
This article seems to speculate on things that are not necessarily true. It's possible that the government simply told him that he had to be able to supply information arbitrarily on demand without an explicit warrant. This does not mean that they required him to install their own software on his machines.

Of course, one can certainly still argue that this is a line that the Government should not cross - I'd wholeheartedly agree with that. However, statements such as “We’ve had a couple of dozen court orders served to us over the past 10 years, but they’ve never crossed the line,” do not imply that the government required him to install software or otherwise compromise his security in a way that he was not already able to do.



That's actually the whole point, in the past he complied with warrants because there wasn't much he could supply in the first place. Yes there is a lot of reading between the lines here, but there was a clear line they crossed. In other words, he would no longer be able to just turn over a bunch of encrypted emails, this was a full compromise of the security he had in place.

If you look at the quotes he made, he strongly hints that this affects all his users, that they want to collect data for later review, and that they would have the ability to decrypt any emails they wanted. Yes, there is a lot of speculation going on here, but it is based on facts--what they technically would be able to do based on how Lavabit worked.

Edit: this wasn't just some casual speculation, I did quite a bit of research on this and carefully reviewed every statement he has given to the press. I carefully analyzed their infrastructure and encryption techniques. I'm fairly confident with my conclusions.


What I don't see is these three statements:

1. Force Lavabit to provide their private SSL keys and route all their traffic through a government machine that performed a man-in-the-middle style data collection;

2. Change their software to subvert Lavabit’s own security measures and log emails after SSL decryption but before encrypting with the users’ public keys; or

3. Require Lavabit to install malicious code to infect their own customers with government-supplied malware.

It sounds like he already has the ability to comply with demands for information. I don't see where this new stipulation by them requires any meaningful change to his existing infrastructure.


Again, that's the whole point. He wasn't able to provide them with what they wanted, and doing so meant that he either had to allow them to intercept messages (or passwords) on Lavabit's application servers, which is the only place they could be intercepted. Doing so would require either impersonating their servers through a MitM or code changes on their server.

I do acknowledge in the article that this could simply be an overhyped reaction to placing a black box on his network, but the statements Levison made seem to indicate otherwise. And hey, I could be wrong about this whole thing; it still is largely speculation based on circumstantial evidence.



