CryptoSeal shutters, ala: LavaBit
The practice of shutting down a service in anticipation of the government showing up and issuing a warrant (whether search- or pen-register, or whatever) shows not merely a lack of guts, but also an incredible lack of imagination. For example, I previously pointed out that there is no longer any real basis for keeping records on the metadata involved in in setting up a telephone call: In 1979, when that Supreme Court case on pen registers was issued, http://en.wikipedia.org/wiki/Smith_v._Maryland , telephone companies 'had to' keep metadata records in order to bill phone calls, including the number called and the time of the call. Today, with 'unlimited' phone service (at least within the US; in some cases around the world) there is no reason that a phone company 'has to' keep those records, and certainly not all of them. Why not x-out the last 3-4-7 digits of the 'called number', since it is not necessary to keep it in order to bill the customer?? (When was the last time most of us received a telephone bill listing the calls we made? If we need to know what number(s) we called, they do not need to include all 3+7 numbers, do they?) Why not omit the duration of the phone call? The justification for these meta-data warrants presumes that the government is subpoenaeing 'business records': So, no longer keep those 'business records'! If the government claims these companies 'must' keep these records, then they are no longer 'business records' within the meaning of Smith v. Maryland: They are purely 'government-compliance records'. Or, encrypt them and only give the decrypt key to the customer, ONCE: In the very unlikely chance that the phone co needs the records (which will never happen, of course), depend on the customer to regurgitate those keys: They will likely have 'lost'/shredded/burned/pulped those keys, right? Jim Bell Syllabus from Smith v. Maryland: "(b) Petitioner in all probability entertained no actual expectation of privacy in the phone numbers he dialed, and even if he did, his expectation was not "legitimate." First, it is doubtful that telephone users in general have any expectation of privacy regarding the numbers they dial, since they typically know that they must convey phone numbers to the telephone company and that the company has facilities for recording this information and does in fact record it for various legitimate business purposes. And petitioner did not demonstrate an expectation of privacy merely by using his home phone rather than some other phone, since his conduct, although perhaps calculated to keep the contents of his conversation private, was not calculated to preserve the privacy of the number he dialed. Second, even if petitioner did harbor some subjective expectation of privacy, this expectation was not one that society is prepared to recognize as "reasonable." When petitioner voluntarily conveyed numerical information to the phone company and "exposed" that information to its equipment in the normal course of business, he assumed the risk that the company would reveal the information [442 U.S. 735, 736] to the police, cf. United States v. Miller, 425 U.S. 435 . Pp. 741-746" My (Bell's) comments follow: A phone company which announces that it WILL NOT record phone metadata gets around this decision, by allowing in its customers the 'reasonable expection of privacy' in their as-dialed phone numbers; or at least it allows the customer to argue that unlike in Smith v. Maryland, he did indeed have an 'actual expectation of privacy' unlike in 1979. Today's customer knows, contrary to any customer in 1979, that his phone company no longer has any 'legitimate business purposes' in keeping phone metadata recorded. Further, 'society' is prepared to to recognize as 'reasonable' any business practice that a phone company may conceivably announce that it will follow, even if it thwarts the desires of government. Unlike in 1979, when there was only one 'phone company' (in a given geographic area), and that phone company was beholden to the government rather than any individual customer, now phone companies have a legitimate motivation to compete on the issue of metadata privacy. ============================= From: grarpamp <grarpamp@gmail.com> To: cypherpunks@cpunks.org Sent: Monday, October 21, 2013 5:19 PM Subject: CryptoSeal shutters, ala: LavaBit Voluntary shutdown beforehand... https://privacy.cryptoseal.com/ http://cryptoseal.com/team/ https://news.ycombinator.com/item?id=6585649 http://arstechnica.com/information-technology/2013/10/cryptoseal-vpn-shuts-d... http://it.slashdot.org/story/13/10/21/2157225/cryptoseal-shuts-down-consumer...
