Computer Ethics, Sum 2015
Comm 010, MW 6:00-9:00
Class 11, Monday, June 22
Week 6 Readings
Read Baase Chapter 5, sections on crime
Google and revenge porn: http://googlepublicpolicy.blogspot.com/2015/06/revenge-porn-and-search.html
Illinois Supreme Court and Anonymous Posting.
Lavabit and Proton Mail
Ladar Levison halted his Lavabit encrypted-email service when the US
Government demanded his SSL key. This would allow them to read all emails
passing through the service. As the government appeared only to want one
person's email (likely Edward Snowden's), Levison felt this was overbroad.
He tried to negotiate a narrower solution, but ended up shutting down the
site. The highlight of Levison's court experience is probably his contempt
order:
Then, a federal judge entered an order of
contempt against me – without even so much as a hearing.
But the judge created a loophole: without a hearing, I was never given the
opportunity to object, let alone make any substantive defense, to the
contempt change. Without any objection (because I wasn't allowed a
hearing), the appellate court waived consideration of the substantive
questions my case raised – and upheld the contempt charge, on the grounds
that I hadn't disputed it in court.
Proton Mail is a newer encrypted-email service. Users have a login password
and a mailbox password; the latter acts as the key (after being suitably
hashed) for decrypting the user's mailbox.
When Alice signs up for a Proton Mail account, she creates an RSA key pair
(a public key and a private key). The private key is then encrypted with
her mailbox password, and the public key and encrypted private key are
uploaded to protonmail.ch. The encrypted private key is uploaded only for
convenience.
If Bob sends Alice a message, it is encrypted with Alice's public key and
placed in her mailbox. Bob trusts Proton Mail to encrypt the email with
Alice's genuine public key.
When Alice logs in, her encrypted mailbox and encrypted private key are
downloaded to her machine. She enters her mailbox password, and her mailbox
is decrypted on her local machine.
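The sign-up, delivery and login steps above, as an added example using Node's built-in crypto module; it is not Proton Mail's code. The `server` object and the function names are assumptions, and the message is RSA-encrypted directly, which only works for short messages.

```javascript
// Added illustration; not Proton Mail's code. Node built-in crypto only.
const crypto = require('node:crypto');

// Hypothetical stand-in for what the mail server stores.
const server = { keys: {}, mailbox: {} };

// Sign-up runs on Alice's machine. The private key is exported already
// encrypted under the mailbox password, so the server never sees it in clear.
function signUp(user, mailboxPassword) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: {
      type: 'pkcs8',
      format: 'pem',
      cipher: 'aes-256-cbc',
      passphrase: mailboxPassword,
    },
  });
  server.keys[user] = { publicKey, encryptedPrivateKey: privateKey };
  server.mailbox[user] = [];
}

// Delivery: the message is encrypted with whatever public key the server
// holds for the recipient, which is why Bob has to trust that key.
function deliver(to, text) {
  const ct = crypto.publicEncrypt(server.keys[to].publicKey,
                                  Buffer.from(text, 'utf8'));
  server.mailbox[to].push(ct.toString('base64'));
}

// Login: Alice downloads the ciphertexts and the encrypted private key and
// decrypts locally. Anyone holding encryptedPrivateKey can try passwords
// offline, so the mailbox password's strength is what protects the mail.
function readMailbox(user, mailboxPassword) {
  const { encryptedPrivateKey } = server.keys[user];
  return server.mailbox[user].map((b64) =>
    crypto.privateDecrypt(
      { key: encryptedPrivateKey, passphrase: mailboxPassword },
      Buffer.from(b64, 'base64')
    ).toString('utf8'));
}
```

A wrong mailbox password makes `readMailbox` throw, and the `server` object never holds the password or any plaintext. It does hold the encrypted private key, which is the item an offline guesser would need.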
The weakest link appears to be the strength of the mailbox password.
Consider the password in the following xkcd comic:

If each of the four words is chosen from a pool of 2000, then each word has
11 bits of entropy, for a total of 44 bits. That's a lot more than the
average password like "rAmbler5", and will keep out eavesdroppers who are
not really committed, but 56-bit DES is decryptable within a week and this
is 2^12 ≈ 4000 times weaker. Once the NSA has obtained your
encrypted secret key, they can test password candidates a lot faster than
1000 a second. The second panel hints at this; in this case, a stolen hash is
what you should worry about. 1,000,000,000 guesses a second -- typical for a
stolen hash -- means the password can be guessed in 5 hours.
Patents:
Paul Graham
Europe
Reform
Bilski and Machine or Transformation
Mayo v Prometheus
Alice
Trolls
Computer Crime