[tptacek]

I like everything Matthew Garrett writes but I can't resist being annoying about this:

Signal has had forward secrecy forever, right? The modern practice of secure messaging was established by OTR (Borisov and Goldberg), which practically introduced the notions of "perfect forward secrecy" and repudiability (as opposed to non-repudiability) in the messaging security model. Signal was an evolution both of those ideas and of the engineering realization of those ideas (better cryptography, better code, better packaging).

What's so galling about this state of affairs is that people are launching new messaging systems that take us backwards, not just to "pre-Signal" levels, but to pre-modern levels; like, to 2001.

[nickpsecurity]

Let's not forget three things from prior leaks:

1. Core Secrets said the FBI "compelled" companies to secretly backdoor their products. Another leak mentioned fines by FISA court that would kill a company. I dont know if you can be charged or not.

2. They paid the big companies tens of millions to $100+ million to backdoor their stuff. Historically, we know they can also pressure them about government contracts or export licenses. Between 1 and 2, it looks like a Pablo Escobar-like policy of "silver or lead."

3. In the Lavabit trial, the defendant said giving them the keys would destroy the business since the market would know all their conversations were in FBI's hands. The FBI said they could hide it, basically lying given Lavabit's advertising, which would prevent damage to the business. IIRC, the judge went for that argument. That implies the FBI and some courts tell crypto-using companies to give them access but lie to their users.

Just these three facts make me wonder how often crypto in big platforms is intentionally weak by governemnt demand or sloppy because they dont care. So, I consider all crypto use in a police state subverted at least for Five Eyes use. I'll change my mind once the Patriot Act, FISC, secret interpretations of law, etc are all revoked and violators get prosecuted.

[tptacek]

There is no such thing as "fines by FISA court". FISA doesn't hear adversarial cases and doesn't have statutory authority or even subject matter jurisdiction to enforce compliance on private actors. FISA is an authorizer for other government bodies, who then use ordinary Article III courts to enforce compliance. Other than the fact that they're staffed by Article III judges and not directly overseen by Article III courts, the FISA court functions like a magistrate court, not a normal court. So: I immediately distrust the source.

People are going to come back and say "well yeah that's just what they tell you about FISA court, but I bet FISA courts fine people all the time", but no, it's deeper than that: private actors aren't parties to FISA cases. It's best to think of them as exclusively resolving conflicts between government bodies.

[voxic11]

You are just wrong:

> In some circumstances, nongovernmental parties may litigate the lawfulness of FISA orders or directives to provide information or assistance to the government. For example:

> A private company or individual that has been served with a directive to assist in acquiring information under Section 702 may petition the FISC to modify or set aside the directive. Conversely, the government may petition the FISC to compel the recipient to comply with the directive.

> In responding to the government’s petition, the private party has the opportunity to show cause for the noncompliance or argue that the order should not be enforced as issued.

> In 2007, Yahoo! Inc. refused to comply with directives issued by the government under provisions of FISA that have been replaced by Section 702. The government filed a motion with the FISC to compel compliance.

https://www.fisc.uscourts.gov/about-foreign-intelligence-sur...

The warrants the court issues do apply to private parties. Failure to comply with a warrant is contempt of court and the court can compel compliance by fines and other sanctions. You can read what that looks like in this FISA court ruling against Yahoo.

PDF warning: https://donohueintellaw.ll.georgetown.edu/sites/default/file...

[nickpsecurity]

It was a big company that said they'd be fined per day for non-compliance with mass surveillance. Core Secrets etc says that was done by FBI for FISA warrants. So, whoever enforces that.

I dont know the mechanics of it, like jurisdiction. It might be as you say. I just know they and their targets were both clear at different times they could force a company to do it.

[tptacek]

I have no idea, I just know they weren't facing fines from a FISA court.

[pessimizer]

The part nobody mentions about Crypto AG:

https://inteltoday.org/2020/02/15/crypto-ag-was-boris-hageli...

We've always done this.

[numpad0]

And it's going to remain that way as long as people download apps written on PC through App Store.

[remram]

On PC? What do you mean?

[numpad0]

I meant to say, the big shift to mobile created discontinuity between "host" PCs and "target" phones, and that's horrible for software freedom.

[remram]

Why? Do you think many people would want to develop from their phones instead of PCs if that was an option? I've certainly never wanted to.

You can actually run a desktop VM on a phone pretty easily (I even run a Windows one, for games) so I wouldn't say I feel a restriction in my software freedom.