On Mon, Oct 21, 2013 at 9:49 PM, Jim Bell <jamesdbell8@yahoo.com> wrote:
The practice of shutting down a service in anticipation of the government showing up and issuing a warrant (whether search- or pen-register, or whatever) shows not merely a lack of guts, but also an incredible lack of imagination. For example, I previously pointed out that there is no longer any real basis for keeping records on the metadata involved in in setting up a telephone call:
So how do you propose that a provider perform SSL without keeping their private cert? And how should they respond when a court *orders* them to allow law enforcement or other agencies to install sniffers on their network? That's essentially what Lavabit faced. Also: it's easy to accuse someone of lacking guts or imagination, but I don't think any of these folks are shutting down services and even businesses without serious consideration of the costs involved - financial and otherwise. -- @kylemaxwell
Crazy idea. Put the server into the hands of a third party outside of the US. Have that 3rd party have total and absolute rights to the SSL root certificate and your party to not have any capacity to force said party to hand over the certificate. You use it, but you don't have any ability to actually get access to it directly. Crazy idea, but I wonder if there would be some way to make this work where even if they tried to force you, you couldn't hand it over. On 21/10/2013 11:09 PM, Kyle Maxwell wrote:
On Mon, Oct 21, 2013 at 9:49 PM, Jim Bell <jamesdbell8@yahoo.com> wrote:
The practice of shutting down a service in anticipation of the government showing up and issuing a warrant (whether search- or pen-register, or whatever) shows not merely a lack of guts, but also an incredible lack of imagination. For example, I previously pointed out that there is no longer any real basis for keeping records on the metadata involved in in setting up a telephone call:
So how do you propose that a provider perform SSL without keeping their private cert? And how should they respond when a court *orders* them to allow law enforcement or other agencies to install sniffers on their network? That's essentially what Lavabit faced.
Also: it's easy to accuse someone of lacking guts or imagination, but I don't think any of these folks are shutting down services and even businesses without serious consideration of the costs involved - financial and otherwise.
-- @kylemaxwell
-- Kelly John Rose Mississauga, ON Phone: +1 647 638-4104 Twitter: @kjrose Document contents are confidential between original recipients and sender.
...so the third party decrypts your traffic for you and sends you plaintext? On Mon, 2013-10-21 at 23:26 -0400, Kelly John Rose wrote:
Crazy idea.
Put the server into the hands of a third party outside of the US. Have that 3rd party have total and absolute rights to the SSL root certificate and your party to not have any capacity to force said party to hand over the certificate. You use it, but you don't have any ability to actually get access to it directly.
Crazy idea, but I wonder if there would be some way to make this work where even if they tried to force you, you couldn't hand it over.
On 21/10/2013 11:09 PM, Kyle Maxwell wrote:
On Mon, Oct 21, 2013 at 9:49 PM, Jim Bell <jamesdbell8@yahoo.com> wrote:
The practice of shutting down a service in anticipation of the government showing up and issuing a warrant (whether search- or pen-register, or whatever) shows not merely a lack of guts, but also an incredible lack of imagination. For example, I previously pointed out that there is no longer any real basis for keeping records on the metadata involved in in setting up a telephone call:
So how do you propose that a provider perform SSL without keeping their private cert? And how should they respond when a court *orders* them to allow law enforcement or other agencies to install sniffers on their network? That's essentially what Lavabit faced.
Also: it's easy to accuse someone of lacking guts or imagination, but I don't think any of these folks are shutting down services and even businesses without serious consideration of the costs involved - financial and otherwise.
-- @kylemaxwell
-- Sent from Ubuntu
No. You receive the data over an ssl encrypted stream just like everyone else. It just is that no one can get the private key to mitm everything and get all data for all users. On Monday, October 21, 2013, Ted Smith wrote:
...so the third party decrypts your traffic for you and sends you plaintext?
On Mon, 2013-10-21 at 23:26 -0400, Kelly John Rose wrote:
Crazy idea.
Put the server into the hands of a third party outside of the US. Have that 3rd party have total and absolute rights to the SSL root certificate and your party to not have any capacity to force said party to hand over the certificate. You use it, but you don't have any ability to actually get access to it directly.
Crazy idea, but I wonder if there would be some way to make this work where even if they tried to force you, you couldn't hand it over.
On 21/10/2013 11:09 PM, Kyle Maxwell wrote:
On Mon, Oct 21, 2013 at 9:49 PM, Jim Bell <jamesdbell8@yahoo.com<javascript:;>> wrote:
The practice of shutting down a service in anticipation of the government showing up and issuing a warrant (whether search- or pen-register, or whatever) shows not merely a lack of guts, but also
an
incredible lack of imagination. For example, I previously pointed out that there is no longer any real basis for keeping records on the metadata involved in in setting up a telephone call:
So how do you propose that a provider perform SSL without keeping their private cert? And how should they respond when a court *orders* them to allow law enforcement or other agencies to install sniffers on their network? That's essentially what Lavabit faced.
