Thursday, October 3, 2013

Your Digital Crime & Punishment Blotter

The story of the government shutdown has overshadowed virtually all other news recently, but two major stories from the digital realm have broken this week.

The first story is that the FBI has taken the notorious hidden web site The Silk Road offline and captured the man who allegedly operated it, Ross Ulbricht, aka The Dread Pirate Roberts.

The Silk Road was an interesting experiment in running a fully encrypted, anonymous online marketplace. Users wishing to connect to it had to do so through Tor, which encrypts all its users' communications and reroutes them through a series of nodes so that they can't be traced. Then they had to follow a rabbit trail of arcane websites to find it (Google will not take you to The Silk Road). Finally, once connected, all transactions were conducted in Bitcoins, a private digital currency which is difficult to trace.

Underneath all its elaborate security precautions, though, The Silk Road was basically eBay for drugs. The vast majority of its users used it to buy illegal drugs from anonymous dealers, who then sent their illicit purchases via the postal system. The Silk Road, and by extension The Dread Pirate Roberts, took a cut of each transaction.

Predictably, this drew the attention of the US federal government, specifically the FBI. While the startling leaks by whistle-blower Edward Snowden have revealed the vast hacking and data-mining resources available to the feds, it appears that Ross Ulbricht was undone primarily by sloppiness in his own personal security, sloppiness that was exploited by good old-fashioned police work.

Ars Technica has the best coverage of the story, which involves not just one but two murder-for-hire schemes.

The second story is a more troubling revelation about the extent of the federal government's overreach into personal privacy.

Encrypted email provider Lavabit shut down on August 8 without warning. Owner Ladar Levison left a cryptic message saying that to continue operations would be 'to become complicit in crimes against the American people'. In follow-up interviews he indicated that he was legally forbidden from elaborating further. Because Edward Snowden had a Lavabit email account, many people surmised that Levison had been secretly contacted by the authorities and forced to hand over access to Snowden's emails.

Lavabit was built with an encryption scheme that allowed only an email's sender and its recipient to share the keys. Even if Lavabit itself traced the emails, it would not be able to read their content.

In a court order unsealed today we learn that the government asked Lavabit to do just that: modify the code of his own website so that he could snoop on the emails of just one user, Edward Snowden. When the resulting emails were shown to be useless because they were encrypted, the government then ordered Ladar Levison to turn over the SSL encryption key for the entire system, which would have effectively granted them access to the private, encrypted emails of every Lavabit user.

When Levison did not immediately comply, the judge overseeing the case ordered that he be fined $5,000/day until he handed over electronic copies of the keys. It was at that point that Levison decided to shut down Lavabit.

To sum up, the US government required a private citizen to reverse engineer his company's security scheme against his will and provide blanket access to all of its encrypted communications or face large fines and possible jail time. Oh, and he couldn't tell anyone about it.

Wired has the whole story. Following the unsealing of the court documents, Levison has issued a press release on his Facebook page. Levison has now lost his primary source of income and is asking for donations to fund an appeal to the Fourth Circuit courts.
