. Put different boxes out there, as other CTF machines to pentest. Make it fun. Give people rewards, or some kind of recognition, if they can break into the box. "Encryption works," we know. End-point security's the weak link. This could be a way to shore that up. Thoughts?
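As an added example (editorial, not part of the thread and not code from any project mentioned in it): the "ssh-only box" lockdown scripts proposed above would need a self-check that the sshd configuration actually ended up where the script intended. The POSIX shell below audits an sshd_config against a small hardening baseline and runs it on two constructed configs, one stock-looking and one hardened. The baseline keywords and values, and both sample configs, are assumptions chosen for illustration. It also shows the caveat that bites lockdown scripts which append to the file: sshd honours the first uncommented occurrence of a keyword, so a later "PasswordAuthentication no" does not override an earlier "yes".

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against a minimal
# "ssh-only box" hardening baseline, exercised on two constructed configs.

# The baseline is an assumption: one reasonable starting point for a host that
# runs nothing but sshd. One "Keyword required-value" pair per line.
SSH_BASELINE='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3'

# sshd_effective_value FILE KEYWORD
# sshd uses the FIRST uncommented occurrence of a keyword, so a hardening
# script that merely appends lines can leave a weak earlier setting in force.
# Keyword matching is case-insensitive, as in sshd.
sshd_effective_value() {
    awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one finding per baseline entry that is missing or set to the wrong
# value. Exit status 0 when the file meets the baseline, 1 otherwise.
audit_sshd_config() {
    _file="$1"
    _findings=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        _got=$(sshd_effective_value "$_file" "$_key")
        if [ -z "$_got" ]; then
            echo "MISSING  $_key (want $_want; sshd default applies)"
            _findings=$((_findings + 1))
        elif [ "$_got" != "$_want" ]; then
            echo "WEAK     $_key $_got (want $_want)"
            _findings=$((_findings + 1))
        fi
    done <<EOF
$SSH_BASELINE
EOF
    [ "$_findings" -eq 0 ]
}

# count_sshd_findings FILE: number of findings, handy for scoring a CTF box.
count_sshd_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# --- Constructed sample configs (not taken from any real host) ---
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
# Stock-looking config with root and password logins still enabled
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# Appended by a naive lockdown script; sshd ignores it (first value wins):
PasswordAuthentication no
EOF

cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
AllowUsers admin
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CONF" || true
echo "== hardened config =="
audit_sshd_config "$HARD_CONF" && echo "clean"
```

Run it as a normal script; the weak config yields seven findings (three wrong values, four keywords missing so sshd's defaults apply), the hardened one yields none. In a real lockdown script the fix is to rewrite or remove existing directives rather than append, and to run `sshd -T` afterwards to read back the effective configuration rather than trusting the file.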