Also: it's easy to accuse someone of lacking guts or imagination, but I don't think any of these folks are shutting down services and even businesses without serious consideration of the costs involved - financial and otherwise.
-- @kylemaxwell
-- Sent from Ubuntu
-- Kelly John Rose Toronto, ON Phone: +1 647 638-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam@kjro.se MSN: msn@kjro.se Document contents are confidential between original recipients and sender.
On Tue, Oct 22, 2013, at 02:26 PM, Kelly John Rose wrote:
Crazy idea.
Put the server into the hands of a third party outside of the US. Have that 3rd party have total and absolute rights to the SSL root certificate and your party to not have any capacity to force said party to hand over the certificate. You use it, but you don't have any ability to actually get access to it directly.
Crazy idea, but I wonder if there would be some way to make this work where even if they tried to force you, you couldn't hand it over.
I think the question that should be asked is do we have a lawful right to privacy and anonymity anymore? The response by governments around the world lately seems to suggest that we don't. Skirting around this issue (i.e. moving VPN hosting from jurisdiction to jurisdiction) just ends in an arms race with governments worldwide. Unless the solution is a perfect system that guarantees privacy and anonymity, even from the carriers, then I can only see the progressive way forward is through political change. Alfie -- Alfie John alfiej@fastmail.fm
On 2013-10-22 13:47, Alfie John wrote:
I think the question that should be asked is do we have a lawful right to privacy and anonymity anymore? The response by governments around the world lately seems to suggest that we don't.
End to end encryption. Cannot trust any central point, because any central point gets rubber hosed.
On Mon, Oct 21, 2013 at 9:49 PM, Jim Bell <jamesdbell8@yahoo.com> wrote:
The practice of shutting down a service in anticipation of the government showing up and issuing a warrant (whether search- or pen-register, or whatever) shows not merely a lack of guts, but also an incredible lack of imagination. For example, I previously pointed out that there is no longer any real basis for keeping records on the metadata involved in in setting up a telephone call:
So how do you propose that a provider perform SSL without keeping their private cert? And how should they respond when a court *orders* them to allow law enforcement or other agencies to install sniffers on their network? That's essentially what Lavabit faced.
They should respond by saying, "You, Federal Judge, do not have the legal authority to order me/the company to ASSIST in the task, at most you can require me to ALLOW it; Further, you do not have the authority to order me/the company to not speak of the existence of the warrant: See the First Amendment to the US Constitution". Traditionally, there were two kinds of warrants: 'Search' (allow authorities to perform a search) and 'arrest' (find a person and stop him and take him into custody). No secrecy was necessary with either 'search' nor 'arrest warrants'. 'Wiretap' and 'pen-register' warrants came into being when phone companies were closely regulated by the government, and they didn't have a sufficient motivation to defend the rights of their company and/or customers. They also did not have the motivation to challenge any order of secrecy they would have been under: The government has an enormous burden to try to justify any violation of a person's/company's First Amendment right. The mere fact that it would be very useful to keep the victim of a warrant unaware of a wiretap/pen-register warrant doesn't rise to the level of justification to violate the freedom of speech of the person or company on which the warrant is served. The only reason we don't automatically assume that such rights do not exist in such cases is that for too long, phone companies were negligent in defending the rights of their customers. This led courts to conclude that they had the power to require phone companies to keep silent: The issue simply was never litigated. In both of these cases, the companies were not motivated to defend their rights to inform the victims of these warrants of the existence of that violation of their privacy. I argue that now and in the future, all such companies should react as if they are in no way required to comply with any 'warrant' except that is specifically allowed in law. "Is there a law which requires a company to disclose a private SSL certification"? No?!? Then, "We challenge this with a lawsuit: We have already served the intended victim of the warrant. Here is the copy for the court". They can initiate what's referred to as an 'interlocutory appeal', which would take weeks or months, and they can serve it on the victim of the warrant, making him part of the case and making the warrant rather useless. In other words, if they wanted to fight it, they could do so quite easily. Set it up so that a foreign lawyer, one outside the jurisdiction of the judge, informs the victim. Play hardball, and moreover, make sure that the government knows you're going to play hardball,and that the information WILL get into the hands of the person to be tapped, in an unproveable fashion. In court, force the government to argue that the victim of the warrant cannot be brought into the case as a necessary party.
