[liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox
Caspar Bowden (lists)
lists at casparbowden.net
Thu Apr 24 15:24:05 PDT 2014
On 24/04/14 21:09, Zooko Wilcox-OHearn wrote:
> On 24/04/14 19:21, Zooko Wilcox-OHearn wrote:
>> Oh, by the way, this part was incorrect. An example of a Tahoe-LAFS
>> service provider is my company, https://LeastAuthority.com.
>> LeastAuthority.com does not have any ability to acquire our
>> customers's keys, nor to backdoor our customers.
> On Thu, Apr 24, 2014 at 6:13 PM, Caspar Bowden (lists)
> <lists at casparbowden.net> wrote:
>> This is semantics. If you provide the service to a customer, you can be
>> forced to backdoor
> No, this is wrong. I can understand why you say this, because you've
> looked at dozens — perhaps hundreds — of services which made claims
> like those above, and in every case it turned out that the service
> actually had the technical capability to backdoor its customers. Am I
> right? The Hushmail case that you cite was an early and famous
> example, and the recent Lavabit case is an example.
>
> But LeastAuthority.com is different from that, for a very specific
> technical reason.
>
> That reason is that not *only* is our operation free from customer
> plaintext and customer encryption keys, but *also* we don't deliver
> software to our customers.
>
> When new customers sign up at https://LeastAuthority.com, we send them
> a nice email explaining that now they need to go acquire the Free and
> Open Source software named "Tahoe-LAFS". We recommend that they get it
> from their operating system provider, e.g. Debian, Ubuntu, or the
> "pkgsrc" system (http://www.pkgsrc.org/).
So I had not realized that and, that is a very good idea generally, for
these types of legal attack, and would be even better idea if we had
deterministic compilers
> Therefore if a government, or a murderous mafia, compelled us to
> cooperate with them, we would then say "Well… okay, but… have you
> figured out how your target users acquires the software? Because, you
> know, if they're getting it from Debian, or from Tails, or something,
> then there's not a whole lot we can do to help you backdoor your
> target users…".
>
> Here's an open letter on this topic that I wrote to the Silent Circle
> folks when they shut down their mail service after the Lavabit story
> broke:
>
> https://leastauthority.com/blog/open_letter_silent_circle.html
I agree.
Inadvertently, I muddied the waters by referring to Hushmail, since the
storage providers in your system don't (and don't purport to) provide
confidentiality
Caspar
More information about the liberationtech
mailing list