[graue]

Hmm... did this site get served a secret warrant last week? Or did they just forget to update their warrant canary?

https://mediacru.sh/transparency/warrant-canary.txt

(Note: the date 08/11 is written European style meaning November 8th, as you can see if you go up a directory.)

[jdiez17]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    This is a reply to a comment posted by graue on 2013/11/21 at 06:00h GMT.

    > Hmm... did this site get served a secret warrant last week? Or did they just forget to update their warrant canary? 
    > https://mediacru.sh/transparency/warrant-canary.txt
    > (Note: the date 08/11 is written European style meaning November 8th, as you can see if you go up a directory.)

    Hi, just wanted to let you know that we haven't, in fact, been served a warrant.

    The failure to update the canary was due to my own mistake, and I'm terribly sorry about that.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.14 (GNU/Linux)

    iQIcBAEBAgAGBQJSjdtLAAoJELJF4ERQRPL8VuMP/j8bqNm/uAMzq1n+ebf90RRq
    cDQUsjCbENoR3/1VF4GR0iQhzxDQ28C2Wcc/rjgPjNkL5fLL9QQNb5hUZ38a+ray
    r3fBE4ZQZ5XSriq9iOGy2RoXKhwM/1QuJ9qaOOYmJwkc+/Re+1WbAtAbKnBoPkOy
    z5xMkSnr7b1jI/sUHHmlU6s5wvchXKKLmniCKjtaLp2WLVv95FoxrzRoNu/gHVv2
    LXnjKTllzfcPm9thvCRoikv/N3PKuDBvCIbGm6yhYsNo8a1croAlnChEf0rDWk1B
    8IFM5SXcsuVOSymHJ18VVp2s7xGi1RRcTpUyDt/s74kUuLx7Wpd27YWf5Yko8O+m
    BWfLXbAUamxwRyCmNN219xnhdAb0paaiddbvQX+PHUMMM2+UwdWSSgWnyloFVhGs
    bqZ/vQO6FSP4CVCZvvxyFm493MWSBTvZ2bpWWgdVdIBAg/qSv+D0I6XGyAhUdCqh
    5j38U7nMaHFROr+lCISXdtMxUvPBzNFxKV+3ZTxm/L3hWU75pT9XWsJOxejiIdFe
    7IMgKpbwsWDUg5Mat5muhn13vBH9B5qfa1smhO1eiP/29XLogLj3B2gZ0nnEIO0q
    1o+j/G5crxxhqW01nGBzJq3IaP3+dsCP9Eiwom3cO0EsulZUL9TRsAPjT5IhXJNz
    uPzRgvYpICnrL2qqyGfP
    =uKWu
    -----END PGP SIGNATURE-----

[jqueryin]

Speaking of warrant canaries, has anybody open sourced one to produce something similar with PGP and news?

http://www.rsync.net/resources/notices/canary.txt

http://en.wikipedia.org/wiki/Warrant_canary

[Sir_Cmpwn]

Ack! My other half is responsible for the warrant canary. He keeps forgetting it. We may as well not even have it. It doesn't mean much without a signature, but I assure you that we have never been served a warrant.

[laureny]

Nice try, NSA.

[Sir_Cmpwn]

Well, even if we had been served a warrant, I dunno what we'd give them. We don't store anything about our users. https://blog.mediacru.sh/2013/07/19/MediaCrush-for-nerds.htm...

[vinceguidry]

I'm pretty sure he was joking.

[duiker101]

can't you make it automatic, taking the news with rss and stop it if you get a warrant?

[Wilya]

That defeats the purpose.

I think the whole point of a warrant canary is that you have to do something, every week/month, to confirm that you never had to obey a warrant. And (presumably, I don't think it has been tried in courts yet) a gag order can prevent you to speak about a warrant, but it can't force you to do anything, including actively saying that you didn't receive anything.

If it's automated.. the gag order prevents you to stop it, so it might as well not be there.

[Sir_Cmpwn]

Nope. If an adversary seizes our servers, we couldn't stop it from falsely reporting that all is well.

[atlbeer]

If you sign the request w/ a key that isn't present on your servers than it should be impossible for that to occur.

Unless they seize the computer with the key as well

[duiker101]

If an adversary seizes your servers wouldn't you have bigger worries like getting them back or complaying with the warrant?

[mike-cardwell]

  mike@glue:~$ wget -qO - https://mediacru.sh/transparency/warrant-canary.txt|gpg --verify
  gpg: Signature made Fri 08 Nov 2013 11:48:13 GMT using RSA key ID 5044F2FC
  gpg: BAD signature from "MediaCrush Administrators <admin@mediacru.sh>"
  mike@glue:~$

[jdiez17]

That's not the signed warrant canary - the PGP signed message lives at https://mediacru.sh/transparency/warrant-canary.signed.txt.

    josemanueldiez@InfiniteImprobabilityDrive:~$ wget -qO - https://mediacru.sh/transparency/warrant-canary.signed.txt|gpg --verify
    gpg: Signature made Fri Nov  8 12:48:13 2013 CET using RSA key ID 5044F2FC
    gpg: Good signature from "MediaCrush Administrators <admin@mediacru.sh>"