Also: it's easy to accuse someone of lacking guts or imagination, but I don't think any of these folks are shutting down services and even businesses without serious consideration of the costs involved - financial and otherwise.
The problem is that while they are aware of the costs to themselves, they arent' paying sufficient attention to the costs to the people to whom the warrant is directed. Also, you didn't address my point about phone companies deliberately avoiding keeping phone metadata, to ensure that it cannot be subpoenaed. It is that kind of 'imagination' that everybody needs to start using. Jim Bell
On 2013-10-22 13:54, Jim Bell wrote:
They should respond by saying, "You, Federal Judge, do not have the legal authority to order me/the company to ASSIST in the task, at most you can require me to ALLOW it; Further, you do not have the authority to order me/the company to not speak of the existence of the warrant: See the First Amendment to the US Constitution".
It is a "living constitution", also known as an undead constitution. Invoking the first amendment will get you in jail so fast it will make your head spin.
On Tue, Oct 22, 2013 at 12:42 AM, James A. Donald <jamesd@echeque.com> wrote:
On 2013-10-22 13:54, Jim Bell wrote:
They should respond by saying, "You, Federal Judge, do not have the legal authority to order me/the company to ASSIST in the task, at most you can require me to ALLOW it; Further, you do not have the authority to order me/the company to not speak of the existence of the warrant: See the First Amendment to the US Constitution".
It is a "living constitution", also known as an undead constitution.
Invoking the first amendment will get you in jail so fast it will make your head spin.
A little bit of time in contempt [even criminal contempt] isn't going to hurt an independantly wealthy CEO. And these days it would likely bump your rep into the stratosphere preliminary to your second career in the freedoms crowd. That wouldn't be in conflict since you were already thinking about it anyways. Interesting times ahead I think.
________________________________ From: grarpamp <grarpamp@gmail.com>
On 2013-10-22 13:54, Jim Bell wrote:
They should respond by saying, "You, Federal Judge, do not have the legal authority to order me/the company to ASSIST in the task, at most you can require me to ALLOW it; Further, you do not have the authority to order me/the company to not speak of the existence of the warrant: See the First Amendment to the US Constitution".
It is a "living constitution", also known as an undead constitution.
Invoking the first amendment will get you in jail so fast it will make your head spin.
A little bit of time in contempt [even criminal contempt] isn't going to hurt an independantly wealthy CEO. And these days it would likely bump your rep into the stratosphere preliminary to your second career in the freedoms crowd. That wouldn't be in conflict since you were already thinking about it anyways. Interesting times ahead I think.
'You ain't seen nothin' yet!' Jim Bell
Someone misdirected this top post of theirs to me instead of the list. ---------- Either way. Companies like cryptoseal and lavabit are closing so that the users can't participate in a class action suit against them. Decreasing the chances of justice by making the next available court room a more controlled one. rant: [ This effects the possibiloty of a night watchman state (where private companies compete for the remaining government services that should be replaced and become efficient). They want to bring the ideology of slow public / government controlled entities / oligopolies controlled by people in the BR. Once the Business Roundatable's philosophy on businesses affecting public policy came true and once they started affecting policies themselves: they've decided -> corporate interest is to use all of our information for advertisements and so from what it seems no decent crypto or true private companies shall make an unregulated alliance better than stopwatchingus to stop the death of a private corporation. However, this somehow gets us closer to a social market economy. So that might be a plus for those that agree but what is a capitalistic society who's class structure will resemble a fascist one do with any form of socialism for anybody who isn't in their class? Throw some conformity in the short run and in the long: starve them with no options except possible infinite detention or death. These are threats to all companies that are trying to bypass US intelligence or do anything anonymous. There will be a monopoly on predictions by inferring trade secrets from the direct access of these servers / keys / user data. It becomes harder to confiscate decentralized structures and data centers if they're out in the sea. Except it may be easier to just send submarines missiles or drones but expecting that might be a little to schizophrenic. ] Does anyone know of a project that connects real dedicated pirate ships? That perhaps get docked here and there but ultimately stay across sea in a seasteeding like environment? That might be the cheapest legal way besides satellites, space stations and low orbit devices. Sea regulation, I believe, is easier to comply with than air regulation. Yes we are living in interesting times when more and more people want to be pirates in order to remain free! If this didn't make much sense this was sent at ~0345 (UTC-4). On Tue, Oct 22, 2013 at 12:42 AM, James A. Donald <jamesd@echeque.com> wrote:
On 2013-10-22 13:54, Jim Bell wrote:
They should respond by saying, "You, Federal Judge, do not have the legal authority to order me/the company to ASSIST in the task, at most you can require me to ALLOW it; Further, you do not have the authority to order me/the company to not speak of the existence of the warrant: See the First Amendment to the US Constitution".
