With admirable clarity and brevity, Princeton's Ed Felten explains why Lavabit's owner was right to design his email service to be resistant to court orders. The whole piece is good and important, but here's the takeaway: "At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.
From a purely technological standpoint, these two scenarios are exactly the same."
As Felten goes on to point out, insider attacks are brutal -- just look at what happened to the NSA when insider Edward Snowden decided to go after it.
Insider attacks are a big problem. You might have read about a recent insider attack against the NSA by Edward Snowden. Similar but less spectacular attacks happen all the time, and Lavabit, or any well-run service that holds user data, has good reason to try to control them.
From a user’s standpoint, a service’s resistance to insider attacks does more than just protect against rogue employees. It also helps to ensure that a company will not be tempted to repurpose or sell user data for commercial gain without getting users’ permission.
In the end, what led to Lavabit’s shutdown was not that the company’s technology was too resistant to insider attacks, but that it wasn’t resistant. The government got an order that would have required Lavabit to execute the ultimate insider attack, essentially giving the government a master key to unlock the data of any Lavabit user at any time. Rather than do this, Lavabit chose to shut down.
Had Lavabit had in place measures to prevent disclosure of its master key, it would have been unable to comply with the ultimate court order—and it would have also been safe against a rogue employee turning over its master key to bad actors.
A Court Order is an Insider Attack
M. David Weisman, a magistrate judge in Illinois’s Eastern Division, denied a federal warrant application that would have allowed law enforcement officers to force suspects to unlock their mobile devices with a fingerprint, ruling that the suspects’ Fourth Amendment (undue search and seizure) and Fifth Amendment (self-incrimination) rights protected them from being forced to unlock […]
For $170, Motherboard’s Joseph Cox bought SpyPhone Android Rec Pro, an Android app that you have to sideload on your target’s phone (the software’s manufacturer sells passcode-defeating apps that help you do this); once it’s loaded, you activate it with an SMS and then you can covertly operate the phone’s mic, steal its photos, and […]
Some employees with the U.S. Department of Homeland Security who work in the Washington, D.C. area and in Philadelphia, PA were unable to access the DHS computer network on Tuesday, reports Reuters, citing “three sources familiar with the matter.”
Although there will never be a consensus about the best way to make coffee, any coffee connoisseur will agree that controlling the grind of your beans and balancing water temperature are the keys to a tasty cup. Since your plastic coffee pot doesn’t really allow for that kind of customization, going back to the French […]
Not all hackers are malicious information thieves—white-hat ethical hackers work with technology companies to ensure the security of their computer systems and user data. With all of today’s high-profile data breaches, ethical hackers are in considerable demand. To learn these critical skills and break into the high-paying cyber security field, try taking the courses in this […]
Making people aware of goods and services in the digital age requires an array of new strategies from social media and email to number-crunching tools like Google Analytics. To get a handle on the techniques used to capture attention and convert traffic into dollars in a crowded online environment, the Full-Stack Marketer Bundle offers 22 hours of training to get […]