It is a "living constitution", also known as an undead constitution.
Invoking the first amendment will get you in jail so fast it will make your head spin.
A little bit of time in contempt [even criminal contempt] isn't going to hurt an independantly wealthy CEO. And these days it would likely bump your rep into the stratosphere preliminary to your second career in the freedoms crowd. That wouldn't be in conflict since you were already thinking about it anyways. Interesting times ahead I think. ----------
On Mon, Oct 21, 2013 at 8:09 PM, Kyle Maxwell <kylem@xwell.org> wrote:
... So how do you propose that a provider perform SSL without keeping their private cert?
change it every day. i know every CA i've used allows unlimited re-issue once purchased. every time you hand it over, change it. enforce forward secrecy, allow no non-forward secret suites. this is critical. problem solved.. ...they will however treat this as contempt of court - the escalation would be infinitely interesting! fuck this bullshit, i can't convey my contempt for this practice (private keys via pen/trap register order) enough...
On Mon, Oct 21, 2013 at 8:57 PM, coderman <coderman@gmail.com> wrote:
... every time you hand it over, change it.
there's risk of an active attack; and some browser *cough* disabled CRL checks "for performance reasons". rock and a hard place... still better than nothing to roll them upon delivery.
Legally rolling them would defeat the point of the request and thus likely out you in contempt. The only solution is to not have the private key itself available to you and design the system such that you don't need it to do the minimal job Adminning the server. It's like having no logs. You can't give away something you don't have. The solution is to design the systems so Americans simply don't have access to the info being requested. On Tuesday, October 22, 2013, coderman wrote:
On Mon, Oct 21, 2013 at 8:57 PM, coderman <coderman@gmail.com<javascript:;>> wrote:
... every time you hand it over, change it.
there's risk of an active attack; and some browser *cough* disabled CRL checks "for performance reasons".
rock and a hard place... still better than nothing to roll them upon delivery.
-- Kelly John Rose Toronto, ON Phone: +1 647 638-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam@kjro.se MSN: msn@kjro.se Document contents are confidential between original recipients and sender.
On Mon, Oct 21, 2013 at 9:08 PM, Kelly John Rose <iam@kjro.se> wrote:
Legally rolling them would defeat the point of the request and thus likely out you in contempt.
this is probably true; also yet to be tested in court.
The only solution is to not have the private key itself available to you and design the system such that you don't need it to do the minimal job Adminning the server.
It's like having no logs. You can't give away something you don't have. The solution is to design the systems so Americans simply don't have access to the info being requested.
agreed; this does imply that some services (email!) are forever vulnerable and thus verboten. i agree with this as well, though there's lots of resistance to acceptance of this new reality...
On 2013-10-22 14:13, coderman wrote:
On Mon, Oct 21, 2013 at 9:08 PM, Kelly John Rose <iam@kjro.se> wrote:
Legally rolling them would defeat the point of the request and thus likely out you in contempt.
this is probably true; also yet to be tested in court.
They would rather not test it court, so will put you in jail for something else. Anyone who operates a business commits hundreds of felonies daily. They can always find something.
On Tue, 22 Oct 2013, James A. Donald wrote:
They would rather not test it court, so will put you in jail for something else.
Anyone who operates a business commits hundreds of felonies daily. They can always find something.
s/operates a business/breathes/ It's been that way for a long time now. //Alif -- Those who make peaceful change impossible, make violent revolution inevitable. An American Spring is coming: one way or another.
On 10/22/13 9:47 AM, J.A. Terranson wrote:
Anyone who operates a business commits hundreds of felonies daily. They can always find something.
s/operates a business/breathes/
It's been that way for a long time now.
<http://www.harveysilverglate.com/Books/ThreeFeloniesaDay.aspx> Three Felonies a Day is the story of how citizens from all walks of life—doctors, accountants, businessmen, political activists, and others—have found themselves the targets of federal prosecutions, despite sensibly believing that they did nothing wrong, broke no laws, and harmed not a single person. From the perspective of both a legal practitioner who has represented the wrongfully-accused, and of a legal observer who has written about these trends for the past four decades, Three Felonies a Day brings home how individual liberty is threatened by zealous crusades from the Department of Justice. Even the most intelligent and informed citizen (including lawyers and judges, for that matter) cannot predict with any reasonable assurance whether a wide range of seemingly ordinary activities might be regarded by federal prosecutors as felonies.
Stuff like this almost always makes me wish the DoJ was more diligent. If you want to see excess laws removed from the books, have them enforced as written. Suddenly a lot of senators families will be arrested and rich individuals in jail (along with almost everyone else). After that the politicians will fall over themselves to remove the law from the books. Or at least amend it. On Tuesday, October 22, 2013, David wrote:
On 10/22/13 9:47 AM, J.A. Terranson wrote:
Anyone who operates a business commits hundreds of felonies daily.
They can always find something.
s/operates a business/breathes/
It's been that way for a long time now.
Three Felonies a Day is the story of how citizens from all walks of life—doctors, accountants, businessmen, political activists, and others—have found themselves the targets of federal prosecutions, despite sensibly believing that they did nothing wrong, broke no laws, and harmed not a single person. From the perspective of both a legal practitioner who has represented the wrongfully-accused, and of a legal observer who has written about these trends for the past four decades, Three Felonies a Day brings home how individual liberty is threatened by zealous crusades from the Department of Justice. Even the most intelligent and informed citizen (including lawyers and judges, for that matter) cannot predict with any reasonable assurance whether a wide range of seemingly ordinary activities might be regarded by federal prosecutors as felonies.
-- Kelly John Rose Toronto, ON Phone: +1 647 638-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam@kjro.se MSN: msn@kjro.se Document contents are confidential between original recipients and sender.
On 10/22/13 11:31 -0400, Kelly John Rose wrote:
Stuff like this almost always makes me wish the DoJ was more diligent. If you want to see excess laws removed from the books, have them enforced as written. Suddenly a lot of senators families will be arrested and rich individuals in jail (along with almost everyone else).
What kinds of laws are we talking about? I'm genuinely interested in laws (particularly US federal) that may unwittingly end me up in jail if I were to encounter an over-zealous prosecutor. The book mentioned below seems to focus on something different, based on this Amazon review: "With such a provocative title, I expected a thorough list of ways that ordinary citizens can be unwittingly trapped by federal law. Maybe a handful of frightening anecdotes, maybe some telling historical analysis. Instead, after two lengthy introductions, I find a dense chapter defending ... a Florida politician accused of corruption. And a Massachusetts governor. And a Massachusetts House speaker. When I got to the chapter defending Michael Milken I started skimming instead of reading. Don't get me wrong: if those people were railroaded, then they deserved better. But those aren't the sort of stories that excite people's sympathy. I'd much rather hear about innocent doctors getting tried for prescribing legal painkillers (which Silverglate does address, albeit later), or citizens being sent away for behavior that nobody knew was illegal. When Silverglate writes about one politician going after another, my blood doesn't exactly boil at the injustice being done. Silverglate writes with a didactic, passionate style. It's likely to inflame the hearts of people who already care about civil liberties. But for people who don't see expanding federal power as that big of a deal, a sob story about how Ken Lay was strung up won't elicit any sympathy. All of the above would make the book 4 stars. I'm giving it 3 stars because it's a substandard Kindle edition. There's no table of contents. The footnotes don't hyperlink to the end of the text (a feature in every other footnoted book I've read on Kindle). And for a book that's been out nearly a year, it's still far too expensive."
After that the politicians will fall over themselves to remove the law from the books. Or at least amend it.
On Tuesday, October 22, 2013, David wrote:
Three Felonies a Day is the story of how citizens from all walks of life—doctors, accountants, businessmen, political activists, and others—have found themselves the targets of federal prosecutions, despite sensibly believing that they did nothing wrong, broke no laws, and harmed not a single person. From the perspective of both a legal practitioner who has represented the wrongfully-accused, and of a legal observer who has written about these trends for the past four decades, Three Felonies a Day brings home how individual liberty is threatened by zealous crusades from the Department of Justice. Even the most intelligent and informed citizen (including lawyers and judges, for that matter) cannot predict with any reasonable assurance whether a wide range of seemingly ordinary activities might be regarded by federal prosecutors as felonies.
-- Dan White
Drug laws are a good example. Where politicians openly admit to breaking the law with no consequences. On Tuesday, October 22, 2013, Dan White wrote:
On 10/22/13 11:31 -0400, Kelly John Rose wrote:
Stuff like this almost always makes me wish the DoJ was more diligent. If you want to see excess laws removed from the books, have them enforced as written. Suddenly a lot of senators families will be arrested and rich individuals in jail (along with almost everyone else).
What kinds of laws are we talking about? I'm genuinely interested in laws (particularly US federal) that may unwittingly end me up in jail if I were to encounter an over-zealous prosecutor.
The book mentioned below seems to focus on something different, based on this Amazon review:
"With such a provocative title, I expected a thorough list of ways that ordinary citizens can be unwittingly trapped by federal law. Maybe a handful of frightening anecdotes, maybe some telling historical analysis.
Instead, after two lengthy introductions, I find a dense chapter defending ... a Florida politician accused of corruption. And a Massachusetts governor. And a Massachusetts House speaker. When I got to the chapter defending Michael Milken I started skimming instead of reading.
Don't get me wrong: if those people were railroaded, then they deserved better. But those aren't the sort of stories that excite people's sympathy. I'd much rather hear about innocent doctors getting tried for prescribing legal painkillers (which Silverglate does address, albeit later), or citizens being sent away for behavior that nobody knew was illegal. When Silverglate writes about one politician going after another, my blood doesn't exactly boil at the injustice being done.
Silverglate writes with a didactic, passionate style. It's likely to inflame the hearts of people who already care about civil liberties. But for people who don't see expanding federal power as that big of a deal, a sob story about how Ken Lay was strung up won't elicit any sympathy.
All of the above would make the book 4 stars. I'm giving it 3 stars because it's a substandard Kindle edition. There's no table of contents. The footnotes don't hyperlink to the end of the text (a feature in every other footnoted book I've read on Kindle). And for a book that's been out nearly a year, it's still far too expensive."
After that the politicians will fall over themselves to remove the law
from the books. Or at least amend it.
On Tuesday, October 22, 2013, David wrote:
<http://www.harveysilverglate.****com/Books/ThreeFeloniesaDay.****aspx<; http://www.**harveysilverglate.com/Books/**ThreeFeloniesaDay.aspx<http://www.harveysilverglate.com/Books/ThreeFeloniesaDay.aspx>
Three Felonies a Day is the story of how citizens from all walks of life—doctors, accountants, businessmen, political activists, and others—have found themselves the targets of federal prosecutions, despite sensibly believing that they did nothing wrong, broke no laws, and harmed not a single person. From the perspective of both a legal practitioner who has represented the wrongfully-accused, and of a legal observer who has written about these trends for the past four decades, Three Felonies a Day brings home how individual liberty is threatened by zealous crusades from the Department of Justice. Even the most intelligent and informed citizen (including lawyers and judges, for that matter) cannot predict with any reasonable assurance whether a wide range of seemingly ordinary activities might be regarded by federal prosecutors as felonies.
-- Dan White
-- Kelly John Rose Toronto, ON Phone: +1 647 638-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam@kjro.se MSN: msn@kjro.se Document contents are confidential between original recipients and sender.
My biases, such as they are: The topmost aim of security design is to choose tolerable failure modes. The topmost aim of security engineering is to have no silent failures. A state of security is achieved when there are no unmitigatable surprises. That said, the challenge here is to pick what are the tolerable failure modes, to ensure that when they occur that they are neither silent nor silenceable, and to have mitigations in hand against that day. Easier said than done, of course. Would that it were possible for one lone wolf to have a flash of brilliance leading to compact satisfaction of these needs, but I doubt that possibility. YMMV, --dan
On Mon, Oct 21, 2013 at 9:00 PM, coderman <coderman@gmail.com> wrote:
... there's risk of an active attack; and some browser *cough* disabled CRL checks "for performance reasons".
also relevant: https://github.com/agl/crlset-tools i've found this useful for monitoring CRLs.
On Mon, Oct 21, 2013 at 11:57 PM, coderman <coderman@gmail.com> wrote:
On Mon, Oct 21, 2013 at 8:09 PM, Kyle Maxwell <kylem@xwell.org> wrote:
... So how do you propose that a provider perform SSL without keeping their private cert?
// Kelly John Rose wrote: // Put the server into the hands of a third party outside of the US. Have // that 3rd party have total and absolute rights to the SSL root // certificate and your party to not have any capacity to force said party Piratebay is an example of some international jurisdictional issues. So is the US waving down South American planes over Europe. Without a wiki containing a well documented matrix of jurisdictional policy and case history, be careful what you trust to such means.
change it every day. i know every CA i've used allows unlimited re-issue once purchased. every time you hand it over, change it. enforce forward secrecy, allow no non-forward secret suites. this is critical.
Why per service certs for transport? Why not per user certs/keys? Stick them in LDAP, service sign them for service authenticity, enhance daemons to lookup. Though securely figuring out which user cert to check for / use with each inbound service connection might still be a problem.
...they will however treat this as contempt of court - the escalation would be infinitely interesting!
fuck this bullshit, i can't convey my contempt for this practice (private keys via pen/trap register order) enough...
If lavabit is the case, we'll probably know in a year or two.
On 2013-10-22 12:49, Jim Bell wrote:
The practice of shutting down a service in anticipation of the government showing up and issuing a warrant
Everyone knows, but no one is allowed to publicly say, that these shutdowns are not in anticipation of a warrant demanding all information about all their users regardless of probable cause, but that they received a warrant demanding all information about all their users regardless of probable cause, and are forbidden to say that they received such a warrant, and forbidden to contest such a warrant in court. (yes, it is unconstitutional, but so is the "voluntary" income tax. Just try not volunteering.) (whether search- or
pen-register, or whatever) shows not merely a lack of guts, but also an incredible lack of imagination. For example, I previously pointed out that there is no longer any real basis for keeping records on the metadata involved in in setting up a telephone call:
The government, aware of this, does not demand their records, but a live connection transmitting everything they do to the government as it happens. And if they don't supply the live connection they go to jail, and if they say out loud under their own identities in public that this was the deal they go to jail - one of the ever broader exceptions to freedom of speech that the supreme court is just fine with.
Either way. Companies like cryptoseal and lavabit are closing so that the users can't participate in a class action suit against them. Decreasing the chances of justice by making the next available court room a more controlled one. rant: [ This effects the possibiloty of a night watchman state (where private companies compete for the remaining government services that should be replaced and become efficient). They want to bring the ideology of slow public / government controlled entities / oligopolies controlled by people in the BR. Once the Business Roundatable's philosophy on businesses affecting public policy came true and once they started affecting policies themselves: they've decided -> corporate interest is to use all of our information for advertisements and so from what it seems no decent crypto or true private companies shall make an unregulated alliance better than stopwatchingus to stop the death of a private corporation. However, this somehow gets us closer to a social market economy. So that might be a plus for those that agree but what is a capitalistic society who's class structure will resemble a fascist one do with any form of socialism for anybody who isn't in their class? Throw some conformity in the short run and in the long: starve them with no options except possible infinite detention or death. These are threats to all companies that are trying to bypass US intelligence or do anything anonymous. There will be a monopoly on predictions by inferring trade secrets from the direct access of these servers / keys / user data. It becomes harder to confiscate decentralized structures and data centers if they're out in the sea. Except it may be easier to just send submarines missiles or drones but expecting that might be a little to schizophrenic. ] Does anyone know of a project that connects real dedicated pirate ships? That perhaps get docked here and there but ultimately stay across sea in a seasteeding like environment? That might be the cheapest legal way besides satellites, space stations and low orbit devices. Sea regulation, I believe, is easier to comply with than air regulation. Yes we are living in interesting times when more and more people want to be pirates in order to remain free! JJS On Mon, Oct 21, 2013 at 8:19 PM, grarpamp <grarpamp@gmail.com> wrote:
Voluntary shutdown beforehand...
https://privacy.cryptoseal.com/ http://cryptoseal.com/team/ https://news.ycombinator.com/item?id=6585649
http://arstechnica.com/information-technology/2013/10/cryptoseal-vpn-shuts-d...
http://it.slashdot.org/story/13/10/21/2157225/cryptoseal-shuts-down-consumer...
participants (13)
-
Alfie John -
coderman -
Dan White -
dan@geer.org -
David -
grarpamp -
J.A. Terranson -
James A. Donald -
Jayvan Santos -
Jim Bell -
Kelly John Rose -
Kyle Maxwell -
Ted Smith